Table of contents

1. Airlock Secure Access Hub
  1.1. Semantic versioning scheme for Airlock Secure Access Hub components
2. About this document
  2.1. How information is structured in this manual
  2.2. Warning tiers in this document
  2.3. Additional panel types
  2.4. Advanced Lucene searches within this online help
3. About Airlock IAM
  3.1. Reference architecture
  3.2. Overview of IAM interfaces
  3.3. IAM modules and databases/directories
  3.4. Incubating features in Airlock IAM
    3.4.1. Self-Sovereign Identities (SSI) – an incubating feature
    3.4.2. Scriptable step overview - an incubating feature
4. IAM 8.3 release notes
  4.1. Airlock IAM 8.3 - Changelog
  4.2. Airlock IAM 8.3 - Actions required when upgrading
  4.3. Airlock IAM 8.3 - Deprecation announcement for future releases
5. Security best practices
  5.1. Sensitive information
  5.2. Separation of IAM modules
  5.3. Requirements for a secure configuration
    5.3.1. Authentication concepts
    5.3.2. Identity propagation
    5.3.3. Self-services
    5.3.4. User enumeration protection
    5.3.5. Escaping HTML values in emails
  5.4. Privilege escalation prevention
  5.5. Operating system, Java runtime, network
  5.6. Security considerations Docker container usage
  5.7. Auditability
  5.8. Selection and parametrization of hash functions
  5.9. Custom extension development
6. Installation and upgrade
  6.1. Quick start guide
  6.2. Data sources (databases, directories)
    6.2.1. Relational databases for IAM
    6.2.2. Generic LDAP directories for IAM
    6.2.3. Microsoft Active Directory (MSAD) for Airlock IAM
  6.3. Installation on a Linux host system
    6.3.1. System requirements
    6.3.2. Installation with installer script
    6.3.3. Manual installation without installer script
    6.3.4. Getting started after installation
  6.4. IAM as Docker image
    6.4.1. Getting the Docker image
    6.4.2. Using the container image
    6.4.3. External secrets
    6.4.4. Storage and volumes
    6.4.5. Examples
    6.4.6. Troubleshooting
  6.5. Upgrade Airlock IAM
    6.5.1. Upgrade a single installation (standard case)
    6.5.2. Upgrade and manage parallel installations (migration case)
    6.5.3. Upgrade Airlock IAM at runtime (rolling upgrade)
    6.5.4. Alternative installation arrangements
    6.5.5. Airlock Gateway mapping upgrade
7. IAM Operation
  7.1. Starting and stopping Airlock IAM (system service integration)
    7.1.1. Creating systemd services
    7.1.2. Customizing systemd services
    7.1.3. Using systemd services with profiles
  7.2. Sandboxing with profiles
    7.2.1. Using profiles
  7.3. Generating Airlock IAM log output
    7.3.1. Log parameters, appenders, and files
    7.3.2. Log rotation
  7.4. Processing Airlock IAM log output
    7.4.1. Airlock IAM logging API
    7.4.2. Reporting with Elasticsearch and Kibana
    7.4.3. Integration with container environments (Docker, Kubernetes, Cloud)
    7.4.4. Custom log agent/data collector
  7.5. User trail logging
    7.5.1. Clean-up task for user trail logs in database
  7.6. Correlation ID for better traceability
  7.7. Log message formats
    7.7.1. Main log format
    7.7.2. Structured log format
  7.8. Monitoring, health checks, and metrics
    7.8.1. Using systemd
    7.8.2. Health checks with liveness and readiness probes
    7.8.3. Metrics (Prometheus, OpenMetrics)
    7.8.4. Java management extensions (JMX)
  7.9. Performance tuning and scaling best practices
  7.10. Data backup and restore
  7.11. Storing session state in an external Redis session repository
  7.12. Connection drop with slash and/or backslash in the username
8. Initial configuration
  8.1. Airlock IAM instances directory
    8.1.1. Application parameters
    8.1.2. Airlock IAM instance configuration
  8.2. Config Editor quick start guide
    8.2.1. Step 1 – Access the Config Editor
    8.2.2. Step 2 – Save current configuration (for later restoration)
    8.2.3. Step 3 – Load the Demo configuration template
    8.2.4. Step 4 – Find the plugin to reconfigure
    8.2.5. Step 5 – Simple configuration change
    8.2.6. Step 6 – Create a new plugin configuration
    8.2.7. Step 7 – Activate changes
    8.2.8. Step 8 – Restore a previous configuration
  8.3. Airlock Gateway and Microgateway configuration for IAM
    8.3.1. Comparison of gateway integration features
