Plugin Reference - Airlock IAM 8.4.1

Plugin Index

A

Abort Step
AcaPy SSI Service
Accepted SSO Tickets Clean-up Task
Accepting Authenticator
Accepting Password Service
Access Cookie Identity Propagator
Account Link Consistency User Change Listener
Account Link Database Repository
Account Link Linking Initiation Step
Account Link Management Config
Account Link Management UI
Account Link Management UI Redirect
Account Link Removal Initiation Step
Account Linking Lists Self Services
Account Linking Required Red Flag
Account Linking Required Red Flag Condition
Account Linking Self Service Config
Ace Radius Token Verifier
Acknowledge Message Step
ACR to Flow Application ID Mapping
Active Authentication Method
Active Directory Authentication Failure Mapper
Active Directory Connector
Active Directory Password Policy
Active Directory Password Policy Connector
Active Directory Password Repository
Actor Claim from Actor Token (OAuth 2.0 Token Exchange)
Actor Token Unsigned Claims Extractor
Add Authentee Attribute Config
Add Roles
Add Scope From Request Parameter
Add Scope From Subject Token
Add Static Scope
Additional Context Data
Additional Password Check Attribute Map
Admin Role Specific Setting
Admin SSO Ticket Request Authentication
Adminapp
Adminapp Content Security Policy
Adminapp Event Settings
Adminapp Language Settings
Adminapp REST API Configuration
Administrators Configuration
Administrators Management
Advanced Location Interpreter Config
Advanced Migration Selection Option
AES 128 GCM State Encryption
AES256 Decryption Ticket Decoder
AES256 Encryption Ticket Encoder
Age Check Password Policy
Aggregate Report
Airlock 2FA Activation Authentication UI
Airlock 2FA Activation Authentication UI (with additional Activation)
Airlock 2FA Activation Letter Order Step
Airlock 2FA Activation Letter Order User Event Listener
Airlock 2FA Activation Letter Task
Airlock 2FA Activation Step
Airlock 2FA Activation Step (with additional Activation)
Airlock 2FA Activation Step Self-Registration UI
Airlock 2FA Activation Step Self-Service UI
Airlock 2FA Activation Trusted Session Binding Step
Airlock 2FA Apply Device Deletion Change
Airlock 2FA Apply Device Edit Change
Airlock 2FA Approval UI (Protected Self-service)
Airlock 2FA Approval UI (Public Self-service)
Airlock 2FA Authentication Data Map
Airlock 2FA Authentication Step
Airlock 2FA Authentication UI
Airlock 2FA Authenticator
Airlock 2FA Consistency User Change Listener
Airlock 2FA Database Repository
Airlock 2FA Delete Devices Step
Airlock 2FA Device Activated
Airlock 2FA Device Delete Initiation Step
Airlock 2FA Device Deleted
Airlock 2FA Device Deletion Possible
Airlock 2FA Device Edit Initiation Step
Airlock 2FA Device Edit Step
Airlock 2FA Device In Cooldown Used
Airlock 2FA Device List
Airlock 2FA Device Management UI
Airlock 2FA Device Management UI Redirect
Airlock 2FA Information Item
Airlock 2FA Login ID Parameter
Airlock 2FA Message Provider
Airlock 2FA Mobile Only Authentication Step
Airlock 2FA Public Self-Service Approval Step
Airlock 2FA Recovery Trusted Session Binding Step
Airlock 2FA Self-Service Approval Step
Airlock 2FA Settings
Airlock 2FA Token Controller
Airlock 2FA Token Insertion Handler
Airlock 2FA Transaction Approval Step
Airlock 2FA Username Transformer
Airlock 2FA Usernameless Authentication Step
Airlock 2FA was used for login (Transaction Approval only)
Airlock Gateway Roles Config
Airlock Gateway Settings
Airlock Gateway Settings (Loginapp)
Airlock Microgateway Settings
Alias User Item
All Devices Except Most Recently Registered
All Devices Except Registered In Flow
All Ok On Behalf Login Step Validator
All Phone Numbers Provider
All Required Roles Match
All User Roles
Allowed Characters Password Policy
Allowed Username Password Combination
Alphabet
Always Down Check
Always False
Always Revoked Status Checker
Always True
Always True Representation Authorization
And Claim Condition Config
Anomaly Shield State Risk Extractor Config
Any Required Role Matches
API Policy Service
App Device Used For Login Unless Last App Device
Application ID
Application Portal Group Config
Application Portal Target Config
Application Portal UI
Apply Account Link Deletion
Apply Account Link Linking
Apply Changes Step
Apply Cronto Device Deletion
Apply Cronto Device Disabling
Apply Cronto Device Enabling
Apply Cronto Device Renaming
Apply Cronto Push Disabling
Apply Cronto Push Enabling
Apply Device Token Registration
Apply Email Change
Apply FIDO Credential Deletion
Apply FIDO Credential Disabling
Apply FIDO Credential Display Name Change
Apply FIDO Credential Enabling
Apply mTAN Deletion
Apply mTAN Edit Change
Apply mTAN Registration Change
Apply OAuth 2.0 Consent Deny
Apply OAuth 2.0 Consent Grant
Apply OAuth 2.0 Consents Deletion
Apply OAuth 2.0 Session Deletion
Apply Remember-Me Device Deletion
Apply User Data Edit Change Config
ASP SMS Gateway
Assertion Attribute
Audience From Request Parameter (OAuth 2.0 Token Exchange)
Audience From Subject Token (OAuth 2.0 Token Exchange)
Audit Token SAML 2.0 Attribute
Auth Method-based Authenticator Selector
Auth Token ID SAML 2.0 Attribute
Authenticated Client ID (OAuth 2.0 Token Exchange)
Authentication & Authorization UI
Authentication & Authorization UIs
Authentication Data Map
Authentication Flow
Authentication Flow Successfully Completed
Authentication Instant SAML 2.0 Attribute
Authentication Method Changed
Authentication Method Condition
Authentication Method Identifier Mapping
AuthnContextClassRef URI SAML 2.0 Attribute
Authorization Flow
Automated Account Registration
AWS Access Key Authentication
AWS Custom Service Access
AWS Default Authentication
AWS Default Service Access
AWS Key Management Service
AWS KMS Password Decryption
AWS KMS Password Hash

B

Base64 Password Hash Encoder
Base64 String Encoder
Basic Auth Credentials
Basic Auth Error Mapper
Basic Auth HTTP Header Extractor
Basic Auth Request Authentication
Basic Auth Token Introspection Config
Basic mTAN Settings
Basic Secret Question Settings
Bcrypt Password Hash
Bearer Token HTTP Header Extractor (as Token Credential)
Body And HTTP Status On Behalf Login Step Validator
Body Status On Behalf Login Step Validator
Boolean Condition Config
Boolean Context Data
Boolean Context Data Item Config
Boolean Context Data Item Name
Boolean Context Data Value Provider
Boolean Data Transformer
Boolean Input Token Controller Element
Boolean User Context Data Item
Boolean User Profile Item Config
Button Group UI Element
Button UI Element

C

Caching Certificate Status Checker
Cancel Button UI Element
CAPTCHA Processor
CAPTCHA UI Element
Certificate Authenticator
Certificate Credential Extraction Step Config
Certificate Data Extractor Task
Certificate Data to Context Data Mapping
Certificate Subject Organization Identifier Equality Credential Verifier
Certificate Token Authenticator
Certificate Token Controller
Certificate Token Credential Extractor Config
Chaining Identity Propagator
Changed Email Address Provider
Checkbox UI Element
Cipher Credential Persister
Cipher Token List Persister
Cipher User Persister
Claim From Subject Token (OAuth 2.0 Token Exchange)
Claim Set Custom Claim
Claim Validator
Client Certificate (X.509) Credential Extractor
Client Certificate (X.509) Request Authentication
Client Certificate Context Extractor
Client Certificate Context Extractor Pattern
Client Certificate PEM Format
Client Certificate XFCC Format
Client Fingerprinting Score Risk Extractor
Client ID Custom Claim
Client ID From Subject Token (OAuth 2.0 Token Exchange)
Client ID Of Authenticated Client (OAuth 2.0 Token Exchange)
Client IP SAML 2.0 Attribute
Client Name Processor
Coloring Rule
Combined Password Hash
Combining Context Extractor
Combining Extended User Persister
Combining Role Provider
Combining User Persister
Complete Migration Step
Composite Password Service
Concatenating Context Extractor
Condition-based Role Provider
Conditional Identity Propagator
Conditional Risk-based Role Derivation
Conditional Value Map Provider
Configurable Error Mapper
Configurable HTTP CRL Obtainer
Configuration-based Authenticator
Configured User Data
Contacts Processor
Context Data Access Rule
Context Data Changed
Context Data Condition
Context Data Item
Context Data Item (Airlock 2FA Account Display Name)
Context Data Map
Context Data Regex Condition
Context Data SAML 2.0 Attribute
Context Data String Custom Claim
Context Data Uniqueness Check
Context Data User Group Condition
Context Data User Validator
Context Data Username
Context Data Username Provider
Context Data Username Transformer
Context Pattern
Cookie Mapping
Cookie Ticket Adder Config
Cookie Ticket Identity Propagator
Correlation ID Settings
CORS Settings
Create Airlock 2FA Device Activation Letters
Create Airlock 2FA Hardware Token Shipment Letters
Credential Data Certificate Matcher
Credential Data mTAN Handler
Credential Report Task
Credential Secret Batch Task
Credential Secret Generator
Credential to Authenticator Mapping
Credential-based Attribute Mapping
Credential-based Authenticator Selector
Credential-based Generic Token Repository
CRL Certificate Status Checker
CRL Distribution Point Extension CRL Checker
CRL HTTP Obtainer
Cronto Activation Possible
Cronto Activation Required
Cronto Activation Step
Cronto Approval Stealth Step
Cronto Authentication Step
Cronto Challenge Token Cleanup Strategy
Cronto Device Activated
Cronto Device Deleted
Cronto Device List
Cronto Device Management UI
Cronto Device Management UI Redirect
Cronto Device Removal Possible
Cronto Device Reset Step Config
Cronto Device Selection Step
Cronto Engine Handler
Cronto Legacy Login Message Provider Config
Cronto Letter Order Condition Config
Cronto Letter Order Step Config
Cronto Letter User Event Listener
Cronto Message Provider
Cronto Public Self-Service Approval Step
Cronto Push Notification Sender
Cronto Report Strategy
Cronto Self-Service Approval Step
Cronto Self-Services (Legacy)
Cronto Token Controller
Cronto Token Service
Cronto Transaction Approval Step
Cronto was used for login (Transaction Approval only)
CrontoSign Swiss App
CrontoSign Swiss Push Activation Possible
CrontoSign Swiss Push Activation Step
CSRF Token Extraction Step
CSV Renderer
CSV Users Export
Current Date And Time Value Provider
Custom CAPTCHA
Custom Claim (OAuth 2.0 Token Exchange)
Custom Configuration-based Authentication UI
Custom Configuration-based Public Self-Service UI
Custom Configuration-based Self-Service UI
Custom Configuration-based User Self-Registration UI
Custom Flow Processors
Custom JavaScript-based Authentication UI
Custom JavaScript-based Public Self-Service UI
Custom JavaScript-based Self-Service UI
Custom JavaScript-based User Self-Registration UI
Custom Protected Self-Service Flow
Custom Public Self-Service Restrictions
Custom User Persister-based User Store Provider
Customizable Device List
Customizable Identity Generator
Customizable Password Policy

D

Data Sources
Database Credential Persister
Database Field
Database Login History Repository Config
Database Maintenance Message Persister
Database Sequence Generator
Database Token List Persister
Database Token Persister
Database User Persister
Database User Store
Date And Time Context Data
Date And Time Context Data Item Config
Date And Time Context Data Item Name
Date And Time Context Data Value Provider
Date And Time Data Transformer
Date And Time User Context Data Item
Date And Time Validator
Date And Time With Offset Value Provider Config
Date Context Data Item Config
Date Data Transformer
Date Format
Date UI Element
Date User Context Data Item
Date User Profile Item Config
Date Validator
Date/Time Input Token Controller Element
Default Account Link Linking Flow
Default Account Link Removal Flow
Default Aggregate Report Strategy
Default Authentication Processor
Default Authentication Processors Config
Default Authorization Processors
Default Cronto Device Removal Flow
Default Cronto Device Renaming Flow
Default Cronto Login Message Provider Config
Default Disable Cronto Device Flow
Default Disable Cronto Push Flow
Default Disable FIDO Credential Flow
Default Enable Cronto Device Flow
Default Enable Cronto Push Flow
Default Enable FIDO Credential Flow
Default End-To-End Encryption Password Repository
Default FIDO Credential Display Name Change Flow
Default FIDO Credential Removal Flow
Default mTAN Deletion Flow
Default mTAN Token Edit Flow
Default mTAN Token Registration Flow
Default OAuth 2.0 Consent Deny Flow
Default OAuth 2.0 Consent Grant Flow
Default OAuth 2.0 Consents Delete Flow
Default OAuth 2.0 Session Deletion Flow
Default Password Repository
Default Password Reset Restrictions
Default Persistency-less Authentication Processors
Default Persistency-less Protected Self-Service Processors
Default Protected Self-Service Processors
Default Public Self-Service Processors
Default Remember-Me Device Deletion Flow
Default Self-Unlock Restrictions
Default TAN Service
Default Technical Client Registration Processors
Default Token Data Provider
Default Transaction Approval Flow Processor
Default Transaction Approval Processors Config
Default User Self-Registration Processors
Default X509 Factory Implementation
Delete Cronto Device Initiation Step
Delete FIDO Credential Initiation Step
Delete mTAN Number Initiation Step
Delete OAuth 2.0 Session Initiation Step
Delete Remember-Me Device Initiation Step
Delete Roles
Delete Users Task
Demo Service Config
Denying Adminapp REST API Configuration
Denying Authenticator
Denying Request Authentication
Destroy Last User Session
Destroy Multiple Existing Sessions Config
Destroy Other User Session
Device Token Authentication Step
Device Token Deleted
Device Token Identity Verification Step Config
Device Token List
Device Token Management UI
Device Token Management UI Redirect
Device Token Registered
Device Token Registration Step
Device Token Settings
Device Usage Database Repository
Device Usage Processor
Device Was Registered In Current Flow Condition
Device Was Used For Login Condition
Digipass Push App Handler
Disable Cronto Device Initiation Step
Disable Cronto Push Initiation Step
Disable FIDO Credential Initiation Step
Disabled Or Missing Secret Questions Restriction Config
Disclaimer Text Config
Display Language SAML 2.0 Attribute
Display Language String Provider Config
Distributed Claim Config
Do Nothing Obtainer
DOCX Save Option
Drop-Down UI Element
Dummy Certificate Status Checker
Dummy Credential Persister
Dummy Cronto Push Notification Sender
Dummy Email Service
Dummy Extended User Persister
Dummy IAK Verifier
Dummy Maintenance Message Persister
Dummy Matrix Authenticator
Dummy Password Renderer
Dummy Password Service
Dummy Polling Authenticator
Dummy Report Renderer
Dummy SMS Gateway
Dummy Token List Persister
Dummy Token List Renderer
Dummy Token Verifier
Dummy Two Step Authenticator
Dummy Vasco Handler
Dynamic Active Directory String Generator
Dynamic Step Activation Config

E

eCall SMS Gateway (v1)
Edited Context Data Map
Email Address
Email Address Added
Email Address Changed
Email Address Deleted
Email Address Validator
Email Change Verification Step
Email Event Subscriber (Adminapp)
Email Event Subscriber (Loginapp)
Email Identity Verification Step
Email Item Definition
Email Message Provider
Email Notification Step
Email Notification Task
Email Notifier
Email OTP Authentication Step
Email Otp Authenticator
Email OTP Transaction Approval Step
Email OTP was used for login (Transaction Approval only)
Email SMS Gateway
Email User Profile Item Config
Email Verification Step
Enable Cronto Device Initiation Step
Enable Cronto Push Initiation Step
Enable FIDO Credential Initiation Step
Enabling All Access Controller
Encoded User Data Header
Encoded User Data Response Header
Encrypted Password Hash
Enumeration User Context Data Item
Equals Old Password Policy
Esp Sign Ticket Decoder
Esp Sign Ticket Encoder
Expert Mode Redis State Repository Config
Exponential Temporary Locking Strategy
Export Users Task
Extended String User Profile Item Config
Extended User Persister-based User Store Provider
External Database Password Repository Config

F

Factor Use Reporting Processor
Failed Factor Attempts Processor
Failover SMS Gateway
Failure HTTP Response
Failure Step
Fallback Authenticator
Fallback CRL Fetcher
Fallback Crl Obtainer
Fallback String Value Provider
FIDO Attestation Certificate Trust Verifier
FIDO Authentication Step
FIDO Consistency User Change Listener
FIDO Credential Deleted
FIDO Credential Display Name Change Step
FIDO Credential List
FIDO Credential Management UI
FIDO Credential Management UI Redirect
FIDO Credential Registered
FIDO Credential Removal Possible
FIDO Credential Selection Step
FIDO Custom AAGUID Mapping
FIDO Database Repository
FIDO Default AAGUID Mappings
FIDO Passwordless Authentication Step
FIDO Public Self-Service Approval Step
FIDO Registration Step
FIDO Self-Service Approval Step
FIDO Settings
FIDO Token Controller
Field Matching
File CRL Fetcher
File Crl Persister
Filter Pattern
Filtered Flow Event
First Usage of Device
Fixed TAN Generator Task
Flash Parameter
Flow Condition To Authentication Context Mapping
Flow Condition-based OAuth 2.0 Scope Condition
Flow Condition-based OIDC ID Token ACR Value
Flow Continuation Database Repository
Flow Continuation Step
Flow Continuation Token Clean-up Task
Flow Continuation Token Consumption Step
Flow ID
Flow Selection-based OIDC ID Token ACR Value
Flow Step Sequence
Flow-based Password Reset
Forbidden Characters Password Policy
Form UI Element
Formatted Date And Time Context Data Custom Claim
Formatted LocalDate Context Data Custom Claim
Fortinet Roles Configuration
Forward Location Parameter Adder
Futurae Server

G

Generated Username
Generic ID Propagator
Generic LDAP Authentication Failure Mapper
Generic Session Attribute String Provider Config
Generic Session Attribute Value Map Provider Config
Generic SSI Proof Predicate
Generic Step Result
Generic String SAML 2.0 Attribute
Generic Token Controller
Generic Token Controller UI
Generic Token Endpoint
Generic Token Service
Goto Button UI Element
Gzip Base64 Ticket Encoder

H

Has Cronto Account
Has Cronto Device
Has Device Token
Has Email Address
Has FIDO Credential
Has Matching Role
Has Matrix Card
Has mTAN Activation Letter
Has mTAN Token
Has OATH OTP Token
Has Password
Has Suitable Airlock 2FA Device
Has Tag
Has Vasco OTP Token
hCAPTCHA
Header URI Propagation Config
Hex Password Hash Encoder
Hidden UI Element
History Password Hash
History Password Policy
HSM Keystore
HTML String Escaper
HTTP Basic Auth Identity Propagator
HTTP Basic Authentication Step
HTTP Client Config
HTTP Client With Client Certificate
HTTP GET Step
HTTP Header
HTTP Header Identity Propagator
HTTP Header Token Extractor (as SSO Credential)
HTTP Header Token Extractor (as Token Credential)
HTTP Instance Digest Verification
HTTP Parameter
HTTP Parameter Context Extractor Pattern
HTTP Password Service
HTTP POST Step
HTTP Query Parameter Context Extractor
HTTP Request Body Is Present
HTTP Request Client IP Extractor
HTTP Request Header Is Present
HTTP Request Header Value Provider
HTTP Request ID Extractor
HTTP Request Information Map
HTTP Request mTLS Client Certificate Extractor
HTTP Request URL Extractor
HTTP Response Header Identity Propagator
HTTP Signature Algorithm Whitelist
HTTP Signature Audit Logger
HTTP Signature Static X.509 Certificate Loader
HTTP Signature Verification Credential Extractor
HTTP Signature X.509 Certificate Header Loader
HTTP Signature X.509 Certificate URL Loader
HTTP SMS Gateway

I

IAM Username (Airlock 2FA Account Display Name)
ID Token Claim
Identity Attribute Mapping
Identity Password Hash
Identity Username Transformer
Identity Value Provider Config
IdP-Initiated SSO Flow On SP
Ignore Existing User Sessions Config
Impossible Journey Risk Extractor
In-Memory Accepted SSO Tickets Repository
In-Memory Sequence Generator
In-Memory State Repository
Initial REST API Invocation
Input UI Element
Integer Context Data
Integer Context Data Item Config
Integer Context Data Item Name
Integer Context Data Value Provider
Interactive Goto Target Config
Internal Goto Target Config
International Phone Number User Profile Item Config
Invalid User Restriction
Invalidate All Tokens Of The Grant
Invalidate Single Token
IP Address Context Extractor
IP Address Range Risk Extractor
IP Range Context
IP-based Target Service
Is App Device Condition
Is Hardware Device Condition
Is In Cooldown Device Condition
Is Single Device Condition

J

Java Keystore
JDBC Connection Pool
Jdbc Driver Property
JSON String Escaper
Jsoup HTML Element Attribute Extractor
JSP Remember-Me Settings
JWE Password Decryption
JWKS Ticket Verifier Settings
JWT Access Token Format
JWT Access Token No Signature
JWT Access Token Private Key Signature
JWT Scope Handling
JWT Ticket Decoder
JWT Ticket Direct AES Encryption Settings
JWT Ticket EC Signer Settings
JWT Ticket EC Verifier Settings
JWT Ticket Encoder
JWT Ticket HMAC Settings
JWT Ticket RSA Signer Settings
JWT Ticket RSA Verifier Settings
JWT Token Exchange Rule

K

Kannel SMS Gateway
Keep Roles
Kerberos Authentication Step
Kerberos Identity Propagator (requires Airlock Gateway)
Kerberos SPNEGO Error Mapper
Kerberos SPNEGO Extractor
Kerberos User Definition
Kerberos/SPNEGO Config For One-Shot
Key Entry
Key Value Pair

L

Language Query Parameter Appender
Language Settings
Language Specific Template
Language Specific Text
Last Selection Consistency User Change Listener
Last Selection Repository Config
Latest Authentication Feedback Processor
Latest Login Attempt Date Range Filter
Latest Successful Login Date Range Filter
LDAP Connection Pool
LDAP Connector
LDAP Credential Persister
LDAP CRL Fetcher
LDAP Password Authenticator
LDAP Password Hash
LDAP Password Repository
LDAP Search Context
LDAP Search Filter
Ldap String Attribute
LDAP Token List Persister
LDAP User Persister
Legacy Context Data Item
Legacy Email OTP Authentication Step
Legacy ID Propagation Adapter
Legacy mTAN Registration Flow
Letter Order Interval Condition (Public Self-Service)
License and Usage Analytics
Link Configuration Authentication UI
List User Profile Item Config
LocalDate Context Data Item Name
Location
Location Filter Config
Location Interpretations Configuration
Lock Expired Initial Passwords Task
Lock Inactive Accounts Task
Lock Self-Service Step
Locked User Filter
Locked User Restriction
Locking Settings (Adminapp)
Log Cleanup Task
Log File
Log Viewer
Logged in from new Device
Logical AND
Logical AND Condition
Logical AND Device Condition
Logical AND Role Derivation
Logical NOT
Logical NOT Condition
Logical NOT Device Condition
Logical NOT Role Derivation
Logical OR
Logical OR Condition
Logical OR Device Condition
Logical OR Role Derivation
Login From New Device Step
Login History Consistency User Change Listener
Login History Processor
Login Page
Loginapp
Loginapp Event Settings
Loginapp JWKS
Loginapp UI Content Security Policy
Loginapp UI SSO Ticket Extractor
Lookup and Accept Authenticator
Lowercase Data Transformer
Lowercase String Transformer
Lowercase Transformation
Lowercase Transformer

M

Mail Notificator
Main Authentication Settings
Main Authenticator
Main Settings
Maintenance Message Configuration
Maintenance Message Settings
Maintenance Message UI Settings
Mandatory HTTP Signature Header
Mandatory Password Change Red Flag
Mandatory Password Change Step Config
Mapped Context Data Field
Mapped Ticket Element
Mapping Ticket Service
Mask Token
Masking Settings
Matching Username
Matrix Authentication Step
Matrix Card Generator Config
Matrix Public Self-Service Approval Step
Matrix Self-Service Approval Step
Matrix Token Controller
Matrixcard Authenticator (TAN Challenge)
Maximal Length
Maximum Date
MaxMind Geolocation Provider
MD5 Base64 Password Hash
MD5 Hex Password Hash
Meta Authenticator
Meta Password Policy
Migrating State Encryption Config
Migration Selection Step
Minimum Date
Minimum Length
Missing Account Link Step
Most Recently Registered Device Condition
MS-OFBA One-Shot Target Application
mTAN Authentication Step
mTAN IAK Token Report Strategy
mTAN Label Item Definition
mTAN Letter User Event Listener
mTAN Message Provider
mTAN Number Changed
mTAN Number Deletion Possible
mTAN Number Item Definition
mTAN Number List
mTAN Number Management UI
mTAN Number Registration Possible
mTAN OTP Check Settings (based on mTAN Settings)
mTAN OTP Checks Settings
mTAN Public Self-Service Approval Step
mTAN Registration Number Provider
mTAN Self-Service Approval Step
mTAN Self-Service Settings (based on mTAN Settings, Legacy)
mTAN Self-Services (Legacy)
MTAN Token Deleted
mTAN Token Edit Step
mTAN Token Import Handler
mTAN Token Insertion Handler
mTAN Token Management UI Redirect
MTAN Token Phone Number Changed
MTAN Token Registered
mTAN Token Registration Step
mTAN Transaction Approval Step
mTAN Verification Step
mTAN was used for login (Transaction Approval only)
MTAN/SMS Authenticator
MTAN/SMS Settings
mTAN/SMS Token Controller
Multi Password Hash (LDAP-style)

N

NAS-based Target Service
NAS-IP-Address-based Target Service
Native Vasco Handler
Never Migrate Possible
Never Migrate Step
New Email Clean-up Strategy
New User Defaults Setter
Next Authentication Method-based Migration Condition
NextGenPSD2 Certificate Authenticator
No Access Control
No Adminapp Content Security Policy
No Context Extractor
No CRL Persister
No Email Address Restriction
No Identity Propagator
No Loginapp UI Content Security Policy
No mTAN Token Restriction
No Operation Step
No Retry Policy
No State Encryption
Non-Flow UI Settings
None (Airlock 2FA Account Display Name)
None (FIDO Attestation Verification)
Nonexistent User Restriction
Not Claim Condition Config
NTLM Identity Propagator
Null Password Policy
Null SMS Gateway
Number-based Selection SMS Gateway

O

O Auth2 Authorization Server
O Auth2 Response Mode Config
O Auth2 Token Cleanup
OATH OTP Activation Step
OATH OTP Authentication Step
OATH OTP Authenticator
OATH OTP Event-based Challenge Handler
OATH OTP Letter Task
OATH OTP Secret Added
OATH OTP Secret Viewed
OATH OTP Settings
OATH OTP Time-based Challenge Handler
OATH OTP Token Controller
OATH OTP Token Verifier
OATH Token Insertion Handler
OAuth 2.0 Access Token Authenticator
OAuth 2.0 Access Token Ticket Decoder
OAuth 2.0 Authorization Code Grant
OAuth 2.0 Authorization Code Grant In Progress
OAuth 2.0 Authorization Server Identifier
OAuth 2.0 Basic Auth Client Secret
OAuth 2.0 Basic Auth Client Secret (AS)
OAuth 2.0 Bearer Access Token
OAuth 2.0 Clean-up Task
OAuth 2.0 Client Certificate
OAuth 2.0 Client Credentials Grant
OAuth 2.0 Client ID Pattern UI Tenant ID Rule
OAuth 2.0 Client ID UI Tenant ID Rule
OAuth 2.0 Client mTLS Authentication
OAuth 2.0 Client Persisting Step
OAuth 2.0 Client Public Key
OAuth 2.0 Client Registration Step
OAuth 2.0 Client Secret Authentication
OAuth 2.0 Consent Deny Initiation Step
OAuth 2.0 Consent Grant Initiation Step
OAuth 2.0 Consent List
OAuth 2.0 Consent Management UI
OAuth 2.0 Consent Management UI Redirect
OAuth 2.0 Consent Repository
OAuth 2.0 Consent Step
OAuth 2.0 Consent Storage
OAuth 2.0 Consents Delete Initiation Step
OAuth 2.0 Credential Context Data Map
OAuth 2.0 Credential Roles Provider
OAuth 2.0 Custom Application UI
OAuth 2.0 Custom Client Endpoint Redirect URI
OAuth 2.0 Custom Scopes Flow Settings
OAuth 2.0 Custom Session Attribute
OAuth 2.0 Date Context Data Resource
OAuth 2.0 Default Application UI
OAuth 2.0 Default Scopes Flow Settings
OAuth 2.0 Default UI Client Redirect URI
OAuth 2.0 Dynamic Client Registration
OAuth 2.0 Flow Client
OAuth 2.0 Granted Scope Whitelist
OAuth 2.0 Grants / OIDC Flows
OAuth 2.0 Header Access Token Config
OAuth 2.0 Header Client Secret
OAuth 2.0 Header Client Secret (AS)
OAuth 2.0 Issuer ID
OAuth 2.0 Legacy Client Endpoint Redirect URI
OAuth 2.0 Legacy Client Endpoint UI Redirect
OAuth 2.0 Legacy Custom Client Endpoint Redirect
OAuth 2.0 Local Consent
OAuth 2.0 LocalDate Context Data Resource
OAuth 2.0 Logging Settings
OAuth 2.0 Metadata Endpoint
OAuth 2.0 No Client Authentication
OAuth 2.0 No Client Secret Authentication
OAuth 2.0 No Redirect URI
OAuth 2.0 Parameter Access Token Config
OAuth 2.0 Parameter Client Secret
OAuth 2.0 Parameter Client Secret (AS)
OAuth 2.0 Persisted Clients
OAuth 2.0 Post Logout Redirect Base URL
OAuth 2.0 Provider Identifier
OAuth 2.0 Pushed Authorization Request (PAR) Repository
OAuth 2.0 Pushed Authorization Requests
OAuth 2.0 Remote Consent
OAuth 2.0 Remote Context Data Resource
OAuth 2.0 Remote User Role Resource
OAuth 2.0 Remote Username Resource
OAuth 2.0 Resource
OAuth 2.0 Resource Endpoint
OAuth 2.0 Resource Selector
OAuth 2.0 Scope Matcher
OAuth 2.0 Scope Translation Entry
OAuth 2.0 Scope Translator
OAuth 2.0 Session List
OAuth 2.0 Session Management Endpoint
OAuth 2.0 Session Management UI
OAuth 2.0 Session Management UI Redirect
OAuth 2.0 Session Repository
OAuth 2.0 Session Reset Step
OAuth 2.0 Simple Resource Selector
OAuth 2.0 SSO Resource Request
OAuth 2.0 SSO Step
OAuth 2.0 SSO Ticket Resource
OAuth 2.0 Static Client
OAuth 2.0 Static Clients
OAuth 2.0 Static Resource
OAuth 2.0 String Context Data Resource
OAuth 2.0 Token Controller
OAuth 2.0 Token Endpoint
OAuth 2.0 Token Exchange
OAuth 2.0 Token Generator Settings
OAuth 2.0 Token Introspection Endpoint
OAuth 2.0 Token Request Authentication
OAuth 2.0 Token Revocation Endpoint
OAuth 2.0 Tokens Map
OAuth 2.0 User Roles Resource
OAuth 2.0 Username Resource
OAuth 2.0/OIDC Authorization Server
OAuth 2.0/OIDC Authorization Servers
OAuth 2.0/OIDC Clients
OAuth 2.0/OIDC Consent Consistency User Change Listener
OAuth 2.0/OIDC ID Propagator
OCSP Certificate Status Checker
OCSP Over HTTP Client
OIDC Authorization Code / Hybrid Flow
OIDC Authorization Request Parameter
OIDC Birthdate Standard Claim (Date)
OIDC Birthdate Standard Claim (String)
OIDC Discovery Actor Token Validation
OIDC Discovery Endpoint
OIDC Discovery Flow Client
OIDC Discovery Subject Token Validation
OIDC Email Standard Claim
OIDC Family Name Standard Claim
OIDC Flow Client
OIDC Flow Condition To ACR Value Mapping
OIDC Given Name Standard Claim
OIDC HS256 Signature Validator
OIDC ID Token
OIDC ID Token Claims
OIDC ID Token HMAC
OIDC ID Token No Signature
OIDC ID Token Private Key Signature
OIDC Name Standard Claim
OIDC No Post Logout Redirect URI
OIDC No Signature Validator
OIDC Phone Number Standard Claim
OIDC Private Key JWT Authentication
OIDC Private Key JWT Client Authentication
OIDC prompt=none Condition
OIDC RS256 Signature Validator
OIDC Session Management
OIDC SSO Ticket Login Hint Extractor
OIDC SSO Ticket Login Hint Flow Settings
OIDC UserInfo Endpoint
OIDC Username Login Hint Flow Settings
Old Phone Number Provider
On Behalf Cookie Authentee Extractor
On Behalf Login Identity Propagation Config
On Behalf Login Identity Propagator
One-Shot Authentication Settings
Opaque Access Token Format
Option UI Element
Or Claim Condition Config
Order Airlock 2FA Device Activation Letters
OTP Check Access Challenge Rule
OTP Check Access Reject Rule
OTP Check via RADIUS Step

P

Parameter-based Target URI
Password Authenticator
Password Batch Task
Password Change Self-Service Step
Password Changed
Password Generator Config
Password Hash Configuration
Password Length Policy
Password Letter Order Step (Public Self-Service)
Password Repository Mapping
Password Repository Mapping (Request Authentication)
Password Reset Step
Password Service HTTP Parameter
Password Settings
Password Token Controller
Password User Item
Password-based Encryption
Password-only Authentication Step
Pattern Matching
Pattern-based Random String Generator
PDF Save Option
Persistent Accepted SSO Tickets Repository
Persister IAK Verifier
Persister Password Service
Phone Number
Phone Number Validator Config
Phone Number Verification Step
Plain Base64 Ticket Decoder
Plain Base64 Ticket Encoder
Plain Cookie Identity Propagator
Plain Cookie Value Context Data Extractor
Plain Static REST Request Header
Plain Ticket Decoder
Plain Ticket Encoder
Plain Token
Plain User Data Header
Plain User Data Response Header
Primary Key Lookup
Print Airlock 2FA Activation Letters
Property Credential Persister
Property Maintenance Message Persister
Property Token List Persister
Property User Persister
Protected Self-Service Flows
Protected Self-Service UI
Protected Self-Service UIs
Protected Self-Services
Public Self-Service Allowed Condition
Public Self-Service Allowed Processor
Public Self-Service Flow
Public Self-Service Flow Link
Public Self-Service Flow Redirect
Public Self-Service Flows
Public Self-Service UI
Public Self-Service UIs
Public/Private JWK Configuration

Q

Query Parameter URI Transformation
Query Parameter URI Value Extraction

R

Radio Buttons UI Element
Radius Authentication Service
RADIUS Authenticator
Radius Authorization Config
Radius Connection Settings
RADIUS Password Repository
RADIUS Roles As Reply-Message
Readiness Health Check Endpoint
Realm Administration
Realm Username Validator
Realm Value Provider
reCAPTCHA
Recipient From Context Data
Recipient From Event Value
Recipient From String Value Provider
Red Flag
Red Flag Raised
Red Flag Raising Step Config
Redirect On Logout Config
Redirect to URI
Regex Application Selector Config
Regex String Transformer
Regex String Validator Config
Regex Ticket Element
Regex Username Transformer
Regex-based String Transformer
Regex-based URI Transformer
Regex-based URI Value Extraction
Regexp Data Transformer
Remember Me Token Cleanup
Remember-Me Consistency User Change Listener
Remember-Me Database Repository
Remember-Me Device List
Remember-Me Device Management UI
Remember-Me Device Management UI Redirect
Remember-Me Reset Step
Remember-Me Settings
Remember-Me Token Clean-up Task
Remember-Me Token Generating Step
Remember-Me User Identifying Step
Remote Event Subscriber (Adminapp)
Remote Event Subscriber (Loginapp)
Removed Roles Mapping
Rename Cronto Device Step
Renew Session ID Processor
Reply Message Access Challenge Rule
Reply Message Access Reject Rule
Report Exec Task
Report Mailer Task
Representation SSO Ticket Identifying Step
Representer ID SAML 2.0 Attribute
Request Attribute
Request Context Retention Policy
Request Has SSO Ticket
Request Header
Request Header Ticket Adder Config
Request Target HTTP Signature Header
Request URL Pattern UI Resource Set Rule
Request URL Pattern UI Tenant ID Rule
Requested Authentication Context Mapping
Requested Resource Or Audience Condition
Required Characters Password Policy
Required Checkbox State
Required Field
Required Scopes Claim Condition Config
Resource Access Controller
Resource Access Rule
Response Header Ticket Adder Config
REST API Invocation
REST Client Config
Retry If Server Not Reachable Policy
Risk Assessment Step
Risk Tag Plugin
Role Timeout Rule Config
Role Transformation Rule
Role Transformation Rule (Radius)
Role-based Access Control
Role-based Access Controller
Role-based Access Rule
Role-based Authenticator Selector
Role-based Gateway Role
Role-based OAuth 2.0 Scope Condition
Role-based Tag Acquisition Step
Roles from Attribute
Roles from Password Check
Roles Provider Config
Roles SAML 2.0 Attribute
Roles-to-Authenticator Mapping
RSA Encryption
RSA Sign Ticket Decoder
RSA Sign Ticket Encoder
RSA v1.5 Key Transport Algorithm
RSA-OAEP Key Transport Algorithm

S

Same Flow Redirect Target Config
SAML 2.0 Assertion String Attribute Importer
SAML 2.0 Config
SAML 2.0 Flow IdP
SAML 2.0 Flow SP
SAML 2.0 Identity Propagator
SAML 2.0 Identity Provider Entity
SAML 2.0 Service Provider
SAML 2.0 Service Provider Entity
SAML 2.0 Service Provider Entity ID
SAML 2.0 SP Entity ID Pattern UI Tenant ID Rule
SAML 2.0 SP Entity ID UI Tenant ID Rule
SAML 2.0 SP User Identifying Step
SAML Access Cookie Identity Propagator
SAML Assertion Cookie Identity Propagator
SAML Federation Config
SAML No Cert Key Provider
SAML XML Signature Provider
SAML2 Single-Logout Config
Scope Processor
Script Execution Result Value Map Provider
Script Namespace Config
Script Output Declaration
Script Secret Config
Scriptable Step
Scrypt Password Hash
Secret Letter Renderer
Secret Questions Identity Verification Step
Secret Questions Provisioning Step
Secret Questions Settings
Secret Questions Token Controller
Security Settings
Select mTAN Token Step
Selection Authenticator
Selection Option
Selection Option For Public Self-Service
Selection Option For Self-Service
Selection Option For User Self-Registration
Selection Password Repository
Selection Password Repository (Request Authentication)
Selection Step
Selection Step for Public Self-Service
Selection Step for Self-Service
Selection Step for User Self-Registration
Self Reg Users Clean Up Task
Self Reg Users Reminder Task
Self-Service Flow Redirect
Send Email Link Step
Sensitive HTTP Parameter
Sensitive Static REST Request Header
Service Config
Service Container
Session Context Retention Policy
Session Hijacking Notification Risk Extractor Config
Session ID Custom Claim
Session-less REST Endpoints
Set Authentication Method Migration Step
Set Authentication Method Step
Set Context Data Step
Set Password Expiry Date
Set Password Step Config
Set UI Tenant ID Processor
Set UUID For New Users
SHA-256 HTTP Instance Digest Algorithm
SHA-512 HTTP Instance Digest Algorithm
SHA1 Base64 Password Hash
SHA1 Hex Password Hash
SHA1 Password Hash
SHA256 Base64 Password Hash
SHA256 Hex Password Hash
SHA256 Password Hash
Show Logout Disclaimer Page Config
Silly Password Policy
Simple File Renderer Config
Simple Latest Login Attempt Filter
Simple Latest Successful Login Filter
Simple Location Interpreter Config
Simple Migration Selection Option Config
Simple Password Policy
Simple Risk-based Role Derivation
Simple Text Renderer
Single Mode Redis State Repository Config
SMPP SMS Gateway
SMS Event Subscriber (Adminapp)
SMS Event Subscriber (Loginapp)
SMS Finder Gateway
SMS Gateway Selection Option
SMS Identity Verification Step
SMS Notifier
SMS Service
SMTP Email Server
SMTP Email Service
Software ID and Software Version Processor
Sql Executor Task
SSI Age Check Predicate
SSI Attribute
SSI Attribute Mapping
SSI Authentication Step
SSI Claim
SSI Issuance Step
SSI Passwordless Authentication Step
SSI Verification Data Provider
SSI Verification Step
SSO Cookie Ticket Extractor
SSO Credential Authenticator
SSO Header Ticket Extractor
SSO Ticket Authentication Step
SSO Ticket Context Data Extractor
SSO Ticket Context Data Provider
SSO Ticket Identity Propagator
SSO Ticket Request Authentication
SSO Ticket Role Extractor
SSO Ticket Roles Provider
SSO Ticket Tag Extractor
Start User Representation Step
Static Authenticator
Static Blacklist Password Policy
Static Boolean Value Provider
Static Context Extractor
Static Credential Persister
Static Date And Time Value Provider
Static Gateway Role
Static Header
Static HTTP Parameter
Static Integer Value Provider
Static Request Authentication
Static Response Header
Static Roles
Static SAML 2.0 Attribute
Static String (OAuth 2.0 Token Exchange)
Static String Custom Claim
Static String Value Provider
Static String-Array (OAuth 2.0 Token Exchange)
Static Timeout Provider Config
Static Username Password Extractor
Static Values To Tags
Step Activated
Step ID
STET PSD2 Authenticator
STET PSD2 OAuth 2.0 Scope Filter
Stop User Representation Step
Storage Encryption Configuration
String Context Data
String Context Data Item Config
String Context Data Item Name
String Context Data User Group Condition Config
String Context Data Value Provider
String Format Custom Claim
String From Actor Token (OAuth 2.0 Token Exchange)
String From Map Value Provider
String From Subject Token (OAuth 2.0 Token Exchange)
String HTTP Signature Header
String Input Token Controller Element
String Regex Condition Config
String Transformation Failed Config
String User Context Data Item
String User Profile Item
String Value Provider Custom Claim
String Value Token Controller Element
String-Array From Subject Token (OAuth 2.0 Token Exchange)
String-based Role Provider
Subject From Subject Token (OAuth 2.0 Token Exchange)
Subject Token Unsigned Claims Extractor
Swiss Post Barcode Generator
Swiss Post Tracking Service
Swisscom REST SMS Gateway
Swissphone SMS Gateway

T

Tag
Tag Lifetime
Tag Removal Step Config
Tag Timeout Using Gateway (WAF)
Tag-based Gateway Role
Tag-based Role Provider
Tags From SAML 2.0 Assertion Attribute
TAN Batch Task
TAN Token Verifier
Target Application Config
Target Application Redirect
Target Application/Service
Target Applications and Authentication
Target URI ID Propagator
Target URI Resolver
Task Schedule
Task Scheduler Service
Technical Client Database Repository
Technical Client Registration Flow
Technical Client Registration Settings
Technical Clients Settings
Template-based String Provider
Template-based Username Transformer
Temporary Locking
Temporary Locking Processor
Temporary Locking Settings
Terms Of Service Config
Terms Of Services Step
Test Task
Text File Password Renderer
Text File Renderer
Text File Token List Renderer
Text Message Token Controller Element
Text Report Renderer
Text UI Element
Ticket Key Value
Ticket String Provider Config
To Query Parameter URI Transformer
Token Activation On Delivery Strategy
Token Authenticator
Token Consistency User Change Listener
Token Data Certificate Matcher
Token Data mTAN Handler
Token Data mTAN Handler for IAK Order
Token Data Username Transformer
Token Endpoint Auth Method Processor
Token IAK Handler
Token Task
Token-based Attribute Mapping
Token-based Generic Token Repository
Tokens Configuration
Too Many Unlocks Restriction
Transaction Approval
Transaction Approval Cronto Message Provider
Transaction Approval Flow
Transaction Approval Parameter Step
Transaction Approval Parameters Map
Transform Roles
Transforming Role Provider
Transforming String Value Provider
Transforming Value Map Provider
Translated String Provider
True Senses SMS Gateway
Typical Geolocation Risk Extractor
Typical User Agent Risk Extractor

U

UCP SMS Gateway
UI Settings
Unique Across Services Password Policy
Universally Unique Identity (UUID) Generator
Unlock Attempts Reset Processor
Unlock User Step (Public Self-Service)
Unsupported Encryption (to be replaced)
Uppercase String Transformer
Uppercase Transformer
URI
URIs Processor
URL Context Extractor
URL CRL Fetcher
URL Encoder
URL String Encoder
User Attribute Is Unique
User Condition
User Context Data Attribute Mapping
User Created
User Data Blacklist Password Policy
User Data Edit Step
User Data Registration Step Config
User Deleted
User Enumeration Protection Processor
User Group Configuration
User Identification By Data Step
User Identification By Data Step (Public Self-Service)
User Identification Processor
User Identification Step
User Identification Step (Public Self-Service)
User Identified
User Identity Map
User Info Mapping
User Information Group Config
User Information Self-Service
User Locked
User Management Extension Access Rule Config
User Management Extension Config
User Not Valid Anymore Predicate Config
User Passwords Map
User Persister Configuration
User Persister Email Certificate Provider
User Persister-based User Store
User Persisting Step Config
User Principal Name Provider
User Profile Item Search Config
User Representation UI
User Represented Condition Config
User Role Assignment Step Config
User Roles Changed
User Roles Custom Claim
User Self Information Group Config
User Self-Registration Flow
User Self-Registration Flow Link
User Self-Registration Flow Redirect
User Self-Registration Flows
User Self-Registration Logging Processor
User Self-Registration UI
User Self-Registration UIs
User Self-Service Settings
User Specific Role Timeout Definition
User Specific Timeout Provider Config
User Statistics Map
User Store Configuration
User Sync Task Config
User to Authenticator Mapping
User To Context Data Transformer Config
User to Password Service Mapping
User Token Settings
User Trail Log Clean-up Task
User Trail Log Database Repository
User Trail Log Import Task
User Unlock Step (Self-Registration)
User Unlocked
User Validity Processor
User-Agent Mapping
User-based Authenticator Selector
User-based Password Service Selector
UserInfo Claim
Username Cookie Identity Propagator
Username Custom Claim
Username Generation Step Config
Username Password Authentication Step
Username SAML 2.0 Attribute
Username User Group Condition
Username User Item
Username User Profile Item Config
Users Configuration
Users OAuth 2.0 Authorization Server
UUID Identity Generator

V

Valid Flag Password Policy
Value Provider Map
Value Transformation
Vasco Activation Possible
Vasco Cronto Handler
Vasco Cronto Online Activation Token Clean-up Strategy
Vasco Cronto Token Manager
Vasco Letter Generator
Vasco OTP Authentication Step
Vasco OTP Device Activation
Vasco OTP Public Self-Service Approval Step
Vasco OTP Self-Service Approval Step
Vasco OTP Token Controller
Vasco OTP Token Manager
Vasco Runtime Parameters
Vasco Token Report Strategy
Vasco Token Service
Vasco Token Verifier
Voluntary Password Change Step

W

Whitelist HTTP Signature Headers
Word Template Password Renderer
Word Template Report Renderer
Word Template Token List Renderer

X

XML File Importer Task

Abort Step

Description
A flow step to abort the current flow. This step always fails with the configured error code. In contrast to "Failure Step", no failed attempts are counted with this step.
Class
com.airlock.iam.flow.application.configuration.step.AbortStepConfig
May be used by
Properties
Error Code (errorCode)
Description
The error code which will be included in the response. Allows specifying the reason for aborting the current flow.
Attributes
String
Mandatory
Example
FLOW_ABORTED_INTENTIONALLY
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.application.configuration.step.AbortStepConfig
id: AbortStepConfig-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  errorCode:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:

AcaPy SSI Service

Description
SSI service using AcaPy.
Class
com.airlock.iam.ssi.application.configuration.acapy.AcaPySsiServiceConfig
May be used by
Properties
Admin API Endpoint (adminApiEndpoint)
Description
The URL where the AcaPy admin API can be reached.
Attributes
String
Mandatory
Example
https://sovereign.company.ch:8000
API Key (apiKey)
Description
Key for the admin API.
Attributes
String
Mandatory
Sensitive
HTTP Client (httpClient)
Description
The HTTP client to use for communicating with the AcaPy instance.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.ssi.application.configuration.acapy.AcaPySsiServiceConfig
id: AcaPySsiServiceConfig-xxxxxx
displayName: 
comment: 
properties:
  adminApiEndpoint:
  apiKey:
  httpClient:

Accepted SSO Tickets Clean-up Task

Description

Task to clean up expired accepted SSO tickets entries from the database.

It is recommended to schedule this task during a time with little traffic. Depending on the number of expired accepted SSO tickets, the task may take some time to complete.

Note: the clean-up task ignores tenant IDs; all expired SSO tickets are deleted regardless of their tenant ID.

Class
com.airlock.iam.servicecontainer.app.application.configuration.task.sso.AcceptedSsoTicketsCleanupTaskConfig
May be used by
Properties
Accepted SSO Tickets Repository (acceptedSsoTicketRepository)
Description

Defines the accepted SSO ticket repository from which expired tickets are to be removed.

Note that this repository may differ from the one configured in the service container, which records the SSO tickets accepted for accessing it and rejects tickets that have already been accepted.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Batch Size (batchSize)
Description

During clean-up, accepted SSO tickets are deleted in batches of this size.

This ensures that any row locks on the database are very short-lived and do not affect parallel ticket insertions. The value should not be set too high, to avoid very long-running transactions. The clean-up repeatedly deletes this number of tickets until all expired tickets have been removed; the task can therefore take some time when many expired accepted SSO tickets are present.

This size should be chosen so that every batch does not take longer than 5 seconds. The average runtime of the batches can be found in the task's logs.

Attributes
Integer
Optional
Default value
1000
YAML Template (with default values)

type: com.airlock.iam.servicecontainer.app.application.configuration.task.sso.AcceptedSsoTicketsCleanupTaskConfig
id: AcceptedSsoTicketsCleanupTaskConfig-xxxxxx
displayName: 
comment: 
properties:
  acceptedSsoTicketRepository:
  batchSize: 1000
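
The batched deletion loop described above, as an added example (not Airlock IAM code): it assumes a constructed SQLite table accepted_sso_ticket with ticket_id, tenant_id and expiry columns, which is not the product's real schema, and shows that batches are repeated until no expired ticket is left, that tenant IDs are ignored, and how long each batch takes.

```python
"""Batched clean-up of expired accepted SSO tickets (added example).

The table layout below is an assumption made for this illustration;
the real Airlock IAM schema is not shown on this page.
"""
import sqlite3
import time

# Assumed table (constructed for this example). expiry is Unix epoch seconds.
CREATE_TABLE = """
CREATE TABLE accepted_sso_ticket (
    ticket_id TEXT PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    expiry    INTEGER NOT NULL
)
"""


def seed_repository(conn, now, tenants=("no_tenant", "customerA", "customerB"),
                    expired_per_tenant=1500, valid_per_tenant=200):
    """Fill the repository with constructed sample tickets, expired and still valid."""
    rows = []
    for tenant in tenants:
        for i in range(expired_per_tenant):
            rows.append((f"{tenant}-exp-{i}", tenant, now - 60 - i))   # already expired
        for i in range(valid_per_tenant):
            rows.append((f"{tenant}-ok-{i}", tenant, now + 3600 + i))  # still valid
    with conn:
        conn.executemany("INSERT INTO accepted_sso_ticket VALUES (?, ?, ?)", rows)
    return len(rows)


def delete_batch(conn, now, batch_size):
    """Delete at most batch_size expired tickets in one short transaction.

    Tenant IDs are deliberately not part of the WHERE clause: as the task
    description states, expired tickets of every tenant are removed.
    """
    with conn:  # one transaction per batch keeps row locks short-lived
        cur = conn.execute(
            "DELETE FROM accepted_sso_ticket WHERE ticket_id IN ("
            "  SELECT ticket_id FROM accepted_sso_ticket WHERE expiry < ? LIMIT ?)",
            (now, batch_size),
        )
        return cur.rowcount


def cleanup_expired_tickets(conn, now, batch_size=1000, max_batch_seconds=5.0):
    """Repeat batch deletes until no expired tickets remain.

    Returns (total_deleted, batch_count, slowest_batch_seconds). The slowest
    batch is what the sizing guidance (no batch longer than 5 s) is about.
    """
    total, batches, slowest = 0, 0, 0.0
    while True:
        start = time.monotonic()
        deleted = delete_batch(conn, now, batch_size)
        elapsed = time.monotonic() - start
        if deleted == 0:
            break  # nothing expired is left
        total += deleted
        batches += 1
        slowest = max(slowest, elapsed)
        note = " (above the 5 s target, lower the batch size)" if elapsed > max_batch_seconds else ""
        print(f"batch {batches}: deleted {deleted} tickets in {elapsed * 1000:.1f} ms{note}")
    return total, batches, slowest


def remaining_tickets(conn):
    """Tickets still stored per tenant, to show that only expired ones were removed."""
    rows = conn.execute(
        "SELECT tenant_id, COUNT(*) FROM accepted_sso_ticket GROUP BY tenant_id ORDER BY tenant_id"
    ).fetchall()
    return dict(rows)


def run_demo(batch_size=1000):
    """Build an in-memory repository, run the clean-up and report the outcome."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_TABLE)
    now = int(time.time())
    seed_repository(conn, now)
    result = cleanup_expired_tickets(conn, now, batch_size=batch_size)
    return result, remaining_tickets(conn)


if __name__ == "__main__":
    (total, batches, slowest), remaining = run_demo()
    print(f"deleted {total} tickets in {batches} batches; remaining per tenant: {remaining}")
```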

Accepting Authenticator

Description
Stateless authenticator that accepts all credentials and responds with "authentication successful" as long as the passed credential object contains a user name (UserCredential or subtype). The authentee object returned in the response contains the user name of the credential and no roles. If the credential object does not contain a user name, an authentication failure with the reason "user not found" is returned.

There are no configuration properties.

The plugin writes its canonical class name and a short description to the context data container. The class name is stored under the key authPluginClassName, and a short description of this authentication method under the key authMethodShortDesc. This information may be used by callers.

Class
com.airlock.iam.core.misc.impl.authen.AcceptingAuthenticator
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.AcceptingAuthenticator
id: AcceptingAuthenticator-xxxxxx
displayName: 
comment: 
properties:

Accepting Password Service

Description
A password service that accepts any password and cannot be used to set a new password or to reset the password. This password service is useful in a certificate environment where users don't have any passwords at all.
Class
com.airlock.iam.core.misc.impl.authen.AcceptingPasswordService
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.AcceptingPasswordService
id: AcceptingPasswordService-xxxxxx
displayName: 
comment: 
properties:

Access Cookie Identity Propagator

Description
An identity propagator that obtains an access cookie from another web application and uses it for identity propagation.

This plugin performs an HTTP POST request with the username and the password the user entered on a login form to the configured application and expects this application to set an access cookie. This access cookie is then set on the response object involved in the identity propagation process.

This plugin requires that the caller of the identity propagator puts the username and the password into the parameter map. The username must be stored under the key USERNAME and the password under the key PASSWORD.

The plugin is intended for situations where a legacy application provides access cookies after a weak authentication process (username and password) and these access cookies should be used in a different authentication process to tell other legacy applications (that are "used to" the access cookie) about the authenticated user.

Class
com.airlock.iam.core.misc.impl.sso.AccessCookieIdentityPropagator
May be used by
Properties
Access Cookie Source URL (accessCookieSourceUrl)
Description
The full URL of the application that provides the access cookies. A POST request is sent to this URL simulating a login.
See note in plug-in description when using SSL (HTTPS instead of HTTP).
Attributes
String
Mandatory
Example
http://someapp.somehost.com/auth/login
Example
https://securehost.com/login.php
HTTP Parameter Username (httpParamUsername)
Description
The name of the HTTP parameter for the username.
Attributes
String
Mandatory
Example
uid
Example
userId
Example
username
Example
contractNo
HTTP Parameters (httpParams)
Description
List of fixed (statically defined) HTTP parameters that are sent with the request when obtaining an access cookie.

In many cases, the submit button value must be sent to an application to make it think that the button has been pressed.

Attributes
Plugin-List
Optional
Assignable plugins
HTTP Parameter Password (httpParamPassword)
Description
The name of the HTTP parameter for the password.
Attributes
String
Mandatory
Example
password
Example
passphrase
Allow Only Trusted Certs (allowOnlyTrustedCerts)
Description

Only allow connections to servers whose certificate is trusted. See documentation of property "Trust Store Path" for more information about what certificates are trusted.

Security warning: Trusting all certificates allows connections to adversarial hosts. Only disable this property for testing and integration setups.

Attributes
Boolean
Optional
Default value
true
Verify Server Hostname (verifyServerHostname)
Description

Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

Attributes
Boolean
Optional
Default value
true
Trust Store Path (trustStorePath)
Description

Keystore file name containing trusted certificate issuers (and trusted certificates).

If this property is not defined the following certificate issuers are trusted:

  • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
  • The list of issuers in a keystore referenced by system property "javax.net.ssl.trustStore" if defined in instance.properties using iam.java.opts.

If this property is defined then the following certificate issuers are trusted:

  • The list of issuers in the referenced truststore file and no others.

This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

Attributes
File/Path
Optional
Trust Store Type (trustStoreType)
Description
Identifies the type of the keystore.
Attributes
String
Optional
Default value
JKS
Allowed values
JKS, PKCS12
Trust Store Password (trustStorePassword)
Description
The password used to verify the authenticity of the trust store.

Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

  • In keystores like JKS, the keystore can be opened and used but the integrity of the keystore is not checked.
  • In keystores like PKCS12, the keystore cannot be opened and an error occurs.

Attributes
String
Optional
Sensitive
Connection Timeout [s] (connectTimeout)
Description
The connection timeout in seconds. A timeout value of zero is interpreted as an infinite timeout.
Attributes
Integer
Optional
Default value
10
Correlation ID Header Name (correlationIdHeaderName)
Description

When configured, every request sent contains a header with the configured name carrying the correlation ID. If no value or an empty value is specified, the correlation ID header is not sent.

If the correlation ID is not defined, the correlation ID header is not included in sent requests.

Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_-]+
Suggested values
X-Correlation-ID
Proxy Host (proxyHost)
Description
The hostname of the HTTP proxy server (if any).
Attributes
String
Optional
Example
proxy.company.com
Proxy Port (proxyPort)
Description
The port of the HTTP proxy server (if any).
Attributes
Integer
Optional
Proxy Login User (proxyLoginUser)
Description
Username for the HTTP proxy if proxy authentication is used.
Attributes
String
Optional
Proxy Login Password (proxyLoginPassword)
Description
Password for the HTTP proxy if proxy authentication is used.
Attributes
String
Optional
Sensitive
Cookies (cookies)
Description
A list of cookies to expect and send back to the client.
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.sso.AccessCookieIdentityPropagator
id: AccessCookieIdentityPropagator-xxxxxx
displayName: 
comment: 
properties:
  accessCookieSourceUrl:
  allowOnlyTrustedCerts: true
  connectTimeout: 10
  cookies:
  correlationIdHeaderName:
  httpParamPassword:
  httpParamUsername:
  httpParams:
  proxyHost:
  proxyLoginPassword:
  proxyLoginUser:
  proxyPort:
  trustStorePassword:
  trustStorePath:
  trustStoreType: JKS
  verifyServerHostname: true

Account Link Consistency User Change Listener

Description
A listener that reacts on change events on users and keeps the account links in a consistent state. Currently, it performs the following actions:
  • on user deletion: delete all account links assigned to that user.
  • on user name change: update the account links to the new user name.
Class
com.airlock.iam.login.application.configuration.oauth2.persistence.AccountLinkConsistencyUserChangeListener
May be used by
License-Tags
OAuthAccountLinking,OAuthSocialRegistration
Properties
Persister Config (persisterConfig)
Description
Repository providing the account links for each user.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.oauth2.persistence.AccountLinkConsistencyUserChangeListener
id: AccountLinkConsistencyUserChangeListener-xxxxxx
displayName: 
comment: 
properties:
  persisterConfig:

Account Link Database Repository

Description
Account Link Repository for relational databases. Stores information about linked accounts.
Class
com.airlock.iam.common.application.configuration.accountlink.persistence.AccountLinkDatabasePersisterConfig
May be used by
License-Tags
OAuthAccountLinking,OAuthSocialRegistration
Properties
SQL Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Table Name (tableName)
Description
The name of the database table containing the account links.
Attributes
String
Optional
Default value
account_link
Sequence Name (sequenceName)
Description
The name of the database sequence providing primary keys (Oracle only). If left empty, Airlock IAM expects the database to support auto-increment columns (SQL Server, MySQL).
Attributes
String
Optional
Suggested values
account_link_seq
Tenant ID (tenantId)
Description
The value which is added to account links to distinguish between different tenants. The value is also used when retrieving account links from the persistence.
If no value is configured, 'no_tenant' is used as the value in the database.
Attributes
String
Optional
Length <= 50
Validation RegEx: (?!no_tenant$).*
Example
customerA
Example
customerB
Log Queries (logQueries)
Description
Enable to log SQL queries (only effective if the log level is at least INFO). Attention: query values (including potentially sensitive data) will be logged as well.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.accountlink.persistence.AccountLinkDatabasePersisterConfig
id: AccountLinkDatabasePersisterConfig-xxxxxx
displayName: 
comment: 
properties:
  logQueries: false
  sequenceName:
  sqlDataSource:
  tableName: account_link
  tenantId:

Account Link Linking Initiation Step

Description
Step to initiate the linking of a provider account. The actual link will be created in the "Apply Changes Step" which requires an "Apply Account Link Linking" to perform the linking.
Class
com.airlock.iam.selfservice.application.configuration.step.AccountLinkLinkingInitiationStepConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.AccountLinkLinkingInitiationStepConfig
id: AccountLinkLinkingInitiationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Account Link Management Config

Description
Configuration of the account link management of users.
Class
com.airlock.iam.admin.application.configuration.accountlink.AccountLinkManagementConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
Account Link Persister (accountLinkPersister)
Description
Repository providing the account links of users.
Attributes
Plugin-Link
Mandatory
License-Tags
OAuthAccountLinking
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.accountlink.AccountLinkManagementConfig
id: AccountLinkManagementConfig-xxxxxx
displayName: 
comment: 
properties:
  accountLinkPersister:

Account Link Management UI

Description
Configures the account link management user interface.

Depending on the configuration, the user interface allows an authenticated user:

  • to delete an account link.
  • to add an account link.

The account link management interface is accessible at /<loginapp-uri>/ui/app/protected/account-links after user authentication.

Class
com.airlock.iam.selfservice.application.configuration.ui.accountlinks.AccountLinkManagementUiConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
Flow To Link Account (flowToLinkAccount)
Description
ID of the flow which is used for adding an account link.
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Unlink Account (flowToUnlinkAccount)
Description
ID of the flow which is used for removing an account link.
Attributes
Plugin-Link
Optional
Assignable plugins
Page Exit Target (pageExitTarget)
Description

If configured, an additional button is displayed on the account link management to exit the page. On click, this button redirects the user to the configured target.

To redirect to a target application, redirect to the corresponding "Authentication Flow". If the flow can be skipped due to the obtained tags, the user is directly forwarded to the target application.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.ui.accountlinks.AccountLinkManagementUiConfig
id: AccountLinkManagementUiConfig-xxxxxx
displayName: 
comment: 
properties:
  flowToLinkAccount:
  flowToUnlinkAccount:
  pageExitTarget:

Account Link Management UI Redirect

Description
Redirects to the "Account Link Management UI".
Class
com.airlock.iam.selfservice.application.configuration.ui.accountlinks.AccountLinkManagementFlowRedirectTargetConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.ui.accountlinks.AccountLinkManagementFlowRedirectTargetConfig
id: AccountLinkManagementFlowRedirectTargetConfig-xxxxxx
displayName: 
comment: 
properties:

Account Link Removal Initiation Step

Description
Step to initiate the removal of an account link. The actual removal will be done in the "Apply Changes Step" which requires an "Apply Account Link Deletion" to perform the actual deletion.
Class
com.airlock.iam.selfservice.application.configuration.step.AccountLinkDeletionInitiationStepConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.AccountLinkDeletionInitiationStepConfig
id: AccountLinkDeletionInitiationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Account Linking Lists Self Services

Description
Configures the account link and provider list REST APIs. Additional self-service functionality can be configured in "Protected Self-Service Flows". Requires an Account Link Persister in OAuth 2.0/OIDC Client settings.
Class
com.airlock.iam.selfservice.application.configuration.token.AccountLinkingListsSelfServiceRestConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access the account link and provider list.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access the account link and provider list without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.token.AccountLinkingListsSelfServiceRestConfig
id: AccountLinkingListsSelfServiceRestConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:

Account Linking Required Red Flag

Description
Red Flag for account linking required. Typically raised by an 'OAuth 2.0 SSO Step' and handled by a 'Missing Account Link Step'.
Class
com.airlock.iam.oauth2.application.configuration.accountlinking.AccountLinkingRequiredRedFlagConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
Name (name)
Description
The name of the red flag.
Attributes
String
Optional
Default value
OAUTH2_ACCOUNT_LINKING_REQUIRED
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.accountlinking.AccountLinkingRequiredRedFlagConfig
id: AccountLinkingRequiredRedFlagConfig-xxxxxx
displayName: 
comment: 
properties:
  name: OAUTH2_ACCOUNT_LINKING_REQUIRED

Account Linking Required Red Flag Condition

Description
Flow condition which evaluates to true if the configured red flag is raised.
Class
com.airlock.iam.oauth2.application.configuration.accountlinking.AccountLinkingRequiredConditionConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
Red Flag (redFlag)
Description
While the configured red flag is raised, this condition evaluates to true.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.accountlinking.AccountLinkingRequiredConditionConfig
id: AccountLinkingRequiredConditionConfig-xxxxxx
displayName: 
comment: 
properties:
  redFlag:

Account Linking Self Service Config

Description
Allows users to manage a link to their account of the provider.
Class
com.airlock.iam.oauth2.application.configuration.accountlinking.AccountLinkingSelfServiceConfig
May be used by
License-Tags
OAuthAccountLinking,OAuthSocialRegistration
Properties
Ask For Confirmation Before Linking (askForConfirmationBeforeLinking)
Description
If enabled, an additional confirmation page is shown when a user starts linking a new account before being redirected to the external provider for authentication.
Attributes
Boolean
Optional
Default value
true
Account Info Resource Key (accountInfo)
Description
Defines a resource key that is used to look up and display additional data of a linked account on the account link management page. To obtain the data, it is required to add an 'OAuth 2.0 Remote Context Data Resource' with a 'Local Context Data Key' equal to this resource key to the resource mappings. Please note that the remote data might only be available if it was requested with the corresponding scope from the authorization endpoint.
This property is helpful to display data that uniquely and understandably identifies an account, e.g. to display the user's email if available.
Attributes
String
Optional
Suggested values
email
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.accountlinking.AccountLinkingSelfServiceConfig
id: AccountLinkingSelfServiceConfig-xxxxxx
displayName: 
comment: 
properties:
  accountInfo:
  askForConfirmationBeforeLinking: true

Ace Radius Token Verifier

Description
Token verifier to test ACE/RSA tokens using the RADIUS protocol.
This plug-in supports multiple ACE/RSA servers and failover.

The ACE server must be installed/configured to support RADIUS. Here are some configuration hints (may be different for more recent ACE server versions):

  • RADIUS support must be activated.
  • Create an agent host of type "Unix Agent" with the name and the IP of the host running this client. This makes sure that the ACE server accepts RADIUS requests from the client host.
  • Activate the users you want to use on the newly created agent host.

Since the RADIUS protocol does not know anything about the different challenge responses (next token required, new PIN required, etc.), some RSA/ACE server versions encode them in the state attribute (like a session ID). This implementation can check for these special state values and behave accordingly; this is the default setting. If the next token mode (and new PIN mode) does not work properly, enable the property Interpret Challenge Messages. In this case, this plug-in interprets the reply messages rather than the special state attributes.

Class
com.airlock.iam.core.misc.impl.tokenverifier.ace.AceRadiusTokenVerifier
May be used by
License-Tags
RadiusClient,SecurID,SecureID
Properties
Radius Servers (radiusServers)
Description
The RADIUS Server(s). If more than one is provided, the list is used for failover.

Non-backward compatibility: Before hierarchical plugins were released, the RadiusServer information was configured directly in this plugin as a comma-separated list. This must be converted by hand.

Attributes
Plugin-List
Mandatory
Assignable plugins
Interpret Challenge Messages (interpretChallengeMessages)
Description
If set to TRUE, this plug-in looks at the reply messages in RADIUS responses. The messages are used to distinguish next-token mode, new-PIN mode, and new-PIN-accepted mode.
If the property is set to FALSE (default), this plugin interprets the RADIUS state attribute to make this distinction. This may not work with newer RSA/ACE servers.
Attributes
Boolean
Optional
Default value
false
Nas Identifier (nasIdentifier)
Description
The NAS-Identifier to set in all requests.
Attributes
String
Optional
Length >= 3
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.tokenverifier.ace.AceRadiusTokenVerifier
id: AceRadiusTokenVerifier-xxxxxx
displayName: 
comment: 
properties:
  interpretChallengeMessages: false
  nasIdentifier:
  radiusServers:

Acknowledge Message Step

Description
Configures a message ID or a message to be acknowledged by a client during a flow.

This can be used for example to inform users about a concrete event happening inside the flow, e.g., a successful mandatory password change, steps inside user self-registration, etc. This step can return a static message ID or a message that was generated by the server. At least one has to be configured. The message ID expects the client to display a corresponding message, while the server message is composed on the server and can therefore contain dynamic properties available in the IAM flow.

The message ID and the server message will both be provided as an additional attribute inside the flow response under the key messageId and serverMessage respectively.

Class
com.airlock.iam.flow.shared.application.configuration.acknowledgemessage.AcknowledgeMessageStepConfig
May be used by
Properties
Message ID (messageId)
Description
ID of the corresponding message which a client is expected to display. If a Server Message is configured, this is optional, but could still be useful, e.g. for the client to determine the title or styling.
Attributes
String
Optional
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.acknowledgemessage.AcknowledgeMessageStepConfig
id: AcknowledgeMessageStepConfig-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  messageId:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  serverMessage:
  skipCondition:
  stepId:
  tagsOnSuccess:

ACR to Flow Application ID Mapping

Description
An authentication flow can be started based on a requested ACR value. If a configured ACR Value is found in the OpenID Connect request, the authentication flow of the configured application ID is started.
Class
com.airlock.iam.login.application.configuration.oauth2.OpenIdConnectAcrToApplicationIdConfig
May be used by
Properties
ACR Value (acrValue)
Description
When a requested ACR value matches this ACR, the configured Flow Application ID is started. Note: The ACR value is case sensitive.
Attributes
String
Mandatory
Flow Application ID (flowApplicationId)
Description
Application ID Flow to start, if a configured ACR is found in the OpenID Connect request.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.oauth2.OpenIdConnectAcrToApplicationIdConfig
id: OpenIdConnectAcrToApplicationIdConfig-xxxxxx
displayName: 
comment: 
properties:
  acrValue:
  flowApplicationId:

Active Authentication Method

Description
Condition that is fulfilled if the configured "Auth Method" matches the user's active authentication method.
Class
com.airlock.iam.authentication.application.configuration.selection.condition.AuthMethodBasedConditionConfig
May be used by
mTAN Transaction Approval Step mTAN Transaction Approval Step Default Enable Cronto Push Flow Default Enable Cronto Push Flow Secret Questions Identity Verification Step Secret Questions Identity Verification Step Default mTAN Deletion Flow Legacy mTAN Registration Flow Legacy mTAN Registration Flow Set Authentication Method Migration Step Set Authentication Method Migration Step Advanced Migration Selection Option Airlock 2FA Authentication Step Airlock 2FA Authentication Step Complete Migration Step Complete Migration Step Failure Step Failure Step Airlock 2FA Recovery Trusted Session Binding Step Airlock 2FA Recovery Trusted Session Binding Step Email Identity Verification Step Email Identity Verification Step Scriptable Step Scriptable Step Custom Protected Self-Service Flow Custom Protected Self-Service Flow Airlock 2FA Self-Service Approval Step Airlock 2FA Self-Service Approval Step Logical NOT Set Authentication Method Step Set Authentication Method Step OTP Check via RADIUS Step OTP Check via RADIUS Step OAuth 2.0 SSO Step OAuth 2.0 SSO Step Cronto Device Selection Step Cronto Device Selection Step Default Disable FIDO Credential Flow Default Disable FIDO Credential Flow FIDO Public Self-Service Approval Step FIDO Public Self-Service Approval Step Cronto Transaction Approval Step Cronto Transaction Approval Step Email OTP Transaction Approval Step Email OTP Transaction Approval Step Send Email Link Step Send Email Link Step Vasco OTP Public Self-Service Approval Step Vasco OTP Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step mTAN Authentication Step mTAN Authentication Step Risk Assessment Step Risk Assessment Step Cronto Authentication Step Cronto Authentication Step User Data Edit Step User Data Edit Step Logical OR Account Link Linking Initiation Step Account Link Linking Initiation Step Account Link Removal Initiation Step Account Link Removal Initiation Step Missing Account 
Link Step CrontoSign Swiss Push Activation Step CrontoSign Swiss Push Activation Step Flow Continuation Token Consumption Step Flow Continuation Token Consumption Step Email Verification Step Email Verification Step SSI Passwordless Authentication Step SSI Passwordless Authentication Step Logical AND Red Flag Raising Step Config Red Flag Raising Step Config Red Flag Raising Step Config Airlock 2FA Transaction Approval Step Airlock 2FA Transaction Approval Step FIDO Credential Selection Step FIDO Credential Selection Step On Behalf Login Identity Propagation Config mTAN Number List mTAN Number List Default OAuth 2.0 Consents Delete Flow Default OAuth 2.0 Consents Delete Flow Selection Step for Public Self-Service Selection Step for Public Self-Service OATH OTP Activation Step OATH OTP Activation Step Default mTAN Token Registration Flow SSO Ticket Authentication Step SSO Ticket Authentication Step Enable Cronto Push Initiation Step Enable Cronto Push Initiation Step Default Account Link Removal Flow Default Account Link Removal Flow Default Account Link Linking Flow Default Account Link Linking Flow Condition-based Role Provider Migration Selection Step Migration Selection Step Migration Selection Step SSI Issuance Step SSI Issuance Step Legacy ID Propagation Adapter OIDC Flow Condition To ACR Value Mapping Phone Number Verification Step Phone Number Verification Step mTAN Public Self-Service Approval Step mTAN Public Self-Service Approval Step User Data Registration Step Config User Data Registration Step Config Cronto Approval Stealth Step Cronto Approval Stealth Step Disable FIDO Credential Initiation Step Disable FIDO Credential Initiation Step OAuth 2.0 Client Persisting Step OAuth 2.0 Client Persisting Step Selection Option For User Self-Registration Delete FIDO Credential Initiation Step Delete FIDO Credential Initiation Step Login From New Device Step Login From New Device Step Account Linking Lists Self Services Account Linking Lists Self Services OAuth 2.0 
Consent Step Password-only Authentication Step Password-only Authentication Step SMS Identity Verification Step SMS Identity Verification Step Cronto Public Self-Service Approval Step Cronto Public Self-Service Approval Step Set Context Data Step Set Context Data Step Matrix Public Self-Service Approval Step Matrix Public Self-Service Approval Step Remember-Me Token Generating Step Remember-Me Token Generating Step Device Token List Device Token List Selection Option For Self-Service Flow Condition-based OAuth 2.0 Scope Condition Delete Cronto Device Initiation Step Delete Cronto Device Initiation Step Kerberos Authentication Step Kerberos Authentication Step Vasco OTP Authentication Step Vasco OTP Authentication Step Device Token Registration Step Device Token Registration Step Flow Continuation Step Flow Continuation Step Remember-Me User Identifying Step Remember-Me User Identifying Step Airlock 2FA Device List Airlock 2FA Device List Password Reset Step Password Reset Step Enable FIDO Credential Initiation Step Enable FIDO Credential Initiation Step Device Token Authentication Step Device Token Authentication Step Matrix Self-Service Approval Step Matrix Self-Service Approval Step User Identification By Data Step (Public Self-Service) User Identification By Data Step (Public Self-Service) Cronto Activation Step Cronto Activation Step Email OTP Authentication Step Email OTP Authentication Step Email Change Verification Step Email Change Verification Step Email Notification Step Email Notification Step FIDO Self-Service Approval Step FIDO Self-Service Approval Step OAuth 2.0 Client Registration Step OAuth 2.0 Client Registration Step Airlock 2FA Activation Step Airlock 2FA Activation Step Airlock 2FA Device Edit Initiation Step Airlock 2FA Device Edit Initiation Step Select mTAN Token Step Select mTAN Token Step Secret Questions Provisioning Step Secret Questions Provisioning Step Airlock 2FA Device Edit Step Airlock 2FA Device Edit Step Apply Changes Step Apply 
Changes Step User Persisting Step Config User Persisting Step Config Start User Representation Step Start User Representation Step Default OAuth 2.0 Session Deletion Flow Default OAuth 2.0 Session Deletion Flow Default Cronto Device Removal Flow Mandatory Password Change Step Config Target URI ID Propagator Disable Cronto Device Initiation Step Disable Cronto Device Initiation Step OAuth 2.0 Consent Grant Initiation Step OAuth 2.0 Consent Grant Initiation Step Airlock 2FA Activation Trusted Session Binding Step Airlock 2FA Activation Trusted Session Binding Step User Unlock Step (Self-Registration) User Unlock Step (Self-Registration) Default mTAN Token Edit Flow Default mTAN Token Edit Flow Cronto Device List Cronto Device List FIDO Registration Step FIDO Registration Step Delete Remember-Me Device Initiation Step Delete Remember-Me Device Initiation Step Transaction Approval Parameter Step Transaction Approval Parameter Step Default FIDO Credential Display Name Change Flow Default FIDO Credential Display Name Change Flow User Identification Step User Identification Step User Identification By Data Step User Identification By Data Step Representation SSO Ticket Identifying Step Representation SSO Ticket Identifying Step Unlock User Step (Public Self-Service) Unlock User Step (Public Self-Service) Airlock 2FA Usernameless Authentication Step Airlock 2FA Usernameless Authentication Step Matrix Authentication Step Matrix Authentication Step mTAN Token Edit Step mTAN Token Edit Step Enable Cronto Device Initiation Step Enable Cronto Device Initiation Step Airlock 2FA Activation Letter Order Step Airlock 2FA Activation Letter Order Step OAuth 2.0 Consent Deny Initiation Step OAuth 2.0 Consent Deny Initiation Step Tag Removal Step Config Tag Removal Step Config FIDO Authentication Step FIDO Authentication Step Cronto Device Reset Step Config Cronto Device Reset Step Config Default Disable Cronto Push Flow Default Disable Cronto Push Flow Abort Step Abort Step mTAN Token 
Registration Step mTAN Token Registration Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Delete Initiation Step Selection Option For Public Self-Service Username Password Authentication Step Username Password Authentication Step Certificate Credential Extraction Step Config Certificate Credential Extraction Step Config OAuth 2.0 Session List OAuth 2.0 Session List Set Password Step Config Set Password Step Config Flow Condition To Authentication Context Mapping Password Change Self-Service Step Password Change Self-Service Step SSI Verification Step SSI Verification Step Default OAuth 2.0 Consent Deny Flow Default OAuth 2.0 Consent Deny Flow Device Token Identity Verification Step Config Device Token Identity Verification Step Config Cronto Self-Service Approval Step Cronto Self-Service Approval Step FIDO Credential List FIDO Credential List Lock Self-Service Step Lock Self-Service Step Password Letter Order Step (Public Self-Service) Password Letter Order Step (Public Self-Service) Default Enable Cronto Device Flow Default Enable Cronto Device Flow Airlock 2FA Delete Devices Step Airlock 2FA Delete Devices Step Vasco OTP Self-Service Approval Step Vasco OTP Self-Service Approval Step Selection Step for User Self-Registration Selection Step for User Self-Registration Vasco OTP Device Activation Vasco OTP Device Activation User Role Assignment Step Config User Role Assignment Step Config Default Enable FIDO Credential Flow Default Enable FIDO Credential Flow mTAN Self-Service Approval Step mTAN Self-Service Approval Step Selection Option Rename Cronto Device Step Rename Cronto Device Step OATH OTP Authentication Step OATH OTP Authentication Step User Identification Step (Public Self-Service) User Identification Step (Public Self-Service) Default Cronto Device Renaming Flow Default Cronto Device Renaming Flow Delete mTAN Number Initiation Step Delete mTAN Number Initiation Step SSI Authentication Step SSI Authentication Step Default Disable Cronto 
Device Flow Default Disable Cronto Device Flow Password Repository Mapping Default Remember-Me Device Deletion Flow Default Remember-Me Device Deletion Flow mTAN Verification Step mTAN Verification Step Conditional Value Map Provider FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Application Portal Target Config Legacy Email OTP Authentication Step Legacy Email OTP Authentication Step Never Migrate Step Never Migrate Step Selection Step for Self-Service Selection Step for Self-Service Cronto Letter Order Step Config Cronto Letter Order Step Config No Operation Step No Operation Step Terms Of Services Step Terms Of Services Step Role-based Tag Acquisition Step Role-based Tag Acquisition Step FIDO Passwordless Authentication Step FIDO Passwordless Authentication Step Disable Cronto Push Initiation Step Disable Cronto Push Initiation Step Stop User Representation Step Stop User Representation Step Acknowledge Message Step Acknowledge Message Step HTTP Basic Authentication Step HTTP Basic Authentication Step Target Applications and Authentication Airlock 2FA Mobile Only Authentication Step Airlock 2FA Mobile Only Authentication Step Generic ID Propagator Voluntary Password Change Step Voluntary Password Change Step Remember-Me Device List Remember-Me Device List SAML 2.0 SP User Identifying Step SAML 2.0 SP User Identifying Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Consents Delete Initiation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Step (with additional Activation) OAuth 2.0 Consent List OAuth 2.0 Consent List Default OAuth 2.0 Consent Grant Flow Default OAuth 2.0 Consent Grant Flow Username Generation Step Config Username Generation Step Config Remember-Me Reset Step Remember-Me Reset Step Default FIDO Credential Removal Flow Delete OAuth 2.0 Session Initiation Step Delete OAuth 2.0 Session Initiation Step OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset Step Selection 
Step Selection Step
Properties
Auth Method (authMethod)
Description
Expected value of the auth method field on the user for this condition to be fulfilled.
Attributes
String
Mandatory
Suggested values
AIRLOCK_2FA, CRONTO, EMAILOTP, FIDO, MATRIX, MTAN, OATH_OTP, OTP, PASSWORD
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.selection.condition.AuthMethodBasedConditionConfig
id: AuthMethodBasedConditionConfig-xxxxxx
displayName: 
comment: 
properties:
  authMethod:

Active Directory Authentication Failure Mapper

Description
Maps messages returned in LDAP exceptions (in the case of bind failures) to authentication result types. Known Active Directory errors are:
  • data 525 - user not found
  • data 52e - invalid credentials
  • data 530 - not permitted to logon at this time
  • data 531 - not permitted to logon at this workstation
  • data 532 - password expired
  • data 533 - account disabled
  • data 701 - account expired
  • data 773 - user must reset password
  • data 775 - user account locked
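The mapping from the list above, as an added example that is not part of the plugin or of Airlock IAM: it extracts the "data NNN" sub-code from the diagnostic text of a failed bind and maps it to a result type. The result-type names, the sample messages and the rule about which results count as a failed password attempt are constructed assumptions for this example.

```python
import re
from enum import Enum


class AuthResult(Enum):
    """Result types a bind failure is mapped to (constructed names, not IAM identifiers)."""
    USER_NOT_FOUND = "user not found"
    INVALID_CREDENTIALS = "invalid credentials"
    LOGON_TIME_RESTRICTED = "not permitted to logon at this time"
    WORKSTATION_RESTRICTED = "not permitted to logon at this workstation"
    PASSWORD_EXPIRED = "password expired"
    ACCOUNT_DISABLED = "account disabled"
    ACCOUNT_EXPIRED = "account expired"
    PASSWORD_RESET_REQUIRED = "user must reset password"
    ACCOUNT_LOCKED = "user account locked"
    UNKNOWN_FAILURE = "unmapped bind failure"


# The "data NNN" sub-codes from the list above; they are hex and compared case-insensitively.
AD_DATA_CODES = {
    "525": AuthResult.USER_NOT_FOUND,
    "52e": AuthResult.INVALID_CREDENTIALS,
    "530": AuthResult.LOGON_TIME_RESTRICTED,
    "531": AuthResult.WORKSTATION_RESTRICTED,
    "532": AuthResult.PASSWORD_EXPIRED,
    "533": AuthResult.ACCOUNT_DISABLED,
    "701": AuthResult.ACCOUNT_EXPIRED,
    "773": AuthResult.PASSWORD_RESET_REQUIRED,
    "775": AuthResult.ACCOUNT_LOCKED,
}

# AD places the sub-code in the diagnostic message of an invalidCredentials bind
# result as "..., data 52e, v...". Only a three-hex-digit token after "data" counts.
_DATA_CODE = re.compile(r"\bdata\s+([0-9a-fA-F]{3})\b", re.IGNORECASE)


def map_bind_failure(diagnostic_message: str) -> AuthResult:
    """Map the message text of a failed LDAP bind to an authentication result type."""
    match = _DATA_CODE.search(diagnostic_message)
    if match is None:
        return AuthResult.UNKNOWN_FAILURE
    return AD_DATA_CODES.get(match.group(1).lower(), AuthResult.UNKNOWN_FAILURE)


# Assumption for this example: only a rejected password should advance a
# failed-attempts counter. Account-state results (locked, disabled, expired) say
# nothing about the password, and counting them would let repeated attempts
# drive lockouts without a single password being checked.
_PASSWORD_REJECTED = frozenset({AuthResult.INVALID_CREDENTIALS})


def counts_as_failed_attempt(result: AuthResult) -> bool:
    return result in _PASSWORD_REJECTED


# Constructed sample diagnostics in the shape AD returns (DSID and v values are made up).
SAMPLE_MESSAGES = {
    "wrong password": "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580",
    "locked": "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580",
    "unknown user": "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 525, v2580",
    "network": "connection reset by peer",
}

if __name__ == "__main__":
    for label, msg in SAMPLE_MESSAGES.items():
        result = map_bind_failure(msg)
        print(f"{label:14} -> {result.name:24} failed attempt={counts_as_failed_attempt(result)}")
```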
Class
com.airlock.iam.core.misc.impl.authen.ldap.ActiveDirectoryAuthenticationFailureMapper
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.ldap.ActiveDirectoryAuthenticationFailureMapper
id: ActiveDirectoryAuthenticationFailureMapper-xxxxxx
displayName: 
comment: 
properties:

Active Directory Connector

Description
Microsoft Active Directory Connector

General Information
If a Microsoft Active Directory is used to manage the users, only this plugin needs to be configured to handle the different user-related directory tasks. This MS AD connector implements the Airlock IAM plugin interfaces Authenticator, UserIterator, LicenseUserCounter, UserPersister, CredentialPersister, PasswordService, PasswordPolicy, and PasswordAuthenticator.

  • Only standard Active Directory user attributes are used; it is therefore not necessary to extend the schema.
  • Active Directory features like recursive group membership, password policies and password histories are supported.
  • Changing passwords is possible when the connection to the AD is secured using SSL/TLS.
  • Multiple AD servers can be configured for failover or load balancing.
  • Multiple "User Search Bases" and "Group Search Bases" can be specified.

This plugin works best with Microsoft Active Directory server 2008R2 and later.

Note on Stealth-Mode (Zero-Information Leakage)
This plugin provides "stealth" in the sense that it does not reveal information about the factor that prevented the successful login, but it does not provide protection against denial-of-service attacks based on locking user accounts.
If used in conjunction with the "Stealth Mode" (see "Main Authenticator" plugin), it is strongly recommended to enable the "soft account lock" feature of this plugin (see property below).

Note on using this plugin only for password checks
When only using this plugin to check the user's password, additional features like role lookup or context data retrieval may not work as expected.

Class
com.airlock.iam.core.misc.impl.activedirectory.ActiveDirectoryConnector
May be used by
Secret Questions Token Controller Main Authenticator Main Authenticator Primary Key Lookup Email User Profile Item Config Token Data mTAN Handler Airlock 2FA Authenticator Cipher Credential Persister Static Request Authentication User to Password Service Mapping User to Password Service Mapping Radius Authentication Service Radius Authentication Service Certificate Authenticator Certificate Authenticator Lock Inactive Accounts Task Lock Inactive Accounts Task Password Authenticator JSP Remember-Me Settings Administrators Management Password-only Authentication Step Persister Password Service Persister Password Service Has Email Address Vasco Token Report Strategy Active Directory Password Repository Client Certificate (X.509) Request Authentication Password Reset Step Basic Auth Request Authentication Basic Auth Request Authentication OAuth 2.0 Token Request Authentication String User Profile Item Credential-based Generic Token Repository mTAN IAK Token Report Strategy Pattern-based Random String Generator Email Otp Authenticator Certificate Data Extractor Task Combining User Persister SMS Notifier User Persister Email Certificate Provider Composite Password Service Composite Password Service Composite Password Service Mandatory Password Change Step Config Credential Secret Batch Task Transaction Approval OAuth 2.0/OIDC Authorization Server Delete Users Task Delete Users Task Token Activation On Delivery Strategy Combining Extended User Persister Loginapp Certificate Token Authenticator Export Users Task Export Users Task Airlock 2FA Activation Letter Task User Persister-based User Store Password User Item User to Authenticator Mapping Email Notifier Target Application/Service Credential Report Task OATH OTP Settings Meta Authenticator Meta Authenticator Meta Authenticator Meta Authenticator Username Password Authentication Step Administrators Configuration Administrators Configuration Administrators Configuration Credential Data mTAN Handler Credential Data mTAN 
Handler Set Password Step Config User Sync Task Config User Sync Task Config Password Change Self-Service Step Self Reg Users Reminder Task Vasco Letter Generator Admin SSO Ticket Request Authentication Credential Data Certificate Matcher Persister IAK Verifier User-based Authenticator Selector User Store Configuration User Store Configuration XML File Importer Task SSO Ticket Request Authentication Password Token Controller Password Batch Task Password Batch Task Auth Method-based Authenticator Selector Self Reg Users Clean Up Task Lock Expired Initial Passwords Task Lock Expired Initial Passwords Task Role-based Authenticator Selector Data Sources Legacy Email OTP Authentication Step Extended String User Profile Item Config HTTP Password Service Cronto Report Strategy Token Authenticator Selection Authenticator HTTP Basic Authentication Step Context Data Username Transformer Lookup and Accept Authenticator Voluntary Password Change Step Fallback Authenticator New Email Clean-up Strategy Custom User Persister-based User Store Provider Password Settings Password Settings Destroy Last User Session Email Notification Task Email Notification Task Remember-Me Reset Step User-based Password Service Selector User Persister Configuration User Persister Configuration User Persister Configuration
Properties
Connection Settings (connectionPool)
Description
The connection settings for communicating with one or more Microsoft Active Directory servers.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Is Read Only (isReadOnly)
Description

If enabled, the Active Directory Connector plugin does not write any data to the AD except for new passwords (changing and setting passwords can be disabled in the global password settings).
This allows using a service account with only a few privileges.

If enabled, the following data is not written to the AD (and therefore some features may not work as expected):

  • Context data (e.g. changes to user's postal address)
  • Credential data (e.g. change of mobile phone number)
  • User unlocking (after password change or from the Adminapp)
  • Enforcing password change (after setting a new password in the Adminapp)

Note that individual context attributes can be made read-only using the configuration property "Read-Only Attributes".

Attributes
Boolean
Optional
Default value
false
Username Attribute (userIdAttributeName)
Description
The name of the attribute that holds the user ID. Usually the default value 'sAMAccountName' should not be changed.
Attributes
String
Optional
Default value
sAMAccountName
Suggested values
cn, sAMAccountName, userPrincipalName
Credential Data Attribute (credentialDataAttribute)
Description

The LDAP attribute with credential data (e.g. mobile phone number for mTAN/SMS authentication or email address for certificate validation).
If the same attribute is listed in the property "Binary Attributes", it will be treated as binary data, otherwise it is assumed to be UTF-8 string data.

This property is only required when an additional credential should be checked besides the password.

Attributes
String
Optional
Default value
mobile
Suggested values
mobile, mail, cn, userPrincipalName
User Search Bases (userSearchBases)
Description
Specifies the LDAP tree node(s) for users. If multiple nodes are defined, all are considered in the defined order when finding users.

The separate property "User Search Scope" controls whether users are only searched in the nodes defined by this property or in its subtrees as well.

Attributes
String-List
Mandatory
User Search Scope (userSearchScope)
Description
Specifies whether the search should consider the complete subtree of the search base "User Search Bases" or only its direct child nodes.
  • ONE_LEVEL: Search users only in the specified "User Search Bases" - the subtree is ignored.
  • SUBTREE: Search users recursively in the specified "User Search Bases" - considers the complete subtree.
  • SUBORDINATE_SUBTREE: Search users recursively in the specified "User Search Bases" - considers the complete subtree from one level below the specified "User Search Bases" and ignores users directly in it.
  • BASE: Only the exact entries in the specified "User Search Bases" are considered.
Attributes
Enum
Optional
Default value
SUBTREE
User Search Filter (userSearchFilter)
Description

LDAP search filter expression applied when searching for users.
Note that this filter is automatically combined (logical AND) with a username filter based on the "Username Attribute".
The format and interpretation of the filter follow RFC 2254.

Example 1 - Consider only entries with object class user: (objectCategory=user)
Example 2 - Consider only entries with object class person: (objectClass=person)
Example 3 - Consider only users in a specific group (no nested groups): (&(objectCategory=Person)(memberOf=cn=snakeOilDepartment,ou=groups,dc=company,dc=com))
Example 4 - Same as example 3 but also considering nested groups: (&(objectCategory=Person)(memberOf:1.2.840.113556.1.4.1941:=cn=snakeOilDepartment,ou=groups,dc=company,dc=com))

Attributes
String
Optional
Multi-line-text
Default value
(objectCategory=user)
Example
(objectCategory=user)
Example
(objectClass=person)
Username Conversion Pattern (usernameConversionPattern)
Description

Regular expression pattern containing a group (a region enclosed in parentheses) that is used together with the property "Username Conversion Replacement" to transform the username before it is used to search for the user in the directory. If the username does not match the pattern at all, no transformation is performed.

Example: The pattern "(.*)" and the replacement pattern "user.$1" will transform the username "jdoe" to "user.jdoe" before it is used in the directory.

Example: The pattern "user\.(.*)" and the replacement pattern "$1" will transform the username "user.jdoe" to "jdoe" before it is used in the directory.
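How the "User Search Filter" and the username conversion above fit together, as an added example that is not the connector's own code: the username is converted with a Java-style "$1" replacement, escaped as an LDAP assertion value, and ANDed with the configured filter. Assumptions for this example: the whole username has to match the conversion pattern, the value escaping follows RFC 4515 (the successor of RFC 2254), and the syntax check on the configured filter is a hypothetical pre-deployment check; the page does not show the connector's implementation of any of these.

```python
import re
from typing import Optional

# RFC 4515 escaping for an assertion value inside a filter. Without it a username
# such as "jdoe)(objectClass=*" would change the structure of the search filter.
_ESCAPE = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


# Java-style "$1", "$2", ... group references in the replacement string.
_GROUP_REF = re.compile(r"\$(\d+)")


def convert_username(username: str, pattern: Optional[str], replacement: Optional[str]) -> str:
    """Apply "Username Conversion Pattern" / "Username Conversion Replacement".
    Assumption: the whole username must match the pattern; otherwise the username
    is returned unchanged, as the property description states."""
    if not pattern or replacement is None:
        return username
    match = re.fullmatch(pattern, username)
    if match is None:
        return username
    return _GROUP_REF.sub(lambda ref: match.group(int(ref.group(1))) or "", replacement)


def check_filter_syntax(filter_expr: str) -> None:
    """Hypothetical sanity check: reject a configured filter with unbalanced
    parentheses (escaped ones are skipped) before it is ANDed with the username filter."""
    depth = 0
    i = 0
    while i < len(filter_expr):
        ch = filter_expr[i]
        if ch == "\\":
            i += 3  # skip a "\xx" escape sequence as a whole
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in filter: " + filter_expr)
        i += 1
    if depth != 0 or not filter_expr.startswith("("):
        raise ValueError("filter must be one balanced parenthesised expression: " + filter_expr)


def build_user_search_filter(
    username: str,
    configured_filter: str = "(objectCategory=user)",
    username_attribute: str = "sAMAccountName",
    conversion_pattern: Optional[str] = None,
    conversion_replacement: Optional[str] = None,
) -> str:
    """Combine the configured "User Search Filter" (logical AND) with the username filter."""
    uid = convert_username(username, conversion_pattern, conversion_replacement)
    username_filter = f"({username_attribute}={escape_filter_value(uid)})"
    if not configured_filter:
        return username_filter
    check_filter_syntax(configured_filter)
    return f"(&{configured_filter}{username_filter})"


if __name__ == "__main__":
    print(build_user_search_filter("jdoe"))
    print(build_user_search_filter("user.jdoe", conversion_pattern=r"user\.(.*)", conversion_replacement="$1"))
    print(build_user_search_filter("jdoe)(objectClass=*"))  # structure survives thanks to escaping
```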

Attributes
RegEx
Optional
Username Conversion Replacement (usernameConversionReplacement)
Description
The replacement string used in conjunction with property "Username Conversion Pattern" in order to transform the username. The token "$1" is used to reference the string matching the group in the pattern. See property "Username Conversion Pattern" for examples.
Attributes
String
Optional
Example
user.$1
Example
$1
Group Search Bases (groupSearchBases)
Description
Specifies the LDAP tree node(s) for groups/roles. If multiple nodes are defined, all are considered in the defined order when finding groups.

Groups/roles are not searched if this property is not configured.

The separate property "Group Search Scope" controls whether groups are only searched in the nodes defined by this property or in its subtrees as well.

Attributes
String-List
Optional
Group Search Scope (groupSearchScope)
Description
Specifies whether the search should consider the complete subtree of the search base "Group Search Bases" or only its direct child nodes.
  • ONE_LEVEL: Search groups only in the specified "Group Search Bases" - the subtree is ignored.
  • SUBTREE: Search groups recursively in the specified "Group Search Bases" - considers the complete subtree.
  • SUBORDINATE_SUBTREE: Search groups recursively in the specified "Group Search Bases" - considers the complete subtree from one level below the specified "Group Search Bases" and ignores groups directly in it.
  • BASE: Only the exact entries in the specified "Group Search Bases" are considered.
Attributes
Enum
Optional
Default value
SUBTREE
Group Search Filter (groupSearchFilter)
Description
LDAP search filter expression applied when searching for groups.

Note that this filter is automatically combined (logical AND) with a username filter based on the "Username Attribute".
The format and interpretation of the filter follow RFC 2254.

Attributes
String
Optional
Multi-line-text
Default value
(objectClass=group)
Example
(objectClass=group)
Example
(objectCategory=group)
Example
(objectClass=*)
Resolve Nested Groups (resolveNestedGroups)
Description
If enabled, nested groups are also assigned to a user as roles. If disabled, only groups directly connected to the user (memberOf) are read from the Active Directory and assigned to the user as roles.

Notice that in any case, only groups in the "Group Search Bases" will be found.

Attributes
Boolean
Optional
Default value
true
Static Roles (staticRoles)
Description
Static list of roles added to all users. Every user found in the AD gets these roles in addition to the user's roles/groups in the Active Directory (if configured).
Attributes
String-List
Optional
Role Filters (roleFilters)
Description
Allows filtering of retrieved user roles by regular expressions. If configured, only roles that match at least one of the filter patterns are assigned to the user. Static roles are not filtered.
Attributes
RegEx-List
Optional
Match Roles Case Sensitive (matchRolesCaseSensitive)
Description
If enabled, roles are matched against the role filters considering the case (the default).
Attributes
Boolean
Optional
Default value
true
Use Groups From memberOf Attribute (useGroupsFromMemberOfAttribute)
Description
If enabled, the group values from the memberOf attribute are imported as user roles. This is combinable with the groups search. The values from the memberOf attribute will also be filtered by the role filter.

Note that nested roles can NOT be resolved via the memberOf attribute. This can only be done using the groups search. The role lookup through the memberOf attribute is read-only, as is the lookup through the groups search.

Attributes
Boolean
Optional
Default value
false
Search Result Page Size (searchResultPageSize)
Description

If set to a value greater than zero and the Active Directory supports the SimplePaging control, "paging" is enabled for LDAP searches: this property defines the number of entries to fetch at once when searching the directory.

This setting may be useful if the Active Directory limits the number of entries in a search result.
If the property is set to zero (the default) or the server does not announce support for the SimplePaging control, paging is disabled.

Attributes
Integer
Optional
Default value
1000
Suppress Substring Search (suppressSubstringSearch)
Description
If enabled, substring searches are suppressed, i.e. an attribute only matches a filter if the whole filter string matches.
This may greatly improve search performance in large directories.
Attributes
Boolean
Optional
Default value
false
Soft Account Lock (softAccountLock)
Description

Lock users when they exceed the configured number of successive incorrect password checks on the AD (e.g. the value "2" means that 2 incorrect passwords are still OK).

If the number is smaller than the corresponding setting in AD, this allows "soft-locking" the account if accessed via Airlock IAM without actually locking the account on the AD. This feature may be used to prevent AD accounts from being locked by unsuccessful remote logins.

Note: if "Stealth Mode" is used (see "Main Authenticator" plugin), it is strongly recommended to enable this feature.
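The interplay between the soft lock and the AD's own lockout threshold, as an added simulation that is not the connector's code: wrong passwords are fed through a password check with the "2 incorrect passwords are still OK" semantics described above, and the simulated AD counts how many binds actually reach it. The simulated AD, its lockout threshold of 5, the result strings and the reset behaviour are constructed assumptions for this example.

```python
from typing import Dict, Optional


class SimulatedActiveDirectory:
    """Stand-in for the AD server (constructed): checks binds, applies its own
    lockout threshold and counts how many binds it has seen."""

    def __init__(self, passwords: Dict[str, str], lockout_threshold: int = 5) -> None:
        self.passwords = passwords
        self.lockout_threshold = lockout_threshold
        self.bad_password_count: Dict[str, int] = {}
        self.binds_seen = 0

    def bind(self, user: str, password: str) -> str:
        """Returns the sub-code a bind would yield: 'ok', 'data 52e' or 'data 775'."""
        self.binds_seen += 1
        if self.bad_password_count.get(user, 0) >= self.lockout_threshold:
            return "data 775"  # account locked on the AD itself
        if self.passwords.get(user) == password:
            self.bad_password_count[user] = 0
            return "ok"
        self.bad_password_count[user] = self.bad_password_count.get(user, 0) + 1
        return "data 52e"  # invalid credentials


class SoftLockingPasswordCheck:
    """Password check in front of the AD with the "Soft Account Lock" semantics of the
    page: the configured value is the number of successive wrong passwords that are
    still tolerated; one more soft-locks the user without touching the AD account."""

    def __init__(self, ad: SimulatedActiveDirectory, soft_account_lock: Optional[int]) -> None:
        self.ad = ad
        self.soft_account_lock = soft_account_lock  # None = feature not configured
        self.failures: Dict[str, int] = {}

    def is_soft_locked(self, user: str) -> bool:
        if self.soft_account_lock is None:
            return False
        return self.failures.get(user, 0) > self.soft_account_lock

    def authenticate(self, user: str, password: str) -> str:
        if self.is_soft_locked(user):
            return "SOFT_LOCKED"  # rejected here; the AD lockout counter is not advanced
        outcome = self.ad.bind(user, password)
        if outcome == "ok":
            self.failures[user] = 0
            return "SUCCESS"
        if outcome == "data 52e":
            self.failures[user] = self.failures.get(user, 0) + 1
            return "SOFT_LOCKED" if self.is_soft_locked(user) else "INVALID_CREDENTIALS"
        return "AD_LOCKED" if outcome == "data 775" else "FAILED"

    def reset_failures(self, user: str) -> None:
        """Clear the soft lock (assumed to happen e.g. after a password reset or an unlock)."""
        self.failures[user] = 0


def run_guessing_scenario(soft_account_lock: Optional[int], attempts: int = 10,
                          ad_lockout_threshold: int = 5) -> dict:
    """Feed `attempts` wrong passwords for jdoe, clear the soft lock, then let the
    legitimate user log in. Shows which side ends up holding the lock."""
    ad = SimulatedActiveDirectory({"jdoe": "correct-password"}, ad_lockout_threshold)
    check = SoftLockingPasswordCheck(ad, soft_account_lock)
    for i in range(attempts):
        check.authenticate("jdoe", f"guess-{i}")
    forwarded = ad.binds_seen
    check.reset_failures("jdoe")  # IAM can clear its soft lock; it cannot clear the AD lock
    return {
        "binds_forwarded_to_ad": forwarded,
        "locked_on_ad": ad.bad_password_count["jdoe"] >= ad.lockout_threshold,
        "legitimate_login": check.authenticate("jdoe", "correct-password"),
    }


if __name__ == "__main__":
    print("soft lock 2  :", run_guessing_scenario(2))
    print("soft lock off:", run_guessing_scenario(None))
```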

Attributes
Integer
Optional
Unlock User On Password Reset (unlockUserOnPasswordReset)
Description
If set to TRUE, the user attribute "Lockout Time" is reset to 0 upon password reset.
Attributes
Boolean
Optional
Default value
true
Check Server-Side Password Policies On Change/Reset (checkServersidePasswordPoliciesOnChange)
Description

If enabled, the server-side password policy is checked when a user changes or resets the password (not when an administrator sets one). This is for example useful to enforce advanced server-side policies like password histories.

Note that the AD might impose further password constraints (e.g. minimal length), that cannot be weakened or disabled with these settings.

Attributes
Boolean
Optional
Default value
true
Context Data Attributes (contextDataAttributes)
Description
A list of attribute names that are loaded into the context data container of the user, e.g. address data.
Notice: Context data attributes are string based. Values will be read as strings and are converted to string when written.

To prevent attributes from being changed by Airlock IAM/Login, add them also to the list of "Read-only Attributes".

Notice: The attributes "objectGUID" and "ImmutableID" are always considered read-only.

Attributes
String-List
Optional
Binary Attributes (binaryAttributes)
Description
A list of attribute names that should be treated as binary data (instead of string data).

Those attributes are Base64 encoded for use in Airlock IAM/Login.

If the attribute name from "Credential Data Attribute" is also listed here, the credential data will be treated as binary.

Attributes
String-List
Optional
Read-only Attributes (readOnlyAttributes)
Description
A list of attribute names that are never written when updating a user. This must be a subset of the attributes listed in Context Data Attributes.
Attributes
String-List
Optional
User DN Context Data Attribute (userDNContextDataAttribute)
Description
The name of the context data field to hold the user's distinguished name (DN).
This DN is in the format "uid=user,ou=People,dc=company,dc=ch".
Attributes
String
Optional
Example
dn
Domain DN (domainDN)
Description
The distinguished name (DN) of the root domain. If left unconfigured the default naming context of the Active Directory server is used.
Attributes
String
Optional
Example
DC=example, DC=org
Password Settings Container DN (passwordSettingsContainerDN)
Description
The distinguished name (DN) of the Password Settings Container (PSC). If left unconfigured the PSC "CN=Password Settings Container, CN=System" in the default naming context of the Active Directory server is used.
Attributes
String
Optional
Example
CN=Password Settings Container, CN=System, DC=example, DC=org
User Count Search Filter (userCountSearchFilter)
Description
The search filter expression applied (in addition to the "User Search Filter" expression if present) to count the users. If no filter expression is given, the "User Search Filter" expression is used to count users. If no "User Search Filter" expression is given either, the default filter is used to count users. The format and interpretation of the filter follow RFC 2254.

Note: The user count is relevant for the product license. This filter should therefore describe the set of users who are able to authenticate through Airlock IAM.

Attributes
String
Optional
Example
(objectCategory=user)
LDS Mode (adLdsMode)
Description
Activates the AD LDS mode of operation ("Lightweight Directory Services").
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.activedirectory.ActiveDirectoryConnector
id: ActiveDirectoryConnector-xxxxxx
displayName: 
comment: 
properties:
  adLdsMode: false
  binaryAttributes:
  checkServersidePasswordPoliciesOnChange: true
  connectionPool:
  contextDataAttributes:
  credentialDataAttribute: mobile
  domainDN:
  groupSearchBases:
  groupSearchFilter: (objectClass=group)
  groupSearchScope: SUBTREE
  isReadOnly: false
  matchRolesCaseSensitive: true
  passwordSettingsContainerDN:
  readOnlyAttributes:
  resolveNestedGroups: true
  roleFilters:
  searchResultPageSize: 1000
  softAccountLock:
  staticRoles:
  suppressSubstringSearch: false
  unlockUserOnPasswordReset: true
  useGroupsFromMemberOfAttribute: false
  userChangeEventListeners:
  userCountSearchFilter:
  userDNContextDataAttribute:
  userIdAttributeName: sAMAccountName
  userSearchBases:
  userSearchFilter: (objectCategory=user)
  userSearchScope: SUBTREE
  usernameConversionPattern:
  usernameConversionReplacement:

Active Directory Password Policy

Description
A password policy that validates a password against different requirements. Those requirements are retrieved from the configured Active Directory connector. Validation can be done for different contexts, e.g. only on login or on password reset.

Note: This plugin only checks certain requirements against the current password if the necessary information is made available in the user data (e.g. latest-password-change-timestamp). Whether this is the case may depend on the configuration of the underlying user persister.

Class
com.airlock.iam.core.misc.impl.authen.ldap.ActiveDirectoryPasswordPolicy
May be used by
Properties
Active Directory Connector (activeDirectoryConnector)
Description
Provides access to the schema of an Active Directory to retrieve the current password policy for certain users.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.ldap.ActiveDirectoryPasswordPolicy
id: ActiveDirectoryPasswordPolicy-xxxxxx
displayName: 
comment: 
properties:
  activeDirectoryConnector:

Active Directory Password Policy Connector

Description
This plugin retrieves a Password Policy Object (PSO) for a specific user from an Active Directory (AD) via the configured LDAP connection.
Class
com.airlock.iam.core.misc.impl.authen.ldap.ActiveDirectoryPasswordPolicyConnector
May be used by
Properties
Connection Pool (connectionPool)
Description
The settings used to talk to the LDAP directory (or Active Directory).
Attributes
Plugin-Link
Mandatory
Assignable plugins
Domain DN (domainDN)
Description
The distinguished name (DN) of the domain in the Active Directory schema.
Attributes
String
Mandatory
Example
dc=example, dc=org
Password Settings Container DN (passwordSettingsContainerDN)
Description
The distinguished name (DN) of the Password Settings Container (PSC) in the Active Directory schema.
Attributes
String
Mandatory
Example
cn=Password Settings Container, cn=System, dc=example, dc=org
Username Attribute (userIdAttributeName)
Description
The name of the attribute that holds the user id.
Attributes
String
Optional
Default value
sAMAccountName
Suggested values
cn, sAMAccountName, userPrincipalName
User Search Bases (searchBases)
Description
Defines a list of search contexts (search trees with search levels) to use when looking for users. The search contexts are used in the defined order. If left unconfigured sensible defaults apply.
Attributes
String-List
Optional
User Search Scope (searchScope)
Description
Specifies whether the search should also recurse down the subtrees of the search base nodes, or whether only the direct children of the search base nodes should be searched.

Valid values are SUB and ONE.

Attributes
Enum
Optional
Default value
SUBTREE
User Search Filter (searchFilter)
Description
The additional LDAP search filter expression used when searching for the user whose password is to be checked. This filter is automatically combined (by a logical AND) with a username filter based on the Username Attribute name.

The format and interpretation of the filter follow RFC 2254.

Attributes
String
Optional
Multi-line-text
Default value
(objectClass=person)
Example
(objectClass=person)
LDS Mode (adLdsMode)
Description
Activates the AD LDS mode of operation ("Lightweight Directory Services").
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.ldap.ActiveDirectoryPasswordPolicyConnector
id: ActiveDirectoryPasswordPolicyConnector-xxxxxx
displayName: 
comment: 
properties:
  adLdsMode: false
  connectionPool:
  domainDN:
  passwordSettingsContainerDN:
  searchBases:
  searchFilter: (objectClass=person)
  searchScope: SUBTREE
  userIdAttributeName: sAMAccountName

Active Directory Password Repository

Description
Retrieves the password of the user from Active Directory.
Class
com.airlock.iam.common.application.configuration.password.repository.ActiveDirectoryPasswordRepositoryConfig
May be used by
Properties
Connector (connector)
Description
The connector for the Active Directory.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allowed Password Validity Duration (allowedPasswordValidityDuration)
Description
The number of days a password may be used before it must be changed.

If a password is changed, the 'latest password change timestamp' is set and, if this property is defined, the 'next enforced password change timestamp' is updated.

If this property is not defined, the 'next enforced password change timestamp' is not updated.

Attributes
Integer
Optional
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.password.repository.ActiveDirectoryPasswordRepositoryConfig
id: ActiveDirectoryPasswordRepositoryConfig-xxxxxx
displayName: 
comment: 
properties:
  allowedPasswordValidityDuration:
  connector:

Actor Claim from Actor Token (OAuth 2.0 Token Exchange)

Description

Sets the act claim to a claim set containing the sub and iss claims from the (required) actor token and nests the original act claim from the subject token data into this claim set.

Nesting the act claim within another expresses a chain of delegation. The outermost act claim represents the current actor while nested act claims represent prior actors. The least recent actor is the most deeply nested. The nested act claims serve as a history trail that connects the initial request and subject through the various delegation steps undertaken before reaching the current actor.

Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2ActorClaimFromActorTokenConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2ActorClaimFromActorTokenConfig
id: OAuth2ActorClaimFromActorTokenConfig-xxxxxx
displayName: 
comment: 
properties:

Actor Token Unsigned Claims Extractor

Description
Requires an actor token to be present in the token exchange request, but does not check the signature. Tokens are expected to have at least the claims iss and sub. If present, the claims exp and nbf are validated.
Caution: JWT tokens with alg=none are accepted: This may be a security risk.
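
The two token exchange rules above (the act claim nesting of "Actor Claim from Actor Token" and the claim checks of this extractor) as one added example. This is illustrative code written for this reference, not Airlock IAM's implementation: the alg=none token, the issuer URL and the claim values are constructed for the demonstration, and the exp/nbf comparison against a caller-supplied clock is an assumption made to keep the example deterministic.

```python
import base64
import json
import time
from typing import Dict, List, Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_jwt(claims: Dict) -> str:
    """Constructed helper: build an alg=none JWT (empty signature part) so the
    extractor below has something to parse. Only for the demonstration."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def extract_unsigned_claims(token: str, allowed_issuers: Optional[List[str]] = None,
                            now: Optional[int] = None) -> Dict:
    """Rules from the plugin description: iss and sub must be present, exp and nbf
    are checked when present, an issuer allowlist applies when configured.
    The signature is deliberately not verified, which is the documented caveat:
    the claims are taken at face value."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    claims = json.loads(b64url_decode(parts[1]))
    for required in ("iss", "sub"):
        if required not in claims:
            raise ValueError(f"missing required claim: {required}")
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("actor token expired")
    if "nbf" in claims and now < int(claims["nbf"]):
        raise ValueError("actor token not yet valid")
    if allowed_issuers and claims["iss"] not in allowed_issuers:
        raise ValueError(f"issuer not allowed: {claims['iss']}")
    return claims


def actor_claim_from_actor_token(subject_claims: Dict, actor_claims: Dict) -> Dict:
    """Build the act claim as described: sub and iss of the current actor, with the
    subject token's existing act claim (the previous actor) nested inside."""
    act = {"sub": actor_claims["sub"], "iss": actor_claims["iss"]}
    if "act" in subject_claims:
        act["act"] = subject_claims["act"]
    return act


def delegation_chain(act: Optional[Dict]) -> List[str]:
    """Walk the nested act claims: current actor first, least recent actor last."""
    chain: List[str] = []
    while act is not None:
        chain.append(act["sub"])
        act = act.get("act")
    return chain


def exchange(subject_claims: Dict, actor_token: str,
             allowed_issuers: Optional[List[str]] = None, now: Optional[int] = None) -> Dict:
    """Put the two rules together: validate the actor token, then produce the
    claim set the issued token would carry (subject claims plus the new act)."""
    actor_claims = extract_unsigned_claims(actor_token, allowed_issuers, now)
    issued = dict(subject_claims)
    issued["act"] = actor_claim_from_actor_token(subject_claims, actor_claims)
    return issued
```

The delegation_chain helper shows why the nesting matters for audit: reading the act claims from the outside in yields the full list of actors that handled the request, most recent first.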
Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2ActorTokenUnsignedClaimsExtractorConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
Allowed Token Issuers (allowedTokenIssuers)
Description
Only tokens issued by these issuers can be exchanged at the endpoint. If left empty, all issuers are allowed.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2ActorTokenUnsignedClaimsExtractorConfig
id: OAuth2ActorTokenUnsignedClaimsExtractorConfig-xxxxxx
displayName: 
comment: 
properties:
  allowedTokenIssuers:

Add Authentee Attribute Config

Description
Adds an attribute to the RADIUS response packet. The value of the attribute is extracted from a configurable context data field of the authenticated user.
Class
com.airlock.iam.servicecontainer.app.application.configuration.radius.AddAuthenteeAttributeConfig
May be used by
Properties
Radius Attribute (radiusAttribute)
Description
The attribute to add to the RADIUS response.

The suffix of the attribute name gives a hint on the data type that this attribute expects in the context data field:

  • NV: a named value, i.e. one of a known set of well-known string keys as defined in the latest FreeRadius dictionary.
  • STRING: a UTF-8 encoded string.
  • INT: a number that can be represented in 4 bytes.
  • BYTES: either a byte array or a base64 encoded string.
  • IPV4: either an IPv4 address object, a host name or a raw 4-byte internet address.
  • IPV6: either an IPv6 address object, a host name or a raw 16-byte internet address.
  • DATE: either a Date object or a number representing seconds since 1.1.1970.

Attributes
Enum
Mandatory
Context Data Field (contextDataField)
Description
The context data field to get the value from. If the context data does not contain this field, the radius attribute will not be added.
Attributes
String
Mandatory
Is Sensitive (isSensitive)
Description
If true, only the attribute name (and not its value) will be logged. If false, the attribute value will be logged.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.servicecontainer.app.application.configuration.radius.AddAuthenteeAttributeConfig
id: AddAuthenteeAttributeConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataField:
  isSensitive: true
  radiusAttribute:

Add Roles

Description
Add static roles to the list of propagated roles.
Class
com.airlock.iam.common.application.configuration.role.AddRoleTransformationConfig
May be used by
Properties
Add static roles (staticRoles)
Description
A list of static roles. If the list of propagated roles already contains the same role, the role won't be added again.
Attributes
String-List
Mandatory
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.role.AddRoleTransformationConfig
id: AddRoleTransformationConfig-xxxxxx
displayName: 
comment: 
properties:
  staticRoles:

Add Scope From Request Parameter

Description

Will add the scopes from the token exchange "scope" request parameter.

If the token exchange "scope" request parameter is not provided or empty, no scopes will be added.

Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.scope.OAuth2TokenExchangeRequestParameterScopeProcessorConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
Add only scopes matching (patterns)
Description
An optional list of regular expressions. If the list is configured, only scope values matching any of the regular expressions will be added. Scope values that do not match any of the configured regular expressions will be ignored. If the list is not configured, all the scope values will be added.
Attributes
RegEx-List
Optional
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.scope.OAuth2TokenExchangeRequestParameterScopeProcessorConfig
id: OAuth2TokenExchangeRequestParameterScopeProcessorConfig-xxxxxx
displayName: 
comment: 
properties:
  patterns:

Add Scope From Subject Token

Description

Will add the scopes from the subject token's "scope" data.

If the subject token's "scope" data is string-valued, it is parsed as an OAuth 2.0 access token scope as defined in RFC6749. If the subject token's "scope" data is string-valued but its format does not conform with the specification, it will be ignored.

If the subject token's "scope" data is a string array, each value is parsed as a single OAuth 2.0 scope value as defined in RFC6749. If the subject token's "scope" data is an array but any of its values is not a string or does not conform with the specification, the whole array will be ignored.

If the subject token's "scope" data is not present, is neither a string nor a string array, or is an empty array, it will be ignored.

Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.scope.OAuth2TokenExchangeSubjectTokenScopeProcessorConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
Add only scopes matching (patterns)
Description
An optional list of regular expressions. If the list is configured, only scope values matching any of the regular expressions will be added. Scope values that do not match any of the configured regular expressions will be ignored. If the list is not configured, all the scope values will be added.
Attributes
RegEx-List
Optional
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.scope.OAuth2TokenExchangeSubjectTokenScopeProcessorConfig
id: OAuth2TokenExchangeSubjectTokenScopeProcessorConfig-xxxxxx
displayName: 
comment: 
properties:
  patterns:

Add Static Scope

Description
Will add the scope values from the configured list.
Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.scope.OAuth2TokenExchangeStaticScopeProcessorConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
Values (values)
Description

The values that will be added to the scope.

Scope tokens must consist of the following characters: %x21 / %x23-5B / %x5D-7E (see RFC6749).
Attributes
String-List
Mandatory
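
An added example covering the three scope processors ("Add Scope From Request Parameter", "Add Scope From Subject Token" and "Add Static Scope"): the string-versus-array rules for the subject token's scope data, the RFC 6749 character set quoted above, the "Add only scopes matching" pattern filter, and the merge of the processors' results. This is illustrative code written for this reference, not Airlock IAM's own code; that a pattern must match the whole scope value (rather than a substring) and that the processors' outputs are merged without duplicates are assumptions of the example.

```python
import re
from typing import Iterable, List, Optional

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ),
# i.e. printable ASCII except space, double quote and backslash.
SCOPE_TOKEN_RE = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")


def is_scope_token(value) -> bool:
    return isinstance(value, str) and SCOPE_TOKEN_RE.match(value) is not None


def scopes_from_subject_token(scope_data) -> List[str]:
    """Rules for the subject token's "scope" data: a string is parsed as a
    space-separated scope; a string array is taken value by value; anything else,
    an empty array, or any malformed entry makes the whole data being ignored."""
    if isinstance(scope_data, str):
        # scope = scope-token *( SP scope-token ): an empty string, a doubled
        # space or a leading/trailing space produces an empty, invalid token.
        tokens = scope_data.split(" ")
        return tokens if all(is_scope_token(t) for t in tokens) else []
    if isinstance(scope_data, list):
        if scope_data and all(is_scope_token(t) for t in scope_data):
            return list(scope_data)
        return []
    return []


def scopes_from_request_parameter(scope_parameter: Optional[str]) -> List[str]:
    """The token exchange "scope" request parameter: absent or empty adds nothing;
    otherwise it is parsed like a string-valued scope."""
    if not scope_parameter:
        return []
    return scopes_from_subject_token(scope_parameter)


def filter_scopes(scopes: Iterable[str], patterns: Optional[Iterable[str]] = None) -> List[str]:
    """'Add only scopes matching': keep values fully matching at least one regular
    expression; with no patterns configured, keep everything."""
    if not patterns:
        return list(scopes)
    compiled = [re.compile(p) for p in patterns]
    return [s for s in scopes if any(c.fullmatch(s) for c in compiled)]


def static_scopes(values: Iterable[str]) -> List[str]:
    """'Add Static Scope': configured values must themselves be valid scope tokens,
    so a misconfiguration is caught instead of producing an unparsable scope."""
    values = list(values)
    bad = [v for v in values if not is_scope_token(v)]
    if bad:
        raise ValueError(f"invalid scope token(s): {bad}")
    return values


def merge_scopes(*sources: Iterable[str]) -> List[str]:
    """Combine the processors' output into one ordered list without duplicates."""
    seen, merged = set(), []
    for source in sources:
        for scope in source:
            if scope not in seen:
                seen.add(scope)
                merged.append(scope)
    return merged
```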
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.scope.OAuth2TokenExchangeStaticScopeProcessorConfig
id: OAuth2TokenExchangeStaticScopeProcessorConfig-xxxxxx
displayName: 
comment: 
properties:
  values:

Additional Context Data

Description

Specifies how to determine a read-only context data value using an SQL query.

The query may use ${xxx} variables to refer to database columns in the main object (e.g. user) the context data is added to.
Example (reading a user): SELECT separateColum FROM OTHER_TABLE WHERE username = ${username}

From the result of the query, the first selected column is interpreted as string and used as context data value.
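
An added illustration of how a query template of this shape can be resolved, written for this reference and not Airlock IAM's implementation (the reference does not show how the product substitutes the ${xxx} variables). The example assumes the placeholders are bound as SQL parameters taken from the main object's row, so a column value such as a username is never concatenated into the SQL text; the in-memory SQLite tables and their rows are constructed for the demonstration.

```python
import re
import sqlite3
from typing import Any, Dict, Optional, Tuple

# ${column} references to the main object's row (e.g. ${username}).
VARIABLE_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def bind_query(template: str, main_row: Dict[str, Any]) -> Tuple[str, tuple]:
    """Replace each ${column} with a positional '?' and collect the bound values
    from the main object's row, in order of appearance."""
    params = []

    def replace(match: "re.Match") -> str:
        column = match.group(1)
        if column not in main_row:
            raise KeyError(f"query refers to unknown column: {column}")
        params.append(main_row[column])
        return "?"

    return VARIABLE_RE.sub(replace, template), tuple(params)


def read_context_data(conn: sqlite3.Connection, template: str,
                      main_row: Dict[str, Any]) -> Optional[str]:
    """Run the bound query; the first selected column of the first row, converted
    to a string, is the context data value (None when nothing is found)."""
    sql, params = bind_query(template, main_row)
    row = conn.execute(sql, params).fetchone()
    if row is None or row[0] is None:
        return None
    return str(row[0])


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory side table standing in for OTHER_TABLE."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OTHER_TABLE (username TEXT, separateColum TEXT)")
    conn.executemany("INSERT INTO OTHER_TABLE VALUES (?, ?)",
                     [("alice", "gold"), ("bob", "silver")])
    return conn


# The query from the plugin description.
QUERY = "SELECT separateColum FROM OTHER_TABLE WHERE username = ${username}"


def lookup(username: str) -> Optional[str]:
    """Resolve the context data value for one user row (main object = user)."""
    conn = build_sample_db()
    try:
        return read_context_data(conn, QUERY, {"username": username})
    finally:
        conn.close()
```

The point of bind_query is that the substituted text is always a placeholder; the row value travels separately as a parameter, so a username containing a quote character simply fails to match instead of changing the statement.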

Class
com.airlock.iam.core.misc.impl.persistency.db.AdditionalContextData
May be used by
Properties
Name (name)
Description
The name of the context data field.
Attributes
String
Mandatory
Example
customField1
Query (query)
Description
The SQL query used to retrieve the value for the context data field. See plugin description for details.
Attributes
String
Mandatory
Example
SELECT separateColum FROM OTHER_TABLE WHERE username = ${username}
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.db.AdditionalContextData
id: AdditionalContextData-xxxxxx
displayName: 
comment: 
properties:
  name:
  query:

Additional Password Check Attribute Map

Description
Provides additional attributes that were sent with the password check request.

Note: The actual additional attributes must be configured in the corresponding authentication flow.

Class
com.airlock.iam.authentication.application.configuration.password.AdditionalPasswordCheckAttributesValueMapProviderConfig
May be used by
mTAN Transaction Approval Step, Secret Questions Identity Verification Step, Set Authentication Method Migration Step, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Airlock 2FA Self-Service Approval Step, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Account Link Linking Initiation Step, Remote Event Subscriber (Loginapp), Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Airlock 2FA Message Provider, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, Selection Step for Public Self-Service, OATH OTP Activation Step, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Delete FIDO Credential Initiation Step, Login From New Device Step, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, Cronto Message Provider, User Identification By Data Step (Public Self-Service), Translated String Provider, Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Template-based String Provider, Apply Changes Step, User Persisting Step Config, Start User Representation Step, mTAN Message Provider, String From Map Value Provider, Mandatory Password Change Step Config, SMS Event Subscriber (Loginapp), Disable Cronto Device Initiation Step, Email Message Provider, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Username Password Authentication Step, Certificate Credential Extraction Step Config, Set Password Step Config, Password Change Self-Service Step, SSI Verification Step, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, mTAN Self-Service Approval Step, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Delete mTAN Number Initiation Step, SSI Authentication Step, Template-based Username Transformer, Transforming Value Map Provider, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Email Event Subscriber (Loginapp), Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Airlock 2FA Mobile Only Authentication Step, Voluntary Password Change Step, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), Username Generation Step Config, Remember-Me Reset Step, Delete OAuth 2.0 Session Initiation Step, Ticket String Provider Config, OAuth 2.0 Session Reset Step, Selection Step
Properties
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.password.AdditionalPasswordCheckAttributesValueMapProviderConfig
id: AdditionalPasswordCheckAttributesValueMapProviderConfig-xxxxxx
displayName: 
comment: 
properties:

Admin Role Specific Setting

Description
Used to override certain behaviour for administrators with specified roles.
Class
com.airlock.iam.admin.application.configuration.users.AdminRoleSpecificSetting
May be used by
Properties
Required Admin Roles (requiredRoles)
Description
The roles to match the administrator's roles for selecting the settings defined in this plugin. If multiple required roles are configured, the configured "Role Specific Settings Selection" determines whether or not the roles are matching.
Attributes
String-List
Mandatory
User Data Source (userDataSource)
Description

The User Data Source to be used for administrators with matching "Required Admin Roles" configured above.

If not configured, the User Data Source from the Users Configuration is used.

Attributes
Plugin-Link
Optional
Assignable plugins
Available User Roles (availableUserRoles)
Description

Set of roles assignable to users for administrators with matching "Required Admin Roles" configured above.

Translations for the roles displayed in the Adminapp user management UI can be defined using the Adminapp translation keys roles.user.labels.[rolename].

If no roles are configured, the default user roles are used.

Attributes
String-List
Optional
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.users.AdminRoleSpecificSetting
id: AdminRoleSpecificSetting-xxxxxx
displayName: 
comment: 
properties:
  availableUserRoles:
  requiredRoles:
  userDataSource:

Admin SSO Ticket Request Authentication

Description
Extracts an SSO ticket from a request to authenticate the current session.
Class
com.airlock.iam.admin.application.configuration.credential.AdminSsoTicketRequestAuthenticationConfig
May be used by
Properties
Query Parameter Name (queryParameterName)
Description
The name of the query parameter bearing the SSO ticket to be extracted.
Attributes
String
Mandatory
Example
sso
Ticket Decoder (ticketDecoder)
Description

The ticket decoder plugin used to decode the SSO ticket.

Security note: If tickets are transported via the web browser (in the URL), they need to be protected. Make sure to use an appropriate ticket decoder securing the ticket (e.g. digitally signed and/or encrypted)!

Attributes
Plugin-Link
Mandatory
Assignable plugins
Accepted SSO Tickets Repository (acceptedSsoTicketRepository)
Description

Configures the repository used to store accepted SSO tickets and reject previously accepted ones.

The in-memory repository cannot be used if multiple instances of IAM are deployed in parallel (failover, horizontal scaling). Furthermore, the in-memory repository does not preserve previously accepted SSO tickets across IAM restarts.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Context Data Extractors (contextDataExtractors)
Description
List of ticket context data extractors that extract custom data from the ticket.
Attributes
Plugin-List
Optional
Assignable plugins
Username Key (usernameKey)
Description
The ticket key containing the username.
Attributes
String
Optional
Default value
username
Provided Username Key (providedUsernameKey)
Description

The ticket key containing the provided username, which is used for logging and possibly displayed.

This is not combinable with Username Transformation. If the ticket does not contain a provided username, the value from "Username Key" is used.

Attributes
String
Optional
Roles Key (rolesKey)
Description
The ticket key containing the user's roles. If not configured, no roles are extracted from the ticket.
Attributes
String
Optional
Example
roles
User Store (userStore)
Description
If configured, the user is loaded from local persistence and checked for validity. Authentication fails if the user is not found or is invalid. If no user store is configured, no persistency look-up takes place and the authentication is performed on data contained within the credential only.
Attributes
Plugin-Link
Optional
Assignable plugins
Username Transformation (usernameTransformers)
Description
Transforms the provided username from the credential to a technical user ID.
Attributes
Plugin-List
Optional
Assignable plugins
Static Roles (staticRoles)
Description
Static list of roles granted to the authenticated user.
Attributes
String-List
Optional
Roles Blocklist (rolesBlocklist)
Description
List of role names that won't be granted to the authenticated user. The block list is also applied to persistent roles (if available).
Attributes
String-List
Optional
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.credential.AdminSsoTicketRequestAuthenticationConfig
id: AdminSsoTicketRequestAuthenticationConfig-xxxxxx
displayName: 
comment: 
properties:
  acceptedSsoTicketRepository:
  contextDataExtractors:
  providedUsernameKey:
  queryParameterName:
  rolesBlocklist:
  rolesKey:
  staticRoles:
  ticketDecoder:
  userStore:
  usernameKey: username
  usernameTransformers:

Adminapp

Description
Configures the Adminapp module used to administrate users, credentials, and messages.
Class
com.airlock.iam.admin.app.application.configuration.Adminapp
Properties
Start Pages (startPages)
Description
The admin application page to be displayed after login. If more than one start page is configured, the system displays the first page for which the current user is authorized. If none is found, the system displays an empty page.
Attributes
String-List
Optional
Default value
[viewLog, listUsers, manageTokens]
Users (users)
Description
Defines settings related to users. This includes
  • Authentication of users
  • Management of user credentials and tokens
  • Management of users
If not provided, user management is disabled.
Attributes
Plugin-Link
Optional
Assignable plugins
Access Control (accessControl)
Description
Defines access control in the Adminapp and to the Adminapp REST API.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Maintenance Messages (maintenanceMessages)
Description
Configures the maintenance message facility of the Adminapp.
Attributes
Plugin-Link
Optional
License-Tags
MaintenanceMessages
Assignable plugins
Administrators (administrators)
Description
Defines settings related to administrators. This includes
  • Authentication of administrators
  • Authorization of administrators
  • Management of administrators (optional)
Attributes
Plugin-Link
Mandatory
Assignable plugins
Tokens (tokens)
Description
Defines settings related to tokens. This includes
  • Management of tokens
Attributes
Plugin-Link
Optional
Assignable plugins
Technical Clients (technicalClients)
Description
Defines settings related to technical clients.
Attributes
Plugin-Link
Optional
License-Tags
TechClients
Assignable plugins
REST API Configuration (rest)
Description
Enables REST services for the Adminapp.
Attributes
Plugin-Link
Optional
Assignable plugins
Gateway Settings (gatewaySettings)
Description
Settings regarding an Airlock Gateway or Airlock Microgateway reverse proxy placed in front of Airlock IAM.

If no settings are configured, extra information from the reverse proxy will not be available and it may be harder to correlate log messages that are written to different log files.

Attributes
Plugin-Link
Optional
Assignable plugins
Event Settings (eventSettings)
Description
Configures handling of events in the Adminapp.
Attributes
Plugin-Link
Optional
Assignable plugins
Log Viewer (logViewer)
Description
Configuration of the Log Viewer.
Attributes
Plugin-Link
Optional
Assignable plugins
Realm Administration (realmAdministration)
Description

Enables realm administration. This feature limits the rights of administrators to a single realm. All users that a realm administrator creates are assigned to his realm and he can only administer users of his own realm.

The assignment of a realm to an administrator requires super administrator authorization.
Attributes
Plugin-Link
Optional
Assignable plugins
Session Idle Timeout (sessionIdleTimeout)
Description
Session idle timeout for the Adminapp (including Config Editor). When IAM is deployed behind an Airlock Gateway (WAF), timeout and lifetime values should always be longer than those maintained by the Gateway.
Attributes
String
Optional
Default value
30m
Example
30m
Example
2h 15m
Session Lifetime (sessionLifetime)
Description
Session lifetime for the Adminapp (but not for the Config Editor). Unlike an idle timeout, the lifetime cannot be extended by activity and is always terminated once the lifetime has been reached. When IAM is deployed behind an Airlock Gateway (WAF), timeout and lifetime values should always be longer than those maintained by the Gateway.
Attributes
String
Optional
Default value
8h
Example
4h 30m
Example
8h
Session Cookie SameSite Policy (sameSitePolicy)
Description

Specifies the 'SameSite' cookie attribute of the IAM session cookie 'iam-session-id'. The 'Secure' attribute is automatically set based on whether the request was performed using http or https (see exception for 'None' below).

  • Strict: The cookie is not sent in cross-origin requests.
  • Lax: The cookie is sent in some cross-origin requests, such as GET requests.
  • None: The cookie is sent in cross-origin requests. In this case, the 'Secure' cookie attribute is always set, regardless of whether the request was performed using http or https. Use this setting when using SAML2 in combination with cross-domain POST Bindings.
  • No SameSite Attribute: No attribute is set. Browsers apply their default behaviour, usually 'Lax'.
Attributes
Enum
Optional
Default value
LAX
Language Settings (languageSettings)
Description
Configures language settings.
If not set, the default language is German and the allowed languages are German, English and French.
Attributes
Plugin-Link
Optional
Assignable plugins
Service Container Shared Secret (serviceContainerSharedSecret)
Description
The service container secret is used to access the service container from the Adminapp. The shared secret will be used to encrypt the SSO ticket, sent from the Adminapp to the service container in order to authenticate the admin. The shared secret must be identical to the property Service Container Shared Secret within Service Container (Advanced Settings). When not configured, no Service Container link will be displayed in Adminapp.
Attributes
String
Optional
Sensitive
State Repository (stateRepository)
Description
Defines where IAM stores all state. As long as only one instance of IAM is running (no horizontal scaling), the in-memory repository can be used.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Custom Login URL (customLoginUrl)
Description

The page displayed instead of the default login page. This can be used if authentication is done by an external service.

This value must not be URL encoded. Only URLs starting with "https://" or "http://" are treated as absolute URLs, otherwise the redirect is relative. Furthermore, if the URL starts with "app/" or "/app/" the redirect is performed within the Adminapp UI (context path not needed).

This property can be overridden by the loginUrl URL parameter (see Allowed Login URL Pattern).

Attributes
String
Optional
Example
https://another.server.com/login
Example
app/login
Example
/mycustomresource/login
After Logout URL (afterLogoutUrl)
Description

The forward page displayed after the logout if no location parameter is set.

This value must not be URL encoded. Only URLs starting with "https://" or "http://" are treated as absolute URLs, otherwise the redirect is relative. Furthermore, if the URL starts with "app/" or "/app/" the redirect is performed within the Adminapp UI (context path not needed).

This property can be overridden by the afterLogout URL parameter (see Allowed After Logout URL Pattern).

Attributes
String
Optional
Default value
app/login
Example
https://another.server.com/logout-disclaimer
Example
app/login
Example
/mycustomresource/logout-disclaimer
Allowed Login URL Pattern (allowedLoginUrlPattern)
Description

A regular expression describing the Login URLs that are allowed to be sent to IAM in the loginUrl URL parameter.

A matching URL will be used to redirect users who have not yet authenticated or whose session has expired. If no pattern is configured, no URL will match. Matching URLs will have precedence over the URL configured in Custom Login URL.

Attributes
RegEx
Optional
Allowed After Logout URL Pattern (allowedAfterLogoutUrlPattern)
Description

A regular expression describing the Logout URLs that are allowed to be sent to IAM in the afterLogoutUrl URL parameter.

A matching URL will be used to redirect the user after a successful logout in IAM. If no pattern is configured, no URL will match. Matching URLs will have precedence over the URL configured in After Logout URL.

Attributes
RegEx
Optional
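
Added example (not Airlock IAM code, not part of this reference) covering the Custom Login URL / After Logout URL classification above and the precedence of the two allowed-URL patterns over the configured value; the pattern, the hostnames and the use of re.fullmatch are the example's own assumptions.

```python
import re
from typing import Optional
from urllib.parse import unquote


def classify_redirect(url: str) -> str:
    """How the page says a configured URL is interpreted: absolute only with an
    http(s):// prefix, Adminapp-internal for app/ or /app/, relative otherwise."""
    if url.startswith("https://") or url.startswith("http://"):
        return "absolute"
    if url.startswith("app/") or url.startswith("/app/"):
        return "adminapp-internal"
    return "relative"


def looks_url_encoded(url: str) -> bool:
    """Both properties must not be URL encoded; a value that changes when
    decoded is a sign that it was."""
    return unquote(url) != url


def resolve_redirect(url_param: Optional[str], allowed_pattern: Optional[str],
                     configured_url: Optional[str]) -> Optional[str]:
    """Precedence as documented: a URL parameter matching the configured pattern
    wins; otherwise the configured URL; otherwise None (the built-in page).
    With no pattern configured, no parameter value matches. This example
    anchors the pattern with re.fullmatch; whether IAM matches the full string
    is not stated on this page, so that choice is the example's own."""
    if url_param and allowed_pattern and re.fullmatch(allowed_pattern, url_param):
        return url_param
    return configured_url or None


# Constructed configuration values (hostnames are placeholders).
ALLOWED_LOGIN_PATTERN = r"https://sso\.example\.test/[^?#]*"
CUSTOM_LOGIN_URL = "app/login"


def resolve_login(login_url_param: Optional[str]) -> Optional[str]:
    """Apply the constructed login configuration to a loginUrl parameter value."""
    return resolve_redirect(login_url_param, ALLOWED_LOGIN_PATTERN, CUSTOM_LOGIN_URL)


if __name__ == "__main__":
    for candidate in ("https://sso.example.test/login",
                      "https://sso.example.test.other.example/login",
                      "/mycustomresource/login", None):
        print(candidate, "->", resolve_login(candidate))
```

The same function serves the afterLogoutUrl parameter with Allowed After Logout URL Pattern and After Logout URL as inputs.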
Skin Color (skin)
Description
The skin of the Adminapp. This configuration may be overridden by the skin URL parameter, if the property "Allow Skin URL Parameter" is enabled.
Attributes
String
Optional
Default value
blue
Allowed values
blue, green, red, orange, violet, purple, grey, black
Allow Skin URL Parameter (skinFromParamAllowed)
Description
Enables overriding the Adminapp skin with the skin URL parameter.
Attributes
Boolean
Optional
Default value
false
Custom Instance Tag (instanceTag)
Description
Labels the instance with a custom tag that is displayed in the Adminapp. This can be used in combination with the 'Skin Color' property to visually identify an instance.
Attributes
String
Optional
Content Security Policy (CSP) (contentSecurityPolicy)
Description
Content Security Policy (CSP) for the Adminapp.

Neither the Config Editor nor the Service Container are covered by this CSP.

Attributes
Plugin-Link
Optional
Assignable plugins
License and Usage Analytics (licenseAnalytics)
Description

Configures the settings for license and usage analytics.

If undefined, no data will be sent.

Attributes
Plugin-Link
Optional
Assignable plugins
Log User Trail To Database (logUserTrailToDatabase)
Description

Configures the database settings to use when persisting user trail log entries.

If this value is defined, then all user trail log messages generated by the Adminapp module will additionally be forwarded to the database configured within the referenced repository plugin.

All forwarded log entries are stored inside the table "USER_TRAIL_LOG". Note that setting this value does not disable writing log messages to the Adminapp log file.

Attributes
Plugin-Link
Optional
Assignable plugins
Correlation ID Settings (correlationIdSettings)
Description

Defines settings for correlation ID transfer and logging inside the Adminapp module.

If undefined, no correlation ID will be logged for this module.

Attributes
Plugin-Link
Optional
Assignable plugins
Custom Extensions (customExtensions)
Description
Custom extensions for the Adminapp.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.admin.app.application.configuration.Adminapp
id: Adminapp-xxxxxx
displayName: 
comment: 
properties:
  accessControl:
  administrators:
  afterLogoutUrl: app/login
  allowedAfterLogoutUrlPattern:
  allowedLoginUrlPattern:
  contentSecurityPolicy:
  correlationIdSettings:
  customExtensions:
  customLoginUrl:
  eventSettings:
  gatewaySettings:
  instanceTag:
  languageSettings:
  licenseAnalytics:
  logUserTrailToDatabase:
  logViewer:
  maintenanceMessages:
  realmAdministration:
  rest:
  sameSitePolicy: LAX
  serviceContainerSharedSecret:
  sessionIdleTimeout: 30m
  sessionLifetime: 8h
  skin: blue
  skinFromParamAllowed: false
  startPages: [viewLog, listUsers, manageTokens]
  stateRepository:
  technicalClients:
  tokens:
  users:

Adminapp Content Security Policy

Description
Enables a Content Security Policy (CSP) for the Adminapp.

Neither the Config Editor nor the Service Container are covered by this CSP.

Class
com.airlock.iam.admin.application.configuration.csp.AdminappContentSecurityPolicyConfig
May be used by
Properties
Content Security Policy (contentSecurityPolicy)
Description
This property can be used to define a custom policy.

The default policy requires a nonce to be inserted into script tags. Script tags that do not include a nonce will be blocked.

The placeholder '${cspNonce}' in the policy will be replaced with a fresh, randomly generated nonce for each request. The same nonce must be present in all policy relevant tags that were generated by a specific request.

Known use cases requiring CSP customization

  • IAM is embedded in an (i)frame: frame-ancestors directive must be relaxed.

Security Warning: The default CSP was designed to offer a good level of security and maintainability. The CSP is validated to work with IAM (see limitations above). Defining a custom CSP may reduce the level of security and may lead to browsers blocking IAM pages. Therefore, the security benefits of a custom policy must be evaluated carefully and IAM must be tested to work with the policy.

Attributes
String
Optional
Default value
default-src 'self'; object-src 'none'; script-src ${cspNonce} 'strict-dynamic' 'self'; img-src 'self' data:; connect-src 'self'; base-uri 'self'; frame-ancestors 'none';
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.csp.AdminappContentSecurityPolicyConfig
id: AdminappContentSecurityPolicyConfig-xxxxxx
displayName: 
comment: 
properties:
  contentSecurityPolicy: default-src 'self'; object-src 'none'; script-src ${cspNonce} 'strict-dynamic' 'self'; img-src 'self' data:; connect-src 'self'; base-uri 'self'; frame-ancestors 'none';
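
As an added illustration (not code from Airlock IAM or from this reference), the following Python renders the default policy above for one request, audits a custom policy for the weakenings the security warning mentions, and checks a constructed page for script tags the browser would block. It assumes the placeholder is replaced by the full source expression 'nonce-<value>'; the nonce generator and the audit rules are the example's own.

```python
import base64
import re
import secrets
from string import Template

# Default Adminapp policy as given on this page. '${cspNonce}' is the
# per-request placeholder; the rest is a normal CSP source list.
DEFAULT_POLICY = (
    "default-src 'self'; object-src 'none'; "
    "script-src ${cspNonce} 'strict-dynamic' 'self'; img-src 'self' data:; "
    "connect-src 'self'; base-uri 'self'; frame-ancestors 'none';"
)


def new_nonce() -> str:
    """Fresh 128-bit random nonce, Base64-encoded (constructed generator;
    the page does not show how IAM produces its nonce)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def render_policy(policy: str, nonce: str) -> str:
    """Replace the placeholder for one request. Assumption: the substituted
    text is the complete source expression 'nonce-<value>', which is the form
    a browser needs in script-src."""
    return Template(policy).substitute(cspNonce=f"'nonce-{nonce}'")


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split a policy string into {directive: [sources]}."""
    directives: dict[str, list[str]] = {}
    for raw in policy.split(";"):
        parts = raw.split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives


def audit_policy(policy: str) -> list[str]:
    """Flag customizations that give up what the default policy provides:
    the nonce dropped from script-src, 'unsafe-inline' scripts, or
    frame-ancestors opened up (legitimate only for the documented iframe case)."""
    d = parse_policy(policy)
    script_src = d.get("script-src", d.get("default-src", []))
    findings = []
    if "${cspNonce}" not in script_src:
        findings.append("script-src lacks ${cspNonce}: per-request nonce control is lost")
    if "'unsafe-inline'" in script_src:
        findings.append("script-src allows 'unsafe-inline'")
    if d.get("frame-ancestors") != ["'none'"]:
        findings.append("frame-ancestors is not 'none': IAM pages may be framed")
    return findings


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r"""\bnonce\s*=\s*["']([^"']*)["']""", re.IGNORECASE)


def scripts_without_nonce(html: str, nonce: str) -> list[str]:
    """Opening <script> tags a browser would block under the rendered policy:
    no nonce attribute, or a nonce that is not this request's nonce."""
    blocked = []
    for tag in SCRIPT_TAG.finditer(html):
        attr = NONCE_ATTR.search(tag.group(1))
        if attr is None or attr.group(1) != nonce:
            blocked.append(tag.group(0))
    return blocked


def demo() -> tuple[str, list[str]]:
    """Render the default policy for one request and check a constructed page."""
    nonce = new_nonce()
    html = (
        f'<script nonce="{nonce}" src="/app/main.js"></script>\n'
        '<script>document.title = "no nonce";</script>\n'  # constructed: would be blocked
    )
    return render_policy(DEFAULT_POLICY, nonce), scripts_without_nonce(html, nonce)


if __name__ == "__main__":
    header, blocked = demo()
    print("Content-Security-Policy:", header)
    print("blocked script tags:", blocked)
```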

Adminapp Event Settings

Description
Event settings for the Adminapp.
Class
com.airlock.iam.admin.application.configuration.event.AdminappEventSettingsConfig
May be used by
Properties
Event Subscribers (eventSubscribers)
Description
List of event subscribers.
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.event.AdminappEventSettingsConfig
id: AdminappEventSettingsConfig-xxxxxx
displayName: 
comment: 
properties:
  eventSubscribers:

Adminapp Language Settings

Description
Configures the language settings of the Adminapp.
Class
com.airlock.iam.admin.application.configuration.AdminappLanguageSettings
May be used by
Properties
Valid Languages (validLanguages)
Description
A list of values that are accepted as language parameter values. Corresponding Locales must be available. If the requested language is not in the list, the default language is used. The values in the list are not case-sensitive.
Attributes
String-List
Optional
Default value
[de, fr, en]
Default Language (defaultLanguage)
Description
The default language code used when no (or no valid) information about the current language is present. A corresponding Locale must be available.
Attributes
String
Optional
Default value
de
Suggested values
de, fr, en
Resources File Prefix (resourcesFilePrefix)
Description
Language dependent string resources for server-side translation (e.g. for emails and SMS) are located in property files. This setting configures the prefix of these property files.

Example: If the value of this property is strings, the language dependent files must be "strings_de.properties", "strings_en.properties" and so on and the default file must be "strings.properties".

Attributes
String
Optional
Default value
strings
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.AdminappLanguageSettings
id: AdminappLanguageSettings-xxxxxx
displayName: 
comment: 
properties:
  defaultLanguage: de
  resourcesFilePrefix: strings
  validLanguages: [de, fr, en]

Adminapp REST API Configuration

Description
Configures the Adminapp REST interface.
Class
com.airlock.iam.admin.application.configuration.AdminappRestConfig
May be used by
Properties
SMS Service Settings (smsServiceConfig)
Description
Configures functionality for sending SMS.
Attributes
Plugin-Link
Optional
Assignable plugins
Request Authentication (requestAuthentication)
Description
Determines how a credential is extracted and used to authenticate single requests.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Hash Shared Secret (hashSharedSecret)
Description
The shared secret to be included in the hashed information.

Can be used together with the 'Hash Function' to externalize session information to the client.

Attributes
String
Optional
Sensitive
CORS Settings (corsSettings)
Description
The settings to allow cross-domain REST calls.
Attributes
Plugin-Link
Optional
Assignable plugins
CSRF Protection (csrfProtection)
Description

If enabled, REST endpoints are protected against CSRF attacks.

With this protection, the REST API only accepts requests that contain the custom header X-Same-Domain with an arbitrary non-empty value. In cross-origin resource sharing (CORS), such requests are not considered simple requests and thus must always be preceded by a preflight request, which prevents cross-site request forgery (CSRF) attacks.

Security warning: Disabling this feature may allow CSRF attacks. Only do so if the REST client is unable to comply with the aforementioned restrictions.

Attributes
Boolean
Optional
Default value
true
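
The X-Same-Domain mechanism, as an added example that is not part of this reference or of Airlock IAM: the CORS simple-request rules that make a custom header force a preflight, next to the documented acceptance rule, run over constructed sample requests (header values and the browser-managed header set are the example's own).

```python
# CORS "simple request" rules from the Fetch standard: a request whose method
# and author-set headers all fall inside these sets is sent cross-origin
# without a preflight. Anything else (such as a custom X-Same-Domain header)
# makes the browser send an OPTIONS preflight first, which a foreign origin
# cannot get past without an explicit CORS allowance from the server.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
# Headers the browser sets itself; they never trigger a preflight (constructed set).
BROWSER_MANAGED = {"cookie", "host", "origin", "referer", "user-agent", "content-length",
                   "accept-encoding", "connection"}

SAME_DOMAIN_HEADER = "X-Same-Domain"


def _lower(headers: dict[str, str]) -> dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def is_simple_request(method: str, headers: dict[str, str]) -> bool:
    """True if a browser would send this request cross-origin without a preflight."""
    h = _lower(headers)
    if method.upper() not in SIMPLE_METHODS:
        return False
    if any(n not in SAFELISTED_HEADERS and n not in BROWSER_MANAGED for n in h):
        return False
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    return ctype == "" or ctype in SIMPLE_CONTENT_TYPES


def check_csrf_header(method: str, headers: dict[str, str],
                      csrf_protection: bool = True) -> tuple[bool, str]:
    """The documented rule: with csrfProtection enabled, accept only requests
    carrying X-Same-Domain with a non-empty value."""
    if not csrf_protection:
        return True, "csrfProtection=false: no header required (CSRF possible)"
    if not _lower(headers).get(SAME_DOMAIN_HEADER.lower(), "").strip():
        return False, f"missing or empty {SAME_DOMAIN_HEADER}"
    return True, f"{SAME_DOMAIN_HEADER} present; a foreign origin would have needed a preflight"


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "form-post-from-foreign-page": ("POST", {"Content-Type": "application/x-www-form-urlencoded",
                                             "Cookie": "iam-session-id=sessionvalue"}),
    "json-from-rest-client": ("POST", {"Content-Type": "application/json",
                                       "X-Same-Domain": "1",
                                       "Cookie": "iam-session-id=sessionvalue"}),
    "get-with-empty-header": ("GET", {"X-Same-Domain": " "}),
}


def evaluate_all(csrf_protection: bool = True) -> dict[str, dict[str, object]]:
    """For each sample: is it a 'simple' (non-preflighted) request, and is it accepted?"""
    report = {}
    for name, (method, headers) in SAMPLE_REQUESTS.items():
        accepted, reason = check_csrf_header(method, headers, csrf_protection)
        report[name] = {"simple": is_simple_request(method, headers),
                        "accepted": accepted, "reason": reason}
    return report


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name}: {result}")
```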
Username Transformation (usernameTransformers)
Description
Transforms user name aliases in REST resource URLs into real user names.
Attributes
Plugin-List
Optional
Assignable plugins
Link Response Rewriting Enabled (linkResponseRewritingEnabled)
Description
Enables rewriting of links in REST responses. If rewriting is disabled or cannot be done correctly due to missing information, the internal URI is written to the response.

If a 'Base URI' is configured, links are rewritten according to the configured value. Otherwise, links are rewritten according to the external view provided by the WAF (if configured and a WAF environment cookie is present).

Attributes
Boolean
Optional
Default value
true
Base URI (baseUri)
Description
Allows to change the base URI for all links in REST responses.

This property is useful in test environments where you want links contained in REST responses to be relative to the configured base URI. Note that configuring this property will take precedence over link rewriting based on the WAF environment cookie.

Example:

  • Property value: http://myhost:8090/test
  • The response from the REST call to /<adminapp-uri>/rest/maintenance-messages will contain a link to http://myhost:8090/test/rest/maintenance-messages.

Attributes
String
Optional
Example
https://myhost:8090/test
Default Page Size (defaultPageSize)
Description
The number of records returned by a resource if the page size is not explicitly specified in the request by the page[limit] query parameter. Must be greater than 0 and smaller than or equal to the 'Max Page Size'.
Attributes
Integer
Optional
Default value
500
Max Page Size (maxPageSize)
Description
The maximum number of records returned by a pageable resource. Must be greater than or equal to the 'Default Page Size'. This parameter also limits the maximum number of displayed results in some searches of the Adminapp.
Attributes
Integer
Optional
Default value
5000
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.AdminappRestConfig
id: AdminappRestConfig-xxxxxx
displayName: 
comment: 
properties:
  baseUri:
  corsSettings:
  csrfProtection: true
  defaultPageSize: 500
  hashFunction:
  hashSharedSecret:
  linkResponseRewritingEnabled: true
  maxPageSize: 5000
  requestAuthentication:
  smsServiceConfig:
  usernameTransformers:

Administrators Configuration

Description
Configuration of administrators, i.e. authentication, authorization and management of administrators.
Class
com.airlock.iam.admin.application.configuration.administrators.AdministratorsConfiguration
May be used by
Properties
Password Policy (passwordPolicy)
Description
Defines a password policy that must be passed when the administrator chooses a new password.
Attributes
Plugin-Link
Optional
Assignable plugins
SSO Ticket Authentication (ssoTicketAuthentication)
Description

If specified, ticket-based single sign-on (SSO) is enabled for the Adminapp: Externally authenticated administrators may access the Adminapp without additional login, provided they bring a valid SSO ticket. The ticket is passed to the Adminapp as URL parameter.

Attributes
Plugin-Link
Optional
Assignable plugins
Administrators Management (administratorsManagement)
Description
Configures the management of administrators.
Attributes
Plugin-Link
Optional
Assignable plugins
Username Transformation (usernameTransformers)
Description

Username transformation enables authentication with an alias name, by transforming the name entered into the login form to the internal user ID.

The username transformation configured here is only applied to the interactive username/password login.

Transformers can be chained, e.g. a first transformer could normalize the entered name, and the next transformer would then search for a user with a matching context-data field. A transformer can also signal that it already found the final user ID and that no further transformations should be performed.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.administrators.AdministratorsConfiguration
id: AdministratorsConfiguration-xxxxxx
displayName: 
comment: 
properties:
  administratorsManagement:
  authenticator:
  passwordPolicy:
  passwordService:
  ssoTicketAuthentication:
  usernameTransformers:

Administrators Management

Description
Configuration of administrators in the Adminapp.
Class
com.airlock.iam.admin.application.configuration.administrators.AdministratorsManagement
May be used by
Properties
Enforce Role Combinations (enforceRoleCombinations)
Description
If enabled, role combinations can be defined. The system then enforces that only one role combination can be chosen. If disabled, roles can arbitrarily be assigned. However, the configuration of role combinations is not allowed.
Attributes
Boolean
Optional
Default value
true
Assignable Role Combinations (assignableRoleCombinations)
Description

Defines a list of roles (or combination of roles). Only the specified roles (or combination of roles) can be assigned to the administrators.

Role combinations are specified using comma-separated entries (e.g. "useradmin,tokenadmin"). These combinations can only be assigned to or removed from an admin together. At least one role (or combination of roles) must contain the "superadmin" role.

Translations for the roles displayed in the administrators management UI can be defined using the Adminapp translation keys roles.admin.labels.[rolename], where [rolename] is one of the entries. E.g.:

  • roles.admin.labels.useradmin = User Admin
  • roles.admin.labels.useradmin,tokenadmin = Special Admin

Attributes
String-List
Mandatory
Privilege Escalation Protected Admin Roles (PEPAR) (privilegeEscalationProtectedAdminRoles)
Description

Defines a list of protected roles. Operations on an administrator with one of these roles can only be performed by another administrator that also has at least one of these roles assigned.

Each entry contains a single role.

Attributes
String-List
Optional
Super Admin Role (superAdminRole)
Description
Defines the name of the "superadmin" role. Access control must be configured accordingly to define the allowed actions of this role.
Attributes
String
Mandatory
Suggested values
superadmin
Password Generator (passwordGenerator)
Description
Plugin used to generate passwords for administrators. It defines the length and the characters of the generated passwords.
Attributes
Plugin-Link
Optional
Assignable plugins
Password Hash Function (passwordHashFunction)
Description
The hash function used to store the password. Make sure it is the same as used when verifying the password.

NOTE: Some password hashes, such as SHA 256 Password Hash or Scrypt Password Hash, produce binary output. If one of these is used, make sure the persistence layer supports binary data in the hash field and the corresponding persistence plugins (e.g. Database User Store or Ldap Connector) are configured to treat hash values as binary values.
In case the persistence layer expects a string, encode the password hash by wrapping it with an encoder. To achieve this, use the Password Hash Configuration plugin and specify the hash function (such as Scrypt Password Hash) together with the desired encoder. We recommend using the Base64 Password Hash Encoder.

Attributes
Plugin-Link
Optional
Assignable plugins
Columns In Admin List (columnsInAdminList)
Description
The property names and labels of context data to be displayed on the admin list page. Usually, this is the first and last name of the administrator.

The data for the columns is taken from the context data container of the available administrators. The configuration of the used admin persister must include the context data properties referenced here.

The columns are displayed in addition to the following columns:

  • username
  • assigned roles
  • locked flag

Attributes
Plugin-List
Optional
Assignable plugins
Rows On Admin Detail Page (rowsOnAdminDetailPage)
Description
The property names and labels of context data to be displayed on the admin detail page.

The data is taken from the context data container of the selected administrator. The configuration of the used admin persister must include the context data properties referenced here.

Attributes
Plugin-List
Optional
Assignable plugins
Admin User Store (adminUserStore)
Description
User store to manage administrator data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Lock Reasons (lockReasons)
Description
Lock reasons listed in this property define the options selectable by an administrator when locking an administrator manually. Any string can be used to identify a lock reason. The following is a set of predefined lockout reasons:
  • LockReason.TooManyLoginFailed = Too many login failed
  • LockReason.InitialPasswordExpired = Initial password expired
  • LockReason.MaxWrongOldPassword = Wrong old password
  • LockReason.InitiatedByUser = Initiated by user
  • LockReason.InitiatedByAdmin = Initiated by administrator
Attributes
String-List
Optional
Default value
[LockReason.InitiatedByAdmin]
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.administrators.AdministratorsManagement
id: AdministratorsManagement-xxxxxx
displayName: 
comment: 
properties:
  adminUserStore:
  assignableRoleCombinations:
  columnsInAdminList:
  enforceRoleCombinations: true
  lockReasons: [LockReason.InitiatedByAdmin]
  passwordGenerator:
  passwordHashFunction:
  privilegeEscalationProtectedAdminRoles:
  rowsOnAdminDetailPage:
  superAdminRole:

Advanced Location Interpreter Config

Description
Highly customizable plugin to transform the given URI and potentially extract a value by applying the following procedure:
  1. The optional "URI Transformers" are called in the configured order to transform the URI into a new URI. The output of a preceding transformer is used as the input of the subsequent transformer. If a URI transformer returns a veto, the default value configured in this plugin is used as the resulting value.
    These plugins perform generic transformations on the URI, such as regular expression replacements or using a query parameter as the new URI.
  2. The optional "Value Extractors" are then called in the configured order to extract a string value from the (potentially transformed) URI. The first extractor able to return a non-empty value stops the chain. If no extractor returns a non-empty value, the whole URI is passed on unchanged.
    These extractors are used to extract a query parameter or a path segment containing the target value.
  3. Finally, the optional "String Transformers" are called in the configured order to transform the extracted string. The output of the preceding transformer is used as the input of the subsequent transformer. If a string transformer returns a veto, the default value configured in this plugin is used as the overall value.
    They can be used to normalize values, for example to convert the string to lowercase or to convert values from one format to another (e.g. 'GER' to 'de').
Class
com.airlock.iam.login.application.configuration.location.interpret.AdvancedLocationInterpreterConfig
May be used by
Properties
Default Value (defaultValue)
Description
The default value to be returned if a transformer produces a veto.
Attributes
String
Optional
URI Transformers (uriTransformers)
Description
The chain of URI transformers that transform the original URI.
Attributes
Plugin-List
Optional
Assignable plugins
Value Extractors (valueExtractors)
Description
The extractors that extract string values from the transformed URI. The result of the first extractor returning a non-empty value is used.
Attributes
Plugin-List
Optional
Assignable plugins
String Transformers (stringTransformers)
Description
The chain of string transformers that transform the extracted string value to the final interpretation result.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.location.interpret.AdvancedLocationInterpreterConfig
id: AdvancedLocationInterpreterConfig-xxxxxx
displayName: 
comment: 
properties:
  defaultValue:
  stringTransformers:
  uriTransformers:
  valueExtractors:
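
Added example implementing the three-stage procedure described above in Python; the transformer and extractor stand-ins (regex replacement, query parameter as new URI, query parameter and path segment extraction, lowercasing, value mapping), the sample URIs and the language mapping are constructed for this example and are not Airlock IAM's plugins.

```python
import re
from typing import Callable, Optional, Sequence, Union
from urllib.parse import parse_qs, urlsplit


class Veto:
    """Returned by a transformer instead of a value: the chain stops and the
    plugin's Default Value becomes the result."""


VETO = Veto()
Transformer = Callable[[str], Union[str, Veto]]
Extractor = Callable[[str], Optional[str]]


def interpret(uri: str, *, uri_transformers: Sequence[Transformer] = (),
              value_extractors: Sequence[Extractor] = (),
              string_transformers: Sequence[Transformer] = (),
              default_value: Optional[str] = None) -> Optional[str]:
    """The three documented stages, applied in order."""
    # 1. URI transformers: each output feeds the next; a veto yields the default.
    for transform in uri_transformers:
        result = transform(uri)
        if isinstance(result, Veto):
            return default_value
        uri = result
    # 2. Value extractors: the first non-empty value wins; none -> the whole URI.
    value: Optional[str] = None
    for extract in value_extractors:
        value = extract(uri)
        if value:
            break
    if not value:
        value = uri
    # 3. String transformers: same chaining and veto rule as stage 1.
    for transform in string_transformers:
        result = transform(value)
        if isinstance(result, Veto):
            return default_value
        value = result
    return value


# Constructed stand-ins for the plugin kinds the page mentions; not IAM's own.
def regex_replace(pattern: str, replacement: str) -> Transformer:
    rx = re.compile(pattern)
    return lambda uri: rx.sub(replacement, uri)

def _query_param(uri: str, name: str) -> Optional[str]:
    values = parse_qs(urlsplit(uri).query).get(name)
    return values[0] if values else None

def query_param_as_uri(name: str) -> Transformer:
    """Use a query parameter as the new URI; veto when it is absent."""
    def transform(uri: str) -> Union[str, Veto]:
        target = _query_param(uri, name)
        return target if target is not None else VETO
    return transform

def query_param(name: str) -> Extractor:
    return lambda uri: _query_param(uri, name)

def path_segment(index: int) -> Extractor:
    def extract(uri: str) -> Optional[str]:
        segments = [s for s in urlsplit(uri).path.split("/") if s]
        return segments[index] if index < len(segments) else None
    return extract

def mapping(table: dict[str, str]) -> Transformer:
    """Map known values; veto unknown ones so the default applies."""
    return lambda value: table.get(value, VETO)


LANGUAGE_MAP = {"ger": "de", "de": "de", "fr": "fr", "en": "en"}  # constructed

def interpret_language(uri: str) -> Optional[str]:
    """Language from ?lang=..., else from the second path segment, normalized."""
    return interpret(
        uri,
        uri_transformers=[regex_replace(r"/+$", "")],
        value_extractors=[query_param("lang"), path_segment(1)],
        string_transformers=[str.lower, mapping(LANGUAGE_MAP)],
        default_value="en",
    )


if __name__ == "__main__":
    for u in ("https://iam.example.test/login/GER/?lang=FR",
              "https://iam.example.test/login/GER/",
              "https://iam.example.test/login/XX/"):
        print(u, "->", interpret_language(u))
```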

Advanced Migration Selection Option

Description
Advanced configuration of a migration subflow. The condition and all steps (including the "Complete Migration Step", if needed) must be configured manually.
Class
com.airlock.iam.authentication.application.configuration.migration.AdvancedMigrationSelectionOptionConfig
May be used by
Properties
Option Name (optionName)
Description

Name of the selection option for this migration subflow.

This includes POST /<loginapp-uri>/rest/public/authentication/migration/options/retrieve and POST /<loginapp-uri>/rest/public/authentication/migration/options/<id>/select

Attributes
String
Mandatory
Validation RegEx: [A-Za-z0-9_-]+
Suggested values
MIGRATE_NOW, SPECIAL, MTAN, CRONTO
Steps (steps)
Description
Steps of this subflow. A "Complete Migration Step" must be configured manually, if needed.
Attributes
Plugin-List
Mandatory
Assignable plugins
  • Abort Step
  • Acknowledge Message Step
  • Airlock 2FA Activation Letter Order Step
  • Airlock 2FA Activation Step
  • Airlock 2FA Activation Step (with additional Activation)
  • Airlock 2FA Activation Trusted Session Binding Step
  • Airlock 2FA Authentication Step
  • Airlock 2FA Delete Devices Step
  • Airlock 2FA Device Edit Step
  • Airlock 2FA Mobile Only Authentication Step
  • Airlock 2FA Recovery Trusted Session Binding Step
  • Airlock 2FA Usernameless Authentication Step
  • Apply Changes Step
  • Complete Migration Step
  • Cronto Activation Step
  • Cronto Authentication Step
  • Cronto Device Reset Step Config
  • Cronto Letter Order Step Config
  • CrontoSign Swiss Push Activation Step
  • Device Token Authentication Step
  • Device Token Registration Step
  • Email Change Verification Step
  • Email Notification Step
  • Email OTP Authentication Step
  • FIDO Authentication Step
  • FIDO Credential Display Name Change Step
  • FIDO Passwordless Authentication Step
  • FIDO Registration Step
  • Failure Step
  • HTTP Basic Authentication Step
  • Kerberos Authentication Step
  • Legacy Email OTP Authentication Step
  • Login From New Device Step
  • Mandatory Password Change Step Config
  • Matrix Authentication Step
  • Migration Selection Step
  • Missing Account Link Step
  • Never Migrate Step
  • No Operation Step
  • OATH OTP Activation Step
  • OATH OTP Authentication Step
  • OAuth 2.0 Consent Step
  • OAuth 2.0 SSO Step
  • OAuth 2.0 Session Reset Step
  • OTP Check via RADIUS Step
  • Password-only Authentication Step
  • Red Flag Raising Step Config
  • Remember-Me Reset Step
  • Remember-Me Token Generating Step
  • Remember-Me User Identifying Step
  • Representation SSO Ticket Identifying Step
  • Risk Assessment Step
  • Role-based Tag Acquisition Step
  • SAML 2.0 SP User Identifying Step
  • SSI Authentication Step
  • SSI Issuance Step
  • SSI Passwordless Authentication Step
  • SSI Verification Step
  • SSO Ticket Authentication Step
  • Scriptable Step
  • Secret Questions Provisioning Step
  • Selection Step
  • Set Context Data Step
  • Set Password Step Config
  • Tag Removal Step Config
  • Terms Of Services Step
  • User Data Edit Step
  • User Identification By Data Step
  • User Identification Step
  • Username Password Authentication Step
  • Vasco OTP Authentication Step
  • Voluntary Password Change Step
  • mTAN Authentication Step
  • mTAN Token Registration Step
  • mTAN Verification Step
Condition (condition)
Description
Condition that determines whether this migration subflow is available or not.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.migration.AdvancedMigrationSelectionOptionConfig
id: AdvancedMigrationSelectionOptionConfig-xxxxxx
displayName: 
comment: 
properties:
  condition:
  optionName:
  steps:

AES 128 GCM State Encryption

Description

State encryption that uses AES/GCM with 128-bit keys to encrypt all values stored in the state repository.

Class
com.airlock.iam.common.application.configuration.state.Aes128GcmStateEncryptionConfig
May be used by
Properties
Secret Key (secretKey)
Description
Key used for encryption and decryption, 128 bit encoded in Base64.

A random Base64 string with 128 bits (16 bytes) can be generated e.g. using openssl as follows: openssl rand -base64 16

CAUTION: Once the key has been set and used for encryption, it must not be changed. Data encrypted with a different key cannot be recovered.

Attributes
String
Mandatory
Sensitive
Length >= 8
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.state.Aes128GcmStateEncryptionConfig
id: Aes128GcmStateEncryptionConfig-xxxxxx
displayName: 
comment: 
properties:
  secretKey:

AES256 Decryption Ticket Decoder

Description
Decodes the ticket produced by the AES256 Encryption Ticket Encoder plugin.
Class
com.airlock.iam.core.misc.util.ticket.codec.AES256DecryptionTicketDecoder
May be used by
License-Tags
SSOTickets
Properties
Password (password)
Description
Specifies the password used to decrypt the ticket.
Attributes
String
Mandatory
Sensitive
Length >= 4
License-Tags
SSOTickets
Require Authenticated Encryption (requireAuthenticatedEncryption)
Description
If integrity matters, tickets that are not authenticated-encrypted with GCM should be rejected. Only for backward compatibility does the decoder not enforce GCM mode on incoming tickets. If this flag is set to false, the decoder also accepts tickets that were encrypted without authentication, using CBC mode. Such tickets can be altered without detection, which is a threat whenever a ticket is exposed to an attacker.

If possible this flag should be enabled.

The AES256EncryptionTicketEncoder uses the GCM Mode by default.
Attributes
Boolean
Optional
License-Tags
SSOTickets
Default value
true
Max PBKDF2 Iterations (maxPBKDF2Iterations)
Description
Specifies the maximum number of PBKDF2 iterations allowed for decryption. Choose this maximum as small as possible. Allowing a large number of iterations may require a considerable amount of computing time when decoding the ticket.
Attributes
Integer
Optional
License-Tags
SSOTickets
Default value
32000
YAML Template (with default values)

type: com.airlock.iam.core.misc.util.ticket.codec.AES256DecryptionTicketDecoder
id: AES256DecryptionTicketDecoder-xxxxxx
displayName: 
comment: 
properties:
  maxPBKDF2Iterations: 32000
  password:
  requireAuthenticatedEncryption: true

AES256 Encryption Ticket Encoder

Description
Encodes the ticket and encrypts the contents with a password.

The key-value pairs are first encoded as described in KeyMultiValue, the expiry timestamp is added and then encrypted using a password based encryption scheme with salt. The resulting ticket value is the base-64 representation of the ciphertext.

Class
com.airlock.iam.core.misc.util.ticket.codec.AES256EncryptionTicketEncoder
May be used by
Properties
Password (password)
Description
Specifies the password used to encrypt the ticket.
Attributes
String
Mandatory
Sensitive
Length >= 4
Require Authenticated Encryption (requireAuthenticatedEncryption)
Description
By default, password-based encryption uses GCM mode, which provides authenticated encryption. If this flag is disabled, the legacy CBC mode is used. CBC mode does not provide authenticity (the ticket can be altered without detection) and is only kept for backward compatibility in cases where the ticket is decrypted by an external system.

If possible this flag should be enabled.

Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.core.misc.util.ticket.codec.AES256EncryptionTicketEncoder
id: AES256EncryptionTicketEncoder-xxxxxx
displayName: 
comment: 
properties:
  password:
  requireAuthenticatedEncryption: true

Age Check Password Policy

Description
A password policy check that requires the existing password to have reached a minimum age before a new password can be set. This prevents users from cycling through passwords in quick succession, e.g. to get past a password history check.

Note: This plugin only checks the minimum age of the current password if this information is available in the user data (latest-password-change-timestamp). Whether this is the case may depend on the configuration of the underlying user persister.

Note: This check should not be performed if the user is forced to change the password.

Class
com.airlock.iam.core.misc.impl.authen.PwdPolicyAgeCheck
May be used by
Properties
Minimum password age [secs] (minRequiredPasswordAge)
Description
The minimum required age of the old (current) password in seconds before a new may be set.
Attributes
Integer
Mandatory
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.PwdPolicyAgeCheck
id: PwdPolicyAgeCheck-xxxxxx
displayName: 
comment: 
properties:
  minRequiredPasswordAge:

Aggregate Report

Description
An aggregation report over several reports of a task. It uses an aggregation strategy to create the parameter map passed into the report renderer that generates this aggregate report.
Class
com.airlock.iam.core.misc.util.report.aggregation.AggregateReport
May be used by
Properties
File Name Prefix (fileNamePrefix)
Description
Filename prefix for rendered report files.

The prefix "aggregate-" is used if none is defined.

The generated name is -timestamp[.]
Attributes
String
Optional
Default value
aggregate-
Example
aggregate-
Example
swissPostSummary-
File Name Suffix (fileNameSuffix)
Description
Filename suffix for rendered report files.
Attributes
String
Optional
Suggested values
.pdf
Properties Aggregator (propertiesAggregator)
Description
Creates the properties needed for the aggregation report.
Attributes
Plugin-Link
Optional
Assignable plugins
Report Renderer (reportRenderer)
Description
Specifies which generic renderer to use to render the aggregate report.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.util.report.aggregation.AggregateReport
id: AggregateReport-xxxxxx
displayName: 
comment: 
properties:
  fileNamePrefix: aggregate-
  fileNameSuffix:
  propertiesAggregator:
  reportRenderer:

Airlock 2FA Activation Authentication UI

Description
User interface configuration for "Airlock 2FA Activation Step" authentication flow step.
Class
com.airlock.iam.login.rest.application.configuration.ui.authentication.Airlock2FAActivationAuthenticationStepUiConfig
May be used by
Properties
Step ID (stepId)
Description
The ID of the step to which this user interface is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Show App Device Activation Link (showAppDeviceActivationLink)
Description
If enabled, an app device link is displayed below the QR code to register the device directly in the mobile app, instead of scanning the QR code. This is useful when users register on their mobile devices and thus cannot scan the displayed QR code.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.login.rest.application.configuration.ui.authentication.Airlock2FAActivationAuthenticationStepUiConfig
id: Airlock2FAActivationAuthenticationStepUiConfig-xxxxxx
displayName: 
comment: 
properties:
  showAppDeviceActivationLink: true
  stepId:

Airlock 2FA Activation Authentication UI (with additional Activation)

Description
User interface configuration for "Airlock 2FA Activation Step (with additional Activation)" authentication flow step.
Class
com.airlock.iam.login.rest.application.configuration.ui.authentication.Airlock2FAAdditionalActivationAuthenticationStepUiConfig
May be used by
Properties
Step ID (stepId)
Description
The ID of the step to which this user interface is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Show App Device Activation Link (showAppDeviceActivationLink)
Description
If enabled, an app device link is displayed below the QR code to register the device directly in the mobile app, instead of scanning the QR code. This is useful when users register on their mobile devices and thus cannot scan the displayed QR code.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.login.rest.application.configuration.ui.authentication.Airlock2FAAdditionalActivationAuthenticationStepUiConfig
id: Airlock2FAAdditionalActivationAuthenticationStepUiConfig-xxxxxx
displayName: 
comment: 
properties:
  showAppDeviceActivationLink: true
  stepId:

Airlock 2FA Activation Letter Order Step

Description

Step to non-interactively order an activation letter.
This step doesn't create the letter, but places an order. It is thus recommended to use 'Airlock 2FA Device Activation Letter Order (Batch)' for the 'Activation Letters' option in the 'Airlock 2FA Token Controller' to create the letters.
This step has to be added after an identifying step, e.g. a Password Authentication Step. Further, the user has to have an Airlock 2FA Account.


When this step completes successfully, either a new letter order is created or a letter order is already pending.
Class
com.airlock.iam.airlock2fa.application.configuration.Airlock2FALetterOrderStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2FASettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.application.configuration.Airlock2FALetterOrderStepConfig
id: Airlock2FALetterOrderStepConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Activation Letter Order User Event Listener

Description
A listener that reacts to the insertion of a new user in the persistency layer by creating automatically:
  • an Airlock 2FA account;
  • an order for an Airlock 2FA activation letter to register the first Airlock 2FA device. All opened orders will be batch processed by the "Airlock 2FA Activation Letter Order Task" in service container to create the necessary activation letters.
Class
com.airlock.iam.airlock2fa.application.configuration.Airlock2FAActivationLetterOrderUserEventListener
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Condition (condition)
Description
The condition to decide whether the event should be handled. If not configured, the event is always handled.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.application.configuration.Airlock2FAActivationLetterOrderUserEventListener
id: Airlock2FAActivationLetterOrderUserEventListener-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  condition:

Airlock 2FA Activation Letter Task

Description

Settings to batch process Airlock 2FA activation letter orders. Each order will generate at most one activation letter. No activation letter will be generated for a permanently disabled Airlock 2FA account. Each order will be deleted after being processed.

An Airlock 2FA letter contains a QR code to be scanned and is typically necessary for the registration of the first Airlock 2FA device.

Note that once the letter has been generated, Airlock IAM is no longer involved in the activation of the user's device. In particular, a user who is locked out after the activation letter was generated can still use it to register an Airlock 2FA device. Login remains impossible as long as the user is locked out.

Class
com.airlock.iam.servicecontainer.app.application.configuration.task.airlock2fa.Airlock2FAActivationLetterOrderTaskConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
User Store (userStore)
Description
The user store to retrieve all user data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Renderer (renderer)
Description
Defines how activation letters (e.g. PDFs) are rendered.

The following placeholders can be used in the templates

  • ${User Context Data Name} - context data of the user.
  • ${activationQRCode} - QR code image for the activation. Image size in document can be adjusted: ${activationQRCode,imageSize,width in points,height in points}
  • ${expires} - expiring date of the activation. Can be used with extended format (e.g. ${expires,date,short})

Attributes
Plugin-Link
Mandatory
Assignable plugins
Working Directory (workingDirectory)
Description
A writable directory used to store a partially rendered activation letter.
If this property is defined, activation letters are not directly generated into the output directory (see other property) but they are generated into this working directory and are then moved into the output directory once they are done.
This helps to solve problems with processes that automatically read the rendered activation letters and therefore might not see the fully rendered result. Make sure that the working directory and the output directory reside in the same file system (otherwise the moving of the generated file will not be atomic).
The directory is either absolute or relative to the JVM's current directory.
Attributes
File/Path
Optional
Output Directory (outputDirectory)
Description
The directory where the printable letters will be stored.
Attributes
File/Path
Mandatory
Language Context Data Name (languageContextDataName)
Description
The user's context data attribute containing the user's language. The language is used to choose the template in the renderer. If left empty, the default template is used.
Attributes
String
Optional
Suggested values
language
Enrollment Validity [s] (enrollmentValidityInSeconds)
Description
The duration (in seconds) an enrollment code should be valid.

Note: This value is only used for the validity of the QR code in the enrollment letter and does not affect enrollment self-services.

Attributes
Integer
Optional
Default value
604800
YAML Template (with default values)

type: com.airlock.iam.servicecontainer.app.application.configuration.task.airlock2fa.Airlock2FAActivationLetterOrderTaskConfig
id: Airlock2FAActivationLetterOrderTaskConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  enrollmentValidityInSeconds: 604800
  languageContextDataName:
  outputDirectory:
  renderer:
  userStore:
  workingDirectory:

Airlock 2FA Activation Step

Description

Step to add a new Airlock 2FA device. This step will generate a QR code (and an Airlock 2FA account if necessary) that needs to be scanned by the device to be added.

Depending on the use-case, this step should be configured as an 'Authentication Flow Step', 'Protected Self-Service Flow Step' or 'User-Self-Registration Flow Step'.

Migration to Airlock 2FA (Authentication Flow)
In this case, the user does not yet have any Airlock 2FA device, but already has a different second authentication factor (see Security note) that needs to be migrated to Airlock 2FA. This step needs to be configured as an 'Authentication Flow Step' inside a 'Migration Selection Step'. Upon successful migration, the user will have an Airlock 2FA account and a newly registered Airlock 2FA device that can be used for strong authentication. The user's default authentication method will have been changed to Airlock 2FA.
Activation of an Airlock 2FA device (Protected Self-Service Flow)
In this case, the user already has a second authentication factor (see Security note) and needs to activate an Airlock 2FA device. This typically happens when the user already uses Airlock 2FA as a second authentication factor and needs to activate an additional device. This step needs to be configured as a 'Protected Self-Service Flow Step'. Upon successful activation, the user will have an Airlock 2FA account and a newly registered Airlock 2FA device that can be used for strong authentication. In contrast to the migration scenario above, the user's default authentication method remains unchanged.
Activation of an Airlock 2FA device (User-Self-Registration Flow)
In this case, the flow step registers a Futurae user account with the device that was used to scan the activation code. An 'Airlock 2FA Token Persisting Handler' must be added to the 'User Persisting Step' to persist the linked Futurae user account with the IAM user.

In the migration and self-service scenarios, an optional 'Airlock 2FA Device Edit Step' can be configured afterwards, to allow the user to edit the newly registered device, e.g., changing its display name.

Note: This step can only register one device in one flow execution. The flow has to be started multiple times when more devices are needed.

Security note: For migration and self-service flows, this step should be restricted to strongly authenticated users. To do so, a 'Pre-Condition Tag' should be used to ensure that the user is strongly authenticated (using at least one of their pre-existing second authentication factors). In particular, this step should not be used for a user authenticated with username and password only. In the password-only use-case, the (physical) generation of an 'Airlock 2FA Device Activation Letter' is necessary.

Class
com.airlock.iam.airlock2fa.application.configuration.Airlock2FAActivationStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Enrollment Timeout [s] (enrollmentTimeoutSeconds)
Description
The duration (in seconds) an enrollment QR code should be valid.

Note: This value is not used when generating activation letters.

Attributes
Integer
Optional
Default value
300
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.application.configuration.Airlock2FAActivationStepConfig
id: Airlock2FAActivationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  enrollmentTimeoutSeconds: 300
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Activation Step (with additional Activation)

Description

Step to add a new Airlock 2FA device. This step will generate a QR code (and an Airlock 2FA account if necessary) that needs to be scanned by the device to be added.

This Step allows device activation during the authentication flow even when the user already has a device. This step is able to add both the first device during a migration or an additional device.

Class
com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2FAAdditionalActivationStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Enrollment Timeout [s] (enrollmentTimeoutSeconds)
Description
The duration (in seconds) an enrollment QR code should be valid.

Note: This value is not used when generating activation letters.

Attributes
Integer
Optional
Default value
300
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2FAAdditionalActivationStepConfig
id: Airlock2FAAdditionalActivationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  enrollmentTimeoutSeconds: 300
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Activation Step Self-Registration UI

Description
User interface configuration for "Airlock 2FA Activation Step" user-self registration flow step.
Class
com.airlock.iam.userselfreg.application.configuration.ui.Airlock2FAActivationUserSelfRegStepUiConfig
May be used by
Properties
Step ID (stepId)
Description
The ID of the step to which this user interface is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Show App Device Activation Link (showAppDeviceActivationLink)
Description
If enabled, an app device link is displayed below the QR code to register the device directly in the mobile app, instead of scanning the QR code. This is useful when users register on their mobile devices and thus cannot scan the displayed QR code.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.userselfreg.application.configuration.ui.Airlock2FAActivationUserSelfRegStepUiConfig
id: Airlock2FAActivationUserSelfRegStepUiConfig-xxxxxx
displayName: 
comment: 
properties:
  showAppDeviceActivationLink: true
  stepId:

Airlock 2FA Activation Step Self-Service UI

Description
User interface configuration for "Airlock 2FA Activation Step" self-service flow step.
Class
com.airlock.iam.selfservice.application.configuration.ui.Airlock2FAActivationSelfServiceStepUiConfig
May be used by
Properties
Step ID (stepId)
Description
The ID of the step to which this user interface is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Show App Device Activation Link (showAppDeviceActivationLink)
Description
If enabled, an app device link is displayed below the QR code to register the device directly in the mobile app, instead of scanning the QR code. This is useful when users register on their mobile devices and thus cannot scan the displayed QR code.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.ui.Airlock2FAActivationSelfServiceStepUiConfig
id: Airlock2FAActivationSelfServiceStepUiConfig-xxxxxx
displayName: 
comment: 
properties:
  showAppDeviceActivationLink: true
  stepId:

Airlock 2FA Activation Trusted Session Binding Step

Description
This step can be used if an Airlock 2FA activation letter has previously been sent to the user. If 'Trusted Session Binding for Activation' is set to 'Only with Letter' or 'Always' in the 'Airlock 2FA Settings', this step is required for users to activate devices using activation letters. Airlock IAM does not provide a UI for this step, since it is intended to be used by custom mobile apps. The intended use case is a mobile app that scans an activation letter and extracts the activation code. The activation code is sent to Airlock IAM, which returns a trusted session binding token. The mobile app then uses the binding token together with the activation code to complete the Airlock 2FA device activation. If Airlock IAM does not receive a flow binding token from Futurae, it returns an empty response and the step does not fail.

This step also provides a REST endpoint to poll the status of an activation.

Class
com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2faActivationTrustedSessionBindingStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.
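
The counter-reset attack described above, as an added example that is not part of Airlock IAM or this reference: a small Python model of per-user failed-attempt counters keyed by authentication method ID. The lockout threshold (MAX_FAILED_LOGINS), the reset-on-success rule, the candidate list and the sample passwords are assumptions for illustration; Airlock IAM's actual counter handling is not shown.

```python
"""
Added example (not Airlock IAM code): per-user failed-attempt counters keyed by
authentication method ID, showing why two steps that check different credentials
must not share one ID.

Assumptions (hypothetical): a lockout threshold MAX_FAILED_LOGINS, a counter that
is reset to 0 on a successful check and incremented on a failed one, and a user
that is locked once a counter reaches the threshold.
"""
from __future__ import annotations
from dataclasses import dataclass, field

MAX_FAILED_LOGINS = 3  # assumed "Max Failed Logins" lock threshold


@dataclass
class User:
    passwords: dict[str, str]                      # credential name -> secret
    failed: dict[str, int] = field(default_factory=dict)  # method ID -> failures
    locked: bool = False


def check_password(user: User, method_id: str, credential: str, guess: str) -> bool:
    """One step instance: verifies `credential`, books the outcome under `method_id`."""
    if user.locked:
        return False
    if guess == user.passwords[credential]:
        user.failed[method_id] = 0            # success resets this method's counter
        return True
    user.failed[method_id] = user.failed.get(method_id, 0) + 1
    if user.failed[method_id] >= MAX_FAILED_LOGINS:
        user.locked = True
    return False


def brute_force(user: User, method_a: str, method_b: str, known_pw1: str,
                candidates: list[str]) -> tuple[bool, int]:
    """
    The attacker knows password 1 (checked in flow A under method_a) and guesses
    password 2 (checked in flow B under method_b). Before each guess they log in
    on flow A, which resets the counter stored under method_a.
    Returns (password 2 found?, number of guesses made).
    """
    guesses = 0
    for candidate in candidates:
        check_password(user, method_a, "pw1", known_pw1)   # resets method_a counter
        guesses += 1
        if check_password(user, method_b, "pw2", candidate):
            return True, guesses
        if user.locked:
            return False, guesses
    return False, guesses


def demo(shared_id: bool) -> tuple[bool, int]:
    """Runs the attack with a shared ID ("PASSWORD") or distinct IDs."""
    # Constructed sample data.
    user = User(passwords={"pw1": "known-secret", "pw2": "s3cret-9"})
    candidates = ["a", "b", "c", "d", "e", "f", "g", "s3cret-9"]
    method_a = "PASSWORD"
    method_b = "PASSWORD" if shared_id else "PASSWORD2"
    return brute_force(user, method_a, method_b, "known-secret", candidates)


if __name__ == "__main__":
    print("shared ID:  ", demo(True))    # attacker gets through all 8 guesses
    print("distinct IDs:", demo(False))  # user locked after 3 failed guesses
```

With a shared ID the success on flow A zeroes the only counter before every guess, so the attacker is never locked out; with distinct IDs the PASSWORD2 counter is untouched by flow A and the lock triggers after MAX_FAILED_LOGINS failures.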

Attributes
String
Optional
Length <= 23
Default value
AIRLOCK_2FA
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2faActivationTrustedSessionBindingStepConfig
id: Airlock2faActivationTrustedSessionBindingStepConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  authenticationMethodId: AIRLOCK_2FA
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Apply Device Deletion Change

Description
Applies the "Airlock 2FA Device Deletion" change. Performs the actual deletion.
Class
com.airlock.iam.selfservice.application.configuration.step.Airlock2FAApplyDeviceDeletionChangeConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2FASettings)
Description
The Airlock 2FA Settings. Verify that the initiation step uses the same settings.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.Airlock2FAApplyDeviceDeletionChangeConfig
id: Airlock2FAApplyDeviceDeletionChangeConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:

Airlock 2FA Apply Device Edit Change

Description
Applies the "Airlock 2FA Device Edit" change. Performs the actual edit.
Class
com.airlock.iam.selfservice.application.configuration.step.Airlock2FAApplyDeviceEditChangeConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2FASettings)
Description
The Airlock 2FA Settings. Verify that the initiation step uses the same settings.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.Airlock2FAApplyDeviceEditChangeConfig
id: Airlock2FAApplyDeviceEditChangeConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:

Airlock 2FA Approval UI (Protected Self-service)

Description
User interface configuration for "Airlock 2FA Self-Service Approval Step".
Class
com.airlock.iam.selfservice.application.configuration.ui.Airlock2FASelfServiceApprovalStepUiConfig
May be used by
Properties
Step ID (stepId)
Description
The ID of the step to which this user interface is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Show App Approval Link (showAppApprovalLink)
Description
If enabled, when approving an operation using the Online QR Code factor, an app device link is displayed below the QR code. This link can be clicked to approve the operation in a mobile app (e.g. the Airlock 2FA app) instead of scanning the QR code. This is useful when the self-service is used on a mobile device and the displayed QR code cannot be scanned.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.ui.Airlock2FASelfServiceApprovalStepUiConfig
id: Airlock2FASelfServiceApprovalStepUiConfig-xxxxxx
displayName: 
comment: 
properties:
  showAppApprovalLink: true
  stepId:

Airlock 2FA Approval UI (Public Self-service)

Description
User interface configuration for "Airlock 2FA Public Self-Service Approval Step".
Class
com.airlock.iam.publicselfservice.application.configuration.ui.Airlock2FAPublicSelfServiceApprovalStepUiConfig
May be used by
Properties
Step ID (stepId)
Description
The ID of the step to which this user interface is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Show App Approval Link (showAppApprovalLink)
Description
If enabled, when approving an operation using the Online QR Code factor, an app device link is displayed below the QR code. This link can be clicked to approve the operation in a mobile app (e.g. the Airlock 2FA app) instead of scanning the QR code. This is useful when the self-service is used on a mobile device and the displayed QR code cannot be scanned.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.publicselfservice.application.configuration.ui.Airlock2FAPublicSelfServiceApprovalStepUiConfig
id: Airlock2FAPublicSelfServiceApprovalStepUiConfig-xxxxxx
displayName: 
comment: 
properties:
  showAppApprovalLink: true
  stepId:

Airlock 2FA Authentication Data Map

Description

Provides Airlock 2FA authentication information about the device referenced by the Auth Token ID, as well as cooldown information about the device used for authentication.

The provided Auth Token ID information concerns the device from the Auth Token ID and is available as soon as the user has used or activated an Airlock 2FA device as a second factor for authentication in this session. Currently, the following values are provided:

  • a2fa-auth-token-device-id: This key provides the device ID of the Airlock 2FA device.
  • a2fa-auth-token-device-type: This key provides the device type of the Airlock 2FA device. It can have the following values:
    • ios
    • android
    • hardware
  • a2fa-auth-token-device-display-name: This key provides the display name of the Airlock 2FA device.
  • a2fa-auth-token-device-enrollment-timestamp: Timestamp (as date-time object) of the point in time when the Airlock 2FA device was enrolled. This value can be used by template-based providers to format the timestamp into a specific date format.

The cooldown information concerns the device that was used for authentication and is available as soon as the user has successfully used an Airlock 2FA device for authentication in this session. Unlike the Auth Token ID, which is also updated after registering a new device, the values provided here only concern the device used for the actual authentication. Currently, the following values are provided:

  • a2fa-cooldown-auth-device: This key reports whether or not the Airlock 2FA device used during authentication is in cooldown. This key can have the following values:
    • cooldown: the device is in cooldown
    • active: the device is fully active
  • a2fa-cooldown-ends: Timestamp (as date-time object) of the point in time when cooldown will end for the Airlock 2FA device that was used during authentication. If the Airlock 2FA device used for authentication is active (not in cooldown), this key is not supplied. This value can be used by template-based providers to format the timestamp into a specific date format.

The following key is always provided and reports what type of devices the user has in the account:

  • a2fa-cooldown-devices: This key can have the following values:
    • has_active: at least one active Airlock 2FA device is available
    • all_cooldown: only Airlock 2FA devices in cooldown are available
    • none: no Airlock 2FA devices are available
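
As an added example (not Airlock IAM code): how the keys listed above can be derived from a user's device list. The device records, the cooldown period and the rule that a device stays in cooldown until its enrollment time plus the cooldown period are constructed assumptions; the key names and the value strings are the ones documented on this page, and how Airlock IAM itself derives them is not shown.

```python
"""
Added example (not Airlock IAM code): builds the Airlock 2FA Authentication Data
Map from a constructed device list.

Assumptions (hypothetical): a device is in cooldown while
now < enrolled_at + cooldown; the devices, timestamps and cooldown period below
are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Device:
    device_id: str
    device_type: str          # "ios", "android" or "hardware"
    display_name: str
    enrolled_at: datetime


def cooldown_end(device: Device, cooldown: timedelta) -> datetime:
    return device.enrolled_at + cooldown


def in_cooldown(device: Device, cooldown: timedelta, now: datetime) -> bool:
    return now < cooldown_end(device, cooldown)


def auth_data_map(devices: list[Device], auth_device: Device | None,
                  cooldown: timedelta, now: datetime) -> dict:
    """
    `auth_device` is the device the user authenticated with in this session, or
    None if no Airlock 2FA authentication has happened yet.
    """
    data: dict = {}

    if auth_device is not None:
        # Auth Token ID keys (here taken from the authenticating device).
        data["a2fa-auth-token-device-id"] = auth_device.device_id
        data["a2fa-auth-token-device-type"] = auth_device.device_type
        data["a2fa-auth-token-device-display-name"] = auth_device.display_name
        data["a2fa-auth-token-device-enrollment-timestamp"] = auth_device.enrolled_at

        # Cooldown keys for the device used for authentication. 'a2fa-cooldown-ends'
        # is only supplied while that device is still in cooldown.
        if in_cooldown(auth_device, cooldown, now):
            data["a2fa-cooldown-auth-device"] = "cooldown"
            data["a2fa-cooldown-ends"] = cooldown_end(auth_device, cooldown)
        else:
            data["a2fa-cooldown-auth-device"] = "active"

    # Always provided: which kinds of devices the account has.
    if not devices:
        data["a2fa-cooldown-devices"] = "none"
    elif any(not in_cooldown(d, cooldown, now) for d in devices):
        data["a2fa-cooldown-devices"] = "has_active"
    else:
        data["a2fa-cooldown-devices"] = "all_cooldown"
    return data


# Constructed sample input.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
COOLDOWN = timedelta(hours=24)
OLD_PHONE = Device("dev-1", "ios", "Old iPhone", NOW - timedelta(days=30))
NEW_PHONE = Device("dev-2", "android", "New Pixel", NOW - timedelta(hours=2))


def sample_new_device_login() -> dict:
    """User authenticates with the device enrolled two hours ago."""
    return auth_data_map([OLD_PHONE, NEW_PHONE], NEW_PHONE, COOLDOWN, NOW)


def sample_all_cooldown() -> dict:
    """Only the freshly enrolled device exists and no authentication happened yet."""
    return auth_data_map([NEW_PHONE], None, COOLDOWN, NOW)


if __name__ == "__main__":
    for key, value in sample_new_device_login().items():
        print(f"{key}: {value}")
```

A template-based provider would consume the date-time objects under the timestamp keys and format them; a condition that should block devices in cooldown from a high-risk application would look at a2fa-cooldown-auth-device, while a2fa-cooldown-devices tells whether offering an "activate a new device" path makes sense at all.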

Class
com.airlock.iam.airlock2fa.application.configuration.Airlock2FAAuthenticationDataValueMapProviderConfig
May be used by
mTAN Transaction Approval Step, Secret Questions Identity Verification Step, Set Authentication Method Migration Step, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Airlock 2FA Self-Service Approval Step, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Account Link Linking Initiation Step, Remote Event Subscriber (Loginapp), Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step,
Airlock 2FA Message Provider, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, Selection Step for Public Self-Service, OATH OTP Activation Step, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Delete FIDO Credential Initiation Step, Login From New Device Step, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step,
Remember-Me User Identifying Step, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, Cronto Message Provider, User Identification By Data Step (Public Self-Service), Translated String Provider, Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Template-based String Provider, Apply Changes Step, User Persisting Step Config, Start User Representation Step, mTAN Message Provider, String From Map Value Provider, Mandatory Password Change Step Config, SMS Event Subscriber (Loginapp), Disable Cronto Device Initiation Step, Email Message Provider, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), FIDO Registration Step, Delete Remember-Me Device Initiation Step,
Transaction Approval Parameter Step, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Username Password Authentication Step, Certificate Credential Extraction Step Config, Set Password Step Config, Password Change Self-Service Step, SSI Verification Step, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation,
User Role Assignment Step Config, mTAN Self-Service Approval Step, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Delete mTAN Number Initiation Step, SSI Authentication Step, Template-based Username Transformer, Transforming Value Map Provider, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Email Event Subscriber (Loginapp), Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Airlock 2FA Mobile Only Authentication Step, Voluntary Password Change Step, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), Username Generation Step Config, Remember-Me Reset Step, Delete OAuth 2.0 Session Initiation Step, Ticket String Provider Config, OAuth 2.0 Session Reset Step, Selection Step
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA. It is recommended to use the same settings everywhere. Otherwise, the values provided by this data map can seem inconsistent.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.application.configuration.Airlock2FAAuthenticationDataValueMapProviderConfig
id: Airlock2FAAuthenticationDataValueMapProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:

Airlock 2FA Authentication Step

Description
Configuration of an Airlock 2FA authentication step for any of the factors One-Touch, Online QR Code, Passcode or Offline QR Code.

The identifier of the authentication method for this step is 'AIRLOCK_2FA' and is also the identifier for failed authentication attempts.

Note that for mobile-only authentication scenarios, the other authentication plugin "Airlock 2FA Mobile Only Authentication Step" should be used.

Class
com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2FAUserFactorAuthenticationStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Factors (factors)
Description

Priority list of all enabled factors. Only factors that are in this list can be used for authentication. The factors are offered in the configured order.

Online factors (One-Touch and Online QR Code) must come before all other factors. It is recommended to include at least one offline factor.

Available factors:

  • One-Touch: a push message is sent to the user's mobile app, where it must be approved. This is an online factor and will require device selection if the user has multiple devices.
  • Online QR Code: a QR code is displayed in the browser, which has to be scanned by a mobile app and approved there. This is an online factor. No prior device selection is required.
  • Passcode: the device (mobile app or hardware token) generates a time-dependent code (OTP) that has to be entered manually in the browser. This is an offline factor. No prior device selection is required.
  • Offline QR Code: a QR code is displayed in the browser which has to be scanned by a mobile app or hardware token. The device displays a code (OTP) that must be entered manually in the browser. This is an offline factor and will require device selection if the user has multiple devices.

Attributes
String-List
Optional
Default value
[One-Touch, Passcode, Offline QR Code]
Max Failed Passcode Check Attempts (maxFailedPasscodeCheckAttempts)
Description
Defines the number of failed passcode checks that may occur before the flow is aborted. Setting this value to n means that the flow is aborted on the n + 1st failed attempt. This value must be less than "Max Failed Logins" in the "Authentication Flows" settings to be effective.
Attributes
Integer
Optional
Default value
3
Enforce Device Selection (enforceDeviceSelection)
Description
Defines if the device has to be selected even when there is only one selectable device.
Attributes
Boolean
Optional
Default value
false
Enable Push-to-All (enablePushToAll)
Description

If Push-to-All is enabled for One-Touch, device selection is never required for One-Touch. Push notifications are sent to all of a user's devices and authentication can be approved on any of the devices.

The combination of Push-to-All and "Cooldown Period" can result in push notifications being sent to devices that are currently still in cooldown. However, those devices cannot be used to successfully complete the authentication.

The combination of Push-to-All and "Lock User on Fraud" could have undesired effects, because users might report fraud in legitimate use-cases.

Attributes
Boolean
Optional
Default value
false
One-Touch Message Provider (messageProvider)
Description

Creates the message that will be displayed on the user's device when using One-Touch. If no message provider is configured, only a title with the fixed translation key "airlock2fa.one-touch.authentication-title" or its fallback value "Login" is used.

Using a custom Message Provider could prevent authentication with a smartwatch: Because additional information is included, the app forces the user to scroll through the message (which might not be supported by the watch).

Attributes
Plugin-Link
Optional
Assignable plugins
QR Code Message Provider (qrCodeMessageProvider)
Description

Creates the message that will be displayed on the user's device when using Online QR Code or Offline QR Code factors. If no message provider is configured, the default title of Futurae will be shown (without any additional information items).

Note that the Login ID cannot be included because it is only available in the One-Touch Message Provider.

Also, because of technical limitations, the title of Offline QR Codes is always the default title from Futurae; the configured message provider is ignored for them.

Attributes
Plugin-Link
Optional
Assignable plugins
Generate One-Touch Login ID (generateLoginId)
Description

If enabled, a random ID is generated and shown to the user during One-Touch authentication.

The ID is shown on the Airlock 2FA device and on the login page, allowing the user to correlate the session.

The "One-Touch Message Provider" property must be configured for the Login ID to be displayed on the device.

If the multi-numbered challenge feature is enabled on the Futurae service, "Generate One-Touch Login ID" should be disabled. In that case, the Login ID does not provide any security enhancement, but severely impacts usability.

Attributes
Boolean
Optional
Default value
true
Tags On Successful One-Touch (tagsOnSuccessfulOneTouch)
Description
Additional success tags to be granted if the step is completed using One-Touch.
Attributes
Plugin-List
Optional
Assignable plugins
Tags On Successful Online QR Code (tagsOnSuccessfulOnlineQrCode)
Description
Additional success tags to be granted if the step is completed using online QR Code.
Attributes
Plugin-List
Optional
Assignable plugins
Tags On Successful Passcode Check (tagsOnSuccessfulPasscodeCheck)
Description
Additional success tags to be granted if the step is completed using passcode.
Attributes
Plugin-List
Optional
Assignable plugins
Tags On Successful Offline QR Code (tagsOnSuccessfulOfflineQrCode)
Description
Additional success tags to be granted if the step is completed using Offline QR Code.
Attributes
Plugin-List
Optional
Assignable plugins
Tags On Successful Bypass (tagsOnSuccessfulBypass)
Description
Additional success tags to be granted if the step is completed using bypass.
Attributes
Plugin-List
Optional
Assignable plugins
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown cannot be used for authentication.

If disabled, the step ignores the "Cooldown Period" for new devices configured in the "Airlock 2FA Settings". This is typically used for authentication steps that protect low-risk applications, such as a portal page, which can also be accessed using devices in cooldown.

If no "Cooldown Period" is defined, enabling this property has no effect.

Attributes
Boolean
Optional
Default value
true
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2FAUserFactorAuthenticationStepConfig
id: Airlock2FAUserFactorAuthenticationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  enablePushToAll: false
  enforceDeviceSelection: false
  factors: [One-Touch, Passcode, Offline QR Code]
  generateLoginId: true
  interactiveGotoTargets:
  maxFailedPasscodeCheckAttempts: 3
  messageProvider:
  onFailureGotos:
  preCondition:
  qrCodeMessageProvider:
  requiresActivation: false
  respectCooldownPeriod: true
  skipCondition:
  stepId:
  tagsOnSuccess:
  tagsOnSuccessfulBypass:
  tagsOnSuccessfulOfflineQrCode:
  tagsOnSuccessfulOneTouch:
  tagsOnSuccessfulOnlineQrCode:
  tagsOnSuccessfulPasscodeCheck:

Airlock 2FA Authentication UI

Description
User interface configuration for "Airlock 2FA Authentication Step" authentication flow step.
Class
com.airlock.iam.login.rest.application.configuration.ui.authentication.Airlock2FAUserFactorAuthenticationStepUiConfig
May be used by
Properties
Step ID (stepId)
Description
The ID of the step to which this user interface is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Show App Approval Link (showAppApprovalLink)
Description
If enabled, when authenticating using the Online QR Code factor, an app device link is displayed below the QR code. The user may then click the link to approve the authentication in the mobile app instead of scanning the QR code. This is useful when users authenticate on their mobile devices and thus cannot scan the displayed QR code.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.login.rest.application.configuration.ui.authentication.Airlock2FAUserFactorAuthenticationStepUiConfig
id: Airlock2FAUserFactorAuthenticationStepUiConfig-xxxxxx
displayName: 
comment: 
properties:
  showAppApprovalLink: true
  stepId:

Airlock 2FA Authenticator

Description
Authenticator for Airlock 2FA.

Customize the string resource airlock2fa.one-touch.authentication-title to define the text that is displayed after the word "Approve" for One-Touch authentications.

Class
com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2FAAuthenticatorConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Factors (factors)
Description

Priority list of all enabled factors. Only factors that are in this list can be used for authentication. The factors are offered in the configured order.

Online factors (One-Touch and Online QR Code) must come before all other factors. It is recommended to include at least one offline factor.

Available factors:

  • One-Touch: a push message is sent to the user's mobile app, where it must be approved. This is an online factor and will require device selection if the user has multiple devices.
  • Passcode: the device (mobile app or hardware token) generates a time-dependent code (OTP) that has to be entered manually. This is an offline factor. No prior device selection is required.
  • Offline QR Code: a QR code is returned which has to be scanned by a mobile app or hardware token. The device displays a code (OTP) that must be entered manually. This is an offline factor and will require device selection if the user has multiple devices.

Attributes
String-List
Optional
Default value
[One-Touch, Passcode, Offline QR Code]
User Persister (userPersister)
Description
The user persister to access IAM users.
Attributes
Plugin-Link
Mandatory
Assignable plugins
String Resources File (stringResourcesFile)
Description
Specifies the prefix of the file(s) containing the language dependent string resources. Example: If the value of this property is strings, the language dependent files must be strings_de.properties, strings_en.properties and so on and the default file must be strings.properties.
Attributes
String
Optional
Default value
strings
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2FAAuthenticatorConfig
id: Airlock2FAAuthenticatorConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  factors: [One-Touch, Passcode, Offline QR Code]
  stringResourcesFile: strings
  userPersister:

Airlock 2FA Consistency User Change Listener

Description
A listener that reacts to change events on users and keeps the Airlock 2FA account in a consistent state. Actions:
  • on user deletion: deletes the associated Airlock 2FA account.
  • on user name change: updates the user reference of the Airlock 2FA account.
Class
com.airlock.iam.airlock2fa.application.configuration.Airlock2FAConsistencyUserChangeListener
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2FASettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.application.configuration.Airlock2FAConsistencyUserChangeListener
id: Airlock2FAConsistencyUserChangeListener-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:

Airlock 2FA Database Repository

Description
Persists and loads data for Airlock 2FA.
Class
com.airlock.iam.airlock2fa.application.configuration.Airlock2FARepositoryConfig
May be used by
License-Tags
Airlock2FA
Properties
SQL Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Storage Encryption (storageEncryptionConfig)
Description
Defines how activation codes are encrypted when stored on the database. This ensures that an adversary obtaining data from the database cannot read or modify activation codes without knowing the secret for decryption.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Log Queries (logQueries)
Description
Enable to log SQL queries (only effective if the log level is at least INFO). Attention: query values (including potentially sensitive data) will be logged as well.
Attributes
Boolean
Optional
Default value
false
Tenant ID (tenantId)
Description
The value which is added to database records to distinguish between different tenants. The value is also used when retrieving data from the persistence.
If no value is configured, then 'no_tenant' is used as value on the database.
Attributes
String
Optional
Length <= 50
Validation RegEx: (?!no_tenant$).*
Example
customerA
Example
customerB
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.application.configuration.Airlock2FARepositoryConfig
id: Airlock2FARepositoryConfig-xxxxxx
displayName: 
comment: 
properties:
  logQueries: false
  sqlDataSource:
  storageEncryptionConfig:
  tenantId:

Airlock 2FA Delete Devices Step

Description
Step to non-interactively delete Airlock 2FA devices of the current user.
The devices which will be deleted can be configured by the corresponding property.
In case the user does not have an Airlock 2FA Account, the step succeeds without deleting any devices.

Common use cases which can be achieved with this step are:

  • Remove all Airlock 2FA devices.
  • Remove all Airlock 2FA devices except previously activated devices in this flow.
  • Remove all Airlock 2FA devices except the last registered device.
  • Remove the Airlock 2FA device which was used for login unless it is the last device.
Class
com.airlock.iam.airlock2fa.application.configuration.Airlock2FADeleteDevicesStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2FASettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Devices To Delete (devicesToDelete)
Description
Devices which will be deleted.
In case no device ID is provided, the step succeeds without deleting any devices.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.application.configuration.Airlock2FADeleteDevicesStepConfig
id: Airlock2FADeleteDevicesStepConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  devicesToDelete:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Device Activated

Description
Event that is triggered by an activation of an Airlock 2FA device.
Class
com.airlock.iam.login.application.configuration.event.Airlock2FADeviceActivatedSubscribedEventConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.event.Airlock2FADeviceActivatedSubscribedEventConfig
id: Airlock2FADeviceActivatedSubscribedEventConfig-xxxxxx
displayName: 
comment: 
properties:

Airlock 2FA Device Delete Initiation Step

Description
Step to initiate the deletion of an Airlock 2FA device. The actual deletion will be done in the "Apply Changes Step" which requires an "Airlock 2FA Apply Device Deletion Change" to perform the actual deletion.
Class
com.airlock.iam.selfservice.application.configuration.step.Airlock2FASelfServiceDeviceDeleteInitiationStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2FASettings)
Description
The Airlock 2FA Settings. Verify that the corresponding apply handler uses the same settings.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allow Deleting All Devices (canUserDeleteAllDevices)
Description
If this option is enabled, a user may delete all his Airlock 2FA app devices in the Airlock 2FA device management. In this case, the user will no longer be able to log in with Airlock 2FA unless he/she is in possession of an Airlock 2FA hardware device. Note that a user cannot delete assigned Airlock 2FA hardware devices, so this setting affects only app devices.

Deprecated: this property will be removed in the next major version of Airlock IAM. Instead, configure the plugin "Airlock 2FA Device Deletion Possible" as an Access Condition inside the protected self-service flow where this step is configured. This ensures that a user has sufficiently many Airlock 2FA app devices before entering the flow.

Attributes
Boolean
Optional
Default value
false
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
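A small model of the "On Failure Gotos" handling described for the Airlock 2FA Authentication Step, the Airlock 2FA Delete Devices Step and this step. It is an added illustration, not Airlock IAM code: the step setting names, the PASSCODE_CHECK_FAILED code and the rule that a locked user fails the flow even when a goto target exists are assumptions drawn from the text above.

```python
"""Model of the "On Failure Gotos" handling described for the steps above.

Constructed illustration, not Airlock IAM code. It shows why a configured
goto target is no guarantee that the flow survives: error codes that are
counted as failed factor attempts still increment the failed-attempts counter,
and a locked user fails the flow regardless of the goto (assumption drawn from
the text).
"""
from dataclasses import dataclass, field
from typing import Optional

# Error code quoted on the page.
EXTERNAL_SERVICE_UNAVAILABLE = "EXTERNAL_SERVICE_UNAVAILABLE"
# Hypothetical code for a wrong passcode; it stands in for any error code that
# counts as a failed factor attempt.
PASSCODE_CHECK_FAILED = "PASSCODE_CHECK_FAILED"


@dataclass
class FactorState:
    """Per-user counter of failed factor attempts (modelled, not IAM's schema)."""
    failed_attempts: int = 0
    # Mirrors the maxFailedPasscodeCheckAttempts: 3 default from the YAML template.
    max_failed_attempts: int = 3
    locked: bool = False


@dataclass
class StepFailureConfig:
    """Subset of a step configuration relevant to failure handling."""
    step_id: str
    # onFailureGotos: error code -> target step ID
    on_failure_gotos: dict = field(default_factory=dict)
    # "Strict Counting" as named on the page; modelled here as a step flag.
    strict_counting: bool = False


def counts_as_failed_attempt(error_code: str, strict_counting: bool) -> bool:
    """EXTERNAL_SERVICE_UNAVAILABLE is counted only with strict counting enabled;
    every other code is assumed to be a failed factor attempt."""
    if error_code == EXTERNAL_SERVICE_UNAVAILABLE:
        return strict_counting
    return True


def handle_step_failure(step: StepFailureConfig, state: FactorState,
                        error_code: str) -> tuple:
    """Apply the failure of `step` with `error_code` to `state`.

    Returns (next_step_id, flow_failed): next_step_id is the goto target when
    the flow continues and None when the flow fails.
    """
    if counts_as_failed_attempt(error_code, step.strict_counting):
        state.failed_attempts += 1
        if state.failed_attempts >= state.max_failed_attempts:
            state.locked = True
    target: Optional[str] = step.on_failure_gotos.get(error_code)
    if target is None or state.locked:
        return None, True
    return target, False


def simulate(step: StepFailureConfig, error_codes: list) -> dict:
    """Replay a sequence of failures against a fresh user state and report the outcome."""
    state = FactorState()
    path = []
    for code in error_codes:
        target, failed = handle_step_failure(step, state, code)
        if failed:
            return {"path": path, "failed": True,
                    "failed_attempts": state.failed_attempts, "locked": state.locked}
        path.append(target)
    return {"path": path, "failed": False,
            "failed_attempts": state.failed_attempts, "locked": state.locked}


if __name__ == "__main__":
    step = StepFailureConfig(
        step_id="airlock2fa-auth",
        on_failure_gotos={EXTERNAL_SERVICE_UNAVAILABLE: "sms-otp-fallback",
                          PASSCODE_CHECK_FAILED: "sms-otp-fallback"},
    )
    # Outage with strict counting disabled: the flow switches factor, counter untouched.
    print(simulate(step, [EXTERNAL_SERVICE_UNAVAILABLE]))
    # Repeated wrong passcodes: the goto fires twice, the third failure locks the user.
    print(simulate(step, [PASSCODE_CHECK_FAILED] * 3))
```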
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.Airlock2FASelfServiceDeviceDeleteInitiationStepConfig
id: Airlock2FASelfServiceDeviceDeleteInitiationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:
  canUserDeleteAllDevices: false
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Device Deleted

Description
Event that is triggered by the deletion of an Airlock 2FA device.
Class
com.airlock.iam.common.application.configuration.event.Airlock2FADeviceDeletedSubscribedEventConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.event.Airlock2FADeviceDeletedSubscribedEventConfig
id: Airlock2FADeviceDeletedSubscribedEventConfig-xxxxxx
displayName: 
comment: 
properties:

Airlock 2FA Device Deletion Possible

Description
Condition that determines whether the current user is allowed to delete an Airlock 2FA app device. For device deletion to be possible, the user needs to have at least one app device. If "Allow Deleting All Devices" is disabled, at least two app devices are required. This is to ensure that the user will still be able to log in with Airlock 2FA after device deletion was performed.
Class
com.airlock.iam.airlock2fa.application.configuration.condition.Airlock2FADeviceDeletionPossibleConditionConfig
May be used by
mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service Flow, Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allow Deleting All Devices (canUserDeleteAllDevices)
Description
If this option is enabled, a user may delete all of their Airlock 2FA app devices. In this case, the user will no longer be able to log in with Airlock 2FA unless they possess an Airlock 2FA hardware device. Note that a user cannot delete assigned Airlock 2FA hardware devices, so this setting affects only app devices.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.application.configuration.condition.Airlock2FADeviceDeletionPossibleConditionConfig
id: Airlock2FADeviceDeletionPossibleConditionConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  canUserDeleteAllDevices: false

Airlock 2FA Device Edit Initiation Step

Description
Step to initiate the edit of an Airlock 2FA device. The actual edit will be done in the "Apply Changes Step" which requires an "Airlock 2FA Apply Device Edit Change" to perform the actual edit.
Class
com.airlock.iam.selfservice.application.configuration.step.Airlock2FASelfServiceDeviceEditInitiationStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2FASettings)
Description
The Airlock 2FA Settings. Verify that the corresponding apply handler uses the same settings.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.Airlock2FASelfServiceDeviceEditInitiationStepConfig
id: Airlock2FASelfServiceDeviceEditInitiationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Device Edit Step

Description

Step to edit a newly added Airlock 2FA device.

This step can be used after an 'Airlock 2FA Activation Step' to, for example, change the display name of the new device. See the documentation of 'Airlock 2FA Activation Step' to know in which cases this step should be configured as an 'Authentication Flow Step' or as a 'Protected Self-Service Flow Step'.

Note that this step can not be used to edit already activated Airlock 2FA devices (which were not activated by an 'Airlock 2FA Activation Step' in the same session). For this use-case, a 'Protected Self-Service Flow' with an 'Airlock 2FA Device Edit Initiation Step' and a corresponding 'Apply Changes Step' should be used.

Class
com.airlock.iam.airlock2fa.application.configuration.Airlock2FADeviceEditStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.application.configuration.Airlock2FADeviceEditStepConfig
id: Airlock2FADeviceEditStepConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:
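
As an added example (not Airlock IAM code), the following Python model shows how the "On Failure Gotos" property of the two steps above interacts with the "failed attempts" counter: the counter is updated before any goto is taken, so a goto keeps the flow alive but cannot prevent a lock. The lock threshold, the set of error codes that count as failed factor attempts, the step IDs and the effect of "Strict Counting" on EXTERNAL_SERVICE_UNAVAILABLE are assumptions made for illustration.

```python
"""Model of "On Failure Gotos" versus the failed-attempts counter.
Added illustration, not Airlock IAM code; thresholds and code sets are assumed."""
from dataclasses import dataclass, field

# Error codes considered failed factor attempts (assumed set for the example).
FAILED_FACTOR_CODES = {"AUTHENTICATION_FAILED", "TOKEN_INVALID"}
EXTERNAL_SERVICE_UNAVAILABLE = "EXTERNAL_SERVICE_UNAVAILABLE"
MAX_FAILED_ATTEMPTS = 3  # assumed lock threshold


@dataclass
class FlowState:
    current_step: str           # assumed step IDs, e.g. "airlock-2fa-authentication"
    failed_attempts: int = 0
    locked: bool = False
    outcome: str = "RUNNING"    # RUNNING or FLOW_FAILED
    trace: list = field(default_factory=list)


def counts_as_failed_attempt(error_code: str, strict_counting: bool) -> bool:
    """Failed factor codes always count. An unavailable external service counts
    only when "Strict Counting" is enabled (assumption based on the description)."""
    if error_code in FAILED_FACTOR_CODES:
        return True
    return error_code == EXTERNAL_SERVICE_UNAVAILABLE and strict_counting


def handle_step_failure(state: FlowState, error_code: str,
                        on_failure_gotos: dict, strict_counting: bool = False) -> FlowState:
    """Apply a non-retryable step failure. The counter (and a possible lock) is
    handled first, so a configured goto never hides a lock; only afterwards is
    the goto target for the error code looked up."""
    if counts_as_failed_attempt(error_code, strict_counting):
        state.failed_attempts += 1
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked = True
    if state.locked:
        state.outcome = "FLOW_FAILED"
        state.trace.append(f"{state.current_step}: {error_code} -> user locked, flow fails")
        return state
    target = on_failure_gotos.get(error_code)
    if target is None:
        state.outcome = "FLOW_FAILED"
        state.trace.append(f"{state.current_step}: {error_code} -> no goto, flow fails")
        return state
    state.trace.append(f"{state.current_step}: {error_code} -> goto {target}")
    state.current_step = target
    return state


def demo_fallback() -> FlowState:
    """External 2FA service unreachable, strict counting disabled: the flow
    switches to an alternative factor step without consuming a failed attempt."""
    gotos = {EXTERNAL_SERVICE_UNAVAILABLE: "mtan-authentication"}
    state = FlowState(current_step="airlock-2fa-authentication")
    return handle_step_failure(state, EXTERNAL_SERVICE_UNAVAILABLE, gotos)


def demo_goto_then_lock() -> FlowState:
    """A goto for a failed factor code keeps the flow alive, but every attempt
    still counts, so the third failure locks the user and the flow fails anyway."""
    gotos = {"AUTHENTICATION_FAILED": "airlock-2fa-authentication"}
    state = FlowState(current_step="airlock-2fa-authentication")
    for _ in range(3):
        handle_step_failure(state, "AUTHENTICATION_FAILED", gotos)
    return state


if __name__ == "__main__":
    for s in (demo_fallback(), demo_goto_then_lock()):
        print(*s.trace, sep="\n")
        print("outcome:", s.outcome, "| failed attempts:", s.failed_attempts)
```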

Airlock 2FA Device In Cooldown Used

Description
Event that is triggered if an Airlock 2FA device is used during its cooldown period.
Class
com.airlock.iam.login.application.configuration.event.Airlock2FADeviceInCooldownUsedSubscribedEventConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.event.Airlock2FADeviceInCooldownUsedSubscribedEventConfig
id: Airlock2FADeviceInCooldownUsedSubscribedEventConfig-xxxxxx
displayName: 
comment: 
properties:

Airlock 2FA Device List

Description
Configures the Airlock 2FA device list REST self-service. Additional self-service functionality can be configured in "Protected Self-Service Flows".
Class
com.airlock.iam.selfservice.application.configuration.Airlock2FADeviceListSelfServiceRestConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2FASettings)
Description
The Airlock 2FA Settings.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access the Airlock 2FA device list.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access the Airlock 2FA device list without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.Airlock2FADeviceListSelfServiceRestConfig
id: Airlock2FADeviceListSelfServiceRestConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  airlock2FASettings:
  authorizationCondition:

Airlock 2FA Device Management UI

Description
Configures the Airlock 2FA device management user interface.

Depending on the configuration, the user interface allows an authenticated user:

  • to delete an Airlock 2FA device;
  • to change the display name of an Airlock 2FA device;
  • to activate a new Airlock 2FA device.

The device management interface is accessible at /<loginapp-uri>/ui/app/protected/tokens/airlock-2fa/devices after user authentication.

Class
com.airlock.iam.selfservice.application.configuration.ui.tokens.Airlock2FADeviceManagementUiConfig
May be used by
License-Tags
Airlock2FA
Properties
Flow To Delete Device (flowToDeleteDevice)
Description
ID of the flow which is used for deletion of an Airlock 2FA device. If not configured, the user will not be able to delete a device via the management UI.
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Change Display Name (flowToChangeDisplayName)
Description
ID of the flow which is used for changing the display name of an Airlock 2FA device. If not configured, the user will not be able to edit the display name of a device via the management UI.
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Activate App Device (flowToActivateAppDevice)
Description
ID of the flow which is used for activating an Airlock 2FA device. If not configured, the user will not be able to activate a new device via the management UI.
Attributes
Plugin-Link
Optional
Assignable plugins
Page Exit Target (pageExitTarget)
Description

If configured, an additional button is displayed on the Airlock 2FA device management to exit the page. On click, this button redirects the user to the configured target.

To redirect to a target application, redirect to the corresponding "Authentication Flow". If the flow can be skipped due to the obtained tags, the user is directly forwarded to the target application.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.ui.tokens.Airlock2FADeviceManagementUiConfig
id: Airlock2FADeviceManagementUiConfig-xxxxxx
displayName: 
comment: 
properties:
  flowToActivateAppDevice:
  flowToChangeDisplayName:
  flowToDeleteDevice:
  pageExitTarget:

Airlock 2FA Device Management UI Redirect

Description
Redirects to the "Airlock 2FA Device Management UI".
Class
com.airlock.iam.selfservice.application.configuration.ui.tokens.Airlock2FADeviceManagementFlowRedirectTargetConfig
May be used by
License-Tags
Airlock2FA
Properties
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.ui.tokens.Airlock2FADeviceManagementFlowRedirectTargetConfig
id: Airlock2FADeviceManagementFlowRedirectTargetConfig-xxxxxx
displayName: 
comment: 
properties:

Airlock 2FA Information Item

Description
An information item (key-value pair) that is shown on the Airlock 2FA app and has to be approved by the user. Both the key and the value can be parameterised.
Class
com.airlock.iam.flow.shared.application.configuration.message.Airlock2FAInformationItemConfig
May be used by
License-Tags
Airlock2FA
Properties
Translation Key for the Key (keyTranslationKey)
Description
Identifies the string resource used to generate the key of this contextual information. The translated string as well as the resource key itself may contain variables, e.g. 'airlock2fa.message.${type}.key'. Variables are replaced with the corresponding values provided by the "Value Providers". For more information about formatting, consult the customer documentation.
Attributes
String
Mandatory
Example
self-service.user-data-edit.approval.airlock-2fa.key
Example
password-reset.factors.airlock-2fa.username.key
Example
airlock2fa.one-touch.login-id.key
Translation Key for Value (valueTranslationKey)
Description
Identifies the string resource used to generate the value of this contextual information. The translated string as well as the resource key itself may contain variables, e.g. 'airlock2fa.message.${type}.value'. Variables are replaced with the corresponding values provided by the "Value Providers". For more information about formatting, consult the customer documentation.
Attributes
String
Mandatory
Example
self-service.user-data-edit.approval.airlock-2fa.value
Example
password-reset.factors.airlock-2fa.username.value
Example
airlock2fa.one-touch.login-id.value
Omit If Value Empty (omitIfValueEmpty)
Description
If enabled, the whole information item (key and value) is omitted if the value results in an empty string (after variable substitution and trimming of whitespace).
Attributes
Boolean
Optional
Default value
false
Maximum Key Length (maxKeyLength)
Description
Defines the maximum length of the generated contextual information key. If the translated string is longer than this, shrinking is attempted until it is shorter than the limit. If it cannot be shrunk enough, generating the message fails.
Attributes
Integer
Optional
Default value
100
Maximum Value Length (maxValueLength)
Description
Defines the maximum length of the generated contextual information value. If the translated string is longer than this, shrinking is attempted until it is shorter than the limit. If it cannot be shrunk enough, generating the message fails.
Attributes
Integer
Optional
Default value
100
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.message.Airlock2FAInformationItemConfig
id: Airlock2FAInformationItemConfig-xxxxxx
displayName: 
comment: 
properties:
  keyTranslationKey:
  maxKeyLength: 100
  maxValueLength: 100
  omitIfValueEmpty: false
  valueTranslationKey:

Airlock 2FA Login ID Parameter

Description

Provides the "loginId" parameter that is used to correlate the authentication in the Loginapp with the approval on the 2FA device. The Login ID is displayed if One-Touch is used and "Generate One-Touch Login ID" is set in the Airlock 2FA Authentication Step.

This value is only available while the current flow is in the Airlock 2FA Authentication Step.

Class
com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2FALoginIdValueMapProviderConfig
May be used by
  • mTAN Transaction Approval Step
  • Secret Questions Identity Verification Step
  • Set Authentication Method Migration Step
  • Airlock 2FA Authentication Step
  • Complete Migration Step
  • Failure Step
  • Airlock 2FA Recovery Trusted Session Binding Step
  • Email Identity Verification Step
  • Scriptable Step
  • Airlock 2FA Self-Service Approval Step
  • Set Authentication Method Step
  • OTP Check via RADIUS Step
  • OAuth 2.0 SSO Step
  • Cronto Device Selection Step
  • FIDO Public Self-Service Approval Step
  • Cronto Transaction Approval Step
  • Email OTP Transaction Approval Step
  • Send Email Link Step
  • Vasco OTP Public Self-Service Approval Step
  • Airlock 2FA Public Self-Service Approval Step
  • mTAN Authentication Step
  • Risk Assessment Step
  • Cronto Authentication Step
  • User Data Edit Step
  • Account Link Linking Initiation Step
  • Remote Event Subscriber (Loginapp)
  • Account Link Removal Initiation Step
  • Missing Account Link Step
  • CrontoSign Swiss Push Activation Step
  • Flow Continuation Token Consumption Step
  • Email Verification Step
  • SSI Passwordless Authentication Step
  • Airlock 2FA Message Provider
  • Red Flag Raising Step Config
  • Airlock 2FA Transaction Approval Step
  • FIDO Credential Selection Step
  • On Behalf Login Identity Propagation Config
  • Selection Step for Public Self-Service
  • OATH OTP Activation Step
  • SSO Ticket Authentication Step
  • Enable Cronto Push Initiation Step
  • Migration Selection Step
  • SSI Issuance Step
  • Legacy ID Propagation Adapter
  • Phone Number Verification Step
  • mTAN Public Self-Service Approval Step
  • User Data Registration Step Config
  • Cronto Approval Stealth Step
  • Disable FIDO Credential Initiation Step
  • OAuth 2.0 Client Persisting Step
  • Delete FIDO Credential Initiation Step
  • Login From New Device Step
  • OAuth 2.0 Consent Step
  • Password-only Authentication Step
  • SMS Identity Verification Step
  • Cronto Public Self-Service Approval Step
  • Set Context Data Step
  • Matrix Public Self-Service Approval Step
  • Remember-Me Token Generating Step
  • Delete Cronto Device Initiation Step
  • Kerberos Authentication Step
  • Vasco OTP Authentication Step
  • Device Token Registration Step
  • Flow Continuation Step
  • Remember-Me User Identifying Step
  • Password Reset Step
  • Enable FIDO Credential Initiation Step
  • Device Token Authentication Step
  • Matrix Self-Service Approval Step
  • Cronto Message Provider
  • User Identification By Data Step (Public Self-Service)
  • Translated String Provider
  • Cronto Activation Step
  • Email OTP Authentication Step
  • Email Change Verification Step
  • Email Notification Step
  • FIDO Self-Service Approval Step
  • OAuth 2.0 Client Registration Step
  • Airlock 2FA Activation Step
  • Airlock 2FA Device Edit Initiation Step
  • Select mTAN Token Step
  • Secret Questions Provisioning Step
  • Airlock 2FA Device Edit Step
  • Template-based String Provider
  • Apply Changes Step
  • User Persisting Step Config
  • Start User Representation Step
  • mTAN Message Provider
  • String From Map Value Provider
  • Mandatory Password Change Step Config
  • SMS Event Subscriber (Loginapp)
  • Disable Cronto Device Initiation Step
  • Email Message Provider
  • OAuth 2.0 Consent Grant Initiation Step
  • Airlock 2FA Activation Trusted Session Binding Step
  • User Unlock Step (Self-Registration)
  • FIDO Registration Step
  • Delete Remember-Me Device Initiation Step
  • Transaction Approval Parameter Step
  • User Identification Step
  • User Identification By Data Step
  • Representation SSO Ticket Identifying Step
  • Unlock User Step (Public Self-Service)
  • Airlock 2FA Usernameless Authentication Step
  • Matrix Authentication Step
  • mTAN Token Edit Step
  • Enable Cronto Device Initiation Step
  • Airlock 2FA Activation Letter Order Step
  • OAuth 2.0 Consent Deny Initiation Step
  • Tag Removal Step Config
  • FIDO Authentication Step
  • Cronto Device Reset Step Config
  • Abort Step
  • mTAN Token Registration Step
  • Airlock 2FA Device Delete Initiation Step
  • Username Password Authentication Step
  • Certificate Credential Extraction Step Config
  • Set Password Step Config
  • Password Change Self-Service Step
  • SSI Verification Step
  • Device Token Identity Verification Step Config
  • Cronto Self-Service Approval Step
  • Lock Self-Service Step
  • Password Letter Order Step (Public Self-Service)
  • Airlock 2FA Delete Devices Step
  • Vasco OTP Self-Service Approval Step
  • Selection Step for User Self-Registration
  • Vasco OTP Device Activation
  • User Role Assignment Step Config
  • mTAN Self-Service Approval Step
  • Rename Cronto Device Step
  • OATH OTP Authentication Step
  • User Identification Step (Public Self-Service)
  • Delete mTAN Number Initiation Step
  • SSI Authentication Step
  • Template-based Username Transformer
  • Transforming Value Map Provider
  • mTAN Verification Step
  • Conditional Value Map Provider
  • FIDO Credential Display Name Change Step
  • Legacy Email OTP Authentication Step
  • Never Migrate Step
  • Selection Step for Self-Service
  • Cronto Letter Order Step Config
  • No Operation Step
  • Terms Of Services Step
  • Role-based Tag Acquisition Step
  • FIDO Passwordless Authentication Step
  • Disable Cronto Push Initiation Step
  • Email Event Subscriber (Loginapp)
  • Stop User Representation Step
  • Acknowledge Message Step
  • HTTP Basic Authentication Step
  • Airlock 2FA Mobile Only Authentication Step
  • Voluntary Password Change Step
  • SAML 2.0 SP User Identifying Step
  • OAuth 2.0 Consents Delete Initiation Step
  • Airlock 2FA Activation Step (with additional Activation)
  • Username Generation Step Config
  • Remember-Me Reset Step
  • Delete OAuth 2.0 Session Initiation Step
  • Ticket String Provider Config
  • OAuth 2.0 Session Reset Step
  • Selection Step
License-Tags
Airlock2FA
Properties
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2FALoginIdValueMapProviderConfig
id: Airlock2FALoginIdValueMapProviderConfig-xxxxxx
displayName: 
comment: 
properties:

Airlock 2FA Message Provider

Description
Generic message provider for Airlock 2FA.
Class
com.airlock.iam.flow.shared.application.configuration.message.GenericAirlock2FAMessageProviderConfig
May be used by
License-Tags
Airlock2FA
Properties
Title Translation Key (titleTranslationKey)
Description

This key identifies the message template that is used to generate the message title. The title is displayed in the Airlock 2FA mobile app after the word "Approve", e.g. "Login" or "Password Reset".

It is displayed for One-Touch, Online QR Code and Usernameless QR Code factors.

It is ignored for Offline QR Code. Because of technical limitations, the title of Offline QR Codes is always the default title from Futurae.

The string resource key itself may also contain variables, e.g. 'airlock2fa.message.${type}.title'. Variables are replaced with the corresponding values provided by the "Value Providers". For more information about formatting, consult the customer documentation.

Attributes
String
Mandatory
License-Tags
Airlock2FA
Example
self-service.user-data-edit.approval.airlock-2fa.title
Example
password-reset.factors.airlock-2fa.title
Example
airlock2fa.one-touch.authentication-title
Information Items (informationItems)
Description
Configures the various contextual information that will be displayed on the Airlock 2FA app of a user when a message approval is started. Note that for readability reasons it is not recommended to provide more than three entries of such contextual information.

These information items are displayed for One-Touch, Online QR Code, Offline QR Code and Usernameless QR Code factors.

Attributes
Plugin-List
Optional
License-Tags
Airlock2FA
Assignable plugins
Value Providers (valueProviders)
Description
List of value map providers that are used to replace the variables in the localized template. The value providers are called in the configured order and their values are added to a map; later providers can overwrite values from earlier providers. If no value providers are configured, the localized template should not contain any variables, since all of them would be replaced by empty strings.
Attributes
Plugin-List
Optional
License-Tags
Airlock2FA
Assignable plugins
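The two properties above describe a two-stage substitution: the value maps of all "Value Providers" are merged in configured order, the variables in the "Title Translation Key" are replaced from that merged map, the resulting key selects a string resource, and variables in that string are replaced again. The following is an added illustration of those rules, not Airlock IAM code: the string resources, the two providers and the `${...}` syntax are constructed here, and falling back to the key when no resource matches is an assumption of this model (the product's actual formatting rules are in the customer documentation).

```python
"""Added model of key and message resolution for an Airlock 2FA message
provider. Not Airlock IAM code: STRING_RESOURCES, the providers and the
fallback-to-key behaviour are constructed for this illustration.
"""
import re
from typing import Callable, Dict, List

VAR = re.compile(r"\$\{([A-Za-z0-9_.-]+)\}")

# Constructed string resources, keyed in the style of the examples on this page.
STRING_RESOURCES = {
    "airlock2fa.message.login.title": "Login",
    "airlock2fa.message.password-reset.title": "Password Reset for ${username}",
}


def merge_value_maps(providers: List[Callable[[], Dict[str, str]]]) -> Dict[str, str]:
    """Call providers in configured order; a later value overwrites an earlier one."""
    merged: Dict[str, str] = {}
    for provider in providers:
        merged.update(provider())
    return merged


def substitute(template: str, values: Dict[str, str]) -> str:
    """Replace ${name}; a variable without a value becomes the empty string."""
    return VAR.sub(lambda m: values.get(m.group(1), ""), template)


def resolve_title(title_translation_key: str,
                  providers: List[Callable[[], Dict[str, str]]]) -> str:
    values = merge_value_maps(providers)
    key = substitute(title_translation_key, values)   # the key itself may carry variables
    template = STRING_RESOURCES.get(key, key)          # assumption: unknown key falls back to itself
    return substitute(template, values)


# Two constructed providers; the second one overrides 'type' from the first.
def flow_context_provider() -> Dict[str, str]:
    return {"type": "login", "username": "alice"}


def override_provider() -> Dict[str, str]:
    return {"type": "password-reset"}


def demo_ordered() -> str:
    return resolve_title("airlock2fa.message.${type}.title",
                         [flow_context_provider, override_provider])


def demo_no_providers() -> str:
    # No value providers: every variable collapses to "" and the key no longer matches.
    return resolve_title("airlock2fa.message.${type}.title", [])


if __name__ == "__main__":
    print(demo_ordered())        # Password Reset for alice
    print(demo_no_providers())   # airlock2fa.message..title
```

The second demo is the failure mode the description warns about: with no providers, a variable-bearing key degrades to `airlock2fa.message..title`, which matches nothing, so a key with variables should only be used together with a provider that supplies them.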
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.message.GenericAirlock2FAMessageProviderConfig
id: GenericAirlock2FAMessageProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  informationItems:
  titleTranslationKey:
  valueProviders:

Airlock 2FA Mobile Only Authentication Step

Description
Airlock 2FA authentication step for "Mobile Only" authentication.

This step allows an app on an enrolled mobile device to authenticate with Airlock 2FA by using the Loginapp REST API. The authentication is either performed by switching from the main app to a dedicated authentication app (Airlock 2FA, Futurae or compatible) or directly within an app that has an integrated SDK.

There is no UI for this step.

The identifier of the authentication method for this step is 'AIRLOCK_2FA' and is also the identifier for failed authentication attempts.

Class
com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2FAMobileOnlyAuthenticationStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Redirect URI (redirectUri)
Description
The URI used on iOS to switch from the authentication app (Airlock 2FA or compatible) back to the main app where the authentication was initiated. This value is not applicable if the authentication is directly performed by the main app. Furthermore, this value is ignored on Android, where the back stack mechanism is used instead.
Attributes
String
Optional
License-Tags
Airlock2FA
Scheme Override (schemeOverride)
Description
Allows overriding the scheme of the mobile authentication URI returned by the authentication step. The scheme of the authentication URI determines which app is opened on the mobile device for authentication. This is useful when migrating from one authentication app (such as Airlock 2FA) to a different one: during a migration, this step can keep supporting the previous authentication app by overriding the scheme of the new app with the scheme of the previous app.
Attributes
String
Optional
Validation RegEx: ^[a-zA-Z][a-zA-Z0-9\+\-\.]*$
License-Tags
Airlock2FA
Example
airlock2fa
Example
OneApp-1
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
License-Tags
Airlock2FA
Assignable plugins
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown cannot be used for authentication.

If disabled, the step ignores the "Cooldown Period" for new devices configured in the "Airlock 2FA Settings". This is typically used for authentication steps that protect low-risk applications, such as a portal page, which can also be accessed using devices in cooldown.

If no "Cooldown Period" is defined, enabling this property has no effect.

Attributes
Boolean
Optional
License-Tags
Airlock2FA
Default value
true
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
License-Tags
Airlock2FA
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
License-Tags
Airlock2FA
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
License-Tags
Airlock2FA
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
License-Tags
Airlock2FA
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
License-Tags
Airlock2FA
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
License-Tags
Airlock2FA
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
License-Tags
Airlock2FA
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
License-Tags
Airlock2FA
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
License-Tags
Airlock2FA
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2FAMobileOnlyAuthenticationStepConfig
id: Airlock2FAMobileOnlyAuthenticationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  redirectUri:
  requiresActivation: false
  respectCooldownPeriod: true
  schemeOverride:
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Public Self-Service Approval Step

Description

This step allows Airlock 2FA to be used to approve operations in public self-service flows.

Approval steps require an existing user and cannot prevent username enumeration (no stealth mode). Therefore, approval steps should only be used after an identity verification step.

Class
com.airlock.iam.publicselfservice.application.configuration.steps.Airlock2FAPublicSelfServiceApprovalStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Message Provider (messageProvider)
Description
Creates the message that will be displayed on the user's device.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Enable Push-to-All (enablePushToAll)
Description
If Push-to-All for One-Touch is enabled, device selection is never required for One-Touch. Push notifications are sent to all devices of a user and approval can be given on any of the devices.

The combination of Push-to-All and "Lock User on Fraud" could have undesired effects, because users might report fraud in legitimate use-cases.

Attributes
Boolean
Optional
Default value
false
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Redirect URI (mobileOnlyRedirectUri)
Description
The URI used on iOS to switch from the authentication app (Airlock 2FA or compatible) back to the main app where the authentication was initiated. This value is not applicable if the authentication is directly performed by the main app. Furthermore, this value is ignored on Android, where the back stack mechanism is used instead.
Attributes
String
Optional
Scheme Override (mobileOnlySchemeOverride)
Description
Allows overriding the scheme of the mobile authentication URI returned by the approval step. The scheme of the authentication URI determines which app is opened on the mobile device for authentication. This is useful when migrating from one authentication app (such as Airlock 2FA) to a different one: during a migration, this step can keep supporting the previous authentication app by overriding the scheme of the new app with the scheme of the previous app.
Attributes
String
Optional
Validation RegEx: ^[a-zA-Z][a-zA-Z0-9\+\-\.]*$
Example
airlock2fa
Example
OneApp-1
Approval Factors (approvalFactors)
Description

Priority list of all factors that can be used in this approval step. Only factors that are in this list can be used. The factors are offered in the configured order.

One-Touch and Online QR Code must come before all other factors. It is recommended to include at least one offline factor.

Available factors:

  • One-Touch: a push message is sent to the user's mobile app, where it must be approved. This is an online factor and will require device selection if the user has multiple devices.
  • Online QR Code: a QR code is displayed in the browser, which has to be scanned by a mobile app and approved there. This is an online factor. No prior device selection is required.
  • Offline QR Code: a QR code is displayed in the browser which has to be scanned by a mobile app or hardware token. The device displays a code (OTP) that must be entered manually in the browser. This is an offline factor and will require device selection if the user has multiple devices.
  • Mobile Only: the approval is handled directly by the mobile app. This is an online factor. No prior device selection is required. There is no fallback from this factor to other factors or vice-versa. Therefore, the only use case for combining this with other factors is in transaction approval, where the factor previously used for authentication determines whether mobile-only or another factor will be used. Since there is no way to use any factors configured after Mobile Only, it should always be configured as the last factor.

Attributes
String-List
Optional
Default value
[One-Touch, Offline QR Code, Mobile Only]
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown cannot be used for approval.

If disabled, this step ignores the "Cooldown Period" for new devices configured in the "Airlock 2FA Settings". This is typically used for approval steps that protect low-risk operations, which can also be performed with devices in cooldown.

If no "Cooldown Period" is defined, enabling this property has no effect.

Attributes
Boolean
Optional
Default value
true
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.publicselfservice.application.configuration.steps.Airlock2FAPublicSelfServiceApprovalStepConfig
id: Airlock2FAPublicSelfServiceApprovalStepConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  approvalFactors: [One-Touch, Offline QR Code, Mobile Only]
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  enablePushToAll: false
  interactiveGotoTargets:
  messageProvider:
  mobileOnlyRedirectUri:
  mobileOnlySchemeOverride:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  respectCooldownPeriod: true
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Recovery Trusted Session Binding Step

Description

This step can be used to recover previously enrolled Airlock 2FA accounts on a fresh installation of a mobile app. This refers to mobile apps which integrate the Futurae SDK and can therefore be enrolled as a device for an Airlock 2FA account. An enrollment of an Airlock 2FA account on a mobile app is subsequently referred to as a (virtual) device. One physical device can host multiple virtual devices. If 'Trusted Session Binding for Recovery' is enabled in the 'Airlock 2FA Settings', this step is necessary for users to recover their devices.

Airlock IAM does not provide a UI for this step, since it exposes a REST API which is intended to be used by custom mobile apps.

The following describes the recovery use case which is enabled by this step:

  • A fresh installation of a mobile app extracts the device identifiers of a previous installation from a backup.
  • A user authenticates with Airlock IAM (via the mobile app).
  • This is where the 'Airlock 2FA Recovery Trusted Session Binding Step' has to be active in the IAM flow. The step can be completed successfully with the following actions:
    • The mobile app sends the device identifiers to Airlock IAM.
    • Airlock IAM checks whether one of the devices to be recovered belongs to the authenticated user and aborts the flow otherwise.
    • Airlock IAM requests a Trusted Session Binding token from Futurae and returns it to the mobile app. If Futurae does not return such a token, Airlock IAM returns an empty response and the step continues as if the retrieval had succeeded.
    • The mobile app forwards the Trusted Session Binding token to the Futurae SDK to complete the recovery.
    • The mobile app polls Airlock IAM for the status of the recovery.
  • After successful recovery, all users who had devices on the previous installation will have new devices and the ones from the previous installation cannot be used anymore.
The security guarantee provided by Trusted Session Binding for recovery is the following: the devices on a mobile app can only be recovered by someone who owns one of them. Note that this also means that one user of a physical device is able to recover the devices of the other users of that same physical device.
Class
com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2faRecoveryTrustedSessionBindingStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

Attributes
String
Optional
Length <= 23
Default value
AIRLOCK_2FA
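The counter-reset attack described under "Authentication Method ID" is easy to miss in a configuration review, so here is an added simulation of it. This is not Airlock IAM code: the user record, the lockout threshold (`MAX_FAILED_ATTEMPTS`, assumed to be 3) and the two password steps are constructed to show why two steps that check different credentials must not share one authentication method identifier.

```python
"""Added simulation of the failed-attempt bookkeeping described for
'Authentication Method ID'. Not Airlock IAM code: the user record, the
lockout threshold and the two password steps are constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold, not the product default


@dataclass
class User:
    name: str
    secrets: Dict[str, str]                               # credential name -> secret (toy only)
    failed: Dict[str, int] = field(default_factory=dict)  # auth method id -> counter
    locked: Set[str] = field(default_factory=set)         # locked auth method ids


class PasswordStep:
    """One flow step checking one named credential under one auth method id."""

    def __init__(self, credential: str, auth_method_id: str) -> None:
        self.credential = credential
        self.auth_method_id = auth_method_id

    def attempt(self, user: User, guess: str) -> bool:
        mid = self.auth_method_id
        if mid in user.locked:
            return False
        if guess == user.secrets[self.credential]:
            user.failed[mid] = 0          # success resets the counter for this id
            return True
        user.failed[mid] = user.failed.get(mid, 0) + 1
        if user.failed[mid] >= MAX_FAILED_ATTEMPTS:
            user.locked.add(mid)
        return False


def brute_force_second_password(step_a: PasswordStep, step_b: PasswordStep,
                                user: User, known_password1: str,
                                candidates: List[str]) -> Tuple[Optional[str], int, bool]:
    """Attacker knows password 1 (checked by step_a) and guesses password 2 on step_b.

    Before every guess the attacker logs in on flow A. If both steps share an
    authentication method id, that success resets the shared counter.
    Returns (recovered_password_or_None, guesses_made, step_b_locked).
    """
    for i, candidate in enumerate(candidates, start=1):
        step_a.attempt(user, known_password1)
        if step_b.attempt(user, candidate):
            return candidate, i, False
        if step_b.auth_method_id in user.locked:
            return None, i, True
    return None, len(candidates), False


def make_user() -> User:
    return User("alice", {"pw1": "known-one", "pw2": "s3cret-two"})


CANDIDATES = ["a", "b", "c", "d", "e", "s3cret-two"]   # constructed wordlist


def shared_id_scenario() -> Tuple[Optional[str], int, bool]:
    """Both steps use 'PASSWORD': the shared counter never reaches the threshold."""
    user = make_user()
    return brute_force_second_password(PasswordStep("pw1", "PASSWORD"),
                                       PasswordStep("pw2", "PASSWORD"),
                                       user, "known-one", CANDIDATES)


def distinct_id_scenario() -> Tuple[Optional[str], int, bool]:
    """PASSWORD1 / PASSWORD2: flow B locks after MAX_FAILED_ATTEMPTS guesses."""
    user = make_user()
    return brute_force_second_password(PasswordStep("pw1", "PASSWORD1"),
                                       PasswordStep("pw2", "PASSWORD2"),
                                       user, "known-one", CANDIDATES)


if __name__ == "__main__":
    print("shared id  :", shared_id_scenario())     # ('s3cret-two', 6, False)
    print("distinct id:", distinct_id_scenario())   # (None, 3, True)
```

With a shared identifier the attacker recovers the second password after six guesses and never trips the lock; with distinct identifiers the second counter locks after three failures regardless of how often flow A succeeds.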
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2faRecoveryTrustedSessionBindingStepConfig
id: Airlock2faRecoveryTrustedSessionBindingStepConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  authenticationMethodId: AIRLOCK_2FA
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Self-Service Approval Step

Description

This step allows Airlock 2FA to be used to approve operations in protected self-service flows, such as user data changes or registrations of additional devices. Typically, this step is configured between the step where a change is initiated and the step where the change is persisted.

Class
com.airlock.iam.selfservice.application.configuration.step.Airlock2FASelfServiceApprovalStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Message Provider (messageProvider)
Description
Creates the message that will be displayed on the user's device.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Enable Push-to-All (enablePushToAll)
Description
If Push-to-All for One-Touch is enabled, device selection is never required for One-Touch. Push notifications are sent to all devices of a user and approval can be given on any of the devices.

The combination of Push-to-All and "Lock User on Fraud" could have undesired effects, because users might report fraud in legitimate use-cases.

Attributes
Boolean
Optional
Default value
false
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Redirect URI (mobileOnlyRedirectUri)
Description
The URI used on iOS to switch from the authentication app (Airlock 2FA or compatible) back to the main app where the authentication was initiated. This value is not applicable if the authentication is directly performed by the main app. Furthermore, this value is ignored on Android, where the back stack mechanism is used instead.
Attributes
String
Optional
Scheme Override (mobileOnlySchemeOverride)
Description
Allows overriding the scheme of the mobile authentication URI returned by the approval step. The scheme of the authentication URI determines which app is opened on the mobile device for authentication. This is useful when migrating from one authentication app (such as Airlock 2FA) to a different one: during a migration, this step can keep supporting the previous authentication app by overriding the scheme of the new app with the scheme of the previous app.
Attributes
String
Optional
Validation RegEx: ^[a-zA-Z][a-zA-Z0-9\+\-\.]*$
Example
airlock2fa
Example
OneApp-1
Approval Factors (approvalFactors)
Description

Priority list of all factors that can be used in this approval step. Only factors that are in this list can be used. The factors are offered in the configured order.

One-Touch and Online QR Code must come before all other factors. It is recommended to include at least one offline factor.

Available factors:

  • One-Touch: a push message is sent to the user's mobile app, where it must be approved. This is an online factor and will require device selection if the user has multiple devices.
  • Online QR Code: a QR code is displayed in the browser, which has to be scanned by a mobile app and approved there. This is an online factor. No prior device selection is required.
  • Offline QR Code: a QR code is displayed in the browser which has to be scanned by a mobile app or hardware token. The device displays a code (OTP) that must be entered manually in the browser. This is an offline factor and will require device selection if the user has multiple devices.
  • Mobile Only: the approval is handled directly by the mobile app. This is an online factor. No prior device selection is required. There is no fallback from this factor to other factors or vice-versa. Therefore, the only use case for combining this with other factors is in transaction approval, where the factor previously used for authentication determines whether mobile-only or another factor will be used. Since there is no way to use any factors configured after Mobile Only, it should always be configured as the last factor.

Attributes
String-List
Optional
Default value
[One-Touch, Offline QR Code, Mobile Only]
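The "Approval Factors" description here and the identical one in the Airlock 2FA Public Self-Service Approval Step state ordering rules that are easy to violate when a configuration is edited by hand. The following added check encodes exactly those rules (One-Touch and Online QR Code before all other factors, nothing reachable after Mobile Only, at least one offline factor recommended) against the factor names the page lists. It is not part of Airlock IAM and does not replace the product's own configuration validation; the split into errors and warnings is this check's own choice.

```python
"""Added lint for the approvalFactors list of the Airlock 2FA approval steps.
Not Airlock IAM code: it only encodes the ordering rules stated on this page.
"""
from typing import List, Tuple

ONLINE_FIRST = ("One-Touch", "Online QR Code")  # must come before all other factors
OFFLINE = ("Offline QR Code",)                  # at least one is recommended
MOBILE_ONLY = "Mobile Only"                     # no fallback; must be last
KNOWN = set(ONLINE_FIRST) | set(OFFLINE) | {MOBILE_ONLY}


def lint_approval_factors(factors: List[str]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for an approvalFactors list."""
    errors: List[str] = []
    warnings: List[str] = []

    unknown = [f for f in factors if f not in KNOWN]
    if unknown:
        errors.append(f"unknown factor(s): {unknown}")
    if len(set(factors)) != len(factors):
        errors.append("duplicate factors")
    if not factors:
        errors.append("empty factor list: no approval factor can be offered")

    # Rule: One-Touch and Online QR Code must come before all other factors.
    seen_other = False
    for f in factors:
        if f in ONLINE_FIRST:
            if seen_other:
                errors.append(f"{f} must come before all other factors")
        elif f in KNOWN:
            seen_other = True

    # Rule: there is no way to use any factor configured after Mobile Only.
    if MOBILE_ONLY in factors and factors[-1] != MOBILE_ONLY:
        after = factors[factors.index(MOBILE_ONLY) + 1:]
        errors.append(f"factors after {MOBILE_ONLY} are unreachable: {after}")

    # Recommendation: include an offline factor so approval does not depend on push/online.
    if factors and not any(f in OFFLINE for f in factors):
        warnings.append("no offline factor configured; approval depends on online factors")

    return errors, warnings


DEFAULT = ["One-Touch", "Offline QR Code", "Mobile Only"]   # the page's default value

if __name__ == "__main__":
    for candidate in (DEFAULT,
                      ["Offline QR Code", "One-Touch"],
                      ["One-Touch", "Mobile Only", "Offline QR Code"],
                      ["One-Touch", "Online QR Code"]):
        print(candidate, lint_approval_factors(candidate))
```

Run it over every approval step's `approvalFactors` value before applying a configuration; the default list passes cleanly, a list that places Mobile Only anywhere but last silently loses the factors behind it.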
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown cannot be used for approval.

If disabled, this step ignores the "Cooldown Period" for new devices configured in the "Airlock 2FA Settings". This is typically used for approval steps that protect low-risk operations, which can also be performed with devices in cooldown.

If no "Cooldown Period" is defined, enabling this property has no effect.

Attributes
Boolean
Optional
Default value
true
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.Airlock2FASelfServiceApprovalStepConfig
id: Airlock2FASelfServiceApprovalStepConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  approvalFactors: [One-Touch, Offline QR Code, Mobile Only]
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  enablePushToAll: false
  interactiveGotoTargets:
  messageProvider:
  mobileOnlyRedirectUri:
  mobileOnlySchemeOverride:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  respectCooldownPeriod: true
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Settings

Description
Global settings related to Airlock 2FA.
Class
com.airlock.iam.airlock2fa.application.configuration.Airlock2FASettings
May be used by
License-Tags
Airlock2FA
Properties
Repository (repository)
Description
Configures the repository to store Airlock 2FA data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Futurae Server (futuraeServer)
Description
Configures access to Futurae servers.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Account Display Name Provider (accountDisplayNameProvider)
Description
An optional display name that is shown in the Airlock 2FA/Futurae mobile application, for example the IAM username or a configured context data item such as the user's email address. Note that the display name is currently not updated if the underlying user data changes after the user has been enrolled.

Privacy warning: The display name, when configured, will be stored on Futurae's servers. Sensitive data should therefore not be used as display name.

Attributes
Plugin-Link
Optional
Assignable plugins
Trusted Session Binding for Activation (trustedSessionBindingForActivation)
Description

If enabled, activation codes (from a letter or on-screen QR code) can only be used as part of an authenticated session with Airlock IAM. If enabled, activation codes are only accepted together with a "Trusted Session Binding Token". This short-lived token can only be retrieved from an Airlock IAM flow and must be sent to the Futurae server together with the activation code.

This feature ensures that only the intended user can activate a 2FA app/device with a given activation code. The standard Airlock 2FA app does not support this feature; a custom mobile app built with the Futurae SDK is required.

Airlock IAM supports three modes for Trusted Session Binding:

  • Never: Trusted Session Binding is disabled.
  • Only with Letter: Trusted Session Binding is only enabled for activation letters.
  • Always: Trusted Session Binding is enabled both for activation letters and on-screen activation. For on-screen activation, Trusted Session Binding does not provide additional security because the activation code is already bound to an authenticated IAM session, but it could simplify the implementation of the activation process in the mobile app.
Attributes
Enum
Optional
Default value
OFF
Trusted Session Binding for Recovery (trustedSessionBindingForRecovery)
Description
If enabled, "Trusted Session Binding for Recovery" will be enabled on newly activated Airlock 2FA devices. This means that these devices can only be recovered from a backup as part of an authenticated session with Airlock IAM. Already activated devices are not retrospectively affected by this setting.
Attributes
Boolean
Optional
Default value
false
Binding Token Validity [s] (trustedSessionBindingValidity)
Description
The amount of time a Trusted Session Binding Token for device activation and recovery is valid in seconds. This setting only has an effect if at least one of the two following conditions is met:
  • Trusted Session Binding for Activation is set to "Only with Letter" or "Always".
  • Trusted Session Binding for Recovery is enabled.

The duration should not be larger than the "Session Idle Timeout" in the Loginapp, to avoid session timeouts when polling the IAM status.

Attributes
Integer
Optional
Default value
120
Lock User on Fraud (lockUserOnFraud)
Description
If enabled, the user is locked with reason LockReason.FraudReportedByUser when they report a possibly fraudulent authentication attempt via the Airlock 2FA app. The report is made by rejecting the authentication attempt and then confirming in the app dialog that the attempt was not initiated by the user.

Self-unlock is possible when locked by this option.

Attributes
Boolean
Optional
Default value
false
Allow Futurae Bypass Mode (allowFuturaeBypassMode)
Description

If enabled, Futurae users with bypass mode enabled are allowed to authenticate or perform approvals with IAM. Otherwise, any authentication or approval attempt for a user with bypass mode enabled results in a failure.

Warning: Enabling bypass mode effectively disables all Airlock 2FA second factor checks. Bypass mode should not be used in production environments.

Attributes
Boolean
Optional
Default value
false
Payload Encryption Key (payloadEncryptionKey)
Description
The symmetric key to encrypt the authentication/transaction payloads. If left empty, the payloads are not encrypted.

Encrypting the payloads of requests to the Futurae API prevents intermediate infrastructure such as a reverse proxy from reading or altering the confidential data they contain. The encryption key can be obtained from the Futurae Admin Dashboard.

Attributes
String
Optional
Sensitive
Cooldown Period (cooldownPeriod)
Description

If configured, a cooldown period is enabled during which a newly registered device cannot be used for certain operations.

By default, all Airlock 2FA steps are configured so that devices may not be used during the "Cooldown Period". Exceptions can be configured directly on the step by de-activating the "Respect Cooldown Period" property.

The duration must be specified in the format "2d 4h 10m 5s" (any part can be omitted).

Attributes
String
Optional
Example
10m
Example
12h
Example
2d
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.application.configuration.Airlock2FASettings
id: Airlock2FASettings-xxxxxx
displayName: 
comment: 
properties:
  accountDisplayNameProvider:
  allowFuturaeBypassMode: false
  cooldownPeriod:
  futuraeServer:
  lockUserOnFraud: false
  payloadEncryptionKey:
  repository:
  trustedSessionBindingForActivation: OFF
  trustedSessionBindingForRecovery: false
  trustedSessionBindingValidity: 120
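
Added example, not part of this reference and not Airlock code: a small Python check that reads an Airlock 2FA Settings block in the flat YAML template layout above, parses the "2d 4h 10m 5s" Cooldown Period format, and flags the settings this section warns about (bypass mode, unencrypted payloads, a binding token validity above the Loginapp session idle timeout, no cooldown). The sample block, the 300 s idle timeout and the comparison of the activation enum against its default value OFF are constructed assumptions.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample (not a real deployment): an Airlock 2FA Settings block in
# the flat YAML template layout of this reference, with deliberately weak
# values so that the checks below have something to report.
SAMPLE_SETTINGS = """\
type: com.airlock.iam.airlock2fa.application.configuration.Airlock2FASettings
id: Airlock2FASettings-example
displayName: 
comment: 
properties:
  accountDisplayNameProvider:
  allowFuturaeBypassMode: true
  cooldownPeriod: 2d 4h 10m 5s
  futuraeServer:
  lockUserOnFraud: false
  payloadEncryptionKey:
  repository:
  trustedSessionBindingForActivation: OFF
  trustedSessionBindingForRecovery: true
  trustedSessionBindingValidity: 600
"""

# Cooldown format "2d 4h 10m 5s": every part optional, fixed order d, h, m, s.
_DURATION_RE = re.compile(
    r"^\s*(?:(?P<d>\d+)d)?\s*(?:(?P<h>\d+)h)?\s*(?:(?P<m>\d+)m)?\s*(?:(?P<s>\d+)s)?\s*$"
)
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_cooldown(value: str) -> Optional[int]:
    """Parse a Cooldown Period string into seconds; None means no cooldown."""
    if not value or not value.strip():
        return None
    match = _DURATION_RE.match(value)
    if match is None or not any(match.groupdict().values()):
        raise ValueError(f"invalid cooldown period: {value!r}")
    return sum(int(v) * _UNIT_SECONDS[k] for k, v in match.groupdict().items() if v)


def parse_properties(yaml_text: str) -> Dict[str, str]:
    """Read the flat 'properties:' section of a plugin YAML template (no PyYAML).
    Values stay raw strings; a property without a value becomes ''."""
    props: Dict[str, str] = {}
    in_props = False
    for line in yaml_text.splitlines():
        if line.startswith("properties:"):
            in_props = True
        elif in_props and line.startswith("  ") and ":" in line:
            key, _, val = line.strip().partition(":")
            props[key] = val.strip()
    return props


def device_in_cooldown(registered_at: str, now: str, cooldown_s: Optional[int]) -> bool:
    """True while a device registered at registered_at (ISO 8601) may not be used
    by a step that has 'Respect Cooldown Period' enabled."""
    if cooldown_s is None:
        return False
    elapsed = datetime.fromisoformat(now) - datetime.fromisoformat(registered_at)
    return elapsed.total_seconds() < cooldown_s


def lint_settings(props: Dict[str, str], session_idle_timeout_s: int) -> List[Tuple[str, str]]:
    """Flag the settings this section warns about. Returns (code, message) pairs.
    session_idle_timeout_s is the Loginapp 'Session Idle Timeout' (assumed input)."""
    findings: List[Tuple[str, str]] = []
    if props.get("allowFuturaeBypassMode", "false").lower() == "true":
        findings.append(("BYPASS_MODE_ENABLED",
                         "bypass mode disables all Airlock 2FA second-factor checks"))
    if not props.get("payloadEncryptionKey"):
        findings.append(("PAYLOAD_NOT_ENCRYPTED",
                         "Futurae API payloads are readable by intermediate infrastructure"))
    # The validity only matters if binding is used. 'OFF' is the documented
    # default; any other enum value is assumed here to mean binding is enabled.
    binding_used = (props.get("trustedSessionBindingForActivation", "OFF") != "OFF"
                    or props.get("trustedSessionBindingForRecovery", "false").lower() == "true")
    validity = int(props.get("trustedSessionBindingValidity") or 120)
    if binding_used and validity > session_idle_timeout_s:
        findings.append(("BINDING_VALIDITY_EXCEEDS_IDLE_TIMEOUT",
                         f"{validity}s token validity > {session_idle_timeout_s}s session idle timeout"))
    if parse_cooldown(props.get("cooldownPeriod", "")) is None:
        findings.append(("NO_COOLDOWN", "newly registered devices are usable immediately"))
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_SETTINGS)
    for code, msg in lint_settings(props, session_idle_timeout_s=300):
        print(f"{code}: {msg}")
    print(device_in_cooldown("2024-01-01T00:00:00+00:00", "2024-01-02T00:00:00+00:00",
                             parse_cooldown(props["cooldownPeriod"])))
```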

Airlock 2FA Token Controller

Description
Plugin to manage a user's Airlock 2FA account.
Class
com.airlock.iam.admin.application.configuration.airlock2fa.Airlock2FATokenControllerConfig
May be used by
License-Tags
Airlock2FA
Properties
ID (id)
Description

Unique identifier for the token controller. Serves as token type ID in the REST interface.

This is also the "auth method" that is set on the user as active/next authentication method, i.e. it must match the "Authentication Method ID" of corresponding authentication flow steps.

Finally, this ID also determines the name (label) of this token controller in the Adminapp UI, as defined by the resource key 'user.auth-methods.type.generic.<id>', as well as the label for "auth method" specific lock reasons defined by the resource key 'user.account-state.LockReason.TooManyAuthAtts.<id>'.

Please note that this ID must not be longer than 22 characters, to comply with the default DB schema restrictions for the column lock_reason.
Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_]+
Default value
AIRLOCK_2FA
Example
AIRLOCK_2FA
Example
AIRLOCK_2FA_CUSTOM
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Create Activation Letters (createActivationLetters)
Description
Settings for creating device activation letters. If not configured, activation letters cannot be created.
Attributes
Plugin-Link
Optional
Assignable plugins
Order Activation Letters (orderActivationLetters)
Description
Settings for ordering a device activation letter. If not configured, activation letters cannot be ordered.
Attributes
Plugin-Link
Optional
Assignable plugins
Create Shipment Letters (createShipmentLetters)
Description
Settings for hardware token shipment letters. If not configured, shipment letters cannot be created.
Attributes
Plugin-Link
Optional
Assignable plugins
Assign Hardware Tokens to Multiple Users (shareHardwareTokensAmongUsers)
Description
If checked, a hardware token can be assigned to multiple users.

Once a hardware token is assigned to a user, it is only available within the corresponding Futurae service.

Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.airlock2fa.Airlock2FATokenControllerConfig
id: Airlock2FATokenControllerConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  createActivationLetters:
  createShipmentLetters:
  id: AIRLOCK_2FA
  orderActivationLetters:
  shareHardwareTokensAmongUsers: false

Airlock 2FA Token Insertion Handler

Description

Persists an Airlock 2FA account that was created through a previous step.

Note: The Airlock 2FA Account Display Name can only be set when the registering user is persisted. Therefore the Account Display Name in the Airlock 2FA mobile app might not be displayed correctly, until the registration is fully completed.

Class
com.airlock.iam.userselfreg.application.configuration.step.Airlock2FAInsertionHandlerConfig
May be used by
License-Tags
SelfRegistration
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.userselfreg.application.configuration.step.Airlock2FAInsertionHandlerConfig
id: Airlock2FAInsertionHandlerConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:

Airlock 2FA Transaction Approval Step

Description
A flow step to perform transaction approval using Airlock 2FA.

The transaction data will be displayed on the Airlock 2FA app, where the user can verify the data and approve the transaction if satisfied.

Class
com.airlock.iam.transactionapproval.application.configuration.airlock2fa.Airlock2FATransactionApprovalStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Message Provider (messageProvider)
Description
Creates the message for transaction approval that will be displayed on the user's device.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Enable Push-to-All (enablePushToAll)
Description
If Push-to-All for One-Touch is enabled, device selection is never required for One-Touch. Push notifications are sent to all devices of a user and approval can be given on any of the devices.

The combination of Push-to-All and "Lock User on Fraud" could have undesired effects, because users might report fraud in legitimate use-cases.

If an AuthTokenId is provided, notifications are only sent to the device specified in the AuthTokenId.

Attributes
Boolean
Optional
Default value
false
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Redirect URI (mobileOnlyRedirectUri)
Description
The URI used on iOS to switch from the authentication app (Airlock 2FA or compatible) back to the main app where the authentication was initiated. This value is not applicable if the authentication is directly performed by the main app. Furthermore, this value is ignored on Android, where the back stack mechanism is used instead.
Attributes
String
Optional
Scheme Override (mobileOnlySchemeOverride)
Description
Allows overriding the scheme of the mobile authentication URI returned by the approval step. The scheme of the authentication URI determines which app is opened on the mobile device for authentication. This is useful when migrating from one authentication app (such as Airlock 2FA) to another: during a migration, this step can support the previous authentication app by overriding the scheme of the new app with the scheme of the previous app.
Attributes
String
Optional
Validation RegEx: ^[a-zA-Z][a-zA-Z0-9\+\-\.]*$
Example
airlock2fa
Example
OneApp-1
Approval Factors (approvalFactors)
Description

Priority list of all factors that can be used in this approval step. Only factors that are in this list can be used. The factors are offered in the configured order.

One-Touch and Online QR Code must come before all other factors. It is recommended to include at least one offline factor.

Available factors:

  • One-Touch: a push message is sent to the user's mobile app, where it must be approved. This is an online factor and will require device selection if the user has multiple devices.
  • Online QR Code: a QR code is displayed in the browser, which has to be scanned by a mobile app and approved there. This is an online factor. No prior device selection is required.
  • Offline QR Code: a QR code is displayed in the browser which has to be scanned by a mobile app or hardware token. The device displays a code (OTP) that must be entered manually in the browser. This is an offline factor and will require device selection if the user has multiple devices.
  • Mobile Only: the approval is handled directly by the mobile app. This is an online factor. No prior device selection is required. There is no fallback from this factor to other factors or vice-versa. Therefore, the only use case for combining this with other factors is in transaction approval, where the factor previously used for authentication determines whether mobile-only or another factor will be used. Since there is no way to use any factors configured after Mobile Only, it should always be configured as the last factor.

Attributes
String-List
Optional
Default value
[One-Touch, Offline QR Code, Mobile Only]
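
Added example, not Airlock code: a check that validates an approvalFactors priority list against the ordering rules stated above (One-Touch and Online QR Code before all other factors, Mobile Only last, at least one offline factor recommended). The factor names are those used in this property; the rule encoding is this example's own.

```python
from typing import List

# Factor names as used in the 'Approval Factors' property of this step.
ONLINE_FIRST = ("One-Touch", "Online QR Code")   # must precede all other factors
OFFLINE = ("Offline QR Code",)                   # at least one is recommended
MOBILE_ONLY = "Mobile Only"                       # nothing after it is reachable
KNOWN_FACTORS = ONLINE_FIRST + OFFLINE + (MOBILE_ONLY,)


def check_approval_factors(factors: List[str]) -> List[str]:
    """Return the problems found in an approvalFactors priority list.
    An empty list means the configuration satisfies the stated rules."""
    problems: List[str] = []
    for f in factors:
        if f not in KNOWN_FACTORS:
            problems.append(f"unknown factor {f!r}")
    if len(set(factors)) != len(factors):
        problems.append("duplicate factor in priority list")
    # Rule: no One-Touch / Online QR Code entry may follow any other factor.
    seen_other = False
    for f in factors:
        if f in ONLINE_FIRST:
            if seen_other:
                problems.append(f"{f} must come before all other factors")
        else:
            seen_other = True
    # Rule: there is no fallback from Mobile Only, so later factors are dead.
    if MOBILE_ONLY in factors and factors[-1] != MOBILE_ONLY:
        problems.append("Mobile Only must be the last factor; factors after it are unreachable")
    if not any(f in OFFLINE for f in factors):
        problems.append("no offline factor configured (at least one is recommended)")
    return problems


if __name__ == "__main__":
    # The documented default list passes; a misordered list does not.
    print(check_approval_factors(["One-Touch", "Offline QR Code", "Mobile Only"]))
    print(check_approval_factors(["Offline QR Code", "One-Touch", "Mobile Only"]))
```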
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown cannot be used for approval.

If disabled, this step ignores the "Cooldown Period" for new devices configured in the "Airlock 2FA Settings". This is typically used for approval steps that protect low-risk operations, which can also be performed with devices in cooldown.

If no "Cooldown Period" is defined, enabling this property has no effect.

Attributes
Boolean
Optional
Default value
true
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.transactionapproval.application.configuration.airlock2fa.Airlock2FATransactionApprovalStepConfig
id: Airlock2FATransactionApprovalStepConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  approvalFactors: [One-Touch, Offline QR Code, Mobile Only]
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  enablePushToAll: false
  interactiveGotoTargets:
  messageProvider:
  mobileOnlyRedirectUri:
  mobileOnlySchemeOverride:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  respectCooldownPeriod: true
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Username Transformer

Description
Username transformer that takes a Futurae Account ID as an input and returns the corresponding Airlock IAM username.
Class
com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2FAUsernameTransformer
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA User Repository (a2faUserRepositoryConfig)
Description
The repository to look up Airlock 2FA data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2FAUsernameTransformer
id: Airlock2FAUsernameTransformer-xxxxxx
displayName: 
comment: 
properties:
  a2faUserRepositoryConfig:

Airlock 2FA Usernameless Authentication Step

Description

Step for Airlock 2FA Usernameless QR Code authentication.

This step allows authentication without requiring the user to enter their username. Instead, a QR code (identifying the session) is displayed on the login page and can be scanned by any user with the Airlock 2FA app. The app then authenticates this session on the server and thus enables Airlock IAM to connect the browser session with the user who scanned the QR code.

Class
com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2FAUsernamelessQrCodeAuthenticationStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Message Provider (messageProvider)
Description

Creates the message that will be displayed on the user's device when using Usernameless QR Code. If no message provider is configured, the default title of Futurae will be shown (without any additional information items).

Note that since no user ID is known when creating a username-less QR code, no message providers relying on user-specific data can be used.

Attributes
Plugin-Link
Optional
Assignable plugins
QR Code Validity [s] (qrCodeValidity)
Description
The amount of time a QR Code is valid in seconds.
Attributes
Integer
Optional
Default value
60
Maximum QR Code Renewals (maxRenewals)
Description
The maximum number of times the QR code is renewed, which means that it is replaced by an unrelated new QR code.

QR codes are renewed before they expire. This ensures that users can complete an ongoing authentication seamlessly even if they scan a QR code shortly before it is refreshed.

Fewer renewals do not lead to enhanced security. The only reason not to renew indefinitely is to save server resources.

Attributes
Integer
Optional
Default value
10
Timeout Goto Target (timeoutGoto)
Description
The ID of the target step to go to on timeout.
Attributes
Plugin-Link
Optional
Assignable plugins
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown cannot be used for authentication.

If disabled, the step ignores the "Cooldown Period" for new devices configured in the "Airlock 2FA Settings". This is typically used for authentication steps that protect low-risk applications, such as a portal page, which can also be accessed using devices in cooldown.

If no "Cooldown Period" is defined, enabling this property has no effect.

Attributes
Boolean
Optional
Default value
true
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.auth.application.configuration.Airlock2FAUsernamelessQrCodeAuthenticationStepConfig
id: Airlock2FAUsernamelessQrCodeAuthenticationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  maxRenewals: 10
  messageProvider:
  onFailureGotos:
  preCondition:
  qrCodeValidity: 60
  requiresActivation: false
  respectCooldownPeriod: true
  skipCondition:
  stepId:
  tagsOnSuccess:
  timeoutGoto:

Airlock 2FA was used for login (Transaction Approval only)

Description
Flow selection condition that selects the subflow if Airlock 2FA was used for login (as determined by the authTokenId provided in a previous Transaction Approval Parameter Step).
Class
com.airlock.iam.transactionapproval.application.configuration.selection.Airlock2FAAuthTokenIdSelectionConditionConfig
May be used by
mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service Flow, Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token
Registration Step mTAN Token Registration Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Delete Initiation Step Selection Option For Public Self-Service Username Password Authentication Step Username Password Authentication Step Certificate Credential Extraction Step Config Certificate Credential Extraction Step Config OAuth 2.0 Session List OAuth 2.0 Session List Set Password Step Config Set Password Step Config Flow Condition To Authentication Context Mapping Password Change Self-Service Step Password Change Self-Service Step SSI Verification Step SSI Verification Step Default OAuth 2.0 Consent Deny Flow Default OAuth 2.0 Consent Deny Flow Device Token Identity Verification Step Config Device Token Identity Verification Step Config Cronto Self-Service Approval Step Cronto Self-Service Approval Step FIDO Credential List FIDO Credential List Lock Self-Service Step Lock Self-Service Step Password Letter Order Step (Public Self-Service) Password Letter Order Step (Public Self-Service) Default Enable Cronto Device Flow Default Enable Cronto Device Flow Airlock 2FA Delete Devices Step Airlock 2FA Delete Devices Step Vasco OTP Self-Service Approval Step Vasco OTP Self-Service Approval Step Selection Step for User Self-Registration Selection Step for User Self-Registration Vasco OTP Device Activation Vasco OTP Device Activation User Role Assignment Step Config User Role Assignment Step Config Default Enable FIDO Credential Flow Default Enable FIDO Credential Flow mTAN Self-Service Approval Step mTAN Self-Service Approval Step Selection Option Rename Cronto Device Step Rename Cronto Device Step OATH OTP Authentication Step OATH OTP Authentication Step User Identification Step (Public Self-Service) User Identification Step (Public Self-Service) Default Cronto Device Renaming Flow Default Cronto Device Renaming Flow Delete mTAN Number Initiation Step Delete mTAN Number Initiation Step SSI Authentication Step SSI Authentication Step Default Disable Cronto 
Device Flow Default Disable Cronto Device Flow Password Repository Mapping Default Remember-Me Device Deletion Flow Default Remember-Me Device Deletion Flow mTAN Verification Step mTAN Verification Step Conditional Value Map Provider FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Application Portal Target Config Legacy Email OTP Authentication Step Legacy Email OTP Authentication Step Never Migrate Step Never Migrate Step Selection Step for Self-Service Selection Step for Self-Service Cronto Letter Order Step Config Cronto Letter Order Step Config No Operation Step No Operation Step Terms Of Services Step Terms Of Services Step Role-based Tag Acquisition Step Role-based Tag Acquisition Step FIDO Passwordless Authentication Step FIDO Passwordless Authentication Step Disable Cronto Push Initiation Step Disable Cronto Push Initiation Step Stop User Representation Step Stop User Representation Step Acknowledge Message Step Acknowledge Message Step HTTP Basic Authentication Step HTTP Basic Authentication Step Target Applications and Authentication Airlock 2FA Mobile Only Authentication Step Airlock 2FA Mobile Only Authentication Step Generic ID Propagator Voluntary Password Change Step Voluntary Password Change Step Remember-Me Device List Remember-Me Device List SAML 2.0 SP User Identifying Step SAML 2.0 SP User Identifying Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Consents Delete Initiation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Step (with additional Activation) OAuth 2.0 Consent List OAuth 2.0 Consent List Default OAuth 2.0 Consent Grant Flow Default OAuth 2.0 Consent Grant Flow Username Generation Step Config Username Generation Step Config Remember-Me Reset Step Remember-Me Reset Step Default FIDO Credential Removal Flow Delete OAuth 2.0 Session Initiation Step Delete OAuth 2.0 Session Initiation Step OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset Step Selection 
Step Selection Step
License-Tags
Airlock2FA
Properties
Selectable If Login Method Unknown (selectableIfNoAuthTokenIdPresent)
Description
If this option is enabled, the condition is always fulfilled (i.e., the option is selectable) when the login method is unknown.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.transactionapproval.application.configuration.selection.Airlock2FAAuthTokenIdSelectionConditionConfig
id: Airlock2FAAuthTokenIdSelectionConditionConfig-xxxxxx
displayName: 
comment: 
properties:
  selectableIfNoAuthTokenIdPresent: true

Airlock Gateway Roles Config

Description
Roles from the Role Provider will be added to the Airlock Gateway session. The Timeout Provider can be used to set custom session idle timeouts and lifetimes. The timeouts are applied to all provided roles. If no timeouts are provided and the role doesn't have timeouts, the Airlock Gateway defaults are applied.
Class
com.airlock.iam.login.application.configuration.targetapp.AirlockGatewayRolesConfig
May be used by
Properties
Role Provider (roleProvider)
Description
All roles which are provided will be added to the Airlock Gateway session.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Timeout Provider (timeoutProvider)
Description
The Timeout Provider is applied to all provided roles. A role's own idle timeout and lifetime are preserved wherever the Timeout Provider does not overwrite them.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.targetapp.AirlockGatewayRolesConfig
id: AirlockGatewayRolesConfig-xxxxxx
displayName: 
comment: 
properties:
  roleProvider:
  timeoutProvider:

Airlock Gateway Settings

Description
Configuration for Airlock Gateway (WAF) running in front of Airlock IAM. While active, IAM parses HTTP request environment cookies.
Class
com.airlock.iam.core.application.configuration.waf.AirlockGatewayConfig
May be used by
Properties
Add Credentials To Session (addCredentialsToSession)
Description
Usually, existing roles should be kept, i.e., the roles granted to a user in Airlock IAM should be added to the existing set of roles of an Airlock Gateway session. This is achieved with the Airlock Control Cookie command ADD_CREDENTIALS. If every identity propagation should instead replace all previously set roles, disable this property, which results in the Airlock Control Cookie command SET_CREDENTIALS.
Attributes
Boolean
Optional
Default value
true
Control Cookie Name (controlCookieName)
Description

The name of the control cookie used to communicate with the Airlock Gateway (WAF) backend control API. This must be the same name as configured in Airlock Gateway.

A control cookie is set after successful authentication with the roles granted to the user as credentials/roles. Additionally, a new session ID is generated (to prevent session fixation attacks) and the global session ID is set as audit token.

This property also enables so-called "session tickets". After successful authentication, the user's name and the granted roles are stored in the current session, and a session ticket cookie containing this information is stored in the Airlock Gateway cookie store. The session ticket is needed to re-authenticate any new session later.

Attributes
String
Optional
Default value
AL_CONTROL
Environment Cookie Prefix (environmentCookiePrefix)
Description
The name of the prefix that Airlock Gateway (WAF) prepends to all environment cookies it sends to its backends. This must be the same as configured in Airlock Gateway. It is used to extract, for example, the client IP address or the client certificate.
Attributes
String
Optional
Default value
AL_ENV_
Audit Token (auditToken)
Description

Type of the audit token set in the Airlock Gateway (WAF) after the authentication.

  • "Username": The audit token contains just the username.
  • "SessionID": The audit token contains just the session id.
  • "Username and SessionID": The audit token contains the username followed by a "-" and the session ID.
  • "None": The audit token is empty.
Attributes
Enum
Optional
Default value
USERNAME
YAML Template (with default values)

type: com.airlock.iam.core.application.configuration.waf.AirlockGatewayConfig
id: AirlockGatewayConfig-xxxxxx
displayName: 
comment: 
properties:
  addCredentialsToSession: true
  auditToken: USERNAME
  controlCookieName: AL_CONTROL
  environmentCookiePrefix: AL_ENV_

Airlock Gateway Settings (Loginapp)

Description
Gateway settings for the Loginapp. These settings are essential to ensure correct and secure behavior if Airlock IAM is deployed behind an Airlock Gateway.
Class
com.airlock.iam.login.application.configuration.gateway.LoginappGatewayConfig
May be used by
Properties
Removed Roles Mappings (removedRolesMappings)
Description

Airlock Gateway can indicate (using an environment cookie) that roles have been dropped. Dropped roles can be mapped to tags in Airlock IAM that should be dropped as a consequence.

Attributes
Plugin-List
Optional
Assignable plugins
Client Fingerprinting Lockout Threshold (clientFingerprintingLockoutThreshold)
Description

If the Airlock Gateway terminates a session because of a high client fingerprinting (CFP) score, IAM is informed about this as part of the Airlock Gateway logout propagation.
This property defines a CFP score threshold: if the CFP score reported by the Airlock Gateway is greater than or equal to the threshold, the user account is locked in IAM. This way, not only is the current Airlock Gateway session terminated, but the user account is also locked for further login attempts. The user cannot unlock the account using the "Unlock Self-Service".

Note: Ensure that the logout propagation path in the corresponding Airlock Gateway mapping for IAM points to the corresponding REST endpoint.

Please refer to the Airlock Gateway manual for further information about client fingerprinting.

Attributes
Integer
Optional
Add Credentials To Session (addCredentialsToSession)
Description
Usually, existing roles should be kept, i.e., the roles granted to a user in Airlock IAM should be added to the existing set of roles of an Airlock Gateway session. This is achieved with the Airlock Control Cookie command ADD_CREDENTIALS. If every identity propagation should instead replace all previously set roles, disable this property, which results in the Airlock Control Cookie command SET_CREDENTIALS.
Attributes
Boolean
Optional
Default value
true
Control Cookie Name (controlCookieName)
Description

The name of the control cookie used to communicate with the Airlock Gateway (WAF) backend control API. This must be the same name as configured in Airlock Gateway.

A control cookie is set after successful authentication with the roles granted to the user as credentials/roles. Additionally, a new session ID is generated (to prevent session fixation attacks) and the global session ID is set as audit token.

This property also enables so-called "session tickets". After successful authentication, the user's name and the granted roles are stored in the current session, and a session ticket cookie containing this information is stored in the Airlock Gateway cookie store. The session ticket is needed to re-authenticate any new session later.

Attributes
String
Optional
Default value
AL_CONTROL
Environment Cookie Prefix (environmentCookiePrefix)
Description
The name of the prefix that Airlock Gateway (WAF) prepends to all environment cookies it sends to its backends. This must be the same as configured in Airlock Gateway. It is used to extract, for example, the client IP address or the client certificate.
Attributes
String
Optional
Default value
AL_ENV_
Audit Token (auditToken)
Description

Type of the audit token set in the Airlock Gateway (WAF) after the authentication.

  • "Username": The audit token contains just the username.
  • "SessionID": The audit token contains just the session id.
  • "Username and SessionID": The audit token contains the username followed by a "-" and the session ID.
  • "None": The audit token is empty.
Attributes
Enum
Optional
Default value
USERNAME
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.gateway.LoginappGatewayConfig
id: LoginappGatewayConfig-xxxxxx
displayName: 
comment: 
properties:
  addCredentialsToSession: true
  auditToken: USERNAME
  clientFingerprintingLockoutThreshold:
  controlCookieName: AL_CONTROL
  environmentCookiePrefix: AL_ENV_
  removedRolesMappings:

Airlock Microgateway Settings

Description
Configuration for Airlock Microgateway running in front of Airlock IAM. While active, IAM parses HTTP request headers.
Class
com.airlock.iam.common.application.configuration.gateway.AirlockMicrogatewayConfig
May be used by
Properties
HTTP Request Client IP Extractor (clientIpExtractor)
Description
Extracts the client IP address from the incoming HTTP request. The client IP address is written by the gateway in front and is required by IAM in various places, e.g. when writing log files.
Attributes
Plugin-Link
Optional
Assignable plugins
HTTP Request ID Extractor (requestIdExtractor)
Description
Extracts the ID from the incoming HTTP request. The request ID is required by IAM in various places, e.g. when writing log files.
Attributes
Plugin-Link
Optional
Assignable plugins
HTTP Request URL Extractor (requestUrlExtractor)
Description
Extracts the request URL as seen by the client from the incoming HTTP request. The request URL is required by IAM in various places, e.g. when using OAuth 2.0.
Attributes
Plugin-Link
Optional
Assignable plugins
HTTP Request Client mTLS Certificate Extractor (requestMtlsClientCertExtractor)
Description
Extracts the mutual TLS client certificate from the incoming HTTP request. The client certificate is required by IAM in various places, e.g. when using OAuth 2.0.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.gateway.AirlockMicrogatewayConfig
id: AirlockMicrogatewayConfig-xxxxxx
displayName: 
comment: 
properties:
  clientIpExtractor:
  requestIdExtractor:
  requestMtlsClientCertExtractor:
  requestUrlExtractor:

Alias User Item

Description

Definition of a user alias. An alias is a special context data item that can be used as a login name in the same way as the username.

Note that by definition, all login names (i.e., aliases and usernames) must be unique across all users.

Class
com.airlock.iam.userselfreg.application.configuration.definition.AliasDefinitionConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
The string-typed context data item in which the alias is stored.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required (required)
Description
Specifies whether this alias must be provided before the step validates successfully.
Attributes
Boolean
Optional
Default value
true
Validators (validators)
Description
The validators for the alias. Additionally, alias names are automatically validated against the global Username Filter Pattern (configured in the Security Settings).
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.userselfreg.application.configuration.definition.AliasDefinitionConfig
id: AliasDefinitionConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  required: true
  validators:

All Devices Except Most Recently Registered

Description
This plugin returns the IDs of all Airlock 2FA devices of the current user except the Airlock 2FA device that was registered most recently.

In case no Airlock 2FA account is associated with the current user, no device IDs are returned.

Use case: This plugin can be used to enforce a single-device policy, meaning a user may only use a single device at a time. For this, in every flow that allows the user to authenticate with Airlock 2FA, this plugin must be used by an 'Airlock 2FA Delete Devices Step' placed at the start of the flow.

Class
com.airlock.iam.airlock2fa.application.configuration.provider.AllAirlock2FADevicesExceptMostRecentlyRegisteredProviderConfig
May be used by
License-Tags
Airlock2FA
Properties
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown are never returned and do not count towards determining the latest registered device.

Attributes
Boolean
Optional
Default value
true
Airlock 2FA Settings (airlock2FASettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.application.configuration.provider.AllAirlock2FADevicesExceptMostRecentlyRegisteredProviderConfig
id: AllAirlock2FADevicesExceptMostRecentlyRegisteredProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:
  respectCooldownPeriod: true

All Devices Except Registered In Flow

Description
This plugin returns the IDs of all the Airlock 2FA devices of the current user except for the Airlock 2FA devices registered in the current flow.

In case no Airlock 2FA account is associated with the current user, no device IDs are returned.

Use case: This plugin is designed to facilitate the secure migration of users from the Airlock 2FA app to either an alternative 2FA app or a new business app that includes built-in two-factor authentication using the Futurae Mobile SDK (One App solution). During this migration, all old tokens associated with the user's previous business application are deleted to ensure security and prevent unauthorized access.
For this use case, the plugin should be used with an 'Airlock 2FA Delete Devices Step' that is configured after the step activating the new Airlock 2FA device.

Class
com.airlock.iam.airlock2fa.application.configuration.provider.AllAirlock2FADevicesExceptRegisteredInFlowProviderConfig
May be used by
License-Tags
Airlock2FA
Properties
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown are never returned.

Attributes
Boolean
Optional
Default value
true
Airlock 2FA Settings (airlock2FASettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.application.configuration.provider.AllAirlock2FADevicesExceptRegisteredInFlowProviderConfig
id: AllAirlock2FADevicesExceptRegisteredInFlowProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:
  respectCooldownPeriod: true

All Ok On Behalf Login Step Validator

Description
Validates a login step successfully regardless of the login step's result (access denied or not), as long as the login step does not encounter technical errors.
Class
com.airlock.iam.core.misc.impl.sso.onbehalflogin.AllOkOnBehalfLoginStepValidator
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.sso.onbehalflogin.AllOkOnBehalfLoginStepValidator
id: AllOkOnBehalfLoginStepValidator-xxxxxx
displayName: 
comment: 
properties:

All Phone Numbers Provider

Description
Provides all of the user's phone numbers.
Class
com.airlock.iam.common.application.configuration.sms.AllPhoneNumbersProviderConfig
May be used by
Properties
mTAN Handler (mtanHandler)
Description
An mTAN handler retrieves mTAN number tokens.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.sms.AllPhoneNumbersProviderConfig
id: AllPhoneNumbersProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  mtanHandler:

All Required Roles Match

Description
Strategy to select role specific configurations based on the admin's roles.

Selects a configuration if the admin has all of the roles required by the configuration. If a configuration requires no roles, it is always selected.

Class
com.airlock.iam.admin.application.configuration.users.AllRequiredRolesMatcher
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.users.AllRequiredRolesMatcher
id: AllRequiredRolesMatcher-xxxxxx
displayName: 
comment: 
properties:

All User Roles

Description
Provides all roles of the user. Note that this includes only roles loaded from the persistence layer.
Class
com.airlock.iam.login.application.configuration.targetapp.UserRolesProviderConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.targetapp.UserRolesProviderConfig
id: UserRolesProviderConfig-xxxxxx
displayName: 
comment: 
properties:

Allowed Characters Password Policy

Description
A password policy check that verifies that every character of the password is allowed.
Class
com.airlock.iam.core.misc.impl.authen.PwdPolicyAllowedCharsCheck
May be used by
Properties
Allowed Chars Pattern (allowedCharsPattern)
Description
The regular expression pattern defining the set of allowed characters.

Every character of the password is matched against this pattern individually; if any character does not match, the password is rejected.

For details about the regular expression syntax, please refer to the class documentation of java.util.regex.Pattern for the Java JDK in use.

Because every single character is checked against the expression on its own, anchors ('^') and end-of-line characters ('$') are unnecessary and can be left out.

Attributes
RegEx
Mandatory
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.PwdPolicyAllowedCharsCheck
id: PwdPolicyAllowedCharsCheck-xxxxxx
displayName: 
comment: 
properties:
  allowedCharsPattern:

Allowed Username Password Combination

Description
A combination of a username and password that shall be allowed for this endpoint.
Class
com.airlock.iam.login.app.misc.oauth2.introspection.config.AllowedUsernamePasswordCombination
May be used by
License-Tags
OAuthServer
Properties
Username (username)
Description
The username.
Attributes
String
Mandatory
Password (password)
Description
The user's password.
Attributes
String
Mandatory
Sensitive
YAML Template (with default values)

type: com.airlock.iam.login.app.misc.oauth2.introspection.config.AllowedUsernamePasswordCombination
id: AllowedUsernamePasswordCombination-xxxxxx
displayName: 
comment: 
properties:
  password:
  username:

Alphabet

Description
An alphabet.
Class
com.airlock.iam.core.misc.impl.authen.Alphabet
May be used by
Properties
Characters (characters)
Description
The allowed characters in the alphabet.
Attributes
String
Mandatory
Length >= 1
Example
abcde
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.Alphabet
id: Alphabet-xxxxxx
displayName: 
comment: 
properties:
  characters:

Always Down Check

Description
A health check that always results in the status "DOWN".
Class
com.airlock.iam.common.application.configuration.health.AlwaysDownCheckConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.health.AlwaysDownCheckConfig
id: AlwaysDownCheckConfig-xxxxxx
displayName: 
comment: 
properties:

Always False

Description
Flow selection condition that is never fulfilled.
Class
com.airlock.iam.flow.application.configuration.selection.condition.AlwaysFalseConditionConfig
May be used by
mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto
Device Flow Default Disable Cronto Device Flow Password Repository Mapping Default Remember-Me Device Deletion Flow Default Remember-Me Device Deletion Flow mTAN Verification Step mTAN Verification Step Conditional Value Map Provider FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Application Portal Target Config Legacy Email OTP Authentication Step Legacy Email OTP Authentication Step Never Migrate Step Never Migrate Step Selection Step for Self-Service Selection Step for Self-Service Cronto Letter Order Step Config Cronto Letter Order Step Config No Operation Step No Operation Step Terms Of Services Step Terms Of Services Step Role-based Tag Acquisition Step Role-based Tag Acquisition Step FIDO Passwordless Authentication Step FIDO Passwordless Authentication Step Disable Cronto Push Initiation Step Disable Cronto Push Initiation Step Stop User Representation Step Stop User Representation Step Acknowledge Message Step Acknowledge Message Step HTTP Basic Authentication Step HTTP Basic Authentication Step Target Applications and Authentication Airlock 2FA Mobile Only Authentication Step Airlock 2FA Mobile Only Authentication Step Generic ID Propagator Voluntary Password Change Step Voluntary Password Change Step Remember-Me Device List Remember-Me Device List SAML 2.0 SP User Identifying Step SAML 2.0 SP User Identifying Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Consents Delete Initiation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Step (with additional Activation) OAuth 2.0 Consent List OAuth 2.0 Consent List Default OAuth 2.0 Consent Grant Flow Default OAuth 2.0 Consent Grant Flow Username Generation Step Config Username Generation Step Config Remember-Me Reset Step Remember-Me Reset Step Default FIDO Credential Removal Flow Delete OAuth 2.0 Session Initiation Step Delete OAuth 2.0 Session Initiation Step OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset Step Selection 
Step Selection Step
Properties
YAML Template (with default values)

type: com.airlock.iam.flow.application.configuration.selection.condition.AlwaysFalseConditionConfig
id: AlwaysFalseConditionConfig-xxxxxx
displayName: 
comment: 
properties:

Always Revoked Status Checker

Description
A status checker that returns revoked for all certificates.
Class
com.airlock.iam.core.misc.impl.cert.crl.AlwaysRevokedStatusChecker
May be used by
License-Tags
ClientCertificate
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.cert.crl.AlwaysRevokedStatusChecker
id: AlwaysRevokedStatusChecker-xxxxxx
displayName: 
comment: 
properties:

Always True

Description
Flow selection condition that is always fulfilled.
Class
com.airlock.iam.flow.application.configuration.selection.condition.AlwaysTrueConditionConfig
May be used by
mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
Properties
YAML Template (with default values)

type: com.airlock.iam.flow.application.configuration.selection.condition.AlwaysTrueConditionConfig
id: AlwaysTrueConditionConfig-xxxxxx
displayName: 
comment: 
properties:

Always True Representation Authorization

Description
Condition that always allows starting a user representation.
Class
com.airlock.iam.selfservice.application.configuration.representation.AlwaysTrueRepresentationAuthorizationConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.representation.AlwaysTrueRepresentationAuthorizationConfig
id: AlwaysTrueRepresentationAuthorizationConfig-xxxxxx
displayName: 
comment: 
properties:

And Claim Condition Config

Description
This condition is fulfilled if all of its configured conditions are fulfilled.
Class
com.airlock.iam.oauth2.application.configuration.claims.conditions.AndClaimConditionConfig
May be used by
License-Tags
OAuthServer
Properties
Conditions (conditions)
Description
This condition is fulfilled if every one of these conditions is fulfilled.
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.claims.conditions.AndClaimConditionConfig
id: AndClaimConditionConfig-xxxxxx
displayName: 
comment: 
properties:
  conditions:

Anomaly Shield State Risk Extractor Config

Description
Risk Extractor that extracts the state of the Gateway Anomaly Shield and compares it to the configured anomaly states. No tags are granted if the request does not contain an anomaly shield environment cookie.
Class
com.airlock.iam.authentication.application.configuration.risk.extractor.anomaly.AnomalyShieldStateRiskExtractorConfig
May be used by
Properties
Expected Anomaly States (expectedAnomalyStates)
Description
The expected Airlock Gateway (WAF) Anomaly Shield state of the request. If the request's anomaly shield state is within this list of states, it is considered to be a 'match'. The match is case-insensitive. Note: Airlock Gateway 8.3 and newer no longer issue anomaly state "redeemed".
Attributes
String-List
Optional
Default value
[anomalous]
Tags If One Of Expected Anomaly States (tagsIfOneOfExpectedAnomalyStates)
Description
The tags to grant if the current request's anomaly shield state equals any of the configured anomaly states.
Attributes
Plugin-List
Optional
Assignable plugins
Tags If None Of Expected Anomaly States (tagsIfNoneOfExpectedAnomalyStates)
Description
The tags to grant if the current request's anomaly shield state does not match any of the configured states.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.risk.extractor.anomaly.AnomalyShieldStateRiskExtractorConfig
id: AnomalyShieldStateRiskExtractorConfig-xxxxxx
displayName: 
comment: 
properties:
  expectedAnomalyStates: [anomalous]
  tagsIfNoneOfExpectedAnomalyStates:
  tagsIfOneOfExpectedAnomalyStates:

Any Required Role Matches

Description
Strategy to select role specific configurations based on the admin's roles.

Selects a configuration if the admin has any of the roles required by the configuration.

Class
com.airlock.iam.admin.application.configuration.users.AnyRequiredRoleMatcher
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.users.AnyRequiredRoleMatcher
id: AnyRequiredRoleMatcher-xxxxxx
displayName: 
comment: 
properties:

API Policy Service

Description
Configures the API Policy Service web application.

This web application currently offers a REST endpoint targeted at Airlock WAF that allows it to retrieve information about a technical client by resolving a given API key. Among other things, the returned information contains details about the technical client and its associated plans (including rate limits).

Class
com.airlock.iam.apipolicyservice.application.configuration.ApiPolicyServiceAppConfig
License-Tags
ApiPolicyService
Properties
Repository (repository)
Description
A repository that configures the DB access used by the API policy service functionality.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Shared Secret (sharedSecret)
Description

Shared secret to verify the JWT signature. Must be the same as on the Airlock Gateway (WAF) using this API Policy Service endpoint.

The shared secret must be base64-encoded. The unencoded value must be at least 512 bits long; configuration validation fails if the secret is shorter.

A random secret of 512 bits (64 bytes) can, for example, be generated as a base64-encoded string with openssl as follows: openssl rand -base64 96

Attributes
String
Mandatory
Sensitive
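As an added example (not Airlock's own code or tooling), the following POSIX shell script generates a secret with the openssl command given above and checks a candidate value the way the configuration validation described here does: it decodes the base64 and requires at least 64 unencoded bytes (512 bits). The function names and the MIN_SECRET_BYTES constant are the example's own; only openssl, base64 and wc from the standard toolchain are assumed.

```shell
#!/bin/sh
# Added example, not part of the Airlock IAM reference: generate and validate
# an API Policy Service shared secret. The rule implemented is the one the
# reference states: base64-encoded, at least 512 bits (64 bytes) unencoded.

MIN_SECRET_BYTES=64   # 512 bits, the minimum the reference requires (assumed name)

# generate_shared_secret: the command the reference suggests, newline stripped
# so the value can be pasted into the sharedSecret property as a single line.
generate_shared_secret() {
    openssl rand -base64 96 | tr -d '\n'
}

# decoded_secret_bytes SECRET: print the unencoded length in bytes.
# Invalid base64 yields a short or zero count, which the check below rejects.
decoded_secret_bytes() {
    printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# check_shared_secret SECRET: exit status 0 if the secret would pass
# configuration validation (>= 64 unencoded bytes), 1 otherwise.
check_shared_secret() {
    len=$(decoded_secret_bytes "$1")
    [ -n "$len" ] || return 1
    [ "$len" -ge "$MIN_SECRET_BYTES" ]
}

# Stand-alone use: "sh secret.sh --demo" generates a fresh secret and checks it.
# The generated value is shown only so the operator can copy it into the
# configuration; keep it out of logs and shell history in real use.
if [ "${1:-}" = "--demo" ] && command -v openssl >/dev/null 2>&1; then
    secret=$(generate_shared_secret)
    if check_shared_secret "$secret"; then
        echo "sharedSecret: $secret"
        echo "unencoded length: $(decoded_secret_bytes "$secret") bytes (ok)"
    else
        echo "generated secret too short" >&2
        exit 1
    fi
fi
```

The check mirrors what the reference says validation enforces, so it can be run in a deployment pipeline before the configuration is uploaded; the decoded length, not the length of the base64 string, is what counts.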
Context Extractor (contextExtractor)
Description
Specifies how a context is to be extracted from a request.
Attributes
Plugin-Link
Optional
Assignable plugins
Log User Trail To Database (logUserTrailToDatabase)
Description

Configures the database settings to use when persisting user trail log entries.

If this value is defined, then all user trail log messages generated by the API Policy Service App module will additionally be forwarded to the database configured within the referenced repository plugin.

All forwarded log entries are stored inside the table "USER_TRAIL_LOG". Note that setting this value does not disable writing log messages to the API Policy Service log file.

Attributes
Plugin-Link
Optional
Assignable plugins
Correlation ID Settings (correlationIdSettings)
Description

Defines settings for correlation ID transfer and logging inside the API Policy Service module.

If undefined, no correlation ID will be logged for this module.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.apipolicyservice.application.configuration.ApiPolicyServiceAppConfig
id: ApiPolicyServiceAppConfig-xxxxxx
displayName: 
comment: 
properties:
  contextExtractor:
  correlationIdSettings:
  logUserTrailToDatabase:
  repository:
  sharedSecret:

App Device Used For Login Unless Last App Device

Description
This plugin returns the ID of the Airlock 2FA App device that was used for login in an authentication flow of the current user session.
It returns nothing if the login device is the only App device of the user, or if the login device is not an App device (e.g. a hardware device).

In case no Airlock 2FA account is associated with the current user, no device IDs are returned.

Note: This plugin should only be used in authentication and protected self-service flows since the other flows do not contain information on the last device used for login.

Use case: This plugin is designed to facilitate the secure migration of users from the Airlock 2FA app to either an alternative 2FA app or a new business app that includes built-in two-factor authentication using the Futurae Mobile SDK (One App solution). In contrast to the 'All Devices Except Registered In Flow' plugin, this plugin does not delete all old tokens during a migration but only the one used in this session. This is beneficial when a user has multiple devices, and you want to avoid unintended deletions that could disrupt access from other devices.
For this use case, the plugin should be used with an 'Airlock 2FA Delete Devices Step' which is configured after the step activating the new Airlock 2FA device.

Class
com.airlock.iam.airlock2fa.application.configuration.provider.Airlock2FALoginDeviceUnlessLastDeviceIdProviderConfig
May be used by
License-Tags
Airlock2FA
Properties
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown are never returned. Consequently, if the login device is in cooldown or if there is only one device which is not in cooldown, no devices are returned.

Attributes
Boolean
Optional
Default value
false
Airlock 2FA Settings (airlock2FASettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.application.configuration.provider.Airlock2FALoginDeviceUnlessLastDeviceIdProviderConfig
id: Airlock2FALoginDeviceUnlessLastDeviceIdProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:
  respectCooldownPeriod: false

Application ID

Description

Configuration of the Application ID.

In the SPA, this property defines the access path of the respective application. For example:

/<loginapp-uri>/ui/app/auth/application/access/<APP_ID>

Class
com.airlock.iam.login.application.configuration.targetapp.ApplicationIdConfig
May be used by
Properties
ID (applicationId)
Description
The ID of the application.
Attributes
String
Mandatory
Length <= 30
Validation RegEx: [a-z0-9_-]+
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.targetapp.ApplicationIdConfig
id: ApplicationIdConfig-xxxxxx
displayName: 
comment: 
properties:
  applicationId:

Application Portal Group Config

Description
Groups portal targets.
Class
com.airlock.iam.selfservice.application.configuration.ui.portal.ApplicationPortalGroupConfig
May be used by
License-Tags
ApplicationPortal
Properties
Identifier (identifier)
Description
Unique ID of this portal group. The ID is used for customizations, e.g. in the string resource properties. The following string resource properties are available:
  • protected.application-portal.group.${identifier}.title for the group title
  • protected.application-portal.group.${identifier}.description for the description text of the group
The suggested values correlate with already existing string resources. If there is no translation, the Identifier is displayed.
Attributes
String
Mandatory
Suggested values
self-services
Portal Targets (portalTargets)
Description
List of portal targets in this group.
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.ui.portal.ApplicationPortalGroupConfig
id: ApplicationPortalGroupConfig-xxxxxx
displayName: 
comment: 
properties:
  identifier:
  portalTargets:

Application Portal Target Config

Description
Configures a target to be displayed on the portal page.
Class
com.airlock.iam.selfservice.application.configuration.ui.portal.ApplicationPortalTargetConfig
May be used by
License-Tags
ApplicationPortal
Properties
Identifier (identifier)
Description
Unique ID of this target. The ID is used in the string resource properties and to customize the styling of the target on the portal page. The following string resource properties are available:
  • protected.application-portal.group.${group-identifier}.target.${identifier}.title for the portal target on the portal page
The suggested values correlate with already existing string resources. If there is no translation, the Identifier is displayed.
Attributes
String
Mandatory
Suggested values
account-link-management, address-change, airlock2fa-device-management, cronto-device-management, device-token-management, email-address-change, fido-registration, mtan-token-management, oauth2-consent-management, oauth2-session-management, password-change, self-lockout
Redirect via Application Access (redirectByAccess)
Description
If enabled, an application access is performed prior to being redirected to the target. This is used to enable step-up and/or identity propagation.

This functionality is not needed for Protected Self-Services, where access control is already provided by the "Access Condition" and "Authorization Condition".

Attributes
Boolean
Optional
Default value
true
Precondition (precondition)
Description
The target is displayed on the portal if this condition is fulfilled. If no target within a group is displayed, the whole group is not shown.
Attributes
Plugin-Link
Optional
Assignable plugins
Open In New Tab (openInNewTab)
Description
Opens the target in a new browser tab.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.ui.portal.ApplicationPortalTargetConfig
id: ApplicationPortalTargetConfig-xxxxxx
displayName: 
comment: 
properties:
  identifier:
  openInNewTab: false
  precondition:
  redirectByAccess: true
  redirectTarget:

Application Portal UI

Description
Configures the application portal. The portal lists the configured portal target applications, i.e. self-services or backends.

The portal is accessible at /<loginapp-uri>/ui/app/protected/portal after user authentication.

Class
com.airlock.iam.selfservice.application.configuration.ui.portal.ApplicationPortalUiConfig
May be used by
License-Tags
ApplicationPortal
Properties
Portal Groups (portalGroups)
Description
Groups portal targets.
Attributes
Plugin-List
Mandatory
Assignable plugins
Auto Forward (autoForward)
Description
If enabled and only one application is accessible, the user is automatically forwarded to the application instead of displaying the portal page.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.ui.portal.ApplicationPortalUiConfig
id: ApplicationPortalUiConfig-xxxxxx
displayName: 
comment: 
properties:
  autoForward: false
  portalGroups:

Apply Account Link Deletion

Description
Applies the "Account Link Deletion" change. Performs the actual deletion.
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyAccountLinkDeletionConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyAccountLinkDeletionConfig
id: ApplyAccountLinkDeletionConfig-xxxxxx
displayName: 
comment: 
properties:

Apply Account Link Linking

Description
Applies the "Account Link Linking" change. Performs the actual linking of the provider account.
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyAccountLinkLinkingConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyAccountLinkLinkingConfig
id: ApplyAccountLinkLinkingConfig-xxxxxx
displayName: 
comment: 
properties:

Apply Changes Step

Description
Flow step that applies (persists) all changes performed during the flow so far.
Class
com.airlock.iam.flow.shared.application.configuration.step.apply.ApplyChangesStepConfig
May be used by
Properties
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.step.apply.ApplyChangesStepConfig
id: ApplyChangesStepConfig-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  handlers:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Apply Cronto Device Deletion

Description
Applies the "Cronto Device Deletion" change. Performs the actual deletion.
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoDeviceDeletionConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoDeviceDeletionConfig
id: ApplyCrontoDeviceDeletionConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:

Apply Cronto Device Disabling

Description
Applies the "Cronto Device Disabling" change. Performs the actual disabling.
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoDeviceDisablingConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoDeviceDisablingConfig
id: ApplyCrontoDeviceDisablingConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:

Apply Cronto Device Enabling

Description
Applies the "Cronto Device Enabling" change. Performs the actual enabling.
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoDeviceEnablingConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoDeviceEnablingConfig
id: ApplyCrontoDeviceEnablingConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:

Apply Cronto Device Renaming

Description
Applies the "Cronto Device Renaming" change. Persists the new device name.
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoDeviceRenamingConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoDeviceRenamingConfig
id: ApplyCrontoDeviceRenamingConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:

Apply Cronto Push Disabling

Description
Applies the "Cronto Push Disabling" change. Performs the actual disabling.
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoPushDisablingConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoPushDisablingConfig
id: ApplyCrontoPushDisablingConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:

Apply Cronto Push Enabling

Description
Applies the "Cronto Push Enabling" change. Performs the actual enabling.
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoPushEnablingConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoPushEnablingConfig
id: ApplyCrontoPushEnablingConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:

Apply Device Token Registration

Description
Applies the "Device Token Registration" change. Persists the registered device token.

Note that only the last registered device token will be persisted.

Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyDeviceTokenRegistrationConfig
May be used by
License-Tags
DeviceToken
Properties
Device Token Settings (deviceTokenSettings)
Description
Defines the device token settings to be used in this handler. Must match the one used in the "Device Token Registration Step".
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyDeviceTokenRegistrationConfig
id: ApplyDeviceTokenRegistrationConfig-xxxxxx
displayName: 
comment: 
properties:
  deviceTokenSettings:

Apply Email Change

Description
Applies an "Email" change by assigning the registered email address to the user as a context-data value.
Class
com.airlock.iam.flow.shared.application.configuration.step.apply.ApplyEmailChangeConfig
May be used by
License-Tags
UserProfileSelfService
Properties
Context Data Name (contextDataName)
Description
Name of the context-data in which to store the email address.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.step.apply.ApplyEmailChangeConfig
id: ApplyEmailChangeConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:

Apply FIDO Credential Deletion

Description
Applies the "FIDO Credential Deletion" change. Performs the actual deletion.
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyFidoCredentialDeletionConfig
May be used by
License-Tags
FIDO
Properties
FIDO Settings (fidoSettings)
Description
Settings for FIDO.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyFidoCredentialDeletionConfig
id: ApplyFidoCredentialDeletionConfig-xxxxxx
displayName: 
comment: 
properties:
  fidoSettings:

Apply FIDO Credential Disabling

Description
Applies the "FIDO Credential Disabling" change. Performs the actual disabling.
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyFidoCredentialDisablingConfig
May be used by
License-Tags
FIDO
Properties
FIDO Settings (fidoSettings)
Description
Settings for FIDO.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyFidoCredentialDisablingConfig
id: ApplyFidoCredentialDisablingConfig-xxxxxx
displayName: 
comment: 
properties:
  fidoSettings:

Apply FIDO Credential Display Name Change

Description
Applies the "FIDO Credential Display Name Change" change. Persists the new display name.
Class
com.airlock.iam.fido.login.application.configuration.ApplyFidoCredentialDisplayNameChangeConfig
May be used by
License-Tags
FIDO
Properties
FIDO Settings (fidoSettings)
Description
Settings for FIDO.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.fido.login.application.configuration.ApplyFidoCredentialDisplayNameChangeConfig
id: ApplyFidoCredentialDisplayNameChangeConfig-xxxxxx
displayName: 
comment: 
properties:
  fidoSettings:

Apply FIDO Credential Enabling

Description
Applies the "FIDO Credential Enabling" change. Performs the actual enabling.
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyFidoCredentialEnablingConfig
May be used by
License-Tags
FIDO
Properties
FIDO Settings (fidoSettings)
Description
Settings for FIDO.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyFidoCredentialEnablingConfig
id: ApplyFidoCredentialEnablingConfig-xxxxxx
displayName: 
comment: 
properties:
  fidoSettings:

Apply mTAN Deletion

Description
Applies the "mTAN Number Deletion" change. Performs the actual deletion.
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyMtanDeletionConfig
May be used by
License-Tags
mTan
Properties
mTAN Settings (mtanSettings)
Description
Defines the required settings for mTAN.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyMtanDeletionConfig
id: ApplyMtanDeletionConfig-xxxxxx
displayName: 
comment: 
properties:
  mtanSettings:

Apply mTAN Edit Change

Description
Persists an edited mTAN token. Use this change handler if an existing mTAN token has been edited. If a new token has been registered, use the "Apply mTAN Registration Change".
Class
com.airlock.iam.flow.shared.application.configuration.step.apply.ApplyMtanEditChangeConfig
May be used by
Properties
mTAN Settings (mtanSettings)
Description
Defines the required settings for mTAN.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.step.apply.ApplyMtanEditChangeConfig
id: ApplyMtanEditChangeConfig-xxxxxx
displayName: 
comment: 
properties:
  mtanSettings:

Apply mTAN Registration Change

Description
Persists a registered mTAN token. Use this change handler if a new mTAN token has been registered. If an existing token has been edited, use the "Apply mTAN Edit Change".
Class
com.airlock.iam.flow.shared.application.configuration.step.apply.ApplyMtanRegistrationChangeConfig
May be used by
License-Tags
UserProfileSelfService
Properties
mTAN Settings (mtanSettings)
Description
Defines the required settings for mTAN.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.step.apply.ApplyMtanRegistrationChangeConfig
id: ApplyMtanRegistrationChangeConfig-xxxxxx
displayName: 
comment: 
properties:
  mtanSettings:

Apply OAuth 2.0 Consent Deny

Description
Applies the "OAuth 2.0 Consent Deny" change. Performs the actual denial.
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyOAuth2DenyConsentConfig
May be used by
License-Tags
OAuthServer
Properties
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyOAuth2DenyConsentConfig
id: ApplyOAuth2DenyConsentConfig-xxxxxx
displayName: 
comment: 
properties:

Apply OAuth 2.0 Consent Grant

Description
Applies the "OAuth 2.0 Consent Grant" change. Performs the actual grant.
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyOAuth2GrantConsentConfig
May be used by
License-Tags
OAuthServer
Properties
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyOAuth2GrantConsentConfig
id: ApplyOAuth2GrantConsentConfig-xxxxxx
displayName: 
comment: 
properties:

Apply OAuth 2.0 Consents Deletion

Description
Applies the "OAuth 2.0 Consents Deletion" change. Performs the actual deletion.
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyOAuth2DeleteConsentsConfig
May be used by
License-Tags
OAuthServer
Properties
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyOAuth2DeleteConsentsConfig
id: ApplyOAuth2DeleteConsentsConfig-xxxxxx
displayName: 
comment: 
properties:

Apply OAuth 2.0 Session Deletion

Description
Applies the "OAuth 2.0 Session Deletion" change. Performs the actual deletion.
Class
com.airlock.iam.selfservice.application.configuration.step.OAuth2DeleteSessionApplyConfig
May be used by
License-Tags
OAuthServer
Properties
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.OAuth2DeleteSessionApplyConfig
id: OAuth2DeleteSessionApplyConfig-xxxxxx
displayName: 
comment: 
properties:

Apply Remember-Me Device Deletion

Description
Applies the "Remember-Me Device Deletion" change. Performs the actual deletion.
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyRememberMeDeviceDeletionConfig
May be used by
Properties
Remember-Me Settings (rememberMeConfig)
Description
Common configuration for the Remember-Me feature.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyRememberMeDeviceDeletionConfig
id: ApplyRememberMeDeviceDeletionConfig-xxxxxx
displayName: 
comment: 
properties:
  rememberMeConfig:

Apply User Data Edit Change Config

Description
Applies the context-data changes from the "User Data Edit" step to the user (which is then automatically persisted at the end of the request).
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyUserDataEditChangeConfig
May be used by
License-Tags
UserProfileSelfService
Properties
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.apply.ApplyUserDataEditChangeConfig
id: ApplyUserDataEditChangeConfig-xxxxxx
displayName: 
comment: 
properties:

ASP SMS Gateway

Description
SMS gateway implementation for "http://www.aspsms.com/".
This plug-in uses the XML/HTTP(S) interface of ASPSMS to send SMS messages.

Class
com.airlock.iam.core.misc.impl.sms.AspSmsGateway
May be used by
Properties
Account Username (accountUsername)
Description
Username for a registered ASPSMS account.
Attributes
String
Mandatory
Example
myaspsmslogin
Account Password (accountPassword)
Description
Password for the registered ASPSMS account.
Attributes
String
Mandatory
Sensitive
Service URI (serviceUri)
Description
The URI of the ASPSMS service.
See note in plug-in description when using SSL (HTTPS instead of HTTP).

Use the plugin FailoverSmsGateway to use multiple ASPSMS URLs for increased availability.

Attributes
String
Mandatory
Suggested values
http://xml1.aspsms.com:5061/xmlsvr.asp, http://xml1.aspsms.com:5098/xmlsvr.asp, http://xml2.aspsms.com:5061/xmlsvr.asp, http://xml2.aspsms.com:5098/xmlsvr.asp
Proxy Host (proxyHost)
Description
The hostname of the HTTP proxy server (if any).
Attributes
String
Optional
Example
proxy.company.com
Proxy Port (proxyPort)
Description
The port of the HTTP proxy server (if any).
Attributes
Integer
Optional
Proxy Login User (proxyLoginUser)
Description
Username for the HTTP proxy if proxy authentication is used.
Attributes
String
Optional
Proxy Login Password (proxyLoginPassword)
Description
Password for the HTTP proxy if proxy authentication is used.
Attributes
String
Optional
Sensitive
Allow Only Trusted Certs (allowOnlyTrustedCerts)
Description

Only allow connections to servers whose certificate is trusted. See documentation of property "Trust Store Path" for more information about what certificates are trusted.

Security warning: Trusting all certificates allows connections to adversarial hosts. Only disable this property for testing and integration setups.

Attributes
Boolean
Optional
Default value
true
Verify Server Hostname (verifyServerHostname)
Description

Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

Attributes
Boolean
Optional
Default value
true
Trust Store Path (trustStorePath)
Description

Keystore file name containing trusted certificate issuers (and trusted certificates).

If this property is not defined the following certificate issuers are trusted:

  • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
  • The list of issuers in a keystore referenced by system property "javax.net.ssl.trustStore" if defined in instance.properties using iam.java.opts.

If this property is defined then the following certificate issuers are trusted:

  • The list of issuers in the referenced truststore file and no others.

This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

Attributes
File/Path
Optional
Trust Store Type (trustStoreType)
Description
Identifies the type of the keystore.
Attributes
String
Optional
Default value
JKS
Allowed values
JKS, PKCS12
Trust Store Password (trustStorePassword)
Description
The password used to verify the authenticity of the trust store.

Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

  • JKS: the keystore can be opened and used but the integrity of the keystore is not checked.
  • PKCS12: an error occurs.

Attributes
String
Optional
Sensitive
Connection/Read Timeout [s] (connectTimeout)
Description
The timeout in seconds used for connection timeout and read timeout.
Therefore, a connection may take a maximum of twice this time until it is aborted.
Attributes
Integer
Optional
Default value
10
Correlation ID Header Name (correlationIdHeaderName)
Description

When configured, every request sent contains a header with the configured name carrying the correlation ID. If no value or an empty value is specified, or if no correlation ID is defined for the request, the correlation ID header is not sent.

Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_-]+
Suggested values
X-Correlation-ID
Visible Phone Number Digits In Log (visiblePhoneNumberDigitsInLog)
Description

Defines the number of phone number digits visible in log statements.

Thus, if the value is zero, all digits are masked; if it is large enough, all digits are visible. If set to 3, for example, the logged number looks like ********965.

The default is 100, i.e. showing all digits.

Attributes
Integer
Optional
Default value
100
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.sms.AspSmsGateway
id: AspSmsGateway-xxxxxx
displayName: 
comment: 
properties:
  accountPassword:
  accountUsername:
  allowOnlyTrustedCerts: true
  connectTimeout: 10
  correlationIdHeaderName:
  proxyHost:
  proxyLoginPassword:
  proxyLoginUser:
  proxyPort:
  serviceUri:
  trustStorePassword:
  trustStorePath:
  trustStoreType: JKS
  verifyServerHostname: true
  visiblePhoneNumberDigitsInLog: 100

Assertion Attribute

Description
Holds information about an attribute to put into the assertion.
Class
com.airlock.iam.saml2.application.configuration.AssertionAttribute
May be used by
Properties
Name (name)
Description
The name of an additional SAML2 Attribute to be added to the Assertion. The value of the attribute is defined by the corresponding value property or static-value property. One of value or static-value must be set, but not both at the same time.
Attributes
String
Mandatory
Example
username
Example
lang
Example
authentication-method
Value (value)
Description
The value(s) of an additional SAML2 Attribute to be added to the Assertion. The specified value is interpreted as follows:
  • The value @username refers to the user's name.
  • The value @roles refers to the user's roles.
  • The value @info:key refers to the element of the additional input data with the given key.
  • The value @param:key refers to the element of the parameter map with the given key.
  • Any other value is retrieved from the user's context data container.
Attributes
String
Optional
Example
@username
Example
language
Example
auth_method
Example
@info:authLevel
Value Transformations (valueTransformations)
Description
A list of Value Transformations that is applied to the Value. If multiple transformations are defined, the first matching one will be executed and the later ones ignored.
Attributes
Plugin-List
Optional
Assignable plugins
Static Value (staticValue)
Description
The static value(s) of an additional SAML2 Attribute to be added to the Assertion.
Attributes
String
Optional
Example
security-level
Example
language
Example
Airlock
YAML Template (with default values)

type: com.airlock.iam.saml2.application.configuration.AssertionAttribute
id: AssertionAttribute-xxxxxx
displayName: 
comment: 
properties:
  name:
  staticValue:
  value:
  valueTransformations:

Audience From Request Parameter (OAuth 2.0 Token Exchange)

Description
Sets the claim value to that of the token exchange "audience" request parameter.

If the request does not contain an "audience" parameter or if the request's "audience" parameter is an empty array, the claim value will not be set (unless the claim is required, for example for the "aud" target claim).

If the request contains one "audience" parameter, the claim value will be set to a single string value. If the request contains multiple "audience" parameters, the claim value will be set to an array.

Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtAudienceRequestParameterClaimValueConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtAudienceRequestParameterClaimValueConfig
id: OAuth2TokenExchangeJwtAudienceRequestParameterClaimValueConfig-xxxxxx
displayName: 
comment: 
properties:

Audience From Subject Token (OAuth 2.0 Token Exchange)

Description

Sets the claim value to that of the subject token's "aud" claim value.

If present, the subject token's "aud" data is parsed as either a single string audience value or an array of string audience values as per RFC7519. If the subject token's "aud" data is present but does not conform with the specification, the token exchange request will lead to an invalid request error.

If the subject token's "aud" data is single-valued after removing non-allowed values (i.e. it is either a string or an array with a single element after removing the values not matching any of the configured patterns) and conforms with the specification, the claim value will be set to a string. If the subject token's "aud" data is multi-valued and conforms with the specification, the claim value will be set to an array.

If the subject token's "aud" data is not present, is an empty array or none of the values match the configured filters, the claim value will not be set.

Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtSubjectTokenAudienceClaimValueConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
Value Filters (valueFilters)
Description

An optional list of regular expressions. If the list is configured, only values in the subject token's "aud" data matching at least one of the regular expressions will be added. Values that do not match any of the configured regular expressions will be ignored. If the list is not configured, all the values in the subject token's "aud" claim will be added.

Attributes
RegEx-List
Optional
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtSubjectTokenAudienceClaimValueConfig
id: OAuth2TokenExchangeJwtSubjectTokenAudienceClaimValueConfig-xxxxxx
displayName: 
comment: 
properties:
  valueFilters:
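The two audience rules described above ("Audience From Request Parameter" and "Audience From Subject Token" with its "Value Filters"), modelled as an added Python illustration that is not Airlock IAM code; the function names, the InvalidRequest exception and the whole-value regex matching are assumptions of this example.

```python
"""Audience ("aud") claim rules of OAuth 2.0 Token Exchange, modelled in Python.

Added illustration, not Airlock IAM code. Function names, the InvalidRequest
exception and the whole-value regex matching are assumptions of this example.
"""
import re
from typing import Any, Optional, Union

ClaimValue = Union[str, list[str], None]  # None means "claim not set"


class InvalidRequest(Exception):
    """The subject token's "aud" data does not conform to RFC 7519."""


def audience_from_request_parameters(audience_params: list[str]) -> ClaimValue:
    """'Audience From Request Parameter' rule.

    No "audience" parameter -> claim not set; exactly one -> plain string;
    several -> array (in request order).
    """
    if not audience_params:
        return None
    if len(audience_params) == 1:
        return audience_params[0]
    return list(audience_params)


def _parse_aud(aud: Any) -> list[str]:
    """Normalise "aud" data to a list of strings.

    RFC 7519 allows a single case-sensitive string or an array of strings;
    anything else makes the token exchange an invalid request.
    """
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(v, str) for v in aud):
        return list(aud)
    raise InvalidRequest("subject token 'aud' must be a string or an array of strings")


def audience_from_subject_token(subject_claims: dict[str, Any],
                                value_filters: Optional[list[str]] = None) -> ClaimValue:
    """'Audience From Subject Token' rule with the optional 'Value Filters' list.

    "aud" absent, empty, or with no value matching any filter -> claim not set;
    one surviving value -> string; several -> array.
    """
    if "aud" not in subject_claims:
        return None
    values = _parse_aud(subject_claims["aud"])
    if value_filters:
        # Assumption of this example: a filter must match the whole audience value.
        patterns = [re.compile(p) for p in value_filters]
        values = [v for v in values if any(p.fullmatch(v) for p in patterns)]
    if not values:
        return None
    return values[0] if len(values) == 1 else values


if __name__ == "__main__":
    # Constructed sample subject-token claims (not a real token).
    subject = {"sub": "alice", "aud": ["https://api.example.com", "https://legacy.example.com"]}
    print(audience_from_subject_token(subject))                        # both values, as an array
    print(audience_from_subject_token(subject, [r"https://api\..*"]))  # one value left, as a string
    print(audience_from_request_parameters(["https://api.example.com"]))
```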

Audit Token SAML 2.0 Attribute

Description
A SAML 2.0 attribute containing the audit token.
Class
com.airlock.iam.saml2.application.configuration.assertion.attribute.AuditTokenAttributeConfig
May be used by
License-Tags
SamlIdp
Properties
Attribute Name (samlAttributeName)
Description
The name of the attribute to add to the assertion.
Attributes
String
Mandatory
Example
Audit-Token
Name Format (nameFormat)
Description
The NameFormat to use for the attribute.
Attributes
String
Optional
Default value
urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Suggested values
urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
YAML Template (with default values)

type: com.airlock.iam.saml2.application.configuration.assertion.attribute.AuditTokenAttributeConfig
id: AuditTokenAttributeConfig-xxxxxx
displayName: 
comment: 
properties:
  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  samlAttributeName:

Auth Method-based Authenticator Selector

Description

Authenticator plugin that selects one of several configured authenticators depending on the user's active authentication method.

Note: This plugin does not check the status of the user account (locked, invalid) and does not update login statistics (failed logins, etc.). It can therefore only be used in conjunction with another authenticator (e.g. Main Authenticator or Meta Authenticator).

Class
com.airlock.iam.core.misc.impl.authen.AuthMethodBasedAuthenticatorSelector
May be used by
Properties
Mappings (mappings)
Description
Maps authentication method identifiers (e.g. "MTAN") to corresponding authenticators (e.g. "MTAN/SMS Authenticator").
Attributes
Plugin-List
Mandatory
Assignable plugins
User Persister (userPersister)
Description
The user persister used to load the user's active authentication method.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.AuthMethodBasedAuthenticatorSelector
id: AuthMethodBasedAuthenticatorSelector-xxxxxx
displayName: 
comment: 
properties:
  defaultAuthenticator:
  mappings:
  userPersister:

Auth Token ID SAML 2.0 Attribute

Description
A SAML 2.0 attribute containing the Authentication Token ID.
Class
com.airlock.iam.saml2.application.configuration.assertion.attribute.AuthTokenIdAttributeConfig
May be used by
License-Tags
SamlIdp
Properties
Attribute Name (samlAttributeName)
Description
The name of the attribute to add to the assertion. If there is no Auth Token in the session, the attribute will not be included in the assertion.
Attributes
String
Mandatory
Example
Auth-Token
Name Format (nameFormat)
Description
The NameFormat to use for the attribute.
Attributes
String
Optional
Default value
urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Suggested values
urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
YAML Template (with default values)

type: com.airlock.iam.saml2.application.configuration.assertion.attribute.AuthTokenIdAttributeConfig
id: AuthTokenIdAttributeConfig-xxxxxx
displayName: 
comment: 
properties:
  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  samlAttributeName:

Authenticated Client ID (OAuth 2.0 Token Exchange)

Description

Sets the act claim to a claim set containing the authenticated client ID as sub claim and nests the original act claim from the subject token data into this claim set.

Nesting the act claim within another expresses a chain of delegation. The outermost act claim represents the current actor while nested act claims represent prior actors. The least recent actor is the most deeply nested. The nested act claims serve as a history trail that connects the initial request and subject through the various delegation steps undertaken before reaching the current actor.

If the subject token data has no act claim, the new claim only contains the sub claim.

Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeAuthenticatedClientIdActorClaimConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeAuthenticatedClientIdActorClaimConfig
id: OAuth2TokenExchangeAuthenticatedClientIdActorClaimConfig-xxxxxx
displayName: 
comment: 
properties:
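The act-claim nesting described above, together with a consumer-side walk of the resulting delegation chain, as an added Python illustration that is not Airlock IAM code; the function names and the acceptance policy in chain_is_acceptable are assumptions of this example.

```python
"""Actor ("act") claim nesting for OAuth 2.0 Token Exchange (RFC 8693).

Added illustration, not Airlock IAM code. The function names and the
acceptance policy in chain_is_acceptable are assumptions of this example.
"""
import copy
from typing import Any


def actor_claim_from_authenticated_client(subject_claims: dict[str, Any],
                                          client_id: str) -> dict[str, Any]:
    """Build the 'act' claim the 'Authenticated Client ID' rule produces.

    The client authenticated at the token endpoint is the current actor and
    becomes the outermost 'act'; an existing 'act' from the subject token is
    nested inside it so prior delegation steps are preserved.
    """
    act: dict[str, Any] = {"sub": client_id}
    previous = subject_claims.get("act")
    if previous is not None:
        act["act"] = copy.deepcopy(previous)
    return act


def issue_exchanged_claims(subject_claims: dict[str, Any], client_id: str) -> dict[str, Any]:
    """Claim set of the issued token: the subject's claims plus the new 'act'.

    'sub' stays the original subject; only 'act' records who is acting.
    """
    claims = copy.deepcopy(subject_claims)
    claims["act"] = actor_claim_from_authenticated_client(subject_claims, client_id)
    return claims


def delegation_chain(claims: dict[str, Any]) -> list[str]:
    """Actors from the current (outermost) to the least recent (innermost).

    Raises ValueError on a malformed chain so that a consumer fails closed.
    """
    chain: list[str] = []
    node = claims.get("act")
    while node is not None:
        if not isinstance(node, dict) or not isinstance(node.get("sub"), str):
            raise ValueError("malformed 'act' claim")
        chain.append(node["sub"])
        node = node.get("act")
    return chain


def chain_is_acceptable(claims: dict[str, Any], allowed_actors: set[str], max_depth: int) -> bool:
    """Resource-server side check (assumed policy): every actor in the chain
    must be a known client and the chain must not exceed max_depth steps."""
    try:
        chain = delegation_chain(claims)
    except ValueError:
        return False
    return len(chain) <= max_depth and all(actor in allowed_actors for actor in chain)


if __name__ == "__main__":
    # Constructed example: two consecutive exchanges of a token issued for "alice".
    original = {"sub": "alice", "aud": "https://orders.example.com"}
    hop1 = issue_exchanged_claims(original, "api-gateway")
    hop2 = issue_exchanged_claims(hop1, "orders-service")
    print(hop2["act"])             # outer actor orders-service, api-gateway nested inside
    print(delegation_chain(hop2))  # ['orders-service', 'api-gateway']
```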

Authentication & Authorization UI

Description
User interface configuration for authentication and authorization.
Class
com.airlock.iam.authentication.application.configuration.ui.AuthenticationUiConfig
May be used by
Properties
Target Application ID (targetApplicationId)
Description
The identifier of the target application that the user interface configuration refers to.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Customized Step UIs (customizedStepUis)
Description
The user interface configuration for the steps. Note: if using standard IAM steps, no user interface has to be configured manually.
Attributes
Plugin-List
Optional
Assignable plugins
Language Extractor (languageExtractor)
Description

The Language Extractor is a Location Interpreter which allows the UI to extract the language from the forward location. It is added to the value map from the location interpretation endpoint (/<loginapp-uri>/rest/public/authentication/location/interpret/) with the key IAM_UI_LANGUAGE.

The IAM UI uses this endpoint when application access with a forward location is requested. For this, an "Application Selector" must be configured on the "Target Application" configuration for the respective authentication flow. Otherwise, this setting has no effect for the default IAM UI.

Attributes
Plugin-Link
Optional
Assignable plugins
Show Goto Buttons (showGotoButtons)
Description

Show Goto buttons for all configured Goto targets on all pages using default UIs of this flow. Clicking a Goto button will redirect to the corresponding Goto target. The Goto targets are configured in the flows themselves, not the UIs.

For customized step UIs, Goto buttons have to be configured explicitly using the "Goto Button UI Element" plugin.

Notice: Goto buttons do not come with pre-defined labels. It is required to add i18n keys and values for each button manually. The key may look as follows: 'authentication.pages.actions.goto.<currentStepId>.<targetStepId>'.

Attributes
Boolean
Optional
Default value
true
Maintenance Message UI Settings (maintenanceMessageUiSettings)
Description
Settings to define if and how maintenance messages are displayed for this flow. If this property is not set no maintenance messages are displayed for this flow.
Attributes
Plugin-Link
Optional
License-Tags
MaintenanceMessages
Assignable plugins
Self-Unlock Flow (selfUnlockFlow)
Description
The self-unlock flow to use when a user is locked on this authentication flow. If configured, a message is displayed with a link to start this self-unlock flow. The link is displayed using the resource key: authentication.pages.messages.self-unlock
Attributes
Plugin-Link
Optional
Assignable plugins
Target URI Resolver (targetURIResolver)
Description
Resolves the URI to be propagated to after successful authentication.
  • The resolved URL must either be absolute (i.e. using https://) or start with a slash.
  • It may be necessary to configure 'Identity Propagation' to make the authentication work.
  • Uses the custom 'X-Forward-URL' header to inform the SPA about the target. Do not set the same header again in the identity propagation of the respective authentication flow.
  • Note: this setting is irrelevant for SAML 2.0 target applications (a target application where the "SAML 2.0 Identity Propagator" is configured). For such an application, simply configure a resolver with "/" as default value.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Cancellation Target (cancellationTarget)
Description
If configured, shows a cancel button on all pages, except the first, using default UIs of this flow. Clicking the cancel button will abort the flow and redirect to the configured target.

For customized step UIs, cancel buttons have to be configured explicitly using the "Cancel Button UI Element" plugin.

Attributes
Plugin-Link
Optional
Assignable plugins
Show Cancel Button On First Page (showCancelButtonOnFirstPage)
Description
If enabled, displays the cancel button also on the first interactive page of the flow. This can be useful if the "Cancellation Target" redirects to another flow or external page.

Note that even if this flag is disabled, a cancel button on the first page is always shown when the first page is reached again during the flow, e.g. by a Goto.

Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.ui.AuthenticationUiConfig
id: AuthenticationUiConfig-xxxxxx
displayName: 
comment: 
properties:
  cancellationTarget:
  customizedStepUis:
  flowFailureTarget:
  languageExtractor:
  maintenanceMessageUiSettings:
  selfUnlockFlow:
  showCancelButtonOnFirstPage: false
  showGotoButtons: true
  targetApplicationId:
  targetURIResolver:

Authentication & Authorization UIs

Description
User interface configurations for authentication and authorization.
Class
com.airlock.iam.authentication.application.configuration.ui.AuthenticationUiConfigs
May be used by
Properties
Flow UIs (flowUis)
Description
Allows configuring the user interface of the flow that belongs to a target application.
Attributes
Plugin-List
Mandatory
Assignable plugins
Non-Flow UI Settings (nonFlowUiSettings)
Description
Defines UI settings for pages that are not flow specific.
Attributes
Plugin-Link
Optional
Assignable plugins
On Logout (onLogout)
Description
The action to take after a logout.
Attributes
Plugin-Link
Optional
Assignable plugins
SSO Parameter Names (ssoParameterNames)
Description
Names of SSO parameters that the SPA tries to extract. The names are used in the configured order and extracting stops with the first parameter that is present.
Attributes
String-List
Optional
Default value
[sso]
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.ui.AuthenticationUiConfigs
id: AuthenticationUiConfigs-xxxxxx
displayName: 
comment: 
properties:
  flowUis:
  nonFlowUiSettings:
  onLogout:
  ssoParameterNames: [sso]

Authentication Data Map

Description

Provides some data about the successful authentication of the user.

Currently, the following values are provided:

  • auth-token-id: Auth Token ID (available as soon as the user has used a second factor for authentication in this session).
  • authentication-timestamp: timestamp (as date object) of the successful authentication (available as soon as the user has successfully authenticated for the first time in this session). Can be used by template-based providers to format the timestamp into a specific date format.
  • authentication-timestamp-millis: timestamp (as number of milliseconds since epoch) of the successful authentication (available as soon as the user has successfully authenticated for the first time in this session).

Class
com.airlock.iam.flow.shared.application.configuration.valueprovider.AuthenticationDataValueMapProviderConfig
May be used by
mTAN Transaction Approval Step, Secret Questions Identity Verification Step, Set Authentication Method Migration Step, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Airlock 2FA Self-Service Approval Step, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Account Link Linking Initiation Step, Remote Event Subscriber (Loginapp), Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Airlock 2FA Message Provider, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, Selection Step for Public Self-Service, OATH OTP Activation Step, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Delete FIDO Credential Initiation Step, Login From New Device Step, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, Cronto Message Provider, User Identification By Data Step (Public Self-Service), Translated String Provider, Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Template-based String Provider, Apply Changes Step, User Persisting Step Config, Start User Representation Step, mTAN Message Provider, String From Map Value Provider, Mandatory Password Change Step Config, SMS Event Subscriber (Loginapp), Disable Cronto Device Initiation Step, Email Message Provider, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Username Password Authentication Step, Certificate Credential Extraction Step Config, Set Password Step Config, Password Change Self-Service Step, SSI Verification Step, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, mTAN Self-Service Approval Step, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Delete mTAN Number Initiation Step, SSI Authentication Step, Template-based Username Transformer, Transforming Value Map Provider, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Email Event Subscriber (Loginapp), Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Airlock 2FA Mobile Only Authentication Step, Voluntary Password Change Step, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), Username Generation Step Config, Remember-Me Reset Step, Delete OAuth 2.0 Session Initiation Step, Ticket String Provider Config, OAuth 2.0 Session Reset Step, Selection Step
Properties
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.valueprovider.AuthenticationDataValueMapProviderConfig
id: AuthenticationDataValueMapProviderConfig-xxxxxx
displayName: 
comment: 
properties:

Authentication Flow

Description
Configuration for an authentication flow.
Class
com.airlock.iam.authentication.application.configuration.AuthenticationFlowConfig
May be used by
Properties
Steps (steps)
Description
Steps of the flow.
Attributes
Plugin-List
Mandatory
Assignable plugins
Abort Step, Acknowledge Message Step, Airlock 2FA Activation Letter Order Step, Airlock 2FA Activation Step, Airlock 2FA Activation Step (with additional Activation), Airlock 2FA Activation Trusted Session Binding Step, Airlock 2FA Authentication Step, Airlock 2FA Delete Devices Step, Airlock 2FA Device Edit Step, Airlock 2FA Mobile Only Authentication Step, Airlock 2FA Recovery Trusted Session Binding Step, Airlock 2FA Usernameless Authentication Step, Apply Changes Step, Complete Migration Step, Cronto Activation Step, Cronto Authentication Step, Cronto Device Reset Step Config, Cronto Letter Order Step Config, CrontoSign Swiss Push Activation Step, Device Token Authentication Step, Device Token Registration Step, Email Change Verification Step, Email Notification Step, Email OTP Authentication Step, FIDO Authentication Step, FIDO Credential Display Name Change Step, FIDO Passwordless Authentication Step, FIDO Registration Step, Failure Step, HTTP Basic Authentication Step, Kerberos Authentication Step, Legacy Email OTP Authentication Step, Login From New Device Step, Mandatory Password Change Step Config, Matrix Authentication Step, Migration Selection Step, Missing Account Link Step, Never Migrate Step, No Operation Step, OATH OTP Activation Step, OATH OTP Authentication Step, OAuth 2.0 Consent Step, OAuth 2.0 SSO Step, OAuth 2.0 Session Reset Step, OTP Check via RADIUS Step, Password-only Authentication Step, Red Flag Raising Step Config, Remember-Me Reset Step, Remember-Me Token Generating Step, Remember-Me User Identifying Step, Representation SSO Ticket Identifying Step, Risk Assessment Step, Role-based Tag Acquisition Step, SAML 2.0 SP User Identifying Step, SSI Authentication Step, SSI Issuance Step, SSI Passwordless Authentication Step, SSI Verification Step, SSO Ticket Authentication Step, Scriptable Step, Secret Questions Provisioning Step, Selection Step, Set Context Data Step, Set Password Step Config, Tag Removal Step Config, Terms Of Services Step, User Data Edit Step, User Identification By Data Step, User Identification Step, Username Password Authentication Step, Vasco OTP Authentication Step, Voluntary Password Change Step, mTAN Authentication Step, mTAN Token Registration Step, mTAN Verification Step
Processors (processors)
Description
Processors get notified about the various stages of the flow and offer hooks to plug in custom logic. These processors realize the entire authentication logic such as incrementing failed login counters or checking of user validity.

The configured processors are extended with the following processors (if not already present):

  1. User Enumeration Protection Processor (only if "Prevent User Enumeration" enabled)
  2. Temporary Locking Processor (only if "Enable Temporary Locking" enabled)

Attributes
Plugin-Link
Optional
Assignable plugins
Prevent User Enumeration (preventUserEnumeration)
Description

If enabled, user enumeration is prevented by not revealing what went wrong in a user identifying step ("Stealth Mode"). In particular, all failures because of wrong password or not existing, locked or invalid user are answered with the same generic error code AUTHENTICATION_FAILED. Furthermore, the sessions of the user will be terminated on IAM and on the Airlock Gateway (WAF).

Note that this feature is not compatible with Temporary Locking, but it is recommended to configure a "Fixed Response Duration" for failed responses to prevent timing attacks.

Important note: This feature only protects against user enumeration if the identifying step identifies the user and at the same time checks a credential, e.g. in case of "Password Authentication" or "Device Token Authentication". If the "User Identifying Step" is used, this feature does not protect against user enumeration.

If enabled, a "User Enumeration Protection Processor" is automatically added to the list of flow processors.
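The behaviour described above, as an added illustration (example code, not Airlock IAM code): an identifying step that both looks up the user and checks a credential maps every internal failure reason to the single generic code AUTHENTICATION_FAILED when stealth mode is on, and a fixed response duration pads failed responses so that the reason cannot be inferred from timing either. The outcome names, the constructed user table and the `authenticate` wrapper are assumptions made for the example.

```python
"""Stealth-mode error collapsing and fixed response duration (added example).

Example code written for this reference page; it is not part of Airlock IAM.
The internal outcome names, the user table and the helper names are
assumptions made for illustration.
"""
import hmac
import time
from enum import Enum


class Outcome(Enum):
    """Internal result of an identify-and-check step (hypothetical names)."""
    OK = "OK"
    WRONG_PASSWORD = "WRONG_PASSWORD"
    USER_NOT_FOUND = "USER_NOT_FOUND"
    USER_LOCKED = "USER_LOCKED"
    USER_INVALID = "USER_INVALID"


# Constructed sample user directory; plaintext passwords only to keep the
# example short (a real persister stores password hashes).
USERS = {
    "alice": {"password": "correct-horse", "locked": False, "valid": True},
    "bob": {"password": "s3cret", "locked": True, "valid": True},
    "carol": {"password": "pw", "locked": False, "valid": False},
}


def identify_and_check(username, password):
    """Look up the user and verify the password in one step, like the
    'Password Authentication' identifying step described in the text."""
    user = USERS.get(username)
    if user is None:
        return Outcome.USER_NOT_FOUND
    if not user["valid"]:
        return Outcome.USER_INVALID
    if user["locked"]:
        return Outcome.USER_LOCKED
    if not hmac.compare_digest(password.encode(), user["password"].encode()):
        return Outcome.WRONG_PASSWORD
    return Outcome.OK


def step_result(outcome, prevent_user_enumeration):
    """Map the internal outcome to what the client is told.

    With preventUserEnumeration enabled, every failure becomes the same
    generic code, so wrong password, unknown, locked and invalid users are
    indistinguishable from the response body."""
    if outcome is Outcome.OK:
        return {"status": "OK"}
    if prevent_user_enumeration:
        return {"status": "FAILED", "code": "AUTHENTICATION_FAILED"}
    return {"status": "FAILED", "code": outcome.value}


def authenticate(username, password, prevent_user_enumeration=True,
                 fixed_response_seconds=0.0):
    """Run the step and, for failed responses, pad the elapsed time up to a
    fixed duration (the 'Fixed Response Duration' recommended in the text)."""
    start = time.monotonic()
    result = step_result(identify_and_check(username, password),
                         prevent_user_enumeration)
    if result["status"] != "OK" and fixed_response_seconds > 0:
        remaining = fixed_response_seconds - (time.monotonic() - start)
        if remaining > 0:
            time.sleep(remaining)
    return result


def distinct_failure_codes(prevent_user_enumeration):
    """Collect the error codes a client would see across the four failure
    kinds; with stealth mode on this set has exactly one element."""
    attempts = [("alice", "wrong"), ("nobody", "x"),
                ("bob", "s3cret"), ("carol", "pw")]
    return {authenticate(u, p, prevent_user_enumeration)["code"]
            for u, p in attempts}


if __name__ == "__main__":
    print("stealth mode on :", distinct_failure_codes(True))
    print("stealth mode off:", distinct_failure_codes(False))
```

Note that the padding only equalises failures among themselves; a successful login may legitimately take a different time, which is why the text scopes the fixed duration to failed responses.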

Attributes
Boolean
Optional
Default value
false
Enable Temporary Locking (temporaryLockingActive)
Description

Enables Temporary Locking for this flow.

Note: Additional configuration must be done in "Authentication Flows", otherwise Temporary Locking will not be enabled.

If enabled, a "Temporary Locking Processor" is automatically added to the list of flow processors.

Note: Disabling and re-enabling this feature does not reset temporary locks.

Attributes
Boolean
Optional
Default value
true
Add Remaining Attempts Info (addRemainingAttemptsInfo)
Description

If enabled, for any step result that caused an increase in the number of failed attempts, the remaining number of attempts for that factor is returned with the step result.

This feature is not combinable with username enumeration protection.

Attributes
Boolean
Optional
Default value
false
Username Transformers (usernameTransformers)
Description
Username transformers may transform the provided username into the single unique user ID required for the flow.
The transformation of a username takes place in the first step before the user is loaded. Note that username transformers have no effect on the propagated username value. Transformers can be chained, i.e. a first transformer could normalize the original name, and the next transformer looks up the normalized name in a database for potential transformation matches.
In contrast to the chaining described above, a transformer can also signal that it has already found the final user ID, in which case the chain stops after it.
For further details please refer to the documentation of the username transformer plugins.
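The chaining and early-stop behaviour described above, as an added example that is not Airlock IAM code: each transformer returns the transformed name and a flag saying whether it is already the final user ID; the chain runner stops at the first transformer that sets the flag. The three transformer classes, the constructed alias table and the `TransformResult` type are assumptions made for illustration.

```python
"""Username transformer chain with early stop (added example).

Example code written for this reference page; not part of Airlock IAM.
Transformer classes, the alias table and the result type are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TransformResult:
    username: str
    final: bool = False  # True: this is the user ID, stop the chain here


class NormalizingTransformer:
    """Trims whitespace and lower-cases the name (hypothetical)."""

    def transform(self, username):
        return TransformResult(username.strip().lower())


class SuffixStrippingTransformer:
    """Removes a domain suffix such as '@corp.example' (hypothetical)."""

    def __init__(self, suffix):
        self.suffix = suffix

    def transform(self, username):
        if username.endswith(self.suffix):
            return TransformResult(username[: -len(self.suffix)])
        return TransformResult(username)


class AliasLookupTransformer:
    """Looks the normalized name up in a table; a hit is the final user ID
    and signals that the remaining transformers must not run."""

    def __init__(self, aliases):
        self.aliases = aliases

    def transform(self, username):
        if username in self.aliases:
            return TransformResult(self.aliases[username], final=True)
        return TransformResult(username)


def apply_chain(transformers, provided_username):
    """Run the transformers in order; stop after the first one that reports
    a final result. Returns (user_id, names of transformers that ran).
    The provided username itself is left untouched, matching the note that
    transformers do not affect the propagated username value."""
    current = provided_username
    ran = []
    for transformer in transformers:
        result = transformer.transform(current)
        ran.append(type(transformer).__name__)
        current = result.username
        if result.final:
            break
    return current, ran


# Constructed sample chain: normalize, resolve aliases, strip the domain.
CHAIN = [
    NormalizingTransformer(),
    AliasLookupTransformer({"a.lice": "u1001"}),
    SuffixStrippingTransformer("@corp.example"),
]


if __name__ == "__main__":
    print(apply_chain(CHAIN, " A.Lice "))          # alias hit stops the chain
    print(apply_chain(CHAIN, "Bob@corp.example"))  # all three transformers run
```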
Attributes
Plugin-List
Optional
Assignable plugins
Additional Attributes (additionalAttributes)
Description

Whitelist of additional attributes (e.g. headers or REST attributes) for the check password authentication REST call (/<loginapp-uri>/rest/public/authentication/password/check/).

Attributes with matching names and valid values are made available to the flow.

Attributes
Plugin-List
Optional
Assignable plugins
Persistency-less (persistencyless)
Description

If enabled, this flow does not consider persistency, i.e. users don't have to exist locally in order to be authenticated. This is typically used with SSO tickets or external authentication using OAuth or SAML.

Persistency-less flows are very limited in their capabilities, in particular:

  • Password checks and second factor authentication are not possible.
  • The user state (locked, invalid etc.) cannot be verified.
  • Identity propagation is limited to the information received from external systems.

Note that configuration validation support is limited. It is essential to test such a flow extensively to ensure it behaves correctly in all situations.

It is recommended to use the "Default Persistency-less Authentication Processors" when using a persistency-less flow.

Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.AuthenticationFlowConfig
id: AuthenticationFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  addRemainingAttemptsInfo: false
  additionalAttributes:
  persistencyless: false
  preventUserEnumeration: false
  processors:
  steps:
  temporaryLockingActive: true
  usernameTransformers:

Authentication Flow Successfully Completed

Description
Event that is triggered by the successful completion of an authentication flow.
Class
com.airlock.iam.login.application.configuration.event.AuthenticationFlowSuccessfullyCompletedSubscribedEventConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.event.AuthenticationFlowSuccessfullyCompletedSubscribedEventConfig
id: AuthenticationFlowSuccessfullyCompletedSubscribedEventConfig-xxxxxx
displayName: 
comment: 
properties:

Authentication Instant SAML 2.0 Attribute

Description
A SAML 2.0 attribute containing the authentication instant.
Class
com.airlock.iam.saml2.application.configuration.assertion.attribute.AuthenticationInstantAttributeConfig
May be used by
License-Tags
SamlIdp
Properties
Attribute Name (samlAttributeName)
Description
The name of the attribute to add to the assertion.
Attributes
String
Mandatory
Example
AuthInstant
Date And Time Format (dateAndTimeFormat)
Description

If this property is set, the SAML 2.0 attribute will contain the authentication instant formatted using the configured date and time format. The format is interpreted as specified in the java.text.SimpleDateFormat documentation. Note that the output time zone is fixed to GMT.

If this property is not set, the attribute value will contain the authentication instant as a Unix timestamp (i.e. milliseconds since epoch).

Attributes
String
Optional
Example
yyyy-MM-dd'T'HH:mm:ss'Z'
Example
yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
Example
yyyy-MM-dd HH:mm:ss
Name Format (nameFormat)
Description
The NameFormat to use for the attribute.
Attributes
String
Optional
Default value
urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Suggested values
urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
YAML Template (with default values)

type: com.airlock.iam.saml2.application.configuration.assertion.attribute.AuthenticationInstantAttributeConfig
id: AuthenticationInstantAttributeConfig-xxxxxx
displayName: 
comment: 
properties:
  dateAndTimeFormat:
  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  samlAttributeName:

Authentication Method Changed

Description
Event that is published when the authentication method of a user changes.

This event is not published in the following cases:

  • The authentication method is edited via context data - use a "Context Data Changed" event instead
  • The user is newly created
  • The user is imported, e.g. via a service container task or from external persistency (AD/LDAP)

Class
com.airlock.iam.common.application.configuration.event.AuthenticationMethodChangedEventConfig
May be used by
Properties
Ignore Empty Previous Method (ignoreEmptyPreviousMethod)
Description
If enabled, the event will not be handled when the user did not have an active previous authentication method.
Attributes
Boolean
Optional
Default value
false
Ignore Empty Active Method (ignoreEmptyActiveMethod)
Description
If enabled, the event will not be handled when the active authentication method has been removed.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.event.AuthenticationMethodChangedEventConfig
id: AuthenticationMethodChangedEventConfig-xxxxxx
displayName: 
comment: 
properties:
  ignoreEmptyActiveMethod: false
  ignoreEmptyPreviousMethod: false

Authentication Method Condition

Description
Condition that is fulfilled, if the active authentication method of the user is equal to the configured expected authentication method.
Class
com.airlock.iam.core.misc.persistency.usereventbus.conditions.AuthMethodEqualsEventCondition
May be used by
Properties
Authentication Method (authMethod)
Description
The expected authentication method for the condition to be fulfilled.
Attributes
String
Mandatory
Suggested values
AIRLOCK_2FA, CRONTO, EMAILOTP, FIDO, MATRIX, MTAN, OATH_OTP, OTP, PASSWORD
YAML Template (with default values)

type: com.airlock.iam.core.misc.persistency.usereventbus.conditions.AuthMethodEqualsEventCondition
id: AuthMethodEqualsEventCondition-xxxxxx
displayName: 
comment: 
properties:
  authMethod:

Authentication Method Identifier Mapping

Description
Maps authentication method identifiers to authenticators.
Class
com.airlock.iam.core.misc.impl.authen.AuthMethodBasedAuthenticatorSelectorMapping
May be used by
Properties
Auth Method Identifier (authMethodIdentifier)
Description
Authentication method identifier. Corresponds to the "authentication method" value stored in the user directory or database.
Attributes
String
Mandatory
Suggested values
AIRLOCK_2FA, CRONTO, EMAILOTP, FIDO, MATRIX, MTAN, OATH_OTP, OTP, PASSWORD
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.AuthMethodBasedAuthenticatorSelectorMapping
id: AuthMethodBasedAuthenticatorSelectorMapping-xxxxxx
displayName: 
comment: 
properties:
  authMethodIdentifier:
  authenticator:

AuthnContextClassRef URI SAML 2.0 Attribute

Description
A SAML 2.0 attribute containing the AuthnContextClassRef URI if an explicit Authentication Context Mapping (or a default Authentication Context) has been configured in the IdP config.
Class
com.airlock.iam.saml2.application.configuration.assertion.attribute.AuthnClassRefAttributeConfig
May be used by
License-Tags
SamlIdp
Properties
Attribute Name (samlAttributeName)
Description
The name of the attribute to add to the assertion.
Attributes
String
Mandatory
Example
AuthnContextClassRef
Name Format (nameFormat)
Description
The NameFormat to use for the attribute.
Attributes
String
Optional
Default value
urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Suggested values
urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
YAML Template (with default values)

type: com.airlock.iam.saml2.application.configuration.assertion.attribute.AuthnClassRefAttributeConfig
id: AuthnClassRefAttributeConfig-xxxxxx
displayName: 
comment: 
properties:
  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  samlAttributeName:

Authorization Flow

Description
Configuration for an authorization flow.
Class
com.airlock.iam.authentication.application.configuration.AuthorizationFlowConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.AuthorizationFlowConfig
id: AuthorizationFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  processors:
  steps:

Automated Account Registration

Description
Configuration for the registration of IAM accounts with data from the provider. The created account will be persisted in the user persister of the Loginapp and linked with the provider.
Class
com.airlock.iam.oauth2.application.configuration.accountregistration.AccountRegistrationConfig
May be used by
License-Tags
OAuthSocialRegistration
Properties
Determine Username (usernameProvider)
Description
Determines the username of the created IAM account.
Attributes
Plugin-Link
Mandatory
Assignable plugins
User Context Data Items (userContextDataItems)
Description
Context Data items from the provider that will be included in the created IAM account. There must exist a corresponding context data column entry in the user persister to successfully persist the item.
Attributes
Plugin-List
Optional
Assignable plugins
Static Roles (staticRoles)
Description
The set of roles to add to the created IAM account.
Attributes
String-List
Optional
Status Upon Creation (statusUponCreation)
Description
Defines the status of the IAM user after creation:
  • logged-in: the new user will be automatically logged-in.
  • locked: the new user will be locked, allowing an administrator to review the registration before unlocking the account. The user will be locked with reason AwaitingAdminApproval. The string resource key "account-registration-user-locked-message" is used for the corresponding feedback message.
Attributes
Enum
Optional
Default value
LOGGED_IN
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.accountregistration.AccountRegistrationConfig
id: AccountRegistrationConfig-xxxxxx
displayName: 
comment: 
properties:
  staticRoles:
  statusUponCreation: LOGGED_IN
  userContextDataItems:
  usernameProvider:

AWS Access Key Authentication

Description
AWS access key based authentication. Keys are created and maintained within AWS services.

This plugin provides credentials to allow IAM to access AWS services. If configured, no other credentials are considered, such as AWS cloud environment credentials.

Class
com.airlock.iam.keymanagementservice.application.configuration.authentication.AwsAccessKeyAuthenticationConfig
May be used by
Properties
Access Key ID (accessKeyId)
Description
The AWS IAM user's access key ID.
Attributes
String
Mandatory
Secret Access Key (secretAccessKey)
Description
The AWS IAM user's secret access key.
Attributes
String
Mandatory
Sensitive
YAML Template (with default values)

type: com.airlock.iam.keymanagementservice.application.configuration.authentication.AwsAccessKeyAuthenticationConfig
id: AwsAccessKeyAuthenticationConfig-xxxxxx
displayName: 
comment: 
properties:
  accessKeyId:
  secretAccessKey:

AWS Custom Service Access

Description
This plugin allows you to manually configure the AWS region and service endpoint to use.
Class
com.airlock.iam.keymanagementservice.application.configuration.access.AwsCustomServiceAccessConfig
May be used by
Properties
Region (region)
Description
Specifies the AWS region to use for the service connection and endpoints. Regions enable you to access AWS services that physically reside in a specific geographic area.

If no explicit AWS region is specified, IAM will attempt to identify the region in the following order:

  1. Java system property aws.region
  2. Environment variable AWS_REGION
  3. Config files at location {user.home}/.aws/credentials and {user.home}/.aws/config
  4. Region delivered through the Amazon EC2 metadata service

IAM requires a region to connect to the AWS service, otherwise connection fails with an error.
Attributes
String
Optional
Suggested values
eu-central-1, eu-central-2, eu-west-1, eu-west-2, eu-west-3, eu-south-1, eu-south-2, eu-west-2, eu-north-1
Endpoint URL (endpointUrl)
Description

This property defines the endpoint (URL) of the entry point for an AWS web service.

If left empty, the default endpoint for the selected region is used (refer to the official AWS documentation).

If configured, the default endpoint is overwritten with this URL.

Attributes
String
Optional
Example
https://kms.eu-west-2.amazonaws.com
Example
https://kms.us-east-1.amazonaws.com
YAML Template (with default values)

type: com.airlock.iam.keymanagementservice.application.configuration.access.AwsCustomServiceAccessConfig
id: AwsCustomServiceAccessConfig-xxxxxx
displayName: 
comment: 
properties:
  endpointUrl:
  region:

AWS Default Authentication

Description
AWS default authentication to allow IAM access to AWS services. If configured, IAM looks for AWS credentials in the following order:
  1. Java system properties aws.accessKeyId and aws.secretAccessKey
  2. Environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
  3. Web Identity Token credentials from system properties or environment variables
  4. Credential profiles file at location {user.home}/.aws/credentials
  5. Credentials delivered through the Amazon EC2 container service
  6. Instance profile credentials delivered through the Amazon EC2 metadata service
Class
com.airlock.iam.keymanagementservice.application.configuration.authentication.AwsDefaultAuthenticationConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.keymanagementservice.application.configuration.authentication.AwsDefaultAuthenticationConfig
id: AwsDefaultAuthenticationConfig-xxxxxx
displayName: 
comment: 
properties:

AWS Default Service Access

Description

This plugin handles how IAM can access AWS service endpoints. It automatically selects the AWS region and thus the default endpoint for each service in that region, e.g. AWS Key Management Service (KMS).

Regions enable you to access AWS services that physically reside in a specific geographic area.

Default access selection is useful when IAM is deployed in an AWS cluster where the region is already provided in one of the formats described below.

IAM attempts to identify the AWS region in the following order:

  1. Java system property aws.region
  2. Environment variable AWS_REGION
  3. Config files at location {user.home}/.aws/credentials and {user.home}/.aws/config
  4. Region delivered through the Amazon EC2 metadata service

IAM requires a region to connect to the AWS service, otherwise connection fails with an error.

Multiple AWS regions for the same service are currently not supported.

Class
com.airlock.iam.keymanagementservice.application.configuration.access.AwsDefaultServiceAccessConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.keymanagementservice.application.configuration.access.AwsDefaultServiceAccessConfig
id: AwsDefaultServiceAccessConfig-xxxxxx
displayName: 
comment: 
properties:

AWS Key Management Service

Description
Configures account and key details to use with the Amazon Web Services (AWS) Key Management Service (KMS).

AWS KMS provides a web interface to generate and manage cryptographic keys and acts as a cryptographic service provider.

Airlock IAM utilizes AWS KMS to store encrypted data in its database without having access to the cryptographic key material. AWS KMS can also be used for end-to-end encryption.

Class
com.airlock.iam.keymanagementservice.application.configuration.AwsKmsConfig
May be used by
License-Tags
AWSKMS
Properties
Service Access (serviceAccessSettings)
Description
Specifies how IAM can access AWS services.

If IAM is deployed in an AWS cluster, it is recommended to use "AWS Default Service Access".

If you want to manually configure AWS access (region/service endpoint), use "AWS Custom Service Access" instead.

Attributes
Plugin-Link
Optional
Assignable plugins
Authentication Method (authenticationSettings)
Description
Specifies how IAM authenticates against AWS services.

If IAM is deployed in an AWS cluster, it is recommended to use "AWS Default Authentication".

If you want to manually configure AWS authentication (access key ID and secret), use "AWS Access Key Authentication" instead.

Attributes
Plugin-Link
Optional
Assignable plugins
Symmetric Key ARN (symmetricKeyArn)
Description
The symmetric KMS key. A symmetric key is used to encrypt/decrypt data on the IAM database, e.g. password hashes.

This key is created in AWS and referenced here by its Amazon Resource Name (ARN). Key ARN and alias ARN are supported.

When automatic key rotation is active on AWS KMS, or if you intend to manually rotate keys, you must specify an alias ARN in this property.

Attributes
String
Optional
RSA Asymmetric Key ARN (asymmetricKeyArn)
Description
The asymmetric KMS key. An asymmetric key is only required if end-to-end encryption in the Loginapp is required.

This key is created in AWS and referenced here by its Amazon Resource Name (ARN). Key ARN and alias ARN are supported.

Since the lifetime of the public key is long, it is possible to save one AWS KMS round trip by downloading the public key and configuring it in "RSA Public Key". Make sure "RSA Asymmetric Key ARN" and "RSA Public Key" always point to the same asymmetric key material.

Attributes
String
Optional
RSA Public Key (publicKey)
Description
The RSA public key of the asymmetric KMS key referenced by "RSA Asymmetric Key ARN".

The public key can be downloaded from AWS directly and referenced here. A Base64 encoded key with or without RSA public key wrapping "BEGIN PUBLIC KEY"/"END PUBLIC KEY" is expected. This is an optimization so that the public key is taken from this property instead of requesting it by its "RSA Asymmetric Key ARN" from AWS for every operation.

Attributes
String
Optional
Multi-line-text
RSA Algorithm (rsaAlgorithm)
Description
The RSA encryption algorithm to use for end-to-end encryption.

The algorithm must be compatible with the KMS key referenced by "RSA Asymmetric Key ARN".

Attributes
Enum
Optional
Default value
RSAES_OAEP_SHA_256
YAML Template (with default values)

type: com.airlock.iam.keymanagementservice.application.configuration.AwsKmsConfig
id: AwsKmsConfig-xxxxxx
displayName: 
comment: 
properties:
  asymmetricKeyArn:
  authenticationSettings:
  publicKey:
  rsaAlgorithm: RSAES_OAEP_SHA_256
  serviceAccessSettings:
  symmetricKeyArn:

AWS KMS Password Decryption

Description
Decryption service accepting passwords encrypted with AWS KMS key material. On AWS KMS two keys are required:
  • Asymmetric key to encrypt the randomly generated key which encrypts a user's password on the client side. Configure this ARN in "RSA Asymmetric Key ARN".
  • Symmetric key to encrypt the password hashes that are stored on Airlock IAM's database. Configure this ARN in "Symmetric Key ARN".
Class
com.airlock.iam.keymanagementservice.application.configuration.password.AwsKmsPasswordDecryptionConfig
May be used by
License-Tags
AWSKMS
Properties
AWS KMS Settings (awsKmsSettings)
Description
Specifies the AWS account and key material for cryptographic operations.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.keymanagementservice.application.configuration.password.AwsKmsPasswordDecryptionConfig
id: AwsKmsPasswordDecryptionConfig-xxxxxx
displayName: 
comment: 
properties:
  awsKmsSettings:

AWS KMS Password Hash

Description

Password hash for AWS Key Management Service (KMS).

The password is first hashed with the defined hash function and then encrypted by AWS KMS.

This plugin does no encoding on the resulting hash. Therefore it should be used in combination with a 'Password Hash Configuration' or 'History Password Hash'.

If a password history is required, wrap this plugin in a 'History Password Hash'. However, bear in mind that an encrypted hash can be longer than the hash value itself. This affects the number of possible entries of 'Max History Length' in 'History Password Hash'.

Class
com.airlock.iam.keymanagementservice.application.configuration.password.hash.AwsKmsPasswordHashConfig
May be used by
License-Tags
AWSKMS
Properties
AWS KMS Settings (awsKmsSettings)
Description
Specifies the AWS account and key material for cryptographic operations.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.keymanagementservice.application.configuration.password.hash.AwsKmsPasswordHashConfig
id: AwsKmsPasswordHashConfig-xxxxxx
displayName: 
comment: 
properties:
  awsKmsSettings:
  hashFunction:

Base64 Password Hash Encoder

Description
Password Hash Plugin that Base64 encodes and decodes raw hash values.
Class
com.airlock.iam.core.misc.util.password.hash.Base64PasswordHashEncoder
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.util.password.hash.Base64PasswordHashEncoder
id: Base64PasswordHashEncoder-xxxxxx
displayName: 
comment: 
properties:

Base64 String Encoder

Description
Base64-encodes a string.
Class
com.airlock.iam.common.application.configuration.encoder.Base64StringEncoderConfig
May be used by
Properties
Encoding Scheme (encodingScheme)
Description
The scheme used for character encoding.
Attributes
String
Optional
Default value
UTF-8
URL-safe Encoding (urlSafeEncoding)
Description
Whether URL-safe encoding should be used ("+" and "/" are replaced by "-" and "_", respectively, and trailing "=" are omitted).
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.encoder.Base64StringEncoderConfig
id: Base64StringEncoderConfig-xxxxxx
displayName: 
comment: 
properties:
  encodingScheme: UTF-8
  urlSafeEncoding: false

Basic Auth Credentials

Description
Configures an HTTP Basic Authentication header containing username and password.
Class
com.airlock.iam.core.application.configuration.basicauth.BasicAuthCredentialsConfig
May be used by
Properties
User Name (userName)
Description
The username for HTTP Basic Authentication.
Attributes
String
Mandatory
Password (password)
Description
The password for HTTP Basic Authentication.
Attributes
String
Mandatory
Sensitive
YAML Template (with default values)

type: com.airlock.iam.core.application.configuration.basicauth.BasicAuthCredentialsConfig
id: BasicAuthCredentialsConfig-xxxxxx
displayName: 
comment: 
properties:
  password:
  userName:

Basic Auth Error Mapper

Description

Error Mapper that initiates Basic Authentication when the client does not send credentials or the credentials are not valid.

This plugin is designed to be used with "Basic Auth HTTP Header Extractor".

Class
com.airlock.iam.login.app.misc.oneshot.impl.BasicAuthErrorMapperFactory
May be used by
License-Tags
OneShotAuthentication
Properties
Realm (realm)
Description
The realm that is sent to the client when basic authentication is initiated.
Attributes
String
Mandatory
License-Tags
OneShotAuthentication
Example
My Server
YAML Template (with default values)

type: com.airlock.iam.login.app.misc.oneshot.impl.BasicAuthErrorMapperFactory
id: BasicAuthErrorMapperFactory-xxxxxx
displayName: 
comment: 
properties:
  realm:

Basic Auth HTTP Header Extractor

Description

Extracts username and password from the Basic Auth HTTP header.

Make sure to also configure the "Basic Auth Error Mapper" to respond with a corresponding "WWW-Authenticate" header in case of missing credentials.

Class
com.airlock.iam.login.app.misc.oneshot.impl.BasicAuthCredentialExtractorFactory
May be used by
License-Tags
OneShotAuthentication
Properties
Charset (charset)
Description
Defines the charset of the Basic Auth HTTP header. If you have trouble accepting special characters, try "ISO-8859-1" instead.
Attributes
String
Optional
License-Tags
OneShotAuthentication
Default value
UTF-8
Example
UTF-8
Example
ISO-8859-1
Username Transformers (usernameTransformers)
Description
Username transformers may transform the username to log in using different user IDs.
For further details please refer to the documentation of the username transformer plugins.
Attributes
Plugin-List
Optional
License-Tags
OneShotAuthentication
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.login.app.misc.oneshot.impl.BasicAuthCredentialExtractorFactory
id: BasicAuthCredentialExtractorFactory-xxxxxx
displayName: 
comment: 
properties:
  charset: UTF-8
  usernameTransformers:

Basic Auth Request Authentication

Description
Authenticates single requests with HTTP Basic Authentication.
Class
com.airlock.iam.common.application.configuration.credential.BasicAuthRequestAuthenticationConfig
May be used by
Properties
Password Repository (passwordRepository)
Description
The repository of user passwords.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Policy To Check On Login (policyToCheckOnLogin)
Description
The password policy that is checked when authenticating. Authentication fails if password policies are violated.
Attributes
Plugin-Link
Optional
Assignable plugins
Max Failed Attempts (maxFailedAttempts)
Description
The maximum number of failed authentication attempts before the user is locked.

Effective only if a 'User Store' is configured.

Attributes
Integer
Optional
Default value
5
Charset Name (charsetName)
Description
The character set to use for decoding 'Authorization' headers.
Attributes
String
Optional
Default value
UTF-8
Suggested values
ISO-8859-1, UTF-8
User Store (userStore)
Description
If configured, the user is loaded from local persistence and checked for validity. Authentication fails if the user is not found or is invalid. If no user store is configured, no persistency look-up takes place and the authentication is performed on data contained within the credential only.
Attributes
Plugin-Link
Optional
Assignable plugins
Username Transformation (usernameTransformers)
Description
Transforms the provided username from the credential to a technical user ID.
Attributes
Plugin-List
Optional
Assignable plugins
Static Roles (staticRoles)
Description
Static list of roles granted to the authenticated user.
Attributes
String-List
Optional
Roles Blocklist (rolesBlocklist)
Description
List of role names that won't be granted to the authenticated user. The block list is also applied to persistent roles (if available).
Attributes
String-List
Optional
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.credential.BasicAuthRequestAuthenticationConfig
id: BasicAuthRequestAuthenticationConfig-xxxxxx
displayName: 
comment: 
properties:
  charsetName: UTF-8
  maxFailedAttempts: 5
  passwordRepository:
  policyToCheckOnLogin:
  rolesBlocklist:
  staticRoles:
  userStore:
  usernameTransformers:

Basic Auth Token Introspection Config

Description
Checks a basic authentication header value against a fixed list of allowed users and passwords.

Note: The basic auth scheme in OAuth 2.0 requests must comply with the specification in RFC 6749.

Class
com.airlock.iam.login.app.misc.oauth2.introspection.config.BasicAuthTokenIntrospectionConfig
May be used by
License-Tags
OAuthServer
Properties
Charset (charset)
Description
The name of the charset used to decode the basic authentication header.
Attributes
String
Optional
Default value
UTF-8
Suggested values
ISO-8859-1, UTF-8
Allowed Users (allowedUsers)
Description
A list of all allowed username and password combinations.
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.login.app.misc.oauth2.introspection.config.BasicAuthTokenIntrospectionConfig
id: BasicAuthTokenIntrospectionConfig-xxxxxx
displayName: 
comment: 
properties:
  allowedUsers:
  charset: UTF-8

Basic mTAN Settings

Description
The basic settings for mTAN.
Class
com.airlock.iam.common.application.configuration.mtan.BasicMtanSettings
May be used by
Properties
mTAN Handler (mtanHandler)
Description
An mTAN handler retrieves and updates mTAN number tokens.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Originator (originator)
Description

Originator of the SMS messages.

There may be restrictions on the originator imposed by the SMS gateway service and by local law.

The format of the originator must be one of:

  • Numeric characters only, optionally prefixed with a plus sign '+', at most 16 characters
  • Alphanumeric characters, at most 11 characters
Furthermore, the characters that are allowed may depend on your SMS gateway provider.
Attributes
String
Mandatory
Example
Airlock
Default Country Code (defaultCountryCode)
Description
Default country code to be used if a phone number does not contain a country code. It is only used when sending messages to the user.
Attributes
String
Optional
Length <= 3
Length >= 1
Default value
41
Suggested values
41, 39, 49, 423
Use Flash Messages (useFlashMessages)
Description

If enabled, SMS messages are sent as flash SMS by default. A flash message is shown directly on the mobile phone display.

If the per-user setting is set, it takes precedence as long as a value is set for a user. If it is empty or not set, this default value is used.

Note: This has to be supported by the SMS gateway. Some recipients might not be able to receive flash messages.

Attributes
Boolean
Optional
Default value
false
Visible Phone Number Digits (visiblePhoneNumberDigits)
Description

Defines the number of phone number digits visible in log statements and in selection options sent to the user.

If the value is zero, all digits are masked; if it is large enough, all digits are visible. Example: if set to 3, the logged number looks like ********965.

The default is 100, i.e. showing all digits.

Attributes
Integer
Optional
Default value
100
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.mtan.BasicMtanSettings
id: BasicMtanSettings-xxxxxx
displayName: 
comment: 
properties:
  defaultCountryCode: 41
  mtanHandler:
  originator:
  smsGateway:
  useFlashMessages: false
  visiblePhoneNumberDigits: 100

Basic Secret Question Settings

Description
Configures common settings for secret questions. It is recommended to use the same settings for provisioning, administration and password reset.
Class
com.airlock.iam.login.application.configuration.secretquestions.BasicSecretQuestionSettings
May be used by
Properties
Question Resource Keys (questionResourceKeys)
Description
List of resource keys of the available questions. Each key represents one question. Removing a question (resource key) from this list causes all answers to that question to become invalid.

Ensure that no new question with the same key is introduced later, since a user's answer to the previous question would not match the new question.

Attributes
String-List
Mandatory
Number of Questions (numberOfQuestions)
Description
This property defines the number of questions which have to be provisioned and answered.
Attributes
Integer
Optional
Default value
2
Normalization (normalization)
Description
Normalization is a string transformation applied to answers before they are persisted and before they are verified. Therefore, an answer can be accepted even if it has minor differences from the provisioned answer. Currently, the following options exist:
  • OFF:
    No normalization. Provisioned and challenged answers must match exactly.
  • TRIM:
    Removes whitespace at the beginning and end of the answer string.
  • TRIM_CASEINSENSITIVE:
    Does the same as TRIM and additionally converts all characters to lowercase.
  • TRIM_CASEINSENSITIVE_NOWHITESPACE:
    Does the same as TRIM_CASEINSENSITIVE and additionally removes all whitespace.
  • TRIM_CASEINSENSITIVE_NOWHITESPACE_NOSPECIALCHARS:
    Does the same as TRIM_CASEINSENSITIVE_NOWHITESPACE and additionally removes all non-word characters (all characters except letters, digits and the underscore).
Attributes
Enum
Optional
Default value
TRIM_CASEINSENSITIVE
Token Data Provider (tokenDataProvider)
Description
The provider for token data for persisting the secret answers.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Hash Function Plugin (hashFunctionPlugin)
Description
This hash algorithm is used to hash the answers.

NOTE: Some password hashes, such as SHA 256 Password Hash or Scrypt Password Hash, produce binary output. If one of these is used, make sure the persistence layer supports binary data in the hash field and the corresponding persistence plugins (e.g. Database User Store or Ldap Connector) are configured to treat hash values as binary values.
In case the persistence layer expects a string, encode the password hash by wrapping it with an encoder. To achieve this, use the Password Hash Configuration plugin and specify the hash function (such as Scrypt Password Hash) together with the desired encoder. We recommend using the Base64 Password Hash Encoder.

Attributes
Plugin-Link
Optional
Assignable plugins
Min Length (minLength)
Description
Defines the minimum length of an answer.
Attributes
Integer
Optional
Default value
2
Max Length (maxLength)
Description
Defines the maximum length of an answer.
Attributes
Integer
Optional
Default value
100
Answer Regex Pattern (answerRegexPattern)
Description
Regex pattern to check the given answer (after normalization).
Attributes
RegEx
Optional
Duplicate Answers Forbidden (duplicateAnswersForbidden)
Description
Forbid the same answer for more than one question per user.
Attributes
Boolean
Optional
Default value
true
Check Using Latin1 Encoding (checkUsingLatin1Encoding)
Description

If enabled, answers containing special characters stored by IAM earlier than 6.3 are still accepted. This option does not have to be activated if all answers were set using IAM 6.3 or later or if all answers were set via webservices or REST.

To support legacy answers, those with special characters are additionally checked using their legacy encoding in latin1.

Attributes
Boolean
Optional
Default value
false
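The normalization levels, the length, regex and duplicate-answer checks, and the latin1 legacy check described in the properties above, as an added example that is not Airlock IAM's own code. The hash format (salted PBKDF2-SHA256, Base64-encoded, stored as `salt$hash`) is a constructed stand-in for a "Hash Function Plugin" wrapped in the "Base64 Password Hash Encoder", and applying the length checks to the normalized answer is an assumption.

```python
import base64
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Optional

# Normalization levels, named as in the "Normalization" property. Each level
# applies all steps of the previous one plus its own.
OFF = "OFF"
TRIM = "TRIM"
TRIM_CASEINSENSITIVE = "TRIM_CASEINSENSITIVE"
TRIM_CASEINSENSITIVE_NOWHITESPACE = "TRIM_CASEINSENSITIVE_NOWHITESPACE"
TRIM_CASEINSENSITIVE_NOWHITESPACE_NOSPECIALCHARS = (
    "TRIM_CASEINSENSITIVE_NOWHITESPACE_NOSPECIALCHARS"
)


def normalize(answer: str, level: str) -> str:
    """Apply the cumulative normalization steps of the given level."""
    if level == OFF:
        return answer
    result = answer.strip()  # TRIM: whitespace at the beginning and end
    if level == TRIM:
        return result
    result = result.lower()  # CASEINSENSITIVE: everything to lowercase
    if level == TRIM_CASEINSENSITIVE:
        return result
    result = re.sub(r"\s+", "", result)  # NOWHITESPACE: drop all whitespace
    if level == TRIM_CASEINSENSITIVE_NOWHITESPACE:
        return result
    if level == TRIM_CASEINSENSITIVE_NOWHITESPACE_NOSPECIALCHARS:
        # NOSPECIALCHARS: keep only letters, digits and the underscore
        return re.sub(r"\W", "", result)
    raise ValueError(f"unknown normalization level: {level}")


@dataclass
class SecretQuestionSettings:
    """Constructed subset of 'Basic Secret Question Settings' (page defaults)."""
    number_of_questions: int = 2
    normalization: str = TRIM_CASEINSENSITIVE
    min_length: int = 2
    max_length: int = 100
    answer_regex_pattern: Optional[str] = None
    duplicate_answers_forbidden: bool = True
    check_using_latin1_encoding: bool = False


def hash_answer(normalized: str, encoding: str = "utf-8",
                salt: Optional[bytes] = None) -> str:
    """Stand-in for 'Hash Function Plugin' + Base64 encoder (assumption:
    salted PBKDF2-SHA256, persisted as 'salt$hash', both Base64)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", normalized.encode(encoding), salt, 100_000)
    return (base64.b64encode(salt).decode("ascii") + "$"
            + base64.b64encode(digest).decode("ascii"))


def _matches(stored: str, normalized: str, encoding: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_b64, _ = stored.split("$", 1)
    candidate = hash_answer(normalized, encoding, base64.b64decode(salt_b64))
    return hmac.compare_digest(candidate, stored)


def provision(settings: SecretQuestionSettings, answers: list[str]) -> list[str]:
    """Validate a user's answers (one per question) and return the hashes to persist.
    Assumption: length checks, like the regex check, apply to the normalized answer."""
    if len(answers) != settings.number_of_questions:
        raise ValueError(f"expected {settings.number_of_questions} answers")
    normalized = [normalize(a, settings.normalization) for a in answers]
    for n in normalized:
        if not settings.min_length <= len(n) <= settings.max_length:
            raise ValueError("answer length out of bounds")
        if settings.answer_regex_pattern and not re.fullmatch(settings.answer_regex_pattern, n):
            raise ValueError("answer does not match the configured pattern")
    if settings.duplicate_answers_forbidden and len(set(normalized)) != len(normalized):
        raise ValueError("the same answer was given for more than one question")
    return [hash_answer(n) for n in normalized]


def verify(settings: SecretQuestionSettings, stored: str, answer: str) -> bool:
    """Check an answer against its persisted hash, normalizing it the same way."""
    normalized = normalize(answer, settings.normalization)
    if _matches(stored, normalized, "utf-8"):
        return True
    # 'Check Using Latin1 Encoding': answers with special characters stored by
    # pre-6.3 versions are additionally checked with their legacy latin1 bytes.
    if settings.check_using_latin1_encoding and not normalized.isascii():
        try:
            return _matches(stored, normalized, "latin-1")
        except UnicodeEncodeError:  # characters outside latin1 cannot be legacy
            return False
    return False
```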
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.secretquestions.BasicSecretQuestionSettings
id: BasicSecretQuestionSettings-xxxxxx
displayName: 
comment: 
properties:
  answerRegexPattern:
  checkUsingLatin1Encoding: false
  duplicateAnswersForbidden: true
  hashFunctionPlugin:
  maxLength: 100
  minLength: 2
  normalization: TRIM_CASEINSENSITIVE
  numberOfQuestions: 2
  questionResourceKeys:
  tokenDataProvider:

Bcrypt Password Hash

Description
Password hash plugin that uses bcrypt for hashing. Bcrypt only uses the first 72 bytes of the password in UTF-8 encoding. Therefore, consider using a policy to enforce a maximum password length restriction. See https://www.openbsd.org/papers/bcrypt-paper.pdf for more details.

Returns $[version]$[cost]$[22 character salt][31 character hash] as a bcrypt string.

Class
com.airlock.iam.core.misc.util.password.hash.BcryptPasswordHash
May be used by
Properties
Cost (Iterations Exponent) (cost)
Description
The exponent used to compute the number of iterations, also known as cost. The actual number of iterations is 2 to the power of the value defined here.

The value must be greater than or equal to 4 and less than or equal to 31. The number of iterations is stored together with the bcrypt string. Therefore, this value can be increased or decreased without losing backward compatibility.

Attributes
Integer
Optional
Default value
12
Version (version)
Description
The version used to generate the password hashes. The implementations of these versions do not differ from one another, therefore you can choose which one is used for generating password hashes.
  • $2$: version prefix in the original specification.
  • $2a$: version prefix in the revised specification defining encoding and null-terminator explicitly.
  • $2y$, $2b$: version prefixes stating explicitly that the implementation is not affected by certain known bugs.

This has no effect when checking passwords as this implementation does not suffer from the known bugs and supports all versions. Therefore, this value can be changed without losing backward compatibility.

Attributes
String
Optional
Default value
2a
Allowed values
2, 2a, 2b, 2y
YAML Template (with default values)

type: com.airlock.iam.core.misc.util.password.hash.BcryptPasswordHash
id: BcryptPasswordHash-xxxxxx
displayName: 
comment: 
properties:
  cost: 12
  version: 2a

Bearer Token HTTP Header Extractor (as Token Credential)

Description

Extracts a bearer token from the "Authorization" HTTP header and provides it as "Token Credential" to the authenticator.

This extractor is suitable for authenticators that are able to process token credentials, such as the "Token Authenticator" or the "OAuth 2.0 Access Token Authenticator".

Class
com.airlock.iam.login.app.misc.oneshot.impl.BearerTokenHttpHeaderExtractorConfig
May be used by
License-Tags
OneShotAuthentication
Properties
YAML Template (with default values)

type: com.airlock.iam.login.app.misc.oneshot.impl.BearerTokenHttpHeaderExtractorConfig
id: BearerTokenHttpHeaderExtractorConfig-xxxxxx
displayName: 
comment: 
properties:

Body And HTTP Status On Behalf Login Step Validator

Description
Validates the HTTP response of a login step. Based on the HTTP status of the response, different validators can be configured. If the response contains an unmapped response code, a default validator will be used to validate the response.
Class
com.airlock.iam.core.misc.impl.sso.onbehalflogin.BodyAndHttpStatusOnBehalfLoginStepValidator
May be used by
Properties
HTTP Status Validators (httpStatusValidators)
Description

Provides a means to apply different validators depending on the HTTP status code of the response.

The map defines pairs of status codes (key) and validators (value). If the HTTP status code of the response matches one of the configured keys, the corresponding validator is executed. The key has to be a valid number.

If the response contains a status code that is not defined here, the "Default Body Status On Behalf Login Step Validator" is used for the validation.

Attributes
Plugin-Map
Mandatory
Assignable plugins
Default Validator (defaultValidator)
Description
Default validator that gets selected if the received HTTP status code does not have a corresponding entry within the "HTTP Status Validators".
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.sso.onbehalflogin.BodyAndHttpStatusOnBehalfLoginStepValidator
id: BodyAndHttpStatusOnBehalfLoginStepValidator-xxxxxx
displayName: 
comment: 
properties:
  defaultValidator:
  httpStatusValidators:

Body Status On Behalf Login Step Validator

Description
Validates the HTTP response of a login step. If one of the patterns defined in "successCases" is found in the response and none of the other patterns ("accessDeniedCases" or "technicalErrorCases") are found, the validation is successful. More precisely, the following validation checks are performed in this order:
  1. The technical error patterns are validated. In case one of the technical error patterns matches, the validation fails.
  2. The access denied patterns are matched. In case one of the access denied patterns matches, the validation fails with an access denied error.
  3. In case one of the success patterns matches, the validation is successful. In case none of the success patterns match, the validation fails with a technical error.
Class
com.airlock.iam.core.misc.impl.sso.onbehalflogin.BodyStatusOnBehalfLoginStepValidator
May be used by
Properties
Success Cases (successCases)
Description
After the technical error and access denied validation has finished, one of the success patterns must match for the validation to succeed.
Attributes
RegEx-List
Mandatory
Access Denied Cases (accessDeniedCases)
Description
None of the access denied patterns may match the response; otherwise the validation fails with an access denied error.
Attributes
RegEx-List
Optional
Technical Error Cases (technicalErrorCases)
Description
The technical error patterns are validated first. None of them may match the response; otherwise the validation fails with a technical error.
Attributes
RegEx-List
Optional
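The status-code dispatch of "Body And HTTP Status On Behalf Login Step Validator" and the ordered pattern checks of "Body Status On Behalf Login Step Validator", as an added example that is not Airlock IAM's own code. The patterns and response bodies in `build_example_validator` and the test are constructed for a hypothetical back-end login form.

```python
import re
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    SUCCESS = "success"
    ACCESS_DENIED = "access denied"
    TECHNICAL_ERROR = "technical error"


@dataclass
class BodyStatusValidator:
    """Ordered regex checks on the response body ('Body Status ... Validator')."""
    success_cases: list[str]
    access_denied_cases: list[str] = field(default_factory=list)
    technical_error_cases: list[str] = field(default_factory=list)

    def validate(self, body: str) -> Outcome:
        # 1. technical error patterns are checked first
        if any(re.search(p, body) for p in self.technical_error_cases):
            return Outcome.TECHNICAL_ERROR
        # 2. then the access denied patterns
        if any(re.search(p, body) for p in self.access_denied_cases):
            return Outcome.ACCESS_DENIED
        # 3. finally one success pattern must match; otherwise it is a technical error
        if any(re.search(p, body) for p in self.success_cases):
            return Outcome.SUCCESS
        return Outcome.TECHNICAL_ERROR


@dataclass
class BodyAndHttpStatusValidator:
    """Selects the body validator by HTTP status ('Body And HTTP Status ... Validator')."""
    http_status_validators: dict[int, BodyStatusValidator]
    default_validator: BodyStatusValidator

    @classmethod
    def from_config(cls, status_validators: dict[str, BodyStatusValidator],
                    default: BodyStatusValidator) -> "BodyAndHttpStatusValidator":
        # Map keys come from the configuration as strings and must be valid numbers.
        parsed = {}
        for key, validator in status_validators.items():
            if not key.strip().isdigit():
                raise ValueError(f"HTTP status key is not a valid number: {key!r}")
            parsed[int(key)] = validator
        return cls(parsed, default)

    def validate(self, status: int, body: str) -> Outcome:
        validator = self.http_status_validators.get(status, self.default_validator)
        return validator.validate(body)


def build_example_validator() -> BodyAndHttpStatusValidator:
    """Constructed configuration for a hypothetical back-end login form."""
    login_page = BodyStatusValidator(
        success_cases=[r"Welcome back, \w+", r'name="sessionToken"'],
        access_denied_cases=[r"Invalid username or password", r"Account locked"],
        technical_error_cases=[r"Service Unavailable", r"Stack trace"],
    )
    redirect = BodyStatusValidator(success_cases=[r"^$", r"Redirecting"])
    # Default validator without success patterns: any unmapped status is a technical error.
    return BodyAndHttpStatusValidator.from_config(
        {"200": login_page, "302": redirect},
        default=BodyStatusValidator(success_cases=[]),
    )
```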
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.sso.onbehalflogin.BodyStatusOnBehalfLoginStepValidator
id: BodyStatusOnBehalfLoginStepValidator-xxxxxx
displayName: 
comment: 
properties:
  accessDeniedCases:
  successCases:
  technicalErrorCases:

Boolean Condition Config

Description
This condition is fulfilled if the configured boolean value provider provides the value true.
Class
com.airlock.iam.flow.shared.application.configuration.condition.BooleanConditionConfig
May be used by
Properties
Value Provider (valueProvider)
Description
Boolean value provider whose provided value will be used to determine whether the condition is fulfilled.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Is Fulfilled If Value Is Null (isFulfilledIfValueIsNull)
Description
If checked, the condition is fulfilled if the provided value is null. If unchecked, the condition is unfulfilled in that situation.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.condition.BooleanConditionConfig
id: BooleanConditionConfig-xxxxxx
displayName: 
comment: 
properties:
  isFulfilledIfValueIsNull: false
  valueProvider:

Boolean Context Data

Description
Non-interactive user context data item that stores a boolean value.
Class
com.airlock.iam.userselfreg.application.configuration.definition.BooleanNonInteractiveUserDataItemDefinitionConfig
May be used by
Properties
Context Data Item Name Config (contextDataItemNameConfig)
Description
The name of the context data where the value will be stored.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Value Provider Config (valueProviderConfig)
Description
Provides the value for the context data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.userselfreg.application.configuration.definition.BooleanNonInteractiveUserDataItemDefinitionConfig
id: BooleanNonInteractiveUserDataItemDefinitionConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataItemNameConfig:
  valueProviderConfig:

Boolean Context Data Item Config

Description
Context Data item of type Boolean.

The database column must either be of an integer type (e.g. TINYINT, INTEGER containing either 0 or 1) or of a string type (e.g. VARCHAR, CHAR containing either "0" or "1") and the values in the context data container are guaranteed to be of type java.lang.Boolean. If the persistency has a NULL value or its value does not match the values above, FALSE is assumed.

Class
com.airlock.iam.core.application.configuration.contextdata.BooleanContextDataItemConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
Defines the reusable context data item representing the name and type of a value in the context data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Database Column Name (databaseColumnName)
Description
The name of the database column to load into the context data in case it differs from the Context Data Name.
Attributes
String
Optional
Example
locked
Example
valid
Example
self_registered
Readonly On Update (readonlyOnUpdate)
Description
If enabled, this context data field is treated readonly during updates of the user data. However, the field will still be persisted while inserting the user.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.core.application.configuration.contextdata.BooleanContextDataItemConfig
id: BooleanContextDataItemConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  databaseColumnName:
  readonlyOnUpdate: false

Boolean Context Data Item Name

Description
Context Data item of type Boolean.
Class
com.airlock.iam.core.application.configuration.contextdata.BooleanContextDataItemNameConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
The name of the context data field under which the boolean value is stored.
Attributes
String
Mandatory
Example
locked
Example
valid
Example
self_registered
YAML Template (with default values)

type: com.airlock.iam.core.application.configuration.contextdata.BooleanContextDataItemNameConfig
id: BooleanContextDataItemNameConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:

Boolean Context Data Value Provider

Description

Provides the boolean value contained in the specified context data item of the user.

Make sure the configured context data item is also configured on the user persister.

Class
com.airlock.iam.common.application.configuration.valueprovider.contextdata.ContextDataBooleanValueProviderConfig
May be used by
Properties
Context Data Field (contextDataField)
Description
Context data field whose value will be returned.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Mandatory (mandatory)
Description

If enabled, the value provided by this context data item is not allowed to be null.

If this option is enabled and the context data item is null (e.g. if the configured context data is not configured on the user persister), an exception will be thrown at runtime.

Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.valueprovider.contextdata.ContextDataBooleanValueProviderConfig
id: ContextDataBooleanValueProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataField:
  mandatory: false

Boolean Data Transformer

Description
Parses the strings '0', '1', 'false', 'true' (ignoring case) and converts them to regular context data boolean objects. Any other string value will be transformed to 'false'.

The values in the context data container are guaranteed to be of type java.lang.Boolean.

Class
com.airlock.iam.core.misc.util.datatransformer.BooleanDataTransformer
May be used by
Properties
Properties (properties)
Description
Selects the properties to apply the replacement to.
Use the asterisk character ("*") to replace all properties.
Attributes
String-List
Mandatory
YAML Template (with default values)

type: com.airlock.iam.core.misc.util.datatransformer.BooleanDataTransformer
id: BooleanDataTransformer-xxxxxx
displayName: 
comment: 
properties:
  properties:

Boolean Input Token Controller Element

Description
Renders a checkbox for a boolean property.
Class
com.airlock.iam.admin.application.configuration.generic.ui.BooleanInputTokenControllerUiElementConfig
May be used by
Properties
Label (label)
Description
Label for the field. The UI treats it as a key to translate. If there is no translation, the label is shown in the UI as is.
Attributes
String
Mandatory
Example
user.generic-token.device-token.enabled
Property (property)
Description
The property to use as value for this field.

The referenced property must be available in the attributes value of the generic token REST call response. If the property is nested, e.g. inside the contextData key, it can be referenced with dot notation (see example values).

Attributes
String
Mandatory
Example
enabled
Example
contextData.locked
Read-only (readOnly)
Description
If enabled, the field is read-only and cannot be altered by administrators via the UI.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.generic.ui.BooleanInputTokenControllerUiElementConfig
id: BooleanInputTokenControllerUiElementConfig-xxxxxx
displayName: 
comment: 
properties:
  label:
  property:
  readOnly: false

Boolean User Context Data Item

Description
User context data item that stores a boolean value.
Class
com.airlock.iam.flow.shared.application.configuration.item.BooleanContextDataItemDefinitionConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
The context data item in the context data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required (required)
Description
Specifies whether this context data item is required for the step to validate successfully.
Attributes
Boolean
Optional
Default value
true
Value Must Be True (valueMustBeTrue)
Description
If enabled, only 'true' is considered a valid value.
Attributes
Boolean
Optional
Default value
false
Value Must Be False (valueMustBeFalse)
Description
If enabled, only 'false' is considered a valid value.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.item.BooleanContextDataItemDefinitionConfig
id: BooleanContextDataItemDefinitionConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  required: true
  valueMustBeFalse: false
  valueMustBeTrue: false

Boolean User Profile Item Config

Description
A configurable user profile item of type boolean. It is represented as a checkbox in the input form. The selected value is added to the user's context data, provided that the property name matches the property name in the configured user data. If the item is configured as not optional, the user is forced to check the field before being allowed to continue. This can be used to require the user to accept terms and conditions.
Class
com.airlock.iam.common.application.configuration.userprofile.BooleanUserProfileItemConfig
May be used by
Properties
Format As Boolean Object (formatAsBooleanObject)
Description
Determines whether the value should be saved as a java.lang.Boolean object. If this is not selected, the value is saved as a String.
Attributes
Boolean
Optional
Default value
true
String Resource Key (stringResourceKey)
Description
String identifier for the language-specific string tables.
Attributes
String
Mandatory
Example
userdata.label.salutation
Example
userdata.label.firstname
Example
userdata.label.lastname
Example
userdata.label.email
Example
userdata.label.nationality
Example
userdata.label.birthdate
Example
userdata.label.street
Example
userdata.label.street-number
Example
userdata.label.address2
Example
userdata.label.zipcode
Example
userdata.label.town
Example
userdata.label.state
Example
userdata.label.country
Example
userdata.label.company
Example
userdata.label.department
Example
userdata.label.office-phone
Example
userdata.label.mobile-phone
Example
userdata.label.language
Example
userdata.label.correspondence-language
Example
userdata.label.realm
Property Name (propertyName)
Description
Name of the context-data field in which the value is stored.
Attributes
String
Mandatory
Example
surname
Example
givenname
Example
email
Example
mtan_number
Optional (optional)
Description
Whether this field is optional or mandatory for the user.
Attributes
Boolean
Optional
Default value
true
Modifiable (modifiable)
Description
Indicates if the user is allowed to change this property once it is set. Specifically, if this flag is set to false, then during self-registration the property could be set, but when editing the user data, this property would be read-only.
Attributes
Boolean
Optional
Default value
true
Validate Only Changed Values (validateOnlyChangedValues)
Description
If enabled, only values that have been changed by the user (compared to the data loaded from the data layer) are validated.
Attributes
Boolean
Optional
Default value
true
Sortable (sortable)
Description
If enabled, the attribute is sortable in the user list if the underlying user iterator supports sorting.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.userprofile.BooleanUserProfileItemConfig
id: BooleanUserProfileItemConfig-xxxxxx
displayName: 
comment: 
properties:
  formatAsBooleanObject: true
  modifiable: true
  optional: true
  propertyName:
  sortable: true
  stringResourceKey:
  validateOnlyChangedValues: true

Button Group UI Element

Description
A grouping element for buttons.
Class
com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiButtonGroupConfig
May be used by
Properties
Buttons (buttons)
Description
Defines the buttons inside the button group.
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiButtonGroupConfig
id: ConfigurableUiButtonGroupConfig-xxxxxx
displayName: 
comment: 
properties:
  buttons:

Button UI Element

Description
Displays a button.
Class
com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiButtonConfig
May be used by
Properties
Label (label)
Description
Label for the button. The UI treats it as a key to translate. If there is no translation, the configured value is what is shown in the UI.
Attributes
String
Mandatory
Validation RegEx: [a-zA-Z0-9]+((\.|-)[a-zA-Z0-9]+)*
Disabled On Validation Errors (disabledOnValidationErrors)
Description
If checked, the button is not clickable if the form that contains the button has validation errors. The setting is ignored if the button is not part of a form.
Attributes
Boolean
Optional
Default value
true
Disabled With No Changes (disabledWithNoChanges)
Description
If checked, the button is not clickable if the form's content did not change. The setting is ignored if the button is not part of a form.
Attributes
Boolean
Optional
Default value
true
Alignment (alignment)
Description
Defines the button's alignment.
Attributes
Enum
Optional
Default value
RIGHT
Submit (submit)
Description
If checked, the button is of type 'submit', otherwise the type is 'button'.
Attributes
Boolean
Optional
Default value
false
On Click (onClick)
Description
The REST API calls to execute in sequence when clicking the button.
Attributes
Plugin-List
Optional
Assignable plugins
HTML ID (htmlId)
Description
The ID of the element in the HTML.
Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_]+
YAML Template (with default values)

type: com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiButtonConfig
id: ConfigurableUiButtonConfig-xxxxxx
displayName: 
comment: 
properties:
  alignment: RIGHT
  disabledOnValidationErrors: true
  disabledWithNoChanges: true
  htmlId:
  label:
  onClick:
  submit: false

Caching Certificate Status Checker

Description
Adds a cache for the revocation status returned by another Certificate Status Checker. Can be used if faster response times are needed. The size and the lifetime of the cache entries influence the memory consumption.
Class
com.airlock.iam.core.misc.impl.cert.cached.CachingCertificateStatusChecker
May be used by
License-Tags
ClientCertificate
Properties
Cache entry lifetime [minutes] (cacheEntryLifetime)
Description
Maximum lifetime of a cached revocation status in minutes.
Attributes
Integer
Optional
License-Tags
ClientCertificate
Default value
60
Maximum Cache Size (maximumCacheSize)
Description
Maximum number of cache entries.
Attributes
Integer
Optional
License-Tags
ClientCertificate
Default value
1000
Wrapped Status Checker (wrappedStatusChecker)
Description
The wrapped Certificate Status Checker.
Attributes
Plugin-Link
Mandatory
License-Tags
ClientCertificate
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.cert.cached.CachingCertificateStatusChecker
id: CachingCertificateStatusChecker-xxxxxx
displayName: 
comment: 
properties:
  cacheEntryLifetime: 60
  maximumCacheSize: 1000
  wrappedStatusChecker:

Cancel Button UI Element

Description
Displays a cancel button which aborts the current flow when clicked and redirects to the "Cancellation Target" configured on the flow UI config. If the corresponding "Cancellation Target" is not configured, the cancel button is not shown.
Class
com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiCancelButtonConfig
May be used by
Properties
Label (label)
Description
Label for the button. The UI treats it as a key to translate. If there is no translation, the configured value is what is shown in the UI.
Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9]+((\.|-)[a-zA-Z0-9]+)*
Default value
cancel
Alignment (alignment)
Description
Defines the button's alignment.
Attributes
Enum
Optional
Default value
RIGHT
HTML ID (htmlId)
Description
The ID of the element in the HTML.
Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_]+
Default value
cancelButton
YAML Template (with default values)

type: com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiCancelButtonConfig
id: ConfigurableUiCancelButtonConfig-xxxxxx
displayName: 
comment: 
properties:
  alignment: RIGHT
  htmlId: cancelButton
  label: cancel

CAPTCHA Processor

Description
This processor checks if the current flow step requires CAPTCHA protection. It blocks all calls to the step until a correct CAPTCHA solution is provided.
Note: This processor must be the first in the list of available processors.
Class
com.airlock.iam.flow.shared.application.configuration.captcha.CaptchaProcessorConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.captcha.CaptchaProcessorConfig
id: CaptchaProcessorConfig-xxxxxx
displayName: 
comment: 
properties:

CAPTCHA UI Element

Description
Displays the CAPTCHA challenge, if the step supports it and CAPTCHA is required.
Class
com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableCaptchaConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableCaptchaConfig
id: ConfigurableCaptchaConfig-xxxxxx
displayName: 
comment: 
properties:

Certificate Authenticator

Description
Authenticator used to perform authentication based on X509 certificates.

Warning 1: This authenticator assumes that some external process can guarantee that the certificate belongs to the authenticating entity. This is typically done by challenging the entity to sign something with the corresponding private key. This is, for example, the case in an SSL handshake involving client certificate verification.

Warning 2: This authenticator does not check whether the certificate was signed by a trusted entity. This must be done prior to calling this authenticator, typically during an SSL handshake.

The credentials passed to this authenticator must be of type CertificateCredential or UserCredential.
If the credential contains a username (subtype of UserCredential) the user name is stored in the authentication session for usage after successful verification of the certificate.
If the credential contains a username but no certificate (type UserCredential but not of subtype CertificateCredential), this plugin responds with CERTIFICATE_REQUIRED. This makes it suitable for usage with the MetaAuthenticator plugin.

What checks are done on the certificate and how the user name and granted roles (and possibly other data) are determined is specified by the configuration.

There are two different (and mutually exclusive) ways in which this plugin determines the username given the client certificate:
(1) Extract the username from the client certificate. In this case, any username passed as credential is ignored. See the configuration property user-attribute for this case.
(2) Take the username from the credential. In this case, the credential must contain a username.
Independent of how the username has been determined, a credential persister can be used to verify that the client certificate really belongs to the username. See property credential-persister for details. If the client certificate does not match the data stored under the determined username, the authentication response AuthenticationFailedCertificate.CERTIFICATE_DOES_NOT_MATCH_USER is returned.

The plugin writes the canonical class name of this plugin to the context data container. The class name is stored under the key authPluginClassName. A short description of this authentication method is stored under the key authMethodShortDesc. This information may be used by callers.

Class
com.airlock.iam.core.misc.impl.authen.CertificateAuthenticator
May be used by
License-Tags
ClientCertificate
Properties
User Attribute (userAttribute)
Description
Defines how the user's username (or other piece of data used to look up the username) is to be extracted from the certificate. If this property is not defined, the username is not extracted from the certificate but expected to be part of the credential passed to this plugin (see plugin description).

If a credential persister is configured (see below), the extracted user name is used to look up the credential bean. The bean can be used for further checks.
Note: This can be used to find a user mapped to the certificate (e.g. the CN of the certificate is stored together with the username in the persistence layer). To do so, configure the credential persister to look up the credential data given the value defined by this property (which does not necessarily have to be the real username). Then use the credential-bean-username property below to read the real username from the credential bean.
Note: This property has precedence over the username in the credential object. Thus, if this property is defined, any user information passed as credential is ignored.

Usually the username is part of the DN (distinguished name) of the certified subject.
This attribute specifies the attribute name of the username in the DN. Example: The value "cn" will extract the common name from the DN and use this as username.

The following values are treated specially:

  • "dn": use this value to use the whole distinguished name as username.
  • "altSubjectName": use this value to use the alternative subject name as username.
See also configuration property "strip-domain-from-username".

If this property is not defined, the plugin takes the username from the credential.

See property credential-persister for how to validate that the user is registered for this client certificate.

Attributes
String
Optional
License-Tags
ClientCertificate
Suggested values
cn, sAMAccountName, dn, altSubjectName
Strip Domain From Username (stripDomainFromUsername)
Description
If this property is set to TRUE and the username (see configuration property "user-attribute") has a domain part (as in "john.doe@domain.com"), the domain part is stripped off (resulting in "john.doe").
This property is ignored if the configuration property "user-attribute" is not defined or set to "dn".
Attributes
Boolean
Optional
License-Tags
ClientCertificate
Default value
false
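To make the username derivation described above concrete, the following added example (not Airlock IAM code) models the "user-attribute" and "strip-domain-from-username" logic together with the credential-persister match that yields CERTIFICATE_DOES_NOT_MATCH_USER. It assumes the subject is given as an RFC 4514 DN string and that the persister does an exact-DN comparison; parse_dn, extract_username, authenticate and all sample values are constructed for illustration.

```python
# Added example (not Airlock IAM code): models the username derivation of the
# Certificate Authenticator from the subject DN of a client certificate.
# Assumptions: the subject is given as an RFC 4514 string (the real plugin
# works on a parsed X.509 certificate); the alternative subject name is passed
# as a plain string; all sample values are constructed.

from typing import Optional

CERTIFICATE_REQUIRED = "CERTIFICATE_REQUIRED"
CERTIFICATE_DOES_NOT_MATCH_USER = "AuthenticationFailedCertificate.CERTIFICATE_DOES_NOT_MATCH_USER"
SUCCESS = "SUCCESS"
FAILED = "FAILED"


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs.

    Attribute types are lower-cased; backslash escapes inside values
    (e.g. "Doe\\, John") are resolved so an escaped comma does not split an RDN.
    """
    pairs: list[tuple[str, str]] = []
    buf: list[str] = []
    attr: Optional[str] = None
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):        # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and attr is None:            # end of the attribute type
            attr = "".join(buf).strip().lower()
            buf = []
        elif c == ",":                           # end of this RDN
            if attr is None:
                raise ValueError(f"RDN without attribute type in DN: {dn!r}")
            pairs.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is not None:
        pairs.append((attr, "".join(buf).strip()))
    elif "".join(buf).strip():
        raise ValueError(f"trailing RDN without attribute type in DN: {dn!r}")
    return pairs


def extract_username(subject_dn: str, alt_subject_name: Optional[str],
                     credential_username: Optional[str],
                     user_attribute: Optional[str] = None,
                     strip_domain: bool = False) -> Optional[str]:
    """Return the username the authenticator would continue with, or None.

    user_attribute unset  -> way (2): take the name from the credential.
    "dn"                  -> the whole DN is the username (strip_domain ignored).
    "altSubjectName"      -> the alternative subject name is the username.
    any other value       -> first matching DN attribute, e.g. "cn".
    """
    if user_attribute is None:
        return credential_username          # strip-domain only applies to extracted names
    attr = user_attribute.lower()
    if attr == "dn":
        return subject_dn
    if attr == "altsubjectname":
        username = alt_subject_name
    else:
        values = [v for a, v in parse_dn(subject_dn) if a == attr]
        username = values[0] if values else None
    if username is None:
        return None
    if strip_domain and "@" in username:    # "john.doe@domain.com" -> "john.doe"
        username = username.split("@", 1)[0]
    return username


def authenticate(credential: dict, persisted: dict[str, str],
                 user_attribute: Optional[str] = None,
                 strip_domain: bool = False) -> tuple[str, Optional[str]]:
    """Simplified flow. credential: dict with optional keys "username",
    "subject_dn", "alt_subject_name". persisted: username -> subject DN, a
    constructed stand-in for a credential persister with an exact-DN match
    policy (a missing record is treated as a mismatch in this example)."""
    if "subject_dn" not in credential:       # UserCredential without a certificate
        return CERTIFICATE_REQUIRED, None
    username = extract_username(credential["subject_dn"],
                                credential.get("alt_subject_name"),
                                credential.get("username"),
                                user_attribute, strip_domain)
    if username is None:
        return FAILED, None
    if persisted.get(username) != credential["subject_dn"]:
        return CERTIFICATE_DOES_NOT_MATCH_USER, username
    return SUCCESS, username


if __name__ == "__main__":
    # Constructed sample: the CN carries an e-mail style name, persisted under the stripped form.
    dn = "CN=john.doe@example.com,OU=Staff,O=Example Corp"
    store = {"john.doe": dn}
    print(authenticate({"subject_dn": dn}, store, "cn", True))   # ('SUCCESS', 'john.doe')
    print(authenticate({"subject_dn": dn}, store, "cn", False))  # mismatch: full CN is not a stored username
    print(authenticate({"username": "john.doe"}, store))         # ('CERTIFICATE_REQUIRED', None)
```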
Credential Persister (credentialPersister)
Description
Class name of the credential persister used to validate that the client certificate really belongs to the user identified by the username determined by this plugin (either taken from the credential or from the client certificate).

If this property is defined, the plugin is used to look up a credential bean using the determined username (or other id determined by this plugin). Then a check is performed whether the certificate really belongs to the user. The check is defined by the separate configuration property "matchPolicy".

How this plugin reacts if no credential record can be found is specified by the separate property "treat-no-credential-data-as-not-assigned".

Attributes
Plugin-Link
Optional
License-Tags
ClientCertificate
Assignable plugins
Username Transformation (usernameTransformers)
Description

Username transformers may transform the name a user states in the login-form into the single unique user-id required for the authentication process.

The transformation of a username takes place after extracting the user name from the presented certificate and before the authenticator reads the user from persistency layer. If a username is supplied from a previous authentication step, then no transformation is done here.

Transformers can be chained, i.e. a first transformer could normalize the original name, and the next transformer looks up the normalized name in a database for possible transformation matches.

A transformer can also signal that it already found the final user-id and that the chain must stop after it.

Attributes
Plugin-List
Optional
License-Tags
ClientCertificate
Assignable plugins
Do Not Update User Statistics (doNotUpdateUserStatistics)
Description
If a user persister is configured (see property "user-persister") and this property is set to TRUE, user statistics (failed logins, etc.) are not updated. This is helpful if this authenticator is part of a bigger authentication scheme (e.g. using the MetaAuthenticator plugin).

This property is only relevant if a user persister is configured.

Attributes
Boolean
Optional
License-Tags
ClientCertificate
Default value
false
Match Policy (matchPolicy)
Description
Defines how this plugin checks whether a certificate belongs to the user or not.

This check is only done if a credential bean has been loaded using the configured credential persister.
The credential data of the credential bean is compared to the certificate depending on the value of this property:

  • "DNs" : The distinguished names (DN) of the certificate subject and the issuer is compared to the string data of the credential bean. The comparison is case-insensitive. The DNs are encoded in the following form for comparison: <issuer-dn>ISSUER-DN</issuer-dn><subject-dn>SUBJECT-DN</subject-dn>
    This is the default value.
  • "subject-DN" : The DN of the certificate subject is compared to the string data of the credential bean. The comparison is case-insensitive. This setting can be combined with the setting "issuer-dn-property"
  • "CN" : The common name (CN) of the certificate subject is compared to the string data of the credential bean. The comparison is case-insensitive. This setting can be combined with the setting "issuer-dn-property"
  • "TBS" : The TBS (to-be-signed) part of the certificate is compared to the string or binary data of the credential bean. If the credential data is binary, the comparison is done byte-wise, if it is a string type credential, the TBS-part is base64-encoded before comparing.
  • "certificate" : The X509 certificate is compared to the string or binary data of the credential bean. If the credential data is binary, the comparison is done byte-wise, if it is a string type credential, the certificate is base64-encoded before comparing.
  • "NONE" : No check is performed.

Note: For backwards-compatibility, the default value of this property is "DNs"!

If a credential record can be found but it contains no credential data, this plugin responds with CREDENTIAL_NOT_ASSIGNED (which can, for example, start a registration process); if credential data can be found but does not match in this check, it responds with CERTIFICATE_DOES_NOT_MATCH_USER. How the plugin behaves if no credential record can be found at all is defined by the property "treat-no-credential-data-as-not-assigned".

Attributes
String
Optional
License-Tags
ClientCertificate
Default value
DNs
Allowed values
DNs, subject-DN, CN, TBS, certificate, NONE
Issuer Dn Property (issuerDnProperty)
Description
The name of the credential context data property holding the DN (distinguished name) of the issuer of the client certificate.

This setting is only used in conjunction with the match policies "CN" and "subject-DN" and requires that a credential persister is configured: in addition to matching the CN or subject DN, the issuer DN is also compared to the value stored in the context property (of the credential context container) referenced by this setting.
The comparison is case-insensitive.

Attributes
String
Optional
License-Tags
ClientCertificate
Example
issuer_dn
Multi Format Dn Comparison (multiFormatDnComparison)
Description
If set to true, comparison of distinguished names (DNs) supports various formats, and the following DNs are considered to be equal:
  • a=A,b=B,c=C
  • c=C,b=B,a=A (backwards)
  • /a=A/b=B/c=C (slash notation)
  • /c=C/b=B/a=A (slash notation backwards)
  • a=A,b=B,x.y.z=C (where x.y.z is the OID for attribute c)

This affects match policy "subject-DN" and it affects issuer DN comparison if the property "issuer-dn-property" is defined.

Attributes
Boolean
Optional
License-Tags
ClientCertificate
Default value
false
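As an added illustration (not Airlock IAM's own code; the names parse_dn, dns_equal, extract_username and match_certificate, the OID table and the sample certificate values are my own assumptions), the following Python re-implements the username extraction rules ("user-attribute", "strip-domain-from-username") and the "matchPolicy", "issuer-dn-property" and "multi-format-dn-comparison" rules described above, so the effect of each setting on a stored credential can be checked:

```python
import base64
import re

# Attribute-type OIDs (RFC 4519 / X.520) mapped to short names, so that an RDN
# written as "2.5.4.11=Dev" compares equal to "ou=Dev" in multi-format mode.
OID_TO_NAME = {
    "2.5.4.3": "cn", "2.5.4.6": "c", "2.5.4.7": "l", "2.5.4.8": "st",
    "2.5.4.10": "o", "2.5.4.11": "ou", "2.5.4.97": "organizationidentifier",
    "0.9.2342.19200300.100.1.25": "dc", "1.2.840.113549.1.9.1": "emailaddress",
}

# Constructed sample: what an authenticator sees after the TLS layer has
# already verified the client certificate (DER/TBS bytes are placeholders).
SAMPLE_CERT = {
    "subject_dn": "CN=Alice,OU=Dev,O=Example",
    "issuer_dn": "CN=Example CA,O=Example",
    "alt_subject_name": "alice@example.com",
    "tbs": b"\x30\x03\x02\x01\x01",
    "der": b"\x30\x05\x30\x03\x02\x01\x01",
}


def parse_dn(dn):
    """Split a DN into (lower-cased attribute, value) pairs in written order.
    Accepts comma notation ("a=A,b=B") and slash notation ("/a=A/b=B");
    a backslash-escaped comma does not end an RDN."""
    dn = dn.strip()
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]
    else:
        parts = re.split(r"(?<!\\),", dn)
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        attr = attr.strip().lower()
        rdns.append((OID_TO_NAME.get(attr, attr), value.strip()))
    return rdns


def _canon(dn):
    return [(a, v.lower()) for a, v in parse_dn(dn)]


def dns_equal(dn_a, dn_b, multi_format):
    """Case-insensitive DN comparison; with multi_format, slash notation,
    reversed RDN order and OID attribute names are treated as the same DN."""
    if not multi_format:
        return dn_a.strip().lower() == dn_b.strip().lower()
    a, b = _canon(dn_a), _canon(dn_b)
    return a == b or a == list(reversed(b))


def extract_username(cert, user_attribute, strip_domain=False):
    """Username selected by "user-attribute" ("dn", "altSubjectName" or an RDN
    attribute such as "cn"), optionally with the "@domain" part removed."""
    if user_attribute == "dn":
        return cert["subject_dn"]          # strip-domain is ignored for "dn"
    if user_attribute == "altSubjectName":
        name = cert["alt_subject_name"]
    else:
        name = next((v for a, v in parse_dn(cert["subject_dn"])
                     if a == user_attribute.lower()), None)
    if name is None:
        return None
    return name.split("@", 1)[0] if strip_domain else name


def encode_dns(issuer_dn, subject_dn):
    """Encoding that match policy "DNs" expects in the stored credential string."""
    return f"<issuer-dn>{issuer_dn}</issuer-dn><subject-dn>{subject_dn}</subject-dn>"


def match_certificate(policy, cert, credential_data, context=None,
                      issuer_dn_property=None, multi_format=False):
    """Result code for one loaded credential bean under the given match policy.
    credential_data is the bean's data field (str, bytes or None); context holds
    the bean's context data properties."""
    if policy == "NONE":
        return "OK"
    if credential_data in (None, "", b""):
        return "CREDENTIAL_NOT_ASSIGNED"
    if policy == "DNs":
        expected = encode_dns(cert["issuer_dn"], cert["subject_dn"])
        ok = expected.lower() == str(credential_data).lower()
    elif policy == "subject-DN":
        ok = dns_equal(cert["subject_dn"], str(credential_data), multi_format)
    elif policy == "CN":
        cn = extract_username(cert, "cn")
        ok = cn is not None and cn.lower() == str(credential_data).strip().lower()
    elif policy in ("TBS", "certificate"):
        raw = cert["tbs"] if policy == "TBS" else cert["der"]
        if isinstance(credential_data, bytes):
            ok = raw == credential_data                     # byte-wise compare
        else:                                               # string credential
            ok = base64.b64encode(raw).decode("ascii") == credential_data
    else:
        raise ValueError(f"unknown match policy {policy!r}")
    # "issuer-dn-property": additional issuer check for "CN" and "subject-DN".
    if ok and issuer_dn_property and policy in ("CN", "subject-DN"):
        stored = (context or {}).get(issuer_dn_property)
        ok = stored is not None and dns_equal(cert["issuer_dn"], stored, multi_format)
    return "OK" if ok else "CERTIFICATE_DOES_NOT_MATCH_USER"
```

Note that the "DNs" policy compares the encoded string verbatim (case-insensitively), so only "subject-DN", "CN" and the issuer check benefit from the multi-format comparison.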
User Property (userProperty)
Description
Name (key) of a context data property in the credential bean that defines the username to be used.

This property is used in situations where the username cannot be extracted directly from the certificate but it is determined by looking up a credential bean and reading the username from it. If the referenced context data property cannot be found, an AuthenticatorException is thrown.

If this property is defined, it usually makes sense to also set the property "treat-no-credential-data-as-not-assigned" to true.

Attributes
String
Optional
License-Tags
ClientCertificate
Example
username
Example
uid
Treat No Cred Data As Not Assigned (treatNoCredDataAsNotAssigned)
Description
If this property is set to "TRUE", this plugin responds with CREDENTIAL_NOT_ASSIGNED if no credential bean can be found at all. If it is "FALSE" (which is the default), this plugin responds with USER_NOT_FOUND.

This property exists to make this plugin suitable for situations where the username cannot be extracted directly from the certificate but is determined by looking up a credential bean and reading the username from it. In this case, not finding a credential bean at all usually means that the certificate has not yet been assigned. In the other case, i.e. when the username is read directly from the certificate, not finding the credential bean usually means that the user no longer exists.

Attributes
Boolean
Optional
License-Tags
ClientCertificate
Default value
false
Static Roles (staticRoles)
Description
A comma-separated list of roles (role names, optionally followed by a colon and a role idle timeout in seconds) that are granted to authenticated users. Make sure not to use spaces between the values.
Attributes
String
Optional
License-Tags
ClientCertificate
Example
role1,role2:300
Example
admin
Example
user:300,employee:600
Certificate Status Checker (certificateStatusChecker)
Description
The certificate status checker plug-in used to check the revocation status of the client certificate. The status checker can for example use a CRL or an OCSP service to do this.

Note: If this optional property is not defined or empty (and no certificate status checker plugins are configured by the property "Cert Status Checkers"), no status check is performed (i.e. all certificates are considered to be non-revoked).

Attributes
Plugin-Link
Optional
License-Tags
ClientCertificate
Assignable plugins
User Persister (userPersister)
Description
Class name of a user persister used after successful certificate verification and user extraction. The user is loaded from the persister in order to check the "locked" status and update statistics. In one of the following cases, the authentication fails (after successful certificate verification!):
  • User is not found
  • Username is ambiguous
  • User is locked
  • User is not valid
In the case of successful authentication, user data (roles, context data) is loaded and added to the result.
Attributes
Plugin-Link
Optional
License-Tags
ClientCertificate
Assignable plugins
Max Failed Logins (maxFailedLogins)
Description
The number of failed logins before a user is locked. Set to zero (0) to disable this feature. This feature only works if a user persister is configured.
Attributes
Integer
Optional
License-Tags
ClientCertificate
Default value
0
Expiring Certificate Warning Days (expiringCertificateWarningDays)
Description
This displays a warning page to the user if the client certificate is about to expire within the configured number of days.
Attributes
Integer
Optional
License-Tags
ClientCertificate
Additional User Validators (additionalUserValidators)
Description
To validate users beyond the usual tests for being locked or invalid, additional plugins can be added, which e.g. check context data fields. This is only functional if a User Persister is configured.
Attributes
Plugin-List
Optional
License-Tags
ClientCertificate
Assignable plugins
Check Validity Period (checkValidityPeriod)
Description
If enabled, the validity period of the certificate is checked. If disabled, expired (or not-yet-valid) certificates are also accepted.
Attributes
Boolean
Optional
License-Tags
ClientCertificate
Default value
true
Certificate Status Checkers (certStatusCheckers)
Description
A list of certificate status checkers used to check the revocation status of the client certificate. If more than one checker is configured, all of them are consulted and the certificate is considered revoked if at least one of them tells so.
Attributes
Plugin-List
Optional
License-Tags
ClientCertificate
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.CertificateAuthenticator
id: CertificateAuthenticator-xxxxxx
displayName: 
comment: 
properties:
  additionalUserValidators:
  certStatusCheckers:
  certificateStatusChecker:
  checkValidityPeriod: true
  credentialPersister:
  doNotUpdateUserStatistics: false
  expiringCertificateWarningDays:
  issuerDnProperty:
  matchPolicy: DNs
  maxFailedLogins: 0
  multiFormatDnComparison: false
  staticRoles:
  stripDomainFromUsername: false
  treatNoCredDataAsNotAssigned: false
  userAttribute:
  userPersister:
  userProperty:
  usernameTransformers:

Certificate Credential Extraction Step Config

Description
Step for extracting a client certificate from the request.
Class
com.airlock.iam.techclientreg.application.configuration.step.CertificateCredentialExtractionStepConfig
May be used by
License-Tags
TechClientRegistration
Properties
Certificate Required (certificateRequired)
Description
If enabled, the client certificate is always required. If it is required but missing, the step fails. In all other cases it succeeds.
Attributes
Boolean
Optional
Default value
true
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.techclientreg.application.configuration.step.CertificateCredentialExtractionStepConfig
id: CertificateCredentialExtractionStepConfig-xxxxxx
displayName: 
comment: 
properties:
  certificateRequired: true
  customFailureResponseAttributes:
  customResponseAttributes:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Certificate Data Extractor Task

Description
This task plug-in iterates over user or credential records, reads an X.509 certificate (or the TBS part of it) from each record, extracts information (e.g. DN or serial number) from it and stores this information in another field of the record.

This task can be used to retrieve information encoded in the certificate and write it to the user record so the information can be used in search criteria, queries or be displayed more easily in the admin tool.

The certificate data read from the record must be the base-64 encoded binary representation of an X.509 ASN.1 structure. It also can be only the TBS-part ("to-be-signed part") of the certificate.

Class
com.airlock.iam.servicecontainer.app.application.configuration.task.CertificateDataExtractorTask
May be used by
License-Tags
ClientCertificate
Properties
Credential Persister (credentialPersister)
Description
The credential persister plug-in is used to read the certificate and store the extracted piece(s) of information.

The returned credentials must either contain the certificate data in the string credential field or in one of the context data fields. In the latter case, the name of the context data field containing the certificate data must be specified in property "certificate-property".

Make sure the persister is able to store the target field(s), i.e. the field(s) where the extracted data is stored. It is usually necessary to list these fields in the context data container.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Credential Iterator (credentialIterator)
Description
The credential iterator plug-in used to iterate over a set of credential structures. For efficiency reasons it makes sense to limit the set of credential structures returned by this plug-in as much as possible.

It is usually a good idea to include a "not-null" check on the certificate data and "null" checks on the fields where the extracted data is stored. That way, only the records with missing (i.e. not yet processed) data are processed.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Certificate Property (certificateProperty)
Description
Name of the data field of the context data container to read the certificate data from. If this property is not defined, the certificate data is read from the string credential data field of the configured credential persister.
Attributes
String
Optional
Suggested values
cert_x509_data, cert_tbs, client_certificate
Is Tbs Data (isTbsData)
Description
Set to true if the stored certificate data is not an X509 certificate but only the TBS-part (to-be-signed-part) of it.
Attributes
Boolean
Optional
Default value
false
Mapping (mapping)
Description
Mappings of certificate data elements to context data properties.
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.servicecontainer.app.application.configuration.task.CertificateDataExtractorTask
id: CertificateDataExtractorTask-xxxxxx
displayName: 
comment: 
properties:
  certificateProperty:
  credentialIterator:
  credentialPersister:
  isTbsData: false
  mapping:

Certificate Data to Context Data Mapping

Description
Mapping certificate data elements into context data properties.
Class
com.airlock.iam.servicecontainer.app.application.configuration.task.CertificateDataExtractorTaskMapping
May be used by
Properties
Certificate Data Element (certificateDataElement)
Description
Selects the data element in the certificate. Allowed values are:
  • "notBefore": Validity start date.
  • "notAfter": Validity end date.
  • "subjectDn": Distinguished name of the subject.
  • "subjectCn": Common name of the subject.
  • "issuerDn": Distinguished name of the issuer.
  • "serial": Certificate serial number.
Attributes
String
Mandatory
Allowed values
notBefore, notAfter, subjectDn, subjectCn, issuerDn, serial
Context Property (contextProperty)
Description
Name of the context data property, the extracted certificate data element is written to.
Attributes
String
Mandatory
Example
certValidFrom
Example
certValidTo
Example
certSubjectDn
Example
certSubjectCn
Example
certIssuerDn
Example
certSerial
YAML Template (with default values)

type: com.airlock.iam.servicecontainer.app.application.configuration.task.CertificateDataExtractorTaskMapping
id: CertificateDataExtractorTaskMapping-xxxxxx
displayName: 
comment: 
properties:
  certificateDataElement:
  contextProperty:

Certificate Subject Organization Identifier Equality Credential Verifier

Description
Verifies that the HTTP signature signing certificate's subject organizationIdentifier (OID 2.5.4.97 according to ITU-T Recommendation X.520) equals the client credential certificate's subject organizationIdentifier. The signing certificate must contain an organizationIdentifier in its Subject Distinguished Name and the credential must be a certificate credential containing an equal organizationIdentifier in its Subject Distinguished Name, otherwise the verification fails.
Class
com.airlock.iam.login.app.misc.oneshot.impl.CertificateSubjectOrganizationIdentifierEqualityCredentialVerifierConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.login.app.misc.oneshot.impl.CertificateSubjectOrganizationIdentifierEqualityCredentialVerifierConfig
id: CertificateSubjectOrganizationIdentifierEqualityCredentialVerifierConfig-xxxxxx
displayName: 
comment: 
properties:

Certificate Token Authenticator

Description
Authenticator for client certificates (e.g. from smart cards or USB sticks) using the token model. This allows for more than one certificate per user.

Warning 1: This authenticator assumes that some external process can guarantee that the certificate belongs to the authenticating entity. This is typically done by challenging the entity to sign something with the corresponding private key. This is, for example, the case in an SSL handshake involving client certificate verification.

Warning 2: This authenticator does not check whether the certificate was signed by a trusted entity. This must be done prior to calling this authenticator, typically during an SSL handshake.

Class
com.airlock.iam.core.misc.impl.authen.certificate.CertificateTokenAuthenticator
May be used by
License-Tags
ClientCertificate
Properties
Certificate Matcher (certificateMatcher)
Description
Plugin to look up the client certificate in the persistency layer or an external service.
Attributes
Plugin-Link
Mandatory
License-Tags
ClientCertificate
Assignable plugins
Static Roles (staticRoles)
Description
A list of roles (role names, optionally followed by a colon and a role idle timeout in seconds) that are granted to authenticated users.
Attributes
String-List
Optional
License-Tags
ClientCertificate
Update User Statistics (updateUserStatistics)
Description
If the user statistics (last successful login, total logins) should be updated.
Attributes
Boolean
Optional
License-Tags
ClientCertificate
Default value
true
Update Token Statistics (updateTokenStatistics)
Description
If the token statistics (last usage, total usages) should be updated.
Attributes
Boolean
Optional
License-Tags
ClientCertificate
Default value
true
User Persister (userPersister)
Description
Class name of a user persister used after successful certificate verification and user extraction. The user is loaded from the persister in order to check the "locked" status and update statistics. In one of the following cases, the authentication fails (after successful certificate verification!):
  • User is not found
  • Username is ambiguous
  • User is locked
  • User is not valid
In the case of successful authentication, user data (roles, context data) is loaded and added to the result.
Attributes
Plugin-Link
Optional
License-Tags
ClientCertificate
Assignable plugins
Max Failed Logins (maxFailedLogins)
Description
The number of failed logins before a user is locked. Set to zero (0) to disable this feature. This feature only works if a user persister is configured.
Attributes
Integer
Optional
License-Tags
ClientCertificate
Default value
0
Expiring Certificate Warning Days (expiringCertificateWarningDays)
Description
This displays a warning page to the user if the client certificate is about to expire within the configured number of days.
Attributes
Integer
Optional
License-Tags
ClientCertificate
Additional User Validators (additionalUserValidators)
Description
To validate users beyond the usual tests for being locked or invalid, additional plugins can be added, which e.g. check context data fields. This is only functional if a User Persister is configured.
Attributes
Plugin-List
Optional
License-Tags
ClientCertificate
Assignable plugins
Check Validity Period (checkValidityPeriod)
Description
If enabled, the validity period of the certificate is checked. If disabled, expired (or not-yet-valid) certificates are also accepted.
Attributes
Boolean
Optional
License-Tags
ClientCertificate
Default value
true
Certificate Status Checkers (certStatusCheckers)
Description
A list of certificate status checkers used to check the revocation status of the client certificate. If more than one checker is configured, all of them are consulted and the certificate is considered revoked if at least one of them tells so.
Attributes
Plugin-List
Optional
License-Tags
ClientCertificate
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.certificate.CertificateTokenAuthenticator
id: CertificateTokenAuthenticator-xxxxxx
displayName: 
comment: 
properties:
  additionalUserValidators:
  certStatusCheckers:
  certificateMatcher:
  checkValidityPeriod: true
  expiringCertificateWarningDays:
  maxFailedLogins: 0
  staticRoles:
  updateTokenStatistics: true
  updateUserStatistics: true
  userPersister:

Certificate Token Controller

Description
Token controller to manage X.509 certificates based on the token model. Currently supported operations are adding and removing certificates.
Class
com.airlock.iam.admin.application.configuration.certificate.CertificateTokenController
May be used by
License-Tags
ClientCertificate
Properties
Token Data Provider (tokenDataProvider)
Description
Token data provider for creating, loading, updating and deleting certificates.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allowed As Active (allowedAsActive)
Description
Whether or not certificates can be chosen as active authentication method.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.certificate.CertificateTokenController
id: CertificateTokenController-xxxxxx
displayName: 
comment: 
properties:
  allowedAsActive: true
  tokenDataProvider:

Certificate Token Credential Extractor Config

Description
Extracts a client certificate credential and an authorization bearer token. The result will be a credential that is both a certificate and a token credential and therefore can be handled by authenticators handling either or both credential types.
Class
com.airlock.iam.login.app.misc.oneshot.impl.CertificateTokenCredentialExtractorConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.login.app.misc.oneshot.impl.CertificateTokenCredentialExtractorConfig
id: CertificateTokenCredentialExtractorConfig-xxxxxx
displayName: 
comment: 
properties:

Chaining Identity Propagator

Description
An identity propagator that calls multiple other identity propagators in a defined order.

Note: The configured identity propagators are processed in the defined order.
This plugin is useful if more than one identity propagator should be used.

Class
com.airlock.iam.core.misc.impl.sso.ChainingIdentityPropagator
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.sso.ChainingIdentityPropagator
id: ChainingIdentityPropagator-xxxxxx
displayName: 
comment: 
properties:
  idPropagators:

Changed Email Address Provider

Description
Provides the email address stored in the flow session for email verification during email change. This provider must find an email address in the flow session, otherwise it fails.
Class
com.airlock.iam.flow.shared.application.configuration.valueprovider.ChangedEmailProviderConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.valueprovider.ChangedEmailProviderConfig
id: ChangedEmailProviderConfig-xxxxxx
displayName: 
comment: 
properties:

Checkbox UI Element

Description
Displays a checkbox.
Class
com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiCheckboxConfig
May be used by
Properties
Label (label)
Description
Label for the checkbox. The UI treats it as a key to translate. If there is no translation, the configured value is what is shown in the UI.
Attributes
String
Mandatory
Validation RegEx: [a-zA-Z0-9]+((\.|-)[a-zA-Z0-9]+)*
Property (property)
Description
The property of the checkbox. This property will be sent to the server via REST as part of a JSON object. For example, if the property name is 'termsAccepted' and the checkbox is checked, the JSON sent to the server will be as follows: {"termsAccepted": true}.
Attributes
String
Mandatory
Validation RegEx: [a-zA-Z0-9_]+(\.[a-zA-Z0-9_]+)*
Example
termsAccepted
Example
allowNewsletter
Validation (validation)
Description
Validates the state of the checkbox. If not configured, the user can freely choose its state.
Attributes
Plugin-Link
Optional
Assignable plugins
Label Left (labelLeft)
Description
Whether the label is placed to the left of the checkbox (as for normal input fields) or to the right of it, with the checkbox itself aligned with the input fields.
Attributes
Boolean
Optional
Default value
true
HTML ID (htmlId)
Description
The ID of the element in the HTML. If no ID is set, the 'property' is used as the ID.
Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_]+
Submit To Server (submitToServer)
Description
If enabled, this value is submitted to the server. Otherwise, it is only used locally (e.g. to confirm inputs of other fields).
Attributes
Boolean
Optional
Default value
true
Initial Value Query (initialValueQuery)
Description
JSONPath query to fetch the field value from the initial REST call response. Requires an initial REST call to be configured in this custom step UI. If the query yields multiple results, the first one is set as the initial value and all others are discarded.

See the JSONPath documentation for the full documentation: https://github.com/dchester/jsonpath

Examples:

Assume the initial REST call returns the following JSON response:

{
 "meta": {
   "type": "jsonapi.metadata.document",
   "timestamp": "2023-03-10T13:06:01.294+02:00"
 },
 "data": [
  {
    "type": "user",
    "id": "user1",
    "attributes": {
      "contextData": {
         "givenname": "User1",
         "surname": "FSMTest",
         "roles": "customerA"
      }
    }
  },
  {
    "type": "user",
    "id": "user2",
    "attributes": {
      "contextData": {
        "givenname": "User2",
        "surname": "FSMTest",
        "roles": "customerB"
      }
    }
  }
 ]
}

The following table shows the results of various JSONPath queries given the JSON above:

Description | JSONPath Query | Extracted Initial Value
Static path from the root | $.meta.type | jsonapi.metadata.document
The role of the user whose id equals "user1" | $.data[?(@.id == 'user1')].attributes.contextData.roles | customer
The number of users | $.data.length | 2
All "givenname" attributes (Note: this query yields multiple results; the first one is set as the initial value, the rest is discarded.) | $..givenname | User1
Attributes
String
Optional
Example
$..locked
Example
$..data[?(@.id == 'valid')].attributes.currentValue
YAML Template (with default values)

type: com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiCheckboxConfig
id: ConfigurableUiCheckboxConfig-xxxxxx
displayName: 
comment: 
properties:
  htmlId:
  initialValueQuery:
  label:
  labelLeft: true
  property:
  submitToServer: true
  validation:

Cipher Credential Persister

Description

Encrypts and decrypts selected fields of credential data. Uses an underlying other credential persister plugin to load and store data, i.e. it is applicable to any other credential persister plugin.

Note that data that is not (yet) encrypted can be read as plaintext. The first time the field is written (because of a change in the field itself), it will be encrypted. This makes migration of data and a mixture of encrypted and non-encrypted data possible. It also implies that this encryption provides secrecy (confidentiality) but no authenticity!

The following restrictions apply when using data field encryption:

  • Encryption can only be applied to the serial number, the credential data and context data fields.
  • Encryption of context data properties can only be applied to string type properties.
  • Encryption cannot be applied to the username (even if part of the context data container)
  • Searching on encrypted fields is not supported.
  • If encrypting a context data property that is also used by other persister plugins (e.g. a user persister plugin), make sure that the other plugin also encrypts the field.
  • Note that encrypted strings are larger than their plain counterpart. Make sure to allow long strings in the underlying persister plugin. The shortest encrypted string is 38 characters long. For longer strings, doubling the plain string length makes a good upper boundary.

Class
com.airlock.iam.core.misc.impl.persistency.cipher.CipherCredentialPersister
May be used by
License-Tags
DataEncryption
Properties
Credential Persister (credentialPersister)
Description
The underlying persister plugin used to load and store data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Encrypt Serial (encryptSerial)
Description
Set to TRUE if the serial number of the credential should be encrypted.
Attributes
Boolean
Optional
Default value
false
Encrypt Credential Data (encryptCredentialData)
Description
Set to TRUE if the credential data of the credential should be encrypted.
Attributes
Boolean
Optional
Default value
true
Encrypted Context Properties (encryptedContextProperties)
Description

Specifies a list of names of string context data properties that have to be stored encrypted in the database.

Attributes
String-List
Mandatory
Cipher Password (cipherPassword)
Description

Password used for the encryption and decryption.

If other persister plugins (e.g. a UserPersister plugin) also use encryption on data fields encrypted in this plugin, make sure they use the same password.

This property supports the extended string syntax, i.e. its value may be configured scrambled or in an external file (see example values).

Attributes
String
Mandatory
Sensitive
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.cipher.CipherCredentialPersister
id: CipherCredentialPersister-xxxxxx
displayName: 
comment: 
properties:
  cipherPassword:
  credentialPersister:
  encryptCredentialData: true
  encryptSerial: false
  encryptedContextProperties:

Cipher Token List Persister

Description

Encrypts and decrypts selected context data fields of the token list data structure. Uses another, underlying token list persister plugin to load and store the data, i.e. it can wrap any other token list persister plugin.

Note that data that is not (yet) encrypted can be read as plaintext. The first time the field is written (because of a change in the very field itself), it will be encrypted. This makes migration of data and a mixture of encrypted and non-encrypted data possible. It also implies that this encryption provides secrecy (confidentiality) but no authenticity!

The following restrictions apply when using data field encryption:

  • Encryption can only be applied to context data fields.
  • Encryption can only be applied to string type properties.
  • Encryption cannot be applied to the username (even if part of the context data container).
  • Searching on encrypted fields is not supported.
  • If encrypting a context data property that is also used by other persister plugins (e.g. a user persister plugin), make sure that the other plugin also encrypts the field.
  • Note that encrypted strings are larger than their plain counterpart. Make sure to allow long strings in the underlying persister plugin. The shortest encrypted string is 38 characters long. For longer strings, doubling the plain string length makes a good upper boundary.

Class
com.airlock.iam.core.misc.impl.persistency.cipher.CipherTokenListPersister
May be used by
License-Tags
DataEncryption
Properties
Token List Persister (tokenListPersister)
Description
The underlying persister plugin used to load and store data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Encrypted Context Properties (encryptedContextProperties)
Description

Specifies a list of names of string context data properties that have to be stored encrypted in the database.

Attributes
String-List
Mandatory
Cipher Password (cipherPassword)
Description

Password used for the encryption and decryption.

If other persister plugins (e.g. a UserPersister plugin) also use encryption on data fields encrypted in this plugin, make sure they use the same password.

This property supports the extended string syntax, i.e. its value may be configured scrambled or in an external file (see example values).

Attributes
String
Mandatory
Sensitive
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.cipher.CipherTokenListPersister
id: CipherTokenListPersister-xxxxxx
displayName: 
comment: 
properties:
  cipherPassword:
  encryptedContextProperties:
  tokenListPersister:

Cipher User Persister

Description

Encrypts and decrypts selected fields of user data. Uses another, underlying user persister plugin to load and store the data, i.e. it can wrap any other user persister plugin.

The method changeUsername(String oldUsername, String newUsername) is not implemented and will throw a NotImplementedException.

Note that data that is not (yet) encrypted can be read as plaintext. The first time the field is written (because of a change in the very field itself), it will be encrypted. This makes migration of data and a mixture of encrypted and non-encrypted data possible. It also implies that this encryption provides secrecy (confidentiality) but no authenticity!

The following restrictions apply when using data field encryption:

  • Encryption can only be applied to context data fields.
  • Encryption can only be applied to string type fields.
  • Encryption cannot be applied to the username (even if part of the context data container).
  • Searching on encrypted fields is not supported.
  • If encrypting a context data property that is also used by other persister plugins (e.g. a credential persister plugin), make sure that the other plugin also encrypts the field.
  • Note that encrypted strings are larger than their plain counterpart. Make sure to allow long strings in the underlying persister plugin. The shortest encrypted string is 38 characters long. For longer strings, doubling the plain string length makes a good upper boundary but some encryption mechanisms will still produce much longer output.

Class
com.airlock.iam.core.misc.impl.persistency.cipher.CipherUserPersister
May be used by
License-Tags
DataEncryption
Properties
User Persister (userPersister)
Description
The underlying persister plugin used to load and store data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Encrypted Context Properties (encryptedContextProperties)
Description

Specifies a list of names of string context data properties that have to be stored encrypted in the database.

Attributes
String-List
Mandatory
Cipher Password (cipherPassword)
Description

Password used for the encryption and decryption.

If other persister plugins (e.g. a CredentialPersister plugin) also use encryption on context data fields listed in this plugin, make sure they use the same password.

This property supports the extended string syntax, i.e. its value may be configured scrambled or in an external file (see example values).

Attributes
String
Mandatory
Sensitive
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.cipher.CipherUserPersister
id: CipherUserPersister-xxxxxx
displayName: 
comment: 
properties:
  cipherPassword:
  encryptedContextProperties:
  userPersister:
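The three Cipher persisters above share one behaviour worth seeing in code: listed fields are read through as plaintext until the field itself is next written, the username is never encrypted, and the scheme gives confidentiality without authenticity. The following is an added example, not Airlock IAM code: the wrapped persister is modelled as a dict, the on-disk format (the `enc:` marker, a 12-byte nonce, urlsafe base64), the key derivation from cipherPassword (PBKDF2 with a constructed static salt) and the cipher itself (an HMAC-SHA256 keystream standing in for a real block cipher) are all assumptions of this example; IAM's real format is not documented on this page, so the concrete lengths differ from the 38 characters quoted above, but the growth the page warns about is visible.

```python
import base64
import hashlib
import hmac
import secrets

# Marker prefix, nonce length and key derivation are assumptions for this example;
# the page does not document Airlock IAM's on-disk format for encrypted fields.
ENC_MARKER = "enc:"
NONCE_LEN = 12


def derive_key(cipher_password: str) -> bytes:
    """Derive a 256-bit key from the configured cipherPassword (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", cipher_password.encode("utf-8"),
                               b"constructed-static-salt", 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream (HMAC-SHA256 in counter mode); stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: str) -> str:
    """Encrypt one string field. No MAC is appended, so the stored value is
    confidential but not authenticated, which is the caveat the reference states."""
    nonce = secrets.token_bytes(NONCE_LEN)
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return ENC_MARKER + base64.urlsafe_b64encode(nonce + ct).decode("ascii")


def is_encrypted(stored: str) -> bool:
    return stored.startswith(ENC_MARKER)


def decrypt_field(key: bytes, stored: str) -> str:
    """Read-through: values without the marker are legacy plaintext and returned as-is."""
    if not is_encrypted(stored):
        return stored
    raw = base64.urlsafe_b64decode(stored[len(ENC_MARKER):])
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode("utf-8")


class CipherUserPersister:
    """Wraps an underlying persister (modelled here as a dict username -> record) and
    encrypts the listed string context-data properties when they are written."""

    def __init__(self, inner: dict, cipher_password: str, encrypted_context_properties):
        self.inner = inner
        self.key = derive_key(cipher_password)
        self.props = set(encrypted_context_properties)
        if "username" in self.props:
            raise ValueError("the username cannot be encrypted")

    def load(self, username: str):
        record = self.inner.get(username)
        if record is None:
            return None
        return {k: decrypt_field(self.key, v) if k in self.props and isinstance(v, str) else v
                for k, v in record.items()}

    def update(self, username: str, changes: dict) -> None:
        """Write only the changed fields. A listed field is encrypted the first time it
        is itself written; untouched legacy fields stay plaintext (lazy migration)."""
        record = self.inner.setdefault(username, {"username": username})
        for k, v in changes.items():
            if k in self.props and isinstance(v, str):   # only string properties
                v = encrypt_field(self.key, v)
            record[k] = v


def demo() -> dict:
    # Constructed legacy store: "alice" was written before encryption was enabled.
    store = {"alice": {"username": "alice", "city": "Bern", "phone": "+41 00 000 00 00"}}
    p = CipherUserPersister(store, "cipher-password-placeholder", ["city", "phone"])
    before = p.load("alice")               # plaintext read-through works
    p.update("alice", {"city": "Zurich"})  # only "city" is written, so only "city" is encrypted
    after = p.load("alice")
    return {
        "before_city": before["city"],
        "after_city": after["city"],
        "city_encrypted": is_encrypted(store["alice"]["city"]),
        "phone_still_plain": store["alice"]["phone"] == "+41 00 000 00 00",
        "min_len": len(encrypt_field(p.key, "")),   # growth of even an empty string
    }
```

Because nothing authenticates the stored value, the underlying store must be protected by other means (database access control, backups, audit); this is why the reference says the mechanism provides secrecy but no authenticity.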

Claim From Subject Token (OAuth 2.0 Token Exchange)

Description

Sets the claim to the configured claim value of the subject token.

If the referenced subject token data does not contain any value, it will be ignored.

Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtSubjectTokenClaimValueConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
Subject Token Data Name (subjectTokenDataName)
Description
The subject token claim to use. The referenced value must be a string, number, boolean, array or object.
Attributes
String
Mandatory
Example
sub
Example
username
Example
claim1
Example
roles
Example
context-data
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtSubjectTokenClaimValueConfig
id: OAuth2TokenExchangeJwtSubjectTokenClaimValueConfig-xxxxxx
displayName: 
comment: 
properties:
  subjectTokenDataName:

Claim Set Custom Claim

Description
A custom claim introducing a JSON Object in the response.
Class
com.airlock.iam.oauth2.application.configuration.claims.CustomClaimSetClaimConfig
May be used by
License-Tags
OAuthServer
Properties
Claim Name (claimName)
Description
The name (JSON key) of the claim.

Attention: If a custom claim with this same claim name already exists, it will result in a runtime error.

Using a registered claim name (see RFC 7519) might cause the claim to be ignored or an exception to be thrown.
Attributes
String
Mandatory
Example
firstname
Example
street
Example
zip
Example
country
Example
roles
Claim Condition (claimCondition)
Description

This custom claim will only be added to the issued token if the configured condition is satisfied.

If no condition is configured, the custom claim will always be added.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.claims.CustomClaimSetClaimConfig
id: CustomClaimSetClaimConfig-xxxxxx
displayName: 
comment: 
properties:
  claimCondition:
  claimName:
  customClaims:

Claim Validator

Description
Validates one (single-valued) claim against different rules defined by the config.
Class
com.airlock.iam.oauth2.application.configuration.claims.ClaimValidatorSettings
May be used by
Properties
Claim (claim)
Description
Claim to validate.
Attributes
String
Mandatory
Suggested values
acr, iss
Mandatory (mandatory)
Description
If enabled, the claim must be present. Otherwise validation fails.
Attributes
Boolean
Optional
Default value
true
Validation Pattern (validationPattern)
Description
If defined, the claim must match the pattern. Otherwise validation fails. If left empty, a present claim is always valid.
Attributes
RegEx
Optional
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.claims.ClaimValidatorSettings
id: ClaimValidatorSettings-xxxxxx
displayName: 
comment: 
properties:
  claim:
  mandatory: true
  validationPattern:

Client Certificate (X.509) Credential Extractor

Description
Extracts the client certificate from the request and creates a credential that can be used with a "Certificate Token Authenticator" or a "Certificate Authenticator".
Class
com.airlock.iam.login.app.misc.oneshot.impl.ClientCertificateExtractor
May be used by
License-Tags
ClientCertificate
Properties
YAML Template (with default values)

type: com.airlock.iam.login.app.misc.oneshot.impl.ClientCertificateExtractor
id: ClientCertificateExtractor-xxxxxx
displayName: 
comment: 
properties:

Client Certificate (X.509) Request Authentication

Description

Authenticates single requests by their client certificate.

Warning 1: This authentication assumes that some external process can guarantee that the certificate belongs to the authenticating entity. This is typically done by challenging the entity to sign something with the corresponding private key. This is, for example, the case in an SSL handshake involving client certificate verification.

Warning 2: This authentication does not check whether the certificate was signed by a trusted entity. This must be done during the SSL handshake.

Class
com.airlock.iam.common.application.configuration.certificate.ClientCertificateRequestAuthenticationConfig
May be used by
Properties
User Attribute (userAttribute)
Description

Defines how the username is extracted from the certificate.

Usually the username is part of the DN (distinguished name) of the certified subject. This attribute specifies the attribute name of the username in the DN. Example: The value "cn" will extract the common name from the DN and use this as username.

The following values are interpreted separately:

  • dn: the whole distinguished name is used.
  • subjectAlternativeName: the alternative subject name is used.
  • certificate: the base64 encoded certificate.

Username transformation can be used to look up the user based on a context-data field or to modify the extracted username (e.g. to strip the domain from the name).

Attributes
String
Mandatory
Suggested values
cn, sAMAccountName, dn, subjectAlternativeName, certificate
Check Validity Period (checkValidityPeriod)
Description
If enabled, the validity period of the certificate is checked. If disabled, expired (or not yet valid) certificates are also accepted.
Attributes
Boolean
Optional
Default value
true
Certificate Status Checkers (certStatusCheckers)
Description
A list of certificate status checkers used to check the revocation status of the client certificate. If more than one checker is configured, all of them are consulted, and the certificate is considered revoked if at least one of them reports it as revoked.
Attributes
Plugin-List
Optional
Assignable plugins
User Store (userStore)
Description
If configured, the user is loaded from local persistence and checked for validity. Authentication fails if the user is not found or is invalid. If no user store is configured, no persistence look-up takes place and the authentication is performed only on data contained in the credential.
Attributes
Plugin-Link
Optional
Assignable plugins
Username Transformation (usernameTransformers)
Description
Transforms the provided username from the credential to a technical user ID.
Attributes
Plugin-List
Optional
Assignable plugins
Static Roles (staticRoles)
Description
Static list of roles granted to the authenticated user.
Attributes
String-List
Optional
Roles Blocklist (rolesBlocklist)
Description
List of role names that won't be granted to the authenticated user. The block list is also applied to persistent roles (if available).
Attributes
String-List
Optional
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.certificate.ClientCertificateRequestAuthenticationConfig
id: ClientCertificateRequestAuthenticationConfig-xxxxxx
displayName: 
comment: 
properties:
  certStatusCheckers:
  checkValidityPeriod: true
  rolesBlocklist:
  staticRoles:
  userAttribute:
  userStore:
  usernameTransformers:
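The properties above describe a small pipeline: validity period check, revocation checkers, username extraction from the subject DN (or the special values dn, subjectAlternativeName, certificate), username transformation, optional user store look-up, and static roles minus the blocklist. The following added example, which is not Airlock IAM code, walks through that pipeline in Python. The certificate is modelled as a dict of already-parsed fields (a constructed sample, with placeholder base64), status checkers and username transformers are plain callables, and the user store is a dict; chain trust is deliberately not checked, matching the reference's warning that this belongs in the TLS handshake.

```python
import re
from datetime import datetime, timezone


def parse_dn(dn: str):
    """Split an RFC 4514 string DN into (attribute, value) pairs; attribute names
    are lower-cased and escaped commas are unescaped."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        name, _, value = part.strip().partition("=")
        pairs.append((name.strip().lower(), value.replace("\\,", ",")))
    return pairs


def extract_username(cert: dict, user_attribute: str):
    """userAttribute semantics: the special values dn, subjectAlternativeName and
    certificate, otherwise the named attribute of the subject DN (e.g. cn)."""
    if user_attribute == "dn":
        return cert["subject_dn"]
    if user_attribute == "subjectAlternativeName":
        return cert.get("subject_alternative_name")
    if user_attribute == "certificate":
        return cert["certificate_base64"]
    for name, value in parse_dn(cert["subject_dn"]):
        if name == user_attribute.lower():
            return value
    return None


def authenticate(cert, *, user_attribute="cn", check_validity_period=True,
                 cert_status_checkers=(), user_store=None, username_transformers=(),
                 static_roles=(), roles_blocklist=(), now=None):
    """Returns {"username": ..., "roles": [...]} or None when authentication fails.
    Chain trust is NOT checked here; as the reference warns, that is the job of the
    TLS handshake in front of IAM."""
    now = now or datetime.now(timezone.utc)
    if check_validity_period and not (cert["not_before"] <= now <= cert["not_after"]):
        return None
    # All configured status checkers are consulted; one "revoked" verdict is enough.
    if any(checker(cert) for checker in cert_status_checkers):
        return None
    username = extract_username(cert, user_attribute)
    if not username:
        return None
    for transform in username_transformers:
        username = transform(username)
    persistent_roles = []
    if user_store is not None:
        user = user_store.get(username)
        if user is None or not user.get("valid", False):
            return None
        persistent_roles = user.get("roles", [])
    blocked = set(roles_blocklist)   # applied to static and persistent roles alike
    roles = sorted({r for r in (*static_roles, *persistent_roles) if r not in blocked})
    return {"username": username, "roles": roles}


# Constructed sample certificate and user store (placeholder values, not real data).
SAMPLE_CERT = {
    "subject_dn": "CN=alice,OU=Staff,O=Example Corp,C=CH",
    "issuer_dn": "CN=Example Corp Issuing CA,O=Example Corp,C=CH",
    "subject_alternative_name": "alice@example.test",
    "certificate_base64": "PLACEHOLDER-BASE64-DER",
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
}
SAMPLE_USER_STORE = {"alice": {"valid": True, "roles": ["user", "admin"]}}


def demo() -> dict:
    in_period = datetime(2024, 6, 1, tzinfo=timezone.utc)
    expired = datetime(2026, 6, 1, tzinfo=timezone.utc)
    return {
        "ok": authenticate(SAMPLE_CERT, user_store=SAMPLE_USER_STORE, static_roles=["cert-user"],
                           roles_blocklist=["admin"], now=in_period),
        "expired_checked": authenticate(SAMPLE_CERT, now=expired),
        "expired_unchecked": authenticate(SAMPLE_CERT, check_validity_period=False, now=expired),
        "revoked": authenticate(SAMPLE_CERT, cert_status_checkers=[lambda c: True], now=in_period),
        "by_dn": authenticate(SAMPLE_CERT, user_attribute="dn", now=in_period),
        "san_stripped": authenticate(SAMPLE_CERT, user_attribute="subjectAlternativeName",
                                     username_transformers=[lambda u: u.split("@")[0]],
                                     now=in_period),
    }
```

The `san_stripped` case shows the "strip the domain" transformation the User Attribute description mentions, and the `expired_unchecked` case shows why Check Validity Period should normally stay at its default of true.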

Client Certificate Context Extractor

Description

Context extractor that determines the context by matching configurable regular expressions against information in the client certificate extracted from the request.

This extractor works in conjunction with client certificate authentication.

Class
com.airlock.iam.common.application.configuration.context.ClientCertificateContextExtractor
May be used by
Properties
Mappings (mappings)
Description

Defines mappings of regular expression patterns to configuration contexts.

Each pattern is matched in order against the issuer distinguished name (DN) of the extracted client certificate.

The first matching pattern determines the resulting configuration context.

Attributes
Plugin-List
Mandatory
Assignable plugins
Match Against Subject DN (matchAgainstSubjectDn)
Description
By default, the patterns are matched against the distinguished name (DN) of the certificate issuer. If this property is enabled, the patterns are matched against the DN of the certificate subject (holder) instead.
Attributes
Boolean
Optional
Default value
false
Fallback Context (fallbackContext)
Description
Name of the context to be used if no pattern matches or no client certificate could be extracted from the request.
Leave empty to implicitly use the default context. If this plugin is used within a "Combining Context Extractor", use "[DEFAULT]" to explicitly return the default context if necessary.
Attributes
String
Optional
Example
CTX1
Example
EXT
Example
[DEFAULT]
Gateway (gateway)
Description
Settings regarding an Airlock Gateway or Airlock Microgateway reverse proxy placed in front of Airlock IAM.

The client certificate is extracted differently from the request based on this configuration:

  • Airlock Gateway (WAF): certificate is extracted from the environment cookie
  • Airlock Microgateway: certificate is extracted from the configured header
  • When no gateway is configured, attempt to extract the client certificate from the jakarta.servlet.request.X509Certificate request attribute

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.context.ClientCertificateContextExtractor
id: ClientCertificateContextExtractor-xxxxxx
displayName: 
comment: 
properties:
  fallbackContext:
  gateway:
  mappings:
  matchAgainstSubjectDn: false

Client Certificate Context Extractor Pattern

Description
A regular expression pattern and its resulting configuration context.
Class
com.airlock.iam.common.application.configuration.context.ContextPatternForClientCertificateContextExtractor
May be used by
Properties
Pattern (pattern)
Description
Regular expression pattern matched against the distinguished name.
Attributes
RegEx
Mandatory
Configuration Context (configurationContext)
Description
The configuration context identifier.
Use "[DEFAULT]" to explicitly return the default context.
Attributes
String
Mandatory
Example
ch1
Example
A
Example
[DEFAULT]
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.context.ContextPatternForClientCertificateContextExtractor
id: ContextPatternForClientCertificateContextExtractor-xxxxxx
displayName: 
comment: 
properties:
  configurationContext:
  pattern:

Client Certificate PEM Format

Description
The mTLS client certificate is expected in URL encoded PEM format.

If an invalid format is presented, the certificate cannot be extracted.

Class
com.airlock.iam.common.application.configuration.gateway.extractor.ClientCertificatePemExtractionFormatConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.gateway.extractor.ClientCertificatePemExtractionFormatConfig
id: ClientCertificatePemExtractionFormatConfig-xxxxxx
displayName: 
comment: 
properties:

Client Certificate XFCC Format

Description
The mTLS client certificate is expected in the XFCC (x-forwarded-client-cert) header format as specified by the Envoy proxy.

XFCC is a proxy header that carries certificate information about some or all of the clients or proxies a request has passed through on its way from the client to the server.

IAM requires the Cert key to be set in the XFCC header; its value contains the URL-encoded PEM certificate.

Envoy and other proxies in between, e.g. Airlock Microgateway, must be configured accordingly.

If an invalid format is presented, the certificate cannot be extracted.

Class
com.airlock.iam.common.application.configuration.gateway.extractor.ClientCertificateXfccExtractionFormatConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.gateway.extractor.ClientCertificateXfccExtractionFormatConfig
id: ClientCertificateXfccExtractionFormatConfig-xxxxxx
displayName: 
comment: 
properties:
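Both extraction formats above, the plain URL-encoded PEM header and the Envoy XFCC header with its Cert key, come down to header parsing plus a framing check. The following added example is not Airlock IAM code: it parses the XFCC element syntax (comma-separated elements, `;`-separated key=value pairs, double-quoted values with backslash escapes) as described in Envoy's documentation, takes the Cert key of the first element (which element IAM uses is not stated on this page, so that choice is an assumption), URL-decodes it and accepts it only if it carries PEM certificate framing. The certificate body, the Hash value and the By URI in the sample header are constructed placeholders, not real values.

```python
from urllib.parse import quote, unquote

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def extract_pem_header(value):
    """Client Certificate PEM Format: the header value is the URL-encoded PEM
    certificate. Returns the decoded PEM, or None if the framing is not a certificate
    (the page's 'invalid format' case)."""
    if value is None:
        return None
    pem = unquote(value).strip()
    if not (pem.startswith(PEM_BEGIN) and pem.endswith(PEM_END)):
        return None
    return pem


def parse_xfcc(header: str):
    """Parse an Envoy x-forwarded-client-cert value into a list of dicts, one per
    element (comma-separated). Pairs are ';'-separated; values may be double-quoted
    and use backslash escapes inside the quotes."""
    elements, current, key, buf, in_quotes, i = [], {}, None, [], False, 0
    while i < len(header):
        c = header[i]
        if in_quotes:
            if c == "\\" and i + 1 < len(header):
                buf.append(header[i + 1])      # escaped character inside quotes
                i += 2
                continue
            if c == '"':
                in_quotes = False
            else:
                buf.append(c)
        elif c == '"':
            in_quotes = True
        elif c == "=" and key is None:
            key = "".join(buf).strip()
            buf = []
        elif c in ";,":
            if key is not None:
                current[key] = "".join(buf)
            key, buf = None, []
            if c == ",":                       # next element (next hop's certificate info)
                elements.append(current)
                current = {}
        else:
            buf.append(c)
        i += 1
    if key is not None:
        current[key] = "".join(buf)
    if current:
        elements.append(current)
    return elements


def extract_pem_xfcc(header, element=0):
    """Client Certificate XFCC Format: read the Cert key of one element and decode it.
    Taking element 0 is this example's assumption."""
    if not header:
        return None
    elements = parse_xfcc(header)
    if element >= len(elements):
        return None
    return extract_pem_header(elements[element].get("Cert"))


# Constructed placeholder certificate (not a real certificate) and XFCC header.
SAMPLE_PEM = PEM_BEGIN + "\nQ09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU\n" + PEM_END + "\n"
SAMPLE_XFCC = (
    "By=spiffe://example.test/backend;"
    "Hash=0000000000000000000000000000000000000000000000000000000000000000;"   # placeholder
    'Subject="CN=alice,O=Example Corp";'                                       # quoted: contains ','
    "Cert=" + quote(SAMPLE_PEM, safe="")
)
```

A practical check for a deployment: only the proxy in front of IAM may set or append this header, since a client-supplied XFCC value would otherwise be parsed just like a proxy-supplied one; the reference's note that Envoy or Airlock Microgateway "must be configured accordingly" covers exactly that.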

Client Fingerprinting Score Risk Extractor

Description
Risk extractor that extracts the Airlock Gateway (WAF) client fingerprinting (CFP) score and compares it to the configured threshold. No tags are granted if the request does not contain a CFP score environment cookie.
Class
com.airlock.iam.authentication.application.configuration.risk.extractor.clientfingerprinting.ClientFingerprintingScoreRiskExtractorConfig
May be used by
Properties
Client Fingerprinting Score Threshold (clientFingerprintingThreshold)
Description
This property defines the client fingerprinting (CFP) score threshold: If the CFP score reported by the Airlock Gateway (WAF) is higher or equal to the threshold, it is considered to be a 'match'. Otherwise, it is considered to be a 'mismatch'. Please refer to the Airlock Gateway manual for further information about client fingerprinting.
Attributes
Integer
Mandatory
Tags When Above Or Equal Threshold (tagsWhenAboveOrEqualThreshold)
Description
The tags to grant if the current request's client fingerprinting score is higher or equal to the configured threshold.
Attributes
Plugin-List
Optional
Assignable plugins
Tags When Below Threshold (tagsWhenBelowThreshold)
Description
The tags to grant if the current request's client fingerprinting score is lower than the configured threshold.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.risk.extractor.clientfingerprinting.ClientFingerprintingScoreRiskExtractorConfig
id: ClientFingerprintingScoreRiskExtractorConfig-xxxxxx
displayName: 
comment: 
properties:
  clientFingerprintingThreshold:
  tagsWhenAboveOrEqualThreshold:
  tagsWhenBelowThreshold:

Client ID Custom Claim

Description
A custom claim for the Client ID.
Class
com.airlock.iam.oauth2.application.configuration.claims.CustomClientIdClaimConfig
May be used by
License-Tags
OAuthServer
Properties
Claim Name (claimName)
Description
The name (JSON key) of the claim.

Attention: If a custom claim with this same claim name already exists, it will result in a runtime error.

Using a registered claim name (see RFC 7519) might cause the claim to be ignored or an exception to be thrown.
Attributes
String
Mandatory
Example
firstname
Example
street
Example
zip
Example
country
Example
roles
Claim Condition (claimCondition)
Description

This custom claim will only be added to the issued token if the configured condition is satisfied.

If no condition is configured, the custom claim will always be added.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.claims.CustomClientIdClaimConfig
id: CustomClientIdClaimConfig-xxxxxx
displayName: 
comment: 
properties:
  claimCondition:
  claimName:

Client ID From Subject Token (OAuth 2.0 Token Exchange)

Description

Sets the claim value to that of the subject token's "client_id" data.

Only string values are considered. If the subject token's "client_id" data is not a string value, the token exchange request leads to an invalid request error.

Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtSubjectTokenClientIdClaimValueConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtSubjectTokenClientIdClaimValueConfig
id: OAuth2TokenExchangeJwtSubjectTokenClientIdClaimValueConfig-xxxxxx
displayName: 
comment: 
properties:

Client ID Of Authenticated Client (OAuth 2.0 Token Exchange)

Description
Sets the claim value to that of the authenticated client ID.
Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtAuthenticatedClientIdStringClaimValueConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtAuthenticatedClientIdStringClaimValueConfig
id: OAuth2TokenExchangeJwtAuthenticatedClientIdStringClaimValueConfig-xxxxxx
displayName: 
comment: 
properties:

Client IP SAML 2.0 Attribute

Description
A SAML 2.0 attribute containing the client IP address.
Class
com.airlock.iam.saml2.application.configuration.assertion.attribute.ClientIpAttributeConfig
May be used by
License-Tags
SamlIdp
Properties
Attribute Name (samlAttributeName)
Description
The name of the attribute to add to the assertion.
Attributes
String
Mandatory
Example
ClientIP
Name Format (nameFormat)
Description
The NameFormat to use for the attribute.
Attributes
String
Optional
Default value
urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Suggested values
urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
YAML Template (with default values)

type: com.airlock.iam.saml2.application.configuration.assertion.attribute.ClientIpAttributeConfig
id: ClientIpAttributeConfig-xxxxxx
displayName: 
comment: 
properties:
  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  samlAttributeName:

Client Name Processor

Description
Processes the "client_name" metadata attribute. The value is taken from the request as long as it matches the configured regular expression and doesn't exceed the length limit imposed by the database.
Class
com.airlock.iam.techclientreg.application.configuration.registration.ClientNameProcessorConfig
May be used by
License-Tags
TechClientRegistration
Properties
Allowed Values (allowedValues)
Description
Regular expression limiting the client names requested by the client.
Attributes
RegEx
Optional
Default value
[a-zA-Z0-9 _.-]+
Mandatory (mandatory)
Description
If the attribute is mandatory a valid value is required, or else an error is returned. If it is not mandatory, invalid values are silently ignored.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.techclientreg.application.configuration.registration.ClientNameProcessorConfig
id: ClientNameProcessorConfig-xxxxxx
displayName: 
comment: 
properties:
  allowedValues: [a-zA-Z0-9 _.-]+
  mandatory: false

Coloring Rule

Description
Defines a coloring rule for the log viewer based on a regular expression.
Class
com.airlock.iam.admin.application.configuration.logviewer.ColoringRule
May be used by
Properties
Regexp Pattern String (regexpPatternString)
Description
Defines the regular expression pattern matched against the log level and the message. The matching is case-insensitive. The pattern must match part of the level or message. Use "^" and "$" to be sure it matches the whole level or message.
Attributes
RegEx
Mandatory
Foreground Color (foregroundColor)
Description
Foreground color (font) of the log message.
Attributes
String
Optional
Default value
black
Allowed values
black, white, red, blue, green, yellow, orange, purple
Background Color (backgroundColor)
Description
Background color of the log message.
Attributes
String
Optional
Default value
white
Allowed values
black, white, red, blue, green, yellow, orange, purple
Foreground Color For Meta Data (foregroundColorForMetaData)
Description
Metadata color of the log message.
Attributes
String
Optional
Default value
black
Allowed values
black, white, red, blue, green, yellow, orange, purple
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.logviewer.ColoringRule
id: ColoringRule-xxxxxx
displayName: 
comment: 
properties:
  backgroundColor: white
  foregroundColor: black
  foregroundColorForMetaData: black
  regexpPatternString:

Combined Password Hash

Description
Combined password hash plugin that uses one configured PasswordHash for hash generation and a list of PasswordHash functions for checking/verification. Verification passes if one of the configured hashes verifies the password against its stored hash.
Class
com.airlock.iam.core.misc.util.password.hash.CombinedPasswordHash
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.util.password.hash.CombinedPasswordHash
id: CombinedPasswordHash-xxxxxx
displayName: 
comment: 
properties:
  hashForGeneration:
  hashesForVerification:
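The Combined Password Hash pattern (one scheme for generation, several for verification) is what makes a hash-algorithm migration possible without forcing password resets. The following added example, not Airlock IAM code, shows it with two PBKDF2 variants from the Python standard library: a legacy SHA-1 scheme that is still accepted for verification and a SHA-256 scheme used for all new hashes. The `scheme$iterations$salt$hash` storage format and the verify-then-rehash helper are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def pbkdf2_generator(hash_name: str, iterations: int):
    """Return a generation function producing 'pbkdf2-<hash>$<iter>$<salt>$<digest>'."""
    def generate(password: str) -> str:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
        return f"pbkdf2-{hash_name}${iterations}${_b64(salt)}${_b64(digest)}"
    return generate


def pbkdf2_verifier(hash_name: str):
    """Return a verify function that abstains (False) on hashes of any other scheme."""
    scheme = f"pbkdf2-{hash_name}"

    def verify(password: str, stored: str) -> bool:
        parts = stored.split("$")
        if len(parts) != 4 or parts[0] != scheme:
            return False
        iterations, salt, digest = int(parts[1]), base64.b64decode(parts[2]), base64.b64decode(parts[3])
        actual = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
        return hmac.compare_digest(actual, digest)   # constant-time comparison
    return verify


class CombinedPasswordHash:
    """hashForGeneration: one generator; hashesForVerification: any verifier may pass."""

    def __init__(self, hash_for_generation, generation_scheme: str, hashes_for_verification):
        self.generate = hash_for_generation
        self.generation_scheme = generation_scheme
        self.verifiers = list(hashes_for_verification)

    def verify(self, password: str, stored: str) -> bool:
        return any(v(password, stored) for v in self.verifiers)

    def verify_and_migrate(self, password: str, stored: str):
        """Returns (ok, new_hash_or_None): after a successful verification against a
        legacy scheme the caller can store the re-generated hash (assumed helper)."""
        if not self.verify(password, stored):
            return False, None
        if stored.startswith(self.generation_scheme + "$"):
            return True, None
        return True, self.generate(password)


def demo() -> dict:
    legacy_hash = pbkdf2_generator("sha1", 10_000)("correct horse")   # constructed legacy record
    combined = CombinedPasswordHash(
        pbkdf2_generator("sha256", 50_000), "pbkdf2-sha256",
        [pbkdf2_verifier("sha256"), pbkdf2_verifier("sha1")],
    )
    ok, migrated = combined.verify_and_migrate("correct horse", legacy_hash)
    ok_again, migrated_again = combined.verify_and_migrate("correct horse", migrated)
    return {
        "legacy_ok": combined.verify("correct horse", legacy_hash),
        "legacy_wrong": combined.verify("wrong", legacy_hash),
        "migrated": ok and migrated.startswith("pbkdf2-sha256$"),
        "migrated_verifies": combined.verify("correct horse", migrated),
        "no_second_migration": ok_again and migrated_again is None,
    }
```

Once every stored hash has been migrated, the legacy verifier can be dropped from the verification list; leaving it in place indefinitely keeps the weaker scheme acceptable for any record that has not been touched since.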

Combining Context Extractor

Description
Combines two or more context extractors in the following way: Iterates over the list of configured context extractors and returns the first specific context (even if it is the explicit default context). If no context extractor returns a context, the fallback context is used.
Class
com.airlock.iam.core.misc.util.context.CombiningContextExtractor
May be used by
Properties
Context Extractors (contextExtractors)
Description
Defines the context extractors to be used in order.
Attributes
Plugin-List
Mandatory
Assignable plugins
Fallback Context (fallbackContext)
Description
Name of the context to be used if none of the configured extractors returns a specific context.
Leave empty to implicitly use the default context. If this plugin is used within a "Combining Context Extractor", use "[DEFAULT]" to explicitly return the default context if necessary.
Attributes
String
Optional
Example
CTX1
Example
EXT
Example
[DEFAULT]
YAML Template (with default values)

type: com.airlock.iam.core.misc.util.context.CombiningContextExtractor
id: CombiningContextExtractor-xxxxxx
displayName: 
comment: 
properties:
  contextExtractors:
  fallbackContext:
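The Client Certificate Context Extractor (patterns matched in order against the issuer DN, or the subject DN if configured, with a fallback) and the Combining Context Extractor (first specific context wins, an explicit "[DEFAULT]" included) compose naturally. The following added example, not Airlock IAM code, models both in Python: certificates are dicts with constructed DNs, extractors are callables that return a context name or `None` for "no context", an empty fallback means the implicit default, and `effective_context` maps both the implicit and the explicit default onto an assumed display name "default".

```python
import re

EXPLICIT_DEFAULT = "[DEFAULT]"     # the page's token for "explicitly the default context"
DEFAULT_CONTEXT_NAME = "default"   # assumed display name for the implicit default context


def client_certificate_context(cert, mappings, *, match_against_subject_dn=False,
                               fallback_context=""):
    """Client Certificate Context Extractor: the first pattern (in order) that matches the
    issuer DN (or, if configured, the subject DN) decides; otherwise the fallback.
    An empty fallback means 'no context', i.e. implicitly the default context."""
    if cert is None:                      # no client certificate could be extracted
        return fallback_context or None
    dn = cert["subject_dn"] if match_against_subject_dn else cert["issuer_dn"]
    for pattern, context in mappings:
        if re.search(pattern, dn):
            return context
    return fallback_context or None


def combining_context(extractors, *, fallback_context=""):
    """Combining Context Extractor: returns the first specific context an extractor
    yields (an explicit "[DEFAULT]" counts and stops the search); else the fallback."""
    for extractor in extractors:
        context = extractor()
        if context is not None:
            return context
    return fallback_context or None


def effective_context(context):
    """Map 'no context' and the explicit "[DEFAULT]" token onto the default context."""
    return DEFAULT_CONTEXT_NAME if context in (None, EXPLICIT_DEFAULT) else context


# Constructed certificates and mappings.
PARTNER_CERT = {"issuer_dn": "CN=Partner CA,O=Partner Ltd,C=DE",
                "subject_dn": "CN=bob,O=Partner Ltd,C=DE"}
INTERNAL_CERT = {"issuer_dn": "CN=Example Corp Issuing CA,O=Example Corp,C=CH",
                 "subject_dn": "CN=alice,OU=Staff,O=Example Corp,C=CH"}
MAPPINGS = [
    (r"^CN=Partner CA,", "EXT"),            # partner CA -> context EXT
    (r"O=Example Corp", EXPLICIT_DEFAULT),   # our own CA -> explicitly the default context
]


def demo() -> dict:
    def header_extractor():
        return None   # stands in for another extractor that finds no context

    def cert_extractor(cert):
        return lambda: client_certificate_context(cert, MAPPINGS)

    return {
        "partner": client_certificate_context(PARTNER_CERT, MAPPINGS),
        "internal": client_certificate_context(INTERNAL_CERT, MAPPINGS),
        "no_cert": client_certificate_context(None, MAPPINGS, fallback_context="CTX1"),
        "subject_match": client_certificate_context(PARTNER_CERT, [(r"CN=bob", "BOB")],
                                                    match_against_subject_dn=True),
        # The cert extractor answers "[DEFAULT]", a specific context, so the combining
        # extractor stops there and the fallback "CTX1" is not used.
        "combined": combining_context([header_extractor, cert_extractor(INTERNAL_CERT)],
                                      fallback_context="CTX1"),
        "combined_fallback": combining_context([header_extractor, cert_extractor(None)],
                                               fallback_context="CTX1"),
    }
```

The `combined` case is the reason the reference tells you to use "[DEFAULT]" rather than an empty fallback inside a Combining Context Extractor: an empty fallback is "no answer" and lets later extractors or the outer fallback decide, whereas "[DEFAULT]" is a definite answer.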

Combining Extended User Persister

Description
Merges the results of several ExtendedUserPersisters. This only works as expected if each user persister is responsible for a distinct subset of users. Please be aware that undeleting a user is not possible.
Class
com.airlock.iam.core.misc.impl.persistency.CombiningExtendedUserPersister
May be used by
License-Tags
UserAggregation
Properties
User Insertion Persister (userInsertionPersister)
Description
The persister used when a user is inserted. Make sure this user persister is also contained in the list of persisters of this plugin; otherwise the configuration may behave unexpectedly. If this property is left empty, the configuration validates, but users cannot be inserted.
Attributes
Plugin-Link
Optional
License-Tags
UserAggregation
Assignable plugins
Persisters (persisters)
Description
The list of persisters in the order they are combined. When a user exists in multiple inner persisters an exception is thrown, or the first persister in this list wins, depending on the configuration flag Allow Duplicates.
Attributes
Plugin-List
Mandatory
License-Tags
UserAggregation
Assignable plugins
Allow Duplicates (allowDuplicates)
Description
If this flag is set to true, the result from the first inner persister in which the user is found is returned; the user may also exist in another persister, which is then not consulted. If this flag is set to false, all inner persisters are always queried, and if a userId is found by more than one of them, a NotUniqueException is thrown.

Iterator methods are always called on all persisters, but if Allow Duplicates is enabled, no exception is thrown in case of duplicates.

Enabling this flag improves performance, but the uniqueness of a user across all inner persisters is no longer checked.
Attributes
Boolean
Optional
License-Tags
UserAggregation
Default value
false
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.CombiningExtendedUserPersister
id: CombiningExtendedUserPersister-xxxxxx
displayName: 
comment: 
properties:
  allowDuplicates: false
  persisters:
  userInsertionPersister:

Combining Role Provider

Description
Provides the roles from the configured role providers.
Class
com.airlock.iam.login.application.configuration.targetapp.CombiningRoleProviderConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.targetapp.CombiningRoleProviderConfig
id: CombiningRoleProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  roleProviders:

Combining User Persister

Description
Merges the results of several UserPersisters. This only works as expected if each user persister is responsible for a distinct subset of users.
Class
com.airlock.iam.core.misc.impl.persistency.CombiningUserPersister
May be used by
License-Tags
UserAggregation
Properties
Persisters (persisters)
Description
The list of persisters in the order they are combined. When a user exists in multiple inner persisters an exception is thrown, or the first persister in this list wins, depending on the configuration flag Allow Duplicates.
Attributes
Plugin-List
Mandatory
License-Tags
UserAggregation
Assignable plugins
Allow Duplicates (allowDuplicates)
Description
If this flag is set to true, the result from the first inner persister (in the order of the Persisters list) where the user is found is returned. The same user may also exist in another inner persister; this is not detected.

If this flag is set to false, all inner persisters are always asked, and if a userId is found by more than one inner persister, a NotUniqueException is thrown.

Iterator methods are always called on all persisters, but if Allow Duplicates is enabled, no exception is thrown in case of duplicates.

Enabling this flag improves performance, but the uniqueness of a user across all inner persisters is no longer checked.
Attributes
Boolean
Optional
License-Tags
UserAggregation
Default value
false
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.CombiningUserPersister
id: CombiningUserPersister-xxxxxx
displayName: 
comment: 
properties:
  allowDuplicates: false
  persisters:
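
The two settings of Allow Duplicates behave very differently when a username exists in more than one inner persister, and with the flag enabled the order of the Persisters list silently decides which record (and therefore which password, lock state and roles) is used. The following Python model is an added example and not Airlock IAM code; it reproduces only the semantics documented above (first persister wins vs. NotUniqueException, iteration over all persisters) with in-memory dictionaries standing in for the configured inner persisters. The user records and store names are constructed for the example, and listing a colliding userId once during lenient iteration is an assumption.

```python
"""Illustrative model of the Combining User Persister's duplicate handling (not Airlock IAM code)."""
from typing import Dict, Iterator, List, Optional


class NotUniqueException(Exception):
    """Raised when a userId exists in more than one inner persister."""


class DictPersister:
    """Stand-in for a configured inner persister (e.g. a database or directory store)."""

    def __init__(self, name: str, users: Dict[str, dict]) -> None:
        self.name = name
        self.users = users

    def find(self, user_id: str) -> Optional[dict]:
        return self.users.get(user_id)

    def iterate(self) -> Iterator[str]:
        return iter(self.users)


class CombiningUserPersister:
    """Model of the combining persister's documented lookup semantics."""

    def __init__(self, persisters: List[DictPersister], allow_duplicates: bool = False) -> None:
        self.persisters = persisters
        self.allow_duplicates = allow_duplicates

    def find(self, user_id: str) -> Optional[dict]:
        if self.allow_duplicates:
            # First inner persister that knows the user wins; the others are not asked.
            for p in self.persisters:
                user = p.find(user_id)
                if user is not None:
                    return user
            return None
        # Strict mode: ask every inner persister; a second hit means the userId is ambiguous.
        hits = [(p.name, p.find(user_id)) for p in self.persisters]
        hits = [(name, user) for name, user in hits if user is not None]
        if len(hits) > 1:
            raise NotUniqueException(f"{user_id!r} found in {[name for name, _ in hits]}")
        return hits[0][1] if hits else None

    def iterate(self) -> List[str]:
        # Iteration always consults all persisters; duplicates only raise in strict mode.
        seen: List[str] = []
        for p in self.persisters:
            for uid in p.iterate():
                if uid in seen:
                    if not self.allow_duplicates:
                        raise NotUniqueException(f"{uid!r} returned by more than one persister")
                    continue  # assumption: a colliding id is listed once, not twice
                seen.append(uid)
        return seen


def demo() -> dict:
    """Constructed sample stores: 'bob' exists in both persisters with different roles."""
    legacy = DictPersister("legacy-db", {
        "alice": {"source": "legacy-db", "roles": ["user"]},
        "bob": {"source": "legacy-db", "roles": ["user"]},
    })
    ad = DictPersister("ad", {
        "bob": {"source": "ad", "roles": ["admin"]},
        "carol": {"source": "ad", "roles": ["user"]},
    })
    strict = CombiningUserPersister([legacy, ad], allow_duplicates=False)
    lenient = CombiningUserPersister([legacy, ad], allow_duplicates=True)

    result = {
        "strict_alice": strict.find("alice")["source"],
        "strict_missing": strict.find("dave"),
        "lenient_bob": lenient.find("bob")["source"],  # list order decides: legacy-db wins
        "lenient_ids": lenient.iterate(),
    }
    try:
        strict.find("bob")
        result["strict_bob_error"] = False
    except NotUniqueException:
        result["strict_bob_error"] = True
    try:
        strict.iterate()
        result["strict_iterate_error"] = False
    except NotUniqueException:
        result["strict_iterate_error"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the model, the colliding user "bob" resolves to the legacy record (role "user") only because the legacy persister is listed first; swapping the list order would make the directory record with role "admin" authoritative without any error. Keep Allow Duplicates disabled unless the inner persisters are guaranteed to hold disjoint sets of users, and treat a NotUniqueException in the logs as a data problem to fix rather than a reason to enable the flag.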

Complete Migration Step

Description
A flow step to complete the migration. The step sets the "authMethod" field on the user to the new authentication method and clears the "nextAuthMethod" and "migrationDate" fields.
Class
com.airlock.iam.authentication.application.configuration.migration.CompleteMigrationStepConfig
May be used by
Properties
Target Auth Method (targetAuthMethod)
Description
The user's authentication method is set to the configured target authentication method when the migration is completed.
Attributes
String
Mandatory
Suggested values
MTAN, CRONTO, DEVICE_TOKEN, MATRIX
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.migration.CompleteMigrationStepConfig
id: CompleteMigrationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:
  targetAuthMethod:

Composite Password Service

Description
A password service that delegates each task (checking, changing and resetting a password) to a separately configured password service. This is useful in a certificate environment where users have no password for login but want to set a password for their mobile app.
Class
com.airlock.iam.core.misc.impl.authen.CompositePasswordService
May be used by
Properties
Check Password Password Service (checkPasswordPasswordService)
Description
This is the password service to use when checking the password.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Change Password Password Service (changePasswordPasswordService)
Description
This is the password service to use when changing the password.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Reset Password Password Service (resetPasswordPasswordService)
Description
This is the password service to use when resetting the password.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.CompositePasswordService
id: CompositePasswordService-xxxxxx
displayName: 
comment: 
properties:
  changePasswordPasswordService:
  checkPasswordPasswordService:
  resetPasswordPasswordService:

Concatenating Context Extractor

Description
Combines two or more context extractors in the following way: Iterates over the list of configured context extractors and returns the concatenation of all extracted specific contexts (ignoring DEFAULT contexts) as result context. If no configured context extractor returns a specific context, the fallback context is used.
Class
com.airlock.iam.core.misc.util.context.ConcatenatingContextExtractor
May be used by
Properties
Context Extractors (contextExtractors)
Description
Defines the context extractors to be used, in the configured order. Use the group/selector notation to specify a list of context extractors.
Attributes
Plugin-List
Mandatory
Assignable plugins
Fallback Context (fallbackContext)
Description
Name of the context to be used if none of the configured extractors returns a non-default context.
Leave empty to implicitly use the default context. If this plugin is used within a "Combining Context Extractor", use "[DEFAULT]" to explicitly return the default context if necessary.
Attributes
String
Optional
Example
CTX1
Example
EXT
Example
[DEFAULT]
YAML Template (with default values)

type: com.airlock.iam.core.misc.util.context.ConcatenatingContextExtractor
id: ConcatenatingContextExtractor-xxxxxx
displayName: 
comment: 
properties:
  contextExtractors:
  fallbackContext:

Condition-based Role Provider

Description
Provides a list of roles depending on a flow condition.
Class
com.airlock.iam.login.application.configuration.targetapp.ConditionBasedRoleProviderConfig
May be used by
Properties
Condition (condition)
Description
Condition that has to be fulfilled for these roles to be provided.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Roles (roles)
Description
Roles to be provided.
Attributes
String-List
Mandatory
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.targetapp.ConditionBasedRoleProviderConfig
id: ConditionBasedRoleProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  condition:
  roles:

Conditional Identity Propagator

Description
Identity propagator that can check multiple conditions before deciding to propagate the identity. The conditions can be set so that all have to be true or only one (see "Conditions Logic Mode" property).
Class
com.airlock.iam.core.misc.impl.sso.ConditionalIdentityPropagator
May be used by
Properties
Conditions Logic Mode (conditionsLogicMode)
Description
Determines how the conditions are logically connected.
  • AND: All conditions must be true.
  • OR: At least one condition must be true.
Attributes
Enum
Optional
Default value
AND
Conditions (conditions)
Description
The conditions to be checked. How the conditions are connected is determined by the "Conditions Logic Mode" above (e.g. AND or OR).
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.sso.ConditionalIdentityPropagator
id: ConditionalIdentityPropagator-xxxxxx
displayName: 
comment: 
properties:
  conditions:
  conditionsLogicMode: AND
  identityPropagator:

Conditional Risk-based Role Derivation

Description
An access policy rule deriving new roles from existing roles and Risk Tags by combining logical conditions.
Class
com.airlock.iam.authentication.application.configuration.risk.accesspolicy.condition.ConditionalRiskBasedRoleDerivationConfig
Properties
Conditions (conditions)
Description
This rule only matches if all of the defined conditions match.
Attributes
Plugin-List
Mandatory
Assignable plugins
Target Roles (targetRoles)
Description
The resulting roles if all required conditions can be satisfied.
Attributes
String-List
Mandatory
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.risk.accesspolicy.condition.ConditionalRiskBasedRoleDerivationConfig
id: ConditionalRiskBasedRoleDerivationConfig-xxxxxx
displayName: 
comment: 
properties:
  conditions:
  targetRoles:

Conditional Value Map Provider

Description
Optionally relays the values of another Value Map Provider, depending on the evaluation of a flow condition.
Class
com.airlock.iam.flow.shared.application.configuration.valueprovider.ConditionalValueMapProviderConfig
May be used by
mTAN Transaction Approval Step, Secret Questions Identity Verification Step, Set Authentication Method Migration Step, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Airlock 2FA Self-Service Approval Step, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Account Link Linking Initiation Step, Remote Event Subscriber (Loginapp), Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Airlock 2FA Message Provider, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, Selection Step for Public Self-Service, OATH OTP Activation Step, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Delete FIDO Credential Initiation Step, Login From New Device Step, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, Cronto Message Provider, User Identification By Data Step (Public Self-Service), Translated String Provider, Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Template-based String Provider, Apply Changes Step, User Persisting Step Config, Start User Representation Step, mTAN Message Provider, String From Map Value Provider, Mandatory Password Change Step Config, SMS Event Subscriber (Loginapp), Disable Cronto Device Initiation Step, Email Message Provider, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Username Password Authentication Step, Certificate Credential Extraction Step Config, Set Password Step Config, Password Change Self-Service Step, SSI Verification Step, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, mTAN Self-Service Approval Step, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Delete mTAN Number Initiation Step, SSI Authentication Step, Template-based Username Transformer, Transforming Value Map Provider, mTAN Verification Step, FIDO Credential Display Name Change Step, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Email Event Subscriber (Loginapp), Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Airlock 2FA Mobile Only Authentication Step, Voluntary Password Change Step, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), Username Generation Step Config, Remember-Me Reset Step, Delete OAuth 2.0 Session Initiation Step, Ticket String Provider Config, OAuth 2.0 Session Reset Step, Selection Step
Properties
Condition (condition)
Description
A condition that must be met for this Value Map Provider to relay the values of the embedded Value Map Provider.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.valueprovider.ConditionalValueMapProviderConfig
id: ConditionalValueMapProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  condition:
  valueMapProvider:

Configurable Error Mapper

Description
Defines how to respond based on configuration.
Class
com.airlock.iam.login.app.misc.configuration.oneshot.ConfigurableErrorMapperFactory
May be used by
License-Tags
OneShotAuthentication
Properties
Responses by Authentication Failure Type (authenticationFailures)
Description

Maps authentication failure types to HTTP error responses.

The authentication failure types are defined by the authenticator. Known types seen in the one-shot flow:

  • "user not found"
  • "user required"
  • "user name ambiguous"
  • "user locked"
  • "user temporarily locked"
  • "user invalid"
  • "user not permitted at this time"
  • "user not permitted at this client"
  • "device blocked"
  • "device busy with another authentication request"
  • "unspecified"
  • "password required"
  • "password wrong"
  • "password change required"
  • "token required"
  • "token wrong"
  • "next token required"
  • "binding token required"
  • "token expired"
  • "certificate required"
  • "certificate does not match user"
  • "certificate not yet valid"
  • "certificate expired"
  • "certificate revoked"
  • "certificate issuer not trusted"
Note that more failure types may be added as the authenticator interface evolves.

Attributes
Plugin-Map
Optional
License-Tags
OneShotAuthentication
Assignable plugins
Default Authentication Failure Response (defaultAuthenticationFailure)
Description
Specifies how to respond in case no specific authentication failure type matches.
Attributes
Plugin-Link
Optional
License-Tags
OneShotAuthentication
Assignable plugins
Authorization Failure Response (user has no access) (userHasNoAccess)
Description
Defines how to respond if the user has no access to the target application/service (authorization failure).
Attributes
Plugin-Link
Optional
License-Tags
OneShotAuthentication
Assignable plugins
Credential Extraction Failure Response (credentialCannotBeExtracted)
Description
Defines how to respond if the credential cannot be extracted from the request.
Attributes
Plugin-Link
Optional
License-Tags
OneShotAuthentication
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.login.app.misc.configuration.oneshot.ConfigurableErrorMapperFactory
id: ConfigurableErrorMapperFactory-xxxxxx
displayName: 
comment: 
properties:
  authenticationFailures:
  credentialCannotBeExtracted:
  defaultAuthenticationFailure:
  userHasNoAccess:
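
The mapping above decides what an unauthenticated caller learns from a failed one-shot login: if "user not found", "user locked" and "password wrong" each get their own response, the endpoint becomes a username oracle. The following Python model is an added example and not Airlock IAM code. It reproduces the four properties with two configurations, one that gives each failure type a descriptive response and one that lets every failure a caller can trigger with a guessed username fall through to the default response. The HttpResponse shape, the status codes and bodies, and the PRE_AUTH_TYPES selection are assumptions made for this example; which failure types are reachable before a valid password depends on the configured authenticator.

```python
"""Model of the Configurable Error Mapper's properties (added example, not Airlock IAM code)."""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class HttpResponse:
    status: int
    body: str


class ConfigurableErrorMapper:
    """Mirrors authenticationFailures, defaultAuthenticationFailure,
    userHasNoAccess and credentialCannotBeExtracted."""

    def __init__(self, authentication_failures: Dict[str, HttpResponse],
                 default_authentication_failure: HttpResponse,
                 user_has_no_access: HttpResponse,
                 credential_cannot_be_extracted: HttpResponse) -> None:
        self.authentication_failures = authentication_failures
        self.default_authentication_failure = default_authentication_failure
        self.user_has_no_access = user_has_no_access
        self.credential_cannot_be_extracted = credential_cannot_be_extracted

    def for_authentication_failure(self, failure_type: str) -> HttpResponse:
        # A specific entry wins; anything unmapped (including types added later) gets the default.
        return self.authentication_failures.get(failure_type, self.default_authentication_failure)

    def for_authorization_failure(self) -> HttpResponse:
        return self.user_has_no_access

    def for_extraction_failure(self) -> HttpResponse:
        return self.credential_cannot_be_extracted


# Assumption: failure types a caller can provoke with only a guessed username and any password.
PRE_AUTH_TYPES = ("user not found", "user name ambiguous", "user locked",
                  "user temporarily locked", "user invalid", "password wrong")


def distinguishable_responses(mapper: ConfigurableErrorMapper, types: Iterable[str]) -> int:
    """How many different responses an attacker can observe across the given failure types.
    More than one means the responses reveal something about the username."""
    return len({mapper.for_authentication_failure(t) for t in types})


# Weak: per-type responses let a caller tell unknown, locked and valid usernames apart.
WEAK = ConfigurableErrorMapper(
    authentication_failures={
        "user not found": HttpResponse(404, '{"error":"unknown user"}'),
        "user locked": HttpResponse(423, '{"error":"user locked"}'),
        "password wrong": HttpResponse(401, '{"error":"wrong password"}'),
    },
    default_authentication_failure=HttpResponse(401, '{"error":"authentication failed"}'),
    user_has_no_access=HttpResponse(403, '{"error":"forbidden"}'),
    credential_cannot_be_extracted=HttpResponse(400, '{"error":"missing credentials"}'),
)

# Hardened: no per-type entry for pre-authentication failures, so they all fall through to one
# default response; only a state reached after a correct password gets a distinct answer.
HARDENED = ConfigurableErrorMapper(
    authentication_failures={
        "password change required": HttpResponse(403, '{"error":"password_change_required"}'),
    },
    default_authentication_failure=HttpResponse(401, '{"error":"authentication_failed"}'),
    user_has_no_access=HttpResponse(403, '{"error":"forbidden"}'),
    credential_cannot_be_extracted=HttpResponse(400, '{"error":"missing credentials"}'),
)


if __name__ == "__main__":
    for name, mapper in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "distinguishable pre-auth responses:",
              distinguishable_responses(mapper, PRE_AUTH_TYPES))
```

Because unmapped types fall through to Default Authentication Failure Response, the hardened variant also stays safe when the authenticator interface gains new failure types, which the reference explicitly allows for. The distinct 403 for "user has no access" is an authorization failure and is only reached after a successful authentication, so it does not help enumeration. Response timing is not covered by this mapping and has to be assessed separately.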

Configurable HTTP CRL Obtainer

Description
Obtains a CRL by delegating to other obtainers. Optionally, a dedicated obtainer can be configured for each CRL URL; for URLs without such a configuration the default obtainer is used. To improve performance and to reduce bottlenecks at startup, CRLs can be persisted (e.g. in a file). Only CRLs located at HTTP(S) URLs are considered.
Class
com.airlock.iam.core.misc.impl.cert.crl.MultiIssuerConfigurableHTTPCrlObtainer
May be used by
License-Tags
ClientCertificate
Properties
Cache Persister (cachePersister)
Description
Persists the CRL in a cache for faster access after a server (re-)start.
Attributes
Plugin-Link
Optional
License-Tags
ClientCertificate
Assignable plugins
Default Obtainer (defaultObtainer)
Description
The obtainer that is used by default (if no special obtainer is configured for that URL).
Attributes
Plugin-Link
Optional
License-Tags
ClientCertificate
Assignable plugins
Overwriting Obtainers (overwritingObtainers)
Description
A map of URLs to obtainers. Whenever the CRL at the given URL is accessed the defined obtainer is used instead of the default obtainer.
Attributes
Plugin-Map
Optional
License-Tags
ClientCertificate
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.cert.crl.MultiIssuerConfigurableHTTPCrlObtainer
id: MultiIssuerConfigurableHTTPCrlObtainer-xxxxxx
displayName: 
comment: 
properties:
  cachePersister:
  defaultObtainer:
  overwritingObtainers:

Configuration-based Authenticator

Description
This authenticator allows a list of users to be configured statically, e.g. for defining a short list of admins without setting up an additional database.
Class
com.airlock.iam.core.misc.impl.authen.ConfigurationBasedAuthenticator
May be used by
Properties
Users (users)
Description
List of statically configured users. Any number of users with a statically configured username, password and roles can be added.
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.ConfigurationBasedAuthenticator
id: ConfigurationBasedAuthenticator-xxxxxx
displayName: 
comment: 
properties:
  users:

Configured User Data

Description
Basic information for statically configured users. Only username, password and roles are stored for these users.
Class
com.airlock.iam.core.misc.impl.authen.ConfiguredUserData
May be used by
Properties
Username (username)
Description
The name of the authenticated user.
Attributes
String
Mandatory
Length >= 3
Example
admin
Example
joe
Password (password)
Description
Password for the user.
Attributes
String
Mandatory
Sensitive
Roles (roles)
Description
Roles granted to the authenticated user.
Attributes
String-List
Optional
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.ConfiguredUserData
id: ConfiguredUserData-xxxxxx
displayName: 
comment: 
properties:
  password:
  roles:
  username:

Contacts Processor

Description
Processes the "contacts" metadata attribute. The values are taken from the request as long as they match the configured regular expression and don't exceed the length limits imposed by the database.
Class
com.airlock.iam.techclientreg.application.configuration.registration.ContactsProcessorConfig
May be used by
License-Tags
TechClientRegistration
Properties
Allowed Contacts (allowedContacts)
Description
Regex limiting the contacts values provided by the client. Typically email addresses.
Attributes
RegEx
Optional
Default value
[a-zA-Z0-9 _.@-]+
Mandatory (mandatory)
Description
If the attribute is mandatory a valid value is required, or else an error is returned. If it is not mandatory, invalid values are silently ignored.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.techclientreg.application.configuration.registration.ContactsProcessorConfig
id: ContactsProcessorConfig-xxxxxx
displayName: 
comment: 
properties:
  allowedContacts: [a-zA-Z0-9 _.@-]+
  mandatory: true
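
The "contacts" attribute is the RFC 7591 client metadata field, so its values arrive from the registering client and must be treated as untrusted input. The following Python example is added here and is not Airlock IAM code; only the default regex is taken from the reference. The database length limit (DB_CONTACT_MAX_LENGTH), the use of a whole-value match (fullmatch) rather than a substring search, and the sample registration request are assumptions made for this example, chosen to show the Mandatory semantics described above and why anchoring the match matters.

```python
"""Illustrative validation of the "contacts" metadata attribute (added example, not Airlock IAM code)."""
import re
from typing import List, Optional

DEFAULT_ALLOWED_CONTACTS = r"[a-zA-Z0-9 _.@-]+"   # default of 'Allowed Contacts'
DB_CONTACT_MAX_LENGTH = 255                        # assumption: stand-in for the column limit


class ContactsValidationError(ValueError):
    """Raised when 'contacts' is mandatory and no valid value was supplied."""


def process_contacts(contacts: Optional[List[str]],
                     allowed: str = DEFAULT_ALLOWED_CONTACTS,
                     mandatory: bool = True,
                     max_length: int = DB_CONTACT_MAX_LENGTH) -> List[str]:
    """Return the contacts values that pass the regex and the length limit.

    The regex is applied to the whole value (fullmatch). Invalid values are dropped
    silently; if the attribute is mandatory and nothing valid remains, an error is raised.
    """
    pattern = re.compile(allowed)
    accepted = [c for c in (contacts or [])
                if isinstance(c, str) and len(c) <= max_length and pattern.fullmatch(c)]
    if mandatory and not accepted:
        raise ContactsValidationError("contacts: at least one valid value is required")
    return accepted


def search_would_accept(value: str, allowed: str = DEFAULT_ALLOWED_CONTACTS) -> bool:
    """Shows why anchoring matters: re.search accepts any value containing an allowed run."""
    return re.search(allowed, value) is not None


# Constructed sample registration request (RFC 7591 client metadata), not captured traffic.
SAMPLE_REQUEST = {
    "client_name": "payments-batch",
    "contacts": [
        "ops@example.com",
        "ops@example.com<script>alert(1)</script>",  # markup: fails the whole-value match
        "x" * 300,                                  # exceeds the assumed column limit
        "sec-team@example.com",
    ],
}


def demo() -> dict:
    accepted = process_contacts(SAMPLE_REQUEST["contacts"])
    try:
        process_contacts(["<script>"], mandatory=True)
        mandatory_error = False
    except ContactsValidationError:
        mandatory_error = True
    return {
        "accepted": accepted,
        "optional_all_invalid": process_contacts(["<script>"], mandatory=False),
        "mandatory_all_invalid_raises": mandatory_error,
        "search_accepts_markup": search_would_accept("ops@example.com<script>"),
    }


if __name__ == "__main__":
    print(demo())
```

When tightening Allowed Contacts, keep the character class a whitelist as in the default; adding characters such as "<", ">" or quotes lets client-supplied text flow into admin screens and notification mails that later display the contact.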

Context Data Access Rule

Description
Defines fine-grained permissions on context data.
Class
com.airlock.iam.admin.application.configuration.ContextDataAccessRule
May be used by
Properties
Context Data Field (contextDataField)
Description
The name of a context data column for which to configure the access.
Attributes
String
Mandatory
Roles (roles)
Description
Defines the set of required roles needed to access the resource. Multiple roles are specified as a comma-separated list. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
Attributes
String
Optional
Suggested values
NO RESTRICTION, useradmin, tokenadmin, helpdesk, sysadmin, superadmin, useradmin,tokenadmin, useradmin,helpdesk, tokenadmin,helpdesk, sysadmin,superadmin, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.ContextDataAccessRule
id: ContextDataAccessRule-xxxxxx
displayName: 
comment: 
properties:
  contextDataField:
  roles:

Context Data Changed

Description
Event that is published when a user's context data is changed.
Class
com.airlock.iam.common.application.configuration.event.ContextDataChangedSubscribedEventConfig
May be used by
Properties
Field Name Pattern (fieldNamePattern)
Description
The event is only handled by this subscriber, if at least one of the changed context data fields matches this pattern.
Attributes
RegEx
Optional
Default value
.*
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.event.ContextDataChangedSubscribedEventConfig
id: ContextDataChangedSubscribedEventConfig-xxxxxx
displayName: 
comment: 
properties:
  fieldNamePattern: .*

Context Data Condition

Description
Condition that matches the value of a context data field against a configurable pattern.
Class
com.airlock.iam.core.misc.impl.sso.ContextDataCondition
May be used by
Properties
Name (name)
Description
The name of the context data field to check.
Attributes
String
Mandatory
Pattern (pattern)
Description
The pattern to match the context data field with.
Attributes
RegEx
Mandatory
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.sso.ContextDataCondition
id: ContextDataCondition-xxxxxx
displayName: 
comment: 
properties:
  name:
  pattern:

Context Data Item

Description
Context data to include in the created IAM user.
Class
com.airlock.iam.oauth2.application.configuration.accountregistration.ContextDataItemConfig
May be used by
License-Tags
OAuthSocialRegistration
Properties
Context Data Item Name (contextDataItemName)
Description
The name of the context data item of the provider account.

To be able to obtain the context data value, an 'OAuth 2.0 Remote Context Data Resource' with a 'Local Context Data Key' equal to this value must be added to the resource mappings.

Attributes
String
Mandatory
Example
surname
Example
givenname
Example
email
Optional (optional)
Description
Defines whether the context data value has to be present or not. If a mandatory property is missing, the user will not be created.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.accountregistration.ContextDataItemConfig
id: ContextDataItemConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataItemName:
  optional: false

Context Data Item (Airlock 2FA Account Display Name)

Description
Provides the value of a configured context data field as the display name during the user's enrollment for Airlock 2FA.
Class
com.airlock.iam.airlock2fa.application.configuration.enrollment.Airlock2FAContextDataDisplayNameProviderConfig
May be used by
License-Tags
Airlock2FA
Properties
Context Data Name (contextDataName)
Description
Name of the context data field whose value is to be used as the display name during the user's enrollment.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Mandatory (mandatory)
Description
If enabled, it is mandatory that the context data field be non-blank, otherwise attempting to create an Airlock 2FA account will result in an error. If disabled and the context data field is blank, then no display name will be provided.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.application.configuration.enrollment.Airlock2FAContextDataDisplayNameProviderConfig
id: Airlock2FAContextDataDisplayNameProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  mandatory: false

Context Data Map

Description

Provides all context data of the current user. The keys of the context data items are provided as defined in the Loginapp's user store.

The "username" is always part of the map, even if it is not explicitly part of the context data.

Class
com.airlock.iam.flow.shared.application.configuration.valueprovider.ContextDataValueMapProviderConfig
May be used by
mTAN Transaction Approval Step, Secret Questions Identity Verification Step, Set Authentication Method Migration Step, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Airlock 2FA Self-Service Approval Step, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Account Link Linking Initiation Step, Remote Event Subscriber (Loginapp), Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Airlock 2FA Message Provider, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, Selection Step for Public Self-Service, OATH OTP Activation Step, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Delete FIDO Credential Initiation Step, Login From New Device Step, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, Cronto Message Provider, User Identification By Data Step (Public Self-Service), Translated String Provider, Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Template-based String Provider, Apply Changes Step, User Persisting Step Config, Start User Representation Step, mTAN Message Provider, String From Map Value Provider, Mandatory Password Change Step Config, SMS Event Subscriber (Loginapp), Disable Cronto Device Initiation Step, Email Message Provider, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Username Password Authentication Step, Certificate Credential Extraction Step Config, Set Password Step Config, Password Change Self-Service Step, SSI Verification Step, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, mTAN Self-Service Approval Step, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Delete mTAN Number Initiation Step, SSI Authentication Step, Template-based Username Transformer, Transforming Value Map Provider, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Email Event Subscriber (Loginapp), Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Airlock 2FA Mobile Only Authentication Step, Voluntary Password Change Step, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), Username Generation Step Config, Remember-Me Reset Step, Delete OAuth 2.0 Session Initiation Step, Ticket String Provider Config, OAuth 2.0 Session Reset Step, Selection Step
Properties
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.valueprovider.ContextDataValueMapProviderConfig
id: ContextDataValueMapProviderConfig-xxxxxx
displayName: 
comment: 
properties:

Context Data Regex Condition

Description
Condition that is fulfilled, if the value of the configured context data field matches a specified pattern.
Class
com.airlock.iam.core.misc.persistency.usereventbus.conditions.ContextDataEventCondition
May be used by
Properties
Context Data Key (contextDataKey)
Description

The context data field for which the value is matched against the configured pattern.

For newly created users (before/after insert user events), some context data fields (e.g. the username field or "additional context data") are not available.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Pattern (pattern)
Description
Specifies the pattern that has to match the context data value from the specified key.
Attributes
RegEx
Mandatory
Is Fulfilled If Value Is Null (isFulfilledIfValueIsNull)
Description
If checked, the condition is fulfilled if the provided value is null. If unchecked, the condition is unfulfilled in that situation.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.core.misc.persistency.usereventbus.conditions.ContextDataEventCondition
id: ContextDataEventCondition-xxxxxx
displayName: 
comment: 
properties:
  contextDataKey:
  isFulfilledIfValueIsNull: false
  pattern:

Context Data SAML 2.0 Attribute

Description
A SAML 2.0 attribute containing context data of the user.
Class
com.airlock.iam.saml2.application.configuration.assertion.attribute.ContextDataAttributeConfig
May be used by
License-Tags
SamlIdp
Properties
Attribute Name (samlAttributeName)
Description
The name of the attribute to add to the assertion.
Attributes
String
Mandatory
Example
givenname
Example
authmethod
Context Data Name (contextDataName)
Description
The context data key to add to the Assertion. If the context data doesn't contain any value for the given key, the attribute will not be included in the assertion.
Attributes
String
Mandatory
Example
givenname
Example
auth_method
Name Format (nameFormat)
Description
The NameFormat to use for the attribute.
Attributes
String
Optional
Default value
urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Suggested values
urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
YAML Template (with default values)

type: com.airlock.iam.saml2.application.configuration.assertion.attribute.ContextDataAttributeConfig
id: ContextDataAttributeConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  samlAttributeName:

Context Data String Custom Claim

Description
A custom context data string claim.
Class
com.airlock.iam.oauth2.application.configuration.claims.CustomContextDataStringClaimConfig
May be used by
License-Tags
OAuthServer
Properties
Context Data Name (contextDataName)
Description
The context data field that should be included in the claim. If the value is missing or is not of type string, the claim will not be included in the response.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Claim Name (claimName)
Description
The name (JSON key) of the claim.

Attention: If a custom claim with this same claim name already exists, it will result in a runtime error.

Using a registered claim name (see RFC 7519) might cause the claim to be ignored or an exception to be thrown.
Attributes
String
Mandatory
Example
firstname
Example
street
Example
zip
Example
country
Example
roles
Claim Condition (claimCondition)
Description

This custom claim will only be added to the issued token if the configured condition is satisfied.

If no condition is configured, the custom claim will always be added.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.claims.CustomContextDataStringClaimConfig
id: CustomContextDataStringClaimConfig-xxxxxx
displayName: 
comment: 
properties:
  claimCondition:
  claimName:
  contextDataName:

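The claim rules above (skip missing or non-string values, honour the optional condition, treat a duplicate claim name as a runtime error) are illustrated by the following added example. It is not Airlock IAM code; it is a stand-alone Python model with a constructed context-data map, and it treats a clash with an RFC 7519 registered claim name as a configuration error (the page says this "might" be ignored or throw, so the strict handling is an assumption made here).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# RFC 7519 section 4.1 registered claim names; a custom claim must not
# overwrite any of these in an issued token.
REGISTERED_CLAIMS = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"}


class ClaimConfigError(Exception):
    """Raised for duplicate or reserved claim names (modelled as a runtime error)."""


@dataclass
class CustomContextDataStringClaim:
    """Hypothetical mirror of the plugin's three properties."""
    context_data_name: str
    claim_name: str
    # Optional condition over the user's context data; None means "always add".
    condition: Optional[Callable[[Dict[str, object]], bool]] = None


def build_custom_claims(context_data: Dict[str, object],
                        configs: List[CustomContextDataStringClaim]) -> Dict[str, str]:
    """Return the custom claims to add to a token for the given context data."""
    claims: Dict[str, str] = {}
    for cfg in configs:
        if cfg.claim_name in REGISTERED_CLAIMS:
            raise ClaimConfigError(f"claim name {cfg.claim_name!r} is reserved by RFC 7519")
        if cfg.claim_name in claims:
            raise ClaimConfigError(f"custom claim {cfg.claim_name!r} configured twice")
        if cfg.condition is not None and not cfg.condition(context_data):
            continue  # condition not satisfied: claim is not added
        value = context_data.get(cfg.context_data_name)
        if not isinstance(value, str):
            continue  # missing or non-string value: claim is not included
        claims[cfg.claim_name] = value
    return claims


# Constructed sample context data (not from any real user store).
SAMPLE_CONTEXT = {"firstname": "Alice", "zip": 8000, "roles": ["user"], "country": "CH"}

SAMPLE_CONFIGS = [
    CustomContextDataStringClaim("firstname", "firstname"),
    CustomContextDataStringClaim("zip", "zip"),          # int, therefore skipped
    CustomContextDataStringClaim("roles", "roles"),      # list, therefore skipped
    CustomContextDataStringClaim("country", "country",
                                 condition=lambda ctx: ctx.get("firstname") == "Alice"),
    CustomContextDataStringClaim("country", "region",
                                 condition=lambda ctx: ctx.get("firstname") == "Bob"),
]

if __name__ == "__main__":
    print(build_custom_claims(SAMPLE_CONTEXT, SAMPLE_CONFIGS))
```

Only `firstname` and `country` end up in the token: the integer and list values are dropped silently, and `region` is dropped because its condition is false. Configuring the same claim name twice, or a name such as `sub`, fails before any token is issued.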
Context Data Uniqueness Check

Description
Ensures that context data values across all users remain unique when user data is imported. Uniqueness checks are only supported on string context fields.
Class
com.airlock.iam.servicecontainer.app.application.configuration.task.xmlimporter.ContextDataUniquenessCheck
May be used by
Properties
Context Data Name (contextDataKey)
Description
The key of the user's context data item to be checked for uniqueness.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Behaviour (behaviour)
Description
The behaviour of the XML File Importer in case of a uniqueness check violation.
  • IGNORE_ATTRIBUTE: The violating context field is ignored, and the import proceeds with the next context fields of the user. Note: If the field is also required through "Required User Info Attributes" the current user is ignored instead.
  • IGNORE_USER: The current user is ignored, and the import proceeds with data for the next user.
  • ABORT: The current user is ignored and the import is aborted. The changes of previous import commands are not rolled back.
Attributes
Enum
Mandatory
YAML Template (with default values)

type: com.airlock.iam.servicecontainer.app.application.configuration.task.xmlimporter.ContextDataUniquenessCheck
id: ContextDataUniquenessCheck-xxxxxx
displayName: 
comment: 
properties:
  behaviour:
  contextDataKey:

Context Data User Group Condition

Description
Checks user group membership by comparing a context data attribute with the specified value.
Class
com.airlock.iam.core.misc.impl.persistency.ContextDataUserGroupCondition
May be used by
Properties
Group Name (groupName)
Description
The name of the user group. May be used in log files and may be displayed in the admin tool.
Attributes
String
Mandatory
Example
Administrator
Example
Employee
Example
Customer
Context Property Name (contextPropertyName)
Description
Name of the context data attribute to be examined. Make sure the user persister provides the attribute.
Attributes
String
Mandatory
Example
department
Example
company
Example
distinguishedName
Pattern (pattern)
Description
Regular expression pattern matched against the (default string representation of the) context data value. If it matches, the user is considered to be member of the group.
Attributes
RegEx
Mandatory
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.ContextDataUserGroupCondition
id: ContextDataUserGroupCondition-xxxxxx
displayName: 
comment: 
properties:
  contextPropertyName:
  groupName:
  pattern:

Context Data User Validator

Description
Validates a user based on allowed values in a specified context data field.
Class
com.airlock.iam.core.misc.impl.authen.ContextDataUserValidator
May be used by
Properties
Context Field (contextField)
Description
Name of the context field with the values that should be checked. If the user does not have this context field (i.e. it is null), then the user is considered to be invalid.
Attributes
String
Mandatory
Example
status
Example
is_locked
Allowed Values (allowedValues)
Description
List of allowed values for the context data field. The field must contain one of these values in order to be valid.
Attributes
String-List
Mandatory
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.ContextDataUserValidator
id: ContextDataUserValidator-xxxxxx
displayName: 
comment: 
properties:
  allowedValues:
  contextField:

Context Data Username

Description
Uses a context data value as username.
Class
com.airlock.iam.oauth2.application.configuration.accountregistration.ContextDataUsernameConfig
May be used by
License-Tags
OAuthSocialRegistration
Properties
Context Data (contextData)
Description
Context Data to use as username. The value of this context data must be present, else the user creation will fail.

To be able to obtain the context data value, an 'OAuth 2.0 Remote Context Data Resource' with a 'Local Context Data Key' equal to this value must be added to the resource mappings.

Attributes
String
Mandatory
Example
email, mtan_number
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.accountregistration.ContextDataUsernameConfig
id: ContextDataUsernameConfig-xxxxxx
displayName: 
comment: 
properties:
  contextData:

Context Data Username Provider

Description
Provides a username from a context data field.
Class
com.airlock.iam.login.application.configuration.targetapp.ContextDataUsernameProviderConfig
May be used by
Properties
Property Name (propertyName)
Description
Name of the context data property from which the username is taken.
Attributes
String
Mandatory
Example
email
Example
applA-name
Mandatory (mandatory)
Description
If enabled, it is mandatory that the context data field be non-empty, otherwise an exception is thrown at identity propagation time. If disabled and the context data field is empty, then no username is supplied and subsequent username providers are asked to supply a name (or the authenticated user ID is used if no provider supplies a username).
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.targetapp.ContextDataUsernameProviderConfig
id: ContextDataUsernameProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  mandatory: false
  propertyName:

Context Data Username Transformer

Description
This user name transformer allows configuring any user store which provides alternative log-in names (aliases) in its context data. If the alias is found in the context data, the provided user name is transformed to the user ID used in the user store.
Class
com.airlock.iam.core.misc.impl.authen.ContextDataUsernameTransformer
May be used by
Properties
User Store (userStore)
Description
The user store which must provide the alternative user name fields (as context data). The transformation result will be the user ID of the matching user record. This user store must provide all the context data columns which are selected as potential user aliases in the context-data-columns property.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Context Data Columns (contextDataColumns)
Description
The names of the context data columns of the underlying user store which may contain an alias. The originally stated user name is looked up in all the context data columns. If there is a match, the user ID of the record in the store becomes the transformation result. If multiple records match, the user cannot log in and user trail logs are written. In this case the alias data is in an inconsistent state and this must be fixed. Thus, the listed columns - including the user ID column - must not contain duplicates.
Note that at least one context data column must be stated for the transformation to be successful.
Attributes
String-List
Mandatory
Check User Store First (checkUserStoreFirst)
Description
For efficiency reasons, the default behavior of this transformer is to first check whether the user store finds a user name that matches the input of the user. With this property, this first check can be disabled.
Usually, setting this property to false is not recommended, as it is often the best strategy to first match for the user ID.
Disabling this check makes sense in a chain of UsernameTransformers where it is known that the current input name cannot be a user ID, e.g. directly after a Primary Key Lookup.
Attributes
Boolean
Optional
Default value
true
Mandatory Transformation (mandatoryTransformation)
Description
Specifies whether or not the transformation is mandatory:
This transformer serves two main purposes: It can allow login using an 'alias' in addition to the user ID (in this case, set this property to false because this transformer may or may not be given the alias) or it can transform the entered user name on the fly to an 'internal identifier' used for further processing (in this case, set this property to true). In the latter case, this 'internal identifier' cannot be used directly as a login name, thus the transformation must succeed in order to obtain a valid userid for further processing.
Note that a transformation is considered successful if the user name could be resolved, no matter whether or not the user name was actually changed (e.g. the transformation is also successful if the 'Check User Store First' flag is true and the user name was found in that user store directly).
Attributes
Boolean
Optional
Default value
false
Stop After Successful Transformation (stopAfterSuccessfulTransformation)
Description
With this flag the chaining of user name transformers can be interrupted. If it is enabled and the user name transformer found the user name in a context field (or if enabled using the primary key lookup), following user name transformers are not executed.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.ContextDataUsernameTransformer
id: ContextDataUsernameTransformer-xxxxxx
displayName: 
comment: 
properties:
  checkUserStoreFirst: true
  contextDataColumns:
  mandatoryTransformation: false
  stopAfterSuccessfulTransformation: false
  userStore:

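The resolution order described by the four properties above (user store lookup first, alias lookup across the configured context data columns, ambiguity on multiple matches, mandatory transformation, stop after success) is shown in this added example. It is not Airlock IAM code: the user store is a constructed in-memory dictionary, and the transformer returns the resolved user ID together with a flag telling a hypothetical transformer chain whether to stop.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class TransformationError(Exception):
    """Login cannot proceed (ambiguous alias or mandatory transformation failed)."""


@dataclass
class ContextDataUsernameTransformer:
    """Hypothetical mirror of the plugin's properties."""
    context_data_columns: List[str]
    check_user_store_first: bool = True
    mandatory_transformation: bool = False
    stop_after_successful_transformation: bool = False

    def __post_init__(self) -> None:
        # The page notes that at least one column is required for a successful transformation.
        if not self.context_data_columns:
            raise ValueError("at least one context data column must be configured")

    def transform(self, entered_name: str,
                  store: Dict[str, Dict[str, str]]) -> Tuple[str, bool]:
        """Return (user_id_for_further_processing, stop_chain)."""
        if self.check_user_store_first and entered_name in store:
            # Found directly by user ID: counts as a successful transformation.
            return entered_name, self.stop_after_successful_transformation

        matches = [uid for uid, ctx in store.items()
                   if any(ctx.get(col) == entered_name for col in self.context_data_columns)]
        if len(matches) > 1:
            # Alias data is inconsistent; the user cannot log in. A real deployment
            # writes a user trail log entry here so operators can repair the data.
            raise TransformationError(
                f"alias {entered_name!r} matches several users: {sorted(matches)}")
        if len(matches) == 1:
            return matches[0], self.stop_after_successful_transformation

        if self.mandatory_transformation:
            raise TransformationError(f"no user record resolves {entered_name!r}")
        # Not mandatory: pass the name on unchanged to the next transformer.
        return entered_name, False


# Constructed user store: user ID -> context data columns (sample data, not real users).
USER_STORE = {
    "u1001": {"email": "alice@example.com", "employee_no": "E-1"},
    "u1002": {"email": "bob@example.com", "employee_no": "E-2"},
    "u1003": {"email": "carol@example.com", "employee_no": "E-2"},  # duplicate alias
}

if __name__ == "__main__":
    t = ContextDataUsernameTransformer(["email"])
    print(t.transform("alice@example.com", USER_STORE))  # ('u1001', False)
```

With `employee_no` configured as an alias column, entering `E-2` is rejected because two records carry it, which is exactly the inconsistency the page says must be fixed in the data rather than tolerated at login.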
Context Pattern

Description
A context extractor matching against the request path.
Class
com.airlock.iam.core.misc.util.context.ContextPattern
May be used by
Properties
Pattern (pattern)
Description
Regular expression pattern matched against the request URI.
The matching is done against the part of the request URI after the protocol or after the host (depending on the configuration of the context extractor).
Example: If the request URL is "https://host/blah/blue", the considered path is either "host/blah/blue" (if virtualhost is included) or "/blah/blue" otherwise.

The request path is then matched against the regular expression which must match the entire path, not just a substring.

Important: For SPA URLs under /ui/app/*, only top-level navigation (for example when navigating from an external site using a link or http redirect) can be used for context extraction. Most navigations/clicks within the SPA do not lead to an explicit request to the URL seen in the URL bar.

Attributes
RegEx
Mandatory
Configuration Context (configurationContext)
Description
The resulting configuration context if the regular expression matches.
Use "[DEFAULT]" to explicitly return the default context.
Attributes
String
Mandatory
Example
CTX1
Example
EXT
Example
[DEFAULT]
YAML Template (with default values)

type: com.airlock.iam.core.misc.util.context.ContextPattern
id: ContextPattern-xxxxxx
displayName: 
comment: 
properties:
  configurationContext:
  pattern:

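The two details that decide whether a Context Pattern fires, namely which part of the URL is compared and that the expression must match the entire path rather than a substring, are shown in this added example using the page's own URL "https://host/blah/blue". It is not Airlock IAM code; first-match ordering of the patterns and the treatment of the query string (ignored here) are assumptions of this model.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

DEFAULT_CONTEXT = "[DEFAULT]"


def considered_path(url: str, include_virtual_host: bool) -> str:
    """Return the part of the request URI the pattern is matched against."""
    parts = urlsplit(url)
    path = parts.path or "/"  # assumption: query string is not part of the match
    return parts.netloc + path if include_virtual_host else path


def resolve_context(url: str, patterns: List[Tuple[str, str]],
                    include_virtual_host: bool = False) -> str:
    """Return the configuration context of the first pattern matching the whole path."""
    path = considered_path(url, include_virtual_host)
    for pattern, context in patterns:
        # re.fullmatch: the whole path must match, a substring match is not enough.
        if re.fullmatch(pattern, path):
            return context
    return DEFAULT_CONTEXT


# Constructed pattern table (pattern -> configuration context).
PATTERNS = [
    (r"/public/.*", "[DEFAULT]"),  # explicit default, takes precedence over the catch-all
    (r"/blah/.*", "CTX1"),
    (r"/ext", "EXT"),               # matches exactly "/ext", not "/ext/login"
]

if __name__ == "__main__":
    print(resolve_context("https://host/blah/blue", PATTERNS))  # CTX1
```

Note the last pattern: `/ext` is a common slip, since a substring match would accept `/ext/login` but a full match does not. The same applies when the virtual host is included; a pattern written for `/blah/blue` no longer matches `host/blah/blue` and the request silently falls back to the default context.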
Cookie Mapping

Description
A mapping from a source cookie to a target cookie sent to the Airlock Gateway (WAF) or the client.
Class
com.airlock.iam.core.misc.impl.sso.onbehalflogin.CookieMapping
May be used by
Properties
Source Access Cookie Name (sourceAccessCookieName)
Description
The name of the access cookie to be extracted from the HTTP response of the application providing access cookies.
Attributes
String
Mandatory
Example
ACCESS_COOKIE
Example
AUTH_USER
Target Access Cookie Name (targetAccessCookieName)
Description
The name of the access cookie to be sent to the browser or entry server. If this property is not defined, the name of the fetched access cookie is used.
Attributes
String
Optional
Example
ACCESS_COOKIE
Example
AUTH_USER
Target Access Cookie Path (targetAccessCookiePath)
Description
The path for which the cookie is set. The path determines where the cookie is sent by the reverse proxy (or browser).

If the same access cookie is used for all applications, the value "/" can be used. If different tickets are used for different applications, the application's path should be used.

Note that only one access cookie per cookie path and name can exist. Make sure that this cookie name does not clash with other cookies' names. For example, do not use session cookie names such as "JSESSIONID".

Make sure the configuration flag Interpret Cookie Domains is set in the Airlock Gateway (WAF) configuration. If not, the cookie path is ignored and cookies in the cookie store are sent to any backend HTTP request of the same session. This also means that there may be only one cookie per cookie name!
It is best to consult the corresponding documentation of the web entry server or reverse proxy to get more accurate information on cookie handling.

Attributes
String
Optional
Default value
/
Example
/
Example
/appl1
Example
/appl2
Target Access Cookie Domain (targetAccessCookieDomain)
Description
The domain for which the cookie is set. The domain determines where the cookie is sent by the reverse proxy (or browser).

Because of security restrictions in browsers (same origin policy) it is usually not possible to set a cookie for a different domain unless the right-most two domain parts (e.g. "ergon.ch") are equal to that of the application setting the cookie.
It is possible that there are further restrictions regarding this in browsers.

If you are using an HTTP reverse proxy that stores the cookie in its session store (and does not send it to the client), make sure to understand the proxy's interpretation of the cookie domain and cookie path.

Make sure the configuration flag Interpret Cookie Domains is set in the Airlock Gateway (WAF) configuration. If not, the cookie domain is ignored and cookies in the cookie store are sent to any backend HTTP request of the same session. The cookie path is also ignored, meaning that there may be only one cookie per cookie name!
The Airlock Gateway also supports the following cookie domain values (if the flag Interpret Cookie Domains is set):

  • The value .* results in cookies being sent to all backend servers. This is especially useful if one authentication ticket is used for multiple backends.
  • The value @<fully-qualified-host> results in the cookie being treated as if it were set by the host specified by "<fully-qualified-host>". If using this value, make sure the corresponding mapping also uses the fully qualified hostname.
It is best to consult the corresponding documentation of the web entry server or reverse proxy to get more accurate information on cookie handling.

Note that only one cookie per cookie path and name can exist. Make sure that this cookie name does not clash with other cookies' names. For example, do not use session cookie names such as "JSESSIONID".

Attributes
String
Optional
Example
.*
Example
@172.16.1.1:80
Set Secure Flag Target Access Cookie (setSecureFlagTargetAccessCookie)
Description
If set to TRUE the "secure"-flag of the cookie is set.

If the cookie is marked as secure, the browser (and any HTTP proxy behaving like a browser) should send the cookie only over secure connections.
Caution: If you think that setting this flag makes your application more secure, it is in most cases way better to adequately secure the access cookie by encrypting it appropriately. Remember that this flag just "asks" the browser to not transmit the cookie over unencrypted connections.

Attributes
Boolean
Optional
Default value
false
URL Encode Target Cookie Value (urlEncodeTargetCookieValue)
Description
If set to TRUE the value from the fetched cookie is not passed as is to the response but it is URL-encoded (using UTF-8 encoding).
Attributes
Boolean
Optional
Default value
false
Mandatory (mandatory)
Description
If set to TRUE the cookie must be present in the response or the process will fail.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.sso.onbehalflogin.CookieMapping
id: CookieMapping-xxxxxx
displayName: 
comment: 
properties:
  mandatory: true
  setSecureFlagTargetAccessCookie: false
  sourceAccessCookieName:
  targetAccessCookieDomain:
  targetAccessCookieName:
  targetAccessCookiePath: /
  urlEncodeTargetCookieValue: false

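How the Cookie Mapping properties combine into the cookie that is finally emitted (rename, path, domain, secure flag, URL encoding, mandatory check) is shown by this added example. It is not Airlock IAM code: the Set-Cookie headers are constructed sample input, and the output is rendered as a plain Set-Cookie header string, which is an assumption about the representation.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import quote


class MissingCookieError(Exception):
    """Raised when a mandatory source cookie is absent from the backend response."""


@dataclass
class CookieMapping:
    """Hypothetical mirror of the plugin's properties (same defaults as the YAML template)."""
    source_access_cookie_name: str
    target_access_cookie_name: Optional[str] = None
    target_access_cookie_path: str = "/"
    target_access_cookie_domain: Optional[str] = None
    set_secure_flag_target_access_cookie: bool = False
    url_encode_target_cookie_value: bool = False
    mandatory: bool = True


def extract_cookie(set_cookie_headers: List[str], name: str) -> Optional[str]:
    """Return the value of cookie `name` from a list of Set-Cookie header values."""
    for header in set_cookie_headers:
        pair = header.split(";", 1)[0].strip()      # "NAME=value" before any attributes
        cookie_name, sep, value = pair.partition("=")
        if sep and cookie_name.strip() == name:
            return value.strip()
    return None


def apply_mapping(set_cookie_headers: List[str], mapping: CookieMapping) -> Optional[str]:
    """Build the Set-Cookie header for the target cookie, or None if optional and absent."""
    value = extract_cookie(set_cookie_headers, mapping.source_access_cookie_name)
    if value is None:
        if mapping.mandatory:
            raise MissingCookieError(
                f"cookie {mapping.source_access_cookie_name!r} missing from response")
        return None
    if mapping.url_encode_target_cookie_value:
        value = quote(value, safe="")  # percent-encode using UTF-8
    name = mapping.target_access_cookie_name or mapping.source_access_cookie_name
    parts = [f"{name}={value}", f"Path={mapping.target_access_cookie_path}"]
    if mapping.target_access_cookie_domain:
        parts.append(f"Domain={mapping.target_access_cookie_domain}")
    if mapping.set_secure_flag_target_access_cookie:
        # Only asks the browser/proxy not to send it over plaintext; it does not
        # protect the ticket itself, which is why the page recommends encryption.
        parts.append("Secure")
    return "; ".join(parts)


# Constructed backend response headers (sample data).
BACKEND_SET_COOKIES = [
    "JSESSIONID=1234abcd; Path=/; HttpOnly",
    "ACCESS_COOKIE=tok/ab c; Path=/appl1",
]

if __name__ == "__main__":
    m = CookieMapping("ACCESS_COOKIE", "AUTH_USER", "/appl1", ".*", True, True)
    print(apply_mapping(BACKEND_SET_COOKIES, m))
```

With the mapping in the `__main__` block the result is `AUTH_USER=tok%2Fab%20c; Path=/appl1; Domain=.*; Secure`; the same mapping with `mandatory` left at its default raises if the backend did not issue `ACCESS_COOKIE` at all.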
Cookie Ticket Adder Config

Description
Adds a ticket string as a response cookie.
Class
com.airlock.iam.login.application.configuration.idpropagation.CookieTicketAdderConfig
May be used by
Properties
Cookie Name (cookieName)
Description

The name of the cookie used to transport the ticket.

Only one cookie per cookie path and name can exist, therefore the name of this cookie must be distinct from all other cookie names used by this application (such as "JSESSIONID").

Attributes
String
Mandatory
Example
AUTH_TICKET
Cookie Path (cookiePath)
Description

The path for which the cookie is set. This determines with which future requests the cookie will be sent to the server.

To add the cookie to all requests to a given domain, the value "/" can be used. If the cookie should be limited to a certain backend, the corresponding context path should be used.

Only one cookie per cookie path and name can exist, therefore the name of this cookie must be distinct from all other cookies for the same path (such as "JSESSIONID").

When using an Airlock Gateway (WAF), the Gateway configuration flag Interpret Cookie Domains must be set. Otherwise the cookie path is ignored and cookies in the cookie store are sent with back-end HTTP requests of the same session.

Attributes
String
Optional
Default value
/
Example
/
Example
/appl1
Example
/appl2
Cookie Domain (cookieDomain)
Description
The domain for which the cookie is set. This determines with which future requests the cookie will be sent to the server.

Because of security restrictions in browsers (same origin policy) it is usually not possible to set a cookie for a different domain (except subdomains).

Airlock Gateway (WAF) handles cookies differently and allows setting cookies for other domains within the protected infrastructure while not exposing them to the internet. The Gateway configuration flag Interpret Cookie Domains needs to be enabled for this feature. If this flag is enabled, the following special domain names are also supported:

  • An empty value results in the cookie only being sent to the origin server that set the cookie.
  • The value .* results in cookies being sent to all back-end servers.
  • Setting a different hostname results in the cookie being sent to the back-end host with that hostname.
Consult the Airlock Gateway documentation for more information on cookie handling.

Attributes
String
Optional
Example
.*
Example
@www.test.com
Example
ergon.ch
Secure Flag (secureFlag)
Description
If enabled, the "secure"-flag of the cookie is set.

If the cookie is marked as secure, the browser (and any HTTP proxy behaving like a browser) should send the cookie only over secure connections.

Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.idpropagation.CookieTicketAdderConfig
id: CookieTicketAdderConfig-xxxxxx
displayName: 
comment: 
properties:
  cookieDomain:
  cookieName:
  cookiePath: /
  secureFlag: true

Cookie Ticket Identity Propagator

Description
An identity propagator based on authentication tickets transported to the target application using a HTTP cookie.

This plugin is usually used together with an entry component that keeps the authentication ticket cookie from being sent to the client and therefore from being exposed to external attacks.
If you intend to send the cookie to the client, it must be protected accordingly by choosing an appropriate ticket encoder.

Class
com.airlock.iam.core.misc.impl.sso.CookieTicketIdentityPropagator
May be used by
Properties
Cookie Name (cookieName)
Description
The name of the cookie used to transport the authentication ticket.

Note that only one cookie per cookie path and name can exist. Make sure that this cookie name does not clash with other cookies' names. For example, do not use session cookie names such as "JSESSIONID".

Attributes
String
Mandatory
Example
AUTH_TICKET
Example
medusaAuth
Cookie Path (cookiePath)
Description
The path for which the cookie is set. The path determines where the cookie is sent by the reverse proxy (or browser).

If one single authentication ticket is used for all applications, the value "/" can be used. If different tickets are used for different applications, the application's path should be used.

Note that only one cookie per cookie path and name can exist. Make sure that this cookie name does not clash with other cookies' names. For example, do not use session cookie names such as "JSESSIONID".

Make sure the configuration flag Interpret Cookie Domains is set in the Airlock Gateway (WAF) configuration. If not, the cookie path is ignored and cookies in the cookie store are sent to any back-end HTTP request of the same session. This also means that there may be only one cookie per cookie name!
It is best to consult the corresponding documentation of the web entry server or reverse proxy to get more accurate information on cookie handling.

Attributes
String
Optional
Default value
/
Example
/
Example
/appl1
Example
/appl2
Cookie Domain (cookieDomain)
Description
The domain for which the cookie is set. The domain determines where the cookie is sent by the reverse proxy (or browser).

Because of security restrictions in browsers (same origin policy) it is usually not possible to set a cookie for a different domain unless the right-most two domain parts (e.g. "ergon.ch") are equal to that of the application setting the cookie.
It is possible that there are further restrictions regarding this in browsers.

If you are using an HTTP reverse proxy that stores the cookie in its session store (and does not send it to the client), make sure to understand the proxy's interpretation of the cookie domain and cookie path.

Make sure the configuration flag Interpret Cookie Domains is set in the Airlock Gateway (WAF) configuration. If not, the cookie domain is ignored and cookies in the cookie store are sent to any back-end HTTP request of the same session. The cookie path is also ignored, meaning that there may be only one cookie per cookie name!
Airlock also supports the following cookie domain values (if the flag Interpret Cookie Domains is set):

  • An empty value results in the cookie only being sent to the origin server that set the cookie.
  • The value .* results in cookies being sent to all back-end servers. This is especially useful if one authentication ticket is used for multiple back-ends.
  • The value @<fully-qualified-host> results in the cookie being treated as if it were set by the host specified by "<fully-qualified-host>". If using this value, make sure the corresponding mapping also uses the fully qualified hostname.
It is best to consult the corresponding documentation of the web entry server or reverse proxy to get more accurate information on cookie handling.

If one single authentication ticket is used for all applications, the value ".*" can be used. If different tickets are used for different applications, the application's path should be used.

Attributes
String
Optional
Example
.*
Example
@www.test.com
Example
ergon.ch
Ticket Service (ticketService)
Description
The ticket service providing the authentication ticket and knowing what to put into the ticket.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Ticket Encoder (ticketEncoder)
Description
The ticket encoder plugin used to encode the authentication ticket in a string.

Caution: This plugin is usually used together with an entry component that keeps the authentication ticket cookie from being sent to the client and therefore from being exposed to external attacks.
If you intend to send the cookie to the client, it must be protected accordingly by choosing an appropriate ticket encoder.

Note that some ticket encoders do not support ticket expiry, i.e. they do not encode the ticket validity into the ticket.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Fixed Key-Value Pairs (keyValuePairs)
Description
Additional fixed name-value-pairs may be provided to the ticket service.
If supported by the ticket service plugin, this is a way to add such an extra key-value-pair to a ticket.
The key-value-pairs are added to the key-value-pairs passed to this plugin by the calling application. They overwrite existing values with the same key.
Attributes
Plugin-List
Optional
Assignable plugins
URL Encoding Scheme (urlEncodingScheme)
Description
String values should be URL encoded in order to be suitable as cookie values. This optional property defines the URL encoding scheme to be used.
Make sure that the component receiving the ticket uses the same URL encoding scheme.
Attributes
String
Optional
Default value
UTF-8
Allowed values
UTF-8, ISO-8859-1, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, ISO-8859-15
Disable URL Encoding (disableUrlEncoding)
Description
If set to true, the cookie's final value is not URL-encoded, though the key/values will always be.
Notice that this may result in V1 cookies because the value will most probably contain the '=' character which is not allowed in V0 cookies. Make sure your application supports V1 cookies when disabling this property.
Attributes
Boolean
Optional
Default value
false
Set Secure Flag In Cookie (setSecureFlagInCookie)
Description
If set to TRUE the "secure"-flag of the cookie is set.

If the cookie is marked as secure, the browser (and any HTTP proxy behaving like a browser) should send the cookie only over secure connections.
Caution: If you think that setting this flag makes your application more secure, it is in most cases way better to adequately secure the authentication ticket by choosing a secure ticket encoder plugin. Remember that this flag just "asks" the browser to not transmit the cookie over unencrypted connections.

Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.sso.CookieTicketIdentityPropagator
id: CookieTicketIdentityPropagator-xxxxxx
displayName: 
comment: 
properties:
  cookieDomain:
  cookieName:
  cookiePath: /
  disableUrlEncoding: false
  keyValuePairs:
  setSecureFlagInCookie: false
  ticketEncoder:
  ticketService:
  urlEncodingScheme: UTF-8

Correlation ID Settings

Description
Defines settings for the correlation ID.
Class
com.airlock.iam.common.application.configuration.logging.CorrelationIdSettingsConfig
May be used by
Properties
Header Name (headerName)
Description
Defines the header from which the correlation ID will be extracted on incoming requests.
Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_-]+
Default value
X-Correlation-ID
Validation Pattern (validationPattern)
Description

The correlation ID that is extracted from the request header will be matched against this regular expression.

If it matches, then it will be logged for the scope of the current HTTP request. Otherwise, the value is rejected, and no correlation ID will be logged.

This can be configured to prevent unexpected values from being written to the log files.

Attributes
RegEx
Optional
Default value
[\x21-\x7E]{2,256}
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.logging.CorrelationIdSettingsConfig
id: CorrelationIdSettingsConfig-xxxxxx
displayName: 
comment: 
properties:
  headerName: X-Correlation-ID
  validationPattern: [\x21-\x7E]{2,256}
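As an added illustration (not part of the Airlock IAM documentation or code), the following Python models the header extraction and validation described above, using the plugin's default header name and validation pattern; the sample request headers and the log-line format are constructed here and are assumptions.

```python
import re

# Defaults of the Correlation ID Settings plugin, as documented above.
DEFAULT_HEADER_NAME = "X-Correlation-ID"
DEFAULT_VALIDATION_PATTERN = r"[\x21-\x7E]{2,256}"
# Validation RegEx for the header name property itself.
HEADER_NAME_RE = re.compile(r"[a-zA-Z0-9_-]+")


def extract_correlation_id(headers, header_name=DEFAULT_HEADER_NAME,
                           validation_pattern=DEFAULT_VALIDATION_PATTERN):
    """Return the correlation ID to log for this request, or None.

    None means the header is absent or its value was rejected by the
    validation pattern; in both cases no correlation ID is logged.
    """
    if HEADER_NAME_RE.fullmatch(header_name) is None:
        raise ValueError(f"invalid header name: {header_name!r}")
    # HTTP header names are case-insensitive; look the header up accordingly.
    value = next((v for k, v in headers.items()
                  if k.lower() == header_name.lower()), None)
    if value is None:
        return None
    # fullmatch is deliberate: a '$'-anchored re.match would still accept a
    # value ending in a newline, which is exactly what the default pattern is
    # meant to keep out of the log (printable ASCII only, no whitespace or
    # control characters, 2 to 256 characters).
    if re.fullmatch(validation_pattern, value) is None:
        return None
    return value


def log_line(level, message, headers):
    """Format one log line (constructed layout); the ID is added only if it validated."""
    cid = extract_correlation_id(headers)
    prefix = f"[cid={cid}] " if cid is not None else ""
    return f"{level} {prefix}{message}"


# Constructed sample request headers (not real traffic).
VALID = {"x-correlation-id": "req-5d1a8c0f"}
INJECTED = {"X-Correlation-ID": "req-1\r\nERROR forged log entry"}
TOO_SHORT = {"X-Correlation-ID": "a"}
MISSING = {"User-Agent": "example"}

if __name__ == "__main__":
    for name, hdrs in [("valid", VALID), ("injected", INJECTED),
                       ("too short", TOO_SHORT), ("missing", MISSING)]:
        print(name, "->", log_line("INFO", "login started", hdrs))
```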

CORS Settings

Description
CORS Settings.
Class
com.airlock.iam.common.application.configuration.CorsSettings
May be used by
Properties
Allowed Origins (allowedOrigins)
Description

A list of regular expressions for the origins allowed to execute cross domain requests ('preflight checks') to the REST API. If no origins are configured, the server will deny any CORS requests.

Note that if a TLS tunnel is terminated by a load balancer which connects to IAM via http, IAM will consider most requests as CORS requests unless 'Strict CORS Validation' is deactivated.

Attributes
RegEx-List
Optional
Strict CORS Validation (strictCorsValidation)
Description

Match the 'Origin' header of the browser exactly.

Disabling this flag allows Airlock IAM to be connected to e.g. a load-balancer without TLS (load-balancer terminates TLS):

  • 'https://yourhost.com:443' is then considered a match compared to 'http://yourhost.com:80', and treated as same-origin

Note that this setting does not influence the 'Allowed Origins'.

Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.CorsSettings
id: CorsSettings-xxxxxx
displayName: 
comment: 
properties:
  allowedOrigins:
  strictCorsValidation: true
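As an added example (not Airlock IAM code), the following Python models the two decisions described above: whether a request counts as same-origin under strict and non-strict validation, and whether a cross-origin request is covered by the Allowed Origins list. That non-strict mode compares host names only, and that each Allowed Origins entry is matched against the whole Origin value, are assumptions derived from the documented example; the origins and patterns are constructed.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_same_origin(request_origin, server_origin, strict=True):
    """Strict: scheme, host and port must all match the server's own origin.
    Non-strict: only the host is compared, so https://yourhost.com:443 seen by the
    browser equals http://yourhost.com:80 seen by IAM behind a TLS-terminating
    load balancer (assumption modelled on the documented example)."""
    req, srv = normalize_origin(request_origin), normalize_origin(server_origin)
    if strict:
        return req == srv
    return req[1] == srv[1]


def is_allowed_origin(request_origin, allowed_origins):
    """Allowed Origins: an empty list denies every CORS request. Each regular
    expression is matched against the whole Origin value (fullmatch, assumption)."""
    return any(re.fullmatch(pattern, request_origin) for pattern in allowed_origins)


def evaluate_cors(request_origin, server_origin, allowed_origins, strict=True):
    """Combine both checks; Strict CORS Validation never influences Allowed Origins."""
    if is_same_origin(request_origin, server_origin, strict):
        return "same-origin"
    return "allowed" if is_allowed_origin(request_origin, allowed_origins) else "denied"


# Constructed setup: IAM sees plain HTTP on port 80 behind a load balancer.
SERVER_ORIGIN = "http://yourhost.com:80"
# Escaped dots: an unescaped '.' is a wildcard and would widen the allow-list.
ALLOWED_ORIGINS = [r"https://app\.example\.com"]

if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "non-strict", "->",
              evaluate_cors("https://yourhost.com", SERVER_ORIGIN, [], strict))
    print(evaluate_cors("https://app.example.com", SERVER_ORIGIN, ALLOWED_ORIGINS))
    print(evaluate_cors("https://app.example.com.other.test", SERVER_ORIGIN, ALLOWED_ORIGINS))
```

The last two calls show why the whole-value match and the escaped dots matter: a look-alike origin that merely starts with the allowed one is denied, while a pattern with unescaped dots would also accept hosts such as appxexample.com.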

Create Airlock 2FA Device Activation Letters

Description

Settings for user's device activation letters. Such a letter contains a QR code to be scanned and is typically necessary for the registration of the first Airlock 2FA device.

Note that once the letter is generated, Airlock IAM is no longer involved in the activation of a user's device. This implies in particular that a user who has been locked out after the generation of an activation letter could still use it to successfully register an Airlock 2FA device. Login will of course remain impossible as long as the user is locked out.

Compared to "Order Airlock 2FA Device Activation Letters", no order will be created since activation letters will be directly generated by this plugin. The "Airlock 2FA Activation Letter Order Task" is therefore not necessary in this case.

Class
com.airlock.iam.admin.application.configuration.airlock2fa.Airlock2FACreateActivationLettersConfig
May be used by
License-Tags
Airlock2FA
Properties
Letter Printing Options (letterPrintingOptions)
Description
Configuration needed in case the created activation letter should be printed to a file.
Attributes
Plugin-Link
Optional
Assignable plugins
Enrollment Validity [s] (enrollmentValidityInSeconds)
Description
The duration (in seconds) an enrollment code should be valid.

Note: This value is only used for the validity of the QR code in the enrollment letter and does not affect enrollment self-services.

Attributes
Integer
Optional
Default value
604800
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.airlock2fa.Airlock2FACreateActivationLettersConfig
id: Airlock2FACreateActivationLettersConfig-xxxxxx
displayName: 
comment: 
properties:
  enrollmentValidityInSeconds: 604800
  letterPrintingOptions:

Create Airlock 2FA Hardware Token Shipment Letters

Description
Settings for user's hardware token shipment letters. Such a letter is designed to accompany the shipment of the hardware token to the user and contains information relevant to its first use.
Class
com.airlock.iam.admin.application.configuration.airlock2fa.Airlock2FAShipmentLettersConfig
May be used by
License-Tags
Airlock2FA
Properties
Renderer (renderer)
Description
Defines how shipment letters (e.g. PDFs) are rendered.

The following placeholders can be used in the templates

  • ${User Context Data Name} - context data of the user.
  • ${deviceManufacturer} - manufacturer of device.
  • ${deviceModel} - model of device.
  • ${deviceSerialNumber} - serial number of device.
  • ${deviceActivationCode} - activation code of device, if any.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Working Directory (workingDirectory)
Description
A writable directory used to store a partially rendered shipment letter.
If this property is defined, shipment letters are not directly generated into the output directory (see other property) but they are generated into this working directory and are then moved into the output directory once they are done.
This helps to solve problems with processes that automatically read the rendered letters and therefore might not see the fully rendered result. Make sure that the working directory and the output directory reside in the same file system (otherwise the moving of the generated file will not be atomic).
The directory is either absolute or relative to the JVM's current directory.
Attributes
File/Path
Optional
Output Directory (outputDirectory)
Description
The directory where the printable letters will be stored.
Attributes
File/Path
Mandatory
Language Context Data Name (languageContextDataName)
Description
The user's context data attribute containing its language. The language is used to choose the template in the renderer. If left empty, the default template will be used.
Attributes
String
Optional
Suggested values
language
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.airlock2fa.Airlock2FAShipmentLettersConfig
id: Airlock2FAShipmentLettersConfig-xxxxxx
displayName: 
comment: 
properties:
  languageContextDataName:
  outputDirectory:
  renderer:
  workingDirectory:

Credential Data Certificate Matcher

Description
The plugin extracts a username from an X509 client certificate. The extracted username can afterwards be used by e.g. an authenticator.

In a first step, a user identifier is extracted from the certificate data (e.g. from the subject DN). The result can either be used directly as username, or additionally, a User Iterator is configured to match the extracted identifier against some user attribute. If a matching user is found, its username is returned.

Example:
A certificate contains the following DN: cn=test,ou=local,o=company,c=ch.
The matcher can be configured (without User Iterator) to match the CN as user attribute, therefore, the extracted username is "test".
Class
com.airlock.iam.core.misc.impl.authen.certificate.CredentialDataCertificateMatcher
May be used by
Properties
User Attribute (userAttribute)
Description
Defines how the user's username (or other piece of data used to look up the username) is to be extracted from the certificate. Example: The value "cn" will extract the common name from the DN and use it as username.

The following value is treated specially:

  • "altSubjectName": Use the certificate's alternative subject name as username.
Attributes
String
Mandatory
Suggested values
cn, altSubjectName
Username Transformer (usernameTransformer)
Description
Transforms the extracted username from the certificate before it is used in the lookup.
Attributes
Plugin-Link
Optional
Assignable plugins
User Iterator (userIterator)
Description
Searches for the user in the underlying persistence layer using the extracted user attribute and returns that user's username. If no iterator is configured, the extracted (and, if configured, transformed) user attribute is used as the username.
Attributes
Plugin-Link
Optional
Assignable plugins
Context Data Columns (contextDataColumns)
Description
Defines the values the extracted user attribute is matched against in the lookup. The value must match any of the context columns.
Attributes
String-List
Optional
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.certificate.CredentialDataCertificateMatcher
id: CredentialDataCertificateMatcher-xxxxxx
displayName: 
comment: 
properties:
  contextDataColumns:
  userAttribute:
  userIterator:
  usernameTransformer:
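As an added example (not the plugin's code), the following Python models the two-step lookup described above: extract an identifier from the certificate (a DN attribute, or the special value "altSubjectName"), optionally transform it, and either use it directly or match it against the configured context data columns of a user store. The DN parser, the constructed user records and the rule that an ambiguous or missing match yields no username are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class CertificateData:
    """Constructed stand-in for the X509 data the matcher reads."""
    subject_dn: str
    alt_subject_name: Optional[str] = None


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253-style DN into (attribute, value) pairs.
    Backslash-escaped commas stay inside the value; attribute names are lower-cased."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def extract_identifier(cert: CertificateData, user_attribute: str) -> Optional[str]:
    """User Attribute: "altSubjectName" is special, anything else names a DN attribute.
    An attribute that is missing or occurs more than once yields no identifier (assumption)."""
    if user_attribute == "altSubjectName":
        return cert.alt_subject_name
    values = [v for a, v in parse_dn(cert.subject_dn) if a == user_attribute.lower()]
    return values[0] if len(values) == 1 else None


def match_username(cert: CertificateData, user_attribute: str,
                   transformer: Optional[Callable[[str], str]] = None,
                   users: Optional[List[dict]] = None,
                   context_data_columns: Tuple[str, ...] = ()) -> Optional[str]:
    """Without a user iterator the (transformed) identifier is the username; with one,
    the identifier is looked up in the context data columns and the stored username returned."""
    identifier = extract_identifier(cert, user_attribute)
    if identifier is None:
        return None
    if transformer is not None:
        identifier = transformer(identifier)
    if users is None:
        return identifier
    hits = [u for u in users if any(u.get(col) == identifier for col in context_data_columns)]
    # Exactly one user must match; an ambiguous lookup must never resolve to a login (assumption).
    return hits[0]["username"] if len(hits) == 1 else None


# Constructed user store; "email" and "cn" play the role of context data columns.
USERS = [
    {"username": "u1001", "email": "test@company.example", "cn": "test"},
    {"username": "u1002", "email": "dup@company.example"},
    {"username": "u1003", "email": "dup@company.example"},
]

if __name__ == "__main__":
    cert = CertificateData("cn=test,ou=local,o=company,c=ch", "test@company.example")
    print(match_username(cert, "cn"))                                        # test
    print(match_username(cert, "altSubjectName", users=USERS,
                         context_data_columns=("email",)))                   # u1001
```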

Credential Data mTAN Handler

Description
An mTAN handler that uses the credential data (in the user table of the IAM database). Supports only one mTAN number per user.
Class
com.airlock.iam.core.misc.impl.authen.mtan.CredentialDataMtanHandler
May be used by
Properties
Credential Persister (credentialPersister)
Description
Credential persister to load the mobile phone number from user data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Per User Flash Context Field (perUserFlashContextField)
Description

If a context data field is configured, sending of flash messages is decided per user, based on the value in this field. If this field is empty, the default flash setting is used.

Important: The referenced context data field must be of type String and accepts only one of the following values:

  • true - send flash SMS
  • false - send normal SMS
  • <empty/null> - use the default flash settings

Note: The same configuration value must also be added to the credential persister's context data fields.

Attributes
String
Optional
Suggested values
flashSms
IAK Verifier (iakVerifier)
Description

The IAK verifier is used to check initial activation keys. It is only used during credential self-registration and not during credential self-migration.

CAUTION: Not specifying an IAK verifier plugin means that no IAK is checked during the self-registration process. Be careful to not create unsafe processes! Usually, self-registration is unsafe without IAK verification.

Attributes
Plugin-Link
Optional
Assignable plugins
IAK Generator (iakGenerator)
Description
The string generator plugin which will generate the new IAKs.
Attributes
Plugin-Link
Optional
Assignable plugins
IAK Hash Function (iakHashFunction)
Description
This property is only used when new IAKs are generated. The hash function specifies how generated IAKs are hashed. It must be the same as (or hash-value compatible with) the one used for checking IAKs.

NOTE: Some password hashes, such as SHA 256 Password Hash or Scrypt Password Hash, produce binary output. If one of these is used, make sure the persistence layer supports binary data in the hash field and the corresponding persistence plugins (e.g. Database User Store or Ldap Connector) are configured to treat hash values as binary values.
In case the persistence layer expects a string, encode the password hash by wrapping it with an encoder. To achieve this, use the Password Hash Configuration plugin and specify the hash function (such as Scrypt Password Hash) together with the desired encoder. We recommend using the Base64 Password Hash Encoder.

Attributes
Plugin-Link
Optional
Assignable plugins
Hash Value Is Binary (hashValueIsBinary)
Description
Enable if the hash value produced by the configured hash function is binary (and not a string). It will then be stored using the credential persister's "binary" data slot.
Attributes
Boolean
Optional
Default value
false
IAK Credential Persister (iakCredentialPersister)
Description
If immediate generation of IAK letters in the Admin Tool should be allowed, an IAK credential persister must be configured.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.mtan.CredentialDataMtanHandler
id: CredentialDataMtanHandler-xxxxxx
displayName: 
comment: 
properties:
  credentialPersister:
  hashValueIsBinary: false
  iakCredentialPersister:
  iakGenerator:
  iakHashFunction:
  iakVerifier:
  perUserFlashContextField:

Credential Report Task

Description
This task plug-in iterates over user or credential records and - if certain conditions are met - executes a report renderer on the user (or credential). It is intended to produce, for example, letters for newly issued tokens or other credentials.

The task uses a user iterator plug-in to go through the set of users or credential records and looks at a specific flag telling this plug-in that a report should be rendered for the user (or credential). If the flag is set, the "delivery security gap" is checked: This is the minimum amount of time there must be between two reports being generated for one and the same user. If this check is ok, the configured report renderer is called and the flag reset.

Note: There are special tasks for generating password letters (PasswordBatchTask) and matrix cards/TAN lists (TanBatchTask).
Class
com.airlock.iam.servicecontainer.app.application.configuration.task.CredentialReportTask
May be used by
Properties
Report Type Short Desc (reportTypeShortDesc)
Description
Defines a short textual description of the type of the report being rendered.
The text is used in the user trail log written when a report is rendered. Please specify a text like in the examples below, so it suits the structure of the log statement it is used in.
If this property is not specified, a general statement will be logged.
Attributes
String
Optional
Example
password letter
Example
keyfile accompanying report
Example
mobile number registration letter
Credential Persister (credentialPersister)
Description
The credential persister plug-in is used to read and store credential data structures.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Credential Iterator (credentialIterator)
Description
The credential iterator plug-in used to iterate over a set of credential structures. For efficiency reasons it makes sense to limit the set of credential structures returned by this plug-in as much as possible. It is usually a good idea to include the "order-credential" flag in the additional where clause of the iterator plug-in. Like this, this plug-in only gets the "interesting" records.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Report Renderer (reportRenderer)
Description
Tells this task which generic renderer to use to render reports.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Delivery Security Gap (deliverySecurityGap)
Description
Specifies the minimum number of days there must be between two reports being generated for the same user. This delivery gap tries to prevent that a user gets - as an example - a password letter and a token within a short amount of time resulting in a security risk because both letters are handled at the same time (e.g. by the postal service).
This feature only works correctly if the underlying credential persister knows about the other credentials' delivery timestamps. Make sure these are properly configured for the credential persister.
Not setting this property turns this feature off.
Attributes
Integer
Optional
Default value
0
Language Attribute Name (languageAttributeName)
Description
Tells the report task which attribute in the context data container contains the language to be used for rendering the password. If this property is configured and if the context data container of the user has a value for this attribute, it is used when calling the report renderer plug-in.
Attributes
String
Mandatory
Suggested values
language
Working Directory (workingDirectory)
Description
A writable directory used to store partial reports.
If this property is defined, the credential reports are not directly generated into the output directory (see other property) but they are generated into this working directory and are moved to the output directory once they are done.
This helps to solve problems with processes automatically reading the rendered reports and reading partial reports during the generation process. Make sure that the working directory and the output directory reside in the same file system (if not the moving of the generated file will not be atomic).
The directory is either absolute or relative to the JVM's current directory.
Attributes
File/Path
Optional
Output Directory (outputDirectory)
Description
Directory in the file system to put the rendered reports in. The directory is either absolute or relative to the JVM's current directory.

This property is not required if the renderer plugin (see separate property) does not write on the outputstream (e.g. sends it somewhere else). It is required otherwise.

Note: If this property is not defined and the used renderer plugin writes on the output stream, then the result (e.g. a PDF file) is lost.

Attributes
File/Path
Optional
File Name Prefix (fileNamePrefix)
Description
Filename prefix for rendered report files. It is important to set this to a unique value for the kind of reports generated by this task. When this task deletes old reports, it looks at this prefix (and the user id) in order to find out what files to delete. Thus, if this prefix is the same as for other reports and they reside in the same directory, other reports may be deleted.
Do not use the prefix "pwd-" or the empty prefix if password or token-list reports are stored in the same directory. The latter is used as default for token lists (matrix card) and the former for password letters.
Attributes
String
Mandatory
Example
token-letter
Example
smartcardLetter
File Name Suffix (fileNameSuffix)
Description
Filename suffix for rendered report files. The indicated suffix is appended to the generated reports. This may be required if the files are processed (e.g. printed) by another process (manual or automatic).
Attributes
String
Mandatory
Suggested values
.pdf, .txt
Delete Old Reports (deleteOldReports)
Description
Deletes old rendered reports of a user from the file system when a new one is rendered. Setting this to TRUE results in at most one rendered report of this type per user.
Caution: This feature will delete all reports starting with the prefix configured by property "file-name-prefix" and the user's name. Thus you must make sure, that different report types use different filename prefixes.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.servicecontainer.app.application.configuration.task.CredentialReportTask
id: CredentialReportTask-xxxxxx
displayName: 
comment: 
properties:
  credentialIterator:
  credentialPersister:
  deleteOldReports: false
  deliverySecurityGap: 0
  fileNamePrefix:
  fileNameSuffix:
  languageAttributeName:
  outputDirectory:
  reportRenderer:
  reportTypeShortDesc:
  workingDirectory:
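As an added example (not Airlock IAM code), the following Python models one pass of the task described above over constructed credential records: the order flag, the delivery security gap, the flag reset and the Delete Old Reports behaviour. The file name layout <prefix><user id><suffix>, the record fields and the sample dates are assumptions of this model.

```python
from datetime import date, timedelta
from typing import List, Tuple


def delivery_gap_ok(other_deliveries: List[date], today: date, gap_days: int) -> bool:
    """Delivery Security Gap: render only if every other credential of this user was
    delivered at least gap_days ago. 0 (the default) turns the check off."""
    if gap_days <= 0:
        return True
    return all(today - delivered >= timedelta(days=gap_days) for delivered in other_deliveries)


def old_reports_to_delete(existing_files: List[str], prefix: str, user_id: str) -> List[str]:
    """Delete Old Reports: every file whose name starts with prefix + user id is removed.
    The <prefix><user id><suffix> layout is an assumption of this model."""
    return [f for f in existing_files if f.startswith(prefix + user_id)]


def run_report_task(records: List[dict], existing_files: List[str], today: date,
                    prefix: str, suffix: str, gap_days: int,
                    delete_old: bool) -> Tuple[List[str], List[str]]:
    """One pass over the records; returns (rendered file names, deleted file names)."""
    rendered, deleted = [], []
    for rec in records:
        if not rec["order_flag"]:
            continue
        if not delivery_gap_ok(rec["other_deliveries"], today, gap_days):
            continue  # flag stays set, so the record is retried on a later run
        if delete_old:
            deleted.extend(old_reports_to_delete(existing_files, prefix, rec["user_id"]))
        rendered.append(f"{prefix}{rec['user_id']}{suffix}")
        rec["order_flag"] = False  # reset the flag once the report is rendered
    return rendered, deleted


TODAY = date(2024, 5, 20)


def sample_records() -> List[dict]:
    """Constructed credential records; alice got a password letter three days ago."""
    return [
        {"user_id": "alice", "order_flag": True, "other_deliveries": [date(2024, 5, 17)]},
        {"user_id": "bob", "order_flag": True, "other_deliveries": []},
        {"user_id": "carol", "order_flag": False, "other_deliveries": []},
    ]


# Constructed output directory: a token list letter (empty default prefix),
# a password letter ("pwd-") and an older token letter for bob.
EXISTING_FILES = ["bob.pdf", "pwd-bob.pdf", "token-letter-bob.pdf"]

if __name__ == "__main__":
    print(run_report_task(sample_records(), EXISTING_FILES, TODAY, "token-letter-", ".pdf", 7, True))
    # With the empty prefix the task would also remove bob's token list letter:
    print(run_report_task(sample_records(), EXISTING_FILES, TODAY, "", ".pdf", 0, True))
```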

Credential Secret Batch Task

Description
Server task that checks all users for a flag indicating that a new letter with a secret (e.g. activation code) should be generated.

Unlike the "Password Batch Task" this plugin uses a credential persister / iterator.

Generated secrets are rendered (e.g. made a pdf or printed) using a PasswordRenderer plugin.

Class
com.airlock.iam.servicecontainer.app.application.configuration.task.CredentialSecretBatchTask
May be used by
Properties
Credential Iterator (credentialIterator)
Description
The credential iterator plugin used to iterate over all users' credentials. Usually this is the same as the credential persister.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Credential Persister (credentialPersister)
Description
The credential persister plugin used to read and store credential data structures.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Delivery Security Gap Days (deliverySecurityGapDays)
Description
In order to avoid sending more than one credential to a user at the same time, this task inspects the delivery times of other credentials of the same user. The value of this property indicates the minimum number of days between the latest delivery of another token and the generation of a secret.

Setting this property to zero (0) disables this feature.

Attributes
Long
Optional
Default value
0
Aggregate Report (aggregateReport)
Description
Optional property to describe an aggregate report over all generated reports in a batch. If none is configured, no aggregate report will be generated.
Attributes
Plugin-Link
Optional
Assignable plugins
Credential Secret Generator (credentialSecretGenerator)
Description
Allows the configuration of settings for the generation of the credential secret reports.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Token Cleanup Configs (tokenCleanupConfigs)
Description
Allows the configuration of settings to remove tokens during the batch task.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.servicecontainer.app.application.configuration.task.CredentialSecretBatchTask
id: CredentialSecretBatchTask-xxxxxx
displayName: 
comment: 
properties:
  aggregateReport:
  credentialIterator:
  credentialPersister:
  credentialSecretGenerator:
  deliverySecurityGapDays: 0
  tokenCleanupConfigs:

Credential Secret Generator

Description
Responsible for the generation and the rendering of credential secrets.
Class
com.airlock.iam.core.misc.renderer.CredentialSecretGenerator
May be used by
Properties
Hash Value Is Binary (hashValueIsBinary)
Description
Enable to tell this plugin that the hash value produced by the configured hash function is binary (and not a string). It will then be stored using the credential persister's "binary" data slot.
Attributes
Boolean
Optional
Default value
false
Password Generator (passwordGenerator)
Description
The string generator plugin which will generate the new password.
Attributes
Plugin-Link
Optional
Assignable plugins
Hash Function Plugin (hashFunctionPlugin)
Description
This property is used when new passwords are generated. The hash function is used to hash the generated password. It must be the same (or hash value compatible) as used when checking passwords.

NOTE: Some password hashes, such as SHA 256 Password Hash or Scrypt Password Hash, produce binary output. If one of these is used, make sure the persistence layer supports binary data in the hash field and the corresponding persistence plugins (e.g. Database User Store or Ldap Connector) are configured to treat hash values as binary values.
In case the persistence layer expects a string, encode the password hash by wrapping it with an encoder. To achieve this, use the Password Hash Configuration plugin and specify the hash function (such as Scrypt Password Hash) together with the desired encoder. We recommend using the Base64 Password Hash Encoder.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Output Directory Path (outputDirectoryPath)
Description
Directory in the file system to put the rendered passwords in. The directory is either absolute or relative to the JVM's current directory.

This property is not required if the renderer plugin (see separate property) does not write to the output stream (e.g. sends the result somewhere else). It is required otherwise.

Note: If this property is not defined and the renderer plugin writes to the output stream, the result (e.g. a PDF file) is lost.

Attributes
File/Path
Optional
Working Directory Path (workingDirectoryPath)
Description
A writable directory used to store partial reports.
If this property is defined, the passwords are not generated directly into the output directory (see other property) but into this working directory, and are moved to the output directory once they are complete.
This avoids problems with processes that automatically read the rendered passwords and pick up partial reports during generation. Make sure that the working directory and the output directory reside on the same file system (otherwise the move of the generated file is not atomic).
The directory is either absolute or relative to the JVM's current directory.
Attributes
File/Path
Optional
File Name Prefix (fileNamePrefix)
Description
Filename prefix for rendered report files. It is important to set this to a unique value for the kind of reports generated by this task. When this task deletes old reports, it looks at this prefix (and the user id) to determine which files to delete. Thus, if this prefix is the same as for other reports and they reside in the same directory, other reports may be deleted.

Do not use an empty prefix if token-list reports are stored in the same directory. The empty prefix is the default for token list letters (and not configurable in older plugin versions).

This property is optional for backwards compatibility. The prefix "pwd-" is used if none is defined.

Attributes
String
Optional
Default value
pwd-
Example
pwd-
Example
passwordLetter-
Configured File Name Suffix (configuredFileNameSuffix)
Description
Filename suffix for rendered password files. If the configured suffix does not start with a dot, a leading dot is prepended before it is used.
Attributes
String
Optional
Suggested values
.pdf, .docx
Report Type Short Desc (reportTypeShortDesc)
Description
Defines a short textual description of the type of the report being rendered.
The text is used in the user trail log written when a report is rendered. Please specify a text like in the examples below, so it suits the structure of the log statement it is used in.
If this property is not specified, a general statement will be logged.
Attributes
String
Optional
Example
password letter
Example
activation key letter
Example
PIN letter
Password Renderer (passwordRenderer)
Description
Tells the password batch task which password renderer to use for the rendering of newly generated passwords.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Language Attribute Name (languageAttributeName)
Description
Tells the password batch task which attribute in the context data container contains the language to be used for rendering the password. If this property is configured and if the context data container of the user has a value for this attribute, it is used when calling the password renderer plugin.
Attributes
String
Optional
Suggested values
language
Delete Old Passwords (deleteOldPasswords)
Description
Deletes old rendered passwords of a user from the file system when a new one is rendered. Setting this to TRUE results in at most one rendered password per user.
Attributes
Boolean
Optional
Default value
false
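Added example (not Airlock IAM code) of the behaviour described under Working Directory Path, File Name Prefix and Delete Old Passwords: a letter is rendered into the working directory and moved into the output directory with an atomic rename, and old reports of the same user are deleted by prefix. The naming scheme <prefix><userId>-<seq><suffix>, the matching rule "prefix + user id", and the file contents are assumptions of this example; the run with the empty prefix reproduces the collision with token-list letters that the note warns about.

```python
import os
import tempfile
from pathlib import Path


def render_password_letter(user_id: str, password: str) -> bytes:
    """Stand-in for the Password Renderer plugin: produces the letter body."""
    return f"Dear {user_id}, your new password is: {password}\n".encode("utf-8")


def report_file_name(prefix: str, user_id: str, seq: int, suffix: str) -> str:
    """Assumed naming scheme <prefix><userId>-<seq><suffix>; the suffix gets a
    leading dot if it lacks one (as documented for configuredFileNameSuffix)."""
    if not suffix.startswith("."):
        suffix = "." + suffix
    return f"{prefix}{user_id}-{seq}{suffix}"


def delete_old_reports(output_dir: Path, prefix: str, user_id: str, keep: Path) -> list:
    """Delete earlier reports of this user, identified by prefix + user id only.
    Anything else in the directory whose name starts the same way is deleted
    too: this is the collision the File Name Prefix note warns about."""
    removed = []
    for f in output_dir.iterdir():
        if f != keep and f.name.startswith(f"{prefix}{user_id}-"):
            f.unlink()
            removed.append(f.name)
    return sorted(removed)


def write_report(output_dir, working_dir, prefix, user_id, seq, suffix, body, delete_old):
    output_dir = Path(output_dir)
    final = output_dir / report_file_name(prefix, user_id, seq, suffix)
    if working_dir is None:
        # No working directory: a consumer polling output_dir can read a partial file.
        final.write_bytes(body)
    else:
        partial = Path(working_dir) / final.name
        partial.write_bytes(body)
        # os.replace is atomic only within one file system; across file systems
        # it fails with EXDEV (OSError) instead of silently copying.
        os.replace(partial, final)
    if delete_old:
        delete_old_reports(output_dir, prefix, user_id, keep=final)
    return final


def simulate(root, prefix: str) -> list:
    """Two password letters for 'alice' with deleteOldPasswords=true, next to a
    token-list letter written with the empty prefix. Returns what survives."""
    root = Path(root)
    out, work = root / "out", root / "work"
    out.mkdir()
    work.mkdir()
    # Constructed token-list letter left by another task (empty prefix).
    (out / "alice-7.pdf").write_bytes(b"%PDF token list letter (constructed)")
    for seq in (1, 2):
        write_report(out, work, prefix, "alice", seq, "pdf",
                     render_password_letter("alice", f"Pw{seq}!"), delete_old=True)
    return sorted(p.name for p in out.iterdir())


def run_demo() -> dict:
    """Run the simulation once with the default prefix and once with the empty one."""
    results = {}
    for prefix in ("pwd-", ""):
        with tempfile.TemporaryDirectory() as d:
            results[prefix] = simulate(d, prefix)
    return results
```

With the default prefix "pwd-" the token-list letter survives; with the empty prefix it is deleted together with the previous password letter.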
Barcode Generator (barcodeGenerator)
Description
Optional barcode generator. If this property is configured, a barcode image and the corresponding barcode content are added to the parameter map accessible by report templates. The following keys are defined:
  • BarcodeImage: placeholder for the barcode image.
  • BarcodeContent: placeholder for the barcode content.
  • BarcodeContentDisplay: placeholder for the barcode content in a human-readable format.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.renderer.CredentialSecretGenerator
id: CredentialSecretGenerator-xxxxxx
displayName: 
comment: 
properties:
  barcodeGenerator:
  configuredFileNameSuffix:
  deleteOldPasswords: false
  fileNamePrefix: pwd-
  hashFunctionPlugin:
  hashValueIsBinary: false
  languageAttributeName:
  outputDirectoryPath:
  passwordGenerator:
  passwordRenderer:
  reportTypeShortDesc:
  workingDirectoryPath:

Credential to Authenticator Mapping

Description
Maps a credential pattern to an authenticator plugin.
Class
com.airlock.iam.core.misc.impl.authen.CredentialBasedAuthenticatorSelectorMapping
May be used by
Properties
Pattern (pattern)
Description

Defines a regular expression pattern matched against the credential (token or response to a challenge or password) provided during authentication.

Attributes
RegEx
Mandatory
Case Sensitive (caseSensitive)
Description
If set to false, the case of characters is ignored when matching the pattern against the credential data.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.CredentialBasedAuthenticatorSelectorMapping
id: CredentialBasedAuthenticatorSelectorMapping-xxxxxx
displayName: 
comment: 
properties:
  authenticator:
  caseSensitive: true
  pattern:

Credential-based Attribute Mapping

Description
Filters and maps attributes from the outside to the generic token and vice versa.

This plugin is designed to work only with the credential-based repository that is shipped with IAM. For custom repository implementations, custom attribute mappings are needed.

Class
com.airlock.iam.admin.application.configuration.generic.CredentialBasedAttributeMapping
May be used by
Properties
Serial Number (serialNumber)
Description
The serial ID of this token.
Attributes
String
Optional
Enabled (enabled)
Description
Indicates whether this token is enabled. This is a read-only property.
Attributes
String
Optional
Valid From (validFrom)
Description
Date as of which the token is valid.
Attributes
String
Optional
Valid To (validTo)
Description
Expiration date of this token.
Attributes
String
Optional
Generation Date (generationDate)
Description
The activation date of this token. This is a read-only property.
Attributes
String
Optional
Data (data)
Description
The actual data of this token. Binary data is converted to a base64 representation.
Attributes
String
Optional
Encoding (encoding)
Description
Encoding of the data (BINARY or STRING).
Attributes
String
Optional
Delivery Date (deliveryDate)
Description
The token delivery date.
Attributes
String
Optional
Context Data Fields (contextDataFields)
Description
Maps internal credential context data keys (left side of the map, labeled KEY) under the mapped name to an external interface (right side, labeled PLUGIN).

Mapped context data fields are elements of a nested map with the name 'contextData'. For example an entry with external name 'myField' will be mapped to an external interface as data.attributes.contextData.myField.

Attributes
Plugin-Map
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.generic.CredentialBasedAttributeMapping
id: CredentialBasedAttributeMapping-xxxxxx
displayName: 
comment: 
properties:
  contextDataFields:
  data:
  deliveryDate:
  enabled:
  encoding:
  generationDate:
  serialNumber:
  validFrom:
  validTo:

Credential-based Authenticator Selector

Description

An authenticator plugin that selects one of several authenticators (and/or contexts) depending on the credential provided in the first or any preceding authentication step. The credential, i.e. the token, the response to a challenge or the password, is compared against a list of regular expressions. The first matching expression defines the authenticator plugin (and/or context) to use for the rest of the authentication process. If none matches, a default authenticator is used.

This plugin does not add or change data added to the authentication result but just passes on the results of the wrapped authenticator(s).

Example usage:

  • Use the plugin as second authenticator after username and password have been provided.
  • Configure it with an SmsAuthenticator as default authenticator and an EmailOtpAuthenticator used if the token matches "email"
  • The user is then asked for an SMS code after successful password verification. If the user enters "email" as SMS code, an email is sent and the user is asked for the OTP in the email.

Class
com.airlock.iam.core.misc.impl.authen.CredentialBasedAuthenticatorSelector
May be used by
Properties
Mappings (mappings)
Description
Mappings between credential patterns and authenticator plugins. The first matching mapping wins, so list specific patterns before general ones.
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.CredentialBasedAuthenticatorSelector
id: CredentialBasedAuthenticatorSelector-xxxxxx
displayName: 
comment: 
properties:
  defaultAuthenticator:
  mappings:
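
Added example (not Airlock IAM code) of the selection logic described above and of the Pattern / Case Sensitive properties of Credential to Authenticator Mapping: first-match regular-expression selection with a default, the page's "email" scenario, and an ordering check for mappings that can never win. Whether the real plugin requires the whole credential to match or only searches for the pattern is not stated on the page; full-match is this example's assumption, and authenticators are represented by their names.

```python
import re
from dataclasses import dataclass


@dataclass
class CredentialMapping:
    """One 'Credential to Authenticator Mapping': pattern, caseSensitive and the
    wrapped authenticator (here just its name; in IAM it is a plugin link)."""
    pattern: str
    authenticator: str
    case_sensitive: bool = True

    def matches(self, credential: str) -> bool:
        flags = 0 if self.case_sensitive else re.IGNORECASE
        # Assumption: the whole credential must match. If the implementation only
        # searched for the pattern, an unanchored "email" would also fire on a
        # password like "myemail1", so anchored patterns are the safer habit anyway.
        return re.fullmatch(self.pattern, credential, flags) is not None


def select_authenticator(mappings, default_authenticator: str, credential: str) -> str:
    """First matching mapping wins; no match falls through to the default."""
    for mapping in mappings:
        if mapping.matches(credential):
            return mapping.authenticator
    return default_authenticator


def unreachable_mappings(mappings, sample_credentials) -> list:
    """Ordering check: indexes of mappings that never win for the given samples,
    e.g. a specific pattern listed after a catch-all such as '.*'."""
    winners = set()
    for credential in sample_credentials:
        for i, mapping in enumerate(mappings):
            if mapping.matches(credential):
                winners.add(i)
                break
    return [i for i in range(len(mappings)) if i not in winners]


# The page's example: SMS by default, e-mail OTP when the user types "email".
EMAIL_MAPPING = CredentialMapping("email", "EmailOtpAuthenticator", case_sensitive=False)
DEFAULT_AUTHENTICATOR = "SmsAuthenticator"
```

Because the credential itself is matched, a catch-all pattern placed first silently disables every mapping after it; the unreachable_mappings check with a handful of representative credentials catches that before the configuration goes live.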

Credential-based Generic Token Repository

Description

Repository that loads credentials as tokens from persistence.

If configured, the credential model supports a 'current' and 'next' credential. The db columns can be specified in the configured 'Credential Persister'.
Class
com.airlock.iam.admin.application.configuration.generic.CredentialBasedGenericTokenRepositoryConfig
May be used by
Properties
Credential Persister (credentialPersister)
Description
Credential Persister to load credentials from persistence.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Support Current And Next Credential (supportCurrentAndNextCredential)
Description
Controls whether a 'next' credential is supported.
Attributes
Boolean
Optional
Default value
false
Use Next As Current On Deletion (useNextAsCurrentOnDeletion)
Description
Controls whether a 'next' credential is automatically used as new 'current' on deletion of an old 'current'. Has no effect if 'next' credential is not supported.
Attributes
Boolean
Optional
Default value
true
Token Attribute Mapping (attributeMapping)
Description
Defines the set of supported attributes and optional name mappings.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.generic.CredentialBasedGenericTokenRepositoryConfig
id: CredentialBasedGenericTokenRepositoryConfig-xxxxxx
displayName: 
comment: 
properties:
  attributeMapping:
  credentialPersister:
  supportCurrentAndNextCredential: false
  useNextAsCurrentOnDeletion: true

CRL Certificate Status Checker

Description
Certificate status checker using a CRL (certificate revocation list) to check the status of certificates.

Periodically updates the CRL using the configured "CRL Fetcher". The latest fetched CRL is cached in memory and if configured, persisted into a file cache.

The CRL Distribution Point Extension of the certificate is not taken into account. Use plugin "CRL Distribution Point Extension CRL Checker" to consider the CRL Distribution Point Extension of the certificate being checked.

Class
com.airlock.iam.core.misc.impl.cert.crl.CrlCertificateStatusChecker
May be used by
License-Tags
ClientCertificate
Properties
CRL Fetcher (crlFetcher)
Description
The plug-in used to periodically obtain the CRL.
Attributes
Plugin-Link
Mandatory
License-Tags
ClientCertificate
Assignable plugins
Fetch Interval Seconds (fetchIntervalSeconds)
Description
The number of seconds between two attempts to fetch the current CRL. This plug-in always uses the latest fetched CRL. Values lower than one minute (60) are not allowed.
If the CRL cannot be fetched, a warning is logged and the plug-in tries again after waiting the time specified by property retry-interval-seconds.
Attributes
Long
Mandatory
License-Tags
ClientCertificate
Retry Interval Seconds (retryIntervalSeconds)
Description
If a CRL cannot be fetched (because the CRL fetcher plug-in throws an exception), this plug-in retries after waiting a certain time. This property specifies the amount of seconds to wait before retrying. The minimum allowed value is 10 seconds.
Attributes
Long
Mandatory
License-Tags
ClientCertificate
Retry Count (retryCount)
Description
If a CRL cannot be fetched (because the CRL fetcher plug-in throws an exception), this plug-in retries after waiting a certain time specified by property retry-interval-seconds. This property specifies the maximum number of retries before the plug-in gives up. After giving up, the plug-in will try again once the normal fetch interval (specified by property fetch-interval-seconds) has passed.
The number of retries times the amount of time to wait between retries must not be greater than the fetch interval.
Attributes
Integer
Mandatory
License-Tags
ClientCertificate
CRL Validity Seconds (crlValiditySeconds)
Description
The number of seconds a CRL is considered valid. The validity is counted from the update time of the CRL (this is an attribute of the CRL itself and does not depend on the time it was fetched).
Make sure that the validity period is considerably larger than the fetch interval.
The minimum value is one minute (60).
Attributes
Long
Mandatory
License-Tags
ClientCertificate
Fail Silently If CRL Expired (failSilentlyIfCrlExpired)
Description
Optional property specifying how this certificate status checker should behave if the latest available CRL has expired:
If set to TRUE, calling method isRevoked(X509Certificate) always returns true and a warning is logged.
If set to FALSE (the default), calling method isRevoked(X509Certificate) will result in a CertificateStatusCheckerException.
Attributes
Boolean
Optional
License-Tags
ClientCertificate
Default value
false
Cache File (cacheFile)
Description
Specifies a readable and writable file used by the plug-in to cache the latest fetched CRL. This is valuable in the case of a server restart at a time when there is a valid CRL from the last successful fetch but no CRL can be fetched at startup. In this case, the locally cached file is used.
This property is optional. If not defined, no local file cache will be used.
Caution: Make sure the file is readable and writable. Be careful with relative paths and permissions.
Attributes
File/Path
Optional
License-Tags
ClientCertificate
Included Issuer (includedIssuer)
Description
Specifies that only certificates with an issuer matching this pattern are checked against the CRL. Certificates that do not match this pattern are ignored and true is returned upon the check.
Attributes
RegEx
Optional
License-Tags
ClientCertificate
Keystore Config (keystoreConfig)
Description
The keystore containing the CA certificate to verify the signature of the CRL.
Attributes
Plugin-Link
Optional
License-Tags
ClientCertificate
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.cert.crl.CrlCertificateStatusChecker
id: CrlCertificateStatusChecker-xxxxxx
displayName: 
comment: 
properties:
  cacheFile:
  crlFetcher:
  crlValiditySeconds:
  failSilentlyIfCrlExpired: false
  fetchIntervalSeconds:
  includedIssuer:
  keystoreConfig:
  retryCount:
  retryIntervalSeconds:
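
Added example (not Airlock IAM code) of the timing rules and expiry behaviour described for this plugin: a validator for the stated constraints on fetchIntervalSeconds, retryIntervalSeconds, retryCount and crlValiditySeconds, one fetch cycle with retries, and an in-memory CRL cache whose validity counts from the CRL's own update time and which follows the documented failSilentlyIfCrlExpired semantics. The sample CRL (update time and revoked serials) is constructed; "considerably larger" is read as twice the fetch interval, which is this example's choice.

```python
import datetime as dt
import logging

log = logging.getLogger("crl-status-checker")


class CertificateStatusCheckerException(Exception):
    """Raised when no usable CRL is available and failSilentlyIfCrlExpired is off."""


def validate_schedule(fetch_interval_s: int, retry_interval_s: int,
                      retry_count: int, crl_validity_s: int) -> list:
    """The constraints stated for the four timing properties."""
    problems = []
    if fetch_interval_s < 60:
        problems.append("fetchIntervalSeconds below the 60 s minimum")
    if retry_interval_s < 10:
        problems.append("retryIntervalSeconds below the 10 s minimum")
    if retry_count * retry_interval_s > fetch_interval_s:
        problems.append("retryCount * retryIntervalSeconds exceeds fetchIntervalSeconds")
    if crl_validity_s < 60:
        problems.append("crlValiditySeconds below the 60 s minimum")
    if crl_validity_s < 2 * fetch_interval_s:
        # "considerably larger" is not quantified on the page; 2x is this example's reading.
        problems.append("crlValiditySeconds not considerably larger than fetchIntervalSeconds")
    return problems


def fetch_with_retries(fetcher, retry_count: int, retry_interval_s: int):
    """One fetch cycle: attempt, then up to retry_count retries. Waiting is
    simulated by summing the delays so the cycle can be tested without sleeping.
    Returns (crl_or_None, seconds_spent_waiting)."""
    waited = 0
    for attempt in range(retry_count + 1):
        try:
            return fetcher(attempt), waited
        except Exception as exc:  # the CRL Fetcher plug-in "throws an exception"
            log.warning("CRL fetch attempt %d failed: %s", attempt, exc)
            if attempt == retry_count:
                break
            waited += retry_interval_s
    return None, waited  # give up until the next regular fetch interval


class CrlCache:
    """In-memory copy of the latest fetched CRL plus the expiry policy."""

    def __init__(self, crl_validity_s: int, fail_silently_if_expired: bool = False):
        self.validity = dt.timedelta(seconds=crl_validity_s)
        self.fail_silently = fail_silently_if_expired
        self.this_update = None
        self.revoked_serials = set()

    def update(self, this_update: dt.datetime, revoked_serials) -> None:
        self.this_update = this_update
        self.revoked_serials = set(revoked_serials)

    def expired(self, now: dt.datetime) -> bool:
        # Validity counts from the CRL's own update time, not from when it was fetched.
        return self.this_update is None or now > self.this_update + self.validity

    def is_revoked(self, serial: int, now: dt.datetime) -> bool:
        if self.expired(now):
            if self.fail_silently:
                # Documented behaviour: report every certificate as revoked and warn.
                log.warning("latest CRL expired; reporting certificate %x as revoked", serial)
                return True
            raise CertificateStatusCheckerException("latest CRL has expired")
        return serial in self.revoked_serials


def status(cache: CrlCache, serial: int, now: dt.datetime) -> str:
    """Convenience wrapper returning 'revoked', 'good' or 'error'."""
    try:
        return "revoked" if cache.is_revoked(serial, now) else "good"
    except CertificateStatusCheckerException:
        return "error"


# Constructed sample CRL content: update time and two revoked serial numbers.
SAMPLE_THIS_UPDATE = dt.datetime(2024, 1, 1, 0, 0, tzinfo=dt.timezone.utc)
SAMPLE_REVOKED = {0x1A2B, 0x3C4D}
```

Note that a CRL fetched successfully can still be expired by the checker's clock, because the validity window is anchored to the CRL's update time; that is why the page asks for a validity period well above the fetch interval.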

CRL Distribution Point Extension CRL Checker

Description
Uses the CRL distribution point extension of the certificate to determine which CRL to use. If a certificate does not provide the CRL distribution point extension, the fallbackChecker is used to check the certificate. Otherwise the CRL is obtained by the CRL obtainer and used to check the certificate. As long as the CRL is not expired, the CRL is cached in memory.
Class
com.airlock.iam.core.misc.impl.cert.crl.MultiIssuerCRLChecker
May be used by
License-Tags
ClientCertificate
Properties
CRL Obtainer (crlObtainer)
Description
Accesses newer versions of the CRL.
Attributes
Plugin-Link
Optional
License-Tags
ClientCertificate
Assignable plugins
Fallback Checker (fallbackChecker)
Description
This checker is used when the CRL distribution point extension is not available on the certificate.
Attributes
Plugin-Link
Optional
License-Tags
ClientCertificate
Assignable plugins
Eagerly Loaded URLs (eagerlyLoadedURLs)
Description
The CRLs located at these URLs are downloaded upon startup of Airlock IAM. Otherwise a CRL is downloaded once the first certificate check uses the CRL, which can cause delays during the check.
Attributes
String-List
Optional
License-Tags
ClientCertificate
Keystore Config (keystoreConfig)
Description
The keystore containing the CA certificate to verify the signature of the CRL.
Attributes
Plugin-Link
Optional
License-Tags
ClientCertificate
Assignable plugins
Factory (factory)
Description
Creates a friendly representation of the X509 Certificate. Normally, the default plugin should be used.
Attributes
Plugin-Link
Optional
License-Tags
ClientCertificate
Assignable plugins
CRL Cache (cacheRefreshInterval)
Description
Defines the interval in minutes in which the internal cache is checked for expired CRLs, which are then updated asynchronously. Note that this option has no security consequences, since an expired CRL is also updated before a check. However, this might cause delays.
Attributes
Integer
Optional
License-Tags
ClientCertificate
Default value
1
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.cert.crl.MultiIssuerCRLChecker
id: MultiIssuerCRLChecker-xxxxxx
displayName: 
comment: 
properties:
  cacheRefreshInterval: 1
  crlObtainer:
  eagerlyLoadedURLs:
  factory:
  fallbackChecker:
  keystoreConfig:

CRL HTTP Obtainer

Description
Fetches the CRL from the specified URL. Alternatively the URL can be overwritten and various other HTTP client settings can be used.
Class
com.airlock.iam.core.misc.impl.cert.crl.CrlHTTPObtainer
May be used by
License-Tags
ClientCertificate
Properties
Overwrite URL (overwriteURL)
Description
The URL to use instead of the default URL in the certificate.
Attributes
String
Optional
License-Tags
ClientCertificate
Example
https://localhost:8080/mypki/clients.crl
Example
http://crl.verisign.com/Class3InternationalServer.crl
Factory (factory)
Description
Creates a friendly representation of the X509 CRL.
Attributes
Plugin-Link
Optional
License-Tags
ClientCertificate
Assignable plugins
Basic Auth Username (basicAuthUsername)
Description
Username used to fetch the CRL when basic authentication is required to access the URL. Used in conjunction with property basic-auth-password.
Attributes
String
Optional
License-Tags
ClientCertificate
Example
johndoe
Basic Auth Password (basicAuthPassword)
Description
Password used to fetch the CRL when basic authentication is required to access the URL. Used in conjunction with property basic-auth-username.
Attributes
String
Optional
Sensitive
License-Tags
ClientCertificate
Proxy Host (proxyHost)
Description
The HTTP proxy host if connections to the specified URL must be made through an HTTP proxy.
Attributes
String
Optional
License-Tags
ClientCertificate
Example
gw.foo.bar
Example
192.168.12.13
Proxy Port (proxyPort)
Description
The HTTP proxy port if connections to the specified URL must be made through an HTTP proxy.
Attributes
Integer
Optional
License-Tags
ClientCertificate
Proxy Login User (proxyLoginUser)
Description
The user for authentication at the HTTP proxy server. Using an HTTP proxy does not necessarily require this property; this depends on the proxy configuration.
Attributes
String
Optional
License-Tags
ClientCertificate
Example
felix
Example
jdoe
Proxy Login Password (proxyLoginPassword)
Description
The password for authentication at the HTTP proxy server. Using an HTTP proxy does not necessarily require this property; this depends on the proxy configuration.
Attributes
String
Optional
Sensitive
License-Tags
ClientCertificate
Allow Only Trusted Certs (allowOnlyTrustedCerts)
Description

Only allow connections to servers whose certificate is trusted. See documentation of property "Trust Store Path" for more information about what certificates are trusted.

Security warning: Trusting all certificates allows connections to adversarial hosts. Only disable this property for testing and integration setups.

Attributes
Boolean
Optional
License-Tags
ClientCertificate
Default value
true
Verify Server Hostname (verifyServerHostname)
Description

Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

Attributes
Boolean
Optional
License-Tags
ClientCertificate
Default value
true
Trust Store Path (trustStorePath)
Description

Keystore file name containing trusted certificate issuers (and trusted certificates).

If this property is not defined the following certificate issuers are trusted:

  • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
  • The list of issuers in a keystore referenced by system property "javax.net.ssl.trustStore" if defined in instance.properties using iam.java.opts

If this property is defined then the following certificate issuers are trusted:

  • The list of issuers in the referenced truststore file and no others.

This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

Attributes
File/Path
Optional
License-Tags
ClientCertificate
Trust Store Type (trustStoreType)
Description
Identifies the type of the keystore.
Attributes
String
Optional
License-Tags
ClientCertificate
Default value
JKS
Allowed values
JKS, PKCS12
Trust Store Password (trustStorePassword)
Description
The password used to verify the authenticity of the trust store.

Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

  • JKS: the keystore can be opened and used but the integrity of the keystore is not checked.
  • PKCS12: an error occurs.

Attributes
String
Optional
Sensitive
License-Tags
ClientCertificate
Connect Timeout (connectTimeout)
Description
The connection timeout in seconds. A timeout value of zero is interpreted as an infinite timeout.
Attributes
Integer
Optional
License-Tags
ClientCertificate
Default value
5
Correlation ID Header Name (correlationIdHeaderName)
Description

When configured, every request sent carries the correlation ID in a header with the configured name. If no value or an empty value is specified, or if no correlation ID is defined for the request, the header is not sent.

Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_-]+
License-Tags
ClientCertificate
Suggested values
X-Correlation-ID
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.cert.crl.CrlHTTPObtainer
id: CrlHTTPObtainer-xxxxxx
displayName: 
comment: 
properties:
  allowOnlyTrustedCerts: true
  basicAuthPassword:
  basicAuthUsername:
  connectTimeout: 5
  correlationIdHeaderName:
  factory:
  overwriteURL:
  proxyHost:
  proxyLoginPassword:
  proxyLoginUser:
  proxyPort:
  trustStorePassword:
  trustStorePath:
  trustStoreType: JKS
  verifyServerHostname: true
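
Added example (not Airlock IAM code) mirroring the TLS and request settings of this plugin in Python's standard library: the hardened context (allowOnlyTrustedCerts and verifyServerHostname both on) beside the test-only weak one, the basic-auth and correlation-ID headers, and a fetch through an optional proxy with the documented timeout semantics. Assumptions: the trust store is a PEM bundle rather than a JKS/PKCS12 keystore (Python cannot read JKS), None means the platform trust store (the analogue of the JVM default list), and proxy login credentials are left to urllib's ProxyBasicAuthHandler.

```python
import base64
import ssl
import urllib.request


def ssl_context_for(allow_only_trusted_certs: bool = True,
                    verify_server_hostname: bool = True,
                    trust_store_path: str = None) -> ssl.SSLContext:
    """Build the TLS client context the two security warnings above describe."""
    if not allow_only_trusted_certs:
        # allowOnlyTrustedCerts=false: any server certificate is accepted, which
        # also makes hostname verification meaningless. Test/integration only.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # Assumption: trust_store_path is a PEM bundle; None = platform trust store.
    ctx = ssl.create_default_context(cafile=trust_store_path)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = verify_server_hostname
    return ctx


def describe(ctx: ssl.SSLContext) -> tuple:
    """(hostname verified?, verify mode name) for inspection."""
    return ctx.check_hostname, ctx.verify_mode.name


def basic_auth_header(username: str, password: str) -> str:
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_request(url: str, basic_auth_username=None, basic_auth_password=None,
                  correlation_id_header_name=None, correlation_id=None):
    req = urllib.request.Request(url)
    if basic_auth_username:
        req.add_header("Authorization",
                       basic_auth_header(basic_auth_username, basic_auth_password or ""))
    # Header only sent when a name is configured AND a correlation ID exists.
    if correlation_id_header_name and correlation_id:
        req.add_header(correlation_id_header_name, correlation_id)
    return req


def request_headers(req) -> dict:
    """Header names lower-cased, since urllib normalises their capitalisation."""
    return {k.lower(): v for k, v in req.header_items()}


def fetch_crl(url: str, ctx: ssl.SSLContext, proxy_host=None, proxy_port=None,
              connect_timeout: int = 5, **request_kwargs) -> bytes:
    """Download the CRL bytes. connectTimeout 0 means infinite, as on the page
    (urllib applies the value to connect and read alike)."""
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if proxy_host:
        proxy = f"http://{proxy_host}:{proxy_port}"
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    opener = urllib.request.build_opener(*handlers)
    req = build_request(url, **request_kwargs)
    with opener.open(req, timeout=connect_timeout or None) as resp:
        return resp.read()
```

Usage: fetch_crl("https://localhost:8080/mypki/clients.crl", ssl_context_for(trust_store_path="/etc/pki/crl-fetcher-ca.pem"), basic_auth_username="johndoe", basic_auth_password="...") is the hardened shape; the ssl_context_for(allow_only_trusted_certs=False) variant reproduces the "trusting all certificates" state the page warns about and should never reach a production configuration.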

Cronto Activation Possible

Description
Flow selection condition that determines whether the user can activate a Cronto device. A Cronto device activation is possible if the user either has a valid activation letter with remaining activations or, if configured, the user is allowed to activate Cronto without a letter (e.g. in migration use cases).
Class
com.airlock.iam.flow.shared.application.configuration.cronto.CrontoActivationPossibleConditionConfig
May be used by
mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step,
CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step,
Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service Flow, Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step,
User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step,
Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow,
Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
The Cronto Handler to load the user's Cronto activation letters.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Strong Authentication Tag (strongAuthenticationTag)
Description
If configured, this tag indicates strong authentication (typically two factors), and Cronto activation without a letter is then considered a possible Cronto activation method. If the tag is not configured, Cronto activation without a letter is not considered a possible Cronto activation method.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.cronto.CrontoActivationPossibleConditionConfig
id: CrontoActivationPossibleConditionConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  strongAuthenticationTag:

Cronto Activation Required

Description
Flow selection condition that selects the subflow depending on whether a Cronto activation is required. A Cronto device activation is required if the user has no (active) Cronto device and either has a valid activation letter with remaining activations or is allowed to activate Cronto without an activation letter (typically in migration use cases).
Class
com.airlock.iam.authentication.application.configuration.selection.condition.CrontoActivationRequiredConditionConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
The Cronto Handler to manage the user's Cronto devices and activation letters.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Include Inactive Devices (includeInactiveDevices)
Description
Flag to determine whether inactive devices should be included when deciding whether the user has a Cronto device.
Attributes
Boolean
Optional
Default value
false
Strong Authentication Tag (strongAuthenticationTag)
Description
If configured, this tag indicates strong authentication (typically two factors), and Cronto activation without a letter is then considered a possible Cronto activation method. If the tag is not configured, Cronto activation without a letter is not considered a possible Cronto activation method.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.selection.condition.CrontoActivationRequiredConditionConfig
id: CrontoActivationRequiredConditionConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  includeInactiveDevices: false
  strongAuthenticationTag:

Cronto Activation Step

Description
Configuration for a Cronto activation flow step.
Class
com.airlock.iam.authentication.application.configuration.cronto.CrontoActivationStepConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

Attributes
String
Optional
Length <= 23
Default value
CRONTO
Strong Authentication Tag (strongAuthenticationTag)
Description

If configured, this tag indicates strong authentication (typically two factors) and thus enables Cronto on-screen activation. The configured tag has to be obtained by an authentication step. In addition, the property "Enable On-Screen Activation" on the Cronto Handler must be enabled and all described conditions of the property must be fulfilled. This feature is typically used for migration use cases.

For security reasons, it is important to configure a strong authentication tag.

Attributes
Plugin-Link
Optional
Assignable plugins
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.cronto.CrontoActivationStepConfig
id: CrontoActivationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  authenticationMethodId: CRONTO
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  strongAuthenticationTag:
  tagsOnSuccess:

Cronto Approval Stealth Step

Description

Cronto approval stealth step for public self-service flows.

This step displays a random dummy Cronto cryptogram and classifies any response OTP as wrong. Thus, it can never be completed successfully. It is intended to avoid leaking information about users. Externally it behaves like the real Cronto approval step for public self-service flows.

This step is needed if the Cronto approval is used instead of a user verification step. Because the real Cronto approval step cannot be used for nonexistent or otherwise invalid users, a selection must be configured, using the "Public Self-Service Allowed Condition" to ensure that only users that are allowed to do public self-services enter the real Cronto step, while the other users end up in the stealth step.

Note that push and online validation have to be disabled in the real Cronto step, otherwise information would be leaked because it could behave differently for existing users (e.g. show push device selection). The configured authentication method ID must be the same as that of the real Cronto step. Also make sure the configured Flow Processors and Flow Restrictions in the public self-service flow allow nonexistent users and do not provide user feedback.

Class
com.airlock.iam.publicselfservice.application.configuration.steps.CrontoPublicSelfServiceApprovalStealthStepConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description

Handles all Cronto-specific actions.

When the Cronto app communicates directly with IAM (for online validation and push notification management), these requests are on a separate session and must therefore be handled by a separate, global Cronto Handler defined in "Cronto App Communication" in Loginapp.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

Attributes
String
Optional
Length <= 23
Default value
CRONTO
Max Response Retries (maxResponseRetries)
Description

The number of times the user may enter a wrong response before the flow is aborted (and the challenge is deleted). If set to 0, only 1 attempt is possible for each challenge.

The purpose of this setting is usability. The failed attempts counter is always increased upon receiving a wrong OTP, and the user is locked when the global failed attempts limit is exceeded.

Attributes
Integer
Optional
Default value
3
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.publicselfservice.application.configuration.steps.CrontoPublicSelfServiceApprovalStealthStepConfig
id: CrontoPublicSelfServiceApprovalStealthStepConfig-xxxxxx
displayName: 
comment: 
properties:
  authenticationMethodId: CRONTO
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  maxResponseRetries: 3
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Cronto Authentication Step

Description
Configuration for a Cronto authentication flow step.
Class
com.airlock.iam.authentication.application.configuration.cronto.CrontoAuthStepConfig
May be used by
License-Tags
Cronto
Properties
Authenticate Push Devices Only (authenticatePushDevicesOnly)
Description

If this flag is set and there is no push-enabled device for the user, authentication is not possible.

This feature may be used for mobile application logins, where showing a cryptogram on the same device is not appropriate.

Attributes
Boolean
Optional
Default value
false
Push Selection For Single Device (pushSelectionForSingleDevice)
Description
If enabled, the step also asks for push device selection if there is only one push device enabled. Since the selection always includes the "offline" option, this can be used for "app-to-app" setups, where push messages should never be sent.
Attributes
Boolean
Optional
Default value
false
Show Login ID On Push (showLoginIdOnPush)
Description

If this flag is set, a random ID is generated and shown to the user during push login.

The ID is shown on the Cronto device with the push message and on the login page, allowing the user to correlate a push message with a login session.

Attributes
Boolean
Optional
Default value
false
Message Provider (messageProvider)
Description
Message provider to create the login message.
Attributes
Plugin-Link
Optional
Assignable plugins
Cronto Handler (crontoHandler)
Description

Handles all Cronto-specific actions.

When the Cronto app communicates directly with IAM (for online validation and push notification management), these requests are on a separate session and must therefore be handled by a separate, global Cronto Handler defined in "Cronto App Communication" in Loginapp.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

Attributes
String
Optional
Length <= 23
Default value
CRONTO
Max Response Retries (maxResponseRetries)
Description

The number of times the user may enter a wrong response before the flow is aborted (and the challenge is deleted). If set to 0, only 1 attempt is possible for each challenge.

The purpose of this setting is usability only; it does not relax lockout. The failed attempts counter is always increased upon receiving a wrong OTP, and the user is locked when the global failed attempts limit is exceeded, regardless of how many retries a single challenge allows.

Attributes
Integer
Optional
Default value
3
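The shared-counter brute-force attack described under "Authentication Method ID" and the difference between per-challenge retries and the global failed attempts counter described under "Max Response Retries" can both be seen in the following Python model. This is an added example, not Airlock IAM code: the counter implementation, the reset-to-zero on success, the lock limit of 5 and the sample credentials are assumptions taken from the prose, not values of the product.

```python
"""Model of how per-method failed-attempt counters interact with flow retries.

Hypothetical illustration; not Airlock IAM code. Assumed from the prose:
a successful login resets the counter of its own authentication method to 0,
a wrong response always increments that counter, and the user is locked once
the counter reaches GLOBAL_FAILED_ATTEMPTS_LIMIT (the limit of 5 is a stand-in
for the real global setting).
"""
from dataclasses import dataclass, field

GLOBAL_FAILED_ATTEMPTS_LIMIT = 5  # assumed value of the global failed-attempts limit


@dataclass
class User:
    secrets: dict                                   # credential name -> correct response
    failed: dict = field(default_factory=dict)      # authenticationMethodId -> failed attempts
    locked: bool = False


def make_user():
    """Constructed sample user with two passwords and one Cronto device."""
    return User(secrets={"password1": "pw-one", "password2": "pw-two", "cronto": "123456"})


class AuthStep:
    """One flow step checking one credential, keyed by authenticationMethodId."""

    def __init__(self, method_id, credential, max_response_retries=3):
        self.method_id = method_id
        self.credential = credential
        self.max_response_retries = max_response_retries

    def authenticate(self, user, responses):
        """Feed the responses entered for ONE challenge.

        Returns "ok", "challenge_deleted" (retry budget exhausted, flow aborted)
        or "locked". maxResponseRetries=3 allows 4 responses per challenge.
        """
        if user.locked:
            return "locked"
        budget = self.max_response_retries + 1
        for response in responses[:budget]:
            if response == user.secrets[self.credential]:
                user.failed[self.method_id] = 0       # success resets THIS method's counter
                return "ok"
            # Every wrong response counts globally, regardless of per-challenge retries.
            user.failed[self.method_id] = user.failed.get(self.method_id, 0) + 1
            if user.failed[self.method_id] >= GLOBAL_FAILED_ATTEMPTS_LIMIT:
                user.locked = True
                return "locked"
        return "challenge_deleted"


def brute_force(user, flow_a, flow_b, known_secret, guesses):
    """Attacker who knows the credential checked by flow A guesses flow B's.

    After each wrong guess on flow B, a successful login on flow A is performed,
    which resets flow A's counter. Returns (outcome, number of guesses used).
    """
    for n, guess in enumerate(guesses, start=1):
        outcome = flow_b.authenticate(user, [guess])
        if outcome in ("ok", "locked"):
            return ("cracked" if outcome == "ok" else "locked", n)
        flow_a.authenticate(user, [known_secret])
    return ("exhausted", len(guesses))


def simulate_brute_force(shared_counter):
    """Run the attack with one shared method ID or with PASSWORD1 / PASSWORD2."""
    user = make_user()
    if shared_counter:
        flow_a = AuthStep("PASSWORD", "password1")    # misconfiguration: same ID
        flow_b = AuthStep("PASSWORD", "password2")
    else:
        flow_a = AuthStep("PASSWORD1", "password1")   # distinct IDs, distinct counters
        flow_b = AuthStep("PASSWORD2", "password2")
    guesses = ["a", "b", "c", "d", "e", "f", user.secrets["password2"]]
    return brute_force(user, flow_a, flow_b, user.secrets["password1"], guesses)


if __name__ == "__main__":
    print("shared counter:   ", simulate_brute_force(True))   # ('cracked', 7): never locked
    print("distinct counters:", simulate_brute_force(False))  # ('locked', 5)
```

With a shared ID the attacker's counter is reset after every guess and the password is eventually found; with distinct IDs the PASSWORD2 counter reaches the limit after five wrong guesses and the user is locked. The same `AuthStep` also shows the retry semantics: three wrong responses followed by the correct one within a single challenge still succeed, but every wrong response is counted, so a second challenge can lock the user even though the first one was merely deleted.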
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump while this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.cronto.CrontoAuthStepConfig
id: CrontoAuthStepConfig-xxxxxx
displayName: 
comment: 
properties:
  authenticatePushDevicesOnly: false
  authenticationMethodId: CRONTO
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  maxResponseRetries: 3
  messageProvider:
  onFailureGotos:
  preCondition:
  pushSelectionForSingleDevice: false
  requiresActivation: false
  showLoginIdOnPush: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Cronto Challenge Token Cleanup Strategy

Description
Task strategy that deletes challenge tokens which have not been consumed after a configured time.
Class
com.airlock.iam.servicecontainer.app.application.configuration.task.token.CrontoChallengeTokenCleanUpStrategyConfig
May be used by
Properties
Token Data Provider (tokenDataProvider)
Description
The token data provider plugin is used to read all tokens to be handled by this task. It should be configured to return only the tokens that this task is meant to handle.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Seconds To Keep Challenge Token (secondsToKeepChallengeToken)
Description
The number of seconds to keep a Cronto challenge token after its expiration date.
Attributes
Integer
Optional
Default value
300
YAML Template (with default values)

type: com.airlock.iam.servicecontainer.app.application.configuration.task.token.CrontoChallengeTokenCleanUpStrategyConfig
id: CrontoChallengeTokenCleanUpStrategyConfig-xxxxxx
displayName: 
comment: 
properties:
  secondsToKeepChallengeToken: 300
  tokenDataProvider:

Cronto Device Activated

Description
Event that is triggered by the activation of a Cronto device.
Class
com.airlock.iam.login.application.configuration.event.CrontoDeviceActivatedSubscribedEventConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.event.CrontoDeviceActivatedSubscribedEventConfig
id: CrontoDeviceActivatedSubscribedEventConfig-xxxxxx
displayName: 
comment: 
properties:

Cronto Device Deleted

Description
Event that is triggered by the deletion of a Cronto device.
Class
com.airlock.iam.common.application.configuration.event.CrontoDeviceDeletedSubscribedEventConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.event.CrontoDeviceDeletedSubscribedEventConfig
id: CrontoDeviceDeletedSubscribedEventConfig-xxxxxx
displayName: 
comment: 
properties:

Cronto Device List

Description
Configures the Cronto device list REST self-service. Additional self-service functionality can be configured in "Protected Self-Service Flows".
Class
com.airlock.iam.selfservice.application.configuration.token.CrontoDeviceListSelfServiceRestConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
The plugin to handle all Cronto operations.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access the Cronto device list.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access the Cronto device list without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.token.CrontoDeviceListSelfServiceRestConfig
id: CrontoDeviceListSelfServiceRestConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  crontoHandler:

Cronto Device Management UI

Description
Configures Cronto device management user interface.

Depending on the configuration, the user interface allows an authenticated user:

  • to activate a new Cronto device.
  • to order a new Cronto device activation letter.
  • to delete a Cronto device.
  • to rename a Cronto device.
  • to enable a Cronto device.
  • to disable a Cronto device.
  • to enable push for a Cronto device.
  • to disable push for a Cronto device.

The Cronto device management interface is accessible at /<loginapp-uri>/ui/app/protected/tokens/cronto/devices after user authentication.

Class
com.airlock.iam.selfservice.application.configuration.ui.tokens.CrontoDeviceManagementUiConfig
May be used by
License-Tags
Cronto
Properties
Flow To Activate Device (flowToActivateDevice)
Description
ID of the flow which is used for activating a new Cronto device. If not configured, the user will not be able to activate a new Cronto device via the management UI.
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Order Activation Letter (flowToOrderActivationLetter)
Description
ID of the flow which is used for ordering a new Cronto device activation letter. If not configured, the user will not be able to order a new activation letter via the management UI.
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Delete Device (flowToDeleteDevice)
Description
ID of the flow which is used for deletion of a Cronto device. If not configured, the user will not be able to delete a device via the management UI.
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Rename Device (flowToRenameDevice)
Description
ID of the flow which is used for renaming a Cronto device. If not configured, the user will not be able to rename a device via the management UI.
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Enable Device (flowToEnableDevice)
Description
ID of the flow which is used for enabling a Cronto device. If not configured, the user will not be able to enable a Cronto device via the management UI.
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Disable Device (flowToDisableDevice)
Description
ID of the flow which is used for disabling a Cronto device. If not configured, the user will not be able to disable a Cronto device via the management UI.
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Enable Push (flowToEnablePush)
Description
ID of the flow which is used for enabling push notifications for a Cronto device. If not configured, the user will not be able to enable Cronto Push for a device via the management UI.
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Disable Push (flowToDisablePush)
Description
ID of the flow which is used for disabling push notifications for a Cronto device. If not configured, the user will not be able to disable Cronto Push for a device via the management UI.
Attributes
Plugin-Link
Optional
Assignable plugins
Page Exit Target (pageExitTarget)
Description

If configured, an additional button is displayed on the Cronto device management page that lets the user exit it. On click, this button redirects the user to the configured target.

To redirect to a target application, redirect to the corresponding "Authentication Flow". If the flow can be skipped due to the obtained tags, the user is directly forwarded to the target application.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.ui.tokens.CrontoDeviceManagementUiConfig
id: CrontoDeviceManagementUiConfig-xxxxxx
displayName: 
comment: 
properties:
  flowToActivateDevice:
  flowToDeleteDevice:
  flowToDisableDevice:
  flowToDisablePush:
  flowToEnableDevice:
  flowToEnablePush:
  flowToOrderActivationLetter:
  flowToRenameDevice:
  pageExitTarget:

Cronto Device Management UI Redirect

Description
Redirects to the "Cronto Device Management UI".
Class
com.airlock.iam.selfservice.application.configuration.ui.tokens.CrontoDeviceManagementFlowRedirectTargetConfig
May be used by
License-Tags
Cronto
Properties
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.ui.tokens.CrontoDeviceManagementFlowRedirectTargetConfig
id: CrontoDeviceManagementFlowRedirectTargetConfig-xxxxxx
displayName: 
comment: 
properties:

Cronto Device Removal Possible

Description
Condition that determines whether the current user can remove a Cronto device. For device removal to be possible, the user needs to have at least one device. If "Allow Deleting Last Device" is disabled, at least two devices are required. This ensures that the user is still able to log in with Cronto after a device has been deleted.
Class
com.airlock.iam.selfservice.application.configuration.selection.CrontoDeviceDeletionPossibleConditionConfig
May be used by
  • mTAN Transaction Approval Step
  • Default Enable Cronto Push Flow
  • Secret Questions Identity Verification Step
  • Default mTAN Deletion Flow
  • Legacy mTAN Registration Flow
  • Set Authentication Method Migration Step
  • Advanced Migration Selection Option
  • Airlock 2FA Authentication Step
  • Complete Migration Step
  • Failure Step
  • Airlock 2FA Recovery Trusted Session Binding Step
  • Email Identity Verification Step
  • Scriptable Step
  • Custom Protected Self-Service Flow
  • Airlock 2FA Self-Service Approval Step
  • Logical NOT
  • Set Authentication Method Step
  • OTP Check via RADIUS Step
  • OAuth 2.0 SSO Step
  • Cronto Device Selection Step
  • Default Disable FIDO Credential Flow
  • FIDO Public Self-Service Approval Step
  • Cronto Transaction Approval Step
  • Email OTP Transaction Approval Step
  • Send Email Link Step
  • Vasco OTP Public Self-Service Approval Step
  • Airlock 2FA Public Self-Service Approval Step
  • mTAN Authentication Step
  • Risk Assessment Step
  • Cronto Authentication Step
  • User Data Edit Step
  • Logical OR
  • Account Link Linking Initiation Step
  • Account Link Removal Initiation Step
  • Missing Account Link Step
  • CrontoSign Swiss Push Activation Step
  • Flow Continuation Token Consumption Step
  • Email Verification Step
  • SSI Passwordless Authentication Step
  • Logical AND
  • Red Flag Raising Step Config
  • Airlock 2FA Transaction Approval Step
  • FIDO Credential Selection Step
  • On Behalf Login Identity Propagation Config
  • mTAN Number List
  • Default OAuth 2.0 Consents Delete Flow
  • Selection Step for Public Self-Service
  • OATH OTP Activation Step
  • Default mTAN Token Registration Flow
  • SSO Ticket Authentication Step
  • Enable Cronto Push Initiation Step
  • Default Account Link Removal Flow
  • Default Account Link Linking Flow
  • Condition-based Role Provider
  • Migration Selection Step
  • SSI Issuance Step
  • Legacy ID Propagation Adapter
  • OIDC Flow Condition To ACR Value Mapping
  • Phone Number Verification Step
  • mTAN Public Self-Service Approval Step
  • User Data Registration Step Config
  • Cronto Approval Stealth Step
  • Disable FIDO Credential Initiation Step
  • OAuth 2.0 Client Persisting Step
  • Selection Option For User Self-Registration
  • Delete FIDO Credential Initiation Step
  • Login From New Device Step
  • Account Linking Lists Self Services
  • OAuth 2.0 Consent Step
  • Password-only Authentication Step
  • SMS Identity Verification Step
  • Cronto Public Self-Service Approval Step
  • Set Context Data Step
  • Matrix Public Self-Service Approval Step
  • Remember-Me Token Generating Step
  • Device Token List
  • Selection Option For Self-Service Flow
  • Condition-based OAuth 2.0 Scope Condition
  • Delete Cronto Device Initiation Step
  • Kerberos Authentication Step
  • Vasco OTP Authentication Step
  • Device Token Registration Step
  • Flow Continuation Step
  • Remember-Me User Identifying Step
  • Airlock 2FA Device List
  • Password Reset Step
  • Enable FIDO Credential Initiation Step
  • Device Token Authentication Step
  • Matrix Self-Service Approval Step
  • User Identification By Data Step (Public Self-Service)
  • Cronto Activation Step
  • Email OTP Authentication Step
  • Email Change Verification Step
  • Email Notification Step
  • FIDO Self-Service Approval Step
  • OAuth 2.0 Client Registration Step
  • Airlock 2FA Activation Step
  • Airlock 2FA Device Edit Initiation Step
  • Select mTAN Token Step
  • Secret Questions Provisioning Step
  • Airlock 2FA Device Edit Step
  • Apply Changes Step
  • User Persisting Step Config
  • Start User Representation Step
  • Default OAuth 2.0 Session Deletion Flow
  • Default Cronto Device Removal Flow
  • Mandatory Password Change Step Config
  • Target URI ID Propagator
  • Disable Cronto Device Initiation Step
  • OAuth 2.0 Consent Grant Initiation Step
  • Airlock 2FA Activation Trusted Session Binding Step
  • User Unlock Step (Self-Registration)
  • Default mTAN Token Edit Flow
  • Cronto Device List
  • FIDO Registration Step
  • Delete Remember-Me Device Initiation Step
  • Transaction Approval Parameter Step
  • Default FIDO Credential Display Name Change Flow
  • User Identification Step
  • User Identification By Data Step
  • Representation SSO Ticket Identifying Step
  • Unlock User Step (Public Self-Service)
  • Airlock 2FA Usernameless Authentication Step
  • Matrix Authentication Step
  • mTAN Token Edit Step
  • Enable Cronto Device Initiation Step
  • Airlock 2FA Activation Letter Order Step
  • OAuth 2.0 Consent Deny Initiation Step
  • Tag Removal Step Config
  • FIDO Authentication Step
  • Cronto Device Reset Step Config
  • Default Disable Cronto Push Flow
  • Abort Step
  • mTAN Token Registration Step
  • Airlock 2FA Device Delete Initiation Step
  • Selection Option For Public Self-Service
  • Username Password Authentication Step
  • Certificate Credential Extraction Step Config
  • OAuth 2.0 Session List
  • Set Password Step Config
  • Flow Condition To Authentication Context Mapping
  • Password Change Self-Service Step
  • SSI Verification Step
  • Default OAuth 2.0 Consent Deny Flow
  • Device Token Identity Verification Step Config
  • Cronto Self-Service Approval Step
  • FIDO Credential List
  • Lock Self-Service Step
  • Password Letter Order Step (Public Self-Service)
  • Default Enable Cronto Device Flow
  • Airlock 2FA Delete Devices Step
  • Vasco OTP Self-Service Approval Step
  • Selection Step for User Self-Registration
  • Vasco OTP Device Activation
  • User Role Assignment Step Config
  • Default Enable FIDO Credential Flow
  • mTAN Self-Service Approval Step
  • Selection Option
  • Rename Cronto Device Step
  • OATH OTP Authentication Step
  • User Identification Step (Public Self-Service)
  • Default Cronto Device Renaming Flow
  • Delete mTAN Number Initiation Step
  • SSI Authentication Step
  • Default Disable Cronto Device Flow
  • Password Repository Mapping
  • Default Remember-Me Device Deletion Flow
  • mTAN Verification Step
  • Conditional Value Map Provider
  • FIDO Credential Display Name Change Step
  • Application Portal Target Config
  • Legacy Email OTP Authentication Step
  • Never Migrate Step
  • Selection Step for Self-Service
  • Cronto Letter Order Step Config
  • No Operation Step
  • Terms Of Services Step
  • Role-based Tag Acquisition Step
  • FIDO Passwordless Authentication Step
  • Disable Cronto Push Initiation Step
  • Stop User Representation Step
  • Acknowledge Message Step
  • HTTP Basic Authentication Step
  • Target Applications and Authentication
  • Airlock 2FA Mobile Only Authentication Step
  • Generic ID Propagator
  • Voluntary Password Change Step
  • Remember-Me Device List
  • SAML 2.0 SP User Identifying Step
  • OAuth 2.0 Consents Delete Initiation Step
  • Airlock 2FA Activation Step (with additional Activation)
  • OAuth 2.0 Consent List
  • Default OAuth 2.0 Consent Grant Flow
  • Username Generation Step Config
  • Remember-Me Reset Step
  • Default FIDO Credential Removal Flow
  • Delete OAuth 2.0 Session Initiation Step
  • OAuth 2.0 Session Reset Step
  • Selection Step
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allow Deleting Last Device (allowDeletingLastDevice)
Description
If enabled, the last device can be deleted. This can leave the user without any means to log in with Cronto again, so only enable it where another recovery path exists.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.selection.CrontoDeviceDeletionPossibleConditionConfig
id: CrontoDeviceDeletionPossibleConditionConfig-xxxxxx
displayName: 
comment: 
properties:
  allowDeletingLastDevice: false
  crontoHandler:

Cronto Device Reset Step Config

Description
A non-interactive step that deletes all Cronto devices of the user (and optionally also the Cronto account and activation letter).
Class
com.airlock.iam.flow.shared.application.configuration.cronto.CrontoDeviceResetStepConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Remove Account (removeAccount)
Description
If enabled, the Cronto account and activation letter are removed as well. This can be useful when using the CrontoEngine stack, where all letters generated from the same account are identical.
Attributes
Boolean
Optional
Default value
false
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.cronto.CrontoDeviceResetStepConfig
id: CrontoDeviceResetStepConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  onFailureGotos:
  preCondition:
  removeAccount: false
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Cronto Device Selection Step

Description
Step to select a Cronto device for further operations. E.g., this step can be followed by a Rename Cronto Device Step where the name can be edited.
Class
com.airlock.iam.selfservice.application.configuration.step.CrontoDeviceSelectionStepConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.CrontoDeviceSelectionStepConfig
id: CrontoDeviceSelectionStepConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Cronto Engine Handler

Description
Cronto functionality using the CrontoEngine implementation.
Class
com.airlock.iam.core.misc.impl.cronto.crontoengine.CrontoEngineHandler
May be used by
License-Tags
Cronto
Properties
Maximum Number Of Activated Devices (maximumNumberOfActivatedDevices)
Description
The maximum number of devices that a user can have activated simultaneously.
Attributes
Integer
Optional
Default value
8
Default Allowed Platforms (defaultAllowedPlatforms)
Description

Defines the platforms for which an activation letter can be used per default. This can always be changed by an administrator for an individual letter.

Currently, the following platform codes are supported:

  • 0: stand-alone Cronto device
  • 1: iOS
  • 2: Android
  • 3: Windows phone
  • 4: Blackberry
  • 5: rooted iOS
  • 6: rooted Android
Enter the numbers for all allowed platforms as one sequence, without spaces or commas, e.g. "012" to allow stand-alone, iOS and Android devices.

Attributes
String
Optional
Default value
01234
Platform Blacklist (platformBlacklist)
Description

Blacklist of blocked platform types. If a type is on this list, it cannot be used for login or transaction signing, and new devices of this type cannot be activated, independent of the allowed platforms in the activation letter.

Currently, the following platform codes are supported:

  • 0: stand-alone Cronto device
  • 1: iOS
  • 2: Android
  • 3: Windows phone
  • 4: Blackberry
  • 5: rooted iOS
  • 6: rooted Android
Enter the numbers for all blocked platforms as one sequence, without spaces or commas, e.g. "56" to block rooted iOS and Android devices.

Attributes
String
Optional
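As an added example (not Airlock IAM's own code), the following Python helper models the documented semantics of the two platform code strings: the one-sequence format without separators, and the rule that the blacklist applies independently of the platforms allowed by the activation letter. The function names and the lint checks are this example's own, not part of the product.

```python
"""Offline checker for Cronto platform code strings (added example, not Airlock code).

Models the documented behaviour of defaultAllowedPlatforms (per-letter allowance,
activation time only) and platformBlacklist (blocks both activation and use).
"""
from typing import List, Optional, Set

# Platform codes exactly as listed in the reference.
PLATFORM_CODES = {
    "0": "stand-alone Cronto device",
    "1": "iOS",
    "2": "Android",
    "3": "Windows phone",
    "4": "Blackberry",
    "5": "rooted iOS",
    "6": "rooted Android",
}
ROOTED = {"5", "6"}


def parse_platform_codes(value: Optional[str]) -> Set[str]:
    """Parse a sequence such as "012" into a set of platform codes.

    The reference requires one sequence without spaces or commas, so any
    separator or unknown character is rejected instead of silently dropped
    (a silently ignored "5" would widen the allowed set unnoticed).
    """
    if not value:
        return set()
    codes: Set[str] = set()
    for ch in value:
        if ch not in PLATFORM_CODES:
            raise ValueError(f"unknown or malformed platform code {ch!r} in {value!r}")
        codes.add(ch)
    return codes


def may_activate(platform: str, letter_allowed: str, blacklist: Optional[str]) -> bool:
    """Whether a device of `platform` may be activated with a letter allowing `letter_allowed`.

    The blacklist wins over the letter: a blacklisted platform is refused even if
    the letter (or the default) lists it.
    """
    if platform not in PLATFORM_CODES:
        raise ValueError(f"unknown platform {platform!r}")
    if platform in parse_platform_codes(blacklist):
        return False
    return platform in parse_platform_codes(letter_allowed)


def may_use_for_login(platform: str, blacklist: Optional[str]) -> bool:
    """Login / transaction signing with an already activated device: only the blacklist applies."""
    if platform not in PLATFORM_CODES:
        raise ValueError(f"unknown platform {platform!r}")
    return platform not in parse_platform_codes(blacklist)


def lint_handler_config(default_allowed: str, blacklist: Optional[str]) -> List[str]:
    """Return findings for a CrontoEngineHandler platform configuration (hypothetical checks)."""
    findings: List[str] = []
    allowed = parse_platform_codes(default_allowed)
    blocked = parse_platform_codes(blacklist)
    overlap = allowed & blocked
    if overlap:
        # Harmless at runtime (blacklist wins) but misleading to whoever reads the letter default.
        findings.append("default allows platforms that the blacklist blocks: " + "".join(sorted(overlap)))
    if allowed & ROOTED:
        findings.append("default letter allowance includes rooted platforms: " + "".join(sorted(allowed & ROOTED)))
    missing = ROOTED - blocked
    if missing:
        findings.append("rooted platforms are not blacklisted: " + "".join(sorted(missing)))
    if not allowed:
        findings.append("no platform is allowed by default; every letter needs manual adjustment")
    return findings


if __name__ == "__main__":
    # Constructed sample: the reference's default "01234" with and without the "56" blacklist.
    for bl in (None, "56"):
        print(f"blacklist={bl!r}: {lint_handler_config('01234', bl) or 'no findings'}")
```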
Challenge Token Lifetime [s] (challengeTokenLifetime)
Description
The lifetime in seconds of a challenge token. After the lifetime of a challenge token has expired, no successful validation with this token is possible anymore and the token is deleted upon the next verification request.
Attributes
Integer
Optional
Default value
300
Enable Push Notifications (enablePushNotifications)
Description
If this option is selected, push notifications are enabled for users with a device that supports this feature.
Attributes
Boolean
Optional
Default value
false
Bank URL Index (bankUrlIndex)
Description
Index of the bank URL hard-coded in the CrontoSign application.
Attributes
Integer
Optional
Push Notifications Reminder Period (pushNotificationsReminderPeriod)
Description
Number of Cronto device usages required before a user is asked again whether push notifications should be activated for this device. A value of "1" means that the user is asked upon every login.
Attributes
Integer
Optional
Default value
3
Service Code (serviceCode)
Description
The Cronto Service Code used to generate the Cronto challenges. If the value is empty, the Service Code of IAM is used. Normally there is no need to override this property.
Attributes
String
Optional
Sensitive
Push Notification Sender (pushNotificationSender)
Description
Plugin responsible for sending Cronto push notifications.
Attributes
Plugin-Link
Optional
Assignable plugins
Token Data Provider (tokenDataProvider)
Description
Plugin to load tokens from persistence.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Default Number of Letter Usages (defaultNumberOfActivations)
Description

Defines how many times an activation letter can be used per default to activate devices or apps. This can always be changed by an administrator for an individual letter.

Attributes
Integer
Optional
Default value
8
Default Letter Validity Time (defaultLetterValidityTime)
Description
Defines how long (how many days) an activation letter can be used per default to activate devices or apps. This can always be changed by an administrator for an individual letter. If no value is set, the validity is not limited.
Attributes
Integer
Optional
Selectable As Auth Method (selectableAsAuthMethod)
Description
Disable to prevent CrontoSign from being selected as the active authentication method.
Attributes
Boolean
Optional
Default value
true
Selectable As Next Auth Method (selectableAsNextAuthMethod)
Description
Disable to prevent CrontoSign from being selected as the next authentication method (migration).
Attributes
Boolean
Optional
Default value
true
Enable On-Screen Activation (enableOnScreenActivation)
Description
If enabled, allows users to register Cronto devices with an on-screen activation cryptogram. This is typically the case when users do not have activation letters. If on-screen activation with a letter must be possible, enable "Enable On-Screen Activation With Letter".

On-screen activation is only possible in two situations: (1) during credential migration and (2) when activating an additional device.

Attention: make sure that such an activation can only be accessed by strongly authenticated users. For this, the "Strong Authentication Tag" must be configured on the following plugins (if used):
  • Cronto Activation Step
  • Cronto Activation Possible
  • Cronto Activation Required
Attributes
Boolean
Optional
Default value
false
Enable On-Screen Activation With Letter (enableOnScreenActivationWithLetter)
Description
If enabled, allows users who have a Cronto activation letter to register Cronto devices with the activation cryptogram from the letter being displayed in the browser.

Attention: make sure that such an activation can only be accessed by strongly authenticated users (refer to the documentation of "Enable On-Screen Activation").

Attributes
Boolean
Optional
Default value
false
Available Printing Options (availableOrderOptions)
Description
If several different ways of printing the letter are needed (for example to print locally or via the central printer, or to also order a device), these printing options can be defined here. Each printing option can then be handled by a separate printing task.
Attributes
String-List
Optional
Default value
[default]
Options Resource Key Prefix (optionsResourceKeyPrefix)
Description
If this property is defined, the order options are assumed to be resource keys and are combined with the prefix defined here to display a translated version of the options. If left empty, the options are displayed as defined above.
Attributes
String
Optional
Default value
cronto-order-option.
Default Printing Options (defaultOrderOptions)
Description
Defines the default order options for a new letter (what will be set for a new letter).
Attributes
String-List
Optional
Default value
[default]
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.cronto.crontoengine.CrontoEngineHandler
id: CrontoEngineHandler-xxxxxx
displayName: 
comment: 
properties:
  availableOrderOptions: [default]
  bankUrlIndex:
  challengeTokenLifetime: 300
  defaultAllowedPlatforms: 01234
  defaultLetterValidityTime:
  defaultNumberOfActivations: 8
  defaultOrderOptions: [default]
  enableOnScreenActivation: false
  enableOnScreenActivationWithLetter: false
  enablePushNotifications: false
  maximumNumberOfActivatedDevices: 8
  optionsResourceKeyPrefix: cronto-order-option.
  platformBlacklist:
  pushNotificationSender:
  pushNotificationsReminderPeriod: 3
  selectableAsAuthMethod: true
  selectableAsNextAuthMethod: true
  serviceCode:
  tokenDataProvider:

Cronto Legacy Login Message Provider Config

Description

Provides the same Cronto login message that is created when using the "Cronto Authenticator".

This plugin exists for backward compatibility and uses the translations cronto.login-title, cronto.login-username, cronto.login-last and cronto.login-id to create a login message.

Class
com.airlock.iam.core.application.configuration.cronto.CrontoLegacyLoginMessageProviderConfig
May be used by
Properties
Username Alias (usernameAlias)
Description
Context data field for the alias that is used instead of the username in the message that is encoded in the cryptogram during login.
Attributes
Plugin-Link
Optional
Assignable plugins
Date Format (dateFormat)
Description
Date format for the "last login" information in the login message.
Attributes
String
Optional
Default value
dd.MM.yyyy HH:mm
YAML Template (with default values)

type: com.airlock.iam.core.application.configuration.cronto.CrontoLegacyLoginMessageProviderConfig
id: CrontoLegacyLoginMessageProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  dateFormat: dd.MM.yyyy HH:mm
  usernameAlias:

Cronto Letter Order Condition Config

Description
A condition to decide whether a user can order a (new) Cronto activation letter.
Class
com.airlock.iam.flow.shared.application.configuration.cronto.CrontoLetterOrderConditionConfig
May be used by
  • mTAN Transaction Approval Step
  • Default Enable Cronto Push Flow
  • Secret Questions Identity Verification Step
  • Default mTAN Deletion Flow
  • Legacy mTAN Registration Flow
  • Set Authentication Method Migration Step
  • Advanced Migration Selection Option
  • Airlock 2FA Authentication Step
  • Complete Migration Step
  • Failure Step
  • Airlock 2FA Recovery Trusted Session Binding Step
  • Email Identity Verification Step
  • Scriptable Step
  • Custom Protected Self-Service Flow
  • Airlock 2FA Self-Service Approval Step
  • Logical NOT
  • Set Authentication Method Step
  • OTP Check via RADIUS Step
  • OAuth 2.0 SSO Step
  • Cronto Device Selection Step
  • Default Disable FIDO Credential Flow
  • FIDO Public Self-Service Approval Step
  • Cronto Transaction Approval Step
  • Email OTP Transaction Approval Step
  • Send Email Link Step
  • Vasco OTP Public Self-Service Approval Step
  • Airlock 2FA Public Self-Service Approval Step
  • mTAN Authentication Step
  • Risk Assessment Step
  • Cronto Authentication Step
  • User Data Edit Step
  • Logical OR
  • Account Link Linking Initiation Step
  • Account Link Removal Initiation Step
  • Missing Account Link Step
  • CrontoSign Swiss Push Activation Step
  • Flow Continuation Token Consumption Step
  • Email Verification Step
  • SSI Passwordless Authentication Step
  • Logical AND
  • Red Flag Raising Step Config
  • Airlock 2FA Transaction Approval Step
  • FIDO Credential Selection Step
  • On Behalf Login Identity Propagation Config
  • mTAN Number List
  • Default OAuth 2.0 Consents Delete Flow
  • Selection Step for Public Self-Service
  • OATH OTP Activation Step
  • Default mTAN Token Registration Flow
  • SSO Ticket Authentication Step
  • Enable Cronto Push Initiation Step
  • Default Account Link Removal Flow
  • Default Account Link Linking Flow
  • Condition-based Role Provider
  • Migration Selection Step
  • SSI Issuance Step
  • Legacy ID Propagation Adapter
  • OIDC Flow Condition To ACR Value Mapping
  • Phone Number Verification Step
  • mTAN Public Self-Service Approval Step
  • User Data Registration Step Config
  • Cronto Approval Stealth Step
  • Disable FIDO Credential Initiation Step
  • OAuth 2.0 Client Persisting Step
  • Selection Option For User Self-Registration
  • Delete FIDO Credential Initiation Step
  • Login From New Device Step
  • Account Linking Lists Self Services
  • OAuth 2.0 Consent Step
  • Password-only Authentication Step
  • SMS Identity Verification Step
  • Cronto Public Self-Service Approval Step
  • Set Context Data Step
  • Matrix Public Self-Service Approval Step
  • Remember-Me Token Generating Step
  • Device Token List
  • Selection Option For Self-Service Flow
  • Condition-based OAuth 2.0 Scope Condition
  • Delete Cronto Device Initiation Step
  • Kerberos Authentication Step
  • Vasco OTP Authentication Step
  • Device Token Registration Step
  • Flow Continuation Step
  • Remember-Me User Identifying Step
  • Airlock 2FA Device List
  • Password Reset Step
  • Enable FIDO Credential Initiation Step
  • Device Token Authentication Step
  • Matrix Self-Service Approval Step
  • User Identification By Data Step (Public Self-Service)
  • Cronto Activation Step
  • Email OTP Authentication Step
  • Email Change Verification Step
  • Email Notification Step
  • FIDO Self-Service Approval Step
  • OAuth 2.0 Client Registration Step
  • Airlock 2FA Activation Step
  • Airlock 2FA Device Edit Initiation Step
  • Select mTAN Token Step
  • Secret Questions Provisioning Step
  • Airlock 2FA Device Edit Step
  • Apply Changes Step
  • User Persisting Step Config
  • Start User Representation Step
  • Default OAuth 2.0 Session Deletion Flow
  • Default Cronto Device Removal Flow
  • Mandatory Password Change Step Config
  • Target URI ID Propagator
  • Disable Cronto Device Initiation Step
  • OAuth 2.0 Consent Grant Initiation Step
  • Airlock 2FA Activation Trusted Session Binding Step
  • User Unlock Step (Self-Registration)
  • Default mTAN Token Edit Flow
  • Cronto Device List
  • FIDO Registration Step
  • Delete Remember-Me Device Initiation Step
  • Transaction Approval Parameter Step
  • Default FIDO Credential Display Name Change Flow
  • User Identification Step
  • User Identification By Data Step
  • Representation SSO Ticket Identifying Step
  • Unlock User Step (Public Self-Service)
  • Airlock 2FA Usernameless Authentication Step
  • Matrix Authentication Step
  • mTAN Token Edit Step
  • Enable Cronto Device Initiation Step
  • Airlock 2FA Activation Letter Order Step
  • OAuth 2.0 Consent Deny Initiation Step
  • Tag Removal Step Config
  • FIDO Authentication Step
  • Cronto Device Reset Step Config
  • Default Disable Cronto Push Flow
  • Abort Step
  • mTAN Token Registration Step
  • Airlock 2FA Device Delete Initiation Step
  • Selection Option For Public Self-Service
  • Username Password Authentication Step
  • Certificate Credential Extraction Step Config
  • OAuth 2.0 Session List
  • Set Password Step Config
  • Flow Condition To Authentication Context Mapping
  • Password Change Self-Service Step
  • SSI Verification Step
  • Default OAuth 2.0 Consent Deny Flow
  • Device Token Identity Verification Step Config
  • Cronto Self-Service Approval Step
  • FIDO Credential List
  • Lock Self-Service Step
  • Password Letter Order Step (Public Self-Service)
  • Default Enable Cronto Device Flow
  • Airlock 2FA Delete Devices Step
  • Vasco OTP Self-Service Approval Step
  • Selection Step for User Self-Registration
  • Vasco OTP Device Activation
  • User Role Assignment Step Config
  • Default Enable FIDO Credential Flow
  • mTAN Self-Service Approval Step
  • Selection Option
  • Rename Cronto Device Step
  • OATH OTP Authentication Step
  • User Identification Step (Public Self-Service)
  • Default Cronto Device Renaming Flow
  • Delete mTAN Number Initiation Step
  • SSI Authentication Step
  • Default Disable Cronto Device Flow
  • Password Repository Mapping
  • Default Remember-Me Device Deletion Flow
  • mTAN Verification Step
  • Conditional Value Map Provider
  • FIDO Credential Display Name Change Step
  • Application Portal Target Config
  • Legacy Email OTP Authentication Step
  • Never Migrate Step
  • Selection Step for Self-Service
  • Cronto Letter Order Step Config
  • No Operation Step
  • Terms Of Services Step
  • Role-based Tag Acquisition Step
  • FIDO Passwordless Authentication Step
  • Disable Cronto Push Initiation Step
  • Stop User Representation Step
  • Acknowledge Message Step
  • HTTP Basic Authentication Step
  • Target Applications and Authentication
  • Airlock 2FA Mobile Only Authentication Step
  • Generic ID Propagator
  • Voluntary Password Change Step
  • Remember-Me Device List
  • SAML 2.0 SP User Identifying Step
  • OAuth 2.0 Consents Delete Initiation Step
  • Airlock 2FA Activation Step (with additional Activation)
  • OAuth 2.0 Consent List
  • Default OAuth 2.0 Consent Grant Flow
  • Username Generation Step Config
  • Remember-Me Reset Step
  • Default FIDO Credential Removal Flow
  • Delete OAuth 2.0 Session Initiation Step
  • OAuth 2.0 Session Reset Step
  • Selection Step
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Cronto Account Required (crontoAccountRequired)
Description
If enabled, only users that already have a Cronto account are allowed to order an activation letter.
Attributes
Boolean
Optional
Default value
true
Cronto Letter Required (crontoLetterRequired)
Description
If enabled, only users that already have a Cronto activation letter are allowed to order a new letter.
Attributes
Boolean
Optional
Default value
false
Minimum Letter Order Interval [h] (minimalLetterOrderInterval)
Description

Minimum number of hours that must have passed since the last Cronto activation letter was ordered.

Setting this value to 0 removes the waiting time before an additional letter can be ordered. It is recommended to set a different value, so that a new letter cannot be ordered while another one is still being printed or delivered.

Attributes
Integer
Optional
Default value
24
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.cronto.CrontoLetterOrderConditionConfig
id: CrontoLetterOrderConditionConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoAccountRequired: true
  crontoHandler:
  crontoLetterRequired: false
  minimalLetterOrderInterval: 24

Cronto Letter Order Step Config

Description
A non-interactive step that orders a new Cronto activation letter. Existing letters for the user are deleted and can no longer be used. If the user does not yet have a Cronto account, a new account is created.
Class
com.airlock.iam.flow.shared.application.configuration.cronto.CrontoLetterOrderStepConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.cronto.CrontoLetterOrderStepConfig
id: CrontoLetterOrderStepConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Cronto Letter User Event Listener

Description
Listens to 'after insert user events'. When notified that a new user has been inserted in the persistence layer, a Cronto activation letter is ordered.
Class
com.airlock.iam.core.misc.impl.persistency.usereventbus.CrontoLetterUserEventListener
May be used by
Properties
Cronto Handler (crontoHandler)
Description
Plugin to manage a user's Cronto tokens.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Condition (condition)
Description
The condition to decide whether the event should be handled. If not configured, the event is always handled.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.usereventbus.CrontoLetterUserEventListener
id: CrontoLetterUserEventListener-xxxxxx
displayName: 
comment: 
properties:
  condition:
  crontoHandler:

Cronto Message Provider

Description
Generic provider for Cronto messages.
Class
com.airlock.iam.flow.shared.application.configuration.message.GenericCrontoMessageProviderConfig
May be used by
License-Tags
Cronto
Properties
Resource Key (resourceKey)
Description
Resource key to select the localized template to display the data. The localized template can contain variables (e.g. ${town}) and the same formatting options (including shrinking of values to fit to limited size) as are available for Transaction Approval messages.
Attributes
String
Mandatory
License-Tags
Cronto
Example
self-service.user-data-edit.approval.cronto
Example
password-reset.factors.cronto.message
Push Title Resource Key (pushTitleResourceKey)
Description
Resource key to select the localized template to display the push title. The localized template can contain variables (e.g. ${username}).
Attributes
String
Optional
License-Tags
Cronto
Default value
cronto.push.login.title
Example
cronto.push.login.title
Push Subject Resource Key (pushSubjectResourceKey)
Description
Resource key to select the localized template to display the push subject. The localized template can contain variables (e.g. ${username}).
Attributes
String
Optional
License-Tags
Cronto
Default value
cronto.push.login.subject
Example
cronto.push.login.subject
Value Providers (valueProviders)
Description
List of value map providers that are used to replace the variables in the localized template. The value providers are called in the configured order and their values are added to a map. Later providers can overwrite values from earlier providers. If no value providers are configured, the localized template should not contain any variables, since all of them would be replaced by empty strings. If available, the "Login ID" is provided under the key "login-id".
Attributes
Plugin-List
Optional
License-Tags
Cronto
Assignable plugins
Omit Empty Value Lines (omitEmptyValueLines)
Description
If enabled, lines with an empty or blank "value" part (right-hand side) after variable replacing are omitted from the message. Example: if the message contains a line Town=${town} and the "town" variable is empty, then the whole line will be omitted.
Attributes
Boolean
Optional
License-Tags
Cronto
Default value
false
Cronto Handler (crontoHandler)
Description
Cronto Handler to determine if a message is small enough to be encoded as a cryptogram. This is used for "shrinking" the growable message until it fits into a cryptogram. If it cannot be shrunk enough, an exception is thrown.
Attributes
Plugin-Link
Mandatory
License-Tags
Cronto
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.message.GenericCrontoMessageProviderConfig
id: GenericCrontoMessageProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  omitEmptyValueLines: false
  pushSubjectResourceKey: cronto.push.login.subject
  pushTitleResourceKey: cronto.push.login.title
  resourceKey:
  valueProviders:
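
The provider, replacement and shrinking rules described for this plugin (value providers merged in order, ${var} substitution, "Omit Empty Value Lines", and shrinking until the Cronto Handler accepts the message) as an added Python illustration; this is not Airlock IAM code. Only the ${var} syntax comes from the page: the Key=Value line layout, the size check standing in for the Cronto Handler, the sample providers and the halving strategy are assumptions.

```python
"""Illustration of the Cronto Message Provider rules: value providers are
merged in configured order, ${var} is replaced, lines with an empty value
part may be omitted, and values are shrunk until the message fits a
cryptogram.  Added example, not Airlock IAM code; layout, size check and
shrinking strategy are assumptions."""
import re
from typing import Callable, Dict, List, Optional

VAR = re.compile(r"\$\{([A-Za-z0-9_-]+)\}")
ValueProvider = Callable[[], Dict[str, str]]

# Constructed template and providers (assumed Key=Value layout).
TEMPLATE = "Payee=${payee}\nAmount=${amount}\nTown=${town}"
PROVIDERS: List[ValueProvider] = [
    lambda: {"payee": "ACME Corporation International Holdings",
             "amount": "CHF 120.00", "town": "Zurich"},
    lambda: {"town": ""},          # later provider overwrites 'town' with an empty value
]


def merge_values(providers: List[ValueProvider],
                 login_id: Optional[str] = None) -> Dict[str, str]:
    """Call the providers in configured order; later values overwrite earlier
    ones.  The login ID, when available, is provided under the key "login-id"."""
    values: Dict[str, str] = {}
    if login_id is not None:
        values["login-id"] = login_id
    for provider in providers:
        values.update(provider())
    return values


def render(template: str, values: Dict[str, str],
           omit_empty_value_lines: bool) -> str:
    """Replace ${var}; unknown variables become empty strings.  With
    omit_empty_value_lines, lines whose right-hand side is blank are dropped."""
    lines = []
    for line in template.splitlines():
        out = VAR.sub(lambda m: values.get(m.group(1), ""), line)
        if omit_empty_value_lines and "=" in out and not out.split("=", 1)[1].strip():
            continue
        lines.append(out)
    return "\n".join(lines)


def shrink_to_fit(template: str, values: Dict[str, str], fits: Callable[[str], bool],
                  omit_empty_value_lines: bool = False, min_len: int = 4) -> str:
    """Render and, while the size check (standing in for the Cronto Handler)
    rejects the message, halve the longest value.  Raises when nothing can be
    shrunk any further, mirroring the documented exception."""
    vals = dict(values)
    while True:
        message = render(template, vals, omit_empty_value_lines)
        if fits(message):
            return message
        key = max((k for k in vals if len(vals[k]) > min_len),
                  key=lambda k: len(vals[k]), default=None)
        if key is None:
            raise ValueError("message cannot be shrunk enough to fit into a cryptogram")
        vals[key] = vals[key][: max(min_len, len(vals[key]) // 2)].rstrip()


if __name__ == "__main__":
    merged = merge_values(PROVIDERS, login_id="alice")
    print(shrink_to_fit(TEMPLATE, merged, lambda m: len(m) <= 40,
                        omit_empty_value_lines=True))
```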

Cronto Public Self-Service Approval Step

Description

Cronto approval step for public self-service flows.

Note that unlike identity verification steps, approval steps require an existing user and cannot prevent username enumeration (no stealth mode). It is therefore important that approval steps are only used after an identity verification step.

Class
com.airlock.iam.publicselfservice.application.configuration.steps.CrontoPublicSelfServiceApprovalStepConfig
May be used by
License-Tags
Cronto
Properties
Message Provider (messageProvider)
Description
Configures how to create Cronto messages.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allow Push Devices Only (allowPushDevicesOnly)
Description

If this flag is set and there is no push-enabled device for the user, public self-service is not possible.

This feature may be used for mobile application services, where showing a cryptogram on the same device is not useful.

Attributes
Boolean
Optional
Default value
false
Push Selection For Single Device (pushSelectionForSingleDevice)
Description
If enabled, the step also asks for push device selection if there is only one push device enabled. Since the selection always includes the "offline" option, this can be used for "app-to-app" setups, where push messages should never be sent.
Attributes
Boolean
Optional
Default value
false
Cronto Handler (crontoHandler)
Description

Handles all Cronto-specific actions.

When the Cronto app communicates directly to IAM (for online validation and push notification management) these requests are on a separate session and must therefore be handled by a separate, global Cronto Handler defined in "Cronto App Communication" in Loginapp.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

Attributes
String
Optional
Length <= 23
Default value
CRONTO
Max Response Retries (maxResponseRetries)
Description

The number of times the user may enter a wrong response before the flow is aborted (and the challenge is deleted). If set to 0, only 1 attempt is possible for each challenge.

The purpose of this setting is usability. The failed attempts counter is always increased upon receiving a wrong OTP and the user is locked when the global failed attempts limit is exceeded.

Attributes
Integer
Optional
Default value
3
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.publicselfservice.application.configuration.steps.CrontoPublicSelfServiceApprovalStepConfig
id: CrontoPublicSelfServiceApprovalStepConfig-xxxxxx
displayName: 
comment: 
properties:
  allowPushDevicesOnly: false
  authenticationMethodId: CRONTO
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  maxResponseRetries: 3
  messageProvider:
  onFailureGotos:
  preCondition:
  pushSelectionForSingleDevice: false
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Cronto Push Notification Sender

Description

Configurations for sending Cronto push notifications.

Settings for Android and iOS are both optional and it is possible to configure only one of them.

IAM must be able to connect to the push servers of Google (fcm.googleapis.com) and Apple (gateway.push.apple.com or gateway.sandbox.push.apple.com). To prevent direct communication of IAM to the push servers, a proxy can be configured (see Advanced Settings).

Class
com.airlock.iam.core.misc.impl.cronto.pushnotification.CommonCrontoPushNotificationSender
May be used by
License-Tags
Cronto
Properties
Firebase Service Account JSON (firebaseServiceAccountJson)
Description

Path to the JSON file used to authenticate communication with the Google servers. This file can be obtained from the Firebase Console, or, in case of third-party Cronto apps, from the app developer.

Attributes
File/Path
Optional
iOS Authentication Certificate Path (iOsAuthenticationCertificatePath)
Description
Path of the PKCS #12 client certificate used for the communication with the server when sending push notifications to Apple iOS devices.
Attributes
File/Path
Optional
iOS Authentication Certificate Password (iOsAuthenticationCertificatePassword)
Description
Password of the PKCS #12 client certificate used for the communication with the server when sending push notifications to Apple iOS devices.
Attributes
String
Optional
Sensitive
iOS Bundle ID (iOsBundleId)
Description
The bundle ID for sending notifications to iOS. Typically the same as used for creating the iOS authentication certificate.
Attributes
String
Optional
Default value
com.vasco.digipass.DIGIPASS
Use iOS Sandbox Gateway (iOsUseSandboxGateway)
Description
Selects the Apple gateway to be used. The sandbox gateway must be used during application development. This Boolean must be consistent with the issued PKCS #12 certificate.
Attributes
Boolean
Optional
Default value
false
Show iOS Badge (showIosBadge)
Description
If enabled, the badge number on iOS is set to the number of open transactions. Otherwise no badge number is displayed.
Attributes
Boolean
Optional
Default value
true
Proxy Host (proxyHost)
Description
Name of the proxy host through which the push notifications are sent. Both HTTP and SOCKS proxy types are supported.
Attributes
String
Optional
Example
proxy.mycompany.com
Proxy Type (proxyType)
Description
Type of the proxy server.
Attributes
Enum
Optional
Default value
SOCKS
Proxy Port (proxyPort)
Description
Port of the proxy server.
Attributes
Integer
Optional
Default value
1080
Connection Timeout (connectionTimeout)
Description
Timeout (in milliseconds) after which a sending connection (HTTP or TCP connection) should be closed.
Attributes
Integer
Optional
Default value
20000
Max Number Of Threads (maxNumberOfThreads)
Description
Maximum number of threads allowed for sending push messages.
Attributes
Integer
Optional
Default value
20
Termination Timeout (terminationTimeout)
Description
Maximum time to wait (in milliseconds) when awaitSendTerminationAndFinish is called.
Attributes
Integer
Optional
Default value
60000
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.cronto.pushnotification.CommonCrontoPushNotificationSender
id: CommonCrontoPushNotificationSender-xxxxxx
displayName: 
comment: 
properties:
  connectionTimeout: 20000
  firebaseServiceAccountJson:
  iOsAuthenticationCertificatePassword:
  iOsAuthenticationCertificatePath:
  iOsBundleId: com.vasco.digipass.DIGIPASS
  iOsUseSandboxGateway: false
  maxNumberOfThreads: 20
  proxyHost:
  proxyPort: 1080
  proxyType: SOCKS
  showIosBadge: true
  terminationTimeout: 60000

Cronto Report Strategy

Description
Task strategy to create the Cronto activation letters, containing a cryptogram to activate Cronto devices and apps.
Class
com.airlock.iam.servicecontainer.app.application.configuration.task.token.CrontoReportStrategyConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Token Data Provider (tokenDataProvider)
Description
The token data provider plugin is used to read all tokens to be handled by this task. Should be configured to only return the tokens that should be handled by this task.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Report Type Short Desc (reportTypeShortDesc)
Description
Defines a short textual description of the type of the report being rendered.
The text is used in the user trail log written when a report is rendered. Specify a text like the examples below, so that it fits the structure of the log statement it is used in.
Attributes
String
Optional
Default value
UNSPECIFIED
Example
password letter
Example
keyfile accompanying report
Example
mobile number registration letter
User Store (userStore)
Description
The user store to retrieve all user data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Report Renderer (reportRenderer)
Description
Tells this task which generic renderer to use to render reports.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Barcode Generator (barcodeGenerator)
Description

Optional barcode generator. If this property is configured, a barcode image and the corresponding barcode content are added to the parameter map accessible by report templates. The following keys are defined:

  • BarcodeImage: placeholder for the barcode image.
  • BarcodeContent: placeholder for the barcode content.
  • BarcodeContentDisplay: placeholder for the barcode content in a human-readable format.

Tracking ID: If the "tracking ID" field is configured in the token data provider the generated barcode content is automatically stored in the token. This is useful for future reference, e.g., for tracking active shipments.

Attributes
Plugin-Link
Optional
Assignable plugins
Language Attribute Name (languageAttributeName)
Description
Tells the report task which attribute in the context data container contains the language to be used for rendering the password. If this property is configured and if the context data container of the user has a value for this attribute, it is used when calling the report renderer plug-in.
Attributes
String
Optional
Suggested values
language
Output Directory (outputDirectory)
Description
Directory in the file system to put the rendered reports in. The directory is either absolute or relative to the JVM's current directory.

This property is not required if the renderer plugin (see separate property) does not write to the output stream (e.g. sends the report somewhere else). It is required otherwise.

Note: If this property is not defined and the used renderer plugin writes to the output stream, then the result (e.g. a PDF file) is lost.

Attributes
File/Path
Optional
Working Directory (workingDirectory)
Description
A writable directory used to store partial reports.
If this property is defined, the credential reports are not directly generated into the output directory (see other property) but they are generated into this working directory and are moved to the output directory once they are done.
This avoids problems with processes that automatically read the rendered reports and would otherwise pick up partial reports during the generation process. Make sure that the working directory and the output directory reside in the same file system (otherwise the move of the generated file is not atomic).
The directory is either absolute or relative to the JVM's current directory.
Attributes
File/Path
Optional
Delete Old Reports (deleteOldReports)
Description
Deletes old rendered reports of a user from the file system when a new one is rendered. Setting this to TRUE results in at most one rendered report of this type per user.
Caution: This feature will delete all reports starting with the prefix configured by property "file-name-prefix" and the user's name. Thus you must make sure that different report types use different filename prefixes.
Attributes
Boolean
Optional
Default value
false
File Name Prefix (fileNamePrefix)
Description
Filename prefix for rendered report files. It is important to set this to a unique value for the kind of reports generated by this task. When this task deletes old reports, it looks at this prefix (and the user id) in order to find out which files to delete. Thus, if this prefix is the same as for other reports and they reside in the same directory, other reports may be deleted.
Do not use the prefix "pwd-" or the empty prefix if password or token-list reports are stored in the same directory. The latter is used as default for token lists (matrix card) and the former for password letters.
Attributes
String
Mandatory
Example
token-letter
Example
smartcardLetter
File Name Suffix (fileNameSuffix)
Description
Filename suffix for rendered report files. The indicated suffix is appended to the generated reports. This may be required if the files are processed (e.g. printed) by another process (manual or automatic).
Attributes
String
Mandatory
Suggested values
.pdf, .docx, .txt
Aggregate Report (aggregateReport)
Description
Optional property to describe an aggregate report over all generated reports in a batch. If none is configured, no aggregate report will be generated.
Attributes
Plugin-Link
Optional
Assignable plugins
Required Order Options (requiredOrderOptions)
Description
Order options that have to be set for this task to handle the order. Leave empty to handle all orders with the "order new" flag set. Several options can be comma-separated, in which case ALL listed options must be set for an order to be handled.
Attributes
String-List
Optional
Excluding Order Options (excludingOrderOptions)
Description
Order options that, if set, will exclude the order from being handled by this task. Leave empty to not exclude any orders. Several options can be comma-separated, in which case ANY listed option excludes the order from being handled by this task.
Attributes
String-List
Optional
YAML Template (with default values)

type: com.airlock.iam.servicecontainer.app.application.configuration.task.token.CrontoReportStrategyConfig
id: CrontoReportStrategyConfig-xxxxxx
displayName: 
comment: 
properties:
  aggregateReport:
  barcodeGenerator:
  crontoHandler:
  deleteOldReports: false
  excludingOrderOptions:
  fileNamePrefix:
  fileNameSuffix:
  languageAttributeName:
  outputDirectory:
  reportRenderer:
  reportTypeShortDesc: UNSPECIFIED
  requiredOrderOptions:
  tokenDataProvider:
  userStore:
  workingDirectory:

Cronto Self-Service Approval Step

Description
Configuration for a Cronto approval step for self-service flows. This can be used to validate self-service operations such as user data changes or registrations of additional devices. Typically, this step is configured between the step where a change is initiated and the step where the change is persisted.
Class
com.airlock.iam.selfservice.application.configuration.step.CrontoSelfServiceApprovalStepConfig
May be used by
License-Tags
Cronto
Properties
Message Provider (messageProvider)
Description
Creates the message based on the self-service operation.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allow Only Push Devices (allowOnlyPushDevices)
Description

If this flag is set and there is no push-enabled device for the user, approval is not possible.

This feature may be used for mobile application services, where showing a cryptogram on the same device is not useful.

Attributes
Boolean
Optional
Default value
false
Push Selection For Single Device (pushSelectionForSingleDevice)
Description
If enabled, the step also asks for push device selection if there is only one push device enabled. Since the selection always includes the "offline" option, this can be used for "app-to-app" setups, where push messages should never be sent.
Attributes
Boolean
Optional
Default value
false
Cronto Handler (crontoHandler)
Description

Handles all Cronto-specific actions.

When the Cronto app communicates directly to IAM (for online validation and push notification management) these requests are on a separate session and must therefore be handled by a separate, global Cronto Handler defined in "Cronto App Communication" in Loginapp.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

Attributes
String
Optional
Length <= 23
Default value
CRONTO
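
The counter-reset problem described under Authentication Method ID (the same property appears on each Cronto approval step in this reference) as an added Python model; this is not Airlock IAM code. The global lock limit of 5, the user name, the step ids and the flow labels are constructed values; `lint_method_ids` is a hypothetical configuration check over the property names used in the YAML templates above.

```python
"""Model of the per-(user, authentication method) failed-attempts counter.

Added illustration of the behaviour documented for 'Authentication Method
ID'; it is not Airlock IAM code.  The lock limit, user name, step ids and
flow labels are constructed values."""
from collections import defaultdict
from typing import Dict, List, Tuple


class FailedAttempts:
    """Failed-attempts bookkeeping keyed by (user, authentication method id).

    Documented rule: a wrong credential increments the counter of the step's
    method id, a correct one resets it to 0, and the user is locked for that
    method once the global limit is reached."""

    def __init__(self, limit: int = 5) -> None:      # assumed global limit
        self.limit = limit
        self.counts: Dict[Tuple[str, str], int] = defaultdict(int)

    def locked(self, user: str, method_id: str) -> bool:
        return self.counts[(user, method_id)] >= self.limit

    def verify(self, user: str, method_id: str, credential_ok: bool) -> bool:
        """Record one verification result; returns True if it was evaluated."""
        key = (user, method_id)
        if self.locked(user, method_id):
            return False                  # locked: the credential is not checked
        if credential_ok:
            self.counts[key] = 0          # success resets this method's counter
        else:
            self.counts[key] += 1
        return True


def guesses_evaluated(method_a: str, method_b: str, rounds: int, limit: int = 5) -> int:
    """Count wrong password-2 guesses on flow B that are actually evaluated when
    each one is followed by a legitimate password-1 login on flow A.

    With method_a == method_b the success on flow A resets the counter flow B
    relies on, so every guess is evaluated; with distinct ids flow B locks
    after `limit` wrong guesses."""
    counter = FailedAttempts(limit)
    evaluated = 0
    for _ in range(rounds):
        if not counter.verify("alice", method_b, credential_ok=False):
            break                         # flow B is locked for this user
        evaluated += 1
        counter.verify("alice", method_a, credential_ok=True)
    return evaluated


def lint_method_ids(steps: List[dict]) -> List[str]:
    """Hypothetical config check: flag step configs that share an
    authenticationMethodId or exceed the documented 23-character limit.
    `steps` are dicts using the property names of the YAML templates."""
    findings: List[str] = []
    users: Dict[str, List[str]] = defaultdict(list)
    for step in steps:
        method_id = step["authenticationMethodId"]
        if len(method_id) > 23:
            findings.append(f"{step['id']}: authenticationMethodId '{method_id}' "
                            "exceeds 23 characters")
        users[method_id].append(step["id"])
    for method_id, ids in users.items():
        if len(ids) > 1:
            findings.append(f"authenticationMethodId '{method_id}' shared by "
                            f"{', '.join(ids)}: if these steps check different "
                            "credentials, a success in one resets the failed-attempts "
                            "counter of the other")
    return findings


if __name__ == "__main__":
    print("shared id   :", guesses_evaluated("PASSWORD", "PASSWORD", 100), "guesses evaluated")
    print("distinct ids:", guesses_evaluated("PASSWORD1", "PASSWORD2", 100), "guesses evaluated")
    for finding in lint_method_ids([
        {"id": "PasswordStep-flowA", "authenticationMethodId": "PASSWORD"},
        {"id": "PasswordStep-flowB", "authenticationMethodId": "PASSWORD"},
    ]):
        print(finding)
```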
Max Response Retries (maxResponseRetries)
Description

The number of times the user may enter a wrong response before the flow is aborted (and the challenge is deleted). If set to 0, only 1 attempt is possible for each challenge.

The purpose of this setting is usability. The failed attempts counter is always increased upon receiving a wrong OTP and the user is locked when the global failed attempts limit is exceeded.

Attributes
Integer
Optional
Default value
3
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.CrontoSelfServiceApprovalStepConfig
id: CrontoSelfServiceApprovalStepConfig-xxxxxx
displayName: 
comment: 
properties:
  allowOnlyPushDevices: false
  authenticationMethodId: CRONTO
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  maxResponseRetries: 3
  messageProvider:
  onFailureGotos:
  preCondition:
  pushSelectionForSingleDevice: false
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Cronto Self-Services (Legacy)

Description
Configures the Cronto device management REST self-service.
Class
com.airlock.iam.login.rest.application.configuration.CrontoSelfServiceRestConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Manages the organization of the different Cronto tokens as well as the calls to the Cronto engine. This is usually the same handler as used by the Cronto authenticator.
Attributes
Plugin-Link
Mandatory
Assignable plugins
User Can Disable All Devices (userCanDisableAllDevices)
Description
If this option is checked, a user may disable all his Cronto devices in the Cronto device management.
Attributes
Boolean
Optional
Default value
false
Activation Session Lifetime [s] (activationSessionLifetime)
Description
The maximum allowed time (in seconds) between the first REST call for adding a new Cronto device, and the second call that verifies the OTP from the first call.
Attributes
Integer
Optional
Default value
120
User Can Order Additional Letter (userCanOrderAdditionalLetter)
Description

If this option is activated, users can order an additional activation letter, given they have already received a letter but need a new one.

The letter can be ordered on the activation page and the device management page.

Attributes
Boolean
Optional
Default value
false
Minimal New Letter Interval In Hours (minimalNewLetterIntervalInHours)
Description

Number of hours that must at least have passed since the last Cronto activation letter has been ordered. This is only used if "User can order additional letter" is activated.

Note: By setting this value to 0, no waiting time is required before an additional letter can be ordered. However, it is recommended to set a different value to prevent a letter being ordered while another one is still being printed or delivered.

Attributes
Integer
Optional
Default value
24
Provide Deactivation Challenge (provideDeactivationChallenge)
Description
If enabled, a deactivation challenge is provided after deleting a device. This challenge is used to remove the account from the app.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.login.rest.application.configuration.CrontoSelfServiceRestConfig
id: CrontoSelfServiceRestConfig-xxxxxx
displayName: 
comment: 
properties:
  activationSessionLifetime: 120
  crontoHandler:
  minimalNewLetterIntervalInHours: 24
  provideDeactivationChallenge: true
  userCanDisableAllDevices: false
  userCanOrderAdditionalLetter: false

Cronto Token Controller

Description
Plugin to manage a user's Cronto tokens.
Class
com.airlock.iam.admin.application.configuration.cronto.CrontoTokenController
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to manage a user's Cronto tokens.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Auto Order (autoOrder)
Description
Auto order an activation letter upon adding this credential to the user. Note that if no default order options are set in the Cronto Handler plugin, the letter is only generated but not printed.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.cronto.CrontoTokenController
id: CrontoTokenController-xxxxxx
displayName: 
comment: 
properties:
  autoOrder: false
  crontoHandler:

Cronto Token Service

Description
Services for Cronto tokens.
Class
com.airlock.iam.core.misc.tokenservice.CrontoTokenService
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to manage a user's Cronto tokens.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Token Data Provider (tokenDataProvider)
Description
Plugin to load Tokens from persistence.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.tokenservice.CrontoTokenService
id: CrontoTokenService-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  tokenDataProvider:

Cronto Transaction Approval Step

Description
Configuration for a Cronto transaction approval flow step.
Class
com.airlock.iam.transactionapproval.application.configuration.cronto.CrontoTransactionApprovalStepConfig
May be used by
License-Tags
Cronto
Properties
Message Provider (messageProvider)
Description
Creates the message for transaction approval.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allow Push Devices Only (authenticatePushDevicesOnly)
Description

If this flag is set and there is no push-enabled device for the user, transaction approval is not possible.

This feature may be used for mobile application approvals, where showing a cryptogram on the same device is not appropriate.

Attributes
Boolean
Optional
Default value
false
Push Selection For Single Device (pushSelectionForSingleDevice)
Description
If enabled, the step also asks for push device selection if there is only one push device enabled. Since the selection always includes the "offline" option, this can be used for "app-to-app" setups, where push messages should never be sent.
Attributes
Boolean
Optional
Default value
false
Push To All Devices (pushToAllDevices)
Description
If enabled, the step never asks for a device selection even when there is more then one push device available. To enable this feature, Allow Push Devices Only needs to be enabled and Push Selection For Single Device needs to be disabled. In case a Auth Token ID was provided, the push notification is only sent to that device.
Attributes
Boolean
Optional
Default value
false
Cronto Handler (crontoHandler)
Description

Handles all Cronto-specific actions.

When the Cronto app communicates directly with IAM (for online validation and push notification management), these requests run in a separate session and must therefore be handled by a separate, global Cronto Handler defined under "Cronto App Communication" in the Loginapp.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.
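
The counter interaction described above, as an added example that is not part of the Airlock IAM reference or its code: a small Python model of per-method failed-attempt counters (the class name, the user name and the limit of 5 are assumptions of this example) showing that with a shared Authentication Method ID a success in flow A keeps resetting the counter that flow B also uses, whereas distinct IDs let flow B's counter reach the limit and lock the user.

```python
"""Model of per-authentication-method failed-attempt counters.

Added illustration only; class, limit and user names are assumptions and
do not reflect Airlock IAM's real implementation.
"""


class FailedAttemptCounters:
    """Tracks failed attempts per (user, authentication method id)."""

    def __init__(self, limit: int):
        self.limit = limit          # assumed global failed-attempts limit
        self.counters = {}          # (user, method_id) -> failed attempts
        self.locked = set()         # users locked after reaching the limit

    def is_locked(self, user: str) -> bool:
        return user in self.locked

    def attempt(self, user: str, method_id: str, credential_ok: bool) -> bool:
        """Apply one login attempt; return True only for an accepted login.

        A successful check resets the counter of *that* method id only.
        A failed check increments it and locks the user at the limit.
        """
        if self.is_locked(user):
            return False            # locked users are rejected outright
        key = (user, method_id)
        if credential_ok:
            self.counters[key] = 0
            return True
        self.counters[key] = self.counters.get(key, 0) + 1
        if self.counters[key] >= self.limit:
            self.locked.add(user)
        return False


def simulate_guessing(shared_ids: bool, guesses: int, limit: int = 5) -> dict:
    """Flow A checks password 1, flow B checks password 2.

    The caller knows password 1 (flow A always succeeds) and keeps guessing
    password 2 wrongly in flow B, performing a flow A login before each guess.
    Returns how many wrong guesses flow B evaluated and whether the user got
    locked. 'alice' is a constructed sample user.
    """
    if shared_ids:
        method_a = method_b = "PASSWORD"          # misconfiguration
    else:
        method_a, method_b = "PASSWORD1", "PASSWORD2"   # recommended setup
    tracker = FailedAttemptCounters(limit)
    evaluated = 0
    for _ in range(guesses):
        if tracker.is_locked("alice"):
            break
        # Flow A: correct password 1 resets the counter of method_a.
        tracker.attempt("alice", method_a, credential_ok=True)
        # Flow B: wrong guess at password 2 increments the counter of method_b.
        tracker.attempt("alice", method_b, credential_ok=False)
        evaluated += 1
    return {
        "evaluated_guesses": evaluated,
        "locked": tracker.is_locked("alice"),
        "counter_b": tracker.counters.get(("alice", method_b), 0),
    }


if __name__ == "__main__":
    # Shared id: 50 wrong guesses, never locked, counter never exceeds 1.
    print("shared id:  ", simulate_guessing(shared_ids=True, guesses=50))
    # Distinct ids: user is locked after the 5th wrong guess.
    print("distinct ids:", simulate_guessing(shared_ids=False, guesses=50))
```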

Attributes
String
Optional
Length <= 23
Default value
CRONTO
Max Response Retries (maxResponseRetries)
Description

The number of times the user may enter a wrong response before the flow is aborted (and the challenge is deleted). If set to 0, only 1 attempt is possible for each challenge.

The purpose of this setting is usability. The failed attempts counter is always increased upon receiving a wrong OTP, and the user is locked when the global failed attempts limit is exceeded.

Attributes
Integer
Optional
Default value
3
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail; instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt still increment the "failed attempts" counter and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.transactionapproval.application.configuration.cronto.CrontoTransactionApprovalStepConfig
id: CrontoTransactionApprovalStepConfig-xxxxxx
displayName: 
comment: 
properties:
  authenticatePushDevicesOnly: false
  authenticationMethodId: CRONTO
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  maxResponseRetries: 3
  messageProvider:
  onFailureGotos:
  preCondition:
  pushSelectionForSingleDevice: false
  pushToAllDevices: false
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Cronto was used for login (Transaction Approval only)

Description
Flow selection condition that selects the subflow if Cronto was used for login (as determined by the authTokenId provided in a previous Transaction Approval Parameter Step).
Class
com.airlock.iam.transactionapproval.application.configuration.selection.CrontoAuthTokenIdSelectionConditionConfig
May be used by
mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
License-Tags
TransactionApproval
Properties
Selectable If Login Method Unknown (selectableIfNoAuthTokenIdPresent)
Description
If this flag is set, the condition is always true (i.e. the option is selectable) if the login method is unknown.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.transactionapproval.application.configuration.selection.CrontoAuthTokenIdSelectionConditionConfig
id: CrontoAuthTokenIdSelectionConditionConfig-xxxxxx
displayName: 
comment: 
properties:
  selectableIfNoAuthTokenIdPresent: true

CrontoSign Swiss App

Description
Allows the configuration of CrontoSign Swiss push workflows based on the Vasco stack.
Class
com.airlock.iam.core.misc.impl.cronto.pushnotification.CrontoSignSwissVascoPushAppHandler
May be used by
Properties
Push Notifications Reminder Period (pushNotificationsReminderPeriod)
Description
Number of uses of a Cronto device required before a user is asked again whether push notifications should be activated for this device.
Attributes
Integer
Optional
Default value
3
Bank URL Index (bankUrlIndex)
Description
Index of the bank URL hard-coded in the CrontoSign application.
Attributes
Integer
Mandatory
Push Notification Sender (pushNotificationSender)
Description
Plugin responsible for sending Cronto push notifications.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.cronto.pushnotification.CrontoSignSwissVascoPushAppHandler
id: CrontoSignSwissVascoPushAppHandler-xxxxxx
displayName: 
comment: 
properties:
  bankUrlIndex:
  pushNotificationSender:
  pushNotificationsReminderPeriod: 3

CrontoSign Swiss Push Activation Possible

Description

Flow condition that determines if the Cronto device used during login (or registered during the authentication flow) can be activated for push. It also considers the "Push Notification Reminder Period" property of the Cronto handler to determine if the user should already be asked again.

This condition is only useful in authentication flows and after a Cronto authentication or activation step.

Class
com.airlock.iam.flow.shared.application.configuration.cronto.CrontoPushActivationConditionConfig
May be used by
mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.cronto.CrontoPushActivationConditionConfig
id: CrontoPushActivationConditionConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:

CrontoSign Swiss Push Activation Step

Description

A step that allows push activation on the CrontoSign Swiss app.

In an authentication flow, it is typically used together with the "CrontoSign Swiss Push Activation Possible" condition, which is fulfilled if the currently used device (for login or newly registered) qualifies for push activation.

In self-service flows, it can be used without a condition, allowing the user to activate any Cronto device.

Class
com.airlock.iam.authentication.application.configuration.cronto.CrontoPushActivationStepConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable goto targets. These are steps to which the user can choose to jump while this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.cronto.CrontoPushActivationStepConfig
id: CrontoPushActivationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:
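
The step properties above (pre condition, skip condition, requires activation, dynamic step activations, on-failure gotos, tags on success) share one execution model. The following Python is an added illustration of that model, not Airlock IAM code: it runs a small flow in which a push factor step falls back to an mTAN step on EXTERNAL_SERVICE_UNAVAILABLE, and shows that an error code which counts as a failed factor attempt is still counted even when a goto target exists for it. The step IDs, the INVALID_OTP error code and the lock threshold of three attempts are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Error code the page names as the typical fallback trigger; with "Strict
# Counting" disabled it is not a failed factor attempt.
EXTERNAL_SERVICE_UNAVAILABLE = "EXTERNAL_SERVICE_UNAVAILABLE"
MAX_FAILED_ATTEMPTS = 3  # assumed lock threshold for the example


class FlowFailed(Exception):
    pass


@dataclass
class FlowState:
    activated: set = field(default_factory=set)   # dynamically activated step IDs
    tags: set = field(default_factory=set)        # tags granted via tagsOnSuccess
    failed_attempts: int = 0
    trace: list = field(default_factory=list)
    failure: Optional[str] = None
    current: object = None                        # step currently executing

    def activate(self, step_id: str) -> None:
        """A step (or a user action in it) activates a later step; only the
        targets listed in its dynamicStepActivations are allowed."""
        if step_id not in self.current.dynamic_step_activations:
            raise FlowFailed(f"{self.current.step_id} may not activate {step_id}")
        self.activated.add(step_id)


@dataclass
class Step:
    step_id: str
    execute: Callable[[FlowState], Optional[str]]   # None = success, else error code
    pre_condition: Optional[Callable[[FlowState], bool]] = None
    skip_condition: Optional[Callable[[FlowState], bool]] = None
    requires_activation: bool = False
    dynamic_step_activations: list = field(default_factory=list)
    on_failure_gotos: dict = field(default_factory=dict)     # error code -> step ID
    tags_on_success: list = field(default_factory=list)
    failed_attempt_codes: frozenset = frozenset()            # codes counted as failed factor attempts


def run_flow(steps: list) -> FlowState:
    state = FlowState()
    index = {s.step_id: i for i, s in enumerate(steps)}
    i = 0
    try:
        while i < len(steps):
            step = state.current = steps[i]
            # Unmet pre condition: the flow fails immediately, the step is not run.
            if step.pre_condition is not None and not step.pre_condition(state):
                raise FlowFailed(f"pre condition of {step.step_id} not fulfilled")
            # Not activated, or skip condition fulfilled: the step is skipped.
            if (step.requires_activation and step.step_id not in state.activated) or \
                    (step.skip_condition is not None and step.skip_condition(state)):
                state.trace.append(f"skip:{step.step_id}")
                i += 1
                continue
            error = step.execute(state)
            if error is None:
                state.tags.update(step.tags_on_success)
                state.trace.append(f"ok:{step.step_id}")
                i += 1
                continue
            # Counted before the goto is considered: a fallback route never
            # prevents the lock.
            if error in step.failed_attempt_codes:
                state.failed_attempts += 1
                if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
                    raise FlowFailed("user locked")
            target = step.on_failure_gotos.get(error)
            if target is None:
                raise FlowFailed(f"{step.step_id} failed with {error}")
            state.trace.append(f"goto:{step.step_id}->{target}")
            i = index[target]
    except FlowFailed as exc:
        state.failure = str(exc)
    return state


def demo_fallback(push_error: Optional[str]) -> FlowState:
    """Push factor with an mTAN fallback; step IDs and INVALID_OTP are hypothetical."""
    def mtan(state: FlowState) -> Optional[str]:
        state.activate("bind-device")   # e.g. the user chose to bind this device
        return None

    return run_flow([
        Step("push", execute=lambda s: push_error,
             on_failure_gotos={EXTERNAL_SERVICE_UNAVAILABLE: "mtan"},
             failed_attempt_codes=frozenset({"INVALID_OTP"}),
             tags_on_success=["factor:push"]),
        Step("mtan", execute=mtan,
             skip_condition=lambda s: "factor:push" in s.tags,
             dynamic_step_activations=["bind-device"],
             tags_on_success=["factor:mtan"]),
        Step("bind-device", execute=lambda s: None, requires_activation=True),
        Step("done", execute=lambda s: None,
             pre_condition=lambda s: bool(s.tags & {"factor:push", "factor:mtan"})),
    ])
```

demo_fallback(EXTERNAL_SERVICE_UNAVAILABLE) takes the goto route and leaves the counter at zero; demo_fallback("INVALID_OTP") increments the counter and fails the flow because no goto is configured for that code. The point to check in a real configuration is which error codes of the step count as failed attempts, since a goto target does not reset that counter.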

CSRF Token Extraction Step

Description

This plugin fetches the login page of a backend application with an HTTP GET request. It then extracts the CSRF token from the login form and stores it in the on-behalf login step context under the configured key, where subsequent steps can use it.

This on-behalf login step is typically the first step in the sequence of on-behalf login steps.

Class
com.airlock.iam.core.misc.impl.sso.onbehalflogin.CsrfFormTokenExtractionStep
May be used by
Properties
CSRF token selector (csrfTokenSelector)
Description
Collects the CSRF protection token from the web application's login page.
Attributes
Plugin-Link
Mandatory
Assignable plugins
CSRF storage key (csrfStorageKey)
Description
The extracted CSRF protection token is stored in an information storage for subsequent on-behalf login steps. This property defines the key under which the token value is stored; later on-behalf login steps reference the token value using this key.
Attributes
String
Mandatory
Example
csrftoken
Target Application Login Page URL (targetApplicationLoginPageUrl)
Description
URL of the target application's login page that this step requests.
Attributes
String
Mandatory
Example
http://foo.bar.ch/login.php
Example
https://secure.ergon.ch/auth/login
Query Parameters (queryParameters)
Description
The HTTP query parameters to be added to the target URL. This implementation supports template syntax using ${variable} in parameter values. Available variables are all values provided to the identity propagation.

If the query parameter is already defined in the target URL, the value defined through this configuration will be added to the existing values.

If the same parameter name is configured multiple times, the values will be added to the existing values in order of the configured list.

Attributes
Plugin-List
Optional
Assignable plugins
On Behalf Login Step Validator (onBehalfLoginStepValidator)
Description
An optional validator that validates the response of this step.
Attributes
Plugin-Link
Optional
Assignable plugins
Additional Headers (additionalHeaders)
Description
A list of headers to add to the standard headers of the HTTP client. It is possible to add multiple headers with the same name.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.sso.onbehalflogin.CsrfFormTokenExtractionStep
id: CsrfFormTokenExtractionStep-xxxxxx
displayName: 
comment: 
properties:
  additionalHeaders:
  csrfStorageKey:
  csrfTokenSelector:
  onBehalfLoginStepValidator:
  queryParameters:
  targetApplicationLoginPageUrl:
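
As an added example (not Airlock IAM code), the Python below models the CSRF Token Extraction Step and one later form-login step: it builds the target URL with the query parameter merging rules described above, requests the login page (here a constructed sample page through an injected fetch function), extracts a hidden form field as the CSRF token, stores it under the configured storage key and expands ${csrftoken} in the next step's form body. The field name _csrf, the variable names and the token value are constructed for the example; the login page URL is the second example URL given on the page.

```python
from html.parser import HTMLParser
from string import Template
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample of a backend login page; normally the body of the GET
# request this step performs.
SAMPLE_LOGIN_PAGE = """<html><body>
<form method="post" action="/auth/login">
  <input type="hidden" name="_csrf" value="a1b2c3d4e5f60718">
  <input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""


class HiddenInputSelector(HTMLParser):
    """Selects a hidden form field; stands in for the csrfTokenSelector plugin."""

    def __init__(self, field_name: str) -> None:
        super().__init__()
        self.field_name = field_name
        self.value: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" \
                and a.get("name") == self.field_name and self.value is None:
            self.value = a.get("value")


def build_target_url(url: str, query_parameters: List[Tuple[str, str]],
                     variables: Dict[str, str]) -> str:
    """Append configured parameters after those already in the URL; repeated
    names are appended in configured order; ${var} comes from the
    identity-propagation values."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    for name, template in query_parameters:
        pairs.append((name, Template(template).substitute(variables)))
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def csrf_extraction_step(cfg: dict, variables: Dict[str, str], storage: Dict[str, str],
                         http_get: Callable[[str, List[Tuple[str, str]]], str]) -> str:
    """First on-behalf login step: GET the login page, extract and store the token.
    http_get is injected so the example runs without a network."""
    url = build_target_url(cfg["targetApplicationLoginPageUrl"], cfg["queryParameters"], variables)
    page = http_get(url, cfg["additionalHeaders"])
    selector = HiddenInputSelector(cfg["csrfTokenSelector"])
    selector.feed(page)
    if not selector.value:   # the validator's job: fail the step, never continue blindly
        raise ValueError("CSRF token not found on login page")
    storage[cfg["csrfStorageKey"]] = selector.value
    return url


def form_login_body(form_template: Dict[str, str], variables: Dict[str, str],
                    storage: Dict[str, str]) -> Dict[str, str]:
    """A later on-behalf login step referencing the stored token via ${csrftoken}."""
    context = {**variables, **storage}
    return {k: Template(v).substitute(context) for k, v in form_template.items()}


def demo() -> Dict[str, str]:
    cfg = {   # mirrors the CsrfFormTokenExtractionStep properties
        "targetApplicationLoginPageUrl": "https://secure.ergon.ch/auth/login?lang=de",
        "queryParameters": [("lang", "en"), ("returnTo", "${targetApp}")],
        "additionalHeaders": [("User-Agent", "iam-on-behalf-login")],
        "csrfTokenSelector": "_csrf",
        "csrfStorageKey": "csrftoken",
    }
    variables = {"username": "alice", "targetApp": "portal"}
    storage: Dict[str, str] = {}
    http_get = lambda url, headers: SAMPLE_LOGIN_PAGE   # fake transport
    csrf_extraction_step(cfg, variables, storage, http_get)
    return form_login_body(
        {"user": "${username}", "pass": "${password}", "_csrf": "${csrftoken}"},
        {**variables, "password": "s3cret"}, storage)
```

Template.substitute raises a KeyError for an unknown ${variable}, which is the behaviour you want: a missing identity-propagation value should fail the on-behalf login rather than send a literal placeholder to the backend. Since the on-behalf login replays a backend credential, the target application should be reached over https in practice even though the page's first example URL uses plain http.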

CSV Renderer

Description
A renderer that creates CSV output.
Class
com.airlock.iam.core.misc.renderer.CsvRenderer
May be used by
Properties
Header Names (headerNames)
Description
Defines the header line of the CSV. Each of the strings is used as the header of the column at the same position in the list. The list may be empty if no header is to be written.
Attributes
String-List
Optional
Data Column Names (dataColumnNames)
Description
Defines the column names of the data to be written to the CSV. The columns are written in the order they have in this list. Columns that are in the data, but not defined here, will not be written.
Attributes
String-List
Mandatory
Charset (charset)
Description
Defines the character set to use when creating the CSV output.
Attributes
String
Optional
Default value
UTF-8
Allowed values
UTF-8, ISO-8859-1, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, ISO-8859-15
Field Delimiter (fieldDelimiter)
Description

This property specifies the separation character used in the generated CSV output to separate fields from each other. Usually a comma is used, but, e.g., Excel expects a semicolon. To use the generated file with Excel, use a semicolon; for most other programs, use a comma.

If the field delimiter can occur inside one of the exported fields, a text delimiter must be configured as well. Otherwise the generated CSV is malformed: a delimiter inside a value is read as an additional column.

Attributes
String
Optional
Default value
,
Suggested values
,, ;, :, |
Text Delimiter (textDelimiter)
Description
Specifies the character used to enclose the text of a single field. Such a delimiter is required if the field delimiter character is allowed to be used inside the field texts.
Attributes
String
Optional
Suggested values
", '
YAML Template (with default values)

type: com.airlock.iam.core.misc.renderer.CsvRenderer
id: CsvRenderer-xxxxxx
displayName: 
comment: 
properties:
  charset: UTF-8
  dataColumnNames:
  fieldDelimiter: ,
  headerNames:
  textDelimiter:

CSV Users Export

Description
Specifies what data to include in the export. A download button is included on the user list page. When pressed, the currently selected (filtered) users are downloaded as a CSV file.

For efficiency reasons, prefer using a "User Store Configuration" over a "User Persister Configuration".

Class
com.airlock.iam.admin.application.configuration.users.CsvUsersExportConfig
May be used by
Properties
Type (type)
Description
Valid values of this property are:
  • BASIC: The downloaded file contains only basic infos about the user (username, roles) plus the context data selected by the context keys.
  • FULL: The downloaded file contains all available data about the user plus the context data.
Attributes
Enum
Optional
Default value
BASIC
Context Keys (contextKeys)
Description
This property specifies a list of keys of the context data values to be included in the user data download file. Only values are included that the admin user is allowed to see (according to authorization settings).
Attributes
String-List
Optional
Charset (charset)
Description
Defines the character set to use when exporting the user list as CSV file.
Attributes
String
Optional
Default value
UTF-8
Allowed values
UTF-8, ISO-8859-1, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, ISO-8859-15
Separation Character (separationCharacter)
Description
This property specifies the separation character used in the generated CSV file to separate fields from each other. Usually a comma is used, but, e.g., Excel expects a semicolon. To use the generated file with Excel, use a semicolon; for most other programs, use a comma. The separator character MAY be surrounded by double quotes, e.g., the space character is specified as " ".
Attributes
String
Optional
Default value
;
Suggested values
,, ;, :, |
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.users.CsvUsersExportConfig
id: CsvUsersExportConfig-xxxxxx
displayName: 
comment: 
properties:
  charset: UTF-8
  contextKeys:
  separationCharacter: ;
  type: BASIC
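
The delimiter rules of the CSV Renderer and the CSV Users Export above are easy to get wrong when user data itself contains the separator (role lists, display names of the form "Doe, John"). The Python below is an added example, not Airlock IAM code: it renders rows with the CSV Renderer semantics (columns in dataColumnNames order, optional header, one of the allowed charsets, field and text delimiter), parses the quoted separator syntax of the CSV Users Export, and reads the output back to show the column count going wrong when no text delimiter is configured. The sample users are constructed.

```python
import csv
import io
from typing import List

# The charsets both plugins list as allowed values.
ALLOWED_CHARSETS = ("UTF-8", "ISO-8859-1", "UTF-16", "UTF-16BE", "UTF-16LE", "US-ASCII", "ISO-8859-15")

# Constructed sample rows; 'roles' and 'displayName' contain a comma on purpose.
SAMPLE_USERS = [
    {"username": "jdoe", "roles": "user,admin", "displayName": "Doe, John", "internalId": 42},
    {"username": "asmith", "roles": "user", "displayName": "Smith, Anna", "internalId": 43},
]


def parse_separation_character(spec: str) -> str:
    """CSV Users Export rule: the separator MAY be wrapped in double quotes, e.g. " " for a space."""
    if len(spec) == 3 and spec[0] == '"' and spec[2] == '"':
        return spec[1]
    if len(spec) != 1:
        raise ValueError(f"separator must be a single character, got {spec!r}")
    return spec


def unsafe_columns(rows, data_column_names, field_delimiter) -> List[str]:
    """Columns whose values contain the field delimiter: exporting them without
    a text delimiter corrupts the CSV."""
    return sorted({c for r in rows for c in data_column_names if field_delimiter in str(r.get(c, ""))})


def render_csv(rows, data_column_names, header_names=(), field_delimiter=",",
               text_delimiter=None, charset="UTF-8") -> bytes:
    if charset not in ALLOWED_CHARSETS:
        raise ValueError(f"charset {charset!r} not allowed")

    def fmt(value) -> str:
        text = "" if value is None else str(value)
        if text_delimiter is None:
            return text   # no quoting at all: a delimiter inside a value splits the row
        return text_delimiter + text.replace(text_delimiter, text_delimiter * 2) + text_delimiter

    lines = []
    if header_names:                       # header is optional
        lines.append(field_delimiter.join(fmt(h) for h in header_names))
    for row in rows:                       # columns not in dataColumnNames are dropped
        lines.append(field_delimiter.join(fmt(row.get(c)) for c in data_column_names))
    return ("\r\n".join(lines) + "\r\n").encode(charset)


def parse_csv(data: bytes, field_delimiter=",", text_delimiter=None, charset="UTF-8") -> List[List[str]]:
    """Read the output back the way a consumer would, to see how many columns it finds."""
    text = data.decode(charset)
    if text_delimiter is None:
        reader = csv.reader(io.StringIO(text), delimiter=field_delimiter, quoting=csv.QUOTE_NONE)
    else:
        reader = csv.reader(io.StringIO(text), delimiter=field_delimiter,
                            quotechar=text_delimiter, doublequote=True)
    return [row for row in reader]
```

unsafe_columns is the check to run before choosing a configuration: if it returns anything for the configured separator, either change the separator or configure a text delimiter. Note that the CSV Users Export exposes no text delimiter property, so its separator must be one that cannot appear in the exported values.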

Current Date And Time Value Provider

Description
Provides the current date and time.
Class
com.airlock.iam.common.application.configuration.valueprovider.DateAndTimeNowValueProviderConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.valueprovider.DateAndTimeNowValueProviderConfig
id: DateAndTimeNowValueProviderConfig-xxxxxx
displayName: 
comment: 
properties:

Custom CAPTCHA

Description
Requires a user to solve a custom CAPTCHA challenge.
Intended for use with a CAPTCHA server that is API-compatible with reCAPTCHA. For reCAPTCHA and hCAPTCHA, the corresponding plugins should be used instead.
This plugin configuration does not affect the Loginapp UI; the UI has to be adapted through Design Kit customization.
Class
com.airlock.iam.flow.shared.application.configuration.captcha.CustomCaptchaConfig
May be used by
Properties
Site Key (siteKey)
Description

The site key can be assumed to be public knowledge and identifies the associated CAPTCHA account.

Attributes
String
Mandatory
Secret Key (secretKey)
Description

The secret is used to validate the CAPTCHA challenge response on the custom CAPTCHA server.

Attributes
String
Mandatory
Sensitive
CAPTCHA Service URL (captchaServiceUrl)
Description
URL of the CAPTCHA service to use. The CAPTCHA validation will be performed against a CAPTCHA server with this URL. The server API must match the reCAPTCHA API.

For example, the API request for reCAPTCHA is 'https://google.com/recaptcha/api/siteverify' as POST method with the 'secret' and the user 'response' token as POST parameters.

Attributes
String
Mandatory
Enforce CAPTCHA for step (enforceCaptchaForStep)
Description
Whether a CAPTCHA solution is always required for this step. By default, a CAPTCHA solved in one step satisfies the CAPTCHA verification of subsequent steps, which then skip it. If this setting is enabled, the user must always solve the CAPTCHA in this step, regardless of whether a CAPTCHA was solved earlier, and solving it here has no effect on later CAPTCHA verifications. If this setting is disabled, no CAPTCHA is required when one was already solved in a preceding step, unless that preceding Custom CAPTCHA step had this setting enabled.
Attributes
Boolean
Optional
Default value
false
Type (type)
Description
The type is used to differentiate multiple types of CAPTCHA (reCAPTCHA, hCAPTCHA or multiple custom CAPTCHA). If you use multiple custom CAPTCHA make sure this type is unique.
Attributes
String
Optional
Default value
CUSTOM_CAPTCHA
Proxy URI (proxyUri)
Description
URI of an HTTP proxy the connector should use. If the port component of the URI is absent, the default port 8080 is assumed. If this property is left empty, no proxy is used.
Attributes
String
Optional
Example
https://proxy.company.com
Proxy Login User (proxyLoginUser)
Description
Username for the proxy if proxy authentication is used.
Attributes
String
Optional
Proxy Login Password (proxyLoginPassword)
Description
Password for the proxy if proxy authentication is used.
Attributes
String
Optional
Sensitive
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.captcha.CustomCaptchaConfig
id: CustomCaptchaConfig-xxxxxx
displayName: 
comment: 
properties:
  captchaServiceUrl:
  enforceCaptchaForStep: false
  proxyLoginPassword:
  proxyLoginUser:
  proxyUri:
  secretKey:
  siteKey:
  type: CUSTOM_CAPTCHA
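
The siteverify contract and the enforceCaptchaForStep rule above are illustrated by the following added Python, which is not Airlock IAM code. verify_captcha builds the reCAPTCHA-compatible POST with the secret and response parameters and accepts only a JSON reply whose success field is true; the CAPTCHA server is replaced by a constructed stand-in so the example runs offline. plan_captcha_checks applies the enforceCaptchaForStep rule to a sequence of steps. The service URL, keys and token values are made up for the example.

```python
import json
from dataclasses import dataclass
from typing import Callable, List, Tuple
from urllib.parse import parse_qs, urlencode


def build_siteverify_request(captcha_service_url: str, secret_key: str, user_response: str) -> dict:
    """POST to the service URL with 'secret' and 'response' as form parameters,
    the shape the page describes for the reCAPTCHA API."""
    return {
        "method": "POST",
        "url": captcha_service_url,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"secret": secret_key, "response": user_response}),
    }


def verify_captcha(cfg: dict, user_response: str,
                   transport: Callable[[dict], Tuple[int, bytes]]) -> bool:
    """Server-side check. Only the secret key is sent, never the site key, which
    is embedded in the page and public. transport is injected to run offline."""
    if not user_response:
        return False
    status, body = transport(build_siteverify_request(
        cfg["captchaServiceUrl"], cfg["secretKey"], user_response))
    if status != 200:
        return False
    try:
        result = json.loads(body)
    except ValueError:
        return False
    return result.get("success") is True   # the reCAPTCHA siteverify response field


def fake_captcha_server(valid_secret: str, solved_tokens: set) -> Callable[[dict], Tuple[int, bytes]]:
    """Constructed stand-in for a reCAPTCHA-API-compatible server."""
    def transport(request: dict) -> Tuple[int, bytes]:
        params = parse_qs(request["body"])
        ok = params.get("secret") == [valid_secret] and params.get("response", [""])[0] in solved_tokens
        return 200, json.dumps({"success": ok}).encode()
    return transport


@dataclass(frozen=True)
class CaptchaStep:
    name: str
    enforce_captcha_for_step: bool = False


def plan_captcha_checks(steps: List[CaptchaStep]) -> List[Tuple[str, bool]]:
    """Which steps demand a fresh CAPTCHA solution, assuming the user solves each
    one demanded. A solution in a step with enforceCaptchaForStep enabled counts
    for that step only; a solution in a step with it disabled satisfies all
    later steps that have it disabled."""
    plan = []
    solved_non_enforcing = False
    for step in steps:
        required = step.enforce_captcha_for_step or not solved_non_enforcing
        plan.append((step.name, required))
        if required and not step.enforce_captcha_for_step:
            solved_non_enforcing = True
    return plan
```

A step with enforceCaptchaForStep enabled as the first CAPTCHA step of a flow therefore does not relieve the following steps; if the intent is "solve once per flow", the first CAPTCHA step must have the setting disabled.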

Custom Claim (OAuth 2.0 Token Exchange)

Description
Sets the configured claim to the configured value. Note that claims with a "Registered Claim Name" (see RFC 7519, section 4.1) are not allowed.
Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtCustomClaimConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
Claim Name (claimName)
Description
The claim name. Claims with a "Registered Claim Name" (see RFC 7519) are not allowed.
Attributes
String
Mandatory
Example
username
Example
claim1
Claim Condition (claimCondition)
Description

This custom claim will only be added to the issued token if the configured condition is satisfied.

If no condition is configured, the custom claim will always be added.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtCustomClaimConfig
id: OAuth2TokenExchangeJwtCustomClaimConfig-xxxxxx
displayName: 
comment: 
properties:
  claimCondition:
  claimName:
  claimValue:

Custom Configuration-based Authentication UI

Description
User interface configuration for a configurable authentication flow step.
Class
com.airlock.iam.authentication.application.configuration.ui.ConfigurableAuthenticationStepUiConfig
May be used by
Properties
Page ID (pageId)
Description
A unique identifier of the page. This ID is used to derive the page titles with the following keys:
  • custom.page.<ID>.title.caption: to define the caption of the page
  • custom.page.<ID>.title.page: to define the HTML page title. If not set, the translation of the caption is used.
Attributes
String
Mandatory
Validation RegEx: [a-z]+(-[a-z]+)*
Step ID (stepId)
Description
The ID of the step to which this UI refers.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required Step Action (requiredStepAction)
Description
The step action that requires this UI. This must correspond to a "nextStep" that is returned in responses from flow REST calls, and that can be handled by the "Flow Step" referenced by the "Step ID" configured above. Leave empty to match all step actions (preferred method for steps with only one possible step action).
Attributes
String
Optional
Suggested values
CRONTO_DEVICE_CHOICE_REQUIRED, CRONTO_OTP_REQUIRED, MTAN_TOKEN_CHOICE_REQUIRED, MTAN_OTP_REQUIRED, CRONTO_ACTIVATION_START_REQUIRED, CRONTO_ACTIVATION_COMPLETE_REQUIRED
Initial REST Invocation (initialRestInvocation)
Description
A REST API call to execute when loading the page. The data retrieved in this call can be used to display information in UI components, e.g. by configuring the "Initial Value Query" property on supported UI elements.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.ui.ConfigurableAuthenticationStepUiConfig
id: ConfigurableAuthenticationStepUiConfig-xxxxxx
displayName: 
comment: 
properties:
  initialRestInvocation:
  pageId:
  requiredStepAction:
  stepId:
  uiElements:

Custom Configuration-based Public Self-Service UI

Description

User interface configuration for a configurable public self-service flow step.

The step is accessible by the following URI: /<loginapp-uri>/ui/app/self-service/flow/default/ext/<ID>

Class
com.airlock.iam.publicselfservice.application.configuration.ui.ConfigurablePublicSelfServiceStepUiConfig
May be used by
Properties
Page ID (pageId)
Description
A unique identifier of the page. This ID is used to derive the page titles with the following keys:
  • custom.page.<ID>.title.caption: to define the caption of the page
  • custom.page.<ID>.title.page: to define the HTML page title. If not set, the translation of the caption is used.
Attributes
String
Mandatory
Validation RegEx: [a-z]+(-[a-z]+)*
Step ID (stepId)
Description
The ID of the step to which this UI refers.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required Step Action (requiredStepAction)
Description
The step action that requires this UI. This must correspond to a "nextStep" that is returned in responses from flow REST calls, and that can be handled by the "Flow Step" referenced by the "Step ID" configured above. Leave empty to match all step actions (preferred method for steps with only one possible step action).
Attributes
String
Optional
Suggested values
CRONTO_DEVICE_CHOICE_REQUIRED, CRONTO_OTP_REQUIRED, MTAN_TOKEN_CHOICE_REQUIRED, MTAN_OTP_REQUIRED, CRONTO_ACTIVATION_START_REQUIRED, CRONTO_ACTIVATION_COMPLETE_REQUIRED
Initial REST Invocation (initialRestInvocation)
Description
A REST API call to execute when loading the page. The data retrieved in this call can be used to display information in UI components, e.g. by configuring the "Initial Value Query" property on supported UI elements.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.publicselfservice.application.configuration.ui.ConfigurablePublicSelfServiceStepUiConfig
id: ConfigurablePublicSelfServiceStepUiConfig-xxxxxx
displayName: 
comment: 
properties:
  initialRestInvocation:
  pageId:
  requiredStepAction:
  stepId:
  uiElements:

Custom Configuration-based Self-Service UI

Description

User interface configuration for a configurable protected self-service flow step.

The step is accessible by the following URI: /<loginapp-uri>/ui/app/protected/flow/<FLOW_ID>/ext/<ID>

Class
com.airlock.iam.selfservice.application.configuration.ui.ConfigurableSelfServiceStepUiConfig
May be used by
Properties
Page ID (pageId)
Description
A unique identifier of the page. This ID is used to derive the page titles with the following keys:
  • custom.page.<ID>.title.caption: to define the caption of the page
  • custom.page.<ID>.title.page: to define the HTML page title. If not set, the translation of the caption is used.
Attributes
String
Mandatory
Validation RegEx: [a-z]+(-[a-z]+)*
Step ID (stepId)
Description
The ID of the step to which this UI refers.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required Step Action (requiredStepAction)
Description
The step action that requires this UI. This must correspond to a "nextStep" that is returned in responses from flow REST calls, and that can be handled by the "Flow Step" referenced by the "Step ID" configured above. Leave empty to match all step actions (preferred method for steps with only one possible step action).
Attributes
String
Optional
Suggested values
CRONTO_DEVICE_CHOICE_REQUIRED, CRONTO_OTP_REQUIRED, MTAN_TOKEN_CHOICE_REQUIRED, MTAN_OTP_REQUIRED, CRONTO_ACTIVATION_START_REQUIRED, CRONTO_ACTIVATION_COMPLETE_REQUIRED
Initial REST Invocation (initialRestInvocation)
Description
A REST API call to execute when loading the page. The data retrieved in this call can be used to display information in UI components, e.g. by configuring the "Initial Value Query" property on supported UI elements.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.ui.ConfigurableSelfServiceStepUiConfig
id: ConfigurableSelfServiceStepUiConfig-xxxxxx
displayName: 
comment: 
properties:
  initialRestInvocation:
  pageId:
  requiredStepAction:
  stepId:
  uiElements:

Custom Configuration-based User Self-Registration UI

Description

User interface configuration for a configurable user self-registration flow step.

The step is accessible by the following URI: /<loginapp-uri>/ui/app/registration/flow/<FLOW_ID>/ext/<ID>

Class
com.airlock.iam.userselfreg.application.configuration.ui.ConfigurableUserSelfRegStepUiConfig
May be used by
License-Tags
SelfRegistration
Properties
Page ID (pageId)
Description
A unique identifier of the page. This ID is used to derive the page titles with the following keys:
  • custom.page.<ID>.title.caption: to define the caption of the page
  • custom.page.<ID>.title.page: to define the HTML page title. If not set, the translation of the caption is used.
Attributes
String
Mandatory
Validation RegEx: [a-z]+(-[a-z]+)*
Step ID (stepId)
Description
The ID of the step to which this UI refers.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required Step Action (requiredStepAction)
Description
The step action that requires this UI. This must correspond to a "nextStep" that is returned in responses from flow REST calls, and that can be handled by the "Flow Step" referenced by the "Step ID" configured above. Leave empty to match all step actions (preferred method for steps with only one possible step action).
Attributes
String
Optional
Suggested values
CRONTO_DEVICE_CHOICE_REQUIRED, CRONTO_OTP_REQUIRED, MTAN_TOKEN_CHOICE_REQUIRED, MTAN_OTP_REQUIRED, CRONTO_ACTIVATION_START_REQUIRED, CRONTO_ACTIVATION_COMPLETE_REQUIRED
Initial REST Invocation (initialRestInvocation)
Description
A REST API call to execute when loading the page. The data retrieved in this call can be used to display information in UI components, e.g. by configuring the "Initial Value Query" property on supported UI elements.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.userselfreg.application.configuration.ui.ConfigurableUserSelfRegStepUiConfig
id: ConfigurableUserSelfRegStepUiConfig-xxxxxx
displayName: 
comment: 
properties:
  initialRestInvocation:
  pageId:
  requiredStepAction:
  stepId:
  uiElements:

Custom Flow Processors

Description

Allows configuring custom processors for any kind of flow.

Security Warning: For advanced users only. A custom processor configuration may change the behavior of, e.g., counting of failed logins, user locking and user validity checks. Using this advanced option may therefore have major security implications. Only use this option if you understand how to achieve a secure processor configuration.

Class
com.airlock.iam.flow.application.configuration.processor.CustomFlowProcessorsConfig
May be used by
Properties
Processors (processors)
Description

Custom list of processors that are applied in the configured order.

It is crucial to understand that a faulty processor configuration leads to an insecure system. Unless the consequences are well understood, it is recommended to work with the respective default processors plugin provided for the flow type in question. Please read its documentation to know which processors it uses internally. Also read the plugin documentations of the individual processors, in particular to understand which processors are combinable and if so in which order.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.application.configuration.processor.CustomFlowProcessorsConfig
id: CustomFlowProcessorsConfig-xxxxxx
displayName: 
comment: 
properties:
  processors:

Custom JavaScript-based Authentication UI

Description

User interface configuration for a custom JavaScript authentication flow step.

The step is accessible by the following URI: /<loginapp-uri>/ui/app/auth/flow/<FLOW_ID>/ext/<ID>

Class
com.airlock.iam.authentication.application.configuration.ui.CustomJavaScriptAuthenticationStepUiConfig
May be used by
Properties
Page ID (pageId)
Description
A unique identifier of the page. This ID is used to derive the page titles with the following keys:
  • custom.page.<ID>.title.caption: to define the caption of the page
  • custom.page.<ID>.title.page: to define the HTML page title. If not set, the translation of the caption is used.
Attributes
String
Mandatory
Validation RegEx: [a-z]+(-[a-z]+)*
Step ID (stepId)
Description
The ID of the step to which this UI refers.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required Step Action (requiredStepAction)
Description
The step action that requires this UI. This must correspond to a "nextStep" that is returned in responses from flow REST calls, and that can be handled by the "Flow Step" referenced by the "Step ID" configured above. Leave empty to match all step actions (preferred method for steps with only one possible step action).
Attributes
String
Optional
Suggested values
CRONTO_DEVICE_CHOICE_REQUIRED, CRONTO_OTP_REQUIRED, MTAN_TOKEN_CHOICE_REQUIRED, MTAN_OTP_REQUIRED, CRONTO_ACTIVATION_START_REQUIRED, CRONTO_ACTIVATION_COMPLETE_REQUIRED
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.ui.CustomJavaScriptAuthenticationStepUiConfig
id: CustomJavaScriptAuthenticationStepUiConfig-xxxxxx
displayName: 
comment: 
properties:
  pageId:
  requiredStepAction:
  stepId:

Custom JavaScript-based Public Self-Service UI

Description

User interface configuration for a custom JavaScript public self-service flow step.

The step is accessible by the following URI: /<loginapp-uri>/ui/app/self-service/flow/default/ext/<ID>

Class
com.airlock.iam.publicselfservice.application.configuration.ui.CustomJavaScriptPublicSelfServiceStepUiConfig
May be used by
Properties
Page ID (pageId)
Description
A unique identifier of the page. This ID is used to derive the page titles with the following keys:
  • custom.page.<ID>.title.caption: to define the caption of the page
  • custom.page.<ID>.title.page: to define the HTML page title. If not set, the translation of the caption is used.
Attributes
String
Mandatory
Validation RegEx: [a-z]+(-[a-z]+)*
Step ID (stepId)
Description
The ID of the step to which this UI refers.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required Step Action (requiredStepAction)
Description
The step action that requires this UI. This must correspond to a "nextStep" that is returned in responses from flow REST calls, and that can be handled by the "Flow Step" referenced by the "Step ID" configured above. Leave empty to match all step actions (preferred method for steps with only one possible step action).
Attributes
String
Optional
Suggested values
CRONTO_DEVICE_CHOICE_REQUIRED, CRONTO_OTP_REQUIRED, MTAN_TOKEN_CHOICE_REQUIRED, MTAN_OTP_REQUIRED, CRONTO_ACTIVATION_START_REQUIRED, CRONTO_ACTIVATION_COMPLETE_REQUIRED
YAML Template (with default values)

type: com.airlock.iam.publicselfservice.application.configuration.ui.CustomJavaScriptPublicSelfServiceStepUiConfig
id: CustomJavaScriptPublicSelfServiceStepUiConfig-xxxxxx
displayName: 
comment: 
properties:
  pageId:
  requiredStepAction:
  stepId:

Custom JavaScript-based Self-Service UI

Description

User interface configuration for a custom JavaScript self-service flow step.

The step is accessible by the following URI: /<loginapp-uri>/ui/app/protected/flow/<FLOW_ID>/ext/<ID>

Class
com.airlock.iam.selfservice.application.configuration.ui.CustomJavaScriptSelfServiceStepUiConfig
May be used by
Properties
Page ID (pageId)
Description
A unique identifier of the page. This ID is used to derive the page titles with the following keys:
  • custom.page.<ID>.title.caption: to define the caption of the page
  • custom.page.<ID>.title.page: to define the HTML page title. If not set, the translation of the caption is used.
Attributes
String
Mandatory
Validation RegEx: [a-z]+(-[a-z]+)*
Step ID (stepId)
Description
The ID of the step to which this UI refers.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required Step Action (requiredStepAction)
Description
The step action that requires this UI. This must correspond to a "nextStep" that is returned in responses from flow REST calls, and that can be handled by the "Flow Step" referenced by the "Step ID" configured above. Leave empty to match all step actions (preferred method for steps with only one possible step action).
Attributes
String
Optional
Suggested values
CRONTO_DEVICE_CHOICE_REQUIRED, CRONTO_OTP_REQUIRED, MTAN_TOKEN_CHOICE_REQUIRED, MTAN_OTP_REQUIRED, CRONTO_ACTIVATION_START_REQUIRED, CRONTO_ACTIVATION_COMPLETE_REQUIRED
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.ui.CustomJavaScriptSelfServiceStepUiConfig
id: CustomJavaScriptSelfServiceStepUiConfig-xxxxxx
displayName: 
comment: 
properties:
  pageId:
  requiredStepAction:
  stepId:

Custom JavaScript-based User Self-Registration UI

Description

User interface configuration for a custom JavaScript user self-registration flow step.

The step is accessible by the following URI: /<loginapp-uri>/ui/app/registration/flow/<FLOW_ID>/ext/<ID>

Class
com.airlock.iam.userselfreg.application.configuration.ui.CustomJavaScriptUserSelfRegStepUiConfig
May be used by
License-Tags
SelfRegistration
Properties
Page ID (pageId)
Description
A unique identifier of the page. This ID is used to derive the page titles with the following keys:
  • custom.page.<ID>.title.caption: to define the caption of the page
  • custom.page.<ID>.title.page: to define the HTML page title. If not set, the translation from the caption is used.
Attributes
String
Mandatory
Validation RegEx: [a-z]+(-[a-z]+)*
Step ID (stepId)
Description
The ID of the step to which this UI is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required Step Action (requiredStepAction)
Description
The step action that requires this UI. This must correspond to a "nextStep" that is returned in responses from flow REST calls, and that can be handled by the "Flow Step" referenced by the "Step ID" configured above. Leave empty to match all step actions (preferred method for steps with only one possible step action).
Attributes
String
Optional
Suggested values
CRONTO_DEVICE_CHOICE_REQUIRED, CRONTO_OTP_REQUIRED, MTAN_TOKEN_CHOICE_REQUIRED, MTAN_OTP_REQUIRED, CRONTO_ACTIVATION_START_REQUIRED, CRONTO_ACTIVATION_COMPLETE_REQUIRED
YAML Template (with default values)

type: com.airlock.iam.userselfreg.application.configuration.ui.CustomJavaScriptUserSelfRegStepUiConfig
id: CustomJavaScriptUserSelfRegStepUiConfig-xxxxxx
displayName: 
comment: 
properties:
  pageId:
  requiredStepAction:
  stepId:

Custom Protected Self-Service Flow

Description
Configuration for a custom protected self-service flow.
Class
com.airlock.iam.selfservice.application.configuration.flow.CustomProtectedSelfServiceFlowConfig
May be used by
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Steps (steps)
Description
Steps of the flow.
Attributes
Plugin-List
Mandatory
Assignable plugins
Abort Step Account Link Linking Initiation Step Account Link Removal Initiation Step Acknowledge Message Step Airlock 2FA Activation Step Airlock 2FA Activation Trusted Session Binding Step Airlock 2FA Delete Devices Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Edit Initiation Step Airlock 2FA Device Edit Step Airlock 2FA Recovery Trusted Session Binding Step Airlock 2FA Self-Service Approval Step Apply Changes Step Cronto Activation Step Cronto Device Reset Step Config Cronto Device Selection Step Cronto Letter Order Step Config Cronto Self-Service Approval Step CrontoSign Swiss Push Activation Step Delete Cronto Device Initiation Step Delete FIDO Credential Initiation Step Delete OAuth 2.0 Session Initiation Step Delete Remember-Me Device Initiation Step Delete mTAN Number Initiation Step Device Token Registration Step Disable Cronto Device Initiation Step Disable Cronto Push Initiation Step Disable FIDO Credential Initiation Step Email Change Verification Step Email Notification Step Enable Cronto Device Initiation Step Enable Cronto Push Initiation Step Enable FIDO Credential Initiation Step FIDO Credential Display Name Change Step FIDO Credential Selection Step FIDO Registration Step FIDO Self-Service Approval Step Failure Step Lock Self-Service Step Matrix Self-Service Approval Step No Operation Step OATH OTP Activation Step OAuth 2.0 Consent Deny Initiation Step OAuth 2.0 Consent Grant Initiation Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Session Reset Step Password Change Self-Service Step Remember-Me Reset Step Rename Cronto Device Step SSI Issuance Step Scriptable Step Select mTAN Token Step Selection Step for Self-Service Set Context Data Step Start User Representation Step Stop User Representation Step Tag Removal Step Config User Data Edit Step Vasco OTP Device Activation Vasco OTP Self-Service Approval Step mTAN Self-Service Approval Step mTAN Token Edit Step mTAN Token Registration Step mTAN Verification Step
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Persistency-less (persistencyless)
Description

If enabled, this flow does not consider persistency, i.e. users don't have to exist locally in order to use a self-service. This is typically used with SSO tickets or external authentication using OAuth or SAML.

Persistency-less flows are very limited in their capabilities, in particular:

  • The user state (locked, invalid etc.) cannot be verified.
  • Flow steps editing user data will complete without failure but changed data is lost.

Note that configuration validation support is limited. It is essential to test such a flow extensively to ensure it behaves correctly in all situations.

It is recommended to use the "Default Persistency-less Protected Self-Service Processors" when using a persistency-less flow.

Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.CustomProtectedSelfServiceFlowConfig
id: CustomProtectedSelfServiceFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  flowId:
  persistencyless: false
  processors:
  steps:

Custom Public Self-Service Restrictions

Description

Custom configuration for public self-service restrictions.

See the plugin descriptions of "Default Password Reset Restrictions" or "Default Self-Unlock Restrictions" to determine reasonable sets of restrictions.

Class
com.airlock.iam.publicselfservice.application.configuration.restrictions.CustomPublicSelfServiceRestrictionsConfig
May be used by
Properties
Restrictions (restrictions)
Description

Restrictions define which users are allowed to perform a public self-service. These restrictions are checked in the configured order and after the first restriction disallows public self-service, no further checks are performed.

Security Warning: We recommend using at least the restrictions provided by the "Default Password Reset Restrictions". Omitting these restrictions may allow public self-service for unauthorized (e.g. locked or invalid) users. The "Nonexistent User Restriction" is probably always needed and should be the first restriction in the list.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.publicselfservice.application.configuration.restrictions.CustomPublicSelfServiceRestrictionsConfig
id: CustomPublicSelfServiceRestrictionsConfig-xxxxxx
displayName: 
comment: 
properties:
  restrictions:

Custom User Persister-based User Store Provider

Description
This is a user store implementation that emulates the new user store interface for large numbers of users with existing plugins.
Class
com.airlock.iam.core.application.configuration.store.user.CustomUserPersisterBasedUserStoreProvider
May be used by
Properties
User Persister (userPersister)
Description
A user persister that will be used to retrieve and update users. Expects the persister to be an extended persister. Logs a warning if this is not the case.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.application.configuration.store.user.CustomUserPersisterBasedUserStoreProvider
id: CustomUserPersisterBasedUserStoreProvider-xxxxxx
displayName: 
comment: 
properties:
  userPersister:

Customizable Device List

Description
This plugin starts with all of a user's Airlock 2FA devices and allows you to narrow down the list using customizable filters. The filters are applied in sequence, with each step only keeping the devices that match the current filter. For example, applying a 'Hardware Device' filter first, followed by a 'Most Recently Registered' filter, will return only the most recently registered hardware device.

In case no Airlock 2FA account is associated with the current user, no device IDs are returned.

Class
com.airlock.iam.airlock2fa.application.configuration.provider.CustomizableAirlock2FADeviceIdsProviderConfig
May be used by
License-Tags
Airlock2FA
Properties
Device Filter Sequence (deviceFilters)
Description
In case not all device IDs should be returned, restrictions can be defined using this property.

A device will only be returned by this provider in case it passes all the filtering steps defined by this sequence. An example is given in the plugin documentation.

Note: No configured predicate (default) means all device IDs of the user will be returned.

Note: Generally, combining the device filters using a "Logical AND Device Condition", and configuring it as a single filter is not equivalent to using a list of filters.

Attributes
Plugin-List
Optional
Assignable plugins
Airlock 2FA Settings (airlock2FASettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.application.configuration.provider.CustomizableAirlock2FADeviceIdsProviderConfig
id: CustomizableAirlock2FADeviceIdsProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:
  deviceFilters:

Customizable Identity Generator

Description
Generate a random identity from a customizable pattern of fixed and random components.
Class
com.airlock.iam.common.application.configuration.user.CustomizableIdentityGenerator
May be used by
Properties
Pattern (pattern)
Description

The pattern for the identity creation.

Syntax:
pattern = fix_part | random_part [fix_part | random_part]*
random_part = {alphabet_name:number_of_characters}
fix_part = any_string_without_'{'

Custom alphabets can be configured below; built in alphabets are:

  • "digits" all decimal digits (i.e. the characters 0123456790)
  • "lower26" standard alphabet with 26 lower chars (i.e. the characters abcdefghijklmnopqrstuvwxyz)
  • "upper26" standard alphabet with 26 upper chars (i.e. the characters ABCDEFGHIJKLMNOPQRSTUVWXYZ)
  • "alpha52" standard alphabet with 26 upper and 26 lower chars (i.e. the characters ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz)
  • "distinct" distinct standard signs: digits, upper and lower case letter without the hard to distinguish '0,O,1,l,I' (i.e. the characters 23456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ)
  • "DISTINCT" distinct standard uppercase signs: digits and upper case letter without the hard to distinguish '0,O,1,I' (i.e. the characters 23456789ABCDEFGHJKLMNPQRSTUVWXYZ)
  • "extended" contains most of the signs visible on a computer keyboard without the hard to distinguish '0,O,1,l,I' (i.e. the characters +-.,:;$<>()[]{}%&!?/*@#=_23456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ)
    NOTE: Characters in this pattern do not pass the input filter for tokens (OTP, SMS, and alike). Choose a different pattern for tokens or relax the corresponding pattern (in the Loginapp's security settings). Characters may be blocked by a WAF deny rule.
Attributes
String
Optional
Default value
user{digits:8}
Example
{distinct:5}
Example
user{digits:8}
Example
{lower26:1}{digits:3}{distinct:3}
Alphabets (alphabets)
Description
A list of alphabets used to generate the strings with.
Attributes
Plugin-Map
Optional
Assignable plugins
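The pattern grammar above, implemented as an added example (this is not Airlock's code): it parses fix and random parts, draws random characters from the built-in alphabets (with the "Alphabets" map able to override them), and additionally reports how many bits of randomness a pattern yields, which the page does not cover. The `choice` parameter is this example's hook for deterministic testing.

```python
import re
import secrets
from math import log2

# Built-in alphabets as listed in the plugin description.
BUILTIN_ALPHABETS = {
    "digits": "0123456789",
    "lower26": "abcdefghijklmnopqrstuvwxyz",
    "upper26": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "alpha52": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "distinct": "23456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ",
    "DISTINCT": "23456789ABCDEFGHJKLMNPQRSTUVWXYZ",
    "extended": "+-.,:;$<>()[]{}%&!?/*@#=_23456789abcdefghijkmnopqrstuvwxyz"
                "ABCDEFGHJKLMNPQRSTUVWXYZ",
}

# random_part = {alphabet_name:number_of_characters}
_RANDOM_PART = re.compile(r"\{([A-Za-z0-9_]+):(\d+)\}")


def _add_fix_part(parts, text):
    # fix_part = any_string_without_'{' ; a leftover '{' means a malformed random part
    if "{" in text:
        raise ValueError(f"malformed random part near {text!r}")
    if text:
        parts.append(("fix", text))


def parse_pattern(pattern, alphabets=None):
    """Split a pattern into ('fix', text) and ('random', alphabet, count) parts.

    `alphabets` plays the role of the plugin's "Alphabets" map and overrides
    built-in names. Raises ValueError for an unknown alphabet, a zero count,
    a stray '{' or an empty pattern."""
    table = dict(BUILTIN_ALPHABETS)
    table.update(alphabets or {})
    parts = []
    pos = 0
    for m in _RANDOM_PART.finditer(pattern):
        _add_fix_part(parts, pattern[pos:m.start()])
        name, count = m.group(1), int(m.group(2))
        if name not in table:
            raise ValueError(f"unknown alphabet {name!r}")
        if count < 1:
            raise ValueError(f"random part {m.group(0)} needs at least one character")
        parts.append(("random", table[name], count))
        pos = m.end()
    _add_fix_part(parts, pattern[pos:])
    if not parts:
        raise ValueError("empty pattern")
    return parts


def generate_identity(pattern, alphabets=None, choice=secrets.choice):
    """Render one identity. `choice` defaults to the CSPRNG-backed secrets.choice;
    the parameter exists only so tests can make the output deterministic."""
    out = []
    for part in parse_pattern(pattern, alphabets):
        if part[0] == "fix":
            out.append(part[1])
        else:
            _, alphabet, count = part
            out.append("".join(choice(alphabet) for _ in range(count)))
    return "".join(out)


def entropy_bits(pattern, alphabets=None):
    """Bits of randomness a pattern yields; fix parts contribute nothing."""
    bits = 0.0
    for part in parse_pattern(pattern, alphabets):
        if part[0] == "random":
            bits += part[2] * log2(len(part[1]))
    return bits


if __name__ == "__main__":
    for p in ("user{digits:8}", "{distinct:5}", "{lower26:1}{digits:3}{distinct:3}"):
        print(f"{p:40} -> {generate_identity(p)}  ({entropy_bits(p):.1f} bits)")
```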
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.user.CustomizableIdentityGenerator
id: CustomizableIdentityGenerator-xxxxxx
displayName: 
comment: 
properties:
  alphabets:
  pattern: user{digits:8}

Customizable Password Policy

Description

Password policy validates a password against a list of predefined password policy checks. Each password policy check validates one requirement of the password.

Not all checks are applied in all situations (e.g. a check whether a password is too young to be changed is not applied during a mandatory password change).

Class
com.airlock.iam.core.misc.impl.authen.CustomizablePasswordPolicy
May be used by
Properties
Optional Policy Checks (optionalPolicyChecks)
Description
The list of optional password policy checks, of which at least 'Minimum Passed Optional Checks' must be fulfilled when setting a new password.
Attributes
Plugin-List
Optional
Assignable plugins
Minimum Passed Optional Checks (minimumPassedOptionalChecks)
Description
The minimum number of optional checks that must pass.
Attributes
Integer
Optional
Default value
0
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.CustomizablePasswordPolicy
id: CustomizablePasswordPolicy-xxxxxx
displayName: 
comment: 
properties:
  minimumPassedOptionalChecks: 0
  optionalPolicyChecks:
  policyChecks:

Data Sources

Description
Configures data sources (e.g. databases or directories) for the following data (excerpt):
  • User data
  • Token data

Note that data sources for some tokens are configured directly in the corresponding token-specific settings.

Class
com.airlock.iam.core.misc.plugin.config.GlobalPersisterSettings
May be used by
Properties
User Data Source (userStore)
Description
Data source (e.g. database or directory) to access user related data.
Attributes
Plugin-Link
Optional
Assignable plugins
Token Data Source (tokenDataSource)
Description
Data source (e.g. database or directory) to read and write token related data.
Attributes
Plugin-Link
Optional
Assignable plugins
User Trail Data Source (userTrailDataSource)
Description

Configures the global settings to persist user trail log messages across all modules.

If defined, user trail logs are additionally forwarded to the referenced repository. This does not affect writing messages to the respective module log files.

Attributes
Plugin-Link
Optional
Assignable plugins
Device Usage Data Source (deviceUsageDataSource)
Description
Data source to read and write device usage related data.
Attributes
Plugin-Link
Optional
Assignable plugins
Accepted SSO Tickets Repository (acceptedSsoTicketRepository)
Description

Configures the repository used to store accepted SSO tickets and reject previously accepted ones.

The in-memory repository cannot be used if multiple instances of IAM are deployed in parallel (failover, horizontal scaling). Furthermore, the in-memory repository does not preserve previously accepted SSO tickets across IAM restarts.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.plugin.config.GlobalPersisterSettings
id: GlobalPersisterSettings-xxxxxx
displayName: 
comment: 
properties:
  acceptedSsoTicketRepository:
  deviceUsageDataSource:
  tokenDataSource:
  userStore:
  userTrailDataSource:

Database Credential Persister

Description
Configurable credential persister and iterator using a database table as credential-repository.

The database is accessed via JDBC. It fetches the data of a user by directly executing a prepared statement. Making changes persistent is achieved by multiple update statement executions on the user record within a transaction.
This plug-in is very flexible in that it allows you to specify extra where clauses and search filters to select the set of credential records.

Note: This persister also supports iteration over credentials.

How this plug-in finds a credential record

There are two ways in which this plugin finds a credential record for getting, updating and deleting data. The credential record is always fetched using a select statement given a primary key and applying the configured filters (additional where clause). The two variants differ in how the primary key is determined:
  1. The primary key for selecting the credential record is the username itself. This is by far the most common and most efficient method to obtain credential data.
  2. The primary key is determined by a separate query including the username. The query can be configured. This way of selecting the credential record is more flexible but results in an additional select statement.
Class
com.airlock.iam.core.misc.impl.persistency.db.DatabaseCredentialPersister
May be used by
Properties
SQL Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Credential Table Name (credentialTableName)
Description
The name of the database table containing the credential data (and often also user data).
Attributes
String
Mandatory
Suggested values
medusa_user, medusa_token
Col User Name (colUserName)
Description
The name of the database column with the username. This column is used to search the credential given the user's name.
Attributes
String
Mandatory
Suggested values
username
User Name Resolve Query (userNameResolveQuery)
Description
An SQL query that returns a primary key for the user table given the user name.
Such a query is useful if the username (used on the login page) is not part of the user table.
The query must be such that - given the username - it returns one value that can be used as primary key in the user table. The query must contain one question mark (?) which will be substituted by the username (a string).

If the query returns no records, it results in the user not being found.
If the query returns more than one record, it results in the username being ambiguous.

If this property is not defined, the username itself is used as primary key in the user table (the usual and efficient way).

Note: If this property is defined, credential insertion by this plugin is no longer possible.

Attributes
String
Optional
Example
SELECT u.id FROM user u, person p WHERE p.id = u.person_id and p.contractId = ?
Col Binary Credential Data (colBinaryCredentialData)
Description
The name of the database column with the current credential data's binary credential data. This database field must be able to store the appropriate amount of binary data (depending on the credential). The data type of this column is expected to be BYTE or VARBYTE.
The presence of this property indicates that the credential data is stored in binary form and not in string form. If this property is set, this class returns (and expects) instances of CredentialBean returning false in method "CredentialBean.isCredentialDataStringType()".
You cannot specify both this property and property "col-string-credential-type".
Attributes
String
Optional
Example
tokenSeed
Example
tanHashes
Example
token_list
Col String Credential Data (colStringCredentialData)
Description
The name of the database column with the current credential data's string type credential data. This database field must be able to store the appropriate amount of string data (depending on the credential). The data type of this column is expected to be VARCHAR or CHAR.
The presence of this property indicates that the credential data is stored as string and not in binary form. If this property is set, this class returns (and expects) instances of CredentialBean returning true in method "CredentialBean.isCredentialDataStringType()".
You cannot specify both this property and property "col-binary-credential-type".
Attributes
String
Optional
Suggested values
mtan_number, cert_subject_cn, oathotp_data, securid_user, secovid_data, remember_me_secret
Col Credential Serial (colCredentialSerial)
Description
The name of the database column with the current credential data's serial number. This database field must be able to store the appropriate amount of string data (depending on the credential). The data type of this column is expected to be VARCHAR or CHAR.
Attributes
String
Optional
Suggested values
cert_serial, oathotp_serial, securid_serial, secovid_serial
Col Credential Not Active After (colCredentialNotActiveAfter)
Description
The name of the database column indicating the point in time after which the current credential is no longer considered active. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Example
active_until
Example
tokenExpiryDate
Col Credential Not Active Before (colCredentialNotActiveBefore)
Description
The name of the database column indicating the point in time before which the current credential is not yet considered active. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Example
tokenActivationDate
Example
valid_since
Col Credential Delivery Date (colCredentialDeliveryDate)
Description
The name of the database column with the date and time of the latest credential delivery. This column type is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
mtan_del_date, cert_del_date, oathotp_del_date
Col Credential Generation Date (colCredentialGenerationDate)
Description
The name of the database column with the date and time of the latest credential generation or assignment. This column type is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
mtan_ass_date, cert_ass_date, oathotp_gen_date, remember_me_gen_date
Col Next Binary Credential Data (colNextBinaryCredentialData)
Description
The name of the database column with the next credential data's binary credential data. This database field must be able to store the appropriate amount of binary data (depending on the credential). The data type of this column is expected to be BYTE or VARBYTE.
The presence of this property indicates that the credential data is stored in binary form and not in string form. If this property is set, this class returns (and expects) instances of CredentialBean returning false in method "CredentialBean.isCredentialDataStringType()".
You cannot specify both this property and property "col-string-credential-type".
Attributes
String
Optional
Example
tokenSeed
Example
tanHashes
Example
token_list
Col Next String Credential Data (colNextStringCredentialData)
Description
The name of the database column with the next credential data's string type credential data. This database field must be able to store the appropriate amount of string data (depending on the credential). The data type of this column is expected to be VARCHAR or CHAR.
The presence of this property indicates that the credential data is stored as string and not in binary form. If this property is set, this class returns (and expects) instances of CredentialBean returning true in method "CredentialBean.isCredentialDataStringType()".
You cannot specify both this property and property "col-binary-credential-type".
Attributes
String
Optional
Example
tokenUserInAce
Example
bas64TanHash
Col Next Credential Serial (colNextCredentialSerial)
Description
The name of the database column with the next credential data's serial number. This database field must be able to store the appropriate amount of string data (depending on the credential). The data type of this column is expected to be VARCHAR or CHAR.
Attributes
String
Optional
Example
serial
Example
token_serial
Col Next Credential Not Active After (colNextCredentialNotActiveAfter)
Description
The name of the database column indicating the point in time after which the next credential is no longer considered active. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Example
active_until
Example
tokenExpiryDate
Col Next Credential Not Active Before (colNextCredentialNotActiveBefore)
Description
The name of the database column indicating the point in time before which the next credential is not yet considered active. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Example
tokenActivationDate
Example
valid_since
Col Next Credential Delivery Date (colNextCredentialDeliveryDate)
Description
The name of the database column with the date and time of the (latest) delivery of the next credential item. This column type is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Example
latest_token_delivery
Example
card_letter_delivery
Col Next Credential Generation Date (colNextCredentialGenerationDate)
Description
The name of the database column with the date and time of the latest generation or assignment of the next credential item. This column type is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Example
matrix_letter_generation
Example
card_assignment_date
Col Credential Active (colCredentialActive)
Description
The name of the database column with the flag indicating whether the credential is active or not. This field refers to the 'type' of credential for the user, not to a particular instance. If a current and a next credential data item exist for this credential type, deactivating this field concerns both credential data items. If only one credential data item should be deactivated, the fields not-active-before and not-active-after are required. Inactive credentials may not be used by the callers. This column type is either CHAR or NUMBER. The value "0" (zero) is treated as false, any other value is treated as true.
If the column is not specified, all credentials are considered to be active.
Attributes
String
Optional
Example
active
Example
tokenActive
Col Other Credentials Delivery Timestamps (colOtherCredentialsDeliveryTimestamps)
Description
Comma-separated list of column names with the delivery dates of other credentials. This information may be used in order to delay the delivery time for credentials so no two credentials of the same user are delivered the same day.
Attributes
String
Optional
Example
password_delivery
Example
password_delivery,iak_delivery
Col Credential Ordered Flag (colCredentialOrderedFlag)
Description
The name of the database column with the flag indicating whether a new credential should be generated or assigned for the user. This column type is either CHAR or NUMBER. The value "0" is treated as false, any other value is treated as true.
Attributes
String
Optional
Suggested values
mtan_order_new, cert_order_new, oathotp_order_new
Col Credential Ordered User (colCredentialOrderedUser)
Description
The name of the database column with the user by whom the new credential was ordered to be generated or assigned for the user. This column type is either CHAR or VARCHAR.
Attributes
String
Optional
Suggested values
mtan_order_user, cert_order_user, oathotp_order_user
Col Credential Ordered Date (colCredentialOrderedDate)
Description
The name of the database column with the date of when the new credential was ordered to be generated or assigned for the user. This column type is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
mtan_order_date, cert_order_date, oathotp_order_date
Additional Where Clause (additionalWhereClause)
Description
Optional SQL query part that is added to the where clause when searching the credentials by user name.
The SQL query without an additional where clause is "SELECT * FROM credential-table WHERE colusername = 'username'" (the real values for "credential-table" and "colusername" are taken from the configuration and "username" is taken from the credential object).
The SQL query with an additional where clause "xyz" is: "SELECT * FROM credential-table WHERE colusername = 'username' AND xyz".

Example: If the value of this configuration setting is "GROUP = 'a' AND COD = 1" the resulting query is "SELECT * FROM credential-table WHERE colusername = 'username' AND GROUP = 'a' AND COD = 1"

Attributes
String
Optional
Example
deleted = 0
Example
group = 'remoteUsers' AND verified = 1
Search Condition Query (searchConditionQuery)
Description
A way to limit the set of valid credential records with an arbitrary SQL query. (See also configuration property "additional-where-clause": it offers a different, slightly more efficient but less powerful way to limit the set of valid credential records).

After the credential has been found by username (and matching the optional additional where clause as specified by configuration property "additional-where-clause") the query specified by this configuration property is executed.
If the result of the query is "true" or "1", the credential record is considered valid. In all other cases, the credential record is not valid, i.e. the behaviour is as if the record did not exist.

The value of this configuration property can be empty (no effect) or any valid SQL query. You can use values of the user record (Record selected from table specified by configuration property "user-table-name" by user name and optionally additional where clause) in the query as follows: ${xxx} references the field (column) "xxx" from the selected user record.

Example:
In our example the selected user record has the following values (column name = value): user_id = 'freddy', person_no = 13, ... Further, there is a different database table "PERSON" which is referenced by the user table. The table "PERSON" has a column of type boolean called "valid" which indicates whether a person record is valid or not.
Consider the following value for this configuration property: SELECT p.valid FROM PERSON p WHERE p.person_no = ${person_no}. Thus, when looking for the user record (given the username and matching the optional additional where part), the above query is executed with ${person_no} substituted by the value 13 of field "person_no" of the selected user record.

Attributes
String
Optional
Example
SELECT p.valid FROM PERSON p WHERE p.person_no = ${person_no}
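The two lookup stages described for "Additional Where Clause" and "Search Condition Query", composed as an added example (not Airlock's implementation): the by-username select with the additional where clause, then the search condition query with ${xxx} resolved from the selected record, an invalid record behaving as if it did not exist. The schema, data and configuration values are constructed; binding the username and each ${xxx} value as prepared-statement parameters, and rejecting table and column names that are not plain identifiers, are this example's choices.

```python
import re
import sqlite3

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_FIELD_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


class AmbiguousUserError(Exception):
    """More than one credential record matched the username."""


def _check_identifier(name):
    # Table and column names come from the configuration, never from the user;
    # this guard still rejects anything that is not a plain SQL identifier.
    if not _IDENT.match(name):
        raise ValueError(f"not a plain SQL identifier: {name!r}")
    return name


def find_credential_record(conn, cfg, username):
    """Variant 1 of the page: the username itself is the primary key.

    Builds 'SELECT * FROM credential-table WHERE colusername = ? AND <clause>'
    with the username bound as a parameter, not pasted into the SQL text."""
    table = _check_identifier(cfg["credentialTableName"])
    col = _check_identifier(cfg["colUserName"])
    sql = f"SELECT * FROM {table} WHERE {col} = ?"
    extra = cfg.get("additionalWhereClause")
    if extra:
        sql += f" AND {extra}"          # trusted configuration text, as on the page
    cur = conn.execute(sql, (username,))
    rows = cur.fetchall()
    if not rows:
        return None                      # user not found
    if len(rows) > 1:
        raise AmbiguousUserError(username)
    names = [d[0] for d in cur.description]
    return dict(zip(names, rows[0]))


def search_condition_passes(conn, query, record):
    """Run the searchConditionQuery; every ${xxx} is taken from the selected record.

    Example's assumption: ${xxx} becomes a bound parameter, so a column value
    cannot change the structure of the query."""
    if not query:
        return True                      # empty property: no effect
    params = []

    def bind(m):
        field = m.group(1)
        if field not in record:
            raise KeyError(f"selected record has no column {field!r}")
        params.append(record[field])
        return "?"

    row = conn.execute(_FIELD_REF.sub(bind, query), params).fetchone()
    if row is None:
        return False
    return str(row[0]).lower() in ("1", "true")


def lookup_credential(conn, cfg, username):
    """Full lookup: select by username + additional where clause, then search condition."""
    record = find_credential_record(conn, cfg, username)
    if record is None:
        return None
    if not search_condition_passes(conn, cfg.get("searchConditionQuery"), record):
        return None                      # invalid record: behaves as if it did not exist
    return record


def build_demo_db():
    """Constructed sample schema and rows; not Airlock's database layout."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE medusa_user (username TEXT, person_no INTEGER,
                                  deleted INTEGER, mtan_number TEXT);
        CREATE TABLE person (person_no INTEGER PRIMARY KEY, valid INTEGER);
        INSERT INTO person VALUES (13, 1), (14, 0);
        INSERT INTO medusa_user VALUES ('freddy', 13, 0, '+41790000001');
        INSERT INTO medusa_user VALUES ('gina',   14, 0, '+41790000002');
        INSERT INTO medusa_user VALUES ('hans',   13, 1, '+41790000003');
    """)
    return conn


# Constructed configuration mirroring the page's own example values.
DEMO_CFG = {
    "credentialTableName": "medusa_user",
    "colUserName": "username",
    "additionalWhereClause": "deleted = 0",
    "searchConditionQuery": "SELECT p.valid FROM person p WHERE p.person_no = ${person_no}",
}

if __name__ == "__main__":
    db = build_demo_db()
    for user in ("freddy", "gina", "hans", "nobody"):
        print(user, "->", lookup_credential(db, DEMO_CFG, user))
```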
Additional Iterator Where Clause (additionalIteratorWhereClause)
Description
Same as property "additional-where-clause" except that it is used as where part when iterating over the credentials.
Attributes
String
Optional
Example
deleted = 0
Example
group = 'remoteUsers' AND verified = 1
Iterator Query (iteratorQuery)
Description
This query is used to get all user ids (or all matching user ids) instead of the default generated query defined by the user table, the username column and the context data fields.

Specifying such a query is only necessary if the username cannot be used as primary key in the user table (this is only the case if property "user-name-resolve-query" is specified).

The query must return one-column records, one username (user ID) per row.

Note that this query is used both when returning all user IDs and when returning only matching user IDs (filtered by the user). Thus, the query must be such that LIKE clauses against context data columns work. This usually means that you must join the result with the user table (even if the user ID is not read from the user table) so the LIKE clauses can access the context data of the user table. Failing to do so will result in runtime SQL syntax exceptions!

Note: If this property is specified, additional-iterator-clauses and the deleted flag is ignored. They must be part of the query itself!

Attributes
String
Optional
Example
SELECT p.id from PERSON p, User u where u.person_id = p.id
Context Data Items (contextDataItems)
Description
A list of context data items that are fetched and returned to the caller together with the credential.
Attributes
Plugin-List
Optional
Assignable plugins
Additional Context Data (additionalContextData)
Description
This selector allows reading context data from other tables by executing the specified query. The selector name of this configuration property is the name of the context data variable to be read. The value of this configuration property may be empty (no effect) or any valid SQL query. You can use the values of the user record (the record selected from the table specified by property user-table-name by user name) in the query as follows: ${xxx} refers to the field (column) xxx of the selected user record.

Note: These context data values are read only! When fetching credential records, the query will be executed for each credential and the values will be added to the context data container. Modified, new or deleted values will not be written when credential records are updated.

Also note that context data fields defined in configuration property context-data-columns override corresponding entries in this property.

Example:
SELECT p.mobile_no FROM person p WHERE p.person_no = ${person_no}

Attributes
Plugin-List
Optional
Assignable plugins
Col Deleted (colDeleted)
Description
The name of a binary column that marks a record as deleted. A record that has been marked as deleted is no longer found by the persister.
Note: If this property is defined and a credential is deleted, the record is only marked as deleted and not actually removed from the database. If this property is not defined and a credential is deleted, the record is removed from the database. The type of this column is either CHAR or NUMBER. The value "0" is treated as not deleted, any other value is treated as deleted.
Attributes
String
Optional
Suggested values
deleted
Col Version Id (colVersionId)
Description
Name of a database column containing a numerical version id that is automatically incremented by one when a record is changed.
Such a technical column is used by some applications or libraries (such as Hibernate) to implement optimistic locking.

Note that this plugin still uses its own data-based optimistic locking mechanism. It just increments the value within a transaction in order to be compliant with other components' locking mechanisms.

The column must be of an integer type. Usually a long type is used.

Attributes
String
Optional
Suggested values
rowVersionId
Col Record Modification Date (colRecordModificationDate)
Description
Name of a database column with the date and time this record was modified. The timestamp is written by this plugin at the time the record is modified by this plugin.

The type of the column must be compatible with a timestamp.

Note that - if configured (see separate property) - user information may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowUpdateDate
Col Record Modification User (colRecordModificationUser)
Description
Name of a database column with the name of the system that modified the record. The name is determined by configuration property "record-modification-user" and is written by this plugin at the time the record is modified by this plugin.

Note that - if configured (see separate property) - the modification date may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowUpdateUser
Record Modification User (recordModificationUser)
Description
Specifies a string (typically the name associated with the system using this plugin) that is written to the database fields specified by properties "col-record-insertion-user" and "col-record-modification-user" when this plugin creates or modifies a user record.
Attributes
String
Optional
Suggested values
AirlockIAM
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.db.DatabaseCredentialPersister
id: DatabaseCredentialPersister-xxxxxx
displayName: 
comment: 
properties:
  additionalContextData:
  additionalIteratorWhereClause:
  additionalWhereClause:
  colBinaryCredentialData:
  colCredentialActive:
  colCredentialDeliveryDate:
  colCredentialGenerationDate:
  colCredentialNotActiveAfter:
  colCredentialNotActiveBefore:
  colCredentialOrderedDate:
  colCredentialOrderedFlag:
  colCredentialOrderedUser:
  colCredentialSerial:
  colDeleted:
  colNextBinaryCredentialData:
  colNextCredentialDeliveryDate:
  colNextCredentialGenerationDate:
  colNextCredentialNotActiveAfter:
  colNextCredentialNotActiveBefore:
  colNextCredentialSerial:
  colNextStringCredentialData:
  colOtherCredentialsDeliveryTimestamps:
  colRecordModificationDate:
  colRecordModificationUser:
  colStringCredentialData:
  colUserName:
  colVersionId:
  contextDataItems:
  credentialTableName:
  iteratorQuery:
  recordModificationUser:
  searchConditionQuery:
  sqlDataSource:
  userNameResolveQuery:

Database Field

Description
Name-Value pair where the name represents the column of a db field.
Class
com.airlock.iam.core.misc.impl.persistency.db.DatabaseField
May be used by
Properties
Column (column)
Description
The name of the db column.
Attributes
String
Mandatory
Example
column_name
Value (value)
Description
The value of the database field. Make sure to use single quotes when inserting string data.
Attributes
String
Mandatory
Example
13
Example
'foobar'
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.db.DatabaseField
id: DatabaseField-xxxxxx
displayName: 
comment: 
properties:
  column:
  value:

Database Login History Repository Config

Description
Login History Repository for relational databases. Stores information about all successful logins for future risk evaluations. The database table name is expected to be "login_history", and "history_seq" is the expected sequence name for Oracle DBs.
Class
com.airlock.iam.common.application.configuration.loginhistory.DatabaseLoginHistoryRepositoryConfig
May be used by
Properties
SQL Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Max Number Of Entries (maxNumberOfEntries)
Description
The maximum number of login history entries to keep per user. It must be set high enough to accommodate all configured risk extractors.
Attributes
Integer
Optional
Default value
50
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.loginhistory.DatabaseLoginHistoryRepositoryConfig
id: DatabaseLoginHistoryRepositoryConfig-xxxxxx
displayName: 
comment: 
properties:
  maxNumberOfEntries: 50
  sqlDataSource:

Database Maintenance Message Persister

Description

Database interface for persisting maintenance messages.

The database model is based on two database tables: the first stores message details such as validity period, system availability, etc., and the second stores the translations associated with the messages.

Class
com.airlock.iam.core.misc.impl.persistency.db.DatabaseMaintenanceMessagePersister
May be used by
License-Tags
MaintenanceMessages
Properties
SQL Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
License-Tags
MaintenanceMessages
Assignable plugins
Cache Timeout (cacheTimeout)
Description
Specifies the number of seconds for which fetched maintenance messages are cached before the underlying database layer is asked again. Thus a maintenance message that becomes valid at point in time t may appear up to n seconds late.
Setting this property to 0 (zero) or omitting this property results in a direct call to the underlying database layer every time the provider is asked for a maintenance message.
Note that using the location token "${location}" in the additional where clause of the message disables caching.
Attributes
Long
Optional
License-Tags
MaintenanceMessages
Default value
0
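The effect of the cache timeout on when a message becomes visible, as an added example that is not Airlock IAM code: a message provider is wrapped in a time-based cache, so with cacheTimeout = n the database is re-queried at most every n seconds and a message valid from time t can show up at most n seconds late; with cacheTimeout = 0, or when the additional where clause contains the "${location}" token, every call goes to the database. The clock, the message rows and the query helper are constructed for this example.

```python
"""Effect of Cache Timeout on when a maintenance message becomes visible.

Added example, not Airlock IAM code. FakeDb, Message and the integer clock
are constructed; only the caching rules (timeout n, 0 = no caching,
"${location}" disables caching) come from the plugin description.
"""
from dataclasses import dataclass


@dataclass
class Message:
    name: str
    valid_from: int   # seconds, on a constructed clock
    valid_to: int


class FakeDb:
    """Stands in for the database layer; counts how often it is queried."""

    def __init__(self, messages):
        self.messages = messages
        self.queries = 0

    def valid_messages(self, now):
        self.queries += 1
        return [m.name for m in self.messages if m.valid_from <= now <= m.valid_to]


class CachingMessageProvider:
    def __init__(self, db, cache_timeout, additional_where_clause=""):
        self.db = db
        # A where clause using "${location}" makes the result depend on the
        # caller's location, so the page's rule applies: caching is disabled.
        self.cache_timeout = 0 if "${location}" in additional_where_clause else cache_timeout
        self._cached = None
        self._cached_at = None

    def current_messages(self, now):
        if (self.cache_timeout > 0 and self._cached is not None
                and now - self._cached_at < self.cache_timeout):
            return self._cached                      # served from cache
        self._cached = self.db.valid_messages(now)   # timeout expired: ask the database
        self._cached_at = now
        return self._cached


def first_visible_at(cache_timeout, additional_where_clause=""):
    """Poll once per second from t=0 and report when a message that becomes
    valid at t=100 is first returned, plus how many database queries it took."""
    db = FakeDb([Message("planned-outage", valid_from=100, valid_to=200)])
    provider = CachingMessageProvider(db, cache_timeout, additional_where_clause)
    for now in range(0, 300):
        if provider.current_messages(now):
            return now, db.queries
    return None, db.queries


if __name__ == "__main__":
    print("cacheTimeout=0  ->", first_visible_at(0))
    print("cacheTimeout=30 ->", first_visible_at(30))
    print("cacheTimeout=30 with ${location} ->",
          first_visible_at(30, "location = '${location}'"))
```

With cacheTimeout = 30 the message valid from t=100 is first returned at t=120 (cached at t=90 as "nothing valid", refreshed at t=120): late, but within the 30 second bound, and with only 5 database queries instead of 101.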
Message Table (messageTable)
Description
The name of the database table containing the maintenance messages.
Attributes
String
Mandatory
License-Tags
MaintenanceMessages
Suggested values
medusa_maint_msg
Message Col Name (messageColName)
Description
The name of the column holding the message name.
Attributes
String
Mandatory
License-Tags
MaintenanceMessages
Suggested values
name
Message Col System Available (messageColSystemAvailable)
Description
The name of the column that indicates if the system is available for this message.
Attributes
String
Mandatory
License-Tags
MaintenanceMessages
Suggested values
system_available
Message Col Active (messageColActive)
Description
The name of the column that indicates if the message is active.
Attributes
String
Mandatory
License-Tags
MaintenanceMessages
Suggested values
active
Message Col Valid From (messageColValidFrom)
Description
The name of the column that stores the message's valid-from date.
Attributes
String
Mandatory
License-Tags
MaintenanceMessages
Suggested values
valid_from
Message Col Valid To (messageColValidTo)
Description
The name of the column that stores the message's valid-to date.
Attributes
String
Mandatory
License-Tags
MaintenanceMessages
Suggested values
valid_to
Message Col Location (messageColLocation)
Description
The name of the column that stores the message's location identifier. A message may have a location or not. Messages with different locations are independent of each other.
Attributes
String
Optional
License-Tags
MaintenanceMessages
Suggested values
location
Message Col Version Id (messageColVersionId)
Description
Name of a database column containing a numerical version id that is automatically incremented by one when a record is changed. Such a technical column is used by some applications or libraries (such as Hibernate) to implement optimistic locking.

The column must be of an integer type. Usually a long type is used.
Attributes
String
Optional
License-Tags
MaintenanceMessages
Suggested values
rowVersionId
Message Col Record Insertion Date (messageColRecordInsertionDate)
Description
Name of a database column with the date and time this record was created. The timestamp is written by this plugin at the time the record is inserted by this plugin.

The type of the column must be compatible with a timestamp.

Note that - if configured (see separate property) - user information may also be written to the database at the same time.
Attributes
String
Optional
License-Tags
MaintenanceMessages
Suggested values
rowInsertDate
Message Col Record Insertion User (messageColRecordInsertionUser)
Description
Name of a database column with the name of the system that inserted the record. The name is determined by configuration property "record-modification-user" and is written by this plugin at the time the record is inserted by this plugin.

Note that - if configured (see separate property) - the insertion date may also be written to the database at the same time.
Attributes
String
Optional
License-Tags
MaintenanceMessages
Suggested values
rowInsertUser
Message Col Record Modification Date (messageColRecordModificationDate)
Description
Name of a database column with the date and time this record was modified. The timestamp is written by this plugin at the time the record is modified by this plugin.

The type of column must be compatible with a timestamp.

Note that - if configured (see separate property) - user information may also be written to the database at the same time.
Attributes
String
Optional
License-Tags
MaintenanceMessages
Suggested values
rowUpdateDate
Message Col Record Modification User (messageColRecordModificationUser)
Description
Name of a database column with the name of the system that modified the record. The name is determined by configuration property "record-modification-user" and is written by this plugin at the time the record is modified by this plugin.

Note that - if configured (see separate property) - the modification date may also be written to the database at the same time.
Attributes
String
Optional
License-Tags
MaintenanceMessages
Suggested values
rowUpdateUser
Message Additional Where Clause (messageAdditionalWhereClause)
Description
Optional SQL query condition that is added to the where clause when searching for, updating or deleting messages.
The SQL query without an additional where clause is something like SELECT * FROM message_table WHERE VALID_FROM <= now AND VALID_TO >= now.
The SQL query with an additional where clause xyz is: SELECT * FROM message_table WHERE VALID_FROM <= now AND VALID_TO >= now AND (xyz).

Note that this where clause may be overridden for the message lookup using property "Message Lookup Additional Where Clause".

Attributes
String
Optional
License-Tags
MaintenanceMessages
Example
GROUP = 'cus1' AND MANDATE = 'abc'
Example
deleted=0
Translation Table (translationTable)
Description
The name of the database table containing the translations for the maintenance messages. Records in this table belong to a message table record (i.e. a foreign key to the message table).
Attributes
String
Mandatory
License-Tags
MaintenanceMessages
Suggested values
medusa_maint_msg_tnsl
Translation Col Message Ref (translationColMessageRef)
Description
The name of the column in the translation table that references messages (the referenced column in the message table is the one specified by message-col-name).
Attributes
String
Mandatory
License-Tags
MaintenanceMessages
Suggested values
message_ref
Translation Col Language (translationColLanguage)
Description
The name of the column that holds the language of the translation.
Attributes
String
Mandatory
License-Tags
MaintenanceMessages
Suggested values
language
Translation Col Message (translationColMessage)
Description
The name of the column that holds the translated message.
Attributes
String
Mandatory
License-Tags
MaintenanceMessages
Suggested values
message
Translation Additional Where Clause (translationAdditionalWhereClause)
Description
Optional SQL query condition that is added to the where clause when searching for translations.
The SQL query without an additional where clause is something like SELECT * FROM translation_table WHERE language = 'en'.
The SQL query with an additional where clause xyz is: SELECT * FROM translation_table WHERE language = 'en' AND xyz.
Attributes
String
Optional
License-Tags
MaintenanceMessages
Example
GROUP = 'cus1' AND MANDATE = 'abc'
Example
deleted=0
Record Modification User (recordModificationUser)
Description
Specifies a string (typically the name associated with the system using this plugin) that is written to the database fields specified by properties "message-col-record-insertion-user" and "message-col-record-modification-user" when this plugin creates or modifies a record.
Attributes
String
Optional
License-Tags
MaintenanceMessages
Default value
Medusa
Suggested values
Airlock
Additional Insert Data (additionalInsertData)
Description
This property defines a list of name/value pairs used in insert statements when a new record is inserted.

This allows you to add arbitrary fixed or dynamic values when a new record is created. This is useful if some database fields may not be NULL but are not inserted by this plugin by default.

Caution: Make sure to appropriately escape values (e.g. use single quotes around strings). They are used as provided in the SQL insert statements. This allows calling database dependent functions (e.g. in order to get a sequence number, system date, etc).

Attributes
Plugin-List
Optional
License-Tags
MaintenanceMessages
Assignable plugins
Additional Insert Data Translations (additionalInsertDataTranslations)
Description
This property defines a list of name/value pairs used in insert statements when a new record is inserted.

This allows you to add arbitrary fixed or dynamic values when a new record is created. This is useful if some database fields may not be NULL but are not inserted by this plugin by default.

Caution: Make sure to appropriately escape values (e.g. use single quotes around strings). They are used as provided in the SQL insert statements. This allows calling database dependent functions (e.g. in order to get a sequence number, system date, etc).

Attributes
Plugin-List
Optional
License-Tags
MaintenanceMessages
Assignable plugins
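What the caution for Additional Insert Data and Additional Insert Data Translations (and the single-quote rule of the Database Field plugin) means in practice, as an added example that is not Airlock IAM code: the name/value pairs are pasted verbatim into the INSERT statement, so an unquoted string is parsed as a column name, an embedded quote breaks the statement, and a database function such as CURRENT_TIMESTAMP works only because nothing is escaped. The table medusa_maint_msg follows the page's suggested value; its columns, build_insert and sql_string_literal are constructed for the example.

```python
"""Escaping values for Additional Insert Data / Database Field.

Added example, not Airlock IAM code. The INSERT is assembled the way the
page describes (plugin-owned columns bound as parameters, additional
name/value pairs inserted as provided). Column names other than 'name'
and 'active' are constructed; SQLite stands in for the real database.
"""
import sqlite3


def sql_string_literal(text: str) -> str:
    """Turn arbitrary text into a SQL string literal: wrap in single quotes and
    double every embedded single quote (standard SQL: Oracle, MySQL, SQL Server,
    H2 and SQLite all accept this form)."""
    return "'" + text.replace("'", "''") + "'"


def build_insert(table, fixed_columns, additional_insert_data):
    """fixed_columns: columns the plugin fills itself (bound as '?' parameters).
    additional_insert_data: list of (column, value) pairs whose values go into
    the statement exactly as provided, e.g. "'foobar'", "13", "CURRENT_TIMESTAMP"."""
    cols = list(fixed_columns) + [c for c, _ in additional_insert_data]
    vals = ["?"] * len(fixed_columns) + [v for _, v in additional_insert_data]
    return f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({', '.join(vals)})"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE medusa_maint_msg (name TEXT, active INTEGER,"
                 " tenant TEXT, priority INTEGER, rowInsertDate TEXT)")
    return conn


def try_insert(additional_insert_data):
    """Run one INSERT with the given additional data on a fresh database.
    Returns the stored (tenant, priority) pair, or the database error class name."""
    conn = open_db()
    sql = build_insert("medusa_maint_msg", ["name", "active"], additional_insert_data)
    try:
        conn.execute(sql, ("maintenance-window", 1))
        conn.commit()
        return conn.execute("SELECT tenant, priority FROM medusa_maint_msg").fetchone()
    except sqlite3.Error as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Correctly quoted string, numeric literal and a database function: works.
    print(try_insert([("tenant", "'cus1'"), ("priority", "13"),
                      ("rowInsertDate", "CURRENT_TIMESTAMP")]))
    # Unquoted string: the database reads cus1 as a column name and fails.
    print(try_insert([("tenant", "cus1")]))
    # Quoted string with an embedded quote: the statement no longer parses.
    print(try_insert([("tenant", "'O'Brien'")]))
    # Same text, escaped properly.
    print(try_insert([("tenant", sql_string_literal("O'Brien"))]))
```

Because these values are treated as trusted SQL, they belong in configuration only; never derive them from user-supplied data.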
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.db.DatabaseMaintenanceMessagePersister
id: DatabaseMaintenanceMessagePersister-xxxxxx
displayName: 
comment: 
properties:
  additionalInsertData:
  additionalInsertDataTranslations:
  cacheTimeout: 0
  messageAdditionalWhereClause:
  messageColActive:
  messageColLocation:
  messageColName:
  messageColRecordInsertionDate:
  messageColRecordInsertionUser:
  messageColRecordModificationDate:
  messageColRecordModificationUser:
  messageColSystemAvailable:
  messageColValidFrom:
  messageColValidTo:
  messageColVersionId:
  messageTable:
  recordModificationUser: Medusa
  sqlDataSource:
  translationAdditionalWhereClause:
  translationColLanguage:
  translationColMessage:
  translationColMessageRef:
  translationTable:

Database Sequence Generator

Description

Sequence generator storing the sequence number in a database.

Class
com.airlock.iam.core.misc.util.report.barcode.DatabaseSequenceGenerator
May be used by
Properties
Sql Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Sequence Name (sequenceName)
Description
The name of the sequence. It must be a unique value in the column specified by property "Column Sequence Name".
Attributes
String
Mandatory
Example
Sendungsnummer01
Example
SEQ-A
Table Name (tableName)
Description
The name of the table where the sequence is stored.
Attributes
String
Optional
Default value
SEQUENCES
Example
SEQUENCES
Example
COUNTERS
Column Sequence Name (columnSequenceName)
Description
The name of the column holding the sequence name.
Attributes
String
Optional
Default value
NAME
Example
ID
Example
NAME
Column Sequence Number (columnSequenceNumber)
Description
The name of the column holding the sequence number. The column must be of a numeric type.
Attributes
String
Optional
Default value
STATE
Example
STATE
YAML Template (with default values)

type: com.airlock.iam.core.misc.util.report.barcode.DatabaseSequenceGenerator
id: DatabaseSequenceGenerator-xxxxxx
displayName: 
comment: 
properties:
  columnSequenceName: NAME
  columnSequenceNumber: STATE
  sequenceName:
  sqlDataSource:
  tableName: SEQUENCES

Database Token List Persister

Description
Highly configurable persister using a relational database as repository for token lists. The database is accessed via JDBC. It fetches the data of a user by directly executing a prepared statement. Making changes persistent is achieved by multiple update statement executions on the token list record within a transaction.
This plug-in allows you to specify extra where clauses and search filters to select the set of users.

How this plug-in finds a user record

There are two ways in which this plugin finds a user record for getting, updating and deleting user data. The user record is always fetched using a select statement given a primary key and applying the configured filters (additional where clause). The two variants differ in how the primary key is determined:
  1. The primary key for selecting the user record is the username itself. This is by far the most common and most efficient method to obtain user data.
  2. The primary key is determined by a separate query including the username. The query can be configured. This way of selecting the user record is more flexible but results in an additional select statement.

Estimate for the Length of the Token List Database Field

The length of the encoded token hash list depends mainly on the number of unused tokens in the list, the hash function used and the encoding of the list.

Here is an example using the SHA1PasswordHash as hash function (which produces 40 bytes for each token; a raw SHA-1 digest is 20 bytes, so 40 corresponds to its hex encoding) together with the hashed token list encoding used by this persister implementation (actually it is the encoding provided by TokenListHasher#hashedTokenListToBytes(HashedTokenList)):
Each unused token uses 40 bytes for the hash value, 4 bytes for the index and 4 bytes for the length of the hash value, thus 48 bytes. Due to the nature of the hash function, these figures are independent of the length of the tokens.
Additionally the encoded list holds the number of tokens (when the list was new) in 4 bytes, the length of the identification string in 4 bytes, the identification string of arbitrary length and the generation timestamp in 8 bytes. This makes another 16 bytes excluding the identification string.
If the list has 100 tokens and the identification string is at most 20 bytes, this makes 100 * 48 + 16 + 20 = 4836 bytes.
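The estimate above carried through in code, as an added example that is not Airlock IAM code and not the real TokenListHasher: the encoder below lays out the bytes the page describes (list header of 4 + 4 + id string + 8 bytes, then 4 + 4 + hash bytes per unused token) so the column width can be checked for other list sizes and for partially used lists. The field order, big-endian integers and the sample tokens are assumptions; only the byte counts come from the page.

```python
"""Size of the binary token list column.

Added example, not Airlock IAM code. Reproduces the byte layout described
on the page; field order and big-endian encoding are assumptions.
"""
import hashlib
import struct


def hashed_token_list_to_bytes(tokens, unused_indexes, list_id, generated_ms):
    """Encode the unused tokens of a list.
    tokens: all tokens of the list (strings); unused_indexes: indexes still usable;
    list_id: identification string; generated_ms: generation timestamp (ms)."""
    id_bytes = list_id.encode("utf-8")
    out = bytearray()
    out += struct.pack(">i", len(tokens))        # number of tokens when the list was new
    out += struct.pack(">i", len(id_bytes))      # length of the identification string
    out += id_bytes                              # identification string
    out += struct.pack(">q", generated_ms)       # generation timestamp (8 bytes)
    for idx in sorted(unused_indexes):
        # SHA1PasswordHash yields 40 bytes per token: the hex-encoded SHA-1 digest.
        # The digest length does not depend on the token's length.
        digest = hashlib.sha1(tokens[idx].encode("utf-8")).hexdigest().encode("ascii")
        out += struct.pack(">i", idx)            # token index
        out += struct.pack(">i", len(digest))    # length of the hash value
        out += digest                            # hash value
    return bytes(out)


def estimate_column_length(num_tokens, hash_len=40, id_len=20):
    """Worst case (no token used yet); the page's 100 * 48 + 16 + 20 = 4836."""
    return num_tokens * (hash_len + 4 + 4) + 4 + 4 + id_len + 8


def encoded_length(num_tokens, tokens_used, id_len=20):
    """Actual encoded size of a constructed list after `tokens_used` tokens
    have been consumed (tokens of varying length, to show length independence)."""
    tokens = [f"{i}-{'x' * (i % 9)}" for i in range(num_tokens)]   # constructed sample
    unused = range(tokens_used, num_tokens)
    return len(hashed_token_list_to_bytes(tokens, unused, "L" * id_len, 1_700_000_000_000))


if __name__ == "__main__":
    print("estimate for 100 tokens:", estimate_column_length(100))
    print("encoded, 0 used:", encoded_length(100, 0))
    print("encoded, 30 used:", encoded_length(100, 30))
```

Size the column for the estimate, not for the current encoded length: consumed tokens are dropped from the blob, but a freshly generated list is always at its maximum.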

Class
com.airlock.iam.core.misc.impl.persistency.db.DatabaseTokenListPersister
May be used by
Properties
SQL Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Token List Table Name (tokenListTableName)
Description
The name of the database table containing the token lists (and often also user data).
Attributes
String
Mandatory
Suggested values
medusa_user
Col User Name (colUserName)
Description
The name of the database column with the username. This column is used to search the token list given the user's name.
Attributes
String
Mandatory
Suggested values
username
User Name Resolve Query (userNameResolveQuery)
Description
An SQL query that returns a primary key for the user table given the user name.
Such a query is useful if the username (used on the login page) is not part of the user table.
The query must be such that - given the username - it returns one value that can be used as primary key in the user table. The query must contain one question mark (?) which will be substituted by the username (a string).

If the query returns no records, it results in the user not being found.
If the query returns more than one record, it results in the username being ambiguous.

If this property is not defined, the username itself is used as primary key in the user table (the usual and efficient way).

Note: If this property is defined, user insertion by this plugin is no longer possible.

Attributes
String
Optional
Example
SELECT u.id FROM user u, person p WHERE p.id = u.person_id and p.contractId = ?
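The two ways of finding a user record described above, with the page's resolve query, as an added example that is not Airlock IAM code: variant 1 uses the login name directly as primary key, variant 2 first runs the user-name-resolve query (one "?" bound to the login name) and treats zero rows as "user not found" and several rows as "username ambiguous"; in both variants the record itself is then selected by key with the additional where clause appended. The tables, sample rows, the column names id/person_id/deleted and the where clause deleted = 0 are constructed for the example, on an in-memory SQLite database.

```python
"""Locating a user record: by username, or via a user-name-resolve query.

Added example, not Airlock IAM code. The resolve query is the page's example;
tables, columns, sample rows and the additional where clause are constructed.
"""
import sqlite3


class UserNotFound(Exception):
    pass


class AmbiguousUserName(Exception):
    pass


USER_TABLE = "user"
COL_USER_NAME = "id"
USER_NAME_RESOLVE_QUERY = (
    "SELECT u.id FROM user u, person p WHERE p.id = u.person_id and p.contractId = ?"
)
ADDITIONAL_WHERE_CLAUSE = "deleted = 0"   # configured, trusted SQL fragment


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE person (id INTEGER PRIMARY KEY, contractId TEXT);
        CREATE TABLE user (id TEXT PRIMARY KEY, person_id INTEGER,
                           deleted INTEGER, credential TEXT);
        INSERT INTO person VALUES (1, 'C-100'), (2, 'C-200'), (3, 'C-200'), (4, 'C-400');
        INSERT INTO user VALUES ('freddy', 1, 0, 'h1'),
                                ('anna',   2, 0, 'h2'),
                                ('bob',    3, 0, 'h3'),   -- shares contract C-200 with anna
                                ('gone',   4, 1, 'h4');   -- marked deleted
    """)
    return conn


def resolve_primary_key(conn, login_name):
    """Variant 2: the configured query maps the login name to the primary key."""
    rows = conn.execute(USER_NAME_RESOLVE_QUERY, (login_name,)).fetchall()
    if not rows:
        raise UserNotFound(login_name)
    if len(rows) > 1:
        raise AmbiguousUserName(login_name)
    return rows[0][0]


def fetch_user_record(conn, login_name, use_resolve_query):
    key = resolve_primary_key(conn, login_name) if use_resolve_query else login_name
    sql = f"SELECT * FROM {USER_TABLE} WHERE {COL_USER_NAME} = ?"
    if ADDITIONAL_WHERE_CLAUSE:
        sql += f" AND ({ADDITIONAL_WHERE_CLAUSE})"   # filters apply to the record fetch
    row = conn.execute(sql, (key,)).fetchone()
    if row is None:
        raise UserNotFound(login_name)
    return row


def lookup_outcome(conn, login_name, use_resolve_query):
    """Summarise the result as a string: 'found:<key>', 'not-found' or 'ambiguous'."""
    try:
        return "found:" + fetch_user_record(conn, login_name, use_resolve_query)[0]
    except AmbiguousUserName:
        return "ambiguous"
    except UserNotFound:
        return "not-found"


if __name__ == "__main__":
    db = open_db()
    print(lookup_outcome(db, "freddy", False))   # variant 1: username is the key
    print(lookup_outcome(db, "C-100", True))     # variant 2: contract number resolves to freddy
    print(lookup_outcome(db, "C-200", True))     # two users share the contract: ambiguous
    print(lookup_outcome(db, "C-400", True))     # resolves, but the record is marked deleted
```

Note the last case: the resolve query itself ignores the deleted flag and additional where clause, so a resolved key can still yield "not found" once the record is fetched with the filters applied.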
Col Token List (colTokenList)
Description
The name of the database column holding binary token list data. The type of this database column must be able to hold binary data (see plugin description to estimate the size of this field).
Attributes
String
Mandatory
Suggested values
matrix_current_list
Col New Token List (colNewTokenList)
Description
The name of the database column holding binary token list data of the new (or next) token list. The type of this database column must be able to hold binary data (see plugin description to estimate the size of this field).
Attributes
String
Mandatory
Suggested values
matrix_next_list
Col Generation Time Stamp (colGenerationTimeStamp)
Description
The name of the database column with the timestamp of the latest token list generation. This column type is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
matrix_gen_date
Col Delivery Time Stamp (colDeliveryTimeStamp)
Description
The name of the database column with the timestamp of the latest token list delivery. This column type is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
matrix_del_date
Col Other Credentials Delivery Timestamps (colOtherCredentialsDeliveryTimestamps)
Description
Comma-separated list of column names with the delivery dates of other credentials. This information may be used to delay the delivery time for token lists so that no two credentials of the same user are delivered on the same day.
Attributes
String
Optional
Example
password_delivery
Example
tokenDeliveryTimestamp
Col List Active (colListActive)
Description
The name of the database column with the flag indicating whether the token list is active or not. Inactive token lists may not be used by the callers. This column type is either CHAR or NUMBER. The value "0" (zero) is treated as false, any other value is treated as true.
If the column is not specified, all token lists are considered to be active.
Attributes
String
Optional
Suggested values
active, matrix_active
Col Challenge Open Since (colChallengeOpenSince)
Description
Name of the database column with the timestamp of the start of an ongoing challenge. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
matrix_chal_open_since, MATRIX_CHAL_OPEN_SINCE
Col Unanswered Challenges (colUnansweredChallenges)
Description
Name of the database column with the number of unanswered challenges. The type of this column is NUMBER.
Attributes
String
Optional
Suggested values
matrix_open_chals, MATRIX_OPEN_CHALS
Col New List Ordered (colNewListOrdered)
Description
The name of the database column with the flag indicating whether a new token list should be generated for a user. This column type is either CHAR or NUMBER. The value "0" is treated as false, any other value is treated as true.
Attributes
String
Mandatory
Suggested values
matrix_order_new
Col New List Ordered User (colNewListOrderedUser)
Description
The name of the database column with the user by whom a new token list was ordered. This column type is VARCHAR.
Attributes
String
Optional
Suggested values
matrix_order_user
Col New List Ordered Date (colNewListOrderedDate)
Description
The name of the database column with date of when a new token list was ordered. This column type is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
matrix_order_date
Additional Where Clause (additionalWhereClause)
Description
Optional SQL query part that is added to the where clause when searching the token lists by user name.
The SQL query without an additional where clause is "SELECT * FROM token-list-table WHERE colusername = 'username'"(real values for "token-list-table", "colusername" are taken from the configuration and "username" is taken from the token list object).
The SQL query with an additional where clause "xyz" is: "SELECT * FROM token-list-table WHERE colusername = 'username' AND xyz".

Example: If the value of this configuration setting is "GROUP = 'a' AND COD = 1" the resulting query is "SELECT * FROM token-list-table WHERE colusername = 'username' AND GROUP = 'a' AND COD = 1"

Attributes
String
Optional
Example
deleted = 0
Example
group = 'remoteUsers' AND verified = 1
Additional Iterator Where Clause (additionalIteratorWhereClause)
Description
Same as property "additional-where-clause" except that it is used as where part when iterating over the token lists.
Attributes
String
Optional
Example
deleted = 0
Example
group = 'remoteUsers' AND verified = 1
Iterator Query (iteratorQuery)
Description
This query is used to get all user ids (or all matching user ids) instead of the default query generated from the user table, the username column and the context data fields.

Specifying such a query is only necessary if the username cannot be used as primary key in the user table (i.e. only if property "user-name-resolve-query" is specified).

The query must return single-column records, one username (user id) per row.

Note that this query is used both when returning all user ids and when returning only matching user ids (filtered by the user). Thus, the query must be written such that LIKE clauses against context data columns work. This usually means that you must join the result with the user table (even if the user id is not read from the user table) so the LIKE clauses can access the context data columns of the user table. Failing to do so results in SQL syntax exceptions at runtime.

Note: If this property is specified, the additional iterator where clause and the deleted flag are ignored. They must be part of the query itself.

Attributes
String
Optional
Example
SELECT p.id from PERSON p, User u where u.person_id = p.id
Context Data Items (contextDataItems)
Description
A list of context data items that are fetched and returned to the caller together with the token list.
Attributes
Plugin-List
Optional
Assignable plugins
Col Version Id (colVersionId)
Description
Name of a database column containing a numerical version id that is automatically incremented by one when a record is changed.
Such a technical column is used by some applications or libraries (such as Hibernate) to implement optimistic locking.

Note that this plugin still uses its own data-based optimistic locking mechanism. It just increments the value within a transaction in order to be compliant with other components' locking mechanisms.

The column must be of an integer type. Usually a long type is used.

Attributes
String
Optional
Suggested values
rowVersionId
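Optimistic locking with a version column, as an added example that is not Airlock IAM code; it illustrates the Col Version Id property of this persister and of the Database Credential Persister and Database Maintenance Message Persister above. A writer makes its UPDATE conditional on the row still carrying what it read, either the version number (what Hibernate-style components check) or the data itself (the data-based mechanism the page says the persister uses), and increments rowVersionId in the same statement so both mechanisms stay consistent; rowUpdateDate and rowUpdateUser are written at the same time. Table medusa_user and the column names follow the page's suggested values; the credential column and the sample row are constructed, and SQLite stands in for the real database.

```python
"""Version-based and data-based optimistic locking on a user record.

Added example, not Airlock IAM code. medusa_user, rowVersionId,
rowUpdateDate and rowUpdateUser are the page's suggested names; the
credential_data column and sample row are constructed.
"""
import sqlite3
from datetime import datetime, timezone

RECORD_MODIFICATION_USER = "AirlockIAM"   # value of property recordModificationUser


class StaleRecordError(Exception):
    """Another writer changed the row between our read and our update."""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE medusa_user (username TEXT PRIMARY KEY, credential_data TEXT,"
        " rowVersionId INTEGER NOT NULL DEFAULT 0, rowUpdateDate TEXT, rowUpdateUser TEXT)"
    )
    conn.execute("INSERT INTO medusa_user (username, credential_data) VALUES ('freddy', 'hash-v1')")
    conn.commit()
    return conn


def read_record(conn, username):
    row = conn.execute(
        "SELECT credential_data, rowVersionId FROM medusa_user WHERE username = ?",
        (username,)).fetchone()
    if row is None:
        raise LookupError(username)
    return {"credential_data": row[0], "rowVersionId": row[1]}


def _conditional_update(conn, username, new_data, guard_sql, guard_value):
    """One UPDATE that only matches if the guard column still has the value we
    read; rowVersionId is incremented and the audit columns are written."""
    cur = conn.execute(
        "UPDATE medusa_user SET credential_data = ?, rowVersionId = rowVersionId + 1,"
        " rowUpdateDate = ?, rowUpdateUser = ?"
        f" WHERE username = ? AND {guard_sql} = ?",
        (new_data, datetime.now(timezone.utc).isoformat(), RECORD_MODIFICATION_USER,
         username, guard_value))
    conn.commit()
    if cur.rowcount != 1:          # no row matched: someone else committed first
        raise StaleRecordError(username)


def update_by_version(conn, username, seen, new_data):
    """Version-based locking: guard on the version number we read."""
    _conditional_update(conn, username, new_data, "rowVersionId", seen["rowVersionId"])


def update_by_data(conn, username, seen, new_data):
    """Data-based locking: guard on the data we read (the persister's own scheme);
    the version column is still incremented for other components' benefit."""
    _conditional_update(conn, username, new_data, "credential_data", seen["credential_data"])


def lost_update_is_prevented():
    """Two writers read the same row; only the first commit may succeed."""
    conn = open_db()
    writer_a = read_record(conn, "freddy")
    writer_b = read_record(conn, "freddy")
    update_by_version(conn, "freddy", writer_a, "hash-v2")
    try:
        update_by_data(conn, "freddy", writer_b, "hash-v3")   # must be rejected
        return False
    except StaleRecordError:
        pass
    final = read_record(conn, "freddy")
    return final["credential_data"] == "hash-v2" and final["rowVersionId"] == 1


if __name__ == "__main__":
    print("lost update prevented:", lost_update_is_prevented())
```

The data-based guard works without any version column, which is why the persister can run against legacy tables; configuring Col Version Id only adds the increment so that a Hibernate-managed writer sharing the table sees the change as a new version rather than overwriting it.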
Col Record Modification Date (colRecordModificationDate)
Description
Name of a database column with the date and time this record was modified. The timestamp is written by this plugin at the time the record is modified by this plugin.

The type of the column must be compatible with a timestamp.

Note that - if configured (see separate property) - user information may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowUpdateDate
Col Record Modification User (colRecordModificationUser)
Description
Name of a database column with the name of the system that modified the record. The name is determined by configuration property "record-modification-user" and is written by this plugin at the time the record is modified by this plugin.

Note that - if configured (see separate property) - the modification date may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowUpdateUser
Record Modification User (recordModificationUser)
Description
Specifies a string (typically the name associated with the system using this plugin) that is written to the database fields specified by properties "col-record-insertion-user" and "col-record-modification-user" when this plugin creates or modifies a user record.
Attributes
String
Optional
Default value
Medusa
Suggested values
Airlock
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.db.DatabaseTokenListPersister
id: DatabaseTokenListPersister-xxxxxx
displayName: 
comment: 
properties:
  additionalIteratorWhereClause:
  additionalWhereClause:
  colChallengeOpenSince:
  colDeliveryTimeStamp:
  colGenerationTimeStamp:
  colListActive:
  colNewListOrdered:
  colNewListOrderedDate:
  colNewListOrderedUser:
  colNewTokenList:
  colOtherCredentialsDeliveryTimestamps:
  colRecordModificationDate:
  colRecordModificationUser:
  colTokenList:
  colUnansweredChallenges:
  colUserName:
  colVersionId:
  contextDataItems:
  iteratorQuery:
  recordModificationUser: Medusa
  sqlDataSource:
  tokenListTableName:
  userNameResolveQuery:

Database Token Persister

Description

Defines the table and column names, as well as additional query settings for the Database Token Persister.

This persister handles both token and token assignment data.

Class
com.airlock.iam.core.misc.impl.persistency.token.DatabaseTokenPersister
May be used by
Properties
SQL Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Token Table (tokenTable)
Description
The name of the database table containing the tokens.
Attributes
String
Mandatory
Suggested values
token
Token Sequence (tokenSequence)
Description

The name of the database sequence providing primary keys (Oracle only).

If left empty, Airlock IAM expects the database to support auto-increment columns (SQL Server, MySQL).

Attributes
String
Optional
Suggested values
token_seq
Token Col Token Id (tokenColTokenId)
Description

The name of the column holding the token identity (primary key).

This column needs to be set to auto_increment (H2, MySQL, ...) or the database sequence name must be configured (Oracle).

Attributes
String
Mandatory
Suggested values
token_id
Token Col Type (tokenColType)
Description
The name of the column holding the token type.
Attributes
String
Mandatory
Suggested values
type
Token Col Serial Id (tokenColSerialId)
Description
The name of the column holding the token serial.
Attributes
String
Mandatory
Suggested values
serial_id
Token Col Active (tokenColActive)
Description
The name of the column holding the active flag.
Attributes
String
Mandatory
Suggested values
active
Token Col Activation Date (tokenColActivationDate)
Description
The name of the column holding the activation date.
Attributes
String
Mandatory
Suggested values
activation_date
Token Col Obsoletes Token Id (tokenColObsoletesTokenId)
Description

The name of the column holding the 'obsoletes_token' token reference (foreign key).

Stores a reference to the token that gets deactivated the next time this token is used.

Attributes
String
Mandatory
Suggested values
obsoletes_token_id
Token Col Validity Range Lower (tokenColValidityRangeLower)
Description
The name of the column holding the validity range lower bound.
Attributes
String
Mandatory
Suggested values
validity_range_lower
Token Col Validity Range Upper (tokenColValidityRangeUpper)
Description
The name of the column holding the validity range upper bound.
Attributes
String
Mandatory
Suggested values
validity_range_upper
Token Col Generation Date (tokenColGenerationDate)
Description
The name of the column holding the generation date.
Attributes
String
Mandatory
Suggested values
generation_date
Token Col First Usage Date (tokenColFirstUsageDate)
Description
The name of the column holding the first usage date.
Attributes
String
Mandatory
Suggested values
first_usage_date
Token Col Latest Usage Date (tokenColLatestUsageDate)
Description
The name of the column holding the latest usage date.
Attributes
String
Mandatory
Suggested values
latest_usage_date
Token Col Total Usages (tokenColTotalUsages)
Description
The name of the column holding the number of total usages.
Attributes
String
Mandatory
Suggested values
total_usages
Token Col Token Data (tokenColTokenData)
Description
The name of the column holding the token data.
Attributes
String
Mandatory
Suggested values
token_data
Token Col Activates Token Id (tokenColActivatesTokenId)
Description

The name of the column holding the 'activates_token' token reference (foreign key).

Stores a reference to the token that gets activated the next time this token is used.

Attributes
String
Mandatory
Suggested values
activates_token_id
Token Col Generic Data Element1 (tokenColGenericDataElement1)
Description
The name of the 1st column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_1
Token Col Generic Data Element2 (tokenColGenericDataElement2)
Description
The name of the 2nd column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_2
Token Col Generic Data Element3 (tokenColGenericDataElement3)
Description
The name of the 3rd column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_3
Token Col Generic Data Element4 (tokenColGenericDataElement4)
Description
The name of the 4th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_4
Token Col Generic Data Element5 (tokenColGenericDataElement5)
Description
The name of the 5th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_5
Token Col Generic Data Element6 (tokenColGenericDataElement6)
Description
The name of the 6th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_6
Token Col Generic Data Element7 (tokenColGenericDataElement7)
Description
The name of the 7th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_7
Token Col Generic Data Element8 (tokenColGenericDataElement8)
Description
The name of the 8th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_8
Token Col Generic Data Element9 (tokenColGenericDataElement9)
Description
The name of the 9th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_9
Token Col Generic Data Element10 (tokenColGenericDataElement10)
Description
The name of the 10th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_10
Token Col Generic Data Element11 (tokenColGenericDataElement11)
Description
The name of the 11th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_11
Token Col Generic Data Element12 (tokenColGenericDataElement12)
Description
The name of the 12th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_12
Token Col Tracking Id (tokenColTrackingId)
Description
The name of the column holding the tracking identity.
Attributes
String
Optional
Suggested values
tracking_id
Token Additional Where Clause (tokenAdditionalWhereClause)
Description

Optional SQL query condition that is added to the WHERE clause when searching for, updating or deleting tokens.

  • Example for an SQL query without an additional WHERE clause: SELECT * FROM token WHERE type = 'myTokenType'
  • Example for an SQL query with an additional WHERE clause "foo()": SELECT * FROM token WHERE type = 'myTokenType' AND foo()

Note that this WHERE clause may be overridden for the token lookup using the property: "Token Search Additional Where Clause"

Attributes
String
Optional
Example
generic_data_element_1 = 'myData1'
Token Search Additional Where Clause (tokenSearchAdditionalWhereClause)
Description
Same as the property "Token Additional Where Clause", but the additional WHERE clause of this property is only used to search tokens.
Attributes
String
Optional
Example
generic_data_element_1 = 'myData1'
Additional Token Insert Data (additionalTokenInsertData)
Description

This property defines a list of name/value pairs used in insert statements when a new token record is inserted.

This allows you to add arbitrary fixed or dynamic values when a new record is created.

Caution: Make sure to appropriately escape values (e.g. use single quotes around strings). They are used as provided in the SQL insert statements. This allows calling database-dependent functions (e.g. in order to get a sequence number, system date, etc.). Also, do not use any of the standard fields of the token table.

Attributes
Plugin-List
Optional
Assignable plugins
Token Assignment Table (tokenAssignmentTable)
Description
The name of the database table containing the token assignments.
Attributes
String
Mandatory
Suggested values
token_assignment
Token Assignment Col Token Id (tokenAssignmentColTokenId)
Description
The name of the column holding the identity referencing the assigned token (foreign key).
Attributes
String
Mandatory
Suggested values
ta_token_id
Token Assignment Col User (tokenAssignmentColUser)
Description
The name of the column holding the name of the user to whom the token is assigned.
Attributes
String
Mandatory
Suggested values
ta_user
Token Assignment Col Assignment Date (tokenAssignmentColAssignmentDate)
Description
The name of the column holding the date of the assignment.
Attributes
String
Mandatory
Suggested values
ta_assignment_date
Token Assignment Col Assignment User (tokenAssignmentColAssignmentUser)
Description
The name of the column holding the name of the user that did the assignment.
Attributes
String
Mandatory
Suggested values
ta_assignment_user
Token Assignment Col Order New (tokenAssignmentColOrderNew)
Description
The name of the column holding the flag indicating whether a new token has been ordered.
Attributes
String
Mandatory
Suggested values
ta_order_new
Token Assignment Col Order New User (tokenAssignmentColOrderNewUser)
Description
The name of the column holding the name of the user that placed the order for a new token.
Attributes
String
Mandatory
Suggested values
ta_order_new_user
Token Assignment Col Order New Date (tokenAssignmentColOrderNewDate)
Description
The name of the column holding the date when a new token was ordered.
Attributes
String
Mandatory
Suggested values
ta_order_new_date
Token Assignment Col Order Options (tokenAssignmentColOrderOptions)
Description
The name of the column holding the options of a token order.
Attributes
String
Optional
Suggested values
ta_order_options
Token Assignment Col Additional Information (tokenAssignmentColAdditionalInformation)
Description
The name of the column holding additional token assignment information.
Attributes
String
Optional
Suggested values
ta_additional_information
Token Assignment Col Comment (tokenAssignmentColComment)
Description
The name of the column holding the token assignment comments.
Attributes
String
Optional
Suggested values
ta_comment
Token Assignment Additional Where Clause (tokenAssignmentAdditionalWhereClause)
Description

Optional SQL query condition that is added to the WHERE clause when searching for, updating or deleting token assignments.

  • Example for an SQL query without an additional WHERE clause: SELECT * FROM token_assignment WHERE ta_user = 'user'
  • Example for an SQL query with an additional WHERE clause "foo()": SELECT * FROM token_assignment WHERE ta_user = 'user' AND foo()

Attributes
String
Optional
Example
ta_comment = 'myComment1'
Additional Token Assignment Insert Data (additionalTokenAssignmentInsertData)
Description

This property defines a list of name/value pairs used in insert statements when a new token assignment record is inserted.

This allows you to add arbitrary fixed or dynamic values when a new record is created.

Caution: Make sure to appropriately escape values (e.g. use single quotes around strings). They are used as provided in the SQL insert statements. This allows calling database-dependent functions (e.g. in order to get a sequence number, system date, etc.). Also, do not use any of the standard fields of the token assignment table.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.token.DatabaseTokenPersister
id: DatabaseTokenPersister-xxxxxx
displayName: 
comment: 
properties:
  additionalTokenAssignmentInsertData:
  additionalTokenInsertData:
  sqlDataSource:
  tokenAdditionalWhereClause:
  tokenAssignmentAdditionalWhereClause:
  tokenAssignmentColAdditionalInformation:
  tokenAssignmentColAssignmentDate:
  tokenAssignmentColAssignmentUser:
  tokenAssignmentColComment:
  tokenAssignmentColOrderNew:
  tokenAssignmentColOrderNewDate:
  tokenAssignmentColOrderNewUser:
  tokenAssignmentColOrderOptions:
  tokenAssignmentColTokenId:
  tokenAssignmentColUser:
  tokenAssignmentTable:
  tokenColActivatesTokenId:
  tokenColActivationDate:
  tokenColActive:
  tokenColFirstUsageDate:
  tokenColGenerationDate:
  tokenColGenericDataElement1:
  tokenColGenericDataElement10:
  tokenColGenericDataElement11:
  tokenColGenericDataElement12:
  tokenColGenericDataElement2:
  tokenColGenericDataElement3:
  tokenColGenericDataElement4:
  tokenColGenericDataElement5:
  tokenColGenericDataElement6:
  tokenColGenericDataElement7:
  tokenColGenericDataElement8:
  tokenColGenericDataElement9:
  tokenColLatestUsageDate:
  tokenColObsoletesTokenId:
  tokenColSerialId:
  tokenColTokenData:
  tokenColTokenId:
  tokenColTotalUsages:
  tokenColTrackingId:
  tokenColType:
  tokenColValidityRangeLower:
  tokenColValidityRangeUpper:
  tokenSearchAdditionalWhereClause:
  tokenSequence:
  tokenTable:

Database User Persister

Description
Highly configurable persister using a relational database as user-repository. The database is accessed via JDBC. It fetches the data of a user by directly executing a prepared statement. Making changes persistent is achieved by multiple update statement executions on the user record within a transaction.
This plug-in is very flexible in that most database columns are optional and it allows you to specify extra where clauses and search filters to select the set of users. It also allows fetching role information from separate tables.

Note: This persister also supports insertion and deletion of users and can be used to iterate over users.

How this plug-in finds a user record

There are two ways in which this plugin finds a user record for getting, updating and deleting user data. The user record is always fetched using a select statement given a primary key and applying the configured filters (additional where clause). The two variants differ in how the primary key is determined:
  1. The primary key for selecting the user record is the username itself. This is by far the most common and most efficient method to obtain user data.
  2. The primary key is determined by a separate query including the username. The query can be configured. This way of selecting the user record is more flexible but results in an additional select statement.
Class
com.airlock.iam.core.misc.impl.persistency.db.DatabaseUserPersister
May be used by
Properties
SQL Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
Assignable plugins
User Table Name (userTableName)
Description
The name of the database table containing the user data.
Attributes
String
Mandatory
Suggested values
medusa_user, medusa_admin
Col User Name (colUserName)
Description
The name of the database column with the username. This column is directly used to search the user unless a separate username-resolve-query (see separate configuration property) is specified.
Attributes
String
Mandatory
Suggested values
username
User Name Resolve Query (userNameResolveQuery)
Description
An SQL query that returns a primary key for the user table given the user name.
Such a query is useful if the username (used on the login page) is not part of the user table.
The query must be such that - given the username - it returns one value that can be used as primary key in the user table. The query must contain one question mark (?) which will be substituted by the username (a string).

If the query returns no records, it results in the user not being found.
If the query returns more than one record, it results in the username being ambiguous.

If this property is not defined, the username itself is used as primary key in the user table (the usual and efficient way).

Note: If this property is defined, user insertion by this plugin is no longer possible.

Attributes
String
Optional
Example
SELECT u.id FROM user u, person p WHERE p.id = u.person_id and p.contractId = ?
Col Password (colPassword)
Description
The name of the database column with the password hash value (or the password itself).
In general the type of this database column is expected to be BYTE or VARBYTE because password hashes are byte sequences. However, if a password hash function is used that returns a character sequence (for example the password itself) this also works with column type CHAR or VARCHAR.
The plug-in tries to find out automatically whether the password hash is binary or string type by reading a value from the database and looking at the type of the returned object. This may lead to problems with NULL values or "too intelligent" JDBC drivers that implicitly convert HEX- or base64-strings to binary data. The optional property "Is Pwd Hash String Type" can be used to tell the plug-in explicitly what data type this column is.
Attributes
String
Optional
Suggested values
pwd_hash
Is Pwd Hash String Type (isPwdHashStringType)
Description
Flag telling this persister whether the password hash column is a string type column (CHAR, VARCHAR) or whether it is binary (VARBYTE, RAW, BLOB).
The value TRUE indicates that the password hash column is a string type column. The value FALSE indicates that the password hash column is a binary type column.
If this optional property is not defined or empty, the plug-in tries to determine the type of column automatically (see description of property "Col Password").
Attributes
Boolean
Optional
Default value
true
Col Auth Method (colAuthMethod)
Description
The name of the database column that holds the identifier for the authentication method to use for the user, if different authentication methods are supported. The column type is a string type column (CHAR, VARCHAR) and its value may be NULL.
Attributes
String
Optional
Suggested values
auth_method
Default Auth Method (defaultAuthMethod)
Description
The default authentication method value used when inserting new users that have no auth method set. This is only used if an authentication method column is configured.
Attributes
String
Optional
Suggested values
PASSWORD, MATRIX, MTAN, OATH_OTP, CERTIFICATE, CRONTO, EMAILOTP, SECURID, SECOVID
Col Next Auth Method (colNextAuthMethod)
Description
The name of the database column that holds the identifier for the next authentication method to use for the user after a migration. The column type is a string type column (CHAR, VARCHAR) and its value may be NULL.
Attributes
String
Optional
Suggested values
next_auth_method
Default Next Auth Method (defaultNextAuthMethod)
Description
The default next authentication method value used when inserting new users that have no next auth method set. This is only used if a next authentication method column is configured.
Attributes
String
Optional
Suggested values
PASSWORD, MATRIX, MTAN, OATH_OTP, CERTIFICATE, EMAILOTP, SECURID, SECOVID
Col Auth Migration Date (colAuthMigrationDate)
Description
The name of the database column that holds the date until which the migration of the authentication method must be performed. The column type is either DATETIME or TIMESTAMP and its value may be NULL.
Attributes
String
Optional
Suggested values
auth_migration_date
Col User Locked (colUserLocked)
Description
The name of the database column with the flag indicating whether the user is locked or not.
Authenticators usually set a user locked after some number of consecutively failed login attempts. This column type is either CHAR or NUMBER. The value "0" is treated as false, any other value is treated as true.
If this column is not specified, users are not considered locked.
Attributes
String
Optional
Suggested values
locked
Col User Lock Reason (colUserLockReason)
Description
The name of the database column that contains the reason why the user is locked.
This can be the whole description of the reason or a key to the string resource.
This column type is either CHAR or VARCHAR.
Attributes
String
Optional
Suggested values
lock_reason
Col User Lock Date (colUserLockDate)
Description
The name of the database column that contains the timestamp of the user locking.
The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
lock_date
Col Failed Logins (colFailedLogins)
Description
The name of the database column holding the number of consecutively failed logins. The type of this column is NUMBER.
If this column is not specified, the failed logins are not counted.
Attributes
String
Optional
Suggested values
failed_logins
Col Failed Token Counts (colFailedTokenCounts)
Description
The name of the database column holding the counters for failed attempts on individual authentication tokens. The type of this column is CLOB (or a DB-type equivalent).
If this column is not specified, the failed attempts in the flow-based REST authentication API are not counted.
Attributes
String
Optional
Suggested values
failed_token_counts
Col Failed Logins Before Latest Login (colFailedLoginsBeforeLatestLogin)
Description
The name of the database column holding the number of consecutively failed logins before the latest successful login. The type of this column is NUMBER.
If this column is not specified, the failed logins before the latest successful login are not counted.
Attributes
String
Optional
Suggested values
failed_logins_before
Col Total Logins (colTotalLogins)
Description
The name of the database column holding the total number of successful logins. The type of this column is NUMBER.
If this column is not specified, the successful logins are not counted.
Attributes
String
Optional
Suggested values
total_logins
Col Password Change Forced (colPasswordChangeForced)
Description
The name of the database column with the flag indicating whether the user must be forced to change the password.
This column type is either CHAR or NUMBER. The value "0" is treated as false, any other value is treated as true.
If this column is not specified, no password change is enforced.
Attributes
String
Optional
Suggested values
pwd_chg_enf
Col Password Delivery Date (colPasswordDeliveryDate)
Description
The name of the database column with the date and time of the latest password delivery.
The type of this column is either DATETIME or TIMESTAMP. Note that it will work with most data types, but depending on the chosen database data type, only the date without the time is stored.
If this column is not specified, the delivery date of the latest password is not provided to callers.
Attributes
String
Optional
Suggested values
pwd_lat_del
Col Other Credentials Delivery Timestamps (colOtherCredentialsDeliveryTimestamps)
Description
Comma-separated list of column names with the delivery dates of other credentials.
The type of every referenced column is either a DATETIME or TIMESTAMP.
This information can be used by components that care about not delivering more than one user credential at the same time.
If this column is not specified, no delivery dates are provided to callers.
Attributes
String
Optional
Example
latest_token_delivery
Example
latest_list_delivery
Example
smart_card_delivery_date
Example
smart_card_delivery_date,pin_delivery_date
Col Password Generation Date (colPasswordGenerationDate)
Description
The name of the database column with the date and time of the latest password generation.
The type of this column is either DATETIME or TIMESTAMP.
This information is needed by components in which the generation date of a password and its delivery date is not necessarily the same. This can - for example - be the case when a generated credential is held back because another credential for the same user is delivered at the same time.
If this column is not specified, no password generation date is provided to callers.
Attributes
String
Optional
Example
pwd_lat_gen
Example
latest_password_generation
Example
pwd_gen_date
Col Latest Password Change (colLatestPasswordChange)
Description
The name of the database column with the date and time of the latest password change.
The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
pwd_lat_chg
Col Next Enforced Password Change (colNextEnforcedPasswordChange)
Description
The name of the database column with the date and time of next enforced password change.
The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
pwd_next_chg
Col Password Ordered Flag (colPasswordOrderedFlag)
Description
The name of the database column with the flag indicating whether a new password should be generated for this user.
This column type is either CHAR or NUMBER. The value "0" is treated as false, any other value is treated as true.
If this column is not specified, the password order state is always reported to be false.
Attributes
String
Optional
Suggested values
pwd_order_new
Col Password Ordered User (colPasswordOrderedUser)
Description
The name of the database column with the user by whom a new password was ordered.
This column type is either CHAR or VARCHAR.
If this column is not specified, the password order user is always null.
Attributes
String
Optional
Suggested values
pwd_order_user
Col Password Ordered Date (colPasswordOrderedDate)
Description
The name of the database column with the date of when a new password was ordered.
This column type is either DATETIME or TIMESTAMP.
If this column is not specified, the password order date is always null.
Attributes
String
Optional
Suggested values
pwd_order_date
Col Failed Password Resets (colFailedPasswordResets)
Description

The name of the database column with the number of failed password reset attempts for flow-based password reset. The type of this column is NUMBER.

Security note: If this column is not specified, failed password reset attempts are not counted, which enables brute-force attacks.

Attributes
String
Optional
Suggested values
pwd_failed_resets
Col Role String (colRoleString)
Description
The name of the database column with a comma-separated list of roles granted to the user after successful authentication.
The type of this column is CHAR or VARCHAR.
Note: There are other ways to determine a user's roles (see other configuration properties). If the roles granted to a user are obtained from other tables (via foreign keys), leave this property empty and use the property roles-query instead.
Attributes
String
Optional
Suggested values
roles
Roles Query (rolesQuery)
Description
As an alternative to obtaining the roles granted to the authenticated user via the configuration property Col Role String, this property allows retrieving the roles from foreign tables.
This property defines an arbitrary SQL query that returns the roles associated with the user. Note: The statement must be such that the query returns rows consisting of one column only with the granted role!
You may use the string ${userId} to reference the user id of the authenticated user inside the SQL query. The reference may be used once or multiple times.

Example: In the following example, the user table is USER, there is a role table ROLE and a table with the user-to-role mappings USER2ROLE:

roles-query="SELECT r.role_name from ROLE r, USER u, USER2ROLE u2r where u.userName = ${userId} AND u.id = u2r.user AND u2r.role = r.id"
Attributes
String
Optional
Example
SELECT r.role_name from ROLE r, USER u, USER2ROLE u2r where u.userName = ${userId} AND u.id = u2r.user AND u2r.role = r.id
Grant Roles (grantRoles)
Description
A comma-separated list of roles (role names, optionally followed by a colon and a role idle timeout in seconds) that are granted to loaded users.
This set of roles is added to the otherwise determined set of roles. Thus, it does not replace otherwise determined roles but can be used in conjunction with other methods.
Attributes
String
Optional
Example
role1,role2:300
Example
admin
Example
user:300,employee:600
Col User Valid (colUserValid)
Description
Name of a database column with a flag indicating whether the user entry is valid or not.
The type of this column is either CHAR or NUMBER. The value "0" is treated as invalid, any other value is treated as valid.
If this column is not specified, all users are considered to be valid.
Attributes
String
Optional
Suggested values
valid
Col User Not Valid After (colUserNotValidAfter)
Description
The name of the database column indicating the point in time after which a user record is considered not valid anymore. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
not_valid_after
Col User Not Valid Before (colUserNotValidBefore)
Description
The name of the database column indicating the point in time before which a user record is considered not valid yet. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
not_valid_before
Col Latest Successful Login (colLatestSuccessfulLogin)
Description
Name of the database column with the timestamp of the latest successful login. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
lat_succ_login
Col Second Latest Successful Login (colSecondLatestSuccessfulLogin)
Description
Name of the database column with the timestamp of the second latest successful login. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
lat_succ_login2
Col Latest Login Attempt (colLatestLoginAttempt)
Description
Name of the database column with the timestamp of the latest attempted login (regardless of success or failure). The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
lat_login_attempt
Col First Login (colFirstLogin)
Description
Name of the database column with the timestamp of the very first login of this user. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
first_login
Col Unlock Attempts (colUnlockAttempts)
Description
Name of the database column with the number of attempts to unlock the user (e.g. through self-unlocking). The type of this column is NUMBER.
Attributes
String
Optional
Suggested values
unlock_attempts, UNLOCK_ATTEMPTS
Col Latest Unlock Attempt (colLatestUnlockAttempt)
Description
Name of the database column with the timestamp of the last unlock attempt of this user. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
lat_unlock_attempt, LAT_UNLOCK_ATTEMPT
Col Self Registered Flag (colSelfRegisteredFlag)
Description
Name of the database column with the flag indicating if the user is self-registered. This column type is either CHAR or NUMBER. The value "0" is treated as false, any other value is treated as true.
If this column is not specified, it will be assumed that no users are self-registered.
Attributes
String
Optional
Suggested values
self_registered
Col Self Registration Date (colSelfRegistrationDate)
Description
Name of the database column with the timestamp of the user's self-registration. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
self_registration_date
Col Channel Verification Resends (colChannelVerificationResends)
Description
Name of the database column holding the number of completed resends of the channel verification token during the user's self-registration. The type of this column is NUMBER.
If this column is not specified, the number of allowed resend attempts is not limited.
Attributes
String
Optional
Suggested values
channel_verification_resends
Col Last GSID (colLastGSID)
Description
Name of the database column with the last global session id.
Attributes
String
Optional
Suggested values
last_gsid_value
Col Last GSID Date (colLastGSIDDate)
Description
Name of the database column with the last update timestamp for the global session id.
Attributes
String
Optional
Suggested values
last_gsid_date
Col Secret Questions Enabled (colSecretQuestionsEnabled)
Description
The name of the database column with the flag indicating whether secret question features are enabled for the user or not.
Attributes
String
Optional
Suggested values
secret_questions_enabled
Additional Where Clause (additionalWhereClause)
Description
Optional SQL query condition that is added to the where clause when searching the user by user name.
The SQL query without an additional where clause is SELECT * FROM usertable WHERE colusername = 'username' (the real values for "usertable" and "colusername" are taken from the configuration, and "username" is taken from the user name input field of the login mask).
The SQL query with an additional where clause xyz is: SELECT * FROM usertable WHERE colusername = 'username' AND xyz
Example: If the value of this configuration setting is "GROUP = 'cus1' AND MANDATE = 'abc'", the resulting query is SELECT * FROM usertable WHERE colusername = 'username' AND GROUP = 'cus1' AND MANDATE = 'abc'
See also property search-condition-query: It offers a more powerful (although slightly less efficient) way to control the set of valid users.
Attributes
String
Optional
Example
GROUP = 'cus1' AND MANDATE = 'abc'
Example
deleted=0
Additional Iterator Where Clause (additionalIteratorWhereClause)
Description
Optional SQL query condition that is added to the where clause when iterating over users.
The SQL query without an additional where clause is SELECT colusername FROM usertable (the real values for "usertable" and "colusername" are taken from the configuration).
The SQL query with an additional where clause xyz is: SELECT colusername FROM usertable WHERE xyz
Example: If the value of this configuration setting is "GROUP = 'cus1' AND MANDATE = 'abc'", the resulting query is SELECT colusername FROM usertable WHERE GROUP = 'cus1' AND MANDATE = 'abc'
See also property search-condition-query: It offers a more powerful (although slightly less efficient) way to control the set of valid users.
Attributes
String
Optional
Example
GROUP = 'cus1' AND MANDATE = 'abc'
Example
deleted=0
Iterator Query (iteratorQuery)
Description
This query is used to get all user ids (or all matching user ids) instead of the default generated query defined by the user table, the username column and the context data fields.

Specifying such a query is only necessary if the username cannot be used as the primary key in the user table (this is only the case if property "User Name Resolve Query" is specified).

The query must return one-column records, one username (user id) per row.

Note that this query is used both when returning all user ids and when returning only matching user ids (filtered by the user). Thus, the query must be such that LIKE clauses against context data columns work. This usually means that you must join the result with the user table (even if the user id is not read from the user table) so the LIKE clauses can access the context data of the user table. Failing to do so will result in runtime SQL syntax exceptions!

Note: If this property is specified, "Additional Iterator Where Clause" and the deleted flag are ignored. They must be part of the query itself!

Attributes
String
Optional
Example
SELECT p.id from PERSON p, User u where u.person_id = p.id
Search Condition Query (searchConditionQuery)
Description
A way to limit the set of valid users with an arbitrary SQL query.
(See also configuration property additional-where-clause: it offers a different, slightly more efficient but less powerful way to limit the set of valid users).
After the user has been found by username (and matching the optional additional where clause as specified by configuration property additional-where-clause) the query specified by this configuration property is executed. If the result of the query is true or 1, the user is considered valid. In all other cases, the user is not valid, i.e. the behaviour is as if the user would not exist.

The value of this configuration property can be empty (no effect) or any valid SQL query. You can use values of the user record (Record selected from table specified by configuration property user-table-name by user name and optionally additional where clause) in the query as follows: ${xxx} refers to the field (column) xxx from the selected user record.

Example: In our example the selected user record has the following values (column name = value): user_id = 'freddie', person_no = 13, ...
Further, there is a different database table PERSON which is referenced by the user table. The table PERSON has a column of type boolean called "valid" which indicates whether a person record is valid or not. Consider the following value for this configuration property: SELECT p.valid FROM PERSON p WHERE p.person_no = ${person_no}
Thus, when looking for the user record (given the username and matching the optional additional where clause), the above query is executed with ${person_no} substituted by the value 13 of field person_no of the selected user record.
Attributes
String
Optional
Example
SELECT p.valid FROM PERSON p WHERE p.person_no = ${person_no}
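The following is an added example (not Airlock IAM code) that composes the user lookup and the Search Condition Query check exactly as the two properties above describe, against a constructed SQLite schema with the reference's sample record (user_id 'freddie', person_no 13) and a PERSON table with a "valid" column. Table and column names are assumptions; the username is bound as a ? parameter in this demo (the reference shows it inline), while the additional where clause and the ${xxx} substitution are inserted as configured, which is why those values must only ever come from trusted configuration.

```python
import re
import sqlite3

# Constructed sample schema mirroring the reference's example: a user table
# ("usertable", username column "user_id") that references table PERSON via
# person_no. Table and column names are assumptions for this demo.
SCHEMA = """
CREATE TABLE usertable (user_id TEXT PRIMARY KEY, person_no INTEGER, deleted INTEGER);
CREATE TABLE PERSON (person_no INTEGER PRIMARY KEY, valid INTEGER);
INSERT INTO usertable VALUES ('freddie', 13, 0);
INSERT INTO usertable VALUES ('brian', 14, 0);
INSERT INTO usertable VALUES ('roger', 15, 1);
INSERT INTO PERSON VALUES (13, 1);
INSERT INTO PERSON VALUES (14, 0);
INSERT INTO PERSON VALUES (15, 1);
"""

# Configuration values as given in the reference's examples.
USER_TABLE = "usertable"
COL_USERNAME = "user_id"
ADDITIONAL_WHERE_CLAUSE = "deleted=0"
SEARCH_CONDITION_QUERY = "SELECT p.valid FROM PERSON p WHERE p.person_no = ${person_no}"

_FIELD_REF = re.compile(r"\$\{(\w+)\}")


def build_lookup_query(user_table, col_username, additional_where_clause):
    """Compose the user lookup query. The reference shows the username inline as
    'username'; this demo binds it as a ? parameter (an assumption). The
    additional where clause is appended verbatim, as the reference describes,
    so it is trusted configuration text, never user input."""
    query = f"SELECT * FROM {user_table} WHERE {col_username} = ?"
    if additional_where_clause:
        query += f" AND {additional_where_clause}"
    return query


def substitute_record_fields(query, record):
    """Replace each ${xxx} with column xxx of the selected user record, as the
    Search Condition Query description specifies. Integers are inserted as-is;
    other values are single-quoted (how IAM quotes them is not stated on the
    page, so this is an assumption of the demo)."""
    def repl(match):
        value = record[match.group(1)]
        if isinstance(value, int):
            return str(value)
        return "'" + str(value).replace("'", "''") + "'"
    return _FIELD_REF.sub(repl, query)


def find_valid_user(conn, username):
    """Return the user record when it exists, satisfies the additional where
    clause and the search condition query yields true/1; otherwise None, i.e.
    the user behaves as if it did not exist."""
    conn.row_factory = sqlite3.Row
    lookup = build_lookup_query(USER_TABLE, COL_USERNAME, ADDITIONAL_WHERE_CLAUSE)
    row = conn.execute(lookup, (username,)).fetchone()
    if row is None:
        return None
    record = dict(row)
    condition = substitute_record_fields(SEARCH_CONDITION_QUERY, record)
    result = conn.execute(condition).fetchone()
    if result is None or result[0] != 1:
        return None
    return record


def demo():
    """Run the lookup for the constructed users; only 'freddie' passes both
    the deleted flag filter and the PERSON.valid check."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return {name: find_valid_user(conn, name) is not None
            for name in ("freddie", "brian", "roger", "nobody")}


if __name__ == "__main__":
    print(demo())
```

'roger' is rejected by the additional where clause (deleted=1) and 'brian' by the search condition query (PERSON.valid = 0); both behave like non-existent users.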
Context Data Columns (contextDataColumns)
Description

A list of database columns that are loaded/stored in the user's context data container.

Use either an appropriately typed instance (preferred) or the legacy type using auto-detection (the default up to IAM 6.4).

Attributes
Plugin-List
Optional
Assignable plugins
Additional Context Data (additionalContextData)
Description
This selector allows reading context data from other tables by executing the specified query. The selector of this configuration property specifies the name of the context data variable to be read. The value of this configuration property may be empty (no effect) or any valid SQL query. You can use the values of the user record (the record selected from the table specified by property user-table-name by user name) in the query as follows: ${xxx} refers to the field (column) xxx from the selected user record.

Note: These context data values are read only! When fetching user records, the query will be executed for each user and the values will be added to the context data container. Modified, new or deleted values will not be written when user records are updated.

Also note that context data fields defined in configuration property context-data-columns override corresponding entries in this property.

Example:
SELECT p.mobile_no FROM person p WHERE p.person_no = ${person_no}

Attributes
Plugin-List
Optional
Assignable plugins
Col Deleted (colDeleted)
Description
The name of a column that marks a record as deleted. A record that has been marked as deleted is ignored by this persister.
Note: If a user is deleted and this property is defined, the record is only marked as deleted and not really removed from the database! If this property is not defined and a user is deleted, the record is deleted from the database. The type of this column is either NUMBER (recommended) or CHAR. The value "1" represents a deleted user, "0" represents a non-deleted user.
Attributes
String
Optional
Suggested values
deleted
Col Version Id (colVersionId)
Description
Name of a database column containing a numerical version id that is automatically incremented by one when a record is changed.
Such a technical column is used by some applications or libraries (such as Hibernate) to implement optimistic locking.

Note that this plugin still uses its own data-based optimistic locking mechanism. It just increments the value within a transaction in order to be compliant with other components' locking mechanisms.

The column must be of an integer type. Usually a long type is used.

Attributes
String
Optional
Suggested values
rowVersionId
Col Record Insertion Date (colRecordInsertionDate)
Description
Name of a database column with the date and time this record was created. The timestamp is written by this plugin at the time the record is inserted by this plugin.

The type of the column must be compatible with a timestamp.

Note that - if configured (see separate property) - user information may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowInsertDate
Col Record Insertion User (colRecordInsertionUser)
Description
Name of a database column with the name of the system that inserted the record. The name is determined by configuration property "Record Modification User" and is written by this plugin at the time the record is inserted by this plugin.

Note that - if configured (see separate property) - the insertion date may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowInsertUser
Col Record Modification Date (colRecordModificationDate)
Description
Name of a database column with the date and time this record was modified. The timestamp is written by this plugin at the time the record is modified (or created) by this plugin.

The type of the column must be compatible with a timestamp.

Note that - if configured (see separate property) - user information may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowUpdateDate
Col Record Modification User (colRecordModificationUser)
Description
Name of a database column with the name of the system that modified the record. The name is determined by configuration property "Record Modification User" and is written by this plugin at the time the record is modified (or created) by this plugin.

Note that - if configured (see separate property) - the modification date may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowUpdateUser
Record Modification User (recordModificationUser)
Description
Specifies a string (typically the name associated with the system using this plugin) that is written to the database fields specified by properties "Col Record Insertion User" and "Col Record Modification User" when this plugin creates or modifies a user record.
Attributes
String
Optional
Default value
Medusa
Suggested values
Airlock
Additional Insert Data (additionalInsertData)
Description
This property defines a list of name/value pairs used in insert statements when a new record is inserted.

This allows you to add arbitrary fixed or dynamic values when a new record is created. This is useful if some database fields may not be NULL but are not inserted by this plugin by default.

Caution: Make sure to appropriately escape values (e.g. use single quotes around strings). They are used as provided in the SQL insert statements. This allows calling database dependent functions (e.g. in order to get a sequence number, system date, etc).

Caution: If the columns specified here are the same as configured in the context data fields or in any "Col ..." property, remove them from the other places for this persister instance.

Attributes
Plugin-List
Optional
Assignable plugins
Rowset Range Pattern (rowsetRangePattern)
Description

This property only has an effect if used in connection with a "Database User Store".

A string formatter pattern describing how to constrain the result set to a subrange of all results. Set this value in case Airlock IAM cannot determine the optimal query pattern automatically.

The first argument is the number of rows to skip (offset), and the second argument is the number of rows to return (limit).

If no pattern is set, Airlock IAM will attempt to automatically determine the query based on the database type.

Commonly used patterns:

  • LIMIT %2$d OFFSET %1$d for MySQL, MariaDB, H2, HSQLDB, PostgreSQL, SQLite
  • OFFSET %1$d ROWS FETCH NEXT %2$d ROWS ONLY for SQL:2008 standard, Derby, SQL Server 2012, Oracle 12c
Attributes
String
Optional
Suggested values
LIMIT %2$d OFFSET %1$d, OFFSET %1$d ROWS FETCH NEXT %2$d ROWS ONLY
Case Sensitive Exact Matching (caseSensitiveExactMatching)
Description

This property only has an effect if used in connection with a "Database User Store".

A String formatter pattern describing how to compare a string field on equality, case sensitive.

If the database is already case sensitive (most DBs, except MySQL and MariaDB) the default value can be used.

The argument (%s) is the name of the field to compare, and the question mark is the value to be searched for.

Commonly used patterns:

  • %s = ? – in most cases
  • BINARY `%s` = ? – for MySQL and MariaDB databases with standard (case insensitive) settings
Attributes
String
Optional
Default value
%s = ?
Suggested values
%s = ?, %s = BINARY ?
Case Sensitive Matching (caseSensitiveMatching)
Description

This property only has an effect if used in connection with a "Database User Store".

A String formatter pattern describing how to search in a string field, case sensitive.

If the database is already case sensitive (most DBs, except MySQL and MariaDB) the default value can be used.

The argument (%s) is the name of the field to compare, and the question mark is the value to be searched for. Important: This is used for approximate matching, e.g. "contains" matching, where the search value could be like "%bla%", thus the "LIKE" operator must be used instead of the equality sign.

Commonly used patterns:

  • %s LIKE ? – in most cases
  • %s LIKE BINARY ? – for MySQL and MariaDB databases with standard (case insensitive) settings
  • %s COLLATE latin1_general_cs LIKE ? – alternative for MySQL and MariaDB, possibly more efficient, but collation must be known
Attributes
String
Optional
Default value
%s LIKE ?
Suggested values
%s LIKE ?, %s LIKE BINARY ?, %s COLLATE latin1_general_cs LIKE ?
Case Insensitive Exact Matching (caseInsensitiveExactMatching)
Description

This property only has an effect if used in connection with a "Database User Store".

A String formatter pattern describing how to compare a string database field on equality, case insensitive.

If the database is already case insensitive (e.g. MySQL and MariaDB) the default value can be used.

The argument (%s) is the name of the field to compare, and the question mark is the value to be searched for. For some databases a less efficient "LIKE" operator has to be used for this.

Depending on the DB and version used, as well as the specific setup, different values may be the most efficient. For large user repositories, consult a DB expert or test the different settings.

Commonly used patterns:

  • LOWER( %s ) = LOWER ( ? ) – works for most DBs, tested with Oracle DB. Note that this is only really efficient if a lower-case index is created for the relevant columns.
  • %s COLLATE latin1_general_ci = ? – recommended for MSSQL.
  • %s = ? – for databases with default case insensitive matching, e.g. MySQL and MariaDB with standard settings
Attributes
String
Optional
Default value
LOWER( %s ) = LOWER ( ? )
Suggested values
%s = ?, LOWER( %s ) = LOWER ( ? ), %s COLLATE latin1_general_ci LIKE ?
Case Insensitive Matching (caseInsensitiveMatching)
Description

This property only has an effect if used in connection with a "Database User Store".

A String formatter pattern describing how to compare a string database field on equality, case insensitive.

If the database is already case insensitive (e.g. MySQL and MariaDB) the default value can be used.

The argument (%s) is the name of the field to compare, and the question mark is the value to be searched for. Important: This is used for approximate matching, e.g. "contains" matching, where the search value could be like "%bla%", thus the "LIKE" operator must be used instead of the equality sign.

Depending on the DB and version used, as well as the specific setup, different values may be the most efficient. For large user repositories, consult a DB expert or test the different settings.

Commonly used patterns:

  • LOWER( %s ) LIKE LOWER ( ? ) – works for most DBs, tested with Oracle DB. Note that this is only really efficient if a lower-case index is created for the relevant columns.
  • %s COLLATE latin1_general_ci LIKE ? – recommended for MSSQL.
  • %s LIKE ? – for databases with default case insensitive matching, e.g. MySQL and MariaDB with standard settings
  • %s ILIKE ? – for PostgreSQL databases
Attributes
String
Optional
Default value
LOWER( %s ) LIKE LOWER ( ? )
Suggested values
%s LIKE ?, LOWER( %s ) LIKE LOWER ( ? ), %s COLLATE latin1_general_ci LIKE ?, %s ILIKE ?
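The four matching properties above all take a String-format pattern in which %s becomes the column name and ? stays a bind parameter. The added example below (not Airlock IAM code; table and column names are assumptions) applies those patterns on SQLite and performs the per-database check the reference recommends: it shows that SQLite's LIKE ignores ASCII case by default, so the "case sensitive" default %s LIKE ? is not case sensitive there.

```python
import sqlite3

# Constructed sample user names; the table "usertable" and column "user_id"
# are assumptions for this demo.
ROWS = [("Freddie",), ("freddie",), ("Brian",)]


def apply_pattern(pattern, column):
    """Apply one of the page's String-format patterns to a column name. Only %s
    is substituted; the ? stays as the bind parameter for the search value."""
    return pattern.replace("%s", column)


def match_usernames(conn, pattern, value):
    """Run the matching condition with the search value bound as a parameter and
    return the matching user names in binary (case sensitive) order."""
    sql = ("SELECT user_id FROM usertable WHERE "
           + apply_pattern(pattern, "user_id") + " ORDER BY user_id")
    return [row[0] for row in conn.execute(sql, (value,))]


def demo():
    """Compare the patterns on SQLite. SQLite's LIKE ignores ASCII case by
    default, so the page's case sensitive default %s LIKE ? matches both
    spellings here, while %s = ? is case sensitive as expected."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usertable (user_id TEXT)")
    conn.executemany("INSERT INTO usertable VALUES (?)", ROWS)
    return {
        "exact_sensitive": match_usernames(conn, "%s = ?", "freddie"),
        "like_default": match_usernames(conn, "%s LIKE ?", "fred%"),
        "exact_insensitive": match_usernames(conn, "LOWER( %s ) = LOWER ( ? )", "FREDDIE"),
        "like_insensitive": match_usernames(conn, "LOWER( %s ) LIKE LOWER ( ? )", "FRED%"),
    }


if __name__ == "__main__":
    for name, matches in demo().items():
        print(f"{name}: {matches}")
```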
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.db.DatabaseUserPersister
id: DatabaseUserPersister-xxxxxx
displayName: 
comment: 
properties:
  additionalContextData:
  additionalInsertData:
  additionalIteratorWhereClause:
  additionalWhereClause:
  caseInsensitiveExactMatching: LOWER( %s ) = LOWER ( ? )
  caseInsensitiveMatching: LOWER( %s ) LIKE LOWER ( ? )
  caseSensitiveExactMatching: %s = ?
  caseSensitiveMatching: %s LIKE ?
  colAuthMethod:
  colAuthMigrationDate:
  colChannelVerificationResends:
  colDeleted:
  colFailedLogins:
  colFailedLoginsBeforeLatestLogin:
  colFailedPasswordResets:
  colFailedTokenCounts:
  colFirstLogin:
  colLastGSID:
  colLastGSIDDate:
  colLatestLoginAttempt:
  colLatestPasswordChange:
  colLatestSuccessfulLogin:
  colLatestUnlockAttempt:
  colNextAuthMethod:
  colNextEnforcedPasswordChange:
  colOtherCredentialsDeliveryTimestamps:
  colPassword:
  colPasswordChangeForced:
  colPasswordDeliveryDate:
  colPasswordGenerationDate:
  colPasswordOrderedDate:
  colPasswordOrderedFlag:
  colPasswordOrderedUser:
  colRecordInsertionDate:
  colRecordInsertionUser:
  colRecordModificationDate:
  colRecordModificationUser:
  colRoleString:
  colSecondLatestSuccessfulLogin:
  colSecretQuestionsEnabled:
  colSelfRegisteredFlag:
  colSelfRegistrationDate:
  colTotalLogins:
  colUnlockAttempts:
  colUserLockDate:
  colUserLockReason:
  colUserLocked:
  colUserName:
  colUserNotValidAfter:
  colUserNotValidBefore:
  colUserValid:
  colVersionId:
  contextDataColumns:
  defaultAuthMethod:
  defaultNextAuthMethod:
  grantRoles:
  isPwdHashStringType: true
  iteratorQuery:
  recordModificationUser: Medusa
  rolesQuery:
  rowsetRangePattern:
  searchConditionQuery:
  sqlDataSource:
  userChangeEventListeners:
  userNameResolveQuery:
  userTableName:

Database User Store

Description
Provides an efficient user store implementation for relational databases.
Class
com.airlock.iam.core.application.configuration.store.user.DatabaseUserStoreProvider
May be used by
Properties
Database User Persister (databaseUserPersister)
Description
A database user persister whose configuration will be used by the user store.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.application.configuration.store.user.DatabaseUserStoreProvider
id: DatabaseUserStoreProvider-xxxxxx
displayName: 
comment: 
properties:
  databaseUserPersister:

Date And Time Context Data

Description
Non-interactive user context data item that stores a date and time value.
Class
com.airlock.iam.userselfreg.application.configuration.definition.DateAndTimeNonInteractiveUserDataItemDefinitionConfig
May be used by
Properties
Context Data Item Name (contextDataItemNameConfig)
Description
The name of the context data where the value will be stored.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Date And Time Value Provider (valueProviderConfig)
Description
Provides the date and time value for the context data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.userselfreg.application.configuration.definition.DateAndTimeNonInteractiveUserDataItemDefinitionConfig
id: DateAndTimeNonInteractiveUserDataItemDefinitionConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataItemNameConfig:
  valueProviderConfig:

Date And Time Context Data Item Config

Description
Context Data item of type Date and Time without time zone information (corresponds to java.util.Date).

The database column must be of a date with time type (e.g. DATETIME (TIMESTAMP on Oracle)) and the values in the context data container are guaranteed to be of type java.util.Date.

Class
com.airlock.iam.core.application.configuration.contextdata.DateAndTimeContextDataItemConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
Defines the reusable context data item representing the name and type of a value in the context data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Database Column Name (databaseColumnName)
Description
The name of the database column to load into the context data in case it differs from the Context Data Name.
Attributes
String
Optional
Example
self_registration_date
Example
auth_migration_date
Readonly On Update (readonlyOnUpdate)
Description
If enabled, this context data field is treated readonly during updates of the user data. However, the field will still be persisted while inserting the user.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.core.application.configuration.contextdata.DateAndTimeContextDataItemConfig
id: DateAndTimeContextDataItemConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  databaseColumnName:
  readonlyOnUpdate: false

Date And Time Context Data Item Name

Description
Context Data item of type Date and Time (a moment in time without timezone information).
Class
com.airlock.iam.core.application.configuration.contextdata.DateAndTimeContextDataItemNameConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
The name of the context data field under which the date value is stored.
Attributes
String
Mandatory
Example
self_registration_date
Example
auth_migration_date
YAML Template (with default values)

type: com.airlock.iam.core.application.configuration.contextdata.DateAndTimeContextDataItemNameConfig
id: DateAndTimeContextDataItemNameConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:

Date And Time Context Data Value Provider

Description

Provides the date and time value contained in the specified context data item of the user.

Make sure the configured context data item is also configured on the user persister.

Class
com.airlock.iam.common.application.configuration.valueprovider.contextdata.ContextDataDateAndTimeValueProviderConfig
May be used by
Properties
Context Data Field (contextDataField)
Description
Context data field whose value will be returned.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Mandatory (mandatory)
Description

If enabled, the value provided by this context data item is not allowed to be null.

If this option is enabled and the context data item is null (e.g. if the configured context data is not configured on the user persister), an exception will be thrown at runtime.

Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.valueprovider.contextdata.ContextDataDateAndTimeValueProviderConfig
id: ContextDataDateAndTimeValueProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataField:
  mandatory: false

Date And Time Data Transformer

Description
Parses date strings (with time information, without time zone information) according to the specified pattern and converts them to regular context data date objects.

The values in the context data container are guaranteed to be of type java.util.Date.

Class
com.airlock.iam.core.misc.util.datatransformer.DateAndTimeDataTransformer
May be used by
Properties
Properties (properties)
Description
Selects the properties to apply the replacement to.
Use the asterisk character ("*") to replace all properties.
Attributes
String-List
Mandatory
Pattern (pattern)
Description
The format pattern of the date/time string representations.
Attributes
String
Mandatory
Example
yyyy-MM-dd HH:mm:ss
YAML Template (with default values)

type: com.airlock.iam.core.misc.util.datatransformer.DateAndTimeDataTransformer
id: DateAndTimeDataTransformer-xxxxxx
displayName: 
comment: 
properties:
  pattern:
  properties:

Date And Time User Context Data Item

Description
User context data item that stores a date and time value without time zone information.
Class
com.airlock.iam.flow.shared.application.configuration.item.DateAndTimeContextDataItemDefinitionConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
The context data item in the context data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required (required)
Description
Specifies whether this context data item is required for the step to validate successfully.
Attributes
Boolean
Optional
Default value
true
Validators (validators)
Description
The validators for this context data item.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.item.DateAndTimeContextDataItemDefinitionConfig
id: DateAndTimeContextDataItemDefinitionConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  required: true
  validators:

Date And Time Validator

Description
Validate a date and time.
Class
com.airlock.iam.common.application.configuration.validation.DefaultDateAndTimeValidatorConfig
May be used by
Properties
Minimum Relative [days] (minRelative)
Description

The "minimum relative value" is the lower limit (earliest possible) for allowed difference in days to the current date.

Examples: A value of 1 means that tomorrow is the earliest possible date to enter, a value of -365 means that the entered date can be at most one year in the past.

Attributes
Integer
Optional
Min Date (minDate)
Description

The earliest date allowed to be filled in. This cannot be used together with "Minimum Relative" and must be in ISO 8601 format.

Attributes
String
Optional
Example
2011-12-03T10:15:30.000+01:00
Example
2018-02-06T15:58:53.661Z
Maximum Relative [days] (maxRelative)
Description

The "maximum relative value" is the upper limit (last possible) for allowed difference in days to the current date. This cannot be used together with "Max Date".

Examples: A value of 1 means that tomorrow is the latest possible date to enter, a value of -365 means that the entered date has to be at least one year in the past. Use this property to configure a minimal required age.

Attributes
Integer
Optional
Max Date (maxDate)
Description

The latest date allowed to be filled in. This cannot be used together with "Maximum Relative" and it must be in ISO 8601 format.

Attributes
String
Optional
Example
2011-12-03T10:15:30.000+01:00
Example
2018-02-06T15:58:53.661Z
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.validation.DefaultDateAndTimeValidatorConfig
id: DefaultDateAndTimeValidatorConfig-xxxxxx
displayName: 
comment: 
properties:
  maxDate:
  maxRelative:
  minDate:
  minRelative:

Date And Time With Offset Value Provider Config

Description
Defines a date and time value obtained by offsetting a date and time value by a fixed amount.
Class
com.airlock.iam.common.application.configuration.valueprovider.DateAndTimeWithOffsetValueProviderConfig
May be used by
Properties
Date And Time Provider (dateAndTimeProvider)
Description
The date and time value to which an amount is added.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Offset (offsetProvider)
Description

The amount to offset Date And Time Provider by.

A positive offset will result in a later date and time than Date And Time Provider, while a negative offset will result in an earlier date and time.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Unit (unit)
Description
The unit of Offset.
Attributes
Enum
Mandatory
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.valueprovider.DateAndTimeWithOffsetValueProviderConfig
id: DateAndTimeWithOffsetValueProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  dateAndTimeProvider:
  offsetProvider:
  unit:

Date Context Data Item Config

Description
Context Data item that contains a date (only contains year, month and day but no time information).

The database column must either be of a date type (e.g. DATE; TIMESTAMP and DATETIME will also work where supported) or of a string type (e.g. VARCHAR or CHAR; whitespace is removed automatically), in which case a date pattern must be specified.

The values in the context data container are guaranteed to be of type java.time.LocalDate.

Class
com.airlock.iam.core.application.configuration.contextdata.DateContextDataItemConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
Defines the reusable context data item representing the name and type of a value in the context data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Database Column Name (databaseColumnName)
Description
The name of the database column to load into the context data in case it differs from the Context Data Name.
Attributes
String
Optional
Example
birthdate
Date Pattern For String Columns (datePatternForStringColumns)
Description
If the database uses a column of any string type (e.g. VARCHAR or CHAR), a date pattern must be specified to convert the value from database to a LocalDate. Invalid values on the database are treated as NULL.
Attributes
String
Optional
Suggested values
yyyy-MM-dd, dd.MM.yyyy
Readonly On Update (readonlyOnUpdate)
Description
If enabled, this context data field is treated readonly during updates of the user data. However, the field will still be persisted while inserting the user.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.core.application.configuration.contextdata.DateContextDataItemConfig
id: DateContextDataItemConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  databaseColumnName:
  datePatternForStringColumns:
  readonlyOnUpdate: false

Date Data Transformer

Description
Parses date strings (without time information) according to the specified pattern and converts them to regular context data date objects.

The values in the context data container are guaranteed to be of type java.time.LocalDate.

Class
com.airlock.iam.core.misc.util.datatransformer.DateDataTransformer
May be used by
Properties
Properties (properties)
Description
Selects the properties to apply the replacement to.
Use the asterisk character ("*") to replace all properties.
Attributes
String-List
Mandatory
Pattern (pattern)
Description
The format pattern of the date string representations.
Attributes
String
Mandatory
Example
yyyy-MM-dd
YAML Template (with default values)

type: com.airlock.iam.core.misc.util.datatransformer.DateDataTransformer
id: DateDataTransformer-xxxxxx
displayName: 
comment: 
properties:
  pattern:
  properties:

Date Format

Description
Validates that a date has a valid format. The validity of a format is determined by the language in the UI. For example, with English, the format is mm/dd/yyyy while with German the format is dd.mm.yyyy. Note that this refers to the user-facing format in the UI only - the date format sent via REST still adheres to the standard format as specified by the REST API.
Class
com.airlock.iam.flow.ui.application.configuration.configurable.validation.DateFormatValidationConfig
May be used by
Properties
Translation Key (translationKey)
Description
The translation key to use for the error message in case the validation fails. A default translation is used when no translation key is configured.
Attributes
String
Optional
YAML Template (with default values)

type: com.airlock.iam.flow.ui.application.configuration.configurable.validation.DateFormatValidationConfig
id: DateFormatValidationConfig-xxxxxx
displayName: 
comment: 
properties:
  translationKey:

Date UI Element

Description
Displays an input field for date.
Class
com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiDateConfig
May be used by
Properties
Label (label)
Description
Label for the input field. The UI treats it as a key to translate. If there is no translation, the configured value is what is shown in the UI.
Attributes
String
Mandatory
Validation RegEx: [a-zA-Z0-9]+((\.|-)[a-zA-Z0-9]+)*
Property (property)
Description
The input field's property. This property will be sent to the server via REST as part of a JSON object. For example, if the property name is 'otp' and the user enters '4123' into the field, the JSON sent to the server will be as follows: {"otp": "4123"}.
Attributes
String
Mandatory
Validation RegEx: [a-zA-Z0-9_]+(\.[a-zA-Z0-9_]+)*
Example
otp
Example
phoneNumber
Placeholder (placeholder)
Description
Displays the placeholder if the field has no value. If empty, the UI will display the expected format of the date as placeholder.
Attributes
String
Optional
Validations (validations)
Description
The validations on the input field. The validator for 'Date Format' is automatically added if not already explicitly configured.
Attributes
Plugin-List
Optional
Assignable plugins
HTML ID (htmlId)
Description
The ID of the element in the HTML. If no ID is set, the 'property' is used as the ID.
Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_]+
Submit To Server (submitToServer)
Description
If enabled, this value is submitted to the server. Otherwise, it is only used locally (e.g. to confirm inputs of other fields).
Attributes
Boolean
Optional
Default value
true
Initial Value Query (initialValueQuery)
Description
JSONPath query to fetch the field value from the initial REST call response. Requires an initial REST call to be configured in this custom step UI. If the query yields multiple results, the first one is set as the initial value and all others are discarded.

See the JSONPath documentation for the full syntax: https://github.com/dchester/jsonpath

Examples:

Assume the initial REST call returns the following JSON response:

{
 "meta": {
   "type": "jsonapi.metadata.document",
   "timestamp": "2023-03-10T13:06:01.294+02:00"
 },
 "data": [
  {
    "type": "user",
    "id": "user1",
    "attributes": {
      "contextData": {
         "givenname": "User1",
         "surname": "FSMTest",
         "roles": "customerA"
      }
    }
  },
  {
    "type": "user",
    "id": "user2",
    "attributes": {
      "contextData": {
        "givenname": "User2",
        "surname": "FSMTest",
        "roles": "customerB"
      }
    }
  }
 ]
}

The following table shows the results of various JSONPath queries given the JSON above:

Description | JSONPath Query | Extracted Initial Value
Static path from the root | $.meta.type | jsonapi.metadata.document
The role of the user whose id equals "user1" | $.data[?(@.id == 'user1')].attributes.contextData.roles | customerA
The number of users | $.data.length | 2
All "givenname" attributes (note: this query yields multiple results; the first one is set as the initial value, the rest is discarded) | $..givenname | User1
Attributes
String
Optional
Example
$..birthdate
Example
$..data[?(@.id == 'birthdate')].attributes.currentValue
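To check what a query will put into a field before it is deployed, the following Python script evaluates the queries from the table above against the sample response and applies the first-match rule. It is an added example, not code from Airlock IAM or from the dchester/jsonpath library: it implements only the JSONPath subset those queries need (child members, recursive descent, a string-equality filter, and .length on lists) and rejects anything else instead of guessing. The sample response is the one shown above; the function names are this example's own.

```python
import json
import re

# Sample: the initial REST call response from the documentation above (constructed here as a literal).
SAMPLE_RESPONSE = json.loads("""
{
  "meta": {"type": "jsonapi.metadata.document",
           "timestamp": "2023-03-10T13:06:01.294+02:00"},
  "data": [
    {"type": "user", "id": "user1",
     "attributes": {"contextData": {"givenname": "User1", "surname": "FSMTest", "roles": "customerA"}}},
    {"type": "user", "id": "user2",
     "attributes": {"contextData": {"givenname": "User2", "surname": "FSMTest", "roles": "customerB"}}}
  ]
}
""")

# JSONPath subset handled by this example (enough for the queries on this page):
#   .name            child member
#   ..name           recursive descent to every member called name
#   [?(@.k == 'v')]  keep list elements whose member k equals the string v
#   .length          number of elements when applied to a list
_STEP = re.compile(r"""
      \.\.(?P<deep>[A-Za-z_]\w*)
    | \.(?P<child>[A-Za-z_]\w*)
    | \[\?\(@\.(?P<fkey>[A-Za-z_]\w*)\s*==\s*'(?P<fval>[^']*)'\)\]
""", re.VERBOSE)


def parse(query):
    """Split a query into (kind, argument) steps; syntax outside the subset is rejected."""
    if not query.startswith("$"):
        raise ValueError("JSONPath query must start with '$'")
    pos, steps = 1, []
    while pos < len(query):
        m = _STEP.match(query, pos)
        if m is None:
            raise ValueError(f"unsupported JSONPath syntax at: {query[pos:]!r}")
        if m.group("deep"):
            steps.append(("deep", m.group("deep")))
        elif m.group("child"):
            steps.append(("child", m.group("child")))
        else:
            steps.append(("filter", (m.group("fkey"), m.group("fval"))))
        pos = m.end()
    return steps


def _walk(node):
    """Yield node and all of its descendants, depth first, in document order."""
    yield node
    if isinstance(node, dict):
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def evaluate(query, document):
    """Return every match of the query, in document order."""
    current = [document]
    for kind, arg in parse(query):
        nxt = []
        for node in current:
            if kind == "child":
                if isinstance(node, dict) and arg in node:
                    nxt.append(node[arg])
                elif isinstance(node, list) and arg == "length":
                    nxt.append(len(node))
            elif kind == "deep":
                nxt.extend(d[arg] for d in _walk(node) if isinstance(d, dict) and arg in d)
            else:  # filter: only list elements are candidates
                key, wanted = arg
                if isinstance(node, list):
                    nxt.extend(i for i in node if isinstance(i, dict) and i.get(key) == wanted)
        current = nxt
    return current


def initial_value(query, document):
    """The property's rule: the first match becomes the initial value, all others are discarded."""
    matches = evaluate(query, document)
    return matches[0] if matches else None


if __name__ == "__main__":
    for q in ("$.meta.type",
              "$.data[?(@.id == 'user1')].attributes.contextData.roles",
              "$.data.length",
              "$..givenname",
              "$..birthdate"):
        print(f"{q:58} -> {initial_value(q, SAMPLE_RESPONSE)!r}")
```

Running the script prints one line per query; `$..givenname` yields both names but only "User1" is used, and `$..birthdate` yields nothing for this response, so the field would start empty.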
YAML Template (with default values)

type: com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiDateConfig
id: ConfigurableUiDateConfig-xxxxxx
displayName: 
comment: 
properties:
  htmlId:
  initialValueQuery:
  label:
  placeholder:
  property:
  submitToServer: true
  validations:

Date User Context Data Item

Description
User context data item that stores a date (only date, no time nor time zone).
Class
com.airlock.iam.flow.shared.application.configuration.item.DateContextDataItemDefinitionConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
The context data item in the context data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required (required)
Description
Specifies whether this context data item is required for the step to validate successfully.
Attributes
Boolean
Optional
Default value
true
Validators (validators)
Description
The validators for this context data item.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.item.DateContextDataItemDefinitionConfig
id: DateContextDataItemDefinitionConfig-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  required: true
  validators:

Date User Profile Item Config

Description
Plugin to hold a configurable user profile item of type date (potentially including time information). It corresponds to a text input field whose value is added to the user's context data, provided that the property name matches the property name in the configured user data. The date format can be configured, as well as the acceptable date range. The range limits can be absolute dates or a number of days relative to the current day.
Class
com.airlock.iam.common.application.configuration.userprofile.DateUserProfileItemConfig
May be used by
Properties
Date Format (dateFormat)
Description
Defines the date format of this item. The format is used for server-side validations and must correspond to other config options, such as "Earliest Date" and "Latest Date".
Attributes
String
Optional
Default value
dd.MM.yyyy
Allowed values
dd.MM.yyyy, dd-MM-yyyy, MM-dd-yyyy
Minimum Relative [days] (minRelative)
Description

The "minimum relative value" is the lower limit (earliest possible) for the allowed difference in days to the current date. This cannot be used together with "Earliest Date".

Examples: A value of 1 means that tomorrow is the earliest possible day to enter, a value of -365 means that the entered date can be at most one year in the past.

Attributes
Integer
Optional
Earliest Date (minDate)
Description

The earliest date allowed to be filled in. This cannot be used together with "Minimum Relative" and must be in the same format as specified in "Date Format".

Attributes
String
Optional
Maximum Relative [days] (maxRelative)
Description

The "maximum relative value" is the upper limit (latest possible) for the allowed difference in days to the current date. This cannot be used together with "Latest Date".

Examples: A value of 1 means that tomorrow is the latest possible day to enter, a value of -365 means that the entered date has to be at least one year in the past. Use this property to configure a minimal required age.

Attributes
Integer
Optional
Latest Date (maxDate)
Description

The latest date allowed to be filled in. This cannot be used together with "Maximum Relative" and it must be in the same format as specified in "Date Format".

Attributes
String
Optional
Date Transformation (dateTransformation)
Description
Defines how the date value should be transformed before it is persisted.
  • DATE: the date value is transformed to a java.util.Date object (date with time, where all time values are set to 0).
    Use 'Date And Time Context Data Item Config' for the corresponding context data item in the persister.
  • LOCAL_DATE: the date value is transformed to a java.time.LocalDate object (date only).
    Use 'Local Date Context Data Item Config' for the corresponding context data item in the persister.
  • STRING: the date value is transformed to a String as defined by "Date Format".
    Use 'String Context Data Item Config' for the corresponding context data item in the persister.
Attributes
Enum
Optional
Default value
LOCAL_DATE
String Resource Key (stringResourceKey)
Description
String identifier for the language-specific string tables.
Attributes
String
Mandatory
Example
userdata.label.salutation
Example
userdata.label.firstname
Example
userdata.label.lastname
Example
userdata.label.email
Example
userdata.label.nationality
Example
userdata.label.birthdate
Example
userdata.label.street
Example
userdata.label.street-number
Example
userdata.label.address2
Example
userdata.label.zipcode
Example
userdata.label.town
Example
userdata.label.state
Example
userdata.label.country
Example
userdata.label.company
Example
userdata.label.department
Example
userdata.label.office-phone
Example
userdata.label.mobile-phone
Example
userdata.label.language
Example
userdata.label.correspondence-language
Example
userdata.label.realm
Property Name (propertyName)
Description
Name of the context-data field in which the value is stored.
Attributes
String
Mandatory
Example
surname
Example
givenname
Example
email
Example
mtan_number
Optional (optional)
Description
If this field is optional or mandatory for the user.
Attributes
Boolean
Optional
Default value
true
Modifiable (modifiable)
Description
Indicates if the user is allowed to change this property once it is set. Specifically, if this flag is set to false, then during self-registration the property could be set, but when editing the user data, this property would be read-only.
Attributes
Boolean
Optional
Default value
true
Validate Only Changed Values (validateOnlyChangedValues)
Description
If enabled, only values that have been changed by the user (compared to the data loaded from the data layer) are validated.
Attributes
Boolean
Optional
Default value
true
Sortable (sortable)
Description
If enabled, the attribute is sortable in the user list if the underlying user iterator supports sorting.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.userprofile.DateUserProfileItemConfig
id: DateUserProfileItemConfig-xxxxxx
displayName: 
comment: 
properties:
  dateFormat: dd.MM.yyyy
  dateTransformation: LOCAL_DATE
  maxDate:
  maxRelative:
  minDate:
  minRelative:
  modifiable: true
  optional: true
  propertyName:
  sortable: true
  stringResourceKey:
  validateOnlyChangedValues: true

Date Validator

Description
Validate a date.
Class
com.airlock.iam.common.application.configuration.validation.DefaultDateValidatorConfig
May be used by
Properties
Minimum Relative [days] (minRelative)
Description

The "minimum relative value" is the lower limit (earliest possible) for the allowed difference in days to the current date. This cannot be used together with "Min Date".

Examples: A value of 1 means that tomorrow is the earliest possible date to enter, a value of -365 means that the entered date can be at most one year in the past.

Attributes
Integer
Optional
Min Date (minDate)
Description

The earliest date allowed to be filled in. This cannot be used together with "Minimum Relative" and must be in ISO 8601 format.

Attributes
String
Optional
Example
2011-12-03
Example
2018-02-06
Maximum Relative [days] (maxRelative)
Description

The "maximum relative value" is the upper limit (latest possible) for the allowed difference in days to the current date. This cannot be used together with "Max Date".

Examples: A value of 1 means that tomorrow is the latest possible date to enter, a value of -365 means that the entered date has to be at least one year in the past. Use this property to configure a minimal required age.

Attributes
Integer
Optional
Max Date (maxDate)
Description

The latest date allowed to be filled in. This cannot be used together with "Maximum Relative" and it must be in ISO 8601 format.

Attributes
String
Optional
Example
2011-12-03
Example
2018-02-06
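The following Python script is an added example, not Airlock IAM code. It reproduces the semantics of the four limits described above for the Date Validator (the Date User Profile Item applies the same four limits, only with its configurable date format instead of ISO 8601): relative limits are day offsets from the current date, absolute limits are ISO 8601 dates, and a relative and an absolute limit on the same side cannot be combined. Inclusive boundaries and the outcome codes are this example's assumptions; the page does not state them. It also shows why the "minimal required age" hint deserves care: a limit expressed in days only approximates calendar years, and years_before() computes the exact cut-off for comparison.

```python
from datetime import date, timedelta

# Outcome codes are constructed for this example; Airlock IAM's own codes are not shown on this page.
OK, BAD_FORMAT, TOO_EARLY, TOO_LATE = "OK", "BAD_FORMAT", "TOO_EARLY", "TOO_LATE"


def _as_date(value):
    """Accept a date object or an ISO 8601 string (YYYY-MM-DD)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def validate_date(value, today, min_relative=None, max_relative=None,
                  min_date=None, max_date=None):
    """Apply the Date Validator's limits to an entered ISO 8601 date string.

    min_relative / max_relative: offsets in days from `today` (1 = tomorrow, -365 = 365 days ago).
    min_date / max_date: absolute ISO 8601 dates.
    A relative and an absolute limit on the same side are rejected as a configuration error,
    as the page requires. Boundaries are inclusive (assumption).
    """
    if min_relative is not None and min_date is not None:
        raise ValueError('"Minimum Relative" cannot be used together with "Min Date"')
    if max_relative is not None and max_date is not None:
        raise ValueError('"Maximum Relative" cannot be used together with "Max Date"')

    today = _as_date(today)
    try:
        entered = date.fromisoformat(value)
    except (TypeError, ValueError):
        return BAD_FORMAT  # not ISO 8601, e.g. a UI-formatted "03.02.2024"

    earliest = latest = None
    if min_relative is not None:
        earliest = today + timedelta(days=min_relative)
    elif min_date is not None:
        earliest = _as_date(min_date)
    if max_relative is not None:
        latest = today + timedelta(days=max_relative)
    elif max_date is not None:
        latest = _as_date(max_date)

    if earliest is not None and entered < earliest:
        return TOO_EARLY
    if latest is not None and entered > latest:
        return TOO_LATE
    return OK


def years_before(today, years):
    """Calendar-exact cut-off: the same calendar day `years` years ago (29 Feb falls back to 28 Feb)."""
    today = _as_date(today)
    try:
        return today.replace(year=today.year - years)
    except ValueError:
        return today.replace(year=today.year - years, day=28)


def min_age_days_drift(today, years):
    """How many days a "Maximum Relative" of -365 * years is later than the calendar-exact cut-off.

    A positive drift means people who are that many days short of the required age still pass.
    """
    today = _as_date(today)
    day_based = today + timedelta(days=-365 * years)
    return (day_based - years_before(today, years)).days


if __name__ == "__main__":
    today = "2024-03-01"
    print(validate_date("2024-03-02", today, min_relative=1))        # OK: tomorrow is the earliest allowed
    print(validate_date("2024-03-01", today, min_relative=1))        # TOO_EARLY
    print(validate_date("2023-03-02", today, max_relative=-365))     # OK by day count ...
    print(years_before(today, 1), validate_date("2023-03-02", today, max_date=str(years_before(today, 1))))
    print(min_age_days_drift(today, 18))                             # 5 days of slack for an 18-year minimum
```

On 2024-03-01 a Maximum Relative of -365 accepts 2023-03-02, a date less than one calendar year ago, because the leap day shifts the day-based cut-off; for an 18-year minimum age the slack grows to five days. Where the exact age matters, account for that drift when choosing the day count, or use an absolute Max Date derived from the calendar-exact cut-off.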
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.validation.DefaultDateValidatorConfig
id: DefaultDateValidatorConfig-xxxxxx
displayName: 
comment: 
properties:
  maxDate:
  maxRelative:
  minDate:
  minRelative:

Date/Time Input Token Controller Element

Description
Renders an input field with a date picker for a date property.
Class
com.airlock.iam.admin.application.configuration.generic.ui.DateInputTokenControllerUiElementConfig
May be used by
Properties
Label (label)
Description
Label for the field. The UI treats it as a key to translate. If there is no translation, the label is shown in the UI as is.
Attributes
String
Mandatory
Example
userdata.label.birthdate
Property (property)
Description
The property to use as value for this field.

The referenced property must be available in the attributes value of the generic token REST call response. If the property is nested, e.g. inside the contextData key, it can be referenced with dot notation (see example values).

The ID of the response is referenced by using the reserved value @id.

Attributes
String
Mandatory
Example
orderDate
Example
contextData.birthdate
Example
@id
Placeholder (placeholder)
Description
Displays a placeholder when the field has no value. The placeholder is not interpreted as value and disappears when typing in the field.
Attributes
String
Optional
Required (required)
Description
Whether this field must have a value when the token is added or updated. Required fields are marked with an asterisk.
Attributes
Boolean
Optional
Default value
false
Date-only (dateOnly)
Description
If enabled, the date is handled without time. The date picker changes accordingly. The referenced property must be of a matching date type, e.g. a "Date Context Data Item".
Attributes
Boolean
Optional
Default value
false
Read-only (readOnly)
Description
If enabled, the field is read-only and cannot be altered by administrators via the UI.
Attributes
Boolean
Optional
Default value
false
Hide If Empty (hideIfEmpty)
Description
If enabled, this UI element is hidden if it has no value.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.generic.ui.DateInputTokenControllerUiElementConfig
id: DateInputTokenControllerUiElementConfig-xxxxxx
displayName: 
comment: 
properties:
  dateOnly: false
  hideIfEmpty: false
  label:
  placeholder:
  property:
  readOnly: false
  required: false

Default Account Link Linking Flow

Description

Simple configuration for an account link linking self-service flow.

The following steps are automatically generated:

  • An Account Link Linking Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultAccountLinkLinkingFlowConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultAccountLinkLinkingFlowConfig
id: DefaultAccountLinkLinkingFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  flowId:

Default Account Link Removal Flow

Description

Simple configuration for an account link removal self-service flow.

The following steps are automatically generated:

  • An Account Link Removal Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultAccountLinkDeletionFlowConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultAccountLinkDeletionFlowConfig
id: DefaultAccountLinkDeletionFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  flowId:

Default Aggregate Report Strategy

Description
Default aggregator that should be sufficient for most aggregate reports. The parameter map passed to the template contains the following data:

Key | Value
aggr_count | <number of reports>
aggr_langs | <List of all languages>
aggr_filenames | <List of all file names>
<key Param1> | <List of all Param1 values>
<key Param1>.aggr_first | <Value of this parameter in the first report>
<key Param1>.aggr_last | <Value of this parameter in the last report>

All parameters passed to the reports are listed as <key Param1>. All the lists are in the same order as the reports have been generated (first generated report at position 0).

Class
com.airlock.iam.core.misc.util.report.aggregation.DefaultAggregateReportStrategy
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.util.report.aggregation.DefaultAggregateReportStrategy
id: DefaultAggregateReportStrategy-xxxxxx
displayName: 
comment: 
properties:

Default Authentication Processor

Description
Processor that performs the necessary actions related to authentication, such as audit logging, tracking used authentication methods, updating login statistics, renewing session ID and executing the configured behavior upon existing sessions.
Class
com.airlock.iam.authentication.application.configuration.processor.DefaultAuthenticationProcessorConfig
May be used by
Properties
Update Login Statistics (updateLoginStatistics)
Description
If disabled, the login statistics (timestamps, login counts, etc.) won't be updated.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.processor.DefaultAuthenticationProcessorConfig
id: DefaultAuthenticationProcessorConfig-xxxxxx
displayName: 
comment: 
properties:
  updateLoginStatistics: true

Default Authentication Processors Config

Description

This plugin automatically configures a list of essential flow processors, depending on the use case. Note that User Enumeration Protection and Temporary Locking cannot be used at the same time: whichever of the two is enabled is used.

The processors are configured in this order:

  1. CAPTCHA Processor
  2. User Identification Processor
  3. Latest Authentication Feedback Processor (only if enabled)
  4. Default Authentication Processor
  5. Factor Use Reporting Processor
  6. Failed Factor Attempts Processor (with strict counting)
  7. Renew Session ID Processor
  8. User Validity Processor
  9. Login History Processor (only if enabled)
  10. Unlock Attempts Reset Processor
  11. Device Usage Processor
  12. Set UI Tenant ID Processor
Class
com.airlock.iam.authentication.application.configuration.processor.DefaultAuthenticationProcessorsConfig
May be used by
Properties
Add Latest Authentication Feedback (addLatestAuthenticationFeedback)
Description
If enabled, adds the "Latest Authentication Feedback Processor" to the list of authentication processors.
The latest authentication information is provided in all flow step results (REST responses) after successfully identifying the user. In addition, the Loginapp UI displays this information on selected second factor pages.

Note: If an authentication flow starts with a user identification step that does not verify an authentication factor (e.g. password, remember-me cookie, SSO ticket, ...), the latest authentication information is disclosed before the user has proven their identity, which may lead to unwanted information leakage.

Attributes
Boolean
Optional
Default value
false
Write Login History (writeLoginHistory)
Description
If enabled, an entry is added to the login history repository after a successful authentication in an authentication flow. Within a session, only a single entry is written into the login history database per successful login, even if a user completes the same or another authentication flow multiple times. This adds the "Login History Processor" to the list of authentication processors.
Attributes
Boolean
Optional
Default value
false
Update Login Statistics (updateLoginStatistics)
Description
If disabled, the login statistics (timestamps, login counts, etc.) won't be updated.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.processor.DefaultAuthenticationProcessorsConfig
id: DefaultAuthenticationProcessorsConfig-xxxxxx
displayName: 
comment: 
properties:
  addLatestAuthenticationFeedback: false
  updateLoginStatistics: true
  writeLoginHistory: false

Default Authorization Processors

Description
This plugin uses the following processors for standard authorization flows:
  • User Validity Processor
  • Factor Use Reporting Processor
Class
com.airlock.iam.authentication.application.configuration.processor.DefaultAuthorizationProcessorsConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.processor.DefaultAuthorizationProcessorsConfig
id: DefaultAuthorizationProcessorsConfig-xxxxxx
displayName: 
comment: 
properties:

Default Cronto Device Removal Flow

Description

Simple configuration for a Cronto device removal self-service flow.

The following steps are automatically generated:

  • A Delete Cronto Device Initiation Step.
  • An Apply Changes Step

The access condition for the flow is always a Cronto Device Removal Possible.

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoDeviceDeletionFlowConfig
May be used by
License-Tags
Cronto
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allow Deleting Last Device (allowDeletingLastDevice)
Description
If enabled, the last device can be deleted. This can leave the user without a means to log in again.
Attributes
Boolean
Optional
Default value
false
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. The "Access Condition" is always the Cronto Device Removal Possible. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoDeviceDeletionFlowConfig
id: DefaultCrontoDeviceDeletionFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  allowDeletingLastDevice: false
  authorizationCondition:
  crontoHandler:
  flowId:

Default Cronto Device Renaming Flow

Description

Simple configuration for a Cronto device renaming self-service flow.

The following steps are automatically generated:

  • A Cronto Device Selection Step.
  • A Rename Cronto Device Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoDeviceRenamingFlowConfig
May be used by
License-Tags
Cronto
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoDeviceRenamingFlowConfig
id: DefaultCrontoDeviceRenamingFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  crontoHandler:
  flowId:

Default Cronto Login Message Provider Config

Description

Provides the default Cronto login message.

This plugin configures a Generic Cronto Message Provider for the translation string cronto.login-message with the two value map providers for the user's context-data and user statistics.

Class
com.airlock.iam.flow.shared.application.configuration.message.DefaultCrontoLoginMessageProviderConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Cronto Handler to determine if a message is small enough to be encoded as a cryptogram. This is used for "shrinking" the growable message until it fits into a cryptogram. If it cannot be shrunk enough, an exception is thrown.
Attributes
Plugin-Link
Mandatory
License-Tags
Cronto
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.message.DefaultCrontoLoginMessageProviderConfig
id: DefaultCrontoLoginMessageProviderConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:

Default Disable Cronto Device Flow

Description

Simple configuration for a self-service flow to disable a Cronto device.

The following steps are automatically generated:

  • A Disable Cronto Device Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoDeviceDisablingFlowConfig
May be used by
License-Tags
Cronto
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoDeviceDisablingFlowConfig
id: DefaultCrontoDeviceDisablingFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  crontoHandler:
  flowId:

Default Disable Cronto Push Flow

Description

Simple configuration for a self-service flow to disable Cronto push notification.

The following steps are automatically generated:

  • A Disable Cronto Push Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoPushDisablingFlowConfig
May be used by
License-Tags
Cronto
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoPushDisablingFlowConfig
id: DefaultCrontoPushDisablingFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  crontoHandler:
  flowId:

Default Disable FIDO Credential Flow

Description

Simple configuration for a self-service flow to disable a FIDO credential.

The following steps are automatically generated:

  • A Disable FIDO Credential Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultFidoCredentialDisablingFlowConfig
May be used by
License-Tags
FIDO
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
FIDO Settings (fidoSettings)
Description
Settings for FIDO.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultFidoCredentialDisablingFlowConfig
id: DefaultFidoCredentialDisablingFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  fidoSettings:
  flowId:

Default Enable Cronto Device Flow

Description

Simple configuration for a self-service flow to enable a Cronto device.

The following steps are automatically generated:

  • An Enable Cronto Device Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoDeviceEnablingFlowConfig
May be used by
License-Tags
Cronto
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoDeviceEnablingFlowConfig
id: DefaultCrontoDeviceEnablingFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  crontoHandler:
  flowId:

Default Enable Cronto Push Flow

Description

Simple configuration for a self-service flow to enable Cronto push notification.

The following steps are automatically generated:

  • An Enable Cronto Push Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoPushEnablingFlowConfig
May be used by
License-Tags
Cronto
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoPushEnablingFlowConfig
id: DefaultCrontoPushEnablingFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  crontoHandler:
  flowId:

Default Enable FIDO Credential Flow

Description

Simple configuration for a self-service flow to enable a FIDO credential.

The following steps are automatically generated:

  • An Enable FIDO Credential Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultFidoCredentialEnablingFlowConfig
May be used by
License-Tags
FIDO
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
FIDO Settings (fidoSettings)
Description
Settings for FIDO.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultFidoCredentialEnablingFlowConfig
id: DefaultFidoCredentialEnablingFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  fidoSettings:
  flowId:

Default End-To-End Encryption Password Repository

Description
End-to-end encrypted password repository using the configured decryption plugin to decrypt the password before delegating to the configured internal password repository.
Class
com.airlock.iam.common.application.configuration.password.repository.DefaultE2eEncryptionPasswordRepositoryConfig
May be used by
License-Tags
EndToEndPasswordEncryption
Properties
Password Decryption (passwordDecryption)
Description
Decrypts the password and provides all information needed for the client to encrypt the password.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Internal Password Repository (internalPasswordRepository)
Description

The password repository that handles the password operations (check/change/set) after decryption.

The Default Password Repository cannot be used in self-registration flows.

Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.password.repository.DefaultE2eEncryptionPasswordRepositoryConfig
id: DefaultE2eEncryptionPasswordRepositoryConfig-xxxxxx
displayName: 
comment: 
properties:
  internalPasswordRepository:
  passwordDecryption:

Default FIDO Credential Display Name Change Flow

Description

Simple configuration for a FIDO credential display name change self-service flow.

The following steps are automatically generated:

  • A FIDO Credential Selection Step.
  • A FIDO Credential Display Name Change Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultFidoCredentialDisplayNameChangeFlowConfig
May be used by
License-Tags
FIDO
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
FIDO Settings (fidoSettings)
Description
Settings for FIDO.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultFidoCredentialDisplayNameChangeFlowConfig
id: DefaultFidoCredentialDisplayNameChangeFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  fidoSettings:
  flowId:

Default FIDO Credential Removal Flow

Description

Simple configuration for a FIDO credential removal self-service flow.

The following steps are automatically generated:

  • A Delete FIDO Credential Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultFidoCredentialDeletionFlowConfig
May be used by
License-Tags
FIDO
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
FIDO Settings (fidoSettings)
Description
Settings for FIDO.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allow Deleting Last Credential (allowDeletingLastCredential)
Description
If enabled, the last credential can be deleted. This can leave the user without a means to log in again.
Attributes
Boolean
Optional
Default value
false
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. The "Access Condition" of this flow is not configurable: it is always the FIDO Credential Removal Possible condition, which honours the "Allow Deleting Last Credential" property. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultFidoCredentialDeletionFlowConfig
id: DefaultFidoCredentialDeletionFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  allowDeletingLastCredential: false
  authorizationCondition:
  fidoSettings:
  flowId:

Default mTAN Deletion Flow

Description

Simple configuration for an mTAN number deletion self-service flow.

The following steps are automatically generated:

  • A Delete mTAN Number Initiation Step.
  • An Apply Changes Step

The access condition for the flow is always an mTAN Number Deletion Possible condition, configured by the "Allow Deleting Last Number" property; it cannot be replaced.

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultMtanDeletionFlowConfig
May be used by
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
mTAN Settings (mtanSettings)
Description
Settings for handling mTAN numbers.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allow Deleting Last Number (allowDeletingLastNumber)
Description
If enabled, the last number can be deleted. This can leave the user without a means to log in again.
Attributes
Boolean
Optional
Default value
false
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. The "Access Condition" of this flow is not configurable: it is always the mTAN Number Deletion Possible condition. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultMtanDeletionFlowConfig
id: DefaultMtanDeletionFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  allowDeletingLastNumber: false
  authorizationCondition:
  flowId:
  mtanSettings:
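
The access condition / authorization condition semantics repeated throughout these flow configurations, and the fixed "deletion possible" access condition of the FIDO Credential Removal and mTAN Deletion flows, as an added illustration that is not Airlock IAM code: the condition predicates, the `Authentee` fields, the flow objects and the step-up simulation are assumptions made for this example. What it takes from the reference is the evaluation order (access before authorization), the two 403 error codes, and the rule that the last credential or number may only be deleted when the corresponding "Allow Deleting Last ..." property is enabled.

```python
"""Access condition vs. authorization condition for a protected self-service flow.

Added illustration, not Airlock IAM code. The predicates, the Authentee fields
and the flows below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

# Error codes named in the reference text for the two 403 responses.
PRECONDITION_NOT_FULFILLED = "PRECONDITION_NOT_FULFILLED"
NOT_AUTHORIZED = "NOT_AUTHORIZED"


@dataclass
class Authentee:
    """Constructed stand-in for the session state of the logged-in user."""
    roles: Set[str] = field(default_factory=set)   # static roles
    tags: Set[str] = field(default_factory=set)    # tags gained by completed auth flows
    fido_credentials: int = 0                      # registered FIDO credentials
    mtan_numbers: int = 0                          # registered mTAN numbers


Condition = Callable[[Authentee], bool]


def has_role(role: str) -> Condition:
    """Typical access condition: a static role (assumed predicate)."""
    return lambda a: role in a.roles


def has_tag(tag: str) -> Condition:
    """Typical authorization condition: a tag obtained by an authentication flow."""
    return lambda a: tag in a.tags


def deletion_possible(count_attr: str, allow_deleting_last: bool) -> Condition:
    """Models the fixed access condition of the deletion flows
    (FIDO Credential Removal Possible / mTAN Number Deletion Possible):
    there must be something to delete, and the last entry may only go
    when the 'Allow Deleting Last ...' property is enabled."""
    def check(a: Authentee) -> bool:
        n = getattr(a, count_attr)
        return n > 1 or (n == 1 and allow_deleting_last)
    return check


@dataclass
class ProtectedFlow:
    flow_id: str
    access_condition: Optional[Condition] = None        # None: no restriction
    authorization_condition: Optional[Condition] = None

    def evaluate(self, a: Authentee) -> Tuple[int, Optional[str]]:
        """Return (HTTP status, error code); (200, None) means the flow may start.

        The access condition is always checked first, so a user failing both
        conditions sees PRECONDITION_NOT_FULFILLED, never NOT_AUTHORIZED."""
        if self.access_condition is not None and not self.access_condition(a):
            return 403, PRECONDITION_NOT_FULFILLED
        if self.authorization_condition is not None and not self.authorization_condition(a):
            return 403, NOT_AUTHORIZED
        return 200, None


def evaluate_with_step_up(flow: ProtectedFlow, a: Authentee, step_up_tag: str) -> List[Tuple[int, Optional[str]]]:
    """Client-side view: only NOT_AUTHORIZED is worth retrying after a step-up;
    PRECONDITION_NOT_FULFILLED cannot be fixed by authenticating again.
    Returns every (status, code) result seen."""
    results = [flow.evaluate(a)]
    if results[0] == (403, NOT_AUTHORIZED):
        a.tags.add(step_up_tag)          # simulates completing the step-up flow
        results.append(flow.evaluate(a))
    return results


if __name__ == "__main__":
    delete_fido = ProtectedFlow("delete-fido",
                                deletion_possible("fido_credentials", allow_deleting_last=False),
                                has_tag("strong-auth"))
    print(evaluate_with_step_up(delete_fido, Authentee(fido_credentials=2), "strong-auth"))
    print(evaluate_with_step_up(delete_fido, Authentee(fido_credentials=1), "strong-auth"))
```

The second call in the demo shows why the distinction matters operationally: a user holding only one FIDO credential is stopped by the access condition, and no amount of step-up authentication changes that while "Allow Deleting Last Credential" is false.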

Default mTAN Token Edit Flow

Description

Simple configuration for an mTAN token editing self-service flow.

The following steps are automatically generated:

  • A Select mTAN Token Step.
  • An mTAN Token Edit Step (step ID "edit-mtan") to edit the mTAN number and optionally also the label.
  • A Selection Step with an optional mTAN Verification Step (if the number has been edited)
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultMtanTokenEditFlowConfig
May be used by
License-Tags
mTan
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
mTAN Settings (mtanSettings)
Description
Defines the settings for mTAN.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Label Editable (labelEditable)
Description
If enabled, the label can be edited in this flow.
Attributes
Boolean
Optional
Default value
true
Message Provider (messageProvider)
Description
Creates the message for the verification SMS.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultMtanTokenEditFlowConfig
id: DefaultMtanTokenEditFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  flowId:
  labelEditable: true
  messageProvider:
  mtanSettings:

Default mTAN Token Registration Flow

Description

Simple configuration for an mTAN token registration self-service flow.

The following steps are automatically generated:

  • An mTAN Token Registration Step (step ID "register-mtan") to register the mTAN number and optionally also a label.
  • An mTAN Verification Step to verify the new number by sending and verifying an OTP
  • An Apply Changes Step

The access condition for the flow is always the "mTAN Number Registration Possible" condition.

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultMtanTokenRegistrationFlowConfig
May be used by
License-Tags
mTan
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
mTAN Settings (mtanSettings)
Description
Defines the settings for mTAN.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Label Registration (labelRegistration)
Description
If enabled, the label can also be set in this flow.
Attributes
Boolean
Optional
Default value
true
Message Provider (messageProvider)
Description
Creates the message for the verification SMS.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultMtanTokenRegistrationFlowConfig
id: DefaultMtanTokenRegistrationFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  authorizationCondition:
  flowId:
  labelRegistration: true
  messageProvider:
  mtanSettings:

Default OAuth 2.0 Consent Deny Flow

Description

Simple configuration for an OAuth 2.0 Consent Deny Self-Service Flow.

The following steps are automatically generated:

  • An OAuth 2.0 Consent Deny Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultOAuth2DenyConsentFlowConfig
May be used by
License-Tags
OAuthServer
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
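The distinction between the two conditions is easiest to see in their evaluation order: the access condition is checked first and a failure there cannot be repaired within the session, whereas an authorization failure is expected to go away once a step-up flow has granted the missing tag. The following Python model is an added example (not code from Airlock IAM) that reproduces exactly that ordering and the two documented 403 error codes; the role and tag names ("customer", "pw-authenticated", "mtan-verified", "airlock2fa-verified") are assumed for illustration and the condition combinators are a simplified stand-in for the condition plugins a flow would reference.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed model of the caller: static roles come from the user record,
# tags are obtained by completing authentication flows in this session.
@dataclass
class Session:
    roles: Set[str] = field(default_factory=set)
    tags: Set[str] = field(default_factory=set)

Condition = Callable[[Session], bool]

# Simplified stand-ins for condition plugins (assumed for this example).
def has_role(role: str) -> Condition:
    return lambda s: role in s.roles

def has_tag(tag: str) -> Condition:
    return lambda s: tag in s.tags

def all_of(*conds: Condition) -> Condition:
    return lambda s: all(c(s) for c in conds)

def any_of(*conds: Condition) -> Condition:
    return lambda s: any(c(s) for c in conds)

@dataclass(frozen=True)
class FlowAccess:
    access_condition: Optional[Condition] = None
    authorization_condition: Optional[Condition] = None

    def check(self, session: Session) -> Tuple[int, Optional[str]]:
        """Documented order: access condition first, then authorization condition.
        Returns (HTTP status, error code); an unset condition always passes."""
        if self.access_condition is not None and not self.access_condition(session):
            return 403, "PRECONDITION_NOT_FULFILLED"
        if self.authorization_condition is not None and not self.authorization_condition(session):
            return 403, "NOT_AUTHORIZED"
        return 200, None

def step_up(session: Session, tag: str) -> Session:
    """Model of completing a step-up authentication flow that grants one tag."""
    return Session(roles=set(session.roles), tags=session.tags | {tag})

def demo() -> Dict[str, Tuple[int, Optional[str]]]:
    # Access: the static role "customer". Authorization: password factor plus
    # one of two second factors, expressed as a combination of tags.
    flow = FlowAccess(
        access_condition=has_role("customer"),
        authorization_condition=all_of(
            has_tag("pw-authenticated"),
            any_of(has_tag("mtan-verified"), has_tag("airlock2fa-verified")),
        ),
    )
    guest = Session(roles={"guest"}, tags={"pw-authenticated"})
    customer = Session(roles={"customer"}, tags={"pw-authenticated"})
    return {
        "guest": flow.check(guest),
        # A step-up grants a tag, but it cannot repair a failed access condition.
        "guest_after_step_up": flow.check(step_up(guest, "mtan-verified")),
        "customer": flow.check(customer),
        "customer_after_step_up": flow.check(step_up(customer, "mtan-verified")),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} -> {result}")
```

The guest never gets past PRECONDITION_NOT_FULFILLED no matter how many step-ups are completed, which is why a client should only offer a step-up when it sees NOT_AUTHORIZED.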
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultOAuth2DenyConsentFlowConfig
id: DefaultOAuth2DenyConsentFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  flowId:

Default OAuth 2.0 Consent Grant Flow

Description

Simple configuration for an OAuth 2.0 Consent Grant Self-Service Flow.

The following steps are automatically generated:

  • An OAuth 2.0 Consent Grant Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultOAuth2GrantConsentFlowConfig
May be used by
License-Tags
OAuthServer
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultOAuth2GrantConsentFlowConfig
id: DefaultOAuth2GrantConsentFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  flowId:

Default OAuth 2.0 Consents Delete Flow

Description

Simple configuration for an OAuth 2.0 Consents Delete Self-Service Flow.

The following steps are automatically generated:

  • An OAuth 2.0 Consents Delete Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultOAuth2DeleteConsentsFlowConfig
May be used by
License-Tags
OAuthServer
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultOAuth2DeleteConsentsFlowConfig
id: DefaultOAuth2DeleteConsentsFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  flowId:

Default OAuth 2.0 Session Deletion Flow

Description

Simple configuration for an OAuth 2.0 session deletion self-service flow.

The following steps are automatically generated:

  • A Delete OAuth 2.0 Session Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultOAuth2DeleteSessionFlowConfig
May be used by
License-Tags
OAuthServer
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultOAuth2DeleteSessionFlowConfig
id: DefaultOAuth2DeleteSessionFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  flowId:

Default Password Repository

Description
Accesses the password of the in-memory user, which is automatically loaded at the start and saved at the end of each request by the standard flow mechanisms.
Class
com.airlock.iam.authentication.application.configuration.password.repository.InMemoryPasswordRepositoryConfig
May be used by
Properties
Allowed Password Validity Duration (allowedPasswordValidityDuration)
Description
The number of days a password may be used before it must be changed.

If a password is changed, the 'latest password change timestamp' is set and, if this property is defined, the 'next enforced password change timestamp' is updated.

If this property is not defined, the 'next enforced password change timestamp' is not updated.

Attributes
Integer
Optional
Hash Function (hashFunction)
Description
The password hash function used for verification and when storing a new password.

Note that the password hash function may or may not support password history checks. If the configured password hash function does not support password history checks but a policy checker requires this capability, an exception is thrown when trying to change a password.

NOTE: Some password hashes, such as SHA 256 Password Hash or Scrypt Password Hash, produce binary output. If one of these is used, make sure the persistence layer supports binary data in the hash field and the corresponding persistence plugins (e.g. Database User Store or Ldap Connector) are configured to treat hash values as binary values.
In case the persistence layer expects a string, encode the password hash by wrapping it with an encoder. To achieve this, use the Password Hash Configuration plugin and specify the hash function (such as Scrypt Password Hash) together with the desired encoder. We recommend using the Base64 Password Hash Encoder.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Legacy Hash Functions (legacyHashFunctions)
Description

If the password cannot be verified using the main "Hash Function" above, all hashes in this list are tried as well. If any hash of this list matches, the password is stored using the current main hash function (see property "Hash Function"). In this case, a potential password history is lost.

This feature allows changing the password hash function with automatic migration of all users that log in.

Note that a legacy hash function in this list whose output has the same length as that of the main hash function can pose a security risk: because each function in the list is tried against the same stored value, a digest written by the strong main function might also be matched by an attacker who provokes a match under the weaker legacy hash.

Attributes
Plugin-List
Optional
Assignable plugins
Use Latin1 Encoding (useLatin1Encoding)
Description

If enabled, passwords containing special characters that were stored by IAM versions earlier than 6.3 are still accepted. This option does not have to be activated if all passwords were set using IAM 6.3 or later, or if all passwords were set via web services or REST.

To support legacy passwords, those with special characters are additionally checked using their legacy encoding in latin1 and if matching, they are rehashed and stored using the current hash function. In this case, a potential password history is lost.

Attributes
Boolean
Optional
Default value
false
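The "Legacy Hash Functions" and "Use Latin1 Encoding" properties above describe the same migrate-on-login pattern: verify with the current function and encoding first, fall back to the legacy combinations, and on a legacy match rehash with the current function (losing any password history). The Python below is an added example written for this page, not Airlock IAM's implementation; the concrete functions (PBKDF2-SHA256 as main, unsalted SHA-1 and SHA-256 as legacy), the in-memory record store and the decision to reject rather than merely warn about a same-length legacy hash are assumptions chosen to make the documented caveats visible.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Hash function signature used by this example: (password bytes, salt) -> digest.
HashFn = Callable[[bytes, bytes], bytes]

def pbkdf2_sha256(pw: bytes, salt: bytes) -> bytes:
    """Assumed main hash function (32-byte output)."""
    return hashlib.pbkdf2_hmac("sha256", pw, salt, 100_000, dklen=32)

def legacy_sha1(pw: bytes, salt: bytes) -> bytes:
    """Assumed legacy unsalted SHA-1 (20 bytes); kept only for migration."""
    return hashlib.sha1(pw).digest()

def legacy_sha256(pw: bytes, salt: bytes) -> bytes:
    """Assumed legacy unsalted SHA-256: 32 bytes, same length as the main digest."""
    return hashlib.sha256(pw).digest()

@dataclass
class PasswordRecord:
    digest: bytes
    salt: bytes
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest)

class PasswordRepository:
    def __init__(self, hash_function: HashFn, legacy_hash_functions=(), use_latin1_encoding=False):
        self.hash_function = hash_function
        self.legacy_hash_functions = list(legacy_hash_functions)
        self.use_latin1_encoding = use_latin1_encoding
        self.records: Dict[str, PasswordRecord] = {}
        # Stricter than the documented warning (assumption): refuse a legacy
        # hash whose output length equals the main hash's, since both are
        # tried against the same stored value.
        probe, salt = b"probe", bytes(16)
        main_len = len(hash_function(probe, salt))
        for fn in self.legacy_hash_functions:
            if len(fn(probe, salt)) == main_len:
                raise ValueError(f"legacy hash {fn.__name__} has the same output length as the main hash")

    def set_password(self, username: str, password: str) -> None:
        """Regular password change: main hash, UTF-8, history kept."""
        old = self.records.get(username)
        salt = os.urandom(16)
        history = old.history + [(old.salt, old.digest)] if old else []
        self.records[username] = PasswordRecord(self.hash_function(password.encode("utf-8"), salt), salt, history)

    def import_legacy_record(self, username: str, digest: bytes, salt: bytes = b"") -> None:
        """Seed a record as an old installation would have stored it."""
        self.records[username] = PasswordRecord(digest, salt)

    def _candidate_encodings(self, password: str) -> List[bytes]:
        out = [password.encode("utf-8")]
        if self.use_latin1_encoding and not password.isascii():
            try:
                out.append(password.encode("latin-1"))  # legacy encoding, pre-6.3 style
            except UnicodeEncodeError:
                pass
        return out

    def verify(self, username: str, password: str) -> str:
        """Returns "OK", "OK_MIGRATED" or "FAIL"."""
        rec = self.records.get(username)
        if rec is None:
            return "FAIL"
        current = password.encode("utf-8")
        if hmac.compare_digest(self.hash_function(current, rec.salt), rec.digest):
            return "OK"
        # Every other (function, encoding) combination counts as a legacy match.
        for fn in [self.hash_function, *self.legacy_hash_functions]:
            for pw in self._candidate_encodings(password):
                if fn is self.hash_function and pw == current:
                    continue
                if hmac.compare_digest(fn(pw, rec.salt), rec.digest):
                    salt = os.urandom(16)  # rehash with the main function; history is lost
                    self.records[username] = PasswordRecord(self.hash_function(current, salt), salt, history=[])
                    return "OK_MIGRATED"
        return "FAIL"

def same_length_legacy_rejected() -> bool:
    try:
        PasswordRepository(pbkdf2_sha256, [legacy_sha256])
    except ValueError:
        return True
    return False
```

hmac.compare_digest returns False for digests of different length without raising, so a 20-byte legacy digest is never confused with a 32-byte main digest; the constructor check exists precisely for the case where the lengths coincide.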
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.password.repository.InMemoryPasswordRepositoryConfig
id: InMemoryPasswordRepositoryConfig-xxxxxx
displayName: 
comment: 
properties:
  allowedPasswordValidityDuration:
  hashFunction:
  legacyHashFunctions:
  useLatin1Encoding: false

Default Password Reset Restrictions

Description

Default restrictions for password reset flows. Currently, they are (in this order):

  • Nonexistent User Restriction
  • Invalid User Restriction
  • Locked User Restriction

By default, these restrictions do not report violations and therefore prevent user enumeration. To include custom restrictions or to configure restrictions for other types of self-service flows, the "Custom Public Self-Service Restrictions" plugin can be used.

Class
com.airlock.iam.publicselfservice.application.configuration.restrictions.DefaultPasswordResetRestrictionsConfig
May be used by
Properties
Allow Locked User (allowLockedUser)
Description

If enabled, users that are locked because of too many failed password checks (lock reason "LockReason.TooManyAuthAtts.PASSWORD") are allowed to perform a password reset flow. Locked users with any other lock reason cannot reset their password. To allow other lock reasons, use the "Locked User Restriction" plugin with "Custom Public Self-Service Restrictions".

Attributes
Boolean
Optional
Default value
false
Nonexistent User Feedback (nonexistentUserFeedback)
Description

If enabled, nonexistent users attempting to start a password reset flow receive an error response with error code "USER_NOT_FOUND". Otherwise, the flow would also continue for nonexistent users but fail in the verification step (to protect against user enumeration).

Security consideration: Enabling feedback on restriction violations can increase usability but it weakens or disables the user enumeration protection.

Attributes
Boolean
Optional
Default value
false
Invalid User Feedback (invalidUserFeedback)
Description

If enabled, invalid users attempting to start a password reset flow receive an error response with error code "USER_INVALID". Otherwise, the flow would also continue for invalid users, but fail in the verification step (to protect against user enumeration).

Security consideration: Enabling feedback on restriction violations can increase usability but it weakens or disables the user enumeration protection.

Attributes
Boolean
Optional
Default value
false
Locked User Feedback (lockedUserFeedback)
Description

If enabled, locked users attempting to start a password reset flow receive an error response with error code "USER_LOCKED". Otherwise, the flow would also continue for locked users but fail in the verification step (to protect against user enumeration).

Security consideration: Enabling feedback on restriction violations can increase usability but it weakens or disables the user enumeration protection.

Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.publicselfservice.application.configuration.restrictions.DefaultPasswordResetRestrictionsConfig
id: DefaultPasswordResetRestrictionsConfig-xxxxxx
displayName: 
comment: 
properties:
  allowLockedUser: false
  invalidUserFeedback: false
  lockedUserFeedback: false
  nonexistentUserFeedback: false

Default Persistency-less Authentication Processors

Description

This plugin automatically configures a list of essential flow processors for a persistency-less authentication flow. The processors are configured in this order:

  1. User Identification Processor
  2. Default Authentication Processor
  3. Factor Use Reporting Processor
  4. Renew Session ID Processor
  5. User Validity Processor
  6. Set UI Tenant ID Processor
When using a persistency-less authentication flow, it is recommended to use this "Default Persistency-less Authentication Processors" plugin.
Class
com.airlock.iam.authentication.application.configuration.processor.DefaultPersistencyLessAuthenticationProcessorsConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.processor.DefaultPersistencyLessAuthenticationProcessorsConfig
id: DefaultPersistencyLessAuthenticationProcessorsConfig-xxxxxx
displayName: 
comment: 
properties:

Default Persistency-less Protected Self-Service Processors

Description

This plugin automatically configures a list of essential flow processors for a persistency-less self-service flow. The processors are configured in this order:

  1. Factor Use Reporting Processor
  2. User Validity Processor
  3. Renew Session ID Processor
  4. Set UI Tenant ID Processor
When using a persistency-less self-service flow, it is recommended to use this "Default Persistency-less Protected Self-Service Processors" plugin.
Class
com.airlock.iam.selfservice.application.configuration.processor.DefaultPersistencyLessSelfServiceProcessorsConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.processor.DefaultPersistencyLessSelfServiceProcessorsConfig
id: DefaultPersistencyLessSelfServiceProcessorsConfig-xxxxxx
displayName: 
comment: 
properties:

Default Protected Self-Service Processors

Description
This plugin automatically configures the essential flow processors for self-services.

The processors are configured in this order:

  1. Factor Use Reporting Processor
  2. Failed Factor Attempts Processor (with lenient counting)
  3. User Validity Processor
  4. Renew Session ID Processor
  5. Device Usage Processor
  6. Set UI Tenant ID Processor
Class
com.airlock.iam.selfservice.application.configuration.processor.DefaultSelfServiceProcessorsConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.processor.DefaultSelfServiceProcessorsConfig
id: DefaultSelfServiceProcessorsConfig-xxxxxx
displayName: 
comment: 
properties:

Default Public Self-Service Processors

Description
This plugin automatically configures the essential flow processors for public self-service flows.

The processors are configured in this order:

  1. CAPTCHA Processor
  2. User Identification Processor
  3. Factor Use Reporting Processor
  4. Failed Factor Attempts Processor (with lenient counting)
  5. Public Self-Service Allowed Processor
  6. Renew Session ID Processor
  7. Device Usage Processor
  8. Set UI Tenant ID Processor

To use custom processors or flows where these processors are not appropriate, use the "Custom Flow Processors".

Class
com.airlock.iam.publicselfservice.application.configuration.processors.DefaultPublicSelfServiceProcessorsConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.publicselfservice.application.configuration.processors.DefaultPublicSelfServiceProcessorsConfig
id: DefaultPublicSelfServiceProcessorsConfig-xxxxxx
displayName: 
comment: 
properties:

Default Remember-Me Device Deletion Flow

Description

Simple configuration for a Remember-Me device deletion self-service flow.

The following steps are automatically generated:

  • A Delete Remember-Me Device Initiation Step
  • An Apply Remember-Me Device Deletion

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultRememberMeDeviceDeletionFlowConfig
May be used by
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Remember-Me Settings (rememberMeConfig)
Description
Common configuration for the Remember-Me feature.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description

Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication.

Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.flow.DefaultRememberMeDeviceDeletionFlowConfig
id: DefaultRememberMeDeviceDeletionFlowConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  flowId:
  rememberMeConfig:

Default Self-Unlock Restrictions

Description

Default restrictions for self-unlock flows. Currently, they are (in this order):

  • Nonexistent User Restriction
  • Invalid User Restriction
  • Locked User Restriction (only users with one of the configured "Allowed Lock Reasons" are allowed to perform self-unlock. Users that are not locked may still perform a self-unlock flow.)
  • Too Many Unlocks Restriction

By default, these restrictions do not report violations and therefore prevent user enumeration. To include custom restrictions or to configure restrictions for other types of self-service flows, the "Custom Public Self-Service Restrictions" plugin can be used.

Class
com.airlock.iam.publicselfservice.application.configuration.restrictions.DefaultSelfUnlockRestrictionsConfig
May be used by
Properties
Nonexistent User Feedback (nonexistentUserFeedback)
Description

If enabled, nonexistent users attempting to start a self-unlock flow receive an error response with error code "USER_NOT_FOUND". Otherwise, the flow would also continue for nonexistent users but fail in the verification step (to protect against user enumeration).

Security consideration: Enabling feedback on restriction violations can increase usability but it weakens or disables the user enumeration protection.

Attributes
Boolean
Optional
Default value
false
Invalid User Feedback (invalidUserFeedback)
Description

If enabled, invalid users attempting to start a self-unlock flow receive an error response with error code "USER_INVALID". Otherwise, the flow would also continue for invalid users, but fail in the verification step (to protect against user enumeration).

Security consideration: Enabling feedback on restriction violations can increase usability but it weakens or disables the user enumeration protection.

Attributes
Boolean
Optional
Default value
false
Locked User Feedback (lockedUserFeedback)
Description

If enabled, locked users attempting to start a self-unlock flow receive an error response with error code "USER_LOCKED". Otherwise, the flow would also continue for locked users but fail in the verification step (to protect against user enumeration).

Security consideration: Enabling feedback on restriction violations can increase usability but it weakens or disables the user enumeration protection.

Attributes
Boolean
Optional
Default value
false
Too Many Unlock Feedback (tooManyUnlockFeedback)
Description

If enabled and the 'Public Self-Service Flow Settings' configuration has a 'Max Number of Unlocks' limit configured, locked users who have already exceeded that limit receive an error response with error code "TOO_MANY_UNLOCKS" when attempting to start a self-unlock flow. Otherwise, the flow would also continue for these users but fail in the verification step (to protect against user enumeration).

Security consideration: Enabling feedback on restriction violations can increase usability but it weakens or disables the user enumeration protection.

Attributes
Boolean
Optional
Default value
false
Allowed Lock Reasons (allowedLockReasons)
Description

List of lock reasons that still allow the user to perform the self-unlock. Locked users with any lock reason not listed here will be rejected.

Note that a user is not automatically unlocked after a successful public self-service. A "Unlock User Step (Public Self-Service)" step has to be configured to perform this task.

Attributes
String-List
Optional
Default value
[LockReason.TooManyAuthAtts.PASSWORD]
YAML Template (with default values)

type: com.airlock.iam.publicselfservice.application.configuration.restrictions.DefaultSelfUnlockRestrictionsConfig
id: DefaultSelfUnlockRestrictionsConfig-xxxxxx
displayName: 
comment: 
properties:
  allowedLockReasons: [LockReason.TooManyAuthAtts.PASSWORD]
  invalidUserFeedback: false
  lockedUserFeedback: false
  nonexistentUserFeedback: false
  tooManyUnlockFeedback: false
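The following is an added illustration, not Airlock IAM code: a small model of the decision the four feedback properties make when a self-unlock flow is started, together with a probe that shows what an unauthenticated caller can distinguish. Property names follow the YAML template above; the User model, the "LockReason.Other" string, the max_unlocks parameter (standing in for 'Max Number of Unlocks') and the function names are assumptions for illustration only.

```python
# Added example, not Airlock IAM code: models the decision the Default Self-Unlock
# Restrictions make when a self-unlock flow is started. Property names follow the
# YAML template; the User model, the "LockReason.Other" string and the function
# names are assumptions for illustration only.
from dataclasses import dataclass, field
from typing import List, Optional, Set

DEFAULT_ALLOWED_LOCK_REASONS = ["LockReason.TooManyAuthAtts.PASSWORD"]
CONTINUE = "CONTINUE"   # flow proceeds; ineligible users fail later in the verification step


@dataclass
class User:
    username: str
    exists: bool = True
    valid: bool = True                       # assumed notion of "valid" (not disabled/expired)
    lock_reason: Optional[str] = None        # None: the user is not locked
    unlock_count: int = 0                    # self-unlocks already performed


@dataclass
class SelfUnlockRestrictions:
    nonexistentUserFeedback: bool = False
    invalidUserFeedback: bool = False
    lockedUserFeedback: bool = False
    tooManyUnlockFeedback: bool = False
    allowedLockReasons: List[str] = field(default_factory=lambda: list(DEFAULT_ALLOWED_LOCK_REASONS))


def start_self_unlock(user: User, cfg: SelfUnlockRestrictions, max_unlocks: Optional[int] = None) -> str:
    """Return the error code reported at flow start, or CONTINUE when no violation is reported.

    max_unlocks stands in for 'Max Number of Unlocks' of the Public Self-Service Flow Settings.
    """
    if not user.exists:
        return "USER_NOT_FOUND" if cfg.nonexistentUserFeedback else CONTINUE
    if not user.valid:
        return "USER_INVALID" if cfg.invalidUserFeedback else CONTINUE
    if user.lock_reason is not None and user.lock_reason not in cfg.allowedLockReasons:
        return "USER_LOCKED" if cfg.lockedUserFeedback else CONTINUE
    if max_unlocks is not None and user.lock_reason is not None and user.unlock_count >= max_unlocks:
        return "TOO_MANY_UNLOCKS" if cfg.tooManyUnlockFeedback else CONTINUE
    return CONTINUE   # not locked, or locked for an allowed reason: the flow may proceed


def observable_responses(cfg: SelfUnlockRestrictions, max_unlocks: int = 3) -> Set[str]:
    """Distinct flow-start responses an unauthenticated caller can observe across user states.

    A single-element set means the start request leaks nothing about account existence or state.
    """
    probes = [                                                  # constructed sample accounts
        User("ghost", exists=False),
        User("disabled", valid=False),
        User("admin-locked", lock_reason="LockReason.Other"),   # assumed reason string
        User("pw-locked", lock_reason=DEFAULT_ALLOWED_LOCK_REASONS[0]),
        User("exhausted", lock_reason=DEFAULT_ALLOWED_LOCK_REASONS[0], unlock_count=5),
        User("alice"),
    ]
    return {start_self_unlock(u, cfg, max_unlocks) for u in probes}


if __name__ == "__main__":
    print("defaults:", observable_responses(SelfUnlockRestrictions()))
    print("all feedback on:", observable_responses(SelfUnlockRestrictions(True, True, True, True)))
```

With the defaults every probe yields the same start response, so existence, validity and lock state are only learnable by someone who can also pass the verification step. Each feedback flag that is switched on adds one distinguishable response, which is exactly the enumeration oracle the security consideration warns about.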

Default TAN Service

Description
Default implementation of the Tan Service extension point.
This plugin provides TAN service functionality for TAN list and matrix card authentication.
Class
com.airlock.iam.core.misc.impl.tanserver.DefaultTanService
May be used by
License-Tags
Matrixcard
Properties
Token List Persister (tokenListPersister)
Description
Name of the token list persister plugin used by this plugin to read and write token list information.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Token Alphabet (tokenAlphabet)
Description
Defines the alphabet (or set of characters) of which a token is composed.
Attributes
Enum
Mandatory
Token Length (tokenLength)
Description
Specifies the length of each token on the token list.
Attributes
Integer
Mandatory
Tokens Per List (tokensPerList)
Description
Specifies the total number of tokens per token list.
Attributes
Integer
Mandatory
Reuse Challenge Tokens (reuseChallengeTokens)
Description
When this plugin is used for challenge response authentication (with matrix cards or indexed token lists), this property specifies if tokens may be reused in future challenges. If set to false a single token will never be re-challenged. As a result, the space of remaining tokens will decrease with each successful challenge response.
Attributes
Boolean
Optional
Default value
true
Index Positions Per Challenge (indexPositionsPerChallenge)
Description
When this plugin is used for challenge response authentication (with matrix cards or indexed token lists), this property specifies the number of indices (or matrix coordinates) to return in a challenge.
Attributes
Integer
Mandatory
Hash Function (hashFunction)
Description
Specifies the hash function plugin used by this plugin to produce the hash values of the tokens. Using an insecure hash function (such as the IdentityPasswordHash plugin) results in a potential security vulnerability, because the token lists could easily be reconstructed from the stored hash values.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Low On Tokens Threshold (lowOnTokensThreshold)
Description
Specifies the number of unused (remaining) tokens which indicates that a new list should be generated. When the threshold is reached, a new list is ordered, but not yet generated. Generating a new list is handled by a task (normally the TanBatchTask). The value -1 turns this feature off (no threshold).
Attributes
Integer
Mandatory
Event Source Name (eventSourceName)
Description
String used as event source name for events generated by this service. The event source name is included in events such that events from different sources (for example different tan service instances) can be distinguished.
Attributes
String
Optional
Example
Instance A
Example
Prod
Example
Test
Event Notificator (eventNotificator)
Description
Defines the event notificator that should be informed if a user is low on tokens (see configuration property low-on-tokens-threshold). The event notificator can then handle the event by (for example) sending an email to somebody or starting some asynchronous processing.
Leaving this property unset results in no notification events being generated.
Attributes
Plugin-Link
Optional
Assignable plugins
Activate New List With First Usage (activateNewListWithFirstUsage)
Description
This property is only relevant for token lists (and not for challenge-response matrix cards or indexed lists). For matrix cards and indexed lists, this feature is always activated.
If this property is set to TRUE and there are both an active and a new list, the new list can be activated at any time by using it. If the property is FALSE (default), the new list is only activated after the active list has expired or all of its tokens have been used.
Attributes
Boolean
Optional
Default value
false
Max List Validity (maxListValidity)
Description
Specifies the number of days a token list is valid after its generation. After the period has elapsed, the list can no longer be used and is replaced by the new token list (if there is any). If there is no new list, the list is deleted.
If the value -1 is used, the token list does not expire.
Attributes
Long
Optional
Default value
-1
Ignore Token Case (ignoreTokenCase)
Description
If set to true the case of characters is ignored when checking tokens.
Attributes
Boolean
Optional
Default value
false
Max Token Length (maxTokenLength)
Description
The maximum length of a token entered by the user. If the property ignoreTokenCase is set to true, all combinations of lowercase and uppercase characters are generated (up to 2^n variants for an n-character token) and checked against the stored hash value of the token. If a user enters a very long token, generating all combinations takes a significant amount of time. To prevent the system from being slowed down by this generation, this property has to be configured if the property ignoreTokenCase is set to true.
Attributes
Integer
Optional
Default value
10
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.tanserver.DefaultTanService
id: DefaultTanService-xxxxxx
displayName: 
comment: 
properties:
  activateNewListWithFirstUsage: false
  eventNotificator:
  eventSourceName:
  hashFunction:
  ignoreTokenCase: false
  indexPositionsPerChallenge:
  lowOnTokensThreshold:
  maxListValidity: -1
  maxTokenLength: 10
  reuseChallengeTokens: true
  tokenAlphabet:
  tokenLength:
  tokenListPersister:
  tokensPerList:
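The following is an added illustration, not Airlock IAM code: a toy indexed token list / matrix card service that exercises the properties described above (tokenAlphabet, tokenLength, tokensPerList, indexPositionsPerChallenge, reuseChallengeTokens, lowOnTokensThreshold, ignoreTokenCase, maxTokenLength). Salted SHA-256 is an assumption standing in for the configured hash function plugin; the persister, the event notificator, the alphabet and IAM's real storage format are not modelled.

```python
# Added example, not Airlock IAM code: a toy indexed token list / matrix card service
# that exercises the Default TAN Service properties. Salted SHA-256 is an assumption
# standing in for the configured hash function plugin; persister, notificator and
# IAM's real storage format are not modelled.
import hashlib
import itertools
import random
import secrets
from typing import List

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # constructed alphabet without 0/O and 1/I


def generate_list(alphabet: str, token_length: int, tokens_per_list: int, rng=None) -> List[str]:
    """Plaintext tokens as printed on the user's list or matrix card (never persisted)."""
    rng = rng or secrets.SystemRandom()
    return ["".join(rng.choice(alphabet) for _ in range(token_length)) for _ in range(tokens_per_list)]


def hash_token(token: str, salt: bytes) -> str:
    # Assumed hash function. An identity "hash" would persist the tokens in clear, so a
    # dump of the persister would reconstruct every unused token of every user.
    return hashlib.sha256(salt + token.encode()).hexdigest()


class TokenList:
    def __init__(self, tokens: List[str], index_positions_per_challenge: int = 1,
                 reuse_challenge_tokens: bool = True, low_on_tokens_threshold: int = -1,
                 ignore_token_case: bool = False, max_token_length: int = 10, rng=None):
        self.salt = secrets.token_bytes(16)
        self.hashes = [hash_token(t, self.salt) for t in tokens]   # only hashes are stored
        self.used = set()                                           # indices consumed so far
        self.k = index_positions_per_challenge
        self.reuse = reuse_challenge_tokens
        self.threshold = low_on_tokens_threshold
        self.ignore_case = ignore_token_case
        self.max_len = max_token_length
        self.rng = rng or secrets.SystemRandom()
        self.low_on_tokens_events = 0   # in IAM: a new list is ordered and the notificator informed

    def remaining(self) -> List[int]:
        return [i for i in range(len(self.hashes)) if i not in self.used]

    def challenge(self) -> List[int]:
        """Indices (matrix coordinates) the user must answer with the printed tokens."""
        pool = list(range(len(self.hashes))) if self.reuse else self.remaining()
        if len(pool) < self.k:
            raise RuntimeError("token list exhausted: a new list must be generated")
        return self.rng.sample(pool, self.k)

    def _candidates(self, entered: str) -> List[str]:
        if not self.ignore_case:
            return [entered]
        if len(entered) > self.max_len:
            return []   # maxTokenLength guard: otherwise up to 2**len(entered) hashes are computed
        return ["".join(c) for c in itertools.product(*[{ch.lower(), ch.upper()} for ch in entered])]

    def verify(self, indices: List[int], entered: List[str]) -> bool:
        """Check a challenge response; on success the challenged tokens are marked as used."""
        if len(indices) != len(entered):
            return False
        for idx, token in zip(indices, entered):
            if idx in self.used and not self.reuse:
                return False   # a consumed token is never accepted again
            if not any(hash_token(c, self.salt) == self.hashes[idx] for c in self._candidates(token)):
                return False
        self.used.update(indices)
        if self.threshold >= 0 and len(self.remaining()) <= self.threshold:
            self.low_on_tokens_events += 1
        return True


def demo(seed: int = 7) -> dict:
    """Deterministic walk-through; the seeded RNG is for reproducibility only."""
    rng = random.Random(seed)
    tokens = generate_list(ALPHABET, 4, 20, rng)
    tl = TokenList(tokens, index_positions_per_challenge=2, reuse_challenge_tokens=False,
                   low_on_tokens_threshold=16, rng=rng)
    first = tl.challenge()
    first_ok = tl.verify(first, [tokens[i] for i in first])
    replay_ok = tl.verify(first, [tokens[i] for i in first])     # same answer replayed
    second = tl.challenge()
    tl.verify(second, [tokens[i] for i in second])
    ci = TokenList(tokens, ignore_token_case=True, max_token_length=4, rng=rng)
    return {
        "first_ok": first_ok,
        "replay_ok": replay_ok,
        "second_disjoint_from_first": set(second).isdisjoint(first),
        "remaining": len(tl.remaining()),
        "low_on_tokens_events": tl.low_on_tokens_events,
        "lowercase_accepted": ci.verify([0], [tokens[0].lower()]),
        "too_long_rejected": not ci.verify([1], ["a" * 5]),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible: with reuseChallengeTokens set to false the pool of challengeable positions shrinks with every successful response, which is what makes lowOnTokensThreshold necessary; and with ignoreTokenCase the verifier hashes every case variant of the entered string, so the cost of one verification is bounded only by maxTokenLength.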

Default Technical Client Registration Processors

Description
This plugin automatically configures the essential flow processors for technical client registration. Currently, only the Renew Session ID Processor is used by default.
Class
com.airlock.iam.techclientreg.application.configuration.processor.DefaultTechClientRegProcessorsConfig
May be used by
License-Tags
TechClientRegistration
Properties
YAML Template (with default values)

type: com.airlock.iam.techclientreg.application.configuration.processor.DefaultTechClientRegProcessorsConfig
id: DefaultTechClientRegProcessorsConfig-xxxxxx
displayName: 
comment: 
properties:

Default Token Data Provider

Description

Default implementation of a TokenDataProvider.

Class
com.airlock.iam.core.misc.impl.persistency.token.DefaultTokenDataProvider
May be used by
Properties
Token Persister (tokenPersister)
Description
Persister to load Tokens from persistence.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.token.DefaultTokenDataProvider
id: DefaultTokenDataProvider-xxxxxx
displayName: 
comment: 
properties:
  tokenPersister:

Default Transaction Approval Flow Processor

Description
Performs the necessary default processing for transaction approval flows.
Class
com.airlock.iam.transactionapproval.application.configuration.flow.DefaultTransactionApprovalFlowProcessorConfig
May be used by
License-Tags
TransactionApproval
Properties
YAML Template (with default values)

type: com.airlock.iam.transactionapproval.application.configuration.flow.DefaultTransactionApprovalFlowProcessorConfig
id: DefaultTransactionApprovalFlowProcessorConfig-xxxxxx
displayName: 
comment: 
properties:

Default Transaction Approval Processors Config

Description

This plugin automatically configures a list of essential flow processors, depending on the use case. Note that User Enumeration Protection and Temporary Locking cannot be used at the same time. Only one of the two is used, depending on which one is enabled.

The processors are configured in this order:

  1. User Identification Processor
  2. Default Transaction Approval Flow Processor
  3. Factor Use Reporting Processor
  4. Failed Factor Attempts Processor (with strict counting)
  5. Renew Session ID Processor
  6. User Validity Processor
  7. Unlock Attempts Reset Processor
  8. Device Usage Processor
Class
com.airlock.iam.transactionapproval.application.configuration.flow.DefaultTransactionApprovalProcessorsConfig
May be used by
License-Tags
TransactionApproval
Properties
YAML Template (with default values)

type: com.airlock.iam.transactionapproval.application.configuration.flow.DefaultTransactionApprovalProcessorsConfig
id: DefaultTransactionApprovalProcessorsConfig-xxxxxx
displayName: 
comment: 
properties:

Default User Self-Registration Processors

Description
This plugin automatically configures the essential flow processors for the user self-registration. The processors are configured in this order:
  1. CAPTCHA Processor
  2. User Self-Registration Logging Processor
  3. Renew Session ID Processor
  4. Set UI Tenant ID Processor
Class
com.airlock.iam.userselfreg.application.configuration.processor.DefaultUserSelfRegProcessorsConfig
May be used by
License-Tags
SelfRegistration
Properties
YAML Template (with default values)

type: com.airlock.iam.userselfreg.application.configuration.processor.DefaultUserSelfRegProcessorsConfig
id: DefaultUserSelfRegProcessorsConfig-xxxxxx
displayName: 
comment: 
properties:

Default X509 Factory Implementation

Description
Default implementation for the X509 factory.
Class
com.airlock.iam.core.misc.impl.cert.crl.X509FactoryConfig
May be used by
License-Tags
ClientCertificate
Properties
Grace Period In M (gracePeriodInM)
Description
Defines how long a CRL remains valid after a new CRL has become available. The duration is in minutes.
Attributes
Integer
Optional
License-Tags
ClientCertificate
Default value
10
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.cert.crl.X509FactoryConfig
id: X509FactoryConfig-xxxxxx
displayName: 
comment: 
properties:
  gracePeriodInM: 10

Delete Cronto Device Initiation Step

Description
Step to initiate the removal of a Cronto device. The actual removal will be done in the "Apply Changes Step" which requires an "Apply Cronto Device Deletion" to perform the actual deletion.
Class
com.airlock.iam.selfservice.application.configuration.step.CrontoDeviceDeletionInitiationStepConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.CrontoDeviceDeletionInitiationStepConfig
id: CrontoDeviceDeletionInitiationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Delete FIDO Credential Initiation Step

Description
Step to initiate the removal of a FIDO credential. The actual removal will be done in the "Apply Changes Step" which requires an "Apply FIDO Credential Deletion" to perform the actual deletion.
Class
com.airlock.iam.selfservice.application.configuration.step.FidoCredentialDeletionInitiationStepConfig
May be used by
License-Tags
FIDO
Properties
FIDO Settings (fidoSettings)
Description
Settings for FIDO.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.FidoCredentialDeletionInitiationStepConfig
id: FidoCredentialDeletionInitiationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  fidoSettings:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Delete mTAN Number Initiation Step

Description
Step to initiate the deletion of an mTAN number. The actual deletion will be done in the "Apply Changes Step" which requires an "Apply mTAN Deletion" to perform the actual deletion.
Class
com.airlock.iam.selfservice.application.configuration.step.MtanNumberDeletionInitiationStepConfig
May be used by
Properties
mTAN Settings (mtanSettings)
Description
Settings for handling mTAN numbers.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.MtanNumberDeletionInitiationStepConfig
id: MtanNumberDeletionInitiationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  mtanSettings:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Delete OAuth 2.0 Session Initiation Step

Description
Step to initiate the deletion of an OAuth 2.0 session. The actual removal will be done in the "Apply Changes Step" which requires an "Apply OAuth 2.0 Session Deletion" to perform the actual deletion.
Class
com.airlock.iam.selfservice.application.configuration.step.OAuth2DeleteSessionInitiationStepConfig
May be used by
License-Tags
OAuthServer
Properties
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.OAuth2DeleteSessionInitiationStepConfig
id: OAuth2DeleteSessionInitiationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Delete Remember-Me Device Initiation Step

Description
Step to initiate the deletion of a Remember-Me device. The actual deletion will be done in the "Apply Changes Step" which requires an "Apply Remember-Me Device Deletion" to perform the actual deletion.
Class
com.airlock.iam.selfservice.application.configuration.step.RememberMeDeviceDeletionInitiationStepConfig
May be used by
Properties
Remember-Me Settings (rememberMeConfig)
Description
Common configuration for the Remember-Me feature.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.RememberMeDeviceDeletionInitiationStepConfig
id: RememberMeDeviceDeletionInitiationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  rememberMeConfig:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Delete Roles

Description
Delete matching roles from the list of propagated roles.
Class
com.airlock.iam.common.application.configuration.role.DeleteRoleTransformationConfig
May be used by
Properties
Delete roles matching (patterns)
Description
A list of regular expressions. Any role in the list of propagated roles matching any of the regular expressions will be deleted.
Attributes
RegEx-List
Mandatory
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.role.DeleteRoleTransformationConfig
id: DeleteRoleTransformationConfig-xxxxxx
displayName: 
comment: 
properties:
  patterns:

Delete Users Task

Description
Deletes all users that fulfill a configurable condition.

It is up to the configured user persister to decide whether the deleted users are effectively deleted from the persistent store, or only marked as deleted.

Note that this task iterates over all users and fetches them one-by-one from the persistent store. To avoid performance issues, consider configuring the underlying user iterator with a restriction that matches the delete condition, e.g. by using an 'Additional Iterator Where Clause' when using a database user persister.

Class
com.airlock.iam.servicecontainer.app.application.configuration.task.user.DeleteUsersTask
May be used by
Properties
User Persister (userPersister)
Description
User persister plugin used to read user account data and delete if necessary.
Attributes
Plugin-Link
Mandatory
Assignable plugins
User Iterator (userIterator)
Description
The user iterator plugin used to iterate over all users.

Usually this is the same as the user persister.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Delete Condition (deleteCondition)
Description
The condition that must be true in order to delete a user.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.servicecontainer.app.application.configuration.task.user.DeleteUsersTask
id: DeleteUsersTask-xxxxxx
displayName: 
comment: 
properties:
  deleteCondition:
  userIterator:
  userPersister:

Demo Service Config

Description
A demo service that writes a log line from time to time.

There are no configuration properties.

Class
com.airlock.iam.servicecontainer.app.application.configuration.task.DemoServiceConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.servicecontainer.app.application.configuration.task.DemoServiceConfig
id: DemoServiceConfig-xxxxxx
displayName: 
comment: 
properties:

Denying Adminapp REST API Configuration

Description
Denies all access to the Adminapp REST API from clients other than the Adminapp GUI.
Class
com.airlock.iam.admin.application.configuration.DenyingAdminappRestConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.DenyingAdminappRestConfig
id: DenyingAdminappRestConfig-xxxxxx
displayName: 
comment: 
properties:

Denying Authenticator

Description
Stateless authenticator that denies all credentials responding always with an authentication failure.

There are no configuration properties.

The plugin writes its canonical class name and a short description to the context data container. The class name is stored under the key authPluginClassName, and a short description of this authentication method under the key authMethodShortDesc. This information may be used by callers.

Class
com.airlock.iam.core.misc.impl.authen.DenyingAuthenticator
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.DenyingAuthenticator
id: DenyingAuthenticator-xxxxxx
displayName: 
comment: 
properties:

Denying Request Authentication

Description
Request Authentication that always fails. Behaves as if no credential is sent with the request.
Class
com.airlock.iam.common.application.configuration.credential.DenyingRequestAuthenticationConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.credential.DenyingRequestAuthenticationConfig
id: DenyingRequestAuthenticationConfig-xxxxxx
displayName: 
comment: 
properties:

Destroy Last User Session

Description

Destroys currently active user sessions when the user is locked by an admin in the Adminapp.

Note: This only works if the Adminapp is deployed behind the same Airlock Gateway (WAF) as the Loginapp.

Class
com.airlock.iam.admin.application.configuration.locking.DestroyLastUserSession
May be used by
Properties
User Persister (userPersister)
Description

Used to read and terminate the GSID (global session id) information of the locked user.

Make sure that the selected user persister is configured for persisting the GSID.

Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.admin.application.configuration.locking.DestroyLastUserSession
id: DestroyLastUserSession-xxxxxx
displayName: 
comment: 
properties:
  userPersister:

Destroy Multiple Existing Sessions Config

Description
Terminates multiple old sessions retrieved from the persistence layer directly without further notification after a successful login and upon logout. This is only used when there are multiple context data fields containing different sessions (e.g. mobile/web or for cross-domain use-cases where more than one session exists for the same user). For standard cases, "Destroy Other User Session" is sufficient to delete the old session.
Class
com.airlock.iam.login.application.configuration.existingsessionbehavior.DestroyMultipleExistingSessionsConfig
May be used by
Properties
Login Session IDs (loginSessionContextDataKeys)
Description
List of keys corresponding to context data entries that store existing sessions of a user. All sessions found in these entries are terminated together with the global session upon successful login. Note that these additional sessions are also deleted if no global session exists.
Attributes
String-List
Optional
Login Timestamps (loginDateContextDataKeys)
Description
List of keys corresponding to context data entries that store the dates of the last update to session IDs. These dates will be updated to the current time after terminating all configured sessions upon login.
Attributes
String-List
Optional
Logout Session IDs (logoutSessionContextDataKeys)
Description
List of keys corresponding to context data entries that store existing sessions of a user. All sessions found in these entries are terminated together with the global session upon logout. Note that these additional sessions are also deleted if no global session exists.
Attributes
String-List
Optional
Logout Timestamps (logoutDateContextDataKeys)
Description
List of keys corresponding to context data entries that store the dates of the last update to session IDs. These dates will be updated to the current time after terminating all configured sessions upon logout.
Attributes
String-List
Optional
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.existingsessionbehavior.DestroyMultipleExistingSessionsConfig
id: DestroyMultipleExistingSessionsConfig-xxxxxx
displayName: 
comment: 
properties:
  loginDateContextDataKeys:
  loginSessionContextDataKeys:
  logoutDateContextDataKeys:
  logoutSessionContextDataKeys:

Destroy Other User Session

Description
Terminates a previous user session if no (proper) logout has been performed.
Class
com.airlock.iam.login.application.configuration.existingsessionbehavior.DestroyOtherUserSessionConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.existingsessionbehavior.DestroyOtherUserSessionConfig
id: DestroyOtherUserSessionConfig-xxxxxx
displayName: 
comment: 
properties:

Device Token Authentication Step

Description
Configuration for a device token flow step.
Class
com.airlock.iam.authentication.application.configuration.devicetoken.DeviceTokenAuthStepConfig
May be used by
License-Tags
DeviceToken
Properties
Device Token Settings (deviceTokenSettings)
Description
Device token settings used for this step.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

Attributes
String
Optional
Length <= 23
Default value
DEVICE_TOKEN
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.devicetoken.DeviceTokenAuthStepConfig
id: DeviceTokenAuthStepConfig-xxxxxx
displayName: 
comment: 
properties:
  authenticationMethodId: DEVICE_TOKEN
  customFailureResponseAttributes:
  customResponseAttributes:
  deviceTokenSettings:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Device Token Deleted

Description

Event that is triggered by the deletion of a device token.

Note that when configuring this event within an event subscriber, the loginapp user store will not be used to provide context data values. Instead, the user store configured within the loginapp request authentication is used.

Class
com.airlock.iam.common.application.configuration.event.DeviceTokenDeletedSubscribedEventConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.event.DeviceTokenDeletedSubscribedEventConfig
id: DeviceTokenDeletedSubscribedEventConfig-xxxxxx
displayName: 
comment: 
properties:

Device Token Identity Verification Step Config

Description
Verifies the user's identity based on a signed challenge. This step can be used as a first step in the flow, meaning the user has not been identified, or after a user identifying step. It provides user enumeration protection.
Class
com.airlock.iam.publicselfservice.application.configuration.steps.DeviceTokenIdentityVerificationStepConfig
May be used by
License-Tags
DeviceToken
Properties
Device Token Settings (deviceTokenSettings)
Description
Device token settings used for this step.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

Attributes
String
Optional
Length <= 23
Default value
DEVICE_TOKEN
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.publicselfservice.application.configuration.steps.DeviceTokenIdentityVerificationStepConfig
id: DeviceTokenIdentityVerificationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  authenticationMethodId: DEVICE_TOKEN
  customFailureResponseAttributes:
  customResponseAttributes:
  deviceTokenSettings:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:
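
The shared failed-attempts counter problem described under 'Authentication Method ID' for this step and for the Device Token Authentication Step above, as an added example that is not Airlock IAM code: a minimal model of per-user counters keyed by authentication method ID. The lockout threshold, user name and password values are constructed for illustration; the model only shows why a successful login on one step resets the counter for another step that shares its ID.

```go
package main

import "fmt"

// Added example, not Airlock IAM code. maxFailedAttempts, the user and the
// password values are assumptions made for this illustration.
const maxFailedAttempts = 3

// credential is one of the two passwords a user has, together with the
// authentication method ID of the step that checks it.
type credential struct {
	methodID string
	secret   string
}

// counters tracks failed attempts per user and per authentication method ID.
type counters map[string]map[string]int

func (c counters) get(user, methodID string) int {
	return c[user][methodID] // nil inner map reads as 0
}

func (c counters) bump(user, methodID string) {
	if c[user] == nil {
		c[user] = map[string]int{}
	}
	c[user][methodID]++
}

func (c counters) reset(user, methodID string) {
	if c[user] != nil {
		c[user][methodID] = 0
	}
}

// locked reports whether the counter for this method ID reached the limit.
func (c counters) locked(user, methodID string) bool {
	return c.get(user, methodID) >= maxFailedAttempts
}

// attempt models one password step: a wrong value increments the counter of
// the step's method ID, a correct value resets that same counter.
func (c counters) attempt(user string, cred credential, supplied string) bool {
	if c.locked(user, cred.methodID) {
		return false
	}
	if supplied != cred.secret {
		c.bump(user, cred.methodID)
		return false
	}
	c.reset(user, cred.methodID)
	return true
}

// lockoutTriggered replays the scenario from the description: password 1 is
// known (flow A always succeeds), password 2 is guessed on flow B, and a
// successful flow A login follows every flow B failure. It returns whether
// the guessing on flow B is eventually locked out.
func lockoutTriggered(methodIDA, methodIDB string, rounds int) bool {
	user := "alice" // constructed sample user
	pw1 := credential{methodID: methodIDA, secret: "known-password-1"}
	pw2 := credential{methodID: methodIDB, secret: "secret-password-2"}
	c := counters{}
	for i := 0; i < rounds; i++ {
		if c.locked(user, pw2.methodID) {
			return true
		}
		c.attempt(user, pw2, fmt.Sprintf("wrong-%d", i)) // flow B: wrong guess
		c.attempt(user, pw1, pw1.secret)                  // flow A: resets its counter
	}
	return c.locked(user, pw2.methodID)
}

func main() {
	fmt.Println("shared ID PASSWORD locks out:", lockoutTriggered("PASSWORD", "PASSWORD", 10))
	fmt.Println("distinct IDs lock out:", lockoutTriggered("PASSWORD1", "PASSWORD2", 10))
}
```

With one shared ID the counter is reset after every round and never reaches the limit; with PASSWORD1 and PASSWORD2 the flow B counter is locked after three failures.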

Device Token List

Description
Configures the device token list REST self-service. Additional self-service functionality can be configured in "Protected Self-Service Flows".
Class
com.airlock.iam.selfservice.application.configuration.token.DeviceTokenListSelfServiceRestConfig
May be used by
License-Tags
DeviceToken
Properties
Device Token Settings (deviceTokenSettings)
Description
Settings for device tokens.
Attributes
Plugin-Link
Mandatory
License-Tags
DeviceToken
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access the device token list.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
License-Tags
DeviceToken
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access the device token list without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
License-Tags
DeviceToken
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.token.DeviceTokenListSelfServiceRestConfig
id: DeviceTokenListSelfServiceRestConfig-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  deviceTokenSettings:

Device Token Management UI

Description
Configures device token management user interface.

Allows an authenticated user to list his registered device tokens. Only enabled and valid device tokens are shown.

The device token management interface is accessible at /<loginapp-uri>/ui/app/protected/tokens/device-token after user authentication.

Class
com.airlock.iam.selfservice.application.configuration.ui.tokens.DeviceTokenManagementUiConfig
May be used by
License-Tags
DeviceToken
Properties
Page Exit Target (pageExitTarget)
Description

If configured, an additional button is displayed on the device token management to exit the page. On click, this button redirects the user to the configured target.

To redirect to a target application, redirect to the corresponding "Authentication Flow". If the flow can be skipped due to the obtained tags, the user is directly forwarded to the target application.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.ui.tokens.DeviceTokenManagementUiConfig
id: DeviceTokenManagementUiConfig-xxxxxx
displayName: 
comment: 
properties:
  pageExitTarget:

Device Token Management UI Redirect

Description
Redirects to the "Device Token Management UI".
Class
com.airlock.iam.selfservice.application.configuration.ui.tokens.DeviceTokenManagementFlowRedirectTargetConfig
May be used by
License-Tags
DeviceToken
Properties
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.ui.tokens.DeviceTokenManagementFlowRedirectTargetConfig
id: DeviceTokenManagementFlowRedirectTargetConfig-xxxxxx
displayName: 
comment: 
properties:

Device Token Registered

Description

Event that is triggered by the registration of a device token.

Note that when configuring this event within an event subscriber, the loginapp user store will not be used to provide context data values. Instead, the user store configured within the loginapp request authentication is used.

Class
com.airlock.iam.login.application.configuration.event.DeviceTokenRegisteredSubscribedEventConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.login.application.configuration.event.DeviceTokenRegisteredSubscribedEventConfig
id: DeviceTokenRegisteredSubscribedEventConfig-xxxxxx
displayName: 
comment: 
properties:

Device Token Registration Step

Description

Flow step for registering a device token. Only available via REST calls.

Note that for the changes made in this step to take effect, an "Apply Changes Step" with an "Apply Device Token Registration" handler must be configured after it in the same flow. If missing, the device token registration is lost.

Security note: For authentication and self-service flows this step should be restricted to strongly authenticated users. To do so a 'Pre Condition' under 'Tags/Guards' must be set to ensure that the user is authenticated.

Class
com.airlock.iam.flow.shared.application.configuration.step.devicetoken.DeviceTokenRegistrationStepConfig
May be used by
License-Tags
DeviceToken
Properties
Device Token Settings (deviceTokenSettings)
Description
Defines the device token settings to be used in this step.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.step.devicetoken.DeviceTokenRegistrationStepConfig
id: DeviceTokenRegistrationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  deviceTokenSettings:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Device Token Settings

Description

Configures device token registration and authentication.

Allows devices (e.g. mobile apps on smart phones) to register a public key (after successful authentication) and use the key for later authentication.

For example, this can be used as follows: when logging in for the first time using the mobile app, the user authenticates using the password and a second factor. After this initial login, the mobile app registers its public key and obtains a device token. For later logins, the user authenticates using password only. The second factor can be omitted as long as the app has the device token.

Class
com.airlock.iam.flow.shared.application.configuration.devicetoken.DeviceTokenSettings
May be used by
License-Tags
DeviceToken
Properties
Token Data Provider (tokenDataProvider)
Description
Token data provider used to load and store device token data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allowed Signature Algorithms (allowedSignatureAlgorithms)
Description
Allowed signature algorithms that can be used to authenticate with the device.
Attributes
String-List
Optional
Default value
[ES256, ES256K, ES384, ES512]
Token Validity [days] (tokenValidityDays)
Description

The validity period of a "binding", i.e. the amount of time a registered key is accepted for authentication after it has been registered. Afterwards, the registered key is no longer accepted for authentication and a new key must be registered.

The validity period is only applied when the device token is registered. When a device token is later used, the expiry date that was computed at registration time applies.

Attributes
Integer
Optional
Default value
30
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.devicetoken.DeviceTokenSettings
id: DeviceTokenSettings-xxxxxx
displayName: 
comment: 
properties:
  allowedSignatureAlgorithms: [ES256, ES256K, ES384, ES512]
  tokenDataProvider:
  tokenValidityDays: 30
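
An added example, not Airlock IAM code, modelling the binding described above in Go: after a full login the device registers an ECDSA public key, the server checks it against allowedSignatureAlgorithms and computes the expiry once from tokenValidityDays, and later logins verify a signature over a server challenge against that stored expiry. Registry, DeviceToken, the challenge format and the hex token id are assumptions of this example; ES256K is left out because secp256k1 is not in Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
	"time"
)

// Settings mirrors the two Device Token Settings properties described in the reference.
type Settings struct {
	AllowedSignatureAlgorithms []string
	TokenValidityDays          int
}

// DeviceToken is a hypothetical registry record; ExpiresAt is computed once, at registration.
type DeviceToken struct {
	Alg       string
	PublicKey *ecdsa.PublicKey
	ExpiresAt time.Time
}

// Registry is a hypothetical in-memory stand-in for the configured Token Data Provider.
type Registry map[string]DeviceToken

// algs maps JOSE ECDSA names to curve and hash; ES256K (secp256k1) is not in Go's standard library.
var algs = map[string]struct {
	curve   elliptic.Curve
	newHash func() hash.Hash
}{
	"ES256": {elliptic.P256(), sha256.New},
	"ES384": {elliptic.P384(), sha512.New384},
	"ES512": {elliptic.P521(), sha512.New},
}

// digest hashes the challenge with the algorithm's hash function; callers validate alg first.
func digest(alg string, challenge []byte) []byte {
	h := algs[alg].newHash()
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the device side of a later login: sign the server-issued challenge with the device key.
func Sign(priv *ecdsa.PrivateKey, alg string, challenge []byte) ([]byte, error) {
	if _, ok := algs[alg]; !ok {
		return nil, fmt.Errorf("algorithm %q not implemented by this example", alg)
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest(alg, challenge))
}

// Register runs after the user authenticated with password and second factor. The expiry is fixed
// here from TokenValidityDays; changing the setting afterwards does not touch existing tokens.
func (r Registry) Register(s Settings, alg string, pub *ecdsa.PublicKey, now time.Time) (string, error) {
	allowed := false
	for _, a := range s.AllowedSignatureAlgorithms {
		allowed = allowed || a == alg
	}
	p, ok := algs[alg]
	if !allowed {
		return "", fmt.Errorf("algorithm %q is not in allowedSignatureAlgorithms", alg)
	} else if !ok {
		return "", fmt.Errorf("algorithm %q not implemented by this example", alg)
	} else if pub.Curve != p.curve {
		return "", errors.New("public key curve does not match the algorithm")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := hex.EncodeToString(raw)
	r[id] = DeviceToken{Alg: alg, PublicKey: pub, ExpiresAt: now.AddDate(0, 0, s.TokenValidityDays)}
	return id, nil
}

// Authenticate checks the expiry stored at registration (not the current setting) and the signature.
// A device that passes may skip the second factor; one that fails must register a new key.
func (r Registry) Authenticate(id string, challenge, sig []byte, now time.Time) error {
	t, ok := r[id]
	if !ok {
		return errors.New("unknown device token")
	}
	if !now.Before(t.ExpiresAt) {
		return errors.New("device token expired: a new key must be registered")
	}
	if !ecdsa.VerifyASN1(t.PublicKey, digest(t.Alg, challenge), sig) {
		return errors.New("invalid signature")
	}
	return nil
}
```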

Device Usage Database Repository

Description
Persists and loads Device Usage data.
Class
com.airlock.iam.common.application.configuration.device.DeviceUsageRepositoryConfig
May be used by
Properties
SQL Data Source (sqlDataSource)
Description
Database connection used to persist and load device usage data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Log Queries (logQueries)
Description

If enabled, all SQL queries executed on this repository will be written to the module's corresponding log file. This is only effective if the log level is set to at least INFO.

Warning: query values (including potentially sensitive data) will be logged as well.

Attributes
Boolean
Optional
Default value
false
Tenant ID (tenantId)
Description

Identity added to the database records to distinguish between different tenants. Only logs that match the tenant ID specified here will be retrieved on query.

If left empty, 'no_tenant' is used as the effective value for tenant ID.

Attributes
String
Optional
Length <= 50
Validation RegEx: (?!no_tenant$).*
Example
customerA
Example
customerB
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.device.DeviceUsageRepositoryConfig
id: DeviceUsageRepositoryConfig-xxxxxx
displayName: 
comment: 
properties:
  logQueries: false
  sqlDataSource:
  tenantId:

Device Usage Processor

Description

On successfully completed flows, the processor persists the device usages that were reported by the steps.

Currently only the following steps report device usages:

  • Airlock 2FA Public Self-Service Approval Step
  • Airlock 2FA Self-Service Approval Step
  • Airlock 2FA Mobile Only Authentication Step
  • Airlock 2FA Step for Authentication
  • Airlock 2FA Transaction Approval Step

If the "Device Usage Repository" in the application (Loginapp/Transaction Approval) is not configured, the device usages will not be persisted.

Class
com.airlock.iam.authentication.application.configuration.processor.DeviceUsageProcessorConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.authentication.application.configuration.processor.DeviceUsageProcessorConfig
id: DeviceUsageProcessorConfig-xxxxxx
displayName: 
comment: 
properties:

Device Was Registered In Current Flow Condition

Description
Plugin for filtering Airlock 2FA devices. It returns true for all devices which have been registered in the current flow.
Class
com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FADeviceRegisteredInFlowPredicateConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FADeviceRegisteredInFlowPredicateConfig
id: Airlock2FADeviceRegisteredInFlowPredicateConfig-xxxxxx
displayName: 
comment: 
properties:

Device Was Used For Login Condition

Description
Plugin for filtering Airlock 2FA devices. This plugin returns true for the one device which was used most recently for login in an authentication flow of the current user session.
In case Airlock 2FA was not used for login, the condition is false for every device.

Note: This predicate should only be used in authentication and protected self-service flows since the other flows do not contain information on the last device used for login.

Class
com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FADeviceUsedForLoginPredicateConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FADeviceUsedForLoginPredicateConfig
id: Airlock2FADeviceUsedForLoginPredicateConfig-xxxxxx
displayName: 
comment: 
properties:

Digipass Push App Handler

Description
Handles push messages to a Digipass (or compatible) app.
Class
com.airlock.iam.core.misc.impl.cronto.pushnotification.DigipassPushAppHandler
May be used by
Properties
Push Notification Sender (pushNotificationSender)
Description
Plugin responsible for sending Cronto push notifications.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Transaction Data Signing Notification Action Id (transactionDataSigningNotificationActionId)
Description
The identifier of the transaction data signing notification action configured on the mobile devices.
Attributes
String
Optional
Default value
airlockIamPushTransaction
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.cronto.pushnotification.DigipassPushAppHandler
id: DigipassPushAppHandler-xxxxxx
displayName: 
comment: 
properties:
  pushNotificationSender:
  transactionDataSigningNotificationActionId: airlockIamPushTransaction

Disable Cronto Device Initiation Step

Description
Step to initiate the disabling of a Cronto device. The actual disabling will be done in the "Apply Changes Step" which requires an "Apply Cronto Device Disabling" to disable the device.
Class
com.airlock.iam.selfservice.application.configuration.step.CrontoDeviceDisablingInitiationStepConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.CrontoDeviceDisablingInitiationStepConfig
id: CrontoDeviceDisablingInitiationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Disable Cronto Push Initiation Step

Description
Step to initiate the disabling of Cronto push notifications to a device. The actual disabling will be done in the "Apply Changes Step" which requires an "Apply Cronto Push Disabling" to apply and persist the change.
Class
com.airlock.iam.selfservice.application.configuration.step.CrontoPushDisablingInitiationStepConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.CrontoPushDisablingInitiationStepConfig
id: CrontoPushDisablingInitiationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Disable FIDO Credential Initiation Step

Description
Step to initiate the disabling of a FIDO credential. The actual disabling will be done in the "Apply Changes Step" which requires an "Apply FIDO Credential Disabling" to disable the credential.
Class
com.airlock.iam.selfservice.application.configuration.step.FidoCredentialDisablingInitiationStepConfig
May be used by
License-Tags
FIDO
Properties
FIDO Settings (fidoSettings)
Description
Settings for FIDO.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.selfservice.application.configuration.step.FidoCredentialDisablingInitiationStepConfig
id: FidoCredentialDisablingInitiationStepConfig-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  fidoSettings:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Disabled Or Missing Secret Questions Restriction Config

Description

Does not allow users that cannot use secret questions to perform a public self-service and returns a corresponding feedback message. A user must have enough secret questions provisioned and they must be active for this user.

For public self-service flows using secret question identity verification, the purpose of this restriction is only to add an informative feedback message. This increases usability but could allow user enumeration since it makes it possible to find existing users without secret questions.

We recommend configuring this restriction as the last restriction to be checked.

Class
com.airlock.iam.publicselfservice.application.configuration.restrictions.DisabledOrMissingSecretQuestionsRestrictionConfig
May be used by
Properties
Secret Questions Settings (secretQuestionsSettings)
Description
Settings related to secret questions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.publicselfservice.application.configuration.restrictions.DisabledOrMissingSecretQuestionsRestrictionConfig
id: DisabledOrMissingSecretQuestionsRestrictionConfig-xxxxxx
displayName: 
comment: 
properties:
  secretQuestionsSettings:

Disclaimer Text Config

Description
Defines a language-dependent, formatted disclaimer text displayed to the user.
Class
com.airlock.iam.common.application.configuration.termsofservice.DisclaimerTextConfig
May be used by
License-Tags
TermsOfServices
Properties
Language (language)
Description
The two-letter ISO code of the display language this text should be used for. It must correspond to one of the configured login application languages.
Attributes
String
Mandatory
License-Tags
TermsOfServices
Suggested values
de, en, fr, it, es
Text (text)
Description
The text to be displayed (may contain HTML markup code).
Attributes
String
Mandatory
Multi-line-text
License-Tags
TermsOfServices
YAML Template (with default values)

type: com.airlock.iam.common.application.configuration.termsofservice.DisclaimerTextConfig
id: DisclaimerTextConfig-xxxxxx
displayName: 
comment: 
properties:
  language:
  text:

Display Language SAML 2.0 Attribute

Description
A SAML 2.0 attribute containing an ISO 639-1/2 code for the display language.
Class
com.airlock.iam.saml2.application.configuration.assertion.attribute.DisplayLanguageAttributeConfig
May be used by
License-Tags
SamlIdp
Properties
Attribute Name (samlAttributeName)
Description
The name of the attribute to add to the assertion.
Attributes
String
Mandatory
Example
language
Name Format (nameFormat)
Description
The NameFormat to use for the attribute.
Attributes
String
Optional
Default value
urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Suggested values
urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
YAML Template (with default values)

type: com.airlock.iam.saml2.application.configuration.assertion.attribute.DisplayLanguageAttributeConfig
id: DisplayLanguageAttributeConfig-xxxxxx
displayName: 
comment: 
properties:
  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  samlAttributeName:

Display Language String Provider Config

Description
Provides the current display language as a string.
Class
com.airlock.iam.flow.shared.application.configuration.valueprovider.DisplayLanguageStringProviderConfig
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.flow.shared.application.configuration.valueprovider.DisplayLanguageStringProviderConfig
id: DisplayLanguageStringProviderConfig-xxxxxx
displayName: 
comment: 
properties:

Distributed Claim Config

Description

Distributed Claims provide a way to include static references to claims held by 3rd party claims providers.

The client may then fetch those claims using the given URL from the claims providers.

Supplying an 'access_token' is currently not supported.

Class
com.airlock.iam.oauth2.application.configuration.claims.DistributedClaimConfig
May be used by
License-Tags
OAuthServer
Properties
Claim Names (claimNames)
Description

The claim name(s) to be obtained using the distributed claim.

These names will be used in the _claim_names object to reference this distributed claim.

Attributes
String-List
Mandatory
Endpoint Url (endpointUrl)
Description

The resource endpoint from which the associated Claim can be retrieved. The endpoint MUST return the Claim as a JWT.

Attributes
String
Mandatory
YAML Template (with default values)

type: com.airlock.iam.oauth2.application.configuration.claims.DistributedClaimConfig
id: DistributedClaimConfig-xxxxxx
displayName: 
comment: 
properties:
  claimNames:
  endpointUrl:

Do Nothing Obtainer

Description
A CRLObtainer that does nothing. This is used when some URL must be disabled.
Class
com.airlock.iam.core.misc.impl.cert.crl.DoNothingObtainer
May be used by
License-Tags
ClientCertificate
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.cert.crl.DoNothingObtainer
id: DoNothingObtainer-xxxxxx
displayName: 
comment: 
properties:

DOCX Save Option

Description
Configuration for generating a DOCX file. Saves the document as an Office Open XML WordprocessingML Document (macro-free).
Class
com.airlock.iam.core.misc.renderer.saveaction.DocxSaveActionConfig
May be used by
Properties
File Name Extension (fileNameExtension)
Description
File name extension for the generated DOCX file.
Attributes
String
Optional
Default value
.docx
Fonts Path (fontsPath)
Description

The absolute or relative path containing all TrueType fonts required for the conversion.
This is mandatory on Unix-like operating systems and optional on Windows, where the installed Windows fonts will always be included automatically.

When loading a document in the DOCX format and saving it back as DOCX, configuring custom fonts might not have a significant impact. The reason is that the DOCX format already embeds the font information within the document itself. This means that the font information is preserved during the save operation, and font substitution might not be necessary. However, there can be scenarios where using this property can still be useful, even when working with DOCX files. For example:

1. Font Substitution: When rendering or converting a document, IAM may encounter fonts that are not available on the system where the operation is being performed. By defining font sources, you provide IAM with a list of locations to search for required fonts. This enables IAM to automatically substitute missing fonts with available alternatives from the defined font sources.

2. Consistent Rendering: Defining font sources allows you to ensure consistent font rendering across different systems. By specifying the exact font sources to be used, you can guarantee that the same fonts will be available and utilized, regardless of the system where the document is processed. This can be crucial for maintaining consistent visual appearance, especially when sharing documents across different environments.

In order to reflect changes from the file system, reactivating the IAM configuration is required.
Attributes
File/Path
Optional
YAML Template (with default values)

type: com.airlock.iam.core.misc.renderer.saveaction.DocxSaveActionConfig
id: DocxSaveActionConfig-xxxxxx
displayName: 
comment: 
properties:
  fileNameExtension: .docx
  fontsPath:

Drop-Down UI Element

Description
Displays a drop-down.
Class
com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiDropDownConfig
May be used by
Properties
Label (label)
Description
Label for the drop-down. The UI treats it as a key to translate. If there is no translation, the configured value is what is shown in the UI.
Attributes
String
Mandatory
Validation RegEx: [a-zA-Z0-9]+((\.|-)[a-zA-Z0-9]+)*
Property (property)
Description
The property of the drop-down. This property will be sent to the server via REST as part of a JSON object. For example, if the property name is 'gender' and the options allow one of the values 'male' or 'female' with 'female' being chosen, the JSON sent to the server will be as follows: {"gender": "female"}.
Attributes
String
Mandatory
Validation RegEx: [a-zA-Z0-9_]+(\.[a-zA-Z0-9_]+)*
Example
gender
Example
deviceType
Required (required)
Description
Requires a value to be chosen.
Attributes
Plugin-Link
Optional
Assignable plugins
Options (options)
Description
Defines the list options to choose from.
Attributes
Plugin-List
Mandatory
Assignable plugins
HTML ID (htmlId)
Description
The ID of the element in the HTML. If no ID is set, the 'property' is used as the ID.
Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_]+
Submit To Server (submitToServer)
Description
If enabled, this value is submitted to the server. Otherwise, it is only used locally (e.g. to confirm inputs of other fields).
Attributes
Boolean
Optional
Default value
true
Initial Value Query (initialValueQuery)
Description
JSONPath query to fetch the field value from the initial REST call response. Requires an initial REST call to be configured in this custom step UI. If the query yields multiple results, the first one is set as the initial value and all others are discarded.

See the JSONPath library documentation for the full query syntax: https://github.com/dchester/jsonpath

Examples:

Assume the initial REST call returns the following JSON response:

{
 "meta": {
   "type": "jsonapi.metadata.document",
   "timestamp": "2023-03-10T13:06:01.294+02:00"
 },
 "data": [
  {
    "type": "user",
    "id": "user1",
    "attributes": {
      "contextData": {
         "givenname": "User1",
         "surname": "FSMTest",
         "roles": "customerA"
      }
    }
  },
  {
    "type": "user",
    "id": "user2",
    "attributes": {
      "contextData": {
        "givenname": "User2",
        "surname": "FSMTest",
        "roles": "customerB"
      }
    }
  }
 ]
}

The following table shows the results of various JSONPath queries given the JSON above:

Description                                   | JSONPath Query                                          | Extracted Initial Value
Static path from the root                     | $.meta.type                                             | jsonapi.metadata.document
The role of the user whose id equals "user1"  | $.data[?(@.id == 'user1')].attributes.contextData.roles | customer
The number of users                           | $.data.length                                           | 2
All "givenname" attributes                    | $..givenname                                            | User1
  Note: this query yields multiple results; the first one is set as the initial value, the rest are discarded.
Attributes
String
Optional
Example
$.store.bicycle.color
Example
$..language
Example
$..data[?(@.id == 'country')].attributes.currentValue
YAML Template (with default values)

type: com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiDropDownConfig
id: ConfigurableUiDropDownConfig-xxxxxx
displayName: 
comment: 
properties:
  htmlId:
  initialValueQuery:
  label:
  options:
  property:
  required:
  submitToServer: true
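
The queries from the table above, run by an added Go example (not IAM code, and not the dchester/jsonpath library the UI uses): a hypothetical evaluator for exactly the subset the table needs (child keys, "..", the "[?(@.k == 'v')]" filter and ".length"), with the sample response embedded as a constant and the first-result rule applied in InitialValue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// SampleResponse is the constructed initial REST call response shown in the reference text.
const SampleResponse = `{
 "meta": {"type": "jsonapi.metadata.document", "timestamp": "2023-03-10T13:06:01.294+02:00"},
 "data": [{"type": "user", "id": "user1", "attributes": {"contextData": {"givenname": "User1", "surname": "FSMTest", "roles": "customerA"}}},
          {"type": "user", "id": "user2", "attributes": {"contextData": {"givenname": "User2", "surname": "FSMTest", "roles": "customerB"}}}]
}`

type segment struct {
	key                  string // child key; "" for a filter segment
	recursive            bool   // true for ".." descent
	filterKey, filterVal string // set for [?(@.filterKey == 'filterVal')]
}

var filterRe = regexp.MustCompile(`^\[\?\(@\.(\w+) == '([^']*)'\)\]$`)

// parse covers the subset used in the reference: $.a.b, $..a, [?(@.k == 'v')] and .length.
func parse(path string) ([]segment, error) {
	var segs []segment
	for rest := strings.TrimPrefix(path, "$"); rest != ""; {
		switch {
		case strings.HasPrefix(rest, "."):
			name, tail := strings.TrimLeft(rest, "."), ""
			if i := strings.IndexAny(name, ".["); i >= 0 {
				name, tail = name[:i], name[i:]
			}
			segs, rest = append(segs, segment{key: name, recursive: strings.HasPrefix(rest, "..")}), tail
		case strings.HasPrefix(rest, "["):
			m := filterRe.FindStringSubmatch(rest[:strings.Index(rest, "]")+1]) // no "]" gives "" and no match
			if m == nil {
				return nil, fmt.Errorf("unsupported bracket expression in %q", path)
			}
			segs, rest = append(segs, segment{filterKey: m[1], filterVal: m[2]}), rest[len(m[0]):]
		default:
			return nil, fmt.Errorf("unexpected %q in %q", rest, path)
		}
	}
	return segs, nil
}

// step applies one segment to one node. Go maps do not keep JSON key order, so ".." matches under sibling object keys come back in unspecified order; array order is preserved.
func step(n interface{}, s segment) []interface{} {
	var out []interface{}
	obj, _ := n.(map[string]interface{})
	arr, _ := n.([]interface{})
	if c, ok := obj[s.key]; ok && s.filterKey == "" { // plain child key
		out = append(out, c)
	}
	if s.key == "length" && arr != nil && !s.recursive { // ".length" on an array, as in dchester/jsonpath
		out = append(out, float64(len(arr)))
	}
	for _, el := range arr { // [?(@.k == 'v')] keeps the array elements whose k equals v
		if m, _ := el.(map[string]interface{}); s.filterKey != "" && fmt.Sprint(m[s.filterKey]) == s.filterVal {
			out = append(out, el)
		}
	}
	if s.recursive { // "..": repeat the search in every object value and array element
		for _, c := range obj {
			out = append(out, step(c, s)...)
		}
		for _, c := range arr {
			out = append(out, step(c, s)...)
		}
	}
	return out
}

// InitialValue parses the response, evaluates the path and applies the drop-down rule: the first
// match becomes the initial value and the rest are discarded (count reports how many there were).
func InitialValue(jsonText, path string) (first interface{}, count int, err error) {
	var doc interface{}
	if err = json.Unmarshal([]byte(jsonText), &doc); err != nil {
		return nil, 0, err
	}
	segs, err := parse(path)
	if err != nil {
		return nil, 0, err
	}
	nodes := []interface{}{doc}
	for _, s := range segs {
		var next []interface{}
		for _, n := range nodes {
			next = append(next, step(n, s)...)
		}
		nodes = next
	}
	if len(nodes) == 0 {
		return nil, 0, nil
	}
	return nodes[0], len(nodes), nil
}
```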

Dummy Certificate Status Checker

Description
Dummy implementation that can be used for testing: All certificates are accepted during even minutes and all certificates are rejected during odd minutes.
Class
com.airlock.iam.core.misc.impl.cert.dummy.DummyCertificateStatusChecker
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.cert.dummy.DummyCertificateStatusChecker
id: DummyCertificateStatusChecker-xxxxxx
displayName: 
comment: 
properties:

Dummy Credential Persister

Description
Dummy credential persister and iterator that can be used for testing. Its behaviour is purely determined by the input in the following way:

Getting a Credential (getCredentialByName):

  • If the username contains the string "notfound" a NotFoundException is thrown.
  • If the username contains the string "ambig" a NotUniqueException is thrown.
  • If the username contains the string "except" a PersisterException is thrown.
  • If the username contains the string "inactive" an inactive credential is returned.
  • If the username contains the string "order" a credential with the order flag set is returned.
  • If the username contains the string "binary" a binary type credential is returned. The binary data is the binary representation of the username.
  • If the username does not contain the string "binary" a string type credential is returned. The credential data is the username.

Updating a Credential (makeCredentialPersistent):

  • If the username contains the string "notfound" a NotFoundException is thrown.
  • If the username contains the string "ambig" a NotUniqueException is thrown.
  • If the username contains the string "except" a PersisterException is thrown.
  • For all other usernames, the call returns normally.

Getting all User-IDs (getAllUserIds):

  • Returns a list with 100 random user ids.

Getting matching User-IDs (getMatchingUserIds):

  • If the value to match contains the string "empty" an empty list is returned.
  • If the value to match contains the string "big" a list with 10'000 random user ids is returned.
  • If the value to match contains the string "except" a PersisterException is thrown.
  • For all other values to match, a list with 100 random user ids is returned.

Class
com.airlock.iam.core.misc.impl.persistency.DummyCredentialPersister
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.DummyCredentialPersister
id: DummyCredentialPersister-xxxxxx
displayName: 
comment: 
properties:

Dummy Cronto Push Notification Sender

Description
Dummy Cronto push notification sender.
Class
com.airlock.iam.core.misc.impl.cronto.pushnotification.DummyCrontoPushNotificationSender
May be used by
License-Tags
Cronto
Properties
Simulate Failure (simulateFailure)
Description
If enabled, a failure is simulated by returning false on sending a push notification.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.cronto.pushnotification.DummyCrontoPushNotificationSender
id: DummyCrontoPushNotificationSender-xxxxxx
displayName: 
comment: 
properties:
  simulateFailure: false

Dummy Email Service

Description
Prints the message details on stdout instead of sending an email. Use domain "exception.com" in any recipient (to, cc, bcc) to generate an EmailServiceException.
Class
com.airlock.iam.core.misc.impl.email.DummyEmailService
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.email.DummyEmailService
id: DummyEmailService-xxxxxx
displayName: 
comment: 
properties:

Dummy Extended User Persister

Description
Dummy user persister and iterator that can be used for testing. Its behavior is purely determined by the input in the following way:

Getting a User (getPersistentUserByName):

  • If the username contains the string "notfound" a NotFoundException is thrown.
  • If the username contains the string "ambig" a NotUniqueException is thrown.
  • If the username contains the string "except" a PersisterException is thrown.
  • If the username contains the string "nobody" a user with no roles is returned.
  • If the username contains the string "locked" a locked user is returned. Locked date and reason are set.
  • If the username contains the string "pwch" the password change enforced flag is set for the returned user.
  • If the username contains the string "pworder" the password order flag is set for the returned user.
  • If the username contains the string "manyfailed" the user is not locked but has 10 failed logins.
  • For all other user names, a user bean with the specified username and fixed other data is returned. The roles of the user are configurable.

Updating a User (makeUserPersistent):

  • If the username contains the string "notfound" a NotFoundException is thrown.
  • If the username contains the string "ambig" a NotUniqueException is thrown.
  • If the username contains the string "except" a PersisterException is thrown.
  • For all other usernames, the call returns normally.

Inserting a User (insertUser):

  • If the username of the inserted user contains the string "ambig" a NotUniqueException is thrown.
  • If the username of the inserted user contains the string "except" a PersisterException is thrown.
  • For all other usernames, the call returns normally.

Deleting a User (deleteUser):

  • If the username contains the string "notfound" a NotFoundException is thrown.
  • If the username contains the string "ambig" a NotUniqueException is thrown.
  • If the username contains the string "except" a PersisterException is thrown.
  • For all other usernames, the call returns normally.

Getting all User-IDs (getAllUserIds):

  • Returns a list with 100 random user ids.

Getting matching User-IDs (getMatchingUserIds):

  • If the value to match contains the string "empty" an empty list is returned.
  • If the value to match contains the string "big" a list with 10'000 random user ids is returned.
  • If the value to match contains the string "except" a PersisterException is thrown.
  • For all other values to match, a list with 100 random user ids is returned.

The method changeUsername(String oldUsername, String newUsername) is not implemented and will throw a NotImplementedException.

Class
com.airlock.iam.core.misc.impl.persistency.DummyExtendedUserPersister
May be used by
Properties
User Roles (userRoles)
Description
Defines the set of roles assigned to the users returned by this persister.
The roles must be specified as comma-separated list.
Attributes
String-List
Optional
Default value
[role1, role2]
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.DummyExtendedUserPersister
id: DummyExtendedUserPersister-xxxxxx
displayName: 
comment: 
properties:
  userRoles: [role1, role2]

Dummy IAK Verifier

Description
Dummy IAK (Initial Activation Key) Verifier

  • Users with a name containing "noiak" will have no IAK (case-insensitive)
  • Accepts all IAKs that contain the string "ok" (case-insensitive)
  • Throws an exception for all IAKs that contain the string "exc" (case-insensitive)
  • Rejects all other IAKs.

This plugin has no configuration properties.

Class
com.airlock.iam.core.misc.impl.authen.DummyIakVerifier
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.DummyIakVerifier
id: DummyIakVerifier-xxxxxx
displayName: 
comment: 
properties:

Dummy Maintenance Message Persister

Description
This is a stateless dummy plugin that implements both MaintenanceMessageService and MaintenanceMessagePersister extension points.

MaintenanceMessageService implementation:

  • getMaintenanceMessage(Date date): returns a dummy message containing de/fr/en translations. This works for every location.

MaintenanceMessagePersister implementation:

  • getAllMaintenanceMessages(int maxMessages): returns maxMessages random messages with the location null.
  • getMaintenanceMessageByName(String name): passing "nf" leads to a NotFoundException, "nu" leads to a NotUniqueException, all other names will return a random message with the given name.
  • insertMaintenanceMessage(MaintenanceMessage message): Inserting a message with name "nu" leads to a NotUniqueException, all other names are accepted.
  • updateMaintenanceMessage(MaintenanceMessage message): Updating a message with name "nf" leads to a NotFoundException, "nu" leads to a NotUniqueException, all other names are accepted.
  • deleteMaintenanceMessage(MaintenanceMessage message): Deleting a message with name "nf" leads to a NotFoundException, "nu" leads to a NotUniqueException, all other names are accepted.
Class
com.airlock.iam.core.misc.impl.sysmessage.DummyMaintenanceMessagePersister
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.sysmessage.DummyMaintenanceMessagePersister
id: DummyMaintenanceMessagePersister-xxxxxx
displayName: 
comment: 
properties:

Dummy Matrix Authenticator

Description
Dummy authenticator plug-in to test matrix card authentication.

Expects a credential of type UserCredential (or a subtype) in the first step and responds with a random challenge of three coordinate pairs.

Usernames and responses other than the challenge (just concatenate the coordinate pairs; no spaces) are processed as follows:

  • User "unknown" is unknown.
  • User "ambiguous" is ambiguous.
  • User "locked" is a locked user.
  • User "invalid" is an invalid user.
  • User "unspec" results in an unspecified authentication failure.
  • The request will result in an AuthenticatorException if any response contains "except".
  • The request will be accepted if any response contains "accept".
  • All other responses are not accepted.

If the authentication succeeds, the roles "role1" and "role2" are granted to the user.

There are no configuration properties.

The plugin writes the canonical class name description of this plugin to the context data container. The class name is stored under the key authPluginClassName. A short description of this authentication method is stored under the key authMethodShortDesc. This information may be used by callers.

Class
com.airlock.iam.core.misc.impl.authen.DummyMatrixAuthenticator
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.DummyMatrixAuthenticator
id: DummyMatrixAuthenticator-xxxxxx
displayName: 
comment: 
properties:

Dummy Password Renderer

Description
Dummy password renderer that just outputs the password to the log.
Class
com.airlock.iam.core.misc.util.password.generator.DummyPasswordRenderer
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.util.password.generator.DummyPasswordRenderer
id: DummyPasswordRenderer-xxxxxx
displayName: 
comment: 
properties:

Dummy Password Service

Description
Dummy password service. The result of the password service methods can be influenced by the password in the following way:

Using checkPassword(...)

  • All passwords containing the string "wrong" will be rejected.
  • All passwords containing the string "change" will be accepted but lead to a forced password change.
  • All passwords containing the string "expired" will be accepted but lead to a forced password change because the password has expired.
  • All passwords containing the string "exception" will lead to an exception.
  • All other passwords are accepted.

Using changePassword(...)

  • All old passwords containing the string "wrong" will be rejected. The number of retries is 3.
  • All old passwords containing the string "toomany" will be rejected and the number of retries is zero.
  • All old passwords containing the string "exception" will lead to an exception.
  • All other old passwords are accepted.
  • All new passwords containing the string "short" will be rejected because it is too short.
  • All new passwords containing the string "long" will be rejected because it is too long.
  • All new passwords containing the string "hist" will be rejected with a history match.
  • All new passwords containing the string "req" will be rejected because required characters are missing.
  • All new passwords containing the string "forb" will be rejected because it contains forbidden characters.
  • All new passwords containing the string "black" will be rejected because they match a blacklist.
  • All new passwords containing the string "young" will be rejected because the old password is too young to be changed.

Does not consider policy check plugins injected externally (using method setPasswordPolicyChecks).

Class
com.airlock.iam.core.misc.impl.authen.DummyPasswordService
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.DummyPasswordService
id: DummyPasswordService-xxxxxx
displayName: 
comment: 
properties:

Dummy Polling Authenticator

Description
Dummy authenticator that simulates an asynchronous authentication process.
Class
com.airlock.iam.core.misc.impl.authen.DummyPollingAuthenticator
May be used by
Properties
Authentication State (authenticationState)
Description
Determines the state of the authentication process.
Attributes
Enum
Optional
Default value
FAILED
Authentication Method (authenticationMethod)
Description
The authentication method to be set in the authentication result.
Attributes
Enum
Optional
Default value
AIRLOCK_2FA
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.DummyPollingAuthenticator
id: DummyPollingAuthenticator-xxxxxx
displayName: 
comment: 
properties:
  authenticationMethod: AIRLOCK_2FA
  authenticationState: FAILED

Dummy Report Renderer

Description
Dummy report renderer outputting report contents to the log.
Class
com.airlock.iam.core.misc.util.report.DummyReportRenderer
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.util.report.DummyReportRenderer
id: DummyReportRenderer-xxxxxx
displayName: 
comment: 
properties:

Dummy SMS Gateway

Description

Dummy SMS gateway that prints the SMS (including originator name and target number) to the log file and standard out.

To produce an AuthenticatorException (for testing), set the SMS originator to "exception" in the plugin using the SMS gateway.

Class
com.airlock.iam.core.misc.impl.sms.DummySmsGateway
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.sms.DummySmsGateway
id: DummySmsGateway-xxxxxx
displayName: 
comment: 
properties:

Dummy Token List Persister

Description
Dummy token list persister and iterator that can be used for testing. Its behaviour is purely determined by the input in the following way:

Getting a token user structure (getTokenUserStructure):

  • If the username contains the string "notfound" a NotFoundException is thrown.
  • If the username contains the string "ambig" a NotUniqueException is thrown.
  • If the username contains the string "except" a PersisterException is thrown.
  • If the username contains the string "inactive" an inactive token user structure is returned.
  • If the username contains the string "order" a token user structure with the order flag set is returned.
  • All returned token lists contain 130 tokens with 3 characters each which are either random or set to the token's index (0-padded), depending on configuration.

Updating a token user structure (makeTokenUserStructurePersistent):

  • If the username contains the string "notfound" a NotFoundException is thrown.
  • If the username contains the string "ambig" a NotUniqueException is thrown.
  • If the username contains the string "except" a PersisterException is thrown.
  • For all other usernames, the call returns normally.

Getting all User-IDs (getAllUserIds):

  • Returns a list with 100 random user ids.

Class
com.airlock.iam.core.misc.impl.persistency.DummyTokenListPersister
May be used by
Properties
Use Random Tokens (useRandomTokens)
Description
If enabled, random tokens are generated for each position in the list. Else, each position simply contains its index on the list (0-based).
Attributes
Boolean
Optional
Default value
true
Number Of Unanswered Challenges (numberOfUnansweredChallenges)
Description
Sets the number of unanswered challenges on the dummy token. If this value is greater than the configured number of allowed unanswered challenges (e.g. "Matrix Authentication Step" or "Matrix Authenticator"), authentication fails.
Attributes
Integer
Optional
Default value
0
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.persistency.DummyTokenListPersister
id: DummyTokenListPersister-xxxxxx
displayName: 
comment: 
properties:
  numberOfUnansweredChallenges: 0
  useRandomTokens: true

Dummy Token List Renderer

Description
Dummy token list renderer that just outputs the token list to the log.
Class
com.airlock.iam.core.misc.impl.renderer.DummyTokenListRenderer
May be used by
License-Tags
Matrixcard
Properties
Tokens Per Row (tokensPerRow)
Description
Specifies the number of tokens per row.
This is needed to be able to translate internal token indices to a challenge coordinate pair.
Attributes
Integer
Optional
Default value
10
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.renderer.DummyTokenListRenderer
id: DummyTokenListRenderer-xxxxxx
displayName: 
comment: 
properties:
  tokensPerRow: 10

Dummy Token Verifier

Description
A dummy token verifier implementation that can be used for testing. Its behaviour is based on the token to be verified.

  • The token 123456 is accepted.
  • The token 111111 leads to the next token mode.
  • The token 222222 leads to a new pin being required.
  • The token 333333 leads to a new pin being accepted.
  • The token 999999 results in a TokenVerifierException.
  • All other tokens are denied.

The last used token is always 555555.

There are no configuration properties.
Class
com.airlock.iam.core.misc.impl.tokenverifier.DummyTokenVerifier
May be used by
Properties
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.tokenverifier.DummyTokenVerifier
id: DummyTokenVerifier-xxxxxx
displayName: 
comment: 
properties:

Dummy Two Step Authenticator

Description
Dummy authenticator expecting a credential with a username alone (UserCredential) or a username and a password (UserPasswordCredential) in the first authentication step. The reaction depends solely on the input (username or password).

This plugin can be used for testing and MUST NOT BE USED PRODUCTIVELY.

Note that all comparisons are done case-insensitive, i.e. NOT regarding case.

The responses are dependent on the credentials as follows:

  • User "unknown" is unknown.
  • User "ambiguous" is ambiguous.
  • User "locked" is a locked user.
  • User "invalid" is an invalid user.
  • User "unspec" results in an unspecified authentication failure.
  • User "exception" results in an authenticator exception being thrown.
  • For user "mtan" no password is expected but an mTAN code is required in the second step.
  • For user "token" no password is expected but a token is required in the second step.
  • For user "nexttoken" no password is expected but the next token will be requested.
  • For user "index" no password is expected but an index-token challenge (with 3 challenges) is sent in the second step.
  • For user "index1" no password is expected but an index-token challenge (with 1 challenge) is sent in the second step.
  • For user "matrix" no password is expected but a matrix card challenge (with 3 challenges) is sent in the second step.
  • For user "matrix1" no password is expected but a matrix card challenge (with 1 challenge) is sent in the second step.
  • For user "smartcard" no password is expected but a string challenge is sent in the second step.
  • For user "newpin" no password is expected but a new pin is required in the next step.
  • For user "unassigned" the result is CREDENTIAL_NOT_ASSIGNED.
  • All other users are valid users and a password is expected.
  • The password "password" is accepted and no further steps are required.
  • The password "step" or "pwstep" is accepted and leads to password-required in the second step.
  • The password "mtan" is accepted and leads to an mTAN code being required in the second step.
  • The password "token" is accepted and leads to token-required in the second step. The last used token is 123456.
  • The password "nexttoken" is accepted and leads to next-token-required in the next step. The last used token is 123456.
  • The password "index" is accepted and leads to an index-challenge (with 3 challenges) in the second step.
  • The password "index1" is accepted and leads to an index-challenge (with 1 challenge) in the second step.
  • The password "matrix" is accepted and leads to a matrix-challenge (with 3 challenges) in the second step.
  • The password "matrix1" is accepted and leads to a matrix-challenge (with 1 challenge) in the second step.
  • The password "smartcard" is accepted and leads to a string challenge in the second step.
  • The password "newpin" is accepted and leads to a new pin being required in the second step.
  • The password "pwdchange" or "pwch" is accepted but forces a password change.
  • The password "usergotlocked" is considered to be wrong AND the user-got-locked flag is set.
  • All other passwords are not accepted.
  • Any value containing the string "accept" or "acpt" will be accepted as token and as response to the index-challenge and the matrix challenge.
  • Any value containing the string "pwdchange" or "pwch" accepts the response and leads to forced password change.
  • Any value containing the string "mtan" accepts the response and leads to requiring an mTAN code.
  • Any value containing the string "token" accepts the response and leads to requiring a token.
  • Any value containing the string "nexttoken" accepts the response and leads to requiring a next token.
  • Any value containing the string "matrix" accepts the response and leads to a matrix challenge.
  • Any value containing the string "newpin" accepts the response and leads to requiring a new pin.
  • Any value containing the string "index" accepts the response and leads to an index challenge.
  • Any value containing the string "unspec" results in an unspecified authentication failure.
  • Any value containing the string "except" results in an authenticator exception being thrown.
  • All other values are not accepted.

If the authentication succeeds, the roles "role1" and "role2" are granted to the user.

The plugin writes the canonical class name description of this plugin to the context data container. The class name is stored under the key authPluginClassName. A short description of this authentication method is stored under the key authMethodShortDesc. This information may be used by callers.

Class
com.airlock.iam.core.misc.impl.authen.DummyTwoStepAuthenticator
May be used by
Properties
Instance Name (instanceName)
Description
Used to distinguish one instance from another in unit tests.
Attributes
String
Optional
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.DummyTwoStepAuthenticator
id: DummyTwoStepAuthenticator-xxxxxx
displayName: 
comment: 
properties:
  instanceName:

Dummy Vasco Handler

Description
Dummy implementation of a VascoHandler.

DO NOT USE IN PRODUCTION

Since VascoHandler needs a native library in order to be configured, this dummy implementation can be used for testing purposes if one does not want to load the native library.

When importing tokens, the key specifies the number of tokens to be generated (i.e. key '5' will generate 5 tokens). Just select any file (the file is ignored, but may not be empty).
When verifying tokens, the serialId of the token is accepted. All other input strings will be declined.

Class
com.airlock.iam.core.misc.util.vasco.DummyVascoHandler
May be used by
Properties
Token Type (tokenType)
Description
The token type to be used for all generated dummy tokens.
Attributes
String
Optional
Default value
DUMMY
Auth Mode (authMode)
Description
The Vasco token authentication mode to be used for all generated dummy tokens. Depending on your application, choose one of the following:
  • RESPONSE ONLY for Vasco Digipass OTP tokens
  • MASTER ACTIVATION for Cronto account licenses
Attributes
Enum
Optional
Default value
response only
Request Software Vector During License Import (requestSoftwareVectorDuringLicenseImport)
Description
If this flag is set, the input of a software vector is required during license import. The software vector is not used for generating the second activation message.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: com.airlock.iam.core.misc.util.vasco.DummyVascoHandler
id: DummyVascoHandler-xxxxxx
displayName: 
comment: 
properties:
  authMode: response only
  requestSoftwareVectorDuringLicenseImport: false
  tokenType: DUMMY

Dynamic Active Directory String Generator

Description
The Dynamic Active Directory String Generator plugin can be used to generate random passwords or one-time passwords. Passwords are generated based on a password policy retrieved from an Active Directory for a specific user.

A fixed pattern is used that will generate passwords based on the restrictions given by an Active Directory, i.e. a password must meet three out of the following four requirements:

  • Contains a lowercase character.
  • Contains an uppercase character.
  • Contains a special character.
  • Contains a number.
Class
com.airlock.iam.core.misc.impl.authen.DynamicActiveDirectoryStringGenerator
May be used by
Properties
Password Policy (passwordPolicy)
Description
A freshly generated string will be checked by the policy stated here.

Remark: The pattern must be able to construct strings that will be accepted by the policy.

After the policy has rejected 10'000 generated strings (for each string to create), the plugin gives up and throws a runtime exception. This should not occur in real life, since during initialization of this plugin 100 test strings are generated to ensure the compatibility of the pattern with the policy. During this initial check, only 200 rejections from the policy are allowed. This is a much harder constraint than the 10'000 allowed rejections afterwards when the plugin is in use. Therefore, in practice the probability of a failure after initialization of the plugin should be negligible.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: com.airlock.iam.core.misc.impl.authen.DynamicActiveDirectoryStringGenerator
id: DynamicActiveDirectoryStringGenerator-xxxxxx
displayName: 
comment: 
properties:
  passwordPolicy:


Dynamic Step Activation Config

Description
Dynamic activation of a subsequent step in the flow.
Class
com.airlock.iam.flow.api.application.configuration.dynamicactivation.DynamicStepActivationConfig
May be used by
mTAN Transaction Approval Step Secret Questions Identity Verification Step Airlock 2FA Authentication Step Airlock 2FA Recovery Trusted Session Binding Step Email Identity Verification Step Airlock 2FA Self-Service Approval Step OTP Check via RADIUS Step OAuth 2.0 SSO Step Cronto Device Selection Step FIDO Public Self-Service Approval Step Cronto Transaction Approval Step Email OTP Transaction Approval Step Vasco OTP Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step mTAN Authentication Step Cronto Authentication Step User Data Edit Step Account Link Linking Initiation Step Account Link Removal Initiation Step CrontoSign Swiss Push Activation Step Email Verification Step SSI Passwordless Authentication Step Airlock 2FA Transaction Approval Step FIDO Credential Selection Step Selection Step for Public Self-Service OATH OTP Activation Step Enable Cronto Push Initiation Step Migration Selection Step SSI Issuance Step Phone Number Verification Step mTAN Public Self-Service Approval Step User Data Registration Step Config Cronto Approval Stealth Step Disable FIDO Credential Initiation Step Delete FIDO Credential Initiation Step OAuth 2.0 Consent Step Password-only Authentication Step SMS Identity Verification Step Cronto Public Self-Service Approval Step Matrix Public Self-Service Approval Step Delete Cronto Device Initiation Step Vasco OTP Authentication Step Device Token Registration Step Password Reset Step Enable FIDO Credential Initiation Step Device Token Authentication Step Matrix Self-Service Approval Step User Identification By Data Step (Public Self-Service) Cronto Activation Step Email OTP Authentication Step Email Change Verification Step FIDO Self-Service Approval Step Airlock 2FA Activation Step Airlock 2FA Device Edit Initiation Step Select mTAN Token Step Secret Questions Provisioning Step Airlock 2FA Device Edit Step Start User Representation Step Mandatory Password Change Step Config Disable Cronto Device Initiation Step OAuth 2.0 Consent Grant Initiation Step Airlock 2FA Activation Trusted Session Binding Step FIDO Registration Step Delete Remember-Me Device Initiation Step Transaction Approval Parameter Step User Identification Step User Identification By Data Step Airlock 2FA Usernameless Authentication Step Matrix Authentication Step mTAN Token Edit Step Enable Cronto Device Initiation Step OAuth 2.0 Consent Deny Initiation Step FIDO Authentication Step mTAN Token Registration Step Airlock 2FA Device Delete Initiation Step Username Password Authentication Step Set Password Step Config Password Change Self-Service Step SSI Verification Step Device Token Identity Verification Step Config Cronto Self-Service Approval Step Vasco OTP Self-Service Approval Step Selection Step for User Self-Registration Vasco OTP Device Activation mTAN Self-Service Approval Step Rename Cronto Device Step OATH OTP Authentication Step User Identification Step (Public Self-Service) Delete mTAN Number Initiation Step SSI Authentication Step mTAN Verification Step FIDO Credential Display Name Change Step Legacy Email OTP Authentication Step Selection Step for Self-Service Terms Of Services Step FIDO Passwordless Authentication Step Disable Cronto Push Initiation Step Acknowledge Message Step Airlock 2FA Mobile Only Authentication Step Voluntary Password Change Step OAuth 2.0 Consents Delete Initiation Step Airlock 2FA Activation Step (with additional Activation) Delete OAuth 2.0 Session Initiation Step Selection Step
Properties
Step ID (targetStepId)
Description
The ID of the step to activate dynamically. The target step must have the "Requires Dynamic Activation" flag enabled for the feature to work.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Activatable (activatable)
Description
Whether the target step can be activated while in this step.
Attributes
Boolean
Optional
Default value
true
Deactivatable (deactivatable)
Description
Whether the target step can be deactivated while in this step.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: com.airlock.iam.flow.api.application.configuration.dynamicactivation.DynamicStepActivationConfig
id: DynamicStepActivationConfig-xxxxxx
displayName: 
comment: 
properties:
  activatable: true
  deactivatable: true
  targetStepId:


eCall SMS Gateway (v1)

Description

Legacy SMS gateway implementation for "http://www.ecall.ch/".
This plugin uses the HTTP(S) interface of eCall to send SMS messages.

Important: This plugin only supports the eCall HTTP SMS Gateway Version 1.x (using the "/ecallurl/ecallurl.ASP" endpoint). For eCall HTTP Gateway 2.0, please use the generic "HTTP SMS Gateway" with the following configuration:

  • HTTP Method: "POST"
  • Service URI: "https://url.ecall.ch/Api/Sms"
  • Message Parameter: "Message"
  • Recipient Parameter: "Address"
  • Originator Parameter: "CallBack" (or leave empty for the default originator of the associated account)
  • Flash Parameter: (only if flash is required, otherwise leave empty)
    • Parameter Name: "MsgType"
    • Parameter Value: "Flash"
  • Attribute Value Pairs:
    • "Username=xyz" (replace with your technical user id)
    • "Password=xyz" (replace with your password)
  • Successful Response Pattern: can be left empty. Every response with code 200 is a successful response.
Class
com.airlock.iam.core.misc.impl.sms.EcallSmsGateway
May be used by
Properties
Account Username (accountUsername)
Description
Username for a registered eCall account.
Attributes
String
Mandatory
Example
MyEcallLogin
Account Password (accountPassword)
Description
Password for the registered eCall account.
Attributes
String
Mandatory
Sensitive
Service URI (serviceUri)
Description
The URI of the eCall service.
See note in plug-in description when using SSL (HTTPS instead of HTTP).
Attributes
String
Mandatory
Suggested values
https://www.ecall.ch/ecallurl/ecallurl.ASP, http://www.ecall.ch/ecallurl/ecallurl.ASP
Proxy Host (proxyHost)
Description
The hostname of the HTTP proxy server (if any).
Attributes
String
Optional
Example
proxy.company.com
Proxy Port (proxyPort)
Description
The port of the HTTP proxy server (if any).
Attributes
Integer
Optional
Proxy Login User (proxyLoginUser)
Description
Username for the HTTP proxy if proxy authentication is used.
Attributes
String
Optional
Proxy Login Password (proxyLoginPassword)
Description
Password for the HTTP proxy if proxy authentication is used.
Attributes
String
Optional
Sensitive
    Allow Only Trusted Certs (allowOnlyTrustedCerts)
    Description

    Only allow connections to servers whose certificate is trusted. See documentation of property "Trust Store Path" for more information about what certificates are trusted.

    Security warning: Trusting all certificates allows connections to adversarial hosts. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Verify Server Hostname (verifyServerHostname)
    Description

    Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

    Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Trust Store Path (trustStorePath)
    Description

    Keystore file name containing trusted certificate issuers (and trusted certificates).

    If this property is not defined the following certificate issuers are trusted:

    • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
    • The list of issuers in a keystore referenced by the system property "javax.net.ssl.trustStore" if it is defined in instance.properties using iam.java.opts.

    If this property is defined then the following certificate issuers are trusted:

    • The list of issuers in the referenced truststore file and no others.

    This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

    Attributes
    File/Path
    Optional
    Trust Store Type (trustStoreType)
    Description
    Identifies the type of the keystore.
    Attributes
    String
    Optional
    Default value
    JKS
    Allowed values
    JKS, PKCS12
    Trust Store Password (trustStorePassword)
    Description
    The password used to verify the authenticity of the trust store.

    Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

    • JKS: the keystore can be opened and used but the integrity of the keystore is not checked.
    • PKCS12: an error occurs.

    Attributes
    String
    Optional
    Sensitive
    Connection/Read Timeout [s] (connectTimeout)
    Description
    The timeout in seconds used for connection timeout and read timeout.
    Therefore, a connection may take a maximum of twice this time until it is aborted.
    Attributes
    Integer
    Optional
    Default value
    10
    Correlation ID Header Name (correlationIdHeaderName)
    Description

    When configured, every request sent contains a header with the configured name carrying the correlation ID. If no value or an empty value is specified, the correlation ID header is not sent.

    If no correlation ID is defined for the current request, the correlation ID header is likewise omitted from the sent request.

    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9_-]+
    Suggested values
    X-Correlation-ID
    Visible Phone Number Digits In Log (visiblePhoneNumberDigitsInLog)
    Description

    Defines the number of phone number digits visible in log statements.

    Thus, if the value is zero, all digits are masked; if it is large enough, all digits are visible. If set to 3, for example, the logged number looks like ********965.

    The default is 100, i.e. showing all digits.

    Attributes
    Integer
    Optional
    Default value
    100
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sms.EcallSmsGateway
    id: EcallSmsGateway-xxxxxx
    displayName: 
    comment: 
    properties:
      accountPassword:
      accountUsername:
      allowOnlyTrustedCerts: true
      connectTimeout: 10
      correlationIdHeaderName:
      proxyHost:
      proxyLoginPassword:
      proxyLoginUser:
      proxyPort:
      serviceUri:
      trustStorePassword:
      trustStorePath:
      trustStoreType: JKS
      verifyServerHostname: true
      visiblePhoneNumberDigitsInLog: 100
    

    Edited Context Data Map

    Description
    Provides the edited context data values from a "User Data Edit Step". Removed values are provided as empty strings. This allows combining this map with the "Context Data Map" to obtain the context data values as they will be after applying the data edit change.
    Class
    com.airlock.iam.selfservice.application.configuration.message.UserDataEditValueMapProviderConfig
    May be used by
    mTAN Transaction Approval Step, Secret Questions Identity Verification Step, Set Authentication Method Migration Step, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Airlock 2FA Self-Service Approval Step, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Account Link Linking Initiation Step, Remote Event Subscriber (Loginapp), Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Airlock 2FA Message Provider, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, Selection Step for Public Self-Service, OATH OTP Activation Step, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Delete FIDO Credential Initiation Step, Login From New Device Step, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, Cronto Message Provider, User Identification By Data Step (Public Self-Service), Translated String Provider, Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Template-based String Provider, Apply Changes Step, User Persisting Step Config, Start User Representation Step, mTAN Message Provider, String From Map Value Provider, Mandatory Password Change Step Config, SMS Event Subscriber (Loginapp), Disable Cronto Device Initiation Step, Email Message Provider, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Username Password Authentication Step, Certificate Credential Extraction Step Config, Set Password Step Config, Password Change Self-Service Step, SSI Verification Step, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, mTAN Self-Service Approval Step, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Delete mTAN Number Initiation Step, SSI Authentication Step, Template-based Username Transformer, Transforming Value Map Provider, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Email Event Subscriber (Loginapp), Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Airlock 2FA Mobile Only Authentication Step, Voluntary Password Change Step, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), Username Generation Step Config, Remember-Me Reset Step, Delete OAuth 2.0 Session Initiation Step, Ticket String Provider Config, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.message.UserDataEditValueMapProviderConfig
    id: UserDataEditValueMapProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Email Address

    Description
    Validates that a field contains an email address.
    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.validation.EmailValidationConfig
    May be used by
    Properties
    Translation Key (translationKey)
    Description
    The translation key to use for the error message in case the validation fails. A default translation is used when no translation key is configured.
    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.validation.EmailValidationConfig
    id: EmailValidationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      translationKey:
    

    Email Address Added

    Description

    Event that is published when a new email address has been added to a user.

    This event is published in Loginapp flows by the "Apply Email Change" handler and in the Adminapp by Generic Token Controllers for tokens with "EMAIL" as Token Event Type and by profile items of type "Email User Profile Item".

    Class
    com.airlock.iam.common.application.configuration.event.EmailAddressAddedSubscribedEventConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.event.EmailAddressAddedSubscribedEventConfig
    id: EmailAddressAddedSubscribedEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Email Address Changed

    Description

    Event that is published when a user's email address has been changed.

    This event is published in Loginapp flows by the "Apply Email Change" handler and in the Adminapp by Generic Token Controllers for tokens with "EMAIL" as Token Event Type and by profile items of type "Email User Profile Item".

    Class
    com.airlock.iam.common.application.configuration.event.EmailAddressChangedSubscribedEventConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.event.EmailAddressChangedSubscribedEventConfig
    id: EmailAddressChangedSubscribedEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Email Address Deleted

    Description

    Event that is published when a user's email address has been deleted.

    This event is published in Loginapp flows by the "Apply Email Change" handler and in the Adminapp by Generic Token Controllers for tokens with "EMAIL" as Token Event Type and by profile items of type "Email User Profile Item".

    Class
    com.airlock.iam.common.application.configuration.event.EmailAddressDeletedSubscribedEventConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.event.EmailAddressDeletedSubscribedEventConfig
    id: EmailAddressDeletedSubscribedEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Email Address Validator

    Description
    Validator to ensure that the provided string value is an email address.
    Class
    com.airlock.iam.common.application.configuration.validation.EmailAddressValidatorConfig
    May be used by
    Properties
    Maximum Length (maximumLength)
    Description
    Maximum length of email addresses. 100 characters is the default IAM email database field limit. IETF accepted errata against RFC 3696 allow up to 254 characters.
    Attributes
    Integer
    Optional
    Default value
    100
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.validation.EmailAddressValidatorConfig
    id: EmailAddressValidatorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      maximumLength: 100
    

    Email Change Verification Step

    Description

    Flow step that uses the email address provided by the user in a User Data Edit Step. It verifies the email address by sending an email with an OTP that has to be entered correctly for the flow to continue.

    Note that channel verification is the only way to ensure the uniqueness of email addresses while at the same time not revealing already registered email addresses.

    Class
    com.airlock.iam.login.application.configuration.EmailChangeVerificationStepConfig
    May be used by
    Properties
    Email Item (emailItem)
    Description
    Email item that was edited.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Email Address Provider (emailProvider)
    Description
    Email address provider for the email address to verify. The "Changed Email Address Provider" can be used to provide the changed email address, if this step follows after a User Data Edit Step with an "Email Item Definition".
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method IDs', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    EMAIL
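    The counter-reset problem described for 'Authentication Method ID' above, as an added simulation that is not Airlock IAM code: a failed-attempt counter keyed by (user, method ID) is driven by two password steps, once sharing the ID "PASSWORD" and once with the distinct IDs "PASSWORD" and "PASSWORD2". The lock threshold, user name and sample secrets are constructed values.

```python
"""Added example (not Airlock IAM code): why two password steps need distinct
Authentication Method IDs. Models the per-method failed-attempt counter the
documentation describes; threshold and secrets are constructed values."""
from dataclasses import dataclass, field

LOCK_THRESHOLD = 3  # constructed: failed attempts after which the user is locked


@dataclass
class FailedAttemptTracker:
    """Counts failed attempts per (user, authentication method ID)."""
    threshold: int = LOCK_THRESHOLD
    counters: dict = field(default_factory=dict)  # (user, method_id) -> failures
    locked: set = field(default_factory=set)      # users locked by this tracker

    def record(self, user: str, method_id: str, success: bool) -> str:
        key = (user, method_id)
        if user in self.locked:
            return "locked"
        if success:
            # a successful login resets the counter of *this* method ID only
            self.counters[key] = 0
            return "ok"
        self.counters[key] = self.counters.get(key, 0) + 1
        if self.counters[key] >= self.threshold:
            self.locked.add(user)
            return "locked"
        return "failed"


@dataclass
class PasswordStep:
    """One password step instance: checks one stored password under one method ID."""
    method_id: str
    expected: str  # constructed sample secret, not a real credential

    def check(self, tracker: FailedAttemptTracker, user: str, entered: str) -> str:
        return tracker.record(user, self.method_id, entered == self.expected)


def run_scenario(shared_counter: bool, rounds: int = 5) -> tuple:
    """Flow A receives a correct password 1 each round; flow B receives only
    wrong guesses, interleaved so that A's success lands before B's counter
    reaches the threshold. Returns (wrong guesses B processed, user locked)."""
    flow_a = PasswordStep("PASSWORD", "pw1-sample")
    flow_b = PasswordStep("PASSWORD" if shared_counter else "PASSWORD2", "pw2-sample")
    tracker = FailedAttemptTracker()
    user = "alice"  # constructed user name
    guesses = 0
    for i in range(rounds):
        # threshold - 1 wrong guesses on flow B, staying just below the lock
        for _ in range(tracker.threshold - 1):
            if flow_b.check(tracker, user, f"guess-{i}") == "locked":
                return guesses, True
            guesses += 1
        # a valid login on flow A; with a shared ID this resets B's counter too
        flow_a.check(tracker, user, "pw1-sample")
    return guesses, False


if __name__ == "__main__":
    # shared ID: never locks, (10, False); distinct IDs: locks early, (2, True)
    print("shared ID  :", run_scenario(shared_counter=True))
    print("distinct ID:", run_scenario(shared_counter=False))
```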
    Email Service (emailService)
    Description
    Email service for sending emails.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    OTP Generator (otpGenerator)
    Description
    Secret string generator to create the OTP. Make sure that the code is long enough to prevent brute-force attacks (by restarting the flow multiple times).
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Email Message Provider (emailMessageProvider)
    Description
    Creates the Email message content.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Max Failed Attempts (maxFailedAttempts)
    Description
    Number of allowed failed attempts before the flow is aborted.
    Attributes
    Integer
    Optional
    Default value
    1
    OTP Validity [s] (otpValidity)
    Description
    Determines how long the OTP is valid (in seconds).
    Attributes
    Integer
    Optional
    Default value
    300
    Otp Case Sensitive (otpCaseSensitive)
    Description
    If enabled, the case of characters is considered when matching the entered OTP against the generated one.
    Attributes
    Boolean
    Optional
    Default value
    true
    Send As HTML (sendAsHtml)
    Description

    If enabled, the verification email will be sent as an HTML mail. Otherwise it will be sent as plain text.

    Security Warning: If e-mails are sent as HTML, make sure to properly escape values originating from untrusted sources (such as user input during self-registration). This can be achieved by enabling the property 'Escape Values in HTML'.

    If a more fine-grained control is required, use a 'Transforming Value Map Provider' with an 'HTML String Escaper' to transform all values of the map. (Alternatively, if you want to transform only individual values of a map, use a 'Value Provider Map' with 'Transforming String Value Providers'.)

    Attributes
    Boolean
    Optional
    Default value
    false
    Masking Settings (maskingSettings)
    Description
    Settings for masking the email address in the REST API responses. Please refer to the REST API documentation for further details.

    If left empty, the email address will not be masked.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.EmailChangeVerificationStepConfig
    id: EmailChangeVerificationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: EMAIL
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      emailItem:
      emailMessageProvider:
      emailProvider:
      emailService:
      interactiveGotoTargets:
      maskingSettings:
      maxFailedAttempts: 1
      onFailureGotos:
      otpCaseSensitive: true
      otpGenerator:
      otpValidity: 300
      preCondition:
      requiresActivation: false
      sendAsHtml: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Email Event Subscriber (Adminapp)

    Description
    An event subscriber that sends an email to notify a user.
    Class
    com.airlock.iam.admin.application.configuration.event.AdminappEmailEventSubscriberConfig
    May be used by
    Properties
    Email Service (emailService)
    Description
    Email service for sending emails.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Recipient Address (recipientAddress)
    Description
    Email address to which the notification email is sent.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Subject Resource Key (subjectResourceKey)
    Description
    The resource key under which the localized template for the email subject can be found. The following syntax can be used to include data in the template.
    • ${contextDataName} for the value of contextDataName in the context-data of the managed user.
    • ${event.createdAt,date,format} for the date/time at which the event was created, where "format" is a date pattern like "yyyy-MM-dd HH:mm:ss".
    Depending on the event and on the conditions in which the event originated, the following variables may also be available:
    • event.createdAt
    • event.data.addedRoles (list of strings)
    • event.data.airlock2FAAccountId
    • event.data.airlock2FADeviceId
    • event.data.activeAuthenticationMethod
    • event.data.contextDataChanged.%s.newValue (where "%s" is replaced by the context-data field name).
    • event.data.contextDataChanged.%s.oldValue (where "%s" is replaced by the context-data field name).
    • event.data.crontoDeviceId
    • event.data.fidoCredentialId
    • event.data.lockReason
    • event.data.mtanNewPhoneNumber
    • event.data.mtanNumberId
    • event.data.mtanOldPhoneNumber
    • event.data.newEmailAddress
    • event.data.newRoles (list of strings)
    • event.data.oldEmailAddress
    • event.data.oldRoles (list of strings)
    • event.data.previousAuthenticationMethod
    • event.data.removedRoles (list of strings)
    • event.data.userId
    • event.id
    • event.metadata.requestIp
    • event.metadata.userAgent
    • event.source.adminId
    Variables that are not defined are replaced by an empty string. The Airlock IAM documentation provides further information about the availability of specific variables.
    Attributes
    String
    Optional
    Default value
    email.notification.subject
    Suggested values
    email.notification.address-changed-event.subject, email.notification.airlock2fa-device-deleted-event.subject, email.notification.authentication-method-changed-event.subject, email.notification.cronto-device-deleted-event.subject, email.notification.device-token-deleted-event.subject, email.notification.email-added-event.subject, email.notification.email-changed-event.subject, email.notification.email-deleted-event.subject, email.notification.fido-credential-deleted-event.subject, email.notification.mtan-token-deleted-event.subject, email.notification.mtan-token-phone-number-changed-event.subject, email.notification.mtan-token-registered-event.subject, email.notification.user-created-event.subject, email.notification.user-deleted-event.subject, email.notification.user-locked-event.subject, email.notification.user-roles-changed-event.subject, email.notification.user-unlocked-event.subject
    Body Resource Key (bodyResourceKey)
    Description
    The resource key under which the localized template for the email message body can be found. The following syntax can be used to include data in the template.
    • ${contextDataName} for the value of contextDataName in the context-data of the managed user.
    • ${event.createdAt,date,format} for the date/time at which the event was created, where "format" is a date pattern like "yyyy-MM-dd HH:mm:ss".
    Depending on the event and on the conditions in which the event originated, the following variables may also be available:
    • event.createdAt
    • event.data.addedRoles (list of strings)
    • event.data.airlock2FAAccountId
    • event.data.airlock2FADeviceId
    • event.data.activeAuthenticationMethod
    • event.data.contextDataChanged.%s.newValue (where "%s" is replaced by the context-data field name).
    • event.data.contextDataChanged.%s.oldValue (where "%s" is replaced by the context-data field name).
    • event.data.crontoDeviceId
    • event.data.fidoCredentialId
    • event.data.lockReason
    • event.data.mtanNewPhoneNumber
    • event.data.mtanNumberId
    • event.data.mtanOldPhoneNumber
    • event.data.newEmailAddress
    • event.data.newRoles (list of strings)
    • event.data.oldEmailAddress
    • event.data.oldRoles (list of strings)
    • event.data.previousAuthenticationMethod
    • event.data.removedRoles (list of strings)
    • event.data.userId
    • event.id
    • event.metadata.requestIp
    • event.metadata.userAgent
    • event.source.adminId
    Variables that are not defined are replaced by an empty string. The Airlock IAM documentation provides further information about the availability of specific variables.
    Attributes
    String
    Optional
    Default value
    email.notification.body
    Suggested values
    email.notification.address-changed-event.body, email.notification.airlock2fa-device-deleted-event.body, email.notification.authentication-method-changed-event.body, email.notification.cronto-device-deleted-event.body, email.notification.device-token-deleted-event.body, email.notification.email-added-event.body, email.notification.email-changed-event.body, email.notification.email-deleted-event.body, email.notification.fido-credential-deleted-event.body, email.notification.mtan-token-deleted-event.body, email.notification.mtan-token-phone-number-changed-event.body, email.notification.mtan-token-registered-event.body, email.notification.user-created-event.body, email.notification.user-deleted-event.body, email.notification.user-locked-event.body, email.notification.user-roles-changed-event.body, email.notification.user-unlocked-event.body
    Send As HTML (sendAsHtml)
    Description
    If enabled, the notification email will be sent as an HTML mail. Otherwise it will be sent as plain text.
    Attributes
    Boolean
    Optional
    Default value
    false
    Language Context Data Name (languageContextDataName)
    Description
    The context data field whose value is to be used as the recipient's message language. If the provided value is blank or invalid, the default language will be used.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Default Language (defaultLanguage)
    Description
    The default language code used when no (or no valid) information about the current language is present. A corresponding locale must be available.
    Attributes
    String
    Optional
    Default value
    de
    Suggested values
    de, fr, en
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.event.AdminappEmailEventSubscriberConfig
    id: AdminappEmailEventSubscriberConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      bodyResourceKey: email.notification.body
      defaultLanguage: de
      emailService:
      event:
      languageContextDataName:
      recipientAddress:
      sendAsHtml: false
      subjectResourceKey: email.notification.subject
    

    Email Event Subscriber (Loginapp)

    Description
    An event subscriber that sends an email to notify a user.
    Class
    com.airlock.iam.login.application.configuration.event.LoginappEmailEventSubscriberConfig
    May be used by
    Properties
    Email Service (emailService)
    Description
    Email service for sending emails.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Recipient Address (recipientAddress)
    Description
    Email address to which the notification email is sent.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Subject Resource Key (subjectResourceKey)
    Description
    The resource key under which the localized template for the email subject can be found. The following syntax can be used to include data in the template.
    • ${valueMapKey} for the value of valueMapKey provided by any of the configured Value Map Providers.
    • ${event.createdAt,date,format} to include the date/time at which the event was created, where "format" is a date pattern like "yyyy-MM-dd HH:mm:ss".
    Depending on the event and on the conditions in which the event originated, the following variables may also be available:
    • event.createdAt
    • event.data.airlock2FAAccountId
    • event.data.airlock2FADeviceId
    • event.data.activeAuthenticationMethod
    • event.data.authenticationMethods
    • event.data.browser
    • event.data.city
    • event.data.contextDataChanged.%s.newValue (where "%s" is replaced by the context-data field name).
    • event.data.contextDataChanged.%s.oldValue (where "%s" is replaced by the context-data field name).
    • event.data.countryCode
    • event.data.crontoDeviceId
    • event.data.device
    • event.data.deviceTokenId
    • event.data.fidoCredentialId
    • event.data.fidoPublicKeyCredentialId
    • event.data.fidoRelyingPartyId
    • event.data.lockReason
    • event.data.mtanNewPhoneNumber
    • event.data.mtanNumberId
    • event.data.mtanOldPhoneNumber
    • event.data.newEmailAddress
    • event.data.oldEmailAddress
    • event.data.operatingSystem
    • event.data.previousAuthenticationMethod
    • event.data.stepResult.attributes.<attribute-name> (where <attribute-name> is the name of the additional attribute; it may be nested.)
    • event.data.stepResult.errorCode
    • event.data.stepResult.nextAction
    • event.data.stepResult.type
    • event.data.userId
    • event.id
    • event.metadata.requestIp
    • event.metadata.userAgent
    • event.source.applicationId
    • event.source.configurationContext
    • event.source.flowId
    • event.source.stepId
    Variables that are not defined are replaced by an empty string. The Airlock IAM documentation provides further information about the availability of specific variables.
    Attributes
    String
    Optional
    Default value
    email.notification.subject
    Suggested values
    email.notification.address-changed-event.subject, email.notification.airlock2fa-device-activated-event.subject, email.notification.airlock2fa-device-deleted-event.subject, email.notification.airlock2fa-device-in-cooldown-used-event.subject, email.notification.authentication-flow-successfully-completed-event.subject, email.notification.authentication-method-changed-event.subject, email.notification.cronto-device-activated-event.subject, email.notification.cronto-device-deleted-event.subject, email.notification.device-token-deleted-event.subject, email.notification.device-token-registered-event.subject, email.notification.email-added-event.subject, email.notification.email-changed-event.subject, email.notification.email-deleted-event.subject, email.notification.fido-credential-deleted-event.subject, email.notification.fido-credential-registered-event.subject, email.notification.login-from-new-device-event.subject, email.notification.mtan-token-deleted-event.subject, email.notification.mtan-token-phone-number-changed-event.subject, email.notification.mtan-token-registered-event.subject, email.notification.password-changed-event.subject, email.notification.user-created-event.subject, email.notification.user-locked-event.subject, email.notification.user-unlocked-event.subject, email.notification.oath-otp-secret-added-event.subject, email.notification.oath-otp-secret-viewed-event.subject
    Body Resource Key (bodyResourceKey)
    Description
    The resource key under which the localized template for the email message body can be found. The following syntax can be used to include data in the template.
    • ${valueMapKey} for the value of valueMapKey provided by any of the configured Value Map Providers.
    • ${event.createdAt,date,format} to include the date/time at which the event was created, where "format" is a date pattern like "yyyy-MM-dd HH:mm:ss".
    Depending on the event and on the conditions in which the event originated, the following variables may also be available:
    • event.createdAt
    • event.data.airlock2FAAccountId
    • event.data.airlock2FADeviceId
    • event.data.activeAuthenticationMethod
    • event.data.authenticationMethods
    • event.data.browser
    • event.data.city
    • event.data.contextDataChanged.%s.newValue (where "%s" is replaced by the context-data field name).
    • event.data.contextDataChanged.%s.oldValue (where "%s" is replaced by the context-data field name).
    • event.data.countryCode
    • event.data.crontoDeviceId
    • event.data.device
    • event.data.deviceTokenId
    • event.data.fidoCredentialId
    • event.data.fidoPublicKeyCredentialId
    • event.data.fidoRelyingPartyId
    • event.data.lockReason
    • event.data.mtanNewPhoneNumber
    • event.data.mtanNumberId
    • event.data.mtanOldPhoneNumber
    • event.data.newEmailAddress
    • event.data.oldEmailAddress
    • event.data.operatingSystem
    • event.data.previousAuthenticationMethod
    • event.data.stepResult.attributes.<attribute-name> (where <attribute-name> is the name of the additional attribute; it may be nested.)
    • event.data.stepResult.errorCode
    • event.data.stepResult.nextAction
    • event.data.stepResult.type
    • event.data.userId
    • event.id
    • event.metadata.requestIp
    • event.metadata.userAgent
    • event.source.applicationId
    • event.source.configurationContext
    • event.source.flowId
    • event.source.stepId
    Variables that are not defined are replaced by an empty string. The Airlock IAM documentation provides further information about the availability of specific variables.
    Attributes
    String
    Optional
    Default value
    email.notification.body
    Suggested values
    email.notification.address-changed-event.body, email.notification.airlock2fa-device-activated-event.body, email.notification.airlock2fa-device-deleted-event.body, email.notification.airlock2fa-device-in-cooldown-used-event.body, email.notification.authentication-flow-successfully-completed-event.body, email.notification.authentication-method-changed-event.body, email.notification.cronto-device-activated-event.body, email.notification.cronto-device-deleted-event.body, email.notification.device-token-deleted-event.body, email.notification.device-token-registered-event.body, email.notification.email-added-event.body, email.notification.email-changed-event.body, email.notification.email-deleted-event.body, email.notification.fido-credential-deleted-event.body, email.notification.fido-credential-registered-event.body, email.notification.login-from-new-device-event.body, email.notification.mtan-token-deleted-event.body, email.notification.mtan-token-phone-number-changed-event.body, email.notification.mtan-token-registered-event.body, email.notification.oath-otp-secret-added-event.body, email.notification.oath-otp-secret-viewed-event.body, email.notification.password-changed-event.body, email.notification.user-created-event.body, email.notification.user-locked-event.body, email.notification.user-unlocked-event.body
    Send As HTML (sendAsHtml)
    Description
    If enabled, the notification email will be sent as an HTML mail. Otherwise it will be sent as plain text.
    Attributes
    Boolean
    Optional
    Default value
    false
    Language (language)
    Description
    A String Value Provider which provides the language of the message. It is recommended to use a context data field and not the display language, as the latter could be misused by an attacker to confuse the victim with an unknown language.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Value Map Providers (valueMapProviders)
    Description
    Mappings that are used to replace the variables in the localized templates for the notification's content. The value map providers are called in the configured order and their values are added to a map. Later added values will overwrite earlier ones if they have the same key.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.event.LoginappEmailEventSubscriberConfig
    id: LoginappEmailEventSubscriberConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      bodyResourceKey: email.notification.body
      emailService:
      event:
      language:
      recipientAddress:
      sendAsHtml: false
      subjectResourceKey: email.notification.subject
      valueMapProviders:
    

    Email Identity Verification Step

    Description

    Public self-service flow step that verifies the user identity by sending an email with an OTP that the user has to enter correctly for the flow to continue.

    This is an identity verification step that differs from a general "factor check" step in the following ways:

    • It doesn't fail with non-existing users or users without an email address.
    • It implements stealth mode: if a user does not exist or cannot do a public self-service for whatever reason, no error is returned, but any OTP entered is rejected, so that the step can never be completed successfully.
    Class
    com.airlock.iam.publicselfservice.application.configuration.steps.EmailIdentityVerificationStepConfig
    May be used by
    Properties
    Email Item (emailContextData)
    Description
    The context data field that contains the email address of the user.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Email Service (emailService)
    Description
    Email service for sending emails.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    OTP Generator (otpGenerator)
    Description
    Secret string generator to create the OTP. Make sure that the code is long enough to prevent brute-force attacks (by restarting the flow multiple times).
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Subject Resource Key (subjectResourceKey)
    Description
    The resource key for the email subject. The replacement variables described for "Body Resource Key" are also available here.
    Attributes
    String
    Optional
    Default value
    public-self-service.email.otp.subject
    Body Resource Key (bodyResourceKey)
    Description

    The resource key for the email message body.

    The following syntax can be used to include data in the template:

    • ${TOKEN} to include the generated OTP.
    • ${USERNAME} to include the name of the user (as entered to initiate the public self-service).
    • ${Now,date,format} to include the current date/time, where "format" is a date pattern like "yyyy-MM-dd HH:mm:ss".
    • ${contextDataName} to include the value of the context data field "contextDataName". Note that only context data of type "string" can be included.

    Note that unreplaced variables result in a failure and no email is sent. Therefore, only variable names should be used that are guaranteed to be available when the email verification is performed.

    Attributes
    String
    Optional
    Default value
    public-self-service.email.otp.body
    Max Failed Attempts (maxFailedAttempts)
    Description
    Number of allowed failed attempts before the flow is aborted.
    Attributes
    Integer
    Optional
    Default value
    1
    OTP Validity [s] (otpValidity)
    Description
    Determines how long the OTP is valid (in seconds).
    Attributes
    Integer
    Optional
    Default value
    300
    Otp Case Sensitive (otpCaseSensitive)
    Description
    If enabled, the case of characters is considered when matching the entered OTP against the generated one.
    Attributes
    Boolean
    Optional
    Default value
    true
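    The OTP check that the properties Max Failed Attempts, OTP Validity, Otp Case Sensitive and the stealth mode described above define, modelled as an added Python example. This is not Airlock IAM code: the user directory, the e-mail sender and the OTP generator are stand-ins, and it assumes that maxFailedAttempts is the number of failures tolerated before the next one aborts the flow.

```python
import hmac
import secrets
import string
import time
from typing import Callable, Mapping, Optional


def default_otp_generator(length: int = 8) -> str:
    """Secret string generator: uppercase letters and digits, long enough to resist guessing."""
    alphabet = string.ascii_uppercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class EmailOtpVerification:
    """One session of an email-OTP identity check with stealth mode (illustrative model)."""

    def __init__(self, max_failed_attempts: int = 1, otp_validity: int = 300,
                 otp_case_sensitive: bool = True,
                 otp_generator: Callable[[], str] = default_otp_generator):
        self.max_failed_attempts = max_failed_attempts
        self.otp_validity = otp_validity          # seconds
        self.otp_case_sensitive = otp_case_sensitive
        self.otp_generator = otp_generator
        self._otp: Optional[str] = None
        self._issued_at = 0.0
        self._failed = 0
        self._stealth = False

    def start(self, username: str, directory: Mapping[str, str],
              send_email: Callable[[str, str], None], now: Optional[float] = None) -> str:
        """Generate an OTP and mail it; the response never reveals whether the user exists."""
        now = time.time() if now is None else now
        self._otp = self.otp_generator()
        self._issued_at = now
        self._failed = 0
        email = directory.get(username)
        # Stealth mode: an unknown user (or one without an email address) gets the same
        # response as a known one, but no mail is sent and no OTP can ever match.
        self._stealth = email is None
        if not self._stealth:
            send_email(email, self._otp)
        return "OTP_SENT"

    def verify(self, entered: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._otp is None:
            return "NOT_ACTIVE"          # not started, already completed, or aborted
        expected = self._otp
        if not self.otp_case_sensitive:
            entered, expected = entered.casefold(), expected.casefold()
        # The constant-time comparison runs in stealth mode too, so response time
        # does not leak whether the account exists.
        matches = hmac.compare_digest(entered.encode(), expected.encode())
        expired = now - self._issued_at > self.otp_validity
        if matches and not expired and not self._stealth:
            self._otp = None             # OTP is single-use
            return "VERIFIED"
        self._failed += 1
        # Assumption: maxFailedAttempts failures are tolerated; one more aborts the flow.
        if self._failed > self.max_failed_attempts:
            self._otp = None
            return "FLOW_ABORTED"
        return "OTP_INVALID"
```

    The model shows why stealth mode prevents account enumeration: `start` returns "OTP_SENT" for every username, and `verify` for an unknown user follows the same code path and costs the same failed attempt as a wrong OTP for a known user.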
    Send As HTML (sendAsHtml)
    Description

    If enabled, the verification email will be sent as an HTML mail. Otherwise it will be sent as plain text.

    Security Warning: If e-mails are sent as HTML, make sure to properly escape values originating from untrusted sources (such as user input during self-registration). This can be achieved by enabling the property 'Escape Values in HTML'.

    Attributes
    Boolean
    Optional
    Default value
    false
    Escape Values in HTML (escapeHtmlValues)
    Description

    HTML-escape all provided values if property Send As HTML is enabled.

    Security Warning: If e-mails are sent as HTML, make sure to properly escape values originating from untrusted sources (such as user input during self-registration). This can be achieved by enabling the property 'Escape Values in HTML'.

    Attributes
    Boolean
    Optional
    Default value
    true
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    EMAIL
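    The counter semantics described above, as an added Python illustration (not Airlock IAM's implementation): failed attempts are counted per user and per authentication method ID, and a success resets only its own counter. The function lock_survives_other_flow and the configuration check are constructed for this example; the 23-character limit is the one stated for this property.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

MAX_METHOD_ID_LENGTH = 23


class FailedAttemptCounters:
    """Failed-attempt counters keyed by (user, authentication method ID)."""

    def __init__(self, max_failed_attempts: int):
        self.max_failed_attempts = max_failed_attempts
        self._failed: Dict[Tuple[str, str], int] = defaultdict(int)

    def is_locked(self, user_id: str, method_id: str) -> bool:
        return self._failed[(user_id, method_id)] >= self.max_failed_attempts

    def record_failure(self, user_id: str, method_id: str) -> bool:
        """Count a wrong credential; returns True when this method is now locked."""
        self._failed[(user_id, method_id)] += 1
        return self.is_locked(user_id, method_id)

    def record_success(self, user_id: str, method_id: str) -> None:
        """A successful check resets only the counter of its own method ID."""
        self._failed[(user_id, method_id)] = 0


def lock_survives_other_flow(method_id_flow_a: str, method_id_flow_b: str,
                             max_failed_attempts: int = 3) -> bool:
    """Lock the credential checked in flow B, then succeed in flow A.

    Returns True if flow B stays locked, i.e. the two flows do not share a counter.
    """
    counters = FailedAttemptCounters(max_failed_attempts)
    user = "alice"                                   # constructed sample user
    for _ in range(max_failed_attempts):
        counters.record_failure(user, method_id_flow_b)
    counters.record_success(user, method_id_flow_a)  # login with the other credential
    return counters.is_locked(user, method_id_flow_b)


def method_id_problems(configured_ids: List[str]) -> List[str]:
    """Configuration check: IDs reused by several steps, or longer than the limit."""
    problems = []
    for method_id in sorted(set(configured_ids)):
        if configured_ids.count(method_id) > 1:
            problems.append(f"{method_id}: used by {configured_ids.count(method_id)} steps")
        if len(method_id) > MAX_METHOD_ID_LENGTH:
            problems.append(f"{method_id}: longer than {MAX_METHOD_ID_LENGTH} characters")
    return problems
```

    With a shared ID such as PASSWORD, lock_survives_other_flow returns False: the success in flow A wipes the lock on flow B. With PASSWORD1 and PASSWORD2 it returns True, which is the behaviour the property description asks for.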
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.steps.EmailIdentityVerificationStepConfig
    id: EmailIdentityVerificationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: EMAIL
      bodyResourceKey: public-self-service.email.otp.body
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      emailContextData:
      emailService:
      escapeHtmlValues: true
      interactiveGotoTargets:
      maxFailedAttempts: 1
      onFailureGotos:
      otpCaseSensitive: true
      otpGenerator:
      otpValidity: 300
      preCondition:
      requiresActivation: false
      sendAsHtml: false
      skipCondition:
      stepId:
      subjectResourceKey: public-self-service.email.otp.subject
      tagsOnSuccess:
    

    Email Item Definition

    Description
    Item to register an email address. By default, the email address is validated by the "Email Address Validator" plugin but additional configurable validators can further restrict the allowed input values. Once validated, the email address is kept in the session to be verified and persisted later in the flow.
    Class
    com.airlock.iam.flow.shared.application.configuration.item.EmailItemDefinitionConfig
    May be used by
    Properties
    Key (key)
    Description
    The key under which the client is expected to provide the email address.
    Attributes
    String
    Optional
    Default value
    email
    Required (required)
    Description
    Specifies whether this item is required for the step to validate successfully.
    Attributes
    Boolean
    Optional
    Default value
    true
    Unique (unique)
    Description
    Specifies whether the email address must be unique across all users.
    Attributes
    Boolean
    Optional
    Default value
    true
    Enable Stealth Mode (enableStealthMode)
    Description
    Enables stealth mode uniqueness validation. In stealth mode, uniqueness violations are not communicated to the client. Instead, the email verification step will simulate sending the email OTP and all submitted OTPs will be invalid.
    Attributes
    Boolean
    Optional
    Default value
    true
    Maximum Input Length (maximumInputLength)
    Description
    Maximum length of email addresses. 100 characters is the default IAM email database field limit. IETF accepted errata against RFC 3696 allow up to 254 characters.
    Attributes
    Integer
    Optional
    Default value
    100
    Validators (validators)
    Description
    Validators for the email address. E.g. to restrict the email address to certain domains.

    The "Email Address Validator" is automatically applied. A manual configuration is not necessary.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.item.EmailItemDefinitionConfig
    id: EmailItemDefinitionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      enableStealthMode: true
      initialValueProvider:
      key: email
      maximumInputLength: 100
      required: true
      unique: true
      validators:
    

    Email Message Provider

    Description
    Generic message provider for emails.
    Class
    com.airlock.iam.flow.shared.application.configuration.message.GenericEmailMessageProviderConfig
    May be used by
    Properties
    Subject Resource Key (subjectResourceKey)
    Description
    Resource key to select the localized template to generate the subject line. The localized template can contain variables (e.g. ${town}).
    Attributes
    String
    Mandatory
    Example
    authentication.email.otp.subject
    Example
    user-self-reg.email.verification.subject
    Body Resource Key (bodyResourceKey)
    Description
    Resource key to select the localized template to generate the email body. The localized template can contain variables (e.g. ${town}). If the email is used to send an email OTP, the template must contain the variable ${TOKEN} which will be replaced by the OTP token.
    Attributes
    String
    Mandatory
    Example
    authentication.email.otp.body
    Example
    user-self-reg.email.verification.body-with-otp
    Value Providers (valueProviders)
    Description

    List of value map providers that are used to replace the variables in the localized template. The value providers are called in the configured order and their values are added to a map. Later providers can overwrite values from earlier providers. If no value providers are configured, the localized template should not contain any variables, since all of them would be replaced by empty strings.

    If available, the OTP token for the ${TOKEN} variable is automatically added to the map and doesn't have to be configured here.

    Security Warning: If e-mails are sent as HTML, make sure to properly escape values originating from untrusted sources (such as user input during self-registration). This can be achieved by enabling the property 'Escape Values in HTML'.

    If a more fine-grained control is required, use a 'Transforming Value Map Provider' with an 'HTML String Escaper' to transform all values of the map. (Alternatively, if you want to transform only individual values of a map, use a 'Value Provider Map' with 'Transforming String Value Providers'.)

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Escape Values in HTML (escapeValuesInHtml)
    Description

    HTML-escape all provided values if this message provider is used in an HTML email.

    Security Warning: If e-mails are sent as HTML, make sure to properly escape values originating from untrusted sources (such as user input during self-registration). This can be achieved by enabling the property 'Escape Values in HTML'.

    If a more fine-grained control is required, use a 'Transforming Value Map Provider' with an 'HTML String Escaper' to transform all values of the map. (Alternatively, if you want to transform only individual values of a map, use a 'Value Provider Map' with 'Transforming String Value Providers'.)

    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.message.GenericEmailMessageProviderConfig
    id: GenericEmailMessageProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      bodyResourceKey:
      escapeValuesInHtml: true
      subjectResourceKey:
      valueProviders:
    

    Email Notification Step

    Description
    A flow step that sends emails. Body and subject of the email can be defined as a template, where predefined (current date) and custom (e.g. context data) variables can be referenced. The custom variables will be replaced based on the configured Value Map Providers.
    Class
    com.airlock.iam.flow.shared.application.configuration.step.email.EmailNotificationStepConfig
    May be used by
    Properties
    Email Service (emailService)
    Description
    Email service for sending emails.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Subject Resource Key (subjectResourceKey)
    Description
    The resource key under which the localized template for the email subject can be found. The following syntax can be used to include data in the template.
    • ${valueMapKey} will look up the configured Value Map Providers and include the value found under the key valueMapKey.
    • ${NOW,date,format} to include the current date/time, where "format" is a date pattern like "yyyy-MM-dd HH:mm:ss".
    Note that non-replaced variables result in a failure and no email is sent. Therefore, only variable names should be used in the template that are guaranteed to be available when the notification email is sent.
    Attributes
    String
    Optional
    Default value
    email.notification.subject
    Body Resource Key (bodyResourceKey)
    Description
    The resource key under which the localized template for the email message body can be found. The following syntax can be used to include data in the template.
    • ${valueMapKey} will look up the configured Value Map Providers and include the value found under the key valueMapKey.
    • ${NOW,date,format} to include the current date/time, where "format" is a date pattern like "yyyy-MM-dd HH:mm:ss".
    Note that non-replaced variables result in a failure and no email is sent. Therefore, only variable names should be used in the template that are guaranteed to be available when the notification email is sent.
    Attributes
    String
    Optional
    Default value
    email.notification.body
    Value Map Providers (valueMapProviders)
    Description
    Mappings that are used to replace the variables in the localized templates for the email subject and body. The value map providers are called in the configured order and their values are added to a map. Later added values will overwrite earlier ones if they have the same key.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Send As HTML (sendAsHtml)
    Description

    If enabled, the notification email will be sent as an HTML mail. Otherwise it will be sent as plain text.

    Security Warning: If e-mails are sent as HTML, make sure to properly escape values originating from untrusted sources (such as user input during self-registration). This can be achieved by enabling the property 'Escape Values in HTML'.

    If a more fine-grained control is required, use a 'Transforming Value Map Provider' with an 'HTML String Escaper' to transform all values of the map. (Alternatively, if you want to transform only individual values of a map, use a 'Value Provider Map' with 'Transforming String Value Providers'.)

    Attributes
    Boolean
    Optional
    Default value
    false
    Escape Values in HTML (escapeHtmlValues)
    Description

    HTML-escape all provided values if property Send As HTML is enabled.

    Security Warning: If e-mails are sent as HTML, make sure to properly escape values originating from untrusted sources (such as user input during self-registration). This can be achieved by enabling the property 'Escape Values in HTML'.

    If a more fine-grained control is required, use a 'Transforming Value Map Provider' with an 'HTML String Escaper' to transform all values of the map. (Alternatively, if you want to transform only individual values of a map, use a 'Value Provider Map' with 'Transforming String Value Providers'.)

    Attributes
    Boolean
    Optional
    Default value
    true
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.step.email.EmailNotificationStepConfig
    id: EmailNotificationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      bodyResourceKey: email.notification.body
      customFailureResponseAttributes:
      customResponseAttributes:
      emailService:
      escapeHtmlValues: true
      onFailureGotos:
      preCondition:
      recipientAddressProvider:
      requiresActivation: false
      sendAsHtml: false
      skipCondition:
      stepId:
      subjectResourceKey: email.notification.subject
      tagsOnSuccess:
      valueMapProviders:
    

    Email Notification Task

    Description
    Sends an email notification to all users returned by the specified iterator. After the notification has been sent successfully, the current date is written to the specified user attribute.
    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.EmailNotificationTask
    May be used by
    Properties
    Email Service (emailService)
    Description
    The Email Service plugin used to send emails.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Subject Renderer (subjectRenderer)
    Description
    The subject renderer is used to create the language-dependent email subject.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Content Renderer (contentRenderer)
    Description
    The content renderer is used to create the language-dependent email content.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Content Is HTML (contentIsHtml)
    Description
    Defines whether the email content should be treated as HTML or plain text. This flag affects the MIME type of the email body.
    Attributes
    Boolean
    Optional
    Default value
    false
    User Persister (userPersister)
    Description
    The User Persister plugin used to read user data and write the date when the email was sent.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    User Iterator (userIterator)
    Description
    The User Iterator defines the set of users a notification email is sent to. It has to be configured to return the correct user set.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Notification Sent Date Context Attribute (notificationSentDateContextAttribute)
    Description
    Selects the user context attribute to store the date and time when the notification email was sent. Make sure it is configured in the configured user persister.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Email Address Context Attribute (emailAddressContextAttribute)
    Description
    Selects the user context attribute to read the recipient's email address from.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Givenname Context Attribute (givennameContextAttribute)
    Description
    Selects the user context attribute to read the recipient's given name from. This is used for the human-readable name in the "to:" field, but has no effect on the data used for subject or body.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Surname Context Attribute (surnameContextAttribute)
    Description
    Selects the user context attribute to read the recipient's surname from. This is used for the human-readable name in the "to:" field, but has no effect on the data used for subject or body.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Correspondance Language Context Attribute (correspondanceLanguageContextAttribute)
    Description
    Selects the user context attribute to read the recipient's correspondence language from.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.EmailNotificationTask
    id: EmailNotificationTask-xxxxxx
    displayName: 
    comment: 
    properties:
      contentIsHtml: false
      contentRenderer:
      correspondanceLanguageContextAttribute:
      emailAddressContextAttribute:
      emailService:
      givennameContextAttribute:
      notificationSentDateContextAttribute:
      subjectRenderer:
      surnameContextAttribute:
      userIterator:
      userPersister:
    

    Email Notifier

    Description
    Configuration of an EmailNotifier which sends an email to a user.
    Class
    com.airlock.iam.core.misc.impl.notification.EmailNotifier
    May be used by
    Properties
    Email Service (emailService)
    Description
    Email service plugin. This defines what mail server is used for sending the email. It also defines the sender address and whether the email should be signed or not.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    User Persister (userPersister)
    Description
    The user persister plug-in used to load the email address of a user.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Email Context Data Field (emailContextDataField)
    Description
    Context data field in which the email address is stored.
    Attributes
    String
    Mandatory
    Mail Subject (mailSubject)
    Description
    The subject used in the email.
    Attributes
    String
    Mandatory
    Mail Body (mailBody)
    Description
    The template used as body. This text may contain specific variable strings defined one plugin level higher (e.g. $USERNAME$) or context data variables (e.g. ${givenname}).
    Attributes
    String
    Mandatory
    Multi-line-text
    Example
    Hi $USERNAME$, this email notifies you about something.
    Example
    Hi Mr/Ms ${givenname}, this email notifies you about something.
    Example
    Hi Mr/Ms ${givenname}, your username is $USERNAME$.
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.notification.EmailNotifier
    id: EmailNotifier-xxxxxx
    displayName: 
    comment: 
    properties:
      emailContextDataField:
      emailService:
      mailBody:
      mailSubject:
      userPersister:
    

    Email OTP Authentication Step

    Description

    Configuration for an authentication flow step to check an OTP sent via email. This Email OTP Authentication Step supports template-based emails.

    Note: Emails are neither confidential nor authentic (i.e. the user cannot be sure that the email is really from Airlock IAM and Airlock IAM cannot be sure that the email is delivered to the correct user). Therefore, this step must not be used for high-security applications.

    Class
    com.airlock.iam.authentication.application.configuration.emailotp.EmailOtpAuthenticationStepConfig
    May be used by
    License-Tags
    EmailOTP
    Properties
    Email Service (emailService)
    Description
    Email service plugin. This defines what mail server is used for sending the email. It also defines the sender address and whether the email should be signed or not.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    EmailOTP
    Assignable plugins
    Email Message Provider (emailMessageProvider)
    Description
    Creates the Email message content.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    EmailOTP
    Assignable plugins
    Message Template Is HTML (messageTemplateIsHtml)
    Description
    Enable if the message template is HTML code.
    Attributes
    Boolean
    Optional
    License-Tags
    EmailOTP
    Default value
    true
    Ignore Case (ignoreCase)
    Description
    If enabled, the case of characters is ignored when checking OTPs.
    Attributes
    Boolean
    Optional
    License-Tags
    EmailOTP
    Default value
    false
    Masking Settings (maskingSettings)
    Description
    Settings for masking the email address in the REST API responses. Please refer to the REST API documentation for further details.

    If left empty, the email address will not be masked.

    Attributes
    Plugin-Link
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    OTP Generator (otpGenerator)
    Description
    The string generator plugin to generate the OTP.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    OTP Validity [s] (otpValiditySeconds)
    Description
    Determines how long the OTP is valid (in seconds).
    Attributes
    Integer
    Optional
    License-Tags
    EmailOTP
    Default value
    300
    Max Retries (maxRetries)
    Description

    The number of times the user may enter a wrong OTP before the flow is aborted. If set to zero (the default), only one attempt is possible.

    The purpose of this setting is usability. The failed attempts counter is always increased upon receiving a wrong OTP, and the user is locked when the global failed attempts limit is exceeded.

    Attributes
    Integer
    Optional
    License-Tags
    EmailOTP
    Default value
    0
    Max Resends (maxResends)
    Description
    The number of times the email can be resent.
    Attributes
    Integer
    Optional
    License-Tags
    EmailOTP
    Default value
    0
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    License-Tags
    EmailOTP
    Default value
    EMAIL
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    License-Tags
    EmailOTP
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.emailotp.EmailOtpAuthenticationStepConfig
    id: EmailOtpAuthenticationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: EMAIL
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      emailMessageProvider:
      emailService:
      ignoreCase: false
      interactiveGotoTargets:
      maskingSettings:
      maxResends: 0
      maxRetries: 0
      messageTemplateIsHtml: true
      onFailureGotos:
      otpGenerator:
      otpValiditySeconds: 300
      preCondition:
      recipientAddress:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Email Otp Authenticator

    Description

    The Email OTP Authenticator is an authenticator plug-in designed for an additional authentication step and also suitable for transaction verification.

    The user receives an email message containing a code and has to provide this code for successful authentication.

    The message template used to form the messages sent to the user is taken from the credential object passed in the first step. If no such template is available (or if the property "dont-use-credential-message" is TRUE) the message template is taken from the configuration of this plugin (see property "message-template").

    Note: The Email OTP Authenticator should only be used as an additional step in an authentication process and not stand-alone.

    Note: Emails are neither confidential nor authentic (i.e. the user cannot be sure that the email is really from Airlock IAM, and Airlock IAM cannot be sure that the email is delivered to the correct user). This must be taken into account in the security assessment. This authenticator must not be used for high-security applications.

    The plugin writes its canonical class name to the context data container under the key authPluginClassName. A short description of this authentication method is stored under the key authMethodShortDesc. Callers may use this information.

    Class
    com.airlock.iam.core.misc.impl.authen.EmailOtpAuthenticator
    May be used by
    License-Tags
    EmailOTP
    Properties
    Email Service (emailService)
    Description
    Email service plugin. This defines what mail server is used for sending the email. It also defines the sender address and whether the email should be signed or not.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    EmailOTP
    Assignable plugins
    Message Template (messageTemplate)
    Description
    Message template used to create the message text sent to the user.

    Note: The template is used if no message template is available in the credential passed in the first authentication step or if the property "dont-use-credential-message" is set to TRUE.

    The email message contains only the token if no template is specified at all.

    The string $TOKEN$ in the message template is mandatory and is replaced by the token.
    If the message text is HTML code, you must set the property "message-template-is-html" to true.

    Attributes
    String
    Optional
    Multi-line-text
    License-Tags
    EmailOTP
    Default value
    $TOKEN$
    Example
    Authentication Code

    In order to access our services, please provide the following security code: $TOKEN$

    Best Regards,
    Your Airlock IAM Server
    Subject (subject)
    Description
    The subject used in the email.
    Attributes
    String
    Mandatory
    License-Tags
    EmailOTP
    Example
    Security Code for Login
    Message Template Is HTML (messageTemplateIsHtml)
    Description
    Set to true if the message template is HTML code.
    Attributes
    Boolean
    Optional
    License-Tags
    EmailOTP
    Default value
    true
    Ignore Token Case (ignoreTokenCase)
    Description
    If set to true the case of characters is ignored when checking tokens.
    Attributes
    Boolean
    Optional
    License-Tags
    EmailOTP
    Default value
    false
    Max Token Retransmissions (maxTokenRetransmissions)
    Description
    Maximum number of times a token may be retransmitted during one authentication process. Authentication is aborted if this limit is exceeded. Token retransmissions are disabled if this value is 0. Restricting this value to a small number prevents the abusive use of email delivery.
    Attributes
    Integer
    Optional
    License-Tags
    EmailOTP
    Default value
    0
    Retransmit Same Token (retransmitSameToken)
    Description
    If token retransmissions are enabled, this sets whether the same token code is retransmitted or whether a new code is generated for each retransmission. Setting this property to true is less secure but helps avoid erroneous user input when the initial token code is received before its retransmission.
    Attributes
    Boolean
    Optional
    License-Tags
    EmailOTP
    Default value
    false
    Credential Persister (credentialPersister)
    Description
    Credential persister to load additional user data, in this case the email address of the specific user.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    EmailOTP
    Assignable plugins
    Token Validity Millis (tokenValidityMillis)
    Description
    The number of milliseconds a token is valid for. If the token is entered correctly but after its expiration, authentication fails (TOKEN_EXPIRED).

    The value 0 (zero) disables this feature, i.e. tokens never expire (this is the default).

    Attributes
    Long
    Optional
    License-Tags
    EmailOTP
    Default value
    0
    Max Token Retries (maxTokenRetries)
    Description
    The number of times the user may enter a wrong token before the authentication process is aborted (and the token gets useless). If set to zero (the default), only one attempt is possible for each token. This is more secure but may increase costs (if sending a token is costly) and decrease usability.
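
The following Python model, added here and not taken from Airlock IAM, ties together the token lifecycle properties above (Ignore Token Case, Max Token Retransmissions, Retransmit Same Token, Token Validity Millis, Max Token Retries) in one session object, so that the interplay of retries, resends and expiry can be traced on sample input. Assumptions of the model: the token alphabet and length, the result names other than TOKEN_EXPIRED, that a freshly generated retransmitted code replaces the previous one and restarts its validity, and that an expired or aborted process accepts no further input.

```python
import hmac
import secrets
import string
from typing import Callable, Optional

# Constructed model of the email OTP token lifecycle; illustration only, not
# Airlock IAM code. Result names other than TOKEN_EXPIRED are made up here.
TOKEN_ALPHABET = string.ascii_uppercase + string.digits  # assumed alphabet

RESULT_OK = "ok"
RESULT_WRONG_TOKEN = "wrong_token"      # a retry is still possible
RESULT_TOKEN_EXPIRED = "TOKEN_EXPIRED"  # error code named on the page
RESULT_ABORTED = "aborted"              # process finished, token useless


def generate_token(length: int = 6) -> str:
    """CSPRNG-based code, the role the configured Token Generator plays."""
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(length))


class EmailOtpSession:
    """One authentication process: its token, retransmissions and retries."""

    def __init__(self, now_millis: int, *, ignore_token_case: bool = False,
                 max_token_retransmissions: int = 0,
                 retransmit_same_token: bool = False,
                 token_validity_millis: int = 0, max_token_retries: int = 0,
                 token_generator: Callable[[], str] = generate_token,
                 token: Optional[str] = None) -> None:
        self.ignore_token_case = ignore_token_case
        self.max_token_retransmissions = max_token_retransmissions
        self.retransmit_same_token = retransmit_same_token
        self.token_validity_millis = token_validity_millis
        self.max_token_retries = max_token_retries
        self._generate = token_generator
        self.token = token if token is not None else token_generator()
        self.issued_at = now_millis
        self.retransmissions = 0
        self.wrong_entries = 0
        self.finished = False

    def retransmit(self, now_millis: int) -> Optional[str]:
        """Return the code to email again, or None when the process is aborted
        because the retransmission limit would be exceeded (0 disables resends)."""
        if self.finished:
            return None
        if self.retransmissions >= self.max_token_retransmissions:
            self.finished = True
            return None
        self.retransmissions += 1
        if not self.retransmit_same_token:
            # assumption: a fresh code replaces the old one and restarts validity
            self.token = self._generate()
            self.issued_at = now_millis
        return self.token

    def _expired(self, now_millis: int) -> bool:
        if self.token_validity_millis == 0:  # 0 means tokens never expire
            return False
        return now_millis - self.issued_at > self.token_validity_millis

    def verify(self, presented: str, now_millis: int) -> str:
        """Check one user entry; wrong entries beyond Max Token Retries abort."""
        if self.finished:
            return RESULT_ABORTED
        expected, given = self.token, presented
        if self.ignore_token_case:
            expected, given = expected.casefold(), given.casefold()
        # constant-time comparison so the check does not leak the code via timing
        if hmac.compare_digest(expected.encode(), given.encode()):
            self.finished = True
            return RESULT_TOKEN_EXPIRED if self._expired(now_millis) else RESULT_OK
        self.wrong_entries += 1
        if self.wrong_entries > self.max_token_retries:
            self.finished = True
            return RESULT_ABORTED
        return RESULT_WRONG_TOKEN


if __name__ == "__main__":
    session = EmailOtpSession(0, token_validity_millis=300_000, max_token_retries=2)
    print("emailed code:", session.token)
    print(session.verify("WRONG1", 1_000), session.verify(session.token, 2_000))
```

With the defaults (retries 0, retransmissions 0, validity 0) a single wrong entry ends the process and a resend is refused, which matches the "more secure but may decrease usability" trade-off described for Max Token Retries.
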
    Attributes
    Integer
    Optional
    License-Tags
    EmailOTP
    Default value
    0
    Token Generator (tokenGenerator)
    Description
    The string generator plugin which will generate the one time password token.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.EmailOtpAuthenticator
    id: EmailOtpAuthenticator-xxxxxx
    displayName: 
    comment: 
    properties:
      credentialPersister:
      emailService:
      ignoreTokenCase: false
      maxTokenRetransmissions: 0
      maxTokenRetries: 0
      messageTemplate: $TOKEN$
      messageTemplateIsHtml: true
      retransmitSameToken: false
      subject:
      tokenGenerator:
      tokenValidityMillis: 0
    

    Email OTP Transaction Approval Step

    Description
    Configuration for an Email OTP transaction approval flow step.
    Class
    com.airlock.iam.transactionapproval.application.configuration.email.EmailOtpTransactionApprovalStepConfig
    May be used by
    License-Tags
    TransactionApproval
    Properties
    Email Service (emailService)
    Description
    Email service plugin. This defines what mail server is used for sending the email. It also defines the sender address and whether the email should be signed or not.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Email Message Provider (emailMessageProvider)
    Description
    Creates the Email message content.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Message Template Is HTML (messageTemplateIsHtml)
    Description
    Enable if the message template is HTML code.
    Attributes
    Boolean
    Optional
    Default value
    true
    Ignore Case (ignoreCase)
    Description
    If enabled, the case of characters is ignored when checking OTPs.
    Attributes
    Boolean
    Optional
    Default value
    false
    Masking Settings (maskingSettings)
    Description
    Settings for masking the email address in the REST API responses. Please refer to the REST API documentation for further details.

    If left empty, the email address will not be masked.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    OTP Generator (otpGenerator)
    Description
    The string generator plugin to generate the OTP.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    OTP Validity [s] (otpValiditySeconds)
    Description
    Determines how long the OTP is valid (in seconds).
    Attributes
    Integer
    Optional
    Default value
    300
    Max Retries (maxRetries)
    Description

    The number of times the user may enter a wrong OTP before the flow is aborted. If set to zero (the default), only one attempt is possible.

    The purpose of this setting is usability. The failed attempts counter is always increased upon receiving a wrong OTP, and the user is locked when the global failed attempts limit is exceeded.

    Attributes
    Integer
    Optional
    Default value
    0
    Max Resends (maxResends)
    Description
    The number of times the email can be resent.
    Attributes
    Integer
    Optional
    Default value
    0
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.
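
To make the counter reasoning in the Authentication Method ID descriptions concrete (this one and the identical one in the Email OTP Authentication Step above), here is an added Python model that is not Airlock IAM code: failed attempts are tracked per (user, authentication method ID) and reset by a successful check on that same method. The check function counts how many wrong entries the second flow's credential tolerates before the lock triggers when a correct first-flow login is performed in between; with a shared identifier the counter keeps being reset and the lock never triggers, with distinct identifiers it triggers after the limit. The lock threshold, user name and passwords are constructed values.

```python
import hmac
from collections import defaultdict
from typing import Dict, Tuple

# Constructed model of per-method failed-attempt counting; illustration only,
# not Airlock IAM code. The lock threshold is an assumed value.
FAILED_ATTEMPTS_LIMIT = 3


class AccountLockedError(Exception):
    """The counter for (user, authenticationMethodId) reached the limit."""


class FailedAttemptCounters:
    """Failed attempts are keyed by user and by authentication method ID."""

    def __init__(self, limit: int = FAILED_ATTEMPTS_LIMIT) -> None:
        self.limit = limit
        self._counters: Dict[Tuple[str, str], int] = defaultdict(int)

    def attempts(self, username: str, method_id: str) -> int:
        return self._counters[(username, method_id)]

    def verify(self, username: str, method_id: str,
               presented: str, expected: str) -> bool:
        """Check a credential; a success resets only this method's counter."""
        key = (username, method_id)
        if self._counters[key] >= self.limit:
            raise AccountLockedError(f"{username} is locked for method {method_id}")
        # constant-time comparison so the check does not leak the secret via timing
        if hmac.compare_digest(presented.encode(), expected.encode()):
            self._counters[key] = 0
            return True
        self._counters[key] += 1
        return False


# Constructed user record: two different passwords checked in two flows.
USER = "alice"
PASSWORD_1 = "first-flow-password"    # checked in flow A
PASSWORD_2 = "second-flow-password"   # checked in flow B


def wrong_guesses_until_lock(method_id_flow_a: str, method_id_flow_b: str,
                             max_guesses: int = 50) -> int:
    """Count the wrong entries flow B accepts before the lock triggers when a
    correct flow-A login happens between entries. Returns max_guesses when the
    lock never triggers, i.e. the counter is reset each round."""
    counters = FailedAttemptCounters()
    for guess_no in range(1, max_guesses + 1):
        if not counters.verify(USER, method_id_flow_a, PASSWORD_1, PASSWORD_1):
            raise RuntimeError("flow A login is always correct in this model")
        try:
            counters.verify(USER, method_id_flow_b, f"wrong-{guess_no}", PASSWORD_2)
        except AccountLockedError:
            return guess_no - 1
    return max_guesses


def counters_are_isolated(method_id_flow_a: str, method_id_flow_b: str) -> bool:
    """Configuration check: the lock must trigger after FAILED_ATTEMPTS_LIMIT
    wrong entries on flow B regardless of what happens on flow A."""
    return wrong_guesses_until_lock(method_id_flow_a, method_id_flow_b) == FAILED_ATTEMPTS_LIMIT


if __name__ == "__main__":
    print("shared id PASSWORD   :", wrong_guesses_until_lock("PASSWORD", "PASSWORD"))
    print("PASSWORD1 / PASSWORD2:", wrong_guesses_until_lock("PASSWORD1", "PASSWORD2"))
```

`counters_are_isolated` is the property to keep in mind when reviewing a configuration with several instances of the same step type: every instance that checks a different credential needs its own identifier.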

    Attributes
    String
    Optional
    Length <= 23
    Default value
    EMAIL
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.transactionapproval.application.configuration.email.EmailOtpTransactionApprovalStepConfig
    id: EmailOtpTransactionApprovalStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: EMAIL
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      emailMessageProvider:
      emailService:
      ignoreCase: false
      interactiveGotoTargets:
      maskingSettings:
      maxResends: 0
      maxRetries: 0
      messageTemplateIsHtml: true
      onFailureGotos:
      otpGenerator:
      otpValiditySeconds: 300
      preCondition:
      recipientAddress:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Email OTP was used for login (Transaction Approval only)

    Description
    Condition that is fulfilled if Email OTP was used for login (as determined by the authTokenId provided in a previous Transaction Approval Parameter Step).
    Class
    com.airlock.iam.transactionapproval.application.configuration.selection.EmailOtpAuthTokenIdSelectionConditionConfig
    May be used by
    mTAN Transaction Approval Step
    Default Enable Cronto Push Flow
    Secret Questions Identity Verification Step
    Default mTAN Deletion Flow
    Legacy mTAN Registration Flow
    Set Authentication Method Migration Step
    Advanced Migration Selection Option
    Airlock 2FA Authentication Step
    Complete Migration Step
    Failure Step
    Airlock 2FA Recovery Trusted Session Binding Step
    Email Identity Verification Step
    Scriptable Step
    Custom Protected Self-Service Flow
    Airlock 2FA Self-Service Approval Step
    Logical NOT
    Set Authentication Method Step
    OTP Check via RADIUS Step
    OAuth 2.0 SSO Step
    Cronto Device Selection Step
    Default Disable FIDO Credential Flow
    FIDO Public Self-Service Approval Step
    Cronto Transaction Approval Step
    Email OTP Transaction Approval Step
    Send Email Link Step
    Vasco OTP Public Self-Service Approval Step
    Airlock 2FA Public Self-Service Approval Step
    mTAN Authentication Step
    Risk Assessment Step
    Cronto Authentication Step
    User Data Edit Step
    Logical OR
    Account Link Linking Initiation Step
    Account Link Removal Initiation Step
    Missing Account Link Step
    CrontoSign Swiss Push Activation Step
    Flow Continuation Token Consumption Step
    Email Verification Step
    SSI Passwordless Authentication Step
    Logical AND
    Red Flag Raising Step Config
    Airlock 2FA Transaction Approval Step
    FIDO Credential Selection Step
    On Behalf Login Identity Propagation Config
    mTAN Number List
    Default OAuth 2.0 Consents Delete Flow
    Selection Step for Public Self-Service
    OATH OTP Activation Step
    Default mTAN Token Registration Flow
    SSO Ticket Authentication Step
    Enable Cronto Push Initiation Step
    Default Account Link Removal Flow
    Default Account Link Linking Flow
    Condition-based Role Provider
    Migration Selection Step
    SSI Issuance Step
    Legacy ID Propagation Adapter
    OIDC Flow Condition To ACR Value Mapping
    Phone Number Verification Step
    mTAN Public Self-Service Approval Step
    User Data Registration Step Config
    Cronto Approval Stealth Step
    Disable FIDO Credential Initiation Step
    OAuth 2.0 Client Persisting Step
    Selection Option For User Self-Registration
    Delete FIDO Credential Initiation Step
    Login From New Device Step
    Account Linking Lists Self Services
    OAuth 2.0 Consent Step
    Password-only Authentication Step
    SMS Identity Verification Step
    Cronto Public Self-Service Approval Step
    Set Context Data Step
    Matrix Public Self-Service Approval Step
    Remember-Me Token Generating Step
    Device Token List
    Selection Option For Self-Service
    Flow Condition-based OAuth 2.0 Scope Condition
    Delete Cronto Device Initiation Step
    Kerberos Authentication Step
    Vasco OTP Authentication Step
    Device Token Registration Step
    Flow Continuation Step
    Remember-Me User Identifying Step
    Airlock 2FA Device List
    Password Reset Step
    Enable FIDO Credential Initiation Step
    Device Token Authentication Step
    Matrix Self-Service Approval Step
    User Identification By Data Step (Public Self-Service)
    Cronto Activation Step
    Email OTP Authentication Step
    Email Change Verification Step
    Email Notification Step
    FIDO Self-Service Approval Step
    OAuth 2.0 Client Registration Step
    Airlock 2FA Activation Step
    Airlock 2FA Device Edit Initiation Step
    Select mTAN Token Step
    Secret Questions Provisioning Step
    Airlock 2FA Device Edit Step
    Apply Changes Step
    User Persisting Step Config
    Start User Representation Step
    Default OAuth 2.0 Session Deletion Flow
    Default Cronto Device Removal Flow
    Mandatory Password Change Step Config
    Target URI ID Propagator
    Disable Cronto Device Initiation Step
    OAuth 2.0 Consent Grant Initiation Step
    Airlock 2FA Activation Trusted Session Binding Step
    User Unlock Step (Self-Registration)
    Default mTAN Token Edit Flow
    Cronto Device List
    FIDO Registration Step
    Delete Remember-Me Device Initiation Step
    Transaction Approval Parameter Step
    Default FIDO Credential Display Name Change Flow
    User Identification Step
    User Identification By Data Step
    Representation SSO Ticket Identifying Step
    Unlock User Step (Public Self-Service)
    Airlock 2FA Usernameless Authentication Step
    Matrix Authentication Step
    mTAN Token Edit Step
    Enable Cronto Device Initiation Step
    Airlock 2FA Activation Letter Order Step
    OAuth 2.0 Consent Deny Initiation Step
    Tag Removal Step Config
    FIDO Authentication Step
    Cronto Device Reset Step Config
    Default Disable Cronto Push Flow
    Abort Step
    mTAN Token Registration Step
    Airlock 2FA Device Delete Initiation Step
    Selection Option For Public Self-Service
    Username Password Authentication Step
    Certificate Credential Extraction Step Config
    OAuth 2.0 Session List
    Set Password Step Config
    Flow Condition To Authentication Context Mapping
    Password Change Self-Service Step
    SSI Verification Step
    Default OAuth 2.0 Consent Deny Flow
    Device Token Identity Verification Step Config
    Cronto Self-Service Approval Step
    FIDO Credential List
    Lock Self-Service Step
    Password Letter Order Step (Public Self-Service)
    Default Enable Cronto Device Flow
    Airlock 2FA Delete Devices Step
    Vasco OTP Self-Service Approval Step
    Selection Step for User Self-Registration
    Vasco OTP Device Activation
    User Role Assignment Step Config
    Default Enable FIDO Credential Flow
    mTAN Self-Service Approval Step
    Selection Option
    Rename Cronto Device Step
    OATH OTP Authentication Step
    User Identification Step (Public Self-Service)
    Default Cronto Device Renaming Flow
    Delete mTAN Number Initiation Step
    SSI Authentication Step
    Default Disable Cronto Device Flow
    Password Repository Mapping
    Default Remember-Me Device Deletion Flow
    mTAN Verification Step
    Conditional Value Map Provider
    FIDO Credential Display Name Change Step
    Application Portal Target Config
    Legacy Email OTP Authentication Step
    Never Migrate Step
    Selection Step for Self-Service
    Cronto Letter Order Step Config
    No Operation Step
    Terms Of Services Step
    Role-based Tag Acquisition Step
    FIDO Passwordless Authentication Step
    Disable Cronto Push Initiation Step
    Stop User Representation Step
    Acknowledge Message Step
    HTTP Basic Authentication Step
    Target Applications and Authentication
    Airlock 2FA Mobile Only Authentication Step
    Generic ID Propagator
    Voluntary Password Change Step
    Remember-Me Device List
    SAML 2.0 SP User Identifying Step
    OAuth 2.0 Consents Delete Initiation Step
    Airlock 2FA Activation Step (with additional Activation)
    OAuth 2.0 Consent List
    Default OAuth 2.0 Consent Grant Flow
    Username Generation Step Config
    Remember-Me Reset Step
    Default FIDO Credential Removal Flow
    Delete OAuth 2.0 Session Initiation Step
    OAuth 2.0 Session Reset Step
    Selection Step
    License-Tags
    TransactionApproval
    Properties
    Selectable If Login Method Unknown (selectableIfNoAuthTokenIdPresent)
    Description
    If this flag is set, the condition is always true (i.e. the option is selectable) if the login method is unknown.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.transactionapproval.application.configuration.selection.EmailOtpAuthTokenIdSelectionConditionConfig
    id: EmailOtpAuthTokenIdSelectionConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      selectableIfNoAuthTokenIdPresent: true
    

    Email SMS Gateway

    Description
    SMS gateway plugin that sends an email instead of an SMS message.

    This plugin sends an email with a configurable subject and the SMS message text as the body, using the configured EmailService plugin.
    The recipient address is derived from the target phone number (see the Recipient Template property).

    Note that this plugin is not only a way to use email as the channel instead of SMS; it also serves as the integration plugin for SMS gateways that actually work this way (i.e. that expect an email).

    This plugin supports neither multi-part SMS messages nor flash messages.

    Class
    com.airlock.iam.core.misc.impl.sms.EmailSmsGateway
    May be used by
    Properties
    Email Service (emailService)
    Description
    The email service plugin used to send the email.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Mail Subject (mailSubject)
    Description
    The string used as subject.
    Attributes
    String
    Optional
    Example
    Authentication Code
    Example
    -OMedusa
    Recipient Template (recipientTemplate)
    Description
    A template string used to build the email recipient address given the normalized mobile phone number used.
    The recipient address may contain the string "${phonenumber}", which will be replaced by the phone number passed to this plugin.
    Attributes
    String
    Mandatory
    Example
    ${phonenumber}@smsgate.myfirm.com
    Example
    admin@myfirm.com
    International Prefix (internationalPrefix)
    Description
    Defines what prefix to use for international phone numbers. Possible values: "+", "00"
    Attributes
    String
    Optional
    Default value
    +
    Example
    +
    Example
    00
    Visible Phone Number Digits In Log (visiblePhoneNumberDigitsInLog)
    Description

    Defines the number of phone number digits visible in log statements.

    Thus, if the value is zero, all digits are masked; if it is large enough, all digits are visible. If set to 3, for example, the logged number looks like ********965.

    The default is 100, i.e. showing all digits.

    Attributes
    Integer
    Optional
    Default value
    100
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sms.EmailSmsGateway
    id: EmailSmsGateway-xxxxxx
    displayName: 
    comment: 
    properties:
      emailService:
      internationalPrefix: +
      mailSubject:
      recipientTemplate:
      visiblePhoneNumberDigitsInLog: 100
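
    The recipient construction, international-prefix handling and log masking described for this gateway, as an added JavaScript illustration; this is not the plugin's own code. The page only says the template receives the "normalized" phone number, so the normalization shown here (separators stripped, a leading "+" or "00" rewritten to the configured prefix) is an assumption, and the composeGatewayEmail helper and its configuration object are hypothetical.

```javascript
// Added illustration of the Email SMS Gateway's documented behaviour; not Airlock IAM code.
// Assumption: "normalized" means separators removed and the international prefix rewritten
// to the configured form ("+" or "00"); the page only states that the template receives
// the normalized number.
function normalizePhoneNumber(raw, internationalPrefix = "+") {
  if (internationalPrefix !== "+" && internationalPrefix !== "00") {
    throw new RangeError('internationalPrefix must be "+" or "00"');
  }
  const compact = String(raw).replace(/[\s().-]/g, "");
  const m = /^(\+|00)?([0-9]+)$/.exec(compact);
  if (!m) {
    throw new Error("not a phone number: " + JSON.stringify(raw));
  }
  // A national number (no prefix) is passed through; only international ones are rewritten.
  return m[1] ? internationalPrefix + m[2] : compact;
}

// Builds the recipient address from the mandatory recipientTemplate property.
// Every occurrence of ${phonenumber} is replaced; a template without the
// placeholder (e.g. "admin@myfirm.com") sends everything to one mailbox.
function buildRecipient(recipientTemplate, phoneNumber) {
  if (!recipientTemplate) {
    throw new Error("recipientTemplate is mandatory");
  }
  return recipientTemplate.split("${phonenumber}").join(phoneNumber);
}

// Masks a phone number for log output: only the last `visibleDigits` digits
// stay readable, everything before them becomes "*". 0 masks all digits; a
// value >= the number of digits (the default 100) shows the number unchanged.
function maskPhoneNumber(phoneNumber, visibleDigits = 100) {
  if (!Number.isInteger(visibleDigits) || visibleDigits < 0) {
    throw new RangeError("visibleDigits must be a non-negative integer");
  }
  let remaining = visibleDigits;
  const out = [];
  for (let i = phoneNumber.length - 1; i >= 0; i--) {
    const ch = phoneNumber[i];
    if (remaining > 0) {
      out.push(ch);
      if (/[0-9]/.test(ch)) remaining--;
    } else {
      out.push("*");
    }
  }
  return out.reverse().join("");
}

// Hypothetical helper tying the properties together: returns the mail that
// would be handed to the EmailService plus the (masked) line for the log.
function composeGatewayEmail(config, rawPhoneNumber, smsText) {
  const phone = normalizePhoneNumber(rawPhoneNumber, config.internationalPrefix);
  return {
    to: buildRecipient(config.recipientTemplate, phone),
    subject: config.mailSubject || "",
    body: smsText,
    logLine: "SMS-over-email sent to " + maskPhoneNumber(phone, config.visiblePhoneNumberDigitsInLog),
  };
}

// Constructed configuration, mirroring the YAML template above.
const EXAMPLE_GATEWAY_CONFIG = {
  internationalPrefix: "00",
  mailSubject: "Authentication Code",
  recipientTemplate: "${phonenumber}@smsgate.myfirm.com",
  visiblePhoneNumberDigitsInLog: 3,
};

const example = composeGatewayEmail(EXAMPLE_GATEWAY_CONFIG, "+41 79 123 49 65", "Your code is 482913");
// example.to      -> "0041791234965@smsgate.myfirm.com"
// example.logLine -> "SMS-over-email sent to **********965"
```

    The masking is applied to the normalized number, which is all a log line needs; keeping the default of 100 writes the full number into every log statement, so deployments that treat phone numbers as personal data should lower it.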
    

    Email User Profile Item Config

    Description
    String profile item to display/edit email addresses. In addition to a default validation pattern, changes to fields that are defined as email items also trigger events for "Email Address Changed", "Email Address Added" and "Email Address Deleted".
    Class
    com.airlock.iam.common.application.configuration.userprofile.EmailUserProfileItemConfig
    May be used by
    Properties
    Validation Pattern (validationPattern)
    Description

    Pattern for validating the email address.

    The provided regex is used in Java for server-side validation and potentially in JavaScript for client-side validation. The capabilities of these regex interpreters differ, so use only patterns that behave identically in both.

    Attributes
    RegEx
    Optional
    Default value
    [a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@(?:[a-zA-Z0-9-]+\.){1,20}[a-zA-Z-]{2,63}
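
    How the default pattern behaves in the client-side interpreter, as an added JavaScript example; this is not Airlock IAM code. It assumes the value has to match as a whole (the pattern is anchored before use), and it goes beyond the page's warning by adding a small heuristic lint for java.util.regex syntax that JavaScript rejects or reads differently; the function names are hypothetical.

```javascript
// Added illustration for the validationPattern property; not Airlock IAM code.
// The default pattern exactly as it appears in the configuration (a plain
// string, so the backslash is doubled as in any string literal).
const DEFAULT_EMAIL_PATTERN =
  "[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@(?:[a-zA-Z0-9-]+\\.){1,20}[a-zA-Z-]{2,63}";

// Compiles a configured pattern as a client-side (JavaScript) validator would.
// Assumption: the value must match as a whole, so the pattern is anchored here.
// An unanchored test() would accept "alice@example.com<script>" because the
// valid prefix matches; the non-capturing group keeps a top-level "|" inside
// the anchors.
function compileClientValidator(pattern) {
  return new RegExp("^(?:" + pattern + ")$");
}

function isValidEmail(value, pattern = DEFAULT_EMAIL_PATTERN) {
  return compileClientValidator(pattern).test(value);
}

// True when the JavaScript engine can compile the pattern at all. Java-only
// syntax such as a possessive quantifier ("[a-z]++") is a SyntaxError in JS.
function compilesClientSide(pattern) {
  try {
    compileClientValidator(pattern);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Heuristic lint for constructs that java.util.regex accepts but JavaScript
// either rejects or interprets differently. Not exhaustive.
function javaOnlyConstructs(pattern) {
  const found = [];
  if (/\\[AZz]/.test(pattern)) found.push("\\A, \\Z or \\z anchor");
  if (/\\[pP]\{java[A-Za-z]+\}/.test(pattern)) found.push("Java-specific \\p{java...} class");
  // Neutralize escapes and character classes first, so that "*+" inside a
  // class (the default pattern's local-part set contains it) or an escaped
  // "\+" followed by "+" is not mistaken for a possessive quantifier.
  const skeleton = pattern
    .replace(/\\./g, "\\x")
    .replace(/\[(?:\\.|[^\]\\])*\]/g, "[]");
  if (/(?:[*+?]|\})\+/.test(skeleton)) found.push("possessive quantifier");
  if (/\(\?>/.test(skeleton)) found.push("atomic group");
  if (/\(\?[idmsuxU-]+[:)]/.test(skeleton)) found.push("inline flag");
  return found;
}

const DEFAULT_PATTERN_FINDINGS = javaOnlyConstructs(DEFAULT_EMAIL_PATTERN);
// DEFAULT_PATTERN_FINDINGS -> [] (the default uses only portable syntax)
```

    A pattern that passes the lint and compiles on the client can still differ in detail (for example in how "$" treats a trailing line terminator), so the server-side check remains the one that counts; the client-side pattern is a usability aid, not the security boundary.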
    Check Uniqueness (checkUniqueness)
    Description

    If defined, the user persister is used to check whether the value is unique by querying the corresponding user iterator plugin.

    This user iterator must provide the context data value specified by this profile item.
    Usually, the same plugin is used that was used to load the user data to the form this profile item is part of.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Check Uniqueness Against Username (checkUniquenessAgainstUsername)
    Description

    If set to true, uniqueness is also checked against the username: the value entered by the user may exist neither as a value of the configured property nor as a username. This is mainly used in conjunction with a username transformer, where login is possible with an alias property in addition to the username.

    This flag is only checked if checkUniqueness is configured.

    Attributes
    Boolean
    Optional
    Default value
    false
    Prefill (prefill)
    Description
    If configured, the profile item is prefilled with the provided value. This can be used to suggest possible values to administrators or to prefill a common value when creating a user via the Adminapp UI. This property only has an effect when creating a user. Furthermore, it is only allowed for mandatory items because only mandatory items are displayed in the user create dialog.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    String Resource Key (stringResourceKey)
    Description
    String identifier for the language-specific string tables.
    Attributes
    String
    Mandatory
    Example
    userdata.label.salutation
    Example
    userdata.label.firstname
    Example
    userdata.label.lastname
    Example
    userdata.label.email
    Example
    userdata.label.nationality
    Example
    userdata.label.birthdate
    Example
    userdata.label.street
    Example
    userdata.label.street-number
    Example
    userdata.label.address2
    Example
    userdata.label.zipcode
    Example
    userdata.label.town
    Example
    userdata.label.state
    Example
    userdata.label.country
    Example
    userdata.label.company
    Example
    userdata.label.department
    Example
    userdata.label.office-phone
    Example
    userdata.label.mobile-phone
    Example
    userdata.label.language
    Example
    userdata.label.correspondence-language
    Example
    userdata.label.realm
    Property Name (propertyName)
    Description
    Name of the context-data field in which the value is stored.
    Attributes
    String
    Mandatory
    Example
    surname
    Example
    givenname
    Example
    email
    Example
    mtan_number
    Optional (optional)
    Description
    If this field is optional or mandatory for the user.
    Attributes
    Boolean
    Optional
    Default value
    true
    Modifiable (modifiable)
    Description
    Indicates if the user is allowed to change this property once it is set. Specifically, if this flag is set to false, then during self-registration the property could be set, but when editing the user data, this property would be read-only.
    Attributes
    Boolean
    Optional
    Default value
    true
    Validate Only Changed Values (validateOnlyChangedValues)
    Description
    If enabled, only values that have been changed by the user (compared to the data loaded from the data layer) are validated.
    Attributes
    Boolean
    Optional
    Default value
    true
    Sortable (sortable)
    Description
    If enabled, the attribute is sortable in the user list if the underlying user iterator supports sorting.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.userprofile.EmailUserProfileItemConfig
    id: EmailUserProfileItemConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      checkUniqueness:
      checkUniquenessAgainstUsername: false
      modifiable: true
      optional: true
      prefill:
      propertyName:
      sortable: true
      stringResourceKey:
      validateOnlyChangedValues: true
      validationPattern: [a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@(?:[a-zA-Z0-9-]+\.){1,20}[a-zA-Z-]{2,63}
    

    Email Verification Step

    Description

    User self-registration flow step that verifies the email address of a user by sending an email with an OTP that has to be entered correctly for the flow to continue.

    Note that channel verification is the only way to ensure the uniqueness of email addresses while at the same time not revealing already registered email addresses (if Stealth Mode is enabled).

    Class
    com.airlock.iam.userselfreg.application.configuration.step.EmailRegistrationVerificationStepConfig
    May be used by
    License-Tags
    SelfRegistration
    Properties
    Email Item (emailItemDefinition)
    Description
    Verification target. This item must contain the email address of the user.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    CAPTCHA (captchaProvider)
    Description
    If a CAPTCHA is configured, a CAPTCHA challenge will be added to:
    • the response of the flow selecting request (when this step is the first interactive step in a flow).
    • the step response immediately preceding the protected step (when this step is not the first interactive step in a flow).
    To complete this step and proceed with the flow, the CAPTCHA must be solved successfully.
    Caution: The CAPTCHA only protects the verification of the OTP. The OTP is sent to the user before the CAPTCHA is solved, so the CAPTCHA does not limit how many verification emails can be triggered.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Email Service (emailService)
    Description
    Email service for sending emails.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    OTP Generator (otpGenerator)
    Description
    Secret string generator to create the OTP. Make sure that the code is long enough to withstand brute-force attacks: an attacker can restart the flow to obtain a fresh OTP, so the per-flow attempt limit alone does not bound the total number of guesses.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Email Message Provider (emailMessageProvider)
    Description
    Creates the Email message content.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Max Failed Attempts (maxFailedAttempts)
    Description
    Number of allowed failed attempts before the flow is aborted.
    Attributes
    Integer
    Optional
    Default value
    1
    OTP Validity [s] (otpValidity)
    Description
    Determines how long the OTP is valid (in seconds).
    Attributes
    Integer
    Optional
    Default value
    300
    Otp Case Sensitive (otpCaseSensitive)
    Description
    If enabled, the case of characters is considered when matching the entered OTP against the generated one.
    Attributes
    Boolean
    Optional
    Default value
    true
    Send As HTML (sendAsHtml)
    Description

    If enabled, the verification email will be sent as an HTML mail. Otherwise it will be sent as plain text.

    Security Warning: If e-mails are sent as HTML, make sure to properly escape values originating from untrusted sources (such as user input during self-registration). This can be achieved by enabling the property 'Escape Values in HTML'.

    If a more fine-grained control is required, use a 'Transforming Value Map Provider' with an 'HTML String Escaper' to transform all values of the map. (Alternatively, if you want to transform only individual values of a map, use a 'Value Provider Map' with 'Transforming String Value Providers'.)

    Attributes
    Boolean
    Optional
    Default value
    false
    Masking Settings (maskingSettings)
    Description
    Settings for masking the email address in the REST API responses. Please refer to the REST API documentation for further details.

    If left empty, the email address will not be masked.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.step.EmailRegistrationVerificationStepConfig
    id: EmailRegistrationVerificationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      captchaProvider:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      emailItemDefinition:
      emailMessageProvider:
      emailService:
      interactiveGotoTargets:
      maskingSettings:
      maxFailedAttempts: 1
      onFailureGotos:
      otpCaseSensitive: true
      otpGenerator:
      otpValidity: 300
      preCondition:
      requiresActivation: false
      sendAsHtml: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Enable Cronto Device Initiation Step

    Description
    Step to initiate the enabling of a Cronto device. The actual enabling will be done in the "Apply Changes Step" which requires an "Apply Cronto Device Enabling" to enable the device.
    Class
    com.airlock.iam.selfservice.application.configuration.step.CrontoDeviceEnablingInitiationStepConfig
    May be used by
    License-Tags
    Cronto
    Properties
    Cronto Handler (crontoHandler)
    Description
    Plugin to handle all Cronto-specific actions.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.CrontoDeviceEnablingInitiationStepConfig
    id: CrontoDeviceEnablingInitiationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      crontoHandler:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Enable Cronto Push Initiation Step

    Description
    Step to initiate the enabling of a Cronto push notification to a device. The actual enabling will be done in the "Apply Changes Step", which requires an "Apply Cronto Push Enabling" to apply and persist the change.
    Class
    com.airlock.iam.selfservice.application.configuration.step.CrontoPushEnablingInitiationStepConfig
    May be used by
    License-Tags
    Cronto
    Properties
    Cronto Handler (crontoHandler)
    Description
    Plugin to handle all Cronto-specific actions.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.CrontoPushEnablingInitiationStepConfig
    id: CrontoPushEnablingInitiationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      crontoHandler:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Enable FIDO Credential Initiation Step

    Description
    Step to initiate the enabling of a FIDO credential. The actual enabling will be done in the "Apply Changes Step" which requires an "Apply FIDO Credential Enabling" to enable the credential.
    Class
    com.airlock.iam.selfservice.application.configuration.step.FidoCredentialEnablingInitiationStepConfig
    May be used by
    License-Tags
    FIDO
    Properties
    FIDO Settings (fidoSettings)
    Description
    Settings for FIDO.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.FidoCredentialEnablingInitiationStepConfig
    id: FidoCredentialEnablingInitiationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      fidoSettings:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Enabling All Access Controller

    Description
    An access controller plugin that always grants access.
    Class
    com.airlock.iam.core.misc.impl.authorization.EnablingAllAccessController
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authorization.EnablingAllAccessController
    id: EnablingAllAccessController-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Encoded User Data Header

    Description
    Configuration for encoded user data header propagation. A typical example is a JWT Bearer token in the Authorization header.
    Class
    com.airlock.iam.core.misc.impl.sso.EncodedUserDataHeader
    May be used by
    Properties
    Name (name)
    Description
    The name of the encoded user data header to be propagated to the back-end application.
    Attributes
    String
    Optional
    Default value
    Authorization
    Example
    mandate
    Example
    stage
    Ticket Service (ticketService)
    Description
    The ticket service providing the authentication ticket with the configuration of the ticket elements.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Ticket Encoder (ticketEncoder)
    Description
    The ticket encoder plugin used to encode the authentication ticket in a string.

    Note that some ticket encoders do not support ticket expiration, i.e. they do not encode the ticket validity into the ticket.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    URL Encoding Scheme (urlEncodingScheme)
    Description
    String values should be URL encoded in order to be suitable as header values. This optional property defines the URL encoding scheme to be used.
    Make sure that the component receiving the ticket uses the same URL encoding scheme.
    Attributes
    String
    Optional
    Default value
    UTF-8
    Allowed values
    UTF-8, ISO-8859-1, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, ISO-8859-15
    Add Prefix To Value (addPrefixToValue)
    Description
    Whether to prepend the configured prefix to the header value. The prefix is separated from the value with a space.
    Attributes
    Boolean
    Optional
    Default value
    true
    Value Prefix (valuePrefix)
    Description
    A prefix to prepend to the encoded header value. The prefix is separated from the value with a space.
    Attributes
    String
    Optional
    Default value
    Bearer
    Suggested values
    Bearer
    Mapping Names (mappingNames)
    Description
    For each header, this property optionally defines the name of the Airlock Gateway (WAF) mappings to use it on.
    If no mapping name is specified, the HTTP header is used on all Airlock Gateway mappings.

    Note: Headers must never be defined globally and on a specific mapping at the same time.

    Attributes
    String-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.EncodedUserDataHeader
    id: EncodedUserDataHeader-xxxxxx
    displayName: 
    comment: 
    properties:
      addPrefixToValue: true
      mappingNames:
      name: Authorization
      ticketEncoder:
      ticketService:
      urlEncodingScheme: UTF-8
      valuePrefix: Bearer
    

    Encoded User Data Response Header

    Description
    HTTP header holding encoded information about values from the authentee to be set on the response of the identity propagation. A typical use case for this header is JWT bearer token authorization.
    Class
    com.airlock.iam.core.application.configuration.header.EncodedUserDataResponseHeader
    May be used by
    Properties
    Name (name)
    Description
    The name of the header to be propagated to the HTTP client.
    Attributes
    String
    Optional
    Default value
    Authorization
    Example
    Authorization
    Example
    X-Access-Token
    Ticket Service (ticketService)
    Description
    The ticket service providing the authentication ticket with the configuration of the ticket elements.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Ticket Encoder (ticketEncoder)
    Description
    The ticket encoder plugin used to encode the authentication ticket in a string.

    Note that some ticket encoders do not support ticket expiration, i.e. they do not encode the ticket validity into the ticket.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    URL Encoding Scheme (urlEncodingScheme)
    Description
    String values should be URL encoded in order to be suitable as header values. This optional property defines the URL encoding scheme to be used.
    Make sure that the component receiving the ticket uses the same URL encoding scheme.
    Attributes
    String
    Optional
    Default value
    UTF-8
    Allowed values
    UTF-8, ISO-8859-1, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, ISO-8859-15
    Value Prefix (valuePrefix)
    Description
    If configured, the prefix is prepended to the encoded header value separated by a space.
    Attributes
    String
    Optional
    Suggested values
    Bearer
    YAML Template (with default values)
    
    type: com.airlock.iam.core.application.configuration.header.EncodedUserDataResponseHeader
    id: EncodedUserDataResponseHeader-xxxxxx
    displayName: 
    comment: 
    properties:
      name: Authorization
      ticketEncoder:
      ticketService:
      urlEncodingScheme: UTF-8
      valuePrefix:
    

    Encrypted Password Hash

    Description

    Stores the password hash in encrypted form. It will first call the internal hash function and then encrypt the resulting hash.

    If a password history is required, wrap this plugin in a 'History Password Hash'. However, bear in mind that an encrypted hash can be longer than the hash value itself. This affects the number of possible entries of 'Max History Length' in 'History Password Hash'.

    Class
    com.airlock.iam.core.misc.util.password.hash.EncryptedPasswordHashConfig
    May be used by
    Properties
    Keystore (keystore)
    Description
    The configuration of the keystore. The keystore is used to load the secret key for the encryption and decryption of the hash.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Encryption Key Alias (encryptionKeyAlias)
    Description
    The alias of the secret key in the given keystore to encrypt the hash.
    Attributes
    String
    Mandatory
    Example
    mykey
    Encryption Key Password (encryptionKeyPassword)
    Description
    The password of the secret key to encrypt the hash.
    Attributes
    String
    Mandatory
    Sensitive
    Cipher Transformation (cipherTransformation)
    Description
    The cipher to encrypt the hash. A symmetric cipher is required.
    Attributes
    String
    Optional
    Default value
    AES/ECB/PKCS5Padding
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.hash.EncryptedPasswordHashConfig
    id: EncryptedPasswordHashConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      cipherTransformation: AES/ECB/PKCS5Padding
      encryptionKeyAlias:
      encryptionKeyPassword:
      hashFunction:
      keystore:
    

    Enumeration User Context Data Item

    Description
    User context data item that stores a string value out of a fixed set of allowed strings.
    Class
    com.airlock.iam.flow.shared.application.configuration.item.EnumContextDataItemDefinitionConfig
    May be used by
    Properties
    Context Data Name (contextDataName)
    Description
    The context data item in the context data.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Required (required)
    Description
    Specifies whether this context data item is required for the step to validate successfully.
    Attributes
    Boolean
    Optional
    Default value
    true
    Values (values)
    Description
    The allowed values of the context data item.
    Attributes
    String-List
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.item.EnumContextDataItemDefinitionConfig
    id: EnumContextDataItemDefinitionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataName:
      required: true
      values:
    

    Equals Old Password Policy

    Description
    A password policy check that tests whether the new password is the same as the old (existing) one.
    Class
    com.airlock.iam.core.misc.impl.authen.PwdPolicyEqualsOldCheck
    May be used by
    Properties
    Ignore Case (ignoreCase)
    Description
    If set to TRUE, the case of characters is ignored when comparing the two passwords.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.PwdPolicyEqualsOldCheck
    id: PwdPolicyEqualsOldCheck-xxxxxx
    displayName: 
    comment: 
    properties:
      ignoreCase: false
    

    Esp Sign Ticket Decoder

    Description
    Ticket decoder decoding digitally signed tickets with a fixed 512-bit RSA public key located in the ticket encoder code.

    Note: In order for the encoder to be compatible with legacy code, the encoding of the ticket information is not straightforward and differs from the other ticket encoders.

    Use the ticket encoder EspSignTicketEncoder to encode tickets to be decoded by this decoder.

    Class
    com.airlock.iam.core.misc.util.ticket.codec.esp.EspSignTicketDecoder
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.ticket.codec.esp.EspSignTicketDecoder
    id: EspSignTicketDecoder-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Esp Sign Ticket Encoder

    Description
    Ticket encoder digitally signing tickets with a fixed 512-bit RSA private key located in the ticket encoder code.

    Note: In order for this encoder to be compatible with legacy code, the encoding of the ticket information is not straightforward and differs from the other ticket encoders.

    Use the ticket decoder EspSignTicketDecoder to decode tickets encoded with this encoder.

    Class
    com.airlock.iam.core.misc.util.ticket.codec.esp.EspSignTicketEncoder
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.ticket.codec.esp.EspSignTicketEncoder
    id: EspSignTicketEncoder-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Expert Mode Redis State Repository Config

    Description

    State repository that stores all values in a Redis service.

    Caution: This plugin supports a very wide range of configuration options, and not all of them have been tested to work with Airlock IAM.
    It is recommended to use as few Redis config options as possible: this minimizes the possible need for manual changes for future versions of Redis. Please refer to the property documentation for example configurations.

    Class
    com.airlock.iam.common.application.configuration.state.ExpertModeRedisStateRepositoryConfig
    May be used by
    Properties
    YAML Configuration (yamlConfig)
    Description

    The configuration of the built-in Redisson Redis client in YAML format. Please consult the Redisson Configuration Documentation for details on the available configuration options.

    A configuration file which contains the YAML configuration can be used as an alternative to this configuration (see below).

    Note:

    • Cluster mode is currently not supported
    • Configuring read-only Redis nodes does not improve performance, because Airlock IAM does not use any read-only operations.

    Attributes
    String
    Mandatory
    Multi-line-text
    Example
    singleServerConfig:
      address: "redis://127.0.0.1:6379"
    Example
    sentinelServersConfig:
      masterName: "mymaster"
      connectTimeout: 10000
      sentinelAddresses:
      - "redis://127.0.0.1:26379"
      - "redis://127.0.0.1:26389"
    Example
    replicatedServersConfig:
      connectTimeout: 10000
      nodeAddresses:
      - "redis://redishost1:2812"
      - "redis://redishost2:2815"
      - "redis://redishost3:2813"
    Encryption (encryption)
    Description

    Encryption settings defining whether and how state information in Redis is encrypted. IAM state contains sensitive information. State encryption prevents other systems from reading and modifying IAM state information.

    To enable state encryption with non-encrypted state already present, use the "Migrating State Encryption" plugin.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Use Legacy Key Format (legacyKeyFormat)
    Description
    If enabled, session data for the Loginapp and Adminapp is stored in a flat key naming scheme that is backward compatible to IAM 8.1. If disabled (default for new installations as of IAM 8.2), all keys are stored in a structured naming scheme.

    When changing this setting after state has already been stored in Redis, that state will be lost and the corresponding sessions will be terminated.

    Attributes
    Boolean
    Optional
    Default value
    false
    Namespace (namespace)
    Description

    A string that will be used as a namespace for the keys in Redis.

    This is useful if, for example, multiple IAM instances share the same Redis instance and one must ensure that their Redis keys don't interfere with each other.

    When changing this setting after state has already been stored in Redis, that state will be lost and the corresponding sessions will be terminated.

    Attributes
    String
    Optional
    Validation RegEx: ^[A-Za-z0-9]+$
    Default value
    default
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.state.ExpertModeRedisStateRepositoryConfig
    id: ExpertModeRedisStateRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      encryption:
      legacyKeyFormat: false
      namespace: default
      yamlConfig:
    

    Exponential Temporary Locking Strategy

    Description
    A Temporary Locking strategy with a duration based on an exponential or linear formula. The lock duration after n failed attempts is calculated as follows:

    Duration = (Base Duration) * (Exponential Factor) ^ (n - 1) + (Additional Duration) * (n - 1)

    Note that the first addend is always greater than Base Duration.
    Class
    com.airlock.iam.common.application.configuration.templock.ExponentialTemporaryLockingStrategyConfig
    May be used by
    Properties
    Base Duration (in ms) (baseDurationMs)
    Description
    The duration (in milliseconds) a user is locked out after exactly one failed authentication attempt.
    Attributes
    Integer
    Optional
    Default value
    3000
    Exponential Factor (exponentialFactor)
    Description
    Factor by which Base Duration is multiplied with each failed attempt. If set to 1.0, the duration only grows linearly with the number of failed attempts.
    After one failed attempt, Base Duration is used. After two failed attempts, Base Duration is multiplied by this factor. After three failed attempts, it is multiplied by this factor once more. For example, if the factor is 2.0, the duration is doubled with every failed attempt.
    Note that this property can be combined with Additional Duration. See the plugin description for the overall formula.
    Attributes
    Double
    Optional
    Default value
    2.0
    Additional Duration (in ms) (additionalDurationMs)
    Description
    Duration (in milliseconds) that is added to Base Duration with each failed attempt. It only has an effect if greater than 0 ms.
    After one failed attempt, Base Duration is used. After two failed attempts, the additional duration is added to Base Duration. After three failed attempts, the additional duration is added once more.
    Note that this property can be combined with Exponential Factor. See the plugin description for the overall formula.
    Attributes
    Integer
    Optional
    Default value
    0
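    The lock duration formula of this strategy, evaluated in an added Python example (not Airlock IAM's own code). The field defaults mirror the three plugin properties; the schedule and attempts_until helpers, and returning 0 ms before the first failure, are assumptions of this example.

```python
"""Worked evaluation of the Exponential Temporary Locking Strategy formula.

Added example, not Airlock IAM product code. It implements the documented rule
    Duration = (Base Duration) * (Exponential Factor) ^ (n - 1)
               + (Additional Duration) * (n - 1)
for n consecutive failed attempts. Field defaults mirror the plugin's YAML
properties (baseDurationMs, exponentialFactor, additionalDurationMs); the
helper methods and the "0 ms before the first failure" rule are assumptions
of this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ExponentialLockingStrategy:
    base_duration_ms: int = 3000        # baseDurationMs default
    exponential_factor: float = 2.0     # exponentialFactor default
    additional_duration_ms: int = 0     # additionalDurationMs default

    def __post_init__(self) -> None:
        if self.base_duration_ms < 0 or self.additional_duration_ms < 0:
            raise ValueError("durations must not be negative")

    def lock_duration_ms(self, failed_attempts: int) -> int:
        """Lock duration after exactly `failed_attempts` consecutive failures."""
        if failed_attempts < 1:
            return 0  # assumption: no lock until the first failure
        n = failed_attempts - 1
        exponential_part = self.base_duration_ms * self.exponential_factor ** n
        linear_part = self.additional_duration_ms * n
        return int(round(exponential_part + linear_part))

    def schedule(self, max_attempts: int) -> List[int]:
        """Lock durations for 1..max_attempts failures, e.g. for a runbook table."""
        return [self.lock_duration_ms(n) for n in range(1, max_attempts + 1)]

    def attempts_until(self, threshold_ms: int, limit: int = 64) -> Optional[int]:
        """Smallest failure count whose lock reaches threshold_ms, or None if it
        is not reached within `limit` failures (guards against factor 1.0 with
        no additional duration, where the lock never grows)."""
        for n in range(1, limit + 1):
            if self.lock_duration_ms(n) >= threshold_ms:
                return n
        return None


if __name__ == "__main__":
    # With the defaults the schedule is 3, 6, 12, 24, 48, 96 seconds.
    defaults = ExponentialLockingStrategy()
    for n, ms in enumerate(defaults.schedule(6), start=1):
        print(f"{n} failed attempt(s): locked for {ms / 1000:g} s")
```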
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.templock.ExponentialTemporaryLockingStrategyConfig
    id: ExponentialTemporaryLockingStrategyConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      additionalDurationMs: 0
      baseDurationMs: 3000
      exponentialFactor: 2.0
    

    Export Users Task

    Description
    Exports all users that are returned by the given UserIterator and writes their data to a CSV file.
    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.ExportUsersTask
    May be used by
    Properties
    User Persister (userPersister)
    Description
    User persister plugin used to read the necessary user account data.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    User Iterator (userIterator)
    Description
    The user iterator returns the users that need to be exported.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    CSV Renderer (csvRenderer)
    Description
    The CSV renderer is used to write the CSV output.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Export Directory (exportDirectory)
    Description
    Directory where the export files should be stored.
    Attributes
    File/Path
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.ExportUsersTask
    id: ExportUsersTask-xxxxxx
    displayName: 
    comment: 
    properties:
      csvRenderer:
      exportDirectory:
      userIterator:
      userPersister:
    

    Extended String User Profile Item Config

    Description
    Extension to the string user profile item. Using regular expressions, the display value can be inferred from the actual value, and whether the field is modifiable can also be determined by a regular expression.
    Class
    com.airlock.iam.common.application.configuration.userprofile.ExtendedStringUserProfileItemConfig
    May be used by
    Properties
    Display Pattern (displayPattern)
    Description

    This regular expression is used to extract values which can be used in "Display Output" to determine the display value.

    The two fields are applied to the value to be displayed as follows: value.replaceAll(displayPattern, displayReplacement).

    For example, a displayPattern of ".*CN=([^,]*).*" and displayReplacement of "Name: $1" would transform the value "C=CH, L=Zurich, CN=Ergon Informatik AG" to "Name: Ergon Informatik AG".

    Attributes
    RegEx
    Optional
    Display Replacement (displayReplacement)
    Description
    The output string produced using the "Display Pattern". See that description for detailed information about the display string transformation.
    Attributes
    String
    Optional
    Read Only Pattern (readOnlyPattern)
    Description
    This regular expression is used to determine if the value is modifiable for the user or read-only. If this pattern is defined, the "Modifiable" flag is overwritten and determined based on the value to be displayed: if the pattern matches the entered value, then it is not editable by the user. If the pattern is not defined, then the "Modifiable" flag is used.
    Attributes
    RegEx
    Optional
    Validation Pattern (validationPattern)
    Description

    Pattern for validating the value of the field.

    The provided regex is used in Java for server-side validation and potentially in Javascript for client-side validation. The capabilities of these regex interpreters differ. Therefore make sure to only use patterns that are equivalent in both types of interpreters.

    Attributes
    RegEx
    Optional
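    The display, read-only and validation rules above, applied in an added Python example (not Airlock IAM code). Java's replaceAll semantics are reproduced with re.sub after rewriting "$1"-style group references to Python's "\1" form, and "the pattern matches the entered value" is taken as a full match of the whole value; both are assumptions of this example.

```python
"""Evaluation of an Extended String User Profile Item's display, read-only
and validation rules.

Added example, not Airlock IAM code. display_value() mirrors the documented
value.replaceAll(displayPattern, displayReplacement); Java "$1" group
references are rewritten to Python's "\\1" form first. is_read_only() and
is_valid() treat "the pattern matches the value" as a full match of the
whole value, which is an assumption of this example.
"""
import re
from typing import Dict, Optional


def java_replacement_to_python(replacement: str) -> str:
    """Rewrite Java-style group references ($1, $2, ...) to Python's \\1 form."""
    return re.sub(r"\$(\d+)", r"\\\1", replacement)


def display_value(value: str, display_pattern: Optional[str],
                  display_replacement: Optional[str]) -> str:
    """Display string for `value`; unchanged when no displayPattern is set."""
    if not display_pattern:
        return value
    replacement = java_replacement_to_python(display_replacement or "")
    return re.sub(display_pattern, replacement, value)


def is_read_only(value: str, modifiable: bool,
                 read_only_pattern: Optional[str]) -> bool:
    """readOnlyPattern, when set, overrides the Modifiable flag."""
    if read_only_pattern:
        return re.fullmatch(read_only_pattern, value) is not None
    return not modifiable


def is_valid(value: str, validation_pattern: Optional[str]) -> bool:
    """Server-side validation; no pattern means every value is accepted."""
    if not validation_pattern:
        return True
    return re.fullmatch(validation_pattern, value) is not None


def render_item(value: str, modifiable: bool,
                display_pattern: Optional[str] = None,
                display_replacement: Optional[str] = None,
                read_only_pattern: Optional[str] = None,
                validation_pattern: Optional[str] = None) -> Dict[str, object]:
    """What a form would show for one profile item value."""
    return {
        "value": value,
        "display": display_value(value, display_pattern, display_replacement),
        "readOnly": is_read_only(value, modifiable, read_only_pattern),
        "valid": is_valid(value, validation_pattern),
    }


# Constructed sample, taken from the Display Pattern description above.
DN_VALUE = "C=CH, L=Zurich, CN=Ergon Informatik AG"
DISPLAY_PATTERN = r".*CN=([^,]*).*"
DISPLAY_REPLACEMENT = "Name: $1"

if __name__ == "__main__":
    # Certificate-style DNs are shown by their CN and cannot be edited;
    # any other value is shown as-is and follows the Modifiable flag.
    for value in (DN_VALUE, "alias-42"):
        print(render_item(value, modifiable=True,
                          display_pattern=DISPLAY_PATTERN,
                          display_replacement=DISPLAY_REPLACEMENT,
                          read_only_pattern=r".*CN=.*",
                          validation_pattern=r"[A-Za-z0-9 ,=-]+"))
```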
    Check Uniqueness (checkUniqueness)
    Description

    If defined, the user persister is used to check whether the value is unique by querying the corresponding user iterator plugin.

    This user iterator must provide the context data value specified by this profile item.
    Usually, the same plugin is used that was used to load the user data to the form this profile item is part of.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Check Uniqueness Against Username (checkUniquenessAgainstUsername)
    Description

    If set to true, uniqueness is also checked against the username. The value entered by the user must exist neither in the configured property nor as a username. This is mainly used in conjunction with a username transformer, where login is possible with an alias property in addition to the username.

    This flag is only checked if checkUniqueness is configured.

    Attributes
    Boolean
    Optional
    Default value
    false
    Prefill (prefill)
    Description
    If configured, the profile item is prefilled with the provided value. This feature can be used to suggest possible values to administrators or to prefill a common value when creating a user via the Adminapp UI. This property only has an effect when creating a user. Furthermore, it is only allowed for mandatory items because only mandatory items are displayed in the user create dialog.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    String Resource Key (stringResourceKey)
    Description
    String identifier for the language-specific string tables.
    Attributes
    String
    Mandatory
    Example
    userdata.label.salutation
    Example
    userdata.label.firstname
    Example
    userdata.label.lastname
    Example
    userdata.label.email
    Example
    userdata.label.nationality
    Example
    userdata.label.birthdate
    Example
    userdata.label.street
    Example
    userdata.label.street-number
    Example
    userdata.label.address2
    Example
    userdata.label.zipcode
    Example
    userdata.label.town
    Example
    userdata.label.state
    Example
    userdata.label.country
    Example
    userdata.label.company
    Example
    userdata.label.department
    Example
    userdata.label.office-phone
    Example
    userdata.label.mobile-phone
    Example
    userdata.label.language
    Example
    userdata.label.correspondence-language
    Example
    userdata.label.realm
    Property Name (propertyName)
    Description
    Name of the context-data field in which the value is stored.
    Attributes
    String
    Mandatory
    Example
    surname
    Example
    givenname
    Example
    email
    Example
    mtan_number
    Optional (optional)
    Description
    Whether this field is optional or mandatory for the user.
    Attributes
    Boolean
    Optional
    Default value
    true
    Modifiable (modifiable)
    Description
    Indicates if the user is allowed to change this property once it is set. Specifically, if this flag is set to false, then during self-registration the property could be set, but when editing the user data, this property would be read-only.
    Attributes
    Boolean
    Optional
    Default value
    true
    Validate Only Changed Values (validateOnlyChangedValues)
    Description
    If enabled, only values that have been changed by the user (compared to the data loaded from the data layer) are validated.
    Attributes
    Boolean
    Optional
    Default value
    true
    Sortable (sortable)
    Description
    If enabled, the attribute is sortable in the user list if the underlying user iterator supports sorting.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.userprofile.ExtendedStringUserProfileItemConfig
    id: ExtendedStringUserProfileItemConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      checkUniqueness:
      checkUniquenessAgainstUsername: false
      displayPattern:
      displayReplacement:
      modifiable: true
      optional: true
      prefill:
      propertyName:
      readOnlyPattern:
      sortable: true
      stringResourceKey:
      validateOnlyChangedValues: true
      validationPattern:
    

    Extended User Persister-based User Store Provider

    Description
    This is a user store implementation that emulates the new user store interface for large numbers of users using existing plugins; the user persister is expected to be of type ExtendedUserPersister.
    Class
    com.airlock.iam.core.application.configuration.store.user.ExtendedUserPersisterBasedUserStoreProvider
    May be used by
    Properties
    User Persister (userPersister)
    Description
    A user persister that will be used to retrieve and update users.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.application.configuration.store.user.ExtendedUserPersisterBasedUserStoreProvider
    id: ExtendedUserPersisterBasedUserStoreProvider-xxxxxx
    displayName: 
    comment: 
    properties:
      userPersister:
    

    External Database Password Repository Config

    Description
    Retrieves the password (hash) of the user from a database.

    It is typically used in cases where the Default Password Repository does not work:

    • The passwords are stored in a database different from the user database.
    • In self-registration flows (where there is no in-memory user that is persisted automatically).
    Class
    com.airlock.iam.common.application.configuration.password.repository.ExternalDatabasePasswordRepositoryConfig
    May be used by
    Properties
    User Store (userStore)
    Description
    Defines the database to be used to retrieve and store passwords.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Allowed Password Validity Duration (allowedPasswordValidityDuration)
    Description
    The number of days a password may be used before it must be changed.

    If a password is changed, the 'latest password change timestamp' is set and, if this property is defined, the 'next enforced password change timestamp' is updated.

    If this property is not defined, the 'next enforced password change timestamp' is not updated.

    Attributes
    Integer
    Optional
    Hash Function (hashFunction)
    Description
    The password hash function used for verification and when storing a new password.

    Note that the password hash function may or may not support password history checks. If the configured password hash function does not support password history checks but a policy checker requires this capability, an exception is thrown when trying to change a password.

    NOTE: Some password hashes, such as SHA 256 Password Hash or Scrypt Password Hash, produce binary output. If one of these is used, make sure the persistence layer supports binary data in the hash field and the corresponding persistence plugins (e.g. Database User Store or Ldap Connector) are configured to treat hash values as binary values.
    In case the persistence layer expects a string, encode the password hash by wrapping it with an encoder. To achieve this, use the Password Hash Configuration plugin and specify the hash function (such as Scrypt Password Hash) together with the desired encoder. We recommend using the Base64 Password Hash Encoder.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Legacy Hash Functions (legacyHashFunctions)
    Description

    If the password cannot be verified using the main "Hash Function" above, all hashes in this list are tried as well. If any hash of this list matches, the password is stored using the current main hash function (see property "Hash Function"). In this case, a potential password history is lost.

    This feature allows changing the password hash function with automatic migration of all users that log in.

    Notice that having a legacy hash function in this list producing the same output length as the main hash function can pose a security risk since it might be possible for an attacker to provoke a match using a weaker hash method.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Use Latin1 Encoding (useLatin1Encoding)
    Description

    If enabled, passwords containing special characters stored by IAM earlier than 6.3 are still accepted. This option does not have to be activated if all passwords were set using IAM 6.3 or later or if all passwords were set via webservices or REST.

    To support legacy passwords, those with special characters are additionally checked using their legacy encoding in latin1 and if matching, they are rehashed and stored using the current hash function. In this case, a potential password history is lost.

    Attributes
    Boolean
    Optional
    Default value
    false
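The migration behaviour of "Legacy Hash Functions" and "Use Latin1 Encoding" is the same loop: try the main hash function, then every legacy function, each with the UTF-8 and (if enabled) the latin1 encoding of the password, and rehash with the main function on any match that did not come from the main function and UTF-8 encoding. The following is an added example, not Airlock IAM's implementation: the scrypt parameters, the unsalted SHA-256 stand-in for a legacy function and the record layout are constructed for illustration, and `legacy_functions_with_same_output_length` implements the configuration check the caveat above calls for.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

HashFn = Callable[[bytes, bytes], bytes]  # (password bytes, salt) -> digest


def scrypt_hash(password: bytes, salt: bytes) -> bytes:
    """Constructed stand-in for the main "Hash Function" (salted scrypt, 64-byte output)."""
    return hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=64)


def legacy_sha256(password: bytes, salt: bytes) -> bytes:
    """Constructed stand-in for a "Legacy Hash Functions" entry: unsalted SHA-256."""
    return hashlib.sha256(password).digest()


MAIN: Tuple[str, HashFn] = ("scrypt", scrypt_hash)
LEGACY: List[Tuple[str, HashFn]] = [("sha256-legacy", legacy_sha256)]


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes


@dataclass
class VerifyResult:
    ok: bool
    matched_by: Optional[str] = None        # name of the hash function that matched
    encoding: Optional[str] = None          # "utf-8" or "latin-1"
    migrated: bool = False                  # True if the record was rehashed with MAIN
    record: Optional[PasswordRecord] = None  # record to persist (new one if migrated)


def store_password(password: str) -> PasswordRecord:
    """Hash a new or migrated password with the main function (UTF-8, fresh salt)."""
    salt = os.urandom(16)
    return PasswordRecord(salt, MAIN[1](password.encode("utf-8"), salt))


def verify_and_migrate(record: PasswordRecord, password: str,
                       use_latin1_encoding: bool = False) -> VerifyResult:
    """Main hash first, then each legacy hash, each with every candidate encoding.

    A match that is not (main function, UTF-8) is rehashed with the main function;
    as the page notes, any password history tied to the old hash is lost then.
    """
    candidates = [("utf-8", password.encode("utf-8"))]
    if use_latin1_encoding and not password.isascii():
        try:
            candidates.append(("latin-1", password.encode("latin-1")))
        except UnicodeEncodeError:
            pass  # contains characters outside latin1, so no legacy form can exist
    for name, fn in [MAIN] + LEGACY:
        for enc, pw_bytes in candidates:
            # compare_digest returns False (no exception) when lengths differ
            if hmac.compare_digest(fn(pw_bytes, record.salt), record.digest):
                migrate = name != MAIN[0] or enc != "utf-8"
                new_record = store_password(password) if migrate else record
                return VerifyResult(True, name, enc, migrate, new_record)
    return VerifyResult(False)


def legacy_functions_with_same_output_length(main: Tuple[str, HashFn],
                                             legacy: List[Tuple[str, HashFn]]) -> List[str]:
    """Configuration-time check for the caveat above: legacy functions whose digest
    length equals the main function's cannot be distinguished by the stored value."""
    probe, salt = b"probe", b"\x00" * 16
    main_len = len(main[1](probe, salt))
    return [name for name, fn in legacy if len(fn(probe, salt)) == main_len]
```

Run `legacy_functions_with_same_output_length(MAIN, LEGACY)` whenever the legacy list changes; a non-empty result is the configuration the caveat warns about, and the remedy is a main hash function with a different output length (or an encoder that makes the formats distinguishable) rather than keeping the weaker function in the list.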
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.password.repository.ExternalDatabasePasswordRepositoryConfig
    id: ExternalDatabasePasswordRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedPasswordValidityDuration:
      hashFunction:
      legacyHashFunctions:
      useLatin1Encoding: false
      userStore:
    

    Factor Use Reporting Processor

    Description
    This processor creates reporting log entries for 'factor use'. Log entries are written for all 'success' or 'failure' step results that contain information about an involved (authentication) factor.
    Class
    com.airlock.iam.authentication.application.configuration.processor.FactorUseReportingProcessorConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.processor.FactorUseReportingProcessorConfig
    id: FactorUseReportingProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Failed Factor Attempts Processor

    Description
    Processor for counting failed factor usages. Failed step results from authentication method verifying steps cause the failed attempts counter for the corresponding authentication method to be increased (unless explicitly overridden in the step result). After successful completion of a flow all counters of authentication methods used during the flow are reset. If strict counting is enabled, all exceptions are also counted as failed attempts.
    Class
    com.airlock.iam.authentication.application.configuration.processor.FailedFactorAttemptsProcessorConfig
    May be used by
    Properties
    Strict Counting (strictCounting)
    Description
    If strict counting is enabled, exceptions and failures to connect to external systems are also counted as failed attempts. This is recommended for security-critical flows such as authentication. If the current step does not specify an authentication method, the failed attempt is counted for the last authentication method used in this flow, or a generic UNSPECIFIED if there was no previous authentication method verifying step.
    Attributes
    Boolean
    Optional
    Default value
    true
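The counting rules of this processor (increment per failed verifying step unless the step result overrides it, count exceptions only under strict counting, attribute a step without a method to the last method used or to UNSPECIFIED, and reset every counter used in the flow on successful completion) are shown in the following added example. It is not Airlock IAM code: the step result shape, the per-user in-memory counters and the assumption that plain failures are only counted for steps that name an authentication method are constructions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

UNSPECIFIED = "UNSPECIFIED"


@dataclass
class StepResult:
    kind: str                                    # "success", "failure" or "exception"
    auth_method: Optional[str] = None            # method the step verifies, if any
    count_failed_attempt: Optional[bool] = None  # explicit override; None = default


class FailedFactorAttemptsProcessor:
    """Per-user failed-attempt counters keyed by authentication method."""

    def __init__(self, strict_counting: bool = True) -> None:
        self.strict_counting = strict_counting
        self.counters: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
        self._used: Dict[str, List[str]] = defaultdict(list)   # methods used per flow
        self._last_method: Dict[str, Optional[str]] = {}

    def on_step_result(self, user: str, result: StepResult) -> None:
        if result.auth_method:
            self._last_method[user] = result.auth_method
            if result.auth_method not in self._used[user]:
                self._used[user].append(result.auth_method)

        if result.kind == "failure" and result.auth_method:
            counted = result.count_failed_attempt is not False
        elif result.kind == "exception" and self.strict_counting:
            # strict counting: exceptions and connection failures count as attempts
            counted = result.count_failed_attempt is not False
        else:
            counted = False

        if counted:
            method = result.auth_method or self._last_method.get(user) or UNSPECIFIED
            self.counters[user][method] += 1

    def on_flow_completed(self, user: str) -> None:
        """Successful completion resets the counters of every method used in the flow."""
        for method in self._used.pop(user, []):
            self.counters[user].pop(method, None)
        self._last_method.pop(user, None)

    def failed_attempts(self, user: str, method: str) -> int:
        return self.counters[user].get(method, 0)
```

The two processors in the test below differ only in `strict_counting`; with it disabled an exception in a step leaves the counters untouched, which is why the page recommends keeping it enabled for authentication flows.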
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.processor.FailedFactorAttemptsProcessorConfig
    id: FailedFactorAttemptsProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      strictCounting: true
    

    Failover SMS Gateway

    Description
    This SMS gateway plugin is used to specify multiple plugins in a failover setting.
    Class
    com.airlock.iam.core.misc.impl.sms.FailoverSmsGateway
    May be used by
    Properties
    Sms Gateways (smsGateways)
    Description
    SMS gateway plugins to use in the specified order for failover: If the first fails, the second is tried and so on.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Revert To Primary Timeout (revertToPrimaryTimeout)
    Description
    Timeout in milliseconds after which the first gateway in the list is tried again, even though another gateway could be reached recently. This is used to prioritize the first gateway and make sure the current client doesn't permanently switch to another gateway even though the first one could be available again. If not set, Airlock IAM will just keep using the last working gateway until it fails.
    Attributes
    Integer
    Optional
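The interaction between the ordered gateway list and "Revert To Primary Timeout" is easiest to see with an injected clock. The following added example (not Airlock IAM's implementation) assumes the timeout is measured from the primary gateway's most recent failure and that, once a later gateway is in use, the remaining gateways are tried in list order after it; both are assumptions of this example, as are the scripted gateways used as input.

```python
import time
from typing import Callable, List, Optional

SmsGateway = Callable[[str, str], None]  # send(recipient, text); raises on failure


class FailoverSmsGateway:
    def __init__(self, gateways: List[SmsGateway], names: List[str],
                 revert_to_primary_timeout_ms: Optional[int] = None,
                 clock_ms: Optional[Callable[[], int]] = None) -> None:
        self.gateways = list(gateways)
        self.names = list(names)
        self.timeout = revert_to_primary_timeout_ms
        self.clock_ms = clock_ms or (lambda: int(time.time() * 1000))
        self.current = 0                 # index of the last working gateway
        self.primary_failed_at = None    # clock value of the primary's last failure

    def send(self, recipient: str, text: str) -> str:
        """Send via the current gateway, failing over along the list; returns the
        name of the gateway that accepted the message."""
        now = self.clock_ms()
        start = self.current
        if (start > 0 and self.timeout is not None
                and now - self.primary_failed_at >= self.timeout):
            start = 0  # timeout elapsed: give the primary another chance
        order = list(range(start, len(self.gateways))) + list(range(0, start))
        errors = []
        for i in order:
            try:
                self.gateways[i](recipient, text)
            except Exception as exc:
                errors.append(f"{self.names[i]}: {exc}")
                if i == 0:
                    self.primary_failed_at = now
                continue
            self.current = i  # stick with this gateway until it fails
            return self.names[i]
        raise RuntimeError("all SMS gateways failed: " + "; ".join(errors))


def scripted_gateway(name: str, outcomes: List[bool], log: List[str]) -> SmsGateway:
    """Constructed gateway: consumes scripted outcomes (True = sent, False = fail),
    succeeding once the script is exhausted, and logs each attempt."""
    def send(recipient: str, text: str) -> None:
        log.append(name)
        ok = outcomes.pop(0) if outcomes else True
        if not ok:
            raise ConnectionError(f"{name} unreachable")
    return send


class FakeClock:
    """Manually advanced millisecond clock for deterministic tests."""
    def __init__(self) -> None:
        self.now = 0

    def __call__(self) -> int:
        return self.now
```

Without the timeout the instance keeps using the secondary gateway for as long as it works, so the first gateway's recovery is only noticed after the secondary fails too; with the timeout set, the primary is probed again on the first message after the timeout elapses.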
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sms.FailoverSmsGateway
    id: FailoverSmsGateway-xxxxxx
    displayName: 
    comment: 
    properties:
      revertToPrimaryTimeout:
      smsGateways:
    

    Failure HTTP Response

    Description
    Defines how to respond, i.e. what HTTP response to send (status and headers) and how to proceed on the Airlock Gateway (WAF).
    Class
    com.airlock.iam.login.app.misc.configuration.oneshot.FailureHttpResponseConfig
    May be used by
    License-Tags
    OneShotAuthentication
    Properties
    HTTP Status Code (httpStatusCode)
    Description
    The HTTP status code to set on the response.
    Attributes
    Integer
    Optional
    License-Tags
    OneShotAuthentication
    Default value
    401
    HTTP Headers (httpHeaders)
    Description
    A list of HTTP headers to add to the response.
    Attributes
    Plugin-List
    Optional
    License-Tags
    OneShotAuthentication
    Assignable plugins
    Workflow (workflow)
    Description
    Controls the Airlock Gateway (WAF) workflow.
    Attributes
    Enum
    Optional
    License-Tags
    OneShotAuthentication
    Default value
    CONTINUE
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oneshot.FailureHttpResponseConfig
    id: FailureHttpResponseConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      httpHeaders:
      httpStatusCode: 401
      workflow: CONTINUE
    

    Failure Step

    Description
    A flow step to abort and fail the current flow. This step always fails with the configured error code and increments the number of failed attempts for the configured authentication method. If no failed attempts should be counted, use the "Abort Step" instead.
    Class
    com.airlock.iam.flow.application.configuration.step.FailureStepConfig
    May be used by
    Properties
    Error Code (errorCode)
    Description
    The error code which will be included in the response. Allows specifying the reason for aborting the current flow.
    Attributes
    String
    Mandatory
    Example
    FLOW_ABORTED_INTENTIONALLY
    Authentication Method Identifier (authMethod)
    Description
    Identifies which failed factor attempts counter should be increased.
    Attributes
    String
    Mandatory
    Example
    PASSWORD
    Example
    MTAN
    Example
    CRONTO
    Example
    FIDO
    Example
    AIRLOCK_2FA
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.application.configuration.step.FailureStepConfig
    id: FailureStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authMethod:
      customFailureResponseAttributes:
      customResponseAttributes:
      errorCode:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
    

    Fallback Authenticator

    Description
    Combines two or more authenticator plugins such that the next authenticator in the list is tried if one fails to authenticate.

    The reasons that count as "failing" can be configured (see separate properties):

    • Error during authentication process
    • User not found
    • User not valid (outside validity period or flagged as invalid)
    • Credential not assigned
    • Credential not active
    • Authentication failed (e.g. password wrong)

    In general, when switching to the next authenticator, the credential object (e.g. username and password) used with the first authenticator that led to the "failure" is used again with the next authenticator. A new session is obtained from the next authenticator. After trying all authenticators, the result from the last authenticator is returned regardless of its result.

    Example usage: Use the reason "user not found" if it is not clear what system to authenticate against in case of multiple user directories.

    Class
    com.airlock.iam.core.misc.impl.authen.FallbackAuthenticator
    May be used by
    Properties
    Failover On Error (failoverOnAuthenticationError)
    Description

    Enable to switch to the next authenticator if an unrecoverable error occurs.

    Typical errors arise from unreachable databases or other dependent systems.

    Attributes
    Boolean
    Optional
    Default value
    true
    Failover If User Not Found (failoverIfUserNotFound)
    Description
    Enable to switch to the next authenticator if the previous returns "user not found".
    Attributes
    Boolean
    Optional
    Default value
    true
    Failover If User Not Valid (failoverIfUserNotValid)
    Description
    Enable to switch to the next authenticator if the previous returns "user not valid". This is the case if the user record has been flagged invalid or if the current point in time is outside the validity period of the account.
    Attributes
    Boolean
    Optional
    Default value
    true
    Failover If Credential Not Assigned (failoverIfCredentialNotAssigned)
    Description
    Enable to switch to the next authenticator if the previous returns "credential not assigned".
    Attributes
    Boolean
    Optional
    Default value
    false
    Failover If Credential Not Active (failoverIfCredentialNotActive)
    Description
    Enable to switch to the next authenticator if the previous returns "credential not active".
    Attributes
    Boolean
    Optional
    Default value
    false
    Failover If Authentication Fails (failoverIfAuthenticationFails)
    Description
    Enable to switch to the next authenticator on arbitrary authentication failures (e.g. password wrong).
    Attributes
    Boolean
    Optional
    Default value
    false
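The failover rules of this plugin, with the defaults listed above, are shown in the following added example (not Airlock IAM code). The status names, the in-memory directories and the call log that records which authenticators saw the credential are constructed for the example; in particular, the log makes visible that with `failoverIfAuthenticationFails` at its default of false a wrong password is rejected by the first authenticator without being presented to the next one.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed status values mirroring the failover reasons listed for the plugin.
OK = "OK"
ERROR = "ERROR"
USER_NOT_FOUND = "USER_NOT_FOUND"
USER_NOT_VALID = "USER_NOT_VALID"
CREDENTIAL_NOT_ASSIGNED = "CREDENTIAL_NOT_ASSIGNED"
CREDENTIAL_NOT_ACTIVE = "CREDENTIAL_NOT_ACTIVE"
AUTH_FAILED = "AUTH_FAILED"


@dataclass
class AuthResult:
    status: str
    authenticator: str                 # which authenticator produced this result
    session: Optional[dict] = None     # session obtained from that authenticator


Authenticator = Callable[[str, str], AuthResult]


@dataclass
class FallbackAuthenticator:
    authenticators: List[Authenticator]
    failover_on_authentication_error: bool = True
    failover_if_user_not_found: bool = True
    failover_if_user_not_valid: bool = True
    failover_if_credential_not_assigned: bool = False
    failover_if_credential_not_active: bool = False
    failover_if_authentication_fails: bool = False

    def _failover_reasons(self) -> set:
        flags = {
            ERROR: self.failover_on_authentication_error,
            USER_NOT_FOUND: self.failover_if_user_not_found,
            USER_NOT_VALID: self.failover_if_user_not_valid,
            CREDENTIAL_NOT_ASSIGNED: self.failover_if_credential_not_assigned,
            CREDENTIAL_NOT_ACTIVE: self.failover_if_credential_not_active,
            AUTH_FAILED: self.failover_if_authentication_fails,
        }
        return {status for status, enabled in flags.items() if enabled}

    def authenticate(self, username: str, password: str) -> AuthResult:
        """Same credential is handed to each authenticator in turn; a result whose
        status is not a configured failover reason ends the chain. After the last
        authenticator its result is returned whatever it is."""
        reasons = self._failover_reasons()
        result = AuthResult(ERROR, "none")
        for auth in self.authenticators:
            result = auth(username, password)
            if result.status == OK or result.status not in reasons:
                return result
        return result


def directory(name: str, users: Dict[str, dict], calls: List[str]) -> Authenticator:
    """Constructed in-memory user directory; records each invocation in `calls`."""
    def authenticate(username: str, password: str) -> AuthResult:
        calls.append(name)
        user = users.get(username)
        if user is None:
            return AuthResult(USER_NOT_FOUND, name)
        if not user.get("valid", True):
            return AuthResult(USER_NOT_VALID, name)
        if not hmac.compare_digest(user["password"].encode(), password.encode()):
            return AuthResult(AUTH_FAILED, name)
        return AuthResult(OK, name, session={"user": username, "directory": name})
    return authenticate
```

The "user not found" case from the example usage above is the second assertion in the test: the user exists only in the second directory, and the first directory's "user not found" result is what triggers the switch.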
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.FallbackAuthenticator
    id: FallbackAuthenticator-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticators:
      failoverIfAuthenticationFails: false
      failoverIfCredentialNotActive: false
      failoverIfCredentialNotAssigned: false
      failoverIfUserNotFound: true
      failoverIfUserNotValid: true
      failoverOnAuthenticationError: true
    

    Fallback CRL Fetcher

    Description
    This fallback CRL fetcher uses multiple CRL fetchers to obtain the CRL. It calls them in the configured order and returns the CRL of the first fetcher that succeeds (composite pattern).
    Class
    com.airlock.iam.core.misc.impl.cert.crl.FallbackCrlFetcher
    May be used by
    License-Tags
    ClientCertificate
    Properties
    Fetchers (fetchers)
    Description
    The fetchers to use. They are called in order and the result of the first matching is returned.
    Attributes
    Plugin-List
    Mandatory
    License-Tags
    ClientCertificate
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.cert.crl.FallbackCrlFetcher
    id: FallbackCrlFetcher-xxxxxx
    displayName: 
    comment: 
    properties:
      fetchers:
    

    Fallback Crl Obtainer

    Description
    A CRL obtainer that is a composite of multiple other CRL obtainers. It tries them one after the other (in order) and returns the result of the first one that obtains something. If none of them obtains anything, nothing is returned.
    Class
    com.airlock.iam.core.misc.impl.cert.crl.FallbackCrlObtainer
    May be used by
    License-Tags
    ClientCertificate
    Properties
    Delegates (delegates)
    Description
    The CRL obtainers to use (in this order).
    Attributes
    Plugin-List
    Mandatory
    License-Tags
    ClientCertificate
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.cert.crl.FallbackCrlObtainer
    id: FallbackCrlObtainer-xxxxxx
    displayName: 
    comment: 
    properties:
      delegates:
    

    Fallback String Value Provider

    Description
    The first non-null value in the list of String Value Providers will be provided.
    Class
    com.airlock.iam.common.application.configuration.valueprovider.FallbackStringValueProviderConfig
    May be used by
    Properties
    Treat Empty Strings As Null (treatEmptyStringsAsNull)
    Description
    If activated, empty strings will be treated as null.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.valueprovider.FallbackStringValueProviderConfig
    id: FallbackStringValueProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      stringValueProviders:
      treatEmptyStringsAsNull: false
    

    FIDO Attestation Certificate Trust Verifier

    Description
    Verifies that the attestation certificate and the associated chain of certificates provided in an attestation statement produced by a FIDO authenticator during registration can be trusted. Currently, only the following attestation statement formats are supported:

    An attestation certificate in such an attestation statement is valid if trust can be derived back to a trusted certificate (a.k.a. trust anchor) configured in the truststore, requiring that

    • the attestation certificate and every certificate in the chain is valid at the time of registration;
    • the signature of the attestation certificate and every certificate in the chain (except the last one) can be verified using the public key attested in the next certificate;
    • the signature of the attestation certificate or of at least one certificate in the chain can be verified by a public key attested in one of the trusted certificates configured in the trust store.

    Class
    com.airlock.iam.fido.application.configuration.registration.FidoAttestationCertificateTrustVerifierConfig
    May be used by
    License-Tags
    FIDO
    Properties
    Trust Store (trustStore)
    Description
    The truststore containing the trusted certificates to verify the attestation certificate produced by a FIDO authenticator during registration. The certificates must be in X509 format and all X509 certificates in the truststore will be used for verification and assumed to be trusted.

    Security warning: Putting a certificate in the trust store has security implications. In particular, trusting a certificate implies trusting every chain of certificates that can be derived back to this trusted certificate. Depending on your requirements as to which type of FIDO authenticators should or should not be accepted, it might be advisable to not directly trust root certificates of a particular FIDO authenticator manufacturer, in order to ensure that future FIDO authenticators from this manufacturer will not be automatically accepted. If the system needs to be as closed as possible, then trusting only the deepest intermediate certificate in the chain would be advisable.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Maximum Certificate Chain Length (maximumCertificateChainLength)
    Description
    Maximum length of certificate chain to verify. Longer chains of certificates will fail this verification.

    It is recommended to keep this value as low as possible to ensure that Airlock IAM is not overly burdened by such verifications (denial of service).

    Attributes
    Integer
    Optional
    Default value
    3
    YAML Template (with default values)
    
    type: com.airlock.iam.fido.application.configuration.registration.FidoAttestationCertificateTrustVerifierConfig
    id: FidoAttestationCertificateTrustVerifierConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      maximumCertificateChainLength: 3
      trustStore:
    

    FIDO Authentication Step

    Description

    Step to authenticate a user with a FIDO authenticator.

    Class
    com.airlock.iam.fido.login.application.configuration.FidoAuthenticationStepConfig
    May be used by
    License-Tags
    FIDO
    Properties
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    This step can return the following error codes:

    • FIDO_AUTHENTICATION_FAILED: The FIDO authentication failed for unspecified reasons (either in the browser/client or during server-side verification).
    • FIDO_AUTHENTICATION_TIMEOUT: The response from the browser/client has timed out.
    • FIDO_AUTHENTICATION_ABORTED: The authentication has been aborted in the browser/client.
    • FIDO_AUTHENTICATION_NOT_ALLOWED: The browser/client did not allow authentication with the given credentials.
    • FIDO_WEB_AUTHN_NOT_AVAILABLE: The client/browser is not capable of performing WebAuthn/FIDO authentication.
    • NO_VALID_TOKEN: The user has no eligible FIDO credential registered.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    FIDO Settings (fidoSettings)
    Description
    Settings for FIDO.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.fido.login.application.configuration.FidoAuthenticationStepConfig
    id: FidoAuthenticationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      fidoSettings:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    FIDO Consistency User Change Listener

    Description
    A listener that reacts to change events on users and keeps the FIDO user in a consistent state. Actions:
    • on user deletion: deletes the associated FIDO user account and its credentials.
    • on user name change: updates the user reference of the FIDO user account.
    Class
    com.airlock.iam.fido.application.configuration.FidoConsistencyUserChangeListener
    May be used by
    License-Tags
    FIDO
    Properties
    FIDO Settings (fidoSettings)
    Description
    Settings for FIDO.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.fido.application.configuration.FidoConsistencyUserChangeListener
    id: FidoConsistencyUserChangeListener-xxxxxx
    displayName: 
    comment: 
    properties:
      fidoSettings:
    

    FIDO Credential Deleted

    Description
    Event that is triggered by the deletion of a FIDO credential.
    Class
    com.airlock.iam.common.application.configuration.event.FidoCredentialDeletedSubscribedEventConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.event.FidoCredentialDeletedSubscribedEventConfig
    id: FidoCredentialDeletedSubscribedEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    FIDO Credential Display Name Change Step

    Description
    Step to change the display name of a FIDO credential. This step must be preceded by a FIDO Credential Selection Step to select the credential to be renamed.
    If auto generate display name is enabled during the registration, it is also possible to configure this step after a FIDO Credential Registration Step.
    The change is applied by an "Apply Changes Step" which requires an "Apply FIDO Credential Display Name Change" to persist the new name.
    Class
    com.airlock.iam.fido.login.application.configuration.FidoCredentialDisplayNameChangeStepConfig
    May be used by
    License-Tags
    FIDO
    Properties
    FIDO Settings (fidoSettings)
    Description
    Settings for FIDO.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.fido.login.application.configuration.FidoCredentialDisplayNameChangeStepConfig
    id: FidoCredentialDisplayNameChangeStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      fidoSettings:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    FIDO Credential List

    Description
    Configures the FIDO credential list REST self-service. Additional self-service functionality can be configured in "Protected Self-Service Flows".
    Class
    com.airlock.iam.selfservice.application.configuration.token.FidoCredentialListSelfServiceRestConfig
    May be used by
    License-Tags
    FIDO
    Properties
    FIDO Settings (fidoSettings)
    Description
    Settings for FIDO.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Access Condition (accessCondition)
    Description

    Precondition that must be fulfilled for a user to access the FIDO credential list.

    Note the difference to the "Authorization Condition":
    • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
    • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Authorization Condition (authorizationCondition)
    Description
    Precondition that must be fulfilled for the user to be authorized to access the FIDO credential list without further authentication. Note the difference to the "Access Condition":
    • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
    • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.token.FidoCredentialListSelfServiceRestConfig
    id: FidoCredentialListSelfServiceRestConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accessCondition:
      authorizationCondition:
      fidoSettings:
    

    FIDO Credential Management UI

    Description
    Configures the FIDO credential management user interface.

    Depending on the configuration, the user interface allows an authenticated user:

    • to register a new FIDO credential.

    The FIDO credential management interface is accessible at /<loginapp-uri>/ui/app/protected/tokens/fido/credentials after user authentication.

    Class
    com.airlock.iam.selfservice.application.configuration.ui.tokens.FidoCredentialManagementUiConfig
    May be used by
    License-Tags
    FIDO
    Properties
    Flow To Register Credential (flowToRegisterCredential)
    Description
    ID of the flow which is used for registering a new FIDO credential. If not configured, the user will not be able to register a new FIDO credential via the management UI.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Flow To Change Display Name (flowToChangeDisplayName)
    Description

    ID of the flow which is used for changing the display name of a FIDO credential. The first interactive step of the corresponding flow must be a FIDO Credential Selection Step.

    If not configured, the user will not be able to edit the display name of a credential via the management UI.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Flow To Delete Credential (flowToDeleteCredential)
    Description

    ID of the flow which is used for deletion of a FIDO credential. The first interactive step of the corresponding flow must be a Delete FIDO Credential Initiation Step.

    If not configured, the user will not be able to delete a credential via the management UI.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Flow To Disable Credential (flowToDisableCredential)
    Description

    ID of the flow which is used for disabling a FIDO credential. The first interactive step of the corresponding flow must be an Enable FIDO Credential Initiation Step.

    If not configured, the user will not be able to disable a credential via the management UI.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Flow To Enable Credential (flowToEnableCredential)
    Description

    ID of the flow which is used for enabling a FIDO credential. The first interactive step of the corresponding flow must be a Disable FIDO Credential Initiation Step.

    If not configured, the user will not be able to enable a credential via the management UI.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Page Exit Target (pageExitTarget)
    Description

    If configured, an additional button is displayed on the FIDO credential management page that lets the user exit the page. On click, this button redirects the user to the configured target.

    To redirect to a target application, redirect to the corresponding "Authentication Flow". If the flow can be skipped due to the obtained tags, the user is directly forwarded to the target application.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.ui.tokens.FidoCredentialManagementUiConfig
    id: FidoCredentialManagementUiConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      flowToChangeDisplayName:
      flowToDeleteCredential:
      flowToDisableCredential:
      flowToEnableCredential:
      flowToRegisterCredential:
      pageExitTarget:
    

    FIDO Credential Management UI Redirect

    Description
    Redirects to the "FIDO Credential Management UI".
    Class
    com.airlock.iam.selfservice.application.configuration.ui.tokens.FidoCredentialManagementFlowRedirectTargetConfig
    May be used by
    License-Tags
    FIDO
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.ui.tokens.FidoCredentialManagementFlowRedirectTargetConfig
    id: FidoCredentialManagementFlowRedirectTargetConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    FIDO Credential Registered

    Description
    Event that is triggered by the registration of a FIDO credential.
    Class
    com.airlock.iam.login.application.configuration.event.FidoCredentialRegisteredSubscribedEventConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.event.FidoCredentialRegisteredSubscribedEventConfig
    id: FidoCredentialRegisteredSubscribedEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    FIDO Credential Removal Possible

    Description
    Condition that determines whether the current user can remove a FIDO credential. For credential removal to be possible, the user needs to have at least one credential. If "Allow Deleting Last FIDO Credential" is disabled, at least two credentials are required. This is to ensure that the user will still be able to log in with FIDO after credential deletion was performed.
    Class
    com.airlock.iam.selfservice.application.configuration.selection.condition.FidoCredentialDeletionPossibleConditionConfig
    May be used by
    License-Tags
    FIDO
    Properties
    FIDO Settings (fidoSettings)
    Description
    Settings for FIDO.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Allow Deleting Last Credential (allowDeletingLastCredential)
    Description
    If enabled, the last credential can be deleted. This can leave the user without a means to log in again.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.selection.condition.FidoCredentialDeletionPossibleConditionConfig
    id: FidoCredentialDeletionPossibleConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowDeletingLastCredential: false
      fidoSettings:
    

    FIDO Credential Selection Step

    Description
    Step to select a FIDO credential for further operations. E.g., this step can be followed by a FIDO Credential Display Name Change Step where the name can be edited.
    Class
    com.airlock.iam.selfservice.application.configuration.step.FidoCredentialSelectionStepConfig
    May be used by
    License-Tags
    FIDO
    Properties
    FIDO Settings (fidoSettings)
    Description
    Settings for FIDO.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.FidoCredentialSelectionStepConfig
    id: FidoCredentialSelectionStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      fidoSettings:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    FIDO Custom AAGUID Mapping

    Description
    Describes a FIDO authenticator by mapping its AAGUID to a make and model.
    Class
    com.airlock.iam.fido.application.configuration.authenticator.FidoCustomAaguidMappingConfig
    May be used by
    License-Tags
    FIDO
    Properties
    AAGUID (aaguid)
    Description
    The AAGUID (authenticator attestation globally unique identifier) is an opaque identifier chosen by the authenticator manufacturer, indicating the make and model of the authenticator. It may be reported by the FIDO authenticator during registration and is stored in the Airlock IAM database together with the FIDO credential.

    Note that not all authenticators have an AAGUID. In particular, no U2F authenticators do.

    Attributes
    String
    Mandatory
    Example
    ee882879-721c-4913-9775-3dfcce97072a
    Description (description)
    Description
    Describes the FIDO authenticator corresponding to this AAGUID. This typically encompasses the make and model of the FIDO authenticator.
    Attributes
    String
    Mandatory
    Length <= 200
    Example
    YubiKey 5 NFC Series
    Example
    Windows Hello Hardware Authenticator
    YAML Template (with default values)
    
    type: com.airlock.iam.fido.application.configuration.authenticator.FidoCustomAaguidMappingConfig
    id: FidoCustomAaguidMappingConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      aaguid:
      description:
    

    FIDO Database Repository

    Description
    Persists and loads data for FIDO.
    Class
    com.airlock.iam.fido.application.configuration.FidoRepositoryConfig
    May be used by
    License-Tags
    FIDO
    Properties
    SQL Data Source (sqlDataSource)
    Description
    Defines how connections to the database are obtained.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Log Queries (logQueries)
    Description
    Enable to log SQL queries (only effective if the log level is at least INFO). Attention: query values (including potentially sensitive data) will be logged as well.
    Attributes
    Boolean
    Optional
    Default value
    false
    Tenant ID (tenantId)
    Description
    The value which is added to database records to distinguish between different tenants. The value is also used when retrieving data from the persistence.
    If no value is configured, then 'no_tenant' is used as value on the database.
    Attributes
    String
    Optional
    Length <= 50
    Validation RegEx: (?!no_tenant$).*
    Example
    customerA
    Example
    customerB
    Persist Transports (persistTransports)
    Description

    When enabled, the transports which were used for registering a credential will be persisted with the credential. During authentication this can be used to already select the correct transports, which can strongly improve the user experience.

    When disabled, users have to select from all allowed transports, even if some of them are not supported by their credential.

    To use this feature, the DB migration for release 8.4 must have been carried out.

    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.fido.application.configuration.FidoRepositoryConfig
    id: FidoRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      logQueries: false
      persistTransports: true
      sqlDataSource:
      tenantId:
    

    FIDO Default AAGUID Mappings

    Description
    Provides a pre-defined list of known FIDO authenticators, where each AAGUID is mapped to a make and model. For example, the AAGUID "dd4ec289-e01d-41c9-bb89-70fa845d4bf2" is mapped to "iCloud Keychain (Managed)". The provided list does not aim to be complete nor current.
    Class
    com.airlock.iam.fido.application.configuration.authenticator.FidoDefaultAaguidMappingsConfig
    May be used by
    License-Tags
    FIDO
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.fido.application.configuration.authenticator.FidoDefaultAaguidMappingsConfig
    id: FidoDefaultAaguidMappingsConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    FIDO Passwordless Authentication Step

    Description

    Step to identify and authenticate a user with a FIDO authenticator. This step is passwordless meaning that the user is not required to input a username nor a password in a previous step.

    Passwordless authentication requires the use of resident key, where the key material is stored on the FIDO authenticator. This needs to be enforced at registration by ensuring that "Require Resident Key" in "FIDO Settings" is enabled. Please refer to the documentation for more details about the requirements of FIDO passwordless authentication. Furthermore, transports cannot be restricted in passwordless mode.

    Class
    com.airlock.iam.fido.login.application.configuration.FidoPasswordlessAuthenticationStepConfig
    May be used by
    License-Tags
    FIDO
    Properties
    FIDO Settings (fidoSettings)
    Description
    Settings for FIDO.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    This step can return the following error codes:

    • FIDO_AUTHENTICATION_FAILED: The FIDO authentication failed for unspecified reasons (either in the browser/client or during server-side verification).
    • FIDO_AUTHENTICATION_TIMEOUT: The response from the browser/client has timed out.
    • FIDO_AUTHENTICATION_ABORTED: The authentication has been aborted in the browser/client.
    • FIDO_AUTHENTICATION_NOT_ALLOWED: The browser/client did not allow authentication with the given credentials.
    • FIDO_WEB_AUTHN_NOT_AVAILABLE: The client/browser is not capable of performing WebAuthn/FIDO authentication.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.fido.login.application.configuration.FidoPasswordlessAuthenticationStepConfig
    id: FidoPasswordlessAuthenticationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      fidoSettings:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    FIDO Public Self-Service Approval Step

    Description

    Step to approve an operation with FIDO.

    Unlike identity verification steps, approval steps require an existing user and cannot prevent username enumeration (no stealth mode). Therefore, approval steps can only be used after an identity verification step.

    FIDO approval does not allow verification of the data via a separate channel. If this additional level of security is required, use Airlock 2FA, Cronto or mTAN approval.

    Class
    com.airlock.iam.publicselfservice.application.configuration.steps.PublicSelfServiceFidoApprovalStepConfig
    May be used by
    License-Tags
    FIDO
    Properties
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    This step can return the following error codes:

    • FIDO_APPROVAL_FAILED: The FIDO approval failed for unspecified reasons (either in the browser/client or during server-side verification).
    • FIDO_APPROVAL_TIMEOUT: The response from the browser/client has timed out.
    • FIDO_APPROVAL_ABORTED: The approval has been aborted in the browser/client.
    • FIDO_APPROVAL_NOT_ALLOWED: The browser/client did not allow approval with the given credentials.
    • FIDO_WEB_AUTHN_NOT_AVAILABLE: The browser/client is not capable of performing WebAuthn/FIDO approval.
    • NO_VALID_TOKEN: The user has no eligible FIDO credential registered.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    FIDO Settings (fidoSettings)
    Description
    Settings for FIDO.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.steps.PublicSelfServiceFidoApprovalStepConfig
    id: PublicSelfServiceFidoApprovalStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      fidoSettings:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    FIDO Registration Step

    Description

    Step to register a new credential on a FIDO authenticator.

    Class
    com.airlock.iam.fido.login.application.configuration.FidoRegistrationStepConfig
    May be used by
    License-Tags
    FIDO
    Properties
    FIDO Settings (fidoSettings)
    Description
    Settings for FIDO.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    This step can return the following error codes:

    • FIDO_REGISTRATION_FAILED: The FIDO registration failed for unspecified reasons (either in the browser/client or during server-side verification).
    • FIDO_REGISTRATION_TIMEOUT: The response from the browser/client has timed out.
    • FIDO_REGISTRATION_ABORTED: The registration has been aborted in the browser/client.
    • FIDO_REGISTRATION_NOT_ALLOWED: The browser/client did not allow registration with the given parameters.
    • FIDO_REGISTRATION_NOT_POSSIBLE: The selected credential could not be registered.
    • FIDO_WEB_AUTHN_NOT_AVAILABLE: The client/browser is not capable of performing WebAuthn/FIDO registration.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.fido.login.application.configuration.FidoRegistrationStepConfig
    id: FidoRegistrationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      fidoSettings:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    FIDO Self-Service Approval Step

    Description

    Step to approve an operation with FIDO.

    FIDO approval does not allow verification of the data via a separate channel. If this additional level of security is required, use Airlock 2FA, Cronto or mTAN approval.

    Class
    com.airlock.iam.selfservice.application.configuration.step.FidoSelfServiceApprovalStepConfig
    May be used by
    License-Tags
    FIDO
    Properties
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    This step can return the following error codes:

    • FIDO_APPROVAL_FAILED: The FIDO approval failed for unspecified reasons (either in the browser/client or during server-side verification).
    • FIDO_APPROVAL_TIMEOUT: The response from the browser/client has timed out.
    • FIDO_APPROVAL_ABORTED: The approval has been aborted in the browser/client.
    • FIDO_APPROVAL_NOT_ALLOWED: The browser/client did not allow approval with the given credentials.
    • FIDO_WEB_AUTHN_NOT_AVAILABLE: The browser/client is not capable of performing WebAuthn/FIDO approval.
    • NO_VALID_TOKEN: The user has no eligible FIDO credential registered.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    FIDO Settings (fidoSettings)
    Description
    Settings for FIDO.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.FidoSelfServiceApprovalStepConfig
    id: FidoSelfServiceApprovalStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      fidoSettings:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    FIDO Settings

    Description
    Global settings related to FIDO.

    Note that FIDO can behave differently on different operating systems or browsers. Some browsers offer only limited support for FIDO. This might lead to some FIDO features not working on all browsers.

    Class
    com.airlock.iam.fido.application.configuration.FidoSettingsConfig
    May be used by
    License-Tags
    FIDO
    Properties
    Repository (repository)
    Description
    Configures the repository to store FIDO data.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Relying Party ID (relyingPartyId)
    Description

    The relying party ID (RPID) defines the scope of registered FIDO credentials. It determines the set of origins on which registered FIDO credentials may be used.

    The RPID must either be the origin's domain or a registrable domain suffix of it. It is determined based on the fully qualified domain name of Airlock IAM (as seen by the browser or REST client).

    Example:

    • The browser communicates with IAM using the URLs of the form https://www.virtinc.com/auth/...
    • The RPID can then be either "virtinc.com" or "www.virtinc.com".
    • The RPID cannot be either of: "abc.virtinc.com", "com".

    Caution: FIDO credentials are registered for a specific RPID and can only be used for this very RPID. The web domain can therefore not be changed without having to re-register the FIDO credentials!

    If acceptable with your security requirements, we recommend using only the domain suffix (e.g. "virtinc.com") as RPID. This gives you the freedom to use registered FIDO credentials on any subdomain (e.g. "login.virtinc.com" or "auth.virtinc.com").

    Attributes
    String
    Mandatory
    Length <= 253
    Example
    www.virtinc.com
    Example
    mycompany.com
    Example
    secure.mycompany.com
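    The RPID rules above, as an added example that is not part of this reference or of Airlock IAM: the check accepts the origin's host or a registrable domain suffix of it at a label boundary and rejects public suffixes. PUBLIC_SUFFIXES is a constructed subset of the Public Suffix List, not the real list. The last two functions show why the caution about re-registration holds: the authenticator data of every assertion carries SHA-256 of the RPID, so a credential registered under "www.virtinc.com" no longer matches once the configured RPID becomes "virtinc.com".

```python
"""Relying Party ID validity and RPID hash checks (added example, not Airlock IAM code)."""
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List; a real check uses the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "ch", "co.uk"}


def effective_domain(origin: str) -> str:
    """Host part of an origin such as https://www.virtinc.com/auth/..., lower-cased."""
    host = urlsplit(origin).hostname
    if not host:
        raise ValueError(f"origin {origin!r} has no host")
    return host.lower().rstrip(".")


def is_valid_rp_id(origin: str, rp_id: str) -> bool:
    """True if rp_id equals the origin's host or is a registrable domain suffix of it.

    A public suffix ("com") is never acceptable; matching happens at a label
    boundary, so "virtinc.com" does not cover "evilvirtinc.com".
    """
    host = effective_domain(origin)
    rp_id = rp_id.lower().rstrip(".")
    if not rp_id or rp_id in PUBLIC_SUFFIXES:
        return False
    return rp_id == host or host.endswith("." + rp_id)


def allowed_rp_ids(origin: str) -> list:
    """Every RPID a deployment reached via `origin` may configure, most specific first."""
    labels = effective_domain(origin).split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels))]
    return [c for c in candidates if c not in PUBLIC_SUFFIXES]


def rp_id_hash(rp_id: str) -> bytes:
    """The rpIdHash an authenticator embeds in its authenticator data."""
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def credential_usable(stored_rp_id_hash: bytes, configured_rp_id: str) -> bool:
    """A credential only works when the hash it was created for equals SHA-256 of
    the RPID configured now; changing the RPID therefore forces re-registration."""
    return hmac.compare_digest(stored_rp_id_hash, rp_id_hash(configured_rp_id))


if __name__ == "__main__":
    origin = "https://www.virtinc.com/auth/login"
    print(allowed_rp_ids(origin))                     # ['www.virtinc.com', 'virtinc.com']
    print(is_valid_rp_id(origin, "abc.virtinc.com"))  # False
    print(credential_usable(rp_id_hash("www.virtinc.com"), "virtinc.com"))  # False
```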
    Relying Party Name (relyingPartyName)
    Description

    Name of the relying party. The name may be displayed by the web browser (or REST client).

    If not defined, the relying party ID is used.

    Attributes
    String
    Optional
    Length <= 255
    Example
    ACME Corporation
    Example
    Wonderful Widgets
    AAGUID Mappings (aaguidMappings)
    Description
    List of recognized FIDO authenticators. Maps a unique ID provided by a FIDO authenticator (AAGUID) to a descriptive string displayed in the self-service credential list.

    The order is important: if multiple entries are defined with the same AAGUID, only the last entry in the list is considered. This allows the default information provided by the 'FIDO Default AAGUID Mappings' plugin to be overridden when that plugin is configured earlier in the list.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    User Information Provider (userInformationProvider)
    Description

    Specifies what user attribute (e.g. username, email address, etc.) is sent to the web browser (or REST client) during FIDO credential registration.

    The user attribute is stored on the FIDO authenticator and may be displayed when using the registered FIDO credential. The stored user attribute cannot be changed on the FIDO authenticator, i.e. even if the attribute value changes in IAM (e.g. new email address), the value on the FIDO authenticator remains as it was during credential registration.

    We strongly encourage configuring a User Information Provider if resident keys are required. This allows a user to easily identify and manage the credentials stored on the FIDO authenticator.

    If no provider is configured or the configured provider provides no value, the string '-' is used.

    Privacy warning: The user attribute is stored on the FIDO authenticator. IAM cannot influence how securely the information is stored there.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Require Resident Key (requireResidentKey)
    Description

    Requires that key material is stored on the FIDO authenticator ("resident key").

    Important: Enabling or disabling this setting can have significant disadvantages depending on your use-case:

    • when enabled: not all FIDO authenticators support this requirement (in particular, no FIDO U2F authenticator does). Users with such authenticators will not be able to register FIDO credentials. However, enabling this setting is mandatory for passwordless authentication with FIDO. If possible, it is therefore recommended to require resident keys, even if you currently have no plans to use passwordless authentication.
    • when disabled: all FIDO authenticators can in principle be used (including older FIDO U2F authenticators). As mentioned above, FIDO credentials registered while this setting is disabled cannot be used for passwordless authentication. If you later decide to use FIDO passwordless authentication, users will have to register new FIDO credentials after this setting has been enabled.

    Attributes
    Boolean
    Optional
    Default value
    true
    Allowed Authenticator Type (allowedAuthenticatorType)
    Description

    Restricts the FIDO authenticator types that can be used during FIDO credential registration.

    Roaming authenticators are FIDO authenticators that can be used with different devices (e.g. USB sticks, devices using NFC or Bluetooth).

    Bound authenticators are "built-in" FIDO authenticators that cannot be used with different devices (e.g. the fingerprint reader built into a laptop or smartphone).

    Attributes
    Enum
    Optional
    Default value
    ALL
    User Verification Preference (registrationUserVerificationPreference)
    Description

    Tells the FIDO client (browser, REST client) whether user verification is required, preferred, or discouraged during FIDO credential registration.

    "User verification" denotes the process by which a FIDO authenticator "locally" checks whether the key material may be accessed. Examples: fingerprint, PIN code, touching the authenticator.

    • Required: User verification is required for a successful registration.
    • Preferred: User verification is preferred but is not required for a successful registration. Whether or not user verification is actually performed depends on the FIDO authenticator.
    • Discouraged: User verification should be avoided, but carrying it out will not fail registration. Whether or not user verification is actually performed depends on the FIDO authenticator.

    Note that user verification can be configured separately for authentication.

    Attributes
    Enum
    Optional
    Default value
    PREFERRED
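    The user verification preference is only a hint passed to the FIDO client; Airlock IAM, or any relying party, learns what the authenticator actually did from the flags byte of the authenticator data returned in the response. The following added example (not Airlock IAM code) shows that server-side check for registration, and the same rule applies to the authentication preference described further down: only "Required" can be enforced, and only by inspecting the UV flag. The authenticator data samples are constructed with a zeroed rpIdHash; the byte layout and flag bits are those of the WebAuthn specification.

```python
"""Server-side enforcement of a user-verification preference (added example, not Airlock IAM code)."""
from enum import Enum

# Bits of the WebAuthn authenticator data flags byte, found at offset 32
# (layout: rpIdHash[32] | flags[1] | signCount[4] | optional attested credential data ...).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN, biometric, ...)
FLAG_BE = 0x08  # backup eligible
FLAG_BS = 0x10  # backup state
FLAG_AT = 0x40  # attested credential data included (registration)
FLAG_ED = 0x80  # extension data included


class UvPreference(Enum):
    REQUIRED = "required"
    PREFERRED = "preferred"
    DISCOURAGED = "discouraged"


def parse_flags(auth_data: bytes) -> dict:
    """Decode the flags byte into named booleans."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than rpIdHash|flags|signCount")
    f = auth_data[32]
    bits = (("up", FLAG_UP), ("uv", FLAG_UV), ("be", FLAG_BE),
            ("bs", FLAG_BS), ("at", FLAG_AT), ("ed", FLAG_ED))
    return {name: bool(f & bit) for name, bit in bits}


def sign_count(auth_data: bytes) -> int:
    """Signature counter (big-endian), used by relying parties to spot cloned authenticators."""
    return int.from_bytes(auth_data[33:37], "big")


def user_verification_satisfied(auth_data: bytes, preference: UvPreference) -> bool:
    """Apply the configured preference to what the authenticator reported.

    User presence is always mandatory. Only REQUIRED demands the UV flag;
    PREFERRED and DISCOURAGED accept the response whether or not UV was done.
    """
    flags = parse_flags(auth_data)
    if not flags["up"]:
        return False
    if preference is UvPreference.REQUIRED:
        return flags["uv"]
    return True


def registration_flags_ok(auth_data: bytes, preference: UvPreference) -> bool:
    """For registration the AT flag must be set as well, otherwise there is no credential to store."""
    return parse_flags(auth_data)["at"] and user_verification_satisfied(auth_data, preference)


def constructed_auth_data(flags: int, count: int = 0) -> bytes:
    """Constructed sample: zeroed rpIdHash, given flags byte and counter; no credential data."""
    return bytes(32) + bytes([flags]) + count.to_bytes(4, "big")


if __name__ == "__main__":
    with_uv = constructed_auth_data(FLAG_UP | FLAG_UV | FLAG_AT)
    without_uv = constructed_auth_data(FLAG_UP | FLAG_AT)
    print(registration_flags_ok(with_uv, UvPreference.REQUIRED))     # True
    print(registration_flags_ok(without_uv, UvPreference.REQUIRED))  # False
    print(registration_flags_ok(without_uv, UvPreference.PREFERRED)) # True
```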
    Attestation Type (attestationType)
    Description

    Tells the FIDO client (browser, REST client) what kind of attestation is expected by Airlock IAM.

    • Direct: The FIDO client (browser, REST client) must pass the attestation unaltered from the authenticator to Airlock IAM.
    • Indirect: The FIDO client (browser, REST client) may replace the attestation from the FIDO authenticator (e.g. for privacy reasons).
    • None: Indicates that Airlock IAM is not interested in attestation data and the FIDO client (browser, REST client) may replace the attestation from the FIDO authenticator with a fixed string as defined in the Web Authentication specification.

    Security warning: to enforce the type of an attestation, an "Attestation Verifier" other than the "None (FIDO Attestation Verification)" plugin must be configured. Otherwise, there is no guarantee that the provided attestation is of the desired type.

    Attributes
    Enum
    Optional
    Default value
    DIRECT
    Attestation Verifier (attestationVerifier)
    Description

    Defines how attestations and attestation certificates in particular are used to verify whether a FIDO authenticator is acceptable for registration or not.

    This can be used, e.g. to restrict the set of allowed FIDO authenticators (i.e. only certain models and/or manufacturers).

    The verification may be disabled by choosing the "None (FIDO Attestation Verification)" plugin.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Registration Timeout [s] (registrationTimeout)
    Description

    Maximum time in seconds a registration process may last.

    The value is both passed to the FIDO client (web browser or REST client) as a hint and used for server-side verification.

    Responses to FIDO registration challenges after the defined timeout are rejected by Airlock IAM.

    Attributes
    Integer
    Optional
    Default value
    300
    Auto Generate Display Name (autoGenerateDisplayName)
    Description

    If enabled, the description of the AAGUID mapping is used as the display name during the registration flow. If no mapping matches, the display name is set to '-'.

    The auto generated display name can be edited after the Fido Registration Step through a subsequent Fido Credential Display Name Change Step.

    If disabled, the display name must be set explicitly during the registration flow.

    Attributes
    Boolean
    Optional
    Default value
    false
    User Verification Preference (authenticationUserVerificationPreference)
    Description

    Tells the FIDO client (browser, REST client) whether user verification is required, preferred, or discouraged during an authentication with a FIDO credential.

    "User verification" denotes the process by which a FIDO authenticator "locally" checks whether the key material may be accessed. Examples: fingerprint, PIN code, touching the authenticator.

    • Required: User verification is required for a successful authentication.
    • Preferred: User verification is preferred but is not required for a successful authentication. Whether or not user verification is actually performed depends on the FIDO authenticator.
    • Discouraged: User verification should be avoided, but carrying it out will not fail authentication. Whether or not user verification is actually performed depends on the FIDO authenticator.

    Note that user verification can be configured separately for registration.

    Attributes
    Enum
    Optional
    Default value
    PREFERRED
    Authentication / Approval Timeout [s] (authenticationTimeout)
    Description

    Maximum time in seconds an authentication or approval process may last.

    The value is both passed to the FIDO client (web browser or REST client) as a hint and used for server-side verification.

    Responses to FIDO verification challenges after the defined timeout are rejected by Airlock IAM.

    Attributes
    Integer
    Optional
    Default value
    60
    Authentication / Approval Transports (allowedAuthenticationTransports)
    Description

    Tells the FIDO client (browser, REST client) which transports should be displayed to the user to choose from. A successful FIDO authentication is also possible with an empty list of transports.

    This configuration is ignored in FIDO passwordless mode.

    Possible transports:

    • ble - External Bluetooth Low Energy (BLE) device
    • nfc - External NFC device
    • usb - External USB device
    • internal - e.g. fingerprint sensor
    • hybrid - combination of transports (e.g. scan QR code and use the fingerprint reader on your phone)
    • smart-card - ISO/IEC 7816 smart card
    Attributes
    String-List
    Optional
    Allowed Algorithms (allowedAlgorithms)
    Description

    Specifies the list of cryptographic algorithms to be used by FIDO authenticators to generate public and private key pairs during registration.

    The order of the algorithms in the list defines the preference (first algorithm is most preferred by Airlock IAM).

    Security warning: Usage of RS256 is not recommended for security reasons (see https://tools.ietf.org/html/rfc8812#section-2) and should only be configured for compatibility reasons if required. This is in particular the case if Windows Hello with bound authenticators needs to be supported.

    • ES256: ECDSA with SHA-256
    • EDDSA: Edwards-curve Digital Signature Algorithm (EdDSA)
    • RS256: RSASSA-PKCS1-v1_5 using SHA-256
    Attributes
    String-List
    Optional
    Default value
    [ES256, EDDSA]
    Maximum Attestation Object Size In Bytes (maximumAttestationObjectSizeInBytes)
    Description
    Maximum size of an attestation object in its binary representation in bytes that can be provided by a FIDO credential during registration. Larger attestation objects will fail registration. Changing this value will not impact already registered FIDO credentials.

    Security warning: It is recommended to keep this value as low as possible, especially if the attestation provided during registration is not verified (the plugin "None (FIDO Attestation Verification)" is configured), in order to prevent persisting unnecessary data, which could result in a denial of service.

    Attributes
    Integer
    Optional
    Default value
    6000
    YAML Template (with default values)
    
    type: com.airlock.iam.fido.application.configuration.FidoSettingsConfig
    id: FidoSettingsConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      aaguidMappings:
      allowedAlgorithms: [ES256, EDDSA]
      allowedAuthenticationTransports:
      allowedAuthenticatorType: ALL
      attestationType: DIRECT
      attestationVerifier:
      authenticationTimeout: 60
      authenticationUserVerificationPreference: PREFERRED
      autoGenerateDisplayName: false
      maximumAttestationObjectSizeInBytes: 6000
      registrationTimeout: 300
      registrationUserVerificationPreference: PREFERRED
      relyingPartyId:
      relyingPartyName:
      repository:
      requireResidentKey: true
      userInformationProvider:
    
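    As an added example (not Airlock IAM code), the following Python maps the FidoSettingsConfig values above to the WebAuthn creation options a FIDO client receives, applies the two server-side limits the reference describes (registration timeout and maximum attestation object size), and flags the two security warnings. The relying party values and the COSE identifiers for ES256, EdDSA and RS256 are assumptions; the config keys come from the YAML template.

```python
import base64
import os
import time

# COSE algorithm identifiers (IANA COSE Algorithms registry) for the three
# values the allowedAlgorithms property accepts.
COSE_ALG = {"ES256": -7, "EDDSA": -8, "RS256": -257}


def b64url(data: bytes) -> str:
    """WebAuthn JSON carries binary fields as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed settings: the template's default values plus assumed RP values.
# attestationVerifier is None here to illustrate the misconfiguration warning.
SETTINGS = {
    "relyingPartyId": "iam.example.test",        # assumed value
    "relyingPartyName": "Example IAM",           # assumed value
    "allowedAlgorithms": ["ES256", "EDDSA"],
    "attestationType": "DIRECT",
    "attestationVerifier": None,                 # "None (FIDO Attestation Verification)"
    "registrationUserVerificationPreference": "PREFERRED",
    "registrationTimeout": 300,                  # seconds
    "requireResidentKey": True,
    "maximumAttestationObjectSizeInBytes": 6000,
}


def config_warnings(settings: dict) -> list:
    """Flag the two security warnings the reference attaches to these properties."""
    warnings = []
    if settings["attestationType"] != "NONE" and settings["attestationVerifier"] is None:
        warnings.append("attestationType is not enforced without an attestation verifier")
    if "RS256" in settings["allowedAlgorithms"]:
        warnings.append("RS256 is configured; only keep it for compatibility")
    return warnings


def creation_options(settings: dict, user_id: bytes, username: str, challenge: bytes) -> dict:
    """Translate the config into WebAuthn PublicKeyCredentialCreationOptions."""
    return {
        "rp": {"id": settings["relyingPartyId"], "name": settings["relyingPartyName"]},
        "user": {"id": b64url(user_id), "name": username, "displayName": username},
        "challenge": b64url(challenge),
        # List order is preserved: the first entry is the most preferred algorithm.
        "pubKeyCredParams": [{"type": "public-key", "alg": COSE_ALG[a]}
                             for a in settings["allowedAlgorithms"]],
        "timeout": settings["registrationTimeout"] * 1000,   # WebAuthn uses milliseconds
        "attestation": settings["attestationType"].lower(),  # none | indirect | direct
        "authenticatorSelection": {
            "residentKey": "required" if settings["requireResidentKey"] else "discouraged",
            "requireResidentKey": settings["requireResidentKey"],
            "userVerification": settings["registrationUserVerificationPreference"].lower(),
        },
    }


def check_registration_response(settings: dict, issued_at: float, now: float,
                                attestation_object: bytes) -> tuple:
    """Server-side limits that hold even if the client ignores the hints above."""
    if now - issued_at > settings["registrationTimeout"]:
        return False, "challenge expired"
    if len(attestation_object) > settings["maximumAttestationObjectSizeInBytes"]:
        return False, "attestation object too large"
    return True, "ok"


if __name__ == "__main__":
    issued = time.time()
    opts = creation_options(SETTINGS, os.urandom(16), "alice", os.urandom(32))
    print(opts["pubKeyCredParams"], opts["timeout"], opts["attestation"])
    print(config_warnings(SETTINGS))
    print(check_registration_response(SETTINGS, issued, time.time(), b"\x00" * 100))
```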

    FIDO Token Controller

    Description
    Plugin to manage a user's FIDO credentials.
    Class
    com.airlock.iam.admin.application.configuration.fido.FidoTokenControllerConfig
    May be used by
    License-Tags
    FIDO
    Properties
    Repository (repository)
    Description
    Configures the repository to load / store FIDO data.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Selectable As Active Auth Method (selectableAsActiveAuthMethod)
    Description
    Disable to prevent FIDO from being selected as the active authentication method.
    Attributes
    Boolean
    Optional
    Default value
    true
    Selectable As Next Auth Method (selectableAsNextAuthMethod)
    Description
    Disable to prevent FIDO from being selected as the next authentication method for token migration.
    Attributes
    Boolean
    Optional
    Default value
    true
    FIDO AAGUID Mappings (aaguidMappings)
    Description
    List of recognized FIDO authenticators. Maps a unique ID provided by a FIDO authenticator (AAGUID) to a descriptive string displayed in the FIDO token controller (Adminapp, Adminapp REST API).

    The order is important: if several entries are defined for the same AAGUID, only the last entry in the list is considered. This allows overriding the default information provided by the plugin 'FIDO Default AAGUID Mappings' when it is configured in the list.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.fido.FidoTokenControllerConfig
    id: FidoTokenControllerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      aaguidMappings:
      repository:
      selectableAsActiveAuthMethod: true
      selectableAsNextAuthMethod: true
    

    Field Matching

    Description
    Validates that the values of two properties are identical.
    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.validation.MatchingFieldsValidationConfig
    May be used by
    Properties
    First Field (firstField)
    Description
    The name of the first property to match.
    Attributes
    String
    Mandatory
    Example
    email
    Example
    password
    Second Field (secondField)
    Description
    The name of the second property to match.
    Attributes
    String
    Mandatory
    Example
    email_confirmation
    Example
    password_confirmation
    Translation Key (translationKey)
    Description
    The translation key to use for the error message in case the validation fails. A default translation is used when no translation key is configured.
    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.validation.MatchingFieldsValidationConfig
    id: MatchingFieldsValidationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      firstField:
      secondField:
      translationKey:
    

    File CRL Fetcher

    Description
    CRL (certificate revocation list) fetcher that reads the latest CRL from an X509 file. If more than one X509 object is encoded in the file, only the first X509 CRL is read and returned.
    Class
    com.airlock.iam.core.misc.impl.cert.crl.FileCrlFetcher
    May be used by
    License-Tags
    ClientCertificate
    Properties
    Crl File (crlFile)
    Description
    The relative or absolute path to the CRL file.
    Attributes
    File/Path
    Mandatory
    License-Tags
    ClientCertificate
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.cert.crl.FileCrlFetcher
    id: FileCrlFetcher-xxxxxx
    displayName: 
    comment: 
    properties:
      crlFile:
    

    File Crl Persister

    Description
    Allows reading CRL files from a file cache.
    Class
    com.airlock.iam.core.misc.impl.cert.crl.FileCrlPersister
    May be used by
    License-Tags
    ClientCertificate
    Properties
    Cache Dir (cacheDir)
    Description
    The directory where the cache files are located. No manual changes must be performed within this directory. All changes are automatically performed by Airlock IAM.
    Attributes
    File/Path
    Mandatory
    License-Tags
    ClientCertificate
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.cert.crl.FileCrlPersister
    id: FileCrlPersister-xxxxxx
    displayName: 
    comment: 
    properties:
      cacheDir:
    

    Filter Pattern

    Description
    Defines a log file filter pattern.
    Class
    com.airlock.iam.admin.application.configuration.logviewer.FilterPattern
    May be used by
    Properties
    Name Translation Key (nameTranslationKey)
    Description
    Defines the translation key for the pattern name. The translations must be provided in the string_XX.properties.
    Attributes
    String
    Mandatory
    Example
    warnings-only
    Example
    audit-log
    Example
    exception-reasons
    Regexp Pattern String (regexpPatternString)
    Description
    The pattern string (a regular expression).
    Attributes
    RegEx
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.logviewer.FilterPattern
    id: FilterPattern-xxxxxx
    displayName: 
    comment: 
    properties:
      nameTranslationKey:
      regexpPatternString:
    

    Filtered Flow Event

    Description

    Filters flow events based on the below defined properties.

    If several of these properties are configured, all conditions must be met.

    Note that the filter properties are only applicable to events that are emitted inside a flow. A subscriber will not be notified of an event that was emitted by a session-less REST call (i.e. endpoints under /protected/my/ or the endpoint /protected/secret-questions).

    Use Case 1: You want to subscribe to all events (of the specified type) occurring in a protected self-service flow.
    Precondition: You have assigned each protected self-service flow a flow ID starting with "prot-self-service-". E.g.: prot-self-service-address-change
    Required Pattern for Flow ID: prot-self-service-.*

    Use Case 2: You want to subscribe to all events (of the specified type) NOT occurring in a self-registration flow.
    Precondition: You have assigned each self-registration flow a flow ID starting with "self-registration-". E.g.: self-registration-business-customers
    Required Pattern for Flow ID: ((?!self-registration-).)*

    Class
    com.airlock.iam.login.application.configuration.event.LoginappFilteredFlowEventConfig
    May be used by
    Properties
    Step ID Pattern (stepIdPattern)
    Description
    If configured, the subscriber is only notified of events that have a step ID and whose step ID matches the defined pattern. See plugin documentation for examples.
    Attributes
    RegEx
    Optional
    Flow ID / Application ID Pattern (flowIdPattern)
    Description
    If configured, the subscriber is only notified of events whose flow ID (or application ID in case of an authentication flow) matches the defined pattern. See plugin documentation for examples.
    Attributes
    RegEx
    Optional
    Required Flow Type (requiredFlowType)
    Description
    The subscriber is only notified of events from flows of the configured type. If no type is configured, by default events of any flow type are allowed.
    Attributes
    String
    Optional
    Allowed values
    Authentication and Authorization, Public Self-Service, Protected Self-Service, User Self-Registration
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.event.LoginappFilteredFlowEventConfig
    id: LoginappFilteredFlowEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      event:
      flowIdPattern:
      requiredFlowType:
      stepIdPattern:
    
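    As an added example (not Airlock IAM code), the following Python applies the three filter properties (stepIdPattern, flowIdPattern, requiredFlowType) to constructed events and reproduces Use Case 1 and Use Case 2 from the description. It assumes that a pattern must match the whole ID (Java Matcher.matches semantics), which is what makes the negative-lookahead pattern of Use Case 2 act as a "does not contain" filter; the event fields and sample IDs are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FlowEvent:
    flow_id: Optional[str]    # flow ID, or application ID for authentication flows
    step_id: Optional[str]    # None when the event carries no step ID
    flow_type: Optional[str]  # None for session-less REST calls (no flow)


@dataclass(frozen=True)
class FilteredFlowEventConfig:
    step_id_pattern: Optional[str] = None
    flow_id_pattern: Optional[str] = None
    required_flow_type: Optional[str] = None


def _full_match(pattern: Optional[str], value: Optional[str]) -> bool:
    """A configured pattern only passes if the value exists and matches entirely."""
    if pattern is None:
        return True
    return value is not None and re.fullmatch(pattern, value) is not None


def notify_subscriber(cfg: FilteredFlowEventConfig, event: FlowEvent) -> bool:
    """All configured conditions must hold; events outside a flow never pass."""
    if event.flow_type is None:
        return False
    if cfg.required_flow_type is not None and event.flow_type != cfg.required_flow_type:
        return False
    return (_full_match(cfg.flow_id_pattern, event.flow_id)
            and _full_match(cfg.step_id_pattern, event.step_id))


def notified_flow_ids(cfg: FilteredFlowEventConfig, events: List[FlowEvent]) -> List[Optional[str]]:
    """Flow IDs of the events a subscriber with this filter would receive."""
    return [e.flow_id for e in events if notify_subscriber(cfg, e)]


# Use Case 1 and Use Case 2 from the description.
USE_CASE_1 = FilteredFlowEventConfig(flow_id_pattern=r"prot-self-service-.*")
USE_CASE_2 = FilteredFlowEventConfig(flow_id_pattern=r"((?!self-registration-).)*")
# A combined filter: e-mail steps inside self-registration flows only (constructed).
EMAIL_STEP_ONLY = FilteredFlowEventConfig(
    step_id_pattern=r"email-.*", required_flow_type="User Self-Registration")

# Constructed sample events; flow IDs follow the naming scheme of the use cases.
SAMPLE_EVENTS = [
    FlowEvent("prot-self-service-address-change", "address-edit", "Protected Self-Service"),
    FlowEvent("self-registration-business-customers", "email-verification", "User Self-Registration"),
    FlowEvent("self-registration-business-customers", None, "User Self-Registration"),
    FlowEvent("login", "password", "Authentication and Authorization"),
    FlowEvent(None, None, None),  # session-less REST call, e.g. under /protected/my/
]

if __name__ == "__main__":
    for name, cfg in (("use case 1", USE_CASE_1), ("use case 2", USE_CASE_2),
                      ("email steps", EMAIL_STEP_ONLY)):
        print(name, notified_flow_ids(cfg, SAMPLE_EVENTS))
```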

    First Usage of Device

    Description
    Condition to determine whether the current user has used an authentication device for the first time. If multiple devices were used the latest device is considered for the evaluation. Requires that a "Device Usage Repository" in the application (Loginapp/Transaction Approval) is configured. Evaluates to false in the following cases:
    • No repository is configured
    • No device could be determined (was not used in current flow)
    • The device has been used before
    Class
    com.airlock.iam.flow.shared.application.configuration.device.usage.FirstDeviceUsageConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    Token Type (tokenType)
    Description
    If multiple devices of different types were used, this can be used to restrict the device that is considered for the evaluation. Currently, AIRLOCK_2FA is the only supported token type.
    Attributes
    String
    Optional
    Default value
    AIRLOCK_2FA
    Example
    AIRLOCK_2FA
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.device.usage.FirstDeviceUsageConditionConfig
    id: FirstDeviceUsageConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      tokenType: AIRLOCK_2FA
    

    Fixed TAN Generator Task

    Description
    This plugin implements a task that creates a TAN list with fixed, identical entries for a fixed user.

    The following characteristics describe the task in detail:

    • The current token list is replaced (not the next token list)
    • No checks on the current token list are made (e.g. how many free tokens still exist)
    • No checks on the user are made (e.g. if the user is valid, has matrix card as authentication method, etc.)
    • The 'order new tokenlist' flag is disregarded
    • Old token lists in the file system are deleted.
    • An existing new token list is deleted. This list would have been created via the admin GUI or the TAN batch task.
    • The token list is never rendered, but only inserted into the persistency layer.

    Many properties are equal to the ones in TanBatchTask.

    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.FixedTanGeneratorTask
    May be used by
    License-Tags
    Matrixcard
    Properties
    Token List Persister (tokenListPersister)
    Description
    The token list persister plugin used to read and store token list structures.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Tokens Per List (tokensPerList)
    Description
    This property is used when new token lists are generated. It defines the number of tokens in each generated list; choose the setting that corresponds to a standard matrix card (credit-card format).
    Attributes
    Integer
    Mandatory
    Hash Function Plugin (hashFunctionPlugin)
    Description
    This property is used when new token lists are generated.
    The hash function used to hash the generated tokens. It must be the same (or hash value compatible) as used when generating the token lists.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Target Username (targetUsername)
    Description
    Username of the user to generate the list for.
    Attributes
    String
    Mandatory
    Example
    id8904
    Example
    IB1234
    Target Token Value (targetTokenValue)
    Description
    Value of the token the list should be filled with. It can contain arbitrary characters such as upper- and lowercase letters, numbers, etc. Its length is also arbitrary, though it should typically be around 4 characters.
    Attributes
    String
    Mandatory
    Example
    4T6Z
    Example
    aic5
    Example
    OuF9d
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.FixedTanGeneratorTask
    id: FixedTanGeneratorTask-xxxxxx
    displayName: 
    comment: 
    properties:
      hashFunctionPlugin:
      targetTokenValue:
      targetUsername:
      tokenListPersister:
      tokensPerList:
    

    Flash Parameter

    Description
    In case of a flash message, a fixed parameter is added to the request. If no flash is requested, no parameter is added at all.
    Class
    com.airlock.iam.core.misc.impl.sms.FlashParameter
    May be used by
    Properties
    Parameter Name (parameterName)
    Description
    Name of the parameter to add when flash is used.
    Attributes
    String
    Mandatory
    Example
    MsgType
    Example
    flash
    Parameter Value (parameterValue)
    Description
    Value of the parameter to add when flash is used.
    Attributes
    String
    Mandatory
    Example
    Flash
    Example
    1
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sms.FlashParameter
    id: FlashParameter-xxxxxx
    displayName: 
    comment: 
    properties:
      parameterName:
      parameterValue:
    

    Flow Condition To Authentication Context Mapping

    Description
    Uses a specific Authentication Context if the Flow Condition can be satisfied.
    Class
    com.airlock.iam.saml2.application.configuration.Saml2FlowConditionToAuthnContextMapping
    May be used by
    License-Tags
    SamlIdp
    Properties
    Flow Condition (flowCondition)
    Description
    If this condition is fulfilled, the configured Authentication Context will be used in the Assertion (AuthnContextClassRef element).
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Authentication Context (authnContextUri)
    Description

    The Authentication Context URI to be used if the configured flow condition is satisfied.

    The available context classes are configured in the IDP extended metadata under the attribute "idpAuthncontextClassrefMapping". Only URIs in that list are valid to be set here.

    Attributes
    String
    Mandatory
    Suggested values
    urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword, urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered, urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered, urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract, urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract, urn:oasis:names:tc:SAML:2.0:ac:classes:Password, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession, urn:oasis:names:tc:SAML:2.0:ac:classes:X509, urn:oasis:names:tc:SAML:2.0:ac:classes:PGP, urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI, urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig, urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard, urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI, urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI, urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony, urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony, urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony, urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony, urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword, urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken, urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.Saml2FlowConditionToAuthnContextMapping
    id: Saml2FlowConditionToAuthnContextMapping-xxxxxx
    displayName: 
    comment: 
    properties:
      authnContextUri:
      flowCondition:
    

    Flow Condition-based OAuth 2.0 Scope Condition

    Description

    Configures an OAuth 2.0 scope condition.

    The scope is matched against the "Scope Matcher" pattern. A scope is allowed if it matches the regex and the condition is fulfilled.

    Class
    com.airlock.iam.oauth2.application.configuration.scope.FlowConditionBasedOAuth2ScopeConditionConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Scope Matcher (scopeMatcher)
    Description
    Matches the scope to check.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Condition (condition)
    Description
    The condition that must be fulfilled. If the condition is not fulfilled, the scope is restricted and thus cannot be granted.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.scope.FlowConditionBasedOAuth2ScopeConditionConfig
    id: FlowConditionBasedOAuth2ScopeConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      scopeMatcher:
    

    Flow Condition-based OIDC ID Token ACR Value

    Description
    Configures the contents of the "acr" (Authentication Context Class Reference) claim in the ID Token, if the flow authentication was used for the OpenID Connect handshake. Note that requesting ACR values is only supported using the "acr_values" claim, but not using the "claims" request parameter.
    Class
    com.airlock.iam.oauth2.application.configuration.OpenIdConnectAcrMappingClaimConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Mappings (mappings)
    Description
    Mappings from a flow condition to ACR values used to determine the OpenID Connect ID Token ACR value. The matching will be done in this order:
    1. If acr_values have been requested, they are matched in the requested order against these mappings. The first acr value for which a flow condition matches is used.
    2. If no acr_values have been requested or none could be satisfied, this list is processed in order and the first acr value for which a flow condition matches is used.
    3. If no acr value could be determined so far, the "Default ACR" value below is used (if any).
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Default ACR (defaultAcr)
    Description
    Default ACR to issue. This only applies if no mapping matched.
    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OpenIdConnectAcrMappingClaimConfig
    id: OpenIdConnectAcrMappingClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultAcr:
      mappings:
    
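The three-stage matching order described above, as an added example that is not part of the Airlock IAM product or its configuration model; the ACR URIs, the tag-based flow conditions and the flow state (a set of tags granted by earlier steps) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence, Set


@dataclass(frozen=True)
class AcrMapping:
    """One entry of the 'Mappings' list: an ACR value and the flow condition it requires."""
    acr: str
    condition: Callable[[Set[str]], bool]


def has_tag(tag: str) -> Callable[[Set[str]], bool]:
    # Stand-in for a flow condition that checks a tag granted via 'Tags On Success'.
    return lambda tags: tag in tags


# Constructed mappings; a real deployment would use its own ACR URIs.
MAPPINGS = [
    AcrMapping("urn:example:acr:mfa", has_tag("mfa")),
    AcrMapping("urn:example:acr:password", has_tag("password")),
]


def determine_acr(requested_acr_values: Optional[str],
                  mappings: Sequence[AcrMapping],
                  tags: Set[str],
                  default_acr: Optional[str] = None) -> Optional[str]:
    """Resolve the ID Token 'acr' value in the order documented for the plugin."""
    # 'acr_values' is a space-separated, ordered list in the OIDC request.
    requested = requested_acr_values.split() if requested_acr_values else []

    # 1. Requested values are tried in the order the client asked for them;
    #    a value is usable as soon as one mapping for it has a fulfilled condition.
    for acr in requested:
        if any(m.acr == acr and m.condition(tags) for m in mappings):
            return acr

    # 2. Nothing requested (or nothing satisfiable): first configured mapping
    #    whose condition holds wins, in configuration order.
    for m in mappings:
        if m.condition(tags):
            return m.acr

    # 3. Fall back to 'Default ACR' (may be unset).
    return default_acr


def acr_claim(requested_acr_values: Optional[str],
              mappings: Sequence[AcrMapping],
              tags: Set[str],
              default_acr: Optional[str] = None) -> Dict[str, str]:
    """Claims to merge into the ID Token: an 'acr' claim only when one was determined."""
    acr = determine_acr(requested_acr_values, mappings, tags, default_acr)
    return {"acr": acr} if acr is not None else {}


if __name__ == "__main__":
    # Client asked for mfa first, but only a password step ran: password is chosen.
    print(determine_acr("urn:example:acr:mfa urn:example:acr:password", MAPPINGS, {"password"}))
```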

    Flow Continuation Database Repository

    Description
    Persists and loads data during flow continuation.
    Class
    com.airlock.iam.common.application.configuration.continuation.FlowContinuationRepositoryConfig
    May be used by
    Properties
    SQL Data Source (sqlDataSource)
    Description
    Defines how connections to the database are obtained.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Log Queries (logQueries)
    Description
    Enable to log SQL queries (only effective if the log level is at least INFO). Attention: query values (including potentially sensitive data) will be logged as well.
    Attributes
    Boolean
    Optional
    Default value
    false
    Tenant ID (tenantId)
    Description
    The value which is added to database records to distinguish between different tenants. The value is also used when retrieving data from the persistence.
    If no value is configured, then 'no_tenant' is used as value on the database.
    Attributes
    String
    Optional
    Length <= 50
    Validation RegEx: (?!no_tenant$).*
    Example
    customerA
    Example
    customerB
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.continuation.FlowContinuationRepositoryConfig
    id: FlowContinuationRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      logQueries: false
      sqlDataSource:
      tenantId:
    

    Flow Continuation Step

    Description
    Non-interactive flow step that continues a flow based on a token that must be provided in a request header X-Flow-Continuation-Token. Based on the token, this step initializes the flow with the same data, e.g. user identity, as the flow that issued the token.

    Such a token is for example provided by a "Send Email Link Step".

    Class
    com.airlock.iam.publicselfservice.application.configuration.steps.FlowContinuationStepConfig
    May be used by
    Properties
    Repository (repository)
    Description
    Configures the repository to store flow continuation data. This is required if there is any flow containing a "Flow Continuation Step".
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Immediate Token Consumption (consumesToken)
    Description

    If enabled, the token will be immediately consumed when the flow step is executed.

    If disabled, the token will be preserved until additional steps have been completed. A red flag is raised to ensure that the token will be consumed at a later step in the flow before termination.

    In this case a "Flow Continuation Token Consumption Step" needs to be executed before the flow terminates.
    Attributes
    Boolean
    Optional
    Default value
    true
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.steps.FlowContinuationStepConfig
    id: FlowContinuationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      consumesToken: true
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      preCondition:
      repository:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Flow Continuation Token Clean-up Task

    Description
    Task to clean up expired flow continuation tokens.

    In order to minimize database locks, the task doesn't delete all expired tokens in one transaction but deletes the tokens in configurable batches.

    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.continuation.FlowContinuationTokenCleanupTaskConfig
    May be used by
    Properties
    Flow Continuation Repository (repository)
    Description
    Configures the repository for the flow continuation tokens.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Keep Expired Tokens Duration (keepExpiredTokens)
    Description
    Expired tokens will not be deleted immediately after their expiration instant but kept for the configured duration. This may be useful to inform users that their tokens have expired. Tokens will be deleted once this duration has passed since their expiration.
    Attributes
    String
    Optional
    Default value
    7d
    Example
    8h
    Example
    7d
    Example
    14d 12h
    Batch Size (batchSize)
    Description
    During clean-up, tokens are deleted in batches of this size. This makes sure that any row locks on the database are very short-lived, not affecting parallel token modifications. This value should not be set too high to prevent very long running transactions. Token clean-up will repeat deleting this number of tokens until all expired tokens have been cleaned up. Therefore, this task can take some time when a lot of expired tokens are present. This size should be chosen so that every batch does not take longer than 5 seconds. The average runtime of the batches can be found in the task's logs.
    Attributes
    Integer
    Optional
    Default value
    1000
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.continuation.FlowContinuationTokenCleanupTaskConfig
    id: FlowContinuationTokenCleanupTaskConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      batchSize: 1000
      keepExpiredTokens: 7d
      repository:
    
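Batched clean-up of expired tokens with a "keep expired" grace period, as an added example that is not Airlock IAM's own implementation; it parses the duration syntax used by these properties ("2d 4h 10m 5s", any part optional), runs one short transaction per batch, and uses a constructed in-memory SQLite table and column names as a stand-in for the real repository schema.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Duration syntax used by the reference: "2d 4h 10m 5s", any part may be omitted.
_DURATION_RE = re.compile(
    r"^\s*(?:(\d+)d)?\s*(?:(\d+)h)?\s*(?:(\d+)m)?\s*(?:(\d+)s)?\s*$")


def parse_duration(text: str) -> timedelta:
    """Parse an IAM-style duration such as '7d', '8h' or '14d 12h'."""
    match = _DURATION_RE.match(text)
    if match is None or not any(match.groups()):
        raise ValueError(f"invalid duration: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in match.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def _ts(moment: datetime) -> str:
    # Fixed-width UTC timestamps, so string comparison in SQL orders chronologically.
    return moment.strftime("%Y-%m-%dT%H:%M:%S")


def build_sample_db(now: datetime) -> sqlite3.Connection:
    """Constructed in-memory table standing in for the flow continuation repository."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE flow_continuation_token ("
        " token TEXT PRIMARY KEY, tenant_id TEXT NOT NULL, expires_at TEXT NOT NULL)")
    rows = []
    # 25 tokens that expired more than 8 days ago (older than a 7d keep duration).
    for i in range(25):
        rows.append((f"old-{i}", "no_tenant", _ts(now - timedelta(days=8, minutes=i))))
    # 3 tokens that expired 2 days ago (still inside the keep duration).
    for i in range(3):
        rows.append((f"recent-{i}", "no_tenant", _ts(now - timedelta(days=2, minutes=i))))
    # 2 tokens that are still valid.
    for i in range(2):
        rows.append((f"live-{i}", "no_tenant", _ts(now + timedelta(hours=1, minutes=i))))
    with conn:
        conn.executemany("INSERT INTO flow_continuation_token VALUES (?, ?, ?)", rows)
    return conn


def cleanup_expired_tokens(conn: sqlite3.Connection, now: datetime,
                           keep_expired: str = "7d", batch_size: int = 1000,
                           tenant_id: str = "no_tenant"):
    """Delete tokens that expired more than keep_expired ago, batch_size rows per
    transaction, until none are left. Returns (deleted_total, batch_count)."""
    cutoff = _ts(now - parse_duration(keep_expired))
    deleted_total = 0
    batches = 0
    while True:
        with conn:  # commit after every batch so row locks stay short-lived
            cursor = conn.execute(
                "DELETE FROM flow_continuation_token WHERE rowid IN ("
                "  SELECT rowid FROM flow_continuation_token"
                "  WHERE tenant_id = ? AND expires_at < ? LIMIT ?)",
                (tenant_id, cutoff, batch_size))
            deleted = cursor.rowcount
        if deleted <= 0:
            break
        deleted_total += deleted
        batches += 1
    return deleted_total, batches


def remaining_tokens(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM flow_continuation_token").fetchone()[0]


if __name__ == "__main__":
    now = datetime(2024, 6, 1, 12, 0, 0)  # constructed clock value
    conn = build_sample_db(now)
    print(cleanup_expired_tokens(conn, now, keep_expired="7d", batch_size=10))
```

With a batch size of 10 the constructed data set needs three transactions for the 25 tokens past the grace period; the 3 recently expired tokens and the 2 valid ones remain.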

    Flow Continuation Token Consumption Step

    Description

    Non-interactive flow step that consumes the flow continuation token that was preserved in a previous "Flow Continuation Step" by disabling the "Immediate Token Consumption". This step also removes the corresponding red flag.

    If no flow continuation token is available, this step will be skipped.

    Class
    com.airlock.iam.publicselfservice.application.configuration.steps.FlowContinuationTokenConsumptionStepConfig
    May be used by
    Properties
    Repository (repository)
    Description
    Configures the repository to retrieve the flow continuation token from.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.steps.FlowContinuationTokenConsumptionStepConfig
    id: FlowContinuationTokenConsumptionStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      preCondition:
      repository:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Flow ID

    Description
    Configuration of a Flow ID.
    Class
    com.airlock.iam.flow.application.configuration.flow.FlowIdConfig
    May be used by
    Default Enable Cronto Push Flow Default mTAN Deletion Flow Legacy mTAN Registration Flow User Self-Registration Flow Redirect Flow-based Password Reset Custom Protected Self-Service Flow Default Disable FIDO Credential Flow Send Email Link Step User Self-Registration Flow Link Public Self-Service Flow Redirect OAuth 2.0 Consent Management UI OAuth 2.0 Consent Management UI OAuth 2.0 Consent Management UI Default OAuth 2.0 Consents Delete Flow Default mTAN Token Registration Flow Default Account Link Removal Flow Default Account Link Linking Flow FIDO Credential Management UI FIDO Credential Management UI FIDO Credential Management UI FIDO Credential Management UI FIDO Credential Management UI Account Link Management UI Account Link Management UI Airlock 2FA Device Management UI Airlock 2FA Device Management UI Airlock 2FA Device Management UI Protected Self-Service UI mTAN Number Management UI mTAN Number Management UI mTAN Number Management UI User Self-Registration UI Public Self-Service UI Default OAuth 2.0 Session Deletion Flow Public Self-Service Flow Link Default Cronto Device Removal Flow Transaction Approval Flow User Representation UI User Representation UI Default mTAN Token Edit Flow Public Self-Service Flow Default FIDO Credential Display Name Change Flow Self-Service Flow Redirect Default Disable Cronto Push Flow Default OAuth 2.0 Consent Deny Flow Default Enable Cronto Device Flow User Self-Registration Flow Cronto Device Management UI Cronto Device Management UI Cronto Device Management UI Cronto Device Management UI Cronto Device Management UI Cronto Device Management UI Cronto Device Management UI Cronto Device Management UI Default Enable FIDO Credential Flow Default Cronto Device Renaming Flow Default Disable Cronto Device Flow Default Remember-Me Device Deletion Flow OAuth 2.0 Session Management UI Remember-Me Device Management UI Default OAuth 2.0 Consent Grant Flow Default FIDO Credential Removal Flow
    Properties
    ID (flowId)
    Description
    The ID of the flow.
    Attributes
    String
    Mandatory
    Length <= 30
    Validation RegEx: [a-z0-9_-]+
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.application.configuration.flow.FlowIdConfig
    id: FlowIdConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      flowId:
    

    Flow Selection-based OIDC ID Token ACR Value

    Description
    Configures the contents of the "acr" (Authentication Context Class Reference) claim in the ID Token. The flow selection is configured in the "ACR to Flow Application ID Mapping" plugin. If no flow could be determined from the requested ACRs, the ID Token will not have an ACR claim. Note that requesting ACR values is only supported using the "acr_values" claim, but not using the "claims" request parameter.
    Class
    com.airlock.iam.oauth2.application.configuration.OpenIdConnectDefaultAcrClaimConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OpenIdConnectDefaultAcrClaimConfig
    id: OpenIdConnectDefaultAcrClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Flow Step Sequence

    Description
    Configuration of a sequence of flow steps.
    Class
    com.airlock.iam.flow.api.application.configuration.sequence.FlowStepSequence
    Properties
    Steps (steps)
    Description
    Steps of the flow.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Abort Step Account Link Linking Initiation Step Account Link Removal Initiation Step Acknowledge Message Step Airlock 2FA Activation Letter Order Step Airlock 2FA Activation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Trusted Session Binding Step Airlock 2FA Authentication Step Airlock 2FA Delete Devices Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Edit Initiation Step Airlock 2FA Device Edit Step Airlock 2FA Mobile Only Authentication Step Airlock 2FA Public Self-Service Approval Step Airlock 2FA Recovery Trusted Session Binding Step Airlock 2FA Self-Service Approval Step Airlock 2FA Transaction Approval Step Airlock 2FA Usernameless Authentication Step Apply Changes Step Certificate Credential Extraction Step Config Complete Migration Step Cronto Activation Step Cronto Approval Stealth Step Cronto Authentication Step Cronto Device Reset Step Config Cronto Device Selection Step Cronto Letter Order Step Config Cronto Public Self-Service Approval Step Cronto Self-Service Approval Step Cronto Transaction Approval Step CrontoSign Swiss Push Activation Step Delete Cronto Device Initiation Step Delete FIDO Credential Initiation Step Delete OAuth 2.0 Session Initiation Step Delete Remember-Me Device Initiation Step Delete mTAN Number Initiation Step Device Token Authentication Step Device Token Identity Verification Step Config Device Token Registration Step Disable Cronto Device Initiation Step Disable Cronto Push Initiation Step Disable FIDO Credential Initiation Step Email Change Verification Step Email Identity Verification Step Email Notification Step Email OTP Authentication Step Email OTP Transaction Approval Step Email Verification Step Enable Cronto Device Initiation Step Enable Cronto Push Initiation Step Enable FIDO Credential Initiation Step FIDO Authentication Step FIDO Credential Display Name Change Step FIDO Credential Selection Step FIDO Passwordless Authentication Step FIDO Public Self-Service Approval Step FIDO Registration Step FIDO Self-Service Approval Step Failure Step Flow Continuation Step Flow Continuation Token Consumption Step HTTP Basic Authentication Step Kerberos Authentication Step Legacy Email OTP Authentication Step Lock Self-Service Step Login From New Device Step Mandatory Password Change Step Config Matrix Authentication Step Matrix Public Self-Service Approval Step Matrix Self-Service Approval Step Migration Selection Step Missing Account Link Step Never Migrate Step No Operation Step OATH OTP Activation Step OATH OTP Authentication Step OAuth 2.0 Client Persisting Step OAuth 2.0 Client Registration Step OAuth 2.0 Consent Deny Initiation Step OAuth 2.0 Consent Grant Initiation Step OAuth 2.0 Consent Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 SSO Step OAuth 2.0 Session Reset Step OTP Check via RADIUS Step Password Change Self-Service Step Password Letter Order Step (Public Self-Service) Password Reset Step Password-only Authentication Step Phone Number Verification Step Red Flag Raising Step Config Remember-Me Reset Step Remember-Me Token Generating Step Remember-Me User Identifying Step Rename Cronto Device Step Representation SSO Ticket Identifying Step Risk Assessment Step Role-based Tag Acquisition Step SAML 2.0 SP User Identifying Step SMS Identity Verification Step SSI Authentication Step SSI Issuance Step SSI Passwordless Authentication Step SSI Verification Step SSO Ticket Authentication Step Scriptable Step Secret Questions Identity Verification Step Secret Questions Provisioning Step Select mTAN Token Step Selection Step Selection Step for Public Self-Service Selection Step for Self-Service Selection Step for User Self-Registration Send Email Link Step Set Authentication Method Migration Step Set Authentication Method Step Set Context Data Step Set Password Step Config Start User Representation Step Stop User Representation Step Tag Removal Step Config Terms Of Services Step Transaction Approval Parameter Step Unlock User Step (Public Self-Service) User Data Edit Step User Data Registration Step Config User Identification By Data Step User Identification By Data Step (Public Self-Service) User Identification Step User Identification Step (Public Self-Service) User Persisting Step Config User Role Assignment Step Config User Unlock Step (Self-Registration) Username Generation Step Config Username Password Authentication Step Vasco OTP Authentication Step Vasco OTP Device Activation Vasco OTP Public Self-Service Approval Step Vasco OTP Self-Service Approval Step Voluntary Password Change Step mTAN Authentication Step mTAN Public Self-Service Approval Step mTAN Self-Service Approval Step mTAN Token Edit Step mTAN Token Registration Step mTAN Transaction Approval Step mTAN Verification Step
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.api.application.configuration.sequence.FlowStepSequence
    id: FlowStepSequence-xxxxxx
    displayName: 
    comment: 
    properties:
      steps:
    

    Flow-based Password Reset

    Description
    Plugin to send a link to the user to perform a password reset in a public self-service flow of the Loginapp. The email link contains a token which will be resolved by the Loginapp. This allows the correct password reset flow to be initialized without the user having to enter their username.
    Class
    com.airlock.iam.admin.application.configuration.password.AdminappFlowPasswordResetConfig
    May be used by
    Properties
    Target Flow ID (targetFlowId)
    Description
    Flow ID of the public self-service flow which will be used to continue the process.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Password Reset URL (passwordResetUrl)
    Description
    Absolute URL that handles password reset links. The URL should contain the following variables that will be replaced when the link is generated:
    • ${token} - the random continuation token
    • ${flowId} - the ID of the target flow to continue
    • ${language} - the correspondence language of the user (optional)
    When using the IAM Loginapp UI, this should be the page for selecting a public self-service flow: https://myhost.com/auth/ui/app/self-service/select/flow/${flowId}?lang=${language}&token=${token}
    Attributes
    String
    Mandatory
    Example
    https://myhost.com/auth/ui/app/self-service/select/flow/${flowId}?lang=${language}&token=${token}
    Example
    https://myhost.com/continue/flow/${flowId}?lang=${language}&token=${token}
    Recipient Address (recipientAddress)
    Description
    Context-data field that contains the email address of the user to which the password reset email is sent.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Email Service (emailService)
    Description
    Email service for sending emails.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Subject Resource Key (subjectResourceKey)
    Description
    Resource key to select the localized template to generate the subject line. The localized template can contain context-data values as variables (e.g. ${town}).
    Attributes
    String
    Optional
    Default value
    flow-password-reset.email.subject
    Example
    flow-password-reset.email.subject
    Body Resource Key (bodyResourceKey)
    Description
    Resource key to select the localized template to generate the email body. The localized template can use context-data values as variables (e.g. ${town}). The template must contain the variable "${LINK}" which will be replaced by the password reset URL.
    Attributes
    String
    Optional
    Default value
    flow-password-reset.email.body
    Example
    flow-password-reset.email.body
    Repository (repository)
    Description
    Configures the repository to store flow continuation data, which will be restored to complete the process in the Loginapp.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token Validity (tokenValidity)
    Description
    Determines how long the generated token (and thus the link) is valid.

    The duration must be specified in the format "2d 4h 10m 5s" (any part can be omitted).

    Attributes
    String
    Optional
    Default value
    24h
    Example
    10d
    Example
    8h
    Example
    2d 12h
    Send As HTML (sendAsHtml)
    Description

    If enabled, the password reset email will be sent as an HTML mail. Otherwise it will be sent as plain text.

    Security Warning: If e-mails are sent as HTML, make sure to properly escape values originating from untrusted sources (such as user input during self-registration). This can be achieved by enabling the property 'Escape Values in HTML'.

    Attributes
    Boolean
    Optional
    Default value
    false
    Escape Values in HTML (escapeHtmlValues)
    Description

    HTML-escape all provided values if property Send As HTML is enabled.

    Security Warning: If e-mails are sent as HTML, make sure to properly escape values originating from untrusted sources (such as user input during self-registration). This can be achieved by enabling the property 'Escape Values in HTML'.

    Attributes
    Boolean
    Optional
    Default value
    true
    String Resources File (stringResourcesFile)
    Description
    Specifies the prefix of the file(s) containing the language dependent string resources. Example: If the value of this property is strings, the language dependent files must be strings_de.properties, strings_en.properties, etc.
    Attributes
    String
    Optional
    Default value
    strings
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.password.AdminappFlowPasswordResetConfig
    id: AdminappFlowPasswordResetConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      bodyResourceKey: flow-password-reset.email.body
      emailService:
      escapeHtmlValues: true
      passwordResetUrl:
      recipientAddress:
      repository:
      sendAsHtml: false
      stringResourcesFile: strings
      subjectResourceKey: flow-password-reset.email.subject
      targetFlowId:
      tokenValidity: 24h
    
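Link generation and body rendering for this plugin, as an added example that is not Airlock IAM's own code: it fills the ${token}/${flowId}/${language} variables into the configured Password Reset URL (validating the flow ID against the Flow ID rules above), then renders a body template with and without the 'Escape Values in HTML' behaviour so the effect of the security warning is visible. The URL, template, token and context-data values are constructed.

```python
import html
import re
from string import Template

# Constructed configuration values mirroring the property examples above.
PASSWORD_RESET_URL = ("https://myhost.com/auth/ui/app/self-service/select/flow/"
                      "${flowId}?lang=${language}&token=${token}")
BODY_TEMPLATE_HTML = ("<p>Hello ${firstname} from ${town},</p>"
                      '<p><a href="${LINK}">Reset your password</a></p>')

# Flow ID rules from the 'Flow ID' plugin: [a-z0-9_-]+, at most 30 characters.
_FLOW_ID_RE = re.compile(r"[a-z0-9_-]+")


def is_valid_flow_id(flow_id: str) -> bool:
    return len(flow_id) <= 30 and _FLOW_ID_RE.fullmatch(flow_id) is not None


def build_reset_link(url_template: str, token: str, flow_id: str, language: str = "") -> str:
    """Fill ${token}, ${flowId} and ${language} into the configured Password Reset URL."""
    if not is_valid_flow_id(flow_id):
        raise ValueError(f"invalid flow ID: {flow_id!r}")
    return Template(url_template).substitute(token=token, flowId=flow_id, language=language)


def render_body(body_template: str, link: str, context_data: dict,
                send_as_html: bool, escape_html_values: bool) -> str:
    """Render the mail body: ${LINK} plus context-data variables such as ${town}.

    With send_as_html and escape_html_values both enabled, every provided value is
    HTML-escaped before substitution, so markup in untrusted context data (e.g. a
    self-registered 'town') cannot change the mail's structure. The link is escaped
    too, which turns '&' into '&amp;', the correct form inside an href attribute.
    """
    if "${LINK}" not in body_template:
        raise ValueError("body template must contain ${LINK}")
    values = {"LINK": link, **context_data}
    if send_as_html and escape_html_values:
        values = {k: html.escape(str(v), quote=True) for k, v in values.items()}
    return Template(body_template).safe_substitute(values)


if __name__ == "__main__":
    link = build_reset_link(PASSWORD_RESET_URL, "abc123", "pw-reset", "en")
    ctx = {"firstname": "Alice", "town": "Bad <b>Town</b>"}  # constructed user data
    print(render_body(BODY_TEMPLATE_HTML, link, ctx, send_as_html=True, escape_html_values=True))
```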

    Forbidden Characters Password Policy

    Description
    A password policy check that checks for forbidden characters in the new password.
    Class
    com.airlock.iam.core.misc.impl.authen.PwdPolicyForbiddenCharsCheck
    May be used by
    Properties
    Forbidden Chars Pattern (forbiddenCharsPattern)
    Description
    The regular expression pattern defining the set of forbidden characters.

    The defined pattern is used to match any occurrences in the password.

    Attributes
    RegEx
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.PwdPolicyForbiddenCharsCheck
    id: PwdPolicyForbiddenCharsCheck-xxxxxx
    displayName: 
    comment: 
    properties:
      forbiddenCharsPattern:
    

    Form UI Element

    Description
    Renders a form.
    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiFormConfig
    May be used by
    Properties
    Autocomplete (autocomplete)
    Description
    If set to 'true', the browser will automatically complete values based on values that the user has entered before.
    Attributes
    Boolean
    Optional
    Default value
    false
    User Interface Elements (uiElements)
    Description
    Defines the user interface elements of the form.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    On Submit (onSubmit)
    Description
    The REST API calls to execute in sequence when submitting the form on pressing 'enter'.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiFormConfig
    id: ConfigurableUiFormConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      autocomplete: false
      onSubmit:
      uiElements:
    

    Formatted Date And Time Context Data Custom Claim

    Description
    A custom claim containing a Date and Time value (from the context data of the user) formatted as a string.

    Class
    com.airlock.iam.oauth2.application.configuration.claims.CustomContextDataDateAsStringClaimConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Context Data (contextDataName)
    Description
    The name of the date and time context data element to be returned in this claim.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Pattern (pattern)
    Description
    The pattern to format the date value with.
    Attributes
    String
    Optional
    Default value
    yyyy-MM-dd
    Suggested values
    yyyy-MM-dd, dd.MM.yyyy, MM/dd/yyyy, dd-MMM-yyyy HH:mm:ss, yyyy-MM-dd HH:mm:ss
    Timezone (timezone)
    Description

    The timezone that should be used when formatting the date value. If nothing is configured the timezone of the server is taken.

    See for more examples.

    Attributes
    String
    Optional
    Suggested values
    Europe/Zurich, US/Pacific, CET, GMT, UTC
    Claim Name (claimName)
    Description
    The name (JSON key) of the claim.

    Attention: If a custom claim with this same claim name already exists, it will result in a runtime error.

    Using a registered claim name (see RFC 7519) might cause the claim to be ignored or an exception to be thrown.
    Attributes
    String
    Mandatory
    Example
    firstname
    Example
    street
    Example
    zip
    Example
    country
    Example
    roles
    Claim Condition (claimCondition)
    Description

    This custom claim will only be added to the issued token if the configured condition is satisfied.

    If no condition is configured, the custom claim will always be added.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.claims.CustomContextDataDateAsStringClaimConfig
    id: CustomContextDataDateAsStringClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claimCondition:
      claimName:
      contextDataName:
      pattern: yyyy-MM-dd
      timezone:
    

    Formatted LocalDate Context Data Custom Claim

    Description
    A custom claim containing a LocalDate value (a date without any time information, taken from the context data of the user) formatted as a string.
    Class
    com.airlock.iam.oauth2.application.configuration.claims.CustomContextDataLocalDateAsStringClaimConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Context Data (contextDataName)
    Description
    The name of the date (without time) context data element to be returned in this claim.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Pattern (pattern)
    Description
    The pattern to format the date value.
    Attributes
    String
    Optional
    Default value
    yyyy-MM-dd
    Suggested values
    yyyy-MM-dd, dd.MM.yyyy, MM/dd/yyyy, dd-MMM-yyyy HH:mm:ss, yyyy-MM-dd HH:mm:ss
    Claim Name (claimName)
    Description
    The name (JSON key) of the claim.

    Attention: If a custom claim with this same claim name already exists, it will result in a runtime error.

    Using a registered claim name (see RFC 7519) might cause the claim to be ignored or an exception to be thrown.
    Attributes
    String
    Mandatory
    Example
    firstname
    Example
    street
    Example
    zip
    Example
    country
    Example
    roles
    Claim Condition (claimCondition)
    Description

    This custom claim will only be added to the issued token if the configured condition is satisfied.

    If no condition is configured, the custom claim will always be added.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.claims.CustomContextDataLocalDateAsStringClaimConfig
    id: CustomContextDataLocalDateAsStringClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claimCondition:
      claimName:
      contextDataName:
      pattern: yyyy-MM-dd
    

    Fortinet Roles Configuration

    Description
    Configures the RADIUS service for returning roles in ACCEPT messages. The roles are returned in the vendor-specific attribute "Fortinet-Group-Name". Each role is returned in a separate attribute.
    Class
    com.airlock.iam.servicecontainer.app.application.configuration.radius.FortinetRolesConfiguration
    May be used by
    License-Tags
    RadiusServer
    Properties
    Return Granted User Roles (returnGrantedUserRoles)
    Description
    Add the user's granted roles to the list of returned roles. If disabled, only static roles are returned.
    Attributes
    Boolean
    Optional
    Default value
    true
    Static Roles (staticRoles)
    Description
    Additional static roles that are added to the list of returned roles.
    Attributes
    String-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.radius.FortinetRolesConfiguration
    id: FortinetRolesConfiguration-xxxxxx
    displayName: 
    comment: 
    properties:
      returnGrantedUserRoles: true
      staticRoles:
    

    Forward Location Parameter Adder

    Description

    Appends the ticket string as a query parameter to the URL to which the Loginapp UI redirects the user upon successful completion of an authentication flow.

    Multiple 'Forward Location Parameter Adder' plugins can be configured; all of them are evaluated by the Loginapp UI.

    This plugin only works in combination with the IAM Loginapp UI.

    Class
    com.airlock.iam.login.application.configuration.idpropagation.ForwardLocationParameterAdderConfig
    May be used by
    Properties
    Ticket Parameter Name (ticketParameterName)
    Description
    Name of the query parameter that is added to the URL to which the IAM Loginapp UI forwards the user upon successful completion of an authentication flow. The value of the query parameter is the ticket string.
    Attributes
    String
    Optional
    Default value
    sso
    Example
    sso
    Example
    ticket
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.idpropagation.ForwardLocationParameterAdderConfig
    id: ForwardLocationParameterAdderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      ticketParameterName: sso
    

    Futurae Server

    Description
    Settings to configure access to Futurae servers.
    Class
    com.airlock.iam.airlock2fa.application.configuration.FuturaeServerConfig
    May be used by
    License-Tags
    Airlock2FA
    Properties
    Service ID (serviceId)
    Description
    The service ID of the client.

    The value is of the form 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.

    Attributes
    String
    Mandatory
    Auth API Key (authApiKey)
    Description
    The API key for the Futurae Auth API.
    Attributes
    String
    Mandatory
    Sensitive
    Admin API Key (adminApiKey)
    Description
    The API key for the Futurae Admin API.

    The Admin API key is different from the Auth API key, which is used to access the Auth API.

    Attributes
    String
    Mandatory
    Sensitive
    Back-End Server URL (backEndUrl)
    Description
    The back-end URL of the Futurae server (without path or trailing slash).

    This URL is used by the back-end of IAM to connect to the Futurae API.

    Note: When using a custom URL and a CSP, add exceptions for img-src and connect-src directives with the configured URL to it.

    Attributes
    String
    Optional
    Validation RegEx: https?:\/\/[^\/]+
    Default value
    https://api.futurae.com
    Front-End Server URL (frontEndUrl)
    Description
    The front-end URL of the Futurae server (without path or trailing slash).

    This URL is used by the browser of the end user to access the Futurae API via the internet.

    Note: When using a custom URL and a CSP, add exceptions for img-src and connect-src directives with the configured URL to it.

    Attributes
    String
    Optional
    Validation RegEx: https?:\/\/[^\/]+
    Default value
    https://api.futurae.com
    Call Timeout [ms] (callTimeoutMs)
    Description
    The timeout (in milliseconds) that is used for requests to the Futurae server. The setting affects both the connection establishment and response reception. Setting this value to 0 disables the timeout.
    Attributes
    Integer
    Optional
    Default value
    10000
    Connection Pool Max Size (connectionPoolMaxSize)
    Description
    The maximum size of the connection pool that is used for requests to the Futurae server.
    Attributes
    Integer
    Optional
    Default value
    50
    Trust Store Path (trustStorePath)
    Description

    Keystore file name containing trusted certificate issuers (and trusted certificates).

    If this property is not defined the following certificate issuers are trusted:

    • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
    • The list of issuers in a keystore referenced by the system property "javax.net.ssl.trustStore" if it is defined in instance.properties using iam.java.opts.

    If this property is defined then the following certificate issuers are trusted:

    • The list of issuers in the referenced truststore file and no others.

    In any case, IAM will only establish an HTTPS connection to the Futurae server or its proxy if the server certificate issuer is trusted or the certificate itself is trusted according to the aforementioned definition of trust.

    Attributes
    File/Path
    Optional
    Trust Store Password (trustStorePassword)
    Description
    The password used to check the integrity of the truststore, or to unlock the truststore.
    Attributes
    String
    Optional
    Sensitive
    Key Store Path (keyStorePath)
    Description
    The keystore containing a client certificate (including a private key) for Airlock IAM. The client certificate is used to establish mutual SSL connections for HTTPS REST calls.
    Attributes
    File/Path
    Optional
    Key Store Password (keyStorePassword)
    Description
    The password used to check the integrity of the keystore, or to unlock the keystore. Must be provided in case the keystore is configured.
    Attributes
    String
    Optional
    Sensitive
    Proxy URI (proxyUri)
    Description
    URI of an HTTP proxy the connector should use. If the port component of the URI is absent, a default port of 8080 is assumed. If this property is left empty, no proxy is used.
    Attributes
    String
    Optional
    Example
    https://proxy.company.com
    Proxy Login User (proxyLoginUser)
    Description
    Username for the proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Proxy Login Password (proxyLoginPassword)
    Description
    Password for the proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Sensitive
    YAML Template (with default values)
    
    type: com.airlock.iam.airlock2fa.application.configuration.FuturaeServerConfig
    id: FuturaeServerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      adminApiKey:
      authApiKey:
      backEndUrl: https://api.futurae.com
      callTimeoutMs: 10000
      connectionPoolMaxSize: 50
      frontEndUrl: https://api.futurae.com
      keyStorePassword:
      keyStorePath:
      proxyLoginPassword:
      proxyLoginUser:
      proxyUri:
      serviceId:
      trustStorePassword:
      trustStorePath:
    

    Generated Username

    Description
    Generates a username based on the configured identity generator.
    Class
    com.airlock.iam.oauth2.application.configuration.accountregistration.GeneratedUsernameConfig
    May be used by
    License-Tags
    OAuthSocialRegistration
    Properties
    Username Generator (usernameGenerator)
    Description
    Rule to generate user names.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.accountregistration.GeneratedUsernameConfig
    id: GeneratedUsernameConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      usernameGenerator:
    

    Generic ID Propagator

    Description

    Generic Identity Propagator that allows creating a ticket string and adding it to the response.

    Class
    com.airlock.iam.login.application.configuration.idpropagation.GenericIdentityPropagationConfig
    May be used by
    Properties
    Ticket String Provider (ticketStringProvider)
    Description

    Provides the string containing the information to be propagated.

    Ensure that this provider never returns null. The "Condition" property can be used to skip this identity propagation if there is nothing to propagate.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Encoders (encoders)
    Description
    Encode the string before it is added to the response. The encoders are applied in the configured order.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Ticket Adder (ticketAdder)
    Description
    Adds the encoded string to the response.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Condition (condition)
    Description
    Defines the condition under which this identity propagation is executed.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.idpropagation.GenericIdentityPropagationConfig
    id: GenericIdentityPropagationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      encoders:
      ticketAdder:
      ticketStringProvider:
    

    Generic LDAP Authentication Failure Mapper

    Description
    Maps messages returned in LDAP exceptions (in the case of bind failures) to authentication result types. Known Active Directory error message snippets are:
    • data 525 - user not found
    • data 52e - invalid credentials
    • data 530 - not permitted to logon at this time
    • data 531 - not permitted to logon at this workstation
    • data 532 - password expired
    • data 533 - account disabled
    • data 701 - account expired
    • data 773 - user must reset password
    • data 775 - user account locked
    Class
    com.airlock.iam.core.misc.impl.authen.ldap.GenericLdapAuthenticationFailureMapper
    May be used by
    Properties
    Password Change Enforced (passwordChangeEnforced)
    Description
    If defined, the string specified in this property is compared against the exception message returned when authentication fails. If the exception message contains the string specified here, the authentication result is PASSWORD_CHANGE_ENFORCED (rather than PASSWORD_WRONG).

    For the Microsoft Active Directory, the value "data 773" has proven to be a good value.

    Attributes
    String
    Optional
    Example
    data 773
    User Locked (userLocked)
    Description
    If defined, the string specified in this property is compared against the exception message returned when authentication fails. If the exception message contains the string specified here, the authentication result is USER_LOCKED (rather than PASSWORD_WRONG).
    Attributes
    String
    Optional
    Example
    data 775
    User Invalid (userInvalid)
    Description
    If defined, the string specified in this property is compared against the exception message returned when authentication fails. If the exception message contains the string specified here, the authentication result is USER_INVALID (rather than PASSWORD_WRONG).

    For the Microsoft Active Directory, the value "data 701" has proven to be a good value.

    Attributes
    String
    Optional
    Example
    data 701
    Credential Inactive (credentialInactive)
    Description
    If defined, the string specified in this property is compared against the exception message returned when authentication fails. If the exception message contains the string specified here, the authentication result is CREDENTIAL_INACTIVE (rather than PASSWORD_WRONG).

    For the Microsoft Active Directory, the value "data 530" has proven to be a good value.

    Attributes
    String
    Optional
    Example
    data 730
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.ldap.GenericLdapAuthenticationFailureMapper
    id: GenericLdapAuthenticationFailureMapper-xxxxxx
    displayName: 
    comment: 
    properties:
      credentialInactive:
      passwordChangeEnforced:
      userInvalid:
      userLocked:
    
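The mapping that this plugin's four properties describe, written out as an added Python example (not Airlock IAM code). It assumes Active Directory bind errors carry the usual "AcceptSecurityContext error, data NNN" text, uses the snippet values recommended in the descriptions above, and constructs its own sample messages; the order in which the four substrings are tested is an assumption of the example.

```python
"""Added example (not Airlock IAM code): models how the Generic LDAP
Authentication Failure Mapper turns an LDAP bind failure message into an
authentication result type using configured "data NNN" snippets."""
import re
from dataclasses import dataclass
from typing import Optional

# Known Active Directory bind-failure snippets from the plugin description.
# Used here only for diagnostics; the mapper itself matches configured substrings.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked",
}

_DATA_CODE_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


@dataclass(frozen=True)
class FailureMapperConfig:
    """Mirrors the four optional properties of the plugin; None means 'not defined'."""
    password_change_enforced: Optional[str] = None
    user_locked: Optional[str] = None
    user_invalid: Optional[str] = None
    credential_inactive: Optional[str] = None


def map_bind_failure(message: Optional[str], cfg: FailureMapperConfig) -> str:
    """Return the authentication result type for an LDAP bind failure message.

    Each configured string is a plain substring test against the exception
    message, as the property descriptions state. The evaluation order below is
    an assumption of this example; the reference does not define one.
    """
    message = message or ""
    checks = (
        (cfg.password_change_enforced, "PASSWORD_CHANGE_ENFORCED"),
        (cfg.user_locked, "USER_LOCKED"),
        (cfg.user_invalid, "USER_INVALID"),
        (cfg.credential_inactive, "CREDENTIAL_INACTIVE"),
    )
    for needle, result in checks:
        if needle and needle in message:
            return result
    # Anything not matched by a configured snippet stays a plain wrong-password result,
    # including e.g. "data 533" (account disabled) when no property targets it.
    return "PASSWORD_WRONG"


def describe_ad_failure(message: str) -> Optional[str]:
    """Extract the AD 'data' code from a bind error and return its meaning, if known."""
    m = _DATA_CODE_RE.search(message)
    if not m:
        return None
    return AD_DATA_CODES.get(m.group(1).lower())


# Configuration using the values recommended in the property descriptions.
AD_CONFIG = FailureMapperConfig(
    password_change_enforced="data 773",
    user_locked="data 775",
    user_invalid="data 701",
    credential_inactive="data 530",
)

# Constructed sample bind-failure messages in the usual AD format (not real log data).
SAMPLE_MESSAGES = [
    "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580",
    "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580",
    "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580",
    "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 701, v2580",
    "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 530, v2580",
    "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 533, v2580",
]


def classify_samples(cfg: FailureMapperConfig = AD_CONFIG) -> list:
    """Map every sample message; pair each result with the AD meaning (or 'unknown')."""
    return [(map_bind_failure(msg, cfg), describe_ad_failure(msg) or "unknown")
            for msg in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for result, meaning in classify_samples():
        print(f"{result:25} <- {meaning}")
```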

    Generic Session Attribute String Provider Config

    Description
    A value provider that loads the String value associated with the configured key from the 'Generic Strings Session Attribute'.
    Those attributes are a generic way to store custom string values in the session. They are empty unless populated by custom code or by configuring a "SAML 2.0 Assertion String Attribute Importer" on the SAML 2.0 service provider.
    Class
    com.airlock.iam.flow.shared.application.configuration.valueprovider.GenericSessionAttributeStringProviderConfig
    May be used by
    Properties
    Key (key)
    Description
    The key in the 'Generic Strings Session Attribute' for which the value should be provided.
    Attributes
    String
    Mandatory
    Default Value (defaultValue)
    Description
    An optional default value to be provided if the attribute container contains no value for the configured key.
    Attributes
    String
    Optional
    Fail If Null (failIfNull)
    Description
    If this flag is set and the final value (also considering the optional default value) evaluates to null, an exception is thrown. Otherwise, null is returned.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.valueprovider.GenericSessionAttributeStringProviderConfig
    id: GenericSessionAttributeStringProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultValue:
      failIfNull: false
      key:
    

    Generic Session Attribute Value Map Provider Config

    Description
    A value map provider that provides the entire set of 'Generic Strings Session Attribute' entries.
    Those attributes are a generic way to store custom string values in the session. They are empty unless populated by custom code or by configuring a "SAML 2.0 Assertion String Attribute Importer" on the SAML 2.0 service provider.
    Class
    com.airlock.iam.flow.shared.application.configuration.valueprovider.GenericSessionAttributeValueMapProviderConfig
    May be used by
    mTAN Transaction Approval Step, Secret Questions Identity Verification Step, Set Authentication Method Migration Step, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Airlock 2FA Self-Service Approval Step, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Account Link Linking Initiation Step, Remote Event Subscriber (Loginapp), Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Airlock 2FA Message Provider, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, Selection Step for Public Self-Service, OATH OTP Activation Step, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Delete FIDO Credential Initiation Step, Login From New Device Step, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, Cronto Message Provider, User Identification By Data Step (Public Self-Service), Translated String Provider, Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Template-based String Provider, Apply Changes Step, User Persisting Step Config, Start User Representation Step, mTAN Message Provider, String From Map Value Provider, Mandatory Password Change Step Config, SMS Event Subscriber (Loginapp), Disable Cronto Device Initiation Step, Email Message Provider, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Username Password Authentication Step, Certificate Credential Extraction Step Config, Set Password Step Config, Password Change Self-Service Step, SSI Verification Step, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, mTAN Self-Service Approval Step, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Delete mTAN Number Initiation Step, SSI Authentication Step, Template-based Username Transformer, Transforming Value Map Provider, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Email Event Subscriber (Loginapp), Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Airlock 2FA Mobile Only Authentication Step, Voluntary Password Change Step, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), Username Generation Step Config, Remember-Me Reset Step, Delete OAuth 2.0 Session Initiation Step, Ticket String Provider Config, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.valueprovider.GenericSessionAttributeValueMapProviderConfig
    id: GenericSessionAttributeValueMapProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Generic SSI Proof Predicate

    Description
    A predicate for checking integer-valued attributes of a verifiable credential.
    The threshold value is compared to the value of the attribute using the specified relation.
    Class
    com.airlock.iam.ssi.application.configuration.GenericPredicateConfig
    May be used by
    Properties
    Attribute name (name)
    Description
    The attribute checked by the predicate.
    Attributes
    String
    Mandatory
    Example
    birthDate
    Example
    tenureYears
    Example
    subscriptionLevel
    Predicate type (type)
    Description
    The type of the predicate.
    Attributes
    Enum
    Mandatory
    Threshold Value (thresholdValue)
    Description
    The threshold value.
    Attributes
    Integer
    Mandatory
    Provider Key (providerKey)
    Description
    The key which can be used for obtaining information on the verified predicate from the SSI Verification Data Provider.
    Attributes
    String
    Mandatory
    Example
    over18
    YAML Template (with default values)
    
    type: com.airlock.iam.ssi.application.configuration.GenericPredicateConfig
    id: GenericPredicateConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      name:
      providerKey:
      thresholdValue:
      type:
    

    Generic Step Result

    Description

    Event that is published with every step result during flows.

    All configured filters must apply ("AND" logic). To achieve "OR" logic, multiple subscribers can be configured.

    This event can also be published while no user ID is known. Therefore, either filter for flows/steps where a user ID is guaranteed to be known, or only use recipient address and value providers that do not require a known user ID.

    Class
    com.airlock.iam.login.application.configuration.event.GenericStepResultSubscribedEventConfig
    May be used by
    Properties
    Step ID Filter (stepIdFilter)
    Description
    If configured, the subscriber is only notified of events that have a step ID and whose step ID matches the defined pattern.
    Attributes
    RegEx
    Optional
    Flow ID Filter (flowIdFilter)
    Description
    If configured, the subscriber is only notified of events whose flow ID (or application ID in case of an authentication flow) matches the defined pattern.
    Attributes
    RegEx
    Optional
    Flow Type Filter (flowTypeFilter)
    Description
    If configured, the subscriber is only notified of events from flows of the configured type.
    Attributes
    String
    Optional
    Allowed values
    Authentication and Authorization, Public Self-Service, Protected Self-Service, User Self-Registration
    Result Type Filter (resultTypeFilter)
    Description
    If configured, the subscriber is only notified of events if the result is of the configured type.
    Attributes
    String
    Optional
    Allowed values
    SUCCESS, STAY, SKIP, FAIL, FAIL_RETRY, SUBFLOW_SELECTED, GOTO, FAIL_GOTO, INTERNAL_ERROR
    Next Action Filter (nextActionFilter)
    Description
    If configured, the subscriber is only notified of events that have a "next step action" code and if this code matches the configured pattern.
    Attributes
    RegEx
    Optional
    Error Code Filter (errorCodeFilter)
    Description
    If configured, the subscriber is only notified of events that have an error code and whose error code matches the configured pattern.
    Attributes
    RegEx
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.event.GenericStepResultSubscribedEventConfig
    id: GenericStepResultSubscribedEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      errorCodeFilter:
      flowIdFilter:
      flowTypeFilter:
      nextActionFilter:
      resultTypeFilter:
      stepIdFilter:
    

    Generic String SAML 2.0 Attribute

    Description
    A SAML 2.0 single-value attribute containing a string from a value provider.
    Class
    com.airlock.iam.saml2.application.configuration.assertion.attribute.GenericStringAttributeConfig
    May be used by
    License-Tags
    SamlIdp
    Properties
    Attribute Name (samlAttributeName)
    Description
    The name of the attribute to add to the assertion.
    Attributes
    String
    Mandatory
    Example
    user_type
    Example
    email
    Name Format (nameFormat)
    Description
    The NameFormat to use for the attribute.
    Attributes
    String
    Optional
    Default value
    urn:oasis:names:tc:SAML:2.0:attrname-format:basic
    Suggested values
    urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.assertion.attribute.GenericStringAttributeConfig
    id: GenericStringAttributeConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
      samlAttributeName:
      valueProvider:
    

    Generic Token Controller

    Description
    Generic Token Controller which allows a customized UI. Use this plugin if you need to manage a custom token in the Adminapp or if you need functionality other than what the provided Token Controllers offer.
    Class
    com.airlock.iam.admin.application.configuration.generic.GenericTokenControllerConfig
    May be used by
    Properties
    ID (id)
    Description

    Unique identifier for the token controller. Serves as token type ID in the REST interface.

    This is also the "auth method" that is set on the user as active/next authentication method, i.e. it must match the "Authentication Method ID" of corresponding authentication flow steps.

    Finally, this ID also determines the name (label) of this token controller in the Adminapp UI, as defined by the resource key 'user.auth-methods.type.generic.<id>', as well as the label for "auth method" specific lock reasons defined by the resource key 'user.account-state.LockReason.TooManyAuthAtts.<id>'.

    Please note that this ID must not be longer than 22 characters, in order to comply with the default DB schema restrictions for the column lock_reason.
    Attributes
    String
    Mandatory
    Validation RegEx: [a-zA-Z0-9_]+
    Example
    EMAILOTP
    Example
    DEVICE_TOKEN
    Example
    securid
    User Interface (ui)
    Description
    Defines the graphical UI of this token controller in the Adminapp. If configured, the token controller is displayed as a separate tab on the user management tab sheet using the configured ID. Otherwise, the token controller can only be used via the REST API.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Token Endpoint (tokenEndpoint)
    Description
    Configures the REST endpoint for this token. The configuration defines the persistency and which token data is provided for the generic REST endpoint.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token Event Type (tokenEventType)
    Description
    Type of events published on changes to the token data:
    • NONE: no events are published (default)
    • EMAIL: Events of type "Email Address Changed", "Email Address Added" and "Email Address Deleted" are published
    • DEVICE_TOKEN: Events of type "Device Token Deleted" are published
    Attributes
    Enum
    Optional
    Default value
    NONE
    Allowed As Active Auth Method (allowedAsActiveAuthMethod)
    Description
    Whether or not this token can be chosen as active authentication method.
    Attributes
    Boolean
    Optional
    Default value
    true
    Allowed As New Auth Method (allowedAsNewAuthMethod)
    Description
    Whether or not this token can be chosen as new authentication method.
    Attributes
    Boolean
    Optional
    Default value
    true
    Allowed For Auth Method Migration (allowedForAuthMethodMigration)
    Description
    Whether or not this token can be chosen for an authentication method migration.
    Attributes
    Boolean
    Optional
    Default value
    true
    Auto Order On Auth Method Add (autoOrderOnAuthMethodAdd)
    Description
    If enabled, an activation order is automatically placed when this authentication method is added to a user.
    Attributes
    Boolean
    Optional
    Default value
    false
    Auto Order On User Create (autoOrderOnUserCreate)
    Description
    If enabled, an activation order is automatically placed when the user is created.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.generic.GenericTokenControllerConfig
    id: GenericTokenControllerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedAsActiveAuthMethod: true
      allowedAsNewAuthMethod: true
      allowedForAuthMethodMigration: true
      autoOrderOnAuthMethodAdd: false
      autoOrderOnUserCreate: false
      id:
      tokenEndpoint:
      tokenEventType: NONE
      ui:
    

    Generic Token Controller UI

    Description
    A configurable UI to manage tokens that are provided by the IAM REST generic token endpoints. The controller is displayed as a separate tab on the user management tab sheet of the Adminapp.
    Class
    com.airlock.iam.admin.application.configuration.generic.ui.GenericTokenControllerUiConfig
    May be used by
    Properties
    UI Elements (uiElements)
    Description
    Defines the visible UI elements of this token controller.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Show Add Button (showAddButton)
    Description
    If enabled, displays an "Add" button that creates an empty and unsaved client-side token. The button is visible as long as the server allows creating more tokens and the maximum token count is not reached.

    The visibility of the button depends on the configured access control and if the administrator has permission for this action.

    Attributes
    Boolean
    Optional
    Default value
    true
    Show Save Button (showSaveButton)
    Description
    If enabled, a "Save" button is displayed that allows the admin to submit changed token data to the server. For new tokens, the "Save" button is always shown.

    The visibility of the button depends on the configured access control and if the administrator has permission for this action.

    Attributes
    Boolean
    Optional
    Default value
    true
    Show Delete Button (showDeleteButton)
    Description
    If enabled, displays a "Delete" button that will remove the token from the user on the server.

    The visibility of the button depends on the configured access control and if the administrator has permission for this action.

    Attributes
    Boolean
    Optional
    Default value
    true
    Show Enable/Disable Button (showEnableDisableButton)
    Description
    If enabled, displays either an "Enable" or "Disable" button to change the state of this token on the server. The button is only visible if the "Enabled" property is mapped in the "Token Endpoint" settings of this controller. The "Identity Attribute Mapping" is not supported.

    The visibility of the button depends on the configured access control and if the administrator has permission for this action.

    Attributes
    Boolean
    Optional
    Default value
    true
    Show Activation Order (showActivationOrder)
    Description
    If enabled, displays a section to view and manage activation orders. Managing orders also depends on "Show Order/Cancel Button".
    Attributes
    Boolean
    Optional
    Default value
    true
    Show Order/Cancel Button (showOrderCancelButton)
    Description
    If enabled, displays either an "Order" or "Cancel" button to manage activation letters. This option is only visible if "Show Activation Order" is enabled.

    The visibility of the button depends on the configured access control and if the administrator has permission for this action.

    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.generic.ui.GenericTokenControllerUiConfig
    id: GenericTokenControllerUiConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      showActivationOrder: true
      showAddButton: true
      showDeleteButton: true
      showEnableDisableButton: true
      showOrderCancelButton: true
      showSaveButton: true
      uiElements:
    

    Generic Token Endpoint

    Description
    Configures a REST endpoint for a specific token type.
    Class
    com.airlock.iam.admin.application.configuration.generic.TokenEndpointConfig
    May be used by
    Properties
    Token Repository (tokenRepository)
    Description
    Defines the repository to be used for this token endpoint.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.generic.TokenEndpointConfig
    id: TokenEndpointConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      tokenRepository:
    

    Generic Token Service

    Description
    Generic token service for token types that don't require special treatment. Note that Vasco and Cronto tokens require special workflows and therefore the dedicated Token Services must be configured for those types.
    Class
    com.airlock.iam.core.misc.tokenservice.GenericTokenService
    May be used by
    Properties
    Token Data Provider (tokenDataProvider)
    Description
    Plugin to load, save and delete tokens on persistence.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Types To Handle (typesToHandle)
    Description
    Token types to be handled by this token service.
    Attributes
    String-List
    Optional
    Default value
    [MTAN, SECRETQUESTION, CERTIFICATE, OAUTH2]
    Contains Multi Assignment Tokens (containsMultiAssignmentTokens)
    Description

    Enable if any of the tokens managed by this service can be assigned to more than one user simultaneously. This results in less efficient database queries but is necessary for those tokens.

    All tokens currently managed by IAM are assigned to only a single user, with the exception of Vasco OTP tokens.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.tokenservice.GenericTokenService
    id: GenericTokenService-xxxxxx
    displayName: 
    comment: 
    properties:
      containsMultiAssignmentTokens: false
      tokenDataProvider:
      typesToHandle: [MTAN, SECRETQUESTION, CERTIFICATE, OAUTH2]
    

    Goto Button UI Element

    Description
    Displays a Goto button which leads the user to a Goto target defined by the configured "Target Step ID".

    The Goto button is only shown if the 'Show Goto Buttons' flag on the flow UI config is enabled.

    Notice: Goto buttons do not come with pre-defined labels. It is required to add i18n keys and values for each button manually.

    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiGotoButtonConfig
    May be used by
    Properties
    Target Step ID (targetStepId)
    Description
    The ID of the target step.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Label (label)
    Description
    Label for the button. The UI treats it as a key to translate. If there is no translation, the configured value is what is shown in the UI.
    Attributes
    String
    Mandatory
    Validation RegEx: [a-zA-Z0-9]+((\.|-)[a-zA-Z0-9]+)*
    Alignment (alignment)
    Description
    Defines the button's alignment.
    Attributes
    Enum
    Optional
    Default value
    RIGHT
    HTML ID (htmlId)
    Description
    The ID of the element in the HTML.
    Attributes
    String
    Mandatory
    Validation RegEx: [a-zA-Z0-9_]+
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiGotoButtonConfig
    id: ConfigurableUiGotoButtonConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      alignment: RIGHT
      htmlId:
      label:
      targetStepId:
    

    Gzip Base64 Ticket Encoder

    Description
    Encodes the ticket using GZIP and base-64.

    The keys/values in the ticket are encoded as described in KeyMultiValue. The expiry date is then appended (see below) and the resulting byte array is base-64 encoded. Thus, there is no cryptographic protection in place!

    Example:
    "medusaID=1234;uname=smith;roles=customer,employee;name1=value1;name2=value2;"

    The ticket string (as above) is interpreted as a byte array (ASCII encoding) from here on. The expiry date is appended to the ticket string: the milliseconds since midnight 01.01.1970, appended as a 64-bit signed integer (MSB first).

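    The layout described above, as an added example that is not Airlock IAM code: it builds a ticket from the page's sample fields, splits it back into body and expiry bytes without any key, and accepts or rejects it on the expiry alone, which is the only check the layout supports. Assumed, because the page does not state them: the KeyMultiValue form is the `key=v1,v2;` shape of the page's example, GZIP is applied before base-64, and the epoch milliseconds are UTC.

```python
"""Gzip Base64 ticket layout: body bytes + 8-byte big-endian expiry, GZIP, base-64.

Added example, not Airlock IAM code. Assumptions (not on the page):
KeyMultiValue is 'key=v1,v2;...' as in the page's sample string, GZIP runs
before base-64, and the expiry is UTC epoch milliseconds.
"""
import base64
import gzip
import struct
import time

EXPIRY_STRUCT = struct.Struct(">q")  # 64-bit signed integer, MSB first


def encode_key_multi_value(fields):
    """Serialise {key: [values]} as 'key=v1,v2;' pairs (assumed layout)."""
    return "".join(f"{key}={','.join(values)};" for key, values in fields.items())


def parse_key_multi_value(text):
    """Inverse of encode_key_multi_value; a value with no comma becomes a 1-item list."""
    fields = {}
    for pair in text.split(";"):
        if not pair:
            continue  # trailing ';' leaves an empty pair
        key, _, value = pair.partition("=")
        fields[key] = value.split(",")
    return fields


def encode_ticket(fields, expiry_ms):
    """Body (ASCII) + expiry (8 bytes, MSB first) -> GZIP -> base-64 string."""
    body = encode_key_multi_value(fields).encode("ascii")
    raw = body + EXPIRY_STRUCT.pack(expiry_ms)
    # mtime=0 keeps the GZIP header deterministic; it does not affect decoding.
    return base64.b64encode(gzip.compress(raw, mtime=0)).decode("ascii")


def split_ticket(ticket):
    """Undo base-64 and GZIP and split into (body_bytes, expiry_bytes). No key needed."""
    raw = gzip.decompress(base64.b64decode(ticket))
    if len(raw) < EXPIRY_STRUCT.size:
        raise ValueError("ticket too short to carry an expiry")
    return raw[:-EXPIRY_STRUCT.size], raw[-EXPIRY_STRUCT.size:]


def decode_ticket(ticket):
    """Return (fields, expiry_ms) for any well-formed ticket, expired or not."""
    body, expiry_bytes = split_ticket(ticket)
    (expiry_ms,) = EXPIRY_STRUCT.unpack(expiry_bytes)
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("ticket body is not ASCII") from exc
    return parse_key_multi_value(text), expiry_ms


def verify_ticket(ticket, now_ms=None):
    """Return the fields if the ticket has not expired, else None.

    The expiry is the only property a receiver can check on this layout;
    the layout carries no MAC or signature, so field integrity is not verified here.
    """
    fields, expiry_ms = decode_ticket(ticket)
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return fields if expiry_ms > now_ms else None


if __name__ == "__main__":
    # Constructed sample, taken from the field names in the page's example string.
    sample = {"medusaID": ["1234"], "uname": ["smith"], "roles": ["customer", "employee"]}
    ticket = encode_ticket(sample, int(time.time() * 1000) + 60_000)
    body, expiry = split_ticket(ticket)
    print("ticket:", ticket)
    print("body  :", body)
    print("expiry:", expiry.hex())
    print("valid :", verify_ticket(ticket))
```

Because nothing in the layout authenticates the body, `verify_ticket` can only reject stale tickets; integrity and confidentiality have to come from the transport or from an encoder that adds them.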
    Class
    com.airlock.iam.core.misc.util.ticket.codec.GzipBase64TicketEncoder
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.ticket.codec.GzipBase64TicketEncoder
    id: GzipBase64TicketEncoder-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Has Cronto Account

    Description
    Condition that decides whether the user has a Cronto account.
    Class
    com.airlock.iam.authentication.application.configuration.selection.condition.CrontoAccountConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service Flow, Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    License-Tags
    Cronto
    Properties
    Cronto Handler (crontoHandler)
    Description
    Plugin to handle all Cronto-specific actions.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.selection.condition.CrontoAccountConditionConfig
    id: CrontoAccountConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      crontoHandler:
    

    Has Cronto Device

    Description
    Condition that decides whether the user has an active Cronto device.
    Class
    com.airlock.iam.authentication.application.configuration.selection.condition.HasCrontoDeviceConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service Flow, Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step,
mTAN Token Registration Step mTAN Token Registration Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Delete Initiation Step Selection Option For Public Self-Service Username Password Authentication Step Username Password Authentication Step Certificate Credential Extraction Step Config Certificate Credential Extraction Step Config OAuth 2.0 Session List OAuth 2.0 Session List Set Password Step Config Set Password Step Config Flow Condition To Authentication Context Mapping Password Change Self-Service Step Password Change Self-Service Step SSI Verification Step SSI Verification Step Default OAuth 2.0 Consent Deny Flow Default OAuth 2.0 Consent Deny Flow Device Token Identity Verification Step Config Device Token Identity Verification Step Config Cronto Self-Service Approval Step Cronto Self-Service Approval Step FIDO Credential List FIDO Credential List Lock Self-Service Step Lock Self-Service Step Password Letter Order Step (Public Self-Service) Password Letter Order Step (Public Self-Service) Default Enable Cronto Device Flow Default Enable Cronto Device Flow Airlock 2FA Delete Devices Step Airlock 2FA Delete Devices Step Vasco OTP Self-Service Approval Step Vasco OTP Self-Service Approval Step Selection Step for User Self-Registration Selection Step for User Self-Registration Vasco OTP Device Activation Vasco OTP Device Activation User Role Assignment Step Config User Role Assignment Step Config Default Enable FIDO Credential Flow Default Enable FIDO Credential Flow mTAN Self-Service Approval Step mTAN Self-Service Approval Step Selection Option Rename Cronto Device Step Rename Cronto Device Step OATH OTP Authentication Step OATH OTP Authentication Step User Identification Step (Public Self-Service) User Identification Step (Public Self-Service) Default Cronto Device Renaming Flow Default Cronto Device Renaming Flow Delete mTAN Number Initiation Step Delete mTAN Number Initiation Step SSI Authentication Step SSI Authentication Step Default 
Disable Cronto Device Flow Default Disable Cronto Device Flow Password Repository Mapping Default Remember-Me Device Deletion Flow Default Remember-Me Device Deletion Flow mTAN Verification Step mTAN Verification Step Conditional Value Map Provider FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Application Portal Target Config Legacy Email OTP Authentication Step Legacy Email OTP Authentication Step Never Migrate Step Never Migrate Step Selection Step for Self-Service Selection Step for Self-Service Cronto Letter Order Step Config Cronto Letter Order Step Config No Operation Step No Operation Step Terms Of Services Step Terms Of Services Step Role-based Tag Acquisition Step Role-based Tag Acquisition Step FIDO Passwordless Authentication Step FIDO Passwordless Authentication Step Disable Cronto Push Initiation Step Disable Cronto Push Initiation Step Stop User Representation Step Stop User Representation Step Acknowledge Message Step Acknowledge Message Step HTTP Basic Authentication Step HTTP Basic Authentication Step Target Applications and Authentication Airlock 2FA Mobile Only Authentication Step Airlock 2FA Mobile Only Authentication Step Generic ID Propagator Voluntary Password Change Step Voluntary Password Change Step Remember-Me Device List Remember-Me Device List SAML 2.0 SP User Identifying Step SAML 2.0 SP User Identifying Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Consents Delete Initiation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Step (with additional Activation) OAuth 2.0 Consent List OAuth 2.0 Consent List Default OAuth 2.0 Consent Grant Flow Default OAuth 2.0 Consent Grant Flow Username Generation Step Config Username Generation Step Config Remember-Me Reset Step Remember-Me Reset Step Default FIDO Credential Removal Flow Delete OAuth 2.0 Session Initiation Step Delete OAuth 2.0 Session Initiation Step OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset 
Step Selection Step Selection Step
    License-Tags
    Cronto
    Properties
    Cronto Handler (crontoHandler)
    Description
    Plugin to handle all Cronto-specific actions.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Require Push Device (requirePushDevice)
    Description

    If this flag is set and there is no push-enabled device for the user, authentication is not possible.

    This feature may be used for mobile application logins, where showing a cryptogram on the same device is not appropriate.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.selection.condition.HasCrontoDeviceConditionConfig
    id: HasCrontoDeviceConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      crontoHandler:
      requirePushDevice: false
    

    Has Device Token

    Description
    Flow selection condition that selects the subflow depending on whether the user has at least one valid and enabled device token.
    Class
    com.airlock.iam.authentication.application.configuration.selection.condition.DeviceTokenConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    License-Tags
    DeviceToken
    Properties
    Device Token Settings (deviceTokenSettings)
    Description
    The device token settings to use.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.selection.condition.DeviceTokenConditionConfig
    id: DeviceTokenConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      deviceTokenSettings:
    

    Has Email Address

    Description
    Flow selection condition that selects the subflow depending on whether the user has an active email address. Typically used to determine whether email OTP authentication can be performed.
    Class
    com.airlock.iam.authentication.application.configuration.selection.condition.EmailOtpCredentialConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    Credential Persister (credentialPersister)
    Description
    Credential persister to load the email address of the user.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.selection.condition.EmailOtpCredentialConditionConfig
    id: EmailOtpCredentialConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      credentialPersister:
    

    Has FIDO Credential

    Description
    Condition that decides whether the user has an active FIDO credential.
    Class
    com.airlock.iam.fido.login.application.configuration.FidoCredentialConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service Flow, Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    License-Tags
    FIDO
    Properties
    FIDO Settings (fidoSettings)
    Description
    Settings for FIDO.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.fido.login.application.configuration.FidoCredentialConditionConfig
    id: FidoCredentialConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      fidoSettings:
    

    Has Matching Role

    Description
    Condition that is fulfilled if the user has at least one role that matches the configured regular expression. Note: If the user does not exist (i.e., is not identified) an exception is thrown (configuration error).
    Class
    com.airlock.iam.flow.shared.application.configuration.condition.RoleMatchingConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service Flow, Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    Role Providers (roleProviders)
    Description
    Role Providers which provide the roles against which the role pattern is checked.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Role Pattern (rolePattern)
    Description
    Pattern that is checked against the user's roles. If the user has at least one role that matches the pattern, the condition evaluates to true.
    Attributes
    RegEx
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.condition.RoleMatchingConditionConfig
    id: RoleMatchingConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      rolePattern:
      roleProviders:
    

    Has Matrix Card

    Description
    Flow selection condition that selects the subflow depending on whether the user has an active Matrix card.
    Class
    com.airlock.iam.authentication.application.configuration.selection.condition.MatrixCredentialConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service Flow, Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step,
mTAN Token Registration Step mTAN Token Registration Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Delete Initiation Step Selection Option For Public Self-Service Username Password Authentication Step Username Password Authentication Step Certificate Credential Extraction Step Config Certificate Credential Extraction Step Config OAuth 2.0 Session List OAuth 2.0 Session List Set Password Step Config Set Password Step Config Flow Condition To Authentication Context Mapping Password Change Self-Service Step Password Change Self-Service Step SSI Verification Step SSI Verification Step Default OAuth 2.0 Consent Deny Flow Default OAuth 2.0 Consent Deny Flow Device Token Identity Verification Step Config Device Token Identity Verification Step Config Cronto Self-Service Approval Step Cronto Self-Service Approval Step FIDO Credential List FIDO Credential List Lock Self-Service Step Lock Self-Service Step Password Letter Order Step (Public Self-Service) Password Letter Order Step (Public Self-Service) Default Enable Cronto Device Flow Default Enable Cronto Device Flow Airlock 2FA Delete Devices Step Airlock 2FA Delete Devices Step Vasco OTP Self-Service Approval Step Vasco OTP Self-Service Approval Step Selection Step for User Self-Registration Selection Step for User Self-Registration Vasco OTP Device Activation Vasco OTP Device Activation User Role Assignment Step Config User Role Assignment Step Config Default Enable FIDO Credential Flow Default Enable FIDO Credential Flow mTAN Self-Service Approval Step mTAN Self-Service Approval Step Selection Option Rename Cronto Device Step Rename Cronto Device Step OATH OTP Authentication Step OATH OTP Authentication Step User Identification Step (Public Self-Service) User Identification Step (Public Self-Service) Default Cronto Device Renaming Flow Default Cronto Device Renaming Flow Delete mTAN Number Initiation Step Delete mTAN Number Initiation Step SSI Authentication Step SSI Authentication Step Default 
Disable Cronto Device Flow Default Disable Cronto Device Flow Password Repository Mapping Default Remember-Me Device Deletion Flow Default Remember-Me Device Deletion Flow mTAN Verification Step mTAN Verification Step Conditional Value Map Provider FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Application Portal Target Config Legacy Email OTP Authentication Step Legacy Email OTP Authentication Step Never Migrate Step Never Migrate Step Selection Step for Self-Service Selection Step for Self-Service Cronto Letter Order Step Config Cronto Letter Order Step Config No Operation Step No Operation Step Terms Of Services Step Terms Of Services Step Role-based Tag Acquisition Step Role-based Tag Acquisition Step FIDO Passwordless Authentication Step FIDO Passwordless Authentication Step Disable Cronto Push Initiation Step Disable Cronto Push Initiation Step Stop User Representation Step Stop User Representation Step Acknowledge Message Step Acknowledge Message Step HTTP Basic Authentication Step HTTP Basic Authentication Step Target Applications and Authentication Airlock 2FA Mobile Only Authentication Step Airlock 2FA Mobile Only Authentication Step Generic ID Propagator Voluntary Password Change Step Voluntary Password Change Step Remember-Me Device List Remember-Me Device List SAML 2.0 SP User Identifying Step SAML 2.0 SP User Identifying Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Consents Delete Initiation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Step (with additional Activation) OAuth 2.0 Consent List OAuth 2.0 Consent List Default OAuth 2.0 Consent Grant Flow Default OAuth 2.0 Consent Grant Flow Username Generation Step Config Username Generation Step Config Remember-Me Reset Step Remember-Me Reset Step Default FIDO Credential Removal Flow Delete OAuth 2.0 Session Initiation Step Delete OAuth 2.0 Session Initiation Step OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset 
Step Selection Step Selection Step
    License-Tags
    Matrixcard
    Properties
    Tan Service (tanService)
    Description
    The tan service plugin to be used.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.selection.condition.MatrixCredentialConditionConfig
    id: MatrixCredentialConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      tanService:
    

    Has mTAN Activation Letter

    Description
    Flow selection condition that selects the subflow depending on whether the user has an mTAN activation letter.
    Class
    com.airlock.iam.authentication.application.configuration.selection.condition.MtanHasActivationLetterConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    MTAN Handler (mtanHandler)
    Description
    The mTAN handler to load the user's mTAN tokens.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.selection.condition.MtanHasActivationLetterConditionConfig
    id: MtanHasActivationLetterConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      mtanHandler:
    

    Has mTAN Token

    Description
    Flow condition that is fulfilled depending on whether the user has an active mTAN token.
    Class
    com.airlock.iam.authentication.application.configuration.selection.condition.MtanCredentialConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    MTAN Handler (mtanHandler)
    Description
    The mTAN handler to load the user's mTAN tokens.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.selection.condition.MtanCredentialConditionConfig
    id: MtanCredentialConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      mtanHandler:
    

    Has OATH OTP Token

    Description
    Flow selection condition that selects the subflow depending on whether the user has an active OATH OTP token.
    Class
    com.airlock.iam.authentication.application.configuration.selection.condition.OathOtpCredentialConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    License-Tags
    MobileOTP,OathOtp
    Properties
    Oath Otp Settings (oathOtpSettings)
    Description
    The OATH OTP settings to load the user's OATH OTP information.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    MobileOTP,OathOtp
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.selection.condition.OathOtpCredentialConditionConfig
    id: OathOtpCredentialConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      oathOtpSettings:
    

    Has Password

    Description
    Condition to determine whether the current user has a password. Requires a user store where the password hash is readable, e.g. a database.
    Class
    com.airlock.iam.authentication.application.configuration.selection.condition.PasswordConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.selection.condition.PasswordConditionConfig
    id: PasswordConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Has Suitable Airlock 2FA Device

    Description

    Condition that is fulfilled if the user has at least one Airlock 2FA device that is active and capable of at least one of the allowed factors.

    The allowed authentication factors are determined as the common factors between:

    1. The factors configured here. These factors are the same for all users.
    2. The factors that are enabled for the user in the Futurae administration service.

    If bypass mode is not enabled in the Airlock 2FA settings, this condition is not satisfied for users for whom the Futurae bypass mode is enabled. If bypass mode is enabled in the Airlock 2FA settings, this condition is satisfied for all users for whom the Futurae bypass mode is enabled.

    Class
    com.airlock.iam.airlock2fa.application.configuration.condition.Airlock2FAHasDeviceConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step,
mTAN Token Registration Step mTAN Token Registration Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Delete Initiation Step Selection Option For Public Self-Service Username Password Authentication Step Username Password Authentication Step Certificate Credential Extraction Step Config Certificate Credential Extraction Step Config OAuth 2.0 Session List OAuth 2.0 Session List Set Password Step Config Set Password Step Config Flow Condition To Authentication Context Mapping Password Change Self-Service Step Password Change Self-Service Step SSI Verification Step SSI Verification Step Default OAuth 2.0 Consent Deny Flow Default OAuth 2.0 Consent Deny Flow Device Token Identity Verification Step Config Device Token Identity Verification Step Config Cronto Self-Service Approval Step Cronto Self-Service Approval Step FIDO Credential List FIDO Credential List Lock Self-Service Step Lock Self-Service Step Password Letter Order Step (Public Self-Service) Password Letter Order Step (Public Self-Service) Default Enable Cronto Device Flow Default Enable Cronto Device Flow Airlock 2FA Delete Devices Step Airlock 2FA Delete Devices Step Vasco OTP Self-Service Approval Step Vasco OTP Self-Service Approval Step Selection Step for User Self-Registration Selection Step for User Self-Registration Vasco OTP Device Activation Vasco OTP Device Activation User Role Assignment Step Config User Role Assignment Step Config Default Enable FIDO Credential Flow Default Enable FIDO Credential Flow mTAN Self-Service Approval Step mTAN Self-Service Approval Step Selection Option Rename Cronto Device Step Rename Cronto Device Step OATH OTP Authentication Step OATH OTP Authentication Step User Identification Step (Public Self-Service) User Identification Step (Public Self-Service) Default Cronto Device Renaming Flow Default Cronto Device Renaming Flow Delete mTAN Number Initiation Step Delete mTAN Number Initiation Step SSI Authentication Step SSI Authentication Step Default 
Disable Cronto Device Flow Default Disable Cronto Device Flow Password Repository Mapping Default Remember-Me Device Deletion Flow Default Remember-Me Device Deletion Flow mTAN Verification Step mTAN Verification Step Conditional Value Map Provider FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Application Portal Target Config Legacy Email OTP Authentication Step Legacy Email OTP Authentication Step Never Migrate Step Never Migrate Step Selection Step for Self-Service Selection Step for Self-Service Cronto Letter Order Step Config Cronto Letter Order Step Config No Operation Step No Operation Step Terms Of Services Step Terms Of Services Step Role-based Tag Acquisition Step Role-based Tag Acquisition Step FIDO Passwordless Authentication Step FIDO Passwordless Authentication Step Disable Cronto Push Initiation Step Disable Cronto Push Initiation Step Stop User Representation Step Stop User Representation Step Acknowledge Message Step Acknowledge Message Step HTTP Basic Authentication Step HTTP Basic Authentication Step Target Applications and Authentication Airlock 2FA Mobile Only Authentication Step Airlock 2FA Mobile Only Authentication Step Generic ID Propagator Voluntary Password Change Step Voluntary Password Change Step Remember-Me Device List Remember-Me Device List SAML 2.0 SP User Identifying Step SAML 2.0 SP User Identifying Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Consents Delete Initiation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Step (with additional Activation) OAuth 2.0 Consent List OAuth 2.0 Consent List Default OAuth 2.0 Consent Grant Flow Default OAuth 2.0 Consent Grant Flow Username Generation Step Config Username Generation Step Config Remember-Me Reset Step Remember-Me Reset Step Default FIDO Credential Removal Flow Delete OAuth 2.0 Session Initiation Step Delete OAuth 2.0 Session Initiation Step OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset 
Step Selection Step Selection Step
    License-Tags
    Airlock2FA
    Properties
    Factors (factors)
    Description

    List of all enabled factors. The condition is fulfilled if the user has at least one device that is capable of at least one of the factors listed here.

    Available factors:

    • One-Touch: a push message is sent to the user's mobile app, where it must be approved. This is an online factor.
    • Online QR Code: a QR code is displayed in the browser, which has to be scanned by a mobile app and approved there. This is an online factor.
    • Passcode: the device (mobile app or hardware token) generates a time-dependent code (OTP) that has to be entered manually. This is an offline factor.
    • Offline QR Code: a QR code is displayed which has to be scanned by a mobile app or hardware token. The device displays a code (OTP) that must be entered manually. This is an offline factor.

    Attributes
    String-List
    Optional
    Default value
    [One-Touch, Online QR Code, Passcode, Offline QR Code]
    Airlock 2FA Settings (airlock2faSettings)
    Description

    Settings of Airlock 2FA.

    It is recommended to use the same settings everywhere. Otherwise, the behaviour of the condition may appear inconsistent.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Respect Cooldown Period (respectCooldown)
    Description

    Whether to respect the "Cooldown Period" for new devices.

    If disabled, the condition ignores the "Cooldown Period" for new devices configured in the "Airlock 2FA Settings". This is typically used for authentication steps that protect low-risk applications, such as a portal page, which may also be accessed using devices that are still in cooldown.

    If no "Cooldown Period" is defined, enabling this property has no effect.

    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.airlock2fa.application.configuration.condition.Airlock2FAHasDeviceConditionConfig
    id: Airlock2FAHasDeviceConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      airlock2faSettings:
      factors: [One-Touch, Online QR Code, Passcode, Offline QR Code]
      respectCooldown: true
    

    Has Tag

    Description
    Flow condition which evaluates to true if the configured tag is present.
    Class
    com.airlock.iam.flow.application.configuration.selection.condition.TagConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    Tag (tag)
    Description
    When the user has obtained this tag in the current flow, this condition evaluates to true.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.application.configuration.selection.condition.TagConditionConfig
    id: TagConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      tag:
    

    Has Vasco OTP Token

    Description
    Flow selection condition that selects the subflow depending on whether the user has an active Vasco OTP token.
    Class
    com.airlock.iam.authentication.application.configuration.selection.condition.VascoOtpCredentialConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    License-Tags
    Digipass
    Properties
    Token Data Provider (tokenDataProvider)
    Description
    Token Data Provider to load the Vasco tokens.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.selection.condition.VascoOtpCredentialConditionConfig
    id: VascoOtpCredentialConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      tokenDataProvider:
    

    hCAPTCHA

    Description
    Requires a user to solve an hCAPTCHA challenge.
    If you use an HTTPS truststore, make sure to add the root certificate for https://hcaptcha.com.
    Further, you need to ensure that the correct Content Security Policy (CSP) is set. hCAPTCHA requires the following directives:
    • script-src https://hcaptcha.com https://*.hcaptcha.com
    • frame-src https://hcaptcha.com https://*.hcaptcha.com
    • style-src https://hcaptcha.com https://*.hcaptcha.com
    • connect-src https://hcaptcha.com https://*.hcaptcha.com
    Consult the official hCAPTCHA documentation for further information.
    Class
    com.airlock.iam.flow.shared.application.configuration.captcha.HCaptchaConfig
    May be used by
    Properties
    Site Key (siteKey)
    Description

    The site key can be assumed to be public knowledge and identifies the associated hCAPTCHA account.

    The site key can be found on the hCAPTCHA profile page.

    Attributes
    String
    Mandatory
    Secret Key (secretKey)
    Description

    The secret key is used to validate the CAPTCHA challenge response on the hCAPTCHA server. While a leaked secret key does not impact the security or validity of this CAPTCHA method, its misuse can incur costs, as it is used for quota calculations at the CAPTCHA provider (similar to an API key).

    The secret key can be found on the hCAPTCHA profile page.

    Attributes
    String
    Mandatory
    Sensitive
    Proxy URI (proxyUri)
    Description
    URI of an HTTP proxy the connector should use. If the port component of the URI is absent, a default port of 8080 is assumed. If this property is left empty, no proxy is used.
    Attributes
    String
    Optional
    Example
    https://proxy.company.com
    Proxy Login User (proxyLoginUser)
    Description
    Username for the proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Example
    proxyLogin
    Proxy Login Password (proxyLoginPassword)
    Description
    Password for the proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Sensitive
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.captcha.HCaptchaConfig
    id: HCaptchaConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      proxyLoginPassword:
      proxyLoginUser:
      proxyUri:
      secretKey:
      siteKey:
    

    Header URI Propagation Config

    Description
    Propagates a target URI as an HTTP header.
    Class
    com.airlock.iam.login.application.configuration.location.propagate.HeaderURIPropagationConfig
    May be used by
    Properties
    Header Name (headerName)
    Description
    The name of the HTTP header.
    Attributes
    String
    Mandatory
    Example
    X-Forward-URL
    Example
    X-Location
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.location.propagate.HeaderURIPropagationConfig
    id: HeaderURIPropagationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      headerName:
    

    Hex Password Hash Encoder

    Description
    Password Hash Plugin that Hex encodes and decodes raw hash values.
    Class
    com.airlock.iam.core.misc.util.password.hash.HexPasswordHashEncoder
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.hash.HexPasswordHashEncoder
    id: HexPasswordHashEncoder-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Hidden UI Element

    Description
    Renders a hidden field.
    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableHiddenFieldConfig
    May be used by
    Properties
    Value (value)
    Description
    The static default value of the hidden field. If an "Initial Value Query" is configured that returns a result, the default value is replaced by this result.
    Attributes
    String
    Mandatory
    Property (property)
    Description
    The property of the hidden field. This property will be sent to the server via REST as part of a JSON object. For example, if the property name is 'marketingCampaign' and the value is configured to 'socialPlatformX', the JSON sent to the server will be as follows: {"marketingCampaign": "socialPlatformX"}.
    Attributes
    String
    Mandatory
    Validation RegEx: [a-zA-Z0-9_]+(\.[a-zA-Z0-9_]+)*
    Example
    marketingCampaign
    Example
    referredFrom
    HTML ID (htmlId)
    Description
    The ID of the element in the HTML. If no ID is set, the 'property' is used as the ID.
    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9_]+
    Submit To Server (submitToServer)
    Description
    If enabled, this value is submitted to the server. Otherwise, it is only used locally (e.g. to confirm inputs of other fields).
    Attributes
    Boolean
    Optional
    Default value
    true
    Initial Value Query (initialValueQuery)
    Description
    JSONPath query to fetch the field value from the initial REST call response. Requires an initial REST call to be configured in this custom step UI. If the query yields multiple results, the first one is set as the initial value and all others are discarded.

    See the JSONPath documentation for the full syntax: https://github.com/dchester/jsonpath

    Examples:

    Assume the initial REST call returns the following JSON response:

    {
     "meta": {
       "type": "jsonapi.metadata.document",
       "timestamp": "2023-03-10T13:06:01.294+02:00"
     },
     "data": [
      {
        "type": "user",
        "id": "user1",
        "attributes": {
          "contextData": {
             "givenname": "User1",
             "surname": "FSMTest",
             "roles": "customerA"
          }
        }
      },
      {
        "type": "user",
        "id": "user2",
        "attributes": {
          "contextData": {
            "givenname": "User2",
            "surname": "FSMTest",
            "roles": "customerB"
          }
        }
      }
     ]
    }
    

    The following table shows the results of various JSONPath queries given the JSON above:

    Description: Static path from the root
    JSONPath Query: $.meta.type
    Extracted Initial Value: jsonapi.metadata.document

    Description: The role of the user whose id equals "user1"
    JSONPath Query: $.data[?(@.id == 'user1')].attributes.contextData.roles
    Extracted Initial Value: customerA

    Description: The number of users
    JSONPath Query: $.data.length
    Extracted Initial Value: 2

    Description: All "givenname" attributes. Note: this query yields multiple results; the first one is set as the initial value, the rest is discarded.
    JSONPath Query: $..givenname
    Extracted Initial Value: User1
    Attributes
    String
    Optional
    Example
    $.store.bicycle.color
    Example
    $..phoneNumber
    Example
    $..data[?(@.id == 'street')].attributes.currentValue
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableHiddenFieldConfig
    id: ConfigurableHiddenFieldConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      htmlId:
      initialValueQuery:
      property:
      submitToServer: true
      value:
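
    Added example, not part of Airlock IAM or of the jsonpath library: a small Python evaluator for the JSONPath subset used in the table above (child access, `..` recursive descent, `[?(@.field == 'value')]` filters and `.length` on arrays) that applies the plugin's first-result rule to a constructed copy of the response shown. All function and data names are the example's own.

```python
import json
import re

# Constructed copy of the initial REST call response from the plugin reference.
SAMPLE_RESPONSE = json.loads("""
{
  "meta": {"type": "jsonapi.metadata.document", "timestamp": "2023-03-10T13:06:01.294+02:00"},
  "data": [
    {"type": "user", "id": "user1",
     "attributes": {"contextData": {"givenname": "User1", "surname": "FSMTest", "roles": "customerA"}}},
    {"type": "user", "id": "user2",
     "attributes": {"contextData": {"givenname": "User2", "surname": "FSMTest", "roles": "customerB"}}}
  ]
}
""")

# One path segment: optional '..' (recursive descent), then either a child name
# such as '.meta' or a filter such as "[?(@.id == 'user1')]".
_SEGMENT = re.compile(
    r"(?P<desc>\.\.)?"
    r"(?:\.?(?P<name>[A-Za-z0-9_]+)"
    r"|\[\?\(@\.(?P<ffield>[A-Za-z0-9_]+)\s*==\s*'(?P<fval>[^']*)'\)\])"
)


def parse(query):
    """Split a query into ('child' | 'descend' | 'filter', argument) steps."""
    if not query.startswith("$"):
        raise ValueError("JSONPath query must start with '$'")
    pos, steps = 1, []
    while pos < len(query):
        m = _SEGMENT.match(query, pos)
        if not m:
            raise ValueError(f"unsupported JSONPath syntax at offset {pos}: {query[pos:]!r}")
        if m.group("name") is not None:
            steps.append(("descend" if m.group("desc") else "child", m.group("name")))
        else:
            steps.append(("filter", (m.group("ffield"), m.group("fval"))))
        pos = m.end()
    return steps


def _descendants(node):
    """The node itself plus every nested value, depth first (document order)."""
    out = [node]
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        out.extend(_descendants(child))
    return out


def _child(node, name):
    if isinstance(node, dict) and name in node:
        return [node[name]]
    if isinstance(node, list) and name == "length":  # arrays expose 'length' like JS arrays
        return [len(node)]
    return []


def evaluate(query, doc):
    """Return all matches of the query in document order (may be empty)."""
    current = [doc]
    for kind, arg in parse(query):
        nxt = []
        for node in current:
            if kind == "child":
                nxt.extend(_child(node, arg))
            elif kind == "descend":
                for d in _descendants(node):
                    nxt.extend(_child(d, arg))
            elif isinstance(node, list):  # filter applies to the elements of an array
                field, value = arg
                nxt.extend(e for e in node if isinstance(e, dict) and e.get(field) == value)
        current = nxt
    return current


def initial_value(query, doc):
    """Plugin rule: the first result becomes the initial value, the rest is discarded."""
    results = evaluate(query, doc)
    return results[0] if results else None
```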
    

    History Password Hash

    Description
    This plugin adds password history functionality to any password hash plugin.

    It encodes password history information in a list of password hashes.
    The plugin can be configured to base64-encode the resulting hash value.

    Note that this plugin also implements the extension point PasswordHash, i.e. it can be used to verify passwords. Further, the plugin can operate both on plain hash values without history and on hash values it produced itself that contain history information. Thus, the plugin can be used to introduce the password history on existing data (without password history) without having to migrate the data.
    The code verifying passwords does not need to know about the "password history" concept. Changing (or setting) a password, however, must use the corresponding methods of the extension point "PasswordHashWithHistory".

    Class
    com.airlock.iam.core.misc.util.password.hash.PasswordHistoryHash
    May be used by
    Properties
    Password Hash (passwordHash)
    Description
    The plugin hash function used for password verification and hashing.

    Since the hash value of the configured password hash plugin is considered binary data in any case and base64-encoding is added later (optional, see other configuration property), it does not make much sense to use a password hash function that returns a base64-encoded hash value. It will work but it will make the resulting hash value longer.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Encode Base64 (encodeBase64)
    Description
    If this property is set to TRUE, the resulting password hash value is base64-encoded and can be treated as string. This is the default.
    Attributes
    Boolean
    Optional
    Default value
    true
    Max History Length (maxHistoryLength)
    Description

    Defines the maximum number of passwords stored in the history for a single user.

    A value of 5, for example, means that the five most recently set passwords are stored, excluding the currently hashed password.

    Note that the maximum size of the password history is also limited by the capacity of the "pwd_hash" column in the table "medusa_user". To ensure that users do not run into errors when trying to change their password, you should set the history length low enough to avoid exceeding the character limit of the "pwd_hash" database column. By default, this is a limit of 4000 characters.

    Some password hash algorithms (for example, encrypted hashes) produce much longer entries for the password history than others.

    Attributes
    Integer
    Optional
    Default value
    5
    Case Insensitive Storage (caseInsensitiveStorage)
    Description
    If this property is set to TRUE, passwords are matched case-insensitively. Note that this only affects newly stored passwords (for example after a password change); if this property is enabled after some passwords were already hashed, the following property "Also Try Upper Case" has to be enabled as well.
    This feature is implemented by simply converting the passwords to uppercase before hashing them.
    Attributes
    Boolean
    Optional
    Default value
    false
    Also Try Upper Case (alsoTryUpperCase)
    Description
    This property is only relevant when passwords are matched case-insensitively or were previously stored that way.
    If enabled, user-supplied passwords will not only be checked exactly as entered but also in uppercase to allow case-insensitive matching.
    Leave this setting enabled when disabling case insensitive storage later on to still recognize the previously stored passwords.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.hash.PasswordHistoryHash
    id: PasswordHistoryHash-xxxxxx
    displayName: 
    comment: 
    properties:
      alsoTryUpperCase: false
      caseInsensitiveStorage: false
      encodeBase64: true
      maxHistoryLength: 5
      passwordHash:
    

    History Password Policy

    Description
    A password policy check that tests whether the new password is the same as one in the password history (i.e. a previously used password).
    The number of "forbidden" used passwords (= the password history length) is defined by the password hash plugin passed to this plugin when performing the check.

    IMPORTANT: If using this policy check, the used password hash function must support password histories. Use the "History Password Hash" plugin.

    Performance considerations: For every entry in the password history a hash will be calculated. With growing password history length (the maximum of which is configured in "History Password Hash") the performance of this check degrades linearly.

    Class
    com.airlock.iam.core.misc.impl.authen.PwdPolicyHistoryCheck
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.PwdPolicyHistoryCheck
    id: PwdPolicyHistoryCheck-xxxxxx
    displayName: 
    comment: 
    properties:
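
    Added example serving both the "History Password Hash" and the "History Password Policy" entries (example code, not the Airlock IAM implementation): a history-aware hash wrapper around a salted PBKDF2 base hash that accepts plain pre-history hashes as well as its own history-encoded values, honours the max history length, base64 and case-insensitivity options, and a policy check that costs one base hash per history entry. The PWH1 marker, the length-prefixed encoding and all names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
import struct

# Stand-in for the configured "Password Hash" plugin: salted PBKDF2-HMAC-SHA256 returning
# binary data (salt || derived key), as the description assumes for the wrapped hash.
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16


def base_hash(password):
    salt = os.urandom(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def base_verify(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed marker so plain base hashes (data from before the history was introduced) can be
# told apart from history-encoded values; the real plugin's encoding is not documented here.
MAGIC = b"PWH1"


class HistoryPasswordHash:
    def __init__(self, max_history_length=5, encode_base64=True,
                 case_insensitive_storage=False, also_try_upper_case=False):
        self.max_history_length = max_history_length
        self.encode_base64 = encode_base64
        self.case_insensitive_storage = case_insensitive_storage
        self.also_try_upper_case = also_try_upper_case

    def _normalize(self, password):
        # "Case Insensitive Storage": passwords are uppercased before hashing
        return password.upper() if self.case_insensitive_storage else password

    def _decode(self, stored):
        """Return (current_hash, history) for a plain base hash or a history-encoded value."""
        raw = base64.b64decode(stored) if self.encode_base64 else stored
        if not raw.startswith(MAGIC):
            return raw, []  # plain hash without history: usable without migration
        entries, pos = [], len(MAGIC)
        while pos < len(raw):
            (length,) = struct.unpack_from(">H", raw, pos)
            pos += 2
            entries.append(raw[pos:pos + length])
            pos += length
        return entries[0], entries[1:]

    def _encode(self, current, history):
        raw = MAGIC + b"".join(struct.pack(">H", len(e)) + e for e in [current] + history)
        return base64.b64encode(raw).decode("ascii") if self.encode_base64 else raw

    def _matches(self, password, hash_value):
        if base_verify(self._normalize(password), hash_value):
            return True
        # "Also Try Upper Case": still recognise hashes that were stored uppercased earlier
        return self.also_try_upper_case and base_verify(password.upper(), hash_value)

    def verify(self, password, stored):
        """PasswordHash extension point: checks only the current hash."""
        current, _ = self._decode(stored)
        return self._matches(password, current)

    def set_password(self, new_password, stored=None):
        """PasswordHashWithHistory: hash the new password and push the previous current hash
        onto the history, keeping at most max_history_length entries (current one excluded)."""
        history = []
        if stored is not None:
            current, history = self._decode(stored)
            history = ([current] + history)[:self.max_history_length]
        return self._encode(base_hash(self._normalize(new_password)), history)

    def history_policy_check(self, new_password, stored):
        """History Password Policy: True if the new password is neither the current one nor in
        the history. One base hash per entry, so the cost grows linearly with the history."""
        current, history = self._decode(stored)
        return not any(self._matches(new_password, h) for h in [current] + history)
```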
    

    HSM Keystore

    Description
    Configures an HSM keystore. If a normal Java keystore is required, use the 'Java Keystore' Plugin instead.
    Class
    com.airlock.iam.core.misc.util.crypto.keystore.HsmKeystoreConfig
    May be used by
    License-Tags
    HSM
    Properties
    Security Provider Name (securityProviderName)
    Description
    The name of the configured security provider. If a PKCS #11 security provider is used with the Oracle JVM, the name should be set to SunPKCS11-<nameOfToken>, where <nameOfToken> is the token name of the configured provider. If this is set to a SunPKCS11 provider the keystore type has to be set to 'PKCS11'. See the documentation for further details on how to configure the HSM Keystore.
    Attributes
    String
    Mandatory
    License-Tags
    HSM
    Suggested values
    SunPKCS11-Luna, SunPKCS11-SoftHSM, LunaProvider
    Keystore Type (keystoreType)
    Description
    The type of keystore to use. If a PKCS #11 security provider is used, this property must be set to 'PKCS11'.
    Attributes
    String
    Mandatory
    License-Tags
    HSM
    Suggested values
    PKCS11, Luna
    Keystore File (keystoreFile)
    Description
    Path to a file-based keystore.
    This property only has to be set if the keystore is file-based. In any other case it should be left empty.
    Attributes
    File/Path
    Optional
    License-Tags
    HSM
    Keystore Password (keystorePassword)
    Description
    The password used to read the keystore or HSM module. If the HSM is already authenticated in another way, then this can be empty.
    Attributes
    String
    Optional
    Sensitive
    License-Tags
    HSM
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.crypto.keystore.HsmKeystoreConfig
    id: HsmKeystoreConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      keystoreFile:
      keystorePassword:
      keystoreType:
      securityProviderName:
    

    HTML String Escaper

    Description

    Escapes a string to be safely used inside an HTML string.

    Class
    com.airlock.iam.common.application.configuration.encoder.HtmlStringEscaperConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.encoder.HtmlStringEscaperConfig
    id: HtmlStringEscaperConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    HTTP Basic Auth Identity Propagator

    Description
    An identity propagator that instructs the Airlock Gateway (WAF) to send an HTTP Basic Auth header to the back-end.

    This propagator only works together with Airlock Gateway (WAF). It uses the control API to propagate username and password.

    Class
    com.airlock.iam.core.misc.impl.sso.HttpBasicAuthIdentityPropagator
    May be used by
    Properties
    Control Cookie Name (controlCookieName)
    Description
    The name of the Airlock control cookie. The name must match the control cookie name defined in the Airlock server.
    Attributes
    String
    Optional
    Default value
    AL_CONTROL
    Suggested values
    AL_CONTROL
    Username Property (usernameProperty)
    Description

    The username to be used for identity propagation.

    Possible values are:
    • The special keyword "@username" to use the effective username of the authenticated user.
    • The prefix "STATIC:..." to use a fixed value every time. The part after the prefix "STATIC:" is used for all users.
      For example: "STATIC:techaccount" means that the username "techaccount" is used for all users.
    • The name of a context data field read from persistency (for example "context_data"). Make sure to also configure the same value in the persister.
    Attributes
    String
    Optional
    Default value
    @username
    Example
    @username
    Example
    STATIC:techaccount
    Example
    context_data
    Example
    userPrincipalName
    Password Property (passwordProperty)
    Description

    The name of the context key holding the password to be used for identity propagation. It only works if the password is stored in the session ticket (must be activated in the Security Settings).

    Possible values are:
    • The special keyword "@password" to use the password the user entered during authentication.
      Note that depending on the authentication scheme, there is no such password (e.g. when using client certificates).
    • The special keyword "@roles" to use the user's roles as the password. The roles are represented as a comma-separated list (e.g. "admin,employee,user").
      Notice: If there are users with no roles and basic-auth headers with no passwords are accepted by the backend, the property "Allow Empty Passwords" must be enabled.
    • The prefix "STATIC:..." to use a fixed value every time. The part after the prefix "STATIC:" is used for all users.
      For example: "STATIC:techpwd" means that the password "techpwd" is used for all users.
    • The name of a context data field read from persistency (for example "context_data"). Make sure to also configure the same value in the persister.
    Attributes
    String
    Optional
    Default value
    @password
    Example
    @password
    Example
    STATIC:techpwd
    Example
    @roles
    Example
    context_data
    Example
    userPrincipalName
    Allow Empty Passwords (allowEmptyPasswords)
    Description
    If enabled, empty passwords are accepted and propagated. Only enable this option if your backend is able to handle such basic-auth headers.
    Attributes
    Boolean
    Optional
    Default value
    false
    Encoding (encoding)
    Description
    The encoding used for the basic auth header values. The default is to use UTF-8, but certain webservers might expect ISO-8859-1.
    Attributes
    String
    Optional
    Default value
    UTF-8
    Suggested values
    UTF-8, ISO-8859-1, ISO-8859-15
    Target Mapping Name (targetMappingName)
    Description
    The basic auth header can be restricted to just one back-end by specifying its name here. If left unset, the basic auth header is sent to every back-end having the 'on-behalf' login configured.
    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.HttpBasicAuthIdentityPropagator
    id: HttpBasicAuthIdentityPropagator-xxxxxx
    displayName: 
    comment: 
    properties:
      allowEmptyPasswords: false
      controlCookieName: AL_CONTROL
      encoding: UTF-8
      passwordProperty: @password
      targetMappingName:
      usernameProperty: @username
    

    HTTP Basic Authentication Step

    Description

    An authentication flow step that verifies a username/password combination using HTTP Basic Authentication.

    If there are no preceding interactive steps in the flow, a request to one of the .../access endpoints with the HTTP Basic Authentication credentials header will automatically be handled by this step. This allows for completely non-interactive flows that are started with an "access" request and are immediately completed successfully, provided the HTTP Basic Authentication credentials are valid.

    Class
    com.airlock.iam.authentication.application.configuration.password.HttpBasicAuthenticationStepConfig
    May be used by
    Properties
    Realm (realm)
    Description
    The "realm" defines the protection space of the authentication. Realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database.
    Attributes
    String
    Optional
    Default value
    default
    Example
    default
    Example
    myApplication
    Charset (charsetName)
    Description
    The character set for decoding the basic authentication credentials.
    Attributes
    String
    Optional
    Default value
    ISO-8859-1
    Suggested values
    ISO-8859-1, UTF-8
    Policy To Check On Login (policyToCheckOnLogin)
    Description
    The password policy that is checked when authenticating. If the policy is violated, a mandatory password change is required.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    PASSWORD
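
    Added example (a model written for this reference, not Airlock IAM code): per-user, per-method failed-attempt counters as the description above implies, used to show that with one shared 'Authentication Method Id' a correct login on flow A keeps resetting the counter flow B relies on, whereas distinct IDs lock the account after the configured number of wrong attempts. The lockout threshold, user and password values are constructed.

```python
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 3  # constructed lockout threshold for the model


class FailedAttemptCounters:
    """Failed login attempts, counted per user and per authentication method ID."""

    def __init__(self):
        self._failed = defaultdict(int)  # (username, method_id) -> failed attempts

    def is_locked(self, username, method_id):
        return self._failed[(username, method_id)] >= MAX_FAILED_ATTEMPTS

    def record(self, username, method_id, success):
        key = (username, method_id)
        if success:
            self._failed[key] = 0  # a successful login resets the counter of that method
        else:
            self._failed[key] += 1


class PasswordStep:
    """One password step instance: bound to one credential set and one authentication method ID."""

    def __init__(self, method_id, expected_passwords):
        self.method_id = method_id
        self.expected_passwords = expected_passwords  # username -> password (constructed)

    def authenticate(self, counters, username, password):
        if counters.is_locked(username, self.method_id):
            return "LOCKED"
        ok = self.expected_passwords.get(username) == password
        counters.record(username, self.method_id, ok)
        return "OK" if ok else "FAILED"


def wrong_guesses_tolerated(flow_a_id, flow_b_id, limit=20):
    """How many wrong passwords flow B accepts before the user is locked when a correct login on
    flow A follows every wrong guess (the scenario in the description). Returns `limit` if the
    user is never locked."""
    counters = FailedAttemptCounters()
    flow_a = PasswordStep(flow_a_id, {"alice": "password-one"})
    flow_b = PasswordStep(flow_b_id, {"alice": "password-two"})
    wrong = 0
    while wrong < limit:
        if flow_b.authenticate(counters, "alice", f"wrong-{wrong}") == "LOCKED":
            return wrong
        wrong += 1
        flow_a.authenticate(counters, "alice", "password-one")  # flow A login resets its own counter
    return limit
```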
    Password Attribute Key (passwordAttributeKey)
    Description

    The optional key under which this password will be available in the identity propagation.

    The value can also be retrieved from the session using the "User Passwords Map" value map provider.

    If no key is configured, the password cannot be used by identity propagators.

    Important: Multiple Password Authentication steps or Mandatory Password Change steps which have the same value for this property might override each other's passwords.
    If you have configured a Mandatory Password Change step, you might consider using the same key.

    Note: This feature will not work together with end-to-end encryption.

    Attributes
    String
    Optional
    Suggested values
    PASSWORD
    Password Change Red Flag (passwordChangeRedFlag)
    Description
    Raises this red flag if a mandatory password change is required. This flag must then be handled by a later step.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.password.HttpBasicAuthenticationStepConfig
    id: HttpBasicAuthenticationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: PASSWORD
      charsetName: ISO-8859-1
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      passwordAttributeKey:
      passwordChangeRedFlag:
      passwordRepository:
      policyToCheckOnLogin:
      preCondition:
      realm: default
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
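
    Added example covering the "HTTP Basic Auth Identity Propagator" and the "HTTP Basic Authentication Step" entries (example code, not Airlock IAM's): resolving the username/password property values (@username, @password, @roles, STATIC:..., context data field) into the header value the gateway would send, honouring 'Allow Empty Passwords' and the configured encoding, plus the receiving side's decode with the step's 'Charset'. The session dict layout and all names are this example's assumptions.

```python
import base64


def resolve_property(spec, session):
    """Resolve a Username/Password Property value as listed in the propagator description.
    `session` is a constructed dict: username, optional password, roles, context data."""
    if spec == "@username":
        return session["username"]
    if spec == "@password":
        return session.get("password")  # None e.g. after certificate authentication
    if spec == "@roles":
        return ",".join(session.get("roles", []))  # roles as comma-separated list
    if spec.startswith("STATIC:"):
        return spec[len("STATIC:"):]  # the same fixed value for every user
    return session.get("context_data", {}).get(spec)  # a persisted context data field


def build_basic_auth_header(session, username_property="@username", password_property="@password",
                            allow_empty_passwords=False, encoding="UTF-8"):
    """Value of the Authorization header sent to the back-end on the user's behalf."""
    username = resolve_property(username_property, session)
    password = resolve_property(password_property, session)
    if not username:
        raise ValueError("no username available for identity propagation")
    if ":" in username:
        raise ValueError("a basic-auth username must not contain ':'")
    if not password:
        if not allow_empty_passwords:
            raise ValueError("empty password; enable 'Allow Empty Passwords' only if the backend accepts it")
        password = ""
    # The configured encoding decides how non-ASCII characters are sent; ISO-8859-1 cannot
    # represent e.g. the euro sign, and encode() raises UnicodeEncodeError for it.
    credentials = f"{username}:{password}".encode(encoding)
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def parse_basic_auth_header(header, charset="ISO-8859-1"):
    """Decode the header as the HTTP Basic Authentication Step does with its 'Charset' property.
    Splits at the first ':' so passwords may contain colons. Returns (username, password)."""
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        raise ValueError("not a Basic authentication header")
    decoded = base64.b64decode(encoded, validate=True).decode(charset)
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("credentials must have the form 'username:password'")
    return username, password
```

    A charset mismatch between the two sides (UTF-8 on one, ISO-8859-1 on the other) silently changes non-ASCII usernames and passwords, so the propagator's 'Encoding' and the step's 'Charset' must agree.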
    

    HTTP Client Config

    Description
    An HTTP client for HTTP and HTTPS connections.
    Class
    com.airlock.iam.core.misc.util.httpclient.HttpClientConfig
    May be used by
    Properties
    Connect Timeout (connectTimeout)
    Description
    The connection timeout in seconds. A timeout value of zero is interpreted as an infinite timeout.
    Attributes
    Integer
    Optional
    Default value
    30
    Basic Auth Credentials (basicAuthCredentials)
    Description
    The credentials for HTTP Basic Authentication. If configured, a Basic Authentication header is sent with each request. Note that the Basic Authentication header is not sent preemptively, it is expected that the server requests it by replying with a 401 status code and a "WWW-Authenticate: Basic" header to unauthenticated requests.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Verify Server Hostname (verifyServerHostname)
    Description

    Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

    Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Allow Only Trusted Certs (allowOnlyTrustedCerts)
    Description

    Only allow connections to servers whose certificate is trusted. See documentation of property "Trust Store Path" for more information about what certificates are trusted.

    Security warning: Trusting all certificates allows connections to adversarial hosts. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Trust Store Path (trustStorePath)
    Description

    Keystore file name containing trusted certificate issuers (and trusted certificates).

    If this property is not defined the following certificate issuers are trusted:

    • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
    • The list of issuers in a keystore referenced by system property "javax.net.ssl.trustStore" if defined in instance.properties using iam.java.opts.

    If this property is defined then the following certificate issuers are trusted:

    • The list of issuers in the referenced truststore file and no others.

    This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

    Attributes
    File/Path
    Optional
    Trust Store Type (trustStoreType)
    Description
    Identifies the type of the keystore.
    Attributes
    Enum
    Optional
    Default value
    JKS
    Trust Store Password (trustStorePassword)
    Description
    The password used to check the integrity of the trust store, or to unlock the trust store.

    The password must be provided if a trust store is specified.

    Attributes
    String
    Optional
    Sensitive
    Proxy Host (proxyHost)
    Description
    The hostname of the HTTP proxy server (if any).
    Attributes
    String
    Optional
    Example
    proxy.company.com
    Proxy Port (proxyPort)
    Description
    The port of the HTTP proxy server (if any).
    Attributes
    Integer
    Optional
    Proxy Login User (proxyLoginUser)
    Description
    Username for the HTTP proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Example
    proxyLogin
    Proxy Login Password (proxyLoginPassword)
    Description
    Password for the HTTP proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Sensitive
    User Agent (userAgent)
    Description
    An HTTP client sends a User-Agent header with each request to identify the client software. If no value or an empty value is specified, "Apache-HttpClient/4.1 (java 1.5)" is used as the user agent. This property allows overwriting the default user agent.
    Attributes
    String
    Optional
    Suggested values
    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0, Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36
    Correlation ID Header Name (correlationIdHeaderName)
    Description

    When configured, every request sent contains a header with the configured name carrying the correlation ID. If no value or an empty value is specified, or if no correlation ID is defined for the request, the correlation ID header is not sent.

    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9_-]+
    Suggested values
    X-Correlation-ID
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.httpclient.HttpClientConfig
    id: HttpClientConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowOnlyTrustedCerts: true
      basicAuthCredentials:
      connectTimeout: 30
      correlationIdHeaderName:
      proxyHost:
      proxyLoginPassword:
      proxyLoginUser:
      proxyPort:
      trustStorePassword:
      trustStorePath:
      trustStoreType: JKS
      userAgent:
      verifyServerHostname: true
    

    HTTP Client With Client Certificate

    Description
    An HTTP client for HTTPS connections where both the server and the client are authenticated using certificates (also known as mutual authentication).
    Class
    com.airlock.iam.core.misc.util.httpclient.HttpClientWithClientAuthConfig
    May be used by
    Properties
    Key Store Path (keyStorePath)
    Description
    The keystore file name containing the client certificate including both private and public key.
    Attributes
    File/Path
    Mandatory
    Key Store Type (keyStoreType)
    Description
    Identifies the type of the keystore.
    Attributes
    Enum
    Optional
    Default value
    JKS
    Key Store Password (keyStorePassword)
    Description
    The password used to check the integrity of the keystore, or to unlock the keystore.

    The password must be provided if a key store is specified.

    Attributes
    String
    Optional
    Sensitive
    Private Key Password (privateKeyPassword)
    Description
    The password to access the private key in the keystore stored at the key store path, in case the private key is password protected.
    Attributes
    String
    Optional
    Sensitive
    Connect Timeout (connectTimeout)
    Description
    The connection timeout in seconds. A timeout value of zero is interpreted as an infinite timeout.
    Attributes
    Integer
    Optional
    Default value
    30
    Basic Auth Credentials (basicAuthCredentials)
    Description
    The credentials for HTTP Basic Authentication. If configured, a Basic Authentication header is sent with each request. Note that the Basic Authentication header is not sent preemptively; the server is expected to request it by replying with a 401 status code and a "WWW-Authenticate: Basic" header to unauthenticated requests.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Verify Server Hostname (verifyServerHostname)
    Description

    Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

    Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Trust Store Path (trustStorePath)
    Description

    Keystore file name containing trusted certificate issuers (and trusted certificates).

    If this property is not defined the following certificate issuers are trusted:

    • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
    • The list of issuers in a keystore referenced by the system property "javax.net.ssl.trustStore" if it is defined in instance.properties using iam.java.opts.

    If this property is defined then the following certificate issuers are trusted:

    • The list of issuers in the referenced truststore file and no others.

    This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

    Attributes
    File/Path
    Optional
    Trust Store Type (trustStoreType)
    Description
    Identifies the type of the keystore.
    Attributes
    Enum
    Optional
    Default value
    JKS
    Trust Store Password (trustStorePassword)
    Description
    The password used to check the integrity of the trust store, or to unlock the trust store.

    The password must be provided if a trust store is specified.

    Attributes
    String
    Optional
    Sensitive
    Proxy Host (proxyHost)
    Description
    The hostname of the HTTP proxy server (if any).
    Attributes
    String
    Optional
    Example
    proxy.company.com
    Proxy Port (proxyPort)
    Description
    The port of the HTTP proxy server (if any).
    Attributes
    Integer
    Optional
    Proxy Login User (proxyLoginUser)
    Description
    Username for the HTTP proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Example
    proxyLogin
    Proxy Login Password (proxyLoginPassword)
    Description
    Password for the HTTP proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Sensitive
    User Agent (userAgent)
    Description
    An HTTP client sends a User-Agent header with each request to identify the client software. If no value or an empty value is specified, "Apache-HttpClient/4.1 (java 1.5)" is used as the user agent. This value allows the default user agent to be overwritten.
    Attributes
    String
    Optional
    Suggested values
    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0, Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36
    Correlation ID Header Name (correlationIdHeaderName)
    Description

    When configured, every request sent contains a header with the configured name carrying the correlation ID. If no value or an empty value is specified, the correlation ID header is not sent.

    If the correlation ID itself is not defined, the correlation ID header is likewise not included in sent requests.

    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9_-]+
    Suggested values
    X-Correlation-ID
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.httpclient.HttpClientWithClientAuthConfig
    id: HttpClientWithClientAuthConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      basicAuthCredentials:
      connectTimeout: 30
      correlationIdHeaderName:
      keyStorePassword:
      keyStorePath:
      keyStoreType: JKS
      privateKeyPassword:
      proxyHost:
      proxyLoginPassword:
      proxyLoginUser:
      proxyPort:
      trustStorePassword:
      trustStorePath:
      trustStoreType: JKS
      userAgent:
      verifyServerHostname: true
    

    HTTP GET Step

    Description
    This on-behalf login step performs an HTTP GET request on the defined URL.
    Class
    com.airlock.iam.core.misc.impl.sso.onbehalflogin.HttpGetOnBehalfLoginStep
    May be used by
    Properties
    Target Application Login Page URL (targetApplicationLoginPageUrl)
    Description
    URL of the target application's page to connect.
    Attributes
    String
    Mandatory
    Example
    http://foo.bar.ch/login.php
    Example
    https://secure.ergon.ch/auth/login
    Query Parameters (queryParameters)
    Description
    The HTTP query parameters to be added to the target URL. This implementation supports template syntax using ${variable} in parameters. Available variables are all values provided to the identity propagation.

    If the query parameter is already defined in the target URL, the value defined through this configuration will be added to the existing values.

    If the same parameter name is configured multiple times, the values will be added to the existing values in order of the configured list.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    On Behalf Login Step Validator (onBehalfLoginStepValidator)
    Description
    An optional validator that validates the response of this step.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Additional Headers (additionalHeaders)
    Description
    A list of headers to add to the standard headers of the HTTP client. It is possible to add multiple headers with the same name.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.onbehalflogin.HttpGetOnBehalfLoginStep
    id: HttpGetOnBehalfLoginStep-xxxxxx
    displayName: 
    comment: 
    properties:
      additionalHeaders:
      onBehalfLoginStepValidator:
      queryParameters:
      targetApplicationLoginPageUrl:
    

    HTTP Header

    Description
    Defines an HTTP header.
    Class
    com.airlock.iam.login.app.misc.configuration.oneshot.HTTPHeader
    May be used by
    License-Tags
    OneShotAuthentication
    Properties
    Name (name)
    Description
    The name of the header.
    Attributes
    String
    Mandatory
    License-Tags
    OneShotAuthentication
    Example
    Location
    Example
    Server
    Example
    WWW-Authenticate
    Value (value)
    Description
    The value of the header.
    Attributes
    String
    Mandatory
    License-Tags
    OneShotAuthentication
    Example
    http://www.example.com
    Example
    Apache/1.3.27 (Unix) (Red-Hat/Linux)
    Example
    Bearer realm="myrealm", error="invalid_request"
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oneshot.HTTPHeader
    id: HTTPHeader-xxxxxx
    displayName: 
    comment: 
    properties:
      name:
      value:
    

    HTTP Header Identity Propagator

    Description
    An identity propagator that sets an HTTP header on an Airlock Gateway (WAF) mapping using the control API.

    This propagator only works together with the Airlock Gateway. Using the control API (control cookie), this identity propagator plugin stores one or more HTTP headers with information selected from the authentee (username, roles, context-data) or statically configured values in the Airlock header. Each header can be stored on one or more specific Gateway mappings or on all mappings. Airlock then appends the HTTP header(s) to back-end requests of the corresponding mapping(s) so that the back-end(s) can use them.

    Class
    com.airlock.iam.core.misc.impl.sso.HttpHeaderIdentityPropagator
    May be used by
    Properties
    Control Cookie Name (controlCookieName)
    Description
    The name of the Airlock control cookie. The name must match the control cookie name defined in the Airlock server.
    Attributes
    String
    Optional
    Default value
    AL_CONTROL
    Suggested values
    AL_CONTROL
    Headers (headers)
    Description
    Defines a number of values to propagate as HTTP headers using the Airlock back-end control API.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.HttpHeaderIdentityPropagator
    id: HttpHeaderIdentityPropagator-xxxxxx
    displayName: 
    comment: 
    properties:
      controlCookieName: AL_CONTROL
      headers:
    

    HTTP Header Token Extractor (as SSO Credential)

    Description

    Extracts a token from an HTTP header, decodes it using the specified ticket decoder (e.g. JWT) and provides a "Single-Sign-On-Credential" to the authenticator.
    This extractor can be used to verify JWTs in "Authorization" headers (to remove the "Bearer " prefix from the header value, use "Header Value Conversion Pattern" and "Header Value Conversion Replacement").

    This extractor can only be used with authenticators that are able to process Single-Sign-On-Credentials (e.g. the "SSO Credential Authenticator").

    Class
    com.airlock.iam.login.app.misc.configuration.oneshot.HttpHeaderTokenExtractorConfig
    May be used by
    License-Tags
    OneShotAuthentication
    Properties
    Header Name (headerName)
    Description
    The name of the header.
    Attributes
    String
    Mandatory
    License-Tags
    OneShotAuthentication
    Example
    Authorization
    URL Encoding Scheme (urlEncodingScheme)
    Description
    The character set used for the URL encoding of the header value.
    Attributes
    String
    Optional
    License-Tags
    OneShotAuthentication
    Default value
    UTF-8
    Allowed values
    UTF-8, ISO-8859-1, UTF-16, UTF-16BE, UTF-16LE, US-ASCII
    Decoder (decoder)
    Description
    The ticket decoder to decode the value of the HTTP header.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    OneShotAuthentication
    Assignable plugins
    Username Key (usernameKey)
    Description
    The name (key) under which the extracted username is stored in the ticket (and therefore in the "SSO Credential").
    Attributes
    String
    Optional
    License-Tags
    OneShotAuthentication
    Default value
    username
    Roles Key (rolesKey)
    Description
    The ticket key under which the extracted roles are stored in the ticket (and therefore in the "SSO Credential").
    Attributes
    String
    Optional
    License-Tags
    OneShotAuthentication
    Default value
    roles
    Context Properties (contextProperties)
    Description
    The keys in the ticket that are used as attributes in the credential under the same key name. These are later used as context-data fields. Note that each key must have only one value attached (unlike roles, which has multiple values). Moreover, if there is no entry for a given key, the corresponding attribute value is set to null.
    Attributes
    String-List
    Optional
    License-Tags
    OneShotAuthentication
    Header Value Conversion Pattern (headerValueConversionPattern)
    Description

    Regular expression pattern containing a group (a section in parentheses) that can be used in conjunction with property "Header Value Conversion Replacement" in order to transform the header value before it is decoded. If the header value does not match the pattern at all, no transformation is performed.

    Example: The pattern "^Bearer (.*)$" and the replacement pattern "$1" will transform the header value "Bearer ABCD1234" to "ABCD1234" before it is decoded.

    Attributes
    RegEx
    Optional
    License-Tags
    OneShotAuthentication
    Header Value Conversion Replacement (headerValueConversionReplacement)
    Description
    The replacement string used in conjunction with property "Header Value Conversion Pattern" in order to transform the header value. The token "$1" is used to reference the string matching the group in the pattern. See property "Header Value Conversion Pattern" for examples.
    Attributes
    String
    Optional
    License-Tags
    OneShotAuthentication
    Example
    $1
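The two conversion properties above describe a regex-and-replacement step applied to the header value before it reaches the ticket decoder. The following Python is an added illustration written for this page, not Airlock IAM code: it reproduces the documented semantics (no pattern or no match leaves the value untouched; "$1" refers to the first group) for a case-insensitive header lookup. URL-decoding the value with the configured scheme before the conversion, and the `headers`/`SAMPLE_HEADERS` shapes, are assumptions of the example.

```python
import re
from urllib.parse import unquote


def convert_header_value(header_value, pattern=None, replacement=None):
    """Transform a header value with a conversion pattern and replacement.

    Follows the documented behaviour: when no pattern is configured, or the
    value does not match the pattern at all, the value is returned unchanged.
    Otherwise the replacement is expanded, where "$1" refers to the first
    group of the pattern (Java-style group references, as in the reference).
    """
    if not pattern:
        return header_value
    match = re.search(pattern, header_value)
    if match is None:
        return header_value
    # Translate "$n" group references to Python's "\g<n>" template syntax.
    template = re.sub(r"\$(\d+)", r"\\g<\1>", replacement or "")
    return match.expand(template)


def extract_header_token(headers, header_name, pattern=None, replacement=None,
                         url_encoding_scheme="UTF-8"):
    """Pick the named header (case-insensitive) and return the converted token.

    `headers` is a list of (name, value) pairs so that repeated headers can be
    represented; the first header with a matching name is used. URL-decoding
    with the configured scheme before the pattern conversion is an assumption
    of this example, not documented behaviour. Returns None when the header is
    absent so the caller can reject the request instead of decoding an empty
    credential.
    """
    for name, value in headers:
        if name.lower() == header_name.lower():
            decoded = unquote(value, encoding=url_encoding_scheme.lower())
            return convert_header_value(decoded, pattern, replacement)
    return None


# Constructed sample request headers (not taken from the reference).
SAMPLE_HEADERS = [
    ("Host", "iam.example.test"),
    ("authorization", "Bearer ABCD1234"),
]

if __name__ == "__main__":
    print(extract_header_token(SAMPLE_HEADERS, "Authorization",
                               r"^Bearer (.*)$", "$1"))
```

Anchoring the pattern (`^...$`) matters: an unanchored `Bearer (.*)` would also accept a value such as `Basic xyz Bearer ABCD`, handing the decoder a token the client never presented as its bearer credential.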
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oneshot.HttpHeaderTokenExtractorConfig
    id: HttpHeaderTokenExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextProperties:
      decoder:
      headerName:
      headerValueConversionPattern:
      headerValueConversionReplacement:
      rolesKey: roles
      urlEncodingScheme: UTF-8
      usernameKey: username
    

    HTTP Header Token Extractor (as Token Credential)

    Description

    Extracts a value from a specified HTTP header and provides it to the authenticator as "Token Credential".

    This extractor is suitable for authenticators that are able to process token credentials, such as the "Token Authenticator" or the "OAuth 2.0 Access Token Authenticator".

    Class
    com.airlock.iam.login.app.misc.oneshot.impl.HeaderTokenCredentialExtractorFactory
    May be used by
    License-Tags
    OneShotAuthentication
    Properties
    Header Name (headerName)
    Description
    The name of the header bearing the value to be extracted.
    Attributes
    String
    Mandatory
    License-Tags
    OneShotAuthentication
    Example
    X-Login-OTP
    Example
    X-LOGIN-TOKEN
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.HeaderTokenCredentialExtractorFactory
    id: HeaderTokenCredentialExtractorFactory-xxxxxx
    displayName: 
    comment: 
    properties:
      headerName:
    

    HTTP Instance Digest Verification

    Description
    Verifies the HTTP Instance Digest according to RFC 3230.
    Class
    com.airlock.iam.login.app.misc.oneshot.impl.HttpInstanceDigestVerificationConfig
    May be used by
    Properties
    Allowed Algorithms (allowedAlgorithms)
    Description
    Allowed algorithms that the digest must use.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Audit Logger (auditLogger)
    Description
    Enables logging of digest verification information. Successfully verified digests and request body contents will be logged. This allows digests to be verified at a later point in time.

    Security Warning: Request bodies often contain sensitive information and should therefore not be logged. If this feature is enabled, it is highly recommended that these logs are redirected to a special destination using the Logger Name.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
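To make concrete what "verifying the HTTP Instance Digest according to RFC 3230" against a list of allowed algorithms involves, here is an added Python example written for this page (it is not Airlock IAM's implementation). It parses a `Digest` header of the form `SHA-256=<base64>`, recomputes the digest over the body, and compares in constant time. The verification policy (every digest using an allowed algorithm must match, at least one must be present, digests with non-allowed algorithms are ignored rather than trusted), the algorithm table, and the sample body are assumptions of the example.

```python
import base64
import binascii
import hashlib
import hmac

# Digest algorithm tokens (RFC 3230, extended by RFC 5843) mapped to hashlib names.
DIGEST_ALGORITHMS = {
    "sha-256": "sha256",
    "sha-512": "sha512",
    "sha": "sha1",
    "md5": "md5",
}


def parse_digest_header(value):
    """Parse "algo=base64, algo=base64" into {algorithm (lowercase): encoded}."""
    digests = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        algorithm, sep, encoded = part.partition("=")
        if not sep or not algorithm.strip():
            raise ValueError("malformed instance-digest: %r" % part)
        digests[algorithm.strip().lower()] = encoded.strip()
    return digests


def verify_instance_digest(body, digest_header, allowed_algorithms):
    """Return True only if the body matches an allowed digest from the header.

    Policy of this example: every digest computed with an allowed algorithm
    must match, at least one such digest must be present, and digests using
    algorithms that are not allowed are ignored rather than trusted.
    """
    allowed = {a.lower() for a in allowed_algorithms}
    try:
        digests = parse_digest_header(digest_header)
    except ValueError:
        return False
    verified = False
    for algorithm, encoded in digests.items():
        if algorithm not in allowed or algorithm not in DIGEST_ALGORITHMS:
            continue
        try:
            provided = base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError):
            return False
        expected = hashlib.new(DIGEST_ALGORITHMS[algorithm], body).digest()
        # Constant-time comparison avoids leaking digest bytes through timing.
        if not hmac.compare_digest(expected, provided):
            return False
        verified = True
    return verified


def make_digest_header(body, algorithm):
    """Build a Digest header value for a body (used here to construct samples)."""
    raw = hashlib.new(DIGEST_ALGORITHMS[algorithm.lower()], body).digest()
    return "%s=%s" % (algorithm, base64.b64encode(raw).decode("ascii"))


# Constructed sample request body (not taken from the reference).
SAMPLE_BODY = b'{"account": "12345", "amount": 250}'

if __name__ == "__main__":
    header = make_digest_header(SAMPLE_BODY, "SHA-256")
    print(header, verify_instance_digest(SAMPLE_BODY, header, ["SHA-256"]))
```

Restricting the allowed algorithms is what gives the check its value: a body that only carries an `MD5=` digest fails verification when the configuration allows only SHA-256, instead of being accepted on the strength of a collision-prone hash.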
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.HttpInstanceDigestVerificationConfig
    id: HttpInstanceDigestVerificationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedAlgorithms:
      auditLogger:
    

    HTTP Parameter

    Description
    An HTTP parameter consisting of a name and a value.
    Class
    com.airlock.iam.core.misc.util.httpclient.HttpParameter
    May be used by
    Properties
    Name (name)
    Description
    The name of the HTTP parameter.
    Attributes
    String
    Mandatory
    Example
    uid
    Example
    userId
    Example
    username
    Example
    contractNo
    Value (value)
    Description
    The value of the HTTP parameter. Some enclosing plugins might provide a template substitution mechanism. Please check the property description.
    Attributes
    String
    Mandatory
    Example
    submit
    Example
    LOGIN
    Example
    ${user-id}
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.httpclient.HttpParameter
    id: HttpParameter-xxxxxx
    displayName: 
    comment: 
    properties:
      name:
      value:
    

    HTTP Parameter Context Extractor Pattern

    Description
    A regular expression pattern and its resulting configuration context.
    Class
    com.airlock.iam.core.misc.util.context.ContextPatternForHttpParameterContextExtractor
    May be used by
    Properties
    Pattern (pattern)
    Description
    A regular expression pattern matched against the HTTP parameter value.
    Attributes
    RegEx
    Mandatory
    Configuration Context (configurationContext)
    Description
    The configuration context identifier.
    Use "[DEFAULT]" to explicitly return the default context.
    Attributes
    String
    Mandatory
    Example
    CTX1
    Example
    EXT
    Example
    [DEFAULT]
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.context.ContextPatternForHttpParameterContextExtractor
    id: ContextPatternForHttpParameterContextExtractor-xxxxxx
    displayName: 
    comment: 
    properties:
      configurationContext:
      pattern:
    

    HTTP Password Service

    Description
    Performs a password change operation by sending an HTTP POST request to a configured URL. Only the changePassword operation is supported. Additional parameters may be sent to the password change URL, either static values or user attributes.
    Class
    com.airlock.iam.core.misc.impl.authen.HttpPasswordService
    May be used by
    Properties
    Password Change URL (passwordChangeUrl)
    Description
    The full URL of the application that provides the password change functionality. A POST request is sent to this URL simulating a login.
    See note in plug-in description when using SSL (HTTPS instead of HTTP).
    Attributes
    String
    Mandatory
    Example
    http://someapp.somehost.com/auth/passwordchange
    Example
    https://securehost.com/changepassword.php
    HTTP Parameter Username (httpParamUsername)
    Description
    The name of the HTTP parameter for the username.
    Attributes
    String
    Mandatory
    Example
    uid
    Example
    userId
    Example
    username
    Example
    contractNo
    User Persister (userPersister)
    Description
    User persister that is used to load the user data so that user attributes can be passed on to the password change URL.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    User Data Parameters (userDataParams)
    Description
    List of user record values that are sent with the request when changing the password.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Static Parameters (staticParams)
    Description
    List of fixed (statically defined) HTTP parameters that are sent with the request when changing the password.

    In many cases, the submit button value must be sent to an application to make it think that the button has been pressed.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    HTTP Parameter Old Password (httpParamOldPassword)
    Description
    The name of the HTTP parameter for the old password.
    Attributes
    String
    Mandatory
    Example
    oldpassword
    Example
    existingpassphrase
    HTTP Parameter New Password (httpParamNewPassword)
    Description
    The name of the HTTP parameter for the new password.
    Attributes
    String
    Mandatory
    Example
    password
    Example
    passphrase
    Expected Response Status Code (expectedResponseStatusCode)
    Description
    The expected HTTP response code that signals a successful password change.

    The response status code is always checked on password changes. A password change is successful if the response status code equals the expected status code. Additionally, a pattern can be searched for in the response body using the "expected response body pattern" configuration property.

    Attributes
    Integer
    Optional
    Default value
    200
    Expected Response Body Pattern (expectedResponseBodyPattern)
    Description
    A pattern that is searched in the response to the password change request. If this property is set the pattern will be searched in the response body in addition to the response status code check.
    Attributes
    RegEx
    Optional
    Allow Only Trusted Certs (allowOnlyTrustedCerts)
    Description

    Only allow connections to servers whose certificate is trusted. See documentation of property "Trust Store Path" for more information about what certificates are trusted.

    Security warning: Trusting all certificates allows connections to adversarial hosts. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Verify Server Hostname (verifyServerHostname)
    Description

    Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

    Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Trust Store Path (trustStorePath)
    Description

    Keystore file name containing trusted certificate issuers (and trusted certificates).

    If this property is not defined the following certificate issuers are trusted:

    • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
    • The list of issuers in a keystore referenced by the system property "javax.net.ssl.trustStore" if it is defined in instance.properties using iam.java.opts.

    If this property is defined then the following certificate issuers are trusted:

    • The list of issuers in the referenced truststore file and no others.

    This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

    Attributes
    File/Path
    Optional
    Trust Store Type (trustStoreType)
    Description
    Identifies the type of the keystore.
    Attributes
    String
    Optional
    Default value
    JKS
    Allowed values
    JKS, PKCS12
    Trust Store Password (trustStorePassword)
    Description
    The password used to verify the authenticity of the trust store.

    Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

    • JKS: the keystore can be opened and used but the integrity of the keystore is not checked.
    • PKCS12: an error occurs.

    Attributes
    String
    Optional
    Sensitive
    Connection Timeout [s] (connectTimeout)
    Description
    The connection timeout in seconds. A timeout value of zero is interpreted as an infinite timeout.
    Attributes
    Integer
    Optional
    Default value
    10
    Correlation ID Header Name (correlationIdHeaderName)
    Description

    When configured, every request sent contains a header with the configured name carrying the correlation ID. If no value or an empty value is specified, the correlation ID header is not sent.

    If the correlation ID itself is not defined, the correlation ID header is likewise not included in sent requests.

    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9_-]+
    Suggested values
    X-Correlation-ID
    Proxy Host (proxyHost)
    Description
    The hostname of the HTTP proxy server (if any).
    Attributes
    String
    Optional
    Example
    proxy.company.com
    Proxy Port (proxyPort)
    Description
    The port of the HTTP proxy server (if any).
    Attributes
    Integer
    Optional
    Proxy Login User (proxyLoginUser)
    Description
    Username for the HTTP proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Proxy Login Password (proxyLoginPassword)
    Description
    Password for the HTTP proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Sensitive
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.HttpPasswordService
    id: HttpPasswordService-xxxxxx
    displayName: 
    comment: 
    properties:
      allowOnlyTrustedCerts: true
      connectTimeout: 10
      correlationIdHeaderName:
      expectedResponseBodyPattern:
      expectedResponseStatusCode: 200
      httpParamNewPassword:
      httpParamOldPassword:
      httpParamUsername:
      passwordChangeUrl:
      proxyHost:
      proxyLoginPassword:
      proxyLoginUser:
      proxyPort:
      staticParams:
      trustStorePassword:
      trustStorePath:
      trustStoreType: JKS
      userDataParams:
      userPersister:
      verifyServerHostname: true
    

    HTTP POST Step

    Description
    This on-behalf login step submits a form using HTTP POST. Typically this is the final step in the on-behalf login process.
    Class
    com.airlock.iam.core.misc.impl.sso.onbehalflogin.HttpPostOnBehalfLoginStep
    May be used by
    Properties
    Target URL (targetUrl)
    Description
    The target URL of the HTTP POST request.
    Attributes
    String
    Mandatory
    Example
    https://someapp.somehost.com/auth/login
    Example
    https://securehost.com/login.php
    POST Parameters (postParameters)
    Description
    The HTTP POST parameters of the request. This implementation supports template syntax using ${variable} in parameters. Available variables are all values provided to the identity propagation.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    HTTP Parameter Encoding (httpParameterEncoding)
    Description
    POST parameter encoding charset.
    Attributes
    String
    Optional
    Default value
    UTF-8
    Example
    UTF-8
    Example
    ISO-8859-1
    Example
    ISO-8859-15
    Query Parameters (queryParameters)
    Description
    The HTTP query parameters to be added to the target URL. This implementation supports template syntax using ${variable} in parameters. Available variables are all values provided to the identity propagation.

    If the query parameter is already defined in the target URL, the value defined through this configuration will be added to the existing values.

    If the same parameter name is configured multiple times, the values will be added to the existing values in order of the configured list.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    On Behalf Login Step Validator (onBehalfLoginStepValidator)
    Description
    An optional validator that validates the response of this step.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Additional Headers (additionalHeaders)
    Description
    A list of headers to add to the standard headers of the HTTP client. It is possible to add multiple headers with the same name.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.onbehalflogin.HttpPostOnBehalfLoginStep
    id: HttpPostOnBehalfLoginStep-xxxxxx
    displayName: 
    comment: 
    properties:
      additionalHeaders:
      httpParameterEncoding: UTF-8
      onBehalfLoginStepValidator:
      postParameters:
      queryParameters:
      targetUrl:
    

    HTTP Query Parameter Context Extractor

    Description
    A context extractor that matches against an HTTP query parameter in the request and compares the parameter value with a list of patterns. The first matching pattern defines the resulting context.

    Notices:

    1. This extractor matches on any request to the UI application (/ui/app/*) but not on other (usually static) /ui resources.
    2. Most REST requests are POST requests and usually do not contain any query parameters. This context extractor cannot analyze the contents of POST requests.
    3. Only for legacy servlets (e.g. Cronto servlets) does this extractor also match on form POST parameters.

    Class
    com.airlock.iam.core.misc.util.context.HttpParameterContextExtractor
    May be used by
    Properties
    HTTP Parameter Name (httpParameterName)
    Description
    The name of the HTTP parameter. The name is case sensitive, i.e. parameters match this name only if case is identical. If more than one parameter in the request matches, the result is undefined.
    Attributes
    String
    Mandatory
    Example
    USERNAME
    Example
    MANDATE
    Fallback Context (fallbackContext)
    Description
    Name of the context to be used if it cannot be determined by the HTTP parameter.
    Leave empty to implicitly use the default context. If this plugin is used within a "Combining Context Extractor", use "[DEFAULT]" to explicitly return the default context if necessary.
    Attributes
    String
    Optional
    Example
    CTX1
    Example
    EXT
    Example
    [DEFAULT]
    Parameters (parameters)
    Description
    Defines a list of mappings from regular expressions to configuration contexts. The regular expressions are matched against the parameter value. If one matches, the corresponding configuration context is used and no further patterns are considered (thus the first match wins).
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
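The three properties above together define a small decision procedure: pick the named query parameter (case-sensitively), try the patterns in order, and fall back when nothing matches, with "[DEFAULT]" naming the default context explicitly. The Python below is an added example for this page, not Airlock IAM code. It treats the undefined case of several parameters with the same name as "context cannot be determined" (so the fallback applies), and applies patterns with `re.search`; both choices, along with the `SAMPLE_PATTERNS` mapping, are assumptions of the example.

```python
import re

DEFAULT_CONTEXT = "[DEFAULT]"


def _normalize(context):
    """Empty and "[DEFAULT]" both denote the default context (returned as None)."""
    return None if context in ("", None, DEFAULT_CONTEXT) else context


def resolve_context(query_params, parameter_name, patterns, fallback_context=""):
    """Resolve the configuration context from one HTTP query parameter.

    query_params: list of (name, value) pairs from the request.
    patterns:     ordered list of (regex, context) mappings; first match wins.
    Parameter names are compared case-sensitively. The reference leaves the
    result undefined when several parameters match the name; this example
    treats that as "context cannot be determined" and uses the fallback.
    Patterns are applied with re.search here, an assumption of this example.
    """
    values = [value for name, value in query_params if name == parameter_name]
    if len(values) == 1:
        for pattern, context in patterns:
            if re.search(pattern, values[0]):
                return _normalize(context)
    return _normalize(fallback_context)


# Constructed mappings, not taken from the reference: external mandates,
# six-digit contract numbers, and an explicit default for everything else.
SAMPLE_PATTERNS = [
    (r"^EXT-", "EXT"),
    (r"^[0-9]{6}$", "CTX1"),
    (r".*", DEFAULT_CONTEXT),
]

if __name__ == "__main__":
    request = [("MANDATE", "EXT-4711"), ("lang", "en")]
    print(resolve_context(request, "MANDATE", SAMPLE_PATTERNS, "CTX1"))
```

Because the first match wins, a broad pattern such as `.*` placed anywhere but last would shadow the more specific mappings after it; ordering the list from most to least specific is part of the configuration, not something the extractor corrects.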
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.context.HttpParameterContextExtractor
    id: HttpParameterContextExtractor-xxxxxx
    displayName: 
    comment: 
    properties:
      fallbackContext:
      httpParameterName:
      parameters:
    

    HTTP Request Body Is Present

    Description
    Checks if a request body is present in the request.
    Class
    com.airlock.iam.login.app.misc.oneshot.impl.HttpRequestBodyPresentConditionConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.HttpRequestBodyPresentConditionConfig
    id: HttpRequestBodyPresentConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    HTTP Request Client IP Extractor

    Description
    Extracts the client IP address of the incoming HTTP request. The client IP address is required by IAM in various places, e.g. when writing log files.
    Class
    com.airlock.iam.common.application.configuration.gateway.extractor.ClientIpExtractorConfig
    May be used by
    Properties
    HTTP Header Name (httpHeaderName)
    Description
    HTTP header name whose value contains the IP address.

    The HTTP header name must be identical to the configured HTTP header name on the proxy in front of IAM. HTTP header names are case-insensitive. The first header matching this configuration is processed. If the header value has multiple comma-separated IP addresses, the first value is considered. If no matching header or no valid IP address is found, the IP address of the request source is used.

    The HTTP header name consists of any visible ASCII characters except: "(),/:;<=>?@[\]{}".

    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9!#$%&'*+\-.^_`|~]+
    Default value
    X-Forwarded-For
    Example
    X-Forwarded-For
    Example
    X-Client-IP
    Ignore Private IP Addresses (ignorePrivateIpAddresses)
    Description
    Whether private IP addresses should be ignored or not.

    The X-Forwarded-For header may contain multiple comma-separated IP addresses of proxies before IAM. Public and private IP addresses are allowed in this header. When this option is:

    • checked: the first public IP address is used. Potential private IP addresses before the public IP address are ignored.
    • unchecked: the first public or private IP address is used.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.gateway.extractor.ClientIpExtractorConfig
    id: ClientIpExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      httpHeaderName: X-Forwarded-For
      ignorePrivateIpAddresses: false
    

    HTTP Request Header Is Present

    Description
    Checks if the header is present in the request.
    Class
    com.airlock.iam.login.app.misc.oneshot.impl.HttpRequestHeaderPresentConditionConfig
    May be used by
    Properties
    HTTP Request Header (httpSignatureHeader)
    Description
    The header that must be present in the request for this condition to be met.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.HttpRequestHeaderPresentConditionConfig
    id: HttpRequestHeaderPresentConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      httpSignatureHeader:
    

    HTTP Request Header Value Provider

    Description
    Provides the value of an HTTP header from the current HTTP request.

    Only the current request is considered. In case the same header was set in a previous request, but not the current one, the value provider will provide no value.

    Class
    com.airlock.iam.common.application.configuration.valueprovider.HttpRequestHeaderStringValueProviderConfig
    May be used by
    Properties
    Header Name (headerName)
    Description
    The name of the HTTP header of which the value will be extracted from the current request.
    Attributes
    String
    Mandatory
    Allowed Header Value Pattern (allowedHeaderValuePattern)
    Description
    In case a header is present, its value has to match the configured Regex pattern. Otherwise, no value will be returned.
    Attributes
    RegEx
    Optional
    Default value
    [a-zA-Z0-9 ._-]+
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.valueprovider.HttpRequestHeaderStringValueProviderConfig
    id: HttpRequestHeaderStringValueProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedHeaderValuePattern: [a-zA-Z0-9 ._-]+
      headerName:
    

    HTTP Request ID Extractor

    Description
    Extracts the ID of the incoming HTTP request. The request ID is required by IAM in various places, e.g. when writing log files. Only IDs with a length of 2 to 256 printable ASCII characters are accepted.
    Class
    com.airlock.iam.common.application.configuration.gateway.extractor.RequestIdExtractorConfig
    May be used by
    Properties
    HTTP Header Name (httpHeaderName)
    Description
    HTTP header name whose value contains the request ID.

    The HTTP header name must be identical to the configured HTTP header name on the proxy in front of IAM. HTTP header names are case-insensitive. If multiple identical HTTP header names are present, only the first one is considered. The HTTP header value is expected to be a single-value string.

    The HTTP header name consists of any visible ASCII characters except delimiters "(),/:;<=>?@[\]{}".

    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9!#$%&'*+\-.^_`|~]+
    Default value
    X-Request-ID
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.gateway.extractor.RequestIdExtractorConfig
    id: RequestIdExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      httpHeaderName: X-Request-ID
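
    The Client IP Extractor, Request ID Extractor and Request Header Value Provider above all derive request metadata from headers that a proxy in front of IAM is expected to set, and each states its own acceptance rule. The following Python snippet is an added illustration written for this reference, not Airlock IAM's own code: it models those rules on a constructed header list and marks as assumptions the two points the descriptions leave open (a non-address token where an address is expected counts as "no valid IP" and triggers the fallback to the request source; the allowed header value pattern has to match the whole value).

```python
"""Illustrative re-implementation (not Airlock IAM code) of the header-based
extraction rules described for the Client IP Extractor, Request ID Extractor
and Request Header Value Provider plugins."""
import ipaddress
import re

# Visible ASCII except the delimiters "(),/:;<=>?@[\]{}": the page's validation regex.
HEADER_NAME_RE = re.compile(r"[a-zA-Z0-9!#$%&'*+\-.^_`|~]+")


def valid_header_name(name):
    """True if `name` would pass the plugins' header-name validation."""
    return HEADER_NAME_RE.fullmatch(name) is not None


def first_header(headers, name):
    """Value of the first header matching `name`. HTTP header names are
    case-insensitive, and later duplicates are ignored as the page states."""
    wanted = name.lower()
    return next((v for k, v in headers if k.lower() == wanted), None)


def extract_client_ip(headers, peer_address, header_name="X-Forwarded-For",
                      ignore_private=False):
    """Client IP as described for ClientIpExtractorConfig: the first address in
    the configured header, skipping private addresses when `ignore_private` is
    set; the socket peer address when no header or no valid address is found.
    Assumption: a token that is not an IP address where one is expected counts
    as 'no valid IP' and triggers the fallback."""
    value = first_header(headers, header_name)
    if value is None:
        return peer_address
    for token in value.split(","):
        try:
            addr = ipaddress.ip_address(token.strip())
        except ValueError:
            return peer_address
        if ignore_private and addr.is_private:
            continue  # proxies before IAM are skipped, first public address wins
        return str(addr)
    return peer_address  # header held only private addresses


def extract_request_id(headers, header_name="X-Request-ID"):
    """Request ID as described for RequestIdExtractorConfig: only values of 2 to
    256 printable ASCII characters are accepted; anything else yields None."""
    value = first_header(headers, header_name)
    if value is None or not 2 <= len(value) <= 256:
        return None
    if not all(0x20 <= ord(c) <= 0x7E for c in value):
        return None
    return value


def header_value(headers, header_name, allowed_pattern=r"[a-zA-Z0-9 ._-]+"):
    """Header value as described for HttpRequestHeaderStringValueProviderConfig:
    the value must match the allowed pattern or no value is provided.
    Assumption: the whole value must match (fullmatch), not just a substring."""
    value = first_header(headers, header_name)
    if value is None or re.fullmatch(allowed_pattern, value) is None:
        return None
    return value


# Constructed sample: the header list as a proxy in front of IAM might forward it.
SAMPLE_HEADERS = [
    ("Host", "iam.example.invalid"),
    ("x-forwarded-for", "10.0.0.5, 192.168.7.9, 130.0.113.5"),
    ("X-Request-ID", "f3a9c2e1-example"),
    ("X-Tenant", "acme retail"),
    ("X-Tenant", "ignored duplicate"),
]
SAMPLE_PEER = "10.20.30.40"  # constructed TCP peer address (the proxy itself)

if __name__ == "__main__":
    print(extract_client_ip(SAMPLE_HEADERS, SAMPLE_PEER))                       # 10.0.0.5
    print(extract_client_ip(SAMPLE_HEADERS, SAMPLE_PEER, ignore_private=True))  # 130.0.113.5
    print(extract_request_id(SAMPLE_HEADERS))                                   # f3a9c2e1-example
    print(header_value(SAMPLE_HEADERS, "X-Tenant"))                             # acme retail
```

    The values these functions return only mean what the log reader thinks they mean if the proxy named in the description actually overwrites the header on every request; a deployment in which IAM is reachable without that proxy would log whatever a client chose to send, which is why the header name is required to match the proxy configuration exactly.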
    

    HTTP Request Information Map

    Description

    Provides information about the current HTTP request.

    Currently, the following values are provided:

    • client-ip: IP address of the client which issued the HTTP request (if available). Can be either IPv4 or IPv6.
    • client-ip-v4: IPv4 address of the client which issued the HTTP request (if IPv4 address information is available).
    • client-ip-v6: IPv6 address of the client which issued the HTTP request (if IPv6 address information is available).
    • session-id: ID of the session on the Gateway. Not available if no Gateway is used.
    • request-id: ID of the request on the Gateway. Not available if no Gateway is used.
    • correlation-id: Correlation ID of the request (if any).
    • request-url: URL of the HTTP request.

    The following additional values can be provided, if a geolocation provider is configured in the Loginapp:

    • client-latitude: Geographical latitude coordinate (WGS84) of the client based on its IP.
    • client-longitude: Geographical longitude coordinate (WGS84) of the client based on its IP.
    • client-continent: Continent of the client based on its IP. Two-character code:
      • Asia: AS
      • South America: SA
      • North America: NA
      • Africa: AF
      • Europe: EU
      • Antarctica: AN
      • Oceania: OC
    • client-country: Country of the client based on its IP. Two-character ISO 3166-1 ALPHA-2 code.
    • client-subdivision: Geographical subdivision of the client based on its IP. Up to three characters describing the subdivision part of the ISO 3166-2 code (state/district/canton, ...).
    • client-city: City of the client based on its IP.
    • client-zip: Postal code (ZIP) of the client based on its IP.
    • client-timezone: Time Zone of the client based on its IP.

    MaxMind geolocation example values (in the order listed above): 37.386, -122.0838, NA, US, CA, Mountain View, 94040, America/Los_Angeles.
    With custom geolocation providers, the format of these values might differ, and even with a geolocation provider configured, all values are optional.

    Class
    com.airlock.iam.flow.shared.application.configuration.valueprovider.HttpRequestInformationValueMapProviderConfig
    May be used by
    mTAN Transaction Approval Step, Secret Questions Identity Verification Step, Set Authentication Method Migration Step, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Airlock 2FA Self-Service Approval Step, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Account Link Linking Initiation Step, Remote Event Subscriber (Loginapp), Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Airlock 2FA Message Provider, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, Selection Step for Public Self-Service, OATH OTP Activation Step, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Delete FIDO Credential Initiation Step, Login From New Device Step, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, Cronto Message Provider, User Identification By Data Step (Public Self-Service), Translated String Provider, Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Template-based String Provider, Apply Changes Step, User Persisting Step Config, Start User Representation Step, mTAN Message Provider, String From Map Value Provider, Mandatory Password Change Step Config, SMS Event Subscriber (Loginapp), Disable Cronto Device Initiation Step, Email Message Provider, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Username Password Authentication Step, Certificate Credential Extraction Step Config, Set Password Step Config, Password Change Self-Service Step, SSI Verification Step, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, mTAN Self-Service Approval Step, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Delete mTAN Number Initiation Step, SSI Authentication Step, Template-based Username Transformer, Transforming Value Map Provider, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Email Event Subscriber (Loginapp), Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Airlock 2FA Mobile Only Authentication Step, Voluntary Password Change Step, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), Username Generation Step Config, Remember-Me Reset Step, Delete OAuth 2.0 Session Initiation Step, Ticket String Provider Config, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.valueprovider.HttpRequestInformationValueMapProviderConfig
    id: HttpRequestInformationValueMapProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    HTTP Request mTLS Client Certificate Extractor

    Description
    Extracts the mutual TLS (mTLS) client certificate of the incoming HTTP request.

    The plugin allows certificates to be extracted from various request headers.

    Class
    com.airlock.iam.common.application.configuration.gateway.extractor.RequestMtlsClientCertificateExtractorConfig
    May be used by
    Properties
    HTTP Header Name (httpHeaderName)
    Description
    HTTP header name whose value contains the mTLS X.509 client certificate.

    The HTTP header name must be identical to the configured HTTP header name on the proxy in front of IAM. HTTP header names are case-insensitive. The first value of the first header received is considered. The received header value is extracted using the configured extraction format.

    The HTTP header name consists of any visible ASCII characters except delimiters "(),/:;<=>?@[\]{}".

    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9!#$%&'*+\-.^_`|~]+
    Default value
    X-Forwarded-mTLS-Client-Cert
    Example
    X-Forwarded-mTLS-Client-Cert
    Example
    X-SSL-Client-Cert
    Example
    x-forwarded-client-cert
    Extraction Format (extractionFormat)
    Description
    Defines the format in which the mTLS X.509 client certificate is expected to be provided in the specified HTTP header.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.gateway.extractor.RequestMtlsClientCertificateExtractorConfig
    id: RequestMtlsClientCertificateExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      extractionFormat:
      httpHeaderName: X-Forwarded-mTLS-Client-Cert
    

    HTTP Request URL Extractor

    Description
    Extracts the request URL of the incoming HTTP request as seen by the client. The request URL is required by IAM in various places, e.g. when writing log files.
    Class
    com.airlock.iam.common.application.configuration.gateway.extractor.RequestUrlExtractorConfig
    May be used by
    Properties
    HTTP Header Name (httpHeaderName)
    Description
    HTTP header name whose value contains the request URL.

    The HTTP header name must be identical to the configured HTTP header name on the proxy in front of IAM. HTTP header names are case-insensitive. If multiple identical HTTP header names are present, only the first one is considered. The expected HTTP header value is a valid request URL that complies with RFC 2396.

    The HTTP header name consists of any visible ASCII characters except delimiters "(),/:;<=>?@[\]{}".

    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9!#$%&'*+\-.^_`|~]+
    Default value
    X-URL
    Example
    X-URL
    Example
    X-URL-Seen-By-Client
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.gateway.extractor.RequestUrlExtractorConfig
    id: RequestUrlExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      httpHeaderName: X-URL
    

    HTTP Response Header Identity Propagator

    Description
    An identity propagator that sets HTTP response headers that are returned to the HTTP client.
    Class
    com.airlock.iam.core.misc.impl.sso.ResponseHeaderIdentityPropagator
    May be used by
    Properties
    Headers (headers)
    Description
    Defines HTTP headers that are set on the response to the HTTP client.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.ResponseHeaderIdentityPropagator
    id: ResponseHeaderIdentityPropagator-xxxxxx
    displayName: 
    comment: 
    properties:
      headers:
    

    HTTP Signature Algorithm Whitelist

    Description
    Verifies that a whitelisted signing algorithm is used.
    Class
    com.airlock.iam.login.app.misc.oneshot.impl.HttpSignatureAlgorithmWhitelistConfig
    May be used by
    Properties
    Allowed Signature Algorithms (allowedSignatureAlgorithms)
    Description
    The allowed signature algorithms. The value can be provided in any letter case. The format specified by Java is <digest>with<encryption>and<mgf>, where the mgf is optional.
    Attributes
    String-List
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.HttpSignatureAlgorithmWhitelistConfig
    id: HttpSignatureAlgorithmWhitelistConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedSignatureAlgorithms:
    

    HTTP Signature Audit Logger

    Description
    Audit logging of HTTP Signature verification.
    Class
    com.airlock.iam.login.app.misc.oneshot.impl.HttpSignatureAuditLoggerConfig
    May be used by
    Properties
    Logger Name (loggerName)
    Description

    This property can be used to redirect the logs to a specific Log4J Logger. In the Log4J configuration this name can be used as follows:

    <Logger name="ConfiguredLoggerName" level="INFO" additivity="false">
    	<AppenderRef ref="SECURED-LOG-DESTINATION"/>
    </Logger>
    

    additivity="false" is used to filter messages from going to other appenders via the <Root> logger.

    Please refer to the customer documentation for details on logging configuration.

    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.HttpSignatureAuditLoggerConfig
    id: HttpSignatureAuditLoggerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      loggerName:
    

    HTTP Signature Static X.509 Certificate Loader

    Description
    Returns the configured certificate.
    Class
    com.airlock.iam.login.app.misc.oneshot.impl.HttpSignatureStaticX509CertificateLoaderConfig
    May be used by
    Properties
    Certificate (PEM) (pemCertificate)
    Description
    The certificate in PEM format.
    Attributes
    String
    Mandatory
    Multi-line-text
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.HttpSignatureStaticX509CertificateLoaderConfig
    id: HttpSignatureStaticX509CertificateLoaderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      pemCertificate:
    

    HTTP Signature Verification Credential Extractor

    Description
    Verifies the HTTP Signature from the "Signature" header of the HTTP request according to Signing HTTP Messages. If valid, extracts the credential according to the configured extractor.
    Class
    com.airlock.iam.login.app.misc.oneshot.impl.HttpSignatureVerificationCredentialExtractorConfig
    May be used by
    Properties
    Digest (digest)
    Description
    The HTTP Instance Digest verification according to RFC 3230. If configured, requests with body must include a digest.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Signature Headers Verifications (signatureHeadersVerifications)
    Description
    Allows verifications to be defined on the HTTP signature. The headers parameter defines the signed data and is passed with the request to each of the configured verifications. If any of the verifications fails, the request is rejected.

    This allows enforcing that certain data is included in or excluded from the signature.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Request Line Header (requestLineHeader)
    Description
    The name of the header containing the request line of the original HTTP request. This must be added on the Airlock Gateway (WAF) mapping's Apache Expert Settings with
    RequestHeader set AL_ENV_REQUEST_LINE expr=%{THE_REQUEST}
    Attributes
    String
    Optional
    Default value
    AL_ENV_REQUEST_LINE
    HTTP Signature Certificate Loader (httpSignatureCertificateLoader)
    Description
    How to load the certificate that is used to verify the signature.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Trust Store Path (trustStorePath)
    Description
    Keystore file name containing certificates of trusted issuers. Certificates from the loader must be directly issued by one of the issuers in this keystore. The keystore can be of type:
    • JKS
    • PKCS12
    Attributes
    File/Path
    Mandatory
    Trust Store Password (trustStorePassword)
    Description
    The password used to verify the authenticity of the trust store.

    Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

    • JKS: the keystore can be opened and used but the integrity of the keystore is not checked.
    • PKCS12: an error occurs.

    Attributes
    String
    Optional
    Sensitive
    Certificate Status Checkers (certificateStatusCheckers)
    Description
    A list of certificate status checkers used to check the revocation status of the HTTP signature verification certificate. If more than one checker is configured, all of them are consulted and the certificate is considered revoked if at least one of them tells so.

    Security warning: The revocation status is only checked for the leaf certificate. Issuer certificates are not checked for revocation. If revocation checks for issuer certificates are required, these must be performed by the administrative process that manages the IAM truststore, see property 'Trust Store Path'.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    HTTP Signature Algorithm Verifier (httpSignatureAlgorithmVerifier)
    Description
    Verifies the signature algorithms being used. If not configured, all algorithms are allowed and therefore all supported algorithms that can be used with the certificate's key material will pass the signature verification.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Credential Verifier (credentialVerifier)
    Description
    Client credential verification against the used HTTP signature signing certificate. If not configured, no verification of the credential will be performed.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Audit Logger (auditLogger)
    Description
    Enables logging of signature verification information. Certificate, algorithm, signing string and the signature are logged in case the verification was successful. This allows signatures to be verified again at a later point in time.

    Security Warning: Signing strings contain request headers which often contain sensitive information and should therefore not be logged. If this feature is enabled, it is highly recommended that these logs are redirected to a special destination using the Logger Name.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.HttpSignatureVerificationCredentialExtractorConfig
    id: HttpSignatureVerificationCredentialExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      auditLogger:
      certificateStatusCheckers:
      credentialExtractor:
      credentialVerifier:
      digest:
      httpSignatureAlgorithmVerifier:
      httpSignatureCertificateLoader:
      requestLineHeader: AL_ENV_REQUEST_LINE
      signatureHeadersVerifications:
      trustStorePassword:
      trustStorePath:
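
    The HTTP Signature Verification Credential Extractor above, together with its Request Line Header, Digest and Signature Headers Verifications properties and the HTTP Signature Algorithm Whitelist plugin, describes a fixed sequence of checks. The following Python model is added here to make that sequence concrete; it is not Airlock IAM code. It builds the signing string from the Signature header's `headers` parameter, takes `(request-target)` from a proxy-supplied request line such as the one the Gateway places in AL_ENV_REQUEST_LINE, checks the RFC 3230 Digest for requests with a body, matches the algorithm against the whitelist independently of letter case, and applies include/exclude rules on the signed headers. Where the product verifies against an X.509 certificate's public key, this example verifies with an HMAC stand-in (the draft's `hmac-sha256` algorithm) so that it runs with the standard library alone; the key, key id and request are all constructed.

```python
"""Illustrative model of HTTP Signature verification as described in this
reference section. Not Airlock IAM code: the product verifies against an X.509
certificate's key; an HMAC stand-in with a constructed key is used here."""
import base64
import hashlib
import hmac
import re

# RFC 3230 instance digest algorithms this model understands.
DIGEST_ALGORITHMS = {"SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}


def first_header(headers, name):
    """First header whose name matches case-insensitively, or None."""
    wanted = name.lower()
    return next((v for k, v in headers if k.lower() == wanted), None)


def parse_signature_header(value):
    """Parse `keyId="..",algorithm="..",headers="..",signature=".."` into a dict."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', value)}


def signing_string(signed_headers, request_line, headers):
    """One `name: value` line per entry of the Signature `headers` parameter.
    `(request-target)` is derived from the proxy-supplied request line (e.g.
    "POST /api/payments HTTP/1.1" in AL_ENV_REQUEST_LINE), which is why that
    header must be set by the Gateway and never taken from the client."""
    lines = []
    for name in signed_headers.split():
        if name == "(request-target)":
            method, target, _version = request_line.split(" ", 2)
            lines.append(f"(request-target): {method.lower()} {target}")
        else:
            value = first_header(headers, name)
            if value is None:
                raise ValueError(f"signed header missing from request: {name}")
            lines.append(f"{name.lower()}: {value.strip()}")
    return "\n".join(lines)


def digest_matches(digest_header, body):
    """RFC 3230 check: the header is `<algorithm>=<base64 of hash(body)>`."""
    algorithm, _, expected = digest_header.partition("=")
    hasher = DIGEST_ALGORITHMS.get(algorithm.strip().upper())
    if hasher is None:
        return False
    actual = base64.b64encode(hasher(body).digest()).decode()
    return hmac.compare_digest(actual, expected.strip())


def algorithm_allowed(algorithm, allowed):
    """Whitelist match is letter-case insensitive, e.g. `SHA256withRSA`."""
    return algorithm.lower() in {a.lower() for a in allowed}


def signed_headers_ok(signed_headers, required=(), forbidden=()):
    """Signature Headers Verifications: names that must be in / out of the signed data."""
    signed = set(signed_headers.lower().split())
    return {h.lower() for h in required} <= signed and not ({h.lower() for h in forbidden} & signed)


def verify_request(request, key, allowed_algorithms,
                   required=("(request-target)", "date", "digest"), forbidden=()):
    """Run the checks in order; returns (ok, keyId or failure reason)."""
    headers, body = request["headers"], request["body"]
    sig_value = first_header(headers, "Signature")
    if sig_value is None:
        return False, "no Signature header"
    params = parse_signature_header(sig_value)
    missing = [p for p in ("keyId", "algorithm", "headers", "signature") if p not in params]
    if missing:
        return False, f"Signature parameter missing: {missing[0]}"
    if not algorithm_allowed(params["algorithm"], allowed_algorithms):
        return False, "algorithm not whitelisted"
    if not signed_headers_ok(params["headers"], required, forbidden):
        return False, "signed headers do not satisfy verification rules"
    if body:  # requests with a body must carry a valid Digest
        digest = first_header(headers, "Digest")
        if digest is None or not digest_matches(digest, body):
            return False, "body digest missing or mismatched"
    try:
        to_verify = signing_string(params["headers"], request["request_line"], headers)
    except ValueError as exc:
        return False, str(exc)
    expected = base64.b64encode(hmac.new(key, to_verify.encode(), hashlib.sha256).digest()).decode()
    if not hmac.compare_digest(expected, params["signature"]):
        return False, "signature mismatch"
    return True, params["keyId"]


def sign_request(request, key, key_id, signed_headers="(request-target) date digest"):
    """Client side of the constructed example: adds Digest and Signature headers."""
    headers = [h for h in request["headers"] if h[0].lower() not in ("digest", "signature")]
    if request["body"]:
        body_hash = base64.b64encode(hashlib.sha256(request["body"]).digest()).decode()
        headers.append(("Digest", f"SHA-256={body_hash}"))
    mac = hmac.new(key, signing_string(signed_headers, request["request_line"], headers).encode(),
                   hashlib.sha256).digest()
    headers.append(("Signature", f'keyId="{key_id}",algorithm="hmac-sha256",'
                                 f'headers="{signed_headers}",signature="{base64.b64encode(mac).decode()}"'))
    return {**request, "headers": headers}


# Constructed sample request and key; none of these values come from a real system.
SAMPLE_KEY = b"constructed-example-key"
SAMPLE_REQUEST = {
    "request_line": "POST /api/payments HTTP/1.1",
    "headers": [("Host", "iam.example.invalid"),
                ("Date", "Tue, 01 Jan 2030 10:00:00 GMT"),
                ("Content-Type", "application/json")],
    "body": b'{"amount": 100}',
}

if __name__ == "__main__":
    signed = sign_request(SAMPLE_REQUEST, SAMPLE_KEY, "kid-1")
    print(verify_request(signed, SAMPLE_KEY, ["hmac-sha256"]))  # (True, 'kid-1')
```

    The order matters: the algorithm and signed-header rules are cheap and reject malformed or under-signed requests before any hashing is done, and the Digest is checked before the signature so that a valid signature over `digest` actually binds the body that was received. Changing the request line, the body or the key in the sample each produces a distinct failure reason, which is the kind of detail the Audit Logger property makes visible.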
    

    HTTP Signature X.509 Certificate Header Loader

    Description
    Loads the certificate from a header of the HTTP request. The HTTP header must contain a PEM or base64-encoded DER X.509 certificate.
    Class
    com.airlock.iam.login.app.misc.oneshot.impl.HttpSignatureX509CertificateHeaderLoaderConfig
    May be used by
    Properties
    Certificate Header Name (headerName)
    Description
    HTTP Request header name containing the certificate.
    Attributes
    String
    Mandatory
    Example
    TPP-Signature-Certificate
    Example
    Certificate
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.HttpSignatureX509CertificateHeaderLoaderConfig
    id: HttpSignatureX509CertificateHeaderLoaderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      headerName:
    

    HTTP Signature X.509 Certificate URL Loader

    Description
    Loads the certificate for an HTTP signature keyId. The keyId must be an HTTP(S) URL indicating where the certificate is located. The HTTP response body must contain a PEM, DER or base64-encoded DER X.509 certificate. Certificates will be cached in memory, hence once a certificate is loaded it will remain in the cache until IAM is restarted, a configuration is activated or the maximum cache size is reached.
    Class
    com.airlock.iam.login.app.misc.oneshot.impl.HttpSignatureX509CertificateHttpUrlLoaderConfig
    May be used by
    Properties
    HTTP Client (httpClientConfig)
    Description
    HTTP client used for the requests. It is recommended to use a trust store containing trusted certificates for HTTPS connections.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Maximum Cache Size (maximumCacheSize)
    Description
    Defines the maximum number of certificates that reside in the cache. This will limit the memory usage of this feature but may also have a performance trade-off. A regular X.509 certificate has a size of approximately 3kB. If the maximum number of certificates in the cache is reached, certificates that haven't been used recently or very often will be removed from the cache to make space for the newly cached certificate.

    A maximum cache size of 0 disables the cache.

    Attributes
    Integer
    Optional
    Default value
    1000
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.HttpSignatureX509CertificateHttpUrlLoaderConfig
    id: HttpSignatureX509CertificateHttpUrlLoaderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      httpClientConfig:
      maximumCacheSize: 1000
    

    HTTP SMS Gateway

    Description
    Generic SMS Gateway implementation based on a simple HTTP request.
    Class
    com.airlock.iam.core.misc.impl.sms.GenericHttpSmsGateway
    May be used by
    Properties
    HTTP Method (httpMethod)
    Description
    HTTP Method used for the request.
    Attributes
    Enum
    Optional
    Default value
    GET
    Service URI (serviceUri)
    Description
    URI used to send the HTTP request to.
    Attributes
    String
    Mandatory
    Message Parameter (messageParameter)
    Description
    Name of the parameter used to convey the SMS message.
    Attributes
    String
    Mandatory
    Example
    message
    Example
    text
    Recipient Parameter (recipientParameter)
    Description
    Name of the parameter used to specify the recipient.
    Attributes
    String
    Mandatory
    Example
    recipient
    Example
    phone-number
    Originator Parameter (originatorParameter)
    Description
    Name of the parameter used to specify the originator.
    Attributes
    String
    Optional
    Example
    originator
    Example
    sender
    Flash Parameter (flashParameter)
    Description
    Name and value of the parameter to add when a flash message is to be sent.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    HTTP Parameters (httpParameters)
    Description
    List of name-value pairs sent as parameters in the HTTP request.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Successful Response Pattern (successfulResponsePattern)
    Description
    Specifies the pattern that has to match part of the response body in order to assume successful transmission. Note that responses with status codes other than 2xx are always treated as failure. If no pattern is defined, every response with status code 2xx (e.g. 200, 201, 202, etc.) is assumed successful.
    Attributes
    RegEx
    Optional
    Truncate Plus Sign (truncatePlusSign)
    Description
    Set to true to truncate the + prefix of the recipient number.
    Attributes
    Boolean
    Optional
    Default value
    false
    Basic Auth Username (basicAuthUsername)
    Description
    The username for HTTP Basic Authentication.
    Attributes
    String
    Optional
    Basic Auth Password (basicAuthPassword)
    Description
    The password for HTTP Basic Authentication.
    Attributes
    String
    Optional
    Sensitive
    URL Encoding for GET requests (urlEncoding)
    Description
    The URL-encoding to use for GET requests to append parameters to the Service URI. POST requests ignore this property and always use UTF-8.
    Attributes
    String
    Optional
    Default value
    UTF-8
    Suggested values
    UTF-8, ISO-8859-1
    Proxy Host (proxyHost)
    Description
    The hostname of the HTTP proxy server (if any).
    Attributes
    String
    Optional
    Example
    proxy.company.com
    Proxy Port (proxyPort)
    Description
    The port of the HTTP proxy server (if any).
    Attributes
    Integer
    Optional
    Proxy Login User (proxyLoginUser)
    Description
    Username for the HTTP proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Proxy Login Password (proxyLoginPassword)
    Description
    Password for the HTTP proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Sensitive
    Allow Only Trusted Certs (allowOnlyTrustedCerts)
    Description

    Only allow connections to servers whose certificate is trusted. See documentation of property "Trust Store Path" for more information about what certificates are trusted.

    Security warning: Trusting all certificates allows connections to adversarial hosts. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Verify Server Hostname (verifyServerHostname)
    Description

    Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

    Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Trust Store Path (trustStorePath)
    Description

    Keystore file name containing trusted certificate issuers (and trusted certificates).

    If this property is not defined the following certificate issuers are trusted:

    • The list of issuers known to the Java VM, if the system property "javax.net.ssl.trustStore" is not defined.
    • The list of issuers in the keystore referenced by the system property "javax.net.ssl.trustStore", if that property is defined in instance.properties via iam.java.opts.

    If this property is defined then the following certificate issuers are trusted:

    • The list of issuers in the referenced truststore file and no others.

    This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

    Attributes
    File/Path
    Optional
    Trust Store Type (trustStoreType)
    Description
    Identifies the type of the keystore.
    Attributes
    String
    Optional
    Default value
    JKS
    Allowed values
    JKS, PKCS12
    Trust Store Password (trustStorePassword)
    Description
    The password used to verify the authenticity of the trust store.

    Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

    • JKS: the keystore can be opened and used but the integrity of the keystore is not checked.
    • PKCS12: an error occurs.

    Attributes
    String
    Optional
    Sensitive
    Connection/Read Timeout [s] (connectTimeout)
    Description
    The timeout in seconds used for both the connection timeout and the read timeout.
    A connection may therefore take up to twice this time before it is aborted.
    Attributes
    Integer
    Optional
    Default value
    10
    Correlation ID Header Name (correlationIdHeaderName)
    Description

    When configured, every request sent contains a header with the configured name carrying the correlation ID. If no value or an empty value is specified, the correlation ID header is not sent.

    If no correlation ID is defined for the current request, the header is likewise omitted.

    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9_-]+
    Suggested values
    X-Correlation-ID
    Visible Phone Number Digits In Log (visiblePhoneNumberDigitsInLog)
    Description

    Defines the number of phone number digits visible in log statements.

    If the value is zero, all digits are masked; if it is large enough, all digits are visible. If set to 3, for example, the logged number looks like ********965.

    The default is 100, i.e. showing all digits.

    Attributes
    Integer
    Optional
    Default value
    100
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sms.GenericHttpSmsGateway
    id: GenericHttpSmsGateway-xxxxxx
    displayName: 
    comment: 
    properties:
      allowOnlyTrustedCerts: true
      basicAuthPassword:
      basicAuthUsername:
      connectTimeout: 10
      correlationIdHeaderName:
      flashParameter:
      httpMethod: GET
      httpParameters:
      messageParameter:
      originatorParameter:
      proxyHost:
      proxyLoginPassword:
      proxyLoginUser:
      proxyPort:
      recipientParameter:
      serviceUri:
      successfulResponsePattern:
      truncatePlusSign: false
      trustStorePassword:
      trustStorePath:
      trustStoreType: JKS
      urlEncoding: UTF-8
      verifyServerHostname: true
      visiblePhoneNumberDigitsInLog: 100
    
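The following Python model is an added example, not Airlock IAM code: it shows the request the HTTP SMS Gateway builds from the properties above (GET versus POST encoding, truncatePlusSign, successfulResponsePattern, visiblePhoneNumberDigitsInLog). GatewayConfig, build_sms_request, transmission_succeeded and mask_phone_number are hypothetical names; the service URI, API key and phone number are constructed sample values.

```python
"""Added example, not Airlock IAM code: models the request the HTTP SMS Gateway
builds from the properties of this reference entry. GatewayConfig,
build_sms_request, transmission_succeeded and mask_phone_number are
hypothetical names; all sample values are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode


@dataclass
class GatewayConfig:
    # Property names follow the YAML template of the plugin.
    serviceUri: str
    messageParameter: str
    recipientParameter: str
    httpMethod: str = "GET"
    originatorParameter: Optional[str] = None
    originator: Optional[str] = None          # constructed: value sent for originatorParameter
    httpParameters: Dict[str, str] = field(default_factory=dict)
    successfulResponsePattern: Optional[str] = None
    truncatePlusSign: bool = False
    urlEncoding: str = "UTF-8"
    visiblePhoneNumberDigitsInLog: int = 100


def mask_phone_number(number: str, visible_digits: int) -> str:
    """Mask all but the last `visible_digits` characters, as done for log output."""
    if visible_digits >= len(number):
        return number                          # large enough: all digits visible
    hidden = len(number) - visible_digits
    return "*" * hidden + number[hidden:]


def build_sms_request(cfg: GatewayConfig, recipient: str,
                      message: str) -> Tuple[str, str, Optional[str]]:
    """Return (method, url, body) for one SMS; body is None for GET requests."""
    params: Dict[str, str] = dict(cfg.httpParameters)   # static name-value pairs
    params[cfg.messageParameter] = message
    number = recipient
    if cfg.truncatePlusSign and number.startswith("+"):
        number = number[1:]                    # drop the leading '+'
    params[cfg.recipientParameter] = number
    if cfg.originatorParameter and cfg.originator:
        params[cfg.originatorParameter] = cfg.originator
    method = cfg.httpMethod.upper()
    if method == "GET":
        # Parameters are appended to the Service URI using the configured encoding.
        separator = "&" if "?" in cfg.serviceUri else "?"
        query = urlencode(params, encoding=cfg.urlEncoding)
        return method, cfg.serviceUri + separator + query, None
    # POST ignores urlEncoding and always encodes the form body as UTF-8.
    return method, cfg.serviceUri, urlencode(params, encoding="UTF-8")


def transmission_succeeded(status: int, body: str,
                           pattern: Optional[str]) -> bool:
    """Non-2xx responses always fail; otherwise the pattern (if any) must match."""
    if not 200 <= status <= 299:
        return False
    if not pattern:
        return True
    return re.search(pattern, body) is not None


if __name__ == "__main__":
    cfg = GatewayConfig(serviceUri="https://sms.example.test/send",   # constructed
                        messageParameter="text", recipientParameter="phone-number",
                        httpParameters={"apikey": "dummy-api-key"},
                        truncatePlusSign=True,
                        successfulResponsePattern=r'"status"\s*:\s*"OK"',
                        visiblePhoneNumberDigitsInLog=3)
    method, url, body = build_sms_request(cfg, "+41791234567", "Your code: 4123")
    print(method, url)
    print("recipient in log:",
          mask_phone_number("41791234567", cfg.visiblePhoneNumberDigitsInLog))
    print("gateway accepted:",
          transmission_succeeded(200, '{"status": "OK"}', cfg.successfulResponsePattern))
```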

    IAM Username (Airlock 2FA Account Display Name)

    Description
    Provides the user's username stored in IAM as display name during the enrollment for Airlock 2FA.
    Class
    com.airlock.iam.airlock2fa.application.configuration.enrollment.Airlock2FAIamUsernameDisplayNameProviderConfig
    May be used by
    License-Tags
    Airlock2FA
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.airlock2fa.application.configuration.enrollment.Airlock2FAIamUsernameDisplayNameProviderConfig
    id: Airlock2FAIamUsernameDisplayNameProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    ID Token Claim

    Description
    The configured claim is requested to be added to the default claims in the ID Token returned from the authorization server.

    Note that the authorization server may not support requesting the configured claim (or requesting claims at all).

    Class
    com.airlock.iam.oauth2.application.configuration.IdTokenClaimConfig
    May be used by
    Properties
    Claim (claim)
    Description
    The claim to request to be included in the ID Token.
    Attributes
    String
    Mandatory
    Example
    sub
    Example
    acr
    Example
    auth_time
    Values (values)
    Description
    Requests that the claim be returned with a particular value. The value must be a valid value for the claim being requested.

    If multiple values are configured, the request indicates that the claim should be returned with one of the given values. The values in the request appear in order of preference.

    If not configured, the claim is requested without a restriction on its value.
    Attributes
    String-List
    Optional
    Requirement (requirement)
    Description
    The client indicates whether the claim being requested is an essential or a voluntary claim.
    • Essential: the claim is necessary to ensure a smooth authorization experience for the specific task requested by the end-user.
    • Voluntary: the claim is useful but not essential for the specific task requested by the end-user.
    Note that even if a claim is requested as 'essential', the authorization server is not obligated to return it.
    Attributes
    Enum
    Optional
    Default value
    ESSENTIAL
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.IdTokenClaimConfig
    id: IdTokenClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claim:
      requirement: ESSENTIAL
      values:
    
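The following Python snippet is an added example, not Airlock IAM code: it builds the OpenID Connect `claims` request parameter (OpenID Connect Core 1.0, section 5.5) that a set of ID Token Claim plugin instances corresponds to, mapping Requirement and Values as described above. IdTokenClaim, claim_request_entry, build_claims_request and build_claims_parameter are hypothetical names; the claim values are constructed.

```python
"""Added example, not Airlock IAM code: translates ID Token Claim plugin settings
into the 'id_token' member of the OpenID Connect claims request parameter.
IdTokenClaim, claim_request_entry, build_claims_request and
build_claims_parameter are hypothetical names; claim values are constructed."""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class IdTokenClaim:
    claim: str                         # e.g. sub, acr, auth_time
    requirement: str = "ESSENTIAL"     # ESSENTIAL or VOLUNTARY, as in the plugin
    values: Tuple[str, ...] = ()       # optional value restriction, in order of preference


def claim_request_entry(c: IdTokenClaim) -> Optional[dict]:
    """Translate one plugin instance into its member of the 'id_token' object."""
    if c.requirement not in ("ESSENTIAL", "VOLUNTARY"):
        raise ValueError(f"unknown requirement: {c.requirement}")
    entry: dict = {}
    if c.requirement == "ESSENTIAL":
        entry["essential"] = True        # the server is still not obliged to return it
    if len(c.values) == 1:
        entry["value"] = c.values[0]     # exactly one acceptable value
    elif len(c.values) > 1:
        entry["values"] = list(c.values)  # one of these; order of preference kept
    # A voluntary claim without value restriction is requested as JSON null.
    return entry or None


def build_claims_request(claims: Iterable[IdTokenClaim]) -> Dict[str, dict]:
    """Assemble the claims request object; a claim configured twice is rejected."""
    id_token: dict = {}
    for c in claims:
        if c.claim in id_token:
            raise ValueError(f"claim configured twice: {c.claim}")
        id_token[c.claim] = claim_request_entry(c)
    return {"id_token": id_token}


def build_claims_parameter(claims: Iterable[IdTokenClaim]) -> str:
    """Serialize the request object as sent in the 'claims' request parameter."""
    return json.dumps(build_claims_request(claims), separators=(",", ":"))


if __name__ == "__main__":
    configured = [                                                   # constructed
        IdTokenClaim("acr", values=("urn:example:acr:strong", "urn:example:acr:basic")),
        IdTokenClaim("auth_time", "VOLUNTARY"),
        IdTokenClaim("sub", values=("user-123",)),
    ]
    print(build_claims_parameter(configured))
```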

    Identity Attribute Mapping

    Description
    Filters and maps attributes from the outside to the generic token and vice versa.

    This plugin forwards all entries unchanged and works with all token repositories.

    Class
    com.airlock.iam.admin.application.configuration.generic.IdentityAttributeMapping
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.generic.IdentityAttributeMapping
    id: IdentityAttributeMapping-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Identity Password Hash

    Description
    Hash function that just returns the password itself as a byte array. This should only be used for testing, or where storing the password in plaintext is genuinely intended.
    Class
    com.airlock.iam.core.misc.util.password.hash.IdentityPasswordHash
    May be used by
    Properties
    Charset (charset)
    Description
    Specifies the character set to use for encoding a string to a byte array.
    Attributes
    String
    Optional
    Default value
    UTF-8
    Allowed values
    UTF-8, ISO-8859-1, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, ISO-8859-15
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.hash.IdentityPasswordHash
    id: IdentityPasswordHash-xxxxxx
    displayName: 
    comment: 
    properties:
      charset: UTF-8
    

    Identity Username Transformer

    Description
    A username transformer that leaves the input name unchanged. This is handy as a default value, but users should rarely need this transformer.
    Class
    com.airlock.iam.core.misc.impl.authen.IdentityUsernameTransformer
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.IdentityUsernameTransformer
    id: IdentityUsernameTransformer-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Identity Value Provider Config

    Description
    Provides a string value representing an identity.
    Class
    com.airlock.iam.common.application.configuration.valueprovider.IdentityValueProviderConfig
    May be used by
    Properties
    Identity Generator (identityGenerator)
    Description
    Defines how the identity should be generated.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.valueprovider.IdentityValueProviderConfig
    id: IdentityValueProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      identityGenerator:
    

    IdP-Initiated SSO Flow On SP

    Description
    Only relevant on the SAML 2.0 Service Provider side: This condition is true if the current flow was initiated by a SAML 2.0 IdP-initiated SSO attempt (as opposed to the flow having been started directly).
    This can be used to distinguish between a local login attempt and an IdP-initiated attempt within the same authentication flow. The IdP can select a specific authentication flow by sending a Relay State whose contents are matched against the flow's Application Selector.
    Class
    com.airlock.iam.saml2.application.configuration.sp.Saml2IdpInitiatedSsoConditionConfig
    May be used by
    License-Tags
    SamlSp
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.sp.Saml2IdpInitiatedSsoConditionConfig
    id: Saml2IdpInitiatedSsoConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Ignore Existing User Sessions Config

    Description
    Does nothing when there is already a user session.
    Class
    com.airlock.iam.login.application.configuration.existingsessionbehavior.IgnoreExistingUserSessionsConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.existingsessionbehavior.IgnoreExistingUserSessionsConfig
    id: IgnoreExistingUserSessionsConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Impossible Journey Risk Extractor

    Description
    Emits tags based on whether the journey from the previous login location to the current login location is plausible or impossible. Login timestamps and geolocations of previous login and current login are taken into account to calculate the travel speed.

    • This risk extractor depends on the user identity. Make sure to place the corresponding Risk Assessment Step after the user-identifying step (e.g. the Password Authentication Step) in the authentication flow.
    • This plugin requires that a Login History Repository is configured in the Authentication Flows configuration.
    • This plugin requires a geolocation provider supplying longitude and latitude to be configured in Loginapp's REST settings.

    Class
    com.airlock.iam.authentication.application.configuration.risk.extractor.journey.ImpossibleJourneyRiskExtractorConfig
    May be used by
    Properties
    Max Travel Speed [km/h] (maximumTravelSpeed)
    Description
    Maximum travel speed in kilometers per hour (km/h). If the calculated travel speed is above this value, the journey is considered impossible.
    Attributes
    Integer
    Optional
    Default value
    1000
    Minimal Travel Distance [km] (minimalTravelDistance)
    Description
    Minimal travel distance in kilometers (km). The user must have traveled at least that far for the risk extractor to take travel speed into account.
    Attributes
    Integer
    Optional
    Default value
    1
    Tags On Impossible Journey (tagsOnImpossibleJourney)
    Description
    The tags to grant if the current journey is impossible.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Tags On Plausible Journey (tagsOnPlausibleJourney)
    Description
    The tags to grant if the current journey is plausible.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.risk.extractor.journey.ImpossibleJourneyRiskExtractorConfig
    id: ImpossibleJourneyRiskExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      maximumTravelSpeed: 1000
      minimalTravelDistance: 1
      tagsOnImpossibleJourney:
      tagsOnPlausibleJourney:
    
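The following Python snippet is an added example, not Airlock IAM code: it carries out the travel-speed check described above with the page's defaults for maximumTravelSpeed (1000 km/h) and minimalTravelDistance (1 km), computing the great-circle distance between the previous and the current login location. LoginEvent, haversine_km, assess_journey and journey_tags are hypothetical names; coordinates and timestamps are constructed. It assumes that a journey shorter than the minimal travel distance is reported as plausible.

```python
"""Added example, not Airlock IAM code: the plausibility check of the Impossible
Journey Risk Extractor. LoginEvent, haversine_km, assess_journey and
journey_tags are hypothetical names; coordinates and timestamps are constructed.
Assumed: a journey below minimalTravelDistance counts as plausible."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class LoginEvent:
    timestamp: datetime      # from the Login History Repository
    latitude: float          # from the geolocation provider
    longitude: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points in kilometers."""
    phi1, phi2 = radians(lat1), radians(lat2)
    d_phi = radians(lat2 - lat1)
    d_lambda = radians(lon2 - lon1)
    a = sin(d_phi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(d_lambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def assess_journey(previous: Optional[LoginEvent], current: LoginEvent,
                   maximum_travel_speed: float = 1000,
                   minimal_travel_distance: float = 1) -> Optional[str]:
    """Return "impossible", "plausible", or None when there is no previous login."""
    if previous is None:
        return None                                   # nothing to compare against
    distance = haversine_km(previous.latitude, previous.longitude,
                            current.latitude, current.longitude)
    if distance < minimal_travel_distance:
        return "plausible"                            # speed not taken into account
    hours = (current.timestamp - previous.timestamp).total_seconds() / 3600.0
    if hours <= 0:
        return "impossible"                           # moved, but no time elapsed
    speed = distance / hours                          # km/h
    return "impossible" if speed > maximum_travel_speed else "plausible"


def journey_tags(previous: Optional[LoginEvent], current: LoginEvent,
                 tags_on_impossible: List[str], tags_on_plausible: List[str],
                 **thresholds) -> List[str]:
    """Tags the risk extractor would grant for this login."""
    verdict = assess_journey(previous, current, **thresholds)
    if verdict == "impossible":
        return list(tags_on_impossible)
    if verdict == "plausible":
        return list(tags_on_plausible)
    return []


if __name__ == "__main__":
    # constructed: login in Zurich, then two hours later a login from New York
    zurich = LoginEvent(datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc), 47.3769, 8.5417)
    new_york = LoginEvent(datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc), 40.7128, -74.0060)
    print(round(haversine_km(47.3769, 8.5417, 40.7128, -74.0060)), "km")
    print(journey_tags(zurich, new_york, ["impossible_journey"], ["plausible_journey"]))
```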

    In-Memory Accepted SSO Tickets Repository

    Description

    Repository that stores accepted SSO tickets in memory.

    The tickets are stored to prevent replay attacks.

    This repository should not be used if multiple instances of IAM are deployed in parallel (failover, horizontal scaling). Furthermore, the cache is not preserved across IAM restarts.

    Class
    com.airlock.iam.common.application.configuration.sso.InMemoryAcceptedSsoTicketRepositoryConfig
    May be used by
    Properties
    Tenant ID (tenantId)
    Description

    Identity stored with the accepted SSO Tickets to distinguish between different tenants.

    If left empty, 'no_tenant' is used as the effective value for tenant ID.

    Attributes
    String
    Optional
    Length <= 50
    Validation RegEx: (?!no_tenant$).*
    Example
    customerA
    Example
    customerB
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.sso.InMemoryAcceptedSsoTicketRepositoryConfig
    id: InMemoryAcceptedSsoTicketRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      tenantId:
    

    In-Memory Sequence Generator

    Description

    Sequence generator without persistence. The sequence number is held only in memory and is therefore reset upon server restart.

    Note: All instances of this plugin share the same sequence number.

    Class
    com.airlock.iam.core.misc.util.report.barcode.InMemorySequenceGenerator
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.report.barcode.InMemorySequenceGenerator
    id: InMemorySequenceGenerator-xxxxxx
    displayName: 
    comment: 
    properties:
    

    In-Memory State Repository

    Description

    State repository that stores all values in memory.

    This repository cannot be used if multiple instances of IAM are deployed in parallel (failover, horizontal scaling). Furthermore, state is not preserved across IAM restarts.

    Class
    com.airlock.iam.core.application.configuration.state.InMemoryStateRepositoryConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.application.configuration.state.InMemoryStateRepositoryConfig
    id: InMemoryStateRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Initial REST API Invocation

    Description
    Allows the UI to initially invoke the IAM REST API before loading the custom UI itself. This can be used to fetch an authentication challenge for example.
    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.InitialRestApiInvocationConfig
    May be used by
    Properties
    URL (url)
    Description
    The URL to call, relative to IAM's top-level 'rest' path. For example, when deploying IAM to https://mycompany.com/auth, all REST APIs are available under https://mycompany.com/auth/rest. The URL to configure is relative to the latter.
    Attributes
    String
    Mandatory
    Example
    /public/my-company/my-custom-auth-method
    Method (method)
    Description
    The HTTP method to use when calling the URL.
    Attributes
    String
    Optional
    Default value
    GET
    Allowed values
    GET, POST, DELETE
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.InitialRestApiInvocationConfig
    id: InitialRestApiInvocationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      method: GET
      url:
    

    Input UI Element

    Description
    Displays a text input field.
    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiInputFieldConfig
    May be used by
    Properties
    Label (label)
    Description
    Label for the input field. The UI treats it as a key to translate. If there is no translation, the configured value is what is shown in the UI.
    Attributes
    String
    Mandatory
    Validation RegEx: [a-zA-Z0-9]+((\.|-)[a-zA-Z0-9]+)*
    Property (property)
    Description
    The input field's property. This property will be sent to the server via REST as part of a JSON object. For example, if the property name is 'otp' and the user enters '4123' into the field, the JSON sent to the server will be as follows: {"otp": "4123"}. Values can also be nested using the dot notation. For example, if the property name is 'attributes.badge' and the user enters 'abc' into the field, the JSON sent to the server will be as follows: {"attributes": {"badge": "abc"}}
    Attributes
    String
    Mandatory
    Validation RegEx: [a-zA-Z0-9_]+(\.[a-zA-Z0-9_]+)*
    Example
    otp
    Example
    phoneNumber
    Example
    attributes.badge
    Placeholder (placeholder)
    Description
    Displays the placeholder if the field has no value.
    Attributes
    String
    Optional
    Mask Input (maskInput)
    Description
    Masks the input field so that the characters entered into it are not shown.
    Attributes
    Boolean
    Optional
    Default value
    false
    Validations (validations)
    Description
    The validations on the input field.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Submit To Server (submitToServer)
    Description
    If enabled, this value is submitted to the server. Otherwise, it is only used locally (e.g. to confirm inputs of other fields).
    Attributes
    Boolean
    Optional
    Default value
    true
    HTML ID (htmlId)
    Description
    The ID of the element in the HTML. If no ID is set, the 'property' is used as the ID.
    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9_]+
    Initial Value Query (initialValueQuery)
    Description
    JSONPath query to fetch the field value from the initial REST call response. Requires an initial REST call to be configured in this custom step UI. If the query yields multiple results, the first one is set as the initial value and all others are discarded.

    See the JSONPath documentation for the full documentation: https://github.com/dchester/jsonpath

    Examples:

    Assume the initial REST call returns the following JSON response:

    {
     "meta": {
       "type": "jsonapi.metadata.document",
       "timestamp": "2023-03-10T13:06:01.294+02:00"
     },
     "data": [
      {
        "type": "user",
        "id": "user1",
        "attributes": {
          "contextData": {
             "givenname": "User1",
             "surname": "FSMTest",
             "roles": "customerA"
          }
        }
      },
      {
        "type": "user",
        "id": "user2",
        "attributes": {
          "contextData": {
            "givenname": "User2",
            "surname": "FSMTest",
            "roles": "customerB"
          }
        }
      }
     ]
    }
    

    The following table shows the results of various JSONPath queries given the JSON above:

    Static path from the root
      JSONPath Query: $.meta.type
      Extracted Initial Value: jsonapi.metadata.document
    The role of the user whose id equals "user1"
      JSONPath Query: $.data[?(@.id == 'user1')].attributes.contextData.roles
      Extracted Initial Value: customerA
    The number of users
      JSONPath Query: $.data.length
      Extracted Initial Value: 2
    All "givenname" attributes (Note: this query yields multiple results; the first one is set as the initial value, the rest is discarded)
      JSONPath Query: $..givenname
      Extracted Initial Value: User1
    Attributes
    String
    Optional
    Example
    $.store.bicycle.color
    Example
    $..phoneNumber
    Example
    $..data[?(@.id == 'street')].attributes.currentValue
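    The two behaviours of this UI element that the descriptions above explain, the dot-notation 'property' that becomes a nested JSON object and the 'initialValueQuery' that keeps only the first JSONPath match, as an added Python example. This is not Airlock code: it implements only the JSONPath operators used in the reference's own examples (child, recursive descent, numeric index and the @.key == 'value' filter), not the full library the reference links to, and the sample response is the one shown above, transcribed into a Python dict.

```python
import re

# Constructed for this example: the initial REST call response shown in the
# reference, transcribed into a Python dict.
SAMPLE_RESPONSE = {
    "meta": {"type": "jsonapi.metadata.document",
             "timestamp": "2023-03-10T13:06:01.294+02:00"},
    "data": [
        {"type": "user", "id": "user1",
         "attributes": {"contextData": {"givenname": "User1",
                                        "surname": "FSMTest",
                                        "roles": "customerA"}}},
        {"type": "user", "id": "user2",
         "attributes": {"contextData": {"givenname": "User2",
                                        "surname": "FSMTest",
                                        "roles": "customerB"}}},
    ],
}

# Validation RegEx of the 'property' attribute, as given in the reference.
PROPERTY_RE = re.compile(r"[a-zA-Z0-9_]+(\.[a-zA-Z0-9_]+)*")


def build_payload(fields):
    """Turn {property: value} pairs into the nested JSON object the UI submits.

    'attributes.badge' -> {"attributes": {"badge": ...}}. A property name that
    does not satisfy the reference's validation regex is rejected.
    """
    payload = {}
    for prop, value in fields.items():
        if not PROPERTY_RE.fullmatch(prop):
            raise ValueError(f"invalid property name: {prop!r}")
        node = payload
        *parents, leaf = prop.split(".")
        for part in parents:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise ValueError(f"{prop!r} conflicts with a scalar value")
        node[leaf] = value
    return payload


# One JSONPath segment at a time; only the operators used in the reference's
# examples are supported (subset, not the full JSONPath grammar).
_SEGMENT = re.compile(r"""
      \.\.(?P<deep>[A-Za-z_]\w*)                                      # ..name
    | \.(?P<child>[A-Za-z_]\w*)                                       # .name
    | \[\?\(@\.(?P<fkey>[A-Za-z_]\w*)\s*==\s*'(?P<fval>[^']*)'\)\]    # [?(@.k == 'v')]
    | \[(?P<index>\d+)\]                                              # [n]
""", re.VERBOSE)


def _descendants(node):
    """Pre-order walk over a node and everything below it (for the '..' operator)."""
    yield node
    if isinstance(node, dict):
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        children = ()
    for child in children:
        yield from _descendants(child)


def _child(node, name):
    """Child lookup; 'length' on an array yields its size, as in $.data.length."""
    if isinstance(node, dict) and name in node:
        return [node[name]]
    if isinstance(node, list) and name == "length":
        return [len(node)]
    return []


def jsonpath(doc, query):
    """Evaluate the supported JSONPath subset; returns all matches in document order."""
    if not query.startswith("$"):
        raise ValueError("query must start with '$'")
    nodes, pos = [doc], 1
    while pos < len(query):
        m = _SEGMENT.match(query, pos)
        if m is None:
            raise ValueError(f"unsupported syntax at offset {pos}: {query[pos:]!r}")
        pos = m.end()
        found = []
        if m.group("deep"):
            for n in nodes:
                for d in _descendants(n):
                    found.extend(_child(d, m.group("deep")))
        elif m.group("child"):
            for n in nodes:
                found.extend(_child(n, m.group("child")))
        elif m.group("fkey"):
            for n in nodes:
                if isinstance(n, list):
                    found.extend(e for e in n if isinstance(e, dict)
                                 and str(e.get(m.group("fkey"))) == m.group("fval"))
        else:
            i = int(m.group("index"))
            found.extend(n[i] for n in nodes if isinstance(n, list) and i < len(n))
        nodes = found
    return nodes


def initial_value(doc, query):
    """The first match becomes the field's initial value; all others are discarded."""
    matches = jsonpath(doc, query)
    return matches[0] if matches else None
```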
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiInputFieldConfig
    id: ConfigurableUiInputFieldConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      htmlId:
      initialValueQuery:
      label:
      maskInput: false
      placeholder:
      property:
      submitToServer: true
      validations:
    

    Integer Context Data

    Description
    Non-interactive user context data item that stores an integer value.
    Class
    com.airlock.iam.userselfreg.application.configuration.definition.IntegerNonInteractiveUserDataItemDefinitionConfig
    May be used by
    Properties
    Context Data Field (contextDataField)
    Description
    The name of the context data where the value will be stored.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Value Provider (valueProvider)
    Description
    Provides the value for the context data.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.definition.IntegerNonInteractiveUserDataItemDefinitionConfig
    id: IntegerNonInteractiveUserDataItemDefinitionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataField:
      valueProvider:
    

    Integer Context Data Item Config

    Description
    Context Data item of type Integer.

    The database column must be of an integer type (e.g. INTEGER) and the values in the context data container are guaranteed to be of type java.lang.Integer. NULL values on the persistency are interpreted as 0.

    Class
    com.airlock.iam.core.application.configuration.contextdata.IntegerContextDataItemConfig
    May be used by
    Properties
    Context Data Name (contextDataName)
    Description
    Defines the reusable context data item representing the name and type of a value in the context data.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Database Column Name (databaseColumnName)
    Description
    The name of the database column to load into the context data in case it differs from the Context Data Name.
    Attributes
    String
    Optional
    Example
    failed_logins
    Example
    total_logins
    Readonly On Update (readonlyOnUpdate)
    Description
    If enabled, this context data field is treated as read-only during updates of the user data. However, the field will still be persisted when inserting the user.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.application.configuration.contextdata.IntegerContextDataItemConfig
    id: IntegerContextDataItemConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataName:
      databaseColumnName:
      readonlyOnUpdate: false
    

    Integer Context Data Item Name

    Description
    Context Data item of type Integer.
    Class
    com.airlock.iam.core.application.configuration.contextdata.IntegerContextDataItemNameConfig
    May be used by
    Properties
    Context Data Name (contextDataName)
    Description
    The name of the context data field under which the integer value is stored.
    Attributes
    String
    Mandatory
    Example
    failed_logins
    Example
    total_logins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.application.configuration.contextdata.IntegerContextDataItemNameConfig
    id: IntegerContextDataItemNameConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataName:
    

    Integer Context Data Value Provider

    Description

    Provides the integer value contained in the specified context data item of the user.

    Make sure the configured context data item is also configured on the user persister.

    Class
    com.airlock.iam.common.application.configuration.valueprovider.contextdata.ContextDataIntegerValueProviderConfig
    May be used by
    Properties
    Context Data Field (contextDataField)
    Description
    Context data field whose value will be returned.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Mandatory (mandatory)
    Description

    If enabled, the value provided by this context data item is not allowed to be null.

    If this option is enabled and the context data item is null (e.g. if the configured context data is not configured on the user persister), an exception will be thrown at runtime.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.valueprovider.contextdata.ContextDataIntegerValueProviderConfig
    id: ContextDataIntegerValueProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataField:
      mandatory: false
    

    Interactive Goto Target Config

    Description
    Configuration of an interactive goto target.
    Class
    com.airlock.iam.flow.api.application.configuration.step.InteractiveGotoTargetConfig
    May be used by
    mTAN Transaction Approval Step Secret Questions Identity Verification Step Airlock 2FA Authentication Step Airlock 2FA Recovery Trusted Session Binding Step Email Identity Verification Step Airlock 2FA Self-Service Approval Step OTP Check via RADIUS Step OAuth 2.0 SSO Step Cronto Device Selection Step FIDO Public Self-Service Approval Step Cronto Transaction Approval Step Email OTP Transaction Approval Step Vasco OTP Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step mTAN Authentication Step Cronto Authentication Step User Data Edit Step Account Link Linking Initiation Step Account Link Removal Initiation Step CrontoSign Swiss Push Activation Step Email Verification Step SSI Passwordless Authentication Step Airlock 2FA Transaction Approval Step FIDO Credential Selection Step Selection Step for Public Self-Service OATH OTP Activation Step Enable Cronto Push Initiation Step Migration Selection Step SSI Issuance Step Phone Number Verification Step mTAN Public Self-Service Approval Step User Data Registration Step Config Cronto Approval Stealth Step Disable FIDO Credential Initiation Step Delete FIDO Credential Initiation Step OAuth 2.0 Consent Step Password-only Authentication Step SMS Identity Verification Step Cronto Public Self-Service Approval Step Matrix Public Self-Service Approval Step Delete Cronto Device Initiation Step Vasco OTP Authentication Step Device Token Registration Step Password Reset Step Enable FIDO Credential Initiation Step Device Token Authentication Step Matrix Self-Service Approval Step User Identification By Data Step (Public Self-Service) Cronto Activation Step Email OTP Authentication Step Email Change Verification Step FIDO Self-Service Approval Step Airlock 2FA Activation Step Airlock 2FA Device Edit Initiation Step Select mTAN Token Step Secret Questions Provisioning Step Airlock 2FA Device Edit Step Start User Representation Step Mandatory Password Change Step Config Disable Cronto Device Initiation Step OAuth 2.0 Consent Grant Initiation Step Airlock 2FA Activation Trusted Session Binding Step FIDO Registration Step Delete Remember-Me Device Initiation Step Transaction Approval Parameter Step User Identification Step User Identification By Data Step Airlock 2FA Usernameless Authentication Step Matrix Authentication Step mTAN Token Edit Step Enable Cronto Device Initiation Step OAuth 2.0 Consent Deny Initiation Step FIDO Authentication Step mTAN Token Registration Step Airlock 2FA Device Delete Initiation Step Username Password Authentication Step Set Password Step Config Password Change Self-Service Step SSI Verification Step Device Token Identity Verification Step Config Cronto Self-Service Approval Step Vasco OTP Self-Service Approval Step Selection Step for User Self-Registration Vasco OTP Device Activation mTAN Self-Service Approval Step Rename Cronto Device Step OATH OTP Authentication Step User Identification Step (Public Self-Service) Delete mTAN Number Initiation Step SSI Authentication Step mTAN Verification Step FIDO Credential Display Name Change Step Legacy Email OTP Authentication Step Selection Step for Self-Service Terms Of Services Step FIDO Passwordless Authentication Step Disable Cronto Push Initiation Step Acknowledge Message Step Airlock 2FA Mobile Only Authentication Step Voluntary Password Change Step OAuth 2.0 Consents Delete Initiation Step Airlock 2FA Activation Step (with additional Activation) Delete OAuth 2.0 Session Initiation Step Selection Step
    Properties
    Target Step ID (targetStepId)
    Description
    The ID of the target step.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Treated As Failure (treatedAsFailure)
    Description
    Whether the transition from the source to the target step via an interactive goto causes the source step to fail. Depending on the configured flow processors this may have different effects. For instance, in an authentication flow with default processors, failing will increment the associated failed login counter.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.api.application.configuration.step.InteractiveGotoTargetConfig
    id: InteractiveGotoTargetConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      targetStepId:
      treatedAsFailure: false
    

    Internal Goto Target Config

    Description
    Configuration of an internal goto target. This allows the step to execute internal gotos including whether the goto is treated as failure. Internal gotos must be directly triggered by the step implementation and cannot be triggered by the client.
    Class
    com.airlock.iam.flow.api.application.configuration.step.InternalGotoTargetConfig
    Properties
    Target Step ID (targetStepId)
    Description
    The ID of the target step.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.api.application.configuration.step.InternalGotoTargetConfig
    id: InternalGotoTargetConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      targetStepId:
    

    International Phone Number User Profile Item Config

    Description
    Plugin to hold a configurable user profile item of type international phone number.

    Phone numbers must be entered in international format. Phone numbers in international format start with a plus sign (+) and the country code. When parsing the phone number, punctuation and white-space as well as any text before the number is ignored (for example, a leading "Tel: "). To persist the phone number, it is formatted according to the ITU-T phone number format E.164.

    This profile item will be represented as a text input field and its value is added to the user's context data, provided that the property name matches the property name in the configured user data.
    Class
    com.airlock.iam.common.application.configuration.userprofile.InternationalPhoneNumberUserProfileItemConfig
    May be used by
    Properties
    Validation Level (validationLevel)
    Description
    This property controls the level of validation that is performed.
    • Default: Full validation of a phone number in international format using length and prefix information. Verifies whether the parsed, canonicalised number is valid. It is not verified whether a particular series of digits entered by the user can actually be dialled from the region provided. For example, the number +41 (0) 78 927 2696 can be parsed into a number with country code '41' and national significant number '789272696'. This is valid, while the original string cannot be dialled.
    • Lenient: Quickly guesses whether a number is a possible phone number by using only the length information, so validation is performed more leniently. In particular, phone numbers that have the correct length but may otherwise be invalid (for example, because the carrier code is invalid) are considered valid. Phone numbers must still be in international format with valid country codes.
    • Minimal: This is the most lenient form of validation. All inputs that can be parsed to a phone number are accepted. For example, phone numbers that are otherwise considered too short or too long (but only to a certain extent) are accepted. Phone numbers must still be in international format with valid country codes.
    Attributes
    Enum
    Optional
    Default value
    DEFAULT
    String Resource Key (stringResourceKey)
    Description
    String identifier for the language-specific string tables.
    Attributes
    String
    Mandatory
    Example
    userdata.label.salutation
    Example
    userdata.label.firstname
    Example
    userdata.label.lastname
    Example
    userdata.label.email
    Example
    userdata.label.nationality
    Example
    userdata.label.birthdate
    Example
    userdata.label.street
    Example
    userdata.label.street-number
    Example
    userdata.label.address2
    Example
    userdata.label.zipcode
    Example
    userdata.label.town
    Example
    userdata.label.state
    Example
    userdata.label.country
    Example
    userdata.label.company
    Example
    userdata.label.department
    Example
    userdata.label.office-phone
    Example
    userdata.label.mobile-phone
    Example
    userdata.label.language
    Example
    userdata.label.correspondence-language
    Example
    userdata.label.realm
    Property Name (propertyName)
    Description
    Name of the context-data field in which the value is stored.
    Attributes
    String
    Mandatory
    Example
    surname
    Example
    givenname
    Example
    email
    Example
    mtan_number
    Optional (optional)
    Description
    Whether this field is optional or mandatory for the user.
    Attributes
    Boolean
    Optional
    Default value
    true
    Modifiable (modifiable)
    Description
    Indicates if the user is allowed to change this property once it is set. Specifically, if this flag is set to false, then during self-registration the property could be set, but when editing the user data, this property would be read-only.
    Attributes
    Boolean
    Optional
    Default value
    true
    Validate Only Changed Values (validateOnlyChangedValues)
    Description
    If enabled, only values that have been changed by the user (compared to the data loaded from the data layer) are validated.
    Attributes
    Boolean
    Optional
    Default value
    true
    Sortable (sortable)
    Description
    If enabled, the attribute is sortable in the user list if the underlying user iterator supports sorting.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.userprofile.InternationalPhoneNumberUserProfileItemConfig
    id: InternationalPhoneNumberUserProfileItemConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      modifiable: true
      optional: true
      propertyName:
      sortable: true
      stringResourceKey:
      validateOnlyChangedValues: true
      validationLevel: DEFAULT
    

    Invalid User Restriction

    Description
    Excludes users that are invalid, either because of the validity flag or the validity period.
    Class
    com.airlock.iam.publicselfservice.application.configuration.restrictions.InvalidUserRestrictionConfig
    May be used by
    Properties
    Enable Feedback (enableFeedback)
    Description

    If enabled, the User Identification Step always returns a specific error code in case this restriction is violated.

    If no restrictions are configured to provide feedback, a flow can also be started for users violating one or more restrictions and the flow will advance to the user identity verification step in stealth mode. In this mode, the initial behavior of the step is the same as for unrestricted users (e.g. an mTAN OTP is required), but all responses are rejected as if they were incorrect. This behavior prevents restricted users from ever proceeding further in the flow and thus offers protection against user enumeration. Please refer to the documentation for more details.

    Irrespective of this setting, once the identity verification step is passed, restrictions are always checked before and after each method call and violations are always reported.

    Security notice: Enabling this feature might allow a client to determine whether certain users exist in the system.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.restrictions.InvalidUserRestrictionConfig
    id: InvalidUserRestrictionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      enableFeedback: false
    

    Invalidate All Tokens Of The Grant

    Description
    Invalidates all tokens that were issued within the grant.

    I.e., if the initial token response was used to obtain additional tokens, all of these tokens will be invalidated.

    Class
    com.airlock.iam.oauth2.application.configuration.token.revocation.AuthorizationInvalidationStrategyConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.token.revocation.AuthorizationInvalidationStrategyConfig
    id: AuthorizationInvalidationStrategyConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Invalidate Single Token

    Description
    Invalidates no other tokens except the token that is being revoked.
    Class
    com.airlock.iam.oauth2.application.configuration.token.revocation.SingleTokenInvalidationStrategyConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.token.revocation.SingleTokenInvalidationStrategyConfig
    id: SingleTokenInvalidationStrategyConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    IP Address Context Extractor

    Description

    Configures client IP address to context mappings. If the IP of the client does not match, the fallback context is used.

    To determine the client IP address behind a gateway, Airlock IAM requires one of these gateway settings:
    • Airlock Gateway (WAF): Verify that "Environment Cookies" are activated on all Loginapp mappings and that the environment cookie prefix in Airlock Gateway and Airlock IAM is the same. The client IP is sent by the WAF in the REMOTE_ADDR cookie (with respect to the configured prefix).
    • Airlock Microgateway: Make sure to extract the client's IP address in Airlock Microgateway Settings.
    Class
    com.airlock.iam.common.application.configuration.context.IpAddressContextExtractor
    May be used by
    Properties
    Mappings (mappings)
    Description
    Defines a list of IPv4 ranges matched against the client IP to determine the configuration context.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Fallback Context (fallbackContext)
    Description
    Name of the context to be used if none of the IP range mappings match.
    Leave empty to implicitly use the default context. If this plugin is used within a "Combining Context Extractor", use "[DEFAULT]" to explicitly return the default context if necessary.
    Attributes
    String
    Optional
    Example
    CTX1
    Example
    EXT
    Example
    [DEFAULT]
    Gateway (gateway)
    Description
    Settings regarding an Airlock Gateway or Airlock Microgateway reverse proxy placed in front of Airlock IAM.

    The client IP address is extracted differently from the request based on this configuration:

    • Airlock Gateway (WAF): client IP is extracted from the environment cookie
    • Airlock Microgateway: client IP is extracted from the configured header
    • When no gateway is configured, the request's remote address is used as client IP

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.context.IpAddressContextExtractor
    id: IpAddressContextExtractor-xxxxxx
    displayName: 
    comment: 
    properties:
      fallbackContext:
      gateway:
      mappings:
    

    IP Address Range Risk Extractor

    Description
    Risk Extractor that determines the client's IP address and compares it to the configured IP ranges. Currently, only IPv4 address ranges are allowed.
    Class
    com.airlock.iam.authentication.application.configuration.risk.extractor.ip.IPAddressRangeRiskExtractorFlowConfig
    May be used by
    Properties
    IP Ranges (ipRanges)
    Description
    A list of IPv4 ranges to check. If the client's IP address is in at least one of the configured ranges, it is considered to be a 'match'.
    Attributes
    String-List
    Mandatory
    Tags On Match (tagsOnMatch)
    Description
    The tags to grant if the current IP address is within one of the configured ranges.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Tags On Mismatch (tagsOnMismatch)
    Description
    The tags to grant if the current IP address is not within one of the configured ranges.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.risk.extractor.ip.IPAddressRangeRiskExtractorFlowConfig
    id: IPAddressRangeRiskExtractorFlowConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      ipRanges:
      tagsOnMatch:
      tagsOnMismatch:
    

    IP Range Context

    Description
    An IP address to context name mapping.
    Class
    com.airlock.iam.common.application.configuration.context.IpRangeContext
    May be used by
    Properties
    IP Ranges (ipRanges)
    Description

    A list of IP ranges resulting in the specified context if they match the client IP. The following notations of IPs and IP ranges are supported:

    • Single IPv4: xxx.xxx.xxx.xxx
    • IPv4 range (CIDR notation): xxx.xxx.xxx.xxx/n
    • IPv4 range (subnet mask): xxx.xxx.xxx.xxx/mmm.mmm.mmm.mmm
    Attributes
    String-List
    Optional
    Configuration Context (configurationContext)
    Description
    The resulting configuration context identifier if the client IP matches the configured IP ranges.
    Use "[DEFAULT]" to explicitly return the default context.
    Attributes
    String
    Mandatory
    Example
    CTX1
    Example
    EXT
    Example
    [DEFAULT]
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.context.IpRangeContext
    id: IpRangeContext-xxxxxx
    displayName: 
    comment: 
    properties:
      configurationContext:
      ipRanges:
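
    How the three IP range notations above are matched, how the IP Address Context Extractor falls back when no IpRangeContext matches, and how the IP Address Range Risk Extractor grants its two tag sets, as an added Python example. This is not Airlock code: first-match-wins ordering of the mappings, tolerating host bits in the address part (strict=False) and the sample mapping table are assumptions made for the example.

```python
import ipaddress

# Value the reference uses to name the default configuration context explicitly.
DEFAULT_CONTEXT = "[DEFAULT]"


def parse_ipv4_range(spec):
    """Accept the three notations of the 'IP Ranges' property.

    Single IPv4 (a.b.c.d), CIDR (a.b.c.d/n) and subnet-mask form
    (a.b.c.d/m.m.m.m). IPv6 and unparseable input raise ValueError, so a
    misconfigured range fails at load time instead of silently never matching.
    """
    spec = spec.strip()
    if "/" not in spec:
        spec += "/32"  # a single address is the /32 network containing it
    # strict=False tolerates host bits in the address part (assumption).
    return ipaddress.IPv4Network(spec, strict=False)


def resolve_context(client_ip, mappings, fallback_context=""):
    """Mimic the IP Address Context Extractor: the first matching mapping wins.

    mappings: list of (ip_ranges, configuration_context) tuples, one per
    IpRangeContext. An empty fallback means 'use the default context', which
    this example expresses as "[DEFAULT]".
    """
    ip = ipaddress.IPv4Address(client_ip)  # IPv6 clients raise ValueError
    for ip_ranges, context in mappings:
        if any(ip in parse_ipv4_range(r) for r in ip_ranges):
            return context
    return fallback_context or DEFAULT_CONTEXT


def risk_tags(client_ip, ip_ranges, tags_on_match, tags_on_mismatch):
    """Mimic the IP Address Range Risk Extractor: grant one of two tag sets."""
    ip = ipaddress.IPv4Address(client_ip)
    matched = any(ip in parse_ipv4_range(r) for r in ip_ranges)
    return list(tags_on_match if matched else tags_on_mismatch)


def validate_mappings(mappings):
    """Parse every configured range once; raises ValueError on the first bad one."""
    for ip_ranges, _context in mappings:
        for r in ip_ranges:
            parse_ipv4_range(r)
    return True


# Constructed sample configuration (not taken from the reference).
SAMPLE_MAPPINGS = [
    (["10.0.0.0/8", "192.168.1.55"], "CTX1"),  # CIDR range plus a single IP
    (["172.16.0.0/255.240.0.0"], "EXT"),       # subnet-mask notation
    (["203.0.113.0/24"], DEFAULT_CONTEXT),     # explicitly map to the default
]

if __name__ == "__main__":
    validate_mappings(SAMPLE_MAPPINGS)
    for ip in ("10.20.30.40", "172.20.1.1", "203.0.113.9", "198.51.100.7"):
        print(ip, "->", resolve_context(ip, SAMPLE_MAPPINGS, fallback_context="OTHER"))
```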
    

    IP-based Target Service

    Description
    This target service is associated with an IP.

    The target service is meant to be used if the IP of the RADIUS client matches the one in the configuration.

    Class
    com.airlock.iam.servicecontainer.app.application.configuration.radius.IPBasedTargetServiceConfig
    May be used by
    License-Tags
    RadiusServer
    Properties
    Client IP (clientIp)
    Description
    IP of the RADIUS client.
    Attributes
    String
    Mandatory
    Example
    192.168.1.55
    Required Roles (requiredRoles)
    Description
    A list of roles used to access the target service.

    The user needs one of the roles in order to get access to the target service.

    If no roles are configured, all authenticated users may access the target service.

    The roles may be transformed before being compared to this list using the role transformers (see separate property).

    Attributes
    String-List
    Optional
    Role Transformation Rules (roleTransformationRules)
    Description
    A list of transformation rules used to modify user roles before being compared to the roles required by an application.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.radius.IPBasedTargetServiceConfig
    id: IPBasedTargetServiceConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      clientIp:
      requiredRoles:
      roleTransformationRules:
    

    Is App Device Condition

    Description
    Plugin for filtering Airlock 2FA devices. It returns true in case the type of the device is an app such as Android or iOS.
    Class
    com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FAAppDevicePredicateConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FAAppDevicePredicateConfig
    id: Airlock2FAAppDevicePredicateConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Is Hardware Device Condition

    Description
    Plugin for filtering Airlock 2FA devices. It returns true in case the device is a hardware device.
    Class
    com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FAHardwareDevicePredicateConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FAHardwareDevicePredicateConfig
    id: Airlock2FAHardwareDevicePredicateConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Is In Cooldown Device Condition

    Description
    Plugin for filtering Airlock 2FA devices. It returns true in case the device is in cooldown.
    Class
    com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FACooldownPredicateConfig
    May be used by
    Properties
    Airlock 2FA Settings (airlock2FASettings)
    Description
    Settings of Airlock 2FA.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FACooldownPredicateConfig
    id: Airlock2FACooldownPredicateConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      airlock2FASettings:
    

    Is Single Device Condition

    Description
    Plugin for filtering Airlock 2FA devices. It returns true in case the device under test is the one and only device in the list of devices this filter is currently applied on.

    An example use case where this predicate can be used is when trying to delete the device used for login unless it is the last device.

    Class
    com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FASingleDevicePredicateConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FASingleDevicePredicateConfig
    id: Airlock2FASingleDevicePredicateConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Java Keystore

    Description
    Configures a Java keystore.
    Class
    com.airlock.iam.core.misc.util.crypto.keystore.JavaKeystoreConfig
    May be used by
    Properties
    Keystore Type (keystoreType)
    Description
    The type of Java keystore to use.
    Attributes
    String
    Optional
    Default value
    JKS
    Suggested values
    JKS, JCEKS
    Keystore File (keystoreFile)
    Description
    The file name of the Java keystore from which the key for the encryption is loaded.
    Attributes
    File/Path
    Mandatory
    Keystore Password (keystorePassword)
    Description
    The password to read the keystore.
    Attributes
    String
    Mandatory
    Sensitive
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.crypto.keystore.JavaKeystoreConfig
    id: JavaKeystoreConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      keystoreFile:
      keystorePassword:
      keystoreType: JKS
    

    JDBC Connection Pool

    Description
    Connection pool using HikariCP. See https://github.com/brettwooldridge/HikariCP for details and information about optimal configuration.
    Class
    com.airlock.iam.core.misc.impl.persistency.db.JdbcConnectionPool
    May be used by
    Properties
    Maximum Pool Size (maximumPoolSize)
    Description

    The maximum pool size is the maximum number of both idle and in-use connections that will be maintained by the pool, thus determining the maximum number of connections to the database backend (per web application). A reasonable value for this is best determined by your database environment. A rule of thumb is to set this roughly to (number of database processor cores * 2) + number of hard disks of the database.

    When the pool reaches this size, and no idle connections are available, getting a connection will block for up to Connection Timeout [milliseconds] milliseconds before timing out.

    Attributes
    Integer
    Optional
    Default value
    20
    Minimum Idle Connections (minimumIdleConnections)
    Description
    This determines the minimum number of idle connections that HikariCP tries to maintain in the pool. If the idle connections dip below this value, HikariCP will make a best effort to restore them quickly and efficiently. However, for maximum performance and responsiveness to spike demands, HikariCP recommends setting the same value for 'Maximum Pool Size' and 'Minimum Idle Connections', allowing HikariCP to act as a fixed-size connection pool. The current default settings are a compromise to support more concurrent requests while still limiting the up-front consumption of connections.

    Note that IAM creates at least one connection pool per deployed module (e.g. Loginapp, Adminapp, Service-Container). Multiple connection pools are created within a module, if differently configured connection pools are present in the configuration. Keep in mind that in multi-instance setups (active-active or horizontally scaling cloud setups) with n instances, the number of connection pools is multiplied by n.

    Attributes
    Integer
    Optional
    Default value
    5
    Connection Timeout [milliseconds] (connectionTimeoutInMs)
    Description

    Sets the maximum time in milliseconds to wait to acquire a live connection. This includes connecting and authenticating to the database and verifying the connection.

    This value is also used as "login timeout" on the underlying SQL driver (if possible).

    Attributes
    Integer
    Optional
    Default value
    5000
    Idle Timeout [minutes] (idleTimeoutInMinutes)
    Description

    Sets the maximum time in minutes a connection is allowed to be idle before it is closed. This setting is useful when a firewall drops idle connections after a while, to proactively close idle connections beforehand.

    This setting only applies when "Minimum Idle Connections" is defined to be less than "Maximum Pool Size". Whether a connection is retired as idle or not is subject to a maximum variation of +30 seconds (to avoid retiring many connections at the same time). A connection will never be retired as idle before this timeout. Once the pool reaches "Minimum Idle Connections", connections will no longer be retired, even if idle.

    Attributes
    Integer
    Optional
    Default value
    10
    Maximum Connection Lifetime [minutes] (maxLifetimeInMinutes)
    Description
    Sets the maximum lifetime of a connection in the pool. An in-use connection will never be retired, only when it is closed will it then be removed. On a connection-by-connection basis, minor negative attenuation is applied to avoid mass-extinction in the pool. We strongly recommend setting this value, and it should be at least 1 minute less than any database or infrastructure imposed connection time limit. A value of 0 indicates no maximum lifetime (infinite lifetime), subject of course to the "Idle Timeout" setting.
    Attributes
    Integer
    Optional
    Default value
    30
    Leak Detection Threshold [seconds] (leakDetectionThresholdInSeconds)
    Description
    This sets the amount of time that a connection can be out of the pool before a message is logged (without closing the connection). This may, but does not necessarily, indicate an actual connection leak. Typically, it indicates performance problems on the database.
    Attributes
    Integer
    Optional
    Default value
    60
    Transaction Isolation Level (transactionIsolationLevel)
    Description
    Determines the default transaction isolation level of connections returned from the pool. If this property is not specified, the default transaction isolation level defined by the JDBC driver is used. Only use this property if you have specific isolation requirements that are common for all queries. Use one of the suggested constant names or a corresponding integer value.
    Attributes
    String
    Optional
    Suggested values
    TRANSACTION_READ_COMMITTED, TRANSACTION_REPEATABLE_READ, TRANSACTION_NONE, TRANSACTION_READ_UNCOMMITTED, TRANSACTION_SERIALIZABLE
    Enable JMX (enableJmx)
    Description
    Enables the registration of JMX Management Beans ("MBeans").
    Attributes
    Boolean
    Optional
    Default value
    false
    Connection Init SQL (connectionInitSql)
    Description
    Sets an SQL statement that will be executed after every new connection creation before adding it to the pool. If this SQL is not valid or throws an exception, it will be treated as a connection failure and the standard retry logic will be followed. This statement is normally not needed and would only hamper performance.
    Attributes
    String
    Optional
    Driver Class (driverClass)
    Description

    The class name of the JDBC driver to use. The driver must be on the class path. This property is required for preloading the correct driver class and for detecting the SQL dialect.

    Legacy drivers:

    • For Oracle before 9i use oracle.jdbc.driver.OracleDriver.
    • For MySQL 5.x use com.mysql.jdbc.Driver.

    Attributes
    String
    Mandatory
    Suggested values
    org.h2.Driver, com.mysql.cj.jdbc.Driver, org.mariadb.jdbc.Driver, oracle.jdbc.OracleDriver, com.microsoft.sqlserver.jdbc.SQLServerDriver, org.postgresql.Driver
    URL (url)
    Description
    The URL (also called "connect string") to connect to the database using the JDBC driver. The exact format of the string depends on the JDBC driver and contains hostname, port and possibly other information.
    Attributes
    String
    Mandatory
    Example
    jdbc:h2:tcp://localhost:9001/iamdb
    Example
    jdbc:mysql://host:3306/iamdb
    Example
    jdbc:mysql://host:3306/iamdb?useSSL=true&requireSSL=true
    Example
    jdbc:mariadb://host:3306/iamdb
    Example
    jdbc:oracle:thin:@host:1521:SID
    Example
    jdbc:sqlserver://host:1433;databaseName=IAM
    Example
    jdbc:postgresql://host:5432/iamdb
    User (user)
    Description
    The username used to log in to the database.
    Attributes
    String
    Mandatory
    Example
    admin
    Example
    dba
    Example
    airlock
    Password (password)
    Description
    The password used to log in to the database.
    Attributes
    String
    Mandatory
    Sensitive
    Connection Test Statement (connectionTestStatement)
    Description

    SQL statement to test the database connection. Only use this property if your connections aren't correctly tested for validity. A JDBC 4.0 driver is usually able to test the connection validity with an internal mechanism, without an explicit test statement.

    For H2 databases, a statement involving a table name should be used.

    This is database specific and should be set to a query that consumes the minimal amount of load on the server.

    Attributes
    String
    Optional
    Suggested values
    /* ping */ SELECT 1, SELECT NOW(), SELECT 1 FROM DUAL, SELECT COUNT(*) FROM medusa_admin
    SQL Dialect (sqlDialect)
    Description

    The SQL dialect to use. SQL dialects have minor – but important – differences: For example, Oracle does not support auto-increment, or MSSQL requires extra information for an insert statement with default values.

    With the default setting (AUTOMATIC), the dialect is automatically determined based on the "Driver Class" of the JDBC driver. When using a non-standard "Driver Class", the SQL dialect of the underlying database cannot be determined automatically and must be set to the correct value here.

    Attributes
    Enum
    Optional
    Default value
    AUTOMATIC
    Driver Properties (driverProperties)
    Description
    Additional properties that will be passed on to the JDBC driver itself.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.persistency.db.JdbcConnectionPool
    id: JdbcConnectionPool-xxxxxx
    displayName: 
    comment: 
    properties:
      connectionInitSql:
      connectionTestStatement:
      connectionTimeoutInMs: 5000
      driverClass:
      driverProperties:
      enableJmx: false
      idleTimeoutInMinutes: 10
      leakDetectionThresholdInSeconds: 60
      maxLifetimeInMinutes: 30
      maximumPoolSize: 20
      minimumIdleConnections: 5
      password:
      sqlDialect: AUTOMATIC
      transactionIsolationLevel:
      url:
      user:
    

    Jdbc Driver Property

    Description
    Holds information about additional driver-specific properties.
    Class
    com.airlock.iam.core.misc.impl.persistency.db.JdbcDriverProperty
    May be used by
    Properties
    Property (property)
    Description
    The name of the driver property.
    Attributes
    String
    Mandatory
    Example
    oracle.net.encryption_client
    Example
    oracle.net.encryption_types_client
    Value (value)
    Description
    The value of the driver property.
    Attributes
    String
    Mandatory
    Example
    REJECTED
    Example
    ACCEPTED
    Example
    REQUESTED
    Example
    REQUIRED
    Example
    RC4_256
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.persistency.db.JdbcDriverProperty
    id: JdbcDriverProperty-xxxxxx
    displayName: 
    comment: 
    properties:
      property:
      value:
    

    JSON String Escaper

    Description

    Escapes a string to be safely used inside a JSON string.

    Note: This plugin can only handle JSON strings, not numbers or other value types. The quotes around the values must be part of the template (e.g. {"message":"Hello, ${name}!"}).

    Class
    com.airlock.iam.common.application.configuration.encoder.JsonStringEscaperConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.encoder.JsonStringEscaperConfig
    id: JsonStringEscaperConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Jsoup HTML Element Attribute Extractor

    Description
    Selects an HTML element out of an HTML page using a CSS style syntax and extracts an attribute of the selected element.
    Class
    com.airlock.iam.core.misc.util.html.JsoupHtmlElementAttributeExtractor
    May be used by
    Properties
    Jsoup Css Content Selector (jsoupCssContentSelector)
    Description
    Jsoup CSS style selector according to which the HTML element should be selected.

    A description of the selector syntax can be found in the Jsoup online documentation.

    Attributes
    String
    Mandatory
    Example
    input[name=FORM_TOKEN]
    Attribute Name (attributeName)
    Description
    The name of the attribute that is extracted from the selected HTML element.
    Attributes
    String
    Optional
    Default value
    value
    Example
    value
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.html.JsoupHtmlElementAttributeExtractor
    id: JsoupHtmlElementAttributeExtractor-xxxxxx
    displayName: 
    comment: 
    properties:
      attributeName: value
      jsoupCssContentSelector:
    

    JSP Remember-Me Settings

    Description

    Configuration for the legacy implementation for Remember-Me using the JSP Loginapp.

    This plugin is only needed for:

    • Migrating legacy cookies during an authentication flow.
    • Displaying and deleting legacy cookies in the Adminapp user management.

    Class
    com.airlock.iam.common.application.configuration.rememberme.JspRememberMeConfig
    May be used by
    Properties
    Cookie Lifetime (cookieLifetime)
    Description
    The maximum lifetime of the cookie. After this time, the cookie will be invalidated no matter whether it has been used recently or not.

    Duration must be specified like "2d 4h 10m 5s" or any part thereof.

    Attributes
    String
    Optional
    Default value
    7d
    Example
    10d
    Example
    8h
    Example
    2d 12h
    Cookie Idle Timeout (cookieIdleTimeout)
    Description
    The optional idle timeout of the cookie. If a cookie hasn't been used for this amount of time, it will be invalidated no matter whether it has reached its lifetime or not. When this property is not set, every cookie will only expire when its lifetime has been reached or it has been invalidated by other means.

    Duration must be specified like "2d 4h 10m 5s" or any part thereof.

    Attributes
    String
    Optional
    Example
    10d
    Example
    8h
    Example
    2d 12h
    Credential Persister (credentialPersister)
    Description
    Credential persister plugin used to load and store the cookie secrets.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Cookie Name (cookieName)
    Description
    The name of the Remember-Me cookie.

    If this name is changed, the Airlock Gateway has to be reconfigured to pass-through and encrypt this cookie.

    Attributes
    String
    Optional
    Default value
    RememberMe
    Example
    RememberMe
    Cookie Domain (cookieDomain)
    Description
    The domain for which the cookie is set. If left empty, the cookie will automatically be sent back only to the originating domain which set it in the first place.
    Attributes
    String
    Optional
    Example
    www.airlock.com
    Example
    airlock.com
    Cookie Path (cookiePath)
    Description
    The path for which the cookie is set. The path determines where the cookie is sent to by the browser.

    Use the variable "%ENTRYPATH%" to automatically set the correct path even if used behind an Airlock Gateway.

    Attributes
    String
    Optional
    Default value
    %ENTRYPATH%
    Example
    %ENTRYPATH%
    Example
    /
    Example
    /auth
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.rememberme.JspRememberMeConfig
    id: JspRememberMeConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      cookieDomain:
      cookieIdleTimeout:
      cookieLifetime: 7d
      cookieName: RememberMe
      cookiePath: %ENTRYPATH%
      credentialPersister:
    

    JWE Password Decryption

    Description

    Decryption service accepting encrypted passwords in JWE format (as specified in https://tools.ietf.org/html/rfc7516).

    The encryption information contained in the step responses (additional data "e2eEncryptionInformation") consists of a type (always "type"="JWE"), a nonce (element "nonce") and the public key of the configured key pair in JWK format (element "publicKey").

    The password sent by the client for verification must be encrypted in JWE format and include the nonce in the header. The JWE payload must include the password as a JSON string. The location of the password in the payload JSON structure can be configured. By default the JWE payload is expected to be in the following format:

    {
        "header": {
            "nonce": "si04fHDORRELOO0T4nJad8mz9DgPPE9GhArD2reQ2Dk=",
            "alg": "RSA-OAEP-256",
            "enc": "A128GCM"
        },
        "password": "userPasswordInPlaintext"
    }

    For decryption, the private key of the configured "Key Pair" is used.

    Class
    com.airlock.iam.common.application.configuration.e2ee.JwePasswordDecryptionConfig
    May be used by
    License-Tags
    EndToEndPasswordEncryption
    Properties
    Password Json Path (passwordJsonPath)
    Description
    The path pointing to the password within the payload of the JWE, in JSON Pointer format as specified in https://tools.ietf.org/html/rfc6901. The referenced plaintext password must be a JSON string.

    If for example the payload of the JWE looks as follows:

    {
        "user": {
            "id": "8331-1212-1233",
            "password": "userPasswordInPlaintext"
        }
    }

    Then the following JSON Pointer should be configured in order to use "userPasswordInPlaintext" for the password check: /user/password
    Attributes
    String
    Optional
    Default value
    /password
    Example
    /password
    Example
    /user/passwords/0
    Key Pair (keyPair)
    Description
    The configuration of the public/private keypair used for encrypting/decrypting the passwords. The public key information, needed for encrypting the JWE, will be returned by the flow step.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.e2ee.JwePasswordDecryptionConfig
    id: JwePasswordDecryptionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      keyPair:
      passwordJsonPath: /password
    
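The header check and JSON Pointer lookup described above, as an added example that is not part of the Airlock IAM product: it validates the nonce and algorithms in a JWE's protected header and resolves the configured Password Json Path in the decrypted payload. The RSA-OAEP-256/A128GCM decryption itself is assumed to be done by a JWE library beforehand; the nonce values, ciphertext parts and payload strings are constructed samples.

```python
import base64
import json

# Algorithms announced together with the public key in the step response.
EXPECTED_ALG = "RSA-OAEP-256"
EXPECTED_ENC = "A128GCM"


def _b64url_decode(part: str) -> bytes:
    # JWE compact serialization uses unpadded base64url.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def encode_protected_header(header: dict) -> str:
    """Client side: the first of the five dot-separated JWE parts."""
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def parse_protected_header(jwe_compact: str) -> dict:
    """Split the compact serialization and decode its protected header."""
    parts = jwe_compact.split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact serialization must have 5 parts")
    return json.loads(_b64url_decode(parts[0]))


def check_header(header: dict, expected_nonce: str) -> None:
    """Reject a JWE whose nonce is not the one issued with the encryption
    information (stale or replayed), or that names other algorithms than the
    ones the key pair was published for."""
    if header.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if header.get("alg") != EXPECTED_ALG or header.get("enc") != EXPECTED_ENC:
        raise ValueError("unexpected JWE algorithm")


def resolve_json_pointer(document, pointer: str):
    """RFC 6901: '' is the whole document; each '/'-separated token indexes an
    object key or an array position; '~1' and '~0' unescape to '/' and '~'."""
    if pointer == "":
        return document
    if not pointer.startswith("/"):
        raise ValueError("JSON Pointer must be empty or start with '/'")
    current = document
    for token in pointer[1:].split("/"):
        token = token.replace("~1", "/").replace("~0", "~")
        if isinstance(current, dict) and token in current:
            current = current[token]
        elif isinstance(current, list) and token.isdigit() and int(token) < len(current):
            current = current[int(token)]
        else:
            raise KeyError(f"unresolvable token {token!r}")
    return current


def extract_password(decrypted_payload: str, password_json_path: str = "/password") -> str:
    """Return the plaintext password from the decrypted JWE payload. The value
    the pointer refers to must be a JSON string, as the plugin requires."""
    value = resolve_json_pointer(json.loads(decrypted_payload), password_json_path)
    if not isinstance(value, str):
        raise TypeError("referenced password must be a JSON string")
    return value


if __name__ == "__main__":
    # Constructed sample: the header from the page, with placeholder ciphertext parts.
    header = {"nonce": "si04fHDORRELOO0T4nJad8mz9DgPPE9GhArD2reQ2Dk=",
              "alg": "RSA-OAEP-256", "enc": "A128GCM"}
    compact = ".".join([encode_protected_header(header),
                        "encryptedKey", "iv", "ciphertext", "tag"])
    check_header(parse_protected_header(compact), header["nonce"])
    payload = '{"user": {"id": "8331-1212-1233", "password": "userPasswordInPlaintext"}}'
    print(extract_password(payload, "/user/password"))
```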

    JWKS Ticket Verifier Settings

    Description

    JWT Signature verification based on fetching key information from a URL providing a JWKS (see RFC7517).

    Class
    com.airlock.iam.common.application.configuration.jwt.signature.JwksSignatureVerifierSettings
    May be used by
    Properties
    JWKS URL (url)
    Description

    The URL providing the JWKS. Must be an absolute URL with "https" scheme.

    Attributes
    String
    Mandatory
    HTTP Client (httpClient)
    Description

    The HTTP Client used to fetch the JWKS data.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Cache Refresh Time [minutes] (cacheRefreshTimeInMinutes)
    Description
    Time in minutes until the data from the JWKS endpoint will be invalidated and refreshed on the next use.

    If the data cannot be refreshed because of an error, the previous data will be used.

    The JWKS Cache is reloaded as needed. In particular:

    • if the Cache Refresh Time is exceeded
    • if a key is not yet known
    • if the verification of a signature with a previously known key fails

    Attributes
    Integer
    Optional
    Default value
    10
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.jwt.signature.JwksSignatureVerifierSettings
    id: JwksSignatureVerifierSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      cacheRefreshTimeInMinutes: 10
      httpClient:
      url:
    
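The reload rules above, as an added example that is not the product's implementation: a key cache that refreshes on the three listed triggers and keeps its previous keys when the fetch fails. It assumes an injected fetch function standing in for the HTTP Client and JWKS URL, and uses HMAC-SHA256 over the signed data as a stand-in for the JWS signature check.

```python
import hashlib
import hmac
import time
from typing import Callable, Dict, Optional


def _mac_ok(key: bytes, data: bytes, signature: bytes) -> bool:
    # Stand-in for the JWS signature check (HMAC-SHA256 instead of the JWK's algorithm).
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), signature)


def sign(key: bytes, data: bytes) -> bytes:
    """Issuer side of the stand-in: produces what _mac_ok accepts."""
    return hmac.new(key, data, hashlib.sha256).digest()


class JwksCache:
    """Caches the key set (kid -> key) fetched from the JWKS URL."""

    def __init__(self, fetch_jwks: Callable[[], Dict[str, bytes]],
                 cache_refresh_time_in_minutes: int = 10,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch_jwks   # stands in for the HTTP Client fetching the JWKS URL
        self._refresh_seconds = cache_refresh_time_in_minutes * 60
        self._clock = clock
        self._keys: Dict[str, bytes] = {}
        self._loaded_at: Optional[float] = None
        self.reloads = 0           # counts fetch attempts, for observability

    def _reload(self) -> None:
        self.reloads += 1
        try:
            fresh = self._fetch()
        except Exception:
            return                 # refresh failed: keep serving the previous key set
        self._keys = dict(fresh)
        self._loaded_at = self._clock()

    def _expired(self) -> bool:
        return (self._loaded_at is None
                or self._clock() - self._loaded_at >= self._refresh_seconds)

    def verify(self, kid: str, data: bytes, signature: bytes) -> bool:
        reloaded = False
        if self._expired():                          # 1. Cache Refresh Time exceeded
            self._reload()
            reloaded = True
        if kid not in self._keys and not reloaded:   # 2. key not yet known (rotation)
            self._reload()
            reloaded = True
        key = self._keys.get(kid)
        if key is not None and _mac_ok(key, data, signature):
            return True
        if reloaded:
            return False
        # 3. A previously known key failed to verify: reload once and retry.
        # A stream of invalid signatures carrying a known kid therefore costs one
        # JWKS fetch per attempt; the HTTP Client's timeouts bound that cost.
        self._reload()
        key = self._keys.get(kid)
        return key is not None and _mac_ok(key, data, signature)
```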

    JWT Access Token Format

    Description
    JWT Access Tokens allow adding metadata to the token. This is useful when clients send Access Tokens to third parties (e.g. resource servers). These third parties can read metadata directly from the token (e.g. validity time), without making any requests (e.g. Token Introspection) to the authorization server.

    Security Warning: Using this feature has a major security drawback: Revoked / invalidated tokens might still be considered valid by third parties.

    Third parties must validate the JWT according to current security best practices (signature validation, validation of Registered Claims, etc.).

    The JWT always includes the following claims:
    • iat - Issue Time
    • nbf - Not Valid Before
    • exp - Expiration Time (claim is not included if token has infinite validity)
    • jti - JWT ID (random value)
    • random - A random value defined through "OAuth 2.0 Token Generator Settings" for the token entropy
    • scope - A JSON array defining the scope of the access token
    Class
    com.airlock.iam.oauth2.application.configuration.token.JwtAccessTokenFormatConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Include Subject Claim (includeSubjectClaim)
    Description
    If enabled, the username will be included as subject claim (sub).
    Attributes
    Boolean
    Optional
    Default value
    false
    Issuer (issuer)
    Description
    The issuer claim (iss). If left empty the claim will not be included.
    Attributes
    String
    Optional
    Audience (audience)
    Description

    The audience claim (aud) to include. If left empty the claim will not be included.

    If there is one audience, the claim is written as a string, for multiple values as an array.

    Attributes
    String-List
    Optional
    Not Valid Before Skew [s] (notValidBeforeSkew)
    Description
    The skew that will be subtracted from the token creation date to define the not-before claim (nbf).
    Attributes
    Integer
    Optional
    Default value
    5
    Scopes As Space Separated String (scopesAsSpaceSeparatedString)
    Description
    When enabled, scopes are written as space-separated string claim (as required by RFC 9086). Otherwise, the scope claim will be issued as a string array, even if it only contains a single value.
    Attributes
    Boolean
    Optional
    Default value
    true
    Custom Claims (customClaims)
    Description

    Custom claims to include in the JWT.

    Multiple claims with the same name can be configured if each has a claim condition which ensures that only one of them will be included at runtime.

    The following claims are automatically set by Airlock IAM and therefore will be ignored if defined as custom claim.
    • iss
    • aud
    • exp
    • nbf
    • iat
    • jti
    • random
    • scope

    Note: When "Persist Claims" is disabled, custom claims are collected when the Access Token is requested by an OAuth 2.0 client and not when the Access Token is issued. Therefore the values of the custom claims may change between issue and request time.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Distributed Claims (distributedClaims)
    Description

    Distributed Claims to add to the JWT.

    These claims add to the response a URL of a third-party claims provider from which additional claims may be obtained.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Signature (signature)
    Description
    The signature of the Access Token.

    Security Warning: The signature must be verified by the consumer of the JWT before the content is interpreted. When using "JWT Access Token No Signature", the consumer must not trust the content of the JWT and therefore not use it as authenticated data.

    Security Warning: Verifying the signature and validity of the self-contained JWT is not sufficient to validate the access token. The access token might have been revoked and thus consumers must verify the validity of the access token (e.g. using Token Introspection) before being used for access control.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.token.JwtAccessTokenFormatConfig
    id: JwtAccessTokenFormatConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      audience:
      customClaims:
      distributedClaims:
      includeSubjectClaim: false
      issuer:
      notValidBeforeSkew: 5
      scopesAsSpaceSeparatedString: true
      signature:
    
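Building the claim set according to the rules above, as an added example that is not Airlock IAM code: the automatically set claims override colliding custom claims, 'exp' is omitted for infinite validity, 'aud' becomes a string or an array depending on its size, and 'scope' follows the Scopes As Space Separated String setting. The 'random' value is generated here with secrets.token_urlsafe as a stand-in for the Token Generator Settings.

```python
import secrets
from typing import Dict, Iterable, List, Optional

# Claims Airlock IAM sets itself; colliding custom claims are ignored.
RESERVED_CLAIMS = {"iss", "aud", "exp", "nbf", "iat", "jti", "random", "scope"}


def build_access_token_claims(
    issued_at: int,
    scopes: Iterable[str],
    lifetime_seconds: Optional[int],
    issuer: Optional[str] = None,
    audience: Optional[List[str]] = None,
    subject: Optional[str] = None,
    not_valid_before_skew: int = 5,
    scopes_as_space_separated_string: bool = True,
    custom_claims: Optional[Dict[str, object]] = None,
) -> Dict[str, object]:
    """Return the claim set; lifetime_seconds=None models infinite validity."""
    claims: Dict[str, object] = {
        name: value for name, value in (custom_claims or {}).items()
        if name not in RESERVED_CLAIMS
    }
    claims["iat"] = issued_at
    claims["nbf"] = issued_at - not_valid_before_skew   # skew subtracted from creation time
    if lifetime_seconds is not None:
        claims["exp"] = issued_at + lifetime_seconds      # omitted for infinite validity
    claims["jti"] = secrets.token_urlsafe(16)             # random JWT ID
    claims["random"] = secrets.token_urlsafe(32)          # stands in for the token entropy
    scope_list = list(dict.fromkeys(scopes))              # duplicate scope tokens carry no meaning
    claims["scope"] = " ".join(scope_list) if scopes_as_space_separated_string else scope_list
    if subject is not None:                               # Include Subject Claim
        claims["sub"] = subject
    if issuer:                                            # Issuer: empty means no claim
        claims["iss"] = issuer
    if audience:                                          # one value: string, several: array
        claims["aud"] = audience[0] if len(audience) == 1 else list(audience)
    return claims
```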

    JWT Access Token No Signature

    Description
    JWT Access Tokens will not be signed.

    Security Warning: The consumer must not trust the content of the JWT and therefore not use it as authenticated data.

    Class
    com.airlock.iam.oauth2.application.configuration.token.JwtAccessTokenNoSignature
    May be used by
    License-Tags
    OAuthServer
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.token.JwtAccessTokenNoSignature
    id: JwtAccessTokenNoSignature-xxxxxx
    displayName: 
    comment: 
    properties:
    

    JWT Access Token Private Key Signature

    Description
    JWT Access Tokens will be signed using a private key signature.
    Class
    com.airlock.iam.oauth2.application.configuration.signature.JwtAccessTokenPrivateKeySignature
    May be used by
    License-Tags
    OAuthServer
    Properties
    Algorithm (algorithm)
    Description
    Private key based signature algorithm to use.
    Attributes
    Enum
    Optional
    Default value
    RS256
    Keystore File (keystoreFile)
    Description
    Keystore file name containing the certificate and key used to sign the JWT.
    Attributes
    File/Path
    Mandatory
    Keystore Password (keystorePassword)
    Description
    The password used to open the keystore.
    Attributes
    String
    Optional
    Sensitive
    Signing Key Alias (signingKeyAlias)
    Description
    The alias of the key used to sign the JWT. This field can be omitted if the keystore only contains one private key entry.
    Attributes
    String
    Optional
    Example
    alias
    Signing Key Password (signingKeyPassword)
    Description
    The password used to retrieve the key from the keystore. This password can be the same as the keystore password.
    Attributes
    String
    Mandatory
    Sensitive
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.signature.JwtAccessTokenPrivateKeySignature
    id: JwtAccessTokenPrivateKeySignature-xxxxxx
    displayName: 
    comment: 
    properties:
      algorithm: RS256
      keystoreFile:
      keystorePassword:
      signingKeyAlias:
      signingKeyPassword:
    

    JWT Scope Handling

    Description

    Defines the "scope" token exchange response parameter and issued JWT claim.

    Note: The order of the scope tokens that define the scope is not defined and thus may vary for every exchange. The meaning of a scope is independent of the order of the scope tokens (see RFC6749). Furthermore, adding a scope token more than once has no effect on the scope value.

    Class
    com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtScopeHandlingConfig
    May be used by
    License-Tags
    OAuthTokenExchange
    Properties
    Scope Processors (scopeProcessors)
    Description

    List of scope processors that define the issued scopes.

    The issued scopes are determined by successively applying each scope processor to the scopes issued by the previous one. The first scope processor in the list is applied to an empty set.

    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Scope Policy (scopePolicy)
    Description

    The scope policy defines how the scopes produced by the scope processors are processed.

    Depending on the selected policy, the following rules apply:

    • Scopes Mandatory: It is mandatory for the scope processors to return at least one scope, otherwise the request is denied.
      • For static clients for which 'Filter Requested Scopes' is enabled: the returned scopes are filtered against the client's allowed scopes and if the client has no allowed scopes, this is treated as if the scope processors had not returned any scopes at all.
      • For static clients for which 'Filter Requested Scopes' is disabled: the returned scopes are not filtered (i.e. all scopes are allowed).
      • For persisted clients, the allowed scopes to return are stored per client and it can be configured there what the effect of an empty list of allowed scopes is.
    • Empty Scopes Allowed: It is optional for scope processors to return scopes.
      If scopes are returned:
      • For static clients for which 'Filter Requested Scopes' is enabled: the returned scopes are filtered against the client's allowed scopes and if the client has no allowed scopes, this is treated as if the scope processors had not returned any scopes at all.
      • For static clients for which 'Filter Requested Scopes' is disabled: the returned scopes are not filtered (i.e. all scopes are allowed).
      • For persisted clients, the allowed scopes to return are stored per client and it can be configured there what the effect of an empty list of allowed scopes is.
    • Always Overwrite Scopes: The scopes returned by the scope processors are ignored and replaced by the default scopes of the client. If the client has no default scopes, this is treated as if the client has not requested any scopes at all.
      With this policy, the 'Filter Requested Scopes' flag of static clients is ignored.
    • Empty Scopes Overwritten: When the scope processors do not return any scopes, the request is treated as if the default scopes of this client were returned.
      If scopes are returned:
      • For static clients for which 'Filter Requested Scopes' is enabled: the returned scopes are filtered against the client's allowed scopes and if the client has no allowed scopes, this is treated as if the scope processors had not returned any scopes at all.
      • For static clients for which 'Filter Requested Scopes' is disabled: the returned scopes are not filtered (i.e. all scopes are allowed).
      • For persisted clients, the allowed scopes to return are stored per client and it can be configured there what the effect of an empty list of allowed scopes is.
    Attributes
    Enum
    Optional
    Default value
    SCOPES_MANDATORY
    Allow Issuing Tokens With No Scope (emptyScopeAllowed)
    Description

    Defines whether issuing tokens with an empty scope is allowed or not.

    If this option is disabled, token exchange requests resulting in a token with an empty scope will result in an invalid request error.

    Attributes
    Boolean
    Optional
    Default value
    false
    Scopes As Space Separated String (scopesAsSpaceSeparatedString)
    Description

    When enabled, scopes in the issued token are written as space-separated string claim (as required by RFC 9086). Otherwise, the "scope" claim will be issued as a string array, even if it only contains a single value.

    Note that the scopes are also directly returned in the token exchange response. Those scopes are always returned as space-separated string (irrespective of this setting) as required by the token exchange specification.

    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtScopeHandlingConfig
    id: OAuth2TokenExchangeJwtScopeHandlingConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      emptyScopeAllowed: false
      scopePolicy: SCOPES_MANDATORY
      scopeProcessors:
      scopesAsSpaceSeparatedString: true
    

    JWT Ticket Decoder

    Description

    Configures the JWT (JSON Web Token) ticket decoder.

    The decoder verifies a ticket's MAC or signature and decrypts it in case encryption is enabled. A ticket is required to contain at least a subject ('sub' claim) and an expiration date ('exp' claim). Additionally an issuer ('iss' claim) and audience ('aud' claim) might be required, if configured. A 'not before' ('nbf' claim) is validated if present but only mandatory if configured to be.

    If the ticket starts with a "Bearer " prefix (e.g. when taken from an HTTP Authorization header), the prefix is removed before decoding the JWT.

    Class
    com.airlock.iam.common.application.configuration.jwt.JwtTicketDecoderSettings
    May be used by
    Properties
    Username Ticket Key (usernameTicketKey)
    Description

    The ticket key for the username. The username in the 'sub' claim of the JWT will be written to the IAM ticket using this ticket key.

    If using this ticket decoder for the loginapp's "SSO Ticket Feature", the value of this attribute must be "username".

    Attributes
    String
    Mandatory
    Example
    username
    Not Before Is Mandatory (notBeforeIsMandatory)
    Description
    If set to true, the incoming JWT must have a 'nbf' claim. Note that this setting does not affect validation of the 'nbf' claim. If this claim is present, it will always be validated.
    Attributes
    Boolean
    Optional
    Default value
    true
    Valid Not Before Skew (validNotBeforeSkew)
    Description
    The configured value in seconds is added to the current time before validating the 'nbf' claim. The motivation to compare the 'nbf' claim with a time in the future is to avoid clock synchronization problems with the JWT issuer.
    Attributes
    Integer
    Optional
    Default value
    5
    Not Before Ticket Key (notBeforeTicketKey)
    Description
    The ticket key for the not before claim. The JWT not before claim ('nbf') will be written to that field. Note that this field is optional. If not set, the 'nbf' claim of the JWT won't be written into the ticket.
    Attributes
    String
    Optional
    Issued At Is Mandatory (issuedAtIsMandatory)
    Description
    If set to true, the incoming JWT must have an 'iat' claim.
    Attributes
    Boolean
    Optional
    Default value
    true
    Issued At Ticket Key (issuedAtTicketKey)
    Description
    The ticket key for the issued at claim. The JWT issued at claim ('iat') will be written to that field. Note that this field is optional. If not set, the 'iat' claim of the JWT won't be written into the ticket.
    Attributes
    String
    Optional
    Issuer Is Mandatory (issuerIsMandatory)
    Description
    If set to true, the incoming JWT must have an 'iss' claim. Note that this setting does not affect validation of the 'iss' claim. If this claim is present, it will always be validated against the configured list of allowed issuers.
    Attributes
    Boolean
    Optional
    Default value
    true
    Allowed Issuers (allowedIssuers)
    Description
    The allowed values for the issuer claim ('iss') in the JWT. If not configured, the issuer claim is not validated.
    Attributes
    String-List
    Optional
    Issuer Ticket Key (issuerTicketKey)
    Description
    The ticket key for the issuer claim. The JWT issuer claim ('iss') will be written to that field. Note that this field is optional. If not set, the 'iss' claim of the JWT won't be written into the ticket.
    Attributes
    String
    Optional
    Audience Is Mandatory (audienceIsMandatory)
    Description
    If set to true, the incoming JWT must have an 'aud' claim. Note that this setting does not affect validation of the 'aud' claim. If this claim is present, it will always be validated against the configured expected audience entries.
    Attributes
    Boolean
    Optional
    Default value
    false
    Allowed Audiences (allowedAudiences)
    Description
    A list of accepted entries for the audience claim ('aud') of the JWT. If not configured, the audience claim is not validated. To pass validation there must be at least one entry that is present in the audience claim and in the configured list.
    Attributes
    String-List
    Optional
    Audience Ticket Key (audienceTicketKey)
    Description
    The ticket key for the audience claim. The JWT audience claim ('aud') will be written to that field. Note that this field is optional. If not set, the 'aud' claim of the JWT won't be written into the ticket.
    Attributes
    String
    Optional
    Jwt Id Is Mandatory (jwtIdIsMandatory)
    Description
    If set to true, the incoming JWT must have a 'jti' claim.
    Attributes
    Boolean
    Optional
    Default value
    false
    Claims Stored As JSON (claimsStoredAsJson)
    Description
    The claim names that should be interpreted as JSON in the received JWT. If such a claim does not exist in the JWT, it is not written into the ticket. The ticket key is always the claim name. If the JSON of this claim is invalid, an exception is thrown.
    Note: It is not allowed to specify registered claims here. Registered claims are always propagated as specified in RFC 7519.
    Attributes
    String-List
    Optional
    Jwt Id Ticket Key (jwtIdTicketKey)
    Description
    The ticket key for the JWT ID claim. The JWT ID claim ('jti') will be written to that field. Note that this field is optional. If not set, the 'jti' claim of the JWT won't be written into the ticket. In order to use the 'jti' claim as unique ID for the ticket, you must specify 'uniqueId' here. This is mandatory for Ticket-SSO-Setups.
    Attributes
    String
    Optional
    Example
    uniqueId
    Additional Claim Validators (additionalClaimValidators)
    Description
    List of additional claim validators.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Signature Verifier (signatureVerifier)
    Description
    The settings that are used for verifying the MAC or signature of the JWT.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Decrypter (decrypter)
    Description
    The settings that are used for decrypting the JWT. If no plugin is configured, the JWT must be unencrypted.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.jwt.JwtTicketDecoderSettings
    id: JwtTicketDecoderSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      additionalClaimValidators:
      allowedAudiences:
      allowedIssuers:
      audienceIsMandatory: false
      audienceTicketKey:
      claimsStoredAsJson:
      decrypter:
      issuedAtIsMandatory: true
      issuedAtTicketKey:
      issuerIsMandatory: true
      issuerTicketKey:
      jwtIdIsMandatory: false
      jwtIdTicketKey:
      notBeforeIsMandatory: true
      notBeforeTicketKey:
      signatureVerifier:
      usernameTicketKey:
      validNotBeforeSkew: 5
    
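As an added example (not code from the Airlock IAM product or this reference), the following Python models the decoder's claim checks and ticket-key mapping described above: mandatory-claim flags, the 'nbf' skew, allowed issuers and audiences, and the optional ticket keys. DecoderConfig, TicketRejected, the sample token and the rule that unlisted custom claims are copied under their claim name are assumptions made here; MAC verification and decryption are taken to have been performed already by the configured signatureVerifier and decrypter plugins.

```python
import base64
import json
import time
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

REGISTERED_CLAIMS = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"}  # RFC 7519


@dataclass
class DecoderConfig:
    """Mirror of the JwtTicketDecoderSettings properties and their default values."""
    username_ticket_key: str = "username"
    not_before_is_mandatory: bool = True
    valid_not_before_skew: int = 5
    not_before_ticket_key: Optional[str] = None
    issued_at_is_mandatory: bool = True
    issued_at_ticket_key: Optional[str] = None
    issuer_is_mandatory: bool = True
    allowed_issuers: List[str] = field(default_factory=list)
    issuer_ticket_key: Optional[str] = None
    audience_is_mandatory: bool = False
    allowed_audiences: List[str] = field(default_factory=list)
    audience_ticket_key: Optional[str] = None
    jwt_id_is_mandatory: bool = False
    jwt_id_ticket_key: Optional[str] = None  # "uniqueId" for ticket SSO setups
    claims_stored_as_json: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # configuration validation: registered claims may not be listed here
        if REGISTERED_CLAIMS & set(self.claims_stored_as_json):
            raise ValueError("registered claims are not allowed in claimsStoredAsJson")


class TicketRejected(Exception):
    """Raised when the JWT does not satisfy the configured claim rules."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def payload_claims(token: str) -> Dict[str, Any]:
    """Strip an optional 'Bearer ' prefix and decode the payload of a compact JWT.
    MAC/signature verification and decryption belong to the signatureVerifier and
    decrypter plugins and are assumed to have succeeded before the claims are read."""
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    parts = token.split(".")
    if len(parts) != 3:
        raise TicketRejected("not a compact JWS")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))


def claims_to_ticket(claims: Dict[str, Any], cfg: DecoderConfig,
                     now: Optional[int] = None) -> Dict[str, Any]:
    """Validate the claims as the decoder does and map them onto an IAM ticket."""
    now = int(time.time()) if now is None else now
    mandatory = [("sub", True), ("exp", True),
                 ("nbf", cfg.not_before_is_mandatory), ("iat", cfg.issued_at_is_mandatory),
                 ("iss", cfg.issuer_is_mandatory), ("aud", cfg.audience_is_mandatory),
                 ("jti", cfg.jwt_id_is_mandatory)]
    for claim, required in mandatory:
        if required and claim not in claims:
            raise TicketRejected(f"missing mandatory claim '{claim}'")
    if now >= int(claims["exp"]):
        raise TicketRejected("ticket expired")
    # 'nbf' is compared with now + skew so a slightly fast issuer clock is tolerated
    if "nbf" in claims and int(claims["nbf"]) > now + cfg.valid_not_before_skew:
        raise TicketRejected("ticket not yet valid")
    if "iss" in claims and cfg.allowed_issuers and claims["iss"] not in cfg.allowed_issuers:
        raise TicketRejected("issuer not allowed")
    if "aud" in claims and cfg.allowed_audiences:
        aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
        if not set(aud) & set(cfg.allowed_audiences):  # at least one entry must match
            raise TicketRejected("audience not allowed")

    ticket: Dict[str, Any] = {cfg.username_ticket_key: claims["sub"]}
    for claim, key in (("nbf", cfg.not_before_ticket_key), ("iat", cfg.issued_at_ticket_key),
                       ("iss", cfg.issuer_ticket_key), ("aud", cfg.audience_ticket_key),
                       ("jti", cfg.jwt_id_ticket_key)):
        if key and claim in claims:
            ticket[key] = claims[claim]  # registered claims enter only via a ticket key
    for name, value in claims.items():
        if name in REGISTERED_CLAIMS:
            continue
        if name in cfg.claims_stored_as_json:
            ticket[name] = json.loads(value)  # invalid JSON raises json.JSONDecodeError
        else:
            ticket[name] = value  # assumption: other custom claims are copied by name
    return ticket


# Constructed sample ticket; the third segment is a placeholder, not a real MAC.
SAMPLE_CLAIMS = {"sub": "alice", "iss": "https://idp.example", "aud": ["app-a", "app-b"],
                 "iat": 1700000000, "nbf": 1700000000, "exp": 1700000600,
                 "jti": "t-42", "roles": '["user", "admin"]'}
SAMPLE_TOKEN = "Bearer " + ".".join([_b64url(b'{"alg":"HS512","typ":"JWT"}'),
                                     _b64url(json.dumps(SAMPLE_CLAIMS).encode()), "sig"])
```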

    JWT Ticket Direct AES Encryption Settings

    Description

    Configures symmetric direct encryption for JWTs.

    This plugin can be used for JWT encryption and decryption. To decrypt a JWT the same algorithm and key must be used as for encryption.

    Class
    com.airlock.iam.common.application.configuration.jwt.encryption.JwtTicketDirectAesEncryptionSettings
    May be used by
    Properties
    Direct Encryption Method (directEncryptionMethod)
    Description
    The algorithm used for direct encryption. The configured secret must match the length requirements for the configured direct encryption method, see property 'Encryption Key'.
    Attributes
    Enum
    Optional
    Default value
    A256GCM
    Encryption Key (Base64 Encoded) (encryptionKey)
    Description

    The key for the selected direct encryption method, encoded in base64. The minimal required length depends on the configured encryption method and must be chosen as follows:

    • A128GCM: 128 bits / 16 bytes
    • A192GCM: 192 bits / 24 bytes
    • A256GCM: 256 bits / 32 bytes
    • A128CBC_HS256: 256 bits / 32 bytes
    • A192CBC_HS384: 384 bits / 48 bytes
    • A256CBC_HS512: 512 bits / 64 bytes

    One can, for example, generate a random base64 string with 256 bits (32 bytes) using OpenSSL as follows: openssl rand -base64 32

    Attributes
    String
    Mandatory
    Sensitive
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.jwt.encryption.JwtTicketDirectAesEncryptionSettings
    id: JwtTicketDirectAesEncryptionSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      directEncryptionMethod: A256GCM
      encryptionKey:
    

    JWT Ticket EC Signer Settings

    Description

    Configures EC based JWT signatures.

    This plugin can be used for JWT signature creation. An EC based signature is created with a private key and must be validated with the corresponding public key.

    Class
    com.airlock.iam.common.application.configuration.jwt.signature.JwtTicketEcSignerSettings
    May be used by
    Properties
    EC Signature Algorithm (ecSignatureAlgorithm)
    Description
    The algorithm used for signing. Signing requires an EC private key, which will be obtained from the configured keystore using the configured properties (alias and password).

    According to the selected algorithm, the private key must be derived from a specific curve:
    • ES512: NIST Curve P521
    • ES384: NIST Curve P384
    • ES256: NIST Curve P256
    Attributes
    Enum
    Optional
    Default value
    ES512
    Keystore Path (keystorePath)
    Description
    Keystore that holds the private key for JWT token signing.
    Attributes
    File/Path
    Mandatory
    Keystore Password (keystorePassword)
    Description
    Password for the keystore.
    Attributes
    String
    Optional
    Sensitive
    Private Key Alias (privateKeyAlias)
    Description
    Alias for the private key contained in the keystore that should be used for signing. This field can be omitted if the keystore only contains one EC private key with the configured password.
    Attributes
    String
    Optional
    Private Key Password (privateKeyPassword)
    Description
    Password for the private key in the keystore.
    Attributes
    String
    Optional
    Sensitive
    Include KID (includeKid)
    Description
    If enabled, the KID of the public key used to sign a JWT is added to the JWT header. Consumers of the JWT can use the KID to identify the public key that verifies the signature.
    Attributes
    Boolean
    Optional
    Default value
    true
    Add x5t#S256 Header Parameter (addX5tS256HeaderParameter)
    Description
    Indicates whether the x5t#S256 header parameter containing a SHA-256 certificate thumbprint should be added to the JWT header.

    The 'Private Key Alias' is used to find the X.509 certificate in the keystore to compute the thumbprint for. I.e., it is assumed that the alias identifies a private key with the corresponding certificate. If no 'Private Key Alias' is configured, the keystore is assumed to contain exactly one certificate.

    Attributes
    Boolean
    Optional
    Default value
    false
    Add x5t Header Parameter (addX5tHeaderParameter)
    Description
    Indicates whether the x5t header parameter containing a SHA-1 certificate thumbprint should be added to the JWT header.

    The 'Private Key Alias' is used to find the X.509 certificate in the keystore to compute the thumbprint for. I.e., it is assumed that the alias identifies a private key with the corresponding certificate. If no 'Private Key Alias' is configured, the keystore is assumed to contain exactly one certificate.

    Security warning: SHA-1 fingerprints should no longer be used as SHA-1 is considered broken. We recommend the x5t#S256 thumbprint instead.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.jwt.signature.JwtTicketEcSignerSettings
    id: JwtTicketEcSignerSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      addX5tHeaderParameter: false
      addX5tS256HeaderParameter: false
      ecSignatureAlgorithm: ES512
      includeKid: true
      keystorePassword:
      keystorePath:
      privateKeyAlias:
      privateKeyPassword:
    

    JWT Ticket EC Verifier Settings

    Description

    Configures the EC based JWT signature verifier.

    This plugin can be used for JWT signature verification. An EC based signature is created with a private key and must be validated with the corresponding public key.

    Class
    com.airlock.iam.common.application.configuration.jwt.signature.JwtTicketEcVerifierSettings
    May be used by
    Properties
    EC Signature Algorithm (ecSignatureAlgorithm)
    Description
    The algorithm used for signature verification. Signature verification requires an EC certificate (public key), which will be obtained from the configured keystore using the configured alias.

    According to the selected algorithm, the key pair must be derived from a specific curve:
    • ES512: NIST Curve P521
    • ES384: NIST Curve P384
    • ES256: NIST Curve P256
    Attributes
    Enum
    Optional
    Default value
    ES512
    Keystore Path (keystorePath)
    Description
    Keystore that holds the certificate containing the public key for JWT signature verification. Alternatively, it can be a file containing a PEM encoded public key.
    Attributes
    File/Path
    Mandatory
    Keystore Password (keystorePassword)
    Description
    Password for the keystore.
    Attributes
    String
    Optional
    Sensitive
    X.509 Certificate Alias (x509CertificateAlias)
    Description
    Alias for the X.509 certificate contained in the keystore that should be used for signature verification. This field can be omitted if the keystore only contains one X.509 certificate with a public key.
    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.jwt.signature.JwtTicketEcVerifierSettings
    id: JwtTicketEcVerifierSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      ecSignatureAlgorithm: ES512
      keystorePassword:
      keystorePath:
      x509CertificateAlias:
    

    JWT Ticket Encoder

    Description

    Configures the JWT (JSON Web Token) ticket encoder.

    The encoder protects the integrity of the ticket by a MAC or signature according to the configured signer settings. It also has the ability to (optionally) encrypt the ticket if encrypter settings are configured.

    Class
    com.airlock.iam.common.application.configuration.jwt.JwtTicketEncoderSettings
    May be used by
    Properties
    Username Ticket Key (usernameTicketKey)
    Description
    The key used to find the username in the ticket. The username will be written to the subject field ('sub') of the JWT.
    Attributes
    String
    Mandatory
    Suggested values
    username
    Issuer (issuer)
    Description
    The value for the issuer field (iss) in the JWT. If this value is set, the ticket must not contain a value for the key iss.
    Attributes
    String
    Optional
    Example
    Airlock IAM
    Audience (audience)
    Description
    The values for the audience field (aud) in the JWT. If a value is set, the ticket must not contain a value for the key aud. Note: If a single value is configured, it will be sent as string. If multiple values are configured an array is sent. This behaviour cannot be changed by specifying the aud claim in claimsStoredAsArray.
    Attributes
    String-List
    Optional
    Expiration Time [s] (expirationTime)
    Description

    Expiration time in seconds after which the JWT must not be accepted. If configured, a potentially defined expiration time in the ticket is overwritten. When left empty, the ticket's expiration date - if present - is unchanged.

    Note: For security reasons, a short expiration time is preferable.

    Attributes
    Integer
    Optional
    Valid Not Before Skew [s] (validNotBeforeSkew)
    Description
    When generating a JWT, a JWT 'nbf' (not before) claim is added. This claim identifies the time before which the JWT must not be accepted for processing. To determine the 'nbf' in the JWT, the number of seconds configured in this property is subtracted from the JWT issue time. The motivation to set a time in the past is to avoid clock synchronization problems with the JWT receiver.
    Attributes
    Integer
    Optional
    Default value
    5
    Enforce JWT ID (enforceJwtId)
    Description
    The "jti" (JWT ID) claim provides a unique identifier for the JWT. This claim can be used to prevent the JWT from being replayed. A new JWT ID is applied only when no ticket ID is set and no custom jti claim is defined.
    Attributes
    Boolean
    Optional
    Default value
    true
    Claims Stored As Array (claimsStoredAsArray)
    Description
    The keys of ticket fields that should be stored as an array in the JWT. If such a key does not exist in the ticket, an empty array is written into the JWT. Note: It is not allowed to specify registered claims here. Registered claims are always propagated as specified in RFC 7519. The aud claim will be sent as a string if it is a single value and as an array otherwise.
    Attributes
    String-List
    Optional
    Claims Stored As JSON (claimsStoredAsJson)
    Description
    The keys of ticket fields that should be stored as JSON in the JWT. If such a key does not exist in the ticket, the corresponding key is not written into the JWT. The claim name is always the ticket key. If the JSON is invalid, an exception is thrown.
    Note: It is not allowed to specify registered claims here. Registered claims are always propagated as specified in RFC 7519. The aud claim will be sent as string if it is a single value and as array otherwise.
    Attributes
    String-List
    Optional
    Signer (signer)
    Description
    The settings that are used for signing the JWT.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Encrypter (encrypter)
    Description
    The settings that are used for encrypting the JWT. If no plugin is configured the JWT will be sent unencrypted.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.jwt.JwtTicketEncoderSettings
    id: JwtTicketEncoderSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      audience:
      claimsStoredAsArray:
      claimsStoredAsJson:
      encrypter:
      enforceJwtId: true
      expirationTime:
      issuer:
      signer:
      usernameTicketKey:
      validNotBeforeSkew: 5
    
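As an added example (not code from the Airlock IAM product or this reference), the following Python builds the claim set the encoder derives from an IAM ticket before it is signed: the issuer/audience conflict rules, the 'nbf' skew, the expiration override, the jti rule and the array/JSON claim lists. EncoderConfig, EncodingError, the use of the ticket key uniqueId as the ticket ID and the copying of remaining ticket fields as plain claims are assumptions made here.

```python
import json
import time
import uuid
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

REGISTERED_CLAIMS = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"}  # RFC 7519
# Assumption: the ticket ID is stored under the ticket key "uniqueId", the key the
# decoder's jwtIdTicketKey example in this reference uses for the same purpose.
TICKET_ID_KEY = "uniqueId"


@dataclass
class EncoderConfig:
    """Mirror of the JwtTicketEncoderSettings properties and their default values."""
    username_ticket_key: str = "username"
    issuer: Optional[str] = None
    audience: List[str] = field(default_factory=list)
    expiration_time: Optional[int] = None
    valid_not_before_skew: int = 5
    enforce_jwt_id: bool = True
    claims_stored_as_array: List[str] = field(default_factory=list)
    claims_stored_as_json: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # configuration validation: registered claims may not be listed in either list
        if REGISTERED_CLAIMS & set(self.claims_stored_as_array + self.claims_stored_as_json):
            raise ValueError("registered claims are not allowed in claimsStoredAsArray/Json")


class EncodingError(Exception):
    """Raised when the ticket conflicts with the configured claim rules."""


def ticket_to_claims(ticket: Dict[str, Any], cfg: EncoderConfig,
                     now: Optional[int] = None) -> Dict[str, Any]:
    """Build the JWT claim set from an IAM ticket as the encoder does (before signing)."""
    now = int(time.time()) if now is None else now
    if cfg.username_ticket_key not in ticket:
        raise EncodingError(f"ticket has no '{cfg.username_ticket_key}' field")
    # 'nbf' is set validNotBeforeSkew seconds in the past so that a receiver whose
    # clock lags slightly still accepts a freshly issued JWT
    claims: Dict[str, Any] = {"sub": ticket[cfg.username_ticket_key], "iat": now,
                              "nbf": now - cfg.valid_not_before_skew}
    if cfg.issuer is not None:
        if "iss" in ticket:
            raise EncodingError("ticket must not contain 'iss' when Issuer is configured")
        claims["iss"] = cfg.issuer
    elif "iss" in ticket:
        claims["iss"] = ticket["iss"]
    if cfg.audience:
        if "aud" in ticket:
            raise EncodingError("ticket must not contain 'aud' when Audience is configured")
        # one configured audience is sent as a string, several as an array
        claims["aud"] = cfg.audience[0] if len(cfg.audience) == 1 else list(cfg.audience)
    elif "aud" in ticket:
        claims["aud"] = ticket["aud"]
    if cfg.expiration_time is not None:
        claims["exp"] = now + cfg.expiration_time  # overrides any expiry in the ticket
    elif "exp" in ticket:
        claims["exp"] = ticket["exp"]  # left unchanged when no lifetime is configured
    # a new JWT ID is generated only when neither a ticket ID nor a custom jti exists
    if "jti" in ticket:
        claims["jti"] = ticket["jti"]
    elif ticket.get(TICKET_ID_KEY):
        claims["jti"] = ticket[TICKET_ID_KEY]
    elif cfg.enforce_jwt_id:
        claims["jti"] = str(uuid.uuid4())

    for key in cfg.claims_stored_as_array:
        value = ticket.get(key, [])  # a key missing from the ticket becomes an empty array
        claims[key] = value if isinstance(value, list) else [value]
    for key in cfg.claims_stored_as_json:
        if key in ticket:  # a missing key is simply not written
            claims[key] = json.loads(ticket[key])  # invalid JSON raises
    consumed = {cfg.username_ticket_key, TICKET_ID_KEY} | REGISTERED_CLAIMS
    for key, value in ticket.items():
        if key not in consumed and key not in claims:
            claims[key] = value  # assumption: remaining fields become plain claims
    return claims
```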

    JWT Ticket HMAC Settings

    Description

    Configures an HMAC for JWTs.

    This plugin can be used for JWT signature creation and verification. An HMAC is valid if the same HMAC algorithm and HMAC key are used for creation and validation.

    Class
    com.airlock.iam.common.application.configuration.jwt.signature.JwtTicketHmacSettings
    May be used by
    Properties
    HMAC Algorithm (hmacAlgorithm)
    Description
    The HMAC algorithm. The configured secret must be long enough for the configured hash function (e.g. >= 512 bits for HS512).
    Attributes
    Enum
    Optional
    Default value
    HS512
    HMAC Key (Base64 Encoded) (hmacKey)
    Description

    The key for the HMAC function, encoded in base64.
    The minimal required length depends on the configured algorithm and must be at least 256 bits. Configuration validation will fail if the secret is too short.

    One can, for example, generate a random base64 string with 512 bits (64 bytes) using OpenSSL as follows: openssl rand -base64 64

    Attributes
    String
    Mandatory
    Sensitive
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.jwt.signature.JwtTicketHmacSettings
    id: JwtTicketHmacSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      hmacAlgorithm: HS512
      hmacKey:
    
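As an added example (not code from the Airlock IAM product or this reference), the following Python models the HMAC settings: the key length is validated per algorithm at configuration time, and the MAC is then created and verified with the algorithm pinned to the configuration rather than taken from the token header. HmacSettings, the helper functions and the two sample keys are constructed here.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict

# Per algorithm: hash function and minimum key length in bytes. The key must be at
# least as long as the hash output (RFC 7518 section 3.2), hence never under 256 bits.
HMAC_ALGORITHMS = {"HS256": (hashlib.sha256, 32),
                   "HS384": (hashlib.sha384, 48),
                   "HS512": (hashlib.sha512, 64)}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class HmacSettings:
    """Mirror of JwtTicketHmacSettings: the key length is checked when configured."""

    def __init__(self, hmac_algorithm: str = "HS512", hmac_key_base64: str = "") -> None:
        if hmac_algorithm not in HMAC_ALGORITHMS:
            raise ValueError(f"unsupported HMAC algorithm {hmac_algorithm}")
        self.algorithm = hmac_algorithm
        self.digest, min_bytes = HMAC_ALGORITHMS[hmac_algorithm]
        self.key = base64.b64decode(hmac_key_base64)
        if len(self.key) < min_bytes:
            raise ValueError(f"{hmac_algorithm} needs a key of at least {min_bytes * 8} bits, "
                             f"got {len(self.key) * 8}")

    def sign(self, claims: Dict[str, Any]) -> str:
        """Produce a compact JWS over the claims (what the encoder does once the claims are built)."""
        header = _b64url_encode(json.dumps({"alg": self.algorithm, "typ": "JWT"}).encode())
        payload = _b64url_encode(json.dumps(claims).encode())
        mac = hmac.new(self.key, f"{header}.{payload}".encode(), self.digest).digest()
        return f"{header}.{payload}.{_b64url_encode(mac)}"

    def verify(self, token: str) -> Dict[str, Any]:
        """Return the claims only if the MAC is valid for the configured algorithm and key."""
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("not a compact JWS")
        header_b64, payload_b64, mac_b64 = parts
        # The algorithm is pinned to the configuration; the token's own 'alg' header is
        # checked for consistency but never used to choose how the MAC is verified.
        if json.loads(_b64url_decode(header_b64)).get("alg") != self.algorithm:
            raise ValueError(f"token algorithm does not match configured {self.algorithm}")
        expected = hmac.new(self.key, f"{header_b64}.{payload_b64}".encode(), self.digest).digest()
        if not hmac.compare_digest(expected, _b64url_decode(mac_b64)):
            raise ValueError("MAC verification failed")
        return json.loads(_b64url_decode(payload_b64))


# Constructed keys for demonstration only (a real key comes from 'openssl rand -base64 64').
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()  # 512 bits
SHORT_KEY_B64 = base64.b64encode(bytes(range(16))).decode()   # 128 bits: rejected
```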

    JWT Ticket RSA Signer Settings

    Description

    Configures RSA based JWT signatures.

    This plugin can be used for JWT signature creation. An RSA based signature is created with a private key and must be validated with the corresponding public key.

    Class
    com.airlock.iam.common.application.configuration.jwt.signature.JwtTicketRsaSignerSettings
    May be used by
    Properties
    RSA Signature Algorithm (rsaSignatureAlgorithm)
    Description
    The algorithm used for signing. Signing requires an RSA private key, which will be obtained from the configured keystore using the configured properties (alias and password).
    Attributes
    Enum
    Optional
    Default value
    RS512
    Keystore Path (keystorePath)
    Description
    Keystore that holds the private key for JWT token signing.
    Attributes
    File/Path
    Mandatory
    Keystore Password (keystorePassword)
    Description
    Password for the keystore.
    Attributes
    String
    Optional
    Sensitive
    Private Key Alias (privateKeyAlias)
    Description
    Alias for the private key contained in the keystore that should be used for signing. This field can be omitted if the keystore only contains one RSA private key with the configured password.
    Attributes
    String
    Optional
    Private Key Password (privateKeyPassword)
    Description
    Password for the private key in the keystore.
    Attributes
    String
    Optional
    Sensitive
    Include KID (includeKid)
    Description
    If enabled, the KID of the public key used to sign a JWT is added to the JWT header. Consumers of the JWT can use the KID to identify the public key that verifies the signature.
    Attributes
    Boolean
    Optional
    Default value
    true
    Add x5t#S256 Header Parameter (addX5tS256HeaderParameter)
    Description
    Indicates whether the x5t#S256 header parameter containing a SHA-256 certificate thumbprint should be added to the JWT header.

    The 'Private Key Alias' is used to find the X.509 certificate in the keystore to compute the thumbprint for. I.e., it is assumed that the alias identifies a private key with the corresponding certificate. If no 'Private Key Alias' is configured, the keystore is assumed to contain exactly one certificate.

    Attributes
    Boolean
    Optional
    Default value
    false
    Add x5t Header Parameter (addX5tHeaderParameter)
    Description
    Indicates whether the x5t header parameter containing a SHA-1 certificate thumbprint should be added to the JWT header.

    The 'Private Key Alias' is used to find the X.509 certificate in the keystore to compute the thumbprint for. I.e., it is assumed that the alias identifies a private key with the corresponding certificate. If no 'Private Key Alias' is configured, the keystore is assumed to contain exactly one certificate.

    Security warning: SHA-1 fingerprints should no longer be used as SHA-1 is considered broken. We recommend the x5t#S256 thumbprint instead.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.jwt.signature.JwtTicketRsaSignerSettings
    id: JwtTicketRsaSignerSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      addX5tHeaderParameter: false
      addX5tS256HeaderParameter: false
      includeKid: true
      keystorePassword:
      keystorePath:
      privateKeyAlias:
      privateKeyPassword:
      rsaSignatureAlgorithm: RS512
    

    JWT Ticket RSA Verifier Settings

    Description

    Configures the RSA based JWT signature verifier.

    This plugin can be used for JWT signature verification. An RSA based signature is created with a private key and must be validated with the corresponding public key.

    Class
    com.airlock.iam.common.application.configuration.jwt.signature.JwtTicketRsaVerifierSettings
    May be used by
    Properties
    RSA Signature Algorithm (rsaSignatureAlgorithm)
    Description
    The algorithm used for signature verification. Signature verification requires an RSA certificate (public key), which will be obtained from the configured keystore using the configured alias.
    Attributes
    Enum
    Optional
    Default value
    RS512
    Keystore Path (keystorePath)
    Description
    Keystore that holds the certificate containing the public key for JWT signature verification. Alternatively, it can be a file containing a PEM encoded public key.
    Attributes
    File/Path
    Mandatory
    Keystore Password (keystorePassword)
    Description
    Password for the keystore.
    Attributes
    String
    Optional
    Sensitive
    X.509 Certificate Alias (x509CertificateAlias)
    Description
    Alias for the X.509 certificate contained in the keystore that should be used for signature verification. This field can be omitted if the keystore only contains one X.509 certificate with a public key.
    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.jwt.signature.JwtTicketRsaVerifierSettings
    id: JwtTicketRsaVerifierSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      keystorePassword:
      keystorePath:
      rsaSignatureAlgorithm: RS512
      x509CertificateAlias:
    

    JWT Token Exchange Rule

    Description

    Defines a JWT token that is being issued.

    The various claims of the issued token can be configured along with the issued token type and signature.

    Note that the iss claim cannot be configured explicitly and will instead automatically be set to the value of the issuer ID of the AS where the token exchange grant is configured. If no issuer ID is configured, the issued token will not contain an iss claim.

    Class
    com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtRuleConfig
    May be used by
    License-Tags
    OAuthTokenExchange
    Properties
    Condition (condition)
    Description
    Condition defining when this token may be issued.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Actor Token Validation (actorTokenValidation)
    Description

    Defines the validation of the actor token. If left empty, actor tokens are ignored.

    If the validation fails, this rule does not issue a token and is skipped.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Issued Token Type (issuedTokenType)
    Description
    Type of the issued token that will be reflected in the response's JSON attribute "issued_token_type".
    Attributes
    Enum
    Optional
    Default value
    JWT
    Token Validity Lifetime [s] (validityLifetime)
    Description

    Lifetime of the issued token.

    Security warning: This should be chosen as short as possible.

    Attributes
    Integer
    Optional
    Default value
    180
    Subject Claim (subjectClaim)
    Description

    Defines the "sub" claim of the issued token.

    If the evaluated value is not a String, or is empty or blank, the token exchange will fail.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Actor Claim (actorClaim)
    Description

    Defines the "act" claim of the issued token.

    If not defined, no "act" claim is added.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Client Id Claim (clientIdClaim)
    Description

    Defines the "client_id" claim of the issued token.

    If not defined, no "client_id" claim is added.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Scope Claim (scopeClaim)
    Description

    Defines the "scope" claim and token exchange "scope" response parameter.

    If no plugin is configured, the scope of the issued token will be empty.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Custom Claims (customClaims)
    Description
    Defines the custom claims. Beware that standard claims cannot be overwritten.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Signature (signature)
    Description

    The signature of the issued token.

    The signature verification data can be obtained from the JWKs Endpoint.

    Security Warning: The signature must be verified by the consumer of the JWT before the content is interpreted.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtRuleConfig
    id: OAuth2TokenExchangeJwtRuleConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      actorClaim:
      actorTokenValidation:
      audienceClaim:
      clientIdClaim:
      condition:
      customClaims:
      issuedTokenType: JWT
      scopeClaim:
      signature:
      subjectClaim:
      validityLifetime: 180
    

    Kannel SMS Gateway

    Description
    SMS gateway implementation for Kannel gateways. Uses Kannel's sendsms HTTP(S) interface to send SMS messages.
    Class
    com.airlock.iam.core.misc.impl.sms.KannelSmsGateway
    May be used by
    Properties
    Username (username)
    Description
    Username or account name used when calling Kannel's sendsms HTTP(S) interface.
    Attributes
    String
    Optional
    Example
    fmuster
    Password (password)
    Description
    Password associated with the given username.
    Attributes
    String
    Optional
    Sensitive
    Service URI (serviceUri)
    Description
    The URI of the Kannel sendsms HTTP(S) interface.
    See note in plugin description when using SSL.
    Attributes
    String
    Mandatory
    Example
    http://localhost:13010/cgi-bin/sendsms
    Proxy Host (proxyHost)
    Description
    The hostname of the HTTP proxy server (if any).
    Attributes
    String
    Optional
    Example
    proxy.company.com
    Proxy Port (proxyPort)
    Description
    The port of the HTTP proxy server (if any).
    Attributes
    Integer
    Optional
    Proxy Login User (proxyLoginUser)
    Description
    Username for the HTTP proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Proxy Login Password (proxyLoginPassword)
    Description
    Password for the HTTP proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Sensitive
    Allow Only Trusted Certs (allowOnlyTrustedCerts)
    Description

    Only allow connections to servers whose certificate is trusted. See documentation of property "Trust Store Path" for more information about what certificates are trusted.

    Security warning: Trusting all certificates allows connections to adversarial hosts. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Verify Server Hostname (verifyServerHostname)
    Description

    Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

    Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Trust Store Path (trustStorePath)
    Description

    Keystore file name containing trusted certificate issuers (and trusted certificates).

    If this property is not defined the following certificate issuers are trusted:

    • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
    • The list of issuers in a keystore referenced by the system property "javax.net.ssl.trustStore", if it is defined in instance.properties using iam.java.opts.

    If this property is defined then the following certificate issuers are trusted:

    • The list of issuers in the referenced truststore file and no others.

    This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

    Attributes
    File/Path
    Optional
    Trust Store Type (trustStoreType)
    Description
    Identifies the type of the keystore.
    Attributes
    String
    Optional
    Default value
    JKS
    Allowed values
    JKS, PKCS12
    Trust Store Password (trustStorePassword)
    Description
    The password used to verify the authenticity of the trust store.

    Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

    • JKS: the keystore can be opened and used but the integrity of the keystore is not checked.
    • PKCS12: an error occurs.

    Attributes
    String
    Optional
    Sensitive
    Connection/Read Timeout [s] (connectTimeout)
    Description
    The timeout in seconds used for connection timeout and read timeout.
    Therefore, a connection may take a maximum of twice this time until it is aborted.
    Attributes
    Integer
    Optional
    Default value
    10
    Correlation ID Header Name (correlationIdHeaderName)
    Description

    When configured, every request sent contains a correlation ID header with the configured name. If no name or an empty name is configured, no correlation ID header is sent.

    The header is also omitted if no correlation ID is defined for the request.

    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9_-]+
    Suggested values
    X-Correlation-ID
    Visible Phone Number Digits In Log (visiblePhoneNumberDigitsInLog)
    Description

    Defines the number of phone number digits visible in log statements.

    If the value is zero, all digits are masked; if it is at least the length of the number, all digits are visible. If set to 3, for example, the logged number looks like ********965.

    The default is 100, i.e. showing all digits.

    Attributes
    Integer
    Optional
    Default value
    100
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sms.KannelSmsGateway
    id: KannelSmsGateway-xxxxxx
    displayName: 
    comment: 
    properties:
      allowOnlyTrustedCerts: true
      connectTimeout: 10
      correlationIdHeaderName:
      password:
      proxyHost:
      proxyLoginPassword:
      proxyLoginUser:
      proxyPort:
      serviceUri:
      trustStorePassword:
      trustStorePath:
      trustStoreType: JKS
      username:
      verifyServerHostname: true
      visiblePhoneNumberDigitsInLog: 100
    

    Keep Roles

    Description
    Keep only matching roles (whitelist) in the list of propagated roles.
    Class
    com.airlock.iam.common.application.configuration.role.KeepRoleTransformationConfig
    May be used by
    Properties
    Keep only roles matching (patterns)
    Description
    A list of regular expressions. Only roles in the list of propagated roles matching any of the regular expressions will be kept.
    Attributes
    RegEx-List
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.role.KeepRoleTransformationConfig
    id: KeepRoleTransformationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      patterns:
    

    Kerberos Authentication Step

    Description

    Performs a Kerberos SPNEGO authentication handshake.

    If the client does not support Kerberos, the step fails with error code KERBEROS_AUTHENTICATION_NOT_POSSIBLE. Use On Failure Gotos on this error code (and possibly also on KERBEROS_TICKET_VERIFICATION_FAILED) to switch to an alternative authentication method.

    Class
    com.airlock.iam.authentication.application.configuration.kerberos.KerberosAuthStepConfig
    May be used by
    Properties
    Keytab File (keytabFile)
    Description
    The path of the Kerberos keytab file to be used for Kerberos SPNEGO identity assertion.
    Attributes
    File/Path
    Mandatory
    Service Principal (servicePrincipal)
    Description
    The Kerberos Service Principal Name (SPN) associated with Airlock IAM. It is usually in the form HTTP/<FQDN> or * to allow all SPNs present in the keytab file.
    Optionally, the realm can be specified if there's no default realm in the Kerberos configuration file or if the SPN is associated with a different realm/domain.
    Attributes
    String
    Mandatory
    Example
    HTTP/login.ergon.ch
    Example
    HTTP/login.ergon.ch@REALM
    Example
    *
    Strip Domain From Username (stripDomainFromUsername)
    Description
    Strip the domain name part from the resulting username.
    Attributes
    Boolean
    Optional
    Default value
    true
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    KERBEROS
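    The counter interaction described above, as an added simulation that is not part of the Airlock IAM documentation or product code: failed-attempt counters are keyed by (user, authentication method ID), a successful login resets the counter for that ID, and the lockout threshold of 5 as well as the step names and password values are constructed assumptions. Comparing a shared ID with distinct IDs shows that only distinct IDs keep the number of tolerated wrong guesses on flow B bounded.

```python
"""Simulation of per-method 'failed attempts' counters (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold, not a documented default


@dataclass
class FailedAttemptCounters:
    """Counters keyed by (username, authentication method ID)."""
    counts: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def is_locked(self, user: str, method_id: str) -> bool:
        return self.counts.get((user, method_id), 0) >= MAX_FAILED_ATTEMPTS

    def record_failure(self, user: str, method_id: str) -> None:
        self.counts[(user, method_id)] = self.counts.get((user, method_id), 0) + 1

    def record_success(self, user: str, method_id: str) -> None:
        # A successful login resets the counter of its own method ID only.
        self.counts[(user, method_id)] = 0


@dataclass
class PasswordStep:
    """Minimal stand-in for a password step; a real step compares a stored hash."""
    method_id: str
    expected_password: str  # constructed secret for the simulation

    def authenticate(self, counters: FailedAttemptCounters, user: str, password: str) -> str:
        if counters.is_locked(user, self.method_id):
            return "LOCKED"
        if password == self.expected_password:
            counters.record_success(user, self.method_id)
            return "OK"
        counters.record_failure(user, self.method_id)
        return "FAILED"


def guesses_allowed_on_flow_b(method_id_a: str, method_id_b: str, rounds: int = 3) -> int:
    """Count the wrong guesses flow B accepts while flow A is completed
    successfully before each batch of guesses.

    Each round: one successful login on flow A (password 1 is known), then
    MAX_FAILED_ATTEMPTS - 1 wrong guesses on flow B. With a shared method ID
    the flow A success resets the counter that flow B increments, so the total
    grows with the number of rounds; with distinct IDs flow B locks after
    MAX_FAILED_ATTEMPTS failures regardless of how often flow A succeeds.
    """
    counters = FailedAttemptCounters()
    step_a = PasswordStep(method_id_a, "known-password-1")
    step_b = PasswordStep(method_id_b, "unknown-password-2")
    user = "alice"  # constructed user
    accepted = 0
    for _ in range(rounds):
        if step_a.authenticate(counters, user, "known-password-1") != "OK":
            raise RuntimeError("flow A unexpectedly locked")
        for i in range(MAX_FAILED_ATTEMPTS - 1):
            if step_b.authenticate(counters, user, f"wrong-{i}") == "LOCKED":
                return accepted
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("shared ID   :", guesses_allowed_on_flow_b("PASSWORD", "PASSWORD"))    # 12
    print("distinct IDs:", guesses_allowed_on_flow_b("PASSWORD1", "PASSWORD2"))  # 5
```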
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.kerberos.KerberosAuthStepConfig
    id: KerberosAuthStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: KERBEROS
      customFailureResponseAttributes:
      customResponseAttributes:
      keytabFile:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      servicePrincipal:
      skipCondition:
      stepId:
      stripDomainFromUsername: true
      tagsOnSuccess:
    

    Kerberos Identity Propagator (requires Airlock Gateway)

    Description
    Propagates user information using back-side Kerberos with Airlock WAF.

    This propagator only works together with Airlock Gateway (WAF) 6.0 or later. It uses the Gateway's control API to propagate username and domain.

    Class
    com.airlock.iam.core.misc.impl.sso.KerberosIdentityPropagator
    May be used by
    Properties
    Kerberos Users (kerberosUsers)
    Description

    Defines the Kerberos users, each consisting of the username, the Windows domain and the Airlock Gateway (WAF) mapping name. Multiple Kerberos user definitions can be sent to the Airlock Gateway if a mapping is specified for each user definition.

    For each entry, the Kerberos username can be determined from context data and transformed using various transformation plugins.
    The mapping and the domain can be specified in the configuration; the mapping is mandatory if multiple user definitions are configured.

    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Control Cookie Name (controlCookieName)
    Description
    The name of the Airlock control cookie. The name must match the control cookie name defined in the Airlock server.
    Attributes
    String
    Optional
    Default value
    AL_CONTROL
    Suggested values
    AL_CONTROL
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.KerberosIdentityPropagator
    id: KerberosIdentityPropagator-xxxxxx
    displayName: 
    comment: 
    properties:
      controlCookieName: AL_CONTROL
      kerberosUsers:
    

    Kerberos SPNEGO Error Mapper

    Description

    ErrorMapper that initiates Kerberos SPNEGO authentication when the client does not send a credential or the credential is not valid.

    This plugin is designed to be used with "Kerberos SPNEGO Extractor".

    Class
    com.airlock.iam.login.app.misc.oneshot.impl.KerberosSpnegoErrorMapperFactory
    May be used by
    License-Tags
    KerberosAuth
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.KerberosSpnegoErrorMapperFactory
    id: KerberosSpnegoErrorMapperFactory-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Kerberos SPNEGO Extractor

    Description
    Extracts the username from the Kerberos SPNEGO header.
    Class
    com.airlock.iam.login.app.misc.oneshot.impl.KerberosSpnegoCredentialExtractorFactory
    May be used by
    License-Tags
    KerberosAuth
    Properties
    Kerberos Config (kerberosConfig)
    Description
    The Kerberos SPNEGO settings to use.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    KerberosAuth
    Assignable plugins
    Username Transformers (usernameTransformers)
    Description
    Username transformers may transform the username to log in using different user ids.
    For further details please refer to the documentation of the username transformer plugins.
    Attributes
    Plugin-List
    Optional
    License-Tags
    KerberosAuth
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.KerberosSpnegoCredentialExtractorFactory
    id: KerberosSpnegoCredentialExtractorFactory-xxxxxx
    displayName: 
    comment: 
    properties:
      kerberosConfig:
      usernameTransformers:
    

    Kerberos User Definition

    Description
    Defines the user to be propagated to the back-end server with the Airlock Gateway (WAF) Back-side Kerberos SSO. Windows domain and mapping are optional if only one Kerberos User Spec is configured. If multiple Kerberos User Specs are configured, the mapping must be specified.
    Class
    com.airlock.iam.core.misc.impl.sso.KerberosUserSpec
    May be used by
    Properties
    Username Attribute (usernameAttribute)
    Description

    Defines the username to be propagated as Kerberos user.

    By default the username from the login form is used ("@username"). Keep in mind that username transformation configured in the target application may have taken place.

    Use the prefix "STATIC:" to indicate that what follows is the statically configured username to be used for all users.

    Any other value from the context data container may be referred to using its key (for example: "userPrincipalName" or "sAMAccountname"). Make sure that the referenced context data attribute is read by the used user store or user persister plugin.

    Attributes
    String
    Optional
    Default value
    @username
    Windows Domain (windowsDomain)
    Description
    Specifies the Windows Domain the user belongs to. If no Windows Domain is defined, the Airlock Gateway (WAF) tries to use this user for all configured Windows Domains.
    The domain name must not contain the backslash ("\") character.
    Attributes
    String
    Optional
    Example
    airlock.intra
    Mapping Name (mappingName)
    Description
    If specified, the Kerberos user is only used for the corresponding mapping. The mapping must be specified if multiple Kerberos User Specs are configured.
    Valid characters are letters, digits and the special characters '.', ':', '-' and '_'.
    Attributes
    String
    Optional
    Example
    cms
    Example
    owa
    Username Transformation (usernameTransformation)
    Description
    List of transformation plugins that allow various mutations of the username before it is used as Kerberos user. The transformations are applied in order. Note that some username transformers stop the transformation chain after successful application.

    Note: The target application configuration allows username transformation to be performed as well.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.KerberosUserSpec
    id: KerberosUserSpec-xxxxxx
    displayName: 
    comment: 
    properties:
      mappingName:
      usernameAttribute: @username
      usernameTransformation:
      windowsDomain:
    

    Kerberos/SPNEGO Config For One-Shot

    Description
    Configures the Kerberos settings for One-Shot authentication via SPNEGO.
    Class
    com.airlock.iam.login.app.misc.configuration.KerberosConfig
    May be used by
    License-Tags
    KerberosAuth
    Properties
    Keytab File (keytabFile)
    Description
    The path of the Kerberos keytab file that should be used for Kerberos SPNEGO identity assertion.
    Attributes
    File/Path
    Mandatory
    License-Tags
    KerberosAuth
    Service Principal (servicePrincipal)
    Description
    The Kerberos Service Principal Name (SPN) associated with Airlock IAM. It is usually in the form HTTP/<FQDN> or * to allow all SPNs present in the keytab file.
    Optionally, the realm can be specified if there's no default realm in the kerberos configuration file or if the SPN is associated with a different realm/domain (see example values).
    Attributes
    String
    Mandatory
    License-Tags
    KerberosAuth
    Example
    HTTP/login.ergon.ch
    Example
    HTTP/login.ergon.ch@REALM
    Example
    *
    Enable Debugging (enableDebugging)
    Description
    Enable/Disable Kerberos debug logs.
    Attributes
    Boolean
    Optional
    License-Tags
    KerberosAuth
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.KerberosConfig
    id: KerberosConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      enableDebugging: false
      keytabFile:
      servicePrincipal:
    

    Key Entry

    Description
    A key entry maps a ticket key to an authentee context data key.
    Class
    com.airlock.iam.core.misc.sso.KeyEntry
    May be used by
    License-Tags
    SSOTickets
    Properties
    Ticket Key (ticketKey)
    Description
    The ticket key to be mapped. If the ticket under consideration contains this key, the associated (key,value) pair is copied to the authentee's context data container.
    Attributes
    String
    Mandatory
    License-Tags
    SSOTickets
    Context Data Key (contextDataKey)
    Description
    The key to be used in the authentee's context data. If a context data key is specified, that key is used in the authentee's context data and otherwise the ticket key is used. If the key already exists in the authentee's context data, the value will be overwritten.
    Attributes
    String
    Optional
    License-Tags
    SSOTickets
    Store First Value Only (storeFirstValueOnly)
    Description
    If set to true, then the String KeyMultiValue.getValues()[0] of the ticket is written to the authentee's context data. If set to false, then all the values are written to the authentee's context data as a List of String objects.
    Attributes
    Boolean
    Optional
    License-Tags
    SSOTickets
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.sso.KeyEntry
    id: KeyEntry-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataKey:
      storeFirstValueOnly: true
      ticketKey:
    
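    An added illustration of the Key Entry semantics above, not the product's own code: the ticket, the entries and the pre-existing context data are constructed, and an empty value list in the ticket is skipped, which is an assumption the page does not state.

```python
"""Apply a list of Key Entry mappings from an SSO ticket to context data (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class KeyEntry:
    ticket_key: str
    context_data_key: Optional[str] = None   # None: the ticket key is reused
    store_first_value_only: bool = True      # documented default


def apply_key_entries(ticket: Dict[str, List[str]],
                      entries: List[KeyEntry],
                      context_data: Dict[str, Union[str, List[str]]]) -> Dict[str, Union[str, List[str]]]:
    """Copy the (key, value) pairs selected by the entries into context_data.

    The dictionary is modified in place and returned. Entries whose ticket key
    is absent from the ticket are ignored; existing context data values under
    the target key are overwritten.
    """
    for entry in entries:
        if entry.ticket_key not in ticket:
            continue  # ticket does not contain this key: nothing to copy
        values = ticket[entry.ticket_key]
        if not values:
            continue  # assumption: an empty multi-value is treated as absent
        target = entry.context_data_key or entry.ticket_key
        if entry.store_first_value_only:
            context_data[target] = values[0]       # KeyMultiValue.getValues()[0]
        else:
            context_data[target] = list(values)    # all values as a list of strings
    return context_data


if __name__ == "__main__":
    # Constructed ticket content and mapping configuration.
    sample_ticket = {"roles": ["admin", "audit"], "mail": ["alice@example.test"], "empty": []}
    sample_entries = [
        KeyEntry("roles", "userRoles", store_first_value_only=False),
        KeyEntry("mail"),                 # context data key falls back to "mail"
        KeyEntry("dept", "department"),   # not in the ticket: ignored
        KeyEntry("empty"),                # empty value list: skipped
    ]
    print(apply_key_entries(sample_ticket, sample_entries, {"mail": "stale"}))
```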

    Key Value Pair

    Description
    A key value pair.
    Class
    com.airlock.iam.core.misc.util.KeyValuePair
    May be used by
    Properties
    Key (key)
    Description
    The key of the key value pair.
    Attributes
    String
    Mandatory
    Example
    name
    Value (value)
    Description
    The value of the key value pair.
    Attributes
    String
    Mandatory
    Example
    value
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.KeyValuePair
    id: KeyValuePair-xxxxxx
    displayName: 
    comment: 
    properties:
      key:
      value:
    

    Language Query Parameter Appender

    Description
    Appends the user's current language as a query parameter to the target URI.
    Class
    com.airlock.iam.login.application.configuration.location.transform.LanguageQueryParameterAppenderConfig
    May be used by
    Properties
    Parameter Name (parameterName)
    Description
    The name of the query parameter.
    Attributes
    String
    Optional
    Default value
    lang
    Example
    lang
    Append Country (appendCountry)
    Description

    Whether to specify the country in the language query parameter.

    If this option is enabled, the two-letter country tag will be appended to the language query parameter when available (e.g. "en_US", "fr_CA", "de_CH"). If this option is enabled but no country is defined, the language parameter will only include the language code (e.g. "en", "fr", "de").

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.location.transform.LanguageQueryParameterAppenderConfig
    id: LanguageQueryParameterAppenderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      appendCountry: false
      parameterName: lang
    

    Language Settings

    Description
    Configures language settings of the Loginapp.
    Class
    com.airlock.iam.common.application.configuration.language.LanguageSettings
    May be used by
    Properties
    Valid Languages (validLanguages)
    Description
    A list of values that are accepted as language parameter values. Corresponding Locales must be available. If the requested language is not in the list, the default language is used. The values in the list are not case-sensitive.
    Attributes
    String-List
    Optional
    Default value
    [de, fr, it, en]
    Default Language (defaultLanguage)
    Description
    The default language code used when no or invalid information about the current language is present. A corresponding Locale must be available. The default language must be included in the valid languages.
    Attributes
    String
    Optional
    Default value
    en
    Suggested values
    de, fr, it, en, es
    Resources File Prefix (resourcesFilePrefix)
    Description

    Language dependent text resources used server-side, e.g., for email, SMS, or push messages, are loaded from property files.
    This property configures the prefix of these property files.

    Example: If the value of this property is "strings", the language dependent files must be "strings_de.properties", "strings_en.properties" and so on and the default file must be "strings.properties".

    Note that text elements used in the Loginapp's web frontend are adapted using the Loginapp Design Kit. Please consult the Loginapp Design Kit documentation for further information.

    Attributes
    String
    Optional
    Default value
    strings
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.language.LanguageSettings
    id: LanguageSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultLanguage: en
      resourcesFilePrefix: strings
      validLanguages: [de, fr, it, en]
    

    Language Specific Template

    Description
    Language specific template.
    Class
    com.airlock.iam.core.misc.renderer.LanguageSpecificTemplate
    May be used by
    Properties
    Language (language)
    Description
    The two-letter ISO language code.
    Attributes
    String
    Mandatory
    Length <= 2
    Length >= 2
    Suggested values
    de, fr, it, en
    Template (template)
    Description
    The file name of the template definition for the specified language.
    Attributes
    File/Path
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.renderer.LanguageSpecificTemplate
    id: LanguageSpecificTemplate-xxxxxx
    displayName: 
    comment: 
    properties:
      language:
      template:
    

    Language Specific Text

    Description
    Language specific text.
    Class
    com.airlock.iam.core.misc.renderer.LanguageSpecificText
    May be used by
    Properties
    Language (language)
    Description
    The two-letter ISO language code.
    Attributes
    String
    Mandatory
    Length <= 2
    Length >= 2
    Suggested values
    de, fr, it, en
    Text (text)
    Description
    The text string for the specified language.
    Attributes
    String
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.renderer.LanguageSpecificText
    id: LanguageSpecificText-xxxxxx
    displayName: 
    comment: 
    properties:
      language:
      text:
    

    Last Selection Consistency User Change Listener

    Description
    A listener that reacts to change events on users and keeps the last selections in a consistent state. Actions:
    • on user deletion: deletes all associated last selections.
    • on user name change: updates the user reference for all last selections.
    Class
    com.airlock.iam.login.misc.infrastructure.LastSelectionConsistencyUserChangeListener
    May be used by
    Properties
    Last Selection Repository (lastSelectionRepository)
    Description
    Settings for the last selection repository.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.misc.infrastructure.LastSelectionConsistencyUserChangeListener
    id: LastSelectionConsistencyUserChangeListener-xxxxxx
    displayName: 
    comment: 
    properties:
      lastSelectionRepository:
    

    Last Selection Repository Config

    Description
    Repository that remembers the last selection the user made. There is only one last selection per step, user and tenant. If there are multiple selection steps with different step IDs, a user can have multiple last selections.
    Class
    com.airlock.iam.flow.shared.application.configuration.selection.LastSelectionRepositoryConfig
    May be used by
    Properties
    SQL Data Source (sqlDataSource)
    Description
    Defines how connections to the database are obtained.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Log Queries (logQueries)
    Description

    If enabled, all SQL queries executed on this repository will be written to the module's corresponding log file. This is only effective if the log level is set to at least INFO.

    Warning: query values (including potentially sensitive data) will be logged as well.

    Attributes
    Boolean
    Optional
    Default value
    false
    Tenant ID (tenantId)
    Description
    The value which is added to user consents to distinguish between different tenants. The value is also used when retrieving user consents from the persistence.
    If no value is configured, then 'no_tenant' is used as value on the database.
    Attributes
    String
    Optional
    Length <= 50
    Validation RegEx: (?!no_tenant$).*
    Example
    customerA
    Example
    customerB
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.selection.LastSelectionRepositoryConfig
    id: LastSelectionRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      logQueries: false
      sqlDataSource:
      tenantId:
    

    Latest Authentication Feedback Processor

    Description
    This processor adds information on the latest authentication attempt of the identified user to the step result. The information is not added if the flow fails.
    Class
    com.airlock.iam.authentication.application.configuration.processor.LatestAuthenticationFeedbackProcessorConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.processor.LatestAuthenticationFeedbackProcessorConfig
    id: LatestAuthenticationFeedbackProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Latest Login Attempt Date Range Filter

    Description
    Filter for latest successful login within a specified date range.
    Class
    com.airlock.iam.admin.application.configuration.usersearch.filter.LatestLoginAttemptDateRangeFilter
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.usersearch.filter.LatestLoginAttemptDateRangeFilter
    id: LatestLoginAttemptDateRangeFilter-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Latest Successful Login Date Range Filter

    Description
    Filter for latest successful login within a specified date range.
    Class
    com.airlock.iam.admin.application.configuration.usersearch.filter.LatestSuccessfulLoginDateRangeFilter
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.usersearch.filter.LatestSuccessfulLoginDateRangeFilter
    id: LatestSuccessfulLoginDateRangeFilter-xxxxxx
    displayName: 
    comment: 
    properties:
    

    LDAP Connection Pool

    Description
    LDAP server connection pool supporting failover with multiple servers and secure connections using LDAP over SSL or the START_TLS extended operation.

    The plugin makes use of the UnboundID LDAP SDK.

    Note: If several plugins share the same main connection settings (server addresses with ports, bind DN, SSL settings) they also share one single connection pool.

    Connection Pooling

    This plugin manages a pool of open connections to the LDAP server. To perform an operation a connection is checked out of the pool, then used for the operation and afterward checked into the pool of available connections again.

    There are several configuration properties that influence how these connections are managed and how connection errors are handled.

    To debug the LDAP connections set the following Java system properties:

    • com.unboundid.ldap.sdk.debug.enabled=true - If set to true, LDAP debugging is enabled.
    • com.unboundid.ldap.sdk.debug.type=asn1,connect,exception,ldap,ldif,monitor,coding-error,other - If set, only the given categories will be logged.
    • com.unboundid.ldap.sdk.debug.includeStackTrace=true - If set to true, a stack trace will be included with every log message.
    • com.unboundid.ldap.sdk.debug.level=ALL - If set, only messages with a level higher than specified (like ALL, FINE, INFO, WARNING, ...) will be written.
    • javax.net.debug=all - Set this property to diagnose SSL related issues.
    Class
    com.airlock.iam.core.misc.util.ldap.LdapConnectionPool
    May be used by
    Properties
    Servers With Ports (serversWithPorts)
    Description
    List of server names with ports in the form server-name:port. If no port number is specified, the default port 389 (or 636 if using SSL) is assumed.
    Attributes
    String-List
    Mandatory
    Server Selection Policy (serverSelectionPolicy)
    Description
    Which policy to use if more than one server is configured, one of FAILOVER or ROUND_ROBIN.
    • FAILOVER: Always try to get a connection from the first server; if that fails, from the second, and so on.
    • ROUND_ROBIN: Cycle through the configured servers to get connections.
    Attributes
    Enum
    Optional
    Default value
    FAILOVER
    Service Account Username (bindDn)
    Description
    The bind DN (distinguished name) to bind to the LDAP server.
    Attributes
    String
    Optional
    Example
    CN=MedusaUser,CN=users,dc=exchangeserver,dc=company,dc=com
    Service Account Password (password)
    Description
    The password to bind to the LDAP server for searching and modifying users.
    Attributes
    String
    Optional
    Sensitive
    Anonymous Bind (anonymousBind)
    Description
    Enable this property to allow anonymous binds. An anonymous bind allows users to connect to the Directory Server without supplying any username or password. This simplifies common search and read operations, like checking the directory for a phone number or email address, by not requiring users to authenticate to the directory first. However, there are risks with anonymous binds. If no authentication is enforced, sensitive data like user data might be accessible for unauthenticated or unauthorized users because the access to the Directory Server is not protected. Only set this property to true if it is absolutely necessary and you are aware of the resulting security implications.
    Attributes
    Boolean
    Optional
    Default value
    false
    Connection Security (connectionSecurity)
    Description

    The type of connection security, one of NONE, START_TLS or SSL.

    Notice: Most directories will refuse to perform a password change operation if the connection is not secured using SSL/TLS.

    Notice: Microsoft disabled support for Server certificates using MD5 with KB2862973 (mandatory update in early 2014). Using any server certificate with an MD5 signature in its entire chain will result in a connection error. The same error will be raised when using a certificate using SHA-512 without having KB2973337 installed.

    Attributes
    Enum
    Optional
    Default value
    NONE
    Keystore File (keystoreFile)
    Description
    The file name of the Java keystore used for SSL operations. It must contain the private key for client authentication. This is only used if SSL is enabled.
    Note: If the keystore file name is relative, it is loaded relative to the current directory of the JVM process.
    Attributes
    File/Path
    Optional
    Keystore Password (keystorePassword)
    Description
    The password used to read the keystore and also the private key. This is only used if SSL is enabled.
    Attributes
    String
    Optional
    Sensitive
    Key Alias (keyAlias)
    Description
    The alias of the private key for SSL client authentication. This is only used if SSL is enabled and if the server enforces SSL client authentication. If only the server certificate should be checked, please leave this property empty.
    Attributes
    String
    Optional
    Example
    airlock
    Truststore File (truststoreFile)
    Description
    The file name of the Java truststore used for SSL operations. It must contain the trusted server CA certs. This is only used if SSL is enabled.
    Note: If the file name is relative, it is loaded relative to the current directory of the JVM process.
    Attributes
    File/Path
    Optional
    Truststore Password (truststorePassword)
    Description
    The password used to read the truststore. Can be left empty if the truststore does not require any password. This is only used if SSL is enabled.
    Attributes
    String
    Optional
    Sensitive
    Check Certificate Server Name (checkCertificateServerName)
    Description
    Tells if the server name should be checked against the name in the certificate.
    Attributes
    Boolean
    Optional
    Default value
    true
    Check Certificate Validity (checkCertificateValidity)
    Description
    Tells if the server certificate validity dates should be respected.
    Attributes
    Boolean
    Optional
    Default value
    true
    Trust All Server Certificates (trustAllServerCertificates)
    Description
    Tells if all server certificates should be trusted. Note: Only enable this flag for testing.
    Attributes
    Boolean
    Optional
    Default value
    false
    Use Synchronous Mode (useSynchronousMode)
    Description
    Specifies whether to operate in synchronous mode, in which at most one operation may be in progress at any time on a given connection.
    Attributes
    Boolean
    Optional
    Default value
    true
    Follow Referrals (followReferrals)
    Description
    Tells if automatic referral following should be enabled.
    Attributes
    Boolean
    Optional
    Default value
    false
    Connection Timeout [ms] (connectTimeoutInMs)
    Description
    How long to wait for a connection to be established.
    Attributes
    Integer
    Optional
    Default value
    2000
    Response Timeout [ms] (responseTimeoutInMs)
    Description
    How long to wait for the server response on a protocol level.
    This timeout may be reached if the connection has been dropped by a firewall without actively terminating the connection or when a query requires a lot of time on the server.
    Attributes
    Integer
    Optional
    Default value
    20000
    Initial Connections (initialConnections)
    Description
    How many connections should be opened initially.
    Attributes
    Integer
    Optional
    Default value
    10
    Maximum Connections (maximumConnections)
    Description
    Maximum number of open connections.
    Attributes
    Integer
    Optional
    Default value
    100
    Create New Connections If Necessary (createNewConnectionsIfNecessary)
    Description
    When a connection is requested but the pool has used up all free connections, it first waits for up to "Max Wait Time In Ms" for a connection to become available. If still no connection is available and this setting is enabled, a new connection is created; otherwise an exception is thrown.
    Attributes
    Boolean
    Optional
    Default value
    false
    Max Wait Time For Connection [ms] (maxWaitTimeInMs)
    Description
    Maximum time to wait until an existing, valid connection can be obtained from the pool. After that, either a new one is created (if "Create New Connections If Necessary" is enabled) or else an exception is thrown. Specify 0 to indicate not to wait at all in case of no available connection.
    Attributes
    Long
    Optional
    Default value
    5000
    Max Connection Age [ms] (maxConnectionAgeInMs)
    Description
    Maximum age of held open LDAP connections in milliseconds. Any connection older than this will not be reused. Set to 0 for no limit if the LDAP server (and any firewalls in between) support this. If set to unlimited, it is recommended to enable the background health check.
    Attributes
    Long
    Optional
    Default value
    3600000
    Try Synchronous Read During Health Check (trySynchronousReadDuringHealthCheck)
    Description
    Specifies whether health check processing for connections operating in synchronous mode should include attempting to perform a read from each connection with a very short timeout.
    Attributes
    Boolean
    Optional
    Default value
    false
    Health Check Response Timeout [ms] (healthCheckResponseTimeoutInMs)
    Description
    How long to wait for the server response when doing a connection health check.
    Attributes
    Long
    Optional
    Default value
    30000
    Retry Upon Invalid Connection Error (retryUponInvalidConnectionError)
    Description
    If an operation fails because the current connection is invalid, checkout a new connection from the pool and try again.
    Attributes
    Boolean
    Optional
    Default value
    true
    Enable Health Check On Checkout (enableHealthCheckOnCheckout)
    Description
    Perform a health check query every time before actually using an open connection.
    Attributes
    Boolean
    Optional
    Default value
    true
    Enable Health Check In Background (enableHealthCheckInBackground)
    Description
    Perform a health check query in the background for all held connections at the configured interval. Note: by setting this property to false, socket level connection health checking is still being performed.
    Attributes
    Boolean
    Optional
    Default value
    true
    Enable Health Check On Exception (enableHealthCheckOnException)
    Description
    Perform a health check query after an LDAP exception occurred on an LDAP connection.
    Attributes
    Boolean
    Optional
    Default value
    false
    Enable Health Check On Create (enableHealthCheckOnCreate)
    Description
    Perform a health check query when creating a new LDAP connection.
    Attributes
    Boolean
    Optional
    Default value
    false
    Enable Health Check On Release (enableHealthCheckOnRelease)
    Description
    Perform a health check query when putting an open LDAP connection back to the pool.
    Attributes
    Boolean
    Optional
    Default value
    false
    Background Health Check Interval [ms] (backgroundHealthCheckIntervalInMs)
    Description
    Interval in milliseconds between performing the configured LDAP connection health checks on open LDAP connections held by the pool. Note: socket level health checking cannot be disabled.
    Attributes
    Long
    Optional
    Default value
    60000
    Health Check Query Dn (healthCheckQueryDn)
    Description
    DN that should be queried in an LDAP health check query. If empty, the root DSE is queried.
    Attributes
    String
    Optional
    Use Schema (useSchema)
    Description
    Specifies whether to try to use schema information when reading data from the server (e.g., to select the appropriate matching rules for the attributes included in a search result entry).
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.ldap.LdapConnectionPool
    id: LdapConnectionPool-xxxxxx
    displayName: 
    comment: 
    properties:
      anonymousBind: false
      backgroundHealthCheckIntervalInMs: 60000
      bindDn:
      checkCertificateServerName: true
      checkCertificateValidity: true
      connectTimeoutInMs: 2000
      connectionSecurity: NONE
      createNewConnectionsIfNecessary: false
      enableHealthCheckInBackground: true
      enableHealthCheckOnCheckout: true
      enableHealthCheckOnCreate: false
      enableHealthCheckOnException: false
      enableHealthCheckOnRelease: false
      followReferrals: false
      healthCheckQueryDn:
      healthCheckResponseTimeoutInMs: 30000
      initialConnections: 10
      keyAlias:
      keystoreFile:
      keystorePassword:
      maxConnectionAgeInMs: 3600000
      maxWaitTimeInMs: 5000
      maximumConnections: 100
      password:
      responseTimeoutInMs: 20000
      retryUponInvalidConnectionError: true
      serverSelectionPolicy: FAILOVER
      serversWithPorts:
      trustAllServerCertificates: false
      truststoreFile:
      truststorePassword:
      trySynchronousReadDuringHealthCheck: false
      useSchema: false
      useSynchronousMode: true
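
The checkout rules spread over "Create New Connections If Necessary", "Max Wait Time For Connection", "Max Connection Age" and "Retry Upon Invalid Connection Error" interact, so here is a small Python model of them. This is an added example and not Airlock IAM code: it models only those four rules with the documented default values, uses an injectable clock so the age rule can be checked deterministically, and the class and exception names (PoolModel, NoConnectionAvailable, InvalidConnectionError) are invented for the illustration.

```python
import threading
import time
from dataclasses import dataclass


@dataclass
class PoolSettings:
    """Subset of the LDAP Connection Pool properties; values are the documented defaults."""
    maximum_connections: int = 100
    max_wait_time_ms: int = 5000                 # maxWaitTimeInMs, 0 = do not wait at all
    create_new_connections_if_necessary: bool = False
    max_connection_age_ms: int = 3600000         # maxConnectionAgeInMs, 0 = no limit
    retry_upon_invalid_connection_error: bool = True


@dataclass(eq=False)   # identity-based equality so connections can live in a set
class Conn:
    ident: int
    created_at: float  # seconds on the pool clock
    valid: bool = True


class NoConnectionAvailable(Exception):
    """Raised when the wait expires and creating a new connection is not allowed."""


class InvalidConnectionError(Exception):
    """Stand-in for an LDAP operation failing because its connection went bad."""


class PoolModel:
    """Toy model of the checkout/release/retry rules (assumed behaviour, not IAM code)."""

    def __init__(self, settings: PoolSettings, clock=time.monotonic):
        self.s = settings
        self.clock = clock              # injectable so the age rule is testable
        self._cv = threading.Condition()
        self._idle: list[Conn] = []
        self._in_use: set[Conn] = set()
        self.created = 0                # number of connections opened so far

    def _new_conn(self) -> Conn:
        self.created += 1
        return Conn(self.created, self.clock())

    def _stale(self, conn: Conn) -> bool:
        if self.s.max_connection_age_ms == 0:
            return False
        return (self.clock() - conn.created_at) * 1000 >= self.s.max_connection_age_ms

    def checkout(self) -> Conn:
        with self._cv:
            # Connections older than Max Connection Age are never reused.
            self._idle = [c for c in self._idle if not self._stale(c)]
            if not self._idle and len(self._in_use) < self.s.maximum_connections:
                conn = self._new_conn()
            else:
                # Pool exhausted: wait up to Max Wait Time for a release.
                deadline = time.monotonic() + self.s.max_wait_time_ms / 1000
                while not self._idle:
                    remaining = deadline - time.monotonic()
                    if remaining <= 0:
                        break
                    self._cv.wait(remaining)
                if self._idle:
                    conn = self._idle.pop()
                elif self.s.create_new_connections_if_necessary:
                    conn = self._new_conn()   # allowed to exceed Maximum Connections
                else:
                    raise NoConnectionAvailable("no connection within max wait time")
            self._in_use.add(conn)
            return conn

    def release(self, conn: Conn) -> None:
        with self._cv:
            self._in_use.discard(conn)
            if conn.valid and not self._stale(conn):
                self._idle.append(conn)
            self._cv.notify()

    def run(self, operation):
        """Run operation(conn); on an invalid connection retry once on a fresh one."""
        conn = self.checkout()
        try:
            return operation(conn)
        except InvalidConnectionError:
            conn.valid = False          # release() will not put it back into the idle list
            if not self.s.retry_upon_invalid_connection_error:
                raise
        finally:
            self.release(conn)
        conn = self.checkout()
        try:
            return operation(conn)
        finally:
            self.release(conn)


def retry_demo() -> tuple:
    """First call hits a broken connection, the retry succeeds on a new one."""
    pool = PoolModel(PoolSettings(maximum_connections=1, max_wait_time_ms=0))
    calls = []

    def operation(conn):
        calls.append(conn.ident)
        if len(calls) == 1:
            raise InvalidConnectionError()
        return "ok"

    return pool.run(operation), calls   # ("ok", [1, 2])
```

With a pool of one connection, "Max Wait Time" 0 and "Create New Connections If Necessary" disabled, a second checkout fails immediately; enabling the flag lets the pool grow past its maximum instead, which is why the page keeps it off by default.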
    

    LDAP Connector

    Description

    Provides the following services by connecting to an LDAP directory (for MS Active Directory, please use the Active Directory Connector plugin):

    Main Features

    • LDAP directory as user data repository (User Persister, User Iterator, Extended User Persister)
    • LDAP directory as password service (check password, reset password, change password)
    • LDAP directory as token storage for one user-related token (e.g. for mobile number)

    Requirements on Directory Schema

    • For using the basic features, users should have object class inetOrgPerson. More limited usage is possible with organizationalPerson and even Person.
    • All attribute names are configurable. Therefore custom schemas are supported as long as all user data is stored as attributes in one directory entry (except for roles/groups).
    • To use all features of this plugin, custom attributes are required. Please refer to the Airlock IAM documentation page "What LDAP Directory Attributes does Airlock Login/IAM require?" (then go to "LDAP Attributes for User Data").
      For details about the meaning of an attribute, please refer to the corresponding attribute setting's help in this plugin.
      Depending on the configured attributes, more or fewer features can be used.
    • User roles/groups can be read from the following:
      • From a user attribute with one or more values (see "Roles Attribute"). RDNs can be extracted from DNs stored in this attribute. This set of roles can also be written.
      • Roles can be looked up in other directory trees (e.g. groups subtree) by configuring the corresponding query, search depth and filters.
      • Nested/hierarchical roles are supported.

    How Users are found
    For all operations (load, store user, check password, change password, etc.), this plugin first looks up the user entry in the directory using the service account specified in the connection pool settings.
    Multiple search trees can be specified in order to limit the search space (and therefore improve performance) when users are stored in multiple subtrees.

    Reading / Writing Token/Credential Information
    This plugin only provides very limited features for reading / writing token information: it only reads and writes a single attribute stored as a user attribute (see "Credential Data Attribute").
    It can be used for example to use the mobile phone number authentication token (for 2-factor authentication).
    The plugin does not support token order flags, serial numbers, delivery dates, and the like. Please use an "Ldap Credential Persister" plugin for more features.

    Differences to "LDAP Password Authenticator"
    This plugin offers most features of the "LDAP Password Authenticator". Whereas the "LDAP Password Authenticator" only checks or sets the password, this plugin also considers user information such as:
    • Locked flag
    • User validity attributes
    • Failed logins counter
    • Password change enforced flag
    • Password expiry date
    • etc.
    The user information is also updated unless "Update Login Statistics" is disabled.

    Read-only Attributes and Operational Attributes
    In property "Read-only Attributes" attributes can be defined that are only read and never written by this plugin. This works not only for context data attributes but for all attributes potentially written by this plugin.
    This enables the plugin to read operational attributes and use them in authentication or password management: some directories provide automatically updated operational attributes (e.g. latest password change) that may be read but not written by LDAP clients. They can be configured in the corresponding attribute settings and put in the list of read-only attributes.
    NOTE: Some directories do not provide operational attributes to LDAP clients and always return empty values when read using LDAP.

    Limitation of Usage
    Unlike the "LDAP User Persister", this plugin is not able to read the password hash from the directory. It therefore cannot be used with a custom schema where the password hash is computed in Airlock IAM and only stored (and read) by this plugin.

    Note on using this plugin only for password checks
    When only using this plugin to check the user's password, additional features like role lookup or context data retrieval may not work as expected.

    Related Plugins
    The following plugins are closely related to this one and offer slightly more or different functions. In certain situations it may make sense to use a combination of them instead of this plugin:

    • LDAP User Persister
    • LDAP Credential Persister
    • LDAP Password Authenticator

    Class
    com.airlock.iam.core.misc.impl.persistency.ldap.LdapConnector
    May be used by
    Secret Questions Token Controller Main Authenticator Main Authenticator Primary Key Lookup Email User Profile Item Config Token Data mTAN Handler Airlock 2FA Authenticator Cipher Credential Persister Static Request Authentication User to Password Service Mapping User to Password Service Mapping Radius Authentication Service Radius Authentication Service Certificate Authenticator Certificate Authenticator Lock Inactive Accounts Task Lock Inactive Accounts Task Password Authenticator JSP Remember-Me Settings Administrators Management Persister Password Service Persister Password Service Has Email Address Vasco Token Report Strategy Client Certificate (X.509) Request Authentication Basic Auth Request Authentication OAuth 2.0 Token Request Authentication String User Profile Item Credential-based Generic Token Repository mTAN IAK Token Report Strategy Email Otp Authenticator Cipher User Persister Certificate Data Extractor Task Certificate Data Extractor Task Combining User Persister SMS Notifier User Persister Email Certificate Provider Composite Password Service Composite Password Service Composite Password Service Credential Secret Batch Task Credential Secret Batch Task Transaction Approval OAuth 2.0/OIDC Authorization Server Delete Users Task Delete Users Task Token Activation On Delivery Strategy Combining Extended User Persister Combining Extended User Persister Loginapp Certificate Token Authenticator OATH OTP Letter Task Export Users Task Export Users Task Airlock 2FA Activation Letter Task User Persister-based User Store User to Authenticator Mapping Email Notifier LDAP Password Repository Target Application/Service Credential Report Task Credential Report Task OATH OTP Settings Meta Authenticator Meta Authenticator Meta Authenticator Meta Authenticator Administrators Configuration Administrators Configuration Credential Data mTAN Handler Credential Data mTAN Handler User Sync Task Config User Sync Task Config Self Reg Users Reminder Task Self Reg Users Reminder Task Vasco Letter Generator Admin SSO Ticket Request Authentication Credential Data Certificate Matcher Persister IAK Verifier User-based Authenticator Selector User Store Configuration User Store Configuration XML File Importer Task Extended User Persister-based User Store Provider Unique Across Services Password Policy SSO Ticket Request Authentication Password Token Controller Password Batch Task Password Batch Task Auth Method-based Authenticator Selector Self Reg Users Clean Up Task Self Reg Users Clean Up Task Lock Expired Initial Passwords Task Lock Expired Initial Passwords Task Role-based Authenticator Selector Data Sources Legacy Email OTP Authentication Step Extended String User Profile Item Config HTTP Password Service Cronto Report Strategy Token Authenticator Selection Authenticator Context Data Username Transformer Lookup and Accept Authenticator Fallback Authenticator New Email Clean-up Strategy Custom User Persister-based User Store Provider Password Settings Destroy Last User Session Email Notification Task Email Notification Task Remember-Me Reset Step User-based Password Service Selector User Persister Configuration User Persister Configuration User Persister Configuration
    Properties
    Connection Pool (connectionPool)
    Description
    The connection pool connecting to the LDAP directory (or Active Directory).
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Username Attribute (usernameAttribute)
    Description
    The LDAP attribute which holds the user id.
    Attributes
    String
    Mandatory
    Suggested values
    uid, cn, mail
    Credential Data Attribute (credentialDataAttribute)
    Description
    The LDAP attribute with credential data (e.g. mobile phone number for MTAN/SMS authentication or email address for certificate validation). It is supposed to be UTF-8 string data.
    Attributes
    String
    Optional
    Suggested values
    mobile, mail
    User Container Nodes (userContainerNodes)
    Description
    Defines a list of search contexts (search trees with search levels) to use when looking for users. The search contexts are used in the defined order.
    Attributes
    String-List
    Mandatory
    User Search Scope (userSearchScope)
    Description
    Specifies whether the search should also recurse down the subtrees of the user container nodes or only the direct children nodes of the user container nodes should be searched.
    Attributes
    Enum
    Optional
    Default value
    subtree
    User Search Filter (userSearchFilter)
    Description
    The additional LDAP search filter expression used when searching the users.
    The format and interpretation of the filter follow RFC 2254.
    Attributes
    String
    Optional
    Multi-line-text
    Default value
    (objectClass=inetOrgPerson)
    Example
    (objectClass=inetOrgPerson)
    Example
    (objectClass=organizationalPerson)
    Example
    (objectClass=person)
    Username Conversion Pattern (usernameConversionPattern)
    Description

    Regular expression pattern containing a group (a region embraced by parentheses) that can be used in conjunction with property "Username Conversion Replacement" in order to transform the username before it is used for searching the user in the directory. If the username does not match the pattern at all, no transformation is performed.

    Example: The pattern "(.*)" and the replacement pattern "user.$1" will transform the username "jdoe" to "user.jdoe" before it is used in the directory.

    Example: The pattern "user\.(.*)" and the replacement pattern "$1" will transform the username "user.jdoe" to "jdoe" before it is used in the directory.

    Attributes
    RegEx
    Optional
    Username Conversion Replacement (usernameConversionReplacement)
    Description
    The replacement string used in conjunction with property "Username Conversion Pattern" in order to transform the username. The token "$1" is used to reference the string matching the group in the pattern. See property "Username Conversion Pattern" for examples.
    Attributes
    String
    Optional
    Example
    user.$1
    Example
    $1
    Insert DN Template (insertDnTemplate)
    Description
    Distinguished name (DN) template used for inserting new users into the LDAP directory. Use ${userId} to specify the user id (username). Use ${xxx} to use the context data value with name xxx and make sure xxx is part of the context data attributes!
    The resulting string must be a correct DN for a newly inserted user.

    If no value is specified, the user id attribute (see separate property) together with the user insert tree and the username is used to form a DN for new entries (resulting in =${userId},).

    Attributes
    String
    Optional
    Example
    uid=${userId},ou=users,o=test
    Example
    cn=${cn},cn=users,dc=exchangeserver,dc=yourcompany,dc=com
    User Insert Tree (userInsertTree)
    Description

    Distinguished name (DN) of the container node (subtree) to insert new users to. If not specified, the first user container node (see separate property) is used. Use ${xxx} to include the context data value with name xxx in the DN (may result in errors if the data does not form a valid subtree).

    This property is only used if no "Insert DN Template" is specified and cannot be combined with it.

    Attributes
    String
    Optional
    Example
    ou=users,o=test
    Example
    cn=users,dc=exchangeserver,dc=yourcompany,dc=com
    Example
    ou=users,ou=${company},dc=com
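    The three settings that turn a login name into a directory lookup and, for new users, into a DN ("Username Conversion Pattern"/"Username Conversion Replacement", "User Search Filter" and "Insert DN Template"/"User Insert Tree") are easiest to understand as one pipeline, so here is an added Python example that walks the page's own sample values through it. It is not Airlock IAM code and Python is used instead of the product's Java; the assumptions are that the whole username has to match the conversion pattern, that "$n" refers to the n-th capture group, that the username term is ANDed with the configured search filter, and that the fallback when no Insert DN Template is set has the form <Username Attribute>=<user id>,<User Insert Tree>. The escaping helpers follow RFC 4515 (filter values) and RFC 4514 (DN values); whether IAM escapes in exactly this way is not stated on the page.

```python
import re
import string

# RFC 4515: characters with special meaning inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before it is placed into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value used inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs = ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " ")
        out.append("\\" + ch if needs else ch)
    return "".join(out)


def convert_username(username: str, pattern: str, replacement: str) -> str:
    """Username Conversion Pattern/Replacement: rewrite the login name before the lookup.

    Assumption: the whole username must match the pattern; $1, $2, ... in the
    replacement refer to the pattern's capture groups. No match: returned unchanged.
    """
    if not pattern:
        return username
    m = re.fullmatch(pattern, username)
    if m is None:
        return username
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", replacement)


def build_user_search_filter(username_attribute: str, username: str, user_search_filter: str) -> str:
    """AND the configured User Search Filter with the (escaped) username term."""
    term = f"({username_attribute}={escape_filter_value(username)})"
    return f"(&{user_search_filter}{term})" if user_search_filter else term


def build_insert_dn(user_id: str, context_data: dict, insert_dn_template: str,
                    username_attribute: str, user_insert_tree: str) -> str:
    """Expand ${userId} and ${xxx} in the Insert DN Template, or fall back to
    <Username Attribute>=<user id>,<User Insert Tree> (assumed form of the fallback).

    Every value is DN-escaped first; a ${xxx} missing from the context data raises KeyError,
    which is the "make sure xxx is part of the context data attributes" case.
    """
    values = {k: escape_dn_value(v) for k, v in context_data.items()}
    values["userId"] = escape_dn_value(user_id)
    if insert_dn_template:
        return string.Template(insert_dn_template).substitute(values)
    tree = string.Template(user_insert_tree).substitute(values)
    return f"{username_attribute}={values['userId']},{tree}"


def lookup_filter_for(login_name: str) -> str:
    """Worked case with the page's examples: pattern (.*) -> user.$1, filter on inetOrgPerson."""
    converted = convert_username(login_name, r"(.*)", "user.$1")
    return build_user_search_filter("uid", converted, "(objectClass=inetOrgPerson)")
```

    For "jdoe" the lookup filter becomes (&(objectClass=inetOrgPerson)(uid=user.jdoe)); a login name containing a filter metacharacter such as "*" is escaped to "\2a" so it matches literally instead of acting as a wildcard, and a context value such as "Doe, John" used in a cn= template has its comma escaped so the resulting DN stays well-formed.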
    Insert Object Classes (insertObjectClasses)
    Description
    Object class(es) used for newly inserted users. At least one object class must be structural.

    Note: When inserting a new entry into an LDAP, the object class defines a number of mandatory attributes. You must make sure that the corresponding attributes are inserted by adding the corresponding values to the new user's context data container and/or mapping other user values to the required attributes (e.g. map the user name to the cn attribute).

    This property is only used if users are inserted using this plugin.

    Attributes
    String-List
    Optional
    Default value
    [inetOrgPerson]
    Default Auth Method (defaultAuthMethod)
    Description
    The default authentication method value used when inserting new users that have no auth method set. This is only used if an authentication method attribute is configured.
    Attributes
    String
    Optional
    Suggested values
    PASSWORD, MATRIX, MTAN, OATH_OTP, CERTIFICATE, CRONTO, EMAILOTP, SECURID, SECOVID
    Default Next Auth Method (defaultNextAuthMethod)
    Description
    The default next authentication method value used when inserting new users that have no next auth method set. This is only used if a next authentication method attribute is configured.
    Attributes
    String
    Optional
    Suggested values
    PASSWORD, MATRIX, MTAN, OATH_OTP, CERTIFICATE, EMAILOTP, SECURID, SECOVID
    Additional Insert Data (additionalInsertData)
    Description
    A list of additional user insert data. If the same attribute is already defined, an exception will be thrown.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Password Attribute (passwordAttribute)
    Description
    The LDAP attribute which holds the password. It is used to set the password (not for checking the password).

    Note that this attribute is ignored if a 'Password Modify Extended Operation' is used.

    Attributes
    String
    Optional
    Default value
    userPassword
    Suggested values
    userPassword
    Password Validity Days (passwordValidityDays)
    Description
    The number of days a password may be used before it must be changed.

    If a password is changed, this plugin sets the latest-password-change-timestamp and (if the corresponding property is defined) also updates the next-enforced-password-change-timestamp.

    If this property is not defined, the "Next Enforced Password Change Timestamp" is not updated.

    Attributes
    Integer
    Optional
    Maximum Wrong Old Passwords (maximumWrongOldPasswords)
    Description
    The number of wrong old passwords during a password change before a user is locked.

    Warning: Make sure that this counter is not also increased by the calling application.

    Attributes
    Integer
    Optional
    Default value
    5
    Force Password Change Attribute (forcePasswordChangeAttribute)
    Description
    The name of the LDAP attribute holding the force password flag.
    Attributes
    String
    Optional
    Suggested values
    forcePasswordChange
    Order Password Attribute (orderPasswordAttribute)
    Description
    The name of the LDAP attribute holding the order password flag. This attribute is used for batch processes generating password letters and the like.
    Attributes
    String
    Optional
    Suggested values
    orderPassword
    Password Order User Attribute (passwordOrderUserAttribute)
    Description
    The name of the LDAP attribute holding the user by whom the new password was ordered. This attribute is used for batch processes generating password letters and the like.
    Attributes
    String
    Optional
    Suggested values
    orderPasswordUser
    Password Order Date Attribute (passwordOrderDateAttribute)
    Description
    The name of the LDAP attribute holding the date when the new password was ordered. This attribute is used for batch processes generating password letters and the like.
    Attributes
    String
    Optional
    Suggested values
    orderPasswordDate
    Latest Password Change Date Attribute (latestPasswordChangeDateAttribute)
    Description
    The name of the LDAP attribute holding the date of the latest password change.
    Attributes
    String
    Optional
    Suggested values
    latestPasswordChangeDate
    Next Enforced Password Change Date Attribute (nextEnforcedPasswordChangeDateAttribute)
    Description
    The name of the LDAP attribute holding the date of the next enforced password change.
    Attributes
    String
    Optional
    Suggested values
    nextEnforcedPasswordChangeDate
    Password Generation Date Attribute (passwordGenerationDateAttribute)
    Description
    The name of the LDAP attribute holding the password generation date. This attribute is used for batch processes generating password letters and the like.
    Attributes
    String
    Optional
    Suggested values
    passwordGenerationDate
    Password Delivery Date Attribute (passwordDeliveryDateAttribute)
    Description
    The name of the LDAP attribute holding the password delivery date. This attribute is used for batch processes generating password letters and the like.
    Attributes
    String
    Optional
    Suggested values
    passwordDeliveryDate
    Failed Password Resets Attribute (failedPasswordResetsAttribute)
    Description

    The name of the LDAP attribute holding the number of failed password reset attempts for flow-based password reset.

    Security note: If this attribute is not specified, failed password reset attempts are not counted, which enables brute-force attacks.

    Attributes
    String
    Optional
    Suggested values
    failedPasswordResets
    Other Credentials Delivery Timestamp Attributes (otherCredentialsDeliveryTimestampAttributes)
    Description
    List of LDAP attribute names holding the delivery dates of other credentials.
    Every referenced attribute must contain a date or timestamp value.
    This information can be used by components that care about not delivering more than one user credential at the same time.
    If no attribute is specified, no delivery dates are provided to callers.
    Attributes
    String-List
    Optional
    Auth Method Attribute (authMethodAttribute)
    Description
    The name of the LDAP attribute holding the user's authentication method.
    Attributes
    String
    Optional
    Suggested values
    authMethod
    Next Auth Method Attribute (nextAuthMethodAttribute)
    Description
    The name of the LDAP attribute holding the user's authentication method after migration.
    Attributes
    String
    Optional
    Suggested values
    nextAuthMethod
    Auth Migration Date Attribute (authMigrationDateAttribute)
    Description
    The name of the LDAP attribute holding the date until which the migration of the auth method has to be performed.
    Attributes
    String
    Optional
    Suggested values
    authMigrationDate
    Valid Attribute (validAttribute)
    Description
    The name of the LDAP attribute telling if the user is valid or not.
    Attributes
    String
    Optional
    Suggested values
    valid
    Not Valid Before Attribute (notValidBeforeAttribute)
    Description
    The name of the LDAP attribute indicating the point in time before which a user is considered not valid yet. The attribute must contain a timestamp.
    Attributes
    String
    Optional
    Suggested values
    notValidBefore
    Not Valid After Attribute (notValidAfterAttribute)
    Description
    The name of the LDAP attribute indicating the point in time after which a user is considered not valid anymore. The attribute must contain a timestamp.
    Attributes
    String
    Optional
    Suggested values
    notValidAfter
    Failed Logins Attribute (failedLoginsAttribute)
    Description
    The name of the LDAP attribute holding the number of failed logins (for the classic Loginapp). If this attribute is not specified, the number of failed logins is not counted and the user is not locked after a certain amount of failed logins even if the maximum number of failed logins is specified in the authenticator.
    Attributes
    String
    Optional
    Suggested values
    failedLogins
    Failed Token Counts Attribute (failedTokenCountsAttribute)
    Description
    The name of the LDAP attribute holding the failed attempts on authentication tokens (for the flow-based REST API). If this attribute is not specified, the failed token attempts are not counted.
    Attributes
    String
    Optional
    Suggested values
    failedTokenCounts
    Failed Logins Before Latest Successful Login Attribute (failedLoginsBeforeLatestSuccessfulLoginAttribute)
    Description
    The name of the LDAP attribute holding the number of failed logins before the latest successful login. If this attribute is not specified, the number of failed logins before the latest successful login is not counted.
    Attributes
    String
    Optional
    Suggested values
    failedLoginsBeforeLatestSuccessfulLogin
    Total Logins Attribute (totalLoginsAttribute)
    Description
    The name of the LDAP attribute holding the total number of successful logins. If this attribute is not specified, the total number of logins is not counted.
    Attributes
    String
    Optional
    Suggested values
    totalLogins
    Latest Login Attempt Attribute (latestLoginAttemptAttribute)
    Description
    The name of the LDAP attribute holding the date and time of the latest login attempt.
    Attributes
    String
    Optional
    Suggested values
    latestLoginAttempt
    Latest Successful Login Attribute (latestSuccessfulLoginAttribute)
    Description
    The name of the LDAP attribute holding the date and time of the latest successful login.
    Attributes
    String
    Optional
    Suggested values
    latestSuccessfulLogin
    Second Latest Successful Login Attribute (secondLatestSuccessfulLoginAttribute)
    Description
    The name of the LDAP attribute holding the date and time of the second latest successful login.
    Attributes
    String
    Optional
    Suggested values
    secondLatestSuccessfulLogin
    First Login Attribute (firstLoginAttribute)
    Description
    The name of the LDAP attribute holding the date and time of the very first login.
    Attributes
    String
    Optional
    Suggested values
    firstLogin
    Unlock Attempts Attribute (unlockAttemptsAttribute)
    Description
    The name of the LDAP attribute holding the number of failed unlock attempts.
    Attributes
    String
    Optional
    Suggested values
    unlockAttempts
    Latest Unlock Attempt Attribute (latestUnlockAttemptAttribute)
    Description
    The name of the LDAP attribute holding the date and time of the latest unlock attempt.
    Attributes
    String
    Optional
    Suggested values
    latestUnlockAttempt
    Self Registered Attribute (selfRegisteredAttribute)
    Description
    The name of the LDAP attribute holding the flag indicating if a user is self-registered.
    Attributes
    String
    Optional
    Suggested values
    selfRegisteredFlag
    Self Registration Date Attribute (selfRegistrationDateAttribute)
    Description
    The name of the LDAP attribute holding the self-registration date (if applicable).
    Attributes
    String
    Optional
    Suggested values
    selfRegistrationDate
    Channel Verification Resends Attribute (channelVerificationResendsAttribute)
    Description
    Name of the LDAP attribute holding the number of completed resends of the channel verification token during the user's self-registration.
    Attributes
    String
    Optional
    Suggested values
    channelVerificationResends
    Last GSID Value Attribute (lastGSIDValueAttribute)
    Description
    Name of the LDAP attribute holding the last global session id.
    Attributes
    String
    Optional
    Suggested values
    lastGsidValue
    Last GSID Date Attribute (lastGSIDDateAttribute)
    Description
    Name of the LDAP attribute holding the last update timestamp for the global session id.
    Attributes
    String
    Optional
    Suggested values
    lastGsidDate
    Secret Questions Enabled Attribute (secretQuestionsEnabledAttribute)
    Description
    Name of the LDAP attribute holding the secret questions enable/disable flag.
    Attributes
    String
    Optional
    Suggested values
    secretQuestionsEnabled
    Context Data Attributes (contextDataAttributes)
    Description
    A list of attribute names that are loaded into the context data container of the user. This can be used to transport arbitrary information such as user address information to calling plug-ins.
    Note: Context data attributes are string based. Values are read as strings and converted to strings when written.
    Note: When referring to operational attributes, also configure them in "Attributes to Request" in "Advanced Settings" below.
    Attributes
    String-List
    Optional
    Read-only Attributes (readOnlyAttributes)
    Description
    A list of attribute names that will never be written to (even for non-context-data attributes).
    Attributes
    String-List
    Optional
    Binary Attributes (binaryAttributes)
    Description
    A list of attribute names that should be treated as binary data (instead of string data).

    Those attributes are Base64 encoded before they are loaded into the context data container of the user.

    Note: To be able to use an attribute configured here, it must additionally be added to the property "Context Data Attributes".

    Attributes
    String-List
    Optional
    User DN Context Data Attribute (userDNContextDataAttribute)
    Description
    The name of the context data attribute to store the user's DN into.
    This DN is in the format "uid=user,ou=People,dc=company,dc=ch".
    Attributes
    String
    Optional
    Example
    dn
    Max Failed Logins (maxFailedLogins)
    Description
    The maximum number of consecutively failed logins before a user account is locked. If not defined, locking is turned off.
    This is only relevant if the property "Update Login Statistics" is on (the default).
    Note: User locking only works if the number of failed logins and the locked state can be written/read to/from the directory (see attribute settings).
    Important: This feature is disabled in case the Ldap Connector is used as authenticator in a Main Authenticator. In that case, the Main Authenticator is responsible for counting failed logins.
    Attributes
    Integer
    Optional
    Locked Attribute (lockedAttribute)
    Description
    The name of the LDAP attribute holding the locked status flag.
    Attributes
    String
    Optional
    Suggested values
    isLocked
    Lock Reason Attribute (lockReasonAttribute)
    Description
    The name of the LDAP attribute that contains the reason why the user is locked.
    This can be the whole description of the reason or a key to the string resource.
    Attributes
    String
    Optional
    Suggested values
    lockReason
    Lock Date Attribute (lockDateAttribute)
    Description
    The name of the LDAP attribute that contains the timestamp of the user locking.
    Attributes
    String
    Optional
    Suggested values
    lockDate
    Static Roles (staticRoles)
    Description
    List of roles granted to authenticated users. These roles are never persisted on the LDAP.

    Note that there are other ways to retrieve a user's roles from the directory. See configuration properties "Role Search ..." and "Roles Attribute".

    Attributes
    String-List
    Optional
    Roles Attribute (rolesAttribute)
    Description
    Name of the attribute holding a list of roles granted to the user after successful authentication.
    The attribute can have multiple values (= multiple occurrences of the attribute in the directory; not a comma-separated list of values).

    Note that there are other ways to write and retrieve a user's roles from the directory. See configuration properties "Role Update: User Attribute In Roles", "Role Search ..." and "Static Roles".

    Attributes
    String
    Optional
    Suggested values
    roles
    Roles can be changed (rolesEditable)
    Description
    If enabled and either the property "Roles Attribute" or "Role Update: User Attribute In Roles" is specified, the role set of a user can be changed (e.g. using the Adminapp). Otherwise, the role set is read-only.
    If enabled, the way roles are determined (see other role-related properties) is limited.
    Attributes
    Boolean
    Optional
    Default value
    true
    Roles Attribute RDN (rolesAttributeRdn)
    Description
    When using the property "Roles Attribute" and when the role value is given as a full DN, e.g. "cn=admin,dc=groups,dc=auth,o=acme", you can specify the RDN which identifies the role name. In the previous example if you specify "cn" as the RDN then the value "admin" will be extracted.
    Attributes
    String
    Optional
    Example
    cn
    Example
    role
    Roles Nested Resolution Depth (rolesNestedResolutionDepth)
    Description
    When using the property "Roles Attribute" you can specify the depth of nested role resolution.

    That is, if the user has a role superusers, which again has a role users then both roles are returned. A value of 0 turns off nested role resolution and looks for roles only on the current user object.
    Attributes
    Integer
    Optional
    Default value
    0
    Roles Nested Resolution Top Only (rolesNestedResolutionTopOnly)
    Description
    When using the property "Roles Nested Resolution Depth" with a value >0 you can specify whether all nested roles are selected or only the top-most roles.

    For example, assume the user has a role superusers, which has a role users, which again has a role basicusers. If this property is enabled and the resolution depth is at least 2 then only the role basicusers is returned. If this property is enabled and the resolution depth is set to 1 the role users is returned. If this property is disabled all visited roles are returned (all three if the resolution depth is at least 2).
    Attributes
    Boolean
    Optional
    Default value
    false
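    The following added illustration (not code from Airlock IAM) models how "Roles Attribute RDN" extracts a role name from a DN-valued roles attribute and how "Roles Nested Resolution Depth" and "Roles Nested Resolution Top Only" select the roles in the superusers/users/basicusers example above. The directory content is constructed; treating a role as "top-most" when the traversal stops at it (no further nested role, or the depth limit reached) is an assumption that reproduces the documented cases.

```python
"""Model of the LDAP Connector role properties "Roles Attribute RDN",
"Roles Nested Resolution Depth" and "Roles Nested Resolution Top Only".
Added illustration, not Airlock IAM code: the directory is constructed and
the "top-most" rule (roles at which the traversal stops) is an assumption."""
from typing import Dict, List, Optional, Set

# Constructed directory: entry DN -> multi-valued "roles" attribute (one list
# element per attribute occurrence, each holding a full role DN).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=People,dc=acme,dc=ch": {
        "roles": ["cn=superusers,ou=Roles,dc=acme,dc=ch"]},
    "cn=superusers,ou=Roles,dc=acme,dc=ch": {
        "roles": ["cn=users,ou=Roles,dc=acme,dc=ch"]},
    "cn=users,ou=Roles,dc=acme,dc=ch": {
        "roles": ["cn=basicusers,ou=Roles,dc=acme,dc=ch"]},
    "cn=basicusers,ou=Roles,dc=acme,dc=ch": {"roles": []},
}


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def role_name(value: str, rdn: Optional[str]) -> str:
    """Apply "Roles Attribute RDN": with rdn "cn" the value
    "cn=admin,dc=groups,dc=auth,o=acme" yields "admin". Without an RDN, or if
    the value has no RDN of that type, the raw attribute value is the role."""
    if not rdn:
        return value
    for part in split_dn(value):
        attr_type, sep, attr_value = part.partition("=")
        if sep and attr_type.strip().lower() == rdn.lower():
            return attr_value.strip()
    return value


def resolve_roles(user_dn: str, depth: int, top_only: bool,
                  rdn: Optional[str] = "cn",
                  roles_attribute: str = "roles") -> Set[str]:
    """Return the role names granted to user_dn.

    depth 0  : no nested resolution, only the roles on the user object.
    depth n>0: follow the roles attribute of each role entry up to n levels.
    top_only : return only the roles at which the traversal stopped instead
               of every role visited on the way.
    """
    direct = DIRECTORY.get(user_dn, {}).get(roles_attribute, [])
    if depth <= 0:
        return {role_name(v, rdn) for v in direct}

    visited: Set[str] = set()
    top: Set[str] = set()
    frontier: List[str] = list(direct)
    level = 0
    while frontier:
        next_frontier: List[str] = []
        for role_dn in frontier:
            if role_dn in visited:       # guards against cyclic role nesting
                continue
            visited.add(role_dn)
            nested: List[str] = []
            if level < depth:
                nested = DIRECTORY.get(role_dn, {}).get(roles_attribute, [])
            if not nested:
                top.add(role_dn)         # leaf role or depth limit reached
            next_frontier.extend(nested)
        frontier = next_frontier
        level += 1

    selected = top if top_only else visited
    return {role_name(v, rdn) for v in selected}


if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=acme,dc=ch"
    for depth, top_only in [(0, False), (1, True), (2, True), (2, False)]:
        print(depth, top_only, sorted(resolve_roles(alice, depth, top_only)))
```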
    Roles Search Base (rolesSearchBase)
    Description
    Together with the attributes "Roles Search Level", "Roles Search Filter", and "Roles Search Attribute", this forms a flexible way to retrieve a user's role from the LDAP directory. The selected roles are granted to the user after successful authentication.
    This attribute specifies the search context (subtree) where roles are searched. It must identify a subtree in the directory.

    Note that there are other ways to retrieve a user's roles from the directory. See configuration properties "Roles Search ..." and "Roles Attribute".

    Attributes
    String
    Optional
    Example
    CN=roles,dc=exchangeserver,dc=company,dc=com
    Roles Search Level (rolesSearchLevel)
    Description
    Together with the attributes "Roles Search Base", "Roles Search Filter", and "Roles Search Attribute", this forms a flexible way to retrieve a user's role from the LDAP directory. The selected roles are granted to the user after successful authentication.
    This attribute specifies whether the roles search scope is only the node selected by the configuration property "Roles Search Base" or the whole subtree below it.

    Note that there are other ways to retrieve a user's roles from the directory. See configuration properties "Roles Search ..." and "Roles Attribute".

    Attributes
    Enum
    Optional
    Default value
    onelevel
    Roles Search Filter (rolesSearchFilter)
    Description
    Together with the attributes "Roles Search Base", "Roles Search Level", and "Roles Search Attribute", this forms a flexible way to retrieve a user's role from the LDAP directory. The selected roles are granted to the user after successful authentication.
    This attribute specifies an arbitrary filter applied when searching the roles. In the filter, you can refer to the user's DN by ${DN}, to the username by ${userId}, and to any attribute value in the context data container (values of attributes listed in the configuration property "Context Data Attributes") by writing ${attribute-name}.

    Note that there are other ways to retrieve a user's roles from the directory. See configuration properties "Roles Search ..." and "Roles Attribute".

    Attributes
    String
    Optional
    Example
    (member=${DN})
    Example
    (userId=${userId})
    Example
    (&(userId=${userId})(memberOf=CN=@VPNMail,OU=${town},DC=company,DC=com))
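    The added illustration below (not Airlock IAM code) models the variable substitution described for "Roles Search Filter": ${DN} is the user's DN, ${userId} the username, and any other ${name} is read from the user's context data container. The model escapes substituted values as RFC 4515 requires for filter assertion values; whether and how the product itself escapes them is not stated in this reference, so that should be verified separately. The user, username and town values are constructed.

```python
"""Model of the ${DN} / ${userId} / ${context-attribute} substitution in the
LDAP Connector's "Roles Search Filter". Added illustration, not Airlock IAM
code; RFC 4515 escaping of substituted values is this model's choice."""
import re
from typing import Dict

# Characters that carry meaning inside an LDAP filter assertion value.
_SPECIAL = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}
_VARIABLE = re.compile(r"\$\{([A-Za-z0-9_.-]+)\}")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def expand_roles_search_filter(template: str, user_dn: str, user_id: str,
                               context_data: Dict[str, str]) -> str:
    """Replace ${DN}, ${userId} and ${<context data attribute>} in the template.

    A reference to a name that is neither DN, userId nor a loaded context data
    attribute is an error rather than silently substituted with an empty string,
    which would widen the search filter."""
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name == "DN":
            value = user_dn
        elif name == "userId":
            value = user_id
        elif name in context_data:
            value = context_data[name]
        else:
            raise KeyError(f"filter refers to ${{{name}}}, which is neither DN, "
                           "userId nor a configured context data attribute")
        return escape_filter_value(value)
    return _VARIABLE.sub(substitute, template)


def is_balanced(ldap_filter: str) -> bool:
    """Sanity check for a filter template: every '(' has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed user: DN, username and the "town" context data attribute.
    dn = "uid=alice,ou=People,dc=company,dc=com"
    ctx = {"town": "Zurich"}
    for template in [
        "(member=${DN})",
        "(userId=${userId})",
        "(&(userId=${userId})(memberOf=CN=@VPNMail,OU=${town},DC=company,DC=com))",
    ]:
        assert is_balanced(template)
        print(expand_roles_search_filter(template, dn, "alice", ctx))
```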
    Roles Search Attribute (rolesSearchAttribute)
    Description
    Together with the attributes "Roles Search Base", "Roles Search Level", and "Roles Search Filter", this forms a flexible way to retrieve a user's role from the LDAP directory. The selected roles are granted to the user after successful authentication.
    This attribute specifies the name of the attribute with the role name in the result of the search. The attribute must select a string type attribute.

    Note that there are other ways to retrieve a user's roles from the directory. See configuration properties "Roles Search ..." and "Roles Attribute".

    Attributes
    String
    Optional
    Example
    role
    Example
    cn
    Role Update: User Attribute In Roles (userAttributeInRolesForRoleUpdate)
    Description
    Only relevant if roles can be changed and are found by search using "Roles Search Base" and its dependent properties.

    Defines the attribute on a role entry containing the users of this role. This attribute will be updated when roles managed in separate LDAP groups are being changed.

    If your directory does not automatically update the user entry when writing a user DN to a role entry, configure the property "Role Update: Roles Attribute In User" as well.
    Attributes
    String
    Optional
    Example
    member
    Role Update: Roles Attribute In User (rolesAttributeInUserForRoleUpdate)
    Description
    Only relevant if roles can be changed and are found by search using "Roles Search Base" and its dependent properties.

    Defines the attribute on a user entry containing the roles of this user. If set, this attribute will be updated when roles are being changed. Configure this property if your directory does not automatically update the user entry when its DN is added to a role entry.

    Attributes
    String
    Optional
    Example
    memberOf
    Role Filters (roleFilters)
    Description
    Allows filtering of retrieved user roles. If configured, only roles that match at least one of the filter patterns are assigned to the user. Static roles are not filtered.
    Attributes
    RegEx-List
    Optional
    Match Roles Case Sensitive (matchRolesCaseSensitive)
    Description
    If enabled, roles are matched against the role filters considering the case (the default).
    Attributes
    Boolean
    Optional
    Default value
    true
    Attributes To Request (attributesToRequest)
    Description
    The list of explicit attributes to request from the LDAP server.
    If left empty, all attributes are requested (default).

    Operational attributes are attributes which the directory maintains for internal use. Normally, such attributes are not returned to an LDAP client in a standard request for object data. Therefore, they have to be configured explicitly here. In order to return all available operational attributes, the value '+' can be used for certain directories like OpenLDAP.
    Some directories return only the operational attributes when '+' is given, so the normal attributes need to be requested in addition by also requesting '*' for all normal attributes.
    Alternatively (and if supported by the directory), when only one specific operational attribute is required, configure "*" and the operational attribute (for example "creatorsName") to request this operational attribute in addition to the normal attributes.

    Attributes
    String-List
    Optional
    Update Login Statistics (updateLoginStatistics)
    Description
    If enabled, login statistics (failed logins, timestamps, etc.) are updated during the authentication process. If disabled, they are not.
    Disabling this flag makes the plugin suitable as a step in a multi-step authentication process (e.g. using the Meta Authenticator or the Main Authenticator).

    Note: Login statistic data can only be updated if the corresponding attributes are configured to be read from and written to the directory.

    Attributes
    Boolean
    Optional
    Default value
    true
    Search Result Page Size (searchResultPageSize)
    Description
    If set to a value greater than zero and the LDAP server supports the SimplePaging control, "paging" is enabled for LDAP searches: This property defines the amount of entries to fetch at once when searching in a directory. This setting may be useful if the LDAP directory server limits the amount of entries in a search result.
    If the property is undefined (the default) or if the server does not announce support for the SimplePaging control, paging is disabled.
    Attributes
    Integer
    Optional
    Special Date Time Pattern (specialDateTimePattern)
    Description
    Optional special date formatter / parser pattern used to read and write timestamps in a different way than in standard LDAP. This may be useful if timestamps are stored in some proprietary way as strings in a directory.
    The timezone used is UTC, or the local one if the flag "Special Date Time Pattern Use Local Timezone" is set to true.

    If this property is not defined, the LDAP-standard pattern yyyyMMddHHmmss.SSS'Z' is used.

    Attributes
    String
    Optional
    Suggested values
    yyyyMMddHHmmss, yyyyMMddHHmmss'Z', MM-dd-yyyy HH:mm:ss
    Special Date Time Pattern Use Local Timezone (specialDateTimePatternUseLocalTimezone)
    Description
    Optional flag telling the plug-in that the special date formatter should use the local timezone instead of UTC.
    Attributes
    Boolean
    Optional
    Default value
    false
    Suppress Substring Search (suppressSubstringSearch)
    Description
    If enabled, substring searches are suppressed, i.e. attributes only match a filter if the whole filter string matches.
    This may greatly improve search performance in large directories.
    Attributes
    Boolean
    Optional
    Default value
    false
    User Count Search Filter (userCountSearchFilter)
    Description
    The LDAP search filter expression applied to count the users. If no filter expression is given here, the "User Search Filter" expression is used to determine the user count. The format and interpretation of filter follows RFC 2254.

    Note: The user count is relevant for the product license. This filter should therefore describe the set of users who should be able to authenticate by Airlock IAM.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Ldap Failure Mappers (ldapFailureMappers)
    Description
    A list of plugins mapping ldap failure messages (exception message returned by the LDAP directory in case of bind failures) to authentication result types.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Constraint Violation Result Code (constraintViolationResultCode)
    Description
    Optional LDAP result code value that should be treated as password constraint violation.
    Attributes
    Integer
    Optional
    Default value
    -1
    Use Password Modify Extended Operation (passwordModifyExtendedOperation)
    Description
    If enabled, an 'LDAP Password Modify Extended Operation' is used instead of a modify request to change or reset a user password. Please refer to RFC-3062 for further information.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.persistency.ldap.LdapConnector
    id: LdapConnector-xxxxxx
    displayName: 
    comment: 
    properties:
      additionalInsertData:
      attributesToRequest:
      authMethodAttribute:
      authMigrationDateAttribute:
      binaryAttributes:
      channelVerificationResendsAttribute:
      connectionPool:
      constraintViolationResultCode: -1
      contextDataAttributes:
      credentialDataAttribute:
      defaultAuthMethod:
      defaultNextAuthMethod:
      failedLoginsAttribute:
      failedLoginsBeforeLatestSuccessfulLoginAttribute:
      failedPasswordResetsAttribute:
      failedTokenCountsAttribute:
      firstLoginAttribute:
      forcePasswordChangeAttribute:
      insertDnTemplate:
      insertObjectClasses: [inetOrgPerson]
      lastGSIDDateAttribute:
      lastGSIDValueAttribute:
      latestLoginAttemptAttribute:
      latestPasswordChangeDateAttribute:
      latestSuccessfulLoginAttribute:
      latestUnlockAttemptAttribute:
      ldapFailureMappers:
      lockDateAttribute:
      lockReasonAttribute:
      lockedAttribute:
      matchRolesCaseSensitive: true
      maxFailedLogins:
      maximumWrongOldPasswords: 5
      nextAuthMethodAttribute:
      nextEnforcedPasswordChangeDateAttribute:
      notValidAfterAttribute:
      notValidBeforeAttribute:
      orderPasswordAttribute:
      otherCredentialsDeliveryTimestampAttributes:
      passwordAttribute: userPassword
      passwordDeliveryDateAttribute:
      passwordGenerationDateAttribute:
      passwordModifyExtendedOperation: false
      passwordOrderDateAttribute:
      passwordOrderUserAttribute:
      passwordValidityDays:
      readOnlyAttributes:
      roleFilters:
      rolesAttribute:
      rolesAttributeInUserForRoleUpdate:
      rolesAttributeRdn:
      rolesEditable: true
      rolesNestedResolutionDepth: 0
      rolesNestedResolutionTopOnly: false
      rolesSearchAttribute:
      rolesSearchBase:
      rolesSearchFilter:
      rolesSearchLevel: onelevel
      searchResultPageSize:
      secondLatestSuccessfulLoginAttribute:
      secretQuestionsEnabledAttribute:
      selfRegisteredAttribute:
      selfRegistrationDateAttribute:
      specialDateTimePattern:
      specialDateTimePatternUseLocalTimezone: false
      staticRoles:
      suppressSubstringSearch: false
      totalLoginsAttribute:
      unlockAttemptsAttribute:
      updateLoginStatistics: true
      userAttributeInRolesForRoleUpdate:
      userChangeEventListeners:
      userContainerNodes:
      userCountSearchFilter:
      userDNContextDataAttribute:
      userInsertTree:
      userSearchFilter: (objectClass=inetOrgPerson)
      userSearchScope: subtree
      usernameAttribute:
      usernameConversionPattern:
      usernameConversionReplacement:
      validAttribute:
    

    LDAP Credential Persister

    Description
    Credential persister and iterator using an LDAP directory (also Active Directory) as repository.

    Access to the directory is done using the UnboundID library.

    This plug-in binds to the LDAP server using a technical user. With this technical user, credentials are searched, read and updated. Make sure the technical user has enough access rights to perform these actions.

    Class
    com.airlock.iam.core.misc.impl.persistency.ldap.LdapCredentialPersister
    May be used by
    Properties
    Connection Pool (connectionPool)
    Description
    The connection pool connecting to the LDAP directory (or active directory).
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Search Contexts (searchContexts)
    Description
    Defines a list of search contexts (search trees with search levels) to use when looking for credential records. The search contexts are used in the defined order.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Search Filter (searchFilter)
    Description
    The LDAP search filter expression to extract a single credential object given the user's name. You must make sure that the query, performed relative to the specified search tree, results in exactly one entry. Use the variable notation ${userId} to specify the user id in the search filter. The format and interpretation of the filter follows RFC 2254.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Iterator Search Filter (iteratorSearchFilter)
    Description
    The LDAP search filter expression applied when iterating over credential nodes (only used when the plug-in acts as a CredentialIterator). If no filter is given, all entries in the specified search tree are returned from the directory. The format and interpretation of the filter follows RFC 2254.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Userid Attribute (useridAttribute)
    Description
    The LDAP attribute which holds the username. This is in most cases the same attribute used in the search filter.
    Attributes
    String
    Mandatory
    Suggested values
    cn, sAMAccountName, userId
    Update Dn Template (updateDnTemplate)
    Description
    Distinguished name (DN) template used for updating the node in the LDAP directory. Use ${userId} to specify the user id. The resulting DN must uniquely identify the credential's LDAP entry.

    Note: Usually it is not necessary (and not recommended) to use an update template because it requires that the resulting DN is unique, which is often not possible when searching with scope "subtree". This setting, however, can be very useful if the user directory service has no notion of "full names" and can therefore not determine the DN of a search result by itself.

    Attributes
    String
    Optional
    Example
    uid=${userId},ou=users,o=test
    Example
    cn=${userId},cn=users,dc=exchangeserver,dc=yourcompany,dc=com
    Binary Credential Data Attribute (binaryCredentialDataAttribute)
    Description
    The LDAP attribute with binary credential data for the current inner item.
    The presence of this property indicates that the credential data is stored in binary form and not in string form. If this property is set, this class returns (and expects) instances of CredentialBean returning false in method "CredentialBean.isCredentialDataStringType()".
    You cannot specify both this property and property "col-string-credential-type".
    Attributes
    String
    Optional
    Suggested values
    currentCredentialBinaryData, currentTokenBinaryData
    Next Binary Credential Data Attribute (nextBinaryCredentialDataAttribute)
    Description
    The LDAP attribute with binary credential data for the next inner item.
    The presence of this property indicates that the credential data is stored in binary form and not in string form. If this property is set, this class returns (and expects) instances of CredentialBean returning false in method "CredentialBean.isCredentialDataStringType()".
    You cannot specify both this property and property "col-string-credential-type".
    Attributes
    String
    Optional
    Suggested values
    nextCredentialBinaryData, nextTokenBinaryData
    String Credential Data Attribute (stringCredentialDataAttribute)
    Description
    The LDAP attribute with string-type credential data for the current inner item.
    The presence of this property indicates that the credential data is stored as string and not in binary form. If this property is set, this class returns (and expects) instances of CredentialBean returning true in method "CredentialBean.isCredentialDataStringType()".
    You cannot specify both this property and property "col-binary-credential-type".
    Attributes
    String
    Optional
    Suggested values
    currentCredentialStringData, currentTokenStringData
    Next String Credential Data Attribute (nextStringCredentialDataAttribute)
    Description
    The LDAP attribute with string-type credential data for the next inner item.
    The presence of this property indicates that the credential data is stored as string and not in binary form. If this property is set, this class returns (and expects) instances of CredentialBean returning true in method "CredentialBean.isCredentialDataStringType()".
    You cannot specify both this property and property "col-binary-credential-type".
    Attributes
    String
    Optional
    Suggested values
    nextCredentialStringData, nextTokenStringData
    Serial Attribute (serialAttribute)
    Description
    The name of the LDAP attribute with the credential serial number for the current inner item.
    Attributes
    String
    Optional
    Suggested values
    currentCredentialSerialNumber, currentTokenSerialNumber
    Next Serial Attribute (nextSerialAttribute)
    Description
    The name of the LDAP attribute with the credential serial number for the next inner item.
    Attributes
    String
    Optional
    Suggested values
    nextCredentialSerialNumber, nextTokenSerialNumber
    Active Attribute (activeAttribute)
    Description
    The name of the LDAP attribute with the flag indicating whether the credential is active or not. Inactive credentials may not be used by the callers.
    If the attribute is not specified, all credentials are considered to be active.
    Attributes
    String
    Optional
    Suggested values
    credentialActive, tokenActive
    Delivery Date Attribute (deliveryDateAttribute)
    Description
    The name of the LDAP attribute with the date and time of the (latest) credential delivery of the current inner CredentialData item.
    Attributes
    String
    Optional
    Suggested values
    currentCredentialDeliveryDate, currentTokenDeliveryDate
    Next Delivery Date Attribute (nextDeliveryDateAttribute)
    Description
    The name of the LDAP attribute with the date and time of the credential delivery of the next inner CredentialData item.
    Attributes
    String
    Optional
    Suggested values
    nextCredentialDeliveryDate, nextTokenDeliveryDate
    Other Credentials Delivery Dates Attributes (otherCredentialsDeliveryDatesAttributes)
    Description
    Comma-separated list of LDAP attributes with the delivery dates of other credentials. This information may be used in order to delay the delivery time for credentials so that no two credentials of the same user are delivered on the same day.
    Attributes
    String-List
    Optional
    Generation Date Attribute (generationDateAttribute)
    Description
    The name of the LDAP attribute with the date and time of the credential generation or assignment of the current CredentialData item.
    Attributes
    String
    Optional
    Suggested values
    currentCredentialGenerationDate, matrixLetterGeneration, cardAssignmentDate
    Next Generation Date Attribute (nextGenerationDateAttribute)
    Description
    The name of the LDAP attribute with the date and time of the credential generation or assignment of the next CredentialData item.
    Attributes
    String
    Optional
    Suggested values
    nextCredentialGenerationDate, matrixLetterGeneration, cardAssignmentDate
    Ordered Attribute (orderedAttribute)
    Description
    The name of the LDAP attribute with the flag indicating whether a new credential should be generated or assigned for the user.
    Attributes
    String
    Optional
    Suggested values
    credentialOrdered, orderNewTokenlist, tokenLetterOrdered
    Ordered User Attribute (orderedUserAttribute)
    Description
    The name of the LDAP attribute with the user by whom the new credential was ordered to be generated or assigned for the user.
    Attributes
    String
    Optional
    Suggested values
    orderNewTokenlistUser, tokenLetterOrderedUser
    Ordered Date Attribute (orderedDateAttribute)
    Description
    The name of the LDAP attribute with the date when the new credential was ordered to be generated or assigned for the user.
    Attributes
    String
    Optional
    Suggested values
    orderNewTokenlistDate, tokenLetterOrderedDate
    Context Data Attributes (contextDataAttributes)
    Description
    A list of attribute names that are loaded into the context data container of the credential. This can be used to transport arbitrary information such as address information to calling plug-ins.
    Attributes
    String-List
    Optional
    Read Only Attributes (readOnlyAttributes)
    Description
    A list of attribute names that are to be treated read-only.
    Attributes
    String-List
    Optional
    Search Result Page Size (searchResultPageSize)
    Description
    If set to a value greater than zero, "paging" is enabled for LDAP searches: This property defines the amount of entries to fetch at once when searching in a directory. This setting may be useful if the LDAP directory server limits the amount of entries in a search result.
    If the property is set to zero (the default), paging is disabled.
    Attributes
    Integer
    Optional
    Default value
    0
    Special Date Time Pattern (specialDateTimePattern)
    Description
    Optional special date formatter / parser pattern used to read and write timestamps in a different way than in standard LDAP. This may be useful if timestamps are stored in some proprietary way as strings in a directory.
    The timezone used is UTC, or the local one if the flag "Special Date Time Pattern Use Local Timezone" is set to true.

    If this property is not defined, the LDAP-standard pattern yyyyMMddHHmmss.SSS'Z' is used.

    Attributes
    String
    Optional
    Suggested values
    yyyyMMddHHmmss, yyyyMMddHHmmss'Z', MM-dd-yyyy HH:mm:ss
    Special Date Time Pattern Use Local Timezone (specialDateTimePatternUseLocalTimezone)
    Description
    Optional flag telling the plug-in that the special date formatter should use the local timezone.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.persistency.ldap.LdapCredentialPersister
    id: LdapCredentialPersister-xxxxxx
    displayName: 
    comment: 
    properties:
      activeAttribute:
      binaryCredentialDataAttribute:
      connectionPool:
      contextDataAttributes:
      deliveryDateAttribute:
      generationDateAttribute:
      iteratorSearchFilter:
      nextBinaryCredentialDataAttribute:
      nextDeliveryDateAttribute:
      nextGenerationDateAttribute:
      nextSerialAttribute:
      nextStringCredentialDataAttribute:
      orderedAttribute:
      orderedDateAttribute:
      orderedUserAttribute:
      otherCredentialsDeliveryDatesAttributes:
      readOnlyAttributes:
      searchContexts:
      searchFilter:
      searchResultPageSize: 0
      serialAttribute:
      specialDateTimePattern:
      specialDateTimePatternUseLocalTimezone: false
      stringCredentialDataAttribute:
      updateDnTemplate:
      useridAttribute:
    

    LDAP CRL Fetcher

    Description
    CRL (certificate revocation list) fetcher that obtains the latest CRL using an LDAP query.
    Class
    com.airlock.iam.core.misc.impl.cert.crl.LdapCrlFetcher
    May be used by
    License-Tags
    ClientCertificate
    Properties
    Ldap Host (ldapHost)
    Description
    The host name (or IP) of the LDAP directory.
    Attributes
    String
    Mandatory
    License-Tags
    ClientCertificate
    Example
    localhost
    Example
    ad
    Example
    pkiServer
    Ldap Port (ldapPort)
    Description
    The port of the LDAP directory.
    Attributes
    Integer
    Optional
    License-Tags
    ClientCertificate
    Default value
    389
    Issuer Name (issuerName)
    Description
    The DN (distinguished name) of the issuer of the CRL.
    Attributes
    String
    Mandatory
    License-Tags
    ClientCertificate
    Example
    CN=myca,OU=myou,O=My Crypto Company,C=CH
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.cert.crl.LdapCrlFetcher
    id: LdapCrlFetcher-xxxxxx
    displayName: 
    comment: 
    properties:
      issuerName:
      ldapHost:
      ldapPort: 389
    

    LDAP Password Authenticator

    Description
    Authenticator (and PasswordService plugin) checking (and setting) passwords against an LDAP directory (also Microsoft Active Directory).

    The plug-in uses a "technical" LDAP user to bind to the directory and search the user to check the password for. If the user can be found, a bind operation using the user's distinguished name (DN) and password is performed. If the bind operation succeeds, the password is considered to be correct.

    The plugin may distinguish different types of authentication failures (e.g. "password wrong", "password change enforced") by looking at the error message returned by the LDAP directory. To use this feature, specify the corresponding configuration properties defining error message patterns (see list of LdapFailureMappers config property...). The default authentication failure (i.e. if no pattern is defined or none matches) is PASSWORD_WRONG.

    This plug-in only checks the password and does not consider other user attributes, such as locked flags or forced password change flags. To do this, use the LdapUserPersister together with the PasswordServicePasswordAuthenticator.

    Because each password check is independent, this plug-in does not need authentication sessions.

    This plugin also implements the PasswordService extension point, i.e. it can be used to reset or change a password in an LDAP directory.
    If doing so, you must specify the password attribute name (property password-attribute).
    Note that most LDAP directories require a connection over SSL (LDAPS) when setting passwords. If using a Microsoft Active Directory as LDAP server, set the following properties:

    • Set Password Attribute to UnicodePwd.
    • Set Active Directory Password Encoding to TRUE. This will tell this plug-in that it has to deal with an MSAD and therefore set the password slightly different. (It encodes the new password specially for MSAD.)

    The plugin writes its canonical class name to the context data container under the key authPluginClassName. A short description of this authentication method is stored under the key authMethodShortDesc. This information may be used by callers.

    Class
    com.airlock.iam.core.misc.impl.authen.ldap.LdapPasswordAuthenticator
    May be used by
    Properties
    Connection Pool (connectionPool)
    Description
    The settings used to talk to the LDAP directory (or active directory).
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Search Contexts (searchContexts)
    Description
    Defines a list of search contexts (search trees with search levels) to use when looking for users. The search contexts are used in the defined order.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Bind Dn Template (bindDnTemplate)
    Description
    The DN (distinguished name) used to bind to the LDAP. Use ${userId} for the username variable. Binding to the LDAP using this DN is done for both password checking and changing. If this property is empty, the user is first searched.
    Attributes
    String
    Optional
    Example
    uid=${userId},dc=users,dc=test.com
    Additional Search Filter (searchFilter)
    Description
    The additional LDAP search filter expression used when searching the user to check the password for. This filter is automatically combined (by a logical and) with a username filter based on the Username Attribute name.

    The format and interpretation of filter follows RFC 2254.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Username Attribute (searchAttrName)
    Description
    The name of the attribute to match the user name against when looking for the user data.
    Attributes
    String
    Mandatory
    Suggested values
    cn, sAMAccountName, userPrincipalName, uid
    Username Conversion Pattern (usernameConversionPattern)
    Description

    Regular expression pattern containing a group (a region embraced by parentheses) that can be used in conjunction with property "Username Conversion Replacement" in order to transform the username before it is used for searching the user in the directory. If the username does not match the pattern at all, no transformation is performed.

    Example: The pattern "(.*)" and the replacement pattern "user.$1" will transform the username "jdoe" to "user.jdoe" before it is used in the directory.

    Example: The pattern "user\.(.*)" and the replacement pattern "$1" will transform the username "user.jdoe" to "jdoe" before it is used in the directory.

    Attributes
    RegEx
    Optional
    Username Conversion Replacement (usernameConversionReplacement)
    Description
    The replacement string used in conjunction with property "Username Conversion Pattern" in order to transform the username. The token "$1" is used to reference the string matching the group in the pattern. See property "Username Conversion Pattern" for examples.
    Attributes
    String
    Optional
    Example
    user.$1
    Example
    $1
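The conversion and lookup described by the four properties above, as an added example that is not Airlock IAM code: the username is rewritten with the Java-style pattern/replacement pair and then combined with the "Additional Search Filter" into one RFC 2254 filter. Assumptions: the pattern must match the whole username (Java Matcher.matches() semantics), and the username value is escaped per RFC 2254 section 4 before it is placed in the filter; the page does not state whether the plugin does the latter.

```python
import re
from typing import Optional

# Added example, not Airlock IAM code: "Username Conversion Pattern" /
# "Username Conversion Replacement" applied to a username, then the username
# clause ANDed with the "Additional Search Filter" as the property text describes.
# Assumption: a full match is required; a non-matching username is used unchanged.

# RFC 2254 section 4: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def convert_username(username: str, pattern: Optional[str], replacement: Optional[str]) -> str:
    """Apply the conversion pattern/replacement; return the input unchanged on no match."""
    if not pattern or replacement is None:
        return username
    match = re.fullmatch(pattern, username)
    if match is None:
        return username
    # Java replacement syntax references groups as $1; Python's equivalent is \g<1>.
    py_replacement = re.sub(r"\$(\d+)", r"\\g<\1>", replacement)
    return match.expand(py_replacement)


def escape_filter_value(value: str) -> str:
    """Escape an attribute value so it cannot change the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(username_attr: str, username: str,
                             additional_filter: Optional[str] = None) -> str:
    """Combine the username clause with the additional filter by logical AND."""
    user_clause = f"({username_attr}={escape_filter_value(username)})"
    if not additional_filter:
        return user_clause
    return f"(&{user_clause}{additional_filter})"


def lookup_filter(username: str, username_attr: str = "uid",
                  pattern: Optional[str] = None, replacement: Optional[str] = None,
                  additional_filter: Optional[str] = None) -> str:
    """Full pipeline: convert the username, then build the filter used for the search."""
    converted = convert_username(username, pattern, replacement)
    return build_user_search_filter(username_attr, converted, additional_filter)


if __name__ == "__main__":
    # Constructed sample inputs mirroring the two examples in the property description.
    print(lookup_filter("jdoe", pattern="(.*)", replacement="user.$1",
                        additional_filter="(objectClass=inetOrgPerson)"))
    print(lookup_filter("user.jdoe", pattern=r"user\.(.*)", replacement="$1"))
    # A username carrying filter metacharacters is escaped rather than interpreted.
    print(lookup_filter("j*doe)(uid=*", username_attr="sAMAccountName"))
```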
    Ldap Failure Mappers (ldapFailureMappers)
    Description
    A list of plugins mapping LDAP failure messages (the exception message returned by the LDAP directory in case of bind failures) to authentication result types.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Static Roles (staticRoles)
    Description
    List of roles granted to authenticated users.
    Attributes
    String-List
    Optional
    Password Attribute (passwordAttribute)
    Description
    The LDAP attribute which holds the password.

    Note: This is required if the plugin is used for setting or changing passwords.

    Attributes
    String
    Optional
    Suggested values
    password, userPassword, unicodePwd
    Active Directory Password Encoding (activeDirectoryPasswordEncoding)
    Description
    Optional flag telling the plug-in that it has to deal with a Microsoft Active Directory (MSAD). Set this property to TRUE when using an Active Directory.

    Note: This is only used if the plugin is used for setting or changing passwords.

    Attributes
    Boolean
    Optional
    Default value
    false
    Active Directory Unlock User On Reset (activeDirectoryUnlockUserOnReset)
    Description
    If set to TRUE a password change will also unlock the user on Active Directory by resetting the lockoutTime.
    Attributes
    Boolean
    Optional
    Default value
    false
    Active Directory Account Control On Reset (activeDirectoryAccountControlOnReset)
    Description
    Optional flag telling the plug-in that it should set the MSAD attribute userAccountControl to the given value on reset. A value of -1 means that the userAccountControl attribute is not changed.
    Attributes
    Integer
    Optional
    Default value
    -1
    Active Directory Check Password Policies For User Initiated Modification (activeDirectoryCheckPasswordPoliciesForUserInitiatedModification)
    Description
    If set to TRUE, the Active Directory server-side password policy checks are enabled when the user resets or changes his password. This is useful to enforce advanced Active Directory server-side policies such as password histories.
    Attributes
    Boolean
    Optional
    Default value
    true
    Active Directory Reset Pwd Last Set For User Initiated Modification (activeDirectoryResetPwdLastSetForUserInitiatedModification)
    Description
    Optional flag telling the plug-in that it should reset the MSAD attribute pwdLastSet to the current time when the user resets or changes his password.
    Attributes
    Boolean
    Optional
    Default value
    false
    Constraint Violation Result Code (constraintViolationResultCode)
    Description
    Optional LDAP result code value that should be treated as password constraint violation.
    Attributes
    Integer
    Optional
    Default value
    -1
    Use Password Modify Extended Operation (passwordModifyExtendedOperation)
    Description
    If enabled, an 'LDAP Password Modify Extended Operation' is used instead of a modify request to change or reset a user password. Please refer to RFC-3062 for further information.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.ldap.LdapPasswordAuthenticator
    id: LdapPasswordAuthenticator-xxxxxx
    displayName: 
    comment: 
    properties:
      activeDirectoryAccountControlOnReset: -1
      activeDirectoryCheckPasswordPoliciesForUserInitiatedModification: true
      activeDirectoryPasswordEncoding: false
      activeDirectoryResetPwdLastSetForUserInitiatedModification: false
      activeDirectoryUnlockUserOnReset: false
      bindDnTemplate:
      connectionPool:
      constraintViolationResultCode: -1
      ldapFailureMappers:
      passwordAttribute:
      passwordModifyExtendedOperation: false
      searchAttrName:
      searchContexts:
      searchFilter:
      staticRoles:
      usernameConversionPattern:
      usernameConversionReplacement:
    

    LDAP Password Hash

    Description

    Password hash plugin supporting password hashes commonly used by LDAP servers. The syntax is {hash-func}hash-value, where hash-func is the hash function identifier and hash-value is the base64-encoded hash value and salt.

    This plugin has been tested with OpenLDAP and 389 Directory Server LDAP implementations.

    Currently supported hash functions are:

    • SSHA: Salted SHA-1
    • SSHA256: Salted SHA-256
    • SSHA384: Salted SHA-384
    • SSHA512: Salted SHA-512

    The use of this plugin is discouraged due to security reasons. We recommend using this hash for migration purposes or compatibility with an existing LDAP only. Please use scrypt Password Hash instead (within a PasswordHashConfiguration for Encoded Hash Values).
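The {hash-func}hash-value format described above, as an added example that is not Airlock IAM code: it generates, parses and verifies values for the four salted schemes the plugin lists, with the plugin's default salt length of 32 bytes. Assumption: the base64 payload is the digest followed by the salt, which is the layout OpenLDAP and 389 Directory Server use for {SSHA*} values.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Added example, not Airlock IAM code: {hash-func}base64(H(password || salt) || salt)
# for the SSHA family.  Assumption: digest-then-salt layout as in OpenLDAP / 389 DS.
_HASH_FUNCS = {"SSHA": "sha1", "SSHA256": "sha256", "SSHA384": "sha384", "SSHA512": "sha512"}


def generate_hash(password: str, hash_func: str = "SSHA512", salt_length: int = 32,
                  salt: Optional[bytes] = None) -> str:
    """Produce a stored value; salt_length mirrors the plugin's default of 32 bytes."""
    algo = _HASH_FUNCS[hash_func]  # KeyError for a scheme the plugin does not support
    if salt is None:
        salt = secrets.token_bytes(salt_length)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{" + hash_func + "}" + base64.b64encode(digest + salt).decode("ascii")


def parse_hash(encoded: str) -> Tuple[str, bytes, bytes]:
    """Split a stored value into (scheme, digest, salt); reject anything malformed."""
    if not encoded.startswith("{") or "}" not in encoded:
        raise ValueError("not a {hash-func}hash-value string")
    scheme, b64 = encoded[1:].split("}", 1)
    scheme = scheme.upper()  # LDAP servers treat the scheme identifier case-insensitively
    if scheme not in _HASH_FUNCS:
        raise ValueError(f"unsupported hash function: {scheme}")
    raw = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    digest_len = hashlib.new(_HASH_FUNCS[scheme]).digest_size
    if len(raw) <= digest_len:
        raise ValueError("hash value too short to contain a digest and a salt")
    return scheme, raw[:digest_len], raw[digest_len:]


def verify_password(password: str, encoded: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, stored_digest, salt = parse_hash(encoded)
    except ValueError:
        return False
    candidate = hashlib.new(_HASH_FUNCS[scheme], password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    # Constructed sample: hash a password with SSHA256, then verify a right and a wrong guess.
    stored = generate_hash("correct horse battery staple", "SSHA256")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("incorrect horse", stored))               # False
```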

    Class
    com.airlock.iam.core.misc.util.password.hash.LdapPasswordHash
    May be used by
    Properties
    Generation Hash Function (generationHashFunction)
    Description
    The hash function used to generate password hashes.
    Attributes
    Enum
    Mandatory
    Salt Length (saltLength)
    Description
    The length of the salt (in bytes) used when generating hashes.
    Attributes
    Integer
    Optional
    Default value
    32
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.hash.LdapPasswordHash
    id: LdapPasswordHash-xxxxxx
    displayName: 
    comment: 
    properties:
      generationHashFunction:
      saltLength: 32
    

    LDAP Password Repository

    Description
    Manages the user's password and verifies it with an LDAP bind operation.
    Class
    com.airlock.iam.common.application.configuration.password.repository.LdapPasswordRepositoryConfig
    May be used by
    Properties
    LDAP Connector (connector)
    Description
    The LDAP settings.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.password.repository.LdapPasswordRepositoryConfig
    id: LdapPasswordRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      connector:
    

    LDAP Search Context

    Description
    An LDAP search context consists of an LDAP search tree DN and a search level.
    Class
    com.airlock.iam.core.misc.util.ldap.LdapSearchContext
    May be used by
    Properties
    Search Tree (searchTree)
    Description
    Distinguished names of the contexts (or subtrees) of the directories with the users.
    Attributes
    String
    Mandatory
    Example
    CN=users,dc=exchangetest,dc=company,dc=com
    Search Level (searchLevel)
    Description
    Specifies whether the search should also include subtrees or only the tree specified by the configuration property search-base.

    Valid values are onelevel and subtree. The default is onelevel.

    Attributes
    Enum
    Optional
    Default value
    onelevel
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.ldap.LdapSearchContext
    id: LdapSearchContext-xxxxxx
    displayName: 
    comment: 
    properties:
      searchLevel: onelevel
      searchTree:
    

    LDAP Search Filter

    Description
    An LDAP search filter expression (as in RFC 2254).
    Class
    com.airlock.iam.core.misc.util.ldap.LdapSearchFilter
    May be used by
    Properties
    Filter Expression (filterExpression)
    Description
    The LDAP search filter expression.
    Attributes
    String
    Mandatory
    Multi-line-text
    Example
    (objectClass=*)
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.ldap.LdapSearchFilter
    id: LdapSearchFilter-xxxxxx
    displayName: 
    comment: 
    properties:
      filterExpression:
    

    Ldap String Attribute

    Description
    Specifies a static key-value pair of an LDAP string attribute.
    Class
    com.airlock.iam.core.misc.impl.persistency.ldap.LdapStringAttribute
    May be used by
    Properties
    Name (name)
    Description
    The name of the additional LDAP string attribute.
    Attributes
    String
    Mandatory
    Example
    preferredLanguage
    Example
    description
    Value (value)
    Description
    The value of the additional LDAP string attribute.
    Attributes
    String
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.persistency.ldap.LdapStringAttribute
    id: LdapStringAttribute-xxxxxx
    displayName: 
    comment: 
    properties:
      name:
      value:
    

    LDAP Token List Persister

    Description
    User persister (extended) and iterator using an LDAP directory (also Active Directory) as repository.

    Access to the directory is done using UnboundID LDAP SDK.

    This plug-in binds to the LDAP server using a technical user. With this technical user, users are searched, read and updated. Make sure the technical user has enough access rights to perform these actions.

    Note that setting passwords is done in an LDAP specific way such that it only works in conjunction with the password hash plug-in IdentityPasswordHash.
    Make sure that users of this implementation (e.g. Loginapp and password change applications) use the IdentityPasswordHash plug-in as password hash function.

    The method changeUsername(String oldUsername, String newUsername) is not implemented and will throw a NotImplementedException.

    Working with Microsoft Active Directory (MSAD)

    When setting passwords using this plug-in and an MSAD, the following settings must be used:
    • Set password-attribute to UnicodePwd.
    • Set password-attribute-is-string to FALSE.
    • Set ad-like-password-set to TRUE. This will tell this plug-in that it has to deal with an MSAD and therefore set the password slightly different. (It encodes the new password specially for MSAD.)
    Class
    com.airlock.iam.core.misc.impl.persistency.ldap.LdapTokenListPersister
    May be used by
    Properties
    Connection Pool (connectionPool)
    Description
    The connection pool connecting to the LDAP directory (or active directory).
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Search Contexts (searchContexts)
    Description
    Defines a list of search contexts (search trees with search levels) to use when looking for token list records. The search contexts are used in the defined order.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Search Filter (searchFilter)
    Description
    The LDAP search filter expression to extract a single user given its username. You must make sure that the query, performed relative to the specified search tree, results in exactly one entry. Use the variable notation ${userId} to specify the user id in the search filter. The format and interpretation of the filter follows RFC 2254.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Iterator Search Filter (iteratorSearchFilter)
    Description
    The LDAP search filter expression applied when iterating over users (only used if used as UserIterator). If no filter is given, all entries in the specified search tree are returned from the directory. The format and interpretation of filter follows RFC 2254.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Userid Attribute (useridAttribute)
    Description
    The LDAP attribute which holds the user id. This is in most cases the same attribute used in the search filter.
    Attributes
    String
    Mandatory
    Example
    cn
    Example
    sAMAccountName
    Example
    userId
    Update Dn Template (updateDnTemplate)
    Description
    Distinguished name (DN) template used for updating the user in the LDAP directory. Use ${userId} to specify the user id. The resulting DN must uniquely identify the user's LDAP entry.

    Note: Usually it is not necessary (and not recommended) to use an update template, because it requires that the resulting DN is unique, which is often not possible when searching with scope "subtree". This setting, however, can be very useful if the user directory service has no notion of "full names" and therefore cannot determine the DN of a search result by itself.

    Attributes
    String
    Optional
    Example
    uid=${userId},ou=users,o=test
    Example
    cn=${userId},cn=users,dc=exchangeserver,dc=yourcompany,dc=com
    Token List Attribute (tokenListAttribute)
    Description
    The LDAP attribute with the binary hash values of the current token list.
    The corresponding attribute must be able to store binary data.
    Attributes
    String
    Mandatory
    Example
    tokenList
    Example
    matrixCard
    Next Token List Attribute (nextTokenListAttribute)
    Description
    The LDAP attribute with the binary hash values of the next token list.
    The corresponding attribute must be able to store binary data.
    Attributes
    String
    Mandatory
    Example
    nextTokenList
    Example
    matrixCardNext
    Active Attribute (activeAttribute)
    Description
    The name of the LDAP attribute column with the flag indicating whether the tokenlist is active or not. Inactive tokenlists may not be used by the callers.
    If the column is not specified, all tokenlists are considered to be active.
    Attributes
    String
    Optional
    Example
    active
    Example
    matrixCardActive
    Challenge Open Since Attribute (challengeOpenSinceAttribute)
    Description
    Name of the LDAP attribute with the timestamp of the start of an ongoing challenge.
    Attributes
    String
    Optional
    Suggested values
    challengeOpenSince, matrixChalOpenSince
    Unanswered Challenges Attribute (unansweredChallengesAttribute)
    Description
    Name of the LDAP attribute with the number of unanswered challenges.
    Attributes
    String
    Optional
    Suggested values
    unansweredChallenges, matrixOpenChals
    Delivery Date Attribute (deliveryDateAttribute)
    Description
    The name of the LDAP attribute column with the date and time of the latest tokenlist delivery.
    Attributes
    String
    Optional
    Example
    latestTokenListDelivery
    Example
    matrixCardDeliveryDate
    Other Credentials Delivery Dates Attributes (otherCredentialsDeliveryDatesAttributes)
    Description
    Comma-separated list of LDAP attributes with the delivery dates of other credentials. This information may be used to delay the delivery of credentials so that no two credentials of the same user are delivered on the same day.
    Attributes
    String-List
    Optional
    Generation Date Attribute (generationDateAttribute)
    Description
    The name of the LDAP attribute with the date and time of the latest tokenlist generation or assignment.
    Attributes
    String
    Optional
    Example
    tokenListGenerationDate
    Example
    matrixCardGenerationDate
    Ordered Attribute (orderedAttribute)
    Description
    The name of the LDAP attribute with the flag indicating whether a new tokenlist should be generated for the user.
    Attributes
    String
    Optional
    Example
    orderNewTokenlist
    Example
    matrixCardOrdered
    Ordered User Attribute (orderedUserAttribute)
    Description
    The name of the LDAP attribute with the user by whom a new tokenlist was ordered to be generated for the user.
    Attributes
    String
    Optional
    Example
    orderNewTokenlistUser
    Example
    orderMatrixCardUser
    Ordered Date Attribute (orderedDateAttribute)
    Description
    The name of the LDAP attribute with the date of when a new tokenlist was ordered to be generated for the user.
    Attributes
    String
    Optional
    Example
    orderNewTokenlistDate
    Example
    orderMatrixCardDate
    Context Data Attributes (contextDataAttributes)
    Description
    A list of attribute names that are loaded into the context data container of the token list. This can be used to transport arbitrary information such as user address information to calling plug-ins.
    Attributes
    String-List
    Optional
    Read Only Attributes (readOnlyAttributes)
    Description
    A list of attribute names that are to be treated read-only.
    Attributes
    String-List
    Optional
    Search Result Page Size (searchResultPageSize)
    Description
    If set to a value greater than zero, "paging" is enabled for LDAP searches: This property defines the amount of entries to fetch at once when searching in a directory. This setting may be useful if the LDAP directory server limits the amount of entries in a search result.
    If the property is set to zero (the default), paging is disabled.
    Attributes
    Integer
    Optional
    Default value
    0
    Special Date Time Pattern (specialDateTimePattern)
    Description
    Optional special date formatter / parser pattern used to read and write timestamps in a different way than in standard LDAP. This may be useful if timestamps are stored in some proprietary way as strings in a directory.
    The timezone used is UTC, or the local one if the flag special-date-time-pattern-use-local-timezone is set to true.

    If this property is not defined, the LDAP-standard pattern yyyyMMddHHmmss.SSS'Z' is used.

    Attributes
    String
    Optional
    Suggested values
    yyyyMMddHHmmss, yyyyMMddHHmmss'Z', MM-dd-yyyy HH:mm:ss
    Special Date Time Pattern Use Local Timezone (specialDateTimePatternUseLocalTimezone)
    Description
    Optional flag telling the plug-in that the special date formatter should use the local timezone.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.persistency.ldap.LdapTokenListPersister
    id: LdapTokenListPersister-xxxxxx
    displayName: 
    comment: 
    properties:
      activeAttribute:
      challengeOpenSinceAttribute:
      connectionPool:
      contextDataAttributes:
      deliveryDateAttribute:
      generationDateAttribute:
      iteratorSearchFilter:
      nextTokenListAttribute:
      orderedAttribute:
      orderedDateAttribute:
      orderedUserAttribute:
      otherCredentialsDeliveryDatesAttributes:
      readOnlyAttributes:
      searchContexts:
      searchFilter:
      searchResultPageSize: 0
      specialDateTimePattern:
      specialDateTimePatternUseLocalTimezone: false
      tokenListAttribute:
      unansweredChallengesAttribute:
      updateDnTemplate:
      useridAttribute:
    

    LDAP User Persister

    Description
    User persister (extended) and iterator using an LDAP directory (also Active Directory) as repository.

    This plug-in binds to the LDAP server using a technical user. With this technical user, users are searched, read and updated. Make sure the technical user has enough access rights to perform these actions.

    Note that setting passwords is done in an LDAP specific way such that it only works in conjunction with the password hash plug-in IdentityPasswordHash.

    The method changeUsername(String oldUsername, String newUsername) is not implemented and will throw a NotImplementedException.

    Working with Microsoft Active Directory (MSAD)

    When setting passwords using this plug-in and an MSAD, the following settings must be used:
    • Set password-attribute to UnicodePwd.
    • Set password-attribute-is-string to FALSE.
    • Set ad-like-password-set to TRUE. This will tell this plug-in that it has to deal with an MSAD and therefore set the password slightly different. (It encodes the new password specially for MSAD.)
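What "encodes the new password specially for MSAD" amounts to, as an added example that is not Airlock IAM code; it serves the identical MSAD notes in the LDAP Password Authenticator, LDAP Token List Persister and LDAP User Persister sections. Assumption: the plugins follow the documented Active Directory convention for unicodePwd (password enclosed in double quotes, UTF-16LE), with delete+add for a change made by the user with the old password and replace for an administrative reset; the page itself does not spell out either detail.

```python
from typing import List, Tuple

# Added example, not Airlock IAM code.  Assumption: standard Active Directory
# handling of unicodePwd, which the MSAD notes above only refer to as "encodes the
# new password specially for MSAD".
Modification = Tuple[str, str, List[bytes]]  # (operation, attribute, values)


def encode_unicode_pwd(password: str) -> bytes:
    """Active Directory expects the password in double quotes, encoded as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def user_change_modifications(old_password: str, new_password: str,
                              attr: str = "unicodePwd") -> List[Modification]:
    """Change by the user: delete the old value and add the new one in one modify request.
    AD verifies the old password itself, so the caller never needs reset rights."""
    return [("delete", attr, [encode_unicode_pwd(old_password)]),
            ("add", attr, [encode_unicode_pwd(new_password)])]


def admin_reset_modifications(new_password: str, attr: str = "unicodePwd",
                              unlock: bool = False) -> List[Modification]:
    """Reset by the privileged technical user: replace the value outright.
    With unlock=True the lockoutTime attribute is cleared as well, which is what
    'Active Directory Unlock User On Reset' describes."""
    mods: List[Modification] = [("replace", attr, [encode_unicode_pwd(new_password)])]
    if unlock:
        mods.append(("replace", "lockoutTime", [b"0"]))
    return mods


if __name__ == "__main__":
    # Constructed sample values; nothing here talks to a directory.
    print(encode_unicode_pwd("Pa$$").hex())
    for op, attr, values in user_change_modifications("OldPa$$", "NewPa$$"):
        print(op, attr, [v.hex() for v in values])
    for op, attr, values in admin_reset_modifications("NewPa$$", unlock=True):
        print(op, attr, values)
```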
    Class
    com.airlock.iam.core.misc.impl.persistency.ldap.LdapUserPersister
    May be used by
    Properties
    Connection Pool (connectionPool)
    Description
    The connection pool connecting to the LDAP directory (or active directory).
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Search Contexts (searchContexts)
    Description
    Defines a list of search contexts (search trees with search levels) to use when looking for users. The search contexts are used in the defined order.

    Note that new users (using "insertUser(...)") will be added to one tree only. See property "Insert DN Template".

    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Search Filter (searchFilter)
    Description
    The LDAP search filter expression to extract a single user given its username. You must make sure that the query, performed relative to the specified search tree, results in exactly one entry. Use the variable notation ${userId} to specify the user id in the search filter. The format and interpretation of the filter follows RFC 2254.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Iterator Search Filter (iteratorSearchFilter)
    Description
    The LDAP search filter expression applied when iterating over users (only used if used as UserIterator). If no filter is given, all entries in the specified search tree are returned from the directory. The format and interpretation of filter follows RFC 2254.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Userid Attribute (useridAttribute)
    Description
    The LDAP attribute which holds the user id. This is in most cases the same attribute used in the search filter.
    Attributes
    String
    Mandatory
    Suggested values
    cn, sAMAccountName, userPrincipalName, uid
    Update Dn Template (updateDnTemplate)
    Description
    Distinguished name (DN) template used for updating the user in the LDAP directory. Use ${userId} to specify the user id. Use ${xxx} to use the context data value with name xxx. The resulting DN must uniquely identify the user's LDAP entry.

    Note: Usually it is not necessary (and not recommended) to use an update template, because it requires that the resulting DN is unique, which is often not possible when searching with scope "subtree". This setting, however, can be very useful if the user directory service has no notion of "full names" and therefore cannot determine the DN of a search result by itself.

    Attributes
    String
    Optional
    Example
    uid=${userId},ou=users,o=test
    Example
    cn=${userId},cn=users,dc=exchangeserver,dc=yourcompany,dc=com
    Insert Dn Template (insertDnTemplate)
    Description
    Distinguished name (DN) template used for inserting new users into the LDAP directory. Use ${userId} to specify the user id (username). Use ${xxx} to use the context data value with name xxx. The resulting DN must be a correct DN for a newly inserted user. If an update-dn-template is set (see separate configuration property), this property usually has the same value.

    A DN-template is essential if users are inserted using this persister. If this plugin only reads and updates user data, this property is optional. If users have to be inserted, either this property or the property "update-dn-template" is mandatory. If both are defined, this property has precedence over the "update-dn-template" when inserting users.

    Attributes
    String
    Optional
    Example
    uid=${userId},ou=users,o=test
    Example
    cn=${userId},cn=users,dc=exchangeserver,dc=yourcompany,dc=com
    Insert Object Classes (insertObjectClasses)
    Description
    Object classes used for newly inserted users. (At least one object class must be structural.)

    Note: When inserting a new entry into an LDAP, the object class defines a number of mandatory attributes. You must make sure that the corresponding attributes are inserted by adding the corresponding values to the new user's context data container and/or mapping other user values to the required attributes (e.g. map the user name to the cn attribute).

    This property is only used if users are inserted using this plugin.

    Attributes
    String-List
    Optional
    Default value
    [inetOrgPerson]
    Default Auth Method (defaultAuthMethod)
    Description
    The default authentication method value used when inserting new users that have no auth method set. This is only used if an authentication method attribute is configured.
    Attributes
    String
    Optional
    Suggested values
    PASSWORD, MATRIX, MTAN, OATH_OTP, CERTIFICATE, CRONTO, EMAILOTP, SECURID, SECOVID
    Default Next Auth Method (defaultNextAuthMethod)
    Description
    The default next authentication method value used when inserting new users that have no next auth method set. This is only used if a next authentication method attribute is configured.
    Attributes
    String
    Optional
    Suggested values
    PASSWORD, MATRIX, MTAN, OATH_OTP, CERTIFICATE, EMAILOTP, SECURID, SECOVID
    Additional Insert Data (additionalInsertData)
    Description
    A list of additional user insert data. If the same attribute is already defined, an exception will be thrown.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Password Attribute (passwordAttribute)
    Description
    The LDAP attribute which holds the password or its hash value.
    Attributes
    String
    Optional
    Example
    password
    Example
    unicodePwd
    Password Attribute Is String (passwordAttributeIsString)
    Description
    Optional flag indicating whether the password attribute is string type or not. Usually, the password attribute is stored in an LDAP directory as a binary hash value and has to be treated differently from string passwords.
    Attributes
    Boolean
    Optional
    Default value
    false
    Ad Like Password Handling (adLikePasswordHandling)
    Description
    Optional flag telling the plug-in that it has to deal with a Microsoft Active Directory (MSAD). Set this property to TRUE when using an Active Directory.
    Attributes
    Boolean
    Optional
    Default value
    false
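    The three password properties above differ in what actually gets written to the directory: a string-typed attribute such as OpenLDAP's userPassword holds a hash, while Active Directory's unicodePwd is binary and expects the clear-text password in a specific encoding. The following Python is an added illustration (not Airlock IAM code) of both formats. The unicodePwd encoding (password in double quotes, UTF-16-LE, writable only over an encrypted connection) is Active Directory's documented requirement; the {SSHA} scheme is the OpenLDAP format. Which of these the adLikePasswordHandling flag switches on internally is not stated on this page and is not claimed here.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def encode_unicode_pwd(password: str) -> bytes:
    """Value to write into Active Directory's binary unicodePwd attribute:
    the clear-text password wrapped in double quotes and encoded as UTF-16-LE.
    AD additionally insists on an encrypted connection (LDAPS/StartTLS) for
    this write; that requirement cannot be demonstrated offline."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd, handy when inspecting what a persister
    actually sent (e.g. in a test double standing in for the directory)."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("not a quoted unicodePwd value")
    return text[1:-1]


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """String-typed userPassword value in the {SSHA} scheme used by OpenLDAP:
    '{SSHA}' + base64(sha1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a clear-text password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_attribute_value(attribute: str, password: str):
    """Constructed mapping (not IAM's own logic): a binary attribute such as
    AD's unicodePwd gets the UTF-16-LE encoding, a string attribute gets a hash."""
    if attribute.lower() == "unicodepwd":
        return encode_unicode_pwd(password)
    return ssha_hash(password)
```

    SSHA is shown because it is the most widely deployed string format, not because SHA-1 is recommended; when the directory supports a stronger scheme, prefer it. Whatever the attribute type, the clear-text password must only ever cross an encrypted connection to the directory.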
    Force Password Change Attribute (forcePasswordChangeAttribute)
    Description
    The name of the LDAP attribute holding the force password flag.
    Attributes
    String
    Optional
    Example
    forcePwdChange
    Order Password Attribute (orderPasswordAttribute)
    Description
    The name of the LDAP attribute holding the order password flag. This attribute is used by batch processes generating password letters and the like.
    Attributes
    String
    Optional
    Example
    orderNewPassword
    Password Order User Attribute (passwordOrderUserAttribute)
    Description
    The name of the LDAP attribute holding the user by whom the new password was ordered. This attribute is used by batch processes generating password letters and the like.
    Attributes
    String
    Optional
    Example
    passwordOrderUser
    Password Order Date Attribute (passwordOrderDateAttribute)
    Description
    The name of the LDAP attribute holding the date when the new password was ordered. This attribute is used by batch processes generating password letters and the like.
    Attributes
    String
    Optional
    Example
    passwordOrderDate
    Latest Password Change Date Attribute (latestPasswordChangeDateAttribute)
    Description
    The name of the LDAP attribute holding the date of the latest password change.
    Attributes
    String
    Optional
    Example
    latestPasswordChangeDateAttribute
    Next Enforced Password Change Date Attribute (nextEnforcedPasswordChangeDateAttribute)
    Description
    The name of the LDAP attribute holding the date of the next enforced password change.
    Attributes
    String
    Optional
    Example
    nextEnforcedPasswordChangeDateAttribute
    Password Generation Date Attribute (passwordGenerationDateAttribute)
    Description
    The name of the LDAP attribute holding the password generation date. This attribute is used by batch processes generating password letters and the like.
    Attributes
    String
    Optional
    Example
    passwordGenerationDate
    Password Delivery Date Attribute (passwordDeliveryDateAttribute)
    Description
    The name of the LDAP attribute holding the password delivery date. This attribute is used by batch processes generating password letters and the like.
    Attributes
    String
    Optional
    Example
    passwordDeliveryDate
    Failed Password Resets Attribute (failedPasswordResetsAttribute)
    Description

    The name of the LDAP attribute holding the number of failed password reset attempts for flow-based password reset.

    Security note: If this attribute is not specified, failed password reset attempts are not counted, which leaves the password reset flow open to brute-force attacks.

    Attributes
    String
    Optional
    Suggested values
    failedPasswordResets
    Other Credentials Delivery Timestamp Attributes (otherCredentialsDeliveryTimestampAttributes)
    Description
    List of LDAP attribute names holding the delivery dates of other credentials.
    Every referenced attribute must contain a timestamp.
    This information can be used by components that take care not to deliver more than one user credential at the same time.
    If no attributes are specified, no delivery dates are provided to callers.
    Attributes
    String-List
    Optional
    Auth Method Attribute (authMethodAttribute)
    Description
    The name of the LDAP attribute holding the user's authentication method.
    Attributes
    String
    Optional
    Example
    authMethod
    Next Auth Method Attribute (nextAuthMethodAttribute)
    Description
    The name of the LDAP attribute holding the user's authentication method after migration.
    Attributes
    String
    Optional
    Example
    nextAuthMethod
    Auth Migration Date Attribute (authMigrationDateAttribute)
    Description
    The name of the LDAP attribute holding the date until which the migration of the auth method has to be performed.
    Attributes
    String
    Optional
    Example
    authMigrationDate
    Locked Attribute (lockedAttribute)
    Description
    The name of the LDAP attribute holding the locked status flag.
    Attributes
    String
    Optional
    Example
    locked
    Lock Reason Attribute (lockReasonAttribute)
    Description
    The name of the LDAP attribute containing the reason why the user is locked.
    This can be the whole description of the reason or a key to a string resource.
    Attributes
    String
    Optional
    Example
    lockReason
    Lock Date Attribute (lockDateAttribute)
    Description
    The name of the LDAP attribute containing the timestamp of the user locking.
    Attributes
    String
    Optional
    Example
    lockDate
    Valid Attribute (validAttribute)
    Description
    The name of the LDAP attribute telling if the user is valid or not. This attribute is only read but not written (i.e. cannot be changed on the directory).
    Attributes
    String
    Optional
    Example
    valid
    Not Valid Before Attribute (notValidBeforeAttribute)
    Description
    The name of the LDAP attribute indicating the point in time before which a user is considered not valid yet. The attribute must contain a timestamp.
    Attributes
    String
    Optional
    Example
    notValidBefore
    Not Valid After Attribute (notValidAfterAttribute)
    Description
    The name of the LDAP attribute indicating the point in time after which a user is considered not valid anymore. The attribute must contain a timestamp.
    Attributes
    String
    Optional
    Example
    notValidAfter
    Failed Login Attribute (failedLoginAttribute)
    Description
    The name of the LDAP attribute holding the number of failed logins. If this attribute is not specified, the number of failed logins is not counted and the user is not locked after a certain amount of failed logins even if the maximum number of failed logins is specified in the authenticator.
    Attributes
    String
    Optional
    Example
    failedLogins
    Failed Login Before Latest Successful Login Attribute (failedLoginBeforeLatestSuccessfulLoginAttribute)
    Description
    The name of the LDAP attribute holding the number of failed logins before the latest successful login. If this attribute is not specified, the number of failed logins before the latest successful login is not counted.
    Attributes
    String
    Optional
    Example
    failedLoginsBeforeLatestSuccessfulLogin
    Failed Token Counts Attribute (failedTokenCountsAttribute)
    Description
    The name of the LDAP attribute holding the failed attempts on authentication tokens (for the flow-based REST API). If this attribute is not specified, the failed token attempts are not counted.
    Attributes
    String
    Optional
    Example
    failedTokenCounts
    Total Logins Attribute (totalLoginsAttribute)
    Description
    The name of the LDAP attribute holding the total number of successful logins. If this attribute is not specified, the total number of logins is not counted.
    Attributes
    String
    Optional
    Example
    totalLogins
    Latest Login Attempt Attribute (latestLoginAttemptAttribute)
    Description
    The name of the LDAP attribute holding the date and time of the latest login attempt.
    Attributes
    String
    Optional
    Example
    latestLoginAttempt
    Latest Successful Login Attribute (latestSuccessfulLoginAttribute)
    Description
    The name of the LDAP attribute holding the date and time of the latest successful login.
    Attributes
    String
    Optional
    Example
    latestSuccessfulLogin
    Second Latest Successful Login Attribute (secondLatestSuccessfulLoginAttribute)
    Description
    The name of the LDAP attribute holding the date and time of the second latest successful login.
    Attributes
    String
    Optional
    Example
    secondLatestSuccessfulLogin
    First Login Attribute (firstLoginAttribute)
    Description
    The name of the LDAP attribute holding the date and time of the very first login.
    Attributes
    String
    Optional
    Example
    firstLogin
    Unlock Attempts Attribute (unlockAttemptsAttribute)
    Description
    The name of the LDAP attribute holding the number of failed unlock attempts.
    Attributes
    String
    Optional
    Example
    unlockAttempts
    Latest Unlock Attempt Attribute (latestUnlockAttemptAttribute)
    Description
    The name of the LDAP attribute holding the date and time of the latest unlock attempt.
    Attributes
    String
    Optional
    Example
    latestUnlockAttempt
    Self Registered Attribute (selfRegisteredAttribute)
    Description
    The name of the LDAP attribute holding the flag indicating if a user is self-registered.
    Attributes
    String
    Optional
    Example
    selfRegisteredFlag
    Self Registration Date Attribute (selfRegistrationDateAttribute)
    Description
    The name of the LDAP attribute holding the self-registration date (if applicable).
    Attributes
    String
    Optional
    Example
    selfRegistrationDate
    Channel Verification Resends Attribute (channelVerificationResendsAttribute)
    Description
    Name of the LDAP attribute holding the number of completed resends of the channel verification token during the user's self-registration.
    Attributes
    String
    Optional
    Suggested values
    channelVerificationResends
    Last GSID Value Attribute (lastGSIDValueAttribute)
    Description
    Name of the LDAP attribute holding the last global session id.
    Attributes
    String
    Optional
    Suggested values
    lastGsidValue
    Last GSID Date Attribute (lastGSIDDateAttribute)
    Description
    Name of the LDAP attribute holding the last update timestamp for the global session id.
    Attributes
    String
    Optional
    Suggested values
    lastGsidDate
    Secret Questions Enabled Attribute (secretQuestionsEnabledAttribute)
    Description
    Name of the LDAP attribute holding the secret questions enable/disable flag.
    Attributes
    String
    Optional
    Suggested values
    secretQuestionsEnabled
    Active Directory Locked Flag Supported (activeDirectoryLockedFlagSupported)
    Description
    Optional flag telling the plug-in that the locked state is managed by MSAD via the UserAccountControl attribute. If enabled, the locked flag is read-only for this plugin.
    Attributes
    Boolean
    Optional
    Default value
    false
    Active Directory Disabled Flag Supported (activeDirectoryDisabledFlagSupported)
    Description
    Optional flag telling the plug-in to use the MSAD UserAccountControl attribute to handle enable/disable. If enabled, the valid flag and the valid-from- and valid-to-dates cannot be written into the directory by this plugin.
    Attributes
    Boolean
    Optional
    Default value
    false
    Active Directory Enforce Password Change Flag Supported (activeDirectoryEnforcePasswordChangeFlagSupported)
    Description
    Optional flag telling the plug-in to use the MSAD pwdLastSet attribute to handle enforced password change. If enabled, the password change enforced flag is read-only.
    Attributes
    Boolean
    Optional
    Default value
    false
    Add objectGUID To Context Data (addObjectGuidToContextData)
    Description
    If enabled, the "objectGUID" attribute will be added read-only as context data attribute in its canonical form, e.g. "abcdef12-3456-7890-abcd-ef1234567890".
    Attributes
    Boolean
    Optional
    Default value
    false
    Add ImmutableID To Context Data (addImmutableIDToContextData)
    Description
    If enabled, the "ImmutableID" attribute will be added read-only as context data attribute, representing the Base64-Encoded objectGUID.
    Attributes
    Boolean
    Optional
    Default value
    false
    User DN Context Data Attribute (userDNContextDataAttribute)
    Description
    The name of the attribute to store the user's DN into.
    This DN is in the format "uid=user,ou=People,dc=company,dc=ch"
    Attributes
    String
    Optional
    Example
    dn
    Context Data Attributes (contextDataAttributes)
    Description
    A list of attribute names that are loaded into the context data container of the user. This can be used to transport arbitrary information such as user address information to calling plug-ins.
    Note: Context data attributes are string based. Values will be read as strings and are converted to string when written.

    Notice: When using Active Directory and needing the special attribute "objectGUID" or "ImmutableID", please enable it in the "MSAD-specific Settings" instead to ensure proper encoding.

    Attributes
    String-List
    Optional
    Read Only Attributes (readOnlyAttributes)
    Description
    A list of attribute names that must not be written to.
    Attributes
    String-List
    Optional
    Roles Attribute (rolesAttribute)
    Description
    Name of the LDAP attribute holding a list of roles granted to the user after successful authentication.
    The attribute can have multiple values (= multiple occurrences of the attribute in the directory; not a comma-separated list of values).

    Note that there are other ways to retrieve a user's roles from the directory. See configuration properties roles-search-* and static-roles.

    Attributes
    String
    Optional
    Example
    roles
    Example
    userRoles
    Roles Attribute RDN (rolesAttributeRdn)
    Description
    When using the property roles-attribute and when the role value is given as a full DN, e.g. "cn=admin,dc=groups,dc=auth,o=acme", you can specify the RDN which identifies the role name. In the previous example if you specify "cn" as the RDN then the value "admin" will be extracted.
    Attributes
    String
    Optional
    Example
    cn
    Example
    role
    Roles Nested Resolution Depth (rolesNestedResolutionDepth)
    Description
    When using the property roles-attribute you can specify the depth of nested role resolution.

    That is, if the user has a role superusers, which again has a role users then both roles are returned. A value of 0 turns off nested role resolution and looks for roles only on the current user object.
    Attributes
    Integer
    Optional
    Default value
    0
    Roles Nested Resolution Top Only (rolesNestedResolutionTopOnly)
    Description
    When using the property rolesNestedResolutionDepth with a value >0 you can specify whether all nested roles are selected or only the top-most roles.

    For example, assume the user has a role superusers, which has a role users, which again has a role basicusers. If this property is enabled and the resolution depth is at least 2 then only the role basicusers is returned. If this property is enabled and the resolution depth is set to 1 the role users is returned. If this property is disabled all visited roles are returned (all three if the resolution depth is at least 2).
    Attributes
    Boolean
    Optional
    Default value
    false
    Static Roles (staticRoles)
    Description
    List of roles granted to authenticated users.

    Note that there are other ways to retrieve a user's roles from the directory. See configuration properties roles-search-* and roles-attribute.

    Attributes
    String-List
    Optional
    Roles Search Base (rolesSearchBase)
    Description
    Together with the attributes roles-search-level, roles-search-filter, and roles-search-attribute this forms a flexible way to retrieve a user's roles from the LDAP directory. The selected roles are granted to the user after successful authentication.
    This attribute specifies the search context (subtree) where roles are searched. It must identify a subtree in the directory.

    Note that there are other ways to retrieve a user's roles from the directory. See configuration properties roles-search-* and roles-attribute.

    Attributes
    String
    Optional
    Example
    CN=roles,dc=exchangeserver,dc=company,dc=com
    Roles Search Level (rolesSearchLevel)
    Description
    Together with the attributes roles-search-base, roles-search-filter, and roles-search-attribute this forms a flexible way to retrieve a user's role from the LDAP directory. The selected roles are granted to the user after successful authentication.
    This attribute specifies whether the search scope is limited to the level selected by the configuration property roles-search-base (onelevel, the default) or whether the search scope is the whole subtree.

    Note that there are other ways to retrieve a user's roles from the directory. See configuration properties roles-search-* and roles-attribute.

    Attributes
    Enum
    Optional
    Default value
    onelevel
    Roles Search Filter (rolesSearchFilter)
    Description
    Together with the attributes roles-search-base, roles-search-level, and roles-search-attribute this forms a flexible way to retrieve a user's role from the LDAP directory. The selected roles are granted to the user after successful authentication.
    This attribute specifies an arbitrary filter applied when searching the roles. In the filter, you can refer to the user's DN by ${DN}, to the username by ${userId}, and to any attribute value of the user's context data container (values of attributes listed in the configuration property context-data-attributes) by writing ${attribute-name}.

    Note that there are other ways to retrieve a user's roles from the directory. See configuration properties roles-search-* and roles-attribute.

    Attributes
    String
    Optional
    Example
    (member=${DN})
    Example
    (userId=${userId})
    Example
    (&(userId=${userId})(memberOf=CN=@VPNMail,OU=${town},DC=company,DC=com))
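    Both the DN templates (insertDnTemplate / updateDnTemplate, which only offer ${userId}) and the roles search filter above are ${...} templates whose substituted values end up inside LDAP syntax. The Python below is an added illustration (not Airlock IAM code) of how such templates resolve, with the substituted values escaped the way the two contexts require: RFC 4514 escaping for a value inside an RDN and RFC 4515 escaping for a value inside a filter assertion. How IAM itself escapes substituted values is not stated on this page, so treat the escaping here as the reference behaviour a caller should expect, not as a description of the product.

```python
import re
from typing import Callable, Mapping

_PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_-]+)\}")

# RFC 4515 section 3: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 section 2.4: escape an attribute value for use inside an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def render(template: str, values: Mapping[str, str], escape: Callable[[str], str]) -> str:
    """Replace every ${name} with the escaped value; an unknown name is an
    error rather than being silently left in the template."""
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value for placeholder ${{{name}}}")
        return escape(values[name])
    return _PLACEHOLDER.sub(substitute, template)


def render_insert_dn(template: str, user_id: str) -> str:
    """insertDnTemplate / updateDnTemplate: only ${userId} is available."""
    return render(template, {"userId": user_id}, escape_dn_value)


def render_roles_search_filter(template: str, user_dn: str, user_id: str,
                               context_data: Mapping[str, str]) -> str:
    """rolesSearchFilter: ${DN}, ${userId} and any context data attribute."""
    values = {**context_data, "DN": user_dn, "userId": user_id}
    return render(template, values, escape_filter_value)
```

    Note that the DN placeholder in "(member=${DN})" is a filter assertion value, so the backslashes of an already-escaped DN are themselves encoded as \5c; the directory decodes the filter before comparing it with the member attribute. Without the filter escaping, a user ID such as "*)(objectClass=*" would change the structure of the search instead of being compared literally.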
    Roles Search Attribute (rolesSearchAttribute)
    Description
    Together with the attributes roles-search-base, roles-search-level, and roles-search-filter this forms a flexible way to retrieve a user's role from the LDAP directory. The selected roles are granted to the user after successful authentication.
    This attribute specifies the name of the attribute with the role name in the result of the search. The attribute must select a string type attribute.

    Note that there are other ways to retrieve a user's roles from the directory. See configuration properties roles-search-* and roles-attribute.

    Attributes
    String
    Optional
    Example
    role
    Example
    cn
    Role Filters (roleFilters)
    Description
    Allows filtering of retrieved user roles. If configured, only roles that match at least one of the filter patterns are assigned to the user. Static roles are not filtered.
    Attributes
    RegEx-List
    Optional
    Match Roles Case Sensitive (matchRolesCaseSensitive)
    Description
    If enabled, roles are matched against the role filters considering the case (the default).
    Attributes
    Boolean
    Optional
    Default value
    true
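    The roles-attribute properties above (rolesAttributeRdn, rolesNestedResolutionDepth, rolesNestedResolutionTopOnly, staticRoles, roleFilters, matchRolesCaseSensitive) interact, and the page's superusers/users/basicusers example is the easiest way to see how. The Python below is an added worked example, not Airlock IAM code, run against a constructed in-memory directory holding exactly that chain. Two points are assumptions: "top-most" is implemented as "visited role with no visited parent", which reproduces every outcome the descriptions list but is not specified for branching hierarchies; and role filters are applied as whole-value matches.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed in-memory directory (DN -> multi-valued attributes), mirroring
# the chain from the description: alice -> superusers -> users -> basicusers.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=users,o=test": {"userRoles": ["cn=superusers,ou=groups,o=test"]},
    "cn=superusers,ou=groups,o=test": {"userRoles": ["cn=users,ou=groups,o=test"]},
    "cn=users,ou=groups,o=test": {"userRoles": ["cn=basicusers,ou=groups,o=test"]},
    "cn=basicusers,ou=groups,o=test": {},
}


def role_name(value: str, rdn: Optional[str]) -> str:
    """rolesAttributeRdn: if the role value is a full DN, return the value of
    the named RDN attribute (e.g. 'cn'); otherwise return the value unchanged."""
    if rdn is None:
        return value
    for part in value.split(","):
        key, _, val = part.partition("=")
        if key.strip().lower() == rdn.lower():
            return val.strip()
    return value


def resolve_roles(user_dn: str, roles_attribute: str, depth: int,
                  top_only: bool, rdn: Optional[str] = None) -> List[str]:
    """Breadth-first walk of the roles attribute, at most `depth` levels deep.
    top_only keeps only visited roles that have no visited parent role
    (assumption, see lead-in)."""
    parents: Dict[str, Set[str]] = {}           # role -> parent roles seen within depth
    frontier = list(DIRECTORY[user_dn].get(roles_attribute, []))
    for role in frontier:
        parents.setdefault(role, set())
    for _ in range(depth):
        if not frontier:
            break
        next_frontier: List[str] = []
        for role in frontier:
            for parent in DIRECTORY.get(role, {}).get(roles_attribute, []):
                parents[role].add(parent)
                if parent not in parents:        # also guards against cycles
                    parents[parent] = set()
                    next_frontier.append(parent)
        frontier = next_frontier
    selected = [r for r, p in parents.items() if not p] if top_only else list(parents)
    return [role_name(r, rdn) for r in selected]


def apply_role_filters(roles: Iterable[str], role_filters: Iterable[str],
                       case_sensitive: bool = True) -> List[str]:
    """roleFilters / matchRolesCaseSensitive: keep roles matching at least one
    pattern (assumption: whole-value match)."""
    patterns = [re.compile(p, 0 if case_sensitive else re.IGNORECASE) for p in role_filters]
    if not patterns:
        return list(roles)
    return [r for r in roles if any(p.fullmatch(r) for p in patterns)]


def granted_roles(user_dn: str, *, roles_attribute: str = "userRoles", rdn: str = "cn",
                  depth: int = 0, top_only: bool = False, role_filters: Iterable[str] = (),
                  case_sensitive: bool = True, static_roles: Iterable[str] = ()) -> List[str]:
    """Roles granted after login: filtered directory roles plus unfiltered static roles."""
    dynamic = apply_role_filters(resolve_roles(user_dn, roles_attribute, depth, top_only, rdn),
                                 role_filters, case_sensitive)
    return dynamic + [r for r in static_roles if r not in dynamic]
```

    Because static roles bypass the role filters, a restrictive roleFilters list does not limit what staticRoles grants; review both together when auditing which roles a directory user can end up with.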
    Search Result Page Size (searchResultPageSize)
    Description
    If set to a value greater than zero and if the LDAP server supports the simple paged results control (RFC 2696), paging is enabled for LDAP searches.
    This property defines the number of entries to fetch per page. When loading a large number of entries, paging improves performance. This setting may also be useful if the LDAP directory server limits the number of entries in a search result.
    If the property is set to zero (the default) or if the server does not announce support for the paging control, paging is disabled and all results are loaded at once.
    Attributes
    Integer
    Optional
    Default value
    0
    Special Date Time Pattern (specialDateTimePattern)
    Description
    Optional special date formatter / parser pattern used to read and write timestamps in a different way than in standard LDAP. This may be useful if timestamps are stored in some proprietary way as strings in a directory.
    The timezone used is UTC, or the local one if the flag special-date-time-pattern-use-local-timezone is set to true.

    If this property is not defined, the LDAP-standard pattern yyyyMMddHHmmss.SSS'Z' is used.

    Attributes
    String
    Optional
    Suggested values
    yyyyMMddHHmmss, yyyyMMddHHmmss'Z', MM-dd-yyyy HH:mm:ss
    Special Date Time Pattern Use Local Timezone (specialDateTimePatternUseLocalTimezone)
    Description
    Optional flag telling the plug-in that the special date formatter should use the local timezone.
    Attributes
    Boolean
    Optional
    Default value
    false
    Suppress Substring Search (suppressSubstringSearch)
    Description
    If enabled, substring searches are suppressed, i.e. an attribute only matches a filter if the whole filter string matches.
    This may greatly improve search performance in large directories.
    Attributes
    Boolean
    Optional
    Default value
    false
    User Count Search Filter (userCountSearchFilter)
    Description
    The LDAP search filter expression applied (in addition to the "Iterator Search Filter" expression if present) to count the users. If no filter expression is given, the "Iterator Search Filter" expression is used to determine the user count. If no "Iterator Search Filter" expression is given either, the default filter is used to determine the user count. The format and interpretation of the filter follow RFC 2254 (since superseded by RFC 4515).

    Note: The user count is relevant for the product license. This filter should therefore describe the set of users who should be able to authenticate by Airlock IAM.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.persistency.ldap.LdapUserPersister
    id: LdapUserPersister-xxxxxx
    displayName: 
    comment: 
    properties:
      activeDirectoryDisabledFlagSupported: false
      activeDirectoryEnforcePasswordChangeFlagSupported: false
      activeDirectoryLockedFlagSupported: false
      adLikePasswordHandling: false
      addImmutableIDToContextData: false
      addObjectGuidToContextData: false
      additionalInsertData:
      authMethodAttribute:
      authMigrationDateAttribute:
      channelVerificationResendsAttribute:
      connectionPool:
      contextDataAttributes:
      defaultAuthMethod:
      defaultNextAuthMethod:
      failedLoginAttribute:
      failedLoginBeforeLatestSuccessfulLoginAttribute:
      failedPasswordResetsAttribute:
      failedTokenCountsAttribute:
      firstLoginAttribute:
      forcePasswordChangeAttribute:
      insertDnTemplate:
      insertObjectClasses: [inetOrgPerson]
      iteratorSearchFilter:
      lastGSIDDateAttribute:
      lastGSIDValueAttribute:
      latestLoginAttemptAttribute:
      latestPasswordChangeDateAttribute:
      latestSuccessfulLoginAttribute:
      latestUnlockAttemptAttribute:
      lockDateAttribute:
      lockReasonAttribute:
      lockedAttribute:
      matchRolesCaseSensitive: true
      nextAuthMethodAttribute:
      nextEnforcedPasswordChangeDateAttribute:
      notValidAfterAttribute:
      notValidBeforeAttribute:
      orderPasswordAttribute:
      otherCredentialsDeliveryTimestampAttributes:
      passwordAttribute:
      passwordAttributeIsString: false
      passwordDeliveryDateAttribute:
      passwordGenerationDateAttribute:
      passwordOrderDateAttribute:
      passwordOrderUserAttribute:
      readOnlyAttributes:
      roleFilters:
      rolesAttribute:
      rolesAttributeRdn:
      rolesNestedResolutionDepth: 0
      rolesNestedResolutionTopOnly: false
      rolesSearchAttribute:
      rolesSearchBase:
      rolesSearchFilter:
      rolesSearchLevel: onelevel
      searchContexts:
      searchFilter:
      searchResultPageSize: 0
      secondLatestSuccessfulLoginAttribute:
      secretQuestionsEnabledAttribute:
      selfRegisteredAttribute:
      selfRegistrationDateAttribute:
      specialDateTimePattern:
      specialDateTimePatternUseLocalTimezone: false
      staticRoles:
      suppressSubstringSearch: false
      totalLoginsAttribute:
      unlockAttemptsAttribute:
      updateDnTemplate:
      userChangeEventListeners:
      userCountSearchFilter:
      userDNContextDataAttribute:
      useridAttribute:
      validAttribute:
    

    Legacy Context Data Item

    Description
    Context Data entry using a heuristic auto-detection of the appropriate database and context data type. This type was the default up to IAM 6.4. For newer configurations, there are better replacements using explicitly typed plugins that guarantee specific types on the database and in the context data.
    Class
    com.airlock.iam.core.misc.impl.persistency.db.contextdata.LegacyContextDataItem
    May be used by
    Properties
    Context Data Name (contextDataName)
    Description
    The name of the context data field of the user in memory under which the value is stored.
    Attributes
    String
    Mandatory
    Example
    givenname
    Example
    name
    Example
    address
    Example
    zip
    Example
    location
    Database Column Name (databaseColumnName)
    Description
    The name of the database column to load into the context data in case it differs from the Context Data Name.
    Attributes
    String
    Optional
    Example
    givenname
    Example
    name
    Example
    address
    Example
    zip
    Example
    location
    Readonly On Update (readonlyOnUpdate)
    Description
    If enabled, this context data field is treated readonly during updates of the user data. However, the field will still be persisted while inserting the user.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.persistency.db.contextdata.LegacyContextDataItem
    id: LegacyContextDataItem-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataName:
      databaseColumnName:
      readonlyOnUpdate: false
    

    Legacy Email OTP Authentication Step

    Description

    Configuration for an authentication flow step to check an OTP sent via email.

    Note: Emails are neither confidential nor authentic (i.e. the user cannot be sure that the email is really from Airlock IAM and Airlock IAM cannot be sure that the email is delivered to the correct user). Therefore, this step must not be used for high-security applications.

    Class
    com.airlock.iam.authentication.application.configuration.emailotp.LegacyEmailOtpAuthenticationStepConfig
    May be used by
    License-Tags
    EmailOTP
    Properties
    Email Service (emailService)
    Description
    Email service plugin. This defines what mail server is used for sending the email. It also defines the sender address and whether the email should be signed or not.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    EmailOTP
    Assignable plugins
    Message Template (messageTemplate)
    Description
    Message template used to create the message text sent to the user.

    The string $TOKEN$ in the message template is mandatory and is replaced by the generated OTP.

    If the message text is in HTML code, enable the property "Message Template Is HTML".

    Attributes
    String
    Optional
    Multi-line-text
    License-Tags
    EmailOTP
    Default value
    $TOKEN$
    Example
    Authentication Code

    In order to access our services, please provide the following security code: $TOKEN$

    Best Regards,
    Your Airlock IAM Server
    Message Template Is HTML (messageTemplateIsHtml)
    Description
    Enable if the message template is HTML code.
    Attributes
    Boolean
    Optional
    License-Tags
    EmailOTP
    Default value
    true
    Email Subject (emailSubject)
    Description
    The subject used in the email.
    Attributes
    String
    Mandatory
    License-Tags
    EmailOTP
    Example
    Security Code for Login
    Ignore Case (ignoreCase)
    Description
    If enabled, the case of characters is ignored when checking OTPs.
    Attributes
    Boolean
    Optional
    License-Tags
    EmailOTP
    Default value
    false
    Credential Persister (credentialPersister)
    Description
    Credential persister to load the email address of the user.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    EmailOTP
    Assignable plugins
    Masking Settings (maskingSettings)
    Description
    Settings for masking the email address in the REST API responses. Please refer to the REST API documentation for further details.

    If left empty, the email address will not be masked.

    Attributes
    Plugin-Link
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    OTP Generator (otpGenerator)
    Description
    The string generator plugin to generate the OTP.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    OTP Validity [seconds] (otpValiditySeconds)
    Description
    The number of seconds for which an OTP is valid. If the OTP is entered correctly but after its expiration, authentication fails with the error code TOKEN_EXPIRED.

    The value 0 (zero) disables this feature, i.e. OTPs never expire (this is the default).

    Attributes
    Integer
    Optional
    License-Tags
    EmailOTP
    Default value
    0
    Max Retries (maxRetries)
    Description
    The number of times the user may enter a wrong OTP before the authentication process is aborted. If set to zero (the default), only one attempt is possible. This is more secure but less user-friendly.
    Attributes
    Integer
    Optional
    License-Tags
    EmailOTP
    Default value
    0
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    License-Tags
    EmailOTP
    Default value
    EMAIL
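    The counter-reset attack described above is easy to reason about wrongly, so here is an added simulation (not Airlock IAM code) of the two configurations: two flows sharing the identifier PASSWORD versus the distinct identifiers PASSWORD1 and PASSWORD2. It models only what the description states, namely that failed attempts are counted per authentication method ID and that a successful step resets its own counter; the lock threshold of 3 and the test user, passwords and guess list are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

MAX_FAILED = 3   # assumed lock threshold; the page leaves the number to the authenticator


class FailedAttemptStore:
    """Failed-attempt counters keyed by (user, authentication method id):
    a successful check resets the counter for its own method id, and
    reaching MAX_FAILED locks the user."""

    def __init__(self) -> None:
        self.counters: Dict[Tuple[str, str], int] = defaultdict(int)
        self.locked: Set[str] = set()

    def check(self, user: str, method_id: str, credential_ok: bool) -> bool:
        if user in self.locked:
            return False
        key = (user, method_id)
        if credential_ok:
            self.counters[key] = 0
            return True
        self.counters[key] += 1
        if self.counters[key] >= MAX_FAILED:
            self.locked.add(user)
        return False


# Constructed test data: one user with two passwords, one per flow.
SECRETS = {"alice": {"pw1": "correct-horse", "pw2": "battery-staple"}}
GUESSES: List[str] = ["a", "b", "c", "d", "e", "battery-staple"]


def run_attack(method_a: str, method_b: str, guesses: List[str]) -> Tuple[int, bool]:
    """Attacker knows password 1 (flow A) and guesses password 2 (flow B),
    performing a successful flow-A login before every guess.
    Returns (guesses submitted, whether password 2 was found)."""
    store = FailedAttemptStore()
    submitted = 0
    for guess in guesses:
        store.check("alice", method_a, credential_ok=True)   # flow A with the known pw1
        submitted += 1
        if store.check("alice", method_b, guess == SECRETS["alice"]["pw2"]):
            return submitted, True
        if "alice" in store.locked:
            return submitted, False
    return submitted, False


if __name__ == "__main__":
    print("shared id   PASSWORD / PASSWORD  :", run_attack("PASSWORD", "PASSWORD", GUESSES))
    print("distinct ids PASSWORD1 / PASSWORD2:", run_attack("PASSWORD1", "PASSWORD2", GUESSES))
```

    With the shared identifier every flow-A login clears the counter, so the attacker works through the whole guess list and finds password 2; with distinct identifiers the user is locked after MAX_FAILED wrong guesses on flow B, regardless of how often flow A succeeds in between.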
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    License-Tags
    EmailOTP
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    License-Tags
    EmailOTP
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.emailotp.LegacyEmailOtpAuthenticationStepConfig
    id: LegacyEmailOtpAuthenticationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: EMAIL
      credentialPersister:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      emailService:
      emailSubject:
      ignoreCase: false
      interactiveGotoTargets:
      maskingSettings:
      maxRetries: 0
      messageTemplate: $TOKEN$
      messageTemplateIsHtml: true
      onFailureGotos:
      otpGenerator:
      otpValiditySeconds: 0
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Legacy ID Propagation Adapter

    Description

    Adapter for a legacy Identity Propagator plugin.

    The set of identity propagators that can be configured is limited to those that don't redirect the response and don't require the HTTP request.

    The roles made available to the identity propagator are those obtained by the Role Provider plugins configured here. Thus, if no Role Providers are configured, the identity propagator will not get any roles, not even the user's roles from the DB.

    Class
    com.airlock.iam.login.application.configuration.targetapp.LegacyIdPropagatorConfig
    May be used by
    Properties
    Condition (condition)
    Description
    Defines the condition under which the user's identity is propagated using the configured identity propagation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Role Providers (roleProviders)
    Description
    Plugins to determine the roles to propagate. These are only application-specific roles, not the Airlock Gateway (WAF) roles. If nothing is configured, no roles can be propagated.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Username Providers (usernameProviders)
    Description
    Plugins to determine an alternative username to propagate. This username is used as user ID for this identity propagation. The providers are asked to provide an alternative username in the configured order. After the first username is supplied, subsequent providers are no longer invoked. If nothing is configured, or no provider supplies a username, the user ID of the authenticated user is propagated.

    Note that when possible these transformations should be configured in the target application instead. However, if username transformations are configured both here and in the target application, then the transformations defined in the target application will be ignored and the transformations defined here will be applied directly to the technical user ID.

    Attributes
    Plugin-List
    Optional
    License-Tags
    SubIdentities
    Assignable plugins
    Context-Data Providers (contextDataProviders)
    Description
    Values provided by these value map providers are added to the persistent context-data of the authentee that is created for the identity propagator. They can then be referred to like normal context-data. Providers may overwrite each other's values. The order of the list defines the runtime order and therefore influences the resulting data set.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Password Attribute Key (passwordAttributeKey)
    Description

    The optional key by which the password should be retrieved from password steps.

    If no key is configured or no password was entered for this key, no password is propagated.

    Attributes
    String
    Optional
    Suggested values
    PASSWORD
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.targetapp.LegacyIdPropagatorConfig
    id: LegacyIdPropagatorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      contextDataProviders:
      identityPropagator:
      passwordAttributeKey:
      roleProviders:
      usernameProviders:
    

    Legacy mTAN Registration Flow

    Description

    Simple configuration for an mTAN registration self-service flow.

    The following steps are automatically generated:

    • A User Data Edit Step (step ID "register-mtan") with an mTAN number item and optionally an mTAN label item.
    • An mTAN Verification Step
    • An Apply Changes Step

    If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

    Class
    com.airlock.iam.selfservice.application.configuration.flow.DefaultMtanRegistrationFlowConfig
    May be used by
    License-Tags
    mTan
    Properties
    Flow ID (flowId)
    Description
    Unique ID for this flow, which is used for selecting or referencing a flow.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Access Condition (accessCondition)
    Description

    Precondition that must be fulfilled for a user to access this flow.

    Note the difference to the "Authorization Condition":
    • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
    • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Authorization Condition (authorizationCondition)
    Description
    Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
    • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
    • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    mTAN Settings (mtanSettings)
    Description
    Defines the settings for mTAN.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Number Key (numberKey)
    Description
    The key under which the client is expected to provide the number. The number will be a required field with a maximum length of 30 characters.
    Attributes
    String
    Optional
    Default value
    mtanNumber
    Label Key (labelKey)
    Description
    The key under which the client can provide the label. It will be an optional field with a maximum length of 30 characters. If left empty, only the number can be registered.
    Attributes
    String
    Optional
    Suggested values
    mtanLabel
    Message Provider (messageProvider)
    Description
    Creates the message for the verification SMS.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.flow.DefaultMtanRegistrationFlowConfig
    id: DefaultMtanRegistrationFlowConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accessCondition:
      authorizationCondition:
      flowId:
      labelKey:
      messageProvider:
      mtanSettings:
      numberKey: mtanNumber
    

    Letter Order Interval Condition (Public Self-Service)

    Description

    Condition that is true if one of the following conditions is met:

    • The user has an active password order, which was ordered within the configured timeframe and has not been processed yet (i.e. the order new password flag is "true")
    • A password has been generated for the user within the configured timeframe (i.e. the "latest password generation date" is within the configured timeframe). The generation date corresponds to the time that either a password batch task has processed a password order, or an admin has manually generated a password for the user.
    Class
    com.airlock.iam.publicselfservice.application.configuration.selection.condition.PasswordLetterOrderIntervalConditionConfig
    May be used by
    Properties
    Interval [d] (interval)
    Description
    The number of days that a user is not allowed to order a password letter after ordering one. Orders by an admin are ignored by this condition.
    Attributes
    Integer
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.selection.condition.PasswordLetterOrderIntervalConditionConfig
    id: PasswordLetterOrderIntervalConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      interval:
    

    License and Usage Analytics

    Description

    This plugin securely transmits both License and Usage Analytics to an Airlock cloud service.

    License Analytics is always enabled and must be transmitted regularly, as per our terms and conditions. It includes:

    • License information from license.txt
    • The current IAM version
    • The number of users in the database
    • Whether IAM is running in a docker container
    • The status of the "Enable Usage Analytics" property

    Usage Analytics are only sent if the "Enable Usage Analytics" property is enabled. Refer to that property’s documentation for details.

    For review, the transferred data is also stored in plaintext in "iam/instances/{instance-name}/usage/usage-data.json".

    Currently, IAM only sends License Analytics to an Airlock cloud service. No Usage Analytics are being transmitted at this time.

    Class
    com.airlock.iam.admin.application.configuration.analytics.LicenseAnalyticsConfig
    May be used by
    Properties
    Enable Usage Analytics (enableUsageAnalytics)
    Description

    Enabling this property grants consent to transfer anonymized Usage Analytics to the Airlock cloud service in addition to License Analytics.

    The following information is included:

    • Anonymized plugin configuration from medusa-configuration.xml
    • Anonymized instance configuration from instance.properties
    • Database schema information
    • IAM metrics

    Currently, only License Analytics are sent to the Airlock cloud service. No Usage Analytics are transmitted at this time.

    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.analytics.LicenseAnalyticsConfig
    id: LicenseAnalyticsConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      enableUsageAnalytics: true
    

    Link Configuration Authentication UI

    Description
    User interface configuration for adding links and buttons to authentication flow steps. This is supported for:
    1. Username Password Authentication Step
    2. User Identification Step
    3. Password-only Authentication Step
    4. FIDO Passwordless Authentication Step
    5. Airlock 2FA Usernameless Authentication Step
    Class
    com.airlock.iam.authentication.application.configuration.ui.LinkConfigurationAuthenticationStepUiConfig
    May be used by
    Properties
    Step ID (stepId)
    Description
    The ID of the step to which this user interface is referring.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    User Self-Registration Link (userSelfRegistrationLink)
    Description
    The user self-registration link to display on the page.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    SelfRegistration
    Assignable plugins
    Public Self-Service Link (publicSelfServiceLink)
    Description
    Link to a public self-service to display on the page, e.g. for password reset.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Additional Authentication Buttons (additionalAuthenticationButtons)
    Description
    A list of additional flows to display on the page. Can be used to reference SSO (e.g. OAuth 2.0 / OpenId Connect) flows that can be started to authenticate the user.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.ui.LinkConfigurationAuthenticationStepUiConfig
    id: LinkConfigurationAuthenticationStepUiConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      additionalAuthenticationButtons:
      publicSelfServiceLink:
      stepId:
      userSelfRegistrationLink:
    

    List User Profile Item Config

    Description
    Plugin to hold a configurable user profile item of type list. The user can select from a list of items, which can be either strings or resource keys which will be translated to the language selected by the user. The selected value is added to the user's context data, provided that the property name matches the property name in the configured user data. If selected, the item list will be sorted before being presented to the user.
    Class
    com.airlock.iam.common.application.configuration.userprofile.ListUserProfileItemConfig
    May be used by
    Properties
    Item List (itemList)
    Description
    List of items from which the user can select. Each line corresponds to one item (use Shift+Return to move to a new line). Empty lines are ignored, and all items must be unique. The items can either be simple strings that are displayed directly, or resource keys which are first translated to the selected language.
    Attributes
    String
    Mandatory
    Multi-line-text
    Items Are Resource Keys (itemsAreResourceKeys)
    Description
    Indicates if the items are resource keys (which are translated to the language selected by the user), or strings, which will be displayed as entered.
    Attributes
    Boolean
    Optional
    Default value
    false
    Resource Key Prefix (resourceKeyPrefix)
    Description
    If the items are resource keys (i.e. keys for the language-dependent string tables), a common prefix can be defined, which will be used for looking up the keys in the string table, but will not be written into the user record. For instance, if the list contains countries, the keys could be prefixed by 'countries', but only the actual country code would be saved for the user. If the items are not resource keys, this attribute is ignored.
    The resulting resource key is composed from <resource key prefix>.<value>
    Attributes
    String
    Optional
    Sort Items (sortItems)
    Description
    Indicates if the items are sorted alphabetically when displayed. If the items are resource keys, they are first translated to the selected language and then sorted.
    Attributes
    Boolean
    Optional
    Default value
    false
    String Resource Key (stringResourceKey)
    Description
    String identifier for the language-specific string tables.
    Attributes
    String
    Mandatory
    Example
    userdata.label.salutation
    Example
    userdata.label.firstname
    Example
    userdata.label.lastname
    Example
    userdata.label.email
    Example
    userdata.label.nationality
    Example
    userdata.label.birthdate
    Example
    userdata.label.street
    Example
    userdata.label.street-number
    Example
    userdata.label.address2
    Example
    userdata.label.zipcode
    Example
    userdata.label.town
    Example
    userdata.label.state
    Example
    userdata.label.country
    Example
    userdata.label.company
    Example
    userdata.label.department
    Example
    userdata.label.office-phone
    Example
    userdata.label.mobile-phone
    Example
    userdata.label.language
    Example
    userdata.label.correspondence-language
    Example
    userdata.label.realm
    Property Name (propertyName)
    Description
    Name of the context-data field in which the value is stored.
    Attributes
    String
    Mandatory
    Example
    surname
    Example
    givenname
    Example
    email
    Example
    mtan_number
    Optional (optional)
    Description
    Indicates whether this field is optional or mandatory for the user.
    Attributes
    Boolean
    Optional
    Default value
    true
    Modifiable (modifiable)
    Description
    Indicates if the user is allowed to change this property once it is set. Specifically, if this flag is set to false, then during self-registration the property could be set, but when editing the user data, this property would be read-only.
    Attributes
    Boolean
    Optional
    Default value
    true
    Validate Only Changed Values (validateOnlyChangedValues)
    Description
    If enabled, only values that have been changed by the user (compared to the data loaded from the data layer) are validated.
    Attributes
    Boolean
    Optional
    Default value
    true
    Sortable (sortable)
    Description
    If enabled, the attribute is sortable in the user list if the underlying user iterator supports sorting.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.userprofile.ListUserProfileItemConfig
    id: ListUserProfileItemConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      itemList:
      itemsAreResourceKeys: false
      modifiable: true
      optional: true
      propertyName:
      resourceKeyPrefix:
      sortItems: false
      sortable: true
      stringResourceKey:
      validateOnlyChangedValues: true
    

    LocalDate Context Data Item Name

    Description
    Context Data item of type LocalDate (a date without any time information).
    Class
    com.airlock.iam.core.application.configuration.contextdata.DateContextDataItemNameConfig
    May be used by
    Properties
    Context Data Name (contextDataName)
    Description
    The name of the context data field under which the date value is stored.
    Attributes
    String
    Mandatory
    Example
    birthdate
    YAML Template (with default values)
    
    type: com.airlock.iam.core.application.configuration.contextdata.DateContextDataItemNameConfig
    id: DateContextDataItemNameConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataName:
    

    Location

    Description
    Configuration of a maintenance message location.
    Class
    com.airlock.iam.admin.application.configuration.maintenancemessages.MaintenanceMessageLocation
    May be used by
    Properties
    Location Name (locationName)
    Description

    The name of this location displayed in the maintenance message editor of the Adminapp.

    Note: In order for the Loginapp to be able to retrieve the messages for the different locations, the same 'Location Name' also has to be configured in the Loginapp's maintenance message settings.

    Attributes
    String
    Mandatory
    Validation RegEx: \w+
    Example
    bottom
    Example
    left
    Example
    right
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.maintenancemessages.MaintenanceMessageLocation
    id: MaintenanceMessageLocation-xxxxxx
    displayName: 
    comment: 
    properties:
      locationName:
    

    Location Filter Config

    Description
    Location filter which is matched against the locations of the maintenance messages.
    Class
    com.airlock.iam.flow.api.application.configuration.LocationFilterConfig
    May be used by
    License-Tags
    MaintenanceMessages
    Properties
    Location To Be Matched (locationToBeMatched)
    Description
    The filter to match against the location of maintenance messages.
    Attributes
    String
    Mandatory
    License-Tags
    MaintenanceMessages
    Substring Matching (subStringOnly)
    Description
    If this flag is enabled, the location only needs to contain the location to be matched as a substring in order to match. If this flag is not enabled, exact matching is done and the full strings are compared.
    Attributes
    Boolean
    Optional
    License-Tags
    MaintenanceMessages
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.api.application.configuration.LocationFilterConfig
    id: LocationFilterConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      locationToBeMatched:
      subStringOnly: false
    

    Location Interpretations Configuration

    Description

    Analyzes a URI sent to the /<loginapp-uri>/rest/public/authentication/location/interpret endpoint and, if it matches the specified pattern, returns a set of values to the client.

    This could be the display language or other information extracted from the URI that can be used by the client before showing its UI.

    Class
    com.airlock.iam.login.application.configuration.location.interpret.LocationInterpretersConfigImpl
    May be used by
    Properties
    URI Pattern (uriPattern)
    Description
    The URI pattern (regular expression pattern) the provided URI must match in order to use the interpreters configured below. The matching is case-insensitive.
    Attributes
    RegEx
    Optional
    Default value
    .*
    Location Interpreter Configs (locationInterpreterConfigs)
    Description

    The endpoint returns a JSON map of key/values that have been extracted or derived from the given URI.

    This map specifies the keys returned and a corresponding plugin defining the logic to derive the value. For example, the key 'lang' could be mapped to a plugin that extracts a user language from the URI.

    The resulting map of all key/value pairs is returned to the REST client.

    Attributes
    Plugin-Map
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.location.interpret.LocationInterpretersConfigImpl
    id: LocationInterpretersConfigImpl-xxxxxx
    displayName: 
    comment: 
    properties:
      locationInterpreterConfigs:
      uriPattern: .*
    

    Lock Expired Initial Passwords Task

    Description
    Server task that checks all users for initial passwords that are too old.

    If a user account satisfies all of the following conditions, it is locked:

    • The account is not marked invalid
    • The account is not locked
    • A password change is enforced
    • The generation date of the password is not null and older than the initial-password-validity-period (as specified by the configuration of this plugin).

    Note: This task determines whether a password is an initial password based only on the facts that the password change flag is set and that there is a password generation date/time. Thus, setting the password change flag to true and not changing an "old" generation date may result in the account being locked by this task.

    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.LockExpiredInitialPasswordsTask
    May be used by
    Properties
    User Persister (userPersister)
    Description
    User persister plugin used to read user account data and lock it if necessary.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    User Iterator (userIterator)
    Description
    The user iterator plugin used to iterate over all users.
    Usually this is the same as the "User Persister".
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Password Validity Days (passwordValidityDays)
    Description
    Number of days an initial password is considered valid before it is locked.
    Attributes
    Long
    Mandatory
    Delete Password (deletePassword)
    Description
    If enabled, the password is deleted if the account is locked.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.LockExpiredInitialPasswordsTask
    id: LockExpiredInitialPasswordsTask-xxxxxx
    displayName: 
    comment: 
    properties:
      deletePassword: true
      passwordValidityDays:
      userIterator:
      userPersister:
    

    Lock Inactive Accounts Task

    Description
    Server task that checks all user accounts and locks the ones that have not been used for a configured amount of time.

    The task looks at the latest successful login timestamp. If it is not empty and too far in the past (see configuration properties below), the account is locked. Login failures are not taken into account.
    Accounts marked invalid and accounts that are already locked are ignored.

    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.LockInactiveAccountsTask
    May be used by
    Properties
    User Persister (userPersister)
    Description
    User persister plugin used to read user account data and lock it if necessary.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    User Iterator (userIterator)
    Description
    The user iterator plugin used to iterate over all users.
    Usually this is the same as the "User Persister".
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Expiration Days (expirationDays)
    Description
    Number of days an account may be unused before it is locked.
    Attributes
    Long
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.LockInactiveAccountsTask
    id: LockInactiveAccountsTask-xxxxxx
    displayName: 
    comment: 
    properties:
      expirationDays:
      userIterator:
      userPersister:
    
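    The account-selection rules of this task and of the Lock Expired Initial Passwords Task above, as an added example that is not Airlock IAM code: both decisions are re-implemented over constructed user records (field names are assumptions, not the IAM schema) so that the edge cases, including the note about an unchanged generation date, can be checked.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed reference instant used by the sample records below.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def days_ago(days: int) -> datetime:
    """Timestamp `days` days before NOW (helper for the constructed records)."""
    return NOW - timedelta(days=days)


@dataclass
class UserRecord:
    """Constructed user record; the field names are assumptions, not the IAM schema."""
    username: str
    invalid: bool = False
    locked: bool = False
    password_change_enforced: bool = False
    password_generation_date: Optional[datetime] = None
    last_successful_login: Optional[datetime] = None
    password: Optional[str] = "<constructed hash>"


def should_lock_expired_initial_password(user: UserRecord, now: datetime,
                                         password_validity_days: int) -> bool:
    """All four conditions listed for the Lock Expired Initial Passwords Task must hold."""
    if user.invalid or user.locked:            # invalid and already locked accounts are skipped
        return False
    if not user.password_change_enforced:      # no enforced change: not treated as an initial password
        return False
    if user.password_generation_date is None:  # no generation date: nothing to expire
        return False
    # "Older than" the validity period, measured from the generation date.
    return user.password_generation_date < now - timedelta(days=password_validity_days)


def should_lock_inactive(user: UserRecord, now: datetime, expiration_days: int) -> bool:
    """Lock Inactive Accounts Task rule: only the last successful login counts."""
    if user.invalid or user.locked:
        return False
    if user.last_successful_login is None:     # never logged in: ignored, not locked
        return False
    return user.last_successful_login < now - timedelta(days=expiration_days)


def run_lock_expired_initial_passwords_task(users: List[UserRecord], now: datetime,
                                            password_validity_days: int,
                                            delete_password: bool = True) -> List[str]:
    """Locks matching accounts in place and returns the usernames that were locked."""
    locked = []
    for user in users:
        if should_lock_expired_initial_password(user, now, password_validity_days):
            user.locked = True
            if delete_password:                # the "Delete Password" property
                user.password = None
            locked.append(user.username)
    return locked


def run_lock_inactive_accounts_task(users: List[UserRecord], now: datetime,
                                    expiration_days: int) -> List[str]:
    locked = []
    for user in users:
        if should_lock_inactive(user, now, expiration_days):
            user.locked = True
            locked.append(user.username)
    return locked


def constructed_users() -> List[UserRecord]:
    """Constructed sample records covering each branch of the two rules."""
    return [
        # initial password issued 40 days ago, change still enforced -> expired
        UserRecord("alice", password_change_enforced=True, password_generation_date=days_ago(40)),
        # initial password issued 10 days ago -> still valid
        UserRecord("bob", password_change_enforced=True, password_generation_date=days_ago(10)),
        # old password but no enforced change -> not an initial password
        UserRecord("carol", password_generation_date=days_ago(400), last_successful_login=days_ago(3)),
        # enforced change but no generation date -> nothing to expire
        UserRecord("dave", password_change_enforced=True),
        # already locked -> ignored by both tasks
        UserRecord("erin", locked=True, password_change_enforced=True,
                   password_generation_date=days_ago(400)),
        # the caveat from the task description: change flag set, generation date left old -> locked
        UserRecord("frank", password_change_enforced=True, password_generation_date=days_ago(365),
                   last_successful_login=days_ago(1)),
        # no successful login for 200 days -> inactive
        UserRecord("gina", last_successful_login=days_ago(200)),
        # never logged in -> empty timestamp is ignored
        UserRecord("hank"),
    ]


def run_demo() -> Dict[str, object]:
    """Runs both tasks in sequence over the constructed records."""
    users = constructed_users()
    initial = run_lock_expired_initial_passwords_task(users, NOW, password_validity_days=30)
    inactive = run_lock_inactive_accounts_task(users, NOW, expiration_days=180)
    return {"users": {u.username: u for u in users},
            "initial_password_locked": initial, "inactive_locked": inactive}
```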

    Lock Self-Service Step

    Description

    Self-service step that locks a user.

    This step is non-interactive and immediately locks the user with the configured lock reason. For usability reasons, it is recommended to precede this step with an interactive step that allows the user to confirm the lock action, such as an Acknowledge Message Step or an approval step.

    Class
    com.airlock.iam.selfservice.application.configuration.step.LockSelfServiceStepConfig
    May be used by
    Properties
    Lock Reason (lockReason)
    Description

    The lock reason to be set upon locking.

    When displayed in the Adminapp, the lock reason is translated using the key user.account-state.<lock reason>, e.g. user.account-state.LockReason.SelfLockout.

    Attributes
    String
    Optional
    Default value
    LockReason.SelfLockout
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.LockSelfServiceStepConfig
    id: LockSelfServiceStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      lockReason: LockReason.SelfLockout
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Locked User Filter

    Description
    User search filter that allows filtering for locked or unlocked users.
    Class
    com.airlock.iam.admin.application.configuration.usersearch.filter.LockedUserFilter
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.usersearch.filter.LockedUserFilter
    id: LockedUserFilter-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Locked User Restriction

    Description
    Does not allow locked users to perform public self-services, unless the lock reason is one of the white-listed reasons (see property "Allowed Lock Reasons").
    Class
    com.airlock.iam.publicselfservice.application.configuration.restrictions.LockedUserRestrictionConfig
    May be used by
    Properties
    Allowed Lock Reasons (allowedLockReasons)
    Description

    List of lock reasons that still allow the user to perform public self-services. Locked users with any lock reason not listed here will not be allowed to perform public self-services.

    Note that a user is not automatically unlocked after a successful public self-service. An "Unlock User Step (Public Self-Service)" step has to be configured to perform this task.

    Attributes
    String-List
    Optional
    Enable Feedback (enableFeedback)
    Description

    If enabled, the User Identification Step always returns a specific error code in case this restriction is violated.

    If no restrictions are configured to provide feedback, a flow can also be started for users violating one or more restrictions and the flow will advance to the user identity verification step in stealth mode. In this mode, the initial behavior of the step is the same as for unrestricted users (e.g. an mTAN OTP is required), but all responses are rejected as if they were incorrect. This behavior prevents restricted users from ever proceeding further in the flow and thus offers protection against user enumeration. Please refer to the documentation for more details.

    Irrespective of this setting, once the identity verification step is passed, restrictions are always checked before and after each method call and violations are always reported.

    Security notice: Enabling this feature might allow a client to determine whether certain users exist in the system.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.restrictions.LockedUserRestrictionConfig
    id: LockedUserRestrictionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedLockReasons:
      enableFeedback: false
    

    Locking Settings (Adminapp)

    Description

    This plugin defines the lock reasons admins can select when locking users, the behavior when users are locked temporarily, and the handling of active user sessions at the time of locking.

    Users may be locked automatically (e.g. after a certain amount of failed logins) or manually by the administrator.

    Class
    com.airlock.iam.admin.application.configuration.users.LockingSettings
    May be used by
    Properties
    Lock Reasons (lockReasons)
    Description

    Identity strings that define the lock reasons administrators can select when manually locking a user. Typically, these strings are set to the locale identifiers used with translation.

    The following manual lock reasons are predefined:

    LockReason.InitiatedByUser = "Requested by user"
    LockReason.InitiatedByAdmin = "Locked by administrator"

    Attributes
    String-List
    Optional
    Default value
    [LockReason.InitiatedByUser, LockReason.InitiatedByAdmin]
    Temporary Locking (temporaryLockingConfig)
    Description
    Settings for displaying temporary locking information on the user detail page. These should be the same settings as those used in the Loginapp to ensure consistent locking durations.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Session Lock Behavior (sessionLockBehavior)
    Description

    Defines how to handle existing user sessions at the time of locking.

    Note: Only applicable if the Adminapp is deployed behind the same Airlock Gateway (WAF) as the Loginapp.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.users.LockingSettings
    id: LockingSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      lockReasons: [LockReason.InitiatedByUser, LockReason.InitiatedByAdmin]
      sessionLockBehavior:
      temporaryLockingConfig:
    

    Log Cleanup Task

    Description

    Deletes the oldest log files periodically so that only a configurable number of log files are kept. This can be used to limit log file growth.

    Log file timestamps are extracted from the log file names in order to determine which ones to delete.

    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.LogCleanupTask
    May be used by
    Properties
    Number Of Log Files To Keep (numberOfLogFilesToKeep)
    Description

    The number of log files to keep.

    If there are more log files, the oldest ones will be deleted, such that only the configured number of log files remain.

    Attributes
    Integer
    Mandatory
    Log Directory (logDirectory)
    Description
    The directory in which the log files are stored.
    Attributes
    File/Path
    Mandatory
    Log File Name Patterns (logFileNamePatterns)
    Description

    Log file path pattern to determine which logs to clean up.

    The oldest log files that match an expression will be deleted so that for every entry only the configured number of log files remain. Use $(timestamp) to mark the location of the log file timestamps.

    Files that don't match any pattern will be completely ignored by this task.

    Attributes
    String-List
    Optional
    Default value
    [loginapp.log.$(timestamp), adminapp.log.$(timestamp), servicecontainerapp.log.$(timestamp), medusa-audit.log.$(timestamp)]
    Timestamp Format (timestampFormat)
    Description

    The format of the timestamp in the log file names.

    Timestamps are marked by $(timestamp) and are used to determine the oldest log files, which are deleted first.

    • yyyy stands for the year.
    • MM stands for the month.
    • dd stands for the day.
    Attributes
    Enum
    Optional
    Default value
    DEFAULT
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.LogCleanupTask
    id: LogCleanupTask-xxxxxx
    displayName: 
    comment: 
    properties:
      logDirectory:
      logFileNamePatterns: [loginapp.log.$(timestamp), adminapp.log.$(timestamp), servicecontainerapp.log.$(timestamp), medusa-audit.log.$(timestamp)]
      numberOfLogFilesToKeep:
      timestampFormat: DEFAULT
    
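    The selection rule of this task, as an added example that is not Airlock IAM code: file names are matched against the $(timestamp) patterns, the timestamp is parsed, and only the surplus oldest files per pattern are returned; files that match no pattern, or whose timestamp does not parse, are left alone. The yyyy-MM-dd shape assumed for the DEFAULT format and the directory helper are assumptions, and the listing is constructed.

```python
import os
import re
from datetime import datetime
from typing import List, Pattern

# Default patterns from the plugin documentation.
DEFAULT_PATTERNS = [
    "loginapp.log.$(timestamp)",
    "adminapp.log.$(timestamp)",
    "servicecontainerapp.log.$(timestamp)",
    "medusa-audit.log.$(timestamp)",
]

# Assumption: the DEFAULT timestamp format is taken to be yyyy-MM-dd (the page only names
# the yyyy, MM and dd placeholders); as a regex and a strptime format respectively.
TIMESTAMP_REGEX = r"(?P<timestamp>\d{4}-\d{2}-\d{2})"
TIMESTAMP_STRPTIME = "%Y-%m-%d"
MARKER = "$(timestamp)"


def compile_pattern(pattern: str) -> Pattern[str]:
    """Turns 'loginapp.log.$(timestamp)' into an anchored regex with a timestamp group."""
    parts = pattern.split(MARKER)
    if len(parts) != 2:
        raise ValueError(f"pattern must contain exactly one {MARKER}: {pattern!r}")
    # Escape the literal parts so dots in file names are not treated as wildcards.
    return re.compile("^" + re.escape(parts[0]) + TIMESTAMP_REGEX + re.escape(parts[1]) + "$")


def select_files_to_delete(filenames: List[str], patterns: List[str],
                           number_to_keep: int) -> List[str]:
    """Returns the file names that the task would delete, oldest first per pattern."""
    to_delete: List[str] = []
    for pattern in patterns:
        regex = compile_pattern(pattern)
        matched = []
        for name in filenames:
            m = regex.match(name)
            if not m:
                continue                      # no pattern matches: file is ignored entirely
            try:
                ts = datetime.strptime(m.group("timestamp"), TIMESTAMP_STRPTIME)
            except ValueError:
                continue                      # timestamp-shaped but not a real date: leave it
            matched.append((ts, name))
        matched.sort()                        # oldest first; name breaks ties deterministically
        surplus = len(matched) - number_to_keep
        if surplus > 0:
            to_delete.extend(name for _, name in matched[:surplus])
    return to_delete


def cleanup_directory(log_directory: str, patterns: List[str], number_to_keep: int,
                      dry_run: bool = True) -> List[str]:
    """Applies the rule to a real directory (assumed helper); deletes only when dry_run=False."""
    victims = select_files_to_delete(os.listdir(log_directory), patterns, number_to_keep)
    if not dry_run:
        for name in victims:
            os.remove(os.path.join(log_directory, name))
    return victims


def constructed_listing() -> List[str]:
    """Constructed directory listing used by the checks below."""
    return [
        "loginapp.log",                   # current file without timestamp: never matched
        "loginapp.log.2024-01-03",
        "loginapp.log.2024-01-01",
        "loginapp.log.2024-01-04",
        "loginapp.log.2024-01-02",
        "adminapp.log.2024-01-04",
        "adminapp.log.2024-01-03",
        "medusa-audit.log.2024-13-40",    # matches the shape but is not a valid date
        "notes.txt",                      # matches no pattern
    ]
```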

    Log File

    Description
    Defines a log file to be viewed. The file name is relative to the current directory or an absolute path name. The underlying log file loader also looks for rotated log files by adding .N to the file name (where N is a whole number starting with 1). This works, for example, with the rolling file appender of Log4J.
    Class
    com.airlock.iam.admin.application.configuration.logviewer.LogFile
    May be used by
    Properties
    Name Translation Key (nameTranslationKey)
    Description
    Defines the translation key for the logfile name. The translations must be provided in the string_XX.properties.
    Attributes
    String
    Mandatory
    Suggested values
    logViewer.usertrail.name, logViewer.login-app.name, logViewer.admin-app.name, logViewer.servicecontainer-app.name
    File (file)
    Description
    The path to the log file.
    Attributes
    File/Path
    Mandatory
    Encoding (encoding)
    Description
    The file encoding of the logfile. If left unconfigured the UTF-8 encoding (matching the Airlock IAM default logger configuration) is used.

    Set to PLATFORM_DEFAULT to use the platform's default encoding.

    Attributes
    String
    Optional
    Default value
    UTF-8
    Suggested values
    UTF-8, ISO-8859-1, windows-1252, PLATFORM_DEFAULT
    Filter Patterns (filterPatterns)
    Description
    A set of predefined filter patterns can be defined per logfile.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.logviewer.LogFile
    id: LogFile-xxxxxx
    displayName: 
    comment: 
    properties:
      encoding: UTF-8
      file:
      filterPatterns:
      nameTranslationKey:
    

    Log Viewer

    Description

    When configured, enables the Log Viewer, which allows viewing messages from log files.

    The available log files as well as their order can be customized here. You may also define a set of filter rules, which can be selected by admins to view specific log messages.

    In addition, color schemes can be defined, which highlight specific messages with the selected colors.

    Class
    com.airlock.iam.admin.application.configuration.logviewer.LogViewer
    May be used by
    Properties
    Logfiles (logfiles)
    Description

    The list of log files that will appear in the log viewer.

    The order of the log files in this property is used in the Log Viewer as well.

    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Color Scheme (colorScheme)
    Description

    Defines color schemes for the Log Viewer. Messages are matched using regular expressions.

    If the log line matches more than one pattern, the first matching rule is used. The log level is matched first and then the message text. If no scheme is defined, the following default scheme is used:

    • Error messages (log level "ERROR") are marked red.
    • Warning messages (log level "WARN") are marked yellow.
    • Successful authentication lines are marked green.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Initially Selected Log File (initiallySelectedLogFile)
    Description

    This property serves two purposes:

    Firstly, it defines the log file that is selected when the Log Viewer is first opened during a browser session. When reopening the Log Viewer during the same session, the last selected log file is remembered.

    Secondly, it defines the log file that is opened when switching to the Log Viewer from the User Activity Tab. In this case, it will always open the file defined by this property.

    If left undefined, the first log file in the list is used instead.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Log Config Changes (logConfigChanges)
    Description

    If enabled, the difference between the previously activated configuration and the newly activated configuration gets logged to the Adminapp log file when a configuration is activated in the Config Editor.

    For example, if the Radius service port gets changed, the following log message is logged:

    <property name="port">1812</property>           <property name="port">1813</property>

    Please be aware that enabling this setting has no effect on the current activation, only on future ones.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.logviewer.LogViewer
    id: LogViewer-xxxxxx
    displayName: 
    comment: 
    properties:
      colorScheme:
      initiallySelectedLogFile:
      logConfigChanges: false
      logfiles:
    

    Logged in from new Device

    Description
    Event that is published if a user logs in from a new device.
    Class
    com.airlock.iam.authentication.application.configuration.newdevice.LoggedInFromNewDeviceEventConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.newdevice.LoggedInFromNewDeviceEventConfig
    id: LoggedInFromNewDeviceEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Logical AND

    Description
    Flow condition that performs a logical "AND" operation on a set of configurable conditions. The condition is fulfilled if and only if all of the configured conditions are fulfilled.
    Class
    com.airlock.iam.flow.application.configuration.selection.condition.LogicalAndFlowConditionConfig
    May be used by
    mTAN Transaction Approval Step mTAN Transaction Approval Step Default Enable Cronto Push Flow Default Enable Cronto Push Flow Secret Questions Identity Verification Step Secret Questions Identity Verification Step Default mTAN Deletion Flow Legacy mTAN Registration Flow Legacy mTAN Registration Flow Set Authentication Method Migration Step Set Authentication Method Migration Step Advanced Migration Selection Option Airlock 2FA Authentication Step Airlock 2FA Authentication Step Complete Migration Step Complete Migration Step Failure Step Failure Step Airlock 2FA Recovery Trusted Session Binding Step Airlock 2FA Recovery Trusted Session Binding Step Email Identity Verification Step Email Identity Verification Step Scriptable Step Scriptable Step Custom Protected Self-Service Flow Custom Protected Self-Service Flow Airlock 2FA Self-Service Approval Step Airlock 2FA Self-Service Approval Step Logical NOT Set Authentication Method Step Set Authentication Method Step OTP Check via RADIUS Step OTP Check via RADIUS Step OAuth 2.0 SSO Step OAuth 2.0 SSO Step Cronto Device Selection Step Cronto Device Selection Step Default Disable FIDO Credential Flow Default Disable FIDO Credential Flow FIDO Public Self-Service Approval Step FIDO Public Self-Service Approval Step Cronto Transaction Approval Step Cronto Transaction Approval Step Email OTP Transaction Approval Step Email OTP Transaction Approval Step Send Email Link Step Send Email Link Step Vasco OTP Public Self-Service Approval Step Vasco OTP Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step mTAN Authentication Step mTAN Authentication Step Risk Assessment Step Risk Assessment Step Cronto Authentication Step Cronto Authentication Step User Data Edit Step User Data Edit Step Logical OR Account Link Linking Initiation Step Account Link Linking Initiation Step Account Link Removal Initiation Step Account Link Removal Initiation Step Missing 
Account Link Step CrontoSign Swiss Push Activation Step CrontoSign Swiss Push Activation Step Flow Continuation Token Consumption Step Flow Continuation Token Consumption Step Email Verification Step Email Verification Step SSI Passwordless Authentication Step SSI Passwordless Authentication Step Red Flag Raising Step Config Red Flag Raising Step Config Red Flag Raising Step Config Airlock 2FA Transaction Approval Step Airlock 2FA Transaction Approval Step FIDO Credential Selection Step FIDO Credential Selection Step On Behalf Login Identity Propagation Config mTAN Number List mTAN Number List Default OAuth 2.0 Consents Delete Flow Default OAuth 2.0 Consents Delete Flow Selection Step for Public Self-Service Selection Step for Public Self-Service OATH OTP Activation Step OATH OTP Activation Step Default mTAN Token Registration Flow SSO Ticket Authentication Step SSO Ticket Authentication Step Enable Cronto Push Initiation Step Enable Cronto Push Initiation Step Default Account Link Removal Flow Default Account Link Removal Flow Default Account Link Linking Flow Default Account Link Linking Flow Condition-based Role Provider Migration Selection Step Migration Selection Step Migration Selection Step SSI Issuance Step SSI Issuance Step Legacy ID Propagation Adapter OIDC Flow Condition To ACR Value Mapping Phone Number Verification Step Phone Number Verification Step mTAN Public Self-Service Approval Step mTAN Public Self-Service Approval Step User Data Registration Step Config User Data Registration Step Config Cronto Approval Stealth Step Cronto Approval Stealth Step Disable FIDO Credential Initiation Step Disable FIDO Credential Initiation Step OAuth 2.0 Client Persisting Step OAuth 2.0 Client Persisting Step Selection Option For User Self-Registration Delete FIDO Credential Initiation Step Delete FIDO Credential Initiation Step Login From New Device Step Login From New Device Step Account Linking Lists Self Services Account Linking Lists Self Services OAuth 2.0 
    Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    Conditions (conditions)
    Description
    Conditions to whose results the "AND" operation will be applied.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.application.configuration.selection.condition.LogicalAndFlowConditionConfig
    id: LogicalAndFlowConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      conditions:
    

    Logical AND Condition

    Description
    Condition that performs a logical "AND" operation on a set of configurable conditions. The condition is fulfilled if and only if all of the configured conditions are fulfilled.
    Class
    com.airlock.iam.core.misc.persistency.usereventbus.conditions.LogicalAndEventCondition
    May be used by
    Properties
    Conditions (conditions)
    Description
    Conditions to whose results the "AND" operation will be applied.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.persistency.usereventbus.conditions.LogicalAndEventCondition
    id: LogicalAndEventCondition-xxxxxx
    displayName: 
    comment: 
    properties:
      conditions:
    

    Logical AND Device Condition

    Description
    Plugin for filtering Airlock 2FA devices. It combines the result of the configured predicates using the logical AND operation.
    Class
    com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FADeviceLogicalAndPredicateConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FADeviceLogicalAndPredicateConfig
    id: Airlock2FADeviceLogicalAndPredicateConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      devicePredicates:
    

    Logical AND Role Derivation

    Description
    Condition that evaluates to 'true' only if the user has all specified roles and Risk Tags.
    Class
    com.airlock.iam.authentication.application.configuration.risk.accesspolicy.condition.LogicalAndRoleDerivationCondition
    May be used by
    Properties
    Required Roles (requiredRoles)
    Description
    List of all roles the user must have.
    Attributes
    String-List
    Optional
    Required Risk Tags (requiredRiskTags)
    Description
    List of all Risk Tags the user must have.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.risk.accesspolicy.condition.LogicalAndRoleDerivationCondition
    id: LogicalAndRoleDerivationCondition-xxxxxx
    displayName: 
    comment: 
    properties:
      requiredRiskTags:
      requiredRoles:
    

    Logical NOT

    Description
    Flow condition to negate the result of the configured condition.
    Class
    com.airlock.iam.flow.application.configuration.selection.condition.LogicalNotFlowConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    Condition (condition)
    Description
    Condition which will be negated.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.application.configuration.selection.condition.LogicalNotFlowConditionConfig
    id: LogicalNotFlowConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
    

    Logical NOT Condition

    Description
    Flow condition to negate the result of the configured condition.
    Class
    com.airlock.iam.core.misc.persistency.usereventbus.conditions.LogicalNotEventCondition
    May be used by
    Properties
    Condition (condition)
    Description
    Condition which will be negated.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.persistency.usereventbus.conditions.LogicalNotEventCondition
    id: LogicalNotEventCondition-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
    

    Logical NOT Device Condition

    Description
    Plugin for filtering Airlock 2FA devices. It negates the result of the configured predicate.
    Class
    com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FADeviceLogicalNotPredicateConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FADeviceLogicalNotPredicateConfig
    id: Airlock2FADeviceLogicalNotPredicateConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      devicePredicate:
    

    Logical NOT Role Derivation

    Description
    Condition that evaluates to 'true' if the enclosed condition evaluates to false.
    Class
    com.airlock.iam.authentication.application.configuration.risk.accesspolicy.condition.LogicalNotRoleDerivationCondition
    May be used by
    Properties
    Condition (condition)
    Description
    The one and only condition that should be negated.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.risk.accesspolicy.condition.LogicalNotRoleDerivationCondition
    id: LogicalNotRoleDerivationCondition-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
    

    Logical OR

    Description
    Flow condition that performs a logical "OR" operation on a set of configurable conditions. The condition is fulfilled if any of the configured conditions are fulfilled.
    Class
    com.airlock.iam.flow.application.configuration.selection.condition.LogicalOrFlowConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    Conditions (conditions)
    Description
    Conditions to whose results the "OR" operation will be applied.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.application.configuration.selection.condition.LogicalOrFlowConditionConfig
    id: LogicalOrFlowConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      conditions:
    

    Logical OR Condition

    Description
    Condition that performs a logical "OR" operation on a set of configurable conditions. The condition is fulfilled if any of the configured conditions are fulfilled.
    Class
    com.airlock.iam.core.misc.persistency.usereventbus.conditions.LogicalOrEventCondition
    May be used by
    Properties
    Conditions (conditions)
    Description
    Conditions to whose results the "OR" operation will be applied.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.persistency.usereventbus.conditions.LogicalOrEventCondition
    id: LogicalOrEventCondition-xxxxxx
    displayName: 
    comment: 
    properties:
      conditions:
    

    Logical OR Device Condition

    Description
    Plugin for filtering Airlock 2FA devices. It combines the result of the configured predicates using the logical OR operation.
    Class
    com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FADeviceLogicalOrPredicateConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FADeviceLogicalOrPredicateConfig
    id: Airlock2FADeviceLogicalOrPredicateConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      devicePredicates:
    

    Logical OR Role Derivation

    Description
    Condition that evaluates to 'true' if the user has at least one of the specified roles or Risk Tags.
    Class
    com.airlock.iam.authentication.application.configuration.risk.accesspolicy.condition.LogicalOrRoleDerivationCondition
    May be used by
    Properties
    Required Roles (requiredRoles)
    Description
    List of roles one of which the user must have.
    Attributes
    String-List
    Optional
    Required Risk Tags (requiredRiskTags)
    Description
    List of Risk Tags one of which the user must have.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.risk.accesspolicy.condition.LogicalOrRoleDerivationCondition
    id: LogicalOrRoleDerivationCondition-xxxxxx
    displayName: 
    comment: 
    properties:
      requiredRiskTags:
      requiredRoles:
    

    Login From New Device Step

    Description
    Step which publishes an event if the user logged in from a new device:
    • Looks for a cookie with the configured name.
    • Decrypts the cookie with the configured key.
    • Uses the cookie to find out if the user already logged in from the current device.
    • Triggers an event if it is the first login from that device or the time since the last login exceeds the configured validity.
    • Updates the cookie and sets it in the response.
    Class
    com.airlock.iam.authentication.application.configuration.newdevice.LoginFromNewDeviceStepConfig
    May be used by
    Properties
    Cookie Name (cookieName)
    Description
    The name of the cookie that is used to detect whether a login from a new device happened.

    If this name is changed, the Airlock Gateway has to be reconfigured to pass-through and encrypt this cookie.

    Attributes
    String
    Optional
    Length <= 30
    Length >= 1
    Validation RegEx: [a-zA-Z0-9_]+
    Default value
    AL_LoginFromNewDevice
    Key (key)
    Description

    The key used to encrypt the cookie. Must be 32 bytes encoded as a Base64 string.

    One can, for example, generate a random base64 string with 256 bits (32 bytes) using OpenSSL as follows: openssl rand -base64 32

    If this value is changed, all previously used devices are forgotten.

    Attributes
    String
    Mandatory
    Sensitive
    Length <= 44
    Length >= 44
    Validity (validity)
    Description
    Token validity for a user on a device.
    Attributes
    String
    Optional
    Default value
    365d
    Example
    10d
    Example
    8h
    Example
    2d 12h
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.newdevice.LoginFromNewDeviceStepConfig
    id: LoginFromNewDeviceStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      cookieName: AL_LoginFromNewDevice
      customFailureResponseAttributes:
      customResponseAttributes:
      key:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      validity: 365d
    
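    An added example (not code from Airlock IAM or this reference) modelling the step's logic above in Go: the 44-character/32-byte key constraint, the "365d"/"2d 12h" validity format, and the decrypt, compare, update cycle on the cookie. The cookie format is not documented here, so AES-256-GCM, the per-user last-login payload and all names (sampleKeyB64, devicePayload, evaluateLogin) are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// sampleKeyB64 is a constructed key: base64 of the 32 ASCII bytes "0123456789abcdef0123456789abcdef"
// (44 characters, as the plugin requires). A real deployment generates one with: openssl rand -base64 32
const sampleKeyB64 = "MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY="

// devicePayload is the assumed cookie plaintext: per user, the unix time of the last login from this device.
type devicePayload struct {
	LastLogin map[string]int64 `json:"lastLogin"`
}

var durationToken = regexp.MustCompile(`^(\d+)([dhms])$`)
var durationUnit = map[string]time.Duration{"d": 24 * time.Hour, "h": time.Hour, "m": time.Minute, "s": time.Second}

// parseValidity parses IAM-style validity strings such as "365d", "8h" or "2d 12h".
func parseValidity(s string) (time.Duration, error) {
	var total time.Duration
	for _, f := range strings.Fields(s) {
		m := durationToken.FindStringSubmatch(f)
		if m == nil {
			return 0, fmt.Errorf("invalid validity token %q", f)
		}
		n, _ := strconv.Atoi(m[1])
		total += time.Duration(n) * durationUnit[m[2]]
	}
	return total, nil
}

// loadKey enforces the plugin's constraint (44 base64 characters decoding to 32 bytes) and returns
// the AES-256-GCM cipher used for the cookie (the cipher itself is an assumption of this example).
func loadKey(b64 string) (cipher.AEAD, error) {
	key, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(b64) != 44 || len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes encoded as a 44-character base64 string")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCookie encrypts the payload and returns a cookie-safe base64url string, nonce prepended.
func sealCookie(gcm cipher.AEAD, p devicePayload) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	plain, _ := json.Marshal(p)
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, plain, nil)), nil
}

// openCookie decrypts and authenticates a cookie value; any tampering is rejected here.
func openCookie(gcm cipher.AEAD, value string) (devicePayload, error) {
	p := devicePayload{LastLogin: map[string]int64{}}
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil || len(raw) < gcm.NonceSize() {
		return p, fmt.Errorf("malformed cookie")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return p, err
	}
	return p, json.Unmarshal(plain, &p)
}

// evaluateLogin mirrors the step: read the cookie, decide whether a new-device event must be published,
// and return the updated cookie to set in the response. A missing, undecryptable or foreign cookie
// (another user's, or sealed under a different key) counts as an unknown device.
func evaluateLogin(gcm cipher.AEAD, cookie, user string, now time.Time, validity time.Duration) (bool, string, error) {
	p := devicePayload{LastLogin: map[string]int64{}}
	if cookie != "" {
		if got, err := openCookie(gcm, cookie); err == nil && got.LastLogin != nil {
			p = got
		}
	}
	last, seen := p.LastLogin[user]
	newDevice := !seen || now.Sub(time.Unix(last, 0)) > validity
	p.LastLogin[user] = now.Unix()
	updated, err := sealCookie(gcm, p)
	return newDevice, updated, err
}
```

    Changing the key makes every existing cookie fail authentication in openCookie, which is exactly why the reference states that all previously used devices are forgotten when the key changes.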

    Login History Consistency User Change Listener

    Description
    A listener that reacts to change events on users and keeps the login history in a consistent state. Currently, it performs the following actions:
    • on user deletion: delete all login history assigned to that user.
    • on user name change: update the login history to the new user name.
    Class
    com.airlock.iam.common.application.configuration.loginhistory.LoginHistoryConsistencyUserChangeListener
    May be used by
    Properties
    Login History Repository (loginHistoryRepository)
    Description
    Repository providing the history of successful logins for each user.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.loginhistory.LoginHistoryConsistencyUserChangeListener
    id: LoginHistoryConsistencyUserChangeListener-xxxxxx
    displayName: 
    comment: 
    properties:
      loginHistoryRepository:
    

    Login History Processor

    Description
    After a successful authentication flow, this processor adds a login history entry to the configured Login History Repository. No entry is written to the database if:
    • the authentication flow was unsuccessful, or
    • the session already has an entry in the login history repository.
    Class
    com.airlock.iam.authentication.application.configuration.processor.LoginHistoryProcessorConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.processor.LoginHistoryProcessorConfig
    id: LoginHistoryProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Login Page

    Description
    Redirects to the login page.
    Class
    com.airlock.iam.flow.ui.application.configuration.LoginPageTargetConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.LoginPageTargetConfig
    id: LoginPageTargetConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Loginapp

    Description
    Configures the Loginapp component.
    Class
    com.airlock.iam.login.app.misc.configuration.Loginapp
    Properties
    Applications and Authentication (authenticationFlows)
    Description
    Settings for target applications with authentication and authorization flows. This property configures the behavior of the REST endpoints. To enable the user interface (single-page application), configure the corresponding "UI Settings".
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Self-Registration (selfRegFlows)
    Description
    Settings for user self-registration flows. This property configures the behavior of the REST endpoints. To enable the user interface (single-page application), configure the corresponding "UI Settings".
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Public Self-Services (publicSelfServiceFlows)
    Description
    Settings for flow-based public self-service flows. This property configures the behavior of the REST endpoints. To enable the user interface (single-page application), configure the corresponding "UI Settings".
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Protected Self-Services (protectedSelfServices)
    Description
    Settings for protected self-services (flows and token management that are accessible to authenticated users). This property configures the behavior of the REST endpoints. To enable the user interface (single-page application), configure the corresponding "UI Settings".
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    UI Settings (ui)
    Description
    User interface settings.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    User Store (userStore)
    Description

    The user store for the REST API.

    Important: A user store is almost always required unless there are only persistency-less authentication flows configured.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Security Settings (securitySettings)
    Description
    Loginapp security settings.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Language Settings (languageSettings)
    Description
    Configures language settings.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Event Settings (eventSettings)
    Description
    Configures handling of events in the Loginapp.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Maintenance Messages (maintenanceMessages)
    Description
    Configures settings related to maintenance messages.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    MaintenanceMessages
    Assignable plugins
    Gateway Settings (gatewaySettings)
    Description
    Settings regarding an Airlock Gateway or Airlock Microgateway reverse proxy placed in front of Airlock IAM.

    If no settings are configured, extra information from the reverse proxy will not be available and it may be harder to correlate log messages that are written to different log files.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Session Idle Timeout (sessionIdleTimeout)
    Description
    Session idle timeout for the Loginapp. When IAM is deployed behind an Airlock Gateway (WAF), timeout and lifetime values should always be longer than those maintained by the Gateway.
    Attributes
    String
    Optional
    Default value
    30m
    Example
    30m
    Example
    2h 15m
    Session Lifetime (sessionLifetime)
    Description
    Session lifetime for the Loginapp. Unlike an idle timeout, the lifetime cannot be extended by activity and is always terminated once the lifetime has been reached. When IAM is deployed behind an Airlock Gateway (WAF), timeout and lifetime values should always be longer than those maintained by the Gateway.
    Attributes
    String
    Optional
    Default value
    8h
    Example
    4h 30m
    Example
    8h
    SAML Settings (samlSettings)
    Description
    Defines SAML IdP (identity propagator) and SAML SP (service provider) settings.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    SamlIdp,SamlSp
    Assignable plugins
    OAuth 2.0/OIDC Clients (oAuth2SSOSettings)
    Description
    Configuration for OAuth 2.0 SSO (Airlock IAM as Client).
    Attributes
    Plugin-Link
    Optional
    License-Tags
    OAuthClient
    Assignable plugins
    OAuth 2.0/OIDC Authorization Servers (oAuth2ASSettings)
    Description

    Configuration for OAuth 2.0 / OpenID Connect SSO (Airlock IAM as Authorization Server (AS)).

    Attributes
    Plugin-Link
    Optional
    License-Tags
    OAuthServer
    Assignable plugins
    Technical Client Registration (techClientRegistration)
    Description
    Configures settings for the registration of technical clients.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    TechClientRegistration
    Assignable plugins
    One-Shot Authentication (oneShotAuthentication)
    Description
    Configures the one-shot authentication using Airlock Gateway.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    OneShotAuthentication
    Assignable plugins
    Session-less REST Endpoints (rest)
    Description

    Configures session-less endpoints of the Loginapp REST API. These endpoints require authentication credentials attached to each request, but don't require previous authentication with a flow.

    These REST endpoints begin with the resource path /<loginapp-uri>/rest/protected/my/.

    For most of the session-less protected REST APIs, there is a corresponding flow-based API in the protected self-service REST APIs. Whenever possible, prefer the flow-based variant over the session-less variant configured here.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Geolocation Provider (geolocationProvider)
    Description
    If configured, all IPs are geolocated to provide the flow engine with additional input about the approximate geographical location of the request origin. If a geolocation provider is specified, data is potentially persisted.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    State Repository (stateRepository)
    Description

    Defines where IAM stores all state. As long as only one instance of IAM is running (no horizontal scaling), the in-memory repository can be used.

    If session context retention is used, this plugin may only be configured in the default context.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Context Extractor (contextExtractor)
    Description

    Specifies how a context is to be extracted from a request.

    Depending on the configured context retention policy, this value might then be retained, e.g. for the duration of the request or the duration of the session. Likewise, depending on the retention policy, this extractor might be evaluated e.g. for each request or once per session.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Context Retention Policy (contextRetentionPolicy)
    Description

    Specifies how contexts are retained.

    This property defines when the context extractor is evaluated, and how long the resulting value is retained. Depending on the retention policy, the context extractor may be e.g. evaluated once per request, or once per session.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Cronto App Communication (crontoAppCommunication)
    Description

    Cronto Handler for direct communication from the Cronto apps. This handler is used by the technical Cronto servlets that handle requests to approve push or online validation messages, return the transaction list, or handle push notification ID registration.

    This Cronto Handler is only used if push or online validation are active.

    Attributes
    Plugin-Link
    Optional
    License-Tags
    Cronto
    Assignable plugins
    Custom Extensions (customExtensions)
    Description
    Custom extensions for the Loginapp. Allows connecting custom configuration plugins to the IAM Loginapp module.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Readiness Health Check Endpoint (readinessHealthCheckEndpoint)
    Description
    Readiness health check endpoint for the Loginapp module.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Log User Trail To Database (logUserTrailToDatabase)
    Description

    Configures the database settings to use when persisting user trail log entries.

    If this value is defined, then all user trail log messages generated by the Loginapp module will additionally be forwarded to the database configured within the referenced repository plugin.

    All forwarded log entries are stored inside the table "USER_TRAIL_LOG". Note that setting this value does not disable writing log messages to the Loginapp log file.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Correlation ID Settings (correlationIdSettings)
    Description

    Defines settings for correlation ID transfer and logging inside the Loginapp module.

    If undefined, no correlation ID will be logged for this module.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Device Usage Repository Config (deviceUsageRepositoryConfig)
    Description
    Configures the database settings to use when persisting device usage data. This repository is used by the Device Usage Processor. If not configured, the device usages are not stored and thus no conditions and events based on previous/first device usage can be used.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    JWKS Settings (jwksSettings)
    Description

    Enables a JWKS endpoint for all keys used in Loginapp, if configured.

    The JWKS endpoint URL is /<loginapp-uri>/rest/public/jwks/

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.Loginapp
    id: Loginapp-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationFlows:
      contextExtractor:
      contextRetentionPolicy:
      correlationIdSettings:
      crontoAppCommunication:
      customExtensions:
      deviceUsageRepositoryConfig:
      eventSettings:
      gatewaySettings:
      geolocationProvider:
      jwksSettings:
      languageSettings:
      logUserTrailToDatabase:
      maintenanceMessages:
      oAuth2ASSettings:
      oAuth2SSOSettings:
      oneShotAuthentication:
      protectedSelfServices:
      publicSelfServiceFlows:
      readinessHealthCheckEndpoint:
      rest:
      samlSettings:
      securitySettings:
      selfRegFlows:
      sessionIdleTimeout: 30m
      sessionLifetime: 8h
      stateRepository:
      techClientRegistration:
      ui:
      userStore:
    

    Loginapp Event Settings

    Description
    Event settings for the Loginapp.
    Class
    com.airlock.iam.login.application.configuration.event.LoginappEventSettingsConfig
    May be used by
    Properties
    Event Subscribers (eventSubscribers)
    Description
    List of event subscribers.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.event.LoginappEventSettingsConfig
    id: LoginappEventSettingsConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      eventSubscribers:
    

    Loginapp JWKS

    Description
    Enables a global JWKS endpoint for all keys used by Loginapp for signing.
    Class
    com.airlock.iam.login.app.misc.configuration.JwksLoginappConfig
    May be used by
    Properties
    Cache-Control Response Header (cacheControlResponseHeader)
    Description
    If left empty, the 'Cache-Control' response header is set to 'no-store, no-cache, must-revalidate'. If configured, the 'Cache-Control' response header is set to the specified value.
    Attributes
    String
    Optional
    Example
    public, max-age=3600
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.JwksLoginappConfig
    id: JwksLoginappConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      cacheControlResponseHeader:
    

    Loginapp UI Content Security Policy

    Description
    Enables a Content Security Policy (CSP) for the Loginapp UI.
    Class
    com.airlock.iam.login.rest.application.configuration.LoginappUiContentSecurityPolicyConfig
    May be used by
    Properties
    Content Security Policy (contentSecurityPolicy)
    Description

    This property can be used to define a custom policy.

    The default policy requires a nonce to be inserted into script tags. Script tags that do not include a nonce will be blocked.

    The placeholder '${cspNonce}' in the policy will be replaced with a fresh, randomly generated nonce for each request. The same nonce must be present in all policy relevant tags that were generated by a specific request.

    Known use cases requiring CSP customization

    • IAM is embedded in an (i)frame: frame-ancestors directive must be relaxed.

    Security Warning: The default CSP was designed to offer a good level of security and maintainability. The CSP is validated to work with IAM (see limitations above). Defining a custom CSP may reduce the level of security and may lead to browsers blocking IAM pages. Therefore, the security benefits of a custom policy must be evaluated carefully and IAM must be tested to work with the policy.

    Attributes
    String
    Optional
    Default value
    default-src 'self'; object-src 'none'; script-src ${cspNonce} 'strict-dynamic' 'self'; img-src 'self' data: https://api.futurae.com; connect-src 'self' https://api.futurae.com wss://api.futurae.com; base-uri 'self'; frame-ancestors 'none';
    YAML Template (with default values)
    
    type: com.airlock.iam.login.rest.application.configuration.LoginappUiContentSecurityPolicyConfig
    id: LoginappUiContentSecurityPolicyConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contentSecurityPolicy: default-src 'self'; object-src 'none'; script-src ${cspNonce} 'strict-dynamic' 'self'; img-src 'self' data: https://api.futurae.com; connect-src 'self' https://api.futurae.com wss://api.futurae.com; base-uri 'self'; frame-ancestors 'none';
    
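    An added example (not code from Airlock IAM or this reference) showing the placeholder mechanism and the documented iframe customization in Go: a fresh nonce is substituted for ${cspNonce} in the documented default policy, script tags are checked for the current nonce, and only frame-ancestors is relaxed for embedding. That the substitution yields the quoted 'nonce-…' source expression, the sample HTML, the origin https://portal.example and the function names are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"regexp"
	"strings"
)

// defaultPolicy is the plugin's documented default; ${cspNonce} is replaced per request.
const defaultPolicy = "default-src 'self'; object-src 'none'; script-src ${cspNonce} 'strict-dynamic' 'self'; " +
	"img-src 'self' data: https://api.futurae.com; connect-src 'self' https://api.futurae.com wss://api.futurae.com; " +
	"base-uri 'self'; frame-ancestors 'none';"

// sampleHTML is a constructed fragment: one correctly nonced script, one inline script without a
// nonce, and one carrying a stale nonce from an earlier response.
const sampleHTML = `<html><head>
<script nonce="abc123" src="/loginapp/app.js"></script>
<script>init()</script>
<SCRIPT nonce="stale">init()</SCRIPT>
</head></html>`

var (
	scriptTag = regexp.MustCompile(`(?is)<script\b([^>]*)>`)
	nonceAttr = regexp.MustCompile(`(?i)\bnonce="([^"]*)"`)
)

// newNonce returns 128 bits of randomness, base64-encoded, as a CSP nonce value.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// renderPolicy substitutes the placeholder with the 'nonce-<value>' source expression for one
// response (that the substitution yields the quoted source expression is an assumption here).
func renderPolicy(policy, nonce string) string {
	return strings.ReplaceAll(policy, "${cspNonce}", "'nonce-"+nonce+"'")
}

// unnoncedScripts lists the script tags in html that a browser blocks under the rendered policy:
// with a nonce source plus 'strict-dynamic', only tags carrying the current nonce may execute
// (scripts those tags load dynamically are then trusted transitively and are not checked here).
func unnoncedScripts(html, nonce string) []string {
	var blocked []string
	for _, m := range scriptTag.FindAllStringSubmatch(html, -1) {
		if a := nonceAttr.FindStringSubmatch(m[1]); a == nil || a[1] != nonce {
			blocked = append(blocked, m[0])
		}
	}
	return blocked
}

// allowEmbedding applies the documented customization for the iframe use case: only the
// frame-ancestors directive is relaxed to the listed parent origins; all other directives stay.
func allowEmbedding(policy string, parents ...string) string {
	return strings.Replace(policy, "frame-ancestors 'none'", "frame-ancestors 'self' "+strings.Join(parents, " "), 1)
}
```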

    Loginapp UI SSO Ticket Extractor

    Description
    Extracts an SSO ticket from the Loginapp UI contained in the request headers. The header is expected to be named "X-IAM-SSO-Ticket".
    Class
    com.airlock.iam.authentication.application.configuration.sso.LoginappUiSsoTicketExtractorConfig
    May be used by
    License-Tags
    SSOTickets
    Properties
    String Transformers (stringTransformers)
    Description
    The chain of string transformers that transform the extracted string value to the final extraction result.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    URL-Decode Header Value (urlDecodeValue)
    Description
    If enabled, URL-decodes the extracted value using the UTF-8 character set.

    URL-decoding is applied before the 'String Transformers' run.

    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.sso.LoginappUiSsoTicketExtractorConfig
    id: LoginappUiSsoTicketExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      stringTransformers:
      urlDecodeValue: true
    

    Lookup and Accept Authenticator

    Description
    This authenticator expects credentials of type UserCredential (or subtypes) and responds with "authentication successful" if a corresponding user was found and is valid. The authentee object returned in the response contains the user's roles and context-data retrieved from the persistency layer. This authenticator is stateless (i.e. does not support multiple authentication steps), therefore the use of a session is not expected.

    An example usage of this plugin is setting it up as the first authenticator of the MetaAuthenticator, which allows merging user roles and context-data with the results of the second authenticator.

    The plugin writes the canonical class name description of this plugin to the context data container. The class name is stored under the key authPluginClassName. A short description of this authentication method is stored under the key authMethodShortDesc. This information may be used by callers.

    Class
    com.airlock.iam.core.misc.impl.authen.LookupAndAcceptAuthenticator
    May be used by
    Properties
    User Persister (userPersister)
    Description
    The user persister plugin used to load and store user information.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Do Not Update User Statistics (doNotUpdateUserStatistics)
    Description
    If this property is set to TRUE, this authenticator will not update the number of failed logins and the login dates on the persistency layer. This makes it suitable for use as part of a larger authentication scheme (e.g. as the first part of the MetaAuthenticator).
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.LookupAndAcceptAuthenticator
    id: LookupAndAcceptAuthenticator-xxxxxx
    displayName: 
    comment: 
    properties:
      doNotUpdateUserStatistics: true
      userPersister:
    

    Lowercase Data Transformer

    Description
    Converts all string data to lowercase.
    Class
    com.airlock.iam.core.misc.util.datatransformer.LowercaseDataTransformer
    May be used by
    Properties
    Properties (properties)
    Description
    Selects the properties to apply the replacement to.
    Use the asterisk character ("*") to replace all properties.
    Attributes
    String-List
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.datatransformer.LowercaseDataTransformer
    id: LowercaseDataTransformer-xxxxxx
    displayName: 
    comment: 
    properties:
      properties:
    

    Lowercase String Transformer

    Description
    Converts the input string to lowercase.
    Class
    com.airlock.iam.common.application.configuration.transform.LowercaseStringTransformerConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.transform.LowercaseStringTransformerConfig
    id: LowercaseStringTransformerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Lowercase Transformation

    Description
    Transforms an input string to its lowercase representation.
    Class
    com.airlock.iam.common.application.configuration.location.transform.LowercaseStringTransformerConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.location.transform.LowercaseStringTransformerConfig
    id: LowercaseStringTransformerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Lowercase Transformer

    Description
    This plugin transforms usernames to lower case. The resulting username has all letters in lower case.
    Class
    com.airlock.iam.core.misc.impl.authen.LowercaseTransformer
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.LowercaseTransformer
    id: LowercaseTransformer-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Mail Notificator

    Description
    Event notificator that sends an email to a configured address for each event. It uses SMTP to send emails.
    Class
    com.airlock.iam.core.misc.impl.notification.MailNotificator
    May be used by
    Properties
    SMTP Host (smtpHost)
    Description
    The hostname or IP address of the SMTP host (mail server).
    Attributes
    String
    Mandatory
    Example
    smtp
    Example
    mailer.company.com
    Example
    192.168.0.13
    SMTP Port (smtpPort)
    Description
    The port number of the SMTP server (mail server). Usually it is port 25.
    Attributes
    Integer
    Optional
    Default value
    25
    SMTP User (smtpUser)
    Description
    The user to authenticate at the SMTP server. This property is optional. If not set or empty, no authentication is performed when connecting to the SMTP server.
    Attributes
    String
    Optional
    Example
    mail
    Example
    root
    Example
    userxyz
    SMTP Password (smtpPassword)
    Description
    The password to authenticate at the SMTP server. This property is optional. If not set or empty, no authentication is performed when connecting to the SMTP server.
    Attributes
    String
    Optional
    Sensitive
    From Address (fromAddress)
    Description
    The from-address of the email being sent when handling an event.
    Attributes
    String
    Mandatory
    Example
    airlock@yourcompany.com
    Example
    authserver@intranet.net
    To Addresses (toAddresses)
    Description
    The to-address of the email being sent when handling an event. Multiple addresses can be specified using a comma-separated list (no spaces!).
    Attributes
    String-List
    Mandatory
    Mail Subject (mailSubject)
    Description
    The subject of the email being sent when handling an event.
    Attributes
    String
    Mandatory
    Example
    Airlock IAM Notification: Renew Matrix Card
    Example
    Notificator for Password Letters
    Mail Template (mailTemplate)
    Description
    The name of the mail template file used to generate the mail body.

    The mail template may contain references enclosed in <%...%>. A corresponding get-method call (bean-like) is performed on the event object and the return value of the method call is used to replace the reference.
    Example: let the mail template contain the following excerpt.
    Dear Mrs. <%lastName%>

     You are subject to our ...
    The method getLastName() is invoked on the event object handled and the return value of the method replaces the <%lastName%> in the mail.

    Attributes
    File/Path
    Mandatory
    Mail Template Encoding (mailTemplateEncoding)
    Description
    This optional property specifies the file encoding of the mail template file.

    This configuration property is optional. If the property is not set, the default file encoding (as returned by System.getProperty("file.encoding")) is used.

    Attributes
    String
    Optional
    Default value
    UTF-8
    Allowed values
    UTF-8, ISO-8859-1, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, ISO-8859-15
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.notification.MailNotificator
    id: MailNotificator-xxxxxx
    displayName: 
    comment: 
    properties:
      fromAddress:
      mailSubject:
      mailTemplate:
      mailTemplateEncoding: UTF-8
      smtpHost:
      smtpPassword:
      smtpPort: 25
      smtpUser:
      toAddresses:
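
    The reference substitution described for the Mail Template property, as an added example (not code from Airlock IAM): references of the form <%name%> are resolved by calling the bean-style getter getName() on the event object, and the template bytes are decoded with one of the encodings the page lists for Mail Template Encoding. The event class, the template text and the decision to treat an unresolvable reference as an error are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Encodings the page lists as allowed values for 'Mail Template Encoding'.
ALLOWED_ENCODINGS = ("UTF-8", "ISO-8859-1", "UTF-16", "UTF-16BE", "UTF-16LE", "US-ASCII", "ISO-8859-15")

# A reference looks like <%lastName%>; the captured name selects a bean-like getter.
REFERENCE = re.compile(r"<%\s*(\w+)\s*%>")


@dataclass
class PasswordLetterEvent:
    """Constructed stand-in for an IAM event object (hypothetical; not an Airlock class)."""
    last_name: str
    username: str

    def getLastName(self) -> str:
        return self.last_name

    def getUsername(self) -> str:
        return self.username


def getter_name(reference: str) -> str:
    """lastName -> getLastName (bean-style getter naming)."""
    return "get" + reference[0].upper() + reference[1:]


def decode_template(raw: bytes, encoding: str = "UTF-8") -> str:
    """Decodes the template file content with the configured encoding."""
    if encoding not in ALLOWED_ENCODINGS:
        raise ValueError(f"unsupported mail template encoding: {encoding}")
    return raw.decode(encoding)


def unresolved_references(template: str, event: object) -> list:
    """Names of <%...%> references for which the event object has no getter."""
    return [ref for ref in REFERENCE.findall(template)
            if not callable(getattr(event, getter_name(ref), None))]


def render_mail_template(template: str, event: object) -> str:
    """Replaces every <%name%> with the return value of event.getName()."""
    def substitute(match):
        ref = match.group(1)
        getter = getattr(event, getter_name(ref), None)
        if not callable(getter):
            # Assumption of this example: an unresolvable reference is an error
            # rather than being left verbatim in the mail body.
            raise KeyError(f"event has no getter for reference <%{ref}%>")
        return str(getter())
    return REFERENCE.sub(substitute, template)


# Constructed template content, stored in ISO-8859-1 as a template file might be.
TEMPLATE_BYTES = "Dear Mrs. <%lastName%>\n\nYou are subject to our ...\n".encode("ISO-8859-1")


if __name__ == "__main__":
    event = PasswordLetterEvent(last_name="Meier", username="meier1")
    print(render_mail_template(decode_template(TEMPLATE_BYTES, "ISO-8859-1"), event))
```

    Checking unresolved_references() at configuration time catches a template that names a getter the event type does not have, before the first notification mail is generated.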
    

    Main Authentication Settings

    Description
    Configures the most important authentication settings. Note that more detailed settings can be specified in the specific modules (e.g. login application, admin application).
    Class
    com.airlock.iam.core.misc.plugin.config.GlobalAuthenticationSettings
    May be used by
    Properties
    Airlock 2FA Settings (airlock2FASettings)
    Description
    Main settings for Airlock 2FA authentication, migration and management. Used in various components of Airlock IAM.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    Airlock2FA
    Assignable plugins
    FIDO Settings (fidoSettings)
    Description
    Main settings for FIDO authentication, migration and management. Used in various components of Airlock IAM.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    FIDO
    Assignable plugins
    MTAN/SMS Settings (mtanSettings)
    Description
    Main settings for MTAN/SMS authentication, registration and management. Used in various components of Airlock IAM.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    mTan
    Assignable plugins
    CrontoSign Settings (crontoSignSettings)
    Description
    Main settings for CrontoSign (PhotoTAN) authentication, registration and management. Used in various components of Airlock IAM.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    Cronto
    Assignable plugins
    OATH OTP Settings (oathOtpSettings)
    Description
    Main settings for OATH OTP authentication (mobile app generating OTP codes), registration and management. Used in various components of Airlock IAM.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    MobileOTP,OathOtp
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.plugin.config.GlobalAuthenticationSettings
    id: GlobalAuthenticationSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      airlock2FASettings:
      crontoSignSettings:
      fidoSettings:
      mtanSettings:
      oathOtpSettings:
    

    Main Authenticator

    Description
    Standard Authenticator for Airlock IAM/Login.

    This is used for simple username/password authentication or for combining a password authenticator with a second authentication step (e.g. mTAN, Cronto, OTP, matrix card, mobile app token, etc.).

    Class
    com.airlock.iam.core.misc.impl.authen.MainAuthenticator
    May be used by
    Properties
    First (first)
    Description
    The password authenticator for the first step.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    User Persister (userPersister)
    Description

    The user persister used to update latest-login dates and number of failed logins (and some other fields if present).

    This assumes that the first and the second authentication steps do not update the information.

    The persister is also used to check whether the user is locked or a password change is enforced. The persister does not load any roles; this must be performed by the enclosed authenticators.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Enable Stealth Mode (enableStealthMode)
    Description

    Enables the "Stealth Mode": if enabled and the overall authentication process fails, the authentication process does not give away information about whether the first or the second factor was wrong.

    This mode increases security by preventing attacks on passwords (since not even a small number of potential passwords can be tested for a given user) and prevents user enumeration under certain conditions (i.e. when the simulation of the second factor cannot be distinguished from the real authentication).

    However, note that legitimate users get less information about what went wrong during the authentication process, which could lead to increased help desk demand.

    Not all authentication steps support this mode.

    Attributes
    Boolean
    Optional
    Default value
    false
    Max Failed Logins (maxFailedLogins)
    Description
    The number of failed logins before a user is locked. Set to zero (0) to disable this feature. This feature only works if a user persister is configured.
    Attributes
    Integer
    Optional
    Default value
    5
    Display Last Login Timestamp (displayLastLoginTimestamp)
    Description
    If enabled, displays the timestamp of the last login attempt and whether it was successful. The information is displayed on the page of the second authentication step (if available).
    Attributes
    Boolean
    Optional
    Default value
    false
    Use Username From User Persister (useUsernameFromUserPersister)
    Description
    If enabled, the username from the credential is always replaced with the username of the persisted user. Only disable to support legacy use-cases.
    Attributes
    Boolean
    Optional
    Default value
    true
    Additional User Validators (additionalUserValidators)
    Description
    To validate users beyond the usual tests for being locked or invalid, additional plugins can be added, which e.g. check context data fields. This is only functional if a User Persister is configured.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.MainAuthenticator
    id: MainAuthenticator-xxxxxx
    displayName: 
    comment: 
    properties:
      additionalUserValidators:
      displayLastLoginTimestamp: false
      enableStealthMode: false
      first:
      maxFailedLogins: 5
      second:
      useUsernameFromUserPersister: true
      userPersister:
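
    A simulation of the Main Authenticator's Stealth Mode and Max Failed Logins behaviour described above, added here as an example and not part of Airlock IAM: without stealth mode the caller can tell which factor failed; with stealth mode the second step is evaluated (or simulated) even after a wrong password and a single failure code is returned. The user record, the result codes and the second-factor stand-in are constructed for this example.

```python
import hmac
from dataclasses import dataclass

# Result codes of this simulation (constructed; not Airlock's REST error codes).
OK = "OK"
LOCKED = "LOCKED"
FIRST_FACTOR_FAILED = "FIRST_FACTOR_FAILED"
SECOND_FACTOR_FAILED = "SECOND_FACTOR_FAILED"
AUTHENTICATION_FAILED = "AUTHENTICATION_FAILED"   # the only failure code in stealth mode


@dataclass
class PersistedUser:
    """Stand-in for the fields the user persister tracks (constructed)."""
    password: str
    otp: str                 # stand-in for the second factor (mTAN, OTP, ...)
    failed_logins: int = 0
    locked: bool = False


def _equal(a: str, b: str) -> bool:
    # Constant-time comparison so timing does not reveal which factor was wrong.
    return hmac.compare_digest(a.encode(), b.encode())


class MainAuthenticatorSim:
    def __init__(self, users, max_failed_logins=5, enable_stealth_mode=False):
        self.users = users
        self.max_failed_logins = max_failed_logins       # 0 disables locking
        self.enable_stealth_mode = enable_stealth_mode

    def _record_failure(self, user):
        user.failed_logins += 1
        if self.max_failed_logins > 0 and user.failed_logins >= self.max_failed_logins:
            user.locked = True

    def authenticate(self, username, password, otp):
        user = self.users[username]
        if user.locked:                      # lock state comes from the persister
            return LOCKED
        first_ok = _equal(password, user.password)
        if not first_ok and not self.enable_stealth_mode:
            self._record_failure(user)       # non-stealth: stop early, name the factor
            return FIRST_FACTOR_FAILED
        # Stealth mode: the second step runs even when the first one failed.
        second_ok = _equal(otp, user.otp)
        if first_ok and second_ok:
            user.failed_logins = 0           # success resets the counter
            return OK
        self._record_failure(user)
        return AUTHENTICATION_FAILED if self.enable_stealth_mode else SECOND_FACTOR_FAILED


def _fresh_authenticator(max_failed_logins=5, enable_stealth_mode=False):
    users = {"alice": PersistedUser(password="correct horse battery", otp="123456")}
    return MainAuthenticatorSim(users, max_failed_logins, enable_stealth_mode), users["alice"]


def observable_failure_codes(enable_stealth_mode):
    """Codes a client can observe for 'wrong password' versus 'wrong second factor'."""
    auth, _ = _fresh_authenticator(enable_stealth_mode=enable_stealth_mode)
    return {auth.authenticate("alice", "wrong", "123456"),
            auth.authenticate("alice", "correct horse battery", "000000")}


def failures_until_locked(max_failed_logins, attempts=50):
    """Number of wrong-password attempts after which the user is locked, or None if never."""
    auth, alice = _fresh_authenticator(max_failed_logins)
    for n in range(1, attempts + 1):
        auth.authenticate("alice", "wrong", "123456")
        if alice.locked:
            return n
    return None


def result_after_lockout(max_failed_logins=3):
    """Even correct credentials are rejected once the persister reports the user as locked."""
    auth, _ = _fresh_authenticator(max_failed_logins)
    for _ in range(max_failed_logins):
        auth.authenticate("alice", "wrong", "123456")
    return auth.authenticate("alice", "correct horse battery", "123456")
```

    The trade-off the page mentions is visible in observable_failure_codes(): in stealth mode a legitimate user who mistyped the password gets the same answer as one whose second factor was wrong.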
    

    Main Settings

    Description
    Configures globally available plugins that can act as default plugins for selected places so that identically configured plugins do not have to be added to the plugins again and again.
    Class
    com.airlock.iam.core.misc.plugin.config.GlobalConfiguration
    Properties
    Authentication Settings (authenticationSettings)
    Description
    Main settings related to authentication.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Password Settings (passwordSettings)
    Description
    Main password-related settings. Used in authentication, policy enforcement, password management and so on.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Data Sources (dataSources)
    Description
    Configures data sources (e.g. databases or directories) for the following data (excerpt):
    • User data
    • Token data

    Note that data sources for some tokens are configured directly in the corresponding token-specific settings.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    State Repository (stateRepository)
    Description
    Defines where IAM stores all state. As long as only one instance of IAM is running (no horizontal scaling), the in-memory repository can be used.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Correlation ID Settings (correlationIdSettings)
    Description
    Defines settings for correlation ID transfer and logging across all modules.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.plugin.config.GlobalConfiguration
    id: GlobalConfiguration-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationSettings:
      correlationIdSettings:
      dataSources:
      passwordSettings:
      stateRepository:
    

    Maintenance Message Configuration

    Description
    Configuration of the maintenance messages facility.
    Class
    com.airlock.iam.admin.application.configuration.maintenancemessages.MaintenanceMessageConfiguration
    May be used by
    License-Tags
    MaintenanceMessages
    Properties
    Enable Menu Item (enableMenuItem)
    Description
    Set to false to disable the navigation item for the maintenance messages facility.
    Attributes
    Boolean
    Optional
    License-Tags
    MaintenanceMessages
    Default value
    true
    Messages Per Page (messagesPerPage)
    Description
    Maximum number of messages per page to display on the maintenance messages list page.
    Attributes
    Integer
    Optional
    License-Tags
    MaintenanceMessages
    Default value
    50
    Persister (persister)
    Description
    The persister plugin used to load and store maintenance messages (e.g. from/to a database or directory).
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    MaintenanceMessages
    Assignable plugins
    Languages (languages)
    Description
    List of valid languages. System messages can be configured for each defined language.
    Use the ISO-2-letter language code.
    Attributes
    String-List
    Mandatory
    License-Tags
    MaintenanceMessages
    Locations (locations)
    Description

    Multiple locations on the login page can be defined for separate maintenance messages.

    The locations configured here are selectable in the maintenance message editor in the Adminapp.

    Attributes
    Plugin-List
    Optional
    License-Tags
    MaintenanceMessages
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.maintenancemessages.MaintenanceMessageConfiguration
    id: MaintenanceMessageConfiguration-xxxxxx
    displayName: 
    comment: 
    properties:
      enableMenuItem: true
      languages:
      locations:
      messagesPerPage: 50
      persister:
    

    Maintenance Message Settings

    Description
    Configuration of maintenance messages. If a maintenance message is valid and it indicates that the system is not available, the system-not-available page is displayed instead of the requested page and the Airlock session is terminated.
    Class
    com.airlock.iam.login.misc.plugin.MaintenanceMessageConfig
    May be used by
    License-Tags
    MaintenanceMessages
    Properties
    Message Service (messageService)
    Description
    The maintenance message service plugin.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    MaintenanceMessages
    Assignable plugins
    Locations (locations)
    Description

    This property specifies all available locations used to display / retrieve maintenance messages. When defined, these identifiers are used to retrieve the messages for the corresponding locations from the session bean. If this property is left empty, the default location (null) is used.

    Note: In order to manage the maintenance messages in the Adminapp, make sure to configure the same locations in the Adminapp's maintenance message settings.

    Attributes
    String-List
    Optional
    License-Tags
    MaintenanceMessages
    YAML Template (with default values)
    
    type: com.airlock.iam.login.misc.plugin.MaintenanceMessageConfig
    id: MaintenanceMessageConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      locations:
      messageService:
    

    Maintenance Message UI Settings

    Description
    UI-specific maintenance message settings. These settings are not relevant when the system is not available. If the system is not available a separate page is displayed.
    Class
    com.airlock.iam.flow.api.application.configuration.MaintenanceMessageUiSettings
    May be used by
    License-Tags
    MaintenanceMessages
    Properties
    Location Filters (locationFilters)
    Description
    The location filter for which maintenance messages should be displayed. Only maintenance message items whose location property is matched by at least one of the filters will be displayed if the corresponding locations are also configured at REST API Configuration > Maintenance Message Settings. If the location functionality is not used, this property should be empty. More information about filtering can be found in the Loginapp REST API documentation.
    Attributes
    Plugin-List
    Optional
    License-Tags
    MaintenanceMessages
    Assignable plugins
    Display on first page only (firstPageOnly)
    Description
    If this flag is enabled, the maintenance message is only displayed on the first page of the flow. The property has no effect on pages that do not belong to a specific flow.
    Attributes
    Boolean
    Optional
    License-Tags
    MaintenanceMessages
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.api.application.configuration.MaintenanceMessageUiSettings
    id: MaintenanceMessageUiSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      firstPageOnly: true
      locationFilters:
    

    Mandatory HTTP Signature Header

    Description
    Verifies that the header is included in the signature if the condition is met.
    Class
    com.airlock.iam.login.app.misc.oneshot.impl.MandatoryHttpSignatureHeadersConfig
    May be used by
    Properties
    HTTP Signature Header (httpSignatureHeader)
    Description
    The name of the header.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Condition (condition)
    Description
    The header is mandatory only if this condition is met. If no condition is defined, the header is always mandatory.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.MandatoryHttpSignatureHeadersConfig
    id: MandatoryHttpSignatureHeadersConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      httpSignatureHeader:
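
    The check this plugin performs, as an added example that is not Airlock code: given the list of headers a request's signature covers, verify that every mandatory header is included, where a header is mandatory unconditionally or only when its condition holds. The example assumes the draft-cavage style Signature header (keyId, algorithm, headers, signature parameters); the rule set, the request dictionaries and the signature values are constructed.

```python
import re

# Parameter list of a Signature header, e.g.
#   keyId="client-1",algorithm="hs2019",headers="(request-target) host date",signature="..."
# (draft-cavage-http-signatures style; an assumption of this example).
PARAM = re.compile(r'(\w+)="([^"]*)"')


def signed_headers(signature_header: str) -> set:
    """Lower-cased names of the headers covered by the signature."""
    params = {k.lower(): v for k, v in PARAM.findall(signature_header)}
    # In the draft, an omitted "headers" parameter means only "date" was signed.
    return set(params.get("headers", "date").lower().split())


def missing_mandatory_headers(signature_header: str, request: dict, rules: list) -> list:
    """request: {'method': ..., 'headers': {lower-cased name: value}}.
    rules: list of (header_name, condition); condition is None (always mandatory)
    or a callable taking the request and returning True when the header is mandatory."""
    covered = signed_headers(signature_header)
    missing = []
    for header, condition in rules:
        if condition is not None and not condition(request):
            continue                      # condition not met: header not mandatory
        if header.lower() not in covered:
            missing.append(header.lower())
    return missing


# Constructed rules: request target and Date are always mandatory; the body
# digest only when the request carries a body, so an unsigned body cannot be swapped.
RULES = [
    ("(request-target)", None),
    ("Date", None),
    ("Digest", lambda req: req["method"] in ("POST", "PUT", "PATCH")
                           or "content-length" in req["headers"]),
]

# Constructed sample signatures and requests.
SIG_NO_DIGEST = 'keyId="client-1",algorithm="hs2019",headers="(request-target) host date",signature="c2ln"'
SIG_WITH_DIGEST = 'keyId="client-1",algorithm="hs2019",headers="(request-target) host date digest",signature="c2ln"'
SIG_DATE_ONLY = 'keyId="client-1",algorithm="hs2019",signature="c2ln"'

POST_REQUEST = {"method": "POST", "headers": {
    "host": "iam.example.test", "date": "Tue, 07 May 2024 10:00:00 GMT",
    "digest": "SHA-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=", "content-length": "42"}}
GET_REQUEST = {"method": "GET", "headers": {
    "host": "iam.example.test", "date": "Tue, 07 May 2024 10:00:00 GMT"}}


if __name__ == "__main__":
    print(missing_mandatory_headers(SIG_NO_DIGEST, POST_REQUEST, RULES))   # ['digest']
```

    This only checks coverage; the signature itself still has to be verified against the key identified by keyId, and a request whose mandatory headers are not covered should be rejected before that verification is attempted.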
    

    Mandatory Password Change Red Flag

    Description
    Red Flag for mandatory password change. Typically raised by a 'password check step' and handled by a 'mandatory password change step'.
    Class
    com.airlock.iam.authentication.application.configuration.password.MandatoryPasswordChangeRedFlagConfig
    May be used by
    Properties
    Name (name)
    Description
    The name of the red flag.
    Attributes
    String
    Optional
    Default value
    MANDATORY_PASSWORD_CHANGE
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.password.MandatoryPasswordChangeRedFlagConfig
    id: MandatoryPasswordChangeRedFlagConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      name: MANDATORY_PASSWORD_CHANGE
    

    Mandatory Password Change Step Config

    Description

    An authentication flow step that forces the user to change the password if the corresponding "red flag" has been raised by a previous step (e.g. during password check).

    Note: If the step is configured such that the old password does not have to be entered (defined by separate password change configuration), do not forget to configure the "Password Attribute Key" in both the password authentication step(s) and in this step.

    Class
    com.airlock.iam.authentication.application.configuration.password.MandatoryPasswordChangeStepConfig
    May be used by
    Properties
    Password Policy (passwordPolicy)
    Description
    The password policy that is checked on a mandatory password change.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Old Password Attempts (oldPasswordAttempts)
    Description
    If this property is defined, the flow is aborted when the number of failed attempts on the old password reaches this limit. Failed attempts on the old password always count as failed logins, even if not limited here.
    Attributes
    Integer
    Optional
    Old Password Required (oldPasswordRequired)
    Description
    If enabled, the old password is also required for the mandatory password change. If disabled, the password from the authentication step is used as the old password. In this case, the same "Password Attribute Key" must be configured in both the password authentication step as well as the mandatory password change step.
    Attributes
    Boolean
    Optional
    Default value
    true
    Red Flag (redFlag)
    Description
    Handles ('takes down') this red flag concerning mandatory password change if it has been raised. The step will be skipped if this red flag has not been raised by a previous step.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    PASSWORD
    Password Attribute Key (passwordAttributeKey)
    Description

    The optional key under which the new password is made available in the identity propagation or from which it should be retrieved if the old password is not required in the request.

    The value can also be retrieved from the session using the "User Passwords Map" value map provider.

    If no key is configured, the new password cannot be used by identity propagators and the new password must always be provided with the request.

    Important: Multiple Mandatory Password Change steps or Password Authentication steps that have the same value for this property might override each other's passwords.

    Note: This feature will not work when end-to-end encryption is used.

    Attributes
    String
    Optional
    Suggested values
    PASSWORD
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.password.MandatoryPasswordChangeStepConfig
    id: MandatoryPasswordChangeStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: PASSWORD
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      oldPasswordAttempts:
      oldPasswordRequired: true
      onFailureGotos:
      passwordAttributeKey:
      passwordPolicy:
      passwordRepository:
      preCondition:
      redFlag:
      stepId:
      tagsOnSuccess:
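
    The Authentication Method ID description above explains why the failed-attempt counter must be keyed by method identifier. The following added example (a simulation, not Airlock code) models a counter keyed by (username, authenticationMethodId) and shows that a shared identifier lets a successful step in one flow reset the counter of the other flow, while distinct identifiers keep the limit effective; it also includes a small configuration lint over step definitions shaped like the YAML template above (authenticationMethodId, passwordRepository). The step lists and the limit are constructed.

```python
from collections import defaultdict


class FailedAttemptCounters:
    """Failed-attempt counters keyed by (username, authenticationMethodId).
    A successful step resets only the counter of its own method id."""

    def __init__(self, limit: int):
        self.limit = limit                 # 0 would disable locking
        self.counts = defaultdict(int)

    def record_failure(self, username, method_id):
        self.counts[(username, method_id)] += 1

    def record_success(self, username, method_id):
        self.counts[(username, method_id)] = 0

    def is_locked(self, username, method_id):
        return self.limit > 0 and self.counts[(username, method_id)] >= self.limit


def wrong_guesses_accepted(flow_a_method_id, flow_b_method_id, limit=5, rounds=20):
    """How many wrong attempts on flow B are accepted within `rounds` when a
    legitimate login on flow A happens between attempts. With a well-configured
    limit this stops at `limit`; with a shared id it never does."""
    counters = FailedAttemptCounters(limit)
    accepted = 0
    for _ in range(rounds):
        if counters.is_locked("alice", flow_b_method_id):
            break
        counters.record_failure("alice", flow_b_method_id)
        accepted += 1
        counters.record_success("alice", flow_a_method_id)   # success on flow A
    return accepted


def shared_method_ids(steps):
    """Config lint: authenticationMethodId values shared by steps that check
    different credentials (different passwordRepository). Steps are dicts shaped
    like the YAML template's properties; a missing id means the template default."""
    repos_by_id = defaultdict(set)
    for step in steps:
        method_id = step.get("authenticationMethodId", "PASSWORD")
        repos_by_id[method_id].add(step.get("passwordRepository"))
    return sorted(m for m, repos in repos_by_id.items() if len(repos) > 1)


# Constructed step configurations for two flows checking two different passwords.
STEPS_SHARED = [
    {"stepId": "flow-a-password", "authenticationMethodId": "PASSWORD",
     "passwordRepository": "PasswordRepository-1"},
    {"stepId": "flow-b-password", "authenticationMethodId": "PASSWORD",
     "passwordRepository": "PasswordRepository-2"},
]
STEPS_DISTINCT = [
    {"stepId": "flow-a-password", "authenticationMethodId": "PASSWORD1",
     "passwordRepository": "PasswordRepository-1"},
    {"stepId": "flow-b-password", "authenticationMethodId": "PASSWORD2",
     "passwordRepository": "PasswordRepository-2"},
]


if __name__ == "__main__":
    print("shared id, wrong guesses accepted:", wrong_guesses_accepted("PASSWORD", "PASSWORD"))
    print("distinct ids, wrong guesses accepted:", wrong_guesses_accepted("PASSWORD1", "PASSWORD2"))
    print("ids to fix:", shared_method_ids(STEPS_SHARED))
```

    Running shared_method_ids() over exported step configurations is a cheap review step whenever more than one password-checking step exists; the 23-character length limit on the identifier from the property's attributes still applies to any id chosen.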
    

    Mapped Context Data Field

    Description
    Allows defining the name under which this context data field is mapped to an external interface.
    Class
    com.airlock.iam.admin.application.configuration.generic.MappedContextDataField
    May be used by
    Properties
    Mapped Name (name)
    Description
    The name under which this context data field is mapped to an external interface.

    Note that an entry named 'myName' will be nested in a map called 'contextData' and thus mapped to an external interface as data.attributes.contextData.myName.

    Attributes
    String
    Mandatory
    Type (dataType)
    Description
    The type of the context data field.
    Attributes
    Enum
    Optional
    Default value
    STRING
    Access Type (accessType)
    Description
    The access type that applies to this attribute and which gets enforced in REST.
    Attributes
    Enum
    Optional
    Default value
    READ_WRITE
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.generic.MappedContextDataField
    id: MappedContextDataField-xxxxxx
    displayName: 
    comment: 
    properties:
      accessType: READ_WRITE
      dataType: STRING
      name:
    

    Mapped Ticket Element

    Description
    This Ticket Element allows transforming the values in a ticket with a map that can be specified.
    Class
    com.airlock.iam.core.misc.util.ticket.service.MappedTicketElement
    May be used by
    Properties
    Value transformation map (transformationMap)
    Description
    Defines a key-value list with transformation rules for ticket element values.

    For every ticket element value, a look-up into the map is performed. The value of the first matching entry replaces the original ticket element value. If no matching entry is found, the resulting ticket element value is determined by the configured 'No Match Behavior' which returns the original value by default.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    No Match Behavior (noMatchBehavior)
    Description
    Defines which value is to be returned if no entry in the transformation map matches the input.
    Attributes
    Enum
    Optional
    Default value
    ORIGINAL_VALUE
    Ticket Key (ticketKey)
    Description
    This property defines the key used to put the value in the ticket.

    Note that for the special valueRef @all-context-data, the value of this property is ignored because the keys of the context data entries are used.

    Attributes
    String
    Mandatory
    Example
    username
    Example
    roles
    Example
    lang
    Example
    authentication-method
    Value Reference (valueRef)
    Description
    This property specifies the context data key to use as value.
    Some keys have special meanings to add the username, the roles or all additional values.
    Attributes
    String
    Mandatory
    Example
    @username
    Example
    @roles
    Example
    @all-additional-values
    Example
    givenname
    Example
    surname
    Example
    country
    Example
    email
    Example
    company
    Example
    language
    Example
    authMethod
    Mandatory (mandatory)
    Description
    Enforces that the value of the corresponding key is set and has only non-empty values. Depending on the valueRef, this is enforced after the transformation as follows:
    • @username: only non-empty usernames are allowed
    • @roles: at least one role must be assigned
    • context data key: the corresponding context data must exist and all values of the key must be non-empty
    • @all-context-data: the values of all context data must be non-empty
    • @all-additional-values: all additional data must have at least one value and all values must be non-empty
    • additional value key: the selected additional data must exist, have at least one value and all values must be non-empty
    In case of a violation, the ticket cannot be created and an exception is thrown, which in most cases results in a technical error.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.ticket.service.MappedTicketElement
    id: MappedTicketElement-xxxxxx
    displayName: 
    comment: 
    properties:
      mandatory: false
      noMatchBehavior: ORIGINAL_VALUE
      ticketKey:
      transformationMap:
      valueRef:
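
    The element's behaviour, as an added example that is not Airlock code: a valueRef is resolved against the authentee (with the special @username, @roles, @all-context-data and @all-additional-values values described above), each value is looked up in the transformation map with the first matching entry winning, a non-matching value is kept under the default ORIGINAL_VALUE behaviour, and the Mandatory check rejects missing or empty values after transformation. The Authentee class, the DROP_VALUE alternative (a stand-in for a non-default No Match Behavior; not an Airlock enum value) and the sample data are constructed.

```python
from dataclasses import dataclass, field

ORIGINAL_VALUE = "ORIGINAL_VALUE"   # default 'No Match Behavior' from the page
DROP_VALUE = "DROP_VALUE"           # hypothetical alternative for this simulation only


class TicketCreationError(Exception):
    """A mandatory element is missing or empty: the ticket cannot be created."""


@dataclass
class Authentee:
    """Constructed stand-in for the authenticated subject."""
    username: str
    roles: list
    context_data: dict = field(default_factory=dict)   # key -> list of values


def resolve_value_ref(authentee, value_ref, ticket_key, additional_values=None):
    """Returns {ticket key: [values]}. For the @all-* references the configured
    ticketKey is ignored and the entries' own keys are used instead."""
    additional_values = additional_values or {}
    if value_ref == "@username":
        return {ticket_key: [authentee.username]}
    if value_ref == "@roles":
        return {ticket_key: list(authentee.roles)}
    if value_ref == "@all-context-data":
        return {k: list(v) for k, v in authentee.context_data.items()}
    if value_ref == "@all-additional-values":
        return {k: list(v) for k, v in additional_values.items()}
    # Plain key: context data when the element is content, additional values
    # when it is configured as additional content (both checked here for brevity).
    if value_ref in authentee.context_data:
        return {ticket_key: list(authentee.context_data[value_ref])}
    if value_ref in additional_values:
        return {ticket_key: list(additional_values[value_ref])}
    return {}


def transform(value, transformation_map, no_match_behavior):
    """Applies the first matching (key, replacement) entry; None means 'drop'."""
    for key, replacement in transformation_map:
        if key == value:
            return replacement
    return value if no_match_behavior == ORIGINAL_VALUE else None


def mapped_ticket_element(authentee, ticket_key, value_ref, transformation_map=(),
                          no_match_behavior=ORIGINAL_VALUE, mandatory=False,
                          additional_values=None):
    entries = resolve_value_ref(authentee, value_ref, ticket_key, additional_values)
    if mandatory and not entries and not value_ref.startswith("@all-"):
        raise TicketCreationError(f"mandatory element '{ticket_key}' ({value_ref}) has no source value")
    result = {}
    for key, values in entries.items():
        transformed = [t for t in (transform(v, transformation_map, no_match_behavior)
                                   for v in values) if t is not None]
        if mandatory and (not transformed or any(t == "" for t in transformed)):
            raise TicketCreationError(f"mandatory element '{key}' is empty after transformation")
        result[key] = transformed
    return result


def element_is_valid(authentee, ticket_key, value_ref, **kwargs) -> bool:
    """True if the element can be produced, False if the mandatory check rejects it."""
    try:
        mapped_ticket_element(authentee, ticket_key, value_ref, **kwargs)
        return True
    except TicketCreationError:
        return False


# Constructed sample authentee: one well-formed context entry and one empty one.
ALICE = Authentee("alice", ["admin", "user"],
                  {"email": ["alice@example.test"], "dept": [""]})


if __name__ == "__main__":
    print(mapped_ticket_element(ALICE, "roles", "@roles", [("admin", "ROLE_ADMIN")]))
    print(element_is_valid(ALICE, "dept", "dept", mandatory=True))   # False: empty value
```

    Mandatory matters for keys a receiving application authorises on: with mandatory set, a user whose role mapping produced no value fails ticket creation instead of receiving a ticket with an empty roles claim.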
    

    Mapping Ticket Service

    Description
    The mapping ticket service is a configurable ticket service.

    The pieces of information to be encoded in an authentication ticket are selected from the authentee name, roles, context data as well as the additional key-value-pairs passed to the plugin.

    All pieces of data selected to be stored in the ticket can be stored under a configurable name. This plugin is thus suitable for using different user ids for different receiving applications.

    Class
    com.airlock.iam.core.misc.util.ticket.service.MappingTicketService
    May be used by
    Properties
    Constant Content (constantContent)
    Description
    Defines a list of data elements to be stored in the ticket.

    Note that values selected here can be overwritten by content or additional content (see other configuration properties) using the same ticket key.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Content from Authentee (content)
    Description
    Defines a list of data elements to be stored in the ticket taken from the authentee. The values can be transformed using regular expression replacement patterns or a map.

    The values are interpreted as follows:

    • The value @username refers to the authentee's name.
    • The value @roles refers to the authentee's roles.
    • The value @all-context-data refers to all context data of the authentee. If used, all context data entries are stored in the ticket using their own keys. The ticketKey (see other property description) is ignored for this value. Even if this special value is used, selected context data container entries can still be selected by their name (see item below).
    • All other values are used to reference a value in the context data container of the authentee.

    Note that values selected here can be overwritten by additional values (see other configuration property) using the same ticket key.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Additional Content (additionalContent)
    Description
    This property defines values to be stored in the issued ticket taken from the list of additional key-value-pairs passed to this plugin.

    The values are interpreted as follows:

    • The value @all-additional-values refers to all additional key-value-pairs provided to this plugin. If used, these values are stored in the ticket using their own keys. The ticketKey (see other property description of list elements) is ignored for this value. Even if this special value is used, selected additional values can still be selected by their name (see item below).
    • All other values are used to reference a single additional value in the list of additional key-value-pairs.

    Note that values selected here can overwrite values from the context data container of the authentee (see other configuration property) using the same ticket key.

    Values available for identity propagation: The following values are available for identity propagation, if the corresponding feature is licensed and configured.
    Values available in REST login identity propagation, when using the 'REST Identity Propagation' plugin:

    • AUTH_TIMESTAMP: the time of authentication
    • AUTH_TOKEN_ID: the auth token id as used for transaction approval
    • REPRESENTER_ID: the representer's ID, as used for user representation
    Values available in the HTML login application identity propagation:
    • AUTH_TIMESTAMP: the time of authentication
    • AUTH_TOKEN_ID: the auth token id as used for transaction approval
    • AUTH_PLUGIN: the authentication plugin identifier
    • LANG: the user's language as used in the login forms
    • GSID: the global session identifier
    • CLIENT_IP: the client's IP address
    • GEOLOCATION_CITY: the geolocation city
    • GEOLOCATION_CONTINENT_CODE: the geolocation continent code
    • GEOLOCATION_COUNTRY_CODE: the geolocation country code
    • GEOLOCATION_LATITUDE: the geolocation latitude
    • GEOLOCATION_LONGITUDE: the geolocation longitude
    • GEOLOCATION_SUBDIVISION_CODE: the geolocation subdivision code
    • GEOLOCATION_TIMEZONE: the geolocation timezone
    • GEOLOCATION_ZIP: the geolocation zip
    • REPRESENTER_ID: the representer's ID, as used for user representation
    • OPENID_CONNECT_ID_TOKEN: the OpenID Connect ID Token that may have been used for the authentication.
    • OAUTH2_ACCESS_TOKEN: the OAuth 2.0 or OpenID Connect Access Token that may have been used for the authentication.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
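Added example, not Airlock IAM code: a constructed model of how the three content lists of the Mapping Ticket Service combine into one ticket, following the precedence stated above (constant content, overwritten by content from the authentee, overwritten by additional content for the same ticket key). The element fields mirror the MappedTicketElement properties valueRef, ticketKey, mandatory and transformationMap; the Authentee class and all sample values are assumptions.

```python
"""Added example, not Airlock IAM code: assembling ticket content the way the
Mapping Ticket Service description specifies (constant content, then content
from the authentee, then additional content, later lists overwriting earlier
ones for the same ticket key)."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class Authentee:
    """Constructed stand-in for the authenticated user."""
    name: str
    roles: List[str]
    context_data: Dict[str, str]


@dataclass
class TicketElement:
    value_ref: str                                    # what to take (valueRef)
    ticket_key: Optional[str] = None                  # key in the ticket; defaults to value_ref
    mandatory: bool = False                           # fail if the referenced value is absent
    transformation_map: Dict[str, str] = field(default_factory=dict)

    @property
    def key(self) -> str:
        return self.ticket_key or self.value_ref

    def transform(self, value: Any) -> Any:
        # noMatchBehavior ORIGINAL_VALUE: a value not found in the map is kept as-is.
        if isinstance(value, str):
            return self.transformation_map.get(value, value)
        return value


class MissingMandatoryValue(Exception):
    """Raised when a mandatory element has no source value."""


def content_from_authentee(authentee: Authentee, elements: List[TicketElement]) -> Dict[str, Any]:
    """Resolve the 'Content from Authentee' list: @username, @roles, @all-context-data
    or the name of a context data entry."""
    out: Dict[str, Any] = {}
    for el in elements:
        ref = el.value_ref
        if ref == "@username":
            out[el.key] = el.transform(authentee.name)
        elif ref == "@roles":
            out[el.key] = [el.transform(r) for r in authentee.roles]
        elif ref == "@all-context-data":
            # Every context data entry is stored under its own key; ticketKey is ignored.
            out.update(authentee.context_data)
        elif ref in authentee.context_data:
            out[el.key] = el.transform(authentee.context_data[ref])
        elif el.mandatory:
            raise MissingMandatoryValue(ref)
    return out


def additional_content(values: Dict[str, str], elements: List[TicketElement]) -> Dict[str, Any]:
    """Resolve the 'Additional Content' list: @all-additional-values or a single key
    from the key-value pairs passed to the ticket service."""
    out: Dict[str, Any] = {}
    for el in elements:
        ref = el.value_ref
        if ref == "@all-additional-values":
            out.update(values)                        # own keys, ticketKey ignored
        elif ref in values:
            out[el.key] = el.transform(values[ref])
        elif el.mandatory:
            raise MissingMandatoryValue(ref)
    return out


def build_ticket(constant: Dict[str, Any], content: List[TicketElement],
                 additional: List[TicketElement], authentee: Authentee,
                 additional_values: Dict[str, str]) -> Dict[str, Any]:
    """Merge the three sources in ascending precedence, as the reference describes."""
    ticket: Dict[str, Any] = dict(constant)                           # lowest precedence
    ticket.update(content_from_authentee(authentee, content))         # overwrites constants
    ticket.update(additional_content(additional_values, additional))  # overwrites both
    return ticket


if __name__ == "__main__":
    # Constructed sample: the key "uid" is defined by all three sources.
    alice = Authentee("alice", ["user", "admin"], {"dept": "finance", "uid": "1001"})
    ticket = build_ticket(
        {"issuer": "iam", "uid": "unknown"},
        [TicketElement("@username", "sub"), TicketElement("uid"),
         TicketElement("dept", "department", transformation_map={"finance": "FIN"})],
        [TicketElement("AUTH_TIMESTAMP", "iat"), TicketElement("uid")],
        alice,
        {"AUTH_TIMESTAMP": "2024-01-01T00:00:00Z", "uid": "9999"},
    )
    print(ticket)   # "uid" comes from the additional values, the highest-precedence source
```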
    Validity Millis (validityMillis)
    Description
    Defines the number of milliseconds the tickets issued by this service are valid for.
    Attributes
    Long
    Optional
    Default value
    28800000
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.ticket.service.MappingTicketService
    id: MappingTicketService-xxxxxx
    displayName: 
    comment: 
    properties:
      additionalContent:
      constantContent:
      content:
      validityMillis: 28800000
    

    Mask Token

    Description
    Logs an excerpt of the token. The parameters must be chosen considering the 'Token Random Part Length' in the OAuth 2.0 configuration: a larger token length may allow for a larger number of characters to be logged.

    Be aware that logging token information is detrimental to security.

    Class
    com.airlock.iam.oauth2.application.configuration.logging.MaskTokenLogStrategy
    May be used by
    Properties
    Number Of Leading Characters (numberOfLeadingCharacters)
    Description
    Number of leading characters to log.
    Attributes
    Integer
    Mandatory
    Number Of Trailing Characters (numberOfTrailingCharacters)
    Description
    Number of trailing characters to log.
    Attributes
    Integer
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.logging.MaskTokenLogStrategy
    id: MaskTokenLogStrategy-xxxxxx
    displayName: 
    comment: 
    properties:
      numberOfLeadingCharacters:
      numberOfTrailingCharacters:
    

    Masking Settings

    Description
    Settings for masking a string value.
    Class
    com.airlock.iam.common.application.configuration.masking.StringMaskingConfig
    May be used by
    Properties
    Visible Start (visibleStart)
    Description
    The number of visible characters at the start of the string.

    Note that if the length of the string is shorter or equal to the number of visible characters at the start and end, the string is not masked.

    Attributes
    Integer
    Optional
    Default value
    3
    Visible End (visibleEnd)
    Description
    The number of visible characters at the end of the string.

    Note that if the length of the string is shorter or equal to the number of visible characters at the start and end, the string is not masked.

    Attributes
    Integer
    Optional
    Default value
    5
    Masking Character (maskingCharacter)
    Description
    The character used for masking.
    Attributes
    String
    Optional
    Length <= 1
    Default value
    *
    Example
    *
    Example
    #
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.masking.StringMaskingConfig
    id: StringMaskingConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      maskingCharacter: '*'  # quoted: a bare * would be read as a YAML alias
      visibleEnd: 5
      visibleStart: 3
    
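Added example, not Airlock IAM code: the masking rule described under Masking Settings (visible start, visible end, masking character, no masking when the string is not longer than the visible parts) applied to a constructed value, plus a helper that reports how many characters a given configuration hides, which is the figure to check when the masked value is a token.

```python
"""Added example, not Airlock IAM code: the masking rule described by the
Masking Settings plugin, applied to a constructed value."""


def mask_string(value: str, visible_start: int = 3, visible_end: int = 5,
                masking_character: str = "*") -> str:
    """Keep visible_start leading and visible_end trailing characters and replace
    everything in between with masking_character. As the reference states, a string
    whose length is shorter than or equal to visible_start + visible_end is returned
    unmasked. The defaults 3, 5 and '*' are the plugin's defaults."""
    if len(masking_character) > 1:               # Attributes: Length <= 1
        raise ValueError("masking character must be at most one character")
    if visible_start < 0 or visible_end < 0:
        raise ValueError("visible counts must not be negative")
    if len(value) <= visible_start + visible_end:
        return value                             # too short: not masked at all
    hidden = len(value) - visible_start - visible_end
    # value[len(value) - visible_end:] is used instead of value[-visible_end:] so that
    # visible_end == 0 yields an empty tail rather than the whole string.
    return (value[:visible_start]
            + masking_character * hidden
            + value[len(value) - visible_end:])


def hidden_characters(length: int, visible_start: int = 3, visible_end: int = 5) -> int:
    """Number of characters of a value of the given length that the configuration hides.
    Useful for sizing the visible parts against a token's length before logging it."""
    if length <= visible_start + visible_end:
        return 0
    return length - visible_start - visible_end


if __name__ == "__main__":
    sample = "sessionid12345678"                 # constructed, 17 characters
    print(mask_string(sample))                   # ses*********45678
    print(mask_string("abcdefgh"))               # abcdefgh: exactly 8 characters, unmasked
    print(hidden_characters(len(sample)))        # 9
```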

    Matching Username

    Description

    Condition that is fulfilled if the username matches the configured regex.

    This condition uses the transformed "tentative" username, which is available as soon as the provided username is resolved. This means that it can be used inside, but not before, a user identifying step.

    If no user has been identified yet, the condition is not fulfilled.

    Class
    com.airlock.iam.flow.shared.application.configuration.condition.UsernameMatchingConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step,
    CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services,
    OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step,
    User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step,
    mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow,
    Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    Pattern (pattern)
    Description
    The regular expression against which the username is matched.
    Attributes
    RegEx
    Mandatory
    Case Sensitive (caseSensitive)
    Description
    If disabled, the case of characters is ignored when matching the pattern against the username.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.condition.UsernameMatchingConditionConfig
    id: UsernameMatchingConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      caseSensitive: true
      pattern:
    

    Matrix Authentication Step

    Description
    Configuration for a matrix/index list authentication flow step.
    Class
    com.airlock.iam.authentication.application.configuration.matrix.MatrixAuthStepConfig
    May be used by
    License-Tags
    Matrixcard
    Properties
    TAN Service (tanService)
    Description
    The TAN service to be used.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    TAN List Type (tanListType)
    Description
    The type of the Matrix Card/TAN list to be used. It is one of the following:
    • Indexed TAN list: A token list with an index next to each token. The tokens are queried in random order.
    • Matrix card: A matrix card with the tokens organized in rows and columns. The tokens are queried in random order.
    Attributes
    Enum
    Mandatory
    Token List Renderer (tokenListRenderer)
    Description
    Tells the authenticator which token list renderer has been used for producing the matrix card. This is needed for the translation of internal indices to challenge coordinates.
    This property is only required if "TAN List Type" is set to Matrix card.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    MATRIX
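Added example, not Airlock IAM code: a constructed model of the failed-attempts counter keyed by 'Authentication Method ID', reproducing the PASSWORD1/PASSWORD2 scenario described above. The policy class, the step function, the lock threshold and the user and password values are all assumptions chosen to show why two steps checking different credentials need distinct identifiers.

```python
"""Added example, not Airlock IAM code: a constructed model of the failed-attempts
counter keyed by 'Authentication Method ID', showing why two steps that check
different credentials must not share one identifier."""
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple


class FailedAttemptsPolicy:
    """One counter per (username, authentication method id). A successful step resets
    the counter of its own method id; the user is locked once a counter exceeds
    max_failed_attempts (the 'global failed attempts limit' of the reference)."""

    def __init__(self, max_failed_attempts: int) -> None:
        self.max_failed_attempts = max_failed_attempts
        self._failed: Dict[Tuple[str, str], int] = defaultdict(int)
        self.locked: Set[str] = set()

    def is_locked(self, username: str) -> bool:
        return username in self.locked

    def failure(self, username: str, method_id: str) -> None:
        key = (username, method_id)
        self._failed[key] += 1
        if self._failed[key] > self.max_failed_attempts:
            self.locked.add(username)

    def success(self, username: str, method_id: str) -> None:
        # Only the counter that belongs to this method id is reset.
        self._failed[(username, method_id)] = 0


def password_step(policy: FailedAttemptsPolicy, username: str, method_id: str,
                  stored: str, supplied: str) -> bool:
    """A minimal password-checking step bound to one authentication method id."""
    if policy.is_locked(username):
        return False
    if supplied == stored:
        policy.success(username, method_id)
        return True
    policy.failure(username, method_id)
    return False


def wrong_guesses_until_lock(max_failed_attempts: int, method_a: str, method_b: str,
                             budget: int = 20) -> Optional[int]:
    """Flow A checks password 1 (known to the caller), flow B checks password 2.
    After every wrong guess on flow B a correct login on flow A is performed, as in
    the scenario of the reference. Returns the number of wrong guesses on flow B
    after which the user is locked, or None if the budget runs out without a lock."""
    policy = FailedAttemptsPolicy(max_failed_attempts)
    user, password1, password2 = "alice", "pw1", "pw2"     # constructed sample
    for n in range(1, budget + 1):
        password_step(policy, user, method_b, password2, f"wrong-{n}")
        if policy.is_locked(user):
            return n
        password_step(policy, user, method_a, password1, password1)
    return None


if __name__ == "__main__":
    # Distinct ids: the PASSWORD2 counter is untouched by successes on PASSWORD1.
    print(wrong_guesses_until_lock(3, "PASSWORD1", "PASSWORD2"))   # 4
    # Shared id: each success on flow A resets the shared counter, so no lock occurs.
    print(wrong_guesses_until_lock(3, "PASSWORD", "PASSWORD"))     # None
```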
    Start Index (startIndex)
    Description
    If indexed token lists (see configuration property "TAN List Type") are used, this property defines the lowest index. Usually the start index is zero or one (default).
    If the "TAN List Type" is not "Indexed TAN list", this property is ignored.
    Attributes
    Integer
    Optional
    Default value
    1
    Challenge Validity [ms] (responseValidityMillis)
    Description
    The number of milliseconds a response is valid for. If a response is provided correctly but after its expiration, the step will fail.

    If not set, this feature is disabled, i.e. challenges never expire (this is the default).

    Attributes
    Integer
    Optional
    Max Retries (maxRetries)
    Description

    The number of times a wrong response can be sent before the flow is aborted. If set to zero (the default), only one attempt is possible.

    The purpose of this setting is usability. The failed attempts counter is always increased upon receiving a wrong response, and the user is locked when the global failed attempts limit is exceeded.

    Attributes
    Integer
    Optional
    Default value
    0
    New Challenge On Retry (newChallengeOnRetry)
    Description
    If "Max Retries" is set to a value bigger than 0, this property specifies if a new challenge is generated for the retry.
    Attributes
    Boolean
    Optional
    Default value
    true
    Count Unanswered Challenges (countUnansweredChallenges)
    Description

    If enabled, any pending challenge that is abandoned will be counted as an unanswered challenge. After too many unanswered challenges (see the "Max Unanswered Challenges" property), further attempts will always fail. This prevents an attacker from being able to "wait" for a specific challenge that has been leaked.

    Important: This feature requires the properties 'Col Challenge Open Since' and 'Col Unanswered Challenges' on the Token List Persister to be configured, otherwise it will not work properly.

    Attributes
    Boolean
    Optional
    Default value
    true
    Unanswered Challenge Timeout [in Hours] (unansweredChallengeTimeout)
    Description
    When "Count Unanswered Challenges" is enabled, this property sets the timeout for unanswered challenges. When an unanswered challenge times out, the unanswered challenges counter is reset. Make sure to also configure the properties 'Col Challenge Open Since' and 'Col Unanswered Challenges' on the Token List Persister, otherwise this feature will not work properly.
    Attributes
    Integer
    Optional
    Default value
    12
    Max Unanswered Challenges (maxUnansweredChallenges)
    Description
    When "Count Unanswered Challenges" is enabled, this property sets the maximum number of unanswered challenges. Once this limit is exceeded, the step will always fail.
    Attributes
    Integer
    Optional
    Default value
    3
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.matrix.MatrixAuthStepConfig
    id: MatrixAuthStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: MATRIX
      countUnansweredChallenges: true
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      maxRetries: 0
      maxUnansweredChallenges: 3
      newChallengeOnRetry: true
      onFailureGotos:
      preCondition:
      requiresActivation: false
      responseValidityMillis:
      skipCondition:
      startIndex: 1
      stepId:
      tagsOnSuccess:
      tanListType:
      tanService:
      tokenListRenderer:
      unansweredChallengeTimeout: 12
    

    Matrix Card Generator Config

    Description
    Configuration settings for the generation of matrix cards.
    Class
    com.airlock.iam.admin.application.configuration.matrixcard.MatrixCardGeneratorConfig
    May be used by
    License-Tags
    Matrixcard
    Properties
    Token Alphabet (tokenAlphabet)
    Description
    Defines the alphabet (or set of characters) of which a token is composed.
    Attributes
    Enum
    Mandatory
    Token Length (tokenLength)
    Description
    Specifies the length of each token on the token list.
    Attributes
    Integer
    Mandatory
    Tokens Per List (tokensPerList)
    Description
    Specifies the total number of tokens per token list.
    Attributes
    Integer
    Mandatory
    Hash Function (hashFunction)
    Description
    Specifies the hash function plugin used by this plugin to produce the hash values of the tokens. Using an insecure hash function (such as the IdentityPasswordHash plugin) results in a potential security vulnerability, in that the token lists may easily be reconstructed from the stored hash values.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token List Renderer (tokenListRenderer)
    Description
    Specifies the token list renderer plugin used.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Delete Old Token Lists (deleteOldTokenLists)
    Description
    Deletes old rendered token lists of a user from the file system when a new one is rendered. Setting this to TRUE results in at most one rendered token list per user.
    If this property is set to TRUE, the plugin must have permission to delete files from the directory.
    Attributes
    Boolean
    Optional
    Default value
    true
    Working Directory (workingDirectory)
    Description
    A writable directory used to store partial reports.
    If this property is defined, the token lists are not directly generated into the output directory (see other property) but they are generated into this working directory and are moved to the output directory once they are done.
    This helps to solve problems with processes that automatically read the rendered token lists and would otherwise pick up partial token lists during generation. Make sure that the working directory and the output directory reside in the same file system (otherwise the move of the generated file will not be atomic).
    The directory is either absolute or relative to the JVM's current directory.
    Attributes
    File/Path
    Optional
    Output Directory (outputDirectory)
    Description
    Directory in the file system to put the rendered token lists in. The directory is either absolute or relative to the JVM's current directory.

    This property is not required if the renderer plugin (see separate property) does not write on the output stream (e.g. sends it somewhere else). It is required otherwise.

    Note: If this property is not defined and the used renderer plugin writes on the output stream, then the result (e.g. a PDF file) is lost.

    Attributes
    File/Path
    Optional
    File Name Prefix (fileNamePrefix)
    Description
    Filename prefix for rendered report files. It is important to set this to a unique value for the kind of reports generated by this task. When this task deletes old reports, it looks at this prefix (and the user id) in order to find out what files to delete. Thus, if this prefix is the same as for other reports and the reside in the same directory, other reports may be deleted.

    Do not use the prefix "pwd-" if password reports are stored in the same directory. This prefix is the default for password letters (and not configurable in older plugin versions).

    This property is optional to be backwards compatible. It is strongly recommended to define a prefix.

    Attributes
    String
    Optional
    Suggested values
    tan-, matrix-, gridcard-
    File Name Suffix (fileNameSuffix)
    Description
    Filename suffix for rendered token list files.
    Attributes
    String
    Optional
    Suggested values
    .pdf, .docx, .txt
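
    The working-directory hand-off and the prefix-based clean-up described in the properties above, as an added Python model written for this page (it is not the generator's own code). The file name layout prefix + user id + "-" + sequence number + suffix, the ".part" extension for the partially rendered file and the user "alice" are assumptions made for the example.

```python
"""Model of the render-to-working-directory, move-to-output-directory pattern
and of the prefix-based clean-up of old token lists (added example)."""
import os
import tempfile


def token_list_filename(prefix, user_id, seq, suffix):
    # assumed layout: prefix and user id are what the clean-up matches on
    return f"{prefix}{user_id}-{seq:04d}{suffix}"


def old_lists_for_user(output_dir, prefix, user_id, suffix):
    """Files the clean-up selects: same prefix, same user id, same suffix."""
    marker = f"{prefix}{user_id}-"
    return sorted(n for n in os.listdir(output_dir)
                  if n.startswith(marker) and n.endswith(suffix))


def publish_token_list(content, *, output_dir, working_dir, prefix, user_id,
                       seq, suffix, delete_old=True):
    """Write the rendered list into working_dir, move it atomically into
    output_dir, then (optionally) delete this user's earlier lists there."""
    if os.stat(working_dir).st_dev != os.stat(output_dir).st_dev:
        # os.replace() is a single rename only within one file system; across
        # file systems it fails, and copy-then-delete would expose a partial file
        raise RuntimeError("working and output directory must share a file system")
    name = token_list_filename(prefix, user_id, seq, suffix)
    partial = os.path.join(working_dir, name + ".part")
    with open(partial, "wb") as fh:
        fh.write(content)            # readers of output_dir never see this file
    os.replace(partial, os.path.join(output_dir, name))
    if delete_old:
        for old in old_lists_for_user(output_dir, prefix, user_id, suffix):
            if old != name:
                os.remove(os.path.join(output_dir, old))
    return name


def prefix_collision_demo():
    """Publish a password letter and two matrix cards for one constructed user;
    returns the listing after a distinct prefix and after a colliding prefix."""
    with tempfile.TemporaryDirectory() as root:
        out = os.path.join(root, "out")
        work = os.path.join(root, "work")
        os.mkdir(out)
        os.mkdir(work)
        common = dict(output_dir=out, working_dir=work, user_id="alice", suffix=".pdf")
        publish_token_list(b"%PDF password letter", prefix="pwd-", seq=1, **common)
        publish_token_list(b"%PDF matrix card", prefix="matrix-", seq=1, **common)
        after_distinct = sorted(os.listdir(out))
        # same prefix as the password letters: the clean-up removes them as well
        publish_token_list(b"%PDF matrix card", prefix="pwd-", seq=2, **common)
        after_collision = sorted(os.listdir(out))
    return after_distinct, after_collision
```

    With distinct prefixes both files survive; with the matrix card task reusing "pwd-", its clean-up deletes the user's password letter. os.replace() is used deliberately instead of shutil.move(), which silently falls back to a non-atomic copy when the two directories are on different file systems.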
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.matrixcard.MatrixCardGeneratorConfig
    id: MatrixCardGeneratorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      deleteOldTokenLists: true
      fileNamePrefix:
      fileNameSuffix:
      hashFunction:
      outputDirectory:
      tokenAlphabet:
      tokenLength:
      tokenListRenderer:
      tokensPerList:
      workingDirectory:
    

    Matrix Public Self-Service Approval Step

    Description
    Configuration for a matrix approval step for public self-service flows.

    Note that unlike identity verification steps, approval steps require an existing user and cannot prevent username enumeration (no stealth mode). It is therefore important that approval steps are only used after an identity verification step.

    Class
    com.airlock.iam.publicselfservice.application.configuration.steps.MatrixCardPublicSelfServiceApprovalStepConfig
    May be used by
    License-Tags
    Matrixcard
    Properties
    TAN Service (tanService)
    Description
    The TAN service to be used.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    TAN List Type (tanListType)
    Description
    The type of the Matrix Card/TAN list to be used. It is one of the following:
    • Indexed TAN list: A token list with an index next to each token. The tokens are queried in random order.
    • Matrix card: A matrix card with the tokens organized in rows and columns. The tokens are queried in random order.
    Attributes
    Enum
    Mandatory
    Token List Renderer (tokenListRenderer)
    Description
    Tells the authenticator which token list renderer has been used for producing the matrix card. This is needed for the translation of internal indices to challenge coordinates.
    This property is only required if "TAN List Type" is set to Matrix card.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    MATRIX
    Start Index (startIndex)
    Description
    If indexed token lists (see configuration property "TAN List Type") are used, this property defines the lowest index. Usually the start index is zero or one (default).
    If the "TAN List Type" is not "Indexed TAN list", this property is ignored.
    Attributes
    Integer
    Optional
    Default value
    1
    Challenge Validity [ms] (responseValidityMillis)
    Description
    The number of milliseconds a response is valid for. If a response is provided correctly but after its expiration, the step will fail.

    If not set, this feature is disabled, i.e. challenges never expire (this is the default).

    Attributes
    Integer
    Optional
    Max Retries (maxRetries)
    Description

    The number of times a wrong response can be sent before the flow is aborted. If set to zero (the default), only one attempt is possible.

    The purpose of this setting is usability. The failed attempts counter is always increased upon receiving a wrong response and the user is locked when the global failed attempts limit is exceeded.

    Attributes
    Integer
    Optional
    Default value
    0
    New Challenge On Retry (newChallengeOnRetry)
    Description
    If "Max Retries" is set to a value bigger than 0, this property specifies if a new challenge is generated for the retry.
    Attributes
    Boolean
    Optional
    Default value
    true
    Count Unanswered Challenges (countUnansweredChallenges)
    Description

    If enabled, any pending challenge that is abandoned will be counted as an unanswered challenge. After too many unanswered challenges (see the "Max Unanswered Challenges" property), further attempts will always fail. This prevents an attacker from being able to "wait" for a specific challenge that has been leaked.

    Important: This feature requires the properties 'Col Challenge Open Since' and 'Col Unanswered Challenges' on the Token List Persister to be configured, otherwise it will not work properly.

    Attributes
    Boolean
    Optional
    Default value
    true
    Unanswered Challenge Timeout [in Hours] (unansweredChallengeTimeout)
    Description
    When "Count Unanswered Challenges" is enabled, this property sets the timeout for unanswered challenges. When an unanswered challenge times out, the unanswered challenges counter is reset. Make sure to also configure the properties 'Col Challenge Open Since' and 'Col Unanswered Challenges' on the Token List Persister, otherwise this feature will not work properly.
    Attributes
    Integer
    Optional
    Default value
    12
    Max Unanswered Challenges (maxUnansweredChallenges)
    Description
    When "Count Unanswered Challenges" is enabled, this property sets the maximum number of unanswered challenges. Once this limit is exceeded, the step will always fail.
    Attributes
    Integer
    Optional
    Default value
    3
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.steps.MatrixCardPublicSelfServiceApprovalStepConfig
    id: MatrixCardPublicSelfServiceApprovalStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: MATRIX
      countUnansweredChallenges: true
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      maxRetries: 0
      maxUnansweredChallenges: 3
      newChallengeOnRetry: true
      onFailureGotos:
      preCondition:
      requiresActivation: false
      responseValidityMillis:
      skipCondition:
      startIndex: 1
      stepId:
      tagsOnSuccess:
      tanListType:
      tanService:
      tokenListRenderer:
      unansweredChallengeTimeout: 12
    

    Matrix Self-Service Approval Step

    Description
    Configuration for a matrix approval step for self-service flows. This can be used to validate self-service operations such as user data changes. Typically, this step is configured between the step where a change is initiated and the step where the change is persisted.

    Be aware that matrix approval does not allow verification of the data via a separate channel. If this additional level of security is required, use Airlock 2FA, Cronto or mTAN approval.

    Class
    com.airlock.iam.selfservice.application.configuration.step.MatrixCardSelfServiceApprovalStepConfig
    May be used by
    License-Tags
    Matrixcard
    Properties
    TAN Service (tanService)
    Description
    The TAN service to be used.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    TAN List Type (tanListType)
    Description
    The type of the Matrix Card/TAN list to be used. It is one of the following:
    • Indexed TAN list: A token list with an index next to each token. The tokens are queried in random order.
    • Matrix card: A matrix card with the tokens organized in rows and columns. The tokens are queried in random order.
    Attributes
    Enum
    Mandatory
    Token List Renderer (tokenListRenderer)
    Description
    Tells the authenticator which token list renderer has been used for producing the matrix card. This is needed for the translation of internal indices to challenge coordinates.
    This property is only required if "TAN List Type" is set to Matrix card.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.
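
    The counter behaviour this property describes (here and in the identical property of the Matrix Public Self-Service Approval Step above), as an added Python model written for this page; it is not Airlock IAM code. The lock threshold of 5, the user record with two passwords and the plain-text comparison are constructed for the example. The function counts how many wrong guesses at password 2 on flow B are still processed before the account locks, when successful logins with password 1 on flow A are interleaved.

```python
"""Model of a per-user failed-attempts counter keyed by authentication method ID
(added example; constructed data, not the product's persistence layer)."""
from collections import defaultdict

LOCK_THRESHOLD = 5   # assumed global failed-attempts limit


class FailedAttemptsStore:
    """Counters keyed by (username, authentication method ID); the user is
    locked as soon as any of their counters reaches the threshold."""

    def __init__(self, threshold=LOCK_THRESHOLD):
        self.threshold = threshold
        self.counters = defaultdict(int)
        self.locked_users = set()

    def failure(self, user, method_id):
        self.counters[(user, method_id)] += 1
        if self.counters[(user, method_id)] >= self.threshold:
            self.locked_users.add(user)

    def success(self, user, method_id):
        # a successful check resets the counter of *this* method ID only
        self.counters[(user, method_id)] = 0


class PasswordStep:
    def __init__(self, method_id, credential_name, store):
        self.method_id = method_id          # the 'Authentication Method ID'
        self.credential_name = credential_name
        self.store = store

    def check(self, user, candidate, users):
        if user in self.store.locked_users:
            return "LOCKED"
        if candidate == users[user][self.credential_name]:   # toy comparison
            self.store.success(user, self.method_id)
            return "OK"
        self.store.failure(user, self.method_id)
        return "WRONG"


def guesses_processed_on_flow_b(distinct_ids, rounds=50):
    """Wrong guesses at password 2 that flow B still processes before the lock
    takes effect, with logins on flow A (password 1 known) in between."""
    users = {"alice": {"password1": "known-to-caller", "password2": "secret"}}  # constructed
    store = FailedAttemptsStore()
    id_a, id_b = ("PASSWORD1", "PASSWORD2") if distinct_ids else ("PASSWORD", "PASSWORD")
    flow_a = PasswordStep(id_a, "password1", store)
    flow_b = PasswordStep(id_b, "password2", store)
    processed = 0
    for i in range(rounds):
        if flow_b.check("alice", f"guess-{i}", users) == "LOCKED":
            break
        processed += 1
        flow_a.check("alice", "known-to-caller", users)   # resets only id_a's counter
    return processed
```

    With PASSWORD1/PASSWORD2 the account locks after the configured five wrong guesses; with a shared "PASSWORD" identifier the successful flow A login resets the same counter every round, so the guess limit is never reached and the loop runs to its cap. The same reasoning applies to MATRIX when two matrix steps check different token lists.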

    Attributes
    String
    Optional
    Length <= 23
    Default value
    MATRIX
    Start Index (startIndex)
    Description
    If indexed token lists (see configuration property "TAN List Type") are used, this property defines the lowest index. Usually the start index is zero or one (default).
    If the "TAN List Type" is not "Indexed TAN list", this property is ignored.
    Attributes
    Integer
    Optional
    Default value
    1
    Challenge Validity [ms] (responseValidityMillis)
    Description
    The number of milliseconds a response is valid for. If a response is provided correctly but after its expiration, the step will fail.

    If not set, this feature is disabled, i.e. challenges never expire (this is the default).

    Attributes
    Integer
    Optional
    Max Retries (maxRetries)
    Description

    The number of times a wrong response can be sent before the flow is aborted. If set to zero (the default), only one attempt is possible.

    The purpose of this setting is usability. The failed attempts counter is always increased upon receiving a wrong response and the user is locked when the global failed attempts limit is exceeded.

    Attributes
    Integer
    Optional
    Default value
    0
    New Challenge On Retry (newChallengeOnRetry)
    Description
    If "Max Retries" is set to a value bigger than 0, this property specifies if a new challenge is generated for the retry.
    Attributes
    Boolean
    Optional
    Default value
    true
    Count Unanswered Challenges (countUnansweredChallenges)
    Description

    If enabled, any pending challenge that is abandoned will be counted as an unanswered challenge. After too many unanswered challenges (see the "Max Unanswered Challenges" property), further attempts will always fail. This prevents an attacker from being able to "wait" for a specific challenge that has been leaked.

    Important: This feature requires the properties 'Col Challenge Open Since' and 'Col Unanswered Challenges' on the Token List Persister to be configured, otherwise it will not work properly.

    Attributes
    Boolean
    Optional
    Default value
    true
    Unanswered Challenge Timeout [in Hours] (unansweredChallengeTimeout)
    Description
    When "Count Unanswered Challenges" is enabled, this property sets the timeout for unanswered challenges. When an unanswered challenge times out, the unanswered challenges counter is reset. Make sure to also configure the properties 'Col Challenge Open Since' and 'Col Unanswered Challenges' on the Token List Persister, otherwise this feature will not work properly.
    Attributes
    Integer
    Optional
    Default value
    12
    Max Unanswered Challenges (maxUnansweredChallenges)
    Description
    When "Count Unanswered Challenges" is enabled, this property sets the maximum number of unanswered challenges. Once this limit is exceeded, the step will always fail.
    Attributes
    Integer
    Optional
    Default value
    3
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.MatrixCardSelfServiceApprovalStepConfig
    id: MatrixCardSelfServiceApprovalStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: MATRIX
      countUnansweredChallenges: true
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      maxRetries: 0
      maxUnansweredChallenges: 3
      newChallengeOnRetry: true
      onFailureGotos:
      preCondition:
      requiresActivation: false
      responseValidityMillis:
      skipCondition:
      startIndex: 1
      stepId:
      tagsOnSuccess:
      tanListType:
      tanService:
      tokenListRenderer:
      unansweredChallengeTimeout: 12
    

    Matrix Token Controller

    Description
    Credential controller to manage matrix cards in the admintool.
    Class
    com.airlock.iam.admin.application.configuration.matrixcard.MatrixTokenController
    May be used by
    License-Tags
    Matrixcard
    Properties
    Identifier (identifier)
    Description
    Identifier for the credential. This is used as value in the authentication method field in the persistence layer. Make sure this value is the same (for the same credential) in all Airlock IAM components.

    Make sure the identifier is unique among all configured credential controllers.

    The identifier is also used as key to translate the display name of this credential controller. The key is assembled as follows: edituserpage.cred.XYZ.title (where XYZ is the identifier).

    Attributes
    String
    Optional
    Default value
    MATRIX
    Suggested values
    MATRIX, GRIDCARD, TAN, TOKENLIST
    Auto Order (autoOrder)
    Description
    Set this flag to true to automatically order a matrix card when it is added to a user.
    Attributes
    Boolean
    Optional
    Default value
    false
    Auto Order For New Users (autoOrderForNewUsers)
    Description
    Set this flag to true to automatically order a matrix card if the user is created.
    Attributes
    Boolean
    Optional
    Default value
    false
    May Be Selected As Auth Method (mayBeSelectedAsAuthMethod)
    Description
    Set this flag to false to prevent this credential from being selected as active authentication method.
    Attributes
    Boolean
    Optional
    Default value
    true
    May Be Selected As Next Auth Method (mayBeSelectedAsNextAuthMethod)
    Description
    Set this flag to false to prevent this credential from being selected as the next (migration) authentication method.
    Attributes
    Boolean
    Optional
    License-Tags
    TokenSelfService
    Default value
    true
    Token List Persister (tokenListPersister)
    Description
    The token list persister used to read and write matrix card data from some persistence layer (e.g. a database or directory).
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Validity Days (validityDays)
    Description
    The number of days a token list is considered valid for. This number is used to calculate the expiration date of a token list based on the token list generation date.

    Make sure to use the same value here as in other Airlock IAM components.

    If this property is not defined, no token list expiry date is displayed.

    Attributes
    Integer
    Optional
    Matrix Card Generator (matrixCardGenerator)
    Description
    If specified, matrix cards can be generated from the admintool.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.matrixcard.MatrixTokenController
    id: MatrixTokenController-xxxxxx
    displayName: 
    comment: 
    properties:
      autoOrder: false
      autoOrderForNewUsers: false
      identifier: MATRIX
      matrixCardGenerator:
      mayBeSelectedAsAuthMethod: true
      mayBeSelectedAsNextAuthMethod: true
      tokenListPersister:
      validityDays:
    

    Matrixcard Authenticator (TAN Challenge)

    Description
    Authenticator based on the tan service interface TanService.

    This authenticator always authenticates in two steps:
    In the first call a UserCredential is expected. If the user exists and the account is active, an AuthenticationFailedChallenge or an AuthenticationFailedToken response is returned.
    In the second step, the answer to the challenge is expected: The credential instance must be of type ChallengeResponseCredential.

    This authenticator takes its authentication decisions by calling the configured tan service.

    The plugin writes the canonical class name of this plugin to the context data container. The class name is stored under the key authPluginClassName. A short description of this authentication method is stored under the key authMethodShortDesc. This information may be used by callers.

    Class
    com.airlock.iam.core.misc.impl.authen.MatrixcardAuthenticator
    May be used by
    License-Tags
    Matrixcard
    Properties
    TAN Service (tanService)
    Description
    The TAN service to be used.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    TAN List Type (tanListType)
    Description
    The type of the TAN list to be used. It is one of the following:
    • INDEXED_LIST: A token list with an index next to each token. The tokens are queried in random order.
    • MATRIX_CARD: A matrix card with the tokens organized in rows and columns. The tokens are queried in random order.
    • TOKEN_LIST: (not recommended) A normal token list that is processed from left to right (or top to bottom, depending on used token list renderer). There are no indices on the list.
    Attributes
    Enum
    Mandatory
    Token List Renderer (tokenListRenderer)
    Description
    Tells the authenticator which token list renderer has been used for producing the matrix card. This is needed for the translation of internal indices to challenge coordinates.
    This property is only required if TAN List Type is set to MATRIX_CARD.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Start Index (startIndex)
    Description
    If indexed token lists (see configuration property "TAN List Type") are used, this property defines the lowest index. Usually the start index is zero or one (default).
    If the "TAN List Type" is not INDEXED_LIST, this property is ignored.
    Attributes
    Integer
    Optional
    Default value
    1
    Challenge Validity Millis (responseValidityMillis)
    Description
    The number of milliseconds a response or token is valid for. If the token is entered correctly but after its expiration, authentication will fail (TOKEN_EXPIRED).

    The value 0 (zero) disables this feature, i.e. tokens never expire (this is the default).

    Attributes
    Integer
    Optional
    Default value
    0
    Max Retries (maxRetries)
    Description
    The number of times the user may enter a wrong response or token before the authentication process is aborted (and the token becomes useless). If set to zero (the default), only one attempt is possible.
    Attributes
    Integer
    Optional
    Default value
    0
    New Challenge On Retry (newChallengeOnRetry)
    Description
    If maxRetries is set to a value bigger than 0, this property specifies if a new challenge is generated for the retry.
    Attributes
    Boolean
    Optional
    Default value
    true
    Count Unanswered Challenges (countUnansweredChallenges)
    Description

    If enabled, any pending challenge that is abandoned will be counted as an unanswered challenge. After too many unanswered challenges (see the "Max Unanswered Challenges" property), further attempts will always fail. This prevents an attacker from being able to "wait" for a specific challenge that has been leaked.

    Important: This feature requires the fields 'Challenge Open Since' and 'Unanswered Challenges' on the Token List Persister to be configured, otherwise it will not work properly.

    Attributes
    Boolean
    Optional
    Default value
    true
    Unanswered Challenge Timeout [in Hours] (unansweredChallengeTimeout)
    Description
    When "Count Unanswered Challenges" is enabled, this property sets the timeout for unanswered challenges. When an unanswered challenge times out, the unanswered challenges counter is reset. Make sure to also configure the 'Challenge Open Since' and 'Unanswered Challenges' fields on the Token List Persister, otherwise this feature will not work properly.
    Attributes
    Integer
    Optional
    Default value
    12
    Max Unanswered Challenges (maxUnansweredChallenges)
    Description
    When "Count Unanswered Challenges" is enabled, this property sets the maximum number of unanswered challenges. Once this limit is exceeded, authentication will always fail.
    Attributes
    Integer
    Optional
    Default value
    3
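
    The unanswered-challenge guard described by "Count Unanswered Challenges", "Unanswered Challenge Timeout" and "Max Unanswered Challenges" (here and in the two matrix approval steps above), together with "Challenge Validity Millis", as an added Python model written for this page; it is not the authenticator's code. Assumptions: a challenge counts as abandoned when a new one is requested while it is still open; a challenge older than the timeout resets the counter instead of being counted; the two persister fields are modelled as plain attributes; Max Retries is 0, so one wrong response consumes the challenge; the 2x2 card is constructed.

```python
"""Model of a matrix-card challenge/response step with the unanswered-challenge
guard and challenge expiry (added example with constructed data)."""
import hmac
import random

HOUR = 3600.0


class TokenListRecord:
    """The persister fields the feature needs (names assumed for the model)."""

    def __init__(self):
        self.challenge_open_since = None   # 'Challenge Open Since', epoch seconds
        self.unanswered_challenges = 0     # 'Unanswered Challenges'
        self.open_coordinate = None        # which card cell is currently asked


class MatrixChallengeStep:
    def __init__(self, card, record, max_unanswered=3, timeout_hours=12,
                 validity_millis=None, rng=None):
        self.card = card                   # coordinate -> token, e.g. {"A1": "1234"}
        self.record = record
        self.max_unanswered = max_unanswered
        self.timeout_seconds = timeout_hours * HOUR
        self.validity_millis = validity_millis   # None: challenges never expire
        self.rng = rng or random.Random()

    def issue_challenge(self, now):
        r = self.record
        if r.open_coordinate is not None:          # previous challenge was not answered
            if now - r.challenge_open_since >= self.timeout_seconds:
                r.unanswered_challenges = 0        # timed out: counter is reset
            else:
                r.unanswered_challenges += 1       # abandoned: counts against the user
        r.open_coordinate = self.rng.choice(sorted(self.card))   # random order
        r.challenge_open_since = now
        return r.open_coordinate

    def _close(self):
        self.record.open_coordinate = None
        self.record.challenge_open_since = None

    def verify(self, response, now):
        r = self.record
        if r.open_coordinate is None:
            return "NO_CHALLENGE"
        if r.unanswered_challenges > self.max_unanswered:
            # checked before the token comparison: waiting for a leaked cell
            # gains nothing once the limit is exceeded; challenge stays open
            return "TOO_MANY_UNANSWERED"
        if self.validity_millis is not None and \
                (now - r.challenge_open_since) * 1000 > self.validity_millis:
            self._close()
            return "TOKEN_EXPIRED"
        expected = self.card[r.open_coordinate]
        self._close()                              # Max Retries 0: one attempt
        if hmac.compare_digest(expected, response):
            r.unanswered_challenges = 0
            return "OK"
        return "WRONG_RESPONSE"


CARD = {"A1": "1234", "A2": "5678", "B1": "9012", "B2": "3456"}   # constructed


def abandonment_scenario():
    """Abandon four challenges within seconds, answer the fifth correctly, then
    come back after the 12 h timeout. Returns the two results and the counter."""
    step = MatrixChallengeStep(CARD, TokenListRecord(), rng=random.Random(7))
    now = 0.0
    for _ in range(5):
        coord = step.issue_challenge(now)
        now += 10
    first = step.verify(CARD[coord], now)          # correct token, but 4 > 3 unanswered
    now += 12 * HOUR
    coord = step.issue_challenge(now)              # stale challenge timed out: reset
    second = step.verify(CARD[coord], now + 1)
    return [first, second, step.record.unanswered_challenges]


def expiry_scenario():
    """Challenge validity of 30 s, then a wrong response consuming the challenge."""
    step = MatrixChallengeStep(CARD, TokenListRecord(), validity_millis=30_000)
    coord = step.issue_challenge(100.0)
    late = step.verify(CARD[coord], 131.0)         # 31 s after issue
    step.issue_challenge(200.0)
    wrong = step.verify("0000", 201.0)
    again = step.verify("0000", 202.0)             # challenge already consumed
    return [late, wrong, again]
```

    The important ordering is in verify(): the unanswered-challenge limit is enforced before the token is compared, so a correct answer to a challenge that was only reached by discarding earlier ones is rejected, and only the timeout (not a fresh challenge) clears the counter.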
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.MatrixcardAuthenticator
    id: MatrixcardAuthenticator-xxxxxx
    displayName: 
    comment: 
    properties:
      countUnansweredChallenges: true
      maxRetries: 0
      maxUnansweredChallenges: 3
      newChallengeOnRetry: true
      responseValidityMillis: 0
      startIndex: 1
      tanListType:
      tanService:
      tokenListRenderer:
      unansweredChallengeTimeout: 12
    

    Maximal Length

    Description
    Validates that the maximal number of characters is not exceeded.
    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.validation.MaxLengthValidationConfig
    May be used by
    Properties
    Translation Key (translationKey)
    Description
    The translation key to use for the error message in case the validation fails. In the translation, the number of allowed characters can be referred to using {{requiredLength}}. A default translation is used when no translation key is configured.
    Attributes
    String
    Optional
    Max Number Of Characters (maxNumberOfCharacters)
    Description
    The maximal number of allowed characters.
    Attributes
    Integer
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.validation.MaxLengthValidationConfig
    id: MaxLengthValidationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      maxNumberOfCharacters:
      translationKey:
    

    Maximum Date

    Description
    Validates that a date does not exceed an upper limit (last possible date).
    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.validation.MaxDateValidationConfig
    May be used by
    Properties
    Maximum Relative [days] (maxRelative)
    Description

    The "maximum relative value" is the upper limit (last possible) for allowed difference in days to the current date. This cannot be used together with "Max Date".

    Examples: A value of 1 means that tomorrow is the latest possible date to enter, a value of -365 means that the entered date has to be at least one year in the past. Use this property to configure a minimal required age.

    Attributes
    Integer
    Optional
    Max Date (maxDate)
    Description

    The latest date allowed to be filled in. This cannot be used together with "Maximum Relative" and it must be in ISO 8601 format.

    Attributes
    String
    Optional
    Example
    2011-12-03
    Example
    2018-02-06
    Translation Key (translationKey)
    Description
    The translation key to use for the error message in case the validation fails. In the translation, the maximum date can be referred to using {{before}}. A default translation is used when no translation key is configured.
    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.validation.MaxDateValidationConfig
    id: MaxDateValidationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      maxDate:
      maxRelative:
      translationKey:
    

    MaxMind Geolocation Provider

    Description
    Geolocation provider based on a local MaxMind GeoLite2 City or Country database.
    Class
    com.airlock.iam.login.application.configuration.geolocation.MaxMindGeolocationProviderConfig
    May be used by
    Properties
    Db File Location (dbFileLocation)
    Description
    The location of the GeoLite2 City or Country database (*.mmdb). GeoIP Legacy databases are not supported.

    Updates to this file are detected automatically.
    Attributes
    File/Path
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.geolocation.MaxMindGeolocationProviderConfig
    id: MaxMindGeolocationProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      dbFileLocation:
    

    MD5 Base64 Password Hash

    Description
    Password hash plug-in that uses MD5 for hashing and base-64 for encoding the result.

    Returns the base-64 encoded version of MD5(password) as hash value, i.e. no salt is included. The hash value is 16 bytes long and results in 24 bytes after base-64 encoding.

    Class
    com.airlock.iam.core.misc.util.password.hash.MD5Base64PasswordHash
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.hash.MD5Base64PasswordHash
    id: MD5Base64PasswordHash-xxxxxx
    displayName: 
    comment: 
    properties:
    

    MD5 Hex Password Hash

    Description
    Password hash plug-in that uses MD5 for hashing and HEX-encoding for the result.

    Returns the HEX-encoded version of MD5(password) as hash value, i.e. no salt is included. The hash value is 16 bytes long and results in 32 bytes after HEX-encoding.

    Class
    com.airlock.iam.core.misc.util.password.hash.MD5HexPasswordHash
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.hash.MD5HexPasswordHash
    id: MD5HexPasswordHash-xxxxxx
    displayName: 
    comment: 
    properties:
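
    As an added example (Python written for this page, not code from Airlock IAM), the following computes the two storage formats the MD5 Base64 and MD5 Hex plug-ins describe, checks the stated lengths, recognises which of the two formats a stored value is in, and shows a consequence of the missing salt: users with the same password get identical stored values. The sample password and the helper names are constructed for this illustration.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import re

# Format fingerprints derived from the page: 32 hex characters, or 22 base-64
# characters followed by "==" (16 raw bytes -> 24 characters).
_HEX_RE = re.compile(r"^[0-9a-fA-F]{32}$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]{22}==$")


def md5_base64(password: str) -> str:
    """Unsalted MD5 of the password, base-64 encoded (24 characters)."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password, hex encoded (32 characters)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def classify_stored_hash(value: str) -> str:
    """Guess which plug-in produced a stored value, by length and alphabet."""
    if _HEX_RE.match(value):
        return "md5-hex"
    if _B64_RE.match(value):
        return "md5-base64"
    return "unknown"


def verify(password: str, stored: str) -> bool:
    """Recompute the hash in the detected format and compare in constant time."""
    fmt = classify_stored_hash(stored)
    if fmt == "md5-hex":
        return hmac.compare_digest(md5_hex(password), stored.lower())
    if fmt == "md5-base64":
        return hmac.compare_digest(md5_base64(password), stored)
    return False


def duplicate_password_groups(user_hashes: dict) -> dict:
    """Without a salt, users sharing a password share a hash value.
    Returns {hash: [users]} for every hash that occurs more than once."""
    groups: dict = {}
    for user, stored in user_hashes.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample store: two users chose the same (weak) password.
    store = {"alice": md5_hex("password"), "bob": md5_hex("password"), "carol": md5_hex("other")}
    print(md5_base64("password"), md5_hex("password"))
    print(duplicate_password_groups(store))
```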
    

    Meta Authenticator

    Description
    This authenticator combines two authenticators and presents them as one. It can be used, for example, to combine username/password authentication with another authentication step.

    First, the first authenticator is called. If authentication with the first authenticator succeeds (or only a password change is enforced), the second authenticator is called. The second authenticator can also depend on user data, so a user-dependent second authentication step can be achieved.
    Example: Username and password verification in the first step and token verification in the second step for user A but challenge-response authentication for user B.

    The first authenticator must be one that accepts credentials with a user name (UserCredential or subclass).
    The second authenticator is then called for the first time with the credential that was passed to the first authenticator in the first step. This is always a credential with a user name.

    The overall authentication is considered to be successful if (and only if) the first authentication step succeeds (or a password change is required) and the second authentication step succeeds. The resulting authentee returned with the successful authentication result is a combination of the results from both authenticators. The set of roles contains both roles from the first and the second authenticator. The context data container contains both the data from the first and the second authenticator. If a key in the context data container is used in both the results from the first and the second authenticators, then the value from the second authenticator's result overwrites the one from the first. If the first and the second authenticators provide a different user name in the authentee object, the one from the second authenticator is used.

    Be careful when using authenticator plug-ins that automatically adjust user information after successful or failed authentication. If an authenticator, for example, resets the number of failed logins after successful authentication, it will not produce what you want when used as first authenticator: it would reset the number of failed logins even if the second authentication step fails. Most authenticators provided by Airlock IAM allow turning off automatic user data updates for this purpose. Make sure to configure them accordingly when using them as part of a bigger authentication process with this plug-in.

    Typical example application: Check username and password against a directory or database and then check a third credential (token, smart card, matrix card) with a separate, user-dependent authentication mechanism.

    For the configured authenticator plugins used in the second step, a channel prefix can optionally be configured. If configured, this prefix is prepended to the current channel when loading the plugins. This is useful, for example, when two authenticators use the same plugin with different configuration sets, or when an authenticator plugin is used multiple times with different configurations.

    If a user persister is configured (this is mandatory if different second authenticator plugins are configured), it is also consulted to check whether the user is locked or if a password change is required after the first authenticator said ok. This is useful if the first authenticator does not support these concepts.

    The plugin writes the canonical class name (including packages) of the authenticator plugin used in the second step into the context data container of the authentication result. The information is written into the context data container as soon as the second authenticator is determined (i.e. after successful authentication with the first authenticator). The class name is stored under the key authPluginClassName.
    A short description of the second authentication method (and only the second one) is stored under the key authMethodShortDesc. This information may be used by callers.

    Class
    com.airlock.iam.core.misc.impl.authen.MetaAuthenticator
    May be used by
    Properties
    Second Authenticators By Auth Method (secondAuthenticatorsByAuthMethod)
    Description
    A map of auth method identifiers to authenticator plugins used in the second step.

    All specified second authenticators must accept a credential with a username only (UserCredential) when called for the first time.

    If no authenticator is found for the chosen method identifier the default second authenticator is used.

    The key in the map corresponds to the authentication method identifier (e.g. "MTAN" or "EMAIL") which must be chosen identically in all Airlock IAM modules for each authentication method. Example values are:

    • PASSWORD
    • MATRIX
    • MTAN
    • OATH_OTP
    • CERTIFICATE
    • EMAILOTP
    • SECURID
    • SECOVID

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Second Authenticator Selector (secondAuthenticatorSelector)
    Description
    Optional property used to select the second authenticator from a list of authenticators (see properties "second.XXX") based on the context data of the user instead of the user's auth-method field. This property specifies the name of a context data value selecting the authenticator for the second authentication step. This property is now obsolete and exists to be backwards compatible with Airlock IAM releases before the introduction of the user's auth method field. If neither this property nor the user's auth method field is specified, the authenticator specified by property second is always used.
    Attributes
    String
    Optional
    Example
    auth_method
    User Persister (userPersister)
    Description

    The user persister used to update latest-login dates and number of failed logins (and some other fields if present).

    This assumes that the first and the second authenticators do not update the information.

    The persister is also used to read the authentication method from the user (to select the second authenticator plugin) and to check whether the user is locked or a password change is enforced according to the persister.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Max Failed Logins (maxFailedLogins)
    Description
    The number of failed logins before a user is locked. Set to zero (0) to disable this feature. This feature only works if a user persister is configured.
    Attributes
    Integer
    Optional
    Default value
    5
    Display Last Login Timestamp (displayLastLoginTimestamp)
    Description
    If enabled, displays the timestamp of the last login attempt and whether it was successful. The information is displayed on the page of the second authentication step (if available).
    Attributes
    Boolean
    Optional
    Default value
    false
    Use Username From User Persister (useUsernameFromUserPersister)
    Description
    If enabled, the username from the credential is always replaced with the username of the persisted user. Only disable to support legacy use-cases.
    Attributes
    Boolean
    Optional
    Default value
    true
    Additional User Validators (additionalUserValidators)
    Description
    To validate users beyond the usual tests for being locked or invalid, additional plugins can be added, which e.g. check context data fields. This is only functional if a User Persister is configured.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.MetaAuthenticator
    id: MetaAuthenticator-xxxxxx
    displayName: 
    comment: 
    properties:
      additionalUserValidators:
      defaultSecondAuthenticator:
      displayLastLoginTimestamp: false
      first:
      maxFailedLogins: 5
      secondAuthenticatorSelector:
      secondAuthenticatorsByAuthMethod:
      useUsernameFromUserPersister: true
      userPersister:
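
    To make the merging rules above concrete, here is an added Python model of the Meta Authenticator's decision logic (example code written for this page, not the IAM class): first step must succeed or require a password change, the user persister is consulted after that, the second authenticator is selected by the user's auth method with a default fallback, the plugin class name and short description are written to the context before the second step runs, and the final result is merged as the text describes. The authenticator names, status values, sample users and sample credentials are constructed; only the two context keys authPluginClassName and authMethodShortDesc come from the page.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class AuthResult:
    status: str                          # constructed values: "OK", "PASSWORD_CHANGE", "FAILED"
    username: Optional[str] = None       # user name the authenticator reports in the authentee
    roles: set = field(default_factory=set)
    context: dict = field(default_factory=dict)

    def accepted_as_first_step(self) -> bool:
        # A first step that only enforces a password change still lets the second step run.
        return self.status in ("OK", "PASSWORD_CHANGE")


@dataclass
class Authenticator:
    class_name: str                      # stored under authPluginClassName when used as second step
    short_desc: str                      # stored under authMethodShortDesc
    check: Callable[[str, dict], AuthResult]   # (username, credential) -> result


@dataclass
class PersistedUser:
    auth_method: str                     # selects the second authenticator, e.g. "MTAN"
    locked: bool = False
    password_change_required: bool = False


class MetaAuthenticator:
    def __init__(self, first: Authenticator, second_by_method: dict,
                 default_second: Authenticator, user_persister: dict):
        self.first = first
        self.second_by_method = second_by_method
        self.default_second = default_second
        self.users = user_persister      # username -> PersistedUser

    def authenticate(self, username: str, credential: dict) -> AuthResult:
        r1 = self.first.check(username, credential)
        if not r1.accepted_as_first_step():
            return AuthResult("FAILED")

        # The persister is consulted only after the first authenticator said ok.
        user = self.users.get(username)
        if user is None or user.locked:
            return AuthResult("FAILED")

        second = self.second_by_method.get(user.auth_method, self.default_second)
        # Written as soon as the second authenticator is determined, before it runs.
        context = dict(r1.context)
        context["authPluginClassName"] = second.class_name
        context["authMethodShortDesc"] = second.short_desc

        r2 = second.check(username, credential)   # first call: the credential with the username
        if r2.status != "OK":
            return AuthResult("FAILED")

        # Merge: union of roles, second's context data wins on key clashes,
        # second's user name wins if both authenticators provide one.
        context.update(r2.context)
        status = "PASSWORD_CHANGE" if (r1.status == "PASSWORD_CHANGE"
                                       or user.password_change_required) else "OK"
        return AuthResult(status, username=r2.username or r1.username,
                          roles=set(r1.roles) | set(r2.roles), context=context)


# Constructed sample authenticators and user store for the demonstration.
def _password_check(username: str, credential: dict) -> AuthResult:
    if credential.get("password") != "correct horse":       # constructed sample secret
        return AuthResult("FAILED")
    return AuthResult("OK", username=username, roles={"user"}, context={"src": "pw", "level": "1"})


def _mtan_check(username: str, credential: dict) -> AuthResult:
    if credential.get("otp") != "123456":                    # constructed sample OTP
        return AuthResult("FAILED")
    return AuthResult("OK", username=username.upper(), roles={"mtan"}, context={"level": "2"})


def build_demo() -> MetaAuthenticator:
    pw = Authenticator("example.PasswordAuthenticator", "Password", _password_check)
    mtan = Authenticator("example.MtanAuthenticator", "mTAN", _mtan_check)
    users = {"alice": PersistedUser("MTAN"), "bob": PersistedUser("MTAN", locked=True)}
    return MetaAuthenticator(first=pw, second_by_method={"MTAN": mtan},
                             default_second=mtan, user_persister=users)
```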
    

    Meta Password Policy

    Description
    A password policy check that contains a list of password policy checks. If any of the policy checks is violated, the first violation is returned. Otherwise, no violation is reported. The goal is to make the same password policy reusable in the configuration without having to list all rules again.
    Class
    com.airlock.iam.core.misc.impl.authen.PwdPolicyMetaCheck
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.PwdPolicyMetaCheck
    id: PwdPolicyMetaCheck-xxxxxx
    displayName: 
    comment: 
    properties:
      passwordPolicy:
    

    Migrating State Encryption Config

    Description

    State encryption intended for migration from one encryption to a different one. Values are always written with the new encryption. If reading with the new encryption fails, decryption with the previous encryption is attempted as a fallback. After the migration period, this plugin should be replaced by the new encryption.

    Specifically, this plugin can be used to migrate from unencrypted state to encrypted state. This plugin cannot be used to migrate from encrypted state to unencrypted state.

    Class
    com.airlock.iam.common.application.configuration.state.MigratingStateEncryptionConfig
    May be used by
    Properties
    Previous Encryption (previousEncryption)
    Description
    The encryption to use as a fallback when reading values from Redis.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    New Encryption (newEncryption)
    Description
    The encryption to use for reading and writing data from/to Redis.

    Migrating to unencrypted state is not supported.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.state.MigratingStateEncryptionConfig
    id: MigratingStateEncryptionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      newEncryption:
      previousEncryption:
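
    An added Python model of the migration behaviour described above (example code for this page, not the product's plugin): every write uses the new encryption, a read tries the new encryption first and falls back to the previous one, and configuring an unencrypted "new" encryption is rejected. The stand-in cipher DemoAead (a keyed SHA-256 keystream with an HMAC tag) is an assumption that only exists so that decrypting data written under another key fails; it is not the AES-GCM plugin and not something to deploy.

```python
from __future__ import annotations

import hashlib
import hmac
import os


class Unencrypted:
    """Identity 'encryption': what stored state looks like before encryption was enabled."""

    def encrypt(self, plaintext: bytes) -> bytes:
        return plaintext

    def decrypt(self, stored: bytes) -> bytes:
        return stored


class DemoAead:
    """Stand-in for an authenticated encryption plugin (NOT for production use).
    nonce || (plaintext XOR keystream) || HMAC-SHA256 tag over the first two parts."""

    NONCE_LEN = 16
    TAG_LEN = 32

    def __init__(self, key: bytes):
        self._key = key

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < length:
            out += hashlib.sha256(self._key + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(self.NONCE_LEN)
        body = nonce + bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return body + hmac.new(self._key, body, hashlib.sha256).digest()

    def decrypt(self, stored: bytes) -> bytes:
        if len(stored) < self.NONCE_LEN + self.TAG_LEN:
            raise ValueError("stored value too short for this encryption")
        body, tag = stored[:-self.TAG_LEN], stored[-self.TAG_LEN:]
        if not hmac.compare_digest(hmac.new(self._key, body, hashlib.sha256).digest(), tag):
            raise ValueError("authentication tag mismatch")
        nonce, ciphertext = body[:self.NONCE_LEN], body[self.NONCE_LEN:]
        return bytes(a ^ b for a, b in zip(ciphertext, self._keystream(nonce, len(ciphertext))))


class MigratingStateEncryption:
    """Writes with the new encryption; reads with the new one and falls back to the previous."""

    def __init__(self, new, previous):
        if isinstance(new, Unencrypted):
            raise ValueError("migrating to unencrypted state is not supported")
        self.new = new
        self.previous = previous

    def write(self, plaintext: bytes) -> bytes:
        return self.new.encrypt(plaintext)

    def read(self, stored: bytes) -> bytes:
        try:
            return self.new.decrypt(stored)
        except ValueError:
            return self.previous.decrypt(stored)   # value written before the migration


def migration_demo() -> dict:
    """Constructed scenario: one value stored unencrypted before the switch, one written after."""
    store = {"session:1": Unencrypted().encrypt(b'{"user":"alice"}')}
    enc = MigratingStateEncryption(new=DemoAead(b"k" * 32), previous=Unencrypted())
    store["session:2"] = enc.write(b'{"user":"bob"}')
    return {
        "session:1": enc.read(store["session:1"]),
        "session:2": enc.read(store["session:2"]),
        "new_value_readable_in_clear": b"bob" in store["session:2"],
    }
```

    After the migration period the wrapper is replaced by the new encryption alone, at which point any value still only readable through the fallback would start to fail; re-writing all state during the period avoids that.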
    

    Migration Selection Step

    Description
    Selection between different migration subflows depending on configurable options.
    Class
    com.airlock.iam.authentication.application.configuration.migration.MigrationSelectionStepConfig
    May be used by
    Properties
    Available options (availableOptions)
    Description
    All available options for this migration selection. For each option, a condition can be configured that determines if it is available in a specific situation and for a particular user. If no option is available the step fails.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Never Migrate Possible (neverMigratePossible)
    Description
    Activate the feature "Never Migrate" allowing the user to permanently reject the migration.

    If this property is enabled, it is possible for a user to reject the migration if:

    • No migration date is set for the user OR
    • A migration date is set and the property "Allow 'Never Migrate' Despite Migration Date" is enabled.

    Attributes
    Boolean
    Optional
    Default value
    false
    Never Migrate Possible Despite Migration Date (neverMigratePossibleWithToDate)
    Description
    Enables the feature "Never Migrate" even if there is a migration date set for the corresponding user.

    Whether it is possible to "Never Migrate" depends on whether or not a migration date is set and whether the authentication is happening during the "Never Migrate Period" (if set at all).

    Attributes
    Boolean
    Optional
    Default value
    false
    Never Migrate Period (neverMigratePeriod)
    Description

    Defines the period before the migration date in which the feature "Never Migrate" is active.

    Prerequisites for this property to take effect:
    • A migration date must be set for the user.
    • "Never Migrate Possible" must be enabled.
    • "Never Migrate Possible Despite Migration Date" must be enabled.
    • At least one available option must define a "Hint Period" greater than or equal to this property.

    If this property is not set, the feature "Never Migrate" is possible (if enabled) during and after the entire "Hint Period".

    The duration must be specified in the format "(d)ays (h)ours (m)inutes (s)econds" e.g. "2d 4h 10m 5s" (any part can be omitted).

    Attributes
    String
    Optional
    Example
    7d
    Example
    30d
    Example
    14d 6h 30m
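
    Added example (Python written for this page, not product code): a parser for the duration format above and a decision function that follows the property descriptions for "Never Migrate Possible", "Never Migrate Possible Despite Migration Date" and "Never Migrate Period". Two points are assumptions not stated on the page and are marked as such in the code: the period is treated as the window starting "period" before the migration date and ending at it, and when no period is configured the feature is taken to be possible from the start of the longest configured "Hint Period" onwards (or always, if no hint period exists).

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta
from typing import Optional

_PART = re.compile(r"(\d+)\s*([dhms])")
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_period(text: str) -> timedelta:
    """Parse "(d)ays (h)ours (m)inutes (s)econds", e.g. "2d 4h 10m 5s"; any part may be omitted."""
    rest = text.strip()
    if not rest:
        raise ValueError("empty duration")
    seconds = 0
    while rest:
        m = _PART.match(rest)
        if not m:
            raise ValueError(f"invalid duration: {text!r}")
        seconds += int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        rest = rest[m.end():].lstrip()
    return timedelta(seconds=seconds)


def parse_period_seconds(text: str) -> int:
    return int(parse_period(text).total_seconds())


def never_migrate_allowed(now: str, migration_date: Optional[str],
                          never_migrate_possible: bool, despite_migration_date: bool,
                          never_migrate_period: Optional[str],
                          longest_hint_period: Optional[str]) -> bool:
    """Decide whether the user may permanently reject the migration.
    Timestamps are ISO 8601 strings; migration_date is None when no date is set for the user."""
    if not never_migrate_possible:
        return False
    if migration_date is None:
        return True                       # bullet 1: no migration date set
    if not despite_migration_date:
        return False                      # bullet 2 not satisfied
    t_now = datetime.fromisoformat(now)
    t_mig = datetime.fromisoformat(migration_date)
    hint = parse_period(longest_hint_period) if longest_hint_period else None
    if never_migrate_period is None:
        # ASSUMPTION: "during and after the entire Hint Period" means from the start of the
        # hint period onwards; with no hint period configured the feature is taken as available.
        return hint is None or t_now >= t_mig - hint
    period = parse_period(never_migrate_period)
    if hint is None or hint < period:
        return False                      # prerequisite: some option's Hint Period >= this period
    # ASSUMPTION: the period is the window [migration date - period, migration date).
    return t_mig - period <= t_now < t_mig
```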
    Custom Never Migrate Condition (customNeverMigrateCondition)
    Description
    By default the "Never Migrate" condition is considered to decide whether it is possible for a user to reject the migration. This default condition can be overwritten by configuring a custom condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Custom Never Migrate Steps (customNeverMigrateSteps)
    Description
    By default the "Never Migrate" step is executed if the "Never Migrate" condition is fulfilled. This default step can be overwritten by configuring a custom step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    • Abort Step
    • Acknowledge Message Step
    • Airlock 2FA Activation Letter Order Step
    • Airlock 2FA Activation Step
    • Airlock 2FA Activation Step (with additional Activation)
    • Airlock 2FA Activation Trusted Session Binding Step
    • Airlock 2FA Authentication Step
    • Airlock 2FA Delete Devices Step
    • Airlock 2FA Device Edit Step
    • Airlock 2FA Mobile Only Authentication Step
    • Airlock 2FA Recovery Trusted Session Binding Step
    • Airlock 2FA Usernameless Authentication Step
    • Apply Changes Step
    • Complete Migration Step
    • Cronto Activation Step
    • Cronto Authentication Step
    • Cronto Device Reset Step Config
    • Cronto Letter Order Step Config
    • CrontoSign Swiss Push Activation Step
    • Device Token Authentication Step
    • Device Token Registration Step
    • Email Change Verification Step
    • Email Notification Step
    • Email OTP Authentication Step
    • FIDO Authentication Step
    • FIDO Credential Display Name Change Step
    • FIDO Passwordless Authentication Step
    • FIDO Registration Step
    • Failure Step
    • HTTP Basic Authentication Step
    • Kerberos Authentication Step
    • Legacy Email OTP Authentication Step
    • Login From New Device Step
    • Mandatory Password Change Step Config
    • Matrix Authentication Step
    • Migration Selection Step
    • Missing Account Link Step
    • Never Migrate Step
    • No Operation Step
    • OATH OTP Activation Step
    • OATH OTP Authentication Step
    • OAuth 2.0 Consent Step
    • OAuth 2.0 SSO Step
    • OAuth 2.0 Session Reset Step
    • OTP Check via RADIUS Step
    • Password-only Authentication Step
    • Red Flag Raising Step Config
    • Remember-Me Reset Step
    • Remember-Me Token Generating Step
    • Remember-Me User Identifying Step
    • Representation SSO Ticket Identifying Step
    • Risk Assessment Step
    • Role-based Tag Acquisition Step
    • SAML 2.0 SP User Identifying Step
    • SSI Authentication Step
    • SSI Issuance Step
    • SSI Passwordless Authentication Step
    • SSI Verification Step
    • SSO Ticket Authentication Step
    • Scriptable Step
    • Secret Questions Provisioning Step
    • Selection Step
    • Set Context Data Step
    • Set Password Step Config
    • Tag Removal Step Config
    • Terms Of Services Step
    • User Data Edit Step
    • User Identification By Data Step
    • User Identification Step
    • Username Password Authentication Step
    • Vasco OTP Authentication Step
    • Voluntary Password Change Step
    • mTAN Authentication Step
    • mTAN Token Registration Step
    • mTAN Verification Step
    Custom Skip Migration Steps (customSkipMigrationSteps)
    Description
    By default the "No Operation Step" step is executed if the "Skip Migration" condition is fulfilled. This default step can be overwritten by configuring a custom step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    • Abort Step
    • Acknowledge Message Step
    • Airlock 2FA Activation Letter Order Step
    • Airlock 2FA Activation Step
    • Airlock 2FA Activation Step (with additional Activation)
    • Airlock 2FA Activation Trusted Session Binding Step
    • Airlock 2FA Authentication Step
    • Airlock 2FA Delete Devices Step
    • Airlock 2FA Device Edit Step
    • Airlock 2FA Mobile Only Authentication Step
    • Airlock 2FA Recovery Trusted Session Binding Step
    • Airlock 2FA Usernameless Authentication Step
    • Apply Changes Step
    • Complete Migration Step
    • Cronto Activation Step
    • Cronto Authentication Step
    • Cronto Device Reset Step Config
    • Cronto Letter Order Step Config
    • CrontoSign Swiss Push Activation Step
    • Device Token Authentication Step
    • Device Token Registration Step
    • Email Change Verification Step
    • Email Notification Step
    • Email OTP Authentication Step
    • FIDO Authentication Step
    • FIDO Credential Display Name Change Step
    • FIDO Passwordless Authentication Step
    • FIDO Registration Step
    • Failure Step
    • HTTP Basic Authentication Step
    • Kerberos Authentication Step
    • Legacy Email OTP Authentication Step
    • Login From New Device Step
    • Mandatory Password Change Step Config
    • Matrix Authentication Step
    • Migration Selection Step
    • Missing Account Link Step
    • Never Migrate Step
    • No Operation Step
    • OATH OTP Activation Step
    • OATH OTP Authentication Step
    • OAuth 2.0 Consent Step
    • OAuth 2.0 SSO Step
    • OAuth 2.0 Session Reset Step
    • OTP Check via RADIUS Step
    • Password-only Authentication Step
    • Red Flag Raising Step Config
    • Remember-Me Reset Step
    • Remember-Me Token Generating Step
    • Remember-Me User Identifying Step
    • Representation SSO Ticket Identifying Step
    • Risk Assessment Step
    • Role-based Tag Acquisition Step
    • SAML 2.0 SP User Identifying Step
    • SSI Authentication Step
    • SSI Issuance Step
    • SSI Passwordless Authentication Step
    • SSI Verification Step
    • SSO Ticket Authentication Step
    • Scriptable Step
    • Secret Questions Provisioning Step
    • Selection Step
    • Set Context Data Step
    • Set Password Step Config
    • Tag Removal Step Config
    • Terms Of Services Step
    • User Data Edit Step
    • User Identification By Data Step
    • User Identification Step
    • Username Password Authentication Step
    • Vasco OTP Authentication Step
    • Voluntary Password Change Step
    • mTAN Authentication Step
    • mTAN Token Registration Step
    • mTAN Verification Step
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable goto targets. These are steps to which the user can choose to jump while this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.migration.MigrationSelectionStepConfig
    id: MigrationSelectionStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      availableOptions:
      customFailureResponseAttributes:
      customNeverMigrateCondition:
      customNeverMigrateSteps:
      customResponseAttributes:
      customSkipMigrationSteps:
      dynamicStepActivations:
      interactiveGotoTargets:
      neverMigratePeriod:
      neverMigratePossible: false
      neverMigratePossibleWithToDate: false
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
    

    Minimum Date

    Description
    Validates that a date has a lower limit (earliest possible date).
    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.validation.MinDateValidationConfig
    May be used by
    Properties
    Minimum Relative [days] (minRelative)
    Description

    The "minimum relative value" is the lower limit (earliest possible) for allowed difference in days to the current date.

    Examples: A value of 1 means that tomorrow is the earliest possible date to enter, a value of -365 means that the entered date can be at most one year in the past.

    Attributes
    Integer
    Optional
    Min Date (minDate)
    Description

    The earliest date allowed to be filled in. This cannot be used together with "Minimum Relative" and must be in ISO 8601 format.

    Attributes
    String
    Optional
    Example
    2011-12-03
    Example
    2018-02-06
    Translation Key (translationKey)
    Description
    The translation key to use for the error message in case the validation fails. In the translation, the minimum date can be referred to using {{after}}. A default translation is used when no translation key is configured.
    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.validation.MinDateValidationConfig
    id: MinDateValidationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      minDate:
      minRelative:
      translationKey:
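
    Added example (Python written for this page, not Airlock IAM code) modelling both the Maximum Date and Minimum Date validations: an absolute ISO 8601 bound or a bound relative to today in days, never both on the same side, with the {{before}} and {{after}} values the translations refer to. The class and function names are constructed; the minimum-age helper uses the page's 365-days-per-year approximation (-365 means at least one year in the past), so leap days are ignored.

```python
from __future__ import annotations

from datetime import date, timedelta
from typing import Optional


class DateRangeValidator:
    """Upper bound from "Max Date" or "Maximum Relative [days]", lower bound from
    "Min Date" or "Minimum Relative [days]". A relative value of 1 means tomorrow."""

    def __init__(self, max_date: Optional[str] = None, max_relative: Optional[int] = None,
                 min_date: Optional[str] = None, min_relative: Optional[int] = None,
                 today: Optional[str] = None):
        if max_date is not None and max_relative is not None:
            raise ValueError('"Max Date" cannot be used together with "Maximum Relative"')
        if min_date is not None and min_relative is not None:
            raise ValueError('"Min Date" cannot be used together with "Minimum Relative"')
        self.today = date.fromisoformat(today) if today else date.today()
        self.latest = self._resolve(max_date, max_relative)      # last allowed date
        self.earliest = self._resolve(min_date, min_relative)    # earliest allowed date

    def _resolve(self, absolute: Optional[str], relative: Optional[int]) -> Optional[date]:
        if absolute is not None:
            return date.fromisoformat(absolute)                  # must be ISO 8601
        if relative is not None:
            return self.today + timedelta(days=relative)
        return None

    def validate(self, value: str) -> Optional[dict]:
        """None when the entered date is acceptable; otherwise an error with the
        placeholder value ({{before}} or {{after}}) the error translation can use."""
        try:
            entered = date.fromisoformat(value)
        except ValueError:
            return {"error": "not_a_date"}
        if self.latest is not None and entered > self.latest:
            return {"error": "max_date", "before": self.latest.isoformat()}
        if self.earliest is not None and entered < self.earliest:
            return {"error": "min_date", "after": self.earliest.isoformat()}
        return None


def minimum_age_validator(years: int, today: str) -> DateRangeValidator:
    """Minimal required age as the page suggests: the birth date entered must be at
    least `years` * 365 days in the past (upper bound only)."""
    return DateRangeValidator(max_relative=-365 * years, today=today)
```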
    

    Minimum Length

    Description
    Validates that there is a minimal number of characters.
    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.validation.MinLengthValidationConfig
    May be used by
    Properties
    Translation Key (translationKey)
    Description
    The translation key to use for the error message in case the validation fails. In the translation, the number of minimal characters can be referred to using {{requiredLength}}. A default translation is used when no translation key is configured.
    Attributes
    String
    Optional
    Min Number Of Characters (minNumberOfCharacters)
    Description
    The minimal number of required characters.
    Attributes
    Integer
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.validation.MinLengthValidationConfig
    id: MinLengthValidationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      minNumberOfCharacters:
      translationKey:
    

    Missing Account Link Step

    Description
    For the user identified within the current authentication flow, this step creates an account link to the provider account that was also identified within the current authentication flow. This step takes down the corresponding "red flag" raised by a previous step (e.g. OAuth 2.0 SSO Step). The step is skipped if the "red flag" was not raised by a previous step.
    Class
    com.airlock.iam.oauth2.application.configuration.accountlinking.MissingAccountLinkStepConfig
    May be used by
    License-Tags
    OAuthAccountLinking
    Properties
    Red Flag (redFlag)
    Description
    Handles ('takes down') this red flag concerning a missing account link, if it has been raised. The step is skipped if this red flag has not been raised by a previous step.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.accountlinking.MissingAccountLinkStepConfig
    id: MissingAccountLinkStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      preCondition:
      redFlag:
      stepId:
      tagsOnSuccess:
    

    Most Recently Registered Device Condition

    Description
    Plugin for filtering Airlock 2FA devices. It only returns true for the newest device, i.e. the device which has been registered most recently.
    Class
    com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FAMostRecentlyRegisteredDevicePredicateConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.airlock2fa.application.configuration.provider.predicate.Airlock2FAMostRecentlyRegisteredDevicePredicateConfig
    id: Airlock2FAMostRecentlyRegisteredDevicePredicateConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    MS-OFBA One-Shot Target Application

    Description
    Microsoft Office Forms Based Authentication (MS-OFBA) One-Shot Target Application
    Note: This target application authenticates HTTP requests based on the original HTTP request the client sent to Airlock WAF. Therefore, this plugin only works if the Airlock Gateway (WAF) Settings are configured.

    MS-OFBA Protocol
    The MS-OFBA protocol provides a mechanism by which Microsoft Office clients (e.g. Word, Excel, ...) can establish an authenticated session with a server or gateway like Airlock WAF. The three steps for establishing an identity using forms based authentication between a protocol client and a protocol server are as follows:

    1. Initialization: Prior to opening the document on the remote server, the client sends a so-called protocol discovery request, an HTTP OPTIONS request that allows the server to determine, based on the headers sent, whether the client is a browser or not (see Browser vs. Nonbrowser Clients below). In the case of a nonbrowser client, this target application responds that its authentication method is forms based authentication by returning an HTTP 403 response that includes an X-FORMS_BASED_AUTH_REQUIRED header with a URL pointing to the location to which the client should navigate to authenticate. The response also includes an X-FORMS_BASED_AUTH_RETURN_URL header, which is the location to which the protocol server will redirect the user after a successful authentication.
    2. Negotiation: Having determined that the protocol server is capable of establishing an identity by using forms based authentication, the protocol client renders the HTML returned from the request to the remote location provided by the server in step 1 (X-FORMS_BASED_AUTH_REQUIRED header). Note that the duration of this step is neither deterministic nor specified by this protocol: the client continues to follow as many redirects and refreshes as necessary to establish the identity, until the server redirects to the return URI provided in step 1 (X-FORMS_BASED_AUTH_RETURN_URL header).
    3. Finalization: After the protocol server redirects the protocol client to the return URI, the protocol client assumes that the identity has been successfully established and reissues the original request from step 1. Note that the process for actually establishing the user's identity is not specified by this protocol.

    Browser vs. Nonbrowser Clients
    If the request from the client contains an X-FORMS_BASED_AUTH_ACCEPTED HTTP header or its User-Agent header matches the configured user agent regular expression, the client is considered a nonbrowser client. In this case, a forms based authentication required response is returned as described in the Initialization step of the protocol.
    Otherwise, the client is considered a browser and an HTTP 302 redirect to the configured redirect URL is returned. In addition, a location parameter pointing to the initially accessed URL on the WAF is added to the redirect location. Therefore, accessing this target application with a browser has the same effect as if the Authentication Flow on the WAF mapping had been set to Redirect instead of One-Shot.
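The client classification and the two response shapes described above, as an added example that is not part of the Airlock IAM product code. It assumes a constructed configuration mirroring the YAML property names below, that both regular expressions must match the whole value (Java-style matching), and that the location parameter is appended percent-encoded.

```python
import re
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import urlencode


@dataclass
class MsOfbaConfig:
    """Constructed stand-in for the plugin's properties (names follow the
    YAML template; the values are illustrative only, not a real deployment)."""
    urlPattern: str = r".*/docs/.*"
    userAgentPattern: str = r"Microsoft Office(.*)"
    redirectUrl: str = "/auth/check-login"
    msofbaAuthUrl: str = "https://myhost.com/iamPath/check-login"
    msofbaSuccessUrl: str = "https://myhost.com/auth/msofba-success"
    msofbaDialogSize: str = ""            # optional; the client falls back to 660x495
    locationParameterName: str = "Location"


def matches_target(cfg: MsOfbaConfig, forward_url: str) -> bool:
    """Case-insensitive match of the forward URL against urlPattern.
    Assumption: the whole URL must match, as with Java's Matcher.matches()."""
    return re.fullmatch(cfg.urlPattern, forward_url, re.IGNORECASE) is not None


def is_nonbrowser_client(cfg: MsOfbaConfig, headers: Dict[str, str]) -> bool:
    """Nonbrowser (MS-OFBA capable) client: X-FORMS_BASED_AUTH_ACCEPTED is
    present with value "t" or "f" (any other value is ignored), or the
    User-Agent matches userAgentPattern."""
    lower = {k.lower(): v for k, v in headers.items()}
    accepted = lower.get("x-forms_based_auth_accepted")
    if accepted is not None and accepted.strip() in ("t", "f"):
        return True
    user_agent = lower.get("user-agent", "")
    return re.fullmatch(cfg.userAgentPattern, user_agent) is not None


def add_location(url: str, name: str, target: str) -> str:
    """Append the (configurable) location parameter with the target URL
    percent-encoded."""
    separator = "&" if "?" in url else "?"
    return url + separator + urlencode({name: target})


def handle_request(cfg: MsOfbaConfig, forward_url: str,
                   headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Build the response this target application gives for a request whose
    originally accessed WAF URL is forward_url. Returns (status, headers)."""
    if is_nonbrowser_client(cfg, headers):
        # Initialization step: 403 carrying the MS-OFBA headers.
        response = {
            "X-FORMS_BASED_AUTH_REQUIRED": add_location(
                cfg.msofbaAuthUrl, cfg.locationParameterName, cfg.msofbaSuccessUrl),
            "X-FORMS_BASED_AUTH_RETURN_URL": cfg.msofbaSuccessUrl,
        }
        if cfg.msofbaDialogSize:
            response["X-FORMS_BASED_AUTH_DIALOG_SIZE"] = cfg.msofbaDialogSize
        return 403, response
    # Browser: behave like a WAF mapping whose Authentication Flow is Redirect.
    return 302, {"Location": add_location(
        cfg.redirectUrl, cfg.locationParameterName, forward_url)}
```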

    Class
    com.airlock.iam.login.app.misc.configuration.oneshot.MsOfbaOneShotTargetApplication
    May be used by
    License-Tags
    OneShotAuthentication
    Properties
    URL Pattern (urlPattern)
    Description
    The URL pattern (regular expression pattern) to identify this target application.

    The first pattern (in the list of target applications) that matches the forward URL is used.
    The matching is case-insensitive.

    The URL pattern is ignored for the default target application.

    Attributes
    RegEx
    Mandatory
    License-Tags
    OneShotAuthentication
    User Agent HTTP Header Pattern (userAgentPattern)
    Description
    To be recognized as a nonbrowser client that supports the MS-OFBA protocol, the protocol client MUST specify either an X-FORMS_BASED_AUTH_ACCEPTED header or a matching user agent string in an HTTP OPTIONS request.

    IAM responds with a Forms Based Authentication Required response, as specified in the plugin description, if and only if

    • The X-FORMS_BASED_AUTH_ACCEPTED header field is present with a value of "t" or "f" (otherwise it is ignored) or
    • The request contains a User-Agent HTTP header that matches this regular expression pattern.
    Attributes
    RegEx
    Optional
    License-Tags
    OneShotAuthentication
    Default value
    Microsoft Office(.*)
    Browser Redirect URL (redirectUrl)
    Description
    If the client is considered a browser, the MS-OFBA One-Shot Target Application redirects it to this URL. In addition, a location parameter corresponding to the initially accessed URL on the WAF is added to the redirect location. Therefore, accessing this target application with a browser has the same effect as if the Authentication Flow on the WAF mapping had been set to Redirect instead of One-Shot.
    Attributes
    String
    Optional
    License-Tags
    OneShotAuthentication
    Default value
    /auth/check-login
    Example
    /auth/check-login
    Example
    https://myhost.com/iamPath/check-login
    MS-OFBA Authentication URL (msofbaAuthUrl)
    Description
    The URL returned to the client as the X-FORMS_BASED_AUTH_REQUIRED HTTP header value in the MS-OFBA response. It MUST point to an HTTP-based server. A Location URL parameter that points to the configured MS-OFBA Success URL is added to this URL automatically. Therefore, the final MS-OFBA Authentication URL as received by the client will look similar to https://myhost.com/iamPath/check-login?Location=https%3A%2F%2Fmyhost.com%2Fauth%2Fsuccess.
    Attributes
    String
    Mandatory
    License-Tags
    OneShotAuthentication
    Example
    https://myhost.com/iamPath/check-login
    MS-OFBA Success URL (msofbaSuccessUrl)
    Description
    The URL returned to the client as the X-FORMS_BASED_AUTH_RETURN_URL HTTP header value in the MS-OFBA response. It MUST point to an HTTP-based server, and accessing the URL has to result in an HTTP 200 response. For this, the IAM Success Servlet, deployed under /<iam-deployment-path>/msofba-success, can be used.
    Attributes
    String
    Mandatory
    License-Tags
    OneShotAuthentication
    Example
    https://myhost.com/auth/msofba-success
    MS-OFBA Display Size (msofbaDialogSize)
    Description
    Optional value of the X-FORMS_BASED_AUTH_DIALOG_SIZE HTTP header returned to the client in the MS-OFBA response. This value determines the size of the window the client opens when accessing the MS-OFBA Authentication URL. It must follow the format <width in pixels>x<height in pixels>. If the size of the dialog box is not specified, the protocol client uses the value "660x495".
    Attributes
    String
    Optional
    License-Tags
    OneShotAuthentication
    Example
    800x600
    Location Parameter Name (locationParameterName)
    Description
    The name of the request parameter that tells the authentication application which page the user requested when they were redirected to the authentication application.
    Attributes
    String
    Optional
    License-Tags
    OneShotAuthentication
    Default value
    Location
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oneshot.MsOfbaOneShotTargetApplication
    id: MsOfbaOneShotTargetApplication-xxxxxx
    displayName: 
    comment: 
    properties:
      locationParameterName: Location
      msofbaAuthUrl:
      msofbaDialogSize:
      msofbaSuccessUrl:
      redirectUrl: /auth/check-login
      urlPattern:
      userAgentPattern: Microsoft Office(.*)
    

    mTAN Authentication Step

    Description
    Configuration for an mTAN authentication flow step.
    Class
    com.airlock.iam.authentication.application.configuration.mtan.MtanAuthStepConfig
    May be used by
    Properties
    Message Provider (messageProvider)
    Description
    Creates the message sent in the authentication SMS.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    mTAN Settings (mtanSettings)
    Description
    Defines the required settings for checking mTAN OTPs.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.
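A simulation of the counter semantics described above, added here as an example (not Airlock IAM code): failed attempts are counted per user and Authentication Method ID, a successful step resets that counter, and reaching a constructed threshold locks the user for that ID. It shows why two password steps sharing one ID never lock, while distinct IDs do.

```python
from collections import defaultdict
from typing import Dict, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5  # constructed lockout threshold for this illustration


class FailedAttemptCounters:
    """Per-user failed-attempt counters keyed by Authentication Method ID."""

    def __init__(self, threshold: int = MAX_FAILED_ATTEMPTS) -> None:
        self.threshold = threshold
        self.failed: Dict[Tuple[str, str], int] = defaultdict(int)

    def is_locked(self, user: str, method_id: str) -> bool:
        return self.failed[(user, method_id)] >= self.threshold

    def record(self, user: str, method_id: str, success: bool) -> None:
        # A success resets the counter for this method ID; a failure increments it.
        if success:
            self.failed[(user, method_id)] = 0
        else:
            self.failed[(user, method_id)] += 1


def password_step(counters: FailedAttemptCounters, user: str, method_id: str,
                  secret: str, guess: str) -> bool:
    """One attempt at a password step configured with method_id. Returns False
    when the user is already locked for this ID or the password is wrong."""
    if counters.is_locked(user, method_id):
        return False
    ok = guess == secret
    counters.record(user, method_id, ok)
    return ok


def attempts_until_lock(flow_a_id: str, flow_b_id: str,
                        interleave_success: bool = True,
                        budget: int = 20) -> Optional[int]:
    """Drive flow B (password 2) with wrong guesses; after each one, perform a
    correct password 1 login on flow A if interleave_success is set. Returns
    how many wrong guesses flow B evaluated before the user was locked, or
    None if no lock occurred within the budget."""
    counters = FailedAttemptCounters()
    user, password1, password2 = "alice", "correct-1", "correct-2"  # constructed
    evaluated = 0
    for i in range(budget):
        if counters.is_locked(user, flow_b_id):
            return evaluated
        password_step(counters, user, flow_b_id, password2, f"wrong-{i}")
        evaluated += 1
        if interleave_success:
            password_step(counters, user, flow_a_id, password1, password1)
    return None
```

With a shared ID ("PASSWORD" for both flows) the function returns None, with distinct IDs ("PASSWORD1", "PASSWORD2") it returns 5.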

    Attributes
    String
    Optional
    Length <= 23
    Default value
    MTAN
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.mtan.MtanAuthStepConfig
    id: MtanAuthStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: MTAN
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      messageProvider:
      mtanSettings:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    mTAN IAK Token Report Strategy

    Description
    This task strategy plugin iterates over mTAN tokens and generates a report for all tokens where the order flag is set.
    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.token.MtanIakTokenReportStrategyConfig
    May be used by
    Properties
    Mtan Settings (mtanSettings)
    Description
    Defines all kinds of aspects concerning mTAN.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token Data Provider (tokenDataProvider)
    Description
    The token data provider plugin is used to read all tokens to be handled by this task. Should be configured to only return the tokens that should be handled by this task.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Report Type Short Desc (reportTypeShortDesc)
    Description
    Defines a short textual description of the type of the report being rendered.
    The text is used in the user trail log written when a report is rendered. Specify a text like the examples below so that it fits the structure of the log statement it is used in.
    Attributes
    String
    Optional
    Default value
    UNSPECIFIED
    Example
    password letter
    Example
    keyfile accompanying report
    Example
    mobile number registration letter
    User Store (userStore)
    Description
    The user store to retrieve all user data.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Report Renderer (reportRenderer)
    Description
    Tells this task which generic renderer to use to render reports.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Barcode Generator (barcodeGenerator)
    Description

    Optional barcode generator. If this property is configured, a barcode image and the corresponding barcode content are added to the parameter map accessible by report templates. The following keys are defined:

    • BarcodeImage: placeholder for the barcode image.
    • BarcodeContent: placeholder for the barcode content.
    • BarcodeContentDisplay: placeholder for the barcode content in a human-readable format.

    Tracking ID: If the "tracking ID" field is configured in the token data provider the generated barcode content is automatically stored in the token. This is useful for future reference, e.g., for tracking active shipments.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Language Attribute Name (languageAttributeName)
    Description
    Tells the report task which attribute in the context data container contains the language to be used for rendering the password. If this property is configured and if the context data container of the user has a value for this attribute, it is used when calling the report renderer plug-in.
    Attributes
    String
    Optional
    Suggested values
    language
    Output Directory (outputDirectory)
    Description
    Directory in the file system in which to put the rendered reports. The directory is either absolute or relative to the JVM's current directory.

    This property is not required if the renderer plugin (see separate property) does not write to the output stream (e.g. sends the report somewhere else). It is required otherwise.

    Note: If this property is not defined and the renderer plugin in use writes to the output stream, the result (e.g. a PDF file) is lost.

    Attributes
    File/Path
    Optional
    Working Directory (workingDirectory)
    Description
    A writable directory used to store partial reports.
    If this property is defined, the credential reports are not generated directly into the output directory (see other property); they are generated into this working directory and moved to the output directory once they are complete.
    This avoids problems with processes that automatically pick up rendered reports and would otherwise read partial reports during generation. Make sure that the working directory and the output directory reside in the same file system (otherwise the move of the generated file is not atomic).
    The directory is either absolute or relative to the JVM's current directory.
    Attributes
    File/Path
    Optional
    Delete Old Reports (deleteOldReports)
    Description
    Deletes old rendered reports of a user from the file system when a new one is rendered. Setting this to TRUE results in at most one rendered report of this type per user.
    Caution: This feature deletes all reports starting with the prefix configured by the property "file-name-prefix" and the user's name. Thus you must make sure that different report types use different filename prefixes.
    Attributes
    Boolean
    Optional
    Default value
    false
    File Name Prefix (fileNamePrefix)
    Description
    Filename prefix for rendered report files. It is important to set this to a value that is unique for the kind of reports generated by this task. When this task deletes old reports, it looks at this prefix (and the user ID) in order to find out which files to delete. Thus, if this prefix is the same as for other reports and they reside in the same directory, other reports may be deleted.
    Do not use the prefix "pwd-" or the empty prefix if password or token list reports are stored in the same directory. The latter is used as the default for token lists (matrix card) and the former for password letters.
    Attributes
    String
    Mandatory
    Example
    token-letter
    Example
    smartcardLetter
    File Name Suffix (fileNameSuffix)
    Description
    Filename suffix for rendered report files. The indicated suffix is appended to the generated reports. This may be required if the files are processed (e.g. printed) by another process (manual or automatic).
    Attributes
    String
    Mandatory
    Suggested values
    .pdf, .docx, .txt
    Aggregate Report (aggregateReport)
    Description
    Optional property to describe an aggregate report over all generated reports in a batch. If none is configured, no aggregate report will be generated.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Required Order Options (requiredOrderOptions)
    Description
    Order options that have to be set for this task to handle the order. Leave empty to handle all orders with the "order new" flag set. Several options can be comma-separated, in which case ALL listed options must be set for an order to be handled.
    Attributes
    String-List
    Optional
    Excluding Order Options (excludingOrderOptions)
    Description
    Order options that, if set, will exclude the order from being handled by this task. Leave empty to not exclude any orders. Several options can be comma-separated, in which case ANY listed option excludes the order from being handled by this task.
    Attributes
    String-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.token.MtanIakTokenReportStrategyConfig
    id: MtanIakTokenReportStrategyConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      aggregateReport:
      barcodeGenerator:
      deleteOldReports: false
      excludingOrderOptions:
      fileNamePrefix:
      fileNameSuffix:
      languageAttributeName:
      mtanSettings:
      outputDirectory:
      reportRenderer:
      reportTypeShortDesc: UNSPECIFIED
      requiredOrderOptions:
      tokenDataProvider:
      userStore:
      workingDirectory:
    

    mTAN Label Item Definition

    Description

    Item to register a label for an mTAN number. The label is saved in the flow session and later persisted together with the (potentially verified) mTAN number. Note that the credential mTAN handler does not support labels.

    In protected self-service flows, the dedicated "mTAN Token Edit Step" or "mTAN Token Registration Step" are the preferred way to edit or register mTAN tokens, respectively.

    Class
    com.airlock.iam.flow.shared.application.configuration.item.mtan.MtanLabelItemDefinitionConfig
    May be used by
    Properties
    Key (key)
    Description
    The key under which the client is expected to provide the label.
    Attributes
    String
    Optional
    Default value
    mtanLabel
    Required (required)
    Description
    Specifies whether this item is required for the step to validate successfully. An optional label may be deleted.
    Attributes
    Boolean
    Optional
    Default value
    false
    Maximum Length (maximumLength)
    Description
    Maximum length of the label.
    Attributes
    Integer
    Optional
    Default value
    30
    Validators (validators)
    Description
    Validators for the label.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.item.mtan.MtanLabelItemDefinitionConfig
    id: MtanLabelItemDefinitionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      key: mtanLabel
      maximumLength: 30
      required: false
      validators:
    

    mTAN Letter User Event Listener

    Description
    Listens to 'after insert user events'. When notified that a new user has been inserted into the persistency layer, an mTAN IAK letter is ordered for this user.
    Class
    com.airlock.iam.common.application.configuration.token.mtan.MtanLetterUserEventListener
    May be used by
    Properties
    mTAN Handler for IAK Order (mtanHandlerForIakOrder)
    Description
    An mTAN handler used to order mTAN IAK letters.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Condition (condition)
    Description
    The condition to decide whether the event should be handled. If not configured, the event is always handled.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.token.mtan.MtanLetterUserEventListener
    id: MtanLetterUserEventListener-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      mtanHandlerForIakOrder:
    

    mTAN Message Provider

    Description
    Generic provider for mTAN messages.
    Class
    com.airlock.iam.flow.shared.application.configuration.message.GenericMtanMessageProviderConfig
    May be used by
    Properties
    Resource Key (resourceKey)
    Description
    Resource key to select the localized template to display the data. The localized template can contain variables (e.g. ${town}) and supports the same formatting options (including shrinking of values to fit to limited size) as are available for Transaction Approval messages. The template must contain the variable ${TOKEN} which will be replaced by the OTP token.
    Attributes
    String
    Mandatory
    Example
    self-service.user-data-edit.approval.mtan
    Example
    password-reset.factors.mtan.message
    Example
    mtan-registration.verification.message
    Value Providers (valueProviders)
    Description
    List of value map providers that are used to replace the variables in the localized template. The value providers are called in the configured order and their values are added to a map. Later providers can overwrite values from earlier providers. If no value providers are configured, the localized template should not contain any variables, since all of them would be replaced by empty strings. The OTP token for the ${TOKEN} variable is always added to the map and doesn't have to be configured here.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Maximum Message Length (maxLength)
    Description
    Defines the maximum length for the mTAN message. If the message cannot fit into this length (potentially after shrinking values), an exception is thrown.
    Attributes
    Integer
    Optional
    Default value
    160
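The template, value provider and length rules of the three properties above, worked through in an added example that is not Airlock IAM code. It assumes a constructed localized template table and plain callables as value providers; value shrinking to fit the limit is not implemented, so an over-long message simply fails.

```python
import re
from typing import Callable, Dict, List

TOKEN_VARIABLE = "${TOKEN}"
VARIABLE_PATTERN = re.compile(r"\$\{([^}]+)\}")

# Constructed localized templates keyed by resource key and language.
LOCALIZED_TEMPLATES: Dict[str, Dict[str, str]] = {
    "password-reset.factors.mtan.message": {
        "en": "Your ${company} code for ${town}: ${TOKEN}",
        "de": "Ihr ${company} Code fuer ${town}: ${TOKEN}",
    },
}

ValueProvider = Callable[[], Dict[str, str]]


def merge_values(value_providers: List[ValueProvider], otp: str) -> Dict[str, str]:
    """Call the value providers in configured order; later providers overwrite
    earlier values. The OTP is always added under TOKEN."""
    values: Dict[str, str] = {}
    for provider in value_providers:
        values.update(provider())
    values["TOKEN"] = otp
    return values


def render_mtan_message(resource_key: str, language: str,
                        value_providers: List[ValueProvider], otp: str,
                        max_length: int = 160) -> str:
    """Render the localized template selected by resource key and language."""
    template = LOCALIZED_TEMPLATES[resource_key][language]
    if TOKEN_VARIABLE not in template:
        raise ValueError("template must contain the ${TOKEN} variable")
    values = merge_values(value_providers, otp)
    # Variables without a configured value are replaced by empty strings.
    message = VARIABLE_PATTERN.sub(lambda m: str(values.get(m.group(1), "")), template)
    if len(message) > max_length:
        raise ValueError(f"message length {len(message)} exceeds maximum {max_length}")
    return message
```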
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.message.GenericMtanMessageProviderConfig
    id: GenericMtanMessageProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      maxLength: 160
      resourceKey:
      valueProviders:
    

    mTAN Number Changed

    Description
    Condition that determines whether the current user has edited an mTAN number. This condition is needed to determine whether an mTAN Verification Step is necessary or not. Changes to the label are ignored since they don't need to be verified.
    Class
    com.airlock.iam.selfservice.application.configuration.selection.condition.MtanNumberChangedConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step
mTAN Token Registration Step mTAN Token Registration Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Delete Initiation Step Selection Option For Public Self-Service Username Password Authentication Step Username Password Authentication Step Certificate Credential Extraction Step Config Certificate Credential Extraction Step Config OAuth 2.0 Session List OAuth 2.0 Session List Set Password Step Config Set Password Step Config Flow Condition To Authentication Context Mapping Password Change Self-Service Step Password Change Self-Service Step SSI Verification Step SSI Verification Step Default OAuth 2.0 Consent Deny Flow Default OAuth 2.0 Consent Deny Flow Device Token Identity Verification Step Config Device Token Identity Verification Step Config Cronto Self-Service Approval Step Cronto Self-Service Approval Step FIDO Credential List FIDO Credential List Lock Self-Service Step Lock Self-Service Step Password Letter Order Step (Public Self-Service) Password Letter Order Step (Public Self-Service) Default Enable Cronto Device Flow Default Enable Cronto Device Flow Airlock 2FA Delete Devices Step Airlock 2FA Delete Devices Step Vasco OTP Self-Service Approval Step Vasco OTP Self-Service Approval Step Selection Step for User Self-Registration Selection Step for User Self-Registration Vasco OTP Device Activation Vasco OTP Device Activation User Role Assignment Step Config User Role Assignment Step Config Default Enable FIDO Credential Flow Default Enable FIDO Credential Flow mTAN Self-Service Approval Step mTAN Self-Service Approval Step Selection Option Rename Cronto Device Step Rename Cronto Device Step OATH OTP Authentication Step OATH OTP Authentication Step User Identification Step (Public Self-Service) User Identification Step (Public Self-Service) Default Cronto Device Renaming Flow Default Cronto Device Renaming Flow Delete mTAN Number Initiation Step Delete mTAN Number Initiation Step SSI Authentication Step SSI Authentication Step Default 
Disable Cronto Device Flow Default Disable Cronto Device Flow Password Repository Mapping Default Remember-Me Device Deletion Flow Default Remember-Me Device Deletion Flow mTAN Verification Step mTAN Verification Step Conditional Value Map Provider FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Application Portal Target Config Legacy Email OTP Authentication Step Legacy Email OTP Authentication Step Never Migrate Step Never Migrate Step Selection Step for Self-Service Selection Step for Self-Service Cronto Letter Order Step Config Cronto Letter Order Step Config No Operation Step No Operation Step Terms Of Services Step Terms Of Services Step Role-based Tag Acquisition Step Role-based Tag Acquisition Step FIDO Passwordless Authentication Step FIDO Passwordless Authentication Step Disable Cronto Push Initiation Step Disable Cronto Push Initiation Step Stop User Representation Step Stop User Representation Step Acknowledge Message Step Acknowledge Message Step HTTP Basic Authentication Step HTTP Basic Authentication Step Target Applications and Authentication Airlock 2FA Mobile Only Authentication Step Airlock 2FA Mobile Only Authentication Step Generic ID Propagator Voluntary Password Change Step Voluntary Password Change Step Remember-Me Device List Remember-Me Device List SAML 2.0 SP User Identifying Step SAML 2.0 SP User Identifying Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Consents Delete Initiation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Step (with additional Activation) OAuth 2.0 Consent List OAuth 2.0 Consent List Default OAuth 2.0 Consent Grant Flow Default OAuth 2.0 Consent Grant Flow Username Generation Step Config Username Generation Step Config Remember-Me Reset Step Remember-Me Reset Step Default FIDO Credential Removal Flow Delete OAuth 2.0 Session Initiation Step Delete OAuth 2.0 Session Initiation Step OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset 
Step Selection Step Selection Step
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.selection.condition.MtanNumberChangedConditionConfig
    id: MtanNumberChangedConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    mTAN Number Deletion Possible

    Description
    Condition that determines whether the current user can delete an mTAN number. For number deletion to be possible, the user needs to have at least one number. If "Allow Deleting Last Number" is enabled, at least two numbers are required.
    Class
    com.airlock.iam.selfservice.application.configuration.selection.condition.MtanNumberDeletionPossibleConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step,
    CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services,
    OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service Flow, Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step,
    User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step,
    mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow,
    Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    mTAN Settings (mtanSettings)
    Description
    Settings for handling mTAN numbers.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Allow Deleting Last Number (allowDeletingLastNumber)
    Description
    If enabled, the last number can be deleted. This can leave the user without a means to login again.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.selection.condition.MtanNumberDeletionPossibleConditionConfig
    id: MtanNumberDeletionPossibleConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowDeletingLastNumber: false
      mtanSettings:
    

    mTAN Number Item Definition

    Description

    Item to edit or register an mTAN number. By default, all numbers that can be normalized are accepted, but additional configurable validators can further restrict the number. Once validated, the normalized number is kept in the session to be verified and persisted later in the flow.

    In protected self-service flows, the dedicated "mTAN Token Edit Step" or "mTAN Token Registration Step" are the preferred way to edit or register mTAN tokens, respectively.

    Class
    com.airlock.iam.flow.shared.application.configuration.item.mtan.MtanNumberItemDefinitionConfig
    May be used by
    Properties
    Key (key)
    Description
    The key under which the client is expected to provide the number.
    Attributes
    String
    Optional
    Default value
    mtanNumber
    Required (required)
    Description
    Specifies whether this item is required for the step to validate successfully. If required, the number must be registered or changed. An optional number cannot be deleted. To delete an mTAN number, use a "Delete mTAN Number Initiation Step" or the pre-configured "Default mTAN Deletion Flow".
    Attributes
    Boolean
    Optional
    Default value
    true
    Maximum Input Length (maximumInputLength)
    Description
    Maximum length of the entered phone number, before normalization.
    Attributes
    Integer
    Optional
    Default value
    30
    Validators On Normalized (validatorsOnNormalized)
    Description
    Validators for the normalized mTAN number, e.g. to restrict the number to certain area codes.

    No validator can be configured for the raw input of the phone number. The input is always required to be normalizable by IAM, otherwise a validation error is returned. Normalization requires the number to start with "0" or the plus sign ("+") followed by digits and separation characters like white-space, dashes and parentheses. Normalized numbers always start with a plus sign, followed by digits only.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    mTAN Settings (mtanSettings)
    Description
    Defines the required settings for mTAN.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.item.mtan.MtanNumberItemDefinitionConfig
    id: MtanNumberItemDefinitionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      key: mtanNumber
      maximumInputLength: 30
      mtanSettings:
      required: true
      validatorsOnNormalized:
    
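As an added example (not Airlock IAM code), the following Python normalizer implements the rules stated above for the mTAN Number Item Definition (input must start with "0" or "+", followed by digits and separators; the normalized form is "+" and digits only; input length is checked before normalization) and then runs a list of "validators on normalized". Which country code replaces a leading "0", and the treatment of a "00" prefix, are assumptions of this example, as are the two sample validators.

```python
import re
from typing import Callable, Iterable, Optional, Tuple

# Constructed example: follows the normalization rules the reference states for
# the mTAN Number Item Definition, then applies "validators on normalized".

MAX_INPUT_LENGTH = 30  # the plugin's default "Maximum Input Length"

# Assumption of this example: the reference does not say which country code a
# leading "0" (national trunk prefix) maps to, nor how "00" is treated. Here
# "0..." receives this default country code and "00..." is taken as the
# international dialling prefix. A real deployment would take this from config.
ASSUMED_DEFAULT_COUNTRY_CODE = "41"

# Raw input: a leading "0" or "+", then digits and the separator characters the
# reference names (white-space, dashes, parentheses). Nothing else is accepted.
_RAW_PATTERN = re.compile(r"[0+][0-9\s\-()]*")
_SEPARATORS = re.compile(r"[\s\-()]")

# A validator receives the normalized number and returns an error message,
# or None when the number is acceptable.
Validator = Callable[[str], Optional[str]]


class MtanNumberValidationError(ValueError):
    """Raised when the raw input cannot be normalized."""


def normalize_mtan_number(raw: str,
                          max_input_length: int = MAX_INPUT_LENGTH,
                          default_country_code: str = ASSUMED_DEFAULT_COUNTRY_CODE) -> str:
    """Return the normalized number: "+" followed by digits only."""
    # Length limit applies to the raw input, before normalization.
    if len(raw) > max_input_length:
        raise MtanNumberValidationError(
            f"input longer than {max_input_length} characters")
    if not _RAW_PATTERN.fullmatch(raw):
        raise MtanNumberValidationError(
            "number must start with '0' or '+' followed by digits and separators")
    body = _SEPARATORS.sub("", raw[1:])  # digits after the leading "+" or "0"
    if raw[0] == "+":
        digits = body
    elif body.startswith("0"):
        digits = body[1:]                      # "00<cc>..." -> "+<cc>..." (assumption)
    else:
        digits = default_country_code + body   # "0<national>" -> "+<cc><national>" (assumption)
    if not body or not digits:
        raise MtanNumberValidationError("number contains no digits")
    return "+" + digits


def validate_mtan_number(raw: str,
                         validators: Iterable[Validator] = (),
                         **kwargs) -> Tuple[Optional[str], Optional[str]]:
    """Normalize, then run the validators on the normalized number.

    Returns (normalized, None) on success or (None, error_message) on the
    first failure, mirroring the step's validation error.
    """
    try:
        normalized = normalize_mtan_number(raw, **kwargs)
    except MtanNumberValidationError as exc:
        return None, str(exc)
    for validator in validators:
        error = validator(normalized)
        if error is not None:
            return None, error
    return normalized, None


def allowed_country_codes(codes: Iterable[str]) -> Validator:
    """Sample validator on the normalized number: restrict the country code."""
    prefixes = tuple(sorted(codes, key=len, reverse=True))

    def check(normalized: str) -> Optional[str]:
        if not normalized[1:].startswith(prefixes):
            return "country code not allowed"
        return None
    return check


def max_digits(limit: int = 15) -> Validator:
    """Sample validator: E.164 numbers carry at most 15 digits."""
    def check(normalized: str) -> Optional[str]:
        if len(normalized) - 1 > limit:
            return f"more than {limit} digits"
        return None
    return check


if __name__ == "__main__":
    # Constructed inputs, not real subscriber numbers.
    validators = [allowed_country_codes({"41", "49"}), max_digits()]
    for raw in ("+41 79 123 45 67", "079-123-45-67", "0041 (79) 123 45 67",
                "41 79 123 45 67", "+33 6 12 34 56 78", "+"):
        print(repr(raw), "->", validate_mtan_number(raw, validators))
```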

    mTAN Number List

    Description
    Configures the mTAN number list REST self-service. Additional self-service functionality can be configured in "Protected Self-Service Flows".
    Class
    com.airlock.iam.selfservice.application.configuration.token.MtanNumberListSelfServiceRestConfig
    May be used by
    License-Tags
    mTan
    Properties
    mTAN Settings (mtanSettings)
    Description
    Settings for handling mTAN numbers.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    mTan
    Assignable plugins
    Access Condition (accessCondition)
    Description

    Precondition that must be fulfilled for a user to access the mTAN number list.

    Note the difference to the "Authorization Condition":
    • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
    • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    mTan
    Assignable plugins
    Authorization Condition (authorizationCondition)
    Description
    Precondition that must be fulfilled for the user to be authorized to access the mTAN number list without further authentication. Note the difference to the "Access Condition":
    • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
    • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    mTan
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.token.MtanNumberListSelfServiceRestConfig
    id: MtanNumberListSelfServiceRestConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accessCondition:
      authorizationCondition:
      mtanSettings:
    

    mTAN Number Management UI

    Description
    Configures the mTAN number management user interface.

    Depending on the configuration, the user interface allows an authenticated user:

    • to delete an mTAN number.
    • to edit an mTAN phone number.
    • to activate a new mTAN number.

    The number management interface is accessible at /<loginapp-uri>/ui/app/protected/tokens/mtan after user authentication.

    Class
    com.airlock.iam.selfservice.application.configuration.ui.tokens.MtanNumberManagementUiConfig
    May be used by
    License-Tags
    mTan
    Properties
    Flow To Delete Number (flowToDeleteNumber)
    Description
    ID of the flow which is used for deletion of an mTAN number. If not configured, the user will not be able to delete a number via the management UI.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Flow To Edit Number (flowToEditNumber)
    Description
    ID of the flow which is used for changing the label of an mTAN number. If not configured, the user will not be able to edit the label of a number via the management UI.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Flow To Register Number (flowToRegisterNumber)
    Description
    ID of the flow which is used for registering an mTAN number. If not configured, the user will not be able to register a new number via the management UI.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Page Exit Target (pageExitTarget)
    Description

    If configured, an additional button is displayed on the mTAN number management page to exit it. On click, this button redirects the user to the configured target.

    To redirect to a target application, redirect to the corresponding "Authentication Flow". If the flow can be skipped due to the obtained tags, the user is directly forwarded to the target application.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.ui.tokens.MtanNumberManagementUiConfig
    id: MtanNumberManagementUiConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      flowToDeleteNumber:
      flowToEditNumber:
      flowToRegisterNumber:
      pageExitTarget:
    

    mTAN Number Registration Possible

    Description
    Condition that determines whether the current user can register an mTAN token. This depends on the number of already registered tokens and the limit in the configured mTAN Handler.
    Class
    com.airlock.iam.selfservice.application.configuration.selection.condition.MtanRegistrationPossibleConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step,
    CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services,
    OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service Flow, Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step,
    User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step,
mTAN Token Registration Step mTAN Token Registration Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Delete Initiation Step Selection Option For Public Self-Service Username Password Authentication Step Username Password Authentication Step Certificate Credential Extraction Step Config Certificate Credential Extraction Step Config OAuth 2.0 Session List OAuth 2.0 Session List Set Password Step Config Set Password Step Config Flow Condition To Authentication Context Mapping Password Change Self-Service Step Password Change Self-Service Step SSI Verification Step SSI Verification Step Default OAuth 2.0 Consent Deny Flow Default OAuth 2.0 Consent Deny Flow Device Token Identity Verification Step Config Device Token Identity Verification Step Config Cronto Self-Service Approval Step Cronto Self-Service Approval Step FIDO Credential List FIDO Credential List Lock Self-Service Step Lock Self-Service Step Password Letter Order Step (Public Self-Service) Password Letter Order Step (Public Self-Service) Default Enable Cronto Device Flow Default Enable Cronto Device Flow Airlock 2FA Delete Devices Step Airlock 2FA Delete Devices Step Vasco OTP Self-Service Approval Step Vasco OTP Self-Service Approval Step Selection Step for User Self-Registration Selection Step for User Self-Registration Vasco OTP Device Activation Vasco OTP Device Activation User Role Assignment Step Config User Role Assignment Step Config Default Enable FIDO Credential Flow Default Enable FIDO Credential Flow mTAN Self-Service Approval Step mTAN Self-Service Approval Step Selection Option Rename Cronto Device Step Rename Cronto Device Step OATH OTP Authentication Step OATH OTP Authentication Step User Identification Step (Public Self-Service) User Identification Step (Public Self-Service) Default Cronto Device Renaming Flow Default Cronto Device Renaming Flow Delete mTAN Number Initiation Step Delete mTAN Number Initiation Step SSI Authentication Step SSI Authentication Step Default 
Disable Cronto Device Flow Default Disable Cronto Device Flow Password Repository Mapping Default Remember-Me Device Deletion Flow Default Remember-Me Device Deletion Flow mTAN Verification Step mTAN Verification Step Conditional Value Map Provider FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Application Portal Target Config Legacy Email OTP Authentication Step Legacy Email OTP Authentication Step Never Migrate Step Never Migrate Step Selection Step for Self-Service Selection Step for Self-Service Cronto Letter Order Step Config Cronto Letter Order Step Config No Operation Step No Operation Step Terms Of Services Step Terms Of Services Step Role-based Tag Acquisition Step Role-based Tag Acquisition Step FIDO Passwordless Authentication Step FIDO Passwordless Authentication Step Disable Cronto Push Initiation Step Disable Cronto Push Initiation Step Stop User Representation Step Stop User Representation Step Acknowledge Message Step Acknowledge Message Step HTTP Basic Authentication Step HTTP Basic Authentication Step Target Applications and Authentication Airlock 2FA Mobile Only Authentication Step Airlock 2FA Mobile Only Authentication Step Generic ID Propagator Voluntary Password Change Step Voluntary Password Change Step Remember-Me Device List Remember-Me Device List SAML 2.0 SP User Identifying Step SAML 2.0 SP User Identifying Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Consents Delete Initiation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Step (with additional Activation) OAuth 2.0 Consent List OAuth 2.0 Consent List Default OAuth 2.0 Consent Grant Flow Default OAuth 2.0 Consent Grant Flow Username Generation Step Config Username Generation Step Config Remember-Me Reset Step Remember-Me Reset Step Default FIDO Credential Removal Flow Delete OAuth 2.0 Session Initiation Step Delete OAuth 2.0 Session Initiation Step OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset 
Step Selection Step Selection Step
    Properties
    mTAN Settings (mtanSettings)
    Description
    Settings for handling mTAN numbers.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.selection.condition.MtanRegistrationPossibleConditionConfig
    id: MtanRegistrationPossibleConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      mtanSettings:
    

    mTAN OTP Check Settings (based on mTAN Settings)

    Description
    The settings for mTAN OTP checks based on the existing "MTAN/SMS Settings".
    Class
    com.airlock.iam.authentication.application.configuration.mtan.ExistingMtanOtpCheckConfig
    May be used by
    Properties
    mTAN Settings (mtanSettings)
    Description
    Defines all settings for mTAN.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Choose Last Number Automatically (chooseLastNumberAutomatically)
    Description
    If enabled, the number used for the last successful login attempt is chosen automatically without any user interaction.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.mtan.ExistingMtanOtpCheckConfig
    id: ExistingMtanOtpCheckConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      chooseLastNumberAutomatically: false
      mtanSettings:
    

    mTAN OTP Checks Settings

    Description
    Settings for mTAN OTP Checks.
    Class
    com.airlock.iam.authentication.application.configuration.mtan.MtanOtpCheckConfig
    May be used by
    Properties
    Basic mTAN Settings (basicSettings)
    Description
    Basic mTAN configuration settings.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    OTP Generator (otpGenerator)
    Description
    The string generator plugin to generate the one time password (OTP) token.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Case-Sensitive OTP Check (otpCaseSensitive)
    Description
    If enabled, the case of characters is respected when checking OTP tokens.
    Attributes
    Boolean
    Optional
    Default value
    true
    Max Wrong OTP Checks (maxWrongOtpChecks)
    Description
    The number of times a user may retry after a wrong OTP is entered before the flow is aborted. If set to zero (the default), only one attempt is possible for each OTP. This is more secure but may increase costs (if sending an SMS is costly) and negatively affects usability.
    Setting this value to n means that the user has n+1 tries in total. This should not be confused with the limit of failed attempts before the user is locked, which is configured globally for each flow type.
    Attributes
    Integer
    Optional
    Default value
    0
    Max OTP Resends (maxOtpResends)
    Description
    Maximum number of times an OTP token may be requested to be resent during one authentication process. Authentication is aborted if this limit is exceeded. Token retransmissions are disabled if this value is 0. Restricting this value to a small number prevents the abusive use of SMS delivery.
    Attributes
    Integer
    Optional
    Default value
    0
    Resend Same OTP (resendSameOtp)
    Description
    If token resends are enabled, this property sets whether the same OTP token should be resent or whether a new OTP should be generated for each retransmission. Setting this property to true is less secure but helps to avoid erroneous user input when the initial OTP is received before the retransmission.
    Attributes
    Boolean
    Optional
    Default value
    false
    OTP Validity [s] (otpValidity)
    Description
    Determines how long the OTP is valid (in seconds).
    Attributes
    Integer
    Optional
    Default value
    300
    Last Token Automatically Selected (lastTokenAutomaticallySelected)
    Description
    Controls whether the last used mTAN token is selected by default instead of presenting a selection to the user.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.mtan.MtanOtpCheckConfig
    id: MtanOtpCheckConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      basicSettings:
      lastTokenAutomaticallySelected: false
      maxOtpResends: 0
      maxWrongOtpChecks: 0
      otpCaseSensitive: true
      otpGenerator:
      otpValidity: 300
      resendSameOtp: false
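
The following model of the retry, resend, validity and case-sensitivity rules described for these properties is an added example, not code from the Airlock IAM product or documentation; the OTP length and the choice to count an expired OTP as a wrong check are assumptions, and the SMS gateway is replaced by an in-memory list.

```python
import hmac
import secrets
import string
import time
from dataclasses import dataclass


@dataclass
class MtanOtpCheckSettings:
    """Mirrors the properties of the mTAN OTP Checks Settings plugin."""
    max_wrong_otp_checks: int = 0    # maxWrongOtpChecks: n wrong answers tolerated, n+1 tries in total
    max_otp_resends: int = 0         # maxOtpResends: 0 disables resends
    resend_same_otp: bool = False    # resendSameOtp: reuse the OTP on resend instead of generating a new one
    otp_validity: int = 300          # otpValidity: seconds an OTP stays valid
    otp_case_sensitive: bool = True  # otpCaseSensitive
    otp_length: int = 6              # assumption: stands in for the configurable OTP generator plugin


class OtpFlowAborted(Exception):
    """Raised when a limit is exceeded and the authentication flow is aborted."""


class MtanOtpCheck:
    """One OTP check within a single authentication process."""

    def __init__(self, settings, clock=time.monotonic, rng=None):
        self.settings = settings
        self.clock = clock                        # injectable so validity can be tested
        self.rng = rng or secrets.SystemRandom()  # injectable so the OTP is reproducible in tests
        self.wrong_checks = 0
        self.resends = 0
        self.otp = None
        self.issued_at = None
        self.sent = []                            # constructed stand-in for the SMS gateway

    def _generate_otp(self):
        alphabet = string.ascii_uppercase + string.digits
        return "".join(self.rng.choice(alphabet) for _ in range(self.settings.otp_length))

    def _send(self, otp):
        self.otp = otp
        self.issued_at = self.clock()  # assumption: validity is counted from the latest send
        self.sent.append(otp)

    def start(self):
        """Generates and sends the first OTP of this authentication process."""
        self._send(self._generate_otp())

    def resend(self):
        """Handles a user request to resend the OTP, enforcing maxOtpResends."""
        if self.resends >= self.settings.max_otp_resends:
            raise OtpFlowAborted("OTP resends disabled or resend limit exceeded")
        self.resends += 1
        self._send(self.otp if self.settings.resend_same_otp else self._generate_otp())

    def check(self, user_input):
        """Returns True on a valid OTP, False on a wrong one while retries remain,
        and raises OtpFlowAborted once maxWrongOtpChecks is exceeded."""
        if self.otp is None:
            raise RuntimeError("no OTP has been sent")
        expected, given = self.otp, user_input
        if not self.settings.otp_case_sensitive:
            expected, given = expected.casefold(), given.casefold()
        matches = hmac.compare_digest(expected.encode(), given.encode())
        expired = self.clock() - self.issued_at > self.settings.otp_validity
        if matches and not expired:
            return True
        # assumption: an expired OTP is treated like a wrong one
        self.wrong_checks += 1
        if self.wrong_checks > self.settings.max_wrong_otp_checks:
            raise OtpFlowAborted("too many wrong OTP checks")
        return False
```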
    

    mTAN Public Self-Service Approval Step

    Description
    Configuration for an mTAN approval step for public self-service flows.

    Note that unlike identity verification steps, approval steps require an existing user and cannot prevent username enumeration (no stealth mode). It is therefore important that approval steps are only used after an identity verification step.

    Class
    com.airlock.iam.publicselfservice.application.configuration.steps.MtanPublicSelfServiceApprovalStepConfig
    May be used by
    Properties
    Message Provider (messageProvider)
    Description
    Creates the message based on the self-service operation.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    mTAN Settings (mtanSettings)
    Description
    Defines the required settings for checking mTAN OTPs.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    MTAN
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.steps.MtanPublicSelfServiceApprovalStepConfig
    id: MtanPublicSelfServiceApprovalStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: MTAN
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      messageProvider:
      mtanSettings:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    mTAN Registration Number Provider

    Description
    Provides the mTAN number stored in the flow session for mTAN number registration. This provider must find an mTAN number in the flow session, otherwise it fails.
    Class
    com.airlock.iam.flow.shared.application.configuration.valueprovider.MtanRegistrationNumberProviderConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.valueprovider.MtanRegistrationNumberProviderConfig
    id: MtanRegistrationNumberProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    mTAN Self-Service Approval Step

    Description
    Configuration for an mTAN approval step for self-service flows. This can be used to validate self-service operations such as user data changes or registrations of additional devices. Typically, this step is configured between the step where a change is initiated and the step where the change is persisted.
    Class
    com.airlock.iam.selfservice.application.configuration.step.MtanSelfServiceApprovalStepConfig
    May be used by
    Properties
    Message Provider (messageProvider)
    Description
    Creates the message based on the self-service operation.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    mTAN Settings (mtanSettings)
    Description
    Defines the required settings for checking mTAN OTPs.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    MTAN
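
The counter behaviour described under 'Authentication Method ID' here and in the mTAN Public Self-Service Approval Step above, modelled as an added example that is not Airlock IAM code: failed attempts are counted per (user, authentication method ID), a success resets that counter, and the lock limit, credential store and sample values are constructed assumptions.

```python
import hmac
from collections import defaultdict


class FailedAttemptTracker:
    """Counts failed attempts per (user, authentication method id). A successful
    check resets that counter; reaching max_failed locks the user.
    max_failed stands in for the global per-flow-type lock limit (assumed value)."""

    def __init__(self, max_failed=3):
        self.max_failed = max_failed
        self.failed = defaultdict(int)
        self.locked = set()

    def record(self, user, method_id, success):
        if user in self.locked:
            return False
        key = (user, method_id)
        if success:
            self.failed[key] = 0
            return True
        self.failed[key] += 1
        if self.failed[key] >= self.max_failed:
            self.locked.add(user)
        return False


class CredentialCheckStep:
    """A step checking one credential under a configured authenticationMethodId."""

    def __init__(self, method_id, secrets_by_user):
        self.method_id = method_id
        self.secrets_by_user = secrets_by_user  # constructed in-memory credential store

    def check(self, tracker, user, candidate):
        stored = self.secrets_by_user.get(user, "")
        ok = hmac.compare_digest(stored.encode(), candidate.encode())
        return tracker.record(user, self.method_id, ok)


def guesses_until_lock(flow_a, flow_b, user, known_secret_a, candidates_b, tracker):
    """Replays the scenario from the description: before each wrong guess on flow B,
    a successful flow A login is performed. Returns (guesses processed, user locked)."""
    processed = 0
    for candidate in candidates_b:
        if user in tracker.locked:
            break
        flow_a.check(tracker, user, known_secret_a)
        flow_b.check(tracker, user, candidate)
        processed += 1
    return processed, user in tracker.locked


def compare_counter_layouts(max_failed=3, guesses=10):
    """Returns the outcome for a shared id ("PASSWORD") and for distinct ids
    ("PASSWORD1"/"PASSWORD2"), using constructed sample credentials."""
    store_a = {"alice": "correct-horse"}
    store_b = {"alice": "battery-staple"}
    candidates = [f"guess-{i}" for i in range(guesses)]
    results = {}
    for label, id_a, id_b in (("shared", "PASSWORD", "PASSWORD"),
                              ("distinct", "PASSWORD1", "PASSWORD2")):
        tracker = FailedAttemptTracker(max_failed)
        results[label] = guesses_until_lock(
            CredentialCheckStep(id_a, store_a), CredentialCheckStep(id_b, store_b),
            "alice", "correct-horse", candidates, tracker)
    return results
```

With the shared identifier the flow B counter is reset by every flow A success and the user is never locked; with distinct identifiers the lock limit applies to flow B on its own.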
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.MtanSelfServiceApprovalStepConfig
    id: MtanSelfServiceApprovalStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: MTAN
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      messageProvider:
      mtanSettings:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    mTAN Self-Service Settings (based on mTAN Settings, Legacy)

    Description
    The settings for managing mTAN tokens based on the existing mTAN Settings.
    Class
    com.airlock.iam.login.application.configuration.mtan.MtanSelfServiceConfig
    May be used by
    Properties
    mTAN Settings (mtanSettings)
    Description
    Defines all settings for mTAN.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.mtan.MtanSelfServiceConfig
    id: MtanSelfServiceConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      mtanSettings:
    

    mTAN Self-Services (Legacy)

    Description
    The settings for managing mTAN tokens.
    Class
    com.airlock.iam.login.application.configuration.mtan.MtanSelfServicesLegacyConfig
    May be used by
    Properties
    mTAN Settings (mtanSettings)
    Description
    General settings for SMS/mTAN handling.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Message Template Key (messageTemplateKey)
    Description
    Key of the message template in the string resource files to enable language-specific messages to be sent to the user. The string $TOKEN$ in the message template is mandatory and is replaced by the token.
    Attributes
    String
    Optional
    Default value
    sms-authenticator.default-message
    OTP Generator (tokenGenerator)
    Description
    The string generator plugin to generate the one time password (OTP) token.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Case-Sensitive OTP Check (otpCaseSensitive)
    Description
    If enabled, the case of characters is respected when checking OTP tokens.
    Attributes
    Boolean
    Optional
    Default value
    true
    Allow Phone Number Change (allowPhoneNumberChange)
    Description
    If enabled, the user may change an already registered mobile phone number by starting the registration process for mobile phone numbers. If disabled (the default), changing an already registered number is not possible.
    Attributes
    Boolean
    Optional
    Default value
    false
    OTP Validity [s] (otpValidity)
    Description
    Determines how long the OTP is valid (in seconds).
    Attributes
    Integer
    Optional
    Default value
    300
    Normalized Number Validation Regex (phoneNumberValidationRegex)
    Description
    Regular expression to restrict phone numbers (e.g. to a specific country or internal company numbers).
    If configured, the normalized phone number is matched against this regular expression.
    Attributes
    RegEx
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.mtan.MtanSelfServicesLegacyConfig
    id: MtanSelfServicesLegacyConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowPhoneNumberChange: false
      messageTemplateKey: sms-authenticator.default-message
      mtanSettings:
      otpCaseSensitive: true
      otpValidity: 300
      phoneNumberValidationRegex:
      tokenGenerator:
    

    MTAN Token Deleted

    Description
    Event that is triggered by the deletion of an MTAN Token.
    Class
    com.airlock.iam.common.application.configuration.event.MtanTokenDeletedSubscribedEventConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.event.MtanTokenDeletedSubscribedEventConfig
    id: MtanTokenDeletedSubscribedEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    mTAN Token Edit Step

    Description
    Self-service step for editing an mTAN token. This step requires a preceding Select mTAN Token Step to select a token.
    Class
    com.airlock.iam.selfservice.application.configuration.step.MtanTokenEditStepConfig
    May be used by
    Properties
    mTAN Settings (mtanSettings)
    Description
    Defines the settings for mTAN.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Number Editable (numberEditable)
    Description
    If enabled, the mTAN number can be edited in this step.
    Attributes
    Boolean
    Optional
    Default value
    true
    Number Required (numberRequired)
    Description
    If enabled, the mTAN number is required, i.e. it must be changed.
    Attributes
    Boolean
    Optional
    Default value
    false
    Validators On Normalized (validatorsOnNormalized)
    Description
    Validators for the normalized mTAN number. E.g. to restrict the number to certain area codes.

    No validator can be configured for the raw input of the phone number. The input is always required to be normalizable by IAM, otherwise a validation error is returned. Normalization requires the number to start with "0" or the plus sign ("+") followed by digits and separation characters like white-space, dashes and parentheses. Normalized numbers always start with a plus sign, followed by digits only.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
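
The normalization rules stated above, followed by regex validators on the normalized number (as used by 'Validators On Normalized' here and by 'Normalized Number Validation Regex' in the legacy mTAN Self-Services), as an added example that is not Airlock IAM code; the country code that replaces a leading "0" is an assumption, since the page does not state it.

```python
import re

# Raw input accepted for normalization: "0" or "+" followed by digits and the
# separators named above (whitespace, dashes, parentheses).
_RAW_NUMBER = re.compile(r"(0|\+)[0-9\s()\-]+")


class PhoneNumberValidationError(ValueError):
    """Raised when the raw input cannot be normalized or a validator rejects it."""


def normalize_mtan_number(raw, default_country_code="+41"):
    """Returns the normalized form: a plus sign followed by digits only.
    default_country_code is an assumption: the page does not say which
    country code replaces a leading "0"."""
    s = raw.strip()
    if not _RAW_NUMBER.fullmatch(s):
        raise PhoneNumberValidationError(f"not normalizable: {raw!r}")
    digits = "".join(ch for ch in s if ch.isdigit())
    if s.startswith("+"):
        normalized = "+" + digits
    else:
        normalized = default_country_code + digits[1:]  # drop the national "0" prefix
    if len(normalized) < 4:  # assumption: a bare country code is not a number
        raise PhoneNumberValidationError(f"not normalizable: {raw!r}")
    return normalized


def validate_normalized(number, validators):
    """Applies regex validators to the normalized number; each regex must match
    the whole number. Returns the list of patterns that rejected it."""
    return [pattern for pattern in validators if not re.fullmatch(pattern, number)]


def register_mtan_number(raw, validators=(), default_country_code="+41"):
    """Normalizes, validates and returns the number as it would be stored."""
    normalized = normalize_mtan_number(raw, default_country_code)
    rejected = validate_normalized(normalized, validators)
    if rejected:
        raise PhoneNumberValidationError(f"{normalized} rejected by {rejected}")
    return normalized
```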
    Label Editable (labelEditable)
    Description
    If enabled, the label can be edited in this step.
    Attributes
    Boolean
    Optional
    Default value
    true
    Label Required (labelRequired)
    Description
    If enabled, the label is required, i.e. it must be set or changed.
    Attributes
    Boolean
    Optional
    Default value
    false
    Label Validators (labelValidators)
    Description
    Validators for the label.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.MtanTokenEditStepConfig
    id: MtanTokenEditStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      labelEditable: true
      labelRequired: false
      labelValidators:
      mtanSettings:
      numberEditable: true
      numberRequired: false
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      validatorsOnNormalized:
    

    mTAN Token Import Handler

    Description
    Handles the import of mTAN tokens. It reads all mTAN tokens from the provided list of tokens. For each item in the list, it updates the corresponding mTAN item if there already exists a token with the same phone number for the given user. If no such item exists, it creates a new item. The handler assumes that all mTAN items of the user are contained in the list, i.e., already existing items with a phone number that is not contained in the provided list are deleted. Already existing items that have no phone number are deleted as well. If the list is empty, the handler does not change any existing items.
    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.MtanTokenImportHandler
    May be used by
    Properties
    Mtan Settings (mtanSettings)
    Description
    Defines settings concerning mTAN. In particular, it provides access to the configured MtanHandler to read and write mTAN tokens. Furthermore, it provides phone number normalization settings. All imported phone numbers are normalized according to these settings while existing phone numbers in storage are assumed to be normalized according to these same settings already.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Only Import For New Users (onlyImportForNewUsers)
    Description
    If enabled, existing values in the DB are not updated with values read from the file.
    Attributes
    Boolean
    Optional
    Default value
    false
    Normalize Phone Numbers (normalizePhoneNumbers)
    Description
    If enabled, the phone number entered by the user is normalized before being stored. Normalizing means that it is transformed into the international form like "+41761234567".
    A default country code (see separate property) must be specified if this feature is enabled.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.MtanTokenImportHandler
    id: MtanTokenImportHandler-xxxxxx
    displayName: 
    comment: 
    properties:
      mtanSettings:
      normalizePhoneNumbers: true
      onlyImportForNewUsers: false
    

    mTAN Token Insertion Handler

    Description
    Persists a newly registered mTAN token that was defined through a registration data item.
    Class
    com.airlock.iam.userselfreg.application.configuration.step.MtanInsertionHandlerConfig
    May be used by
    License-Tags
    Airlock2FA,SelfRegistration
    Properties
    mTAN Settings (mtanSettings)
    Description
    Defines the required settings for mTAN.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.step.MtanInsertionHandlerConfig
    id: MtanInsertionHandlerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      mtanSettings:
    

    mTAN Token Management UI Redirect

    Description
    Redirects to the "mTAN Number Management UI".
    Class
    com.airlock.iam.selfservice.application.configuration.ui.tokens.MtanNumberManagementFlowRedirectTargetConfig
    May be used by
    License-Tags
    mTan
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.ui.tokens.MtanNumberManagementFlowRedirectTargetConfig
    id: MtanNumberManagementFlowRedirectTargetConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    MTAN Token Phone Number Changed

    Description
    Event that is triggered by the change of an mTAN Token phone number.
    Class
    com.airlock.iam.common.application.configuration.event.MtanTokenPhoneNumberChangedSubscribedEventConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.event.MtanTokenPhoneNumberChangedSubscribedEventConfig
    id: MtanTokenPhoneNumberChangedSubscribedEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    MTAN Token Registered

    Description
    Event that is triggered by a completed registration of an MTAN Token.
    Class
    com.airlock.iam.common.application.configuration.event.MtanTokenRegisteredSubscribedEventConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.event.MtanTokenRegisteredSubscribedEventConfig
    id: MtanTokenRegisteredSubscribedEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    mTAN Token Registration Step

    Description
    Flow step for registering an mTAN token. This step only keeps the token information in the flow session, which allows for verification of the number in a separate step. To persist the registered (and potentially verified) token, use an "Apply Changes Step" with an "Apply mTAN Registration Change" handler.
    Class
    com.airlock.iam.flow.shared.application.configuration.step.mtan.MtanTokenRegistrationStepConfig
    May be used by
    Properties
    mTAN Settings (mtanSettings)
    Description
    Defines the settings for mTAN.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Validators On Normalized (validatorsOnNormalized)
    Description
    Validators for the normalized mTAN number. E.g. to restrict the number to certain area codes.

    No validator can be configured for the raw input of the phone number. The input is always required to be normalizable by IAM, otherwise a validation error is returned. Normalization requires the number to start with "0" or the plus sign ("+") followed by digits and separation characters like white-space, dashes and parentheses. Normalized numbers always start with a plus sign, followed by digits only.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Label Editable (labelEditable)
    Description
    If enabled, a label can be registered in this step.
    Attributes
    Boolean
    Optional
    Default value
    true
    Label Required (labelRequired)
    Description
    If enabled, the label is required, i.e. it must be set.
    Attributes
    Boolean
    Optional
    Default value
    false
    Label Validators (labelValidators)
    Description
    Validators for the label.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.step.mtan.MtanTokenRegistrationStepConfig
    id: MtanTokenRegistrationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      labelEditable: true
      labelRequired: false
      labelValidators:
      mtanSettings:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      validatorsOnNormalized:
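
The normalization rule quoted under "Validators On Normalized" (for this step and the mTAN Token Edit Step, together with the "Normalize Phone Numbers" property of the import handler), as an added Python illustration that is not Airlock IAM's own code: the raw-input check, the conversion to "+<digits>" form, and a prefix validator that runs only on the normalized number. Replacing a leading "0" with the default country code, and the Swiss mobile prefixes used in the demo, are assumptions of this example.

```python
"""Illustration of the mTAN phone number normalization and validation rules
described in the Airlock IAM plugin reference. Example code, not IAM's own code."""
import re
from dataclasses import dataclass
from typing import Optional, Sequence

# Raw-input rule from the reference: the number must start with "0" or "+",
# followed by digits and separator characters (whitespace, dashes, parentheses).
RAW_INPUT = re.compile(r"^(?:0|\+)[0-9\s\-()]+$")
SEPARATORS = re.compile(r"[\s\-()]")


class PhoneValidationError(ValueError):
    """Raised when input cannot be normalized or a validator rejects it."""


def normalize_mtan_number(raw: str, default_country_code: str) -> str:
    """Return the number in normalized form: a plus sign followed by digits only.

    default_country_code is the country calling code without "+" (e.g. "41").
    Replacing a leading national "0" with it is an assumption of this example;
    the reference only states that a default country code must be configured.
    """
    if not default_country_code.isdigit():
        raise ValueError("default country code must consist of digits only")
    candidate = raw.strip()
    if not RAW_INPUT.fullmatch(candidate):
        raise PhoneValidationError(f"not normalizable: {raw!r}")
    compact = SEPARATORS.sub("", candidate)   # "+41 76-123 45 67" -> "+41761234567"
    rest = compact[1:]                          # drop the leading "+" or trunk "0"
    if not rest.isdigit():                      # e.g. "+-" leaves nothing usable
        raise PhoneValidationError(f"not normalizable: {raw!r}")
    if compact.startswith("+"):
        return "+" + rest
    return "+" + default_country_code + rest


@dataclass(frozen=True)
class AllowedPrefixValidator:
    """Analogue of an entry in 'Validators On Normalized': accept only numbers
    whose normalized form starts with one of the allowed prefixes."""
    allowed_prefixes: Sequence[str]

    def check(self, normalized: str) -> None:
        if not any(normalized.startswith(p) for p in self.allowed_prefixes):
            raise PhoneValidationError(
                f"{normalized} is outside the allowed prefixes {list(self.allowed_prefixes)}")


@dataclass(frozen=True)
class RegistrationResult:
    normalized: Optional[str]
    error: Optional[str]


def register_mtan_number(raw: str, default_country_code: str,
                         validators: Sequence[AllowedPrefixValidator] = ()) -> RegistrationResult:
    """Mirror the step's ordering: normalize first (no validators exist for the raw
    input), then apply the validators to the normalized number."""
    try:
        normalized = normalize_mtan_number(raw, default_country_code)
        for validator in validators:
            validator.check(normalized)
    except PhoneValidationError as exc:
        return RegistrationResult(None, str(exc))
    return RegistrationResult(normalized, None)


if __name__ == "__main__":
    # Constructed sample policy: Swiss mobile prefixes only (assumption of this example).
    swiss_mobile_only = [AllowedPrefixValidator(("+4175", "+4176", "+4177", "+4178", "+4179"))]
    for raw in ("+41 76-123 45 67", "076 123 45 67", "(0)76 123 45 67", "0 44 123 45 67"):
        print(f"{raw!r:22} -> {register_mtan_number(raw, '41', swiss_mobile_only)}")
```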
    

    mTAN Transaction Approval Step

    Description
    Configuration for an mTAN transaction approval flow step.
    Class
    com.airlock.iam.transactionapproval.application.configuration.mtan.MtanTransactionApprovalStepConfig
    May be used by
    License-Tags
    TransactionApproval
    Properties
    Message Provider (messageProvider)
    Description
    Creates the message for transaction approval.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    mTAN Settings (mtanSettings)
    Description
    Defines the required settings for checking mTAN OTPs.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    MTAN
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.transactionapproval.application.configuration.mtan.MtanTransactionApprovalStepConfig
    id: MtanTransactionApprovalStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: MTAN
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      messageProvider:
      mtanSettings:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    mTAN Verification Step

    Description
    Flow step to verify the registration of an mTAN number of a previous user data edit step to be used as an authentication method. It sends an OTP to the number to be verified and optionally also verifies an IAK that was sent by letter. This step is typically followed by an "Apply Changes Step" with an "Apply mTAN Registration Change" handler, unless the number is already pre-registered and persisting is not needed.
    Class
    com.airlock.iam.flow.shared.application.configuration.step.MtanVerificationStepConfig
    May be used by
    Properties
    mTAN Settings (mtanSettings)
    Description
    Defines the required settings for mTAN.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    IAK Verification Required (iakVerificationRequired)
    Description

    If enabled, IAK verification is required. Make sure that the configured mTAN Handler also supports IAK verification.

    Typically, this is not needed if the step is configured in a migration subflow, but it is essential for security reasons if the step is used during authentication for new users that have not yet registered an mTAN number.

    Attributes
    Boolean
    Optional
    Default value
    true
    Message Provider (messageProvider)
    Description
    Creates the message for the verification SMS.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    MTAN
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.step.MtanVerificationStepConfig
    id: MtanVerificationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: MTAN
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      iakVerificationRequired: true
      interactiveGotoTargets:
      messageProvider:
      mtanSettings:
      onFailureGotos:
      phoneNumberProvider:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
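
The shared-counter problem described under "Authentication Method ID" (for this step and for the mTAN Transaction Approval Step), as an added Python model that is not Airlock IAM's lockout implementation: failed attempts are counted per (user, method ID), a success resets only its own counter, and a small configuration lint flags IDs shared across steps or longer than the documented 23 characters. The lockout threshold of 5 and the step names are constructed values.

```python
"""Model of failed-attempt counting per authentication method ID, illustrating the
'Authentication Method ID' description. Example code, not Airlock IAM's lockout logic."""
from collections import defaultdict
from typing import Dict, List, Mapping, Tuple

MAX_FAILED_ATTEMPTS = 5    # constructed threshold for this example
MAX_METHOD_ID_LENGTH = 23  # the reference states Length <= 23 for the ID


class FailedAttemptCounters:
    """Counts failed credential checks per (user, authenticationMethodId).

    A successful check resets only the counter of the method ID it ran under.
    Two steps that check different credentials under one ID share one counter,
    so a success on either step resets it for both.
    """

    def __init__(self, max_failed: int = MAX_FAILED_ATTEMPTS) -> None:
        self.max_failed = max_failed
        self._failed: Dict[Tuple[str, str], int] = defaultdict(int)

    def is_locked(self, user: str, method_id: str) -> bool:
        return self._failed[(user, method_id)] >= self.max_failed

    def check(self, user: str, method_id: str, credential_ok: bool) -> bool:
        """Record one attempt. Returns True only for a successful, unlocked check."""
        key = (user, method_id)
        if self.is_locked(user, method_id):
            return False              # locked: rejected without evaluating the credential
        if credential_ok:
            self._failed[key] = 0     # success resets this method's counter only
            return True
        self._failed[key] += 1
        return False


def count_checked_guesses(counters: FailedAttemptCounters, user: str,
                          method_id_a: str, method_id_b: str, rounds: int) -> int:
    """Scenario from the reference: credential A always passes, credential B is always
    wrong. Each round makes max_failed-1 wrong B attempts, then one successful A login.
    Returns how many B attempts were evaluated before the B counter locked the user."""
    checked = 0
    for _ in range(rounds):
        for _ in range(counters.max_failed - 1):
            if counters.is_locked(user, method_id_b):
                return checked
            counters.check(user, method_id_b, credential_ok=False)
            checked += 1
        counters.check(user, method_id_a, credential_ok=True)
    return checked


def lint_method_ids(steps: Mapping[str, str]) -> List[str]:
    """Configuration check: given step name -> authenticationMethodId, report IDs used
    by more than one step and IDs exceeding the documented length limit."""
    by_id: Dict[str, List[str]] = defaultdict(list)
    for step, method_id in steps.items():
        by_id[method_id].append(step)
    findings: List[str] = []
    for method_id, users in sorted(by_id.items()):
        if len(users) > 1:
            findings.append(f"{method_id} shared by {', '.join(sorted(users))}")
        if len(method_id) > MAX_METHOD_ID_LENGTH:
            findings.append(f"{method_id} exceeds {MAX_METHOD_ID_LENGTH} characters")
    return findings


if __name__ == "__main__":
    shared = count_checked_guesses(FailedAttemptCounters(), "alice", "PASSWORD", "PASSWORD", 3)
    distinct = count_checked_guesses(FailedAttemptCounters(), "alice", "PASSWORD1", "PASSWORD2", 3)
    print(f"shared ID: {shared} guesses evaluated on flow B; distinct IDs: {distinct}")
    print(lint_method_ids({"flow A password step": "PASSWORD",
                           "flow B password step": "PASSWORD",
                           "mTAN verification step": "MTAN"}))
```

With a shared ID the evaluated guesses grow with every round; with distinct IDs they stop at the threshold and only the B counter is locked.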
    

    mTAN was used for login (Transaction Approval only)

    Description
    Flow selection condition that selects the subflow if mTAN was used for login (as determined by the authTokenId provided in a previous Transaction Approval Parameter Step).
    Class
    com.airlock.iam.transactionapproval.application.configuration.selection.MtanAuthTokenIdSelectionConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service Flow, Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step
mTAN Token Registration Step mTAN Token Registration Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Delete Initiation Step Selection Option For Public Self-Service Username Password Authentication Step Username Password Authentication Step Certificate Credential Extraction Step Config Certificate Credential Extraction Step Config OAuth 2.0 Session List OAuth 2.0 Session List Set Password Step Config Set Password Step Config Flow Condition To Authentication Context Mapping Password Change Self-Service Step Password Change Self-Service Step SSI Verification Step SSI Verification Step Default OAuth 2.0 Consent Deny Flow Default OAuth 2.0 Consent Deny Flow Device Token Identity Verification Step Config Device Token Identity Verification Step Config Cronto Self-Service Approval Step Cronto Self-Service Approval Step FIDO Credential List FIDO Credential List Lock Self-Service Step Lock Self-Service Step Password Letter Order Step (Public Self-Service) Password Letter Order Step (Public Self-Service) Default Enable Cronto Device Flow Default Enable Cronto Device Flow Airlock 2FA Delete Devices Step Airlock 2FA Delete Devices Step Vasco OTP Self-Service Approval Step Vasco OTP Self-Service Approval Step Selection Step for User Self-Registration Selection Step for User Self-Registration Vasco OTP Device Activation Vasco OTP Device Activation User Role Assignment Step Config User Role Assignment Step Config Default Enable FIDO Credential Flow Default Enable FIDO Credential Flow mTAN Self-Service Approval Step mTAN Self-Service Approval Step Selection Option Rename Cronto Device Step Rename Cronto Device Step OATH OTP Authentication Step OATH OTP Authentication Step User Identification Step (Public Self-Service) User Identification Step (Public Self-Service) Default Cronto Device Renaming Flow Default Cronto Device Renaming Flow Delete mTAN Number Initiation Step Delete mTAN Number Initiation Step SSI Authentication Step SSI Authentication Step Default 
Disable Cronto Device Flow Default Disable Cronto Device Flow Password Repository Mapping Default Remember-Me Device Deletion Flow Default Remember-Me Device Deletion Flow mTAN Verification Step mTAN Verification Step Conditional Value Map Provider FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Application Portal Target Config Legacy Email OTP Authentication Step Legacy Email OTP Authentication Step Never Migrate Step Never Migrate Step Selection Step for Self-Service Selection Step for Self-Service Cronto Letter Order Step Config Cronto Letter Order Step Config No Operation Step No Operation Step Terms Of Services Step Terms Of Services Step Role-based Tag Acquisition Step Role-based Tag Acquisition Step FIDO Passwordless Authentication Step FIDO Passwordless Authentication Step Disable Cronto Push Initiation Step Disable Cronto Push Initiation Step Stop User Representation Step Stop User Representation Step Acknowledge Message Step Acknowledge Message Step HTTP Basic Authentication Step HTTP Basic Authentication Step Target Applications and Authentication Airlock 2FA Mobile Only Authentication Step Airlock 2FA Mobile Only Authentication Step Generic ID Propagator Voluntary Password Change Step Voluntary Password Change Step Remember-Me Device List Remember-Me Device List SAML 2.0 SP User Identifying Step SAML 2.0 SP User Identifying Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Consents Delete Initiation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Step (with additional Activation) OAuth 2.0 Consent List OAuth 2.0 Consent List Default OAuth 2.0 Consent Grant Flow Default OAuth 2.0 Consent Grant Flow Username Generation Step Config Username Generation Step Config Remember-Me Reset Step Remember-Me Reset Step Default FIDO Credential Removal Flow Delete OAuth 2.0 Session Initiation Step Delete OAuth 2.0 Session Initiation Step OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset 
Step Selection Step Selection Step
    License-Tags
    TransactionApproval
    Properties
    Selectable If Login Method Unknown (selectableIfNoAuthTokenIdPresent)
    Description
    If this flag is set, the condition is always true (i.e. the option is selectable) if the login method is unknown.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.transactionapproval.application.configuration.selection.MtanAuthTokenIdSelectionConditionConfig
    id: MtanAuthTokenIdSelectionConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      selectableIfNoAuthTokenIdPresent: true
    

    MTAN/SMS Authenticator

    Description
    This authenticator sends an SMS with a one-time password (OTP) to the user's mobile phone. If this OTP is correctly provided back to IAM, the authentication step is successfully completed.
    Class
    com.airlock.iam.core.misc.impl.authen.mtan.SmsAuthenticator
    May be used by
    License-Tags
    mTan
    Properties
    mTAN Settings (mtanSettings)
    Description
    Defines the settings for handling mTAN.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    mTan
    Assignable plugins
    Choose Last Number Automatically (chooseLastNumberAutomatically)
    Description
    If enabled, the number used for the last successful login attempt is chosen automatically without any user interaction.
    Attributes
    Boolean
    Optional
    License-Tags
    mTan
    Default value
    false
    Send SMS in Stealth Mode (sendSmsInStealthMode)
    Description

    If enabled, an SMS is sent to existing users even if the first factor was wrong (as long as the user is not locked), so that the response does not reveal whether the first factor was correct. The number of SMS sent per user is limited to the maximum number of allowed first-factor attempts (see Main Authenticator).

    Attributes
    Boolean
    Optional
    License-Tags
    mTan
    Default value
    false
    Message Template (messageTemplate)
    Description

    Message template used to create the message text sent to the user. Use Shift-Return to insert line breaks.

    This template is only used, if no language-specific template is configured in the mTAN Settings.

    Special Variables:

    • The string $TOKEN$ in the message template is mandatory and is replaced by the token.
    • ${Now,...} contains the current timestamp and can be used for both date and time display in the SMS. Since this represents a Date object, it can be formatted directly using MessageFormat, for example ${Now,date,short} displays a short date using the user's locale, e.g. 09.01.12. A specific date format can be specified in a SimpleDateFormat compatible form, e.g. ${Now,date,dd.MM.yyyy HH:mm.ss} resulting in 09.01.2012 17:32.19.
    Attributes
    String
    Optional
    Multi-line-text
    License-Tags
    mTan
    Default value
    $TOKEN$
    Example
    Please insert the following code: $TOKEN$.
    Example
    Current time: ${Now,date,HH:mm}; Token = $TOKEN$
    String Resources File (stringResourcesFile)
    Description

    Specifies the prefix of the file(s) containing the language dependent string resources. Example: If the value of this property is strings, the language dependent files must be strings_de.properties, strings_en.properties, etc.

    Attributes
    String
    Optional
    License-Tags
    mTan
    Default value
    strings
    Default Language (defaultLanguage)
    Description

    Default language to be used for login message if the display language could not be determined. This is only used for translating the language-specific message template.

    Attributes
    String
    Optional
    License-Tags
    mTan
    Default value
    de
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.mtan.SmsAuthenticator
    id: SmsAuthenticator-xxxxxx
    displayName: 
    comment: 
    properties:
      chooseLastNumberAutomatically: false
      defaultLanguage: de
      messageTemplate: $TOKEN$
      mtanSettings:
      sendSmsInStealthMode: false
      stringResourcesFile: strings
    

    MTAN/SMS Settings

    Description

    Settings related to mTAN/SMS (authentication, self-registration, administration, etc.). These settings are used by various components in Airlock IAM.

    Loginapp flows typically have step-specific mTAN settings and only refer to these global settings if plugins with "(based on mTAN Settings)" in the name are used.

    Class
    com.airlock.iam.core.misc.impl.authen.mtan.MtanSettings
    May be used by
    License-Tags
    mTan
    Properties
    mTAN Handler (mtanHandler)
    Description

    An mTAN handler retrieves, creates and updates mTAN number tokens.

    This property is used for the following:

    • in the mTAN/SMS Authenticator
    • in the Adminapp
    • in Service Container tasks
    • in flow steps if the settings "based on mTAN Settings" are used
    • for the /protected/my/tokens/mtan/ REST endpoints if the settings "based on mTAN Settings" are used.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Sms Gateway (smsGateway)
    Description

    The SMS gateway used to send messages.

    This property is used for the following:

    • in the mTAN/SMS Authenticator
    • in the Adminapp
    • in flow steps if the settings "based on mTAN Settings" are used
    • for the /protected/my/tokens/mtan/ REST endpoints if the settings "based on mTAN Settings" are used.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Originator (originatorName)
    Description

    The originator that is displayed for the SMS messages (instead of the phone number).

    There may be restrictions on the originator imposed by the SMS gateway service and by local law.

    The format of the originator must be one of:

    • Numeric characters only, optionally prefixed with a plus sign '+', at most 16 characters
    • Alphanumeric characters, at most 11 characters
    The allowed characters might depend on the SMS gateway provider.

    This property is used for the following:

    • in the mTAN/SMS Authenticator
    • in the Adminapp
    • in flow steps if the settings "based on mTAN Settings" are used
    • for the /protected/my/tokens/mtan/ REST endpoints if the settings "based on mTAN Settings" are used.

    Attributes
    String
    Mandatory
    Example
    Airlock
    Use Flash Messages (useFlashMessages)
    Description

    If enabled, SMS messages are sent as 'flash SMS' by default. A flash message is shown directly on the mobile phone display.

    Note: A per-user setting, if present and non-empty, takes precedence over this default.

    Note: The SMS gateway has to support flash messages, and some recipients might not be able to receive them.

    This property is used for the following:

    • in the mTAN/SMS Authenticator
    • in the Adminapp
    • in flow steps if the settings "based on mTAN Settings" are used
    • for the /protected/my/tokens/mtan/ REST endpoints if the settings "based on mTAN Settings" are used.

    Attributes
    Boolean
    Optional
    Default value
    false
    Default Country Code (defaultCountryCode)
    Description

    Default country code to be used if a phone number does not contain a country code.

    This property is used for the following:

    • in the mTAN/SMS Authenticator
    • in the Adminapp
    • in flow steps if the settings "based on mTAN Settings" are used
    • for the /protected/my/tokens/mtan/ REST endpoints if the settings "based on mTAN Settings" are used.

    Attributes
    String
    Optional
    Length <= 3
    Length >= 1
    Default value
    41
    Suggested values
    41, 39, 49, 423
    OTP Generator (otpGenerator)
    Description

    The string generator plugin to generate the OTP token.

    This property is used for the following:

    • in the mTAN/SMS Authenticator
    • in the Adminapp
    • in flow steps if the settings "based on mTAN Settings" are used
    • for the /protected/my/tokens/mtan/ REST endpoints if the settings "based on mTAN Settings" are used.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Visible Phone Number Digits (visiblePhoneNumberDigits)
    Description

    Defines how many trailing digits of a phone number are displayed to the user or the administrator; all other positions are masked.

    If the value is zero, the entire number is masked; if it is at least the length of the number (e.g. 100), the number is shown in full. Example: if set to 3, the displayed number looks like ********965.

    This property is used for the following:

    • in the mTAN/SMS Authenticator
    • in the Adminapp
    • in flow steps if the settings "based on mTAN Settings" are used
    • for the /protected/my/tokens/mtan/ REST endpoints if the settings "based on mTAN Settings" are used.

    Attributes
    Integer
    Optional
    Default value
    100
    Message Template Key (messageTemplateKey)
    Description

    The message template can be defined in the string resource files, to enable language-specific messages to be sent to the user.

    This property is only used in the mTAN/SMS Authenticator and for the /protected/my/tokens/mtan/ REST endpoints if the settings "based on mTAN Settings" are used.

    Attributes
    String
    Optional
    Example
    sms-authenticator.default-message
    Ignore Token Case (ignoreTokenCase)
    Description

    If enabled the case of characters is ignored when checking OTP tokens.

    This property is used for the following:

    • in the mTAN/SMS Authenticator
    • in flow steps if the settings "based on mTAN Settings" are used
    • for the /protected/my/tokens/mtan/ REST endpoints if the settings "based on mTAN Settings" are used.

    Attributes
    Boolean
    Optional
    Default value
    false
    Max Token Retransmissions (maxTokenRetransmissions)
    Description

    Maximum number of times an OTP token may be requested to be retransmitted during one authentication process. The authentication is aborted if this limit is exceeded. Token retransmissions are disabled if this value is 0. Restricting this value to a small number prevents the abusive use of SMS delivery.

    This property is only used in the mTAN/SMS Authenticator and the mTAN Authentication Step if the settings "based on mTAN Settings" are used.

    Attributes
    Integer
    Optional
    Default value
    0
    Retransmit Same Token (retransmitSameToken)
    Description

    If token retransmissions are enabled, this sets whether the same OTP token is retransmitted or a new OTP is generated for each retransmission. Setting this property to true is less secure, because the same secret is sent over the carrier more than once, but it avoids confusing users who receive the initial OTP only after they have already requested a retransmission.

    This property is only used in the mTAN/SMS Authenticator and the mTAN Authentication Step if the settings "based on mTAN Settings" are used.

    Attributes
    Boolean
    Optional
    Default value
    false
    OTP Validity [s] (otpValidity)
    Description

    Determines how long the OTP is valid (in seconds).

    This property is only used in the mTAN/SMS Authenticator and for the /protected/my/tokens/mtan/ REST endpoints if the settings "based on mTAN Settings" are used.

    Attributes
    Integer
    Optional
    Default value
    300
    Max Token Retries (maxTokenRetries)
    Description

    The number of times a user may retry after a wrong token is entered before the authentication process is aborted.

    If set to zero (the default), only one attempt is possible for each token. This is more secure but may increase costs (if sending a token is costly) and negatively affects usability. Setting this value to n means that the user has n+1 tries in total.

    This property is only used in the mTAN/SMS Authenticator and the mTAN Authentication Step if the settings "based on mTAN Settings" are used.

    Attributes
    Integer
    Optional
    Default value
    0
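    The retry, retransmission, validity and case-handling properties above only make sense together: they bound how many guesses and how many SMS one authentication process can consume. The following added example (not Airlock IAM code) is a minimal state machine implementing the documented semantics: Max Token Retries n allows n+1 entries per token, exceeding Max Token Retransmissions aborts the process, Retransmit Same Token decides whether a resend carries the old or a fresh secret, OTP Validity expires the token, and Ignore Token Case folds case before a constant-time comparison. Assumptions are marked in comments: failed attempts are counted per process rather than per token, an expired OTP aborts the process, and the OTP generator stands in for the pluggable OTP Generator.

```python
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Optional

OK, RETRY, ABORTED = "ok", "retry", "aborted"
_ALPHABET = string.ascii_uppercase + string.digits


def default_otp_generator() -> str:
    """Stand-in for the pluggable OTP Generator: 8 CSPRNG-chosen alphanumerics."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(8))


@dataclass(frozen=True)
class OtpPolicy:
    """The mTAN/SMS Settings that shape one authentication process (documented defaults)."""
    otp_validity: int = 300              # OTP Validity [s]
    max_token_retries: int = 0           # n wrong entries tolerated -> n+1 attempts
    max_token_retransmissions: int = 0   # 0 disables retransmission
    retransmit_same_token: bool = False  # resend the same secret or generate a fresh one
    ignore_token_case: bool = False      # case-insensitive OTP comparison


class OtpAuthenticationProcess:
    """State of one mTAN authentication process (illustration, not Airlock IAM code).
    Clock and generator are injectable so the behaviour can be exercised offline."""

    def __init__(self, policy: OtpPolicy,
                 otp_generator: Callable[[], str] = default_otp_generator,
                 clock: Callable[[], float] = time.monotonic):
        self.policy = policy
        self._generate = otp_generator
        self._clock = clock
        self._token: Optional[str] = None
        self._issued_at = 0.0
        self._failed_attempts = 0       # assumption: counted per process, not per token
        self._retransmissions = 0
        self.aborted = False

    def issue(self) -> str:
        """Generate the OTP that goes out by SMS; it must never be echoed to the HTTP client."""
        self._token = self._generate()
        self._issued_at = self._clock()
        return self._token

    def retransmit(self) -> Optional[str]:
        """Return the token to resend, or None once the retransmission limit aborts the process."""
        if self.aborted:
            return None
        if self._retransmissions >= self.policy.max_token_retransmissions:
            self.aborted = True         # "The authentication is aborted if this limit is exceeded"
            return None
        self._retransmissions += 1
        if self.policy.retransmit_same_token:
            return self._token          # the same secret crosses the carrier again
        return self.issue()             # fresh OTP; the earlier one is no longer accepted

    def verify(self, candidate: str) -> str:
        if self.aborted or self._token is None:
            return ABORTED
        if self._clock() - self._issued_at > self.policy.otp_validity:
            self.aborted = True         # assumption: an expired OTP ends the process
            return ABORTED
        expected, given = self._token, candidate
        if self.policy.ignore_token_case:
            expected, given = expected.casefold(), given.casefold()
        # constant-time comparison: a guesser must not learn how many leading characters matched
        if hmac.compare_digest(expected.encode(), given.encode()):
            self._token = None          # an OTP is consumed by one successful check
            return OK
        self._failed_attempts += 1
        if self._failed_attempts > self.policy.max_token_retries:
            self.aborted = True
            return ABORTED
        return RETRY
```

    With the documented defaults (0 retries, 0 retransmissions) a single wrong entry or a single resend request aborts the process, which is the intended trade-off between SMS cost and guessing resistance; raising either limit widens the window proportionally.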
    Allow Phone Number Change (allowPhoneNumberChange)
    Description

    If enabled, the user may change an already registered mobile phone number by starting the registration process for mobile phone numbers. If disabled (the default), changing an already registered number is not possible.

    This property is only used for the /protected/my/tokens/mtan/ REST endpoints if the settings "based on mTAN Settings" are used.

    Attributes
    Boolean
    Optional
    Default value
    false
    Phone Number Validation Regex (phoneNumberValidationRegex)
    Description

    If set, the phone number entered by the user is matched against this regular expression. The match takes place after (optional) normalization, which transforms the number into its international form without spaces, e.g. "+41761234567", so that simpler rules suffice.

    E.g. to only allow Swiss numbers, set the Default Country Code to 41 and validate the resulting number with \+41(\d){9,9}

    This property is only used for the /protected/my/tokens/mtan/ REST endpoints if the settings "based on mTAN Settings" are used.

    Attributes
    RegEx
    Optional
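    The Default Country Code, Phone Number Validation Regex, Visible Phone Number Digits and Originator properties all operate on the same normalized number. The following added example (not Airlock IAM code) shows one way to implement that pipeline: normalization to the "+<country code><digits>" form the page describes, the Swiss-only regex from the example applied as a whole-string match, masking to the last N digits, and the two originator formats. The normalization rules (separator stripping, 00 to +, trunk 0 dropped) and the choice to mask the "+" and country code like any other position are assumptions; the page only states the resulting format and the masking example.

```python
import re

ASCII_DIGITS = re.compile(r"[0-9]+")


def normalize_phone_number(raw: str, default_country_code: str = "41") -> str:
    """Assumed normalization (the page only states the result format): strip separators,
    rewrite a '00' prefix as '+', and prefix national numbers with the Default Country
    Code, dropping a leading trunk '0'. Result: '+' followed by digits only."""
    compact = re.sub(r"[\s\-/().]", "", raw.strip())
    if compact.startswith("+"):
        body = compact[1:]
    elif compact.startswith("00"):
        body = compact[2:]
    elif compact.startswith("0"):
        body = default_country_code + compact[1:]
    else:
        body = default_country_code + compact
    # [0-9] rather than str.isdigit(): the latter also accepts non-ASCII digit characters
    if not ASCII_DIGITS.fullmatch(body):
        raise ValueError("phone number is not numeric after normalization: %r" % raw)
    return "+" + body


def validate_phone_number(number: str, regex) -> bool:
    r"""Phone Number Validation Regex, applied to the normalized number. fullmatch rather
    than search: an unanchored match of \+41\d{9} would also accept '+4176123456789'.
    re.ASCII keeps \d at [0-9] (Java's default); without it Python's \d matches any
    Unicode decimal digit."""
    if not regex:
        return True                              # property not set: no restriction
    return re.fullmatch(regex, number, flags=re.ASCII) is not None


def mask_phone_number(number: str, visible_digits: int = 100) -> str:
    """Visible Phone Number Digits: show only the last N characters (assumption: the
    leading '+' and the country code are masked like any other position)."""
    if visible_digits <= 0:
        return "*" * len(number)
    hidden = max(len(number) - visible_digits, 0)
    return "*" * hidden + number[hidden:]


def is_valid_originator(originator: str) -> bool:
    """Originator format: digits with optional leading '+', at most 16 characters in total,
    or alphanumerics, at most 11 characters (gateway-specific limits may be stricter)."""
    if re.fullmatch(r"\+?[0-9]+", originator, flags=re.ASCII):
        return len(originator) <= 16
    return re.fullmatch(r"[A-Za-z0-9]{1,11}", originator, flags=re.ASCII) is not None
```

    Because the regex runs after normalization, a rule like \+41(\d){9,9} is enough to pin registrations to one country, which keeps self-registered numbers (and thus SMS cost and fraud exposure) inside the expected range.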
    May Be Selected As Auth Method (mayBeSelectedAsAuthMethod)
    Description
    Disable to prevent mTAN from being selected as active authentication method.
    Attributes
    Boolean
    Optional
    Default value
    true
    May Be Selected As Next Auth Method (mayBeSelectedAsNextAuthMethod)
    Description
    Disable to prevent mTAN/SMS from being selected as the next (migration) authentication method.
    Attributes
    Boolean
    Optional
    Default value
    true
    Admin May Edit Phone Number (adminMayEditPhoneNumber)
    Description
    Enable to make the mTAN data editable by the admin.
    Attributes
    Boolean
    Optional
    Default value
    false
    Notify New Number (notifyNewNumber)
    Description
    Set to true to send a notification SMS to the new number when a phone number is changed or registered by an administrator. The message is defined by the property "Notification SMS Template". If the template contains the "$TOKEN$"-variable, it is replaced by a randomly generated OTP that can be verified by the administrator.
    Attributes
    Boolean
    Optional
    Default value
    false
    Notification SMS Template (notificationSmsTemplate)
    Description

    Message template for the notification SMS. Defining this property enables the "Send Test SMS" button on the mTAN detail view on the user page. If the property "Notify New Number" is enabled, it is also used for the SMS that is sent to a new or changed phone number.

    If the template contains the "$TOKEN$"-variable, it is replaced by a randomly generated OTP that can be verified by the administrator.

    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.mtan.MtanSettings
    id: MtanSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      adminMayEditPhoneNumber: false
      allowPhoneNumberChange: false
      defaultCountryCode: 41
      ignoreTokenCase: false
      maxTokenRetransmissions: 0
      maxTokenRetries: 0
      mayBeSelectedAsAuthMethod: true
      mayBeSelectedAsNextAuthMethod: true
      messageTemplateKey:
      mtanHandler:
      notificationSmsTemplate:
      notifyNewNumber: false
      originatorName:
      otpGenerator:
      otpValidity: 300
      phoneNumberValidationRegex:
      retransmitSameToken: false
      smsGateway:
      useFlashMessages: false
      visiblePhoneNumberDigits: 100
    

    mTAN/SMS Token Controller

    Description
    Token controller plugin to handle mTAN (SMS) tokens. In addition to adding, changing and removing phone numbers, this plugin offers the following features:
    • Send OTP code to user's phone (e.g. to authenticate user calling help desk or to verify the number entered manually).
    • When changing the phone number, a notification about this can be sent to the old phone number.
    • A notification about the registration of a phone number may be sent to the corresponding number.
    • Part (or all) of each configured phone number may be masked, so the administrator does not see the entire number.
    Class
    com.airlock.iam.admin.application.configuration.mtan.MtanTokenController
    May be used by
    License-Tags
    mTan
    Properties
    mTAN Settings (mtanSettings)
    Description
    Global mTAN settings configuring all kind of aspects concerning mTAN.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Notify Old Number (notifyOldNumber)
    Description
    Set to true to notify the old phone number when a user's phone number is changed. The message is defined by the property "notifyOldNumberTemplate".
    Attributes
    Boolean
    Optional
    Default value
    false
    Notify Old Number Template (notifyOldNumberTemplate)
    Description
    Template text used to inform the old phone number when a new phone number is registered. The template may contain the token "$OLDNUMBER$". It is replaced by the old phone number. The template may contain the token "$NEWNUMBER$". It is replaced by the new phone number.

    This property is only relevant if "notifyOldNumber" is true.

    Attributes
    String
    Optional
    Secret Letter Renderer (secretLetterRenderer)
    Description
    If configured, an mTAN IAK can be generated directly from the admin tool. The administrator requires the 'generateMtanIak' right to perform the operation. Whenever this property is configured, the mTAN Handler configured in the mTAN Settings must support immediate generation of IAKs.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Identifier (identifier)
    Description
    Identifier for the credential. This is used as value in the authentication method field in the persistence layer. Make sure this value is the same (for the same credential) in all Airlock IAM components.

    Make sure the identifier is unique among all configured token controllers.

    The identifier is also used as key to translate the display name of this token controller. The key is assembled as follows: edituserpage.cred.XYZ.title (where XYZ is the identifier).

    Attributes
    String
    Optional
    Default value
    MTAN
    Suggested values
    MTAN, SMS
    Auto Order Credential (autoOrderCredential)
    Description
    Set this flag to true to automatically order the credential when it is added to a user.
    Attributes
    Boolean
    Optional
    Default value
    false
    Auto Order For New Users (autoOrderForNewUsers)
    Description
    Set this flag to true to automatically order the credential when the user is created. This flag is not required if the "mTAN Letter User Event Listener" is configured in the "Database User Persister"; configuring both is harmless.
    Attributes
    Boolean
    Optional
    Default value
    false
    Show Letter Attributes (showLetterAttributes)
    Description
    Set this flag to true to display the letter attributes (used to display generation and delivery dates of credential letters).
    Attributes
    Boolean
    Optional
    Default value
    false
    Delete Properties With Credential (deletePropertiesWithCredential)
    Description
    Defines a list of context data properties that are considered to be part of the credential data. The specified context data properties are deleted (set to "null") when the credential is deleted (in addition to the credential data field, the serial number, the letter attribute and the order flag).
    Make sure, the underlying persister plugin is configured to persist the specified context data properties.
    Attributes
    String-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.mtan.MtanTokenController
    id: MtanTokenController-xxxxxx
    displayName: 
    comment: 
    properties:
      autoOrderCredential: false
      autoOrderForNewUsers: false
      deletePropertiesWithCredential:
      identifier: MTAN
      mtanSettings:
      notifyOldNumber: false
      notifyOldNumberTemplate:
      secretLetterRenderer:
      showLetterAttributes: false
    

    Multi Password Hash (LDAP-style)

    Description

    Password hash plugin that uses existing plugins to generate and verify hash values in an LDAP styled format.

    Note: This hash function is not compatible with hashes generated by an LDAP server, it only uses a similar format. For LDAP compatibility, use the LDAP Password Hash.

    The syntax is {hash-func}hash-value, where hash-func is the hash function identifier and hash-value is the base64-encoded hash value (except for CLEARTEXT, there the hash is not base64-encoded). Currently supported hash functions are:

    • SSHA: Salted SHA-1
    • SSHA256: Salted SHA-256
    • CLEARTEXT: Identity function (results in clear text passwords)

    Security Warning: The use of this plugin is discouraged. SSHA and SSHA256 are a single pass of a fast hash function (SHA-1 and SHA-256) with no configurable work factor, so stored hashes can be brute-forced quickly, and CLEARTEXT stores the password unprotected. Consider using Scrypt Password Hash instead (within a PasswordHashConfiguration for Encoded Hash Values).
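
    To make the format and the warning concrete, the following added example (not Airlock IAM code) generates and verifies {hash-func}hash-value strings for the three listed functions and, beside them, an scrypt variant in the same self-describing style. The salted layout base64(digest || salt) is the OpenLDAP convention and is an assumption: the page only says the format is LDAP-styled but not LDAP-compatible, so Airlock's own byte layout may differ. The {SCRYPT} encoding is likewise illustrative and is not the encoding of the Scrypt Password Hash plugin.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

SALT_LEN = 16
_DIGEST = {"SSHA": hashlib.sha1, "SSHA256": hashlib.sha256}


def _salted_digest(func: str, password: str, salt: bytes) -> bytes:
    return _DIGEST[func](password.encode("utf-8") + salt).digest()


def generate_hash(password: str, hash_function: str) -> str:
    """Produce a '{hash-func}hash-value' string. Assumed layout for the salted variants:
    base64(digest || salt), the OpenLDAP convention; the page does not state Airlock's
    own layout, only that it is LDAP-styled and not LDAP-compatible."""
    if hash_function == "CLEARTEXT":
        return "{CLEARTEXT}" + password             # not base64-encoded, per the page
    if hash_function not in _DIGEST:
        raise ValueError("unsupported hash function: %r" % hash_function)
    salt = secrets.token_bytes(SALT_LEN)
    blob = _salted_digest(hash_function, password, salt) + salt
    return "{%s}%s" % (hash_function, base64.b64encode(blob).decode("ascii"))


def verify_hash(password: str, stored: str) -> bool:
    """Verify against whichever scheme the prefix names; unknown or malformed values fail closed."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    func, value = stored[1:].split("}", 1)
    if func == "CLEARTEXT":
        return hmac.compare_digest(value.encode("utf-8"), password.encode("utf-8"))
    if func not in _DIGEST:
        return False
    try:
        blob = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    digest_len = _DIGEST[func]().digest_size
    digest, salt = blob[:digest_len], blob[digest_len:]
    return hmac.compare_digest(digest, _salted_digest(func, password, salt))


# What the warning points at: a memory-hard KDF with a tunable work factor. The
# parameters and the string encoding below are illustrative, not the Airlock plugin's.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def scrypt_hash(password: str) -> str:
    salt = secrets.token_bytes(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return "{SCRYPT}%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"), base64.b64encode(key).decode("ascii"))


def verify_scrypt(password: str, stored: str) -> bool:
    if not stored.startswith("{SCRYPT}"):
        return False
    try:
        n, r, p, salt_b64, key_b64 = stored[len("{SCRYPT}"):].split("$")
        salt, key = base64.b64decode(salt_b64, validate=True), base64.b64decode(key_b64, validate=True)
        calc = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=int(n), r=int(r), p=int(p), dklen=len(key))
    except (ValueError, binascii.Error):
        return False
    return hmac.compare_digest(calc, key)
```

    The prefix makes a repository with mixed schemes verifiable, which is what makes the format convenient for migrations; the same property means a repository that still contains {CLEARTEXT} or {SSHA} entries is only as strong as its weakest entry until every hash has been re-encoded on the user's next login.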

    Class
    com.airlock.iam.core.misc.util.password.hash.MultiPasswordHash
    May be used by
    Properties
    Hash Function (hashFunction)
    Description
    The hash function used to generate password hashes.
    Attributes
    Enum
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.hash.MultiPasswordHash
    id: MultiPasswordHash-xxxxxx
    displayName: 
    comment: 
    properties:
      hashFunction:
    

    NAS-based Target Service

    Description
    This target service is associated with a NAS identifier.

    The target service is meant to be used if a NAS identifier, sent by a RADIUS client, matches the one in the configuration.

    Class
    com.airlock.iam.servicecontainer.app.application.configuration.radius.NASBasedTargetServiceConfig
    May be used by
    License-Tags
    RadiusServer
    Properties
    NAS Identifier Pattern (nasIdentifierPattern)
    Description
    The NAS-Identifier (if available) is matched against this pattern. If it matches, this target service is chosen.
    Attributes
    RegEx
    Mandatory
    Match Case Sensitive (matchCaseSensitive)
    Description
    Disable to match case-insensitive when matching the NAS-Identifier against this target service's pattern.
    Attributes
    Boolean
    Optional
    Default value
    true
    Required Roles (requiredRoles)
    Description
    A list of roles used to access the target service.

    The user needs one of the roles in order to get access to the target service.

    If no roles are configured, all authenticated users may access the target service.

    The roles may be transformed before being compared to this list using the role transformers (see separate property).

    Attributes
    String-List
    Optional
    Role Transformation Rules (roleTransformationRules)
    Description
    A list of transformation rules used to modify user roles before being compared to the roles required by an application.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.radius.NASBasedTargetServiceConfig
    id: NASBasedTargetServiceConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      matchCaseSensitive: true
      nasIdentifierPattern:
      requiredRoles:
      roleTransformationRules:
    

    NAS-IP-Address-based Target Service

    Description
    This target service is associated with a NAS-IP-Address attribute.

    The target service is meant to be used if the NAS-IP-Address of the RADIUS client matches the one in the configuration.

    Class
    com.airlock.iam.servicecontainer.app.application.configuration.radius.NasIpBasedTargetServiceConfig
    May be used by
    License-Tags
    RadiusServer
    Properties
    Client NAS-IP-Address (clientNasIp)
    Description
    NAS-IP-Address of the RADIUS client.
    Attributes
    String
    Mandatory
    Example
    192.168.1.55
    Required Roles (requiredRoles)
    Description
    A list of roles used to access the target service.

    The user needs one of the roles in order to get access to the target service.

    If no roles are configured, all authenticated users may access the target service.

    The roles may be transformed before being compared to this list using the role transformers (see separate property).

    Attributes
    String-List
    Optional
    Role Transformation Rules (roleTransformationRules)
    Description
    A list of transformation rules used to modify user roles before being compared to the roles required by an application.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.radius.NasIpBasedTargetServiceConfig
    id: NasIpBasedTargetServiceConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      clientNasIp:
      requiredRoles:
      roleTransformationRules:
    
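The two target-service plugins above select a RADIUS target by NAS attribute and then gate access on roles. The following is an added example, not Airlock IAM code, that models that decision as a small Python program: a NAS-Identifier target matched by regular expression (with the `matchCaseSensitive` switch), a NAS-IP-Address target matched by exact address, role transformation applied before the role comparison, and the rule that an empty `requiredRoles` list admits every authenticated user. First-match-wins ordering, full-string regex matching and the sample targets, roles and addresses are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional, Union

# A role transformation rule is modelled as a function from a role set to a role set.
RoleTransformer = Callable[[set], set]


@dataclass
class NasIdentifierTarget:
    """Models NASBasedTargetServiceConfig (assumed names and semantics)."""
    name: str
    nas_identifier_pattern: str                     # nasIdentifierPattern (RegEx, mandatory)
    match_case_sensitive: bool = True               # matchCaseSensitive (default true)
    required_roles: set = field(default_factory=set)          # requiredRoles (empty = everyone)
    role_transformers: list = field(default_factory=list)     # roleTransformationRules

    def matches(self, nas_identifier: Optional[str], nas_ip: str) -> bool:
        # The NAS-Identifier attribute is optional in RADIUS; without it this target cannot match.
        if nas_identifier is None:
            return False
        flags = 0 if self.match_case_sensitive else re.IGNORECASE
        # Assumption: the pattern must match the whole identifier.
        return re.fullmatch(self.nas_identifier_pattern, nas_identifier, flags) is not None


@dataclass
class NasIpTarget:
    """Models NasIpBasedTargetServiceConfig (assumed names and semantics)."""
    name: str
    client_nas_ip: str                              # clientNasIp (mandatory)
    required_roles: set = field(default_factory=set)
    role_transformers: list = field(default_factory=list)

    def matches(self, nas_identifier: Optional[str], nas_ip: str) -> bool:
        return nas_ip == self.client_nas_ip


Target = Union[NasIdentifierTarget, NasIpTarget]


def effective_roles(user_roles: set, transformers: list) -> set:
    """Apply the role transformation rules in order before comparing with requiredRoles."""
    roles = set(user_roles)
    for transform in transformers:
        roles = transform(roles)
    return roles


def authorized(target: Target, user_roles: set) -> bool:
    # No configured roles: all authenticated users may access the target service.
    if not target.required_roles:
        return True
    # Otherwise the user needs at least one of the required roles.
    return bool(effective_roles(user_roles, target.role_transformers) & target.required_roles)


def select_target(targets: list, nas_identifier: Optional[str], nas_ip: str) -> Optional[Target]:
    """Return the first target whose NAS attribute matches (first-match ordering is an assumption)."""
    for target in targets:
        if target.matches(nas_identifier, nas_ip):
            return target
    return None


def prefix_strip_transformer(prefix: str) -> RoleTransformer:
    """Example transformation rule: strip a directory prefix such as 'ldap:' from every role."""
    def transform(roles: set) -> set:
        return {r[len(prefix):] if r.startswith(prefix) else r for r in roles}
    return transform


# Constructed sample configuration: three target services in evaluation order.
TARGETS = [
    NasIdentifierTarget("vpn-gateways", r"vpn-gw-\d+", match_case_sensitive=False,
                        required_roles={"vpn-user"},
                        role_transformers=[prefix_strip_transformer("ldap:")]),
    NasIpTarget("wifi-controller", "192.168.1.55", required_roles={"wifi"}),
    NasIdentifierTarget("catch-all", r".*"),        # no roles configured: every authenticated user
]


def decide(nas_identifier: Optional[str], nas_ip: str, user_roles: set) -> tuple:
    """Outcome for one authenticated RADIUS request: (verdict, target name)."""
    target = select_target(TARGETS, nas_identifier, nas_ip)
    if target is None:
        return ("no-target", None)
    return ("accept" if authorized(target, user_roles) else "reject", target.name)


if __name__ == "__main__":
    print(decide("VPN-GW-01", "10.0.0.1", {"ldap:vpn-user"}))   # ('accept', 'vpn-gateways')
    print(decide("VPN-GW-01", "10.0.0.1", {"ldap:guest"}))      # ('reject', 'vpn-gateways')
    print(decide(None, "192.168.1.55", {"wifi"}))               # ('accept', 'wifi-controller')
```

Note that the catch-all target with pattern `.*` still admits any authenticated user whose request carries a NAS-Identifier, which is the effect of leaving `requiredRoles` empty; a deployment that wants RADIUS access limited to a defined group should configure required roles on every target, including any fallback.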

    Native Vasco Handler

    Description
    This plugin uses the native Vacman Controller library to do all the work.
    Class
    com.airlock.iam.core.misc.util.vasco.NativeVascoHandler
    May be used by
    License-Tags
    Digipass
    Properties
    Runtime Parameters (runtimeParameters)
    Description
    Configuration Parameters for the VascoTokenVerifier.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Cipher Password (cipherPassword)
    Description

    Password used for the encryption and decryption of the Vasco blob.

    As long as this property is not configured, the Vasco blob is not encrypted. When set to a non-null value, the Vasco blobs are encrypted on the fly when accessed the next time. Once set, do not change this value. Otherwise, decryption of existing Vasco blobs will fail.

    Attributes
    String
    Optional
    Sensitive
    Secure Channel Crypto Application Index (secureChannelCryptoApplicationIndex)
    Description
    Defines the crypto application index for the "Secure Channel" feature. This index is used when a new token is activated. If left empty, Airlock IAM will try to automatically detect the correct application (the first application with type "Signature" and the substring "SC" in the application name).
    Attributes
    Integer
    Optional
    Otp Crypto Application Index (otpCryptoApplicationIndex)
    Description
    Defines the crypto application index for the "OTP" feature. This index is used when a new token is activated. If left empty, Airlock IAM will try to automatically detect the correct application (the first application with type "RESPONSE_ONLY").
    Attributes
    Integer
    Optional
    Use Software Vector For Activation Challenge (useSoftwareVectorForActivationChallenge)
    Description

    If this flag is set, a different static vector is used for software devices when generating the second activation message. This static vector (called software vector in Airlock IAM) must be specified during license file import in Adminapp. It is then stored with every license that is imported and used for generating the second activation challenge, if the device has one of the following platform types:

    • IOS
    • ROOTED_IOS
    • ANDROID
    • ROOTED_ANDROID
    • WINDOWS
    • BLACKBERRY
    For all other device platform types the static vector from the license file is used. It will be also used when there is no software vector available.

    Setting this flag also requires the input of a software vector during license import in Adminapp.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.vasco.NativeVascoHandler
    id: NativeVascoHandler-xxxxxx
    displayName: 
    comment: 
    properties:
      cipherPassword:
      otpCryptoApplicationIndex:
      runtimeParameters:
      secureChannelCryptoApplicationIndex:
      useSoftwareVectorForActivationChallenge: false
    

    Never Migrate Possible

    Description
    Flow migration condition that is fulfilled if:
    • the user has no migration date set and the feature "Never Migrate" is enabled.
    • the features "Never Migrate" and "Never Migrate with to Date" are enabled and the migration date is within or after the "Never Migrate Period Days".
    Class
    com.airlock.iam.authentication.application.configuration.migration.condition.NeverMigrateConditionConfig
    May be used by
    mTAN Transaction Approval Step mTAN Transaction Approval Step Default Enable Cronto Push Flow Default Enable Cronto Push Flow Secret Questions Identity Verification Step Secret Questions Identity Verification Step Default mTAN Deletion Flow Legacy mTAN Registration Flow Legacy mTAN Registration Flow Set Authentication Method Migration Step Set Authentication Method Migration Step Advanced Migration Selection Option Airlock 2FA Authentication Step Airlock 2FA Authentication Step Complete Migration Step Complete Migration Step Failure Step Failure Step Airlock 2FA Recovery Trusted Session Binding Step Airlock 2FA Recovery Trusted Session Binding Step Email Identity Verification Step Email Identity Verification Step Scriptable Step Scriptable Step Custom Protected Self-Service Flow Custom Protected Self-Service Flow Airlock 2FA Self-Service Approval Step Airlock 2FA Self-Service Approval Step Logical NOT Set Authentication Method Step Set Authentication Method Step OTP Check via RADIUS Step OTP Check via RADIUS Step OAuth 2.0 SSO Step OAuth 2.0 SSO Step Cronto Device Selection Step Cronto Device Selection Step Default Disable FIDO Credential Flow Default Disable FIDO Credential Flow FIDO Public Self-Service Approval Step FIDO Public Self-Service Approval Step Cronto Transaction Approval Step Cronto Transaction Approval Step Email OTP Transaction Approval Step Email OTP Transaction Approval Step Send Email Link Step Send Email Link Step Vasco OTP Public Self-Service Approval Step Vasco OTP Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step mTAN Authentication Step mTAN Authentication Step Risk Assessment Step Risk Assessment Step Cronto Authentication Step Cronto Authentication Step User Data Edit Step User Data Edit Step Logical OR Account Link Linking Initiation Step Account Link Linking Initiation Step Account Link Removal Initiation Step Account Link Removal Initiation Step Missing 
Account Link Step CrontoSign Swiss Push Activation Step CrontoSign Swiss Push Activation Step Flow Continuation Token Consumption Step Flow Continuation Token Consumption Step Email Verification Step Email Verification Step SSI Passwordless Authentication Step SSI Passwordless Authentication Step Logical AND Red Flag Raising Step Config Red Flag Raising Step Config Red Flag Raising Step Config Airlock 2FA Transaction Approval Step Airlock 2FA Transaction Approval Step FIDO Credential Selection Step FIDO Credential Selection Step On Behalf Login Identity Propagation Config mTAN Number List mTAN Number List Default OAuth 2.0 Consents Delete Flow Default OAuth 2.0 Consents Delete Flow Selection Step for Public Self-Service Selection Step for Public Self-Service OATH OTP Activation Step OATH OTP Activation Step Default mTAN Token Registration Flow SSO Ticket Authentication Step SSO Ticket Authentication Step Enable Cronto Push Initiation Step Enable Cronto Push Initiation Step Default Account Link Removal Flow Default Account Link Removal Flow Default Account Link Linking Flow Default Account Link Linking Flow Condition-based Role Provider Migration Selection Step Migration Selection Step Migration Selection Step SSI Issuance Step SSI Issuance Step Legacy ID Propagation Adapter OIDC Flow Condition To ACR Value Mapping Phone Number Verification Step Phone Number Verification Step mTAN Public Self-Service Approval Step mTAN Public Self-Service Approval Step User Data Registration Step Config User Data Registration Step Config Cronto Approval Stealth Step Cronto Approval Stealth Step Disable FIDO Credential Initiation Step Disable FIDO Credential Initiation Step OAuth 2.0 Client Persisting Step OAuth 2.0 Client Persisting Step Selection Option For User Self-Registration Delete FIDO Credential Initiation Step Delete FIDO Credential Initiation Step Login From New Device Step Login From New Device Step Account Linking Lists Self Services Account Linking Lists Self Services 
OAuth 2.0 Consent Step Password-only Authentication Step Password-only Authentication Step SMS Identity Verification Step SMS Identity Verification Step Cronto Public Self-Service Approval Step Cronto Public Self-Service Approval Step Set Context Data Step Set Context Data Step Matrix Public Self-Service Approval Step Matrix Public Self-Service Approval Step Remember-Me Token Generating Step Remember-Me Token Generating Step Device Token List Device Token List Selection Option For Self-Service Flow Condition-based OAuth 2.0 Scope Condition Delete Cronto Device Initiation Step Delete Cronto Device Initiation Step Kerberos Authentication Step Kerberos Authentication Step Vasco OTP Authentication Step Vasco OTP Authentication Step Device Token Registration Step Device Token Registration Step Flow Continuation Step Flow Continuation Step Remember-Me User Identifying Step Remember-Me User Identifying Step Airlock 2FA Device List Airlock 2FA Device List Password Reset Step Password Reset Step Enable FIDO Credential Initiation Step Enable FIDO Credential Initiation Step Device Token Authentication Step Device Token Authentication Step Matrix Self-Service Approval Step Matrix Self-Service Approval Step User Identification By Data Step (Public Self-Service) User Identification By Data Step (Public Self-Service) Cronto Activation Step Cronto Activation Step Email OTP Authentication Step Email OTP Authentication Step Email Change Verification Step Email Change Verification Step Email Notification Step Email Notification Step FIDO Self-Service Approval Step FIDO Self-Service Approval Step OAuth 2.0 Client Registration Step OAuth 2.0 Client Registration Step Airlock 2FA Activation Step Airlock 2FA Activation Step Airlock 2FA Device Edit Initiation Step Airlock 2FA Device Edit Initiation Step Select mTAN Token Step Select mTAN Token Step Secret Questions Provisioning Step Secret Questions Provisioning Step Airlock 2FA Device Edit Step Airlock 2FA Device Edit Step Apply Changes 
Step Apply Changes Step User Persisting Step Config User Persisting Step Config Start User Representation Step Start User Representation Step Default OAuth 2.0 Session Deletion Flow Default OAuth 2.0 Session Deletion Flow Default Cronto Device Removal Flow Mandatory Password Change Step Config Target URI ID Propagator Disable Cronto Device Initiation Step Disable Cronto Device Initiation Step OAuth 2.0 Consent Grant Initiation Step OAuth 2.0 Consent Grant Initiation Step Airlock 2FA Activation Trusted Session Binding Step Airlock 2FA Activation Trusted Session Binding Step User Unlock Step (Self-Registration) User Unlock Step (Self-Registration) Default mTAN Token Edit Flow Default mTAN Token Edit Flow Cronto Device List Cronto Device List FIDO Registration Step FIDO Registration Step Delete Remember-Me Device Initiation Step Delete Remember-Me Device Initiation Step Transaction Approval Parameter Step Transaction Approval Parameter Step Default FIDO Credential Display Name Change Flow Default FIDO Credential Display Name Change Flow User Identification Step User Identification Step User Identification By Data Step User Identification By Data Step Representation SSO Ticket Identifying Step Representation SSO Ticket Identifying Step Unlock User Step (Public Self-Service) Unlock User Step (Public Self-Service) Airlock 2FA Usernameless Authentication Step Airlock 2FA Usernameless Authentication Step Matrix Authentication Step Matrix Authentication Step mTAN Token Edit Step mTAN Token Edit Step Enable Cronto Device Initiation Step Enable Cronto Device Initiation Step Airlock 2FA Activation Letter Order Step Airlock 2FA Activation Letter Order Step OAuth 2.0 Consent Deny Initiation Step OAuth 2.0 Consent Deny Initiation Step Tag Removal Step Config Tag Removal Step Config FIDO Authentication Step FIDO Authentication Step Cronto Device Reset Step Config Cronto Device Reset Step Config Default Disable Cronto Push Flow Default Disable Cronto Push Flow Abort Step Abort Step 
mTAN Token Registration Step mTAN Token Registration Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Delete Initiation Step Selection Option For Public Self-Service Username Password Authentication Step Username Password Authentication Step Certificate Credential Extraction Step Config Certificate Credential Extraction Step Config OAuth 2.0 Session List OAuth 2.0 Session List Set Password Step Config Set Password Step Config Flow Condition To Authentication Context Mapping Password Change Self-Service Step Password Change Self-Service Step SSI Verification Step SSI Verification Step Default OAuth 2.0 Consent Deny Flow Default OAuth 2.0 Consent Deny Flow Device Token Identity Verification Step Config Device Token Identity Verification Step Config Cronto Self-Service Approval Step Cronto Self-Service Approval Step FIDO Credential List FIDO Credential List Lock Self-Service Step Lock Self-Service Step Password Letter Order Step (Public Self-Service) Password Letter Order Step (Public Self-Service) Default Enable Cronto Device Flow Default Enable Cronto Device Flow Airlock 2FA Delete Devices Step Airlock 2FA Delete Devices Step Vasco OTP Self-Service Approval Step Vasco OTP Self-Service Approval Step Selection Step for User Self-Registration Selection Step for User Self-Registration Vasco OTP Device Activation Vasco OTP Device Activation User Role Assignment Step Config User Role Assignment Step Config Default Enable FIDO Credential Flow Default Enable FIDO Credential Flow mTAN Self-Service Approval Step mTAN Self-Service Approval Step Selection Option Rename Cronto Device Step Rename Cronto Device Step OATH OTP Authentication Step OATH OTP Authentication Step User Identification Step (Public Self-Service) User Identification Step (Public Self-Service) Default Cronto Device Renaming Flow Default Cronto Device Renaming Flow Delete mTAN Number Initiation Step Delete mTAN Number Initiation Step SSI Authentication Step SSI Authentication Step Default 
Disable Cronto Device Flow Default Disable Cronto Device Flow Password Repository Mapping Default Remember-Me Device Deletion Flow Default Remember-Me Device Deletion Flow mTAN Verification Step mTAN Verification Step Conditional Value Map Provider FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Application Portal Target Config Legacy Email OTP Authentication Step Legacy Email OTP Authentication Step Never Migrate Step Never Migrate Step Selection Step for Self-Service Selection Step for Self-Service Cronto Letter Order Step Config Cronto Letter Order Step Config No Operation Step No Operation Step Terms Of Services Step Terms Of Services Step Role-based Tag Acquisition Step Role-based Tag Acquisition Step FIDO Passwordless Authentication Step FIDO Passwordless Authentication Step Disable Cronto Push Initiation Step Disable Cronto Push Initiation Step Stop User Representation Step Stop User Representation Step Acknowledge Message Step Acknowledge Message Step HTTP Basic Authentication Step HTTP Basic Authentication Step Target Applications and Authentication Airlock 2FA Mobile Only Authentication Step Airlock 2FA Mobile Only Authentication Step Generic ID Propagator Voluntary Password Change Step Voluntary Password Change Step Remember-Me Device List Remember-Me Device List SAML 2.0 SP User Identifying Step SAML 2.0 SP User Identifying Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Consents Delete Initiation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Step (with additional Activation) OAuth 2.0 Consent List OAuth 2.0 Consent List Default OAuth 2.0 Consent Grant Flow Default OAuth 2.0 Consent Grant Flow Username Generation Step Config Username Generation Step Config Remember-Me Reset Step Remember-Me Reset Step Default FIDO Credential Removal Flow Delete OAuth 2.0 Session Initiation Step Delete OAuth 2.0 Session Initiation Step OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset 
Step Selection Step Selection Step
    Properties
    Enable "Never Migrate" Despite Migration Date (neverMigratePossibleWithToDate)
    Description
    Enables the feature "Never Migrate" even if there is a migration date set for the corresponding user.

    Whether it is possible to "Never Migrate" depends on whether or not a migration date is set and whether the authentication is happening during the "Never Migrate Period" (if set at all).

    Attributes
    Boolean
    Optional
    Default value
    false
    Never Migrate Period (neverMigratePeriod)
    Description

    Defines the period before the migration date in which the feature "Never Migrate" is active.

    Prerequisites for this property to take effect:
    • A migration date must be set.
    • The "Never Migrate" feature must be enabled.
    • The feature "Never Migrate Despite Migration Date" must be enabled.
    • A "Hint Period" must be specified.

    If this property is not set, the feature "Never Migrate" is possible during and after the entire "Hint Period", provided the "Never Migrate" feature is enabled.

    The value of this property must be smaller than or equal to "Hint Period Days".

    The duration must be specified in the format "(d)ays (h)ours (m)inutes (s)econds" e.g. "2d 4h 10m 5s" (any part can be omitted).

    Attributes
    String
    Optional
    Example
    7d
    Example
    30d
    Example
    14d 6h 30m
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.migration.condition.NeverMigrateConditionConfig
    id: NeverMigrateConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      neverMigratePeriod:
      neverMigratePossibleWithToDate: false
    
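The condition described above combines a duration in the "(d)ays (h)ours (m)inutes (s)econds" format with the user's migration date. The following is an added example, not Airlock IAM code, that parses that duration format and evaluates the two fulfilment cases from the description: no migration date with "Never Migrate" enabled, or "Never Migrate" plus "Never Migrate Despite Migration Date" enabled with the current time within or after the "Never Migrate Period" before the migration date (the whole "Hint Period" when no period is configured). The flag and field names, the hint period living beside the condition, treating a missing hint period as "not possible", and the sample dates are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Accepts e.g. "2d 4h 10m 5s", "7d", "14d 6h 30m"; any part may be omitted.
_DURATION_RE = re.compile(
    r"^\s*(?:(\d+)d)?\s*(?:(\d+)h)?\s*(?:(\d+)m)?\s*(?:(\d+)s)?\s*$")


def parse_duration(text: str) -> timedelta:
    """Parse the '(d)ays (h)ours (m)inutes (s)econds' format used by neverMigratePeriod."""
    match = _DURATION_RE.match(text)
    if not text.strip() or match is None:
        raise ValueError(f"invalid duration: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in match.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


@dataclass
class NeverMigrateCondition:
    """Models NeverMigrateConditionConfig (assumed names; hint period is assumed to be available here)."""
    never_migrate_enabled: bool                          # the "Never Migrate" feature
    never_migrate_possible_with_to_date: bool = False    # neverMigratePossibleWithToDate
    hint_period: Optional[timedelta] = None              # "Hint Period" from the migration settings
    never_migrate_period: Optional[timedelta] = None     # neverMigratePeriod

    def __post_init__(self) -> None:
        # Configuration rule from the reference: neverMigratePeriod <= hint period.
        if (self.never_migrate_period is not None and self.hint_period is not None
                and self.never_migrate_period > self.hint_period):
            raise ValueError("neverMigratePeriod must be smaller than or equal to the hint period")

    def is_fulfilled(self, migration_date: Optional[datetime], now: datetime) -> bool:
        if not self.never_migrate_enabled:
            return False
        if migration_date is None:
            return True                                  # first case: no migration date set
        if not self.never_migrate_possible_with_to_date:
            return False                                 # a date is set and the override is off
        # Second case: active within the period before the migration date and after it.
        period = self.never_migrate_period if self.never_migrate_period is not None else self.hint_period
        if period is None:
            return False                                 # assumption: no hint period -> prerequisite missing
        return now >= migration_date - period


def evaluate(cond: NeverMigrateCondition, migration_date: Optional[str], now: str) -> bool:
    """Convenience wrapper taking ISO-8601 timestamps, e.g. '2025-02-25T09:00:00'."""
    md = datetime.fromisoformat(migration_date) if migration_date else None
    return cond.is_fulfilled(md, datetime.fromisoformat(now))


if __name__ == "__main__":
    # Constructed sample: 30-day hint period, never-migrate allowed in the last 7 days before the date.
    cond = NeverMigrateCondition(True, True, hint_period=parse_duration("30d"),
                                 never_migrate_period=parse_duration("7d"))
    for when in ("2025-02-10T09:00:00", "2025-02-25T09:00:00", "2025-03-05T09:00:00"):
        print(when, evaluate(cond, "2025-03-01T00:00:00", when))   # False, True, True
```

Because the period is anchored to the migration date rather than to the hint period start, shortening `neverMigratePeriod` narrows the window in which a user can opt out, while leaving it unset lets the whole hint period count.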

    Never Migrate Step

    Description
    A flow step to complete the migration if the user rejects the migration and stays on their current authentication method. The step clears the "nextAuthMethod" and "migrationDate" fields on the user.
    Class
    com.airlock.iam.authentication.application.configuration.migration.NeverMigrateStepConfig
    May be used by
    Properties
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.migration.NeverMigrateStepConfig
    id: NeverMigrateStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    New Email Clean-up Strategy

    Description
    Task strategy that deletes all IAK tokens that are older than the configured days. Sets the new email attribute back to null as it has not been confirmed.
    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.token.NewEmailCleanUpStrategyConfig
    May be used by
    Properties
    Token Data Provider (tokenDataProvider)
    Description
    The token data provider plugin is used to read all tokens to be handled by this task. Should be configured to only return the tokens that should be handled by this task.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    User Persister (userPersister)
    Description
    User persister to load and update technical user data (such as authentication data, login statistics, locking status, etc.).
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    New Email Attribute (newEmailAttribute)
    Description
    Name of the user context data attribute that contains the user's new and not yet active email address. Make sure this attribute is configured as a context data column in the user persister.
    Attributes
    String
    Optional
    Default value
    new_email
    Days To Keep New Email (daysToKeepNewEmail)
    Description
    The number of days to keep the unverified email addresses in the database.
    Attributes
    Integer
    Optional
    Default value
    1
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.token.NewEmailCleanUpStrategyConfig
    id: NewEmailCleanUpStrategyConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      daysToKeepNewEmail: 1
      newEmailAttribute: new_email
      tokenDataProvider:
      userPersister:
    

    New User Defaults Setter

    Description
    Event listener to set default values for newly created users.
    Class
    com.airlock.iam.core.misc.impl.persistency.usereventbus.NewUserDefaultsSetter
    May be used by
    Properties
    Enable Secret Questions Default (enableSecretQuestionsDefault)
    Description
    Sets the default value of the "Secret Questions enabled" property for newly created users.
    Attributes
    String
    Optional
    Allowed values
    true, false
    Condition (condition)
    Description
    The condition to decide whether the event should be handled. If not configured, the event is always handled.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.persistency.usereventbus.NewUserDefaultsSetter
    id: NewUserDefaultsSetter-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      enableSecretQuestionsDefault:
    

    Next Authentication Method-based Migration Condition

    Description
    Condition that is fulfilled if the configured "Target Auth Method" matches the user's next authentication method and the current date is within or after the migration hint period.
    Class
    com.airlock.iam.authentication.application.configuration.migration.condition.NextAuthMethodBasedMigrationConditionConfig
    May be used by
    mTAN Transaction Approval Step mTAN Transaction Approval Step Default Enable Cronto Push Flow Default Enable Cronto Push Flow Secret Questions Identity Verification Step Secret Questions Identity Verification Step Default mTAN Deletion Flow Legacy mTAN Registration Flow Legacy mTAN Registration Flow Set Authentication Method Migration Step Set Authentication Method Migration Step Advanced Migration Selection Option Airlock 2FA Authentication Step Airlock 2FA Authentication Step Complete Migration Step Complete Migration Step Failure Step Failure Step Airlock 2FA Recovery Trusted Session Binding Step Airlock 2FA Recovery Trusted Session Binding Step Email Identity Verification Step Email Identity Verification Step Scriptable Step Scriptable Step Custom Protected Self-Service Flow Custom Protected Self-Service Flow Airlock 2FA Self-Service Approval Step Airlock 2FA Self-Service Approval Step Logical NOT Set Authentication Method Step Set Authentication Method Step OTP Check via RADIUS Step OTP Check via RADIUS Step OAuth 2.0 SSO Step OAuth 2.0 SSO Step Cronto Device Selection Step Cronto Device Selection Step Default Disable FIDO Credential Flow Default Disable FIDO Credential Flow FIDO Public Self-Service Approval Step FIDO Public Self-Service Approval Step Cronto Transaction Approval Step Cronto Transaction Approval Step Email OTP Transaction Approval Step Email OTP Transaction Approval Step Send Email Link Step Send Email Link Step Vasco OTP Public Self-Service Approval Step Vasco OTP Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step mTAN Authentication Step mTAN Authentication Step Risk Assessment Step Risk Assessment Step Cronto Authentication Step Cronto Authentication Step User Data Edit Step User Data Edit Step Logical OR Account Link Linking Initiation Step Account Link Linking Initiation Step Account Link Removal Initiation Step Account Link Removal Initiation Step Missing 
Account Link Step CrontoSign Swiss Push Activation Step CrontoSign Swiss Push Activation Step Flow Continuation Token Consumption Step Flow Continuation Token Consumption Step Email Verification Step Email Verification Step SSI Passwordless Authentication Step SSI Passwordless Authentication Step Logical AND Red Flag Raising Step Config Red Flag Raising Step Config Red Flag Raising Step Config Airlock 2FA Transaction Approval Step Airlock 2FA Transaction Approval Step FIDO Credential Selection Step FIDO Credential Selection Step On Behalf Login Identity Propagation Config mTAN Number List mTAN Number List Default OAuth 2.0 Consents Delete Flow Default OAuth 2.0 Consents Delete Flow Selection Step for Public Self-Service Selection Step for Public Self-Service OATH OTP Activation Step OATH OTP Activation Step Default mTAN Token Registration Flow SSO Ticket Authentication Step SSO Ticket Authentication Step Enable Cronto Push Initiation Step Enable Cronto Push Initiation Step Default Account Link Removal Flow Default Account Link Removal Flow Default Account Link Linking Flow Default Account Link Linking Flow Condition-based Role Provider Migration Selection Step Migration Selection Step Migration Selection Step SSI Issuance Step SSI Issuance Step Legacy ID Propagation Adapter OIDC Flow Condition To ACR Value Mapping Phone Number Verification Step Phone Number Verification Step mTAN Public Self-Service Approval Step mTAN Public Self-Service Approval Step User Data Registration Step Config User Data Registration Step Config Cronto Approval Stealth Step Cronto Approval Stealth Step Disable FIDO Credential Initiation Step Disable FIDO Credential Initiation Step OAuth 2.0 Client Persisting Step OAuth 2.0 Client Persisting Step Selection Option For User Self-Registration Delete FIDO Credential Initiation Step Delete FIDO Credential Initiation Step Login From New Device Step Login From New Device Step Account Linking Lists Self Services Account Linking Lists Self Services 
OAuth 2.0 Consent Step Password-only Authentication Step Password-only Authentication Step SMS Identity Verification Step SMS Identity Verification Step Cronto Public Self-Service Approval Step Cronto Public Self-Service Approval Step Set Context Data Step Set Context Data Step Matrix Public Self-Service Approval Step Matrix Public Self-Service Approval Step Remember-Me Token Generating Step Remember-Me Token Generating Step Device Token List Device Token List Selection Option For Self-Service Flow Condition-based OAuth 2.0 Scope Condition Delete Cronto Device Initiation Step Delete Cronto Device Initiation Step Kerberos Authentication Step Kerberos Authentication Step Vasco OTP Authentication Step Vasco OTP Authentication Step Device Token Registration Step Device Token Registration Step Flow Continuation Step Flow Continuation Step Remember-Me User Identifying Step Remember-Me User Identifying Step Airlock 2FA Device List Airlock 2FA Device List Password Reset Step Password Reset Step Enable FIDO Credential Initiation Step Enable FIDO Credential Initiation Step Device Token Authentication Step Device Token Authentication Step Matrix Self-Service Approval Step Matrix Self-Service Approval Step User Identification By Data Step (Public Self-Service) User Identification By Data Step (Public Self-Service) Cronto Activation Step Cronto Activation Step Email OTP Authentication Step Email OTP Authentication Step Email Change Verification Step Email Change Verification Step Email Notification Step Email Notification Step FIDO Self-Service Approval Step FIDO Self-Service Approval Step OAuth 2.0 Client Registration Step OAuth 2.0 Client Registration Step Airlock 2FA Activation Step Airlock 2FA Activation Step Airlock 2FA Device Edit Initiation Step Airlock 2FA Device Edit Initiation Step Select mTAN Token Step Select mTAN Token Step Secret Questions Provisioning Step Secret Questions Provisioning Step Airlock 2FA Device Edit Step Airlock 2FA Device Edit Step Apply Changes 
    Properties
    Target Auth Method (targetAuthMethod)
    Description
    Expected value of the next auth method field on the user for this condition to be fulfilled.
    Attributes
    String
    Mandatory
    Suggested values
    MTAN, CRONTO, DEVICE_TOKEN, MATRIX
    Hint Period (hintPeriod)
    Description
    Ask the user to migrate during this period before the migration becomes mandatory. An immediate period (e.g. 0d) means users are always forced to migrate at the migration date and the migration hint page is never displayed beforehand.

    To always show the migration hint page as soon as a migration date is set for a user, set this property to a very high value.

    Notice that this setting has no effect if the user has a "Next Auth Method" but no migration date set; in this case the user is always displayed the migration hint page and never forced to migrate.

    The duration must be specified in the format "(d)ays (h)ours (m)inutes (s)econds" e.g. "2d 4h 10m 5s" (any part can be omitted).

    Attributes
    String
    Optional
    Default value
    10d
    Example
    7d
    Example
    30d
    Example
    14d 6h 30m
    Migration To Same Auth Method Allowed (migrationToSameAuthMethodAllowed)
    Description
    Defines whether the migration to the same authentication method the user already has is allowed.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.migration.condition.NextAuthMethodBasedMigrationConditionConfig
    id: NextAuthMethodBasedMigrationConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      hintPeriod: 10d
      migrationToSameAuthMethodAllowed: true
      targetAuthMethod:
    

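    The following is an added example, not part of the Airlock IAM reference: it parses the "(d)ays (h)ours (m)inutes (s)econds" format of Hint Period and applies the three rules described above (no migration date: always hint, never force; a date with a non-zero hint period: hint during the period, force from the date on; "0d": force at the date, never hint). The "NONE"/"HINT"/"FORCE" outcomes, the sample user and the dates are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# "(d)ays (h)ours (m)inutes (s)econds", e.g. "2d 4h 10m 5s"; any part may be omitted.
_DURATION_PART = re.compile(r"(\d+)([dhms])")
_SECONDS_PER_UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_hint_period(text: str) -> timedelta:
    """Parse a hintPeriod value such as "10d" or "14d 6h 30m".

    Anything that is not a run of <number><unit> parts is rejected, so a typo
    like "10 days" fails loudly instead of silently becoming a shorter period.
    """
    compact = "".join(text.split())
    if not compact:
        raise ValueError("empty hint period")
    pos, seconds = 0, 0
    for match in _DURATION_PART.finditer(compact):
        if match.start() != pos:
            raise ValueError(f"invalid hint period: {text!r}")
        seconds += int(match.group(1)) * _SECONDS_PER_UNIT[match.group(2)]
        pos = match.end()
    if pos != len(compact):
        raise ValueError(f"invalid hint period: {text!r}")
    return timedelta(seconds=seconds)


def is_valid_hint_period(text: str) -> bool:
    """Validation helper for configuration checks."""
    try:
        parse_hint_period(text)
        return True
    except ValueError:
        return False


def migration_action(
    now: datetime,
    current_auth_method: str,
    next_auth_method: Optional[str],
    migration_date: Optional[datetime],
    target_auth_method: str,
    hint_period: str = "10d",
    migration_to_same_allowed: bool = True,
) -> str:
    """Return "NONE", "HINT" or "FORCE" for one user, following the property
    descriptions: the condition only applies when the user's next auth method
    equals targetAuthMethod; without a migration date the hint is always shown
    and migration is never forced; with a date, migration is forced from the
    date on and hinted during hintPeriod before it (so "0d" never hints)."""
    if next_auth_method != target_auth_method:
        return "NONE"
    if not migration_to_same_allowed and current_auth_method == target_auth_method:
        return "NONE"
    if migration_date is None:
        return "HINT"
    if now >= migration_date:
        return "FORCE"
    if now >= migration_date - parse_hint_period(hint_period):
        return "HINT"
    return "NONE"


# Constructed sample: one user whose migration to CRONTO is due on 1 June 2025.
SAMPLE_MIGRATION_DATE = datetime(2025, 6, 1, tzinfo=timezone.utc)


def demo() -> dict:
    """Evaluate the sample user at several points in time (constructed data)."""
    d = SAMPLE_MIGRATION_DATE
    return {
        "20d before, 10d hint": migration_action(d - timedelta(days=20), "MTAN", "CRONTO", d, "CRONTO"),
        "3d before, 10d hint": migration_action(d - timedelta(days=3), "MTAN", "CRONTO", d, "CRONTO"),
        "on the date": migration_action(d, "MTAN", "CRONTO", d, "CRONTO"),
        "1s before, 0d hint": migration_action(d - timedelta(seconds=1), "MTAN", "CRONTO", d, "CRONTO", "0d"),
        "no migration date": migration_action(d, "MTAN", "CRONTO", None, "CRONTO"),
        "other target method": migration_action(d, "MTAN", "MATRIX", d, "CRONTO"),
        "same method, not allowed": migration_action(d, "CRONTO", "CRONTO", d, "CRONTO", "10d", False),
    }


if __name__ == "__main__":
    for scenario, action in demo().items():
        print(f"{scenario:28} -> {action}")
```
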
    NextGenPSD2 Certificate Authenticator

    Description
    Certificate authenticator for PSD2 QWACs (Qualified Website Authentication Certificates).

    If the certificate passes all of the configured validity checks, the resulting authenticated technical user will contain the following elements from the certificate:

    • The subject DN's organizationIdentifier (oid 2.5.4.97 according to ITU-T Recommendations X.520) as the username.
    • The payment service roles contained in the QCStatement (RFC 3739) with ID "0.4.0.19495.2" as granted user roles. The roles can be one of: PSP_AS, PSP_PI, PSP_AI or PSP_IC.

    Technical clients are inserted into the configured persistence. A technical client is identified by the certificate's subject DN and will have the organizationIdentifier as display name. A TPP therefore can have multiple technical clients.

    This plugin must not be used in locations other than an HTTP Request Authentication (using the Airlock Gateway One-Shot Flow).

    Class
    com.airlock.iam.login.app.application.configuration.psd2.NextGenPsd2CertificateAuthenticator
    May be used by
    License-Tags
    PSD2NextGen
    Properties
    Client Repository (clientRepository)
    Description
    The technical client repository to implicitly register technical clients.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Technical Client Interceptors (interceptors)
    Description
    Defines interceptors that get notified upon changes on technical clients.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Check Validity Period (checkValidityPeriod)
    Description
    If enabled, the validity period of the certificate is checked. If disabled, expired (or not-yet-valid) certificates are also accepted.
    Attributes
    Boolean
    Optional
    Default value
    true
    Certificate Status Checkers (certStatusCheckers)
    Description
    A list of certificate status checkers used to check the revocation status of the client certificate. If more than one checker is configured, all of them are consulted and the certificate is considered revoked if at least one of them reports it as revoked.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.application.configuration.psd2.NextGenPsd2CertificateAuthenticator
    id: NextGenPsd2CertificateAuthenticator-xxxxxx
    displayName: 
    comment: 
    properties:
      certStatusCheckers:
      checkValidityPeriod: true
      clientRepository:
      interceptors:
    

    No Access Control

    Description
    Does not restrict access control to the adminapp.
    Class
    com.airlock.iam.admin.application.configuration.NoAccessControl
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.NoAccessControl
    id: NoAccessControl-xxxxxx
    displayName: 
    comment: 
    properties:
    

    No Adminapp Content Security Policy

    Description
    Disables the Content Security Policy (CSP) for the Adminapp.
    Class
    com.airlock.iam.admin.application.configuration.csp.NoAdminappContentSecurityPolicyConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.csp.NoAdminappContentSecurityPolicyConfig
    id: NoAdminappContentSecurityPolicyConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    No Context Extractor

    Description
    Simple context extractor that does not return an explicit context (implicitly leading to the default context).
    Class
    com.airlock.iam.core.misc.util.context.NoContextExtractor
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.context.NoContextExtractor
    id: NoContextExtractor-xxxxxx
    displayName: 
    comment: 
    properties:
    

    No CRL Persister

    Description
    A persister that does nothing.
    Class
    com.airlock.iam.core.misc.impl.cert.crl.NoCRLPersister
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.cert.crl.NoCRLPersister
    id: NoCRLPersister-xxxxxx
    displayName: 
    comment: 
    properties:
    

    No Email Address Restriction

    Description

    Does not allow users without an email address to perform public self-services and returns a corresponding feedback message.

    For public self-service flows using email identity verification, the purpose of this restriction is only to add an informative feedback message. This increases usability but could allow user enumeration since it makes it possible to find existing users without an email address.

    We recommend configuring this restriction as the last restriction to be checked.

    Class
    com.airlock.iam.publicselfservice.application.configuration.restrictions.NoEmailAddressRestrictionConfig
    May be used by
    Properties
    Email Item (emailContextData)
    Description
    The context data field that contains the email address of the user.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.restrictions.NoEmailAddressRestrictionConfig
    id: NoEmailAddressRestrictionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      emailContextData:
    

    No Identity Propagator

    Description
    An identity propagator that does nothing. It can be useful when an identity provider has to be provided but nothing should be done.
    Class
    com.airlock.iam.core.misc.impl.sso.NoIdentityPropagator
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.NoIdentityPropagator
    id: NoIdentityPropagator-xxxxxx
    displayName: 
    comment: 
    properties:
    

    No Loginapp UI Content Security Policy

    Description
    Disables the Content Security Policy (CSP) for the Loginapp UI.
    Class
    com.airlock.iam.login.rest.application.configuration.NoLoginappUiContentSecurityPolicyConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.login.rest.application.configuration.NoLoginappUiContentSecurityPolicyConfig
    id: NoLoginappUiContentSecurityPolicyConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    No mTAN Token Restriction

    Description

    Does not allow users without an mTAN token to perform public self-services and returns a corresponding feedback message.

    For public self-service flows using mTAN identity verification, the purpose of this restriction is only to add an informative feedback message. This increases usability but could allow user enumeration since it makes it possible to find existing users without an mTAN token.

    We recommend configuring this restriction as the last restriction to be checked.

    Class
    com.airlock.iam.publicselfservice.application.configuration.restrictions.NoMtanTokenRestrictionConfig
    May be used by
    Properties
    mTAN Handler (mtanHandler)
    Description
    Retrieves the user's mTAN tokens.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.restrictions.NoMtanTokenRestrictionConfig
    id: NoMtanTokenRestrictionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      mtanHandler:
    

    No Operation Step

    Description
    A flow step that does nothing; initializing the step already completes it successfully. This can be useful in a subflow selection for an option that requires no further action.
    Class
    com.airlock.iam.flow.application.configuration.step.NoOperationStepConfig
    May be used by
    Properties
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.application.configuration.step.NoOperationStepConfig
    id: NoOperationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    No Retry Policy

    Description
    Never retries sending a request.
    Class
    com.airlock.iam.common.infrastructure.restclient.NoRetryPolicy
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.infrastructure.restclient.NoRetryPolicy
    id: NoRetryPolicy-xxxxxx
    displayName: 
    comment: 
    properties:
    

    No State Encryption

    Description
    Plugin to disable state encryption and store state information in plaintext.

    CAUTION: As IAM state contains sensitive information, storing unencrypted state is not recommended in production setups!

    Class
    com.airlock.iam.common.application.configuration.state.NoStateEncryptionConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.state.NoStateEncryptionConfig
    id: NoStateEncryptionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Non-Flow UI Settings

    Description
    These settings apply to all UI pages that are not part of a flow, e.g. the logout disclaimer page. For flow-specific settings, refer to "Flow UIs".
    Class
    com.airlock.iam.authentication.application.configuration.ui.NonFlowAuthenticationUiConfig
    May be used by
    Properties
    Maintenance Message UI Settings (maintenanceMessageUi)
    Description
    Settings to define if and how maintenance messages are displayed for pages that are not part of a flow. If this property is not set no maintenance messages are displayed.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    MaintenanceMessages
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.ui.NonFlowAuthenticationUiConfig
    id: NonFlowAuthenticationUiConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      maintenanceMessageUi:
    

    None (Airlock 2FA Account Display Name)

    Description
    Does not provide a display name during user's enrollment for Airlock 2FA.
    Class
    com.airlock.iam.airlock2fa.application.configuration.enrollment.Airlock2FANoDisplayNameProviderConfig
    May be used by
    License-Tags
    Airlock2FA
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.airlock2fa.application.configuration.enrollment.Airlock2FANoDisplayNameProviderConfig
    id: Airlock2FANoDisplayNameProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    None (FIDO Attestation Verification)

    Description
    Does not verify the attestation of a FIDO authenticator during registration.
    Class
    com.airlock.iam.fido.application.configuration.registration.FidoNoAttestationVerificationConfig
    May be used by
    License-Tags
    FIDO
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.fido.application.configuration.registration.FidoNoAttestationVerificationConfig
    id: FidoNoAttestationVerificationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Nonexistent User Restriction

    Description
    Ensures that for users that don't exist, public self-service continues in Stealth Mode (simulating the next step), or that they are immediately rejected (if the "Enable Feedback" property is enabled).
    Class
    com.airlock.iam.publicselfservice.application.configuration.restrictions.NonexistentUserRestrictionConfig
    May be used by
    Properties
    Enable Feedback (enableFeedback)
    Description

    If enabled, the User Identification Step always returns a specific error code in case this restriction is violated.

    If no restrictions are configured to provide feedback, a flow can also be started for users violating one or more restrictions and the flow will advance to the user identity verification step in stealth mode. In this mode, the initial behavior of the step is the same as for unrestricted users (e.g. an mTAN OTP is required), but all responses are rejected as if they were incorrect. This behavior prevents restricted users from ever proceeding further in the flow and thus offers protection against user enumeration. Please refer to the documentation for more details.

    Irrespective of this setting, once the identity verification step is passed, restrictions are always checked before and after each method call and violations are always reported.

    Security notice: Enabling this feature might allow a client to determine whether certain users exist in the system.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.restrictions.NonexistentUserRestrictionConfig
    id: NonexistentUserRestrictionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      enableFeedback: false
    

    Not Claim Condition Config

    Description
    This condition is fulfilled if its configured condition is not fulfilled.
    Class
    com.airlock.iam.oauth2.application.configuration.claims.conditions.NotClaimConditionConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Condition (condition)
    Description
    This condition is fulfilled if the following condition is not fulfilled.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.claims.conditions.NotClaimConditionConfig
    id: NotClaimConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
    

    NTLM Identity Propagator

    Description
    An identity propagator that instructs the Airlock Gateway (WAF) to send an HTTP NTLM auth header to the back-end.

    This propagator only works together with Airlock Gateway. It uses the control API to propagate username and password.

    Attention: due to a known limitation (AP-27159), only passwords consisting solely of characters from the iso-8859-1 character set can be used. Incompatible passwords will result in an error.

    Class
    com.airlock.iam.core.misc.impl.sso.NtlmIdentityPropagator
    May be used by
    Properties
    Control Cookie Name (controlCookieName)
    Description
    The name of the Airlock control cookie. The name must match the control cookie name defined in the Airlock server.
    Attributes
    String
    Optional
    Default value
    AL_CONTROL
    Suggested values
    AL_CONTROL
    Username Property (usernameProperty)
    Description

    The name of the context key holding the username to be used for identity propagation.

    Use the special value "@username" to use the username the user entered during authentication.

    Use the prefix "STATIC:" to indicate that what follows is the statically configured username to be used for all users. Example: "STATIC:techaccount" means that the username "techaccount" is used for all users.

    Attributes
    String
    Optional
    Default value
    @username
    Example
    @username
    Example
    db_col_sso_username
    Example
    STATIC:techaccount
    Password Property (passwordProperty)
    Description

    The name of the context key holding the password to be used for identity propagation.

    Use the special value "@password" to use the password the user entered during authentication. Note that depending on the authentication scheme, there is no such password (e.g. when using client certificates).

    Use the special value "@roles" to use the user's roles as the password. The roles are represented as a comma-separated list (e.g. "admin,employee,user").
    Notice: If there are users with no roles and basic-auth headers with no passwords are accepted by the backend, the property "Allow Empty Passwords" must be enabled.

    Use the prefix "STATIC:" to indicate that what follows is the statically configured password to be used for all users. Example: "STATIC:abcd1234" means that the password "abcd1234" is used for all users.

    Attributes
    String
    Optional
    Default value
    @password
    Example
    @password
    Example
    db_col_sso_pwd
    Example
    STATIC:abcd1234
    Example
    @roles
    Allow Empty Passwords (allowEmptyPasswords)
    Description
    If enabled, empty passwords are accepted and propagated. Only enable this option if your backend is able to handle NTLM authentication with empty passwords.
    Attributes
    Boolean
    Optional
    Default value
    false
    Target Mapping Name (targetMappingName)
    Description
    The NTLM auth header can be restricted to just one back-end by specifying its name here. If left unset, the NTLM auth header is sent to every back-end having the 'on-behalf' login configured.
    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.NtlmIdentityPropagator
    id: NtlmIdentityPropagator-xxxxxx
    displayName: 
    comment: 
    properties:
      allowEmptyPasswords: false
      controlCookieName: AL_CONTROL
      passwordProperty: '@password'
      targetMappingName:
      usernameProperty: '@username'
    

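    As an added example (not Airlock IAM code), the resolution of Username Property and Password Property described above, including the "@username", "@password" and "@roles" special values, the "STATIC:" prefix, the Allow Empty Passwords rule and the iso-8859-1 limitation (AP-27159). The AuthContext class and all sample values are constructed stand-ins for the authentication context the propagator reads.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

STATIC_PREFIX = "STATIC:"


@dataclass
class AuthContext:
    """Constructed stand-in for what the propagator sees after authentication."""
    username: str                                         # value behind "@username"
    password: Optional[str]                               # value behind "@password"; None e.g. for certificate logins
    roles: List[str] = field(default_factory=list)        # value behind "@roles"
    context: Dict[str, str] = field(default_factory=dict)  # other context keys, e.g. db_col_sso_username


def resolve_username(ctx: AuthContext, username_property: str = "@username") -> str:
    if username_property == "@username":
        return ctx.username
    if username_property.startswith(STATIC_PREFIX):
        return username_property[len(STATIC_PREFIX):]      # e.g. "STATIC:techaccount" -> "techaccount"
    return ctx.context[username_property]                 # KeyError signals a misconfigured context key


def resolve_password(ctx: AuthContext, password_property: str = "@password") -> Optional[str]:
    if password_property == "@password":
        return ctx.password
    if password_property == "@roles":
        return ",".join(ctx.roles)                        # comma-separated, e.g. "admin,employee,user"
    if password_property.startswith(STATIC_PREFIX):
        return password_property[len(STATIC_PREFIX):]
    return ctx.context.get(password_property)


def password_propagation_error(password: Optional[str], allow_empty_passwords: bool) -> Optional[str]:
    """Return why the password cannot be propagated, or None if it can."""
    if not password:                                      # None (no such password) or "" (user without roles)
        if allow_empty_passwords:
            return None
        return "empty password; enable allowEmptyPasswords only if the backend accepts it"
    try:
        password.encode("iso-8859-1")
    except UnicodeEncodeError:
        return "password contains characters outside iso-8859-1 (known limitation AP-27159)"
    return None


def ntlm_credentials(
    ctx: AuthContext,
    username_property: str = "@username",
    password_property: str = "@password",
    allow_empty_passwords: bool = False,
) -> Tuple[str, str]:
    """Resolve the (username, password) pair to hand to the Gateway control API,
    raising ValueError in the cases the property descriptions call an error."""
    username = resolve_username(ctx, username_property)
    password = resolve_password(ctx, password_property)
    error = password_propagation_error(password, allow_empty_passwords)
    if error:
        raise ValueError(error)
    return username, password or ""


if __name__ == "__main__":
    ctx = AuthContext("alice", "s3cret", ["admin", "employee"],
                      {"db_col_sso_username": "ALICE01", "db_col_sso_pwd": "p4ss"})
    print(ntlm_credentials(ctx))
    print(ntlm_credentials(ctx, "db_col_sso_username", "db_col_sso_pwd"))
    print(ntlm_credentials(ctx, "STATIC:techaccount", "STATIC:abcd1234"))
    print(ntlm_credentials(ctx, password_property="@roles"))
```
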
    Null Password Policy

    Description
    A dummy password policy accepting all new passwords.
    Class
    com.airlock.iam.core.misc.impl.authen.NullPasswordPolicy
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.NullPasswordPolicy
    id: NullPasswordPolicy-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Null SMS Gateway

    Description

    SMS gateway that does not send an SMS.

    This SMS gateway only logs a generic message when sending an SMS. It can be used to block/disregard certain phone numbers and not send them SMS.

    Class
    com.airlock.iam.core.misc.impl.sms.NullSmsGateway
    May be used by
    Properties
    Visible Phone Number Digits In Log (visiblePhoneNumberDigitsInLog)
    Description

    Defines the number of phone number digits visible in log statements.

    If the value is zero, all digits are masked; if it is large enough, all digits are visible. If set to 3, for example, the logged number looks like ********965.

    The default is 100, i.e. showing all digits.

    Attributes
    Integer
    Optional
    Default value
    100
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sms.NullSmsGateway
    id: NullSmsGateway-xxxxxx
    displayName: 
    comment: 
    properties:
      visiblePhoneNumberDigitsInLog: 100
    

    Number-based Selection SMS Gateway

    Description

    SMS gateway selection based on phone number.

    Allows selecting an SMS gateway based on phone number pattern matching.

    Class
    com.airlock.iam.core.misc.impl.sms.NumberBasedSelectionSmsGateway
    May be used by
    Properties
    Sms Gateway Selection Options (smsGatewaySelectionOptions)
    Description

    Defines the mapping between phone numbers and SMS gateways.

    When sending an SMS, the phone number is checked against the regex patterns defined in this map, and the first gateway whose corresponding pattern matches the phone number is selected to send the SMS. If no SMS gateway matches the phone number, the default gateway is used.

    Note that the phone number is always normalized before it is checked against the configured regex patterns: all whitespace is removed and the country code is added if it is missing (e.g. "+411234567").

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Visible Phone Number Digits In Log (visiblePhoneNumberDigitsInLog)
    Description

    Defines the number of phone number digits visible in log statements.

    If the value is zero, all digits are masked; if it is large enough, all digits are visible. If set to 3, for example, the logged number looks like ********965.

    The default is 100, i.e. showing all digits.

    Attributes
    Integer
    Optional
    Default value
    100
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sms.NumberBasedSelectionSmsGateway
    id: NumberBasedSelectionSmsGateway-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultGateway:
      smsGatewaySelectionOptions:
      visiblePhoneNumberDigitsInLog: 100
    

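    The following added example (not Airlock IAM code) models the two SMS gateway plugins above: the log masking of Visible Phone Number Digits In Log, the Null SMS Gateway that only logs, and the first-match selection over normalized numbers of the Number-based Selection SMS Gateway. Full-match regex semantics, the "+41" default country code, the "00" international prefix and the dropped national trunk "0" are assumptions of this example; the gateway classes and sample numbers are constructed and send nothing.

```python
import re
from typing import List, Tuple


def mask_phone_number(number: str, visible_digits: int) -> str:
    """Keep only the last `visible_digits` characters of a phone number in logs.

    0 masks everything, a value of at least the number's length (the default
    100) shows everything, and 3 turns "+4179123965" into "********965".
    """
    if visible_digits <= 0:
        return "*" * len(number)
    if visible_digits >= len(number):
        return number
    return "*" * (len(number) - visible_digits) + number[-visible_digits:]


def normalize_phone_number(raw: str, default_country_code: str = "+41") -> str:
    """Remove all whitespace and add the country code if it is missing.

    The page does not say how IAM determines the country code; the "+41"
    default, the "00" international prefix and dropping a national trunk "0"
    are assumptions of this example.
    """
    compact = re.sub(r"\s+", "", raw)
    if compact.startswith("+"):
        return compact
    if compact.startswith("00"):
        return "+" + compact[2:]
    return default_country_code + compact.lstrip("0")


class SmsGateway:
    """Constructed stand-in for a real gateway: returns its log line, sends nothing."""

    def __init__(self, name: str, visible_digits: int = 100):
        self.name = name
        self.visible_digits = visible_digits

    def send(self, number: str, text: str) -> str:
        return f"[{self.name}] sent SMS to {mask_phone_number(number, self.visible_digits)}"


class NullSmsGateway(SmsGateway):
    """Null SMS Gateway: only logs a generic message and never sends."""

    def send(self, number: str, text: str) -> str:
        return f"[{self.name}] SMS to {mask_phone_number(number, self.visible_digits)} suppressed"


class NumberBasedSelectionSmsGateway:
    """The first pattern in `options` that matches the normalized number wins;
    otherwise `default_gateway` is used. Order matters: a narrow pattern (such
    as a blocked prefix) must precede the broad pattern that would also match."""

    def __init__(self, options: List[Tuple[str, SmsGateway]], default_gateway: SmsGateway,
                 visible_digits: int = 100):
        self.options = [(re.compile(pattern), gateway) for pattern, gateway in options]
        self.default_gateway = default_gateway
        self.visible_digits = visible_digits

    def select(self, raw_number: str) -> Tuple[SmsGateway, str]:
        number = normalize_phone_number(raw_number)
        for pattern, gateway in self.options:
            if pattern.fullmatch(number):
                return gateway, number
        return self.default_gateway, number

    def send(self, raw_number: str, text: str) -> List[str]:
        gateway, number = self.select(raw_number)
        selection_log = f"[selector] {mask_phone_number(number, self.visible_digits)} -> {gateway.name}"
        return [selection_log, gateway.send(number, text)]


if __name__ == "__main__":
    # Constructed setup: suppress Swiss premium-rate numbers, route by country, default to an international gateway.
    selector = NumberBasedSelectionSmsGateway(
        [(r"\+41900\d+", NullSmsGateway("blocked")),
         (r"\+41\d+", SmsGateway("swiss-gw", visible_digits=3)),
         (r"\+49\d+", SmsGateway("german-gw", visible_digits=3))],
        SmsGateway("intl-gw", visible_digits=3), visible_digits=0)
    for raw in ["+41 79 123 45 67", "079 123 45 67", "0049 30 1234", "+41 900 123 456", "+1 212 555 0100"]:
        print("\n".join(selector.send(raw, "Your code is 123456")))
```
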
    O Auth2 Authorization Server

    Description
    Configures the removal of OAuth 2.0 tokens after credential generation.
    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.token.OAuth2AuthorizationServer
    May be used by
    License-Tags
    OAuthServer
    Properties
    OAuth 2.0 Authorization Server Identifier (authorizationServerIdentifier)
    Description
    The authorization server identifier.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    OAuth 2.0 Session Repository (sessionRepository)
    Description
    The OAuth 2.0 session repository to use with the server identifier defined above.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.token.OAuth2AuthorizationServer
    id: OAuth2AuthorizationServer-xxxxxx
    displayName: 
    comment: 
    properties:
      authorizationServerIdentifier:
      sessionRepository:
    

    O Auth2 Response Mode Config

    Description

    Restricts the accepted response mode(s) per OpenId Connect Flow.

    By default only the standard response mode for each flow is allowed ('query' for Authorization Code Grant, 'fragment' for Hybrid Flow).

    If the standard response mode of a particular flow is unselected, requests without a response_mode parameter will be rejected.

    Class
    com.airlock.iam.login.app.misc.configuration.oauth.as.oauth2.OAuth2ResponseModeConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Allow "query" (authorizationCodeFlowQueryResponseMode)
    Description

    Enables the query response mode for Authorization Code Flow. This is the default mode according to the specification if a client does not request a particular response mode.

    If unselected, requests without a response_mode parameter will be rejected.

    Attributes
    Boolean
    Optional
    Default value
    true
    Allow "fragment" (authorizationCodeFlowFragmentResponseMode)
    Description

    Enables the fragment response mode for Authorization Code Flow.

    If not enabled, requests that explicitly request this mode will be rejected.

    Attributes
    Boolean
    Optional
    Default value
    false
    Allow "form_post" (authorizationCodeFlowFormPostResponseMode)
    Description

    Enables the form_post response mode for Authorization Code Flow.

    If not enabled, requests that explicitly request this mode will be rejected.

    Attributes
    Boolean
    Optional
    Default value
    false
    Allow "query" (hybridFlowQueryResponseMode)
    Description

    Enables the query response mode for Hybrid Flow.

    If not enabled, requests that explicitly request this mode will be rejected.

    Attributes
    Boolean
    Optional
    Default value
    false
    Allow "fragment" (hybridFlowFragmentResponseMode)
    Description

    Enables the fragment response mode for Hybrid Flow. This is the default mode according to the specification if a client does not request a particular response mode.

    If unselected, requests without a response_mode parameter will be rejected.

    Attributes
    Boolean
    Optional
    Default value
    true
    Allow "form_post" (hybridFlowFormPostResponseMode)
    Description

    Enables the form_post response mode for Hybrid Flow.

    If not enabled, requests that explicitly request this mode will be rejected.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oauth.as.oauth2.OAuth2ResponseModeConfig
    id: OAuth2ResponseModeConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authorizationCodeFlowFormPostResponseMode: false
      authorizationCodeFlowFragmentResponseMode: false
      authorizationCodeFlowQueryResponseMode: true
      hybridFlowFormPostResponseMode: false
      hybridFlowFragmentResponseMode: true
      hybridFlowQueryResponseMode: false
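
    The allow/reject decision that these six flags describe, written out as an added Python example (it is not Airlock IAM code and not taken from this reference). The field names mirror the plugin's property names; the classification of response_type into the two flows and the exception type are the example's own assumptions.

```python
from dataclasses import dataclass

# Added example, not Airlock IAM code: the allow/reject decision that the
# OAuth2ResponseModeConfig properties describe, written out so the effect of
# each flag can be exercised. Field names mirror the plugin's property names.


@dataclass(frozen=True)
class ResponseModeConfig:
    authorizationCodeFlowQueryResponseMode: bool = True
    authorizationCodeFlowFragmentResponseMode: bool = False
    authorizationCodeFlowFormPostResponseMode: bool = False
    hybridFlowQueryResponseMode: bool = False
    hybridFlowFragmentResponseMode: bool = True
    hybridFlowFormPostResponseMode: bool = False


# Mode used when the client omits response_mode: "query" for the Authorization
# Code flow, "fragment" for the Hybrid flow (OAuth 2.0 Multiple Response Type
# Encoding Practices).
SPEC_DEFAULT_MODE = {"code": "query", "hybrid": "fragment"}

_FLAG_SUFFIX = {
    "query": "QueryResponseMode",
    "fragment": "FragmentResponseMode",
    "form_post": "FormPostResponseMode",
}


class ResponseModeRejected(Exception):
    """Stands in for the error response the authorization server would send."""


def flow_of(response_type: str) -> str:
    """Map the response_type parameter onto the two flows the config covers.

    The classification (and the rejection of other response types) is this
    example's assumption, not documented Airlock IAM behaviour.
    """
    parts = set(response_type.split())
    if parts == {"code"}:
        return "code"
    if "code" in parts and parts & {"token", "id_token"}:
        return "hybrid"
    raise ResponseModeRejected(f"response_type not covered here: {response_type!r}")


def allowed_modes(cfg: ResponseModeConfig, flow: str) -> set:
    """The set of response modes the configuration enables for a flow."""
    prefix = "authorizationCodeFlow" if flow == "code" else "hybridFlow"
    return {mode for mode, suffix in _FLAG_SUFFIX.items() if getattr(cfg, prefix + suffix)}


def select_response_mode(cfg: ResponseModeConfig, response_type: str,
                         requested_mode: str = None) -> str:
    """Return the response mode to use, or raise if the request must be rejected.

    A missing response_mode falls back to the flow's spec default, and that
    default then has to pass the same allow-list. Unselecting the default
    therefore rejects every request that omits the parameter.
    """
    flow = flow_of(response_type)
    mode = requested_mode or SPEC_DEFAULT_MODE[flow]
    if mode not in allowed_modes(cfg, flow):
        raise ResponseModeRejected(
            f"response_mode {mode!r} not allowed for the {flow} flow "
            f"(requested: {requested_mode!r})")
    return mode
```

    A configuration that disables "query" and enables "form_post" for the Authorization Code flow keeps the authorization code out of the URL (and so out of Referer headers, browser history and access logs), but with that configuration a client that does not send response_mode=form_post is rejected rather than silently served via the query string.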
    

    O Auth2 Token Cleanup

    Description
    Configures the cleanup of OAuth 2.0 tokens after credential generation.
    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.token.OAuth2TokenCleanup
    May be used by
    License-Tags
    OAuthServer
    Properties
    Authorization Servers (authorizationServers)
    Description
    A list of OAuth 2.0 Authorization Server Identifiers, for which to clean up tokens.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.token.OAuth2TokenCleanup
    id: OAuth2TokenCleanup-xxxxxx
    displayName: 
    comment: 
    properties:
      authorizationServers:
    

    OATH OTP Activation Step

    Description

    Allows adding or replacing an OATH (T)OTP token.

    When existing shared secrets are not overwritten, the shared secret is read from the database and presented to the user, who may register it in an authenticator app. Any other app into which the secret was imported earlier remains functional. This is only possible with TOTP tokens, because HOTP token counters diverge between devices.

    When used for user self-registration, this step needs an "OATH Token Insertion Handler" to be configured.

    This step can trigger two kinds of events, depending on the value of the flag "Overwrite Existing Shared Secret":

    • An "OATH OTP Secret Viewed" event, if the flag is set to false and the user has an existing secret. This event is triggered whenever this step is entered, without any user interaction (the existing shared secret is communicated to the SPA at the start), and signifies an intended exposure of the secret. Irrespective of how this step ends (success or failure), the (exposed) secret can be used to generate OTPs.
    • An "OATH OTP Secret Added" event, if a new secret is persisted.

    Class
    com.airlock.iam.flow.shared.application.configuration.oath.OathOtpActivationStepConfig
    May be used by
    License-Tags
    OathOtp
    Properties
    OATH OTP Settings (oathOtpSettings)
    Description
    The OATH OTP Settings.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    OathOtp
    Assignable plugins
    Overwrite Existing Shared Secret (overwriteExistingSharedSecret)
    Description
    Whether to overwrite (i.e. delete) the old shared secret and set a new one. If this is set to true, existing OATH tokens will not function any longer.

    This setting has no effect if the step is used in a self-registration flow.

    Attributes
    Boolean
    Optional
    License-Tags
    OathOtp
    Default value
    true
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    License-Tags
    OathOtp
    Default value
    PASSWORD
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    License-Tags
    OathOtp
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    License-Tags
    OathOtp
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    License-Tags
    OathOtp
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    OathOtp
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    License-Tags
    OathOtp
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    License-Tags
    OathOtp
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    OathOtp
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    License-Tags
    OathOtp
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    License-Tags
    OathOtp
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.oath.OathOtpActivationStepConfig
    id: OathOtpActivationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: PASSWORD
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      oathOtpSettings:
      onFailureGotos:
      overwriteExistingSharedSecret: true
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    OATH OTP Authentication Step

    Description
    Configuration for an OATH OTP authentication flow step.
    Class
    com.airlock.iam.authentication.application.configuration.oath.OathOtpAuthStepConfig
    May be used by
    License-Tags
    OathOtp
    Properties
    OATH OTP settings (oathOtpSettings)
    Description
    The OATH OTP settings.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    OathOtp
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    License-Tags
    OathOtp
    Default value
    OATH_OTP
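
    The counter-reset attack that the "Authentication Method ID" descriptions of the OATH OTP Activation Step and the OATH OTP Authentication Step warn about, replayed against a small model of per-method failed-attempt counters. This is an added Python example, not Airlock IAM code; the lockout threshold, the user name and the method IDs are assumptions for the illustration.

```python
# Added example, not Airlock IAM code: a model of failed-attempt counters
# keyed by (user, authentication method ID), used to replay the attack that
# the Authentication Method ID description warns about. The lockout threshold,
# user name and method IDs are assumptions for the illustration.


class AttemptCounters:
    """Failed-login counters per (user, authentication method ID).

    A successful check resets the counter for its own method ID; reaching
    max_failed locks that method for the user.
    """

    def __init__(self, max_failed: int = 5):
        self.max_failed = max_failed
        self._failed = {}

    def is_locked(self, user: str, method_id: str) -> bool:
        return self._failed.get((user, method_id), 0) >= self.max_failed

    def check(self, user: str, method_id: str, credential_ok: bool) -> str:
        key = (user, method_id)
        if self.is_locked(user, method_id):
            return "LOCKED"
        if credential_ok:
            self._failed[key] = 0  # success resets the counter of this method ID
            return "OK"
        self._failed[key] = self._failed.get(key, 0) + 1
        return "LOCKED" if self.is_locked(user, method_id) else "FAILED"


def guesses_before_lockout(method_a: str, method_b: str,
                           max_failed: int = 5, budget: int = 1000) -> int:
    """Attacker knows password 1 (checked in flow A) and guesses password 2 (flow B).

    Strategy from the text: after max_failed - 1 wrong guesses on flow B, log
    in successfully on flow A to reset the counter, then keep guessing.
    Returns the number of password-2 guesses evaluated before the lock, or
    `budget` if the attacker is never locked out.
    """
    counters = AttemptCounters(max_failed)
    user = "alice"
    guesses = 0
    while guesses < budget:
        for _ in range(max_failed - 1):
            if counters.is_locked(user, method_b):
                return guesses
            counters.check(user, method_b, credential_ok=False)  # wrong guess
            guesses += 1
            if guesses >= budget:
                return guesses
        counters.check(user, method_a, credential_ok=True)  # reset attempt via flow A
    return guesses
```

    With both steps configured as "PASSWORD" the attacker exhausts the whole guess budget without ever being locked out; with "PASSWORD1" and "PASSWORD2" the lock triggers after exactly max_failed guesses on flow B, regardless of how often flow A succeeds.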
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    License-Tags
    OathOtp
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    License-Tags
    OathOtp
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    License-Tags
    OathOtp
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    OathOtp
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    License-Tags
    OathOtp
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    License-Tags
    OathOtp
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    OathOtp
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    License-Tags
    OathOtp
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    License-Tags
    OathOtp
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.oath.OathOtpAuthStepConfig
    id: OathOtpAuthStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: OATH_OTP
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      oathOtpSettings:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    OATH OTP Authenticator

    Description
    An HMAC-based OTP (one-time password) authenticator.
    It verifies counter-based HOTP one-time passwords (event-triggered, incrementing counter) or time-based TOTP one-time passwords. On the client side it was tested with 'Google Authenticator', which is available for Android, iPhone and Blackberry.

    Note: Does not support getLatestUsedToken().

    References:
    HOTP RFC 4226 http://www.ietf.org/rfc/rfc4226.txt
    TOTP draft-mraihi-totp-timebased-06 (published as RFC 6238) http://www.ietf.org/id/draft-mraihi-totp-timebased-06.txt

    Class
    com.airlock.iam.core.misc.impl.authen.OathOtpAuthenticator
    May be used by
    License-Tags
    MobileOTP,OathOtp
    Properties
    Oath Otp Settings (oathOtpSettings)
    Description
    The OATH OTP settings.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    MobileOTP,OathOtp
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.OathOtpAuthenticator
    id: OathOtpAuthenticator-xxxxxx
    displayName: 
    comment: 
    properties:
      oathOtpSettings:
    

    OATH OTP Event-based Challenge Handler

    Description
    Handle the Challenges for HOTP. In this case the challenges are a small number of incrementing counter values.
    Class
    com.airlock.iam.core.misc.impl.tokenverifier.oathotp.HotpChallengeHandler
    May be used by
    License-Tags
    MobileOTP,OathOtp
    Properties
    Windows Size (windowsSize)
    Description

    The window size defines how many counter values beyond the expected one are still accepted, i.e. how many codes the user may skip. This is needed when the user has generated OTPs that were never submitted.

    This value must not be too large for security reasons: every additional counter value in the window is one more OTP that an attacker's guess can match. If the value is too small, usability suffers, because users have to re-synchronize their token too often.

    Attributes
    Integer
    Optional
    License-Tags
    MobileOTP,OathOtp
    Default value
    10
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.tokenverifier.oathotp.HotpChallengeHandler
    id: HotpChallengeHandler-xxxxxx
    displayName: 
    comment: 
    properties:
      windowsSize: 10
    

    OATH OTP Letter Task

    Description
    This task plug-in iterates over user or credential records and, if certain conditions are met, executes a report renderer on the user (or credential). It can produce letters for the initialization of newly issued (software) OATH OTP tokens (time-based and event-based).

    The task uses a user iterator plug-in to go through the set of users or credential records and looks at a specific flag telling this plug-in that a report should be rendered for the user (or credential). If the flag is set, the "delivery security gap" is checked: this is the minimum amount of time there must be between two reports being generated for one and the same user. If this check passes, the configured report renderer is called and the flag is reset.

    Note: This generates letters with QR codes. These 2-D barcodes are a convenient way to initialize/provision the mobile phone software application 'Google Authenticator'.
    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.OathOtpReportTask
    May be used by
    License-Tags
    MobileOTP,OathOtp
    Properties
    OATH OTP Settings (oathOtpSettings)
    Description
    The OATH OTP settings.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Credential Iterator (credentialIterator)
    Description
    The credential iterator plug-in used to iterate over a set of credential structures. For efficiency reasons it makes sense to limit the set of credential structures returned by this plug-in as much as possible. It is usually a good idea to include the "order-credential" flag in the additional where clause of the iterator plug-in, so that this plug-in only receives the "interesting" records.
    If this property is not specified, the credential persister plugin (referenced in the OATH OTP settings) is used to iterate over the credentials.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Report Renderer (reportRenderer)
    Description
    Renderer plugin used to generate the reports (PDFs, etc) for the OATH OTP token.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Delivery Security Gap (deliverySecurityGap)
    Description
    Specifies the minimum number of days there must be between two reports being generated for the same user. This delivery gap prevents, for example, a password letter and a token letter being sent to the same user within a short time, which would be a security risk because both letters would be in transit (e.g. with the postal service) at the same time.
    This feature only works correctly if the underlying credential persister knows the delivery timestamps of the other credentials. Make sure these are properly configured for the credential persister.
    Not setting this property turns this feature off.
    Attributes
    Integer
    Optional
    Default value
    0
    Language Attribute Name (languageAttributeName)
    Description
    Tells the report task which attribute in the context data container contains the language to be used for rendering the report. If this property is configured and the context data container of the user has a value for this attribute, it is used when calling the report renderer plug-in.
    Attributes
    String
    Mandatory
    Suggested values
    language
    Working Directory (workingDirectory)
    Description
    A writable directory used to store partial reports.
    If this property is defined, the credential reports are not generated directly into the output directory (see the other property) but into this working directory, and they are moved to the output directory once they are complete.
    This avoids problems with processes that automatically read the rendered reports and would otherwise pick up partial reports during generation. Make sure that the working directory and the output directory reside in the same file system (otherwise the move of the generated file is not atomic).
    The directory is either absolute or relative to the JVM's current directory.
    Attributes
    File/Path
    Optional
    Output Directory (outputDirectory)
    Description
    Directory in the file system to put the rendered reports in. The directory is either absolute or relative to the JVM's current directory.

    This property is not required if the renderer plugin (see separate property) does not write on the output stream (e.g. sends it somewhere else). It is required otherwise.

    Note: If this property is not defined and the used renderer plugin writes on the output stream, then the result (e.g. a PDF file) is lost.

    Attributes
    File/Path
    Optional
    File Name Prefix (fileNamePrefix)
    Description
    Filename prefix for rendered report files. It is important to set this to a value that is unique to the kind of reports generated by this task. When this task deletes old reports, it looks at this prefix (and the user id) to find out which files to delete. Thus, if this prefix is the same as for other reports and they reside in the same directory, other reports may be deleted.
    Do not use the prefix "pwd-" or the empty prefix if password or token-list reports are stored in the same directory: the empty prefix is the default for token lists (matrix card) and "pwd-" for password letters.
    Attributes
    String
    Mandatory
    Suggested values
    oathotp-letter
    File Name Suffix (fileNameSuffix)
    Description
    Filename suffix for rendered report files. The indicated suffix is appended to the generated reports. This may be required if the files are processed (e.g. printed) by another process (manual or automatic).
    Attributes
    String
    Optional
    Suggested values
    .pdf, .txt
    Delete Old Reports (deleteOldReports)
    Description
    Deletes old rendered reports of a user from the file system when a new one is rendered. Setting this to TRUE results in at most one rendered report of this type per user.
    Caution: This feature deletes all reports starting with the prefix configured by property "file-name-prefix" followed by the user's name. Thus you must make sure that different report types use different filename prefixes.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.OathOtpReportTask
    id: OathOtpReportTask-xxxxxx
    displayName: 
    comment: 
    properties:
      credentialIterator:
      deleteOldReports: false
      deliverySecurityGap: 0
      fileNamePrefix:
      fileNameSuffix:
      languageAttributeName:
      oathOtpSettings:
      outputDirectory:
      reportRenderer:
      workingDirectory:
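
    The file handling that the "Working Directory", "File Name Prefix" and "Delete Old Reports" properties describe, as an added Python example that is not Airlock IAM code: render into a working directory, hand the finished file over atomically, then delete the user's older reports by prefix. The file name layout, the "-" separator after the user id and the rendered content are assumptions for the illustration; the renderer itself is replaced by writing a few bytes.

```python
import os
import tempfile

# Added example, not Airlock IAM code: the report file handling described by
# the Working Directory, File Name Prefix and Delete Old Reports properties,
# written out so the atomic hand-over and the prefix-collision hazard can be
# exercised. File name layout, the "-" separator after the user id and the
# rendered content are assumptions for the illustration.


def report_file_name(prefix: str, user_id: str, generated_at: str, suffix: str) -> str:
    """<prefix><user-id>-<timestamp><suffix>. Prefix + user id is what deletion matches on."""
    return f"{prefix}{user_id}-{generated_at}{suffix}"


def delete_old_reports(output_dir: str, prefix: str, user_id: str, keep: str) -> list:
    """Remove every report of this user with the given prefix except `keep`.

    The trailing "-" keeps user "al" from matching the files of user "alice";
    the page only states that prefix and user name are matched.
    """
    removed = []
    for name in sorted(os.listdir(output_dir)):
        if name.startswith(prefix + user_id + "-") and name != keep:
            os.remove(os.path.join(output_dir, name))
            removed.append(name)
    return removed


def publish_report(working_dir, output_dir, prefix, user_id, generated_at,
                   suffix, content: bytes, delete_old: bool) -> dict:
    """Render into working_dir, then move the finished file into output_dir."""
    name = report_file_name(prefix, user_id, generated_at, suffix)
    partial = os.path.join(working_dir, name)
    final = os.path.join(output_dir, name)
    with open(partial, "wb") as fh:          # a consumer polling output_dir never sees this
        fh.write(content)
    os.replace(partial, final)               # atomic only within one file system
    removed = delete_old_reports(output_dir, prefix, user_id, keep=name) if delete_old else []
    return {"written": name, "removed": removed}


def demo_prefix_collision(shared_prefix: bool) -> dict:
    """Password letter and two OATH OTP letters for one user in the same output directory."""
    with tempfile.TemporaryDirectory() as root:
        work, out = os.path.join(root, "work"), os.path.join(root, "out")
        os.mkdir(work)
        os.mkdir(out)
        otp_prefix = "pwd-" if shared_prefix else "oathotp-letter-"
        removed = []
        for prefix, stamp, body in (("pwd-", "20240101", b"password letter"),
                                    (otp_prefix, "20240102", b"OATH OTP letter 1"),
                                    (otp_prefix, "20240103", b"OATH OTP letter 2")):
            removed += publish_report(work, out, prefix, "alice", stamp, ".pdf",
                                      body, delete_old=True)["removed"]
        return {"removed": removed,
                "remaining": sorted(os.listdir(out)),
                "work_dir_empty": not os.listdir(work)}
```

    With the OATH OTP task misconfigured to the password-letter prefix "pwd-", the second run deletes the user's password letter as if it were an old OTP letter; with the distinct prefix "oathotp-letter-" only the previous OTP letter is removed and the password letter survives.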
    

    OATH OTP Secret Added

    Description

    Event that is triggered by a user activating a new OATH OTP device. Technically, it is triggered when a new shared secret is persisted for the user.

    Consult the "OATH OTP Activation Step" for details.

    Class
    com.airlock.iam.common.application.configuration.event.OathOtpSecretAddedSubscribedEventConfig
    May be used by
    License-Tags
    OathOtp
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.event.OathOtpSecretAddedSubscribedEventConfig
    id: OathOtpSecretAddedSubscribedEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OATH OTP Secret Viewed

    Description

    Event that is triggered by a user viewing an existing (not newly generated) OATH OTP shared secret (to import into an authenticator app).

    Consult the "OATH OTP Activation Step" for details.

    Class
    com.airlock.iam.common.application.configuration.event.OathOtpSecretViewedSubscribedEventConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.event.OathOtpSecretViewedSubscribedEventConfig
    id: OathOtpSecretViewedSubscribedEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OATH OTP Settings

    Description
    Settings for OATH OTP (one time password) authentication.
    They can be used to verify counter-based HOTP (event-triggered, incrementing counter) or time-based TOTP one time passwords.
    On the client side it was tested with 'Google Authenticator', which was available for Android, iPhone and Blackberry at the time this plugin was developed.

    References:
    HOTP RFC 4226 http://www.ietf.org/rfc/rfc4226.txt
    TOTP RFC 6238 http://www.ietf.org/rfc/rfc6238.txt

    Class
    com.airlock.iam.core.misc.impl.tokenverifier.oathotp.OathOtpSettings
    May be used by
    License-Tags
    MobileOTP,OathOtp
    Properties
    Password (password)
    Description
    The password used to encrypt the shared secret of each user's OATH OTP token.
    Attributes
    String
    Mandatory
    Sensitive
    License-Tags
    MobileOTP,OathOtp
    Credential Persister (credentialPersister)
    Description
    Configure which persister is used to store token information.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    MobileOTP,OathOtp
    Assignable plugins
    Token Type (tokenType)
    Description
    This property defines whether time-based one time passwords (TOTP) or HMAC counter-based one time passwords (HOTP) are used. HOTP uses an incrementing counter; each OTP is generated on the client by an explicit request, such as pressing a button, which increments the counter on the client side. TOTP uses time slots instead of counters.

    More formally:
    hotp := truncate(secureHash(sharedSecret, counter))
    totp := truncate(secureHash(sharedSecret, time_slot))

    HOTP is implemented as defined in RFC 4226; TOTP follows RFC 6238 (originally the draft http://www.ietf.org/id/draft-mraihi-totp-timebased-06.txt).

    The default is TOTP.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    MobileOTP,OathOtp
    Assignable plugins
    Token Label Context Property (orgLabelContextProperty)
    Description
    Defines the name of a context data property with the organization label.

    The label is used together with the username as label of the OTP generator (usually, a mobile app can display multiple OTP generators).

    Make sure the context data property is provided by the configured credential persister.

    Note that spaces will be removed from the label (not allowed in some mobile clients).

    If this property is not defined or the referenced context data value is empty, the default label is used (see separate configuration property).

    Attributes
    String
    Optional
    License-Tags
    MobileOTP,OathOtp
    Example
    company
    Example
    instance_id
    Token Label Default (orgLabelDefault)
    Description
    Default organization label used when no information is available from the context data of the user.

    The label is used together with the username as label of the OTP generator (usually, a mobile app can display multiple OTP generators).

    Attributes
    String
    Optional
    License-Tags
    MobileOTP,OathOtp
    Default value
    Airlock
    Number of Digits (digits)
    Description
    Defines the length (number of decimal digits) of the one time password.
    Attributes
    Integer
    Optional
    License-Tags
    MobileOTP,OathOtp
    Default value
    6
    Selectable As Auth Method (selectableAsAuthMethod)
    Description
    If enabled, OATH OTP may be selected as active authentication method in the admin tool.
    Attributes
    Boolean
    Optional
    License-Tags
    MobileOTP,OathOtp
    Default value
    true
    Selectable As Next Auth Method (selectableAsNextAuthMethod)
    Description
    If enabled, OATH OTP may be selected as the next (migration) authentication method.
    Attributes
    Boolean
    Optional
    License-Tags
    MobileOTP,OathOtp
    Default value
    true
    Synchronize/Increase Counter Button (synchronizeIncreaseCounterButton)
    Description
    Set to false to hide the button in the Adminapp.
    Using this button, the administrator can reset the time offset (for time-based OATH OTP) or increase the counter-value (event-based OATH OTP) in order to manually re-synchronize the token with the server.
    Attributes
    Boolean
    Optional
    License-Tags
    MobileOTP,OathOtp
    Default value
    true
    Show Letter Attributes (showLetterAttributes)
    Description
    Set to false to hide the activation letter attributes, e.g. generation date.
    Attributes
    Boolean
    Optional
    License-Tags
    MobileOTP,OathOtp
    Default value
    true
    Show Secret as QR Code (showSecretAsQrCode)
    Description
    Set to false to hide the QR code (2d-barcode) in the Adminapp.
    The QR code allows admins to transfer the token key more easily to a compatible mobile app. This also eases "cloning" the OTP generator!
    Attributes
    Boolean
    Optional
    License-Tags
    MobileOTP,OathOtp
    Default value
    true
    Show Secret in HEX (showSecretInHex)
    Description
    Set to true to show the secret in HEX-code (hexa-decimal representation of the token key) in the Adminapp.
    The HEX representation allows admins to transfer the token key to a mobile app. This also allows "cloning" the OTP generator!
    Attributes
    Boolean
    Optional
    License-Tags
    MobileOTP,OathOtp
    Default value
    false
    Show Secret in Base 32 (showSecretInBase32)
    Description
    Set to false to hide the Base 32 representation of the secret in the Adminapp. Base 32 is the encoding used by some mobile apps, so this representation allows admins to transfer the token key to such an app. This also allows "cloning" the OTP generator!
    Attributes
    Boolean
    Optional
    License-Tags
    MobileOTP,OathOtp
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.tokenverifier.oathotp.OathOtpSettings
    id: OathOtpSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      credentialPersister:
      digits: 6
      orgLabelContextProperty:
      orgLabelDefault: Airlock
      password:
      selectableAsAuthMethod: true
      selectableAsNextAuthMethod: true
      showLetterAttributes: true
      showSecretAsQrCode: true
      showSecretInBase32: true
      showSecretInHex: false
      synchronizeIncreaseCounterButton: true
      tokenType:
    

    OATH OTP Time-based Challenge Handler

    Description
    Handle TOTP Challenges (Timeslots).
    Class
    com.airlock.iam.core.misc.impl.tokenverifier.oathotp.TotpChallengeHandler
    May be used by
    License-Tags
    MobileOTP,OathOtp
    Properties
    Windows Size (windowsSize)
    Description

    The window size defines how many time slots before and after the current time slot are accepted for OTP verification. The length of a time slot is 30 s. The window is symmetric: for a window size of 1, the time slot before and the time slot after the current one are accepted in addition to the current time slot, i.e. three slots in total. Extending the time window is required if the client's clock is not in perfect sync with the server clock (e.g. for hardware tokens).

    Keep this value as small as possible for security reasons: every additional slot is another OTP value that is accepted at a given moment. If the value is too small, however, usability may be impacted.

    Attributes
    Integer
    Optional
    License-Tags
    MobileOTP,OathOtp
    Default value
    1
    Auto Time Shift (autoTimeShift)
    Description
    This property enables automatic clock synchronization, which is handy for slowly diverging clocks. If enabled, the time slot whose OTP the user provided correctly is recorded as the user's current time slot, and subsequent verifications are centered on it. (This may differ from the server's current time slot, because the window size is usually > 0.)
    Attributes
    Boolean
    Optional
    License-Tags
    MobileOTP,OathOtp
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.tokenverifier.oathotp.TotpChallengeHandler
    id: TotpChallengeHandler-xxxxxx
    displayName: 
    comment: 
    properties:
      autoTimeShift: true
      windowsSize: 1
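
    The verification described by Windows Size and Auto Time Shift above, as an added example in Python. This is not Airlock IAM code; it implements RFC 4226 HOTP and RFC 6238 TOTP (the published form of the draft the page cites) with a symmetric slot window and a per-user slot offset that is updated on every successful login. The replay guard (last_accepted_slot), the per-user offset storage and the drift scenario are assumptions for illustration and are not described on the page.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

TIME_STEP = 30  # seconds per time slot, as stated for Windows Size


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def time_slot(unix_time: int) -> int:
    """RFC 6238 TOTP is HOTP with the counter set to the current 30 s slot."""
    return unix_time // TIME_STEP


def verify_totp(secret: bytes, otp: str, now: int, window_size: int = 1,
                stored_shift: int = 0, auto_time_shift: bool = True,
                last_accepted_slot: Optional[int] = None) -> Tuple[bool, int, Optional[int]]:
    """
    Returns (accepted, new_shift, accepted_slot).

    stored_shift is the per-user offset in time slots learnt from earlier logins (0 if none);
    with auto_time_shift=True it is moved to the slot that matched, as Auto Time Shift describes.
    last_accepted_slot is an assumed replay guard (not on the page): an OTP for a slot that was
    already accepted is never accepted again, even if it is still inside the window.
    """
    base = time_slot(now) + stored_shift
    for delta in range(-window_size, window_size + 1):   # symmetric window around base
        slot = base + delta
        if last_accepted_slot is not None and slot <= last_accepted_slot:
            continue
        if hmac.compare_digest(hotp(secret, slot), otp):
            new_shift = stored_shift + delta if auto_time_shift else stored_shift
            return True, new_shift, slot
    return False, stored_shift, None


def drift_demo(secret: bytes, window_size: int = 1, logins: int = 3) -> dict:
    """
    Constructed scenario: a token clock that falls one more slot behind at each login.
    Returns the verdict list with and without Auto Time Shift for the same window size.
    """
    verdicts = {}
    for auto in (True, False):
        shift, results, now = 0, [], 1_700_000_000
        for k in range(1, logins + 1):
            now += 600                                  # ten minutes between logins
            client_otp = hotp(secret, time_slot(now) - k)   # client is k slots behind
            ok, shift, _ = verify_totp(secret, client_otp, now, window_size, shift, auto)
            results.append(ok)
        verdicts[auto] = results
    return verdicts


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # the RFC 4226 / RFC 6238 test secret
    print(drift_demo(demo_secret))          # with auto shift every login passes, without it only the first
```

    With window size 1 the server accepts three OTP values at any moment; the drift scenario shows why Auto Time Shift lets a slowly drifting token keep working without widening that window.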
    

    OATH OTP Token Controller

    Description
    Manages OATH OTP tokens (software OTP generators on mobile devices) according to the OATH standards, which are based on HMAC.

    Time-based OTP ("TOTP" according to the draft standard http://www.ietf.org/id/draft-mraihi-totp-timebased-06.txt, later published as RFC 6238) and counter-based OTP ("HOTP" according to RFC 4226) are supported.
    There are a number of freely available clients ("apps") for various mobile phone operating systems. The plugin has been tested with the "Google Authenticator" app.

    Class
    com.airlock.iam.admin.application.configuration.oathotp.OathOtpTokenController
    May be used by
    License-Tags
    MobileOTP,OathOtp
    Properties
    OATH OTP Settings (oathOtpSettings)
    Description
    The OATH OTP settings.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    OathOtp
    Assignable plugins
    Auto Order Activation Letter (autoOrderCredential)
    Description
    Set this flag to true to automatically order an activation letter once this token is added to a user.
    Attributes
    Boolean
    Optional
    Default value
    false
    Auto Order For New Users (autoOrderForNewUsers)
    Description
    Set this flag to true to automatically order the credential if the user is created.
    Attributes
    Boolean
    Optional
    Default value
    false
    Identifier (identifier)
    Description
    Identifier for the credential. This is used as value in the authentication method field in the persistence layer. Make sure this value is the same (for the same credential) in all Airlock IAM components.

    Make sure the identifier is unique among all configured token controllers.

    The identifier is also used as key to translate the display name of this token controller. The key is assembled as follows: edituserpage.cred.XYZ.title (where XYZ is the identifier).

    Attributes
    String
    Optional
    License-Tags
    OathOtp
    Default value
    OATH_OTP
    Suggested values
    OATH_OTP
    Delete Properties With Credential (deletePropertiesWithCredential)
    Description
    Defines a list of context data properties that are considered to be part of the credential data. The specified context data properties are deleted (set to "null") when the credential is deleted (in addition to the credential data field, the serial number, the letter attribute and the order flag).
    Make sure, the underlying persister plugin is configured to persist the specified context data properties.
    Attributes
    String-List
    Optional
    License-Tags
    OathOtp
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.oathotp.OathOtpTokenController
    id: OathOtpTokenController-xxxxxx
    displayName: 
    comment: 
    properties:
      autoOrderCredential: false
      autoOrderForNewUsers: false
      deletePropertiesWithCredential:
      identifier: OATH_OTP
      oathOtpSettings:
    

    OATH OTP Token Verifier

    Description

    This is an OATH OTP token verifier implementation. It can be used to verify counter-based HOTP one-time passwords (event-triggered, incrementing counter) or time-based TOTP one-time passwords. Both are compatible with standard authenticator apps, e.g. Google Authenticator.

    References:
    HOTP RFC 4226 http://www.ietf.org/rfc/rfc4226.txt
    TOTP http://www.ietf.org/id/draft-mraihi-totp-timebased-06.txt (later published as RFC 6238)

    Class
    com.airlock.iam.core.misc.impl.tokenverifier.oathotp.OathOtpTokenVerifier
    May be used by
    License-Tags
    MobileOTP,OathOtp
    Properties
    Oath Otp Settings (oathOtpSettings)
    Description
    The OATH OTP settings.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.tokenverifier.oathotp.OathOtpTokenVerifier
    id: OathOtpTokenVerifier-xxxxxx
    displayName: 
    comment: 
    properties:
      oathOtpSettings:
    

    OATH Token Insertion Handler

    Description

    Persists an OATH token that was created through a previous step.

    Class
    com.airlock.iam.userselfreg.application.configuration.step.OathOtpInsertionHandlerConfig
    May be used by
    License-Tags
    OathOtp,SelfRegistration
    Properties
    OATH OTP settings (oathOtpSettings)
    Description
    The OATH OTP settings.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.step.OathOtpInsertionHandlerConfig
    id: OathOtpInsertionHandlerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      oathOtpSettings:
    

    OAuth 2.0 Access Token Authenticator

    Description

    Authenticator that validates an OAuth 2.0 Access Token against the local persistence layer.

    Note: When using certificate-bound access tokens with this Authenticator a "Certificate Token Credential Extractor" must be used as credential extractor to successfully authenticate the access token.

    Class
    com.airlock.iam.login.app.application.configuration.oauth.OAuth2AccessTokenAuthenticatorConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    OAuth 2.0 Authorization Server Reference (authorizationServerReference)
    Description
    The unique identifier of the Authorization Server.
    This must reference an Authorization Server in the top-level OAuth 2.0 Settings of the Loginapp.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Add Roles From Persistence (addRolesFromPersistence)
    Description
    Controls whether the user's roles from the persistency layer are added to the authenticated user.
    Attributes
    Boolean
    Optional
    Default value
    true
    Add Scopes As Roles (addScopesAsRoles)
    Description
    Controls whether the Access Token's scopes are added as roles to the authenticated user.
    Attributes
    Boolean
    Optional
    Default value
    true
    Add Context Data From Persistence (addContextDataFromPersistence)
    Description
    Controls whether the context data from the persistence layer is added to the authenticated user.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.application.configuration.oauth.OAuth2AccessTokenAuthenticatorConfig
    id: OAuth2AccessTokenAuthenticatorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      addContextDataFromPersistence: true
      addRolesFromPersistence: true
      addScopesAsRoles: true
      authorizationServerReference:
    

    OAuth 2.0 Access Token Ticket Decoder

    Description
    Decodes an OAuth 2.0 Access Token to a ticket containing the username and roles. This plugin can only be used within the Loginapp.
    Class
    com.airlock.iam.login.app.application.configuration.oauth.OAuth2AccessTokenDecoderConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    OAuth 2.0 Authorization Server Reference (authorizationServerReference)
    Description
    The unique identifier of the Authorization Server.
    This must reference an Authorization Server in the top-level OAuth 2.0 Settings of the Loginapp.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Add Scopes As Roles (addScopesAsRoles)
    Description

    Controls whether the Access Token's scopes are added as roles to the authenticated user.

    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.application.configuration.oauth.OAuth2AccessTokenDecoderConfig
    id: OAuth2AccessTokenDecoderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      addScopesAsRoles: true
      authorizationServerReference:
    

    OAuth 2.0 Authorization Code Grant

    Description

    Configures an OAuth 2.0 Authorization Code Grant.

    The Authorization Code Grant uses the following endpoints:

    1. /<loginapp-uri>/oauth2/v3/<as-identifier>/authorize - The Authorize Endpoint
    2. /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/token - The Token Endpoint
    Class
    com.airlock.iam.login.app.misc.configuration.oauth.as.oauth2.OAuth2AuthorizationCodeGrantConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Authorization Code Validity [s] (authorizationCodeExpiresIn)
    Description

    Time in seconds for which an Authorization Code is valid. Set to 0 for infinite validity.

    Security Warning: Infinite Authorization Code validity is not recommended. If long lasting access is required and acceptable from a security perspective, consider increasing the Refresh Token validity instead.

    Attributes
    Integer
    Optional
    Default value
    90
    PKCE Code Challenge Method (pkceCodeChallengeMethod)
    Description

    Proof Key for Code Exchange by OAuth 2.0 Public Clients (RFC 7636)

    It is strongly recommended to use PKCE in setups involving native mobile apps (see the RFC 8252).

    PKCE is always performed if the client starts it; this property additionally defines the minimum challenge method (hash) that is acceptable and therefore allows enforcing the use of PKCE.

    If PKCE is required, "plain" should only be used if a legacy client doesn't support S256.

    The value configured here applies to all clients, however, it's possible to override it in the configuration of each static client.

    Background on PKCE:
    OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the Authorization Code interception attack. PKCE helps to mitigate this risk through the use of Proof Key for Code Exchange (pronounced "pixy").

    This extension utilizes a dynamically created cryptographic random key called "code verifier". A unique code verifier is created for every authorization request, and its transformed value, called "code challenge", is sent to the authorization server to obtain the Authorization Code. The Authorization Code obtained is later sent to the token endpoint with the "code verifier", which allows the server to verify the possession of the "code verifier" before issuing an Access Token.

    Attributes
    Enum
    Optional
    Default value
    PKCE_NOT_ENFORCED
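    The code flow with PKCE as the property above describes it, as an added example in Python. This is not Airlock IAM code: the client side computes the verifier and challenge per RFC 7636, the server side stores the challenge with the single-use authorization code, enforces a configurable minimum challenge method and validates the verifier at the token endpoint. Only the enum value PKCE_NOT_ENFORCED is taken from the page; the names PLAIN and S256 for the enforcing levels, the in-memory code store and the error strings are assumptions. The authorization code validity of 90 s and the access token validity of 180 s mirror the defaults listed on this page.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Callable, Optional


class OAuthError(Exception):
    """Carries the OAuth 2.0 error code the endpoint would return, e.g. 'invalid_grant: ...'."""


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# ---- client side (RFC 7636 sections 4.1 and 4.2) ----
def new_code_verifier() -> str:
    # 32 random bytes give 43 unpadded base64url characters, the RFC 7636 minimum length
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str, method: str) -> str:
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise OAuthError("invalid_request: unsupported code_challenge_method")


# ---- server side ----
# Assumed names for the enforcing levels; PKCE_NOT_ENFORCED is the page's default value.
MINIMUM_METHOD_RANK = {"PKCE_NOT_ENFORCED": 0, "PLAIN": 1, "S256": 2}
CHALLENGE_METHOD_RANK = {"plain": 1, "S256": 2}


class AuthorizationCodeGrant:
    def __init__(self, pkce_code_challenge_method: str = "PKCE_NOT_ENFORCED",
                 authorization_code_expires_in: int = 90):
        self.min_rank = MINIMUM_METHOD_RANK[pkce_code_challenge_method]
        self.code_ttl = authorization_code_expires_in      # 0 would mean infinite validity
        self._codes: dict = {}                             # stands in for the token persister

    def authorize(self, client_id: str, redirect_uri: str, now: int,
                  challenge: Optional[str] = None, method: Optional[str] = None) -> str:
        if challenge is None:
            if self.min_rank > 0:
                raise OAuthError("invalid_request: PKCE is required by this server")
        else:
            method = method or "plain"                     # RFC 7636 default when omitted
            if method not in CHALLENGE_METHOD_RANK:
                raise OAuthError("invalid_request: unsupported code_challenge_method")
            if CHALLENGE_METHOD_RANK[method] < self.min_rank:
                raise OAuthError("invalid_request: code_challenge_method below the enforced minimum")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "issued_at": now, "challenge": challenge, "method": method}
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, now: int,
              code_verifier: Optional[str] = None) -> dict:
        record = self._codes.pop(code, None)              # a code is consumed on first use
        if record is None:
            raise OAuthError("invalid_grant: unknown or already used authorization code")
        if self.code_ttl and now >= record["issued_at"] + self.code_ttl:
            raise OAuthError("invalid_grant: authorization code expired")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise OAuthError("invalid_grant: client_id or redirect_uri mismatch")
        if record["challenge"] is not None:
            # an intercepted code is useless without the verifier that only the client holds
            if code_verifier is None or not 43 <= len(code_verifier) <= 128:
                raise OAuthError("invalid_grant: code_verifier missing or malformed")
            expected = code_challenge(code_verifier, record["method"]).encode("ascii")
            if not hmac.compare_digest(expected, record["challenge"].encode("ascii")):
                raise OAuthError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 180}


def oauth_error(call: Callable, *args, **kwargs) -> Optional[str]:
    """Run an endpoint call and return its OAuth error code instead of raising (None on success)."""
    try:
        call(*args, **kwargs)
        return None
    except OAuthError as exc:
        return str(exc).split(":")[0]


if __name__ == "__main__":
    server = AuthorizationCodeGrant("S256")
    verifier = new_code_verifier()
    code = server.authorize("app", "https://app.example/cb", 1000, code_challenge(verifier, "S256"), "S256")
    print(server.token(code, "app", "https://app.example/cb", 1010, verifier)["token_type"])
```

    The comparison of the derived challenge against the stored one is constant-time, and the code is removed from the store before any check runs, so a failed exchange also burns the code.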
    Pushed Authorization Requests (pushedAuthorizationRequests)
    Description

    Configures the Pushed Authorization Requests (PAR) endpoint.

    If configured, IAM will provide an endpoint that allows starting an authentication flow with PAR.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Invalidate Old Access Tokens On Refresh (invalidateOldAccessTokensOnRefresh)
    Description
    Indicates whether Access Tokens issued together with a Refresh Token should be invalidated when said Refresh Token is used.
    Attributes
    Boolean
    Optional
    Default value
    false
    Access Token Validity [s] (accessTokenExpiresIn)
    Description

    Time in [s] for which an Access Token is valid. Set to 0 for infinite validity.

    Security Warning: Infinite Access Token validity is not recommended. If long lasting access is required and acceptable from a security perspective, consider increasing the Refresh Token validity instead.

    Attributes
    Integer
    Optional
    Default value
    180
    Single Use Access Tokens (singleUseAccessTokens)
    Description

    Indicates whether an Access Token is valid only for a single request.

    When enabled, an Access Token may only be used once, for example in a resource request, in a one-shot authentication, or as a bearer token in a REST call.

    Attributes
    Boolean
    Optional
    Default value
    false
    Access Token Format (accessTokenFormat)
    Description

    Defines the format and structure of the issued OAuth 2.0 Access Tokens.

    Tokens will be persisted in the token persister regardless of their format and therefore can be revoked at any time. Changing the format will not result in an invalidation of existing tokens.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Generate Refresh Token (generateRefreshToken)
    Description
    Indicates whether Refresh Tokens are generated.
    Attributes
    Boolean
    Optional
    Default value
    true
    Refresh Token Validity [s] (refreshTokenExpiresIn)
    Description

    Time in seconds for which a Refresh Token is valid. Set to 0 for infinite validity.

    Security Warning: Only consider infinite Refresh Token validity if this is acceptable from a security perspective.

    Attributes
    Integer
    Optional
    Default value
    900
    Single Use Refresh Tokens (singleUseRefreshTokens)
    Description

    Indicates whether Refresh Tokens are only valid for a single refresh request.

    When enabled, all other Refresh Tokens of the current OAuth 2.0 session will be invalidated on successful refresh. This ensures that the Refresh Token issued during the current refresh is the only valid Refresh Token for this OAuth 2.0 session.

    Attributes
    Boolean
    Optional
    Default value
    true
    Grace Period [s] (gracePeriod)
    Description

    The time in seconds during which a single use Refresh Token can still be used after completing a successful refresh. Only relevant if 'Single Use Refresh Tokens' is enabled. If a Refresh Token is used to obtain several new token pairs, only the most recent new token pair is valid.

    Warning: This option has security impact!

    Configuring a grace period weakens the single use property of Refresh Tokens. If a grace period is not strictly necessary, it is not recommended to use this option.

    This option may be used if the client can be unreachable so that the refresh response never reaches the client (e.g. mobile apps losing connection). Normally, the Refresh Token is invalidated in this case, leaving the client without valid tokens.

    By configuring a grace period, such a client is able to reuse an already used Refresh Token within the configured time (called grace period) as long as the previously issued new tokens have not been used.

    Attributes
    Integer
    Optional
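    The refresh behaviour described by Single Use Refresh Tokens, Grace Period, Invalidate Old Access Tokens On Refresh and Refresh Token Validity above, as an added example in Python. This is not Airlock IAM code; it is a model of one OAuth 2.0 session in which a redeemed refresh token invalidates all other refresh tokens of the session, a lost response can be recovered inside the grace period only while the previously issued token pair is still unused, and a retry replaces that pair so that only the most recent one stays valid. The session data structure, the counting of the grace period from the first redemption and the error strings are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


class RefreshError(Exception):
    """Raised where the token endpoint would answer with error=invalid_grant."""


@dataclass
class TokenPair:
    access_token: str
    refresh_token: str
    issued_at: int


@dataclass
class OAuthSession:
    pairs: Dict[str, TokenPair] = field(default_factory=dict)      # refresh token -> its pair
    valid_refresh: Set[str] = field(default_factory=set)
    valid_access: Set[str] = field(default_factory=set)
    used_access: Set[str] = field(default_factory=set)
    # refresh token already redeemed -> (time of first redemption, refresh token it produced)
    used_refresh: Dict[str, Tuple[int, str]] = field(default_factory=dict)


class RefreshTokenHandler:
    def __init__(self, single_use_refresh_tokens: bool = True, grace_period: int = 0,
                 invalidate_old_access_tokens_on_refresh: bool = False,
                 refresh_token_expires_in: int = 900):
        self.single_use = single_use_refresh_tokens
        self.grace_period = grace_period
        self.invalidate_old_access = invalidate_old_access_tokens_on_refresh
        self.refresh_ttl = refresh_token_expires_in          # 0 would mean infinite validity

    def _issue(self, s: OAuthSession, now: int) -> TokenPair:
        pair = TokenPair(secrets.token_urlsafe(32), secrets.token_urlsafe(32), now)
        s.pairs[pair.refresh_token] = pair
        s.valid_refresh.add(pair.refresh_token)
        s.valid_access.add(pair.access_token)
        return pair

    def _revoke_pair(self, s: OAuthSession, refresh_token: str) -> None:
        s.valid_refresh.discard(refresh_token)
        s.valid_access.discard(s.pairs[refresh_token].access_token)

    def start_session(self, now: int) -> Tuple[OAuthSession, TokenPair]:
        s = OAuthSession()
        return s, self._issue(s, now)

    def use_access_token(self, s: OAuthSession, access_token: str) -> bool:
        """A resource request; a used access token ends the grace period of its parent refresh token."""
        if access_token not in s.valid_access:
            return False
        s.used_access.add(access_token)
        return True

    def refresh(self, s: OAuthSession, refresh_token: str, now: int) -> TokenPair:
        if refresh_token in s.valid_refresh:
            old = s.pairs[refresh_token]
            if self.refresh_ttl and now >= old.issued_at + self.refresh_ttl:
                self._revoke_pair(s, refresh_token)
                raise RefreshError("invalid_grant: refresh token expired")
            new = self._issue(s, now)
            if self.invalidate_old_access:
                s.valid_access.discard(old.access_token)
            if self.single_use:
                for other in list(s.valid_refresh):      # every other refresh token of the session dies
                    if other != new.refresh_token:
                        s.valid_refresh.discard(other)
                s.used_refresh[refresh_token] = (now, new.refresh_token)
            return new

        if self.single_use and self.grace_period > 0 and refresh_token in s.used_refresh:
            first_used_at, child = s.used_refresh[refresh_token]
            child_untouched = (child not in s.used_refresh
                               and s.pairs[child].access_token not in s.used_access)
            if now - first_used_at <= self.grace_period and child_untouched:
                # the earlier response never reached the client: swap the unused pair for a new one
                self._revoke_pair(s, child)
                new = self._issue(s, now)
                s.used_refresh[refresh_token] = (first_used_at, new.refresh_token)
                return new

        raise RefreshError("invalid_grant: refresh token is not valid")


def refresh_error(handler: RefreshTokenHandler, s: OAuthSession,
                  refresh_token: str, now: int) -> Optional[str]:
    """Run a refresh and return the error string instead of raising (None on success)."""
    try:
        handler.refresh(s, refresh_token, now)
        return None
    except RefreshError as exc:
        return str(exc)
```

    Without a grace period a retried refresh token is simply rejected, which is the safer default; the grace path only helps a client whose previous response was lost, because any use of the newer pair closes it.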
    Flow Application ID (flowApplicationId)
    Description
    Specifies the application ID of the authentication flow to start for every authorization request to this authorization server.
    When left empty, the default authentication flow is started. The Application ID configured here for all clients can be overridden for individual clients in the corresponding client configuration (static clients only).
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Scope Filtering (scopeFiltering)
    Description
    Configures the scope filtering applied by the configured "OAuth 2.0 Consent Step" before presenting them to the user to be granted/denied on the consent page.
    This filtering takes place after processing the requested scopes (using "Scope Policy" and any allowed scopes of the client).
    When not configured explicitly, all requested scopes must be covered by a persistent user role or an acquired flow tag.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Consent (consent)
    Description

    If configured, enables displaying a consent page to the user to accept or refuse certain requested scopes.

    For "Local Consents", a page is displayed by IAM and only scopes matching the user's roles are offered.

    For "Remote Consents", the user is redirected to the configured remote consent URL to confirm OAuth 2.0 scopes at a third party.

    If nothing is configured, all requested scopes allowed by Scope Filtering are automatically granted and no page is displayed.

    If "Local Consent" is configured, all requested scopes allowed by Scope Filtering are allowed to be granted by the "Consent Step".

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Scope Translator (scopeTranslator)
    Description

    Translator to convert (technical) scopes to human readable strings.

    This allows for multi-language, user friendly explanations of the different access rights.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Require Redirect URI (requireRedirectURI)
    Description

    Indicates whether the redirect_uri parameter is mandatory in OAuth 2.0 requests from the client.

    Caution: When the redirect_uri is not mandatory, only clients having exactly one registered redirect_uri will be able to log in; otherwise the correct value cannot be determined.

    Attributes
    Boolean
    Optional
    Default value
    true
    Scope Policy (scopePolicy)
    Description

    The scope policy defines how the requested scopes are validated and processed (before they are used for scope consent or scope filtering).

    Depending on the selected policy, the following rules apply:

    • Scopes Mandatory: It is mandatory for the client to request at least one scope, otherwise the request is denied.
      • For static clients for which 'Filter Requested Scopes' is enabled: the requested scopes are filtered against the client's allowed scopes and if the client has no allowed scopes, this is treated as if the client has not requested any scopes at all.
      • For static clients for which 'Filter Requested Scopes' is disabled: the requested scopes are not filtered (i.e. all scopes are allowed to be requested).
      • For persisted clients, the allowed scopes to request are stored per client and it can be configured there what the effect of an empty list of allowed scopes is.
    • Empty Scopes Allowed: It is optional for the client to request scopes.
      If scopes are requested:
      • For static clients for which 'Filter Requested Scopes' is enabled: the requested scopes are filtered against the client's allowed scopes and if the client has no allowed scopes, this is treated as if the client has not requested any scopes at all.
      • For static clients for which 'Filter Requested Scopes' is disabled: the requested scopes are not filtered (i.e. all scopes are allowed to be requested).
      • For persisted clients, the allowed scopes to request are stored per client and it can be configured there what the effect of an empty list of allowed scopes is.
    • Always Overwrite Scopes: The scopes requested by the client are ignored and replaced by the default scopes of the client. If the client has no default scopes, this is treated as if the client has not requested any scopes at all.
      With this policy, the 'Filter Requested Scopes' flag of static clients is ignored.
    • Empty Scopes Overwritten: When the client does not request any scopes, the request is treated as if the default scopes of this client were requested.
      If scopes are requested:
      • For static clients for which 'Filter Requested Scopes' is enabled: the requested scopes are filtered against the client's allowed scopes and if the client has no allowed scopes, this is treated as if the client has not requested any scopes at all.
      • For static clients for which 'Filter Requested Scopes' is disabled: the requested scopes are not filtered (i.e. all scopes are allowed to be requested).
      • For persisted clients, the allowed scopes to request are stored per client and it can be configured there what the effect of an empty list of allowed scopes is.
    Attributes
    Enum
    Optional
    Default value
    SCOPES_MANDATORY
    Allow Issuing Tokens With No Scope (allowEmptyScope)
    Description

    Indicates if Access / Refresh Tokens and Authorization Codes with no scopes may be issued.

    If set to false, no tokens are issued when there are no scopes; instead the authorization server returns an 'access denied' response.

    Notice: 'No scopes' can be caused by the client not requesting any scopes, the configured scope policy (especially in combination with 'Filter Requested Scopes' enabled and empty 'Allowed/Default Scopes'), the scope processors or when the user just denies all scopes.

    Attributes
    Boolean
    Optional
    Default value
    false
    Always Granted Scopes (alwaysGrantedScopes)
    Description
    A list of technical scopes that the user doesn't have to grant explicitly. Each scope listed here will always be granted by IAM implicitly. These scopes apply to all clients. Each statically configured client can also extend this list individually. Always Granted Scopes are never persisted, even if a Consent Storage Repository is configured.
    Attributes
    String-List
    Optional
    Granted Scope Processors (grantedScopeProcessors)
    Description

    Allows to further restrict the granted scopes before issuing the tokens.

    The processors will be applied in the configured order and only scopes allowed by all processors may be granted.

    If not configured, all granted scopes are assigned to all tokens.

    Notice: the scope processors are applied after the configured Scope Policy and thus have no influence on whether the requested scopes are allowed.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oauth.as.oauth2.OAuth2AuthorizationCodeGrantConfig
    id: OAuth2AuthorizationCodeGrantConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accessTokenExpiresIn: 180
      accessTokenFormat:
      allowEmptyScope: false
      alwaysGrantedScopes:
      authorizationCodeExpiresIn: 90
      consent:
      flowApplicationId:
      generateRefreshToken: true
      gracePeriod:
      grantedScopeProcessors:
      invalidateOldAccessTokensOnRefresh: false
      pkceCodeChallengeMethod: PKCE_NOT_ENFORCED
      pushedAuthorizationRequests:
      refreshTokenExpiresIn: 900
      requireRedirectURI: true
      scopeFiltering:
      scopePolicy: SCOPES_MANDATORY
      scopeTranslator:
      singleUseAccessTokens: false
      singleUseRefreshTokens: true
    

    OAuth 2.0 Authorization Code Grant In Progress

    Description
    Flow condition which evaluates to true if the current flow has been started using OAuth 2.0 / OpenID Connect Authorization Code Grant.
    Class
    com.airlock.iam.oauth2.application.configuration.OAuth2CodeGrantInProgressConditionConfig
    May be used by
    mTAN Transaction Approval Step mTAN Transaction Approval Step Default Enable Cronto Push Flow Default Enable Cronto Push Flow Secret Questions Identity Verification Step Secret Questions Identity Verification Step Default mTAN Deletion Flow Legacy mTAN Registration Flow Legacy mTAN Registration Flow Set Authentication Method Migration Step Set Authentication Method Migration Step Advanced Migration Selection Option Airlock 2FA Authentication Step Airlock 2FA Authentication Step Complete Migration Step Complete Migration Step Failure Step Failure Step Airlock 2FA Recovery Trusted Session Binding Step Airlock 2FA Recovery Trusted Session Binding Step Email Identity Verification Step Email Identity Verification Step Scriptable Step Scriptable Step Custom Protected Self-Service Flow Custom Protected Self-Service Flow Airlock 2FA Self-Service Approval Step Airlock 2FA Self-Service Approval Step Logical NOT Set Authentication Method Step Set Authentication Method Step OTP Check via RADIUS Step OTP Check via RADIUS Step OAuth 2.0 SSO Step OAuth 2.0 SSO Step Cronto Device Selection Step Cronto Device Selection Step Default Disable FIDO Credential Flow Default Disable FIDO Credential Flow FIDO Public Self-Service Approval Step FIDO Public Self-Service Approval Step Cronto Transaction Approval Step Cronto Transaction Approval Step Email OTP Transaction Approval Step Email OTP Transaction Approval Step Send Email Link Step Send Email Link Step Vasco OTP Public Self-Service Approval Step Vasco OTP Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step mTAN Authentication Step mTAN Authentication Step Risk Assessment Step Risk Assessment Step Cronto Authentication Step Cronto Authentication Step User Data Edit Step User Data Edit Step Logical OR Account Link Linking Initiation Step Account Link Linking Initiation Step Account Link Removal Initiation Step Account Link Removal Initiation Step Missing 
Account Link Step CrontoSign Swiss Push Activation Step CrontoSign Swiss Push Activation Step Flow Continuation Token Consumption Step Flow Continuation Token Consumption Step Email Verification Step Email Verification Step SSI Passwordless Authentication Step SSI Passwordless Authentication Step Logical AND Red Flag Raising Step Config Red Flag Raising Step Config Red Flag Raising Step Config Airlock 2FA Transaction Approval Step Airlock 2FA Transaction Approval Step FIDO Credential Selection Step FIDO Credential Selection Step On Behalf Login Identity Propagation Config mTAN Number List mTAN Number List Default OAuth 2.0 Consents Delete Flow Default OAuth 2.0 Consents Delete Flow Selection Step for Public Self-Service Selection Step for Public Self-Service OATH OTP Activation Step OATH OTP Activation Step Default mTAN Token Registration Flow SSO Ticket Authentication Step SSO Ticket Authentication Step Enable Cronto Push Initiation Step Enable Cronto Push Initiation Step Default Account Link Removal Flow Default Account Link Removal Flow Default Account Link Linking Flow Default Account Link Linking Flow Condition-based Role Provider Migration Selection Step Migration Selection Step Migration Selection Step SSI Issuance Step SSI Issuance Step Legacy ID Propagation Adapter OIDC Flow Condition To ACR Value Mapping Phone Number Verification Step Phone Number Verification Step mTAN Public Self-Service Approval Step mTAN Public Self-Service Approval Step User Data Registration Step Config User Data Registration Step Config Cronto Approval Stealth Step Cronto Approval Stealth Step Disable FIDO Credential Initiation Step Disable FIDO Credential Initiation Step OAuth 2.0 Client Persisting Step OAuth 2.0 Client Persisting Step Selection Option For User Self-Registration Delete FIDO Credential Initiation Step Delete FIDO Credential Initiation Step Login From New Device Step Login From New Device Step Account Linking Lists Self Services Account Linking Lists Self Services 
OAuth 2.0 Consent Step Password-only Authentication Step Password-only Authentication Step SMS Identity Verification Step SMS Identity Verification Step Cronto Public Self-Service Approval Step Cronto Public Self-Service Approval Step Set Context Data Step Set Context Data Step Matrix Public Self-Service Approval Step Matrix Public Self-Service Approval Step Remember-Me Token Generating Step Remember-Me Token Generating Step Device Token List Device Token List Selection Option For Self-Service Flow Condition-based OAuth 2.0 Scope Condition Delete Cronto Device Initiation Step Delete Cronto Device Initiation Step Kerberos Authentication Step Kerberos Authentication Step Vasco OTP Authentication Step Vasco OTP Authentication Step Device Token Registration Step Device Token Registration Step Flow Continuation Step Flow Continuation Step Remember-Me User Identifying Step Remember-Me User Identifying Step Airlock 2FA Device List Airlock 2FA Device List Password Reset Step Password Reset Step Enable FIDO Credential Initiation Step Enable FIDO Credential Initiation Step Device Token Authentication Step Device Token Authentication Step Matrix Self-Service Approval Step Matrix Self-Service Approval Step User Identification By Data Step (Public Self-Service) User Identification By Data Step (Public Self-Service) Cronto Activation Step Cronto Activation Step Email OTP Authentication Step Email OTP Authentication Step Email Change Verification Step Email Change Verification Step Email Notification Step Email Notification Step FIDO Self-Service Approval Step FIDO Self-Service Approval Step OAuth 2.0 Client Registration Step OAuth 2.0 Client Registration Step Airlock 2FA Activation Step Airlock 2FA Activation Step Airlock 2FA Device Edit Initiation Step Airlock 2FA Device Edit Initiation Step Select mTAN Token Step Select mTAN Token Step Secret Questions Provisioning Step Secret Questions Provisioning Step Airlock 2FA Device Edit Step Airlock 2FA Device Edit Step Apply Changes 
    Apply Changes Step
    User Persisting Step Config
    Start User Representation Step
    Default OAuth 2.0 Session Deletion Flow
    Default Cronto Device Removal Flow
    Mandatory Password Change Step Config
    Target URI ID Propagator
    Disable Cronto Device Initiation Step
    OAuth 2.0 Consent Grant Initiation Step
    Airlock 2FA Activation Trusted Session Binding Step
    User Unlock Step (Self-Registration)
    Default mTAN Token Edit Flow
    Cronto Device List
    FIDO Registration Step
    Delete Remember-Me Device Initiation Step
    Transaction Approval Parameter Step
    Default FIDO Credential Display Name Change Flow
    User Identification Step
    User Identification By Data Step
    Representation SSO Ticket Identifying Step
    Unlock User Step (Public Self-Service)
    Airlock 2FA Usernameless Authentication Step
    Matrix Authentication Step
    mTAN Token Edit Step
    Enable Cronto Device Initiation Step
    Airlock 2FA Activation Letter Order Step
    OAuth 2.0 Consent Deny Initiation Step
    Tag Removal Step Config
    FIDO Authentication Step
    Cronto Device Reset Step Config
    Default Disable Cronto Push Flow
    Abort Step
    mTAN Token Registration Step
    Airlock 2FA Device Delete Initiation Step
    Selection Option For Public Self-Service
    Username Password Authentication Step
    Certificate Credential Extraction Step Config
    OAuth 2.0 Session List
    Set Password Step Config
    Flow Condition To Authentication Context Mapping
    Password Change Self-Service Step
    SSI Verification Step
    Default OAuth 2.0 Consent Deny Flow
    Device Token Identity Verification Step Config
    Cronto Self-Service Approval Step
    FIDO Credential List
    Lock Self-Service Step
    Password Letter Order Step (Public Self-Service)
    Default Enable Cronto Device Flow
    Airlock 2FA Delete Devices Step
    Vasco OTP Self-Service Approval Step
    Selection Step for User Self-Registration
    Vasco OTP Device Activation
    User Role Assignment Step Config
    Default Enable FIDO Credential Flow
    mTAN Self-Service Approval Step
    Selection Option
    Rename Cronto Device Step
    OATH OTP Authentication Step
    User Identification Step (Public Self-Service)
    Default Cronto Device Renaming Flow
    Delete mTAN Number Initiation Step
    SSI Authentication Step
    Default Disable Cronto Device Flow
    Password Repository Mapping
    Default Remember-Me Device Deletion Flow
    mTAN Verification Step
    Conditional Value Map Provider
    FIDO Credential Display Name Change Step
    Application Portal Target Config
    Legacy Email OTP Authentication Step
    Never Migrate Step
    Selection Step for Self-Service
    Cronto Letter Order Step Config
    No Operation Step
    Terms Of Services Step
    Role-based Tag Acquisition Step
    FIDO Passwordless Authentication Step
    Disable Cronto Push Initiation Step
    Stop User Representation Step
    Acknowledge Message Step
    HTTP Basic Authentication Step
    Target Applications and Authentication
    Airlock 2FA Mobile Only Authentication Step
    Generic ID Propagator
    Voluntary Password Change Step
    Remember-Me Device List
    SAML 2.0 SP User Identifying Step
    OAuth 2.0 Consents Delete Initiation Step
    Airlock 2FA Activation Step (with additional Activation)
    OAuth 2.0 Consent List
    Default OAuth 2.0 Consent Grant Flow
    Username Generation Step Config
    Remember-Me Reset Step
    Default FIDO Credential Removal Flow
    Delete OAuth 2.0 Session Initiation Step
    OAuth 2.0 Session Reset Step
    Selection Step
    License-Tags
    OAuthServer
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OAuth2CodeGrantInProgressConditionConfig
    id: OAuth2CodeGrantInProgressConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OAuth 2.0 Authorization Server Identifier

    Description

    Unique identifier of an OAuth 2.0 / OpenID Connect Authorization Server.

    This identifier is used in all 'v3'-URLs of this AS.

    Class
    com.airlock.iam.common.application.configuration.oauth2.OAuth2ASIdentifierConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Identifier (identifier)
    Description

    The unique identifier of this AS. This identifier is used in the endpoint URLs.

    When changed, all persisted clients have to re-register because their association with this AS is stored in the database.

    Note that the issuer ID also contains this identifier.

    Attributes
    String
    Mandatory
    Length <= 50
    Length >= 1
    Validation RegEx: [a-zA-Z0-9-._]+
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.oauth2.OAuth2ASIdentifierConfig
    id: OAuth2ASIdentifierConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      identifier:
    

    OAuth 2.0 Basic Auth Client Secret

    Description
    Basic auth scheme for OAuth 2.0 requests.

    Note: The basic auth scheme in OAuth 2.0 requests must comply with the specification in RFC 6749.

    Class
    com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2BasicAuthClientSecretConfig
    May be used by
    License-Tags
    OAuthClient
    Properties
    Charset (charset)
    Description
    Defines the charset of the Basic Auth HTTP header. If you have trouble accepting special characters, try "ISO-8859-1" instead.
    Attributes
    String
    Optional
    Default value
    UTF-8
    Example
    UTF-8
    Example
    ISO-8859-1
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2BasicAuthClientSecretConfig
    id: OAuth2BasicAuthClientSecretConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      charset: UTF-8
    

    OAuth 2.0 Basic Auth Client Secret (AS)

    Description
    Basic auth scheme for OAuth 2.0 requests.

    Note: The basic auth scheme in OAuth 2.0 requests must comply with the specification in RFC 6749.

    Class
    com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2BasicAuthClientSecretMethodConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Charset (charset)
    Description
    Defines the charset of the Basic Auth HTTP header. If you have trouble accepting special characters, try "ISO-8859-1" instead.
    Attributes
    String
    Optional
    Default value
    UTF-8
    Example
    UTF-8
    Example
    ISO-8859-1
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2BasicAuthClientSecretMethodConfig
    id: OAuth2BasicAuthClientSecretMethodConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      charset: UTF-8
    

    OAuth 2.0 Bearer Access Token

    Description

    Configuration for an OAuth 2.0 Access Token in a Bearer Authorization header.

    Example of such an authorization header: Authorization: Bearer mF_9.B5f-4.1JqM.

    Class
    com.airlock.iam.oauth2.application.configuration.OAuth2BearerAccessTokenConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OAuth2BearerAccessTokenConfig
    id: OAuth2BearerAccessTokenConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OAuth 2.0 Clean-up Task

    Description

    Task to clean up expired OAuth 2.0 / OpenID Connect tokens and sessions.

    In order to minimize database locks, the task doesn't delete all expired tokens in one transaction but deletes the tokens in configurable batches.

    It is recommended to schedule this task with a daily interval during a time with little traffic. Depending on the total number of tokens and the number of deletable OAuth 2.0 tokens, the task might take some time but a proper "Batch Size" will keep row locks at a minimum.

    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.oauth2.OAuth2CleanupTask
    May be used by
    License-Tags
    OAuthServer
    Properties
    SQL Data Source (sqlDataSource)
    Description
    Defines how connections to the database are obtained.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Batch Size (batchSize)
    Description

    During clean-up, tokens are deleted in batches of this size. This ensures that any row locks on the database are very short-lived, and do not affect parallel token modifications. This value should not be set too high to prevent very long running transactions.

    Token clean-up will repeatedly delete this number of tokens until all expired tokens have been removed. Therefore, this task can take some time when a lot of expired tokens are present.

    This size should be chosen such that every batch does not take longer than 5 seconds. The average runtime of the batches can be found in the task's logs.
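    The batching behaviour described above, as an added illustration with an in-memory SQLite database (not Airlock IAM code; the table layout with an `expiry` column and the function names are assumptions). Expired tokens and their assignments are removed in one short transaction per batch until nothing expired is left.

```python
"""Batched clean-up of expired tokens in the style of the OAuth 2.0 Clean-up Task.

Added example, not Airlock IAM code.  Assumed (constructed) schema:
  token(id, expiry)  and  token_assignment(token_id, subject).
"""
import sqlite3


def build_sample_db(n_expired: int, n_valid: int, now: int) -> sqlite3.Connection:
    """Create a constructed in-memory database with n_expired expired and
    n_valid still-valid tokens, each with one assignment row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE token (id INTEGER PRIMARY KEY, expiry INTEGER NOT NULL)")
    conn.execute("CREATE TABLE token_assignment (token_id INTEGER NOT NULL, subject TEXT NOT NULL)")
    rows = [(i, now - 60) for i in range(n_expired)]
    rows += [(n_expired + i, now + 3600) for i in range(n_valid)]
    conn.executemany("INSERT INTO token VALUES (?, ?)", rows)
    conn.executemany("INSERT INTO token_assignment VALUES (?, ?)",
                     [(token_id, f"user{token_id}") for token_id, _ in rows])
    conn.commit()
    return conn


def cleanup_expired(conn: sqlite3.Connection, now: int, batch_size: int = 1000,
                    token_table: str = "token", assignment_table: str = "token_assignment",
                    log_queries: bool = False) -> tuple[int, int]:
    """Delete expired tokens in batches of batch_size.

    Every batch is its own transaction, so row locks are held only briefly and
    concurrent token modifications are not blocked for the whole run.
    Returns (batches_run, tokens_deleted).
    """
    if batch_size < 1:
        raise ValueError("batch size must be positive")
    # Table names come from configuration, not from request data; SQL
    # identifiers cannot be bound as parameters, hence the f-string here.
    expired_ids = (f"SELECT id FROM {token_table} WHERE expiry < ? "
                   f"ORDER BY id LIMIT ?")
    delete_assignments = f"DELETE FROM {assignment_table} WHERE token_id IN ({expired_ids})"
    delete_tokens = f"DELETE FROM {token_table} WHERE id IN ({expired_ids})"
    batches = deleted = 0
    while True:
        with conn:  # commit (or roll back) once per batch
            if log_queries:
                # Mirrors the 'Log Queries' caveat: bound values are logged too.
                print(delete_assignments, (now, batch_size))
                print(delete_tokens, (now, batch_size))
            conn.execute(delete_assignments, (now, batch_size))
            removed = conn.execute(delete_tokens, (now, batch_size)).rowcount
        if removed == 0:
            break
        batches += 1
        deleted += removed
    return batches, deleted


def remaining(conn: sqlite3.Connection) -> tuple[int, int]:
    """Rows left in (token, token_assignment) after clean-up."""
    tokens = conn.execute("SELECT COUNT(*) FROM token").fetchone()[0]
    assignments = conn.execute("SELECT COUNT(*) FROM token_assignment").fetchone()[0]
    return tokens, assignments


if __name__ == "__main__":
    db = build_sample_db(n_expired=2500, n_valid=10, now=1_700_000_000)
    print(cleanup_expired(db, now=1_700_000_000, batch_size=1000))  # (3, 2500)
    print(remaining(db))                                            # (10, 10)
```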

    Attributes
    Integer
    Optional
    Default value
    1000
    Cleanup Pushed Authorization Requests (cleanupPushedAuthorizationRequests)
    Description

    If set to true, expired Pushed Authorization Requests will be removed during clean-up.

    Note that if this is set to true, the database must contain an oauth2_par_request table, otherwise an exception will be thrown during clean-up.

    Attributes
    Boolean
    Optional
    Default value
    true
    Cleanup Accepted Client Assertions (cleanupAcceptedClientAssertions)
    Description

    If set to true, expired private key JWTs previously accepted as client_assertion during client authentication will be removed during clean-up.

    Note that if this is set to true, the database must contain an oauth2_accepted_client_assertions table, otherwise an exception will be thrown during clean-up.

    Attributes
    Boolean
    Optional
    Default value
    true
    Token Table Name (tokenTableName)
    Description
    The name of the database table containing the tokens.
    Attributes
    String
    Optional
    Default value
    token
    Token Assignment Table Name (tokenAssignmentTableName)
    Description
    The name of the database table containing the token assignments.
    Attributes
    String
    Optional
    Default value
    token_assignment
    Log Queries (logQueries)
    Description

    If enabled, all SQL queries executed during cleanup will be written to the module's corresponding log file. This is only effective if the log level is set to at least INFO.

    Warning: query values (including potentially sensitive data) will be logged as well.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.oauth2.OAuth2CleanupTask
    id: OAuth2CleanupTask-xxxxxx
    displayName: 
    comment: 
    properties:
      batchSize: 1000
      cleanupAcceptedClientAssertions: true
      cleanupPushedAuthorizationRequests: true
      logQueries: false
      sqlDataSource:
      tokenAssignmentTableName: token_assignment
      tokenTableName: token
    

    OAuth 2.0 Client Certificate

    Description
    Defines a certificate which can be used during the client authentication in OAuth 2.0.
    Class
    com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2ClientCertificateConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Subject DN (subjectDN)
    Description
    The subject distinguished name of the certificate in the comma-separated format, e.g. "CN=John Smith,OU=Marketing,O=Company,C=CH".

    For RDN types without a defined string representation, the OID format must be used: the value starts with a '#', followed by the hexadecimal representation (see RFC 2253). An example of such a value in OID notation is 1.3.6.1.4.1.1466.0=#04024869 (OCTET String value "Hi" for OID 1.3.6.1.4.1.1466.0).

    OpenSSL can be used to extract the subject as follows:

    openssl x509 -in cert.pem -noout -subject -nameopt sep_comma_plus -nameopt dn_rev -nameopt utf8

    If this produces an error, the subject should be configured with the RDNs as OIDs and hexadecimal values, as mentioned above. This format can be generated by:

    openssl x509 -in cert.pem -noout -subject -nameopt dump_all -nameopt dump_der -nameopt oid -nameopt sep_comma_plus
    Attributes
    String
    Mandatory
    Issuer DN (issuerDN)
    Description
    The optional issuer distinguished name of the certificate in the comma-separated format, e.g. "CN=Company Trusted Root,O=Company,C=CH". If defined, this value is also used to compare the certificates during the authentication.

    For RDN types without a defined string representation, the OID format must be used: the value starts with a '#', followed by the hexadecimal representation (see RFC 2253). An example of such a value in OID notation is 1.3.6.1.4.1.1466.0=#04024869 (OCTET String value "Hi" for OID 1.3.6.1.4.1.1466.0).

    OpenSSL can be used to extract the issuer as follows:

    openssl x509 -in cert.pem -noout -issuer -nameopt sep_comma_plus -nameopt dn_rev -nameopt utf8

    If this produces an error, the issuer should be configured with the RDNs as OIDs and hexadecimal values, as mentioned above. This format can be generated by:

    openssl x509 -in cert.pem -noout -issuer -nameopt dump_all -nameopt dump_der -nameopt oid -nameopt sep_comma_plus
    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2ClientCertificateConfig
    id: OAuth2ClientCertificateConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      issuerDN:
      subjectDN:
    

    OAuth 2.0 Client Credentials Grant

    Description

    Configures an OAuth 2.0 Client Credentials Grant. Issued Access Tokens are self-contained JWTs. Therefore, tokens are not persisted and cannot be revoked.

    The Client Credentials Grant uses the following endpoint:

    1. /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/token - The Token Endpoint
    Class
    com.airlock.iam.oauth2.application.configuration.OAuth2ClientCredentialsGrantConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Access Token Validity [s] (accessTokenValidity)
    Description
    Time in seconds for which an Access Token is valid. Set to 0 for infinite validity. Security Warning: Infinite Access Token validity is not recommended.
    Attributes
    Integer
    Optional
    Default value
    180
    Issuer (issuer)
    Description
    The issuer claim (iss) to include in the Access Token. If left empty the claim will not be included.
    Attributes
    String
    Optional
    Example
    https://example.org/auth/rest/oauth2/authorization-servers/as-identifier
    Example
    custom-issuer
    Audience (audience)
    Description

    The audience claim (aud) to include in the Access Token. If left empty the claim will not be included.

    If there is one audience, the claim is written as a string, for multiple values as an array.

    Attributes
    String-List
    Optional
    Scope Policy (scopePolicy)
    Description

    The scope policy defines how the requested scopes are validated and processed (before the scope processors are applied).

    Depending on the selected policy, the following rules apply:

    • Scopes Mandatory: It is mandatory for the client to request at least one scope, otherwise the request is denied.
      • For static clients for which 'Filter Requested Scopes' is enabled: the requested scopes are filtered against the client's allowed scopes and if the client has no allowed scopes, this is treated as if the client has not requested any scopes at all.
      • For static clients for which 'Filter Requested Scopes' is disabled: the requested scopes are not filtered (i.e. all scopes are allowed to be requested).
      • For persisted clients, the allowed scopes to request are stored per client and it can be configured there what the effect of an empty list of allowed scopes is.
    • Empty Scopes Allowed: It is optional for the client to request scopes.
      If scopes are requested:
      • For static clients for which 'Filter Requested Scopes' is enabled: the requested scopes are filtered against the client's allowed scopes and if the client has no allowed scopes, this is treated as if the client has not requested any scopes at all.
      • For static clients for which 'Filter Requested Scopes' is disabled: the requested scopes are not filtered (i.e. all scopes are allowed to be requested).
      • For persisted clients, the allowed scopes to request are stored per client and it can be configured there what the effect of an empty list of allowed scopes is.
    • Always Overwrite Scopes: The scopes requested by the client are ignored and replaced by the default scopes of the client. If the client has no default scopes, this is treated as if the client has not requested any scopes at all.
      With this policy, the 'Filter Requested Scopes' flag of static clients is ignored.
    • Empty Scopes Overwritten: When the client does not request any scopes, the request is treated as if the default scopes of this client were requested.
      If scopes are requested:
      • For static clients for which 'Filter Requested Scopes' is enabled: the requested scopes are filtered against the client's allowed scopes and if the client has no allowed scopes, this is treated as if the client has not requested any scopes at all.
      • For static clients for which 'Filter Requested Scopes' is disabled: the requested scopes are not filtered (i.e. all scopes are allowed to be requested).
      • For persisted clients, the allowed scopes to request are stored per client and it can be configured there what the effect of an empty list of allowed scopes is.
    Attributes
    Enum
    Optional
    Default value
    EMPTY_SCOPES_ALLOWED
    Granted Scope Processors (grantedScopeProcessors)
    Description

    Allows to further restrict the granted scopes (after applying the scope policy) before issuing the tokens.

    The processors will be applied in the configured order and only scopes allowed by all processors may be granted.

    If not configured, all granted scopes are assigned to the access token.

    Notice: the scope processors are applied after the configured Scope Policy and thus have no influence on whether the requested scopes are allowed.
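    The scope policy rules and the subsequent scope processors above, worked through as an added example in Python (not Airlock IAM code). The class and function names are assumptions, as is the reading that under 'Scopes Mandatory' a request whose scopes are filtered down to nothing is denied, and that default scopes substituted under 'Empty Scopes Overwritten' are then filtered like requested scopes.

```python
"""Resolution of requested scopes under the four scope policies, followed by
the granted scope processors.  Added example; names are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable


class ScopePolicy(Enum):
    SCOPES_MANDATORY = "SCOPES_MANDATORY"
    EMPTY_SCOPES_ALLOWED = "EMPTY_SCOPES_ALLOWED"
    ALWAYS_OVERWRITE_SCOPES = "ALWAYS_OVERWRITE_SCOPES"
    EMPTY_SCOPES_OVERWRITTEN = "EMPTY_SCOPES_OVERWRITTEN"


@dataclass(frozen=True)
class Client:
    client_id: str
    allowed_scopes: frozenset = frozenset()
    default_scopes: frozenset = frozenset()
    persisted: bool = False
    # 'Filter Requested Scopes' flag; only meaningful for static clients
    filter_requested_scopes: bool = True
    # Persisted clients store per client what an empty allowed list means
    # (assumed boolean: True = nothing may be requested, False = no filtering)
    empty_allowed_means_none: bool = True


class ScopeError(Exception):
    """The request must be denied (OAuth 2.0 error code 'invalid_scope')."""


def _filter_requested(client: Client, requested: frozenset) -> frozenset:
    """Per-client filtering rules shared by all policies except ALWAYS_OVERWRITE."""
    if client.persisted:
        if not client.allowed_scopes:
            return frozenset() if client.empty_allowed_means_none else requested
        return requested & client.allowed_scopes
    if not client.filter_requested_scopes:
        return requested  # static client, filtering disabled: anything goes
    if not client.allowed_scopes:
        return frozenset()  # treated as if nothing had been requested
    return requested & client.allowed_scopes


def resolve_scopes(policy: ScopePolicy, client: Client, requested: Iterable[str]) -> frozenset:
    """Apply the scope policy and return the scopes that may be granted."""
    requested = frozenset(requested)
    if policy is ScopePolicy.ALWAYS_OVERWRITE_SCOPES:
        # Requested scopes and the 'Filter Requested Scopes' flag are ignored.
        return frozenset(client.default_scopes)
    if policy is ScopePolicy.EMPTY_SCOPES_OVERWRITTEN and not requested:
        requested = frozenset(client.default_scopes)  # assumed: then filtered below
    if not requested:
        if policy is ScopePolicy.SCOPES_MANDATORY:
            raise ScopeError("invalid_scope: at least one scope must be requested")
        return frozenset()
    granted = _filter_requested(client, requested)
    if policy is ScopePolicy.SCOPES_MANDATORY and not granted:
        # Assumed reading: filtered down to nothing == nothing requested == denied.
        raise ScopeError("invalid_scope: no requested scope is allowed for this client")
    return granted


def apply_scope_processors(granted: frozenset,
                           processors: Iterable[Callable[[frozenset], Iterable[str]]]) -> frozenset:
    """Run the processors in order; a scope survives only if every processor allows it."""
    for processor in processors:
        granted = granted & frozenset(processor(granted))
    return granted


if __name__ == "__main__":
    static = Client("static-a", allowed_scopes=frozenset({"read", "write"}),
                    default_scopes=frozenset({"read"}))
    print(resolve_scopes(ScopePolicy.EMPTY_SCOPES_ALLOWED, static, ["read", "admin"]))  # {'read'}
    print(resolve_scopes(ScopePolicy.ALWAYS_OVERWRITE_SCOPES, static, ["admin"]))      # {'read'}
```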

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Signature (signature)
    Description
    The signature of the Access Token.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OAuth2ClientCredentialsGrantConfig
    id: OAuth2ClientCredentialsGrantConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accessTokenValidity: 180
      audience:
      grantedScopeProcessors:
      issuer:
      scopePolicy: EMPTY_SCOPES_ALLOWED
      signature:
    

    OAuth 2.0 Client ID Pattern UI Tenant ID Rule

    Description
    Sets the UI Tenant ID to a static value if the OAuth 2.0 client ID for an authorization code grant request matches a regex pattern.
    Class
    com.airlock.iam.oauth2.application.configuration.OAuth2ClientIdPatternUiTenantIdRuleConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    OAuth 2.0 Client ID Pattern (clientIdPattern)
    Description
    If the OAuth 2.0 client ID matches this pattern, the UI tenant ID will be set to the value of UI Tenant ID Value.
    Attributes
    RegEx
    Mandatory
    UI Tenant ID Value (uiTenantIdValue)
    Description
    If the OAuth 2.0 client ID matches OAuth 2.0 Client ID Pattern, the UI tenant ID will be set to the value configured by this plugin. This replacement pattern may contain back-references to the pattern configured in OAuth 2.0 Client ID Pattern.
    Attributes
    String
    Mandatory
    Example
    $1
    Example
    fixed-value
    Example
    tenant-id-$1
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OAuth2ClientIdPatternUiTenantIdRuleConfig
    id: OAuth2ClientIdPatternUiTenantIdRuleConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      clientIdPattern:
      uiTenantIdValue:
    

    OAuth 2.0 Client ID UI Tenant ID Rule

    Description
    Sets the UI tenant ID value to the OAuth 2.0 client ID for an authorization code grant request.
    Class
    com.airlock.iam.oauth2.application.configuration.OAuth2ClientIdUiTenantIdRuleConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OAuth2ClientIdUiTenantIdRuleConfig
    id: OAuth2ClientIdUiTenantIdRuleConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OAuth 2.0 Client mTLS Authentication

    Description
    Configures a client authentication that is based on a client certificate which is used in the TLS handshake.

    The certificate from the TLS handshake is verified with the certificates of the client, which is either configured (static client) or stored in the database.

    Note: If a gateway is used, the corresponding Gateway Settings must be configured in the Loginapp.

    Class
    com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2ClientMTLSAuthenticationConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Cert Status Checkers (certStatusCheckers)
    Description
    A list of certificate status checker plug-ins used to check the revocation status of the client certificate. If more than one status checker plug-in is configured, all of them are consulted and the certificate is considered to be revoked if at least one of them says so.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2ClientMTLSAuthenticationConfig
    id: OAuth2ClientMTLSAuthenticationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      certStatusCheckers:
    

    OAuth 2.0 Client Persisting Step

    Description
    Step for persisting a registered OAuth 2.0 client.
    Class
    com.airlock.iam.techclientreg.application.configuration.step.OAuth2ClientPersistingStepConfig
    May be used by
    License-Tags
    TechClientRegistration
    Properties
    Technical Client Interceptors (interceptors)
    Description
    Defines interceptors that get notified upon changes on technical clients.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.techclientreg.application.configuration.step.OAuth2ClientPersistingStepConfig
    id: OAuth2ClientPersistingStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      interceptors:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    OAuth 2.0 Client Public Key

    Description
    RSA or EC public key used by an OAuth 2.0 client for authentication to the authorization server, e.g. when accessing the token endpoint (if configured to use private_key_jwt).
    Class
    com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2ClientPublicKeyConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Public Key (publicKey)
    Description
    An RSA or EC public key encoded using Base64. It can optionally be wrapped in "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----".
    Attributes
    String
    Mandatory
    Multi-line-text
    Key ID (keyId)
    Description
    Used to differentiate between multiple public keys, optional if only one key is configured.

    Must match the value of the "kid" sent in the header of the private_key_jwt JWT.

    Note that the "Key ID" property is only optional if a single public key is configured. If more than one public key is configured, each must have a (unique) Key ID.

    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2ClientPublicKeyConfig
    id: OAuth2ClientPublicKeyConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      keyId:
      publicKey:
    

    OAuth 2.0 Client Registration Step

    Description
    Step for registering an OAuth 2.0 client (Dynamic Client Registration).

    The step uses the properties from the "Dynamic Client Registration" settings of the Loginapp's "OAuth 2.0 AS Settings".

    Class
    com.airlock.iam.techclientreg.application.configuration.step.OAuth2ClientRegistrationStepConfig
    May be used by
    License-Tags
    TechClientRegistration
    Properties
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.techclientreg.application.configuration.step.OAuth2ClientRegistrationStepConfig
    id: OAuth2ClientRegistrationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    OAuth 2.0 Client Secret Authentication

    Description
    Configures a client authentication that is based on a client secret.
    Class
    com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2ClientSecretAuthenticationConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Client Secret Transmission Strategy (clientSecretConfig)
    Description
    Specifies how the client secret to be authenticated is transmitted in a client's request. Usually, basic authentication ('OAuth 2.0 Basic Auth Client Secret (AS)') is used.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2ClientSecretAuthenticationConfig
    id: OAuth2ClientSecretAuthenticationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      clientSecretConfig:
    

    OAuth 2.0 Consent Deny Initiation Step

    Description
    Step to initiate the denial of an OAuth 2.0 Consent. The actual denial will be done in the "Apply Changes Step" which requires an "Apply OAuth 2.0 Consent Deny" to perform the actual denial.
    Class
    com.airlock.iam.selfservice.application.configuration.step.OAuth2SelfServiceDenyConsentStepConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.OAuth2SelfServiceDenyConsentStepConfig
    id: OAuth2SelfServiceDenyConsentStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    OAuth 2.0 Consent Grant Initiation Step

    Description
    Step to initiate the grant of an OAuth 2.0 Consent. The actual grant will be done in the "Apply Changes Step" which requires an "Apply OAuth 2.0 Consent Grant" to perform the actual grant.
    Class
    com.airlock.iam.selfservice.application.configuration.step.OAuth2SelfServiceGrantConsentStepConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.OAuth2SelfServiceGrantConsentStepConfig
    id: OAuth2SelfServiceGrantConsentStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    OAuth 2.0 Consent List

    Description
    Configures the OAuth 2.0 consent list REST self-service. Additional self-service functionality can be configured in "Protected Self-Service Flows".
    Class
    com.airlock.iam.selfservice.application.configuration.oauth2.OAuth2ConsentListSelfServiceRestConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Access Condition (accessCondition)
    Description

    Precondition that must be fulfilled for a user to access the OAuth 2.0 consent list.

    Note the difference from the "Authorization Condition":
    • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
    • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Authorization Condition (authorizationCondition)
    Description
    Precondition that must be fulfilled for the user to be authorized to access the OAuth 2.0 consent list without further authentication. Note the difference from the "Access Condition":
    • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
    • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.oauth2.OAuth2ConsentListSelfServiceRestConfig
    id: OAuth2ConsentListSelfServiceRestConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accessCondition:
      authorizationCondition:
    

    OAuth 2.0 Consent Management UI

    Description

    Configures the OAuth 2.0 Consent Management user interface.

    Depending on the configuration, the user interface allows an authenticated user to view, grant, deny or delete OAuth 2.0 Consents.

    The OAuth 2.0 Consent Management is accessible at /<loginapp-uri>/ui/app/protected/oauth2/consents after user authentication.

    Class
    com.airlock.iam.selfservice.application.configuration.ui.oauth2.OAuth2ConsentManagementUiConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Page Exit Target (pageExitTarget)
    Description

    If configured, an additional button is displayed on the OAuth 2.0 Consent Management to exit the page. On click, this button redirects the user to the configured target.

    To redirect to a target application, redirect to the corresponding "Authentication Flow".

    If the flow can be skipped due to the obtained tags, the user is directly forwarded to the target application.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Flow To Grant A Consent (flowToGrantAConsent)
    Description

    ID of the flow which is used to grant a stored OAuth 2.0 consent.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Flow To Deny A Consent (flowToDenyAConsent)
    Description

    ID of the flow which is used to deny a stored OAuth 2.0 consent.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Flow To Delete Consents By Client (flowToDeleteConsentsByClient)
    Description

    ID of the flow which is used to delete OAuth 2.0 consents by client.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.ui.oauth2.OAuth2ConsentManagementUiConfig
    id: OAuth2ConsentManagementUiConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      flowToDeleteConsentsByClient:
      flowToDenyAConsent:
      flowToGrantAConsent:
      pageExitTarget:
    

    OAuth 2.0 Consent Management UI Redirect

    Description
    Redirects to the "OAuth 2.0 Consent Management UI".
    Class
    com.airlock.iam.selfservice.application.configuration.ui.oauth2.OAuth2ConsentManagementFlowRedirectTargetConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.ui.oauth2.OAuth2ConsentManagementFlowRedirectTargetConfig
    id: OAuth2ConsentManagementFlowRedirectTargetConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OAuth 2.0 Consent Repository

    Description
    OAuth 2.0 / OpenID Connect Consent Repository for relational databases. For each OAuth 2.0 / OpenID Connect Authorization Server and Client, the consent repository stores whether the user has granted or denied a certain OAuth 2.0 scope.
    Class
    com.airlock.iam.oauth2.application.configuration.consentstorage.OAuth2ConsentRepositoryConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    SQL Data Source (sqlDataSource)
    Description
    Defines how connections to the database are obtained.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Log Queries (logQueries)
    Description

    If enabled, all SQL queries executed on this repository will be written to the module's corresponding log file. This is only effective if the log level is set to at least INFO.

    Warning: query values (including potentially sensitive data) will be logged as well.

    Attributes
    Boolean
    Optional
    Default value
    false
    Tenant ID (tenantId)
    Description

    Identifier added to the database records to distinguish between different tenants. Only consents that match the tenant ID specified here will be retrieved on query.

    If left empty, 'no_tenant' is used as the effective value for tenant ID.

    Attributes
    String
    Optional
    Length <= 50
    Validation RegEx: (?!no_tenant$).*
    Example
    customerA
    Example
    customerB
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.consentstorage.OAuth2ConsentRepositoryConfig
    id: OAuth2ConsentRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      logQueries: false
      sqlDataSource:
      tenantId:
    

    OAuth 2.0 Consent Step

    Description
    The OAuth 2.0 consent step. Depending on the consent configured in the grant settings, this step handles the consent. If no consent is configured, the step is non-interactive and implicitly allows all scopes that were not restricted.
    Class
    com.airlock.iam.oauth2.application.configuration.OAuth2ConsentStepConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OAuth2ConsentStepConfig
    id: OAuth2ConsentStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      stepId:
      tagsOnSuccess:
    

    OAuth 2.0 Consent Storage

    Description
    IAM stores a user's consent decisions and only shows the consent page when prior consent decisions do not exist for all requested OAuth 2.0 scopes.

    Attention: An 'OAuth 2.0/OIDC Consent Consistency User Change Listener' must be configured in the user persister to account for user deletion and username changes.
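An added example (not Airlock IAM code) that models the consent storage semantics described here and under "OAuth 2.0 Consent Repository": decisions are stored per authorization server, client, user and scope, queries are filtered by the effective tenant ID (empty means 'no_tenant', and 'no_tenant' itself is rejected by the validation RegEx), the consent page is needed only for scopes without a prior decision, and the two user-change events the consistency listener has to handle. The in-memory table, the scenario values and the method names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Values taken from the page: the effective tenant ID when none is configured,
# the maximum length, and the validation RegEx of the "Tenant ID" property.
NO_TENANT = "no_tenant"
TENANT_ID_MAX_LEN = 50
TENANT_ID_REGEX = re.compile(r"(?!no_tenant$).*")


def effective_tenant_id(configured: str) -> str:
    """Resolve a configured tenantId: empty means 'no_tenant'; anything else
    must pass the length and RegEx validation (so 'no_tenant' cannot be set
    explicitly)."""
    if configured == "":
        return NO_TENANT
    if len(configured) > TENANT_ID_MAX_LEN or TENANT_ID_REGEX.fullmatch(configured) is None:
        raise ValueError(f"invalid tenantId: {configured!r}")
    return configured


def tenant_id_is_valid(configured: str) -> bool:
    try:
        effective_tenant_id(configured)
        return True
    except ValueError:
        return False


# One row per (tenant, authorization server, client, user, scope) -> granted?
ConsentKey = Tuple[str, str, str, str, str]
ConsentTable = Dict[ConsentKey, bool]


@dataclass
class ConsentRepository:
    """Constructed stand-in for the relational consent repository. Several
    repositories may share one table (one database), but each one only
    retrieves rows that match its own tenant."""
    table: ConsentTable
    tenant_id: str = ""
    tenant: str = field(init=False)

    def __post_init__(self) -> None:
        self.tenant = effective_tenant_id(self.tenant_id)

    def store(self, auth_server: str, client: str, user: str, scope: str, granted: bool) -> None:
        self.table[(self.tenant, auth_server, client, user, scope)] = granted

    def decision(self, auth_server: str, client: str, user: str, scope: str) -> Optional[bool]:
        # Rows of other tenants are invisible, even for the same user and scope.
        return self.table.get((self.tenant, auth_server, client, user, scope))

    def delete_by_client(self, auth_server: str, client: str, user: str) -> int:
        """Removes what an 'Apply OAuth 2.0 Consents Deletion' for one client removes."""
        keys = [k for k in self.table
                if k[:4] == (self.tenant, auth_server, client, user)]
        for k in keys:
            del self.table[k]
        return len(keys)

    # The two events the consent consistency user change listener must handle:
    # without them, consents of deleted or renamed users would be orphaned.
    def on_user_deleted(self, user: str) -> int:
        keys = [k for k in self.table if k[0] == self.tenant and k[3] == user]
        for k in keys:
            del self.table[k]
        return len(keys)

    def on_username_changed(self, old: str, new: str) -> int:
        keys = [k for k in self.table if k[0] == self.tenant and k[3] == old]
        for k in keys:
            self.table[(k[0], k[1], k[2], new, k[4])] = self.table.pop(k)
        return len(keys)


def scopes_without_decision(repo: ConsentRepository, auth_server: str, client: str,
                            user: str, requested_scopes: List[str]) -> List[str]:
    """Requested scopes that have neither a grant nor a deny stored. The consent
    page is shown only when this list is non-empty."""
    return [s for s in requested_scopes if repo.decision(auth_server, client, user, s) is None]


def demo() -> dict:
    """Constructed scenario: tenant 'customerA' and the default tenant share a table."""
    table: ConsentTable = {}
    repo_a = ConsentRepository(table, "customerA")
    repo_default = ConsentRepository(table)  # empty tenantId -> 'no_tenant'
    repo_a.store("as1", "web-client", "alice", "openid", True)
    repo_a.store("as1", "web-client", "alice", "email", False)  # a deny is also a decision
    return {
        "a_missing": scopes_without_decision(repo_a, "as1", "web-client", "alice",
                                             ["openid", "email", "profile"]),
        "default_missing": scopes_without_decision(repo_default, "as1", "web-client", "alice",
                                                   ["openid"]),
        "default_tenant": repo_default.tenant,
        "renamed": repo_a.on_username_changed("alice", "alice2"),
        "after_rename": repo_a.decision("as1", "web-client", "alice2", "openid"),
        "deleted_by_client": repo_a.delete_by_client("as1", "web-client", "alice2"),
    }
```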

    Class
    com.airlock.iam.oauth2.application.configuration.consentstorage.OAuth2ConsentStorageConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    OAuth 2.0 Consent Repository (repository)
    Description
    OAuth 2.0 consent repository configuration. Stores information about the user's decisions regarding consenting to OAuth 2.0 scopes.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.consentstorage.OAuth2ConsentStorageConfig
    id: OAuth2ConsentStorageConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      repository:
    

    OAuth 2.0 Consents Delete Initiation Step

    Description
    Step to initiate the deletion of OAuth 2.0 Consents. The actual deletion will be done in the "Apply Changes Step" which requires an "Apply OAuth 2.0 Consents Deletion" to perform the actual deletion.
    Class
    com.airlock.iam.selfservice.application.configuration.step.OAuth2SelfServiceDeleteConsentsStepConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.
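An added example (not Airlock IAM code) that models the On Failure Gotos rules stated for this step and, with identical wording, for the OAuth 2.0 Client Registration, Consent Deny Initiation and Consent Grant Initiation steps: the "failed attempts" counter is updated for failed-factor error codes before the goto target is looked up, EXTERNAL_SERVICE_UNAVAILABLE only counts when "Strict Counting" is enabled, and a configured goto can therefore still end in a locked user and a failed flow. The lock threshold, the step IDs and the error code FACTOR_CHECK_FAILED are constructed; the page only names EXTERNAL_SERVICE_UNAVAILABLE.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Error code named on the page: not counted as a failed factor attempt
# unless "Strict Counting" is enabled.
EXTERNAL_SERVICE_UNAVAILABLE = "EXTERNAL_SERVICE_UNAVAILABLE"

# Constructed placeholder for the codes IAM treats as failed factor attempts;
# the page refers to the IAM REST documentation for the actual list.
FAILED_FACTOR_ERROR_CODES = {"FACTOR_CHECK_FAILED"}


@dataclass
class FlowState:
    current_step: str
    failed_attempts: int = 0
    locked: bool = False
    outcome: Optional[str] = None  # "GOTO" or "FLOW_FAILED" after a failure


def counts_as_failed_attempt(error_code: str, strict_counting: bool) -> bool:
    if error_code == EXTERNAL_SERVICE_UNAVAILABLE:
        return strict_counting
    return error_code in FAILED_FACTOR_ERROR_CODES


def handle_step_failure(state: FlowState, error_code: str,
                        on_failure_gotos: Dict[str, str], *,
                        strict_counting: bool = False,
                        lock_threshold: int = 3) -> FlowState:
    """Apply the On Failure Gotos rules to a step that failed with no retry
    left. The counter moves before the goto is resolved, so the goto does not
    prevent a lock. lock_threshold is an assumption; the page states no limit."""
    if counts_as_failed_attempt(error_code, strict_counting):
        state.failed_attempts += 1
        if state.failed_attempts >= lock_threshold:
            state.locked = True
    target = on_failure_gotos.get(error_code)
    if state.locked or target is None:
        state.outcome = "FLOW_FAILED"
    else:
        state.current_step = target
        state.outcome = "GOTO"
    return state


def run_scenarios() -> Dict[str, FlowState]:
    """Constructed scenarios: a push-factor step whose onFailureGotos map points
    at an SMS OTP step for both error codes."""
    gotos = {EXTERNAL_SERVICE_UNAVAILABLE: "sms-otp-step",
             "FACTOR_CHECK_FAILED": "sms-otp-step"}
    # 1. External service down, Strict Counting off: goto, counter untouched.
    lenient = handle_step_failure(FlowState("push-step"), EXTERNAL_SERVICE_UNAVAILABLE, gotos)
    # 2. Same outage with Strict Counting on: goto, but the counter increments.
    strict = handle_step_failure(FlowState("push-step"), EXTERNAL_SERVICE_UNAVAILABLE, gotos,
                                 strict_counting=True)
    # 3. Repeated failed factor checks: the goto is configured, yet the third
    #    failure locks the user and the flow fails anyway.
    repeated = FlowState("push-step")
    for _ in range(3):
        repeated.current_step = "push-step"
        handle_step_failure(repeated, "FACTOR_CHECK_FAILED", gotos)
    return {"lenient": lenient, "strict": strict, "repeated": repeated}
```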

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.OAuth2SelfServiceDeleteConsentsStepConfig
    id: OAuth2SelfServiceDeleteConsentsStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    OAuth 2.0 Credential Context Data Map

    Description
    Provides all context data of the OAuth 2.0 / OpenID Connect credential that may have been used for authentication. The credential contains all resources from the resource requests (in the case of OpenID Connect, additionally the ID Token resources) that were configured in the client settings.
    Class
    com.airlock.iam.oauth2.application.configuration.valueprovider.OAuth2CredentialContextDataValueMapProviderConfig
    May be used by
    • mTAN Transaction Approval Step
    • Secret Questions Identity Verification Step
    • Set Authentication Method Migration Step
    • Airlock 2FA Authentication Step
    • Complete Migration Step
    • Failure Step
    • Airlock 2FA Recovery Trusted Session Binding Step
    • Email Identity Verification Step
    • Scriptable Step
    • Airlock 2FA Self-Service Approval Step
    • Set Authentication Method Step
    • OTP Check via RADIUS Step
    • OAuth 2.0 SSO Step
    • Cronto Device Selection Step
    • FIDO Public Self-Service Approval Step
    • Cronto Transaction Approval Step
    • Email OTP Transaction Approval Step
    • Send Email Link Step
    • Vasco OTP Public Self-Service Approval Step
    • Airlock 2FA Public Self-Service Approval Step
    • mTAN Authentication Step
    • Risk Assessment Step
    • Cronto Authentication Step
    • User Data Edit Step
    • Account Link Linking Initiation Step
    • Remote Event Subscriber (Loginapp)
    • Account Link Removal Initiation Step
    • Missing Account Link Step
    • CrontoSign Swiss Push Activation Step
    • Flow Continuation Token Consumption Step
    • Email Verification Step
    • SSI Passwordless Authentication Step
    • Airlock 2FA Message Provider
    • Red Flag Raising Step Config
    • Airlock 2FA Transaction Approval Step
    • FIDO Credential Selection Step
    • On Behalf Login Identity Propagation Config
    • Selection Step for Public Self-Service
    • OATH OTP Activation Step
    • SSO Ticket Authentication Step
    • Enable Cronto Push Initiation Step
    • Migration Selection Step
    • SSI Issuance Step
    • Legacy ID Propagation Adapter
    • Phone Number Verification Step
    • mTAN Public Self-Service Approval Step
    • User Data Registration Step Config
    • Cronto Approval Stealth Step
    • Disable FIDO Credential Initiation Step
    • OAuth 2.0 Client Persisting Step
    • Delete FIDO Credential Initiation Step
    • Login From New Device Step
    • OAuth 2.0 Consent Step
    • Password-only Authentication Step
    • SMS Identity Verification Step
    • Cronto Public Self-Service Approval Step
    • Set Context Data Step
    • Matrix Public Self-Service Approval Step
    • Remember-Me Token Generating Step
    • Delete Cronto Device Initiation Step
    • Kerberos Authentication Step
    • Vasco OTP Authentication Step
    • Device Token Registration Step
    • Flow Continuation Step
    • Remember-Me User Identifying Step
    • Password Reset Step
    • Enable FIDO Credential Initiation Step
    • Device Token Authentication Step
    • Matrix Self-Service Approval Step
    • Cronto Message Provider
    • User Identification By Data Step (Public Self-Service)
    • Translated String Provider
    • Cronto Activation Step
    • Email OTP Authentication Step
    • Email Change Verification Step
    • Email Notification Step
    • FIDO Self-Service Approval Step
    • OAuth 2.0 Client Registration Step
    • Airlock 2FA Activation Step
    • Airlock 2FA Device Edit Initiation Step
    • Select mTAN Token Step
    • Secret Questions Provisioning Step
    • Airlock 2FA Device Edit Step
    • Template-based String Provider
    • Apply Changes Step
    • User Persisting Step Config
    • Start User Representation Step
    • mTAN Message Provider
    • String From Map Value Provider
    • Mandatory Password Change Step Config
    • SMS Event Subscriber (Loginapp)
    • Disable Cronto Device Initiation Step
    • Email Message Provider
    • OAuth 2.0 Consent Grant Initiation Step
    • Airlock 2FA Activation Trusted Session Binding Step
    • User Unlock Step (Self-Registration)
    • FIDO Registration Step
    • Delete Remember-Me Device Initiation Step
Transaction Approval Parameter Step Transaction Approval Parameter Step User Identification Step User Identification Step User Identification By Data Step User Identification By Data Step Representation SSO Ticket Identifying Step Representation SSO Ticket Identifying Step Unlock User Step (Public Self-Service) Unlock User Step (Public Self-Service) Airlock 2FA Usernameless Authentication Step Airlock 2FA Usernameless Authentication Step Matrix Authentication Step Matrix Authentication Step mTAN Token Edit Step mTAN Token Edit Step Enable Cronto Device Initiation Step Enable Cronto Device Initiation Step Airlock 2FA Activation Letter Order Step Airlock 2FA Activation Letter Order Step OAuth 2.0 Consent Deny Initiation Step OAuth 2.0 Consent Deny Initiation Step Tag Removal Step Config Tag Removal Step Config FIDO Authentication Step FIDO Authentication Step Cronto Device Reset Step Config Cronto Device Reset Step Config Abort Step Abort Step mTAN Token Registration Step mTAN Token Registration Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Delete Initiation Step Username Password Authentication Step Username Password Authentication Step Certificate Credential Extraction Step Config Certificate Credential Extraction Step Config Set Password Step Config Set Password Step Config Password Change Self-Service Step Password Change Self-Service Step SSI Verification Step SSI Verification Step Device Token Identity Verification Step Config Device Token Identity Verification Step Config Cronto Self-Service Approval Step Cronto Self-Service Approval Step Lock Self-Service Step Lock Self-Service Step Password Letter Order Step (Public Self-Service) Password Letter Order Step (Public Self-Service) Airlock 2FA Delete Devices Step Airlock 2FA Delete Devices Step Vasco OTP Self-Service Approval Step Vasco OTP Self-Service Approval Step Selection Step for User Self-Registration Selection Step for User Self-Registration Vasco OTP Device Activation Vasco OTP 
Device Activation User Role Assignment Step Config User Role Assignment Step Config mTAN Self-Service Approval Step mTAN Self-Service Approval Step Rename Cronto Device Step Rename Cronto Device Step OATH OTP Authentication Step OATH OTP Authentication Step User Identification Step (Public Self-Service) User Identification Step (Public Self-Service) Delete mTAN Number Initiation Step Delete mTAN Number Initiation Step SSI Authentication Step SSI Authentication Step Template-based Username Transformer Transforming Value Map Provider mTAN Verification Step mTAN Verification Step Conditional Value Map Provider FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Legacy Email OTP Authentication Step Legacy Email OTP Authentication Step Never Migrate Step Never Migrate Step Selection Step for Self-Service Selection Step for Self-Service Cronto Letter Order Step Config Cronto Letter Order Step Config No Operation Step No Operation Step Terms Of Services Step Terms Of Services Step Role-based Tag Acquisition Step Role-based Tag Acquisition Step FIDO Passwordless Authentication Step FIDO Passwordless Authentication Step Disable Cronto Push Initiation Step Disable Cronto Push Initiation Step Email Event Subscriber (Loginapp) Stop User Representation Step Stop User Representation Step Acknowledge Message Step Acknowledge Message Step HTTP Basic Authentication Step HTTP Basic Authentication Step Airlock 2FA Mobile Only Authentication Step Airlock 2FA Mobile Only Authentication Step Voluntary Password Change Step Voluntary Password Change Step SAML 2.0 SP User Identifying Step SAML 2.0 SP User Identifying Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Consents Delete Initiation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Step (with additional Activation) Username Generation Step Config Username Generation Step Config Remember-Me Reset Step Remember-Me Reset Step Delete OAuth 2.0 Session Initiation 
Step Delete OAuth 2.0 Session Initiation Step Ticket String Provider Config OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset Step Selection Step Selection Step
    License-Tags
    OAuthClient
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.valueprovider.OAuth2CredentialContextDataValueMapProviderConfig
    id: OAuth2CredentialContextDataValueMapProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OAuth 2.0 Credential Roles Provider

    Description
    Provides all roles of the OAuth 2.0 / OpenID Connect credential that have been collected during authentication. The credential contains all mapped data from the resource requests (in case of OpenID Connect, additionally the ID Token resources), that were configured in the client settings.
    Class
    com.airlock.iam.oauth2.application.configuration.valueprovider.OAuth2CredentialRolesProviderConfig
    May be used by
    License-Tags
    OAuthClient
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.valueprovider.OAuth2CredentialRolesProviderConfig
    id: OAuth2CredentialRolesProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OAuth 2.0 Custom Application UI

    Description
    Redirects OAuth 2.0 browser requests to the configured endpoints.
    Class
    com.airlock.iam.oauth2.application.configuration.ui.OAuth2CustomApplicationUiConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Custom Authorization Endpoint URI (authorizationEndpointUri)
    Description
    Custom Authorization Endpoint URI to redirect the requests to. Either a relative path to the IAM base URL to which the request was sent or an absolute URI can be configured.
    Attributes
    String
    Optional
    Example
    ui/custom/oauth2/authorize
    Example
    https://airlock.iam/auth/ui/custom/oauth2/authorize
    Example
    https://custom.app.com/oauth2/authorize
    Custom Check Session Endpoint URI (checkSessionEndpointUri)
    Description
    Custom Check Session Endpoint URI to redirect the requests to. Either a relative path to the IAM base URL to which the request was sent or an absolute URI can be configured.
    Attributes
    String
    Optional
    Example
    ui/custom/oauth2/check-session
    Example
    https://airlock.iam/auth/ui/custom/oauth2/check-session
    Example
    https://custom.app.com/oauth2/check-session
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.ui.OAuth2CustomApplicationUiConfig
    id: OAuth2CustomApplicationUiConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authorizationEndpointUri:
      checkSessionEndpointUri:
    

    OAuth 2.0 Custom Client Endpoint Redirect URI

    Description
    Includes the redirect URI for a custom client endpoint in OAuth 2.0 authorization requests. The URI must not contain a fragment.
    Class
    com.airlock.iam.oauth2.application.configuration.client.OAuth2CustomClientEndpointRedirectUriConfig
    May be used by
    License-Tags
    OAuthClient
    Properties
    Redirect URI (redirectUri)
    Description
    Absolute URI pointing to the custom OAuth 2.0 client endpoint.
    Attributes
    String
    Mandatory
    Example
    https://example.ch/custom/oauth2/client
    Example
    https://iam.ch/auth/ui/app/oauth2/client
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.client.OAuth2CustomClientEndpointRedirectUriConfig
    id: OAuth2CustomClientEndpointRedirectUriConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      redirectUri:
    

    OAuth 2.0 Custom Scopes Flow Settings

    Description
    Configures how the requested OAuth 2.0 scopes are handled in the configured OAuth 2.0 Consent Step before they are presented to the user for confirmation or granted implicitly.
    Class
    com.airlock.iam.oauth2.application.configuration.OAuth2CustomScopesSettingsConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Conditions (conditions)
    Description
    Restricts the requested scopes. The list will be processed in the configured order. The first fulfilled condition allows the requested scope and no further conditions are evaluated.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OAuth2CustomScopesSettingsConfig
    id: OAuth2CustomScopesSettingsConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      conditions:
    

    OAuth 2.0 Custom Session Attribute

    Description
    Configuration of an OAuth 2.0 custom session attribute.

    An OAuth 2.0 session can have various custom attributes that are defined as a name-value pair.

    Class
    com.airlock.iam.oauth2.application.configuration.session.OAuth2CustomSessionAttributeConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Name (name)
    Description
    Name of the OAuth 2.0 custom session attribute.
    Attributes
    String
    Mandatory
    Length <= 50
    Value Pattern (valuePattern)
    Description
    An optional regular expression to validate the value.
    Attributes
    RegEx
    Optional
    Default value
    .{1,200}
    Updatable (updatable)
    Description
    Whether the value of this OAuth 2.0 custom session attribute can be updated after being set once. If unchecked, the OAuth 2.0 custom session attribute can only be created once but never be updated nor deleted.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.session.OAuth2CustomSessionAttributeConfig
    id: OAuth2CustomSessionAttributeConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      name:
      updatable: true
      valuePattern: .{1,200}
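
    The following Python snippet is an added illustration of the rules stated for this plugin (name length, value pattern, updatable flag); it is not Airlock IAM code. The `OAuth2Session` class and its method names are assumptions made for the example; only the three property semantics come from the page.

```python
"""Name/value rules of an 'OAuth 2.0 Custom Session Attribute' applied in Python.
Illustrative code written for this reference, not Airlock IAM's implementation.
Assumed for the example: the OAuth2Session container and its method names."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomSessionAttribute:
    name: str
    value_pattern: str = r".{1,200}"   # default from the YAML template above
    updatable: bool = True             # default from the YAML template above

    def __post_init__(self):
        # Name is mandatory with Length <= 50
        if not self.name or len(self.name) > 50:
            raise ValueError("attribute name must be 1..50 characters")
        re.compile(self.value_pattern)  # fail fast on a malformed pattern

    def validate(self, value: str) -> bool:
        # fullmatch: the whole value must satisfy the pattern, not just a prefix.
        # Note that '.' does not match a newline, so the default pattern rejects
        # multi-line values as well as empty and over-long ones.
        return re.fullmatch(self.value_pattern, value) is not None


class OAuth2Session:
    """Holds the custom attributes of one OAuth 2.0 session (assumed container)."""

    def __init__(self, definitions):
        self._defs = {d.name: d for d in definitions}
        self._values = {}

    def _definition(self, name: str) -> CustomSessionAttribute:
        if name not in self._defs:
            raise KeyError(f"no custom session attribute configured: {name}")
        return self._defs[name]

    def set_attribute(self, name: str, value: str) -> None:
        d = self._definition(name)
        if not d.validate(value):
            raise ValueError(f"value for {name!r} does not match {d.value_pattern!r}")
        # updatable=false: the attribute may be created once but never changed
        if name in self._values and not d.updatable:
            raise PermissionError(f"attribute {name!r} is not updatable")
        self._values[name] = value

    def delete_attribute(self, name: str) -> None:
        d = self._definition(name)
        if not d.updatable:
            raise PermissionError(f"attribute {name!r} may not be deleted")
        self._values.pop(name, None)

    def get_attribute(self, name: str):
        return self._values.get(name)
```

Because the value pattern is a full-match, a pattern such as `(light|dark)` admits exactly those two values and nothing longer; keep the pattern tight for attributes that later drive authorization decisions.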
    

    OAuth 2.0 Date Context Data Resource

    Description
    A resource provider providing formatted dates from a context data field.
    Class
    com.airlock.iam.oauth2.application.configuration.resource.OAuth2DateContextDataResourceProviderConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Context Data Item (contextDataItem)
    Description
    The date and time context data element to be returned by this resource.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Pattern (pattern)
    Description
    The pattern to format the date value.
    Attributes
    String
    Optional
    Default value
    yyyy-MM-dd
    Suggested values
    yyyy-MM-dd, dd.MM.yyyy, MM/dd/yyyy, dd-MMM-yyyy HH:mm:ss, yyyy-MM-dd HH:mm:ss
    Timezone (timezone)
    Description
    The timezone that should be used when formatting the date value. If nothing is configured, the timezone of the server is used.
    Attributes
    String
    Optional
    Suggested values
    Africa/Abidjan, Africa/Accra, Africa/Addis_Ababa, Africa/Algiers, Africa/Asmara, Africa/Asmera, Africa/Bamako, Africa/Bangui, Africa/Banjul, Africa/Bissau, Africa/Blantyre, Africa/Brazzaville, Africa/Bujumbura, Africa/Cairo, Africa/Casablanca, Africa/Ceuta, Africa/Conakry, Africa/Dakar, Africa/Dar_es_Salaam, Africa/Djibouti, Africa/Douala, Africa/El_Aaiun, Africa/Freetown, Africa/Gaborone, Africa/Harare, Africa/Johannesburg, Africa/Juba, Africa/Kampala, Africa/Khartoum, Africa/Kigali, Africa/Kinshasa, Africa/Lagos, Africa/Libreville, Africa/Lome, Africa/Luanda, Africa/Lubumbashi, Africa/Lusaka, Africa/Malabo, Africa/Maputo, Africa/Maseru, Africa/Mbabane, Africa/Mogadishu, Africa/Monrovia, Africa/Nairobi, Africa/Ndjamena, Africa/Niamey, Africa/Nouakchott, Africa/Ouagadougou, Africa/Porto-Novo, Africa/Sao_Tome, Africa/Timbuktu, Africa/Tripoli, Africa/Tunis, Africa/Windhoek, America/Adak, America/Anchorage, America/Anguilla, America/Antigua, America/Araguaina, America/Argentina/Buenos_Aires, America/Argentina/Catamarca, America/Argentina/ComodRivadavia, America/Argentina/Cordoba, America/Argentina/Jujuy, America/Argentina/La_Rioja, America/Argentina/Mendoza, America/Argentina/Rio_Gallegos, America/Argentina/Salta, America/Argentina/San_Juan, America/Argentina/San_Luis, America/Argentina/Tucuman, America/Argentina/Ushuaia, America/Aruba, America/Asuncion, America/Atikokan, America/Atka, America/Bahia, America/Bahia_Banderas, America/Barbados, America/Belem, America/Belize, America/Blanc-Sablon, America/Boa_Vista, America/Bogota, America/Boise, America/Buenos_Aires, America/Cambridge_Bay, America/Campo_Grande, America/Cancun, America/Caracas, America/Catamarca, America/Cayenne, America/Cayman, America/Chicago, America/Chihuahua, America/Coral_Harbour, America/Cordoba, America/Costa_Rica, America/Creston, America/Cuiaba, America/Curacao, America/Danmarkshavn, America/Dawson, America/Dawson_Creek, America/Denver, America/Detroit, America/Dominica, America/Edmonton, 
America/Eirunepe, America/El_Salvador, America/Ensenada, America/Fort_Wayne, America/Fortaleza, America/Glace_Bay, America/Godthab, America/Goose_Bay, America/Grand_Turk, America/Grenada, America/Guadeloupe, America/Guatemala, America/Guayaquil, America/Guyana, America/Halifax, America/Havana, America/Hermosillo, America/Indiana/Indianapolis, America/Indiana/Knox, America/Indiana/Marengo, America/Indiana/Petersburg, America/Indiana/Tell_City, America/Indiana/Vevay, America/Indiana/Vincennes, America/Indiana/Winamac, America/Indianapolis, America/Inuvik, America/Iqaluit, America/Jamaica, America/Jujuy, America/Juneau, America/Kentucky/Louisville, America/Kentucky/Monticello, America/Knox_IN, America/Kralendijk, America/La_Paz, America/Lima, America/Los_Angeles, America/Louisville, America/Lower_Princes, America/Maceio, America/Managua, America/Manaus, America/Marigot, America/Martinique, America/Matamoros, America/Mazatlan, America/Mendoza, America/Menominee, America/Merida, America/Metlakatla, America/Mexico_City, America/Miquelon, America/Moncton, America/Monterrey, America/Montevideo, America/Montreal, America/Montserrat, America/Nassau, America/New_York, America/Nipigon, America/Nome, America/Noronha, America/North_Dakota/Beulah, America/North_Dakota/Center, America/North_Dakota/New_Salem, America/Ojinaga, America/Panama, America/Pangnirtung, America/Paramaribo, America/Phoenix, America/Port-au-Prince, America/Port_of_Spain, America/Porto_Acre, America/Porto_Velho, America/Puerto_Rico, America/Rainy_River, America/Rankin_Inlet, America/Recife, America/Regina, America/Resolute, America/Rio_Branco, America/Rosario, America/Santa_Isabel, America/Santarem, America/Santiago, America/Santo_Domingo, America/Sao_Paulo, America/Scoresbysund, America/Shiprock, America/Sitka, America/St_Barthelemy, America/St_Johns, America/St_Kitts, America/St_Lucia, America/St_Thomas, America/St_Vincent, America/Swift_Current, America/Tegucigalpa, America/Thule, America/Thunder_Bay, 
America/Tijuana, America/Toronto, America/Tortola, America/Vancouver, America/Virgin, America/Whitehorse, America/Winnipeg, America/Yakutat, America/Yellowknife, Antarctica/Casey, Antarctica/Davis, Antarctica/DumontDUrville, Antarctica/Macquarie, Antarctica/Mawson, Antarctica/McMurdo, Antarctica/Palmer, Antarctica/Rothera, Antarctica/South_Pole, Antarctica/Syowa, Antarctica/Vostok, Arctic/Longyearbyen, Asia/Aden, Asia/Almaty, Asia/Amman, Asia/Anadyr, Asia/Aqtau, Asia/Aqtobe, Asia/Ashgabat, Asia/Ashkhabad, Asia/Baghdad, Asia/Bahrain, Asia/Baku, Asia/Bangkok, Asia/Beirut, Asia/Bishkek, Asia/Brunei, Asia/Calcutta, Asia/Choibalsan, Asia/Chongqing, Asia/Chungking, Asia/Colombo, Asia/Dacca, Asia/Damascus, Asia/Dhaka, Asia/Dili, Asia/Dubai, Asia/Dushanbe, Asia/Gaza, Asia/Harbin, Asia/Hebron, Asia/Ho_Chi_Minh, Asia/Hong_Kong, Asia/Hovd, Asia/Irkutsk, Asia/Istanbul, Asia/Jakarta, Asia/Jayapura, Asia/Jerusalem, Asia/Kabul, Asia/Kamchatka, Asia/Karachi, Asia/Kashgar, Asia/Kathmandu, Asia/Katmandu, Asia/Khandyga, Asia/Kolkata, Asia/Krasnoyarsk, Asia/Kuala_Lumpur, Asia/Kuching, Asia/Kuwait, Asia/Macao, Asia/Macau, Asia/Magadan, Asia/Makassar, Asia/Manila, Asia/Muscat, Asia/Nicosia, Asia/Novokuznetsk, Asia/Novosibirsk, Asia/Omsk, Asia/Oral, Asia/Phnom_Penh, Asia/Pontianak, Asia/Pyongyang, Asia/Qatar, Asia/Qyzylorda, Asia/Rangoon, Asia/Riyadh, Asia/Saigon, Asia/Sakhalin, Asia/Samarkand, Asia/Seoul, Asia/Shanghai, Asia/Singapore, Asia/Taipei, Asia/Tashkent, Asia/Tbilisi, Asia/Tehran, Asia/Tel_Aviv, Asia/Thimbu, Asia/Thimphu, Asia/Tokyo, Asia/Ujung_Pandang, Asia/Ulaanbaatar, Asia/Ulan_Bator, Asia/Urumqi, Asia/Ust-Nera, Asia/Vientiane, Asia/Vladivostok, Asia/Yakutsk, Asia/Yekaterinburg, Asia/Yerevan, Atlantic/Azores, Atlantic/Bermuda, Atlantic/Canary, Atlantic/Cape_Verde, Atlantic/Faeroe, Atlantic/Faroe, Atlantic/Jan_Mayen, Atlantic/Madeira, Atlantic/Reykjavik, Atlantic/South_Georgia, Atlantic/St_Helena, Atlantic/Stanley, Australia/ACT, Australia/Adelaide, Australia/Brisbane, 
Australia/Broken_Hill, Australia/Canberra, Australia/Currie, Australia/Darwin, Australia/Eucla, Australia/Hobart, Australia/LHI, Australia/Lindeman, Australia/Lord_Howe, Australia/Melbourne, Australia/NSW, Australia/North, Australia/Perth, Australia/Queensland, Australia/South, Australia/Sydney, Australia/Tasmania, Australia/Victoria, Australia/West, Australia/Yancowinna, Brazil/Acre, Brazil/DeNoronha, Brazil/East, Brazil/West, CET, CST6CDT, Canada/Atlantic, Canada/Central, Canada/East-Saskatchewan, Canada/Eastern, Canada/Mountain, Canada/Newfoundland, Canada/Pacific, Canada/Saskatchewan, Canada/Yukon, Chile/Continental, Chile/EasterIsland, Cuba, EET, EST5EDT, Egypt, Eire, Etc/GMT, Etc/GMT+0, Etc/GMT+1, Etc/GMT+10, Etc/GMT+11, Etc/GMT+12, Etc/GMT+2, Etc/GMT+3, Etc/GMT+4, Etc/GMT+5, Etc/GMT+6, Etc/GMT+7, Etc/GMT+8, Etc/GMT+9, Etc/GMT-0, Etc/GMT-1, Etc/GMT-10, Etc/GMT-11, Etc/GMT-12, Etc/GMT-13, Etc/GMT-14, Etc/GMT-2, Etc/GMT-3, Etc/GMT-4, Etc/GMT-5, Etc/GMT-6, Etc/GMT-7, Etc/GMT-8, Etc/GMT-9, Etc/GMT0, Etc/Greenwich, Etc/UCT, Etc/UTC, Etc/Universal, Etc/Zulu, Europe/Amsterdam, Europe/Andorra, Europe/Athens, Europe/Belfast, Europe/Belgrade, Europe/Berlin, Europe/Bratislava, Europe/Brussels, Europe/Bucharest, Europe/Budapest, Europe/Busingen, Europe/Chisinau, Europe/Copenhagen, Europe/Dublin, Europe/Gibraltar, Europe/Guernsey, Europe/Helsinki, Europe/Isle_of_Man, Europe/Istanbul, Europe/Jersey, Europe/Kaliningrad, Europe/Kiev, Europe/Lisbon, Europe/Ljubljana, Europe/London, Europe/Luxembourg, Europe/Madrid, Europe/Malta, Europe/Mariehamn, Europe/Minsk, Europe/Monaco, Europe/Moscow, Europe/Nicosia, Europe/Oslo, Europe/Paris, Europe/Podgorica, Europe/Prague, Europe/Riga, Europe/Rome, Europe/Samara, Europe/San_Marino, Europe/Sarajevo, Europe/Simferopol, Europe/Skopje, Europe/Sofia, Europe/Stockholm, Europe/Tallinn, Europe/Tirane, Europe/Tiraspol, Europe/Uzhgorod, Europe/Vaduz, Europe/Vatican, Europe/Vienna, Europe/Vilnius, Europe/Volgograd, Europe/Warsaw, Europe/Zagreb, 
Europe/Zaporozhye, Europe/Zurich, GB, GB-Eire, GMT, GMT0, Greenwich, Hongkong, Iceland, Indian/Antananarivo, Indian/Chagos, Indian/Christmas, Indian/Cocos, Indian/Comoro, Indian/Kerguelen, Indian/Mahe, Indian/Maldives, Indian/Mauritius, Indian/Mayotte, Indian/Reunion, Iran, Israel, Jamaica, Japan, Kwajalein, Libya, MET, MST7MDT, Mexico/BajaNorte, Mexico/BajaSur, Mexico/General, NZ, Navajo, PST8PDT, Pacific/Apia, Pacific/Auckland, Pacific/Chatham, Pacific/Chuuk, Pacific/Easter, Pacific/Efate, Pacific/Enderbury, Pacific/Fakaofo, Pacific/Fiji, Pacific/Funafuti, Pacific/Galapagos, Pacific/Gambier, Pacific/Guadalcanal, Pacific/Guam, Pacific/Honolulu, Pacific/Johnston, Pacific/Kiritimati, Pacific/Kosrae, Pacific/Kwajalein, Pacific/Majuro, Pacific/Marquesas, Pacific/Midway, Pacific/Nauru, Pacific/Niue, Pacific/Norfolk, Pacific/Noumea, Pacific/Pago_Pago, Pacific/Palau, Pacific/Pitcairn, Pacific/Pohnpei, Pacific/Ponape, Pacific/Port_Moresby, Pacific/Rarotonga, Pacific/Saipan, Pacific/Samoa, Pacific/Tahiti, Pacific/Tarawa, Pacific/Tongatapu, Pacific/Truk, Pacific/Wake, Pacific/Wallis, Pacific/Yap, Poland, Portugal, ROK, Singapore, Turkey, UCT, US/Alaska, US/Aleutian, US/Arizona, US/Central, US/East-Indiana, US/Eastern, US/Hawaii, US/Indiana-Starke, US/Michigan, US/Mountain, US/Pacific, US/Pacific-New, US/Samoa, UTC, Universal, W-SU, WET, Zulu
    Identifier (identifier)
    Description
    The identifier of this resource provider.
    Attributes
    String
    Mandatory
    Example
    user
    Example
    language
    Condition (condition)
    Description

    This resource value will only be added to the response if the configured condition is satisfied.

    If no condition is configured, the resource value will always be added.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.resource.OAuth2DateContextDataResourceProviderConfig
    id: OAuth2DateContextDataResourceProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      contextDataItem:
      identifier:
      pattern: yyyy-MM-dd
      timezone:
    

    OAuth 2.0 Default Application UI

    Description
    Redirects OAuth 2.0 browser requests to the default IAM Loginapp UI endpoints.
    Class
    com.airlock.iam.oauth2.application.configuration.ui.OAuth2DefaultSpaApplicationUiConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.ui.OAuth2DefaultSpaApplicationUiConfig
    id: OAuth2DefaultSpaApplicationUiConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OAuth 2.0 Default Scopes Flow Settings

    Description
    Restricts all requested scopes to be covered by either a matching persistent user role or a matching acquired flow tag.
    Class
    com.airlock.iam.oauth2.application.configuration.OAuth2DefaultScopesSettingsConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OAuth2DefaultScopesSettingsConfig
    id: OAuth2DefaultScopesSettingsConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OAuth 2.0 Default UI Client Redirect URI

    Description
    Includes the redirect URI for the default IAM UI in OAuth 2.0 authorization requests.
    Class
    com.airlock.iam.oauth2.application.configuration.client.OAuth2RestUiClientRedirectUriConfig
    May be used by
    License-Tags
    OAuthClient
    Properties
    External Base URL (externalIamURL)
    Description
    External facing absolute http(s) URL of this Loginapp. This URL is used to calculate the UI URL of the Airlock IAM: <External Base URL>/ui/app/oauth2/client
    Attributes
    String
    Mandatory
    Example
    https://external-airlock-iam.example.ch/auth/
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.client.OAuth2RestUiClientRedirectUriConfig
    id: OAuth2RestUiClientRedirectUriConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      externalIamURL:
    

    OAuth 2.0 Dynamic Client Registration

    Description

    Service for OAuth 2.0 Dynamic Client Registration Protocol that can be used for the most common use cases.

    Dynamic Client Registration uses the following endpoint:

    1. /<loginapp-uri>/rest/public/tech-client-registration/oauth2/<as-identifier>/register - The DCR Endpoint
    Class
    com.airlock.iam.techclientreg.application.configuration.oauth2dcr.DefaultOAuth2ClientRegistrationConfig
    May be used by
    License-Tags
    TechClientRegistration
    Properties
    Client ID Generator (clientIdGenerator)
    Description
    Generator for the client_id.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Client Secret Generator (clientSecretGenerator)
    Description
    Generator for the client_secret. The client secret is only generated if this property is configured and the determined token_endpoint_auth_method is either "client_secret_basic" or "client_secret_post".
    In addition, a "Token Endpoint Auth Method Processor" is required to determine the authentication method.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Attribute Processors (additionalProcessors)
    Description
    Processors that handle the attributes of the registration request (other than the requested grants). Only attributes for which a processor is configured here are handled; all other aspects of the registration request are ignored.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Authorization Code Grant (authorizationCodeGrant)
    Description

    If enabled, Authorization Code Grant is supported.

    The registered client will be enabled to perform the authorization code grant in any of the following cases:

    • If the "grant_types" requested by the client include "authorization_code". In this case a "redirect_uri" must be present.
    • If the requested "response_types" include "code". In this case a "redirect_uri" must be present.
    • If the client requests no "grant_types" and no "response_types", but supplies a "redirect_uri".
    The "grant_types" of the registered client will include "authorization_code" and the "response_types" will include "code".

    If this property is disabled, authorization code grant is never enabled for the client.

    Attributes
    Boolean
    Optional
    Default value
    true
    Implicit Grant (implicitGrant)
    Description

    If enabled, Implicit Grant is supported.

    The registered client will be enabled to perform implicit grant in any of the following cases:

    • If the "grant_types" requested by the client include "implicit". In this case, a "redirect_uri" must be present.
    • If the requested "response_types" include "token". In this case, a "redirect_uri" must also be present.
    • If the client requests no "grant_types" and no "response_types", but supplies a "redirect_uri".
    The "grant_types" of the registered client will include "implicit" and the "response_types" will include "token".

    If this property is disabled, implicit grant is never enabled for the client.

    Attributes
    Boolean
    Optional
    Default value
    false
    Client Credentials Grant (clientCredentialsGrant)
    Description

    If enabled, Client Credentials Grant is supported.

    The registered client will be enabled to perform client credentials grant in any of the following cases:

    • If the "grant_types" requested by the client include "client_credentials".
    • If the client specifies no "grant_types" in the registration request.

    If this property is disabled, client credentials grant is never enabled for the client.

    Attributes
    Boolean
    Optional
    Default value
    false
    Access Token Refresh (accessTokenRefresh)
    Description

    If enabled, refreshing an access token is supported.

    The registered client will be enabled to refresh access tokens in any of the following cases:

    • If the "grant_types" requested by the client include "refresh_token".
    • If the client specifies no "grant_types" in the registration request.

    If this property is disabled, refreshing of access tokens is never enabled for the client.

    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.techclientreg.application.configuration.oauth2dcr.DefaultOAuth2ClientRegistrationConfig
    id: DefaultOAuth2ClientRegistrationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accessTokenRefresh: true
      additionalProcessors:
      authorizationCodeGrant: true
      clientCredentialsGrant: false
      clientIdGenerator:
      clientSecretGenerator:
      implicitGrant: false
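
    The grant-enablement rules of the four grant properties above, together with the client-secret condition, written out as Python so the interaction of a registration request with the configured defaults can be checked. This is an added illustration, not Airlock IAM's implementation: the data classes, the `RegistrationError` type (the page only states that a redirect_uri "must be present", not how a violation is reported) and the assumption that a Token Endpoint Auth Method Processor has already determined `token_endpoint_auth_method` are all choices made for this example.

```python
"""Grant enablement for an OAuth 2.0 Dynamic Client Registration request, following
the rules of the Authorization Code / Implicit / Client Credentials / Access Token
Refresh properties. Illustrative code, not Airlock IAM's implementation."""
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


class RegistrationError(ValueError):
    """Assumed error type: raised when a required redirect_uri is missing."""


@dataclass
class DcrConfig:
    # property defaults as in the YAML template above
    authorization_code_grant: bool = True
    implicit_grant: bool = False
    client_credentials_grant: bool = False
    access_token_refresh: bool = True
    client_secret_generator: bool = True   # "a Client Secret Generator is configured"


@dataclass
class RegistrationRequest:
    grant_types: List[str] = field(default_factory=list)
    response_types: List[str] = field(default_factory=list)
    redirect_uri: Optional[str] = None
    # assumed to be already determined by a Token Endpoint Auth Method Processor
    token_endpoint_auth_method: Optional[str] = None


def enabled_grants(cfg: DcrConfig, req: RegistrationRequest) -> dict:
    grant_types, response_types = set(), set()
    nothing_requested = not req.grant_types and not req.response_types

    def require_redirect_uri(grant: str) -> None:
        if not req.redirect_uri:
            raise RegistrationError(f"redirect_uri is required for {grant}")

    # Authorization Code Grant: explicit request needs a redirect_uri; a request
    # with neither grant_types nor response_types but a redirect_uri also enables it.
    if cfg.authorization_code_grant:
        explicit = "authorization_code" in req.grant_types or "code" in req.response_types
        if explicit:
            require_redirect_uri("authorization_code")
        if explicit or (nothing_requested and req.redirect_uri):
            grant_types.add("authorization_code")
            response_types.add("code")

    # Implicit Grant: same shape of rule, disabled by default
    if cfg.implicit_grant:
        explicit = "implicit" in req.grant_types or "token" in req.response_types
        if explicit:
            require_redirect_uri("implicit")
        if explicit or (nothing_requested and req.redirect_uri):
            grant_types.add("implicit")
            response_types.add("token")

    # Client Credentials Grant and refresh: requested explicitly, or no grant_types at all
    if cfg.client_credentials_grant and ("client_credentials" in req.grant_types or not req.grant_types):
        grant_types.add("client_credentials")
    if cfg.access_token_refresh and ("refresh_token" in req.grant_types or not req.grant_types):
        grant_types.add("refresh_token")

    # client_secret only for the two secret-based token endpoint auth methods
    client_secret = None
    if cfg.client_secret_generator and req.token_endpoint_auth_method in ("client_secret_basic", "client_secret_post"):
        client_secret = secrets.token_urlsafe(32)   # 43 URL-safe characters

    return {
        "grant_types": sorted(grant_types),
        "response_types": sorted(response_types),
        "client_secret": client_secret,
    }
```

Note that with the default values a bare request carrying only a redirect_uri ends up with `authorization_code` plus `refresh_token`, while a request naming `implicit` gets nothing at all unless the Implicit Grant property is switched on.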
    

    OAuth 2.0 Flow Client

    Description
    OAuth 2.0 Flow Client Settings. The settings define the OAuth 2.0 handshake and can be referenced in flows through the provider ID. When the OAuth 2.0 authorization was successful, the OAuth 2.0 Access Token is stored in the user session and can be used by the plugin OAuth 2.0 Tokens Map in the ID Propagation to provide the Access Token to the backends.
    Class
    com.airlock.iam.oauth2.application.configuration.OAuth2SsoFlowClientSettings
    May be used by
    License-Tags
    OAuthClient
    Properties
    HTTP Client (httpClient)
    Description
    HTTP client used for token endpoint requests.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token/PAR Endpoint Authentication (tokenEndpointAuthentication)
    Description
    Specifies how the client secret is included in requests to the token and pushed authorization request (PAR) endpoints.

    RFC 6749 suggests using the HTTP Basic authentication scheme ('OAuth 2.0 Basic Auth Client Secret').
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Authorization Endpoint URL (authorizationEndpointURL)
    Description
    Authorization endpoint URL to obtain Authorization Codes from.
    Attributes
    String
    Mandatory
    Example
    https://airlock.iam/auth/ui/app/auth/oauth2/authorization-servers/asId/authorize
    Example
    https://airlock.iam/auth/oauth2/v3/asId/authorize
    Example
    https://accounts.google.com/o/oauth2/auth
    Example
    https://login.live.com/oauth20_authorize.srf
    Pushed Authorization Request Endpoint URL (pushedAuthorizationRequestEndpointURL)
    Description
    The pushed authorization request endpoint URI to send the Authorization Request to. If this property is set, the OAuth2 client will send all Authorization Requests according to the PAR specification as defined in RFC 9126.
    Attributes
    String
    Optional
    Example
    https://airlock.iam/auth/rest/oauth2/authorization-servers/asId/par
    Example
    https://as.example.org/as/par
    Token Endpoint URL (tokenEndpointURL)
    Description
    Token endpoint URL to get Access and Refresh Tokens.
    Attributes
    String
    Mandatory
    Example
    https://airlock.com/auth/rest/oauth2/authorization-servers/asId/token
    Example
    https://accounts.google.com/o/oauth2/token
    Example
    https://login.live.com/oauth20_token.srf
    Scopes To Request (scopesToRequest)
    Description
    Scopes to request from the authorization endpoint. Note that some authorization servers deny requests with no requested scopes.

    Scopes may only contain the following characters: 0-9, A-Z, a-z, !, #, $, %, &, ', (, ), *, +, ',', -, ., /, :, ;, <, >, =, ?, @, [, ], ^, _, `, {, }, |, ~

    Attributes
    String-List
    Optional
    PKCE Challenge Method (pkceChallengeMethod)
    Description
    Configures the PKCE challenge method.
    Attributes
    Enum
    Optional
    Default value
    S256
    Provider Identifier (providerId)
    Description
    An identifier to identify the OAuth 2.0 Authorization Server or OpenID Provider.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Client Redirect URI (clientRedirectURI)
    Description

    Defines the redirect URI (redirect_uri) parameter value to be included in OAuth 2.0 requests. The authorization response will then be sent to this URI by the authorization server (AS) or OpenID Provider (OP).

    For redirects to the default IAM Loginapp UI use the "OAuth 2.0 Default UI Client Redirect URI".

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Resource Requests (resourceRequests)
    Description

    Resource requests that will be executed to determine the identity of the user on the provider.

    An OAuth 2.0 credential containing the data of these resources is instantiated. This credential can then be used by plugins such as OAuth 2.0 Credential Roles Provider and OAuth 2.0 Credential Context Data Map to provide the data from the Authorization Server to the ID Propagation, which propagates it to the backends.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Account Linking Self-Service (accountLinkingSelfService)
    Description

    If enabled, this provider is available in the account linking self-service.

    Users can link their IAM account with this provider to have an alternative authentication method.

    The account link management is available for authenticated users under the Loginapp URL: <loginapp-uri>/ui/app/protected/account-links

    Attributes
    Plugin-Link
    Optional
    License-Tags
    OAuthAccountLinking,OAuthSocialRegistration
    Assignable plugins
    Missing Account Link Red Flag (missingAccountLinkRedFlag)
    Description

    If configured, the flow will raise the configured red flag and continue in case no user could be identified using an account link.

    This red flag can then be used by a following subflow to:
    1. be triggered (by using Account Linking Required Red Flag Condition as condition for the subflow)
    2. identify the local user with authentication steps
    3. link the identified user to the provider account and take down the red flag (by using Missing Account Link Step as step in the subflow)
    Attributes
    Plugin-Link
    Optional
    License-Tags
    OAuthAccountLinking,OAuthSocialRegistration
    Assignable plugins
    Client ID (clientId)
    Description
    Client ID identifying Airlock IAM at the authorization, token and resource endpoints of the OAuth 2.0 provider.
    Only alphanumeric characters and '-', '_' and '.' are allowed.
    Attributes
    String
    Mandatory
    Validation RegEx: [a-zA-Z0-9-_.]+
    Example
    example-app
    Example
    crypticyButUniqueAppId01953utjhu91823rih
    Client Secret (clientSecret)
    Description
    Client secret used to verify the client.
    Attributes
    String
    Mandatory
    Sensitive
    Access Token Request Method (accessTokenRequestMethod)
    Description
    HTTP method to use for Access Token requests.
    Attributes
    Enum
    Optional
    Default value
    POST
    Logging Settings (loggingSettings)
    Description
    Custom OAuth 2.0 client logging behaviour for integration or error diagnostics.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Enable Account Linking (enableAccountLinking)
    Description
    If enabled, this provider functions solely as an alternative authentication method for the accounts in the Loginapp's user store: users who have an IAM account and an account link to a provider account can authenticate using this provider. Account links can be created by:
    • Users using the self-service
    • The automated registration
    • The auto-link feature
    Attributes
    Boolean
    Optional
    License-Tags
    OAuthAccountLinking,OAuthSocialRegistration
    Default value
    false
    Auto-link IAM Account Based on Context Data Field (autoLinkExistingUsersContextDataField)
    Description
    If the provider's account has the same unique value for the given context data field as an existing account of the Loginapp's user persister, it will be linked with the provider's account. If left empty, none of the existing accounts will be linked.

    To be able to match the context data value, it is required to add an 'OAuth 2.0 Remote Context Data Resource' with a 'Local Context Data Key' equal to this value to the resource mappings and have a context data column entry equal to this value in the Loginapp's user persister.

    If this feature is used in combination with 'Automated Account Registration', no accounts will be registered that have been auto-linked.

    Security Warning: For security reasons this should always be a context data field that is globally unique (e.g. email or phone number) and was previously verified by the IAM registration process (channel verification) and the provider's registration process. If this is not guaranteed, an attacker may be able to use this feature to log into a victim's IAM account.

    Attributes
    String
    Optional
    License-Tags
    OAuthAccountLinking,OAuthSocialRegistration
    Suggested values
    email, mtan_number
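    Why the security warning above matters, shown as an added example that is not part of this reference and does not reproduce Airlock IAM's implementation: the weak matching rule (value equality alone) beside a hardened one. The LocalUser model, the verified_fields sets standing in for IAM channel verification and for the provider's own verification, and every account and value are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    """Constructed stand-in for an entry in the Loginapp's user persister."""
    username: str
    context_data: dict
    verified_fields: set = field(default_factory=set)  # assumed: fields IAM channel-verified


# Constructed sample store: the victim verified their e-mail during IAM registration.
USERS = [
    LocalUser("victim", {"email": "victim@example.org"}, {"email"}),
    LocalUser("unverified", {"email": "someone@example.org"}, set()),
]


def auto_link_naive(provider_account, context_field, users):
    """Weak rule: link on value equality alone.

    Any provider that lets its users set an arbitrary e-mail address becomes a
    way into the matching IAM account: the attacker registers the victim's
    address there and is linked to, and logged into, the victim's IAM account.
    """
    value = provider_account.get(context_field)
    for user in users:
        if value and user.context_data.get(context_field) == value:
            return user.username
    return None


def auto_link_checked(provider_account, context_field, users, provider_verified_fields):
    """Hardened rule: the value must be verified on both sides and match exactly one user.

    Returns (username, reason); username is None whenever no link may be created,
    in which case the flow should fall back to a red flag or to registration,
    never to a best-effort guess.
    """
    if context_field not in provider_verified_fields:
        return None, "provider did not verify this field"
    value = provider_account.get(context_field)
    if not value:
        return None, "provider account carries no value"
    matches = [u for u in users
               if u.context_data.get(context_field) == value and context_field in u.verified_fields]
    if not matches:
        return None, "no verified local account with this value"
    if len(matches) > 1:
        return None, "value is not unique in the user store; refusing to link"
    return matches[0].username, "linked"
```

    The hardened variant also refuses to link when the value matches more than one local account, which is exactly the "globally unique" condition from the warning: a field that is not unique cannot identify the account to link.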
    Automated Account Registration (accountRegistrationConfig)
    Description
    Enables automated IAM account registration with data from this provider.

    The user must always confirm the account registration.

    If this feature is used in combination with 'Auto-link IAM Account Based on Context Data Field', no accounts will be registered that have been auto-linked.

    Security Warning: For automated account registration, the provider's data is used without additional validation. In particular:

    • Identity verification for mTAN numbers and/or email addresses is currently not supported.
    • Data validation (e.g. using regular expressions) is currently not supported.
    • The provider's data that is used to create the account is not displayed to the user and the user is not asked to confirm the data, e.g. using transaction approval.
    Therefore, if this feature is used, the provider must guarantee that the provided data is valid (e.g. identity-verified and validated). IAM must trust the provider to do appropriate validation.

    Attributes
    Plugin-Link
    Optional
    License-Tags
    OAuthSocialRegistration
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OAuth2SsoFlowClientSettings
    id: OAuth2SsoFlowClientSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      accessTokenRequestMethod: POST
      accountLinkingSelfService:
      accountRegistrationConfig:
      authorizationEndpointURL:
      autoLinkExistingUsersContextDataField:
      clientId:
      clientRedirectURI:
      clientSecret:
      enableAccountLinking: false
      httpClient:
      loggingSettings:
      missingAccountLinkRedFlag:
      pkceChallengeMethod: S256
      providerId:
      pushedAuthorizationRequestEndpointURL:
      resourceRequests:
      scopesToRequest:
      tokenEndpointAuthentication:
      tokenEndpointURL:
    
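    The handshake these settings parameterise, as an added example written from the property names above. It is not Airlock IAM code and does not reproduce the plugin's internal behaviour: it is a plain RFC 6749 authorization-code client with PKCE (RFC 7636) and optional pushed authorization requests (RFC 9126). The endpoint URLs, client ID, client secret, redirect URI and the SETTINGS dict are constructed sample values; client authentication uses HTTP Basic, the scheme RFC 6749 recommends and the page names as 'OAuth 2.0 Basic Auth Client Secret'.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import quote_plus, urlencode

# Constructed sample values keyed by the Flow Client property names; not a real configuration.
SETTINGS = {
    "authorizationEndpointURL": "https://as.example.org/as/authorize",
    "pushedAuthorizationRequestEndpointURL": None,  # set a URL to switch to RFC 9126 PAR
    "tokenEndpointURL": "https://as.example.org/as/token",
    "clientId": "example-app",
    "clientSecret": "s3cr3t",
    "clientRedirectURI": "https://iam.example.ch/auth/ui/app/auth/oauth2/callback",
    "scopesToRequest": ["openid", "profile"],
    "pkceChallengeMethod": "S256",
    "accessTokenRequestMethod": "POST",
}

# RFC 6749 scope-token charset, i.e. the character list given for scopesToRequest above.
SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")

def validate_scopes(scopes):
    """Return the space-separated scope parameter; refuse tokens the AS would reject."""
    for s in scopes:
        if not SCOPE_TOKEN.match(s):
            raise ValueError(f"invalid scope token: {s!r}")
    return " ".join(scopes)

def new_code_verifier():
    # RFC 7636: 43-128 chars of [A-Za-z0-9-._~]; 32 random bytes give 43 base64url chars.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")

def pkce_challenge(code_verifier, method="S256"):
    """S256 = BASE64URL(SHA256(ASCII(verifier))) without padding; 'plain' echoes the verifier."""
    if method == "plain":
        return code_verifier
    if method != "S256":
        raise ValueError(f"unsupported PKCE method {method!r}")
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def basic_client_auth(client_id, client_secret):
    """RFC 6749 section 2.3.1: form-urlencode both values, join with ':' and Base64-encode."""
    raw = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def authorization_params(settings, state, code_verifier):
    method = settings["pkceChallengeMethod"]
    return {
        "response_type": "code",
        "client_id": settings["clientId"],
        "redirect_uri": settings["clientRedirectURI"],
        "scope": validate_scopes(settings["scopesToRequest"]),
        "state": state,  # fresh per request, bound to the session, checked in check_callback
        "code_challenge": pkce_challenge(code_verifier, method),
        "code_challenge_method": method,
    }

def par_request(settings, state, code_verifier):
    """Back-channel POST to the PAR endpoint (RFC 9126); client-authenticated like the token request."""
    return {
        "method": "POST",
        "url": settings["pushedAuthorizationRequestEndpointURL"],
        "headers": {"Authorization": basic_client_auth(settings["clientId"], settings["clientSecret"]),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(authorization_params(settings, state, code_verifier)),
    }

def authorization_request(settings, state, code_verifier, request_uri=None):
    """Front-channel redirect URL. Without PAR every parameter travels in the query string;
    with PAR only client_id and the request_uri returned by the PAR endpoint reach the browser."""
    if settings["pushedAuthorizationRequestEndpointURL"]:
        if request_uri is None:
            raise ValueError("PAR is configured: push the request first (par_request)")
        params = {"client_id": settings["clientId"], "request_uri": request_uri}
    else:
        params = authorization_params(settings, state, code_verifier)
    return settings["authorizationEndpointURL"] + "?" + urlencode(params)

def check_callback(expected_state, callback_params):
    """Bind the response to our request: a wrong state means CSRF or a mix-up, so drop it."""
    if callback_params.get("state") != expected_state:
        raise ValueError("state mismatch: response discarded")
    if "error" in callback_params:
        raise ValueError(f"authorization failed: {callback_params['error']}")
    return callback_params["code"]

def token_request(settings, code, code_verifier):
    """Code exchange; code_verifier lets the AS verify the challenge it saw earlier."""
    return {
        "method": settings["accessTokenRequestMethod"],
        "url": settings["tokenEndpointURL"],
        "headers": {"Authorization": basic_client_auth(settings["clientId"], settings["clientSecret"]),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": settings["clientRedirectURI"], "code_verifier": code_verifier}),
    }
```

    The order of operations for one login is: new_code_verifier and a fresh state, optionally par_request, then authorization_request for the browser redirect, check_callback on the returned parameters and finally token_request. Keep the verifier and state in the user session between the redirect and the callback; the verifier must never appear in the front channel, which is what makes S256 preferable to plain.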

    OAuth 2.0 Granted Scope Whitelist

    Description
    Restricts the scope of issued tokens to the configured values.
    Class
    com.airlock.iam.oauth2.application.configuration.as.OAuth2GrantedScopeWhitelistProcessorConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Allowed Scopes (allowedScopes)
    Description
    Restricts the scope of issued tokens to the configured values.

    Scopes may only contain the following characters: 0-9, A-Z, a-z, !, #, $, %, &, ', (, ), *, +, ',', -, ., /, :, ;, <, >, =, ?, @, [, ], ^, _, `, {, }, |, ~

    Attributes
    String-List
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.as.OAuth2GrantedScopeWhitelistProcessorConfig
    id: OAuth2GrantedScopeWhitelistProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedScopes:
    

    OAuth 2.0 Grants / OIDC Flows

    Description
    OAuth 2.0 Grants / OpenID Connect Flows.
    Class
    com.airlock.iam.login.app.misc.configuration.oauth.as.oauth2.OAuth2GrantsAndEndpointsConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    OAuth 2.0 Authorization Code Grant (authorizationCodeGrant)
    Description

    The OAuth 2.0 Authorization Code Grant.

    If configured, clients can authorize using the RFC 6749 Authorization Code Grant.

    Only one of this grant and the OpenID Connect Authorization Code Flow can be active at a time; all other grants and endpoints can be active in parallel.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    OIDC Authorization Code / Hybrid Flow (oidcAuthorizationCodeGrant)
    Description

    The OpenID Connect Authorization Code / Hybrid Flow.

    If configured, clients can authorize using the OpenID Connect Authorization Code Flow and optionally the OpenID Connect Hybrid Flow.

    Only one of this flow and the OAuth 2.0 Authorization Code Grant can be active at a time; all other grants and endpoints can be active in parallel.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    OAuth 2.0 Client Credentials Grant (clientCredentialsGrant)
    Description

    The OAuth 2.0 Client Credentials Grant.

    If configured, clients can authorize using the RFC 6749 Client Credentials Grant.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    OAuth 2.0 Token Exchange Grant (tokenExchangeGrant)
    Description

    The OAuth 2.0 Token Exchange Grant.

    If configured, the token endpoint supports the grant type "urn:ietf:params:oauth:grant-type:token-exchange" and exchanges tokens according to the configuration.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oauth.as.oauth2.OAuth2GrantsAndEndpointsConfig
    id: OAuth2GrantsAndEndpointsConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authorizationCodeGrant:
      clientCredentialsGrant:
      oidcAuthorizationCodeGrant:
      tokenExchangeGrant:
    

    OAuth 2.0 Header Access Token Config

    Description
    Configuration for the OAuth 2.0 Access Token header format.
    Class
    com.airlock.iam.oauth2.application.configuration.OAuth2HeaderAccessTokenConfig
    May be used by
    License-Tags
    OAuthClient,OAuthServer
    Properties
    Header Field Name (headerFieldName)
    Description
    Name of the header field containing the OAuth 2.0 Access Token.
    Attributes
    String
    Optional
    Default value
    Authorization
    Header Prefix (headerPrefix)
    Description
    Header field value prefix. The prefix must match exactly.
    A header prefix denotes the first part of a space delimited header value.
    E.g. "Authorization: Bearer 2q93nf8q23UIZFR2qfh98" where "Authorization" denotes the header field name, "Bearer" the header prefix and "2q93nf8q23UIZFR2qfh98" the Access Token.
    Attributes
    String
    Optional
    Suggested values
    Bearer, OAuth
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OAuth2HeaderAccessTokenConfig
    id: OAuth2HeaderAccessTokenConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      headerFieldName: Authorization
      headerPrefix:
    

    OAuth 2.0 Header Client Secret

    Description
    Specifies the format of the client secret passed in the header of OAuth 2.0 requests.
    Class
    com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2HeaderClientSecretConfig
    May be used by
    License-Tags
    OAuthClient
    Properties
    Header Field (headerField)
    Description
    Name of the header field containing the client secret.
    Attributes
    String
    Optional
    Default value
    Authorization
    Header Prefix (headerPrefix)
    Description
    Header field value prefix. The prefix must match exactly. May be empty.
    A header prefix denotes the first part of a space delimited header value.
    E.g. "Authorization: Basic 2q93nf8q23UIZFR2qfh98" where "Authorization" denotes the header field name, "Basic" the header prefix and "2q93nf8q23UIZFR2qfh98" the client secret value.
    Attributes
    String
    Optional
    Suggested values
    Basic
    Client Secret Format (clientSecretFormat)
    Description
    Client secret extraction pattern. If left blank, the client secret is the whole string. Otherwise this field must contain "$CLIENT_SECRET$" exactly once and may additionally contain "$CLIENT_ID$". When building requests the placeholders get replaced by their respective values, as specified in the OAuth 2.0 identity propagator plugin.
    Attributes
    String
    Optional
    Suggested values
    $CLIENT_ID$:$CLIENT_SECRET$
    Base64-Encoded Client Secret Value (base64EncodeClientSecretValue)
    Description
    Flag indicating whether the entire value (behind the optional prefix) is encoded in Base64; must be enabled for Basic-Auth.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2HeaderClientSecretConfig
    id: OAuth2HeaderClientSecretConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      base64EncodeClientSecretValue: false
      clientSecretFormat:
      headerField: Authorization
      headerPrefix:
    

    OAuth 2.0 Header Client Secret (AS)

    Description
    Specifies the format of the client secret passed in the header of OAuth 2.0 requests.
    Class
    com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2HeaderClientSecretMethodConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Header Field (headerField)
    Description
    Name of the header field containing the client secret.
    Attributes
    String
    Optional
    Default value
    Authorization
    Header Prefix (headerPrefix)
    Description
    Header field value prefix. The prefix must match exactly. May be empty.
    A header prefix denotes the first part of a space delimited header value.
    E.g. "Authorization: Basic 2q93nf8q23UIZFR2qfh98" where "Authorization" denotes the header field name, "Basic" the header prefix and "2q93nf8q23UIZFR2qfh98" the client secret value.
    Attributes
    String
    Optional
    Suggested values
    Basic
    Client Secret Format (clientSecretFormat)
    Description
    Client secret extraction pattern. If left blank, the client secret is the whole string. Otherwise this field must contain "$CLIENT_SECRET$" exactly once and may additionally contain "$CLIENT_ID$". When building requests the placeholders get replaced by their respective values, as specified in the OAuth 2.0 identity propagator plugin.
    Attributes
    String
    Optional
    Suggested values
    $CLIENT_ID$:$CLIENT_SECRET$
    Base64-Encoded Client Secret Value (base64EncodeClientSecretValue)
    Description
    Flag indicating whether the entire value (behind the optional prefix) is encoded in Base64; must be enabled for Basic-Auth.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2HeaderClientSecretMethodConfig
    id: OAuth2HeaderClientSecretMethodConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      base64EncodeClientSecretValue: false
      clientSecretFormat:
      headerField: Authorization
      headerPrefix:
    
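    Header handling as described for OAuth 2.0 Header Access Token Config, OAuth 2.0 Header Client Secret and OAuth 2.0 Header Client Secret (AS), as an added example reconstructed from the property descriptions; it is not Airlock IAM code. The defaults in the function signatures are the page's defaults and suggested values (Authorization, Bearer, Basic, $CLIENT_ID$:$CLIENT_SECRET$), the client_id character class is taken from the Client ID validation regex of the Flow Client, and all header values are constructed.

```python
import base64
import binascii
import re


def header_payload(headers, field, prefix):
    """Return the part of header `field` after the space-delimited `prefix`.

    The prefix must match exactly (case-sensitive); an empty prefix means the
    whole header value is the payload. None when the header is absent or malformed.
    """
    value = headers.get(field)
    if value is None:
        return None
    if not prefix:
        return value.strip()
    scheme, sep, rest = value.partition(" ")
    if not sep or scheme != prefix or not rest.strip():
        return None
    return rest.strip()


def extract_access_token(headers, header_field_name="Authorization", header_prefix="Bearer"):
    """OAuth 2.0 Header Access Token Config: the token is what follows the configured prefix."""
    return header_payload(headers, header_field_name, header_prefix)


def _format_pattern(client_secret_format):
    """Compile the configured format: $CLIENT_SECRET$ exactly once, $CLIENT_ID$ at most once."""
    if client_secret_format.count("$CLIENT_SECRET$") != 1 or client_secret_format.count("$CLIENT_ID$") > 1:
        raise ValueError("format must contain $CLIENT_SECRET$ once and $CLIENT_ID$ at most once")
    pattern = re.escape(client_secret_format)
    pattern = pattern.replace(re.escape("$CLIENT_ID$"), r"(?P<client_id>[a-zA-Z0-9\-_.]+)")
    pattern = pattern.replace(re.escape("$CLIENT_SECRET$"), r"(?P<client_secret>.+)")
    return re.compile("^" + pattern + "$", re.DOTALL)


def extract_client_secret(headers, header_field="Authorization", header_prefix="Basic",
                          client_secret_format="$CLIENT_ID$:$CLIENT_SECRET$",
                          base64_encode_client_secret_value=True):
    """OAuth 2.0 Header Client Secret (AS): return (client_id, client_secret).

    client_id is None when the format carries no $CLIENT_ID$; the result is None
    when the header is missing, the prefix differs, or the value does not parse.
    The defaults describe HTTP Basic authentication (RFC 6749 section 2.3.1).
    """
    payload = header_payload(headers, header_field, header_prefix)
    if payload is None:
        return None
    if base64_encode_client_secret_value:
        try:
            payload = base64.b64decode(payload, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
    if not client_secret_format:
        return (None, payload)
    m = _format_pattern(client_secret_format).match(payload)
    if m is None:
        return None
    return (m.groupdict().get("client_id"), m.group("client_secret"))


def format_client_secret_header(client_id, client_secret, header_field="Authorization",
                                header_prefix="Basic", client_secret_format="$CLIENT_ID$:$CLIENT_SECRET$",
                                base64_encode_client_secret_value=True):
    """OAuth 2.0 Header Client Secret (client side): the inverse of extract_client_secret."""
    value = client_secret
    if client_secret_format:
        value = client_secret_format.replace("$CLIENT_ID$", client_id).replace("$CLIENT_SECRET$", client_secret)
    if base64_encode_client_secret_value:
        value = base64.b64encode(value.encode("utf-8")).decode("ascii")
    if header_prefix:
        value = f"{header_prefix} {value}"
    return header_field, value
```

    Because the client_id class excludes ':', a secret that itself contains ':' is still split unambiguously at the first colon, as RFC 6749 Basic authentication requires. Note that "must match exactly" makes the prefix case-sensitive, which is stricter than the case-insensitive auth-scheme matching of RFC 7235: a client sending "bearer" or "basic" is refused.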

    OAuth 2.0 Issuer ID

    Description
    Defines an OAuth 2.0 issuer ID by an absolute URL with "https" scheme.
    Class
    com.airlock.iam.oauth2.application.configuration.OAuth2IssuerIdConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Issuer ID (issuerId)
    Description

    Issuer ID.

    Must be an absolute URL with "https" scheme and may not contain a query or fragment component.

    Attributes
    String
    Mandatory
    Example
    https://example.org/auth/rest/oauth2/authorization-servers/as-identifier
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OAuth2IssuerIdConfig
    id: OAuth2IssuerIdConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      issuerId:
    

    OAuth 2.0 Legacy Client Endpoint Redirect URI

    Description
    Includes the redirect URI for the legacy client endpoint (/oauth2-client) in OAuth 2.0 authorization requests. The URI must not contain a fragment.
    Class
    com.airlock.iam.oauth2.application.configuration.client.OAuth2LegacyClientEndpointRedirectUriConfig
    May be used by
    License-Tags
    OAuthClient
    Properties
    External Base URL (externalIamURL)
    Description
    External facing absolute https URL of this Loginapp. This URL is used to calculate the legacy client endpoint URL of Airlock IAM: <External Base URL>/oauth2-client
    Attributes
    String
    Mandatory
    Example
    https://external-airlock-iam.example.ch/auth/
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.client.OAuth2LegacyClientEndpointRedirectUriConfig
    id: OAuth2LegacyClientEndpointRedirectUriConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      externalIamURL:
    

    OAuth 2.0 Legacy Client Endpoint UI Redirect

    Description
    Performs a relative redirect to the UI.
    Class
    com.airlock.iam.oauth2.application.configuration.client.OAuth2LegacyClientEndpointRestUiSupport
    May be used by
    License-Tags
    OAuthClient
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.client.OAuth2LegacyClientEndpointRestUiSupport
    id: OAuth2LegacyClientEndpointRestUiSupport-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OAuth 2.0 Legacy Custom Client Endpoint Redirect

    Description
    Redirects to the configured URL.
    Class
    com.airlock.iam.oauth2.application.configuration.client.OAuth2LegacyCustomClientEndpointSupport
    May be used by
    License-Tags
    OAuthClient
    Properties
    Redirect URI (redirectUri)
    Description
    Absolute https URL pointing to the custom OAuth 2.0 client endpoint.
    Attributes
    String
    Mandatory
    Example
    https://iam.example.ch/custom/oauth2/client
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.client.OAuth2LegacyCustomClientEndpointSupport
    id: OAuth2LegacyCustomClientEndpointSupport-xxxxxx
    displayName: 
    comment: 
    properties:
      redirectUri:
    

    OAuth 2.0 Local Consent

    Description
    IAM will display a consent page to the user to confirm OAuth 2.0 scopes.
    Class
    com.airlock.iam.oauth2.application.configuration.OAuth2LocalConsentConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Enable Consent Storage (enableConsentStorage)
    Description
    If enabled, consents are stored in the "Consent Storage Repository" configured in the Authorization Server configuration. Otherwise, no consents will be persisted and the user will have to explicitly grant consents every time.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OAuth2LocalConsentConfig
    id: OAuth2LocalConsentConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      enableConsentStorage: false
    

    OAuth 2.0 LocalDate Context Data Resource

    Description
    A resource provider providing LocalDates from a context data field. A LocalDate is a date without a time zone, as used for birthdays for example.
    Class
    com.airlock.iam.oauth2.application.configuration.resource.OAuth2LocalDateContextDataResourceProviderConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Context Data Item (contextDataItem)
    Description
    The date context data element to be returned by this resource.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Pattern (pattern)
    Description
    The pattern to format the local date value.
    Attributes
    String
    Optional
    Default value
    yyyy-MM-dd
    Suggested values
    yyyy-MM-dd, dd.MM.yyyy, MM/dd/yyyy, dd-MMM-yyyy
    Identifier (identifier)
    Description
    The identifier of this resource provider.
    Attributes
    String
    Mandatory
    Example
    user
    Example
    language
    Condition (condition)
    Description

    This resource value will only be added to the response if the configured condition is satisfied.

    If no condition is configured, the resource value will always be added.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.resource.OAuth2LocalDateContextDataResourceProviderConfig
    id: OAuth2LocalDateContextDataResourceProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      contextDataItem:
      identifier:
      pattern: yyyy-MM-dd
    

    OAuth 2.0 Logging Settings

    Description
    Configures OAuth 2.0 logging behaviour for integration or error diagnostics.

    Be aware that these settings are not meant for productive use unless required for error diagnostics.

    Class
    com.airlock.iam.oauth2.application.configuration.logging.OAuth2LoggingSettings
    May be used by
    License-Tags
    OAuthClient,OAuthServer
    Properties
    DEBUG Logs On INFO (logOnInfo)
    Description
    If enabled, all DEBUG logs are written to INFO instead.

    Be aware that logging DEBUG information is detrimental to security because sensitive data might be logged. In addition, increased log output decreases the performance of the system.

    Attributes
    Boolean
    Optional
    Default value
    false
    Token Logging Strategy (strategy)
    Description
    Configures how many characters of OAuth 2.0 Tokens are logged, e.g. during Token Introspection, Token Refresh or when receiving tokens as a client. If not configured, token content is always hidden in logs.

    Security implications: Logging token information is detrimental to security. The logs will contain parts of OAuth 2.0 Tokens, which is generally not recommended. This increases the probability of guessing correct tokens for attackers with log access.
    Especially in cases where tokens (e.g. Refresh Tokens) are long living, we advise against using this feature.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.logging.OAuth2LoggingSettings
    id: OAuth2LoggingSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      logOnInfo: false
      strategy:
    

    OAuth 2.0 Metadata Endpoint

    Description

    Configuration of an endpoint for OAuth 2.0 Authorization Server Metadata (RFC 8414).

    Note that this endpoint also works for authorization servers in OpenID Connect mode.

    As dictated by RFC 8414, the front-facing URL of this endpoint must be derived from the configured issuer ID. For instance, if the issuer ID is "https://example.com/auth/rest/oauth2/authorization-servers/main-as", the front-facing URL of this endpoint must be "https://example.com/.well-known/oauth-authorization-server/auth/rest/oauth2/authorization-servers/main-as".

    Note that the well-known URI string ".well-known/oauth-authorization-server/" is not appended but inserted after the host part of the issuer ID to be compliant. Regardless of this fact, IAM serves this endpoint at a URL where the well-known URI string is appended to the base URL of the AS (e.g., "https://example.com/auth/rest/oauth2/authorization-servers/main-as/.well-known/oauth-authorization-server"). In order to fully meet the specification, an Airlock Gateway (WAF) mapping should be used to map the compliant URL to the one used by IAM.

    Class
    com.airlock.iam.login.app.misc.configuration.oauth.as.OAuth2MetadataEndpointConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Issuer Validation Mode (issuerValidationMode)
    Description

    Defines how IAM should behave when a mismatch is detected at runtime between the configured issuer ID and the front-facing URL of the request to this endpoint.

    Available options:

    • Ignore: Ignore a mismatch and respond with metadata
    • Log Only: Log a warning and respond with metadata when there is a mismatch
    • Fail: Respond with a server error when there is a mismatch

    Attributes
    Enum
    Optional
    Default value
    FAIL
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oauth.as.OAuth2MetadataEndpointConfig
    id: OAuth2MetadataEndpointConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      issuerValidationMode: FAIL
    
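    The URL derivation and issuer checks described here and in the OAuth 2.0 Issuer ID plugin above, as an added example; it is not Airlock IAM code. The issuer URL is the page's own example; the enum value names IGNORE and LOG_ONLY and the HTTP status 500 for "server error" are assumptions (only FAIL appears on the page).

```python
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = ".well-known/oauth-authorization-server"


def parse_issuer_id(issuer):
    """Rules from the OAuth 2.0 Issuer ID plugin: absolute https URL, no query, no fragment."""
    p = urlsplit(issuer)
    if p.scheme != "https" or not p.netloc:
        raise ValueError("issuer ID must be an absolute URL with https scheme")
    if p.query or p.fragment:
        raise ValueError("issuer ID must not contain a query or fragment component")
    return p


def is_valid_issuer_id(issuer):
    try:
        parse_issuer_id(issuer)
        return True
    except ValueError:
        return False


def compliant_metadata_url(issuer):
    """RFC 8414 section 3: the well-known string is inserted between host and path of the issuer."""
    p = parse_issuer_id(issuer)
    return urlunsplit((p.scheme, p.netloc, "/" + WELL_KNOWN + p.path.rstrip("/"), "", ""))


def iam_metadata_url(issuer):
    """Where IAM serves the document: the well-known string appended to the AS base URL."""
    p = parse_issuer_id(issuer)
    return urlunsplit((p.scheme, p.netloc, p.path.rstrip("/") + "/" + WELL_KNOWN, "", ""))


def gateway_rewrite(request_path, issuer):
    """Path rewrite a reverse proxy (e.g. an Airlock Gateway mapping) performs so that the
    RFC-compliant URL reaches IAM's endpoint. None if the path is not this AS's metadata URL."""
    if request_path != urlsplit(compliant_metadata_url(issuer)).path:
        return None
    return urlsplit(iam_metadata_url(issuer)).path


def metadata_response(issuer, front_facing_url, mode="FAIL"):
    """issuerValidationMode behaviour for one request; returns (http_status, log_warning)."""
    expected = compliant_metadata_url(issuer)
    if front_facing_url == expected:
        return 200, None
    warning = f"issuer mismatch: {issuer} implies {expected}, request URL was {front_facing_url}"
    if mode == "IGNORE":
        return 200, None
    if mode == "LOG_ONLY":
        return 200, warning
    if mode == "FAIL":
        return 500, warning
    raise ValueError(f"unknown issuerValidationMode {mode!r}")


def client_accepts_metadata(metadata, expected_issuer):
    """RFC 8414 section 3.3, client side: the 'issuer' value in the document must equal the
    issuer the URL was derived from; otherwise the document is rejected."""
    return metadata.get("issuer") == expected_issuer
```

    The FAIL default is the safe one: a mismatch usually means the gateway mapping is missing or a host header was rewritten, and serving metadata under a URL that does not match the issuer is exactly what a standards-conforming client will reject anyway.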

    OAuth 2.0 No Client Authentication

    Description
    If configured, no client authentication is performed on requests. The client is therefore considered a public client according to RFC 6749.
    Class
    com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2NoClientAuthenticationConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2NoClientAuthenticationConfig
    id: OAuth2NoClientAuthenticationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OAuth 2.0 No Client Secret Authentication

    Description
    No authentication of the client. Security Warning: Always use client authentication. Use this plugin only if the client is authenticated using another channel (for example client certificates).
    Class
    com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2NoAuthenticationClientSecretConfig
    May be used by
    License-Tags
    OAuthClient
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2NoAuthenticationClientSecretConfig
    id: OAuth2NoAuthenticationClientSecretConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OAuth 2.0 No Redirect URI

    Description
    Does not include the redirect URI in OAuth 2.0 authorization requests.
    Class
    com.airlock.iam.oauth2.application.configuration.client.OAuth2NoRedirectUriConfig
    May be used by
    License-Tags
    OAuthClient
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.client.OAuth2NoRedirectUriConfig
    id: OAuth2NoRedirectUriConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OAuth 2.0 Parameter Access Token Config

    Description
    Configuration for the OAuth 2.0 Access Token parameter format.
    Class
    com.airlock.iam.oauth2.application.configuration.OAuth2ParameterAccessTokenConfig
    May be used by
    License-Tags
    OAuthClient,OAuthServer
    Properties
    Parameter Name (parameterName)
    Description
    Name of the Access Token parameter.
    Attributes
    String
    Optional
    Default value
    access_token
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OAuth2ParameterAccessTokenConfig
    id: OAuth2ParameterAccessTokenConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      parameterName: access_token
    

    OAuth 2.0 Parameter Client Secret

    Description
    Specifies the format of the client secret passed as a parameter of OAuth 2.0 requests.
    Class
    com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2ParameterClientSecretConfig
    May be used by
    License-Tags
    OAuthClient
    Properties
    Client Id Name (clientIdName)
    Description
    Parameter name of the request parameter containing the Client ID.
    Attributes
    String
    Optional
    Default value
    client_id
    Parameter Name (parameterName)
    Description
    Parameter name of the request parameter containing the client secret.
    Attributes
    String
    Optional
    Default value
    client_secret
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2ParameterClientSecretConfig
    id: OAuth2ParameterClientSecretConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      clientIdName: client_id
      parameterName: client_secret
    

    OAuth 2.0 Parameter Client Secret (AS)

    Description
    Specifies the format of the client secret passed as a parameter of OAuth 2.0 requests.
    Class
    com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2ParameterClientSecretMethodConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Client Id Name (clientIdName)
    Description
    Parameter name of the request parameter containing the client ID.
    Attributes
    String
    Optional
    Default value
    client_id
    Parameter Name (parameterName)
    Description
    Parameter name of the request parameter containing the client secret.
    Attributes
    String
    Optional
    Default value
    client_secret
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.clientauthentication.OAuth2ParameterClientSecretMethodConfig
    id: OAuth2ParameterClientSecretMethodConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      clientIdName: client_id
      parameterName: client_secret
    

    OAuth 2.0 Persisted Clients

    Description
    Persisted OAuth 2.0 / OpenID Connect Clients.
    These clients are stored in the database and can be inserted using Dynamic Client Registration.
    Class
    com.airlock.iam.login.app.misc.configuration.oauth.as.client.OAuth2PersistedClientConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    OAuth 2.0 Client Repository (clientRepository)
    Description
    Configures the repository to store OAuth 2.0 clients.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Empty Scope Attribute Interpreted As All Scopes Allowed (emptyScopeAttributeInterpretedAsAllScopesAllowed)
    Description

    Determines how to interpret a persisted client with an empty list of registered scopes. This happens when a client is being registered without sending any scopes or by filtering the requested scopes.

    If this option is enabled, a persisted client whose registered scopes are empty is interpreted as having an undefined list of allowed scopes, meaning that all scopes may be requested. Otherwise, a persisted client whose registered scopes are empty is interpreted as having an empty list of allowed scopes, i.e. no scope is allowed.

    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oauth.as.client.OAuth2PersistedClientConfig
    id: OAuth2PersistedClientConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      clientRepository:
      emptyScopeAttributeInterpretedAsAllScopesAllowed: true
    

    OAuth 2.0 Post Logout Redirect Base URL

    Description

    Redirect URI to the IAM SPA endpoint after an RP-initiated logout at the AS.

    Class
    com.airlock.iam.oauth2.application.configuration.client.OAuth2SpaPostLogoutRedirectUriConfig
    May be used by
    License-Tags
    OAuthClient
    Properties
    Post Logout Redirect Base URL (postLogoutRedirectBaseUrl)
    Description

    The external base URL of the IAM instance that initiated the logout, to which the AS should redirect
    after the logout has been performed. This URL must previously have been registered with the AS.

    Attributes
    String
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.client.OAuth2SpaPostLogoutRedirectUriConfig
    id: OAuth2SpaPostLogoutRedirectUriConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      postLogoutRedirectBaseUrl:
    

    OAuth 2.0 Provider Identifier

    Description

    An ID to identify an OAuth 2.0 Authorization Server or OpenID Provider.

    Class
    com.airlock.iam.oauth2.application.configuration.OAuth2ProviderIdentifierConfig
    May be used by
    License-Tags
    OAuthClient
    Properties
    Provider Identifier (identifier)
    Description
    An identifier used to identify the OAuth 2.0 Authorization Server or OpenID Provider. Only alphanumeric characters are allowed.
    Attributes
    String
    Mandatory
    Length <= 20
    Validation RegEx: [a-zA-Z0-9]+
    Example
    swissid
    Example
    twitter
    Example
    google
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OAuth2ProviderIdentifierConfig
    id: OAuth2ProviderIdentifierConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      identifier:
    

    OAuth 2.0 Pushed Authorization Request (PAR) Repository

    Description

    OAuth 2.0 / OpenID Connect Pushed Authorization Request (PAR) Repository for relational databases.

    Requests made to the PAR endpoint are saved in this repository and later retrieved when the user makes a request to the authorization endpoint with the generated request_uri.

    Class
    com.airlock.iam.oauth2.application.configuration.par.OAuth2ParRequestRepositoryConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    SQL Data Source (sqlDataSource)
    Description
    Defines how connections to the database are obtained.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Log Queries (logQueries)
    Description

    If enabled, all SQL queries executed on this repository will be written to the module's corresponding log file. This is only effective if the log level is set to at least INFO.

    Warning: query values (including potentially sensitive data) will be logged as well.

    Attributes
    Boolean
    Optional
    Default value
    false
    Tenant ID (tenantId)
    Description

    Identity added to the database records to distinguish between different tenants. Only requests that match the tenant ID specified here will be retrieved on query.

    If left empty, 'no_tenant' is used as the effective value for tenant ID.

    Attributes
    String
    Optional
    Length <= 50
    Validation RegEx: (?!no_tenant$).*
    Example
    customerA
    Example
    customerB
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.par.OAuth2ParRequestRepositoryConfig
    id: OAuth2ParRequestRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      logQueries: false
      sqlDataSource:
      tenantId:
    

    OAuth 2.0 Pushed Authorization Requests

    Description

    Configures OAuth 2.0 Pushed Authorization Requests (PAR).

    The endpoint is located at /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/par. Clients must authenticate to call this endpoint. The PAR endpoint uses the same authentication method as configured for the token endpoint.

    To prevent attacks like swapping an obtained request_uri, clients should make use of PKCE, use a unique state parameter, or use the OIDC "nonce" parameter.

    Class
    com.airlock.iam.oauth2.application.configuration.par.OAuth2ParConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Request URI Lifetime [s] (requestUriLifetime)
    Description

    The lifetime of the generated PAR request URI in seconds.

    As general guidance, the validity time should be less than a minute.

    Attributes
    Integer
    Optional
    Default value
    30
    OAuth 2.0 PAR Repository (repository)
    Description
    OAuth 2.0 PAR repository configuration to store pushed authorization requests in the database.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Require PAR (requirePar)
    Description
    If this flag is set, all authorization requests made to the authorization server must use PAR. Non-PAR requests will lead to an invalid_request error.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.par.OAuth2ParConfig
    id: OAuth2ParConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      repository:
      requestUriLifetime: 30
      requirePar: false
    

    OAuth 2.0 Remote Consent

    Description

    IAM will redirect the user to the configured remote consent URL to confirm OAuth 2.0 scopes.

    The remote site must implement the Remote Consent Protocol. Please refer to the documentation for further information.

    Class
    com.airlock.iam.oauth2.application.configuration.OAuth2RemoteConsentConfig
    May be used by
    License-Tags
    RemoteConsent
    Properties
    Remote Consent URL (remoteConsentUrl)
    Description
    URL for the remote consent page to redirect the user to. For security reasons, only https URLs are allowed.
    Attributes
    String
    Mandatory
    Example
    https://example.com/remoteconsent
    JWT Signer (signer)
    Description
    Settings that are used for signing the JWT contained in the consent request. This JWT is sent to the remote site.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    JWT Encrypter (encrypter)
    Description
    Settings that are used for encrypting the JWT contained in the consent request.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Validity [s] (validity)
    Description
    Number of seconds the JWT contained in the consent request is valid for.
    Attributes
    Integer
    Optional
    Default value
    1800
    Callback URL (callbackUrl)
    Description
    URL for the callback from the remote consent page. This URL is included in the consent request JWT. The remote site must use this URL to redirect the user back to IAM. For security reasons, only https URLs are allowed.
    Attributes
    String
    Mandatory
    Example
    https://iam.example.com/auth-login/ui/app/auth/oauth2/consent/confirm
    Example
    https://iam.example.com/auth-login/oauth2-confirm
    JWT Signature Verifier (verifier)
    Description
    Settings that are used for verifying the MAC or signature of the JWT containing the user consent. This JWT is sent by the remote site.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    JWT Decrypter (decrypter)
    Description
    Settings that are used for decrypting the JWT sent by the remote site.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Airlock Gateway (WAF) Role for Remote Consent Site (airlockGatewayRole)
    Description

    The Airlock Gateway (WAF) role / credential that is set when accessing the remote consent site.

    This can be used when IAM and the remote consent site provider are behind the same Airlock Gateway and you want to restrict the access to the remote consent site by a specific Gateway mapping.

    The name of the credential can be followed by a colon and the idle timeout of the credential in seconds, e.g. "myrole:300" sets the credential "myrole" that will expire after 5 minutes of client inactivity.

    With a second colon and a second number, the lifetime can be set, e.g. "myrole:300:3600" sets the credential "myrole" for a maximum of 1 hour, but it will also expire after 5 minutes of client inactivity.

    Attributes
    String
    Optional
    Example
    remote_consent_site
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OAuth2RemoteConsentConfig
    id: OAuth2RemoteConsentConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      airlockGatewayRole:
      callbackUrl:
      decrypter:
      encrypter:
      remoteConsentUrl:
      signer:
      validity: 1800
      verifier:
    

    OAuth 2.0 Remote Context Data Resource

    Description
    Extracts a single value from a remote resource. The value will finally be available in the authentee's context data.
    Class
    com.airlock.iam.oauth2.application.configuration.client.OAuth2RemoteContextDataResource
    May be used by
    License-Tags
    OAuthClient
    Properties
    Local Context Data Key (localContextDataKey)
    Description
    The key used to store this data item in the authentee's context data.
    Attributes
    String
    Mandatory
    Optional (optional)
    Description
    If set to false, the resource must be present. In case the resource cannot be obtained, authentication fails.
    If set to true, the authentee's context data field is only set in case the resource is present. In case the resource cannot be obtained, the context data field will not be added to the authentee.
    Attributes
    Boolean
    Optional
    Default value
    false
    String Transformers (stringTransformers)
    Description
    If the selected resource is a string value, a chain of string transformers may be specified to transform the selected resource.
    Note: If the resource is not a string, but a list of string transformers is configured, authentication fails.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Resource Selector (resourceSelector)
    Description
    OAuth 2.0 Resource Selector specifying where this resource is located within the JSON response expected from the resource request.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.client.OAuth2RemoteContextDataResource
    id: OAuth2RemoteContextDataResource-xxxxxx
    displayName: 
    comment: 
    properties:
      localContextDataKey:
      optional: false
      resourceSelector:
      stringTransformers:
    

    OAuth 2.0 Remote User Role Resource

    Description
    Extracts user roles from a remote OAuth 2.0 resource endpoint.
    Class
    com.airlock.iam.oauth2.application.configuration.client.OAuth2RemoteUserRoleResource
    May be used by
    License-Tags
    OAuthClient
    Properties
    Resource Selector (resourceSelector)
    Description
    OAuth 2.0 Resource Selector specifying where this resource is located within the JSON response expected from the resource request.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.client.OAuth2RemoteUserRoleResource
    id: OAuth2RemoteUserRoleResource-xxxxxx
    displayName: 
    comment: 
    properties:
      resourceSelector:
    

    OAuth 2.0 Remote Username Resource

    Description
    Represents the username as made available by the OAuth 2.0 resource endpoint.
    Class
    com.airlock.iam.oauth2.application.configuration.client.OAuth2RemoteUsernameResource
    May be used by
    License-Tags
    OAuthClient
    Properties
    Resource Selector (resourceSelector)
    Description
    OAuth 2.0 Resource Selector specifying where this resource is located within the JSON response expected from the resource request.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.client.OAuth2RemoteUsernameResource
    id: OAuth2RemoteUsernameResource-xxxxxx
    displayName: 
    comment: 
    properties:
      resourceSelector:
    

    OAuth 2.0 Resource

    Description
    An OAuth 2.0 resource configuration.
    Class
    com.airlock.iam.oauth2.application.configuration.resource.OAuth2ResourceConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Resource Name (resourceName)
    Description

    The name of this resource.

    This value will be part of the URL: /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/resources/<resource-name>

    Attributes
    String
    Mandatory
    Validation RegEx: [a-zA-Z0-9._-]+
    Example
    username
    Example
    surname
    Resource Content Providers (resourceProviders)
    Description

    A list of OAuth 2.0 resource content providers.

    Each provider may contribute any number of claims to the final result of this resource.

    Multiple claims with the same name can be configured if each has a claim condition which ensures that only one of them will be included at runtime.

    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Required Scopes (requiredScopes)
    Description

    Scopes required to access this resource.

    If scope values are added to this list, the access token has to cover at least all configured scopes to be able to access this resource.

    If this list is left empty, there are no required scopes to access this resource, meaning it is accessible to anyone presenting a valid access token, regardless of the presented scopes. Note however, that the individual resource providers may have a configured condition requiring that certain scopes be present to include the corresponding data element in the response.

    Attributes
    String-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.resource.OAuth2ResourceConfig
    id: OAuth2ResourceConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      requiredScopes:
      resourceName:
      resourceProviders:
    

    OAuth 2.0 Resource Endpoint

    Description

    OAuth 2.0 / OpenID Connect resource endpoint configuration.

    Authentication against these endpoints must be done using an Access Token presented as a Bearer token in the Authorization header; for example: Authorization: Bearer pQ8x4f8PXcp9aS84

    The endpoint will be available under /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/resources/<resource-name>

    Class
    com.airlock.iam.oauth2.application.configuration.resource.OAuth2ResourceEndpointConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Resources (resources)
    Description
    A list of available resources.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Access Token Authentication Config (accessTokenAuthenticationConfig)
    Description
    Configures how the Access Token is extracted from the request.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.resource.OAuth2ResourceEndpointConfig
    id: OAuth2ResourceEndpointConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accessTokenAuthenticationConfig:
      resources:
    

    OAuth 2.0 Resource Selector

    Description
    Plugin selecting a specific resource from a parsed response.
    To find a resource in the response tree, the configured regex patterns are applied to the identifiers in the following way:
    The first pattern of the matcher list is applied to the keys of the root level. The element corresponding to the first matching key is retrieved and the next pattern is applied to the keys of the nested element.
    The last pattern must apply to a single value or a list of values (then the first one is used).
    Class
    com.airlock.iam.oauth2.application.configuration.client.OAuth2ResourceSelectorImpl
    May be used by
    License-Tags
    OAuthClient
    Properties
    Matcher List (matcherList)
    Description
    List of patterns that will be applied in sequence on the keyset of nested maps. If the pattern is ambiguous (multiple matches) the first one is selected.
    Attributes
    RegEx-List
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.client.OAuth2ResourceSelectorImpl
    id: OAuth2ResourceSelectorImpl-xxxxxx
    displayName: 
    comment: 
    properties:
      matcherList:
    
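As an added example (not Airlock IAM's own code): a Python model of the matcher-list walk described above, together with the Simple Resource Selector lookup and the "Optional" / "String Transformers" handling of the Remote Context Data Resource. It assumes full-match regex semantics, document-order key iteration, and a constructed userinfo-style response.

```python
# Added illustrative model (not Airlock IAM code) of the OAuth 2.0 Resource Selector,
# the Simple Resource Selector and the Optional / String Transformers settings of the
# Remote Context Data Resource, applied to a parsed JSON response.
# Assumptions: each pattern must match a key in full, and "first matching key" means
# the first key in JSON document order.
import json
import re
from typing import Any, Callable, Optional, Sequence


class ResourceResolutionError(Exception):
    """Raised where IAM would fail the authentication."""


def _first_value(node: Any) -> Optional[Any]:
    """The last pattern must land on a single value or a list (first element used)."""
    if isinstance(node, list):
        return node[0] if node else None
    if isinstance(node, dict):
        return None  # landed on a nested object rather than a value
    return node


def select_resource(response: Any, matcher_list: Sequence[str]) -> Optional[Any]:
    """Resource Selector: apply the patterns in sequence to the keys of nested maps.

    The first key matching the current pattern is followed (ambiguity: first wins).
    Returns None when a pattern matches no key or there is no map to apply it to.
    """
    node = response
    for pattern in matcher_list:
        if not isinstance(node, dict):
            return None
        regex = re.compile(pattern)
        key = next((k for k in node if regex.fullmatch(k)), None)
        if key is None:
            return None
        node = node[key]
    return _first_value(node)


def select_simple(response: Any, key: str) -> Optional[Any]:
    """Simple Resource Selector: one top-level key; first value if it holds a list."""
    if not isinstance(response, dict) or key not in response:
        return None
    return _first_value(response[key])


def resolve_context_data(
    response: Any,
    matcher_list: Sequence[str],
    *,
    optional: bool = False,
    transformers: Sequence[Callable[[str], str]] = (),
) -> Optional[Any]:
    """Remote Context Data Resource: the value that goes into the authentee's context data.

    optional=False: a missing resource fails authentication (exception).
    optional=True : a missing resource yields None, i.e. the field is not added.
    transformers  : applied in chain to string values only; a non-string value with
                    a configured transformer chain fails authentication.
    """
    value = select_resource(response, matcher_list)
    if value is None:
        if optional:
            return None
        raise ResourceResolutionError(f"resource {list(matcher_list)} not present")
    if transformers:
        if not isinstance(value, str):
            raise ResourceResolutionError("string transformers configured but resource is not a string")
        for transform in transformers:
            value = transform(value)
    return value


# Constructed sample userinfo-style response (not taken from any real provider).
SAMPLE_RESPONSE = json.loads("""
{
  "sub": "8f3a2c",
  "email": "Alice.Example@EXAMPLE.COM",
  "roles": ["user", "admin"],
  "profile": {"given_name": "Alice", "phone_numbers": ["+41 00 000 00 00"]},
  "age": 42
}
""")

if __name__ == "__main__":
    print(select_resource(SAMPLE_RESPONSE, ["profile", "given.*"]))   # Alice
    print(select_resource(SAMPLE_RESPONSE, ["roles"]))                # user (first of list)
    print(resolve_context_data(SAMPLE_RESPONSE, ["email"], transformers=[str.lower]))
```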

    OAuth 2.0 Scope Matcher

    Description
    A matcher that matches one or more scopes in the context of OAuth 2.0 / OpenID Connect.
    Class
    com.airlock.iam.oauth2.application.configuration.scope.OAuth2ScopeMatcherConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Scope Name Pattern (scopeNamePattern)
    Description
    The regular expression the scope name is matched against.
    Attributes
    RegEx
    Mandatory
    Case Sensitive (caseSensitive)
    Description
    If enabled, the case of characters is considered when matching the scope name against the pattern.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.scope.OAuth2ScopeMatcherConfig
    id: OAuth2ScopeMatcherConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      caseSensitive: true
      scopeNamePattern:
    
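As an added example (not Airlock IAM's own code): a Python model of three scope decisions described on this page, the "Empty Scope Attribute Interpreted As All Scopes Allowed" option of persisted clients, the "Required Scopes" check of an OAuth 2.0 Resource, and the Scope Matcher above. It assumes a scope request is acceptable when every requested scope is allowed for the client and that the matcher pattern must match the whole scope name.

```python
# Added illustrative model (not Airlock IAM code) of scope handling as documented for
# persisted clients, OAuth 2.0 resources and the OAuth 2.0 Scope Matcher.
# Assumptions: requested scopes are acceptable only if all are allowed for the client;
# the matcher pattern is matched against the complete scope name.
import re
from typing import Iterable, List, Optional


def allowed_scopes(registered: Iterable[str], empty_means_all: bool = True) -> Optional[frozenset]:
    """Effective allowed scopes of a persisted client.

    None means "undefined": any scope may be requested. With the option disabled,
    an empty registration yields the empty set, so no scope is allowed.
    Note that the default (True) is the permissive interpretation.
    """
    scopes = frozenset(registered)
    if scopes:
        return scopes
    return None if empty_means_all else frozenset()


def client_may_request(registered: Iterable[str], requested: Iterable[str],
                       empty_means_all: bool = True) -> bool:
    """Whether a client may request the given scopes under its registration."""
    allowed = allowed_scopes(registered, empty_means_all)
    if allowed is None:
        return True
    return frozenset(requested) <= allowed


def resource_accessible(token_scopes: Iterable[str], required_scopes: Iterable[str]) -> bool:
    """Required Scopes of a resource: the access token must cover all of them.

    An empty required list means any valid access token may read the resource,
    regardless of its scopes (per-provider claim conditions still apply).
    """
    return frozenset(required_scopes) <= frozenset(token_scopes)


def scope_matches(scope: str, pattern: str, case_sensitive: bool = True) -> bool:
    """OAuth 2.0 Scope Matcher: regex against the scope name, optionally case-insensitive."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(pattern, scope, flags) is not None


def matching_scopes(scopes: Iterable[str], pattern: str, case_sensitive: bool = True) -> List[str]:
    """All scopes of a token that the matcher accepts, in their original order."""
    return [s for s in scopes if scope_matches(s, pattern, case_sensitive)]


if __name__ == "__main__":
    # Constructed values: a client registered without scopes, then a token read check.
    print(client_may_request([], ["openid", "email"]))                     # True (default)
    print(client_may_request([], ["openid"], empty_means_all=False))       # False
    print(resource_accessible(["openid"], ["openid", "email"]))            # False
    print(matching_scopes(["read:a", "Read:b", "write:a"], "read:.*", False))
```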

    OAuth 2.0 Scope Translation Entry

    Description
    Defines translation rules for OAuth 2.0 scopes to human-readable explanations.
    Class
    com.airlock.iam.login.app.misc.oauth2.provider.configuration.OAuth2ScopeTranslationEntry
    May be used by
    License-Tags
    OAuthServer
    Properties
    Scope Pattern (scopePattern)
    Description
    Regular expression matched against the OAuth 2.0 scopes. If the expression matches, the "Translation Key" is used instead of the scope name.
    Attributes
    RegEx
    Mandatory
    Translation Key (translationKey)
    Description
    Property key used to obtain a human-readable name or description of the scope. This key must be present in the strings_xx.properties file or be added manually by other means. If no translation is found, the key is displayed instead of the scope name.
    Attributes
    String
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oauth2.provider.configuration.OAuth2ScopeTranslationEntry
    id: OAuth2ScopeTranslationEntry-xxxxxx
    displayName: 
    comment: 
    properties:
      scopePattern:
      translationKey:
    

    OAuth 2.0 Scope Translator

    Description
    Plugin to transform OAuth 2.0 scopes to human-readable versions. These translations are used on multiple pages, where end-users interact with scopes, e.g. on the consent or self-service session management page.
    Class
    com.airlock.iam.login.app.misc.oauth2.provider.configuration.OAuth2ScopeTranslator
    May be used by
    License-Tags
    OAuthServer
    Properties
    Scope Translations (scopeTranslations)
    Description
    List of translation rules for OAuth 2.0 scopes.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oauth2.provider.configuration.OAuth2ScopeTranslator
    id: OAuth2ScopeTranslator-xxxxxx
    displayName: 
    comment: 
    properties:
      scopeTranslations:
    

    OAuth 2.0 Session List

    Description
    Configures the OAuth 2.0 session list REST self-service. Additional self-service functionality can be configured in "Protected Self-Service Flows".
    Class
    com.airlock.iam.selfservice.application.configuration.oauth2.OAuth2SessionListSelfServiceRestConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Access Condition (accessCondition)
    Description

    Precondition that must be fulfilled for a user to access the OAuth 2.0 session list.

    Note the difference to the "Authorization Condition":
    • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
    • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Authorization Condition (authorizationCondition)
    Description
    Precondition that must be fulfilled for the user to be authorized to access the OAuth 2.0 session list without further authentication. Note the difference to the "Access Condition":
    • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
    • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.oauth2.OAuth2SessionListSelfServiceRestConfig
    id: OAuth2SessionListSelfServiceRestConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accessCondition:
      authorizationCondition:
    

    OAuth 2.0 Session Management Endpoint

    Description
    Configuration for the OAuth 2.0 / OpenID Connect Session Management Endpoint where users can list, delete or modify their current OAuth 2.0 / OpenID Connect sessions.
    Class
    com.airlock.iam.oauth2.application.configuration.session.OAuth2SessionManagementEndpointConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Access Token Config (accessTokenConfig)
    Description
    Plugin defining how the Access Token is extracted from the request header.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Custom Session Attributes (customSessionAttributes)
    Description
    List of allowed OAuth 2.0 custom session attributes. This endpoint can only add or modify custom session attributes listed here.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.session.OAuth2SessionManagementEndpointConfig
    id: OAuth2SessionManagementEndpointConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accessTokenConfig:
      customSessionAttributes:
    

    OAuth 2.0 Session Management UI

    Description

    Configures the OAuth 2.0 session management user interface.

    Depending on the configuration, the user interface allows an authenticated user to view and delete OAuth 2.0 sessions.

    The OAuth 2.0 session management is accessible at /<loginapp-uri>/ui/app/protected/oauth2/sessions after user authentication.

    Class
    com.airlock.iam.selfservice.application.configuration.ui.oauth2.OAuth2SessionManagementUiConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Flow To Delete Session (flowToDeleteSession)
    Description

    ID of the flow which is used for deletion of an OAuth 2.0 session.

    If not configured, the user will not be able to delete a session via the management UI.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Page Exit Target (pageExitTarget)
    Description

    If configured, an additional button is displayed on the OAuth 2.0 session management page to exit it. On click, this button redirects the user to the configured target.

    To redirect to a target application, redirect to the corresponding "Authentication Flow".

    If the flow can be skipped due to the obtained tags, the user is directly forwarded to the target application.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.ui.oauth2.OAuth2SessionManagementUiConfig
    id: OAuth2SessionManagementUiConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      flowToDeleteSession:
      pageExitTarget:
    

    OAuth 2.0 Session Management UI Redirect

    Description
    Redirects to the "OAuth 2.0 Session Management UI".
    Class
    com.airlock.iam.selfservice.application.configuration.ui.oauth2.OAuth2SessionManagementFlowRedirectTargetConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.ui.oauth2.OAuth2SessionManagementFlowRedirectTargetConfig
    id: OAuth2SessionManagementFlowRedirectTargetConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OAuth 2.0 Session Repository

    Description
    OAuth 2.0 / OpenID Connect Session Repository for relational databases. Stores information about the user's OAuth 2.0 sessions.
    Class
    com.airlock.iam.oauth2.application.configuration.session.OAuth2SessionRepositoryConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    SQL Data Source (sqlDataSource)
    Description
    Defines how connections to the database are obtained.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token Table Name (tokenTableName)
    Description
    The name of the database table containing the tokens.
    Attributes
    String
    Optional
    Default value
    token
    Token Assignment Table Name (tokenAssignmentTableName)
    Description
    The name of the database table containing the token assignments.
    Attributes
    String
    Optional
    Default value
    token_assignment
    Log Queries (logQueries)
    Description

    If enabled, all SQL queries executed on this repository will be written to the module's corresponding log file. This is only effective if the log level is set to at least INFO.

    Warning: query values (including potentially sensitive data) will be logged as well.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.session.OAuth2SessionRepositoryConfig
    id: OAuth2SessionRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      logQueries: false
      sqlDataSource:
      tokenAssignmentTableName: token_assignment
      tokenTableName: token
    

    OAuth 2.0 Session Reset Step

    Description
    Non-interactive step to delete all OAuth 2.0 sessions of a user.
    Class
    com.airlock.iam.oauth2.application.configuration.step.OAuth2SessionResetStepConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Session Repository (sessionRepository)
    Description
    OAuth 2.0 session repository configuration.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.step.OAuth2SessionResetStepConfig
    id: OAuth2SessionResetStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      sessionRepository:
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    OAuth 2.0 Simple Resource Selector

    Description
    Plugin to select a specific resource out of a response given its key. If the attribute contains multiple values, the first is used.
    Class
    com.airlock.iam.oauth2.application.configuration.client.OAuth2SimpleResourceSelector
    May be used by
    License-Tags
    OAuthClient
    Properties
    Key (key)
    Description
    Key associated with the object to be selected.
    Attributes
    String
    Mandatory
    Suggested values
    sub, iss, aud, iat, exp, username
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.client.OAuth2SimpleResourceSelector
    id: OAuth2SimpleResourceSelector-xxxxxx
    displayName: 
    comment: 
    properties:
      key:
    

    OAuth 2.0 SSO Resource Request

    Description
    Represents a resource request executed during OAuth 2.0 SSO in order to fetch information about the identity of the user on the provider.
    Class
    com.airlock.iam.oauth2.application.configuration.client.OAuth2ClientResourceRequest
    May be used by
    License-Tags
    OAuthClient
    Properties
    Resource URL (resourceURL)
    Description
    Resource URL to the protected resources.
    Attributes
    String
    Mandatory
    Example
    https://airlock.iam/auth/rest/oauth2/authorization-servers/myAS/resources/myResource
    Example
    https://www.googleapis.com/plus/v1/people/me
    Example
    https://apis.live.net/v5.0/me
    Contained Resources (containedResources)
    Description
    List of remote resources that will be included in the response to this request.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Request Method (requestMethod)
    Description
    HTTP method to use for this request.
    Attributes
    Enum
    Optional
    Default value
    GET
    Access Token Config (accessTokenConfig)
    Description
    Specifies the Access Token format for resource requests.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.client.OAuth2ClientResourceRequest
    id: OAuth2ClientResourceRequest-xxxxxx
    displayName: 
    comment: 
    properties:
      accessTokenConfig:
      containedResources:
      requestMethod: GET
      resourceURL:
    

    OAuth 2.0 SSO Step

    Description
    SSO step using OAuth 2.0. This step starts an OAuth 2.0 flow to identify the user and awards tags to this user.
    Class
    com.airlock.iam.oauth2.application.configuration.OAuth2SsoStepConfig
    May be used by
    License-Tags
    OAuthClient
    Properties
    Provider Identifier (providerId)
    Description
The provider ID of the flow-based client settings that identifies the OAuth 2.0 Authorization Server or OpenID Provider.
    An OAuth 2.0/OIDC Flow Client Settings configuration must be present below the Loginapp referencing the same Provider Identifier.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Message ID (messageId)
    Description
    ID of the corresponding message which a client is expected to display to confirm the automated account registration.
    Attributes
    String
    Optional
    Default value
    automated-account-registration-confirmation
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    OAUTH2
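The counter behaviour described above, as an added simulation that is not Airlock IAM code: two password steps share or do not share an Authentication Method ID, and the simulation reports whether the lock for the second password can ever trigger. The counter layout, the lock threshold of three and the reset-on-success rule are assumptions.

```python
"""Added example, not Airlock IAM code: simulates the failed-attempts counter
described above to show why two steps that check different credentials must
use distinct Authentication Method IDs.

Assumptions (not stated on the reference page): the counter is keyed by
(username, method ID), three failures lock the user for that method ID,
and a successful login resets the counter for that method ID to zero.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

MAX_FAILED_ATTEMPTS = 3  # assumed lock threshold for the simulation


class AccountLocked(Exception):
    """Raised when the counter for (user, method ID) has reached the threshold."""


@dataclass
class FailedAttemptCounters:
    counters: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def record(self, username: str, method_id: str, success: bool) -> None:
        key = (username, method_id)
        if success:
            self.counters[key] = 0  # a successful login resets this method's counter
        else:
            self.counters[key] = self.counters.get(key, 0) + 1

    def is_locked(self, username: str, method_id: str) -> bool:
        return self.counters.get((username, method_id), 0) >= MAX_FAILED_ATTEMPTS


@dataclass
class PasswordStep:
    """One password step instance; the stored secret is a constructed sample."""
    method_id: str
    stored_password: str

    def check(self, counters: FailedAttemptCounters, username: str, candidate: str) -> bool:
        if counters.is_locked(username, self.method_id):
            raise AccountLocked(f"{username} is locked for method {self.method_id}")
        ok = candidate == self.stored_password
        counters.record(username, self.method_id, ok)
        return ok


def wrong_guesses_accepted(method_id_a: str, method_id_b: str, guesses: int) -> int:
    """Flow A checks password 1 (already known to the caller), flow B checks
    password 2. Between each wrong guess on flow B the caller logs in on flow A.
    Returns how many wrong guesses flow B processed before locking; a result
    equal to `guesses` means the lock never triggered."""
    counters = FailedAttemptCounters()
    flow_a = PasswordStep(method_id_a, "known-pw-1")   # constructed sample
    flow_b = PasswordStep(method_id_b, "secret-pw-2")  # constructed sample
    accepted = 0
    for i in range(guesses):
        try:
            flow_b.check(counters, "alice", f"wrong-{i}")
        except AccountLocked:
            return accepted
        accepted += 1
        flow_a.check(counters, "alice", "known-pw-1")  # successful login on flow A
    return accepted


if __name__ == "__main__":
    # Shared ID: the flow A login keeps resetting the counter, so flow B never locks.
    print("shared 'PASSWORD':", wrong_guesses_accepted("PASSWORD", "PASSWORD", 10))  # 10
    # Distinct IDs: flow B locks after MAX_FAILED_ATTEMPTS regardless of flow A.
    print("PASSWORD1/PASSWORD2:", wrong_guesses_accepted("PASSWORD1", "PASSWORD2", 10))  # 3
```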
    Interactive Goto Targets (interactiveGotoTargets)
    Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OAuth2SsoStepConfig
    id: OAuth2SsoStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: OAUTH2
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      messageId: automated-account-registration-confirmation
      onFailureGotos:
      preCondition:
      providerId:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    OAuth 2.0 SSO Ticket Resource

    Description

    OAuth 2.0 resource provider returning an SSO Ticket to be used for authentication.

    Security Warning: This resource allows exchanging an Access Token for an SSO Ticket which may provide much more access than intended. This implies that everyone in possession of an access token can impersonate the user.

    The ticket only contains the username and the static roles.

    This plugin is intended to be used as login_hint parameter in OpenID Connect flows and requires a configured "OpenID Connect SSO Ticket Login Hint" on the authorization server.

    Class
    com.airlock.iam.oauth2.application.configuration.resource.OAuth2SsoTicketResourceProviderConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Ticket Lifetime [s] (ticketLifetimeInSeconds)
    Description

    The SSO ticket lifetime in seconds.

    This should be configured as short as possible.

    Attributes
    Integer
    Optional
    Default value
    10
    Encoder (encoder)
    Description
    The ticket encoder plugin used to sign and encrypt the SSO ticket.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Static Roles (staticRoles)
    Description
    Static list of roles granted to the user in the ticket. Can be used to assign special roles to the user, for example for Step-Up scenarios.
    Attributes
    String-List
    Optional
    Identifier (identifier)
    Description
    The identifier of this resource provider.
    Attributes
    String
    Mandatory
    Example
    user
    Example
    language
    Condition (condition)
    Description

    This resource value will only be added to the response if the configured condition is satisfied.

    If no condition is configured, the resource value will always be added.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.resource.OAuth2SsoTicketResourceProviderConfig
    id: OAuth2SsoTicketResourceProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      encoder:
      identifier:
      staticRoles:
      ticketLifetimeInSeconds: 10
    

    OAuth 2.0 Static Client

    Description
    Static OAuth 2.0 / OpenID Connect client.
    Class
    com.airlock.iam.login.app.misc.configuration.oauth.as.client.OAuth2StaticClientConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Client ID (clientId)
    Description
    The Client ID.
    Must be unique across all static clients of this AS.
    Attributes
    String
    Mandatory
    Length <= 50
    Validation RegEx: [\x20-\x7E]+
    Client Name (clientName)
    Description
    The Client Name.
    An optional human readable name of this client for display purposes.
    Attributes
    String
    Optional
    Redirect URIs (redirectUris)
    Description

    Allowed Redirect URIs of this client.

    Required if the client is used in a flow requiring redirect URIs, e.g. the Authorization Code Grant.

    Notice that any Redirect URI sent by the client must match exactly one of the configured URIs in this property. No prefix or regular expression matching is performed.

    Attributes
    String-List
    Optional
    Filter Requested Scopes (filterRequestedScopes)
    Description

    Whether to filter all requested scopes against those configured in 'Allowed/Default Scopes'.

    If disabled, all requested scopes are accepted for further processing.

    If enabled, only scopes also explicitly configured in 'Allowed/Default Scopes' are accepted for this client. If that list is empty, the request is treated as if the client had not requested any scopes at all.

Notice: This property only affects the requested scopes. The configured scope policy, scope filtering and granted scope processors may still affect the final resulting scopes, so that they can differ from the requested scopes even if this option is disabled.

    Attributes
    Boolean
    Optional
    Default value
    false
    Allowed/Default Scopes (allowedScopes)
    Description

    The list of allowed or default scopes for this client.

    When "Filter Requested Scopes" is disabled, this list is only relevant if a scope policy is chosen in the grant/flow that replaces the requested scopes with these default scopes.

    When "Filter Requested Scopes" is enabled, all scopes requested by the client are always filtered against this list. If there are no allowed scopes, the request is treated as if the client had not requested any scopes at all.

Notice that for OpenID Connect, the 'openid' scope does not have to be added to this list since it only acts as a marker for OpenID Connect requests and will never be explicitly granted.

    Attributes
    String-List
    Optional
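The two request checks described for 'Redirect URIs' (exact match only) and for 'Filter Requested Scopes' together with 'Allowed/Default Scopes', as an added example that is not Airlock IAM code. The policy structure is assumed, and passing the 'openid' marker through the filter untouched is an assumption consistent with the note that it never needs to be listed.

```python
"""Added example, not Airlock IAM code: redirect URI exact matching and
requested-scope filtering for a static client, as described above.
The StaticClientRequestPolicy structure and the 'openid' handling are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class StaticClientRequestPolicy:
    client_id: str
    redirect_uris: List[str] = field(default_factory=list)
    filter_requested_scopes: bool = False
    allowed_scopes: List[str] = field(default_factory=list)


def redirect_uri_allowed(policy: StaticClientRequestPolicy, redirect_uri: str) -> bool:
    """Exact string comparison only: no prefix, wildcard or regex matching, so a
    configured 'https://app.example/cb' does not admit '.../cb/' or '.../cb?x=1'."""
    return redirect_uri in policy.redirect_uris


def accepted_scopes(policy: StaticClientRequestPolicy, requested: List[str]) -> List[str]:
    """Scopes that survive the client's request filter. Scope policy, scope
    filtering and granted-scope processors may still change the final result."""
    if not policy.filter_requested_scopes:
        return list(requested)  # filter disabled: everything requested goes on
    marker = ["openid"] if "openid" in requested else []  # assumed: marker passes through
    if not policy.allowed_scopes:
        return marker  # empty allow-list: as if no scopes had been requested
    return marker + [s for s in requested if s != "openid" and s in policy.allowed_scopes]


def validate_authorization_request(
    policy: StaticClientRequestPolicy, redirect_uri: str, requested_scopes: List[str]
) -> Tuple[Optional[List[str]], Optional[str]]:
    """Returns (accepted scopes, None) or (None, error label). A redirect URI that
    is not registered is fatal: the request must not be redirected anywhere."""
    if not redirect_uri_allowed(policy, redirect_uri):
        return None, "redirect_uri not registered for client"
    return accepted_scopes(policy, requested_scopes), None


if __name__ == "__main__":
    # Constructed sample client configuration.
    policy = StaticClientRequestPolicy(
        "web-app", ["https://app.example/cb"], True, ["profile", "email"]
    )
    print(validate_authorization_request(policy, "https://app.example/cb", ["openid", "profile", "admin"]))
    print(validate_authorization_request(policy, "https://app.example/cb/", ["profile"]))
```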
    Always Granted Scopes (alwaysGrantedScopes)
    Description
    A list of technical scopes that the user doesn't have to grant explicitly in the OAuth 2.0 Authorization Code Grant or the OIDC Authorization Code / Hybrid Flow. Each scope listed here will always be granted by IAM implicitly. The scopes listed here are added to the implicitly granted scopes in the Authorization Code Grant/Flow. Always Granted Scopes are never persisted, even if a Consent Storage Repository is configured.
    Attributes
    String-List
    Optional
    PKCE Code Challenge Method (pkceCodeChallengeMethodOverride)
    Description

    Overrides the default Proof Key for Code Exchange (PKCE, see RFC 7636) configuration of the Authorization Code Flow/Grant for this particular client.

This allows either disabling PKCE enforcement for this client if it is enforced by default, or enforcing PKCE for this client if it is not enforced by default.

    Attributes
    Enum
    Optional
    Default value
    DEFAULT
    Client Secret (clientSecret)
    Description
    The client secret, used for authentication.
    Required, for example, if the client secret is used for token endpoint authentication using a post parameter or basic authentication.
    Attributes
    String
    Optional
    Sensitive
    Client Certificates (clientCertificates)
    Description
    The information about the certificates of a client. The information of the certificate used in the TLS handshake must be defined here for the request to be successfully authenticated.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    JWKS Settings (jwksSettings)
    Description

    A JSON Web Key Set (JWKS) containing the keys that can be used by the client for authentication to the authorization server, e.g. when accessing the token endpoint (if configured to use private_key_jwt).

For this client to authenticate using private_key_jwt, either this property or at least one public key must be configured. However, both must not be configured at the same time, i.e. if a public key is configured, then this property must not be set.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Public Keys (publicKeys)
    Description

    Public keys that can be used by the client for authentication to the authorization server, e.g. when accessing the token endpoint (if configured to use private_key_jwt).

For this client to authenticate using private_key_jwt, either this property or a JWKS must be configured. However, both must not be configured at the same time, i.e. if a JWKS is configured, then this list must be empty.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Audience (accessTokenAudience)
    Description

    List of values that are added to the audience claim (aud) of the issued access tokens for this client.

    The values configured here are combined with the values configured in the authorization server, duplicate values are discarded.

    If there is one audience, the claim is written as a string, for multiple values as an array.

    Attributes
    String-List
    Optional
    Custom Claims (accessTokenCustomClaims)
    Description

    List of custom claims that are added to the issued access tokens for this client.

    Multiple claims with the same name can be configured if each has a claim condition which ensures that only one of them will be included at runtime.

    The following claims are automatically set by Airlock IAM and therefore will be ignored if defined as custom claim.
    • iss
    • aud
    • exp
    • nbf
    • iat
    • jti
    • random
    • scope

    The claims configured here are combined with the values configured in the authorization server. If claims configured here and in the authorization server have the same name, the claims configured here will override the ones configured at the authorization server level.

Note: This only works on Authorization Code Grant/Flow and Hybrid Flow. For the latter, both Hybrid Flow ID tokens (Authorization Endpoint and Token Endpoint) use this functionality. It only applies to JWT access tokens and not to opaque tokens.

    Note: When "Persist Claims" is disabled, custom claims are collected when the Access Token is requested by an OAuth 2.0 client and not when the Access Token is issued. Therefore the values of the custom claims may change between issue and request time.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
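How the client-level 'Audience' and 'Custom Claims' merge with authorization-server-level values when a JWT access token is assembled, as an added example that is not Airlock IAM code. Claim conditions are modelled as callables over a context dict, the `CustomClaim` and `access_token_claims` names are assumptions, and the reserved-claim list is the one given above.

```python
"""Added example, not Airlock IAM code: merging of audience values and custom
claims for a JWT access token issued to a static client, per the rules above.
Claim conditions, the CustomClaim class and access_token_claims() are assumptions."""
from typing import Any, Callable, Dict, List, Optional, Tuple, Union

# Claims the reference page lists as set by IAM itself; custom claims with these
# names are ignored rather than overriding the IAM value.
RESERVED_ACCESS_TOKEN_CLAIMS = {"iss", "aud", "exp", "nbf", "iat", "jti", "random", "scope"}


class CustomClaim:
    def __init__(self, name: str, value: Any,
                 condition: Optional[Callable[[Dict[str, Any]], bool]] = None):
        self.name, self.value, self.condition = name, value, condition

    def applies(self, ctx: Dict[str, Any]) -> bool:
        return self.condition is None or self.condition(ctx)


def merged_audience(as_audience: List[str], client_audience: List[str]) -> Union[None, str, List[str]]:
    """AS and client values combined, duplicates dropped (first occurrence wins),
    written as a string for one value and as a list for several."""
    seen: List[str] = []
    for value in list(as_audience) + list(client_audience):
        if value not in seen:
            seen.append(value)
    if not seen:
        return None
    return seen[0] if len(seen) == 1 else seen


def merged_custom_claims(as_claims: List[CustomClaim], client_claims: List[CustomClaim],
                         ctx: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Client-level claims override AS-level claims with the same name; reserved
    names are ignored; of several same-named claims only those whose condition
    holds are included. Returns (claims, names ignored because reserved)."""
    result: Dict[str, Any] = {}
    ignored: List[str] = []
    for level in (as_claims, client_claims):  # client level processed last -> overrides
        for claim in level:
            if claim.name in RESERVED_ACCESS_TOKEN_CLAIMS:
                ignored.append(claim.name)
                continue
            if claim.applies(ctx):
                result[claim.name] = claim.value
    return result, ignored


def access_token_claims(issuer: str, subject: str, scopes: List[str], jti: str,
                        issued_at: int, lifetime_s: int,
                        as_audience: List[str], client_audience: List[str],
                        as_claims: List[CustomClaim], client_claims: List[CustomClaim],
                        ctx: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Assemble the claim set: custom claims first, then the IAM-set claims on top
    so that no custom claim can replace them (handling of 'sub' is an assumption)."""
    custom, ignored = merged_custom_claims(as_claims, client_claims, ctx)
    claims: Dict[str, Any] = dict(custom)
    claims.update({"iss": issuer, "sub": subject, "iat": issued_at, "nbf": issued_at,
                   "exp": issued_at + lifetime_s, "jti": jti, "scope": " ".join(scopes)})
    aud = merged_audience(as_audience, client_audience)
    if aud is not None:
        claims["aud"] = aud
    return claims, ignored
```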
    Distributed Claims (accessTokenDistributedClaims)
    Description

    List of distributed claims that are added to the issued access tokens for this client.

    These claims allow providing a URL to a 3rd party claims provider in the response where additional claims may be obtained.

    The claims configured here are combined with the values configured in the authorization server. If claims configured here and in the authorization server have the same name, the claims configured here will override the ones configured at the authorization server level.

Note: This only works on Authorization Code Grant/Flow and Hybrid Flow. For the latter, both Hybrid Flow ID tokens (Authorization Endpoint and Token Endpoint) use this functionality. It only applies to JWT access tokens and not to opaque tokens.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Custom Claims (idTokenCustomClaims)
    Description

    List of custom claims that are added to the issued OpenID Connect ID tokens for this client.

    Multiple claims with the same name can be configured if each has a claim condition which ensures that only one of them will be included at runtime.

    The following claims are automatically set by Airlock IAM and therefore will be ignored if defined as custom claim.
    • auth_time
    • nonce
    • acr

    The claims configured here are combined with the values configured in the authorization server. If claims configured here and in the authorization server have the same name, the claims configured here will override the ones configured at the authorization server level.

    Note: This only works on Authorization Code Grant/Flow and Hybrid Flow. For the latter, both Hybrid Flow ID tokens (Authorization Endpoint and Token Endpoint) use this functionality.

    Note: When "Persist Claims" is disabled, custom claims are collected when the ID Token is requested by an OpenID Connect relying party and not when the ID Token is issued. Therefore the values of the custom claims may change between issue and request time.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Distributed Claims (idTokenDistributedClaims)
    Description

    List of distributed claims that are added to the issued OpenID Connect ID tokens for this client.

    These claims allow providing a URL to a 3rd party claims provider in the response where additional claims may be obtained.

    The claims configured here are combined with the values configured in the authorization server. If claims configured here and in the authorization server have the same name, the claims configured here will override the ones configured at the authorization server level.

    Note: This only works on Authorization Code Grant/Flow and Hybrid Flow. For the latter, both Hybrid Flow ID tokens (Authorization Endpoint and Token Endpoint) use this functionality.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Role Transformation (roleTransformations)
    Description

    A list of role transformation rules used to modify the collection of roles to propagate.

The role transformation rules are executed at the following locations, in order from top to bottom:

    • OpenID Connect ID Token
    • Access Token as JWT
    • UserInfo Endpoint
    • User Roles Resource

    The role transformations defined here override those defined in "OAuth 2.0/OIDC Authorization Server".

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Flow Application ID (flowApplicationId)
    Description
    Specifies the application ID of the authentication flow to start for every authentication request made by this client.
    When left empty, the setting in "OIDC Authorization Code / Hybrid Flow" or "OAuth 2.0 Authorization Code Grant" applies.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    ACR To Flow Application ID (acrToFlowAppId)
    Description

    Maps an ACR value requested in the authentication request made by this client to an Application ID. The mappings defined here are merged with the mappings defined in "OIDC Authorization Code / Hybrid Flow"; if the same "ACR Value" is defined in "OIDC Authorization Code / Hybrid Flow" and here, the mapping configured here takes precedence.

    How the application ID is selected:

    • The merged ACR mappings (explained above) are evaluated first; if there is a match, the mapped Application ID is selected
    • If there is no match, the flow is selected based on the Flow Application ID property:
      • First at the level of the Static Client
      • Then at the level of the Authorization Server ("OIDC Authorization Code / Hybrid Flow" or "OAuth 2.0 Authorization Code Grant")
      • If both are not configured, the default application is selected

    Attributes
    Plugin-List
    Optional
    Assignable plugins
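The selection order described above for 'ACR To Flow Application ID' and 'Flow Application ID', as an added example that is not Airlock IAM code. The configuration structures, the default application name and the assumption that requested ACR values are tried in the order given in the acr_values parameter are all constructed for this example.

```python
"""Added example, not Airlock IAM code: flow application selection for an
authentication request from a static client, following the order described above.
The structures, DEFAULT_APPLICATION_ID and the ACR iteration order are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_APPLICATION_ID = "default"  # assumed name of the default application


@dataclass
class AuthorizationServerFlowSettings:
    """Mappings/flow ID configured on 'OIDC Authorization Code / Hybrid Flow' or
    'OAuth 2.0 Authorization Code Grant' (structure assumed)."""
    acr_to_flow_app_id: Dict[str, str] = field(default_factory=dict)
    flow_application_id: Optional[str] = None


@dataclass
class StaticClientFlowSettings:
    """The static client's own 'ACR To Flow Application ID' and 'Flow Application ID'."""
    acr_to_flow_app_id: Dict[str, str] = field(default_factory=dict)
    flow_application_id: Optional[str] = None


def merged_acr_mappings(server: AuthorizationServerFlowSettings,
                        client: StaticClientFlowSettings) -> Dict[str, str]:
    """Server mappings merged with client mappings; the client entry wins on the same ACR value."""
    return {**server.acr_to_flow_app_id, **client.acr_to_flow_app_id}


def parse_acr_values(acr_values_param: Optional[str]) -> List[str]:
    """The acr_values request parameter is a space-separated list."""
    return acr_values_param.split() if acr_values_param else []


def select_flow_application(server: AuthorizationServerFlowSettings,
                            client: StaticClientFlowSettings,
                            requested_acr_values: List[str]) -> str:
    mappings = merged_acr_mappings(server, client)
    # 1. merged ACR mappings first (assumed: tried in the requested order)
    for acr in requested_acr_values:
        if acr in mappings:
            return mappings[acr]
    # 2. no match: Flow Application ID at the static client level
    if client.flow_application_id:
        return client.flow_application_id
    # 3. then at the authorization server level
    if server.flow_application_id:
        return server.flow_application_id
    # 4. neither configured: the default application
    return DEFAULT_APPLICATION_ID


if __name__ == "__main__":
    # Constructed sample configuration.
    server = AuthorizationServerFlowSettings(
        {"urn:acr:mfa": "flow-mfa", "urn:acr:pw": "flow-pw"}, "flow-as-default")
    client = StaticClientFlowSettings({"urn:acr:mfa": "flow-client-mfa"})
    for acr_values in ("urn:acr:mfa", "urn:acr:pw", "urn:acr:unknown", None):
        print(acr_values, "->", select_flow_application(server, client, parse_acr_values(acr_values)))
```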
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oauth.as.client.OAuth2StaticClientConfig
    id: OAuth2StaticClientConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accessTokenAudience:
      accessTokenCustomClaims:
      accessTokenDistributedClaims:
      acrToFlowAppId:
      allowedScopes:
      alwaysGrantedScopes:
      clientCertificates:
      clientId:
      clientName:
      clientSecret:
      filterRequestedScopes: false
      flowApplicationId:
      idTokenCustomClaims:
      idTokenDistributedClaims:
      jwksSettings:
      pkceCodeChallengeMethodOverride: DEFAULT
      publicKeys:
      redirectUris:
      roleTransformations:
    

    OAuth 2.0 Static Clients

    Description
    Static OAuth 2.0 / OpenID Connect clients.
    These clients only reside in the configuration.
    Class
    com.airlock.iam.login.app.misc.configuration.oauth.as.client.OAuth2StaticClientsConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Static Clients (staticClients)
    Description
    The list of static clients available to this AS.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oauth.as.client.OAuth2StaticClientsConfig
    id: OAuth2StaticClientsConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      staticClients:
    

    OAuth 2.0 Static Resource

    Description
    Static OAuth 2.0 resource provider returning a fixed string value.
    Class
    com.airlock.iam.oauth2.application.configuration.resource.OAuth2StaticResourceProviderConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Static Value (staticValue)
    Description
    Static value of this resource.
    Attributes
    String
    Mandatory
    Identifier (identifier)
    Description
    The identifier of this resource provider.
    Attributes
    String
    Mandatory
    Example
    user
    Example
    language
    Condition (condition)
    Description

    This resource value will only be added to the response if the configured condition is satisfied.

    If no condition is configured, the resource value will always be added.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.resource.OAuth2StaticResourceProviderConfig
    id: OAuth2StaticResourceProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      identifier:
      staticValue:
    

    OAuth 2.0 String Context Data Resource

    Description
    OAuth 2.0 resource provider returning a string context data field.
    Class
    com.airlock.iam.oauth2.application.configuration.resource.OAuth2StringContextDataResourceProviderConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Context Data Item (contextDataItem)
    Description
    The string context data element to be returned by this resource.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Identifier (identifier)
    Description
    The identifier of this resource provider.
    Attributes
    String
    Mandatory
    Example
    user
    Example
    language
    Condition (condition)
    Description

    This resource value will only be added to the response if the configured condition is satisfied.

    If no condition is configured, the resource value will always be added.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.resource.OAuth2StringContextDataResourceProviderConfig
    id: OAuth2StringContextDataResourceProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      contextDataItem:
      identifier:
    

    OAuth 2.0 Token Controller

    Description
    Token controller to manage a user's OAuth 2.0 Tokens.
    Class
    com.airlock.iam.admin.application.configuration.oauth2.OAuth2TokenController
    May be used by
    License-Tags
    OAuthServer
    Properties
    Token Data Provider (tokenDataProvider)
    Description
    Token Data Provider responsible for persisting OAuth 2.0 Tokens.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Session Repository (sessionRepository)
    Description
OAuth 2.0 session repository config.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    OAuth 2.0 Consent Repository (consentRepository)
    Description
    Configures a repository storing OAuth 2.0 consent decisions.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.oauth2.OAuth2TokenController
    id: OAuth2TokenController-xxxxxx
    displayName: 
    comment: 
    properties:
      consentRepository:
      sessionRepository:
      tokenDataProvider:
    

    OAuth 2.0 Token Endpoint

    Description

    Configuration of the token endpoint for OAuth 2.0 or OpenID Connect.

    The endpoint will be available under /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/token

    Class
    com.airlock.iam.oauth2.application.configuration.as.OAuth2TokenEndpointConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Client Authentication (clientAuthentication)
    Description
    Specifies if and how requests to the token endpoint and to the 'Pushed Authorization Requests' (PAR) endpoint are authenticated.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Scopes To Remove On Refresh (scopesToRemoveOnRefresh)
    Description
    List of matchers that defines the set of scopes not to be refreshed in a refresh token grant. If a scope matches against any entry in the list, it will be removed from the session and not be part of newly acquired tokens.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Issue Certificate-Bound Access Tokens (bindAccessTokens)
    Description
    If enabled, Certificate-Bound Access Tokens (see RFC8705) are issued.

Issued Access Tokens will be bound to the client certificate that was used for client authentication at the Token Endpoint. This enables the "cnf" claim to be included in the Token Introspection Endpoint result as well as in the JWT Access Token (if enabled). All consumers must use the claim to verify the client certificate presented with the Access Token.

IAM consumes such Access Tokens (Token Revocation Endpoint, Session Management Endpoint, Resource Endpoints, UserInfo Endpoint and One-Shot Authenticators) and will therefore automatically verify the mTLS client certificate if a Certificate-Bound Access Token is used for authorization.

    Note: Currently this setting is restricted to client authentications using mTLS.

    Attributes
    Boolean
    Optional
    Default value
    false
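What a consumer of a Certificate-Bound Access Token has to check, as an added example that is not Airlock IAM code: RFC 8705 carries the binding as the SHA-256 thumbprint of the DER-encoded client certificate in the "x5t#S256" member of the "cnf" claim, and the consumer compares it against the certificate presented in the mTLS handshake. The certificate bytes are constructed placeholders, not real certificates.

```python
"""Added example, not Airlock IAM code: verifying the 'cnf' certificate binding
of an access token (RFC 8705, 'x5t#S256' member) against the mTLS client
certificate. The certificate bytes used in the demo are constructed placeholders."""
import base64
import hashlib
import hmac
from typing import Any, Dict, Optional, Tuple


def x5t_s256(cert_der: bytes) -> str:
    """base64url-encoded (unpadded) SHA-256 thumbprint of the DER certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def cnf_claim_for(cert_der: bytes) -> Dict[str, str]:
    """The 'cnf' claim the authorization server adds when tokens are certificate-bound."""
    return {"x5t#S256": x5t_s256(cert_der)}


def verify_certificate_binding(token_claims: Dict[str, Any],
                               presented_cert_der: Optional[bytes],
                               require_binding: bool = True) -> Tuple[bool, str]:
    """Returns (accepted, reason). A bound token presented without a client
    certificate, or with a different one, is rejected. An unbound token is
    accepted only if the consumer does not insist on binding."""
    cnf = token_claims.get("cnf")
    if not isinstance(cnf, dict) or "x5t#S256" not in cnf:
        return (not require_binding), "token is not certificate-bound"
    if presented_cert_der is None:
        return False, "bound token presented without an mTLS client certificate"
    if not hmac.compare_digest(cnf["x5t#S256"], x5t_s256(presented_cert_der)):
        return False, "presented client certificate does not match cnf.x5t#S256"
    return True, "certificate binding verified"


if __name__ == "__main__":
    cert_a = b"constructed placeholder DER bytes for client A"  # not a real certificate
    cert_b = b"constructed placeholder DER bytes for client B"  # not a real certificate
    bound_token = {"sub": "alice", "scope": "read", "cnf": cnf_claim_for(cert_a)}
    print(verify_certificate_binding(bound_token, cert_a))   # (True, ...)
    print(verify_certificate_binding(bound_token, cert_b))   # (False, ...)
    print(verify_certificate_binding(bound_token, None))     # (False, ...)
```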
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.as.OAuth2TokenEndpointConfig
    id: OAuth2TokenEndpointConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      bindAccessTokens: false
      clientAuthentication:
      scopesToRemoveOnRefresh:
    

    OAuth 2.0 Token Exchange

    Description

    Configuration of the token endpoint for token exchange (see RFC8693).

    The token endpoint supports the grant type "urn:ietf:params:oauth:grant-type:token-exchange" and exchanges tokens according to the configuration.

    Class
    com.airlock.iam.oauth2.application.configuration.tokenexchange.OAuth2TokenExchangeGrantConfig
    May be used by
    License-Tags
    OAuthTokenExchange
    Properties
    Subject Token Validation (subjectTokenValidation)
    Description
    Subject Token Validation.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token Exchange Rules (tokenExchangeRules)
    Description
    List of token exchange rules that define the issued token.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.tokenexchange.OAuth2TokenExchangeGrantConfig
    id: OAuth2TokenExchangeGrantConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      subjectTokenValidation:
      tokenExchangeRules:
    

    OAuth 2.0 Token Generator Settings

    Description
    Token generation settings.
    Class
    com.airlock.iam.oauth2.application.configuration.OAuth2TokenGeneratorConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Token Random Part Length (tokenRandomPartLength)
    Description

    Length (in characters) of the random part in generated OAuth 2.0 Tokens.

    With random tokens, this forms part of the token string itself; for JWT tokens, this string is included in the JWT as the "jti" claim.

    For security reasons, as recommended by RFC 6749, the randomness must be at least 160 bits, corresponding to about 28 characters. Overly large values may have a negative performance impact.

    Attributes
    Integer
    Optional
    Default value
    40
    Password Hash (passwordHash)
    Description

    Hash function used to hash the generated OAuth 2.0 Tokens. Only a random ID and the hash of the token will be persisted.

    Warning: When changing this hash, all previously issued tokens will become invalid!
    Security Warning: A cryptographic hash function should be used.
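An added example in Python (a hypothetical store, not Airlock's implementation) covering both settings above: the random part length is checked against the 160-bit requirement, only a random ID and the hash of each issued token are persisted, lookups compare hashes in constant time, and switching the hash function shows why previously issued tokens stop validating. The alphabet of the random part is an assumption; the page does not document IAM's.

```python
import hashlib
import hmac
import math
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumption: character set of the random part (62 symbols, ~5.95 bits each).
ALPHABET = string.ascii_letters + string.digits

HashFn = Callable[[bytes], bytes]


def entropy_bits(random_part_length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random string over the alphabet."""
    return random_part_length * math.log2(alphabet_size)


def random_part(length: int) -> str:
    """CSPRNG-backed random part of the token."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class StoredToken:
    token_id: str    # random lookup key, may be persisted in clear
    token_hash: str  # hex digest of the full token string
    subject: str


class TokenStore:
    """Hypothetical token persistence: never stores the clear-text token."""

    def __init__(self, hash_fn: HashFn):
        self._hash_fn = hash_fn
        self._rows: Dict[str, StoredToken] = {}

    def issue(self, subject: str, random_part_length: int = 40) -> str:
        token_id = secrets.token_hex(8)
        token = f"{token_id}.{random_part(random_part_length)}"
        digest = self._hash_fn(token.encode()).hex()
        self._rows[token_id] = StoredToken(token_id, digest, subject)
        # The clear-text token is handed to the client and then forgotten here.
        return token

    def lookup(self, token: str) -> Optional[str]:
        """Return the subject of a presented token, or None if unknown or tampered."""
        token_id, _, _ = token.partition(".")
        row = self._rows.get(token_id)
        if row is None:
            return None
        presented = self._hash_fn(token.encode()).hex()
        # Constant-time compare so lookup timing does not leak digest prefixes.
        if not hmac.compare_digest(row.token_hash, presented):
            return None
        return row.subject

    def change_hash(self, new_hash_fn: HashFn) -> None:
        """Simulates reconfiguring the hash: stored digests are not recomputed,
        so every token issued before the change no longer validates."""
        self._hash_fn = new_hash_fn


def sha256_hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sha512_hash(data: bytes) -> bytes:
    return hashlib.sha512(data).digest()


if __name__ == "__main__":
    store = TokenStore(sha256_hash)
    tok = store.issue("alice", random_part_length=40)
    print(round(entropy_bits(40), 1), "bits of entropy in the random part")
    print(store.lookup(tok))          # alice
    store.change_hash(sha512_hash)
    print(store.lookup(tok))          # None: issued under the previous hash
```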

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OAuth2TokenGeneratorConfig
    id: OAuth2TokenGeneratorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      passwordHash:
      tokenRandomPartLength: 40
    

    OAuth 2.0 Token Introspection Endpoint

    Description

    RFC 7662 Token Introspection endpoint allows authenticated clients to fetch information about Access and Refresh Tokens.

    The endpoint will be available under /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/introspect

    Class
    com.airlock.iam.oauth2.application.configuration.introspection.OAuth2TokenIntrospectionConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Authentication Settings (authenticationSettings)
    Description
    Defines how callers authenticate against this endpoint.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.introspection.OAuth2TokenIntrospectionConfig
    id: OAuth2TokenIntrospectionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationSettings:
    

    OAuth 2.0 Token Request Authentication

    Description
    Extracts an OAuth 2.0 access token (bearer token) from a request to authenticate single requests.
    Class
    com.airlock.iam.login.app.application.configuration.oauth.OAuth2TokenRequestAuthenticationConfig
    May be used by
    Properties
    Authorization Server ID (authorizationServerId)
    Description

    The unique identifier of the OAuth 2.0 Authorization Server.

    This must reference an Authorization Server in the top-level OAuth 2.0 Settings of the Loginapp.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Add Scopes As Roles (addScopesAsRoles)
    Description
    If enabled, the scopes from the Access Token are added as roles to the authenticated user.
    Attributes
    Boolean
    Optional
    Default value
    true
    User Store (userStore)
    Description
    If configured, the user is loaded from local persistence and checked for validity. Authentication fails if the user is not found or is invalid. If no user store is configured, no persistency look-up takes place and the authentication is performed on data contained within the credential only.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Static Roles (staticRoles)
    Description
    Static list of roles granted to the authenticated user.
    Attributes
    String-List
    Optional
    Roles Blocklist (rolesBlocklist)
    Description
    List of role names that won't be granted to the authenticated user. The block list is also applied to persistent roles (if available).
    Attributes
    String-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.application.configuration.oauth.OAuth2TokenRequestAuthenticationConfig
    id: OAuth2TokenRequestAuthenticationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      addScopesAsRoles: true
      authorizationServerId:
      rolesBlocklist:
      staticRoles:
      userStore:
    

    OAuth 2.0 Token Revocation Endpoint

    Description

    RFC 7009 Token Revocation endpoint allows clients to revoke Access and Refresh Tokens.

    The endpoint is available under /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/revoke

    Class
    com.airlock.iam.oauth2.application.configuration.revocation.OAuth2TokenRevocationConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Access Token Revocation Strategy (accessTokenInvalidationStrategy)
    Description
    If the revoked token is an access token, this property defines which tokens to invalidate.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Refresh Token Revocation Strategy (refreshTokenInvalidationStrategy)
    Description
    If the revoked token is a refresh token, this property defines which tokens to invalidate.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Authentication Method (authenticationMethod)
    Description

    Enforce the client authentication of the token revocation endpoint.

    • BASIC_AUTH: Basic Authentication using the client id and secret, see RFC 6749.
    • POST_PARAM: Authentication is done using the POST parameters client_id and client_secret, see RFC 6749.
      Warning: Including the client credentials in the request body using the two parameters is not recommended for security reasons.
    • NONE: No authentication required (should only be used for public clients without any credentials). However, a client_id parameter must still be provided.
    Attributes
    Enum
    Optional
    Default value
    BASIC_AUTH
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.revocation.OAuth2TokenRevocationConfig
    id: OAuth2TokenRevocationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accessTokenInvalidationStrategy:
      authenticationMethod: BASIC_AUTH
      refreshTokenInvalidationStrategy:
    

    OAuth 2.0 Tokens Map

    Description
    Provides access tokens and ID tokens of the OAuth 2.0 / OpenID Connect handshake that may have been used for authentication. The tokens (if present) will be provided under the following keys:
    • Access Token: access_token
    • ID Token (OpenID Connect): id_token
    Class
    com.airlock.iam.oauth2.application.configuration.valueprovider.OAuth2TokensValueMapProviderConfig
    May be used by
    License-Tags
    OAuthClient
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.valueprovider.OAuth2TokensValueMapProviderConfig
    id: OAuth2TokensValueMapProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OAuth 2.0 User Roles Resource

    Description

    OAuth 2.0 resource provider returning the user's persistent roles.

    Obtained roles are only part of the user's specific session and thus cannot be returned by this resource.

    Class
    com.airlock.iam.oauth2.application.configuration.resource.OAuth2UserRolesResourceProviderConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Identifier (identifier)
    Description
    The identifier of this resource provider.
    Attributes
    String
    Mandatory
    Example
    user
    Example
    language
    Condition (condition)
    Description

    This resource value will only be added to the response if the configured condition is satisfied.

    If no condition is configured, the resource value will always be added.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.resource.OAuth2UserRolesResourceProviderConfig
    id: OAuth2UserRolesResourceProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      identifier:
    

    OAuth 2.0 Username Resource

    Description

    OAuth 2.0 resource provider returning the user name.

    If the authorization server has username transformation configured, the username returned by this resource will be transformed according to the config.

    Class
    com.airlock.iam.oauth2.application.configuration.resource.OAuth2UsernameResourceProviderConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Identifier (identifier)
    Description
    The identifier of this resource provider.
    Attributes
    String
    Mandatory
    Example
    user
    Example
    language
    Condition (condition)
    Description

    This resource value will only be added to the response if the configured condition is satisfied.

    If no condition is configured, the resource value will always be added.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.resource.OAuth2UsernameResourceProviderConfig
    id: OAuth2UsernameResourceProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      identifier:
    

    OAuth 2.0/OIDC Authorization Server

    Description
    OAuth 2.0 / OpenID Connect Authorization Server settings for all AS-centric endpoints under the paths /<loginapp-uri>/oauth2/v3/ and /<loginapp-uri>/rest/oauth2/.
    Class
    com.airlock.iam.login.app.misc.configuration.oauth.as.OAuth2ASConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Identifier (identifier)
    Description
    The unique identifier of this AS. This identifier is used in the endpoint URLs.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Application UI (applicationUi)
    Description

    Defines which application UI will handle the authorization requests or redirect to a custom application UI.

    This allows clients to use the URL (/<loginapp-uri>/oauth2/v3/<as-identifier>/authorize) from the OAuth 2.0 metadata to redirect to a custom application UI.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Issuer ID (issuerId)
    Description

    The issuer ID of this AS.

    This is used both for the metadata endpoint and the OIDC authorization code flow, therefore it must be configured when using either one.

    It must end with a slash followed by the unique identifier of the AS.

    Note that the issuer ID usually represents the front-facing URL of this authentication server and may be used by clients to derive the URL of the OpenID Connect Discovery or the OAuth 2.0 Metadata endpoint. See plugin documentation of those endpoints for more details about the logic and rules of this derivation.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    OAuth 2.0 Grants/OIDC Flows (oauth2Grants)
    Description
    The supported OAuth 2.0 / OpenID Connect grants and related endpoints of this AS.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Static Clients (staticClients)
    Description

    The statically configured clients of this AS.

    In contrast to the "Persisted Clients", these clients are only contained in the configuration and are not stored on the database. This is useful when the entire set of clients is known upfront at configuration time.

    Static clients can be combined with persisted clients. If both sources contain a client with the same name, the static client will take precedence without raising an error.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Persisted Clients (persistedClients)
    Description

    The persisted clients on the database of this AS.

    This plugin is required when Dynamic Client Registration is used. Persisted clients are stored on the database and currently can only be inserted using Dynamic Client Registration.

    Persisted clients can be combined with static clients. If both sources contain a client with the same name, the static client will take precedence without raising an error.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Metadata Endpoint (metadataEndpoint)
    Description

    Endpoint for OAuth 2.0 Authorization Server Metadata (RFC 8414).

    The Endpoint is located at /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/.well-known/oauth-authorization-server and must be mapped by a WAF or proxy to the external URL <issuer id>/.well-known/oauth-authorization-server

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Token Endpoint (tokenEndpoint)
    Description

    Configuration of the token endpoint.

    This endpoint is called by the clients in order to exchange an authorization code or to refresh a Refresh Token.

    The token endpoint is located at /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/token

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Token Introspection Endpoint (tokenIntrospectionEndpoint)
    Description

    Endpoint for OAuth 2.0 Token Introspection (RFC 7662) located at /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/introspect

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Token Revocation Endpoint (tokenRevocationEndpoint)
    Description

    Endpoint for OAuth 2.0 Token Revocation (RFC 7009) located at /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/revoke

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Dynamic Client Registration (dynamicClientRegistration)
    Description

    The OAuth 2.0 Dynamic Client Registration endpoint settings.

    The registration endpoint must be configured as "Technical Client Registration Flow" with an "OAuth 2.0 Client Registration Step" in the Loginapp REST API.

    Attributes
    Plugin-Link
    Optional
    License-Tags
    TechClientRegistration
    Assignable plugins
    Resource Endpoint (resourceEndpoint)
    Description

    Configuration of all resource endpoints located at /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/resources/<resource-name>

    For all resource endpoints, a valid access token must be provided.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Session Management Endpoint (sessionManagementEndpoint)
    Description

    Endpoint for the custom OAuth 2.0 Session Management.

    If not configured, the session management endpoint is disabled for this AS.

    The session management endpoint is located under /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/sessions/

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Discovery Endpoint (discoveryEndpoint)
    Description

    Enables the OpenID Connect Discovery Endpoint.

    The endpoint is available under /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/.well-known/openid-configuration

    This endpoint can only be configured when an OpenID Connect flow has been configured.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    UserInfo Endpoint (userInfoEndpoint)
    Description

    Enables the UserInfo Endpoint according to the OpenID Connect Specification.

    The endpoint is available under /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/userinfo

    This endpoint can only be configured when an OpenID Connect flow has been configured.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Session Management 1.0 (openIdConnectSessionManagement)
    Description

    Enables OpenID Connect Session Management 1.0 according to the OpenID Connect Session Management Specification.

    It allows a website relying on the user's authentication to monitor his login status at the OpenID Provider on an ongoing basis so that the Relying Party can log out an End-User who has logged out of the OpenID Provider.

    Enabling this allows the client to embed the OP iframe using the URL /<loginapp-uri>/oauth2/v3/<as-identifier>/check-session

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    User Data Source (userStore)
    Description
    Data source to read and update user related data during OAuth 2.0 requests.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token Data Provider (tokenDataProvider)
    Description
    Token Data Provider responsible for persisting OAuth 2.0 Tokens.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Session Repository (sessionRepository)
    Description
    OAuth 2.0 session repository config.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Consent Storage Repository (consentStorageRepository)
    Description

    If configured, enables storing user given consent in a database.

    During an OAuth 2.0 flow, IAM can remember the scopes for which a user has given his consent and therefore skips the consent screen if all requested scopes were granted/denied in a previous flow.

    This setting is required when a Local Consent is used with enabled Consent Storage.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Username Transformation (usernameTransformation)
    Description

    Allows conveying a different username than the IAM user ID.

    This transformed username is used in the following locations:

    • OpenID Connect ID Token: sub claim
    • OpenID Connect ID Token: Custom username claim
    • Access Token as JWT: sub claim
    • UserInfo Endpoint: sub claim
    • Token Introspection Endpoint: sub claim
    • Username Resource

    The transformers are asked to provide an alternative name in the configured order. Every transformer may interrupt the transformation chain and provide a final result or pass it on to the next transformer to potentially apply further transformations.

    If left blank, the username of the authenticated user is used for all endpoints mentioned above.

    Note that this setting can be overridden for each "OAuth 2.0 Static Client".

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Role Transformation (roleTransformationConfigs)
    Description

    A list of role transformation rules used to modify the collection of roles to propagate.

    The role transformation rules are executed at the following locations in-order from top to bottom:

    • OpenID Connect ID Token
    • Access Token as JWT
    • UserInfo Endpoint
    • User Roles Resource
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Token Generator Settings (tokenGeneratorConfig)
    Description
    All tokens, e.g. Access Tokens, will be generated using these settings.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Logging Settings (loggingSettings)
    Description
    Custom OAuth 2.0 server logging behaviour for integration or error diagnostics.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Delete Tokens On Logout (deleteTokensOnLogout)
    Description

    Indicates whether all persisted tokens and sessions of the user are deleted when the user logs out.

    Security Warning: Affects only actively triggered logouts, but not session timeouts. Therefore, the validity of each OAuth 2.0 token type should be configured and checked appropriately.

    Attributes
    Boolean
    Optional
    Default value
    false
    Delete Tokens On Password Change (deleteTokensOnPasswordChange)
    Description
    Indicates whether all persisted tokens and sessions of the user are deleted when the user changes a password.
    Attributes
    Boolean
    Optional
    Default value
    false
    Delete Tokens On User Locked (deleteTokensOnUserLocked)
    Description
    Indicates whether all persisted tokens and sessions of the user are deleted when the user is locked.

    Note: This setting only applies to users locked in the Loginapp. To delete tokens for users locked by admins, configure the corresponding settings within the Adminapp.

    Attributes
    Boolean
    Optional
    Default value
    false
    Persist Claims (persistClaims)
    Description
    When enabled, custom claims in Access- and ID Tokens are generated and persisted on successful flow completion. On token generation, the claim values are loaded from the database. This allows deterministic claim values in tokens, i.e. claim values do not change when tokens are refreshed.

    When not enabled, claim values are newly evaluated every time a new token is created. This may lead to different claim values every time a token is requested. This was the default behaviour in all IAM releases up to and including version 8.2.

    However, regardless of this setting, the following claims are always freshly evaluated every time a token is requested:

    • iat - Issue Time
    • nbf - Not Valid Before
    • exp - Expiration Time (claim is not included if token has infinite validity)
    • jti - JWT ID (random value)
    • random - A random value for the token entropy
    • scope - A JSON array defining the scope of the access token
    • cnf - The token binding (if applicable)

    Note: The column 'claims' in the database table 'oauth2_session' is required to use this feature. A runtime error occurs if this feature is active and the database was not migrated.

    Attributes
    Boolean
    Optional
    Default value
    true
    Cache-Control Response Header (cacheControlResponseHeader)
    Description
    If left empty the 'Cache-Control' response header is set to 'no-store, no-cache, must-revalidate'. If configured, the 'Cache-Control' response header is set to the specified value for the following endpoints:
    • /auth-login/rest/oauth2/authorization-servers/authorizationServerId/jwks/
    • /auth-login/rest/oauth2/authorization-servers/authorizationServerId/.well-known/openid-configuration/
    • /auth-login/rest/oauth2/authorization-servers/authorizationServerId/.well-known/oauth-authorization-server/
    Attributes
    String
    Optional
    Example
    public, max-age=3600
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oauth.as.OAuth2ASConfig
    id: OAuth2ASConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      applicationUi:
      cacheControlResponseHeader:
      consentStorageRepository:
      deleteTokensOnLogout: false
      deleteTokensOnPasswordChange: false
      deleteTokensOnUserLocked: false
      discoveryEndpoint:
      dynamicClientRegistration:
      identifier:
      issuerId:
      loggingSettings:
      metadataEndpoint:
      oauth2Grants:
      openIdConnectSessionManagement:
      persistClaims: true
      persistedClients:
      resourceEndpoint:
      roleTransformationConfigs:
      sessionManagementEndpoint:
      sessionRepository:
      staticClients:
      tokenDataProvider:
      tokenEndpoint:
      tokenGeneratorConfig:
      tokenIntrospectionEndpoint:
      tokenRevocationEndpoint:
      userInfoEndpoint:
      userStore:
      usernameTransformation:
    

    OAuth 2.0/OIDC Authorization Servers

    Description
    Configuration for all OAuth 2.0 Authorization Servers.
    Class
    com.airlock.iam.login.app.misc.configuration.OAuth2AuthorizationServersConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Authorization Servers (authorizationServers)
    Description
    The list of configured Authorization Servers (AS).
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.OAuth2AuthorizationServersConfig
    id: OAuth2AuthorizationServersConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authorizationServers:
    

    OAuth 2.0/OIDC Clients

    Description
    Configuration for OAuth 2.0 / OpenID Connect SSO (Airlock IAM as Client).
    Class
    com.airlock.iam.login.app.misc.configuration.OAuth2SSOClientSettings
    May be used by
    License-Tags
    OAuthClient
    Properties
    AS Setting For Flow Clients (flowClientSettings)
    Description
    The settings for the OAuth 2.0 / OpenID Connect providers for flow based authorizations.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Legacy Client Endpoint Support (legacyClientEndpointSupport)
    Description

    OAuth 2.0 legacy client endpoint (/oauth2-client) compatibility support.

    This property must be configured when flow-based OAuth 2.0/OpenID Connect is used, and the client endpoint (redirect_uri) URI cannot be changed on the Authorization Server to the new endpoint URI:

    /<loginapp-uri>/ui/app/oauth2/client

    When this property is set, the browser accessing the legacy client endpoint URI will be redirected to the configured target, if and only if all of the following conditions apply:

    • The request contains an authorization response
    • "AS Setting For Flow Clients" has at least one entry configured

    All OAuth 2.0 URL parameters will be retained in the redirect.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Account Link Persister (accountLinkPersister)
    Description
    Persists links from IAM accounts to provider accounts.

    The database entry contains

    • The IAM user name
    • The configured 'Provider Identifier' of the 'OAuth 2.0 Flow Client' or 'OIDC Flow Client'
    • The provider's username defined by the 'OAuth 2.0 Remote Username Resource' resource mapping
    • Optionally the additional information to help the user identify the provider's account defined by 'Account Info Resource Key' of the 'Account Linking Self-Service'

    If a user chooses to log in with a provider that has 'Account Linking Self-Service' enabled and a link matching the 'Provider Identifier' and the provider's username is found, the IAM user of the entry will be authenticated.

    If users are allowed to change their usernames, an 'Account Link Consistency User Change Listener' should be configured in the Loginapp's user persister.

    Attributes
    Plugin-Link
    Optional
    License-Tags
    OAuthAccountLinking,OAuthSocialRegistration
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.OAuth2SSOClientSettings
    id: OAuth2SSOClientSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      accountLinkPersister:
      flowClientSettings:
      legacyClientEndpointSupport:
    

    OAuth 2.0/OIDC Consent Consistency User Change Listener

    Description
    A listener that reacts to change events on users and keeps the OAuth 2.0 / OIDC consents in a consistent state. Currently, it performs the following actions:
    • on user deletion: delete all OAuth 2.0 / OIDC Consents stored for that user.
    • on user name change: change the OAuth 2.0 / OIDC Consents to the new user name.
    Class
    com.airlock.iam.oauth2.application.configuration.consentstorage.OAuth2ConsentConsistencyUserChangeListener
    May be used by
    License-Tags
    OAuthServer
    Properties
    OAuth 2.0 Consent Repository (consentRepository)
    Description
    OAuth 2.0 consent repository configuration. Stores information about the user's decisions regarding consenting to OAuth 2.0 scopes.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.consentstorage.OAuth2ConsentConsistencyUserChangeListener
    id: OAuth2ConsentConsistencyUserChangeListener-xxxxxx
    displayName: 
    comment: 
    properties:
      consentRepository:
    

    OAuth 2.0/OIDC ID Propagator

    Description
    If the current flow was started using OAuth 2.0 Authorization Code Grant / OpenID Connect Authorization Code Flow, this identity propagator finishes the handshake by issuing the target URI pointing to the client with the authorization response (either containing the authorization code or an error).
    This target URI to the client will be propagated in a header named "X-Forward-URL" and the browser should always be redirected to this URI.
    Class
    com.airlock.iam.authentication.application.configuration.idpropagation.OAuth2IdentityPropagatorConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.idpropagation.OAuth2IdentityPropagatorConfig
    id: OAuth2IdentityPropagatorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OCSP Certificate Status Checker

    Description
    A configurable certificate status checker using OCSP (Online Certificate Status Protocol) to check the status of certificates.

    The OCSP responder used to check the revocation status of a certificate is determined through the X509v3 Authority Information Access extension of the certificate. The issuer certificate used by the responder to sign the response must be provided in the configured truststore (OCSP signing delegation is not supported; therefore the certificate used to sign the response must be equal to the issuer certificate of the certificate for which the request was performed).

    Class
    com.airlock.iam.core.misc.impl.cert.ocsp.OcspCertificateStatusChecker
    May be used by
    License-Tags
    ClientCertificate
    Properties
    Ocsp Client (ocspClient)
    Description
    The OCSP-Client that should be used to perform the OCSP requests.

    Different protocols can be used as transport mechanism for the OCSP protocol. An OCSP-Client represents an OCSP implementation that uses a particular transport protocol.

    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    ClientCertificate
    Assignable plugins
    Trust Store Path (trustStorePath)
    Description
    Keystore file name containing trusted certificates of trusted OCSP responders.
    Attributes
    File/Path
    Mandatory
    License-Tags
    ClientCertificate
    Trust Store Type (trustStoreType)
    Description
    Identifies the type of the keystore.
    Attributes
    String
    Optional
    License-Tags
    ClientCertificate
    Default value
    JKS
    Allowed values
    JKS, PKCS12
    Trust Store Password (trustStorePassword)
    Description
    The password used to verify the integrity of the trust store.

    Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

    • JKS: the keystore can be opened and used but the integrity of the keystore is not checked.
    • PKCS12: an error occurs.

    Attributes
    String
    Optional
    Sensitive
    License-Tags
    ClientCertificate
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.cert.ocsp.OcspCertificateStatusChecker
    id: OcspCertificateStatusChecker-xxxxxx
    displayName: 
    comment: 
    properties:
      ocspClient:
      trustStorePassword:
      trustStorePath:
      trustStoreType: JKS
    

    OCSP Over HTTP Client

    Description
    An OCSP Client implementation that performs OCSP requests over the HTTP protocol.
    Class
    com.airlock.iam.core.misc.impl.cert.ocsp.OcspOverHttpClient
    May be used by
    Properties
    HTTP Client (httpClientConfig)
    Description
    Configuration of the HTTP-Client which is used to perform the OCSP requests.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.cert.ocsp.OcspOverHttpClient
    id: OcspOverHttpClient-xxxxxx
    displayName: 
    comment: 
    properties:
      httpClientConfig:
    

    OIDC Authorization Code / Hybrid Flow

    Description

    Configures OpenID Connect Authorization Code and optionally Hybrid Flows.

    The Authorization Code and Hybrid Flows use the following endpoints:

    1. /<loginapp-uri>/oauth2/v3/<as-identifier>/authorize - The Authorize Endpoint
    2. /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/token - The Token Endpoint
    Class
    com.airlock.iam.login.app.misc.configuration.oauth.as.oauth2.OpenIdConnectAuthorizationCodeGrantConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Authorization Code Validity [s] (authorizationCodeExpiresIn)
    Description
    Time in seconds for which an Authorization Code is valid.
    Attributes
    Integer
    Optional
    Default value
    90
    PKCE Code Challenge Method (pkceCodeChallengeMethod)
    Description

    Proof Key for Code Exchange by OAuth 2.0 Public Clients (RFC 7636)

    It is strongly recommended to use PKCE in setups involving native mobile apps (see RFC 8252).

    PKCE is always performed if the client starts it; this property defines the minimum challenge method required and therefore allows enforcing the use of PKCE.

    If PKCE is required, "plain" should only be used if a legacy client doesn't support S256.

    The value configured here applies to all clients, however, it's possible to override it in the configuration of each static client.

    Background on PKCE:
    OAuth 2.0 public clients using the Authorization Code Grant are susceptible to the Authorization Code interception attack. PKCE mitigates this risk by binding the Authorization Code to a secret that only the client which started the request knows.

    This extension utilizes a dynamically created cryptographic random key called "code verifier". A unique code verifier is created for every authentication request, and its transformed value, called "code challenge", is sent to the authorization server to obtain the Authorization Code. The Authorization Code obtained is later sent to the token endpoint with the "code verifier", which allows the server to verify the possession of the "code verifier" before issuing an Access Token.

    Attributes
    Enum
    Optional
    Default value
    PKCE_NOT_ENFORCED
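    The PKCE exchange described above, as an added example that is not part of Airlock IAM or of this reference: the client-side verifier and challenge generation, and the two authorization-server checks this property governs (the minimum challenge method at the authorize endpoint, and proof of possession of the verifier at the token endpoint). The function names, the dictionary shapes and the use of the RFC 7636 method identifiers "plain" and "S256" as labels for the two stricter settings are assumptions; only PKCE_NOT_ENFORCED is documented on this page.

```python
import base64
import hashlib
import secrets

# Enforcement levels. PKCE_NOT_ENFORCED is the plugin's documented default; "plain" and
# "S256" are the RFC 7636 method identifiers, used here as assumed labels for the two
# stricter settings (minimum method = plain, minimum method = S256).
PKCE_NOT_ENFORCED = "PKCE_NOT_ENFORCED"
PLAIN = "plain"
S256 = "S256"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client side: 32 random bytes encode to 43 unreserved characters (RFC 7636, 4.1)."""
    return _b64url(secrets.token_bytes(32))


def code_challenge(verifier: str, method: str) -> str:
    """Client side: transform the verifier into the challenge sent with the authorize request."""
    if method == PLAIN:
        return verifier
    if method == S256:
        return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError("unsupported code_challenge_method: %r" % method)


def authorize(params: dict, min_method: str) -> dict:
    """AS side, authorize endpoint: bind the challenge to the issued code and enforce the
    configured minimum method. Raises PermissionError when the request must be denied."""
    challenge = params.get("code_challenge")
    if challenge is None:
        if min_method != PKCE_NOT_ENFORCED:
            raise PermissionError("invalid_request: PKCE is required by this AS")
        return {"code": secrets.token_urlsafe(16), "challenge": None, "method": None}
    method = params.get("code_challenge_method", PLAIN)   # absent means "plain" (RFC 7636, 4.3)
    if method not in (PLAIN, S256):
        raise PermissionError("invalid_request: unsupported code_challenge_method")
    if min_method == S256 and method != S256:
        raise PermissionError("invalid_request: code_challenge_method S256 is required")
    return {"code": secrets.token_urlsafe(16), "challenge": challenge, "method": method}


def redeem(record: dict, code_verifier) -> bool:
    """AS side, token endpoint: prove possession of the verifier before issuing tokens."""
    if record["challenge"] is None:
        return True                     # PKCE was neither started by the client nor required
    if code_verifier is None or not 43 <= len(code_verifier) <= 128:
        return False
    expected = code_challenge(code_verifier, record["method"])
    return secrets.compare_digest(expected, record["challenge"])
```

    With min_method set to S256, a legacy client that still sends a plain challenge is rejected at the authorize endpoint; with PKCE_NOT_ENFORCED a client that starts PKCE is still verified at the token endpoint, only a client that omits it is let through.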
    Pushed Authorization Requests (pushedAuthorizationRequests)
    Description

    Configures the Pushed Authorization Requests (PAR) endpoint.

    If configured, IAM will provide an endpoint that allows starting OpenID Connect Authorization Code and/or Hybrid Flows with PAR.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Invalidate Old Access Tokens On Refresh (invalidateOldAccessTokensOnRefresh)
    Description

    Indicates whether Access Tokens issued together with a Refresh Token should be invalidated when said Refresh Token is used.

    Notice that in a Hybrid Flow, the Access Token issued directly via the fragment has no corresponding Refresh Token. Therefore it will never be invalidated when any Refresh Token is used to perform an Access Token refresh.

    Attributes
    Boolean
    Optional
    Default value
    false
    Access Token Validity [s] (accessTokenExpiresIn)
    Description
    Time in [s] for which an Access Token is valid. Set to 0 for infinite validity. Security Warning: Infinite Access Token validity is not recommended. If long lasting access is required and acceptable from a security perspective, consider increasing the Refresh Token validity instead.
    Attributes
    Integer
    Optional
    Default value
    180
    Single Use Access Tokens (singleUseAccessTokens)
    Description

    Indicates whether an Access Token is valid only for a single request.

    When enabled, any Access Token (including Access Tokens issued by a Hybrid Flow) may only be used once, for example in a resource request, in a one-shot authentication, or as a bearer token in a REST call.

    Attributes
    Boolean
    Optional
    Default value
    false
    Access Token Format (accessTokenFormat)
    Description
    Defines the format and structure of the issued OAuth 2.0 Access Tokens.

    Tokens will be persisted in the token persister regardless of their format and therefore can be revoked at any time.

    Changing the format will not result in an invalidation of existing tokens.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Generate Refresh Token (generateRefreshToken)
    Description
    Indicates whether Refresh Tokens are generated.
    Attributes
    Boolean
    Optional
    Default value
    true
    Refresh Token Validity [s] (refreshTokenExpiresIn)
    Description
    Time in seconds for which a Refresh Token is valid. Set to 0 for infinite validity.

    Security Warning: Only consider infinite Refresh Token validity if this is acceptable from a security perspective.

    Attributes
    Integer
    Optional
    Default value
    900
    Single Use Refresh Tokens (singleUseRefreshTokens)
    Description
    Indicates whether Refresh Tokens are only valid for a single refresh request.

    When enabled, all other Refresh Tokens of the current OAuth 2.0 session will be invalidated on successful refresh. This ensures that the Refresh Token issued during the current refresh is the only valid Refresh Token for this OAuth 2.0 session.

    Attributes
    Boolean
    Optional
    Default value
    true
    Grace Period [s] (gracePeriod)
    Description

    This option has security impact! Configuring a grace period weakens the single use property of Refresh Tokens. If a grace period is not strictly necessary, it is not recommended to use this option.

    This is only relevant if 'Single Use Refresh Tokens' is enabled: time in seconds during which a single use Refresh Token can still be used after completing a successful refresh.

    This option may be used when the refresh response can fail to reach the client (e.g. mobile apps losing connection). Normally, the Refresh Token is invalidated in this case, leaving the client without valid tokens. By configuring a grace period, such a client is able to reuse an already used Refresh Token within the configured time (the grace period) as long as the previously issued new tokens have not been used. If a Refresh Token is used to obtain several new token pairs, only the most recent new token pair is valid.

    Attributes
    Integer
    Optional
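    The interplay of 'Invalidate Old Access Tokens On Refresh', 'Single Use Refresh Tokens' and 'Grace Period' described above, as an added example that is not Airlock IAM's code: a minimal in-memory model of one OAuth 2.0 session's token state, in which a refresh invalidates every other Refresh Token of the session, a redeemed Refresh Token may be reused only inside the grace period and only while the tokens from the earlier redemption are untouched, and an Access Token handed out in a Hybrid Flow fragment is never affected. The class and method names, the way tokens are represented and the fixed 900 s Refresh Token validity are assumptions; the behaviour follows the three property descriptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenPair:
    """An Access Token and the Refresh Token issued together with it."""
    access: str
    refresh: str
    issued_at: float
    refresh_used_at: Optional[float] = None      # first successful redemption of this refresh token
    successor: Optional["TokenPair"] = None      # pair issued by the most recent redemption
    access_used: bool = False
    access_valid: bool = True
    refresh_valid: bool = True


class OAuth2Session:
    """Token state of one OAuth 2.0 session under the three settings above (assumed model)."""

    def __init__(self, single_use_refresh_tokens=True, grace_period=0,
                 invalidate_old_access_tokens_on_refresh=False, refresh_token_expires_in=900):
        self.single_use = single_use_refresh_tokens
        self.grace_period = grace_period
        self.invalidate_old_access = invalidate_old_access_tokens_on_refresh
        self.refresh_expires_in = refresh_token_expires_in
        self.pairs: list = []
        self.hybrid_access: set = set()

    def _new_pair(self, now: float) -> TokenPair:
        pair = TokenPair(secrets.token_urlsafe(16), secrets.token_urlsafe(16), now)
        self.pairs.append(pair)
        return pair

    def issue(self, now: float) -> TokenPair:
        """Token endpoint: the code exchange hands out the first Access/Refresh Token pair."""
        return self._new_pair(now)

    def issue_hybrid_access(self) -> str:
        """Hybrid Flow: an Access Token returned in the fragment has no Refresh Token."""
        token = secrets.token_urlsafe(16)
        self.hybrid_access.add(token)
        return token

    def use_access(self, token: str) -> bool:
        """Resource request with a bearer token; records that the token has been used."""
        if token in self.hybrid_access:
            return True
        for pair in self.pairs:
            if pair.access == token and pair.access_valid:
                pair.access_used = True
                return True
        return False

    def refresh(self, refresh_token: str, now: float) -> Optional[TokenPair]:
        """Token endpoint, grant_type=refresh_token. Returns the new pair, or None when denied."""
        pair = next((p for p in self.pairs if p.refresh == refresh_token), None)
        if pair is None or not pair.refresh_valid or now - pair.issued_at > self.refresh_expires_in:
            return None
        if self.single_use and pair.refresh_used_at is not None:
            # Reuse of an already redeemed single-use Refresh Token: allowed only inside the
            # grace period and only while the tokens from the earlier redemption are untouched.
            old = pair.successor
            if (self.grace_period <= 0 or now - pair.refresh_used_at > self.grace_period
                    or old.access_used or old.refresh_used_at is not None):
                return None
            old.access_valid = False      # only the most recent new token pair stays valid
            old.refresh_valid = False
        if self.single_use:
            for other in self.pairs:      # every other Refresh Token of the session dies now
                if other is not pair:
                    other.refresh_valid = False
        if self.invalidate_old_access:
            pair.access_valid = False     # hybrid fragment tokens are untouched: no refresh token
        new_pair = self._new_pair(now)
        if pair.refresh_used_at is None:
            pair.refresh_used_at = now    # the grace window starts at the first redemption
        pair.successor = new_pair
        return new_pair
```

    The grace window is anchored at the first redemption and does not slide on reuse, and the reused Refresh Token is refused as soon as the replacement Access Token or Refresh Token has been touched: that is the narrow exception the warning above refers to, and it is the reason to leave the grace period unset unless the lost-response scenario actually occurs.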
    Flow Application ID (flowApplicationId)
    Description
    Specifies the application ID of the authentication flow to start for every authentication request to this authorization server.
    When left empty, the default authentication flow is started. The Application ID configured here for all clients can be overridden for individual clients in the corresponding client configuration (static clients only).
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    ACR To Flow Application ID (acrToFlowAppId)
    Description
    Maps the requested ACR values to an application ID of the authentication flow to start for every authentication request to this authorization server.
    When left empty, the configured "Flow Application ID" authentication flow is always started. The mappings configured here for all clients can be overridden for individual clients in the corresponding client configuration (static clients only).
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Scope Filtering (scopeFiltering)
    Description
    Configures the scope filtering applied by the configured "OAuth 2.0 Consent Step" before presenting them to the user to be granted/denied on the consent page.
    This filtering takes place after processing the requested scopes (using "Scope Policy" and any allowed scopes of the client).
    When not configured explicitly, all requested scopes must be covered by a persistent user role or an acquired flow tag.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Login Hint (loginHintFlowSettings)
    Description
    Defines the handling of the login_hint request parameter. If not configured, the parameter is ignored.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    ID Token Validity [s] (openIdConnectTokenExpiresIn)
    Description
    Time in seconds for which an OpenID Connect ID Token is valid. Infinite validity is not supported. This value is used to calculate the 'exp' claim of the ID Token.
    Attributes
    Integer
    Optional
    Default value
    120
    ID Token (idToken)
    Description
    Defines the format and structure of the issued OpenID Connect ID Tokens.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Enable Hybrid Flow (enableHybridFlow)
    Description
    If enabled, authentication with the OpenID Connect Hybrid Flow is supported. Otherwise, requests containing 'token' and/or 'id_token' in the 'response_type' parameter will be denied.
    Attributes
    Boolean
    Optional
    Default value
    false
    Hybrid Flow Access Token Validity [s] (hybridFlowAccessTokenExpiresIn)
    Description
    Time in [s] for which an Access Token issued during a Hybrid Flow is valid. Set to 0 for infinite validity. Security Warning: Infinite Access Token validity is not recommended. If long lasting access is required and acceptable from a security perspective, consider increasing the Refresh Token validity instead.
    Attributes
    Integer
    Optional
    Default value
    180
    Hybrid Flow Access Token Format (hybridFlowAccessTokenFormat)
    Description

    Defines the format and structure of the OAuth 2.0 Access Tokens issued in Hybrid Flows.

    Tokens will be persisted in the token persister regardless of their format and therefore can be revoked at any time.

    Changing the format will not result in an invalidation of existing tokens.

    If not defined, no Hybrid Flow Access Tokens will be issued and requests containing 'token' in the 'response_type' parameter will be denied.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Hybrid Flow ID Token Validity [s] (hybridFlowOpenIdConnectTokenExpiresIn)
    Description
    Time in seconds for which an OpenID Connect ID Token issued during a Hybrid Flow is valid. Infinite validity is not supported. This value is used to calculate the 'exp' claim of the ID Token.
    Attributes
    Integer
    Optional
    Default value
    120
    Hybrid Flow ID Token (hybridFlowIdToken)
    Description

    Defines the format and structure of the OpenID Connect ID Tokens issued in Hybrid Flows.

    If not defined, no Hybrid Flow ID Tokens will be issued and requests containing 'id_token' in the 'response_type' parameter will be denied.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Consent (consent)
    Description

    If configured, enables displaying a consent page to the user to accept or refuse certain requested scopes.

    For "Local Consents", a page is displayed by IAM and only scopes matching the user's roles are offered.

    For "Remote Consents", the user is redirected to the configured remote consent URL to confirm OAuth 2.0 scopes at a third party.

    If nothing is configured, all requested scopes matching a user role are automatically granted and no page is displayed.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Scope Translator (scopeTranslator)
    Description
    Token management page/confirmation page: Translator to convert (technical) scopes to human readable strings. This allows for multi-language, user friendly explanations of the different access rights. Only applies if the local consent page above is enabled.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Scope Policy (scopePolicy)
    Description

    The scope policy defines how the requested scopes are validated and processed (before they are used for scope consent or scope filtering).

    Notice that the mandatory 'openid' scope requested by the client merely acts as a marker and is ignored when applying the policy (i.e. when requesting only the 'openid' scope, the scope policy treats this as if no scope had been requested at all).

    Depending on the selected policy, the following rules apply:

    • Scopes Mandatory: It is mandatory for the client to request at least one scope in addition to 'openid', otherwise the request is denied.
      • For static clients for which 'Filter Requested Scopes' is enabled: the requested scopes are filtered against the client's allowed scopes and if the client has no allowed scopes, this is treated as if the client has not requested any scopes at all.
      • For static clients for which 'Filter Requested Scopes' is disabled: the requested scopes are not filtered (i.e. all scopes are allowed to be requested).
      • For persisted clients, the allowed scopes to request are stored per client and it can be configured there what the effect of an empty list of allowed scopes is.
    • Empty Scopes Allowed: It is optional for the client to request scopes other than 'openid'.
      If scopes are requested:
      • For static clients for which 'Filter Requested Scopes' is enabled: the requested scopes are filtered against the client's allowed scopes and if the client has no allowed scopes, this is treated as if the client has not requested any scopes at all.
      • For static clients for which 'Filter Requested Scopes' is disabled: the requested scopes are not filtered (i.e. all scopes are allowed to be requested).
      • For persisted clients, the allowed scopes to request are stored per client and it can be configured there what the effect of an empty list of allowed scopes is.
    • Always Overwrite Scopes: The scopes requested by the client are ignored and replaced by the default scopes of the client. If the client has no default scopes, this is treated as if the client has not requested any scopes at all.
      With this policy, the 'Filter Requested Scopes' flag of static clients is ignored.
    • Empty Scopes Overwritten: When the client does not request any scopes other than 'openid', the request is treated as if the default scopes of this client were requested.
      If scopes are requested:
      • For static clients for which 'Filter Requested Scopes' is enabled: the requested scopes are filtered against the client's allowed scopes and if the client has no allowed scopes, this is treated as if the client has not requested any scopes at all.
      • For static clients for which 'Filter Requested Scopes' is disabled: the requested scopes are not filtered (i.e. all scopes are allowed to be requested).
      • For persisted clients, the allowed scopes to request are stored per client and it can be configured there what the effect of an empty list of allowed scopes is.
    Attributes
    Enum
    Optional
    Default value
    SCOPES_MANDATORY
    Allow Issuing Tokens With No Scope (allowEmptyScope)
    Description

    Indicates whether Access / Refresh Tokens and Authorization Codes with no scopes may be issued. Even though the 'openid' scope must be present in the authentication request, it is never part of the granted scopes.

    If set to false, no tokens are issued when there are no scopes; instead the authorization server returns an 'access denied' response.

    Notice: 'No scopes' can be caused by the client not requesting any scopes, the configured scope policy (especially in combination with 'Filter Requested Scopes' enabled and empty 'Allowed/Default Scopes'), the scope processors or when the user just denies all scopes.

    Attributes
    Boolean
    Optional
    Default value
    false
    Always Granted Scopes (alwaysGrantedScopes)
    Description
    A list of technical scopes that the user doesn't have to grant explicitly. Each scope listed here will always be granted by IAM implicitly. These scopes apply to all clients. Each statically configured client can also extend this list individually. Always Granted Scopes are never persisted, even if a Consent Storage Repository is configured.
    Attributes
    String-List
    Optional
    Granted Scope Processors (grantedScopeProcessors)
    Description

    Allows further restricting the granted scopes before the tokens are issued.

    The processors will be applied in the configured order and only scopes allowed by all processors may be granted.

    If not configured, all granted scopes are assigned to all tokens.

    Notice: the scope processors are applied after the configured Scope Policy and thus have no influence on whether the requested scopes are allowed.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
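    The scope pipeline laid out in 'Scope Filtering', 'Scope Policy', 'Allow Issuing Tokens With No Scope', 'Always Granted Scopes' and 'Granted Scope Processors', as an added example that is not Airlock IAM's code: the four policies applied to a static client's requested scopes (with 'openid' treated as a marker and 'Filter Requested Scopes' honoured), followed by the default role coverage check, consent, the implicitly granted scopes, the restricting processors and the final empty-scope decision. Only SCOPES_MANDATORY is a documented enum value; the other three constant names, the function and field names, the representation of processors as predicates and the omission of persisted clients (whose empty-list semantics are configured per client) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Set

# Only SCOPES_MANDATORY is a documented value; the other three names are assumed from the
# policy titles in the 'Scope Policy' description.
SCOPES_MANDATORY = "SCOPES_MANDATORY"
EMPTY_SCOPES_ALLOWED = "EMPTY_SCOPES_ALLOWED"
ALWAYS_OVERWRITE_SCOPES = "ALWAYS_OVERWRITE_SCOPES"
EMPTY_SCOPES_OVERWRITTEN = "EMPTY_SCOPES_OVERWRITTEN"


class ScopeDenied(Exception):
    """Carries the OAuth 2.0 error code the authorization server would return."""


@dataclass
class StaticClient:
    """The scope-related part of a static client configuration (assumed field names)."""
    allowed_scopes: Set[str] = field(default_factory=set)
    default_scopes: List[str] = field(default_factory=list)
    filter_requested_scopes: bool = True


def apply_scope_policy(requested: Iterable[str], client: StaticClient, policy: str) -> List[str]:
    """Step 1: validate and process the requested scopes according to the Scope Policy."""
    scopes = [s for s in requested if s != "openid"]   # 'openid' is only a marker
    if policy == ALWAYS_OVERWRITE_SCOPES:
        return list(client.default_scopes)             # 'Filter Requested Scopes' is ignored
    if not scopes:
        if policy == SCOPES_MANDATORY:
            raise ScopeDenied("invalid_scope")         # at least one scope besides 'openid'
        if policy == EMPTY_SCOPES_OVERWRITTEN:
            return list(client.default_scopes)
        return []                                      # EMPTY_SCOPES_ALLOWED
    if client.filter_requested_scopes:
        # An empty allowed list filters everything away, which is the same as requesting no
        # scopes; whether tokens are still issued is then decided by allow_empty_scope below.
        scopes = [s for s in scopes if s in client.allowed_scopes]
    return scopes


def grant_scopes(processed: List[str], user_roles: Set[str], user_consented: Optional[Set[str]],
                 always_granted: List[str], processors: List[Callable[[str], bool]],
                 allow_empty_scope: bool) -> List[str]:
    """Steps 2-5: default scope filtering (role coverage), consent (None = no consent page,
    everything covered is auto-granted), always-granted scopes, restricting processors and
    the final decision whether a token with no scope may be issued at all."""
    covered = [s for s in processed if s in user_roles]
    granted = covered if user_consented is None else [s for s in covered if s in user_consented]
    granted += [s for s in always_granted if s not in granted]   # implicit, never persisted
    for allowed in processors:                                   # each processor may only restrict
        granted = [s for s in granted if allowed(s)]
    if not granted and not allow_empty_scope:
        raise ScopeDenied("access_denied")
    return granted
```

    The combination that most often surprises operators is 'Filter Requested Scopes' enabled with an empty allowed list under SCOPES_MANDATORY: the request passes the policy because a scope was requested, ends up with no scopes, and is then refused with 'access_denied' unless allow_empty_scope is true.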
    Response Modes (responseModes)
    Description
    Defines the allowed response mode(s) per OpenId Connect Flow.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oauth.as.oauth2.OpenIdConnectAuthorizationCodeGrantConfig
    id: OpenIdConnectAuthorizationCodeGrantConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accessTokenExpiresIn: 180
      accessTokenFormat:
      acrToFlowAppId:
      allowEmptyScope: false
      alwaysGrantedScopes:
      authorizationCodeExpiresIn: 90
      consent:
      enableHybridFlow: false
      flowApplicationId:
      generateRefreshToken: true
      gracePeriod:
      grantedScopeProcessors:
      hybridFlowAccessTokenExpiresIn: 180
      hybridFlowAccessTokenFormat:
      hybridFlowIdToken:
      hybridFlowOpenIdConnectTokenExpiresIn: 120
      idToken:
      invalidateOldAccessTokensOnRefresh: false
      loginHintFlowSettings:
      openIdConnectTokenExpiresIn: 120
      pkceCodeChallengeMethod: PKCE_NOT_ENFORCED
      pushedAuthorizationRequests:
      refreshTokenExpiresIn: 900
      responseModes:
      scopeFiltering:
      scopePolicy: SCOPES_MANDATORY
      scopeTranslator:
      singleUseAccessTokens: false
      singleUseRefreshTokens: true
    

    OIDC Authorization Request Parameter

    Description
    Defines a custom authorization request parameter for OpenID Connect Clients.
    Class
    com.airlock.iam.oauth2.application.configuration.OpenIdConnectAuthorizationRequestParameterConfig
    May be used by
    License-Tags
    OAuthClient
    Properties
    Parameter Name (parameterName)
    Description
    The parameter name to use. If the value is in conflict with one of the standard parameters configured on the OIDC client itself, the standard parameter takes precedence.
    Attributes
    String
    Mandatory
    Validation RegEx: ^[a-zA-Z0-9_.~-]+$
    Example
    display
    Example
    login_hint
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OpenIdConnectAuthorizationRequestParameterConfig
    id: OpenIdConnectAuthorizationRequestParameterConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      parameterName:
      parameterValues:
    

    OIDC Birthdate Standard Claim (Date)

    Description
    The "birthdate" claim that will be read from a typed date context data field.
    Class
    com.airlock.iam.oauth2.application.configuration.openid.claims.OpenIDConnectTypedBirthdateStandardClaimConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Context Data Field (contextDataField)
    Description
    The context data field that should be included in the "birthdate" claim. If the context data field does not contain a typed date value, the claim will not be included in the response.
    Attributes
    String
    Mandatory
    Example
    birthdate
    Claim Condition (claimCondition)
    Description

    This claim will only be added to the issued token if the configured condition is satisfied.

    If no condition is configured, the claim will always be added to the issued token.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.openid.claims.OpenIDConnectTypedBirthdateStandardClaimConfig
    id: OpenIDConnectTypedBirthdateStandardClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claimCondition:
      contextDataField:
    

    OIDC Birthdate Standard Claim (String)

    Description

    The "birthdate" claim that will be parsed from a string context data field.

    This plugin can be used for untyped string context data items (legacy). For typed date context data fields, the OIDC Birthdate Standard Claim (Date) plugin should be used instead.

    Class
    com.airlock.iam.oauth2.application.configuration.openid.claims.OpenIDConnectStringBirthdateStandardClaimConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Context Data Field (contextDataField)
    Description
    The context data field that should be included in the "birthdate" claim. If the context data field does not contain a value, or the value cannot be parsed and converted to the ISO 8601 format, the claim will not be included in the response.
    Attributes
    String
    Mandatory
    Example
    birthdate
    Date Format (dateFormat)
    Description
    The date format of the context data field. The following letters can be used in the format.

    Symbol  Meaning                      Presentation  Examples
    G       era                          text          AD; Anno Domini; A
    u       year                         year          2004; 04
    y       year-of-era                  year          2004; 04
    D       day-of-year                  number        189
    M/L     month-of-year                number/text   7; 07; Jul; July; J
    d       day-of-month                 number        10
    g       modified-julian-day          number        2451334
    Q/q     quarter-of-year              number/text   3; 03; Q3; 3rd quarter
    Y       week-based-year              year          1996; 96
    w       week-of-week-based-year      number        27
    W       week-of-month                number        4
    E       day-of-week                  text          Tue; Tuesday; T
    e/c     localized day-of-week        number/text   2; 02; Tue; Tuesday; T
    F       day-of-week-in-month         number        3
    a       am-pm-of-day                 text          PM
    h       clock-hour-of-am-pm (1-12)   number        12
    K       hour-of-am-pm (0-11)         number        0
    k       clock-hour-of-day (1-24)     number        24
    H       hour-of-day (0-23)           number        0
    m       minute-of-hour               number        30
    s       second-of-minute             number        55
    S       fraction-of-second           fraction      978
    A       milli-of-day                 number        1234
    n       nano-of-second               number        987654321
    N       nano-of-day                  number        1234000000
    V       time-zone ID                 zone-id       America/Los_Angeles; Z; -08:30
    v       generic time-zone name       zone-name     Pacific Time; PT
    z       time-zone name               zone-name     Pacific Standard Time; PST
    O       localized zone-offset        offset-O      GMT+8; GMT+08:00; UTC-08:00
    X       zone-offset 'Z' for zero     offset-X      Z; -08; -0830; -08:30; -083015; -08:30:15
    x       zone-offset                  offset-x      +0000; -08; -0830; -08:30; -083015; -08:30:15
    Z       zone-offset                  offset-Z      +0000; -0800; -08:00
    Attributes
    String
    Mandatory
    Suggested values
    dd.MM.yyyy, dd-MM-yyyy, yyyy-MM-dd, MM-dd-yyyy, MM-dd-yyyy HH:mm:ss, yyyy-MM-dd'T'HH:mm:ss.SSSZ
    Claim Condition (claimCondition)
    Description

    This claim will only be added to the issued token if the configured condition is satisfied.

    If no condition is configured, the claim will always be added to the issued token.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.openid.claims.OpenIDConnectStringBirthdateStandardClaimConfig
    id: OpenIDConnectStringBirthdateStandardClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claimCondition:
      contextDataField:
      dateFormat:
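
    The following is an added example (not Airlock IAM's own code) showing how the Date Format and Context Data Field properties of the string birthdate claim combine: the configured pattern is applied to the context data value, the result is normalised to ISO 8601, and the claim is simply omitted when the value is missing or does not parse. The translation table from the pattern letters above to Python's strptime directives is an assumption of this example and only covers the letters used by the suggested values; the function and variable names are hypothetical.

```python
import re
from datetime import datetime
from typing import Optional

# Subset of the pattern letters listed under "Date Format", mapped to strptime directives.
# The mapping is an assumption of this example (not the product's own parser) and covers
# the suggested formats; any other letter is treated as a configuration error.
_JAVA_TO_STRPTIME = {
    "yyyy": "%Y",   # year-of-era, four digits
    "yy": "%y",     # year-of-era, two digits
    "MM": "%m",     # month-of-year, two digits
    "dd": "%d",     # day-of-month, two digits
    "HH": "%H",     # hour-of-day (0-23)
    "mm": "%M",     # minute-of-hour
    "ss": "%S",     # second-of-minute
    "SSS": "%f",    # fraction-of-second (%f accepts 1-6 digits)
    "Z": "%z",      # zone-offset such as +0000 or -08:00
}

# A token is a quoted literal ('T', or '' for a single quote), a run of one letter, or one other character.
_TOKEN = re.compile(r"'[^']*'|([A-Za-z])\1*|.")


def java_pattern_to_strptime(pattern: str) -> str:
    """Translate a Java-style date pattern (e.g. dd.MM.yyyy) into a strptime format string."""
    out = []
    for match in _TOKEN.finditer(pattern):
        token = match.group(0)
        if token.startswith("'"):
            out.append("'" if token == "''" else token[1:-1])
        elif token[0].isalpha():
            if token not in _JAVA_TO_STRPTIME:
                raise ValueError(f"unsupported pattern field '{token}' in '{pattern}'")
            out.append(_JAVA_TO_STRPTIME[token])
        else:
            out.append(token.replace("%", "%%"))
    return "".join(out)


def birthdate_claim(context_data: dict, context_data_field: str, date_format: str) -> Optional[str]:
    """Return the ISO 8601 date (YYYY-MM-DD) for the "birthdate" claim, or None when the
    field is missing, empty, or does not match the configured format (claim omitted)."""
    strptime_format = java_pattern_to_strptime(date_format)  # misconfiguration surfaces here, not per request
    raw = context_data.get(context_data_field)
    if not raw:
        return None
    try:
        parsed = datetime.strptime(raw.strip(), strptime_format)
    except ValueError:
        return None
    return parsed.date().isoformat()


def build_claims(context_data: dict, context_data_field: str, date_format: str) -> dict:
    """Assemble the claim set as the description states: the claim is absent, not empty,
    when no valid value could be produced."""
    value = birthdate_claim(context_data, context_data_field, date_format)
    return {"birthdate": value} if value is not None else {}


if __name__ == "__main__":
    # Constructed context data record for a sample user.
    print(build_claims({"birthdate": "24.12.1985"}, "birthdate", "dd.MM.yyyy"))
    print(build_claims({"birthdate": "1985/12/24"}, "birthdate", "dd.MM.yyyy"))  # omitted
```

    Note that a timestamp format such as yyyy-MM-dd'T'HH:mm:ss.SSSZ still yields a date-only claim, since the OIDC birthdate claim carries a date, not a time.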
    

    OIDC Discovery Actor Token Validation

    Description

    Actor token validation based on OpenID Connect discovery.

    Requires an actor token to be present in the token exchange request, and checks the signature using the issuer's OIDC endpoints. Tokens are expected to have at least the following claims: iss, sub, exp. The token must not be expired.

    Class
    com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2OIDCDiscoveryActorTokenValidationConfig
    May be used by
    Properties
    Allowed Token Issuers (allowedTokenIssuers)
    Description
    Only tokens issued by these issuers can be exchanged at the endpoint.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    HTTP Client (httpClient)
    Description
    The HTTP client used to fetch the JWKS data.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Cache Refresh Time [minutes] (cacheRefreshTimeInMinutes)
    Description
    Time in minutes until the data from the discovery endpoint URL and the JWKs URL will be invalidated and refreshed on the next use.

    The JWKS Cache is reloaded as needed. In particular:

    • if the Cache Refresh Time is exceeded
    • if a key is not yet known
    • if the verification of a signature with a previously known key fails

    If the data cannot be refreshed because of an error, the previous data will be used.

    Attributes
    Integer
    Optional
    Default value
    2880
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2OIDCDiscoveryActorTokenValidationConfig
    id: OAuth2OIDCDiscoveryActorTokenValidationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedTokenIssuers:
      cacheRefreshTimeInMinutes: 2880
      httpClient:
    

    OIDC Discovery Endpoint

    Description
    Configuration of an OpenID Connect discovery endpoint. (Specification)
    Class
    com.airlock.iam.oauth2.application.configuration.openid.OpenIdConnectDiscoveryEndpointConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Issuer Validation Mode (issuerValidationMode)
    Description

    Defines how IAM should behave when a mismatch is detected at runtime between the configured issuer ID and the front-facing URL of the request to this endpoint.

    Available options:

    • Ignore: Ignore a mismatch and respond with metadata
    • Log Only: Log a warning and respond with metadata when there is a mismatch
    • Fail: Respond with a server error when there is a mismatch

    Attributes
    Enum
    Optional
    Default value
    IGNORE
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.openid.OpenIdConnectDiscoveryEndpointConfig
    id: OpenIdConnectDiscoveryEndpointConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      issuerValidationMode: IGNORE
    

    OIDC Discovery Flow Client

    Description
    OIDC Discovery Flow Client Settings.

    The information from the discovery and JWKs requests will be lazy loaded and then cached for the configured time (see property 'Cache Refresh Time [minutes]').

    The settings define the OIDC handshake and can be referenced in flows through the provider id. When the OpenID Connect authorization was successful, the OAuth 2.0 Access Token and OpenID Connect ID Token are stored in the user session and can be used by the plugin OAuth 2.0 Tokens Map in the ID Propagation to provide the tokens to the backends.
    Class
    com.airlock.iam.oauth2.application.configuration.OpenIDConnectDiscoverySsoFlowClientSettings
    May be used by
    License-Tags
    OAuthClient
    Properties
    HTTP Client (httpClient)
    Description
    HTTP client used for discovery, JWKs, token and pushed authorization request endpoint requests.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Discovery Endpoint URL (discoveryEndpointURL)
    Description
    Discovery endpoint URL to obtain the configuration from. The data will be lazy loaded when the first login with this provider is initiated.
    Attributes
    String
    Mandatory
    Example
    https://airlock.iam/auth/oauth2/clientId/.well-known/openid-configuration
    Example
    https://airlock.iam/auth/rest/oauth2/authorization-servers/asId/.well-known/openid-configuration
    Example
    https://accounts.google.com/.well-known/openid-configuration
    Cache Refresh Time [minutes] (cacheRefreshTimeInMinutes)
    Description
    Time in minutes until the data from the discovery endpoint URL and the JWKS URL will be invalidated and refreshed on the next use.

    If the data cannot be refreshed because of an error or incompatibility, the previous data will be used.

    The JWKS Cache is reloaded as needed. In particular:

    • if the Cache Refresh Time is exceeded
    • if a key is not yet known
    • if the verification of a signature with a previously known key fails

    Attributes
    Integer
    Optional
    Default value
    240
    Signature Validator (signatureValidator)
    Description
    ID token signature validation. If left empty the id token's signature will be validated as follows:
    • HMAC based signatures (HS256, HS384, HS512) will be validated using the client secret.
    • Asymmetric key based signatures (RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES256K, ES384, ES512) will be validated using the matching public key from the JWKs URL. The JWKs URL included in the discovery data is used.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Token/PAR Endpoint Authentication (tokenEndpointAuthentication)
    Description
    Specifies how the client secret is included in requests to the token and pushed authorization request (PAR) endpoints.

    If left empty the supported token endpoint auth methods as specified by the discovery endpoint will be used in the following priority:
    1. client_secret_basic
    2. client_secret_post

    For security reasons client authentication must always be used.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Call End Session Endpoint (callEndSessionEndpoint)
    Description
    If enabled, IAM notifies the AS that an end-user has logged out (RP-initiated logout). This is done by calling the end session endpoint as specified by the discovery endpoint.

    The end session endpoint is not called if not defined by the discovery endpoint, regardless of this property.

    Attributes
    Boolean
    Optional
    Default value
    false
    Prefer Pushed Authorization Requests (preferPushedAuthorizationRequests)
    Description

    Configures whether the client should enable Pushed Authorization Requests (PAR; RFC 9126) extension if the OIDC Authorization Server supports it as an optional extension.

    Note: This property is disregarded if the discovery document has the option require_pushed_authorization_requests set to true (PAR is always used if that flag is enabled).

    Attributes
    Boolean
    Optional
    Default value
    true
    Use PKCE if offered (usePkceIfOffered)
    Description

    Configures whether the client should enable PKCE if it is offered by the OIDC Authorization Server.

    Only S256 is allowed as the challenge method. If this setting is active and PKCE is offered without S256 as challenge method, the flow will fail.

    Attributes
    Boolean
    Optional
    Default value
    true
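
    The following is an added example (not Airlock IAM's own code) of how a client derives the three decisions described in the preceding properties from the discovery document: the Token/PAR Endpoint Authentication fallback priority (client_secret_basic before client_secret_post, never unauthenticated), the Prefer Pushed Authorization Requests rule with require_pushed_authorization_requests overriding the preference, and the Use PKCE if offered rule that accepts S256 only. The discovery excerpt and the host op.example.test are constructed sample data; the function names are hypothetical.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed excerpt of an OpenID Connect discovery document (sample values; the
# metadata names are the standard ones, the host is fictitious).
SAMPLE_DISCOVERY = {
    "issuer": "https://op.example.test",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
    "code_challenge_methods_supported": ["S256"],
    "require_pushed_authorization_requests": False,
    "pushed_authorization_request_endpoint": "https://op.example.test/par",
}

# Priority from the "Token/PAR Endpoint Authentication" property.
AUTH_METHOD_PRIORITY = ("client_secret_basic", "client_secret_post")


def select_token_endpoint_auth(discovery: dict, configured: Optional[str] = None) -> str:
    """An explicitly configured method wins; otherwise the first method in priority order
    that the OP lists. Never fall back to an unauthenticated token request."""
    if configured:
        return configured
    # OpenID Connect Discovery: an omitted list means client_secret_basic only.
    supported = discovery.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    for method in AUTH_METHOD_PRIORITY:
        if method in supported:
            return method
    raise ValueError(f"no supported client authentication method among {supported}")


def use_par(discovery: dict, prefer_pushed_authorization_requests: bool) -> bool:
    """PAR is mandatory when require_pushed_authorization_requests is true; otherwise it
    follows the preference and needs a published PAR endpoint."""
    if discovery.get("require_pushed_authorization_requests", False):
        return True
    return prefer_pushed_authorization_requests and bool(discovery.get("pushed_authorization_request_endpoint"))


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) as defined in RFC 7636."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def pkce_pair(discovery: dict, use_pkce_if_offered: bool) -> Optional[Tuple[str, str]]:
    """Return (code_verifier, code_challenge) using S256, None when PKCE is not used, and
    raise when the OP offers PKCE without S256 ("plain" is never accepted)."""
    methods = discovery.get("code_challenge_methods_supported") or []
    if not use_pkce_if_offered or not methods:
        return None
    if "S256" not in methods:
        raise ValueError(f"PKCE offered only with {methods}; S256 required, aborting flow")
    verifier = _b64url(secrets.token_bytes(32))  # 43 unreserved characters, fresh per request
    return verifier, s256_challenge(verifier)


def verifier_matches(code_verifier: str, code_challenge: str) -> bool:
    """The check the OP performs at the token endpoint before redeeming the code."""
    return s256_challenge(code_verifier) == code_challenge


if __name__ == "__main__":
    print(select_token_endpoint_auth(SAMPLE_DISCOVERY))   # client_secret_basic
    print(use_par(SAMPLE_DISCOVERY, True))                 # True
    print(pkce_pair(SAMPLE_DISCOVERY, True))               # (verifier, challenge)
```

    The PKCE pair is generated per authorization request and the verifier is kept server-side until the token request; the S256 check is shown from the OP's side only to make the relationship between verifier and challenge explicit.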
    Scopes To Request (scopesToRequest)
    Description
    Scopes to request from the authorization endpoint. The scope 'openid' is always requested.

    Scopes may only contain the following characters: 0-9, A-Z, a-z, !, #, $, %, &, ', (, ), *, +, ',', -, ., /, :, ;, <, >, =, ?, @, [, ], ^, _, `, {, }, |, ~

    Attributes
    String-List
    Optional
    Claims To Request (claimsToRequest)
    Description
    Allows requesting specific claims using the claims parameter as specified by the OpenID Connect Core Specification. The claims can be requested from the UserInfo Endpoint and/or in the ID Token. Note that support for the claims parameter by authorization servers is optional.

    If the client wants to validate claims (e.g. returned in the ID Token), "Additional Claim Validators" can be configured. Note that the acr claim is validated separately. Refer to the property description of "Validate ACR Claim".

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    ACR Values Claim (acrValuesClaim)
    Description
    Authentication Context Class Reference (acr) values to request, in order of preference, from the authorization server (AS) using the acr_values parameter. The configured values are requested as a voluntary claim as specified by the OpenID Connect Core Specification. If the AS supports this claim, the performed acr is included in the ID Token as the 'acr' claim and validated according to "Validate ACR Claim". Note that the AS is not obligated to return the acr claim.

    If the client wants to enforce a certain acr (e.g. to enforce strong authentication), "Additional Claim Validators" can be configured to validate if the requested acr is contained in the ID Token. Otherwise the authorization fails.

    Attributes
    String-List
    Optional
    Include Nonce (includeNonce)
    Description
    If enabled, a nonce is included in the authorization request and verified against the received ID Token. The nonce is used to associate a client session with an ID Token, and to mitigate replay attacks.
    Attributes
    Boolean
    Optional
    Default value
    true
    Include Language Parameter (includeLanguageParameter)
    Description
    Whether or not the Loginapp should specifically request the currently used language for the user interaction at the authorization server.
    Attributes
    Boolean
    Optional
    Default value
    false
    Max Authentication Age [s] (maxAuthenticationAge)
    Description
    Maximum age in seconds of a preexisting authenticated session at the authorization server. Forces re-authentication if the authenticated session is older than the specified value. This parameter is only included if the value is greater than 0. To always force authentication, use of the prompt parameter is recommended.
    Attributes
    Integer
    Optional
    Default value
    0
    Send Prompt Parameter (prompt)
    Description
    Prompt parameter value(s) sent during the OpenID Connect Authorization Code Flow. Used to either suppress or force user interaction at the authorization endpoint. If left empty, the prompt parameter will be omitted.

    Available options:

    • none: Suppress all user interaction at the authorization server.
    • login: Force login at the authorization server.
    • consent: Force user consent at the authorization server.
    • select_account: Force the authorization server to prompt the end-user to select a user account.

    Note: If the setting does not match the authorization server policy, the authorization process may fail, for example if user interaction is suppressed but login is required.

    Attributes
    String-List
    Optional
    Custom Request Parameters (customAuthorizationRequestParameters)
    Description
    Custom authorization request parameters to be sent to the authorization server (AS). This can be used to define parameters that are not otherwise configurable, such as login_hint or display, as well as non-standard parameters.

    Note: If a parameter is set both using the standard functionality and custom authorization request parameter, the standard parameter will take precedence.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Custom Issuer Claim (customIssuerClaim)
    Description
    Custom issuer ('iss') claim to use for ID token validation. The issuer ('iss') value is a case-sensitive URL using the https scheme that contains scheme, host, and optionally port number and path components, and no query or fragment components. Some OpenID Connect providers may not adhere to the standard in this matter, so successful ID token validation may require accepting a custom issuer claim.
    Attributes
    String
    Optional
    Example
    urn:windows:liveid
    Audience Claim Validation Method (audienceClaimValidationMethod)
    Description
    Audience claim validation method to use for the ID token validation.

    Options:

    • STANDARD: Standard audience claim validation as defined in the OpenID Connect Core specification.
    • REDIRECT_URL: Compatibility option. The audience claim must be a valid URL and the host must match the host of the redirect URL used by Airlock IAM.
    • CUSTOM: Compatibility option. The audience claim must exactly match a custom value supplied by 'Custom Audience Claim'.

    Attributes
    Enum
    Optional
    Default value
    STANDARD
    Custom Audience Claim (customAudienceClaim)
    Description
    Custom audience ('aud') claim to use for ID token validation. Some OpenID Connect providers may not adhere to the standard completely, so successful ID token validation may require accepting a custom audience ('aud') claim.
    Attributes
    String
    Optional
    Example
    custom_audience
    Validate ACR Claim (enableAcrValidation)
    Description
    If enabled, acr values being requested by "ACR Values Claim" or "Claims To Request" are validated to be contained in the received ID Token.
    Validation fails if no acr claim is present or the contained value does not match one of the requested acr values.
    Validation succeeds if no acr values are requested or the value of the acr claim in the ID Token matches one of the requested acr values.

    Disable to not validate the acr claim. In addition, it is possible to define custom acr validation using "Additional Claim Validators".

    Attributes
    Boolean
    Optional
    Default value
    true
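
    The following is an added example (not Airlock IAM's own code) that puts the ID token claim checks described by the Custom Issuer Claim, Audience Claim Validation Method, Custom Audience Claim, Validate ACR Claim and Include Nonce properties into one validation routine, returning the list of failed checks rather than stopping at the first one so that the reason is visible in logs. The sample claim set, the issuer op.example.test and the client IDs are constructed; the function names are hypothetical.

```python
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Constructed ID Token payload as seen by the client after signature verification
# (sample values; issuer and client identifiers are fictitious).
SAMPLE_CLAIMS = {
    "iss": "https://op.example.test",
    "sub": "248289761001",
    "aud": ["example-app", "other-client"],
    "azp": "example-app",
    "exp": 1700000000,
    "acr": "urn:example:acr:mfa",
    "nonce": "n-0S6_WzA2Mj",
}


def _audiences(claims: dict) -> list:
    """aud may be a single string or an array; normalise to a list."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return list(aud) if isinstance(aud, list) else [aud]


def audience_ok(claims: dict, method: str, client_id: str, redirect_uri: str,
                custom_audience: Optional[str] = None) -> bool:
    audiences = _audiences(claims)
    if method == "STANDARD":
        # OpenID Connect Core 3.1.3.7: aud must contain the client_id; with more than
        # one audience the azp claim must be present and equal the client_id.
        if client_id not in audiences:
            return False
        return len(audiences) == 1 or claims.get("azp") == client_id
    if method == "REDIRECT_URL":
        # Compatibility option: aud must be a URL whose host matches the redirect URI host.
        expected_host = urlparse(redirect_uri).hostname
        return any(
            isinstance(a, str) and urlparse(a).scheme in ("http", "https")
            and urlparse(a).hostname == expected_host
            for a in audiences
        )
    if method == "CUSTOM":
        # Compatibility option: exact match with the configured custom audience.
        return custom_audience is not None and audiences == [custom_audience]
    raise ValueError(f"unknown audience validation method {method!r}")


def acr_ok(claims: dict, requested_acr_values: Iterable[str], enable_acr_validation: bool) -> bool:
    """Succeeds when nothing was requested (or validation is disabled); fails when the
    acr claim is missing or is not one of the requested values."""
    requested = list(requested_acr_values)
    if not enable_acr_validation or not requested:
        return True
    return claims.get("acr") in requested


def validate_id_token_claims(claims: dict, *, expected_issuer: str, client_id: str,
                             redirect_uri: str, now: int,
                             audience_method: str = "STANDARD",
                             custom_audience: Optional[str] = None,
                             custom_issuer_claim: Optional[str] = None,
                             requested_acr_values: Iterable[str] = (),
                             enable_acr_validation: bool = True,
                             expected_nonce: Optional[str] = None) -> List[str]:
    """Return the names of the failed checks; an empty list means the token is accepted."""
    failures: List[str] = []
    # A configured custom issuer replaces the discovered issuer in the comparison.
    if claims.get("iss") != (custom_issuer_claim or expected_issuer):
        failures.append("iss")
    if not audience_ok(claims, audience_method, client_id, redirect_uri, custom_audience):
        failures.append("aud")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        failures.append("exp")
    if not acr_ok(claims, requested_acr_values, enable_acr_validation):
        failures.append("acr")
    # The nonce ties the token to the authorization request that was sent (replay protection).
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        failures.append("nonce")
    return failures


if __name__ == "__main__":
    print(validate_id_token_claims(SAMPLE_CLAIMS, expected_issuer="https://op.example.test",
                                   client_id="example-app", redirect_uri="https://rp.example.test/cb",
                                   now=1699990000, requested_acr_values=["urn:example:acr:mfa"],
                                   expected_nonce="n-0S6_WzA2Mj"))   # []
```

    The REDIRECT_URL and CUSTOM branches are weaker than STANDARD because they no longer bind the token to the client_id; they exist for providers that deviate from the specification and should be used only where that is the case.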
    Additional Claim Validators (additionalClaimValidators)
    Description
    List of additional claim validators. Allows validating the presence and value of specific claims. This can be useful, for example, to validate ID Token claims that were requested in an authorization request. See the configuration of "Claims To Request" and "ACR Values Claim".

    If any of the validators fail, the ID Token is rejected and authorization fails.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    ID Token Resources (idTokenResources)
    Description
    List of remote resources that are contained in the OpenID Connect ID token. These resources are included into the OAuth 2.0 credential described in Resource Requests.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Post Logout Redirect URL (postLogoutRedirectUrl)
    Description
    The URL to which the AS should redirect after a logout has been performed.

    It is recommended to define this property to ensure a seamless application flow. If not configured, the AS defines how to respond to the logout request.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Provider Identifier (providerId)
    Description
    An identifier to identify the OAuth 2.0 Authorization Server or OpenID Provider.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Client Redirect URI (clientRedirectURI)
    Description

    Defines the redirect URI (redirect_uri) parameter value to be included in OAuth 2.0 requests. The authorization response will then be sent to this URI by the authorization server (AS) or OpenID Provider (OP).

    For redirects to the default IAM Loginapp UI use the "OAuth 2.0 Default UI Client Redirect URI".

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Resource Requests (resourceRequests)
    Description

    Resource requests that will be executed to determine the identity of the user on the provider.

    An OAuth 2.0 credential containing data of these resources is instantiated. This credential can then be used by plugins such as OAuth 2.0 Credential Roles Provider and OAuth 2.0 Credential Context Data Map to provide the data from the Authorization Server to the ID Propagation. This makes it possible to propagate the data to the backends.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Account Linking Self-Service (accountLinkingSelfService)
    Description

    If enabled, this provider is available in the account linking self-service.

    Users can link their IAM account with this provider to have an alternative authentication method.

    The account link management is available for authenticated users under the Loginapp URL: <loginapp-uri>/ui/app/protected/account-links

    Attributes
    Plugin-Link
    Optional
    License-Tags
    OAuthAccountLinking,OAuthSocialRegistration
    Assignable plugins
    Missing Account Link Red Flag (missingAccountLinkRedFlag)
    Description

    If configured, the flow will raise the configured red flag and continue in case no user could be identified using an account link.

    This red flag can then be used by a following subflow to:
    1. be triggered (by using Account Linking Required Red Flag Condition as condition for the subflow)
    2. identify the local user with authentication steps
    3. link the identified user to the provider account and take down the red flag (by using Missing Account Link Step as step in the subflow)
    Attributes
    Plugin-Link
    Optional
    License-Tags
    OAuthAccountLinking,OAuthSocialRegistration
    Assignable plugins
    Client ID (clientId)
    Description
    Client ID identifying Airlock IAM at the authorization / token and resource endpoint of the OAuth 2.0 provider.
    Only alphanumeric characters and '-_.' are allowed.
    Attributes
    String
    Mandatory
    Validation RegEx: [a-zA-Z0-9-_.]+
    Example
    example-app
    Example
    crypticyButUniqueAppId01953utjhu91823rih
    Client Secret (clientSecret)
    Description
    Client secret used to verify the client.
    Attributes
    String
    Mandatory
    Sensitive
    Access Token Request Method (accessTokenRequestMethod)
    Description
    HTTP method to use for Access Token requests.
    Attributes
    Enum
    Optional
    Default value
    POST
    Logging Settings (loggingSettings)
    Description
    Custom OAuth 2.0 client logging behaviour for integration or error diagnostics.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Enable Account Linking (enableAccountLinking)
    Description
    If enabled, this provider will solely function as an alternative authentication method for the accounts of the Loginapp's user store. This means that users who have an IAM account and an account link to a provider account can authenticate using this provider. Account links can be created by:
    • Users using the self-service
    • The automated registration
    • Auto-link feature
    Attributes
    Boolean
    Optional
    License-Tags
    OAuthAccountLinking,OAuthSocialRegistration
    Default value
    false
    Auto-link IAM Account Based on Context Data Field (autoLinkExistingUsersContextDataField)
    Description
    If the provider's account has the same unique value for the given context data field as an existing account of the Loginapp's user persister, it will be linked with the provider's account. If left empty, none of the existing accounts will be linked.

    To be able to match the context data value, it is required to add an 'OAuth 2.0 Remote Context Data Resource' with a 'Local Context Data Key' equal to this value to the resource mappings and have a context data column entry equal to this value in the Loginapp's user persister.

    If this feature is used in combination with 'Automated Account Registration', no accounts will be registered that have been auto-linked.

    Security Warning: For security reasons this should always be a context data field that is globally unique (e.g. email or phone number) and was previously verified by the IAM registration process (channel verification) and the provider's registration process. If this is not guaranteed, an attacker may be able to use this feature to log into a victim's IAM account.

    Attributes
    String
    Optional
    License-Tags
    OAuthAccountLinking,OAuthSocialRegistration
    Suggested values
    email, mtan_number
    Automated Account Registration (accountRegistrationConfig)
    Description
    Enables automated IAM account registration with data from this provider.

    The user must always confirm the account registration.

    If this feature is used in combination with 'Auto-link IAM Account Based on Context Data Field', no accounts will be registered that have been auto-linked.

    Security Warning: For automated account registration, the provider's data is used without additional validation. In particular:

    • Identity verification for mTAN numbers and/or email addresses is currently not supported.
    • Data validation (e.g. using regular expressions) is currently not supported.
    • The provider's data that is used to create the account is not displayed to the user and the user is not asked to confirm the data, e.g. using transaction approval.
    Therefore, if this feature is used, the provider must guarantee that the provided data is valid (e.g. identity-verified and validated). IAM must trust the provider to do appropriate validation.

    Attributes
    Plugin-Link
    Optional
    License-Tags
    OAuthSocialRegistration
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OpenIDConnectDiscoverySsoFlowClientSettings
    id: OpenIDConnectDiscoverySsoFlowClientSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      accessTokenRequestMethod: POST
      accountLinkingSelfService:
      accountRegistrationConfig:
      acrValuesClaim:
      additionalClaimValidators:
      audienceClaimValidationMethod: STANDARD
      autoLinkExistingUsersContextDataField:
      cacheRefreshTimeInMinutes: 240
      callEndSessionEndpoint: false
      claimsToRequest:
      clientId:
      clientRedirectURI:
      clientSecret:
      customAudienceClaim:
      customAuthorizationRequestParameters:
      customIssuerClaim:
      discoveryEndpointURL:
      enableAccountLinking: false
      enableAcrValidation: true
      httpClient:
      idTokenResources:
      includeLanguageParameter: false
      includeNonce: true
      loggingSettings:
      maxAuthenticationAge: 0
      missingAccountLinkRedFlag:
      postLogoutRedirectUrl:
      preferPushedAuthorizationRequests: true
      prompt:
      providerId:
      resourceRequests:
      scopesToRequest:
      signatureValidator:
      tokenEndpointAuthentication:
      usePkceIfOffered: true
    

    OIDC Discovery Subject Token Validation

    Description

    Subject token validation based on OpenID Connect discovery.

    The subject token "iss" claim will be checked against the list of allowed token issuers and used to determine the OIDC discovery endpoint (see the OIDC discovery specifications). The JWKS keys obtained through OIDC discovery at that URL will then be used for the subject token signature validation.

    Class
    com.airlock.iam.oauth2.application.configuration.tokenexchange.OAuth2OIDCDiscoverySubjectTokenValidationConfig
    May be used by
    License-Tags
    OAuthTokenExchange
    Properties
    Allowed Token Issuers (allowedTokenIssuers)
    Description
    Only tokens issued by these issuers can be exchanged at the endpoint.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    HTTP Client (httpClient)
    Description
    The HTTP client used to fetch the JWKS data.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Cache Refresh Time [minutes] (cacheRefreshTimeInMinutes)
    Description
    Time in minutes until the data from the discovery endpoint URL and the JWKs URL will be invalidated and refreshed on the next use.

    The JWKS Cache is reloaded as needed. In particular:

    • if the Cache Refresh Time (as configured with this property) is exceeded
    • if a key is not yet known
    • if the verification of a signature with a previously known key fails

    If the data cannot be refreshed because of an error, the previous data will be used.

    Attributes
    Integer
    Optional
    Default value
    2880
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.tokenexchange.OAuth2OIDCDiscoverySubjectTokenValidationConfig
    id: OAuth2OIDCDiscoverySubjectTokenValidationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedTokenIssuers:
      cacheRefreshTimeInMinutes: 2880
      httpClient:
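
    The following is an added example (not Airlock IAM's own code) of the JWKS cache behaviour described under Cache Refresh Time [minutes] for this plugin, for OIDC Discovery Actor Token Validation and for the OIDC Discovery Flow Client: the key set is loaded lazily, reloaded when the refresh time is exceeded, when a kid is not yet known, or when a signature check with a previously known key fails, and the previous key set stays in use when a reload errors. HMAC-SHA256 keyed by kid stands in for the asymmetric JWKS keys so the example runs offline; the fake endpoint, the manual clock and the class and function names are constructed for this example.

```python
import hashlib
import hmac
import time
from typing import Callable, Dict, Optional

KeySet = Dict[str, bytes]   # kid -> key material (constructed stand-in for a JWKS)


def hmac_sign(key: bytes, message: bytes) -> bytes:
    """Stand-in signature for the example; a real JWKS holds public keys and the check
    would be an RSA/EC signature verification of the JWT's signing input."""
    return hmac.new(key, message, hashlib.sha256).digest()


def _verify_with(key: bytes, message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(hmac_sign(key, message), signature)


class JwksCache:
    """Key cache following the reload rule from "Cache Refresh Time [minutes]"."""

    def __init__(self, fetch_jwks: Callable[[], KeySet], refresh_minutes: int,
                 clock: Callable[[], float] = time.time):
        self._fetch = fetch_jwks
        self._ttl_seconds = refresh_minutes * 60
        self._clock = clock
        self._keys: KeySet = {}
        self._loaded_at: Optional[float] = None
        self.reloads = 0          # successful reloads (useful for monitoring and tests)
        self.failed_reloads = 0   # fetch errors where the previous data stayed in use

    def _reload(self) -> None:
        try:
            fresh = self._fetch()
        except Exception:          # network/HTTP/parse error: keep the previous key set
            self.failed_reloads += 1
            return
        self._keys = dict(fresh)
        self._loaded_at = self._clock()
        self.reloads += 1

    def _expired(self) -> bool:
        return self._loaded_at is None or self._clock() - self._loaded_at > self._ttl_seconds

    def verify(self, kid: str, message: bytes, signature: bytes) -> bool:
        reloaded = False
        if self._expired() or kid not in self._keys:     # TTL exceeded or key not yet known
            self._reload()
            reloaded = True
        key = self._keys.get(kid)
        if key is not None and _verify_with(key, message, signature):
            return True
        if reloaded:
            return False          # a fresh key set was already consulted
        # Verification with a previously known key failed (e.g. rotation under the
        # same kid): one forced reload, then a final attempt.
        self._reload()
        key = self._keys.get(kid)
        return key is not None and _verify_with(key, message, signature)


def demo() -> Dict[str, object]:
    """Constructed scenario: a mutable fake JWKS endpoint (key rotation, outage) and a
    manual clock so that TTL expiry is deterministic."""
    server: KeySet = {"kid-1": b"key-material-1"}
    state = {"now": 1000.0, "down": False}

    def fetch() -> KeySet:
        if state["down"]:
            raise RuntimeError("jwks endpoint unavailable")
        return dict(server)

    cache = JwksCache(fetch, refresh_minutes=1, clock=lambda: state["now"])
    msg = b"header.payload"
    results: Dict[str, object] = {}
    results["first_use"] = cache.verify("kid-1", msg, hmac_sign(b"key-material-1", msg))   # lazy load
    results["cached"] = cache.verify("kid-1", msg, hmac_sign(b"key-material-1", msg))      # no reload
    results["reloads_after_cached"] = cache.reloads
    server["kid-2"] = b"key-material-2"                                                     # new kid appears
    results["unknown_kid"] = cache.verify("kid-2", msg, hmac_sign(b"key-material-2", msg))
    results["reloads_after_unknown_kid"] = cache.reloads
    server["kid-1"] = b"key-material-1-rotated"                                             # rotation, same kid
    results["rotated_key"] = cache.verify("kid-1", msg, hmac_sign(b"key-material-1-rotated", msg))
    results["reloads_after_rotation"] = cache.reloads
    state["now"] += 61                                                                      # TTL exceeded
    results["after_ttl"] = cache.verify("kid-1", msg, hmac_sign(b"key-material-1-rotated", msg))
    results["reloads_after_ttl"] = cache.reloads
    state["now"] += 61
    state["down"] = True                                                                    # reload fails, old keys stay
    results["endpoint_down"] = cache.verify("kid-1", msg, hmac_sign(b"key-material-1-rotated", msg))
    results["failed_reloads"] = cache.failed_reloads
    results["bad_signature"] = cache.verify("kid-1", msg, b"\x00" * 32)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    Because a failed signature check with a known key triggers a reload, unsolicited tokens with bad signatures can drive requests to the JWKS endpoint; a production cache should rate-limit these forced reloads and log them, since a burst of them is itself a useful detection signal.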
    

    OIDC Email Standard Claim

    Description
    The "email" claim. The resulting email address must conform to RFC 5322.
    Class
    com.airlock.iam.oauth2.application.configuration.openid.claims.OpenIDConnectEmailStandardClaimConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Context Data Field (contextDataField)
    Description
    The context data field that should be included in the "email" claim. If the context data field does not contain a value or the value does not conform to the format of RFC 5322, the claim will not be included in the response.
    Attributes
    String
    Mandatory
    Example
    email
    Claim Condition (claimCondition)
    Description

    This claim will only be added to the issued token if the configured condition is satisfied.

    If no condition is configured, the claim will always be added to the issued token.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.openid.claims.OpenIDConnectEmailStandardClaimConfig
    id: OpenIDConnectEmailStandardClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claimCondition:
      contextDataField:
    

    OIDC Family Name Standard Claim

    Description
    The "family_name" claim.
    Class
    com.airlock.iam.oauth2.application.configuration.openid.claims.OpenIDConnectFamilyNameStandardClaimConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Context Data Field (contextDataField)
    Description
    The context data field that should be included in the "family_name" claim. If the context data field does not contain a value or is empty, the claim will not be included in the response.
    Attributes
    String
    Mandatory
    Example
    surname
    Claim Condition (claimCondition)
    Description

    This claim will only be added to the issued token if the configured condition is satisfied.

    If no condition is configured, the claim will always be added to the issued token.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.openid.claims.OpenIDConnectFamilyNameStandardClaimConfig
    id: OpenIDConnectFamilyNameStandardClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claimCondition:
      contextDataField:
    

    OIDC Flow Client

    Description
    OIDC Flow Client Settings. The settings define the OIDC handshake and can be referenced in flows through the provider id. When the OpenID Connect authorization was successful, the OAuth 2.0 Access Token and OpenID Connect ID Token are stored in the user session and can be used by the plugin OAuth 2.0 Tokens Map in the ID Propagation to provide the tokens to the backends.
    Class
    com.airlock.iam.oauth2.application.configuration.OpenIDConnectSsoFlowClientSettings
    May be used by
    License-Tags
    OAuthClient
    Properties
    HTTP Client (httpClient)
    Description
    HTTP client used for token and pushed authorization endpoint requests.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token/PAR Endpoint Authentication (tokenEndpointAuthentication)
    Description
    Specifies how the client secret is included in requests to the token and pushed authorization request (PAR) endpoints.

    RFC 6749 suggests using the HTTP Basic authentication scheme ('OAuth 2.0 Basic Auth Client Secret').
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Token Endpoint URL (tokenEndpointURL)
    Description
    Token endpoint URL to get Access and Refresh Tokens.
    Attributes
    String
    Mandatory
    Example
    https://airlock.com/auth/rest/oauth2/authorization-servers/asId/token
    Example
    https://accounts.google.com/o/oauth2/token
    Example
    https://login.live.com/oauth20_token.srf
    Authorization Endpoint URL (authorizationEndpointURL)
    Description
    Authorization endpoint URL to obtain Authorization Codes from.
    Attributes
    String
    Mandatory
    Example
    https://airlock.iam/auth/ui/app/auth/oauth2/authorization-servers/asId/authorize
    Example
    https://airlock.iam/auth/oauth2/v3/asId/authorize
    Example
    https://accounts.google.com/o/oauth2/auth
    Example
    https://login.live.com/oauth20_authorize.srf
    Pushed Authorization Request Endpoint URL (pushedAuthorizationRequestEndpointURL)
    Description
    The pushed authorization request endpoint URI to send the Authorization Request to. If this property is set, the OpenID Connect client will send all Authorization Requests according to the PAR specification as defined in RFC 9126.
    Attributes
    String
    Optional
    Example
    https://airlock.iam/auth/rest/oauth2/authorization-servers/asId/par
    Example
    https://as.example.org/as/par
    PKCE Challenge Method (pkceChallengeMethod)
    Description
    Configures the PKCE challenge method.
    Attributes
    Enum
    Optional
    Default value
    S256
    Signature Validator (signatureValidator)
    Description
    ID token signature validation plugin.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    End Session Endpoint (endSessionEndpoint)
    Description
    Defines the AS's logout endpoint URL. If configured, IAM notifies the AS that an end-user previously authenticated with this AS has logged out (RP-initiated logout).
    Note that the AS must support this feature.
    Attributes
    String
    Optional
    Scopes To Request (scopesToRequest)
    Description
    Scopes to request from the authorization endpoint. The scope 'openid' is always requested.

    Scopes may only contain the following characters: 0-9, A-Z, a-z, !, #, $, %, &, ', (, ), *, +, ',', -, ., /, :, ;, <, >, =, ?, @, [, ], ^, _, `, {, }, |, ~

    Attributes
    String-List
    Optional
    Claims To Request (claimsToRequest)
    Description
    Allows requesting specific claims using the claims parameter as specified by the OpenID Connect Core Specification. The claims can be requested from the UserInfo Endpoint and/or in the ID Token. Note that support for the claims parameter by authorization servers is optional.

    If the client wants to validate claims (e.g. returned in the ID Token), "Additional Claim Validators" can be configured. Note that the acr claim is validated separately. Refer to the property description of "Validate ACR Claim".

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    ACR Values Claim (acrValuesClaim)
    Description
    Authentication Context Class Reference (acr) values to request in order of preference from the authorization server (AS) using the acr_values parameter. The configured values are requested as voluntary claim as specified by the OpenID Connect Core Specification. If the AS supports this claim, the performed acr is included in the ID Token as 'acr' claim and validated according to "Validate ACR Claim". Note that the AS is not obligated to return the acr claim.

    If the client wants to enforce a certain acr (e.g. to enforce strong authentication), "Additional Claim Validators" can be configured to validate if the requested acr is contained in the ID Token. Otherwise the authorization fails.

    Attributes
    String-List
    Optional
    Include Nonce (includeNonce)
    Description
    If enabled, a nonce is included in the authorization request and verified against the received ID Token. The nonce is used to associate a client session with an ID Token, and to mitigate replay attacks.
    Attributes
    Boolean
    Optional
    Default value
    true
    Include Language Parameter (includeLanguageParameter)
    Description
    Whether or not the Loginapp should specifically request the currently used language for the user interaction at the authorization server.
    Attributes
    Boolean
    Optional
    Default value
    false
    Max Authentication Age [s] (maxAuthenticationAge)
    Description
    Maximum age in seconds of a preexisting authenticated session at the authorization server. Forces re-authentication if the authenticated session is older than the specified value. This parameter is only included if the value is greater than 0. To always force authentication, use of the prompt parameter is recommended.
    Attributes
    Integer
    Optional
    Default value
    0
    Send Prompt Parameter (prompt)
    Description
    Prompt parameter value(s) sent during the OpenID Connect Authorization Code Flow. Used to either suppress or force user interaction at the authorization endpoint. If left empty, the prompt parameter will be omitted.

    Available options:

  • none: Suppress all user interaction at the authorization server.
  • login: Force login at the authorization server.
  • consent: Force user consent at the authorization server.
  • select_account: Force the authorization server to prompt the end-user to select a user account.

    Note: If the setting does not match the authorization server policy, the authorization process may fail, for example if user interaction is suppressed but login is required.

    Attributes
    String-List
    Optional
    Custom Request Parameters (customAuthorizationRequestParameters)
    Description
    Custom authorization request parameters to be sent to the authorization server (AS). This can be used to define parameters that are not otherwise configurable, such as login_hint or display, as well as non-standard parameters.

    Note: If a parameter is set both using the standard functionality and custom authorization request parameter, the standard parameter will take precedence.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
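    The following is an added illustration, not Airlock IAM code: it assembles an authorization request the way the properties above describe it (openid always in scope, scope character check, acr_values in order of preference, nonce kept in the session, max_age only when greater than 0, prompt omitted when empty, S256 PKCE per RFC 7636, and custom parameters that never override a standard one). Function names, the session dictionary and the endpoint URLs are assumptions made for the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Characters permitted in a scope token, as listed under "Scopes To Request".
SCOPE_CHARS = frozenset(
    "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    "!#$%&'()*+,-./:;<>=?@[]^_`{}|~"
)


def validate_scope(scope):
    """Reject scope tokens containing characters the property does not allow."""
    if not scope or any(ch not in SCOPE_CHARS for ch in scope):
        raise ValueError("invalid scope token: %r" % (scope,))
    return scope


def pkce_pair(code_verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636."""
    if code_verifier is None:
        code_verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return code_verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(authorization_endpoint, client_id, redirect_uri,
                                scopes_to_request=(), acr_values=(), include_nonce=True,
                                max_authentication_age=0, prompt=(), custom_params=None,
                                pkce_method="S256", state=None, nonce=None, code_verifier=None):
    """Build the authorization request URL plus the values the client must keep in its session."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri}
    # 'openid' is always requested; configured scopes are validated and appended without duplicates.
    scope_list = ["openid"]
    for scope in scopes_to_request:
        if validate_scope(scope) not in scope_list:
            scope_list.append(scope)
    params["scope"] = " ".join(scope_list)
    params["state"] = state or secrets.token_urlsafe(16)
    session = {"state": params["state"]}
    if include_nonce:
        params["nonce"] = nonce or secrets.token_urlsafe(16)
        session["nonce"] = params["nonce"]            # later compared with the ID token's 'nonce' claim
    if acr_values:
        params["acr_values"] = " ".join(acr_values)  # space separated, in order of preference
    if max_authentication_age > 0:                   # omitted when 0, as the property states
        params["max_age"] = str(max_authentication_age)
    if prompt:                                       # omitted when the list is empty
        params["prompt"] = " ".join(prompt)
    if pkce_method == "S256":
        verifier, challenge = pkce_pair(code_verifier)
        params["code_challenge"] = challenge
        params["code_challenge_method"] = "S256"
        session["code_verifier"] = verifier          # goes only to the token endpoint, never via the browser
    elif pkce_method is not None:
        raise ValueError("unsupported PKCE method: %r" % (pkce_method,))
    # Custom parameters (login_hint, display, ...) never override a standard parameter.
    for name, value in (custom_params or {}).items():
        params.setdefault(name, value)
    return authorization_endpoint + "?" + urlencode(params), session


def parse_request(url):
    """Inspection helper: single-valued map of the query parameters of a built request."""
    return {key: values[0] for key, values in parse_qs(urlsplit(url).query).items()}
```

    The verifier/challenge pair from RFC 7636 Appendix B can be used to check the S256 computation; a session dictionary like the one returned here is what the client needs when it later validates the ID token and redeems the code.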
    Custom Issuer Claim (customIssuerClaim)
    Description
    Custom issuer ('iss') claim to use for ID token validation. The issuer ('iss') value is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components. Some OpenID Connect providers may not adhere to the standard in this matter and successful ID token validation may therefore require to accept a custom issuer claim.
    Attributes
    String
    Optional
    Example
    urn:windows:liveid
    Audience Claim Validation Method (audienceClaimValidationMethod)
    Description
    Audience claim validation method to use for the ID token validation.

    Options:

    • STANDARD: Standard audience claim validation as defined in the OpenID Connect Core specification.
    • REDIRECT_URL: Compatibility option. The audience claim must be a valid URL and the host must match the host of the redirect URL used by Airlock IAM.
    • CUSTOM: Compatibility option. The audience claim must exactly match a custom value supplied by 'Custom Audience Claim'.

    Attributes
    Enum
    Optional
    Default value
    STANDARD
    Custom Audience Claim (customAudienceClaim)
    Description
    Custom audience ('aud') claim to use for ID token validation. Some OpenID Connect providers may not adhere to the standard completely and successful ID token validation may therefore require to accept a custom audience ('aud') claim.
    Attributes
    String
    Optional
    Example
    custom_audience
    Validate ACR Claim (enableAcrValidation)
    Description
    If enabled, acr values being requested by "ACR Values Claim" or "Claims To Request" are validated to be contained in the received ID Token.
    Validation fails if no acr claim is present or the contained value does not match one of the requested acr values.
    Validation succeeds if no acr values are requested or the value of the acr claim in the ID Token matches one of the requested acr values.

    Disable to not validate the acr claim. In addition, it is possible to define custom acr validation using "Additional Claim Validators".

    Attributes
    Boolean
    Optional
    Default value
    true
    Additional Claim Validators (additionalClaimValidators)
    Description
    List of additional claim validators. Allows to validate the presence and value of specific claims. This can be useful to e.g. validate ID Token claims that were requested in an authorization request. See the configuration of "Claims To Request" and "ACR Values Claim".

    If any of the validators fail, the ID Token is rejected and authorization fails.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
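    As an added example (not Airlock IAM code), the checks that the properties "Custom Issuer Claim", "Audience Claim Validation Method", "Custom Audience Claim", "Validate ACR Claim", "Include Nonce" and "Additional Claim Validators" imply, applied to a decoded ID token whose signature has already been verified. The configuration is modelled as a plain dictionary keyed by the property names above; the function names, the exception type and the session dictionary holding the nonce are assumptions made for the example.

```python
import time
from urllib.parse import urlsplit


class IdTokenRejected(Exception):
    """Raised when a claim check fails; the authorization then fails."""


def as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def validate_issuer(claims, expected_issuer, custom_issuer_claim=None):
    """'iss' must equal the AS issuer exactly (case sensitive), or the configured custom value."""
    expected = custom_issuer_claim or expected_issuer
    if claims.get("iss") != expected:
        raise IdTokenRejected("issuer mismatch: %r" % (claims.get("iss"),))


def validate_audience(claims, method, client_id, redirect_uri=None, custom_audience=None):
    aud = as_list(claims.get("aud"))
    if method == "STANDARD":
        # OpenID Connect Core 3.1.3.7: aud must contain client_id; with several audiences 'azp'
        # is required, and whenever 'azp' is present it must equal client_id.
        if client_id not in aud:
            raise IdTokenRejected("client_id not in aud")
        if len(aud) > 1 and "azp" not in claims:
            raise IdTokenRejected("multiple audiences without azp")
        if "azp" in claims and claims["azp"] != client_id:
            raise IdTokenRejected("azp does not match client_id")
    elif method == "REDIRECT_URL":
        # Compatibility: an aud value must be a URL whose host equals the redirect URL host.
        host = urlsplit(redirect_uri).hostname if redirect_uri else None
        if not host or not any(urlsplit(a).scheme and urlsplit(a).hostname == host for a in aud):
            raise IdTokenRejected("no aud URL with host %r" % (host,))
    elif method == "CUSTOM":
        if custom_audience is None or aud != [custom_audience]:
            raise IdTokenRejected("aud is not the configured custom audience")
    else:
        raise ValueError("unknown audience validation method: %r" % (method,))


def validate_acr(claims, requested_acr_values, enable_acr_validation=True):
    """Nothing requested (or validation disabled): pass. Otherwise acr must be present and match."""
    if not enable_acr_validation or not requested_acr_values:
        return
    acr = claims.get("acr")
    if acr is None:
        raise IdTokenRejected("acr claim missing although acr values were requested")
    if acr not in requested_acr_values:
        raise IdTokenRejected("acr %r is not one of the requested values" % (acr,))


def validate_nonce(claims, expected_nonce):
    """Binds the ID token to the session that sent the authorization request."""
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise IdTokenRejected("nonce mismatch (possible replay)")


def validate_id_token_claims(claims, config, session, now=None):
    """Run every check the client configuration implies; returns the claims on success."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise IdTokenRejected("ID token expired")
    validate_issuer(claims, config["issuer"], config.get("customIssuerClaim"))
    validate_audience(claims, config.get("audienceClaimValidationMethod", "STANDARD"),
                      config["clientId"], config.get("clientRedirectURI"),
                      config.get("customAudienceClaim"))
    validate_acr(claims, config.get("acrValuesClaim", ()), config.get("enableAcrValidation", True))
    if config.get("includeNonce", True):
        validate_nonce(claims, session.get("nonce"))
    # "Additional Claim Validators" modelled as (claim name, predicate) pairs: presence and value.
    for name, predicate in config.get("additionalClaimValidators", ()):
        if name not in claims or not predicate(claims[name]):
            raise IdTokenRejected("additional claim validator failed for %r" % (name,))
    return claims
```

    Note the asymmetry the page describes: with no acr values requested the token passes even without an acr claim, so enforcing strong authentication needs either "ACR Values Claim" plus validation, or an additional validator on the acr claim.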
    ID Token Resources (idTokenResources)
    Description
    List of remote resources that are contained in the OpenID Connect ID token. These resources are included into the OAuth 2.0 credential described in Resource Requests.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Post Logout Redirect URL (postLogoutRedirectUrl)
    Description
    The URL to which the AS should redirect after a logout has been performed.

    It is recommended to define this property to ensure a seamless application flow. If not configured, the AS defines how to respond to the logout request.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Provider Identifier (providerId)
    Description
    An identifier to identify the OAuth 2.0 Authorization Server or OpenID Provider.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Client Redirect URI (clientRedirectURI)
    Description

    Defines the redirect URI (redirect_uri) parameter value to be included in OAuth 2.0 requests. The authorization response will then be sent to this URI by the authorization server (AS) or OpenID Provider (OP).

    For redirects to the default IAM Loginapp UI use the "OAuth 2.0 Default UI Client Redirect URI".

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Resource Requests (resourceRequests)
    Description

    Resource requests that will be executed to determine the identity of the user on the provider.

    An OAuth 2.0 credential containing data of these resources is instantiated. This credential can then be used by plugins such as OAuth 2.0 Credential Roles Provider and OAuth 2.0 Credential Context Data Map to provide the data from the Authorization Server to the ID Propagation, which makes the provider's data available for propagation to the backends.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Account Linking Self-Service (accountLinkingSelfService)
    Description

    If enabled, this provider is available in the account linking self-service.

    Users can link their IAM account with this provider to have an alternative authentication method.

    The account link management is available for authenticated users under the Loginapp URL: <loginapp-uri>/ui/app/protected/account-links

    Attributes
    Plugin-Link
    Optional
    License-Tags
    OAuthAccountLinking,OAuthSocialRegistration
    Assignable plugins
    Missing Account Link Red Flag (missingAccountLinkRedFlag)
    Description

    If configured, the flow will raise the configured red flag and continue in case no user could be identified using an account link.

    This red flag can then be used by a following subflow to:
    1. be triggered (by using Account Linking Required Red Flag Condition as condition for the subflow)
    2. identify the local user with authentication steps
    3. link the identified user to the provider account and take down the red flag (by using Missing Account Link Step as step in the subflow)
    Attributes
    Plugin-Link
    Optional
    License-Tags
    OAuthAccountLinking,OAuthSocialRegistration
    Assignable plugins
    Client ID (clientId)
    Description
    Client ID identifying Airlock IAM at the authorization / token and resource endpoint of the OAuth 2.0 provider.
    Only alphanumeric characters and '-_.' are allowed.
    Attributes
    String
    Mandatory
    Validation RegEx: [a-zA-Z0-9-_.]+
    Example
    example-app
    Example
    crypticyButUniqueAppId01953utjhu91823rih
    Client Secret (clientSecret)
    Description
    Client secret used to verify the client.
    Attributes
    String
    Mandatory
    Sensitive
    Access Token Request Method (accessTokenRequestMethod)
    Description
    HTTP method to use for Access Token requests.
    Attributes
    Enum
    Optional
    Default value
    POST
    Logging Settings (loggingSettings)
    Description
    Custom OAuth 2.0 client logging behaviour for integration or error diagnostics.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Enable Account Linking (enableAccountLinking)
    Description
    If enabled, this provider functions solely as an alternative authentication method for accounts in the Loginapp's user store: users who have an IAM account and an account link to a provider account can authenticate using this provider. Account links can be created by
    • Users using the self-service
    • The automated registration
    • Auto-link feature
    Attributes
    Boolean
    Optional
    License-Tags
    OAuthAccountLinking,OAuthSocialRegistration
    Default value
    false
    Auto-link IAM Account Based on Context Data Field (autoLinkExistingUsersContextDataField)
    Description
    If the provider's account has the same unique value for the given context data field as an existing account of the Loginapp's user persister, it is linked with the provider's account. If left empty, no existing account is linked.

    To be able to match the context data value, it is required to add an 'OAuth 2.0 Remote Context Data Resource' with a 'Local Context Data Key' equal to this value to the resource mappings and have a context data column entry equal to this value in the Loginapp's user persister.

    If this feature is used in combination with 'Automated Account Registration', no accounts will be registered that have been auto-linked.

    Security Warning: For security reasons this should always be a context data field that is globally unique (e.g. email or phone number) and was previously verified by the IAM registration process (channel verification) and the provider's registration process. If this is not guaranteed, an attacker may be able to use this feature to log into a victim's IAM account.

    Attributes
    String
    Optional
    License-Tags
    OAuthAccountLinking,OAuthSocialRegistration
    Suggested values
    email, mtan_number
    Automated Account Registration (accountRegistrationConfig)
    Description
    Enables automated IAM account registration with data from this provider.

    The user must always confirm the account registration.

    If this feature is used in combination with 'Auto-link IAM Account Based on Context Data Field', no accounts will be registered that have been auto-linked.

    Security Warning: For automated account registration, the provider's data is used without additional validation. In particular:

    • Identity verification for mTAN numbers and/or email addresses is currently not supported.
    • Data validation (e.g. using regular expressions) is currently not supported.
    • The provider's data that is used to create the account is not displayed to the user and the user is not asked to confirm the data, e.g. using transaction approval.
    Therefore, if this feature is used, the provider must guarantee that the provided data is valid (e.g. identity-verified and validated). IAM must trust the provider to do appropriate validation.

    Attributes
    Plugin-Link
    Optional
    License-Tags
    OAuthSocialRegistration
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OpenIDConnectSsoFlowClientSettings
    id: OpenIDConnectSsoFlowClientSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      accessTokenRequestMethod: POST
      accountLinkingSelfService:
      accountRegistrationConfig:
      acrValuesClaim:
      additionalClaimValidators:
      audienceClaimValidationMethod: STANDARD
      authorizationEndpointURL:
      autoLinkExistingUsersContextDataField:
      claimsToRequest:
      clientId:
      clientRedirectURI:
      clientSecret:
      customAudienceClaim:
      customAuthorizationRequestParameters:
      customIssuerClaim:
      enableAccountLinking: false
      enableAcrValidation: true
      endSessionEndpoint:
      httpClient:
      idTokenResources:
      includeLanguageParameter: false
      includeNonce: true
      loggingSettings:
      maxAuthenticationAge: 0
      missingAccountLinkRedFlag:
      pkceChallengeMethod: S256
      postLogoutRedirectUrl:
      prompt:
      providerId:
      pushedAuthorizationRequestEndpointURL:
      resourceRequests:
      scopesToRequest:
      signatureValidator:
      tokenEndpointAuthentication:
      tokenEndpointURL:
    

    OIDC Flow Condition To ACR Value Mapping

    Description
    Configures a mapping of a flow condition to an ACR value. The ID token may get the configured ACR value, if the flow condition is fulfilled.
    Class
    com.airlock.iam.oauth2.application.configuration.OpenIdConnectFlowConditionToAcrMappingConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Flow Condition (flowCondition)
    Description
    If this condition is fulfilled, the below ACR value may be in the ID token.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    ACR Value (acrValue)
    Description
    ACR value to write into the ID token. Note: The ACR value is case sensitive.
    Attributes
    String
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OpenIdConnectFlowConditionToAcrMappingConfig
    id: OpenIdConnectFlowConditionToAcrMappingConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      acrValue:
      flowCondition:
    

    OIDC Given Name Standard Claim

    Description
    The "given_name" claim.
    Class
    com.airlock.iam.oauth2.application.configuration.openid.claims.OpenIDConnectGivenNameStandardClaimConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Context Data Field (contextDataField)
    Description
    The context data field that should be included in the "given_name" claim. If the context data field does not contain a value or is empty, the claim will not be included in the response.
    Attributes
    String
    Mandatory
    Example
    givenname
    Claim Condition (claimCondition)
    Description

    This claim will only be added to the issued token if the configured condition is satisfied.

    If no condition is configured, the claim will always be added to the issued token.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.openid.claims.OpenIDConnectGivenNameStandardClaimConfig
    id: OpenIDConnectGivenNameStandardClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claimCondition:
      contextDataField:
    

    OIDC HS256 Signature Validator

    Description
    OpenID Connect ID Token signature validation plugin for HS256 signatures.
    Class
    com.airlock.iam.oauth2.application.configuration.client.OpenIDConnectHS256SignatureValidator
    May be used by
    License-Tags
    OAuthClient
    Properties
    Static Key (staticKey)
    Description
    Static key to use in place of the client secret. Must be at least 32 characters long. If left blank, the client secret is used as signature key and SHOULD be manually verified to be at least 32 characters long.
    Attributes
    String
    Optional
    Sensitive
    Length >= 32
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.client.OpenIDConnectHS256SignatureValidator
    id: OpenIDConnectHS256SignatureValidator-xxxxxx
    displayName: 
    comment: 
    properties:
      staticKey:
    

    OIDC ID Token

    Description
    Defines the format and structure of the issued OpenID Connect ID Token.
    Class
    com.airlock.iam.login.app.misc.configuration.oauth.as.oauth2.OpenIdConnectIdTokenConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Claims (claims)
    Description
    OpenID Connect claim configuration for the issuer and additional custom claims written to the ID Tokens.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    ACR Claim (Flow) (acrClaim)
    Description
    OpenID Connect ACR value. If not configured, the ID Token will not contain any "acr" value for OpenID Connect handshakes using the flow authentication.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Signer (signer)
    Description
    ID Token Signature configuration. Security Warning: Using 'No Signature' is not recommended.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oauth.as.oauth2.OpenIdConnectIdTokenConfig
    id: OpenIdConnectIdTokenConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      acrClaim:
      claims:
      signer:
    

    OIDC ID Token Claims

    Description

    Configuration plugin for the OpenID Connect ID Token Claims.

    The 'iss' (issuer) claim is always filled from the issuer configured in the top level configuration.

    Class
    com.airlock.iam.login.app.application.configuration.oauth.as.openid.OpenIDConnectClaimsConfiguration
    May be used by
    License-Tags
    OAuthServer
    Properties
    Custom Claims (customClaims)
    Description

    List of custom claims added to the OpenID Connect ID Token as additional claims.

    Multiple claims with the same name can be configured if each has a claim condition which ensures that only one of them will be included at runtime.

    The following claims are automatically set by Airlock IAM and therefore will be ignored if defined as custom claim.
    • auth_time
    • nonce
    • acr

    Note: When "Persist Claims" is disabled, custom claims are collected when the ID Token is requested by an OpenID Connect client and not when the ID Token is issued. Therefore the values of the custom claims may change between issue and request time.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Distributed Claims (distributedClaims)
    Description

    Distributed Claims to add to the ID Token.

    These claims allow providing a URL to a 3rd party claims provider in the response where additional claims may be obtained.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.application.configuration.oauth.as.openid.OpenIDConnectClaimsConfiguration
    id: OpenIDConnectClaimsConfiguration-xxxxxx
    displayName: 
    comment: 
    properties:
      customClaims:
      distributedClaims:
    

    OIDC ID Token HMAC

    Description
    ID tokens will be signed using a Keyed-Hash Message Authentication Code (HMAC) using the client secret as key.
    Note that the client secret must have a minimum length depending on the selected algorithm (see property description).
    Class
    com.airlock.iam.oauth2.application.configuration.openid.signature.OpenIDConnectIDTokenMACSignatureSigner
    May be used by
    License-Tags
    OAuthServer
    Properties
    Algorithm (algorithm)
    Description

    MAC based signature algorithm to use.

    Important: The ID Token is signed using the client secret. Therefore, the client must have registered such a secret and it must be long enough for the selected algorithm:

    • HS256: 32 characters
    • HS384: 48 characters
    • HS512: 64 characters
    Attributes
    Enum
    Optional
    Default value
    HS256
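    An added example (not Airlock IAM code) of both ends of the HMAC arrangement described here and under "OIDC HS256 Signature Validator": the AS signs the ID token with the client secret after enforcing the per-algorithm minimum key length, and the client verifies it with the same secret (or a configured static key). The validator pins the expected algorithm instead of trusting the token's header, which is the check that makes an "alg: none" token fail rather than pass. Function names and the sample secret are assumptions; the JWS encoding follows RFC 7515 compact serialization.

```python
import base64
import hashlib
import hmac
import json

# Minimum key length per algorithm, as the 'Algorithm' property requires.
MIN_KEY_CHARS = {"HS256": 32, "HS384": 48, "HS512": 64}
DIGEST = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


class SignatureInvalid(Exception):
    pass


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_key_length(key, alg):
    """Refuse a client secret (or static key) shorter than the algorithm's minimum."""
    minimum = MIN_KEY_CHARS[alg]
    if len(key) < minimum:
        raise ValueError("%s requires a key of at least %d characters, got %d" % (alg, minimum, len(key)))
    return key


def sign_id_token(claims, key, alg="HS256"):
    """AS side: compact JWS over the claims, HMAC keyed with the client secret."""
    check_key_length(key, alg)
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode("utf-8")) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8")))
    tag = hmac.new(key.encode("utf-8"), signing_input.encode("ascii"), DIGEST[alg]).digest()
    return signing_input + "." + b64url(tag)


def verify_id_token(token, key, alg="HS256"):
    """Client side: pin the algorithm, then verify the HMAC in constant time. Returns the claims."""
    check_key_length(key, alg)
    parts = token.split(".")
    if len(parts) != 3:
        raise SignatureInvalid("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    # The validator decides the algorithm. 'none' or an asymmetric alg in the header is rejected,
    # never honoured, which closes the alg=none and key-confusion downgrades.
    if header.get("alg") != alg:
        raise SignatureInvalid("unexpected alg %r" % (header.get("alg"),))
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key.encode("utf-8"), signing_input, DIGEST[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise SignatureInvalid("HMAC mismatch")
    return json.loads(b64url_decode(parts[1]))
```

    Because the same secret signs and verifies, any party holding the client secret can mint ID tokens; where the secret is shared with a backend or is short, the private key signer below is the better choice.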
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.openid.signature.OpenIDConnectIDTokenMACSignatureSigner
    id: OpenIDConnectIDTokenMACSignatureSigner-xxxxxx
    displayName: 
    comment: 
    properties:
      algorithm: HS256
    

    OIDC ID Token No Signature

    Description
    ID tokens will not be signed.

    Security Warning: ID tokens should always be signed. Do not use this plugin unless the client is unable to verify the signature.

    Class
    com.airlock.iam.oauth2.application.configuration.openid.signature.OpenIDConnectIDTokenNoSignatureSigner
    May be used by
    License-Tags
    OAuthServer
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.openid.signature.OpenIDConnectIDTokenNoSignatureSigner
    id: OpenIDConnectIDTokenNoSignatureSigner-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OIDC ID Token Private Key Signature

    Description
    ID tokens will be signed using a private key signature.
    Class
    com.airlock.iam.oauth2.application.configuration.openid.signature.OpenIDConnectIDTokenPrivateKeySignatureSigner
    May be used by
    License-Tags
    OAuthServer
    Properties
    Algorithm (algorithm)
    Description
    Private key based signature algorithm to use.
    Attributes
    Enum
    Optional
    Default value
    RS256
    Keystore File (keystoreFile)
    Description
    Keystore file name containing the certificate and key used to sign the JWT.
    Attributes
    File/Path
    Mandatory
    Keystore Password (keystorePassword)
    Description
    The password used to open the keystore.
    Attributes
    String
    Optional
    Sensitive
    Signing Key Alias (signingKeyAlias)
    Description
    The alias of the key used to sign the JWT. This field can be omitted if the keystore only contains one private key entry.
    Attributes
    String
    Optional
    Example
    alias
    Signing Key Password (signingKeyPassword)
    Description
    The password used to retrieve the key from the keystore. This password can be the same as the keystore password.
    Attributes
    String
    Mandatory
    Sensitive
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.openid.signature.OpenIDConnectIDTokenPrivateKeySignatureSigner
    id: OpenIDConnectIDTokenPrivateKeySignatureSigner-xxxxxx
    displayName: 
    comment: 
    properties:
      algorithm: RS256
      keystoreFile:
      keystorePassword:
      signingKeyAlias:
      signingKeyPassword:
    

    OIDC Name Standard Claim

    Description
    The "name" claim
    Class
    com.airlock.iam.oauth2.application.configuration.openid.claims.OpenIDConnectNameStandardClaimConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Value Format (format)
    Description
    The value is defined using a format string consisting of one or multiple context data values. Context data field items can be referenced with ${contextDataField} and will be replaced with the value of the referenced context data field.
    Attributes
    String
    Mandatory
    Suggested values
    ${surname} ${givenname}
    Claim Condition (claimCondition)
    Description

    This claim will only be added to the issued token if the configured condition is satisfied.

    If no condition is configured, the claim will always be added to the issued token.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.openid.claims.OpenIDConnectNameStandardClaimConfig
    id: OpenIDConnectNameStandardClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claimCondition:
      format:
    

    OIDC No Post Logout Redirect URI

    Description

    Does not include a post logout redirect URI back to the SPA in an RP-initiated logout.

    Possible further user agent redirects are handled by the AS.

    Class
    com.airlock.iam.oauth2.application.configuration.client.OAuth2NoPostLogoutRedirectUriConfig
    May be used by
    License-Tags
    OAuthClient
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.client.OAuth2NoPostLogoutRedirectUriConfig
    id: OAuth2NoPostLogoutRedirectUriConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OIDC No Signature Validator

    Description
    OpenID Connect ID Token signature validation plugin which only accepts unsigned ID Tokens (with algorithm 'none').
    Class
    com.airlock.iam.oauth2.application.configuration.client.OpenIDConnectNoSignatureValidator
    May be used by
    License-Tags
    OAuthClient
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.client.OpenIDConnectNoSignatureValidator
    id: OpenIDConnectNoSignatureValidator-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OIDC Phone Number Standard Claim

    Description
    The "phone_number" claim. The phone number will be transformed to the E.164 format.
    Class
    com.airlock.iam.oauth2.application.configuration.openid.claims.OpenIDConnectPhoneNumberStandardClaimConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Context Data Field (contextDataField)
    Description
    The context data field that should be included in the "phone_number" claim. If the context data field does not contain a value or is not a valid phone number, the claim will not be included in the response.
    Attributes
    String
    Mandatory
    Example
    mtan_number
    Region Code (regionCode)
    Description
    If the context data field contains a region specific phone number format, the region code of the format must be provided in this property.

    International phone numbers (starting with "+") do not require a region code property value.
    Attributes
    String
    Optional
    Allowed values
    AC (+247), AD (+376), AE (+971), AF (+93), AG (+1), AI (+1), AL (+355), AM (+374), AO (+244), AR (+54), AS (+1), AT (+43), AU (+61), AW (+297), AX (+358), AZ (+994), BA (+387), BB (+1), BD (+880), BE (+32), BF (+226), BG (+359), BH (+973), BI (+257), BJ (+229), BL (+590), BM (+1), BN (+673), BO (+591), BQ (+599), BR (+55), BS (+1), BT (+975), BW (+267), BY (+375), BZ (+501), CA (+1), CC (+61), CD (+243), CF (+236), CG (+242), CH (+41), CI (+225), CK (+682), CL (+56), CM (+237), CN (+86), CO (+57), CR (+506), CU (+53), CV (+238), CW (+599), CX (+61), CY (+357), CZ (+420), DE (+49), DJ (+253), DK (+45), DM (+1), DO (+1), DZ (+213), EC (+593), EE (+372), EG (+20), EH (+212), ER (+291), ES (+34), ET (+251), FI (+358), FJ (+679), FK (+500), FM (+691), FO (+298), FR (+33), GA (+241), GB (+44), GD (+1), GE (+995), GF (+594), GG (+44), GH (+233), GI (+350), GL (+299), GM (+220), GN (+224), GP (+590), GQ (+240), GR (+30), GT (+502), GU (+1), GW (+245), GY (+592), HK (+852), HN (+504), HR (+385), HT (+509), HU (+36), ID (+62), IE (+353), IL (+972), IM (+44), IN (+91), IO (+246), IQ (+964), IR (+98), IS (+354), IT (+39), JE (+44), JM (+1), JO (+962), JP (+81), KE (+254), KG (+996), KH (+855), KI (+686), KM (+269), KN (+1), KP (+850), KR (+82), KW (+965), KY (+1), KZ (+7), LA (+856), LB (+961), LC (+1), LI (+423), LK (+94), LR (+231), LS (+266), LT (+370), LU (+352), LV (+371), LY (+218), MA (+212), MC (+377), MD (+373), ME (+382), MF (+590), MG (+261), MH (+692), MK (+389), ML (+223), MM (+95), MN (+976), MO (+853), MP (+1), MQ (+596), MR (+222), MS (+1), MT (+356), MU (+230), MV (+960), MW (+265), MX (+52), MY (+60), MZ (+258), NA (+264), NC (+687), NE (+227), NF (+672), NG (+234), NI (+505), NL (+31), NO (+47), NP (+977), NR (+674), NU (+683), NZ (+64), OM (+968), PA (+507), PE (+51), PF (+689), PG (+675), PH (+63), PK (+92), PL (+48), PM (+508), PR (+1), PS (+970), PT (+351), PW (+680), PY (+595), QA (+974), RE (+262), RO (+40), RS (+381), RU (+7), RW (+250), SA (+966), SB (+677), SC (+248), SD (+249), SE (+46), SG (+65), SH (+290), SI (+386), SJ (+47), SK (+421), SL (+232), SM (+378), SN (+221), SO (+252), SR (+597), SS (+211), ST (+239), SV (+503), SX (+1), SY (+963), SZ (+268), TA (+290), TC (+1), TD (+235), TG (+228), TH (+66), TJ (+992), TK (+690), TL (+670), TM (+993), TN (+216), TO (+676), TR (+90), TT (+1), TV (+688), TW (+886), TZ (+255), UA (+380), UG (+256), US (+1), UY (+598), UZ (+998), VA (+39), VC (+1), VE (+58), VG (+1), VI (+1), VN (+84), VU (+678), WF (+681), WS (+685), XK (+383), YE (+967), YT (+262), ZA (+27), ZM (+260), ZW (+263)
    Claim Condition (claimCondition)
    Description

    This claim will only be added to the issued token if the configured condition is satisfied.

    If no condition is configured, the claim will always be added to the issued token.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.openid.claims.OpenIDConnectPhoneNumberStandardClaimConfig
    id: OpenIDConnectPhoneNumberStandardClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claimCondition:
      contextDataField:
      regionCode:
    

    OIDC Private Key JWT Authentication

    Description
    Configures a client authentication that is based on a private_key_jwt.

    The subject and issuer claim in the JWT must be equal to the identifier of a client (client_id). The client must have a public key registered in order to verify the signature of the JWT.

    Note: JWTs are persisted; the 'jti' claim must be unique during the lifetime of a JWT (i.e. until it expires). If a JWT with a previously seen 'jti' claim is sent, authentication fails. Automatic removal of persisted JWTs (after expiry) can be configured in an OAuth 2.0 Clean-up Task.

    Class
    com.airlock.iam.oauth2.application.configuration.clientauthentication.OpenIdConnectPrivateKeyJwtAuthenticationConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    SQL Data Source (sqlDataSource)
    Description
    Defines where the JWT ID ('jti' claim of the JWT) is persisted.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Log Queries (logQueries)
    Description
    Enable to log SQL queries (only effective if the log level is at least INFO). Attention: query values (including potentially sensitive data) will be logged as well.
    Attributes
    Boolean
    Optional
    Default value
    false
    Tenant ID (tenantId)
    Description

    Identity added to the database records to distinguish between different tenants.

    If left empty, 'no_tenant' is used as the effective value for tenant ID.

    Attributes
    String
    Optional
    Length <= 50
    Validation RegEx: (?!no_tenant$).*
    Example
    customerA
    Example
    customerB
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.clientauthentication.OpenIdConnectPrivateKeyJwtAuthenticationConfig
    id: OpenIdConnectPrivateKeyJwtAuthenticationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      logQueries: false
      sqlDataSource:
      tenantId:
    

    OIDC Private Key JWT Client Authentication

    Description
    Allows clients that have previously registered a public key on the authorization server to sign a JWT using the corresponding private key in order to authenticate with the authorization server.

    The JWT is formatted according to the private_key_jwt client authentication as specified by the OpenID Connect Core Specification.

    Class
    com.airlock.iam.oauth2.application.configuration.signature.OpenIDConnectPrivateKeyJwtClientAuthenticationConfig
    May be used by
    License-Tags
    OAuthClient
    Properties
    Custom Audience (customAudience)
    Description
    Custom value used as audience claim (aud) of the JWT. According to the OpenID Connect Core Specification, the audience SHOULD be the URL of the authorization server's token endpoint. If not configured, the authorization server's token endpoint URL is used as "aud" claim.
    Attributes
    String
    Optional
    Example
    https://airlock.com/auth/rest/oauth2/authorization-servers/as/token
    Example
    https://accounts.google.com/o/oauth2/token
    Example
    https://login.live.com/oauth20_token.srf
    JWT Validity [s] (validityDuration)
    Description
    The duration (in seconds) for which the generated JWT will be accepted by the authorization server. It is used to calculate the exp claim of the JWT.
    Attributes
    Integer
    Optional
    Default value
    60
    Valid Not Before Skew (validNotBeforeSkew)
    Description
    This claim identifies the time before which the JWT must not be accepted for processing. To determine the nbf claim value in the JWT, the number of seconds configured in this property is subtracted from the JWT issue time. Setting a time in the past avoids clock synchronization problems with the authorization server.
    Attributes
    Integer
    Optional
    Default value
    5
    Include KID (includeKid)
    Description

    If enabled, the KID of the public key used to sign a JWT is added to the JWT header. Consumers of the JWT can use the KID to identify the public key that verifies the signature.

    The KID is ignored by some servers but is usually necessary when the client has multiple keys (or wants to rotate them) or when the authorization server needs to look up the corresponding public key on the client's JWKS endpoint.

    This property's testlet displays the KID that is included in the JWT header if the property is enabled.

    Attributes
    Boolean
    Optional
    Default value
    true
    Algorithm (algorithm)
    Description
    Private key based signature algorithm to use.
    Attributes
    Enum
    Optional
    Default value
    RS256
    Keystore File (keystoreFile)
    Description
    Keystore file name containing the certificate and key used to sign the JWT.
    Attributes
    File/Path
    Mandatory
    Keystore Password (keystorePassword)
    Description
    The password used to open the keystore.
    Attributes
    String
    Optional
    Sensitive
    Signing Key Alias (signingKeyAlias)
    Description
    The alias of the key used to sign the JWT. This field can be omitted if the keystore only contains one private key entry.
    Attributes
    String
    Optional
    Example
    alias
    Signing Key Password (signingKeyPassword)
    Description
    The password used to retrieve the key from the keystore. This password can be the same as the keystore password.
    Attributes
    String
    Mandatory
    Sensitive
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.signature.OpenIDConnectPrivateKeyJwtClientAuthenticationConfig
    id: OpenIDConnectPrivateKeyJwtClientAuthenticationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      algorithm: RS256
      customAudience:
      includeKid: true
      keystoreFile:
      keystorePassword:
      signingKeyAlias:
      signingKeyPassword:
      validNotBeforeSkew: 5
      validityDuration: 60
    

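The two plugins above are the two ends of the same exchange: the client builds a private_key_jwt assertion (iss = sub = client_id, aud = token endpoint, nbf = iat - skew, exp = iat + validity, kid in the header) and the authorization server verifies it against the registered public key and persists the jti so a second presentation is refused. The following Go program is an added example written for this page, not Airlock IAM code; the function and type names, the in-memory JtiStore standing in for the SQL data source, and the constructed client_id and token endpoint URL are all assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// assertionClaims are the claims of a private_key_jwt client assertion.
type assertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Iat int64  `json:"iat"`
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion is the client side (settings: JWT Validity, Valid Not Before Skew, Include KID).
func BuildClientAssertion(key *rsa.PrivateKey, clientID, aud, kid string,
	validity, skew time.Duration, now time.Time) (string, error) {
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	raw := make([]byte, 16) // fresh random jti for every assertion
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	cb, _ := json.Marshal(assertionClaims{
		Iss: clientID, Sub: clientID, Aud: aud, Jti: b64(raw),
		Iat: now.Unix(), Nbf: now.Add(-skew).Unix(), Exp: now.Add(validity).Unix(),
	})
	input := b64(hb) + "." + b64(cb)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// JtiStore stands in for the SQL data source: jti -> exp (Unix seconds).
type JtiStore map[string]int64

// VerifyClientAssertion is the authorization-server side; registered maps
// client_id to the client's registered public key. Returns the client_id.
func VerifyClientAssertion(token string, registered map[string]*rsa.PublicKey,
	tokenEndpoint string, seen JtiStore, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	hb, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	cb, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return "", errors.New("invalid base64url segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	var c assertionClaims
	if json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &c) != nil || hdr.Alg != "RS256" {
		return "", errors.New("invalid header/claims or unexpected alg") // the token never picks the algorithm
	}
	if c.Iss == "" || c.Iss != c.Sub || c.Aud != tokenEndpoint {
		return "", errors.New("iss and sub must equal the client_id and aud this token endpoint")
	}
	pub, ok := registered[c.Iss]
	if !ok {
		return "", errors.New("unknown client or no public key registered")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("signature verification failed")
	}
	t := now.Unix()
	if t < c.Nbf || t >= c.Exp {
		return "", errors.New("JWT not yet valid or expired")
	}
	// Replay protection: a jti stays persisted until its JWT expires (expired rows
	// are what the OAuth 2.0 Clean-up Task removes); a live duplicate is rejected.
	if exp, dup := seen[c.Jti]; dup && exp > t {
		return "", errors.New("jti already seen: replay rejected")
	}
	seen[c.Jti] = c.Exp
	return c.Iss, nil
}

func main() { // stand-alone demo with a freshly generated key and constructed values
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := BuildClientAssertion(key, "client-app", "https://as.example/token", "key-1", 60*time.Second, 5*time.Second, time.Now())
	fmt.Println(VerifyClientAssertion(tok, map[string]*rsa.PublicKey{"client-app": &key.PublicKey}, "https://as.example/token", JtiStore{}, time.Now()))
}
```

The order of checks matters for operations: the algorithm is pinned before anything is trusted, the signature is verified with the key looked up by iss (never with a key named in the token), and the jti is recorded only after every other check has passed, so a rejected assertion cannot poison the store.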
    OIDC prompt=none Condition

    Description
    Condition that is fulfilled if the current OpenID Connect authorization request requires 'prompt=none' (and no other prompt). If there is no current OpenID Connect request, the condition is not fulfilled.
    Class
    com.airlock.iam.oauth2.application.configuration.authorization.OpenIdConnectPromptNoneConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service Flow, Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    License-Tags
    OAuthServer
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.authorization.OpenIdConnectPromptNoneConditionConfig
    id: OpenIdConnectPromptNoneConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OIDC RS256 Signature Validator

    Description
    OpenID Connect ID Token signature validation plugin for RS256 signatures.
    Class
    com.airlock.iam.oauth2.application.configuration.client.OpenIDConnectRS256SignatureValidator
    May be used by
    License-Tags
    OAuthClient
    Properties
    Remote Key Location (remoteKeyLocation)
    Description
    URL of the remote JWKS endpoint publishing the public keys used for ID Token RS256 signature validation. This is used for OpenID Connect providers that rotate public keys (e.g. Google).

    The remote public keys should be presented according to the 'JSON Web Key' specification; otherwise parsing may fail.

    Attributes
    String
    Mandatory
    Example
    https://airlock.iam/auth/rest/oauth2/authorization-servers/asId/jwks
    Example
    https://www.googleapis.com/oauth2/v2/certs
    Example
    https://www.googleapis.com/oauth2/v3/certs
    Example
    https://login.microsoftonline.com/common/discovery/v2.0/keys
    Example
    https://login.windows.net/common/discovery/keys
    Example
    https://login.salesforce.com/id/keys
    HTTP Client (httpClient)
    Description
    Configuration for the HTTP client used to fetch the remote public key.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.client.OpenIDConnectRS256SignatureValidator
    id: OpenIDConnectRS256SignatureValidator-xxxxxx
    displayName: 
    comment: 
    properties:
      httpClient:
      remoteKeyLocation:
    

    OIDC Session Management

    Description
    OpenID Connect Session Management settings according to the OpenID Connect Session Management Specification
    Class
    com.airlock.iam.oauth2.application.configuration.OpenIDConnectSessionManagementConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Same Site Policy (sameSitePolicy)
    Description

    Specifies the 'SameSite' cookie attribute of the OP User Agent State cookie.

    The correct choice of this property is essential for the correct operation of this feature:

    • For same-domain scenarios, 'Lax' should be chosen. In this case, the cookie will only be accessible when the top-level page (which includes the OP iframe) is in the same domain as the OP iframe.
    • For cross-domain scenarios, 'None' must be chosen. In this case, 'Secure' is also automatically appended because modern browsers only accept such cookies on a secure connection.
    • To rely on the browser's default behavior (not recommended), 'No SameSite Attribute' can be chosen; depending on the browser version, such cookies are usually treated as 'Lax'.

    Attributes
    Enum
    Optional
    Default value
    LAX
    Debug (debug)
    Description
    When enabled, the OP iframe writes debug logs to the browser console on every message, which helps to debug the functionality and find the reason for a possible 'error' response. In addition, the origin check endpoint writes a debug log entry with further information when an origin is not accepted.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OpenIDConnectSessionManagementConfig
    id: OpenIDConnectSessionManagementConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      debug: false
      sameSitePolicy: LAX
    

    OIDC SSO Ticket Login Hint Extractor

    Description
    Extracts an SSO ticket from the session.
    Class
    com.airlock.iam.oauth2.application.configuration.sso.OpenIdConnectSsoTicketLoginHintExtractorConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.sso.OpenIdConnectSsoTicketLoginHintExtractorConfig
    id: OpenIdConnectSsoTicketLoginHintExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OIDC SSO Ticket Login Hint Flow Settings

    Description
    The OIDC login_hint parameter will be interpreted as an SSO ticket. The SSO ticket is stored in the session and can then be used by an "SSO Ticket Authentication Step" using an "OIDC SSO Ticket Login Hint Extractor" in the authentication flow.
    Class
    com.airlock.iam.oauth2.application.configuration.OpenIdConnectSsoTicketLoginHintFlowConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OpenIdConnectSsoTicketLoginHintFlowConfig
    id: OpenIdConnectSsoTicketLoginHintFlowConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    OIDC UserInfo Endpoint

    Description

    OpenID Connect UserInfo Endpoint according to the OpenID Connect Specification.

    The endpoint is available under /<loginapp-uri>/rest/oauth2/authorization-servers/<as-identifier>/userinfo

    The subject claim "sub" will contain the username and always be present in UserInfo Responses. It is not possible to overwrite the subject claim.

    Class
    com.airlock.iam.login.app.misc.configuration.oauth.as.oauth2.OpenIDConnectUserInfoEndpointConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Standard Claims (standardClaims)
    Description
    Standard claims according to the OpenID Connect Standard Claims to add to the UserInfo Response. Note: claims must be unique; therefore, adding the same standard claim multiple times will result in a runtime error when issuing the response.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Custom Claims (customClaims)
    Description

    Custom claims to add to the UserInfo Response.

    Multiple claims with the same name can be configured if each has a claim condition which ensures that only one of them will be included at runtime. Configuring a custom claim that results in the same claim name as a standard claim will result in a runtime error.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Distributed Claims (distributedClaims)
    Description

    Distributed Claims to add to the UserInfo Response.

    These claims allow providing a URL to a 3rd party claims provider in the response where additional claims may be obtained.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oauth.as.oauth2.OpenIDConnectUserInfoEndpointConfig
    id: OpenIDConnectUserInfoEndpointConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customClaims:
      distributedClaims:
      standardClaims:
    

    OIDC Username Login Hint Flow Settings

    Description
    This plugin checks the OIDC login_hint parameter and provides it as additional attribute usernameHint in the authentication flow response if valid. When using the Loginapp UI, a valid login_hint will be prefilled as the username on the password page.
    Class
    com.airlock.iam.oauth2.application.configuration.OpenIdConnectUsernameLoginHintFlowConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Username Pattern (usernamePattern)
    Description
    The value of the login_hint parameter (username) is validated against this pattern. If the username matches, it is reflected to the client as additional attribute usernameHint in the flow response. Otherwise, the login_hint is ignored.
    Attributes
    RegEx
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.OpenIdConnectUsernameLoginHintFlowConfig
    id: OpenIdConnectUsernameLoginHintFlowConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      usernamePattern:
    

    Old Phone Number Provider

    Description
    Provides the user's old phone number in case of a phone number change or deletion.
    Class
    com.airlock.iam.common.application.configuration.sms.OldPhoneNumberProviderConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.sms.OldPhoneNumberProviderConfig
    id: OldPhoneNumberProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    On Behalf Cookie Authentee Extractor

    Description
    Extracts Context Data based on cookie values and adds it to a user. In addition, it adds the configured roles to the user.
    Class
    com.airlock.iam.core.misc.impl.sso.onbehalflogin.OnBehalfCookieAuthenteeExtractor
    Properties
    Static Roles (staticRoles)
    Description
    The roles a user gets assigned.
    Attributes
    String-List
    Mandatory
    Context Data Map (contextDataMap)
    Description
    This plugin map will be used to extract information from a cookie. The plugin to be used to extract the value of the cookie is configured as the value. The extracted information will be stored in the Context Data of the user under the given key.
    Attributes
    Plugin-Map
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.onbehalflogin.OnBehalfCookieAuthenteeExtractor
    id: OnBehalfCookieAuthenteeExtractor-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataMap:
      staticRoles:
    

    On Behalf Login Identity Propagation Config

    Description

    This identity propagator performs a login 'on behalf' of the user at a backend web application. It performs the necessary login steps to obtain an authenticated session by logging into the backend application. It then attaches the session cookie to the user's authenticated session, thus enabling access to the backend application.

    The login process is configured as a sequence of on behalf login steps. Each on behalf login step performs an HTTP operation and can store newly gathered information in an information storage for the next step.

    For example: a first on behalf login step executes an HTTP GET request on the web application's login page and extracts the CSRF protection token. The next on behalf login step submits the login form with username, password and the extracted CSRF token.

    On behalf logins are not robust against changes of the web application. Therefore, this identity propagation mechanism is only recommended for legacy applications that do not support another way of identity propagation.

    Class
    com.airlock.iam.login.application.configuration.idpropagation.OnBehalfLoginIdentityPropagationConfig
    May be used by
    Properties
    HTTP Client (httpClient)
    Description
    The HTTP client that connects to the web application.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    On Behalf Login Steps (onBehalfLoginSteps)
    Description
    Sequence of on behalf login steps that are performed to simulate the user's login process.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Cookie Mappings (cookieMappings)
    Description
    A list of cookies that are expected from the backend application and that are kept for subsequent access to this backend. Usually the only cookie to configure is the session cookie.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Forward To Last Redirect Location (forwardToLastRedirectLocation)
    Description
    If enabled, the client will be redirected to the URL specified in the Location header in the response of the last "On Behalf Login Step", under the conditions that
    1. a forward location is present in the last response from the backend and
    2. the forward location matches at least one regex in the "Allowed Forward Location" patterns.
    Attributes
    Boolean
    Optional
    Default value
    false
    Allowed Forward Locations (allowedForwardLocations)
    Description
    A list of regular expressions defining the allowed forward locations in the response of the last "On Behalf Login Step".
    This setting is only relevant if "Forward To Last Redirect Location" is enabled. In that case the forward location must match at least one regex in order to be accepted. If the forward location does not match any regex, the default forward location is used.
    • The forward location will always be an absolute URL; relative URLs are not supported.
    • The forward location is seen from the on behalf HTTP client's perspective, which might differ from the user's perspective if Airlock IAM is behind an Airlock Gateway, because the Airlock Gateway may rewrite the forward location.
    • URLs with any 'User Information' part in front of the host name (for example "https://user@domain.com/") are never accepted.
    Attributes
    RegEx-List
    Optional
    Default value
    [^/.*]
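The rules for "Forward To Last Redirect Location" and "Allowed Forward Locations" above (absolute URL only, no user-information part, at least one pattern must match, otherwise the default forward location) as one Go function. This is an added example written for this page, not Airlock IAM code; the names ForwardPolicy and ResolveForward, the DefaultLocation field and the example host names are assumptions. Matching uses Go's regexp, which finds a match anywhere in the string, so a pattern must carry its own anchors.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// ForwardPolicy mirrors the two settings; DefaultLocation is the fallback
// target the text calls the "default forward location" (assumed here).
type ForwardPolicy struct {
	Enabled         bool
	Allowed         []*regexp.Regexp
	DefaultLocation string
}

// ResolveForward decides where the client is sent after the last on behalf
// login step, given the Location header of the backend's last response.
// It returns the target and a short reason suitable for a log line.
func ResolveForward(p ForwardPolicy, location string) (string, string) {
	if !p.Enabled {
		return p.DefaultLocation, "forwarding to last redirect location is disabled"
	}
	if location == "" {
		return p.DefaultLocation, "no Location header in last response"
	}
	u, err := url.Parse(location)
	if err != nil || !u.IsAbs() || u.Host == "" {
		return p.DefaultLocation, "relative or unparsable URL rejected"
	}
	if u.User != nil {
		// "https://user@domain.com/" is never accepted: the part before '@'
		// is user information, and the real host is whatever follows it.
		return p.DefaultLocation, "user information part rejected"
	}
	for _, re := range p.Allowed {
		if re.MatchString(location) {
			return location, "matched " + re.String()
		}
	}
	return p.DefaultLocation, "no allowed pattern matched"
}

func main() {
	// Constructed policy: only the backend's own origin, with a trailing slash
	// so that look-alike hosts such as app.example.com.evil.example cannot match.
	p := ForwardPolicy{
		Enabled:         true,
		Allowed:         []*regexp.Regexp{regexp.MustCompile(`^https://app\.example\.com/`)},
		DefaultLocation: "https://app.example.com/",
	}
	for _, loc := range []string{
		"https://app.example.com/home",
		"https://app.example.com@evil.example/",
		"/home",
		"https://app.example.com.evil.example/",
	} {
		target, why := ResolveForward(p, loc)
		fmt.Printf("%-42s -> %s (%s)\n", loc, target, why)
	}
}
```

The trailing slash in the pattern is the detail to check when reviewing a configuration: `^https://app\.example\.com` without it also matches `https://app.example.com.evil.example/`, and the user-information check does not catch that case because no '@' is involved.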
    Condition (condition)
    Description
    Defines the condition under which this identity propagation is executed.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.idpropagation.OnBehalfLoginIdentityPropagationConfig
    id: OnBehalfLoginIdentityPropagationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedForwardLocations: [^/.*]
      condition:
      cookieMappings:
      forwardToLastRedirectLocation: false
      httpClient:
      onBehalfLoginSteps:
      valueProviders:
    

    On Behalf Login Identity Propagator

    Description
    This identity propagator performs a login 'on behalf' of the user at a backend web application. It performs the necessary login steps to obtain an authenticated session by logging in to the backend application, then attaches the resulting session cookie to the user's authenticated session, thus enabling access to the backend application.

    The login process is configured as a sequence of on behalf login steps. Each on behalf login step performs an HTTP operation and can store newly gathered information in an information storage for the next step.

    For example: a first on behalf login step executes an HTTP GET request on the web application's login page and extracts the CSRF protection token. The next on behalf login step submits the login form with username, password and the extracted CSRF token.

    Note that on behalf logins are not robust against changes of the web application. We therefore recommend this identity propagation mechanism only for legacy applications that do not provide another way of identity propagation.

    Class
    com.airlock.iam.core.misc.impl.sso.onbehalflogin.OnBehalfLoginIdentityPropagator
    May be used by
    Properties
    HTTP Client (httpClientConfig)
    Description
    The HTTP client that connects to the web application.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    On Behalf Login Steps (onBehalfLoginSteps)
    Description
    Sequence of on behalf login steps that are performed to simulate the user's login process.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Cookies (cookies)
    Description
    A list of cookies that are expected from the web application and that are propagated. Usually the only cookie to configure is the session cookie.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Forward User To Last Redirect Location (forwardUserToLastRedirectLocation)
    Description
    If set, the user will be forwarded to the URL specified in the Location header in the response of the last onBehalfLoginStep.
    Note 1: The URL must match at least one regex in the allowedForwardLocationPatterns (see below).
    Note 2: If set, the forward location sent in the response of the last onBehalfLoginStep is not followed.
    Note 3: If set and the response to the last onBehalfLoginStep does not contain a Location header, the user is forwarded to the default forward location.
    Attributes
    Boolean
    Optional
    Default value
    false
    Allowed Forward Location Patterns (allowedForwardLocationPatterns)
    Description
    A list of regular expressions defining the allowed forward locations in the response of the last onBehalfLoginStep.
    This setting is only relevant if forwardUserToLastRedirectLocation is set to true. In that case the forward location must match at least one regex in order to be accepted. If the forward location does not match any regex, the default forward location is used.
    • Notice that the forward location will always be an absolute URL, relative URLs are not supported.
    • Notice that the forward location is seen from the on-behalf HTTP client's perspective, which might differ from the user's perspective if IAM is behind the Airlock Gateway (WAF), because the Airlock Gateway may rewrite the forward location.
    • Note that URLs with any 'User Information' part in front of the host name (for example "https://user@domain.com/") are never accepted.
    Attributes
    RegEx-List
    Optional
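The acceptance rules for the last redirect location are the same for the "Allowed Forward Locations" property of the On Behalf Login Identity Propagation Config above and the "Allowed Forward Location Patterns" property here. The following Python model, added as an illustration and not part of Airlock IAM, applies those rules to a Location header value: forwarding must be enabled, the URL must be absolute, any user-information part before the host is rejected before the patterns are even consulted, and at least one pattern must match, otherwise the default forward location is used. The pattern list, the default location and the URLs are constructed sample values; whole-URL matching (re.fullmatch) is an assumption, since the reference does not state whether a pattern must cover the entire URL.

```python
import re
from urllib.parse import urlsplit

# Constructed sample configuration (not taken from the reference page).
DEFAULT_FORWARD_LOCATION = "https://portal.example.test/home"
ALLOWED_FORWARD_LOCATION_PATTERNS = [
    r"https://app\.example\.test/.*",
    r"https://.*\.example\.test/reports/.*",
]


def select_forward_location(last_response_location, allowed_patterns,
                            default_location, forward_enabled=True):
    """Decide where the user is forwarded after the last on-behalf login step.

    Mirrors the rules in the reference: forwarding must be enabled, the
    Location value must be an absolute URL without a user-information part,
    and it must match at least one allowed pattern; otherwise the default
    forward location is used. Assumption: a pattern must match the whole
    URL (re.fullmatch), which is the safer reading for an allow-list.
    """
    if not forward_enabled or not last_response_location:
        # Feature disabled, or the last response carried no Location header.
        return default_location

    parts = urlsplit(last_response_location)
    if not parts.scheme or not parts.netloc:
        # Relative URLs are not supported.
        return default_location
    if "@" in parts.netloc:
        # A user-information part in front of the host name is never
        # accepted, even if an allowed pattern would match the URL.
        return default_location

    for pattern in allowed_patterns:
        if re.fullmatch(pattern, last_response_location):
            return last_response_location
    return default_location


if __name__ == "__main__":
    # Constructed Location header values as they might arrive from a backend.
    for location in ["https://app.example.test/dashboard",
                     "/dashboard",
                     "https://user@reports.example.test/reports/2024",
                     "https://other.example.org/"]:
        print(location, "->", select_forward_location(
            location, ALLOWED_FORWARD_LOCATION_PATTERNS, DEFAULT_FORWARD_LOCATION))
```

The second sample pattern deliberately starts with `https://.*` so that a URL such as `https://user@reports.example.test/reports/2024` would satisfy it; the explicit user-information check is what keeps that URL from being accepted, which is why it runs before the pattern loop.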
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.onbehalflogin.OnBehalfLoginIdentityPropagator
    id: OnBehalfLoginIdentityPropagator-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedForwardLocationPatterns:
      cookies:
      forwardUserToLastRedirectLocation: false
      httpClientConfig:
      onBehalfLoginSteps:
    

    One-Shot Authentication Settings

    Description

    Configures the end-point used to authenticate HTTP requests with the Airlock Gateway (WAF)'s one-shot flow. It can be used, for example, to authenticate stateless REST calls.

    The HTTP headers of non-authenticated requests are sent to this IAM end-point by the Airlock Gateway.
    Make sure to use ".../login-oneshot/" as the denied access URL on the corresponding gateway mappings.

    This end-point may roughly do the following with the requests:

    • Extract a credential from the HTTP header (e.g. a bearer token or a cookie).
    • Call an Authenticator plugin with the credential (e.g. verify the bearer token).
    • Authenticate the request on the Airlock Gateway and append ID propagation information for the target application/service.
    • Respond as expected by the HTTP client in all cases (e.g. use the expected HTTP response code).

    All settings are configured in the list of target applications/services (see properties).
    The target application/service is selected based on the original request sent by the HTTP client (provided to IAM in various environment cookies).
    In case no target application/service matches, the default target application/service is used.

    Class
    com.airlock.iam.login.app.misc.configuration.oneshot.OneShotAuthenticationConfig
    May be used by
    License-Tags
    OneShotAuthentication
    Properties
    Default Target Application/Service (defaultTargetApplication)
    Description
    The default target application/service to use in case no other target application/service matches. Note that the "URL Pattern" property is irrelevant for this target application/service.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    OneShotAuthentication
    Assignable plugins
    Target Application/Service (targetApplications)
    Description

    List of target applications/services:

    One of the target applications/services is selected by matching the "URL Pattern" against the URL of the original HTTP request sent by the client (provided to IAM by several environment cookies).

    They are matched in the order they are declared and the first matching one is used. If none matches, the default target application/service is used.

    Attributes
    Plugin-List
    Optional
    License-Tags
    OneShotAuthentication
    Assignable plugins
    User-specific Role-Timeouts (userSpecificRoleTimeouts)
    Description
    Configuration of user-specific idle-timeout and role life-time values per role.
    Attributes
    Plugin-List
    Optional
    License-Tags
    OneShotAuthentication
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oneshot.OneShotAuthenticationConfig
    id: OneShotAuthenticationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultTargetApplication:
      targetApplications:
      userSpecificRoleTimeouts:
    

    Opaque Access Token Format

    Description
    Generates OAuth 2.0 Access Tokens using random strings.
    Class
    com.airlock.iam.oauth2.application.configuration.token.OpaqueAccessTokenFormatConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.token.OpaqueAccessTokenFormatConfig
    id: OpaqueAccessTokenFormatConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Option UI Element

    Description
    An option for radio buttons or for drop-downs.
    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiOptionConfig
    May be used by
    Properties
    ID (id)
    Description
    The ID of the option.
    Attributes
    String
    Mandatory
    Validation RegEx: [a-zA-Z0-9_]+
    Label (label)
    Description
    Label for the option. The UI treats it as a key to translate. If there is no translation, the configured value is what is shown in the UI.
    Attributes
    String
    Mandatory
    Validation RegEx: [a-zA-Z0-9]+((\.|-)[a-zA-Z0-9]+)*
    Value (value)
    Description
    The value of the option. This value will be sent to the server.
    Attributes
    String
    Mandatory
    Disabled (disabled)
    Description
    Whether the option is disabled.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiOptionConfig
    id: ConfigurableUiOptionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      disabled: false
      id:
      label:
      value:
    

    Or Claim Condition Config

    Description
    This condition is fulfilled if at least one of its configured conditions is fulfilled.
    Class
    com.airlock.iam.oauth2.application.configuration.claims.conditions.OrClaimConditionConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Conditions (conditions)
    Description
    This condition is fulfilled if at least one of these conditions is fulfilled.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.claims.conditions.OrClaimConditionConfig
    id: OrClaimConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      conditions:
    

    Order Airlock 2FA Device Activation Letters

    Description
    Generates an order for an Airlock 2FA activation letter.

    An order indicates the intention to later create an activation letter for the given user to allow for example the registration of the first Airlock 2FA device.

    Compared to "Create Airlock 2FA Device Activation Letters", this plugin does not generate any activation letter. All orders can be batch processed by configuring an "Airlock 2FA Activation Letter Order Task" in the service container which will create the necessary activation letters.

    Class
    com.airlock.iam.admin.application.configuration.airlock2fa.Airlock2FAOrderActivationLettersConfig
    May be used by
    License-Tags
    Airlock2FA
    Properties
    Auto Order (autoOrder)
    Description
    Automatically creates an order for an Airlock 2FA activation letter upon adding this authentication method to the user.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.airlock2fa.Airlock2FAOrderActivationLettersConfig
    id: Airlock2FAOrderActivationLettersConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      autoOrder: false
    

    OTP Check Access Challenge Rule

    Description
    Maps the reply message from a RADIUS access challenge response to an OTP authentication result type.
    Class
    com.airlock.iam.authentication.application.configuration.radiusotp.OtpCheckAccessChallengeRule
    May be used by
    Properties
    Pattern (pattern)
    Description
    The regular expression matched against the reply message of the RADIUS access challenge response.
    Attributes
    RegEx
    Mandatory
    Authentication Result (authenticationResult)
    Description
    Defines the authentication result when the reply message matches the configured pattern.
    Attributes
    String
    Mandatory
    Allowed values
    Token required, Token wrong, try again, Next token required, Credential not assigned
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.radiusotp.OtpCheckAccessChallengeRule
    id: OtpCheckAccessChallengeRule-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationResult:
      pattern:
    

    OTP Check Access Reject Rule

    Description
    Maps the reply message from a RADIUS access reject response to an OTP authentication result type.
    Class
    com.airlock.iam.authentication.application.configuration.radiusotp.OtpCheckAccessRejectRule
    May be used by
    Properties
    Pattern (pattern)
    Description
    The regular expression matched against the reply message of the RADIUS access reject response.
    Attributes
    RegEx
    Mandatory
    Authentication Result (authenticationResult)
    Description
    Defines the authentication result type to be used if the reply message matches the configured pattern.
    Attributes
    String
    Mandatory
    Allowed values
    Unspecified, Token wrong, Credential inactive
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.radiusotp.OtpCheckAccessRejectRule
    id: OtpCheckAccessRejectRule-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationResult:
      pattern:
    

    OTP Check via RADIUS Step

    Description

    Flow step to check an OTP by calling a RADIUS server (e.g. SecurID).

    Note that the first request sent to the RADIUS server already contains the token code. It is therefore limited to RADIUS servers accepting the OTP with the first request. OTP authentication schemes that first send the OTP to the user (SMS, Email) are not supported.

    The plugin usually works with the default configuration for basic use-cases. To interpret vendor-specific features like "new PIN required", corresponding rules have to be configured.

    Class
    com.airlock.iam.authentication.application.configuration.radiusotp.RadiusOtpAuthStepConfig
    May be used by
    License-Tags
    RadiusClient
    Properties
    Radius Servers (radiusServers)
    Description
    The RADIUS server(s) to connect to. If more than one is provided, the list is used for failover.
    Attributes
    Plugin-List
    Mandatory
    License-Tags
    RadiusClient
    Assignable plugins
    Log Radius Attributes (logRadiusAttributes)
    Description
    If enabled, the RADIUS attributes sent to the server and received from the server are logged at info level.
    This is useful during integration and for debugging but it is generally not suitable for productive systems.
    Attributes
    Boolean
    Optional
    License-Tags
    RadiusClient
    Default value
    false
    Access Reject Rules (accessRejectRules)
    Description

    Defines a list of rules (processed in order of definition) that define how to map RADIUS access reject response's reply messages to authentication results.

    If no rules are defined or no rule matches, an unspecified authentication failure is used for access reject responses.
    Attributes
    Plugin-List
    Optional
    License-Tags
    RadiusClient
    Assignable plugins
    Access Challenge Rules (accessChallengeRules)
    Description

    Defines a list of rules (processed in order of definition) that define how to map RADIUS access challenge response's reply messages to authentication results.

    If no rules are defined or no rule matches, an unspecified authentication failure is used for access challenge responses.
    Attributes
    Plugin-List
    Optional
    License-Tags
    RadiusClient
    Assignable plugins
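The two rule lists above, together with the OTP Check Access Reject Rule and OTP Check Access Challenge Rule plugins, describe an ordered first-match mapping from the Reply-Message of a RADIUS response to one of the listed authentication result types, falling back to an unspecified failure when no rule is configured or none matches. The Python model below is an added illustration, not Airlock IAM code: it validates that each rule names a result type allowed for its response kind, evaluates the rules in configuration order, and classifies constructed sample responses. The rule patterns and reply messages are constructed; substring matching with re.search is an assumption, since the reference does not state whether a pattern must cover the whole message.

```python
import re
from dataclasses import dataclass

# Result types listed in the reference for the two rule plugins.
CHALLENGE_RESULTS = {"Token required", "Token wrong, try again",
                     "Next token required", "Credential not assigned"}
REJECT_RESULTS = {"Unspecified", "Token wrong", "Credential inactive"}
# Used for both response kinds when no rule is configured or none matches.
UNSPECIFIED_FAILURE = "Unspecified"


@dataclass(frozen=True)
class ReplyMessageRule:
    pattern: str                 # regular expression applied to Reply-Message
    authentication_result: str   # one of the allowed result types


def validate_rules(rules, allowed_results):
    """Reject rules that name a result type not allowed for this response kind,
    or whose pattern does not compile, before any message is evaluated."""
    for rule in rules:
        if rule.authentication_result not in allowed_results:
            raise ValueError(f"result {rule.authentication_result!r} not allowed "
                             f"for pattern {rule.pattern!r}")
        re.compile(rule.pattern)


def map_reply_message(reply_message, rules, allowed_results):
    """First matching rule wins (configuration order); otherwise unspecified.
    Assumption: the pattern may match a substring of the message."""
    validate_rules(rules, allowed_results)
    for rule in rules:
        if re.search(rule.pattern, reply_message or ""):
            return rule.authentication_result
    return UNSPECIFIED_FAILURE


def classify_radius_response(code, reply_message, challenge_rules, reject_rules):
    """Map a RADIUS response (code plus optional Reply-Message) to the step's
    authentication result."""
    if code == "Access-Accept":
        return "Success"
    if code == "Access-Challenge":
        return map_reply_message(reply_message, challenge_rules, CHALLENGE_RESULTS)
    if code == "Access-Reject":
        return map_reply_message(reply_message, reject_rules, REJECT_RESULTS)
    raise ValueError(f"unexpected RADIUS response code {code!r}")


# Constructed sample rules (not vendor-specific, not from the reference).
CHALLENGE_RULES = [
    ReplyMessageRule(r"(?i)next tokencode", "Next token required"),
    ReplyMessageRule(r"(?i)wait for the token to change", "Token wrong, try again"),
    ReplyMessageRule(r"(?i)no token assigned", "Credential not assigned"),
    ReplyMessageRule(r"(?i)enter passcode", "Token required"),
]
REJECT_RULES = [
    ReplyMessageRule(r"(?i)token (is )?disabled", "Credential inactive"),
    ReplyMessageRule(r"(?i)(invalid|wrong) passcode", "Token wrong"),
]

if __name__ == "__main__":
    # Constructed sample responses as a RADIUS server might send them.
    samples = [("Access-Accept", None),
               ("Access-Challenge", "Please enter the next tokencode"),
               ("Access-Reject", "Authentication failed: invalid passcode"),
               ("Access-Reject", "Token is disabled; invalid passcode"),
               ("Access-Reject", "Unknown error")]
    for code, message in samples:
        print(code, repr(message), "->",
              classify_radius_response(code, message, CHALLENGE_RULES, REJECT_RULES))
```

Because rules are processed in definition order, a message that satisfies several patterns (the fourth sample above) is mapped by the first one; more specific rules therefore belong before general ones in the configured list.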
    Reported Auth Method (reportedAuthMethod)
    Description
    Defines how the RADIUS authentication process is reported in the log (used for auditing, information and statistics): It can be desirable to report the actual authentication process type used on the RADIUS server side.
    Attributes
    String
    Optional
    Length <= 23
    License-Tags
    RadiusClient
    Default value
    RADIUS
    Allowed values
    RADIUS, SECURID, HW_OTP, SW_OTP
    NAS Identifier (nasIdentifier)
    Description

    The Network access server identifier (NAS Identifier) to set in all requests.

    The NAS Identifier is used to notify the RADIUS server of the source of an access request, enabling the RADIUS server to choose a policy for that request. If set, the RADIUS server does not have to rely on a set of potentially changing IP addresses (for example when deploying multiple Airlock IAM servers). Also, different flows may require different policies.

    Attributes
    String
    Optional
    Length >= 3
    License-Tags
    RadiusClient
    Username Transformation (usernameTransformers)
    Description

    Transforms the user ID to the username that is sent to the RADIUS server.

    Note that not all Username Transformer plugins are useful for this purpose since here they are not used to find the user ID, but rather a user alias.

    Attributes
    Plugin-List
    Optional
    License-Tags
    RadiusClient
    Assignable plugins
    Encoding (encoding)
    Description
    The encoding for the RADIUS attributes in an authentication request. The encoding should be the same as used on the RADIUS server.
    Attributes
    String
    Optional
    License-Tags
    RadiusClient
    Default value
    UTF-8
    Suggested values
    UTF-8, ISO-8859-1, ISO-8859-15
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    License-Tags
    RadiusClient
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    License-Tags
    RadiusClient
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    License-Tags
    RadiusClient
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    RadiusClient
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    License-Tags
    RadiusClient
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    License-Tags
    RadiusClient
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    RadiusClient
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    License-Tags
    RadiusClient
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    License-Tags
    RadiusClient
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.radiusotp.RadiusOtpAuthStepConfig
    id: RadiusOtpAuthStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accessChallengeRules:
      accessRejectRules:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      encoding: UTF-8
      interactiveGotoTargets:
      logRadiusAttributes: false
      nasIdentifier:
      onFailureGotos:
      preCondition:
      radiusServers:
      reportedAuthMethod: RADIUS
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      usernameTransformers:
    

    Parameter-based Target URI

    Description
    Defines a URI to be redirected to after completing a flow. Note that this plugin only works when used as a logout target of an authentication UI.
    Class
    com.airlock.iam.login.rest.application.configuration.ParameterBasedTargetUriConfig
    May be used by
    Properties
    Default Target URI (defaultTargetUri)
    Description
    The URI to be redirected to (after applying the URI Transformers). Must result in a valid URI that is absolute or relative to the host.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Query Parameter URI Extractor (queryParameterUriExtractor)
    Description
    Uses the value of a query parameter retrieved by the Loginapp UI upon invocation of /<loginapp-uri>/ui/app/auth/logout to determine the target URI. Falls back to the Default Target URI if no valid target URI can be inferred.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    URI Transformers (uriTransformers)
    Description
    The chain of URI transformers to transform the chosen target URI. The transformers are applied in the configured order. If any transformer produces a 'veto', the untransformed target URI is used.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.rest.application.configuration.ParameterBasedTargetUriConfig
    id: ParameterBasedTargetUriConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultTargetUri:
      queryParameterUriExtractor:
      uriTransformers:
    

    Password Authenticator

    Description
    Checks user passwords based on a password settings plugin.
    Class
    com.airlock.iam.core.misc.impl.authen.PasswordServicePasswordAuthenticator
    May be used by
    Properties
    Password Settings (passwordSettings)
    Description
    The password settings.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    User Persister (userPersister)
    Description
    Used to load the user to check the user's state (locked, valid).
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.PasswordServicePasswordAuthenticator
    id: PasswordServicePasswordAuthenticator-xxxxxx
    displayName: 
    comment: 
    properties:
      passwordSettings:
      userPersister:
    

    Password Batch Task

    Description
    Server task that checks all users for a flag indicating that a new password should be generated.

    Generated passwords are rendered (e.g. turned into a PDF file or printed) using a PasswordRenderer plugin.

    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.PasswordBatchTask
    May be used by
    Properties
    User Persister (userPersister)
    Description
    The user persister plugin used to read and store user data structures.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    User Iterator (userIterator)
    Description
    The user iterator plugin used to iterate over all users. Usually this is the same as the user persister.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Delivery Security Gap Days (deliverySecurityGapDays)
    Description
    In order to avoid sending more than one credential to a user at the same time, this task inspects the delivery times of other credentials of the same user. The value of this property indicates the minimum number of days between the latest delivery of another token and the generation of a secret.

    Setting this property to zero (0) disables this feature.

    Attributes
    Long
    Optional
    Default value
    0
    Aggregate Report (aggregateReport)
    Description
    Optional property to describe an aggregate report over all generated reports in a batch. If none is configured, no aggregate report will be generated.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Credential Secret Generator (credentialSecretGenerator)
    Description
    Allows the configuration of settings for the generation of the credential secret reports.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token Cleanup Configs (tokenCleanupConfigs)
    Description
    Allows the configuration of settings to remove tokens during the batch task.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.PasswordBatchTask
    id: PasswordBatchTask-xxxxxx
    displayName: 
    comment: 
    properties:
      aggregateReport:
      credentialSecretGenerator:
      deliverySecurityGapDays: 0
      tokenCleanupConfigs:
      userIterator:
      userPersister:
    

    Password Change Self-Service Step

    Description
    A flow step to voluntarily change the password within a protected self-service flow.
    Class
    com.airlock.iam.selfservice.application.configuration.step.PasswordChangeSelfServiceStepConfig
    May be used by
    Properties
    Password Policy (passwordPolicy)
    Description
    The password policy that the new password is checked against.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Old Password Attempts (oldPasswordAttempts)
    Description
    If this property is defined, the flow is aborted when the number of failed attempts on the old password reaches this limit. Failed attempts on the old password always count as failed logins, even if not limited here.
    Attributes
    Integer
    Optional
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    PASSWORD
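The counter-reset weakness described for this property follows from the failed-attempt counter being keyed by the authentication method ID rather than by the step. The Python model below is an added illustration, not Airlock IAM code; it models per-user, per-method-ID counters with a lock threshold and reports how many failed attempts remain recorded for flow B's credential after a successful check on flow A. With one shared ID the count is cleared; with distinct IDs (PASSWORD1 and PASSWORD2, as the reference recommends) it is not, and flow B locks on its own. The user name, the stored secrets and the threshold are constructed sample values.

```python
from collections import defaultdict


class FailedAttemptCounters:
    """Simplified model of failed-attempt counters keyed by (user, method ID).

    A failed check increments the counter, a successful check resets it, and
    reaching max_attempts locks that credential. This is a constructed model
    for illustration, not the Airlock IAM implementation.
    """

    def __init__(self, max_attempts):
        self.max_attempts = max_attempts
        self._failed = defaultdict(int)

    def failed_attempts(self, user, method_id):
        return self._failed[(user, method_id)]

    def is_locked(self, user, method_id):
        return self._failed[(user, method_id)] >= self.max_attempts

    def record_failure(self, user, method_id):
        self._failed[(user, method_id)] += 1
        return self.is_locked(user, method_id)

    def record_success(self, user, method_id):
        self._failed[(user, method_id)] = 0


def check_step(counters, user, method_id, supplied, stored):
    """One password-step check: enforce the lock first, then count the attempt."""
    if counters.is_locked(user, method_id):
        return "LOCKED"
    if supplied == stored:
        counters.record_success(user, method_id)
        return "OK"
    counters.record_failure(user, method_id)
    return "FAILED"


def remaining_failures_on_b(method_id_flow_a, method_id_flow_b, max_attempts=3):
    """Failed attempts still recorded for flow B's credential after
    max_attempts - 1 wrong attempts on flow B and one correct check on flow A.

    Shared ID: the flow-A success resets the counter the flow-B failures
    built up, so the lock for credential 2 is never reached.
    Distinct IDs: the flow-B count is untouched and locks independently.
    """
    counters = FailedAttemptCounters(max_attempts)
    user = "alice"  # constructed sample user
    for _ in range(max_attempts - 1):
        check_step(counters, user, method_id_flow_b, "wrong-guess", "secret-2")
    check_step(counters, user, method_id_flow_a, "secret-1", "secret-1")
    return counters.failed_attempts(user, method_id_flow_b)


if __name__ == "__main__":
    print("shared ID  :", remaining_failures_on_b("PASSWORD", "PASSWORD"))
    print("distinct IDs:", remaining_failures_on_b("PASSWORD1", "PASSWORD2"))
```

The same reasoning applies to any two steps of the same type that check different credentials: the lock is only meaningful when every credential has its own counter, which in this plugin means its own Authentication Method ID.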
    Password Attribute Key (passwordAttributeKey)
    Description

    The optional key under which the new password is made available in the identity propagation.

    The password can be retrieved from the session using the "User Passwords Map" value map provider.

    If no key is configured, the new password will not be made available in the flow attributes, and cannot be used by identity propagators.

    Note: This feature will not work together with end-to-end encryption.

    Attributes
    String
    Optional
    Suggested values
    PASSWORD
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.PasswordChangeSelfServiceStepConfig
    id: PasswordChangeSelfServiceStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: PASSWORD
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      oldPasswordAttempts:
      onFailureGotos:
      passwordAttributeKey:
      passwordPolicy:
      passwordRepository:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Password Changed

    Description

    Event that is triggered by a password change.

    Note: This event is not triggered by a password reset or when an administrator sets the password.

    Class
    com.airlock.iam.login.application.configuration.event.PasswordChangedSubscribedEventConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.event.PasswordChangedSubscribedEventConfig
    id: PasswordChangedSubscribedEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Password Generator Config

    Description

    Configures the password generator facility on the user detail page.

    The password generator configuration defines the length and alphabet of generated passwords.
    If a password renderer is configured, the new password is printed on a "password letter". If not, it is displayed on the user detail page.

    Class
    com.airlock.iam.admin.application.configuration.password.PasswordGeneratorConfig
    May be used by
    Properties
    Generator (generator)
    Description
    Defines the generator plugin that produces random passwords.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Renderer (renderer)
    Description

    If a renderer plugin is defined, the generated password is rendered using this plugin, i.e. usually printed on a letter.

    If no renderer is configured, the generated password is displayed in a pop-up dialog in the Adminapp.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Delete Old Password Letters (deleteOldPasswordLetters)
    Description

    Deletes old password letters of a user from the file system when a new one is rendered. Enabling this property results in at most one rendered password letter per user.

    If this property is enabled, the application must have permission to delete files from the directory.

    Attributes
    Boolean
    Optional
    Default value
    true
    Working Directory (workingDirectory)
    Description
    A writable directory used to store partially generated password letters.
    If this property is defined, the password letters are not directly generated into the output directory (see other property) but they are generated into this working directory and are moved to the output directory once they are done.
    This helps to solve problems with processes automatically reading the rendered password letters and reading password letters during the generation process. Make sure that the working directory and the output directory reside in the same file system (if not, the moving of the generated file will not be atomic).
The directory is either absolute or relative to the JVM's current directory.
    Attributes
    File/Path
    Optional
    Output Directory (outputDirectory)
    Description
Directory in the file system to put the rendered password letters in. The directory is either absolute or relative to the JVM's current directory.

    This property is not required if the renderer plugin (see separate property) does not write on the output stream (e.g. sends it somewhere else). It is required otherwise.

    Note: If this property is not defined and the used renderer plugin writes on the output stream, then the result (e.g. a PDF file) is lost.

    Attributes
    File/Path
    Optional
    File Name Prefix (fileNamePrefix)
    Description
    Filename prefix for rendered password letter files. It is important to set this to a unique value for the kind of reports generated by this task. When this task deletes old reports, it looks at this prefix (and the user id) in order to find out what files to delete. Thus, if this prefix is the same as for other reports located in the same directory, other reports may be deleted.
    Attributes
    String
    Optional
    Default value
    pwd
    Suggested values
    pwd, password
    File Name Suffix (fileNameSuffix)
    Description
    Filename suffix for rendered password letters.
    Attributes
    String
    Optional
    Suggested values
    .pdf, .txt
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.password.PasswordGeneratorConfig
    id: PasswordGeneratorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      deleteOldPasswordLetters: true
      fileNamePrefix: pwd
      fileNameSuffix:
      generator:
      outputDirectory:
      renderer:
      workingDirectory:
    

    Password Hash Configuration

    Description
    Configures a Raw Password Hash together with an encoder.
    Class
    com.airlock.iam.core.misc.util.password.hash.PasswordHashConfiguration
    May be used by
    Properties
    Password Hash (passwordHash)
    Description
    The password hash function.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Encoder (encoder)
    Description
    The encoder to encode the resulting hash value. Leave empty to use unencoded hash value.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.hash.PasswordHashConfiguration
    id: PasswordHashConfiguration-xxxxxx
    displayName: 
    comment: 
    properties:
      encoder:
      passwordHash:
    

    Password Length Policy

    Description
    A password policy check that tests a new password against a configured minimum required and maximum allowed length.
    Class
    com.airlock.iam.core.misc.impl.authen.PwdPolicyLengthCheck
    May be used by
    Properties
    Min Required Length (minRequiredLength)
    Description
    The minimum required length (in number of characters) of a password. Shorter passwords are rejected.
    Attributes
    Integer
    Mandatory
    Max Allowed Length (maxAllowedLength)
    Description
    The maximum allowed length (in number of characters) of a password. Longer passwords are rejected.
    Attributes
    Integer
    Optional
    Default value
    2147483647
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.PwdPolicyLengthCheck
    id: PwdPolicyLengthCheck-xxxxxx
    displayName: 
    comment: 
    properties:
      maxAllowedLength: 2147483647
      minRequiredLength:
    

    Password Letter Order Step (Public Self-Service)

    Description
    This non-interactive flow step orders a new password letter for the user. To restrict the user from ordering multiple letters within small timeframes, the condition 'Letter Order Interval Condition (Public Self-Service)' can be used.

    Class
    com.airlock.iam.publicselfservice.application.configuration.steps.PasswordLetterOrderStepConfig
    May be used by
    Properties
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.steps.PasswordLetterOrderStepConfig
    id: PasswordLetterOrderStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Password Repository Mapping

    Description
    Maps a user data based condition to a password repository plugin.
    Class
    com.airlock.iam.authentication.application.configuration.password.repository.PasswordRepositoryMappingConfig
    May be used by
    Properties
    Condition (condition)
    Description
    Condition that has to be fulfilled for this repository to be selected.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Password Repository (passwordRepository)
    Description
    Defines the password repository plugin used when the condition is fulfilled.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.password.repository.PasswordRepositoryMappingConfig
    id: PasswordRepositoryMappingConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      passwordRepository:
    

Password Repository Mapping (Request Authentication)

    Description
    Maps a user ID pattern to a password repository.
    Class
    com.airlock.iam.common.application.configuration.credential.RequestAuthenticationPasswordRepositoryMappingConfig
    May be used by
    Properties
    Pattern (pattern)
    Description
    The regular expression pattern to be matched against the user ID (after transformation) of the authenticating user. If the user ID matches this pattern, the configured Password Repository is used.
    Attributes
    RegEx
    Mandatory
    Case Sensitive (caseSensitive)
    Description
    If disabled, the case of characters is ignored when matching the pattern against the user ID.
    Attributes
    Boolean
    Optional
    Default value
    true
    Password Repository (passwordRepository)
    Description
    Defines the password repository to be used if the pattern matches the user ID.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.credential.RequestAuthenticationPasswordRepositoryMappingConfig
    id: RequestAuthenticationPasswordRepositoryMappingConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      caseSensitive: true
      passwordRepository:
      pattern:
    

    Password Reset Step

    Description

    This step allows the user to set a new password.

    Security note: It is important that this step is only configured after a credential check step (e.g. email OTP).

    Class
    com.airlock.iam.publicselfservice.application.configuration.steps.PasswordResetStepConfig
    May be used by
    Properties
    Password Policy (passwordPolicy)
    Description

    The password policy that the new password has to fulfill.

    If a UI is configured, the text resource with key 'password-reset.password.requirements' must describe the password policy requirements for the configured policy.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.steps.PasswordResetStepConfig
    id: PasswordResetStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      passwordPolicy:
      passwordRepository:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Password Service HTTP Parameter

    Description
An HTTP parameter consisting of a name and a value.
    Class
    com.airlock.iam.core.misc.impl.authen.HttpParameter
    May be used by
    Properties
    Name (name)
    Description
    The name of the HTTP parameter.
    Attributes
    String
    Mandatory
    Example
    uid
    Example
    userId
    Example
    username
    Example
    contractNo
    Value (value)
    Description
    The value of the HTTP parameter.
    Attributes
    String
    Mandatory
    Example
    submit
    Example
    LOGIN
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.HttpParameter
    id: HttpParameter-xxxxxx
    displayName: 
    comment: 
    properties:
      name:
      value:
    

    Password Settings

    Description
    Settings related to handling passwords. Used by various components in Airlock IAM (Adminapp, RADIUS server etc.), but currently not in any Loginapp flows.
    Class
    com.airlock.iam.core.misc.authen.PasswordSettings
    May be used by
    Properties
    Password Service (passwordService)
    Description

    Defines the password service plugin to be used for changing, resetting and checking user passwords.

    This password service is used for the following:

    • in the Adminapp for managing the user passwords
    • in the "Password Authenticator" (typically in the RADIUS server)
    • in the /<loginapp-uri>/rest/protected/my/password/change protected Loginapp REST endpoint

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Password Policy (passwordPolicy)
    Description

    Defines a password policy that must be passed when a new password is chosen (by the user or the administrator).

    This password policy is used for the following:

    • in the Adminapp for managing the user passwords
    • in the /<loginapp-uri>/rest/public/password/policy/check public Loginapp REST endpoint
    • in the RADIUS server

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Password Generator (passwordGenerator)
    Description
    Defines the generator plugin that produces random passwords. It is used for example to generate new passwords printed on letters or displayed in the Adminapp.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    May Be Selected As Auth Method (mayBeSelectedAsAuthMethod)
    Description
    Set this flag to true to allow password-authentication (i.e. only username and password, no additional credential) as active authentication method.
    Attributes
    Boolean
    Optional
    Default value
    false
    Admin May Generate Password (adminMayGeneratePassword)
    Description

    If enabled, the administrator may generate (and therefore see) new random passwords for the users.

Note that this setting can be overruled in the Password Credential Controller's settings (for backwards compatibility reasons).

    Attributes
    Boolean
    Optional
    Default value
    false
    Admin May Set Password (adminMaySetPassword)
    Description
    If enabled, the administrator may set (i.e. choose) new passwords for the users. The configured policy is applied.
    Attributes
    Boolean
    Optional
    Default value
    false
    New Passwords Must Be Changed (newPasswordsMustBeChanged)
    Description
    Normally, new passwords - set by the administrator or generated by the Adminapp - must be changed during the first login process. Disable this property in order to avoid the forced password change.
    Attributes
    Boolean
    Optional
    Default value
    true
    New Password Unlocks User (newPasswordUnlocksUser)
    Description
    If this flag is enabled, the (potentially locked) user is unlocked if a password is generated, set, or ordered.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.authen.PasswordSettings
    id: PasswordSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      adminMayGeneratePassword: false
      adminMaySetPassword: false
      mayBeSelectedAsAuthMethod: false
      newPasswordUnlocksUser: false
      newPasswordsMustBeChanged: true
      passwordGenerator:
      passwordPolicy:
      passwordService:
    

    Password Token Controller

    Description
    Token controller used to display password information, generate and set the password of a user.
    Class
    com.airlock.iam.admin.application.configuration.password.PasswordTokenController
    May be used by
    Properties
    Password Settings (passwordSettings)
    Description
    Defines the most commonly used password settings.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Auto Order Password (autoOrderPassword)
    Description
    Set this flag to true to automatically order a password when a new user is created.
    Attributes
    Boolean
    Optional
    Default value
    false
    Password Reset Self Service (passwordResetSelfService)
    Description
    Configures a plugin that allows an admin to trigger a password reset service for a user: an email will be sent to the user, containing a link to change the password. Depending on the configured plugin, the corresponding password reset self-service must be configured in the Loginapp, where the process can be completed by the user.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    PasswordSelfService
    Assignable plugins
    Password Generator (passwordGenerator)
    Description
    If defined, the administrator may generate a new password for the user. Depending on the configuration of the generator, the generated password is displayed or a password renderer plugin is called in order to generate (and e.g. print) a password letter.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Identifier (identifier)
    Description

    Identifier for the password credential. This is used as value in the authentication method field in the persistence layer. Make sure this value is the same (for password credentials) in all Airlock IAM components.

    Make sure the identifier is unique among all configured token controllers.

    The identifier is also used as key to translate the display name of this token controller. The key is assembled as follows: edituserpage.cred.XYZ.title (where XYZ is the identifier).

    Attributes
    String
    Optional
    Default value
    PASSWORD
    Suggested values
    PASSWORD, PWD
    User Store (userStore)
    Description

    The user store is used to read and write password information for each user (order flag, latest password change, information used for policy enforcement, etc.). This is usually the same user store that is used to load and write user detail information.

    There are two ways to "store" new passwords:

    • Using a password service. This method is chosen if a password service is defined (in the Password Settings).
    • Using this user store: This method is chosen if no password service is defined.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Show Letter Attributes (showLetterAttributes)
    Description
    Enable this property to display the order flag and the password letter generation date.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.password.PasswordTokenController
    id: PasswordTokenController-xxxxxx
    displayName: 
    comment: 
    properties:
      autoOrderPassword: false
      identifier: PASSWORD
      passwordGenerator:
      passwordResetSelfService:
      passwordSettings:
      showLetterAttributes: true
      userStore:
    

    Password User Item

    Description
    Definition of a password user item.
    Class
    com.airlock.iam.userselfreg.application.configuration.definition.PasswordDefinitionConfig
    May be used by
    Properties
    Password Policy (passwordPolicy)
    Description

    The password policy that the password has to fulfill.

    If a UI is configured, the text resource with key registration.data.page.password.requirements must describe the password policy requirements for the configured policy.

    If end-to-end encryption is enabled, no policy checks are possible (i.e. the "Null Password Policy" must be used).

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Required (required)
    Description
    Specifies whether a password must be provided for the step to validate successfully.
    Attributes
    Boolean
    Optional
    Default value
    true
    Password Attribute Key (passwordAttributeKey)
    Description

    The optional key under which this password will be available in the flow session, e.g. for identity propagation.

    The value can be retrieved from the session using the "User Passwords Map" value map provider.

    If no key is configured, the password will not be made available in the flow attributes, and cannot be used by identity propagators.

Important: Multiple password user items with the same value for this property might override each other's passwords.

    If end-to-end encryption is enabled, the plain password is not available and thus cannot be stored in the flow session.

    Attributes
    String
    Optional
    Suggested values
    PASSWORD
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.definition.PasswordDefinitionConfig
    id: PasswordDefinitionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      passwordAttributeKey:
      passwordPolicy:
      required: true
    

    Password-based Encryption

    Description
    AES Encryption using a key that is derived from a passphrase.
    Class
    com.airlock.iam.core.misc.util.crypto.PasswordBasedEncryption
    May be used by
    Properties
    Encryption Passphrase (encryptionPassphrase)
    Description
    Passphrase that is used to generate a key for encryption and decryption.

CAUTION: Once this is set and the cipher has been used to encrypt data with this passphrase, the passphrase should not be changed. Otherwise the stored data would no longer be recoverable.

    Attributes
    String
    Mandatory
    Sensitive
    Length >= 8
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.crypto.PasswordBasedEncryption
    id: PasswordBasedEncryption-xxxxxx
    displayName: 
    comment: 
    properties:
      encryptionPassphrase:
    

    Password-only Authentication Step

    Description
    Configuration for a password authentication flow step where the user has been identified in a previous step.
    Class
    com.airlock.iam.authentication.application.configuration.password.PasswordAuthenticationStepConfig
    May be used by
    Properties
    Password Repository (passwordRepository)
    Description
    User password repository to check identified user passwords against.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Policy To Check On Login (policyToCheckOnLogin)
    Description
    The password policy that is checked when authenticating. If the policy is violated, a mandatory password change is required.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Password Change Red Flag (passwordChangeRedFlag)
    Description
    Raises this red flag if a mandatory password change is required. This flag must then be handled by a later step.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    PASSWORD
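The counter-reset problem described above, shown as an added example (not Airlock IAM code): a small model of per-method failed-attempt counters. The user record, the lock threshold of 5 and the "known password 1 / unknown password 2" scenario are constructed; the only point is that a shared `PASSWORD` method ID lets a successful login on flow A clear the counter that flow B relies on, while distinct IDs lock the account after the threshold is reached.

```python
# Added example, not Airlock IAM code: models failed-login counters keyed by
# authentication method ID. All names and the lock threshold are constructed.
from dataclasses import dataclass, field
from typing import Dict, Tuple

LOCK_THRESHOLD = 5  # constructed: lock the user after 5 failed attempts on one method


@dataclass
class UserRecord:
    passwords: Dict[str, str]                       # constructed: credential name -> value
    failed: Dict[str, int] = field(default_factory=dict)  # method id -> failed attempts
    locked: bool = False


def password_step(user: UserRecord, method_id: str, credential: str, candidate: str) -> bool:
    """One password step: check `candidate` against user.passwords[credential] and
    book the outcome on the counter named by `method_id` (the Authentication Method ID)."""
    if user.locked:
        return False
    if candidate == user.passwords[credential]:
        user.failed[method_id] = 0          # a success resets this method's counter
        return True
    user.failed[method_id] = user.failed.get(method_id, 0) + 1
    if user.failed[method_id] >= LOCK_THRESHOLD:
        user.locked = True
    return False


def simulate(shared_ids: bool, rounds: int = 20) -> Tuple[bool, int]:
    """Flow A checks password 1 (known to the caller), flow B checks password 2 (unknown).
    Each round: LOCK_THRESHOLD-1 wrong guesses on flow B, then one correct login on flow A.
    Returns (user locked?, number of wrong guesses flow B accepted before locking)."""
    user = UserRecord(passwords={"pw1": "known-secret", "pw2": "unknown-secret"})
    method_a = "PASSWORD" if shared_ids else "PASSWORD1"
    method_b = "PASSWORD" if shared_ids else "PASSWORD2"
    wrong_guesses_on_b = 0
    for _ in range(rounds):
        for n in range(LOCK_THRESHOLD - 1):
            if user.locked:
                break
            password_step(user, method_b, "pw2", f"guess-{n}")
            wrong_guesses_on_b += 1
        if user.locked:
            break
        password_step(user, method_a, "pw1", "known-secret")  # resets method_a's counter only
    return user.locked, wrong_guesses_on_b


if __name__ == "__main__":
    print("shared id  :", simulate(shared_ids=True))   # never locks
    print("distinct id:", simulate(shared_ids=False))  # locks after LOCK_THRESHOLD guesses
```

With a shared ID the simulation never locks the user however many rounds run; with `PASSWORD1`/`PASSWORD2` the lock triggers as soon as the second counter reaches the threshold.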
    Password Attribute Key (passwordAttributeKey)
    Description

    The optional key under which this password will be available in the identity propagation.

    The value can also be retrieved from the session using the "User Passwords Map" value map provider.

    If no key is configured, the password cannot be used by identity propagators.

    Important: Multiple Password Authentication steps or Mandatory Password Change steps which have the same value for this property might override each other's passwords.

    If you have configured a Mandatory Password Change step, you might consider using the same key.

    Note: This feature will not work together with end-to-end encryption.

    Attributes
    String
    Optional
    Suggested values
    PASSWORD
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.password.PasswordAuthenticationStepConfig
    id: PasswordAuthenticationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: PASSWORD
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      passwordAttributeKey:
      passwordChangeRedFlag:
      passwordRepository:
      policyToCheckOnLogin:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Pattern Matching

    Description
    Validates that a field value matches the regular expression.
    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.validation.RegexValidationConfig
    May be used by
    Properties
    Translation Key (translationKey)
    Description
    The translation key to use for the error message in case the validation fails. A default translation is used when no translation key is configured.
    Attributes
    String
    Optional
    Validation Pattern (validationPattern)
    Description
    Validates the input against the defined pattern.
    Attributes
    RegEx
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.validation.RegexValidationConfig
    id: RegexValidationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      translationKey:
      validationPattern:
    

    Pattern-based Random String Generator

    Description
    This random string generator plugin can be used to generate passwords or one-time passwords.
    • The pattern may consist of multiple parts, where a part is either a fixed string or a random part.
    • Random parts are defined by an alphabet and the number of characters.
    • Characters are chosen from the alphabet with uniform distribution using a secure PRNG (random generator).
    Class
    com.airlock.iam.core.misc.impl.authen.ExtendedStringGenerator
    May be used by
    Properties
    Pattern (pattern)
    Description

    Pattern defining how the string is generated.

    Syntax:
    pattern = fix_part | random_part [fix_part | random_part]*
    random_part = {alphabet_name:number_of_characters}
    fix_part = any_string_without_'{'

    Custom alphabets can be configured below; built-in alphabets are:

    • "digits" all decimal digits (i.e. the characters 0123456789)
    • "lower26" standard alphabet with 26 lower chars (i.e. the characters abcdefghijklmnopqrstuvwxyz)
    • "upper26" standard alphabet with 26 upper chars (i.e. the characters ABCDEFGHIJKLMNOPQRSTUVWXYZ)
    • "alpha52" standard alphabet with 26 upper and 26 lower chars (i.e. the characters ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz)
    • "distinct" distinct standard signs: digits, upper and lower case letters without the hard to distinguish '0,O,1,l,I' (i.e. the characters 23456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ)
    • "DISTINCT" distinct standard uppercase signs: digits and upper case letters without the hard to distinguish '0,O,1,I' (i.e. the characters 23456789ABCDEFGHJKLMNPQRSTUVWXYZ)
    • "extended" contains most of the signs visible on a computer keyboard without the hard to distinguish '0,O,1,l,I' (i.e. the characters +-.,:;$<>()[]{}%&!?/*@#=_23456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ)
      NOTE: Characters in this alphabet do not pass the input filter for tokens (OTP, SMS and the like). Choose a different pattern for tokens or relax the corresponding filter pattern (in the Loginapp's security settings). Characters may also be blocked by a WAF deny rule.
    Attributes
    String
    Optional
    Default value
    {distinct:8}
    Example
    {distinct:5}
    Example
    changeme{digits:3}
    Example
    {lower26:1}{digits:3}{distinct:3}
    Alphabets (alphabets)
    Description
    A list of alphabets used to generate the strings with.
    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Password Policy (passwordPolicy)
    Description

    A generated string can be checked against the configured password policy. The configured Pattern must generate strings that are accepted by the policies.

    If generating a string fails 10'000 times because none of the candidates fulfills the password policies, a runtime exception is thrown. To minimize the probability of such a failure during operations, 100 test strings are generated before the initialization of the plugin to verify the compatibility of the pattern with the policies. During this initial check, only 200 rejections from policies are allowed to further minimize the probability of a failure later.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Check Policy On Initialize (checkPolicyOnInitialize)
    Description
    Uncheck to disable checking of generated strings against the policy.
    Attributes
    Boolean
    Optional
    Default value
    true
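The pattern syntax and the policy-check limits described under "Pattern" and "Password Policy", as an added example (not the plugin's own code): a parser for `fix_part | {alphabet:count}` patterns, uniform CSPRNG draws per random part, the 10'000-attempt generation loop, and the start-up check that wants 100 accepted strings with at most 200 rejections. The built-in alphabets are copied from the list above; `digit_and_letter_policy` is a constructed stand-in for a password policy plugin.

```python
# Added example, not Airlock IAM code. Alphabets are the built-ins listed above;
# the policy function and all limits are constructed from the property descriptions.
import re
import secrets
from typing import Callable, Dict, List, Optional, Tuple

BUILTIN_ALPHABETS: Dict[str, str] = {
    "digits": "0123456789",
    "lower26": "abcdefghijklmnopqrstuvwxyz",
    "upper26": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "alpha52": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "distinct": "23456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ",
    "DISTINCT": "23456789ABCDEFGHJKLMNPQRSTUVWXYZ",
    "extended": "+-.,:;$<>()[]{}%&!?/*@#=_23456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ",
}

_RANDOM_PART = re.compile(r"\{([^{}:]+):(\d+)\}")   # {alphabet_name:number_of_characters}

# Limits quoted in the "Password Policy" property description.
MAX_GENERATION_ATTEMPTS = 10_000
INIT_TEST_STRINGS = 100
INIT_MAX_REJECTIONS = 200

Part = Tuple  # ("fix", text) or ("random", alphabet, count)


def _fix_part(text: str) -> str:
    if "{" in text:  # fix_part = any_string_without_'{'
        raise ValueError(f"malformed random part in {text!r}")
    return text


def parse_pattern(pattern: str, custom_alphabets: Optional[Dict[str, str]] = None) -> List[Part]:
    """pattern = fix_part | random_part [fix_part | random_part]*"""
    alphabets = {**BUILTIN_ALPHABETS, **(custom_alphabets or {})}
    parts: List[Part] = []
    pos = 0
    for m in _RANDOM_PART.finditer(pattern):
        if m.start() > pos:
            parts.append(("fix", _fix_part(pattern[pos:m.start()])))
        name, count = m.group(1), int(m.group(2))
        if name not in alphabets:
            raise ValueError(f"unknown alphabet {name!r}")
        parts.append(("random", alphabets[name], count))
        pos = m.end()
    if pos < len(pattern):
        parts.append(("fix", _fix_part(pattern[pos:])))
    return parts


def generate(parts: List[Part]) -> str:
    """Each random character is drawn uniformly from its alphabet with a CSPRNG."""
    out = []
    for part in parts:
        if part[0] == "fix":
            out.append(part[1])
        else:
            _, alphabet, count = part
            out.append("".join(secrets.choice(alphabet) for _ in range(count)))
    return "".join(out)


def generate_with_policy(parts: List[Part], policy: Callable[[str], bool]) -> str:
    """Retry up to 10'000 times; the plugin throws a runtime exception after that."""
    for _ in range(MAX_GENERATION_ATTEMPTS):
        candidate = generate(parts)
        if policy(candidate):
            return candidate
    raise RuntimeError("no candidate accepted by the password policy after 10'000 attempts")


def check_policy_on_initialize(parts: List[Part], policy: Callable[[str], bool]) -> bool:
    """Start-up compatibility check: 100 accepted strings with at most 200 rejections."""
    accepted = rejected = 0
    while accepted < INIT_TEST_STRINGS:
        if policy(generate(parts)):
            accepted += 1
        else:
            rejected += 1
            if rejected > INIT_MAX_REJECTIONS:
                return False
    return True


def digit_and_letter_policy(s: str) -> bool:
    """Constructed sample policy: at least one digit and at least one letter."""
    return any(c.isdigit() for c in s) and any(c.isalpha() for c in s)
```

`{distinct:8}` passes the start-up check against the sample policy (roughly 30% of candidates lack a digit, well under the allowed rejection budget), while `{digits:8}` can never satisfy it and is rejected at initialization rather than failing later in operation.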
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.ExtendedStringGenerator
    id: ExtendedStringGenerator-xxxxxx
    displayName: 
    comment: 
    properties:
      alphabets:
      checkPolicyOnInitialize: true
      passwordPolicy:
      pattern: {distinct:8}
    

    PDF Save Option

    Description
    Configuration for generating a PDF file. Saves the document in PDF (Adobe Portable Document Format).
    Class
    com.airlock.iam.core.misc.renderer.saveaction.PdfSaveActionConfig
    May be used by
    Properties
    File Name Extension (fileNameExtension)
    Description
    File name extension for the generated PDF file.
    Attributes
    String
    Optional
    Default value
    .pdf
    Fonts Path (fontsPath)
    Description
    The absolute or relative path containing all TrueType fonts required for the conversion.
    This is mandatory on unix-like operating systems and optional on Windows where the installed Windows fonts will always be included automatically. In order to reflect changes from the file system, reactivating the IAM configuration is required.
    Attributes
    File/Path
    Optional
    PDF/A-1b compliance (pdfA1bCompliance)
    Description

    Produced PDFs shall be PDF/A-1b compliant (PDF 1.4) instead of default PDF 1.5 files.
    PDF/A-1b has the objective of ensuring reliable reproduction of the visual appearance of the document.
    All fonts are automatically embedded and must also be legally embeddable for unlimited, universal rendering.
    Only set this value if this compliance is explicitly needed or if you need PDF 1.4 documents.

    Attention: Please also specify the "Fonts Path" above and add all necessary fonts in order to generate PDF/A-1b compliant files.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.renderer.saveaction.PdfSaveActionConfig
    id: PdfSaveActionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      fileNameExtension: .pdf
      fontsPath:
      pdfA1bCompliance: false
    

    Persistent Accepted SSO Tickets Repository

    Description

    Repository that stores accepted SSO tickets in a database.

    The tickets are stored to prevent replay attacks.

    For cleaning up expired tickets, the Accepted SSO Tickets Clean-up Task has to be configured in the service container.

    Class
    com.airlock.iam.common.application.configuration.sso.PersistentAcceptedSsoTicketRepositoryConfig
    May be used by
    Properties
    SQL Data Source (sqlDataSource)
    Description
    Database connection used to persist accepted SSO Tickets.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Log Queries (logQueries)
    Description

    If enabled, all SQL queries executed on this repository will be written to the module's corresponding log file. This is only effective if the log level is set to at least INFO.

    Attributes
    Boolean
    Optional
    Default value
    false
    Tenant ID (tenantId)
    Description

    Identity added to the database records to distinguish between different tenants.

    If left empty, 'no_tenant' is used as the effective value for tenant ID.

    Attributes
    String
    Optional
    Length <= 50
    Validation RegEx: (?!no_tenant$).*
    Example
    customerA
    Example
    customerB
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.sso.PersistentAcceptedSsoTicketRepositoryConfig
    id: PersistentAcceptedSsoTicketRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      logQueries: false
      sqlDataSource:
      tenantId:
    

    Persister IAK Verifier

    Description
    An IAK (initial activation key) verifier based on a password hash function and a credential persister.

    This plugin uses a CredentialPersister plugin to read a hash value of the IAK. The hash value is checked using the configured hash function.

    If the IAK is successfully verified, the hash value is cleared (null value set).

    Class
    com.airlock.iam.core.misc.impl.authen.PersisterIakVerifier
    May be used by
    Properties
    Credential Persister (credentialPersister)
    Description
    The credential persister plugin used to verify (and invalidate) the IAK.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Hash Function (hashFunction)
    Description
    The password hash function used for verification of the IAK.

    NOTE: Some password hashes, such as SHA 256 Password Hash or Scrypt Password Hash, produce binary output. If one of these is used, make sure the persistence layer supports binary data in the hash field and the corresponding persistence plugins (e.g. Database User Store or Ldap Connector) are configured to treat hash values as binary values.
    In case the persistence layer expects a string, encode the password hash by wrapping it with an encoder. To achieve this, use the Password Hash Configuration plugin and specify the hash function (such as Scrypt Password Hash) together with the desired encoder. We recommend using the Base64 Password Hash Encoder.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.PersisterIakVerifier
    id: PersisterIakVerifier-xxxxxx
    displayName: 
    comment: 
    properties:
      credentialPersister:
      hashFunction:
    

    Persister Password Service

    Description
    A comprehensive password service plugin that operates directly on the configured user store plugin (exception: password check, see below).

    This plugin allows the implementation of arbitrary password policies and supports password histories.

    If the existing (current) password before the change is not correct, this plugin increases the number of failed logins if "Maximum Wrong Old Passwords" is not 0.

    The existing (current) password can be checked in two ways:

    1. Using the configured user store by comparing the stored password hash value to the recomputed hash value. This variant requires only the configuration of a hash function plugin (see property "Hash Function").
    2. Using a separate authenticator plugin called to verify the password. The specified authenticator plugin is called with a new authentication session and with the username and the password as credential. This variant requires the configuration of an authenticator plugin (see property "Password Check Authenticator") and a hash function plugin (see property "Hash Function").

    Class
    com.airlock.iam.core.misc.impl.authen.PersisterPasswordService
    May be used by
    Properties
    User Store (userStore)
    Description
    The user store to verify and change passwords.

    The capabilities and the configuration of the user store influence the capabilities of this plugin. If, for example, the user store does not load or store information about the latest password change, this plugin will not be able to use this information.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Password Validity Days (passwordValidityDays)
    Description
    The number of days a password may be used before it must be changed.

    If a password is changed, this plugin sets the latest-password-change-timestamp and (if this property is defined) also updates the next-enforced-password-change-timestamp.

    If this property is not defined, the next-enforced-password-change-timestamp is not updated.

    Attributes
    Integer
    Optional
    Hash Function (hashFunction)
    Description
    The password hash function used for verification and password change. This property is required if the existing (current) password should be checked directly using the user store plugin (see also plugin description above) and also when storing a new password.

    Note that the password hash function may or may not support password history checks. If the configured password hash function does not support password history checks but a policy checker requires this capability, the history check is omitted and a log warning is written.

    NOTE: Some password hashes, such as SHA 256 Password Hash or Scrypt Password Hash, produce binary output. If one of these is used, make sure the persistence layer supports binary data in the hash field and the corresponding persistence plugins (e.g. Database User Store or Ldap Connector) are configured to treat hash values as binary values.
    In case the persistence layer expects a string, encode the password hash by wrapping it with an encoder. To achieve this, use the Password Hash Configuration plugin and specify the hash function (such as Scrypt Password Hash) together with the desired encoder. We recommend using the Base64 Password Hash Encoder.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Legacy Hash Functions (legacyHashFunctions)
    Description

    If the password cannot be verified using the main "Hash Function" above, all hashes in this list are tried as well. If any hash of this list matches, the password is stored using the current main hash function (see property "Hash Function"). In this case, a potential password history is lost.

    This feature allows changing the password hash function with automatic migration of all users that log in.

    Notice that having a legacy hash function in this list producing the same output length as the main hash function can pose a security risk since it might be possible for an attacker to provoke a match using a weaker hash method.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Check Using Latin1 Encoding (checkUsingLatin1Encoding)
    Description

    If enabled, passwords containing special characters stored by IAM earlier than 6.3 are still accepted. This option does not have to be activated if all passwords were set using IAM 6.3 or later or if all passwords were set via webservices or REST.

    To support legacy passwords, those with special characters are additionally checked using their legacy encoding in latin1 and if matching, they are rehashed and stored using the current hash function. In this case, a potential password history is lost.

    Attributes
    Boolean
    Optional
    Default value
    false
    Check Truncated Password (checkTruncatedPassword)
    Description

    If enabled, all failed checks on passwords longer than 50 characters will lead to a second check using only the first 50 characters. If successful, the full password is stored.

    Prior to IAM 7.3 the password input field on JSPs was limited to 50 characters, with overflowing characters being truncated by the browser. This limit has been removed with IAM 7.3, leading to the full password being sent to IAM. For new installations with IAM 7.3 or later, this setting should not be enabled.

    Attributes
    Boolean
    Optional
    Default value
    false
    Maximum Wrong Old Passwords (maximumWrongOldPasswords)
    Description
    The number of wrong old passwords during a password change before a user is locked.

    Warning: Make sure that the number of failed logins is not also increased by the calling application.

    Note: The number of failed logins is increased when providing a wrong password in a password change call. When only checking a wrong password, the number of failed logins is not increased.

    Attributes
    Integer
    Optional
    Default value
    5
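The verification order and migration behaviour described under "Hash Function", "Legacy Hash Functions", "Check Using Latin1 Encoding", "Check Truncated Password" and "Maximum Wrong Old Passwords", as an added example (not the plugin's own code). The hash functions are constructed stand-ins (salted PBKDF2 as the main function, unsalted SHA-1 as a legacy one), the order in which the fallbacks are tried is an assumption, and the user store is a plain in-memory record.

```python
# Added example, not Airlock IAM code: a model of the Persister Password Service's
# password check with legacy-hash, latin1 and truncation fallbacks and the
# "wrong old password" lock counter. Hash functions and ordering are constructed.
import hashlib
import hmac
import logging
import os
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence

log = logging.getLogger("password-service-model")

SALT_LEN = 16
PBKDF2_ROUNDS = 100_000
TRUNCATE_AT = 50  # pre-7.3 input field limit quoted under "Check Truncated Password"

Verifier = Callable[[bytes, bytes], bool]


def main_hash(password: bytes, salt: Optional[bytes] = None) -> bytes:
    """Constructed main hash: 16-byte salt || PBKDF2-HMAC-SHA256 (48 bytes total)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


def main_verify(password: bytes, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS), digest)


def legacy_sha1_hash(password: bytes) -> bytes:
    return hashlib.sha1(password).digest()


def legacy_sha1_verify(password: bytes, stored: bytes) -> bool:
    # 20-byte output, so it cannot be mistaken for a 48-byte main hash; the page
    # warns against legacy functions whose output length equals the main one's.
    return len(stored) == 20 and hmac.compare_digest(legacy_sha1_hash(password), stored)


@dataclass
class StoredUser:
    password_hash: bytes
    failed_logins: int = 0
    locked: bool = False


class PersisterPasswordServiceModel:
    def __init__(self, legacy_verifiers: Sequence[Verifier] = (), check_latin1: bool = False,
                 check_truncated: bool = False, max_wrong_old_passwords: int = 5) -> None:
        self.legacy_verifiers = list(legacy_verifiers)
        self.check_latin1 = check_latin1
        self.check_truncated = check_truncated
        self.max_wrong_old_passwords = max_wrong_old_passwords

    def _fallback_inputs(self, password: str) -> List[bytes]:
        """Alternative encodings of the entered password enabled by the two legacy options."""
        current = password.encode("utf-8")
        inputs: List[bytes] = []
        if self.check_latin1:
            try:
                latin1 = password.encode("latin-1")
                if latin1 != current:          # only differs for non-ASCII characters
                    inputs.append(latin1)
            except UnicodeEncodeError:
                pass
        if self.check_truncated and len(password) > TRUNCATE_AT:
            inputs.append(password[:TRUNCATE_AT].encode("utf-8"))
        return inputs

    def check_password(self, user: StoredUser, password: str) -> bool:
        """Verify without touching the failed-login counter; rehash on a legacy-path match."""
        current = password.encode("utf-8")
        if main_verify(current, user.password_hash):
            return True
        # Assumed order: main hash over alternative inputs first, then each legacy hash.
        attempts = [(main_verify, alt) for alt in self._fallback_inputs(password)]
        attempts += [(legacy, inp) for legacy in self.legacy_verifiers
                     for inp in [current] + self._fallback_inputs(password)]
        for verify, candidate in attempts:
            if verify(candidate, user.password_hash):
                log.warning("password matched only via a legacy path; rehashing (history lost)")
                user.password_hash = main_hash(current)   # migrate to the main hash function
                return True
        return False

    def change_password(self, user: StoredUser, old: str, new: str) -> bool:
        """A wrong old password counts as a failed login (unless the maximum is 0)."""
        if user.locked:
            return False
        if not self.check_password(user, old):
            if self.max_wrong_old_passwords != 0:
                user.failed_logins += 1
                if user.failed_logins >= self.max_wrong_old_passwords:
                    user.locked = True
            return False
        user.password_hash = main_hash(new.encode("utf-8"))
        user.failed_logins = 0
        return True
```

`check_password` never increments `failed_logins`, matching the note that only a wrong password in a change call is counted; every fallback match leaves the record with a fresh main-function hash so the legacy path is taken at most once per user.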
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.PersisterPasswordService
    id: PersisterPasswordService-xxxxxx
    displayName: 
    comment: 
    properties:
      checkTruncatedPassword: false
      checkUsingLatin1Encoding: false
      hashFunction:
      legacyHashFunctions:
      maximumWrongOldPasswords: 5
      passwordCheckAuthenticator:
      passwordValidityDays:
      userStore:
    

    Phone Number

    Description
    Validates that a field contains a phone number.
    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.validation.PhoneNumberValidationConfig
    May be used by
    Properties
    Translation Key (translationKey)
    Description
    The translation key to use for the error message in case the validation fails. A default translation is used when no translation key is configured.
    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.validation.PhoneNumberValidationConfig
    id: PhoneNumberValidationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      translationKey:
    

    Phone Number Validator Config

    Description
    Validator to ensure that the provided string value could be a phone number.
    Class
    com.airlock.iam.common.application.configuration.validation.PhoneNumberValidatorConfig
    May be used by
    Properties
    Strict Mode (strictMode)
    Description
    If strict mode is enabled, the number must be in a normalized format, i.e. only consist of an optional plus sign, followed by digits. Otherwise, the number may also contain separating characters like spaces, dashes or parentheses.
    Attributes
    Boolean
    Optional
    Default value
    false
    Maximum Length (maximumLength)
    Description
    Maximum length of the phone number.
    Attributes
    Integer
    Optional
    Default value
    30
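The two modes described above, as an added example (not the plugin's own code): a validator that accepts only `+` and digits in strict mode, additionally tolerates spaces, dashes and parentheses otherwise, and applies the configured maximum length. The exact set of separator characters and the `normalize` helper are assumptions based on the description.

```python
# Added example, not Airlock IAM code. Separator set and normalization are assumptions.
import re

# Strict: the normalized format, an optional plus sign followed by digits.
STRICT_PATTERN = re.compile(r"\+?[0-9]+")
# Lenient: also allows spaces, dashes and parentheses, but still needs at least one digit.
LENIENT_PATTERN = re.compile(r"\+?[0-9 ()\-]*[0-9][0-9 ()\-]*")


def validate_phone_number(value: str, strict_mode: bool = False, maximum_length: int = 30) -> bool:
    """Mirror of Strict Mode / Maximum Length from the property table above."""
    if len(value) > maximum_length:
        return False
    pattern = STRICT_PATTERN if strict_mode else LENIENT_PATTERN
    return pattern.fullmatch(value) is not None


def normalize(value: str) -> str:
    """Constructed helper: strip separators so a lenient input is in strict form."""
    return re.sub(r"[ ()\-]", "", value)
```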
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.validation.PhoneNumberValidatorConfig
    id: PhoneNumberValidatorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      maximumLength: 30
      strictMode: false
    

    Phone Number Verification Step

    Description

    User self-registration flow step that verifies the phone number of a user by sending a text message with an OTP that has to be entered correctly for the flow to continue.

    Note that channel verification is the only way to ensure the uniqueness of phone numbers while at the same time not revealing already registered phone numbers (if Stealth Mode is enabled).

    Class
    com.airlock.iam.userselfreg.application.configuration.step.PhoneNumberVerificationStepConfig
    May be used by
    License-Tags
    SelfRegistration
    Properties
    Phone Number Item (phoneNumberItem)
    Description
    Verification target. This item must contain the phone number of the self-registering user.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    OTP Generator (otpGenerator)
    Description
    Secret string generator to create the OTP. Make sure that the code is long enough to prevent brute-force attacks (by restarting the flow multiple times).
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Message Resource Key (messageResourceKey)
    Description

    The resource key for the SMS message.

    The following syntax can be used to include data in the template:

    • ${TOKEN} to include the generated OTP.
    • ${USERNAME} to include the name of the registering user.
    • ${Now,date,format} to include the current date/time, where "format" is a date pattern like "yyyy-MM-dd HH:mm:ss".
    • ${contextDataName} to include the value of the context data field "contextDataName". Note that only context data of type "string" can be included.

    Note that non-replaced variables result in a failure and no text message is sent. Therefore, only variable names should be used that are guaranteed to be available when the phone number verification is performed.

    Attributes
    String
    Optional
    Default value
    user-self-reg.sms.verification.message
    Originator (originator)
    Description
    Name to be displayed as the SMS originator.
    Attributes
    String
    Mandatory
    Example
    Airlock
    Example
    MyHost
    Max Failed Attempts (maxFailedAttempts)
    Description
    Number of allowed failed attempts before the flow is aborted.
    Attributes
    Integer
    Optional
    Default value
    1
    OTP Validity [s] (otpValidity)
    Description
    Determines how long the OTP is valid (in seconds).
    Attributes
    Integer
    Optional
    Default value
    300
    OTP Case Sensitive (otpCaseSensitive)
    Description
    If enabled, the case of characters is considered when matching the entered OTP against the generated one.
    Attributes
    Boolean
    Optional
    Default value
    true
    Max OTP Resends (maxOtpResends)
    Description
    Maximum number of times an OTP token may be requested to be resent within this step. Token retransmissions are disabled if this value is 0. Restricting this value to a small number prevents the abusive use of SMS delivery.
    Attributes
    Integer
    Optional
    Default value
    0
    Resend Same OTP (resendSameOtp)
    Description
    If token resends are enabled, this property sets whether the same OTP token is resent or whether a new OTP is generated for each retransmission. Setting this property to true is less secure but helps avoid erroneous user input when the initial OTP arrives before the retransmission.
    Attributes
    Boolean
    Optional
    Default value
    false
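The OTP handling configured by "OTP Generator", "Max Failed Attempts", "OTP Validity", "OTP Case Sensitive", "Max OTP Resends" and "Resend Same OTP", as an added example (not the step's own code): a small state model with an injectable clock and a list standing in for the SMS gateway. The OTP generator draws from the `distinct` alphabet, the result names (`OK`, `RETRY`, `ABORTED`, `EXPIRED`) and the choice that an expired OTP does not count as a failed attempt are assumptions.

```python
# Added example, not Airlock IAM code: models the OTP part of the Phone Number
# Verification Step. Result names, clock injection and expiry handling are constructed.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, List, Optional

DISTINCT = "23456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ"


def generate_otp(length: int = 8) -> str:
    """Constructed OTP generator: uniform CSPRNG draw from the 'distinct' alphabet."""
    return "".join(secrets.choice(DISTINCT) for _ in range(length))


@dataclass
class OtpStepConfig:
    max_failed_attempts: int = 1
    otp_validity: int = 300          # seconds
    otp_case_sensitive: bool = True
    max_otp_resends: int = 0
    resend_same_otp: bool = False


@dataclass
class PhoneVerificationStepModel:
    cfg: OtpStepConfig
    now: Callable[[], float]                        # injectable clock (seconds)
    sent: List[str] = field(default_factory=list)   # stands in for the SMS gateway
    otp: str = ""
    issued_at: float = 0.0
    failed: int = 0
    resends: int = 0
    aborted: bool = False
    verified: bool = False

    def start(self, otp: Optional[str] = None) -> None:
        """Issue the first OTP; a fixed value may be passed for deterministic tests."""
        self._issue(otp or generate_otp())

    def _issue(self, otp: str) -> None:
        self.otp, self.issued_at = otp, self.now()
        self.sent.append(otp)   # "sending" the text message

    def resend(self) -> bool:
        """Honour Max OTP Resends and Resend Same OTP."""
        if self.aborted or self.resends >= self.cfg.max_otp_resends:
            return False
        self.resends += 1
        self._issue(self.otp if self.cfg.resend_same_otp else generate_otp())
        return True

    def verify(self, entered: str) -> str:
        if self.aborted:
            return "ABORTED"
        if self.now() - self.issued_at > self.cfg.otp_validity:
            return "EXPIRED"    # assumption: expiry is not booked as a failed attempt
        a, b = entered, self.otp
        if not self.cfg.otp_case_sensitive:
            a, b = a.lower(), b.lower()
        if hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8")):
            self.verified = True
            return "OK"
        self.failed += 1
        if self.failed >= self.cfg.max_failed_attempts:
            self.aborted = True     # flow aborted after Max Failed Attempts
            return "ABORTED"
        return "RETRY"
```

With the defaults (`maxFailedAttempts: 1`, `maxOtpResends: 0`) a single wrong entry aborts the step and no retransmission is possible; the comparison uses `hmac.compare_digest` so timing does not depend on how many leading characters match.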
    Default Country Code (defaultCountryCode)
    Description
    Default country code to be used if a phone number does not contain a country code. It is only used when sending messages to the user.
    Attributes
    String
    Optional
    Length <= 3
    Length >= 1
    Default value
    41
    Suggested values
    41, 39, 49, 423
    CAPTCHA (captchaProvider)
    Description
    If a CAPTCHA is configured, a CAPTCHA challenge will be added to:
    • the response of the flow selecting request (when this step is the first interactive step in a flow).
    • the step response immediately preceding the protected step (when this step is not the first interactive step in a flow).
    To complete this step and proceed with the flow, the CAPTCHA must be solved successfully.
    Caution: The CAPTCHA only protects the verification of the OTP. The OTP is sent to the user before the CAPTCHA is solved.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.step.PhoneNumberVerificationStepConfig
    id: PhoneNumberVerificationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      captchaProvider:
      customFailureResponseAttributes:
      customResponseAttributes:
      defaultCountryCode: 41
      dynamicStepActivations:
      interactiveGotoTargets:
      maxFailedAttempts: 1
      maxOtpResends: 0
      messageResourceKey: user-self-reg.sms.verification.message
      onFailureGotos:
      originator:
      otpCaseSensitive: true
      otpGenerator:
      otpValidity: 300
      phoneNumberItem:
      preCondition:
      requiresActivation: false
      resendSameOtp: false
      skipCondition:
      smsGateway:
      stepId:
      tagsOnSuccess:
    

    Plain Base64 Ticket Decoder

    Description
    Decodes the plain ticket without encryption or signature.

    For a description of the encoding see class description of type PlainBase64TicketEncoder.

    Class
    com.airlock.iam.core.misc.util.ticket.codec.PlainBase64TicketDecoder
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.ticket.codec.PlainBase64TicketDecoder
    id: PlainBase64TicketDecoder-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Plain Base64 Ticket Encoder

    Description
    Encodes the ticket using base-64.

    The keys/values in the ticket are encoded as configured in the plugin that uses this encoder. The expiry date is then appended as binary (see below) and the resulting byte array is base-64 encoded. Thus, there is no cryptographic protection in place!

    Example:
    "medusaID=1234;uname=smith;roles=customer,employee;name1=value1;name2=value2;[1444838488]"
    All keys and the individual values are URL-encoded with the character set that is specified within the Identity Propagator. The value in square brackets symbolizes the added timestamp.

    Important: The expiry date which is appended as binary consists of the milliseconds since midnight of 01.01.1970 and is represented as a 64-bit signed integer (MSB first). Please be aware that for the successful decoding of the value, it is important to either use the PlainBase64TicketDecoder plugin or make sure to strip away the last 8 bytes (the added timestamp) of the content, if it is not relevant in your setup.

    Class
    com.airlock.iam.core.misc.util.ticket.codec.PlainBase64TicketEncoder
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.ticket.codec.PlainBase64TicketEncoder
    id: PlainBase64TicketEncoder-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Plain Cookie Identity Propagator

    Description
    An identity propagator that sets a cookie with the defined name and other parameters. The cookieValue can be a composition of the roles of a user, its username and some context data of the user. The propagation fails by default if the "Cookie Value" gets resolved to an empty string (configurable).
    Class
    com.airlock.iam.core.misc.impl.sso.onbehalflogin.PlainCookieIdentityPropagator
    May be used by
    Properties
    Cookie Value (cookieValue)
    Description
    The cookie value to be used for identity propagation.

    Use the special value "${ROLES}" to use the user's roles as the value of the cookie. The roles are represented as a comma-separated list (e.g. admin,employee,user).

    Use the special value "${USERNAME}" to use the user's username as the value of the cookie.

    Use the special value "${AUDIT_TOKEN}" to use the user's audit token (set by IAM) as the value of the cookie.

    Use the special value "${context-data-field}" to use the user's context data field as the value of the cookie.

    It is possible to use a combination of the special values and some static text that doesn't get replaced. Make sure the static part is not enclosed with ${ and }.

    Attributes
    String
    Mandatory
    Example
    ${ROLES}
    Example
    ${USERNAME}
    Example
    ${USERNAME}@{hostname}
    Example
    ${USERNAME}@{other-context-data-field}
    Example
    ${USERNAME}@{subdomain}.static.com
    Example
    ${AUDIT_TOKEN}
    Empty Cookie Value Behavior (emptyCookieValueBehavior)
    Description
    Behavior when the resulting cookie value is empty.
    Attributes
    Enum
    Optional
    Default value
    FAIL
    Cookie Name (cookieName)
    Description
    The name of the cookie to be sent to the browser or Airlock Gateway (WAF).
    Attributes
    String
    Optional
    Default value
    username
    Example
    auth_cookie
    Example
    username
    Cookie Path (cookiePath)
    Description
    The path for which the cookie is set. The path determines where the cookie is sent by the reverse proxy (or browser).

    If one single access cookie is used for all applications, the value "/" can be used. If different tickets are used for different applications, the application's path should be used.

    Note that only one access cookie per cookie path and name can exist. Make sure that this cookie name does not clash with other cookies' names. For example, do not use session cookie names such as "JSESSIONID".

    Make sure the configuration flag Interpret Cookie Domains is set in the Airlock Gateway (WAF) configuration. If not, the cookie path is ignored and cookies in the cookie store are sent to any back-end HTTP request of the same session. This also means that there may be only one cookie per cookie name!
    It is best to consult the corresponding documentation of the Airlock Gateway to get more accurate information on cookie handling.

    Attributes
    String
    Optional
    Default value
    /
    Example
    /
    Example
    /appl1
    Example
    /appl2
    Cookie Domain (cookieDomain)
    Description
    The domain for which the cookie is set. The domain determines where the cookie is sent by the reverse proxy (or browser).

    Because of security restrictions in browsers (same origin policy) it is usually not possible to set a cookie for a different domain unless the right-most two domain parts (e.g. "ergon.ch") are equal to that of the application setting the cookie.
    It is possible that there are further restrictions regarding this in browsers.

    If you are using an HTTP reverse proxy that stores the cookie in its session store (and does not send it to the client), make sure to understand the proxy's interpretation of the cookie domain and cookie path.

    Make sure the configuration flag Interpret Cookie Domains is set in the Airlock Gateway (WAF) configuration. If not, the cookie domain is ignored and cookies in the cookie store are sent to any back-end HTTP request of the same session. The cookie path is also ignored meaning that there may be only one cookie per cookie name!
    Airlock also supports the following cookie domain values (if the flag Interpret Cookie Domains is set):

    • The value .* results in cookies being sent to all back-end servers. This is especially useful if one authentication ticket is used for multiple back-ends.
    • The value @<fully-qualified-host> results in the cookie being treated as if it were set by the host specified by "<fully-qualified-host>". If using this value, make sure the corresponding mapping also uses the fully qualified hostname.
    It is best to consult the corresponding documentation of the Airlock Gateway to get more accurate information on cookie handling.

    Note that only one cookie per cookie path and name can exist. Make sure that this cookie name does not clash with other cookies' names. For example, do not use session cookie names such as "JSESSIONID".

    Attributes
    String
    Optional
    Example
    @anotherbackend.com
    Example
    .*
    Example
    mybackend.com
    Set Secure Flag (setSecureFlag)
    Description
    If set to TRUE, the "secure" flag of the cookie is set.

    If the cookie is marked as secure, the browser (and any HTTP proxy behaving like a browser) should send the cookie only over secure connections.
    Caution: If you think that setting this flag makes your application more secure, it is in most cases way better to adequately secure the access cookie by encrypting it appropriately. Remember that this flag just "asks" the browser to not transmit the cookie over unencrypted connections.

    Attributes
    Boolean
    Optional
    Default value
    false
    Url Encoding Scheme (urlEncodingScheme)
    Description
    String values must be URL encoded in order to be suitable as cookie values. This optional property defines the URL encoding scheme to be used.
    Make sure that the component receiving the ticket uses the same URL encoding scheme.
    Specify NONE to disable URL-Encoding in case the target system cannot handle URL-Encoded cookies. Notice: This will only work if the username contains nothing but ASCII characters. Other characters like umlauts are never allowed unencoded in cookies and will result in an error.
    Attributes
    String
    Optional
    Default value
    UTF-8
    Allowed values
    UTF-8, ISO-8859-1, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, ISO-8859-15, NONE
    Max Age (maxAge)
    Description
    Sets the maximum age in seconds for this Cookie.
    • A positive value indicates that the cookie will expire after that many seconds have passed.
    • A negative value means that the cookie is not stored persistently and will usually be deleted when the Web browser exits (however, browsers may keep it for longer).
    • A value of 0 (zero) causes the cookie to be deleted by sending an expired cookie with the same name.
    Attributes
    Integer
    Optional
    Default value
    -1
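    The following is an added example, not code from Airlock IAM, that resolves a "Cookie Value" template, applies the configured "Url Encoding Scheme" (including the ASCII-only restriction for NONE), enforces the FAIL behavior for an empty value, and turns "Max Age" into the Set-Cookie attribute. Configuration keys follow the YAML template; the sample user data and the handling of unknown placeholders are assumptions.

```python
import re
from urllib.parse import quote

# Placeholders resolved in "Cookie Value"; anything else stays as static text.
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")
# "Url Encoding Scheme" values listed on the page.
URL_ENCODING_SCHEMES = {"UTF-8", "ISO-8859-1", "UTF-16", "UTF-16BE", "UTF-16LE",
                        "US-ASCII", "ISO-8859-15", "NONE"}


def resolve_cookie_value(template, username, roles, audit_token=None, context_data=None):
    """Expand ${ROLES}, ${USERNAME}, ${AUDIT_TOKEN} and ${<context-data-field>}.
    Assumption: an unknown context data field expands to the empty string."""
    context_data = context_data or {}

    def expand(match):
        name = match.group(1)
        if name == "ROLES":
            return ",".join(roles)
        if name == "USERNAME":
            return username
        if name == "AUDIT_TOKEN":
            return audit_token or ""
        return context_data.get(name, "")

    return PLACEHOLDER.sub(expand, template)


def encode_cookie_value(value, scheme="UTF-8"):
    """Apply the configured URL encoding. NONE is only valid for pure ASCII,
    since other characters are never allowed unencoded in cookies."""
    if scheme not in URL_ENCODING_SCHEMES:
        raise ValueError(f"unsupported urlEncodingScheme {scheme!r}")
    if scheme == "NONE":
        if not value.isascii():
            raise ValueError("non-ASCII cookie value cannot be sent with urlEncodingScheme NONE")
        return value
    return quote(value, safe="", encoding=scheme)


def build_set_cookie(config, username, roles, audit_token=None, context_data=None):
    """Produce the Set-Cookie header line for a PlainCookieIdentityPropagator
    configuration (keys named as in the YAML template, defaults as on the page).
    Only FAIL is modelled for emptyCookieValueBehavior; other values are not on the page."""
    value = resolve_cookie_value(config["cookieValue"], username, roles, audit_token, context_data)
    if value == "" and config.get("emptyCookieValueBehavior", "FAIL") == "FAIL":
        raise ValueError("identity propagation failed: cookie value resolved to empty string")
    encoded = encode_cookie_value(value, config.get("urlEncodingScheme", "UTF-8"))

    parts = [f"{config.get('cookieName', 'username')}={encoded}",
             f"Path={config.get('cookiePath', '/')}"]
    # Domain is passed through unchanged; ".*" and "@<host>" are interpreted by
    # Airlock Gateway, not by a browser.
    if config.get("cookieDomain"):
        parts.append(f"Domain={config['cookieDomain']}")
    max_age = config.get("maxAge", -1)
    if max_age >= 0:  # negative: session cookie, no Max-Age attribute
        parts.append(f"Max-Age={max_age}")  # 0 tells the client to delete the cookie
    if config.get("setSecureFlag", False):
        parts.append("Secure")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample configuration and user, not real data.
    demo = {"cookieValue": "${USERNAME}@${subdomain}.static.com", "cookieName": "auth_cookie",
            "cookiePath": "/appl1", "maxAge": 600, "setSecureFlag": True}
    print(build_set_cookie(demo, "smith", ["admin"], context_data={"subdomain": "intranet"}))
```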
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.onbehalflogin.PlainCookieIdentityPropagator
    id: PlainCookieIdentityPropagator-xxxxxx
    displayName: 
    comment: 
    properties:
      cookieDomain:
      cookieName: username
      cookiePath: /
      cookieValue:
      emptyCookieValueBehavior: FAIL
      maxAge: -1
      setSecureFlag: false
      urlEncodingScheme: UTF-8
    

    Plain Cookie Value Context Data Extractor

    Description
    Extracts the value of a cookie out of a list of cookies based on its name.
    Class
    com.airlock.iam.core.misc.impl.sso.onbehalflogin.PlainCookieValueContextDataExtractor
    May be used by
    Properties
    Cookie Name (cookieName)
    Description
    The name of the cookie whose value should be extracted.
    Attributes
    String
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.onbehalflogin.PlainCookieValueContextDataExtractor
    id: PlainCookieValueContextDataExtractor-xxxxxx
    displayName: 
    comment: 
    properties:
      cookieName:
    

    Plain Static REST Request Header

    Description
    HTTP REST Request header with a static string value.
    Class
    com.airlock.iam.common.application.configuration.restclient.PlainStaticRestRequestHeaderConfig
    May be used by
    Properties
    Header Name (headerName)
    Description
    The header name of the HTTP REST Request header.
    Attributes
    String
    Mandatory
    Validation RegEx: [a-zA-Z0-9_-]+
    Example
    App-ID
    Example
    App-Key
    Header Value (headerValue)
    Description
    The header value of the HTTP REST Request header.
    Attributes
    String
    Mandatory
    Validation RegEx: [\x20-\x7E]+
    Example
    App-1
    Example
    Key-123
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.restclient.PlainStaticRestRequestHeaderConfig
    id: PlainStaticRestRequestHeaderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      headerName:
      headerValue:
    

    Plain Ticket Decoder

    Description
    Decodes a plain-encoded ticket like "name1=value1,value2;name2=value3,value4;".

    Since no expiry date is encoded in plain-encoded tickets, the decoded tickets expire after 1 year.

    Class
    com.airlock.iam.core.misc.util.ticket.codec.PlainTicketDecoder
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.ticket.codec.PlainTicketDecoder
    id: PlainTicketDecoder-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Plain Ticket Encoder

    Description
    Encodes a ticket as a plain string like "name1=value1,value2;name2=value3,value4;".

    All keys and the individual values are URL-encoded with the character set that is specified within the Identity Propagator that uses this encoder.

    Does NOT store any expiry date in the ticket!
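    An added example (not code from Airlock IAM) implementing both ticket layouts described on this page: the plain "name1=value1,value2;name2=value3,value4;" encoding of the Plain Ticket Encoder/Decoder, and the Plain Base64 Ticket Encoder/Decoder layout that appends the expiry as a big-endian 64-bit signed millisecond timestamp before base64 encoding. The decoder shows the "strip the last 8 bytes" rule and rejects expired tickets; the sample ticket content and the insertion-order of entries are assumptions.

```python
import base64
import struct
import time
from urllib.parse import quote, unquote

# Constructed sample ticket (not real user data). Values are lists because the
# plain format allows "name=value1,value2;". Assumption: entries are emitted in
# insertion order.
SAMPLE_TICKET = {
    "medusaID": ["1234"],
    "uname": ["smith"],
    "roles": ["customer", "employee"],
}

# Plain tickets carry no expiry, so the plain decoder assigns one year.
PLAIN_TICKET_LIFETIME_MS = 365 * 24 * 60 * 60 * 1000


def encode_plain(ticket, charset="UTF-8"):
    """PlainTicketEncoder-style body: keys and each value URL-encoded with the
    configured charset, values joined by ',', every entry terminated by ';'."""
    entries = []
    for key, values in ticket.items():
        enc_key = quote(key, safe="", encoding=charset)
        enc_values = ",".join(quote(v, safe="", encoding=charset) for v in values)
        entries.append(f"{enc_key}={enc_values};")
    return "".join(entries)


def decode_plain(text, charset="UTF-8"):
    """Inverse of encode_plain; tolerates the trailing ';'."""
    ticket = {}
    for entry in text.split(";"):
        if not entry:
            continue
        key, sep, values = entry.partition("=")
        if not sep:
            raise ValueError(f"malformed entry: {entry!r}")
        ticket[unquote(key, encoding=charset)] = [
            unquote(v, encoding=charset) for v in values.split(",")
        ]
    return ticket


def plain_ticket_expiry_ms(decoded_at_ms):
    """Expiry the plain decoder assigns, since the ticket itself stores none."""
    return decoded_at_ms + PLAIN_TICKET_LIFETIME_MS


def encode_base64(ticket, expires_ms, charset="UTF-8"):
    """PlainBase64TicketEncoder-style token: plain body + expiry as a 64-bit
    signed big-endian integer of milliseconds since the epoch, then base64.
    There is no signature or encryption, so the content is neither confidential
    nor integrity-protected."""
    body = encode_plain(ticket, charset).encode("ascii")  # URL-encoded text is ASCII
    return base64.b64encode(body + struct.pack(">q", expires_ms)).decode("ascii")


def decode_base64(token, charset="UTF-8", now_ms=None):
    """Strip the trailing 8-byte timestamp before parsing the body and reject
    expired tickets. Returns (ticket, expires_ms)."""
    raw = base64.b64decode(token, validate=True)
    if len(raw) < 8:
        raise ValueError("ticket too short to contain the 8-byte expiry")
    body, expires_ms = raw[:-8], struct.unpack(">q", raw[-8:])[0]
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if now_ms >= expires_ms:
        raise ValueError("ticket expired")
    return decode_plain(body.decode("ascii"), charset), expires_ms


if __name__ == "__main__":
    token = encode_base64(SAMPLE_TICKET, int(time.time() * 1000) + 300_000)
    print(token)
    print(decode_base64(token))
```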

    Class
    com.airlock.iam.core.misc.util.ticket.codec.PlainTicketEncoder
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.ticket.codec.PlainTicketEncoder
    id: PlainTicketEncoder-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Plain Token

    Description
    Logs the plain OAuth 2.0 Token.

    Be aware that logging token information is detrimental to security.

    Class
    com.airlock.iam.oauth2.application.configuration.logging.PlainTokenLogStrategy
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.logging.PlainTokenLogStrategy
    id: PlainTokenLogStrategy-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Plain User Data Header

    Description
    Holds information about values from the authentee to put in an HTTP header using the back-end Airlock control API.
    Class
    com.airlock.iam.core.misc.impl.sso.PlainUserDataHeader
    May be used by
    Properties
    Name (name)
    Description
    This property defines the header name used for this entry.

    Note that for the special value @all-context-data, the value of this property is ignored because the header name of the context data entries is used.

    Attributes
    String
    Mandatory
    Example
    username
    Example
    roles
    Example
    lang
    Example
    authentication-method
    Value (value)
    Description
    This property defines the values to be propagated as HTTP headers. The values are taken from the authentee including its context data container.

    The values are interpreted as follows:

    • The value @username refers to the authentee's name.
    • The value @roles refers to the authentee's roles.
    • The value @info:key refers to the element of the additional input data with the given key.
    • The value @all-context-data refers to all context data of the authentee. If used, each context data entry is added as a separate header using its key as header name. The 'Name' property is ignored.
      Be careful with this setting as context-data entries may overwrite important HTTP headers in back-end requests. It is recommended to add multiple explicit headers instead to keep control over the headers set.
    • All other values are used to reference a value in the context data container of the authentee.

    Attributes
    String
    Mandatory
    Suggested values
    @username, @roles, @all-context-data, @info:OAUTH2_ACCESS_TOKEN, givenname, surname, country, email, company, language, auth_method
    Value Prefix (valuePrefix)
    Description
    If set, this prefix (plus a space) is prepended to the header value.
    Attributes
    String
    Optional
    Example
    Bearer
    Mapping Names (mappingNames)
    Description
    For each header, this property optionally defines the name of the Airlock Gateway (WAF) mappings to use it on.
    If no mapping name is specified, the HTTP header is used on all Airlock Gateway mappings.

    Note: Headers must never be defined globally and on a specific mapping at the same time.

    Attributes
    String-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.PlainUserDataHeader
    id: PlainUserDataHeader-xxxxxx
    displayName: 
    comment: 
    properties:
      mappingNames:
      name:
      value:
      valuePrefix:
    

    Plain User Data Response Header

    Description
    HTTP header holding information about values from the authentee to be set on the response of the identity propagation.
    Class
    com.airlock.iam.core.application.configuration.header.PlainUserDataResponseHeader
    May be used by
    Properties
    Name (name)
    Description
    The name of the response header to be propagated to the HTTP client.
    Attributes
    String
    Mandatory
    Example
    Authorization
    Example
    X-Access-Token
    Value (value)
    Description
    The value of the response header to be propagated to the HTTP client.

    The value is based on the authentee including its context data container:

    • The value @username refers to the authentee's name.
    • The value @roles refers to the authentee's roles. The roles are set as comma-separated string (e.g. role1,role2). If the authentee has no roles, the header is not set.
    • All other values are used to reference a value in the context data container of the authentee. If the value is not present on the context data container, the header is not set.
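    The following added example (not Airlock IAM code) applies the value interpretation shared by the Plain User Data Header and Plain User Data Response Header plugins above: @username, @roles, @info:key and context data references, the @all-context-data expansion, the "Value Prefix" and "Mapping Names" handling, and the rule that response headers are omitted when roles are empty or the context data is missing. It also lints a header list for the two pitfalls the page warns about. The authentee, the header configurations and the list of protected header names are constructed assumptions.

```python
# Constructed authentee, not real user data.
AUTHENTEE = {
    "username": "smith",
    "roles": ["customer", "employee"],
    "info": {"OAUTH2_ACCESS_TOKEN": "access-token-placeholder"},
    "contextData": {"email": "smith@example.com", "language": "de"},
}

# Illustrative set of headers that context data must never clobber (an
# assumption for the lint; the page only says "important HTTP headers").
PROTECTED_HEADERS = {"authorization", "cookie", "host", "content-length"}


def resolve_value(value, authentee):
    """Interpretation of the 'value' property shared by both plugins. Returns
    None when nothing should be set (no roles, missing context data or info key).
    Assumption: roles are rendered as a comma-separated string in both plugins."""
    if value == "@username":
        return authentee["username"]
    if value == "@roles":
        return ",".join(authentee.get("roles", [])) or None
    if value.startswith("@info:"):
        return authentee.get("info", {}).get(value[len("@info:"):])
    return authentee.get("contextData", {}).get(value)


def request_headers(header_configs, authentee, mapping=None):
    """Plain User Data Header: headers for a back-end request on the given
    Airlock Gateway mapping. Each config dict uses the YAML property names."""
    headers = {}
    for cfg in header_configs:
        mappings = cfg.get("mappingNames") or []
        if mappings and mapping not in mappings:
            continue
        prefix = f"{cfg['valuePrefix']} " if cfg.get("valuePrefix") else ""
        if cfg["value"] == "@all-context-data":
            # One header per context data entry; the 'name' property is ignored.
            for key, val in authentee.get("contextData", {}).items():
                headers[key] = prefix + val
            continue
        val = resolve_value(cfg["value"], authentee)
        if val is not None:
            headers[cfg["name"]] = prefix + val
    return headers


def response_headers(header_configs, authentee):
    """Plain User Data Response Header: headers for the identity propagation
    response; a header is omitted when its value cannot be resolved."""
    headers = {}
    for cfg in header_configs:
        val = resolve_value(cfg["value"], authentee)
        if val is None:
            continue
        encoder = cfg.get("encoder")  # optional callable standing in for the Encoder plugin
        headers[cfg["name"]] = encoder(val) if encoder else val
    return headers


def lint_request_headers(header_configs, context_data_keys):
    """Configuration checks derived from the page's notes: no header both global
    and mapping-specific, and @all-context-data must not shadow other headers."""
    problems = []
    explicit = [c for c in header_configs if c["value"] != "@all-context-data"]
    global_names = {c["name"].lower() for c in explicit if not c.get("mappingNames")}
    mapped_names = {c["name"].lower() for c in explicit if c.get("mappingNames")}
    for name in sorted(global_names & mapped_names):
        problems.append(f"header '{name}' is defined globally and on a mapping")
    if any(c["value"] == "@all-context-data" for c in header_configs):
        for key in context_data_keys:
            if key.lower() in global_names | mapped_names | PROTECTED_HEADERS:
                problems.append(f"context data key '{key}' would overwrite header '{key}'")
    return problems
```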

    Attributes
    String
    Mandatory
    Suggested values
    @username, @roles, givenname, surname, country, email, company, language, auth_method
    Encoder (encoder)
    Description
    Encodes the header value.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.application.configuration.header.PlainUserDataResponseHeader
    id: PlainUserDataResponseHeader-xxxxxx
    displayName: 
    comment: 
    properties:
      encoder:
      name:
      value:
    

    Primary Key Lookup

    Description
    This username transformer is not designed to transform usernames but it can make the transformer chain more efficient. Because lookups and transformations of username aliases may be inefficient, this plugin takes a user store and checks if a user with the given user ID exists. If the user store finds a user, the transformer chain is interrupted (no further transformations are applied). The ID of the retrieved user is returned as the transformation result. This makes this plugin also suitable to look up the stored user ID from a case-insensitive database.
    Class
    com.airlock.iam.core.misc.impl.authen.PrimaryKeyLookupTransformer
    May be used by
    Properties
    User Store (userStore)
    Description
    This user store is used to load the user. If the user is found, the chain of transformers is stopped.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.PrimaryKeyLookupTransformer
    id: PrimaryKeyLookupTransformer-xxxxxx
    displayName: 
    comment: 
    properties:
      userStore:
    

    Print Airlock 2FA Activation Letters

    Description
    Settings for printing a user's device activation letter to a file.
    Class
    com.airlock.iam.admin.application.configuration.airlock2fa.Airlock2FAActivationLetterPrintingConfig
    May be used by
    License-Tags
    Airlock2FA
    Properties
    Renderer (renderer)
    Description
    Defines how activation letters (e.g. PDFs) are rendered.

    The following placeholders can be used in the templates

    • ${User Context Data Name} - context data of the user.
    • ${activationQRCode} - QR code image for the activation. Image size in document can be adjusted: ${activationQRCode,imageSize,width in points,height in points}
    • ${expires} - expiring date of the activation. Can be used with extended format (e.g. ${expires,date,short})

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Working Directory (workingDirectory)
    Description
    A writable directory used to store a partially rendered activation letter.
    If this property is defined, activation letters are not directly generated into the output directory (see other property) but they are generated into this working directory and are then moved into the output directory once they are done.
    This helps to solve problems with processes that automatically read the rendered activation letters and therefore might not see the fully rendered result. Make sure that the working directory and the output directory reside in the same file system (otherwise the moving of the generated file will not be atomic).
    The directory is either absolute or relative to the JVM's current directory.
    Attributes
    File/Path
    Optional
    Output Directory (outputDirectory)
    Description
    The directory where the printable letters will be stored.
    Attributes
    File/Path
    Mandatory
    Language Context Data Name (languageContextDataName)
    Description
    The user's context data attribute containing its language. The language is used to choose the template in the renderer. If left empty, the default template will be used.
    Attributes
    String
    Optional
    Suggested values
    language
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.airlock2fa.Airlock2FAActivationLetterPrintingConfig
    id: Airlock2FAActivationLetterPrintingConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      languageContextDataName:
      outputDirectory:
      renderer:
      workingDirectory:
    

    Property Credential Persister

    Description

    A credential persister plugin that uses a properties file as storage. The plugin is intended for demo and testing.

    It is fully functional and can be accessed concurrently, but it is not optimized for performance, and it does not scale to a large number of entries. It keeps everything in memory and reads and writes the whole data file.

    The following keys are used:

    • cred-active
    • cred-ordered
    • cred-ordered-user
    • cred-ordered-date
    • cred-binary-data
    • cred-string-data
    • cred-delivery-date
    • cred-generation-date
    • cred-serial
    • cred-next-binary-data
    • cred-next-string-data
    • cred-next-delivery-date
    • cred-next-generation-date
    • cred-next-serial

    The properties are stored in the following format: userid.selector.key = value

    Class
    com.airlock.iam.core.misc.impl.persistency.property.PropertyCredentialPersister
    May be used by
    Properties
    File (file)
    Description

    Path to the properties file used to store the credential data.

    This is either an absolute path, or a path relative to the config directory. If the file does not exist, it is created by the plugin.

    Attributes
    File/Path
    Optional
    Default value
    users.properties
    Is Binary Credential (isBinaryCredential)
    Description
    Set this property to true if the credential is stored as binary format instead of text.
    Attributes
    Boolean
    Optional
    Default value
    false
    Context Data Keys (contextDataKeys)
    Description
    A list of property keys used for the context data container. All context data columns are treated as strings.
    Attributes
    String-List
    Optional
    Other Credentials Delivery Dates (otherCredentialsDeliveryDates)
    Description

    Comma-separated list of secondary keys pointing to other credentials' delivery dates.

    Note that if you intend to reference properties from other persisters, you need to store them in the same file.

    Attributes
    String
    Optional
    Example
    othercred.cred-delivery-date
    Example
    password-delivery-date
    Selector (selector)
    Description

    A selector string used in the key to store the values of this credential. This is needed to allow storing different credentials in the same file (e.g. the file with all user data).

    This selector is not used for context data and other credential delivery dates.

    Attributes
    String
    Mandatory
    Example
    otp
    Example
    mtan
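    An added example (not Airlock IAM code) of reading the "userid.selector.key = value" layout this persister uses: it parses a constructed users.properties, collects one credential by user ID and selector, validates the keys against the list above, and resolves the selector-less "Other Credentials Delivery Dates" and context data entries. It assumes '=' as separator and that neither user ID nor selector contains a dot; the Property Token List Persister below shares the same file layout.

```python
# Keys the page lists for a credential entry.
CREDENTIAL_KEYS = {
    "cred-active", "cred-ordered", "cred-ordered-user", "cred-ordered-date",
    "cred-binary-data", "cred-string-data", "cred-delivery-date",
    "cred-generation-date", "cred-serial", "cred-next-binary-data",
    "cred-next-string-data", "cred-next-delivery-date",
    "cred-next-generation-date", "cred-next-serial",
}

# Constructed demo file content in the "userid.selector.key = value" layout.
# Assumptions: '=' separates key and value, and neither user ID nor selector
# contains a dot.
SAMPLE_PROPERTIES = """\
# constructed demo data, not a real user store
smith.otp.cred-active = true
smith.otp.cred-serial = 0001
smith.otp.cred-string-data = constructed-secret
smith.otp.cred-delivery-date = 2024-01-15
smith.otp.cred-next-serial = 0002
smith.mtan.cred-active = false
smith.password-delivery-date = 2023-12-01
smith.email = smith@example.com
jones.otp.cred-active = true
"""


def parse_properties(text):
    """Minimal reader for the subset of the Java properties syntax used here
    ('#'/'!' comments, 'key = value'); the whole file is read into memory."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line without '=': {raw!r}")
        props[key.strip()] = value.strip()
    return props


def dump_properties(props):
    """Write the whole map back, sorted, as the plugin rewrites the entire file."""
    return "".join(f"{k} = {v}\n" for k, v in sorted(props.items()))


def load_credential(props, userid, selector, other_delivery_dates=(), context_data_keys=()):
    """Collect one user's credential stored under 'userid.selector.*', plus the
    selector-less entries for other credentials' delivery dates and context data."""
    prefix = f"{userid}.{selector}."
    cred = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
    unknown = set(cred) - CREDENTIAL_KEYS
    if unknown:
        raise ValueError(f"unknown credential keys for {userid}/{selector}: {sorted(unknown)}")
    cred["other-delivery-dates"] = {k: props.get(f"{userid}.{k}") for k in other_delivery_dates}
    cred["context-data"] = {k: props.get(f"{userid}.{k}") for k in context_data_keys}
    return cred


def users_with_active_credential(props, selector):
    """User IDs whose credential under the selector is marked active."""
    suffix = f".{selector}.cred-active"
    return sorted(k[: -len(suffix)] for k, v in props.items()
                  if k.endswith(suffix) and v == "true")


if __name__ == "__main__":
    store = parse_properties(SAMPLE_PROPERTIES)
    print(load_credential(store, "smith", "otp", ["password-delivery-date"], ["email"]))
    print(users_with_active_credential(store, "otp"))
```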
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.persistency.property.PropertyCredentialPersister
    id: PropertyCredentialPersister-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataKeys:
      file: users.properties
      isBinaryCredential: false
      otherCredentialsDeliveryDates:
      selector:
    

    Property Maintenance Message Persister

    Description

    A maintenance message persister plugin that uses a properties file as storage. The plugin is intended for demo and testing.

    It is fully functional and can be accessed concurrently, but it is not optimized for performance, and does not scale to a large number of entries. It keeps everything in memory and reads and writes the whole data file.

    Class
    com.airlock.iam.core.misc.impl.persistency.property.PropertyMaintenanceMessagePersister
    May be used by
    License-Tags
    MaintenanceMessages
    Properties
    File (file)
    Description

    Path to the properties file used to store the maintenance messages.

    This is either an absolute path, or a path relative to the IAM installation directory. If the file does not exist, it is created by the plugin.

    Attributes
    File/Path
    Optional
    License-Tags
    MaintenanceMessages
    Default value
    maintenance-messages.properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.persistency.property.PropertyMaintenanceMessagePersister
    id: PropertyMaintenanceMessagePersister-xxxxxx
    displayName: 
    comment: 
    properties:
      file: maintenance-messages.properties
    

    Property Token List Persister

    Description

    A token list (matrix card, grid card TAN-list, etc.) persister plugin that uses a properties file as storage. The plugin is intended for demo and testing.

    It is fully functional and can be accessed concurrently, but it is not optimized for performance, and does not scale to a large number of entries. It keeps everything in memory and reads and writes the whole data file.

    Class
    com.airlock.iam.core.misc.impl.persistency.property.PropertyTokenListPersister
    May be used by
    Properties
    File (file)
    Description

    Path to the properties file used to store the token data.

    This is either an absolute path, or a path relative to the config directory. If the file does not exist, it is created by the plugin.

    Attributes
    File/Path
    Optional
    Default value
    users.properties
    Context Data Keys (contextDataKeys)
    Description
    A list of property keys used for the context data container. All context data columns are treated as strings.
    Attributes
    String-List
    Optional
    Other Credentials Delivery Dates (otherCredentialsDeliveryDates)
    Description

    Comma-separated list of secondary keys pointing to other credentials' delivery dates.

    Note that if you intend to reference properties from other persisters, you need to store them in the same file.

    Attributes
    String
    Optional
    Example
    password-delivery-date
    Example
    otp.cred-delivery-date,mtan.cred-delivery-date
    Selector (selector)
    Description

    A selector string used in the key to store the values of this credential. This is needed to make it possible to store different credentials in the same file (e.g. the file with all user data).

    This selector is not used for context data and other credentials' delivery dates.

    Attributes
    String
    Optional
    Default value
    token-list
    Example
    token-list
    Example
    matrix
    Example
    tan
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.persistency.property.PropertyTokenListPersister
    id: PropertyTokenListPersister-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataKeys:
      file: users.properties
      otherCredentialsDeliveryDates:
      selector: token-list
    

    Property User Persister

    Description

    A user persister plugin that uses a properties file as storage. The plugin is intended for demo and testing.

    It is fully functional and can be accessed concurrently in a read-only manner, but it is not optimized for performance, and does not scale to a large number of entries. It keeps everything in memory and reads and writes the whole data file.

    Class
    com.airlock.iam.core.misc.impl.persistency.property.PropertyUserPersister
    May be used by
    Properties
    File (file)
    Description

    Path to the properties file used to store the user information.

    This is either an absolute path, or a path relative to the config directory. If the file does not exist, it is created by the plugin.

    Attributes
    File/Path
    Optional
    Default value
    users.properties
    Other Credentials Delivery Dates (otherCredentialsDeliveryDates)
    Description

    Comma-separated list of secondary keys pointing to other credentials' delivery dates.

    Note that if you intend to reference properties from other persisters, you need to store them in the same file.

    Attributes
    String
    Optional
    Example
    token-delivery-date
    Example
    token-delivery-date,iak-delivery-date
    Context Data Keys (contextDataKeys)
    Description
    A list of property keys used for the context data container. All context data columns are treated as strings.
    Attributes
    String-List
    Optional
    Additional Insert Data (additionalInsertData)
    Description

    This property defines a list of name/value pairs used in insert statements when a new user is inserted.

    This allows you to add arbitrary fixed or dynamic values when a new user is created. This is useful if some fields may not be NULL but are not inserted by this plugin by default.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.persistency.property.PropertyUserPersister
    id: PropertyUserPersister-xxxxxx
    displayName: 
    comment: 
    properties:
      additionalInsertData:
      contextDataKeys:
      file: users.properties
      otherCredentialsDeliveryDates:
    

    Protected Self-Service Flows

    Description

    Settings for flow-based self-services via protected REST.

    Note that self-service flows require an authenticated flow session which can only be obtained by successfully completing an authentication flow. Request credentials and API access control are not applicable here.

    Class
    com.airlock.iam.selfservice.application.configuration.ProtectedSelfServiceFlowsConfig
    May be used by
    Properties
    Max Failed Factor Attempts (maxFailedFactorAttempts)
    Description
    Maximum number of allowed attempts on a particular factor (like mTAN or Cronto). Factors are typically used to approve operations in self-service flows through a second channel. Whenever this limit is exceeded, the user is locked and the session is terminated. This is a global limit and it is enforced independently of how many retries a particular step allows.
    Attributes
    Integer
    Optional
    Default value
    5
    Legacy Response Behavior (legacyResponseBehavior)
    Description
    If enabled, unauthenticated requests to self-service flow endpoints will be answered with a 403 HTTP status code instead of 401. Additionally, an unauthenticated abort of a self-service flow will be answered with a 204 instead of 401. Enable this option if your clients rely on the undesired behavior of IAM 7.2.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.ProtectedSelfServiceFlowsConfig
    id: ProtectedSelfServiceFlowsConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      flows:
      legacyResponseBehavior: false
      maxFailedFactorAttempts: 5
    

    Protected Self-Service UI

    Description

    User interface configuration for a protected self-service flow.

    The flow can be accessed at /<loginapp-uri>/ui/app/protected/select/flow/<Flow ID> after user authentication.

    Class
    com.airlock.iam.selfservice.application.configuration.ui.SelfServiceUiConfig
    May be used by
    Properties
    Flow ID (flowId)
    Description
    The identifier of the self-service flow that the user interface configuration refers to.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Customized Step UIs (customizedStepUis)
    Description
    The user interface configuration for the steps. Note: if using standard IAM steps, no user interface has to be configured manually.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Show Goto Buttons (showGotoButtons)
    Description

    Show Goto buttons for all configured Goto targets on all pages using default UIs of this flow. Clicking a Goto button will redirect to the corresponding Goto target. The Goto targets are configured in the flows themselves, not the UIs.

    For customized step UIs, Goto buttons have to be configured explicitly using the "Goto Button UI Element" plugin.

    Notice: Goto buttons do not come with pre-defined labels. It is required to add i18n keys and values for each button manually. The key has the following form: 'protected.self-service.pages.actions.goto.<currentStepId>.<targetStepId>'.

    Attributes
    Boolean
    Optional
    Default value
    true
    Maintenance Message UI Settings (maintenanceMessageUiSettings)
    Description
    Settings to define if and how maintenance messages are displayed for this flow. If this property is not set, no maintenance messages are displayed for this flow.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    MaintenanceMessages
    Assignable plugins
    Show Confirmation Page (showConfirmationPage)
    Description
    If enabled, a confirmation page is shown after a completed self-service flow. Otherwise, the user is directly redirected to the configured 'Completion Target' and a corresponding feedback message 'protected.self-service.pages.messages.completed' is shown.
    Attributes
    Boolean
    Optional
    Default value
    true
    Completion Target (completionTarget)
    Description
    The target to redirect to when the self-service flow is successfully completed. If "Show Confirmation Page" is enabled, the page is displayed first and the redirect happens after clicking the "continue" button. If the confirmation page is disabled, this property is mandatory.

    Note: In order to redirect to a target application, redirect to the corresponding "Authentication Flow". If the flow can be skipped due to the obtained tags, the user is forwarded to the target application.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Cancellation Target (cancellationTarget)
    Description
    If configured, shows a cancel button on all pages, except the first, using default UIs of this flow. Clicking the cancel button will abort the flow and redirect to the configured target.

    For customized step UIs, cancel buttons have to be configured explicitly using the "Cancel Button UI Element" plugin.

    Note: In order to redirect to a target application, redirect to the corresponding "Authentication Flow". If the flow can be skipped due to the obtained tags, the user is forwarded to the target application.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.ui.SelfServiceUiConfig
    id: SelfServiceUiConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      cancellationTarget:
      completionTarget:
      customizedStepUis:
      flowFailureTarget:
      flowId:
      maintenanceMessageUiSettings:
      showConfirmationPage: true
      showGotoButtons: true
    

    Protected Self-Service UIs

    Description
    User interface configurations for protected self-service flows.
    Class
    com.airlock.iam.selfservice.application.configuration.ui.SelfServiceUiConfigs
    May be used by
    Properties
    Flow UIs (flowUis)
    Description
    Allows to configure the user interface for the steps belonging to a flow.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Airlock 2FA (airlock2Fa)
    Description
    Enables the Airlock 2FA device management UI.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    mTAN (mtan)
    Description
    Enables the mTAN number management UI.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Device Token (deviceToken)
    Description
    Enables the device token management UI.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Cronto (cronto)
    Description
    Enables the Cronto device management UI.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    FIDO (fido)
    Description
    Enables the FIDO credential management UI.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Application Portal (applicationPortal)
    Description
    Enables the application portal UI.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Account Link Management (accountLinkManagement)
    Description
    Enables the account link management UI.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    OAuth 2.0 Session Management (oAuth2SessionManagement)
    Description
    Enables the OAuth 2.0 session management UI.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    OAuth 2.0 Consent Management (oAuth2ConsentManagement)
    Description
    Enables the OAuth 2.0 Consent Management UI.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Remember-Me Device Management (rememberMeDeviceManagement)
    Description
    Enables the Remember-Me device management UI.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    User Representation (userRepresentation)
    Description
    Enables the user representation UI.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.ui.SelfServiceUiConfigs
    id: SelfServiceUiConfigs-xxxxxx
    displayName: 
    comment: 
    properties:
      accountLinkManagement:
      airlock2Fa:
      applicationPortal:
      cronto:
      deviceToken:
      fido:
      flowUis:
      mtan:
      oAuth2ConsentManagement:
      oAuth2SessionManagement:
      rememberMeDeviceManagement:
      userRepresentation:
    

    Protected Self-Services

    Description
    Settings for protected self-services (i.e. self-services for authenticated users).
    Class
    com.airlock.iam.selfservice.application.configuration.ProtectedSelfServicesConfig
    May be used by
    Properties
    Protected Self-Service Flows (selfServiceFlows)
    Description
    Settings for flow-based self-services in the protected part of the Loginapp REST API.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Airlock 2FA Device List (airlock2FADeviceList)
    Description
    Settings for self-service related to Airlock 2FA device list.

    Additional self-service functionality can be configured in "Protected Self-Service Flows".

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    mTAN Number List (mtanNumberList)
    Description
    Settings for self-services related to mTAN number list.

    Additional self-service functionality can be configured in "Protected Self-Service Flows".

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Device Token List (deviceTokenList)
    Description
    Settings for self-services related to Device Token list.

    Additional self-service functionality can be configured in "Protected Self-Service Flows".

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Cronto Device List (crontoDeviceList)
    Description
    Settings for self-service related to Cronto device list.

    Additional self-service functionality can be configured in "Protected Self-Service Flows".

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    FIDO Credential List (fidoCredentialList)
    Description
    Settings for self-service related to FIDO credential list.

    Additional self-service functionality can be configured in "Protected Self-Service Flows".

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Account Linking Lists (accountLinkingLists)
    Description
    Settings for self-services related to account linking lists (providers and links).

    Additional self-service functionality can be configured in "Protected Self-Service Flows".

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    OAuth 2.0 Session List (oAuth2SessionList)
    Description
    Settings for self-service related to OAuth 2.0 session list.

    Additional self-service functionality can be configured in "Protected Self-Service Flows".

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    OAuth 2.0 Consent List (oAuth2ConsentList)
    Description
    Settings for self-services related to OAuth 2.0 consent list.

    Additional self-service functionality can be configured in "Protected Self-Service Flows".

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Remember-Me Device List (rememberMeDeviceList)
    Description
    Settings for self-service related to Remember-Me device list.

    Additional self-service functionality can be configured in "Protected Self-Service Flows".

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.ProtectedSelfServicesConfig
    id: ProtectedSelfServicesConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accountLinkingLists:
      airlock2FADeviceList:
      crontoDeviceList:
      deviceTokenList:
      fidoCredentialList:
      mtanNumberList:
      oAuth2ConsentList:
      oAuth2SessionList:
      rememberMeDeviceList:
      selfServiceFlows:
    

    Public Self-Service Allowed Condition

    Description
    Condition that is true, if the identified user is allowed to perform a public self-service (i.e. does not violate any of the configured restrictions).
    Class
    com.airlock.iam.publicselfservice.application.configuration.selection.condition.PublicSelfServiceAllowedConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service Flow, Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.selection.condition.PublicSelfServiceAllowedConditionConfig
    id: PublicSelfServiceAllowedConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Public Self-Service Allowed Processor

    Description
    Processor for ensuring that a public self-service flow is aborted when a user no longer conforms to the flow restrictions. This processor becomes active once a user has successfully completed a factor check (typically the identity verification step). From then on, stealth mode is no longer necessary and the violation error code is always returned.
    Class
    com.airlock.iam.publicselfservice.application.configuration.processors.PublicSelfServiceAllowedProcessorConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.processors.PublicSelfServiceAllowedProcessorConfig
    id: PublicSelfServiceAllowedProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Public Self-Service Flow

    Description
    Configuration for a public self-service flow.
    Class
    com.airlock.iam.publicselfservice.application.configuration.flow.PublicSelfServiceFlowConfig
    May be used by
    Properties
    Flow ID (flowId)
    Description
    Unique ID for this flow, which is used for selecting or referencing a flow.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Restrictions (restrictions)
    Description
    Restrictions to define which users are allowed to perform this public self-service. These restrictions are checked for each step of the flow. Typically, it is also possible to configure whether feedback to the user is enabled or not (user enumeration protection).
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Username Transformers (usernameTransformers)
    Description
    Username transformers may transform the provided username into the single unique user ID required for the flow.
    The transformation of a username takes place in the first step, before the user is loaded. Note that username transformers have no effect on the propagated username value. Transformers can be chained: a first transformer could normalize the original name, after which the next transformer looks up the normalized name in a database for potential transformation matches.
    Contrary to the chaining described above, a transformer can also signal that it has already found the final user ID, in which case the chain stops after it.
    For further details please refer to the documentation of the username transformer plugins.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
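    The chaining and stop semantics described above, as an added illustrative model. This is not Airlock IAM code and not its transformer API: the transformer interface, the `final` flag, the alias table and the sample names are assumptions chosen to show why a transformer that has resolved the unique user ID must be able to halt the chain.

```python
"""Illustrative model of chained username transformers (added example, not Airlock IAM code).

It demonstrates the two chaining rules stated in the reference: transformers run
in order, each receiving the previous one's output, and a transformer may signal
that it has found the final user ID, which stops the chain. The transformer
interface, the `final` flag, the alias table and the sample names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class TransformResult:
    user_id: str
    final: bool = False   # True: this is the unique user ID; do not run further transformers


Transformer = Callable[[str], TransformResult]


def normalize(username: str) -> TransformResult:
    """Trim surrounding whitespace and lower-case the name; never final."""
    return TransformResult(username.strip().lower())


def make_alias_lookup(aliases: Dict[str, str]) -> Transformer:
    """Map a normalized alias (e-mail address, legacy login) to the unique user ID.

    A hit is final, so later transformers cannot mangle a resolved ID;
    a miss passes the name through unchanged and the chain continues.
    """
    def lookup(username: str) -> TransformResult:
        if username in aliases:
            return TransformResult(aliases[username], final=True)
        return TransformResult(username)
    return lookup


def strip_domain(username: str) -> TransformResult:
    """Fallback for names without an alias: 'user@corp.example' -> 'user'."""
    return TransformResult(username.split("@", 1)[0])


def resolve_user_id(username: str, chain: List[Transformer]) -> Tuple[str, List[str]]:
    """Run the chain; return the user ID and the names of the transformers that ran."""
    current, applied = username, []
    for transformer in chain:
        result = transformer(current)
        applied.append(transformer.__name__)
        current = result.user_id
        if result.final:
            break
    return current, applied


# Constructed sample alias table and chain (assumptions, not real data)
ALIASES = {"alice@corp.example": "u100042", "legacy-bob": "u100077"}
CHAIN: List[Transformer] = [normalize, make_alias_lookup(ALIASES), strip_domain]

if __name__ == "__main__":
    for name in ["  Alice@Corp.Example ", "carol@corp.example", "Legacy-Bob", "dave"]:
        user_id, applied = resolve_user_id(name, CHAIN)
        print(f"{name!r:24} -> {user_id!r:12} via {' > '.join(applied)}")
```

    The returned trace makes the stop signal visible: an alias hit ends the chain after the lookup, while a miss lets the domain-stripping fallback run. Whatever the chain produces is the single user ID the flow loads; the propagated username value is unaffected, as the reference notes.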
    Initialize Next Auth Flow (initializeNextAuthFlow)
    Description

    If enabled, the next authentication flow after completing this public self-service flow will be initialized with the user identity and tags from the public self-service flow. By combining this feature with authentication flows where steps can be skipped based on tags from public self-service, a non-interactive authentication after completed public self-service can be achieved.

    Information is propagated only if a user has been identified in the public flow.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.flow.PublicSelfServiceFlowConfig
    id: PublicSelfServiceFlowConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      flowId:
      initializeNextAuthFlow: false
      processors:
      restrictions:
      steps:
      usernameTransformers:
    

    Public Self-Service Flow Link

    Description
    Redirects to a public self-service flow.
    Class
    com.airlock.iam.flow.ui.application.configuration.PublicSelfServiceFlowLinkConfig
    May be used by
    Properties
    Flow ID (flowId)
    Description
    ID of the public self-service flow to which a redirect should be performed. Make sure that a UI is configured for this flow.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.PublicSelfServiceFlowLinkConfig
    id: PublicSelfServiceFlowLinkConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      flowId:
    

    Public Self-Service Flow Redirect

    Description
    Redirects to a public self-service flow.
    Class
    com.airlock.iam.publicselfservice.application.configuration.ui.PublicSelfServiceFlowRedirectTargetConfig
    May be used by
    Properties
    Flow ID (flowId)
    Description
    ID of the public self-service flow to which a redirect should be performed. Make sure that a UI is configured for this flow.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.ui.PublicSelfServiceFlowRedirectTargetConfig
    id: PublicSelfServiceFlowRedirectTargetConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      flowId:
    

    Public Self-Service Flows

    Description
    Settings for flow-based public self-services via REST.
    Class
    com.airlock.iam.publicselfservice.application.configuration.PublicSelfServiceFlowsConfig
    May be used by
    Properties
    Flows (flows)
    Description
    The list of available public self-service flows.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Max Failed Factor Attempts (maxFailedAttempts)
    Description

    Maximal number of allowed failed factor attempts. The user is locked if the number of failed attempts for any factor exceeds this limit.

    Security Warning: The "Locked User Restriction" must be configured in order to disallow public self-services for users that have exceeded the allowed number of factor attempts configured in this property. The "Default Password Reset Restrictions" already include this restriction.

    Attributes
    Integer
    Optional
    Default value
    3
    Max Number of Unlocks (maxNumberOfUnlocks)
    Description
    Defines the maximum number of unlocks that can be performed by the user without logging in successfully in between. If not configured, unlocks are not counted. Typically, this limit is only needed if no password is set during the flow, i.e. in an unlock-only flow that gives the user more attempts on the password check. To prevent users with too many unlocks from gaining further attempts, configure the restrictions of the flow in one of the following ways:
    • Use the "Default Self-Unlock Restrictions"
    • Configure the "Too Many Unlocks Restriction" if using the "Custom Public Self-Service Restrictions"
    Attributes
    Integer
    Optional
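    The attempt-limit semantics of this section and of "Max Failed Factor Attempts" in "Protected Self-Service Flows" above, as an added illustrative model. This is not Airlock IAM code: it only models what the reference states (a global, per-factor failure limit that locks the user and ends the session once exceeded, independent of a step's own retry budget; an unlock counter reset only by a successful login; and a lock that keeps a user out of public self-services only if the "Locked User Restriction" is configured). All names, the per-step retry budget, the sample outcomes and the reset of a factor's counter after a successful attempt are assumptions.

```python
"""Illustrative model of IAM's factor-attempt limits (added example, not Airlock IAM code).

Assumptions: the class and function names, the per-step retry budget, the
sample outcomes, and that a successful attempt resets that factor's counter.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AccountState:
    max_failed_factor_attempts: int            # maxFailedFactorAttempts / maxFailedAttempts
    max_unlocks: Optional[int] = None          # maxNumberOfUnlocks; None: unlocks are not counted
    failed: Dict[str, int] = field(default_factory=dict)   # failed attempts per factor ("mtan", ...)
    unlocks_since_login: int = 0
    locked: bool = False

    def record_factor_attempt(self, factor: str, ok: bool) -> bool:
        """Book one attempt on `factor`. Returns True if the user is locked afterwards."""
        if self.locked:
            return True
        if ok:
            self.failed[factor] = 0            # assumption: success resets this factor's counter
            return False
        self.failed[factor] = self.failed.get(factor, 0) + 1
        if self.failed[factor] > self.max_failed_factor_attempts:   # "exceeded", not "reached"
            self.locked = True
        return self.locked

    def self_unlock(self) -> bool:
        """Unlock-only public flow. Refused once the unlock budget is used up."""
        if self.max_unlocks is not None and self.unlocks_since_login >= self.max_unlocks:
            return False
        self.unlocks_since_login += 1
        self.locked = False
        self.failed.clear()
        return True

    def successful_login(self) -> None:
        """Only a successful login resets the unlock counter."""
        self.unlocks_since_login = 0


def run_step(state: AccountState, factor: str, step_retries: int, outcomes: List[bool]) -> str:
    """Model one flow step with its own retry budget (`step_retries`).

    Every attempt is also booked against the global counter in `state`, so the
    user can be locked in the middle of a step whose own budget is not yet spent.
    """
    failures = 0
    for ok in outcomes:
        if state.record_factor_attempt(factor, ok):
            return "locked"                    # session terminated; the step's budget is irrelevant
        if ok:
            return "completed"
        failures += 1
        if failures >= step_retries:
            return "step_failed"               # the step gives up, but the user is not locked
    return "incomplete"


def public_self_service_allowed(state: AccountState, locked_user_restriction: bool) -> bool:
    """The lock keeps a user out of public self-services only if the restriction is configured."""
    return not (locked_user_restriction and state.locked)


if __name__ == "__main__":
    acct = AccountState(max_failed_factor_attempts=5, max_unlocks=2)
    # Two mTAN steps with 3 retries each: each step alone only reaches "step_failed",
    # but the 6th failure overall exceeds the global limit of 5 and locks the user.
    print(run_step(acct, "mtan", 3, [False, False, False]))   # step_failed
    print(run_step(acct, "mtan", 3, [False, False, False]))   # locked
    print(public_self_service_allowed(acct, locked_user_restriction=False))  # True: the warning
    print(public_self_service_allowed(acct, locked_user_restriction=True))   # False
    print([acct.self_unlock() for _ in range(3)])              # [True, True, False]
```

    The scenario shows the two points a practitioner needs to check in a real configuration: the global factor limit bites across steps even when each step stays within its own retries, and a locked user is still admitted to a public flow (and can regain attempts by unlocking) unless the "Locked User Restriction" is part of the flow's restrictions and "Max Number of Unlocks" is enforced by the "Too Many Unlocks Restriction" or the "Default Self-Unlock Restrictions".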
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.PublicSelfServiceFlowsConfig
    id: PublicSelfServiceFlowsConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      flows:
      maxFailedAttempts: 3
      maxNumberOfUnlocks:
    

    Public Self-Service UI

    Description
    User interface for a public self-service flow.

    Note that the corresponding public self-service flow must also be configured in order for this user interface to be available.

    Class
    com.airlock.iam.publicselfservice.application.configuration.ui.PublicSelfServiceUiConfig
    May be used by
    Properties
    Flow ID (flowId)
    Description
    The identifier of the public self-service flow that the user interface configuration refers to.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Customized Step UIs (customizedStepUis)
    Description
    The user interface configuration for the steps. Note: if using standard IAM steps, no user interface has to be configured manually.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Show Goto Buttons (showGotoButtons)
    Description

    Show Goto buttons for all configured Goto targets on all pages using default UIs of this flow. Clicking a Goto button will redirect to the corresponding Goto target. The Goto targets are configured in the flows themselves, not the UIs.

    For customized step UIs, Goto buttons have to be configured explicitly using the "Goto Button UI Element" plugin.

    Notice: Goto buttons do not come with pre-defined labels. It is required to add i18n keys and values for each button manually. The key has the following form: 'public-self-service.pages.actions.goto.<currentStepId>.<targetStepId>'.

    Attributes
    Boolean
    Optional
    Default value
    true
    Maintenance Message UI Settings (maintenanceMessageUiSettings)
    Description
    Settings to define if and how maintenance messages are displayed for this flow. If this property is not set, no maintenance messages are displayed for this flow.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    MaintenanceMessages
    Assignable plugins
    Completion Target (completionTarget)
    Description
    The target to redirect to when the public self-service flow is successfully completed. If "Show Confirmation Page" is enabled, the page is displayed first and the redirect happens after clicking the "continue" button. If the confirmation page is disabled, this property is mandatory.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Cancellation Target (cancellationTarget)
    Description
    If configured, shows a cancel button on all pages, except the first, using default UIs of this flow. Clicking the cancel button will abort the flow and redirect to the configured target.

    For customized step UIs, cancel buttons have to be configured explicitly using the "Cancel Button UI Element" plugin.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Show Cancel Button On First Page (showCancelButtonOnFirstPage)
    Description
    If enabled, displays the cancel button also on the first interactive page of the flow. This can be useful if the "Cancellation Target" redirects to another flow or external page.

    Note that even if this flag is disabled, a cancel button on the first page is always shown when the first page is reached again during the flow, e.g. by a Goto.

    Attributes
    Boolean
    Optional
    Default value
    false
    Show Confirmation Page (showConfirmationPage)
    Description
    If enabled, a confirmation page is shown after a completed public self-service. Otherwise, the user is directly redirected to the configured 'Completion Target' and a corresponding feedback message 'public-self-service.pages.messages.completed' is shown.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.ui.PublicSelfServiceUiConfig
    id: PublicSelfServiceUiConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      cancellationTarget:
      completionTarget:
      customizedStepUis:
      flowFailureTarget:
      flowId:
      maintenanceMessageUiSettings:
      showCancelButtonOnFirstPage: false
      showConfirmationPage: true
      showGotoButtons: true
    

    Public Self-Service UIs

    Description
    User interface configurations for public self-service flows.
    Class
    com.airlock.iam.publicselfservice.application.configuration.ui.PublicSelfServiceUiConfigs
    May be used by
    Properties
    Flow UIs (flowUis)
    Description
    Allows configuring the user interface for the steps belonging to a flow.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.ui.PublicSelfServiceUiConfigs
    id: PublicSelfServiceUiConfigs-xxxxxx
    displayName: 
    comment: 
    properties:
      flowUis:
    

    Public/Private JWK Configuration

    Description
    Configuration for retrieving a public/private JWK, stored in a keystore.
    Class
    com.airlock.iam.common.application.configuration.jwt.JWKPairFromKeyStoreConfig
    May be used by
    Properties
    Key Store (keyStore)
    Description
    The Keystore containing the corresponding private/public keypair.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Key Pair Alias (keyPairAlias)
    Description
    Entry name of the Public/Private Keypair in the keystore.
    Attributes
    String
    Mandatory
    Private Key Password (privateKeyPassword)
    Description
    Password for decrypting the private key configured above. Can be left empty if the private key was not encrypted.
    Attributes
    String
    Optional
    Sensitive
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.jwt.JWKPairFromKeyStoreConfig
    id: JWKPairFromKeyStoreConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      keyPairAlias:
      keyStore:
      privateKeyPassword:
    

    Query Parameter URI Transformation

    Description
    Transforms a URI by replacing it with a URI taken from a query parameter. Vetoes the entire transformation if the query parameter with the given name doesn't exist, or if it doesn't contain a valid URI.
    Class
    com.airlock.iam.login.application.configuration.location.transform.QueryParameterToURITransformerConfig
    May be used by
    Properties
    Parameter Name (parameterName)
    Description
    The name of the query parameter that contains the URI to extract.
    Attributes
    String
    Mandatory
    Example
    location
    Stop After Successful Transformation (stopAfterSuccessfulTransformation)
    Description
    If this flag is set, the transformation doesn't continue after this transformer, and the extracted URI is used as the overall result of the entire transformer chain.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.location.transform.QueryParameterToURITransformerConfig
    id: QueryParameterToURITransformerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      parameterName:
      stopAfterSuccessfulTransformation: false
    

    Query Parameter URI Value Extraction

    Description
    Extracts a query parameter of the input URI.
    Class
    com.airlock.iam.login.application.configuration.location.extract.QueryParameterURIValueExtractorConfig
    May be used by
    Properties
    Parameter Name (parameterName)
    Description
    The name of the query parameter that contains the URI to extract.
    Attributes
    String
    Mandatory
    Example
    lang
    Example
    Location
    Allowed URI Patterns (allowedUriPatterns)
    Description

    A list of regular expressions defining the allowed URI patterns.

    A URI is accepted if at least one of the configured regular expressions matches.

    If no patterns are defined, no restrictions apply.

    Attributes
    RegEx-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.location.extract.QueryParameterURIValueExtractorConfig
    id: QueryParameterURIValueExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedUriPatterns:
      parameterName:
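    Added example (not Airlock IAM code) showing the behaviour described for the two query-parameter plugins above: the extraction with its allowed-pattern check, and the transformation with its veto and stop semantics, modelled as a small transformer chain. The sample URIs, the is_valid_uri stand-in and the use of whole-value pattern matching are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional, Sequence
from urllib.parse import parse_qs, urlsplit


def is_valid_uri(candidate: str) -> bool:
    """Conservative stand-in for 'valid URI': scheme and host must be present.

    Assumption: the reference does not define what the product accepts as a
    valid URI, so this check is deliberately strict rather than faithful.
    """
    try:
        parts = urlsplit(candidate)
    except ValueError:          # e.g. malformed IPv6 brackets
        return False
    return bool(parts.scheme) and bool(parts.netloc)


def extract_query_parameter_uri(input_uri: str, parameter_name: str,
                                allowed_uri_patterns: Sequence[str] = ()
                                ) -> Optional[str]:
    """Query Parameter URI Value Extraction: value of the parameter, or None.

    With patterns configured, the value is accepted only if at least one of
    them matches; without patterns, no restriction applies (as documented).
    Assumption: patterns are applied to the whole value (re.fullmatch), so a
    pattern like https://app\\.example\\.test/.* is not satisfied by a value
    that merely starts with that prefix.
    """
    try:
        query = parse_qs(urlsplit(input_uri).query)
    except ValueError:
        return None
    values = query.get(parameter_name)
    if not values:
        return None
    value = values[0]
    if allowed_uri_patterns and not any(
            re.fullmatch(p, value) for p in allowed_uri_patterns):
        return None
    return value


@dataclass
class TransformResult:
    uri: Optional[str]   # None: the whole transformation is vetoed
    stop: bool = False   # True: this URI is the result of the entire chain


def query_parameter_uri_transformer(
        parameter_name: str, stop_after_successful_transformation: bool = False
        ) -> Callable[[str], TransformResult]:
    """Query Parameter URI Transformation: replace the URI with the one in the
    named query parameter; veto if it is missing or not a valid URI."""
    def transform(uri: str) -> TransformResult:
        candidate = extract_query_parameter_uri(uri, parameter_name)
        if candidate is None or not is_valid_uri(candidate):
            return TransformResult(uri=None)
        return TransformResult(uri=candidate,
                               stop=stop_after_successful_transformation)
    return transform


def run_chain(uri: str,
              transformers: Sequence[Callable[[str], TransformResult]]
              ) -> Optional[str]:
    """Run a transformer chain: a veto aborts with None; stop short-circuits."""
    for transformer in transformers:
        result = transformer(uri)
        if result.uri is None:
            return None
        uri = result.uri
        if result.stop:
            break
    return uri


if __name__ == "__main__":
    # Constructed request URI for demonstration (not taken from the reference).
    login_uri = ("https://iam.example.test/auth"
                 "?location=https%3A%2F%2Fapp.example.test%2Fhome&lang=de")
    print(extract_query_parameter_uri(login_uri, "lang"))
    print(run_chain(login_uri, [query_parameter_uri_transformer("location")]))
```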
    

    Radio Buttons UI Element

    Description
    Displays radio buttons.
    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiRadioConfig
    May be used by
    Properties
    Label (label)
    Description
    Label for the radio button. The UI treats it as a key to translate. If there is no translation, the configured value is what is shown in the UI.
    Attributes
    String
    Mandatory
    Validation RegEx: [a-zA-Z0-9]+((\.|-)[a-zA-Z0-9]+)*
    Property (property)
    Description
    The property of the radio button. This property will be sent to the server via REST as part of a JSON object. For example, if the property name is 'gender' and the options allow one of the values 'male' or 'female' with 'female' being chosen, the JSON sent to the server will be as follows: {"gender": "female"}.
    Attributes
    String
    Mandatory
    Validation RegEx: [a-zA-Z0-9_]+(\.[a-zA-Z0-9_]+)*
    Example
    gender
    Example
    deviceType
    Required (required)
    Description
    Requires a value to be chosen.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Inline (inline)
    Description
    Whether all radio button options should be rendered on one horizontal line or not.
    Attributes
    Boolean
    Optional
    Default value
    true
    Options (options)
    Description
    Defines the list of options to choose from.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    HTML ID (htmlId)
    Description
    The ID of the element in the HTML. If no ID is set, the 'property' is used as the ID.
    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9_]+
    Submit To Server (submitToServer)
    Description
    If enabled, this value is submitted to the server. Otherwise, it is only used locally (e.g. to confirm inputs of other fields).
    Attributes
    Boolean
    Optional
    Default value
    true
    Initial Value Query (initialValueQuery)
    Description
    JSONPath query to fetch the field value from the initial REST call response. Requires an initial REST call to be configured in this custom step UI. If the query yields multiple results, the first one is set as the initial value and all others are discarded.

    See the JSONPath documentation for the full documentation: https://github.com/dchester/jsonpath

    Examples:

    Assume the initial REST call returns the following JSON response:

    {
     "meta": {
       "type": "jsonapi.metadata.document",
       "timestamp": "2023-03-10T13:06:01.294+02:00"
     },
     "data": [
      {
        "type": "user",
        "id": "user1",
        "attributes": {
          "contextData": {
             "givenname": "User1",
             "surname": "FSMTest",
             "roles": "customerA"
          }
        }
      },
      {
        "type": "user",
        "id": "user2",
        "attributes": {
          "contextData": {
            "givenname": "User2",
            "surname": "FSMTest",
            "roles": "customerB"
          }
        }
      }
     ]
    }
    

    The following table shows the results of various JSONPath queries given the JSON above:

    Description | JSONPath Query | Extracted Initial Value
    Static path from the root | $.meta.type | jsonapi.metadata.document
    The role of the user whose id equals "user1" | $.data[?(@.id == 'user1')].attributes.contextData.roles | customerA
    The number of users | $.data.length | 2
    All "givenname" attributes (note: this query yields multiple results; the first one is set as the initial value, the rest is discarded) | $..givenname | User1
    Attributes
    String
    Optional
    Example
    $.store.bicycle.color
    Example
    $..phoneNumber
    Example
    $..data[?(@.id == 'language')].attributes.currentValue
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiRadioConfig
    id: ConfigurableUiRadioConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      htmlId:
      initialValueQuery:
      inline: true
      label:
      options:
      property:
      required:
      submitToServer: true
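    Added example (not the product's code and not the dchester/jsonpath library) that evaluates the JSONPath subset used in the Initial Value Query table above against a copy of the sample response and applies the first-match rule. The syntax it accepts is deliberately limited to what that table needs; tokenize, jsonpath_query and initial_value are names chosen for this example.

```python
import json
import re
from typing import Any, List, Optional

# Constructed copy of the initial REST call response shown in the reference.
INITIAL_RESPONSE = json.loads("""
{"meta": {"type": "jsonapi.metadata.document",
          "timestamp": "2023-03-10T13:06:01.294+02:00"},
 "data": [
  {"type": "user", "id": "user1", "attributes": {"contextData":
    {"givenname": "User1", "surname": "FSMTest", "roles": "customerA"}}},
  {"type": "user", "id": "user2", "attributes": {"contextData":
    {"givenname": "User2", "surname": "FSMTest", "roles": "customerB"}}}]}
""")

# Supported syntax: $, .name, ..name and [?(@.field == 'value')]. Anything
# else (wildcards, slices, script expressions) is rejected on purpose.
_TOKEN = re.compile(r"""
      \.\.(?P<deep>[A-Za-z_]\w*)
    | \.(?P<child>[A-Za-z_]\w*)
    | \[\?\(@\.(?P<ffield>[\w.]+)\s*==\s*'(?P<fval>[^']*)'\)\]
""", re.VERBOSE)


def tokenize(query: str) -> List[tuple]:
    """Split a query into ('child', name), ('deep', name) or
    ('filter', field, value) tokens; raise on unsupported syntax."""
    if not query.startswith("$"):
        raise ValueError("JSONPath query must start with '$'")
    pos, tokens = 1, []
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if m is None:
            raise ValueError(f"unsupported JSONPath syntax near {query[pos:]!r}")
        if m.group("deep"):
            tokens.append(("deep", m.group("deep")))
        elif m.group("child"):
            tokens.append(("child", m.group("child")))
        else:
            tokens.append(("filter", m.group("ffield"), m.group("fval")))
        pos = m.end()
    return tokens


def _child(node: Any, name: str) -> List[Any]:
    """Member access; as in the JavaScript library, arrays expose 'length'."""
    if isinstance(node, dict) and name in node:
        return [node[name]]
    if isinstance(node, list) and name == "length":
        return [len(node)]
    return []


def _descendants(node: Any):
    """Depth-first walk over the node and everything nested in it ('..')."""
    yield node
    if isinstance(node, dict):
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        children = []
    for child in children:
        yield from _descendants(child)


def _apply(token: tuple, nodes: List[Any]) -> List[Any]:
    """Apply one token to every current node, keeping document order."""
    out: List[Any] = []
    for node in nodes:
        if token[0] == "child":
            out.extend(_child(node, token[1]))
        elif token[0] == "deep":
            out.extend(d[token[1]] for d in _descendants(node)
                       if isinstance(d, dict) and token[1] in d)
        else:  # filter: keep array elements whose field equals the literal
            _, field, value = token
            for item in (node if isinstance(node, list) else [node]):
                current = [item]
                for part in field.split("."):
                    current = [c for n in current for c in _child(n, part)]
                if current and str(current[0]) == value:
                    out.append(item)
    return out


def jsonpath_query(doc: Any, query: str) -> List[Any]:
    """All matches of the query against doc, in document order."""
    nodes = [doc]
    for token in tokenize(query):
        nodes = _apply(token, nodes)
    return nodes


def initial_value(doc: Any, query: str) -> Optional[Any]:
    """Initial Value Query rule: the first match is used, the rest discarded."""
    matches = jsonpath_query(doc, query)
    return matches[0] if matches else None
```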
    

    Radius Authentication Service

    Description
    A RADIUS server implementation that provides the authentication scheme defined by a configurable underlying authenticator as a RADIUS service.
    Class
    com.airlock.iam.servicecontainer.app.application.configuration.radius.RadiusServiceConfig
    May be used by
    License-Tags
    RadiusServer
    Properties
    Password Settings (passwordSettings)
    Description
    The password settings. If defined, password change is enabled over the RADIUS interface.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Enable Password Change (enablePasswordChange)
    Description
    If enabled, password change is enabled over the RADIUS interface (requires password settings).
    Attributes
    Boolean
    Optional
    Default value
    false
    Port (port)
    Description
    The port the RADIUS service listens on. Typically port 1812 is used (1645 on older systems).
    Attributes
    Integer
    Mandatory
    Interface Ip (interfaceIp)
    Description
    The IP address of the interface the RADIUS server should listen on. This property is optional: if it is not set, the RADIUS service listens on all local interfaces.
    Attributes
    String
    Optional
    Example
    192.168.1.13
    Example
    127.0.0.1
    Example
    localhost
    Shared Secret (sharedSecret)
    Description
    The shared secret for the Radius service. The shared secret is used to protect sensitive information being sent from the Radius client to the Radius server. Since charsets on the server and the client may differ, use only ASCII characters (and choose a longer secret).
    Attributes
    String
    Mandatory
    Sensitive
    Example
    secret4th1ss3rv3r
    Example
    s843bdfl03h4
    Example
    wonttellu
    Temporary Locking Settings (temporaryLockingSettings)
    Description
    Configures the behavior of temporary user locking. Note that, unlike in the login application, responses are not delayed (so as not to trigger UDP retransmissions); instead, any further request falling into the temporary lock timeout is refused immediately with a special message.
    When enabling temporary locking, either a linear or an exponential factor must be provided; otherwise the setting has no effect. Additionally, a user persister must be specified that provides the number of failed logins and the time of the last login attempt.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    User Persister (userPersister)
    Description
    The user persister used to calculate the temporary locking and to read out roles after a mandatory password change.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Authorization Settings (authorizationSettings)
    Description
    Check user authorizations, i.e. check if the user may access the requested service or not. If not configured, no authorization checks are performed.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Charset For Password (charsetForPassword)
    Description
    The charset to be used to decode the password. Leave empty to use the JVM default charset.
    Attributes
    String
    Optional
    Suggested values
    UTF-8, ISO-8859-1
    Blocking If Asynchronous (blockingIfAsynchronous)
    Description

    Certain authenticators support asynchronous authentication requests. That is, instead of a final result like accept or reject, an 'authentication pending' result is returned and the caller (in this case the radius service) must call the authenticator repeatedly to get a final result.

    If this flag is enabled, the radius service performs the polling and blocks the response until a final result is available. If the flag is disabled, a response is immediately returned to the radius client, asking for a fake challenge (see property 'asynchronousReplyMessage'). When the challenge is returned (content is ignored), the authenticator is queried again and so on.

    Note: If the radius service is blocking, the UDP timeout on the client side must be configured to be at least as long as the authenticator timeout.

    Attributes
    Boolean
    Optional
    Default value
    true
    Authenticator Polling Interval Millis (authenticatorPollingIntervalMillis)
    Description
    If "Blocking If Asynchronous" is TRUE, the number of milliseconds the RADIUS service pauses between two polls of the authenticator for a new status.
    Attributes
    Integer
    Optional
    Default value
    5000
    Authenticator Polling Timeout [s] (authenticatorPollingTimeoutSecs)
    Description
    If "Blocking If Asynchronous" is TRUE, the number of seconds the RADIUS service keeps polling the authenticator before returning a failure.
    Attributes
    Integer
    Optional
    Default value
    60
    Airlock 2FA Passcode Fallback (airlock2FAPasscodeFallback)
    Description
    If Airlock 2FA is used and "Blocking If Asynchronous" is enabled, fall back to Passcode after "Authenticator Polling Timeout [s]". Otherwise, the authentication is cancelled after the timeout.
    Attributes
    Boolean
    Optional
    Default value
    true
    Sso Attribute (ssoAttribute)
    Description
    If this attribute is set, the RADIUS server includes the plain password credential in an attribute in the RADIUS Access-Accept response when authentication succeeded.
    The corresponding RADIUS attribute is used to transport the password to the RADIUS client. (The "Class" attribute has id 25, the "Filter-Id" attribute has id 11). Leave this property empty (or do not define the property) to turn this feature off.

    CAUTION: If the feature is used, the password is sent in plaintext to the RADIUS client. This may be a security risk depending on the setup.

    Attributes
    String
    Optional
    Allowed values
    Class, Filter-Id
    Radius Roles Configuration (radiusRolesConfiguration)
    Description
    Use this property to enable returning user roles in Access-Accept messages. This enables the RADIUS client to enforce authorization decisions made by Airlock IAM. If the property is undefined, no roles are returned.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Log Radius Requests (logRadiusRequests)
    Description
    If enabled, all RADIUS requests are logged together with the client IP, NAS-Identifier and username. The log is written with INFO level.
    Attributes
    Boolean
    Optional
    Default value
    false
    Session Table Size (sessionTableSize)
    Description
    Determines the maximum number of open authentication sessions that are kept in the Radius server.

    This value should be increased in high-traffic situations if authentication sessions are lost.

    Attributes
    Integer
    Optional
    Default value
    4096
    Retransmission Table Size (retransmissionTableSize)
    Description
    Determines the maximum number of handled packets that are kept in the RADIUS server in order to detect retransmissions of packets.

    This value should be increased in high-traffic situations when retransmitted packets are not detected and requests are therefore answered twice.

    Attributes
    Integer
    Optional
    Default value
    1024
    Retransmission Interval Millis (retransmissionIntervalMillis)
    Description
    Determines the maximum number of milliseconds between two identical looking requests such that they are still considered to be the same request (retransmission).

    This value should be increased when a Radius client sends retransmissions after more than the indicated time. The value should be lowered if Radius requests are ignored because identical requests are sent within the indicated amount of milliseconds.

    Attributes
    Long
    Optional
    Default value
    30000
    Packet Buffer Size (packetBufferSize)
    Description
    Determines the maximum size of a received UDP packet in bytes.

    This value should be increased if problems occur because only parts of extraordinarily long RADIUS packets are received.

    Attributes
    Integer
    Optional
    Default value
    8192
    Use Rsa Ace Compatibility Mode (useRsaAceCompatibilityMode)
    Description
    Specifies whether the RSA/ACE compatibility mode is used. If set to "TRUE", this server behaves like an RSA/ACE service would (important for some clients to distinguish next-token mode from new-PIN mode).
    When this mode is enabled, only authenticators that return ACE-like responses can be used. It can, for example, be used in combination with challenge-response authenticators.
    Attributes
    Boolean
    Optional
    Default value
    false
    Static Rejected User (staticRejectedUser)
    Description

    Allows definition of a static test user for external monitoring of the Radius service. All login attempts with the static test user are rejected immediately without generating logfile entries. Even if the log level is set to DEBUG and option "logRadiusRequests" is enabled, requests with the static test user will not be logged.

    Note: The static test user name must not coincide with an existing user name. Otherwise, the corresponding user will not be able to log in.

    Attributes
    String
    Optional
    Length >= 4
    Example
    _RejectedUser
    Access Accept Reply Message (accessAcceptReplyMessage)
    Description
    Specifies the reply message sent with an Access-Accept response.
    Some RADIUS clients (such as keyboard-interactive authentication) may display this to the user. Other clients may make their behavior dependent on this message.

    If not set, no reply message will be included in Access-Accept responses.
    Attributes
    String
    Optional
    Default value
    Login successful.
    Example
    Authentication successful
    Example
    Access granted
    Access Accept Password Changed Reply Message (accessAcceptPasswordChangedReplyMessage)
    Description
    Specifies the reply message sent with an Access-Accept response after the password has been changed successfully.
    Some RADIUS clients (such as keyboard-interactive authentication) may display this to the user. Other clients may make their behavior dependent on this message.

    If not set, property "Access Accept Reply Message" will be included in Access-Accept responses.
    Attributes
    String
    Optional
    Default value
    Login and password change successful.
    Example
    Authentication after password change successful
    Example
    Access after password change granted
    Access Denied Reply Message (accessDeniedReplyMessage)
    Description
    Specifies the reply message sent with an Access-Denied response.
    Some RADIUS clients (such as keyboard-interactive authentication) may display this to the user. Other clients may make their behavior dependent on this message.

    If not set, no reply message will be included in Access-Denied responses.
    Attributes
    String
    Optional
    Default value
    Login failed.
    Example
    Authentication failed
    Example
    Access denied
    User Locked Reply Message (userLockedReplyMessage)
    Description
    Specifies the reply message sent with an Access-Denied response because the user account is locked.
    Some RADIUS clients (such as keyboard-interactive authentication) may display this to the user. Other clients may make their behavior dependent on this message.

    If not set, the general access denied message (see separate property) is used.
    Attributes
    String
    Optional
    Default value
    Your user account is locked.
    Example
    Account locked.
    Example
    Your account has been locked for security reasons. Please contact our hotline.
    User Temporarily Locked Reply Message (userTemporarilyLockedReplyMessage)
    Description
    Specifies the reply message sent with an Access-Denied response because the user account is temporarily locked. This only happens if Temporary Locking settings and the user persister are configured.
    Some RADIUS clients (such as keyboard-interactive authentication) may display this to the user. Other clients may make their behavior dependent on this message.

    If not set, the general access denied message (see separate property) is used.
    Attributes
    String
    Optional
    Default value
    Your user account has been locked temporarily. Please try again in a few minutes.
    Example
    Account temporarily locked; please try again in a few minutes.
    Not Authorized Reply Message (notAuthorizedReplyMessage)
    Description
    Specifies the reply message sent with an Access-Denied response because the user is not authorized (not enough rights).
    Some RADIUS clients (such as keyboard-interactive authentication) may display this to the user. Other clients may make their behavior dependent on this message.

    If not set, no reply message will be included in the responses.
    Attributes
    String
    Optional
    Default value
    Access denied. Not enough access rights.
    Example
    Not authorized.
    Example
    Not enough rights
    Next Token Mode Reply Message (nextTokenModeReplyMessage)
    Description
    Specifies the reply message sent with an Access-Challenge response when in next-token mode.
    Some RADIUS clients (such as keyboard-interactive authentication) may display this to the user. Other clients may make their behavior dependent on this message.

    If not set, no reply message will be included in Access-Challenge responses.
    Attributes
    String
    Optional
    Default value
    Please wait for the NEXT token and enter it.
    Example
    Enter next token
    Example
    Please wait for next token and enter it
    New Pin Reply Message (newPinReplyMessage)
    Description
    Specifies the reply message sent with an Access-Challenge response when in new-pin mode.
    Some RADIUS clients (such as keyboard-interactive authentication) may display this to the user. Other clients may make their behavior dependent on this message.

    If not set, no reply message will be included in Access-Challenge responses.
    Attributes
    String
    Optional
    Default value
    Please choose a new PIN.
    Example
    Set new PIN
    Example
    Please set a new PIN
    Pin Accepted Reply Message (pinAcceptedReplyMessage)
    Description
    Specifies the reply message sent with an Access-Challenge response when in pin-accepted state.
    Some RADIUS clients (such as keyboard-interactive authentication) may display this to the user. Other clients may make their behavior dependent on this message.

    If not set, no reply message will be included in Access-Challenge responses.
    Attributes
    String
    Optional
    Default value
    PIN accepted. Please wait for the NEXT token and enter it.
    Example
    PIN Accepted. Enter next token
    Example
    PIN changed. Please wait for next token and enter it
    Token Required Reply Message (tokenRequiredReplyMessage)
    Description
    Specifies the reply message sent with an Access-Challenge response when a token is required. Use the variable ${LAST_USED_TOKEN} to include the last used token (may be an empty string!).
    Some RADIUS clients (such as keyboard-interactive authentication) may display this to the user. Other clients may make their behavior dependent on this message.

    If not set, no reply message will be included in Access-Challenge responses.
    Attributes
    String
    Optional
    Default value
    Please enter next token.
    Example
    Please enter next token. Last used token: ${LAST_USED_TOKEN}
    Example
    Enter token
    Credential Unassigned Reply Message (credentialUnassignedReplyMessage)
    Description
    Specifies the reply message sent with an Access-Denied response when a required credential is not assigned to the user. If not set, no reply message will be included in the Access-Denied response.
    Attributes
    String
    Optional
    Default value
    No authentication token has been assigned to your account.
    Example
    No token has been assigned to your account. Please contact the hotline.
    Index Challenge Reply Message (indexChallengeReplyMessage)
    Description
    Specifies the reply message sent with an Access-Challenge response when an index challenge is sent. This is the case when the underlying authenticator asks for a specific token and references it by an index. Use the variable ${INDEX} to include the index number in the message.
    Some RADIUS clients (such as keyboard-interactive authentication) may display this to the user. Other clients may make their behavior dependent on this message.

    If not set, no reply message will be included in Access-Challenge responses.
    Attributes
    String
    Optional
    Default value
    Please enter token at position ${INDEX}.
    Example
    Please enter token at position ${INDEX}
    Example
    Enter TAN at index ${INDEX}
    Matrix Challenge Reply Message (matrixChallengeReplyMessage)
    Description
    Specifies the reply message sent with an Access-Challenge response when a matrix challenge is sent. This is the case when the underlying authenticator asks for a specific token and references it by one or more coordinate pairs. Use the variable ${CHALLENGE_COORDINATES} to include the coordinate pair(s) in the message.
    Some RADIUS clients (such as keyboard-interactive authentication) may display this to the user. Other clients may make their behavior dependent on this message.

    If not set, no reply message will be included in Access-Challenge responses.
    Attributes
    String
    Optional
    Default value
    Please enter token(s) ${CHALLENGE_COORDINATES}.
    Example
    Please enter tokens ${CHALLENGE_COORDINATES}
    Change Password Reply Message (changePasswordReplyMessage)
    Description
    Specifies the reply message sent with an Access-Challenge response when asking to set a new password.
    Some RADIUS clients (such as keyboard-interactive authentication) may display this to the user. Other clients may make their behavior dependent on this message.

    If not set, no reply message will be included in Access-Challenge responses.
    Attributes
    String
    Optional
    Default value
    Please choose a new password.
    Example
    Set a new password:
    Example
    Your password has expired, please choose a new password:
    Confirm Password Reply Message (confirmPasswordReplyMessage)
    Description
    Specifies the reply message sent with an Access-Challenge response when asking to retype (confirm) the new password.
    Some RADIUS clients (such as keyboard-interactive authentication) may display this to the user. Other clients may make their behavior dependent on this message.

    If not set, no reply message will be included in Access-Challenge responses.
    Attributes
    String
    Optional
    Default value
    Please enter the new password again for confirmation.
    Example
    Re-type the new password:
    Example
    Please re-type the new password to confirm it:
    Passwords Do Not Match Reply Message (passwordsDoNotMatchReplyMessage)
    Description
    Specifies the reply message sent with an Access-Denied response when the new password and its confirmation do not match.
    Some RADIUS clients (such as keyboard-interactive authentication) may display this to the user. Other clients may make their behavior dependent on this message.

    If not set, no reply message will be included in Access-Denied responses.
    Attributes
    String
    Optional
    Default value
    The passwords do not match. Please login again.
    Example
    Passwords do not match. Login again.
    Example
    The new password did not match its confirmation. Please login again.
    Password Not Accepted Reply Message (passwordNotAcceptedReplyMessage)
    Description
    Specifies the reply message sent with an Access-Denied response when the new password could not be accepted because of password policy violations.
    Some RADIUS clients (such as keyboard-interactive authentication) may display this to the user. Other clients may make their behavior dependent on this message.

    If not set, no reply message will be included in Access-Denied responses.
    Attributes
    String
    Optional
    Default value
    The new password has not been accepted because it violates the password policy.
    Example
    Password not accepted.
    Example
    The new password could not be accepted because it does not meet the requirements for new passwords.
    Asynchronous Reply Message (asynchronousReplyMessage)
    Description
    If property "Blocking If Asynchronous" is FALSE, the service forwards 'authentication pending' results directly to the RADIUS client in the form of a challenge response. This is the message that is displayed to the user in that case. The actual reply to the challenge is ignored and the state of the authentication is checked again.
    Attributes
    String
    Optional
    Default value
    Please proceed authentication on your authentication device and press the login button when finished.
    Example
    Please proceed authentication on the mobile phone and press the login button when finished.
    Username Transformation (usernameTransformers)
    Description
    Username transformers may transform the name received in a RADIUS request into the single unique user ID required for the authentication process.
    The transformation of a username takes place before the authenticator reads the user from the persistence layer. Transformers can be chained, i.e. a first transformer could normalize the original name, after which the next transformer looks up the normalized name in a database for possible transformation matches.
    In addition to the chaining described above, a transformer can also signal that it has already found the final user ID and that the transformation must stop there.
    For further details please refer to the documentation of the username transformer plugins.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
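The chaining and stop semantics described above, as an added example that is not part of the Airlock IAM product or its plugins: three hypothetical transformers (a normalizer, an alias lookup that signals a final match, and a realm prefixer) are run in order, and the alias table is a constructed stand-in for a database. The transformer names, the `final` flag and the `acme` realm are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Transformed:
    """Result of one transformer: the rewritten name and whether the chain must stop."""
    username: str
    final: bool = False


Transformer = Callable[[str], Transformed]


def normalize(name: str) -> Transformed:
    # Canonical form first, so later lookups are case- and whitespace-insensitive.
    return Transformed(name.strip().lower())


# Constructed sample alias table; stands in for a database lookup.
ALIASES = {"j.doe": "u1001"}


def alias_lookup(name: str) -> Transformed:
    # A hit is already the final user ID: signal that the chain must stop here.
    if name in ALIASES:
        return Transformed(ALIASES[name], final=True)
    return Transformed(name)


def prefix_realm(name: str, realm: str = "acme") -> Transformed:
    # Hypothetical last transformer that qualifies unknown names with a realm prefix.
    return Transformed(f"{realm}_{name}")


def transform(name: str, chain: List[Transformer]) -> str:
    """Apply the transformers in order; stop as soon as one reports a final user ID."""
    for step in chain:
        result = step(name)
        name = result.username
        if result.final:
            break
    return name


CHAIN: List[Transformer] = [normalize, alias_lookup, prefix_realm]
```

Order matters: with `prefix_realm` placed before `alias_lookup`, the alias would never match because the prefixed name is not in the table, so the same input yields a different user ID.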
    Token Selection Choice Message (tokenSelectionChoiceMessage)
    Description
    Message displayed when the user is required to select a token from the given list.
    Attributes
    String
    Optional
    Default value
    Please choose:
    Example
    Please choose:
    Use Password As Token (usePasswordAsToken)
    Description
Passes the password on to the authenticator as if it were a token code.
    Attributes
    Boolean
    Optional
    Default value
    false
    Accept Modifiers (acceptModifiers)
    Description
    The accept modifiers may modify the final RADIUS accept packet before it is sent to the client.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.radius.RadiusServiceConfig
    id: RadiusServiceConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      acceptModifiers:
      accessAcceptPasswordChangedReplyMessage: Login and password change successful.
      accessAcceptReplyMessage: Login successful.
      accessDeniedReplyMessage: Login failed.
      airlock2FAPasscodeFallback: true
      asynchronousReplyMessage: Please proceed authentication on your authentication device and press the login button when finished.
      authenticator:
      authenticatorPollingIntervalMillis: 5000
      authenticatorPollingTimeoutSecs: 60
      authorizationSettings:
      blockingIfAsynchronous: true
      changePasswordReplyMessage: Please choose a new password.
      charsetForPassword:
      confirmPasswordReplyMessage: Please enter the new password again for confirmation.
      credentialUnassignedReplyMessage: No authentication token has been assigned to your account.
      enablePasswordChange: false
      indexChallengeReplyMessage: Please enter token at position ${INDEX}.
      interfaceIp:
      logRadiusRequests: false
      matrixChallengeReplyMessage: Please enter token(s) ${CHALLENGE_COORDINATES}.
      newPinReplyMessage: Please choose a new PIN.
      nextTokenModeReplyMessage: Please wait for the NEXT token and enter it.
      notAuthorizedReplyMessage: Access denied. Not enough access rights.
      packetBufferSize: 8192
      passwordNotAcceptedReplyMessage: The new password has not been accepted because it violates the password policy.
      passwordSettings:
      passwordsDoNotMatchReplyMessage: The passwords do not match. Please login again.
      pinAcceptedReplyMessage: PIN accepted. Please wait for the NEXT token and enter it.
      port:
      radiusRolesConfiguration:
      retransmissionIntervalMillis: 30000
      retransmissionTableSize: 1024
      sessionTableSize: 4096
      sharedSecret:
      ssoAttribute:
      staticRejectedUser:
      temporaryLockingSettings:
      tokenRequiredReplyMessage: Please enter next token.
      tokenSelectionChoiceMessage: Please choose:
      usePasswordAsToken: false
      useRsaAceCompatibilityMode: false
      userLockedReplyMessage: Your user account is locked.
      userPersister:
      userTemporarilyLockedReplyMessage: Your user account has been locked temporarily. Please try again in a few minutes.
      usernameTransformers:
    

    RADIUS Authenticator

    Description

    Authenticator that calls a RADIUS server to check credentials.

    Note: If used as second step in a two-step authentication process, this plugin must ask for a token in the first step (before calling the RADIUS server). Please check the property "If Credential Is Missing" to enable this.

Stealth Mode Support: For unknown users this plugin always asks for a token (OTP) and never uses a different challenge type. Stealth mode therefore only hides whether a user exists if known users are also prompted for an OTP. Example: if the RADIUS server always responds with a matrix challenge, known users see a matrix challenge while unknown users see an OTP prompt, and an attacker who knows the setup can tell from the OTP prompt that a user ID does not exist.

    Class
    com.airlock.iam.core.misc.impl.authen.RadiusAuthenticator
    May be used by
    License-Tags
    RadiusClient
    Properties
    Radius Servers (radiusServers)
    Description
    The RADIUS server(s) to talk to.
    If more than one is provided, the list is used for failover.
    Attributes
    Plugin-List
    Mandatory
    License-Tags
    RadiusClient
    Assignable plugins
    If Credential Is Missing (ifCredentialIsMissing)
    Description
    Determines how the authenticator handles missing credentials.
    • Access-Reject: Rejects all requests with missing credential information.
    • Ask for token in first step: If the first credential does not encompass a token, the plugin prompts the user to enter a token before calling the RADIUS server. This is useful if this authenticator is used as second factor in an authentication process.
    • Send fixed password to RADIUS server: Sends the username and a fixed password to the RADIUS server. In such a case, the server is expected to respond with an Access-Challenge. This setting is useful if the Radius Authenticator is used as second step of a Main Authenticator.
    Attributes
    Enum
    Optional
    License-Tags
    RadiusClient
    Default value
    ACCESS_REJECT
    NAS Identifier (nasIdentifier)
    Description
    The NAS-Identifier to set in all requests.
    Attributes
    String
    Optional
    Length >= 3
    License-Tags
    RadiusClient
    Static Roles (staticRoles)
    Description
    The set of roles granted to a user successfully authenticated using this authenticator.
    Attributes
    String-List
    Optional
    License-Tags
    RadiusClient
    Access Reject Rules (accessRejectRules)
    Description

    Defines a list of rules (processed in order of definition) that define how to map RADIUS access reject response's reply messages to authentication results.

    If no rules are defined or no rule matches, an unspecified authentication failure is used for access reject responses.
    Attributes
    Plugin-List
    Optional
    License-Tags
    RadiusClient
    Assignable plugins
    Access Challenge Rules (accessChallengeRules)
    Description

    Defines a list of rules (processed in order of definition) that define how to map RADIUS access challenge response's reply messages to authentication results.

    If no rules are defined or no rule matches, an unspecified authentication failure is used for access challenge responses.
    Attributes
    Plugin-List
    Optional
    License-Tags
    RadiusClient
    Assignable plugins
    Access Accept Rules (accessAcceptRules)
    Description

Configures rules that influence the authentication result in case of successful authentication ("Access-Accept").
    This can be used for example to extract roles from the response.

    Note: In contrast to the access challenge and access reject rules, all rules in the list are processed as long as the authentication result is successful.

    Attributes
    Plugin-List
    Optional
    License-Tags
    RadiusClient
    Assignable plugins
    Reported Auth Method (reportedAuthMethod)
    Description
    Defines how the RADIUS authentication process is reported in the log (used for auditing, information and statistics): It can be desirable to report the actual authentication process type used on the RADIUS server side.
    If not defined, "RADIUS" will be used as Authentication Method.
    Attributes
    Enum
    Optional
    License-Tags
    RadiusClient
    Default value
    RADIUS
    Log Radius Attributes (logRadiusAttributes)
    Description
    If enabled, the RADIUS attributes sent to the server and received from the server are logged at info level.
This is useful during integration and for debugging but it is generally not suitable for productive systems.
    Attributes
    Boolean
    Optional
    License-Tags
    RadiusClient
    Default value
    false
    Password And Token Usage (passwordAndTokenUsage)
    Description
Airlock IAM supports login pages with username, password, and token input values; in that case all three values are available to this RADIUS authenticator. This property specifies which of them is sent as the secret attribute in the RADIUS protocol.

    Example:
    password = pass
    token = 1234

    Result:
    PASSWORD_ONLY = pass
    TOKEN_ONLY = 1234
    CONCATENATE = pass1234
    Attributes
    Enum
    Optional
    License-Tags
    RadiusClient
    Default value
    TOKEN_ONLY
    Username Transformation (usernameTransformers)
    Description
    Transforms the login user name to the user name that is sent to the RADIUS server.
    Attributes
    Plugin-List
    Optional
    License-Tags
    RadiusClient
    Assignable plugins
    Encoding (encoding)
    Description
    The encoding for the RADIUS attributes in an authentication request. The encoding should be the same as used on the RADIUS server.
    Attributes
    String
    Optional
    License-Tags
    RadiusClient
    Default value
    UTF-8
    Suggested values
    UTF-8, ISO-8859-1, ISO-8859-15
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.RadiusAuthenticator
    id: RadiusAuthenticator-xxxxxx
    displayName: 
    comment: 
    properties:
      accessAcceptRules:
      accessChallengeRules:
      accessRejectRules:
      encoding: UTF-8
      ifCredentialIsMissing: ACCESS_REJECT
      logRadiusAttributes: false
      nasIdentifier:
      passwordAndTokenUsage: TOKEN_ONLY
      radiusServers:
      reportedAuthMethod: RADIUS
      staticRoles:
      usernameTransformers:
    

    Radius Authorization Config

    Description
    Authorization checks performed after successful user authentication.

    Authorization decisions are based on the user's roles granted by the authenticator plugin configured in the RADIUS service. Different target services may be configured and required roles are defined for each target service. The target service is determined based on the "NAS-Identifier" RADIUS attribute (sent by the RADIUS client).

    Class
    com.airlock.iam.servicecontainer.app.application.configuration.radius.RadiusAuthorizationConfig
    May be used by
    License-Tags
    RadiusServer
    Properties
    Default Target Service (defaultTargetService)
    Description
    Required roles and other settings for the default target service.

    The default target service is used if no information is available about which target service to choose and if none of the other target services matches the NAS-Identifier.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Target Services (targetServices)
    Description
    Defines required roles and other settings for each target service. The list is processed sequentially until the first service matches. If none matches, the default target service is used.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.radius.RadiusAuthorizationConfig
    id: RadiusAuthorizationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultTargetService:
      targetServices:
    

    Radius Connection Settings

    Description
    Information needed to connect to a RADIUS server.
    Class
    com.airlock.iam.core.misc.util.radius.RadiusConnectionSettings
    May be used by
    Properties
    Host (host)
    Description
    RADIUS server name or IP.
    Attributes
    String
    Mandatory
    Example
    radiushost
    Example
    192.168.12.13
    Example
    accessserver
    Port (port)
    Description
    The RADIUS server port. The default RADIUS port is 1812 (1645 for older RADIUS servers). Do not use the RADIUS accounting port.
    Attributes
    Integer
    Mandatory
    Connection Timeout [s] (connectionTimeout)
    Description
The RADIUS timeout in seconds. This plug-in waits up to the specified number of seconds for an answer from the RADIUS server before it gives up.
Hint: If failover is used, it is useful to set a low timeout (e.g. 1) for the first RADIUS server and a higher timeout (e.g. 4) for the failover server. This results in fast switching when the first server fails but keeps the system running if the network or the servers are slow.
    Attributes
    Integer
    Optional
    Default value
    3
    Max Retries (maxRetries)
    Description

    Maximum number of retries to send an access request before giving up.

    If multiple RADIUS servers are configured (for failover), it makes sense to set this value to zero (no retries) for the first and to a value greater than zero for the failover server(s). A typical value is 2.

    Attributes
    Integer
    Optional
    Default value
    2
    Shared Secret (sharedSecret)
    Description
The shared secret. It is used to hide the secret credentials (e.g. passwords) passed to the RADIUS server and to authenticate the server's responses. It must be the same in this plugin and on the RADIUS server. The password hiding is derived only from this secret and the Request Authenticator, which is sent in clear in every packet, so a short or guessable secret can be recovered offline from captured RADIUS traffic: use a long random value and restrict the network path between Airlock IAM and the RADIUS server.
    Attributes
    String
    Mandatory
    Sensitive
    Example
    secret
    Example
    ai38d7f3
    Example
    password
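Why the strength of the shared secret matters, as an added example that is not part of the Airlock IAM product: the block implements the RFC 2865 User-Password hiding (XOR with an MD5 key stream derived from the secret and the Request Authenticator) and then runs an offline dictionary attack on a captured hidden password. The authenticator value, the password and the candidate list are constructed for the example; the "printable ASCII" heuristic used to recognise a correct guess is an assumption of this example, not a property of the protocol.

```python
import hashlib
import string


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 bytes, then
    c_i = p_i XOR MD5(secret || c_{i-1}), with c_0 = the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        cipher_block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        out += cipher_block
        prev = cipher_block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the key stream only depends on the secret, the
    authenticator (public) and the previous cipher block (also public)."""
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key_block))
        prev = hidden[i:i + 16]
    return bytes(plain).rstrip(b"\x00")


# Bytes a recovered password is expected to consist of (assumption for this example).
_PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def guess_secret(hidden: bytes, authenticator: bytes, candidates):
    """Offline dictionary attack on a captured Access-Request: every candidate
    secret is tried and accepted when the recovered password looks like text."""
    for candidate in candidates:
        plain = unhide_password(hidden, candidate, authenticator)
        if plain and all(b in _PRINTABLE for b in plain):
            return candidate
    return None


# Constructed capture: a Request Authenticator and a password hidden with the
# page's weakest example secret, "secret".
SAMPLE_AUTHENTICATOR = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_HIDDEN = hide_password(b"Tr0ub4d0r!", b"secret", SAMPLE_AUTHENTICATOR)
```

Nothing in the packet rate-limits the attacker: each candidate costs one MD5 per 16-byte block, so a secret taken from a word list falls immediately, whereas a long random secret (32 or more characters) does not. The hiding also covers only the User-Password attribute; other attributes travel in clear, which is why the network path to the RADIUS server must be trusted as well.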
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.radius.RadiusConnectionSettings
    id: RadiusConnectionSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      connectionTimeout: 3
      host:
      maxRetries: 2
      port:
      sharedSecret:
    

    RADIUS Password Repository

    Description

    Password repository that verifies the password by calling a RADIUS server.

    This repository can only be used for password checks, not for changing or setting a password.

    Class
    com.airlock.iam.common.application.configuration.password.repository.radius.RadiusPasswordRepositoryConfig
    May be used by
    License-Tags
    RadiusClient
    Properties
    Radius Servers (radiusServers)
    Description
    The RADIUS server(s) to connect to. If more than one is provided, the list is used for failover.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Log Radius Attributes (logRadiusAttributes)
    Description
    If enabled, the RADIUS attributes sent to the server and received from the server are logged at INFO level. This is useful during integration and for debugging but it is generally not suitable for productive systems.
    Attributes
    Boolean
    Optional
    Default value
    false
    NAS Identifier (nasIdentifier)
    Description
    The NAS-Identifier to set in all requests. The NAS-Identifier can be used instead of an IP address to identify the client.
    Attributes
    String
    Optional
    Length >= 3
    Username Provider (usernameProvider)
    Description
    Provides the username to be sent to the RADIUS server.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Roles Attribute Type (rolesAttributeType)
    Description

    In case of a successful password check, roles can be extracted from the "Access Accept" response. The roles are expected as comma-separated list in this attribute type. If not configured or no attribute of the expected type is present, no roles are extracted.

    The configured value can either be one of the predefined attribute types (name and ID) or an attribute ID (number > 0).

    Attributes
    String
    Optional
    Suggested values
    Reply-Message (18), Vendor Specific (26), Filter-Id (11), Class (25), Unassigned (21)
    Encoding (encoding)
    Description
    The encoding for the RADIUS attributes in an authentication request. The encoding should be the same as used on the RADIUS server.
    Attributes
    String
    Optional
    Default value
    UTF-8
    Suggested values
    UTF-8, ISO-8859-1, ISO-8859-15
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.password.repository.radius.RadiusPasswordRepositoryConfig
    id: RadiusPasswordRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      encoding: UTF-8
      logRadiusAttributes: false
      nasIdentifier:
      radiusServers:
      rolesAttributeType:
      usernameProvider:
    

    RADIUS Roles As Reply-Message

    Description
    Configures the RADIUS service for returning roles in ACCEPT messages. The roles are returned in the ReplyMessage attribute (type 18). Depending on the configuration, each role is returned in a separate attribute or all roles are concatenated and returned in a single attribute (see property Separator).
    Class
    com.airlock.iam.servicecontainer.app.application.configuration.radius.RadiusRolesAsReplyMessageConfiguration
    May be used by
    License-Tags
    RadiusServer
    Properties
    Return Granted User Roles (returnGrantedUserRoles)
    Description
    Add the user's granted roles to the list of returned roles. If disabled, only static roles are returned.
    Attributes
    Boolean
    Optional
    Default value
    true
    Static Roles (staticRoles)
    Description
    Additional static roles that are added to the list of returned roles.
    Attributes
    String-List
    Optional
    Suppress Original Reply Message (suppressOriginalReplyMessage)
    Description
    If this flag is enabled, the original human-readable reply message sent with ACCEPT messages is suppressed. That is, only the roles are returned. If the option is disabled, roles are added as additional attributes after the original message.
    Attributes
    Boolean
    Optional
    Default value
    true
    Separator (separator)
    Description

    If a separator is defined, all roles are concatenated using the defined separator. The resulting list of roles is returned in a single ReplyMessage attribute. If no separator is defined, each role is returned in a separate ReplyMessage attribute.

For example, assume a user has roles RA, RB and RC. Defining the separator to be "--" results in the ReplyMessage "RA--RB--RC".

    Attributes
    String
    Optional
    Length <= 3
    Example
    ;
    Example
    ,
    Example
    --
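The two return modes described above (one Reply-Message attribute per role, or all roles joined by the separator) and their effect on a client that extracts roles from Reply-Message attributes, as an added example that is not part of the Airlock IAM product: the block encodes an Access-Accept with Reply-Message (type 18) attributes, computes and verifies the RFC 2865 Response Authenticator, and parses the attributes back into a role list the way a RADIUS client such as the RADIUS Password Repository's "Roles Attribute Type" would. The request authenticator, shared secret, roles and message are constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18  # attribute type this plugin returns roles in


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: 1-byte type, 1-byte total length, value (max 253 bytes)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: List[bytes]) -> bytes:
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator (RFC 2865 section 3): binds the reply to the request and the secret.
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """A client must check this before trusting anything in the reply."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet: bytes) -> Tuple[int, int, List[Tuple[int, bytes]]]:
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, attrs


def roles_as_reply_message(roles: List[str], original_message: str,
                           separator: Optional[str] = None,
                           suppress_original: bool = True) -> List[bytes]:
    """Server side: Reply-Message attributes as this plugin's two modes produce them."""
    attrs = []
    if not suppress_original:
        attrs.append(encode_attr(REPLY_MESSAGE, original_message.encode("utf-8")))
    if separator is None:
        attrs += [encode_attr(REPLY_MESSAGE, role.encode("utf-8")) for role in roles]
    elif roles:
        attrs.append(encode_attr(REPLY_MESSAGE, separator.join(roles).encode("utf-8")))
    return attrs


def extract_roles(packet: bytes, request_auth: bytes, secret: bytes,
                  attr_type: int = REPLY_MESSAGE, separator: Optional[str] = None) -> List[str]:
    """Client side: every attribute of the given type is one role, or is split on the separator."""
    if not verify_response(packet, request_auth, secret):
        raise ValueError("response authenticator mismatch: reply not from the RADIUS server")
    code, _, attrs = parse_attrs(packet)
    if code != ACCESS_ACCEPT:
        return []
    roles: List[str] = []
    for found_type, value in attrs:
        if found_type != attr_type:
            continue
        text = value.decode("utf-8")
        roles += [text] if separator is None else [r for r in text.split(separator) if r]
    return roles


# Constructed sample exchange.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"ai38d7f3"
```

The second test case below shows why "Suppress Original Reply Message" defaults to true: if the human-readable message is kept and the client treats every Reply-Message attribute as a role, the login message itself turns into a role name.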
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.radius.RadiusRolesAsReplyMessageConfiguration
    id: RadiusRolesAsReplyMessageConfiguration-xxxxxx
    displayName: 
    comment: 
    properties:
      returnGrantedUserRoles: true
      separator:
      staticRoles:
      suppressOriginalReplyMessage: true
    

    Readiness Health Check Endpoint

    Description

    Configuration of the Readiness endpoint.

    The readiness endpoint can be used in Airlock Gateway or Kubernetes to determine whether IAM is ready to handle incoming requests.

    The endpoint is available under: /health/ready

    Class
    com.airlock.iam.common.application.configuration.health.ModuleReadinessConfig
    May be used by
    Properties
    Checks (checks)
    Description
    List of health checks to perform when the readiness endpoint is called. A check with the name "configActivation" is always included and cannot be disabled. It results in the status DOWN if the initial config activation fails.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.health.ModuleReadinessConfig
    id: ModuleReadinessConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      checks:
    

    Realm Administration

    Description
    Settings for realm administration.
    Class
    com.airlock.iam.admin.application.configuration.realm.RealmAdministrationConfig
    May be used by
    License-Tags
    RealmAdministration
    Properties
    Admin Realm Context Data Name (adminRealmContextDataName)
    Description
The name of the context data field where the administrator's realm is stored. In the standard IAM database schema the field "realm" is reserved for this purpose. In order to assign a realm to an administrator, add a "String User Profile Item" for this context data field to the "Rows On Admin Detail Page" in the "Administrators Management".

Note that this context data item must also be configured in the corresponding admin persister.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    User Realm Context Data Name (userRealmContextDataName)
    Description
The name of the context data field where the user's realm is stored. In the standard IAM database schema the field "realm" is reserved for this purpose. Users inherit the realm from the administrator who created them. Therefore, it is recommended to make this context data item read-only on users or to not show it at all.

Note that this context data item must also be configured in the corresponding user persister.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.realm.RealmAdministrationConfig
    id: RealmAdministrationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      adminRealmContextDataName:
      userRealmContextDataName:
    

    Realm Username Validator

    Description
    Validates that usernames created by a realm administrator match a given pattern.
    Class
    com.airlock.iam.admin.application.configuration.realm.RealmUsernameValidatorConfig
    May be used by
    License-Tags
    RealmAdministration
    Properties
    Username Pattern (usernamePattern)
    Description
    Defines a regular expression that is matched against usernames when they are created by a realm administrator. Use the placeholder @realm@ in the pattern where the current administrator's realm is expected. The placeholder will be resolved to the administrator's realm when a user is being created.
    Attributes
    String
    Mandatory
    Example
    @realm@_[\S]{2,}
    Example
    @realm@-[a-z]{4,}
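How the placeholder and the pattern work together, as an added example that is not part of the Airlock IAM product: the block resolves `@realm@` with the administrator's realm and matches the page's two example patterns against candidate usernames. Two choices are assumptions of this example and not documented IAM behaviour: the realm is escaped with `re.escape` so that metacharacters in a realm name cannot widen the match, and the pattern is applied with a full match, which the weaker `re.search` variant is included to contrast.

```python
import re

PLACEHOLDER = "@realm@"


def resolve_pattern(pattern: str, realm: str) -> str:
    # Assumption of this example: the realm is inserted literally, so a realm such
    # as "a.b" cannot match "axb".
    return pattern.replace(PLACEHOLDER, re.escape(realm))


def username_allowed(pattern: str, realm: str, username: str) -> bool:
    """Hardened check: the whole username must match the resolved pattern."""
    if not realm:
        return False  # assumption: no realm known for this administrator means deny
    return re.fullmatch(resolve_pattern(pattern, realm), username) is not None


def username_allowed_search(pattern: str, realm: str, username: str) -> bool:
    """Weak variant for comparison: an unanchored search accepts surrounding text."""
    if not realm:
        return False
    return re.search(resolve_pattern(pattern, realm), username) is not None


# The page's two example patterns.
PATTERN_UNDERSCORE = r"@realm@_[\S]{2,}"
PATTERN_DASH = r"@realm@-[a-z]{4,}"
```

Without the full match, a realm administrator of `acme` could create `evil_acme_jdoe`, which passes an unanchored search because the resolved pattern is found as a substring; the same username is rejected by `username_allowed`.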
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.realm.RealmUsernameValidatorConfig
    id: RealmUsernameValidatorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      usernamePattern:
    

    Realm Value Provider

    Description
    Provides a value based on the administrator's realm.
    Class
    com.airlock.iam.admin.application.configuration.realm.RealmValueProviderConfig
    May be used by
    License-Tags
    RealmAdministration
    Properties
    Value (value)
    Description
    The value that is provided by this plugin. Use the placeholder @realm@ where the current administrator's realm is expected.

    Note that if the realm of an administrator cannot be determined, an empty string is provided independent of the configured value.

    Attributes
    String
    Mandatory
    Example
    @realm@_
    Example
    @realm@-
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.realm.RealmValueProviderConfig
    id: RealmValueProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      value:
    

    reCAPTCHA

    Description
    Requires a user to solve a reCAPTCHA challenge.
    If you use an HTTPS truststore, make sure to add the root certificate for https://google.com.
    Further, you need to ensure that the correct Content Security Policy (CSP) is set. reCAPTCHA requires
    • script-src https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/
    • frame-src https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/
    Consult the official reCAPTCHA documentation for further information.
    Note: Currently only reCAPTCHA v2 ("I'm not a robot" Checkbox) is supported.
    Class
    com.airlock.iam.flow.shared.application.configuration.captcha.ReCaptchaConfig
    May be used by
    Properties
    Site Key (siteKey)
    Description

    The site key can be assumed to be public knowledge and identifies the associated reCAPTCHA account.

    The site key can be found on the reCAPTCHA admin page.

    Attributes
    String
    Mandatory
    Secret Key (secretKey)
    Description

The secret is used to validate the CAPTCHA challenge response on the reCAPTCHA server. While a leaked secret key doesn't impact the security or validity of this CAPTCHA method, its misuse can incur costs as it is used for quota calculations at the CAPTCHA provider (similar to an API key).

    The secret key can be found on the reCaptcha admin page.

    Attributes
    String
    Mandatory
    Sensitive
    Proxy URI (proxyUri)
    Description
URI of an HTTP proxy the connector should use. If the port component of the URI is absent, a default port of 8080 is assumed. If this property is left empty, no proxy is used.
    Attributes
    String
    Optional
    Example
    https://proxy.company.com
    Proxy Login User (proxyLoginUser)
    Description
    Username for the proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Proxy Login Password (proxyLoginPassword)
    Description
    Password for the proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Sensitive
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.captcha.ReCaptchaConfig
    id: ReCaptchaConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      proxyLoginPassword:
      proxyLoginUser:
      proxyUri:
      secretKey:
      siteKey:
    

    Recipient From Context Data

    Description
    The recipient address for this email notification comes from a context data field of the managed user.
    Class
    com.airlock.iam.admin.application.configuration.event.ContextDataRecipientConfig
    May be used by
    Properties
    Context Data Name (contextDataName)
    Description
    The context data field whose value is to be used as the recipient's email address. If the provided email address is blank or invalid, no email will be sent.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.event.ContextDataRecipientConfig
    id: ContextDataRecipientConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataName:
    

    Recipient From Event Value

    Description
The recipient address for this email notification comes from a value of the event. The same keys as in the message templates can be used. If the event does not provide the specified key or the value is not a valid email address, no email notification is sent.
    Class
    com.airlock.iam.common.application.configuration.event.EventValueRecipientConfig
    May be used by
    Properties
    Event Key (eventKey)
    Description
    The event message key that is used for the recipient address.
    Attributes
    String
    Mandatory
    Suggested values
    event.data.oldEmailAddress, event.data.newEmailAddress
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.event.EventValueRecipientConfig
    id: EventValueRecipientConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      eventKey:
    

    Recipient From String Value Provider

    Description
    The recipient address for this email notification comes from a string value provider plugin.
    Class
    com.airlock.iam.login.application.configuration.event.StringProviderRecipientConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.event.StringProviderRecipientConfig
    id: StringProviderRecipientConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      stringProvider:
    

    Red Flag

    Description
    A step can raise a red flag to signal to a later step that some action must be performed before the flow can succeed.

    Example: the password check step raises a red flag if a mandatory password change must be performed. A step later in the flow requires the user to change his password if this red flag is raised. If no subsequent step handles the red flag, the flow fails.
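The raise-and-handle contract described above, including the failure mode when no later step handles the flag, as an added example that is not part of the Airlock IAM flow engine: a minimal flow context tracks raised red flags, a password-check step raises one when a password change is due, a later step handles it only if the "Red Flag Raised" condition holds, and the flow fails if any flag is still raised at the end. The step functions, the flag name and the user record are constructed for the example.

```python
from typing import Callable, Dict, List, Set, Tuple


class FlowContext:
    """State carried through one flow run: raised red flags and a trace of what happened."""

    def __init__(self) -> None:
        self.red_flags: Set[str] = set()
        self.trace: List[str] = []

    def raise_flag(self, name: str) -> None:
        self.red_flags.add(name)

    def handle_flag(self, name: str) -> None:
        self.red_flags.discard(name)


def red_flag_raised(ctx: FlowContext, name: str) -> bool:
    """Flow condition: true if the named red flag is currently raised."""
    return name in ctx.red_flags


Step = Callable[[FlowContext, Dict[str, bool]], None]

PASSWORD_CHANGE_REQUIRED = "PASSWORD_CHANGE_REQUIRED"  # constructed flag name


def password_check_step(ctx: FlowContext, user: Dict[str, bool]) -> None:
    # Password is assumed correct for the example; the step only decides about the flag.
    ctx.trace.append("password ok")
    if user.get("must_change_password"):
        ctx.raise_flag(PASSWORD_CHANGE_REQUIRED)


def mandatory_password_change_step(ctx: FlowContext, user: Dict[str, bool]) -> None:
    # Runs only under the "Red Flag Raised" condition and clears the flag it handles.
    if red_flag_raised(ctx, PASSWORD_CHANGE_REQUIRED):
        ctx.trace.append("password changed")
        user["must_change_password"] = False
        ctx.handle_flag(PASSWORD_CHANGE_REQUIRED)


def run_flow(steps: List[Step], user: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Execute the steps in order; a flag nobody handled makes the whole flow fail."""
    ctx = FlowContext()
    for step in steps:
        step(ctx, user)
    if ctx.red_flags:
        ctx.trace.append(f"flow failed: unhandled red flags {sorted(ctx.red_flags)}")
        return False, ctx.trace
    return True, ctx.trace
```

The failing case is the one to watch for in real configurations: removing the handling step from a flow that still contains the raising step does not silently skip the password change, it turns every affected login into a failed flow.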

    Class
    com.airlock.iam.flow.application.configuration.redflag.RedFlagConfigImpl
    May be used by
    Properties
    Name (name)
    Description
    The name of the red flag.
    Attributes
    String
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.application.configuration.redflag.RedFlagConfigImpl
    id: RedFlagConfigImpl-xxxxxx
    displayName: 
    comment: 
    properties:
      name:
    

    Red Flag Raised

    Description
    Flow condition which evaluates to true if the configured red flag is raised.
    Class
    com.airlock.iam.flow.application.configuration.selection.condition.RedFlagConditionConfig
    May be used by
mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step,
CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services,
OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service Flow, Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step,
User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step
mTAN Token Registration Step mTAN Token Registration Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Delete Initiation Step Selection Option For Public Self-Service Username Password Authentication Step Username Password Authentication Step Certificate Credential Extraction Step Config Certificate Credential Extraction Step Config OAuth 2.0 Session List OAuth 2.0 Session List Set Password Step Config Set Password Step Config Flow Condition To Authentication Context Mapping Password Change Self-Service Step Password Change Self-Service Step SSI Verification Step SSI Verification Step Default OAuth 2.0 Consent Deny Flow Default OAuth 2.0 Consent Deny Flow Device Token Identity Verification Step Config Device Token Identity Verification Step Config Cronto Self-Service Approval Step Cronto Self-Service Approval Step FIDO Credential List FIDO Credential List Lock Self-Service Step Lock Self-Service Step Password Letter Order Step (Public Self-Service) Password Letter Order Step (Public Self-Service) Default Enable Cronto Device Flow Default Enable Cronto Device Flow Airlock 2FA Delete Devices Step Airlock 2FA Delete Devices Step Vasco OTP Self-Service Approval Step Vasco OTP Self-Service Approval Step Selection Step for User Self-Registration Selection Step for User Self-Registration Vasco OTP Device Activation Vasco OTP Device Activation User Role Assignment Step Config User Role Assignment Step Config Default Enable FIDO Credential Flow Default Enable FIDO Credential Flow mTAN Self-Service Approval Step mTAN Self-Service Approval Step Selection Option Rename Cronto Device Step Rename Cronto Device Step OATH OTP Authentication Step OATH OTP Authentication Step User Identification Step (Public Self-Service) User Identification Step (Public Self-Service) Default Cronto Device Renaming Flow Default Cronto Device Renaming Flow Delete mTAN Number Initiation Step Delete mTAN Number Initiation Step SSI Authentication Step SSI Authentication Step Default 
Disable Cronto Device Flow Default Disable Cronto Device Flow Password Repository Mapping Default Remember-Me Device Deletion Flow Default Remember-Me Device Deletion Flow mTAN Verification Step mTAN Verification Step Conditional Value Map Provider FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Application Portal Target Config Legacy Email OTP Authentication Step Legacy Email OTP Authentication Step Never Migrate Step Never Migrate Step Selection Step for Self-Service Selection Step for Self-Service Cronto Letter Order Step Config Cronto Letter Order Step Config No Operation Step No Operation Step Terms Of Services Step Terms Of Services Step Role-based Tag Acquisition Step Role-based Tag Acquisition Step FIDO Passwordless Authentication Step FIDO Passwordless Authentication Step Disable Cronto Push Initiation Step Disable Cronto Push Initiation Step Stop User Representation Step Stop User Representation Step Acknowledge Message Step Acknowledge Message Step HTTP Basic Authentication Step HTTP Basic Authentication Step Target Applications and Authentication Airlock 2FA Mobile Only Authentication Step Airlock 2FA Mobile Only Authentication Step Generic ID Propagator Voluntary Password Change Step Voluntary Password Change Step Remember-Me Device List Remember-Me Device List SAML 2.0 SP User Identifying Step SAML 2.0 SP User Identifying Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Consents Delete Initiation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Step (with additional Activation) OAuth 2.0 Consent List OAuth 2.0 Consent List Default OAuth 2.0 Consent Grant Flow Default OAuth 2.0 Consent Grant Flow Username Generation Step Config Username Generation Step Config Remember-Me Reset Step Remember-Me Reset Step Default FIDO Credential Removal Flow Delete OAuth 2.0 Session Initiation Step Delete OAuth 2.0 Session Initiation Step OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset 
Step Selection Step Selection Step
    Properties
    Red Flag (redFlag)
    Description
    While the configured red flag is raised, this condition evaluates to true.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.application.configuration.selection.condition.RedFlagConditionConfig
    id: RedFlagConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      redFlag:
    

    Red Flag Raising Step Config

    Description
    Non-interactive step that raises the configured red flag if the configured flow condition evaluates to true.
    Class
    com.airlock.iam.flow.application.configuration.step.RedFlagRaisingStepConfig
    May be used by
    Properties
    Condition (condition)
    Description
    Defines the condition under which the configured red flag is raised.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Red Flag (redFlag)
    Description
    Red flag to be raised if the configured condition evaluates to true. This flag must then be handled by a later step.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.application.configuration.step.RedFlagRaisingStepConfig
    id: RedFlagRaisingStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      customFailureResponseAttributes:
      customResponseAttributes:
      preCondition:
      redFlag:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Redirect On Logout Config

    Description
    Performs a redirect after the logout.
    Class
    com.airlock.iam.authentication.application.configuration.ui.RedirectOnLogoutConfig
    May be used by
    Properties
    Target (target)
    Description
    The target to redirect to after a logout.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.ui.RedirectOnLogoutConfig
    id: RedirectOnLogoutConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      target:
    

    Redirect to URI

    Description
    Defines a URI that can be modified using transformers. The resulting URI is used as the redirect target after completing a flow.
    Class
    com.airlock.iam.login.rest.application.configuration.ExternalTargetUriConfig
    May be used by
    Properties
    Target URI (targetUri)
    Description
    The URI to be redirected to (after applying the URI Transformers). Must result in a valid URI that is absolute or relative to the host.
    Attributes
    String
    Mandatory
    Example
    https://my-ebanking.ch
    Example
    /ebanking
    URI Transformers (uriTransformers)
    Description
    The chain of URI transformers to transform the Target URI. The transformers are applied in the configured order. If any transformer produces a 'veto', the untransformed Target URI is used.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.rest.application.configuration.ExternalTargetUriConfig
    id: ExternalTargetUriConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      targetUri:
      uriTransformers:
    

    Regex Application Selector Config

    Description
    Matches the forward URI against a regular expression.
    Class
    com.airlock.iam.login.application.configuration.targetapp.RegexApplicationSelectorConfig
    May be used by
    Properties
    URI Pattern (uriPattern)
    Description
    The URI pattern (regular expression pattern) to identify this target application. The matching is case-insensitive.
    Attributes
    RegEx
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.targetapp.RegexApplicationSelectorConfig
    id: RegexApplicationSelectorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      uriPattern:
    

    Regex String Transformer

    Description
    Applies a regular expression transformation to the input string.
    Class
    com.airlock.iam.common.application.configuration.transform.RegexStringTransformerConfig
    May be used by
    Properties
    Transform strings matching (pattern)
    Description
    The regular expression. The input string is transformed if it matches this pattern.
    Attributes
    RegEx
    Mandatory
    Replace with (replacement)
    Description
    The replacement expression. If the string matches the pattern, it will be replaced by this replacement expression. If the string does not match the pattern, the original string will be returned.
    Attributes
    String
    Mandatory
    Example
    $1
    Example
    replacementString
    Example
    admin-$2
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.transform.RegexStringTransformerConfig
    id: RegexStringTransformerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      pattern:
      replacement:
    

    Regex String Validator Config

    Description
    Validate a string value using a regular expression.
    Class
    com.airlock.iam.common.application.configuration.validation.RegexStringValidatorConfig
    May be used by
    Properties
    Validation Pattern (validationPattern)
    Description

    Pattern for validating a string value.

    The provided regex is used in Java for server-side validation and potentially in Javascript for client-side validation. The capabilities of these regex interpreters differ. Therefore make sure to only use patterns that are equivalent in both types of interpreters.

    Attributes
    RegEx
    Mandatory
    Validation Pattern Case Sensitive (validationPatternCaseSensitive)
    Description
    If the above validation pattern is case-sensitive.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.validation.RegexStringValidatorConfig
    id: RegexStringValidatorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      validationPattern:
      validationPatternCaseSensitive: true
    

    Regex Ticket Element

    Description
    Specifies a ticket element in the Mapping Ticket Service. The string values retrieved for the element are transformed by matching them against a configurable regular expression and applying a replacement.
    Class
    com.airlock.iam.core.misc.util.ticket.service.RegexTicketElement
    May be used by
    Properties
    Transform Match Pattern (transformMatchPattern)
    Description
    A Java regular expression pattern for transforming the value.
    Attributes
    RegEx
    Optional
    Transform Replace Pattern (transformReplacePattern)
    Description
    A Java regular expression replace string using the standard dollar notation to reference match groups.
    Attributes
    String
    Optional
    Example
    $1
    Ticket Key (ticketKey)
    Description
    This property defines the key used to put the value in the ticket.

    Note that for the special valueRef @all-context-data, the value of this property is ignored because the keys of the context data entries are used.

    Attributes
    String
    Mandatory
    Example
    username
    Example
    roles
    Example
    lang
    Example
    authentication-method
    Value Reference (valueRef)
    Description
    This property specifies the context data key to use as value.
    Some keys have special meanings to add the username, the roles or all additional values.
    Attributes
    String
    Mandatory
    Example
    @username
    Example
    @roles
    Example
    @all-additional-values
    Example
    givenname
    Example
    surname
    Example
    country
    Example
    email
    Example
    company
    Example
    language
    Example
    authMethod
    Mandatory (mandatory)
    Description
    Enforces that the value for the corresponding key is set and contains only non-empty values. Depending on the valueRef, the following is enforced after the transformation:
    • @username: only non-empty usernames are allowed
    • @roles: at least one role must be assigned
    • context data key: the corresponding context data must exist and all values of the key must be non-empty
    • @all-context-data: the values of all context data must be non-empty
    • @all-additional-values: all additional data must have at least one value and all values must be non-empty
    • additional value key: the selected additional data must exist, have at least one value and all values must be non-empty
    In case of a violation, the ticket cannot be created and an exception is thrown, which in most cases results in a technical error.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.ticket.service.RegexTicketElement
    id: RegexTicketElement-xxxxxx
    displayName: 
    comment: 
    properties:
      mandatory: false
      ticketKey:
      transformMatchPattern:
      transformReplacePattern:
      valueRef:
    

    Regex Username Transformer

    Description
    This username transformer transforms a user name with a regular expression (regex). Specifically, it searches for the specified pattern and replaces all matches with the replacement string (using the method replaceAll(replacement)).
    Class
    com.airlock.iam.core.misc.impl.authen.RegexUsernameTransformer
    May be used by
    Properties
    Regex (regex)
    Description

    Regular expression to match the input user name or part of it. The expression '(.+)' matches the whole string and saves it as a group which can be referenced as '$1' in the replacement expression.
    Notice: To match any string, always use "(.+)", and never "(.*)" since the latter also matches against the empty string and thus the replacement will be applied twice.

    Examples:
    • To add the prefix 'SubjectEmail:', use Regex='^(.+)$' and Replacement='SubjectEmail:$1'.
    • To remove all whitespace from the user name, use Regex='\s' and Replacement=''.
    • To remove the domain part of an email address, use Regex='@.*$' and Replacement=''.
    Attributes
    RegEx
    Mandatory
    Replacement (replacement)
    Description
    The expression to replace the matched text with. The first matching group of the regex is denoted '$1'.
    Attributes
    String
    Optional
    Stop After Successful Transformation (stopAfterSuccessfulTransformation)
    Description
    With this flag the chaining of username transformers can be interrupted. If it is enabled and the regular expression matched the user name (no matter whether the replacement actually resulted in a different username), following username transformers are not executed.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.RegexUsernameTransformer
    id: RegexUsernameTransformer-xxxxxx
    displayName: 
    comment: 
    properties:
      regex:
      replacement:
      stopAfterSuccessfulTransformation: false
    

    Regex-based String Transformer

    Description
    Matches the input string using a regular expression and replaces it with the specified replacement string.
    Class
    com.airlock.iam.common.application.configuration.location.transform.RegexStringTransformerConfig
    May be used by
    Properties
    Pattern (pattern)
    Description
    The regular expression used for matching the input string.
    Attributes
    RegEx
    Mandatory
    Replacement (replacement)
    Description
    The text returned as transformation result. Can be a constant string, or a string containing a capturing group number like $1.
    Attributes
    String
    Mandatory
    Example
    $1
    Stop After Successful Transformation (stopAfterSuccessfulTransformation)
    Description
    If this flag is set, the transformation doesn't continue after this transformer, and the configured replacement text is used as the overall result of the entire transformer chain.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.location.transform.RegexStringTransformerConfig
    id: RegexStringTransformerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      pattern:
      replacement:
      stopAfterSuccessfulTransformation: false
    

    Regex-based URI Transformer

    Description
    Transforms a URI using a regular expression.
    Class
    com.airlock.iam.login.application.configuration.location.transform.RegexURITransformerConfig
    May be used by
    Properties
    Pattern (pattern)
    Description
    The regular expression matched against the URI to replace parts or all of its content. All capture groups (i.e. expressions between parentheses) are replaced with the value of the "Replacement" property below. In case of a mismatch the result of the transformation is the original URI. Use "(.+)" to match the whole URI (".*" would match the whole input twice).
    Attributes
    RegEx
    Mandatory
    Replacement (replacement)
    Description
    The value to replace all matched parts of the input URI with. Variables "$1" etc. can be used to reference the matching capture groups of the "Pattern" defined above.
    Attributes
    String
    Mandatory
    Example
    myhost.com
    Example
    /target?$1
    Example
    /en/
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.location.transform.RegexURITransformerConfig
    id: RegexURITransformerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      pattern:
      replacement:
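
    Added example (not from the Airlock IAM documentation or product code): a small Python model of the replaceAll-style semantics described for the Regex Username Transformer above and for this Regex-based URI Transformer, so that the documented patterns and the "(.+)" versus "(.*)" pitfall can be tried offline. Python's re module (3.7 or newer, which replaces an empty match that directly follows a non-empty one exactly like Java's replaceAll) stands in for the Java regex engine; the "$1" group notation of the configuration is translated to Python's "\g<1>". The transformer chain, the sample user names and URIs and the function names are constructed for this illustration.

```python
import re

# Java replacement strings reference groups as $1, $2, ...; Python's re uses \g<1>.
GROUP_REF = re.compile(r'\$(\d+)')


def java_replacement_to_python(replacement: str) -> str:
    """Translate a Java-style replacement ('SubjectEmail:$1') into Python's syntax."""
    return GROUP_REF.sub(r'\\g<\1>', replacement)


def transform_once(value: str, regex: str, replacement: str) -> str:
    """replaceAll semantics: every match of regex in value is replaced.

    If the regex does not match at all, the value is returned unchanged, which
    is the documented mismatch behaviour of the URI transformer.
    """
    return re.sub(regex, java_replacement_to_python(replacement), value)


def apply_transformer_chain(value: str, chain) -> str:
    """Apply (regex, replacement, stopAfterSuccessfulTransformation) entries in order.

    A transformer counts as successful as soon as its regex matches, even when
    the replacement leaves the value unchanged; with the stop flag set, the rest
    of the chain is skipped.
    """
    for regex, replacement, stop_after_success in chain:
        matched = re.search(regex, value) is not None
        value = transform_once(value, regex, replacement)
        if matched and stop_after_success:
            break
    return value


# Constructed chain: strip a mail domain and stop; otherwise add a prefix.
USERNAME_CHAIN = [
    (r'@.*$', '', True),
    (r'^(.+)$', 'SubjectEmail:$1', False),
]


if __name__ == '__main__':
    # The examples given in the Regex Username Transformer description.
    print(transform_once('jdoe', r'^(.+)$', 'SubjectEmail:$1'))   # SubjectEmail:jdoe
    print(transform_once('j doe ', r'\s', ''))                     # jdoe
    print(transform_once('jdoe@example.com', r'@.*$', ''))         # jdoe
    # The pitfall: (.*) also matches the empty string at the end of the input,
    # so the replacement is applied twice.
    print(transform_once('jdoe', r'(.*)', 'SubjectEmail:$1'))     # SubjectEmail:jdoeSubjectEmail:
    # URI rewriting that carries the query string over, as in the '/target?$1' example.
    print(transform_once('/ebanking/login?lang=en', r'^/ebanking/login\?(.*)$', '/target?$1'))  # /target?lang=en
    print(apply_transformer_chain('jdoe@example.com', USERNAME_CHAIN))  # jdoe
    print(apply_transformer_chain('jdoe', USERNAME_CHAIN))              # SubjectEmail:jdoe
```

    Run the chain against every user name shape the upstream identity source can deliver (with and without a domain, with surrounding whitespace) before deploying a transformer: an anchor that is missing, or a "(.*)" group, silently changes the identity that downstream steps and ID propagators see.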
    

    Regex-based URI Value Extraction

    Description
    Extracts a string from a URI using a regular expression. Do not use this extractor for query parameters, as they might be URL-encoded.
    Class
    com.airlock.iam.login.application.configuration.location.extract.RegexURIValueExtractorConfig
    May be used by
    Properties
    Pattern (pattern)
    Description

    The regular expression matched against the URI to extract a target string. It must contain exactly one capturing group.

    Note that if the expression matches multiple times, the first match is always returned. Care should therefore be taken while defining this pattern to avoid multiple matches.

    Attributes
    RegEx
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.location.extract.RegexURIValueExtractorConfig
    id: RegexURIValueExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      pattern:
    

    Regexp Data Transformer

    Description
    This plugin transforms selected values using a regular expression containing a capturing group and using a replacement pattern.
    Class
    com.airlock.iam.core.misc.util.datatransformer.RegexpDataTransformer
    May be used by
    Properties
    Properties (properties)
    Description
    Selects the properties to apply the replacement to.
    Use the asterisk character ("*") to replace all properties.
    Attributes
    String-List
    Mandatory
    Pattern (pattern)
    Description

    Regular expression pattern containing a group (a region enclosed in parentheses) that can be used in conjunction with the property "Replacement" in order to transform data. If the string does not match, no transformation is performed.

    Example: The pattern "(.*)" and the replacement "user.$1" will transform the string "jdoe" to "user.jdoe".

    Example: The pattern "user\.(.*)" and the replacement "$1" will transform the string "user.jdoe" to "jdoe".

    Attributes
    RegEx
    Mandatory
    Replacement (replacement)
    Description
    The replacement string used in conjunction with property "Pattern" in order to transform a string. The token "$1" is used to reference the string matching the group in the pattern. Use notation "${foo}" to access context data attribute "foo".
    Attributes
    String
    Mandatory
    Example
    user.$1
    Example
    $1
    Example
    user.$1-${lastname}
    Missing Context Data Behaviour (missingContextDataBehaviour)
    Description

    The behaviour to adopt when a referenced value in "Replacement" is missing.

    Example: The replacement is "email:${email}" but the email context data is not set.

    "Unresolved Reference Value": leave the matching pattern as is. In the above example, the resulting string will be "email:${email}"

    "Empty String": use an empty string. In the above example, the resulting string will be "email:"

    "Error": missing context data, such as the above example, leads to an error.

    Attributes
    Enum
    Optional
    Default value
    UNRESOLVED_REFERENCE_VALUE
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.datatransformer.RegexpDataTransformer
    id: RegexpDataTransformer-xxxxxx
    displayName: 
    comment: 
    properties:
      missingContextDataBehaviour: UNRESOLVED_REFERENCE_VALUE
      pattern:
      properties:
      replacement:
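
    Added example (not from the Airlock IAM documentation or product code): a Python model of the Regexp Data Transformer's replacement syntax, covering "$1" group references, "${foo}" context-data references and the three Missing Context Data Behaviour values described above. It assumes, based on the documented examples ("(.*)" plus "user.$1" turning "jdoe" into "user.jdoe"), that the pattern has to match the whole value and that a mismatch leaves the value untouched. The record, the context data and the function names are constructed for this illustration.

```python
import re
from enum import Enum

# Syntax of the "Replacement" property: $n references a capturing group of
# "Pattern", ${key} references a context-data attribute.
REPLACEMENT_TOKEN = re.compile(r'\$(\d+)|\$\{([^}]+)\}')


class MissingContextDataBehaviour(Enum):
    UNRESOLVED_REFERENCE_VALUE = 'unresolved'
    EMPTY_STRING = 'empty'
    ERROR = 'error'


class MissingContextDataError(KeyError):
    """Raised for a missing ${key} when the behaviour is ERROR."""


def _resolve_context(key, context, behaviour, literal):
    if key in context:
        return context[key]
    if behaviour is MissingContextDataBehaviour.EMPTY_STRING:
        return ''
    if behaviour is MissingContextDataBehaviour.ERROR:
        raise MissingContextDataError(key)
    return literal  # UNRESOLVED_REFERENCE_VALUE: keep "${key}" as it is


def expand_replacement(match, replacement, context, behaviour):
    """Assemble literal text, $n group values and ${key} context values.

    The replacement is tokenised once and substituted values are copied in
    verbatim, so a captured value such as "${email}" or "$1" is never
    re-interpreted as a reference.
    """
    out, pos = [], 0
    for tok in REPLACEMENT_TOKEN.finditer(replacement):
        out.append(replacement[pos:tok.start()])
        group_no, ctx_key = tok.group(1), tok.group(2)
        if group_no is not None:
            out.append(match.group(int(group_no)) or '')
        else:
            out.append(_resolve_context(ctx_key, context, behaviour, tok.group(0)))
        pos = tok.end()
    out.append(replacement[pos:])
    return ''.join(out)


def transform_value(value, pattern, replacement, context,
                    behaviour=MissingContextDataBehaviour.UNRESOLVED_REFERENCE_VALUE):
    """Transform one value; assumption: the pattern must match the whole value."""
    match = re.fullmatch(pattern, value)
    if match is None:
        return value
    return expand_replacement(match, replacement, context, behaviour)


def transform_record(record, properties, pattern, replacement, context,
                     behaviour=MissingContextDataBehaviour.UNRESOLVED_REFERENCE_VALUE):
    """Apply the transformation to the selected properties ("*" selects all)."""
    targets = list(record) if '*' in properties else [p for p in properties if p in record]
    result = dict(record)
    for prop in targets:
        result[prop] = transform_value(record[prop], pattern, replacement, context, behaviour)
    return result


if __name__ == '__main__':
    record = {'username': 'jdoe', 'displayname': 'John Doe'}  # constructed
    context = {'lastname': 'Doe'}                              # constructed
    print(transform_value('jdoe', r'(.*)', 'user.$1', context))               # user.jdoe
    print(transform_value('user.jdoe', r'user\.(.*)', '$1', context))         # jdoe
    print(transform_value('jdoe', r'(.*)', 'user.$1-${lastname}', context))   # user.jdoe-Doe
    print(transform_value('jdoe', r'(.*)', 'email:${email}', context))        # email:${email}
    print(transform_value('jdoe', r'(.*)', 'email:${email}', context,
                          MissingContextDataBehaviour.EMPTY_STRING))          # email:
    print(transform_record(record, ['username'], r'(.*)', 'user.$1', context))
```

    Tokenising the replacement once, before any data is substituted, is the design choice worth copying: values captured from the input or taken from context data are never re-scanned for "$1" or "${...}", so user-controlled attributes cannot steer the transformation. For data that feeds authorization decisions, ERROR is the safer Missing Context Data Behaviour, since both other settings produce a syntactically valid but wrong value.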
    

    Remember Me Token Cleanup

    Description
    Configures the cleanup of Remember-Me tokens after credential generation.
    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.token.RememberMeTokenCleanup
    May be used by
    Properties
    Remember-Me Repository (rememberMeConfig)
    Description
    The Remember-Me Repository Config, used to remove Remember-Me tokens.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.token.RememberMeTokenCleanup
    id: RememberMeTokenCleanup-xxxxxx
    displayName: 
    comment: 
    properties:
      rememberMeConfig:
    

    Remember-Me Consistency User Change Listener

    Description
    A listener that reacts to change events on users and keeps the Remember-Me tokens in a consistent state. Actions:
    • on user deletion: deletes the associated Remember-Me tokens.
    • on user name change: updates all user references of the Remember-Me tokens.
    Class
    com.airlock.iam.common.application.configuration.rememberme.RememberMeConsistencyUserChangeListener
    May be used by
    Properties
    Remember-Me Settings (rememberMeSettings)
    Description
    Configuration enabling the Remember-Me feature.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.rememberme.RememberMeConsistencyUserChangeListener
    id: RememberMeConsistencyUserChangeListener-xxxxxx
    displayName: 
    comment: 
    properties:
      rememberMeSettings:
    

    Remember-Me Database Repository

    Description
    Persists and loads data for Remember-Me.
    Class
    com.airlock.iam.common.application.configuration.rememberme.RememberMeRepositoryConfig
    May be used by
    Properties
    SQL Data Source (sqlDataSource)
    Description
    Defines how connections to the database are obtained.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Log Queries (logQueries)
    Description
    Enable to log SQL queries (only effective if the log level is at least INFO). Attention: query values (including potentially sensitive data) will be logged as well.
    Attributes
    Boolean
    Optional
    Default value
    false
    Tenant ID (tenantId)
    Description
    The value which is added to database records to distinguish between different tenants. The value is also used when retrieving data from the persistence.
    If no value is configured, then 'no_tenant' is used as value on the database.
    Attributes
    String
    Optional
    Length <= 50
    Validation RegEx: (?!no_tenant$).*
    Example
    customerA
    Example
    customerB
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.rememberme.RememberMeRepositoryConfig
    id: RememberMeRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      logQueries: false
      sqlDataSource:
      tenantId:
    

    Remember-Me Device List

    Description
    Configures the Remember-Me device list REST self-service. Additional self-service functionality can be configured in "Protected Self-Service Flows".
    Class
    com.airlock.iam.selfservice.application.configuration.rememberme.RememberMeDeviceListSelfServiceRestConfig
    May be used by
    Properties
    Remember-Me Settings (rememberMeConfig)
    Description
    Common configuration for the Remember-Me feature.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Include Geolocation (includeGeolocation)
    Description
    If enabled, the geolocation data of Remember-Me devices is included. For privacy reasons, it may be desirable to disable this feature.
    Attributes
    Boolean
    Optional
    Default value
    false
    Include IP Address (includeIpAddress)
    Description
    If enabled, the IP address of Remember-Me devices is included. For privacy reasons, it may be desirable to disable this feature.
    Attributes
    Boolean
    Optional
    Default value
    false
    User-Agent Mapping (userAgentMappings)
    Description
    If configured, the listed devices contain the result of this mapping in addition to the original user-agent header. The mappings are processed in order and the first matching mapping is used. If none matches, no display value is provided. This may be useful in cases where a non-standard user-agent header is present and a specific display value is desired.

    The Loginapp UI will use this value if available. Otherwise, the UI tries to display the user-agent header in a compact representation.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Access Condition (accessCondition)
    Description

    Precondition that must be fulfilled for a user to access the Remember-Me device list.

    Note the difference to the "Authorization Condition":
    • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
    • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Authorization Condition (authorizationCondition)
    Description

    Precondition that must be fulfilled for the user to be authorized to access the Remember-Me device list without further authentication.

    Note the difference to the "Access Condition":
    • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
    • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.rememberme.RememberMeDeviceListSelfServiceRestConfig
    id: RememberMeDeviceListSelfServiceRestConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accessCondition:
      authorizationCondition:
      includeGeolocation: false
      includeIpAddress: false
      rememberMeConfig:
      userAgentMappings:
    

    Remember-Me Device Management UI

    Description
    Configures the Remember-Me device management user interface.

    Depending on the configuration, the user interface allows an authenticated user to view and delete Remember-Me devices.

    The Remember-Me device management is accessible at /<loginapp-uri>/ui/app/protected/remember-me/devices after user authentication.

    Class
    com.airlock.iam.selfservice.application.configuration.ui.rememberme.RememberMeDeviceManagementUiConfig
    May be used by
    Properties
    Flow To Delete Device (flowToDeleteDevice)
    Description
    ID of the flow which is used for deletion of a Remember-Me device. If not configured, the user will not be able to delete a device via the management UI.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Page Exit Target (pageExitTarget)
    Description

    If configured, an additional button is displayed on the Remember-Me device management to exit the page. On click, this button redirects the user to the configured target.

    To redirect to a target application, redirect to the corresponding "Authentication Flow". If the flow can be skipped due to the obtained tags, the user is directly forwarded to the target application.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.ui.rememberme.RememberMeDeviceManagementUiConfig
    id: RememberMeDeviceManagementUiConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      flowToDeleteDevice:
      pageExitTarget:
    

    Remember-Me Device Management UI Redirect

    Description
    Redirects to the "Remember-Me Device Management UI".
    Class
    com.airlock.iam.selfservice.application.configuration.ui.rememberme.RememberMeDeviceManagementFlowRedirectTargetConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.ui.rememberme.RememberMeDeviceManagementFlowRedirectTargetConfig
    id: RememberMeDeviceManagementFlowRedirectTargetConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Remember-Me Reset Step

    Description
    Non-interactive step to invalidate all Remember-Me sessions of a user.
    Class
    com.airlock.iam.authentication.application.configuration.rememberme.RememberMeResetStepConfig
    May be used by
    Properties
    Remember-Me Repository (repository)
    Description
    Repository where the Remember-Me sessions are persisted.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    JSP Credential Persister (jspCredentialPersister)
    Description
    Credential persister to delete the legacy cookie secrets from JSP-based authentication. Only needed as long as there are still users with valid Remember-Me secrets from JSP-based authentication.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.rememberme.RememberMeResetStepConfig
    id: RememberMeResetStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      jspCredentialPersister:
      onFailureGotos:
      preCondition:
      repository:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Remember-Me Settings

    Description

    Settings for the Remember-Me feature, which allows certain authentication steps to be skipped if a valid token is present in the request.

    When using this feature, the Remember-Me cookie must be configured as an encrypted pass-through cookie on the Airlock Gateway.

    Class
    com.airlock.iam.common.application.configuration.rememberme.RememberMeConfig
    May be used by
    Properties
    Repository (repository)
    Description
    Configures the repository to store Remember-Me data.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Logout Behavior (logoutBehavior)
    Description
    This property controls what happens when a user explicitly logs out. It determines whether an explicit logout removes or keeps the Remember-Me cookie.
    Attributes
    Enum
    Optional
    Default value
    REMOVE_COOKIE
    Remove Remember-Me Tokens On Password Changes (removeRememberMeTokensOnPasswordChanges)
    Description
    If enabled, Remember-Me tokens will be removed on password changes.
    Attributes
    Boolean
    Optional
    Default value
    true
    Remove Remember-Me Tokens On User Locked (removeRememberMeTokensOnUserLocked)
    Description
    If enabled, Remember-Me tokens will be removed when the user is locked.
    Attributes
    Boolean
    Optional
    Default value
    true
    Lifetime (lifetime)
    Description
    The maximum duration the user will be remembered for. After this time, the token will be invalidated no matter whether it has been used recently or not.

    Duration must be specified like "2d 4h 10m 5s" or any part thereof.

    Attributes
    String
    Optional
    Default value
    7d
    Example
    10d
    Example
    8h
    Example
    2d 12h
    Idle Timeout (idleTimeout)
    Description
    The optional idle timeout of the Remember-Me token. If a token hasn't been used for this amount of time, it will be invalidated no matter whether it has reached its lifetime or not. When this property is not set, a token will only expire when its lifetime has been reached or it has been invalidated by other means.

    Duration must be specified like "2d 4h 10m 5s" or any part thereof.

    Attributes
    String
    Optional
    Example
    10d
    Example
    8h
    Example
    2d 12h
    Cookie Name (cookieName)
    Description
    The name of the Remember-Me cookie.

    If this name is changed, the Airlock Gateway has to be reconfigured to pass-through and encrypt this cookie.

    Attributes
    String
    Optional
    Default value
    RememberMe
    Example
    RememberMe
    Cookie Domain (cookieDomain)
    Description
    The domain for which the cookie is set. If left empty, the cookie will automatically be sent back only to the originating domain which set it in the first place.
    Attributes
    String
    Optional
    Validation RegEx: (?:^[^.].*$|^$)
    Example
    www.airlock.com
    Example
    airlock.com
    Cookie Path (cookiePath)
    Description
    The path for which the cookie is set. The path determines where the cookie is sent to by the browser.

    Use the variable "%ENTRYPATH%" to automatically set the correct path even if used behind an Airlock Gateway.

    Attributes
    String
    Optional
    Default value
    %ENTRYPATH%
    Example
    %ENTRYPATH%
    Example
    /
    Example
    /auth
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.rememberme.RememberMeConfig
    id: RememberMeConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      cookieDomain:
      cookieName: RememberMe
      cookiePath: %ENTRYPATH%
      idleTimeout:
      lifetime: 7d
      logoutBehavior: REMOVE_COOKIE
      removeRememberMeTokensOnPasswordChanges: true
      removeRememberMeTokensOnUserLocked: true
      repository:
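The duration syntax of "Lifetime" and "Idle Timeout" and the way the two limits combine, as an added example that is not Airlock IAM code: `parse_duration` accepts "2d 4h 10m 5s" or any part thereof, and `token_state` applies the absolute lifetime first and the idle timeout second. The `RememberMeToken` record and all timestamps are constructed here; how Airlock IAM actually persists tokens is not reproduced.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

_UNIT_SECONDS = {"d": 86_400, "h": 3_600, "m": 60, "s": 1}
_PART_RE = re.compile(r"^(\d+)([dhms])$")


def parse_duration(text: str) -> timedelta:
    """Parse "2d 4h 10m 5s" (any subset of the parts, whitespace-separated).

    Rejects empty input, unknown units and a unit given twice, so a typo in
    the configuration fails loudly instead of silently shortening or
    extending how long a user stays remembered."""
    parts = text.split()
    if not parts:
        raise ValueError("empty duration")
    seen = set()
    total = 0
    for part in parts:
        match = _PART_RE.match(part)
        if not match:
            raise ValueError(f"invalid duration part: {part!r}")
        value, unit = int(match.group(1)), match.group(2)
        if unit in seen:
            raise ValueError(f"unit {unit!r} given twice in {text!r}")
        seen.add(unit)
        total += value * _UNIT_SECONDS[unit]
    return timedelta(seconds=total)


@dataclass
class RememberMeToken:
    """Constructed stand-in for a persisted Remember-Me token record."""
    user_id: str
    issued_at: datetime
    last_used_at: datetime


def token_state(token: RememberMeToken, now: datetime, lifetime: str,
                idle_timeout: Optional[str] = None) -> str:
    """Classify a token as "valid", "lifetime_expired" or "idle_expired".

    Lifetime is absolute: once issued_at + lifetime is reached the token is
    invalid even if it was used a second ago. Idle timeout, when configured,
    additionally invalidates a token that has not been used for that long."""
    if now >= token.issued_at + parse_duration(lifetime):
        return "lifetime_expired"
    if idle_timeout is not None and now >= token.last_used_at + parse_duration(idle_timeout):
        return "idle_expired"
    return "valid"


def is_valid(token: RememberMeToken, now: datetime, lifetime: str,
             idle_timeout: Optional[str] = None) -> bool:
    return token_state(token, now, lifetime, idle_timeout) == "valid"


def demo() -> dict:
    """Constructed scenarios using the page's default lifetime (7d) and an 8h idle timeout."""
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day3 = issued + timedelta(days=3)
    day7 = issued + timedelta(days=7)
    fresh = RememberMeToken("alice", issued, issued)                         # never used since issue
    recently_used = RememberMeToken("alice", issued, day3 - timedelta(hours=1))
    used_at_end = RememberMeToken("alice", issued, day7 - timedelta(minutes=1))
    return {
        "no_idle_timeout_day3": token_state(fresh, day3, "7d"),          # valid: lifetime not reached
        "idle_day3": token_state(fresh, day3, "7d", "8h"),               # idle_expired: unused for 3 days
        "recently_used_day3": token_state(recently_used, day3, "7d", "8h"),  # valid: used 1h ago
        "recently_used_day7": token_state(used_at_end, day7, "7d", "8h"),    # lifetime_expired despite recent use
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```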
    

    Remember-Me Token Clean-up Task

    Description

    Task to clean up Remember-Me tokens that have expired either by lifetime or by idle timeout. Tokens expired by idle timeout will only be removed when renewed once.

    In order to minimize database locks, the task doesn't delete all expired tokens in one transaction but deletes the tokens in configurable batches.

    It is recommended to schedule this task with a daily interval during a time with little traffic. Depending on the total number of tokens and the number of deletable Remember-Me tokens, the task might take some time but a proper "Batch Size" will keep row locks at a minimum.

    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.rememberme.RememberMeTokenCleanupTaskConfig
    May be used by
    Properties
    Remember-Me Settings (rememberMeConfig)
    Description
    Configuration defining the Remember-Me settings used for clean-up.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Batch Size (batchSize)
    Description

    During clean-up, tokens are deleted in batches of this size. This makes sure that any row locks on the database are very short-lived, not affecting parallel token modifications. This value should not be set too high to prevent very long running transactions.

    Token clean-up will repeat deleting this number of tokens until all expired tokens have been cleaned up. Therefore, this task can take some time when a lot of expired tokens are present.

    This size should be chosen so that every batch does not take longer than 5 seconds. The average runtime of the batches can be found in the task's logs.

    Attributes
    Integer
    Optional
    Default value
    1000
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.rememberme.RememberMeTokenCleanupTaskConfig
    id: RememberMeTokenCleanupTaskConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      batchSize: 1000
      rememberMeConfig:
    

    Remember-Me Token Generating Step

    Description

    Step that generates a 'Remember-Me' token and adds it to the response as cookie.

    In most use cases this step must be activated by the end-user and configured accordingly. If the step does not have to be activated, valid Remember-Me cookies are issued automatically. Depending on their usage, this may pose a security risk.

    Class
    com.airlock.iam.authentication.application.configuration.rememberme.RememberMeTokenGeneratingStepConfig
    May be used by
    Properties
    Requires Activation (requiresActivation)
    Description
    By default the token is only generated if the step has been dynamically activated from a previous step.
    Attributes
    Boolean
    Optional
    Default value
    true
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.rememberme.RememberMeTokenGeneratingStepConfig
    id: RememberMeTokenGeneratingStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      preCondition:
      requiresActivation: true
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Remember-Me User Identifying Step

    Description
    Step that identifies the user by means of a Remember-Me token.

    The step is skipped if no valid token is found in the request.

    Class
    com.airlock.iam.authentication.application.configuration.rememberme.RememberMeUserIdentifyingStepConfig
    May be used by
    Properties
    Migrate JSP Remember-Me Cookies (migrateJspRememberMeCookies)
    Description
    If configured, Remember-Me cookies which originated from the JSP-Loginapp will be automatically migrated to the new flow-based Remember-Me tokens. Be aware that invalid Remember-Me cookies will be forcibly removed from the client.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    REMEMBER_ME
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.rememberme.RememberMeUserIdentifyingStepConfig
    id: RememberMeUserIdentifyingStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: REMEMBER_ME
      customFailureResponseAttributes:
      customResponseAttributes:
      migrateJspRememberMeCookies:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Remote Event Subscriber (Adminapp)

    Description
    An event subscriber that executes an HTTP request to forward the event data to a remote endpoint.
    Class
    com.airlock.iam.admin.application.configuration.event.AdminappRemoteEventSubscriberConfig
    May be used by
    Properties
    Remote URL (remoteUrl)
    Description
    URL to which the request will be sent. The URL can contain variables (using the ${variableName} notation) that will be replaced by the values provided by the event and the context-data of the managed user. See the "Body Template" property for a list of all available variables. All values are URL-encoded before being inserted into the URL.
    Attributes
    String
    Mandatory
    Example
    https://my.remote.host/api/${event.data.userId}/notify
    Body Template (bodyTemplate)
    Description
    Template for the request body. The following syntax can be used to include data in the template.
    • ${contextDataName} for the value of contextDataName in the context-data of the managed user.
    • ${event.createdAt,date,format} for the date/time at which the event was created, where "format" is a date pattern like "yyyy-MM-dd HH:mm:ss".
    Depending on the event and on the conditions in which the event originated, the following variables may also be available:
    • event.createdAt
    • event.data.addedRoles (list of strings)
    • event.data.airlock2FAAccountId
    • event.data.airlock2FADeviceId
    • event.data.activeAuthenticationMethod
    • event.data.contextDataChanged.%s.newValue (where "%s" is replaced by the context-data field name).
    • event.data.contextDataChanged.%s.oldValue (where "%s" is replaced by the context-data field name).
    • event.data.crontoDeviceId
    • event.data.fidoCredentialId
    • event.data.lockReason
    • event.data.mtanNewPhoneNumber
    • event.data.mtanNumberId
    • event.data.mtanOldPhoneNumber
    • event.data.newEmailAddress
    • event.data.newRoles (list of strings)
    • event.data.oldEmailAddress
    • event.data.oldRoles (list of strings)
    • event.data.previousAuthenticationMethod
    • event.data.removedRoles (list of strings)
    • event.data.userId
    • event.id
    • event.metadata.requestIp
    • event.metadata.userAgent
    • event.source.adminId
    Variables that are not defined are replaced by an empty string. The Airlock IAM documentation provides further information about the availability of specific variables. All values are encoded/escaped before being inserted into the request body.
    Attributes
    String
    Optional
    Multi-line-text
    Example
    {"type": "user-locked", "userId": "${event.data.userId}"}
    Value Encoding/Escaping (valueEncoding)
    Description

    The encoding/escaping to be applied to all string values before they are inserted into the request body template.

    Security warning: using no encoding allows unvalidated user input to be sent in the request body.

    The JSON encoder also transforms string lists into (escaped) JSON arrays.

    Attributes
    Enum
    Optional
    Default value
    JSON
    HTTP Client (httpClient)
    Description
    The HTTP client that executes the request.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    HTTP Method (httpMethod)
    Description
    HTTP Method to be used.
    Attributes
    Enum
    Optional
    Default value
    POST
    Content Type (contentType)
    Description
    Value of the content-type header to be used in the request.
    Attributes
    String
    Optional
    Default value
    application/json
    Suggested values
    application/json, application/x-www-form-urlencoded, application/xml, text/plain
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.event.AdminappRemoteEventSubscriberConfig
    id: AdminappRemoteEventSubscriberConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      bodyTemplate:
      contentType: application/json
      event:
      httpClient:
      httpMethod: POST
      remoteUrl:
      valueEncoding: JSON
    

    Remote Event Subscriber (Loginapp)

    Description
    An event subscriber that executes an HTTP request to forward the event data to a remote endpoint.
    Class
    com.airlock.iam.login.application.configuration.event.LoginappRemoteEventSubscriberConfig
    May be used by
    Properties
    Remote URL (url)
    Description
    URL to which the request will be sent. The URL can contain variables (using the ${variableName} notation) that will be replaced by the values provided by the event and the configured value providers. See the "Body Template" property for a list of all available variables. All values are URL-encoded before being inserted into the URL.
    Attributes
    String
    Mandatory
    Example
    https://my.remote.host/api/${event.data.userId}/notify
    Body Template (bodyTemplate)
    Description
    Template for the request body. The following syntax can be used to include data in the template.
    • ${valueMapKey} for the value of valueMapKey provided by any of the configured Value Map Providers.
    • ${event.createdAt,date,format} to include the date/time at which the event was created, where "format" is a date pattern like "yyyy-MM-dd HH:mm:ss".
    Depending on the event and on the conditions in which the event originated, the following variables may also be available:
    • event.createdAt
    • event.data.airlock2FAAccountId
    • event.data.airlock2FADeviceId
    • event.data.activeAuthenticationMethod
    • event.data.authenticationMethods
    • event.data.browser
    • event.data.city
    • event.data.contextDataChanged.%s.newValue (where "%s" is replaced by the context-data field name).
    • event.data.contextDataChanged.%s.oldValue (where "%s" is replaced by the context-data field name).
    • event.data.countryCode
    • event.data.crontoDeviceId
    • event.data.device
    • event.data.deviceTokenId
    • event.data.fidoCredentialId
    • event.data.fidoPublicKeyCredentialId
    • event.data.fidoRelyingPartyId
    • event.data.lockReason
    • event.data.mtanNewPhoneNumber
    • event.data.mtanNumberId
    • event.data.mtanOldPhoneNumber
    • event.data.newEmailAddress
    • event.data.oldEmailAddress
    • event.data.operatingSystem
    • event.data.previousAuthenticationMethod
    • event.data.stepResult.attributes.<attribute-name> (where <attribute-name> is the name of the additional attribute, which may be nested.)
    • event.data.stepResult.errorCode
    • event.data.stepResult.nextAction
    • event.data.stepResult.type
    • event.data.userId
    • event.id
    • event.metadata.requestIp
    • event.metadata.userAgent
    • event.source.applicationId
    • event.source.configurationContext
    • event.source.flowId
    • event.source.stepId
    Variables that are not defined are replaced by an empty string. The Airlock IAM documentation provides further information about the availability of specific variables. All values are encoded/escaped before being inserted into the request body.
    Attributes
    String
    Optional
    Multi-line-text
    Example
    {"type": "user-locked", "userId": "${event.data.userId}"}
    Value Encoding/Escaping (valueEncoding)
    Description

    The encoding/escaping applied to all string values before they are inserted into the request body template.

    Security warning: with no encoding, values are inserted verbatim. Some variables (e.g. event.metadata.userAgent) carry unvalidated user input, so an attacker-controlled value can then break the structure of the request body (for example, add fields to a JSON body).

    The JSON encoder also transforms string lists into (escaped) JSON arrays.

    Attributes
    Enum
    Optional
    Default value
    JSON
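The template substitution and the effect of the Value Encoding setting, shown as an added Python example (this is not Airlock IAM code). The ${name} and ${event.createdAt,date,pattern} syntax, the empty-string replacement for undefined variables, the URL encoding of URL variables and the "later provider wins" merge order follow the descriptions above. The Java date-pattern mapping, the literal form of the JSON array for string lists and the behaviour of the NONE encoding for lists are this example's assumptions, and the event values, including the hostile user agent, are constructed:

```python
import json
import re
from datetime import datetime, timezone
from urllib.parse import quote

# Variable syntax as described on the page: ${name} and ${event.createdAt,date,<pattern>}.
VAR_RE = re.compile(r"\$\{([^},]+)(?:,date,([^}]+))?\}")

# Java date-pattern letters -> strftime (assumption; enough for "yyyy-MM-dd HH:mm:ss").
_JAVA_DATE_TOKENS = [("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"),
                     ("HH", "%H"), ("mm", "%M"), ("ss", "%S")]


def format_java_date(dt, pattern):
    for java, py in _JAVA_DATE_TOKENS:
        pattern = pattern.replace(java, py)
    return dt.strftime(pattern)


def merge_value_maps(*value_maps):
    """Value map providers are applied in configured order; a later key overwrites an earlier one."""
    merged = {}
    for value_map in value_maps:
        merged.update(value_map)
    return merged


def encode_value(value, encoding):
    """Encode one resolved value for insertion into the body template."""
    if value is None:
        return ""  # undefined variables are replaced by the empty string
    if encoding == "JSON":
        if isinstance(value, (list, tuple)):
            return json.dumps(list(value))  # string lists become JSON arrays (assumed literal form)
        return json.dumps(str(value))[1:-1]  # escaped string content, surrounding quotes stripped
    if encoding == "NONE":
        # No escaping at all; list handling under NONE is this example's assumption.
        return ",".join(value) if isinstance(value, (list, tuple)) else str(value)
    raise ValueError(f"unknown encoding {encoding!r}")


def render_body(template, values, encoding="JSON"):
    def substitute(match):
        key, date_pattern = match.group(1), match.group(2)
        value = values.get(key)
        if date_pattern and isinstance(value, datetime):
            value = format_java_date(value, date_pattern)
        return encode_value(value, encoding)
    return VAR_RE.sub(substitute, template)


def render_body_as_json(template, values, encoding="JSON"):
    """Render and parse, i.e. what the remote host would decode from the request."""
    return json.loads(render_body(template, values, encoding))


def render_url(template, values):
    """URL variables are always percent-encoded, so a value cannot add path segments."""
    return VAR_RE.sub(lambda m: quote(str(values.get(m.group(1), "")), safe=""), template)


# Constructed sample event. The user agent is client-controlled and tries to smuggle a JSON field.
EVENT_VALUES = merge_value_maps(
    {"event.data.userId": "unknown"},  # earlier provider, overwritten below
    {"event.data.userId": "alice",
     "event.createdAt": datetime(2024, 5, 17, 9, 30, 5, tzinfo=timezone.utc),
     "event.data.authenticationMethods": ["PASSWORD", "MTAN"],
     "event.metadata.userAgent": 'x", "admin": true, "z": "y'},
)

URL_TEMPLATE = "https://my.remote.host/api/${event.data.userId}/notify"
BODY_TEMPLATE = ('{"type": "user-locked", "userId": "${event.data.userId}", '
                 '"at": "${event.createdAt,date,yyyy-MM-dd HH:mm:ss}", '
                 '"methods": ${event.data.authenticationMethods}, '
                 '"ua": "${event.metadata.userAgent}"}')
INJECTION_TEMPLATE = '{"userId": "${event.data.userId}", "ua": "${event.metadata.userAgent}"}'

if __name__ == "__main__":
    print(render_url(URL_TEMPLATE, EVENT_VALUES))
    print(render_body(BODY_TEMPLATE, EVENT_VALUES, "JSON"))
    print(render_body_as_json(INJECTION_TEMPLATE, EVENT_VALUES, "NONE"))
```

With JSON encoding the smuggled `", "admin": true` stays inside the string value of "ua"; with no encoding it becomes a second top-level field that the receiving service will parse as such. Keep the default unless the content type is one for which the values are escaped some other way, and prefer URL variables that come from attributes you control.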
    HTTP Client (httpClient)
    Description
    The HTTP client that executes the request.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    HTTP Method (httpMethod)
    Description
    HTTP Method to be used.
    Attributes
    Enum
    Optional
    Default value
    POST
    Content Type (contentType)
    Description
    Value of the content-type header to be used in the request.
    Attributes
    String
    Optional
    Default value
    application/json
    Suggested values
    application/json, application/x-www-form-urlencoded, application/xml, text/plain
    Value Map Providers (valueMapProviders)
    Description
    Mappings used to replace the variables in the URL and the body template. The value map providers are called in the configured order and their values are added to a map. A value added later overwrites an earlier one with the same key.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.event.LoginappRemoteEventSubscriberConfig
    id: LoginappRemoteEventSubscriberConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      bodyTemplate:
      contentType: application/json
      event:
      httpClient:
      httpMethod: POST
      url:
      valueEncoding: JSON
      valueMapProviders:
    

    Removed Roles Mapping

    Description
    Mapping from roles removed by Airlock Gateway to tags to be removed in Airlock IAM.
    Class
    com.airlock.iam.flow.shared.application.configuration.RemovedRolesMapping
    May be used by
    Properties
    Role Name (roleName)
    Description
    Name of the role removed by Airlock Gateway. This is the role that triggers the removal of the tags configured below.
    Attributes
    String
    Mandatory
    Tags (tags)
    Description
    List of tags that will be removed whenever the role configured above has been removed by Airlock Gateway. Tag timeouts are ignored, all tags with the same name as the tags configured here are removed.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.RemovedRolesMapping
    id: RemovedRolesMapping-xxxxxx
    displayName: 
    comment: 
    properties:
      roleName:
      tags:
    

    Rename Cronto Device Step

    Description
    Step to rename a Cronto device. This step must be preceded by a Cronto Device Selection Step to select the device to be renamed. The change is applied by an "Apply Changes Step", which requires an "Apply Cronto Device Renaming" to persist the new name.
    Class
    com.airlock.iam.selfservice.application.configuration.step.CrontoDeviceRenamingStepConfig
    May be used by
    License-Tags
    Cronto
    Properties
    Cronto Handler (crontoHandler)
    Description
    Plugin to handle all Cronto-specific actions.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.CrontoDeviceRenamingStepConfig
    id: CrontoDeviceRenamingStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      crontoHandler:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Renew Session ID Processor

    Description
    To prevent session fixation attacks, this processor renews the session id if a flow step is successful or provides tags.
    Class
    com.airlock.iam.flow.shared.application.configuration.processor.RenewSessionIdProcessorConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.processor.RenewSessionIdProcessorConfig
    id: RenewSessionIdProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    
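Why the processor renews the session ID at exactly this point, shown as an added Python model (not Airlock IAM code): an attacker who can plant a pre-authentication session ID on a victim's browser would otherwise inherit the victim's authenticated session. The store, the step outcome model and the "renew when the step succeeded or granted tags" trigger are this example's constructions that mirror the description above:

```python
import secrets


class SessionStore:
    """Minimal server-side session store; session IDs are opaque random tokens."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "tags": set()}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def renew_id(self, sid):
        """Move the session state under a fresh ID and invalidate the old one."""
        state = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = state
        return new_sid


def complete_step(store, sid, succeeded, granted_tags=(), renew_session_id=True):
    """Apply a flow step's outcome. With the processor enabled, the ID is renewed when the
    step succeeded or granted tags; the exact hook point is this example's model."""
    state = store.get(sid)
    state["tags"].update(granted_tags)
    if renew_session_id and (succeeded or granted_tags):
        return store.renew_id(sid)
    return sid


def id_changed_after_step(succeeded, granted_tags=()):
    store = SessionStore()
    sid = store.create()
    return complete_step(store, sid, succeeded, granted_tags) != sid


def fixation_scenario(renew_session_id):
    """Constructed attack: the attacker obtains an anonymous session ID and plants it on the
    victim (e.g. via a crafted link). Returns (user seen via the planted ID, user seen by the victim)
    after the victim has authenticated."""
    store = SessionStore()
    planted_sid = store.create()                  # attacker's anonymous session
    victim_sid = planted_sid                      # victim's browser now carries the same ID
    store.get(victim_sid)["user"] = "victim"      # the password step authenticates the victim
    victim_sid = complete_step(store, victim_sid, succeeded=True,
                               granted_tags={"authenticated"},
                               renew_session_id=renew_session_id)
    attacker_view = store.get(planted_sid)
    return (None if attacker_view is None else attacker_view["user"],
            store.get(victim_sid)["user"])


if __name__ == "__main__":
    print("without renewal:", fixation_scenario(False))
    print("with renewal:   ", fixation_scenario(True))
```

Without renewal the planted ID resolves to the victim's authenticated session; with renewal the victim continues under a fresh ID and the attacker's copy is dead. Renewing on tag grants as well as on step success matters because tags are what later authorization decisions key on.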

    Reply Message Access Challenge Rule

    Description
    Maps a RADIUS access challenge response's reply messages to an authentication result type.
    Class
    com.airlock.iam.core.misc.impl.authen.radius.ReplyMessageAccessChallengeRule
    May be used by
    Properties
    Pattern (pattern)
    Description

    The regular expression matched against the reply message of the RADIUS access challenge response.

    To extract challenges from the reply messages, exactly one regular expression capture group must be present in the pattern.
    Example reply message: "Challenge: G4"
    Example pattern with capture group: "Challenge: (.+)"

    Attributes
    RegEx
    Mandatory
    Authentication Result (authenticationResult)
    Description
    Defines the authentication result when the reply message matches the configured pattern.

    Attention: When using the "Authentication successful" result, note that obtaining additional roles from the response is not possible as it is with Access-Accept packets. Interpreting a challenge message as a successful authentication result is a shortcut not usually intended by the RADIUS server.
    It can nevertheless be useful, especially with an RSA ACE Server, which requests another authentication step after a successful PIN change; that step can be skipped by treating the "PIN Accepted." challenge as a successful authentication.
    Attributes
    String
    Mandatory
    Allowed values
    Password required, Password wrong, try again, Password change required, Token required, Token wrong, try again, Next token required, New PIN required, Authentication pending, Credential not assigned, Challenge: matrix, Challenge: index, Challenge: string, Authentication successful
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.radius.ReplyMessageAccessChallengeRule
    id: ReplyMessageAccessChallengeRule-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationResult:
      pattern:
    

    Reply Message Access Reject Rule

    Description
    Maps a RADIUS access reject response's reply messages to an authentication result type.
    Class
    com.airlock.iam.core.misc.impl.authen.radius.ReplyMessageAccessRejectRule
    May be used by
    Properties
    Pattern (pattern)
    Description
    The regular expression matched against the reply message of the RADIUS access reject response.
    Attributes
    RegEx
    Mandatory
    Authentication Result (authenticationResult)
    Description
    Defines the authentication result type to be used if the reply message matches the configured pattern.
    Attributes
    String
    Mandatory
    Allowed values
    Unspecified, User not found, User locked, Password wrong, Token wrong, Token expired, New token request refused, Certificate does not match user, Certificate not yet valid, Certificate expired, Certificate revoked, Certificate issuer not trusted, User invalid, User not permitted at this time, User not permitted at this client, User ambiguous, Credential inactive, Insufficient security level, User cancelled authentication process
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.radius.ReplyMessageAccessRejectRule
    id: ReplyMessageAccessRejectRule-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationResult:
      pattern:
    
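How the two reply-message rules above behave, as an added Python example (not Airlock IAM code): a challenge rule must carry exactly one capturing group, which is what the extracted challenge comes from, while a reject rule only classifies. The allowed result names are the two "Allowed values" lists; the rule sets, the sample reply messages, first-match-wins evaluation with a substring search and the "Unspecified" fallback are this example's assumptions:

```python
import re

# Allowed result types, copied from the two rules' "Allowed values".
CHALLENGE_RESULTS = frozenset([
    "Password required", "Password wrong, try again", "Password change required",
    "Token required", "Token wrong, try again", "Next token required", "New PIN required",
    "Authentication pending", "Credential not assigned", "Challenge: matrix",
    "Challenge: index", "Challenge: string", "Authentication successful"])
REJECT_RESULTS = frozenset([
    "Unspecified", "User not found", "User locked", "Password wrong", "Token wrong",
    "Token expired", "New token request refused", "Certificate does not match user",
    "Certificate not yet valid", "Certificate expired", "Certificate revoked",
    "Certificate issuer not trusted", "User invalid", "User not permitted at this time",
    "User not permitted at this client", "User ambiguous", "Credential inactive",
    "Insufficient security level", "User cancelled authentication process"])


def is_valid_challenge_pattern(pattern):
    """A challenge rule needs exactly one capturing group; (?:...) groups do not count."""
    return re.compile(pattern).groups == 1


def compile_challenge_rule(pattern, result):
    if not is_valid_challenge_pattern(pattern):
        raise ValueError(f"challenge pattern {pattern!r} must have exactly one capture group")
    if result not in CHALLENGE_RESULTS:
        raise ValueError(f"{result!r} is not an allowed challenge result")
    return re.compile(pattern), result


def compile_reject_rule(pattern, result):
    if result not in REJECT_RESULTS:
        raise ValueError(f"{result!r} is not an allowed reject result")
    return re.compile(pattern), result


def map_access_challenge(rules, reply_message):
    """First matching rule wins (assumption). Returns (result, extracted challenge) or None."""
    for compiled, result in rules:
        match = compiled.search(reply_message)
        if match:
            return result, match.group(1)
    return None


def map_access_reject(rules, reply_message, default="Unspecified"):
    for compiled, result in rules:
        if compiled.search(reply_message):
            return result
    return default


# Constructed rule sets. The reply messages used below are samples, not from a real RADIUS server.
CHALLENGE_RULES = [
    compile_challenge_rule(r"^Challenge: (.+)$", "Challenge: string"),
    compile_challenge_rule(r"^(PIN Accepted\.)", "Authentication successful"),  # the ACE shortcut
    compile_challenge_rule(r"^(Enter your new PIN.*)", "New PIN required"),
]
REJECT_RULES = [
    compile_reject_rule(r"(?i)user (?:not found|unknown)", "User not found"),
    compile_reject_rule(r"(?i)account (?:locked|disabled)", "User locked"),
]

if __name__ == "__main__":
    print(map_access_challenge(CHALLENGE_RULES, "Challenge: G4"))
    print(map_access_reject(REJECT_RULES, "Account locked after 5 failures"))
```

Rule order matters when patterns overlap, and a pattern such as `Challenge: .+` (no group) or `(Challenge): (.+)` (two groups) must be rejected at configuration time rather than silently producing the wrong challenge.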

    Report Exec Task

    Description
    This task plug-in iterates over the files in a directory (e.g. rendered reports) and executes an OS command (e.g. print command) with the file.

    The task can for example be used to send PDFs to a printer.

    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.ReportExecTask
    May be used by
    Properties
    Directory (directory)
    Description
    Denotes the directory containing the files to be processed.

    This may be either an absolute path or relative to the current directory of the running VM.

    The directory must be writable (if files are deleted after processing).

    Attributes
    File/Path
    Mandatory
    Command (command)
    Description
    Specifies the command to be executed.

    The command may contain the following variables:

    • "${FILE}" is substituted by the file name (no path) being processed.
    • "${DIR}" is substituted by the file path of the directory the file is in (relative to the JVMs current directory). This corresponds to the path of the directory specified by configuration property "directory".
    • "${ABSOLUTE_DIR}" is substituted by the absolute file path of the directory the file is in. This corresponds to the path of the directory specified by configuration property "directory".
    The variable names are case-sensitive. The curly braces are mandatory. Each variable may be used more than once.
    The command is executed in the directory denoted by the configuration property "directory".

    Attributes
    String
    Mandatory
    Example
    lp -d myprinter ${FILE}
    Example
    cp ${FILE} ${DIR}/../otherdir/
    Example
    cp ${FILE} ${ABSOLUTE_DIR}/../otherdir/
    Filename Suffix (filenameSuffix)
    Description
    A file in the configured directory is only processed if its name matches this suffix.
    The suffix is NOT case-sensitive.
    Attributes
    String
    Optional
    Example
    .pdf
    Example
    .txt
    Filename Prefix (filenamePrefix)
    Description
    A file in the configured directory is only processed if its name matches this prefix.
    The prefix is matched against the filename only, i.e. without the path to the folder it is in.
    The prefix is NOT case-sensitive.
    Attributes
    String
    Optional
    Example
    pwd-letter-
    Example
    matrix-
    Delete Processed Files (deleteProcessedFiles)
    Description
    If set to true (the default), the processed files are deleted after executing the OS command successfully.

    Note: If a file is not deleted, it is usually processed again on every run of the task. Setting this property to "false" makes sense if the OS command itself removes the file from the directory.

    Attributes
    Boolean
    Optional
    Default value
    true
    Success Return Codes (successReturnCodes)
    Description
    Defines what return code(s) of the OS command should be interpreted as success.

    Multiple return codes may be specified as a comma-separated list.

    If more than one return code is specified, they are all compared to the result code.

    If the return code from the OS command does not match any of the specified return codes, it is considered to be a failure.

    The elements must be integers.

    Attributes
    String-List
    Optional
    Default value
    [0]
    Output Pattern (outputPattern)
    Description
    Regular expression pattern compared against the standard output and the standard error of the OS command to detect successful execution.
    The pattern is compared against the whole output, i.e. including line breaks. The "." also matches line breaks ("DOTALL" is enabled).

    If defined, this check is done after the return code has been checked (see property "Success Return Codes").

    Multiple patterns may be defined using the group/selector notation.

    If the output from the OS command does not match any of the patterns, it is considered to be a failure.

    Attributes
    RegEx-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.ReportExecTask
    id: ReportExecTask-xxxxxx
    displayName: 
    comment: 
    properties:
      command:
      deleteProcessedFiles: true
      directory:
      filenamePrefix:
      filenameSuffix:
      outputPattern:
      successReturnCodes: [0]
    
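The processing loop that the properties above describe, as an added Python example (not Airlock IAM code): case-insensitive prefix/suffix filtering on the bare filename, case-sensitive ${FILE}/${DIR}/${ABSOLUTE_DIR} substitution, the return-code check followed by the DOTALL pattern check against the whole output, and deletion only after success. The page does not say how IAM itself executes the command; this example splits the command template into arguments first, substitutes per argument and runs without a shell, so a filename with spaces or shell metacharacters stays a single argument. That choice, the use of `cat` as a stand-in for the print command and the files in the scenario are the example's own:

```python
import re
import shlex
import subprocess
import tempfile
from pathlib import Path


def select_files(directory, filename_prefix=None, filename_suffix=None):
    """Filter on the bare filename; prefix and suffix are case-insensitive."""
    prefix = (filename_prefix or "").lower()
    suffix = (filename_suffix or "").lower()
    return sorted(p for p in Path(directory).iterdir()
                  if p.is_file()
                  and p.name.lower().startswith(prefix)
                  and p.name.lower().endswith(suffix))


def build_argv(command, directory, filename):
    """Substitute the variables per argv token (case-sensitive, braces mandatory, any number of
    occurrences). Splitting before substitution is this example's hardening: the filename can
    never be re-parsed by a shell."""
    directory = Path(directory)
    replacements = {"${FILE}": filename,
                    "${DIR}": str(directory),
                    "${ABSOLUTE_DIR}": str(directory.resolve())}
    argv = []
    for token in shlex.split(command):
        for var, value in replacements.items():
            token = token.replace(var, value)
        argv.append(token)
    return argv


def command_succeeded(returncode, output, success_return_codes=(0,), output_pattern=None):
    """Return-code check first; then, if configured, the pattern must match the whole output."""
    if returncode not in success_return_codes:
        return False
    if output_pattern is None:
        return True
    return re.fullmatch(output_pattern, output, re.DOTALL) is not None


def run_task(directory, command, filename_prefix=None, filename_suffix=None,
             success_return_codes=(0,), output_pattern=None, delete_processed_files=True):
    """One run of the task; returns {filename: succeeded}."""
    results = {}
    for path in select_files(directory, filename_prefix, filename_suffix):
        proc = subprocess.run(build_argv(command, directory, path.name), cwd=directory,
                              capture_output=True, text=True)
        ok = command_succeeded(proc.returncode, proc.stdout + proc.stderr,
                               success_return_codes, output_pattern)
        if ok and delete_processed_files:
            path.unlink()  # a file left behind is picked up again on the next run
        results[path.name] = ok
    return results


def demo():
    """Constructed scenario: letters with PDF names, one of which fails the output check."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "pwd-letter-001.PDF").write_text("letter ok\n")
        (d / "PWD-LETTER-002.pdf").write_text("letter ok\n")
        (d / "pwd-letter-003.pdf").write_text("corrupt\n")
        (d / "matrix-004.pdf").write_text("letter ok\n")  # wrong prefix, must be left alone
        results = run_task(d, "cat ${FILE}", filename_prefix="pwd-letter-",
                           filename_suffix=".pdf", success_return_codes=(0,),
                           output_pattern=r".*letter ok.*")
        remaining = sorted(p.name for p in d.iterdir())
    return results, remaining


if __name__ == "__main__":
    print(demo())
```

The file that fails the output pattern is kept, so an operator can inspect it, but it will also be retried on every run until it is removed; if the directory can ever receive files whose names you do not control, the per-argument substitution above is the property you want from whatever actually runs the command.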

    Report Mailer Task

    Description
    This task plug-in iterates over the files in a directory (e.g. rendered reports) and emails each file as attachment to a configured list of recipients.

    The task can for example be used to send generated PDFs to administrators.

    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.ReportMailerTask
    May be used by
    Properties
    Directory (directory)
    Description
    Denotes the directory containing the files to be emailed.

    This may be either an absolute path or relative to the current directory of the running VM.

    The directory must be writable (if processed files must be deleted).

    Attributes
    File/Path
    Mandatory
    Filename Suffix (filenameSuffix)
    Description
    A file in the configured directory is only mailed if its name matches this suffix.
    The suffix is NOT case-sensitive. If the property is not configured all files are considered.
    Attributes
    String
    Optional
    Example
    .pdf
    Example
    .txt
    Filename Prefix (filenamePrefix)
    Description
    A file in the configured directory is only mailed if its name matches this prefix.
    The prefix is matched against the filename only, i.e. without the path to the folder it is in.
    The prefix is NOT case-sensitive. If the property is not configured all files are considered.
    Attributes
    String
    Optional
    Example
    pwd-letter-
    Example
    matrix-
    Delete Processed Files (deleteProcessedFiles)
    Description
    If set to true (the default), the processed files are deleted after successful mailing.

    Note: Not deleting the file usually means that it gets mailed again and again.

    Attributes
    Boolean
    Optional
    Default value
    true
    Mail Text (mailText)
    Description
    The email text that is sent with the file. If the text is HTML code, the property "Email Text Is HTML" (mailTextIsHtml) must be set to true.
    Attributes
    String
    Mandatory
    Multi-line-text
    Example
    Dear Administrator

    The attached file has been generated by Airlock IAM and should be taken care of.

    Best Regards
    Your Airlock IAM Server

    Email Text Is HTML (mailTextIsHtml)
    Description
    Set to true if the email text is HTML code.
    Attributes
    Boolean
    Optional
    Default value
    true
    Mail Subject (mailSubject)
    Description
    The subject text that is sent with the file.
    Attributes
    String
    Mandatory
    Example
    Airlock Gridcard to Print
    Email Service (emailService)
    Description
    The Email-Service plugin used to send the emails. It defines the sender address of the email, the SMTP server and the like.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Recipients (recipients)
    Description
    The list of recipient email addresses.
    Attributes
    String-List
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.ReportMailerTask
    id: ReportMailerTask-xxxxxx
    displayName: 
    comment: 
    properties:
      deleteProcessedFiles: true
      directory:
      emailService:
      filenamePrefix:
      filenameSuffix:
      mailSubject:
      mailText:
      mailTextIsHtml: true
      recipients:
    

    Representation SSO Ticket Identifying Step

    Description
    SSO ticket step that expects an SSO ticket containing at least a user ID (the representee) and a representer ID.
    Class
    com.airlock.iam.authentication.application.configuration.sso.RepresentationSsoTicketIdentifyingStepConfig
    May be used by
    License-Tags
    Representation
    Properties
    Allow Locked Users (allowLockedUsers)
    Description

    If enabled, locked users are allowed to be represented.

    Security note: This disables the regular checks whether a user is locked.

    Attributes
    Boolean
    Optional
    Default value
    false
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    SSO_REPRESENT_TICKET
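The counter-reset attack described above, as an added Python model (not Airlock IAM code). It assumes, as the text states, that failed attempts are counted per user and authentication method ID and that a successful check resets only that method's counter; the lock threshold of three and the attacker's interleaving strategy are this example's constructions:

```python
class FailedAttemptCounters:
    """Failed-attempt counters keyed by (user, authentication method ID)."""

    def __init__(self, max_failed_attempts=3):
        self.max_failed_attempts = max_failed_attempts
        self._failures = {}
        self._locked_users = set()

    def is_locked(self, user):
        return user in self._locked_users

    def record_failure(self, user, method_id):
        key = (user, method_id)
        self._failures[key] = self._failures.get(key, 0) + 1
        if self._failures[key] >= self.max_failed_attempts:
            self._locked_users.add(user)  # the lock applies to the user, not to one method

    def record_success(self, user, method_id):
        """A successful check resets only the counter of the method that was checked."""
        self._failures[(user, method_id)] = 0


def attempts_before_lock(flow_a_method_id, flow_b_method_id, guesses, max_failed_attempts=3):
    """The attacker knows password 1 (checked in flow A) and guesses password 2 (checked in
    flow B). After every wrong guess on flow B they log in successfully on flow A.
    Returns how many guesses the server accepted before locking the user."""
    counters = FailedAttemptCounters(max_failed_attempts)
    user = "alice"  # constructed
    accepted = 0
    for _ in range(guesses):
        if counters.is_locked(user):
            break
        counters.record_failure(user, flow_b_method_id)   # wrong guess on flow B
        accepted += 1
        if not counters.is_locked(user):
            counters.record_success(user, flow_a_method_id)  # known password resets that counter
    return accepted


if __name__ == "__main__":
    print("shared id  :", attempts_before_lock("PASSWORD", "PASSWORD", 50))
    print("distinct id:", attempts_before_lock("PASSWORD1", "PASSWORD2", 50))
```

With a shared "PASSWORD" identifier every guess on flow B is followed by a reset from flow A and the user is never locked; with PASSWORD1 and PASSWORD2 the flow-B counter keeps growing and the lock engages at the configured threshold. The default SSO_REPRESENT_TICKET is fine as long as no other step instance in the same configuration reuses it.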
    Ticket Extractors (ticketExtractors)
    Description
    List of ticket extractors that can extract an SSO ticket from the request. The ticket of the first successful extractor is used.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Ticket Decoder (ticketDecoder)
    Description
    Decodes the SSO ticket.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Accepted SSO Tickets Repository (acceptedSsoTicketRepository)
    Description

    Configures the repository used to store accepted SSO tickets, so that a ticket that has already been accepted is rejected when it is presented again.

    The in-memory repository cannot be used if multiple instances of IAM are deployed in parallel (failover, horizontal scaling). Furthermore, the in-memory repository does not preserve previously accepted SSO tickets across IAM restarts.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Username Ticket Key (usernameTicketKey)
    Description
    The ticket key where the username is stored. The value stored under this key is used to identify the user.
    Attributes
    String
    Optional
    Default value
    username
    Ticket Tag Extractors (ticketTagExtractors)
    Description
    List of ticket tag extractors that extract flow tags from the ticket. The user receives these tags when they complete this step successfully, in addition to the tags configured under 'Tags On Success'.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Ticket Role Extractors (ticketRoleExtractors)
    Description
    List of ticket role extractors that extract roles from the ticket, if this step is completed successfully. These roles are stored in the user session and can be accessed with the SSO Ticket Roles Provider.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Ticket Context Data Extractors (ticketContextDataExtractors)
    Description
    List of ticket context data extractors that extract context data from the ticket, if this step is completed successfully. These data are stored in the user session and can be accessed with the SSO Ticket Context Data Provider.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.sso.RepresentationSsoTicketIdentifyingStepConfig
    id: RepresentationSsoTicketIdentifyingStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      acceptedSsoTicketRepository:
      allowLockedUsers: false
      authenticationMethodId: SSO_REPRESENT_TICKET
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      ticketContextDataExtractors:
      ticketDecoder:
      ticketExtractors:
      ticketRoleExtractors:
      ticketTagExtractors:
      usernameTicketKey: username
    

    Representer ID SAML 2.0 Attribute

    Description
    A SAML 2.0 attribute containing the representer's username.
    Class
    com.airlock.iam.saml2.application.configuration.assertion.attribute.RepresenterIdAttributeConfig
    May be used by
    License-Tags
    SamlIdp
    Properties
    Attribute Name (samlAttributeName)
    Description
    The name of the attribute to add to the assertion. If there is no representer username, the attribute will not be included in the assertion.
    Attributes
    String
    Mandatory
    Example
    Representer
    Name Format (nameFormat)
    Description
    The NameFormat to use for the attribute.
    Attributes
    String
    Optional
    Default value
    urn:oasis:names:tc:SAML:2.0:attrname-format:basic
    Suggested values
    urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.assertion.attribute.RepresenterIdAttributeConfig
    id: RepresenterIdAttributeConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
      samlAttributeName:
    

    Request Attribute

    Description
    Defines a request attribute name with a value validation pattern.
    Class
    com.airlock.iam.flow.shared.application.configuration.HttpParameterSpec
    May be used by
    Properties
    Attribute Name (attributeName)
    Description
    The name of the attribute (case-insensitive).
    Attributes
    String
    Mandatory
    Value Validator Pattern (valueValidatorPattern)
    Description
    Pattern defining valid values. Values not matching the pattern are rejected by the server. Use .* if any value is considered to be valid and should be accepted.
    Attributes
    RegEx
    Optional
    Default value
    [a-zA-Z0-9.,:_ -]*
    Max Value Length (maxValueLength)
    Description
    Restricts the value's maximum length.
    Attributes
    Integer
    Optional
    Default value
    30
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.HttpParameterSpec
    id: HttpParameterSpec-xxxxxx
    displayName: 
    comment: 
    properties:
      attributeName:
      maxValueLength: 30
      valueValidatorPattern: [a-zA-Z0-9.,:_ -]*
    

    Request Context Retention Policy

    Description
    The configuration context is evaluated once at the beginning of every request.
    Class
    com.airlock.iam.flow.shared.application.configuration.context.policy.RequestContextRetentionPolicy
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.context.policy.RequestContextRetentionPolicy
    id: RequestContextRetentionPolicy-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Request Has SSO Ticket

    Description
    Flow selection condition that selects the subflow depending on whether the current request has an SSO ticket that can be extracted by one of the configured extractors.
    Class
    com.airlock.iam.authentication.application.configuration.selection.condition.SsoTicketConditionConfig
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service Flow, Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    License-Tags
    SSOTickets
    Properties
    Ticket Extractors (ticketExtractors)
    Description
    List of ticket extractors that can extract an SSO ticket from the request. If extraction succeeds for at least one extractor, the condition is fulfilled.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.selection.condition.SsoTicketConditionConfig
    id: SsoTicketConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      ticketExtractors:
    

    Request Header

    Description
    HTTP-Header definitions for on-behalf-login steps.
    Class
    com.airlock.iam.core.misc.impl.sso.onbehalflogin.HttpRequestHeaderConfig
    May be used by
    Properties
    Name (name)
    Description
    The name of the header.
    Attributes
    String
    Mandatory
    Example
    accept-language
    Value (value)
    Description
    The value of the header. It can contain fixed strings and/or variables from the identity propagation, referenced as ${variable-name}.
    Attributes
    String
    Mandatory
    Example
    en
    Example
    ${language}
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.onbehalflogin.HttpRequestHeaderConfig
    id: HttpRequestHeaderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      name:
      value:
    

    Request Header Ticket Adder Config

    Description
    Instructs Airlock Gateway (WAF) to add a request header to backend requests. This requires that an Airlock Gateway is used and configured in IAM.
    Class
    com.airlock.iam.login.application.configuration.idpropagation.RequestHeaderTicketAdderConfig
    May be used by
    Properties
    Header Name (headerName)
    Description
    The name of the header.
    Attributes
    String
    Mandatory
    Example
    X-AUTH-TICKET
    Content Prefix (contentPrefix)
    Description
    Header content prefix.
    Attributes
    String
    Optional
    Example
    Bearer
    Mapping Names (mappingNames)
    Description
    This property optionally defines the name of the Airlock Gateway (WAF) mappings on which the header is used. If no mapping name is specified, the HTTP header is used on all Airlock Gateway mappings.
    Attributes
    String-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.idpropagation.RequestHeaderTicketAdderConfig
    id: RequestHeaderTicketAdderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contentPrefix:
      headerName:
      mappingNames:
    

    Request Target HTTP Signature Header

    Description
    The (request-target) header which represents the target (method and path) of the request.
    Class
    com.airlock.iam.login.app.misc.oneshot.impl.RequestTargetHttpSignatureHeader
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.RequestTargetHttpSignatureHeader
    id: RequestTargetHttpSignatureHeader-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Request URL Pattern UI Resource Set Rule

    Description
    Changes the directory from which UI resources are retrieved if the request URL for this resource matches a regex pattern.
    Class
    com.airlock.iam.login.application.configuration.uiresource.RequestUrlPatternUiResourceSetRuleConfig
    May be used by
    Properties
    Request URL Pattern (requestUrlPattern)
    Description

    If the request URL to a UI resource matches this pattern, then the resource is retrieved from the resource set specified in the "UI Resource Set File Name" property.

    Note that each request for a resource has its URL matched separately.

    The request URL checked against this pattern includes the protocol, host, port and path, but excludes query parameters.

    This feature is intended to be used to set a custom UI resource set for a particular domain. Changing the UI resource set, e.g. between different flows with the same domain, is not supported. Therefore it is not advised to define a "Request URL Pattern" matching specific request paths.

    Attributes
    RegEx
    Mandatory
    UI Resource Set File Name (uiResourceSetFileName)
    Description

    Name of the UI resource set zip file that contains the Loginapp Design Kit customization.

    If the request URL matches the pattern configured in the "Request URL Pattern" property, the resource is retrieved from this zip file instead of the default UI resource set.

    The zip file is required to be located in the directory specified in the instance.properties file under iam.loginapp.ui.resource-sets.dir. It can also be located in a subfolder if necessary.

    Each zip file name must be unique across the whole directory tree, regardless of the file path.

    It is possible to add new zip files or replace existing zip files while the application is running. Note that it is important to use an atomic file operation so that the zip files are recognized correctly.

    Changing the folder structure by adding, renaming or removing folders as well as moving, renaming or deleting existing zip files is not supported. A restart is required for this to work properly.

    Note that "UI Resource Set File Name" must contain only the file name without the file extension; only the characters A-Z, a-z, 0-9 and the special characters '-' and '_' are allowed in zip file names.

    If there are zip files with duplicate names in the iam.loginapp.ui.resource-sets.dir directory, an exception is thrown during startup. If a duplicate zip file is added while the application is running, an error message is displayed in the console.

    Attributes
    String
    Mandatory
    Validation RegEx: [\w_-]+
    Example
    resource-set-A
    Example
    resource_set_B
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.uiresource.RequestUrlPatternUiResourceSetRuleConfig
    id: RequestUrlPatternUiResourceSetRuleConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      requestUrlPattern:
      uiResourceSetFileName:
    

    Request URL Pattern UI Tenant ID Rule

    Description
    Sets the UI Tenant ID to a static value if the request URL matches a regex pattern.
    Class
    com.airlock.iam.flow.shared.application.configuration.uitenantid.RequestUrlPatternUiTenantIdRuleConfig
    May be used by
    Properties
    Request URL Pattern (requestUrlPattern)
    Description

    If the request URL matches this pattern, the UI Tenant ID is set to the value configured in UI Tenant ID Value.

    The request URL considered here is the URL of the first request made to the IAM backend to start the flow, not the URL entered into the end-client browser.

    The request URL checked against this pattern includes the protocol, host, port and path, but excludes query parameters.

    Attributes
    RegEx
    Mandatory
    UI Tenant ID Value (uiTenantIdValue)
    Description
    If the request URL matches the pattern configured in Request URL Pattern, the UI Tenant ID is set to this value.
    Attributes
    String
    Mandatory
    Example
    example-tenant-id
    Example
    exampleTenantId
    Example
    value1
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.uitenantid.RequestUrlPatternUiTenantIdRuleConfig
    id: RequestUrlPatternUiTenantIdRuleConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      requestUrlPattern:
      uiTenantIdValue:
    

    Requested Authentication Context Mapping

    Description
    A specific authentication flow can be started based on a Requested Authentication Context (RequestedAuthnContext element) in the Authentication Request. If the configured Authentication Context is requested in the Authentication Request, the configured application's authentication flow is started.
    Class
    com.airlock.iam.saml2.application.configuration.Saml2RequestedAuthnContextToApplicationIdConfig
    May be used by
    License-Tags
    SamlIdp
    Properties
    Requested Authentication Context (requestedAuthnContextValue)
    Description
    If the configured value is requested in the Authentication Request, the configured application's authentication flow is started. Note: The value is case sensitive.
    Attributes
    String
    Mandatory
    Suggested values
    urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword, urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered, urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered, urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract, urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract, urn:oasis:names:tc:SAML:2.0:ac:classes:Password, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession, urn:oasis:names:tc:SAML:2.0:ac:classes:X509, urn:oasis:names:tc:SAML:2.0:ac:classes:PGP, urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI, urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig, urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard, urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI, urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI, urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony, urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony, urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony, urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony, urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword, urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken, urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
    Flow Application ID (flowApplicationId)
    Description
    Application Flow to start.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.Saml2RequestedAuthnContextToApplicationIdConfig
    id: Saml2RequestedAuthnContextToApplicationIdConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      flowApplicationId:
      requestedAuthnContextValue:
    

    Requested Resource Or Audience Condition

    Description
    Condition matching the resource or audience parameter. If either resource or audience matches, the condition evaluates to true.
    Class
    com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.condition.TargetOAuth2TokenExchangeRuleConditionConfig
    May be used by
    License-Tags
    OAuthTokenExchange
    Properties
    Requested Resource (requestedResource)
    Description

    Matches the "resource" parameter(s) from the token exchange request. Matches only if configured.

    Notice that ".*" even matches when there is no resource parameter in the request.

    Attributes
    RegEx
    Optional
    Requested Audience (requestedAudience)
    Description

    Matches the "audience" parameter(s) from the token exchange request. Matches only if configured.

    Notice that ".*" even matches when there is no audience parameter in the request.

    Attributes
    RegEx
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.condition.TargetOAuth2TokenExchangeRuleConditionConfig
    id: TargetOAuth2TokenExchangeRuleConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      requestedAudience:
      requestedResource:
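    The edge case the description calls out is easy to get wrong: because an absent parameter is still compared against the configured RegEx, a pattern of ".*" fires even when the token exchange request names no target at all, so a rule meant to be target-specific needs an explicit pattern. The following evaluator is an added illustration written for this page, not Airlock IAM code; it assumes that a missing parameter is matched as the empty string and that, for a repeated parameter, any one matching value is enough.

```python
from __future__ import annotations

import re
from typing import Dict, Optional, Sequence


def _parameter_matches(pattern: Optional[str], values: Sequence[str]) -> bool:
    """Match one configured RegEx against the values of a request parameter.

    - Not configured (None or empty) never matches, as the reference states.
    - An absent parameter is compared against the empty string (assumption);
      that is exactly why ".*" still matches when the parameter is missing.
    - For a repeated parameter, any one matching value is accepted (assumption).
    """
    if not pattern:
        return False
    regex = re.compile(pattern)
    candidates = list(values) if values else [""]
    return any(regex.fullmatch(value) is not None for value in candidates)


def requested_resource_or_audience_condition(
    requested_resource: Optional[str],
    requested_audience: Optional[str],
    request_params: Dict[str, Sequence[str]],
) -> bool:
    """True if either the 'resource' or the 'audience' pattern matches the request."""
    return _parameter_matches(requested_resource, request_params.get("resource", [])) or _parameter_matches(
        requested_audience, request_params.get("audience", [])
    )


# Constructed token exchange request parameters (already parsed into name -> values).
REQUEST_WITH_RESOURCE = {"resource": ["https://api.example.com/orders"]}
REQUEST_WITHOUT_TARGET: Dict[str, Sequence[str]] = {}  # neither resource nor audience sent


def compare_lax_and_explicit_patterns() -> Dict[str, bool]:
    """Show how a lax and an explicit resource pattern behave on a request without a target."""
    return {
        "lax_pattern_no_target": requested_resource_or_audience_condition(".*", None, REQUEST_WITHOUT_TARGET),
        "explicit_pattern_no_target": requested_resource_or_audience_condition(
            r"https://api\.example\.com/.*", None, REQUEST_WITHOUT_TARGET
        ),
        "explicit_pattern_with_target": requested_resource_or_audience_condition(
            r"https://api\.example\.com/.*", None, REQUEST_WITH_RESOURCE
        ),
    }


if __name__ == "__main__":
    for name, outcome in compare_lax_and_explicit_patterns().items():
        print(f"{name}: {outcome}")
```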
    

    Required Characters Password Policy

    Description
    A password policy check that assures that there is at least one character of each defined class in a new password.

    This plugin can, for example, be used to assure that a password contains at least one letter and one digit.

    Class
    com.airlock.iam.core.misc.impl.authen.PwdPolicyRequiredCharsCheck
    May be used by
    Properties
    Patterns (patterns)
    Description
    The regular expression pattern that defines a class of characters.

    Every character of the password is matched against this pattern.

    For details about the regular expression syntax, please refer to the class description of java.util.regex.Pattern in the Java JDK that is used.
    Attributes
    RegEx-List
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.PwdPolicyRequiredCharsCheck
    id: PwdPolicyRequiredCharsCheck-xxxxxx
    displayName: 
    comment: 
    properties:
      patterns:
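    The check described above, as an added illustration written for this page rather than Airlock IAM's own implementation: each configured pattern is one character class, every character of the password is tested against it individually, and the policy passes only when every class is represented at least once. Python's re module stands in for java.util.regex.Pattern, so Java-only class syntax is not covered; the example policy is constructed.

```python
import re
from typing import List, Sequence


def missing_required_classes(password: str, patterns: Sequence[str]) -> List[str]:
    """Return the configured patterns that no character of the password matches.

    An empty result means the password satisfies the policy. Returning the unmet
    patterns (rather than a bare boolean) lets a caller build a precise error
    message for the user without re-running the check.
    """
    missing: List[str] = []
    for pattern in patterns:
        regex = re.compile(pattern)  # Java-only syntax such as \p{Lu} is not handled here
        # A class counts as present when at least one single character fully matches it.
        if not any(regex.fullmatch(ch) is not None for ch in password):
            missing.append(pattern)
    return missing


def password_satisfies_policy(password: str, patterns: Sequence[str]) -> bool:
    """True when every configured character class occurs at least once in the password."""
    return not missing_required_classes(password, patterns)


# Constructed example policy (the 'patterns' list of the YAML template above):
# at least one letter, one digit and one character that is neither.
LETTER_DIGIT_SYMBOL = [r"[A-Za-z]", r"[0-9]", r"[^A-Za-z0-9]"]


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "letters only", "12345678"):
        print(repr(candidate), "->", missing_required_classes(candidate, LETTER_DIGIT_SYMBOL) or "ok")
```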
    

    Required Checkbox State

    Description
    Validates the state of a checkbox.
    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.validation.CheckboxStateValidationConfig
    May be used by
    Properties
    Translation Key (translationKey)
    Description
    The translation key to use for the error message in case the validation fails. A default translation is used when no translation key is configured.
    Attributes
    String
    Optional
    Checked Expected (checkedExpected)
    Description
    The state (checked or unchecked) that the validation enforces on the generated checkbox element.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.validation.CheckboxStateValidationConfig
    id: CheckboxStateValidationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      checkedExpected: true
      translationKey:
    

    Required Field

    Description
    Validates that a field has a value.
    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.validation.RequiredValidationConfig
    May be used by
    Properties
    Translation Key (translationKey)
    Description
    The translation key to use for the error message in case the validation fails. A default translation is used when no translation key is configured.
    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.validation.RequiredValidationConfig
    id: RequiredValidationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      translationKey:
    

    Required Scopes Claim Condition Config

    Description
    This condition is fulfilled if all of the configured scopes are present.
    Class
    com.airlock.iam.oauth2.application.configuration.claims.conditions.RequiredScopesClaimConditionConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Scopes (scopes)
    Description
    This condition is fulfilled if every one of the following scopes is present.
    Attributes
    String-List
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.claims.conditions.RequiredScopesClaimConditionConfig
    id: RequiredScopesClaimConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      scopes:
    

    Resource Access Controller

    Description
    A role-based access controller that provides access to resources based on URL path patterns.
    Class
    com.airlock.iam.common.application.configuration.authorization.ResourceAccessController
    May be used by
    Properties
    Allow Rules (allowRules)
    Description
    List of access rules defining required roles per resource pattern.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.authorization.ResourceAccessController
    id: ResourceAccessController-xxxxxx
    displayName: 
    comment: 
    properties:
      allowRules:
    

    Resource Access Rule

    Description
    Defines how a user in a specific role can access a resource.
    Class
    com.airlock.iam.common.application.configuration.authorization.ResourceAccessControllerAccessRule
    May be used by
    Properties
    Path Pattern (pathPattern)
    Description
    A pattern for matching the path of a resource. The matched path starts with the slash ('/') that separates the context path from the resource path.
    Attributes
    RegEx
    Mandatory
    Method Pattern (methodPattern)
    Description
    A pattern for matching the method of an HTTP request. Multiple methods are specified as a comma-separated list. Use an asterisk ('*') to match any method.
    Attributes
    String
    Mandatory
    Suggested values
    GET, GET,PUT,POST,PATCH,DELETE, *
    Roles (roles)
    Description
    Defines the set of roles required to access the resource. Multiple roles are specified as a comma-separated list; the user must hold at least one of them to take the action. No value means that nobody is allowed. 'NO RESTRICTION' allows access to everyone.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, tokenadmin, helpdesk, sysadmin, superadmin, useradmin,tokenadmin, useradmin,helpdesk, tokenadmin,helpdesk, sysadmin,superadmin, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.authorization.ResourceAccessControllerAccessRule
    id: ResourceAccessControllerAccessRule-xxxxxx
    displayName: 
    comment: 
    properties:
      methodPattern:
      pathPattern:
      roles:
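    The Resource Access Controller and its Resource Access Rules, as an added illustration written for this page (not Airlock IAM's own code): rules are built from the 'properties' keys of the YAML template, the path is matched as a whole against the RegEx (assumption, following Java's Matcher.matches semantics), and access is granted only when at least one rule matches the request and grants it to one of the caller's roles (allow-list semantics, also an assumption). The two easily misread role settings are handled explicitly: an empty 'roles' value denies everyone, 'NO RESTRICTION' admits everyone. Role names are the reference's suggested values; the paths are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

NO_RESTRICTION = "NO RESTRICTION"


@dataclass(frozen=True)
class ResourceAccessRule:
    path_pattern: str       # RegEx for the path, starting at the '/' after the context path
    method_pattern: str     # "GET", "GET,PUT,POST", or "*" for any method
    roles: Optional[str]    # comma-separated roles, "NO RESTRICTION", or empty for nobody

    @classmethod
    def from_properties(cls, props: dict) -> "ResourceAccessRule":
        """Build a rule from the 'properties' block of the YAML template above."""
        return cls(
            path_pattern=props["pathPattern"],
            method_pattern=props["methodPattern"],
            roles=props.get("roles"),  # an empty YAML value arrives as None
        )

    def matches_request(self, method: str, path: str) -> bool:
        # Assumption: the whole path must match the pattern, not just a prefix.
        if re.fullmatch(self.path_pattern, path) is None:
            return False
        if self.method_pattern.strip() == "*":
            return True
        allowed = {m.strip().upper() for m in self.method_pattern.split(",") if m.strip()}
        return method.upper() in allowed

    def grants(self, user_roles: Iterable[str]) -> bool:
        if self.roles is None or not self.roles.strip():
            return False  # no value: not allowed for anyone
        if self.roles.strip() == NO_RESTRICTION:
            return True  # open to everyone, including callers without any role
        required = {r.strip() for r in self.roles.split(",") if r.strip()}
        return not required.isdisjoint(user_roles)


def is_access_allowed(
    rules: List[ResourceAccessRule], method: str, path: str, user_roles: Iterable[str]
) -> bool:
    """Allow-list semantics (assumption): anything no rule grants is denied."""
    roles = set(user_roles)
    return any(rule.matches_request(method, path) and rule.grants(roles) for rule in rules)


# Constructed rule set, in the shape the YAML 'properties' of each rule would be read.
EXAMPLE_RULES = [
    ResourceAccessRule.from_properties(
        {"pathPattern": r"/users(/.*)?", "methodPattern": "GET", "roles": "useradmin,helpdesk"}
    ),
    ResourceAccessRule.from_properties(
        {"pathPattern": r"/users(/.*)?", "methodPattern": "PUT,POST,PATCH,DELETE", "roles": "useradmin"}
    ),
    ResourceAccessRule.from_properties(
        {"pathPattern": r"/tokens(/.*)?", "methodPattern": "*", "roles": "tokenadmin"}
    ),
    ResourceAccessRule.from_properties(
        {"pathPattern": r"/health", "methodPattern": "GET", "roles": NO_RESTRICTION}
    ),
    # 'roles' left empty: the resource is reachable by nobody, whatever their role.
    ResourceAccessRule.from_properties(
        {"pathPattern": r"/internal(/.*)?", "methodPattern": "*", "roles": None}
    ),
]


if __name__ == "__main__":
    checks = [
        ("GET", "/users/42", ["helpdesk"]),
        ("DELETE", "/users/42", ["helpdesk"]),
        ("GET", "/health", []),
        ("GET", "/internal/config", ["superadmin"]),
    ]
    for method, path, roles in checks:
        print(method, path, roles, "->", is_access_allowed(EXAMPLE_RULES, method, path, roles))
```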
    

    Response Header Ticket Adder Config

    Description
    Adds a ticket string as a response header.
    Class
    com.airlock.iam.login.application.configuration.idpropagation.ResponseHeaderTicketAdderConfig
    May be used by
    Properties
    Header Name (headerName)
    Description
    The name of the header.
    Attributes
    String
    Mandatory
    Example
    X-AUTH_TICKET
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.idpropagation.ResponseHeaderTicketAdderConfig
    id: ResponseHeaderTicketAdderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      headerName:
    

    REST API Invocation

    Description
    Allows the UI to invoke the IAM REST API.
    Class
    com.airlock.iam.flow.ui.application.configuration.configurable.RestApiInvocationConfig
    May be used by
    Properties
    URL (url)
    Description
    The URL to call, relative to IAM's top-level 'rest' path. For example, when deploying IAM to https://mycompany.com/auth, all REST APIs will be available under https://mycompany.com/auth/rest. The URL to configure is relative to the latter.
    Attributes
    String
    Mandatory
    Example
    /public/my-company/my-endpoint
    Example
    /protected/self-service/my-endpoint
    Method (method)
    Description
    The HTTP method to use when calling the URL.
    Attributes
    String
    Optional
    Default value
    POST
    Allowed values
    GET, POST, PATCH, PUT, DELETE
    Without Payload (withoutPayload)
    Description
    If enabled, no payload/JSON will be sent to the server.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.RestApiInvocationConfig
    id: RestApiInvocationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      method: POST
      url:
      withoutPayload: false
    

    REST Client Config

    Description
    Configures an HTTPS REST client. Can be used to issue REST calls from Airlock IAM to REST servers.

    Note that this REST client does not support cookies.

    Class
    com.airlock.iam.common.infrastructure.restclient.RestClientConfig
    Properties
    Server URLs (serverUrls)
    Description
    The REST server addresses. These have to be specified without a trailing slash.
    Attributes
    String-List
    Mandatory
    Retry Policy (retryPolicy)
    Description
    The retry policy used to decide if a REST request should be repeated (using the next server URL in the list) depending on its outcome (response or exception).
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Timeout [ms] (timeout)
    Description
    The timeout (in milliseconds) for connection establishment and response receiving when issuing a request to a server. Setting this value to 0 disables the timeout.
    Attributes
    Integer
    Optional
    Default value
    10000
    Connection Pool Max Size (connectionPoolMaxSize)
    Description
    The maximum size of the connection pool.
    Attributes
    Integer
    Optional
    Default value
    50
    Trust Store Path (trustStorePath)
    Description
    The keystore containing the web server certificate. These certificates are trusted when establishing mutual SSL connections for HTTPS REST calls.
    Attributes
    File/Path
    Optional
    Trust Store Password (trustStorePassword)
    Description
    The password used to check the integrity of the truststore, or to unlock the truststore.
    Attributes
    String
    Optional
    Sensitive
    Key Store Path (keyStorePath)
    Description
    The keystore containing a client certificate (including a private key) for Airlock IAM. The client certificate is used to establish mutual SSL connections for HTTPS REST calls.
    Attributes
    File/Path
    Optional
    Key Store Password (keyStorePassword)
    Description
    The password used to check the integrity of the keystore, or to unlock the keystore. Must be provided in case the keystore is configured.
    Attributes
    String
    Optional
    Sensitive
    Basic Auth Credentials (basicAuthCredentials)
    Description
    The credentials for HTTP Basic Authentication. If configured, the Basic Authentication header is sent along with each REST call. If not configured, no Basic Authentication header is sent.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Request Entity Processing (requestEntityProcessing)
    Description
    This property specifies how the request entity is serialized to the output stream: either buffered in memory or streamed using chunked transfer encoding.

    The options are:

    • BUFFERED: the entity will be buffered and the content length will be sent in the Content-Length header.
    • CHUNKED: chunked encoding will be used and the entity will be streamed.

    Attributes
    Enum
    Optional
    Default value
    CHUNKED
    Connection Manager Timeout [ms] (connectionManagerTimeout)
    Description
    The timeout (in milliseconds) to wait for a connection from the connection manager/pool (http.connection-manager.timeout). Setting this value to 0 disables the timeout, and the calling thread blocks indefinitely until a connection is released back to the pool.
    Attributes
    Integer
    Optional
    Default value
    10000
    Proxy URI (proxyUri)
    Description
    URI of an HTTP proxy the connector should use. If the port component of the URI is absent, a default port of 8080 is assumed. If this property is left empty, no proxy is used.
    Attributes
    String
    Optional
    Example
    proxy.company.com
    Proxy Login User (proxyLoginUser)
    Description
    Username for the proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Proxy Login Password (proxyLoginPassword)
    Description
    Password for the proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Sensitive
    Static REST Request Headers (staticRestRequestHeaders)
    Description
    A list of static request headers added to each request made with this REST Client.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Static REST Request Header Strategy (staticRestRequestHeaderStrategy)
    Description
    This property specifies the behaviour when the request already contains a header with a configured header name. If no static request headers are configured, this property has no effect.

    The options are:

    • OVERWRITE_EXISTING: if there is already a value for the configured header name it is overwritten with the configured value.
    • KEEP_ORIGINAL: the already existing header value is kept and the configured value is ignored.

    Attributes
    Enum
    Optional
    Default value
    OVERWRITE_EXISTING
    YAML Template (with default values)
    
    type: com.airlock.iam.common.infrastructure.restclient.RestClientConfig
    id: RestClientConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      basicAuthCredentials:
      connectionManagerTimeout: 10000
      connectionPoolMaxSize: 50
      keyStorePassword:
      keyStorePath:
      proxyLoginPassword:
      proxyLoginUser:
      proxyUri:
      requestEntityProcessing: CHUNKED
      retryPolicy:
      serverUrls:
      staticRestRequestHeaderStrategy: OVERWRITE_EXISTING
      staticRestRequestHeaders:
      timeout: 10000
      trustStorePassword:
      trustStorePath:
    

    Retry If Server Not Reachable Policy

    Description
    Retry if the REST server is not reachable.
    Class
    com.airlock.iam.common.infrastructure.restclient.RetryIfServerNotReachablePolicy
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.infrastructure.restclient.RetryIfServerNotReachablePolicy
    id: RetryIfServerNotReachablePolicy-xxxxxx
    displayName: 
    comment: 
    properties:
    
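    The following is an added example and not Airlock IAM code: it models the documented behaviour of the REST Client Config (failover through the Server URLs list, the Static REST Request Header Strategy) together with the Retry If Server Not Reachable Policy. The transport, the server names and the `Basic Zm9vOmJhcg==` credential are constructed for the example so that it runs offline; case-insensitive header-name comparison and whitespace handling are assumptions, not documented behaviour.

```python
"""Added example (not Airlock IAM code): REST client failover with a
'retry only if the server is not reachable' policy and static headers."""


class ServerNotReachable(Exception):
    """Transport-level failure (connect error or timeout) before any response."""


def retry_if_server_not_reachable(outcome):
    """Policy modelled on 'Retry If Server Not Reachable': the request is repeated
    on the next server URL only when no response was received at all. An HTTP
    error response (e.g. 500) is returned as-is and not replayed elsewhere, since
    the server may already have processed a non-idempotent request."""
    return isinstance(outcome, ServerNotReachable)


def merge_static_headers(request_headers, static_headers, strategy):
    """Apply the configured static headers with OVERWRITE_EXISTING or KEEP_ORIGINAL.
    Header names are compared case-insensitively (assumption)."""
    if strategy not in ("OVERWRITE_EXISTING", "KEEP_ORIGINAL"):
        raise ValueError(f"unknown strategy: {strategy}")
    merged = dict(request_headers)
    existing = {name.lower(): name for name in merged}
    for name, value in static_headers.items():
        present = existing.get(name.lower())
        if present is None:
            merged[name] = value
            existing[name.lower()] = name
        elif strategy == "OVERWRITE_EXISTING":
            merged[present] = value
        # KEEP_ORIGINAL: the request's own value wins, configured value ignored
    return merged


def send_with_failover(server_urls, path, request_headers, transport, retry_policy,
                       static_headers=None, header_strategy="OVERWRITE_EXISTING"):
    """Try the server URLs in order; 'transport(url, headers)' is injected so the
    example runs offline. The retry policy sees every outcome (response or
    exception) and decides whether the next URL in the list is tried."""
    if not server_urls:
        raise ValueError("serverUrls is mandatory and must not be empty")
    headers = merge_static_headers(request_headers, static_headers or {}, header_strategy)
    outcome = None
    for base in server_urls:
        url = base.rstrip("/") + "/" + path.lstrip("/")
        try:
            outcome = transport(url, headers)
        except ServerNotReachable as exc:
            outcome = exc
        if retry_policy(outcome):
            continue  # next server URL in the list
        break
    if isinstance(outcome, Exception):
        raise outcome  # all servers unreachable
    return base, outcome


def demo():
    """Constructed scenario: iam-a refuses connections, iam-b answers."""
    servers = ["https://iam-a.example", "https://iam-b.example"]
    calls = []

    def transport(url, headers):
        calls.append(url)
        if url.startswith("https://iam-a"):
            raise ServerNotReachable("connection refused")
        return {"status": 200, "authorization": headers.get("Authorization")}

    base, response = send_with_failover(
        servers, "/rest/users", {"Accept": "application/json"}, transport,
        retry_if_server_not_reachable,
        static_headers={"Authorization": "Basic Zm9vOmJhcg=="},  # constructed foo:bar
    )
    return {"served_by": base, "response": response, "calls": list(calls)}


def demo_no_retry_on_error_response():
    """Constructed scenario: iam-a answers HTTP 500; the policy does not fail over."""
    servers = ["https://iam-a.example", "https://iam-b.example"]
    calls = []

    def transport(url, headers):
        calls.append(url)
        return {"status": 500}

    base, response = send_with_failover(servers, "/rest/users", {}, transport,
                                        retry_if_server_not_reachable)
    return {"served_by": base, "status": response["status"], "calls": list(calls)}


if __name__ == "__main__":
    print(demo())
    print(demo_no_retry_on_error_response())
```

    The point to check in a real deployment is the second scenario: with this policy an error response from the first server is final, so a server that is up but misbehaving is not masked by failover, and a non-idempotent request is never sent twice. Note also that a configured Basic Auth or static Authorization header is sent to every URL in the list, so all listed servers must be equally trusted.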

    Risk Assessment Step

    Description
    Based on risk extractors this non-interactive step adds a set of flow tags to the current flow. Subsequent flow steps can be controlled based on these collected tags.
    Class
    com.airlock.iam.authentication.application.configuration.risk.RiskAssessmentStepConfig
    May be used by
    Properties
    Risk Extractors (riskExtractorConfigs)
    Description
    The list of risk extractors. These plugins analyze a wide range of information about the current session and the user to determine the flow tags associated with this session. All extractors are evaluated in the configured order.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.risk.RiskAssessmentStepConfig
    id: RiskAssessmentStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      riskExtractorConfigs:
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Risk Tag Plugin

    Description
    A Risk Tag that is produced by a Risk Extractor and consumed by the Access Policy.
    Class
    com.airlock.iam.authentication.application.configuration.risk.RiskTagPlugin
    May be used by
    Properties
    Name (name)
    Description
    The name of the risk tag. This can be any identifier.
    Attributes
    String
    Mandatory
    Example
    typical browser
    Example
    internal network
    Example
    europe
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.risk.RiskTagPlugin
    id: RiskTagPlugin-xxxxxx
    displayName: 
    comment: 
    properties:
      name:
    

    Role Timeout Rule Config

    Description
    Defines the resulting idle timeout and lifetime of a role for a given timeout identifier.
    Class
    com.airlock.iam.login.application.configuration.targetapp.RoleTimeoutRuleConfig
    May be used by
    Properties
    Timeout Identifier (timeoutIdentifier)
    Description
    Identifier of this rule as stored in the context data. If the identifier matches the one stored for the user, the configured timeout(s) are applied to the role. This value is case-sensitive.
    Attributes
    String
    Mandatory
    Example
    LONG
    Example
    admin
    Example
    office-zurich
    Idle Timeout [s] (idleTimeout)
    Description
    Idle timeout in seconds. If set to 0, the default Airlock Gateway idle timeout is applied.
    Attributes
    Integer
    Mandatory
    Lifetime [s] (lifeTime)
    Description
    Role lifetime in seconds. If set to 0 or not defined, the default Airlock Gateway lifetime is applied.
    Attributes
    Integer
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.targetapp.RoleTimeoutRuleConfig
    id: RoleTimeoutRuleConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      idleTimeout:
      lifeTime:
      timeoutIdentifier:
    

    Role Transformation Rule

    Description
    Rule based on regular expression patterns and substitutions used to transform user roles.
    Class
    com.airlock.iam.login.app.misc.configuration.targetapps.RoleTransformationRule
    May be used by
    License-Tags
    StepUpAuthentication
    Properties
    Pattern (pattern)
    Description
    Regular expression pattern of the transformation rule. In each role name, all parts matched by the expression are replaced by the template string; non-matched parts are kept as they are. Use capturing groups to refer to matched parts in the template.

    If no substring of the role name matches the expression, an empty role name is returned, which effectively deletes the role.

    Attributes
    RegEx
    Mandatory
    License-Tags
    StepUpAuthentication
    Template (template)
    Description
    Template string of the rule. In each role name, all parts matched by the pattern are replaced by this template; non-matched parts are kept as they are. Refer to the whole match by $0 and to capturing groups by $1, $2, ...
    Attributes
    String
    Mandatory
    License-Tags
    StepUpAuthentication
    Example
    $1
    Example
    transformedRole
    Example
    role-$0
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.targetapps.RoleTransformationRule
    id: RoleTransformationRule-xxxxxx
    displayName: 
    comment: 
    properties:
      pattern:
      template:
    
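    The following is an added example, not Airlock IAM code: a reimplementation in Python of the documented rule semantics (matched parts replaced by the template, $0/$n references, non-matched parts kept, role deleted when nothing matches) so that a pattern/template pair can be tested against the role names an identity store actually emits. The role names and patterns are constructed; how several rules combine when listed together is not specified on this page and is therefore not modelled.

```python
"""Added example (not Airlock IAM code): apply one Role Transformation Rule."""
import re


def apply_rule(role, pattern, template):
    """Transform a single role name with one (pattern, template) rule.

    - every part of the role name matched by 'pattern' is replaced by 'template'
    - $0 in the template is the whole match, $1, $2, ... are capturing groups
    - parts that do not match are kept as they are
    - if nothing in the role name matches, the rule returns "" (role deleted)
    """
    regex = re.compile(pattern)
    if regex.search(role) is None:
        return ""

    def expand(match):
        def group_ref(ref):
            value = match.group(int(ref.group(1)))
            return value if value is not None else ""  # unmatched optional group
        # Only $<digits> is interpreted; everything else in the template is literal.
        return re.sub(r"\$(\d+)", group_ref, template)

    return regex.sub(expand, role)


def transform_roles(roles, pattern, template):
    """Apply one rule to a list of roles; roles transformed to "" are dropped."""
    transformed = (apply_rule(role, pattern, template) for role in roles)
    return [name for name in transformed if name]


if __name__ == "__main__":
    # Constructed sample: LDAP group DNs from a directory, keep only the CN.
    groups = ["CN=admins,OU=it,DC=example", "CN=finance,OU=biz,DC=example", "guest"]
    print(transform_roles(groups, r"^CN=([^,]+),.*$", "$1"))   # ['admins', 'finance']
    print(apply_rule("admins", r"^.*$", "role-$0"))               # role-admins
    print(apply_rule("ldap-group-finance", r"^ldap-group-", ""))  # finance
```

    Because an unmatched role name is deleted, a rule doubles as an allow-list: `^CN=([^,]+),.*$` with template `$1` silently drops `guest`. When writing a rule, run it over every role the upstream directory can return and confirm both what is kept and what disappears, since an over-broad pattern can grant a mapped role to groups that were never meant to receive it.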

    Role Transformation Rule (Radius)

    Description
    Rule based on regular expression patterns and substitutions used to transform user roles before processing them.
    Class
    com.airlock.iam.servicecontainer.app.application.configuration.RoleTransformationRuleConfig
    May be used by
    Properties
    Pattern (pattern)
    Description
    Regular expression pattern of the rule. Each role that matches the regular expression is transformed using the corresponding template.
    Attributes
    RegEx
    Mandatory
    Template (template)
    Description
    Template expression pattern of the rule. Each role that matches the regular expression is transformed using the corresponding template.
    Attributes
    String
    Mandatory
    Example
    $1
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.RoleTransformationRuleConfig
    id: RoleTransformationRuleConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      pattern:
      template:
    

    Role-based Access Control

    Description
    Defines access control for the Adminapp REST API. REST calls are permitted whenever the corresponding rule defined in this plugin or a rule defined within the REST Access Controller is fulfilled.
    Class
    com.airlock.iam.admin.application.configuration.RoleBasedAccessControllerConfig
    May be used by
    Properties
    REST Access Controller (restServiceAccessController)
    Description
    The access controller plugin that checks whether REST resources are allowed for the logged-in administrator. The REST access controller can only grant additional access to REST resources; it cannot restrict access beyond what the role-based access rules below define.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    List Users (listUsers)
    Description
    Roles required to list and search for users. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    View User Details (viewUser)
    Description
    Roles required to view user details. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    View User Logs (viewUserLogs)
    Description
    Roles required to view user-related logs in the user details. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,superadmin
    View User Context Data (viewContextData)
    Description
    Roles required to view user context data. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    View User Context Data (fine-grained) (detailedViewContextData)
    Description
    Fine-grained access rules for context data fields view. Has precedence over 'View User Context Data'.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Display User Management Extensions (displayUserManagementExtensions)
    Description
    Roles required to see User Management Extensions in the Adminapp UI.
    Note that the JavaScript file containing the User Management Extensions is served with the same accessibility as the rest of the Adminapp UI and can therefore be fetched by unauthenticated users; this setting hides the extensions from the UI but does not protect their code, so the file must not contain secrets.
    At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Display User Management Extensions (fine-grained) (detailedDisplayUserManagementExtensions)
    Description
    Fine-grained display rules for User Management Extensions. Has precedence over 'Display User Management Extensions'.
    This setting does not influence the delivered JavaScript for the User Management Extension. It will always contain the code for all User Management Extensions.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Edit User Details (editUser)
    Description
    Roles required to edit user details. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Edit User Context Data (detailedEditContextData)
    Description
    Fine-grained access rules for context data fields editing. 'Edit User Details' has precedence over these access rules.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Edit Username (editUsername)
    Description
    Roles required to edit the username. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Delete User (deleteUser)
    Description
    Roles required to delete a user. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Add New User (createUser)
    Description
    Roles required to add users. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Lock User (lockUser)
    Description
    Roles required to lock a user. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Unlock User (unlockUser)
    Description
    Roles required to unlock a user. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Manage OAuth 2.0 User Consents (manageOAuth2Consents)
    Description
    Roles required to manage OAuth 2.0 consents for a user. If granted, this takes precedence over "Edit User Details". At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Order Password Letter (orderPassword)
    Description
    Roles required to order a password letter. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Cancel Password Letter Order (unorderPassword)
    Description
    Roles required to cancel an order for a password letter. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Delete User Password (deletePassword)
    Description
    Roles required to delete a user's password. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Generate Or Set User Password (generatePassword)
    Description
    Roles required to generate or set a user's password. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Trigger Password Reset (triggerPasswordReset)
    Description
    Roles required to trigger a password reset. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    View Authentication Token (viewToken)
    Description
    Roles required to view token details on users or in the token manager. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Edit Authentication Token (editToken)
    Description
    Roles required to edit a token. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Order New Authentication Token (orderNewToken)
    Description
    Roles required to order a new token. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Cancel Authentication Token Order (unorderNewToken)
    Description
    Roles required to cancel a token order. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Delete Authentication Token (deleteToken)
    Description
    Roles required to delete a token. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Activate Authentication Token (activateToken)
    Description
    Roles required to activate a token. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Deactivate Authentication Token (deactivateToken)
    Description
    Roles required to deactivate a token. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Generate Token Activation Key IAK (generateTokenIak)
    Description
    Roles required to generate an IAK activation key. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Token Management (manageTokens)
    Description
    Roles required to manage (import) tokens. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    View OATH OTP Token Secret (viewOathOtpTokenSecret)
    Description
    Roles required to view the shared secret of OATH OTP tokens. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions. Since the shared secret is all that is needed to generate valid OTPs, this should be restricted to the smallest possible set of roles.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    View Airlock 2FA Activation Secret (viewAirlock2FAActivationSecret)
    Description
    Roles required to view the Airlock 2FA activation code(s), e.g. when creating or fetching Airlock 2FA activation letters. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    View Cronto Activation Secret (viewCrontoActivationSecret)
    Description
    Roles required to view the Cronto activation code(s). At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    View Technical Clients (viewTechnicalClients)
    Description
    Roles required to view technical clients (list with details). At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Create And Edit Technical Clients / API Keys / Plans (createEditTechnicalClient)
    Description
    Roles required to create and edit technical clients and their API keys and plans. Also allows deleting API keys and plans. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Delete Technical Clients (deleteTechnicalClient)
    Description
    Roles required to delete technical clients. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Lock Technical Clients / API Keys (lockTechnicalClient)
    Description
    Roles required to lock technical clients and API keys. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Unlock Technical Clients / API Keys (unlockTechnicalClient)
    Description
    Roles required to unlock technical clients and API keys. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    List Maintenance Messages (listMaintenanceMessages)
    Description
    Roles required to list maintenance messages. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Edit Maintenance Messages (editMaintenanceMessage)
    Description
    Roles required to edit maintenance messages. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Delete Maintenance Messages (deleteMaintenanceMessage)
    Description
    Roles required to delete maintenance messages. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    List Administrators (listAdministrators)
    Description
    Roles required to list administrators. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    View Administrators (viewAdministrator)
    Description
    Roles required to view administrator details. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Edit Administrators (editAdministrator)
    Description

    Roles required to edit administrators. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.

    CAUTION: Editing administrators includes assigning roles to administrators. An administrator with this privilege can therefore also grant this privilege to other administrators.

    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Delete Administrators (deleteAdministrator)
    Description
    Roles required to delete administrators. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Add New Administrators (createAdministrator)
    Description
    Roles required to create administrators. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Lock Administrators (lockAdministrator)
    Description
    Roles required to lock administrators. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Unlock Administrators (unlockAdministrator)
    Description
    Roles required to unlock administrators. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Delete Administrator's Password (deleteAdministratorPassword)
    Description
    Roles required to delete an administrator's password. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Change Administrator's Password (changeAdministratorPassword)
    Description
    Roles required for an administrator to change their own password. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Generate Administrator Password (generateAdministratorPassword)
    Description
    Roles required to generate an administrator's password. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Edit Configuration (editConfig)
    Description
    Roles required to edit configurations. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Apply Configuration (applyConfig)
    Description

    Roles required to apply configurations. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.

    CAUTION: Because administrator access control is itself part of the configuration, an administrator with this privilege can potentially gain all administrator rights.

    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    View Log Files (viewLog)
    Description
    Roles required to view log files. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    View License (viewLicense)
    Description
    Roles required to view and edit the license. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Access Service Container Management (accessServiceContainer)
    Description
    Roles required to access the service container. At least one of the listed, comma-separated roles is sufficient. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    NO RESTRICTION, useradmin, helpdesk, useradmin,helpdesk, useradmin,tokenadmin, tokenadmin,helpdesk, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.RoleBasedAccessControllerConfig
    id: RoleBasedAccessControllerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accessServiceContainer:
      activateToken:
      applyConfig:
      changeAdministratorPassword:
      createAdministrator:
      createEditTechnicalClient:
      createUser:
      deactivateToken:
      deleteAdministrator:
      deleteAdministratorPassword:
      deleteMaintenanceMessage:
      deletePassword:
      deleteTechnicalClient:
      deleteToken:
      deleteUser:
      detailedDisplayUserManagementExtensions:
      detailedEditContextData:
      detailedViewContextData:
      displayUserManagementExtensions:
      editAdministrator:
      editConfig:
      editMaintenanceMessage:
      editToken:
      editUser:
      editUsername:
      generateAdministratorPassword:
      generatePassword:
      generateTokenIak:
      listAdministrators:
      listMaintenanceMessages:
      listUsers:
      lockAdministrator:
      lockTechnicalClient:
      lockUser:
      manageOAuth2Consents:
      manageTokens:
      orderNewToken:
      orderPassword:
      restServiceAccessController:
      triggerPasswordReset:
      unlockAdministrator:
      unlockTechnicalClient:
      unlockUser:
      unorderNewToken:
      unorderPassword:
      viewAdministrator:
      viewAirlock2FAActivationSecret:
      viewContextData:
      viewCrontoActivationSecret:
      viewLicense:
      viewLog:
      viewOathOtpTokenSecret:
      viewTechnicalClients:
      viewToken:
      viewUser:
      viewUserLogs:
    

    Role-based Access Controller

    Description
    An access controller plugin making access decisions based on a user's roles. For each action, a set of required roles is defined in the configuration. If the user has at least one of the specified roles, access is granted.
    Class
    com.airlock.iam.core.misc.impl.authorization.RoleBasedAccessController
    May be used by
    Properties
    Rules (rules)
    Description
    List of access rules defining required roles per action.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authorization.RoleBasedAccessController
    id: RoleBasedAccessController-xxxxxx
    displayName: 
    comment: 
    properties:
      rules:
    

    Role-based Access Rule

    Description
    Defines the required roles for an action.
    Class
    com.airlock.iam.core.misc.impl.authorization.RoleBasedAccessControllerAccessRule
    May be used by
    Properties
    Required Roles (requiredRoles)
    Description
    Defines the set of roles required to perform the action. Multiple roles are specified as a comma-separated list. The user must hold at least one of the listed roles to perform the action.
    Attributes
    String
    Mandatory
    Suggested values
    useradmin, tokenadmin, helpdesk, sysadmin, superadmin, useradmin,tokenadmin, useradmin,helpdesk, tokenadmin,helpdesk, sysadmin,superadmin, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    Action (action)
    Description
    The name of the action.
    Attributes
    String
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authorization.RoleBasedAccessControllerAccessRule
    id: RoleBasedAccessControllerAccessRule-xxxxxx
    displayName: 
    comment: 
    properties:
      action:
      requiredRoles:
    
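The decision logic described for the administrator access controller above (empty value denies, 'NO RESTRICTION' admits any authenticated admin, otherwise any one of the comma-separated roles suffices) and for the generic Role-based Access Controller with its Role-based Access Rules, written out as an added example. This is not Airlock IAM code; the sample configuration and rule list are constructed here, and the behaviour for an action that has no rule (denied) is an assumption, since the reference does not state it. The `review_escalation` helper is an added reviewer check that lists which roles reach the two privileges the reference marks with CAUTION.

```python
"""Added example (not Airlock IAM code): role-based access decisions
with the semantics documented in the plugin reference."""

NO_RESTRICTION = "NO RESTRICTION"

# The two privileges the reference flags with CAUTION: either one lets the
# holder reach every other administrator right.
ESCALATING_PRIVILEGES = ("editAdministrator", "applyConfig")


def parse_roles(value):
    """Split a comma-separated role string into a set of role names.
    Surrounding whitespace is ignored and empty entries are dropped."""
    if value is None:
        return set()
    return {r.strip() for r in value.split(",") if r.strip()}


def privilege_allows(required, admin_roles, authenticated=True):
    """Decision for one admin privilege property (e.g. 'editAdministrator').

    required      -- the configured property value (None or '' = unset)
    admin_roles   -- roles held by the calling administrator
    authenticated -- whether the caller is an authenticated admin at all
    """
    if not authenticated:
        return False                 # nothing is granted to anonymous callers
    if required is None or required.strip() == "":
        return False                 # unset value: access is always denied
    if required.strip() == NO_RESTRICTION:
        return True                  # any authenticated admin
    return bool(parse_roles(required) & set(admin_roles))


def controller_allows(rules, action, user_roles):
    """Decision of the generic Role-based Access Controller: look up the rule
    for the action and grant if the user holds at least one required role.
    `rules` mirrors the Role-based Access Rule YAML (action, requiredRoles).
    Assumption: an action without a rule is denied."""
    for rule in rules:
        if rule["action"] == action:
            return bool(parse_roles(rule["requiredRoles"]) & set(user_roles))
    return False


def review_escalation(config):
    """Reviewer check: which roles can reach the CAUTION-flagged privileges.
    Returns {privilege: set of roles}; {NO_RESTRICTION} means every admin."""
    result = {}
    for privilege in ESCALATING_PRIVILEGES:
        value = config.get(privilege)
        if value is None or value.strip() == "":
            result[privilege] = set()
        elif value.strip() == NO_RESTRICTION:
            result[privilege] = {NO_RESTRICTION}
        else:
            result[privilege] = parse_roles(value)
    return result


# Constructed sample values (not from a real deployment).
SAMPLE_ADMIN_CONFIG = {
    "viewUser": NO_RESTRICTION,
    "editAdministrator": "superadmin",
    "applyConfig": "sysadmin,superadmin",
    "deleteAdministrator": "",
}
SAMPLE_RULES = [
    {"action": "deleteUser", "requiredRoles": "useradmin,superadmin"},
    {"action": "viewToken", "requiredRoles": "tokenadmin,helpdesk"},
]

if __name__ == "__main__":
    print(privilege_allows(SAMPLE_ADMIN_CONFIG["applyConfig"], ["sysadmin"]))
    print(review_escalation(SAMPLE_ADMIN_CONFIG))
```

Running `review_escalation` over the real `RoleBasedAccessControllerConfig` values is the check a reviewer would want before applying a configuration: every role it lists for `editAdministrator` or `applyConfig` is, in effect, a full administrator.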

    Role-based Authenticator Selector

    Description

    Authenticator plugin that selects one of several configured authenticators depending on the user roles granted before the authentication process. The user roles are compared against a list of mappings. One mapping consists of a list of roles and an authenticator. The first mapping containing a role of the user defines the authenticator to be used for the rest of the authentication process.
    If no mapping matches, the default authenticator is used.

    Note: This plugin does not check the status of the user account (locked, invalid) and does not update login statistics (failed logins, etc.). It can therefore only be used in conjunction with another authenticator (e.g. Main Authenticator or Meta Authenticator).

    Class
    com.airlock.iam.core.misc.impl.authen.RoleBasedAuthenticatorSelector
    May be used by
    Properties
    Mappings (mappings)
    Description
    Ordered list of mappings between user roles and authenticators. The first matching mapping is chosen for the authentication process.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    User Persister (userPersister)
    Description
    The user persister used to load the user's roles.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.RoleBasedAuthenticatorSelector
    id: RoleBasedAuthenticatorSelector-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultAuthenticator:
      mappings:
      userPersister:
    

    Role-based Gateway Role

    Description
    Provides an Airlock Gateway role conditional on the presence of a user role.
    Class
    com.airlock.iam.login.application.configuration.targetapp.UserRoleWafCredentialProviderConfig
    May be used by
    Properties
    User Role Name (userRoleName)
    Description
    The name of a user role. If the user has this role on the database / persistence layer, an Airlock Gateway role is added as follows:
    • If the "Gateway Mapping Role" is not defined, the user role name is used as Airlock Gateway role. In this case, the role name must not include special characters.
    • Otherwise, the "Gateway Mapping Role" is used as Airlock Gateway role.
    Attributes
    String
    Mandatory
    Gateway Mapping Role (wafCredentialName)
    Description
    The name can be defined in case a name different from the 'User Role Name' must be used. Please refer to the property description of 'User Role Name'.
    Attributes
    String
    Optional
    Length <= 50
    Validation RegEx: [a-zA-Z0-9_.\-]+
    Idle Timeout [s] (idleTimeout)
    Description
    The WAF credential's idle timeout in seconds. The credential will be removed after the WAF session has been idle for this duration.
    Attributes
    Integer
    Optional
    Lifetime [s] (lifetime)
    Description
    The WAF credential's lifetime in seconds. The credential will be removed from the WAF session after this duration.
    Attributes
    Integer
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.targetapp.UserRoleWafCredentialProviderConfig
    id: UserRoleWafCredentialProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      idleTimeout:
      lifetime:
      userRoleName:
      wafCredentialName:
    

    Role-based OAuth 2.0 Scope Condition

    Description

    Configures an OAuth 2.0 scope condition.

    The scope is matched against the "Scope Matcher" pattern. A scope is allowed if it matches the regex and it is covered by a matching role.

    Class
    com.airlock.iam.oauth2.application.configuration.scope.RoleBasedOAuth2ScopeConditionConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Scope Matcher (scopeMatcher)
    Description
    Matches the scope to check.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Role Provider (roleProvider)
    Description
    Plugin to determine the roles to match the scope against.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.scope.RoleBasedOAuth2ScopeConditionConfig
    id: RoleBasedOAuth2ScopeConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      roleProvider:
      scopeMatcher:
    

    Role-based Tag Acquisition Step

    Description
    Non-interactive step which generates flow tags from user roles.
    Note that this step must be preceded by a user-identifying step.
    Class
    com.airlock.iam.flow.shared.application.configuration.step.RoleBasedTagAcquisitionStepConfig
    May be used by
    Properties
    Role Providers (roleProviders)
    Description
    Plugins to determine the roles which this provider considers. These are only application-specific roles, not the Airlock Gateway (WAF) roles. Typically, the "All User Roles" plugin would be configured.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Role To Tag Mappings (roleToTagMappings)
    Description
    Mapping of user roles to flow tags.
    Attributes
    Plugin-Map
    Mandatory
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.step.RoleBasedTagAcquisitionStepConfig
    id: RoleBasedTagAcquisitionStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      roleProviders:
      roleToTagMappings:
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Roles from Attribute

    Description
    Extracts user roles from a RADIUS AccessAccept response (from a RADIUS server) by examining an arbitrary RADIUS attribute of the response. Adds the roles to the authenticated user.
    Class
    com.airlock.iam.core.misc.impl.authen.radius.RadiusAttributeRoleExtractor
    May be used by
    Properties
    Attribute Type (attributeType)
    Description

    The RADIUS attribute type of the attribute to look at.

    Either one of the suggested attributes or the number (not the name) of any other attribute can be chosen. The attribute type must be String.

    Attributes
    String
    Mandatory
    Suggested values
    Reply-Message (18), Vendor Specific (26), Filter-Id (11), Class (25), Unassigned (21)
    Representation (representation)
    Description
    Representation of the role(s) in the RADIUS attribute. Determines how the value read from the RADIUS attribute is interpreted.
    Attributes
    String
    Optional
    Default value
    Comma-separated
    Allowed values
    Comma-separated
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.radius.RadiusAttributeRoleExtractor
    id: RadiusAttributeRoleExtractor-xxxxxx
    displayName: 
    comment: 
    properties:
      attributeType:
      representation: Comma-separated
    
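How the 'Roles from Attribute' extraction works on the wire, as an added example that is not Airlock IAM code: a minimal parser for the attribute section of a RADIUS packet, which pulls comma-separated roles from the attribute type configured in `attributeType` and returns nothing unless the packet is an Access-Accept. The packet bytes are constructed inline for the example (authenticator zeroed, no Message-Authenticator), and the malformed-length handling shows the bounds checks a parser needs before trusting attribute lengths. Attribute type numbers follow RFC 2865 and match the suggested values above.

```python
"""Added example (not Airlock IAM code): extract comma-separated roles from a
RADIUS Access-Accept attribute, as the 'Roles from Attribute' plugin does."""
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
# Attribute type numbers named in the reference (RFC 2865 numbering).
ATTRIBUTE_TYPES = {"Filter-Id": 11, "Reply-Message": 18,
                   "Class": 25, "Vendor-Specific": 26}


def parse_attributes(packet):
    """Return (code, [(type, value_bytes), ...]) for a RADIUS packet.
    Layout: code(1) id(1) length(2) authenticator(16), then TLVs of
    type(1) length(1, counts the two header bytes) value."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    pos, attrs = 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        # Refuse malformed TLVs instead of reading past the packet end.
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def is_well_formed(packet):
    """True if the packet parses without a length error."""
    try:
        parse_attributes(packet)
        return True
    except ValueError:
        return False


def roles_from_attribute(packet, attribute_type, representation="Comma-separated"):
    """Roles carried by every attribute of `attribute_type` in an Access-Accept.
    Non-Accept packets yield no roles; only the 'Comma-separated'
    representation exists in the reference, so anything else is rejected."""
    if representation != "Comma-separated":
        raise ValueError("unsupported representation")
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return []
    roles = []
    for a_type, value in attrs:
        if a_type != attribute_type:
            continue
        for role in value.decode("utf-8").split(","):
            role = role.strip()
            if role and role not in roles:
                roles.append(role)
    return roles


def build_packet(code, attrs, ident=1):
    """Constructs a RADIUS packet for the example (authenticator zeroed)."""
    for _, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed samples: an Access-Accept whose Filter-Id carries two roles and
# whose Reply-Message is unrelated text, an Access-Reject, and a packet whose
# attribute length byte is impossible.
SAMPLE_ACCEPT = build_packet(ACCESS_ACCEPT, [
    (ATTRIBUTE_TYPES["Filter-Id"], b"useradmin, helpdesk"),
    (ATTRIBUTE_TYPES["Reply-Message"], b"Welcome"),
])
SAMPLE_REJECT = build_packet(ACCESS_REJECT, [(ATTRIBUTE_TYPES["Filter-Id"], b"useradmin")])
BAD_PACKET = struct.pack("!BBH", ACCESS_ACCEPT, 1, 22) + bytes(16) + bytes([11, 1])

if __name__ == "__main__":
    print(roles_from_attribute(SAMPLE_ACCEPT, ATTRIBUTE_TYPES["Filter-Id"]))
```

Pointing `attributeType` at a free-text attribute such as Reply-Message (18) makes whatever the RADIUS server happens to put there a role name, which is why the example strips only whitespace and otherwise takes the attribute value verbatim; a purpose-bound attribute such as Filter-Id (11) or Class (25) keeps role assignment explicit on the server side.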

    Roles from Password Check

    Description
    Provides all roles that have been obtained during password checks (e.g. from RADIUS).
    Class
    com.airlock.iam.login.application.configuration.targetapp.PasswordCheckRolesProviderConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.targetapp.PasswordCheckRolesProviderConfig
    id: PasswordCheckRolesProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Roles Provider Config

    Description
    Value map provider of a list of roles or a single separator-concatenated string. Note that not all consumers of these values can handle values of type "list of string"; in particular, such values do not work with string formatting.

    The following values are provided:

    • roles: a string with the concatenated roles (including timeout and lifetime if present).
    • roles-list: the roles as a list (including timeout and lifetime if present).
    • role-names: a string with the concatenated role names (without timeout and lifetime).
    • role-names-list: the role names as a list (without timeout and lifetime).

    Class
    com.airlock.iam.flow.shared.application.configuration.valueprovider.RolesProviderConfig
    May be used by
    mTAN Transaction Approval Step, Secret Questions Identity Verification Step, Set Authentication Method Migration Step, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Airlock 2FA Self-Service Approval Step, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Account Link Linking Initiation Step, Remote Event Subscriber (Loginapp), Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Airlock 2FA Message Provider, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, Selection Step for Public Self-Service, OATH OTP Activation Step, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Delete FIDO Credential Initiation Step, Login From New Device Step, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, Cronto Message Provider, User Identification By Data Step (Public Self-Service), Translated String Provider, Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Template-based String Provider, Apply Changes Step, User Persisting Step Config, Start User Representation Step, mTAN Message Provider, String From Map Value Provider, Mandatory Password Change Step Config, SMS Event Subscriber (Loginapp), Disable Cronto Device Initiation Step, Email Message Provider, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Username Password Authentication Step, Certificate Credential Extraction Step Config, Set Password Step Config, Password Change Self-Service Step, SSI Verification Step, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, mTAN Self-Service Approval Step, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Delete mTAN Number Initiation Step, SSI Authentication Step, Template-based Username Transformer, Transforming Value Map Provider, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Email Event Subscriber (Loginapp), Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Airlock 2FA Mobile Only Authentication Step, Voluntary Password Change Step, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), Username Generation Step Config, Remember-Me Reset Step, Delete OAuth 2.0 Session Initiation
Step Delete OAuth 2.0 Session Initiation Step Ticket String Provider Config OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset Step Selection Step Selection Step
    Properties
    Role Providers (roleProviders)
    Description
    The roles provided by these providers are combined into one string by this plugin.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Separator (separator)
    Description
    Separator between the roles.
    Attributes
    String
    Optional
    Default value
    ,
    Encoders (encoders)
    Description
    Encodes the roles before concatenating them.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.valueprovider.RolesProviderConfig
    id: RolesProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      encoders:
      roleProviders:
      separator: ,
    

    Roles SAML 2.0 Attribute

    Description
    A SAML 2.0 attribute containing the roles from a list of role providers.
    Class
    com.airlock.iam.saml2.application.configuration.assertion.attribute.RolesFlowAttributeConfig
    May be used by
    License-Tags
    SamlIdp
    Properties
    Attribute Name (samlAttributeName)
    Description
    The name of the attribute to add to the assertion.
    Attributes
    String
    Mandatory
    Example
    Roles
    Example
    Groups
    Role Providers (roleProviders)
    Description
    Providers for the roles to add to the assertion. If the role contains a timeout, it is also included in the attribute value.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Name Format (nameFormat)
    Description
    The NameFormat to use for the attribute.
    Attributes
    String
    Optional
    Default value
    urn:oasis:names:tc:SAML:2.0:attrname-format:basic
    Suggested values
    urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.assertion.attribute.RolesFlowAttributeConfig
    id: RolesFlowAttributeConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
      roleProviders:
      samlAttributeName:
    

    Roles-to-Authenticator Mapping

    Description
    Maps user roles to an authenticator plugin.
    Class
    com.airlock.iam.core.misc.impl.authen.RoleBasedAuthenticatorSelectorMapping
    May be used by
    Properties
    Roles Before Authentication (rolesBeforeAuthentication)
    Description
    Defines a list of roles to compare against the user to authenticate. If the user to authenticate has one of the specified roles, the corresponding authenticator of the mapping is chosen for the authentication process. Only user roles before the authentication process are considered for the comparison. Roles acquired during the authentication are ignored.
    Attributes
    String-List
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.RoleBasedAuthenticatorSelectorMapping
    id: RoleBasedAuthenticatorSelectorMapping-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticator:
      rolesBeforeAuthentication:
    

    RSA Encryption

    Description
    String cipher implementation that uses asymmetric encryption with an RSA private/public key pair.
    Class
    com.airlock.iam.core.misc.util.crypto.RsaEncryption
    May be used by
    Properties
    Public Key File (publicKeyFile)
    Description
    The public key used to encrypt the password. Note that it has to be in DER format.
    Attributes
    File/Path
    Mandatory
    Private Key File (privateKeyFile)
    Description
    The private key used to decrypt the password. Note that it has to be in PKCS#8 DER format (not 'openSSL format'). If the private key file is encrypted, the passphrase has to be set below.

    Such a key can for example be generated using:
    openssl genrsa -des3 -out newkey.pem
    openssl pkcs8 -topk8 -in newkey.pem -out encryptedprivatekey.key -outform der
    Attributes
    File/Path
    Mandatory
    Private Key Passphrase (privateKeyPassphrase)
    Description
    Passphrase to protect the private key file. If no passphrase is configured, it is assumed that the private key file is not password-protected.
    Attributes
    String
    Optional
    Sensitive
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.crypto.RsaEncryption
    id: RsaEncryption-xxxxxx
    displayName: 
    comment: 
    properties:
      privateKeyFile:
      privateKeyPassphrase:
      publicKeyFile:
    

    RSA Sign Ticket Decoder

    Description
    Decodes the ticket with RSA signature.

    For a description of the encoding, see the class description of RSASignTicketEncoder.

    Class
    com.airlock.iam.core.misc.util.ticket.codec.sign.RSASignTicketDecoder
    May be used by
    Properties
    Verification Key File (verificationKeyFile)
    Description
    Filename of the X.509-encoded 512-bit RSA public key for signature verification.
    Attributes
    File/Path
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.ticket.codec.sign.RSASignTicketDecoder
    id: RSASignTicketDecoder-xxxxxx
    displayName: 
    comment: 
    properties:
      verificationKeyFile:
    

    RSA Sign Ticket Encoder

    Description
    Encodes the ticket with an RSA Signature without encryption.

    The ticket value syntax is as follows:
    {name=[value{,value}];} where the names, values and role names are UTF-8 encoded.

    Example:
    medusaID=1234;uname=smith;roles=customer,employee;name1=value1;name2=value2;

    From here on, the ticket string (as above) is treated as a byte array (ASCII encoding). The expiry date is appended to it: the milliseconds since midnight 01.01.1970, as a 64-bit signed integer (MSB first).

    An RSA signature is calculated over the result from above and prepended to it.

    Use openssl to produce the key files like this:
    openssl genrsa -out signkey.pem 4096
    openssl pkcs8 -topk8 -nocrypt -in signkey.pem -outform der -out signkey.pkcs8
    openssl rsa -in signkey.pem -pubout -outform der -out verifykey.x509
    Class
    com.airlock.iam.core.misc.util.ticket.codec.sign.RSASignTicketEncoder
    May be used by
    Properties
    Signing Key File (signingKeyFile)
    Description
    The filename of the PKCS#8 encoded RSA private key for signing.
    Attributes
    File/Path
    Mandatory
    Compress (compress)
    Description
    Whether the value should be GZIP-compressed before Base64 encoding.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.ticket.codec.sign.RSASignTicketEncoder
    id: RSASignTicketEncoder-xxxxxx
    displayName: 
    comment: 
    properties:
      compress: false
      signingKeyFile:
    

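    The encoder and decoder descriptions above define the ticket layout precisely enough to implement a verifier, and the RSA Encryption plugin above makes the same point about key file formats (PKCS#8 DER for private keys, X.509 DER for public keys). The following Go program is an added example and is not Airlock IAM code: it signs a ticket in the layout just described (signature, then the ASCII ticket string, then the 64-bit big-endian expiry), applies the optional GZIP-then-Base64 step, and verifies it again from the public key in the X.509 DER form the decoder's verificationKeyFile property expects. The reference does not state the hash or padding used for the RSA signature; SHA-256 with PKCS#1 v1.5 is an assumption of this example, as is the choice to compress the whole signed value rather than only the payload, and the function names are the example's own.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"strings"
	"time"
)

// exampleTicket is the ticket string from the reference's own example.
const exampleTicket = "medusaID=1234;uname=smith;roles=customer,employee;name1=value1;name2=value2;"

// encodeTicket builds signature || ASCII(ticket) || expiry (int64 milliseconds since the
// epoch, MSB first), GZIPs the whole value if compress is set, then Base64-encodes it.
// SHA-256 with PKCS#1 v1.5 padding is an assumption: the reference names neither.
func encodeTicket(priv *rsa.PrivateKey, ticket string, expiry time.Time, compress bool) (string, error) {
	payload := append([]byte(ticket), make([]byte, 8)...)
	binary.BigEndian.PutUint64(payload[len(payload)-8:], uint64(expiry.UnixMilli()))
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	raw := append(sig, payload...)
	if compress {
		var buf bytes.Buffer
		zw := gzip.NewWriter(&buf)
		zw.Write(raw) // writes to a bytes.Buffer cannot fail
		zw.Close()
		raw = buf.Bytes()
	}
	return base64.StdEncoding.EncodeToString(raw), nil
}

// decodeTicket takes the verification key in the X.509 DER form the decoder's
// verificationKeyFile holds, verifies the signature before trusting any field and rejects
// a ticket whose expiry is not after now. The signature is exactly as long as the RSA
// modulus, so the key itself tells the decoder where the signed payload starts.
func decodeTicket(pubDER []byte, encoded string, compressed bool, now time.Time) (map[string][]string, error) {
	keyAny, err := x509.ParsePKIXPublicKey(pubDER)
	pub, ok := keyAny.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, errors.New("verification key is not an X.509 DER encoded RSA public key")
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	if compressed {
		zr, err := gzip.NewReader(bytes.NewReader(raw))
		if err != nil {
			return nil, err
		}
		if raw, err = io.ReadAll(zr); err != nil {
			return nil, err
		}
	}
	if len(raw) < pub.Size()+8 {
		return nil, errors.New("ticket too short")
	}
	sig, payload := raw[:pub.Size()], raw[pub.Size():]
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	expiry := time.UnixMilli(int64(binary.BigEndian.Uint64(payload[len(payload)-8:])))
	if !now.Before(expiry) {
		return nil, errors.New("ticket expired")
	}
	return parseFields(string(payload[:len(payload)-8])), nil
}

// parseFields splits "name=value{,value};" entries; multi-valued entries such as roles are split on ','.
func parseFields(s string) map[string][]string {
	fields := map[string][]string{}
	for _, entry := range strings.Split(s, ";") {
		if kv := strings.SplitN(entry, "=", 2); len(kv) == 2 {
			fields[kv[0]] = strings.Split(kv[1], ",")
		}
	}
	return fields
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)          // the reference uses 4096; 2048 keeps the demo fast
	pubDER, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // what "openssl rsa -pubout -outform der" writes
	enc, _ := encodeTicket(key, exampleTicket, time.Now().Add(5*time.Minute), true)
	fmt.Println(decodeTicket(pubDER, enc, true, time.Now()))
}
```

    The order of checks in decodeTicket is the point worth keeping: the signature is verified over the complete payload (ticket string plus expiry) before the expiry is read and before any field is parsed, so a ticket that fails verification never reaches the parser. Note also that the RSA Sign Ticket Decoder entry above speaks of a 512-bit public key while the openssl commands in the encoder entry generate a 4096-bit key; since the signature length equals the modulus length, the decoder must be given the key that actually matches the signing key of the deployment.
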
    RSA v1.5 Key Transport Algorithm

    Description
    The RSA v1.5 Key Transport algorithm is a public key encryption algorithm specified specifically for encrypting and decrypting keys, as described in the W3C Recommendation XML Encryption Syntax and Processing.
    Class
    com.airlock.iam.saml2.application.configuration.SamlRsa15KeyTransportAlgorithmConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.SamlRsa15KeyTransportAlgorithmConfig
    id: SamlRsa15KeyTransportAlgorithmConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    RSA-OAEP Key Transport Algorithm

    Description
    The RSA-OAEP Key Transport algorithm ('http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p') is a public key encryption algorithm specified specifically for encrypting and decrypting keys, as described in the W3C Recommendation XML Encryption Syntax and Processing.
    Class
    com.airlock.iam.saml2.application.configuration.SamlRsaOaepKeyTransportAlgorithmConfig
    May be used by
    Properties
    OAEPparams (oaepParams)
    Description

    Encoding parameters P as described in RFC 2437.

    Must be a Base64 encoded value.

    Attributes
    String
    Optional
    Example
    9lWu3Q==
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.SamlRsaOaepKeyTransportAlgorithmConfig
    id: SamlRsaOaepKeyTransportAlgorithmConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      oaepParams:
    

    Same Flow Redirect Target Config

    Description

    Redirects to the same flow the user is currently on. This is effectively a restart of the same flow.

    This plugin cannot be used outside of flows (e.g. on portal or token management pages).

    Class
    com.airlock.iam.flow.ui.application.configuration.SameFlowRedirectTargetConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.SameFlowRedirectTargetConfig
    id: SameFlowRedirectTargetConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    SAML 2.0 Assertion String Attribute Importer

    Description

    Import a single-value String attribute from a SAML 2.0 assertion into a flow session.

    If the provided attribute is multi-valued, the last value is used (for backward compatibility) and a warning is logged. If there are multiple attributes with the same name, the last value of the last attribute is used.

    An imported attribute can be used afterwards in any plugin that uses a String value provider by configuring a 'Generic Session Attribute String Provider'.

    Class
    com.airlock.iam.saml2.application.configuration.sp.Saml2SpAssertionStringAttributeImportConfig
    May be used by
    License-Tags
    SamlSp
    Properties
    Attribute Name (attributeName)
    Description
    Name of the SAML attribute in the assertion to import.
    Attributes
    String
    Mandatory
    Length >= 1
    Example
    email
    Key (key)
    Description
    Key under which the value of the imported attribute will be available in the flow session. If none is configured, the name of the attribute will be used as key.
    Attributes
    String
    Optional
    Fail If Empty (failIfEmpty)
    Description
    Fail if the SAML 2.0 assertion does not contain the configured attribute or the value provided is blank. When false, no value will be imported in such a case.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.sp.Saml2SpAssertionStringAttributeImportConfig
    id: Saml2SpAssertionStringAttributeImportConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      attributeName:
      failIfEmpty: false
      key:
    

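    To make the multi-value and blank-value rules of this importer concrete, here is an added Go example (not Airlock IAM code) that applies the plugin's three properties to a constructed assertion: the last value of the last same-named attribute wins and a warning is logged, a blank or missing value either fails the import or imports nothing depending on failIfEmpty, and key defaults to attributeName. The assertion XML, the importConfig struct and the function names are the example's own; only the parts of the assertion the importer reads are modelled.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"log"
	"strings"
)

// sampleAssertion is a constructed SAML 2.0 assertion (not a real one) that carries the
// cases the importer description mentions: a single value, two attributes of the same
// name that are both multi-valued, and a blank value.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>smith</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>smith@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>auditors</saml:AttributeValue><saml:AttributeValue>ops</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="phone"><saml:AttributeValue>  </saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`

// assertion models only the parts of the assertion the importer reads.
type assertion struct {
	XMLName    xml.Name    `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Attributes []attribute `xml:"AttributeStatement>Attribute"`
}

type attribute struct {
	Name   string   `xml:"Name,attr"`
	Values []string `xml:"AttributeValue"`
}

// importConfig mirrors the three plugin properties.
type importConfig struct {
	AttributeName string // attributeName: SAML attribute to import
	Key           string // key: flow-session key; empty means "use AttributeName"
	FailIfEmpty   bool   // failIfEmpty: fail on missing/blank instead of skipping
}

func parseAssertion(doc string) (*assertion, error) {
	var a assertion
	if err := xml.Unmarshal([]byte(doc), &a); err != nil {
		return nil, err
	}
	return &a, nil
}

// importStringAttribute applies one importer config and stores the result in the flow
// session map, following the documented rules: the last value of the last same-named
// attribute wins (with a warning); a blank or missing value fails or imports nothing.
func importStringAttribute(a *assertion, cfg importConfig, session map[string]string) error {
	var matches []attribute
	for _, attr := range a.Attributes {
		if attr.Name == cfg.AttributeName {
			matches = append(matches, attr)
		}
	}
	value := ""
	if n := len(matches); n > 0 {
		last := matches[n-1]
		if n > 1 || len(last.Values) > 1 {
			log.Printf("warning: attribute %q is multi-valued, using the last value of the last attribute", cfg.AttributeName)
		}
		if len(last.Values) > 0 {
			value = last.Values[len(last.Values)-1]
		}
	}
	if strings.TrimSpace(value) == "" {
		if cfg.FailIfEmpty {
			return fmt.Errorf("attribute %q is missing or blank", cfg.AttributeName)
		}
		return nil // failIfEmpty=false: import nothing, but do not fail
	}
	key := cfg.Key
	if key == "" {
		key = cfg.AttributeName
	}
	session[key] = value
	return nil
}

func main() {
	a, err := parseAssertion(sampleAssertion)
	if err != nil {
		log.Fatal(err)
	}
	session := map[string]string{}
	for _, cfg := range []importConfig{
		{AttributeName: "email", Key: "mail", FailIfEmpty: true},
		{AttributeName: "groups"},
		{AttributeName: "phone"},
		{AttributeName: "phone", FailIfEmpty: true},
	} {
		fmt.Printf("%+v -> err=%v session=%v\n", cfg, importStringAttribute(a, cfg, session), session)
	}
}
```

    The "groups" case shows why the warning matters: the importer silently drops "staff", "admins" and "auditors" and keeps only "ops", so a downstream plugin that reads the imported key through a Generic Session Attribute String Provider sees one value where the IdP sent four. If a value is meant to carry authorization decisions, an importer that logs a warning is not a substitute for agreeing on a single-valued attribute with the IdP.
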
    SAML 2.0 Config

    Description
    Configures the SAML 2.0 Identity Provider (IdP) and Service Providers (SP) of the login application.
    Class
    com.airlock.iam.saml2.application.configuration.SamlConfig
    May be used by
    License-Tags
    SamlIdp,SamlSp
    Properties
    SAML 2.0 Identity Provider (samlFlowIdpSettings)
    Description
    Configures the SAML Identity Provider (IdP) and the associated service providers (SPs) that rely on this IdP to authenticate a user.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    SamlIdp
    Assignable plugins
    SAML 2.0 Service Providers (samlFlowSpSettings)
    Description
    Enables and configures the local SAML Service Providers (SPs).
    Attributes
    Plugin-List
    Optional
    License-Tags
    SamlSp
    Assignable plugins
    Use Single-Logout (SLO) Behaviour (enableSingleLogoutOnSps)
    Description
    When enabled, IAM (as Service Provider) will automatically initiate a Single-Logout with the Identity Provider when the logout endpoint is called. If this flag is disabled, only a local logout will take place.
    Attributes
    Boolean
    Optional
    License-Tags
    SamlSp
    Default value
    true
    Flow SSO Initialization URI (customSpSsoInitializationUri)
    Description

    The URI to start or continue the correct authentication flow after receiving an assertion from the Identity Provider (either using IdP- or SP-initiated SSO).

    Must only be configured when using a custom SPA.

    Relative URIs not starting with a slash are resolved against the current context path.

    When customized and behind an Airlock Gateway (WAF), a "URL Encryption Exception" must be configured.

    Attributes
    String
    Optional
    License-Tags
    SamlSp
    Example
    https://example.com/custom-ui/saml2/sp/sso/init
    Example
    /custom-ui/sp/sso/init
    Logout URI (customLogoutUri)
    Description

    The URI to start the logout process in the UI.

    This is used during IdP-initiated Single-Logout (the logout is started by an Identity Provider). In this case, the browser must first be redirected to the UI in order to start the regular logout before being able to finish the SAML 2.0 Single-Logout.

    Must only be configured when using a custom SPA.

    Relative URIs not starting with a slash are resolved against the current context path.

    When customized and behind an Airlock Gateway (WAF), a "URL Encryption Exception" must be configured.

    Attributes
    String
    Optional
    License-Tags
    SamlSp
    Example
    https://example.com/custom-ui/logout
    Example
    /custom-ui/logout
    Logout Resume URI Pattern (customLogoutResumeUriPattern)
    Description

    During SP-Initiated Single-Logout (SLO), the SPA has to send, in a "Location" URL parameter, the location at which to resume the logout process once the SAML 2.0 Single-Logout has finished.

    If not configured, the standard URL for logout resume in the Loginapp UI (ui/app/auth/logout/resume) will be used.

    That absolute location will be validated against this pattern.

    Must only be configured when using a custom SPA.

    If behind an Airlock Gateway (WAF), a "URL Encryption Exception" must also be configured for this URL.

    Attributes
    RegEx
    Optional
    License-Tags
    SamlSp
    SAML Federation Settings (samlFederationConfig)
    Description
    Federation settings used for all SAML 2.0 use-cases.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    SamlIdp,SamlSp
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.SamlConfig
    id: SamlConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customLogoutResumeUriPattern:
      customLogoutUri:
      customSpSsoInitializationUri:
      enableSingleLogoutOnSps: true
      samlFederationConfig:
      samlFlowIdpSettings:
      samlFlowSpSettings:
    

    SAML 2.0 Flow IdP

    Description

    Enables and configures the SAML 2.0 Identity Provider (IdP) for use in the flow-based authentication.

    The IdP provides assertions to receiving applications called "SAML Service Providers".

    Class
    com.airlock.iam.saml2.application.configuration.Saml2FlowIdpConfig
    May be used by
    License-Tags
    SamlIdp
    Properties
    IdP Entity Settings (idpEntitySettings)
    Description
    Configures the identity provider (IdP) entity.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Service Providers (serviceProviders)
    Description
    The list of supported Service Providers.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Authentication Context Mappings (authnContextMappings)
    Description

    Assertions contain an 'Authentication Context Class Reference' referencing the type or strength of the performed authentication of the user. This can be used by a Service Provider (SP) in order to assess the level of confidence it can put in the assertion.

    If configured, the first fulfilled condition defines the final 'Authentication Context Class Reference'. If left empty (or no condition is fulfilled), the logic of the "Default Authentication Context" takes place. (See property description)

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Default Authentication Context (defaultAuthnContextUri)
    Description

    Assertions contain an 'Authentication Context Class Reference' referencing the type or strength of the performed authentication of the user. This can be used by a Service Provider (SP) in order to assess the level of confidence it can put in the assertion.

    This property defines the default 'Authentication Context Class Reference' used if no URI can be determined based on the 'Authentication Context Mappings'.

    If left empty, the SAML default resolution is used which also honors the requested URI of an SP in the SP-initiated SSO scenario. For IdP-initiated SSO or if no requested 'Authentication Context Class Reference' can be met in SP-initiated SSO, the first URI defined in the IdP extended metadata file is used (see the "Extended Metadata File" property in the IdP entity settings).

    The available context classes are configured in the IdP extended metadata attribute "idpAuthncontextClassrefMapping". Only URIs defined by the attribute are valid to be set here.

    Attributes
    String
    Optional
    Suggested values
    urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword, urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered, urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered, urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract, urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract, urn:oasis:names:tc:SAML:2.0:ac:classes:Password, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession, urn:oasis:names:tc:SAML:2.0:ac:classes:X509, urn:oasis:names:tc:SAML:2.0:ac:classes:PGP, urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI, urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig, urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard, urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI, urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI, urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony, urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony, urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony, urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony, urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword, urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken, urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
    Authentication URI (customAuthenticationUri)
    Description

    The URI to start authentication in case of SP-Initiated SSO.

    Must only be configured when using a custom SPA.

    Relative URIs not starting with a slash are resolved against the current context path.

    When customized and behind an Airlock Gateway (WAF), a "URL Encryption Exception" must be configured.

    Attributes
    String
    Optional
    Example
    https://example.com/custom-ui/saml2/init
    Example
    /custom-ui/saml2/init
    Logout URI (customLogoutUri)
    Description

    The URI to start the logout process in the UI.

    This is mainly used in SP-initiated Single-Logout (the logout is started by a Service Provider). In this case, the browser must first be redirected to the UI in order to start the regular logout before being able to finish the SAML 2.0 Single-Logout (SLO).
    It is also used in certain error cases where a logout must be performed.

    Must only be configured when using a custom SPA.

    Relative URIs not starting with a slash are resolved against the current context path.

    When customized and behind an Airlock Gateway (WAF), a "URL Encryption Exception" must be configured.

    Attributes
    String
    Optional
    Example
    https://example.com/custom-ui/logout
    Example
    /custom-ui/logout
    Logout Resume URI Pattern (customLogoutResumeUriPattern)
    Description

    During IdP-Initiated Single-Logout (SLO), the SPA has to send, in a "Location" URL parameter, the location at which to resume the logout process once the SAML 2.0 Single-Logout has finished.

    If not configured, the standard URL for logout resume in the Loginapp UI (ui/app/auth/logout/resume) is used.

    That absolute location will be validated against this pattern.

    Must only be configured when using a custom SPA.

    If behind an Airlock Gateway (WAF), a "URL Encryption Exception" must also be configured for this URL.

    Attributes
    RegEx
    Optional
    Temporary Single-Logout Gateway Credential (temporarySloCredentialProvider)
    Description

    The Airlock Gateway (WAF) role granted to a user on IdP logout before performing the SP logout requests.

    Allows requests to temporarily access protected logout endpoints during single-logout if the SP is protected by the same Airlock Gateway (WAF). Without a temporary credential, the logout might not work properly on the SP.

    The temporary credential should only be used to protect the logout URLs of the SPs in their corresponding mapping configuration in Airlock Gateway (WAF).

    For the sake of security, it is recommended to set an Idle Timeout and a Lifetime as low as possible. In order to guarantee that the SLO flow terminates even with slow connections (e.g. mobile connections), a value of 60 seconds is recommended for both properties.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Clear Gateway Session on Single-Logout (clearGatewaySessionOnSlo)
    Description
    If enabled, the Airlock Gateway (WAF) session will be cleared at the beginning of a Single-Logout. The cookies and credentials stored at the Airlock Gateway (WAF) for backend services will already be deleted at the beginning of a Single-Logout, before the logout has been propagated to the backend services. This means that:
    • SPs to which the logout is propagated and which are behind the same Airlock Gateway (WAF) as Airlock IAM will not recognize the session, because the session cookie has already been deleted at that point.
    • Logout propagation configured on the Airlock Gateway (WAF) does not work, because the session cookie of the corresponding backend will already have been deleted at this point.
    If disabled, no cookies on the Airlock Gateway (WAF) will be deleted. Credentials will still be cleared or overridden by the "Temporary Single-Logout Gateway Credential" if it is set. A temporary credential is usually necessary to properly log out an SP that is behind the same Airlock Gateway (WAF).

    Regardless of this setting, the Airlock Gateway (WAF) session will be terminated at the end of a single-logout, which means that all cookies and credentials will be deleted.

    Attributes
    Boolean
    Optional
    Default value
    false
    Protocol (protocol)
    Description
    If load balancing is used, specify the IdP's protocol. Make sure it matches the URLs in the IdP metadata files
    (see the "Metadata File" and "Extended Metadata File" properties in the IdP entity settings). Together with the other values, this must match one of the entries in 'Server List'.
    Attributes
    String
    Optional
    Default value
    https
    Allowed values
    https, http
    Host (host)
    Description
    If load balancing is used, specify the IdP's host name. Make sure it matches the URLs in the IdP metadata files
    (see the "Metadata File" and "Extended Metadata File" properties in the IdP entity settings). Together with the other values, this must match one of the entries in 'Server List'.
    Attributes
    String
    Optional
    Example
    localhost
    Example
    idp
    Port (port)
    Description
    If load balancing is used, specify the IdP's port. Make sure it matches the URLs in the IdP metadata files
    (see the "Metadata File" and "Extended Metadata File" properties in the IdP entity settings). Together with the other values, this must match one of the entries in 'Server List'.
    Attributes
    Integer
    Optional
    Context Path (contextPath)
    Description
    If load balancing is used, specify the IdP's context path with a leading but no trailing slash. Make sure it matches the URLs in the IdP metadata files
    (see the "Metadata File" and "Extended Metadata File" properties in the IdP entity settings). Together with the other values, this must match one of the entries in 'Server List'.
    Attributes
    String
    Optional
    Example
    /auth
    Example
    /saml-login
    Server List (serverList)
    Description

    For load balancing, specify all participating servers in the form "<protocol>://<hostname>:<port>/<path>".

    This list must be specified on ALL participating load balanced servers for all servers identically.

    This setting is only used if more than one server is involved.

    Attributes
    String-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.Saml2FlowIdpConfig
    id: Saml2FlowIdpConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authnContextMappings:
      clearGatewaySessionOnSlo: false
      contextPath:
      customAuthenticationUri:
      customLogoutResumeUriPattern:
      customLogoutUri:
      defaultAuthnContextUri:
      host:
      idpEntitySettings:
      port:
      protocol: https
      serverList:
      serviceProviders:
      temporarySloCredentialProvider:
    

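    Reading the "Authentication Context Mappings" and "Default Authentication Context" descriptions of this plugin together gives a fixed precedence order for the Authentication Context Class Reference placed in an assertion. The following Go function is an added example, not Airlock IAM code, that implements that order: the first fulfilled mapping, then the configured default, then the SP's requested class if the IdP offers it, and finally the first class from the IdP extended metadata. The mapping and context types, and the reading of "can be met" as "is listed in idpAuthncontextClassrefMapping", are the example's own assumptions; the four class references are taken from the suggested values above.

```go
package main

import (
	"errors"
	"fmt"
)

// Four of the class references listed under "Suggested values" above.
const (
	acrPassword      = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
	acrPasswordTLS   = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
	acrTimeSyncToken = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
	acrUnspecified   = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
)

// authnContext is what a mapping condition inspects. Reducing it to the method that
// completed is this example's simplification, not the product's model.
type authnContext struct {
	Method string
}

// acrMapping models one entry of "Authentication Context Mappings": a condition and
// the class reference it yields when fulfilled.
type acrMapping struct {
	Condition func(authnContext) bool
	URI       string
}

// resolveAuthnContext returns the class reference to place in the assertion, in the
// order the two property descriptions give:
//  1. the first fulfilled mapping (authnContextMappings);
//  2. defaultAuthnContextUri, which must be one of the IdP's classes;
//  3. SAML default resolution: the first class the SP requested that the IdP offers
//     (SP-initiated SSO), otherwise the first class of the IdP extended metadata.
// requested is empty for IdP-initiated SSO; idpClasses are the URIs of the extended
// metadata attribute idpAuthncontextClassrefMapping in file order. Treating "can be
// met" as "is listed in idpClasses" is this example's reading.
func resolveAuthnContext(mappings []acrMapping, defaultURI string, requested, idpClasses []string, ctx authnContext) (string, error) {
	if len(idpClasses) == 0 {
		return "", errors.New("IdP extended metadata defines no authentication context classes")
	}
	if defaultURI != "" && !contains(idpClasses, defaultURI) {
		return "", fmt.Errorf("default %q is not defined in the IdP extended metadata", defaultURI)
	}
	for _, m := range mappings {
		if m.Condition(ctx) {
			return m.URI, nil
		}
	}
	if defaultURI != "" {
		return defaultURI, nil
	}
	for _, r := range requested {
		if contains(idpClasses, r) {
			return r, nil
		}
	}
	return idpClasses[0], nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func main() {
	idp := []string{acrPasswordTLS, acrTimeSyncToken, acrUnspecified} // constructed extended-metadata list
	otp := acrMapping{Condition: func(c authnContext) bool { return c.Method == "otp" }, URI: acrTimeSyncToken}
	fmt.Println(resolveAuthnContext([]acrMapping{otp}, "", []string{acrPassword}, idp, authnContext{Method: "password"}))
}
```

    The consequence worth noticing is in step 3: once no mapping fires and no default is configured, the SP's request decides the value, so an SP asking for a weaker class than the user actually performed gets that weaker class asserted, and an SP asking for a class the IdP does not list falls through to whatever happens to be first in the extended metadata file. Configuring mappings (or at least a default) keeps the asserted class under the IdP's control.
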
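    The two "Logout Resume URI Pattern" properties (the one in this plugin and the one in SAML 2.0 Config) both validate a browser-supplied absolute location against a regular expression, which makes the pattern an open-redirect control at the end of Single-Logout. The following Go function is an added example, not Airlock IAM code, of that check. Whether IAM matches the pattern against the whole URL or merely searches for it is not stated on this page, so the example anchors the pattern itself; the reading of "if not configured" as "fall back to the standard resume URL", the sample pattern and the function name are the example's own.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// defaultResumePath is the standard Loginapp UI logout resume location the reference
// names for the case where no pattern is configured.
const defaultResumePath = "ui/app/auth/logout/resume"

// resumeLocation decides where the browser continues after SAML 2.0 Single-Logout.
// pattern is the customLogoutResumeUriPattern value and location the "Location" URL
// parameter the SPA sent. This example anchors the pattern (full match) and insists on
// an absolute URL with a host; whether IAM itself anchors is not stated, so anchoring
// the configured pattern explicitly is the safe choice either way.
func resumeLocation(pattern, location string) (string, error) {
	if pattern == "" { // example's reading of the reference: no pattern, standard resume URL
		return defaultResumePath, nil
	}
	u, err := url.Parse(location)
	if err != nil || !u.IsAbs() || u.Host == "" {
		return "", fmt.Errorf("resume location must be an absolute URL: %q", location)
	}
	re, err := regexp.Compile("^(?:" + pattern + ")$")
	if err != nil {
		return "", fmt.Errorf("invalid customLogoutResumeUriPattern: %w", err)
	}
	if !re.MatchString(location) {
		return "", fmt.Errorf("resume location %q does not match the configured pattern", location)
	}
	return location, nil
}

func main() {
	pattern := `https://spa\.example\.test/custom-ui/logout/resume(\?.*)?` // constructed sample pattern
	for _, loc := range []string{
		"https://spa.example.test/custom-ui/logout/resume?reason=slo",
		"https://spa.example.test/custom-ui/logout/resume/extra",
		"https://other.example.test/custom-ui/logout/resume",
		"/custom-ui/logout/resume",
	} {
		fmt.Println(resumeLocation(pattern, loc))
	}
}
```

    The sample pattern escapes the dots in the host name and allows only an optional query string after the fixed path; a pattern that omits the escaping or ends in an unanchored prefix would also match hosts and paths it was never meant to cover. Because the Airlock Gateway (WAF) must carry a "URL Encryption Exception" for this URL, the pattern is the only place left where the target of the final redirect is constrained.
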
    SAML 2.0 Flow SP

    Description

    Configures a local SAML Service Provider (SP).

    The SAML SP receives assertions from other SAML Identity Providers (IdPs). The Airlock IAM Loginapp can also act as identity provider, i.e. issue SAML assertions for other SPs. See separate configuration section for further details.

    Class
    com.airlock.iam.saml2.application.configuration.sp.Saml2FlowSpConfig
    May be used by
    License-Tags
    SamlSp
    Properties
    SP Entity Settings (spEntityConfig)
    Description
    Configures the Service Provider (SP) entity.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    IdP Entity Settings (remoteIdpEntitySettings)
    Description
    Configures the remote identity provider (IdP) entity.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Username Transformation (usernameTransformers)
    Description
    Transforms the username provided by the IdP. The transformation precedes the flow's Username Transformation. If one of the transformers configured here interrupts the transformation chain, username transformations in the authentication flow's configuration will be skipped.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Authn Request Binding (authnRequestBinding)
    Description

    The binding to be used for the authentication request in SP-Initiated SSO.

    Important: if an explicit binding type is configured, the same binding must also be enabled in the IdP's standard metadata.

    • Automatic: Automatically selects the first enabled binding in the IdP standard metadata.
    • HTTP Redirect Binding: The authentication request is carried directly in the URL query string of an HTTP GET request. Since the length of URLs is limited in practice, the HTTP Redirect binding is only suitable for short messages. Longer messages (e.g. signed requests or if large extensions are added) should be transmitted via the POST binding.
    • HTTP POST Binding: The authentication request is sent by the user's browser as a POST parameter via a self-posting form using JavaScript. This binding is recommended for long authentication requests or when there is no direct communication between the IdP and the SP. It requires that JavaScript is enabled in the user's browser.
    Attributes
    Enum
    Optional
    Default value
    AUTOMATIC
    Custom Authn Request Extensions (customAuthnRequestExtensions)
    Description

    With this property, arbitrary custom extensions can be added to the AuthnRequest, e.g. to request additional attributes from the IdP. The extensions must be given as a valid XML string, without the surrounding <Extensions> element.

    Attributes
    String
    Optional
    Multi-line-text
    Example
    <tag>custom-extension</tag>
    Default Flow Application ID (defaultFlowApplicationId)
    Description
    Defines the application ID of the authentication flow to start when a SAML Response (assertion) received by this Service Provider in IdP-initiated SSO carries no relay state, or a relay state that is not valid.

    If this property is not configured, the "Default Application" defined in "Authentication Flows" will be used.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Attribute to Import as User ID (attributeToImportAsUserId)
    Description
    Set this property to the name of an attribute to use as user ID instead of the NameID. The obtained user ID completely replaces the Name ID sent by the IdP. It can then be subject to further "Username Transformers" (depending on the selected authentication flow).
    Attributes
    String
    Optional
    Example
    surname
    Example
    email
    Attribute to Import as Language (attributeToImportAsLanguage)
    Description
    Set this property to the name of an assertion attribute to use as display language.

    Valid language values from the IdP should conform to the format specified by ISO 639-1 (two characters).

    Attributes
    String
    Optional
    Example
    language
    Attribute to Import as Audit Token (attributeToImportAsAuditToken)
    Description
    Set this property to the name of an assertion attribute to use as audit token. This allows the SAML SP (service provider) to use the same Audit Token as the SAML IdP (identity provider) which makes it easy to correlate SP and IdP sessions.

    Note that the audit token cannot be overwritten. This means if it was previously already set (e.g. upon successful completion of a previous authentication flow), the value imported here will be ignored.

    Attributes
    String
    Optional
    Example
    auditTokenAttr
    Attribute to Import as Auth Token ID (attributeToImportAsAuthTokenId)
    Description
    Set this property to the name of an assertion attribute to use as Auth Token ID.
    Attributes
    String
    Optional
    Example
    authTokenAttr
    Attributes to Import as Tags (attributeNameToTagMappingConfigs)
    Description
    Import attributes from a SAML 2.0 assertion as flow tags.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Attributes to Import in Flow (attributesToImport)
    Description
    Import additional attributes from a SAML 2.0 assertion into the user's flow session. The imported attributes can for example be used during the identity propagation to be propagated to a back-end.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.sp.Saml2FlowSpConfig
    id: Saml2FlowSpConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      attributeNameToTagMappingConfigs:
      attributeToImportAsAuditToken:
      attributeToImportAsAuthTokenId:
      attributeToImportAsLanguage:
      attributeToImportAsUserId:
      attributesToImport:
      authnRequestBinding: AUTOMATIC
      customAuthnRequestExtensions:
      defaultFlowApplicationId:
      remoteIdpEntitySettings:
      spEntityConfig:
      usernameTransformers:
    

    SAML 2.0 Identity Propagator

    Description
    Either starts SAML 2.0 IdP-Initiated Single-Sign On (SSO) with the configured default Service Provider or continues SP-Initiated SSO if a previous Authentication Request has been sent by the SP.
    Class
    com.airlock.iam.saml2.application.configuration.Saml2IdentityPropagatorConfig
    May be used by
    License-Tags
    SamlIdp
    Properties
    SP Entity ID (serviceProviderId)
    Description
    The identifier of the SP to use in case of IdP-Initiated SSO. For SP-Initiated SSO, the SP in the Authentication Request must always match this configured identifier.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    SamlIdp
    Assignable plugins
    Custom Header URI Propagation Settings (headerURIPropagationConfig)
    Description
    If configured, overrides the default 'X-Forward-URL' header used to transmit the redirect URI to the SPA. Useful for custom SPAs.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    SamlIdp
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.Saml2IdentityPropagatorConfig
    id: Saml2IdentityPropagatorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      headerURIPropagationConfig:
      serviceProviderId:
    

    SAML 2.0 Identity Provider Entity

    Description
    Configures a specific SAML 2.0 Identity Provider (IdP).
    Class
    com.airlock.iam.saml2.application.configuration.Saml2IDPEntityConfig
    May be used by
    License-Tags
    SamlIdp,SamlSp
    Properties
    IdP Entity ID (entityId)
    Description
    The entity ID of the Identity Provider. Needs to match the entity ID in the metadata files (see separate "Metadata File" and "Extended Metadata File" properties). Must be unique over all entities.
    Attributes
    String
    Mandatory
    Example
    idp
    Example
    custom-idp
    Metadata File (metaDataFile)
    Description

    The name of the file containing the standard metadata of this entity.

    Can either be relative to the config root or absolute.

    NOTE: When the metadata is changed, the login application needs to be restarted.

    Attributes
    File/Path
    Mandatory
    Extended Metadata File (extendedMetaDataFile)
    Description

    The name of the file containing the extended metadata of this entity.

    Can either be relative to the config root or absolute.

    NOTE: When the metadata is changed, the login application needs to be restarted.

    Attributes
    File/Path
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.Saml2IDPEntityConfig
    id: Saml2IDPEntityConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      entityId:
      extendedMetaDataFile:
      metaDataFile:
    

    SAML 2.0 Service Provider

    Description

    Configures a SAML 2.0 Service Provider (SP) for use in the Flow-Based Authentication.

    Class
    com.airlock.iam.saml2.application.configuration.Saml2ServiceProviderAccessConfig
    May be used by
    License-Tags
    SamlIdp
    Properties
    SP Entity Config (spEntityConfig)
    Description
    Configures the Service Provider (SP) entity.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Default Flow Application ID (defaultFlowApplicationId)
    Description
    Defines the application ID of the authentication flow that is started by default when an Authentication Request is received from this Service Provider.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    RequestedAuthnContext to Flow Application ID (requestedAuthnContextToFlowAppId)
    Description
    If the Authentication Request from the Service Provider contains any Requested Authentication Contexts (AuthnContextClassRef element), a specific flow can be started instead of the default flow.
    The mappings are applied in the order in which they are configured. When left empty, the configured "Default Flow Application ID" authentication flow is started.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Relay State URI (IdP-Initiated SSO) (idpInitiatedRelayStateUri)
    Description
    If this property is set, the RelayState during IdP-Initiated SSO will be set to the configured URI.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.Saml2ServiceProviderAccessConfig
    id: Saml2ServiceProviderAccessConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      attributes:
      defaultFlowApplicationId:
      idpInitiatedRelayStateUri:
      requestedAuthnContextToFlowAppId:
      spEntityConfig:
    

    SAML 2.0 Service Provider Entity

    Description

    Configures a specific SAML 2.0 Service Provider (SP).

    Class
    com.airlock.iam.saml2.application.configuration.Saml2SPEntityConfig
    May be used by
    License-Tags
    SamlIdp,SamlSp
    Properties
    SP Entity ID (entityId)
    Description
    Unique ID of this Service Provider.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Metadata File (metaDataFile)
    Description

    The name of the file containing the standard metadata of this entity.

    Can either be relative to the config root or absolute.

    NOTE: When the metadata is changed, the login application needs to be restarted.

    Attributes
    File/Path
    Mandatory
    Extended Metadata File (extendedMetaDataFile)
    Description

    The name of the file containing the extended metadata of this entity.

    Can either be relative to the config root or absolute.

    NOTE: When the metadata is changed, the login application needs to be restarted.

    Attributes
    File/Path
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.Saml2SPEntityConfig
    id: Saml2SPEntityConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      entityId:
      extendedMetaDataFile:
      metaDataFile:
    

    SAML 2.0 Service Provider Entity ID

    Description
    Configures the identifier for a SAML 2.0 Service Provider (SP).

    Class
    com.airlock.iam.saml2.application.configuration.Saml2ServiceProviderIdConfig
    May be used by
    License-Tags
    SamlIdp,SamlSp
    Properties
    SP Entity ID (spEntityId)
    Description
    The ID of the Service Provider. Needs to match the entity ID in the metadata files (see separate "Metadata File" and "Extended Metadata File" properties within the Service Provider settings). Must be unique over all entities.
    Attributes
    String
    Mandatory
    Example
    sp
    Example
    custom-sp
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.Saml2ServiceProviderIdConfig
    id: Saml2ServiceProviderIdConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      spEntityId:
    

    SAML 2.0 SP Entity ID Pattern UI Tenant ID Rule

    Description
    Sets the UI Tenant ID to a static value if the SAML 2.0 SP entity ID of the issuer for an SP-initiated request on IAM as IdP matches a regex pattern.
    Class
    com.airlock.iam.saml2.application.configuration.idp.Saml2SpEntityIdPatternUiTenantIdRuleConfig
    May be used by
    License-Tags
    SamlIdp
    Properties
    SAML 2.0 SP Entity ID Pattern (spEntityIdPattern)
    Description
    If the SAML 2.0 SP entity ID of the issuer matches this pattern, the UI tenant ID will be set to the value of UI Tenant ID Value.
    Attributes
    RegEx
    Mandatory
    UI Tenant ID Value (uiTenantIdValue)
    Description
    If the SAML 2.0 SP entity ID of the issuer matches SAML 2.0 SP Entity ID Pattern, the UI tenant ID will be set to the value configured by this plugin. This replacement pattern may contain back-references to the pattern configured in SAML 2.0 SP Entity ID Pattern.
    Attributes
    String
    Mandatory
    Example
    $1
    Example
    fixed-value
    Example
    tenant-id-$1
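    Added example of how such a rule list behaves (not Airlock IAM code). It assumes that the replacement uses Java-style "$1" back-references, as the examples above suggest, that rules are tried in configured order with the first match winning, and that the pattern must match the whole entity ID; the entity IDs are constructed.

```python
"""Evaluate SP-entity-ID pattern rules to derive a UI tenant ID.

Added example, not Airlock IAM code. Assumptions: Java-style "$n"
back-references in the replacement, first matching rule wins, and the
pattern has to match the entire SP entity ID. Entity IDs are constructed.
"""
import re


def _java_to_python_replacement(replacement):
    """Turn "$1" into Python's unambiguous "\\g<1>" group reference."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", replacement)


def apply_tenant_rules(sp_entity_id, rules):
    """rules: ordered list of (regex pattern, replacement) tuples.

    Returns the derived UI tenant ID of the first rule whose pattern matches
    the whole entity ID, or None if no rule applies (tenant ID unchanged)."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sp_entity_id)
        if m:
            return m.expand(_java_to_python_replacement(replacement))
    return None


if __name__ == "__main__":
    rules = [
        (r"https://(\w+)\.sp\.example\.test/saml", "tenant-id-$1"),
        (r"urn:legacy:.*", "fixed-value"),
    ]
    for entity_id in ("https://acme.sp.example.test/saml", "urn:legacy:sp1", "https://other.example.test/"):
        print(entity_id, "->", apply_tenant_rules(entity_id, rules))
```

    Because the tenant ID selects the UI shown to the user, keep the patterns anchored and specific; an overly broad pattern such as ".*" would apply a tenant's branding to every SP.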
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.idp.Saml2SpEntityIdPatternUiTenantIdRuleConfig
    id: Saml2SpEntityIdPatternUiTenantIdRuleConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      spEntityIdPattern:
      uiTenantIdValue:
    

    SAML 2.0 SP Entity ID UI Tenant ID Rule

    Description
    Sets the UI tenant ID value to the SAML 2.0 SP entity ID of the issuer for an SP-initiated request on IAM as IdP.
    Class
    com.airlock.iam.saml2.application.configuration.idp.Saml2SpEntityIdUiTenantIdRuleConfig
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.idp.Saml2SpEntityIdUiTenantIdRuleConfig
    id: Saml2SpEntityIdUiTenantIdRuleConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    SAML 2.0 SP User Identifying Step

    Description

    User identifying step for SAML 2.0 single sign-on (SSO) on IAM as service provider (SP).

    If the SAML 2.0 handshake was already initiated by the identity provider (IdP), this step consumes the assertion. If no handshake took place yet, this step first initiates an SP-Initiated SSO (and redirects to the IdP) and when returning consumes the assertion.

    Class
    com.airlock.iam.saml2.application.configuration.sp.Saml2UserIdentifyingStepConfig
    May be used by
    License-Tags
    SamlSp
    Properties
    SP Entity ID (entityId)
    Description
    Configures the Unique ID of the Service Provider (SP) used for SP-initiated SSO. In case of SSO initiated by the identity provider (IdP-initiated SSO), the SP is determined by the SAML 2.0 assertion sent by the IdP.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. The authentication method ID is also the key under which failed login attempts for this step are counted, so distinct identifiers must be chosen if multiple instances of the same step type check different credentials (e.g., two password step instances checking two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct Authentication Method IDs, e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, the password can be brute-forced as follows: an attacker who knows the user's password 1 gets an unlimited number of attempts on flow B, because the shared 'PASSWORD' failed-attempts counter is reset to 0 every time they perform a successful login on flow A.

    To prevent such attacks, use two separate counters by setting the authentication method IDs to, for example, PASSWORD1 and PASSWORD2, respectively.
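    The counter-reset attack described above, as an added example that is not Airlock IAM code: a toy failed-attempt counter keyed by (user, authentication method ID) that is reset on success, with an assumed lockout threshold of three. The simulation alternates a wrong guess on flow B with a successful login on flow A and counts how many guesses flow B accepts before the user is locked.

```python
"""Shared vs. distinct Authentication Method IDs under a counter-reset attack.

Added example, not Airlock IAM code. The counter semantics (increment on
failure, reset to 0 on success, lock at a threshold) follow the text above;
the threshold of 3 and the user name are assumptions.
"""
from collections import defaultdict

MAX_ATTEMPTS = 3   # assumed lockout threshold


class AttemptCounter:
    """Failed-attempt counters keyed by (user, authentication method ID)."""

    def __init__(self):
        self.failed = defaultdict(int)
        self.locked = set()

    def record(self, user, method_id, success):
        key = (user, method_id)
        if success:
            self.failed[key] = 0            # a successful login resets the counter
        else:
            self.failed[key] += 1
            if self.failed[key] >= MAX_ATTEMPTS:
                self.locked.add(key)
        return key not in self.locked


def simulate(method_a, method_b, attacker_guesses, user="alice"):
    """Attacker knows password 1 (checked in flow A with method_a) and guesses
    password 2 (flow B, method_b). After every wrong guess they log in on flow A.
    Returns how many guesses flow B accepted before the counter locked."""
    counter = AttemptCounter()
    accepted = 0
    for _ in range(attacker_guesses):
        if (user, method_b) in counter.locked:
            break
        counter.record(user, method_b, success=False)   # wrong guess at password 2
        accepted += 1
        counter.record(user, method_a, success=True)    # known password 1 resets the counter
    return accepted


if __name__ == "__main__":
    print("shared ID  :", simulate("PASSWORD", "PASSWORD", 100), "guesses accepted")
    print("distinct ID:", simulate("PASSWORD1", "PASSWORD2", 100), "guesses accepted")
```

    With a shared identifier the flow-B counter never reaches the threshold; with distinct identifiers the attacker is locked out after MAX_ATTEMPTS guesses regardless of how often they log in on flow A.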

    Attributes
    String
    Optional
    Length <= 23
    Default value
    SAML2
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.sp.Saml2UserIdentifyingStepConfig
    id: Saml2UserIdentifyingStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: SAML2
      customFailureResponseAttributes:
      customResponseAttributes:
      entityId:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    SAML Access Cookie Identity Propagator

    Description
    An identity propagator that authenticates against another web application using a SAML 2.0 assertion and obtains one or more cookies and uses them for identity propagation.

    This plugin performs a HTTP POST request with a SAML 2.0 assertion to an application and expects this application to set one or more access cookies. Those cookies are then added to the current response.

    Class
    com.airlock.iam.saml2.application.configuration.SamlAccessCookieIdentityPropagator
    May be used by
    Properties
    Access Cookie Source URL (accessCookieSourceUrl)
    Description
    The full URL of the application that provides the access cookies. A POST request is sent to this URL containing a SAML assertion.
    Attributes
    String
    Mandatory
    Example
    http://someapp.somehost.com/auth/login
    Example
    https://securehost.com/login.php
    HTTP Parameter SAML (httpParamSaml)
    Description
    The name of the HTTP parameter for the SAML assertion.
    Attributes
    String
    Mandatory
    Example
    saml
    Example
    assertion
    HTTP Parameters (httpParams)
    Description
    List of fixed (statically defined) HTTP parameters that are sent with the request when obtaining an access cookie.

    In many cases, the submit button value must be sent to an application to make it think that the button has been pressed.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Allow Only Trusted Certs (allowOnlyTrustedCerts)
    Description

    Only allow connections to servers whose certificate is trusted. See documentation of property "Trust Store Path" for more information about what certificates are trusted.

    Security warning: Trusting all certificates allows connections to adversarial hosts. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Verify Server Hostname (verifyServerHostname)
    Description

    Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

    Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Trust Store Path (trustStorePath)
    Description

    Keystore file name containing trusted certificate issuers (and trusted certificates).

    If this property is not defined the following certificate issuers are trusted:

    • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
    • The list of issuers in a keystore referenced by system property "javax.net.ssl.trustStore" if defined in instance.properties using iam.java.opts

    If this property is defined then the following certificate issuers are trusted:

    • The list of issuers in the referenced truststore file and no others.

    This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

    Attributes
    File/Path
    Optional
    Trust Store Type (trustStoreType)
    Description
    Identifies the type of the keystore.
    Attributes
    String
    Optional
    Default value
    JKS
    Allowed values
    JKS, PKCS12
    Trust Store Password (trustStorePassword)
    Description
    The password used to verify the authenticity of the trust store.

    Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

    • For keystore types like JKS, the keystore can be opened and used, but its integrity is not checked.
    • For keystore types like PKCS12, the keystore cannot be opened and an error occurs.

    Attributes
    String
    Optional
    Sensitive
    Connect Timeout (connectTimeout)
    Description
    The connection timeout in seconds. A timeout value of zero is interpreted as an infinite timeout.
    Attributes
    Integer
    Optional
    Default value
    10
    Correlation ID Header Name (correlationIdHeaderName)
    Description

    When configured, every request sent contains a header with the configured name carrying the correlation ID. If the property is empty or undefined, or if no correlation ID is defined for the current request, the header is not sent.

    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9_-]+
    Suggested values
    X-Correlation-ID
    Proxy Host (proxyHost)
    Description
    The hostname of the HTTP proxy server (if any).
    Attributes
    String
    Optional
    Example
    proxy.company.com
    Proxy Port (proxyPort)
    Description
    The port of the HTTP proxy server (if any).
    Attributes
    Integer
    Optional
    Proxy Login User (proxyLoginUser)
    Description
    Username for the HTTP proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Proxy Login Password (proxyLoginPassword)
    Description
    Password for the HTTP proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Sensitive
    Cookies (cookies)
    Description
    A list of cookies to expect and send back to the client.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Issuer (issuer)
    Description
    The Issuer set in the SAML2 Assertion.
    Attributes
    String
    Mandatory
    Example
    AirlockIAM
    Example
    AirlockIdp
    Subject Template (subjectTemplate)
    Description
    The template used to insert the user's ID into the Subject element of the assertion. The string "${userId}" is replaced by the user's ID.
    Attributes
    String
    Optional
    Default value
    ${userId}
    Example
    ${userId}
    Example
    User_${userId}
    Subject Confirmation Method (subjectConfirmationMethod)
    Description
    The subject confirmation method to use in the assertion.
    Attributes
    String
    Optional
    Default value
    urn:oasis:names:tc:SAML:2.0:cm:sender-vouches
    Suggested values
    urn:oasis:names:tc:SAML:2.0:cm:sender-vouches, urn:oasis:names:tc:SAML:2.0:cm:bearer, urn:oasis:names:tc:SAML:2.0:cm:holder-of-key
    Name Id Format (nameIdFormat)
    Description
    The NameID Format to use in the assertion.
    Attributes
    String
    Optional
    Default value
    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    Suggested values
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    Sp Provided Id (spProvidedId)
    Description
    The SPProvidedId is an attribute of the NameID tag and refers to the actual name that was provided at authentication. If set, this attribute will be added to the assertion. The name of the attribute does not matter. Use @param:PROVIDED_USERNAME as "value" to refer to the username as provided by the user.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Attributes (attributes)
    Description
    Defines a list of attributes to be added to the issued assertion. The value of the attribute can either be statically configured or taken from the user.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Assertion Validity Millis (assertionValidityMillis)
    Description
    The assertion validity time in milliseconds. This sets the NotOnOrAfter attribute to the current time plus the specified number of milliseconds; the assertion is invalid at and after that instant.
    Attributes
    Integer
    Optional
    Default value
    30000
    Assertion Not Before Skew Millis (assertionNotBeforeSkewMillis)
    Description
    The maximum number of milliseconds the clocks on the involved parties are allowed to be different. This sets the NotBefore attribute in the SAML assertion to the current time minus the specified number of milliseconds.
    Attributes
    Integer
    Optional
    Default value
    5000
    Xml Signature Algorithm (xmlSignatureAlgorithm)
    Description
    XML signature algorithm. Used for SAML XML signature generation.
    The (deprecated) value "SHA1 (automatic RSA/DSA)" automatically chooses "http://www.w3.org/2000/09/xmldsig#rsa-sha1" or "http://www.w3.org/2000/09/xmldsig#dsa-sha1" depending on the type of the key found in the keystore. Prefer one of the SHA-2 based algorithms (e.g. rsa-sha256), since SHA-1 and MD5 are no longer considered secure for signatures.
    Attributes
    String
    Optional
    Default value
    http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    Allowed values
    http://www.w3.org/2001/04/xmldsig-more#rsa-sha512, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, http://www.w3.org/2000/09/xmldsig#rsa-sha1, http://www.w3.org/2000/09/xmldsig#dsa-sha1, http://www.w3.org/2000/09/xmldsig#hmac-sha1, http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160, http://www.w3.org/2001/04/xmldsig-more#rsa-md5, http://www.w3.org/2001/04/xmldsig-more#hmac-md5, http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160, http://www.w3.org/2001/04/xmldsig-more#hmac-sha256, http://www.w3.org/2001/04/xmldsig-more#hmac-sha384, http://www.w3.org/2001/04/xmldsig-more#hmac-sha512, SHA1 (automatic RSA/DSA)
    Xml Signature Digest Method (xmlSignatureDigestMethod)
    Description
    XML signature digest method. Used for SAML XML signature generation and verification.
    Attributes
    String
    Optional
    Default value
    http://www.w3.org/2001/04/xmlenc#sha256
    Allowed values
    http://www.w3.org/2001/04/xmlenc#sha512, http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2000/09/xmldsig#sha1, http://www.w3.org/2001/04/xmlenc#ripemd160
    Keystore File (keystoreFile)
    Description
    JKS Keystore file name containing the certificate and key used to sign the SAML2 Assertion.
    Attributes
    File/Path
    Mandatory
    Keystore Password (keystorePassword)
    Description
    The password used to open the keystore.
    Attributes
    String
    Mandatory
    Sensitive
    Signing Key Alias (signingKeyAlias)
    Description
    The alias of the key used to sign the Assertion.
    Attributes
    String
    Mandatory
    Example
    medusaCert
    Signing Key Password (signingKeyPassword)
    Description
    The password used to retrieve the key from the keystore. This password can be the same as the keystore password.
    Attributes
    String
    Mandatory
    Sensitive
    Audience Restrictions (audienceRestrictions)
    Description

    If set, adds the given audiences to an AudienceRestriction element. This is usually not required. Each element of this list is included in the AudienceRestriction as a separate Audience.

    e.g. If this list contains the Strings: {"https://1.airlock.com","https://2.airlock.com"} the resulting condition contains:
    <saml:Conditions ...>
    <saml:AudienceRestriction>
    <saml:Audience>https://1.airlock.com</saml:Audience>
    <saml:Audience>https://2.airlock.com</saml:Audience>
    </saml:AudienceRestriction>
    </saml:Conditions>
    Attributes
    String-List
    Optional
    Enable Subject Confirmation (enableSubjectConfirmation)
    Description
    If enabled, a SubjectConfirmation element is added to the Assertion. This should only be disabled if the receiver doesn't support this element.
    Attributes
    Boolean
    Optional
    Default value
    true
    Enable Authn Statement (enableAuthnStatement)
    Description
    If enabled, an AuthnStatement element is added to the Assertion. This should only be disabled if the receiver doesn't support this element.
    Attributes
    Boolean
    Optional
    Default value
    true
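    The properties above (Issuer, Subject Template, NameID Format, Subject Confirmation Method, Audience Restrictions, Assertion Validity Millis, Assertion Not Before Skew Millis, Enable Subject Confirmation, Enable Authn Statement) together shape the assertion this propagator posts. The following added example (not Airlock IAM code) builds such an assertion with the standard library, using the same defaults as the plugin, and then performs the receiving application's side: checking the NotBefore/NotOnOrAfter window and the AudienceRestriction. It does not sign the assertion, which in practice is mandatory and needs an XML-DSig library; issuer, user ID, audiences and timestamps are constructed.

```python
"""Build the Subject/Conditions/AuthnStatement parts of a SAML 2.0 assertion with
the validity, skew and audience semantics described above, and check them on the
receiving side.

Added example, not Airlock IAM code. The assertion is unsigned (XML signing
needs an XML-DSig library); issuer, user ID, audiences and times are constructed.
"""
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def _ts(dt):
    """xsd:dateTime in UTC with millisecond precision."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def build_assertion(issuer, user_id, now, *, subject_template="${userId}",
                    validity_ms=30000, not_before_skew_ms=5000, audiences=(),
                    name_id_format=UNSPECIFIED, confirmation_method=SENDER_VOUCHES,
                    enable_subject_confirmation=True, enable_authn_statement=True,
                    attributes=None):
    """Return an unsigned assertion XML string; defaults mirror the plugin's."""
    a = ET.Element(f"{{{SAML}}}Assertion",
                   {"ID": "_example-assertion-id", "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(a, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": name_id_format})
    name_id.text = subject_template.replace("${userId}", user_id)
    if enable_subject_confirmation:
        ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation", {"Method": confirmation_method})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": _ts(now - timedelta(milliseconds=not_before_skew_ms)),   # clock-skew allowance
        "NotOnOrAfter": _ts(now + timedelta(milliseconds=validity_ms)),       # exclusive end
    })
    if audiences:   # one Audience element per configured string
        ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
        for aud in audiences:
            ET.SubElement(ar, f"{{{SAML}}}Audience").text = aud
    if enable_authn_statement:
        st = ET.SubElement(a, f"{{{SAML}}}AuthnStatement", {"AuthnInstant": _ts(now)})
        ctx = ET.SubElement(st, f"{{{SAML}}}AuthnContext")
        ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = \
            "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
    if attributes:
        stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
        for name, value in attributes.items():
            attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", {"Name": name})
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(a, encoding="unicode")


def check_conditions(assertion_xml, now, my_entity_id):
    """Receiver-side check of the Conditions element. Returns (ok, reason).

    Signature verification would come first in a real receiver; it is out of
    scope here because the example assertion is unsigned."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is None:
        return False, "no Conditions"
    if now < _parse_ts(cond.get("NotBefore")):
        return False, "not yet valid"
    if now >= _parse_ts(cond.get("NotOnOrAfter")):   # NotOnOrAfter is exclusive
        return False, "expired"
    audiences = [e.text for e in cond.iter(f"{{{SAML}}}Audience")]
    if audiences and my_entity_id not in audiences:
        return False, "audience mismatch"
    return True, "ok"


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    xml = build_assertion("AirlockIAM", "alice", now,
                          audiences=("https://1.airlock.com", "https://2.airlock.com"),
                          attributes={"email": "alice@example.test"})
    print(xml)
    print(check_conditions(xml, now + timedelta(seconds=10), "https://1.airlock.com"))
```

    The skew and validity values are a trade-off: the receiver rejects anything outside [now - skew, now + validity), so a back-end whose clock drifts more than the skew will reject fresh assertions, while a long validity widens the replay window for a captured assertion.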
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.SamlAccessCookieIdentityPropagator
    id: SamlAccessCookieIdentityPropagator-xxxxxx
    displayName: 
    comment: 
    properties:
      accessCookieSourceUrl:
      allowOnlyTrustedCerts: true
      assertionNotBeforeSkewMillis: 5000
      assertionValidityMillis: 30000
      attributes:
      audienceRestrictions:
      connectTimeout: 10
      cookies:
      correlationIdHeaderName:
      enableAuthnStatement: true
      enableSubjectConfirmation: true
      httpParamSaml:
      httpParams:
      issuer:
      keystoreFile:
      keystorePassword:
      nameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
      proxyHost:
      proxyLoginPassword:
      proxyLoginUser:
      proxyPort:
      signingKeyAlias:
      signingKeyPassword:
      spProvidedId:
      subjectConfirmationMethod: urn:oasis:names:tc:SAML:2.0:cm:sender-vouches
      subjectTemplate: ${userId}
      trustStorePassword:
      trustStorePath:
      trustStoreType: JKS
      verifyServerHostname: true
      xmlSignatureAlgorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
      xmlSignatureDigestMethod: http://www.w3.org/2001/04/xmlenc#sha256
    

    SAML Assertion Cookie Identity Propagator

    Description
    Cookie based identity propagator that sets a cookie containing a SAML2 assertion.

    The assertion contains the "sender-vouches" subject confirmation method which can be used by the receiver for example for the "Web Services Security SAML Token Profile".

    Class
    com.airlock.iam.saml2.application.configuration.SamlAssertionCookieIdentityPropagator
    May be used by
    Properties
    Cookie Name (cookieName)
    Description
    The name of the cookie used to transport the SAML2 Assertion.

    Note that only one cookie per cookie path and name can exist. Make sure that this cookie name does not clash with other cookie's names. For example, do not use session cookie names such as "JSESSIONID".

    Attributes
    String
    Mandatory
    Example
    assertionCookie
    Example
    medusaAuth
    Cookie Path (cookiePath)
    Description
    The path for which the cookie is set. The path determines where the cookie is sent by the reverse proxy (or browser).

    If one single assertion cookie is used for all applications, the value "/" can be used. If different tickets are used for different applications, the application's path should be used.

    Note that only one cookie per cookie path and name can exist. Make sure that this cookie name does not clash with other cookie's names. For example, do not use session cookie names such as "JSESSIONID".

    Make sure the configuration flag Interpret Cookie Domains is set in the Airlock Gateway (WAF) configuration. If not, the cookie path is ignored and cookies in the cookie store are sent to any back-end HTTP request of the same session. This also means that there may be only one cookie per cookie name!
    It is best to consult the corresponding documentation of the web entry server or reverse proxy to get more accurate information on cookie handling.

    Attributes
    String
    Optional
    Default value
    /
    Example
    /
    Example
    /appl1
    Example
    /appl2
    Cookie Domain (cookieDomain)
    Description
    The domain for which the cookie is set. The domain determines where the cookie is sent by the reverse proxy (or browser).

    Because of security restrictions in browsers (same origin policy) it is usually not possible to set a cookie for a different domain unless the right-most two domain parts (e.g. "ergon.ch") are equal to that of the application setting the cookie.
    It is possible that there are further restrictions regarding this in browsers.

    If you are using an HTTP reverse proxy that stores the cookie in its session store (and does not send it to the client), make sure to understand the proxy's interpretation of the cookie domain and cookie path.

    Make sure the configuration flag Interpret Cookie Domains is set in the Airlock Gateway (WAF) configuration. If not, the cookie domain is ignored and cookies in the cookie store are sent to any back-end HTTP request of the same session. The cookie path is also ignored, meaning that there may be only one cookie per cookie name!
    Airlock also supports the following cookie domain values (if the flag Interpret Cookie Domains is set):

    • The value .* results in cookies being sent to all back-end servers. This is especially useful if one authentication ticket is used for multiple back-ends.
    • The value @<fully-qualified-host> results in the cookie being treated as if it were set by the host specified by "<fully-qualified-host>". If using this value, make sure the corresponding mapping also uses the fully qualified hostname.
    It is best to consult the corresponding documentation of the web entry server or reverse proxy to get more accurate information on cookie handling.

    If one single assertion cookie is used for all applications, the value "/" can be used. If different cookies are used for different applications, the application's path should be used.

    Attributes
    String
    Optional
    Example
    @anotherbackend.com
    Example
    .*
    Example
    mybackend.com
    Cookie Secure Flag (cookieSecureFlag)
    Description
    If set to TRUE the "secure"-flag of the cookie is set.

    If the cookie is marked as secure, the browser (and any HTTP proxy behaving like a browser) should send the cookie only over secure connections.
    Caution: If you think that setting this flag makes your application more secure, remember that this flag just "asks" the browser to not transmit the cookie over unencrypted connections.

    Attributes
    Boolean
    Optional
    Default value
    false
    Cookie Encoding Scheme (cookieEncodingScheme)
    Description
    Assertions must be URL encoded in order to be suitable as cookie values. This optional property defines the URL encoding scheme to be used.
    Make sure that the component receiving the ticket uses the same URL encoding scheme.
    Attributes
    String
    Optional
    Default value
    UTF-8
    Allowed values
    UTF-8, ISO-8859-1, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, ISO-8859-15
    Issuer (issuer)
    Description
    The Issuer set in the SAML2 Assertion.
    Attributes
    String
    Mandatory
    Example
    AirlockIAM
    Example
    AirlockIdp
    Subject Template (subjectTemplate)
    Description
    The template used to insert the user's ID in the Subject element of the Assertion. The string "${userId}" gets replaced by the user's name.
    Attributes
    String
    Optional
    Default value
    ${userId}
    Example
    ${userId}
    Example
    User_${userId}
    Subject Confirmation Method (subjectConfirmationMethod)
    Description
    The subject confirmation method to use in the assertion.
    Attributes
    String
    Optional
    Default value
    urn:oasis:names:tc:SAML:2.0:cm:sender-vouches
    Suggested values
    urn:oasis:names:tc:SAML:2.0:cm:sender-vouches, urn:oasis:names:tc:SAML:2.0:cm:bearer, urn:oasis:names:tc:SAML:2.0:cm:holder-of-key
    Name Id Format (nameIdFormat)
    Description
    The NameID Format to use in the assertion.
    Attributes
    String
    Optional
    Default value
    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    Suggested values
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    Sp Provided Id (spProvidedId)
    Description
    The SPProvidedId is an attribute of the NameID tag and refers to the actual name that was provided at authentication. If set, this attribute will be added to the assertion. The name of the attribute does not matter. Use @param:PROVIDED_USERNAME as "value" to refer to the username as provided by the user.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Attributes (attributes)
    Description
    Defines a list of attributes to be added to the issued assertion. The value of the attribute can either be statically configured or taken from the user.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Assertion Validity Millis (assertionValidityMillis)
    Description
    The Assertion Validity time in milliseconds. This sets the NotOnOrAfter attribute to the specified instant in the future.
    Attributes
    Integer
    Optional
    Default value
    30000
    Assertion Not Before Skew Millis (assertionNotBeforeSkewMillis)
    Description
    The maximum number of milliseconds the clocks on the involved parties are allowed to be different. This sets the NotBefore attribute in the SAML assertion to the current time minus the specified number of milliseconds.
    Attributes
    Integer
    Optional
    Default value
    5000
    Xml Signature Algorithm (xmlSignatureAlgorithm)
    Description
    XML signature algorithm. Used for SAML XML signature generation.
    The (deprecated) value "SHA1 (automatic RSA/DSA)" automatically chooses "http://www.w3.org/2000/09/xmldsig#rsa-sha1" or "http://www.w3.org/2000/09/xmldsig#dsa-sha1" depending on the type of the key found in the keystore. However, please use a more secure hash instead, as SHA-1 is not considered to be secure.
    Attributes
    String
    Optional
    Default value
    http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    Allowed values
    http://www.w3.org/2001/04/xmldsig-more#rsa-sha512, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, http://www.w3.org/2000/09/xmldsig#rsa-sha1, http://www.w3.org/2000/09/xmldsig#dsa-sha1, http://www.w3.org/2000/09/xmldsig#hmac-sha1, http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160, http://www.w3.org/2001/04/xmldsig-more#rsa-md5, http://www.w3.org/2001/04/xmldsig-more#hmac-md5, http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160, http://www.w3.org/2001/04/xmldsig-more#hmac-sha256, http://www.w3.org/2001/04/xmldsig-more#hmac-sha384, http://www.w3.org/2001/04/xmldsig-more#hmac-sha512, SHA1 (automatic RSA/DSA)
    Xml Signature Digest Method (xmlSignatureDigestMethod)
    Description
    XML signature digest method. Used for SAML XML signature generation and verification.
    Attributes
    String
    Optional
    Default value
    http://www.w3.org/2001/04/xmlenc#sha256
    Allowed values
    http://www.w3.org/2001/04/xmlenc#sha512, http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2000/09/xmldsig#sha1, http://www.w3.org/2001/04/xmlenc#ripemd160
    Keystore File (keystoreFile)
    Description
    JKS Keystore file name containing the certificate and key used to sign the SAML2 Assertion.
    Attributes
    File/Path
    Mandatory
    Keystore Password (keystorePassword)
    Description
    The password used to open the keystore.
    Attributes
    String
    Mandatory
    Sensitive
    Signing Key Alias (signingKeyAlias)
    Description
    The alias of the key used to sign the Assertion.
    Attributes
    String
    Mandatory
    Example
    medusaCert
    Signing Key Password (signingKeyPassword)
    Description
    The password used to retrieve the key from the keystore. This password can be the same as the keystore password.
    Attributes
    String
    Mandatory
    Sensitive
    Audience Restrictions (audienceRestrictions)
    Description

    If set, adds the given audiences to an AudienceRestriction element. This is usually not required. Each element of this list is included in the AudienceRestriction as a separate Audience.

    e.g. If this list contains the Strings: {"https://1.airlock.com","https://2.airlock.com"} the resulting condition contains:
    <saml:Conditions ...>
      <saml:AudienceRestriction>
        <saml:Audience>https://1.airlock.com</saml:Audience>
        <saml:Audience>https://2.airlock.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    Attributes
    String-List
    Optional
    Enable Subject Confirmation (enableSubjectConfirmation)
    Description
    If enabled, a SubjectConfirmation element is added to the Assertion. This should only be disabled if the receiver doesn't support this element.
    Attributes
    Boolean
    Optional
    Default value
    true
    Enable Authn Statement (enableAuthnStatement)
    Description
    If enabled, an AuthnStatement element is added to the Assertion. This should only be disabled if the receiver doesn't support this element.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.SamlAssertionCookieIdentityPropagator
    id: SamlAssertionCookieIdentityPropagator-xxxxxx
    displayName: 
    comment: 
    properties:
      assertionNotBeforeSkewMillis: 5000
      assertionValidityMillis: 30000
      attributes:
      audienceRestrictions:
      cookieDomain:
      cookieEncodingScheme: UTF-8
      cookieName:
      cookiePath: /
      cookieSecureFlag: false
      enableAuthnStatement: true
      enableSubjectConfirmation: true
      issuer:
      keystoreFile:
      keystorePassword:
      nameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
      signingKeyAlias:
      signingKeyPassword:
      spProvidedId:
      subjectConfirmationMethod: urn:oasis:names:tc:SAML:2.0:cm:sender-vouches
      subjectTemplate: ${userId}
      xmlSignatureAlgorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
      xmlSignatureDigestMethod: http://www.w3.org/2001/04/xmlenc#sha256
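
    As an added illustration (not Airlock IAM code), the following Python sketch builds the assertion this propagator describes from the same property values (issuer, subject template, subject confirmation method, NameID format, validity and skew, audience restrictions, optional SubjectConfirmation and AuthnStatement), URL-encodes it into a cookie value with the configured encoding scheme, and shows the receiver-side checks on NotBefore/NotOnOrAfter and AudienceRestriction. Function names, the fixed clock and all user, issuer and audience values are constructed, and the XML signature Airlock IAM adds with the configured keystore is omitted.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, unquote

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # whole seconds suffice for the default 5 s skew / 30 s validity


def _tag(name):
    return f"{{{SAML_NS}}}{name}"


def _ts(dt):
    return dt.astimezone(timezone.utc).strftime(TIME_FMT)


def build_assertion(user_id, now, *, issuer, subject_template="${userId}",
                    subject_confirmation_method=SENDER_VOUCHES, name_id_format=NAMEID_UNSPECIFIED,
                    validity_millis=30000, not_before_skew_millis=5000, audiences=(),
                    enable_subject_confirmation=True, enable_authn_statement=True):
    # Keyword names mirror the plugin properties. The XML signature Airlock IAM adds with the
    # configured keystore is left out here (it needs an XML-DSig library), so this is unsigned.
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(_tag("Assertion"), {
        "Version": "2.0",
        "ID": "_" + secrets.token_hex(16),  # constructed random ID (XML IDs must not start with a digit)
        "IssueInstant": _ts(now),
    })
    ET.SubElement(assertion, _tag("Issuer")).text = issuer
    subject = ET.SubElement(assertion, _tag("Subject"))
    name_id = ET.SubElement(subject, _tag("NameID"), {"Format": name_id_format})
    name_id.text = subject_template.replace("${userId}", user_id)
    if enable_subject_confirmation:
        ET.SubElement(subject, _tag("SubjectConfirmation"), {"Method": subject_confirmation_method})
    # NotBefore is moved into the past by the clock-skew allowance, NotOnOrAfter into the future
    # by the validity period, exactly as the two *Millis properties describe.
    conditions = ET.SubElement(assertion, _tag("Conditions"), {
        "NotBefore": _ts(now - timedelta(milliseconds=not_before_skew_millis)),
        "NotOnOrAfter": _ts(now + timedelta(milliseconds=validity_millis)),
    })
    if audiences:  # each list entry becomes its own <saml:Audience>
        restriction = ET.SubElement(conditions, _tag("AudienceRestriction"))
        for audience in audiences:
            ET.SubElement(restriction, _tag("Audience")).text = audience
    if enable_authn_statement:
        ET.SubElement(assertion, _tag("AuthnStatement"), {"AuthnInstant": _ts(now)})
    return ET.tostring(assertion, encoding="unicode")


def to_cookie_value(assertion_xml, cookie_encoding_scheme="UTF-8"):
    # URL-encode everything but unreserved characters so ';', ',', '"', '<', '=' cannot appear.
    return quote(assertion_xml, safe="", encoding=cookie_encoding_scheme)


def from_cookie_value(cookie_value, cookie_encoding_scheme="UTF-8"):
    # The receiver has to use the same scheme the propagator was configured with.
    return unquote(cookie_value, encoding=cookie_encoding_scheme)


def check_conditions(assertion_xml, now, expected_audience=None):
    """Receiver-side validity check: 'ok', 'not-yet-valid', 'expired' or 'audience-mismatch'."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find(_tag("Conditions"))
    not_before = datetime.strptime(conditions.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(conditions.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    now = now.astimezone(timezone.utc)
    if now < not_before:
        return "not-yet-valid"
    if now >= not_on_or_after:  # NotOnOrAfter is exclusive per SAML Core
        return "expired"
    audiences = [a.text for a in root.iterfind(f".//{_tag('Audience')}")]
    if audiences and expected_audience not in audiences:  # fail closed when restricted
        return "audience-mismatch"
    return "ok"


def demo():
    """Constructed walk-through with a fixed clock; returns values a test can assert on."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    xml = build_assertion("alice", now, issuer="AirlockIAM", subject_template="User_${userId}",
                          audiences=("https://1.airlock.com", "https://2.airlock.com"))
    plain = build_assertion("bob", now, issuer="AirlockIdp",
                            enable_subject_confirmation=False, enable_authn_statement=False)
    cookie = to_cookie_value(xml)
    return {
        "xml": xml,
        "cookie": cookie,
        "roundtrip": from_cookie_value(cookie) == xml,
        "valid_now": check_conditions(xml, now, "https://2.airlock.com"),
        "at_skew_edge": check_conditions(xml, now - timedelta(seconds=5), "https://1.airlock.com"),
        "before_skew": check_conditions(xml, now - timedelta(seconds=6), "https://1.airlock.com"),
        "at_expiry": check_conditions(xml, now + timedelta(seconds=30), "https://1.airlock.com"),
        "wrong_audience": check_conditions(xml, now, "https://3.airlock.com"),
        "optional_omitted": "SubjectConfirmation" not in plain and "AuthnStatement" not in plain,
    }
```
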
    

    SAML Federation Config

    Description
    Federation settings used for all SAML 2.0 use-cases.
    Class
    com.airlock.iam.saml2.application.configuration.SamlFederationConfig
    May be used by
    License-Tags
    SamlIdp,SamlSp
    Properties
    Error Page URL (errorpageUrl)
    Description
    URL where the user is redirected to when an internal SAML2 error happens. Use
    • ui/app/error/message for Flow-based SAML2
      Relative URIs not starting with a slash are resolved against the current context path.

    When customized and behind an Airlock Gateway (WAF), a "URL Encryption Exception" must be configured.

    Attributes
    String
    Optional
    Default value
    ui/app/error/message
    Suggested values
    ui/app/error/message
    Max Content Length (maxContentLength)
    Description
    The maximum content-length in bytes for an HTTP Request that will be allowed.
    This avoids unnecessary parsing of very long payloads and thus mitigates DoS attacks. Set to 0 (zero) to disable this check.
    Attributes
    Integer
    Optional
    Default value
    16384
    XML Signature Keystore Provider (xmlSignatureKeystoreProvider)
    Description
    The keystore provider to use for XML signatures and encryption.
    If this IAM instance is only used as a service provider and does not use signatures or encryption, the special "SAML No Cert Key Provider" can be used, which does not require any keystores. Note, however, that even a simple service provider should use signatures, especially with SP-initiated SSO and with Single-Logout (SLO).
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    XML Canonicalization Algorithm (xmlCanonicalizationAlgorithm)
    Description
    XML canonicalization algorithm. Used for SAML XML signature generation and verification.
    Attributes
    String
    Optional
    Default value
    http://www.w3.org/2001/10/xml-exc-c14n#
    Allowed values
    http://www.w3.org/2001/10/xml-exc-c14n#, http://www.w3.org/2001/10/xml-exc-c14n#WithComments, http://www.w3.org/TR/2001/REC-xml-c14n-20010315, http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
    XML Signature Algorithm (xmlSignatureAlgorithm)
    Description
    XML signature algorithm. Used for SAML XML and query signature generation.
    The (deprecated) value "SHA1 (automatic RSA/DSA)" automatically chooses "http://www.w3.org/2000/09/xmldsig#rsa-sha1" or "http://www.w3.org/2000/09/xmldsig#dsa-sha1" depending on the type of the key found in the keystore. However, please use a more secure hash instead, as SHA-1 is not considered to be secure.
    Attributes
    String
    Optional
    Default value
    http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    Allowed values
    http://www.w3.org/2001/04/xmldsig-more#rsa-sha512, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, http://www.w3.org/2000/09/xmldsig#rsa-sha1, http://www.w3.org/2000/09/xmldsig#dsa-sha1, SHA1 (automatic RSA/DSA), http://www.w3.org/2001/04/xmldsig-more#rsa-md5
    Allowed XML Signature Algorithm(s) (allowedXmlSignatureAlgorithms)
    Description
    Allowed XML signature algorithm(s) used for XML and query signature verification.
    Attributes
    String-List
    Optional
    Default value
    [http://www.w3.org/2001/04/xmldsig-more#rsa-sha512, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256]
    XML Signature Digest Method (xmlSignatureDigestMethod)
    Description
    XML signature digest method. Used for SAML XML signature generation and verification.
    Attributes
    String
    Optional
    Default value
    http://www.w3.org/2001/04/xmlenc#sha256
    Allowed values
    http://www.w3.org/2001/04/xmlenc#sha512, http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2000/09/xmldsig#sha1, http://www.w3.org/2001/04/xmlenc#ripemd160
    XML Transformation Algorithm (xmlTransformationAlgorithm)
    Description
    XML transformation algorithm. Used for SAML XML signature generation and verification.
    Attributes
    String
    Optional
    Default value
    http://www.w3.org/2001/10/xml-exc-c14n#
    Allowed values
    http://www.w3.org/2001/10/xml-exc-c14n#, http://www.w3.org/2001/10/xml-exc-c14n#WithComments, http://www.w3.org/TR/2001/REC-xml-c14n-20010315, http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments, http://www.w3.org/TR/1999/REC-xslt-19991116, http://www.w3.org/2000/09/xmldsig#base64, http://www.w3.org/TR/1999/REC-xpath-19991116, http://www.w3.org/2000/09/xmldsig#enveloped-signature, http://www.w3.org/TR/2001/WD-xptr-20010108, http://www.w3.org/2002/04/xmldsig-filter2, http://www.w3.org/2002/06/xmldsig-filter2, http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/#xpathFilter
    Key Transport Algorithm (keyTransportAlgorithm)
    Description
    The Key Transport algorithm used to encrypt and decrypt keys.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Password Decoder (passwordDecoder)
    Description
    Used to decode a possibly encrypted password from a file to access a keystore and the keys contained. Will also be used to decode the configured BASIC AUTH password.
    The default implementation also supports encrypted passwords using the "[ENC]" prefix.
    Attributes
    String
    Optional
    Default value
    com.airlock.iam.saml2.infrastructure.plugin.Saml2PasswordDecoder
    Debug Provider (debugProvider)
    Description
    Defines the class name of the DebugProvider to use to create instances used for debug logging.
    Attributes
    String
    Optional
    Default value
    com.airlock.iam.saml2.infrastructure.plugin.DebugProviderImpl
    Log Provider (logProvider)
    Description
    Specifies the implementation for the Logger interface to log errors and special access logs.
    Attributes
    String
    Optional
    Default value
    com.airlock.iam.saml2.infrastructure.plugin.LoggerImpl
    Configuration Provider (configurationProvider)
    Description
    Specifies the implementation of the ConfigurationInstance providing all library-wide settings as well as specific SAML properties and entities.
    Attributes
    String
    Optional
    Default value
    com.airlock.iam.saml2.infrastructure.plugin.configuration.ConfigurationInstanceImpl
    Datastore Provider (datastoreProvider)
    Description
    Specifies the default implementation for the DataStoreProvider interface providing access to an optional data store holding user data to include in an assertion.
    Attributes
    String
    Optional
    Default value
    com.airlock.iam.saml2.infrastructure.plugin.DataStoreProviderImpl
    Session Provider (sessionProvider)
    Description
    Specifies the implementation for the SessionProvider interface providing access to a federation session storing information about protocols used and service providers accessed for a specific authenticated user.
    Attributes
    String
    Optional
    Default value
    com.airlock.iam.saml2.infrastructure.plugin.SessionProviderImpl
    IdP AuthnContext Mapper (idpAuthnContextMapper)
    Description
    Specifies the implementation for the IDPAuthnContextMapper interface which defines how the AuthnContext is created in the Assertion.
    Attributes
    String
    Optional
    Default value
    com.airlock.iam.saml2.infrastructure.plugin.IDPAuthnContextMapperImpl
    IdP Account Mapper (idpAccountMapper)
    Description
    Specifies the implementation for the IDPAccountMapper interface which defines how the NameID is created in the Assertion.
    Attributes
    String
    Optional
    Default value
    com.airlock.iam.saml2.infrastructure.plugin.IDPAccountMapperImpl
    IdP Attribute Mapper (idpAttributeMapper)
    Description
    Specifies the implementation for the IDPAttributeMapper interface which defines how the Attributes are created in the Assertion.
    Attributes
    String
    Optional
    Default value
    com.airlock.iam.saml2.infrastructure.plugin.IDPAttributeMapperImpl
    SP Adapter (spAdapter)
    Description
    Specifies the implementation of the SAML2ServiceProviderAdapter. The SP Adapter is called on certain events during SAMLv2 protocol processing on the Service Provider side.
    Attributes
    String
    Optional
    Default value
    com.airlock.iam.saml2.infrastructure.plugin.Saml2ServiceProviderAdapter
    SP AuthnContext Mapper (spAuthnContextMapper)
    Description
    Specifies the implementation for the SPAuthnContextMapper interface which defines how the AuthnContext is created in the Assertion.
    Attributes
    String
    Optional
    Default value
    com.airlock.iam.saml2.infrastructure.plugin.SPAuthnContextMapper
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.SamlFederationConfig
    id: SamlFederationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedXmlSignatureAlgorithms: [http://www.w3.org/2001/04/xmldsig-more#rsa-sha512, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256]
      configurationProvider: com.airlock.iam.saml2.infrastructure.plugin.configuration.ConfigurationInstanceImpl
      datastoreProvider: com.airlock.iam.saml2.infrastructure.plugin.DataStoreProviderImpl
      debugProvider: com.airlock.iam.saml2.infrastructure.plugin.DebugProviderImpl
      errorpageUrl: ui/app/error/message
      idpAccountMapper: com.airlock.iam.saml2.infrastructure.plugin.IDPAccountMapperImpl
      idpAttributeMapper: com.airlock.iam.saml2.infrastructure.plugin.IDPAttributeMapperImpl
      idpAuthnContextMapper: com.airlock.iam.saml2.infrastructure.plugin.IDPAuthnContextMapperImpl
      keyTransportAlgorithm:
      logProvider: com.airlock.iam.saml2.infrastructure.plugin.LoggerImpl
      maxContentLength: 16384
      passwordDecoder: com.airlock.iam.saml2.infrastructure.plugin.Saml2PasswordDecoder
      sessionProvider: com.airlock.iam.saml2.infrastructure.plugin.SessionProviderImpl
      spAdapter: com.airlock.iam.saml2.infrastructure.plugin.Saml2ServiceProviderAdapter
      spAuthnContextMapper: com.airlock.iam.saml2.infrastructure.plugin.SPAuthnContextMapper
      xmlCanonicalizationAlgorithm: http://www.w3.org/2001/10/xml-exc-c14n#
      xmlSignatureAlgorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
      xmlSignatureDigestMethod: http://www.w3.org/2001/04/xmlenc#sha256
      xmlSignatureKeystoreProvider:
      xmlTransformationAlgorithm: http://www.w3.org/2001/10/xml-exc-c14n#
    

    SAML No Cert Key Provider

    Description
    Keystore provider implementation which can only be used on the SP side if the SP does not create any signatures at all (no SP-initiated SSO can thus be used).
    This means that no keystore needs to be created in such a minimal setup.
    Class
    com.airlock.iam.saml2.application.configuration.SamlNoCertKeyProvider
    May be used by
    License-Tags
    SamlIdp,SamlSp
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.SamlNoCertKeyProvider
    id: SamlNoCertKeyProvider-xxxxxx
    displayName: 
    comment: 
    properties:
    

    SAML XML Signature Provider

    Description
    SAML2 Signature Provider for XML signatures using a keystore on the file system.
    Class
    com.airlock.iam.login.app.misc.configuration.saml.SamlXmlSignatureProvider
    May be used by
    License-Tags
    SamlIdp,SamlSp
    Properties
    Keystore (keystore)
    Description
    The keystore used for SAML2 XML signatures and encryption.
    Attributes
    File/Path
    Mandatory
    Keystore Type (keystoreType)
    Description
    The keystore type.
    Attributes
    String
    Optional
    Default value
    jks
    Allowed values
    jks, pkcs12
    Keystore Password File (keystorePasswordFile)
    Description
    The file containing the keystore password.
    The contents are decoded using the "Password Decoder" in the "SAML Federation Config".
    Attributes
    File/Path
    Mandatory
    Keystore Private Key Password File (keystorePrivateKeyPasswordFile)
    Description
    The file containing the private key password.
    The contents are decoded using the "Password Decoder" in the "SAML Federation Config".
    Attributes
    File/Path
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.saml.SamlXmlSignatureProvider
    id: SamlXmlSignatureProvider-xxxxxx
    displayName: 
    comment: 
    properties:
      keystore:
      keystorePasswordFile:
      keystorePrivateKeyPasswordFile:
      keystoreType: jks
    

    SAML2 Single-Logout Config

    Description
    Configures the redirect behavior for single logout on SAML IDPs and SPs.
    Class
    com.airlock.iam.login.rest.application.configuration.ui.authentication.logout.Saml2SingleLogoutConfig
    May be used by
    License-Tags
    SamlIdp,SamlSp
    Properties
    Default Target URI (defaultTargetUri)
    Description
    The URI to redirect to in either of the following cases:
    • No Location parameter is present on the request to the UI logout URI
    • The Location parameter does not conform to the expected format for 'SP-initiated Single-Logout' or 'IdP-initiated Single-Logout'

    As a consequence, this URI will be redirected to in all scenarios except an 'SP-initiated Single-Logout' or 'IdP-initiated Single-Logout' on a valid SAML session.

    Attributes
    Plugin-Link
    Optional
    License-Tags
    SamlIdp,SamlSp
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.rest.application.configuration.ui.authentication.logout.Saml2SingleLogoutConfig
    id: Saml2SingleLogoutConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultTargetUri:
    

    Scope Processor

    Description
    Processes the "scope" metadata attribute. The value from the request is interpreted as a space-separated list of scopes. All scopes that match against at least one of the allowed scope patterns are accepted, the others are ignored.
    Class
    com.airlock.iam.techclientreg.application.configuration.registration.ScopeProcessorConfig
    May be used by
    License-Tags
    TechClientRegistration
    Properties
    Allowed Scopes (allowedScopes)
    Description
    A list of regular expressions that define the allowed scopes. Requested scopes not matching any of these patterns are ignored.

    The default value makes sure the scopes do not include characters outside the set %x20-21 / %x23-5B / %x5D-7E (NQCHAR). For more information see RFC 6749.

    Attributes
    RegEx-List
    Optional
    Default value
    [[\x21\x23-\x5B\x5D-\x7E]+]
    YAML Template (with default values)
    
    type: com.airlock.iam.techclientreg.application.configuration.registration.ScopeProcessorConfig
    id: ScopeProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedScopes: [[\x21\x23-\x5B\x5D-\x7E]+]
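
    An added Python sketch (not the product's code) of the accept/ignore rule described above: the request value is split on spaces, every scope is matched in full against the allowed patterns, and the default pattern from the YAML template is used unless a custom list is passed. Function name and all inputs are constructed.

```python
import re

# Default value of "Allowed Scopes": one or more NQCHAR characters (%x21 / %x23-5B / %x5D-7E),
# i.e. no space, no double quote (0x22) and no backslash (0x5C); see RFC 6749, section 3.3.
DEFAULT_ALLOWED_SCOPES = [r"[\x21\x23-\x5B\x5D-\x7E]+"]


def process_scope(scope_value, allowed_scopes=DEFAULT_ALLOWED_SCOPES):
    """Split the "scope" metadata attribute on spaces and keep only the scopes that match
    at least one allowed pattern. Returns (accepted, ignored)."""
    patterns = [re.compile(p) for p in allowed_scopes]
    accepted, ignored = [], []
    for token in scope_value.split(" "):
        if not token:  # tolerate repeated, leading or trailing spaces
            continue
        # fullmatch: the whole token has to satisfy a pattern. With re.search a token such as
        # 'read"x' would slip through, because its prefix 'read' already matches the class.
        if any(p.fullmatch(token) for p in patterns):
            accepted.append(token)
        else:
            ignored.append(token)
    return accepted, ignored
```
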
    

    Script Execution Result Value Map Provider

    Description
    Provides a map of result values of scriptable steps with matching namespace.
    Class
    com.airlock.iam.flow.shared.application.configuration.valueprovider.ScriptExecutionResultValueMapProviderConfig
    May be used by
    mTAN Transaction Approval Step, Secret Questions Identity Verification Step, Set Authentication Method Migration Step, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Airlock 2FA Self-Service Approval Step, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Account Link Linking Initiation Step, Remote Event Subscriber (Loginapp), Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Airlock 2FA Message Provider, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, Selection Step for Public Self-Service, OATH OTP Activation Step, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Delete FIDO Credential Initiation Step, Login From New Device Step, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, Cronto Message Provider, User Identification By Data Step (Public Self-Service), Translated String Provider, Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Template-based String Provider, Apply Changes Step, User Persisting Step Config, Start User Representation Step, mTAN Message Provider, String From Map Value Provider, Mandatory Password Change Step Config, SMS Event Subscriber (Loginapp), Disable Cronto Device Initiation Step, Email Message Provider, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Username Password Authentication Step, Certificate Credential Extraction Step Config, Set Password Step Config, Password Change Self-Service Step, SSI Verification Step, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, mTAN Self-Service Approval Step, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Delete mTAN Number Initiation Step, SSI Authentication Step, Template-based Username Transformer, Transforming Value Map Provider, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Email Event Subscriber (Loginapp), Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Airlock 2FA Mobile Only Authentication Step, Voluntary Password Change Step, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), Username Generation Step Config, Remember-Me Reset Step, Delete OAuth 2.0 Session Initiation
Step Delete OAuth 2.0 Session Initiation Step Ticket String Provider Config OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset Step Selection Step Selection Step
    Properties
    Namespace Config (namespaceConfig)
    Description

    The script namespace from which to provide the values. If left empty, the values from scriptable steps with no configured namespace are provided.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.valueprovider.ScriptExecutionResultValueMapProviderConfig
    id: ScriptExecutionResultValueMapProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      namespaceConfig:
    

    Script Namespace Config

    Description
    The namespace to use for the Scriptable Step. It can be used in the Script Execution Result Value Map Provider to select the output of scriptable steps where this namespace is configured.
    Class
    com.airlock.iam.flow.shared.application.configuration.script.ScriptNamespaceConfig
    May be used by
    Properties
    Identifier (identifier)
    Description
    The identifier of the namespace. Allowed character set: [a-zA-Z0-9-_].
    Attributes
    String
    Mandatory
    Length >= 1
    Validation RegEx: [A-Za-z0-9-_]+
    Example
    myNamespace
    Example
    my_namespace
    Example
    MY-NAMESPACE-9
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.script.ScriptNamespaceConfig
    id: ScriptNamespaceConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      identifier:
    

    Script Output Declaration

    Description
    Defines expected properties for a single script output, such as the type of the value.
    Class
    com.airlock.iam.flow.shared.application.configuration.script.ScriptExpectedOutputTypeConfig
    May be used by
    Properties
    Output Value Type (outputValueType)
    Description
    The expected value type in a key-value pair of the output map. The supported types are:
    • String: Can be any variable-length UTF-8 character sequence.
    • Boolean: Required to be either "true" or "false" (i.e. not a binary digit).
    • Number: Required to be an integer between -2^63 and 2^63-1. Non-integer numbers are currently not supported.
    • Date-Time: Required to be a positive integer between 0 and 2^63-1, representing a Unix timestamp in milliseconds.
    • Date: Required to be a valid date string in the format "yyyy-MM-dd" (e.g. 2021-06-04).
    Attributes
    Enum
    Mandatory
    Required (required)
    Description
    If checked, then this output must be present in script results. Otherwise, it may be absent.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.script.ScriptExpectedOutputTypeConfig
    id: ScriptExpectedOutputTypeConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      outputValueType:
      required: true
    

    Script Secret Config

    Description
    Configures a secret that can be passed to an IAM script in a "Scriptable Step".

    Reference this secret in the script by calling the API method iam.secrets:get(identifier) with the here configured identifier.

    Class
    com.airlock.iam.flow.shared.application.configuration.script.ScriptSecretConfig
    May be used by
    Properties
    Identifier (identifier)
    Description
    A unique identifier that can be used in the IAM script to reference this secret.

    Must only contain alphanumeric characters and underscores.

    Attributes
    String
    Mandatory
    Length <= 40
    Validation RegEx: [a-zA-Z0-9_]+
    Secret (secret)
    Description
    Contains the secret that should be passed to the IAM script.

    Secrets are always passed in plaintext to the IAM script even if referenced here by external storage ID.

    Attributes
    String
    Mandatory
    Sensitive
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.script.ScriptSecretConfig
    id: ScriptSecretConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      identifier:
      secret:
    

    Scriptable Step

    Description
    A non-interactive flow step that runs the configured script. The script will be provided with inputs from the configured value providers. The result of the script is validated against the configured output map and is stored in the session. It can be retrieved using the "Script Execution Result Value Map Provider" plugin in subsequent steps.

    IAM uses Lua as its scripting engine. Please refer to the official documentation at https://www.lua.org/ for more information about the Lua language and its features.

    Class
    com.airlock.iam.flow.shared.application.configuration.step.ScriptableStepConfig
    May be used by
    Properties
    Inputs (inputs)
    Description

    Defines a mapping of input values that are made available to the Lua script. The inputs can be accessed as a table through the "iam" API object: iam.input_map

    If a value cannot be provided by the configured map, its corresponding key will not exist in the resulting mapping. When writing a script, one should always first check if the key is present before trying to operate on its value.

    If two value providers contain an entry with the same key, then only the entry of the provider that appears last in the list will be available within the script.

    Note that simple date values without a specific time (i.e. LocalDate) are passed as string arguments in the format "yyyy-MM-dd", while more specific date-time values are provided as epoch time with millisecond precision.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Script (script)
    Description

    The Lua script that will be run when the step is initialized.

    Each script must define the following function:

    function iam_on_step_init ()
        return <output_map>
    end

    The values returned by this function can be accessed using the "Script Execution Result Value Map Provider" with matching namespace. Note that the outputs returned by the script must be declared in the "Outputs" property. If no outputs are expected, then the function's return statement can either be removed, or return an empty mapping.

    Attributes
    String
    Mandatory
    Multi-line-text
    Outputs (outputs)
    Description

    Declares the mapping of key-value pairs that are expected to be returned by the Lua script. The outputs are made available under the namespace configured for the step.

    The script's outputs are required to match the expected output exactly. If the script's output contains additional results, this will also produce an error.

    Individual key-value pairs may be tagged as optional, in which case they are not required to be in the script's output. Note that the order in which the key-value pairs are listed does not matter.

    If left undefined, then the output map is expected to be empty.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
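The following is an added example, not Airlock IAM code: it models the checks that the "Outputs" property and the "Script Output Declaration" plugin describe (required and optional keys, exact key match, the five value types and their ranges), plus the last-provider-wins merge of the "Inputs" list into iam.input_map, so a script author can see why a returned map is accepted or rejected. The declaration keys and sample values are constructed.

```python
"""Added example, not Airlock IAM code: models the output validation the "Outputs"
property and the "Script Output Declaration" plugin describe, plus the merge rule
for the "Inputs" list. Declaration keys and sample values below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

INT64_MIN = -(2 ** 63)
INT64_MAX = 2 ** 63 - 1
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # "yyyy-MM-dd", e.g. 2021-06-04


@dataclass(frozen=True)
class OutputDeclaration:
    """One Script Output Declaration: the expected type and whether the key must exist."""
    output_value_type: str  # String | Boolean | Number | Date-Time | Date
    required: bool = True


def _check_value(kind: str, value: object) -> str | None:
    """Return None when value is acceptable for kind, otherwise a short reason."""
    if kind == "String":
        return None if isinstance(value, str) else "expected a string"
    if kind == "Boolean":
        # Only true/false is accepted; a binary digit such as 0 or 1 is rejected.
        if isinstance(value, bool) or value in ("true", "false"):
            return None
        return "expected true or false"
    if kind == "Number":
        # Non-integer numbers are unsupported; bool is excluded because it subclasses int.
        if isinstance(value, bool) or not isinstance(value, int):
            return "expected an integer"
        return None if INT64_MIN <= value <= INT64_MAX else "outside the signed 64-bit range"
    if kind == "Date-Time":
        if isinstance(value, bool) or not isinstance(value, int):
            return "expected a Unix timestamp in milliseconds"
        return None if 0 <= value <= INT64_MAX else "timestamp must be between 0 and 2^63-1"
    if kind == "Date":
        if not isinstance(value, str) or not DATE_RE.match(value):
            return "expected a yyyy-MM-dd string"
        try:
            date.fromisoformat(value)  # rejects impossible dates such as 2021-13-04
        except ValueError:
            return "not a valid calendar date"
        return None
    raise ValueError(f"unknown output value type: {kind}")


def validate_script_output(declared: dict[str, OutputDeclaration],
                           result: dict[str, object] | None) -> dict[str, str]:
    """Return {key: problem}; an empty dict means the script result is accepted.

    Required keys must be present, optional keys may be absent, every present value
    must match its declared type, and any undeclared key is an error. Key order is
    irrelevant. A script without a return statement yields None, treated as empty.
    """
    result = result or {}
    problems: dict[str, str] = {}
    for key, decl in declared.items():
        if key not in result:
            if decl.required:
                problems[key] = "required output is missing"
            continue
        reason = _check_value(decl.output_value_type, result[key])
        if reason is not None:
            problems[key] = reason
    for key in result:
        if key not in declared:
            problems[key] = "output was not declared"
    return problems


def merge_inputs(providers: list[dict[str, object]]) -> dict[str, object]:
    """Build iam.input_map from the Inputs list: on duplicate keys the last provider wins."""
    merged: dict[str, object] = {}
    for table in providers:
        merged.update(table)
    return merged


# Constructed declaration for the demo below; the key names are made up.
EXAMPLE_DECLARATION = {
    "email": OutputDeclaration("String"),
    "risk_score": OutputDeclaration("Number"),
    "verified": OutputDeclaration("Boolean"),
    "last_login": OutputDeclaration("Date-Time", required=False),
    "birthday": OutputDeclaration("Date", required=False),
}

if __name__ == "__main__":
    good = {"email": "u@example.test", "risk_score": 42, "verified": True, "birthday": "2021-06-04"}
    bad = {"email": "u@example.test", "risk_score": 4.5, "verified": 1, "extra": "x"}
    print("accepted:", validate_script_output(EXAMPLE_DECLARATION, good) == {})
    print("problems:", validate_script_output(EXAMPLE_DECLARATION, bad))
    print("input_map:", merge_inputs([{"lang": "de", "uid": "u1"}, {"lang": "en"}]))
```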
    Input Secrets (inputSecrets)
    Description
    Secret strings that are passed in plaintext as environment variables to the IAM script process.

    The script is always executed on the server and therefore no secrets are transmitted to an external client, e.g. browser.

    An example are HTTP basic authentication credentials for the configuration of a REST client.

    Secrets must only be referenced in the script by calling the API method iam.secrets:get(identifier) with their configured string identifier.

    Secrets must be handled with care, e.g. they must never be passed on to a logger.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Namespace (namespace)
    Description

    The namespace under which the output of the step is stored. If left empty, it is stored under the default namespace.

    To retrieve the output values of this step, configure the same namespace in the corresponding Script Execution Result Value Map Provider.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.step.ScriptableStepConfig
    id: ScriptableStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      inputSecrets:
      inputs:
      namespace:
      onFailureGotos:
      outputs:
      preCondition:
      requiresActivation: false
      script:
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Scrypt Password Hash

    Description
    Password hash plug-in that uses SCrypt for hashing. See https://www.tarsnap.com/scrypt/scrypt.pdf for more details.

    Returns 'iterations' + '|' + 'salt' + 'hash' as hash value.

    Class
    com.airlock.iam.core.misc.util.password.hash.ScryptPasswordHash
    May be used by
    Properties
    Iterations Exponent (iterationsExponent)
    Description
    The exponent used to compute the number of iterations, i.e. the actual number of iterations is 2 to the power of the value defined here. The value must be less than 128 * r / 8, where r is the block size. The number of iterations is stored together with the hash value. That means, this value can be increased or decreased without losing backward compatibility.
    Attributes
    Integer
    Optional
    Default value
    14
    Block Size (blockSize)
    Description
    The block size; must be >= 1. The default value should be fine for usual applications. If a higher cost for brute force attacks is desired, change the iteration exponent instead. This value is not stored with the hash value. That means that any change to this value will break existing hashes. Use the Combined Password Hash to allow for a transition from an old value to a new value.
    Attributes
    Integer
    Optional
    Default value
    8
    Parallelization Parameter (parallelizationParameter)
    Description
    Parallelization parameter. Must be a positive integer less than or equal to Integer.MAX_VALUE / (128 * r * 8), where r is the block size. The default value should be fine for usual applications. If a higher cost for brute force attacks is desired, change the iteration exponent instead. This value is not stored with the hash value. That means that any change to this value will break existing hashes. Use the Combined Password Hash to allow for a transition from an old value to a new value.
    Attributes
    Integer
    Optional
    Default value
    1
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.hash.ScryptPasswordHash
    id: ScryptPasswordHash-xxxxxx
    displayName: 
    comment: 
    properties:
      blockSize: 8
      iterationsExponent: 14
      parallelizationParameter: 1
    
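The following is an added example, not Airlock IAM code: it demonstrates the consequence stated above that the iterations exponent travels with the hash while block size (r) and parallelization (p) do not, and it enforces the parameter constraints listed for the three properties. The exact encoding used here ('exponent|' followed by hex salt and hex hash) is an assumption; the reference only gives the field order.

```python
"""Added example, not Airlock IAM code: scrypt hashing with the exponent stored in
the hash string and r/p taken from configuration, as the plugin reference describes.
The encoding 'exponent|<hex salt><hex hash>' is an assumption of this example."""
from __future__ import annotations

import hashlib
import hmac
import os

INTEGER_MAX_VALUE = 2 ** 31 - 1  # Java Integer.MAX_VALUE, the bound the reference uses for p
SALT_BYTES = 16
DKLEN = 32


def check_scrypt_config(iterations_exponent: int, block_size: int, parallelization: int) -> None:
    """Raise ValueError if the parameters violate the constraints listed in the reference."""
    r, p = block_size, parallelization
    if r < 1:
        raise ValueError("block size must be >= 1")
    if not 1 <= iterations_exponent < 128 * r / 8:
        raise ValueError("iterations exponent must be less than 128 * r / 8")
    if not 1 <= p <= INTEGER_MAX_VALUE // (128 * r * 8):
        raise ValueError("parallelization parameter must be <= Integer.MAX_VALUE / (128 * r * 8)")


def memory_bytes(iterations_exponent: int, block_size: int, parallelization: int) -> int:
    """Working memory scrypt needs: 128 * N * r * p bytes with N = 2**exponent."""
    return 128 * (2 ** iterations_exponent) * block_size * parallelization


def _maxmem(iterations_exponent: int, block_size: int, parallelization: int) -> int:
    # Give OpenSSL headroom above the nominal requirement, capped at what hashlib accepts.
    return min(2 * memory_bytes(iterations_exponent, block_size, parallelization) + (1 << 20),
               INTEGER_MAX_VALUE)


def hash_password(password: str, iterations_exponent: int = 14, block_size: int = 8,
                  parallelization: int = 1, salt: bytes | None = None) -> str:
    """Return 'exponent|salt+hash' (hex); the defaults match the plugin's YAML template."""
    check_scrypt_config(iterations_exponent, block_size, parallelization)
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** iterations_exponent,
                            r=block_size, p=parallelization, dklen=DKLEN,
                            maxmem=_maxmem(iterations_exponent, block_size, parallelization))
    return f"{iterations_exponent}|{salt.hex()}{digest.hex()}"


def verify_password(password: str, stored: str, block_size: int = 8, parallelization: int = 1) -> bool:
    """Recompute the hash for comparison. The exponent is read from the stored value, so the
    configured exponent may change at any time; r and p must be the values used at hashing
    time because they are not stored (hence the Combined Password Hash for transitions)."""
    exponent_text, blob = stored.split("|", 1)
    exponent = int(exponent_text)
    salt = bytes.fromhex(blob[:2 * SALT_BYTES])
    expected = bytes.fromhex(blob[2 * SALT_BYTES:])
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** exponent,
                               r=block_size, p=parallelization, dklen=DKLEN,
                               maxmem=_maxmem(exponent, block_size, parallelization))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")  # exponent 14, r 8, p 1
    print(stored)
    print("verify with same r/p:", verify_password("correct horse battery staple", stored))
    print("verify with r changed to 16:", verify_password("correct horse battery staple", stored, block_size=16))
```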

    Secret Letter Renderer

    Description
    Responsible for rendering letters with secrets that are provided to the renderer.
    Class
    com.airlock.iam.core.misc.renderer.SecretLetterRenderer
    May be used by
    Properties
    Output Directory Path (outputDirectoryPath)
    Description
    Directory in the file system to put the rendered passwords in. The directory is either absolute or relative to the JVM's current directory.

    This property is not required if the renderer plugin (see separate property) does not write to the output stream (e.g. sends it somewhere else). It is required otherwise.

    Note: If this property is not defined and the used renderer plugin writes on the output stream, then the result (e.g. a PDF file) is lost.

    Attributes
    File/Path
    Optional
    Working Directory Path (workingDirectoryPath)
    Description
    A writable directory used to store partial reports.
    If this property is defined, the passwords are not directly generated into the output directory (see other property) but they are generated into this working directory and are moved to the output directory once they are done.
    This helps to solve problems with processes that automatically read the rendered passwords and would otherwise pick up partial reports during the generation process. Make sure that the working directory and the output directory reside in the same file system (if not, moving the generated file will not be atomic).
    The directory is either absolute or relative to the JVM's current directory.
    Attributes
    File/Path
    Optional
    File Name Prefix (fileNamePrefix)
    Description
    Filename prefix for rendered report files. It is important to set this to a unique value for the kind of reports generated by this task. When this task deletes old reports, it looks at this prefix (and the user id) in order to find out what files to delete. Thus, if this prefix is the same as for other reports and they reside in the same directory, other reports may be deleted.

    Do not use the empty prefix if token-list reports are stored in the same directory. The empty prefix is the default for token list letters (and not configurable in older plugin versions).

    This property is optional to be backwards compatible. The prefix "pwd-" is used if none is defined.

    Attributes
    String
    Optional
    Default value
    pwd-
    Example
    pwd-
    Example
    passwordLetter-
    Configured File Name Suffix (configuredFileNameSuffix)
    Description
    Filename suffix for rendered password files. If necessary, a leading dot is prepended to the configured value before it is used as the suffix.
    Attributes
    String
    Optional
    Suggested values
    .pdf, .docx
    Report Type Short Desc (reportTypeShortDesc)
    Description
    Defines a short textual description of the type of the report being rendered.
    The text is used in the user trail log written when a report is rendered. Please specify a text like in the examples below, so it suits the structure of the log statement it is used in.
    If this property is not specified, a general statement will be logged.
    Attributes
    String
    Optional
    Example
    password letter
    Example
    activation key letter
    Example
    PIN letter
    Password Renderer (passwordRenderer)
    Description
    Tells the password batch task which password renderer to use for the rendering of newly generated passwords.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Language Attribute Name (languageAttributeName)
    Description
    Tells the password batch task which attribute in the context data container contains the language to be used for rendering the password. If this property is configured and if the context data container of the user has a value for this attribute, it is used when calling the password renderer plugin.
    Attributes
    String
    Optional
    Suggested values
    language
    Delete Old Passwords (deleteOldPasswords)
    Description
    Deletes old rendered passwords of a user from the file system when a new one is rendered. Setting this to TRUE results in at most one rendered password per user.
    Attributes
    Boolean
    Optional
    Default value
    false
    Barcode Generator (barcodeGenerator)
    Description
    Optional barcode generator. If this property is configured, a barcode image and the corresponding barcode content are added to the parameter map accessible by report templates. The following keys are defined:
    • BarcodeImage: placeholder for the barcode image.
    • BarcodeContent: placeholder for the barcode content.
    • BarcodeContentDisplay: placeholder for the barcode content in a human-readable format.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.renderer.SecretLetterRenderer
    id: SecretLetterRenderer-xxxxxx
    displayName: 
    comment: 
    properties:
      barcodeGenerator:
      configuredFileNameSuffix:
      deleteOldPasswords: false
      fileNamePrefix: pwd-
      languageAttributeName:
      outputDirectoryPath:
      passwordRenderer:
      reportTypeShortDesc:
      workingDirectoryPath:
    

    Secret Questions Identity Verification Step

    Description

    Public self-service flow step that verifies the user identity by asking secret questions that the user has to answer correctly for the flow to continue.

    This is an identity verification step that differs from an "approval" step in the following ways:

    • It doesn't fail with non-existing users or users without provisioned secret questions.
    • It implements stealth mode: if a user does not exist or cannot do public self-services for whatever reason, no error is returned, but any answers entered are rejected, so that the step can never be completed successfully.
    Class
    com.airlock.iam.publicselfservice.application.configuration.steps.SecretQuestionsIdentityVerificationStepConfig
    May be used by
    Properties
    Secret Questions Settings (secretQuestionsSettings)
    Description
    Settings related to secret questions.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Max Failed Attempts (maxFailedAttempts)
    Description
    Number of allowed failed attempts before the flow is aborted.
    Attributes
    Integer
    Optional
    Default value
    1
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    SECRET_QUESTIONS
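The following is an added example, not Airlock IAM code: a minimal model of a failed-attempt counter keyed by user and authentication method ID, which makes the counter reset described above concrete and shows that the lockout only holds when the two steps use distinct identifiers. The user, flow and identifier names are constructed.

```python
"""Added example, not Airlock IAM code: models a failed-attempt counter keyed by
(user, authentication method ID) to show the reset behaviour the "Authentication
Method ID" property describes. User and identifier names are constructed."""
from collections import defaultdict


class FailedAttemptCounters:
    """One counter per (user, authentication method ID); reaching the limit locks the user."""

    def __init__(self, max_failed_attempts: int) -> None:
        self.max_failed_attempts = max_failed_attempts
        self._counts: dict[tuple[str, str], int] = defaultdict(int)
        self.locked: set[str] = set()

    def record(self, user: str, method_id: str, success: bool) -> None:
        key = (user, method_id)
        if success:
            self._counts[key] = 0  # a successful check resets only this method's counter
            return
        self._counts[key] += 1
        if self._counts[key] >= self.max_failed_attempts:
            self.locked.add(user)

    def failures(self, user: str, method_id: str) -> int:
        return self._counts[(user, method_id)]


def lockout_holds(method_id_flow_a: str, method_id_flow_b: str,
                  max_failed_attempts: int = 3, rounds: int = 5) -> bool:
    """Model the scenario from the reference: credential 1 (flow A) is entered correctly
    in every round, credential 2 (flow B) is entered wrongly just below the limit.
    Returns True if the user ends up locked, i.e. flow B's limit is actually enforced."""
    counters = FailedAttemptCounters(max_failed_attempts)
    for _ in range(rounds):
        for _ in range(max_failed_attempts - 1):
            counters.record("alice", method_id_flow_b, success=False)
        counters.record("alice", method_id_flow_a, success=True)
    return "alice" in counters.locked


if __name__ == "__main__":
    print("distinct ids, lockout holds:", lockout_holds("PASSWORD1", "PASSWORD2"))
    print("shared id, lockout holds:  ", lockout_holds("PASSWORD", "PASSWORD"))
```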
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.steps.SecretQuestionsIdentityVerificationStepConfig
    id: SecretQuestionsIdentityVerificationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: SECRET_QUESTIONS
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      maxFailedAttempts: 1
      onFailureGotos:
      preCondition:
      requiresActivation: false
      secretQuestionsSettings:
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Secret Questions Provisioning Step

    Description
    Configuration for a flow step for provisioning answers to secret questions.

    Note: This step is only interactive for users that have secret questions enabled.

    Class
    com.airlock.iam.authentication.application.configuration.secretquestions.SecretQuestionsProvisioningStepConfig
    May be used by
    Properties
    Secret Questions Settings (secretQuestionsSettings)
    Description
    Settings for secret questions.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.secretquestions.SecretQuestionsProvisioningStepConfig
    id: SecretQuestionsProvisioningStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      secretQuestionsSettings:
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Secret Questions Settings

    Description
    Secret Questions are a common way to check if a user is allowed to reset his password. This plugin centrally configures the details concerning set-up of secret answers and how to use them for recovery.

    The 'questions' are part of this configuration, represented as resource keys. Their translation – the question as displayed to the user – is in the string resource files, like other translations.

    In the set-up or provisioning phase a user answers some of the predefined 'secret questions'. These secret answers are persisted as secret-answer tokens in the IAM persistency model, so they can be verified later.

    Class
    com.airlock.iam.common.application.configuration.secretquestion.SecretQuestionsSettings
    May be used by
    Properties
    Question Resource Keys (questionResourceKeys)
    Description
    List of resource keys of the available questions. Each key represents one question. If you remove a question (resource key) from this list, all answers to that question become invalid.

    Ensure that no new question with the same key is introduced later. Any user's answer to the previous question would not match the new question.

    The keys must contain a period "." somewhere to avoid name clashes in the REST API.

    Attributes
    String-List
    Mandatory
    Token Data Provider (tokenDataProvider)
    Description
    The provider for token data takes care of persisting the secret answers.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Hash Function Plugin (hashFunctionPlugin)
    Description
    It is recommended not to store the secret answers in plain text. The hash algorithm configured here is used to hash the answers.

    NOTE: Some password hashes, such as SHA 256 Password Hash or Scrypt Password Hash, produce binary output. If one of these is used, make sure the persistence layer supports binary data in the hash field and the corresponding persistence plugins (e.g. Database User Store or Ldap Connector) are configured to treat hash values as binary values.
    In case the persistence layer expects a string, encode the password hash by wrapping it with an encoder. To achieve this, use the Password Hash Configuration plugin and specify the hash function (such as Scrypt Password Hash) together with the desired encoder. We recommend using the Base64 Password Hash Encoder.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Required Number Of Provisioned Answers (requiredNumberOfProvisionedAnswers)
    Description
    Defines how many questions a user has to answer during the provisioning phase. If not enough questions are answered yet, the user must answer additional questions upon login and the user cannot use Secret Questions for recovery.
    Attributes
    Integer
    Optional
    Default value
    2
    Allowed Number Of Attempts (allowedNumberOfAttempts)
    Description
    Defines the number of allowed failed attempts until a Secret answer token is blocked. When a question is answered correctly the counter on the specific answer-token will be reset. A blocked answer can be unblocked by an administrator.
    Attributes
    Integer
    Optional
    Default value
    2
    Normalization (normalization)
    Description
    Normalization is a string-transformation applied to answers before they are persisted, and before they are verified. Therefore, an answer can be accepted even if it has minor differences to the provisioned answer. Currently, the following options exist:
    • OFF:
      No normalization. Provisioned and challenged answers must match exactly.
    • TRIM:
      Removes whitespaces at the beginning and end of the answer string.
    • TRIM_CASEINSENSITIVE:
      Does the same as TRIM and additionally converts all characters to lower case.
    • TRIM_CASEINSENSITIVE_NOWHITESPACE:
      Does the same as TRIM_CASEINSENSITIVE and additionally removes all whitespace.
    • TRIM_CASEINSENSITIVE_NOWHITESPACE_NOSPECIALCHARS:
      Does the same as TRIM_CASEINSENSITIVE_NOWHITESPACE and additionally removes all non-word characters (all characters except letters, digits and the underscore).
    Attributes
    Enum
    Optional
    Default value
    TRIM_CASEINSENSITIVE
    Min Length (minLength)
    Description
    Defines the minimum length of an answer.
    Attributes
    Integer
    Optional
    Default value
    2
    Max Length (maxLength)
    Description
    Defines the maximum length of an answer.
    Attributes
    Integer
    Optional
    Default value
    100
    Number Of Challenge Questions (numberOfChallengeQuestions)
    Description
    Verifying if a user knows his provisioned secret answers involves two steps:
    1. Display some of the questions to the user (challenge).
    2. Check the user's answers to these questions.
    This property defines the number of questions which are selected to challenge the user. If this field is empty, the challenge shows as many questions as configured in "Required Number Of Provisioned Answers".
    Attributes
    Integer
    Optional
    Number Of Challenge Answers (numberOfChallengeAnswers)
    Description
    Defines how many of the questions from the challenge must be answered. A question is only unanswered if the answer string is empty.
    Example: Show two questions to the user, but only one has to be answered.
    Attributes
    Integer
    Optional
    Answer Regex Pattern (answerRegexPattern)
    Description
    Regex pattern to check the given answer (after normalization).
    Attributes
    RegEx
    Optional
    Allow Admin Answer Check (allowAdminAnswerCheck)
    Description
    Allow admins to check answers of a user in the adminapp.
    Attributes
    Boolean
    Optional
    Default value
    false
    Duplicate Answers Forbidden (duplicateAnswersForbidden)
    Description
    Forbid the same answer for more than one question per user.
    Attributes
    Boolean
    Optional
    Default value
    true
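As an added illustration (Python, not Airlock IAM code), the following models the provisioning and verification rules described for this plugin: the five normalization modes, the min/max length and regex checks, the duplicate-answer rule, the required number of provisioned answers, and the per-token failed-attempt counter. The PBKDF2 hashing, the token layout and the assumption that a token is blocked once its failed attempts reach "Allowed Number Of Attempts" are choices made for the example.

```python
"""Secret-answer provisioning and verification modelled on the Secret Questions
Settings plugin (added example; constructed stand-in, not Airlock IAM code)."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass

NORMALIZATION_MODES = (
    "OFF",
    "TRIM",
    "TRIM_CASEINSENSITIVE",
    "TRIM_CASEINSENSITIVE_NOWHITESPACE",
    "TRIM_CASEINSENSITIVE_NOWHITESPACE_NOSPECIALCHARS",
)


def normalize(answer: str, mode: str) -> str:
    """Apply the configured normalization; each mode builds on the previous one."""
    if mode not in NORMALIZATION_MODES:
        raise ValueError(f"unknown normalization mode: {mode}")
    if mode == "OFF":
        return answer                       # exact match required
    out = answer.strip()                    # TRIM: leading/trailing whitespace
    if mode.startswith("TRIM_CASEINSENSITIVE"):
        out = out.lower()                   # case-insensitive comparison
    if "NOWHITESPACE" in mode:
        out = re.sub(r"\s+", "", out)       # drop all remaining whitespace
    if "NOSPECIALCHARS" in mode:
        out = re.sub(r"[^\w]", "", out)     # keep letters, digits, underscore only
    return out


@dataclass(frozen=True)
class SecretQuestionsSettings:
    """Subset of the plugin's properties, with the page's default values."""
    question_resource_keys: tuple[str, ...]
    normalization: str = "TRIM_CASEINSENSITIVE"
    min_length: int = 2
    max_length: int = 100
    answer_regex_pattern: str | None = None
    duplicate_answers_forbidden: bool = True
    required_number_of_provisioned_answers: int = 2
    allowed_number_of_attempts: int = 2


@dataclass
class SecretAnswerToken:
    """Constructed stand-in for the persisted secret-answer token."""
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    blocked: bool = False


def _hash_answer(normalized: str, salt: bytes) -> bytes:
    # Stand-in for the configured Hash Function Plugin (assumption: salted PBKDF2).
    return hashlib.pbkdf2_hmac("sha256", normalized.encode("utf-8"), salt, 100_000)


def provision(settings: SecretQuestionsSettings,
              answers: dict[str, str]) -> dict[str, SecretAnswerToken]:
    """Validate the answers given in the provisioning phase and return hashed tokens."""
    for key in settings.question_resource_keys:
        if "." not in key:                  # keys need a period to avoid REST API name clashes
            raise ValueError(f"resource key without period: {key}")
    tokens: dict[str, SecretAnswerToken] = {}
    seen: set[str] = set()
    for key, raw in answers.items():
        if key not in settings.question_resource_keys:
            raise ValueError(f"unknown question: {key}")
        normalized = normalize(raw, settings.normalization)
        if not settings.min_length <= len(normalized) <= settings.max_length:
            raise ValueError("answer length out of bounds")
        if settings.answer_regex_pattern and not re.fullmatch(settings.answer_regex_pattern, normalized):
            raise ValueError("answer does not match answerRegexPattern")
        if settings.duplicate_answers_forbidden:
            if normalized in seen:          # compared after normalization
                raise ValueError("duplicate answer across questions")
            seen.add(normalized)
        salt = os.urandom(16)
        tokens[key] = SecretAnswerToken(salt, _hash_answer(normalized, salt))
    if len(tokens) < settings.required_number_of_provisioned_answers:
        raise ValueError("not enough questions answered")
    return tokens


def provisioning_error(settings: SecretQuestionsSettings, answers: dict[str, str]) -> str | None:
    """Return the rejection reason for a provisioning attempt, or None if accepted."""
    try:
        provision(settings, answers)
    except ValueError as exc:
        return str(exc)
    return None


def verify_answer(settings: SecretQuestionsSettings, tokens: dict[str, SecretAnswerToken],
                  key: str, answer: str) -> bool:
    """Check one answer; count failures and block the token after the allowed attempts."""
    token = tokens.get(key)
    if token is None or token.blocked:      # a blocked token must be unblocked by an admin
        return False
    candidate = _hash_answer(normalize(answer, settings.normalization), token.salt)
    if hmac.compare_digest(candidate, token.digest):
        token.failed_attempts = 0           # a correct answer resets the counter
        return True
    token.failed_attempts += 1
    if token.failed_attempts >= settings.allowed_number_of_attempts:
        token.blocked = True
    return False
```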
    Check Using Latin1 Encoding (checkUsingLatin1Encoding)
    Description

    If enabled, answers containing special characters that were stored by IAM versions earlier than 6.3 are still accepted. This option does not have to be activated if all answers were set using IAM 6.3 or later, or if all answers were set via webservices or REST.

    To support legacy answers, those with special characters are additionally checked using their legacy encoding in latin1.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.secretquestion.SecretQuestionsSettings
    id: SecretQuestionsSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      allowAdminAnswerCheck: false
      allowedNumberOfAttempts: 2
      answerRegexPattern:
      checkUsingLatin1Encoding: false
      duplicateAnswersForbidden: true
      hashFunctionPlugin:
      maxLength: 100
      minLength: 2
      normalization: TRIM_CASEINSENSITIVE
      numberOfChallengeAnswers:
      numberOfChallengeQuestions:
      questionResourceKeys:
      requiredNumberOfProvisionedAnswers: 2
      tokenDataProvider:
    

    Secret Questions Token Controller

    Description
    Token controller for Secret Questions.
    Class
    com.airlock.iam.admin.application.configuration.secretquestion.SecretQuestionsTokenController
    May be used by
    Properties
    Secret Questions Settings (secretQuestionsSettings)
    Description
    The Secret Questions settings to be used.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    User Store Provider (userStoreProvider)
    Description
    Defines the service to be used for finding users.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.secretquestion.SecretQuestionsTokenController
    id: SecretQuestionsTokenController-xxxxxx
    displayName: 
    comment: 
    properties:
      secretQuestionsSettings:
      userStoreProvider:
    

    Security Settings

    Description
    Loginapp security settings.
    Class
    com.airlock.iam.login.app.application.configuration.SecurityConfig
    May be used by
    Properties
    Encryption Key (Base64 Encoded) (encryptionKey)
    Description

    The encryption key (encoded in base64) is required to encrypt sensitive data in cookies or in REST responses.

    The openssl tool can be used to generate a random base64 string with 256 bits (32 bytes): openssl rand -base64 32

    Attributes
    String
    Mandatory
    Sensitive
    HMAC Key (Base64 Encoded) (hmacKey)
    Description

    The HMAC Key (encoded in base64) is required to sign sensitive data that is stored in cookies or REST responses.

    The openssl tool can be used to generate a random base64 string with 512 bits (64 bytes): openssl rand -base64 64

    Attributes
    String
    Mandatory
    Sensitive
    CORS Settings (corsSettings)
    Description
    The settings to allow cross-domain REST calls.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    CSRF Protection (csrfProtection)
    Description

    If enabled, REST endpoints are protected against CSRF attacks.

    With this protection, the REST API only accepts requests that contain the custom header X-Same-Domain with an arbitrary non-empty value. In cross-origin resource sharing (CORS), such requests are not considered simple requests and thus must always be preceded by a preflight request, which prevents cross-site request forgery (CSRF) attacks.

    Security warning: Disabling this feature may allow CSRF attacks. Only do so if the REST client is unable to comply with the aforementioned restrictions.

    To be RFC-compliant, the endpoint /<loginapp-uri>/rest/public/tech-client-registration/oauth2/<as-identifier>/register never requires the X-Same-Domain header.

    Requests to this endpoint are guaranteed to be non-simple because of the enforced non-simple content type application/json.

    Attributes
    Boolean
    Optional
    Default value
    true
    Minimal Error Response Duration [ms] (fixedResponseDuration)
    Description

    Defines how long it takes (in milliseconds) until IAM answers an unsuccessful request in the public part of the API. Faster answers are delayed until the configured duration is reached. This helps to avoid timing attacks. Successful or slower responses are not affected by this property. Protection against timing attacks is only provided if IAM is able to process 'unsuccessful' requests within the configured duration.

    The endpoints for the password policy check, application access check, and the user self-registration are excluded from response delaying.

    Attributes
    Integer
    Optional
    Default value
    2000
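Added example (Python, not part of Airlock IAM) modelling the X-Same-Domain CSRF check and the minimal error response duration described above. The request/response structures, the assumption that <loginapp-uri> is a single path segment, the constructed paths, and the `is_delay_exempt` predicate standing in for the excluded endpoints are all assumptions of the example.

```python
"""Request guard modelling two Security Settings properties: the X-Same-Domain
CSRF check and the minimal error response duration (added example, not IAM code)."""
from __future__ import annotations

import re
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class SecurityConfig:
    """The two properties this example covers, with the page's default values."""
    csrf_protection: bool = True
    fixed_response_duration_ms: int = 2000


@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)
    content_type: str = ""


@dataclass
class Response:
    status: int
    body: str
    elapsed_ms: float = 0.0
    delayed: bool = False               # True if the response was held back


# Assumption: <loginapp-uri> and <as-identifier> are single path segments.
_REGISTRATION_PATH = re.compile(
    r"/[^/]+/rest/public/tech-client-registration/oauth2/[^/]+/register")


def csrf_check(config: SecurityConfig, request: Request) -> str | None:
    """Return a rejection reason, or None if the request passes the CSRF check."""
    if _REGISTRATION_PATH.fullmatch(request.path):
        # Never requires X-Same-Domain; the endpoint enforces application/json,
        # which makes every request non-simple (preflighted) anyway.
        if request.content_type.split(";")[0].strip().lower() != "application/json":
            return "registration endpoint requires application/json"
        return None
    if not config.csrf_protection:
        return None
    value = next((v for k, v in request.headers.items() if k.lower() == "x-same-domain"), "")
    # Any non-empty value is accepted: the header's presence forces a preflight.
    return None if value.strip() else "missing X-Same-Domain header"


def serve(config: SecurityConfig, request: Request,
          handler: Callable[[Request], Response],
          is_delay_exempt: Callable[[str], bool] = lambda path: False,
          now: Callable[[], float] = time.monotonic,
          sleep: Callable[[float], None] = time.sleep) -> Response:
    """Run the handler and hold back fast error responses on the public API."""
    start = now()
    reason = csrf_check(config, request)
    response = Response(403, reason) if reason else handler(request)
    is_public = "/rest/public/" in request.path
    if response.status >= 400 and is_public and not is_delay_exempt(request.path):
        while True:
            remaining_ms = config.fixed_response_duration_ms - (now() - start) * 1000
            if remaining_ms <= 0:
                break               # a slow failure is NOT padded: timing leaks
            sleep(remaining_ms / 1000)
            response.delayed = True
    response.elapsed_ms = (now() - start) * 1000
    return response


def slow_failing_handler(delay_ms: float) -> Callable[[Request], Response]:
    """Constructed handler that fails only after delay_ms (shows the caveat above)."""
    def handler(request: Request) -> Response:
        time.sleep(delay_ms / 1000)
        return Response(401, "bad credentials")
    return handler
```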
    Username Filter Pattern (usernameFilterPattern)
    Description
    Regular expression pattern used to validate usernames entered by the user. If the username does not match the pattern, the corresponding process is aborted and a message is logged.
    Attributes
    RegEx
    Optional
    Default value
    [a-zA-Z0-9@._+-]{1,100}
    Session Cookie SameSite Policy (sameSitePolicy)
    Description

    Specifies the 'SameSite' cookie attribute of the IAM session cookie 'iam-session-id'. The 'Secure' attribute is automatically set based on whether the request was performed using http or https (see exception for 'None' below).

    • Strict: The cookie is not sent in cross-origin requests.
    • Lax: The cookie is sent in some cross-origin requests, such as GET requests.
    • None: The cookie is sent in cross-origin requests. In this case, the 'Secure' Cookie-Attribute is always set, regardless of whether the request was performed using http or https. Use this setting when using SAML2 in combination with cross-domain POST Bindings.
    • No SameSite Attribute: No attribute is set. Browsers apply their default behaviour, usually 'Lax'.
    Attributes
    Enum
    Optional
    Default value
    LAX
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.application.configuration.SecurityConfig
    id: SecurityConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      corsSettings:
      csrfProtection: true
      encryptionKey:
      fixedResponseDuration: 2000
      hmacKey:
      sameSitePolicy: LAX
      usernameFilterPattern: [a-zA-Z0-9@._+-]{1,100}
    

    Select mTAN Token Step

    Description
    Step to select an mTAN token for further processing. Typically, this is used for editing a token in a "mTAN Token Edit Step" and then persisting it with an "Apply Changes Step" using an "Apply mTAN Edit Change".
    Class
    com.airlock.iam.selfservice.application.configuration.step.MtanTokenSelectionStepConfig
    May be used by
    Properties
    mTAN Settings (mtanSettings)
    Description
    Settings for handling mTAN numbers.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.MtanTokenSelectionStepConfig
    id: MtanTokenSelectionStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      mtanSettings:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Selection Authenticator

    Description
    Authenticator that allows dynamic selection of another authenticator based on the credentials available to the user. All configured authenticators for which the user has a suitable credential are presented to the user. The user can then manually select one of the authenticators. If there is only one authenticator available it is automatically selected without user interaction. Actual authentication is only performed with the selected authenticator.
    Class
    com.airlock.iam.core.misc.impl.authen.SelectionAuthenticator
    May be used by
    Properties
    Selectable Authenticators (selectableAuthenticators)
    Description

    A map of selectable authenticators. An authenticator is only presented to the user as an option if the user actually has suitable credentials. E.g., if an SMS Authenticator is configured here but the user does not have a phone number registered, they will not be able to select SMS authentication.

    On the choice page, a translated string is displayed for each option (or the key itself if no translation is available). Translation strings use the prefix "userchoicepage.option." followed by the key in lowercase as the resource name. E.g. for "MTAN" the resource name is userchoicepage.option.mtan.

    Attributes
    Plugin-Map
    Mandatory
    Assignable plugins
    Always Selectable Authenticators (alwaysSelectableAuthenticators)
    Description

    Authenticators that are always selectable, i.e. they are always among the options presented to the user. These authenticators cannot determine whether a user has a suitable credential or not. Therefore, they must be able to handle users that have no such credential.

    See the description of "Selectable Authenticators" on how the options are displayed on the choice page.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Auto Select If One Option (autoSelectIfOneOption)
    Description
    If the user has only one possible selection and this flag is enabled, the selection is automatically chosen for the user. If the flag is disabled and the user has only one selection, a selection with one possibility is displayed.
    Attributes
    Boolean
    Optional
    Default value
    true
    User Persister (userPersister)
    Description
    The user persister used to load and store user information regarding a user's last selected authentication method.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Context Data Column Last Selected Auth Method (contextDataColumnLastSelectedAuthMethod)
    Description
    The context data column used to persist and retrieve the user's last selected authentication method.
    • The last selected authentication method is persisted in this context data column in the database as soon as a user continues the login process from the choice page.
    • If the last selected authentication method can be retrieved from the database upon displaying the choice page, and this method is a selectable choice, it is pre-selected for the user.
    • If a choice is pre-selected, the button on the choice page to continue the login process automatically receives the focus.
    • Persistence and pre-selection of the last selected authentication method are performed only if both the user persister and this context data column are configured.
    • The last selected authentication method in the database is represented by the corresponding selectable authenticator key.
    Attributes
    String
    Optional
    Example
    last_selected_auth_method
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.SelectionAuthenticator
    id: SelectionAuthenticator-xxxxxx
    displayName: 
    comment: 
    properties:
      alwaysSelectableAuthenticators:
      autoSelectIfOneOption: true
      contextDataColumnLastSelectedAuthMethod:
      selectableAuthenticators:
      userPersister:
    

    Selection Option

    Description
    Configuration of a selectable subflow.
    Class
    com.airlock.iam.flow.application.configuration.selection.step.SelectionOptionConfig
    May be used by
    Properties
    Name (name)
    Description

    Name of this option.

    This name appears in the list of available options (POST /<loginapp-uri>/rest/public/authentication/selection/options/retrieve) and is used as the "id" parameter to select an option (POST /<loginapp-uri>/rest/public/authentication/selection/options/<id>/select).

    The name is also used in the UI (single-page application) as "id" of the options string resource key "authentication.selection.options.<id>".

    Note that the name is converted to lowercase and underscores "_" are replaced by a hyphen "-", e.g. the resource key for AIRLOCK_2FA would be "authentication.selection.options.airlock-2fa".

    Attributes
    String
    Mandatory
    Suggested values
    AIRLOCK_2FA, MTAN, CRONTO, CRONTO_ACTIVATION, FIDO, OATH_OTP, RADIUS_OTP, VASCO_OTP, DEVICE_TOKEN, MATRIX, SSO_TICKET
    Steps (steps)
    Description
    Steps of this subflow.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Abort Step Account Link Linking Initiation Step Account Link Removal Initiation Step Acknowledge Message Step Airlock 2FA Activation Letter Order Step Airlock 2FA Activation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Trusted Session Binding Step Airlock 2FA Authentication Step Airlock 2FA Delete Devices Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Edit Initiation Step Airlock 2FA Device Edit Step Airlock 2FA Mobile Only Authentication Step Airlock 2FA Public Self-Service Approval Step Airlock 2FA Recovery Trusted Session Binding Step Airlock 2FA Self-Service Approval Step Airlock 2FA Transaction Approval Step Airlock 2FA Usernameless Authentication Step Apply Changes Step Certificate Credential Extraction Step Config Complete Migration Step Cronto Activation Step Cronto Approval Stealth Step Cronto Authentication Step Cronto Device Reset Step Config Cronto Device Selection Step Cronto Letter Order Step Config Cronto Public Self-Service Approval Step Cronto Self-Service Approval Step Cronto Transaction Approval Step CrontoSign Swiss Push Activation Step Delete Cronto Device Initiation Step Delete FIDO Credential Initiation Step Delete OAuth 2.0 Session Initiation Step Delete Remember-Me Device Initiation Step Delete mTAN Number Initiation Step Device Token Authentication Step Device Token Identity Verification Step Config Device Token Registration Step Disable Cronto Device Initiation Step Disable Cronto Push Initiation Step Disable FIDO Credential Initiation Step Email Change Verification Step Email Identity Verification Step Email Notification Step Email OTP Authentication Step Email OTP Transaction Approval Step Email Verification Step Enable Cronto Device Initiation Step Enable Cronto Push Initiation Step Enable FIDO Credential Initiation Step FIDO Authentication Step FIDO Credential Display Name Change Step FIDO Credential Selection Step FIDO Passwordless Authentication Step FIDO Public Self-Service Approval Step FIDO Registration Step FIDO Self-Service Approval Step Failure Step Flow Continuation Step Flow Continuation Token Consumption Step HTTP Basic Authentication Step Kerberos Authentication Step Legacy Email OTP Authentication Step Lock Self-Service Step Login From New Device Step Mandatory Password Change Step Config Matrix Authentication Step Matrix Public Self-Service Approval Step Matrix Self-Service Approval Step Migration Selection Step Missing Account Link Step Never Migrate Step No Operation Step OATH OTP Activation Step OATH OTP Authentication Step OAuth 2.0 Client Persisting Step OAuth 2.0 Client Registration Step OAuth 2.0 Consent Deny Initiation Step OAuth 2.0 Consent Grant Initiation Step OAuth 2.0 Consent Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 SSO Step OAuth 2.0 Session Reset Step OTP Check via RADIUS Step Password Change Self-Service Step Password Letter Order Step (Public Self-Service) Password Reset Step Password-only Authentication Step Phone Number Verification Step Red Flag Raising Step Config Remember-Me Reset Step Remember-Me Token Generating Step Remember-Me User Identifying Step Rename Cronto Device Step Representation SSO Ticket Identifying Step Risk Assessment Step Role-based Tag Acquisition Step SAML 2.0 SP User Identifying Step SMS Identity Verification Step SSI Authentication Step SSI Issuance Step SSI Passwordless Authentication Step SSI Verification Step SSO Ticket Authentication Step Scriptable Step Secret Questions Identity Verification Step Secret Questions Provisioning Step Select mTAN Token Step Selection Step Selection Step for Public Self-Service Selection Step for Self-Service Selection Step for User Self-Registration Send Email Link Step Set Authentication Method Migration Step Set Authentication Method Step Set Context Data Step Set Password Step Config Start User Representation Step Stop User Representation Step Tag Removal Step Config Terms Of Services Step Transaction Approval Parameter Step Unlock User Step (Public Self-Service) User Data Edit Step User Data Registration Step Config User Identification By Data Step User Identification By Data Step (Public Self-Service) User Identification Step User Identification Step (Public Self-Service) User Persisting Step Config User Role Assignment Step Config User Unlock Step (Self-Registration) Username Generation Step Config Username Password Authentication Step Vasco OTP Authentication Step Vasco OTP Device Activation Vasco OTP Public Self-Service Approval Step Vasco OTP Self-Service Approval Step Voluntary Password Change Step mTAN Authentication Step mTAN Public Self-Service Approval Step mTAN Self-Service Approval Step mTAN Token Edit Step mTAN Token Registration Step mTAN Transaction Approval Step mTAN Verification Step
    Condition (condition)
    Description
    Defines the condition under which this option can be selected.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.application.configuration.selection.step.SelectionOptionConfig
    id: SelectionOptionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      name:
      steps:
    

    Selection Option For Public Self-Service

    Description
    Configuration of a selectable subflow.
    Class
    com.airlock.iam.publicselfservice.application.configuration.selection.SelectionOptionConfigForPublicSelfServiceFlows
    May be used by
    Properties
    Name (name)
    Description

    Name of this option.

    This name appears in the list of available options (POST /<loginapp-uri>/rest/public/self-service/selection/options/retrieve) and is used as the "id" parameter to select an option (POST /<loginapp-uri>/rest/public/self-service/selection/options/{id}/select).

    The name is also used in the UI (single-page application) as "id" of the options string resource key "public-self-service.selection.options.<id>".

    Note that the name is converted to lowercase and underscores "_" are replaced by a hyphen "-", e.g. the resource key for AIRLOCK_2FA would be "public-self-service.selection.options.airlock-2fa".

    Attributes
    String
    Mandatory
    Condition (condition)
    Description
    Defines the condition under which this option can be selected.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.selection.SelectionOptionConfigForPublicSelfServiceFlows
    id: SelectionOptionConfigForPublicSelfServiceFlows-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      name:
      steps:
    

    Selection Option For Self-Service

    Description
    Configuration of a selectable subflow.
    Class
    com.airlock.iam.selfservice.application.configuration.selection.SelectionOptionConfigForSelfServiceFlows
    May be used by
    Properties
    Name (name)
    Description

    Name of this option.

    This name appears in the list of available options (POST /<loginapp-uri>/rest/protected/self-service/selection/options/retrieve) and is used as the "id" parameter to select an option (POST /<loginapp-uri>/rest/protected/self-service/selection/options/<id>/select).

    The name is also used in the UI (single-page application) as "id" of the options string resource key "protected.self-service.selection.options.<id>".

    Note that the name is converted to lowercase and underscores "_" are replaced by a hyphen "-", e.g. the resource key for AIRLOCK_2FA would be "protected.self-service.selection.options.airlock-2fa".

    Attributes
    String
    Mandatory
    Steps (steps)
    Description
    Steps of this subflow.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Abort Step Account Link Linking Initiation Step Account Link Removal Initiation Step Acknowledge Message Step Airlock 2FA Activation Step Airlock 2FA Activation Trusted Session Binding Step Airlock 2FA Delete Devices Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Edit Initiation Step Airlock 2FA Device Edit Step Airlock 2FA Recovery Trusted Session Binding Step Airlock 2FA Self-Service Approval Step Apply Changes Step Cronto Activation Step Cronto Device Reset Step Config Cronto Device Selection Step Cronto Letter Order Step Config Cronto Self-Service Approval Step CrontoSign Swiss Push Activation Step Delete Cronto Device Initiation Step Delete FIDO Credential Initiation Step Delete OAuth 2.0 Session Initiation Step Delete Remember-Me Device Initiation Step Delete mTAN Number Initiation Step Device Token Registration Step Disable Cronto Device Initiation Step Disable Cronto Push Initiation Step Disable FIDO Credential Initiation Step Email Change Verification Step Email Notification Step Enable Cronto Device Initiation Step Enable Cronto Push Initiation Step Enable FIDO Credential Initiation Step FIDO Credential Display Name Change Step FIDO Credential Selection Step FIDO Registration Step FIDO Self-Service Approval Step Failure Step Lock Self-Service Step Matrix Self-Service Approval Step No Operation Step OATH OTP Activation Step OAuth 2.0 Consent Deny Initiation Step OAuth 2.0 Consent Grant Initiation Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Session Reset Step Password Change Self-Service Step Remember-Me Reset Step Rename Cronto Device Step SSI Issuance Step Scriptable Step Select mTAN Token Step Selection Step for Self-Service Set Context Data Step Start User Representation Step Stop User Representation Step Tag Removal Step Config User Data Edit Step Vasco OTP Device Activation Vasco OTP Self-Service Approval Step mTAN Self-Service Approval Step mTAN Token Edit Step mTAN Token Registration Step mTAN Verification Step
    Condition (condition)
    Description
    Defines the condition under which this option can be selected.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.selection.SelectionOptionConfigForSelfServiceFlows
    id: SelectionOptionConfigForSelfServiceFlows-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      name:
      steps:
    

    Selection Option For User Self-Registration

    Description
    Configuration of a selectable subflow.
    Class
    com.airlock.iam.userselfreg.application.configuration.selection.SelectionOptionConfigForUserSelfRegFlows
    May be used by
    Properties
    Name (name)
    Description

    Name of this option.

    This name appears in the list of available options (POST /<loginapp-uri>/rest/public/user-self-registration/selection/options/retrieve) and is used as the "id" parameter to select an option (POST /<loginapp-uri>/rest/public/user-self-registration/selection/options/<id>/select).

    The name is also used in the UI (single-page application) as "id" of the options string resource key "registration.selection.options.<id>".

    Note that the name is converted to lowercase and underscores "_" are replaced by a hyphen "-", e.g. the resource key for AIRLOCK_2FA would be "registration.selection.options.airlock-2fa".

    Attributes
    String
    Mandatory
    Condition (condition)
    Description
    Defines the condition under which this option can be selected.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.selection.SelectionOptionConfigForUserSelfRegFlows
    id: SelectionOptionConfigForUserSelfRegFlows-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      name:
      steps:
    

    Selection Password Repository

    Description
    A password repository plugin that selects a password repository based on a configurable condition. The first fulfilled condition defines the password repository plugin to use. If none matches, the default password repository is used.
    Class
    com.airlock.iam.authentication.application.configuration.password.repository.SelectionPasswordRepositoryConfig
    May be used by
    Properties
    Password Repository Mappings (passwordRepositoryMappings)
    Description
    Mappings between conditions and password repository plugins.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Default Password Repository (defaultPasswordRepository)
    Description
    The default password repository plugin that will be used when none of the configured conditions is fulfilled.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.password.repository.SelectionPasswordRepositoryConfig
    id: SelectionPasswordRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultPasswordRepository:
      passwordRepositoryMappings:
    

    Selection Password Repository (Request Authentication)

    Description
    A password repository that selects a password repository based on the user ID (after transformation) of the authenticating user. The first matching pattern defines the password repository to use. If none matches, the default password repository is used.
    Class
    com.airlock.iam.common.application.configuration.credential.RequestAuthenticationSelectionPasswordRepositoryConfig
    May be used by
    Properties
    Repository Mappings (repositoryMappings)
    Description
    Mappings between user ID patterns and password repositories.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Default Repository (defaultRepository)
    Description
    The default password repository that will be used when the user ID matches none of the patterns.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.credential.RequestAuthenticationSelectionPasswordRepositoryConfig
    id: RequestAuthenticationSelectionPasswordRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultRepository:
      repositoryMappings:
    

    Selection Step

    Description
    Selection between different subflows depending on configurable options.
    Class
    com.airlock.iam.flow.shared.application.configuration.selection.SelectionStepConfig
    May be used by
    Properties
    Available Options (availableOptions)
    Description
    All available options for this selection. For each option, a condition can be configured that determines whether it is available in a specific situation and for a particular user. If no option is available and a "Fallback Flow" is configured, the fallback flow is executed; otherwise the step fails. If exactly one option is available, it can be selected automatically (see the "Auto Select Only Option" flag). If more than one option is available, the user is asked to select one interactively.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Auto Select Only Option (autoSelectOnlyOption)
    Description
    If only one option is available, it is selected automatically. Disable this setting to always present a choice to the user, even if there is only one option.
    Attributes
    Boolean
    Optional
    Default value
    true
    Fallback Flow (fallbackFlow)
    Description
    Fallback flow that is executed if none of the other options are available. If no fallback flow is configured and no option is fulfilled, the selection fails. To do nothing as a fallback, a flow with a "No Operation Step" can be configured.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Abort Step Account Link Linking Initiation Step Account Link Removal Initiation Step Acknowledge Message Step Airlock 2FA Activation Letter Order Step Airlock 2FA Activation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Trusted Session Binding Step Airlock 2FA Authentication Step Airlock 2FA Delete Devices Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Edit Initiation Step Airlock 2FA Device Edit Step Airlock 2FA Mobile Only Authentication Step Airlock 2FA Public Self-Service Approval Step Airlock 2FA Recovery Trusted Session Binding Step Airlock 2FA Self-Service Approval Step Airlock 2FA Transaction Approval Step Airlock 2FA Usernameless Authentication Step Apply Changes Step Certificate Credential Extraction Step Config Complete Migration Step Cronto Activation Step Cronto Approval Stealth Step Cronto Authentication Step Cronto Device Reset Step Config Cronto Device Selection Step Cronto Letter Order Step Config Cronto Public Self-Service Approval Step Cronto Self-Service Approval Step Cronto Transaction Approval Step CrontoSign Swiss Push Activation Step Delete Cronto Device Initiation Step Delete FIDO Credential Initiation Step Delete OAuth 2.0 Session Initiation Step Delete Remember-Me Device Initiation Step Delete mTAN Number Initiation Step Device Token Authentication Step Device Token Identity Verification Step Config Device Token Registration Step Disable Cronto Device Initiation Step Disable Cronto Push Initiation Step Disable FIDO Credential Initiation Step Email Change Verification Step Email Identity Verification Step Email Notification Step Email OTP Authentication Step Email OTP Transaction Approval Step Email Verification Step Enable Cronto Device Initiation Step Enable Cronto Push Initiation Step Enable FIDO Credential Initiation Step FIDO Authentication Step FIDO Credential Display Name Change Step FIDO Credential Selection Step FIDO Passwordless Authentication Step FIDO Public Self-Service Approval Step FIDO Registration Step FIDO Self-Service Approval Step Failure Step Flow Continuation Step Flow Continuation Token Consumption Step HTTP Basic Authentication Step Kerberos Authentication Step Legacy Email OTP Authentication Step Lock Self-Service Step Login From New Device Step Mandatory Password Change Step Config Matrix Authentication Step Matrix Public Self-Service Approval Step Matrix Self-Service Approval Step Migration Selection Step Missing Account Link Step Never Migrate Step No Operation Step OATH OTP Activation Step OATH OTP Authentication Step OAuth 2.0 Client Persisting Step OAuth 2.0 Client Registration Step OAuth 2.0 Consent Deny Initiation Step OAuth 2.0 Consent Grant Initiation Step OAuth 2.0 Consent Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 SSO Step OAuth 2.0 Session Reset Step OTP Check via RADIUS Step Password Change Self-Service Step Password Letter Order Step (Public Self-Service) Password Reset Step Password-only Authentication Step Phone Number Verification Step Red Flag Raising Step Config Remember-Me Reset Step Remember-Me Token Generating Step Remember-Me User Identifying Step Rename Cronto Device Step Representation SSO Ticket Identifying Step Risk Assessment Step Role-based Tag Acquisition Step SAML 2.0 SP User Identifying Step SMS Identity Verification Step SSI Authentication Step SSI Issuance Step SSI Passwordless Authentication Step SSI Verification Step SSO Ticket Authentication Step Scriptable Step Secret Questions Identity Verification Step Secret Questions Provisioning Step Select mTAN Token Step Selection Step Selection Step for Public Self-Service Selection Step for Self-Service Selection Step for User Self-Registration Send Email Link Step Set Authentication Method Migration Step Set Authentication Method Step Set Context Data Step Set Password Step Config Start User Representation Step Stop User Representation Step Tag Removal Step Config Terms Of Services Step Transaction Approval Parameter Step Unlock User Step (Public Self-Service) User Data Edit Step User Data Registration Step Config User Identification By Data Step User Identification By Data Step (Public Self-Service) User Identification Step User Identification Step (Public Self-Service) User Persisting Step Config User Role Assignment Step Config User Unlock Step (Self-Registration) Username Generation Step Config Username Password Authentication Step Vasco OTP Authentication Step Vasco OTP Device Activation Vasco OTP Public Self-Service Approval Step Vasco OTP Self-Service Approval Step Voluntary Password Change Step mTAN Authentication Step mTAN Public Self-Service Approval Step mTAN Self-Service Approval Step mTAN Token Edit Step mTAN Token Registration Step mTAN Transaction Approval Step mTAN Verification Step
    Last Selection Repository (lastSelectionRepository)
    Description
    A repository that persists the last selection for this step. If this repository is configured, a step ID is mandatory because the selection is identified by the step ID, among other things. This also means that the last selection is lost if the step ID is altered.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable goto targets. These are steps to which the user can choose to jump while this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.selection.SelectionStepConfig
    id: SelectionStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      autoSelectOnlyOption: true
      availableOptions:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      fallbackFlow:
      interactiveGotoTargets:
      lastSelectionRepository:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
    

    Selection Step for Public Self-Service

    Description

    Selection between different subflows depending on configurable options.

    Note that most selection conditions can only work once the user's identity is verified to exist, i.e. after an identity verification step has successfully been completed.

    Class
    com.airlock.iam.publicselfservice.application.configuration.steps.SelectionStepConfigForPublicSelfServiceFlows
    May be used by
    Properties
    Available Options (availableOptions)
    Description
    All available options for this selection. For each option, a condition can be configured that determines whether it is available in a specific situation and for a particular user. If no option is available and a "Fallback Flow" is configured, the fallback flow is executed; otherwise the step fails. If exactly one option is available, it can be selected automatically (see the "Auto Select Only Option" flag). If more than one option is available, the user is asked to select one interactively.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Auto Select Only Option (autoSelectOnlyOption)
    Description
    If only one option is available, it is selected automatically. Disable this setting to always present a choice to the user, even if there is only one option.
    Attributes
    Boolean
    Optional
    Default value
    true
    Fallback Flow (fallbackFlow)
    Description
    Fallback flow that is executed if none of the other options are available. If no fallback flow is configured and no option is fulfilled, the selection fails. To do nothing as a fallback, a flow with a "No Operation Step" can be configured.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Abort Step Account Link Linking Initiation Step Account Link Removal Initiation Step Acknowledge Message Step Airlock 2FA Activation Letter Order Step Airlock 2FA Activation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Trusted Session Binding Step Airlock 2FA Authentication Step Airlock 2FA Delete Devices Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Edit Initiation Step Airlock 2FA Device Edit Step Airlock 2FA Mobile Only Authentication Step Airlock 2FA Public Self-Service Approval Step Airlock 2FA Recovery Trusted Session Binding Step Airlock 2FA Self-Service Approval Step Airlock 2FA Transaction Approval Step Airlock 2FA Usernameless Authentication Step Apply Changes Step Certificate Credential Extraction Step Config Complete Migration Step Cronto Activation Step Cronto Approval Stealth Step Cronto Authentication Step Cronto Device Reset Step Config Cronto Device Selection Step Cronto Letter Order Step Config Cronto Public Self-Service Approval Step Cronto Self-Service Approval Step Cronto Transaction Approval Step CrontoSign Swiss Push Activation Step Delete Cronto Device Initiation Step Delete FIDO Credential Initiation Step Delete OAuth 2.0 Session Initiation Step Delete Remember-Me Device Initiation Step Delete mTAN Number Initiation Step Device Token Authentication Step Device Token Identity Verification Step Config Device Token Registration Step Disable Cronto Device Initiation Step Disable Cronto Push Initiation Step Disable FIDO Credential Initiation Step Email Change Verification Step Email Identity Verification Step Email Notification Step Email OTP Authentication Step Email OTP Transaction Approval Step Email Verification Step Enable Cronto Device Initiation Step Enable Cronto Push Initiation Step Enable FIDO Credential Initiation Step FIDO Authentication Step FIDO Credential Display Name Change Step FIDO Credential Selection Step FIDO Passwordless Authentication Step FIDO Public Self-Service Approval Step FIDO Registration Step FIDO Self-Service Approval Step Failure Step Flow Continuation Step Flow Continuation Token Consumption Step HTTP Basic Authentication Step Kerberos Authentication Step Legacy Email OTP Authentication Step Lock Self-Service Step Login From New Device Step Mandatory Password Change Step Config Matrix Authentication Step Matrix Public Self-Service Approval Step Matrix Self-Service Approval Step Migration Selection Step Missing Account Link Step Never Migrate Step No Operation Step OATH OTP Activation Step OATH OTP Authentication Step OAuth 2.0 Client Persisting Step OAuth 2.0 Client Registration Step OAuth 2.0 Consent Deny Initiation Step OAuth 2.0 Consent Grant Initiation Step OAuth 2.0 Consent Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 SSO Step OAuth 2.0 Session Reset Step OTP Check via RADIUS Step Password Change Self-Service Step Password Letter Order Step (Public Self-Service) Password Reset Step Password-only Authentication Step Phone Number Verification Step Red Flag Raising Step Config Remember-Me Reset Step Remember-Me Token Generating Step Remember-Me User Identifying Step Rename Cronto Device Step Representation SSO Ticket Identifying Step Risk Assessment Step Role-based Tag Acquisition Step SAML 2.0 SP User Identifying Step SMS Identity Verification Step SSI Authentication Step SSI Issuance Step SSI Passwordless Authentication Step SSI Verification Step SSO Ticket Authentication Step Scriptable Step Secret Questions Identity Verification Step Secret Questions Provisioning Step Select mTAN Token Step Selection Step Selection Step for Public Self-Service Selection Step for Self-Service Selection Step for User Self-Registration Send Email Link Step Set Authentication Method Migration Step Set Authentication Method Step Set Context Data Step Set Password Step Config Start User Representation Step Stop User Representation Step Tag Removal Step Config Terms Of Services Step Transaction Approval Parameter Step Unlock User Step (Public Self-Service) User Data Edit Step User Data Registration Step Config User Identification By Data Step User Identification By Data Step (Public Self-Service) User Identification Step User Identification Step (Public Self-Service) User Persisting Step Config User Role Assignment Step Config User Unlock Step (Self-Registration) Username Generation Step Config Username Password Authentication Step Vasco OTP Authentication Step Vasco OTP Device Activation Vasco OTP Public Self-Service Approval Step Vasco OTP Self-Service Approval Step Voluntary Password Change Step mTAN Authentication Step mTAN Public Self-Service Approval Step mTAN Self-Service Approval Step mTAN Token Edit Step mTAN Token Registration Step mTAN Transaction Approval Step mTAN Verification Step
    Last Selection Repository (lastSelectionRepository)
    Description
    A repository that persists the last selection for this step. If this repository is configured, a step ID is mandatory because the selection is identified by the step ID, among other things. This also means that the last selection is lost if the step ID is altered.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable goto targets. These are steps to which the user can choose to jump while this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.steps.SelectionStepConfigForPublicSelfServiceFlows
    id: SelectionStepConfigForPublicSelfServiceFlows-xxxxxx
    displayName: 
    comment: 
    properties:
      autoSelectOnlyOption: true
      availableOptions:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      fallbackFlow:
      interactiveGotoTargets:
      lastSelectionRepository:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
    

    Selection Step for Self-Service

    Description
    Selection between different subflows depending on configurable options.
    Class
    com.airlock.iam.selfservice.application.configuration.step.SelectionStepConfigForSelfServiceFlows
    May be used by
    Properties
    Available Options (availableOptions)
    Description
    All available options for this selection. For each option, a condition can be configured that determines whether it is available in a specific situation and for a particular user. If no option is available and a "Fallback Flow" is configured, the fallback flow is executed; otherwise the step fails. If exactly one option is available, it can be selected automatically (see the "Auto Select Only Option" flag). If more than one option is available, the user is asked to select one interactively.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Auto Select Only Option (autoSelectOnlyOption)
    Description
    If only one option is available, it is selected automatically. Disable this setting to always present a choice to the user, even if there is only one option.
    Attributes
    Boolean
    Optional
    Default value
    true
    Fallback Flow (fallbackFlow)
    Description
    Fallback flow that is executed if none of the other options are available. If no fallback flow is configured and no option is fulfilled, the selection fails. To do nothing as a fallback, a flow with a "No Operation Step" can be configured.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Abort Step
    Account Link Linking Initiation Step
    Account Link Removal Initiation Step
    Acknowledge Message Step
    Airlock 2FA Activation Letter Order Step
    Airlock 2FA Activation Step
    Airlock 2FA Activation Step (with additional Activation)
    Airlock 2FA Activation Trusted Session Binding Step
    Airlock 2FA Authentication Step
    Airlock 2FA Delete Devices Step
    Airlock 2FA Device Delete Initiation Step
    Airlock 2FA Device Edit Initiation Step
    Airlock 2FA Device Edit Step
    Airlock 2FA Mobile Only Authentication Step
    Airlock 2FA Public Self-Service Approval Step
    Airlock 2FA Recovery Trusted Session Binding Step
    Airlock 2FA Self-Service Approval Step
    Airlock 2FA Transaction Approval Step
    Airlock 2FA Usernameless Authentication Step
    Apply Changes Step
    Certificate Credential Extraction Step Config
    Complete Migration Step
    Cronto Activation Step
    Cronto Approval Stealth Step
    Cronto Authentication Step
    Cronto Device Reset Step Config
    Cronto Device Selection Step
    Cronto Letter Order Step Config
    Cronto Public Self-Service Approval Step
    Cronto Self-Service Approval Step
    Cronto Transaction Approval Step
    CrontoSign Swiss Push Activation Step
    Delete Cronto Device Initiation Step
    Delete FIDO Credential Initiation Step
    Delete OAuth 2.0 Session Initiation Step
    Delete Remember-Me Device Initiation Step
    Delete mTAN Number Initiation Step
    Device Token Authentication Step
    Device Token Identity Verification Step Config
    Device Token Registration Step
    Disable Cronto Device Initiation Step
    Disable Cronto Push Initiation Step
    Disable FIDO Credential Initiation Step
    Email Change Verification Step
    Email Identity Verification Step
    Email Notification Step
    Email OTP Authentication Step
    Email OTP Transaction Approval Step
    Email Verification Step
    Enable Cronto Device Initiation Step
    Enable Cronto Push Initiation Step
    Enable FIDO Credential Initiation Step
    FIDO Authentication Step
    FIDO Credential Display Name Change Step
    FIDO Credential Selection Step
    FIDO Passwordless Authentication Step
    FIDO Public Self-Service Approval Step
    FIDO Registration Step
    FIDO Self-Service Approval Step
    Failure Step
    Flow Continuation Step
    Flow Continuation Token Consumption Step
    HTTP Basic Authentication Step
    Kerberos Authentication Step
    Legacy Email OTP Authentication Step
    Lock Self-Service Step
    Login From New Device Step
    Mandatory Password Change Step Config
    Matrix Authentication Step
    Matrix Public Self-Service Approval Step
    Matrix Self-Service Approval Step
    Migration Selection Step
    Missing Account Link Step
    Never Migrate Step
    No Operation Step
    OATH OTP Activation Step
    OATH OTP Authentication Step
    OAuth 2.0 Client Persisting Step
    OAuth 2.0 Client Registration Step
    OAuth 2.0 Consent Deny Initiation Step
    OAuth 2.0 Consent Grant Initiation Step
    OAuth 2.0 Consent Step
    OAuth 2.0 Consents Delete Initiation Step
    OAuth 2.0 SSO Step
    OAuth 2.0 Session Reset Step
    OTP Check via RADIUS Step
    Password Change Self-Service Step
    Password Letter Order Step (Public Self-Service)
    Password Reset Step
    Password-only Authentication Step
    Phone Number Verification Step
    Red Flag Raising Step Config
    Remember-Me Reset Step
    Remember-Me Token Generating Step
    Remember-Me User Identifying Step
    Rename Cronto Device Step
    Representation SSO Ticket Identifying Step
    Risk Assessment Step
    Role-based Tag Acquisition Step
    SAML 2.0 SP User Identifying Step
    SMS Identity Verification Step
    SSI Authentication Step
    SSI Issuance Step
    SSI Passwordless Authentication Step
    SSI Verification Step
    SSO Ticket Authentication Step
    Scriptable Step
    Secret Questions Identity Verification Step
    Secret Questions Provisioning Step
    Select mTAN Token Step
    Selection Step
    Selection Step for Public Self-Service
    Selection Step for Self-Service
    Selection Step for User Self-Registration
    Send Email Link Step
    Set Authentication Method Migration Step
    Set Authentication Method Step
    Set Context Data Step
    Set Password Step Config
    Start User Representation Step
    Stop User Representation Step
    Tag Removal Step Config
    Terms Of Services Step
    Transaction Approval Parameter Step
    Unlock User Step (Public Self-Service)
    User Data Edit Step
    User Data Registration Step Config
    User Identification By Data Step
    User Identification By Data Step (Public Self-Service)
    User Identification Step
    User Identification Step (Public Self-Service)
    User Persisting Step Config
    User Role Assignment Step Config
    User Unlock Step (Self-Registration)
    Username Generation Step Config
    Username Password Authentication Step
    Vasco OTP Authentication Step
    Vasco OTP Device Activation
    Vasco OTP Public Self-Service Approval Step
    Vasco OTP Self-Service Approval Step
    Voluntary Password Change Step
    mTAN Authentication Step
    mTAN Public Self-Service Approval Step
    mTAN Self-Service Approval Step
    mTAN Token Edit Step
    mTAN Token Registration Step
    mTAN Transaction Approval Step
    mTAN Verification Step
    Last Selection Repository (lastSelectionRepository)
    Description
    A repository which persists the last selection for this step. If this repository is configured, a step ID is mandatory as the selection is identified by the step ID among other things. This also means, that the last selection is lost if the step ID is altered.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.SelectionStepConfigForSelfServiceFlows
    id: SelectionStepConfigForSelfServiceFlows-xxxxxx
    displayName: 
    comment: 
    properties:
      autoSelectOnlyOption: true
      availableOptions:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      fallbackFlow:
      interactiveGotoTargets:
      lastSelectionRepository:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
    

    Selection Step for User Self-Registration

    Description
    Selection between different subflows depending on configurable options.
    Class
    com.airlock.iam.userselfreg.application.configuration.step.SelectionStepConfigForUserSelfRegFlows
    May be used by
    License-Tags
    SelfRegistration
    Properties
    Available Options (availableOptions)
    Description
    All available options for this selection. For each option, a condition can be configured that determines whether it is available in a specific situation and for a particular user. If no option is available and a "Fallback Flow" is configured, the fallback flow is executed; otherwise the step fails. If exactly one option is available, it can be selected automatically (see the "Auto Select Only Option" flag). If more than one option is available, the user is asked to interactively select one.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Auto Select Only Option (autoSelectOnlyOption)
    Description
    If only one option is available, it is selected automatically. Disable this setting to always present a choice to the user, even if there is only one option.
    Attributes
    Boolean
    Optional
    Default value
    true
    Fallback Flow (fallbackFlow)
    Description
    Fallback flow that is executed if none of the other options are available. If no fallback flow is configured and no option is fulfilled, the selection fails. To do nothing as a fallback, a flow with a "No Operation Step" can be configured.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Abort Step
    Account Link Linking Initiation Step
    Account Link Removal Initiation Step
    Acknowledge Message Step
    Airlock 2FA Activation Letter Order Step
    Airlock 2FA Activation Step
    Airlock 2FA Activation Step (with additional Activation)
    Airlock 2FA Activation Trusted Session Binding Step
    Airlock 2FA Authentication Step
    Airlock 2FA Delete Devices Step
    Airlock 2FA Device Delete Initiation Step
    Airlock 2FA Device Edit Initiation Step
    Airlock 2FA Device Edit Step
    Airlock 2FA Mobile Only Authentication Step
    Airlock 2FA Public Self-Service Approval Step
    Airlock 2FA Recovery Trusted Session Binding Step
    Airlock 2FA Self-Service Approval Step
    Airlock 2FA Transaction Approval Step
    Airlock 2FA Usernameless Authentication Step
    Apply Changes Step
    Certificate Credential Extraction Step Config
    Complete Migration Step
    Cronto Activation Step
    Cronto Approval Stealth Step
    Cronto Authentication Step
    Cronto Device Reset Step Config
    Cronto Device Selection Step
    Cronto Letter Order Step Config
    Cronto Public Self-Service Approval Step
    Cronto Self-Service Approval Step
    Cronto Transaction Approval Step
    CrontoSign Swiss Push Activation Step
    Delete Cronto Device Initiation Step
    Delete FIDO Credential Initiation Step
    Delete OAuth 2.0 Session Initiation Step
    Delete Remember-Me Device Initiation Step
    Delete mTAN Number Initiation Step
    Device Token Authentication Step
    Device Token Identity Verification Step Config
    Device Token Registration Step
    Disable Cronto Device Initiation Step
    Disable Cronto Push Initiation Step
    Disable FIDO Credential Initiation Step
    Email Change Verification Step
    Email Identity Verification Step
    Email Notification Step
    Email OTP Authentication Step
    Email OTP Transaction Approval Step
    Email Verification Step
    Enable Cronto Device Initiation Step
    Enable Cronto Push Initiation Step
    Enable FIDO Credential Initiation Step
    FIDO Authentication Step
    FIDO Credential Display Name Change Step
    FIDO Credential Selection Step
    FIDO Passwordless Authentication Step
    FIDO Public Self-Service Approval Step
    FIDO Registration Step
    FIDO Self-Service Approval Step
    Failure Step
    Flow Continuation Step
    Flow Continuation Token Consumption Step
    HTTP Basic Authentication Step
    Kerberos Authentication Step
    Legacy Email OTP Authentication Step
    Lock Self-Service Step
    Login From New Device Step
    Mandatory Password Change Step Config
    Matrix Authentication Step
    Matrix Public Self-Service Approval Step
    Matrix Self-Service Approval Step
    Migration Selection Step
    Missing Account Link Step
    Never Migrate Step
    No Operation Step
    OATH OTP Activation Step
    OATH OTP Authentication Step
    OAuth 2.0 Client Persisting Step
    OAuth 2.0 Client Registration Step
    OAuth 2.0 Consent Deny Initiation Step
    OAuth 2.0 Consent Grant Initiation Step
    OAuth 2.0 Consent Step
    OAuth 2.0 Consents Delete Initiation Step
    OAuth 2.0 SSO Step
    OAuth 2.0 Session Reset Step
    OTP Check via RADIUS Step
    Password Change Self-Service Step
    Password Letter Order Step (Public Self-Service)
    Password Reset Step
    Password-only Authentication Step
    Phone Number Verification Step
    Red Flag Raising Step Config
    Remember-Me Reset Step
    Remember-Me Token Generating Step
    Remember-Me User Identifying Step
    Rename Cronto Device Step
    Representation SSO Ticket Identifying Step
    Risk Assessment Step
    Role-based Tag Acquisition Step
    SAML 2.0 SP User Identifying Step
    SMS Identity Verification Step
    SSI Authentication Step
    SSI Issuance Step
    SSI Passwordless Authentication Step
    SSI Verification Step
    SSO Ticket Authentication Step
    Scriptable Step
    Secret Questions Identity Verification Step
    Secret Questions Provisioning Step
    Select mTAN Token Step
    Selection Step
    Selection Step for Public Self-Service
    Selection Step for Self-Service
    Selection Step for User Self-Registration
    Send Email Link Step
    Set Authentication Method Migration Step
    Set Authentication Method Step
    Set Context Data Step
    Set Password Step Config
    Start User Representation Step
    Stop User Representation Step
    Tag Removal Step Config
    Terms Of Services Step
    Transaction Approval Parameter Step
    Unlock User Step (Public Self-Service)
    User Data Edit Step
    User Data Registration Step Config
    User Identification By Data Step
    User Identification By Data Step (Public Self-Service)
    User Identification Step
    User Identification Step (Public Self-Service)
    User Persisting Step Config
    User Role Assignment Step Config
    User Unlock Step (Self-Registration)
    Username Generation Step Config
    Username Password Authentication Step
    Vasco OTP Authentication Step
    Vasco OTP Device Activation
    Vasco OTP Public Self-Service Approval Step
    Vasco OTP Self-Service Approval Step
    Voluntary Password Change Step
    mTAN Authentication Step
    mTAN Public Self-Service Approval Step
    mTAN Self-Service Approval Step
    mTAN Token Edit Step
    mTAN Token Registration Step
    mTAN Transaction Approval Step
    mTAN Verification Step
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.step.SelectionStepConfigForUserSelfRegFlows
    id: SelectionStepConfigForUserSelfRegFlows-xxxxxx
    displayName: 
    comment: 
    properties:
      autoSelectOnlyOption: true
      availableOptions:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      fallbackFlow:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
    

    Self Reg Users Clean Up Task

    Description
    Server task that checks all self-registered users and deletes unused accounts. This prevents the database from being filled with inactive self-registered users. Self-registered users that have never logged in are deleted after a configurable number of minutes. If they have logged in at least once, this task will never delete them.
    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.SelfRegUsersCleanUpTask
    May be used by
    License-Tags
    SelfRegistration
    Properties
    User Persister (userPersister)
    Description
    User persister plugin used to read and modify user account data.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    User Iterator (userIterator)
    Description
    The user iterator plugin used to iterate over all users.
    Usually this is the same as the UserPersister.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Never Logged In Minutes (neverLoggedInMinutes)
    Description
    Number of minutes after registration. Once this time has elapsed without the user having logged in, the action is executed.
    Attributes
    Integer
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.SelfRegUsersCleanUpTask
    id: SelfRegUsersCleanUpTask-xxxxxx
    displayName: 
    comment: 
    properties:
      neverLoggedInMinutes:
      userIterator:
      userPersister:
    

    Self Reg Users Reminder Task

    Description
    Server task that checks all self-registered users and sends a reminder email to those that have not logged in within a configurable number of minutes after registration.
    Class
    com.airlock.iam.servicecontainer.app.application.configuration.task.SelfRegUsersReminderTask
    May be used by
    License-Tags
    SelfRegistration
    Properties
    Email Service (emailService)
    Description
    Email service through which the emails are sent if the user has never logged in. This property is mandatory if "Never Logged In Minutes" is configured.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Email Property Name (emailPropertyName)
    Description

    Name of the context data field that contains the user's email address. Used to send an email if the user has never logged in.

    Attributes
    String
    Optional
    Default value
    email
    Example
    email
    Example
    new_email
    Already Sent Property Name (alreadySentPropertyName)
    Description

    Name of the context data field where it is remembered that a reminder email has been sent already. If this is not configured, an email will be sent every time the task is executed. Make sure to also configure this field in the user persister.

    Attributes
    String
    Optional
    Example
    activity_reminder_sent
    Language Property Name (languagePropertyName)
    Description

    Name of the context data field that contains the user language. Used when sending a reminder email if the user has never logged in.

    Attributes
    String
    Optional
    Default value
    language
    Example
    language
    Default Language (defaultLanguage)
    Description

    Default language to be used if none is defined for the user.

    Attributes
    String
    Optional
    Default value
    de
    Example
    de
    Example
    fr
    Example
    en
    Not Logged In Reminder Email Subject Key (notLoggedInReminderEmailSubjectKey)
    Description
    Resource key for the email subject. Used when sending an email if the user has never logged in.
    Attributes
    String
    Optional
    Default value
    selfregistration.reminder-email-subject
    Example
    selfregistration.reminder-email-subject
    Example
    selfregistration.not-logged-in-reminder-email-subject
    Not Logged In Reminder Email Body Key (notLoggedInReminderEmailBodyKey)
    Description
    Resource key for the email body (the message). Used when sending an email if the user has never logged in.
    Attributes
    String
    Optional
    Default value
    selfregistration.reminder-email-body
    Example
    selfregistration.reminder-email-body
    Example
    selfregistration.not-logged-in-reminder-email-body
    Resources File Prefix (resourcesFilePrefix)
    Description
    Language dependent string resources (e.g. texts for email subject and body) are located in property files. This setting configures the prefix of these property files. Used when sending an email if the user has never logged in.

    Example: If the value of this property is strings, the language dependent files must be "strings_de.properties", "strings_en.properties" and so on and the default file must be "strings.properties".

    Attributes
    String
    Optional
    Default value
    strings
    User Persister (userPersister)
    Description
    User persister plugin used to read and modify user account data.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    User Iterator (userIterator)
    Description
    The user iterator plugin used to iterate over all users.
    Usually this is the same as the UserPersister.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Never Logged In Minutes (neverLoggedInMinutes)
    Description
    Number of minutes after registration. Once this time has elapsed without the user having logged in, the action is executed.
    Attributes
    Integer
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.SelfRegUsersReminderTask
    id: SelfRegUsersReminderTask-xxxxxx
    displayName: 
    comment: 
    properties:
      alreadySentPropertyName:
      defaultLanguage: de
      emailPropertyName: email
      emailService:
      languagePropertyName: language
      neverLoggedInMinutes:
      notLoggedInReminderEmailBodyKey: selfregistration.reminder-email-body
      notLoggedInReminderEmailSubjectKey: selfregistration.reminder-email-subject
      resourcesFilePrefix: strings
      userIterator:
      userPersister:
    

    Self-Service Flow Redirect

    Description
    Redirects to a self-service flow.
    Class
    com.airlock.iam.selfservice.application.configuration.ui.SelfServiceFlowRedirectTargetConfig
    May be used by
    Properties
    Flow ID (flowId)
    Description
    ID of the self-service flow to which a redirect should be performed. Make sure that a UI is configured for this flow.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.ui.SelfServiceFlowRedirectTargetConfig
    id: SelfServiceFlowRedirectTargetConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      flowId:
    

    Send Email Link Step

    Description

    Flow step that sends an email with a link to the current user. This link allows the user to perform further steps in a specified public self-service flow. Because the link contains an unguessable token, no further identity verification is necessary in the target flow.

    Typical use-cases:

    • Password reset with identity verification using email link: Flow 1: public self-service flow with user identification step, followed by email link step. Flow 2: flow continuation step followed by password reset step.
    • Email address verification after self-registration: Flow 1: user self-registration flow that locks the user, with the email link step at the end of the flow. Flow 2: flow continuation step followed by unlock step.

    Class
    com.airlock.iam.flow.shared.application.configuration.continuation.SendEmailLinkStepConfig
    May be used by
    Properties
    Target Flow ID (targetFlowId)
    Description
    Flow ID of the public self-service flow where the token is verified and the user can perform further steps. The target flow must start with a "Flow Continuation Step" that interprets the token.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Email Service (emailService)
    Description
    Email service for sending emails.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Subject Resource Key (subjectResourceKey)
    Description
    Resource key to select the localized template to generate the subject line. The localized template can contain variables (e.g. ${town}). All variables are defined by the Value Providers configured below.
    Attributes
    String
    Mandatory
    Example
    public-self-service.email.link.subject
    Example
    password-reset.email.link.subject
    Body Resource Key (bodyResourceKey)
    Description
    Resource key to select the localized template to generate the email body. The localized template can contain variables (e.g. ${town}). The template must contain the variable "${LINK}" which will be replaced by the continuation link. All other variables are defined by the Value Providers configured below.
    Attributes
    String
    Mandatory
    Example
    public-self-service.email.link.body
    Example
    password-reset.email.link.body
    Repository (repository)
    Description
    Configures the repository to store flow continuation data.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Continuation URL (continuationUrl)
    Description
    Absolute URL that handles flow continuation links. If left empty, the IAM Loginapp UI URL is used. Otherwise, a custom URL can be configured with the use of the following parameters that will be replaced when the link is generated:
    • ${token} - the random continuation token
    • ${flowId} - the ID of the target flow to continue
    • ${language} - the current language used in the flow
    Attributes
    String
    Optional
    Example
    https://myhost.com/auth/ui/app/self-service/select/flow/${flowId}?lang=${language}&token=${token}
    Example
    https://myhost.com/continue/flow/${flowId}?lang=${language}&token=${token}
    Value Providers (valueProviders)
    Description

    List of value map providers that are used to replace the variables in the localized template. The value providers are called in the configured order and their values are added to a map. Later providers can overwrite values from earlier providers. If no value providers are configured, the localized template should not contain any variables, since all of them would be replaced by empty strings. The link to continue the process is always added as ${TOKEN} and doesn't have to be configured here.

    Security Warning: If e-mails are sent as HTML, make sure to properly escape values originating from untrusted sources (such as user input during self-registration). This can be achieved by enabling the property 'Escape Values in HTML'.

    If a more fine-grained control is required, use a 'Transforming Value Map Provider' with an 'HTML String Escaper' to transform all values of the map. (Alternatively, if you want to transform only individual values of a map, use a 'Value Provider Map' with 'Transforming String Value Providers'.)

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Send As HTML (sendAsHtml)
    Description

    If enabled, the verification email will be sent as an HTML mail. Otherwise it will be sent as plain text.

    Security Warning: If e-mails are sent as HTML, make sure to properly escape values originating from untrusted sources (such as user input during self-registration). This can be achieved by enabling the property 'Escape Values in HTML'.

    If a more fine-grained control is required, use a 'Transforming Value Map Provider' with an 'HTML String Escaper' to transform all values of the map. (Alternatively, if you want to transform only individual values of a map, use a 'Value Provider Map' with 'Transforming String Value Providers'.)

    Attributes
    Boolean
    Optional
    Default value
    false
    Token Validity (tokenValidity)
    Description
    Determines how long the generated token (and thus the link) is valid.

    The duration must be specified in the format "2d 4h 10m 5s" (any part can be omitted).

    Attributes
    String
    Optional
    Default value
    24h
    Example
    10d
    Example
    8h
    Example
    2d 12h
    Store Forward URL (storeForwardUrl)
    Description
    If enabled, the forward URL (if available) is stored together with the token information and will be used after the target flow is completed to redirect the user.
    Attributes
    Boolean
    Optional
    Default value
    true
    Escape Values in HTML (escapeHtmlValues)
    Description

    HTML-escape all provided values if the property "Send As HTML" is enabled.

    Security Warning: If e-mails are sent as HTML, make sure to properly escape values originating from untrusted sources (such as user input during self-registration). This can be achieved by enabling the property 'Escape Values in HTML'.

    If a more fine-grained control is required, use a 'Transforming Value Map Provider' with an 'HTML String Escaper' to transform all values of the map. (Alternatively, if you want to transform only individual values of a map, use a 'Value Provider Map' with 'Transforming String Value Providers'.)

    Attributes
    Boolean
    Optional
    Default value
    true
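    The following Python sketch is an added example, not Airlock IAM code, that models the mechanics described for this step: the "2d 4h 10m 5s" token validity format, the ${token}/${flowId}/${language} placeholders of the Continuation URL, value providers overwriting each other in order, and what "Escape Values in HTML" does to an untrusted self-registration value inside an HTML mail. All function names, sample templates and sample values are constructed here, and the body placeholder is assumed to be ${LINK} as described under "Body Resource Key".

```python
import html
import re
from urllib.parse import quote

# Placeholder syntax used by the page's templates: ${name}
_PLACEHOLDER = re.compile(r"\$\{(\w+)\}")
_DURATION_PART = re.compile(r"(\d+)\s*([dhms])")
_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_token_validity(spec: str) -> int:
    """Parse the "2d 4h 10m 5s" format (any part may be omitted) into seconds.

    Anything outside that grammar is rejected, so a mistyped value cannot
    silently turn into an unexpectedly long-lived link.
    """
    if not re.fullmatch(r"\s*(?:\d+\s*[dhms]\s*)+", spec):
        raise ValueError(f"invalid token validity: {spec!r}")
    return sum(int(n) * _SECONDS[u] for n, u in _DURATION_PART.findall(spec))


def build_continuation_link(url_template: str, token: str, flow_id: str, language: str) -> str:
    """Fill ${token}, ${flowId} and ${language} in a Continuation URL template.

    Values are percent-encoded so that none of them can break out of the path
    or query string; any other placeholder is left untouched.
    """
    params = {"token": token, "flowId": flow_id, "language": language}
    return _PLACEHOLDER.sub(
        lambda m: quote(params[m.group(1)], safe="") if m.group(1) in params else m.group(0),
        url_template,
    )


def merge_value_providers(providers):
    """Combine value-provider maps in order; later providers overwrite earlier ones."""
    merged = {}
    for provider in providers:
        merged.update(provider)
    return merged


def render_email_body(body_template, values, link, *, send_as_html, escape_html_values):
    """Render a localized body template.

    Unknown variables become empty strings. ${LINK} is always supplied.
    With send_as_html and escape_html_values both enabled, every provided
    value is HTML-escaped before substitution; with escaping disabled an
    untrusted value is copied verbatim into the HTML mail.
    """
    rendered = dict(values)
    if send_as_html and escape_html_values:
        rendered = {k: html.escape(str(v), quote=True) for k, v in rendered.items()}
    # The link is machine-generated, but in an HTML mail the '&' between query
    # parameters still has to be escaped so the href stays well-formed.
    rendered["LINK"] = html.escape(link, quote=True) if send_as_html else link
    return _PLACEHOLDER.sub(lambda m: str(rendered.get(m.group(1), "")), body_template)


# Constructed sample data for this example (hypothetical, not from the page).
SAMPLE_URL_TEMPLATE = "https://myhost.com/continue/flow/${flowId}?lang=${language}&token=${token}"
SAMPLE_BODY_TEMPLATE = (
    "<p>Hello ${displayName},</p>"
    '<p>Continue your ${flowName} here: <a href="${LINK}">${LINK}</a></p>'
    "<p>This link is valid for ${validity}.</p>"
)
# The second provider carries self-registration input, i.e. untrusted data,
# and overrides the validity value of the first one.
SAMPLE_PROVIDERS = [
    {"flowName": "password reset", "validity": "24h"},
    {"displayName": "Alice <script>alert(1)</script>", "validity": "2d 12h"},
]


def demo(escape_html_values: bool) -> str:
    """End to end: merge providers, build the link, render the HTML body."""
    values = merge_value_providers(SAMPLE_PROVIDERS)
    link = build_continuation_link(SAMPLE_URL_TEMPLATE, "abc+def/ghi=", "password-reset", "en")
    return render_email_body(
        SAMPLE_BODY_TEMPLATE, values, link, send_as_html=True, escape_html_values=escape_html_values
    )


if __name__ == "__main__":
    print(demo(escape_html_values=True))
```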
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.continuation.SendEmailLinkStepConfig
    id: SendEmailLinkStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      bodyResourceKey:
      continuationUrl:
      customFailureResponseAttributes:
      customResponseAttributes:
      emailService:
      escapeHtmlValues: true
      onFailureGotos:
      preCondition:
      recipientAddress:
      repository:
      requiresActivation: false
      sendAsHtml: false
      skipCondition:
      stepId:
      storeForwardUrl: true
      subjectResourceKey:
      tagsOnSuccess:
      targetFlowId:
      tokenValidity: 24h
      valueProviders:
    

    Sensitive HTTP Parameter

    Description
    HTTP Parameter with a value that is static and also sensitive (e.g. password).
    Class
    com.airlock.iam.core.misc.impl.sms.StaticSensitiveHttpParameter
    May be used by
    Properties
    Name (name)
    Description
    The name of the HTTP Parameter.
    Attributes
    String
    Mandatory
    Value (value)
    Description
    The sensitive value of the HTTP Parameter.
    Attributes
    String
    Mandatory
    Sensitive
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sms.StaticSensitiveHttpParameter
    id: StaticSensitiveHttpParameter-xxxxxx
    displayName: 
    comment: 
    properties:
      name:
      value:
    

    Sensitive Static REST Request Header

    Description
    An HTTP REST Request header with a sensitive header value.
    Class
    com.airlock.iam.common.application.configuration.restclient.SensitiveStaticRestRequestHeaderConfig
    May be used by
    Properties
    Header Name (headerName)
    Description
    The header name of the HTTP REST Request header.
    Attributes
    String
    Mandatory
    Validation RegEx: [a-zA-Z0-9_-]+
    Example
    App-ID
    Example
    App-Key
    Header Value (headerValue)
    Description
    The header value of the HTTP REST Request header.
    Attributes
    String
    Mandatory
    Sensitive
    Example
    App-1
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.restclient.SensitiveStaticRestRequestHeaderConfig
    id: SensitiveStaticRestRequestHeaderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      headerName:
      headerValue:
    

    Service Config

    Description
    Configuration used for each service.
    Class
    com.airlock.iam.servicecontainer.app.application.configuration.ServiceConfig
    May be used by
    Properties
    Service (service)
    Description
    The service plugin to use.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Auto Start (autoStart)
    Description
    If enabled, the service is automatically started when the server is started.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.ServiceConfig
    id: ServiceConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      autoStart: true
      service:
    

    Service Container

    Description
    The server component used to run services such as the RADIUS interface or the task scheduler.
    Class
    com.airlock.iam.servicecontainer.app.application.configuration.Server
    Properties
    Services (services)
    Description
    The list of services to run.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Accepted SSO Tickets Repository (acceptedSsoTicketRepository)
    Description

    Configures the repository used to store accepted SSO tickets and reject previously accepted ones.

    The in-memory repository cannot be used if multiple instances of IAM are deployed in parallel (failover, horizontal scaling). Furthermore, the in-memory repository does not preserve previously accepted SSO tickets across IAM restarts.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Session Idle Timeout [m] (sessionTimeout)
    Description
    Session idle timeout of the service container UI in minutes.
    Attributes
    Integer
    Optional
    Default value
    30
    Statistics Log Interval [s] (statisticLogInterval)
    Description
    The server periodically logs a line with statistics. This setting defines the number of seconds between such log lines.
    Attributes
    Integer
    Optional
    Default value
    60
    Minimum Threads (minimumThreads)
    Description
    Minimum number of threads in pool.
    Attributes
    Integer
    Optional
    Default value
    10
    Maximum Threads (maximumThreads)
    Description
    Maximum number of threads in pool.
    Attributes
    Integer
    Optional
    Default value
    100
    Service Container Shared Secret (serviceContainerSharedSecret)
    Description
    The service container secret is used to access the service container from the Adminapp. The shared secret is used to encrypt the SSO ticket sent from the Adminapp to the service container in order to authenticate the admin. The shared secret must be identical to the property Service Container Shared Secret within Admin Tool (Advanced Settings).
    Attributes
    String
    Mandatory
    Sensitive
    Log User Trail To Database (logUserTrailToDatabase)
    Description

    Configures the database settings to use when persisting user trail log entries.

    If this value is defined, then all user trail log messages generated by the Service Container App module will additionally be forwarded to the database configured within the referenced repository plugin.

    All forwarded log entries are stored inside the table "USER_TRAIL_LOG". Note that setting this value does not disable writing log messages to the Service Container App log file.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Correlation ID Settings (correlationIdSettings)
    Description

    Defines settings for correlation ID transfer and logging inside the Service Container module.

    If undefined, no correlation ID will be logged for this module.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.Server
    id: Server-xxxxxx
    displayName: 
    comment: 
    properties:
      acceptedSsoTicketRepository:
      correlationIdSettings:
      logUserTrailToDatabase:
      maximumThreads: 100
      minimumThreads: 10
      serviceContainerSharedSecret:
      services:
      sessionTimeout: 30
      statisticLogInterval: 60
    

    Session Context Retention Policy

    Description

    With this context retention policy, the configuration context is evaluated once for every session.

    The context is determined during the first request in the session and is re-used for subsequent requests.

    Class
    com.airlock.iam.flow.shared.application.configuration.context.policy.SessionContextRetentionPolicy
    May be used by
    Properties
    Allow Change (allowChange)
    Description

    If this option is enabled, the context is allowed to change and therefore is re-evaluated for each request.

    If the context extractor determines a new context for a request, the context is changed. Otherwise, the session context is re-used. For this to work, the context extractor must be configured without a fallback context; otherwise, the fallback context will always be used instead of the session context.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.context.policy.SessionContextRetentionPolicy
    id: SessionContextRetentionPolicy-xxxxxx
    displayName: 
    comment: 
    properties:
      allowChange: false
    

    Session Hijacking Notification Risk Extractor Config

    Description
    Risk Extractor that extracts the notification flag of the Airlock Gateway (WAF) client fingerprinting (CFP) request. The notification flag indicates whether client fingerprinting has detected a potential session hijacking. No tags are granted if the request does not contain a CFP notification environment cookie.
    Class
    com.airlock.iam.authentication.application.configuration.risk.extractor.clientfingerprinting.SessionHijackingNotificationRiskExtractorConfig
    May be used by
    Properties
    Tags On Detected Session Hijacking (tagsOnDetectedSessionHijacking)
    Description
    The tags to grant if session hijacking has been detected. This means that the CFP notification flag is TRUE.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Tags On Session Without Hijacking (tagsOnSessionWithoutHijacking)
    Description
    The tags to grant if no session hijacking has been detected. This means that the CFP notification flag is FALSE.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.risk.extractor.clientfingerprinting.SessionHijackingNotificationRiskExtractorConfig
    id: SessionHijackingNotificationRiskExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      tagsOnDetectedSessionHijacking:
      tagsOnSessionWithoutHijacking:
    

    Session ID Custom Claim

    Description
    A custom claim for the OAuth2/OIDC Session ID.
    Class
    com.airlock.iam.oauth2.application.configuration.claims.CustomSessionIdClaimConfig
    May be used by
    License-Tags
    OAuthServer
    Properties
    Claim Name (claimName)
    Description
    The name (JSON key) of the claim.

    Attention: If a custom claim with this same claim name already exists, it will result in a runtime error.

    Using a registered claim name (see RFC 7519) might cause the claim to be ignored or an exception to be thrown.
    Attributes
    String
    Mandatory
    Example
    firstname
    Example
    street
    Example
    zip
    Example
    country
    Example
    roles
    Claim Condition (claimCondition)
    Description

    This custom claim will only be added to the issued token if the configured condition is satisfied.

    If no condition is configured, the custom claim will always be added.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.claims.CustomSessionIdClaimConfig
    id: CustomSessionIdClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claimCondition:
      claimName:
    

    Session-less REST Endpoints

    Description

    Configures protected session-less endpoints of the Loginapp REST API. These endpoints require authentication credentials attached to each request, but don't require previous authentication with a flow.

    These REST endpoints begin with the resource path /<loginapp-uri>/rest/protected/my/.

    For most of the session-less protected REST APIs, there is a corresponding flow-based API in the protected self-service REST APIs. Whenever possible, prefer the flow-based variant over the session-less variant configured here.

    Class
    com.airlock.iam.login.rest.application.configuration.LoginappRestConfig
    May be used by
    Properties
    User Self-Service Settings (userSelfServiceSettings)
    Description

    Configures session-less user self-service REST endpoints.

    These REST endpoints begin with the resource path /<loginapp-uri>/rest/protected/my/.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    User Token Settings (userTokenSettings)
    Description

    Configures session-less token REST endpoints related to user tokens.

    These REST endpoints begin with the resource path /<loginapp-uri>/rest/protected/my/tokens/.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Request Authentication (requestAuthentication)
    Description
    Determines how a credential is extracted and used to authenticate single requests.

    This property is only effective for the protected Loginapp REST API outside of the "self-service" sub-path.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Request Authorization (accessController)
    Description
    Controls how authenticated users can access and modify resources. When no access controller is configured, all authenticated incoming requests are authorized by default.

    This property is only effective for the protected Loginapp REST API outside of the "self-service" sub-path.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Username Transformation (usernameTransformers)
    Description
    Transforms user name aliases into real user names for these REST endpoints. This allows, for example, the e-mail address to be used instead of the username.

    Transformation is done for:

    • Resource URLs: the user id in the REST resource URL (e.g. in self-registration) is transformed before further processing is done.
    • Authentication: for protected calls, the username of the provided credential (request credential policy) is transformed before passing it to the configured authenticator.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Link Response Rewriting (linkResponseRewritingEnabled)
    Description
    Enables rewriting of links in REST responses. If rewriting is disabled or cannot be done correctly due to missing information, the internal URI is written to the response.

    If a 'Base URI' is configured, links are rewritten according to the configured value. Otherwise, links are rewritten according to the external view provided by the WAF (if configured and a WAF environment cookie is present).

    Attributes
    Boolean
    Optional
    Default value
    true
    Base URI (baseUri)
    Description
    Allows changing the base URI for all links in REST responses.

    This property is useful in test environments where you want links contained in REST responses to be relative to the configured base URI. Note that configuring this property will take precedence over link rewriting based on the WAF environment cookie.

    In order to produce correct links, the property must be configured up to and including the /rest subpath. IAM will automatically append public to the configured value for calls to the public API and protected for calls to the protected API of the Loginapp (or oauth2 for OAuth 2.0/OpenId Connect endpoints).

    Example:

    • Property value: http://myhost:8090/test/rest
    • The response from the REST call to /<loginapp-uri>/rest/public/users/register will contain a link to http://myhost:8090/test/rest/protected/my/self

    Attributes
    String
    Optional
    Validation RegEx: .*(?
    Example
    https://myhost:8090/test/rest
    YAML Template (with default values)
    
    type: com.airlock.iam.login.rest.application.configuration.LoginappRestConfig
    id: LoginappRestConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      accessController:
      baseUri:
      linkResponseRewritingEnabled: true
      requestAuthentication:
      userSelfServiceSettings:
      userTokenSettings:
      usernameTransformers:
    

    Set Authentication Method Migration Step

    Description

    Non-interactive step to set the user's authentication method migration and optionally a migration deadline.

    Any authentication method set in previous steps is overwritten by this step.

    Properties
    Authentication Method (authenticationMethod)
    Description
    The authentication method to migrate to.
    Attributes
    String
    Mandatory
    Suggested values
    AIRLOCK_2FA, CRONTO, FIDO, MTAN, EMAILOTP, OATH_OTP
    Migration Deadline (migrationDeadline)
    Description

    The migration date is set to this period of time after the step is executed. If no period is defined, no migration date is set.

    The duration must be specified in the format "(d)ays (h)ours (m)inutes (s)econds" e.g. "2d 4h 10m 5s" (any part can be omitted).

    For the usage of the migration date, please refer to the documentation of the "Migration Selection Step".

    Attributes
    String
    Optional
    Example
    7d
    Example
    30d
    Example
    14d 6h 30m
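    The "(d)ays (h)ours (m)inutes (s)econds" duration format described above is the same one used by the Token Validity property of the Send E-mail Link step (default "24h", example "2d 12h"). The following parser is an added example written for this reference, not code from Airlock IAM; it assumes the format allows each unit at most once and rejects anything it cannot account for, so that a mistyped configuration value fails loudly instead of silently producing no deadline.

```python
import re
from datetime import datetime, timedelta, timezone

# One token of the duration format: an integer followed by a unit letter.
_TOKEN_RE = re.compile(r"(\d+)([dhms])")

# Assumption: each unit may appear at most once; whitespace between
# tokens is ignored. Any other character makes the value invalid.
_UNIT_KEYWORD = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}


def parse_duration(text):
    """Parse an IAM-style duration such as "2d 4h 10m 5s" into a timedelta.

    Raises ValueError for empty, malformed or duplicated parts.
    """
    compact = "".join(text.split())  # drop all whitespace between parts
    if not compact:
        raise ValueError("empty duration")
    seen = {}
    pos = 0
    for match in _TOKEN_RE.finditer(compact):
        if match.start() != pos:  # unexpected characters before this token
            raise ValueError(f"invalid duration: {text!r}")
        value, unit = int(match.group(1)), match.group(2)
        if unit in seen:
            raise ValueError(f"unit {unit!r} given twice in {text!r}")
        seen[unit] = value
        pos = match.end()
    if pos != len(compact):  # trailing garbage after the last token
        raise ValueError(f"invalid duration: {text!r}")
    return timedelta(**{_UNIT_KEYWORD[u]: v for u, v in seen.items()})


def migration_deadline(executed_at, period):
    """Deadline reached when the configured period has elapsed after the step ran.

    Mirrors the property description: no period configured means no deadline.
    """
    if period is None or not period.strip():
        return None
    return executed_at + parse_duration(period)


def deadline_passed(deadline, now=None):
    """True once a configured deadline lies in the past; never True without one."""
    if deadline is None:
        return False
    now = now or datetime.now(timezone.utc)
    return deadline < now


if __name__ == "__main__":
    ran_at = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample time
    print(migration_deadline(ran_at, "14d 6h 30m"))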
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.step.NonInteractiveAuthMethodMigrationStepConfig
    id: NonInteractiveAuthMethodMigrationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethod:
      customFailureResponseAttributes:
      customResponseAttributes:
      migrationDeadline:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Set Authentication Method Step

    Description

    Non-interactive step to set the default authentication method for the user.

    Any authentication method which has been set in previous steps will be overwritten by this step.

    Properties
    User Auth Method (userAuthMethod)
    Description
    The authentication method to be automatically set in this step.
    Attributes
    String
    Mandatory
    Suggested values
    AIRLOCK_2FA, CRONTO, EMAILOTP, FIDO, MATRIX, MTAN, OATH_OTP, OTP, PASSWORD
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.step.NonInteractiveSetAuthMethodStepConfig
    id: NonInteractiveSetAuthMethodStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      userAuthMethod:
    

    Set Context Data Step

    Description

    Non-interactive step to set user data that is provided by the system and not by the user.

    User Data Items which were provided in previous steps can be overwritten by this step.

    Security Notice: This step should be configured as late as possible and after the user is sufficiently authenticated. Otherwise data might be set too early.

    Properties
    User Data Items (userDataItems)
    Description
    The user data items that are automatically set in this step.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.step.user.data.NonInteractiveSetContextDataStepConfig
    id: NonInteractiveSetContextDataStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      userDataItems:
    

    Set Password Expiry Date

    Description
    Extracts the password expiry date from the RADIUS Access-Accept response (sent by a RADIUS server) by examining an arbitrary RADIUS attribute of the response. If an expiry date can be extracted and it lies in the past, the user is forced to change the password.
    Properties
    Attribute Type (attributeType)
    Description

    The RADIUS attribute type of the attribute to look at.

    If an attribute other than the suggested ones is used, the type identifier (a number) must be specified, not the attribute name!

    Attributes
    String
    Mandatory
    Suggested values
    Reply-Message (18), Vendor Specific (26), Filter-Id (11), Class (25), Unassigned (21)
    Representation (representation)
    Description
    Representation of the expiry date in the RADIUS attribute. Determines how the value read from the RADIUS attribute is interpreted.
    Attributes
    String
    Mandatory
    Allowed values
    String as yyyyMMddHHmmss, UNIX timestamp as string (in milliseconds), UNIX timestamp as string (in seconds), Binary UNIX timestamp (in milliseconds), Binary UNIX timestamp (in seconds)
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.radius.RadiusAttributePasswordExpiry
    id: RadiusAttributePasswordExpiry-xxxxxx
    displayName: 
    comment: 
    properties:
      attributeType:
      representation:
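
    The following Python model, added here as an illustration and not Airlock IAM code, shows what the two properties above amount to at runtime: the Access-Accept attribute block is split into RFC 2865 Type/Length/Value triples, the attribute with the configured type is read, its value is interpreted according to the configured representation, and a date in the past means "force password change". The constants, function names and sample attributes are this example's own. Assumptions not stated on the page: the yyyyMMddHHmmss string is taken as UTC, binary timestamps are unsigned big-endian integers, and an absent or unparseable attribute yields "no decision" rather than a forced change.

```python
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Added example for this page; it is not Airlock IAM code and only models the
# documented behaviour of the Set Password Expiry Date plugin. Assumptions:
# yyyyMMddHHmmss strings are UTC, binary timestamps are unsigned big-endian,
# and a missing/unparseable attribute gives "no decision" (None).

STRING_YYYYMMDDHHMMSS = "STRING_YYYYMMDDHHMMSS"
STRING_UNIX_MS = "STRING_UNIX_MS"
STRING_UNIX_S = "STRING_UNIX_S"
BINARY_UNIX_MS = "BINARY_UNIX_MS"
BINARY_UNIX_S = "BINARY_UNIX_S"


def radius_attributes(avps: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute block (RFC 2865: Type, Length, Value; Length
    counts the two header bytes) into (type, value) pairs."""
    out = []
    i = 0
    while i < len(avps):
        if i + 2 > len(avps):
            raise ValueError("truncated attribute header")
        atype, alen = avps[i], avps[i + 1]
        if alen < 2 or i + alen > len(avps):
            raise ValueError("invalid attribute length %d" % alen)
        out.append((atype, avps[i + 2:i + alen]))
        i += alen
    return out


def parse_expiry(value: bytes, representation: str) -> datetime:
    """Interpret the raw attribute value as an expiry date (UTC)."""
    if representation == STRING_YYYYMMDDHHMMSS:
        return datetime.strptime(value.decode("ascii"), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if representation == STRING_UNIX_MS:
        return datetime.fromtimestamp(int(value.decode("ascii")) / 1000, tz=timezone.utc)
    if representation == STRING_UNIX_S:
        return datetime.fromtimestamp(int(value.decode("ascii")), tz=timezone.utc)
    if representation == BINARY_UNIX_MS:
        return datetime.fromtimestamp(int.from_bytes(value, "big") / 1000, tz=timezone.utc)
    if representation == BINARY_UNIX_S:
        return datetime.fromtimestamp(int.from_bytes(value, "big"), tz=timezone.utc)
    raise ValueError("unknown representation " + representation)


def password_change_required(avps: bytes, attribute_type: int,
                             representation: str, now: datetime) -> Optional[bool]:
    """True if the configured attribute carries an expiry date in the past,
    False if it is in the future, None if no usable date was found."""
    for atype, value in radius_attributes(avps):
        if atype != attribute_type:
            continue
        try:
            return parse_expiry(value, representation) <= now
        except (ValueError, UnicodeDecodeError, OverflowError, OSError):
            return None  # attribute present but not in the expected format
    return None


def avp(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute (used to build constructed sample data)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


if __name__ == "__main__":
    # Constructed Access-Accept attribute block: Filter-Id (11) carries the
    # expiry date, Reply-Message (18) is unrelated text.
    now = utc(2024, 6, 1)
    accept = avp(11, b"20200101120000") + avp(18, b"Welcome")
    print(password_change_required(accept, 11, STRING_YYYYMMDDHHMMSS, now))
    future = int(utc(2030, 1, 1).timestamp()).to_bytes(4, "big")
    print(password_change_required(avp(25, future), 25, BINARY_UNIX_S, now))
```

    Two practical points the model makes visible: the string representations have no timezone of their own, so the RADIUS server and IAM must agree on one, and Vendor Specific (26) values wrap a vendor id plus nested sub-attributes, so a real check against that type has to descend into the VSA rather than use the whole value as this parser does.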
    

    Set Password Step Config

    Description
    An authentication flow step that forces the user to set a password. This step is only intended for users who do not have a password set yet.
    Properties
    Password Attribute Key (passwordAttributeKey)
    Description

    The optional key under which the new password is made available in the identity propagation.

    The value can also be retrieved from the session using the "User Passwords Map" value map provider.

    If no key is configured, the new password will not be made available in the flow attributes, and cannot be used by identity propagators.

    Note: This feature will not work together with end-to-end encryption.

    Attributes
    String
    Optional
    Suggested values
    PASSWORD
    Policy To Check On Set Password (policyToCheckOnSetPassword)
    Description
    The password policy that is checked when the new password is set.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable goto targets. These are steps to which the user can choose to jump while this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.password.SetPasswordStepConfig
    id: SetPasswordStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      passwordAttributeKey:
      passwordRepository:
      policyToCheckOnSetPassword:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Set UI Tenant ID Processor

    Description
    This processor evaluates the UI Tenant ID rules configured in the Loginapp UI Settings in order and sets the UI Tenant ID to the value provided by the first rule that is satisfied. If no rule is satisfied (or no rule is configured), the UI Tenant ID is not set.
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.uitenantid.SetUiTenantIdProcessorConfig
    id: SetUiTenantIdProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Set UUID For New Users

    Description
    Sets a random UUID into a configurable context data field when a user is created (before it is added to the user repository).
    Properties
    UUID Attribute Name (uuidAttributeName)
    Description
    Name of the context data property to store the UUID in. Must be configured as context data field in the affected persister.
    Attributes
    String
    Mandatory
    Example
    userUuid
    Condition (condition)
    Description
    The condition to decide whether the event should be handled. If not configured, the event is always handled.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.persistency.usereventbus.SetUuidForNewUsers
    id: SetUuidForNewUsers-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      uuidAttributeName:
    

    SHA-256 HTTP Instance Digest Algorithm

    Description
    SHA-256 HTTP Instance Digest algorithm.
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.SHA256HttpInstanceDigestAlgorithmConfig
    id: SHA256HttpInstanceDigestAlgorithmConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    SHA-512 HTTP Instance Digest Algorithm

    Description
    SHA-512 HTTP Instance Digest algorithm.
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.SHA512HttpInstanceDigestAlgorithmConfig
    id: SHA512HttpInstanceDigestAlgorithmConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    SHA1 Base64 Password Hash

    Description
    Password hash plug-in that uses SHA-1 for hashing and base-64 for encoding the result.

    Returns the base-64 encoded version of salt|SHA1(salt|password) as hash value. Both the salt and the hash value are 20 bytes long; together they result in 56 characters after base-64 encoding.

    Security note: like the SHA-256 variants below, this is a single iteration of a fast hash and offers no protection against offline brute force of a leaked hash store; SHA-1 is additionally a deprecated algorithm. Prefer Scrypt Password Hash (within a PasswordHashConfiguration for Encoded Hash Values) for new deployments.

    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.hash.SHA1Base64PasswordHash
    id: SHA1Base64PasswordHash-xxxxxx
    displayName: 
    comment: 
    properties:
    

    SHA1 Hex Password Hash

    Description

    Password hash plug-in that uses SHA-1 for hashing and hex encoding for the result.

    Returns the hex-encoded version of salt|SHA1(salt|password) as hash value. Both the salt and the hash value are 20 bytes (160 bits) long; together they result in 80 characters after hex encoding.

    Security note: like the SHA-256 variants below, this is a single iteration of a fast hash and offers no protection against offline brute force of a leaked hash store; SHA-1 is additionally a deprecated algorithm. Prefer Scrypt Password Hash (within a PasswordHashConfiguration for Encoded Hash Values) for new deployments.

    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.hash.SHA1HexPasswordHash
    id: SHA1HexPasswordHash-xxxxxx
    displayName: 
    comment: 
    properties:
    

    SHA1 Password Hash

    Description
    Password hash plug-in that uses SHA-1 for hashing.

    Returns salt|SHA1(salt|password) as hash value. Both the salt and the hash value are 20 bytes long.

    Security note: like the SHA-256 variants below, this is a single iteration of a fast hash and offers no protection against offline brute force of a leaked hash store; SHA-1 is additionally a deprecated algorithm. Prefer Scrypt Password Hash (within a PasswordHashConfiguration for Encoded Hash Values) for new deployments.

    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.hash.SHA1PasswordHash
    id: SHA1PasswordHash-xxxxxx
    displayName: 
    comment: 
    properties:
    

    SHA256 Base64 Password Hash

    Description
    Password hash plug-in that uses SHA-256 for hashing and base-64 for encoding the result.

    Returns the base-64 encoded version of salt|SHA256(salt|password) as hash value. Both the salt and the hash value are 32 bytes long; together they result in 88 characters after base-64 encoding.

    Security Warning: The use of this plugin is discouraged due to security reasons. Consider using Scrypt Password Hash instead (within a PasswordHashConfiguration for Encoded Hash Values).

    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.hash.SHA256Base64PasswordHash
    id: SHA256Base64PasswordHash-xxxxxx
    displayName: 
    comment: 
    properties:
    

    SHA256 Hex Password Hash

    Description
    Password hash plugin that uses SHA-256 for hashing and Hex for encoding the result.

    Returns the hex-encoded version of salt|SHA256(salt|password) as hash value. Both the salt and the hash value are 32 bytes long; together they result in 128 characters after hex encoding.

    Security Warning: The use of this plugin is discouraged due to security reasons. Consider using Scrypt Password Hash instead (within a PasswordHashConfiguration for Encoded Hash Values).

    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.hash.SHA256HexPasswordHash
    id: SHA256HexPasswordHash-xxxxxx
    displayName: 
    comment: 
    properties:
    

    SHA256 Password Hash

    Description
    Password hash plug-in that uses SHA-256 for hashing.

    Returns salt|SHA256(salt|password) as hash value. Both the salt and the hash values are each 32 bytes long.

    Security Warning: The use of this plugin is discouraged due to security reasons. Consider using Scrypt Password Hash instead (within a PasswordHashConfiguration for Encoded Hash Values).

    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.hash.SHA256PasswordHash
    id: SHA256PasswordHash-xxxxxx
    displayName: 
    comment: 
    properties:
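
    The six SHA password hash plug-ins above share one stored layout, salt|HASH(salt|password), and differ only in the digest and the encoding. The Python below, added here as an illustration and not Airlock IAM code, builds and verifies that layout for SHA-1 and SHA-256 in raw, hex and base-64 form (so the 56/80/88/128 figures quoted above can be checked), and puts an scrypt hash beside it because that is the replacement the page recommends. The function names are this example's own; the scrypt parameters (N=2^14, r=8, p=1, 32-byte salt) are a common baseline assumed here, not values from the page.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Union

# Added example for this page (not Airlock IAM code): models the documented
# salt|HASH(salt|password) layout of the SHA1/SHA256 password hash plugins and
# contrasts it with scrypt. Only the layout and lengths stated on the page are
# modelled; the plugin internals may differ.

DIGEST_LEN = {"sha1": 20, "sha256": 32}   # salt length equals digest length


def hash_password(password: str, algo: str, encoding: str = "raw",
                  salt: Optional[bytes] = None) -> Union[bytes, str]:
    """Return salt|HASH(salt|password) as bytes ("raw"), hex str or base-64 str."""
    n = DIGEST_LEN[algo]
    if salt is None:
        salt = os.urandom(n)
    if len(salt) != n:
        raise ValueError("salt must be %d bytes for %s" % (n, algo))
    stored = salt + hashlib.new(algo, salt + password.encode("utf-8")).digest()
    if encoding == "raw":
        return stored
    if encoding == "hex":
        return stored.hex()
    if encoding == "base64":
        return base64.b64encode(stored).decode("ascii")
    raise ValueError("unknown encoding " + encoding)


def verify_password(password: str, stored: Union[bytes, str],
                    algo: str, encoding: str = "raw") -> bool:
    """Split the salt off the front of the stored value, recompute the digest
    and compare in constant time. Malformed input yields False, never an error."""
    try:
        if encoding == "hex":
            raw = bytes.fromhex(stored)
        elif encoding == "base64":
            raw = base64.b64decode(stored, validate=True)
        else:
            raw = bytes(stored)
    except (ValueError, TypeError):
        return False
    n = DIGEST_LEN[algo]
    if len(raw) != 2 * n:
        return False
    salt, digest = raw[:n], raw[n:]
    expected = hashlib.new(algo, salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(digest, expected)


def stored_length(algo: str, encoding: str) -> int:
    """Length of one stored hash value, to check the figures quoted on the page."""
    return len(hash_password("any", algo, encoding))


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> bytes:
    """The recommended alternative: a memory-hard KDF. N=2^14, r=8, p=1 and a
    32-byte salt are an assumed baseline for this example, not page values."""
    salt = salt if salt is not None else os.urandom(32)
    return salt + hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                 n=2 ** 14, r=8, p=1, dklen=32)


def verify_scrypt(password: str, stored: bytes) -> bool:
    salt, digest = stored[:32], stored[32:]
    return hmac.compare_digest(scrypt_hash(password, salt)[32:], digest)


if __name__ == "__main__":
    import time
    for algo in DIGEST_LEN:
        for enc in ("raw", "hex", "base64"):
            print(algo, enc, stored_length(algo, enc))
    # Why the page discourages plain SHA: one guess costs microseconds.
    t = time.perf_counter()
    for _ in range(10000):
        hash_password("guess", "sha256")
    print("sha256 guesses/s: %.0f" % (10000 / (time.perf_counter() - t)))
    t = time.perf_counter()
    for _ in range(10):
        scrypt_hash("guess")
    print("scrypt guesses/s: %.0f" % (10 / (time.perf_counter() - t)))
```

    Running the main block prints the stored lengths and a rough guesses-per-second figure for each scheme on the local machine; the gap between the two numbers is the whole argument for the security warnings above. Note that the salt is stored in clear in front of the digest, so its only job is to defeat precomputed tables, not to slow an attacker down.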
    

    Show Logout Disclaimer Page Config

    Description
    Displays a logout disclaimer page.
    Properties
    Target On Continue (targetOnContinue)
    Description
    The target to redirect to when clicking the 'Login' button.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.ShowLogoutDisclaimerPageConfig
    id: ShowLogoutDisclaimerPageConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      targetOnContinue:
    

    Silly Password Policy

    Description
    A password policy check that tests for several very specific properties of a password (e.g. sequences, only one letter/digit, empty password, keyboard layout based, etc.).
    Each test can be enabled or disabled in the configuration. See configuration properties to learn more about the specific tests.
    Properties
    Detect Empty Password (detectEmptyPassword)
    Description
    Enables (TRUE) or disables (FALSE) the check detecting empty passwords. If such a password is detected, a PasswordTooSillyViolation is returned by this plugin.

    A password is considered empty if it consists only of whitespace.

    Attributes
    Boolean
    Optional
    Default value
    true
    Detect Sequences (detectSequences)
    Description
    Enables (TRUE) or disables (FALSE) the check detecting passwords consisting of an ascending or descending character sequence such as "abcdef", "456789", or "mlkjih". If such a password is detected, a PasswordTooSillyViolation is returned by this plugin.

    A password is considered to consist of a sequence if, after converting it to lowercase characters, the ASCII code difference between any two adjacent characters is either 1 or -1. The sign of the difference is ignored, i.e. a sequence that changes direction such as "abcdefedcb" is also considered such a sequence.

    Attributes
    Boolean
    Optional
    Default value
    true
    Detect Single Character Passwords (detectSingleCharacterPasswords)
    Description
    Enables (TRUE) or disables (FALSE) the check detecting passwords consisting of only one character. If such a password is detected, a PasswordTooSillyViolation is returned by this plugin.

    A password matches if, after converting it to lowercase characters, the ASCII code of all characters is the same.

    Example: "aaaaaaa" or "AaaAa"

    Attributes
    Boolean
    Optional
    Default value
    true
    Detect Keyboard Layout Based Passwords (detectKeyboardLayoutBasedPasswords)
    Description
    Enables (TRUE) or disables (FALSE) the check detecting passwords that are "keyboard-layout based". If such a password is detected, a PasswordTooSillyViolation is returned by this plugin.

    A password is considered to be based on the keyboard-layout if it can be typed by pressing keys on a computer keyboard from left to right or from right to left.
    Case of characters is not considered.

    Example on a Swiss-German keyboard, starting with the letter "k" and going left is: "kjhgfd".

    The plugin supports the following keyboard layouts: QWERTY, QWERTZ, AZERTY, QZERTY. For these layouts several subvariants regarding special characters such as umlauts and other special characters are implemented.

    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.PwdPolicySillyCheck
    id: PwdPolicySillyCheck-xxxxxx
    displayName: 
    comment: 
    properties:
      detectEmptyPassword: true
      detectKeyboardLayoutBasedPasswords: true
      detectSequences: true
      detectSingleCharacterPasswords: true
    

    Simple File Renderer Config

    Description
    Simple file renderer config that directly writes the rendered report to a file.
    Properties
    Report Renderer (reportRenderer)
    Description
    The renderer plugin to render the reports.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Language Attribute Name (languageAttributeName)
    Description
    Specifies the context data attribute that contains the language to be used for rendering the report.
    Attributes
    String
    Optional
    Default value
    language
    Suggested values
    language, lang, locale
    Output Directory (outputDirectory)
    Description
    Directory in the file system to put the rendered reports in. The directory is either absolute or relative to the JVM's current directory (the Airlock IAM installation directory).
    Attributes
    File/Path
    Mandatory
    File Name Prefix (fileNamePrefix)
    Description
    Filename prefix for rendered report files. It is important to set this to a unique value for the kind of reports generated by this task.
    Attributes
    String
    Mandatory
    Example
    token-letter
    Example
    smartcardLetter
    File Name Suffix (fileNameSuffix)
    Description
    Filename suffix for rendered report files. The indicated suffix is appended to the generated reports. This may be required if the files are processed (e.g. printed) by another process (manual or automatic).
    Attributes
    String
    Optional
    Suggested values
    .pdf, .txt
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.report.SimpleFileRendererConfig
    id: SimpleFileRendererConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      fileNamePrefix:
      fileNameSuffix:
      languageAttributeName: language
      outputDirectory:
      reportRenderer:
    

    Simple Latest Login Attempt Filter

    Description
    Filter users by the date of their latest login attempt with a simple selection of last day, week, month or year.
    May be used by
    Properties
    Default Value (defaultValue)
    Description
    Default selected period.
    Attributes
    Enum
    Optional
    Default value
    LAST_WEEK
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.usersearch.filter.SimpleLatestLoginAttemptFilter
    id: SimpleLatestLoginAttemptFilter-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultValue: LAST_WEEK
    

    Simple Latest Successful Login Filter

    Description
    Filter users by the date of their latest successful login with a simple selection of last day, week, month or year.
    May be used by
    Properties
    Default Value (defaultValue)
    Description
    Default selected period.
    Attributes
    Enum
    Optional
    Default value
    LAST_WEEK
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.usersearch.filter.SimpleLatestSuccessfulLoginFilter
    id: SimpleLatestSuccessfulLoginFilter-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultValue: LAST_WEEK
    

    Simple Location Interpreter Config

    Description
    A simple location interpreter to be used to extract a value either from a query parameter or with a regex from the whole location URL.
    Properties
    Default Value (defaultValue)
    Description
    The default value to be returned if no value could be extracted.
    Attributes
    String
    Optional
    From Query Param (fromQueryParam)
    Description
    Query param from which the value should be extracted.
    Attributes
    String
    Optional
    Example
    lang
    With URL Regex (withUrlRegex)
    Description
    Regex to extract the value from the whole location URL. The value to be extracted (the capturing group) has to be surrounded by parentheses.
    Attributes
    RegEx
    Optional
    Transform To Lowercase (transformToLowercase)
    Description
    If enabled, the extracted value is transformed to lowercase.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.location.interpret.SimpleLocationInterpreterConfig
    id: SimpleLocationInterpreterConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultValue:
      fromQueryParam:
      transformToLowercase: false
      withUrlRegex:
    

    Simple Migration Selection Option Config

    Description

    Simplified configuration of a migration subflow.

    Essentially equivalent to an "Advanced Migration Selection Option" with a "Next Authentication Method-based Migration Condition" condition and an implicit "Complete Migration Step" as the last step. Only the credential activation step needs to be configured.

    May be used by
    Properties
    Target Auth Method (targetAuthMethod)
    Description
    Target authentication method of this migration. This is used as follows:
    • As ID in the list of available options (for POST /<loginapp-uri>/rest/public/authentication/migration/options/retrieve and POST /<loginapp-uri>/rest/public/authentication/migration/options/<id>/select)
    • As the "Target Auth Method" in the automatically generated "Next Authentication Method-based Migration Condition" condition
    • As the "Target Auth Method" in the automatically generated "Complete Migration Step"
    Attributes
    String
    Mandatory
    Validation RegEx: [A-Za-z0-9_-]+
    Suggested values
    AIRLOCK_2FA, MTAN, CRONTO, FIDO, DEVICE_TOKEN, MATRIX, OATH_OTP
    Hint Period (hintPeriod)
    Description

    Ask the user to migrate during this period before the migration becomes mandatory. An immediate period (e.g. 0d) means that users are never asked to migrate before the migration date and are always forced to migrate at the migration date.

    To always ask the user to migrate as soon as a migration date is set for the user, set this property to a very high value. This setting has no effect if the user has a "Next Auth Method" but no migration date set; in this case the user is always asked to migrate and never forced to migrate.

    This property is used to configure the hint period in the automatically created "Next Authentication Method-based Migration Condition" condition.

    The duration must be specified in the format "(d)ays (h)ours (m)inutes (s)econds" e.g. "2d 4h 10m 5s" (any part can be omitted).

    Attributes
    String
    Optional
    Default value
    10d
    Example
    7d
    Example
    30d
    Example
    14d 6h 30m
    Steps (steps)
    Description
    Steps of this subflow. A "Complete Migration Step" is always automatically configured and added to the end of this step sequence.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Abort Step, Acknowledge Message Step, Airlock 2FA Activation Letter Order Step, Airlock 2FA Activation Step, Airlock 2FA Activation Step (with additional Activation), Airlock 2FA Activation Trusted Session Binding Step, Airlock 2FA Authentication Step, Airlock 2FA Delete Devices Step, Airlock 2FA Device Edit Step, Airlock 2FA Mobile Only Authentication Step, Airlock 2FA Recovery Trusted Session Binding Step, Airlock 2FA Usernameless Authentication Step, Apply Changes Step, Complete Migration Step, Cronto Activation Step, Cronto Authentication Step, Cronto Device Reset Step Config, Cronto Letter Order Step Config, CrontoSign Swiss Push Activation Step, Device Token Authentication Step, Device Token Registration Step, Email Change Verification Step, Email Notification Step, Email OTP Authentication Step, FIDO Authentication Step, FIDO Credential Display Name Change Step, FIDO Passwordless Authentication Step, FIDO Registration Step, Failure Step, HTTP Basic Authentication Step, Kerberos Authentication Step, Legacy Email OTP Authentication Step, Login From New Device Step, Mandatory Password Change Step Config, Matrix Authentication Step, Migration Selection Step, Missing Account Link Step, Never Migrate Step, No Operation Step, OATH OTP Activation Step, OATH OTP Authentication Step, OAuth 2.0 Consent Step, OAuth 2.0 SSO Step, OAuth 2.0 Session Reset Step, OTP Check via RADIUS Step, Password-only Authentication Step, Red Flag Raising Step Config, Remember-Me Reset Step, Remember-Me Token Generating Step, Remember-Me User Identifying Step, Representation SSO Ticket Identifying Step, Risk Assessment Step, Role-based Tag Acquisition Step, SAML 2.0 SP User Identifying Step, SSI Authentication Step, SSI Issuance Step, SSI Passwordless Authentication Step, SSI Verification Step, SSO Ticket Authentication Step, Scriptable Step, Secret Questions Provisioning Step, Selection Step, Set Context Data Step, Set Password Step Config, Tag Removal Step Config, Terms Of Services Step, User Data Edit Step, User Identification By Data Step, User Identification Step, Username Password Authentication Step, Vasco OTP Authentication Step, Voluntary Password Change Step, mTAN Authentication Step, mTAN Token Registration Step, mTAN Verification Step
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.migration.SimpleMigrationSelectionOptionConfig
    id: SimpleMigrationSelectionOptionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      hintPeriod: 10d
      steps:
      targetAuthMethod:
    

    Simple Password Policy

    Description
    Password policy that allows to configure the most common password policy checks.
    Properties
    Required Characters (requiredCharacters)
    Description
    Ensures that a password contains at least one character from every configured character class.

    For example, "Characters and digits" ensures that at least one letter and one digit are used.

    The character classes are defined as follows:
    • "Normal characters": a-z (case insensitive)
    • "Special characters": . , ; : - _ ! $ ( ) { } [ ] < > = ? + * & % \ / | @ # ^ ` ~
    Attributes
    Enum
    Optional
    Default value
    CHARS_AND_DIGITS
    Min Required Length (minRequiredLength)
    Description
    The minimum required number of characters of a password. Shorter passwords are rejected.
    Attributes
    Integer
    Optional
    Default value
    8
    Max Allowed Length (maxAllowedLength)
    Description
    The maximum allowed number of characters of a password. Longer passwords are rejected.
    Attributes
    Integer
    Optional
    Default value
    100
    No Silly Passwords (noSillyPasswords)
    Description
    Rejects passwords that are easy to guess, such as:
    • Character sequences such as "abcde" or "1234321"
    • Passwords consisting of a single character such as "AaAaaaaAa"
    • Passwords constructed by typing a sequence on keyboard such as "asdfgh". A variety of keyboard layouts are supported.
    Attributes
    Boolean
    Optional
    Default value
    true
    No Previously Used Passwords (noPreviouslyUsedPasswords)
    Description
    Checks that the new password is not the same as any password in the password history (i.e. a previously used password).
    The number of forbidden previously used passwords (= the password history length) is defined by the password hash plugin passed to this plugin when performing the check.

    Note: The check requires that the used password hash function supports password histories (i.e. implements "PasswordHashWithHistory"). If not, an error occurs.

    Attributes
    Boolean
    Optional
    Default value
    false
    Allowed Characters (allowedCharacters)
    Description
    A regular expression pattern defining the set of allowed characters.

    Every character of the password is matched against this pattern and must match or the password is not allowed.

    Attributes
    RegEx
    Optional
    Forbidden Characters (forbiddenCharacters)
    Description
    A regular expression pattern defining the set of forbidden characters.

    If the pattern matches the whole password or only a part of it, the password is rejected.

    Attributes
    RegEx
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.SimplePasswordPolicy
    id: SimplePasswordPolicy-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedCharacters:
      forbiddenCharacters:
      maxAllowedLength: 100
      minRequiredLength: 8
      noPreviouslyUsedPasswords: false
      noSillyPasswords: true
      requiredCharacters: CHARS_AND_DIGITS
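
    The Silly Password Policy and the Simple Password Policy above are specified precisely enough to be modelled, and doing so shows how the individual rules interact (a password like "12345678" trips both a character-class rule and the silly check, and the "allowed" and "forbidden" regex properties are matched differently). The Python below is an added illustration for this page, not Airlock IAM code. Its assumptions: the keyboard rows are a letters-and-digits subset of three of the four layouts the plugin lists (the real plugin also covers umlaut and special-character subvariants), the violation names other than PasswordTooSillyViolation are this example's own, and the "No Previously Used Passwords" check is omitted because it needs a hash store with history.

```python
import re
import string
from typing import FrozenSet, List, Optional

# Added example for this page (not Airlock IAM code): a model of the checks
# described for the Silly Password Policy and the Simple Password Policy.
# Assumptions: simplified keyboard rows, illustrative violation names, no
# password-history check.

SPECIAL_CHARS = frozenset(".,;:-_!$(){}[]<>=?+*&%\\/|@#^`~")  # list from the page

KEYBOARD_ROWS = {  # assumed subset: letters and the digit row only
    "QWERTY": ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"),
    "QWERTZ": ("1234567890", "qwertzuiop", "asdfghjkl", "yxcvbnm"),
    "AZERTY": ("1234567890", "azertyuiop", "qsdfghjklm", "wxcvbn"),
}


def is_empty(pw: str) -> bool:
    return pw.strip() == ""  # whitespace-only counts as empty


def is_sequence(pw: str) -> bool:
    """Adjacent characters differ by exactly 1 in ASCII (sign ignored), after lowercasing."""
    s = pw.lower()
    return len(s) >= 2 and all(abs(ord(a) - ord(b)) == 1 for a, b in zip(s, s[1:]))


def is_single_character(pw: str) -> bool:
    s = pw.lower()
    return len(s) >= 1 and len(set(s)) == 1


def is_keyboard_walk(pw: str) -> bool:
    """Typeable by walking one keyboard row left-to-right or right-to-left."""
    s = pw.lower()
    if len(s) < 2:
        return False
    return any(s in row or s in row[::-1]
               for rows in KEYBOARD_ROWS.values() for row in rows)


def silly_violations(pw: str, detect_empty: bool = True, detect_sequences: bool = True,
                     detect_single: bool = True, detect_keyboard: bool = True) -> List[str]:
    """Reasons for which the Silly Password Policy would return PasswordTooSillyViolation."""
    found = []
    if detect_empty and is_empty(pw):
        found.append("EMPTY")
    if detect_sequences and is_sequence(pw):
        found.append("SEQUENCE")
    if detect_single and is_single_character(pw):
        found.append("SINGLE_CHARACTER")
    if detect_keyboard and is_keyboard_walk(pw):
        found.append("KEYBOARD_LAYOUT")
    return found


def simple_policy_violations(pw: str,
                             required: FrozenSet[str] = frozenset({"chars", "digits"}),
                             min_len: int = 8, max_len: int = 100,
                             no_silly: bool = True,
                             allowed: Optional[str] = None,
                             forbidden: Optional[str] = None) -> List[str]:
    """Defaults mirror the page: CHARS_AND_DIGITS, length 8..100, silly check on."""
    v = []
    if len(pw) < min_len:
        v.append("TOO_SHORT")
    if len(pw) > max_len:
        v.append("TOO_LONG")
    if "chars" in required and not any(c.lower() in string.ascii_lowercase for c in pw):
        v.append("MISSING_CHARACTER")
    if "digits" in required and not any(c in string.digits for c in pw):
        v.append("MISSING_DIGIT")
    if "special" in required and not any(c in SPECIAL_CHARS for c in pw):
        v.append("MISSING_SPECIAL")
    if no_silly and silly_violations(pw):
        v.append("TOO_SILLY")
    # Allowed characters: every single character must fully match the pattern.
    if allowed is not None and not all(re.fullmatch(allowed, c) for c in pw):
        v.append("CHARACTER_NOT_ALLOWED")
    # Forbidden characters: a match anywhere in the password rejects it.
    if forbidden is not None and re.search(forbidden, pw):
        v.append("FORBIDDEN_CHARACTER")
    return v


if __name__ == "__main__":
    for candidate in ("kjhgfd", "1234321", "AaAaaaaAa", "Tr0ub4dor&3", "12345678"):
        print(repr(candidate), silly_violations(candidate), simple_policy_violations(candidate))
```

    Two details worth noticing when tuning these properties: the sequence rule is purely ASCII-distance based, so "1234321" is caught although it changes direction, and the allowed/forbidden regexes are not symmetric (allowed is applied per character with a full match, forbidden is a search over the whole password), which is why a forbidden pattern like "[sS]" rejects "Passw0rd" while an allowed pattern must be written as a single-character class.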
    

    Simple Risk-based Role Derivation

    Description
    An access policy rule deriving new roles from existing roles and Risk Tags.
    Properties
    Required Roles (requiredRoles)
    Description
    If defined, this rule only matches if the user has at least one of the specified roles.
    Attributes
    String-List
    Optional
    Mandatory Risk Tags (mandatoryRiskTags)
    Description
    If defined, this rule only matches if the user has all of the specified Risk Tags.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Excluding Risk Tags (excludingRiskTags)
    Description
    A list of Risk Tags that must not be present.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Target Role (targetRole)
    Description
    The resulting role if all required roles and risk tags can be satisfied.
    Attributes
    String
    Mandatory
    Example
    strong
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.risk.accesspolicy.SimpleRiskBasedRoleDerivationConfig
    id: SimpleRiskBasedRoleDerivationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      excludingRiskTags:
      mandatoryRiskTags:
      requiredRoles:
      targetRole:
    

    Simple Text Renderer

    Description
    Renders a language-dependent text with variable substitution.
    Properties
    Default Text (defaultText)
    Description
    Specifies the default text.

    Texts for other languages can be specified with the "Text" property. A default text must always be specified.

    Attributes
    String
    Mandatory
    Text (text)
    Description
    Language-dependent text taking precedence over the default text.
    Selectors must be chosen according to the ISO 639-1 two-letter language codes, e.g. "fr" for French.
    See also the description of Default Text.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.renderer.SimpleTextRenderer
    id: SimpleTextRenderer-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultText:
      text:
    

    Single Mode Redis State Repository Config

    Description

    State repository that stores all values in a single Redis instance.

    Properties
    Redis URI (redisUri)
    Description
    The URI to connect to Redis.
    • For TLS, use rediss://host:port (double 's' in 'rediss:', recommended)
    • For an unencrypted connection, use redis://host:port (not recommended for production setups)
    Attributes
    String
    Mandatory
    Example
    rediss://redis:6379
    Example
    redis://localhost:6379
    Username (username)
    Description
    The username to login on Redis.
    Attributes
    String
    Optional
    Password (password)
    Description
    The password to login on Redis.
    Attributes
    String
    Optional
    Sensitive
    Minimum Idle Connections (minimumIdleConnections)
    Description
    The minimum amount of idle Redis connections.
    Attributes
    Integer
    Optional
    Default value
    24
    Maximum Pool Size (maximumPoolSize)
    Description
    The maximum Redis connection pool size.
    Attributes
    Integer
    Optional
    Default value
    64
    Idle Timeout [ms] (idleTimeoutInMs)
    Description
    The maximum time in milliseconds a connection is allowed to be idle before it is closed and removed from the pool. The connection is closed and removed from the pool only if the current number of connections exceeds the minimum idle connections pool size.
    Attributes
    Integer
    Optional
    Default value
    10000
    Connection Timeout [ms] (connectionTimeoutInMs)
    Description
    The maximum time in milliseconds to wait to acquire a live connection to the Redis server.
    Attributes
    Integer
    Optional
    Default value
    10000
    Response Timeout [ms] (responseTimeoutInMs)
    Description
    The Redis server response timeout. The timer starts as soon as the Redis command is sent successfully.
    Attributes
    Integer
    Optional
    Default value
    10000
    Ping Connection Interval [ms] (pingConnectionIntervalInMs)
    Description
    The time interval with which "PING" commands (https://redis.io/commands/ping/) are sent to Redis for each connection. To disable the pinging set the value to 0.
    Attributes
    Integer
    Optional
    Default value
    30000
    Trust Store Path (trustStorePath)
    Description
    Keystore file name containing trusted certificate issuers and trusted certificates.
    Attributes
    File/Path
    Optional
    Trust Store Password (trustStorePassword)
    Description
    The password used to check the integrity of the trust store, or to unlock the trust store.

    The password must be provided if a trust store is configured.

    Attributes
    String
    Optional
    Sensitive
    Verify Server Hostname (verifyServerHostname)
    Description

    Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

    Attributes
    Boolean
    Optional
    Default value
    true
    Key Store Path (keyStorePath)
    Description
    The keystore containing a client certificate (including its private key) for Airlock IAM. The client certificate is used to establish a mutual TLS (mTLS) connection with Redis.
    Attributes
    File/Path
    Optional
    Key Store Password (keyStorePassword)
    Description
    The password used to check the integrity of the keystore, or to unlock the keystore.

    The password must be provided if a keystore is configured.

    Attributes
    String
    Optional
    Sensitive
    Encryption (encryption)
    Description

    Encryption settings defining whether and how state information in Redis is encrypted. IAM state contains sensitive information. State encryption prevents other systems from reading and modifying IAM state information.

    To enable state encryption with non-encrypted state already present, use the "Migrating State Encryption" plugin.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Use Legacy Key Format (legacyKeyFormat)
    Description
    If enabled, session data for the Loginapp and Adminapp is stored in a flat key naming scheme that is backward compatible to IAM 8.1. If disabled (default for new installations as of IAM 8.2), all keys are stored in a structured naming scheme.

    When changing this setting after state has already been stored in Redis, that state will be lost and the corresponding sessions will be terminated.

    Attributes
    Boolean
    Optional
    Default value
    false
    Namespace (namespace)
    Description

    A string that will be used as a namespace for the keys in Redis.

    This is useful if, for example, multiple IAM instances share the same Redis instance and their Redis keys must not interfere with each other.

    When changing this setting after state has already been stored in Redis, that state will be lost and the corresponding sessions will be terminated.

    Attributes
    String
    Optional
    Validation RegEx: ^[A-Za-z0-9]+$
    Default value
    default
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.state.SingleModeRedisStateRepositoryConfig
    id: SingleModeRedisStateRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      connectionTimeoutInMs: 10000
      encryption:
      idleTimeoutInMs: 10000
      keyStorePassword:
      keyStorePath:
      legacyKeyFormat: false
      maximumPoolSize: 64
      minimumIdleConnections: 24
      namespace: default
      password:
      pingConnectionIntervalInMs: 30000
      redisUri:
      responseTimeoutInMs: 10000
      trustStorePassword:
      trustStorePath:
      username:
      verifyServerHostname: true
    
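    The property descriptions above name several settings that weaken the Redis connection or the stored state (redis:// instead of rediss://, hostname verification switched off, missing state encryption, a trust or key store without its password). The following added example, which is not Airlock IAM code, lints the `properties` block of a Single Mode Redis State Repository Config for exactly these conditions. It reads only the flat `key: value` lines of the YAML template plus one level of nesting (a real check would load the full configuration with a YAML library); the two sample templates and the `ExampleStateEncryption` plugin type are constructed placeholders.

```python
"""Lint a Single Mode Redis State Repository Config for weak settings.

Added example, not Airlock IAM code. Parses only the flat template
format shown on this page; sample templates are constructed.
"""
import re

NAMESPACE_RE = re.compile(r"^[A-Za-z0-9]+$")   # validation regex from the property description


def _coerce(value):
    """Map a YAML scalar of the template to None / bool / int / str."""
    if value == "":
        return None
    if value in ("true", "false"):
        return value == "true"
    if value.lstrip("-").isdigit():
        return int(value)
    return value


def parse_properties(template):
    """Return the `properties:` block of a plugin YAML template as a dict."""
    props, in_props, last_key = {}, False, None
    for raw in template.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        stripped = raw.strip()
        if indent == 0:                            # top-level key: type, id, properties, ...
            in_props = stripped == "properties:"
            continue
        if not in_props:
            continue
        key, _, value = stripped.partition(":")
        if indent >= 4 and last_key is not None:   # nested plugin block, e.g. under encryption:
            nested = props.get(last_key) or {}
            nested[key] = _coerce(value.strip())
            props[last_key] = nested
        else:
            props[key] = _coerce(value.strip())
            last_key = key
    return props


def lint_redis_state_config(props):
    """Return a list of findings; an empty list means no weak setting was found."""
    findings = []
    uri = props.get("redisUri") or ""
    encrypted = uri.startswith("rediss://")
    if uri.startswith("redis://"):
        findings.append("redisUri uses redis:// (unencrypted); use rediss://")
    elif not encrypted:
        findings.append("redisUri is missing or has an unknown scheme")
    if props.get("verifyServerHostname") is False:
        findings.append("verifyServerHostname=false: any certificate the trust store accepts is enough")
    if props.get("trustStorePath") and not props.get("trustStorePassword"):
        findings.append("trustStorePath set without trustStorePassword (required)")
    if props.get("keyStorePath") and not props.get("keyStorePassword"):
        findings.append("keyStorePath set without keyStorePassword (required)")
    if not props.get("encryption"):
        findings.append("encryption is mandatory: IAM state holds sensitive data")
    if props.get("password") and not encrypted:
        findings.append("Redis credentials would be sent in clear text")
    namespace = props.get("namespace")
    if namespace is not None and not NAMESPACE_RE.match(str(namespace)):
        findings.append("namespace must match ^[A-Za-z0-9]+$")
    pool, idle = props.get("maximumPoolSize"), props.get("minimumIdleConnections")
    if isinstance(pool, int) and isinstance(idle, int) and idle > pool:
        findings.append("minimumIdleConnections exceeds maximumPoolSize")
    return findings


# Constructed sample: the weak variant and the corrected one side by side.
WEAK_TEMPLATE = """\
type: com.airlock.iam.common.application.configuration.state.SingleModeRedisStateRepositoryConfig
id: SingleModeRedisStateRepositoryConfig-xxxxxx
properties:
  encryption:
  maximumPoolSize: 64
  minimumIdleConnections: 24
  namespace: default
  password: s3cret
  redisUri: redis://localhost:6379
  trustStorePassword:
  trustStorePath:
  verifyServerHostname: false
"""

HARDENED_TEMPLATE = """\
type: com.airlock.iam.common.application.configuration.state.SingleModeRedisStateRepositoryConfig
id: SingleModeRedisStateRepositoryConfig-xxxxxx
properties:
  encryption:
    type: ExampleStateEncryption
  maximumPoolSize: 64
  minimumIdleConnections: 24
  namespace: prodiam
  password: s3cret
  redisUri: rediss://redis.internal:6379
  trustStorePassword: changeit
  trustStorePath: /etc/iam/redis-truststore.p12
  username: iam
  verifyServerHostname: true
"""

if __name__ == "__main__":
    for name, template in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(name, lint_redis_state_config(parse_properties(template)) or "OK")
```

    The check for credentials over redis:// is deliberately separate from the scheme check: a deployment that sets Username and Password but keeps an unencrypted URI exposes the Redis credentials on the wire in addition to the state itself, and the finding should say so.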

    SMPP SMS Gateway

    Description
    SMS Gateway implementation that supports sending short messages over an SMSC's SMPP v3.4 interface.
    Properties
    Server With Port (serverWithPort)
    Description
    Host address with port of the SMPP SMS Gateway.
    Attributes
    String
    Mandatory
    Example
    192.0.2.64:8080
    Example
    smpp3.infobip.com:8888
    Example
    smpp2.infobip.com:8887
    Account Username (accountUsername)
    Description
    Username or System ID of the registered SMPP account.
    Attributes
    String
    Mandatory
    Account Password (accountPassword)
    Description
    Password of the SMPP account.
    Attributes
    String
    Mandatory
    Sensitive
    Smpp Bind Type (smppBindType)
    Description
    How to bind to the SMPP Gateway.
    SMPP supports:
    • Transceiver: send and receive SMS
    • Transmitter: send SMS
    • Receiver: receive SMS
    Attributes
    Enum
    Optional
    Default value
    TRANSCEIVER
    Message Encoding Charset (messageEncodingCharset)
    Description

    The charset to encode messages. This parameter is specified by the SMSC Server and must correlate with the "Data Coding Scheme" below. Notice that some charsets use more bytes than others to encode (certain) characters and thus reduce the maximum size of the message.

    Attributes
    Enum
    Optional
    Default value
    ISO_8859_1
    Data Coding Scheme (dataCodingScheme)
    Description

    The DCS or Data Coding Scheme indicates to the SMSC Server how the binary message shall be interpreted. A value of 0x00 (the default) leaves the decision to the server. Unless it is configurable on the server, a more specific DCS should be chosen based on the charset above.

    Attributes
    Enum
    Optional
    Default value
    DEFAULT
    Max Number Of Sessions (maxNumberOfSessions)
    Description
    Maximum number of concurrent sessions to open with the SMPP SMS Gateway. If this gateway is used by several modules (Adminapp, Loginapp, etc.), each module gets its own instance of the gateway and therefore its own session pool, so this property does not cap the total number of sessions opened against your provider. In multi-instance setups (active-active or horizontally scaling cloud setups) with n instances, the number of session pools is multiplied by n as well.
    Attributes
    Integer
    Optional
    Default value
    1
    Window Size (windowSize)
    Description
    The window size to use.
    The number of unacknowledged requests is called a window; for the best performance both communicating sides must be configured with the same window size.
    Attributes
    Integer
    Optional
    Default value
    1
    Connection And Send Timeout (connectionAndSendTimeout)
    Description
    Timeout in milliseconds, used both as connection timeout and as send timeout.
    Connection timeout: how long to wait while trying to connect to the SMPP provider.
    Send timeout: how long to wait for a response when sending an SMS. This includes waiting for a free "window" slot, transmitting the bytes on the socket and waiting for the remote endpoint's response.
    Attributes
    Integer
    Optional
    Default value
    10000
    Source TON (sourceTon)
    Description
    The TON (type of number) value to use for the source number. If your provider does not require a specific value, keep the default "Unknown", which most providers support.
    Attributes
    Enum
    Optional
    Default value
    UNKNOWN
    Source NPI (sourceNpi)
    Description
    The NPI (numbering plan identification) value to use for the source number. If your provider does not require a specific value, keep the default "Unknown", which most providers support.
    Attributes
    Enum
    Optional
    Default value
    UNKNOWN
    Destination TON  (destTon)
    Description
    The TON value to use for the destination number. If your provider does not require a specific value, keep the default "Unknown", which most providers support.
    Attributes
    Enum
    Optional
    Default value
    UNKNOWN
    Destination NPI (destNpi)
    Description
    The NPI value to use for the destination number. If your provider does not require a specific value, keep the default "Unknown", which most providers support.
    Attributes
    Enum
    Optional
    Default value
    UNKNOWN
    Flash Mode (flashMode)
    Description

    When sending a message as flash message (Message Class 0), there are multiple ways of marking the message as such.

    • DCS code 0xF0: Use 0xF0 as DCS code (SMPP 3.4 default)
    • DCS code 0x10: Use 0x10 as DCS code (legacy GSM mode supported by some providers)
    • dest_addr_subunit code: Use the optional parameter 'dest_addr_subunit' (as suggested as the recommended way by SMPP 3.4 standard)
    • Ignore Flash: In case flash doesn't work correctly or isn't able to display special characters, send flash messages as normal messages instead
    Attributes
    Enum
    Optional
    Default value
    DCS_CODE_F0
    Session Name (sessionName)
    Description
    The name of the session to the SMPP provider.
    If you need to give the session a specific name, set it here. Otherwise keep the default name.
    Attributes
    String
    Optional
    Default value
    IAM-SmppSmsGateway
    Enable Debugging (enableDebugging)
    Description
    Enable debug logging of all communication. Please note that the logged communication may contain the account password, mobile numbers and tokens. Only enable this option while debugging connection problems.
    Attributes
    Boolean
    Optional
    Default value
    false
    Use SSL (useSsl)
    Description
    If set to true, TLS (SSL) is used to communicate with the SMPP provider. In that case, make sure the trust store properties below are set as well.
    Attributes
    Boolean
    Optional
    Default value
    false
    Trust Store Path (trustStorePath)
    Description
    The path of the JKS trust store. Mandatory property if SSL is turned on.
    Attributes
    File/Path
    Optional
    Trust Store Password (trustStorePassword)
    Description
    The password of the JKS trust store. Mandatory property if SSL is turned on.
    Attributes
    String
    Optional
    Sensitive
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.sms.SmppSmsGatewaySettings
    id: SmppSmsGatewaySettings-xxxxxx
    displayName: 
    comment: 
    properties:
      accountPassword:
      accountUsername:
      connectionAndSendTimeout: 10000
      dataCodingScheme: DEFAULT
      destNpi: UNKNOWN
      destTon: UNKNOWN
      enableDebugging: false
      flashMode: DCS_CODE_F0
      maxNumberOfSessions: 1
      messageEncodingCharset: ISO_8859_1
      serverWithPort:
      sessionName: IAM-SmppSmsGateway
      smppBindType: TRANSCEIVER
      sourceNpi: UNKNOWN
      sourceTon: UNKNOWN
      trustStorePassword:
      trustStorePath:
      useSsl: false
      windowSize: 1
    

    SMS Event Subscriber (Adminapp)

    Description
    An event subscriber that sends an SMS to notify a user.
    May be used by
    Properties
    SMS settings (smsSettings)
    Description
    Settings used to send an SMS to the notified user.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Phone Number Providers (phoneNumberProviders)
    Description
    Provides the phone numbers to which the notification will be sent.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Message Resource Key (messageResourceKey)
    Description
    The resource key under which the localized template for the SMS message can be found. The following syntax can be used to include data in the template.
    • ${contextDataName} for the value of contextDataName in the context-data of the managed user.
    • ${event.createdAt,date,format} for the date/time at which the event was created, where "format" is a date pattern like "yyyy-MM-dd HH:mm:ss".
    Depending on the event and on the conditions in which the event originated, the following variables may also be available:
    • event.createdAt
    • event.data.addedRoles (list of strings)
    • event.data.airlock2FAAccountId
    • event.data.airlock2FADeviceId
    • event.data.activeAuthenticationMethod
    • event.data.contextDataChanged.%s.newValue (where "%s" is replaced by the context-data field name).
    • event.data.contextDataChanged.%s.oldValue (where "%s" is replaced by the context-data field name).
    • event.data.crontoDeviceId
    • event.data.fidoCredentialId
    • event.data.lockReason
    • event.data.mtanNewPhoneNumber
    • event.data.mtanNumberId
    • event.data.mtanOldPhoneNumber
    • event.data.newEmailAddress
    • event.data.newRoles (list of strings)
    • event.data.oldEmailAddress
    • event.data.oldRoles (list of strings)
    • event.data.previousAuthenticationMethod
    • event.data.removedRoles (list of strings)
    • event.data.userId
    • event.id
    • event.metadata.requestIp
    • event.metadata.userAgent
    • event.source.adminId
    Variables that are not defined are replaced by an empty string. The Airlock IAM documentation provides further information about the availability of specific variables.
    Attributes
    String
    Optional
    Default value
    sms.notification.message
    Language Context Data Name (languageContextDataName)
    Description
    The context data field whose value is to be used as the recipient's message language. If the provided value is blank or invalid, the default language will be used.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Default Language (defaultLanguage)
    Description
    The default language code used when no (or no valid) information about the current language is present. A corresponding locale must be available.
    Attributes
    String
    Optional
    Default value
    de
    Suggested values
    de, fr, en
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.event.AdminappSmsEventSubscriberConfig
    id: AdminappSmsEventSubscriberConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultLanguage: de
      event:
      languageContextDataName:
      messageResourceKey: sms.notification.message
      phoneNumberProviders:
      smsSettings:
    

    SMS Event Subscriber (Loginapp)

    Description
    An event subscriber that sends an SMS to notify a user.
    May be used by
    Properties
    SMS Settings (smsSettings)
    Description
    Settings used to send an SMS to the notified user.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Phone Number Providers (phoneNumberProviders)
    Description
    Provides the phone numbers to which the notification will be sent.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Message Resource Key (messageResourceKey)
    Description
    The resource key under which the localized template for the SMS message can be found. The following syntax can be used to include data in the template.
    • ${valueMapKey} for the value of valueMapKey provided by any of the configured Value Map Providers.
    • ${event.createdAt,date,format} to include the date/time at which the event was created, where "format" is a date pattern like "yyyy-MM-dd HH:mm:ss".
    Depending on the event and on the conditions in which the event originated, the following variables may also be available:
    • event.createdAt
    • event.data.airlock2FAAccountId
    • event.data.airlock2FADeviceId
    • event.data.activeAuthenticationMethod
    • event.data.authenticationMethods
    • event.data.browser
    • event.data.city
    • event.data.contextDataChanged.%s.newValue (where "%s" is replaced by the context-data field name).
    • event.data.contextDataChanged.%s.oldValue (where "%s" is replaced by the context-data field name).
    • event.data.countryCode
    • event.data.crontoDeviceId
    • event.data.device
    • event.data.deviceTokenId
    • event.data.fidoCredentialId
    • event.data.fidoPublicKeyCredentialId
    • event.data.fidoRelyingPartyId
    • event.data.lockReason
    • event.data.mtanNewPhoneNumber
    • event.data.mtanNumberId
    • event.data.mtanOldPhoneNumber
    • event.data.newEmailAddress
    • event.data.oldEmailAddress
    • event.data.operatingSystem
    • event.data.previousAuthenticationMethod
    • event.data.stepResult.attributes.<attribute-name> (where <attribute-name> is the name of the additional attribute; it may be nested.)
    • event.data.stepResult.errorCode
    • event.data.stepResult.nextAction
    • event.data.stepResult.type
    • event.data.userId
    • event.id
    • event.metadata.requestIp
    • event.metadata.userAgent
    • event.source.applicationId
    • event.source.configurationContext
    • event.source.flowId
    • event.source.stepId
    Variables that are not defined are replaced by an empty string. The Airlock IAM documentation provides further information about the availability of specific variables.
    Attributes
    String
    Optional
    Default value
    sms.notification.message
    Language (language)
    Description
    A String Value Provider which provides the language of the message. It is recommended to use a context data field and not the display language, as the latter could be misused by an attacker to confuse the victim with a message in an unexpected language.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Value Map Providers (valueMapProviders)
    Description
    Mappings that are used to replace the variables in the localized templates for the notification's content. The value map providers are called in the configured order and their values are added to a map. Later added values will overwrite earlier ones if they have the same key.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.event.LoginappSmsEventSubscriberConfig
    id: LoginappSmsEventSubscriberConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      event:
      language:
      messageResourceKey: sms.notification.message
      phoneNumberProviders:
      smsSettings:
      valueMapProviders:
    
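    The two SMS Event Subscribers above share one template syntax: `${name}` is looked up in the available data (dotted names such as event.data.userId walk nested event data), `${name,date,pattern}` formats a timestamp with a Java-style date pattern, undefined variables become the empty string, and (for the Loginapp variant) the Value Map Providers are merged in configured order with later values overwriting earlier ones. The following added example, which is not Airlock IAM code, implements that renderer so the substitution rules can be exercised on a constructed role-change event. It assumes only the date tokens yyyy, MM, dd, HH, mm and ss need translating and that list values such as addedRoles are joined with ", "; the event, the providers and the template text are constructed for the example.

```python
"""Render an SMS notification template with the ${...} syntax described above.

Added example, not Airlock IAM code. Sample event and providers are
constructed; the date token mapping and list joining are assumptions.
"""
import re
from datetime import datetime

VAR_RE = re.compile(r"\$\{([^}]*)\}")
JAVA_DATE_TOKENS = (("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"),
                    ("HH", "%H"), ("mm", "%M"), ("ss", "%S"))


def java_pattern_to_strftime(pattern):
    """Translate the supported Java date pattern tokens into strftime directives."""
    for java, py in JAVA_DATE_TOKENS:
        pattern = pattern.replace(java, py)
    return pattern


def merge_value_maps(providers):
    """Call the providers in configured order; later keys overwrite earlier ones."""
    merged = {}
    for provider in providers:
        merged.update(provider())
    return merged


def lookup(name, values):
    """Resolve a dotted variable name against nested dicts; None when undefined."""
    node = values
    for part in name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def render(template, values):
    """Replace every ${...} occurrence; undefined variables become empty strings."""
    def substitute(match):
        spec = [p.strip() for p in match.group(1).split(",")]
        value = lookup(spec[0], values)
        if value is None:
            return ""
        if len(spec) == 3 and spec[1] == "date":
            if not isinstance(value, datetime):
                return ""                          # not a timestamp: nothing to format
            return value.strftime(java_pattern_to_strftime(spec[2]))
        if isinstance(value, list):
            return ", ".join(str(v) for v in value)   # assumption: lists joined with ", "
        return str(value)
    return VAR_RE.sub(substitute, template)


# Constructed sample: a role-change event plus two context-data providers.
SAMPLE_EVENT = {"event": {
    "id": "evt-0001",
    "createdAt": datetime(2024, 5, 17, 9, 30, 0),
    "data": {"userId": "jdoe", "addedRoles": ["admin", "auditor"],
             "contextDataChanged": {"email": {"oldValue": "a@example.com",
                                              "newValue": "b@example.com"}}},
    "metadata": {"requestIp": "203.0.113.7"},
}}
PROVIDERS = (lambda: {"givenname": "Jane"},
             lambda: SAMPLE_EVENT,
             lambda: {"givenname": "Jane Doe"})   # later provider overwrites "givenname"

TEMPLATE = ("Hi ${givenname}, roles ${event.data.addedRoles} were added to "
            "${event.data.userId} on ${event.createdAt,date,yyyy-MM-dd HH:mm:ss} "
            "from ${event.metadata.requestIp}. Previous e-mail: "
            "${event.data.contextDataChanged.email.oldValue}. "
            "Lock reason: [${event.data.lockReason}]")


def render_sample():
    """Render the constructed template against the merged provider values."""
    return render(TEMPLATE, merge_value_maps(PROVIDERS))
```

    The "Lock reason" placeholder is left in the template on purpose: the page states that variables not defined for the event are replaced by an empty string, so a template written for several event types must read sensibly when such a field is blank rather than fail.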

    SMS Finder Gateway

    Description
    SMS gateway implementation for the MultiModem iSMS (formerly known as SMSFinder) appliance. Uses HTTP GET requests with a defined set of parameters in the query string to send SMS messages.
    Note:
    • As the appliance uses an internal GSM modem to send SMS messages, the originator name is configured in the device itself and cannot be set by this plugin, i.e. the originator set by Airlock IAM will be ignored.
    • The appliance supports querying the delivery status of SMS messages.
    Properties
    Username (username)
    Description
    Username used to send an SMS over this gateway.
    Attributes
    String
    Mandatory
    Example
    fmuster
    Password (password)
    Description
    Password used to send an SMS over this gateway.
    Attributes
    String
    Mandatory
    Sensitive
    Service URL (serviceUrl)
    Description
    URL of the Gateway's HTTP interface.
    Attributes
    String
    Mandatory
    Example
    http://172.24.33.55:5000/sendmsg
    Modem Index (modemIndex)
    Description
    Index of the modem used to send the SMS (available only on SF 400/800 models). If no modem index is specified, send requests are distributed over all available modems.
    Attributes
    Integer
    Optional
    Silently Handled Error Codes (silentlyHandledErrorCodes)
    Description
    Specifies the error codes which will be silently handled by the plugin, i.e. no exception will be thrown when occurring, instead a warn-level log message will be emitted.
    Attributes
    String-List
    Optional
    Proxy Host (proxyHost)
    Description
    The hostname of the HTTP proxy server (if any).
    Attributes
    String
    Optional
    Example
    proxy.company.com
    Proxy Port (proxyPort)
    Description
    The port of the HTTP proxy server (if any).
    Attributes
    Integer
    Optional
    Proxy Login User (proxyLoginUser)
    Description
    Username for the HTTP proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Proxy Login Password (proxyLoginPassword)
    Description
    Password for the HTTP proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Sensitive
    Allow Only Trusted Certs (allowOnlyTrustedCerts)
    Description

    Only allow connections to servers whose certificate is trusted. See documentation of property "Trust Store Path" for more information about what certificates are trusted.

    Security warning: Trusting all certificates allows connections to adversarial hosts. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Verify Server Hostname (verifyServerHostname)
    Description

    Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

    Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Trust Store Path (trustStorePath)
    Description

    Keystore file name containing trusted certificate issuers (and trusted certificates).

    If this property is not defined the following certificate issuers are trusted:

    • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
    • The list of issuers in a keystore referenced by system property "javax.net.ssl.trustStore" if defined in instance.properties using iam.java.opts

    If this property is defined then the following certificate issuers are trusted:

    • The list of issuers in the referenced truststore file and no others.

    This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

    Attributes
    File/Path
    Optional
    Trust Store Type (trustStoreType)
    Description
    Identifies the type of the keystore.
    Attributes
    String
    Optional
    Default value
    JKS
    Allowed values
    JKS, PKCS12
    Trust Store Password (trustStorePassword)
    Description
    The password used to verify the integrity of the trust store, or to unlock it.

    Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

    • JKS: the keystore can be opened and used but the integrity of the keystore is not checked.
    • PKCS12: an error occurs.

    Attributes
    String
    Optional
    Sensitive
    Connection/Read Timeout [s] (connectTimeout)
    Description
    The timeout in seconds used for connection timeout and read timeout.
    Therefore, a connection may take a maximum of twice this time until it is aborted.
    Attributes
    Integer
    Optional
    Default value
    10
    Correlation ID Header Name (correlationIdHeaderName)
    Description

    When configured, all requests sent contain a header with this name carrying the correlation ID. If the property is empty or undefined, or if no correlation ID is available for the request, the header is not sent.

    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9_-]+
    Suggested values
    X-Correlation-ID
    Visible Phone Number Digits In Log (visiblePhoneNumberDigitsInLog)
    Description

    Defines the number of phone number digits visible in log statements.

    Thus, if the value is zero, all digits are masked, if it is large enough, all digits are visible. If set to 3, for example, the logged number looks like ********965.

    The default is 100, i.e. showing all digits.

    Attributes
    Integer
    Optional
    Default value
    100
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sms.SmsFinderGateway
    id: SmsFinderGateway-xxxxxx
    displayName: 
    comment: 
    properties:
      allowOnlyTrustedCerts: true
      connectTimeout: 10
      correlationIdHeaderName:
      modemIndex:
      password:
      proxyHost:
      proxyLoginPassword:
      proxyLoginUser:
      proxyPort:
      serviceUrl:
      silentlyHandledErrorCodes:
      trustStorePassword:
      trustStorePath:
      trustStoreType: JKS
      username:
      verifyServerHostname: true
      visiblePhoneNumberDigitsInLog: 100
    

    SMS Gateway Selection Option

    Description

    SMS gateway selection option based on phone number regex matching.

    Allows to use a specific SMS gateway for phone numbers matching a regex pattern. If the phone number matches the pattern, the configured gateway is then used to send the SMS.

    Properties
    Pattern (pattern)
    Description

    The phone number will be checked against this pattern.

    Note that the phone number is always normalized before checking it against the configured regex patterns meaning all whitespace is removed and the country code is added if it is missing, e.g. "+411234567".

    Attributes
    RegEx
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sms.SmsGatewaySelectionRegexOption
    id: SmsGatewaySelectionRegexOption-xxxxxx
    displayName: 
    comment: 
    properties:
      gateway:
      pattern:
    
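    The Pattern description above says the phone number is normalized (whitespace removed, country code added if missing) before it is matched, and the SMS Finder Gateway's "Visible Phone Number Digits In Log" property describes how numbers are masked in logs. The following added example, which is not Airlock IAM code, puts both behaviours side by side: a normalizer, a first-match gateway selection over the normalized number, and the masking function. It assumes +41 as the default country code (the page does not say which one is added), treats a leading "00" as international prefix and a single leading "0" as national trunk prefix, matches patterns against the whole number, and lets the first matching option win; gateway names and sample numbers are constructed.

```python
"""Phone number normalization, regex gateway selection and log masking.

Added example, not Airlock IAM code. Default country code, prefix
handling, full-match semantics and the routing table are assumptions.
"""
import re

DEFAULT_COUNTRY_CODE = "+41"                  # assumption: page does not name the code added
E164_RE = re.compile(r"\+[1-9]\d{5,14}")      # "+" and 6 to 15 digits


def normalize_phone_number(raw, default_country_code=DEFAULT_COUNTRY_CODE):
    """Strip whitespace and add the country code if it is missing, e.g. "+411234567"."""
    number = re.sub(r"\s+", "", raw)
    if number.startswith("00"):
        number = "+" + number[2:]                         # 0049 ... -> +49 ...
    elif number.startswith("0"):
        number = default_country_code + number[1:]        # 079 ... -> +4179 ...
    elif not number.startswith("+"):
        number = default_country_code + number
    if not E164_RE.fullmatch(number):
        raise ValueError(f"not a usable phone number: {raw!r}")
    return number


def select_gateway(raw_number, options, default_gateway):
    """options: (regex, gateway) pairs in configured order; first full match wins."""
    number = normalize_phone_number(raw_number)
    for pattern, gateway in options:
        if re.fullmatch(pattern, number):
            return gateway
    return default_gateway


def mask_phone_number(number, visible_digits):
    """Mask all but the trailing `visible_digits` characters, e.g. 3 -> *********965."""
    keep = max(0, visible_digits)
    if keep >= len(number):
        return number                                     # "large enough": show everything
    return "*" * (len(number) - keep) + number[len(number) - keep:]


# Constructed routing table: Swiss numbers via one SMPP account, German via another.
OPTIONS = ((r"\+41\d+", "smpp-ch"), (r"\+49\d+", "smpp-de"))


def route(raw_number, visible_digits=3):
    """Return (selected gateway, number as it would appear in the log)."""
    gateway = select_gateway(raw_number, OPTIONS, "http-fallback")
    masked = mask_phone_number(normalize_phone_number(raw_number), visible_digits)
    return gateway, masked
```

    Because the regex sees the normalized form only, a pattern written for the national notation ("^079") never matches; write patterns for the international form, as in the options above.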

    SMS Identity Verification Step

    Description

    Public self-service flow step that verifies the user identity by sending an SMS with an OTP that the user has to enter correctly for the flow to continue.

    This is an identity verification step that differs from a general "factor check" step in the following ways:

    • It doesn't fail with non-existing users or users without a phone number.
    • It never presents a phone number selection, but automatically selects the last used number.
    • It implements stealth mode: if a user does not exist or cannot do public self-services for whatever reason, no error is returned, but any OTP entered is rejected, so that the step can never be completed successfully.
    Properties
    mTAN Settings (mtanSettings)
    Description
    General settings for SMS/mTAN handling.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Message Provider (messageProvider)
    Description
    Creates the message sent in the verification SMS.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    OTP Generator (otpGenerator)
    Description
    The string generator plugin to generate the one-time password (OTP) token.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Max Failed Attempts (maxFailedAttempts)
    Description
    Number of allowed failed attempts before the flow is aborted.
    Attributes
    Integer
    Optional
    Default value
    1
    OTP Validity [s] (otpValidity)
    Description
    Determines how long the OTP is valid (in seconds).
    Attributes
    Integer
    Optional
    Default value
    300
    Case-Sensitive OTP Check (otpCaseSensitive)
    Description
    If enabled, the case of characters is considered when matching the entered OTP against the generated one.
    Attributes
    Boolean
    Optional
    Default value
    true
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    MTAN
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.steps.SmsIdentityVerificationStepConfig
    id: SmsIdentityVerificationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: MTAN
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      maxFailedAttempts: 1
      messageProvider:
      mtanSettings:
      onFailureGotos:
      otpCaseSensitive: true
      otpGenerator:
      otpValidity: 300
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    SMS Notifier

    Description
    Configuration of an SMSNotifier which sends a notification SMS message to a user.
    Properties
    User Persister (userPersister)
    Description
    The user persister plug-in used to load the phone number of a user.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Originator (originatorName)
    Description
    The originator name is displayed as the sender of the SMS on the recipient's phone.
    Attributes
    String
    Mandatory
    Mobile Number Context Data Field (mobileNumberContextDataField)
    Description
    Context data field in which the mobile number is stored.
    Attributes
    String
    Mandatory
    Message Body (smsBody)
    Description
    The template used as body. This text may contain specific variable strings defined one plugin level higher (e.g. $USERNAME$) or context data variables (e.g. ${givenname}).
    Attributes
    String
    Mandatory
    Multi-line-text
    Example
    Hi $USERNAME$, this sms notifies you about something.
    Example
    Hi Mr/Ms ${givenname}, this sms notifies you about something.
    Example
    Hi Mr/Ms ${givenname}, your username is $USERNAME$.
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.notification.SmsNotifier
    id: SmsNotifier-xxxxxx
    displayName: 
    comment: 
    properties:
      mobileNumberContextDataField:
      originatorName:
      smsBody:
      smsGateway:
      userPersister:
    

    SMS Service

    Description
    SMS Service Configuration.
    Properties
    Originator (originator)
    Description
    The originator is displayed as the sender of the SMS on the recipient's phone. If configured, clients are not allowed to send an originator.
    Attributes
    String
    Optional
    Length <= 16
    Length >= 1
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.SmsServiceConfig
    id: SmsServiceConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      originator:
      smsGateway:
    

    SMTP Email Server

    Description
    Connection parameters of an SMTP email server.
    May be used by
    Properties
    Host (host)
    Description
    The host name or IP address.
    Attributes
    String
    Mandatory
    Example
    smtp
    Example
    mailer.company.com
    Example
    192.168.0.13
    Port (port)
    Description
    The port number.
    Attributes
    Integer
    Optional
    Default value
    25
    Protocol (protocol)
    Description
    Protocol to be used. Either SMTP or SMTPS (SMTP over SSL/TLS).
    For SMTPS the trust store has to be added as a Java system property: -Djavax.net.ssl.trustStore=trustStoreFile
    Attributes
    Enum
    Optional
    Default value
    SMTP
    Use STARTTLS (useStarttls)
    Description

    If enabled, STARTTLS is triggered by the client when using plain SMTP transport to switch to encrypted communication.

    This setting isn't relevant when using SMTPS (SMTP over SSL/TLS), or when STARTTLS is enforced by the server.

    Attributes
    Boolean
    Optional
    Default value
    false
    User (user)
    Description
    The user to authenticate at the mail server. This property is optional. If not set or empty, no authentication is performed when connecting to the mail server.
    Attributes
    String
    Optional
    Example
    mail
    Example
    root
    Example
    userxyz
    Password (password)
    Description
    The password to authenticate at the mail server. This property is optional. If not set or empty, no authentication is performed when connecting to the mail server.
    Attributes
    String
    Optional
    Sensitive
    Connection Timeout (connectionTimeout)
    Description
    The TCP connection timeout in milliseconds to set for all service connections made by this plugin. This property defines the time the client waits for an answer when opening a new TCP connection.
    For SMTPS, a timeout of 7000ms is recommended.
    Attributes
    Integer
    Optional
    Default value
    5000
    Read Timeout (readTimeout)
    Description
    The TCP read timeout in milliseconds to set for all service connections made by this plugin. This property defines the time the client waits for an answer on an already established connection. Adjusting this property might be necessary if the server needs a long time to answer a request, for example if sending an SMS to an external system can take a long time.

    If left empty or not defined, the OS defaults are used (which may result in infinite timeouts in some cases).
    Attributes
    Integer
    Optional
    Default value
    10000
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.email.SmtpServerConfig
    id: SmtpServerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      connectionTimeout: 5000
      host:
      password:
      port: 25
      protocol: SMTP
      readTimeout: 10000
      useStarttls: false
      user:
    

    SMTP Email Service

    Description
    Email sending service supporting SMIME signed and encrypted emails.
    Properties
    Email Servers (emailServers)
    Description
    List of servers that can be used to send an email.
    An email is generally sent using the last known working server. Initially, the first server in the list is used. If a server fails, an automatic failover to the next server is triggered. If the end of the list is reached, a rollover to the beginning of the list occurs. The failover process is repeated until all servers have been tried at most once.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
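    The server selection rule described for this property, as an added example that is not Airlock IAM code: it starts with the first server, remembers the last known working one, fails over to the next on failure, rolls over to the start of the list and tries each server at most once per email. Server names and the outage scenario are constructed.

```python
"""Email server selection with failover (added example, not Airlock IAM code)."""
from typing import Callable, List, Set


class AllServersFailed(Exception):
    """Every configured server was tried once and none accepted the email."""


class FailoverEmailSender:
    def __init__(self, servers: List[str]) -> None:
        if not servers:
            raise ValueError("at least one email server must be configured")
        self.servers = list(servers)
        # Index of the last known working server; initially the first in the list.
        self.current = 0

    def send(self, message: str, deliver: Callable[[str, str], bool]) -> str:
        """Deliver ``message`` and return the server that accepted it.

        ``deliver(server, message)`` returns True on success and False when the
        server is unavailable. Each server is tried at most once; the first one
        that succeeds becomes the new "last known working server".
        """
        count = len(self.servers)
        for attempt in range(count):
            # Modulo arithmetic implements the rollover to the start of the list.
            index = (self.current + attempt) % count
            server = self.servers[index]
            if deliver(server, message):
                self.current = index
                return server
        raise AllServersFailed(f"no server in {self.servers} accepted the email")


def simulate_outages(servers: List[str], outages: List[Set[str]]) -> List[str]:
    """Send one email per entry in ``outages`` (the set of servers down at that
    moment) and return the server chosen for each. A moment where every server
    is down is reported as "FAILED" instead of raising.
    """
    sender = FailoverEmailSender(servers)
    chosen: List[str] = []
    for down in outages:
        try:
            chosen.append(sender.send("notification", lambda s, _m: s not in down))
        except AllServersFailed:
            chosen.append("FAILED")
    return chosen


if __name__ == "__main__":
    # Constructed scenario: smtp-a is down for the first email; everything is up
    # for the second (smtp-b stays selected); then smtp-b and smtp-c fail, so the
    # sender rolls over to smtp-a; finally all three are down.
    print(simulate_outages(
        ["smtp-a", "smtp-b", "smtp-c"],
        [{"smtp-a"}, set(), {"smtp-b", "smtp-c"}, {"smtp-a", "smtp-b", "smtp-c"}],
    ))  # ['smtp-b', 'smtp-b', 'smtp-a', 'FAILED']
```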
    From Address (fromAddress)
    Description
    The from-address of the email being sent when handling an event.
    Attributes
    String
    Mandatory
    Example
    airlock@yourcompany.com
    Example
    authserver@intranet.net
    Content Transfer Encoding (contentTransferEncoding)
    Description
    The Content-Transfer-Encoding for emails being sent. If none is set, the default algorithm to detect it automatically will be applied.
    Attributes
    String
    Optional
    Suggested values
    base64, quoted-printable, 7bit, 8bit, binary, uuencode
    Content Charset (contentCharset)
    Description
    The character set used for the mail body.
    Attributes
    String
    Optional
    Default value
    UTF-8
    Allowed values
    UTF-8, ISO-8859-1, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, ISO-8859-15
    Enable Smime Sign (enableSmimeSign)
    Description
    If set to TRUE, sign the emails using SMIME.
    Attributes
    Boolean
    Optional
    Default value
    false
    Keystore File (keystoreFile)
    Description
    The file name of the Java keystore used for SMIME operations. It must contain the private key and a certificate. This is only used if SMIME is used.
    Note: If the keystore file name is relative, it is loaded relative to the current directory of the JVM process.
    Attributes
    File/Path
    Optional
    Keystore Password (keystorePassword)
    Description
    The password used to read the keystore. This is only used if SMIME is used.
    Attributes
    String
    Optional
    Sensitive
    Key Alias (keyAlias)
    Description
    The keystore alias of the private key used for SMIME signing. If the alias is not set, the first matching key is selected.
    Attributes
    String
    Optional
    Example
    signingKey
    Example
    mykey
    Key Password (keyPassword)
    Description
    The password needed to access the private key used for SMIME signing.
    Attributes
    String
    Optional
    Sensitive
    Enable Smime Encryption (enableSmimeEncryption)
    Description
    If set to TRUE, emails are sent encrypted using SMIME.
    Attributes
    Boolean
    Optional
    Default value
    false
    Encryption Error Message (encryptionErrorMessage)
    Description
    The error message to be sent to those recipients that do not have a certificate, i.e., that cannot decrypt the encrypted message.

    Only needed when encryption is enabled.

    Attributes
    String
    Optional
    Encryption Algorithm (encryptionAlgorithm)
    Description
    The encryption algorithm as provided by org.bouncycastle.mail.smime.SMIMEEnvelopedGenerator.

    Only needed when encryption is enabled.

    Attributes
    String
    Optional
    Default value
    AES256_CBC
    Allowed values
    DES_EDE3_CBC, RC2_CBC, IDEA_CBC, CAST5_CBC, AES128_CBC, AES192_CBC, AES256_CBC, CAMELLIA128_CBC, CAMELLIA192_CBC, CAMELLIA256_CBC, SEED_CBC, DES_EDE3_WRAP, AES128_WRAP, AES256_WRAP, CAMELLIA128_WRAP, CAMELLIA192_WRAP, CAMELLIA256_WRAP, SEED_WRAP, ECDH_SHA1KDF
    Email Certificate Provider (emailCertificateProvider)
    Description
    The Certificate Provider is used to load the certificate given an email address.

    Only needed when encryption is enabled.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Recipient Whitelist (recipientWhitelist)
    Description
    A list of regular expressions to only send emails to certain recipients. If this property is not set, all emails will be sent. If at least one regular expression is defined, only emails matching one of the regular expressions will be sent.
    Attributes
    RegEx-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.email.SmtpEmailService
    id: SmtpEmailService-xxxxxx
    displayName: 
    comment: 
    properties:
      contentCharset: UTF-8
      contentTransferEncoding:
      emailCertificateProvider:
      emailServers:
      enableSmimeEncryption: false
      enableSmimeSign: false
      encryptionAlgorithm: AES256_CBC
      encryptionErrorMessage:
      fromAddress:
      keyAlias:
      keyPassword:
      keystoreFile:
      keystorePassword:
      recipientWhitelist:
    

    Software ID and Software Version Processor

    Description
    Processes the "software_id" and "software_version" metadata attributes. The values are taken from the request as long as they match the configured regular expression and don't exceed the length limits imposed by the database.
    Properties
    Allowed Ids (allowedIds)
    Description
    Regex limiting the software_id provided by the client.
    Attributes
    RegEx
    Optional
    Default value
    [a-zA-Z0-9_.-]+
    Allowed Versions (allowedVersions)
    Description
    Regex limiting the software_version provided by the client.
    Attributes
    RegEx
    Optional
    Default value
    [a-zA-Z0-9_.-]+
    Mandatory (mandatory)
    Description
    If mandatory, an error is returned in case either software_id or software_version is missing or at least one doesn't match the respective configured pattern. Otherwise, both software_id and software_version are ignored and not set on the registered client.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.techclientreg.application.configuration.registration.SoftwareIdAndVersionProcessorConfig
    id: SoftwareIdAndVersionProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedIds: [a-zA-Z0-9_.-]+
      allowedVersions: [a-zA-Z0-9_.-]+
      mandatory: true
    
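    The acceptance rule for software_id and software_version described above, as an added example that is not Airlock IAM code: both values are kept only if they match the configured regexes and fit the length limit; otherwise the registration is rejected when mandatory, or both values are dropped when not. The length limit (the page only says it is imposed by the database) and the anchoring of the regex to the whole value are assumptions; the request dictionaries are constructed.

```python
"""software_id / software_version processing (added example, not Airlock IAM code)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEFAULT_PATTERN = r"[a-zA-Z0-9_.-]+"  # default of both properties in the reference
MAX_LENGTH = 255  # placeholder for the database column limit, which the page does not give


class RegistrationError(Exception):
    """Error returned to the client when mandatory metadata is missing or rejected."""


@dataclass
class SoftwareIdAndVersionProcessor:
    allowed_ids: str = DEFAULT_PATTERN
    allowed_versions: str = DEFAULT_PATTERN
    mandatory: bool = True
    max_length: int = MAX_LENGTH

    def _accepted(self, value: object, pattern: str) -> bool:
        # Assumption: the regex must match the whole value (fullmatch), so that
        # "my app" is rejected even though "my" matches a prefix.
        return (
            isinstance(value, str)
            and 0 < len(value) <= self.max_length
            and re.fullmatch(pattern, value) is not None
        )

    def process(self, request: Dict[str, object]) -> Optional[Tuple[str, str]]:
        """Return the (software_id, software_version) pair to store on the client.

        Returns None when the metadata is ignored (not mandatory and at least one
        value missing or rejected); raises RegistrationError when it is mandatory
        and missing or rejected.
        """
        software_id = request.get("software_id")
        software_version = request.get("software_version")
        if self._accepted(software_id, self.allowed_ids) and self._accepted(
            software_version, self.allowed_versions
        ):
            return (str(software_id), str(software_version))
        if self.mandatory:
            raise RegistrationError(
                "software_id and software_version are required and must match "
                f"'{self.allowed_ids}' and '{self.allowed_versions}' respectively"
            )
        return None


if __name__ == "__main__":
    strict = SoftwareIdAndVersionProcessor()
    print(strict.process({"software_id": "my-app", "software_version": "1.2.3"}))
    lenient = SoftwareIdAndVersionProcessor(mandatory=False)
    print(lenient.process({"software_id": "my app", "software_version": "1.2.3"}))  # None
```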

    Sql Executor Task

    Description
    Task that executes an SQL statement on a relational database.
    May be used by
    Properties
    Sql Data Source (sqlDataSource)
    Description
    Defines how connections to the database are obtained.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Sql Statement (sqlStatement)
    Description
    The SQL statement to be executed (without a semicolon at the end). The statement is executed within a transaction.
    Attributes
    String
    Mandatory
    Multi-line-text
    Example
    DELETE FROM medusa_user WHERE not_valid_after < now()
    Example
    UPDATE medusa_user SET locked = 1 WHERE not_valid_after < now()
    Log Executed Statements (logExecutedStatements)
    Description
    Uncheck to suppress logging of executed statements.
    Attributes
    Boolean
    Optional
    Default value
    true
    Execution Time Threshold (executionTimeThreshold)
    Description
    Defines after how many milliseconds of SQL statement execution a warning should be logged.
    Attributes
    Long
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.SqlExecutorTask
    id: SqlExecutorTask-xxxxxx
    displayName: 
    comment: 
    properties:
      executionTimeThreshold:
      logExecutedStatements: true
      sqlDataSource:
      sqlStatement:
    

    SSI Age Check Predicate

    Description
    A predicate for performing an age check. The specified age in years is compared to the threshold value (also in years) using the selected relation.
    Example: To check if someone is over 18, set the attribute name to e.g. birthdate_dateint (where the attribute contains a date in the format YYYYMMDD), the predicate type to GREATER_EQ and the age threshold to 18.
    May be used by
    Properties
    Attribute name (name)
    Description
    The attribute checked by the predicate.
    Attributes
    String
    Mandatory
    Example
    birthDate
    Example
    bestBeforeDate
    Example
    employmentStartDate
    Predicate type (type)
    Description
    The type of the predicate.
    Attributes
    Enum
    Mandatory
    Age Threshold (ageThreshold)
    Description
    An age expressed in years.
    Attributes
    Integer
    Mandatory
    Provider Key (providerKey)
    Description
    The key which can be used for obtaining information on the verified predicate from the SSI Verification Data Provider.
    Attributes
    String
    Mandatory
    Example
    over18
    YAML Template (with default values)
    
    type: com.airlock.iam.ssi.application.configuration.AgePredicateConfig
    id: AgePredicateConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      ageThreshold:
      name:
      providerKey:
      type:
    
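    The age check described above, as an added example that is not Airlock IAM code: the age in completed years is derived from an attribute holding a YYYYMMDD date and compared with the threshold using the selected relation. GREATER_EQ is the relation named on the page; the other relation names in RELATIONS are hypothetical, and the attribute values are constructed. A missing attribute, an unparsable date or an unknown relation makes the predicate fail closed.

```python
"""Age check predicate over a YYYYMMDD attribute (added example, not Airlock IAM code)."""
import operator
import re
from datetime import date
from typing import Callable, Dict, Mapping, Optional

DATEINT = re.compile(r"(\d{4})(\d{2})(\d{2})")

# GREATER_EQ is the relation from the reference; the other three names are assumed.
RELATIONS: Dict[str, Callable[[int, int], bool]] = {
    "GREATER_EQ": operator.ge,
    "GREATER": operator.gt,
    "LESS_EQ": operator.le,
    "LESS": operator.lt,
}


def parse_dateint(value: object) -> Optional[date]:
    """Parse a YYYYMMDD value (string or int); return None when it is not a real date."""
    match = DATEINT.fullmatch(str(value))
    if match is None:
        return None
    try:
        return date(*(int(part) for part in match.groups()))
    except ValueError:  # e.g. 20230230: well-formed but not a calendar date
        return None


def age_in_years(birth: date, today: date) -> int:
    """Completed years between ``birth`` and ``today``."""
    years = today.year - birth.year
    # Birthday not yet reached this year: one completed year less.
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def evaluate_age_predicate(
    attributes: Mapping[str, object], name: str, relation: str, threshold: int, today: date
) -> bool:
    """Fail closed: a missing attribute, a bad date, a future date or an unknown relation is False."""
    compare = RELATIONS.get(relation)
    if compare is None or name not in attributes:
        return False
    birth = parse_dateint(attributes[name])
    if birth is None or birth > today:
        return False
    return compare(age_in_years(birth, today), threshold)


if __name__ == "__main__":
    today = date(2024, 6, 15)
    holder = {"birthdate_dateint": 20060615}  # constructed: turned 18 on that day
    print(evaluate_age_predicate(holder, "birthdate_dateint", "GREATER_EQ", 18, today))  # True
```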

    SSI Attribute

    Description
    Represents a single attribute to be requested from the user.
    Properties
    Name (name)
    Description
    Name of the attribute as it appears in the schema.
    Attributes
    String
    Mandatory
    Example
    firstName
    Provider Key (providerKey)
    Description
    The key which can be used for obtaining the attribute value from the SSI Verification Data Provider. If omitted, the attribute name will be used as the key.
    Attributes
    String
    Optional
    Example
    givenName
    YAML Template (with default values)
    
    type: com.airlock.iam.ssi.application.configuration.SsiAttributeConfig
    id: SsiAttributeConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      name:
      providerKey:
    

    SSI Attribute Mapping

    Description
    Specifies an attribute and its value to be issued in the credential.
    May be used by
    Properties
    Attribute Name (attributeName)
    Description
    The name of the attribute as defined in the schema.
    Attributes
    String
    Mandatory
    Value Map Key (valueMapKey)
    Description
    The key used to retrieve the attribute value from the value maps.
    Attributes
    String
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.ssi.application.configuration.SsiAttributeMapping
    id: SsiAttributeMapping-xxxxxx
    displayName: 
    comment: 
    properties:
      attributeName:
      valueMapKey:
    

    SSI Authentication Step

    Description
    SSI authentication step.

    This feature is incubating. Please consult the documentation for more information.

    Properties
    Service (service)
    Description
    The SSI service to be used by this step.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Schema ID (schemaId)
    Description
    Restricts credential to this schema ID.
    Attributes
    String
    Mandatory
    Example
    NaTPHTHwrSm1vPKg6TiYnf:2:TestSchema:1.0
    Trusted Issuers (trustedIssuers)
    Description
    Restricts credential to these issuer DIDs. If left empty, a credential is accepted from any issuer.
    Attributes
    String-List
    Optional
    Proof Request Title Key (proofRequestTitleKey)
    Description
    Translation key for the title of the authentication request. This is displayed to the user in the wallet app, translated to the current browser language.
    Attributes
    String
    Optional
    Default value
    authentication.ssi.proof-request-name
    User Name Attribute (userNameAttribute)
    Description
    Attribute in the schema which identifies the user. The received attribute value can be transformed to a User ID with the username transformers configured for the authentication flow.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Username Transformation (usernameTransformers)
    Description
    Transforms the username obtained from the verifiable credential. The transformation precedes the flow's Username Transformation. If one of the transformers configured here interrupts the transformation chain, username transformations in the authentication flow's configuration will be skipped.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Additional Claims (additionalClaims)
    Description
    The list of additional claims to be requested from the holder. Each item in the list specifies the attributes and predicates to be obtained from a single verifiable credential.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    SSI
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.ssi.application.configuration.step.SsiAuthenticationStepConfig
    id: SsiAuthenticationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      additionalClaims:
      authenticationMethodId: SSI
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      proofRequestTitleKey: authentication.ssi.proof-request-name
      requiresActivation: false
      schemaId:
      service:
      skipCondition:
      stepId:
      tagsOnSuccess:
      trustedIssuers:
      userNameAttribute:
      usernameTransformers:
    

    SSI Claim

    Description
    Information item to be requested from the holder and verified.
    Properties
    Schema ID (schemaId)
    Description
    Restricts credential to this schema ID.
    Attributes
    String
    Mandatory
    Example
    NaTPHTHwrSm1vPKg6TiYnf:2:TestSchema:1.0
    Trusted Issuers (trustedIssuers)
    Description
    Restricts credential to these issuer DIDs. If left empty, a credential is accepted from any issuer.
    Attributes
    String-List
    Optional
    Requested Attributes (requestedAttributes)
    Description
    Attributes to request from holder.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Requested Predicates (requestedPredicates)
    Description
    Predicates to request from holder.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.ssi.application.configuration.SsiClaimConfig
    id: SsiClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      requestedAttributes:
      requestedPredicates:
      schemaId:
      trustedIssuers:
    

    SSI Issuance Step

    Description
    SSI issuance step. Instructs the SSI service to issue a verifiable credential based on string values obtained from the specified value map providers.

    This feature is incubating. Please consult the documentation for more information.

    Properties
    Service (service)
    Description
    The SSI service to be used by this step.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Schema ID (schemaId)
    Description
    Identifier of the schema for issuing the credential.
    Attributes
    String
    Mandatory
    Example
    NaTPHTHwrSm1vPKg6TiYnf:2:TestSchema:1.0
    Value Providers (valueProviders)
    Description
    Values that will be used for issuing the credential. The value map providers are called in the configured order and their values are added to a map. Values added later will overwrite earlier ones with the same key. The resulting map is used to select the attribute values in the "Attribute Mappings".
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Attribute Mappings (attributeMappings)
    Description
    Specifies the correspondences between all attribute names of the schema and the keys used for obtaining the value from the data sources.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.ssi.application.configuration.step.SsiIssuanceStepConfig
    id: SsiIssuanceStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      attributeMappings:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      schemaId:
      service:
      skipCondition:
      stepId:
      tagsOnSuccess:
      valueProviders:
    

    SSI Passwordless Authentication Step

    Description
    SSI authentication step which identifies the user. This step identifies the user based on an SSI credential and thus does not require previous user identification (e.g. from a username/password step).

    This feature is incubating. Please consult the documentation for more information.

    Properties
    Service (service)
    Description
    The SSI service to be used by this step.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Schema ID (schemaId)
    Description
    Restricts credential to this schema ID.
    Attributes
    String
    Mandatory
    Example
    NaTPHTHwrSm1vPKg6TiYnf:2:TestSchema:1.0
    Trusted Issuers (trustedIssuers)
    Description
    Restricts credential to these issuer DIDs. If left empty, a credential is accepted from any issuer.
    Attributes
    String-List
    Optional
    Proof Request Title Key (proofRequestTitleKey)
    Description
    Translation key for the title of the authentication request. This is displayed to the user in the wallet app, translated to the current browser language.
    Attributes
    String
    Optional
    Default value
    authentication.ssi.proof-request-name
    User Name Attribute (userNameAttribute)
    Description
    Attribute in the schema which identifies the user. The received attribute value can be transformed to a User ID with the username transformers configured for the authentication flow.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Username Transformation (usernameTransformers)
    Description
    Transforms the username obtained from the verifiable credential. The transformation precedes the flow's Username Transformation. If one of the transformers configured here interrupts the transformation chain, username transformations in the authentication flow's configuration will be skipped.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Additional Claims (additionalClaims)
    Description
    The list of additional claims to be requested from the holder. Each item in the list specifies the attributes and predicates to be obtained from a single verifiable credential.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    SSI
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.ssi.application.configuration.step.SsiPasswordlessAuthenticationStepConfig
    id: SsiPasswordlessAuthenticationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      additionalClaims:
      authenticationMethodId: SSI
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      proofRequestTitleKey: authentication.ssi.proof-request-name
      requiresActivation: false
      schemaId:
      service:
      skipCondition:
      stepId:
      tagsOnSuccess:
      trustedIssuers:
      userNameAttribute:
      usernameTransformers:
    

    SSI Verification Data Provider

    Description
    Provides attribute values and predicates obtained from a previous SSI verification step.
    May be used by
    mTAN Transaction Approval Step, Secret Questions Identity Verification Step, Set Authentication Method Migration Step, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Airlock 2FA Self-Service Approval Step, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Account Link Linking Initiation Step, Remote Event Subscriber (Loginapp), Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Airlock 2FA Message Provider, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, Selection Step for Public Self-Service, OATH OTP Activation Step, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Delete FIDO Credential Initiation Step, Login From New Device Step, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, Cronto Message Provider, User Identification By Data Step (Public Self-Service), Translated String Provider, Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Template-based String Provider, Apply Changes Step, User Persisting Step Config, Start User Representation Step, mTAN Message Provider, String From Map Value Provider, Mandatory Password Change Step Config, SMS Event Subscriber (Loginapp), Disable Cronto Device Initiation Step, Email Message Provider, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Username Password Authentication Step, Certificate Credential Extraction Step Config, Set Password Step Config, Password Change Self-Service Step, SSI Verification Step, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, mTAN Self-Service Approval Step, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Delete mTAN Number Initiation Step, SSI Authentication Step, Template-based Username Transformer, Transforming Value Map Provider, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Email Event Subscriber (Loginapp), Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Airlock 2FA Mobile Only Authentication Step, Voluntary Password Change Step, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), Username Generation Step Config, Remember-Me Reset Step, Delete OAuth 2.0 Session Initiation Step, Ticket String Provider Config, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.ssi.application.configuration.SsiVerificationDataProviderConfig
    id: SsiVerificationDataProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    SSI Verification Step

    Description
    SSI verification step.

    This feature is incubating. Please consult the documentation for more information.

    Properties
    Service (service)
    Description
    The SSI service to be used by this step.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Proof Request Title Key (proofRequestTitleKey)
    Description
    Translation key for the title of the proof request. This is displayed to the user in the wallet app, translated to the current browser language.
    Attributes
    String
    Optional
    Default value
    authentication.ssi.proof-request-name
    Claims (claims)
    Description
    The list of claims to be requested from the holder. Each item in the list specifies the attributes and predicates to be obtained from a single verifiable credential.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.ssi.application.configuration.step.SsiVerificationStepConfig
    id: SsiVerificationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claims:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      proofRequestTitleKey: authentication.ssi.proof-request-name
      requiresActivation: false
      service:
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    SSO Cookie Ticket Extractor

    Description
    Extracts an SSO ticket from a specified HTTP cookie contained in the request.
    Properties
    Cookie Name (cookieName)
    Description
    The name of the cookie containing the value to be extracted.
    Attributes
    String
    Mandatory
    Example
    LOGIN-TOKEN
    URL-Decode Cookie Value (urlDecodeValue)
    Description
    If enabled, URL-decodes the extracted value using the UTF-8 character set.

    URL-decoding is applied before the 'String Transformers' run.

    Attributes
    Boolean
    Optional
    Default value
    true
    String Transformers (stringTransformers)
    Description
    The chain of string transformers that transform the extracted string value to the final extraction result.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.sso.SsoCookieTicketExtractorConfig
    id: SsoCookieTicketExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      cookieName:
      stringTransformers:
      urlDecodeValue: true
    

    SSO Credential Authenticator

    Description
    Authenticates a user based on a single sign-on (SSO) credential.
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.login.misc.oneshot.SSOCredentialAuthenticator
    id: SSOCredentialAuthenticator-xxxxxx
    displayName: 
    comment: 
    properties:
    

    SSO Header Ticket Extractor

    Description
    Extracts an SSO ticket from a specified HTTP header contained in the request.
    Properties
    Header Name (headerName)
    Description
    The name of the header bearing the value to be extracted.
    Attributes
    String
    Mandatory
    Example
    X-Login-OTP
    Example
    X-LOGIN-TOKEN
    URL-Decode Header Value (urlDecodeValue)
    Description
    If enabled, URL-decodes the extracted value using the UTF-8 character set.

    URL-decoding is applied before the 'String Transformers' run.

    Attributes
    Boolean
    Optional
    Default value
    true
    String Transformers (stringTransformers)
    Description
    The chain of string transformers that transform the extracted string value to the final extraction result.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.sso.SsoHeaderTicketExtractorConfigImpl
    id: SsoHeaderTicketExtractorConfigImpl-xxxxxx
    displayName: 
    comment: 
    properties:
      headerName:
      stringTransformers:
      urlDecodeValue: true
    

    SSO Ticket Authentication Step

    Description
    Non-interactive SSO ticket flow step. This step extracts an SSO ticket from the request to identify the user and award tags to this user. Up to 100000 tickets are kept in memory (until expiration) to prevent re-use of the same ticket.
    Properties
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    SSO_TICKET
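    The counter-reset problem described under 'Authentication Method ID' (here and in the SSI Passwordless Authentication Step above) is easiest to reason about with a small model of the failed-attempt counters. The following is an added illustration and not Airlock IAM code: the lockout threshold, the user and the password values are constructed, and the counter semantics (one counter per user and method ID, reset only by a success on that same method ID) are an assumption that follows the description above. The check `wrong_guesses_evaluated` answers the configuration question directly: if flow A and flow B share a method ID, flow B never locks, whereas with distinct IDs it locks after the threshold.

```python
"""Model of failed-attempt counters keyed by authentication method ID.

Added illustration, not Airlock IAM code: it shows why two step instances
that check different credentials need distinct Authentication Method IDs.
The lockout threshold and the user/password values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold for this model


@dataclass
class FailedAttemptStore:
    """Per-(user, method ID) counters: a successful check resets the
    counter of its own method ID only (assumed semantics)."""
    counters: Dict[Tuple[str, str], int] = field(default_factory=dict)
    locked: Set[Tuple[str, str]] = field(default_factory=set)

    def is_locked(self, user: str, method_id: str) -> bool:
        return (user, method_id) in self.locked

    def record(self, user: str, method_id: str, success: bool) -> None:
        key = (user, method_id)
        if success:
            self.counters[key] = 0
            return
        self.counters[key] = self.counters.get(key, 0) + 1
        if self.counters[key] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(key)


@dataclass
class PasswordStep:
    """A password-checking flow step bound to one authentication method ID."""
    method_id: str
    expected_password: str

    def attempt(self, store: FailedAttemptStore, user: str, supplied: str) -> bool:
        if store.is_locked(user, self.method_id):
            return False
        ok = supplied == self.expected_password
        store.record(user, self.method_id, ok)
        return ok


def wrong_guesses_evaluated(method_id_flow_a: str, method_id_flow_b: str,
                            guesses: int = 10) -> int:
    """Configuration check: how many wrong guesses does flow B evaluate for a
    user who, between guesses, logs in successfully on flow A? With a sound
    configuration this number is bounded by MAX_FAILED_ATTEMPTS."""
    store = FailedAttemptStore()
    flow_a = PasswordStep(method_id_flow_a, "password-one")  # constructed
    flow_b = PasswordStep(method_id_flow_b, "password-two")  # constructed
    user = "alice"                                          # constructed
    evaluated = 0
    for i in range(guesses):
        if store.is_locked(user, flow_b.method_id):
            break
        flow_b.attempt(store, user, f"wrong-{i}")
        evaluated += 1
        flow_a.attempt(store, user, "password-one")  # valid login on flow A
    return evaluated


if __name__ == "__main__":
    print("shared id PASSWORD :", wrong_guesses_evaluated("PASSWORD", "PASSWORD"))
    print("distinct ids       :", wrong_guesses_evaluated("PASSWORD1", "PASSWORD2"))
```

    With the shared identifier the function evaluates all ten wrong guesses because the valid login on flow A keeps resetting the single shared counter; with PASSWORD1 and PASSWORD2 it stops at three, the threshold, because the reset only touches flow A's counter. The same reasoning applies to any two step instances that check different credentials, not only passwords.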
    Ignore Ticket Data Of Tickets For Authenticated User (ignoreTicketDataOfTicketsForAuthenticatedUser)
    Description

    Ignores ticket data of tickets for the already authenticated user in the session. The step will be successful in such cases. Tickets will in any case still be validated and the step will fail for invalid tickets or tickets identifying a different user than the already authenticated user.

    This configuration might be useful in combination with other features (e.g. OpenID Connect SSO Login Hint), so that the ticket is ignored in case of an existing user session with the same user as in the ticket.

    Attributes
    Boolean
    Optional
    Default value
    false
    Ticket Extractors (ticketExtractors)
    Description
    List of ticket extractors that can extract an SSO ticket from the request. The ticket of the first successful extractor is used.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Ticket Decoder (ticketDecoder)
    Description
    Decodes the SSO ticket.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Accepted SSO Tickets Repository (acceptedSsoTicketRepository)
    Description

    Configures the repository used to store accepted SSO tickets and reject previously accepted ones.

    The in-memory repository cannot be used if multiple instances of IAM are deployed in parallel (failover, horizontal scaling). Furthermore, the in-memory repository does not preserve previously accepted SSO tickets across IAM restarts.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Username Ticket Key (usernameTicketKey)
    Description
    The ticket key where the username is stored. The value stored under this key is used to identify the user.
    Attributes
    String
    Optional
    Default value
    username
    Ticket Tag Extractors (ticketTagExtractors)
    Description
    List of ticket tag extractors that extract flow tags from the ticket; the user receives these tags when they complete this step successfully. The tags of all configured extractors are granted in addition to the tags configured under 'Tags On Success'.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Ticket Role Extractors (ticketRoleExtractors)
    Description
    List of ticket role extractors that extract roles from the ticket, if this step is completed successfully. These roles are stored in the user session and can be accessed with the SSO Ticket Roles Provider.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Ticket Context Data Extractors (ticketContextDataExtractors)
    Description
    List of ticket context data extractors that extract context data from the ticket, if this step is completed successfully. These data are stored in the user session and can be accessed with the SSO Ticket Context Data Provider.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
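    The ticket-specific properties above (extractors tried in order with URL-decoding before the string transformers, a ticket decoder, an accepted-tickets repository that rejects re-use, and the username key) form one pipeline. The following model, an added example and not Airlock IAM code, runs that pipeline against constructed requests. The ticket format (base64url JSON body followed by an HMAC-SHA256 tag), the demo key, the fixed clock value and the error code strings are all assumptions made for this illustration; the SSO Cookie Ticket Extractor and SSO Header Ticket Extractor described earlier are represented by one `RequestValueExtractor` class parameterised on the request part it reads.

```python
"""Model of an SSO ticket authentication step: ordered ticket extractors,
a ticket decoder and replay protection via an accepted-tickets repository.
Added illustration, not Airlock IAM code; ticket format, key, clock and
error codes are assumptions made for this example.
"""
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, List, Optional
from urllib.parse import quote, unquote

DEMO_KEY = b"constructed-demo-key"  # constructed; a deployment uses the decoder's configured key
FIXED_NOW = 1_700_000_000           # constructed clock value so results are deterministic
MAX_TICKETS_IN_MEMORY = 100_000     # bound quoted in the step description


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_ticket(claims: dict) -> str:
    """Issuer side: build a ticket so the step below has something to verify."""
    body = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(DEMO_KEY, body, hashlib.sha256).digest()
    return f"{_b64url(body)}.{_b64url(tag)}"


def decode_ticket(raw: str, now: int) -> dict:
    """Ticket decoder: verify the tag (constant-time) and the expiry."""
    try:
        body_b64, tag_b64 = raw.split(".")
        body, tag = _unb64url(body_b64), _unb64url(tag_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("TICKET_MALFORMED") from exc
    expected = hmac.new(DEMO_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("TICKET_INVALID")
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        raise ValueError("TICKET_EXPIRED")
    return claims


class RequestValueExtractor:
    """Cookie or header extractor: read the value from the request part
    named by `source`, URL-decode it (before the transformers run), then
    apply the transformer chain."""

    def __init__(self, source: str, name: str, url_decode: bool = True,
                 transformers: List[Callable[[str], str]] = ()):
        self.source, self.name = source, name
        self.url_decode, self.transformers = url_decode, list(transformers)

    def extract(self, request: dict) -> Optional[str]:
        value = request.get(self.source, {}).get(self.name)
        if value is None:
            return None
        if self.url_decode:
            value = unquote(value, encoding="utf-8")
        for transform in self.transformers:
            value = transform(value)
        return value


class InMemoryAcceptedTicketRepository:
    """Remembers accepted tickets until they expire so the same ticket is
    rejected on re-use. Like the in-memory repository described above it
    is per process: not shared across instances and lost on restart."""

    def __init__(self, max_size: int = MAX_TICKETS_IN_MEMORY):
        self._seen: Dict[str, int] = {}  # ticket digest -> expiry
        self.max_size = max_size

    def accept(self, raw_ticket: str, exp: int, now: int) -> bool:
        self._seen = {d: e for d, e in self._seen.items() if e > now}  # drop expired
        digest = hashlib.sha256(raw_ticket.encode()).hexdigest()
        if digest in self._seen:
            return False
        if len(self._seen) >= self.max_size:
            raise RuntimeError("accepted-ticket store full")
        self._seen[digest] = exp
        return True


class SsoTicketStep:
    def __init__(self, extractors, repository, username_key: str = "username"):
        self.extractors, self.repository = list(extractors), repository
        self.username_key = username_key

    def run(self, request: dict, now: int = FIXED_NOW) -> dict:
        # the ticket of the first extractor that yields a value is used
        raw = next((t for t in (e.extract(request) for e in self.extractors) if t), None)
        if raw is None:
            return {"ok": False, "error": "TICKET_MISSING"}
        try:
            claims = decode_ticket(raw, now)
        except ValueError as exc:
            return {"ok": False, "error": str(exc)}
        if not self.repository.accept(raw, claims["exp"], now):
            return {"ok": False, "error": "TICKET_REPLAYED"}
        user = claims.get(self.username_key)
        if not user:
            return {"ok": False, "error": "USERNAME_MISSING"}
        return {"ok": True, "user": user}


def demo() -> list:
    """Run the step against constructed requests and return the outcomes."""
    step = SsoTicketStep(
        [RequestValueExtractor("cookies", "LOGIN-TOKEN"),
         RequestValueExtractor("headers", "X-LOGIN-TOKEN",
                               transformers=[lambda v: v.removeprefix("Bearer ")])],
        InMemoryAcceptedTicketRepository())
    alice = encode_ticket({"username": "alice", "exp": FIXED_NOW + 300})
    bob = encode_ticket({"username": "bob", "exp": FIXED_NOW + 300})
    # body swapped for a different user but the original tag kept
    forged = _b64url(b'{"username":"admin","exp":1700000300}') + "." + alice.split(".")[1]
    expired = encode_ticket({"username": "carol", "exp": FIXED_NOW - 1})
    return [
        step.run({"cookies": {"LOGIN-TOKEN": quote(alice, safe="")}}),  # fresh, URL-encoded cookie
        step.run({"cookies": {"LOGIN-TOKEN": quote(alice, safe="")}}),  # same ticket presented again
        step.run({"headers": {"X-LOGIN-TOKEN": "Bearer " + bob}}),      # header path + transformer
        step.run({"cookies": {"LOGIN-TOKEN": forged}}),
        step.run({"cookies": {"LOGIN-TOKEN": expired}}),
        step.run({}),
    ]
```

    Running `demo()` yields, in order: success for alice, a replay rejection for the identical ticket, success for bob via the header extractor, and rejections for the tampered, expired and missing tickets. The digest-keyed repository is what the 'Accepted SSO Tickets Repository' property provides; in a multi-instance deployment the per-process dictionary here would have to be replaced by a shared store, exactly the caveat the description gives.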
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.sso.SsoTicketIdentifyingStepConfig
    id: SsoTicketIdentifyingStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      acceptedSsoTicketRepository:
      authenticationMethodId: SSO_TICKET
      customFailureResponseAttributes:
      customResponseAttributes:
      ignoreTicketDataOfTicketsForAuthenticatedUser: false
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      ticketContextDataExtractors:
      ticketDecoder:
      ticketExtractors:
      ticketRoleExtractors:
      ticketTagExtractors:
      usernameTicketKey: username
    

    SSO Ticket Context Data Extractor

    Description
    Extracts the configured values from a ticket and transforms them into context data. This context data can then be provided in the ID propagation configuration.
    Properties
    Ticket Keys (ticketKeys)
    Description
    List of ticket keys, whose values should be transformed into context data. Non-existing ticket keys are ignored.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.sso.DefaultSsoTicketContextDataExtractorConfig
    id: DefaultSsoTicketContextDataExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      ticketKeys:
    

    SSO Ticket Context Data Provider

    Description
    Provides all context data that have been extracted from an SSO ticket.
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.targetapp.SsoTicketContextDataProviderConfig
    id: SsoTicketContextDataProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    SSO Ticket Identity Propagator

    Description
    SSO ticket identity propagator.

    Redirects to another Loginapp and provides the user ID and user roles as a query parameter (encryption strongly recommended).

    This identity propagator works together with the SSO facility of the Loginapp. Using this plugin one Loginapp could play the IdP role and the other Loginapp could play the SP role in a very simple cross-domain SSO setup.

    Properties
    Ticket Parameter Name (ticketParameterName)
    Description
    The SSO ticket query parameter name.

    To use it together with another Loginapp instance as service provider, always configure 'sso' as the parameter name.

    Attributes
    String
    Optional
    Default value
    sso
    Example
    sso
    Example
    ticket
    Ticket Lifetime In Seconds (ticketLifetimeInSeconds)
    Description
    The SSO ticket lifetime in seconds.

    How long the SSO ticket is considered valid.

    Attributes
    Integer
    Optional
    Default value
    5
    Redirect URL (redirectUrl)
    Description
    The intermediate redirect URL.

    Configure this if you do not want to redirect the browser to the original target URL but rather to a static URL and provide the original target URL as a query parameter.

    Attributes
    String
    Optional
    Example
    https://www.test.com/medusa-login/check-login
    Forward Location Parameter (forwardLocationParameter)
    Description
    The forward location URL parameter.

    Only used if "Redirect URL" is configured and not empty.

    The original target URL is appended to the "Redirect URL" as a query parameter with this name.

    Attributes
    String
    Optional
    Default value
    Location
    Example
    Location
    Encoder (encoder)
    Description
    The ticket encoder plugin used to sign and encrypt the SSO ticket.

    Note: for browser compatibility make sure the resulting redirect URL is no longer than 2000 characters.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Additional Data Ticket Service (additionalDataTicketService)
    Description
    The ticket service providing additional ticket data.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Additional Data Key Value Pairs (additionalDataKeyValuePairs)
    Description
    Additional fixed name-value pairs that are passed to the ticket service.
    If supported by the ticket service plugin, this is a way to add extra key-value pairs to a ticket.
    These pairs are added to the key-value pairs passed to this plugin by the calling application and overwrite existing values with the same key.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.SsoTicketIdentityPropagator
    id: SsoTicketIdentityPropagator-xxxxxx
    displayName: 
    comment: 
    properties:
      additionalDataKeyValuePairs:
      additionalDataTicketService:
      encoder:
      forwardLocationParameter: Location
      redirectUrl:
      ticketLifetimeInSeconds: 5
      ticketParameterName: sso
    

    SSO Ticket Request Authentication

    Description
    Extracts an SSO ticket from a request to authenticate single requests.

    SSO tickets are not remembered, so the same ticket can be used for multiple requests.

    Properties
    SSO Ticket Extractor (ssoTicketExtractor)
    Description
    Determines where the SSO ticket is to be extracted from.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Ticket Decoder (ticketDecoder)
    Description

    The ticket decoder plugin used to decode the SSO ticket.

    Security note: If tickets are transported via the web browser (in the URL), they need to be protected. Make sure to use an appropriate ticket decoder securing the ticket (e.g. digitally signed and/or encrypted)!

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Context Data Extractors (contextDataExtractors)
    Description
    List of ticket context data extractors that extract custom data from the ticket.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Username Key (usernameKey)
    Description
    The ticket key containing the username.
    Attributes
    String
    Optional
    Default value
    username
    Provided Username Key (providedUsernameKey)
    Description

    The ticket key containing the provided username, which is used for logging and possibly displayed.

    This is not combinable with Username Transformation. If the ticket does not contain a provided username, the value from "Username Key" is used.

    Attributes
    String
    Optional
    Roles Key (rolesKey)
    Description
    The ticket key containing the user's roles. If not configured, no roles are extracted from the ticket.
    Attributes
    String
    Optional
    Example
    roles
    User Store (userStore)
    Description
    If configured, the user is loaded from local persistence and checked for validity. Authentication fails if the user is not found or is invalid. If no user store is configured, no persistency look-up takes place and the authentication is performed on data contained within the credential only.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Username Transformation (usernameTransformers)
    Description
    Transforms the provided username from the credential to a technical user ID.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Static Roles (staticRoles)
    Description
    Static list of roles granted to the authenticated user.
    Attributes
    String-List
    Optional
    Roles Blocklist (rolesBlocklist)
    Description
    List of role names that won't be granted to the authenticated user. The block list is also applied to persistent roles (if available).
    Attributes
    String-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.credential.SsoTicketRequestAuthenticationConfig
    id: SsoTicketRequestAuthenticationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataExtractors:
      providedUsernameKey:
      rolesBlocklist:
      rolesKey:
      ssoTicketExtractor:
      staticRoles:
      ticketDecoder:
      userStore:
      usernameKey: username
      usernameTransformers:
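An added example (Python, not Airlock IAM code) modelling the hand-off described above: the SSO Ticket Identity Propagator builds the redirect on the IdP side and the SSO Ticket Request Authentication plugin consumes it on the SP side. Assumptions: the real encoder/decoder plugins are replaced by an HMAC-SHA256 stand-in (no encryption), the ticket is a JSON map carrying a constructed issue-time key 'iat', and the ticket arrives as a query parameter; the key names 'username' and 'roles', the 'sso' parameter, the 5-second lifetime and the 'Location' forward parameter are the page's defaults and examples.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"   # stand-in for the encoder/decoder key material
TICKET_PARAM = "sso"               # page default: Ticket Parameter Name
LIFETIME_S = 5                     # page default: Ticket Lifetime In Seconds


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- IdP side: SSO Ticket Identity Propagator -------------------------------

def encode_ticket(data: dict, now: float) -> str:
    """Stand-in for the 'Encoder' plugin. The real plugins sign and/or encrypt;
    here the JSON body only gets an HMAC-SHA256 tag. 'iat' is a constructed key."""
    body = json.dumps(dict(data, iat=int(now)), sort_keys=True).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def propagate(target_url: str, username: str, roles: list, now: float,
              redirect_url: str = "", forward_param: str = "Location") -> str:
    """Build the redirect URL the propagator issues: the ticket goes into the
    'sso' query parameter. If 'Redirect URL' is set, the browser is sent there
    and the original target is appended under 'Forward Location Parameter'."""
    ticket = encode_ticket({"username": username, "roles": roles}, now)
    if redirect_url:
        return redirect_url + "?" + urlencode({forward_param: target_url, TICKET_PARAM: ticket})
    sep = "&" if "?" in target_url else "?"
    return target_url + sep + urlencode({TICKET_PARAM: ticket})


# --- SP side: SSO Ticket Request Authentication -----------------------------

def decode_ticket(ticket: str, now: float) -> dict:
    """Stand-in for the 'Ticket Decoder' plugin plus the lifetime check.
    Raises ValueError for malformed, tampered or expired tickets."""
    try:
        body_b64, tag_b64 = ticket.split(".", 1)
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError as exc:  # binascii.Error is a ValueError as well
        raise ValueError("malformed ticket") from exc
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ticket signature invalid")
    data = json.loads(body)
    if not data["iat"] <= now < data["iat"] + LIFETIME_S:
        raise ValueError("ticket expired")
    return data


def authenticate_request(url: str, now: float, username_key: str = "username",
                         roles_key: str = None, static_roles=(), roles_blocklist=()) -> dict:
    """Extract the ticket from the request (a query-parameter 'SSO Ticket
    Extractor'), decode it and derive the authentee. Tickets are not remembered,
    so nothing here prevents a second use within the lifetime."""
    params = parse_qs(urlsplit(url).query)
    if TICKET_PARAM not in params:
        raise ValueError("no ticket in request")
    data = decode_ticket(params[TICKET_PARAM][0], now)
    # No 'Roles Key' configured -> no roles are taken from the ticket.
    roles = list(data.get(roles_key, [])) if roles_key else []
    roles.extend(static_roles)       # 'Static Roles' are always added ...
    blocked = set(roles_blocklist)   # ... unless listed in 'Roles Blocklist'
    granted = []
    for role in roles:
        if role not in blocked and role not in granted:
            granted.append(role)
    return {"username": data[username_key], "roles": granted}


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    url = propagate("https://sp.example/app/home", "jdoe", ["admin", "user"], t0)
    print(authenticate_request(url, t0 + 1, roles_key="roles",
                               static_roles=["sso-user"], roles_blocklist=["admin"]))
```

Because tickets are not remembered, the same ticket authenticates again within its lifetime; the short default lifetime is what bounds that window.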
    

    SSO Ticket Role Extractor

    Description
    Extracts the configured values from a ticket and transforms them into roles. The roles can then be provided in the ID propagation configuration.
    Properties
    Ticket Keys (ticketKeys)
    Description
    List of ticket keys, whose values should be transformed into roles. Non-existing ticket keys are ignored.
    Attributes
    String-List
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.sso.DefaultSsoTicketRoleExtractorConfig
    id: DefaultSsoTicketRoleExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      ticketKeys:
    

    SSO Ticket Roles Provider

    Description
    Provides all roles that have been extracted from an SSO ticket.
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.targetapp.SsoTicketRolesProviderConfig
    id: SsoTicketRolesProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    SSO Ticket Tag Extractor

    Description
    Extracts values from a ticket for the configured keys and transforms them into tags using the configured mapping. The tags of all configured extractors are granted in addition to the tags configured under 'Tags On Success'.
    Properties
    Ticket Keys (ticketKeys)
    Description
    List of ticket keys, whose values should be transformed into tags. Non-existing ticket keys are ignored.
    Attributes
    String-List
    Mandatory
    Ticket Value To Tag (ticketValueToTag)
    Description
    Mapping of ticket values to tags. If no mapping for a ticket value exists, it is ignored. If multiple tags with the same name but different timeouts are used, it is undefined which tag gets applied.
    Attributes
    Plugin-Map
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.sso.DefaultSsoTicketTagExtractorConfig
    id: DefaultSsoTicketTagExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      ticketKeys:
      ticketValueToTag:
    

    Start User Representation Step

    Description
    Self-service step that starts a user representation process on the representer's side.
    Properties
    Representation Authorization (representationAuthorization)
    Description
    Defines the condition that checks if a representer is authorized to represent a specific user. If the desired condition is independent of the representee, the flow's "Access Condition" could be configured instead.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Role Providers (roleProviders)
    Description
    Plugins to determine the roles to be incorporated into the SSO ticket.

    The roles will be added to the SSO ticket under the key 'roles'.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Ticket Encoder (ticketEncoder)
    Description
    The ticket encoder plugin used to sign and encrypt the SSO ticket.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Allowed Target Locations (allowedTargetLocationPatterns)
    Description

    A list of regular expressions defining the allowed target locations.

    A target location is accepted if at least one of the configured regular expressions matches.

    The default pattern is "/(?!/).*", which allows all context-relative URLs, i.e. URLs starting with a forward slash.

    Security warning: The provided forward location may contain arbitrary user input! It is therefore highly recommended that the configured patterns be as restrictive as possible. Overly lax patterns like '.*' expose Airlock IAM and the target application to severe attacks, e.g. open redirect, server-side request forgery and injection attacks (SQL, XSS, etc.). Such patterns are therefore not allowed.
    Attributes
    RegEx-List
    Optional
    Default value
    [/(?!/).*]
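An added example (Python, not Airlock IAM code) of how the pattern list above is applied and why a pattern like '.*' is refused. It assumes each pattern must match the whole forward location, as Java's String.matches does, and adds a constructed lint that flags any pattern accepting a foreign absolute or protocol-relative URL; the lint is an illustration, not IAM's own validation.

```python
import re

# Page default: context-relative URLs only, i.e. a single leading slash.
DEFAULT_PATTERNS = [r"/(?!/).*"]


def location_allowed(location: str, patterns=DEFAULT_PATTERNS) -> bool:
    """A target location is accepted if at least one configured pattern
    matches it. Assumption: whole-string matching (re.fullmatch)."""
    return any(re.fullmatch(p, location) for p in patterns)


# Constructed probes: locations that are not context-relative. A pattern that
# accepts any of them is too lax for user-controlled forward locations.
_LAX_PROBES = ("https://other.example/", "//other.example/", "http://other.example/x")


def lint_patterns(patterns) -> list:
    """Return the configured patterns that accept at least one probe.
    Heuristic for this example only; it is not the check IAM performs."""
    return [p for p in patterns
            if any(re.fullmatch(p, probe) for probe in _LAX_PROBES)]


if __name__ == "__main__":
    for loc in ("/app/home", "//other.example/", "https://other.example/"):
        print(loc, "->", "allowed" if location_allowed(loc) else "rejected")
    print("too lax:", lint_patterns([".*", r"https://.*", r"/(?!/).*"]))
```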
    Representee Access URI (representeeAccessUri)
    Description
    The URI of the login application in which the representee session will be created.

    Note the different URIs for SPA or Non-SPA IAM on the representee side.

    Attributes
    String
    Mandatory
    Validation RegEx: https?:\/\/.*
    Example
    https://represent.bank.ch/auth/ui/app/auth/application/access
    Example
    https://represent.bank.ch/auth/check-login
    Representee Logout URI (representeeLogoutUri)
    Description
    The logout URI to be called on the representee side.

    Note the different URIs for SPA or Non-SPA IAM on the representee side.

    Attributes
    String
    Mandatory
    Validation RegEx: https?:\/\/.*
    Example
    https://represent.bank.ch/auth/ui/app/auth/logout
    Example
    https://represent.bank.ch/auth/logout
    Language Parameter Name (languageParameterName)
    Description
    The name of the language parameter to be propagated into the receiving IAM.

    No language is propagated if this parameter is not configured.

    Attributes
    String
    Optional
    Example
    lang
    Example
    language
    Ticket Parameter Name (ticketParameterName)
    Description
    The SSO ticket request parameter name. The same value must be configured on the receiver side.
    Attributes
    String
    Optional
    Default value
    representation
    Example
    representation
    Example
    sso
    Example
    ticket
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.StartUserRepresentationStepConfig
    id: StartUserRepresentationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedTargetLocationPatterns: [/(?!/).*]
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      languageParameterName:
      onFailureGotos:
      preCondition:
      representationAuthorization:
      representeeAccessUri:
      representeeLogoutUri:
      representerIdValueProvider:
      requiresActivation: false
      roleProviders:
      skipCondition:
      stepId:
      tagsOnSuccess:
      ticketEncoder:
      ticketParameterName: representation
    

    Static Authenticator

    Description
    This authenticator accepts any credentials and either returns the entered or a statically configured authentee. The name and the granted roles of the authentee can be configured.
    If the username is left empty, the username entered by the user will be used, else the configured username will be used.
    Properties
    Username (username)
    Description
    The name of the authenticated user to return or empty to use the entered username.
    Attributes
    String
    Optional
    Example
    jdoe
    Example
    12345
    Granted Roles (grantedRoles)
    Description
    Roles granted to the authenticated user.
    Attributes
    String-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.StaticAuthenticator
    id: StaticAuthenticator-xxxxxx
    displayName: 
    comment: 
    properties:
      grantedRoles:
      username:
    

    Static Blacklist Password Policy

    Description
    A password policy to check whether the new password is on a static blacklist (dictionary).

    The black-listed passwords are read from a simple text file with one password per line.
    Example:
    secret
    changeme
    password
    letmein

    Line-breaks can be Windows- or Unix-style.

    Properties
    Black List File (blackListFile)
    Description
    Name of the file with the black-listed passwords (see plugin description). If using a relative path name, it is loaded relative to the current directory of the JVM.
    Attributes
    File/Path
    Mandatory
    Ignore Case (ignoreCase)
    Description
    If set to TRUE, the case of characters is ignored when comparing the new password to the black-list items.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.PwdPolicyStaticBlacklistCheck
    id: PwdPolicyStaticBlacklistCheck-xxxxxx
    displayName: 
    comment: 
    properties:
      blackListFile:
      ignoreCase: false
    

    Static Boolean Value Provider

    Description
    Defines a static boolean value to be provided.
    Properties
    Value (value)
    Description
    The value to be provided. If the checkbox is ticked, 'true' is provided. Otherwise, 'false' is provided.
    Attributes
    Boolean
    Mandatory
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.valueprovider.BooleanStaticValueProviderConfig
    id: BooleanStaticValueProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      value: false
    

    Static Context Extractor

    Description
    Simple context extractor that always returns the configured context.
    Properties
    Static Context (staticContext)
    Description
    The static context of this context extractor. If left empty, the default context is used.
    Attributes
    String
    Optional
    Example
    CTX1
    Example
    EXT
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.context.StaticContextExtractor
    id: StaticContextExtractor-xxxxxx
    displayName: 
    comment: 
    properties:
      staticContext:
    

    Static Credential Persister

    Description
    Static credential persister that can be used in the admin tool if credential data is not available.
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.persistency.StaticCredentialPersister
    id: StaticCredentialPersister-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Static Date And Time Value Provider

    Description
    Defines a static date and time value to be provided.
    Properties
    Value (value)
    Description

    The date and time value to be provided.

    The string provided by this plugin will be parsed as a date and time value with the format specified in Format.

    Attributes
    String
    Mandatory
    Example
    2023-02-08T14:27:16+0100
    Example
    01.01.1970
    Example
    07/30/1947
    Example
    Jul 20, 1969 at 20:17 CET
    Format (format)
    Description

    The date and time format used to parse the value provided by Value.

    The format is interpreted as specified in the java.text.SimpleDateFormat documentation.

    Attributes
    String
    Optional
    Default value
    yyyy-MM-dd'T'HH:mm:ssZ
    Example
    yyyy-MM-dd'T'HH:mm:ssZ
    Example
    dd.MM.yyyy
    Example
    MM/dd/yyyy
    Example
    MMM dd, yyyy 'at' HH:mm z
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.valueprovider.DateAndTimeStaticValueProviderConfig
    id: DateAndTimeStaticValueProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      format: yyyy-MM-dd'T'HH:mm:ssZ
      value:
    

    Static Gateway Role

    Description
    Provides a static Airlock Gateway role.
    Properties
    Gateway Role (airlockGatewayRole)
    Description
    A role with this name will be added to the Airlock Gateway session.
    Attributes
    String
    Mandatory
    Length <= 50
    Validation RegEx: [a-zA-Z0-9_.\-]+
    Idle Timeout [s] (idleTimeout)
    Description
    The WAF credential's idle timeout in seconds. The credential will be removed after the WAF session has been idle for this duration.
    Attributes
    Integer
    Optional
    Lifetime [s] (lifetime)
    Description
    The WAF credential's lifetime in seconds. The credential will be removed from the WAF session after this duration.
    Attributes
    Integer
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.targetapp.StaticWafCredentialProviderConfig
    id: StaticWafCredentialProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      airlockGatewayRole:
      idleTimeout:
      lifetime:
    

    Static Header

    Description
    Holds information about statically configured values to put in an HTTP header using the back-end Airlock control API.
    Properties
    Name (name)
    Description
    The name of an additional static header to be propagated to the back-end application. The value of the header is defined by the corresponding value-property.
    Attributes
    String
    Mandatory
    Example
    mandate
    Example
    stage
    Value (value)
    Description
    The value of an additional static header to be propagated to the back-end application.
    Attributes
    String
    Mandatory
    Example
    foo.com
    Example
    PROD
    Mapping Names (mappingNames)
    Description
    For each header, this property optionally defines the name of the Airlock Gateway (WAF) mappings to use it on.
    If no mapping name is specified, the HTTP header is used on all Airlock Gateway mappings.

    Note: Headers must never be defined globally and on a specific mapping at the same time.

    Attributes
    String-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.StaticHeader
    id: StaticHeader-xxxxxx
    displayName: 
    comment: 
    properties:
      mappingNames:
      name:
      value:
    

    Static HTTP Parameter

    Description
    HTTP Parameter with a static and optional value.
    May be used by
    Properties
    Name (name)
    Description
    The name of the HTTP Parameter.
    Attributes
    String
    Mandatory
    Value (value)
    Description
    The value of the HTTP Parameter. Leaving it empty will only add the name to the URL of the HTTP request, e.g. mydomain.com?name instead of mydomain.com?name=value.
    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sms.StaticHttpParameter
    id: StaticHttpParameter-xxxxxx
    displayName: 
    comment: 
    properties:
      name:
      value:
    

    Static Integer Value Provider

    Description
    Defines a static integer value to be provided.
    Properties
    Value (value)
    Description
    The value to be provided.
    Attributes
    Integer
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.valueprovider.IntegerStaticValueProviderConfig
    id: IntegerStaticValueProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      value:
    

    Static Request Authentication

    Description

    Provides a static username and roles for the authentee.

    Security warning: With this plugin, all requests to the REST API are considered authenticated and authorized according to the granted roles. Use this only for testing or in a trusted environment.

    Properties
    Username (username)
    Description
    The username to authenticate with.
    Attributes
    String
    Mandatory
    User Store (userStore)
    Description
    If configured, the user is loaded from local persistence and checked for validity. Authentication fails if the user is not found or is invalid. If no user store is configured, no persistency look-up takes place and the authentication is performed on data contained within the credential only.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Static Roles (staticRoles)
    Description
    Static list of roles granted to the authenticated user.
    Attributes
    String-List
    Optional
    Roles Blocklist (rolesBlocklist)
    Description
    List of role names that won't be granted to the authenticated user. The block list is also applied to persistent roles (if available).
    Attributes
    String-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.credential.StaticRequestAuthenticationConfig
    id: StaticRequestAuthenticationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      rolesBlocklist:
      staticRoles:
      userStore:
      username:
    

    Static Response Header

    Description
    Static HTTP header that is always added as configured to the response of the identity propagation.
    Properties
    Name (name)
    Description
    The name of the response header to be propagated to the HTTP client.
    Attributes
    String
    Mandatory
    Example
    Authorization
    Example
    X-Access-Token
    Example
    Cache-Control
    Value (value)
    Description
    The value of the response header to be propagated to the HTTP client. Ensure the configured value is correctly encoded, e.g. URL encoded, to be used as header value.
    Attributes
    String
    Mandatory
    Example
    foo.com
    Example
    no-cache
    YAML Template (with default values)
    
    type: com.airlock.iam.core.application.configuration.header.StaticResponseHeader
    id: StaticResponseHeader-xxxxxx
    displayName: 
    comment: 
    properties:
      name:
      value:
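
    An added example (not Airlock IAM code) covering three of the descriptions above: the Static HTTP Parameter rule that an empty value adds only the name to the URL, the Static Response Header advice that a value must be correctly encoded for use as a header value, and the Static Header note that a header must never be defined globally and on a specific mapping at once. The header-value check accepts only visible ASCII, space and tab, which is stricter than RFC 9110 but rules out CR/LF header injection; the sample configurations are constructed for the example.

```python
# Added example, not Airlock IAM code: helpers that follow the Static HTTP
# Parameter, Static Header and Static Response Header descriptions above.
import string
from typing import Optional
from urllib.parse import quote

# RFC 9110 "token" characters, the only ones allowed in a header name.
_TOKEN_CHARS = frozenset(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")


def build_query(base_url: str, params: list[tuple[str, Optional[str]]]) -> str:
    """Append static parameters to a URL. A None value adds only the name
    (...?name), a string adds name=value; both parts are percent-encoded."""
    parts = []
    for name, value in params:
        part = quote(name, safe="")
        if value is not None:
            part += "=" + quote(value, safe="")
        parts.append(part)
    if not parts:
        return base_url
    return base_url + ("&" if "?" in base_url else "?") + "&".join(parts)


def is_valid_header_name(name: str) -> bool:
    return bool(name) and all(c in _TOKEN_CHARS for c in name)


def is_valid_header_value(value: str) -> bool:
    """Accept only visible ASCII, space and horizontal tab. CR, LF and NUL are
    rejected because a value containing them would terminate the header and
    inject further header lines; non-ASCII is rejected too, which is stricter
    than RFC 9110 obs-text but what a statically configured value should meet."""
    return all(c == "\t" or 0x20 <= ord(c) <= 0x7E for c in value)


def find_header_scope_conflicts(headers: list[dict]) -> list[str]:
    """Return header names configured both globally (empty mappingNames) and
    on a specific mapping, which the Static Header note says must never
    happen. Header names are compared case-insensitively."""
    global_names: set[str] = set()
    mapped_names: set[str] = set()
    for h in headers:
        name = h["name"].lower()
        if h.get("mappingNames"):
            mapped_names.add(name)
        else:
            global_names.add(name)
    return sorted(global_names & mapped_names)
```

    Run the value check against every configured header before deployment rather than at request time: a static value that fails it is a configuration defect, not a runtime condition.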
    

    Static Roles

    Description
    Provides a list of statically configured roles.
    Properties
    Roles (roles)
    Description
    List of role names. A role name can be followed by an idle timeout and a lifetime, each separated by a colon.
    Attributes
    String-List
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.targetapp.StaticRolesProviderConfig
    id: StaticRolesProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      roles:
    

    Static SAML 2.0 Attribute

    Description
    A SAML 2.0 attribute that has fixed value(s).
    Properties
    Attribute Name (samlAttributeName)
    Description
    The name of the attribute to add to the assertion.
    Attributes
    String
    Mandatory
    Example
    SpecialAttribute
    Example
    user_type
    Static Values (staticValues)
    Description
    The value(s) to set for this attribute.
    Attributes
    String-List
    Mandatory
    Name Format (nameFormat)
    Description
    The NameFormat to use for the attribute.
    Attributes
    String
    Optional
    Default value
    urn:oasis:names:tc:SAML:2.0:attrname-format:basic
    Suggested values
    urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.assertion.attribute.StaticSamlAttributeConfig
    id: StaticSamlAttributeConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
      samlAttributeName:
      staticValues:
    

    Static String (OAuth 2.0 Token Exchange)

    Description
    Sets the claim to a specific single string value.
    Properties
    Value (value)
    Description
    The value that should be set for the claim.
    Attributes
    String
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtStaticStringClaimValueConfig
    id: OAuth2TokenExchangeJwtStaticStringClaimValueConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      value:
    

    Static String Custom Claim

    Description
    A static string claim.
    Properties
    Static Value (staticValue)
    Description
    Static value of this claim.
    Attributes
    String
    Mandatory
    Example
    value
    Claim Name (claimName)
    Description
    The name (JSON key) of the claim.

    Attention: If a custom claim with this same claim name already exists, it will result in a runtime error.

    Using a registered claim name (see RFC 7519) might cause the claim to be ignored or an exception to be thrown.
    Attributes
    String
    Mandatory
    Example
    firstname
    Example
    street
    Example
    zip
    Example
    country
    Example
    roles
    Claim Condition (claimCondition)
    Description

    This custom claim will only be added to the issued token if the configured condition is satisfied.

    If no condition is configured, the custom claim will always be added.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.claims.CustomStaticStringClaimConfig
    id: CustomStaticStringClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claimCondition:
      claimName:
      staticValue:
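
    An added example (not Airlock IAM code) that applies the rules stated in this description when static custom claims are placed into a token payload: a claim name configured twice is an error, a registered RFC 7519 name is refused outright rather than risking a silently ignored claim, and a claim with a condition is added only when the condition holds. The condition is modelled as a predicate over a context dict and the sample claim set is constructed; both are assumptions of the example.

```python
# Added example, not Airlock IAM code: adds static custom claims to a token
# payload under the rules from the Static String Custom Claim description.
from typing import Any, Callable, Optional

# Registered claim names, RFC 7519 section 4.1.
REGISTERED_CLAIMS = frozenset({"iss", "sub", "aud", "exp", "nbf", "iat", "jti"})

# A claim condition is modelled here as a predicate over a context dict
# (assumption of this example, not the plugin's own condition interface).
Condition = Callable[[dict[str, Any]], bool]


class ClaimConfigError(ValueError):
    """Raised for claim configuration the reference says ends in a runtime error."""


def claim_config_error(claims: list[dict[str, Any]]) -> Optional[str]:
    """Static check of a claim list without issuing a token: returns the
    first problem found, or None if the set is acceptable."""
    seen: set[str] = set()
    for cfg in claims:
        name = cfg["claimName"]
        if name in REGISTERED_CLAIMS:
            return f"{name!r} is a registered claim name (RFC 7519)"
        if name in seen:
            return f"custom claim {name!r} is configured twice"
        seen.add(name)
    return None


def add_custom_claims(payload: dict[str, Any],
                      claims: list[dict[str, Any]],
                      context: dict[str, Any]) -> dict[str, Any]:
    """Return a new payload with the static claims applied. Each claim config
    carries claimName, staticValue and an optional claimCondition predicate,
    mirroring the YAML property names above."""
    problem = claim_config_error(claims)
    if problem:
        raise ClaimConfigError(problem)
    out = dict(payload)
    for cfg in claims:
        cond: Optional[Condition] = cfg.get("claimCondition")
        if cond is not None and not cond(context):
            continue  # condition not satisfied: claim is left out of this token
        out[cfg["claimName"]] = cfg["staticValue"]
    return out
```

    The duplicate and registered-name checks run before any condition is evaluated, so a broken configuration fails on every token issuance instead of only when a particular condition happens to be true.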
    

    Static String Value Provider

    Description
    Defines a static string value to be provided.
    Properties
    Value (value)
    Description

    The value to be provided.

    If this field is not configured, the provided value will be an empty string.

    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.valueprovider.StringStaticValueProviderConfig
    id: StringStaticValueProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      value:
    

    Static String-Array (OAuth 2.0 Token Exchange)

    Description
    Sets the claim to a specific string-array value.
    Properties
    Values (values)
    Description
    The values that should be set for the claim. If left empty, an empty array is set.
    Attributes
    String-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtStaticStringArrayClaimValueConfig
    id: OAuth2TokenExchangeJwtStaticStringArrayClaimValueConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      values:
    

    Static Timeout Provider Config

    Description

    Static timeouts, which are always applied. Use 0 to apply the default Airlock Gateway idle timeout or lifetime.

    • If both values are set, "Idle Timeout" has to be smaller or equal to "Lifetime".
    • Either "Idle Timeout" or "Lifetime" has to be set. If only one is set, the other value is implicitly treated as 0 and the default Airlock Gateway timeout is used.

    Properties
    Idle Timeout [s] (idleTimeout)
    Description
    Idle timeout in seconds. The Airlock Gateway default idle timeout is used when the value is not set or set to 0. Either "Idle Timeout" or "Lifetime" has to be set. If only one is set, the other value is implicitly treated as 0 and the default Airlock Gateway timeout is used.
    Attributes
    Integer
    Optional
    Lifetime [s] (lifetime)
    Description
    Lifetime in seconds. The Airlock Gateway default lifetime is used when the value is not set or set to 0. Either "Idle Timeout" or "Lifetime" has to be set. If only one is set, the other value is implicitly treated as 0 and the default Airlock Gateway timeout is used.
    Attributes
    Integer
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.wafcredentials.StaticTimeoutProviderConfig
    id: StaticTimeoutProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      idleTimeout:
      lifetime:
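
    An added example (not Airlock IAM code) that ties together three of the descriptions above: it parses Static Roles entries, checks each role name against the length limit and validation regex given for Static Gateway Role, and applies the timeout rules of Static Timeout Provider Config (0 or absent means the Gateway default, an explicit idle timeout must not exceed an explicit lifetime, and at least one of the two must be set). The entry syntax name[:idle[:lifetime]] is inferred from "followed by an idle timeout and a lifetime, each separated by a colon", and "set" is read as non-zero; both are assumptions of this example.

```python
# Added example, not Airlock IAM code: parse Static Roles entries and check
# them against the constraints the Static Gateway Role and Static Timeout
# Provider Config descriptions state. The entry syntax name[:idle[:lifetime]]
# is assumed; timeouts are seconds, and 0 or absent means Gateway default.
import re
from dataclasses import dataclass
from typing import Optional

ROLE_NAME_RE = re.compile(r"[a-zA-Z0-9_.\-]+")  # validation regex of Gateway Role
ROLE_NAME_MAX_LEN = 50                           # length limit of Gateway Role


@dataclass(frozen=True)
class GatewayRole:
    name: str
    idle_timeout: Optional[int] = None  # None or 0: Gateway default idle timeout
    lifetime: Optional[int] = None      # None or 0: Gateway default lifetime


def validate_role_name(name: str) -> None:
    if len(name) > ROLE_NAME_MAX_LEN or not ROLE_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid Gateway role name: {name!r}")


def validate_timeouts(idle: Optional[int], lifetime: Optional[int],
                      require_one: bool = False) -> None:
    """Rules from Static Timeout Provider Config: values are non-negative, an
    explicit idle timeout must not exceed an explicit lifetime, and (for the
    timeout provider) at least one of the two must be set, read here as
    non-zero since 0 selects the Gateway default."""
    for label, value in (("idle timeout", idle), ("lifetime", lifetime)):
        if value is not None and value < 0:
            raise ValueError(f"{label} must be >= 0, got {value}")
    if require_one and not (idle or lifetime):
        raise ValueError("either idle timeout or lifetime has to be set")
    if idle and lifetime and idle > lifetime:
        raise ValueError(f"idle timeout {idle}s exceeds lifetime {lifetime}s")


def timeouts_ok(idle: Optional[int], lifetime: Optional[int],
                require_one: bool = False) -> bool:
    try:
        validate_timeouts(idle, lifetime, require_one)
        return True
    except ValueError:
        return False


def parse_static_role(entry: str) -> GatewayRole:
    """Parse 'name', 'name:idle' or 'name:idle:lifetime' into a GatewayRole."""
    fields = entry.strip().split(":")
    if not 1 <= len(fields) <= 3:
        raise ValueError(f"expected name[:idle[:lifetime]], got {entry!r}")
    name = fields[0]
    validate_role_name(name)
    idle = int(fields[1]) if len(fields) > 1 and fields[1] else None
    lifetime = int(fields[2]) if len(fields) > 2 and fields[2] else None
    validate_timeouts(idle, lifetime)
    return GatewayRole(name, idle, lifetime)


def is_valid_static_role(entry: str) -> bool:
    try:
        parse_static_role(entry)
        return True
    except ValueError:
        return False


def parse_static_roles(entries: list[str]) -> list[GatewayRole]:
    """Parse a whole roles list; the first bad entry raises ValueError."""
    return [parse_static_role(e) for e in entries]
```

    Validating the list at configuration time rather than at login keeps a malformed role entry from silently granting a role with no expiry or, worse, no role at all.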
    

    Static Username Password Extractor

    Description
    This plugin provides a username/password credential for testing purposes.
    Properties
    Username (username)
    Description
    The username for the test.
    Attributes
    String
    Optional
    License-Tags
    OneShotAuthentication
    Default value
    test
    Password (password)
    Description
    The password for the test.
    Attributes
    String
    Optional
    Sensitive
    License-Tags
    OneShotAuthentication
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oneshot.impl.StaticUsernamePasswordExtractorConfig
    id: StaticUsernamePasswordExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      password:
      username: test
    

    Static Values To Tags

    Description
    Configures how to map a collection of string values to tags.
    Properties
    Value To Tag Mappings (valueToTagMappings)
    Description

    Mapping from static values to flow tags.

    For each string value matching a key in this mapping, the corresponding tag will be added. Unknown values (i.e. not matching a key in this map) will be ignored.

    Note that the string matching is case-sensitive and the value must match exactly for the corresponding tag to be created.

    Attributes
    Plugin-Map
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.tag.StaticTagMappingConfig
    id: StaticTagMappingConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      valueToTagMappings:
    

    Step Activated

    Description
    Flow condition which evaluates to true if the step identified by the configured step ID has been activated.
    May be used by
    mTAN Transaction Approval Step mTAN Transaction Approval Step Default Enable Cronto Push Flow Default Enable Cronto Push Flow Secret Questions Identity Verification Step Secret Questions Identity Verification Step Default mTAN Deletion Flow Legacy mTAN Registration Flow Legacy mTAN Registration Flow Set Authentication Method Migration Step Set Authentication Method Migration Step Advanced Migration Selection Option Airlock 2FA Authentication Step Airlock 2FA Authentication Step Complete Migration Step Complete Migration Step Failure Step Failure Step Airlock 2FA Recovery Trusted Session Binding Step Airlock 2FA Recovery Trusted Session Binding Step Email Identity Verification Step Email Identity Verification Step Scriptable Step Scriptable Step Custom Protected Self-Service Flow Custom Protected Self-Service Flow Airlock 2FA Self-Service Approval Step Airlock 2FA Self-Service Approval Step Logical NOT Set Authentication Method Step Set Authentication Method Step OTP Check via RADIUS Step OTP Check via RADIUS Step OAuth 2.0 SSO Step OAuth 2.0 SSO Step Cronto Device Selection Step Cronto Device Selection Step Default Disable FIDO Credential Flow Default Disable FIDO Credential Flow FIDO Public Self-Service Approval Step FIDO Public Self-Service Approval Step Cronto Transaction Approval Step Cronto Transaction Approval Step Email OTP Transaction Approval Step Email OTP Transaction Approval Step Send Email Link Step Send Email Link Step Vasco OTP Public Self-Service Approval Step Vasco OTP Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step mTAN Authentication Step mTAN Authentication Step Risk Assessment Step Risk Assessment Step Cronto Authentication Step Cronto Authentication Step User Data Edit Step User Data Edit Step Logical OR Account Link Linking Initiation Step Account Link Linking Initiation Step Account Link Removal Initiation Step Account Link Removal Initiation Step Missing 
Account Link Step CrontoSign Swiss Push Activation Step CrontoSign Swiss Push Activation Step Flow Continuation Token Consumption Step Flow Continuation Token Consumption Step Email Verification Step Email Verification Step SSI Passwordless Authentication Step SSI Passwordless Authentication Step Logical AND Red Flag Raising Step Config Red Flag Raising Step Config Red Flag Raising Step Config Airlock 2FA Transaction Approval Step Airlock 2FA Transaction Approval Step FIDO Credential Selection Step FIDO Credential Selection Step On Behalf Login Identity Propagation Config mTAN Number List mTAN Number List Default OAuth 2.0 Consents Delete Flow Default OAuth 2.0 Consents Delete Flow Selection Step for Public Self-Service Selection Step for Public Self-Service OATH OTP Activation Step OATH OTP Activation Step Default mTAN Token Registration Flow SSO Ticket Authentication Step SSO Ticket Authentication Step Enable Cronto Push Initiation Step Enable Cronto Push Initiation Step Default Account Link Removal Flow Default Account Link Removal Flow Default Account Link Linking Flow Default Account Link Linking Flow Condition-based Role Provider Migration Selection Step Migration Selection Step Migration Selection Step SSI Issuance Step SSI Issuance Step Legacy ID Propagation Adapter OIDC Flow Condition To ACR Value Mapping Phone Number Verification Step Phone Number Verification Step mTAN Public Self-Service Approval Step mTAN Public Self-Service Approval Step User Data Registration Step Config User Data Registration Step Config Cronto Approval Stealth Step Cronto Approval Stealth Step Disable FIDO Credential Initiation Step Disable FIDO Credential Initiation Step OAuth 2.0 Client Persisting Step OAuth 2.0 Client Persisting Step Selection Option For User Self-Registration Delete FIDO Credential Initiation Step Delete FIDO Credential Initiation Step Login From New Device Step Login From New Device Step Account Linking Lists Self Services Account Linking Lists Self Services 
OAuth 2.0 Consent Step Password-only Authentication Step Password-only Authentication Step SMS Identity Verification Step SMS Identity Verification Step Cronto Public Self-Service Approval Step Cronto Public Self-Service Approval Step Set Context Data Step Set Context Data Step Matrix Public Self-Service Approval Step Matrix Public Self-Service Approval Step Remember-Me Token Generating Step Remember-Me Token Generating Step Device Token List Device Token List Selection Option For Self-Service Flow Condition-based OAuth 2.0 Scope Condition Delete Cronto Device Initiation Step Delete Cronto Device Initiation Step Kerberos Authentication Step Kerberos Authentication Step Vasco OTP Authentication Step Vasco OTP Authentication Step Device Token Registration Step Device Token Registration Step Flow Continuation Step Flow Continuation Step Remember-Me User Identifying Step Remember-Me User Identifying Step Airlock 2FA Device List Airlock 2FA Device List Password Reset Step Password Reset Step Enable FIDO Credential Initiation Step Enable FIDO Credential Initiation Step Device Token Authentication Step Device Token Authentication Step Matrix Self-Service Approval Step Matrix Self-Service Approval Step User Identification By Data Step (Public Self-Service) User Identification By Data Step (Public Self-Service) Cronto Activation Step Cronto Activation Step Email OTP Authentication Step Email OTP Authentication Step Email Change Verification Step Email Change Verification Step Email Notification Step Email Notification Step FIDO Self-Service Approval Step FIDO Self-Service Approval Step OAuth 2.0 Client Registration Step OAuth 2.0 Client Registration Step Airlock 2FA Activation Step Airlock 2FA Activation Step Airlock 2FA Device Edit Initiation Step Airlock 2FA Device Edit Initiation Step Select mTAN Token Step Select mTAN Token Step Secret Questions Provisioning Step Secret Questions Provisioning Step Airlock 2FA Device Edit Step Airlock 2FA Device Edit Step Apply Changes 
Step Apply Changes Step User Persisting Step Config User Persisting Step Config Start User Representation Step Start User Representation Step Default OAuth 2.0 Session Deletion Flow Default OAuth 2.0 Session Deletion Flow Default Cronto Device Removal Flow Mandatory Password Change Step Config Target URI ID Propagator Disable Cronto Device Initiation Step Disable Cronto Device Initiation Step OAuth 2.0 Consent Grant Initiation Step OAuth 2.0 Consent Grant Initiation Step Airlock 2FA Activation Trusted Session Binding Step Airlock 2FA Activation Trusted Session Binding Step User Unlock Step (Self-Registration) User Unlock Step (Self-Registration) Default mTAN Token Edit Flow Default mTAN Token Edit Flow Cronto Device List Cronto Device List FIDO Registration Step FIDO Registration Step Delete Remember-Me Device Initiation Step Delete Remember-Me Device Initiation Step Transaction Approval Parameter Step Transaction Approval Parameter Step Default FIDO Credential Display Name Change Flow Default FIDO Credential Display Name Change Flow User Identification Step User Identification Step User Identification By Data Step User Identification By Data Step Representation SSO Ticket Identifying Step Representation SSO Ticket Identifying Step Unlock User Step (Public Self-Service) Unlock User Step (Public Self-Service) Airlock 2FA Usernameless Authentication Step Airlock 2FA Usernameless Authentication Step Matrix Authentication Step Matrix Authentication Step mTAN Token Edit Step mTAN Token Edit Step Enable Cronto Device Initiation Step Enable Cronto Device Initiation Step Airlock 2FA Activation Letter Order Step Airlock 2FA Activation Letter Order Step OAuth 2.0 Consent Deny Initiation Step OAuth 2.0 Consent Deny Initiation Step Tag Removal Step Config Tag Removal Step Config FIDO Authentication Step FIDO Authentication Step Cronto Device Reset Step Config Cronto Device Reset Step Config Default Disable Cronto Push Flow Default Disable Cronto Push Flow Abort Step Abort Step 
mTAN Token Registration Step mTAN Token Registration Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Delete Initiation Step Selection Option For Public Self-Service Username Password Authentication Step Username Password Authentication Step Certificate Credential Extraction Step Config Certificate Credential Extraction Step Config OAuth 2.0 Session List OAuth 2.0 Session List Set Password Step Config Set Password Step Config Flow Condition To Authentication Context Mapping Password Change Self-Service Step Password Change Self-Service Step SSI Verification Step SSI Verification Step Default OAuth 2.0 Consent Deny Flow Default OAuth 2.0 Consent Deny Flow Device Token Identity Verification Step Config Device Token Identity Verification Step Config Cronto Self-Service Approval Step Cronto Self-Service Approval Step FIDO Credential List FIDO Credential List Lock Self-Service Step Lock Self-Service Step Password Letter Order Step (Public Self-Service) Password Letter Order Step (Public Self-Service) Default Enable Cronto Device Flow Default Enable Cronto Device Flow Airlock 2FA Delete Devices Step Airlock 2FA Delete Devices Step Vasco OTP Self-Service Approval Step Vasco OTP Self-Service Approval Step Selection Step for User Self-Registration Selection Step for User Self-Registration Vasco OTP Device Activation Vasco OTP Device Activation User Role Assignment Step Config User Role Assignment Step Config Default Enable FIDO Credential Flow Default Enable FIDO Credential Flow mTAN Self-Service Approval Step mTAN Self-Service Approval Step Selection Option Rename Cronto Device Step Rename Cronto Device Step OATH OTP Authentication Step OATH OTP Authentication Step User Identification Step (Public Self-Service) User Identification Step (Public Self-Service) Default Cronto Device Renaming Flow Default Cronto Device Renaming Flow Delete mTAN Number Initiation Step Delete mTAN Number Initiation Step SSI Authentication Step SSI Authentication Step Default 
Disable Cronto Device Flow Default Disable Cronto Device Flow Password Repository Mapping Default Remember-Me Device Deletion Flow Default Remember-Me Device Deletion Flow mTAN Verification Step mTAN Verification Step Conditional Value Map Provider FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Application Portal Target Config Legacy Email OTP Authentication Step Legacy Email OTP Authentication Step Never Migrate Step Never Migrate Step Selection Step for Self-Service Selection Step for Self-Service Cronto Letter Order Step Config Cronto Letter Order Step Config No Operation Step No Operation Step Terms Of Services Step Terms Of Services Step Role-based Tag Acquisition Step Role-based Tag Acquisition Step FIDO Passwordless Authentication Step FIDO Passwordless Authentication Step Disable Cronto Push Initiation Step Disable Cronto Push Initiation Step Stop User Representation Step Stop User Representation Step Acknowledge Message Step Acknowledge Message Step HTTP Basic Authentication Step HTTP Basic Authentication Step Target Applications and Authentication Airlock 2FA Mobile Only Authentication Step Airlock 2FA Mobile Only Authentication Step Generic ID Propagator Voluntary Password Change Step Voluntary Password Change Step Remember-Me Device List Remember-Me Device List SAML 2.0 SP User Identifying Step SAML 2.0 SP User Identifying Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Consents Delete Initiation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Step (with additional Activation) OAuth 2.0 Consent List OAuth 2.0 Consent List Default OAuth 2.0 Consent Grant Flow Default OAuth 2.0 Consent Grant Flow Username Generation Step Config Username Generation Step Config Remember-Me Reset Step Remember-Me Reset Step Default FIDO Credential Removal Flow Delete OAuth 2.0 Session Initiation Step Delete OAuth 2.0 Session Initiation Step OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset 
Step Selection Step Selection Step
    Properties
    Step ID (stepId)
    Description
    ID of the step whose activated state is checked.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.application.configuration.selection.condition.StepActivationConditionConfig
    id: StepActivationConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      stepId:
    

    Step ID

    Description
    Identifier for a flow step.
    May be used by
    mTAN Transaction Approval Step mTAN Transaction Approval Step Secret Questions Identity Verification Step Secret Questions Identity Verification Step Set Authentication Method Migration Step Set Authentication Method Migration Step Airlock 2FA Authentication Step Airlock 2FA Authentication Step Complete Migration Step Complete Migration Step Failure Step Airlock 2FA Recovery Trusted Session Binding Step Airlock 2FA Recovery Trusted Session Binding Step Email Identity Verification Step Email Identity Verification Step Scriptable Step Scriptable Step Airlock 2FA Self-Service Approval Step Airlock 2FA Self-Service Approval Step Set Authentication Method Step Set Authentication Method Step OTP Check via RADIUS Step OTP Check via RADIUS Step OAuth 2.0 SSO Step OAuth 2.0 SSO Step Cronto Device Selection Step Cronto Device Selection Step Airlock 2FA Approval UI (Protected Self-service) FIDO Public Self-Service Approval Step FIDO Public Self-Service Approval Step Cronto Transaction Approval Step Cronto Transaction Approval Step Email OTP Transaction Approval Step Email OTP Transaction Approval Step Send Email Link Step Send Email Link Step Vasco OTP Public Self-Service Approval Step Vasco OTP Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step mTAN Authentication Step mTAN Authentication Step Custom Configuration-based Self-Service UI Risk Assessment Step Risk Assessment Step Cronto Authentication Step Cronto Authentication Step User Data Edit Step User Data Edit Step Account Link Linking Initiation Step Account Link Linking Initiation Step Account Link Removal Initiation Step Account Link Removal Initiation Step Missing Account Link Step Missing Account Link Step CrontoSign Swiss Push Activation Step CrontoSign Swiss Push Activation Step Flow Continuation Token Consumption Step Flow Continuation Token Consumption Step Email Verification Step Email Verification Step Custom JavaScript-based 
    Properties
    ID (id)
    Description
    The ID of the flow step. It must be unique within a flow.
    Attributes
    String
    Mandatory
    Length <= 30
    Validation RegEx: [a-z0-9_-]+
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.api.application.configuration.step.StepIdConfig
    id: StepIdConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      id:
    

    STET PSD2 Authenticator

    Description
    Authenticator for STET PSD2 Access Tokens / Client Certificates. The resulting authenticated technical client (TPP) will contain the following elements:
    • The subject's organizationIdentifier (TPP) of the client certificate as the username.
    • The access token's scopes as roles (these MUST be restricted accordingly in the authorization server configuration).
    • For authorization code grants, the user (PSU) who granted the TPP access. The PSU is available in the context data as "PSU_ID".

    Further constraints will be validated:

    • The used client certificate (QWAC) for the TLS connection will be validated according to the configuration.
    • The access token must belong to the same technical client as the client certificate.
    Properties
    OAuth 2.0 Authorization Server Reference (authorizationServerIdentifier)
    Description
    The reference to the authorization server (v3) that was used to generate the access token. The authorization server must be configured in the top-level settings in the Loginapp or else the authentication will fail.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Check Validity Period (checkValidityPeriod)
    Description
    If enabled, the validity period of the certificate is checked. If disabled, expired (or not-yet-valid) certificates are also accepted.
    Attributes
    Boolean
    Optional
    Default value
    true
    Certificate Status Checkers (certStatusCheckers)
    Description
    A list of certificate status checkers used to check the revocation status of the client certificate. If more than one checker is configured, all of them are consulted and the certificate is considered revoked if at least one of them tells so.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.application.configuration.psd2.StetPsd2CertificateAuthenticatorConfig
    id: StetPsd2CertificateAuthenticatorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authorizationServerIdentifier:
      certStatusCheckers:
      checkValidityPeriod: true
    

    STET PSD2 OAuth 2.0 Scope Filter

    Description
    Restricts the scope of the issued tokens to the PSD2 roles contained in the certificate that was used for OAuth 2.0 client authentication (mTLS).

    STET OAuth 2.0 scope values

    • aisp (covered by PSP_AI role)
    • extended_transaction_history (covered by PSP_AI role)
    • cbpii (covered by PSP_IC role)
    • pisp (covered by PSP_PI role)
    If no PSD2 certificate was used for the token request, all scopes will be removed.

    Prevents AISP and CBPII roles from being mixed in a single scope definition.
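    The rules above, applied to a sample token request as an added illustration (not Airlock IAM code). It assumes the PSD2 roles have already been read from the client certificate, and that a request mixing AISP and CBPII scopes is rejected outright; the names `SCOPE_TO_PSD2_ROLE`, `filter_stet_scopes` and `mixes_aisp_and_cbpii` are constructed for this example.

```python
"""Added illustration of the STET PSD2 scope filter rules (not Airlock IAM code)."""
from typing import Iterable, List, Optional, Set

# Each STET scope value is covered by exactly one PSD2 role, which must be
# present in the QWAC used for OAuth 2.0 client authentication (mTLS).
SCOPE_TO_PSD2_ROLE = {
    "aisp": "PSP_AI",
    "extended_transaction_history": "PSP_AI",
    "cbpii": "PSP_IC",
    "pisp": "PSP_PI",
}


class ScopeMixingError(ValueError):
    """AISP (PSP_AI) and CBPII (PSP_IC) scopes were requested together."""


def parse_scope_parameter(scope: str) -> List[str]:
    """Split an OAuth 2.0 'scope' parameter (space-delimited) into its values."""
    return scope.split()


def mixes_aisp_and_cbpii(requested: Iterable[str]) -> bool:
    """True if the request needs both the PSP_AI and the PSP_IC role."""
    roles_needed = {SCOPE_TO_PSD2_ROLE[s] for s in requested if s in SCOPE_TO_PSD2_ROLE}
    return {"PSP_AI", "PSP_IC"} <= roles_needed


def filter_stet_scopes(requested: Iterable[str],
                       psd2_roles: Optional[Set[str]]) -> List[str]:
    """Return the scopes that may be granted for this token request.

    requested:  scope values from the token request.
    psd2_roles: PSD2 roles read from the client certificate, or None when the
                request was not authenticated with a PSD2 certificate.
    """
    requested = list(dict.fromkeys(requested))  # de-duplicate, keep order
    # No PSD2 certificate used for the token request: every scope is removed.
    if psd2_roles is None:
        return []
    # Assumption: a request mixing AISP and CBPII scopes is rejected as a
    # whole instead of being partially granted.
    if mixes_aisp_and_cbpii(requested):
        raise ScopeMixingError("aisp/extended_transaction_history and cbpii cannot be combined")
    # Keep only scopes whose covering role is in the certificate; scope values
    # that are not STET scopes are dropped as well.
    return [s for s in requested if SCOPE_TO_PSD2_ROLE.get(s) in psd2_roles]


if __name__ == "__main__":
    # Constructed sample: certificate with the PSP_AI role only.
    print(filter_stet_scopes(parse_scope_parameter("aisp extended_transaction_history pisp"),
                             {"PSP_AI"}))
```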

    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.as.OAuth2GrantedScopeStetPsd2FilterProcessorConfig
    id: OAuth2GrantedScopeStetPsd2FilterProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Stop User Representation Step

    Description
    A non-interactive self-service step that stops a user representation process on the representer's side.
    Properties
    Representee Logout Path (representeeLogoutPath)
    Description
    The logout URL to be called on the representee side.

    Note the different URLs for SPA or Non-SPA IAM on the representee side.

    Attributes
    String
    Mandatory
    Validation RegEx: https?:\/\/.*
    Example
    https://represent.bank.ch/auth/ui/app/auth/logout
    Example
    https://represent.bank.ch/auth/logout
    Language Parameter Name (languageParameterName)
    Description
    The name of the language parameter to be propagated into the receiving IAM.

    No language is propagated if this parameter is not configured.

    Attributes
    String
    Optional
    Example
    lang
    Example
    language
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.StopUserRepresentationStepConfig
    id: StopUserRepresentationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      languageParameterName:
      onFailureGotos:
      preCondition:
      representeeLogoutPath:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Storage Encryption Configuration

    Description

    Defines how data is encrypted when stored on the database.

    Beware that changing the configured secret may result in data loss.

    Properties
    Secret (Base64-encoded) (secret)
    Description

    A Base64-encoded secret. It must be exactly 768 bits (96 bytes or 128 Base64-encoded characters) long.

    One can, for example, generate a random Base64 string with 768 bits (96 bytes) using openssl as follows: openssl rand -base64 96

    Attributes
    String
    Mandatory
    Sensitive
    Length <= 128
    Length >= 128
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.security.StorageEncryptionConfig
    id: StorageEncryptionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      secret:
    

    String Context Data

    Description
    Non-interactive user context data item that stores a string value.
    May be used by
    Properties
    Context Data Item Name (contextDataItemNameConfig)
    Description
    The name of the context data where the value will be stored.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.definition.StringNonInteractiveUserDataItemDefinitionConfig
    id: StringNonInteractiveUserDataItemDefinitionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataItemNameConfig:
      valueProviderConfig:
    

    String Context Data Item Config

    Description
    Context Data item of type String.

    The database column must be of a string type (e.g. VARCHAR/VARCHAR2 or CHAR (whitespaces are trimmed)) and the values in the context data container are guaranteed to be of type java.lang.String.

    Properties
    Context Data Name (contextDataName)
    Description
    Defines the reusable context data item representing the name and type of a value in the context data.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Database Column Name (databaseColumnName)
    Description
    The name of the database column to load into the context data in case it differs from the Context Data Name.
    Attributes
    String
    Optional
    Example
    givenname
    Example
    name
    Example
    address
    Readonly On Update (readonlyOnUpdate)
    Description
    If enabled, this context data field is treated as read-only during updates of the user data. The field is still persisted when the user is inserted.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.application.configuration.contextdata.StringContextDataItemConfig
    id: StringContextDataItemConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataName:
      databaseColumnName:
      readonlyOnUpdate: false
    

    String Context Data Item Name

    Description
    Context Data item of type String.
    Properties
    Context Data Name (contextDataName)
    Description
    The name of the context data field under which the string value is stored.
    Attributes
    String
    Mandatory
    Example
    givenname
    Example
    name
    Example
    address
    Example
    realm
    YAML Template (with default values)
    
    type: com.airlock.iam.core.application.configuration.contextdata.StringContextDataItemNameConfig
    id: StringContextDataItemNameConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataName:
    

    String Context Data User Group Condition Config

    Description
    Condition that compares a string context data value against a regular expression.
    Properties
    Pattern (pattern)
    Description
    Regular expression pattern matched against the (default string representation of the) context data value. If it matches, the user is considered to be member of the group.
    Attributes
    RegEx
    Mandatory
    Group Name (groupName)
    Description
    The name of the user group. May be used in log files and may be displayed in the admin tool.
    Attributes
    String
    Mandatory
    Example
    Administrator
    Example
    Employee
    Example
    Customer
    Example
    CertificateUser
    Example
    MtanUser
    Context Data Item Name (contextDataItemName)
    Description
    Name of the context data item to be examined. Make sure the user persister provides the item.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.StringContextDataUserGroupConditionConfig
    id: StringContextDataUserGroupConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataItemName:
      groupName:
      pattern:
    

    String Context Data Value Provider

    Description

    Provides the string value contained in the specified context data item of the user.

    Make sure the configured context data item is also configured on the user persister.

    Properties
    Context Data Field (contextDataField)
    Description
    Context data field whose value will be returned.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Mandatory (mandatory)
    Description

    If enabled, the value provided by this context data item is not allowed to be null.

    If this option is enabled and the context data item is null (e.g. because the configured context data item is not provided by the user persister), an exception is thrown at runtime.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.valueprovider.contextdata.ContextDataStringValueProviderConfig
    id: ContextDataStringValueProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataField:
      mandatory: false
    

    String Format Custom Claim

    Description
    A custom formatted string claim.
    Properties
    Value Format (format)
    Description
    The value is defined using a format string consisting of one or multiple context data values. Context data field items can be referenced with ${contextDataField} and will be replaced with the value of the referenced context data field.
    Attributes
    String
    Mandatory
    Multi-line-text
    Suggested values
    ${surname} ${givenname}, ${street} ${streetNumber}, ${zipcode} ${town}
    Claim Name (claimName)
    Description
    The name (JSON key) of the claim.

    Attention: If a custom claim with this same claim name already exists, it will result in a runtime error.

    Using a registered claim name (see RFC 7519) might cause the claim to be ignored or an exception to be thrown.
    Attributes
    String
    Mandatory
    Example
    firstname
    Example
    street
    Example
    zip
    Example
    country
    Example
    roles
    Claim Condition (claimCondition)
    Description

    This custom claim will only be added to the issued token if the configured condition is satisfied.

    If no condition is configured, the custom claim will always be added.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.claims.CustomStringFormatClaimConfig
    id: CustomStringFormatClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claimCondition:
      claimName:
      format:
    
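    How a String Format Custom Claim is rendered from context data, as an added illustration that is not Airlock IAM code. It applies the rules stated above (placeholder substitution, duplicate claim names and registered claim names as errors, an optional claim condition) to constructed context data; the functions `render_format`, `add_string_format_claim` and `is_allowed_claim_name` and the treatment of a missing context data field are assumptions made for this example.

```python
"""Added illustration of String Format Custom Claim rendering (not Airlock IAM code)."""
import re
from typing import Callable, Dict, Optional

# Registered claim names from RFC 7519, section 4.1.
REGISTERED_CLAIM_NAMES = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"}

# ${contextDataField} references inside the format string.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\}")

ClaimCondition = Callable[[Dict[str, str]], bool]


def is_allowed_claim_name(claim_name: str) -> bool:
    """Assumption: registered claim names are refused up front instead of
    letting the claim be ignored or fail later."""
    return claim_name not in REGISTERED_CLAIM_NAMES


def render_format(fmt: str, context_data: Dict[str, str]) -> str:
    """Replace every ${field} in the format string with the context data value.

    Assumption: a referenced field missing from the context data is an error
    (the reference does not say how the product handles this case).
    """
    def substitute(match: "re.Match[str]") -> str:
        field = match.group(1)
        if field not in context_data:
            raise KeyError(f"context data field '{field}' is not available")
        return str(context_data[field])

    return PLACEHOLDER.sub(substitute, fmt)


def add_string_format_claim(claims: Dict[str, str], claim_name: str, fmt: str,
                            context_data: Dict[str, str],
                            condition: Optional[ClaimCondition] = None) -> Dict[str, str]:
    """Add the formatted claim to 'claims' following the documented rules."""
    if not is_allowed_claim_name(claim_name):
        raise ValueError(f"'{claim_name}' is a registered claim name (RFC 7519)")
    # Claim condition not satisfied: the claim is simply not added.
    if condition is not None and not condition(context_data):
        return claims
    # A custom claim with the same name already exists: runtime error.
    if claim_name in claims:
        raise ValueError(f"custom claim '{claim_name}' already exists")
    claims[claim_name] = render_format(fmt, context_data)
    return claims


if __name__ == "__main__":
    # Constructed sample context data.
    ctx = {"surname": "Muster", "givenname": "Anna", "street": "Bahnhofstrasse",
           "streetNumber": "1", "zipcode": "8001", "town": "Zurich", "country": "CH"}
    print(add_string_format_claim({}, "address",
                                  "${surname} ${givenname}, ${street} ${streetNumber}, ${zipcode} ${town}",
                                  ctx))
```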

    String From Actor Token (OAuth 2.0 Token Exchange)

    Description

    Sets the claim to the configured data value of the actor token.

    Only string values are considered. If the configured data value of the actor token contains a non-string value, it will be ignored.

    Properties
    Actor Token Data Name (actorTokenDataName)
    Description
    The actor token claim to use. The referenced value must be a string.
    Attributes
    String
    Mandatory
    Example
    sub
    Example
    iss
    Example
    claim1
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2StringFromActorTokenConfig
    id: OAuth2StringFromActorTokenConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      actorTokenDataName:
    

    String From Map Value Provider

    Description
    Defines a string value to be provided from a Value Map Provider and a key. If the key is not present, nothing is returned.
    Properties
    Key (key)
    Description
    Case-sensitive key to select the string in the value map.
    Attributes
    String
    Mandatory
    Example
    identifyingAttribute
    Example
    PASSWORD
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.valueprovider.StringFromMapValueProviderConfig
    id: StringFromMapValueProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      key:
      valueMaps:
    

    String From Subject Token (OAuth 2.0 Token Exchange)

    Description

    Sets the claim to the configured data value of the subject token.

    Only string values are considered. If the configured data value of the subject token contains a non-string value, it will be ignored.

    Properties
    Subject Token Data Name (subjectTokenDataName)
    Description
    The subject token claim to use. The referenced value must be a string.
    Attributes
    String
    Mandatory
    Example
    sub
    Example
    username
    Example
    claim1
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtSubjectTokenStringClaimValueConfig
    id: OAuth2TokenExchangeJwtSubjectTokenStringClaimValueConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      subjectTokenDataName:
    

    String HTTP Signature Header

    Description
    An arbitrary HTTP header.
    Properties
    Header Name (headerName)
    Description
    The header name consists of any visible ASCII characters except delimiters "(),/:;<=>?@[\]{}". The letter case is ignored (for example, "date" matches the "Date" header).
    Attributes
    String
    Mandatory
    Suggested values
    Digest, Date, Content-Type, Content-Length, X-Request-ID
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.StringHttpSignatureHeader
    id: StringHttpSignatureHeader-xxxxxx
    displayName: 
    comment: 
    properties:
      headerName:
    

    String Input Token Controller Element

    Description
    Renders an HTML input tag for a string property.
    Properties
    Label (label)
    Description
    Label for the field. The UI treats it as a key to translate. If there is no translation, the label is shown in the UI as is.
    Attributes
    String
    Mandatory
    Example
    userdata.label.email
    Example
    user.securid.username
    Property (property)
    Description
    The property to use as value for this field.

    The referenced property must be available in the attributes value of the generic token REST call response. If the property is nested, e.g. inside the contextData key, it can be referenced with dot notation (see example values).

    The ID of the response is referenced by using the reserved value @id.

    Attributes
    String
    Mandatory
    Example
    serialNumber
    Example
    contextData.email
    Example
    @id
    Placeholder (placeholder)
    Description
    Displays a placeholder when the field has no value. The placeholder is not interpreted as value and disappears when typing in the field.
    Attributes
    String
    Optional
    Required (required)
    Description
    Whether this field must have a value when the token is added or updated. Required fields are marked with an asterisk.
    Attributes
    Boolean
    Optional
    Default value
    false
    Read-only (readOnly)
    Description
    If enabled, the field is read-only and cannot be altered by administrators via the UI.
    Attributes
    Boolean
    Optional
    Default value
    false
    Hide If Empty (hideIfEmpty)
    Description
    If enabled, this UI element is hidden if it has no value.
    Attributes
    Boolean
    Optional
    Default value
    false
    Validation (validation)
    Description
    Validates the input against the defined expression. If validation fails, an error on this field is shown to the administrator and the token cannot be added or updated.
    Attributes
    RegEx
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.generic.ui.StringInputTokenControllerUiElementConfig
    id: StringInputTokenControllerUiElementConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      hideIfEmpty: false
      label:
      placeholder:
      property:
      readOnly: false
      required: false
      validation:
    

    String Regex Condition Config

    Description
    This condition is fulfilled if the regex pattern matches the value provided by the string value provider.
    May be used by
mTAN Token Registration Step mTAN Token Registration Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Delete Initiation Step Selection Option For Public Self-Service Username Password Authentication Step Username Password Authentication Step Certificate Credential Extraction Step Config Certificate Credential Extraction Step Config OAuth 2.0 Session List OAuth 2.0 Session List Set Password Step Config Set Password Step Config Flow Condition To Authentication Context Mapping Password Change Self-Service Step Password Change Self-Service Step SSI Verification Step SSI Verification Step Default OAuth 2.0 Consent Deny Flow Default OAuth 2.0 Consent Deny Flow Device Token Identity Verification Step Config Device Token Identity Verification Step Config Cronto Self-Service Approval Step Cronto Self-Service Approval Step FIDO Credential List FIDO Credential List Lock Self-Service Step Lock Self-Service Step Password Letter Order Step (Public Self-Service) Password Letter Order Step (Public Self-Service) Default Enable Cronto Device Flow Default Enable Cronto Device Flow Airlock 2FA Delete Devices Step Airlock 2FA Delete Devices Step Vasco OTP Self-Service Approval Step Vasco OTP Self-Service Approval Step Selection Step for User Self-Registration Selection Step for User Self-Registration Vasco OTP Device Activation Vasco OTP Device Activation User Role Assignment Step Config User Role Assignment Step Config Default Enable FIDO Credential Flow Default Enable FIDO Credential Flow mTAN Self-Service Approval Step mTAN Self-Service Approval Step Selection Option Rename Cronto Device Step Rename Cronto Device Step OATH OTP Authentication Step OATH OTP Authentication Step User Identification Step (Public Self-Service) User Identification Step (Public Self-Service) Default Cronto Device Renaming Flow Default Cronto Device Renaming Flow Delete mTAN Number Initiation Step Delete mTAN Number Initiation Step SSI Authentication Step SSI Authentication Step Default 
Disable Cronto Device Flow Default Disable Cronto Device Flow Password Repository Mapping Default Remember-Me Device Deletion Flow Default Remember-Me Device Deletion Flow mTAN Verification Step mTAN Verification Step Conditional Value Map Provider FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Application Portal Target Config Legacy Email OTP Authentication Step Legacy Email OTP Authentication Step Never Migrate Step Never Migrate Step Selection Step for Self-Service Selection Step for Self-Service Cronto Letter Order Step Config Cronto Letter Order Step Config No Operation Step No Operation Step Terms Of Services Step Terms Of Services Step Role-based Tag Acquisition Step Role-based Tag Acquisition Step FIDO Passwordless Authentication Step FIDO Passwordless Authentication Step Disable Cronto Push Initiation Step Disable Cronto Push Initiation Step Stop User Representation Step Stop User Representation Step Acknowledge Message Step Acknowledge Message Step HTTP Basic Authentication Step HTTP Basic Authentication Step Target Applications and Authentication Airlock 2FA Mobile Only Authentication Step Airlock 2FA Mobile Only Authentication Step Generic ID Propagator Voluntary Password Change Step Voluntary Password Change Step Remember-Me Device List Remember-Me Device List SAML 2.0 SP User Identifying Step SAML 2.0 SP User Identifying Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Consents Delete Initiation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Step (with additional Activation) OAuth 2.0 Consent List OAuth 2.0 Consent List Default OAuth 2.0 Consent Grant Flow Default OAuth 2.0 Consent Grant Flow Username Generation Step Config Username Generation Step Config Remember-Me Reset Step Remember-Me Reset Step Default FIDO Credential Removal Flow Delete OAuth 2.0 Session Initiation Step Delete OAuth 2.0 Session Initiation Step OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset 
Step Selection Step Selection Step
    Properties
    Regex Pattern (regexPattern)
    Description
    If the regex pattern matches the value provided by the value provider, the condition is fulfilled.
    Attributes
    RegEx
    Mandatory
    Is Fulfilled If Value Is Null (isFulfilledIfValueIsNull)
    Description
    If checked, the condition is fulfilled if the provided value is null. If unchecked, the condition is unfulfilled in that situation.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.condition.StringRegexConditionConfig
    id: StringRegexConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      isFulfilledIfValueIsNull: false
      regexPattern:
      valueProvider:
    

    String Transformation Failed Config

    Description
    Lets the string transformation process fail. Can be used as last step in a string transformation chain to ensure that transformation fails if no transformer stopped the transformation.
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.location.transform.StringTransformationFailedConfig
    id: StringTransformationFailedConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    String User Context Data Item

    Description
    User context data item that stores a string value. This plugin must not be used for aliases.
    Properties
    Context Data Name (contextDataName)
    Description
    The context data item in the context data.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Required (required)
    Description
    Specifies whether this context data item is required for the step to validate successfully.
    Attributes
    Boolean
    Optional
    Default value
    true
    Validators (validators)
    Description
    The validators for this context data item.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.item.StringContextDataItemDefinitionConfig
    id: StringContextDataItemDefinitionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataName:
      required: true
      validators:
    

    String User Profile Item

    Description
    Plugin to hold a configurable user profile item of type string. This will be represented as a text input field and its value is added to the user's context data, provided that the property name matches the property name in the configured user data. A regular expression can be given to check the input, e.g. to ensure that it has the format of an email address.
    Properties
    Validation Pattern (validationPattern)
    Description

    Pattern for validating the value of the field.

    The provided regex is used in Java for server-side validation and potentially in JavaScript for client-side validation. The capabilities of these regex interpreters differ. Therefore, make sure to only use patterns that behave identically in both interpreters.

    Attributes
    RegEx
    Optional
    Check Uniqueness (checkUniqueness)
    Description

    If defined, the user persister is used to check whether the value is unique by querying the corresponding user iterator plugin.

    This user iterator must provide the context data value specified by this profile item.
    Usually, the same plugin is used that was used to load the user data to the form this profile item is part of.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Check Uniqueness Against Username (checkUniquenessAgainstUsername)
    Description

    If set to true, uniqueness is also checked against the username. The value entered by the user must exist neither in the configured property nor as a username. This is mainly used in conjunction with a username transformer, where login is possible with an alias property in addition to the username.

    This flag is only checked if checkUniqueness is configured.

    Attributes
    Boolean
    Optional
    Default value
    false
    Prefill (prefill)
    Description
    If configured, the profile item is prefilled with the provided value. This feature can be used to suggest possible values to administrators or to prefill a common value when creating a user via the Adminapp UI. This property only has an effect when creating a user. Furthermore, it is only allowed for mandatory items because only mandatory items are displayed in the user create dialog.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    String Resource Key (stringResourceKey)
    Description
    String identifier for the language-specific string tables.
    Attributes
    String
    Mandatory
    Example
    userdata.label.salutation
    Example
    userdata.label.firstname
    Example
    userdata.label.lastname
    Example
    userdata.label.email
    Example
    userdata.label.nationality
    Example
    userdata.label.birthdate
    Example
    userdata.label.street
    Example
    userdata.label.street-number
    Example
    userdata.label.address2
    Example
    userdata.label.zipcode
    Example
    userdata.label.town
    Example
    userdata.label.state
    Example
    userdata.label.country
    Example
    userdata.label.company
    Example
    userdata.label.department
    Example
    userdata.label.office-phone
    Example
    userdata.label.mobile-phone
    Example
    userdata.label.language
    Example
    userdata.label.correspondence-language
    Example
    userdata.label.realm
    Property Name (propertyName)
    Description
    Name of the context-data field in which the value is stored.
    Attributes
    String
    Mandatory
    Example
    surname
    Example
    givenname
    Example
    email
    Example
    mtan_number
    Optional (optional)
    Description
    If this field is optional or mandatory for the user.
    Attributes
    Boolean
    Optional
    Default value
    true
    Modifiable (modifiable)
    Description
    Indicates if the user is allowed to change this property once it is set. Specifically, if this flag is set to false, then during self-registration the property could be set, but when editing the user data, this property would be read-only.
    Attributes
    Boolean
    Optional
    Default value
    true
    Validate Only Changed Values (validateOnlyChangedValues)
    Description
    If enabled, only values that have been changed by the user (compared to the data loaded from the data layer) are validated.
    Attributes
    Boolean
    Optional
    Default value
    true
    Sortable (sortable)
    Description
    If enabled, the attribute is sortable in the user list if the underlying user iterator supports sorting.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.userprofile.StringUserProfileItemConfig
    id: StringUserProfileItemConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      checkUniqueness:
      checkUniquenessAgainstUsername: false
      modifiable: true
      optional: true
      prefill:
      propertyName:
      sortable: true
      stringResourceKey:
      validateOnlyChangedValues: true
      validationPattern:
    

    String Value Provider Custom Claim

    Description
    A custom string value claim that contains the values of the specified String Provider.

    This custom claim allows providing flow information into JWT tokens as a custom claim.

    Properties
    Claim Name (claimName)
    Description
    The name (JSON key) of the claim.

    Attention: If a custom claim with this same claim name already exists, it will result in a runtime error.

    Using a registered claim name (see RFC 7519) might cause the claim to be ignored or an exception to be thrown.
    Attributes
    String
    Mandatory
    Example
    firstname
    Example
    street
    Example
    zip
    Example
    country
    Example
    roles
    Claim Condition (claimCondition)
    Description

    This custom claim will only be added to the issued token if the configured condition is satisfied.

    If no condition is configured, the custom claim will always be added.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.claims.CustomStringValueProviderClaimConfig
    id: CustomStringValueProviderClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claimCondition:
      claimName:
      stringProvider:
    

    String Value Token Controller Element

    Description
    Renders a read-only field for a string property.
    Properties
    Label (label)
    Description
    Label for the field. The UI treats it as a key to translate. If there is no translation, the label is shown in the UI as is.
    Attributes
    String
    Mandatory
    Example
    userdata.label.email
    Example
    user.securid.username
    Property (property)
    Description
    The property to use as value for this field.

    The referenced property must be available in the attributes value of the generic token REST call response. If the property is nested, e.g. inside the contextData key, it can be referenced with dot notation (see example values).

    The ID of the response is referenced by using the reserved value @id.

    Attributes
    String
    Mandatory
    Example
    serialNumber
    Example
    contextData.email
    Example
    @id
    Hide If Empty (hideIfEmpty)
    Description
    If enabled, this UI element is hidden if it has no value.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.generic.ui.StringValueTokenControllerUiElementConfig
    id: StringValueTokenControllerUiElementConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      hideIfEmpty: true
      label:
      property:
    

    String-Array From Subject Token (OAuth 2.0 Token Exchange)

    Description

    Sets the claim to the configured string-array data value of the subject token.

    Only string-array values will be considered. If the referenced subject token data is not an array or if its elements are not all strings, it will be ignored and the claim value will not be set.

    If the configured subject token data is not present, is an empty array, or none of its values match a configured pattern, the claim value will not be set.

    Properties
    Subject Token Data Name (subjectTokenDataName)
    Description
    The subject token claim to use. The referenced value must be a string array.
    Attributes
    String
    Mandatory
    Example
    aud
    Example
    claim1
    Example
    roles
    Example
    context-data
    Value Filters (valueFilters)
    Description

    An optional list of regular expressions. If the list is configured, only values in the configured subject token data matching at least one of the regular expressions will be added. Claim values that do not match any of the configured regular expressions will be ignored. If the list is not configured, all the values in the configured subject token data will be added.

    If the list is configured and none of the subject token data values match any of the configured patterns, the claim value will not be set.

    Attributes
    RegEx-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtSubjectTokenStringArrayClaimValueConfig
    id: OAuth2TokenExchangeJwtSubjectTokenStringArrayClaimValueConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      subjectTokenDataName:
      valueFilters:
    

    String-based Role Provider

    Description
    Provides a list of roles by parsing the values provided by a string provider.
    Properties
    Value Provider (valueProvider)
    Description
    String provider providing a list of roles separated by the separator below. Each role consists of a name that can be followed by an idle timeout and a lifetime, each separated by a colon. Example: "roleA,admin:600:3600,roleB"
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Separator (separator)
    Description
    Separator between the roles.
    Attributes
    String
    Optional
    Default value
    ,
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.valueprovider.StringBasedRoleProviderConfig
    id: StringBasedRoleProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      separator: ,
      valueProvider:
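
    As an added example (not Airlock IAM code), the following Python parses the role-list format described above, "name[:idleTimeout[:lifetime]]" entries joined by the configured separator. It fails closed on malformed entries; the permitted role-name characters are an assumption, since the reference does not define them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Airlock IAM code: a parser for the role-list format the
# String-based Role Provider reads, i.e. entries "name[:idleTimeout[:lifetime]]"
# joined by the configured separator (default ","). The allowed role-name
# characters are an assumption; the reference does not define them.
ROLE_NAME = re.compile(r"^[A-Za-z0-9_.\-]+$")


@dataclass(frozen=True)
class Role:
    name: str
    idle_timeout: Optional[int] = None  # seconds; None when not given in the entry
    lifetime: Optional[int] = None      # seconds; None when not given in the entry


def parse_roles(value: str, separator: str = ",") -> List[Role]:
    """Parse e.g. "roleA,admin:600:3600,roleB" into Role objects.

    Malformed entries raise ValueError instead of being skipped, so that a
    corrupt upstream value never silently yields a different role set.
    """
    roles: List[Role] = []
    for raw in value.split(separator):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing or doubled separator
        parts = entry.split(":")
        if len(parts) > 3:
            raise ValueError(f"too many fields in role entry {entry!r}")
        name = parts[0]
        if not ROLE_NAME.match(name):
            raise ValueError(f"invalid role name {name!r}")
        timeouts: List[int] = []
        for field in parts[1:]:
            if not field.isdigit():
                raise ValueError(f"non-numeric timeout in role entry {entry!r}")
            timeouts.append(int(field))
        idle = timeouts[0] if len(timeouts) > 0 else None
        life = timeouts[1] if len(timeouts) > 1 else None
        roles.append(Role(name, idle, life))
    return roles
```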
    

    Subject From Subject Token (OAuth 2.0 Token Exchange)

    Description

    Sets the claim value to that of the subject token's "sub" data.

    Only string values are considered. If the subject token's "sub" data is not a string value, it will be ignored.

    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtSubjectTokenSubjectClaimValueConfig
    id: OAuth2TokenExchangeJwtSubjectTokenSubjectClaimValueConfig-xxxxxx
    displayName: 
    comment: 
    properties:
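
    As an added example (not Airlock IAM code), the following Python reproduces the claim-value rules documented for String-Array From Subject Token and Subject From Subject Token: a value is returned only when the subject token data has the documented shape, otherwise None, meaning the claim is not set. Whether a value filter must match the whole value is an assumption; the reference does not say.

```python
import re
from typing import Any, Dict, List, Optional

# Added example, not Airlock IAM code. Implements the documented selection rules
# for two OAuth 2.0 Token Exchange claim sources. Returning None means "claim not
# set", which is the documented behaviour for missing or wrongly typed data.


def string_array_claim_value(subject_token: Dict[str, Any],
                             subject_token_data_name: str,
                             value_filters: Optional[List[str]] = None
                             ) -> Optional[List[str]]:
    """Rule "String-Array From Subject Token"."""
    data = subject_token.get(subject_token_data_name)
    # Not present, not an array, or not all elements strings: ignored.
    if not isinstance(data, list) or not all(isinstance(v, str) for v in data):
        return None
    if not data:
        return None  # empty array: claim not set
    if value_filters:
        # Assumption: a filter matches when the whole value matches it.
        patterns = [re.compile(p) for p in value_filters]
        data = [v for v in data if any(p.fullmatch(v) for p in patterns)]
        if not data:
            return None  # nothing matched any configured pattern
    return data


def subject_claim_value(subject_token: Dict[str, Any]) -> Optional[str]:
    """Rule "Subject From Subject Token": only a string "sub" is considered."""
    sub = subject_token.get("sub")
    return sub if isinstance(sub, str) else None
```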
    

    Subject Token Unsigned Claims Extractor

    Description
    Requires a subject token to be present in the token exchange request, but does not check the signature. Tokens are expected to have at least the following claims: iss, sub. If present, the claims exp and nbf are validated.
    Caution: JWT tokens with alg=none are accepted; this may be a security risk.
    May be used by
    Properties
    Allowed Token Issuers (allowedTokenIssuers)
    Description
    Only tokens issued by these issuers can be exchanged at the endpoint. If left empty, all issuers are allowed.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.tokenexchange.OAuth2SubjectTokenUnsignedClaimsExtractorConfig
    id: OAuth2SubjectTokenUnsignedClaimsExtractorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedTokenIssuers:
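
    The following added example (not Airlock IAM code) implements the checks the reference lists for this extractor: the JWT is parsed without signature verification, iss and sub must be present, exp and nbf are validated when present, and an optional issuer allowlist is enforced. It also returns the header alg next to the claims so a caller can log or count alg=none tokens; the token builder at the end is a constructed test fixture.

```python
import base64
import json
import time
from typing import Any, Dict, Iterable, Optional

# Added example, not Airlock IAM code. Mirrors the documented behaviour of the
# Subject Token Unsigned Claims Extractor: no signature check, required claims
# iss and sub, exp/nbf validated when present, optional issuer allowlist.


class TokenRejected(ValueError):
    """Raised when the subject token does not satisfy the documented checks."""


def _b64url_json(segment: str) -> Dict[str, Any]:
    padded = segment + "=" * (-len(segment) % 4)
    try:
        obj = json.loads(base64.urlsafe_b64decode(padded.encode("ascii")))
    except ValueError as exc:  # binascii.Error, JSONDecodeError, UnicodeError
        raise TokenRejected(f"segment is not base64url JSON: {exc}") from exc
    if not isinstance(obj, dict):
        raise TokenRejected("segment is not a JSON object")
    return obj


def extract_unsigned_claims(token: str,
                            allowed_issuers: Iterable[str] = (),
                            now: Optional[int] = None) -> Dict[str, Any]:
    """Return {"alg": <header alg>, "claims": {...}} or raise TokenRejected.

    The signature segment is deliberately not verified, exactly as documented
    for this extractor; "alg" is surfaced so that "none" can be detected.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("expected three JWT segments")
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    for required in ("iss", "sub"):
        if required not in claims:
            raise TokenRejected(f"missing required claim {required!r}")
    allowed = set(allowed_issuers)
    if allowed and claims["iss"] not in allowed:  # empty list: all issuers allowed
        raise TokenRejected(f"issuer {claims['iss']!r} is not allowed")
    now = int(time.time()) if now is None else now
    # exp: token is valid only strictly before exp; nbf: only at or after nbf.
    for name, ok in (("exp", lambda t: now < t), ("nbf", lambda t: now >= t)):
        if name in claims:
            value = claims[name]
            if isinstance(value, bool) or not isinstance(value, (int, float)) or not ok(value):
                raise TokenRejected(f"claim {name!r} rejects the token")
    return {"alg": header.get("alg"), "claims": claims}


def make_unsigned_jwt(claims: Dict[str, Any]) -> str:
    """Constructed test fixture: an alg=none token with an empty signature."""
    def enc(obj: Dict[str, Any]) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```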
    

    Swiss Post Barcode Generator

    Description
    This plugin generates barcodes compatible with Swiss Post. The barcodes can be added to the address section of letters and contain the franking licence (Frankierlizenz) as well as a unique sequence number (Sendungsnummer) identifying the letter.
    Properties
    Service Code (serviceCode)
    Description
    The 2-digit service code.
    • 98: Used for shipping letters (Briefpost)
    Attributes
    String
    Mandatory
    Length <= 2
    Length >= 2
    Suggested values
    98
    Franking Licence (frankingLicence)
    Description
    The 8-digit franking licence (Frankierlizenz) provided by Swiss Post. Please enter it without punctuation: if the franking licence is 34.065128, enter 34065128. Include leading zeros.
    Attributes
    String
    Mandatory
    Length <= 8
    Length >= 8
    Example
    34065128
    Example
    00123456
    Sequence Generator (sequenceGenerator)
    Description
    The sequence generator used to generate the unique sequence number.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Width (width)
    Description

    Width of the barcode image in pixels.

    Note: The barcode uses a fixed number of pixels per encoded character. Therefore, the resulting barcode image may contain padding bits to the left and right if the width is larger than required but not large enough to support more bits per character. Widths resulting in little padding are, e.g., 150, 280, 410, or 540.

    Attributes
    Integer
    Optional
    Default value
    280
    Height (height)
    Description
    Height of the barcode in pixels.
    Attributes
    Integer
    Optional
    Default value
    30
    Margins (margins)
    Description
    The margins before and after the barcode (horizontally) in pixels. Note that even if margins are set to zero, the resulting barcode may contain padding pixels.
    Attributes
    Integer
    Optional
    Default value
    0
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.report.barcode.SwissPostBarcodeGenerator
    id: SwissPostBarcodeGenerator-xxxxxx
    displayName: 
    comment: 
    properties:
      frankingLicence:
      height: 30
      margins: 0
      sequenceGenerator:
      serviceCode:
      width: 280
    

    Swiss Post Tracking Service

    Description
    Webservice client accessing the Swiss Post TrackAndTrace Services.
    Properties
    Username (username)
    Description
    The username of the technical user for the post service.
    Attributes
    String
    Mandatory
    Password (password)
    Description
    The password of the technical user for the post service.
    Attributes
    String
    Mandatory
    Sensitive
    WSDL Location (wsdlLocation)
    Description
    The path to fetch the WSDL at runtime.
    Attributes
    String
    Optional
    Default value
    /ch/post/npp/trackandtracedfuws/v02/TrackAndTraceDFU.wsdl
    Namespace URI (namespaceUri)
    Description
    The namespace of the post services.
    Attributes
    String
    Optional
    Default value
    http://www.post.ch/npp/trackandtracedfuws/v02
    Track And Trace Service (trackAndTraceService)
    Description
    The service name.
    Attributes
    String
    Optional
    Default value
    TrackAndTraceDFU.ws
    Enable Detailed Event Number Mapping (enableDetailedEventNumberMapping)
    Description
    Enables the individual mapping of event codes (web service) to internal states. The first matching mapping is applied. If no mapping is found, the resulting internal status is UNKNOWN.
    Attributes
    Boolean
    Optional
    Default value
    false
    Delivered Event Codes (deliveredEventCodes)
    Description
    The event codes mapped to the status "DELIVERED". Comma-separated list of numbers.
    Attributes
    String
    Optional
    Default value
    7,20,21,24,38,39,40,42,46,63
    Example
    1,2,3
    Being Processed Event Codes (beingProcessedEventCodes)
    Description
    The event codes mapped to the status "BEING PROCESSED". Comma-separated list of numbers.
    Attributes
    String
    Optional
    Default value
    1,2,4,5,6,10,11,12,13,14,15,18,19,35,54,55,88,91,92,94
    Example
    1,2,3
    Not Delivered Event Codes (notDeliveredEventCodes)
    Description
    The event codes mapped to the status "NOT DELIVERED". Comma-separated list of numbers.
    Attributes
    String
    Optional
    Default value
    16,17,31,34,36,37,41,47,48,49,51,98
    Example
    1,2,3
    Return To Sender Event Codes (returnToSenderEventCodes)
    Description
    The event codes mapped to the status "NOT DELIVERED". Comma-separated list of numbers. These event codes lead to the "NOT DELIVERED" status even if they appear not in the newest event but in an older, preceding event.
    Attributes
    String
    Optional
    Default value
    36
    Example
    1,2,3
    Maintain Session State (maintainSessionState)
    Description
    Set this property to true if the web service client is part of a client that should maintain session state across multiple calls to the service. When using HTTP to transport the request, this means that the web service client sends back cookies set by the server.
    This is usually not necessary. By default this feature is turned off.
    Attributes
    Boolean
    Optional
    Default value
    false
    Proxy Host (proxyHost)
    Description
    The http proxy host to use for all HTTP connections if any.

    IMPORTANT NOTE: If a proxy is specified, it is set via the Java system properties and therefore applies to the whole Java virtual machine. This may influence other software components or plug-ins. Furthermore, different instances of this plug-in can only use the same proxy, because the system properties are global.
    Attributes
    String
    Optional
    Example
    proxy.company.com
    Proxy Port (proxyPort)
    Description
    The http proxy port to use for all HTTP connections if any.

    IMPORTANT NOTE: If a proxy is specified, it is set via the Java system properties and therefore applies to the whole Java virtual machine. This may influence other software components or plug-ins. Furthermore, different instances of this plug-in can only use the same proxy port, because the system properties are global.
    Attributes
    Integer
    Optional
    Service Endpoint Urls (serviceEndpointUrls)
    Description
    The URL(s) of the web service endpoint(s). If more than one service endpoint is specified, the client operates in failover mode: in case of a connection failure, it tries one entry after the other in the given order until a connection succeeds.
    Note that the service name must not be added to the URL here.
    Attributes
    String-List
    Mandatory
    Revert To First Server Timeout (revertToFirstServerTimeout)
    Description
    Used only for failover with multiple service endpoints:
    Timeout in milliseconds after which the first server in the list is tried again, even though another server could be reached recently. This is used to prioritize the first server and make sure the client does not permanently switch to another server even though the first one may be available again.

    Use this property if you want to make sure that every client mostly uses its preferred server. It should not be set too short, to avoid trying the first (unreachable) server again for every consecutive call.

    If left empty or not defined, the client keeps using whatever server it can currently connect to successfully.
    Attributes
    Integer
    Optional
    Connection Timeout (connectionTimeout)
    Description
    The TCP connection timeout in milliseconds to set for all service connections made by this plugin. This property defines the time the client is waiting for an answer when trying to open a new TCP connection.

    If left empty or not defined, the OS defaults are used (which may result in infinite timeouts in some cases).
    Attributes
    Integer
    Optional
    Read Timeout (readTimeout)
    Description
    The TCP read timeout in milliseconds to set for all service connections made by this plugin. This property defines the time the client waits for an answer on an already established connection. Adjusting this property might be necessary if the server needs a long time to answer a request, for example if sending an SMS to an external system can take a long time.

    If left empty or not defined, the OS defaults are used (which may result in infinite timeouts in some cases).
    Attributes
    Integer
    Optional
    Keystore (keystore)
    Description
    To enable SSL connections, provide a JKS or PKCS12 keystore containing
    • Airlock IAM client certificate for authenticating towards the server
    • The trusted server certificate(s)
    Attributes
    File/Path
    Optional
    Keystore Password (keystorePassword)
    Description
    The password for the keystore and private key of the client certificate.
    Attributes
    String
    Optional
    Sensitive
    Example
    secret
    Trust All Server Certificates (trustAllServerCertificates)
    Description
    Tells if all server certificates should be trusted. Note: Only enable this flag for testing.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.trackingservice.SwissPostTrackingService
    id: SwissPostTrackingService-xxxxxx
    displayName: 
    comment: 
    properties:
      beingProcessedEventCodes: 1,2,4,5,6,10,11,12,13,14,15,18,19,35,54,55,88,91,92,94
      connectionTimeout:
      deliveredEventCodes: 7,20,21,24,38,39,40,42,46,63
      enableDetailedEventNumberMapping: false
      keystore:
      keystorePassword:
      maintainSessionState: false
      namespaceUri: http://www.post.ch/npp/trackandtracedfuws/v02
      notDeliveredEventCodes: 16,17,31,34,36,37,41,47,48,49,51,98
      password:
      proxyHost:
      proxyPort:
      readTimeout:
      returnToSenderEventCodes: 36
      revertToFirstServerTimeout:
      serviceEndpointUrls:
      trackAndTraceService: TrackAndTraceDFU.ws
      trustAllServerCertificates: false
      username:
      wsdlLocation: /ch/post/npp/trackandtracedfuws/v02/TrackAndTraceDFU.wsdl
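
    As an added example (not Airlock IAM code), the following Python applies the event-code mapping described for the Enable Detailed Event Number Mapping and event-code properties above, using the reference's default code lists: the newest event's code is looked up list by list (first match wins, UNKNOWN otherwise), while a return-to-sender code yields "NOT DELIVERED" even when it occurs in an older event. The order in which the three lists are consulted is an assumption.

```python
from enum import Enum
from typing import List, Sequence

# Added example, not Airlock IAM code. Applies the documented event-code mapping
# of the Swiss Post Tracking Service to a list of event codes, newest first.


class DeliveryStatus(Enum):
    DELIVERED = "DELIVERED"
    BEING_PROCESSED = "BEING PROCESSED"
    NOT_DELIVERED = "NOT DELIVERED"
    UNKNOWN = "UNKNOWN"


def parse_codes(csv: str) -> List[int]:
    """Parse a comma-separated code list such as "7,20,21"; blanks are ignored."""
    return [int(c) for c in csv.split(",") if c.strip()]


def map_events(event_codes_newest_first: Sequence[int],
               delivered: str = "7,20,21,24,38,39,40,42,46,63",
               being_processed: str = "1,2,4,5,6,10,11,12,13,14,15,18,19,35,54,55,88,91,92,94",
               not_delivered: str = "16,17,31,34,36,37,41,47,48,49,51,98",
               return_to_sender: str = "36") -> DeliveryStatus:
    """Map a shipment's event history (newest event first) to an internal status."""
    if not event_codes_newest_first:
        return DeliveryStatus.UNKNOWN
    # Return-to-sender codes count even in older, preceding events.
    rts = set(parse_codes(return_to_sender))
    if any(code in rts for code in event_codes_newest_first):
        return DeliveryStatus.NOT_DELIVERED
    # Assumption: lists are consulted in the order they appear in the reference;
    # the first list containing the newest code wins.
    ordered = (
        (DeliveryStatus.DELIVERED, delivered),
        (DeliveryStatus.BEING_PROCESSED, being_processed),
        (DeliveryStatus.NOT_DELIVERED, not_delivered),
    )
    newest = event_codes_newest_first[0]
    for status, csv in ordered:
        if newest in parse_codes(csv):
            return status
    return DeliveryStatus.UNKNOWN
```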
    

    Swisscom REST SMS Gateway

    Description
    SMS gateway implementation used to send SMS over the Swisscom SMS Large Account REST gateway.

    Please note: Only characters of the ISO 8859-1 charset can be used. Additionally, the charset that can be used depends on the settings of the Swisscom SMS Large Account.

    Properties
    Service URI (serviceUri)
    Description
    The service URI of the Swisscom REST SMS gateway using the HTTPS protocol.
    Attributes
    String
    Mandatory
    Example
    https://messagingproxy.swisscom.ch:4300/rest/1.0.0/
    Account ID (accountId)
    Description
    The account id as provided by Swisscom (e.g. Short ID).
    Attributes
    String
    Mandatory
    System ID (systemId)
    Description
    The system id as provided by Swisscom (e.g. Short ID).
    Attributes
    String
    Mandatory
    Password (password)
    Description
    The password as provided by Swisscom.
    Attributes
    String
    Mandatory
    Sensitive
    Proxy Host (proxyHost)
    Description
    The hostname of the HTTP proxy server (if any).
    Attributes
    String
    Optional
    Example
    proxy.company.com
    Proxy Port (proxyPort)
    Description
    The port of the HTTP proxy server (if any).
    Attributes
    Integer
    Optional
    Proxy Login User (proxyLoginUser)
    Description
    Username for the http proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Proxy Login Password (proxyLoginPassword)
    Description
    Password for the http proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Sensitive
    Allow Only Trusted Certs (allowOnlyTrustedCerts)
    Description

    Only allow connections to servers whose certificate is trusted. See documentation of property "Trust Store Path" for more information about what certificates are trusted.

    Security warning: Trusting all certificates allows connections to adversarial hosts. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Verify Server Hostname (verifyServerHostname)
    Description

    Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

    Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Trust Store Path (trustStorePath)
    Description

    Keystore file name containing trusted certificate issuers (and trusted certificates).

    If this property is not defined the following certificate issuers are trusted:

    • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
    • The list of issuers in a keystore referenced by system property "javax.net.ssl.trustStore" if defined in instance.properties using iam.java.opts

    If this property is defined then the following certificate issuers are trusted:

    • The list of issuers in the referenced truststore file and no others.

    This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

    Attributes
    File/Path
    Optional
    Trust Store Type (trustStoreType)
    Description
    Identifies the type of the keystore.
    Attributes
    String
    Optional
    Default value
    JKS
    Allowed values
    JKS, PKCS12
    Trust Store Password (trustStorePassword)
    Description
    The password used to verify the authenticity of the trust store.

    Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

    • JKS: the keystore can be opened and used but the integrity of the keystore is not checked.
    • PKCS12: an error occurs.

    Attributes
    String
    Optional
    Sensitive
    Connection/Read Timeout [s] (connectTimeout)
    Description
    The timeout in seconds used for connection timeout and read timeout.
    Therefore, a connection may take a maximum of twice this time until it is aborted.
    Attributes
    Integer
    Optional
    Default value
    10
    Correlation ID Header Name (correlationIdHeaderName)
    Description

    When configured, all requests sent contain a header with the correlation ID with the configured name. If no value or an empty value is specified, the correlation ID header is not sent.

    If the correlation ID is not defined, the correlation ID header is not included in sent requests.

    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9_-]+
    Suggested values
    X-Correlation-ID
    Visible Phone Number Digits In Log (visiblePhoneNumberDigitsInLog)
    Description

    Defines the number of phone number digits visible in log statements.

    If the value is zero, all digits are masked; if it is large enough, all digits are visible. If set to 3, for example, the logged number looks like ********965.

    The default is 100, i.e. showing all digits.

    Attributes
    Integer
    Optional
    Default value
    100
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sms.SwisscomRestSmsGateway
    id: SwisscomRestSmsGateway-xxxxxx
    displayName: 
    comment: 
    properties:
      accountId:
      allowOnlyTrustedCerts: true
      connectTimeout: 10
      correlationIdHeaderName:
      password:
      proxyHost:
      proxyLoginPassword:
      proxyLoginUser:
      proxyPort:
      serviceUri:
      systemId:
      trustStorePassword:
      trustStorePath:
      trustStoreType: JKS
      verifyServerHostname: true
      visiblePhoneNumberDigitsInLog: 100
    

    Swissphone SMS Gateway

    Description
    SMS gateway implementation used to send SMS messages over the highly secured Swissphone IMASYS XML gateway.

    The URL configured in this plugin (SwissphoneSmsGateway.Portal List Distribution URL) is called to get a list of available gateways.

    Properties
    Portal List Distribution URL (portalListDistributionUrl)
    Description
    URL of the portal list distribution host. This server provides a constantly updated list of ISPortals, i.e. the message gateways used to submit SMS messages.
    Attributes
    String
    Mandatory
    Suggested values
    https://imasys1.swissphone-gateway.com/IS/GetPortalList.aspx
    Portal List Distribution Port (portalListDistributionPort)
    Description
    The port of the portal list distribution server.
    Attributes
    Integer
    Optional
    Default value
    443
    Username (username)
    Description
    Username used to access the IMASYS XML gateway functions.
    Attributes
    String
    Mandatory
    Example
    user1234
    Password (password)
    Description
    Password used to access the IMASYS XML gateway functions.
    Attributes
    String
    Mandatory
    Sensitive
    Long Sms Option Enabled (longSmsOptionEnabled)
    Description
    Long SMS option is enabled.
    Attributes
    Boolean
    Optional
    Default value
    false
    Priority (priority)
    Description
    The priority of the message.
    Attributes
    Enum
    Optional
    Default value
    high
    Proxy Host (proxyHost)
    Description
    The hostname of the HTTP proxy server (if any).
    Attributes
    String
    Optional
    Example
    proxy.company.com
    Proxy Port (proxyPort)
    Description
    The port of the HTTP proxy server (if any).
    Attributes
    Integer
    Optional
    Proxy Login User (proxyLoginUser)
    Description
    Username for the http proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Proxy Login Password (proxyLoginPassword)
    Description
    Password for the http proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Sensitive
    Allow Only Trusted Certs (allowOnlyTrustedCerts)
    Description

    Only allow connections to servers whose certificate is trusted. See documentation of property "Trust Store Path" for more information about what certificates are trusted.

    Security warning: Trusting all certificates allows connections to adversarial hosts. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Verify Server Hostname (verifyServerHostname)
    Description

    Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

    Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Trust Store Path (trustStorePath)
    Description

    Keystore file name containing trusted certificate issuers (and trusted certificates).

    If this property is not defined the following certificate issuers are trusted:

    • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
    • The list of issuers in a keystore referenced by system property "javax.net.ssl.trustStore" if defined in instance.properties using iam.java.opts

    If this property is defined then the following certificate issuers are trusted:

    • The list of issuers in the referenced truststore file and no others.

    This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

    Attributes
    File/Path
    Optional
    Trust Store Type (trustStoreType)
    Description
    Identifies the type of the keystore.
    Attributes
    String
    Optional
    Default value
    JKS
    Allowed values
    JKS, PKCS12
    Trust Store Password (trustStorePassword)
    Description
    The password used to verify the authenticity of the trust store.

    Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

    • JKS: the keystore can be opened and used but the integrity of the keystore is not checked.
    • PKCS12: an error occurs.

    Attributes
    String
    Optional
    Sensitive
    Connection/Read Timeout [s] (connectTimeout)
    Description
    The timeout in seconds used for connection timeout and read timeout.
    Therefore, a connection may take a maximum of twice this time until it is aborted.
    Attributes
    Integer
    Optional
    Default value
    10
    Correlation ID Header Name (correlationIdHeaderName)
    Description

    When configured, all requests sent contain a header with the correlation ID with the configured name. If no value or an empty value is specified, the correlation ID header is not sent.

    If the correlation ID is not defined, the correlation ID header is not included in sent requests.

    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9_-]+
    Suggested values
    X-Correlation-ID
    Visible Phone Number Digits In Log (visiblePhoneNumberDigitsInLog)
    Description

    Defines the number of phone number digits visible in log statements.

    If the value is zero, all digits are masked; if it is large enough, all digits are visible. If set to 3, for example, the logged number looks like ********965.

    The default is 100, i.e. showing all digits.

    Attributes
    Integer
    Optional
    Default value
    100
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sms.SwissphoneSmsGateway
    id: SwissphoneSmsGateway-xxxxxx
    displayName: 
    comment: 
    properties:
      allowOnlyTrustedCerts: true
      connectTimeout: 10
      correlationIdHeaderName:
      longSmsOptionEnabled: false
      password:
      portalListDistributionPort: 443
      portalListDistributionUrl:
      priority: high
      proxyHost:
      proxyLoginPassword:
      proxyLoginUser:
      proxyPort:
      trustStorePassword:
      trustStorePath:
      trustStoreType: JKS
      username:
      verifyServerHostname: true
      visiblePhoneNumberDigitsInLog: 100
    

    Tag

    Description
    Can be used for precondition and skip condition checks.
    May be used by
    mTAN Transaction Approval Step, Secret Questions Identity Verification Step, Set Authentication Method Migration Step, Airlock 2FA Authentication Step, Complete Migration Step, Airlock 2FA Recovery Trusted Session Binding Step, Typical User Agent Risk Extractor, Email Identity Verification Step, Scriptable Step, Airlock 2FA Self-Service Approval Step, Session Hijacking Notification Risk Extractor Config, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Account Link Linking Initiation Step, Removed Roles Mapping, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, OATH OTP Activation Step, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Client Fingerprinting Score Risk Extractor, SSI Issuance Step, Has Tag, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Delete FIDO Credential Initiation Step, Login From New Device Step, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Anomaly Shield State Risk Extractor Config, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Static Values To Tags, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Tag-based Role Provider, Apply Changes Step, Impossible Journey Risk Extractor, User Persisting Step Config, Start User Representation Step, Mandatory Password Change Step Config, Cronto Activation Required, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, SSO Ticket Tag Extractor, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, Typical Geolocation Risk Extractor, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Username Password Authentication Step, Certificate Credential Extraction Step Config, Set Password Step Config, Password Change Self-Service Step, SSI Verification Step, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Vasco OTP Device Activation, User Role Assignment Step Config, mTAN Self-Service Approval Step, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Delete mTAN Number Initiation Step, Tag-based Gateway Role, SSI Authentication Step, mTAN Verification Step, FIDO Credential Display Name Change Step, Legacy Email OTP Authentication Step, Never Migrate Step, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, IP Address Range Risk Extractor, Acknowledge Message Step, HTTP Basic Authentication Step, Airlock 2FA Mobile Only Authentication Step, Voluntary Password Change Step, SAML 2.0 SP User Identifying Step, Cronto Activation Possible, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), Username Generation Step Config, Remember-Me Reset Step, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step
    Properties
    Name (name)
    Description
    The name of the tag.
    Attributes
    String
    Mandatory
    Length <= 50
    Length >= 1
    Validation RegEx: [a-zA-Z0-9_.\-]+
    Suggested values
    PASSWORD_VERIFIED, MTAN_OTP_VERIFIED, CRONTO_OTP_VERIFIED, OATH_OTP_VERIFIED, VASCO_OTP_VERIFIED, OTP_VERIFIED, EMAIL_OTP_VERIFIED, MATRIX_VERIFIED, SSO_TICKET_VERIFIED
    Timeout (timeout)
    Description
    Configures tag timeouts. If not configured, the tag never expires.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.application.configuration.tag.TagConfigImpl
    id: TagConfigImpl-xxxxxx
    displayName: 
    comment: 
    properties:
      name:
      timeout:
    

    Tag Lifetime

    Description
    Allows to define a tag's lifetime.
    May be used by
    Properties
    Lifetime [s] (lifetime)
    Description
    The tag's lifetime in seconds.
    Attributes
    Integer
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.application.configuration.tag.TagLifetimeConfig
    id: TagLifetimeConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      lifetime:
    

    Tag Removal Step Config

    Description
    A flow step to remove tags from the current session.
    Properties
    Tags To Be Removed (tagsToBeRemoved)
    Description
    The tags to be removed from the flow session. If a tag to be removed is not present in the session, nothing happens.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.application.configuration.step.TagRemovalStepConfig
    id: TagRemovalStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      tagsToBeRemoved:
    

    Tag Timeout Using Gateway (WAF)

    Description
    Allows to define a tag's lifetime and idle timeout.
    Warning: Requires Airlock Gateway (WAF), which must be configured using the 'Airlock Gateway Settings' in the 'Loginapp REST Settings'. If no Airlock Gateway Settings are present, the tag will time out immediately after flow completion.
    May be used by
    Properties
    Idle Timeout [s] (idleTimeout)
    Description
    The tag's idle timeout in seconds. If no value is defined, the tag will not idle out if no requests are sent.
    Attributes
    Integer
    Optional
    Lifetime [s] (lifetime)
    Description
    The tag's lifetime in seconds. If no value is defined, the tag will be valid as long as the user's session.
    Attributes
    Integer
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.application.configuration.tag.TagWafTimeoutConfig
    id: TagWafTimeoutConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      idleTimeout:
      lifetime:
    

    Tag-based Gateway Role

    Description
    Provides an Airlock Gateway role conditional on the presence of a tag.
    Properties
    Tag (tag)
    Description
    If the user has this tag, an Airlock Gateway role is added as follows:
    • If the 'Gateway Role Name' is not defined, the tag name is used as an Airlock Gateway role.
    • Otherwise, the 'Gateway Role Name' is used as an Airlock Gateway role.
    • If 'Ignore Tag Timeouts' is not selected:
      • If this plugin has no lifetime, the tag's lifetime, if present, is added to the Airlock Gateway role.
      • If this plugin has no idle timeout, the tag's idle timeout, if present, is added to the Airlock Gateway role.
    • Otherwise, the lifetime and idle timeout from this plugin are used.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Gateway Role Name (airlockGatewayRole)
    Description
    The name can be defined in case a name different from the tag name must be used. Please refer to the property description of 'Tag'.
    Attributes
    String
    Optional
    Length <= 50
    Validation RegEx: [a-zA-Z0-9_.\-]+
    Ignore Tag Timeouts (ignoreTagTimeouts)
    Description
    If enabled, the given timeouts in a tag are overwritten by the values configured in this plugin. Otherwise, all tag timeouts are unchanged.
    Attributes
    Boolean
    Optional
    Default value
    false
    Idle Timeout [s] (idleTimeout)
    Description
    The WAF credential's idle timeout in seconds. The credential will be removed after the WAF session has been idle for this duration.
    Attributes
    Integer
    Optional
    Lifetime [s] (lifetime)
    Description
    The WAF credential's lifetime in seconds. The credential will be removed from the WAF session after this duration.
    Attributes
    Integer
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.targetapp.TagBasedGatewayRoleConfig
    id: TagBasedGatewayRoleConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      airlockGatewayRole:
      idleTimeout:
      ignoreTagTimeouts: false
      lifetime:
      tag:
    
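The role-name and timeout precedence rules described for the 'Tag' property above, written out as an added Python model (illustration only, not Airlock IAM code). The field names mirror the page's properties (airlockGatewayRole, ignoreTagTimeouts, idleTimeout, lifetime) and the tag's own lifetime and idle timeout as set by 'Tag Lifetime' or 'Tag Timeout Using Gateway (WAF)'; the dataclasses and the sample session are constructed for the example.

```python
"""Resolution rules of the Tag-based Gateway Role plugin (added illustration)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Tag:
    """A flow tag as held in the session (assumed model)."""
    name: str
    lifetime: Optional[int] = None       # seconds, from 'Tag Lifetime' / 'Tag Timeout Using Gateway'
    idle_timeout: Optional[int] = None   # seconds, from 'Tag Timeout Using Gateway'


@dataclass(frozen=True)
class TagBasedGatewayRoleConfig:
    """Mirrors the plugin's properties; None means 'not defined'."""
    airlock_gateway_role: Optional[str] = None   # airlockGatewayRole
    ignore_tag_timeouts: bool = False            # ignoreTagTimeouts
    idle_timeout: Optional[int] = None           # idleTimeout [s]
    lifetime: Optional[int] = None               # lifetime [s]


@dataclass(frozen=True)
class GatewayRole:
    """The Airlock Gateway role that ends up in the WAF session."""
    name: str
    lifetime: Optional[int]
    idle_timeout: Optional[int]


def resolve_gateway_role(session_tags: List[Tag], cfg: TagBasedGatewayRoleConfig,
                         tag_name: str) -> Optional[GatewayRole]:
    """Return the gateway role to add, or None when the session lacks the tag."""
    tag = next((t for t in session_tags if t.name == tag_name), None)
    if tag is None:
        return None
    # Role name: 'Gateway Role Name' if defined, otherwise the tag name.
    name = cfg.airlock_gateway_role or tag.name
    if cfg.ignore_tag_timeouts:
        # Tag timeouts are overwritten by the plugin's own values (which may be absent).
        return GatewayRole(name, cfg.lifetime, cfg.idle_timeout)
    # Plugin values win where defined; the tag's timeouts fill the gaps.
    lifetime = cfg.lifetime if cfg.lifetime is not None else tag.lifetime
    idle = cfg.idle_timeout if cfg.idle_timeout is not None else tag.idle_timeout
    return GatewayRole(name, lifetime, idle)


def demo() -> dict:
    """Constructed session and configurations (sample data, not from a real system)."""
    session = [Tag("PASSWORD_VERIFIED"), Tag("MTAN_OTP_VERIFIED", lifetime=300)]
    return {
        # No overrides: role named after the tag, the tag's 300 s lifetime is carried over.
        "inherit": resolve_gateway_role(session, TagBasedGatewayRoleConfig(), "MTAN_OTP_VERIFIED"),
        # Renamed role with a plugin idle timeout; the tag lifetime is still carried over.
        "renamed": resolve_gateway_role(
            session,
            TagBasedGatewayRoleConfig(airlock_gateway_role="strong-auth", idle_timeout=120),
            "MTAN_OTP_VERIFIED"),
        # ignoreTagTimeouts without plugin timeouts: the tag's lifetime is dropped.
        "ignore": resolve_gateway_role(
            session, TagBasedGatewayRoleConfig(ignore_tag_timeouts=True), "MTAN_OTP_VERIFIED"),
        # Tag absent from the session: no role is added.
        "absent": resolve_gateway_role(session, TagBasedGatewayRoleConfig(), "OTP_VERIFIED"),
    }


if __name__ == "__main__":
    for label, role in demo().items():
        print(label, role)
```

The "ignore" case is the one to review in a configuration: enabling 'Ignore Tag Timeouts' without setting 'Lifetime' or 'Idle Timeout' on the plugin removes the expiry that the tag itself carried.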

    Tag-based Role Provider

    Description
    Provides a role for identity propagation conditional on the presence of a tag.
    Properties
    Tag (tag)
    Description
    If the user has this tag, a role is added for identity propagation as follows:
    • If the 'Role Name' is not defined, the tag name is used as the role.
    • Otherwise, the 'Role Name' is used.
    Note that the role only exists for the moment of identity propagation, thus there is no need for timeouts.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Role Name (roleName)
    Description
    The name can be defined in case a name different from the tag name must be used. Please refer to the property description of 'Tag'.
    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.targetapp.TagBasedRoleProviderConfig
    id: TagBasedRoleProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      roleName:
      tag:
    

    Tags From SAML 2.0 Assertion Attribute

    Description

    SAML 2.0 Assertion Attribute to Import as Tags.

    This plugin configures how to import a SAML 2.0 assertion attribute's values as flow tags.

    When the attribute is present in the assertion, the attribute's values are mapped to tags by the configured mapping. The resulting tags are then added to the user's flow session.

    When the attribute is not present in the assertion, no tags are added to the flow session.

    May be used by
    Properties
    Attribute Name (attributeName)
    Description
    Attribute name in assertion.
    Attributes
    String
    Mandatory
    License-Tags
    SamlSp
    Example
    tags
    Tag Mapping (tagMapping)
    Description
    The mapping converting the attribute's values to tags.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    SamlSp
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.assertion.attribute.Saml2AttributeNameToTagMappingConfig
    id: Saml2AttributeNameToTagMappingConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      attributeName:
      tagMapping:
    

    TAN Batch Task

    Description
    This plug-in implements a task that is used in the TAN authentication server. It performs tasks that are not triggered by a user action (e.g. a user attempting to log in) but must be done regularly by a batch job.

    In order to understand the following task description, it is important to understand that a user can have zero, one, or two token lists or matrix cards at the same time: the active token list is the one being used for authentication. The next token list is a new token list waiting to become active. It is generated some time before the current active token list expires so that it can be sent to the user. The new token list becomes active when the current token list expires or is removed. Depending on configuration, simply using the new token list will also activate it.

    When executed, this task looks at all users returned by the configured token list iterator plug-in and performs the following tasks. Only active users returned by the token list iterator are processed:

    • Remove expired token lists or matrix cards.
    • Remove empty token lists.
    • If the user has no active list but a valid new token list, the new token list is made the active token list.
    • Generate new token lists or new matrix cards where necessary. This is the case if at least one of the following conditions is true:
      - If the current token list or matrix card of the user is about to expire and there is no "next token list".
      - If there is no token list at all.
      - If there is no "next token list" and the corresponding flag ("order new list flag") is set.
    • Newly generated token lists are rendered by calling the configured token list renderer.

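The list lifecycle just described (expire, drop empty lists, promote the next list, generate where necessary), run over constructed sample users as an added Python model. This is an illustration, not Airlock IAM code: the parameter names follow the page's properties (maximumValidityDays, remainingDaysThreshold, deliverySecurityGap, tokenTypeName, tokenLength, tokensPerList), while the user and list data model, the choice of SHA-256 as the hash function and the placement of a freshly generated list in the "next" slot are assumptions.

```python
"""Model of the TAN Batch Task list lifecycle (added illustration, not product code)."""
from __future__ import annotations

import hashlib
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Alphabets for the allowed tokenTypeName values.
ALPHABETS = {
    "DIGITS": string.digits,
    "DIGITS_CAPITAL_LETTERS": string.digits + string.ascii_uppercase,
    "DIGITS_LETTERS": string.digits + string.ascii_letters,
}


@dataclass
class TokenList:
    generated_on: date
    token_hashes: List[str]   # only hashes are persisted; the clear tokens go to the renderer


@dataclass
class TanUser:
    active: Optional[TokenList] = None
    next: Optional[TokenList] = None
    order_new_list: bool = False                 # the "order new list flag"
    last_other_delivery: Optional[date] = None   # latest delivery of another credential
    is_active_user: bool = True


def generate_token_list(today: date, token_type: str, token_length: int, tokens_per_list: int) -> TokenList:
    """Generate tokens with a CSPRNG and keep only their hashes (SHA-256 assumed)."""
    alphabet = ALPHABETS[token_type]
    hashes = []
    for _ in range(tokens_per_list):
        token = "".join(secrets.choice(alphabet) for _ in range(token_length))
        hashes.append(hashlib.sha256(token.encode()).hexdigest())
    return TokenList(today, hashes)


def remaining_days(lst: TokenList, today: date, maximum_validity_days: int) -> Optional[int]:
    """Days of validity left; None when maximumValidityDays is -1 (never expires)."""
    if maximum_validity_days == -1:
        return None
    return maximum_validity_days - (today - lst.generated_on).days


def run_batch(user: TanUser, today: date, *, maximum_validity_days: int = -1,
              remaining_days_threshold: Optional[int] = None, delivery_security_gap: int = 0,
              token_type: str = "DIGITS", token_length: int = 6, tokens_per_list: int = 50) -> List[str]:
    """One batch run for one user; returns the actions taken, in order."""
    actions: List[str] = []
    if not user.is_active_user:
        return actions                       # inactive users are not processed
    for slot in ("active", "next"):          # 1. remove expired lists
        lst = getattr(user, slot)
        rem = remaining_days(lst, today, maximum_validity_days) if lst else None
        if lst is not None and rem is not None and rem <= 0:
            setattr(user, slot, None)
            actions.append(f"removed_expired_{slot}")
    for slot in ("active", "next"):          # 2. remove empty lists
        lst = getattr(user, slot)
        if lst is not None and not lst.token_hashes:
            setattr(user, slot, None)
            actions.append(f"removed_empty_{slot}")
    if user.active is None and user.next is not None:   # 3. promote the next list
        user.active, user.next = user.next, None
        actions.append("promoted_next")
    need_new = False                          # 4. generate where necessary
    if user.active is None and user.next is None:
        need_new = True                       # no token list at all
    elif user.next is None and user.order_new_list:
        need_new = True                       # order-new-list flag set, no next list
    elif user.next is None and remaining_days_threshold is not None and maximum_validity_days != -1:
        need_new = remaining_days(user.active, today, maximum_validity_days) <= remaining_days_threshold
    if need_new and delivery_security_gap > 0 and user.last_other_delivery is not None \
            and (today - user.last_other_delivery).days < delivery_security_gap:
        actions.append("deferred_delivery_gap")   # another credential was sent too recently
        need_new = False
    if need_new:
        # Assumption: the new list waits in the "next" slot until step 3 (or first use) activates it.
        user.next = generate_token_list(today, token_type, token_length, tokens_per_list)
        user.order_new_list = False
        actions.append("generated")
    return actions


def demo_scenarios() -> dict:
    """Constructed users run through the task (sample data, not from a real system)."""
    today = date(2024, 6, 1)

    def aged(days: int) -> TokenList:          # list generated `days` ago, placeholder hashes
        return TokenList(today - timedelta(days=days), ["<hash>"] * 50)

    results = {}
    u = TanUser(active=aged(80))
    results["about_to_expire"] = run_batch(u, today, maximum_validity_days=90, remaining_days_threshold=14)
    results["about_to_expire_has_next"] = u.next is not None
    u = TanUser(active=aged(80), next=aged(1))
    results["next_already_present"] = run_batch(u, today, maximum_validity_days=90, remaining_days_threshold=14)
    u = TanUser(active=aged(100), next=aged(5))
    results["expired_active"] = run_batch(u, today, maximum_validity_days=90, remaining_days_threshold=14)
    u = TanUser(last_other_delivery=today - timedelta(days=3))
    results["delivery_gap"] = run_batch(u, today, delivery_security_gap=7)
    u = TanUser()
    results["no_list"] = run_batch(u, today)
    results["no_list_then_promoted"] = run_batch(u, today + timedelta(days=1))
    u = TanUser(active=aged(10), order_new_list=True)
    results["ordered"] = run_batch(u, today)
    return results
```

The model makes two properties of the task visible that the prose states separately: a user never holds more than an active and a next list, and 'Delivery Security Gap' only postpones generation, it never removes anything.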
    May be used by
    Properties
    Token List Persister (tokenListPersister)
    Description
    The token list persister plugin used to read and store token list structures.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token List Iterator (tokenListIterator)
    Description
    The token list iterator plugin used to iterate over all token users. Usually this is the same as the token list persister.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Maximum Validity Days (maximumValidityDays)
    Description
    Specifies the number of days a token list is valid after its generation. After the period has elapsed, the list can no longer be used and is replaced by the new token list (if there is any). If there is no new list, the list is deleted. If the value -1 is used, the token list does not expire.
    Attributes
    Integer
    Optional
    Default value
    -1
    Remaining Days Threshold (remainingDaysThreshold)
    Description
    If a list is about to expire, generates an event and/or sets the flag to generate a new list. This property specifies the number of remaining validity days that trigger this event.
    The value is only relevant when the property 'Maximum Validity Days' is not -1.
    Attributes
    Integer
    Optional
    Delivery Security Gap (deliverySecurityGap)
    Description
    In order to avoid sending more than one credential to a user at the same time, this task inspects the delivery times of other credentials of the same user. The value of this property indicates the minimum number of days between the latest delivery of another token and the generation of a token list.
    Setting this property to zero (0) disables this feature.
    Attributes
    Integer
    Optional
    Default value
    0
    Token Type Name (tokenTypeName)
    Description
    The type of tokens used when new token lists are generated.
    Attributes
    String
    Mandatory
    Allowed values
    DIGITS, DIGITS_CAPITAL_LETTERS, DIGITS_LETTERS
    Token Length (tokenLength)
    Description
    This property is used when new token lists are generated. The length of each generated token (number of characters).
    Attributes
    Integer
    Mandatory
    Tokens Per List (tokensPerList)
    Description
    This property is used when new token lists are generated. The number of tokens in each generated list. Setting for standard matrix card (credit-card-format)
    Attributes
    Integer
    Mandatory
    Hash Function Plugin (hashFunctionPlugin)
    Description
    This property is used when new token lists are generated.
    The hash function used to hash the generated tokens. It must be the same (or hash value compatible) as used when generating the token lists.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token List Renderer (tokenListRenderer)
    Description
    Tells the TAN batch task which token list renderer to use for rendering newly generated token lists.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Language Attribute Name (languageAttributeName)
    Description
    Tells the TAN batch task which attribute in the context data container contains the language to be used for rendering the password. If this property is configured and if the context data container of the user has a value for this attribute, it is used when calling the password renderer plugin.

    If this property is not defined, the user's language is not taken into account when rendering token lists!

    Attributes
    String
    Optional
    Suggested values
    language
    Delete Old Token Lists (deleteOldTokenLists)
    Description
    Deletes old rendered token lists of a user from the file system when a new one is rendered. Setting this to TRUE results in at most one rendered token list per user.
    If this property is set to TRUE, the plugin must have permission to delete files from the directory.
    Attributes
    Boolean
    Optional
    Default value
    false
    Working Directory (workingDirectory)
    Description
    A writable directory used to store partial reports.
    If this property is defined, the token lists are not directly generated into the output directory (see other property) but they are generated into this working directory and are moved to the output directory once they are done.
    This avoids problems with processes that automatically pick up rendered token lists and would otherwise read partial token lists during generation. Make sure that the working directory and the output directory reside in the same file system; if not, moving the generated file will not be atomic.
    The directory is either absolute or relative to the JVM's current directory.
    Attributes
    File/Path
    Optional
    Output Directory (outputDirectory)
    Description
    Directory in the file system to put the rendered token lists in. The directory is either absolute or relative to the JVM's current directory.

    This property is not required if the renderer plugin (see separate property) does not write to the output stream (e.g. sends the result somewhere else). It is required otherwise.

    Note: If this property is not defined and the used renderer plugin writes on the output stream, then the result (e.g. a PDF file) is lost.

    Attributes
    File/Path
    Optional
    File Name Prefix (fileNamePrefix)
    Description
    Filename prefix for rendered report files. It is important to set this to a unique value for the kind of reports generated by this task. When this task deletes old reports, it looks at this prefix (and the user ID) in order to find out which files to delete. Thus, if this prefix is the same as for other reports and they reside in the same directory, other reports may be deleted.

    Do not use the prefix "pwd-" if password reports are stored in the same directory. This prefix is the default for password letters (and not configurable in older plugin versions).

    This property is optional to be backwards compatible. It is strongly recommended to define a prefix.

    Attributes
    String
    Optional
    Suggested values
    matrix-, gridcard-
    File Name Suffix (fileNameSuffix)
    Description
    Filename suffix for rendered token list files.
    Attributes
    String
    Optional
    Suggested values
    .pdf, .docx, .txt
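    The interplay of "Working Directory", "Output Directory", "Delete Old Token Lists" and "File Name Prefix" described above, as an added example that is not part of the Airlock IAM product or this reference: rendering happens in the working directory, the finished file is moved into the output directory with an atomic rename (which requires both directories on one file system), and old lists of the same user are located by prefix plus user ID. The file naming scheme (prefix, user ID, serial number, suffix) and the sample file contents are assumptions made for the example; the second scenario shows what the "pwd-" warning is about.

```python
import os
import tempfile
from pathlib import Path


def same_filesystem(a: Path, b: Path) -> bool:
    """True if both directories are on the same device, so os.replace() is an atomic rename."""
    return os.stat(a).st_dev == os.stat(b).st_dev


def delete_old_token_lists(output_dir: Path, prefix: str, user_id: str, keep: Path) -> list:
    """Delete earlier rendered lists of this user, identified by prefix + user ID only.
    Any other report kind stored under the same prefix in this directory is matched too,
    which is exactly the collision the "File Name Prefix" warning describes."""
    removed = []
    for f in sorted(output_dir.iterdir()):
        if f.is_file() and f != keep and f.name.startswith(f"{prefix}{user_id}-"):
            f.unlink()
            removed.append(f.name)
    return removed


def render_token_list(user_id: str, serial: str, content: bytes, prefix: str, suffix: str,
                      working_dir: Path, output_dir: Path, delete_old: bool):
    """Render into working_dir, then move the complete file into output_dir."""
    if not same_filesystem(working_dir, output_dir):
        raise RuntimeError("working and output directory must share a file system (atomic move)")
    name = f"{prefix}{user_id}-{serial}{suffix}"   # assumed naming scheme
    partial = working_dir / name
    partial.write_bytes(content)                   # readers of output_dir never see this
    final = output_dir / name
    os.replace(partial, final)                     # atomic rename within one file system
    removed = delete_old_token_lists(output_dir, prefix, user_id, final) if delete_old else []
    return final, removed


def _fresh_dirs():
    root = Path(tempfile.mkdtemp())
    work, out = root / "work", root / "out"
    work.mkdir()
    out.mkdir()
    # Constructed: a password letter that already lives in the output directory.
    (out / "pwd-alice-0001.pdf").write_bytes(b"%PDF constructed password letter")
    return work, out


def demo_unique_prefix():
    """Distinct prefix: only the user's previous matrix card is replaced."""
    work, out = _fresh_dirs()
    render_token_list("alice", "0001", b"constructed list 1", "matrix-", ".pdf", work, out, True)
    _, removed = render_token_list("alice", "0002", b"constructed list 2", "matrix-", ".pdf", work, out, True)
    remaining = sorted(p.name for p in out.iterdir())
    return remaining, removed, not any(work.iterdir())


def demo_prefix_collision():
    """Reusing "pwd-" for token lists deletes the unrelated password letter as well."""
    work, out = _fresh_dirs()
    _, removed = render_token_list("alice", "0002", b"constructed list", "pwd-", ".pdf", work, out, True)
    return sorted(p.name for p in out.iterdir()), removed


if __name__ == "__main__":
    print(demo_unique_prefix())
    print(demo_prefix_collision())
```

    The atomic-move check uses the device number of both directories; on a deployment where the working directory is a separate mount, the rename would fall back to a copy and consumers could again observe partial files.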
    Generation Date Export Property (generationDateExportProperty)
    Description
    Name of a context property (make sure it is persisted in the used token list persister plugin) used to store the generation date of the current token list.

    The generation date of the current token list is extracted from the token list data during the task and stored as date object (date and time) using the configured persister.

    Attributes
    String
    Optional
    Example
    tok_list_inf_gen
    Validity Date Export Property (validityDateExportProperty)
    Description
    Name of a context property (make sure it is persisted in the used token list persister plugin) used to store the validity date of the current token list.

    The validity date of the current token list is computed using the generation date and the configured validity of the token list and stored as date object (date and time) using the configured persister.

    Attributes
    String
    Optional
    Example
    tok_list_inf_val
    Serial Number Export Property (serialNumberExportProperty)
    Description
    Name of a context property (make sure it is persisted in the used token list persister plugin) used to store serial number of the current token list.

    The serial number of the current token list is extracted from the token list data during the task and stored as string using the configured persister.

    Attributes
    String
    Optional
    Example
    tok_list_inf_val
    Remaining Tokens Export Property (remainingTokensExportProperty)
    Description
    Name of a context property (make sure it is persisted in the used token list persister plugin) used to store remaining number of tokens on the current token list.

    The remaining number of tokens on the current token list is extracted from the token list data during the task and stored as integer number using the configured persister.

    Attributes
    String
    Optional
    Example
    tok_list_inf_val
    Aggregate Report (aggregateReport)
    Description
    Optional property to describe an aggregate report over all generated reports in a batch. If none is configured, no aggregate report will be generated.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Max No Of Cards To Print Per Day (maxNoOfCardsToPrintPerDay)
    Description
    When set, this property limits the number of matrix cards that are printed per day by shifting their generation date at creation time. The property can only be set if 'maximumValidityDays' has been configured.
    Example: if the property is set to 500 but 1000 new cards are to be produced, the generation dates of the cards are set in a way that the cards expire in blocks of 500 on 2 different days.

    Please note:

    • Setting this property doubles the runtime of the task. Consider setting it only before bulk generation of matrix cards.
    • The actual number of cards to be printed on a given day could exceed the value of this property due to: the 'delivery security gap' configuration, explicitly (manually) ordered cards or used-up cards.
    • The mechanism does not work retroactively, i.e. the expiration or print date of existing cards will not be altered.

    Attributes
    Integer
    Optional
    Shift Direction (shiftDirection)
    Description
    This property determines whether the generation date should be shifted into the future or past when 'maxNoOfCardsToPrintPerDay' is exceeded for the prospective print date.

    Shifting into the past reduces the validity period, shifting into the future extends the validity period.

    Attributes
    Enum
    Optional
    Default value
    PAST
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.TanBatchTask
    id: TanBatchTask-xxxxxx
    displayName: 
    comment: 
    properties:
      aggregateReport:
      deleteOldTokenLists: false
      deliverySecurityGap: 0
      fileNamePrefix:
      fileNameSuffix:
      generationDateExportProperty:
      hashFunctionPlugin:
      languageAttributeName:
      maxNoOfCardsToPrintPerDay:
      maximumValidityDays: -1
      outputDirectory:
      remainingDaysThreshold:
      remainingTokensExportProperty:
      serialNumberExportProperty:
      shiftDirection: PAST
      tokenLength:
      tokenListIterator:
      tokenListPersister:
      tokenListRenderer:
      tokenTypeName:
      tokensPerList:
      validityDateExportProperty:
      workingDirectory:
    

    TAN Token Verifier

    Description
    A token verifier based on the TAN service extension point.
    May be used by
    Properties
    Tan Service (tanService)
    Description
    The TAN service plugin to use.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.tokenverifier.TanTokenVerifier
    id: TanTokenVerifier-xxxxxx
    displayName: 
    comment: 
    properties:
      tanService:
    

    Target Application Config

    Description
    Configuration for an application that is protected by the REST Authentication API.
    Properties
    Application ID (applicationId)
    Description
    Unique ID of this application. The ID must be used in the authorization endpoint to indicate that access to this application is requested.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Application Selector (applicationSelector)
    Description
    Instead of the application ID, a URI might be used in the authorization endpoint to indicate that access to this application is requested.

    The first application that matches the forward URI is used.

    The selector is ignored for the default application, which is always used when none of the other applications match.

    In combination with Authorization Conditions in Protected Self-Service Flows, the Application Selector can be used to trigger step-up authentication.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Authentication Flow (authenticationFlow)
    Description
    The authentication flow determines the user identity and awards tags to the user session for completed authentication steps. After successful completion of the authentication flow, the user is considered identified and the tags are awarded, but identity propagation will not be performed until the authorization flow is also completed successfully.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Authorization Flow (authorizationFlow)
    Description
    The authorization flow that comes after successful completion of the authentication flow. Identity propagation and awarding of Airlock Gateway roles are only done once the authorization is successfully completed.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Airlock Gateway Roles (airlockGatewayRoles)
    Description

    These are the Airlock Gateway roles (credentials) that are set after the authentication flow and the corresponding authorization flow (if configured) have successfully been completed. These roles are used on the Gateway to control the access to protected backends. If backend applications need user roles, those must be configured in the identity propagators.

    Depending on the Gateway Settings, these roles either replace the current Gateway roles or are added to them (default).

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Identity Propagation (identityPropagation)
    Description
    Identity propagators add cookies and/or headers to the response after successful authorization. The identity propagators are applied in the order in which they are configured.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Username To Propagate Provider (usernameToPropagateProvider)
    Description
    Provides a value to be propagated to the backend applications by the identity propagators.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.targetapp.TargetApplicationConfig
    id: TargetApplicationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      airlockGatewayRoles:
      applicationId:
      applicationSelector:
      authenticationFlow:
      authorizationFlow:
      identityPropagation:
      usernameToPropagateProvider:
    

    Target Application Redirect

    Description
    Redirects to an authentication target application.
    Properties
    Application ID (applicationId)
    Description
    ID of the target application to which a redirect should be performed. Make sure that a UI is configured for this application. If no ID is configured, the redirect goes to the generic access URL, where an application is selected based on the forward location.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.ui.AuthFlowRedirectTargetConfig
    id: AuthFlowRedirectTargetConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      applicationId:
    

    Target Application/Service

    Description

    Defines how to authenticate HTTP requests based on the original HTTP request sent by the client (provided to IAM in various Airlock Gateway environment cookies).

    The following actions are applied for each request:

    1. Credential Extraction: Extract credential from the HTTP request (e.g. a bearer token or a cookie).
    2. Authentication: Call specified authenticator with credential (e.g. verify JWT ticket).
    3. Error handling: If authentication fails, the specified error mapper defines how to respond (e.g. send 401 to client).
    4. Authorization: Ensure that the roles required to access the application/service are present after authentication.
    5. ID-Propagation: provide information about authenticated user to target application/service.
    6. Set Airlock Gateway (WAF) roles: provide credentials/roles to Airlock Gateway to allow request to pass to target application/service.

    Properties
    Credential Extractor (credentialExtractorFactory)
    Description
    Extracts the credential (e.g. basic auth, bearer token, cookie) from the request received from the Airlock Gateway (one-shot flow). The credential serves as input for the authenticator.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    OneShotAuthentication
    Assignable plugins
    Authenticator (authenticator)
    Description

    Validates the credential from the credential extractor in order to authenticate the HTTP request.

    Note:

    • Only non-interactive authentication steps (there is no way to interact with the HTTP client at this point - use the REST authentication API to do so if desired) may be configured.
    • The authenticator must know how to handle the credential type provided by the credential extractor.

    A common use-case is to verify JWT tokens issued by an upfront authentication process (as "Authorization Bearer" header):

    • Extract bearer token from HTTP header (using the "HTTP Header Token Extractor (as SSO Credential)").
    • Authenticate the request using the "Lookup and Accept Authenticator" or the "SSO Credential Authenticator".

    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    OneShotAuthentication
    Assignable plugins
    Failure Responses (failureResponses)
    Description
    Defines how to respond if authentication fails (for wrong credentials and other errors).
    Attributes
    Plugin-Link
    Optional
    License-Tags
    OneShotAuthentication
    Assignable plugins
    Enable User Trail Log (enableUserTrailLog)
    Description

    If enabled, a message is logged to the user trail log for every successful or unsuccessful authentication.

    Caution: If the Airlock Gateway (WAF) is used in stateless mode, every single request may have to be authenticated by IAM due to missing roles. Hence, every request may generate a message in the user trail log depending on the Airlock Gateway configuration.

    Attributes
    Boolean
    Optional
    License-Tags
    OneShotAuthentication
    Default value
    true
    URL Pattern (urlPattern)
    Description
    The URL pattern (regular expression pattern) to identify this target application.

    The first pattern (in the list of target applications) that matches the forward URL is used.
    The matching is case-insensitive.

    The URL pattern is ignored for the default target application.

    Attributes
    RegEx
    Mandatory
    License-Tags
    OneShotAuthentication
    Use Different Username (useDifferentUsername)
    Description
    If a user can have a different username at this target application, it can be specified here how the other username should be obtained. The following options are possible:
    • The name of the context data field in which this username is stored. Note that this field needs to be made persistent via the User Persister.
    • A fixed username (which is the same for all users). This should start with FIXED: followed by the username. E.g.: if the username is "admin", set this to "FIXED:admin".
    • Leave this empty, if no username is required or the standard username should be used.

    The resulting username can be transformed further by using the Username Transformation property.

    Attributes
    String
    Optional
    License-Tags
    OneShotAuthentication,SubIdentities
    Example
    applA_username
    Example
    email
    Example
    FIXED:admin
    Username Transformation (usernameTransformation)
    Description
    List of transformation plugins which allow various mutations of the username. The transformations are applied in order. Note that some username transformers stop the transformation chain after successful application.

    These transformations are applied after the "Use Different Username" property.

    Attributes
    Plugin-List
    Optional
    License-Tags
    OneShotAuthentication
    Assignable plugins
    Use Different Password (useDifferentPassword)
    Description
    If a user needs a password for this target application, it can be specified here how it should be obtained. This is not supported by all plugins though. The following options are possible:
    • If no password is required for this application: leave empty.
    • If the user has (or can have) a different password at this application: The name of the context data field in which this password is to be stored. Remember that this field needs to be made persistent via the User Persister.
    • If a fixed password is used that is the same for all users: Prefix with FIXED: followed by the password, e.g. "FIXED:123456".
    • If the user's main password (i.e. the password used to login to Airlock IAM) is used: Leave the field empty, but see the notes below.
    If the user's main password is also used to sign on to target applications, please note the following points:
    • The main password can only be used if the user was required to enter the password upon login. This is not the case for Kerberos and other SSO logins. In those cases, this option is not possible.
    • Normally, the user's password is only available directly after login. If the user comes back to the Loginapp later, e.g. to access a different application, the password is normally not available anymore.
    • If only one target application is configured, this should not be a problem, since the user only needs to be authenticated at the very beginning (directly after the authentication).
    • If the user's password is needed for several target applications, then it has to be available every time the user wants to access another application in the same session. In this case, the password should be saved in the session ticket (see Security Settings).
    Attributes
    String
    Optional
    License-Tags
    OneShotAuthentication,SubIdentities
    Example
    applA_password
    Example
    FIXED:123456
    Password Encryption Method (passwordEncryptionMethod)
    Description
    The type of password encryption used to decrypt this password.
    Leave empty if the password is not encrypted (not recommended if the password is read from a context data field).
    Attributes
    Plugin-Link
    Optional
    License-Tags
    OneShotAuthentication,SubIdentities
    Assignable plugins
    Required Roles (requiredRoles)
    Description
    A list of roles used to access this target application.

    The user needs at least one of the roles in order to get access to the application.

    If no roles are configured, all authenticated users may access the application.

    The user's roles may be transformed before being compared to this list using the Role Transformation Rules (see separate property).

    If the user doesn't have any of these roles, the "Step-Up Authenticators" (in Authentication Settings) are consulted in order to find out whether they can be obtained using a Step-Up.

    Attributes
    String-List
    Optional
    License-Tags
    OneShotAuthentication
    Airlock Gateway (WAF) Roles (airlockGatewayRoles)
    Description

    The Airlock Gateway (WAF) roles that should be set when accessing this target application, instead of using the user's roles as Gateway roles.

    The name of the role can be followed by a colon and the idle timeout of the role in seconds, e.g. "myrole:300" sets the role "myrole" that will expire after 5 minutes of client inactivity.

    With a second colon and a second number, the life-time can be set, e.g. "myrole:300:3600" will set the role "myrole" for a maximum of 1 hour, but it will also expire after 5 minutes of client inactivity.

    Note: If you want to replace (instead of add) target application's Gateway roles in the session upon the first visit of each target application, you have to disable the "Add Credentials To Session" flag in the "Airlock Gateway (WAF) Settings" of the Login Application.

    Attributes
    String-List
    Optional
    License-Tags
    OneShotAuthentication
    Role Transformation Rules (roleTransformationRules)
    Description
    A list of transformation rules used to modify user roles before being compared to the "Required Roles" of an application.
    Attributes
    Plugin-List
    Optional
    License-Tags
    OneShotAuthentication
    Assignable plugins
    Propagated Roles To Delete (propagatedRolesToDelete)
    Description
    A list of regular expressions. Any role matching one of these expressions is not propagated to the target application, unless it also matches one of the "Propagated Roles To Keep". The matching is performed before any transformation.
    Attributes
    RegEx-List
    Optional
    License-Tags
    OneShotAuthentication
    Propagated Roles To Keep (propagatedRolesToKeep)
    Description
    A list of regular expressions. If set, only roles matching at least one of these expressions are propagated to the target application, even if they match one of the "Propagated Roles To Delete". Notice that any "Propagated Roles To Add" are always added. The matching is performed before any transformation.
    Attributes
    RegEx-List
    Optional
    License-Tags
    OneShotAuthentication
    Propagated Roles Transformation Rules (propagatedRolesTransformationRules)
    Description
    A list of transformation rules used to modify role names that are sent to an application by the identity propagator. All transformations are applied as a pipeline to every role that has not been deleted before.
    Attributes
    Plugin-List
    Optional
    License-Tags
    OneShotAuthentication
    Assignable plugins
    Propagated Roles To Add (propagatedRolesToAdd)
    Description
    The static roles that will always be added to the final list of propagated roles (no transformation is applied to those).
    Attributes
    String-List
    Optional
    License-Tags
    OneShotAuthentication
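    The authorization and role-propagation steps of the one-shot flow (steps 4 to 6 of the action list above, together with "Required Roles", "Airlock Gateway (WAF) Roles", "Role Transformation Rules" and the four "Propagated Roles" properties), as an added example that is not code from Airlock IAM. It assumes that transformation rules are regular-expression substitutions, that the delete/keep patterns must match a whole role name, and that the role spec syntax is exactly "name[:idle[:lifetime]]" in seconds; the sample role names are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Rule = Tuple[str, str]   # assumed shape of a transformation rule: (regex, replacement)


@dataclass(frozen=True)
class GatewayRole:
    name: str
    idle_timeout: Optional[int] = None   # seconds of client inactivity before the role expires
    lifetime: Optional[int] = None       # absolute maximum lifetime in seconds


def parse_gateway_role(spec: str) -> GatewayRole:
    """Parse 'myrole', 'myrole:300' or 'myrole:300:3600' as described for Gateway roles."""
    parts = spec.split(":")
    if not 1 <= len(parts) <= 3 or not parts[0]:
        raise ValueError(f"bad role spec: {spec!r}")
    numbers = []
    for p in parts[1:]:
        if not p.isdigit():
            raise ValueError(f"timeouts must be positive integers in seconds: {spec!r}")
        numbers.append(int(p))
    return GatewayRole(parts[0], *numbers)


def apply_transforms(role: str, rules: Sequence[Rule]) -> str:
    """Run every rule in order over one role name (pipeline semantics)."""
    for pattern, replacement in rules:
        role = re.sub(pattern, replacement, role)
    return role


def has_required_role(user_roles: Sequence[str], required: Sequence[str], rules: Sequence[Rule]) -> bool:
    """Step 4 (authorization): the user needs at least ONE of the required roles.
    User roles are transformed first; an empty required list admits every authenticated user."""
    if not required:
        return True
    transformed = {apply_transforms(r, rules) for r in user_roles}
    return bool(transformed & set(required))


def propagated_roles(user_roles: Sequence[str], to_delete: Sequence[str], to_keep: Sequence[str],
                     rules: Sequence[Rule], to_add: Sequence[str]) -> List[str]:
    """Step 5 (ID propagation) role list:
    delete/keep are matched against the untransformed names, keep wins over delete,
    survivors go through the transformation pipeline, static roles are appended untouched."""
    result = []
    for role in user_roles:
        deleted = any(re.fullmatch(p, role) for p in to_delete)
        kept = any(re.fullmatch(p, role) for p in to_keep)
        if to_keep and not kept:
            continue
        if deleted and not kept:
            continue
        result.append(apply_transforms(role, rules))
    return result + list(to_add)


if __name__ == "__main__":
    roles = ["employee", "admin", "hr_internal", "debug"]          # constructed user roles
    rules = [("^admin$", "app-admin")]
    print(has_required_role(roles, ["app-admin"], rules))
    print(propagated_roles(roles, ["debug", "hr_.*"], [], rules, ["gateway-visitor"]))
    print(parse_gateway_role("myrole:300:3600"))
```

    Note that "Required Roles" and the propagated role list use separate rule sets in the configuration ("Role Transformation Rules" versus "Propagated Roles Transformation Rules"); the example reuses one list only to keep the sample short.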
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.oneshot.OneShotTargetApplicationConfig
    id: OneShotTargetApplicationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      airlockGatewayRoles:
      authenticator:
      credentialExtractorFactory:
      enableUserTrailLog: true
      failureResponses:
      identityPropagator:
      passwordEncryptionMethod:
      propagatedRolesToAdd:
      propagatedRolesToDelete:
      propagatedRolesToKeep:
      propagatedRolesTransformationRules:
      requiredRoles:
      roleTransformationRules:
      urlPattern:
      useDifferentPassword:
      useDifferentUsername:
      usernameTransformation:
    

    Target Applications and Authentication

    Description
    Configuration of target applications including authentication and authorization flows.
    May be used by
    Properties
    Default Application (defaultApplication)
    Description
    The default application that is selected if a user/client directly accesses an authentication flow resource without explicitly selecting a flow by using the authorization resource.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Applications (applications)
    Description
    List of other protected applications. The default application must not be part of this list.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Max Failed Factor Attempts (maxFailedLogins)
    Description
    Maximum number of allowed login attempts. The user is locked if the number of failed attempts for some credential exceeds this limit.
    Attributes
    Integer
    Optional
    Default value
    5
    Temporary Locking (temporaryLockingConfig)
    Description
    Locks users temporarily after unsuccessful authentication attempts.
    This configuration can be enabled or disabled in each "Authentication Flow" with the setting "Enable Temporary Locking".
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Remember-Me Settings (rememberMeConfig)
    Description

    Configuration enabling the Remember-Me feature. This feature allows a user to skip certain authentication steps if a valid token is presented with the request.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Login History Repository (loginHistoryRepository)
    Description
    If configured, a history of successful logins per user is stored.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Behavior Upon Existing Session (behaviorUponExistingSession)
    Description

    Defines what action is taken when a user already has another authenticated Airlock Gateway session when logging in or logging out. For example, this can happen if the user left a previous session without an explicit logout or attempts to authenticate multiple concurrent sessions (with different devices or browsers).

    Note: The configured behavior may depend on the user store being able to read (and write) the session ID from/to the database/directory. Verify that the corresponding column or attribute is mapped in the used user store ("Col Latest GSID" for default database plugins; "Last GSID Value Attribute" in LDAP plugins).

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Disable Session Behavior When Represented (disableSessionBehaviorWhenRepresented)
    Description
    Disables the "Behavior Upon Existing Session" for represented sessions: no stored session IDs are updated, nor are existing sessions terminated. This prevents any interference with regular sessions from the represented user.
    Attributes
    Boolean
    Optional
    Default value
    true
    Location Interpreters (locationInterpreters)
    Description

    Enables the REST endpoint used for interpreting a forward location URI prior to starting an authentication flow (REST endpoint /<loginapp-uri>/rest/public/authentication/location/interpret/).

    This endpoint could extract the display language or other information from the given URI so that the client can configure itself.

    The order of the configured plugins is relevant. The first plugin which can handle the forward location URI is used, all remaining plugins are ignored. If no plugins are configured or no plugin can handle the provided URI, an empty interpretation result is returned.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Authentication Information Accessible Condition (authenticationInformationAccessibleCondition)
    Description

    Condition for allowing unauthenticated access to the /public/authentication endpoint. Once a user is authenticated, access to this endpoint is always allowed, regardless of this setting.

    By default, access to the information endpoint is not allowed for unauthenticated users.

    Security Note: If publicly available, this endpoint could be exploited for user enumeration attacks. To prevent these attacks, it is recommended that access to the endpoint is restricted to authenticated users only.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.authentication.TargetApplicationsConfig
    id: TargetApplicationsConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      applications:
      authenticationInformationAccessibleCondition:
      behaviorUponExistingSession:
      defaultApplication:
      disableSessionBehaviorWhenRepresented: true
      locationInterpreters:
      loginHistoryRepository:
      maxFailedLogins: 5
      rememberMeConfig:
      temporaryLockingConfig:
    

    Target URI ID Propagator

    Description
    Returns a target URI for identity propagation based on the initial forward location.
    Properties
    Target URI Resolver (targetURIResolver)
    Description
    Resolves the target URI to be propagated during identity propagation.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Condition (condition)
    Description
    Defines the condition under which the user's identity is propagated using the configured identity propagation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Propagation (propagation)
    Description
    Defines how the target URI is propagated within the HTTP response.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.location.propagate.TargetURIIdentityPropagatorConfig
    id: TargetURIIdentityPropagatorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      condition:
      propagation:
      targetURIResolver:
    

    Target URI Resolver

    Description
    Uses the original forward location (extracted from the URI parameter 'Location') to resolve the target URI for identity propagation.

    If the original forward location matches any of the allowed URI patterns, the forward location is passed to the chain of URI transformers, where it gets transformed to the target URI to be used for identity propagation. If none of the allowed URI patterns match the forward location, the default value is instead passed to the transformation chain. If any of the URI transformers vetoes the transformation, the default value is provided as target URI.

    This is typically used to allow or block certain deep links into target applications and to add information to the URI like a language parameter.

    Properties
    Default Value (defaultValue)
    Description
    The default URI to be used as input for transformation if the original forward location is not allowed. This URI is also used if a URI transformer produces a veto.
    Attributes
    String
    Mandatory
    Example
    /
    Example
    https://domain.com/public
    Allowed URIs (allowedURIs)
    Description
    A list of regular expressions defining the allowed forward locations.
    If the authentication flow was started using such a location, its value is matched against the specified list of allowed location parameter patterns. If at least one matches, the location parameter is accepted. If not, it is not accepted and the "Default Value" is used instead.
    • If left empty, any provided location is ignored and the default value is always used.
    • To only allow context relative locations (starting with a slash), the pattern "/(?!/).*" should be used. The pattern "/.*" is not sufficient as it allows URLs starting with "//" which can be used to specify an absolute URL including a domain. See also CVE-2013-2764.
    • Note that forward locations provided by Airlock Gateway (WAF) always contain the full URL including protocol and hostname. It is therefore usually necessary to add a pattern for the application specific URLs, e.g. "https?://example\.com/my-path/.*".
    • Note that URLs with any 'User Information' part in front of the host name (for example "https://user@domain.com/") are never accepted.
    • Security warning: The provided forward location may contain arbitrary user input! It is therefore highly recommended that the configured patterns be as restrictive as possible. Overly lax patterns like '.*' expose Airlock IAM and the target application to severe attacks, e.g.: open redirect, server-side request forgery and injection attacks (SQL, XSS, etc ...). Such patterns are therefore not allowed.
    • Security warning: Unescaped dots in URLs match any single character in RegExes. If unescaped dots are used by mistake, this can be exploited for attacks! E.g.: If pattern "https://subdomain.example.com/.*" is configured, attackers can register "subdomain-example.com" which will be allowed by this pattern.
    Attributes
    RegEx-List
    Optional
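The following is an added example, not Airlock IAM code, that models the forward-location check and the two security warnings above: the "/.*" versus "/(?!/).*" difference, the unescaped-dot problem, and the rejection of URLs with a user-information part. It assumes that a pattern from "Allowed URIs" must match the whole location (full match); the allow-lists and locations are constructed.

```python
import re
from urllib.parse import urlsplit

# Added example, not Airlock IAM code. Assumption: an "Allowed URIs" pattern must match
# the whole forward location (full match), as is usual for Java-style regex validation.

DEFAULT_VALUE = "/"  # the "Default Value" used when no pattern accepts the location


def unescaped_dots(pattern: str) -> list:
    """Positions of '.' in a pattern that are neither escaped ('\\.') nor the '.' of '.*'.

    An unescaped dot matches any single character, so a host written as
    'subdomain.example.com' also matches 'subdomain-example.com'.
    """
    return [m.start() for m in re.finditer(r"(?<!\\)\.(?!\*)", pattern)]


def has_user_info(location: str) -> bool:
    """True if the location carries a user-information part ('user@host'),
    which the reference says is never accepted."""
    return "@" in urlsplit(location).netloc


def resolve_forward_location(location, allowed_uris, default=DEFAULT_VALUE) -> str:
    """Return the location if the allow-list accepts it, otherwise the default value."""
    if not location or not allowed_uris:
        return default  # no location provided, or an empty allow-list: always the default
    if has_user_info(location):
        return default  # rejected regardless of the configured patterns
    if any(re.fullmatch(pattern, location) for pattern in allowed_uris):
        return location
    return default


# Constructed allow-lists illustrating the bullet points of the reference text.
LAX = [r"/.*"]                                   # also accepts "//host/..." (see CVE-2013-2764)
CONTEXT_RELATIVE = [r"/(?!/).*"]                 # recommended for context-relative locations
UNESCAPED_HOST = [r"https://subdomain.example.com/.*"]
ESCAPED_HOST = [r"https://subdomain\.example\.com/.*"]

if __name__ == "__main__":
    cases = [("//evil.example/", LAX), ("//evil.example/", CONTEXT_RELATIVE),
             ("https://subdomain-example.com/", UNESCAPED_HOST),
             ("https://subdomain-example.com/", ESCAPED_HOST),
             ("https://user@subdomain.example.com/", ESCAPED_HOST)]
    for loc, patterns in cases:
        print(f"{loc!r:40} -> {resolve_forward_location(loc, patterns)!r}")
    print("unescaped dots in", UNESCAPED_HOST[0], "at", unescaped_dots(UNESCAPED_HOST[0]))
```

The `unescaped_dots` lint is a quick configuration check; it does not understand character classes, so review its hits by hand.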
    URI Transformers (uriTransformers)
    Description
    The chain of URI transformers that transform the forward location to the provided target URI.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.location.propagate.TargetURIResolverConfig
    id: TargetURIResolverConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedURIs:
      defaultValue:
      uriTransformers:
    

    Task Schedule

    Description
    Defines scheduling information about a task.
    May be used by
    Properties
    Interval (interval)
    Description
    The time between two executions of the task. The interval is specified in one of the following formats, where n is a positive integer: n days, n hours, n minutes, n seconds, or never.
    Attributes
    String
    Mandatory
    Suggested values
    never, 10 seconds, 20 seconds, 30 seconds, 1 minute, 2 minutes, 5 minutes, 10 minutes, 15 minutes, 20 minutes, 30 minutes, 45 minutes, 1 hour, 2 hours, 3 hours, 4 hours, 5 hours, 6 hours, 8 hours, 10 hours, 12 hours, 1 day, 2 days, 3 days, 4 days, 5 days, 6 days, 7 days, 10 days, 14 days, 20 days, 30 days, 60 days, 90 days
    First Time (firstTime)
    Description
    The time of the first execution of the task in the form hh:mm:ss (e.g. 14:48:56). Leave this value empty to execute the task for the first time as soon as the scheduler service is started. Set it to after-interval to execute the task for the first time only after the configured interval has elapsed since the service was started.
    Attributes
    String
    Optional
    Example
    11:48:56
    Example
    after-interval
    Name (name)
    Description
    A task name that is used in log statements and in the service console. It helps to identify the task. Do not use very long names.
    Attributes
    String
    Mandatory
    Example
    Task 1
    Example
    Example Task
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.TaskSchedule
    id: TaskSchedule-xxxxxx
    displayName: 
    comment: 
    properties:
      firstTime:
      interval:
      name:
      task:
    

    Task Scheduler Service

    Description
    The task scheduler is a service that allows regular execution of tasks.
    May be used by
    Properties
    Tasks (tasks)
    Description
    Defines the tasks and their scheduling information.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Check Interval Millis (checkIntervalMillis)
    Description
    The interval in milliseconds in which the scheduler service checks whether a task should be executed. Task execution may be late for this amount of time at most.
    Attributes
    Long
    Optional
    Default value
    5000
    Run Tasks Concurrently (runTasksConcurrently)
    Description
    If the tasks should be run concurrently or sequentially.
    If enabled, all tasks may run concurrently. If disabled, all tasks run sequentially.
    This configuration applies to all tasks of this scheduler.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.TaskSchedulerService
    id: TaskSchedulerService-xxxxxx
    displayName: 
    comment: 
    properties:
      checkIntervalMillis: 5000
      runTasksConcurrently: true
      tasks:
    

    Technical Client Database Repository

    Description
    Persists and loads technical clients and associated data from the configured data source.
    Properties
    SQL Data Source (sqlDataSource)
    Description
    Defines how connections to the database are obtained.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Storage Encryption (storageEncryptionConfig)
    Description
    Defines how sensitive values are encrypted when stored on the database. This ensures that an adversary obtaining data from the database cannot read or modify sensitive values without knowing the secret for decryption.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Log Queries (logQueries)
    Description
    Enable to log SQL queries (only effective if the log level is at least INFO). Attention: query values (including potentially sensitive data) will be logged as well.
    Attributes
    Boolean
    Optional
    Default value
    false
    Tenant ID (tenantId)
    Description
    The value which is used in queries related to technical clients to distinguish between different tenants.

    If no value is configured, then 'no_tenant' is used as value on the database.

    Attributes
    String
    Optional
    Length <= 50
    Validation RegEx: (?!no_tenant$).*
    Example
    customerA
    Example
    customerB
    Cipher (cipher)
    Description

    Cipher to encrypt and decrypt sensitive values in the database.

    This setting is deprecated and has been replaced by Storage Encryption. If set, this property was configured by an automatic configuration migration and should not be changed manually. The property takes precedence over Storage Encryption, which means that OAuth 2.0 client secrets will be encrypted / decrypted using this cipher for backward compatibility. Other secrets on the DB are not affected by this property.

    To migrate from Cipher to Storage Encryption, encrypted data on the DB must be changed manually. Please contact Airlock Support for further guidelines.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.techclient.application.configuration.TechClientRepositoryConfig
    id: TechClientRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      cipher:
      logQueries: false
      sqlDataSource:
      storageEncryptionConfig:
      tenantId:
    

    Technical Client Registration Flow

    Description
    Configuration for a technical client registration flow.
    YAML Template (with default values)
    
    type: com.airlock.iam.techclientreg.application.configuration.TechClientRegFlowConfig
    id: TechClientRegFlowConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      processors:
      steps:
    

    Technical Client Registration Settings

    Description
    Configuration of technical client registration flows.
    May be used by
    Properties
    Default Flow (defaultFlow)
    Description
    The default technical client registration flow.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.techclientreg.application.configuration.TechClientRegistrationRestConfig
    id: TechClientRegistrationRestConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultFlow:
    

    Technical Clients Settings

    Description
    Configuration for managing technical clients.
    May be used by
    Properties
    Repository (repository)
    Description
    A repository that configures the DB access for technical clients.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Technical Client Interceptors (interceptors)
    Description
    Defines interceptors that get notified upon changes on technical clients.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.techclients.TechClientsConfig
    id: TechClientsConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      interceptors:
      repository:
    

    Template-based String Provider

    Description
    String value provider to create a string from a template.
    Properties
    Value Encoders (valueEncoders)
    Description

    Encode the values before they are inserted into the template. The encoders are applied in the configured order.

    For a more flexible setup, use the plugins Transforming Value Map Provider and Transforming String Value Provider together with encoders.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Template (template)
    Description

    Template from which the provided string is created. Placeholders (${value-selector}) are replaced by the corresponding value selected from the "Value Providers". The templating mechanism also allows for date formatting, e.g. ${my-date,date,yyyy-MM-dd}.

    Security warning: If you use this plugin to build a technical document (JSON, XML, etc.), make sure the value encoders contain a matching encoder in the last position to prevent it from breaking out of the defined structures.

    Attributes
    String
    Mandatory
    Multi-line-text
    Example
    username=${user-id};
    Example
    {"username": "${user-id}"}
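The following is an added example, not Airlock IAM code, of the templating and encoder chain described above, used to show why the security warning asks for a matching encoder in the last position. It implements only placeholder substitution (no date formatting) with two assumed encoders, a JSON string encoder and an HTML encoder; the hostile value is constructed.

```python
import html
import json
import re
from typing import Optional

# Added example, not Airlock IAM code: minimal template rendering with an encoder chain.
# Date formatting (${selector,date,pattern}) is not reproduced; the encoders are assumed.

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def json_string_encoder(value: str) -> str:
    """Escape a value for use inside a JSON string literal (quotes, backslashes, control chars)."""
    return json.dumps(value)[1:-1]


def html_encoder(value: str) -> str:
    """Escape a value for use in HTML text or attributes."""
    return html.escape(value, quote=True)


def render(template: str, values: dict, encoders=()) -> str:
    """Replace ${selector} with values[selector], passing each value through the encoders
    in the configured order. Unresolvable selectors become the empty string."""
    def substitute(match):
        value = values.get(match.group(1), "")
        for encode in encoders:
            value = encode(value)
        return value
    return PLACEHOLDER.sub(substitute, template)


TEMPLATE = '{"username": "${user-id}"}'       # the second template example above
HOSTILE_USER_ID = 'alice", "role": "admin'   # constructed value that tries to add a field


def render_user_document(user_id: str, encoders=()) -> Optional[dict]:
    """Render TEMPLATE for user_id and parse the result; None if it is no longer valid JSON."""
    document = render(TEMPLATE, {"user-id": user_id}, encoders)
    try:
        return json.loads(document)
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    # No encoder: the value breaks out of the string and adds a "role" field.
    print("no encoder:   ", render_user_document(HOSTILE_USER_ID))
    # JSON encoder last: the document keeps its structure, the value stays a plain string.
    print("json last:    ", render_user_document(HOSTILE_USER_ID, (html_encoder, json_string_encoder)))
    # JSON encoder not last: the HTML encoder mangles the JSON escapes, the document is invalid.
    print("json not last:", render_user_document(HOSTILE_USER_ID, (json_string_encoder, html_encoder)))
```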
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.valueprovider.TemplateStringValueProviderConfig
    id: TemplateStringValueProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      template:
      valueEncoders:
      valueMapProviders:
    

    Template-based Username Transformer

    Description
    Adds the ability to render any values provided by the configured value map provider into a template that defines the transformed username.
    Properties
    Template (template)
    Description

    Template from which the username is transformed. Placeholders (${value-selector}) are replaced by the corresponding value selected from the "Value Providers". Additionally, the input username (the current username in the transformation chain) is always provided as a value and can be referenced by ${input-username}.

    Note: Placeholders that cannot be resolved are replaced with an empty value and the transformation chain continues. Depending on the template and the usernames in the user data source, this might lead to an unintended identification of a user.

    Attributes
    String
    Mandatory
    Example
    ${input-username}.${organization}
    Example
    uid.${input-username}
    Value Providers (valueProviders)
    Description

    These plugins provide the map of all values that are available as variables in the template.

    Note: Providers whose values depend on the user identity cannot provide any values when the username transformation is evaluated, because the user has not been identified at that point. Thus only a few providers (e.g. additional attributes) can provide values at username transformation time.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Value Encoders (valueEncoders)
    Description
    Encode the values before they are inserted into the template. The encoders are applied in the configured order.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.user.TemplateBasedUsernameTransformerConfig
    id: TemplateBasedUsernameTransformerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      template:
      valueEncoders:
      valueProviders:
    

    Temporary Locking

    Description

    Lock out users temporarily after unsuccessful authentication attempts, typically for increasingly longer durations until successful authentication is achieved.

    Note that Temporary Locking is only applied in authentication flows where the "Temporary Locking Processor" is configured.

    Properties
    Strategy (temporaryLockingStrategyConfig)
    Description
    Strategy to calculate the duration of the user lock depending on the number of failed attempts.

    Note: Changing these settings may affect the duration of currently active temporary locks.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.templock.TemporaryLockingConfig
    id: TemporaryLockingConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      temporaryLockingStrategyConfig:
    

    Temporary Locking Processor

    Description
    Processor to perform Temporary Locking: blocks requests for temporarily locked users and adds Temporary Locking information to failed step results.
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.processor.TemporaryLockingProcessorConfig
    id: TemporaryLockingProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Temporary Locking Settings

    Description
    These settings configure temporary user locking.
    Properties
    Base Duration [ms] (baseDurationInMs)
    Description
    After an unsuccessful login, a delay is introduced to make brute-force attacks more difficult. This setting defines the number of milliseconds to wait before showing the login page again after an unsuccessful login.
    Attributes
    Integer
    Optional
    Default value
    3000
    Exponential Factor (exponentialLockoutFactor)
    Description
    If this property has a value greater than 1 then the delay after failed logins is increased with every failed login (per user): After the first failed login, the delay is as specified by property Base Duration. After the second failure, the delay is multiplied by the factor specified by this property, after the third it is again multiplied by this factor etc. After n failed logins, the delay is

    (Base Duration) * (Exponential Factor)^(n-1) + (Additional Duration)*(n-1)

    Example: If the exponential factor is 2.0, then the delay is doubled with every failed login. Note that this property can be combined with property Additional Duration.
    Attributes
    Double
    Optional
    Default value
    1.0
    Additional Duration (in ms) (linearLockoutFactor)
    Description
    If this property has a value greater than 0 (zero) then the delay after failed logins is increased with every failed login (per user): After the first failed login, the delay is as specified by property Base Duration. After the second failure, the amount of milliseconds specified by this property is added. It is again added after the third failed login, etc. After n failed logins, the delay is (in milliseconds):

    (Base Duration) * (Exponential Factor)^(n-1) + (Additional Duration)*(n-1)

    Notice that the first part is always >= (Base Duration).

    Note that this property can be combined with property Exponential Factor.
    Attributes
    Integer
    Optional
    Default value
    0
    Lockout Message Threshold (lockoutMessageThreshold)
    Description
    If the exponential factor is used, long delays may arise which may result in connection timeouts if the response is just held back. Therefore it makes sense to display a message to the user if a certain amount of delay is exceeded. This property specifies the threshold for this delay in milliseconds. If the login failure delay is longer than the value of this property, a message is displayed to the user rather than blocking the request. No value or a value of zero disables this feature.
    Attributes
    Integer
    Optional
    Default value
    0
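The following is an added example, not Airlock IAM code, that evaluates the delay formula above together with the Lockout Message Threshold decision, and walks a constructed sequence of login outcomes with the failure counter resetting on success. The setting keys mirror the YAML template of this plugin; treating exponential factors below 1 as 1 is an assumption.

```python
from typing import List, Tuple

# Added example, not Airlock IAM code. Keys and defaults follow the YAML template of
# "Temporary Locking Settings"; only the delay and threshold logic described above is modelled.

DEFAULT_SETTINGS = {
    "baseDurationInMs": 3000,
    "exponentialLockoutFactor": 1.0,
    "linearLockoutFactor": 0,          # "Additional Duration (in ms)"
    "lockoutMessageThreshold": 0,      # 0 disables the message feature
}


def delay_after_failures(n: int, settings=None) -> int:
    """Delay in milliseconds after the n-th consecutive failed login (n >= 1):
    (Base Duration) * (Exponential Factor)^(n-1) + (Additional Duration)*(n-1)."""
    if n < 1:
        raise ValueError("n counts failed logins and starts at 1")
    s = {**DEFAULT_SETTINGS, **(settings or {})}
    base = s["baseDurationInMs"]
    factor = max(s["exponentialLockoutFactor"], 1.0)  # assumption: factors < 1 behave like 1
    additional = max(s["linearLockoutFactor"], 0)
    return int(base * factor ** (n - 1) + additional * (n - 1))


def failure_response(n: int, settings=None) -> Tuple[str, int]:
    """('hold', delay) if the response is simply held back for delay ms,
    ('message', delay) if the delay exceeds the threshold and a message is shown instead."""
    delay = delay_after_failures(n, settings)
    threshold = (settings or {}).get("lockoutMessageThreshold") or 0
    return ("message" if 0 < threshold < delay else "hold", delay)


def lockout_schedule(max_failures: int, settings=None) -> List[int]:
    """Per-attempt delays for 1..max_failures, e.g. to sanity-check a configuration."""
    return [delay_after_failures(n, settings) for n in range(1, max_failures + 1)]


def simulate(outcomes: List[bool], settings=None) -> List[Tuple[str, int]]:
    """Per-attempt (action, delay) for a sequence of login outcomes (False = failed,
    True = success); the failure counter resets after a successful login."""
    failures, log = 0, []
    for ok in outcomes:
        if ok:
            failures = 0
            log.append(("success", 0))
        else:
            failures += 1
            log.append(failure_response(failures, settings))
    return log


if __name__ == "__main__":
    doubling = {"exponentialLockoutFactor": 2.0, "lockoutMessageThreshold": 60000}
    print("defaults:", lockout_schedule(5))
    print("factor 2.0:", lockout_schedule(6, doubling))
    print("constructed sequence:", simulate([False, False, True, False], doubling))
```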
    Delay Between Login Steps (delayBetweenLoginSteps)
    Description

    Delays responses to the client when asking for another authentication step (e.g. OTP after entering username and password) for the specified number of milliseconds.

    Enhances security because it makes it impossible for an attacker to tell whether the first factor was wrong or correct based on timing.

    Choose a value larger than the slowest expected response from the system checking the first factor.

    Attributes
    Integer
    Optional
    Default value
    500
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.authen.locking.TemporaryLockingSettings
    id: TemporaryLockingSettings-xxxxxx
    displayName: 
    comment: 
    properties:
      baseDurationInMs: 3000
      delayBetweenLoginSteps: 500
      exponentialLockoutFactor: 1.0
      linearLockoutFactor: 0
      lockoutMessageThreshold: 0
    

    Terms Of Service Config

    Description

    Configures the terms of services (legal disclaimer) that have to be accepted by the user during self-registration or when accessing an application.

    When accessing a target application, the Loginapp checks whether the currently valid terms of services have been accepted by the user. The currently valid terms of services are referenced by the "TOS-tag" defined in this configuration. The accepted terms of services are stored in a user property (within the context data container).

    In order to perform the check, the login application must be configured such that it is involved every time an application is accessed for the first time within a session. Usually, this means that only the credentials/roles needed for the currently accessed application are granted to the Airlock Gateway (WAF) session.

    May be used by
    Properties
    Terms Of Service Tag (tag)
    Description

    An arbitrary string uniquely defining the currently valid legal disclaimer used for this application. The tag may be shared among several applications or with the self-registration process. Once the user accepts the disclaimer, this tag is saved with the user data (see next properties). If the user data has no or a different tag saved, the user is prompted to accept the current disclaimer.

    The tag may not contain commas (",") or the timestamp separator (in case the timestamp pattern is specified).

    Attributes
    String
    Mandatory
    License-Tags
    TermsOfServices
    Example
    AGB_2009
    Example
    TOS-1.2.1
    Storage Strategy (storageStrategy)
    Description
    Defines how the terms of services tag is stored in the user's context data container:
    • Shared property (comma-separated) : The context data property (see below) is shared among several applications. The accepted tags are stored in a comma-separated value list.
    • Private property : The context data property (see below) is used only by this application.
    • Shared property (multi-value) : The context data property (see below) is shared among several applications. The accepted tags are stored in a multi-value attribute.
    Attributes
    String
    Optional
    License-Tags
    TermsOfServices
    Default value
    Shared property (comma-separated)
    Allowed values
    Shared property (comma-separated), Private property, Shared property (multi-value)
    Timestamp Format (timestampFormat)
    Description
    If set, a timestamp is stored with the tag in the user's context data container using the specified date format.
    For example, this results in: TOS-2013:20130828134559+0100
    Attributes
    String
    Optional
    License-Tags
    TermsOfServices
    Suggested values
    yyyyMMddHHmmssZ, yyyyMMdd
    Timestamp Separator (timestampSeparator)
    Description
    If a timestamp is saved, this property specifies the separator used between the tag and the timestamp.
    Notice that with the Shared property (comma-separated) storage strategy, the comma cannot be used as separator.
    Attributes
    String
    Optional
    Length <= 1
    License-Tags
    TermsOfServices
    Default value
    :
    User Property Name (userPropertyName)
    Description
    The name of the property in the user's context data container holding the accepted tag(s).
    Make sure that the used persister is configured to read/write the property!
    Attributes
    String
    Mandatory
    License-Tags
    TermsOfServices
    Suggested values
    disclaimer_tag
    Disclaimer Texts (disclaimerTexts)
    Description

    Defines a language-dependent, formatted disclaimer text displayed to the user.

    If the user is accessing an application and the terms of services have to be accepted, the whole terms / legal disclaimer can be displayed on the page.

    If the user has to accept the terms of services during the self-registration, it makes sense to show only a link to the terms / legal disclaimer (it's only a checkbox label).

    Attributes
    Plugin-List
    Mandatory
    License-Tags
    TermsOfServices
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.termsofservice.TermsOfServiceConfig
    id: TermsOfServiceConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      disclaimerTexts:
      storageStrategy: Shared property (comma-separated)
      tag:
      timestampFormat:
      timestampSeparator: :
      userPropertyName:
    

    Terms Of Services Step

    Description
    Configuration for a Terms of Services flow step.
    Properties
    Terms Of Services (termsOfServices)
    Description
    The list of terms of services that need to be accepted in this step.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.termsofservice.TermsOfServiceStepConfig
    id: TermsOfServiceStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      termsOfServices:
    

    Test Task

    Description
    Task for testing.

    Task counting from 1 to 100 in about 30 seconds. The task logs the counter to the log file on error level.

    May be used by
    Properties
    Sleep Millis (sleepMillis)
    Description
    Number of milliseconds between each written log statement.
    Attributes
    Long
    Optional
    Default value
    300
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.TestTask
    id: TestTask-xxxxxx
    displayName: 
    comment: 
    properties:
      sleepMillis: 300
    

    Text File Password Renderer

    Description
    Simple password renderer using a shell-like variable syntax to produce a text file. Available data:
    ${password}
    ${DateString}
    ${any context data key}
    Example:
    text-file-password-renderer.template = ${userid};${password};${firstname};${lastname}
    Properties
    Template (template)
    Description
    The text template. Available data:
    ${password} - the new plaintext password
    ${DateString} - the current date dd.MM.yyyy formatted
    ${context data key} - any context data field as configured in the user persister
    Attributes
    String
    Mandatory
    Suggested values
    ${userid};${password}, User: ${userid}, Password: ${password}, Generated: ${DateString}
    Encoding (encoding)
    Description
    The output encoding.
    Attributes
    String
    Optional
    Default value
    UTF-8
    Allowed values
    UTF-8, ISO-8859-1, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, ISO-8859-15
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.generator.TextFilePasswordRenderer
    id: TextFilePasswordRenderer-xxxxxx
    displayName: 
    comment: 
    properties:
      encoding: UTF-8
      template:
    

    Text File Renderer

    Description
    Renders a language-dependent text file with variable substitution.
    Properties
    Default Template (defaultTemplate)
    Description
    Specifies the default template file.

    The file has to be a simple text file in UTF-8 encoding.

    The file name is either absolute or relative to the JVM's current directory.

    Multiple templates for different languages can be specified with the property template. A default template must always be specified.

    Attributes
    File/Path
    Mandatory
    Template (template)
    Description
    Language dependent templates taking precedence over the default template.
    Selectors must be chosen according to the ISO two-letter language codes, e.g. "fr" for French.
    See also description of default-template.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.renderer.TextFileRenderer
    id: TextFileRenderer-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultTemplate:
      template:
    

    Text File Token List Renderer

    Description
    Configurable renderer that renders a token list as a simple text file.
    Properties
    Line Break Style (lineBreakStyle)
    Description
    Specifies whether a line break should be done in Windows-Style (carriage return followed by line feed) or in Unix-Style (new line only).
    Attributes
    String
    Optional
    Default value
    UNIX-STYLE
    Allowed values
    WINDOWS-STYLE, UNIX-STYLE
    Separation Lines (separationLines)
    Description
    The number of blank lines between lines of tokens.
    Attributes
    Integer
    Optional
    Default value
    1
    Top Margin (topMargin)
    Description
    Number of blank lines on top of the page.
    Attributes
    Integer
    Optional
    Default value
    2
    Left Margin (leftMargin)
    Description
    Number of blanks on the left of each line.
    Attributes
    Integer
    Optional
    Default value
    2
    Header Separation Lines (headerSeparationLines)
    Description
    The number of blank lines between header and list.
    Attributes
    Integer
    Optional
    Default value
    3
    Spaces Between Tokens (spacesBetweenTokens)
    Description
    Number of spaces between tokens.
    Attributes
    Integer
    Optional
    Default value
    2
    Tokens Per Line (tokensPerLine)
    Description
    Number of tokens on each line.
    Attributes
    Integer
    Optional
    Default value
    10
    List Mode (listMode)
    Description
    Determines the way the list is rendered:
    • Standard: Token list without indices.
    • Indexed: Token list with indices.
    • Matrix: Token Matrix.
    Attributes
    Enum
    Optional
    Default value
    STANDARD
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.renderer.TextFileTokenListRenderer
    id: TextFileTokenListRenderer-xxxxxx
    displayName: 
    comment: 
    properties:
      headerSeparationLines: 3
      leftMargin: 2
      lineBreakStyle: UNIX-STYLE
      listMode: STANDARD
      separationLines: 1
      spacesBetweenTokens: 2
      tokensPerLine: 10
      topMargin: 2
    

    Text Message Token Controller Element

    Description
    Renders a full-width message with static text.
    Properties
    Message (message)
    Description
    The message is interpreted as translation key. If no translation is found, the message is displayed as configured.
    Attributes
    String
    Mandatory
    Type (type)
    Description
    Defines how the message is displayed.
    • Paragraph: text is displayed without any style.
    • Header: bold text with margins around to separate it from other elements.
    • Info: text in a blue box.
    • Warning: text in a yellow box.
    • Error: text in a red box.
    Attributes
    Enum
    Optional
    Default value
    PARAGRAPH
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.generic.ui.TextMessageTokenControllerUiElementConfig
    id: TextMessageTokenControllerUiElementConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      message:
      type: PARAGRAPH
    

    Text Report Renderer

    Description
    Text report renderer outputting report contents in plain text. Outputs the report parameters in plain text to the OutputStream. This can be useful for testing or debugging purposes.
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.report.TextReportRenderer
    id: TextReportRenderer-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Text UI Element

    Description
    Renders text.
    Properties
    Text (text)
    Description
    The text to show. The UI treats it as a key to translate. If there is no translation, the configured value is what is shown in the UI. Note that the translated text may contain HTML. This allows you to control the styling of the text or to embed HTML elements like links.
    Attributes
    String
    Mandatory
    HTML ID (htmlId)
    Description
    The ID of the element in the HTML.
    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9_]+
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableTextConfig
    id: ConfigurableTextConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      htmlId:
      text:
    

    Ticket Key Value

    Description
    Key-value pair to be added to the ticket.
    Properties
    Ticket Key (ticketKey)
    Description
    The key of the ticket element. This is the key under which the key-value pair is added to the ticket.
    Attributes
    String
    Mandatory
    Example
    username
    Example
    email
    Value Selector (valueSelector)
    Description
    This selects an entry from the "Value Providers" to obtain the value for this key-value pair.
    Attributes
    String
    Mandatory
    Example
    user-id
    Example
    email
    Omit If Empty (omitIfEmpty)
    Description
    If enabled and the obtained value is empty, this key-value pair is omitted from the ticket. A value is considered empty if it is not provided, is null, or is the empty string.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.targetapp.TicketKeyValue
    id: TicketKeyValue-xxxxxx
    displayName: 
    comment: 
    properties:
      omitIfEmpty: false
      ticketKey:
      valueSelector:
    

    Ticket String Provider Config

    Description
    Provides an SSO ticket (e.g. a JWT ticket) as a string.
    Properties
    Value Providers (valueProviders)
    Description
    These plugins provide the map of all values that are available to create the ticket. Use the "Key-Value Pairs" property to define how the provided values are mapped into the ticket. The value providers are applied in the configured order. Later providers can overwrite values of earlier ones.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Key-Value Pairs (keyValues)
    Description

    List of key-value pairs that are included in the ticket. Each of them selects a value provided by the "Value Providers" and includes it in the ticket under a specified key.

    Example: the Value Providers provide an entry with key "user-id" and value "tester". A key-value pair configuration with ticket key "username" and value selector "user-id" results in a ticket entry with key "username" and value "tester".

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Validity [s] (validitySeconds)
    Description
    The validity duration of the ticket (in seconds).
    Attributes
    Long
    Optional
    Default value
    600
    URL Encoding Scheme (urlEncodingScheme)
    Description
    Encoding scheme for creating the ticket.
    Attributes
    String
    Optional
    Default value
    UTF-8
    Ticket Encoder (ticketEncoder)
    Description

    The ticket encoder plugin used to encode the ticket to a string.

    Some ticket encoders do not support ticket expiry, i.e. they do not encode the ticket validity into the ticket.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.targetapp.TicketStringProviderConfig
    id: TicketStringProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      keyValues:
      ticketEncoder:
      urlEncodingScheme: UTF-8
      validitySeconds: 600
      valueProviders:
    
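    The merge-and-select semantics described above (value providers applied in order with later ones overwriting earlier ones, each key-value pair selecting one entry, "Omit If Empty" dropping unprovided, null or empty values), modelled in Python as an added example. This is not Airlock IAM code; the URL-encoded output of encode_ticket is a constructed stand-in for a ticket encoder, not the format of any IAM ticket, and keeping an unprovided value as the empty string when omitIfEmpty is false is an assumption.

```python
from dataclasses import dataclass
from typing import Any, Dict, List
from urllib.parse import urlencode


@dataclass(frozen=True)
class TicketKeyValue:
    """One 'Key-Value Pairs' entry: ticketKey, valueSelector, omitIfEmpty."""
    ticket_key: str
    value_selector: str
    omit_if_empty: bool = False


def merge_value_providers(providers: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Apply the value providers in configured order; a later provider
    overwrites values of earlier ones, as the reference states."""
    merged: Dict[str, Any] = {}
    for provider in providers:
        merged.update(provider)
    return merged


def is_empty(value: Any) -> bool:
    """Empty as defined for omitIfEmpty: not provided, null, or ''."""
    return value is None or value == ""


def map_ticket_entries(providers: List[Dict[str, Any]],
                       key_values: List[TicketKeyValue]) -> Dict[str, Any]:
    """Select each configured ticketKey from the merged provider map."""
    values = merge_value_providers(providers)
    entries: Dict[str, Any] = {}
    for kv in key_values:
        value = values.get(kv.value_selector)  # None when not provided
        if is_empty(value) and kv.omit_if_empty:
            continue
        # Assumption: with omitIfEmpty=false the key is kept and an
        # unprovided value is written as the empty string.
        entries[kv.ticket_key] = "" if value is None else value
    return entries


def encode_ticket(entries: Dict[str, Any], validity_seconds: int,
                  issued_at: int, url_encoding_scheme: str = "UTF-8") -> str:
    """Constructed stand-in for a ticket encoder that supports expiry:
    URL-encodes the entries plus an 'exp' timestamp (issued_at + validity).
    Not the wire format of any Airlock IAM ticket encoder."""
    payload = dict(entries)
    payload["exp"] = str(issued_at + validity_seconds)
    return urlencode(payload, encoding=url_encoding_scheme)


def demo_ticket():
    """Constructed sample: two value providers and four key-value pairs."""
    providers = [
        {"user-id": "tester", "email": ""},
        {"email": "tester@example.invalid"},  # later provider overwrites ''
    ]
    key_values = [
        TicketKeyValue("username", "user-id"),
        TicketKeyValue("email", "email"),
        # 'department' is never provided -> omitted from the ticket
        TicketKeyValue("dept", "department", omit_if_empty=True),
        # 'phone' is never provided but omitIfEmpty is false -> kept as ''
        TicketKeyValue("phone", "phone"),
    ]
    entries = map_ticket_entries(providers, key_values)
    # validitySeconds default 600; issued_at is a constructed epoch second
    return entries, encode_ticket(entries, 600, issued_at=1_700_000_000)


if __name__ == "__main__":
    print(demo_ticket())
```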

    To Query Parameter URI Transformer

    Description
    Transforms a URI by appending it as a query parameter to a constant base URI.
    Properties
    Base URI (baseURI)
    Description
    The URI to which the input of this transformer is appended as a query parameter.
    Attributes
    String
    Mandatory
    Example
    /ebanking
    Parameter Name (parameterName)
    Description
    The name of the query parameter.
    Attributes
    String
    Mandatory
    Example
    location
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.location.transform.LocationAsQueryParameterToBaseURIAppenderConfig
    id: LocationAsQueryParameterToBaseURIAppenderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      baseURI:
      parameterName:
    

    Token Activation On Delivery Strategy

    Description
    Task strategy that checks, for each assigned but not yet activated Vasco token, whether the corresponding letter has arrived at the customer. If this is the case, the token is activated.
    May be used by
    Properties
    Token Data Provider (tokenDataProvider)
    Description
    The token data provider plugin is used to read all tokens to be handled by this task. Should be configured to only return the tokens that should be handled by this task.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Tracking Service (trackingService)
    Description
    The tracking service used to track the status of the letter.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Email Service (emailService)
    Description
    The email service plugin used to send a confirmation email after token activation. Specifying an email service is required for sending a confirmation email to the users.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    User Persister (userPersister)
    Description
    User persister plugin used to load and store user information. Specifying a persister plugin is required for sending a confirmation email to the users.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Context Data Recipient Field (contextDataRecipientField)
    Description
    The name of the context data field containing the email address. Specifying this context data field is required for sending a confirmation email to the users.
    Attributes
    String
    Optional
    Example
    email
    Mail Subject (mailSubject)
    Description
    The string used as subject.
    Attributes
    String
    Optional
    Example
    Token Activated
    Mail Body (mailBody)
    Description
    The template used as body. This text may contain the string "$SERIALID$", which will be replaced by the serial ID of the activated token.
    Attributes
    String
    Optional
    Multi-line-text
    Example
    Your Vasco token with Serial ID $SERIALID$ has been activated.
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.token.TokenActivationOnDeliveryStrategyConfig
    id: TokenActivationOnDeliveryStrategyConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataRecipientField:
      emailService:
      mailBody:
      mailSubject:
      tokenDataProvider:
      trackingService:
      userPersister:
    

    Token Authenticator

    Description
    Provides the functionality of a token verifier (TokenVerifier) as Authenticator plugin.

    This authenticator loads and initializes the specified token verifier plug-in and presents its functionality as an Authenticator.

    There are two modes of operation:

    • Stand-alone: In this mode, the authenticator can be used by itself to authenticate users against a token verifier (e.g. an RSA/ACE server).
      It expects the first credential type to be a UserTokenCredential and passes the username and the token value to the token verifier.
      Note: This mode of operation is automatically selected when the type of credential passed in the first step of authentication is UserTokenCredential and does not contain a token.
    • Authentication-step: In this mode, the authenticator is used in conjunction with the MetaAuthenticator as the second (or a following) step in the authentication process. It thus expects a credential of type UserCredential when called first.
      Note: This mode of operation is automatically selected when the type of credential passed in the first step of authentication is UserCredential.

    An authentication session is always required by this authenticator.

    A credential persister plugin can be used (optionally) to translate the username presented to this plugin to an "internal" ACE-user. The username in the authentee object returned after successful authentication is always the one presented to this plugin and not the one on the ACE-Server.

    In the case of successful authentication, the returned authentee consists of the username only.

    The plugin writes the canonical class name of this plugin to the context data container. The class name is stored under the key authPluginClassName. A short description of this authentication method is stored under the key authMethodShortDesc. This information may be used by callers.

    Properties
    Token Verifier (tokenVerifier)
    Description
    Plugin class name of the token verifier.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Credential Persister (credentialPersister)
    Description
    Defines a credential persister plugin. If this property is defined, the configured credential persister plugin is used to look up the username used in communication with the ACE-server (the "ACE-user") given the username presented to this plugin:
    A credential bean is fetched with the username used with this plugin and the credential-data (string or binary) of the credential bean is used as ACE-user.

    This property can be used if a mapping between the actual username and the ACE-username is required.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pin (pin)
    Description
    If required, a PIN may be defined using this property. The specified PIN will be used together with the provided token code to authenticate the user. This may be useful if a PIN is associated with the token but you don't want the authenticating users to type it.

    The PIN can be defined as a static value, or its value may be retrieved from a context-value field of a persisted credential. The latter case requires that a credential persister is configured. Prepend the value with the @-character to use it as a reference to a context-data field.

    Attributes
    String
    Optional
    Sensitive
    Example
    1234
    Example
    secret
    Example
    @token_pin
    Example
    @securid_pin
    Use Password As Pin (usePasswordAsPin)
    Description
    If set to TRUE, the password of the credential is used as the token PIN.
    Attributes
    Boolean
    Optional
    Default value
    false
    Use Password As Token (usePasswordAsToken)
    Description
    If set to TRUE, the password is used as the token. This mode cannot be used in conjunction with the "MetaAuthenticator".
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.TokenAuthenticator
    id: TokenAuthenticator-xxxxxx
    displayName: 
    comment: 
    properties:
      credentialPersister:
      pin:
      tokenVerifier:
      usePasswordAsPin: false
      usePasswordAsToken: false
    

    Token Consistency User Change Listener

    Description
    A listener that reacts on change events on users and keeps the tokens in a consistent state. Currently, it performs the following actions:
    • on user deletion: delete or unassign all tokens assigned to that user.
    • on user name change: change the token assignments to the new user name.
    Properties
    Token Data Provider (tokenDataProvider)
    Description
    Plugin to load tokens from persistence.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token Services (tokenServices)
    Description
    The list of Token Services to handle the specifics of each token type.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.persistency.usereventbus.TokenConsistencyUserChangeListener
    id: TokenConsistencyUserChangeListener-xxxxxx
    displayName: 
    comment: 
    properties:
      tokenDataProvider:
      tokenServices:
    

    Token Data Certificate Matcher

    Description
    Default implementation for certificate token lookup. This plugin tries to match the certificate in the token table of the persistency layer based on serial number, subject DN and issuer DN (all must match). This should be sufficient for most cases.
    Properties
    Token Data Provider (tokenDataProvider)
    Description
    Connection to the token data persistency layer.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Multi Format Dn Comparison (multiFormatDnComparison)
    Description
    If set to true, comparison of distinguished names (DNs) supports various formats. Specifically, the following DNs are considered to be equal:
    • a=A,b=B,c=C
    • c=C,b=B,a=A (backwards)
    • /a=A/b=B/c=C (slash notation)
    • /c=C/b=B/a=A (slash notation backwards)
    • a=A,b=B,x.y.z=C (where x.y.z is the OID for attribute c)
    This is useful if the tokens in the database are written by a system other than Airlock IAM, which might use a different DN format.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.certificate.DefaultCertificateMatcher
    id: DefaultCertificateMatcher-xxxxxx
    displayName: 
    comment: 
    properties:
      multiFormatDnComparison: false
      tokenDataProvider:
    
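    The lookup rule above (serial number, subject DN and issuer DN must all match) together with the multi-format DN comparison (comma notation, reversed order, slash notation, OIDs in place of attribute names), worked through in Python as an added example. This is not Airlock IAM code: the OID table covers only the common X.520 attribute types, values are compared literally after trimming whitespace, and falling back to a plain string comparison when multiFormatDnComparison is false is an assumption about the plugin.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known X.520 / PKIX attribute type OIDs -> short names.
OID_TO_NAME = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.5": "SERIALNUMBER",
    "0.9.2342.19200300.100.1.25": "DC", "1.2.840.113549.1.9.1": "EMAILADDRESS",
}


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep while leaving backslash-escaped separators intact."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse 'a=A,b=B,c=C' or '/a=A/b=B/c=C' into (TYPE, value) pairs.
    Attribute types given as OIDs are mapped to their names; type names
    are upper-cased so CN= and cn= compare equal."""
    text = dn.strip()
    raw = _split_unescaped(text[1:], "/") if text.startswith("/") \
        else _split_unescaped(text, ",")
    rdns = []
    for rdn in raw:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        attr = OID_TO_NAME.get(attr.strip(), attr.strip()).upper()
        rdns.append((attr, value.strip()))
    return rdns


def dns_equal(a: str, b: str, multi_format: bool) -> bool:
    """multi_format=False: literal comparison (assumption). multi_format=True:
    equal if the RDN sequences match forwards or backwards after parsing."""
    if not multi_format:
        return a == b
    pa, pb = parse_dn(a), parse_dn(b)
    return pa == pb or pa == list(reversed(pb))


@dataclass(frozen=True)
class StoredToken:
    """Constructed stand-in for a row of the token table."""
    username: str
    serial_number: int
    subject_dn: str
    issuer_dn: str


def match_certificate(tokens: List[StoredToken], serial_number: int,
                      subject_dn: str, issuer_dn: str,
                      multi_format: bool) -> Optional[StoredToken]:
    """Return the token whose serial number, subject DN and issuer DN all
    match the presented certificate, or None."""
    for tok in tokens:
        if (tok.serial_number == serial_number
                and dns_equal(tok.subject_dn, subject_dn, multi_format)
                and dns_equal(tok.issuer_dn, issuer_dn, multi_format)):
            return tok
    return None


# Constructed sample: the row was written by another system in slash
# notation, with the CN given as its OID.
SAMPLE_TOKENS = [
    StoredToken("alice", 0x1A2B, "/C=CH/O=Example/2.5.4.3=alice",
                "/C=CH/O=Example CA/CN=Example Root CA"),
]
# Constructed subject/issuer as a PKIX library would render them.
CERT_SUBJECT = "CN=alice,O=Example,C=CH"
CERT_ISSUER = "CN=Example Root CA,O=Example CA,C=CH"


def demo_lookup(multi_format: bool) -> Optional[str]:
    tok = match_certificate(SAMPLE_TOKENS, 0x1A2B, CERT_SUBJECT, CERT_ISSUER,
                            multi_format)
    return tok.username if tok else None


if __name__ == "__main__":
    print(demo_lookup(False), demo_lookup(True))
```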

    Token Data mTAN Handler

    Description
    An mTAN Handler that uses the token table of the IAM database. Supports multiple mTAN numbers per user.
    Properties
    Token Data Provider (tokenDataProvider)
    Description
    Provider for the token data from the persistency layer.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Hash Function (hashFunction)
    Description
    The hash function used for generation and verification of IAKs (initial activation keys). If no hash function is provided in the configuration, no activation codes will be available and checks of activation codes will always fail.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Activation Key Generator (activationKeyGenerator)
    Description
    The string generator to generate the new IAKs (initial activation keys).
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Max Token Count (maxTokenCount)
    Description
    The maximum number of mTAN numbers for a user. If no value is specified, a user can have an unlimited number of mTAN numbers.
    Attributes
    Integer
    Optional
    User Store (userStore)
    Description
    The user store is used to load context data for users which are relevant to creating activation code (IAK) letters.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.mtan.TokenDataMtanHandler
    id: TokenDataMtanHandler-xxxxxx
    displayName: 
    comment: 
    properties:
      activationKeyGenerator:
      hashFunction:
      maxTokenCount:
      tokenDataProvider:
      userStore:
    

    Token Data mTAN Handler for IAK Order

    Description
    An mTAN Handler for IAK ordering that uses the token table of the IAM database. Supports multiple mTAN numbers per user.
    Properties
    Token Data Provider (tokenDataProvider)
    Description
    Provider for the token data from the persistency layer.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Max Number Count (maxNumberCount)
    Description
    The maximum number of mTAN numbers for a user. If no value is specified, a user can have an unlimited number of mTAN numbers.
    Attributes
    Integer
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.mtan.TokenDataMtanHandlerForIakOrder
    id: TokenDataMtanHandlerForIakOrder-xxxxxx
    displayName: 
    comment: 
    properties:
      maxNumberCount:
      tokenDataProvider:
    

    Token Data Username Transformer

    Description
    Similar to the Context Data Username Transformer, this plugin tries to look up the user name in a specified field in the token database and returns the username of the user to whom this token is assigned.
    Properties
    Token Data Provider (tokenDataProvider)
    Description
    Token data provider to load the token data.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token Type (tokenType)
    Description
    Restricts the search to a specific token type. Leave empty to search all token types.
    Attributes
    String
    Mandatory
    Suggested values
    CERTIFICATE, VASCO, CRONTO
    Data Field (dataField)
    Description
    Specifies the field of the token that has to exactly match the entered user name. If a prefix or other modifications are necessary, chain this transformer after other transformers.
    Attributes
    Enum
    Mandatory
    Stop After Successful Transformation (stopAfterSuccessfulTransformation)
    Description
    With this flag the chaining of username transformers can be interrupted. If it is enabled and this transformer successfully transformed the username, following username transformers are not executed.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.TokenDataUsernameTransformer
    id: TokenDataUsernameTransformer-xxxxxx
    displayName: 
    comment: 
    properties:
      dataField:
      stopAfterSuccessfulTransformation: false
      tokenDataProvider:
      tokenType:
    

    Token Endpoint Auth Method Processor

    Description
    Processes the "token_endpoint_auth_method" metadata attribute. The value is taken from the request as long as it matches the configured allowed values and doesn't exceed the length limit imposed by the database.
    Properties
    Allowed Values (allowedValues)
    Description
    Allowed values limiting the token endpoint auth method requested by the client.
    Attributes
    String-List
    Optional
    Default value
    [none, client_secret_post, client_secret_basic]
    Mandatory (mandatory)
    Description
    If the attribute is mandatory, a valid value is required; otherwise an error is returned. If it is not mandatory, invalid values are silently ignored.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.techclientreg.application.configuration.registration.TokenEndpointAuthMethodProcessorConfig
    id: TokenEndpointAuthMethodProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedValues: [none, client_secret_post, client_secret_basic]
      mandatory: false
    

    Token IAK Handler

    Description
    Handles activation codes (IAK) using a token data provider.
    Properties
    Token Data Provider (tokenDataProvider)
    Description
    Provider to handle token-related tasks.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Password Hash (passwordHash)
    Description
    Hash function to hash the IAKs.

    NOTE: Some password hashes, such as SHA 256 Password Hash or Scrypt Password Hash, produce binary output. If one of these is used, make sure the persistence layer supports binary data in the hash field and the corresponding persistence plugins (e.g. Database User Store or Ldap Connector) are configured to treat hash values as binary values.
    In case the persistence layer expects a string, encode the password hash by wrapping it with an encoder. To achieve this, use the Password Hash Configuration plugin and specify the hash function (such as Scrypt Password Hash) together with the desired encoder. We recommend using the Base64 Password Hash Encoder.

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Code Generator (codeGenerator)
    Description
    Secret string generator to create device activation codes.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Validity Time (validityTime)
    Description
    The validity time (in hours) of the activation code, i.e. how long the activation code is valid and can be used to activate a new device. If set to 0, the validity time is not limited.
    Attributes
    Integer
    Mandatory
    Allowed Failed Attempts (allowedFailedAttempts)
    Description

    The number of times the user is allowed to enter a wrong activation code.

    A value of 0 (zero) means the user has no retries (thus only one attempt).

    Attributes
    Integer
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.TokenIakHandler
    id: TokenIakHandler-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedFailedAttempts:
      codeGenerator:
      passwordHash:
      tokenDataProvider:
      validityTime:
    

    Token Task

    Description
    Task that iterates over tokens and handles them according to the configured strategy.
    May be used by
    Properties
    Strategy (strategy)
    Description
    Strategy that defines the subset of tokens to be handled and how tokens should be handled. Additionally, it may define any required pre- and post-processing before and after iterating over tokens.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.token.TokenTaskConfig
    id: TokenTaskConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      strategy:
    

    Token-based Attribute Mapping

    Description
    Filters and maps attributes from the outside to the generic token and vice versa.

    All token attributes must be considered optional.

    This plugin is designed to work only with the token-based repository that is shipped with IAM. For custom repository implementations, custom attribute mappings are needed.

    Properties
    Serial ID (serialId)
    Description
    The serial ID of this token.
    Attributes
    String
    Optional
    Suggested values
    serialId
    Enabled (enabled)
    Description
    Indicates whether this token is enabled. This is a read-only property.
    Attributes
    String
    Optional
    Suggested values
    enabled
    Activation Date (activationDate)
    Description
    The activation date of this token. This is a read-only property.
    Attributes
    String
    Optional
    Suggested values
    activationDate
    Valid From (validFrom)
    Description
    Date as of which the token is valid.
    Attributes
    String
    Optional
    Suggested values
    validFrom
    Valid To (validTo)
    Description
    Expiration date of this token.
    Attributes
    String
    Optional
    Suggested values
    validTo
    Generation Date (generationDate)
    Description
    The generation date of this token. This is a read-only property.
    Attributes
    String
    Optional
    Suggested values
    generationDate
    First Usage Date (firstUsageDate)
    Description
    Date of first usage. This is a read-only property.
    Attributes
    String
    Optional
    Suggested values
    firstUsageDate
    Latest Usage Date (latestUsageDate)
    Description
    Date of latest usage. This is a read-only property.
    Attributes
    String
    Optional
    Suggested values
    latestUsageDate
    Total Usages (totalUsages)
    Description
    Total number of usages. This is a read-only property.
    Attributes
    String
    Optional
    Suggested values
    totalUsages
    Tracking ID (trackingId)
    Description
    The tracking ID of this token.
    Attributes
    String
    Optional
    Suggested values
    trackingId
    Other Assignees (otherAssignees)
    Description
    An array with the IDs of the other assignees of this token (excluding the current user).
    Attributes
    String
    Optional
    Suggested values
    otherAssignees
    Data (data)
    Description
    The actual data of this token.
    Attributes
    String
    Optional
    Generic Data Element1 (genericDataElement1)
    Description
    A general purpose data field.
    Attributes
    String
    Optional
    Generic Data Element2 (genericDataElement2)
    Description
    A general purpose data field.
    Attributes
    String
    Optional
    Generic Data Element3 (genericDataElement3)
    Description
    A general purpose data field.
    Attributes
    String
    Optional
    Generic Data Element4 (genericDataElement4)
    Description
    A general purpose data field.
    Attributes
    String
    Optional
    Generic Data Element5 (genericDataElement5)
    Description
    A general purpose data field.
    Attributes
    String
    Optional
    Generic Data Element6 (genericDataElement6)
    Description
    A general purpose data field.
    Attributes
    String
    Optional
    Generic Data Element7 (genericDataElement7)
    Description
    A general purpose data field.
    Attributes
    String
    Optional
    Generic Data Element8 (genericDataElement8)
    Description
    A general purpose data field.
    Attributes
    String
    Optional
    Generic Data Element9 (genericDataElement9)
    Description
    A general purpose data field.
    Attributes
    String
    Optional
    Generic Data Element10 (genericDataElement10)
    Description
    A general purpose data field.
    Attributes
    String
    Optional
    Generic Data Element11 (genericDataElement11)
    Description
    A general purpose data field.
    Attributes
    String
    Optional
    Generic Data Element12 (genericDataElement12)
    Description
    A general purpose data field.
    Attributes
    String
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.generic.TokenBasedAttributeMapping
    id: TokenBasedAttributeMapping-xxxxxx
    displayName: 
    comment: 
    properties:
      activationDate:
      data:
      enabled:
      firstUsageDate:
      generationDate:
      genericDataElement1:
      genericDataElement10:
      genericDataElement11:
      genericDataElement12:
      genericDataElement2:
      genericDataElement3:
      genericDataElement4:
      genericDataElement5:
      genericDataElement6:
      genericDataElement7:
      genericDataElement8:
      genericDataElement9:
      latestUsageDate:
      otherAssignees:
      serialId:
      totalUsages:
      trackingId:
      validFrom:
      validTo:
    

    Token-based Generic Token Repository

    Description
    Repository that loads tokens from persistence.
    May be used by
    Properties
    Token Data Provider (tokenDataProvider)
    Description
    Data provider to load tokens from persistence.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Max Tokens Per User (maxTokens)
    Description
    Defines the maximum number of tokens per user.
    Attributes
    Integer
    Optional
    Default value
    1
    Token Attribute Mapping (attributeMapping)
    Description
    Defines the set of supported attributes and optional name mappings.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.generic.TokenBasedGenericTokenRepositoryConfig
    id: TokenBasedGenericTokenRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      attributeMapping:
      maxTokens: 1
      tokenDataProvider:
    

    Tokens Configuration

    Description
    Configuration of tokens, i.e. management of tokens.
    May be used by
    Properties
    Token Managers (tokenManagers)
    Description
    Token managers for the Adminapp.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.tokens.TokensConfiguration
    id: TokensConfiguration-xxxxxx
    displayName: 
    comment: 
    properties:
      tokenManagers:
    

    Too Many Unlocks Restriction

    Description
    Excludes users that have exceeded the allowed number of unlocks (configurable in the "Public Self-Service Flow Settings"). If no maximum number of unlocks is configured, this restriction is never violated.
    Properties
    Enable Feedback (enableFeedback)
    Description

    If enabled, the User Identification Step always returns a specific error code in case this restriction is violated.

    If no restrictions are configured to provide feedback, a flow can also be started for users violating one or more restrictions and the flow will advance to the user identity verification step in stealth mode. In this mode, the initial behavior of the step is the same as for unrestricted users (e.g. an mTAN OTP is required), but all responses are rejected as if they were incorrect. This behavior prevents restricted users from ever proceeding further in the flow and thus offers protection against user enumeration. Please refer to the documentation for more details.

    Irrespective of this setting, once the identity verification step is passed, restrictions are always checked before and after each method call and violations are always reported.

    Security notice: Enabling this feature might allow a client to determine whether certain users exist in the system.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.restrictions.TooManyUnlocksRestrictionConfig
    id: TooManyUnlocksRestrictionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      enableFeedback: false
    

    Transaction Approval

    Description
    Configures the Transaction Approval web application.
    Properties
    Flows (flows)
    Description
    The transaction approval flows.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    User Store (userStore)
    Description
    The user store containing the users that approve transactions.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Max Failed Factor Attempts (maxFailedTransactionApprovals)
    Description
    Maximum number of allowed transaction approval attempts. Failed transaction approval attempts are counted as failed logins for the given credential, i.e., the same counter is used. The user is locked if the number of failed attempts for some credential exceeds this limit.
    Attributes
    Integer
    Optional
    Default value
    5
    Gateway Settings (gatewaySettings)
    Description
    Settings regarding an Airlock Gateway or Airlock Microgateway reverse proxy placed in front of Airlock IAM.

    If no settings are configured, extra information from the reverse proxy will not be available and it may be harder to correlate log messages that are written to different log files.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Request Authentication (requestAuthentication)
    Description
    Determines how a credential is extracted and used to authenticate single requests.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    CSRF Protection (csrfProtection)
    Description

    If enabled, REST endpoints are protected against CSRF attacks.

    With this protection, the REST API only accepts requests that contain the custom header X-Same-Domain with an arbitrary non-empty value. In cross-origin resource sharing (CORS), such requests are not considered simple requests and thus must always be preceded by a preflight request, which prevents cross-site request forgery (CSRF) attacks.

    Security warning: Disabling this feature may allow CSRF attacks. Only do so if the REST client is unable to comply with the aforementioned restrictions.

    Attributes
    Boolean
    Optional
    Default value
    true
    Fixed Response Duration (fixedResponseDuration)
    Description
    Defines how long it takes (in milliseconds) until IAM answers an 'unsuccessful' request in the transaction approval API. Faster answers are delayed until the configured duration is reached. This helps to avoid timing attacks. Successful or slower responses are not affected by this property. Protection against timing attacks is only provided if IAM is able to process 'unsuccessful' requests within the configured duration.

    The endpoint that checks a password against the configured policy is excluded from response delays.

    Attributes
    Integer
    Optional
    Default value
    2000
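    The CSRF header requirement and the fixed failure-response duration described above, as an added example that is not IAM's code: a request gate that rejects calls without a non-empty X-Same-Domain header and pads unsuccessful responses to at least the configured duration, while successful and already-slow responses are returned as they are. The request/response types, error codes and the deterministic clock are constructed for the example; treating the CSRF rejection as an "unsuccessful" (padded) response is an assumption.

```python
import time
from dataclasses import dataclass, field

# Constructed example; names and values are not IAM's code.
CSRF_HEADER = "X-Same-Domain"        # header named in the csrfProtection description
DEFAULT_FIXED_RESPONSE_MS = 2000     # default of fixedResponseDuration


@dataclass
class Request:
    headers: dict
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict


def csrf_check(request: Request, csrf_protection: bool = True):
    """Reject requests that lack a non-empty X-Same-Domain header (names compared case-insensitively).

    Returns None when the request may proceed, otherwise an error Response.
    """
    if not csrf_protection:
        return None
    headers = {k.lower(): v for k, v in request.headers.items()}
    if headers.get(CSRF_HEADER.lower(), "").strip() == "":
        return Response(403, {"error": "CSRF_HEADER_MISSING"})  # constructed error code
    return None


def serve(request, handler, fixed_ms=DEFAULT_FIXED_RESPONSE_MS, csrf_protection=True,
          clock=time.monotonic, sleep=time.sleep):
    """Run the CSRF check and the handler; pad unsuccessful responses to at least fixed_ms.

    Successful responses and failures that already took longer than fixed_ms are
    returned without delay. Assumption for this example: the CSRF rejection counts
    as an unsuccessful response and is padded like any other failure.
    """
    start = clock()
    response = csrf_check(request, csrf_protection) or handler(request)
    if response.status >= 400:
        elapsed_ms = (clock() - start) * 1000.0
        if elapsed_ms < fixed_ms:
            sleep((fixed_ms - elapsed_ms) / 1000.0)
    return response


class FakeClock:
    """Deterministic clock so the timing behaviour can be checked without real waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def simulate(succeeds, work_ms, with_header=True, csrf_protection=True,
             fixed_ms=DEFAULT_FIXED_RESPONSE_MS):
    """Return (status, observed duration in ms) for one simulated approval request."""
    clock = FakeClock()

    def approval_handler(request):
        clock.sleep(work_ms / 1000.0)  # simulated verification work
        if succeeds:
            return Response(200, {"result": "APPROVED"})
        return Response(401, {"error": "APPROVAL_CODE_INVALID"})  # constructed error code

    headers = {"x-same-domain": "1"} if with_header else {}
    request = Request(headers=headers, body={"approvalCode": "123456"})  # constructed input
    start = clock()
    response = serve(request, approval_handler, fixed_ms, csrf_protection,
                     clock=clock, sleep=clock.sleep)
    return response.status, round((clock() - start) * 1000.0)


if __name__ == "__main__":
    print(simulate(True, 50))                      # (200, 50): fast success, not delayed
    print(simulate(False, 50))                     # (401, 2000): fast failure padded to 2000 ms
    print(simulate(False, 2500))                   # (401, 2500): slow failure, no extra delay
    print(simulate(False, 50, with_header=False))  # (403, 2000): CSRF rejection
```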
    CORS Settings (corsSettings)
    Description
    The settings to allow cross-domain REST calls.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    State Repository (stateRepository)
    Description
    Defines where IAM stores all state. As long as only one instance of IAM is running (no horizontal scaling), the in-memory repository can be used.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Language Settings (languageSettings)
    Description
    Configures language settings.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Session Idle Timeout (sessionIdleTimeout)
    Description
    Session idle timeout for the Transaction Approval App. When IAM is deployed behind an Airlock Gateway (WAF), timeout and lifetime values should always be longer than those maintained by the Gateway.
    Attributes
    String
    Optional
    Default value
    30m
    Example
    30m
    Example
    2h 15m
    Session Lifetime (sessionLifetime)
    Description
    Session lifetime for the Transaction Approval App. Unlike an idle timeout, the lifetime cannot be extended by activity and is always terminated once the lifetime has been reached. When IAM is deployed behind an Airlock Gateway (WAF), timeout and lifetime values should always be longer than those maintained by the Gateway.
    Attributes
    String
    Optional
    Default value
    8h
    Example
    4h 30m
    Example
    8h
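    The idle timeout and lifetime semantics of the two properties above, as an added example that is not IAM's code: a parser for duration strings such as "30m" or "2h 15m", a session-state check in which activity extends the idle window but never the absolute lifetime, and a configuration check for the rule that IAM's values should exceed the Gateway's. The duration grammar (integer plus one of d/h/m/s, whitespace-separated) and all names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed example. Assumed grammar: "<int><unit>" components, unit in d/h/m/s,
# separated by optional whitespace, e.g. "30m", "8h", "2h 15m".
_COMPONENT = re.compile(r"(\d+)\s*([dhms])")
_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text: str) -> int:
    """Convert a duration string such as '2h 15m' into seconds; reject malformed input."""
    text = text.strip()
    total, pos = 0, 0
    for m in _COMPONENT.finditer(text):
        if m.start() != pos:  # unexpected characters between components
            raise ValueError(f"invalid duration: {text!r}")
        total += int(m.group(1)) * _SECONDS[m.group(2)]
        pos = m.end()
        while pos < len(text) and text[pos].isspace():
            pos += 1
    if pos != len(text) or total == 0:
        raise ValueError(f"invalid duration: {text!r}")
    return total


def is_valid_duration(text: str) -> bool:
    try:
        parse_duration(text)
        return True
    except ValueError:
        return False


@dataclass
class Session:
    created_at: float     # seconds since an arbitrary epoch
    last_activity: float  # seconds, updated on every request


def session_state(session: Session, now: float, idle_timeout: str, lifetime: str) -> str:
    """Return ACTIVE, EXPIRED_IDLE or EXPIRED_LIFETIME.

    The lifetime is absolute: recent activity keeps the idle window open but cannot
    extend the session past its lifetime.
    """
    if now - session.created_at >= parse_duration(lifetime):
        return "EXPIRED_LIFETIME"
    if now - session.last_activity >= parse_duration(idle_timeout):
        return "EXPIRED_IDLE"
    return "ACTIVE"


def gateway_ordering_warnings(iam_idle: str, iam_lifetime: str,
                              gw_idle: str, gw_lifetime: str) -> list:
    """Warn when an IAM value is not longer than the corresponding Gateway value."""
    warnings = []
    if parse_duration(iam_idle) <= parse_duration(gw_idle):
        warnings.append("sessionIdleTimeout should be longer than the Gateway idle timeout")
    if parse_duration(iam_lifetime) <= parse_duration(gw_lifetime):
        warnings.append("sessionLifetime should be longer than the Gateway session lifetime")
    return warnings
```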
    Context Extractor (contextExtractor)
    Description
    Specifies how a context is to be extracted from a request.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Custom Extensions (customExtensions)
    Description
    Custom extensions for the REST API.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Readiness Health Check Endpoint (readinessHealthCheckEndpoint)
    Description
    Readiness health check endpoint for the Transaction Approval module.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Log User Trail To Database (logUserTrailToDatabase)
    Description

    Configures the database settings to use when persisting user trail log entries.

    If this value is defined, then all user trail log messages generated by the Transaction Approval App module will additionally be forwarded to the database configured within the referenced repository plugin.

    All forwarded log entries are stored inside the table "USER_TRAIL_LOG". Note that setting this value does not disable writing log messages to the Transaction Approval App log file.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Correlation ID Settings (correlationIdSettings)
    Description

    Defines settings for correlation ID transfer and logging inside the Transaction Approval module.

    If undefined, no correlation ID will be logged for this module.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Device Usage Repository Config (deviceUsageRepositoryConfig)
    Description
    Configures the database settings to use when persisting device usage data. This repository is used by the Device Usage Processor. If not configured, the device usages are not stored and thus no conditions and events based on previous/first device usage can be used.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.transactionapproval.application.configuration.TransactionApprovalApp
    id: TransactionApprovalApp-xxxxxx
    displayName: 
    comment: 
    properties:
      contextExtractor:
      correlationIdSettings:
      corsSettings:
      csrfProtection: true
      customExtensions:
      deviceUsageRepositoryConfig:
      fixedResponseDuration: 2000
      flows:
      gatewaySettings:
      languageSettings:
      logUserTrailToDatabase:
      maxFailedTransactionApprovals: 5
      readinessHealthCheckEndpoint:
      requestAuthentication:
      sessionIdleTimeout: 30m
      sessionLifetime: 8h
      stateRepository:
      userStore:
    

    Transaction Approval Cronto Message Provider

    Description
    This message provider creates a customizable transaction approval message for Cronto using the parameters received in the Transaction Approval Parameter Step. The message template is identified by the message translation key and may contain variables that will be replaced with parameters from the Parameter Step.
    The resulting Cronto message looks as follows:
    'Here goes the message template with the replaced variables'
    'amount Label': 'amount' 'currency'.
    Properties
    Message Translation Key (messageTranslationKey)
    Description
    This key identifies the message template that is used to generate the message. It can contain variables, e.g. 'cronto.${type}.message'. Variables are replaced with the corresponding values sent in the Transaction Approval Parameter Step. This allows using different message templates for different transaction types. For more information about formatting, consult the description in the strings_*.properties located at instances/common/transaction-approval-texts.
    Attributes
    String
    Mandatory
    Example
    cronto.payment.message
    Push Title Resource Key (pushTitleResourceKey)
    Description
    Resource key to select the localized template to display the push title. The localized template can contain variables (e.g. ${town}).
    Attributes
    String
    Optional
    Default value
    cronto.push.transaction-signing.title
    Push Subject Resource Key (pushSubjectResourceKey)
    Description
    Resource key to select the localized template to display the push subject. The localized template can contain variables (e.g. ${town}).
    Attributes
    String
    Optional
    Default value
    cronto.push.transaction-signing.subject
    Cronto Handler (crontoHandler)
    Description
    The Cronto handler used to generate the message. This must be the same handler as configured in the Cronto Step in which this message provider is used.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Amount Label Key (amountLabelKey)
    Description
    This key identifies the translation of the amount label (see message provider description).
    Attributes
    String
    Optional
    Default value
    cronto.amountLabel
    Amount Parameter Name (amountParameterName)
    Description
    This parameter name identifies the variable from the Transaction Approval Parameter Step that represents the amount. If left empty, no amount is set in the transaction details.
    Attributes
    String
    Optional
    Currency Parameter Name (currencyParameterName)
    Description
    This parameter name identifies the variable from the Transaction Approval Parameter Step that represents the currency. If left empty, no currency is set in the transaction details.
    Attributes
    String
    Optional
    String Resources File (stringResourcesFile)
    Description
    Specifies the prefix of the file(s) containing the language dependent string resources. Example: If the value of this property is strings, the language dependent files must be strings_de.properties, strings_en.properties and so on and the default file must be strings.properties.

    The following keys are defined as templates for the cronto messages:
    • cronto.message: the message template.
    • cronto.amountLabel: the amount label of the transaction.
    Attributes
    String
    Optional
    Default value
    strings
    YAML Template (with default values)
    
    type: com.airlock.iam.transactionapproval.application.configuration.cronto.CrontoMessageProviderImplConfig
    id: CrontoMessageProviderImplConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      amountLabelKey: cronto.amountLabel
      amountParameterName:
      crontoHandler:
      currencyParameterName:
      messageTranslationKey:
      pushSubjectResourceKey: cronto.push.transaction-signing.subject
      pushTitleResourceKey: cronto.push.transaction-signing.title
      stringResourcesFile: strings
    

    Transaction Approval Flow

    Description
    Configuration for a transaction approval flow.
    May be used by
    Properties
    Flow ID (flowId)
    Description
    Unique ID for this flow, which is used for selecting or referencing a flow.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Processors (processors)
    Description
    Processors get notified about the various stages of the flow and offer hooks to plug in custom logic. These processors realize the entire authentication logic, such as incrementing failed login counters or checking user validity.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Username Transformers (usernameTransformers)
    Description
    Username transformers may transform the provided username into the single unique user ID required for the flow.
    The transformation of a username takes place in the first step before the user is loaded. Note that username transformers have no effect on the propagated username value. Transformers can be chained, i.e. a first transformer could normalize the original name, and the next transformer looks up the normalized name in a database for potential transformation matches.
    Contrary to the chaining described above, a transformer can also signal that it has already found the final user ID, in which case the chain must stop after it.
    For further details please refer to the documentation of the username transformer plugins.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
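    The transformer chain described above, as an added example that is not IAM's code: a normalizing transformer, an alias lookup that can signal that it found the final user ID (so later transformers are skipped), and a domain-stripping transformer that only runs when no earlier transformer stopped the chain. The transformer names, the alias table and the result type are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed example; transformer names and the alias table are illustrative.


@dataclass
class Transformation:
    username: str
    final: bool = False  # True: this is the unique user ID, the chain must stop here


def normalize(name: str) -> Transformation:
    """First transformer: trim and lower-case the submitted name."""
    return Transformation(name.strip().lower())


def make_alias_lookup(aliases: Dict[str, str], final: bool = True) -> Callable[[str], Transformation]:
    """Second transformer: map a normalized alias to a user ID.

    With final=True the lookup signals that the chain must stop; with final=False
    later transformers would still run on the resolved ID.
    """
    def lookup(name: str) -> Transformation:
        if name in aliases:
            return Transformation(aliases[name], final=final)
        return Transformation(name)
    return lookup


def strip_domain(name: str) -> Transformation:
    """Later transformer: 'alice@example.com' -> 'alice'."""
    return Transformation(name.split("@", 1)[0])


def resolve_user_id(submitted: str, transformers: List[Callable[[str], Transformation]]) -> str:
    """Run the chain before the user is loaded and return the user ID to load.

    The value propagated to applications is the submitted username, not this result.
    """
    current = submitted
    for transformer in transformers:
        result = transformer(current)
        current = result.username
        if result.final:
            break
    return current


if __name__ == "__main__":
    chain = [normalize, make_alias_lookup({"j.doe": "john.doe@corp.example"}), strip_domain]
    print(resolve_user_id("  J.Doe ", chain))          # john.doe@corp.example (chain stopped)
    print(resolve_user_id("Alice@Example.com", chain))  # alice
```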
    YAML Template (with default values)
    
    type: com.airlock.iam.transactionapproval.application.configuration.flow.TransactionApprovalFlowConfig
    id: TransactionApprovalFlowConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      flowId:
      processors:
      steps:
      usernameTransformers:
    

    Transaction Approval Parameter Step

    Description
    Configuration for a transaction approval parameter passing flow step.
    Properties
    Message Parameters (messageParameters)
    Description
    List of request attributes that specify parameters of the transaction approval message. After validation the present attributes are made available to the flow.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.transactionapproval.application.configuration.parameter.TransactionApprovalParameterStepConfig
    id: TransactionApprovalParameterStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      messageParameters:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Transaction Approval Parameters Map

    Description
    Provides all the key-value pairs that were previously submitted in the Transaction Approval Parameter Step.
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.transactionapproval.application.configuration.parameter.TransactionApprovalParametersValueMapProviderConfig
    id: TransactionApprovalParametersValueMapProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Transform Roles

    Description
    Transform matching roles from the list of propagated roles.
    Properties
    Transform roles matching (pattern)
    Description
    The regular expression. Any role in the list of propagated roles matching the regular expression will be transformed.
    Attributes
    RegEx
    Mandatory
    Replace with (replacement)
    Description
    The replacement expression. The matching role will be replaced by this replacement expression.
    Attributes
    String
    Mandatory
    Example
    $1
    Example
    transformedRole
    Example
    role-$2
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.role.TransformRoleTransformationConfig
    id: TransformRoleTransformationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      pattern:
      replacement:
    

    Transforming Role Provider

    Description
    Applies transformations (e.g. blacklist, whitelist, Regex) to roles provided by the configured role providers.
    Properties
    Role Transformations (roleTransformations)
    Description
    Transformations to apply to roles. Note that these transformations are applied in the order in which they are defined in the list.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.targetapp.TransformingRoleProviderConfig
    id: TransformingRoleProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      roleProviders:
      roleTransformations:
    
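    The Transform Roles plugin (regular expression with a $1-style replacement) and the ordered transformation list of the Transforming Role Provider, as an added example that is not IAM's code: a regex transformation that converts the replacement syntax to Python's, blacklist and whitelist transformations of the kind the provider description mentions, and a provider that applies the list in order. The class names, the sample role providers and the requirement that a role must match the whole expression are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Constructed example; class names are illustrative, not IAM plugin names.


def _java_template_to_python(replacement: str) -> str:
    """Turn a replacement such as 'role-$2' into a Python re template ('role-\\g<2>')."""
    escaped = replacement.replace("\\", "\\\\")
    return re.sub(r"\$(\d+)", r"\\g<\1>", escaped)


@dataclass
class TransformRoles:
    """Transform Roles: roles matching `pattern` are replaced by `replacement`.

    Assumption: the whole role must match the regular expression.
    """
    pattern: str
    replacement: str

    def apply(self, roles: Iterable[str]) -> List[str]:
        regex = re.compile(self.pattern)
        template = _java_template_to_python(self.replacement)
        out = []
        for role in roles:
            match = regex.fullmatch(role)
            out.append(match.expand(template) if match else role)
        return out


@dataclass
class RemoveRoles:
    """Blacklist-style transformation: drop roles matching the pattern."""
    pattern: str

    def apply(self, roles: Iterable[str]) -> List[str]:
        regex = re.compile(self.pattern)
        return [r for r in roles if not regex.fullmatch(r)]


@dataclass
class KeepRoles:
    """Whitelist-style transformation: keep only roles matching the pattern."""
    pattern: str

    def apply(self, roles: Iterable[str]) -> List[str]:
        regex = re.compile(self.pattern)
        return [r for r in roles if regex.fullmatch(r)]


def transforming_role_provider(role_providers: List[Callable[[], List[str]]],
                               transformations: list) -> List[str]:
    """Collect roles from all providers, then apply the transformations in list order."""
    roles = [role for provider in role_providers for role in provider()]
    for transformation in transformations:
        roles = transformation.apply(roles)
    return roles


if __name__ == "__main__":
    # Constructed role providers standing in for the configured roleProviders.
    ldap_roles = lambda: ["ldap-admin", "ldap-user", "guest"]
    app_roles = lambda: ["app:finance"]
    chain = [
        KeepRoles(r"ldap-.*|app:.*"),          # whitelist first
        TransformRoles(r"ldap-(.*)", "$1"),     # ldap-admin -> admin
        TransformRoles(r"app:(\w+)", "role-$1"),  # app:finance -> role-finance
    ]
    print(transforming_role_provider([ldap_roles, app_roles], chain))  # ['admin', 'user', 'role-finance']
    # Reversing the list drops everything: the whitelist no longer matches the renamed roles.
    print(transforming_role_provider([ldap_roles, app_roles], list(reversed(chain))))  # []
```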

    Transforming String Value Provider

    Description
    Applies transformations (e.g. uppercase, lowercase, regex) to the output of the configured string value provider.
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.valueprovider.TransformingStringValueProviderConfig
    id: TransformingStringValueProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      transformations:
      valueProvider:
    

    Transforming Value Map Provider

    Description
    Applies string transformations (e.g. uppercase, lowercase, regex, encoder) to all the values provided by the configured list of value map providers and provides the transformed values.
    May be used by
Transaction Approval Parameter Step Transaction Approval Parameter Step User Identification Step User Identification Step User Identification By Data Step User Identification By Data Step Representation SSO Ticket Identifying Step Representation SSO Ticket Identifying Step Unlock User Step (Public Self-Service) Unlock User Step (Public Self-Service) Airlock 2FA Usernameless Authentication Step Airlock 2FA Usernameless Authentication Step Matrix Authentication Step Matrix Authentication Step mTAN Token Edit Step mTAN Token Edit Step Enable Cronto Device Initiation Step Enable Cronto Device Initiation Step Airlock 2FA Activation Letter Order Step Airlock 2FA Activation Letter Order Step OAuth 2.0 Consent Deny Initiation Step OAuth 2.0 Consent Deny Initiation Step Tag Removal Step Config Tag Removal Step Config FIDO Authentication Step FIDO Authentication Step Cronto Device Reset Step Config Cronto Device Reset Step Config Abort Step Abort Step mTAN Token Registration Step mTAN Token Registration Step Airlock 2FA Device Delete Initiation Step Airlock 2FA Device Delete Initiation Step Username Password Authentication Step Username Password Authentication Step Certificate Credential Extraction Step Config Certificate Credential Extraction Step Config Set Password Step Config Set Password Step Config Password Change Self-Service Step Password Change Self-Service Step SSI Verification Step SSI Verification Step Device Token Identity Verification Step Config Device Token Identity Verification Step Config Cronto Self-Service Approval Step Cronto Self-Service Approval Step Lock Self-Service Step Lock Self-Service Step Password Letter Order Step (Public Self-Service) Password Letter Order Step (Public Self-Service) Airlock 2FA Delete Devices Step Airlock 2FA Delete Devices Step Vasco OTP Self-Service Approval Step Vasco OTP Self-Service Approval Step Selection Step for User Self-Registration Selection Step for User Self-Registration Vasco OTP Device Activation Vasco OTP 
Device Activation User Role Assignment Step Config User Role Assignment Step Config mTAN Self-Service Approval Step mTAN Self-Service Approval Step Rename Cronto Device Step Rename Cronto Device Step OATH OTP Authentication Step OATH OTP Authentication Step User Identification Step (Public Self-Service) User Identification Step (Public Self-Service) Delete mTAN Number Initiation Step Delete mTAN Number Initiation Step SSI Authentication Step SSI Authentication Step Template-based Username Transformer mTAN Verification Step mTAN Verification Step Conditional Value Map Provider FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Legacy Email OTP Authentication Step Legacy Email OTP Authentication Step Never Migrate Step Never Migrate Step Selection Step for Self-Service Selection Step for Self-Service Cronto Letter Order Step Config Cronto Letter Order Step Config No Operation Step No Operation Step Terms Of Services Step Terms Of Services Step Role-based Tag Acquisition Step Role-based Tag Acquisition Step FIDO Passwordless Authentication Step FIDO Passwordless Authentication Step Disable Cronto Push Initiation Step Disable Cronto Push Initiation Step Email Event Subscriber (Loginapp) Stop User Representation Step Stop User Representation Step Acknowledge Message Step Acknowledge Message Step HTTP Basic Authentication Step HTTP Basic Authentication Step Airlock 2FA Mobile Only Authentication Step Airlock 2FA Mobile Only Authentication Step Voluntary Password Change Step Voluntary Password Change Step SAML 2.0 SP User Identifying Step SAML 2.0 SP User Identifying Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Consents Delete Initiation Step Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Step (with additional Activation) Username Generation Step Config Username Generation Step Config Remember-Me Reset Step Remember-Me Reset Step Delete OAuth 2.0 Session Initiation Step Delete OAuth 2.0 Session 
Initiation Step Ticket String Provider Config OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset Step Selection Step Selection Step
    Properties
    Transformations (transformations)
    Description
    List of transformations to apply in order on all the provided values.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Key Suffix (keySuffix)
    Description
    Suffix to be appended to the keys of transformed values. If no value is configured, no suffix is used and the transformed values are made available under the same keys.
    Attributes
    String
    Optional
    Example
    _transformed
    Example
    New
    Transform Non-String Values (transformNonStringValues)
    Description

    Automatically convert non-string value providers (such as dates) to strings before applying the transformations.

    If this option is disabled, non-string values are provided unchanged.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.valueprovider.TransformingValueMapProviderConfig
    id: TransformingValueMapProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      keySuffix:
      transformNonStringValues: false
      transformations:
      valueProviders:
    

    Translated String Provider

    Description
    Provides a string which is translated to the current display language.
    Properties
    Resource Key (resourceKey)
    Description

    Resource key for which the localized strings are defined. The key may contain variables, which are replaced with the provided values before the translation is loaded, e.g. to specify gender-dependent texts, such as salutations.

    The translated string can also contain variables (e.g. ${givenname}) and supports the same formatting options (including date/time formatting) as are available for Transaction Approval messages.

    Attributes
    String
    Mandatory
    Example
    general.yes
    Example
    salutation.${gender}
    Value Providers (valueProviders)
    Description
    List of value map providers that are used to replace the variables in the localized template. The value providers are called in the configured order and their values are added to a map, so later providers can overwrite values from earlier providers. If no value providers are configured, the localized template should not contain any variables, since all of them would be replaced by empty strings.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.valueprovider.TranslationValueProviderConfig
    id: TranslationValueProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      languageProvider:
      resourceKey:
      valueProviders:
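
The following is an added example, not code from Airlock IAM, that models how a Translated String Provider resolves a resource key such as salutation.${gender} and how the Transforming Value Map Provider described above (Transformations, Key Suffix, Transform Non-String Values) publishes its results. The resource bundle, the user attributes and the tag-like value providers are constructed sample data; modelling value providers as plain callables and transformations as string functions is an assumption made for the example, not the product's plugin API.

```python
import re
from datetime import date

# Constructed resource bundle for one display language (not Airlock IAM's real resources).
BUNDLE_DE = {
    "general.yes": "Ja",
    "salutation.male": "Sehr geehrter Herr ${familyname}",
    "salutation.female": "Sehr geehrte Frau ${familyname}",
}

# Constructed sample values as a value map provider would deliver them (assumption: a
# provider is a callable returning a dict; the real plugins are configured, not coded).
SAMPLE_VALUES = {"givenname": "anna", "birthdate": date(1990, 5, 1)}

VAR = re.compile(r"\$\{([^}]+)\}")


def merge_value_providers(providers):
    """Call the configured value providers in order; later providers overwrite earlier values."""
    values = {}
    for provider in providers:
        values.update(provider())
    return values


def substitute(template, values):
    """Replace every ${name} by its value; names without a value become the empty string."""
    return VAR.sub(lambda m: str(values.get(m.group(1), "")), template)


def translate(resource_key, providers, bundle):
    """Resolve variables in the resource key first, then load and fill the localized template."""
    values = merge_value_providers(providers)
    key = substitute(resource_key, values)
    template = bundle.get(key)
    if template is None:
        # A variable in the key that no provider supplied yields e.g. "salutation." (no such key).
        raise KeyError(f"no translation for resource key {key!r}")
    return substitute(template, values)


def transform_values(values, transformations, key_suffix="", transform_non_string_values=False):
    """Apply the transformations in order and publish the results under key + key_suffix.

    An empty key_suffix re-publishes under the same keys (the original values are replaced).
    Non-string values are converted with str() only if transform_non_string_values is set;
    otherwise they are passed through unchanged, as the property description states.
    """
    out = {}
    for key, value in values.items():
        if not isinstance(value, str):
            if not transform_non_string_values:
                out[key + key_suffix] = value
                continue
            value = str(value)
        for transformation in transformations:
            value = transformation(value)
        out[key + key_suffix] = value
    return out


if __name__ == "__main__":
    user = lambda: {"gender": "female", "givenname": "Anna", "familyname": "Muster"}
    print(translate("salutation.${gender}", [user], BUNDLE_DE))
    print(transform_values(SAMPLE_VALUES, [str.upper], "_transformed", True))
```

The point worth checking in your own configuration is the ordering: whichever provider is listed last wins for duplicate keys, and a variable nobody supplies silently becomes an empty string rather than an error.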
    

    True Senses SMS Gateway

    Description
    SMS gateway implementation for "http://www.truesenses.com/".
    This plugin uses the HTTP(S) interface of TrueSenses to send SMS messages.

    Properties
    Account Username (accountUsername)
    Description
    Username for a registered TrueSenses account.
    Attributes
    String
    Mandatory
    Example
    MyTruesensesLogin
    Account Password (accountPassword)
    Description
    Password for the registered TrueSenses account.
    Attributes
    String
    Mandatory
    Sensitive
    Service URI (serviceUri)
    Description
    The URI of the TrueSenses service.
    See note in plug-in description when using SSL (HTTPS instead of HTTP).
    Attributes
    String
    Mandatory
    Suggested values
    http://truesenses.com:80/cgi-bin/smsgateway.cgi
    Proxy Host (proxyHost)
    Description
    The hostname of the HTTP proxy server (if any).
    Attributes
    String
    Optional
    Example
    proxy.company.com
    Proxy Port (proxyPort)
    Description
    The port of the HTTP proxy server (if any).
    Attributes
    Integer
    Optional
    Proxy Login User (proxyLoginUser)
    Description
    Username for the HTTP proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Proxy Login Password (proxyLoginPassword)
    Description
    Password for the HTTP proxy if proxy authentication is used.
    Attributes
    String
    Optional
    Sensitive
    Allow Only Trusted Certs (allowOnlyTrustedCerts)
    Description

    Only allow connections to servers whose certificate is trusted. See documentation of property "Trust Store Path" for more information about what certificates are trusted.

    Security warning: Trusting all certificates allows connections to adversarial hosts. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Verify Server Hostname (verifyServerHostname)
    Description

    Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

    Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    Default value
    true
    Trust Store Path (trustStorePath)
    Description

    Keystore file name containing trusted certificate issuers (and trusted certificates).

    If this property is not defined the following certificate issuers are trusted:

    • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
    • The list of issuers in a keystore referenced by system property "javax.net.ssl.trustStore" if defined in instance.properties using iam.java.opts

    If this property is defined then the following certificate issuers are trusted:

    • The list of issuers in the referenced truststore file and no others.

    This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

    Attributes
    File/Path
    Optional
    Trust Store Type (trustStoreType)
    Description
    Identifies the type of the keystore.
    Attributes
    String
    Optional
    Default value
    JKS
    Allowed values
    JKS, PKCS12
    Trust Store Password (trustStorePassword)
    Description
    The password used to verify the authenticity of the trust store.

    Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

    • JKS: the keystore can be opened and used but the integrity of the keystore is not checked.
    • PKCS12: an error occurs.

    Attributes
    String
    Optional
    Sensitive
    Connection/Read Timeout [s] (connectTimeout)
    Description
    The timeout in seconds used for connection timeout and read timeout.
    Therefore, a connection may take a maximum of twice this time until it is aborted.
    Attributes
    Integer
    Optional
    Default value
    10
    Correlation ID Header Name (correlationIdHeaderName)
    Description

    When configured, all requests sent contain a header with the configured name carrying the correlation ID. If no value or an empty value is specified, no correlation ID header is sent.

    If no correlation ID is defined for the current request, the header is likewise omitted.

    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9_-]+
    Suggested values
    X-Correlation-ID
    Visible Phone Number Digits In Log (visiblePhoneNumberDigitsInLog)
    Description

    Defines the number of phone number digits visible in log statements.

    Thus, if the value is zero, all digits are masked; if it is large enough, all digits are visible. If set to 3, for example, the logged number looks like ********965.

    The default is 100, i.e. showing all digits.

    Attributes
    Integer
    Optional
    Default value
    100
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sms.TrueSensesSmsGateway
    id: TrueSensesSmsGateway-xxxxxx
    displayName: 
    comment: 
    properties:
      accountPassword:
      accountUsername:
      allowOnlyTrustedCerts: true
      connectTimeout: 10
      correlationIdHeaderName:
      proxyHost:
      proxyLoginPassword:
      proxyLoginUser:
      proxyPort:
      serviceUri:
      trustStorePassword:
      trustStorePath:
      trustStoreType: JKS
      verifyServerHostname: true
      visiblePhoneNumberDigitsInLog: 100
    

    Typical Geolocation Risk Extractor

    Description
    Emits tags based on whether the current geolocation of the end-user is typical or not by comparing it to stored geolocation information from preceding logins.

    • This risk extractor depends on the user identity. Make sure to place the corresponding Risk Assessment Step after the user-identifying step (e.g. the Password Authentication Step) in the authentication flow.
    • This plugin requires that a Login History Repository is configured in the Authentication Flows configuration.
    • This plugin requires a geolocation provider to be configured in Loginapp's REST settings.

    May be used by
    Properties
    Geolocation Attribute To Match (geolocationAttributeToMatch)
    Description

    The geolocation attribute to compare with those from previous logins.

    • Continent: Uses the continent for comparison
    • Country: Uses the country for comparison
    Attributes
    Enum
    Optional
    Default value
    COUNTRY
    Minimal Required History Entries (minimalRequiredHistoryEntries)
    Description

    The minimal number of previously recorded logins required. If the user's entire login history contains fewer entries, this extractor always returns the tags configured under "Tags When Below Percentage Of Matches".

    The optimum value depends on the exact use-case:

    • A low value like 1 or 2 may be preferred in low-risk environments or in new setups with fresh users, where the first login is often the most trusted one because it might have involved an IAK or the like.
    • A medium value like 5 may be preferred when a longer, consistent history is required; the user must then perform strong logins for an extended period of time before they may be granted a relaxation of authentication.
    Attributes
    Integer
    Optional
    Default value
    3
    Maximal Considered History Entries (maximalConsideredHistoryEntries)
    Description
    The maximal number of previously recorded logins to compare with the current data. If the user's login history contains more entries, only this number of entries (the most recent ones) will be considered.

    The optimum value depends on the exact use-case and on the setting of the "Percentage Of Matches":

    • A low value like 1 or 2 may be preferred in low-risk environments where changes in the user's context are frequent.
    • A medium value like 5 may be preferred when a longer, consistent history is the typical use case for users.

    Attributes
    Integer
    Optional
    Default value
    6
    Percentage Of Matches (percentageOfMatches)
    Description
    The minimum percentage of the considered login history entries that have to match.

    The optimum value depends on the exact use-case and on the setting of the "Maximal Considered History Entries":

    • A low value like 25 or 30 may be preferred in low-risk environments where users often work in different locations and access the system with more than two devices. In such a scenario the "Maximal Considered History Entries" may be increased to a high value.
    • A medium value like 40 or 45 may be preferred where users often work in two locations and access the system with two different devices (e.g. office location, home office). In such a scenario the "Maximal Considered History Entries" may be increased to a medium to high value.
    • A high value like 80 or 90 may be preferred where users always use the same device and rarely change their context. In such a scenario the "Maximal Considered History Entries" may be set to a low to medium value so that an exception in the history will be recovered quickly.

    Attributes
    Integer
    Optional
    Default value
    80
    Tags When Above Or Equal Percentage Of Matches (tagsWhenAboveOrEqualPercentageOfMatches)
    Description
    The tags to grant if the current information matches at least the specified "Percentage Of Matches".
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Tags When Below Percentage Of Matches (tagsWhenBelowPercentageOfMatches)
    Description
    The tags to grant if the current information does not match the specified "Percentage Of Matches" or there were too few history entries or the current information could not be determined.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.risk.extractor.geolocation.TypicalGeolocationRiskExtractorFlowConfig
    id: TypicalGeolocationRiskExtractorFlowConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      geolocationAttributeToMatch: COUNTRY
      maximalConsideredHistoryEntries: 6
      minimalRequiredHistoryEntries: 3
      percentageOfMatches: 80
      tagsWhenAboveOrEqualPercentageOfMatches:
      tagsWhenBelowPercentageOfMatches:
    

    Typical User Agent Risk Extractor

    Description
    Risk Extractor that determines the typical browser (User-Agent) by comparing the current and previous User-Agents of the user. This risk extractor depends on the user identity. Make sure to place the corresponding Risk Assessment Step after the user-identifying step (e.g. the Password Authentication Step) in the authentication flow.

    This plugin requires that a Login History Repository is configured in the Authentication Flows configuration.

    May be used by
    Properties
    Minimal Required History Entries (minimalRequiredHistoryEntries)
    Description

    The minimal number of previously recorded logins required. If the user's entire login history contains fewer entries, this extractor always returns the tags configured under "Tags When Below Percentage Of Matches".

    The optimum value depends on the exact use-case:

    • A low value like 1 or 2 may be preferred in low-risk environments or in new setups with fresh users, where the first login is often the most trusted one because it might have involved an IAK or the like.
    • A medium value like 5 may be preferred when a longer, consistent history is required; the user must then perform strong logins for an extended period of time before they may be granted a relaxation of authentication.
    Attributes
    Integer
    Optional
    Default value
    3
    Maximal Considered History Entries (maximalConsideredHistoryEntries)
    Description
    The maximal number of previously recorded logins to compare with the current data. If the user's login history contains more entries, only this number of entries (the most recent ones) will be considered.

    The optimum value depends on the exact use-case and on the setting of the "Percentage Of Matches":

    • A low value like 1 or 2 may be preferred in low-risk environments where changes in the user's context are frequent.
    • A medium value like 5 may be preferred when a longer, consistent history is the typical use case for users.

    Attributes
    Integer
    Optional
    Default value
    6
    Percentage Of Matches (percentageOfMatches)
    Description
    The minimum percentage of the considered login history entries that have to match.

    The optimum value depends on the exact use-case and on the setting of the "Maximal Considered History Entries":

    • A low value like 25 or 30 may be preferred in low-risk environments where users often work in different locations and access the system with more than two devices. In such a scenario the "Maximal Considered History Entries" may be increased to a high value.
    • A medium value like 40 or 45 may be preferred where users often work in two locations and access the system with two different devices (e.g. office location, home office). In such a scenario the "Maximal Considered History Entries" may be increased to a medium to high value.
    • A high value like 80 or 90 may be preferred where users always use the same device and rarely change their context. In such a scenario the "Maximal Considered History Entries" may be set to a low to medium value so that an exception in the history will be recovered quickly.

    Attributes
    Integer
    Optional
    Default value
    80
    Tags When Above Or Equal Percentage Of Matches (tagsWhenAboveOrEqualPercentageOfMatches)
    Description
    The tags to grant if the current information matches at least the specified "Percentage Of Matches".
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Tags When Below Percentage Of Matches (tagsWhenBelowPercentageOfMatches)
    Description
    The tags to grant if the current information does not match the specified "Percentage Of Matches" or there were too few history entries or the current information could not be determined.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.risk.extractor.browser.TypicalUserAgentRiskExtractorFlowConfig
    id: TypicalUserAgentRiskExtractorFlowConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      maximalConsideredHistoryEntries: 6
      minimalRequiredHistoryEntries: 3
      percentageOfMatches: 80
      tagsWhenAboveOrEqualPercentageOfMatches:
      tagsWhenBelowPercentageOfMatches:
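
The Typical Geolocation Risk Extractor and the Typical User Agent Risk Extractor above share one decision rule: require a minimal history, look only at the most recent entries, and grant one of two tag sets depending on the share of matching entries. The following added example (not Airlock IAM's code) implements that rule over a constructed login history so the effect of the three numeric properties can be tried out. It assumes the compared attribute is a plain string (a country code, or a User-Agent string), that a match is string equality, and that the Login History Repository delivers the history most recent entry first; the tag names are placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional, Sequence


@dataclass(frozen=True)
class TypicalValueConfig:
    """Mirrors the extractor properties; defaults are the page's default values."""
    minimal_required_history_entries: int = 3
    maximal_considered_history_entries: int = 6
    percentage_of_matches: int = 80
    tags_when_above_or_equal: frozenset = field(default_factory=frozenset)
    tags_when_below: frozenset = field(default_factory=frozenset)


# Constructed login history of one user, most recent login first (country attribute).
SAMPLE_COUNTRY_HISTORY = ["CH", "CH", "CH", "DE", "CH", "CH", "US", "US"]


def matching_percentage(current: str, history_newest_first: Sequence[str], max_considered: int) -> float:
    """Share of the max_considered most recent entries equal to the current value, in percent."""
    considered = list(history_newest_first)[:max_considered]
    if not considered:
        return 0.0
    matches = sum(1 for entry in considered if entry == current)
    return 100.0 * matches / len(considered)


def extract_tags(current: Optional[str], history_newest_first: Sequence[str], cfg: TypicalValueConfig) -> frozenset:
    """Return the tag set the extractor would grant for the current login.

    The "below" tags are granted when the attribute could not be determined (current is None),
    when the entire history is shorter than the minimal requirement, or when the match
    percentage over the considered entries is under the configured threshold.
    """
    if current is None:
        return cfg.tags_when_below
    history = list(history_newest_first)
    if len(history) < cfg.minimal_required_history_entries:
        return cfg.tags_when_below
    pct = matching_percentage(current, history, cfg.maximal_considered_history_entries)
    if pct >= cfg.percentage_of_matches:
        return cfg.tags_when_above_or_equal
    return cfg.tags_when_below


if __name__ == "__main__":
    cfg = TypicalValueConfig(
        tags_when_above_or_equal=frozenset({"TYPICAL_LOCATION"}),   # placeholder tag name
        tags_when_below=frozenset({"ATYPICAL_LOCATION"}),           # placeholder tag name
    )
    for country in ("CH", "DE", "US", None):
        print(country, sorted(extract_tags(country, SAMPLE_COUNTRY_HISTORY, cfg)))
```

With the defaults, a login from CH against the sample history matches 5 of the 6 considered entries (83%) and gets the "above" tags, while a login from US gets the "below" tags even though US appears twice in the history, because those entries lie beyond the six most recent ones. Lowering "Maximal Considered History Entries" makes the extractor forget an outlier faster; raising "Percentage Of Matches" makes a single recent deviation enough to withhold the relaxation tags.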
    

    UCP SMS Gateway

    Description
    SMS gateway implementation that supports sending short messages over an SMSC's UCP interface.

    Documentation can e.g. be found at "http://www.swisscom.ch/solutions/Loesungen-Produkte/Mobile-Mehrwertdienste/". This gateway uses a binary interface and is intended for sites with heavy traffic. Unlike other gateways that call a URL to 'fire and forget' the message, UCP opens a socket which is kept alive both for alerts/notifications and to send/receive messages.

    Important: This is not a 'fire and forget' implementation, but keeps a TCP connection open at all times. Since these connections are limited by the provider, it is important not to instantiate one such plugin per 'mandant' (tenant), but once for several 'mandants'. The recommended approach for a multi-mandant environment is therefore to run one separate Airlock IAM instance with the Web Service plugin, and to let all 'mandants' use the WebServiceSmsGateway as their SMS gateway, connecting to this one Airlock IAM instance.

    Summarized important constraints

    Due to the multi-threaded implementation of the plugin, there are several constraints that must be met in order for the plugin to run correctly:

    • The Web Server must be a Tomcat.
    • The total number of sessions allowed by Swisscom (typically 5) must not be exceeded. Every UcpSmsGateway plugin instance makes use of a configurable amount of sessions (1 per default).
    • To be sure that all threads are killed, restart the server instance where this Web Service WAR file is deployed after updating the Airlock IAM instance.

    Properties
    Number Of Sessions (numberOfSessions)
    Description
    Number of concurrent sessions to open with UCP SMS Gateway.
    Attributes
    Integer
    Optional
    Default value
    1
    Server Ip (serverIp)
    Description
    IP address of the UCP SMS Gateway in dot-decimal notation.
    Attributes
    String
    Mandatory
    Example
    194.298.234.64
    Server Port (serverPort)
    Description
    TCP port number of the UCP SMS Gateway.
    Attributes
    Integer
    Mandatory
    Account Username (accountUsername)
    Description
    Username for a registered UCP account.
    Attributes
    String
    Mandatory
    Example
    MyUcpLoginname
    Account Password (accountPassword)
    Description
    Password for a registered UCP account.
    Attributes
    String
    Mandatory
    Sensitive
    Example
    MyUcpPassword
    Account Short Id (accountShortId)
    Description
    Short ID of the UCP account.
    Attributes
    String
    Mandatory
    Example
    123456
    Connection Sleep Before Retry (connectionSleepBeforeRetry)
    Description
    The number of milliseconds to wait between reconnection attempts.
    Attributes
    Integer
    Optional
    Default value
    5000
    Connection Timeout (connectionTimeout)
    Description
    The TCP connection timeout in milliseconds.
    Attributes
    Integer
    Optional
    Default value
    15000
    Connection Keep Alive Interval (connectionKeepAliveInterval)
    Description
    The number of seconds between keep alive messages sent to the SMSC (server) to keep the connection alive.
    Attributes
    Integer
    Optional
    Default value
    300
    Message Confirmation Timeout (messageConfirmationTimeout)
    Description
    The number of seconds to wait for a confirmation from the SMSC (server) for a SMS message sent. No other messages can be sent until a confirmation arrives or this timeout occurs.
    Attributes
    Integer
    Optional
    Default value
    60
    Long Sms Option Enabled (longSmsOptionEnabled)
    Description
    Specifies if the Long SMS option is enabled which allows to send short messages with more than 160 characters. This value may be different depending on the SLA with the provider.
    Attributes
    Boolean
    Optional
    Default value
    false
    Use International Originator Format (useInternationalOriginatorFormat)
    Description
    Specifies that the originator's type of address is international in the SS7 layer. This may be required when transmitting SMS messages to foreign/international operators that would otherwise reject the originator address. When enabled, make sure to specify the originator address with the international prefix but without leading 00 or +, e.g. "41791112233". This implies a numeric address; the feature has no effect when an alphanumeric originator address is used.
    Attributes
    Boolean
    Optional
    Default value
    false
    Validity Period [minutes] (validityPeriod)
    Description
    Defines the validity period of a short message in minutes. If a short message cannot be sent within that period, it will be discarded. If this property is not set, the SMSC default of 72 hours applies.
    Attributes
    Integer
    Optional
    Ucp Timezone Identifier (ucpTimezoneIdentifier)
    Description
    Time zone identifier of the UCP gateway. In order to correctly translate timestamps between Airlock IAM and the UCP gateway, the correct time zone of the UCP gateway must be configured here.

    Specifying a time zone identifier (such as 'Europe/Zurich') instead of an absolute time zone (such as 'GMT+01') has the advantage of automatic adjustment for DST (daylight saving time) where applicable.

    Attributes
    String
    Optional
    Default value
    Europe/Zurich
    Suggested values
    Europe/Athens, Europe/Bucharest, Europe/Chisinau, Europe/Helsinki, Europe/Istanbul, Europe/Kiev, Europe/Mariehamn, Europe/Nicosia, Europe/Riga, Europe/Simferopol, Europe/Sofia, Europe/Tallinn, Europe/Tiraspol, Europe/Uzhgorod, Europe/Vilnius, Europe/Zaporozhye, Etc/GMT+12, Etc/GMT+11, Pacific/Midway, Pacific/Niue, Pacific/Pago_Pago, Pacific/Samoa, US/Samoa, America/Adak, America/Atka, Etc/GMT+10, HST, Pacific/Honolulu, Pacific/Johnston, Pacific/Rarotonga, Pacific/Tahiti, SystemV/HST10, US/Aleutian, US/Hawaii, Pacific/Marquesas, AST, America/Anchorage, America/Juneau, America/Nome, America/Sitka, America/Yakutat, Etc/GMT+9, Pacific/Gambier, SystemV/YST9, SystemV/YST9YDT, US/Alaska, America/Dawson, America/Ensenada, America/Los_Angeles, America/Metlakatla, America/Santa_Isabel, America/Tijuana, America/Vancouver, America/Whitehorse, Canada/Pacific, Canada/Yukon, Etc/GMT+8, Mexico/BajaNorte, PST, PST8PDT, Pacific/Pitcairn, SystemV/PST8, SystemV/PST8PDT, US/Pacific, US/Pacific-New, America/Boise, America/Cambridge_Bay, America/Chihuahua, America/Creston, America/Dawson_Creek, America/Denver, America/Edmonton, America/Hermosillo, America/Inuvik, America/Mazatlan, America/Ojinaga, America/Phoenix, America/Shiprock, America/Yellowknife, Canada/Mountain, Etc/GMT+7, MST, MST7MDT, Mexico/BajaSur, Navajo, PNT, SystemV/MST7, SystemV/MST7MDT, US/Arizona, US/Mountain, America/Bahia_Banderas, America/Belize, America/Cancun, America/Chicago, America/Costa_Rica, America/El_Salvador, America/Guatemala, America/Indiana/Knox, America/Indiana/Tell_City, America/Knox_IN, America/Managua, America/Matamoros, America/Menominee, America/Merida, America/Mexico_City, America/Monterrey, America/North_Dakota/Beulah, America/North_Dakota/Center, America/North_Dakota/New_Salem, America/Rainy_River, America/Rankin_Inlet, America/Regina, America/Resolute, America/Swift_Current, America/Tegucigalpa, America/Winnipeg, CST, CST6CDT, Canada/Central, Canada/East-Saskatchewan, Canada/Saskatchewan, 
Chile/EasterIsland, Etc/GMT+6, Mexico/General, Pacific/Easter, Pacific/Galapagos, SystemV/CST6, SystemV/CST6CDT, US/Central, US/Indiana-Starke, America/Atikokan, America/Bogota, America/Cayman, America/Coral_Harbour, America/Detroit, America/Fort_Wayne, America/Grand_Turk, America/Guayaquil, America/Havana, America/Indiana/Indianapolis, America/Indiana/Marengo, America/Indiana/Petersburg, America/Indiana/Vevay, America/Indiana/Vincennes, America/Indiana/Winamac, America/Indianapolis, America/Iqaluit, America/Jamaica, America/Kentucky/Louisville, America/Kentucky/Monticello, America/Lima, America/Louisville, America/Montreal, America/Nassau, America/New_York, America/Nipigon, America/Panama, America/Pangnirtung, America/Port-au-Prince, America/Thunder_Bay, America/Toronto, Canada/Eastern, Cuba, EST, EST5EDT, Etc/GMT+5, IET, Jamaica, SystemV/EST5, SystemV/EST5EDT, US/East-Indiana, US/Eastern, US/Michigan, America/Caracas, America/Anguilla, America/Antigua, America/Argentina/San_Luis, America/Aruba, America/Asuncion, America/Barbados, America/Blanc-Sablon, America/Boa_Vista, America/Campo_Grande, America/Cuiaba, America/Curacao, America/Dominica, America/Eirunepe, America/Glace_Bay, America/Goose_Bay, America/Grenada, America/Guadeloupe, America/Guyana, America/Halifax, America/Kralendijk, America/La_Paz, America/Lower_Princes, America/Manaus, America/Marigot, America/Martinique, America/Moncton, America/Montserrat, America/Port_of_Spain, America/Porto_Acre, America/Porto_Velho, America/Puerto_Rico, America/Rio_Branco, America/Santiago, America/Santo_Domingo, America/St_Barthelemy, America/St_Kitts, America/St_Lucia, America/St_Thomas, America/St_Vincent, America/Thule, America/Tortola, America/Virgin, Antarctica/Palmer, Atlantic/Bermuda, Brazil/Acre, Brazil/West, Canada/Atlantic, Chile/Continental, Etc/GMT+4, PRT, SystemV/AST4, SystemV/AST4ADT, America/St_Johns, CNT, Canada/Newfoundland, AGT, America/Araguaina, America/Argentina/Buenos_Aires, 
America/Argentina/Catamarca, America/Argentina/ComodRivadavia, America/Argentina/Cordoba, America/Argentina/Jujuy, America/Argentina/La_Rioja, America/Argentina/Mendoza, America/Argentina/Rio_Gallegos, America/Argentina/Salta, America/Argentina/San_Juan, America/Argentina/Tucuman, America/Argentina/Ushuaia, America/Bahia, America/Belem, America/Buenos_Aires, America/Catamarca, America/Cayenne, America/Cordoba, America/Fortaleza, America/Godthab, America/Jujuy, America/Maceio, America/Mendoza, America/Miquelon, America/Montevideo, America/Paramaribo, America/Recife, America/Rosario, America/Santarem, America/Sao_Paulo, Antarctica/Rothera, Atlantic/Stanley, BET, Brazil/East, Etc/GMT+3, America/Noronha, Atlantic/South_Georgia, Brazil/DeNoronha, Etc/GMT+2, America/Scoresbysund, Atlantic/Azores, Atlantic/Cape_Verde, Etc/GMT+1, Africa/Abidjan, Africa/Accra, Africa/Bamako, Africa/Banjul, Africa/Bissau, Africa/Casablanca, Africa/Conakry, Africa/Dakar, Africa/El_Aaiun, Africa/Freetown, Africa/Lome, Africa/Monrovia, Africa/Nouakchott, Africa/Ouagadougou, Africa/Sao_Tome, Africa/Timbuktu, America/Danmarkshavn, Atlantic/Canary, Atlantic/Faeroe, Atlantic/Faroe, Atlantic/Madeira, Atlantic/Reykjavik, Atlantic/St_Helena, Eire, Etc/GMT, Etc/GMT+0, Etc/GMT-0, Etc/GMT0, Etc/Greenwich, Etc/UCT, Etc/UTC, Etc/Universal, Etc/Zulu, Europe/Belfast, Europe/Dublin, Europe/Guernsey, Europe/Isle_of_Man, Europe/Jersey, Europe/Lisbon, Europe/London, GB, GB-Eire, GMT, GMT0, Greenwich, Iceland, Portugal, UCT, UTC, Universal, WET, Zulu, Africa/Algiers, Africa/Bangui, Africa/Brazzaville, Africa/Ceuta, Africa/Douala, Africa/Kinshasa, Africa/Lagos, Africa/Libreville, Africa/Luanda, Africa/Malabo, Africa/Ndjamena, Africa/Niamey, Africa/Porto-Novo, Africa/Tripoli, Africa/Tunis, Africa/Windhoek, Arctic/Longyearbyen, Atlantic/Jan_Mayen, CET, ECT, Etc/GMT-1, Europe/Amsterdam, Europe/Andorra, Europe/Belgrade, Europe/Berlin, Europe/Bratislava, Europe/Brussels, Europe/Budapest, Europe/Busingen, 
Europe/Copenhagen, Europe/Gibraltar, Europe/Ljubljana, Europe/Luxembourg, Europe/Madrid, Europe/Malta, Europe/Monaco, Europe/Oslo, Europe/Paris, Europe/Podgorica, Europe/Prague, Europe/Rome, Europe/San_Marino, Europe/Sarajevo, Europe/Skopje, Europe/Stockholm, Europe/Tirane, Europe/Vaduz, Europe/Vatican, Europe/Vienna, Europe/Warsaw, Europe/Zagreb, Europe/Zurich, Libya, MET, Poland, ART, Africa/Blantyre, Africa/Bujumbura, Africa/Cairo, Africa/Gaborone, Africa/Harare, Africa/Johannesburg, Africa/Kigali, Africa/Lubumbashi, Africa/Lusaka, Africa/Maputo, Africa/Maseru, Africa/Mbabane, Asia/Amman, Asia/Beirut, Asia/Damascus, Asia/Gaza, Asia/Hebron, Asia/Istanbul, Asia/Jerusalem, Asia/Nicosia, Asia/Tel_Aviv, CAT, EET, Egypt, Etc/GMT-2, Israel, Turkey, Africa/Addis_Ababa, Africa/Asmara, Africa/Asmera, Africa/Dar_es_Salaam, Africa/Djibouti, Africa/Juba, Africa/Kampala, Africa/Khartoum, Africa/Mogadishu, Africa/Nairobi, Antarctica/Syowa, Asia/Aden, Asia/Baghdad, Asia/Bahrain, Asia/Kuwait, Asia/Qatar, Asia/Riyadh, EAT, Etc/GMT-3, Europe/Kaliningrad, Europe/Minsk, Indian/Antananarivo, Indian/Comoro, Indian/Mayotte, Asia/Riyadh87, Asia/Riyadh88, Asia/Riyadh89, Mideast/Riyadh87, Mideast/Riyadh88, Mideast/Riyadh89, Asia/Tehran, Iran, Asia/Baku, Asia/Dubai, Asia/Muscat, Asia/Tbilisi, Asia/Yerevan, Etc/GMT-4, Europe/Moscow, Europe/Samara, Europe/Volgograd, Indian/Mahe, Indian/Mauritius, Indian/Reunion, NET, W-SU, Asia/Kabul, Antarctica/Mawson, Asia/Aqtau, Asia/Aqtobe, Asia/Ashgabat, Asia/Ashkhabad, Asia/Dushanbe, Asia/Karachi, Asia/Oral, Asia/Samarkand, Asia/Tashkent, Etc/GMT-5, Indian/Kerguelen, Indian/Maldives, PLT, Asia/Calcutta, Asia/Colombo, Asia/Kolkata, IST, Asia/Kathmandu, Asia/Katmandu, Antarctica/Vostok, Asia/Almaty, Asia/Bishkek, Asia/Dacca, Asia/Dhaka, Asia/Qyzylorda, Asia/Thimbu, Asia/Thimphu, Asia/Yekaterinburg, BST, Etc/GMT-6, Indian/Chagos, Asia/Rangoon, Indian/Cocos, Antarctica/Davis, Asia/Bangkok, Asia/Ho_Chi_Minh, Asia/Hovd, Asia/Jakarta, Asia/Novokuznetsk, 
Asia/Novosibirsk, Asia/Omsk, Asia/Phnom_Penh, Asia/Pontianak, Asia/Saigon, Asia/Vientiane, Etc/GMT-7, Indian/Christmas, VST, Antarctica/Casey, Asia/Brunei, Asia/Choibalsan, Asia/Chongqing, Asia/Chungking, Asia/Harbin, Asia/Hong_Kong, Asia/Kashgar, Asia/Krasnoyarsk, Asia/Kuala_Lumpur, Asia/Kuching, Asia/Macao, Asia/Macau, Asia/Makassar, Asia/Manila, Asia/Shanghai, Asia/Singapore, Asia/Taipei, Asia/Ujung_Pandang, Asia/Ulaanbaatar, Asia/Ulan_Bator, Asia/Urumqi, Australia/Perth, Australia/West, CTT, Etc/GMT-8, Hongkong, PRC, Singapore, Australia/Eucla, Asia/Dili, Asia/Irkutsk, Asia/Jayapura, Asia/Pyongyang, Asia/Seoul, Asia/Tokyo, Etc/GMT-9, JST, Japan, Pacific/Palau, ROK, ACT, Australia/Adelaide, Australia/Broken_Hill, Australia/Darwin, Australia/North, Australia/South, Australia/Yancowinna, AET, Antarctica/DumontDUrville, Asia/Khandyga, Asia/Yakutsk, Australia/ACT, Australia/Brisbane, Australia/Canberra, Australia/Currie, Australia/Hobart, Australia/Lindeman, Australia/Melbourne, Australia/NSW, Australia/Queensland, Australia/Sydney, Australia/Tasmania, Australia/Victoria, Etc/GMT-10, Pacific/Chuuk, Pacific/Guam, Pacific/Port_Moresby, Pacific/Saipan, Pacific/Truk, Pacific/Yap, Australia/LHI, Australia/Lord_Howe, Antarctica/Macquarie, Asia/Sakhalin, Asia/Ust-Nera, Asia/Vladivostok, Etc/GMT-11, Pacific/Efate, Pacific/Guadalcanal, Pacific/Kosrae, Pacific/Noumea, Pacific/Pohnpei, Pacific/Ponape, SST, Pacific/Norfolk, Antarctica/McMurdo, Antarctica/South_Pole, Asia/Anadyr, Asia/Kamchatka, Asia/Magadan, Etc/GMT-12, Kwajalein, NST, NZ, Pacific/Auckland, Pacific/Fiji, Pacific/Funafuti, Pacific/Kwajalein, Pacific/Majuro, Pacific/Nauru, Pacific/Tarawa, Pacific/Wake, Pacific/Wallis, NZ-CHAT, Pacific/Chatham, Etc/GMT-13, MIT, Pacific/Apia, Pacific/Enderbury, Pacific/Fakaofo, Pacific/Tongatapu, Etc/GMT-14, Pacific/Kiritimati
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sms.ucp.UcpSmsGateway
    id: UcpSmsGateway-xxxxxx
    displayName: 
    comment: 
    properties:
      accountPassword:
      accountShortId:
      accountUsername:
      connectionKeepAliveInterval: 300
      connectionSleepBeforeRetry: 5000
      connectionTimeout: 15000
      longSmsOptionEnabled: false
      messageConfirmationTimeout: 60
      numberOfSessions: 1
      serverIp:
      serverPort:
      ucpTimezoneIdentifier: Europe/Zurich
      useInternationalOriginatorFormat: false
      validityPeriod:
    

    UI Settings

    Description
    User interface configuration for Loginapp REST API.
    May be used by
    Properties
    Authentication UIs (authenticationUi)
    Description
    Allows configuring the user interfaces for authentication flows.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    User Self-Registration UIs (userSelfRegUi)
    Description
    Allows configuring the user interfaces for user self-registration flows.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    SelfRegistration
    Assignable plugins
    Public Self-Service UIs (publicSelfServiceUi)
    Description
    Allows configuring the user interfaces for public self-services.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Protected Self-Service UIs (selfServiceUi)
    Description
    Allows configuring the user interfaces for protected self-services.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Loginapp UI Content Security Policy (CSP) (loginRestUiContentSecurityPolicy)
    Description

    Content Security Policy (CSP) for the Loginapp UI.

    The Airlock Gateway (WAF) "CSRF Tokens" feature does not support CSP nonces before Gateway version 7.3. We recommend updating to Airlock Gateway 7.3 or higher and enabling both the CSP features on IAM and the "CSRF Tokens" feature on the mapping for IAM. If an update to Airlock Gateway 7.3 is currently not possible, we recommend temporarily disabling the Gateway "CSRF Tokens" feature and re-enabling it after the update.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    UI Tenant ID Rules (uiTenantIdRules)
    Description

    Define rules to set the UI Tenant ID.

    Changing the UI Tenant ID allows defining custom behavior inside a single Loginapp Design Kit customization.

    The rules are evaluated in the order in which they are configured, and the first rule that is satisfied is used to set the value of the UI Tenant ID. If no rule is satisfied (or if no rule is configured), the UI Tenant ID is not set.

    The rules configured here are shared across all flow UI types.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    UI Resource Set Rules (uiResourceSetRules)
    Description

    Defines rules to dynamically change the UI resource set to the specified customization.

    This property permits dynamically changing the directory from which UI resources are loaded, based on the first matching rule.

    The UI resource set zip files have to be located in a directory specified in the instance.properties under iam.loginapp.ui.resource-sets.dir.

    The zip files must have unique file names, otherwise the contained resources will not be available.

    The rules are evaluated in the order they are configured, and the first rule that is satisfied is used to set the path from which the resource is loaded.

    If no rule is satisfied (or if no rules are configured), the UI resources located at iam.loginapp.rest.ui.customizations are used, if configured. Otherwise, the default UI resources are used.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.rest.application.configuration.ui.LoginappUiConfig
    id: LoginappUiConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationUi:
      loginRestUiContentSecurityPolicy:
      publicSelfServiceUi:
      selfServiceUi:
      uiResourceSetRules:
      uiTenantIdRules:
      userSelfRegUi:
    

    Unique Across Services Password Policy

    Description
    A password policy which can be used to check that the new password is not already used for another service. Only password services which allow a side effect free check of the password can be used.
    Properties
    Password Checkers (passwordCheckers)
    Description
    This is the list of all the password services which should check that the password is not already in use. Only password services which allow a side effect free check of the password can be used.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.PwdPolicyUniqueAcrossServicesCheck
    id: PwdPolicyUniqueAcrossServicesCheck-xxxxxx
    displayName: 
    comment: 
    properties:
      passwordCheckers:
    

    Universally Unique Identity (UUID) Generator

    Description
    Generates random UUIDs as user identities.
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.user.UniversalUniqueIdentityGenerator
    id: UniversalUniqueIdentityGenerator-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Unlock Attempts Reset Processor

    Description
    Processor to reset the unlock attempts of the user in the event of a successful login.
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.processor.UnlockAttemptsResetProcessorConfig
    id: UnlockAttemptsResetProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Unlock User Step (Public Self-Service)

    Description

    This step unlocks a user in the following cases:

    • No 'Max Number of Unlocks' limit is configured in the 'Public Self-Service Flow Settings' configuration
    • The 'Max Number of Unlocks' limit configured in the 'Public Self-Service Flow Settings' has not yet been exceeded by the current user.

    Note that in general, locked users are not allowed to perform a public self-service, unless custom restrictions are configured to allow public self-services for certain locked users (see Locked User Restriction). If this step is performed by a locked user, their failed logins for the configured authentication methods are reset. Otherwise, the failed logins are not reset.

    Security Notice 1: This step should be the last step in the flow and must always come after at least one credential check step (e.g. email OTP). Precondition tags can help ensure that only users who successfully completed a previous step are unlocked.

    Security Notice 2: Automatically unlocking users can have unexpected security implications. Unlocking users that are locked for any reason other than too many failed password attempts is potentially a security risk, as it might allow brute-force attacks on the second authentication factor.

    Security Notice 3: If users are unlocked with proof of only one verified factor, the number of unlocks must be limited in the 'Public Self-Service Flow Settings' plugin configuration. Otherwise brute-force attacks on one factor are possible, lowering the security of a two-factor login setup to roughly that of a one-factor setup.

    Properties
    Reset Failed Logins (HTML Loginapp) (resetFailedLoginsForHtmlLoginapp)
    Description
    Reset the failed login counters for the HTML Loginapp to zero on unlock.
    Attributes
    Boolean
    Optional
    License-Tags
    UnlockSelfService
    Default value
    false
    Failed Attempts Counters To Reset (failedAttemptsCountersToReset)
    Description
    Reset the failed login counters for specified authentication methods to zero on unlock. Security Warning: resetting counters for authentication methods other than "PASSWORD" might allow brute-forcing of the second authentication factor.
    Attributes
    String-List
    Optional
    License-Tags
    UnlockSelfService
    Default value
    [PASSWORD]
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    License-Tags
    UnlockSelfService
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    UnlockSelfService
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    License-Tags
    UnlockSelfService
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    License-Tags
    UnlockSelfService
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    UnlockSelfService
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    License-Tags
    UnlockSelfService
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    License-Tags
    UnlockSelfService
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.steps.PublicSelfServiceUnlockUserStepConfig
    id: PublicSelfServiceUnlockUserStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      failedAttemptsCountersToReset: [PASSWORD]
      onFailureGotos:
      preCondition:
      requiresActivation: false
      resetFailedLoginsForHtmlLoginapp: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Unsupported Encryption (to be replaced)

    Description
    Placeholder plugin for a missing encryption configuration. Any operation at runtime that attempts to encrypt or decrypt sensitive data will fail. Do not use this plugin in a new configuration.
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.crypto.UnsupportedEncryptionConfig
    id: UnsupportedEncryptionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Uppercase String Transformer

    Description
    Converts the input string to uppercase.
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.transform.UppercaseStringTransformerConfig
    id: UppercaseStringTransformerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Uppercase Transformer

    Description
    This plugin transforms usernames to upper case. The resulting username has all letters capitalized.
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.UppercaseTransformer
    id: UppercaseTransformer-xxxxxx
    displayName: 
    comment: 
    properties:
    

    URI

    Description
    Defines a URI.
    Properties
    URI (uri)
    Description
    A URI that is absolute or relative to the host.
    Attributes
    String
    Mandatory
    Example
    https://my-ebanking.ch
    Example
    /ebanking
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.SimpleUriConfig
    id: SimpleUriConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      uri:
    

    URIs Processor

    Description
    Processes the "client_uri", "logo_uri", "policy_uri", and "tos_uri" metadata attributes. The values are taken from the request as long as they match the configured regular expression and don't exceed the length limits imposed by the database.
    Properties
    Allowed Client URIs (allowedClientUris)
    Description
    Regex limiting the client_uri provided by the client.
    Attributes
    RegEx
    Optional
    Default value
    https://[a-zA-Z0-9/_.-]+
    Allowed Logo URIs (allowedLogoUris)
    Description
    Regex limiting the logo_uri provided by the client.
    Attributes
    RegEx
    Optional
    Default value
    https://[a-zA-Z0-9/_.-]+
    Allowed Privacy Policy URIs (allowedPolicyUris)
    Description
    Regex limiting the policy_uri provided by the client.
    Attributes
    RegEx
    Optional
    Default value
    https://[a-zA-Z0-9/_.-]+
    Allowed Terms of Service URIs (allowedTosUris)
    Description
    Regex limiting the tos_uri provided by the client.
    Attributes
    RegEx
    Optional
    Default value
    https://[a-zA-Z0-9/_.-]+
    Client URI mandatory (clientUriMandatory)
    Description
    If client_uri is mandatory, a valid value is required and an error is returned otherwise. If it is not mandatory, invalid values are silently ignored.
    Attributes
    Boolean
    Optional
    Default value
    false
    Logo URI mandatory (logoUriMandatory)
    Description
    If logo_uri is mandatory, a valid value is required and an error is returned otherwise. If it is not mandatory, invalid values are silently ignored.
    Attributes
    Boolean
    Optional
    Default value
    false
    Privacy Policy URI mandatory (policyUriMandatory)
    Description
    If policy_uri is mandatory, a valid value is required and an error is returned otherwise. If it is not mandatory, invalid values are silently ignored.
    Attributes
    Boolean
    Optional
    Default value
    false
    Terms of Service URI mandatory (tosUriMandatory)
    Description
    If tos_uri is mandatory, a valid value is required and an error is returned otherwise. If it is not mandatory, invalid values are silently ignored.
    Attributes
    Boolean
    Optional
    Default value
    false
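The acceptance rules of the four URI properties above, as an added Python illustration that is not Airlock IAM code: each attribute is taken from the request only if it matches the configured regex and stays within a length limit, and a missing or invalid value is an error only for attributes marked mandatory. The full-match semantics, the length limit of 255 characters, and the sample request metadata are assumptions constructed for the example; the page itself gives only the default regex and the mandatory/optional behavior.

```python
import re

# Default regex from the "URIs Processor" plugin reference. Assumption: it is applied
# as a full match (the whole value must match), not as a substring search.
DEFAULT_URI_REGEX = r"https://[a-zA-Z0-9/_.-]+"

URI_ATTRIBUTES = ("client_uri", "logo_uri", "policy_uri", "tos_uri")

# Hypothetical database column limit; the page only states that such a limit exists.
MAX_URI_LENGTH = 255


class RegistrationError(Exception):
    """Raised when a mandatory URI attribute is missing or invalid."""


def is_acceptable(value, regex, max_length=MAX_URI_LENGTH):
    """A value is accepted only if it is a string, within the length limit and matches the regex."""
    return (
        isinstance(value, str)
        and len(value) <= max_length
        and re.fullmatch(regex, value) is not None
    )


def process_uris(request_metadata, allowed=None, mandatory=None):
    """Return the accepted URI attributes; raise if a mandatory one is missing or invalid.

    allowed:   optional per-attribute regex overrides (default: DEFAULT_URI_REGEX for all)
    mandatory: optional per-attribute booleans (default: every attribute optional)
    """
    allowed = allowed or {}
    mandatory = mandatory or {}
    accepted = {}
    for attr in URI_ATTRIBUTES:
        regex = allowed.get(attr, DEFAULT_URI_REGEX)
        value = request_metadata.get(attr)
        if is_acceptable(value, regex):
            accepted[attr] = value
        elif mandatory.get(attr, False):
            raise RegistrationError(f"{attr} is mandatory but missing or invalid")
        # Not mandatory: an invalid or missing value is silently ignored.
    return accepted


# Constructed sample registration request; only client_uri passes the default regex.
SAMPLE_REQUEST = {
    "client_uri": "https://app.example.com",
    "logo_uri": "http://app.example.com/logo.png",          # plain http: scheme not allowed
    "policy_uri": "https://app.example.com/policy?lang=en",  # '?' and '=' not in the class
    "tos_uri": "https://evil.example.com@app.example.com/tos",  # '@' not in the class
}
```

The default character class admits only `https://` followed by letters, digits, `/`, `_`, `.` and `-`, so query strings, fragments, userinfo and explicit ports are all rejected under full-match semantics; a deployment that needs them must widen the regex deliberately rather than loosen the mandatory flags.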
    YAML Template (with default values)
    
    type: com.airlock.iam.techclientreg.application.configuration.registration.UrisProcessorConfig
    id: UrisProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedClientUris: https://[a-zA-Z0-9/_.-]+
      allowedLogoUris: https://[a-zA-Z0-9/_.-]+
      allowedPolicyUris: https://[a-zA-Z0-9/_.-]+
      allowedTosUris: https://[a-zA-Z0-9/_.-]+
      clientUriMandatory: false
      logoUriMandatory: false
      policyUriMandatory: false
      tosUriMandatory: false
    

    URL Context Extractor

    Description

    Configures request URI to context mappings. If the request URI does not match, the fallback context is used.

    The matching is performed against the part of the request URI after the protocol or after the host (depending on the configuration).

    Example: If the request URL is "https://host/some/path" then the considered path is "host/some/path" (if "Use Virtual Host" is enabled) or "/some/path" otherwise.

    To determine the request URI behind a gateway, Airlock IAM requires one of these gateway settings:
    • Airlock Gateway (WAF): Verify that "Environment Cookies" are activated on all Loginapp mappings and that the environment cookie prefix is the same in the Airlock Gateway and Airlock IAM. The URL parts are sent by the WAF in the HTTPS, SERVER_NAME, SERVER_REQUEST and SERVER_PORT cookies (with respect to the configured prefix).
    • Airlock Microgateway: Make sure to extract the request URI in Airlock Microgateway Settings.
    Properties
    Mappings (mappings)
    Description
    Defines a list of regular expressions matched against the request to determine the configuration contexts.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Use Virtual Host (useVirtualHost)
    Description
    Also include the host name in the URL being matched.

    If disabled, the Mappings only match against the path of the request URL, for example /auth/
    If enabled, the Mappings match against the host name and path, for example www.server.com/auth/

    Attributes
    Boolean
    Optional
    Default value
    false
    Fallback Context (fallbackContext)
    Description
    Name of the context to be used if none of the mappings match.
    Leave empty to implicitly use the default context. If this plugin is used within a "Combining Context Extractor", use "[DEFAULT]" to explicitly return the default context if necessary.
    Attributes
    String
    Optional
    Example
    CTX1
    Example
    EXT
    Example
    [DEFAULT]
    Gateway (gateway)
    Description
    Settings regarding an Airlock Gateway or Airlock Microgateway reverse proxy placed in front of Airlock IAM.

    The request URI is extracted differently from the request based on this configuration:

    • Airlock Gateway (WAF): request URI is extracted from the environment cookie
    • Airlock Microgateway: request URI is extracted from the configured header
    • When no gateway is configured, the request URI is used

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
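The matching procedure described for this plugin (strip the URL down to path or host plus path, evaluate the mappings in order, fall back when nothing matches), as an added Python illustration that is not Airlock IAM code. Assumptions: a mapping is a (regex, context name) pair, the regex is applied as a search (anchor it with `^` to pin it to the start), the query string is not part of the matched text, and the sample mappings are constructed for the example.

```python
import re
from urllib.parse import urlsplit

DEFAULT_CONTEXT = "[DEFAULT]"   # explicit default, as used inside a Combining Context Extractor


def matched_part(request_url, use_virtual_host):
    """The part of the request URL the mappings are matched against."""
    parts = urlsplit(request_url)
    # "Use Virtual Host" enabled: host plus path, e.g. "www.server.com/auth/"; otherwise "/auth/".
    return parts.netloc + parts.path if use_virtual_host else parts.path


def extract_context(request_url, mappings, use_virtual_host=False, fallback_context=""):
    """First satisfied mapping wins; otherwise the fallback (None = implicit default context)."""
    subject = matched_part(request_url, use_virtual_host)
    for regex, context in mappings:            # evaluated in configured order
        if re.search(regex, subject):
            return context
    # Empty fallback: no context is named and the default applies implicitly.
    return fallback_context or None


# Constructed sample configurations (hypothetical context names).
PATH_MAPPINGS = [
    (r"^/auth/", "AUTH"),
    (r"^/ebanking/", "EBANKING"),
]
HOST_MAPPINGS = [
    (r"^www\.server\.com/auth/", "CORP"),
    (r"^partner\.example\.com/", "PARTNER"),
]
# An unanchored, general rule placed first shadows the more specific rule after it.
SHADOWING_MAPPINGS = [
    (r"/auth/", "AUTH"),
    (r"^/ebanking/", "EBANKING"),
]
```

Two consequences worth checking in a real configuration: with "Use Virtual Host" disabled the mappings cannot tell hosts apart at all, so host-specific contexts silently collapse onto one; and because the first satisfied rule wins, an unanchored regex near the top of the list captures requests meant for later, more specific rules.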
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.context.URLContextExtractor
    id: URLContextExtractor-xxxxxx
    displayName: 
    comment: 
    properties:
      fallbackContext:
      gateway:
      mappings:
      useVirtualHost: false
    

    URL CRL Fetcher

    Description
    CRL (certificate revocation list) fetcher that reads the latest CRL from a URL by performing an HTTP GET request. If more than one X509 object is encoded in the returned data, only the first X509 CRL is returned.
    Properties
    URL (url)
    Description
    The URL to get the CRL from.
    Attributes
    String
    Mandatory
    License-Tags
    ClientCertificate
    Example
    https://localhost:8080/mypki/clients.crl
    Example
    http://crl.verisign.com/Class3InternationalServer.crl
    Basic Auth Username (basicAuthUsername)
    Description
    Username used to fetch the CRL when basic authentication is required to access the URL. Used in conjunction with property basic-auth-password.
    Attributes
    String
    Optional
    License-Tags
    ClientCertificate
    Example
    johndoe
    Basic Auth Password (basicAuthPassword)
    Description
    Password used to fetch the CRL when basic authentication is required to access the URL. Used in conjunction with property basic-auth-username.
    Attributes
    String
    Optional
    Sensitive
    License-Tags
    ClientCertificate
    Proxy Host (proxyHost)
    Description
    The HTTP proxy host if connections to the specified URL must be made through an HTTP proxy.
    Attributes
    String
    Optional
    License-Tags
    ClientCertificate
    Example
    gw.foo.bar
    Example
    192.168.12.13
    Proxy Port (proxyPort)
    Description
    The HTTP proxy port if connections to the specified URL must be made through an HTTP proxy.
    Attributes
    Integer
    Optional
    License-Tags
    ClientCertificate
    Proxy Login User (proxyLoginUser)
    Description
    The user for authentication at the HTTP proxy server. Using an HTTP proxy does not necessarily require this property; this depends on the proxy configuration.
    Attributes
    String
    Optional
    License-Tags
    ClientCertificate
    Example
    felix
    Example
    jdoe
    Proxy Login Password (proxyLoginPassword)
    Description
    The password for authentication at the HTTP proxy server. Using an HTTP proxy does not necessarily require this property; this depends on the proxy configuration.
    Attributes
    String
    Optional
    Sensitive
    License-Tags
    ClientCertificate
    Allow Only Trusted Certs (allowOnlyTrustedCerts)
    Description

    Only allow connections to servers whose certificate is trusted. See documentation of property "Trust Store Path" for more information about what certificates are trusted.

    Security warning: Trusting all certificates allows connections to adversarial hosts. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    License-Tags
    ClientCertificate
    Default value
    true
    Verify Server Hostname (verifyServerHostname)
    Description

    Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

    Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

    Attributes
    Boolean
    Optional
    License-Tags
    ClientCertificate
    Default value
    true
    Trust Store Path (trustStorePath)
    Description

    Keystore file name containing trusted certificate issuers (and trusted certificates).

    If this property is not defined the following certificate issuers are trusted:

    • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
    • The list of issuers in a keystore referenced by system property "javax.net.ssl.trustStore" if defined in instance.properties using iam.java.opts

    If this property is defined then the following certificate issuers are trusted:

    • The list of issuers in the referenced truststore file and no others.

    This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

    Attributes
    File/Path
    Optional
    License-Tags
    ClientCertificate
    Trust Store Type (trustStoreType)
    Description
    Identifies the type of the keystore.
    Attributes
    String
    Optional
    License-Tags
    ClientCertificate
    Default value
    JKS
    Allowed values
    JKS, PKCS12
    Trust Store Password (trustStorePassword)
    Description
    The password used to verify the authenticity of the trust store.

    Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

    • JKS: the keystore can be opened and used but the integrity of the keystore is not checked.
    • PKCS12: an error occurs.

    Attributes
    String
    Optional
    Sensitive
    License-Tags
    ClientCertificate
    Connect Timeout (connectTimeout)
    Description
    The connection timeout in seconds. A timeout value of zero is interpreted as an infinite timeout.
    Attributes
    Integer
    Optional
    License-Tags
    ClientCertificate
    Default value
    5
    Correlation ID Header Name (correlationIdHeaderName)
    Description

    When configured, all requests sent contain a header with the correlation ID with the configured name. If no value or an empty value is specified, the correlation ID header is not sent.

    If the correlation ID is not defined, the correlation ID header is not included in sent requests.

    Attributes
    String
    Optional
    Validation RegEx: [a-zA-Z0-9_-]+
    License-Tags
    ClientCertificate
    Suggested values
    X-Correlation-ID
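How the connection properties of this fetcher combine, as an added Python illustration that is not Airlock IAM code: "Allow Only Trusted Certs", "Verify Server Hostname" and "Trust Store Path" are mapped onto a TLS client context, and the URL, basic-auth, proxy, timeout and correlation-ID properties onto the GET request. Assumptions: the trust store is a PEM bundle (Python's `ssl` module does not read JKS or PKCS12 stores), proxy credentials travel in the proxy URL, and the function and parameter names are chosen for the example.

```python
import base64
import ssl
import urllib.request


def build_tls_context(allow_only_trusted_certs=True, verify_server_hostname=True,
                      trust_store_path=None):
    """Map the plugin's TLS properties onto an ssl.SSLContext."""
    # PROTOCOL_TLS_CLIENT starts with chain verification and hostname checking enabled.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if not allow_only_trusted_certs:
        # "Trust all certificates": no chain verification, so a hostname check is meaningless too.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if trust_store_path:
        # Explicit trust store (assumed PEM): only the issuers in this file are trusted.
        ctx.load_verify_locations(cafile=trust_store_path)
    else:
        # No trust store configured: fall back to the platform's default trust anchors.
        ctx.load_default_certs()
    # Hostname verification can be switched off on its own while chain verification stays on.
    ctx.check_hostname = verify_server_hostname
    return ctx


def policy_summary(ctx):
    """Boolean view of what a context will actually verify."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": ctx.check_hostname,
    }


def fetch_crl(url, ctx, timeout=5, basic_auth=None, proxy=None,
              correlation_id=None, correlation_id_header="X-Correlation-ID"):
    """HTTP GET the raw CRL bytes with the configured connection settings (needs network access).

    basic_auth: (username, password) tuple, as in the Basic Auth properties
    proxy:      e.g. "http://gw.foo.bar:3128" or "http://user:pass@gw.foo.bar:3128"
    """
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(url)
    if basic_auth:
        token = base64.b64encode(f"{basic_auth[0]}:{basic_auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    if correlation_id and correlation_id_header:
        req.add_header(correlation_id_header, correlation_id)
    # A timeout of zero means "infinite" on the page; urllib expresses that as None.
    with opener.open(req, timeout=timeout or None) as resp:
        return resp.read()
```

The summary makes the two security warnings above concrete: disabling "Allow Only Trusted Certs" removes chain verification and with it any meaningful hostname check, while disabling only "Verify Server Hostname" still verifies the chain but accepts any certificate issued by a trusted CA for any name.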
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.cert.crl.UrlCrlFetcher
    id: UrlCrlFetcher-xxxxxx
    displayName: 
    comment: 
    properties:
      allowOnlyTrustedCerts: true
      basicAuthPassword:
      basicAuthUsername:
      connectTimeout: 5
      correlationIdHeaderName:
      proxyHost:
      proxyLoginPassword:
      proxyLoginUser:
      proxyPort:
      trustStorePassword:
      trustStorePath:
      trustStoreType: JKS
      url:
      verifyServerHostname: true
    

    URL Encoder

    Description
    Translates a string into URL-encoded format using the specified encoding scheme.
    Properties
    Encoding Scheme (encodingScheme)
    Description
    The scheme used for character encoding.
    Attributes
    String
    Optional
    Default value
    UTF-8
    Allowed values
    UTF-8, ISO-8859-1, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, ISO-8859-15
    YAML Template (with default values)
    
    type: com.airlock.iam.core.application.configuration.encoding.UrlEncoder
    id: UrlEncoder-xxxxxx
    displayName: 
    comment: 
    properties:
      encodingScheme: UTF-8
    

    URL String Encoder

    Description
    URL-encodes a string.
    Properties
    Encoding Scheme (encodingScheme)
    Description
    The scheme used for character encoding.
    Attributes
    String
    Optional
    Default value
    UTF-8
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.encoder.UrlStringEncoderConfig
    id: UrlStringEncoderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      encodingScheme: UTF-8
    

    User Attribute Is Unique

    Description
    Condition that is fulfilled if the current user is the only one with the configured context-data value.
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step, User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow, Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.condition.UserAttributeUniquenessConditionConfig
    id: UserAttributeUniquenessConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      attributeValueProvider:
      userAttribute:
    

    User Condition

    Description
    Condition that matches the username and the role against configurable patterns. All patterns have to match for the User Condition as a whole to be true (logical AND).
    Properties
    Username Pattern (usernamePattern)
    Description
    The pattern to check the propagated username with.
    Attributes
    RegEx
    Optional
    Role Pattern (rolePattern)
    Description
    The pattern to check the user's granted role(s) for the target application with.
    Attributes
    RegEx
    Optional
    No Roles Allowed (noRolesAllowed)
    Description
    If set to true, users with no roles will be allowed and the condition will be true. If set to false, users with no roles will make the condition false.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.UserCondition
    id: UserCondition-xxxxxx
    displayName: 
    comment: 
    properties:
      noRolesAllowed: true
      rolePattern:
      usernamePattern:
    
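    The following is an added illustration of how the three properties above combine, written for this reference and not taken from Airlock IAM; it assumes that a pattern must match the whole string and that the role pattern is satisfied when at least one of the user's granted roles matches. The point worth seeing is the noRolesAllowed default: with the default of true, a user who has no role at all satisfies the condition, so a condition that gates access to a target application should normally set it to false.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class UserCondition:
    """Constructed model of the 'User Condition' plugin (added example, not IAM code).
    Assumption: patterns are anchored, i.e. must match the entire string."""
    username_pattern: Optional[str] = None   # usernamePattern
    role_pattern: Optional[str] = None       # rolePattern
    no_roles_allowed: bool = True            # noRolesAllowed (product default)

    def matches(self, username: str, roles: List[str]) -> bool:
        # Username check: if a pattern is configured it must match (logical AND with the role check).
        if self.username_pattern and not re.fullmatch(self.username_pattern, username):
            return False
        # A user without any role is decided by noRolesAllowed alone.
        if not roles:
            return self.no_roles_allowed
        # Role check (assumption: one matching granted role is enough).
        if self.role_pattern and not any(re.fullmatch(self.role_pattern, r) for r in roles):
            return False
        return True


# Constructed sample: an access condition that should only admit administrators.
ADMIN_ONLY = UserCondition(username_pattern=r"[a-z.]+", role_pattern=r"admin(-.*)?", no_roles_allowed=False)
# Same condition with the product default noRolesAllowed=true: role-less users slip through.
ADMIN_ONLY_DEFAULT = UserCondition(username_pattern=r"[a-z.]+", role_pattern=r"admin(-.*)?")
```

    The difference between the two sample conditions shows up only for users with an empty role list: ADMIN_ONLY rejects them, ADMIN_ONLY_DEFAULT accepts them.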

    User Context Data Attribute Mapping

    Description
    Maps a source attribute from the context data container of the source persister to a target attribute (context data container of the target persister).
    May be used by
    Properties
    Source Attribute (sourceAttribute)
    Description
    The name of the context data attribute in the source persister.

    Do not reference the username column here. It is known by the source persister.

    Attributes
    String
    Mandatory
    Example
    givenName
    Example
    sn
    Example
    street
    Target Attribute (targetAttribute)
    Description
    The name of the context data attribute in the target persister.

    Do not reference the username column here. It is known by the target persister.

    Attributes
    String
    Mandatory
    Example
    givenname
    Example
    surname
    Example
    street
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.user.sync.ContextDataAttributeMappingConfig
    id: ContextDataAttributeMappingConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      sourceAttribute:
      targetAttribute:
    

    User Created

    Description
    Event that is published when a user is created through the Adminapp or Loginapp.
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.event.UserCreatedSubscribedEventConfig
    id: UserCreatedSubscribedEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    User Data Blacklist Password Policy

    Description
    A password policy to check whether the new password corresponds to user data such as the user's name, home town, birth date, etc.

    The items on the blacklist (values that will not be accepted as the new password) must be part of the context data of the user or the username itself.

    The plugin can be configured to either look at all context data or selected pieces of context data (see configuration properties below). The user name is handled separately.

    Because birth dates (and other dates) are of special interest in this check, the configuration allows one or more date-conversion patterns to be specified. If they are provided, the plugin converts any dates in the context data using all specified patterns when comparing them to the new password.

    All pieces of context data that are neither of type string nor of type date are converted to a string by calling the object's toString() method.

    Properties
    Check User Name (checkUserName)
    Description
    If this property is set to TRUE, the new password will also be checked against the username (which is usually not part of the context data).
    Note that this property does not depend on the selected context data items. Example: If the username is part of the context data and this property is FALSE, the username will be used nevertheless because it is part of context data.
    Attributes
    Boolean
    Optional
    Default value
    true
    Selected Context Data (selectedContextData)
    Description
    A list of keys referencing the pieces of context data to include in the check. The special value "@ALL" can be used to reference all context data items.
    Attributes
    String-List
    Optional
    Conversion Patterns (conversionPatterns)
    Description
    Zero, one or more date patterns used to compare the new password with dates or timestamps in the context data.
    All dates or timestamps (everything of type java.util.Date or a subclass) in the context data are converted using every date-format pattern provided with this property.

    The date-format patterns are as specified by the JDK 1.6 Java class SimpleDateFormat.

    Attributes
    String-List
    Optional
    Ignore Case (ignoreCase)
    Description
    If set to TRUE, the case of characters is ignored when comparing the new password to the black-list items.
    Attributes
    Boolean
    Optional
    Default value
    false
    Comparison Strategy (comparisonStrategy)
    Description
    Specifies how user data is matched against the password.
    • EQUALS: the policy triggers if user data exactly matches the password (default).
    • CONTAINS: the policy triggers if the password contains user data.
    Attributes
    Enum
    Optional
    Default value
    EQUALS
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.PwdPolicyUserDataBlacklistCheck
    id: PwdPolicyUserDataBlacklistCheck-xxxxxx
    displayName: 
    comment: 
    properties:
      checkUserName: true
      comparisonStrategy: EQUALS
      conversionPatterns:
      ignoreCase: false
      selectedContextData:
    
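    To make the interaction of the five properties concrete, here is an added, self-contained model of the check described above. It is example code written for this reference, not the plugin's implementation: date patterns use Python strftime syntax as a stand-in for SimpleDateFormat patterns, keys listed in selectedContextData but absent from the user's context data are assumed to be ignored, and the sample user and values are constructed.

```python
from datetime import date, datetime
from typing import Any, Iterable, List, Mapping, Sequence

# Constructed model of the 'User Data Blacklist Password Policy' (added example,
# not Airlock IAM code). strftime patterns stand in for SimpleDateFormat patterns.

ALL = "@ALL"


def blacklist_items(
    username: str,
    context_data: Mapping[str, Any],
    check_user_name: bool = True,
    selected_context_data: Sequence[str] = (ALL,),
    conversion_patterns: Sequence[str] = (),
) -> List[str]:
    """Build the strings the new password is compared against."""
    if ALL in selected_context_data:
        keys: Iterable[str] = context_data.keys()
    else:
        # Assumption: selected keys missing from the user's context data are ignored.
        keys = [k for k in selected_context_data if k in context_data]

    items: List[str] = []
    for key in keys:
        value = context_data[key]
        if isinstance(value, (date, datetime)) and conversion_patterns:
            # A date is rendered with every configured pattern, so that both
            # "23.07.1985" and "23071985" end up on the blacklist.
            items.extend(value.strftime(p) for p in conversion_patterns)
        else:
            # Strings, numbers and dates without patterns: compared via their
            # string form, mirroring the toString() rule above.
            items.append(str(value))

    # The username is handled separately from the selected context data: it is
    # added when checkUserName is on, regardless of the selection.
    if check_user_name:
        items.append(username)
    return items


def violations(
    new_password: str,
    username: str,
    context_data: Mapping[str, Any],
    *,
    check_user_name: bool = True,
    selected_context_data: Sequence[str] = (ALL,),
    conversion_patterns: Sequence[str] = (),
    ignore_case: bool = False,
    comparison_strategy: str = "EQUALS",
) -> List[str]:
    """Return the blacklist items the password collides with (empty list means accepted)."""
    if comparison_strategy not in ("EQUALS", "CONTAINS"):
        raise ValueError("comparisonStrategy must be EQUALS or CONTAINS")
    pwd = new_password.casefold() if ignore_case else new_password
    hits: List[str] = []
    for item in blacklist_items(username, context_data, check_user_name,
                                selected_context_data, conversion_patterns):
        if not item:
            continue  # an empty context value would match every password under CONTAINS
        cmp = item.casefold() if ignore_case else item
        matched = (cmp == pwd) if comparison_strategy == "EQUALS" else (cmp in pwd)
        if matched:
            hits.append(item)
    return hits


# Constructed sample user (not real data).
SAMPLE_USER = "mmueller"
SAMPLE_CONTEXT = {
    "givenName": "Maria",
    "sn": "Mueller",
    "birthDate": date(1985, 7, 23),
    "postalCode": 8005,  # non-string value, compared via str()
}
SAMPLE_PATTERNS = ("%d.%m.%Y", "%d%m%Y", "%Y-%m-%d")
```

    Two behaviours are worth noting when tuning the policy: with the default EQUALS strategy a password such as "Maria2024!" is accepted even though it embeds the given name, whereas CONTAINS rejects it; and without conversionPatterns a birth date is only compared in its default string form, so "23071985" passes unless a matching pattern is configured.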

    User Data Edit Step

    Description

    Flow step for editing user data.

    Note that for the changes made in this step to take effect, an "Apply Changes Step" must be configured after it in the same flow. If not, the user data changes made in this step are lost.

    Properties
    Editable Items (userDataItems)
    Description
    Defines the items that can be edited in this step.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.step.UserDataEditStepConfig
    id: UserDataEditStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      userDataItems:
    

    User Data Registration Step Config

    Description
    User self-registration step for registering user data such as login names (username and aliases), password and context data.
    Properties
    CAPTCHA (captchaProvider)
    Description
    If a CAPTCHA is configured, a CAPTCHA challenge will be added to:
    • the response of the flow selecting request (when this step is the first interactive step in a flow).
    • the step response immediately preceding the protected step (when this step is not the first interactive step in a flow).
    To complete this step and proceed with the flow, the CAPTCHA must be solved successfully.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Validators (validators)
    Description
    Validators that are executed on continue, i.e. before leaving this step.

    Currently there are no product plugins for this feature, only custom plugins.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.step.UserDataRegistrationStepConfig
    id: UserDataRegistrationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      captchaProvider:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      userDataItems:
      validators:
    

    User Deleted

    Description
    Event that is triggered by the deletion of a user in the Adminapp.
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.event.UserDeletedSubscribedEventConfig
    id: UserDeletedSubscribedEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    User Enumeration Protection Processor

    Description

    Processor that protects against user enumeration attacks by changing any failure of a user identifying step to a generic AUTHENTICATION_FAILED result.

    To ensure that all failed results are made generic, this processor must be configured after the "Default Authentication Processor" and the "User Validity Processor".

    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.processor.UserEnumerationProtectionProcessorConfig
    id: UserEnumerationProtectionProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    
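    The ordering requirement above matters because each processor can only rewrite results that already exist when it runs. The following added example (written for this reference, not IAM code) models three processors as a chain over a constructed user store; the result codes other than AUTHENTICATION_FAILED, the user records and the processor internals are all made up for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed processor-chain model (added example, not Airlock IAM code).
# Only AUTHENTICATION_FAILED is a result name taken from the reference; the
# other codes are invented for this illustration.


@dataclass
class AuthContext:
    username: str
    password: str
    result: str = "OK"


# Constructed user store: credential and lock state per account.
USERS: Dict[str, Dict[str, object]] = {
    "alice": {"password": "correct-horse", "locked": False},
    "bob":   {"password": "battery-staple", "locked": True},
}

Processor = Callable[[AuthContext], None]


def default_authentication_processor(ctx: AuthContext) -> None:
    """Stand-in for the 'Default Authentication Processor': verifies the credential."""
    user = USERS.get(ctx.username)
    if user is None:
        ctx.result = "USER_UNKNOWN"
    elif user["password"] != ctx.password:
        ctx.result = "WRONG_PASSWORD"


def user_validity_processor(ctx: AuthContext) -> None:
    """Stand-in for the 'User Validity Processor': rejects locked accounts."""
    user = USERS.get(ctx.username)
    if ctx.result == "OK" and user is not None and user["locked"]:
        ctx.result = "USER_LOCKED"


def user_enumeration_protection_processor(ctx: AuthContext) -> None:
    """Replaces whatever failure has been produced so far with the generic result."""
    if ctx.result != "OK":
        ctx.result = "AUTHENTICATION_FAILED"


def run_chain(processors: List[Processor], username: str, password: str) -> str:
    ctx = AuthContext(username, password)
    for processor in processors:
        processor(ctx)
    return ctx.result


def observable_failures(processors: List[Processor]) -> Set[str]:
    """Distinct failure codes an unauthenticated caller could observe across a few probes.
    More than one distinct code means the responses reveal account state."""
    probes = [("alice", "wrong"), ("bob", "battery-staple"), ("bob", "wrong"), ("nobody", "x")]
    return {run_chain(processors, u, p) for u, p in probes} - {"OK"}


# The ordering the reference requires: protection processor last.
CORRECT_ORDER = [default_authentication_processor, user_validity_processor,
                 user_enumeration_protection_processor]
# Misconfiguration: the validity processor runs after the protection processor.
WRONG_ORDER = [default_authentication_processor, user_enumeration_protection_processor,
               user_validity_processor]
```

    With CORRECT_ORDER every probe collapses to AUTHENTICATION_FAILED; with WRONG_ORDER the lock decision is made after the generic rewrite and the USER_LOCKED code reaches the caller, which is exactly the distinguishing signal the processor is meant to remove.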

    User Group Configuration

    Description
    Defines user-group dependent user settings for the admin tool.
    May be used by
    Properties
    Group Condition (groupCondition)
    Description
    The group condition that selects these admin tool settings for a user.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Editable (editable)
    Description
    If this property is set to "true", user data is editable and users can be deleted.
    Attributes
    Boolean
    Optional
    Default value
    true
    Show User Valid Section (showUserValidSection)
    Description
    If this property is set to "true", a section with the user valid status, valid-from and valid-to dates (if information is available) is displayed. On the user edit page, the valid-from and valid-to dates can be edited.
    Attributes
    Boolean
    Optional
    Default value
    false
    Available User Roles (availableUserRoles)
    Description
    Set of roles assignable to users.
    Attributes
    String-List
    Optional
    Rows On User Detail Page (rowsOnUserDetailPage)
    Description
    The property names and labels of context data to be displayed on the user detail page.

    The data is taken from the context data container of the selected user. The configuration of the used user persister must include the context data properties referenced here.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Locking Settings (lockingSettings)
    Description
    Configures the behavior of user locking.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Show Credential Migration Section (showCredentialMigrationSection)
    Description
    If enabled, the credential migration section is displayed on the user details page. This section contains a choice of authentication methods to be assigned to the user after migration.
    Attributes
    Boolean
    Optional
    License-Tags
    TokenSelfService
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.users.UserGroupConfiguration
    id: UserGroupConfiguration-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationTokens:
      availableUserRoles:
      editable: true
      groupCondition:
      lockingSettings:
      rowsOnUserDetailPage:
      showCredentialMigrationSection: false
      showUserValidSection: false
    

    User Identification By Data Step

    Description

    This step identifies users by their context data items (user data).

    Caution: This step allows user enumeration attacks. Such attacks cannot be prevented, even if "Prevent User-Enumeration" is enabled on the "Authentication Flow".

    Properties
    Context Data Items (contextDataItems)
    Description

    The context data items that are used to identify a user. Combined, they must uniquely identify a user.

    Each item defines whether it is required for identification or not.

    Required items must be provided for identification and must successfully validate (see validators on each item configuration).

    Optional items can be omitted, but if they are provided, they must also successfully validate for the step to succeed.

    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    CAPTCHA (captchaProvider)
    Description
    If a CAPTCHA is configured, a CAPTCHA challenge will be added to:
    • the response of the flow selecting request (when this step is the first interactive step in a flow).
    • the step response immediately preceding the protected step (when this step is not the first interactive step in a flow).
    To complete this step and proceed with the flow, the CAPTCHA must be solved successfully.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Ignore Upper/Lower Case (ignoreCase)
    Description
    If this option is enabled, the strings entered to identify a user are compared without taking upper/lower case into account.

    This improves user-friendliness, but increases the risk that the entered data matches more than one user. In that case the user cannot be uniquely identified and the step fails with an error.

    Attributes
    Boolean
    Optional
    Default value
    false
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.data.UserByDataIdentifyingStepConfig
    id: UserByDataIdentifyingStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      captchaProvider:
      contextDataItems:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      ignoreCase: false
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    User Identification By Data Step (Public Self-Service)

    Description

    This step identifies users by their context data items (user data).

    Note that if no restriction is violated, or if user feedback is disabled for violated restrictions, this step returns a "success" result and "Tags On Success" are also awarded, even if the user could not be identified. User feedback can be disabled in order to prevent user enumeration ("Stealth Mode").

    For more details on restrictions consult the help of the corresponding property in the "Public Self-Service Flow" settings.
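
    The difference between this step and the "User Identification By Data Step" used in authentication flows (which the reference says is enumerable even with "Prevent User-Enumeration" enabled), together with the required/optional item rules and the "Ignore Upper/Lower Case" caveat, as an added illustration. This is not Airlock IAM code and not taken from this reference: the in-memory user table, the item and validator shapes, the result dictionaries and the error strings are hypothetical assumptions made for the example. The username-only "User Identification Step" is the single-item case of the same logic.

```python
"""Added illustration, not Airlock IAM code: models the two user-identification
step behaviours this reference describes (authentication flow vs public
self-service "Stealth Mode"). The user table, item shapes, error strings and
result dictionaries are hypothetical assumptions made for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample user store (hypothetical): context data per user id.
USERS = {
    "u1001": {"email": "alice@example.test", "birthdate": "1990-04-12", "zip": "8000"},
    "u1002": {"email": "Alice@example.test", "birthdate": "1990-04-12", "zip": "3000"},
    "u1003": {"email": "bob@example.test", "birthdate": "1990-04-12", "zip": "8000"},
}


@dataclass
class ContextDataItem:
    """One configured context data item: name, required flag, validators."""
    name: str
    required: bool
    validators: list = field(default_factory=list)


# Constructed item configuration: two required items, one optional item.
ITEMS = [
    ContextDataItem("email", True, [re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+").fullmatch]),
    ContextDataItem("birthdate", True, [re.compile(r"\d{4}-\d{2}-\d{2}").fullmatch]),
    ContextDataItem("zip", False, [re.compile(r"\d{4}").fullmatch]),
]


def validate_items(items, provided):
    """Required items must be present and valid; optional items may be
    omitted but must validate when given. Returns (criteria, error)."""
    criteria = {}
    for item in items:
        value = provided.get(item.name)
        if value is None:
            if item.required:
                return None, f"MISSING_{item.name.upper()}"
            continue
        if not all(check(value) for check in item.validators):
            return None, f"INVALID_{item.name.upper()}"
        criteria[item.name] = value
    return criteria, None


def lookup(criteria, users, ignore_case):
    """Return the ids of all users whose context data match every criterion."""
    norm = str.casefold if ignore_case else (lambda s: s)
    return [uid for uid, data in users.items()
            if all(norm(data.get(k, "")) == norm(v) for k, v in criteria.items())]


def identify_auth_flow(provided, *, items=ITEMS, users=USERS, ignore_case=False):
    """Authentication-flow step: the client-visible result states whether the
    data matched a user, so the step is enumerable by design.
    Returns (client_response, tentative_user_id)."""
    criteria, err = validate_items(items, provided)
    if err:
        return {"status": "FAILED", "error": err}, None
    found = lookup(criteria, users, ignore_case)
    if len(found) == 1:
        return {"status": "OK"}, found[0]
    # ignoreCase can collapse two distinct stored values into one match set;
    # the reference describes this as a step error.
    error = "USER_NOT_FOUND" if not found else "USER_NOT_UNIQUE"
    return {"status": "FAILED", "error": error}, None


def identify_public_self_service(provided, *, items=ITEMS, users=USERS,
                                 ignore_case=False, stealth=True,
                                 tags_on_success=("identified",)):
    """Public self-service step. With stealth=True (user feedback disabled)
    the client receives the same success result and the same tags whether
    or not a user was found; only the server-side tentative user id differs.
    Assumption: malformed input still fails, since a format error reveals
    nothing about which users exist."""
    criteria, err = validate_items(items, provided)
    if err:
        return {"status": "FAILED", "error": err}, None
    found = lookup(criteria, users, ignore_case)
    user = found[0] if len(found) == 1 else None
    if user is None and not stealth:
        return {"status": "FAILED", "error": "USER_NOT_FOUND"}, None
    return {"status": "OK", "tags": list(tags_on_success)}, user


if __name__ == "__main__":
    known = {"email": "alice@example.test", "birthdate": "1990-04-12"}
    unknown = {"email": "nobody@example.test", "birthdate": "1990-04-12"}
    print("auth flow:", identify_auth_flow(known)[0], identify_auth_flow(unknown)[0])
    same = identify_public_self_service(known)[0] == identify_public_self_service(unknown)[0]
    print("stealth responses indistinguishable:", same)
```

    Comparing the two client responses for a known and an unknown user is the practical check: in the authentication-flow variant they differ, in the stealth variant they are identical and the identified user id only exists server-side. Enabling ignore_case without the optional "zip" item makes the two "alice" records collide, which is the ambiguity the "Ignore Upper/Lower Case" property warns about.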

    Properties
    Context Data Items (contextDataItems)
    Description

    The context data items that are used to identify a user. Combined, they must uniquely identify a user.

    Each item defines whether it is required for identification or not.

    Required items must be provided for identification and must successfully validate (see validators on each item configuration).

    Optional items can be omitted, but if they are provided, they must also successfully validate for the step to succeed.

    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    CAPTCHA (captchaProvider)
    Description
    If a CAPTCHA is configured, a CAPTCHA challenge will be added to:
    • the response of the flow selecting request (when this step is the first interactive step in a flow).
    • the step response immediately preceding the protected step (when this step is not the first interactive step in a flow).
    To complete this step and proceed with the flow, the CAPTCHA must be solved successfully.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Ignore Upper/Lower Case (ignoreCase)
    Description
    If this option is enabled, the strings entered to identify a user are compared without taking upper/lower case into account.

    This improves user-friendliness, but increases the risk that the entered data matches more than one user. In that case the user cannot be uniquely identified and the step fails with an error.

    Attributes
    Boolean
    Optional
    Default value
    false
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.steps.PublicSelfServiceUserByDataIdentifyingStepConfig
    id: PublicSelfServiceUserByDataIdentifyingStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      captchaProvider:
      contextDataItems:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      ignoreCase: false
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    User Identification Processor

    Description
    Processor to update the user session and ensure consistency after a step has identified the user.
    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.processor.UserIdentificationProcessorConfig
    id: UserIdentificationProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    User Identification Step

    Description

    Configuration for a user identifying flow step.

    This step identifies users only by their username, thus it should only be integrated into flows where either a trusted, authenticated entity acts on behalf of the user, or further authentication steps verify the user's identity.

    Caution: This step allows user enumeration attacks. Such attacks cannot be prevented, even if "Prevent User-Enumeration" is enabled on the "Authentication Flow".

    Properties
    CAPTCHA (captchaProvider)
    Description
    If a CAPTCHA is configured, a CAPTCHA challenge will be added to:
    • the response of the flow selecting request (when this step is the first interactive step in a flow).
    • the step response immediately preceding the protected step (when this step is not the first interactive step in a flow).
    To complete this step and proceed with the flow, the CAPTCHA must be solved successfully.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.username.UserIdentifyingStepConfig
    id: UserIdentifyingStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      captchaProvider:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    User Identification Step (Public Self-Service)

    Description

    Configuration for a user identifying flow step.

    This step identifies users by their username, performing username transformation if configured (in the "Public Self-Service Flow" settings) and possible.

    Note that if no restriction is violated, or if user feedback is disabled for violated restrictions, this step returns a "success" result and "Tags On Success" are also awarded, even if the user could not be identified. User feedback can be disabled in order to prevent user enumeration ("Stealth Mode").

    For more details on restrictions consult the help of the corresponding property in the "Public Self-Service Flow" settings.

    Properties
    CAPTCHA (captchaProvider)
    Description
    If a CAPTCHA is configured, a CAPTCHA challenge will be added to:
    • the response of the flow selecting request (when this step is the first interactive step in a flow).
    • the step response immediately preceding the protected step (when this step is not the first interactive step in a flow).
    To complete this step and proceed with the flow, the CAPTCHA must be solved successfully.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.steps.PublicSelfServiceUserIdentifyingStepConfig
    id: PublicSelfServiceUserIdentifyingStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      captchaProvider:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    User Identified

    Description

    Condition that is fulfilled if the user has been identified.

    This condition uses the tentative user ID, which is available as soon as the provided username is resolved. This means that it can be used inside, but not before, a user identifying step.

    If no user has been identified yet, the condition is not fulfilled.

    May be used by
    mTAN Transaction Approval Step
    Default Enable Cronto Push Flow
    Secret Questions Identity Verification Step
    Default mTAN Deletion Flow
    Legacy mTAN Registration Flow
    Set Authentication Method Migration Step
    Advanced Migration Selection Option
    Airlock 2FA Authentication Step
    Complete Migration Step
    Failure Step
    Airlock 2FA Recovery Trusted Session Binding Step
    Email Identity Verification Step
    Scriptable Step
    Custom Protected Self-Service Flow
    Airlock 2FA Self-Service Approval Step
    Logical NOT
    Set Authentication Method Step
    OTP Check via RADIUS Step
    OAuth 2.0 SSO Step
    Cronto Device Selection Step
    Default Disable FIDO Credential Flow
    FIDO Public Self-Service Approval Step
    Cronto Transaction Approval Step
    Email OTP Transaction Approval Step
    Send Email Link Step
    Vasco OTP Public Self-Service Approval Step
    Airlock 2FA Public Self-Service Approval Step
    mTAN Authentication Step
    Risk Assessment Step
    Cronto Authentication Step
    User Data Edit Step
    Logical OR
    Account Link Linking Initiation Step
    Account Link Removal Initiation Step
    Missing Account Link Step
    CrontoSign Swiss Push Activation Step
    Flow Continuation Token Consumption Step
    Email Verification Step
    SSI Passwordless Authentication Step
    Logical AND
    Red Flag Raising Step Config
    Airlock 2FA Transaction Approval Step
    FIDO Credential Selection Step
    On Behalf Login Identity Propagation Config
    mTAN Number List
    Default OAuth 2.0 Consents Delete Flow
    Selection Step for Public Self-Service
    OATH OTP Activation Step
    Default mTAN Token Registration Flow
    SSO Ticket Authentication Step
    Enable Cronto Push Initiation Step
    Default Account Link Removal Flow
    Default Account Link Linking Flow
    Condition-based Role Provider
    Migration Selection Step
    SSI Issuance Step
    Legacy ID Propagation Adapter
    OIDC Flow Condition To ACR Value Mapping
    Phone Number Verification Step
    mTAN Public Self-Service Approval Step
    User Data Registration Step Config
    Cronto Approval Stealth Step
    Disable FIDO Credential Initiation Step
    OAuth 2.0 Client Persisting Step
    Selection Option For User Self-Registration
    Delete FIDO Credential Initiation Step
    Login From New Device Step
    Account Linking Lists Self Services
    OAuth 2.0 Consent Step
    Password-only Authentication Step
    SMS Identity Verification Step
    Cronto Public Self-Service Approval Step
    Set Context Data Step
    Matrix Public Self-Service Approval Step
    Remember-Me Token Generating Step
    Device Token List
    Selection Option For Self-Service
    Flow Condition-based OAuth 2.0 Scope Condition
    Delete Cronto Device Initiation Step
    Kerberos Authentication Step
    Vasco OTP Authentication Step
    Device Token Registration Step
    Flow Continuation Step
    Remember-Me User Identifying Step
    Airlock 2FA Device List
    Password Reset Step
    Enable FIDO Credential Initiation Step
    Device Token Authentication Step
    Matrix Self-Service Approval Step
    User Identification By Data Step (Public Self-Service)
    Cronto Activation Step
    Email OTP Authentication Step
    Email Change Verification Step
    Email Notification Step
    FIDO Self-Service Approval Step
    OAuth 2.0 Client Registration Step
    Airlock 2FA Activation Step
    Airlock 2FA Device Edit Initiation Step
    Select mTAN Token Step
    Secret Questions Provisioning Step
    Airlock 2FA Device Edit Step
    Apply Changes Step
    User Persisting Step Config
    Start User Representation Step
    Default OAuth 2.0 Session Deletion Flow
    Default Cronto Device Removal Flow
    Mandatory Password Change Step Config
    Target URI ID Propagator
    Disable Cronto Device Initiation Step
    OAuth 2.0 Consent Grant Initiation Step
    Airlock 2FA Activation Trusted Session Binding Step
    User Unlock Step (Self-Registration)
    Default mTAN Token Edit Flow
    Cronto Device List
    FIDO Registration Step
    Delete Remember-Me Device Initiation Step
    Transaction Approval Parameter Step
    Default FIDO Credential Display Name Change Flow
    User Identification Step
    User Identification By Data Step
    Representation SSO Ticket Identifying Step
    Unlock User Step (Public Self-Service)
    Airlock 2FA Usernameless Authentication Step
    Matrix Authentication Step
    mTAN Token Edit Step
    Enable Cronto Device Initiation Step
    Airlock 2FA Activation Letter Order Step
    OAuth 2.0 Consent Deny Initiation Step
    Tag Removal Step Config
    FIDO Authentication Step
    Cronto Device Reset Step Config
    Default Disable Cronto Push Flow
    Abort Step
    mTAN Token Registration Step
    Airlock 2FA Device Delete Initiation Step
    Selection Option For Public Self-Service
    Username Password Authentication Step
    Certificate Credential Extraction Step Config
    OAuth 2.0 Session List
    Set Password Step Config
    Flow Condition To Authentication Context Mapping
    Password Change Self-Service Step
    SSI Verification Step
    Default OAuth 2.0 Consent Deny Flow
    Device Token Identity Verification Step Config
    Cronto Self-Service Approval Step
    FIDO Credential List
    Lock Self-Service Step
    Password Letter Order Step (Public Self-Service)
    Default Enable Cronto Device Flow
    Airlock 2FA Delete Devices Step
    Vasco OTP Self-Service Approval Step
    Selection Step for User Self-Registration
    Vasco OTP Device Activation
    User Role Assignment Step Config
    Default Enable FIDO Credential Flow
    mTAN Self-Service Approval Step
    Selection Option
    Rename Cronto Device Step
    OATH OTP Authentication Step
    User Identification Step (Public Self-Service)
    Default Cronto Device Renaming Flow
    Delete mTAN Number Initiation Step
    SSI Authentication Step
    Default Disable Cronto Device Flow
    Password Repository Mapping
    Default Remember-Me Device Deletion Flow
    mTAN Verification Step
    Conditional Value Map Provider
    FIDO Credential Display Name Change Step
    Application Portal Target Config
    Legacy Email OTP Authentication Step
    Never Migrate Step
    Selection Step for Self-Service
    Cronto Letter Order Step Config
    No Operation Step
    Terms Of Services Step
    Role-based Tag Acquisition Step
    FIDO Passwordless Authentication Step
    Disable Cronto Push Initiation Step
    Stop User Representation Step
    Acknowledge Message Step
    HTTP Basic Authentication Step
    Target Applications and Authentication
    Airlock 2FA Mobile Only Authentication Step
    Generic ID Propagator
    Voluntary Password Change Step
    Remember-Me Device List
    SAML 2.0 SP User Identifying Step
    OAuth 2.0 Consents Delete Initiation Step
    Airlock 2FA Activation Step (with additional Activation)
    OAuth 2.0 Consent List
    Default OAuth 2.0 Consent Grant Flow
    Username Generation Step Config
    Remember-Me Reset Step
    Default FIDO Credential Removal Flow
    Delete OAuth 2.0 Session Initiation Step
    OAuth 2.0 Session Reset Step
    OAuth 2.0 Session Reset
Step Selection Step Selection Step
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.condition.UserIdentifiedConditionConfig
    id: UserIdentifiedConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    User Identity Map

    Description

    Provides identity information of the user.

    If a user has been identified, the following values are provided:

    • user-id: the ID of the current user.
    • provided-username: the provided username (if present).
    • username-to-propagate: the username to propagate for the current user (if present).
    • representer-user-id: the user ID of the representer (if present).

    May be used by
    mTAN Transaction Approval Step, Secret Questions Identity Verification Step, Set Authentication Method Migration Step, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Airlock 2FA Self-Service Approval Step, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Account Link Linking Initiation Step, Remote Event Subscriber (Loginapp), Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Airlock 2FA Message Provider, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, Selection Step for Public Self-Service, OATH OTP Activation Step, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Delete FIDO Credential Initiation Step, Login From New Device Step, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, Cronto Message Provider, User Identification By Data Step (Public Self-Service), Translated String Provider, Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Template-based String Provider, Apply Changes Step, User Persisting Step Config, Start User Representation Step, mTAN Message Provider, String From Map Value Provider, Mandatory Password Change Step Config, SMS Event Subscriber (Loginapp), Disable Cronto Device Initiation Step, Email Message Provider, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Username Password Authentication Step, Certificate Credential Extraction Step Config, Set Password Step Config, Password Change Self-Service Step, SSI Verification Step, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, mTAN Self-Service Approval Step, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Delete mTAN Number Initiation Step, SSI Authentication Step, Template-based Username Transformer, Transforming Value Map Provider, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Email Event Subscriber (Loginapp), Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Airlock 2FA Mobile Only Authentication Step, Voluntary Password Change Step, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), Username Generation Step Config, Remember-Me Reset Step, Delete OAuth 2.0 Session Initiation Step, Ticket String Provider Config, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.valueprovider.UserIdentityValueMapProviderConfig
    id: UserIdentityValueMapProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    User Info Mapping

    Description
    Mappings between XML UserInfo/Attribute/Ids and Airlock IAM context-data-keys. XML attributes that need not be mapped should be left out.
    May be used by
    Properties
    XML Attribute Id (xmlAttributeId)
    Description
    This XML UserInfo/Attribute/Ids is mapped to the specified UserContextData key.
    Attributes
    String
    Mandatory
    Example
    town
    Example
    surname
    Context Data Key (contextDataKey)
    Description
    The name of the context-data-key the specified user-id-attribute is mapped to.
    Attributes
    String
    Mandatory
    Example
    city
    Example
    lastname
    Only Import For New Users (onlyImportForNewUsers)
    Description
    If enabled, existing values in the DB are not updated with values read from the file.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.xmlimporter.UserInfoMapping
    id: UserInfoMapping-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataKey:
      onlyImportForNewUsers: false
      xmlAttributeId:
    

    User Information Group Config

    Description
    Defines user-group-dependent settings for the user data self-information call.
    Properties
    Group Condition (groupCondition)
    Description
    The group condition that selects these user data context data settings for a user.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Context Data Items (contextDataItems)
    Description

    List of configurable context data names.

    Each context data name corresponds to a context data field of the persister and must be present there.

    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.rest.application.configuration.UserInformationGroupConfig
    id: UserInformationGroupConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataItems:
      groupCondition:
    

    User Information Self-Service

    Description
    Configures the protected session-less REST endpoint /<loginapp-uri>/rest/protected/my/self/.
    Properties
    Context Data Item Names (contextDataItemNames)
    Description
    List of names of context data fields to be returned for reading if no group settings are matching. This must be a subset of the context data fields configured in the user persister.
    In any case, even if no list is configured, the two fields 'latestSuccessfulAuthentication' and 'secondLatestSuccessfulAuthentication' are returned in the attributes.
    Additionally configured context data is returned in a separate map 'contextData' within the attributes.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Group Settings (groupSettings)
    Description

    User data self information settings may be defined depending on a user's group membership.

    This list defines group-specific settings:

    1. If the group's condition is met by the user, the corresponding settings are used for this user.
    2. The list is processed in order of definition, i.e. the first matching group condition determines the settings used.
    3. If no group condition is met, the configured group-independent context data names are used.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.rest.application.configuration.UserSelfInformationConfig
    id: UserSelfInformationConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataItemNames:
      groupSettings:
    
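    The selection rules documented above (first matching group wins, otherwise the group-independent list, and the two fixed authentication fields in any case), as an added Python example that is not Airlock IAM code; the persister fields, user records and role-based group conditions are constructed assumptions standing in for the real plugins.

```python
"""Added example, not Airlock IAM code: resolves which context data fields the
/rest/protected/my/self/ endpoint would return for a user, following the
rules documented for 'Context Data Item Names' and 'Group Settings'.
User records, persister fields and group conditions are constructed sample
data; the real plugin interfaces are not modelled."""

from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Returned in the attributes in any case, even when no list is configured.
ALWAYS_RETURNED = ("latestSuccessfulAuthentication",
                   "secondLatestSuccessfulAuthentication")


@dataclass
class GroupSetting:
    """Stand-in for 'User Information Group Config' (constructed)."""
    name: str
    condition: Callable[[dict], bool]  # stand-in for the group condition plugin
    context_data_items: List[str]


@dataclass
class SelfInfoConfig:
    """Stand-in for 'User Information Self-Service' (constructed)."""
    persister_fields: List[str]          # context data fields of the user persister
    context_data_item_names: List[str]   # group-independent fallback list
    group_settings: List[GroupSetting] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Every configured name must be a context data field of the persister;
        # reject the configuration otherwise instead of exposing unknown fields.
        known = set(self.persister_fields)
        scopes = [("contextDataItemNames", self.context_data_item_names)]
        scopes += [(gs.name, gs.context_data_items) for gs in self.group_settings]
        for scope, names in scopes:
            unknown = [n for n in names if n not in known]
            if unknown:
                raise ValueError(f"{scope}: not persister fields: {unknown}")


def select_item_names(config: SelfInfoConfig, user: dict) -> List[str]:
    """First group whose condition the user meets wins; otherwise the
    group-independent names are used."""
    for gs in config.group_settings:
        if gs.condition(user):
            return list(gs.context_data_items)
    return list(config.context_data_item_names)


def self_information(config: SelfInfoConfig, user: dict) -> Dict[str, Any]:
    """Build the 'attributes' part of the response: the two fixed fields plus
    the selected context data in a separate 'contextData' map."""
    attributes: Dict[str, Any] = {key: user.get(key) for key in ALWAYS_RETURNED}
    selected = select_item_names(config, user)
    attributes["contextData"] = {name: user["contextData"].get(name)
                                 for name in selected}
    return attributes


# --- constructed sample configuration and users ----------------------------
def has_role(role: str) -> Callable[[dict], bool]:
    return lambda user: role in user.get("roles", [])


SAMPLE_CONFIG = SelfInfoConfig(
    persister_fields=["city", "lastname", "iban", "phone"],
    context_data_item_names=["city"],
    group_settings=[
        # Order matters: a user who is both 'premium' and 'staff' gets the
        # premium settings because that group is defined first.
        GroupSetting("premium", has_role("premium"), ["city", "lastname", "iban"]),
        GroupSetting("staff", has_role("staff"), ["city", "lastname", "phone"]),
    ],
)


def sample_user(roles: List[str]) -> dict:
    """Constructed user record as a persister would load it."""
    return {
        "roles": roles,
        "latestSuccessfulAuthentication": "2024-05-01T08:00:00Z",
        "secondLatestSuccessfulAuthentication": "2024-04-30T17:45:00Z",
        "contextData": {"city": "Zurich", "lastname": "Muster",
                        "iban": "CH-constructed-iban", "phone": "+41-constructed"},
    }


if __name__ == "__main__":
    for roles in (["premium", "staff"], ["staff"], []):
        print(roles, self_information(SAMPLE_CONFIG, sample_user(roles)))
```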

    User Locked

    Description
    Event that is triggered when a user's account is locked.
    Properties
    Lock Reason (lockReason)
    Description
    A pattern for matching the lock reason. If the lock reason does not match, the event will not be handled.
    Attributes
    RegEx
    Optional
    Default value
    .*
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.event.UserLockedSubscribedEventConfig
    id: UserLockedSubscribedEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      lockReason: .*
    

    User Management Extension Access Rule Config

    Description
    Defines fine-grained permissions for User Management Extensions.
    Properties
    Id (id)
    Description
    The ID of a User Management Extension for which to configure the access.
    Attributes
    String
    Mandatory
    Roles (roles)
    Description
    Defines the set of required roles needed to view the specified User Management Extension. Multiple roles are specified as a comma-separated list. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
    Attributes
    String
    Optional
    Suggested values
    • NO RESTRICTION
    • useradmin
    • tokenadmin
    • helpdesk
    • sysadmin
    • superadmin
    • useradmin,tokenadmin
    • useradmin,helpdesk
    • tokenadmin,helpdesk
    • sysadmin,superadmin
    • useradmin,tokenadmin,helpdesk,sysadmin,superadmin
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.UserManagementExtensionAccessRuleConfig
    id: UserManagementExtensionAccessRuleConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      id:
      roles:
    

    User Management Extension Config

    Description

    User Management Extensions are added as a tab in the User Management of the Adminapp.

    For someone to see the User Management Extension, they need the corresponding access rights. These have to be set in the Adminapp Access Control.

    Please consult the official Airlock IAM documentation for more information.

    May be used by
    Properties
    ID (id)
    Description
    An identifier which must be unique across all User Management Extensions. This identifier is also used to determine the translation for the name of the tab in the user details page (defined as the key 'user.user-management-extension.title.<id>').
    Attributes
    String
    Mandatory
    Validation RegEx: [a-zA-Z0-9]+
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.user.UserManagementExtensionConfig
    id: UserManagementExtensionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      id:
    

    User Not Valid Anymore Predicate Config

    Description
    Returns true for users whose 'not valid after' fields lie in the past. If 'not valid after' is not set, the predicate is 'false'. The evaluation doesn't consider the current value of the 'valid' field.
    May be used by
    Properties
    Grace Period [d] (gracePeriod)
    Description
    Number of days after 'not valid after' during which the predicate still returns 'true'. If not set, the grace period is implicitly set to 0.
    Attributes
    Integer
    Optional
    Default value
    0
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.user.UserNotValidAnymorePredicateConfig
    id: UserNotValidAnymorePredicateConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      gracePeriod: 0
    

    User Passwords Map

    Description

    Provides the entered passwords as strings, under the keys configured in the corresponding password check steps.

    If a step has no key configured, no password attribute is stored in the flow session.

    Only passwords entered (and stored) during the current session can be provided. Persisted passwords are hashed and not available.

    All passwords are provided under the key they were stored under during the current session.

    May be used by
    mTAN Transaction Approval Step, Secret Questions Identity Verification Step, Set Authentication Method Migration Step, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Airlock 2FA Self-Service Approval Step, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Account Link Linking Initiation Step, Remote Event Subscriber (Loginapp), Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Airlock 2FA Message Provider, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, Selection Step for Public Self-Service, OATH OTP Activation Step, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Delete FIDO Credential Initiation Step, Login From New Device Step, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, Cronto Message Provider, User Identification By Data Step (Public Self-Service), Translated String Provider, Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Template-based String Provider, Apply Changes Step, User Persisting Step Config, Start User Representation Step, mTAN Message Provider, String From Map Value Provider, Mandatory Password Change Step Config, SMS Event Subscriber (Loginapp), Disable Cronto Device Initiation Step, Email Message Provider, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Username Password Authentication Step, Certificate Credential Extraction Step Config, Set Password Step Config, Password Change Self-Service Step, SSI Verification Step, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, mTAN Self-Service Approval Step, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Delete mTAN Number Initiation Step, SSI Authentication Step, Template-based Username Transformer, Transforming Value Map Provider, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Email Event Subscriber (Loginapp), Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Airlock 2FA Mobile Only Authentication Step, Voluntary Password Change Step, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), Username Generation Step Config, Remember-Me Reset Step, Delete OAuth 2.0 Session Initiation Step, Ticket String Provider Config, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.password.UserPasswordValueMapProviderConfig
    id: UserPasswordValueMapProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    User Persister Configuration

    Description
    Configuration of user persister settings to access users in the admintool.
    Properties
    User Persister (userPersister)
    Description
    Persister plugin used to load and store users from a database, directory, or the like.

    If the property "User Iterator" is not defined, this plugin is also used for listing and finding users.

    Depending on the configured features, the plugin must be able to insert and delete users (i.e. implement the "ExtendedUserPersister" interface).

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    User Iterator (userIterator)
    Description
    Persister plugin used to list and search users by querying a database, directory, or the like.

    This property is only needed if listing and searching users requires a persister configured differently from the one in "User Persister".

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    User List Detail Loader (userListDetailLoader)
    Description
    Persister plugin used to load user data for the user list page. Normally, user data is loaded using the user persister plugin defined in property "User Persister". However, this can be inefficient if a lot of data that the user list page does not need is loaded.
    By defining a differently configured persister plugin (or a different plugin) here, loading user data for the user list page can be sped up.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.users.UserPersisterConfiguration
    id: UserPersisterConfiguration-xxxxxx
    displayName: 
    comment: 
    properties:
      userIterator:
      userListDetailLoader:
      userPersister:
    

    User Persister Email Certificate Provider

    Description
    The Certificate Provider is used to load the certificate for a given email address. The certificate can be stored either in PEM format or as a Base64 encoding of the binary data.
    May be used by
    Properties
    User Persister (userPersister)
    Description
    The User Persister is used to load the certificate for the user given his or her email address. Both the context data field containing the email address and the field containing the certificate must be configured. The configured User Persister must also be a UserIterator (usually this is the case).
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Context Data Field Containing Email (contextDataFieldContainingEmail)
    Description
    The name of the context data field containing the email address.
    Attributes
    String
    Mandatory
    Example
    email
    Context Data Field Containing Certificate (contextDataFieldContainingCertificate)
    Description
    The name of the context data field containing the certificate.
    Attributes
    String
    Mandatory
    Example
    cert_x509_data
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.email.UserPersisterEmailCertificateProvider
    id: UserPersisterEmailCertificateProvider-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataFieldContainingCertificate:
      contextDataFieldContainingEmail:
      userPersister:
    
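    The following is an added example and not Airlock IAM code: it emulates what this provider has to do with the two storage formats described above, iterating over user records, requiring exactly one user for the email address, and turning either a PEM block or a bare Base64 string into the binary certificate bytes. The user records, the field names "email" and "cert_x509_data", and the tiny DER blob standing in for a certificate are all constructed for the demo; a real deployment would hand the resulting bytes to an X.509 parser.

```python
"""Resolve a user's certificate by e-mail address from context data that holds
it either as PEM or as Base64-encoded binary data. Illustrative example, not
Airlock IAM code; all user records below are constructed for the demo."""
import base64
import re

# Constructed sample DER blob (a SEQUENCE containing INTEGER 1), NOT a real
# certificate; it only stands in for binary certificate bytes so that the
# example runs offline.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

# Constructed user records, shaped like context data a persister would return.
USERS = [
    {"username": "alice", "email": "alice@example.com", "cert_x509_data": SAMPLE_PEM},
    {"username": "bob", "email": "bob@example.com",
     "cert_x509_data": base64.b64encode(SAMPLE_DER).decode()},
    {"username": "carol", "email": "shared@example.com", "cert_x509_data": SAMPLE_PEM},
    {"username": "dave", "email": "shared@example.com", "cert_x509_data": SAMPLE_PEM},
    {"username": "erin", "email": "erin@example.com", "cert_x509_data": ""},
]

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


class CertificateLookupError(Exception):
    pass


def decode_certificate(value):
    """Return the binary certificate from a PEM block or a bare Base64 string."""
    if not value or not value.strip():
        raise CertificateLookupError("no certificate stored for this user")
    match = _PEM_RE.search(value)
    body = match.group(1) if match else value
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError as exc:
        raise CertificateLookupError(f"certificate is neither PEM nor Base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise CertificateLookupError("decoded data does not start with a DER SEQUENCE")
    return der


def find_users_by_email(users, email, email_field):
    """Exact (case-insensitive) match on the configured e-mail field."""
    wanted = email.strip().lower()
    return [u for u in users if str(u.get(email_field, "")).strip().lower() == wanted]


def load_certificate(users, email, email_field="email", cert_field="cert_x509_data"):
    """Emulate the provider: iterate users, require exactly one match, decode."""
    matches = find_users_by_email(users, email, email_field)
    if not matches:
        raise CertificateLookupError(f"no user with {email_field}={email!r}")
    if len(matches) > 1:
        # Refuse ambiguous lookups: silently taking the first hit would let one
        # user's certificate be used for another user's e-mail address.
        names = ", ".join(sorted(u["username"] for u in matches))
        raise CertificateLookupError(f"{email_field}={email!r} is not unique ({names})")
    return decode_certificate(matches[0].get(cert_field))


if __name__ == "__main__":
    for addr in ("alice@example.com", "BOB@example.com", "shared@example.com",
                 "erin@example.com", "nobody@example.com"):
        try:
            print(addr, "->", load_certificate(USERS, addr).hex())
        except CertificateLookupError as err:
            print(addr, "->", "error:", err)
```

    The ambiguity check is the part worth keeping in mind when choosing the email context data field: unless that field is unique per user, the lookup result depends on iteration order.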

    User Persister-based User Store

    Description

    This is a user store implementation that emulates the user store interface by calling user persister and user iterator methods of existing user persister plugins.

    Note that this user store cannot handle complex queries and therefore is not suited for all use-cases.

    Properties
    User Persister (userPersister)
    Description
    A user persister that will be used to retrieve and update users.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.application.configuration.store.user.UserPersisterBasedUserStoreProvider
    id: UserPersisterBasedUserStoreProvider-xxxxxx
    displayName: 
    comment: 
    properties:
      userPersister:
    

    User Persisting Step Config

    Description
    Non-interactive user self-registration flow step that persists the user.
    Properties
    User Persistency Strategy (persistencyStrategy)
    Description
    Specifies the persistency strategy to be applied when storing the currently self-registering user.
    • INSERT: The user is persisted via an insert operation. The step fails if a user with the same username as the self-registering user already exists.
    • UPDATE: The user is persisted via an update operation. The step fails if no user with the same username as the self-registering user exists.
    • AUTO: The system chooses the insert operation if no user with the self-registering user's username exists, and the update operation otherwise.
    As it is usually clear at a given step of the flow whether the user must be inserted or updated, AUTO is not a recommended default value: with AUTO, an unexpectedly existing user is updated instead of causing the step to fail.
    Attributes
    Enum
    Optional
    Default value
    INSERT
    Token Insertion Handlers (tokenInsertionHandlers)
    Description

    List of Token Insertion Handlers. Each handler can apply (persist) a specific token from a previous step (which typically stores a description of the token in the flow session).

    When using several User Persisting Steps please be aware of the following limitations:

    • Token Insertion Handlers are not able to update already persisted tokens
    • Only one token per token type (e.g. Airlock 2FA, mTAN) can be persisted during the overall flow

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.step.UserPersistingStepConfig
    id: UserPersistingStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      persistencyStrategy: INSERT
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      tokenInsertionHandlers:
    
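    The following is an added example, not Airlock IAM code, that models the behaviour described above for one self-registration flow containing two User Persisting Steps: the three persistency strategies, and the two token insertion limitations (a handler cannot update a token that was already persisted, and only one token per type can be persisted during the whole flow). The toy user store, the flow session layout ("token:<type>" keys) and the assumption that a handler leaves an already persisted token untouched are all constructed for the demo.

```python
"""Model of the User Persisting Step: INSERT/UPDATE/AUTO persistency strategies
and token insertion handlers across two persisting steps in one flow.
Illustrative example, not Airlock IAM code; store, session layout and handler
behaviour are assumptions made for the demo."""
from dataclasses import dataclass, field
from enum import Enum


class PersistencyStrategy(Enum):
    INSERT = "INSERT"
    UPDATE = "UPDATE"
    AUTO = "AUTO"


class StepFailure(Exception):
    """The step fails; without an On Failure Goto the whole flow fails."""


@dataclass
class StoredUser:
    username: str
    context_data: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)  # token type -> token description


class UserStore:
    """Toy user persister: insert fails on an existing user, update on a missing one."""

    def __init__(self):
        self._users = {}

    def find(self, username):
        return self._users.get(username)

    def insert(self, username, context_data):
        if username in self._users:
            raise StepFailure(f"INSERT: user {username!r} already exists")
        self._users[username] = StoredUser(username, dict(context_data))

    def update(self, username, context_data):
        if username not in self._users:
            raise StepFailure(f"UPDATE: user {username!r} does not exist")
        self._users[username].context_data.update(context_data)


@dataclass
class TokenInsertionHandler:
    token_type: str  # e.g. "mTAN", "Airlock 2FA"

    def apply(self, flow_session, stored_user):
        """Persist the token description an earlier step left in the session.
        Assumption: a token of this type that is already persisted is left
        untouched, since handlers cannot update persisted tokens."""
        description = flow_session.get("token:" + self.token_type)
        if description is None or self.token_type in stored_user.tokens:
            return False
        stored_user.tokens[self.token_type] = description
        return True


def run_persisting_step(store, flow_session, strategy, handlers):
    """Return (effective strategy, token types persisted by this step)."""
    username = flow_session["username"]
    if strategy is PersistencyStrategy.AUTO:
        strategy = (PersistencyStrategy.UPDATE if store.find(username)
                    else PersistencyStrategy.INSERT)
    if strategy is PersistencyStrategy.INSERT:
        store.insert(username, flow_session.get("context_data", {}))
    else:
        store.update(username, flow_session.get("context_data", {}))
    stored = store.find(username)
    return strategy, [h.token_type for h in handlers if h.apply(flow_session, stored)]


def demo():
    """Two persisting steps in one self-registration flow for 'alice'."""
    store = UserStore()
    handlers = [TokenInsertionHandler("mTAN"), TokenInsertionHandler("Airlock 2FA")]
    session = {"username": "alice", "context_data": {"email": "alice@example.com"},
               "token:mTAN": {"number": "+41 79 000 00 01"}}
    first = run_persisting_step(store, session, PersistencyStrategy.INSERT, handlers)
    # Later steps change the mTAN number and activate Airlock 2FA, then persist again.
    session["token:mTAN"] = {"number": "+41 79 000 00 02"}
    session["token:Airlock 2FA"] = {"device": "phone-1"}
    second = run_persisting_step(store, session, PersistencyStrategy.UPDATE, handlers)
    alice = store.find("alice")
    failures = []
    for strategy, name in ((PersistencyStrategy.INSERT, "alice"),
                           (PersistencyStrategy.UPDATE, "bob")):
        try:
            run_persisting_step(store, {"username": name}, strategy, [])
        except StepFailure as exc:
            failures.append(str(exc))
    auto = run_persisting_step(store, {"username": "bob"}, PersistencyStrategy.AUTO, [])
    return {"first": first, "second": second, "mtan": alice.tokens["mTAN"]["number"],
            "tokens": sorted(alice.tokens), "failures": failures, "auto": auto[0]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    In the demo the second persisting step stores the Airlock 2FA token but leaves the first mTAN number in place, which is exactly the limitation to plan for when a flow collects a token before and after a persisting step.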

    User Principal Name Provider

    Description
    Provides the username of the current user.
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.valueprovider.UserPrincipalNameProviderConfig
    id: UserPrincipalNameProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    User Profile Item Search Config

    Description
    Configuration of a user profile search item. The property name must refer to a configured User Profile Item of the user list.

    Note: Currently only string and list items are supported by the search.

    May be used by
    Properties
    Property Name (propertyName)
    Description
    Name of the context-data field in which the value is stored.
    Attributes
    String
    Mandatory
    Example
    surname
    Example
    givenname
    Example
    email
    Example
    mtan_number
    Enabled By Default (enabledByDefault)
    Description
    If enabled, this profile item search is active by default.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.usersearch.UserProfileItemSearchConfig
    id: UserProfileItemSearchConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      enabledByDefault: true
      propertyName:
    

    User Representation UI

    Description
    Settings required to start and stop a user representation process.

    The representation interface is accessible at /<loginapp-uri>/ui/app/protected/representation/start and /<loginapp-uri>/ui/app/protected/representation/stop after user authentication.

    Properties
    Flow To Start Representation (flowToStartRepresentation)
    Description
    ID of the flow which is used to start a user representation.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Representee Parameter Name (representeeParameterName)
    Description
    The name of the request parameter that contains the representee's name.
    Attributes
    String
    Optional
    Default value
    user
    Example
    user
    Example
    representee
    Target Location Parameter Name (targetLocationParameterName)
    Description
    The name of the request parameter that contains the target location.
    Attributes
    String
    Optional
    Default value
    target
    Example
    target
    Example
    targetLocation
    Flow To Stop Representation (flowToStopRepresentation)
    Description
    ID of the flow which is used to stop a user representation process.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.ui.representation.RepresentationUiConfig
    id: RepresentationUiConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      flowToStartRepresentation:
      flowToStopRepresentation:
      representeeParameterName: user
      targetLocationParameterName: target
    

    User Represented Condition Config

    Description
    Condition that determines whether the current user is being represented or not. The condition is fulfilled when the user is being represented.

    User representation is started by a "Start User Representation Step" on the representer's side. The condition is useful to control access to protected self-service flows on represented users.

    May be used by
    mTAN Transaction Approval Step
    Default Enable Cronto Push Flow
    Secret Questions Identity Verification Step
    Default mTAN Deletion Flow
    Legacy mTAN Registration Flow
    Set Authentication Method Migration Step
    Advanced Migration Selection Option
    Airlock 2FA Authentication Step
    Complete Migration Step
    Failure Step
    Airlock 2FA Recovery Trusted Session Binding Step
    Email Identity Verification Step
    Scriptable Step
    Custom Protected Self-Service Flow
    Airlock 2FA Self-Service Approval Step
    Logical NOT
    Set Authentication Method Step
    OTP Check via RADIUS Step
    OAuth 2.0 SSO Step
    Cronto Device Selection Step
    Default Disable FIDO Credential Flow
    FIDO Public Self-Service Approval Step
    Cronto Transaction Approval Step
    Email OTP Transaction Approval Step
    Send Email Link Step
    Vasco OTP Public Self-Service Approval Step
    Airlock 2FA Public Self-Service Approval Step
    mTAN Authentication Step
    Risk Assessment Step
    Cronto Authentication Step
    User Data Edit Step
    Logical OR
    Account Link Linking Initiation Step
    Account Link Removal Initiation Step
    Missing Account Link Step
    CrontoSign Swiss Push Activation Step
    Flow Continuation Token Consumption Step
    Email Verification Step
    SSI Passwordless Authentication Step
    Logical AND
    Red Flag Raising Step Config
    Airlock 2FA Transaction Approval Step
    FIDO Credential Selection Step
    On Behalf Login Identity Propagation Config
    mTAN Number List
    Default OAuth 2.0 Consents Delete Flow
    Selection Step for Public Self-Service
    OATH OTP Activation Step
    Default mTAN Token Registration Flow
    SSO Ticket Authentication Step
    Enable Cronto Push Initiation Step
    Default Account Link Removal Flow
    Default Account Link Linking Flow
    Condition-based Role Provider
    Migration Selection Step
    SSI Issuance Step
    Legacy ID Propagation Adapter
    OIDC Flow Condition To ACR Value Mapping
    Phone Number Verification Step
    mTAN Public Self-Service Approval Step
    User Data Registration Step Config
    Cronto Approval Stealth Step
    Disable FIDO Credential Initiation Step
    OAuth 2.0 Client Persisting Step
    Selection Option For User Self-Registration
    Delete FIDO Credential Initiation Step
    Login From New Device Step
    Account Linking Lists Self Services
    OAuth 2.0 Consent Step
    Password-only Authentication Step
    SMS Identity Verification Step
    Cronto Public Self-Service Approval Step
    Set Context Data Step
    Matrix Public Self-Service Approval Step
    Remember-Me Token Generating Step
    Device Token List
    Selection Option For Self-Service
    Flow Condition-based OAuth 2.0 Scope Condition
    Delete Cronto Device Initiation Step
    Kerberos Authentication Step
    Vasco OTP Authentication Step
    Device Token Registration Step
    Flow Continuation Step
    Remember-Me User Identifying Step
    Airlock 2FA Device List
    Password Reset Step
    Enable FIDO Credential Initiation Step
    Device Token Authentication Step
    Matrix Self-Service Approval Step
    User Identification By Data Step (Public Self-Service)
    Cronto Activation Step
    Email OTP Authentication Step
    Email Change Verification Step
    Email Notification Step
    FIDO Self-Service Approval Step
    OAuth 2.0 Client Registration Step
    Airlock 2FA Activation Step
    Airlock 2FA Device Edit Initiation Step
    Select mTAN Token Step
    Secret Questions Provisioning Step
    Airlock 2FA Device Edit Step
    Apply Changes Step
    User Persisting Step Config
    Start User Representation Step
    Default OAuth 2.0 Session Deletion Flow
    Default Cronto Device Removal Flow
    Mandatory Password Change Step Config
    Target URI ID Propagator
    Disable Cronto Device Initiation Step
    OAuth 2.0 Consent Grant Initiation Step
    Airlock 2FA Activation Trusted Session Binding Step
    User Unlock Step (Self-Registration)
    Default mTAN Token Edit Flow
    Cronto Device List
    FIDO Registration Step
    Delete Remember-Me Device Initiation Step
    Transaction Approval Parameter Step
    Default FIDO Credential Display Name Change Flow
    User Identification Step
    User Identification By Data Step
    Representation SSO Ticket Identifying Step
    Unlock User Step (Public Self-Service)
    Airlock 2FA Usernameless Authentication Step
    Matrix Authentication Step
    mTAN Token Edit Step
    Enable Cronto Device Initiation Step
    Airlock 2FA Activation Letter Order Step
    OAuth 2.0 Consent Deny Initiation Step
    Tag Removal Step Config
    FIDO Authentication Step
    Cronto Device Reset Step Config
    Default Disable Cronto Push Flow
    Abort Step
    mTAN Token Registration Step
    Airlock 2FA Device Delete Initiation Step
    Selection Option For Public Self-Service
    Username Password Authentication Step
    Certificate Credential Extraction Step Config
    OAuth 2.0 Session List
    Set Password Step Config
    Flow Condition To Authentication Context Mapping
    Password Change Self-Service Step
    SSI Verification Step
    Default OAuth 2.0 Consent Deny Flow
    Device Token Identity Verification Step Config
    Cronto Self-Service Approval Step
    FIDO Credential List
    Lock Self-Service Step
    Password Letter Order Step (Public Self-Service)
    Default Enable Cronto Device Flow
    Airlock 2FA Delete Devices Step
    Vasco OTP Self-Service Approval Step
    Selection Step for User Self-Registration
    Vasco OTP Device Activation
    User Role Assignment Step Config
    Default Enable FIDO Credential Flow
    mTAN Self-Service Approval Step
    Selection Option
    Rename Cronto Device Step
    OATH OTP Authentication Step
    User Identification Step (Public Self-Service)
    Default Cronto Device Renaming Flow
    Delete mTAN Number Initiation Step
    SSI Authentication Step
    Default Disable Cronto Device Flow
    Password Repository Mapping
    Default Remember-Me Device Deletion Flow
    mTAN Verification Step
    Conditional Value Map Provider
    FIDO Credential Display Name Change Step
    Application Portal Target Config
    Legacy Email OTP Authentication Step
    Never Migrate Step
    Selection Step for Self-Service
    Cronto Letter Order Step Config
    No Operation Step
    Terms Of Services Step
    Role-based Tag Acquisition Step
    FIDO Passwordless Authentication Step
    Disable Cronto Push Initiation Step
    Stop User Representation Step
    Acknowledge Message Step
    HTTP Basic Authentication Step
    Target Applications and Authentication
    Airlock 2FA Mobile Only Authentication Step
    Generic ID Propagator
    Voluntary Password Change Step
    Remember-Me Device List
    SAML 2.0 SP User Identifying Step
    OAuth 2.0 Consents Delete Initiation Step
    Airlock 2FA Activation Step (with additional Activation)
    OAuth 2.0 Consent List
    Default OAuth 2.0 Consent Grant Flow
    Username Generation Step Config
    Remember-Me Reset Step
    Default FIDO Credential Removal Flow
    Delete OAuth 2.0 Session Initiation Step
    OAuth 2.0 Session Reset Step
    Selection Step
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.selection.condition.UserRepresentedConditionConfig
    id: UserRepresentedConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    User Role Assignment Step Config

    Description
    Non-interactive user self-registration step that assigns roles to the user.
    Properties
    Roles (roles)
    Description
    Roles to be assigned to the user. Existing roles are retained. The roles need to be set as 'Available User Roles' in the Adminapp to be changeable by an administrator.
    Attributes
    String-List
    Mandatory
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.step.UserRoleAssignmentStepConfig
    id: UserRoleAssignmentStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      roles:
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    User Roles Changed

    Description
    Event that is published when user roles are changed in the Adminapp.

    The event data contains the string lists event.data.oldRoles and event.data.newRoles (all the user's roles before and after the change, respectively), as well as, for convenience, event.data.addedRoles and event.data.removedRoles.

    Properties
    Role Pattern (rolePattern)
    Description
    A pattern for matching the changed roles. The event is only handled if at least one of the changed roles (added or removed) matches the pattern.
    Attributes
    RegEx
    Optional
    Default value
    .*
    Handle Added Roles (handleAddedRoles)
    Description
    If enabled, events that involve at least one added role (matching the pattern above) will be handled.
    Attributes
    Boolean
    Optional
    Default value
    true
    Handle Removed Roles (handleRemovedRoles)
    Description
    If enabled, events that involve at least one removed role (matching the pattern above) will be handled.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.event.UserRolesChangedSubscribedEventConfig
    id: UserRolesChangedSubscribedEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      handleAddedRoles: true
      handleRemovedRoles: true
      rolePattern: .*
    
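    The following is an added example, not Airlock IAM code. It builds the event payload described above from the roles before and after a change and then applies the three properties (Role Pattern, Handle Added Roles, Handle Removed Roles) to decide whether a subscriber handles the event. Two details are assumptions made for the demo: the pattern is matched against the whole role name (Java-style matches, not a substring search), and a change in a disabled direction is ignored even when it matches the pattern. The sample role changes are constructed.

```python
"""Decide whether a User Roles Changed event is handled under a given Role
Pattern / Handle Added Roles / Handle Removed Roles configuration.
Illustrative example, not Airlock IAM code; the events are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class UserRolesChangedConfig:
    role_pattern: str = ".*"
    handle_added_roles: bool = True
    handle_removed_roles: bool = True


def build_event(username, old_roles, new_roles):
    """Event payload with the four lists named in the documentation."""
    old, new = set(old_roles), set(new_roles)
    return {"type": "UserRolesChanged",
            "data": {"username": username,
                     "oldRoles": sorted(old), "newRoles": sorted(new),
                     "addedRoles": sorted(new - old), "removedRoles": sorted(old - new)}}


def is_handled(config, event):
    """Assumption: the pattern must match a whole role name, and a change only
    counts in the directions (added / removed) that are enabled."""
    pattern = re.compile(config.role_pattern)
    data = event["data"]
    added = config.handle_added_roles and any(
        pattern.fullmatch(r) for r in data["addedRoles"])
    removed = config.handle_removed_roles and any(
        pattern.fullmatch(r) for r in data["removedRoles"])
    return bool(added or removed)


def handled_usernames(config, events):
    return [e["data"]["username"] for e in events if is_handled(config, e)]


# Constructed sample of role changes made in the Adminapp.
EVENTS = [
    build_event("alice", ["user"], ["user", "admin"]),      # privilege granted
    build_event("bob", ["user", "admin"], ["user"]),        # privilege revoked
    build_event("carol", ["user"], ["user", "guest"]),      # harmless role
    build_event("dave", ["helpdesk"], ["helpdesk"]),        # no effective change
]

# Subscriber that only cares about grants of privileged roles (hypothetical
# naming scheme: "admin", "helpdesk", optionally with a "-suffix").
PRIVILEGE_GRANTS = UserRolesChangedConfig(role_pattern=r"(admin|helpdesk)(-.*)?",
                                          handle_removed_roles=False)


if __name__ == "__main__":
    print("default config handles:", handled_usernames(UserRolesChangedConfig(), EVENTS))
    print("privilege grants only:", handled_usernames(PRIVILEGE_GRANTS, EVENTS))
```

    With the default values every event that adds or removes at least one role is handled; the narrowed configuration is the one to use when the subscriber feeds an alert on administrative role grants and should stay quiet on revocations.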

    User Roles Custom Claim

    Description
    A custom claim that adds a JSON array containing the user's persistent roles to the issued token.

    If a role transformation is configured in the Authorization Server, this claim will contain the transformed roles.

    Properties
    Claim Name (claimName)
    Description
    The name (JSON key) of the claim.

    Attention: If a custom claim with this same claim name already exists, it will result in a runtime error.

    Using a registered claim name (see RFC 7519) might cause the claim to be ignored or an exception to be thrown.
    Attributes
    String
    Mandatory
    Example
    firstname
    Example
    street
    Example
    zip
    Example
    country
    Example
    roles
    Claim Condition (claimCondition)
    Description

    This custom claim will only be added to the issued token if the configured condition is satisfied.

    If no condition is configured, the custom claim will always be added.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.claims.CustomUserRoleClaimConfig
    id: CustomUserRoleClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claimCondition:
      claimName:
    

    User Self Information Group Config

    Description
    Defines user group-dependent settings of the user data self information page.
    Properties
    Group Condition (groupCondition)
    Description
    The group condition that selects these user data information settings for a user.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Context Data Item Names (contextDataItemNames)
    Description
    List of names of context data fields to be returned for reading if the group condition matches. This must be a subset of the context data fields configured in the user persister.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.rest.application.configuration.UserSelfInformationGroupConfig
    id: UserSelfInformationGroupConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataItemNames:
      groupCondition:
    

    User Self-Registration Flow

    Description
    Configuration for a user self-registration flow.
    Properties
    Flow ID (flowId)
    Description
    Unique ID for this flow, which is used for selecting or referencing a flow.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Additional Unique Items (additionalUniqueItemDefinitions)
    Description
    List of additional user data items whose global uniqueness is enforced by the system. Note that all login names (username and alias names) are automatically considered for the uniqueness verification.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Initial Lock Reason (initialLockReason)
    Description

    The lock reason used for initially locking the self-registered user.

    At the start of the flow the user is initially locked and a User Unlock Step is needed to unlock it.

    Attributes
    String
    Optional
    Default value
    LockReason.AwaitingAdminApproval
    Suggested values
    LockReason.PendingChannelVerification, LockReason.AwaitingAdminApproval
    Password Repository (passwordRepository)
    Description

    The password repository used to persist passwords. Required if there is a data registration step with a "Password User Item" configured.

    The "Default Password Repository" cannot be used here.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Initialize Next Auth Flow (initializeNextAuthFlow)
    Description

    If enabled, the next authentication flow after completing this self-registration flow will be initialized with the user identity and tags from the self-registration. By combining this feature with authentication flows where steps can be skipped based on tags from self-registration, a non-interactive authentication after completed self-registration can be achieved.

    Attributes
    Boolean
    Optional
    Default value
    false
    Enable Stealth Mode (enableStealthMode)
    Description

    Determines whether the registration should run in Stealth Mode, which can protect against enumeration attacks on the first channel verification target. All other user items (including login names) are not protected against enumeration attacks.

    Enabling this flag has the following effects:

    • The target item definition from the first channel verification step is protected from enumeration attacks.
    • At any stage (except when persisting the user), conflicts with existing users are not reported for that item. Hence the channel verification step has to precede persisting steps.
    • Any other unique user item (i.e. login names and items explicitly listed as 'unique' in Additional Unique Items) must not be valid according to the validation property configured for the first channel verification target. (E.g. if channel verification is performed on the email address, no other unique item may be a valid email address.)

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.flow.UserSelfRegFlowConfig
    id: UserSelfRegFlowConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      additionalUniqueItemDefinitions:
      enableStealthMode: false
      flowId:
      initialLockReason: LockReason.AwaitingAdminApproval
      initializeNextAuthFlow: false
      passwordRepository:
      processors:
      steps:
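
The following is an added example, not Airlock IAM code, that models the two Stealth Mode rules above: conflicts on the first channel verification target (an email item here) are not reported to the client, and no other unique item may hold a value that is valid for that target. The user records, item names, email validation regex and function names are constructed for illustration.

```python
import re

# Constructed sample of existing users; not real data.
EXISTING_USERS = [
    {"username": "alice", "email": "alice@example.com", "customerNo": "C-1001"},
    {"username": "bob", "email": "bob@example.com", "customerNo": "C-1002"},
]

# Assumed validation property of the first channel verification target.
EMAIL_VALIDATION = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CHANNEL_TARGET = "email"
# Login names plus the items listed under "Additional Unique Items" (assumed names).
OTHER_UNIQUE_ITEMS = ("username", "customerNo")


def values_in_use(item):
    return {u[item] for u in EXISTING_USERS if item in u}


def unique_item_conflicts(registration, stealth_mode):
    """Unique-item conflicts the flow may report back to the client.

    With Stealth Mode enabled, the channel verification target is never
    reported as conflicting, so the response is identical whether or not that
    address is already registered. The conflict is only resolved when the user
    is persisted, i.e. after the address has been verified, which is why the
    channel verification step must precede the persisting step.
    """
    reported = []
    for item in (CHANNEL_TARGET,) + OTHER_UNIQUE_ITEMS:
        if item not in registration:
            continue
        if stealth_mode and item == CHANNEL_TARGET:
            continue  # protected item: stay silent about existing users
        if registration[item] in values_in_use(item):
            reported.append(item)
    return reported


def stealth_constraint_violations(registration):
    """Other unique items whose value is valid for the channel target.

    Stealth Mode requires that no other unique item carries such a value
    (e.g. a username that is a syntactically valid email address), so these
    inputs must be rejected before any uniqueness check runs.
    """
    return [item for item in OTHER_UNIQUE_ITEMS
            if item in registration and EMAIL_VALIDATION.match(registration[item])]


if __name__ == "__main__":
    attempt = {"username": "carol", "email": "alice@example.com", "customerNo": "C-2000"}
    print("stealth:", unique_item_conflicts(attempt, stealth_mode=True))
    print("no stealth:", unique_item_conflicts(attempt, stealth_mode=False))
    print("violations:", stealth_constraint_violations({"username": "bob@example.com",
                                                        "email": "x@example.com"}))
```

Note the limit stated above: only the channel target is protected. A registration attempt with an existing username still reports the conflict, so login names remain enumerable through this flow.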
    

    User Self-Registration Flow Link

    Description
    Redirects to a user self-registration flow.
    Properties
    Flow ID (flowId)
    Description
    ID of the user self-registration flow to which a redirect should be performed. Make sure that a UI is configured for this flow.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    SelfRegistration
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.ui.application.configuration.UserSelfRegFlowLinkConfig
    id: UserSelfRegFlowLinkConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      flowId:
    

    User Self-Registration Flow Redirect

    Description
    Redirects to a user self-registration flow.
    Properties
    Flow ID (flowId)
    Description
    ID of the user self-registration flow to which a redirect should be performed. Make sure that a UI is configured for this flow.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.ui.UserSelfRegFlowRedirectTargetConfig
    id: UserSelfRegFlowRedirectTargetConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      flowId:
    

    User Self-Registration Flows

    Description
    Configuration of flow-based user self-registration services via REST.
    May be used by
    Properties
    Default Flow (defaultFlow)
    Description
    The default flow is automatically selected if a user self-registration is started without explicitly selecting a flow first.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Flows (flows)
    Description
    List of available user self-registration flows.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.FlowBasedUserSelfRegRestConfig
    id: FlowBasedUserSelfRegRestConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultFlow:
      flows:
    

    User Self-Registration Logging Processor

    Description

    This processor performs the logging after a successfully completed user self-registration flow.

    May be used by
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.processor.UserSelfRegLoggingProcessorConfig
    id: UserSelfRegLoggingProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    User Self-Registration UI

    Description
    User interface configuration for a user self-registration flow.
    Properties
    Flow ID (flowId)
    Description
    The identifier of the user self-registration flow that the user interface configuration refers to.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Customized Step UIs (customizedStepUis)
    Description
    The user interface configuration for the steps. Note: if using standard IAM steps, no user interface has to be configured manually.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Show Goto Buttons (showGotoButtons)
    Description

    Show Goto buttons for all configured Goto targets on all pages using default UIs of this flow. Clicking a Goto button will redirect to the corresponding Goto target. The Goto targets are configured in the flows themselves, not the UIs.

    For customized step UIs, Goto buttons have to be configured explicitly using the "Goto Button UI Element" plugin.

    Notice: Goto buttons do not come with pre-defined labels. An i18n key and value must be added for each button manually. The key looks as follows: 'registration.pages.actions.goto.<currentStepId>.<targetStepId>'.

    Attributes
    Boolean
    Optional
    Default value
    true
    Maintenance Message UI Settings (maintenanceMessageUiSettings)
    Description
    Settings to define if and how maintenance messages are displayed for this flow. If this property is not set no maintenance messages are displayed for this flow.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    MaintenanceMessages
    Assignable plugins
    Show Confirmation Page (showConfirmationPage)
    Description
    If enabled, a confirmation page is shown after a completed self-registration. Otherwise, the user is directly redirected to the configured 'Completion Target' and a corresponding feedback message 'registration.pages.messages.completed' is shown.
    Attributes
    Boolean
    Optional
    Default value
    true
    Completion Target (completionTarget)
    Description
    The target to redirect to when the self-registration is successfully completed. If "Show Confirmation Page" is enabled, the page is displayed first and the redirect happens after clicking the "continue" button. If the confirmation page is disabled, this property is mandatory.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Cancellation Target (cancellationTarget)
    Description
    If configured, shows a cancel button on all pages, except the first, using default UIs of this flow. Clicking the cancel button will abort the flow and redirect to the configured target.

    For customized step UIs, cancel buttons have to be configured explicitly using the "Cancel Button UI Element" plugin.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Show Cancel Button On First Page (showCancelButtonOnFirstPage)
    Description
    If enabled, displays the cancel button also on the first interactive page of the flow. This can be useful if the "Cancellation Target" redirects to another flow or external page.

    Note that even if this flag is disabled, a cancel button on the first page is always shown when the first page is reached again during the flow, e.g. by a Goto.

    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.ui.UserSelfRegUiConfig
    id: UserSelfRegUiConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      cancellationTarget:
      completionTarget:
      customizedStepUis:
      flowFailureTarget:
      flowId:
      maintenanceMessageUiSettings:
      showCancelButtonOnFirstPage: false
      showConfirmationPage: true
      showGotoButtons: true
    

    User Self-Registration UIs

    Description
    User interface configurations for user self-registration flows.
    May be used by
    Properties
    Flow UIs (flowUis)
    Description
    Allows to configure the user interface for the steps belonging to a flow.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.ui.UserSelfRegUiConfigs
    id: UserSelfRegUiConfigs-xxxxxx
    displayName: 
    comment: 
    properties:
      flowUis:
    

    User Self-Service Settings

    Description

    Settings for session-less user self-services. In contrast to the "Protected Self-Services" these self-services don't require an authenticated session. Instead, each request must contain authentication information, as defined by the "API Access Control" settings.

    These REST endpoints begin with the resource path /<loginapp-uri>/rest/protected/my/.

    Properties
    Password Settings (passwordSettings)
    Description

    Configures the session-less password change REST endpoint /<loginapp-uri>/rest/protected/my/password/change/ by using the "Password Service" and the "Password Policy" plugins from the referenced "Password Settings" plugin.

    Deprecated: The session-less password self-service endpoints are deprecated and will be removed in a future IAM version. Use protected self-service flows instead.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Enable Password Policy Check (enablePasswordPolicyCheck)
    Description

    Enables the public REST endpoint for checking passwords against the policy of the referenced "Password Settings" plugin. Because the endpoint is public, it can be called without authentication.
    Password policy checks are not applicable when using end-to-end encrypted passwords.

    REST endpoint: /<loginapp-uri>/rest/public/password/policy/check/

    Attributes
    Boolean
    Optional
    Default value
    false
    User Information Self-Service (userInformationSelfService)
    Description
    Configures the protected session-less REST endpoint /<loginapp-uri>/rest/protected/my/self/.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    mTAN Self-Service (Legacy) (mtanSelfService)
    Description

    Configures the protected session-less REST endpoints used to manage mobile phone numbers for mTAN authentication.

    REST endpoints: /<loginapp-uri>/rest/protected/my/tokens/mtan/*

    Deprecated: The session-less mTAN self-service endpoints are deprecated and will be removed in a future IAM version. Use protected self-service flows instead.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Cronto Self-Service (Legacy) (crontoSelfService)
    Description

    Configures the protected session-less REST endpoints used to manage Cronto tokens.

    REST endpoints: /<loginapp-uri>/rest/protected/my/tokens/cronto/*

    Deprecated: The session-less Cronto self-service endpoints are deprecated and will be removed in a future IAM version. Use protected self-service flows instead.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.rest.application.configuration.UserSelfServiceConfig
    id: UserSelfServiceConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      crontoSelfService:
      enablePasswordPolicyCheck: false
      mtanSelfService:
      passwordSettings:
      userInformationSelfService:
    

    User Specific Role Timeout Definition

    Description
    Defines user-specific idle-timeout and role life-time for a role.
    Properties
    Role (role)
    Description
    The name of the role to enhance with timeouts.
    Attributes
    String
    Mandatory
    Example
    admin
    Context Data Property (contextDataProperty)
    Description
    The context data field holding a user-specific timeout identifier to be matched against the Role-Timeout Rules.
    Attributes
    String
    Mandatory
    Example
    adminTimeouts
    Role-Timeout Rules (roleTimeoutRules)
    Description
    Mapping between timeout identifiers in the context data field and the resulting timeouts to add to the role.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Default Idle Timeout (defaultIdleTimeout)
    Description
    Default idle timeout in seconds. This value is used when the string in the context data field doesn't match any identifier in the Role-Timeout Rules.
    Attributes
    Integer
    Mandatory
    Default Life Time (defaultLifeTime)
    Description
    Default role life-time in seconds. This value is used when the string in the context data field doesn't match any identifier in the Role-Timeout Rules. If this value is not set, no life-time is added to the role.
    Attributes
    Integer
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.configuration.UserSpecificRoleTimeoutDefinition
    id: UserSpecificRoleTimeoutDefinition-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataProperty:
      defaultIdleTimeout:
      defaultLifeTime:
      role:
      roleTimeoutRules:
    

    User Specific Timeout Provider Config

    Description

    Timeouts are applied according to the "Role Timeout Rules".

    • If no rule matches, the "Default Idle Timeout" and "Default Lifetime" timeouts are applied.
    • If no rule matches and only one of "Default Idle Timeout" and "Default Lifetime" is set, the other value is implicitly set to 0, which is the default Gateway timeout.
    • If no rule matches and neither "Default Idle Timeout" nor "Default Lifetime" are set, the role timeouts are used. If none are set, the default Gateway timeouts are applied.

    0 can be used to set the default Gateway timeout value explicitly.

    Properties
    Context Data String Value Provider (contextDataStringValueProvider)
    Description
    The Context Data string, which is matched against the rules defined in the "Role Timeout Rules".
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Role Timeout Rules (roleTimeoutRules)
    Description
    Rules that are matched against the Context Data string. If a rule matches, its "Idle Timeout" and "Lifetime" are applied; only the first match is applied. If no rule matches, "Default Idle Timeout" and "Default Lifetime" are applied.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    Default Idle Timeout [s] (defaultIdleTimeout)
    Description
    "Default Idle Timeout" in seconds. This value is applied, when no "Role Timeout Rule" matches. The idle timeout configured on the Gateway is applied when this value is not set and:
    • the role doesn't have an idle timeout
    • the role does have an idle timeout and a lifetime has been set in this plugin
    Attributes
    Integer
    Optional
    Default Lifetime [s] (defaultLifetime)
    Description
    Default Lifetime in seconds. This value is applied, when no "Role Timeout Rule" matches. The lifetime configured on the Gateway (WAF) is applied when this value is not set and:
    • the role doesn't have a lifetime
    • the role does have a lifetime and an idle timeout has been set in this plugin
    Attributes
    Integer
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.wafcredentials.UserSpecificTimeoutProviderConfig
    id: UserSpecificTimeoutProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataStringValueProvider:
      defaultIdleTimeout:
      defaultLifetime:
      roleTimeoutRules:
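
The resolution order described above (first matching rule, then the plugin defaults, then the role's own timeouts, then the Gateway default) has several interacting cases, so here is an added example that models it in Python. It is not Airlock IAM code; the class and attribute names are constructed, rule identifiers are assumed to be compared by exact string equality with the Context Data value, and 0 is used, as on this page, to mean "apply the timeout configured on the Gateway".

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

GATEWAY_DEFAULT = 0  # 0 means "apply the timeout configured on the Gateway"


@dataclass
class RoleTimeoutRule:
    identifier: str      # compared with the Context Data string (exact match assumed)
    idle_timeout: int    # seconds
    lifetime: int        # seconds


@dataclass
class RoleTimeouts:
    """Timeouts already attached to the role itself, if any."""
    idle_timeout: Optional[int] = None
    lifetime: Optional[int] = None


@dataclass
class UserSpecificTimeoutProvider:
    rules: List[RoleTimeoutRule]
    default_idle_timeout: Optional[int] = None
    default_lifetime: Optional[int] = None

    def resolve(self, context_value: Optional[str],
                role: Optional[RoleTimeouts] = None) -> Tuple[int, int]:
        """Return (idle_timeout, lifetime) in seconds; 0 stands for the Gateway default."""
        role = role or RoleTimeouts()
        for rule in self.rules:  # only the first matching rule is applied
            if context_value is not None and rule.identifier == context_value:
                return rule.idle_timeout, rule.lifetime
        idle = self._fallback(self.default_idle_timeout, self.default_lifetime, role.idle_timeout)
        life = self._fallback(self.default_lifetime, self.default_idle_timeout, role.lifetime)
        return idle, life

    @staticmethod
    def _fallback(own_default: Optional[int], other_default: Optional[int],
                  role_value: Optional[int]) -> int:
        if own_default is not None:
            return own_default       # explicit default; 0 selects the Gateway value
        if other_default is not None:
            return GATEWAY_DEFAULT   # only the other default is set: this one is implicitly 0
        if role_value is not None:
            return role_value        # neither default set: the role's own timeout applies
        return GATEWAY_DEFAULT       # nothing configured anywhere


if __name__ == "__main__":
    # Constructed rules: a context data value "kiosk" or "office" selects the timeouts.
    provider = UserSpecificTimeoutProvider(
        rules=[RoleTimeoutRule("kiosk", 300, 3600), RoleTimeoutRule("office", 1800, 28800)],
        default_idle_timeout=900,  # lifetime left unset: implicitly 0 when no rule matches
    )
    print(provider.resolve("kiosk"))
    print(provider.resolve("unknown", RoleTimeouts(idle_timeout=600, lifetime=7200)))
```

The second printed case is the one most often misread: because Default Idle Timeout is set and Default Lifetime is not, the role's own lifetime of 7200 s is ignored and the Gateway lifetime applies, exactly as the second bullet under "Default Lifetime [s]" states.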
    

    User Statistics Map

    Description

    Provides some login statistics of the user.

    Currently, the following values are provided:

    • latest-successful-login: date of the latest successful login (if available).
    • second-latest-successful-login: date of the second latest successful login (if available).
    • total-logins: total number of successful logins.
    • failed-logins: number of failed login attempts since the latest successful login.
    • latest-login-attemp: date of the latest login attempt (successful or not, if available).
    • first-login: date of the first ever successful login (if available).

    May be used by
    mTAN Transaction Approval Step, Secret Questions Identity Verification Step, Set Authentication Method Migration Step, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Airlock 2FA Self-Service Approval Step, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Account Link Linking Initiation Step, Remote Event Subscriber (Loginapp), Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step,
    Airlock 2FA Message Provider, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, Selection Step for Public Self-Service, OATH OTP Activation Step, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Delete FIDO Credential Initiation Step, Login From New Device Step, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step,
    Remember-Me User Identifying Step, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, Cronto Message Provider, User Identification By Data Step (Public Self-Service), Translated String Provider, Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Template-based String Provider, Apply Changes Step, User Persisting Step Config, Start User Representation Step, mTAN Message Provider, String From Map Value Provider, Mandatory Password Change Step Config, SMS Event Subscriber (Loginapp), Disable Cronto Device Initiation Step, Email Message Provider, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), FIDO Registration Step, Delete Remember-Me Device Initiation Step,
    Transaction Approval Parameter Step, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Username Password Authentication Step, Certificate Credential Extraction Step Config, Set Password Step Config, Password Change Self-Service Step, SSI Verification Step, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation,
    User Role Assignment Step Config, mTAN Self-Service Approval Step, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Delete mTAN Number Initiation Step, SSI Authentication Step, Template-based Username Transformer, Transforming Value Map Provider, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Email Event Subscriber (Loginapp), Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Airlock 2FA Mobile Only Authentication Step, Voluntary Password Change Step, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), Username Generation Step Config, Remember-Me Reset Step, Delete OAuth 2.0 Session Initiation Step, Ticket String Provider Config, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.valueprovider.UserStatisticsValueMapProviderConfig
    id: UserStatisticsValueMapProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    User Store Configuration

    Description
    User repository configuration for the Adminapp using User Store implementations.
    Properties
    User Store (userStore)
    Description
    User store for searching, loading, creating and updating users.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    User List Detail Loader (userListDetailLoader)
    Description
    User store to load user data for the user list page. Normally, user data is loaded using the user store defined in the "User Store" property. For a fast user store this property is unnecessary, but for a slow one (e.g. one backed by a user persister) it can speed up the user list page or the user export.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.users.UserStoreConfiguration
    id: UserStoreConfiguration-xxxxxx
    displayName: 
    comment: 
    properties:
      userListDetailLoader:
      userStore:
    

    User Sync Task Config

    Description
    A task that reads users using a source user store and writes the data using another user store.

    It can be used to synchronise data (e.g. import data from an LDAP directory into a database for Airlock IAM) and to convert data.

    Data may be modified while importing. When using LDAP / AD, all context data is treated as string data.
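
The following is an added example, not Airlock IAM code, that models the sync semantics described on this page over two in-memory user stores: the username is mapped automatically, context data only through explicit attribute mappings (values are stringified, as for LDAP/AD sources), a user missing from the target is first restored from a "deleted" state and only then inserted, and the Import Roles and Import Auth Method switches delete target data when the source has none. The store classes, record fields, user names and the summary keys are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed in-memory stand-ins for the source and target user stores.


@dataclass
class StoredUser:
    username: str
    context_data: Dict[str, str] = field(default_factory=dict)
    roles: List[str] = field(default_factory=list)
    auth_method: Optional[str] = None
    deleted: bool = False


class MemoryUserStore:
    def __init__(self, users=(), default_auth_method: Optional[str] = None):
        self.users = {u.username: u for u in users}
        # Some source stores define a default authentication method (see "Import Auth Method").
        self.default_auth_method = default_auth_method

    def all_users(self) -> List[StoredUser]:
        return [u for u in self.users.values() if not u.deleted]

    def find(self, username: str) -> Optional[StoredUser]:
        u = self.users.get(username)
        return u if u is not None and not u.deleted else None

    def restore(self, username: str) -> bool:
        """Clear the "deleted" flag; True if a deleted user was restored."""
        u = self.users.get(username)
        if u is None or not u.deleted:
            return False
        u.deleted = False
        return True

    def insert(self, user: StoredUser) -> None:
        self.users[user.username] = user


def sync_users(source: MemoryUserStore, target: MemoryUserStore,
               attribute_mappings: Dict[str, str], import_roles: bool = False,
               import_auth_method: bool = False, insert_users: bool = True) -> Dict[str, int]:
    """Copy users from source to target following the User Sync Task rules."""
    summary = {"updated": 0, "restored": 0, "inserted": 0, "skipped": 0, "roles_cleared": 0}
    for src in source.all_users():
        # Username is mapped automatically; context data only via explicit mappings.
        mapped = {dst_attr: str(src.context_data[src_attr])
                  for src_attr, dst_attr in attribute_mappings.items()
                  if src_attr in src.context_data}
        dst = target.find(src.username)
        if dst is None and target.restore(src.username):
            dst = target.find(src.username)
            summary["restored"] += 1
        elif dst is None:
            if not insert_users:
                summary["skipped"] += 1
                continue
            dst = StoredUser(src.username)
            target.insert(dst)
            summary["inserted"] += 1
        else:
            summary["updated"] += 1
        dst.context_data.update(mapped)
        if import_roles:
            if dst.roles and not src.roles:
                summary["roles_cleared"] += 1  # empty source role set wipes the target roles
            dst.roles = list(src.roles)
        if import_auth_method:
            # Falls back to the source store's default; None deletes the target value.
            dst.auth_method = src.auth_method or source.default_auth_method
    return summary
```

The roles_cleared counter is worth surfacing in a real implementation: with Import Roles enabled, a source export that accidentally drops group memberships silently strips the corresponding target users of their roles on the next run.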

    May be used by
    Properties
    Source User Store (sourceUserStore)
    Description
    The user store used to read user data from. Make sure to specify all context data attributes to be imported.

    If the sync flag is configured, this user store will be used to reset the sync flag.

    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    UserAggregation,UserProvisioning
    Assignable plugins
    Target User Store (targetUserStore)
    Description
    The user store used to write user data with. Make sure to specify all context data attributes to be imported.

    Note: If an imported user cannot be found using the target user store, the task attempts to restore the user (possibly removing a "deleted" flag). If restore was not successful, a new user is inserted.

    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    UserAggregation,UserProvisioning
    Assignable plugins
    Attribute Mappings (attributeMappings)
    Description
    Defines a list of mappings mapping source context data attributes to target context attributes.

    NOTE: The context data attributes must be supported by the source and the target user store.

    The username column doesn't need to be referenced here, because it is automatically mapped.

    Attributes
    Plugin-List
    Optional
    License-Tags
    UserAggregation,UserProvisioning
    Assignable plugins
    Import Roles (importRoles)
    Description
    If enabled, roles are imported from the source user store and stored using the target user store. Note that if there are no roles in the source user store, existing roles in the target user store are deleted.
    Attributes
    Boolean
    Optional
    License-Tags
    UserAggregation,UserProvisioning
    Default value
    false
    Import Auth Method (importAuthMethod)
    Description
    If enabled, the authentication method is imported from the source user store and stored using the target user store. If there is no authentication method in the source user store and no default authentication method is defined in the source user store (some plugins can do that), the authentication method in the target user store is deleted.
    Attributes
    Boolean
    Optional
    License-Tags
    UserAggregation,UserProvisioning
    Default value
    false
    Insert Users (insertUsers)
    Description
    If enabled, users that only exist in the source user store are inserted in the target user store. When disabled, users are not inserted in the target user store.
    Attributes
    Boolean
    Optional
    License-Tags
    UserAggregation,UserProvisioning
    Default value
    true
    Update Users (updateUsers)
    Description
    If enabled, users that exist in the source user store and the target user store are updated.
    Attributes
    Boolean
    Optional
    License-Tags
    UserAggregation,UserProvisioning
    Default value
    true
    Delete Users (deleteUsers)
    Description
    If enabled, users that don't exist in the source user store are deleted in the target user store.
    Attributes
    Boolean
    Optional
    License-Tags
    UserAggregation,UserProvisioning
    Default value
    true
    Sync Flag (syncFlag)
    Description
    If configured, only users with the configured flag set to true are synchronised. After successful synchronisation, this task modifies the user in the source user store by setting the sync flag to false.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    UserAggregation,UserProvisioning
    Assignable plugins
    Data Transformers (dataTransformers)
    Description
    Lists data transformers applied in order of definition to transform the imported data.
    • The username is available as attribute "username".
    • The roles are available as attribute "roles".
    • The authentication method is available as attribute "authMethod".
    • Context data attributes of the source user are handed over to the transformers. These attributes are not used by all transformers. Check the transformer documentation to learn if and how they can be used.
    Attributes
    Plugin-List
    Optional
    License-Tags
    UserAggregation,UserProvisioning
    Assignable plugins
    Continue On Errors (continueOnErrors)
    Description
    If enabled, the task is not stopped when an error occurs while inserting, updating, or deleting a user in the target user store. A warning is logged in this case.

    Errors related to reading users from the source user store are not recoverable and cause the task to fail even if this option is enabled.

    Attributes
    Boolean
    Optional
    License-Tags
    UserAggregation,UserProvisioning
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.user.sync.UserSyncTaskConfig
    id: UserSyncTaskConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      attributeMappings:
      continueOnErrors: false
      dataTransformers:
      deleteUsers: true
      importAuthMethod: false
      importRoles: false
      insertUsers: true
      sourceUserStore:
      syncFlag:
      targetUserStore:
      updateUsers: true
    
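    The insert/update/delete flags, the sync flag reset and the "restore before insert" rule described above combine into one pass over the source store. The following added example (not Airlock IAM code) models that pass with in-memory stores standing in for an LDAP source and a database target; the Store, User and FailingStore classes and the sample users are constructed for the example, and the flag names mirror the task properties.

```python
"""Added example (not Airlock IAM code): a minimal model of the User Sync Task."""
import logging
from dataclasses import dataclass, field

log = logging.getLogger("user-sync")


@dataclass
class User:
    username: str
    context: dict = field(default_factory=dict)
    roles: set = field(default_factory=set)
    deleted: bool = False  # the "deleted" flag a target store may keep


class Store:
    """Toy in-memory user store (constructed for this example)."""

    def __init__(self, users=()):
        self.users = {u.username: u for u in users}

    def all_users(self):
        return [u for u in self.users.values() if not u.deleted]

    def find(self, username):
        u = self.users.get(username)
        return u if u is not None and not u.deleted else None

    def restore(self, username):
        """Undelete a soft-deleted user; None if there is nothing to restore."""
        u = self.users.get(username)
        if u is None or not u.deleted:
            return None
        u.deleted = False
        return u

    def insert(self, user):
        self.users[user.username] = user

    def update(self, user):
        self.users[user.username] = user

    def delete(self, username):
        del self.users[username]


class FailingStore(Store):
    """Target store whose inserts fail, to show continueOnErrors (constructed)."""

    def insert(self, user):
        raise RuntimeError("database unavailable")


def sync_users(source, target, attribute_mappings, *, import_roles=False,
               insert_users=True, update_users=True, delete_users=True,
               sync_flag=None, continue_on_errors=False):
    """Copy users from source to target; attribute_mappings maps source -> target names."""
    stats = {"inserted": 0, "restored": 0, "updated": 0, "deleted": 0, "errors": 0}
    # Reading from the source is not recoverable: any exception here propagates.
    candidates = source.all_users()
    if sync_flag:  # only users whose sync flag is true are synchronised
        candidates = [u for u in candidates if u.context.get(sync_flag) is True]
    for src in candidates:
        mapped = {dst: src.context[s] for s, dst in attribute_mappings.items() if s in src.context}
        try:
            existing = target.find(src.username)
            if existing is None:  # not found: try to restore before inserting
                existing = target.restore(src.username)
                if existing is not None:
                    stats["restored"] += 1
            if existing is None:
                if insert_users:
                    roles = set(src.roles) if import_roles else set()
                    target.insert(User(src.username, mapped, roles))
                    stats["inserted"] += 1
            elif update_users:
                existing.context.update(mapped)
                if import_roles:
                    existing.roles = set(src.roles)  # no source roles wipes target roles
                target.update(existing)
                stats["updated"] += 1
            if sync_flag:
                src.context[sync_flag] = False  # reset the flag in the source store
                source.update(src)
        except Exception as exc:  # write error on the target store
            if not continue_on_errors:
                raise
            log.warning("user %s not synchronised: %s", src.username, exc)
            stats["errors"] += 1
    if delete_users:  # users missing from the source are removed from the target
        source_names = {u.username for u in source.all_users()}
        for name in [u.username for u in target.all_users() if u.username not in source_names]:
            try:
                target.delete(name)
                stats["deleted"] += 1
            except Exception as exc:
                if not continue_on_errors:
                    raise
                log.warning("user %s not deleted: %s", name, exc)
                stats["errors"] += 1
    return stats
```

    Note that with deleteUsers enabled the deletion set is computed from all users of the source store, not only those carrying the sync flag; a target user is removed only when it has no counterpart at all in the source.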

    User to Authenticator Mapping

    Description
    Maps a user name pattern to an authenticator plugin.
    Properties
    Pattern (pattern)
    Description

    Defines a regular expression pattern matched against the username provided in the first step of the authentication.
    If the username matches the pattern, the authenticator defined in property "authenticator" is used for the authentication process.

    The username is extracted from the credential object passed to this plugin when the authenticate-method is called for the first time in the authentication session.

    Attributes
    RegEx
    Mandatory
    Case Sensitive (caseSensitive)
    Description
    If unchecked, the case of characters is ignored when matching the pattern against the username.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.UserBasedAuthenticatorSelectorMapping
    id: UserBasedAuthenticatorSelectorMapping-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticator:
      caseSensitive: true
      pattern:
    

    User To Context Data Transformer Config

    Description
    This user name transformer returns the context data field value of the user. This allows propagating a context value like an email address instead of the username.
    Properties
    Context Data Item (contextDataItem)
    Description
    The string-typed context data item to use as the value to propagate.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Mandatory Transformation (mandatoryTransformation)
    Description
    If the transformation is mandatory, the context data value must be present for this user, otherwise an exception is thrown. If not mandatory and the value is not present, this transformer is ignored (i.e. the name is not transformed and subsequent transformers (if any) are called).
    Attributes
    Boolean
    Optional
    Default value
    true
    Stop After Successful Transformation (stopAfterSuccessfulTransformation)
    Description
    With this flag the chaining of user name transformers can be interrupted. If it is enabled and the user name transformer found a value in the context field, this result will be the final result.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.user.UserToContextDataTransformerConfig
    id: UserToContextDataTransformerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataItem:
      mandatoryTransformation: true
      stopAfterSuccessfulTransformation: true
    

    User to Password Service Mapping

    Description
    Maps a user pattern to a password service plugin.
    Properties
    User Data To Check (userDataToCheck)
    Description

    Defines which context data field of the user should match the configured pattern.
    If this property is set to @username, which is also the default, the pattern is not matched against a context data field but against the username.

    Attributes
    String
    Optional
    Default value
    @username
    User Persister (userPersister)
    Description

    The user persister to look up the context data field of the user.
    The user persister is only needed if the User Data To Check above has not been set to:
    @username

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pattern (pattern)
    Description

    Defines a regular expression pattern matched against the provided username or context data entry (depending on the configuration in User Data To Check above).
    If the selected resource matches the pattern, the password service defined in property "passwordService" is used.

    Attributes
    RegEx
    Mandatory
    Case Sensitive (caseSensitive)
    Description
    If unchecked, the case of characters is ignored when matching the pattern against the resource.
    Attributes
    Boolean
    Optional
    Default value
    true
    Password Service (passwordService)
    Description
    Defines the password service plugin used when the provided resource matches the pattern.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.UserBasedPasswordServiceSelectorMapping
    id: UserBasedPasswordServiceSelectorMapping-xxxxxx
    displayName: 
    comment: 
    properties:
      caseSensitive: true
      passwordService:
      pattern:
      userDataToCheck: '@username'
      userPersister:
    

    User Token Settings

    Description

    Settings for session-less user token REST endpoints. In contrast to the "Protected Self-Services" these self-services don't require an authenticated session. Instead, each request must contain authentication information, as defined by the "API Access Control" settings.

    These REST endpoints begin with the resource path /<loginapp-uri>/rest/protected/my/.

    Properties
    Secret Questions Settings (secretQuestionsSettings)
    Description

    Configures the protected session-less REST endpoint used to set answers to secret questions.

    REST endpoint: /<loginapp-uri>/rest/protected/my/secret-questions/questionId/answer

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Device Registration Settings (deviceRegistrationSettings)
    Description

    Configures the protected session-less REST endpoints used to manage device tokens.

    REST endpoints: /<loginapp-uri>/rest/protected/my/tokens/device-tokens/*

    Attributes
    Plugin-Link
    Optional
    License-Tags
    DeviceToken
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.rest.application.configuration.UserTokenConfig
    id: UserTokenConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      deviceRegistrationSettings:
      secretQuestionsSettings:
    

    User Trail Log Clean-up Task

    Description

    Task to clean up stale user trail log entries from the database.

    It is recommended to schedule this task during a time with little traffic. Depending on the number of stale user trail logs, the task may take some time to complete.

    Note: The clean-up task ignores tenant IDs; all stale logs are deleted regardless of their tenant IDs.

    May be used by
    Properties
    Database Repository (databaseRepository)
    Description
    Defines the user trail log database from which expired log entries are to be removed.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Log Retention Time (logRetentionTime)
    Description

    Duration to keep user trail log entries in the database after creation.

    Log entries that are older than the specified duration are considered stale and will be removed at the next scheduled clean-up time.

    Attributes
    String
    Optional
    Default value
    90d
    Example
    7d
    Example
    14d 12h
    Batch Size (batchSize)
    Description

    During clean-up, user trail log entries are deleted in batches of this size.

    This ensures that any row locks on the database are very short-lived, not affecting parallel log insertions. This value should not be set too high to prevent very long running transactions. User trail log clean-up will repeat deleting this number of logs until all logs not within the retention time have been cleaned up. Therefore, this task can take some time when a lot of user trail logs are present.

    This size should be chosen so that every batch does not take longer than 5 seconds. The average runtime of the batches can be found in the task's logs.

    Attributes
    Integer
    Optional
    Default value
    1000
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.usertrail.UserTrailLogCleanupTaskConfig
    id: UserTrailLogCleanupTaskConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      batchSize: 1000
      databaseRepository:
      logRetentionTime: 90d
    
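    The retention and batch-size properties above describe a loop: compute a cut-off from the retention duration, then delete rows older than it in short transactions of batchSize rows until none are left, ignoring the tenant ID. The following added example (not Airlock IAM code) shows that loop against an SQLite table; the table layout, the sample rows and the assumption that the duration grammar accepts d, h, m and s units (the page only shows "d" and "h") are constructed for the example.

```python
"""Added example (not Airlock IAM code): batched clean-up of stale user trail log rows."""
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# Units assumed for the duration syntax; the page documents "90d", "7d" and "14d 12h".
_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)\s*([dhms])")


def parse_duration(text: str) -> timedelta:
    """Parse '14d 12h' style durations; rejects unknown units or trailing garbage."""
    tokens = _TOKEN.findall(text)
    if not tokens or "".join(f"{n}{u}" for n, u in tokens) != re.sub(r"\s+", "", text):
        raise ValueError(f"invalid duration: {text!r}")
    return timedelta(seconds=sum(int(n) * _UNITS[u] for n, u in tokens))


def cleanup_user_trail_log(conn, retention: str, batch_size: int = 1000, now=None):
    """Delete rows older than the retention time in batches; returns (rows, batches)."""
    cutoff = (now or datetime.now(timezone.utc)) - parse_duration(retention)
    cutoff_s = cutoff.isoformat()  # rows store UTC ISO timestamps, so string order = time order
    total = batches = 0
    while True:
        # Tenant ID is deliberately absent from the WHERE clause: stale rows of all tenants go.
        cur = conn.execute(
            "DELETE FROM user_trail_log WHERE id IN ("
            "  SELECT id FROM user_trail_log WHERE created_at < ? ORDER BY id LIMIT ?)",
            (cutoff_s, batch_size),
        )
        conn.commit()  # one short transaction per batch keeps row locks short-lived
        if cur.rowcount == 0:
            break
        total += cur.rowcount
        batches += 1
    return total, batches


# Constructed sample data: two tenants, ten rows, three distinct ages.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def make_sample_db(now=SAMPLE_NOW):
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_trail_log (id INTEGER PRIMARY KEY, tenant_id TEXT,"
        " created_at TEXT, message TEXT)"
    )
    rows = (
        [("customerA", now - timedelta(days=100), "login")] * 5
        + [("customerB", now - timedelta(days=95), "login")] * 3
        + [("customerA", now - timedelta(days=10), "logout")] * 2
    )
    conn.executemany(
        "INSERT INTO user_trail_log (tenant_id, created_at, message) VALUES (?, ?, ?)",
        [(t, ts.isoformat(), m) for t, ts, m in rows],
    )
    conn.commit()
    return conn


def row_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM user_trail_log").fetchone()[0]


if __name__ == "__main__":
    db = make_sample_db()
    print(cleanup_user_trail_log(db, "90d", batch_size=4, now=SAMPLE_NOW), row_count(db))
```

    Committing after every batch is what keeps each transaction short; the page's advice to size batches so that none runs longer than about 5 seconds is the knob that trades this against the number of round trips.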

    User Trail Log Database Repository

    Description
    Persists and loads data for the User Trail Log.
    Properties
    SQL Data Source (sqlDataSource)
    Description
    Database connection used to persist and load user trail log messages.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Log Queries (logQueries)
    Description

    If enabled, all SQL queries executed on this repository will be written to the module's corresponding log file. This is only effective if the log level is set to at least INFO.

    Note: This does not write the SQL statements to the User Trail Log.

    Warning: query values (including potentially sensitive data) will be logged as well.

    Attributes
    Boolean
    Optional
    Default value
    false
    Tenant ID (tenantId)
    Description

    Identity added to the database records to distinguish between different tenants. Only logs that match the tenant ID specified here will be retrieved on query.

    If left empty, 'no_tenant' is used as the effective value for tenant ID.

    Attributes
    String
    Optional
    Length <= 50
    Validation RegEx: (?!no_tenant$).*
    Example
    customerA
    Example
    customerB
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.usertrail.UserTrailLogRepositoryConfig
    id: UserTrailLogRepositoryConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      logQueries: false
      sqlDataSource:
      tenantId:
    

    User Trail Log Import Task

    Description

    Task to import user trail log files into the user trail log database.

    This task is typically used once in a migration scenario where logs from existing user trail log files should be imported into the database. This task also imports logs from files in subdirectories.

    Note:

    • This task should only be run on demand and should not be scheduled on a regular basis. Logs will be imported multiple times if the task is run multiple times for the same files.

    • A log file is always either imported completely or not at all. If an error occurs while importing a log file, the task is stopped, no logs are imported from this file and the source file remains unchanged.

    • This task works on parsable user trail log files only. The default naming of these files is "medusa-usertrail.log".

    May be used by
    Properties
    Database Repository (databaseRepository)
    Description
    Defines the user trail log database into which file based logs are to be imported.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Import Directory (importDirectory)
    Description

    The directory from which user trail log files will be imported. All filenames matching the filter pattern are used.

    If a relative path is specified, the task will look for directories within your config folder. Note that this task will search all nested subdirectories.

    Attributes
    File/Path
    Mandatory
    Filename Filter (filenameFilter)
    Description

    Import filename regular expression pattern.

    Only filenames completely matching this regular expression are imported.

    Attributes
    RegEx
    Optional
    Default value
    medusa-usertrail\.log(\.\d+)?
    Delete Files After Import (deleteFilesAfterImport)
    Description
    If enabled, successfully imported user trail log files within the specified directory are deleted.
    Attributes
    Boolean
    Optional
    Default value
    false
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.usertrail.UserTrailLogImportTaskConfig
    id: UserTrailLogImportTaskConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      databaseRepository:
      deleteFilesAfterImport: false
      filenameFilter: medusa-usertrail\.log(\.\d+)?
      importDirectory:
    

    User Unlock Step (Self-Registration)

    Description
    Non-interactive user self-registration step that unlocks the initially locked user. At the start of the flow the user is initially locked.
    Properties
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.step.SelfRegistrationUserUnlockStepConfig
    id: SelfRegistrationUserUnlockStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    User Unlocked

    Description
    Event that is triggered when a user's account is unlocked.
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.event.UserUnlockedSubscribedEventConfig
    id: UserUnlockedSubscribedEventConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    User Validity Processor

    Description
    Processor that checks if a user is valid, enabled and unlocked before and after every step. Users that do not fulfill these requirements are logged out (session termination).
    May be used by
    Properties
    Allowed Lock Reasons (allowedLockReasons)
    Description
    List of lock reasons that still allow the user to complete the flow, but once the flow is completed, the session is terminated.

    Locked users with any lock reason not listed here are logged out immediately.

    Attributes
    String-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.processor.UserValidityProcessorConfig
    id: UserValidityProcessorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedLockReasons:
    

    User-Agent Mapping

    Description
    Maps a user-agent to a new value.
    May be used by
    Properties
    Pattern (pattern)
    Description
    The regular expression that is matched against the user-agent header. If it matches, the replacement is applied.
    Attributes
    RegEx
    Mandatory
    Replacement (replacement)
    Description
    The replacement expression. If the user-agent matches the pattern, it will be replaced by this expression.
    Attributes
    String
    Mandatory
    Example
    Mobile App
    Example
    $1 (Web Browser)
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.rememberme.RememberMeUserAgentMappingConfig
    id: RememberMeUserAgentMappingConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      pattern:
      replacement:
    

    User-based Authenticator Selector

    Description

    An authenticator plugin that selects one of several authenticators depending on the username provided in the first authentication step:
    The username is compared against a list of regular expressions. The first matching expression defines the authenticator plugin to use for the rest of the authentication process.
    If none matches, the default authenticator is used.

    This plugin does not add or change data added to the authentication result but just passes on the results of the wrapped authenticator(s).

    This authenticator implements the PasswordService interface: it can be used as password service, if the selected authenticator implements the PasswordService interface.

    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.UserBasedAuthenticatorSelector
    id: UserBasedAuthenticatorSelector-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultAuthenticator:
      mappings:
    

    User-based Password Service Selector

    Description

    A password service plugin that selects one of several password services depending on the provided user:
    The user's data is compared against a list of regular expressions. The first matching expression defines the password service plugin to use.
    If none matches, the default password service is used.

    Properties
    Mappings (mappings)
    Description
    Mappings between user patterns and authenticator plugins.
    Attributes
    Plugin-List
    Mandatory
    License-Tags
    UserAggregation
    Assignable plugins
    Default Password Service (defaultPasswordService)
    Description
    The default password service plugin, i.e. the password service to be used when the user matches no pattern.
    Attributes
    Plugin-Link
    Mandatory
    License-Tags
    UserAggregation
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.UserBasedPasswordServiceSelector
    id: UserBasedPasswordServiceSelector-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultPasswordService:
      mappings:
    
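    Both selectors above (User-based Authenticator Selector and User-based Password Service Selector, with their User to Authenticator / User to Password Service mappings) share one selection rule: walk the mappings in order, match a regular expression against the username or a context data field, honour the caseSensitive flag, and fall back to the default when nothing matches. The following added example (not Airlock IAM code) implements that rule; the Mapping class, the sample persister and the sample mappings are constructed, and full-string matching (Java Matcher.matches() semantics) is an assumption, since the page does not state whether substring matches count.

```python
"""Added example (not Airlock IAM code): first-match selection of a service by user data."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Mapping:
    pattern: str
    service: str                           # authenticator or password service to select
    case_sensitive: bool = True            # caseSensitive
    user_data_to_check: str = "@username"  # userDataToCheck: "@username" or a context field


def select_service(username: str, mappings: List[Mapping], default: str,
                   user_persister: Optional[Callable[[str, str], Optional[str]]] = None) -> str:
    """Return the service of the first mapping that matches, else the default service."""
    for m in mappings:
        if m.user_data_to_check == "@username":
            subject = username
        else:
            if user_persister is None:
                raise ValueError("userPersister is required when userDataToCheck names a field")
            subject = user_persister(username, m.user_data_to_check)
            if subject is None:  # unknown user or empty field: this mapping cannot match
                continue
        flags = 0 if m.case_sensitive else re.IGNORECASE
        # Assumption: the whole subject must match (Matcher.matches() semantics).
        if re.fullmatch(m.pattern, subject, flags):
            return m.service
    return default


# Constructed sample data: a context-data lookup standing in for the user persister.
SAMPLE_CONTEXT = {
    "alice": {"email": "Alice@Partner.example"},
    "carol": {"email": "carol@example.org"},
}


def sample_persister(username: str, field: str) -> Optional[str]:
    return SAMPLE_CONTEXT.get(username, {}).get(field)


SAMPLE_MAPPINGS = [
    Mapping(r"adm-.*", "ldap-admins"),                    # technical accounts by name
    Mapping(r".*@partner\.example", "partner-directory",  # partner users by mail domain
            case_sensitive=False, user_data_to_check="email"),
]
```

    Because the first match wins, the order of the mappings is part of the configuration: put the most specific patterns first, and keep the default as the service that is safe for users no pattern was written for.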

    UserInfo Claim

    Description
    The configured claim is requested to be added to any claims that are requested using scope values from the UserInfo Endpoint. If no UserInfo claims are configured, the claims being requested from the UserInfo Endpoint are only those requested using scope values.
    Properties
    Claim (claim)
    Description
    The claim to request to be returned from the UserInfo Endpoint.
    Attributes
    String
    Mandatory
    Example
    given_name
    Example
    nickname
    Example
    email
    Example
    email_verified
    Values (values)
    Description
    Requests that the claim be returned with a particular value. The value must be a valid value for the claim being requested.

    If multiple values are configured, the request indicates that the claim should be returned with one of the given values. The values in the request appear in order of preference.

    If not configured, the claim is requested without a restriction on its value.
    Attributes
    String-List
    Optional
    Requirement (requirement)
    Description
    The client indicates whether the claim being requested is an essential or a voluntary claim.
    • Essential: the claim is necessary to ensure a smooth authorization experience for the specific task requested by the end-user.
    • Voluntary: the claim is useful but not essential for the specific task requested by the end-user.
    Note that even if a claim is requested as 'essential', the authorization server is not obligated to return it.
    Attributes
    Enum
    Optional
    Default value
    ESSENTIAL
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.UserInfoClaimConfig
    id: UserInfoClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claim:
      requirement: ESSENTIAL
      values:
    
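    The claim, values and requirement properties above correspond to the members of the OpenID Connect "claims" request parameter (OIDC Core 1.0, section 5.5), where each requested UserInfo claim is either null or an object with "essential", "value" or "values". The following added example (not Airlock IAM code) builds that structure from a list of claim configurations; that IAM serialises the plugin into exactly this JSON is an assumption, the parameter format itself is the specification's.

```python
"""Added example (not Airlock IAM code): UserInfo Claim settings -> OIDC "claims" parameter."""
import json
from typing import Dict, List, Optional


def userinfo_claims_request(claim_configs: List[dict]) -> Dict[str, Dict[str, Optional[dict]]]:
    """Build the "claims" request parameter value for the UserInfo endpoint.

    Each entry mirrors the plugin properties: "claim" (name), "values" (optional list)
    and "requirement" (ESSENTIAL or VOLUNTARY, default ESSENTIAL).
    """
    userinfo: Dict[str, Optional[dict]] = {}
    for cfg in claim_configs:
        spec: dict = {}
        if cfg.get("requirement", "ESSENTIAL") == "ESSENTIAL":
            spec["essential"] = True  # the server may still decline to return it
        values = list(cfg.get("values") or [])
        if len(values) == 1:
            spec["value"] = values[0]  # one specific value is requested
        elif values:
            spec["values"] = values  # any of these, listed in order of preference
        # A voluntary claim without value constraints is requested as JSON null.
        userinfo[cfg["claim"]] = spec or None
    return {"userinfo": userinfo}


def claims_parameter(claim_configs: List[dict]) -> str:
    """Serialise compactly for the claims=... query parameter (URL-encoding is the caller's job)."""
    return json.dumps(userinfo_claims_request(claim_configs), separators=(",", ":"), sort_keys=True)


if __name__ == "__main__":
    # Constructed sample configuration with all three property combinations.
    sample = [
        {"claim": "email"},
        {"claim": "nickname", "requirement": "VOLUNTARY"},
        {"claim": "locale", "values": ["de-CH", "de"], "requirement": "VOLUNTARY"},
    ]
    print(claims_parameter(sample))
```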

    Username Cookie Identity Propagator

    Description
    Simple cookie based identity propagator that sets a cookie containing the user name.

    This identity propagator can be used together with Airlock Gateway (WAF) to send a cookie bearing the username to back-end applications.

    Properties
    Cookie Name (cookieName)
    Description
    The name of the cookie to be sent to the browser or Airlock Gateway (WAF).
    Attributes
    String
    Optional
    Default value
    username
    Example
    auth_cookie
    Example
    username
    Cookie Path (cookiePath)
    Description
    The path for which the cookie is set. The path determines where the cookie is sent by the reverse proxy (or browser).

    If one single access cookie is used for all applications, the value "/" can be used. If different tickets are used for different applications, the applications path should be used.

    Note that only one access cookie per cookie path and name can exist. Make sure that this cookie name does not clash with other cookies' names. For example, do not use session cookie names such as "JSESSIONID".

    Make sure the configuration flag Interpret Cookie Domains is set in the Airlock Gateway (WAF) configuration. If not, the cookie path is ignored and cookies in the cookie store are sent to any back-end HTTP request of the same session. This also means that there may be only one cookie per cookie name!
    It is best to consult the corresponding documentation of the Airlock Gateway to get more accurate information on cookie handling.

    Attributes
    String
    Optional
    Default value
    /
    Example
    /
    Example
    /appl1
    Example
    /appl2
    Cookie Domain (cookieDomain)
    Description
    The domain for which the cookie is set. The domain determines where the cookie is sent by the reverse proxy (or browser).

    Because of security restrictions in browsers (same origin policy) it is usually not possible to set a cookie for a different domain unless the right-most two domain parts (e.g. "ergon.ch") are equal to that of the application setting the cookie.
    It is possible that there are further restrictions regarding this in browsers.

    If you are using an HTTP reverse proxy that stores the cookie in its session store (and does not send it to the client), make sure to understand the proxy's interpretation of the cookie domain and cookie path.

    Make sure the configuration flag Interpret Cookie Domains is set in the Airlock Gateway (WAF) configuration. If not, the cookie domain is ignored and cookies in the cookie store are sent to any back-end HTTP request of the same session. The cookie path is also ignored meaning that there may be only one cookie per cookie name!
    Airlock also supports the following cookie domain values (if the flag Interpret Cookie Domains is set):

    • The value .* results in cookies being sent to all back-end servers. This is especially useful if one authentication ticket is used for multiple back-ends.
    • The value @<fully-qualified-host> results in the cookie being treated as if it were set by the host specified by "<fully-qualified-host>". If using this value, make sure the corresponding mapping also uses the fully qualified hostname.
    It is best to consult the corresponding documentation of the Airlock Gateway to get more accurate information on cookie handling.

    Note that only one cookie per cookie path and name can exist. Make sure that this cookie name does not clash with other cookies' names. For example, do not use session cookie names such as "JSESSIONID".

    Attributes
    String
    Optional
    Example
    @anotherbackend.com
    Example
    .*
    Example
    mybackend.com
    Set Secure Flag (setSecureFlag)
    Description
    If set to TRUE the "secure"-flag of the cookie is set.

    If the cookie is marked as secure, the browser (and any HTTP proxy behaving like a browser) should send the cookie only over secure connections.
    Caution: If you think that setting this flag makes your application more secure, it is in most cases way better to adequately secure the access cookie by encrypting it appropriately. Remember that this flag just "asks" the browser to not transmit the cookie over unencrypted connections.

    Attributes
    Boolean
    Optional
    Default value
    false
    Url Encoding Scheme (urlEncodingScheme)
    Description
    String values must be URL encoded in order to be suitable as cookie values. This optional property defines the URL encoding scheme to be used.
    Make sure that the component receiving the ticket uses the same URL encoding scheme.
    Specify NONE to disable URL-Encoding in case the target system cannot handle URL-Encoded cookies. Notice: This will only work if the username contains nothing but ASCII characters. Other characters like umlauts are never allowed unencoded in cookies and will result in an error.
    Attributes
    String
    Optional
    Default value
    UTF-8
    Allowed values
    UTF-8, ISO-8859-1, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, ISO-8859-15, NONE
    Max Age (maxAge)
    Description
    Sets the maximum age in seconds for this Cookie.
    • A positive value indicates that the cookie will expire after that many seconds have passed.
    • A negative value means that the cookie is not stored persistently and will usually be deleted when the Web browser exits (however, browsers may keep it for longer).
    • A value of 0 (zero) causes the cookie to be deleted by sending an expired cookie with the same name.
    Attributes
    Integer
    Optional
    Default value
    -1
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.UsernameCookieIdentityPropagator
    id: UsernameCookieIdentityPropagator-xxxxxx
    displayName: 
    comment: 
    properties:
      cookieDomain:
      cookieName: username
      cookiePath: /
      maxAge: -1
      setSecureFlag: false
      urlEncodingScheme: UTF-8
    
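    The following Python model, added here as an illustration and not Airlock IAM's own code, shows how the properties above (urlEncodingScheme, setSecureFlag, maxAge, cookiePath, cookieDomain) translate into a Set-Cookie header; the exact header layout is an assumption, the property semantics follow the reference.

```python
"""Model of a username cookie propagator's output (added illustration,
not Airlock IAM code). Property semantics follow the plugin reference;
the Set-Cookie formatting is an assumption."""
from urllib.parse import quote

# Allowed values of urlEncodingScheme as listed in the reference.
ALLOWED_SCHEMES = ("UTF-8", "ISO-8859-1", "UTF-16", "UTF-16BE", "UTF-16LE",
                   "US-ASCII", "ISO-8859-15", "NONE")


def encode_cookie_value(username: str, scheme: str = "UTF-8") -> str:
    """URL-encode the username with the configured scheme.

    NONE disables encoding. As the reference states, that only works for
    pure-ASCII usernames, so anything else is rejected here instead of
    being emitted as an invalid cookie value.
    """
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported urlEncodingScheme: {scheme}")
    if scheme == "NONE":
        if not username.isascii():
            raise ValueError("non-ASCII username cannot be sent unencoded")
        return username
    # quote() first encodes the text with the given charset, then
    # percent-encodes every byte outside the unreserved set; a character
    # the charset cannot represent raises UnicodeEncodeError.
    return quote(username, safe="", encoding=scheme)


def max_age_attribute(max_age: int) -> str:
    """Translate maxAge into cookie attribute text.

    positive -> Max-Age=n: persistent cookie expiring after n seconds
    negative -> no attribute: session cookie, dropped when the browser exits
    zero     -> Max-Age=0 plus a past Expires date, which makes the browser
                delete an existing cookie of the same name
    """
    if max_age > 0:
        return f"; Max-Age={max_age}"
    if max_age == 0:
        return "; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT"
    return ""


def build_set_cookie(username: str, *, cookie_name: str = "username",
                     cookie_path: str = "/", cookie_domain: str = "",
                     max_age: int = -1, set_secure_flag: bool = False,
                     url_encoding_scheme: str = "UTF-8") -> str:
    """Assemble the header for the configured property values.

    Note that the username travels in clear text either way: Secure only
    asks the browser to restrict the transport, it does not protect the
    value itself.
    """
    parts = [f"{cookie_name}={encode_cookie_value(username, url_encoding_scheme)}",
             f"Path={cookie_path}"]
    if cookie_domain:
        parts.append(f"Domain={cookie_domain}")
    header = "; ".join(parts) + max_age_attribute(max_age)
    if set_secure_flag:
        header += "; Secure"
    return header


if __name__ == "__main__":
    # Constructed sample values.
    print(build_set_cookie("müller", cookie_domain=".mybackend.com",
                           max_age=3600, set_secure_flag=True))
```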

    Username Custom Claim

    Description
    A custom string claim containing the username.

    If a username transformation is configured in the Authorization Server, this claim will contain the transformed username.

    Properties
    Claim Name (claimName)
    Description
    The name (JSON key) of the claim.

    Attention: If a custom claim with the same claim name already exists, a runtime error results.

    Using a registered claim name (see RFC 7519) might cause the claim to be ignored or an exception to be thrown.
    Attributes
    String
    Mandatory
    Example
    firstname
    Example
    street
    Example
    zip
    Example
    country
    Example
    roles
    Claim Condition (claimCondition)
    Description

    This custom claim will only be added to the issued token if the configured condition is satisfied.

    If no condition is configured, the custom claim will always be added.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.oauth2.application.configuration.claims.CustomUsernameClaimConfig
    id: CustomUsernameClaimConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      claimCondition:
      claimName:
    

    Username Generation Step Config

    Description
    Non-interactive user self-registration flow step that generates a username.
    Properties
    User Identity Generator (userIdentityGenerator)
    Description
    Generates a technical username.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.step.UsernameGenerationStepConfig
    id: UsernameGenerationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      customFailureResponseAttributes:
      customResponseAttributes:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      userIdentityGenerator:
    

    Username Password Authentication Step

    Description
    Configuration of an authentication flow step, where users authenticate themselves with username and password.
    Properties
    Password Repository (passwordRepository)
    Description
    User password repository to check identified user passwords against.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Policy To Check On Login (policyToCheckOnLogin)
    Description
    The password policy that is checked when authenticating. If the policy is violated, a mandatory password change is required.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    CAPTCHA (captchaProvider)
    Description
    If a CAPTCHA is configured, a CAPTCHA challenge will be added to:
    • the response of the flow selecting request (when this step is the first interactive step in a flow).
    • the step response immediately preceding the protected step (when this step is not the first interactive step in a flow).
    To complete this step and proceed with the flow, the CAPTCHA must be solved successfully.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Password Change Red Flag (passwordChangeRedFlag)
    Description
    Raises this red flag if a mandatory password change is required. This flag must then be handled by a later step.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    PASSWORD
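    As an added illustration (not Airlock IAM's implementation), the following Python model keys a per-user failed-attempts counter by authentication method ID and shows why two password steps that check different credentials must not share an ID; the lockout threshold, data classes and the configuration check are assumptions.

```python
"""Model of the per-user, per-authentication-method "failed attempts"
counter described above (added illustration with simplified lockout
semantics, not Airlock IAM code)."""
import hmac
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold for this model


@dataclass
class UserRecord:
    passwords: dict[str, str]                               # credential slot -> secret
    failed: dict[str, int] = field(default_factory=dict)    # method id -> counter
    locked: bool = False


@dataclass
class PasswordStep:
    """One configured Username Password Authentication Step."""
    credential_slot: str           # which of the user's passwords this step checks
    authentication_method_id: str  # the property discussed above

    def authenticate(self, user: UserRecord, supplied: str) -> bool:
        if user.locked:
            return False
        key = self.authentication_method_id
        expected = user.passwords[self.credential_slot]
        if hmac.compare_digest(supplied.encode(), expected.encode()):
            user.failed[key] = 0       # success resets the counter for this ID only
            return True
        user.failed[key] = user.failed.get(key, 0) + 1
        if user.failed[key] >= MAX_FAILED_ATTEMPTS:
            user.locked = True
        return False


def wrong_guesses_until_lock(step_a: PasswordStep, step_b: PasswordStep,
                             user: UserRecord, correct_a: str, wrong_b: str,
                             limit: int = 50) -> int:
    """Count wrong guesses on step_b tolerated before the user is locked when
    each wrong guess is followed by a correct login on step_a (the interleaving
    the reference describes). Returns limit if the lock never triggers."""
    for n in range(1, limit + 1):
        step_b.authenticate(user, wrong_b)
        if user.locked:
            return n
        step_a.authenticate(user, correct_a)
    return limit


def config_issues(steps: list[PasswordStep]) -> list[str]:
    """Static check over the configured password steps: flags IDs longer than
    the 23-character limit and IDs shared by steps that check different
    credentials (steps checking the same credential may share an ID)."""
    issues: list[str] = []
    slots_by_id: dict[str, set[str]] = {}
    for s in steps:
        if len(s.authentication_method_id) > 23:
            issues.append(f"{s.authentication_method_id}: longer than 23 characters")
        slots_by_id.setdefault(s.authentication_method_id, set()).add(s.credential_slot)
    for method_id, slots in slots_by_id.items():
        if len(slots) > 1:
            issues.append(f"{method_id}: shared by steps checking {sorted(slots)}")
    return sorted(issues)


if __name__ == "__main__":
    # Constructed sample: one user with two passwords, checked by two flows.
    user = UserRecord(passwords={"pw1": "s3cret-one", "pw2": "s3cret-two"})
    shared = [PasswordStep("pw1", "PASSWORD"), PasswordStep("pw2", "PASSWORD")]
    print("issues:", config_issues(shared))
    print("guesses tolerated with shared ID:",
          wrong_guesses_until_lock(shared[0], shared[1], user, "s3cret-one", "guess"))
```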
    Password Attribute Key (passwordAttributeKey)
    Description

    The optional key under which this password will be available in the identity propagation.

    The value can also be retrieved from the session using the "User Passwords Map" value map provider.

    If no key is configured, the password will not be made available in the flow attributes, and cannot be used by identity propagators.

    Important: Multiple Password Authentication steps or Mandatory Password Change steps that have the same value for this property might override each other's passwords.
    If you have configured a Mandatory Password Change step, consider using the same key.

    Note: This feature will not work together with end-to-end encryption.

    Attributes
    String
    Optional
    Suggested values
    PASSWORD
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable goto targets. These are steps to which the user can choose to jump while this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.password.UsernamePasswordAuthenticationStepConfig
    id: UsernamePasswordAuthenticationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: PASSWORD
      captchaProvider:
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      passwordAttributeKey:
      passwordChangeRedFlag:
      passwordRepository:
      policyToCheckOnLogin:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Username SAML 2.0 Attribute

    Description
    A SAML 2.0 attribute containing the username to propagate.
    Properties
    Attribute Name (samlAttributeName)
    Description
    The name of the attribute to add to the assertion.
    Attributes
    String
    Mandatory
    Example
    Username
    Example
    AUTH_USER
    Name Format (nameFormat)
    Description
    The NameFormat to use for the attribute.
    Attributes
    String
    Optional
    Default value
    urn:oasis:names:tc:SAML:2.0:attrname-format:basic
    Suggested values
    urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
    YAML Template (with default values)
    
    type: com.airlock.iam.saml2.application.configuration.assertion.attribute.UsernameAttributeConfig
    id: UsernameAttributeConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
      samlAttributeName:
    

    Username User Group Condition

    Description
    Checks user group membership by comparing the username with the specified value.
    May be used by
    Properties
    Group Name (groupName)
    Description
    The name of the user group. May be used in log files and may be displayed in the admin tool.
    Attributes
    String
    Mandatory
    Example
    Administrator
    Example
    Employee
    Example
    Customer
    Pattern (pattern)
    Description
    Regular expression pattern matched against the user's name. If it matches, the user is considered to be member of the group.
    Attributes
    RegEx
    Mandatory
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.persistency.UsernameUserGroupCondition
    id: UsernameUserGroupCondition-xxxxxx
    displayName: 
    comment: 
    properties:
      groupName:
      pattern:
    

    Username User Item

    Description
    Definition of a Username User Item.
    Properties
    Required (required)
    Description
    Specifies whether a username must be provided for the step to validate successfully.
    Attributes
    Boolean
    Optional
    Default value
    true
    Validators (validators)
    Description
    The validators for the username. Additionally, the username is automatically validated against the global Username Filter Pattern (configured in the Security Settings).
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.userselfreg.application.configuration.definition.UsernameDefinitionConfig
    id: UsernameDefinitionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      required: true
      validators:
    

    Username User Profile Item Config

    Description
    A user profile item that displays the username. The item is always read-only.
    Properties
    String Resource Key (stringResourceKey)
    Description
    String identifier for the language-specific string tables.
    Attributes
    String
    Mandatory
    Example
    userdata.label.salutation
    Example
    userdata.label.firstname
    Example
    userdata.label.lastname
    Example
    userdata.label.email
    Example
    userdata.label.nationality
    Example
    userdata.label.birthdate
    Example
    userdata.label.street
    Example
    userdata.label.street-number
    Example
    userdata.label.address2
    Example
    userdata.label.zipcode
    Example
    userdata.label.town
    Example
    userdata.label.state
    Example
    userdata.label.country
    Example
    userdata.label.company
    Example
    userdata.label.department
    Example
    userdata.label.office-phone
    Example
    userdata.label.mobile-phone
    Example
    userdata.label.language
    Example
    userdata.label.correspondence-language
    Example
    userdata.label.realm
    Sortable (sortable)
    Description
    If enabled, the attribute is sortable in the user list if the underlying user iterator supports sorting.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.userprofile.UsernameUserProfileItemConfig
    id: UsernameUserProfileItemConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      sortable: true
      stringResourceKey:
    

    Users Configuration

    Description
    Configuration of users, i.e. authentication, authorization and management of users.
    May be used by
    Properties
    Users Are Editable (editable)
    Description
    If this property is enabled, user data (profile items, roles and validity) is editable, new users can be inserted, and users can be deleted.
    Attributes
    Boolean
    Optional
    Default value
    true
    Available User Roles (availableUserRoles)
    Description

    Set of roles assignable to users.

    Translations for the roles displayed in the Adminapp user management UI can be defined using the Adminapp translation keys roles.user.labels.[rolename].

    This setting can be overwritten by "Admin Role Specific Settings".

    Attributes
    String-List
    Optional
    Show User Valid Section (showUserValidSection)
    Description
    If this property is enabled, a section with the user valid status, valid-from and valid-to dates (if information is available) is displayed. On the user edit page, the valid-from and valid-to dates can be edited.
    Attributes
    Boolean
    Optional
    Default value
    false
    User Locked Section (userLockedSection)
    Description

    Defines the visibility of the user-locked section on the user details page:

    • SHOW: show all attributes (the default)
    • RESTRICTED: show some attributes suitable for users in Active Directory (no lock reason or date; unlock button but no lock button)
    • HIDE: do not show the user locked section

    Attributes
    Enum
    Optional
    Default value
    SHOW
    Language Context Key (languageContextKey)
    Description
    Defines the name of the context data property holding the user's correspondence language. It is used when rendering letters. This property is optional; if it is not set, no language information is available to the renderer plugins.
    Attributes
    String
    Optional
    Suggested values
    language
    Max Users To List (maxUsersToList)
    Description
    The maximum number of users to list per page.
    Attributes
    Integer
    Optional
    Default value
    50
    Username Search Field (usernameSearchField)
    Description
    Defines the context-data field that the user search uses instead of the actual 'username'. It has the following effects:
    • The user search never searches in the default 'username' field, but in the configured field instead.
    • This applies also if the 'Only search username' checkbox is selected.
    • The 'username' column in the search result list displays the value of this field.
    • The title of the user detail pages uses the value of this field.
    Only fields that are set on all users (e.g. login alias) should be used. Users without a value in this field might not appear in search results or will be listed with empty usernames.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Default Sort Column (defaultSortColumn)
    Description
    Defines the column in the user list to sort by default. Use the property name (e.g. "givenname") to refer to a context data column. If left empty, the default sort is unspecified.
    Attributes
    String
    Optional
    Suggested values
    username, locked, lat_succ_login
    Sort Ascending By Default (sortAscendingByDefault)
    Description
    If enabled (and a "Default Sort Column" is set), the default user sort is ascending, otherwise descending.
    Attributes
    Boolean
    Optional
    Default value
    true
    Columns In User List (columnsInUserList)
    Description
    The property names and labels of context data to be displayed on the user list page. For example, this could be the first name, last name and assigned authentication method of the user.

    The data for the columns is taken from the context data container of the displayed users. The configuration of the used user persister must include the context data properties referenced here.

    The columns are displayed in addition to the following columns:

    • username
    • locked state
    • latest login date

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    User Profile Items For Search (userSearchProfileItems)
    Description
    The items referring to "Columns In User List" that can be included in the search on the user list page. If no properties are configured, the search will not filter on context data items. If the referred item is not configured in the "Columns In User List", it will be ignored. The configured properties are searchable through the search functionality.

    Note: Currently only string and list items are supported by the search. All other items will be ignored.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Rows On User Detail Page (rowsOnUserDetailPage)
    Description
    The property names and labels of context data to be displayed on the user detail page.

    The data is taken from the context data container of the selected user. The configuration of the used user persister must include the context data properties referenced here.

    Note: The username is always displayed and can therefore not be configured here. Whether it is editable can be configured in the "Access Control" configuration in the "Admin Tool" root node.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    User Data Source (userDataSource)
    Description
    Defines how to load and store users in the Adminapp.

    This setting can be overwritten by "Admin Role Specific Settings".

    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Admin Role Specific Settings (adminRoleSpecificSettings)
    Description
    This list of admin role specific settings allows certain settings to be overwritten for administrators with a specific set of roles. More details on what behaviour can be overwritten can be found within the plugin itself. The first Admin Role Specific Setting that matches the administrator's roles based on the "Role Specific Settings Selection" is used.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Role Specific Settings Selection (roleSpecificSettingsSelection)
    Description
    The strategy to select the role specific settings for an administrator. The first Admin Role Specific Settings that match the administrator's roles are used. If there is no matching entry, no role-specific settings are used.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Account Link Management Config (accountLinkManagementConfig)
    Description
    Configures the account link management. If account linking is configured and a user has account links, the account links tab, including the user's account links, is displayed on the user detail page.
    Attributes
    Plugin-Link
    Optional
    License-Tags
    OAuthAccountLinking
    Assignable plugins
    Locking Settings (lockingSettings)
    Description
    Configures the behavior of user locking.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Show Migration Section (showMigrationSection)
    Description
    If enabled, the credential migration section is displayed on the user details page. This section contains a choice of authentication methods to be assigned to the user after migration.
    Attributes
    Boolean
    Optional
    License-Tags
    TokenSelfService
    Default value
    false
    Enable Multiple Next Auth Methods (enableMultipleNextAuthMethods)
    Description
    If enabled, multiple methods can be selected to which the user can migrate. On the migration hint page, users can choose which of these methods to migrate to. This is only functional if "Show Migration Section" above is also activated. Also remember to enable support for multiple next authentication methods in the migration hint page settings of the login app.
    Attributes
    Boolean
    Optional
    License-Tags
    TokenSelfService
    Default value
    false
    User Management Extensions (userManagementExtensions)
    Description

    User Management Extensions are added as a tab in the User Management of the Adminapp.

    To see a User Management Extension, an administrator needs the corresponding access rights, which are set in the Adminapp Access Control.

    Please consult the official Airlock IAM documentation for more information.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Additional Auth Method Properties (additionalAuthMethodProperties)
    Description
    This setting is used if more than one active authentication method must be managed in the Adminapp. It defines a list of user context properties. The properties are used to store the additional active authentication methods (and to select the corresponding translation for the label on the user details page).
    Make sure that the corresponding context properties are supported by (i.e. configured in) the configured user persister.
    Attributes
    String-List
    Optional
    Allow Bulk Changes (allowBulkChanges)
    Description

    If enabled, some user properties may be changed for several users simultaneously (bulk change). In this release, the following properties can be set as bulk change:

    • Next authentication method (token migration) and migration date.

    Whether a property is available for bulk changes or not depends on the corresponding settings of the user details page (e.g. if the credential migration section is enabled on the user details page, it is also visible on the bulk changes page).

    The bulk change page is accessible from the user list page.

    Attributes
    Boolean
    Optional
    Default value
    false
    User Identity Generator (userIdentityGenerator)
    Description

    If configured, this plugin is used to generate the ID (username) of new users. The "Create new user" dialogue in the Adminapp will not contain a username input field. REST requests to create a new user (POST /<adminapp-uri>/rest/users) will use this generator to create a user ID (instead of the default UUID generator).

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Username Prefill (usernamePrefill)
    Description
    If configured, the username field on the user create and username change dialog is prefilled with the provided value. This feature can be used to suggest possible usernames to administrators or to prefill a common username prefix.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Username Validator (usernameValidator)
    Description
    If configured, validates the username of new users before they are created. If the username is invalid, creation of this user fails with a corresponding validation error.

    Be aware that independent of this validator, IAM enforces two default username validations on provided usernames:

    • Uniqueness Validation - the provided username must not already exist on the database
    • Minimum Length Validation - the provided username must be at least 2 characters long

    Note that these validators (configured and default) are only applied for provided usernames and do not validate generated ones, i.e. when configuring a User Identity Generator.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Group Settings (groupSettings)
    Description

    Some settings may be defined depending on a user's group membership (e.g. whether the user is readable).

    This list defines group-specific settings:

    • If the group's condition is met by the user, the corresponding settings are used for this user.
    • It is processed in order of definition, i.e. the first matched group condition determines the settings used.
    • If no group condition is met, the global user settings are used (= the ones just above).

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Case-Sensitive Search As Default (caseSensitiveSearchAsDefault)
    Description
    Sets the default strategy for searching users. If enabled, searching is case-sensitive. Otherwise, searching is case-insensitive. The search strategy can always be altered by the corresponding checkbox on the user search page.
    Attributes
    Boolean
    Optional
    Default value
    true
    Only Search Words As Default (onlySearchWordsAsDefault)
    Description
    Sets the default strategy for searching users. If enabled, the search term must exactly match the username or an attribute to be found (equals-matching). Otherwise, the search term must be contained within the data (contains-matching). The search strategy can always be altered by the corresponding checkbox on the user search page.
    Attributes
    Boolean
    Optional
    Default value
    false
    Search In Username As Default (searchInUsernameAsDefault)
    Description
    Sets the default strategy for searching users by their username. If enabled, the default search matches the term against the username (or the field configured as "Username Search Field", respectively). Otherwise, search is only performed on the configured "User Profile Items For Search". The search strategy can always be altered by the corresponding checkbox on the user search page.
    Attributes
    Boolean
    Optional
    Default value
    true
    Advanced Search Filters (advancedSearchFilters)
    Description
    Advanced search filters allow for extended search options. Please note that some filters can only be applied if a User Store with the required capability is configured.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Automatically Perform Last Search (automaticallyPerformLastSearch)
    Description
    When enabled, the last user search is automatically performed again when navigating back to the user search page. When disabled, the last search term is still retained but the search must be triggered manually by the administrator. Disabling can be helpful in cases where searches can take a lot of time.
    Attributes
    Boolean
    Optional
    Default value
    true
    Export (export)
    Description
    Configures the download of user data. If the download is not configured, it is not available in the Adminapp.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Remember-Me Management Enabled (rememberMeManagementEnabled)
    Description

    If configured, the administrator will be able to delete all persisted Remember-Me tokens for a user on the user overview page.

    Attributes
    Boolean
    Optional
    Default value
    false
    Remember-Me Settings (rememberMeSettings)
    Description

    If configured, the administrator will be able to delete all persisted Remember-Me tokens for a user on the user overview page.

    If there are still users with legacy Remember-Me tokens from the JSP Loginapp in earlier IAM versions, also configure the JSP Loginapp Remember-Me Settings.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    JSP Loginapp Remember-Me Settings (jspLoginappRememberMeSettings)
    Description
    These settings are only needed if there are still users with legacy Remember-Me tokens from the JSP Loginapp in earlier IAM versions. They allow an administrator to also see and delete the legacy Remember-Me tokens. Once all those tokens have been replaced or have expired, this setting can be removed.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    OAuth 2.0 Authorization Servers (oauth2AuthorizationServers)
    Description
    List of authorization servers at which the users hold OAuth 2.0 tokens. This can, for example, be used to delete those tokens when an administrator changes a user's password.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.users.UsersConfiguration
    id: UsersConfiguration-xxxxxx
    displayName: 
    comment: 
    properties:
      accountLinkManagementConfig:
      additionalAuthMethodProperties:
      adminRoleSpecificSettings:
      advancedSearchFilters:
      allowBulkChanges: false
      authenticationTokens:
      automaticallyPerformLastSearch: true
      availableUserRoles:
      caseSensitiveSearchAsDefault: true
      columnsInUserList:
      defaultSortColumn:
      editable: true
      enableMultipleNextAuthMethods: false
      export:
      groupSettings:
      jspLoginappRememberMeSettings:
      languageContextKey:
      lockingSettings:
      maxUsersToList: 50
      oauth2AuthorizationServers:
      onlySearchWordsAsDefault: false
      rememberMeManagementEnabled: false
      rememberMeSettings:
      roleSpecificSettingsSelection:
      rowsOnUserDetailPage:
      searchInUsernameAsDefault: true
      showMigrationSection: false
      showUserValidSection: false
      sortAscendingByDefault: true
      userDataSource:
      userIdentityGenerator:
      userLockedSection: SHOW
      userManagementExtensions:
      userSearchProfileItems:
      usernamePrefill:
      usernameSearchField:
      usernameValidator:
    

    Users OAuth 2.0 Authorization Server

    Description
    Defines an authorization server with the corresponding session repository.
    May be used by
    Properties
    Authorization Server Identifier (authorizationServerIdentifier)
    Description
    The authorization server identifier.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Session Repository (sessionRepository)
    Description
    OAuth 2.0 session repository config.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Delete Tokens On Password Change (deleteTokensOnPasswordChange)
    Description

    Indicates whether all persisted tokens and sessions of the user are deleted on:

    • Password resets (setting or generating a password by admins)
    • Password delete (by admins)
    • Password letter orders (by admins)
    Attributes
    Boolean
    Optional
    Default value
    true
    Delete Tokens On User Locked (deleteTokensOnUserLocked)
    Description
    Indicates whether all persisted tokens and sessions of the user are deleted when the user is locked by an admin.

    Note: To delete tokens for users locked in the Loginapp, configure the corresponding settings within the Loginapp.

    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.users.UsersOAuth2AuthorizationServerConfig
    id: UsersOAuth2AuthorizationServerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authorizationServerIdentifier:
      deleteTokensOnPasswordChange: true
      deleteTokensOnUserLocked: true
      sessionRepository:
    

    UUID Identity Generator

    Description
    Generates a UUID as identity.
    Properties
    YAML Template (with default values)
    
    type: com.airlock.iam.common.application.configuration.UuidIdentityGeneratorConfig
    id: UuidIdentityGeneratorConfig-xxxxxx
    displayName: 
    comment: 
    properties:
    

    Valid Flag Password Policy

    Description
    A password policy check that evaluates a password's validity according to a user property. Passwords to be verified are accepted or rejected based exclusively on the boolean value of a specific context data field of the user record. The context data key is arbitrary and must be specified in the configuration. By default, a value of "true" means "accept password"; the interpretation may be inverted if required, such that "true" means "reject password".

    This feature can be used to selectively allow/reject passwords on a user basis (e.g. for password change).

    Properties
    Context Data Key (contextDataKey)
    Description
    Context data key of the boolean user property specifying the password's validity. Expected values of this property are true and false.
    Attributes
    String
    Mandatory
    Suggested values
    password-valid, password-invalid
    Valid If True (validIfTrue)
    Description
    Specifies the meaning of the password validity flag: The default interpretation is to accept a password if the value is true. You may invert the behavior such that passwords are rejected when the value is true.
    Attributes
    Boolean
    Optional
    Default value
    true
    Default Value (defaultValue)
    Description
    Specifies the default value of the password validity flag if the value is unspecified or not set in a user record. The value of valid-if-true has no influence on this property.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.authen.PwdPolicyPasswordValidFlagCheck
    id: PwdPolicyPasswordValidFlagCheck-xxxxxx
    displayName: 
    comment: 
    properties:
      contextDataKey:
      defaultValue: true
      validIfTrue: true
    

    Value Provider Map

    Description
    This plugin provides a key-value map where the values are derived from the configured value providers.
    May be used by
    mTAN Transaction Approval Step, Secret Questions Identity Verification Step, Set Authentication Method Migration Step, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Airlock 2FA Self-Service Approval Step, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Account Link Linking Initiation Step, Remote Event Subscriber (Loginapp), Account Link Removal Initiation Step, Missing Account Link Step, CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step,
    Airlock 2FA Message Provider, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, Selection Step for Public Self-Service, OATH OTP Activation Step, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Delete FIDO Credential Initiation Step, Login From New Device Step, OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step,
    Remember-Me User Identifying Step, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, Cronto Message Provider, User Identification By Data Step (Public Self-Service), Translated String Provider, Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Template-based String Provider, Apply Changes Step, User Persisting Step Config, Start User Representation Step, mTAN Message Provider, String From Map Value Provider, Mandatory Password Change Step Config, SMS Event Subscriber (Loginapp), Disable Cronto Device Initiation Step, Email Message Provider, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), FIDO Registration Step, Delete Remember-Me Device Initiation Step,
    Transaction Approval Parameter Step, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Abort Step, mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Username Password Authentication Step, Certificate Credential Extraction Step Config, Set Password Step Config, Password Change Self-Service Step, SSI Verification Step, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation,
    User Role Assignment Step Config, mTAN Self-Service Approval Step, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Delete mTAN Number Initiation Step, SSI Authentication Step, Template-based Username Transformer, Transforming Value Map Provider, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Email Event Subscriber (Loginapp), Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Airlock 2FA Mobile Only Authentication Step, Voluntary Password Change Step, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), Username Generation Step Config, Remember-Me Reset Step, Delete OAuth 2.0 Session Initiation Step, Ticket String Provider Config, OAuth 2.0 Session Reset Step, Selection Step
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.valueprovider.ValueProviderMapProviderConfig
    id: ValueProviderMapProviderConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      valueProviders:
    

    Value Transformation

    Description
    The value transformer transforms a value with a regular expression (regex). Specifically, it searches for the specified pattern and replaces all matches with the replacement string (using the method replaceAll(replacement)).
    May be used by
    Properties
    Regex (regex)
    Description

    Regular expression to match the input value or part of it. The expression '(.+)' matches the whole string and saves it as a group which can be referenced as '$1' in the replacement expression.
    Notice: To match any string, always use "(.+)", and never "(.*)" since the latter also matches against the empty string and thus the replacement will be applied twice.

    Examples:
    • To add the prefix 'IAM_', use Regex='^(.+)$' and Replacement='IAM_$1'.
    • To remove all whitespace from the value, use Regex='\s' and Replacement=''.
    • To remove the domain part of an email address, use Regex='@.*$' and Replacement=''.
    Attributes
    RegEx
    Mandatory
    Replacement (replacement)
    Description
    The expression to replace the matched text with. The first matching group of the regex is denoted '$1'.
    Attributes
    String
    Optional
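The Regex and Replacement properties together behave like Java's String.replaceAll(regex, replacement), including the "(.*)" pitfall from the notice above. The following Python snippet is an added illustration and not part of the Airlock IAM code base: it reproduces the "$n" group-reference semantics on top of Python's re module, runs the three documented examples, and shows why "(.*)" applies the replacement twice. The helper names and the sample input values are constructed for the example.

```python
import re

# Added example (not Airlock IAM code): a model of the Value Transformation
# plugin's behaviour, i.e. Java's String.replaceAll(regex, replacement) with
# "$n" group references, reproduced with Python's re module.


def java_replace_all(regex: str, replacement: str, value: str) -> str:
    """Replace every match of ``regex`` in ``value`` with ``replacement``.

    ``$0``..``$9`` in ``replacement`` refer to capturing groups as in Java;
    every other character of ``replacement`` is taken literally.
    """
    pattern = re.compile(regex)

    def expand(match):
        # Resolve the group references against this particular match.
        # An unmatched optional group expands to "" (Java behaves the same).
        return re.sub(
            r"\$(\d)",
            lambda ref: match.group(int(ref.group(1))) or "",
            replacement,
        )

    # Python 3.7+ replaces an empty match that directly follows a non-empty
    # one, exactly like Java; this is why "(.*)" applies the replacement
    # twice while "(.+)" applies it once.
    return pattern.sub(expand, value)


# The three examples from the Regex description, on constructed inputs.
DOCUMENTED_EXAMPLES = [
    # (regex, replacement, constructed input, purpose)
    ("^(.+)$", "IAM_$1", "alice", "add the prefix IAM_"),
    (r"\s", "", "a l i c e", "remove all whitespace"),
    ("@.*$", "", "alice@example.com", "strip the domain part"),
]


def run_documented_examples() -> dict:
    """Map each documented purpose to the transformed value."""
    return {purpose: java_replace_all(rx, rep, val)
            for rx, rep, val, purpose in DOCUMENTED_EXAMPLES}


def compare_plus_and_star(value: str) -> tuple:
    """Return (result with '(.+)', result with '(.*)') for the prefix case."""
    return (java_replace_all("(.+)", "IAM_$1", value),
            java_replace_all("(.*)", "IAM_$1", value))


if __name__ == "__main__":
    for purpose, result in run_documented_examples().items():
        print(f"{purpose}: {result!r}")
    print(compare_plus_and_star("alice"))  # ('IAM_alice', 'IAM_aliceIAM_')
```

A transformed value typically ends up in a propagated identity (a header, a SAML attribute or a token claim), so the pattern should be anchored as tightly as the documented prefix example does ('^(.+)$'); an unanchored group such as '(.*)' silently duplicates the replacement, and with '(.+)' an empty input stays empty rather than receiving the prefix.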
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.sso.ValueTransformation
    id: ValueTransformation-xxxxxx
    displayName: 
    comment: 
    properties:
      regex:
      replacement:
    

    Vasco Activation Possible

    Description
    Condition that is fulfilled if the user can activate a Vasco (Digipass) OTP device. A Vasco OTP device activation is possible when at least one inactive Vasco OTP device is assigned to the current user.
    May be used by
    mTAN Transaction Approval Step, Default Enable Cronto Push Flow, Secret Questions Identity Verification Step, Default mTAN Deletion Flow, Legacy mTAN Registration Flow, Set Authentication Method Migration Step, Advanced Migration Selection Option, Airlock 2FA Authentication Step, Complete Migration Step, Failure Step, Airlock 2FA Recovery Trusted Session Binding Step, Email Identity Verification Step, Scriptable Step, Custom Protected Self-Service Flow, Airlock 2FA Self-Service Approval Step, Logical NOT, Set Authentication Method Step, OTP Check via RADIUS Step, OAuth 2.0 SSO Step, Cronto Device Selection Step, Default Disable FIDO Credential Flow, FIDO Public Self-Service Approval Step, Cronto Transaction Approval Step, Email OTP Transaction Approval Step, Send Email Link Step, Vasco OTP Public Self-Service Approval Step, Airlock 2FA Public Self-Service Approval Step, mTAN Authentication Step, Risk Assessment Step, Cronto Authentication Step, User Data Edit Step, Logical OR, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Missing Account Link Step,
    CrontoSign Swiss Push Activation Step, Flow Continuation Token Consumption Step, Email Verification Step, SSI Passwordless Authentication Step, Logical AND, Red Flag Raising Step Config, Airlock 2FA Transaction Approval Step, FIDO Credential Selection Step, On Behalf Login Identity Propagation Config, mTAN Number List, Default OAuth 2.0 Consents Delete Flow, Selection Step for Public Self-Service, OATH OTP Activation Step, Default mTAN Token Registration Flow, SSO Ticket Authentication Step, Enable Cronto Push Initiation Step, Default Account Link Removal Flow, Default Account Link Linking Flow, Condition-based Role Provider, Migration Selection Step, SSI Issuance Step, Legacy ID Propagation Adapter, OIDC Flow Condition To ACR Value Mapping, Phone Number Verification Step, mTAN Public Self-Service Approval Step, User Data Registration Step Config, Cronto Approval Stealth Step, Disable FIDO Credential Initiation Step, OAuth 2.0 Client Persisting Step, Selection Option For User Self-Registration, Delete FIDO Credential Initiation Step, Login From New Device Step, Account Linking Lists Self Services,
    OAuth 2.0 Consent Step, Password-only Authentication Step, SMS Identity Verification Step, Cronto Public Self-Service Approval Step, Set Context Data Step, Matrix Public Self-Service Approval Step, Remember-Me Token Generating Step, Device Token List, Selection Option For Self-Service, Flow Condition-based OAuth 2.0 Scope Condition, Delete Cronto Device Initiation Step, Kerberos Authentication Step, Vasco OTP Authentication Step, Device Token Registration Step, Flow Continuation Step, Remember-Me User Identifying Step, Airlock 2FA Device List, Password Reset Step, Enable FIDO Credential Initiation Step, Device Token Authentication Step, Matrix Self-Service Approval Step, User Identification By Data Step (Public Self-Service), Cronto Activation Step, Email OTP Authentication Step, Email Change Verification Step, Email Notification Step, FIDO Self-Service Approval Step, OAuth 2.0 Client Registration Step, Airlock 2FA Activation Step, Airlock 2FA Device Edit Initiation Step, Select mTAN Token Step, Secret Questions Provisioning Step, Airlock 2FA Device Edit Step, Apply Changes Step,
    User Persisting Step Config, Start User Representation Step, Default OAuth 2.0 Session Deletion Flow, Default Cronto Device Removal Flow, Mandatory Password Change Step Config, Target URI ID Propagator, Disable Cronto Device Initiation Step, OAuth 2.0 Consent Grant Initiation Step, Airlock 2FA Activation Trusted Session Binding Step, User Unlock Step (Self-Registration), Default mTAN Token Edit Flow, Cronto Device List, FIDO Registration Step, Delete Remember-Me Device Initiation Step, Transaction Approval Parameter Step, Default FIDO Credential Display Name Change Flow, User Identification Step, User Identification By Data Step, Representation SSO Ticket Identifying Step, Unlock User Step (Public Self-Service), Airlock 2FA Usernameless Authentication Step, Matrix Authentication Step, mTAN Token Edit Step, Enable Cronto Device Initiation Step, Airlock 2FA Activation Letter Order Step, OAuth 2.0 Consent Deny Initiation Step, Tag Removal Step Config, FIDO Authentication Step, Cronto Device Reset Step Config, Default Disable Cronto Push Flow, Abort Step,
    mTAN Token Registration Step, Airlock 2FA Device Delete Initiation Step, Selection Option For Public Self-Service, Username Password Authentication Step, Certificate Credential Extraction Step Config, OAuth 2.0 Session List, Set Password Step Config, Flow Condition To Authentication Context Mapping, Password Change Self-Service Step, SSI Verification Step, Default OAuth 2.0 Consent Deny Flow, Device Token Identity Verification Step Config, Cronto Self-Service Approval Step, FIDO Credential List, Lock Self-Service Step, Password Letter Order Step (Public Self-Service), Default Enable Cronto Device Flow, Airlock 2FA Delete Devices Step, Vasco OTP Self-Service Approval Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, User Role Assignment Step Config, Default Enable FIDO Credential Flow, mTAN Self-Service Approval Step, Selection Option, Rename Cronto Device Step, OATH OTP Authentication Step, User Identification Step (Public Self-Service), Default Cronto Device Renaming Flow, Delete mTAN Number Initiation Step, SSI Authentication Step, Default Disable Cronto Device Flow,
    Password Repository Mapping, Default Remember-Me Device Deletion Flow, mTAN Verification Step, Conditional Value Map Provider, FIDO Credential Display Name Change Step, Application Portal Target Config, Legacy Email OTP Authentication Step, Never Migrate Step, Selection Step for Self-Service, Cronto Letter Order Step Config, No Operation Step, Terms Of Services Step, Role-based Tag Acquisition Step, FIDO Passwordless Authentication Step, Disable Cronto Push Initiation Step, Stop User Representation Step, Acknowledge Message Step, HTTP Basic Authentication Step, Target Applications and Authentication, Airlock 2FA Mobile Only Authentication Step, Generic ID Propagator, Voluntary Password Change Step, Remember-Me Device List, SAML 2.0 SP User Identifying Step, OAuth 2.0 Consents Delete Initiation Step, Airlock 2FA Activation Step (with additional Activation), OAuth 2.0 Consent List, Default OAuth 2.0 Consent Grant Flow, Username Generation Step Config, Remember-Me Reset Step, Default FIDO Credential Removal Flow, Delete OAuth 2.0 Session Initiation Step, OAuth 2.0 Session Reset Step, Selection Step
    Properties
    Token Data Provider (tokenDataProvider)
    Description
    Plugin to load tokens from persistence.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.flow.shared.application.configuration.selection.condition.VascoActivationPossibleConditionConfig
    id: VascoActivationPossibleConditionConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      tokenDataProvider:
    

    Vasco Cronto Handler

    Description
    Handles Cronto functionality for Vasco Cronto (using the Vacman Controller).
    Properties
    Vasco Handler (vascoHandler)
    Description
    Handles calls to the native Vacman Controller.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Enable Online Validation (enableOnlineValidation)
    Description
    If this option is selected, online validation (Scan and Login) is enabled for users with a device that supports online validation.
    Attributes
    Boolean
    Optional
    Default value
    false
    Enable Online Activation (enableOnlineActivation)
    Description
    If this option is selected, online activation is enabled for users with a device that supports this feature. During online activation the user can activate a device by scanning the cryptogram from a letter and the device activates itself without further interaction. If this feature is enabled, anyone with a valid letter can activate a Cronto device without further authentication.
    Attributes
    Boolean
    Optional
    Default value
    false
    Enable Push Notifications (enablePushNotifications)
    Description
    If this option is selected, push notifications are enabled for users with a device that supports this feature.
    Attributes
    Boolean
    Optional
    Default value
    false
    Push App Handler (pushAppHandler)
    Description
    Defines which app is used for push workflows.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Fallback To Offline Validation (fallbackToOfflineValidation)
    Description
    The fallback method from Cronto Push defines which Cronto method is chosen and initiated by IAM if push notifications are enabled and a user has no push-enabled device, but has a device that supports online validation (i.e., smartphone app with push disabled). If this property is enabled, the fallback method from push is offline validation (Scan and TAN). Otherwise, the fallback method is online validation (Scan and Login). Note that the user can in the latter case still choose to be authenticated by offline validation. Furthermore, Scan and TAN will be chosen independently of the value of this property for users that only have hardware devices.
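    The method selection described for the three properties above, written out as a small decision function. This is an added example and not Airlock IAM code; the CrontoDevice fields (hardware, online_validation, push_enabled), the method labels and the assumption that push does not additionally depend on "Enable Online Validation" are this example's own.

```python
"""Added example, not Airlock IAM code: which Cronto method IAM initiates for a
user, following the descriptions of 'Enable Online Validation', 'Enable Push
Notifications' and 'Fallback To Offline Validation'. The CrontoDevice fields
and the method labels are this example's own assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CrontoDevice:
    name: str
    hardware: bool            # hardware token (e.g. DIGIPASS 760): Scan and TAN only
    online_validation: bool   # smartphone app that supports Scan and Login
    push_enabled: bool        # smartphone app with push notifications enabled


SCAN_AND_TAN = "offline validation (Scan and TAN)"
SCAN_AND_LOGIN = "online validation (Scan and Login)"
PUSH = "push notification"

# Constructed sample devices used by the demo below.
HW_TOKEN = CrontoDevice("DIGIPASS 760", hardware=True, online_validation=False, push_enabled=False)
APP_PUSH = CrontoDevice("iOS app, push on", hardware=False, online_validation=True, push_enabled=True)
APP_NO_PUSH = CrontoDevice("Android app, push off", hardware=False, online_validation=True, push_enabled=False)


def select_cronto_method(devices, *, enable_online_validation,
                         enable_push_notifications, fallback_to_offline_validation):
    """Return the Cronto method IAM would initiate for a user with these devices."""
    if not devices:
        raise ValueError("user has no activated Cronto device")
    # Users that only have hardware devices always get Scan and TAN,
    # whatever the handler properties say.
    if all(d.hardware for d in devices):
        return SCAN_AND_TAN
    # Push is used as soon as it is enabled and the user has a push-enabled device
    # (assumption: push does not additionally depend on enableOnlineValidation).
    if enable_push_notifications and any(d.push_enabled for d in devices):
        return PUSH
    has_online_device = any(d.online_validation for d in devices)
    if not (enable_online_validation and has_online_device):
        return SCAN_AND_TAN
    # Fallback from push: push is enabled, the user has no push-enabled device,
    # but does have one that supports online validation.
    if enable_push_notifications and fallback_to_offline_validation:
        return SCAN_AND_TAN
    return SCAN_AND_LOGIN
```

    Note that the fallback flag only matters while push notifications are enabled; with push disabled an online-capable device gets Scan and Login whatever the flag says, and the user may still pick Scan and TAN manually in that case.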
    Attributes
    Boolean
    Optional
    Default value
    false
    Maximum Number Of Activated Devices (maximumNumberOfActivatedDevices)
    Description
    The maximum number of devices that a user can have activated simultaneously.
    Attributes
    Integer
    Optional
    Default value
    99
    Default Allowed Platforms (defaultAllowedPlatforms)
    Description

    Defines the platforms that may be activated per default. This can be overridden by an administrator for each individual letter.

    Currently, the following platform codes are supported:

    • 0: DIGIPASS 760
    • 3: iOS
    • 7: Android
    • 11: Windows phone
    • 13: Blackberry
    • 5: jailbroken iOS
    • 9: rooted Android
    Enter the numbers for all allowed platforms as a comma-separated list (without spaces), e.g. "0,3,7" to allow stand-alone, iOS and Android devices.

    Attributes
    String
    Optional
    Default value
    0,3,7,11,13
    Platform Blacklist (platformBlacklist)
    Description

    Blacklist of blocked platform types. If a type is on this list, it cannot be used for login or transaction signing and new devices of this type cannot be activated, independent of the allowed platforms in the activation letter.

    Currently, the following platform codes are supported:

    • 0: DIGIPASS 760
    • 3: iOS
    • 7: Android
    • 11: Windows phone
    • 13: Blackberry
    • 5: jailbroken iOS
    • 9: rooted Android
    Enter the numbers for all blocked platforms as a comma-separated list (without spaces), e.g. "5,9" to block jailbroken iOS and rooted Android devices.

    Attributes
    String
    Optional
    Show MAC (showMac)
    Description
    If enabled, the device or app must present the calculated MAC to the user.
    Attributes
    Boolean
    Optional
    Default value
    true
    Show Warning (showWarning)
    Description
    If enabled, a flag is set in the challenge (cryptogram) that prompts the app/device to display a warning to the user.
    Attributes
    Boolean
    Optional
    Default value
    false
    Ask Approval (online) (askApproval)
    Description
    If this option is enabled, the user is asked to confirm the signature request during online validation (i.e. Scan&Login and push modes). Disabling this feature can increase usability during the login process but it should always be enabled for transaction approval. With Digipass for Mobile, this option is only effective if used together with the "Show Data" setting.
    Attributes
    Boolean
    Optional
    Default value
    true
    Ask Approval (offline) (askApprovalOffline)
    Description
    If this option is enabled, the user is asked to confirm the signature request during offline validation. This is normally not needed because the user actively approves the transaction/login by manually entering the TAN. Depending on the app implementations, it might be needed for app-to-app setups.
    Attributes
    Boolean
    Optional
    Default value
    false
    Ask for PIN (askForPin)
    Description
    If this option is set, the DigiPass 780 device asks for a PIN each time a transaction is to be signed. Note that this feature is only supported by the DigiPass 780 device.
    Attributes
    Boolean
    Optional
    Default value
    false
    Show Data (showData)
    Description
    If this option is enabled, the transaction data is displayed on the app before online validation. Note that with Digipass for Mobile, this option is only effective if used together with the "Ask Approval" setting. For offline validation (entering TAN manually), the data is always displayed.
    Attributes
    Boolean
    Optional
    Default value
    true
    Template Number (templateNumber)
    Description

    Index (encoded in the challenge cryptogram) that selects the template to be used by the Cronto app to display the challenge data.

    Note that this option is currently not supported by DIGIPASS for Mobile and will be ignored by the application.

    Attributes
    Integer
    Optional
    Default value
    0
    Character Encoding Index (characterEncodingIndex)
    Description

    Index (encoded in the challenge cryptogram) that selects the character encoding (font table index) to be used by the Cronto app to display the challenge data.

    Currently, the following languages are supported:

    • 0: for encoding messages in ISO-8859-15
    • 1: for encoding messages with Katakana support
    • 2: for encoding messages with Central- and East-European languages support
    • 3: for encoding messages with Greek language support

    Attributes
    Integer
    Optional
    Default value
    0
    App Security Version (appSecurityVersion)
    Description
    Minimum application version required to parse the transaction message.
    Attributes
    Integer
    Optional
    Default value
    0
    Challenge Token Lifetime (challengeTokenLifetime)
    Description
    The lifetime in seconds of a challenge token. After the lifetime of a challenge token has expired, no successful validation with this token is possible anymore and the token is deleted upon the next verification request.
    Attributes
    Integer
    Optional
    Default value
    300
    Show Newest Open Transaction Only (showNewestOpenTransactionOnly)
    Description
    If enabled, only the latest open transaction is offered to be signed if push is activated.
    Attributes
    Boolean
    Optional
    Default value
    true
    Store OTP Application for new Devices (storeOtpApplicationForNewDevices)
    Description
    Enable to always store the OTP crypto application upon activation of new devices. Should be enabled if push notifications are planned in the future but are not enabled yet.
    Attributes
    Boolean
    Optional
    Default value
    true
    Future Application Indices (futureApplicationIndices)
    Description

    Comma-separated list of indices of crypto applications that should be saved upon device activation for use cases that are not yet implemented.

    To allow future authentication with push, it is sufficient to enable the "Store OTP Application for new Devices" property.

    Attributes
    String
    Optional
    Log Response Codes (logResponseCodes)
    Description
    If enabled, response codes of Cronto challenge verifications are logged to INFO level.
    Attributes
    Boolean
    Optional
    Default value
    false
    Token Data Provider (tokenDataProvider)
    Description
    Plugin to load tokens from persistence.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Default Number of Letter Usages (defaultNumberOfActivations)
    Description

    Defines how many times an activation letter can be used per default to activate devices or apps. This can always be changed by an administrator for an individual letter.

    Attributes
    Integer
    Optional
    Default value
    8
    Default Letter Validity Time (defaultLetterValidityTime)
    Description
    Defines how long (how many days) an activation letter can be used per default to activate devices or apps. This can always be changed by an administrator for an individual letter. If no value is set, the validity is not limited.
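    How the four letter-related handler properties ("Default Allowed Platforms", "Platform Blacklist", "Default Number of Letter Usages", "Default Letter Validity Time") combine when a device is activated from a letter, as an added example that is not Airlock IAM code. The ActivationLetter and HandlerConfig structures, the function names and the reference time are this example's own assumptions; the platform codes and default values are the ones listed in this reference. It also covers the two edge cases the descriptions call out: the blacklist overrides a letter's allowed platforms, and an unset validity time means the letter never expires.

```python
"""Added example, not Airlock IAM code: an admission check for a Cronto activation
letter combining 'Default Allowed Platforms', 'Platform Blacklist', 'Default Number
of Letter Usages' and 'Default Letter Validity Time'. Data structures, function
names and the reference time T0 are this example's own assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Platform codes as listed in the handler reference.
PLATFORM_CODES = {0: "DIGIPASS 760", 3: "iOS", 7: "Android", 11: "Windows phone",
                  13: "Blackberry", 5: "jailbroken iOS", 9: "rooted Android"}

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference time for the demo


def days_after(days: int) -> datetime:
    return T0 + timedelta(days=days)


def parse_platform_list(value: Optional[str]) -> frozenset:
    """Parse the comma-separated (no spaces) platform list used by both platform
    properties. An empty or unset value means 'no entries'."""
    if value is None or value.strip() == "":
        return frozenset()
    codes = frozenset(int(code) for code in value.split(","))
    unknown = codes - PLATFORM_CODES.keys()
    if unknown:
        raise ValueError(f"unknown platform codes: {sorted(unknown)}")
    return codes


@dataclass(frozen=True)
class HandlerConfig:
    default_allowed_platforms: str = "0,3,7,11,13"      # handler default value
    platform_blacklist: str = ""                         # unset by default
    default_number_of_activations: int = 8               # handler default value
    default_letter_validity_time: Optional[int] = None   # days; None = not limited


@dataclass
class ActivationLetter:
    created: datetime
    allowed_platforms: str          # an administrator may override this per letter
    remaining_usages: int
    validity_days: Optional[int]    # None = not limited


def new_letter(cfg: HandlerConfig, created: datetime) -> ActivationLetter:
    """A new letter starts with the handler defaults; an administrator may change them."""
    return ActivationLetter(created, cfg.default_allowed_platforms,
                            cfg.default_number_of_activations,
                            cfg.default_letter_validity_time)


def check_activation(letter: ActivationLetter, cfg: HandlerConfig,
                     platform_code: int, now: datetime) -> Optional[str]:
    """Return None if the letter may activate a device of this platform,
    otherwise the reason for refusal."""
    # The blacklist wins over anything the letter allows.
    if platform_code in parse_platform_list(cfg.platform_blacklist):
        return "platform blacklisted"
    if platform_code not in parse_platform_list(letter.allowed_platforms):
        return "platform not allowed by letter"
    if letter.remaining_usages <= 0:
        return "no usages left"
    if letter.validity_days is not None and now > letter.created + timedelta(days=letter.validity_days):
        return "letter expired"
    return None


def activate(letter: ActivationLetter, cfg: HandlerConfig,
             platform_code: int, now: datetime) -> bool:
    """Consume one letter usage if the check passes."""
    if check_activation(letter, cfg, platform_code, now) is not None:
        return False
    letter.remaining_usages -= 1
    return True
```

    With the handler defaults a new letter allows platforms 0, 3, 7, 11 and 13, can be used eight times and never expires; setting "5,9" as blacklist refuses jailbroken or rooted devices even on a letter an administrator explicitly extended to them.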
    Attributes
    Integer
    Optional
    Selectable As Auth Method (selectableAsAuthMethod)
    Description
    Disable to prevent CrontoSign from being selected as active authentication method.
    Attributes
    Boolean
    Optional
    Default value
    true
    Selectable As Next Auth Method (selectableAsNextAuthMethod)
    Description
    Disable to prevent CrontoSign from being selected as the next authentication method (migration).
    Attributes
    Boolean
    Optional
    Default value
    true
    Enable On-Screen Activation (enableOnScreenActivation)
    Description
    If enabled, allows users to register Cronto devices with an on-screen activation cryptogram. This is typically the case when users do not have activation letters. If on-screen activation with a letter must be possible, enable "Enable On-Screen Activation With Letter".

    On-screen activation is only possible in two situations: (1) during credential migration and (2) when activating an additional device.

    Attention: make sure that such an activation can only be accessed by strongly authenticated users. For this, the "Strong Authentication Tag" must be configured on the following plugins (if used):
    • Cronto Activation Step
    • Cronto Activation Possible
    • Cronto Activation Required
    Attributes
    Boolean
    Optional
    Default value
    false
    Enable On-Screen Activation With Letter (enableOnScreenActivationWithLetter)
    Description
    If enabled, allows users who have a Cronto activation letter to register Cronto devices with the activation cryptogram from the letter being displayed in the browser.

    Attention: make sure that such an activation can only be accessed by strongly authenticated users (refer to the documentation of "Enable On-Screen Activation")

    Attributes
    Boolean
    Optional
    Default value
    false
    Available Printing Options (availableOrderOptions)
    Description
    If several different ways of printing the letter are needed (for example to print locally or via the central printer, or to also order a device), then these printing options can be defined. Each printing option can be assigned its own printing task.
    Attributes
    String-List
    Optional
    Default value
    [default]
    Options Resource Key Prefix (optionsResourceKeyPrefix)
    Description
    If this property is defined, the order options are assumed to be resource keys and are used together with the prefix defined here to display a translated version of the options. If left empty, the options are displayed as defined above.
    Attributes
    String
    Optional
    Default value
    cronto-order-option.
    Default Printing Options (defaultOrderOptions)
    Description
    Defines the default order options for a new letter (what will be set for a new letter).
    Attributes
    String-List
    Optional
    Default value
    [default]
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.cronto.vascocronto.VascoCrontoHandler
    id: VascoCrontoHandler-xxxxxx
    displayName: 
    comment: 
    properties:
      appSecurityVersion: 0
      askApproval: true
      askApprovalOffline: false
      askForPin: false
      availableOrderOptions: [default]
      challengeTokenLifetime: 300
      characterEncodingIndex: 0
      defaultAllowedPlatforms: 0,3,7,11,13
      defaultLetterValidityTime:
      defaultNumberOfActivations: 8
      defaultOrderOptions: [default]
      enableOnScreenActivation: false
      enableOnScreenActivationWithLetter: false
      enableOnlineActivation: false
      enableOnlineValidation: false
      enablePushNotifications: false
      fallbackToOfflineValidation: false
      futureApplicationIndices:
      logResponseCodes: false
      maximumNumberOfActivatedDevices: 99
      optionsResourceKeyPrefix: cronto-order-option.
      platformBlacklist:
      pushAppHandler:
      selectableAsAuthMethod: true
      selectableAsNextAuthMethod: true
      showData: true
      showMac: true
      showNewestOpenTransactionOnly: true
      showWarning: false
      storeOtpApplicationForNewDevices: true
      templateNumber: 0
      tokenDataProvider:
      vascoHandler:
    

    Vasco Cronto Online Activation Token Clean-up Strategy

    Description
    Task strategy that deletes all temporary online activation tokens which have not been consumed after a configured time.
    May be used by
    Properties
    Token Data Provider (tokenDataProvider)
    Description
    The token data provider plugin is used to read all tokens to be handled by this task. Should be configured to only return the tokens that should be handled by this task.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Seconds To Keep Online Activation Token (secondsToKeepOnlineActivationToken)
    Description
    The number of seconds to keep the temporary online activation token after its creation date.
    Attributes
    Integer
    Optional
    Default value
    300
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.token.VascoCrontoOnlineActivationTokenCleanUpStrategyConfig
    id: VascoCrontoOnlineActivationTokenCleanUpStrategyConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      secondsToKeepOnlineActivationToken: 300
      tokenDataProvider:
    

    Vasco Cronto Token Manager

    Description
    Token manager for Vasco Cronto account (master activation) tokens.
    May be used by
    Properties
    Cronto Handler (crontoHandler)
    Description
    Cronto handler for all Cronto functionality.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.tokens.vasco.VascoCrontoTokenManager
    id: VascoCrontoTokenManager-xxxxxx
    displayName: 
    comment: 
    properties:
      crontoHandler:
    

    Vasco Letter Generator

    Description
    Configuration settings for the generation of Vasco letters.
    Properties
    Report Renderer (reportRenderer)
    Description
    Tells this task which generic renderer to use to render reports.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    File Name Suffix (fileNameSuffix)
    Description
    Filename suffix for rendered report files. The indicated suffix is appended to the generated reports. This may be required if the files are processed (e.g. printed) by another process (manual or automatic).
    Attributes
    String
    Optional
    Suggested values
    .pdf, .txt
    User Persister (userPersister)
    Description
    The user persister plug-in used to load and store user information.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Recipient Email Address (recipientEmailAddress)
    Description
    The recipient's email address.
    Attributes
    String
    Mandatory
    Example
    airlock@yourcompany.com
    Example
    authserver@intranet.net
    Language Attribute Name (languageAttributeName)
    Description
    Tells the report renderer which attribute in the context data container contains the language to be used. If this property is configured and if the context data container of the user has a value for this attribute, it is used when calling the report renderer plug-in.
    Attributes
    String
    Optional
    Suggested values
    language
    Email Subject (emailSubject)
    Description
    The subject of the email to be sent.
    Attributes
    String
    Optional
    Default value
    Vasco Token activation
    Email Body (emailBody)
    Description
    The body of the email to be sent.
    Attributes
    String
    Optional
    Multi-line-text
    Default value
    Please refer to the attached document for token details.
    Email Service (emailService)
    Description
    Email service plugin. This defines what mail server is used for sending the email. It also defines the sender address and whether the email should be signed or not.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.vasco.VascoLetterGenerator
    id: VascoLetterGenerator-xxxxxx
    displayName: 
    comment: 
    properties:
      emailBody: Please refer to the attached document for token details.
      emailService:
      emailSubject: Vasco Token activation
      fileNameSuffix:
      languageAttributeName:
      recipientEmailAddress:
      reportRenderer:
      userPersister:
    

    Vasco OTP Authentication Step

    Description
    Configuration for a Vasco OTP authentication flow step. Can also be used for migration to Vasco OTP.
    Properties
    Vasco Handler (vascoHandler)
    Description
    The Vasco Handler uses the native Vacman Controller to verify the OTPs.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token Data Provider (tokenDataProvider)
    Description
    Token Data Provider that manages the Vasco tokens.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    VASCO_OTP
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.authentication.application.configuration.vasco.VascoOtpAuthStepConfig
    id: VascoOtpAuthStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: VASCO_OTP
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      tokenDataProvider:
      vascoHandler:
    

    Vasco OTP Device Activation

    Description
    Allows activating assigned but not yet activated Vasco (Digipass) OTP devices.
    Properties
    Token Data Provider (tokenDataProvider)
    Description
    The service layer to access the persistence layer.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Vasco Handler (vascoHandler)
    Description
    Vasco Handler used to verify the OTP.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Visible Digits (visibleDigits)
    Description
    The number of visible digits for the selectable device IDs. The rest of the digits are masked.
    Attributes
    Integer
    Optional
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    VASCO_OTP
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.VascoOtpDeviceActivationStepConfig
    id: VascoOtpDeviceActivationStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: VASCO_OTP
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      tokenDataProvider:
      vascoHandler:
      visibleDigits:
    

    Vasco OTP Public Self-Service Approval Step

    Description
    Step to check a Vasco OTP to approve an operation.

    Note that unlike identity verification steps, approval steps require an existing user and cannot prevent username enumeration (no stealth mode). It is therefore important that approval steps are only used after an identity verification step.

    Be aware that Vasco OTP approval does not allow verification of the data via a separate channel. If this additional level of security is required, use Airlock 2FA, Cronto or mTAN approval.

    Properties
    Vasco Handler (vascoHandler)
    Description
    The Vasco Handler uses the native Vacman Controller to verify the OTPs.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token Data Provider (tokenDataProvider)
    Description
    Token Data Provider that manages the Vasco tokens.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.
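    The counter-reset problem described under "Authentication Method ID" and the routing described under "On Failure Gotos" (both properties appear on each Vasco step above) share one mechanism: a failed-attempts counter keyed by user and authentication method ID. The following added example, which is not Airlock IAM code, models that mechanism so the effect of a shared versus a distinct method ID, and of "Strict Counting" on EXTERNAL_SERVICE_UNAVAILABLE, can be observed. Only EXTERNAL_SERVICE_UNAVAILABLE is an error code from this reference; the lockout threshold, the INVALID_CREDENTIAL code, the step attribute used for strict counting and the step names are this example's own assumptions.

```python
"""Added example, not Airlock IAM code: a model of the per-method 'failed attempts'
counter described under 'Authentication Method ID' and of the 'On Failure Gotos'
routing. Only EXTERNAL_SERVICE_UNAVAILABLE is taken from the reference; the other
names, the threshold and the strict_counting step attribute are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

MAX_FAILED_ATTEMPTS = 3                      # assumed lockout threshold for this model
EXTERNAL_SERVICE_UNAVAILABLE = "EXTERNAL_SERVICE_UNAVAILABLE"
INVALID_CREDENTIAL = "INVALID_CREDENTIAL"    # assumed code for a wrong password/OTP


class FailedAttemptCounters:
    """Failed attempts are counted per (user, authentication method id)."""
    def __init__(self):
        self._counts = defaultdict(int)

    def count(self, user, method_id):
        return self._counts[(user, method_id)]

    def locked(self, user, method_id):
        return self.count(user, method_id) >= MAX_FAILED_ATTEMPTS

    def increment(self, user, method_id):
        self._counts[(user, method_id)] += 1

    def reset(self, user, method_id):
        self._counts[(user, method_id)] = 0


@dataclass
class AuthStep:
    name: str
    method_id: str                                  # the 'Authentication Method ID'
    verify: Callable[[str, str], Optional[str]]     # None on success, else an error code
    on_failure_gotos: Dict[str, str] = field(default_factory=dict)
    strict_counting: bool = False                   # assumed stand-in for "Strict Counting"


def run_step(step, counters, user, credential):
    """Execute one step for a user. Returns (result, goto_target)."""
    if counters.locked(user, step.method_id):
        return ("LOCKED", None)
    error = step.verify(user, credential)
    if error is None:
        counters.reset(user, step.method_id)      # a successful login resets the counter
        return ("SUCCESS", None)
    # EXTERNAL_SERVICE_UNAVAILABLE is not a failed factor attempt unless strict counting is on.
    if error != EXTERNAL_SERVICE_UNAVAILABLE or step.strict_counting:
        counters.increment(user, step.method_id)
    target = step.on_failure_gotos.get(error)
    if target is not None:
        return ("GOTO", target)
    return ("FAILED", None)


def guesses_before_lock(shared_method_id: bool, rounds: int = 10) -> int:
    """The scenario from the description: the attacker knows password 1 (flow A) and
    guesses password 2 (flow B), logging in on flow A after each failed guess.
    Returns how many guesses flow B evaluates before the user is locked."""
    id_a, id_b = ("PASSWORD", "PASSWORD") if shared_method_id else ("PASSWORD1", "PASSWORD2")
    step_a = AuthStep("flow A", id_a, lambda u, c: None if c == "known-pw-1" else INVALID_CREDENTIAL)
    step_b = AuthStep("flow B", id_b, lambda u, c: None if c == "secret-pw-2" else INVALID_CREDENTIAL)
    counters = FailedAttemptCounters()
    evaluated = 0
    for i in range(rounds):
        result, _ = run_step(step_b, counters, "alice", f"guess-{i}")
        if result == "LOCKED":
            break
        evaluated += 1
        run_step(step_a, counters, "alice", "known-pw-1")   # resets the counter for id_a only
    return evaluated


def route_on_unavailable(strict_counting: bool):
    """The 'On Failure Gotos' example: the external service is down and the step jumps
    to an alternative factor step; the counter moves only with strict counting."""
    step = AuthStep("vasco-otp", "VASCO_OTP", lambda u, c: EXTERNAL_SERVICE_UNAVAILABLE,
                    on_failure_gotos={EXTERNAL_SERVICE_UNAVAILABLE: "mtan-step"},
                    strict_counting=strict_counting)
    counters = FailedAttemptCounters()
    result = run_step(step, counters, "alice", "123456")
    return result, counters.count("alice", "VASCO_OTP")
```

    With a shared method ID the flow B counter is cleared by every flow A login, so the number of evaluated guesses is bounded only by the attacker's patience; with PASSWORD1/PASSWORD2 the lock takes effect after MAX_FAILED_ATTEMPTS guesses. The second function shows that a goto on EXTERNAL_SERVICE_UNAVAILABLE leaves the counter untouched unless strict counting is enabled, which is why that error code is the typical candidate for a fallback factor.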

    Attributes
    String
    Optional
    Length <= 23
    Default value
    VASCO_OTP
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.publicselfservice.application.configuration.steps.PublicSelfServiceVascoOtpApprovalStepConfig
    id: PublicSelfServiceVascoOtpApprovalStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: VASCO_OTP
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      tokenDataProvider:
      vascoHandler:
    

    Vasco OTP Self-Service Approval Step

    Description
    Step to check a Vasco OTP to approve an operation.

    Be aware that Vasco OTP approval does not allow verification of the data via a separate channel. If this additional level of security is required, use Airlock 2FA, Cronto or mTAN approval.

    Properties
    Vasco Handler (vascoHandler)
    Description
    The Vasco Handler uses the native Vacman Controller to verify the OTPs.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token Data Provider (tokenDataProvider)
    Description
    Token Data Provider that manages the Vasco tokens.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

    Attributes
    String
    Optional
    Length <= 23
    Default value
    VASCO_OTP
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.selfservice.application.configuration.step.VascoOtpSelfServiceApprovalStepConfig
    id: VascoOtpSelfServiceApprovalStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: VASCO_OTP
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      onFailureGotos:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
      tokenDataProvider:
      vascoHandler:
    

    Vasco OTP Token Controller

    Description
    Configures the token controller to manage Vasco OTP tokens.
    Properties
    Auto Order Token (autoOrderToken)
    Description
    Set this flag to true to automatically order a letter when a Vasco token is assigned to a user.
    Attributes
    Boolean
    Optional
    Default value
    false
    Only Enabled Tokens Assignable (onlyActiveTokensAssignable)
    Description
    If set to true, only enabled tokens are assignable to a user. Otherwise, enabled and disabled tokens can be assigned.
    Attributes
    Boolean
    Optional
    Default value
    true
    Assign Token To Multiple Users (assignTokenToMultipleUsers)
    Description
    Whether it should be allowed to assign the same token to multiple users.
    Attributes
    Boolean
    Optional
    Default value
    false
    Available Additional Information (availableAdditionalInformation)
    Description
    Token assignments can be enriched with additional information, e.g. how the token was handed to the user (in person or by mail). This list defines the set of allowed values. A value defined here is used in two ways: first, it is stored in the persistence layer; second, it is used for display: if a resource key prefix is defined below, the prefix concatenated with the value is used to look up a translated text in the string container, otherwise the value is displayed directly. If left empty, no additional information can be selected during assignment and no information is shown.
    Attributes
    String-List
    Optional
    Allow Empty Additional Information (allowEmptyAdditionalInformation)
    Description
    If set to true, then the additional information field may be set to null.
    Attributes
    Boolean
    Optional
    Default value
    true
    Additional Info Resource Key Prefix (additionalInfoResourceKeyPrefix)
    Description
    If this property is defined, the string values defined for additional information are assumed to be resource keys and are used together with the prefix defined here to display a translated version of the options. If left empty, the additional information strings are displayed as defined above.
    Attributes
    String
    Optional
    May Be Selected As Next Auth Method (mayBeSelectedAsNextAuthMethod)
    Description
    Set this flag to false to prevent this credential from being selected as the next (migration) authentication method.
    Attributes
    Boolean
    Optional
    Default value
    true
    Vasco Letter Generator (vascoLetterGenerator)
    Description
    If specified, vasco letters can be generated from the admintool for immediate transmission.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Show Warning Within Token Assignment Dialog (showWarningWithinTokenAssignmentDialog)
    Description
    If this property is set to true, a warning will be shown within the token assignment dialog. The administrator has to confirm this warning when assigning a token to a user. To define the warning to be displayed, please edit the resource key user.vasco.device.assign.confirm-message.
    Attributes
    Boolean
    Optional
    Default value
    false
    Enable Comment (enableComment)
    Description
    If this property is set to true, a comment field is shown within the token assignment page. To set the label, please edit the resource key assignment.comment-label.
    Attributes
    Boolean
    Optional
    Default value
    false
    Allow Empty Comment (allowEmptyComment)
    Description
    If set to true, then the comment field may be set to null / empty string.
    Attributes
    Boolean
    Optional
    Default value
    false
    Notifier (notifier)
    Description
    If this plugin is configured with a Notifier, the user is notified if an Administrator assigns a Vasco Token. The following variables can be used in the Notifier plugin in the notification template:
    • $USERNAME$
    • $SERIALID$
    These variables will be replaced with the actual values when the notification is sent to a user.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.vasco.VascoOtpTokenControllerConfig
    id: VascoOtpTokenControllerConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      additionalInfoResourceKeyPrefix:
      allowEmptyAdditionalInformation: true
      allowEmptyComment: false
      assignTokenToMultipleUsers: false
      autoOrderToken: false
      availableAdditionalInformation:
      enableComment: false
      mayBeSelectedAsNextAuthMethod: true
      notifier:
      onlyActiveTokensAssignable: true
      showWarningWithinTokenAssignmentDialog: false
      vascoLetterGenerator:
    

    Vasco OTP Token Manager

    Description
    A token manager for Vasco Digipass OTP (response only) tokens.
    May be used by
    Properties
    Token Data Provider (tokenDataProvider)
    Description
    The token data provider loads, saves and updates tokens in the persistence layer.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Vasco Handler (vascoHandler)
    Description
    The Vasco handler provides access to the Vacman Controller native library.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Enable Imported Tokens (enableImportedTokens)
    Description
    If set to true, imported tokens are enabled immediately. Otherwise, they remain disabled.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.admin.application.configuration.tokens.vasco.VascoOtpTokenManager
    id: VascoOtpTokenManager-xxxxxx
    displayName: 
    comment: 
    properties:
      enableImportedTokens: true
      tokenDataProvider:
      vascoHandler:
    

    Vasco Runtime Parameters

    Description

    Configuration settings of the Vasco Verifier.

    May be used by
    Properties
    Allowed Token Types (allowedTokenTypes)
    Description
    This list defines all allowed token types. If an attempt is made to import a token of a different type, an error is thrown. If this property is not set, all types are allowed.
    Attributes
    String-List
    Optional
    Allowed Application Names (allowedApplicationNames)
    Description
    This list defines the allowed applications of Vasco tokens to be imported. The first application that matches is used for all tokens to be imported. If this property is not set, the first application reported by the Vacman Controller is used.
    Attributes
    String-List
    Optional
    I Time Window (iTimeWindow)
    Description

    Determines the acceptable time difference (in time steps) between a Vasco token and the host system during authentication. The duration of a time step is characteristic of the Vasco token model in use.

    The required number of time steps can be calculated as follows (rounded up to the next multiple of 2):

    ((Maximum period of inactivity in days * Maximum token clock drift per day) * 2) / Time step of token

    where the maximum token clock drift per day is 2 seconds.

    If this property is not set, the vacman controller default of 100 is used.

    Attributes
    Integer
    Optional
    Default value
    23
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.vasco.VascoRuntimeParameters
    id: VascoRuntimeParameters-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedApplicationNames:
      allowedTokenTypes:
      iTimeWindow: 23
    

    Vasco Token Report Strategy

    Description
    This task strategy plugin iterates over token records and, if certain conditions are met, executes a report renderer on the token. It is intended to produce, for example, letters for newly issued tokens.

    The task uses a token persister plugin to go through the set of tokens for which a report should be rendered using the configured report renderer.

    May be used by
    Properties
    Manage Token Data Provider (manageTokenDataProvider)
    Description
    The token data provider plug-in is used to access all tokens (not only those for which a report should be created), e.g. to retrieve a new token to be assigned.
    It should be configured to return all accessible tokens.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Select New Token (selectNewToken)
    Description
    Controls whether the next available token should be automatically assigned if no hardware token is assigned.
    Attributes
    Boolean
    Optional
    Default value
    false
    Vasco Token Service (vascoTokenService)
    Description
    The service layer.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token Data Provider (tokenDataProvider)
    Description
    The token data provider plugin is used to read all tokens to be handled by this task. Should be configured to only return the tokens that should be handled by this task.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Report Type Short Desc (reportTypeShortDesc)
    Description
    Defines a short textual description of the type of the report being rendered.
    The text is used in the user trail log written when a report is rendered. Please specify a text like in the examples below, so it suits the structure of the log statement it is used in.
    Attributes
    String
    Optional
    Default value
    UNSPECIFIED
    Example
    password letter
    Example
    keyfile accompanying report
    Example
    mobile number registration letter
    User Store (userStore)
    Description
    The user store to retrieve all user data.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Report Renderer (reportRenderer)
    Description
    Tells this task which generic renderer to use to render reports.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Barcode Generator (barcodeGenerator)
    Description

    Optional barcode generator. If this property is configured, a barcode image and the corresponding barcode content are added to the parameter map accessible by report templates. The following keys are defined:

    • BarcodeImage: placeholder for the barcode image.
    • BarcodeContent: placeholder for the barcode content.
    • BarcodeContentDisplay: placeholder for the barcode content in a human-readable format.

    Tracking ID: If the "tracking ID" field is configured in the token data provider the generated barcode content is automatically stored in the token. This is useful for future reference, e.g., for tracking active shipments.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Language Attribute Name (languageAttributeName)
    Description
    Tells the report task which attribute in the context data container contains the language to be used for rendering the password. If this property is configured and if the context data container of the user has a value for this attribute, it is used when calling the report renderer plug-in.
    Attributes
    String
    Optional
    Suggested values
    language
    Output Directory (outputDirectory)
    Description
    Directory in the file system to put the rendered reports in. The directory is either absolute or relative to the JVM's current directory.

    This property is not required if the renderer plugin (see separate property) does not write to the output stream (e.g. sends the report somewhere else). It is required otherwise.

    Note: If this property is not defined and the configured renderer plugin writes to the output stream, the result (e.g. a PDF file) is lost.

    Attributes
    File/Path
    Optional
    Working Directory (workingDirectory)
    Description
    A writable directory used to store partial reports.
    If this property is defined, the credential reports are not generated directly into the output directory (see the other property) but into this working directory, and are moved to the output directory once they are complete.
    This prevents processes that automatically pick up rendered reports from reading partial reports during generation. Make sure that the working directory and the output directory reside in the same file system; otherwise the move of the generated file is not atomic.
    The directory is either absolute or relative to the JVM's current directory.
    Attributes
    File/Path
    Optional
    Delete Old Reports (deleteOldReports)
    Description
    Deletes old rendered reports of a user from the file system when a new one is rendered. Setting this to TRUE results in at most one rendered report of this type per user.
    Caution: This feature deletes all reports whose name starts with the prefix configured by the property "file-name-prefix" followed by the user's name. You must therefore make sure that different report types use different filename prefixes.
    Attributes
    Boolean
    Optional
    Default value
    false
    File Name Prefix (fileNamePrefix)
    Description
    Filename prefix for rendered report files. It is important to set this to a value that is unique to the kind of reports generated by this task. When this task deletes old reports, it looks at this prefix (and the user id) to determine which files to delete. Thus, if this prefix is the same as for other reports and they reside in the same directory, other reports may be deleted.
    Do not use the prefix "pwd-" or the empty prefix if password or token list reports are stored in the same directory: the empty prefix is the default for token lists (matrix cards) and "pwd-" is the default for password letters.
    Attributes
    String
    Mandatory
    Example
    token-letter
    Example
    smartcardLetter
    File Name Suffix (fileNameSuffix)
    Description
    Filename suffix for rendered report files. The indicated suffix is appended to the generated reports. This may be required if the files are processed (e.g. printed) by another process (manual or automatic).
    Attributes
    String
    Mandatory
    Suggested values
    .pdf, .docx, .txt
    Aggregate Report (aggregateReport)
    Description
    Optional property to describe an aggregate report over all generated reports in a batch. If none is configured, no aggregate report will be generated.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Required Order Options (requiredOrderOptions)
    Description
    Order options that have to be set for this task to handle the order. Leave empty to handle all orders with the "order new" flag set. Several options can be comma-separated, in which case ALL listed options must be set for an order to be handled.
    Attributes
    String-List
    Optional
    Excluding Order Options (excludingOrderOptions)
    Description
    Order options that, if set, will exclude the order from being handled by this task. Leave empty to not exclude any orders. Several options can be comma-separated, in which case ANY listed option excludes the order from being handled by this task.
    Attributes
    String-List
    Optional
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.token.VascoTokenReportStrategyConfig
    id: VascoTokenReportStrategyConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      aggregateReport:
      barcodeGenerator:
      deleteOldReports: false
      excludingOrderOptions:
      fileNamePrefix:
      fileNameSuffix:
      languageAttributeName:
      manageTokenDataProvider:
      outputDirectory:
      reportRenderer:
      reportTypeShortDesc: UNSPECIFIED
      requiredOrderOptions:
      selectNewToken: false
      tokenDataProvider:
      userStore:
      vascoTokenService:
      workingDirectory:
    

    Vasco Token Service

    Description
    Services for Vasco Digipass OTP (response only) tokens.
    Properties
    Token Data Provider (tokenDataProvider)
    Description
    Plugin to load tokens from persistence.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Enable Imported Tokens (enableImportedTokens)
    Description
    If set to true, imported tokens are enabled immediately. Otherwise, they remain disabled.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.tokenservice.VascoTokenService
    id: VascoTokenService-xxxxxx
    displayName: 
    comment: 
    properties:
      enableImportedTokens: true
      tokenDataProvider:
    

    Vasco Token Verifier

    Description
    A token verifier based on the Vasco Vacman controller.
    May be used by
    Properties
    Vasco Handler (vascoHandler)
    Description
    The Vasco Handler uses the native Vacman Controller to verify the OTPs.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Token Data Provider (tokenDataProvider)
    Description
    Token Data Provider that manages the Vasco tokens.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.tokenverifier.vasco.VascoTokenVerifier
    id: VascoTokenVerifier-xxxxxx
    displayName: 
    comment: 
    properties:
      tokenDataProvider:
      vascoHandler:
    

    Voluntary Password Change Step

    Description
    A flow step to voluntarily change the password within an authentication flow.
    Properties
    Old Password Required (oldPasswordRequired)
    Description
    If enabled, the old password is required for the password change. If disabled, the password from the authentication is used as the old password. In this case, the same "Password Attribute Key" must be configured in both the password authentication step and the voluntary password change step.
    Attributes
    Boolean
    Optional
    Default value
    true
    Password Policy (passwordPolicy)
    Description
    The password policy that the new password is checked against.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Old Password Attempts (oldPasswordAttempts)
    Description
    If this property is defined, the flow is aborted when the number of failed attempts on the old password reaches this limit. Failed attempts on the old password always count as failed logins, even if not limited here.
    Attributes
    Integer
    Optional
    Authentication Method ID (authenticationMethodId)
    Description
    The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

    Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

    If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

    To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.
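The counter-reset problem described here (and identically in the Authentication Method ID descriptions of the two Vasco OTP approval steps above), as an added Python simulation that is not part of Airlock IAM: the lockout threshold of 3, the two flows and the guess list are constructed assumptions. With a shared ID "PASSWORD", the attacker's successful flow A login resets the very counter flow B increments, so guessing on flow B never locks; with PASSWORD1 and PASSWORD2, flow B locks after three failures.

```python
"""Simulation of a shared failed-attempts counter across two password steps
(constructed example, not Airlock IAM code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold for this simulation

# Constructed guess list; the user's real password 2 is the last entry.
GUESSES: List[str] = ["password", "letmein", "qwerty", "123456", "welcome1", "hunter2"]


@dataclass
class Account:
    """A user for whom the system tracks two independent passwords."""
    password1: str
    password2: str
    # failed-attempt counters keyed by Authentication Method ID
    failed: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)


class PasswordStep:
    """One password step instance bound to a credential and a method ID."""

    def __init__(self, method_id: str, credential: str) -> None:
        self.method_id = method_id    # the step's authenticationMethodId
        self.credential = credential  # attribute name: "password1" or "password2"

    def check(self, acct: Account, supplied: str) -> bool:
        """Verify a password; a success resets the counter for this method ID."""
        if self.method_id in acct.locked:
            return False
        if supplied == getattr(acct, self.credential):
            acct.failed[self.method_id] = 0
            return True
        count = acct.failed.get(self.method_id, 0) + 1
        acct.failed[self.method_id] = count
        if count >= MAX_FAILED_ATTEMPTS:
            acct.locked.add(self.method_id)
        return False


def run_attack(shared_id: bool, guesses: List[str]) -> Tuple[int, Optional[str]]:
    """Attacker knows password 1 (flow A) and guesses password 2 (flow B).

    Whenever the next wrong guess on flow B would trip the lockout, the
    attacker first logs in successfully on flow A. Returns the number of
    guesses made on flow B and the recovered password 2, or None if flow B
    locked before it was found.
    """
    acct = Account(password1="known-to-attacker", password2="hunter2")  # constructed
    method_a = "PASSWORD" if shared_id else "PASSWORD1"
    method_b = "PASSWORD" if shared_id else "PASSWORD2"
    flow_a = PasswordStep(method_a, "password1")
    flow_b = PasswordStep(method_b, "password2")

    made = 0
    for guess in guesses:
        if acct.failed.get(method_b, 0) == MAX_FAILED_ATTEMPTS - 1:
            # A successful login on flow A resets the counter for method_a;
            # with a shared ID that is also the counter flow B uses.
            flow_a.check(acct, acct.password1)
        made += 1
        if flow_b.check(acct, guess):
            return made, guess
        if method_b in acct.locked:
            return made, None
    return made, None


if __name__ == "__main__":
    print("shared PASSWORD    :", run_attack(True, GUESSES))   # (6, 'hunter2')
    print("PASSWORD1/PASSWORD2:", run_attack(False, GUESSES))  # (3, None)
```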

    Attributes
    String
    Optional
    Length <= 23
    Default value
    PASSWORD
    Password Attribute Key (passwordAttributeKey)
    Description

    The optional key under which the new password is made available in the identity propagation.

    The password can be retrieved from the session using the "User Passwords Map" value map provider.

    If no key is configured, the new password will not be made available in the flow attributes, and cannot be used by identity propagators.

    Note: This feature will not work together with end-to-end encryption.

    Attributes
    String
    Optional
    Suggested values
    PASSWORD
    Interactive Goto Targets (interactiveGotoTargets)
    Description
    Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Dynamic Step Activations (dynamicStepActivations)
    Description
    Steps that can be dynamically activated while in this step.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Skip Condition (skipCondition)
    Description

    If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Pre Condition (preCondition)
    Description
    This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Requires Activation (requiresActivation)
    Description
    If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
    Attributes
    Boolean
    Optional
    Default value
    false
    Tags On Success (tagsOnSuccess)
    Description
    This step grants these tags if it completes successfully.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Step ID (stepId)
    Description
    ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    On Failure Gotos (onFailureGotos)
    Description

    If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

    A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    Custom Response Attributes (customResponseAttributes)
    Description

    A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

    Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

    Custom attributes are not returned for 'retrieve' endpoints.

    Attributes
    Plugin-List
    Optional
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.application.configuration.password.VoluntaryPasswordChangeStepConfig
    id: VoluntaryPasswordChangeStepConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      authenticationMethodId: PASSWORD
      customFailureResponseAttributes:
      customResponseAttributes:
      dynamicStepActivations:
      interactiveGotoTargets:
      oldPasswordAttempts:
      oldPasswordRequired: true
      onFailureGotos:
      passwordAttributeKey:
      passwordPolicy:
      passwordRepository:
      preCondition:
      requiresActivation: false
      skipCondition:
      stepId:
      tagsOnSuccess:
    

    Whitelist HTTP Signature Headers

    Description
    Verifies that only the whitelisted signature headers are included in the signature.
    Properties
    Allowed Signed Headers (allowedHttpSignatureHeaders)
    Description
    Defines which headers are allowed to be included in the signature. If the signature contains a header that is not whitelisted, the verification fails.
    Attributes
    Plugin-List
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.login.app.misc.oneshot.impl.HttpSignatureHeadersWhitelistConfig
    id: HttpSignatureHeadersWhitelistConfig-xxxxxx
    displayName: 
    comment: 
    properties:
      allowedHttpSignatureHeaders:
    

    Word Template Password Renderer

    Description
    Simple password renderer using Aspose.Words to produce a file from a normal Microsoft Word file. Supported document types for the template are: DOC, DOCX, RTF and ODF. The format of the generated file is configurable.

    Report Parameters (${...})

    The word document may contain parameters as normal text elements that are replaced. Those parameters have the form ${ParamName}.

    This renderer also supports arbitrary MessageFormat patterns for all input parameters; for example ${Now,date,short} will effectively be interpreted as MessageFormat {0,date,short} with the single parameter Now from the parameter map. For more information about MessageFormat, please consult the MessageFormat javadoc.

    There are two predefined properties that are always added to the parameter map:

    1. ${PlainPassword} contains the plain text password to display
    2. ${Now} contains the current timestamp and can be used for both date and time display. Since this represents a Date object, it can be formatted directly using MessageFormat, for example:
      ${Now,date,short} displays a short date using the user's locale; for example: 09.01.12.
      Alternatively, a date format can be specified in a SimpleDateFormat compatible form, for example:
      ${Now,date,dd.MM.yyyy} resulting in 09.01.2012.

    This password renderer allows arbitrary parameters to be passed to the conversion engine: the parameter map passed to the renderPassword() method is forwarded to the report engine. Thus, when placing the parameter Salutation with value "Dear Mr. Smith" into the parameter map when calling this renderer, you can display this value in the document using ${Salutation}.

    Adding images is also supported by adding an instance of BufferedImage to the parameter map. This image replaces the entire text node where the parameter was found and is inserted as an inline image. Make sure there is enough space for that image in the template document.

    Handling Multiple Languages

    You can have this renderer use different documents for rendering depending on a language.
    There must always be a default template configured, which is used if there is no specific template defined for the passed-in language. Additionally, you can define a specific template for every language expected.
    Templates are read in when the renderer is initialized and are kept in memory by the renderer. Thus, reusing the renderer instance improves efficiency as the document needn't be re-parsed on every call.
    Properties
    Default Template (defaultTemplate)
    Description
    Specifies the name of the default Word template file.

    Supported formats are: DOC, DOCX, RTF and ODF.

    The file name is either absolute or relative to the JVM's current directory.

    Multiple templates for different languages can be specified with the property template. There must always be a default template.

    Attributes
    File/Path
    Mandatory
    Template (template)
    Description
    Language dependent templates taking precedence over the default template.
    Selectors must be chosen according to the ISO two-letter language codes, e.g. "fr" for French.
    See also the description of Default Template.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Save Options (saveOptions)
    Description
    Configures the output format and related settings for saving the document in the desired format, e.g. fonts.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.password.generator.WordTemplatePasswordRenderer
    id: WordTemplatePasswordRenderer-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultTemplate:
      saveOptions:
      template:
    

    Word Template Report Renderer

    Description
    Simple report renderer using Aspose.Words to produce a file from a normal Microsoft Word file. Supported document types are: DOC, DOCX, RTF and ODF. The format of the generated file is configurable.

    Report Parameters (${...})

    The word document may contain parameters as normal text elements that are replaced. Those parameters have the form ${ParamName}.

    This renderer also supports arbitrary MessageFormat patterns for all input parameters; for example ${Now,date,short} will effectively be interpreted as MessageFormat {0,date,short} with the single parameter Now from the parameter map. For more information about MessageFormat, please consult the MessageFormat javadoc.

    There is one predefined property that is always added to the parameter map:

    1. ${Now} contains the current timestamp and can be used for both date and time display. Since this represents a Date object, it can be formatted directly using MessageFormat, for example:
      ${Now,date,short} displays a short date using the user's locale; for example: 09.01.12.
      Alternatively, a date format can be specified in a SimpleDateFormat compatible form, for example:
      ${Now,date,dd.MM.yyyy} resulting in 09.01.2012.

    This report renderer allows arbitrary parameters to be passed to the conversion engine: the parameter map passed to the renderReport() method is forwarded to the report engine. Thus, when placing the parameter Salutation with value "Dear Mr. Smith" into the parameter map when calling this renderer, you can display this value in the document using ${Salutation}.

    Adding images is also supported by adding an instance of BufferedImage to the parameter map. This image replaces the entire text node where the parameter was found and is inserted as an inline image. Make sure there is enough space for that image in the template document.

    Handling Multiple Languages

    You can have this renderer use different documents for rendering depending on a language.
    There must always be a default template configured, which is used if there is no specific template defined for the passed-in language. Additionally, you can define a specific template for every language expected.
    Templates are read in when the renderer is initialized and are kept in memory by the renderer. Thus, reusing the renderer instance improves efficiency as the document needn't be re-parsed on every call.
    Properties
    Default Template (defaultTemplate)
    Description
    Specifies the name of the default Word template file.

    Supported formats are: DOC, DOCX, RTF and ODF.

    The file name is either absolute or relative to the JVM's current directory.

    Multiple templates for different languages can be specified with the property template. There must always be a default template.

    Attributes
    File/Path
    Mandatory
    Template (template)
    Description
    Language dependent templates taking precedence over the default template.
    Selectors must be chosen according to the ISO two-letter language codes, e.g. "fr" for French.
    See also the description of Default Template.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Save Options (saveOptions)
    Description
    Configures the output format and related settings for saving the document in the desired format, e.g. fonts.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.util.report.WordTemplateReportRenderer
    id: WordTemplateReportRenderer-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultTemplate:
      saveOptions:
      template:
    

    Word Template Token List Renderer

    Description
    Simple token list renderer using Aspose.Words to produce a file from a normal Microsoft Word file. Supported document types for the template are: DOC, DOCX, RTF and ODF. The format of the generated file is configurable.

    Report Parameters (${...})

    The word document may contain parameters as normal text elements that are replaced. Those parameters have the form ${ParamName}.

    This renderer also supports arbitrary MessageFormat patterns for all input parameters; for example ${Now,date,short} will effectively be interpreted as MessageFormat {0,date,short} with the single parameter Now from the parameter map. For more information about MessageFormat, please consult the MessageFormat javadoc.

    There are multiple predefined properties that are always added to the parameter map:

    1. ${ListId} contains the token list's ID
    2. ${DateString} contains the current date already formatted as string
    3. ${Now} contains the current date as Date object
    4. ${ExpirationDate} contains the token list's expiration date already formatted as string
    5. ${ExpirationDateObject} contains the token list's expiration date as Date object
    6. ${ListGenerationDate} contains the token list's generation date as Date object
    7. ${NumberOfTokens} contains the total number of tokens in the current list
    8. ${T*} contains a single token value, where * is an integer starting at zero. So the first token value will always be ${T0} whereas the 100th token will be ${T99}

    Some of the above parameters contain a timestamp and can be used for both date and time display. Since this represents a Date object, it can be formatted directly using MessageFormat, for example:
    ${Now,date,short} displays a short date using the user's locale; for example: 09.01.12.
    Alternatively, a date format can be specified in a SimpleDateFormat compatible form, for example:
    ${Now,date,dd.MM.yyyy} resulting in 09.01.2012.

    This token list renderer allows arbitrary parameters to be passed to the conversion engine: the parameter map passed to the renderTokenList() method is forwarded to the report engine. Thus, when placing the parameter Salutation with value "Dear Mr. Smith" into the parameter map when calling this renderer, you can display this value in the document using ${Salutation}.

    Adding images is also supported by adding an instance of BufferedImage to the parameter map. This image replaces the entire text node where the parameter was found and is inserted as an inline image. Make sure there is enough space for that image in the template document.

    Handling Multiple Languages

    You can have this renderer use different documents for rendering depending on a language.
    There must always be a default template configured, which is used if there is no specific template defined for the passed-in language. Additionally, you can define a specific template for every language expected.
    Templates are read in when the renderer is initialized and are kept in memory by the renderer. Thus, reusing the renderer instance improves efficiency as the document needn't be re-parsed on every call.
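The ${Param[,type,style]} substitution described for the Word Template Password, Report and Token List renderers, as an added Python model that is not Airlock's Aspose.Words/MessageFormat implementation: ${Now,date,short} is handled the way MessageFormat handles {0,date,short} with Now as argument 0, and the Token List renderer's predefined ${T0}..${Tn} map is built alongside. Assumed: only the date and number format types, a small SimpleDateFormat-to-strftime subset, the German-Swiss short date form from the doc's "09.01.12" example instead of real locale handling, and constructed sample dates and tokens.

```python
import re
from datetime import datetime

# ${Name} or ${Name,type,style}; everything after the name is the MessageFormat style part
PARAM_RE = re.compile(r"\$\{([A-Za-z0-9_]+)((?:,[^}]*)?)\}")

# Assumed subset of SimpleDateFormat letters, translated to strftime directives
_SDF_TO_STRFTIME = [("yyyy", "%Y"), ("yy", "%y"), ("MM", "%m"), ("dd", "%d"),
                    ("HH", "%H"), ("mm", "%M"), ("ss", "%S")]
_NAMED_DATE_STYLES = {"short": "%d.%m.%y", "medium": "%d.%m.%Y"}   # assumed de_CH forms

# Constructed sample timestamps matching the examples in the text
SAMPLE_NOW = datetime(2012, 1, 9, 14, 30)
SAMPLE_EXPIRATION = datetime(2013, 1, 9)


def format_date(value: datetime, style: str) -> str:
    """Emulate MessageFormat {0,date,<style>}: a named style or a SimpleDateFormat pattern."""
    if style in _NAMED_DATE_STYLES:
        return value.strftime(_NAMED_DATE_STYLES[style])
    pattern = style
    for sdf, strf in _SDF_TO_STRFTIME:       # longest letters first, so yyyy wins over yy
        pattern = pattern.replace(sdf, strf)
    return value.strftime(pattern)


def render(template: str, params: dict) -> str:
    """Replace every ${Param[,type,style]} in `template` with the value from `params`."""
    def substitute(match: re.Match) -> str:
        name, style = match.group(1), match.group(2).lstrip(",")
        if name not in params:
            return match.group(0)               # unknown parameters are left untouched (assumption)
        value = params[name]
        if not style:
            return str(value)                   # plain ${Param}
        ftype, _, fstyle = style.partition(",")  # "date,short" -> ("date", "short")
        if ftype == "date":
            return format_date(value, fstyle or "medium")
        if ftype == "number":
            return str(value)
        raise ValueError(f"unsupported format type {ftype!r} in {match.group(0)}")
    return PARAM_RE.sub(substitute, template)


def token_list_params(list_id: str, tokens: list, now: datetime, expiration: datetime) -> dict:
    """Build the Token List renderer's predefined parameter map (string formats assumed)."""
    params = {
        "ListId": list_id,
        "Now": now,
        "DateString": format_date(now, "dd.MM.yyyy"),
        "ListGenerationDate": now,
        "ExpirationDateObject": expiration,
        "ExpirationDate": format_date(expiration, "dd.MM.yyyy"),
        "NumberOfTokens": len(tokens),
    }
    for i, tok in enumerate(tokens):            # first token is ${T0}, the 100th is ${T99}
        params[f"T{i}"] = tok
    return params


if __name__ == "__main__":
    letter = "Password ${PlainPassword}, issued ${Now,date,dd.MM.yyyy} (${Now,date,short})"
    print(render(letter, {"PlainPassword": "x7Q-constructed", "Now": SAMPLE_NOW}))
    p = token_list_params("L42", ["111111", "222222", "333333"], SAMPLE_NOW, SAMPLE_EXPIRATION)
    print(render("${ListId}: ${T0} .. ${T2} of ${NumberOfTokens}, expires ${ExpirationDate}", p))
```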
    Properties
    Tokens Per Row (tokensPerRow)
    Description
    Specifies the number of tokens per row in the template.
    It has no influence on the rendered letter; the row labels are generated from the Word template. This property must be adjusted according to the letter design.

    This property has no effect when using token lists or indexed lists.

    Attributes
    Integer
    Optional
    Default value
    10
    Zero Based Row Indices (zeroBasedRowIndices)
    Description
    When using the plugin with matrix cards, this property specifies whether the row labels start with 0 or 1.

    This property is used to correctly translate the matrix card coordinates back to internal indices. It has no influence on the rendered letter; the row labels are generated from the Word template. This property must be adjusted according to the letter design.

    This property has no effect when using token lists or indexed lists.

    Attributes
    Boolean
    Optional
    Default value
    false
    Default Template (defaultTemplate)
    Description
    Specifies the name of the default Word template file.

    Supported formats are: DOC, DOCX, RTF and ODF.

    The file name is either absolute or relative to the JVM's current directory.

    Multiple templates for different languages can be specified with the property template. There must always be a default template.

    Attributes
    File/Path
    Mandatory
    Template (template)
    Description
    Language dependent templates taking precedence over the default template.
    Selectors must be chosen according to the ISO two-letter language codes, e.g. "fr" for French.
    See also the description of Default Template.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Save Options (saveOptions)
    Description
    Configures the output format and related settings for saving the document in the desired format, e.g. fonts.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    YAML Template (with default values)
    
    type: com.airlock.iam.core.misc.impl.renderer.WordTemplateTokenListRenderer
    id: WordTemplateTokenListRenderer-xxxxxx
    displayName: 
    comment: 
    properties:
      defaultTemplate:
      saveOptions:
      template:
      tokensPerRow: 10
      zeroBasedRowIndices: false
    

    XML File Importer Task

    Description
    A task that parses all XML command files found in a given input directory and manipulates the Airlock IAM DB accordingly.

    Notes on error handling:

    • There is no way to roll back changes that have already been applied to the database before an error occurs.
    • How the task proceeds in case of an error can be configured with the 'Abort Import On Transformer Error' and 'General Error Handling' settings.
    May be used by
    Properties
    Input Directory (inputDirectory)
    Description
    The directory where the command files can be read from.
    Attributes
    File/Path
    Mandatory
    Processed Directory (processedDirectory)
    Description
    The directory where processed command files are copied to. If processing a file has not completed (because of an external interrupt or an exception during processing), the file is moved anyway.
    Attributes
    File/Path
    Mandatory
    User Store (userStore)
    Description
    The user store plugin used to update user data and to import new users.
    Attributes
    Plugin-Link
    Mandatory
    Assignable plugins
    Username Generator (usernameGenerator)
    Description
    Used for creating usernames when importing new users.
    Attributes
    Plugin-Link
    Optional
    Assignable plugins
    Username Pattern (usernamePattern)
    Description
    If the username should be deduced from the XML attributes instead of being generated, the pattern may be defined by specifying the attribute names in a shell-like syntax.
    Attributes
    String
    Optional
    Example
    ${contractId}
    Example
    ${givenname}.${surname}
    User Not Locked Attribute (userNotLockedAttribute)
    Description
    One attribute in the XML UserInfo can have the special meaning of setting the user as locked in Airlock IAM. Here the attributeId of this attribute can be configured. This attribute will no longer be available in the context data. The user is locked if an attribute with the configured name having a value other than true is present in the XML record. The feature cannot be used to unlock a locked user.
    Attributes
    String
    Optional
    Default value
    valid
    Example
    valid
    Example
    active
    Example
    validityId
    User Identifiers (userIdentifiers)
    Description

    This lists the UserInfo attribute names (as seen in the XML file) that are (in combination) unique to a user. So, if an existing user shares all these values with a UserInfo record, the existing user is considered to be the user in the UserInfo and the existing user is processed. If not all these attributes match, a new user is created. The id/keys are mapped to context data keys for comparison. Thus, the values must be contained in the context data container of the existing user.

    Users with missing User Identifiers are skipped.

    If there are multiple records with identical User Identifiers in the same XML File, the corresponding user is updated multiple times.

    Attributes
    String-List
    Mandatory
    Required User Info Attributes (requiredUserInfoAttributes)
    Description

    This lists the mandatory UserInfo attributes that must be present in the XML file to insert/update the user.

    Users with missing Required User Info Attributes are skipped.

    Attributes
    String-List
    Optional
    User Info Mapping (userInfoMapping)
    Description
    The XML UserInfo/Attribute/Ids can be mapped to specific UserContextData keys. If an XML UserInfo/Attribute/Id should be added to the user's context data using the same key, you have to add an identity mapping. If no mapping for a given key is present, the key/value pair is not added to the user's context data.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Data Transformers (dataTransformers)
    Description
    The Data Transformers to be applied in order of definition to transform the user's context data.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Abort Import On Transformer Error (abortImportOnTransformerError)
    Description
    If enabled, the XML import is aborted if any of the configured Data Transformers is not able to transform an input value, possibly due to a parsing error. Otherwise the user is skipped and a warning is logged.
    Attributes
    Boolean
    Optional
    Default value
    false
    General Error Handling (generalErrorHandling)
    Description
    Defines how errors during the processing of individual users are handled.
    • Skip User and continue File Importer Task: Log the error, skip the user and continue with the remaining users.
    • Stop XML File Importer Task: Log the error and abort the task.
    The following cases are covered by other error handling mechanisms and not affected by this property:
    • Users with missing 'User Identifiers' are skipped.
    • Users with missing 'Required User Info Attributes' are skipped.
    • Transformer errors are handled according to the 'Abort Import On Transformer Error' setting.
    Attributes
    Enum
    Optional
    Default value
    ABORT
    Token Handler Mapping (tokenHandlerMapping)
    Description
    Token types can be mapped to specific token handlers that know how to handle the given token type.
    Attributes
    Plugin-Map
    Optional
    Assignable plugins
    File Version (fileVersion)
    Description
    Controls which version of XML files will be processed. Valid values of this property are:
    • VERSION_1_0: The import file contains a single 'command' tag as root element. Only the 'updateusers' command is supported.
    • VERSION_2_0: The import file contains a single 'commands' tag as root element, which contains nested 'command' elements. 'updateusers' and 'deleteusers' commands are supported.
    Attributes
    Enum
    Optional
    Default value
    VERSION_2_0
    Order Passwords (orderPasswords)
    Description
    If enabled, the password order flag of users that are newly created during the import process is set.
    Attributes
    Boolean
    Optional
    Default value
    true
    Context Data Uniqueness Checks (contextDataUniquenessChecks)
    Description
    The context data uniqueness checks to be performed when importing user context data values.
    Attributes
    Plugin-List
    Optional
    Assignable plugins
    Allow Deleting Context Data (allowDeletingContextData)
    Description
    If enabled, XML commands with attribute elements containing an 'xsi:nil=true' (XSD xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance") attribute result in deleting the corresponding user's context data value. If not enabled, deleting context data values is generally disabled, and requests for deleting context values will be ignored.
    Attributes
    Boolean
    Optional
    Default value
    false
    Warn 'Deletion Skipped' (warnDeletionSkipped)
    Description
    If enabled, a warning is logged when a command for deleting a non-existing user is skipped.
    Attributes
    Boolean
    Optional
    Default value
    true
    YAML Template (with default values)
    
    type: com.airlock.iam.servicecontainer.app.application.configuration.task.xmlimporter.XmlFileImporterTask
    id: XmlFileImporterTask-xxxxxx
    displayName: 
    comment: 
    properties:
      abortImportOnTransformerError: false
      allowDeletingContextData: false
      contextDataUniquenessChecks:
      dataTransformers:
      fileVersion: VERSION_2_0
      generalErrorHandling: ABORT
      inputDirectory:
      orderPasswords: true
      processedDirectory:
      requiredUserInfoAttributes:
      tokenHandlerMapping:
      userIdentifiers:
      userInfoMapping:
      userNotLockedAttribute: valid
      userStore:
      usernameGenerator:
      usernamePattern:
      warnDeletionSkipped: true
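The per-record decision logic of the XML File Importer Task (User Identifiers, Required User Info Attributes, User Info Mapping, Username Pattern, User Not Locked Attribute and Allow Deleting Context Data), as an added Python model over already-parsed records; it is not Airlock IAM code and does not parse the command XML. Assumed: a record is a dict of attributeId to value, a NIL sentinel stands for an Attribute element with xsi:nil="true", an identifier that is absent or nil counts as missing, and an identifier without a userInfoMapping entry is treated as a configuration error; users and records are constructed samples.

```python
import re
from dataclasses import dataclass, field

NIL = object()  # stands for an Attribute element carrying xsi:nil="true"


@dataclass
class ImportConfig:
    user_identifiers: list                                    # userIdentifiers
    required_attributes: list = field(default_factory=list)   # requiredUserInfoAttributes
    user_info_mapping: dict = field(default_factory=dict)     # userInfoMapping: XML id -> context key
    username_pattern: str = "${contractId}"                   # usernamePattern
    user_not_locked_attribute: str = "valid"                  # userNotLockedAttribute
    allow_deleting_context_data: bool = False                 # allowDeletingContextData


@dataclass
class User:
    username: str
    context: dict
    locked: bool = False


def expand_username_pattern(pattern: str, record: dict) -> str:
    """Resolve the ${attr} references of the shell-like username pattern from the record."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(record[m.group(1)]), pattern)


def find_existing(users: list, ident: dict):
    """An existing user matches only if all mapped identifier values agree."""
    for u in users:
        if all(u.context.get(k) == v for k, v in ident.items()):
            return u
    return None


def process_record(record: dict, users: list, cfg: ImportConfig) -> tuple:
    """Apply one UserInfo record to `users` (mutated in place, like the IAM DB).
    Returns ('skip' | 'update' | 'create', affected User or None)."""
    if any(record.get(k, NIL) is NIL for k in cfg.user_identifiers):
        return "skip", None                       # missing User Identifiers: user skipped
    if any(k not in record for k in cfg.required_attributes):
        return "skip", None                       # missing Required User Info Attributes

    # Identifiers are compared through their mapped context-data keys
    try:
        ident = {cfg.user_info_mapping[k]: record[k] for k in cfg.user_identifiers}
    except KeyError as exc:
        raise ValueError(f"user identifier {exc} has no userInfoMapping entry") from None

    record = dict(record)
    lock_value = record.pop(cfg.user_not_locked_attribute, None)   # never reaches context data
    must_lock = lock_value is not None and lock_value is not NIL and lock_value != "true"

    user = find_existing(users, ident)
    action = "update" if user else "create"
    if user is None:
        user = User(expand_username_pattern(cfg.username_pattern, record), {})
        users.append(user)

    for xml_id, value in record.items():
        key = cfg.user_info_mapping.get(xml_id)
        if key is None:
            continue                              # unmapped ids are not imported
        if value is NIL:
            if cfg.allow_deleting_context_data:
                user.context.pop(key, None)       # xsi:nil deletes the value
            continue                              # deletion disabled: request ignored
        user.context[key] = value
    if must_lock:
        user.locked = True                        # the attribute locks, it never unlocks
    return action, user


if __name__ == "__main__":
    cfg = ImportConfig(user_identifiers=["contractId"], required_attributes=["surname"],
                       user_info_mapping={"contractId": "contract", "surname": "sn",
                                          "phone": "mobile"})
    users = [User("u1", {"contract": "C-1", "sn": "Old", "mobile": "+41 00 000 00 00"})]
    print(process_record({"contractId": "C-1", "surname": "Smith", "phone": NIL,
                          "valid": "false"}, users, cfg))
```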