Airlock IAM handles one-shot requests differently from redirect requests: the Airlock Gateway sends one-shot requests to the IAM end-point 'login-oneshot' (instead of 'check-login' for the redirect workflow).
- The one-shot end-point is configured as follows in IAM:
  - Loginapp >> One-Shot Authentication
  - Define the target applications or services to be protected.
  - For each target application, the following settings are specific to one-shot:
    - Credential Extractor: specifies how to extract a credential (e.g. a token, a ticket, or a header containing information about the authenticated user) from the HTTP request.
    - Authenticator: specifies how to check whether the credential is valid and thus whether the request is authenticated.
    - Failure Responses (error mapper): specifies how to respond to the HTTP client if the request is not authenticated.
  - All other properties (ID propagator, URL pattern, etc.) are the same as in normal target applications.
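
The three one-shot settings form a per-request pipeline: extract, authenticate, then either propagate the identity or map the failure to a response. The following is an added conceptual model in Python, not Airlock IAM code or configuration; the token format, the header names and all function names are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed sample key, not a real secret

def make_token(user, exp, key=SECRET):
    """Build a constructed sample token: base64url(JSON claims) + "." + hex HMAC-SHA256."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": user, "exp": exp}).encode()).decode()
    return payload + "." + hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def extract_credential(headers):
    """Credential extractor role: pull a bearer token out of the HTTP request headers."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    value = value.strip()
    return value if scheme.lower() == "bearer" and value else None

def authenticate(token, now, key=SECRET):
    """Authenticator role: return (user, None) if valid, else (None, failure_reason)."""
    payload, sep, mac = token.partition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Verify the MAC in constant time before trusting or parsing the payload.
    if not sep or not hmac.compare_digest(mac.encode(), expected.encode()):
        return None, "invalid_credential"
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["exp"] <= now:
        return None, "expired_credential"
    return claims["sub"], None

# Failure responses (error mapper) role: each failure reason maps to a fixed
# HTTP status and headers that are returned to the client.
FAILURE_RESPONSES = {
    "missing_credential": (401, {"WWW-Authenticate": "Bearer"}),
    "invalid_credential": (401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}),
    "expired_credential": (401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}),
}

def one_shot(headers, now):
    """Handle a single request: extract, authenticate, then propagate or map the failure."""
    token = extract_credential(headers)
    if token is None:
        return FAILURE_RESPONSES["missing_credential"]
    user, failure = authenticate(token, now)
    if failure:
        return FAILURE_RESPONSES[failure]
    # Stand-in for the ID propagator: hand the authenticated user to the target application.
    return 200, {"X-Authenticated-User": user}
```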