    8.3.2. Airlock Gateway for Airlock IAM configuration
    8.3.3. Airlock Microgateway 3.X for Airlock IAM configuration
    8.3.4. Airlock Microgateway 4.X for Airlock IAM configuration
    8.3.5. Securing Airlock IAM with HTTPS
    8.3.6. Airlock Gateway reports Status 503 or Status 400 when trying to access Airlock IAM (HTTP Header Size)
  8.4. User data source configuration (databases and directories)
  8.5. Logging configuration
    8.5.1. Logging parameters
    8.5.2. Log4j 2 configuration files
  8.6. Using custom plugins in Airlock IAM
9. Configuration management
  9.1. Configuration environments
    9.1.1. Configuration environments in the Config Editor
    9.1.2. Config example scenarios and usage
  9.2. Using environment variables in the IAM configuration
  9.3. Configuration contexts
    9.3.1. Planning configuration contexts
    9.3.2. How to configure and use configuration contexts
    9.3.3. Best practices - Configuration contexts and context retention policy
  9.4. Storing sensitive configuration values externally
    9.4.1. Storing sensitive configuration values using the Config Editor
    9.4.2. Storing sensitive configuration values using the IAM CLI (command-line interface)
    9.4.3. Using standard keystore tools
    9.4.4. Technical information
  9.5. IAM Config Editor (UI)
    9.5.1. Plugin trees
    9.5.2. Plugin overview
    9.5.3. Plugin properties
    9.5.4. Flow step plugins in IAM flows
    9.5.5. Sensitive configuration values (config secrets)
    9.5.6. View toggles
    9.5.7. Configuration validation
    9.5.8. Loading and saving a configuration
    9.5.9. Configuration activation timeout
    9.5.10. Configuration activation internals
  9.6. IAM Command-Line Interface (CLI)
10. Authentication of end-users
  10.1. Interaction models for authentication
    10.1.1. REST interaction model
    10.1.2. One-shot interaction model
  10.2. Authentication methods in IAM
    10.2.1. Username and password authentication
    10.2.2. Airlock 2FA as the second factor with IAM
    10.2.3. FIDO authentication (WebAuthn, U2F, CTAP)
    10.2.4. mTAN/SMS authentication
    10.2.5. OATH OTP authentication
    10.2.6. Cronto authentication (OneSpan)
    10.2.7. Digipass OTP authentication (OneSpan)
    10.2.8. Email OTP authentication
    10.2.9. Matrix card authentication
    10.2.10. Token authentication via RADIUS
    10.2.11. Client certificate for browser authentication (X.509)
    10.2.12. Front-side Kerberos authentication
    10.2.13. Single sign-on (SSO) ticket authentication
  10.3. Remember-Me in authentication flows
    10.3.1. Keep me logged-in – persistent authentication between sessions
    10.3.2. Trust this browser/device – persistent 2nd-factor authentication
  10.4. Step-Up authentication
    10.4.1. Gateway- vs. application-triggered step-up
  10.5. Risk-based authentication
  10.6. Failed login counters and temporary locking
    10.6.1. Temporary locking
  10.7. Username transformation: Login with multiple IDs
    10.7.1. User transformation configuration hints
  10.8. Maintenance messages
    10.8.1. Managing maintenance messages
    10.8.2. Maintenance messages examples in the Loginapp
    10.8.3. Maintenance messages usage and limitations
    10.8.4. Maintenance Message Locations
  10.9. User representation
    10.9.1. Terms and definitions in user representation
    10.9.2. User representation use cases
    10.9.3. User representation system design
    10.9.4. User representation flow diagrams
  10.10. Event-based subscriber notification
    10.10.1. Event producers
    10.10.2. Event attributes
    10.10.3. Examples of available event attributes
    10.10.4. Event subscribers
  10.11. Login from a new device - Loginapp Event
  10.12. Actions when the user logs out
11. Self-services for end-users
  11.1. Public self-services for end-users
    11.1.1. User registration self-service
    11.1.2. Unlock self-service
  11.2. Protected self-services for end-users
    11.2.1. Application portal
    11.2.2. User profile self-services
    11.2.3. User lockout self-service
12. Target applications and services
  12.1. Target application selection
  12.2. Access control for end-users (authorization)
    12.2.1. Basic access control concepts
    12.2.2. Authorization of internal services
  12.3. Securing REST APIs/service APIs
