Using gateway-generated cookies for session tracking

In this configuration example, we use HTTP cookies between the REST client and Airlock Gateway which works primarily for browser-based clients.

For non-browser-based REST clients, see Gateway configuration in article Using header tokens for session tracking.

A mixed setup with REST and browser-based clients usually requires a split setup with two VirtualHost configurations on the Airlock Gateway – one with cookie-based tracking and one with header tracking configuration.

Client authentication and identity propagation using the Loginapp REST API

  1. Go to:
    Loginapp >> Applications and Authentication
  2. Add a target application for the protected service and configure the properties.
    • Refer to the plugin documentation when configuring the following properties:
    • Application ID
    • Authentication Flow
    • Airlock Gateway Roles
    • Identity Propagation

    See also Authentication REST API for more information.

One-Shot End-Point in Airlock IAM

  1. Go to:
    Loginapp >> section OpenID Connect, OAuth, SAML, One-Shot
  2. In property One-Shot Authentication, create and edit a One-Shot Authentication Settings plugin.
  3. In property Default Target Application/Service, add and configure a Target Application/Service plugin.
  4. In property Credential Extractor you may choose either
    1. Bearer Token HTTP Header Extractor (as Token Credential) with an arbitrary header name,
    2. OR

    3. Static Username Password Extractor with arbitrary configuration.
      It does not matter which one to configure because we will always send back an HTTP 401 response by configuring a denying authenticator.
  5. In property Authenticator, set Denying Authenticator (one-shot must always fail in this scenario).
  6. In property Failure Responses, configure an HTTP Status Code 401 and a Workflow FINAL_RESPONSE setting.
  7. In property Identity Propagator, configure a No Identity Propagator plugin.
  8. In property URL Pattern, set the pattern according to the protected services. Note that the one-shot settings can be used for multiple protected services by choosing a URL pattern that matches all services for which the same settings apply.

Airlock Gateway configuration

The IAM One-Shot end-point configured above returns an HTTP 401 without looking at the request's credentials.
This can also be achieved by the Airlock Gateway alone (no IAM involved) using the following Security Gate Expert Settings on the protected service's Gateway mapping:

Authentication.Implicit.Enable                 "TRUE"
Authentication.Implicit.ErrorPath              "/error_path/one-shot.asis"
  • Follow-up task:
  • Create a corresponding asis-error page with the desired HTTP 401 response and update the Gateway error pages. See Airlock Gateway documentation Authorization and authentication.

Additional configuration information can be found in specific Airlock Gateway release documentation. For the latest Gateway release, follow the external links below.