• Configure the Airlock IAM OAuth 2 Authorization Server: see Configuration of IAM as OAuth Authorization Server / OpenID Provider
  • One-Shot End-Point in IAM: (Loginapp >> One-Shot Authentication)
    • Add a target application for the protected service and configure it as follows:
    • Credential Extractor: use plugin Bearer Token HTTP Header Extractor (as Token Credential).
    • Authenticator:  use plugin OAuth 2 Access Token Authenticator with the Authorization Server Settings used in the above Oauth2 target application.
    • Failure Responses: configure responses as desired - always use responses of type FINAL_RESPONSE.
    • Identity Propagator: as required by back-end application.
    • URL pattern: according to the back-end application.
    • Airlock Credentials: Choose sensitive Airlock Gateway credential timeouts.
    • Shared One-Shot Configuration

      The one-shot settings can be used for multiple protected services. Choose the URL pattern property to match all services for which the same settings apply.

  • Airlock Gateway Configuration
    • Make sure the Gateway's IAM mapping has the allow rules for Oauth2 enabled
    • Create a mapping for the protected service(s)
    • As Denied access URL, use /<iam-mapping-entry-path>/login-oneshot
    • From the Authentication flow drop-down, select One-Shot
    • Enable bearer token session tracking in the Security Gate Expert Settings (on both the IAM mapping and the protected services mapping(s)):
    • Session.Tracking.ExternalToken.Enable                     "TRUE"