    12.3.1. Using the flow authentication API with Airlock Gateway sessions
    12.3.2. Using the flow authentication API with JWTs and one-shot authentication
    12.3.3. Using Device Tokens to authenticate mobile apps
    12.3.4. Using OAuth 2 for native apps (RFC 8252)
  12.4. Identity propagation
  12.5. Terms of service (ToC)
  12.6. PSD2 support
    12.6.1. PSD2 support in Airlock IAM
    12.6.2. NextGenPSD2 (Berlin Group) with Airlock Secure Access Hub
    12.6.3. STET PSD2 with Airlock components
    12.6.4. Technical client in IAM and tech-clients REST API
    12.6.5. Getting issuer certificates for PSD2
    12.6.6. Technical client interceptors (custom plugin)
13. OAuth 2.0 and OpenID Connect (OIDC) overview
  13.1. Introduction to OAuth 2.0 and OIDC
    13.1.1. OAuth 2.0 grant types
    13.1.2. Recommendations for using OAuth and OIDC
    13.1.3. Security best practices for OAuth 2.0 and OIDC
    13.1.4. Terms and definitions
  13.2. Airlock IAM as OAuth Authorization Server (AS)/OpenID Provider (OP)
    13.2.1. URLs and endpoints
    13.2.2. OAuth 2.0 scopes
    13.2.3. OAuth 2.0 claims
    13.2.4. OAuth 2.0 consent
    13.2.5. ACR – Authentication Context Class Reference
    13.2.6. PAR - Pushed Authorization Request on the AS/OP
    13.2.7. PKCE - Proof Key for Code Exchange
    13.2.8. OAuth 2.0/OIDC client authentication
    13.2.9. OAuth and OIDC session management
    13.2.10. OAuth 2.0 OIDC Configuration override
    13.2.11. SSO tickets in the OAuth/OIDC context
    13.2.12. Flow authentication with the Loginapp UI
    13.2.13. Usage examples of the authorization server
  13.3. Airlock IAM as OAuth Client/OIDC Relying Party (RP)
    13.3.1. Processing claims (user attributes) from the AS in IAM
    13.3.2. Account linking
    13.3.3. IAM account creation based on remote IDP data (social registration)
    13.3.4. Example: Mobile app with IAM as OAuth client
    13.3.5. Example: SPA (Single-page Application) with IAM as OAuth client
  13.4. Token Exchange Overview
14. SAML 2.0 (conceptual information)
  14.1. SAML terms and definitions
  14.2. SAML web browser SSO with POST binding
  14.3. SAML web browser SSO with HTTP artifact binding
  14.4. SAML Single logout (SLO)
  14.5. How to set up a proxy for SAML artifact binding
  14.6. Troubleshooting SAML
    14.6.1. AuthnContext doesn't match RequestedAuthnContext
    14.6.2. Missing default AssertionConsumerService in SP metadata
    14.6.3. SLO exception in debug mode
    14.6.4. AuthnRequest for an unknown target application
    14.6.5. Entity IDs do not match
    14.6.6. SLO not working in SP
    14.6.7. Host flag not set or using without FQDN
    14.6.8. MetaAlias missing or entity IDs do not match
    14.6.9. NullPointerException processing SAML assertion in SP
    14.6.10. Mismatch in CoT list definition
    14.6.11. IDP entity ID not found in SP
    14.6.12. Unsupported SAML signature algorithms in IAM 7.6 and later
15. API access control with Airlock Secure Access Hub
  15.1. Solution overview
    15.1.1. Terms and definitions
    15.1.2. Request processing (sequence diagram)
    15.1.3. API access control - how it works in detail
  15.2. Tech-Client management
    15.2.1. Profile management
    15.2.2. Plan management
    15.2.3. API key management
  15.3. API access control configuration for Airlock IAM and Airlock Gateway
    15.3.1. Configure the Airlock IAM API policy service
    15.3.2. Configure Tech-Client management in Airlock IAM
16. Flows as Airlock IAM concept
  16.1. General information about Airlock IAM flows
    16.1.1. Flow processing internals
    16.1.2. Flow Engine interaction with REST API
    16.1.3. Session tracking
    16.1.4. Mapping Flow steps to REST API next step codes
  16.2. Flow step properties
  16.3. Flow tags and red flags
  16.4. Flow selection and conditions
    16.4.1. HTTP Request Header Value Provider
  16.5. Goto (flow concept)
  16.6. Dynamic step activation (DSA) - flow concept
  16.7. Failed factor attempts
  16.8. Flow error handling
  16.9. Protected Flows
17. Loginapp Configuration
  17.1. Loginapp REST API
    17.1.1. REST API service overview
    17.1.2. Authentication REST API
    17.1.3. User self-registration REST API
    17.1.4. Public self-service flows REST APIs
    17.1.5. Protected self-service REST APIs
