Extended tenant ID-dependent customization of the Loginapp UI

The TENANT_ID is an attribute in the REST API. The purpose of this attribute is to provide styling and customization depending on the client's ID or the URL used to access Airlock IAM.

In setups with OAuth or OIDC the TENANT_ID attribute can be configured to contain the client's identifier (client_id). In SAML setups, it can be configured to contain the entityID.

Configuration of tenant ID

The TENANT_ID is configured in the Loginapp UI as follows:

  1. Go to Loginapp >> UI Settings.
  2. In property UI Tenant ID Rules, create and edit one or more plugins. See table below.
    Note that these plugins are processed in order. The first match sets the TENANT_ID.

You can choose from the following types of plugins:

| Plugin | Purpose |
| --- | --- |
| OAuth 2.0 Client ID Pattern UI Tenant ID Rule | The OAuth client_id is matched against a regex pattern. If the pattern matches, the TENANT_ID is set to the configured string. This applies only to authorization code grant/flow. |
| OAuth 2.0 Client ID UI Tenant ID Rule | If an OAuth client_id is present, this rule matches and the TENANT_ID is set to the client_id. This applies only to authorization code grant/flow. |
| Request URL Pattern UI Tenant ID Rule | The request URL is matched against a regex pattern. If the pattern matches, the TENANT_ID is set to the configured string. |
| SAML 2.0 SP Entity ID Pattern UI Tenant ID Rule | The SAML entityID is matched against a regex pattern. If the pattern matches, the TENANT_ID is set to the configured string. This applies only to SP-Initiated SAML Requests. |
| SAML 2.0 SP Entity ID UI Tenant ID Rule | If a SAML entityID is present, this rule matches and the TENANT_ID is set to the entityID. This applies only to SP-Initiated SAML Requests. |

The Request URL Pattern UI Tenant ID Rule will match the URL of the first request made to the IAM backend to start the flow. It will not match the URL entered into the end-client browser.

If no plugin matches, the TENANT_ID will remain unset.
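
Because the first matching rule wins and an unmatched request leaves the TENANT_ID unset, rule order can be checked against sample requests before it is deployed. The following JavaScript model is an added example, not Airlock IAM code; the rule objects, request field names (clientId, entityId, backendUrl), client IDs and URLs are constructed assumptions.

```javascript
// Model of ordered UI Tenant ID rules (illustrative, not Airlock IAM code).
// Request field names and all sample values are hypothetical/constructed.
// The page does not say whether patterns match fully or partially, so the
// sample pattern is anchored explicitly with ^...$.
const rule = (name, field, regex, tenantId) => ({
  name,
  resolve(req) {
    const value = req[field];
    if (typeof value !== 'string' || value === '') return undefined;
    if (regex && !regex.test(value)) return undefined;
    // Pattern rules yield the configured string, pass-through rules the value.
    return tenantId !== undefined ? tenantId : value;
  },
});

// The first matching rule sets the tenant ID; no match leaves it unset.
function resolveTenantId(rules, req) {
  for (const r of rules) {
    const tenantId = r.resolve(req);
    if (tenantId !== undefined) return { tenantId, rule: r.name };
  }
  return { tenantId: undefined, rule: null };
}

// Rules that never win for any sample request are shadowed by earlier ones.
function unreachableRules(rules, samples) {
  const hit = new Set(samples.map((s) => resolveTenantId(rules, s).rule));
  return rules.map((r) => r.name).filter((n) => !hit.has(n));
}

// backendUrl stands for the first request made to the IAM backend,
// not the URL entered into the browser.
const URL0 = 'https://iam.example.com/constructed/start';
const samples = [
  { clientId: 'acme-mobile', backendUrl: URL0 },
  { clientId: 'globex-web', backendUrl: URL0 },
  { entityId: 'https://sp.globex.example/saml', backendUrl: URL0 },
  { backendUrl: URL0 }, // neither client_id nor entityID present
];

const acmePattern = rule('acme-pattern', 'clientId', /^acme-.*$/, 'acme');
const clientPassthrough = rule('client-passthrough', 'clientId');
const samlPassthrough = rule('saml-passthrough', 'entityId');

// A pass-through rule placed first shadows the pattern rule behind it.
const misordered = [clientPassthrough, acmePattern, samlPassthrough];
const ordered = [acmePattern, clientPassthrough, samlPassthrough];
```

With the misordered list, the acme clients receive their raw client_id as tenant ID instead of the shared string, so any styling keyed on the configured value would not apply.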

Using the tenant ID with the Loginapp Design Kit

For customization with the Loginapp Design Kit, the attribute is named TENANT_ID. For customization in JavaScript, the attribute is named uiTenantId.

To use the Loginapp Design Kit with different tenant IDs, add the following entry in custom.sdk.config.js:
config.uiTenantId = 'myTenant'

Use case

A typical use case scenario for OAuth is:

  • Several tenants use the same authorization server.
  • Each tenant provides its users with a mobile app or a web application.
  • Mobile apps and web applications are all registered as clients in the IAM authorization server with their own client IDs.
  • During the authorization code flow, IAM identifies the clients with their client ID and supplies this information as TENANT_ID to the Loginapp UI.
  • The Loginapp UI applies styling and customization depending on the TENANT_ID, FLOW_ID, and STEP_ID.