Processing role removal information provided by Airlock Gateway

Airlock Gateway maintains the list of roles granted for each user session. It uses this information to determine if a specific user is authorized to access a particular backend.

Role removal may be initiated by both internal features of the gateway (e.g. Client Fingerprinting, Anomaly Shield) and external systems. Independent of the source of the role removal the intended result is to de-authorize the user and prevent access to certain backends.

Airlock IAM must ensure that re-acquiring these roles require the user to pass selected authentication flow steps. To achieve this goal, Airlock IAM provides a feature that removes a list of tags from the session, if the Gateway reports certain roles removed on the Gateway session. With the tags removed from the user session, skip conditions in authentication flows will fail and the selected authentication steps need to be passed by the user.

Airlock Gateway environment cookies

Airlock Gateway provides information about available and removed roles in environment cookies:

Cookie Name




Lists all roles that are currently stored in this specific session on the Gateway



Lists all roles that have been removed from the Gateway and have not been restored by any system.


This information can be used in IAM flows to process the removal of roles and therefore remove tags from the IAM session.

Configuration of Removed Roles Mappings

  1. Go to:
    Loginapp >> Gateway Settings
  2. One or more Removed Roles Mapping plugins in the Removed Roles Mappings list.
  3. Configure the Role Name parameter to match the role removed by Airlock Gateway.
  4. Add a Tag plugin to the list of tags for every tag to be removed.
  5. This configuration will remove all listed tags when the role name matches one of the roles in the AL_ENV_REMOVED_ROLES environment cookie.