Configuration contexts
Configuration contexts are used to determine the specific configuration of Airlock IAM based on how IAM is accessed. Using this feature, it is possible for IAM to behave differently, e.g., based on the client or the target URL.
Configuration contexts may be used to avoid duplicating large parts of a configuration and adapt it to a particular context.
It is recommended to use configuration contexts sparingly.
Configuration contexts can only be used in the Loginapp, Transaction Approval and API Policy Service.
Configuration context examples
How a meaningful configuration context is determined depends on the use case.
The following list shows some examples to illustrate the flexibility of this feature. Configuration context can be determined based on:
- Client IPs (e.g. intranet access vs. internet access).
- URL the Loginapp was accessed by:
  - Domain: a.iam.com or b.iam.com
  - Context path: /auth/ or /secure/
- Information from a client certificate (mutual TLS).
Context retention policy
IAM supports two policies for how context retention is applied:
- The Request Context Retention policy determines the IAM context for every request.
- The Session Context Retention policy determines the IAM context once and retains it for as long as no context extractor matches and changes the context.
A typical use case example for a Session Context Retention policy would be a query parameter on the first call of a flow. An HTTP Query Parameter Context Extractor would be used to match the query parameter's different values and set the context accordingly. The following steps in the flow do not use query parameters so that the context will remain unchanged throughout the entire flow.
Context retention policies can only be used in the Loginapp.
Supported IAM modules
Some Airlock IAM modules do not support configuration contexts.
Support is limited to the following modules:
- Loginapp REST API
- Transaction Approval module
- API Policy Service
Limitations
The following are limitations of the current implementation of configuration contexts:
- Configuration contexts are determined on the Airlock IAM server, not the browser. Use the HTTP Query Parameter Context Extractor plugin to allow the browser to define the configuration context.
- To use configuration contexts successfully within flows, it must be guaranteed that the configuration context never changes during an entire flow. A change in the configuration context will abort the flow as a failure. Use the Session Context Retention Policy plugin to fix the configuration context for the entire flow.
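The interaction between the two retention policies and the flow limitation above can be traced with a small model. This is an added example, not Airlock IAM code or configuration: the query parameter name `ctx`, the context names, the URL paths after /auth/ and the fallback to a default context when no extractor matches are all assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

DEFAULT_CONTEXT = "default"  # assumption: context used when no extractor matches


def query_param_extractor(url, param="ctx"):
    """Return the context named by the query parameter, or None if absent."""
    values = parse_qs(urlsplit(url).query).get(param)
    return values[0] if values else None


def resolve_contexts(urls, policy):
    """Return the context chosen per request under 'request' or 'session' retention."""
    if policy not in ("request", "session"):
        raise ValueError(f"unknown policy: {policy}")
    retained = DEFAULT_CONTEXT
    contexts = []
    for url in urls:
        matched = query_param_extractor(url)
        if policy == "request":
            # Determined for every request: no match falls back to the default.
            current = matched or DEFAULT_CONTEXT
        else:
            # Determined once, retained until an extractor matches again.
            current = matched or retained
            retained = current
        contexts.append(current)
    return contexts


def flow_outcome(contexts):
    """A flow is aborted as a failure as soon as its context changes."""
    for step, ctx in enumerate(contexts[1:], start=2):
        if ctx != contexts[0]:
            return f"aborted at step {step}"
    return "completed"


# Constructed flow: only the first call carries the query parameter.
FLOW = [
    "https://a.iam.com/auth/login?ctx=partner",
    "https://a.iam.com/auth/password",
    "https://a.iam.com/auth/otp",
]

if __name__ == "__main__":
    for policy in ("request", "session"):
        contexts = resolve_contexts(FLOW, policy)
        print(policy, contexts, flow_outcome(contexts))
```

In this model the per-request policy loses the context on the second step and the flow aborts, while the session policy keeps it; a later request that carries a different parameter value would still change the retained context and abort the flow.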