Step 1 - Airlock Gateway (WAF) configuration

To make sure that unauthenticated HTTP requests to the Airlock 2FA self-service result in an HTTP redirect to the Loginapp (JSP) (and not to the Loginapp REST UI), the Airlock Gateway (WAF) mapping(s) for IAM must be adapted as follows.

Procedure-related prerequisites

  • Access to the IAM mapping configuration on the affected Airlock Gateway (WAF) is required.
  • One or more functioning IAM mappings exist.

Restrict access to protected self-services

  1. Open the Airlock Gateway (WAF) configuration center and log in.
  2. Open the affected IAM mapping and select the Access tab.
  3. Add the following entry to the list of Access restrictions:

     Property              Value
     HTTP Method           .*
     Path                  ^%ENTRYDIR%/ui/app/protected/.*
     Restricted to Roles   authenticated

     Exchange the role authenticated with whatever role(s) are relevant to your setup. Remember that access to the Airlock 2FA self-services is granted with the specified role(s), so the required role(s) should imply strong user authentication.

  4. The Authentication flow must be set to Redirect.
  5. Set the Denied access URL to /%ENTRYDIR%/check-login.
     This may require selecting the Custom radio button.
  6. The resulting configuration should look like:

     (Screenshot: GatewayAccessRestrictionForAirlock2FASelfService)
  7. Activate the configuration.
  8. The Airlock Gateway (WAF) now ensures that unauthenticated requests to the protected self-service part of the IAM are redirected to the Loginapp (JSP).

Verify the configuration

To verify the access restriction configuration, do the following:

  1. Make sure your browser does not have an authenticated session. Terminate any existing session using the logout URL https://##External_FQDN_IAM##/auth/logout.
  2. Open the URL https://##External_FQDN_IAM##/auth/ui/app/protected/tokens/airlock-2fa/devices in the browser.
  3. The browser should now be redirected to the login page of the Loginapp (JSP).
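The following is an added, constructed model of the access restriction entry from the procedure above and of the outcome checked in the verification section. It is not Airlock Gateway code and does not reproduce the Gateway's rule engine; it only shows how the three properties of the entry (HTTP Method, Path, Restricted to Roles) combine with the Authentication flow "Redirect" and the Denied access URL. Assumptions: the IAM mapping's entry path is /auth, so %ENTRYDIR% expands to "/auth" (matching the /auth/ prefix of the verification URLs), and a doubled slash produced by that substitution is collapsed; the sample request paths and role names other than "authenticated" are made up for illustration.

```python
import re

# Constructed model of the Access restriction described in the procedure.
# Not Airlock Gateway code; it only illustrates how the entry is evaluated.

# Assumption: the IAM mapping's entry path is /auth, so %ENTRYDIR% -> "/auth".
ENTRYDIR = "/auth"

# The entry exactly as listed in the procedure.
RESTRICTION = {
    "method": r".*",
    "path": r"^%ENTRYDIR%/ui/app/protected/.*",
    "roles": {"authenticated"},
}
DENIED_ACCESS_URL = "/%ENTRYDIR%/check-login"


def expand(template: str, entrydir: str = ENTRYDIR) -> str:
    """Substitute %ENTRYDIR% and collapse any doubled slash the substitution
    produces (assumed normalisation; the real Gateway may differ)."""
    return re.sub(r"/{2,}", "/", template.replace("%ENTRYDIR%", entrydir))


def is_restricted(method: str, path: str, entrydir: str = ENTRYDIR) -> bool:
    """True if the request is covered by the restriction entry.

    The method pattern must match the whole method; the path pattern is a
    regular expression anchored by its own leading '^'."""
    method_ok = re.fullmatch(RESTRICTION["method"], method) is not None
    path_ok = re.search(expand(RESTRICTION["path"], entrydir), path) is not None
    return method_ok and path_ok


def decide(method: str, path: str, roles: set, entrydir: str = ENTRYDIR):
    """Return (status, location) the modelled Gateway answers with.

    (200, None) -> request forwarded to IAM (not restricted, or a required
                   role is present on the session)
    (302, URL)  -> redirect to the Denied access URL, because the
                   Authentication flow is Redirect and no required role
                   is present
    """
    if not is_restricted(method, path, entrydir):
        return 200, None
    if roles & RESTRICTION["roles"]:
        return 200, None
    return 302, expand(DENIED_ACCESS_URL, entrydir)


if __name__ == "__main__":
    # Constructed sample requests; the first path is the URL used in the
    # "Verify the configuration" section.
    protected = "/auth/ui/app/protected/tokens/airlock-2fa/devices"
    samples = [
        ("GET", protected, set()),                        # no session
        ("GET", protected, {"authenticated"}),            # required role
        ("POST", protected, {"guest"}),                   # wrong role
        ("GET", "/auth/ui/app/public/index", set()),      # outside tree
        ("GET", "/other/auth/ui/app/protected/x", set()),  # '^' anchor
    ]
    for method, path, roles in samples:
        print(method, path, sorted(roles), "->", decide(method, path, roles))
```

Running the block prints one decision per sample request; the unauthenticated request to the verification URL yields (302, "/auth/check-login"), which is the redirect the verification section expects to see in the browser. The last sample shows why the leading "^" in the Path value matters: without it the pattern would also cover paths that merely contain the protected prefix somewhere in the middle.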