One-shot target application configuration for MS-OFBA

This article shows how to configure a one-shot target application for use with MS-OFBA.

Note that this article covers only part of the MS-OFBA setup. Please refer to MS-OFBA Configuration in Airlock Gateway (WAF) and Airlock IAM for all configuration steps.

The one-shot target application configuration handles the MS-OFBA-specific parts of the HTTP protocol and redirects the web browser built into MS-Office applications (such as Word) to the login screen.

Prerequisites

  • Airlock Gateway (WAF) must be configured to redirect the authentication request to IAM.
  • SharePoint must be configured as a back-end in Airlock Gateway (WAF).

Limited Loginapp features available

Note that the MS-Office applications (e.g. Word) use outdated browser libraries (IE11 or IE8) that are not compatible with the Airlock IAM Loginapp REST UI.

For MS-OFBA, the Loginapp REST UI therefore offers a separate Loginapp front-end written in JavaScript that provides only a very limited set of features. Currently, only username/password authentication and mTAN as the second factor are supported.

If Microsoft does not update to newer browser libraries, MS-OFBA support may be removed from Airlock IAM in future versions.

Instructions

  1. Go to:
    Loginapp >> Airlock One-Shot Authentication
  2. Create a new target application of type MS-OFBA One-Shot Target Application and open it.
  3. Set the properties according to the examples in the following table. Note that the values depend on the loginapp type (JSP-Loginapp or Loginapp REST UI). Please consult the property documentation in the Config Editor for further information.
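  4. Example property values:

    | Property                       | Value for JSP-Loginapp                 | Value for Loginapp REST UI                         |
    |--------------------------------|----------------------------------------|----------------------------------------------------|
    | URL Pattern                    | https://myhost.com/sharepoint/.*       | https://myhost.com/sharepoint/.*                   |
    | User Agent HTTP Header Pattern | Microsoft Office(.*)                   | Microsoft Office(.*)                               |
    | Browser Redirect URL           | https://myhost.com/auth/check-login    | https://myhost.com/auth/public/msofba/index.html   |
    | MS-OFBA Authentication URL     | https://myhost.com/auth/check-login    | https://myhost.com/auth/public/msofba/index.html   |
    | MS-OFBA Success URL            | https://myhost.com/auth/msofba-success | https://myhost.com/auth/public/msofba/success.html |
    | MS-OFBA Display Size           | 800x600                                | 800x600                                            |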

  5. In the IAM mapping on Airlock Gateway (WAF) make sure to enable the allow rule for one-shot authentication (One-Shot Functionality).
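
To illustrate what these properties drive, the following added example (not Airlock IAM code and not part of the original article) sketches the challenge defined by the MS-OFBA protocol: a request that matches both patterns is answered with 403 and three X-FORMS_BASED_AUTH_* headers. The mapping of property names to headers, full-string regex matching, the dictionary keys and the sample User-Agent strings are assumptions.

```python
import re

# Example values from the table above (Loginapp REST UI column).
# The dictionary keys are hypothetical names chosen for this sketch.
CONFIG = {
    "url_pattern": r"https://myhost.com/sharepoint/.*",
    "user_agent_pattern": r"Microsoft Office(.*)",
    "authentication_url": "https://myhost.com/auth/public/msofba/index.html",
    "success_url": "https://myhost.com/auth/public/msofba/success.html",
    "display_size": "800x600",
}

def is_ofba_request(cfg, url, headers):
    """True if URL and User-Agent both match (assumed: full-string match)."""
    user_agent = headers.get("User-Agent", "")
    return bool(re.fullmatch(cfg["url_pattern"], url)
                and re.fullmatch(cfg["user_agent_pattern"], user_agent))

def ofba_challenge(cfg):
    """Build the 403 challenge that makes Office open its login dialog."""
    if not re.fullmatch(r"[1-9]\d*x[1-9]\d*", cfg["display_size"]):
        raise ValueError("display size must look like WIDTHxHEIGHT, e.g. 800x600")
    return 403, {
        "X-FORMS_BASED_AUTH_REQUIRED": cfg["authentication_url"],
        "X-FORMS_BASED_AUTH_RETURN_URL": cfg["success_url"],
        "X-FORMS_BASED_AUTH_DIALOG_SIZE": cfg["display_size"],
    }

def handle(cfg, url, headers):
    """Return (status, headers) for an MS-OFBA client, None for anything else."""
    if is_ofba_request(cfg, url, headers):
        return ofba_challenge(cfg)
    return None  # not an Office client or not a protected URL

# Constructed sample requests (User-Agent strings are illustrative).
OFFICE = {"User-Agent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0; Pro)"}
BROWSER = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}

if __name__ == "__main__":
    for url, hdrs in [("https://myhost.com/sharepoint/docs/report.docx", OFFICE),
                      ("https://myhost.com/sharepoint/docs/report.docx", BROWSER),
                      ("https://myhost.com/other/report.docx", OFFICE)]:
        print(url, hdrs["User-Agent"][:16], "->", handle(CONFIG, url, hdrs))
```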