Step 2 - Configure the target application

To transport the identity and the roles of the authenticated user from the Loginapp (JSP) to the Loginapp REST UI, a target application with a suitable identity propagator needs to be configured.

Procedure-related prerequisites

  • You need to be logged in to the Airlock IAM Adminapp and be able to access the Config Editor.

Add the target application

  1. Go to:
    MAIN SETTINGS >> Application Settings
    (or alternatively to Loginapp >> Application Settings)
  2. Add a new target application of type Target Application using Identity Propagator with the following properties:

     Identifier:
       Choose a unique identifier such as Self-services in SPA Loginapp.
     Default URL:
       https://##External_FQDN_IAM##/auth/ui/app/protected/tokens/airlock-2fa/devices
     Application Entry URLs:
       ^https://##IAM_external_fqdn_pattern_AM##/auth/ui/app/protected/.*$
     URL Pattern:
       ^https://##IAM_external_fqdn_pattern_AM##/auth/ui/app/protected/.*$
     Required Roles:
       authenticated
     Identity Propagator:
       Add a plugin of type Cookie Ticket Identity Propagator. How to configure the plugin is described in detail below.

  3. Review the other target application settings and set them according to your environment and needs.
  4. In this example, we require the role authenticated to access the self-service UI. It is therefore added to the property Required Roles.
  5. The target application is now ready except for the identity propagator configuration. Follow the instructions below.

Configure the identity propagation

Identity propagation from the Loginapp (JSP) to the Loginapp REST UI can be done in different ways. This example uses a signed JWT transported in an HTTP cookie. This choice has the following security-relevant properties:

  • The HTTP cookie is transported via the session store of the Airlock Gateway (WAF) and is therefore never sent to the browser.
  • The recipient, i.e., the Loginapp REST UI, is able to verify that the ticket was issued by the Loginapp (JSP) by checking the signature and the Issuer attribute.

  1. Go to the Cookie Ticket Identity Propagator that you just added (see above).
  2. Use the following properties in the plugin:

     Identifier:
       JSP to SPA Session Ticket
     Cookie Name:
       JSP_TO_SPA_TICKET
     Ticket Service:
       Use a Mapping Ticket Service plugin with the following mappings in property Content from Authentee:
       • Map Value Reference @username to Ticket Key username and make it mandatory.
       • Map Value Reference @roles to Ticket Key roles.
     Ticket Encoder:
       Use a JWT Ticket Encoder plugin and configure it as described in the next step.

  3. In the JWT Ticket Encoder plugin, use the following settings:

     Identifier:
       HTML to SPA Ticket Encoder
     Username Ticket Key:
       username
     Issuer:
       Airlock IAM
     Signer:
       Use a plugin of type JWT Ticket HMAC Settings and choose a corresponding HMAC key. You will need the key again when configuring the signature verification plugin in Step 3 - Configure REST authentication flow for ticket extraction.

  4. Activate the configuration.
  5. The configuration part concerning the Loginapp (JSP) is now complete.
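The following is an added illustration of what the two sides of this setup do with the ticket; it is not Airlock IAM code, and the exact claim layout produced by the JWT Ticket Encoder is an assumption. It shows the Loginapp (JSP) side building an HMAC-signed JWT carrying the mapped ticket keys username and roles with the configured Issuer, and the Loginapp REST UI side accepting it only after the signature, the issuer and the mandatory username claim have all been checked.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; in Airlock IAM the key comes from the JWT Ticket HMAC Settings plugin.
HMAC_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "Airlock IAM"            # the Issuer set on the JWT Ticket Encoder
USERNAME_TICKET_KEY = "username"  # the Username Ticket Key (mandatory mapping)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_ticket(username, roles, key=HMAC_KEY, issuer=ISSUER):
    """Loginapp (JSP) side: HS256-signed ticket. The exact claim layout is an assumption."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"iss": issuer, USERNAME_TICKET_KEY: username, "roles": roles}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_ticket(token, key=HMAC_KEY):
    """Loginapp REST UI side: accept the ticket only if signature AND issuer check out.
    Returns the claims or raises ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed ticket")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if not claims.get(USERNAME_TICKET_KEY):
        raise ValueError("username claim missing")
    claims.setdefault("roles", [])
    return claims
```

The recipient checks the signature before it looks at any claim, so a payload with altered roles, a ticket from a different issuer signed with the same key, or a ticket without the mandatory username are all rejected with a distinct reason.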

Verify the configuration

To verify the configuration, you may do the following:

  • Make sure your browser does not have an authenticated session. Terminate an existing session using the logout URL https://##External_FQDN_IAM##/auth/logout.
  • Open the URL https://##External_FQDN_IAM##/auth/ui/app/protected/tokens/airlock-2fa/devices.
  • This results in an error or in the login page of the Loginapp REST UI being displayed, because the Loginapp REST UI has not yet been configured appropriately.

  • Open the Airlock Gateway (WAF) configuration center and go to Log & Report >> Session Viewer
  • Choose your session and click on it to view the details.
  • Verify that the Cookie Store contains a cookie with the name JSP_TO_SPA_TICKET.

Additionally, the Loginapp log files may be used for verification and troubleshooting. The following log statements are relevant:

  • The choice of the target application:
    Choosing target application with URL pattern "^https://##External_FQDN_IAM##auth/ui/app/protected/.*$" because it matches the forward location "https://airlock/auth/ui/app/protected/tokens/airlock-2fa/devices"
  • Identity propagation:
    Setting authentication ticket as cookie: JSP_TO_SPA_TICKET path="/" domain="" secure-flag: false
  • Redirection to the Airlock 2FA self-service URL in the Loginapp REST UI:
    Redirecting user to follow page "https://##External_FQDN_IAM##/auth/ui/app/protected/tokens/airlock-2fa/devices?lang=en"