One-shot target application configuration for MS-OFBA
This article shows how to configure a one-shot target application for usage with MS-OFBA.
Note that this article covers only part of the MS-OFBA setup. Please refer to MS-OFBA Configuration in Airlock Gateway and Airlock IAM for all configuration steps.
The one-shot target application configuration handles the MS-OFBA-specific HTTP protocol parts and redirects the web browser built into MS-Office applications (such as Word) to the login screen.
Prerequisites
- Airlock Gateway must be configured to redirect the authentication request to IAM.
- SharePoint must be configured as back-end in Airlock Gateway.
Limited Loginapp features available
Note that the MS-Office applications (e.g. Word) use outdated browser libraries (IE11 or IE8) that are not compatible with the Airlock IAM Loginapp UI.
For MS-OFBA, the Loginapp UI therefore offers a separate, much more limited front-end written in JavaScript. Currently, only username/password authentication and mTAN as the second factor are supported.
If Microsoft does not update to newer browser libraries, MS-OFBA support may be removed from Airlock IAM in future versions.
Instructions
- Go to: Loginapp >> One-Shot Authentication
- Create a new target application of type MS-OFBA One-Shot Target Application and open it.
- Set the properties according to the examples in the following table. Consult the property documentation in the Config Editor for further information.
| Property | Value for Loginapp UI |
| --- | --- |
| URL Pattern | https://myhost.com/sharepoint/.* |
| User Agent HTTP Header Pattern | Microsoft Office(.*) |
| Browser Redirect URL | https://myhost.com/auth/public/msofba/index.html |
| MS-OFBA Authentication URL | https://myhost.com/auth/public/msofba/index.html |
| MS-OFBA Success URL | https://myhost.com/auth/public/msofba/success.html |
| MS-OFBA Display Size | 800x600 |
- In the IAM mapping on Airlock Gateway (WAF), make sure to enable the allow rule for one-shot authentication (One-Shot Functionality).
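The following added example (illustration only, not Airlock IAM code) models how a one-shot target application configured with the values from the table above decides whether a request belongs to it and which MS-OFBA response it produces. It assumes that both patterns are evaluated as full-match regular expressions, that Office announces MS-OFBA support with the `X-FORMS_BASED_AUTH_ACCEPTED: t` request header and expects the `X-FORMS_BASED_AUTH_*` response headers from the MS-OFBA protocol (these header names come from the protocol specification, not from this page), and that clients without that header get a plain redirect to the Browser Redirect URL.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MsOfbaTargetApp:
    """Hypothetical model of the one-shot target application properties."""
    url_pattern: str
    user_agent_pattern: str
    browser_redirect_url: str
    auth_url: str
    success_url: str
    display_size: str

    def matches(self, url: str, user_agent: str) -> bool:
        # Assumption: the Config Editor patterns are full-match regexes.
        # Unanchored or overly broad patterns would capture requests
        # that were never meant for MS-OFBA handling.
        return (re.fullmatch(self.url_pattern, url) is not None
                and re.fullmatch(self.user_agent_pattern, user_agent) is not None)


def msofba_challenge(app: MsOfbaTargetApp, url: str, headers: dict):
    """Return (status, response_headers) for an unauthenticated request,
    or None if the request is not handled by this target application."""
    user_agent = headers.get("User-Agent", "")
    if not app.matches(url, user_agent):
        return None  # not an Office request for the protected URL space
    if headers.get("X-FORMS_BASED_AUTH_ACCEPTED", "").lower() == "t":
        # MS-OFBA client: 403 plus the protocol headers that tell Office
        # where to log in, which URL marks success, and the dialog size.
        return 403, {
            "X-FORMS_BASED_AUTH_REQUIRED": app.auth_url,
            "X-FORMS_BASED_AUTH_RETURN_URL": app.success_url,
            "X-FORMS_BASED_AUTH_DIALOG_SIZE": app.display_size,
        }
    # Assumption: Office clients that do not announce MS-OFBA support
    # are simply redirected to the login page.
    return 302, {"Location": app.browser_redirect_url}


# Values taken from the configuration table above.
APP = MsOfbaTargetApp(
    url_pattern=r"https://myhost.com/sharepoint/.*",
    user_agent_pattern=r"Microsoft Office(.*)",
    browser_redirect_url="https://myhost.com/auth/public/msofba/index.html",
    auth_url="https://myhost.com/auth/public/msofba/index.html",
    success_url="https://myhost.com/auth/public/msofba/success.html",
    display_size="800x600",
)
```

Requests from an ordinary browser, or for URLs outside the SharePoint path, fall through to normal handling; only matching Office requests receive the MS-OFBA challenge.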