Configuration of IAM mappings

Upload mapping templates to Airlock Gateway

With Airlock IAM 8.0 the support for JSP-Loginapp has been removed and the Airlock Gateway templates have been updated accordingly.

For the latest available JSP-Loginapp compatible templates, choose Airlock IAM 7.7 templates for Airlock Gateway.

  1. Create one of more new mappings for Airlock IAM modules
  2. Download the appropriate mapping template:
  3. for Airlock Gateway 8.0 and newer

    IAM Loginapp mapping template

    IAM Adminapp mapping template

    IAM Transaction Approval mapping template

  4. In the Airlock Gateway Configuration Center, go to:
    Application Firewall >> Reverse Proxy
  5. Import the downloaded mapping template.
  6. Import new mapping
  7. For the Loginapp, for example, this will add three new and unconnected mapping templates to the mapping list:
  8. Mapping Template

    Description

    Used for

    Airlock-IAM-Loginapp

    Basic Loginapp mapping

    Used for all IAM Loginapp features including REST APIs.

    Airlock-IAM-Loginapp-REST-Protected

    Loginapp REST API mapping for protected calls

    Required, if OpenAPI specification should be enforced to the protected part of the Loginapp REST API.
    Can be deleted if OpenAPI specification enforcement is not required.

    Airlock-IAM-Loginapp-REST-Public

    Loginapp REST API mapping for public calls

    Required, if OpenAPI specification should be enforced to the protected part of the Loginapp REST API.
    Can be deleted if OpenAPI specification enforcement is not required.

Using and adapting the basic Loginapp mapping (Airlock-IAM-Loginapp)

  1. After uploading the templates, adapt the basic template:
  2. Set the entry- and back-end paths:
    • Change the entry path to your needs. The default value /auth will work with most other Airlock IAM tutorials and is recommended to be used.
    • Change the back-end path to point to the corresponding Loginapp instance's context path (for example /prod-login).

    To find out the context path of a Loginapp, you may use the following CLI command:

    iam info -i <instance-name> | grep iam.loginapp.url.path

    Example for instance auth:

    iam info -i auth | grep iam.loginapp.url.path
  3. Change the Allow Rules tab of the mapping and activate the allow rules corresponding to all required Loginapp functionalities. For security reasons, only activate those allow-rules that are needed.
  4. Example:

    128671609.png
  5. Connect the Airlock IAM mapping to a virtual host and a back-end group.
  6. Activate the configuration.

Using the API Enforcement feature to protect IAM's Loginapp REST API

  • The Airlock Gateway's API Enforcement feature validates each REST request against the OpenAPI specification (OAS) of an API.
  • IAM provides an OpenAPI specification (OAS) file with each version.
  • SeeĀ OpenAPI specification on how to use the OpenAPI specification for IAM.

When upgrading Airlock IAM, remember to update the OpenAPI specification accordingly.

Note that the API enforcement must be licensed separately on Airlock Gateway.

  • There are the following options:
  • Assure the feature is licensed and enabled in Airlock Gateway
  • Disable the feature in Airlock Gateway and delete the corresponding mappings imported with the IAM mapping template files.

CSRF protection

  • CSRF token protection of Airlock Gateway:
  • The gateway CSRF token protection feature is activated on all Loginapp REST mappings using the mapping template 7.6 and newer.
  • This may require small changes to custom single-page applications to handle possible CSRF blocks. If this is not possible, the CSRF protection on these mappings can be disabled to return to the previous behavior.