    17.1.6. SAML IDP setup with the Loginapp REST API
    17.1.7. SAML SP setup with the Loginapp REST API
    17.1.8. Cleanup on user lock
    17.1.9. Customizing non-UI-related text elements in the Loginapp REST API
    17.1.10. Additional attributes in REST responses
    17.1.11. JWKS endpoint
  17.2. Loginapp UI
    17.2.1. Loginapp UI configuration
    17.2.2. Loginapp Design Kit for Loginapp UI customization
    17.2.3. Content Security Policy for the Loginapp UI
  17.3. HTTP request authentication (One-Shot flow)
    17.3.1. One-Shot Configuration
    17.3.2. Example: Authenticate HTTP request with JWT
    17.3.3. Front-Side Kerberos configuration (one-shot flow)
    17.3.4. One-shot target application configuration for MS-OFBA
  17.4. OAuth 2.0 / OIDC configuration
    17.4.1. Configuration of IAM as OAuth Authorization Server / OpenID Provider
    17.4.2. Configuration of Airlock IAM as OAuth Client / OIDC Relying Party (RP)
  17.5. HTTP Basic Auth access
  17.6. Event notification configuration in the Loginapp
18. Adminapp Configuration
  18.1. Adminapp UI configuration and access options
  18.2. Adminapp REST API
  18.3. User search in Adminapp
    18.3.1. User search in Adminapp configuration
  18.4. Password management in the IAM Adminapp
  18.5. Airlock 2FA token management configuration
  18.6. FIDO token management in the IAM Adminapp
  18.7. Cronto Token Controller configuration
  18.8. Digipass OTP configuration
    18.8.1. Digipass OTP tokens in Users management menu (Adminapp)
    18.8.2. Digipass OTP tokens in Tokens management menu (Adminapp)
    18.8.3. Digipass OTP administrative use-cases
  18.9. Matrix card management in the Adminapp
  18.10. Remember-Me configuration in Adminapp
  18.11. Generic token controller for token management in the Adminapp
    18.11.1. Generic token REST endpoint
    18.11.2. Generic Token Controller UI configuration
  18.12. User Management Extension in the IAM Adminapp
    18.12.1. User Management Extensions (Adminapp) Hello World Example
    18.12.2. User Management Extensions (Adminapp) Send Message Example
  18.13. Maintenance Messages menu in the Adminapp
  18.14. User-group dependent settings
  18.15. Admin roles and user groups in Adminapp
    18.15.1. Access Control
    18.15.2. Segregation of duties
    18.15.3. Segregation of users
    18.15.4. Privilege escalation protected administrator roles (PEPAR) in the Adminapp
  18.16. Realm administration
    18.16.1. Conceptual overview of Realm Administration
    18.16.2. Configuration of Realm Administration
    18.16.3. Usage of Realm Administration
  18.17. Event notification configuration in the Adminapp
  18.18. Customizing text elements in the Adminapp UI
  18.19. Adminapp log viewer
  18.20. Adminapp Content Security Policy (CSP)
19. Service Container Configuration
  19.1. RADIUS server
    19.1.1. Configure the RADIUS server for Airlock 2FA
  19.2. Cronto activation letter generation
  19.3. Airlock 2FA letter generation task
  19.4. Matrix card generation in the Service Container
  19.5. Customizing text elements in the Service Container
  19.6. Remember-Me token cleanup task configuration
20. Transaction Approval Configuration
  20.1. Transaction approval REST API
    20.1.1. Transaction approval flow selection
    20.1.2. User identifying step
    20.1.3. Parameter step and message providers
    20.1.4. Selection of authentication token and authTokenId usage
    20.1.5. Approval steps
    20.1.6. Message provider configuration
    20.1.7. Authentication of the delegating entity (REST client authentication)
    20.1.8. Transaction approval with Airlock 2FA
    20.1.9. Transaction approval with mTAN (SMS)
    20.1.10. Transaction approval with Cronto Push
  20.2. Customizing text elements in the Transaction Approval module
  20.3. Cronto message custom formatting for the Transaction Approval module
21. IAM REST APIs
  21.1. Authentication of REST requests
  21.2. Authentication of REST API calls with client certificates (X.509)
22. Customizing UIs and texts
  22.1. Internationalization (i18n) with language and locale codes
  22.2. Report templates based on Word documents
    22.2.1. Plugins
    22.2.2. Parameter replacement
    22.2.3. Further examples using MessageFormat
    22.2.4. Extra information in password (and similar) letters
23. Third-party licenses