Using the Airlock 2FA self-services UI with the JSP-based Loginapp

Requirements

Component: Airlock IAM

Requirements:

  • Airlock IAM 7.3 or newer.
  • An Airlock 2FA subscription is required.

Comments: For licensing, contact order@airlock.com.

Intended solution environment

The Airlock IAM Loginapp provides self-service features that allow logged-in users to manage their own Airlock 2FA app devices. However, the Loginapp (JSP) has no web front-end for these self-services. A web front-end is provided only for the Loginapp REST UI, which is based on the Loginapp REST API.

This article describes how to combine the two Loginapp types as follows:

  • Use the Loginapp REST UI for the Airlock 2FA self-services only.
  • Use the Loginapp (JSP) for everything else including authentication.

Goal

  • Understand how to configure Airlock IAM to implement the use case.
  • Understand how to configure the Airlock Gateway (WAF) to implement the use case.
  • Know the limitations of the setup.

All of the following procedures are examples and will vary according to your setup or needs.

Initial thoughts

The intended solution can be implemented with the following setup:

  • Unauthenticated access to the Airlock 2FA self-services UI in the Loginapp REST UI must result in authentication in the Loginapp (JSP).
    This can be achieved by editing the Airlock Gateway (WAF) mapping.
  • The Airlock 2FA self-services UI is configured as a target application in the Loginapp (JSP).
  • The identity and role of the authenticated user are securely transported to the Loginapp REST UI using HTTP cookie-based identity propagation.
  • The Loginapp REST API is configured to interpret the identity propagation cookie from the Loginapp (JSP) in an authentication flow.
  • The resulting flow session will allow access to the Airlock 2FA self-services for the logged-in user.

The individual configuration pieces are described in detail separately.

Prerequisites

  • The Loginapp (JSP) is configured to authenticate users. Authentication is configured such that access to the Airlock 2FA self-services is possible.
  • Both the Loginapp REST API and a Loginapp REST UI for Airlock 2FA self-services are configured.