One-shot target application configuration for MS-OFBA

This article shows how to configure a one-shot target application for usage with MS-OFBA.

Note that this article covers only part of the MS-OFBA setup. Please refer to MS-OFBA Configuration in Airlock Gateway and Airlock IAM for all configuration steps.

The one-shot target application configuration takes care of handling the MS-OFBA-specific HTTP protocol parts and it redirects the web browser built into MS-Office applications (such as Word) to the login screen.

Prerequisites

  • Airlock Gateway must be configured to redirect the authentication request to IAM.
  • SharePoint must be configured as back-end in Airlock Gateway.

Limited Loginapp features available

Note that the MS-Office applications (e.g. Word) use outdated browser libraries (IE11 or IE8) that are not compatible with the AIrlock IAM Loginapp UI.

The Loginapp UI provides a very limited set of features available for MS-OFBA by offering a separate Loginapp front-end written in JavaScript. Currently, only username password authentication and mTAN as the second factor are supported.

If Microsoft does not update to newer browser libraries, MS-OFBA support may be removed from Airlock IAM in future versions.

Instructions

  1. Go to:
    Loginapp >> Airlock One-Shot Authentication
  2. Create a new target application of type MS-OFBA One-Shot Target Application and open it.
  3. Set the properties according to the examples in the following table. Consult the property documentation in the Config Editor for further information.

    4. Property

    Value for Loginapp UI

    URL Pattern

    https://myhost.com/sharepoint/.*

    User Agent HTTP Header Pattern

    Microsoft Office(.*)

    Browser Redirect URL

    https://myhost.com/auth/public/msofba/index.html

    MS-OFBA Authentication URL

    https://myhost.com/auth/public/msofba/index.html

    MS-OFBA Success URL

    https://myhost.com/auth/public/msofba/success.html

    MS-OFBA Display Size

    800x600

  4. In the IAM mapping on Airlock Gateway (WAF) make sure to enable the allow rule for one-shot authentication (One-Shot Functionality).