MS-OFBA configuration for the Loginapp UI

This article describes how to configure an authentication flow and its UI for using MS-OFBA with the Loginapp UI.

Note that this article covers only part of the MS-OFBA setup. Please refer to MS-OFBA Configuration in Airlock Gateway and Airlock IAM for all configuration steps.

Limited Loginapp features available

Note that the MS-Office applications (e.g. Word) use outdated browser libraries (IE11 or IE8) that are not compatible with the Airlock IAM Loginapp UI.

The Loginapp UI provides a very limited set of features available for MS-OFBA by offering a separate Loginapp front-end written in JavaScript. Currently, only username password authentication and mTAN as the second factor are supported.

If Microsoft does not update to newer browser libraries, MS-OFBA support may be removed from Airlock IAM in future versions.

Authentication flow configuration

To configure a target application and an authentication flow for MS-OFBA, follow these instructions:

  1. Go to:
    Loginapp >> Applications and Authentication
  2. In property Applications, add a new Target Application plugin with an Identifier (e.g. Sharepoint access for MS-OFBA)
  3. For property Application ID, create a new Application ID plugin with the ID msofba.
    Note that it is important to use exactly this application ID (msofba in all lower-case letters).
  4. Add an Authentication Flow with the following Steps:
    • The first step must be a Username Password Authentication Step.
    • If a second authentication step is required, a mTAN Authentication Step must be used. No other interactive authentication steps are supported.
    • Disable temporary locking by unchecking the Enable Temporary Locking checkbox.

Authentication UI configuration

To configure the UI for the above authentication flow, do the following:

  1. Go to:
    Loginapp >> UI Settings >> Authentication UIs
  2. To the list of property Flow UIs, add a new Authentication & Authorization UI plugin and open it.
  3. In the property Target Application ID choose the application ID of the MS-OFBA target application (the one with ID msofba).
  4. As Target URI Resolver set a Target URI Resolver plugin. As Default Value choose the MSOFBA success URL as configured in One-shot target application configuration for MS-OFBA (e.g.
  5. Set the value .* in property Allowed URLs.

Gateway (WAF) configuration

The mapping for Airlock IAM must be configured to allow the special MS-OFBA web front-end:

  1. Make sure to use the latest mapping template (available here: Configuration of IAM mappings). At least the one delivered with IAM 7.7 is required.
  2. Enable the allow rule MSOFBA Functionality.

Customizing using CSS

To style the MS-OFBA HTML pages, a custom CSS file can be specified:

  • Go to the IAM installation directory (where the instances directory lies).
  • Create the file instances/<instance-name>/loginapp-layout/public/msofba/custom.css.
  • Specify custom styles in the custom.css file.

Adding other 2nd factors using a JavaScript hook

Airlock IAM only supports mTAN as a second factor with MS-OFBA. However, other second factors may be supported by adding custom JavaScript code communicating with IAM's Loginapp REST API.

To do so:

  • Go to the IAM installation directory (where the instances directory lies).
  • Create the file instances/<instance-name>/loginapp-layout/public/msofba/js/custom.js.
  • To support additional second factors, define the variable iam.nextSteps in the custom.js file. It specifies what custom HTML files to load in reaction to the next step codes received in the REST API. Consider the following example:
    iam.nextSteps = { CRONTO_OTP_REQUIRED: 'cronto.html' };
  • The target HTML files may be
    • fully qualified, i.e., starting with https://
    • absolute, i.e., starting with /
    • just the name of an HTML file (e.g. cronto.html) that resides next to all other HTML pages for MS-OFBA in instances/<instance-name>/loginapp-layout/public/. This is the recommended way.
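
The following is an added example, not part of Airlock IAM or of the original page: a small helper that checks an iam.nextSteps map against the three target forms listed above and reports every entry that does not use the recommended bare file name. The function names and all sample entries other than CRONTO_OTP_REQUIRED: 'cronto.html' are hypothetical.

```javascript
// Added example (not Airlock code). Kept to ES3-style syntax (var, for-in)
// because the page says Office embeds IE11 or IE8 browser libraries.

// Classify one target string into the forms the page lists.
function classifyTarget(target) {
  if (typeof target !== 'string' || target === '') { return 'unlisted'; }
  if (/^https:\/\//i.test(target)) { return 'fully-qualified'; }
  // Any other scheme (http:, javascript:, data:, ...) is not a listed form.
  if (/^[a-z][a-z0-9+.\-]*:/i.test(target)) { return 'unlisted'; }
  // Protocol-relative (//host/path) resolves to another host; not a listed form.
  if (/^\/\//.test(target)) { return 'unlisted'; }
  if (target.charAt(0) === '/') { return 'absolute'; }
  // Bare file name next to the other MS-OFBA pages: no path separators.
  if (/^[A-Za-z0-9_\-]+\.html$/.test(target)) { return 'file-name'; }
  return 'unlisted';
}

// Return "STEP_CODE: kind" for every entry that is not the recommended form.
function auditNextSteps(nextSteps) {
  var findings = [];
  for (var code in nextSteps) {
    if (!Object.prototype.hasOwnProperty.call(nextSteps, code)) { continue; }
    var kind = classifyTarget(nextSteps[code]);
    if (kind !== 'file-name') { findings.push(code + ': ' + kind); }
  }
  return findings;
}

// Constructed sample map; only the first entry appears on the page.
var sampleNextSteps = {
  CRONTO_OTP_REQUIRED: 'cronto.html',
  EXAMPLE_STEP_A: 'https://idp.example.com/step-a.html',
  EXAMPLE_STEP_B: '/custom/step-b.html',
  EXAMPLE_STEP_C: 'http://idp.example.com/step-c.html',
  EXAMPLE_STEP_D: '../step-d.html'
};
```

Running auditNextSteps over the map before deploying custom.js shows which second-factor pages are loaded from outside the msofba page directory and therefore deserve a closer look.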