Configuration of IAM mappings

Upload mapping templates to Airlock Gateway

 
Notice

With Airlock IAM 8.0 the support for JSP-Loginapp has been removed and the Airlock Gateway templates have been updated accordingly.

For the latest available JSP-Loginapp compatible templates, choose Airlock IAM 7.7 templates for Airlock Gateway.

This article describes how to upload mapping templates for the Airlock IAM modules to the Airlock Gateway Configuration Center and how to adapt them. A mapping template is a pre-configured mapping between a virtual host and a back-end application that defines all the rules, exceptions and security settings required to get the application up and running. Mapping templates allow rapid configuration of complex back-end applications with maximum security.

Create one or more new mappings for Airlock IAM:

  1. Download the appropriate mapping template:
  2. In the Airlock Gateway Configuration Center, go to:
    Application Firewall >> Reverse Proxy
  3. Import the downloaded mapping template.
  4. This will add the following new and unconnected mapping templates to the mapping list:
    • For the Loginapp:
      Airlock-IAM-Loginapp
        Description: Basic Loginapp mapping
        Used for: all IAM Loginapp features, including REST APIs.
      Airlock-IAM-Loginapp-REST-Protected
        Description: Loginapp REST API mapping for protected calls
        Used for: enforcing the OpenAPI specification on the protected part of the Loginapp REST API. Required only if that enforcement is wanted; can be deleted if OpenAPI specification enforcement is not required.
      Airlock-IAM-Loginapp-REST-Public
        Description: Loginapp REST API mapping for public calls
        Used for: enforcing the OpenAPI specification on the public part of the Loginapp REST API. Required only if that enforcement is wanted; can be deleted if OpenAPI specification enforcement is not required.
    • For the Adminapp:
      Airlock-IAM-Adminapp
        Description: Basic Adminapp mapping
        Used for: all IAM Adminapp features.
      Airlock-IAM-Adminapp-REST
        Description: Mapping for Adminapp REST API client calls
        Used for: enforcing the corresponding OpenAPI specification. Required only if OpenAPI enforcement is wanted; can be deleted if OpenAPI specification enforcement is not required.
      Airlock-IAM-Servicecontainer
        Description: Basic mapping for the Airlock IAM Service Container
        Used for: the Service Container services, such as the RADIUS Authentication Service and the Task Scheduler Service.
    • For transaction approval:
      Airlock-IAM-Transaction-Approval
        Description: Basic mapping for the Airlock IAM Transaction Approval application
        Used for: all features of the Transaction Approval module, including REST APIs.
Using and adapting the basic Loginapp mapping (Airlock-IAM-Loginapp)

After uploading the templates, adapt the basic template:

  1. Set the entry and back-end paths:
    • Change the entry path to your needs. The default value /auth works with most other Airlock IAM tutorials and is the recommended choice.
    • Change the back-end path to point to the context path of the corresponding Loginapp instance (for example /prod-login).
  2. Info: to find out the context path of a Loginapp, use the following CLI command:

     iam info -i <instance-name> | grep iam.loginapp.url.path

     Example for instance auth:

     iam info -i auth | grep iam.loginapp.url.path
  3. In the Allow Rules tab of the mapping, activate the allow rules corresponding to all required Loginapp functionalities. For security reasons, activate only those allow rules that are actually needed.
  4. Connect the Airlock IAM mapping to a virtual host and a back-end group.
  5. Activate the configuration.

Using the API Enforcement feature to protect IAM REST APIs

  • The Airlock Gateway's API Enforcement feature validates each REST request against the OpenAPI specification (OAS) of an API.
  • IAM provides OpenAPI specification (OAS) files for Loginapp, Adminapp, and Transaction Approval with each IAM version.
  • See OpenAPI specification and validation for how to use the OpenAPI specification for IAM.
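To make concrete what API enforcement does with those OAS files, here is a small added example (not code from this page, from Airlock, or from the IAM OpenAPI files): a minimal validator that applies a positive security model to one request. The specification it uses is a constructed toy with invented paths (/api/public/login, /api/protected/users/{userId}); the real IAM specifications are far larger, and the point is only the behaviour: a request the specification does not describe (unknown path or method, unknown query parameter, missing required field, extra body field, wrong type) is rejected before it reaches the back end, which is why the specification must be updated whenever IAM is upgraded.

```python
"""Request enforcement against an OpenAPI spec (added example, not Airlock code).
The spec below is a constructed toy with invented paths, NOT the OpenAPI file
shipped with Airlock IAM. It shows the positive security model that API
enforcement applies: a request the spec does not describe (unknown path or
method, missing or unknown parameter, unexpected field, wrong type) is rejected."""
import json
import re

# Constructed toy specification; only the OpenAPI subset the checks below use.
TOY_SPEC = {"openapi": "3.0.0", "paths": {
    "/api/public/login": {"post": {"requestBody": {
        "required": True,
        "content": {"application/json": {"schema": {
            "type": "object",
            "additionalProperties": False,
            "required": ["username", "password"],
            "properties": {"username": {"type": "string"},
                           "password": {"type": "string"}},
        }}},
    }}},
    "/api/protected/users/{userId}": {"get": {"parameters": [
        {"name": "userId", "in": "path", "required": True,
         "schema": {"type": "string", "pattern": "^[a-z0-9]{1,32}$"}},
        {"name": "expand", "in": "query", "required": False,
         "schema": {"type": "string"}},
    ]}},
}}

JSON_TYPES = {"string": str, "integer": int, "boolean": bool, "object": dict, "array": list}


def _match_path(spec, path):
    """Return (path_item, {param: value}) for the template matching path, else (None, None)."""
    for template, item in spec["paths"].items():
        parts = re.split(r"(\{[^}]+\})", template)
        regex = "".join(r"([^/]+)" if p.startswith("{") else re.escape(p) for p in parts)
        m = re.fullmatch(regex, path)
        if m:
            names = re.findall(r"\{([^}]+)\}", template)
            return item, dict(zip(names, m.groups()))
    return None, None


def _check_schema(value, schema, where):
    """Validate value against a small JSON Schema subset; return a list of violations."""
    expected = JSON_TYPES.get(schema.get("type"))
    # bool is a subclass of int in Python; keep integer and boolean distinct.
    if expected and (not isinstance(value, expected)
                     or (expected is int and isinstance(value, bool))):
        return [f"{where}: expected {schema['type']}"]
    errors = []
    pattern = schema.get("pattern")
    if pattern and isinstance(value, str) and not re.fullmatch(pattern, value):
        errors.append(f"{where}: does not match pattern {pattern}")
    if isinstance(value, dict):
        for req in schema.get("required", []):
            if req not in value:
                errors.append(f"{where}.{req}: required property missing")
        props = schema.get("properties", {})
        if schema.get("additionalProperties", True) is False:
            for extra in sorted(set(value) - set(props)):
                errors.append(f"{where}.{extra}: property not in specification")
        for name, sub in props.items():
            if name in value:
                errors.extend(_check_schema(value[name], sub, f"{where}.{name}"))
    return errors


def enforce(spec, method, path, query=None, body=None):
    """Check one request against the spec; an empty list means 'allowed'."""
    query = query or {}
    item, path_params = _match_path(spec, path)
    if item is None:
        return [f"{path}: path not in specification"]
    op = item.get(method.lower())
    if op is None:
        return [f"{method} {path}: method not in specification"]
    errors, params = [], op.get("parameters", [])
    for p in params:
        source = path_params if p["in"] == "path" else query
        if p["name"] not in source:
            if p.get("required"):
                errors.append(f"{p['in']}.{p['name']}: required parameter missing")
            continue
        errors.extend(_check_schema(source[p["name"]], p.get("schema", {}), f"{p['in']}.{p['name']}"))
    # Positive security model: query parameters the spec does not list are rejected.
    known = {p["name"] for p in params if p["in"] == "query"}
    errors += [f"query.{q}: parameter not in specification" for q in sorted(set(query) - known)]
    rb = op.get("requestBody")
    if rb is None:
        return errors + (["body: operation does not accept a request body"] if body is not None else [])
    if body is None:
        return errors + (["body: required but missing"] if rb.get("required") else [])
    if isinstance(body, (str, bytes)):
        try:
            body = json.loads(body)
        except ValueError:
            return errors + ["body: not valid JSON"]
    return errors + _check_schema(body, rb["content"]["application/json"]["schema"], "body")
```

Calling `enforce(TOY_SPEC, "POST", "/api/public/login", body='{"username": "alice", "password": "s3cret"}')` returns an empty list (allowed), while the same call with an extra `"role": "admin"` field, a `GET` on that path, or a `?debug=1` query parameter on the users endpoint returns a violation naming exactly what the specification does not cover. The same mechanism is why a stale specification breaks legitimate clients after an IAM upgrade: a new field or endpoint in IAM is, to the gateway, simply undescribed and therefore blocked.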
 
Notice

When upgrading Airlock IAM, remember to update the OpenAPI specification accordingly.

 
Notice

API enforcement must be licensed separately and enabled explicitly in Airlock Gateway. If you do not want to use API enforcement, you can disable this feature in Airlock Gateway and delete the corresponding mappings imported with the IAM mapping template files.

CSRF protection

 
Notice

CSRF token protection of Airlock Gateway:

  • The gateway CSRF token protection feature is activated on all Loginapp REST mappings using the mapping template 7.6 and newer.
  • This may require small changes to custom single-page applications to handle possible CSRF blocks. If this is not possible, the CSRF protection on these mappings can be disabled to return to the previous behavior.