The default Airlock IAM mappings for Airlock Gateway contain a AuthUserRepresentation Allow Rule. It defines that the default names for Target Parameter (=target) and Representee Parameter(=user) are allowed when accessing user representation. If you change those default values, you must adjust the allow rules. Otherwise, Airlock Gateway will block your request to start a user representation.
Default Parameter Name Pattern
^(user|target|lang|Location)$
If URL encryption is enabled, check if the context paths for the representation feature are configured as well. Those are included in the default IAM mappings as well. If you ever adjusted them, you have to add the following exceptions to the URL Encryption Path Exception Pattern.
URL Encryption Path Exception Pattern
/representation/start/?|/representation/start_intern/?|/representation/stop/?|/representation-denied/?
It is only necessary to configure Airlock Gateway for user representation on the representer-Loginapp, where the feature is started.