Plugin Reference - Airlock IAM 8.6.0

Plugin Index

A

Abort Step
Accepted SSO Tickets Clean-up Task
Accepting Authenticator
Accepting Password Service
Access Cookie Identity Propagator
Account Link Consistency User Change Listener
Account Link Database Repository
Account Link Linking Initiation Step
Account Link Management
Account Link Management UI
Account Link Management UI Redirect
Account Link Removal Initiation Step
Account Linking Lists Self Services
Account Linking Required Red Flag
Account Linking Required Red Flag Condition
Account Linking Self Service
Ace Radius Token Verifier
Acknowledge Message Step
ACR to Flow Application ID Mapping
Active Authentication Method
Active Directory Authentication Failure Mapper
Active Directory Connector
Active Directory Password Policy
Active Directory Password Policy Connector
Active Directory Password Repository
Actor Claim from Actor Token (OAuth 2.0 Token Exchange)
Actor Token Unsigned Claims Extractor
Add Authentee Attribute
Add Roles
Add Scope From Request Parameter
Add Scope From Subject Token
Add Static Scope
Additional Context Data
Additional Password Check Attribute Map
Admin Role Specific Setting
Admin SSO Ticket Request Authentication
Adminapp
Adminapp Content Security Policy
Adminapp Event Settings
Adminapp Language Settings
Adminapp REST API Configuration
Administrators Configuration
Administrators Management
Advanced Location Interpreter
Advanced Migration Selection Option
AES 128 GCM State Encryption
AES256 Decryption Ticket Decoder
AES256 Encryption Ticket Encoder
Age Check Password Policy
Aggregate Report
Airlock 2FA Activation Authentication UI
Airlock 2FA Activation Authentication UI (with additional Activation)
Airlock 2FA Activation Letter Order Step
Airlock 2FA Activation Letter Order User Event Listener
Airlock 2FA Activation Letter Task
Airlock 2FA Activation Step
Airlock 2FA Activation Step (with additional Activation)
Airlock 2FA Activation Step Self-Registration UI
Airlock 2FA Activation Step Self-Service UI
Airlock 2FA Activation Trusted Session Binding Step
Airlock 2FA Apply Device Deletion Change
Airlock 2FA Apply Device Edit Change
Airlock 2FA Approval UI (Protected Self-service)
Airlock 2FA Approval UI (Public Self-service)
Airlock 2FA Authentication Data Map
Airlock 2FA Authentication Step
Airlock 2FA Authentication UI
Airlock 2FA Authenticator
Airlock 2FA Consistency User Change Listener
Airlock 2FA Database Repository
Airlock 2FA Delete Devices Step
Airlock 2FA Device Activated
Airlock 2FA Device Deleted
Airlock 2FA Device Deletion Initiation Step
Airlock 2FA Device Deletion Possible
Airlock 2FA Device Edit Initiation Step
Airlock 2FA Device Edit Step
Airlock 2FA Device In Cooldown Used
Airlock 2FA Device List
Airlock 2FA Device Management UI
Airlock 2FA Device Management UI Redirect
Airlock 2FA Information Item
Airlock 2FA Login ID Parameter
Airlock 2FA Message Provider
Airlock 2FA Mobile Only Authentication Step
Airlock 2FA Public Self-Service Approval Step
Airlock 2FA Recovery Trusted Session Binding Step
Airlock 2FA Self-Service Approval Step
Airlock 2FA Settings
Airlock 2FA Token Controller
Airlock 2FA Token Insertion Handler
Airlock 2FA Transaction Approval Step
Airlock 2FA Username Transformer
Airlock 2FA Usernameless Authentication Step
Airlock 2FA was used for login (Transaction Approval only)
Airlock Gateway Roles
Airlock Gateway Settings
Airlock Gateway Settings (Loginapp)
Airlock Microgateway Settings
Alias User Item
All Devices Except Most Recently Registered
All Devices Except Registered In Flow
All Ok On Behalf Login Step Validator
All Phone Numbers Provider
All Required Roles Match
All User Roles
Allowed Characters Password Policy
Allowed Username Password Combination
Alphabet
Always Down Check
Always False
Always Revoked Status Checker
Always True
Always True Representation Authorization
And Claim Condition
Anomaly Shield State Risk Extractor
Any Required Role Matches
API Policy Service
App Device Used For Login Unless Last App Device
Application ID
Application Portal Group
Application Portal Target
Application Portal UI
Apply Account Link Deletion
Apply Account Link Linking
Apply Changes Step
Apply Cronto Device Deletion
Apply Cronto Device Disabling
Apply Cronto Device Enabling
Apply Cronto Device Renaming
Apply Cronto Push Disabling
Apply Cronto Push Enabling
Apply Device Token Registration
Apply Email Change
Apply FIDO Credential Deletion
Apply FIDO Credential Disabling
Apply FIDO Credential Display Name Change
Apply FIDO Credential Enabling
Apply mTAN Deletion
Apply mTAN Edit Change
Apply mTAN Registration Change
Apply OAuth 2.0 Consent Deny
Apply OAuth 2.0 Consent Grant
Apply OAuth 2.0 Consents Deletion
Apply OAuth 2.0 Session Deletion
Apply Remember-Me Device Deletion
Apply User Data Edit Change
Argon2id Password Hash
ASP SMS Gateway
Assertion Attribute
Audience From Request Parameter (OAuth 2.0 Token Exchange)
Audience From Subject Token (OAuth 2.0 Token Exchange)
Audit Token SAML 2.0 Attribute
Auth Method-based Authenticator Selector
Auth Token ID SAML 2.0 Attribute
Authenticated Client ID (OAuth 2.0 Token Exchange)
Authentication & Authorization UI
Authentication & Authorization UIs
Authentication Data Map
Authentication Flow
Authentication Flow Successfully Completed
Authentication Instant SAML 2.0 Attribute
Authentication Method Changed
Authentication Method Condition
Authentication Method Identifier Mapping
Authenticator-based One-Shot Target Application
AuthnContextClassRef URI SAML 2.0 Attribute
Authorization Flow
Automated Account Registration
AWS Access Key Authentication
AWS Custom Service Access
AWS Default Authentication
AWS Default Service Access
AWS Key Management Service
AWS KMS Password Decryption
AWS KMS Password Hash
Azure Certificate Authentication
Azure Client Secret Authentication
Azure Default Authentication
Azure Message Broker Connector

B

Base64 Password Hash Encoder
Base64 String Encoder
Basic Auth Credentials
Basic Auth Error Mapper
Basic Auth HTTP Header Extractor
Basic Auth Request Authentication
Basic Auth Token Introspection
Basic mTAN Settings
Basic Secret Question Settings
Bcrypt Password Hash
Bearer Token HTTP Header Extractor (as Token Credential)
Body And HTTP Status On Behalf Login Step Validator
Body Status On Behalf Login Step Validator
Boolean Condition
Boolean Context Data
Boolean Context Data Item
Boolean Context Data Item Name
Boolean Context Data Value Provider
Boolean Data Transformer
Boolean From Map Value Provider
Boolean Input Token Controller Element
Boolean User Context Data Item
Boolean User Profile Item
Button Group UI Element
Button UI Element

C

Caching Certificate Status Checker
Cancel Button UI Element
CAPTCHA Processor
CAPTCHA UI Element
Certificate Authenticator
Certificate Credential Extraction Step
Certificate Data Extractor Task
Certificate Data to Context Data Mapping
Certificate Subject Organization Identifier Equality Credential Verifier
Certificate Token Authenticator
Certificate Token Controller
Certificate Token Credential Extractor
Chaining Identity Propagator
Changed Email Address Provider
Checkbox UI Element
Cipher Credential Persister
Cipher Token List Persister
Cipher User Persister
Claim From Subject Token (OAuth 2.0 Token Exchange)
Claim Set Custom Claim
Claim Validator
Client Certificate (X.509) Credential Extractor
Client Certificate (X.509) Request Authentication
Client Certificate Context Extractor
Client Certificate Context Extractor Pattern
Client Certificate PEM Format
Client Certificate XFCC Format
Client Fingerprinting Score Risk Extractor
Client ID Custom Claim
Client ID From Request
Client ID From Subject Token (OAuth 2.0 Token Exchange)
Client ID Of Authenticated Client (OAuth 2.0 Token Exchange)
Client IP SAML 2.0 Attribute
Client Name Processor
Coloring Rule
Combined Password Hash
Combining Context Extractor
Combining Extended User Persister
Combining Role Provider
Combining User Persister
Complete Migration Step
Composite Password Service
Concatenating Context Extractor
Concatenating Data Transformer
Condition-based Role Provider
Conditional Identity Propagator
Conditional Risk-based Role Derivation
Conditional Value Map Provider
Configurable Error Mapper
Configurable HTTP CRL Obtainer
Configuration-based Authenticator
Configured User Data
Contacts Processor
Context Data Access Rule
Context Data Changed
Context Data Condition
Context Data Item
Context Data Item (Airlock 2FA Account Display Name)
Context Data Map
Context Data Regex Condition
Context Data SAML 2.0 Attribute
Context Data String Custom Claim
Context Data Uniqueness Check
Context Data User Group Condition
Context Data User Validator
Context Data Username
Context Data Username Provider
Context Data Username Transformer
Context Pattern
Cookie Mapping
Cookie Ticket Adder
Cookie Ticket Identity Propagator
Correlation ID Settings
CORS Settings
Create Airlock 2FA Device Activation Letters
Create Airlock 2FA Hardware Token Shipment Letters
Credential Data Certificate Matcher
Credential Data mTAN Handler
Credential Report Task
Credential Secret Batch Task
Credential Secret Generator
Credential to Authenticator Mapping
Credential-based Attribute Mapping
Credential-based Authenticator Selector
Credential-based Generic Token Repository
CRL Certificate Status Checker
CRL Distribution Point Extension CRL Checker
CRL HTTP Obtainer
Cronto Activation Possible
Cronto Activation Required
Cronto Activation Step
Cronto Approval Stealth Step
Cronto Authentication Step
Cronto Challenge Token Cleanup Strategy
Cronto Device Activated
Cronto Device Deleted
Cronto Device List
Cronto Device Management UI
Cronto Device Management UI Redirect
Cronto Device Removal Possible
Cronto Device Reset Step
Cronto Device Selection Step
Cronto Engine Handler
Cronto Legacy Login Message Provider
Cronto Letter Order Condition
Cronto Letter Order Step
Cronto Letter Ordered
Cronto Letter User Event Listener
Cronto Message Provider
Cronto Public Self-Service Approval Step
Cronto Push Notification Sender
Cronto Report Strategy
Cronto Self-Service Approval Step
Cronto Self-Services (Legacy)
Cronto Token Controller
Cronto Token Service
Cronto Transaction Approval Step
Cronto was used for login (Transaction Approval only)
CrontoSign Swiss App
CrontoSign Swiss Push Activation Possible
CrontoSign Swiss Push Activation Step
CSRF Token Extraction Step
CSV Renderer
CSV Users Export
Current Date And Time Value Provider
Current Timestamp Transformer
Custom CAPTCHA
Custom Claim (OAuth 2.0 Token Exchange)
Custom Configuration-based Authentication UI
Custom Configuration-based Public Self-Service UI
Custom Configuration-based Self-Service UI
Custom Configuration-based User Self-Registration UI
Custom Flow Processors
Custom JavaScript-based Authentication UI
Custom JavaScript-based Public Self-Service UI
Custom JavaScript-based Self-Service UI
Custom JavaScript-based User Self-Registration UI
Custom Protected Self-Service Flow
Custom Public Self-Service Restrictions
Custom User Persister-based User Store Provider
Customizable Device List
Customizable Identity Generator
Customizable Password Policy

D

Data Sources
Database Credential Persister
Database Field
Database Login History Repository
Database Maintenance Message Persister
Database Sequence Generator
Database Token List Persister
Database Token Persister
Database User Persister
Database User Store
Date And Time Context Data
Date And Time Context Data Item
Date And Time Context Data Item Name
Date And Time Context Data Value Provider
Date And Time Data Transformer
Date And Time From Map Value Provider
Date And Time User Context Data Item
Date And Time Validator
Date And Time With Offset Value Provider
Date Context Data
Date Context Data Item
Date Data Transformer
Date Format
Date From Map Value Provider
Date From String Value Provider
Date UI Element
Date User Context Data Item
Date User Profile Item
Date Validator
Date-Time From String Value Provider
Date/Time Input Token Controller Element
Default Account Link Linking Flow
Default Account Link Removal Flow
Default Aggregate Report Strategy
Default Authentication Processor
Default Authentication Processors
Default Authorization Processors
Default Cronto Device Removal Flow
Default Cronto Device Renaming Flow
Default Cronto Login Message Provider
Default Disable Cronto Device Flow
Default Disable Cronto Push Flow
Default Disable FIDO Credential Flow
Default Enable Cronto Device Flow
Default Enable Cronto Push Flow
Default Enable FIDO Credential Flow
Default End-To-End Encryption Password Repository
Default FIDO Credential Display Name Change Flow
Default FIDO Credential Removal Flow
Default mTAN Deletion Flow
Default mTAN Token Edit Flow
Default mTAN Token Registration Flow
Default OAuth 2.0 Consent Deny Flow
Default OAuth 2.0 Consent Grant Flow
Default OAuth 2.0 Consents Delete Flow
Default OAuth 2.0 Session Deletion Flow
Default One-Shot Authentication Processors
Default Password Repository
Default Password Reset Restrictions
Default Persistency-less Authentication Processors
Default Persistency-less Protected Self-Service Processors
Default Protected Self-Service Processors
Default Public Self-Service Processors
Default Remember-Me Device Deletion Flow
Default Self-Unlock Restrictions
Default String Insertion Transformer
Default TAN Service
Default Technical Client Registration Processors
Default Token Data Provider
Default Transaction Approval Flow Processor
Default Transaction Approval Processors
Default User Self-Registration Processors
Default X509 Factory Implementation
Delete Cronto Device Initiation Step
Delete FIDO Credential Initiation Step
Delete mTAN Number Initiation Step
Delete OAuth 2.0 Session Initiation Step
Delete Remember-Me Device Initiation Step
Delete Roles
Delete Users Task
Demo Service
Denying Adminapp REST API Configuration
Denying Authenticator
Denying Request Authentication
Destroy Last User Session
Destroy Multiple Existing Sessions
Destroy Other User Session
Device Token Authentication Step
Device Token Deleted
Device Token Identity Verification Step
Device Token List
Device Token Management UI
Device Token Management UI Redirect
Device Token Registered
Device Token Registration Step
Device Token Settings
Device Usage Database Repository
Device Usage Processor
Device Was Registered In Current Flow Condition
Device Was Used For Login Condition
Digipass Push App Handler
Disable Cronto Device Initiation Step
Disable Cronto Push Initiation Step
Disable FIDO Credential Initiation Step
Disabled Or Missing Secret Questions Restriction
Disclaimer Text
Display Language SAML 2.0 Attribute
Display Language String Provider
Distributed Claim
Do Nothing Obtainer
DOCX Save Option
Drop-Down UI Element
Dummy Certificate Status Checker
Dummy Credential Persister
Dummy Cronto Push Notification Sender
Dummy Email Service
Dummy Extended User Persister
Dummy IAK Verifier
Dummy Maintenance Message Persister
Dummy Matrix Authenticator
Dummy Password Renderer
Dummy Password Service
Dummy Polling Authenticator
Dummy Report Renderer
Dummy SMS Gateway
Dummy Token List Persister
Dummy Token List Renderer
Dummy Token Verifier
Dummy Two Step Authenticator
Dummy Vasco Handler
Dynamic Active Directory String Generator
Dynamic Boolean Custom Claim
Dynamic Step Activation

E

eCall SMS Gateway (v1)
Edited Context Data Map
Email Address
Email Address Added
Email Address Changed
Email Address Deleted
Email Address Validator
Email Change Verification Step
Email Event Subscriber (Adminapp)
Email Event Subscriber (Loginapp)
Email Identity Verification Step
Email Item Definition
Email Message Provider
Email Notification Step
Email Notification Task
Email Notifier
Email OTP Authentication Step
Email Otp Authenticator
Email OTP Transaction Approval Step
Email OTP was used for login (Transaction Approval only)
Email SMS Gateway
Email User Profile Item
Email Verification Step
Enable Cronto Device Initiation Step
Enable Cronto Push Initiation Step
Enable FIDO Credential Initiation Step
Enabling All Access Controller
Encoded User Data Header
Encoded User Data Response Header
Encrypted Password Hash
Enumeration User Context Data Item
Equals Old Password Policy
Esp Sign Ticket Decoder
Esp Sign Ticket Encoder
Event Outbox Processor Service
Expert Mode Redis State Repository
Exponential Temporary Locking Strategy
Export Users Task
Extended String User Profile Item
Extended User Persister-based User Store Provider
External Database Password Repository

F

Factor Use Reporting Processor
Failed Factor Attempts Processor
Failover SMS Gateway
Failure HTTP Response
Failure Step
Fallback Authenticator
Fallback CRL Fetcher
Fallback Crl Obtainer
Fallback String Value Provider
FIDO Attestation Certificate Trust Verifier
FIDO Authentication Step
FIDO Consistency User Change Listener
FIDO Credential Deleted
FIDO Credential Display Name Change Step
FIDO Credential List
FIDO Credential Management UI
FIDO Credential Management UI Redirect
FIDO Credential Registered
FIDO Credential Removal Possible
FIDO Credential Selection Step
FIDO Custom AAGUID Mapping
FIDO Database Repository
FIDO Default AAGUID Mappings
FIDO Passwordless Authentication Step
FIDO Public Self-Service Approval Step
FIDO Registration Step
FIDO Self-Service Approval Step
FIDO Settings
FIDO Token Controller
FIDO Transaction Approval Step
FIDO was used for login (Transaction Approval only)
Field Matching
File CRL Fetcher
File Crl Persister
Filter Pattern
Filtered Flow Event
First Usage of Device
Fixed TAN Generator Task
Flash Parameter
Flow Condition To Authentication Context Mapping
Flow Condition-based OAuth 2.0 Scope Condition
Flow Condition-based OIDC ID Token ACR Value
Flow Continuation Database Repository
Flow Continuation Step
Flow Continuation Token Clean-up Task
Flow Continuation Token Consumption Step
Flow ID
Flow Selection-based OIDC ID Token ACR Value
Flow Step Sequence
Flow-based Password Reset
Forbidden Characters Password Policy
Form UI Element
Formatted Date And Time Context Data Custom Claim
Formatted LocalDate Context Data Custom Claim
Fortinet Roles Configuration
Forward Location Parameter Adder
Futurae Server

G

Gateway REST API Connection
Gateway Session Terminator Subscriber (Adminapp)
Gateway Session Terminator Subscriber (Loginapp)
Generated Username
Generic ID Propagator
Generic LDAP Authentication Failure Mapper
Generic Session Attribute String Provider
Generic Session Attribute Value Map Provider
Generic SSI Proof Predicate
Generic Step Result
Generic Step Result With Identified User
Generic String SAML 2.0 Attribute
Generic Token Controller
Generic Token Controller UI
Generic Token Endpoint
Generic Token Service
Goto Button UI Element
Gzip Base64 Ticket Encoder

H

Has Cronto Account
Has Cronto Device
Has Device Token
Has Email Address
Has FIDO Credential
Has Matching Role
Has Matrix Card
Has mTAN Activation Letter
Has mTAN Token
Has OATH OTP Token
Has Password
Has Suitable Airlock 2FA Device
Has Tag
Has Vasco OTP Token
hCAPTCHA
Header URI Propagation
Hex Password Hash Encoder
Hidden UI Element
History Password Hash
History Password Policy
HSM Keystore
HTML String Escaper
HTTP Basic Auth Identity Propagator
HTTP Basic Authentication Step
HTTP Client Config
HTTP Client With Client Certificate
HTTP GET Step
HTTP Header
HTTP Header Identity Propagator
HTTP Header Token Extractor (as SSO Credential)
HTTP Header Token Extractor (as Token Credential)
HTTP Instance Digest Verification
HTTP Parameter
HTTP Parameter Context Extractor Pattern
HTTP Password Service
HTTP POST Step
HTTP Query Parameter Context Extractor
HTTP Request Body Is Present
HTTP Request Client IP Extractor
HTTP Request Header Is Present
HTTP Request Header Value Provider
HTTP Request ID Extractor
HTTP Request Information Map
HTTP Request mTLS Client Certificate Extractor
HTTP Request URL Extractor
HTTP Response Header Identity Propagator
HTTP Signature Algorithm Whitelist
HTTP Signature Audit Logger
HTTP Signature Static X.509 Certificate Loader
HTTP Signature Verification Credential Extractor
HTTP Signature X.509 Certificate Header Loader
HTTP Signature X.509 Certificate URL Loader
HTTP SMS Gateway

I

IAM Username (Airlock 2FA Account Display Name)
ID Token Claim
Identity Attribute Mapping
Identity Password Hash
Identity Username Transformer
Identity Value Provider
IdP-Initiated SSO Flow On SP
Ignore Existing User Sessions
Impossible Journey Risk Extractor
In-Memory Accepted SSO Tickets Repository
In-Memory Sequence Generator
In-Memory State Repository
Initial REST API Invocation
Input UI Element
Integer Context Data
Integer Context Data Item
Integer Context Data Item Name
Integer Context Data Value Provider
Integer From Map Value Provider
Interactive Goto Target
Internal Goto Target
International Phone Number User Profile Item
Invalid User Restriction
Invalidate All Tokens Of The Grant
Invalidate Single Token
IP Address Context Extractor
IP Address Range Risk Extractor
IP Range Context
IP-based Target Service
Is App Device Condition
Is Hardware Device Condition
Is In Cooldown Device Condition
Is Single Device Condition

J

Java Keystore
JDBC Connection Pool
Jdbc Driver Property
JSON String Escaper
Jsoup HTML Element Attribute Extractor
JSP Remember-Me Settings
JWE Password Decryption
JWKS Ticket Verifier Settings
JWT Access Token Format
JWT Access Token No Signature
JWT Access Token Private Key Signature
JWT Scope Handling
JWT Ticket Decoder
JWT Ticket Direct AES Encryption Settings
JWT Ticket EC Signer Settings
JWT Ticket EC Verifier Settings
JWT Ticket Encoder
JWT Ticket HMAC Settings
JWT Ticket RSA Signer Settings
JWT Ticket RSA Verifier Settings
JWT Token Exchange Rule

K

Kafka Config Value
Kafka Message Broker Connector
Kafka SASL OAuth 2.0 Client Credential Grant Authentication
Kafka SASL Plain (Username/Password) Authentication
Kafka SASL SCRAM Authentication
Kafka Without Authentication
Kannel SMS Gateway
Keep Roles
Kerberos Authentication Step
Kerberos Identity Propagator (requires Airlock Gateway)
Kerberos SPNEGO Error Mapper
Kerberos SPNEGO Extractor
Kerberos User Definition
Kerberos/SPNEGO Config For One-Shot
Key Entry
Key Value Pair

L

Language Query Parameter Appender
Language Settings
Language Specific Template
Language Specific Text
Last Selection Consistency User Change Listener
Last Selection Repository
Latest Authentication Feedback Processor
Latest Login Attempt Date Range Filter
Latest Successful Login Date Range Filter
LDAP Connection Pool
LDAP Connector
LDAP Credential Persister
LDAP CRL Fetcher
LDAP Password Authenticator
LDAP Password Hash
LDAP Password Repository
LDAP Search Context
LDAP Search Filter
Ldap String Attribute
LDAP Token List Persister
LDAP User Persister
Legacy Context Data Item
Legacy Email OTP Authentication Step
Legacy ID Propagation Adapter
Legacy mTAN Registration Flow
License and Usage Analytics
Link Configuration Authentication UI
List Output Element
List User Profile Item
Local Date Pattern
Local Date/Time Pattern
LocalDate Context Data Item Name
Location
Location Filter
Location Interpretations Configuration
Lock Expired Initial Passwords Task
Lock Inactive Accounts Task
Locked User Filter
Locked User Restriction
Locking Settings (Adminapp)
Log Cleanup Task
Log File
Log Viewer
Logged in from new Device
Logical AND
Logical AND Condition
Logical AND Device Condition
Logical AND Role Derivation
Logical NOT
Logical NOT Condition
Logical NOT Device Condition
Logical NOT Role Derivation
Logical OR
Logical OR Condition
Logical OR Device Condition
Logical OR Role Derivation
Login From New Device Step
Login History Consistency User Change Listener
Login History Processor
Login Page
Loginapp
Loginapp Event Settings
Loginapp JWKS
Loginapp UI Content Security Policy
Loginapp UI SSO Ticket Extractor
Lookup and Accept Authenticator
Lowercase Data Transformer
Lowercase String Transformation
Lowercase String Transformer
Lowercase Transformer

M

Mail Notificator
Main Authentication Settings
Main Authenticator
Main Settings
Maintenance Message Configuration
Maintenance Message Settings
Maintenance Message UI Settings
Mandatory HTTP Signature Header
Mandatory Password Change Red Flag
Mandatory Password Change Step
Map Output Element
Mapped Context Data Field
Mapped Ticket Element
Mapping Ticket Service
Mask Token
Masking Settings
Matching Username
Matrix Card Generator
Matrix Checking Step
Matrix Public Self-Service Approval Step
Matrix Self-Service Approval Step
Matrix Token Controller
Matrixcard Authenticator (TAN Challenge)
Maximal Length
Maximum Date
MaxMind Geolocation Provider
MD5 Base64 Password Hash
MD5 Hex Password Hash
Message Broker Selector
Meta Authenticator
Meta Password Policy
Migrating State Encryption
Migration Selection Step
Minimum Date
Minimum Length
Missing Account Link Step
Most Recently Registered Device Condition
MS-OFBA One-Shot Target Application
mTAN Authentication Step
mTAN IAK Token Report Strategy
mTAN Label Item Definition
mTAN Letter User Event Listener
mTAN Message Provider
mTAN Number Changed
mTAN Number Deletion Possible
mTAN Number Item Definition
mTAN Number List
mTAN Number Management UI
mTAN Number Registration Possible
mTAN OTP Check Settings (based on mTAN Settings)
mTAN OTP Checks Settings
mTAN Public Self-Service Approval Step
mTAN Registration Label Provider
mTAN Registration Number Provider
mTAN Self-Service Approval Step
mTAN Self-Service Settings (based on mTAN Settings, Legacy)
mTAN Self-Services (Legacy)
MTAN Token Deleted
mTAN Token Edit Step
mTAN Token Flow Value Map
mTAN Token Import Handler
mTAN Token Insertion Handler
mTAN Token Management UI Redirect
MTAN Token Phone Number Changed
MTAN Token Registered
mTAN Token Registration Step
mTAN Transaction Approval Step
mTAN Verification Step
mTAN was used for login (Transaction Approval only)
MTAN/SMS Authenticator
MTAN/SMS Settings
mTAN/SMS Token Controller
Multi Password Hash (LDAP-style)
Multiple Date Pattern Transformer

N

NAS-based Target Service
NAS-IP-Address-based Target Service
Native Vasco Handler
Never Migrate Possible
Never Migrate Step
New Device Condition
New Device Cookie
New Email Clean-up Strategy
New User Defaults Setter
Next Authentication Method-based Migration Condition
NextGenPSD2 Certificate Authenticator
No Access Control
No Adminapp Content Security Policy
No Context Extractor
No CRL Persister
No Email Address Restriction
No Identity Propagator
No Loginapp UI Content Security Policy
No mTAN Token Restriction
No Operation Step
No Retry Policy
No State Encryption
Non-Flow UI Settings
None (Airlock 2FA Account Display Name)
None (FIDO Attestation Verification)
Nonexistent User Restriction
Not Claim Condition
NTLM Identity Propagator
Null Password Policy
Null SMS Gateway
Number-based Selection SMS Gateway

O

OATH OTP Activation Step
OATH OTP Authentication Step
OATH OTP Authenticator
OATH OTP Event-based Challenge Handler
OATH OTP Letter Task
OATH OTP Secret Added
OATH OTP Secret Viewed
OATH OTP Settings
OATH OTP Time-based Challenge Handler
OATH OTP Token Controller
OATH OTP Token Verifier
OATH Token Insertion Handler
OAuth 2.0 Access Token Authenticator
OAuth 2.0 Access Token Ticket Decoder
OAuth 2.0 Authorization Code Grant
OAuth 2.0 Authorization Code Grant In Progress
OAuth 2.0 Authorization Server
OAuth 2.0 Authorization Server Identifier
OAuth 2.0 Basic Auth Client Secret
OAuth 2.0 Basic Auth Client Secret (AS)
OAuth 2.0 Bearer Access Token
OAuth 2.0 Clean-up Task
OAuth 2.0 Client Certificate
OAuth 2.0 Client Credentials Grant
OAuth 2.0 Client ID Pattern UI Tenant ID Rule
OAuth 2.0 Client ID UI Tenant ID Rule
OAuth 2.0 Client mTLS Authentication
OAuth 2.0 Client Persisting Step
OAuth 2.0 Client Public Key
OAuth 2.0 Client Registration Step
OAuth 2.0 Client Secret Authentication
OAuth 2.0 Consent Deny Initiation Step
OAuth 2.0 Consent Grant Initiation Step
OAuth 2.0 Consent List
OAuth 2.0 Consent Management UI
OAuth 2.0 Consent Management UI Redirect
OAuth 2.0 Consent Repository
OAuth 2.0 Consent Step
OAuth 2.0 Consent Storage
OAuth 2.0 Consents Delete Initiation Step
OAuth 2.0 Credential Context Data Map
OAuth 2.0 Credential Roles Provider
OAuth 2.0 Custom Application UI
OAuth 2.0 Custom Client Endpoint Redirect URI
OAuth 2.0 Custom Scopes Flow Settings
OAuth 2.0 Custom Session Attribute
OAuth 2.0 Date Context Data Resource
OAuth 2.0 Default Application UI
OAuth 2.0 Default Scopes Flow Settings
OAuth 2.0 Default UI Client Redirect URI
OAuth 2.0 Dynamic Client Registration
OAuth 2.0 Flow Client
OAuth 2.0 GET Request
OAuth 2.0 Granted Scope Whitelist
OAuth 2.0 Grants / OIDC Flows
OAuth 2.0 Header Access Token Config
OAuth 2.0 Header Client Secret
OAuth 2.0 Header Client Secret (AS)
OAuth 2.0 Issuer ID
OAuth 2.0 Legacy Client Endpoint Redirect URI
OAuth 2.0 Legacy Client Endpoint UI Redirect
OAuth 2.0 Legacy Custom Client Endpoint Redirect
OAuth 2.0 Local Consent
OAuth 2.0 LocalDate Context Data Resource
OAuth 2.0 Logging Settings
OAuth 2.0 Metadata Endpoint
OAuth 2.0 No Client Authentication
OAuth 2.0 No Client Secret Authentication
OAuth 2.0 No Redirect URI
OAuth 2.0 Parameter Access Token Config
OAuth 2.0 Parameter Client Secret
OAuth 2.0 Parameter Client Secret (AS)
OAuth 2.0 Persisted Clients
OAuth 2.0 Post Logout Redirect Base URL
OAuth 2.0 POST Request
OAuth 2.0 Provider Identifier
OAuth 2.0 Pushed Authorization Request (PAR) Repository
OAuth 2.0 Pushed Authorization Requests
OAuth 2.0 Remote Consent
OAuth 2.0 Remote Context Data Resource
OAuth 2.0 Remote User Role Resource
OAuth 2.0 Remote Username Resource
OAuth 2.0 Resource
OAuth 2.0 Resource Endpoint
OAuth 2.0 Resource Selector
OAuth 2.0 Response Modes
OAuth 2.0 Scope Matcher
OAuth 2.0 Scope Translation Entry
OAuth 2.0 Scope Translator
OAuth 2.0 Session List
OAuth 2.0 Session Management Endpoint
OAuth 2.0 Session Management UI
OAuth 2.0 Session Management UI Redirect
OAuth 2.0 Session Repository
OAuth 2.0 Session Reset Step
OAuth 2.0 Simple Resource Selector
OAuth 2.0 SSO Resource Request
OAuth 2.0 SSO Step
OAuth 2.0 SSO Ticket Resource
OAuth 2.0 Static Client
OAuth 2.0 Static Clients
OAuth 2.0 Static Resource
OAuth 2.0 String Context Data Resource
OAuth 2.0 Token Cleanup
OAuth 2.0 Token Controller
OAuth 2.0 Token Endpoint
OAuth 2.0 Token Exchange
OAuth 2.0 Token Generator Settings
OAuth 2.0 Token Introspection Endpoint
OAuth 2.0 Token Request Authentication
OAuth 2.0 Token Revocation Endpoint
OAuth 2.0 Tokens Map
OAuth 2.0 User Consent Processed
OAuth 2.0 User Roles Resource
OAuth 2.0 Username Resource
OAuth 2.0/OIDC Authorization Server
OAuth 2.0/OIDC Authorization Servers
OAuth 2.0/OIDC Clients
OAuth 2.0/OIDC Consent Consistency User Change Listener
OAuth 2.0/OIDC ID Propagator
OAuth2 Access Token String Value Provider
OCSP Certificate Status Checker
OCSP Over HTTP Client
OIDC Authorization Code / Hybrid Flow
OIDC Authorization Request Parameter
OIDC Birthdate Standard Claim (Date)
OIDC Birthdate Standard Claim (String)
OIDC Discovery Actor Token Validation
OIDC Discovery Endpoint
OIDC Discovery Flow Client
OIDC Discovery Subject Token Validation
OIDC Email Standard Claim
OIDC Family Name Standard Claim
OIDC Flow Client
OIDC Flow Condition To ACR Value Mapping
OIDC Given Name Standard Claim
OIDC HS256 Signature Validator
OIDC ID Token
OIDC ID Token Claims
OIDC ID Token HMAC
OIDC ID Token No Signature
OIDC ID Token Private Key Signature
OIDC Name Standard Claim
OIDC No Post Logout Redirect URI
OIDC No Signature Validator
OIDC Phone Number Standard Claim
OIDC Private Key JWT Authentication
OIDC Private Key JWT Client Authentication
OIDC prompt=none Condition
OIDC RS256 Signature Validator
OIDC Session Management
OIDC SSO Ticket Login Hint Extractor
OIDC SSO Ticket Login Hint Flow Settings
OIDC UserInfo Endpoint
OIDC Username Login Hint Flow Settings
Old Phone Number Provider
On Behalf Cookie Authentee Extractor
On Behalf Login Identity Propagation
On Behalf Login Identity Propagator
One Shot Response Header
One-Shot Authentication Flow
One-Shot Authentication Settings
One-Shot Response Mapper
One-Shot Target Application
Opaque Access Token Format
Option UI Element
Or Claim Condition
Order Airlock 2FA Device Activation Letters
OTP Check Access Challenge Rule
OTP Check Access Reject Rule
OTP Check via RADIUS Step
Outbox Repository

P

Parameter-based Target URI
Password Authenticator
Password Batch Task
Password Change Self-Service Step
Password Changed
Password Generator
Password Hash Configuration
Password Length Policy
Password Letter Order Interval Condition
Password Letter Order Step
Password Letter Ordered
Password Repository Mapping
Password Repository Mapping (Request Authentication)
Password Reset Step
Password Service HTTP Parameter
Password Settings
Password Token Controller
Password User Item
Password-based Encryption
Password-only Authentication Step
Pattern Matching
Pattern-based Random String Generator
PDF Save Option
Persistent Accepted SSO Tickets Repository
Persister IAK Verifier
Persister Password Service
Phone Number
Phone Number Masking String Transformer
Phone Number Validator
Phone Number Verification Step
Phone Numbers from String Value Providers
Plain Base64 Ticket Decoder
Plain Base64 Ticket Encoder
Plain Cookie Identity Propagator
Plain Cookie Value Context Data Extractor
Plain Static REST Request Header
Plain Ticket Decoder
Plain Ticket Encoder
Plain Token
Plain User Data Header
Plain User Data Response Header
Primary Key Lookup
Print Airlock 2FA Activation Letters
Procivis One Core SSI Service
Procivis One Desk SSI Service
Property Credential Persister
Property Maintenance Message Persister
Property Token List Persister
Property User Persister
Protected Self-Service Flows
Protected Self-Service UI
Protected Self-Service UIs
Protected Self-Services
Public Self-Service Allowed Condition
Public Self-Service Allowed Processor
Public Self-Service Flow
Public Self-Service Flow Link
Public Self-Service Flow Redirect
Public Self-Service Flows
Public Self-Service OATH OTP Approval Step
Public Self-Service UI
Public Self-Service UIs
Public/Private JWK Configuration

Q

Query Parameter URI Transformation
Query Parameter URI Value Extraction

R

Radio Buttons UI Element
Radius Authentication Service
RADIUS Authenticator
Radius Authorization
Radius Connection Settings
RADIUS Password Repository
RADIUS Roles As Reply-Message
Readiness Health Check Endpoint
Realm Administration
Realm Username Validator
Realm Value Provider
reCAPTCHA
Recipient From Context Data
Recipient From Event Value
Recipient From String Value Provider
Red Flag
Red Flag Raised
Red Flag Raising Step
Redirect On Logout
Redirect to URI
Regex Application Selector
Regex String Transformation
Regex String Transformer
Regex String Validator
Regex Ticket Element
Regex Username Transformer
Regex-based URI Transformer
Regex-based URI Value Extraction
Regexp Data Transformer
Remember Me Token Cleanup
Remember-Me Consistency User Change Listener
Remember-Me Database Repository
Remember-Me Device List
Remember-Me Device Management UI
Remember-Me Device Management UI Redirect
Remember-Me Reset Step
Remember-Me Settings
Remember-Me Token Clean-up Task
Remember-Me Token Generating Step
Remember-Me User Identifying Step
Remote Event Subscriber (Adminapp)
Remote Event Subscriber (Loginapp)
Removed Roles Mapping
Rename Cronto Device Step
Renew Session ID Processor
Reply Message Access Challenge Rule
Reply Message Access Reject Rule
Report Exec Task
Report Mailer Task
Representation SSO Ticket Identifying Step
Representer ID SAML 2.0 Attribute
Request Attribute
Request Context Retention Policy
Request Has SSO Ticket
Request Header
Request Header Ticket Adder
Request Target HTTP Signature Header
Request URL Pattern UI Resource Set Rule
Request URL Pattern UI Tenant ID Rule
Requested Authentication Context Mapping
Requested Resource Or Audience Condition
Required Characters Password Policy
Required Checkbox State
Required Field
Required Scopes Claim Condition
Resource Access Controller
Resource Access Rule
Response Header Ticket Adder
REST API Invocation
REST Client Config
Retry If Server Not Reachable Policy
Risk Assessment Step
Risk Tag Plugin
Role Timeout Rule
Role Transformation Rule
Role Transformation Rule (Radius)
Role-based Access Control
Role-based Access Controller
Role-based Access Rule
Role-based Authenticator Selector
Role-based Gateway Role
Role-based OAuth 2.0 Scope Condition
Role-based Tag Acquisition Step
Roles from Attribute
Roles from Password Check
Roles Provider
Roles SAML 2.0 Attribute
Roles-to-Authenticator Mapping
RSA Encryption
RSA Sign Ticket Decoder
RSA Sign Ticket Encoder
RSA v1.5 Key Transport Algorithm
RSA-OAEP Key Transport Algorithm

S

Same Flow Redirect Target
SAML 2.0 Assertion String Attribute Importer
SAML 2.0 Config
SAML 2.0 Flow IdP
SAML 2.0 Flow SP
SAML 2.0 Identity Propagator
SAML 2.0 Identity Provider Entity
SAML 2.0 Service Provider
SAML 2.0 Service Provider Entity
SAML 2.0 Service Provider Entity ID
SAML 2.0 SP Entity ID Pattern UI Tenant ID Rule
SAML 2.0 SP Entity ID UI Tenant ID Rule
SAML 2.0 SP User Identifying Step
SAML Access Cookie Identity Propagator
SAML Assertion Cookie Identity Propagator
SAML Federation Config
SAML No Cert Key Provider
SAML XML Signature Provider
SAML2 Single-Logout Config
Scope Processor
Script Execution Result Value Map Provider
Script Namespace
Script Output Declaration
Script Secret
Scriptable Step
Scriptable Validator
Scrypt Password Hash
Secret Letter Renderer
Secret Questions Identity Verification Step
Secret Questions Provisioning Step
Secret Questions Settings
Secret Questions Token Controller
Security Settings
Select mTAN Token Step
Selection Authenticator
Selection Option
Selection Option For Public Self-Service
Selection Option For Self-Service
Selection Option For User Self-Registration
Selection Password Repository
Selection Password Repository (Request Authentication)
Selection Step
Selection Step for Public Self-Service
Selection Step for Self-Service
Selection Step for User Self-Registration
Self Reg Users Clean Up Task
Self Reg Users Reminder Task
Self-Service Flow Redirect
Send Email Link Step
Sensitive HTTP Parameter
Sensitive Kafka Config Value
Sensitive Static REST Request Header
Service
Service Container
Session Context Retention Policy
Session Hijacking Notification Risk Extractor
Session ID Custom Claim
Session-less REST Endpoints
Set Authentication Method Migration Step
Set Authentication Method Step
Set Context Data Step
Set Password Expiry Date
Set Password Step
Set UI Tenant ID Processor
Set UUID For New Users
SHA-256 HTTP Instance Digest Algorithm
SHA-512 HTTP Instance Digest Algorithm
SHA1 Base64 Password Hash
SHA1 Hex Password Hash
SHA1 Password Hash
SHA256 Base64 Password Hash
SHA256 Hex Password Hash
SHA256 Password Hash
Show Logout Disclaimer Page
Silly Password Policy
Simple File Renderer
Simple Latest Login Attempt Filter
Simple Latest Successful Login Filter
Simple Location Interpreter
Simple Migration Selection Option
Simple Output Element
Simple Password Policy
Simple Risk-based Role Derivation
Simple Text Renderer
Single Mode Redis State Repository
SMPP SMS Gateway
SMS Event Subscriber (Adminapp)
SMS Event Subscriber (Loginapp)
SMS Finder Gateway
SMS Gateway Selection Option
SMS Identity Verification Step
SMS Notifier
SMS Service
SMTP Authentication With OAuth 2.0 Client Credentials Grant
SMTP Authentication With Username/Password
SMTP Email Server
SMTP Email Service
Software ID and Software Version Processor
Sql Executor Task
SSI Age Check Predicate
SSI Attribute
SSI Attribute Mapping
SSI Authentication Step
SSI Claim
SSI Issuance Step
SSI Passwordless Authentication Step
SSI Self-Registration Issuance Step
SSI User Change Listener
SSI Verification Data Provider
SSI Verification Step
SSO Cookie Ticket Extractor
SSO Credential Authenticator
SSO Header Ticket Extractor
SSO Ticket Authentication Step
SSO Ticket Context Data Extractor
SSO Ticket Context Data Provider
SSO Ticket Identity Propagator
SSO Ticket Request Authentication
SSO Ticket Role Extractor
SSO Ticket Roles Provider
SSO Ticket Tag Extractor
Start User Representation Step
Static Authenticator
Static Blacklist Password Policy
Static Boolean Custom Claim
Static Boolean Value Provider
Static Context Extractor
Static Credential Persister
Static Date And Time Value Provider
Static Gateway Role
Static Header
Static HTTP Parameter
Static Integer Value Provider
Static Request Authentication
Static Response Header
Static Roles
Static SAML 2.0 Attribute
Static String (OAuth 2.0 Token Exchange)
Static String Custom Claim
Static String Value Provider
Static String-Array (OAuth 2.0 Token Exchange)
Static Timeout Provider
Static Username Password Extractor
Static Values To Tags
Step Activated
Step ID
STET PSD2 Authenticator
STET PSD2 OAuth 2.0 Scope Filter
Stop User Representation Step
Storage Encryption Configuration
String Context Data
String Context Data Item
String Context Data Item Name
String Context Data User Group Condition
String Context Data Value Provider
String Format Custom Claim
String From Actor Token (OAuth 2.0 Token Exchange)
String From Map Value Provider
String From Subject Token (OAuth 2.0 Token Exchange)
String HTTP Signature Header
String Input Token Controller Element
String Regex Condition
String Removal Transformer
String Transformation Failed
String User Context Data Item
String User Profile Item
String Value Provider Custom Claim
String Value Token Controller Element
String-Array From Actor Token (OAuth 2.0 Token Exchange)
String-Array From Subject Token (OAuth 2.0 Token Exchange)
String-based Role Provider
Subject From Subject Token (OAuth 2.0 Token Exchange)
Subject Token Unsigned Claims Extractor
Swiss Post Barcode Generator
Swisscom REST SMS Gateway
Swissphone SMS Gateway

T

Tag
Tag Lifetime
Tag Removal Step
Tag Timeout Using Gateway (WAF)
Tag-based Gateway Role
Tag-based Role Provider
Tags From SAML 2.0 Assertion Attribute
TAN Batch Task
TAN Token Verifier
Target Application
Target Application Redirect
Target Applications and Authentication
Target URI ID Propagator
Target URI Resolver
Task Schedule
Task Scheduler Service
Technical Client Database Repository
Technical Client Registration Flow
Technical Client Registration Settings
Technical Clients Settings
Template-based String Provider
Template-based Username Transformer
Temporary Locking
Temporary Locking Processor
Temporary Locking Settings
Terms Of Service
Terms Of Services Step
Test Task
Text File Password Renderer
Text File Renderer
Text File Token List Renderer
Text Message Token Controller Element
Text Report Renderer
Text UI Element
Ticket Key Value
Ticket String Provider
To Query Parameter URI Transformer
Token Activation On Delivery Strategy
Token Authenticator
Token Consistency User Change Listener
Token Data Certificate Matcher
Token Data mTAN Handler
Token Data mTAN Handler for IAK Order
Token Data Username Transformer
Token Endpoint Auth Method Processor
Token IAK Handler
Token Task
Token-based Attribute Mapping
Token-based Generic Token Repository
Tokens Configuration
Too Many Unlocks Restriction
Transaction Approval
Transaction Approval Cronto Message Provider
Transaction Approval Flow
Transaction Approval Parameter Step
Transaction Approval Parameters Map
Transform Roles
Transforming Role Provider
Transforming String Value Provider
Transforming Value Map Provider
Translated String Provider
True Senses SMS Gateway
Typical Geolocation Risk Extractor
Typical User Agent Risk Extractor

U

UCP SMS Gateway
UI Settings
Unique Across Services Password Policy
Universally Unique Identity (UUID) Generator
Unlock Attempts Reset Processor
Unlock User Step (Public Self-Service)
Unsupported Encryption (to be replaced)
Uppercase String Transformer
Uppercase Transformer
URI
URIs Processor
URL Context Extractor
URL CRL Fetcher
URL Encoder
URL String Encoder
User Attribute Is Unique
User Condition
User Context Data Attribute Mapping
User Created
User Data Blacklist Password Policy
User Data Edit Step
User Data Registration Step
User Deleted
User Enumeration Protection Processor
User Group Configuration
User Identification By Data Step
User Identification By Data Step (Public Self-Service)
User Identification Processor
User Identification Step
User Identification Step (Public Self-Service)
User Identification with FIDO Authentication Step
User Identified
User Identity Map
User Info Mapping
User Information Group
User Information Self-Service
User Lock Step
User Locked
User Locked Predicate
User Management Extension
User Management Extension Access Rule
User Not Valid Anymore Predicate
User Passwords Map
User Persister Configuration
User Persister Email Certificate Provider
User Persister-based User Store
User Persisting Step
User Principal Name Provider
User Profile Item Search
User Representation UI
User Represented Condition
User Role Assignment Step
User Roles Changed
User Roles Custom Claim
User Self Information Group
User Self-Registration Flow
User Self-Registration Flow Link
User Self-Registration Flow Redirect
User Self-Registration Flows
User Self-Registration Logging Processor
User Self-Registration UI
User Self-Registration UIs
User Self-Service Settings
User Specific Role Timeout Definition
User Specific Timeout Provider
User Statistics Map
User Store Configuration
User Sync Task
User to Authenticator Mapping
User To Context Data Transformer
User to Password Service Mapping
User Token Settings
User Trail Log Clean-up Task
User Trail Log Database Repository
User Trail Log Import Task
User Unlock Step (Self-Registration)
User Unlocked
User Validity Processor
User-Agent Mapping
User-based Authenticator Selector
User-based Password Service Selector
UserInfo Claim
Username Cookie Identity Propagator
Username Custom Claim
Username Generation Step
Username Password Authentication Step
Username Password with FIDO Authentication Step
Username SAML 2.0 Attribute
Username User Group Condition
Username User Item
Username User Profile Item
Users Configuration
Users OAuth 2.0 Authorization Server
UUID Client ID
UUID Identity Generator

V

Valid Flag Password Policy
Value Provider Map
Value Transformation
Vasco Activation Possible
Vasco Cronto Handler
Vasco Cronto Online Activation Token Clean-up Strategy
Vasco Cronto Token Manager
Vasco Letter Generator
Vasco OTP Authentication Step
Vasco OTP Device Activation
Vasco OTP Public Self-Service Approval Step
Vasco OTP Self-Service Approval Step
Vasco OTP Token Controller
Vasco OTP Token Manager
Vasco Runtime Parameters
Vasco Token Report Strategy
Vasco Token Service
Vasco Token Verifier
VC Database Repository
Verifiable Credential Insertion Handler
Voluntary Password Change Step

W

Whitelist HTTP Signature Headers
Word Template Password Renderer
Word Template Report Renderer
Word Template Token List Renderer

X

XML File Importer Task

Z

Zoned Date/Time Pattern

Abort Step

Description
A flow step to abort the current flow. This step always fails with the configured error code. In contrast to "Failure Step", no failed attempts are counted with this step.
Type name
AbortStep
Class
com.airlock.iam.flow.shared.application.configuration.step.AbortStepConfig
May be used by
Properties
Error Code (errorCode)
Description
The error code which will be included in the response. Allows specifying the reason for aborting the current flow.
Attributes
String
Mandatory
Example
FLOW_ABORTED_INTENTIONALLY
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: AbortStep
id: AbortStep-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  errorCode:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:

Accepted SSO Tickets Clean-up Task

Description

Task to clean up expired accepted SSO tickets entries from the database.

It is recommended to schedule this task during a time with little traffic. Depending on the number of expired accepted SSO tickets, the task may take some time to complete.

Note: The clean-up task ignores tenant IDs; all expired SSO tickets are deleted regardless of their tenant ID.

Type name
AcceptedSsoTicketsCleanupTask
Class
com.airlock.iam.servicecontainer.app.application.configuration.task.sso.AcceptedSsoTicketsCleanupTaskConfig
May be used by
Properties
Accepted SSO Tickets Repository (acceptedSsoTicketRepository)
Description

Defines the accepted SSO ticket repository from which expired tickets are to be removed.

Note that this repository may differ from the one configured in the service container, which stores the accepted SSO tickets used to access it and rejects tickets that were already accepted before.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Batch Size (batchSize)
Description

During clean-up, accepted SSO tickets are deleted in batches of this size.

This ensures that any row locks on the database are very short-lived and do not affect parallel ticket insertions. This value should not be set too high, to avoid very long-running transactions. Accepted SSO ticket clean-up repeats deleting this number of tickets until all expired tickets have been cleaned up. Therefore, this task can take some time when a lot of accepted SSO tickets are present.

This size should be chosen so that every batch does not take longer than 5 seconds. The average runtime of the batches can be found in the task's logs.

Attributes
Integer
Optional
Default value
1000
YAML Template (with default values)

type: AcceptedSsoTicketsCleanupTask
id: AcceptedSsoTicketsCleanupTask-xxxxxx
displayName: 
comment: 
properties:
  acceptedSsoTicketRepository:
  batchSize: 1000

Accepting Authenticator

Description
Stateless authenticator that accepts all credentials and responds with "authentication successful" as long as the passed credential object contains a user name (UserCredential or subtype). The authentee object returned in the response contains the user name of the credential and no roles. If the credential object does not contain a user name, an authentication failure with the reason "user not found" is returned.

There are no configuration properties.

The plugin writes the canonical class name of this plugin to the context data container. The class name is stored under the key authPluginClassName. A short description of this authentication method is stored under the key authMethodShortDesc. This information may be used by callers.

Type name
AcceptingAuthenticator
Class
com.airlock.iam.core.misc.impl.authen.AcceptingAuthenticator
May be used by
Properties
YAML Template (with default values)

type: AcceptingAuthenticator
id: AcceptingAuthenticator-xxxxxx
displayName: 
comment: 
properties:

Accepting Password Service

Description
A password service that accepts any password and cannot be used to set a new password or reset the password. This password service is useful in a certificate environment where users don't have any passwords at all.
Type name
AcceptingPasswordService
Class
com.airlock.iam.core.misc.impl.authen.AcceptingPasswordService
May be used by
Properties
YAML Template (with default values)

type: AcceptingPasswordService
id: AcceptingPasswordService-xxxxxx
displayName: 
comment: 
properties:

Access Cookie Identity Propagator

Description
An identity propagator that obtains an access cookie from another web application and uses it for identity propagation.

This plugin performs an HTTP POST request with the username and the password the user entered on a login form to the configured application and expects this application to set an access cookie. This access cookie is then set on the response object involved in the identity propagation process.

This plugin requires that the caller of the identity propagator puts the username and the password into the parameter map. The username must be stored under the key USERNAME and the password under the key PASSWORD.

The plugin is intended for situations where a legacy application provides access cookies after a weak authentication process (username and password) and these access cookies should be used in a different authentication process to tell other legacy applications (that are "used to" the access cookie) about the authenticated user.

Type name
AccessCookieIdentityPropagator
Class
com.airlock.iam.core.misc.impl.sso.AccessCookieIdentityPropagator
May be used by
Properties
Access Cookie Source URL (accessCookieSourceUrl)
Description
The full URL of the application that provides the access cookies. A POST request is sent to this URL simulating a login.
See note in plug-in description when using SSL (HTTPS instead of HTTP).
Attributes
String
Mandatory
Example
http://someapp.somehost.com/auth/login
Example
https://securehost.com/login.php
HTTP Parameter Username (httpParamUsername)
Description
The name of the HTTP parameter for the username.
Attributes
String
Mandatory
Example
uid
Example
userId
Example
username
Example
contractNo
HTTP Parameters (httpParams)
Description
List of fixed (statically defined) HTTP parameters that are sent with the request when obtaining an access cookie.

In many cases, the submit button value must be sent to an application to make it think that the button has been pressed.

Attributes
Plugin-List
Optional
Assignable plugins
HTTP Parameter Password (httpParamPassword)
Description
The name of the HTTP parameter for the password.
Attributes
String
Mandatory
Example
password
Example
passphrase
Allow Only Trusted Certs (allowOnlyTrustedCerts)
Description

Only allow connections to servers whose certificate is trusted. See documentation of property "Trust Store Path" for more information about what certificates are trusted.

Security warning: Trusting all certificates allows connections to adversarial hosts. Only disable this property for testing and integration setups.

Attributes
Boolean
Optional
Default value
true
Verify Server Hostname (verifyServerHostname)
Description

Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

Attributes
Boolean
Optional
Default value
true
Trust Store Path (trustStorePath)
Description
Keystore file name containing trusted certificate issuers (and trusted certificates).

If this property is not defined the following certificate issuers are trusted:

  • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
  • The list of issuers in a keystore referenced by system property "javax.net.ssl.trustStore" if defined in instance.properties using iam.java.opts.

If this property is defined then the following certificate issuers are trusted:

  • The list of issuers in the referenced truststore file and no others.

This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

Attributes
File/Path
Optional
Trust Store Type (trustStoreType)
Description
Identifies the type of the keystore.
Attributes
String
Optional
Default value
JKS
Allowed values
JKS, PKCS12
Trust Store Password (trustStorePassword)
Description
The password used to verify the authenticity of the trust store.

Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

  • In keystores like JKS, the keystore can be opened and used but the integrity of the keystore is not checked.
  • In keystores like PKCS12, the keystore cannot be opened and an error occurs.

Attributes
String
Optional
Sensitive
Connect/Read Timeout [s] (connectTimeout)
Description
The connection and read timeout in seconds. A timeout value of zero is interpreted as 60 seconds.
Attributes
Integer
Optional
Default value
10
Correlation ID Header Name (correlationIdHeaderName)
Description

When configured, all requests sent contain a header with the correlation ID with the configured name. If no value or an empty value is specified, the correlation ID header is not sent.

If the correlation ID is not defined, the correlation ID header is not included in sent requests.

Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_-]+
Suggested values
X-Correlation-ID
Proxy Host (proxyHost)
Description
The hostname of the HTTP proxy server (if any).
Attributes
String
Optional
Example
proxy.company.com
Proxy Port (proxyPort)
Description
The port of the HTTP proxy server (if any).
Attributes
Integer
Optional
Proxy Login User (proxyLoginUser)
Description
Username for the HTTP proxy if proxy authentication is used.
Attributes
String
Optional
Proxy Login Password (proxyLoginPassword)
Description
Password for the HTTP proxy if proxy authentication is used.
Attributes
String
Optional
Sensitive
Cookies (cookies)
Description
A list of cookies to expect and send back to the client.
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: AccessCookieIdentityPropagator
id: AccessCookieIdentityPropagator-xxxxxx
displayName: 
comment: 
properties:
  accessCookieSourceUrl:
  allowOnlyTrustedCerts: true
  connectTimeout: 10
  cookies:
  correlationIdHeaderName:
  httpParamPassword:
  httpParamUsername:
  httpParams:
  proxyHost:
  proxyLoginPassword:
  proxyLoginUser:
  proxyPort:
  trustStorePassword:
  trustStorePath:
  trustStoreType: JKS
  verifyServerHostname: true
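
As an added illustration that is not part of the Airlock IAM reference, the template above filled in for a production setup, with the two TLS properties set as the security warnings in the property descriptions recommend. The URL, parameter names, truststore path and password are constructed placeholders; the `httpParams` and `cookies` entries are left open because their assignable plugins are not documented in this section.

```yaml
# Added example configuration (not from the Airlock IAM reference).
# Hostname, parameter names, paths and the password are constructed placeholders.
type: AccessCookieIdentityPropagator
id: AccessCookieIdentityPropagator-example
displayName: Legacy portal access cookie
comment: Obtains the legacy access cookie after a simulated form login
properties:
  # HTTPS target, so the trust settings below decide which server may receive the POST
  accessCookieSourceUrl: https://legacy.example.com/auth/login
  httpParamUsername: username
  httpParamPassword: password
  # Keep both at their default "true" outside test and integration setups: the POST
  # carries the user's password, and disabling either check may deliver it to an
  # adversarial host (untrusted certificate or DNS spoofing, see the property descriptions).
  allowOnlyTrustedCerts: true
  verifyServerHostname: true
  # Only the issuers in this truststore are trusted; for PKCS12 a password is required,
  # otherwise the keystore cannot be opened.
  trustStorePath: /path/to/legacy-truststore.p12
  trustStoreType: PKCS12
  trustStorePassword: CHANGE_ME        # sensitive attribute, placeholder value
  connectTimeout: 10                   # seconds; 0 would mean 60 seconds
  correlationIdHeaderName: X-Correlation-ID
  proxyHost:
  proxyPort:
  proxyLoginUser:
  proxyLoginPassword:
  httpParams:                          # e.g. the submit button value the legacy form expects
  cookies:                             # mandatory: cookies to expect and send back to the client
```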

Account Link Consistency User Change Listener

Description
A listener that reacts on change events on users and keeps the account links in a consistent state. Currently, it performs the following actions:
  • on user deletion: delete all account links assigned to that user.
  • on user name change: update the account links to the new user name.
Type name
AccountLinkConsistencyUserChangeListener
Class
com.airlock.iam.login.application.configuration.oauth2.persistence.AccountLinkConsistencyUserChangeListener
May be used by
License-Tags
OAuthAccountLinking,OAuthSocialRegistration
Properties
Persister Config (persisterConfig)
Description
Repository providing the account links for each user.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: AccountLinkConsistencyUserChangeListener
id: AccountLinkConsistencyUserChangeListener-xxxxxx
displayName: 
comment: 
properties:
  persisterConfig:

Account Link Database Repository

Description
Account Link Repository for relational databases. Stores information about linked accounts.
Type name
AccountLinkDatabasePersister
Class
com.airlock.iam.common.application.configuration.accountlink.persistence.AccountLinkDatabasePersisterConfig
May be used by
License-Tags
OAuthAccountLinking,OAuthSocialRegistration
Properties
SQL Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Table Name (tableName)
Description
The name of the database table containing the account links.
Attributes
String
Optional
Default value
account_link
Sequence Name (sequenceName)
Description
The name of the database sequence providing primary keys (Oracle only). If left empty, Airlock IAM expects the database to support auto-increment columns (SQL Server, MySQL).
Attributes
String
Optional
Suggested values
account_link_seq
Tenant ID (tenantId)
Description
The value which is added to account links to distinguish between different tenants. The value is also used when retrieving account links from the persistence.
If no value is configured, then 'no_tenant' is used as value on the database.
Attributes
String
Optional
Length <= 50
Validation RegEx: (?!no_tenant$).*
Example
customerA
Example
customerB
Log Queries (logQueries)
Description
Enable to log SQL queries (only effective if the log level is at least INFO). Attention: query values (including potentially sensitive data) will be logged as well.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: AccountLinkDatabasePersister
id: AccountLinkDatabasePersister-xxxxxx
displayName: 
comment: 
properties:
  logQueries: false
  sequenceName:
  sqlDataSource:
  tableName: account_link
  tenantId:

Account Link Linking Initiation Step

Description
Step to initiate the linking of a provider account. The actual link will be created in the "Apply Changes Step" which requires an "Apply Account Link Linking" to perform the linking.
Type name
AccountLinkLinkingInitiationStep
Class
com.airlock.iam.selfservice.application.configuration.step.AccountLinkLinkingInitiationStepConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: AccountLinkLinkingInitiationStep
id: AccountLinkLinkingInitiationStep-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Account Link Management

Description
Configuration of the account link management of users.
Type name
AccountLinkManagement
Class
com.airlock.iam.admin.application.configuration.accountlink.AccountLinkManagementConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
Account Link Persister (accountLinkPersister)
Description
Repository providing the account links of users.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: AccountLinkManagement
id: AccountLinkManagement-xxxxxx
displayName: 
comment: 
properties:
  accountLinkPersister:

Account Link Management UI

Description
Configures the account link management user interface.

Depending on the configuration, the user interface allows an authenticated user:

  • to delete an account link.
  • to add an account link.

The account link management interface is accessible at /<loginapp-uri>/ui/app/protected/account-links after user authentication.

Type name
AccountLinkManagementUi
Class
com.airlock.iam.selfservice.application.configuration.ui.accountlinks.AccountLinkManagementUiConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
Flow To Link Account (flowToLinkAccount)
Description
ID of the flow which is used for adding an account link.
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Unlink Account (flowToUnlinkAccount)
Description
ID of the flow which is used for removing an account link.
Attributes
Plugin-Link
Optional
Assignable plugins
Page Exit Target (pageExitTarget)
Description

If configured, an additional button is displayed on the account link management to exit the page. On click, this button redirects the user to the configured target.

To redirect to a target application, redirect to the corresponding "Authentication Flow". If the flow can be skipped due to the obtained tags, the user is directly forwarded to the target application.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: AccountLinkManagementUi
id: AccountLinkManagementUi-xxxxxx
displayName: 
comment: 
properties:
  flowToLinkAccount:
  flowToUnlinkAccount:
  pageExitTarget:

Account Link Management UI Redirect

Description
Redirects to the "Account Link Management UI".
Type name
AccountLinkManagementFlowRedirectTarget
Class
com.airlock.iam.selfservice.application.configuration.ui.accountlinks.AccountLinkManagementFlowRedirectTargetConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
YAML Template (with default values)

type: AccountLinkManagementFlowRedirectTarget
id: AccountLinkManagementFlowRedirectTarget-xxxxxx
displayName: 
comment: 
properties:

Account Link Removal Initiation Step

Description
Step to initiate the removal of an account link. The actual removal will be done in the "Apply Changes Step" which requires an "Apply Account Link Deletion" to perform the actual deletion.
Type name
AccountLinkDeletionInitiationStep
Class
com.airlock.iam.selfservice.application.configuration.step.AccountLinkDeletionInitiationStepConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: AccountLinkDeletionInitiationStep
id: AccountLinkDeletionInitiationStep-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Account Linking Lists Self Services

Description
Configures the account link and provider list REST APIs. Additional self-service functionality can be configured in "Protected Self-Service Flows". Requires an Account Link Persister in OAuth 2.0/OIDC Client settings.
Type name
AccountLinkingListsSelfServiceRest
Class
com.airlock.iam.selfservice.application.configuration.token.AccountLinkingListsSelfServiceRestConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access the account link and provider list.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access the account link and provider list without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: AccountLinkingListsSelfServiceRest
id: AccountLinkingListsSelfServiceRest-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
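The Access Condition / Authorization Condition evaluation order described above, as an added simulation that is not Airlock IAM code: the 403 status and the two error codes come from the page, while the roles, tags, session object and step-up callback are constructed stand-ins for the real condition plugins.

```python
from dataclasses import dataclass, field

# HTTP status and error codes are the ones documented for the two conditions;
# sessions, roles and tags below are constructed sample values.
PRECONDITION_NOT_FULFILLED = "PRECONDITION_NOT_FULFILLED"
NOT_AUTHORIZED = "NOT_AUTHORIZED"


@dataclass
class Session:
    roles: set = field(default_factory=set)   # static roles, e.g. from the user repository
    tags: set = field(default_factory=set)    # tags obtained by completing flow steps


def has_role(role):
    """Access-condition style check: a static property the user either has or not."""
    return lambda session: role in session.roles


def has_tags(*tags):
    """Authorization-condition style check: tags a step-up flow can still grant."""
    return lambda session: set(tags) <= session.tags


def check_service_access(session, access_condition=None, authorization_condition=None):
    """Evaluate in the documented order and return (HTTP status, error code).

    The Access Condition is always checked before the Authorization Condition;
    an unconfigured condition behaves as fulfilled."""
    if access_condition is not None and not access_condition(session):
        return 403, PRECONDITION_NOT_FULFILLED
    if authorization_condition is not None and not authorization_condition(session):
        return 403, NOT_AUTHORIZED
    return 200, None


def client_with_step_up(session, access_condition, authorization_condition, step_up):
    """Client-side handling of the two outcomes: NOT_AUTHORIZED is recoverable by
    completing the step-up flow once and retrying; PRECONDITION_NOT_FULFILLED is not,
    because the access condition is re-checked first regardless of new tags."""
    status, code = check_service_access(session, access_condition, authorization_condition)
    if code == NOT_AUTHORIZED:
        step_up(session)   # constructed: a second-factor flow that grants the required tag
        status, code = check_service_access(session, access_condition, authorization_condition)
    return status, code


if __name__ == "__main__":
    access = has_role("customer")
    authz = has_tags("2fa")
    grant_2fa = lambda s: s.tags.add("2fa")
    print(client_with_step_up(Session(roles={"customer"}), access, authz, grant_2fa))  # (200, None)
    print(client_with_step_up(Session(roles={"guest"}), access, authz, grant_2fa))     # (403, 'PRECONDITION_NOT_FULFILLED')
```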

Account Linking Required Red Flag

Description
Red Flag for account linking required. Typically raised by an 'OAuth 2.0 SSO Step' and handled by a 'Missing Account Link Step'.
Type name
AccountLinkingRequiredRedFlag
Class
com.airlock.iam.oauth2.application.configuration.accountlinking.AccountLinkingRequiredRedFlagConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
Name (name)
Description
The name of the red flag.
Attributes
String
Optional
Default value
OAUTH2_ACCOUNT_LINKING_REQUIRED
YAML Template (with default values)

type: AccountLinkingRequiredRedFlag
id: AccountLinkingRequiredRedFlag-xxxxxx
displayName: 
comment: 
properties:
  name: OAUTH2_ACCOUNT_LINKING_REQUIRED

Account Linking Required Red Flag Condition

Description
Flow condition which evaluates to true, if the configured red flag is raised.
Type name
AccountLinkingRequiredCondition
Class
com.airlock.iam.oauth2.application.configuration.accountlinking.AccountLinkingRequiredConditionConfig
May be used by
User Identification By Data Step, OAuth 2.0 Consent Grant Initiation Step, FIDO Registration Step, Set Context Data Step, Legacy ID Propagation Adapter, Airlock 2FA Activation Trusted Session Binding Step, Selection Step for Self-Service, Cronto Device Reset Step, Default Enable Cronto Device Flow, Airlock 2FA Authentication Step, OAuth 2.0 Client Persisting Step, Send Email Link Step, Phone Number Verification Step, Set Authentication Method Step, Email OTP Authentication Step, FIDO Transaction Approval Step, HTTP Basic Authentication Step, Delete OAuth 2.0 Session Initiation Step, Secret Questions Identity Verification Step, Custom Protected Self-Service Flow, SSI Passwordless Authentication Step, User Data Registration Step, Failure Step, Select mTAN Token Step, SAML 2.0 SP User Identifying Step, Account Link Removal Initiation Step, No Operation Step, Cronto Transaction Approval Step, Cronto Device List, OAuth 2.0 Client Registration Step, Password Change Self-Service Step, Airlock 2FA Device Deletion Initiation Step, Apply Changes Step,
Selection Option For Public Self-Service, Airlock 2FA Activation Step (with additional Activation), Legacy mTAN Registration Flow, Enable Cronto Push Initiation Step, Start User Representation Step, Selection Option For User Self-Registration, OAuth 2.0 Session List, Representation SSO Ticket Identifying Step, User Role Assignment Step, Default Cronto Device Removal Flow, Email Verification Step, OATH OTP Activation Step, Airlock 2FA Mobile Only Authentication Step, Target Applications and Authentication, Airlock 2FA Public Self-Service Approval Step, Default OAuth 2.0 Consent Grant Flow, FIDO Credential Selection Step, Matrix Self-Service Approval Step, User Data Edit Step, Set Password Step, Cronto Letter Order Step, Username Password Authentication Step, Default Cronto Device Renaming Flow, OIDC Flow Condition To ACR Value Mapping, Default FIDO Credential Display Name Change Flow, Selection Step, Default mTAN Deletion Flow, Cronto Activation Step, Remember-Me Device List, User Identification By Data Step (Public Self-Service), Vasco OTP Authentication Step, User Lock Step, Logical NOT, Certificate Credential Extraction Step,
Stop User Representation Step, OAuth 2.0 Consents Delete Initiation Step, Default FIDO Credential Removal Flow, mTAN Token Edit Step, CrontoSign Swiss Push Activation Step, Airlock 2FA Transaction Approval Step, Missing Account Link Step, User Identification Step, Rename Cronto Device Step, User Identification with FIDO Authentication Step, Airlock 2FA Recovery Trusted Session Binding Step, Default Account Link Linking Flow, User Persisting Step, Secret Questions Provisioning Step, Selection Option For Self-Service, Kerberos Authentication Step, Complete Migration Step, Never Migrate Step, Application Portal Target, Migration Selection Step, Account Link Linking Initiation Step, Username Generation Step, Airlock 2FA Device List, Email Notification Step, Airlock 2FA Activation Letter Order Step, SMS Identity Verification Step, Matrix Public Self-Service Approval Step, Default Enable FIDO Credential Flow, Airlock 2FA Device Edit Initiation Step, Enable Cronto Device Initiation Step, Matrix Checking Step, Red Flag Raising Step, Scriptable Step, Login From New Device Step,
Default Disable Cronto Push Flow, FIDO Credential List, Password Letter Order Step, Device Token Authentication Step, Unlock User Step (Public Self-Service), Condition-based Role Provider, Set Authentication Method Migration Step, SSI Issuance Step, Default mTAN Token Registration Flow, Default Remember-Me Device Deletion Flow, FIDO Passwordless Authentication Step, Remember-Me User Identifying Step, Password Reset Step, Selection Option, FIDO Authentication Step, On Behalf Login Identity Propagation, Terms Of Services Step, Email Change Verification Step, Vasco OTP Self-Service Approval Step, Airlock 2FA Delete Devices Step, Password-only Authentication Step, SSI Self-Registration Issuance Step, Username Password with FIDO Authentication Step, User Identification Step (Public Self-Service), SSI Verification Step, mTAN Self-Service Approval Step, Legacy Email OTP Authentication Step, Cronto Device Selection Step, OAuth 2.0 Consent List, Abort Step, mTAN Token Registration Step, Email OTP Transaction Approval Step, Default Disable FIDO Credential Flow,
Default mTAN Token Edit Flow, Disable FIDO Credential Initiation Step, Enable FIDO Credential Initiation Step, OAuth 2.0 SSO Step, Remember-Me Reset Step, Cronto Authentication Step, Delete Remember-Me Device Initiation Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, Airlock 2FA Usernameless Authentication Step, Email Identity Verification Step, Default OAuth 2.0 Consent Deny Flow, OATH OTP Authentication Step, Password Repository Mapping, Target URI ID Propagator, Vasco OTP Public Self-Service Approval Step, OTP Check via RADIUS Step, Disable Cronto Push Initiation Step, Cronto Public Self-Service Approval Step, OAuth 2.0 Session Reset Step, OAuth 2.0 Consent Deny Initiation Step, Flow Condition-based OAuth 2.0 Scope Condition, Flow Condition To Authentication Context Mapping, mTAN Verification Step, Delete mTAN Number Initiation Step, Default OAuth 2.0 Consents Delete Flow, Generic ID Propagator, mTAN Public Self-Service Approval Step, OAuth 2.0 Consent Step, Transaction Approval Parameter Step, Role-based Tag Acquisition Step, Flow Continuation Step, Remember-Me Token Generating Step,
Device Token Registration Step, Cronto Self-Service Approval Step, SSI Authentication Step, Acknowledge Message Step, Default Enable Cronto Push Flow, Cronto Approval Stealth Step, Airlock 2FA Device Edit Step, Airlock 2FA Self-Service Approval Step, Flow Continuation Token Consumption Step, Device Token Identity Verification Step, mTAN Transaction Approval Step, Device Token List, Account Linking Lists Self Services, Risk Assessment Step, Default Account Link Removal Flow, mTAN Number List, mTAN Authentication Step, Advanced Migration Selection Option, SSO Ticket Authentication Step, Tag Removal Step, Voluntary Password Change Step, Airlock 2FA Activation Step, FIDO Credential Display Name Change Step, Mandatory Password Change Step, User Unlock Step (Self-Registration), Selection Step for Public Self-Service, Delete FIDO Credential Initiation Step, Delete Cronto Device Initiation Step, Conditional Value Map Provider, Logical AND, FIDO Public Self-Service Approval Step, Public Self-Service OATH OTP Approval Step, Disable Cronto Device Initiation Step, Default OAuth 2.0 Session Deletion Flow,
FIDO Self-Service Approval Step, Default Disable Cronto Device Flow, Logical OR
License-Tags
OAuthAccountLinking
Properties
Red Flag (redFlag)
Description
While the configured red flag is raised, this condition evaluates to true.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: AccountLinkingRequiredCondition
id: AccountLinkingRequiredCondition-xxxxxx
displayName: 
comment: 
properties:
  redFlag:

Account Linking Self Service

Description
Allows users to manage a link to their account at the provider.
Type name
AccountLinkingSelfService
Class
com.airlock.iam.oauth2.application.configuration.accountlinking.AccountLinkingSelfServiceConfig
May be used by
License-Tags
OAuthAccountLinking,OAuthSocialRegistration
Properties
Ask For Confirmation Before Linking (askForConfirmationBeforeLinking)
Description
If enabled, an additional confirmation page is shown when a user starts linking a new account before being redirected to the external provider for authentication.
Attributes
Boolean
Optional
Default value
true
Account Info Resource Key (accountInfo)
Description
Defines a resource key that is used to look up and display additional data of a linked account on the account link management page. To obtain the data, it is required to add an 'OAuth 2.0 Remote Context Data Resource' with a 'Local Context Data Key' equal to this resource key to the resource mappings. Please note that the remote data might only be available if it was requested with the corresponding scope from the authorization endpoint.
This property is helpful to display data that uniquely and understandably identifies an account, e.g. to display the user's email if available.
Attributes
String
Optional
Suggested values
email
YAML Template (with default values)

type: AccountLinkingSelfService
id: AccountLinkingSelfService-xxxxxx
displayName: 
comment: 
properties:
  accountInfo:
  askForConfirmationBeforeLinking: true

Ace Radius Token Verifier

Description
Token verifier to test ACE/RSA tokens using the RADIUS protocol.
This plug-in supports multiple ACE/RSA servers and failover.

The ACE server must be installed/configured to support RADIUS. Here are some configuration hints (may be different for more recent ACE server versions):

  • RADIUS support must be activated.
  • Create an agent host of type "Unix Agent" with the name and the IP of the host running this client. This makes sure that the ACE server accepts RADIUS requests from the client host.
  • Activate the users you want to use on the newly created agent host.

Since the RADIUS protocol does not know anything about the different challenge responses (next token required, new PIN required, etc.), some RSA/ACE server versions encode them in the state attribute (like a session ID). This implementation can check for these special state values and behave accordingly. This is the default setting. If the next token mode (and new PIN mode) does not work properly, enable the property Interpret Challenge Messages. In this case, this plug-in interprets the reply messages rather than the special state attributes.

Type name
AceRadiusTokenVerifier
Class
com.airlock.iam.core.misc.impl.tokenverifier.ace.AceRadiusTokenVerifier
May be used by
License-Tags
RadiusClient,SecurID,SecureID
Properties
Radius Servers (radiusServers)
Description
The RADIUS Server(s). If more than one is provided, the list is used for failover.

Not backward compatible: before hierarchical plugins were released, the RADIUS server information was configured directly in this plugin as a comma-separated list. Such a configuration must be converted by hand.

Attributes
Plugin-List
Mandatory
Assignable plugins
Interpret Challenge Messages (interpretChallengeMessages)
Description
If set to TRUE, this plug-in will look at the reply messages in RADIUS responses. The messages are used to distinguish next-token-mode, new-pin-mode, and new-pin-accepted-mode.
If the property is set to FALSE (default), this plug-in interprets the RADIUS state attribute to make this distinction. This may not work with newer RSA/ACE servers.
Attributes
Boolean
Optional
Default value
false
Nas Identifier (nasIdentifier)
Description
The NAS-Identifier to set in all requests.
Attributes
String
Optional
Length >= 3
YAML Template (with default values)

type: AceRadiusTokenVerifier
id: AceRadiusTokenVerifier-xxxxxx
displayName: 
comment: 
properties:
  interpretChallengeMessages: false
  nasIdentifier:
  radiusServers:

Acknowledge Message Step

Description
Configures a message ID or a message to be acknowledged by a client during a flow.

This can be used for example to inform users about a concrete event happening inside the flow, e.g., a successful mandatory password change, steps inside user self-registration, etc. This step can return a static message ID or a message that was generated by the server. At least one has to be configured. The message ID expects the client to display a corresponding message, while the server message is composed on the server and can therefore contain dynamic properties available in the IAM flow.

The message ID and the server message are both provided as additional attributes inside the flow response, under the keys messageId and serverMessage, respectively.

Type name
AcknowledgeMessageStep
Class
com.airlock.iam.flow.shared.application.configuration.acknowledgemessage.AcknowledgeMessageStepConfig
May be used by
Properties
Message ID (messageId)
Description
ID of the corresponding message which a client is expected to display. If a Server Message is configured, this is optional, but could still be useful, e.g. for the client to determine the title or styling.
Attributes
String
Optional
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: AcknowledgeMessageStep
id: AcknowledgeMessageStep-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  messageId:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  serverMessage:
  skipCondition:
  stepId:
  tagsOnSuccess:

ACR to Flow Application ID Mapping

Description
An authentication flow can be started based on a requested ACR value. If a configured ACR Value is found in the OpenID Connect request, the authentication flow of the configured application ID is started.
Type name
OpenIdConnectAcrToApplicationId
Class
com.airlock.iam.login.application.configuration.oauth2.OpenIdConnectAcrToApplicationIdConfig
May be used by
Properties
ACR Value (acrValue)
Description
When a requested ACR value matches this ACR, the configured Flow Application ID is started. Note: The ACR value is case sensitive.
Attributes
String
Mandatory
Flow Application ID (flowApplicationId)
Description
Application ID Flow to start, if a configured ACR is found in the OpenID Connect request.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: OpenIdConnectAcrToApplicationId
id: OpenIdConnectAcrToApplicationId-xxxxxx
displayName: 
comment: 
properties:
  acrValue:
  flowApplicationId:

Active Authentication Method

Description
Condition that is fulfilled if the configured "Auth Method" matches the user's active authentication method.
Type name
AuthMethodBasedCondition
Class
com.airlock.iam.flow.shared.application.configuration.condition.AuthMethodBasedConditionConfig
May be used by
User Identification By Data Step User Identification By Data Step OAuth 2.0 Consent Grant Initiation Step OAuth 2.0 Consent Grant Initiation Step FIDO Registration Step FIDO Registration Step Set Context Data Step Set Context Data Step Legacy ID Propagation Adapter Airlock 2FA Activation Trusted Session Binding Step Airlock 2FA Activation Trusted Session Binding Step Selection Step for Self-Service Selection Step for Self-Service Cronto Device Reset Step Cronto Device Reset Step Default Enable Cronto Device Flow Default Enable Cronto Device Flow Airlock 2FA Authentication Step Airlock 2FA Authentication Step OAuth 2.0 Client Persisting Step OAuth 2.0 Client Persisting Step Send Email Link Step Send Email Link Step Phone Number Verification Step Phone Number Verification Step Set Authentication Method Step Set Authentication Method Step Email OTP Authentication Step Email OTP Authentication Step FIDO Transaction Approval Step FIDO Transaction Approval Step HTTP Basic Authentication Step HTTP Basic Authentication Step Delete OAuth 2.0 Session Initiation Step Delete OAuth 2.0 Session Initiation Step Secret Questions Identity Verification Step Secret Questions Identity Verification Step Custom Protected Self-Service Flow Custom Protected Self-Service Flow SSI Passwordless Authentication Step SSI Passwordless Authentication Step User Data Registration Step User Data Registration Step Failure Step Failure Step Select mTAN Token Step Select mTAN Token Step SAML 2.0 SP User Identifying Step SAML 2.0 SP User Identifying Step Account Link Removal Initiation Step Account Link Removal Initiation Step No Operation Step No Operation Step Cronto Transaction Approval Step Cronto Transaction Approval Step Cronto Device List Cronto Device List OAuth 2.0 Client Registration Step OAuth 2.0 Client Registration Step Password Change Self-Service Step Password Change Self-Service Step Airlock 2FA Device Deletion Initiation Step Airlock 2FA Device Deletion Initiation Step Apply Changes 
Step Apply Changes Step Selection Option For Public Self-Service Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Step (with additional Activation) Legacy mTAN Registration Flow Legacy mTAN Registration Flow Enable Cronto Push Initiation Step Enable Cronto Push Initiation Step Start User Representation Step Start User Representation Step Selection Option For User Self-Registration OAuth 2.0 Session List OAuth 2.0 Session List Representation SSO Ticket Identifying Step Representation SSO Ticket Identifying Step User Role Assignment Step User Role Assignment Step Default Cronto Device Removal Flow Email Verification Step Email Verification Step OATH OTP Activation Step OATH OTP Activation Step Airlock 2FA Mobile Only Authentication Step Airlock 2FA Mobile Only Authentication Step Target Applications and Authentication Airlock 2FA Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step Default OAuth 2.0 Consent Grant Flow Default OAuth 2.0 Consent Grant Flow FIDO Credential Selection Step FIDO Credential Selection Step Matrix Self-Service Approval Step Matrix Self-Service Approval Step User Data Edit Step User Data Edit Step Set Password Step Set Password Step Cronto Letter Order Step Cronto Letter Order Step Username Password Authentication Step Username Password Authentication Step Default Cronto Device Renaming Flow Default Cronto Device Renaming Flow OIDC Flow Condition To ACR Value Mapping Default FIDO Credential Display Name Change Flow Default FIDO Credential Display Name Change Flow Selection Step Selection Step Default mTAN Deletion Flow Cronto Activation Step Cronto Activation Step Remember-Me Device List Remember-Me Device List User Identification By Data Step (Public Self-Service) User Identification By Data Step (Public Self-Service) Vasco OTP Authentication Step Vasco OTP Authentication Step User Lock Step User Lock Step Logical NOT Certificate Credential Extraction Step Certificate Credential 
Extraction Step Stop User Representation Step Stop User Representation Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Consents Delete Initiation Step Default FIDO Credential Removal Flow mTAN Token Edit Step mTAN Token Edit Step CrontoSign Swiss Push Activation Step CrontoSign Swiss Push Activation Step Airlock 2FA Transaction Approval Step Airlock 2FA Transaction Approval Step Missing Account Link Step User Identification Step User Identification Step Rename Cronto Device Step Rename Cronto Device Step User Identification with FIDO Authentication Step User Identification with FIDO Authentication Step Airlock 2FA Recovery Trusted Session Binding Step Airlock 2FA Recovery Trusted Session Binding Step Default Account Link Linking Flow Default Account Link Linking Flow User Persisting Step User Persisting Step Secret Questions Provisioning Step Secret Questions Provisioning Step Selection Option For Self-Service Kerberos Authentication Step Kerberos Authentication Step Complete Migration Step Complete Migration Step Never Migrate Step Never Migrate Step Application Portal Target Migration Selection Step Migration Selection Step Migration Selection Step Account Link Linking Initiation Step Account Link Linking Initiation Step Username Generation Step Username Generation Step Airlock 2FA Device List Airlock 2FA Device List Email Notification Step Email Notification Step Airlock 2FA Activation Letter Order Step Airlock 2FA Activation Letter Order Step SMS Identity Verification Step SMS Identity Verification Step Matrix Public Self-Service Approval Step Matrix Public Self-Service Approval Step Default Enable FIDO Credential Flow Default Enable FIDO Credential Flow Airlock 2FA Device Edit Initiation Step Airlock 2FA Device Edit Initiation Step Enable Cronto Device Initiation Step Enable Cronto Device Initiation Step Matrix Checking Step Matrix Checking Step Red Flag Raising Step Red Flag Raising Step Red Flag Raising Step Scriptable Step Scriptable Step Login 
From New Device Step Login From New Device Step Default Disable Cronto Push Flow Default Disable Cronto Push Flow FIDO Credential List FIDO Credential List Password Letter Order Step Password Letter Order Step Device Token Authentication Step Device Token Authentication Step Unlock User Step (Public Self-Service) Unlock User Step (Public Self-Service) Condition-based Role Provider Set Authentication Method Migration Step Set Authentication Method Migration Step SSI Issuance Step SSI Issuance Step Default mTAN Token Registration Flow Default Remember-Me Device Deletion Flow Default Remember-Me Device Deletion Flow FIDO Passwordless Authentication Step FIDO Passwordless Authentication Step Remember-Me User Identifying Step Remember-Me User Identifying Step Password Reset Step Password Reset Step Selection Option FIDO Authentication Step FIDO Authentication Step On Behalf Login Identity Propagation Terms Of Services Step Terms Of Services Step Email Change Verification Step Email Change Verification Step Vasco OTP Self-Service Approval Step Vasco OTP Self-Service Approval Step Airlock 2FA Delete Devices Step Airlock 2FA Delete Devices Step Password-only Authentication Step Password-only Authentication Step SSI Self-Registration Issuance Step SSI Self-Registration Issuance Step Username Password with FIDO Authentication Step Username Password with FIDO Authentication Step User Identification Step (Public Self-Service) User Identification Step (Public Self-Service) SSI Verification Step SSI Verification Step mTAN Self-Service Approval Step mTAN Self-Service Approval Step Legacy Email OTP Authentication Step Legacy Email OTP Authentication Step Cronto Device Selection Step Cronto Device Selection Step OAuth 2.0 Consent List OAuth 2.0 Consent List Abort Step Abort Step mTAN Token Registration Step mTAN Token Registration Step Email OTP Transaction Approval Step Email OTP Transaction Approval Step Default Disable FIDO Credential Flow Default Disable FIDO Credential Flow 
Default mTAN Token Edit Flow Default mTAN Token Edit Flow Disable FIDO Credential Initiation Step Disable FIDO Credential Initiation Step Enable FIDO Credential Initiation Step Enable FIDO Credential Initiation Step OAuth 2.0 SSO Step OAuth 2.0 SSO Step Remember-Me Reset Step Remember-Me Reset Step Cronto Authentication Step Cronto Authentication Step Delete Remember-Me Device Initiation Step Delete Remember-Me Device Initiation Step Selection Step for User Self-Registration Selection Step for User Self-Registration Vasco OTP Device Activation Vasco OTP Device Activation Airlock 2FA Usernameless Authentication Step Airlock 2FA Usernameless Authentication Step Email Identity Verification Step Email Identity Verification Step Default OAuth 2.0 Consent Deny Flow Default OAuth 2.0 Consent Deny Flow OATH OTP Authentication Step OATH OTP Authentication Step Password Repository Mapping Target URI ID Propagator Vasco OTP Public Self-Service Approval Step Vasco OTP Public Self-Service Approval Step OTP Check via RADIUS Step OTP Check via RADIUS Step Disable Cronto Push Initiation Step Disable Cronto Push Initiation Step Cronto Public Self-Service Approval Step Cronto Public Self-Service Approval Step OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset Step OAuth 2.0 Consent Deny Initiation Step OAuth 2.0 Consent Deny Initiation Step Flow Condition-based OAuth 2.0 Scope Condition Flow Condition To Authentication Context Mapping mTAN Verification Step mTAN Verification Step Delete mTAN Number Initiation Step Delete mTAN Number Initiation Step Default OAuth 2.0 Consents Delete Flow Default OAuth 2.0 Consents Delete Flow Generic ID Propagator mTAN Public Self-Service Approval Step mTAN Public Self-Service Approval Step OAuth 2.0 Consent Step Transaction Approval Parameter Step Transaction Approval Parameter Step Role-based Tag Acquisition Step Role-based Tag Acquisition Step Flow Continuation Step Flow Continuation Step Remember-Me Token Generating Step Remember-Me Token 
Generating Step Device Token Registration Step Device Token Registration Step Cronto Self-Service Approval Step Cronto Self-Service Approval Step SSI Authentication Step SSI Authentication Step Acknowledge Message Step Acknowledge Message Step Default Enable Cronto Push Flow Default Enable Cronto Push Flow Cronto Approval Stealth Step Cronto Approval Stealth Step Airlock 2FA Device Edit Step Airlock 2FA Device Edit Step Airlock 2FA Self-Service Approval Step Airlock 2FA Self-Service Approval Step Flow Continuation Token Consumption Step Flow Continuation Token Consumption Step Device Token Identity Verification Step Device Token Identity Verification Step mTAN Transaction Approval Step mTAN Transaction Approval Step Device Token List Device Token List Account Linking Lists Self Services Account Linking Lists Self Services Risk Assessment Step Risk Assessment Step Default Account Link Removal Flow Default Account Link Removal Flow mTAN Number List mTAN Number List mTAN Authentication Step mTAN Authentication Step Advanced Migration Selection Option SSO Ticket Authentication Step SSO Ticket Authentication Step Tag Removal Step Tag Removal Step Voluntary Password Change Step Voluntary Password Change Step Airlock 2FA Activation Step Airlock 2FA Activation Step FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Mandatory Password Change Step User Unlock Step (Self-Registration) User Unlock Step (Self-Registration) Selection Step for Public Self-Service Selection Step for Public Self-Service Delete FIDO Credential Initiation Step Delete FIDO Credential Initiation Step Delete Cronto Device Initiation Step Delete Cronto Device Initiation Step Conditional Value Map Provider Logical AND FIDO Public Self-Service Approval Step FIDO Public Self-Service Approval Step Public Self-Service OATH OTP Approval Step Public Self-Service OATH OTP Approval Step Disable Cronto Device Initiation Step Disable Cronto Device Initiation Step Default OAuth 2.0 
Session Deletion Flow Default OAuth 2.0 Session Deletion Flow FIDO Self-Service Approval Step FIDO Self-Service Approval Step Default Disable Cronto Device Flow Default Disable Cronto Device Flow Logical OR
Properties
Auth Method (authMethod)
Description
Expected value of the auth method field on the user for this condition to be fulfilled.
Attributes
String
Mandatory
Suggested values
AIRLOCK_2FA, CRONTO, EMAILOTP, FIDO, MATRIX, MTAN, OATH_OTP, OTP, PASSWORD
YAML Template (with default values)

type: AuthMethodBasedCondition
id: AuthMethodBasedCondition-xxxxxx
displayName: 
comment: 
properties:
  authMethod:

Active Directory Authentication Failure Mapper

Description
Maps messages returned in LDAP exceptions (in the case of bind failures) to authentication result types. Known Active Directory errors are:
  • data 525 - user not found
  • data 52e - invalid credentials
  • data 530 - not permitted to logon at this time
  • data 531 - not permitted to logon at this workstation
  • data 532 - password expired
  • data 533 - account disabled
  • data 701 - account expired
  • data 773 - user must reset password
  • data 775 - user account locked
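The mapping above is what a failure mapper has to implement: extract the hexadecimal "data" sub-code that Active Directory embeds in the diagnostic message of a failed bind and translate it into a result type. The following Python block is an added illustration of that parsing step; it is not Airlock IAM code, and the result type names and the sample diagnostic messages (including the DSID values) are constructed for the example.

```python
import re
from enum import Enum, auto


class AuthResult(Enum):
    """Authentication result types derived from an AD bind failure (names are illustrative)."""
    USER_NOT_FOUND = auto()
    INVALID_CREDENTIALS = auto()
    LOGON_TIME_RESTRICTED = auto()
    WORKSTATION_RESTRICTED = auto()
    PASSWORD_EXPIRED = auto()
    ACCOUNT_DISABLED = auto()
    ACCOUNT_EXPIRED = auto()
    PASSWORD_RESET_REQUIRED = auto()
    ACCOUNT_LOCKED = auto()
    UNKNOWN = auto()


# The "data" sub-codes listed in the plugin description (hex, as AD reports them).
AD_DATA_CODES = {
    "525": AuthResult.USER_NOT_FOUND,
    "52e": AuthResult.INVALID_CREDENTIALS,
    "530": AuthResult.LOGON_TIME_RESTRICTED,
    "531": AuthResult.WORKSTATION_RESTRICTED,
    "532": AuthResult.PASSWORD_EXPIRED,
    "533": AuthResult.ACCOUNT_DISABLED,
    "701": AuthResult.ACCOUNT_EXPIRED,
    "773": AuthResult.PASSWORD_RESET_REQUIRED,
    "775": AuthResult.ACCOUNT_LOCKED,
}

# AD puts the sub-code into the bind error's diagnostic message as ", data 52e,".
_DATA_CODE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


def map_bind_failure(diagnostic_message: str) -> AuthResult:
    """Extract the 'data' sub-code from an AD bind failure message and map it.

    Anything without a recognised sub-code (network errors, other LDAP servers)
    maps to UNKNOWN so the caller treats it as a generic failure.
    """
    match = _DATA_CODE.search(diagnostic_message or "")
    if match is None:
        return AuthResult.UNKNOWN
    return AD_DATA_CODES.get(match.group(1).lower(), AuthResult.UNKNOWN)


# Constructed sample messages in the shape AD returns for a failed simple bind.
SAMPLE_BIND_FAILURES = [
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1",
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1",
    "connection reset by peer",
]


def classify_samples():
    """Map every constructed sample message to its result type."""
    return [map_bind_failure(m) for m in SAMPLE_BIND_FAILURES]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_BIND_FAILURES, classify_samples()):
        print(f"{result.name:<24} <- {msg}")
```

The detailed result is meant for server-side decisions and audit logging (for example, distinguishing a locked account from a wrong password). When the "Stealth Mode" of the Main Authenticator is in use, the client should still only receive a generic authentication failure; the fine-grained type must not leak into the response.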
Type name
ActiveDirectoryAuthenticationFailureMapper
Class
com.airlock.iam.core.misc.impl.authen.ldap.ActiveDirectoryAuthenticationFailureMapper
May be used by
Properties
YAML Template (with default values)

type: ActiveDirectoryAuthenticationFailureMapper
id: ActiveDirectoryAuthenticationFailureMapper-xxxxxx
displayName: 
comment: 
properties:

Active Directory Connector

Description
Microsoft Active Directory Connector

General Information
If a Microsoft Active Directory is used to manage the users, only this Plugin needs to be configured to handle the different user-related directory tasks. This MS AD connector implements the Airlock IAM Plugin interfaces: Authenticator, UserIterator, LicenseUserCounter, UserPersister, CredentialPersister, PasswordService, PasswordPolicy, and PasswordAuthenticator.

  • Only standard Active Directory user attributes are used. Therefore it's not necessary to extend the schema.
  • Active Directory features like recursive group membership, password policies and password histories are supported.
  • Changing passwords is possible when the connection to the AD is secured using SSL/TLS.
  • Multiple AD servers can be configured for failover or load balancing.
  • Multiple "User Search Bases" and "Group Search Bases" can be specified.

This plugin works best with Microsoft Active Directory server 2008R2 and later.

Note on Stealth-Mode (Zero-Information Leakage)
This plugin provides "stealth" in the sense that it does not reveal information about the factor that prevented the successful login, but it does not provide protection against denial of service attacks based on locking user accounts.
If used in conjunction with the "Stealth Mode" (see "Main Authenticator" plugin), it is strongly recommended to enable the "soft account lock" feature of this plugin (see property below).

Note on using this plugin only for password checks
When only using this plugin to check the user's password, additional features like role lookup or context data retrieval may not work as expected.

Type name
ActiveDirectoryConnector
Class
com.airlock.iam.core.misc.impl.activedirectory.ActiveDirectoryConnector
May be used by
Secret Questions Token Controller Password Settings Password Settings Client Certificate (X.509) Request Authentication Persister Password Service Persister Password Service Auth Method-based Authenticator Selector JSP Remember-Me Settings HTTP Basic Authentication Step Email User Profile Item Certificate Authenticator Certificate Authenticator Radius Authentication Service Radius Authentication Service Self Reg Users Clean Up Task SMS Notifier Password Change Self-Service Step Service Container Airlock 2FA Activation Letter Task Admin SSO Ticket Request Authentication Credential Data mTAN Handler Credential Data mTAN Handler Fallback Authenticator Delete Users Task Delete Users Task OATH OTP Settings Transaction Approval Data Sources Set Password Step Username Password Authentication Step User Sync Task User Sync Task Password Batch Task Password Batch Task Password Token Controller XML File Importer Task Password Authenticator Self Reg Users Reminder Task mTAN IAK Token Report Strategy Token Data mTAN Handler Static Request Authentication Combining User Persister Administrators Configuration Administrators Configuration Administrators Configuration User Store Configuration User Store Configuration User to Password Service Mapping User to Password Service Mapping Authenticator-based One-Shot Target Application Primary Key Lookup Lock Inactive Accounts Task Lock Inactive Accounts Task Vasco Letter Generator Certificate Token Authenticator Airlock 2FA Authenticator Credential Secret Batch Task Token Authenticator Composite Password Service Composite Password Service Composite Password Service Cronto Report Strategy String User Profile Item OAuth 2.0 Token Request Authentication Lookup and Accept Authenticator Credential Report Task Email Notifier Password Reset Step Main Authenticator Main Authenticator Credential-based Generic Token Repository Password-only Authentication Step Username Password with FIDO Authentication Step Legacy Email OTP Authentication Step 
Email Otp Authenticator Export Users Task Export Users Task Has Email Address SSO Ticket Request Authentication Custom User Persister-based User Store Provider Remember-Me Reset Step User Persister Configuration User Persister Configuration User Persister Configuration Administrators Management Certificate Data Extractor Task OAuth 2.0/OIDC Authorization Server Vasco Token Report Strategy Lock Expired Initial Passwords Task Lock Expired Initial Passwords Task Selection Authenticator Pattern-based Random String Generator User-based Authenticator Selector Combining Extended User Persister Extended String User Profile Item Role-based Authenticator Selector Basic Auth Request Authentication Basic Auth Request Authentication User-based Password Service Selector Credential Data Certificate Matcher Cipher Credential Persister Password User Item Meta Authenticator Meta Authenticator Meta Authenticator Meta Authenticator HTTP Password Service Token Activation On Delivery Strategy Destroy Last User Session Loginapp Voluntary Password Change Step User Persister Email Certificate Provider Mandatory Password Change Step User Persister-based User Store User to Authenticator Mapping Active Directory Password Repository New Email Clean-up Strategy Context Data Username Transformer Email Notification Task Email Notification Task Persister IAK Verifier
Properties
Connection Settings (connectionPool)
Description
The connection settings for communicating with one or more Microsoft Active Directory servers.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Is Read Only (isReadOnly)
Description

If enabled, the Active Directory Connector plugin does not write any data to the AD except for new passwords (changing and setting passwords can be disabled in the global password settings).
This allows using a service account user with only a few privileges.

If enabled, the following data is not written to the AD (and therefore some features may not work as expected):

  • Context data (e.g. changes to user's postal address)
  • Credential data (e.g. change of mobile phone number)
  • User unlocking (after password change or from the Adminapp)
  • Enforcing password change (after setting a new password in the Adminapp)

Note that individual context attributes can be made read-only using the configuration property "Read-Only Attributes".

Attributes
Boolean
Optional
Default value
false
Username Attribute (userIdAttributeName)
Description
The name of the attribute that holds the user ID. Usually the default value 'sAMAccountName' should not be changed.
Attributes
String
Optional
Default value
sAMAccountName
Suggested values
cn, sAMAccountName, userPrincipalName
Credential Data Attribute (credentialDataAttribute)
Description

The LDAP attribute with credential data (e.g. mobile phone number for mTAN/SMS authentication or email address for certificate validation).
If the same attribute is listed in the property "Binary Attributes", it will be treated as binary data, otherwise it is assumed to be UTF-8 string data.

This property is only required when an additional credential should be checked besides the password.

Attributes
String
Optional
Default value
mobile
Suggested values
mobile, mail, cn, userPrincipalName
User Search Bases (userSearchBases)
Description
Specifies the LDAP tree node(s) for users. If multiple nodes are defined, all are considered in the defined order when finding users.

The separate property "User Search Scope" controls whether users are only searched in the nodes defined by this property or in its subtrees as well.

Attributes
String-List
Mandatory
User Search Scope (userSearchScope)
Description
Specifies whether the search should consider the complete subtree of the search base "User Search Bases" or only its direct child nodes.
  • ONE_LEVEL: Search users only in the specified "User Search Bases" - the subtree is ignored.
  • SUBTREE: Search users recursively in the specified "User Search Bases" - considers the complete subtree.
  • SUBORDINATE_SUBTREE: Search users recursively in the specified "User Search Bases" - considers the complete subtree from one level below the specified "User Search Bases" and ignores users directly in it.
  • BASE: Only the exact entries in the specified "User Search Bases" are considered.
Attributes
Enum
Optional
Default value
SUBTREE
User Search Filter (userSearchFilter)
Description

LDAP search filter expression applied when searching for users.
Note that this filter is automatically combined (logical AND) with a username filter based on the "Username Attribute".
The format and interpretation of the filter follow RFC 2254.

Example 1 - Consider only entries with object class user: (objectCategory=user)
Example 2 - Consider only entries with object class person: (objectClass=person)
Example 3 - Consider only users in a specific group (no nested groups): (&(objectCategory=Person)(memberOf=cn=snakeOilDepartment,ou=groups,dc=company,dc=com))
Example 4 - Same as example 3 but considering nested groups: (&(objectCategory=Person)(memberOf:1.2.840.113556.1.4.1941:=cn=snakeOilDepartment,ou=groups,dc=company,dc=com))

Attributes
String
Optional
Multi-line-text
Default value
(objectCategory=user)
Example
(objectCategory=user)
Example
(objectClass=person)
Username Conversion Pattern (usernameConversionPattern)
Description

Regular expression pattern containing a group (a region embraced by parentheses) that can be used in conjunction with property "Username Conversion Replacement" in order to transform the username before it is used for searching the user in the directory. If the username does not match the pattern at all, no transformation is performed.

Example: The pattern "(.*)" and the replacement pattern "user.$1" will transform the username "jdoe" to "user.jdoe" before it is used in the directory.

Example: The pattern "user\.(.*)" and the replacement pattern "$1" will transform the username "user.jdoe" to "jdoe" before it is used in the directory.

Attributes
RegEx
Optional
Username Conversion Replacement (usernameConversionReplacement)
Description
The replacement string used in conjunction with property "Username Conversion Pattern" in order to transform the username. The token "$1" is used to reference the string matching the group in the pattern. See property "Username Conversion Pattern" for examples.
Attributes
String
Optional
Example
user.$1
Example
$1
Group Search Bases (groupSearchBases)
Description
Specifies the LDAP tree node(s) for groups/roles. If multiple nodes are defined, all are considered in the defined order when finding groups.

Groups/roles are not searched if this property is not configured.

The separate property "Group Search Scope" controls whether groups are only searched in the nodes defined by this property or in its subtrees as well.

Attributes
String-List
Optional
Group Search Scope (groupSearchScope)
Description
Specifies whether the search should consider the complete subtree of the search base "Group Search Bases" or only its direct child nodes.
  • ONE_LEVEL: Search groups only in the specified "Group Search Bases" - the subtree is ignored.
  • SUBTREE: Search groups recursively in the specified "Group Search Bases" - considers the complete subtree.
  • SUBORDINATE_SUBTREE: Search groups recursively in the specified "Group Search Bases" - considers the complete subtree from one level below the specified "Group Search Bases" and ignores groups directly in it.
  • BASE: Only the exact entries in the specified "Group Search Bases" are considered.
Attributes
Enum
Optional
Default value
SUBTREE
Group Search Filter (groupSearchFilter)
Description
LDAP search filter expression applied when searching for groups.

Note that this filter is automatically combined (logical AND) with a username filter based on the "Username Attribute".
The format and interpretation of filter follow RFC 2254.

Attributes
String
Optional
Multi-line-text
Default value
(objectClass=group)
Example
(objectClass=group)
Example
(objectCategory=group)
Example
(objectClass=*)
Resolve Nested Groups (resolveNestedGroups)
Description
If enabled, nested groups are also assigned to a user as roles. If disabled, only groups directly connected to the user (memberOf) are read from the Active Directory and are assigned to the user as roles.

Notice that in any case, only groups in the "Group Search Bases" will be found.

Attributes
Boolean
Optional
Default value
true
Static Roles (staticRoles)
Description
Static list of roles added to all users. Every user found in the AD gets these roles in addition to their roles/groups in the Active Directory (if configured).
Attributes
String-List
Optional
Role Filters (roleFilters)
Description
Allows filtering of retrieved user roles by regular expressions. If configured, only roles that match at least one of the filter patterns are assigned to the user. Static roles are not filtered.
Attributes
RegEx-List
Optional
Match Roles Case Sensitive (matchRolesCaseSensitive)
Description
If enabled, roles are matched against the role filters considering the case (the default).
Attributes
Boolean
Optional
Default value
true
Use Groups From memberOf Attribute (useGroupsFromMemberOfAttribute)
Description
If enabled, the group values from the memberOf attribute are imported as user roles. This is combinable with the groups search. The values from the memberOf attribute will also be filtered by the role filter.

Note that nested roles can NOT be resolved via the memberOf attribute. This can only be done using the groups search. The role lookup through the memberOf attribute is read-only, as is the lookup through the groups search.

Attributes
Boolean
Optional
Default value
false
Search Result Page Size (searchResultPageSize)
Description

If set to a value greater than zero and the Active Directory supports the SimplePaging control, "paging" is enabled for LDAP searches: This property defines the number of entries to fetch at once when searching in a directory.

This setting may be useful if the Active Directory limits the number of entries in a search result.
If the property is set to zero (the default) or if the server does not announce support for the SimplePaging control, paging is disabled.

Attributes
Integer
Optional
Default value
1000
Suppress Substring Search (suppressSubstringSearch)
Description
If enabled, substring searches are suppressed, i.e. attributes only match a filter if the whole filter string matches.
This may greatly improve search performance in large directories.
Attributes
Boolean
Optional
Default value
false
Soft Account Lock (softAccountLock)
Description

Lock users when they have more than the configured number of successive incorrect password checks on the AD. (E.g.: the value "2" means that 2 incorrect passwords are still OK).

If the number is smaller than the corresponding setting in AD, this allows "soft-locking" the account if accessed via Airlock IAM without actually locking the account on the AD. This feature may be used to prevent AD accounts from being locked by unsuccessful remote logins.

Note: if "Stealth Mode" is used (see "Main Authenticator" plugin), it is strongly recommended to enable this feature.

Attributes
Integer
Optional
Unlock User On Password Reset (unlockUserOnPasswordReset)
Description
If set to TRUE the user attribute "Lockout Time" is reset to 0 upon password reset.
Attributes
Boolean
Optional
Default value
true
Check Server-Side Password Policies On Change/Reset (checkServersidePasswordPoliciesOnChange)
Description

If enabled, the server-side password policy is checked when a user changes or resets the password (not when an administrator sets one). This is for example useful to enforce advanced server-side policies like password histories.

Note that the AD might impose further password constraints (e.g. minimal length), that cannot be weakened or disabled with these settings.

Attributes
Boolean
Optional
Default value
true
Context Data Attributes (contextDataAttributes)
Description
A list of attribute names that are loaded into the context data container of the user, e.g. address data.
Notice: Context data attributes are string based. Values are read as strings and converted to strings when written.

To prevent attributes from being changed by Airlock IAM/Login, add them also to the list of "Read-only Attributes".

Notice: The attributes "objectGUID" and "ImmutableID" are always considered read-only.

Attributes
String-List
Optional
Binary Attributes (binaryAttributes)
Description
A list of attribute names that should be treated as binary data (instead of string data).

Those attributes are Base64 encoded for use in Airlock IAM/Login.

If the attribute name from "Credential Data Attribute" is also listed here, the credential data will be treated as binary.

Attributes
String-List
Optional
Read-only Attributes (readOnlyAttributes)
Description
A list of attribute names that are never written when updating a user. This must be a subset of the attributes listed in Context Data Attributes.
Attributes
String-List
Optional
User DN Context Data Attribute (userDNContextDataAttribute)
Description
The name of the context data field to hold the user's distinguished name (DN).
This DN is in the format "uid=user,ou=People,dc=company,dc=ch"
Attributes
String
Optional
Example
dn
Domain DN (domainDN)
Description
The distinguished name (DN) of the root domain. If left unconfigured the default naming context of the Active Directory server is used.
Attributes
String
Optional
Example
DC=example, DC=org
Password Settings Container DN (passwordSettingsContainerDN)
Description
The distinguished name (DN) of the Password Settings Container (PSC). If left unconfigured the PSC "CN=Password Settings Container, CN=System" in the default naming context of the Active Directory server is used.
Attributes
String
Optional
Example
CN=Password Settings Container, CN=System, DC=example, DC=org
User Count Search Filter (userCountSearchFilter)
Description
The search filter expression applied (in addition to the "User Search Filter" expression, if present) to count the users. If no filter expression is given, the "User Search Filter" expression is used to count users; if no "User Search Filter" expression is given either, the default filter is used. The format and interpretation of the filter follow RFC 2254.

Note: The user count is relevant for the product license. This filter should therefore describe the set of users who are able to authenticate through Airlock IAM.

Attributes
String
Optional
Example
(objectCategory=user)
LDS Mode (adLdsMode)
Description
Activates the AD LDS mode of operation ("Lightweight Directory Services").
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: ActiveDirectoryConnector
id: ActiveDirectoryConnector-xxxxxx
displayName: 
comment: 
properties:
  adLdsMode: false
  binaryAttributes:
  checkServersidePasswordPoliciesOnChange: true
  connectionPool:
  contextDataAttributes:
  credentialDataAttribute: mobile
  domainDN:
  groupSearchBases:
  groupSearchFilter: (objectClass=group)
  groupSearchScope: SUBTREE
  isReadOnly: false
  matchRolesCaseSensitive: true
  passwordSettingsContainerDN:
  readOnlyAttributes:
  resolveNestedGroups: true
  roleFilters:
  searchResultPageSize: 1000
  softAccountLock:
  staticRoles:
  suppressSubstringSearch: false
  unlockUserOnPasswordReset: true
  useGroupsFromMemberOfAttribute: false
  userChangeEventListeners:
  userCountSearchFilter:
  userDNContextDataAttribute:
  userIdAttributeName: sAMAccountName
  userSearchBases:
  userSearchFilter: (objectCategory=user)
  userSearchScope: SUBTREE
  usernameConversionPattern:
  usernameConversionReplacement:

Active Directory Password Policy

Description
A password policy that validates a password against different requirements. Those requirements are retrieved from the configured Active Directory connector. Validation can be done for different contexts, e.g. only on login or on password reset.

Note: This plugin can only check requirements concerning the current password if the necessary information is available in the user data (e.g. latest-password-change-timestamp). Whether this is the case may depend on the configuration of the underlying user persister.

Type name
ActiveDirectoryPasswordPolicy
Class
com.airlock.iam.core.misc.impl.authen.ldap.ActiveDirectoryPasswordPolicy
May be used by
Properties
Active Directory Connector (activeDirectoryConnector)
Description
Provides access to the schema of an Active Directory to retrieve the current password policy for certain users.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ActiveDirectoryPasswordPolicy
id: ActiveDirectoryPasswordPolicy-xxxxxx
displayName: 
comment: 
properties:
  activeDirectoryConnector:

Active Directory Password Policy Connector

Description
This plugin retrieves a Password Policy Object (PSO) for a specific user from an Active Directory (AD) via the configured LDAP connection.
Type name
ActiveDirectoryPasswordPolicyConnector
Class
com.airlock.iam.core.misc.impl.authen.ldap.ActiveDirectoryPasswordPolicyConnector
May be used by
Properties
Connection Pool (connectionPool)
Description
The settings used to talk to the LDAP directory (or Active Directory).
Attributes
Plugin-Link
Mandatory
Assignable plugins
Domain DN (domainDN)
Description
The distinguished name (DN) of the domain in the Active Directory schema.
Attributes
String
Mandatory
Example
dc=example, dc=org
Password Settings Container DN (passwordSettingsContainerDN)
Description
The distinguished name (DN) of the Password Settings Container (PSC) in the Active Directory schema.
Attributes
String
Mandatory
Example
cn=Password Settings Container, cn=System, dc=example, dc=org
Username Attribute (userIdAttributeName)
Description
The name of the attribute that holds the user id.
Attributes
String
Optional
Default value
sAMAccountName
Suggested values
cn, sAMAccountName, userPrincipalName
User Search Bases (searchBases)
Description
Defines a list of search contexts (search trees with search levels) to use when looking for users. The search contexts are used in the defined order. If left unconfigured sensible defaults apply.
Attributes
String-List
Optional
User Search Scope (searchScope)
Description
Specifies whether the search also recurses into the subtrees of the search base nodes or only searches their direct child nodes.

Valid values are SUB and ONE.

Attributes
Enum
Optional
Default value
SUBTREE
User Search Filter (searchFilter)
Description
The additional LDAP search filter expression used when searching for the user whose password is to be checked. This filter is automatically combined (by a logical AND) with a username filter based on the Username Attribute.

The format and interpretation of filter follows RFC 2254.

Attributes
String
Optional
Multi-line-text
Default value
(objectClass=person)
Example
(objectClass=person)
LDS Mode (adLdsMode)
Description
Activates the AD LDS mode of operation ("Lightweight Directory Services").
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: ActiveDirectoryPasswordPolicyConnector
id: ActiveDirectoryPasswordPolicyConnector-xxxxxx
displayName: 
comment: 
properties:
  adLdsMode: false
  connectionPool:
  domainDN:
  passwordSettingsContainerDN:
  searchBases:
  searchFilter: (objectClass=person)
  searchScope: SUBTREE
  userIdAttributeName: sAMAccountName

Active Directory Password Repository

Description
Retrieves the password of the user from Active Directory.
Type name
ActiveDirectoryPasswordRepository
Class
com.airlock.iam.common.application.configuration.password.repository.ActiveDirectoryPasswordRepositoryConfig
May be used by
Properties
Connector (connector)
Description
The connector for the Active Directory.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allowed Password Validity Duration (allowedPasswordValidityDuration)
Description
The number of days a password may be used before it must be changed.

If a password is changed, the 'latest password change timestamp' is set and, if this property is defined, the 'next enforced password change timestamp' is updated.

If this property is not defined, the 'next enforced password change timestamp' is not updated.

Attributes
Integer
Optional
YAML Template (with default values)

type: ActiveDirectoryPasswordRepository
id: ActiveDirectoryPasswordRepository-xxxxxx
displayName: 
comment: 
properties:
  allowedPasswordValidityDuration:
  connector:

Actor Claim from Actor Token (OAuth 2.0 Token Exchange)

Description

Sets the act claim to a claim set containing the sub and iss claims from the (required) actor token, and nests the original act claim from the subject token data into this claim set.

Nesting the act claim within another expresses a chain of delegation. The outermost act claim represents the current actor while nested act claims represent prior actors. The least recent actor is the most deeply nested. The nested act claims serve as a history trail that connects the initial request and subject through the various delegation steps undertaken before reaching the current actor.

Type name
OAuth2ActorClaimFromActorToken
Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2ActorClaimFromActorTokenConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
YAML Template (with default values)

type: OAuth2ActorClaimFromActorToken
id: OAuth2ActorClaimFromActorToken-xxxxxx
displayName: 
comment: 
properties:

Actor Token Unsigned Claims Extractor

Description
Requires an actor token to be present in the token exchange request, but does not check its signature. Tokens are expected to have at least the claims iss and sub. If present, the claims exp and nbf are validated.
Caution: JWTs with alg=none are accepted; this may be a security risk.
Type name
OAuth2ActorTokenUnsignedClaimsExtractor
Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2ActorTokenUnsignedClaimsExtractorConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
Allowed Token Issuers (allowedTokenIssuers)
Description
Only tokens issued by these issuers can be exchanged at the endpoint. If left empty, all issuers are allowed.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: OAuth2ActorTokenUnsignedClaimsExtractor
id: OAuth2ActorTokenUnsignedClaimsExtractor-xxxxxx
displayName: 
comment: 
properties:
  allowedTokenIssuers:

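The two token exchange plugins above, "Actor Token Unsigned Claims Extractor" and "Actor Claim from Actor Token", as an added Python example that is not Airlock IAM code: the first function extracts and validates the actor token's claims exactly as the extractor description states (iss and sub required, exp and nbf checked when present, signature and therefore alg ignored, optional issuer allow-list), the second builds the nested act claim from the subject token's data. The issuer URL, subject names and the helper that produces the unsigned test token are constructed for the example.

```python
# Added example, not Airlock IAM code: the two plugins above as plain functions.
# extract_actor_claims() mirrors "Actor Token Unsigned Claims Extractor",
# actor_claim_from_actor_token() mirrors "Actor Claim from Actor Token".
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def extract_actor_claims(actor_token: str, allowed_issuers=(), now=None) -> dict:
    """Return the claim set of the actor token without verifying its signature.

    As the page states for this extractor: iss and sub are required, exp and
    nbf are validated when present, and alg=none tokens are accepted because
    the signature is never looked at. Empty allow-list means any issuer.
    A rejected token raises ValueError.
    """
    now = int(time.time()) if now is None else now
    parts = actor_token.split(".")
    if len(parts) != 3:
        raise ValueError("actor token is not a compact JWT (header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    # parts[0] (header, incl. alg) and parts[2] (signature) are ignored on purpose:
    # that is exactly why the page warns about alg=none. Verify signatures elsewhere.
    for required in ("iss", "sub"):
        if required not in claims:
            raise ValueError(f"actor token lacks required claim '{required}'")
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("actor token has expired (exp)")
    if "nbf" in claims and now < int(claims["nbf"]):
        raise ValueError("actor token is not yet valid (nbf)")
    if allowed_issuers and claims["iss"] not in allowed_issuers:
        raise ValueError(f"issuer {claims['iss']!r} is not allowed")
    return claims


def actor_claim_from_actor_token(subject_claims: dict, actor_claims: dict) -> dict:
    """Build the act claim: iss/sub of the current actor, with the subject
    token's existing act claim (if any) nested inside as delegation history."""
    act = {"iss": actor_claims["iss"], "sub": actor_claims["sub"]}
    if "act" in subject_claims:
        act["act"] = subject_claims["act"]
    return act


def delegation_chain(act: dict) -> list:
    """Flatten nested act claims: current actor first, least recent actor last."""
    chain = []
    while act is not None:
        chain.append((act["iss"], act["sub"]))
        act = act.get("act")
    return chain


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test input: a JWT with alg=none and an empty signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    now = 1_700_000_000
    subject = {"iss": "https://as.example.test", "sub": "alice",
               "act": {"iss": "https://as.example.test", "sub": "api-gateway"}}
    actor = make_unsigned_jwt({"iss": "https://as.example.test", "sub": "orders-svc",
                               "nbf": now - 5, "exp": now + 300})
    claims = extract_actor_claims(actor, ["https://as.example.test"], now=now)
    print(json.dumps(actor_claim_from_actor_token(subject, claims), indent=2))
```

Because the extractor never reads the header, an alg=none token and a validly signed one are indistinguishable to it; the "Allowed Token Issuers" list and a signature check earlier in the pipeline are what keep this configuration safe.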
Add Authentee Attribute

Description
Adds an attribute to the RADIUS response packet. The value of the attribute is extracted from a configurable context data field of the authenticated user.
Type name
AddAuthenteeAttribute
Class
com.airlock.iam.servicecontainer.app.application.configuration.radius.AddAuthenteeAttributeConfig
May be used by
Properties
Radius Attribute (radiusAttribute)
Description
The attribute to add to the RADIUS response.

The suffix of the attribute name gives a hint on the data type that this attribute expects in the context data field:

  • NV: a named value, i.e. one of a known set of well-known string keys as defined in the latest FreeRADIUS dictionary.
  • STRING: a UTF-8 encoded string.
  • INT: a number that can be represented in 4 bytes.
  • BYTES: either a byte array or a Base64 encoded string.
  • IPV4: either an IPv4 address object, a host name or a raw 4-byte internet address.
  • IPV6: either an IPv6 address object, a host name or a raw 16-byte internet address.
  • DATE: either a Date object or a number representing seconds since 1.1.1970.

Attributes
Enum
Mandatory
Context Data Field (contextDataField)
Description
The context data field to get the value from. If the context data does not contain this field, the RADIUS attribute will not be added.
Attributes
String
Mandatory
Is Sensitive (isSensitive)
Description
If true, only the attribute name (and not its value) will be logged. If false, the attribute value will be logged.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: AddAuthenteeAttribute
id: AddAuthenteeAttribute-xxxxxx
displayName: 
comment: 
properties:
  contextDataField:
  isSensitive: true
  radiusAttribute:

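An added Python example (not Airlock IAM code) of the type-suffix rules listed under "Radius Attribute", together with the missing-field and "Is Sensitive" behaviour: each context data value is converted to the wire form its suffix announces, or rejected with an error when it does not fit. Attribute names like "Framed-IP-Address-IPV4" and the small named-value table are assumptions made for the example; the real named values come from the FreeRADIUS dictionary, which is not loaded here.

```python
# Added example, not Airlock IAM code: encode a context data value for a RADIUS
# attribute, choosing the conversion from the attribute name's type suffix as
# listed above. Attribute names such as "Framed-IP-Address-IPV4" are assumed.
import base64
import datetime
import ipaddress
import socket
import struct

# Constructed named-value table; the real one is the FreeRADIUS dictionary,
# which this example does not load.
NAMED_VALUES = {
    "Service-Type-NV": {"Login-User": 1, "Framed-User": 2, "Administrative-User": 6},
}


def _uint32(n: int) -> bytes:
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"{n} does not fit into 4 bytes")
    return struct.pack("!I", n)


def encode_radius_value(attribute: str, value) -> bytes:
    """Return the attribute's wire value; raise ValueError if the context data
    value does not fit the type the suffix announces."""
    suffix = attribute.rsplit("-", 1)[-1]
    if suffix == "NV":
        try:
            return _uint32(NAMED_VALUES[attribute][value])
        except KeyError:
            raise ValueError(f"{value!r} is not a known named value of {attribute}") from None
    if suffix == "STRING":
        return str(value).encode("utf-8")
    if suffix == "INT":
        return _uint32(int(value))
    if suffix == "BYTES":
        if isinstance(value, (bytes, bytearray)):
            return bytes(value)
        return base64.b64decode(value, validate=True)
    if suffix in ("IPV4", "IPV6"):
        size, cls, family = ((4, ipaddress.IPv4Address, socket.AF_INET) if suffix == "IPV4"
                             else (16, ipaddress.IPv6Address, socket.AF_INET6))
        if isinstance(value, (bytes, bytearray)) and len(value) == size:
            return bytes(value)           # raw internet address
        if isinstance(value, cls):
            return value.packed           # address object
        try:
            return cls(value).packed      # textual address
        except ValueError:
            # host name: resolve it (needs DNS, so not exercised offline)
            info = socket.getaddrinfo(str(value), None, family)[0]
            return cls(info[4][0]).packed
    if suffix == "DATE":
        if isinstance(value, datetime.datetime):
            return _uint32(int(value.timestamp()))
        return _uint32(int(value))       # seconds since 1.1.1970
    raise ValueError(f"unknown type suffix in {attribute}")


def log_line(attribute: str, value, is_sensitive: bool = True) -> str:
    """The Is Sensitive flag decides whether the value reaches the log."""
    return f"added {attribute}" if is_sensitive else f"added {attribute}={value!r}"


def build_response_attributes(mappings, context_data, is_sensitive=True):
    """mappings: list of (radius_attribute, context_data_field). A field that is
    missing from the context data is skipped, as the page states."""
    attributes, log = [], []
    for attribute, field in mappings:
        if field not in context_data:
            continue
        value = context_data[field]
        attributes.append((attribute, encode_radius_value(attribute, value)))
        log.append(log_line(attribute, value, is_sensitive))
    return attributes, log
```

Keeping "Is Sensitive" at its default of true matters most for attributes carrying secrets or personal data (Class, Reply-Message, addresses); the log then records only that the attribute was added.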
Add Roles

Description
Add static roles to the list of propagated roles.
Type name
AddRoleTransformation
Class
com.airlock.iam.common.application.configuration.role.AddRoleTransformationConfig
May be used by
Properties
Add static roles (staticRoles)
Description
A list of static roles. If the list of propagated roles already contains the same role, the role won't be added again.
Attributes
String-List
Mandatory
YAML Template (with default values)

type: AddRoleTransformation
id: AddRoleTransformation-xxxxxx
displayName: 
comment: 
properties:
  staticRoles:

Add Scope From Request Parameter

Description

Adds the scopes from the token exchange "scope" request parameter.

If the token exchange "scope" request parameter is not provided or empty, no scopes will be added.

Type name
OAuth2TokenExchangeRequestParameterScopeProcessor
Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.scope.OAuth2TokenExchangeRequestParameterScopeProcessorConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
Add only scopes matching (patterns)
Description
An optional list of regular expressions. If the list is configured, only scope values matching any of the regular expressions will be added. Scope values that do not match any of the configured regular expressions will be ignored. If the list is not configured, all the scope values will be added.
Attributes
RegEx-List
Optional
YAML Template (with default values)

type: OAuth2TokenExchangeRequestParameterScopeProcessor
id: OAuth2TokenExchangeRequestParameterScopeProcessor-xxxxxx
displayName: 
comment: 
properties:
  patterns:

Add Scope From Subject Token

Description

Adds the scopes from the subject token's "scope" data.

If the subject token's "scope" data is string-valued, it is parsed as an OAuth 2.0 access token scope as defined in RFC6749. If the subject token's "scope" data is string-valued but its format does not conform with the specification, it will be ignored.

If the subject token's "scope" data is a string array, each value is parsed as a single OAuth 2.0 scope value as defined in RFC6749. If the subject token's "scope" data is an array but any of its values is not a string or does not conform with the specification, the whole array will be ignored.

If the subject token's "scope" data is not present, is neither a string nor a string array, or is an empty array, it will be ignored.

Type name
OAuth2TokenExchangeSubjectTokenScopeProcessor
Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.scope.OAuth2TokenExchangeSubjectTokenScopeProcessorConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
Add only scopes matching (patterns)
Description
An optional list of regular expressions. If the list is configured, only scope values matching any of the regular expressions will be added. Scope values that do not match any of the configured regular expressions will be ignored. If the list is not configured, all the scope values will be added.
Attributes
RegEx-List
Optional
YAML Template (with default values)

type: OAuth2TokenExchangeSubjectTokenScopeProcessor
id: OAuth2TokenExchangeSubjectTokenScopeProcessor-xxxxxx
displayName: 
comment: 
properties:
  patterns:

Add Static Scope

Description
Adds the scope values from the configured list.
Type name
OAuth2TokenExchangeStaticScopeProcessor
Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.scope.OAuth2TokenExchangeStaticScopeProcessorConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
Values (values)
Description

The values that will be added to the scope.

Scope tokens must consist of the following characters: %x21 / %x23-5B / %x5D-7E (see RFC6749).

Attributes
String-List
Mandatory
YAML Template (with default values)

type: OAuth2TokenExchangeStaticScopeProcessor
id: OAuth2TokenExchangeStaticScopeProcessor-xxxxxx
displayName: 
comment: 
properties:
  values:

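The scope rules of the three token exchange scope processors above ("Add Scope From Request Parameter", "Add Scope From Subject Token" and "Add Static Scope"), as an added Python example that is not Airlock IAM code. It implements the RFC 6749 scope-token character set quoted under "Values", the string/array/ignore cases described for the subject token, and the "Add only scopes matching" pattern filter. Two details are assumptions, since the page does not state them: a malformed request parameter adds nothing (like an empty one), and a pattern must match the whole scope value.

```python
# Added example, not Airlock IAM code: the scope rules of the three token
# exchange scope processors above (request parameter, subject token, static
# values), including the RFC 6749 scope-token syntax and the pattern filter.
import re

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ),
# scope = scope-token *( SP scope-token ). Double quote and backslash are excluded.
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def is_scope_token(value) -> bool:
    return isinstance(value, str) and SCOPE_TOKEN.fullmatch(value) is not None


def parse_scope_string(scope: str):
    """Split an RFC 6749 scope string; None if any token (or the separator) is invalid."""
    tokens = scope.split(" ")
    if not all(is_scope_token(t) for t in tokens):
        return None
    return tokens


def scopes_from_request_parameter(params: dict) -> list:
    """Add Scope From Request Parameter: absent or empty parameter adds nothing.
    A malformed parameter is treated the same way (assumption)."""
    scope = params.get("scope")
    if not scope:
        return []
    return parse_scope_string(scope) or []


def scopes_from_subject_token(scope_data) -> list:
    """Add Scope From Subject Token: string, string array, or ignored."""
    if isinstance(scope_data, str):
        return parse_scope_string(scope_data) or []   # malformed string: ignored
    if isinstance(scope_data, list):
        if not scope_data or not all(is_scope_token(v) for v in scope_data):
            return []   # empty array, non-string element or bad token: whole array ignored
        return list(scope_data)
    return []           # missing or some other type: ignored


def static_scopes(values) -> list:
    """Add Static Scope: configured values must already be valid scope tokens."""
    bad = [v for v in values if not is_scope_token(v)]
    if bad:
        raise ValueError(f"not valid scope tokens: {bad}")
    return list(values)


def filter_by_patterns(scopes, patterns) -> list:
    """Keep only scopes matching one of the regular expressions (whole-value
    match assumed). No patterns configured: keep everything."""
    if not patterns:
        return list(scopes)
    compiled = [re.compile(p) for p in patterns]
    return [s for s in scopes if any(r.fullmatch(s) for r in compiled)]


def merge_scopes(*scope_lists) -> list:
    """Union in order of first appearance, duplicates dropped."""
    seen, merged = set(), []
    for scopes in scope_lists:
        for s in scopes:
            if s not in seen:
                seen.add(s)
                merged.append(s)
    return merged
```

The whole-array-ignored rule is the one to remember when debugging: a single non-conforming element (a number, a value containing a quote or backslash) silently drops every scope the subject token carried, so the exchanged token ends up with only the static and request-parameter scopes.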
Additional Context Data

Description

Specifies how to determine a read-only context data value using an SQL query.

The query may use ${xxx} variables to refer to database columns in the main object (e.g. user) the context data is added to.
Example (reading a user): SELECT separateColum FROM OTHER_TABLE WHERE username = ${username}

From the result of the query, the first selected column is interpreted as string and used as context data value.

Type name
AdditionalContextData
Class
com.airlock.iam.core.misc.impl.persistency.db.AdditionalContextData
May be used by
Properties
Name (name)
Description
The name of the context data field.
Attributes
String
Mandatory
Example
customField1
Query (query)
Description
The SQL query used to retrieve the value for the context data field. See plugin description for details.
Attributes
String
Mandatory
Example
SELECT separateColum FROM OTHER_TABLE WHERE username = ${username}
YAML Template (with default values)

type: AdditionalContextData
id: AdditionalContextData-xxxxxx
displayName: 
comment: 
properties:
  name:
  query:

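An added Python example (not Airlock IAM code) of resolving a context data value with a ${xxx} query as described above, using the page's own query as input. The page does not say how Airlock IAM substitutes the variables; here every ${xxx} reference becomes a bound SQL parameter, so a column value such as O'Brien or a hostile username can only ever be data, never part of the statement. The OTHER_TABLE rows and the in-memory SQLite database are constructed for the example, and returning None when the query yields no row is an assumption.

```python
# Added example, not Airlock IAM code: resolve a read-only context data value
# with a ${xxx} query as described above. How Airlock IAM substitutes the
# variables is not stated on the page; here every ${xxx} becomes a bound
# parameter, so a column value cannot change the query's structure.
import re
import sqlite3

VARIABLE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def bind_query(query: str, main_object: dict):
    """Rewrite ${xxx} to '?' placeholders; return (sql, params) in placeholder order.
    Referencing a column the main object does not have is a configuration error."""
    params = []

    def to_placeholder(match):
        name = match.group(1)
        if name not in main_object:
            raise KeyError(f"query refers to unknown column ${{{name}}}")
        params.append(main_object[name])
        return "?"

    return VARIABLE.sub(to_placeholder, query), params


def additional_context_data(conn, name: str, query: str, main_object: dict):
    """Return (name, value): first selected column of the first row as a string,
    or None when the query yields no row (assumed; the page does not say)."""
    sql, params = bind_query(query, main_object)
    row = conn.execute(sql, params).fetchone()
    if row is None or row[0] is None:
        return name, None
    return name, str(row[0])


def demo_connection() -> sqlite3.Connection:
    """Constructed OTHER_TABLE with the column name from the page's example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OTHER_TABLE (username TEXT, separateColum TEXT, level INTEGER)")
    conn.executemany("INSERT INTO OTHER_TABLE VALUES (?, ?, ?)",
                     [("alice", "Zürich", 3), ("o'brien", "Bern", 1)])
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(additional_context_data(
        conn, "customField1",
        "SELECT separateColum FROM OTHER_TABLE WHERE username = ${username}",
        {"username": "alice"}))
```

Note that the query text itself is configuration, written by an administrator, so it is trusted; only the ${xxx} values come from user records and those are the ones that must be bound rather than pasted in.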
Additional Password Check Attribute Map

Description
Provides additional attributes that were sent with the password check request.

Note: The actual additional attributes must be configured in the corresponding authentication flow.

Type name
AdditionalPasswordCheckAttributesValueMapProvider
Class
com.airlock.iam.authentication.application.configuration.password.AdditionalPasswordCheckAttributesValueMapProviderConfig
May be used by
User Identification By Data Step, OAuth 2.0 Consent Grant Initiation Step, FIDO Registration Step, Set Context Data Step, Legacy ID Propagation Adapter, mTAN Message Provider, Airlock 2FA Activation Trusted Session Binding Step, Selection Step for Self-Service, Cronto Device Reset Step, Airlock 2FA Authentication Step, OAuth 2.0 Client Persisting Step, Send Email Link Step, Phone Number Verification Step, Set Authentication Method Step, Email OTP Authentication Step, FIDO Transaction Approval Step, HTTP Basic Authentication Step, Delete OAuth 2.0 Session Initiation Step, Secret Questions Identity Verification Step, SSI Passwordless Authentication Step, Translated String Provider, User Data Registration Step, Failure Step, Select mTAN Token Step, SAML 2.0 SP User Identifying Step, Account Link Removal Initiation Step, No Operation Step, Cronto Transaction Approval Step, OAuth 2.0 Client Registration Step, Password Change Self-Service Step, Airlock 2FA Device Deletion Initiation Step, Apply Changes Step, Airlock 2FA Activation Step (with additional Activation), Enable Cronto Push Initiation Step, Start User Representation Step, Representation SSO Ticket Identifying Step, User Role Assignment Step, Email Verification Step, OATH OTP Activation Step, Airlock 2FA Mobile Only Authentication Step, Transforming Value Map Provider, Date From Map Value Provider, Airlock 2FA Public Self-Service Approval Step, FIDO Credential Selection Step, Matrix Self-Service Approval Step, User Data Edit Step, Set Password Step, Cronto Letter Order Step, Username Password Authentication Step, Template-based String Provider, Selection Step, Cronto Activation Step, User Identification By Data Step (Public Self-Service), Vasco OTP Authentication Step, User Lock Step, Certificate Credential Extraction Step, Stop User Representation Step, OAuth 2.0 Consents Delete Initiation Step, mTAN Token Edit Step, CrontoSign Swiss Push Activation Step, Airlock 2FA Transaction Approval Step, Missing Account Link Step, Integer From Map Value Provider, User Identification Step, Email Event Subscriber (Loginapp), Rename Cronto Device Step, User Identification with FIDO Authentication Step, Airlock 2FA Recovery Trusted Session Binding Step, User Persisting Step, Email Message Provider, Secret Questions Provisioning Step, Kerberos Authentication Step, Complete Migration Step, Never Migrate Step, Migration Selection Step, Account Link Linking Initiation Step, Username Generation Step, Email Notification Step, Airlock 2FA Activation Letter Order Step, SMS Identity Verification Step, Matrix Public Self-Service Approval Step, Airlock 2FA Device Edit Initiation Step, Enable Cronto Device Initiation Step, Matrix Checking Step, Red Flag Raising Step, Airlock 2FA Message Provider, Scriptable Step, Login From New Device Step, Cronto Message Provider, Password Letter Order Step, Device Token Authentication Step, Unlock User Step (Public Self-Service), Scriptable Validator, Set Authentication Method Migration Step, SSI Issuance Step, FIDO Passwordless Authentication Step, Remember-Me User Identifying Step, Template-based Username Transformer, Password Reset Step, FIDO Authentication Step, On Behalf Login Identity Propagation, Terms Of Services Step, Email Change Verification Step, Vasco OTP Self-Service Approval Step, Airlock 2FA Delete Devices Step, Password-only Authentication Step, SSI Self-Registration Issuance Step, Username Password with FIDO Authentication Step, User Identification Step (Public Self-Service), SSI Verification Step, mTAN Self-Service Approval Step, Legacy Email OTP Authentication Step, Cronto Device Selection Step, Abort Step, mTAN Token Registration Step, Email OTP Transaction Approval Step, SMS Event Subscriber (Loginapp), Disable FIDO Credential Initiation Step, Enable FIDO Credential Initiation Step, OAuth 2.0 SSO Step, String From Map Value Provider, Remember-Me Reset Step, Cronto Authentication Step, Delete Remember-Me Device Initiation Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, Airlock 2FA Usernameless Authentication Step, Email Identity Verification Step, OATH OTP Authentication Step, Vasco OTP Public Self-Service Approval Step, OTP Check via RADIUS Step, Disable Cronto Push Initiation Step, Cronto Public Self-Service Approval Step, OAuth 2.0 Session Reset Step, OAuth 2.0 Consent Deny Initiation Step, mTAN Verification Step, Date And Time From Map Value Provider, Boolean From Map Value Provider, Delete mTAN Number Initiation Step, mTAN Public Self-Service Approval Step, OAuth 2.0 Consent Step, Transaction Approval Parameter Step, Role-based Tag Acquisition Step, Flow Continuation Step, Remember-Me Token Generating Step, Device Token Registration Step, Remote Event Subscriber (Loginapp), Cronto Self-Service Approval Step, SSI Authentication Step, Acknowledge Message Step, Cronto Approval Stealth Step, Ticket String Provider, Airlock 2FA Device Edit Step, Airlock 2FA Self-Service Approval Step, Flow Continuation Token Consumption Step, Device Token Identity Verification Step, mTAN Transaction Approval Step, Risk Assessment Step, mTAN Authentication Step, SSO Ticket Authentication Step, Tag Removal Step, Voluntary Password Change Step, Airlock 2FA Activation Step, FIDO Credential Display Name Change Step, Mandatory Password Change Step, User Unlock Step (Self-Registration), Selection Step for Public Self-Service, Delete FIDO Credential Initiation Step, Delete Cronto Device Initiation Step, Conditional Value Map Provider, FIDO Public Self-Service Approval Step, Public Self-Service OATH OTP Approval Step, Disable Cronto Device Initiation Step, FIDO Self-Service Approval Step
Properties
YAML Template (with default values)

type: AdditionalPasswordCheckAttributesValueMapProvider
id: AdditionalPasswordCheckAttributesValueMapProvider-xxxxxx
displayName: 
comment: 
properties:

Admin Role Specific Setting

Description
Used to overwrite certain behaviour for administrators with specified roles.
Type name
AdminRoleSpecificSetting
Class
com.airlock.iam.admin.application.configuration.users.AdminRoleSpecificSetting
May be used by
Properties
Required Admin Roles (requiredRoles)
Description
The roles to match against the administrator's roles for selecting the settings defined in this plugin. If multiple required roles are configured, the configured "Role Specific Settings Selection" determines whether or not the roles match.
Attributes
String-List
Mandatory
User Data Source (userDataSource)
Description

The User Data Source to be used for administrators with matching "Required Admin Roles" configured above.

If not configured, the User Data Source from the Users Configuration is used.

Attributes
Plugin-Link
Optional
Assignable plugins
Available User Roles (availableUserRoles)
Description

Set of roles assignable to users for administrators with matching "Required Admin Roles" configured above.

Translations for the roles displayed in the Adminapp user management UI can be defined using the Adminapp translation keys roles.user.labels.[rolename].

If no roles are configured, the default user roles are used.

Attributes
String-List
Optional
YAML Template (with default values)

type: AdminRoleSpecificSetting
id: AdminRoleSpecificSetting-xxxxxx
displayName: 
comment: 
properties:
  availableUserRoles:
  requiredRoles:
  userDataSource:

Admin SSO Ticket Request Authentication

Description
Extracts an SSO ticket from a request to authenticate the current session.
Type name
AdminSsoTicketRequestAuthentication
Class
com.airlock.iam.admin.application.configuration.credential.AdminSsoTicketRequestAuthenticationConfig
May be used by
Properties
Query Parameter Name (queryParameterName)
Description
The name of the query parameter bearing the SSO ticket to be extracted.
Attributes
String
Mandatory
Example
sso
Ticket Decoder (ticketDecoder)
Description

The ticket decoder plugin used to decode the SSO ticket.

Security note: If tickets are transported via the web browser (in the URL), they need to be protected. Make sure to use an appropriate ticket decoder securing the ticket (e.g. digitally signed and/or encrypted)!

Attributes
Plugin-Link
Mandatory
Assignable plugins
Accepted SSO Tickets Repository (acceptedSsoTicketRepository)
Description

Configures the repository used to store accepted SSO tickets and reject previously accepted ones.

The in-memory repository cannot be used if multiple instances of IAM are deployed in parallel (failover, horizontal scaling). Furthermore, the in-memory repository does not preserve previously accepted SSO tickets across IAM restarts.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Context Data Extractors (contextDataExtractors)
Description
List of ticket context data extractors that extract custom data from the ticket.
Attributes
Plugin-List
Optional
Assignable plugins
Username Key (usernameKey)
Description
The ticket key containing the username.
Attributes
String
Optional
Default value
username
Provided Username Key (providedUsernameKey)
Description

The ticket key containing the provided username, which is used for logging and possibly displayed.

This is not combinable with Username Transformation. If the ticket does not contain a provided username, the value from "Username Key" is used.

Attributes
String
Optional
Roles Key (rolesKey)
Description
The ticket key containing the user's roles. If not configured, no roles are extracted from the ticket.
Attributes
String
Optional
Example
roles
User Store (userStore)
Description
If configured, the user is loaded from local persistence and checked for validity. Authentication fails if the user is not found or is invalid. If no user store is configured, no persistency look-up takes place and the authentication is performed on data contained within the credential only.
Attributes
Plugin-Link
Optional
Assignable plugins
Username Transformation (usernameTransformers)
Description
Transforms the provided username from the credential to a technical user ID.
Attributes
Plugin-List
Optional
Assignable plugins
Static Roles (staticRoles)
Description
Static list of roles granted to the authenticated user.
Attributes
String-List
Optional
Roles Blocklist (rolesBlocklist)
Description
List of role names that won't be granted to the authenticated user. The block list is also applied to persistent roles (if available).
Attributes
String-List
Optional
YAML Template (with default values)

type: AdminSsoTicketRequestAuthentication
id: AdminSsoTicketRequestAuthentication-xxxxxx
displayName: 
comment: 
properties:
  acceptedSsoTicketRepository:
  contextDataExtractors:
  providedUsernameKey:
  queryParameterName:
  rolesBlocklist:
  rolesKey:
  staticRoles:
  ticketDecoder:
  userStore:
  usernameKey: username
  usernameTransformers:

Adminapp

Description
Configures the Adminapp module used to administrate users, credentials, and messages.
Type name
Adminapp
Class
com.airlock.iam.admin.application.configuration.Adminapp
Properties
Start Pages (startPages)
Description
The admin application page to be displayed after login. If more than one start page is configured, the system displays the first page for which the current user is authorized. If none is found, the system displays an empty page.
Attributes
String-List
Optional
Default value
[viewLog, listUsers, manageTokens]
Users (users)
Description
Defines settings related to users. This includes
  • Authentication of users
  • Management of user credentials and tokens
  • Management of users
If not provided, the users management is disabled.
Attributes
Plugin-Link
Optional
Assignable plugins
Access Control (accessControl)
Description
Defines access control in the Adminapp and to the Adminapp REST API.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Maintenance Messages (maintenanceMessages)
Description
Configures the maintenance message facility of the Adminapp.
Attributes
Plugin-Link
Optional
Assignable plugins
Administrators (administrators)
Description
Defines settings related to administrators. This includes
  • Authentication of administrators
  • Authorization of administrators
  • Management of administrators (optional)
Attributes
Plugin-Link
Mandatory
Assignable plugins
Tokens (tokens)
Description
Defines settings related to tokens. This includes
  • Management of tokens
Attributes
Plugin-Link
Optional
Assignable plugins
Technical Clients (technicalClients)
Description
Defines settings related to technical clients.
Attributes
Plugin-Link
Optional
License-Tags
TechClients
Assignable plugins
REST API Configuration (rest)
Description
Enables REST services for the Adminapp.
Attributes
Plugin-Link
Optional
Assignable plugins
Gateway Settings (gatewaySettings)
Description
Settings regarding an Airlock Gateway or Airlock Microgateway reverse proxy placed in front of Airlock IAM.

If no settings are configured, extra information from the reverse proxy will not be available and it may be harder to correlate log messages that are written to different log files.

Attributes
Plugin-Link
Optional
Assignable plugins
Event Settings (eventSettings)
Description
Configures handling of events in the Adminapp.
Attributes
Plugin-Link
Optional
Assignable plugins
Service Container Shared Secret (serviceContainerSharedSecret)
Description
The service container secret is used to access the service container from the Adminapp. The shared secret will be used to encrypt the SSO ticket, sent from the Adminapp to the service container in order to authenticate the admin. The shared secret must be identical to the property Service Container Shared Secret within Service Container (Advanced Settings). When not configured, no Service Container link will be displayed in Adminapp.
Attributes
String
Optional
Sensitive
Log Viewer (logViewer)
Description
Configuration of the Log Viewer.
Attributes
Plugin-Link
Optional
Assignable plugins
Realm Administration (realmAdministration)
Description

Enables realm administration. This feature limits the rights of administrators to a single realm. All users that a realm administrator creates are assigned to that administrator's realm, and a realm administrator can only administer users of their own realm.

The assignment of a realm to an administrator requires super administrator authorization.
Attributes
Plugin-Link
Optional
License-Tags
RealmAdministration
Assignable plugins
Session Idle Timeout (sessionIdleTimeout)
Description
Session idle timeout for the Adminapp (including Config Editor). When IAM is deployed behind an Airlock Gateway (WAF), timeout and lifetime values should always be longer than those maintained by the Gateway.
Attributes
String
Optional
Default value
30m
Example
30m
Example
2h 15m
Session Lifetime (sessionLifetime)
Description
Session lifetime for the Adminapp (but not for the Config Editor). Unlike an idle timeout, the lifetime cannot be extended by activity; the session is always terminated once the lifetime has been reached. When IAM is deployed behind an Airlock Gateway (WAF), timeout and lifetime values should always be longer than those maintained by the Gateway.
Attributes
String
Optional
Default value
8h
Example
4h 30m
Example
8h
Session Cookie SameSite Policy (sameSitePolicy)
Description

Specifies the 'SameSite' cookie attribute of the IAM session cookie 'iam-session-id'. The 'Secure' attribute is automatically set based on whether the request was performed using http or https (see exception for 'None' below).

  • Strict: The cookie is not sent in cross-origin requests.
  • Lax: The cookie is sent in some cross-origin requests, such as GET requests.
  • None: The cookie is sent in cross-origin requests. In this case, the 'Secure' Cookie-Attribute is always set, regardless of whether the request was performed using http or https. Use this setting when using SAML2 in combination with cross-domain POST Bindings.
  • No SameSite Attribute: No attribute is set. Browsers apply their default behaviour, usually 'Lax'.
Attributes
Enum
Optional
Default value
LAX
Language Settings (languageSettings)
Description
Configures language settings.
If not set, the default language is German and the allowed languages are German, English and French.
Attributes
Plugin-Link
Optional
Assignable plugins
State Repository (stateRepository)
Description
Defines where IAM stores all state. As long as only one instance of IAM is running (no horizontal scaling), the in-memory repository can be used.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Custom Login URL (customLoginUrl)
Description

The page displayed instead of the default login page. This can be used if authentication is done by an external service.

This value must not be URL encoded. Only URLs starting with "https://" or "http://" are treated as absolute URLs, otherwise the redirect is relative. Furthermore, if the URL starts with "app/" or "/app/" the redirect is performed within the Adminapp UI (context path not needed).

This property can be overridden by the loginUrl URL parameter (see Allowed Login URL Pattern).

Attributes
String
Optional
Example
https://another.server.com/login
Example
app/login
Example
/mycustomresource/login
After Logout URL (afterLogoutUrl)
Description

The forward page displayed after the logout if no location parameter is set.

This value must not be URL encoded. Only URLs starting with "https://" or "http://" are treated as absolute URLs, otherwise the redirect is relative. Furthermore, if the URL starts with "app/" or "/app/" the redirect is performed within the Adminapp UI (context path not needed).

This property can be overridden by the afterLogout URL parameter (see Allowed After Logout URL Pattern).

Attributes
String
Optional
Default value
app/login
Example
https://another.server.com/logout-disclaimer
Example
app/login
Example
/mycustomresource/logout-disclaimer
Allowed Login URL Pattern (allowedLoginUrlPattern)
Description

A regular expression describing the Login URLs that are allowed to be sent to IAM in the loginUrl URL parameter.

A matching URL will be used to redirect users who have not yet authenticated or whose session has expired. If no pattern is configured, no URL will match. Matching URLs will have precedence over the URL configured in Custom Login URL.

Attributes
RegEx
Optional
Allowed After Logout URL Pattern (allowedAfterLogoutUrlPattern)
Description

A regular expression describing the Logout URLs that are allowed to be sent to IAM in the afterLogoutUrl URL parameter.

A matching URL will be used to redirect the user after a successful logout in IAM. If no pattern is configured, no URL will match. Matching URLs will have precedence over the URL configured in After Logout URL.

Attributes
RegEx
Optional
Skin Color (skin)
Description
The skin of the Adminapp. This configuration may be overridden by the skin URL parameter, if the property "Allow Skin URL Parameter" is enabled.
Attributes
String
Optional
Default value
blue
Allowed values
blue, green, red, orange, violet, purple, grey, black
Allow Skin URL Parameter (skinFromParamAllowed)
Description
Enables overriding the Adminapp skin with the skin URL parameter.
Attributes
Boolean
Optional
Default value
false
Custom Instance Tag (instanceTag)
Description
Labels the instance with a custom tag that is displayed in the Adminapp. This can be used in combination with the 'Skin Color' property to visually identify an instance.
Attributes
String
Optional
Content Security Policy (CSP) (contentSecurityPolicy)
Description
Content Security Policy (CSP) for the Adminapp.

Neither the Config Editor nor the Service Container are covered by this CSP.

Attributes
Plugin-Link
Optional
Assignable plugins
License and Usage Analytics (licenseAnalytics)
Description

Airlock IAM always collects and transmits license analytics data, as per our terms and conditions.

In this property, you may enable additional usage data collection to help improve Airlock IAM.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Log User Trail To Database (logUserTrailToDatabase)
Description

Configures the database settings to use when persisting user trail log entries.

If this value is defined, then all user trail log messages generated by the Adminapp module will additionally be forwarded to the database configured within the referenced repository plugin.

All forwarded log entries are stored inside the table "USER_TRAIL_LOG". Note that setting this value does not disable writing log messages to the Adminapp log file.

Attributes
Plugin-Link
Optional
Assignable plugins
Correlation ID Settings (correlationIdSettings)
Description

Defines settings for correlation ID transfer and logging inside the Adminapp module.

If undefined, no correlation ID will be logged for this module.

Attributes
Plugin-Link
Optional
Assignable plugins
Custom Extensions (customExtensions)
Description
Custom extensions for the Adminapp.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: Adminapp
id: Adminapp-xxxxxx
displayName: 
comment: 
properties:
  accessControl:
  administrators:
  afterLogoutUrl: app/login
  allowedAfterLogoutUrlPattern:
  allowedLoginUrlPattern:
  contentSecurityPolicy:
  correlationIdSettings:
  customExtensions:
  customLoginUrl:
  eventSettings:
  gatewaySettings:
  instanceTag:
  languageSettings:
  licenseAnalytics:
  logUserTrailToDatabase:
  logViewer:
  maintenanceMessages:
  realmAdministration:
  rest:
  sameSitePolicy: LAX
  serviceContainerSharedSecret:
  sessionIdleTimeout: 30m
  sessionLifetime: 8h
  skin: blue
  skinFromParamAllowed: false
  startPages: [viewLog, listUsers, manageTokens]
  stateRepository:
  technicalClients:
  tokens:
  users:

Adminapp Content Security Policy

Description
Enables a Content Security Policy (CSP) for the Adminapp.

Neither the Config Editor nor the Service Container are covered by this CSP.

Type name
AdminappContentSecurityPolicy
Class
com.airlock.iam.admin.application.configuration.csp.AdminappContentSecurityPolicyConfig
May be used by
Properties
Content Security Policy (contentSecurityPolicy)
Description
This property can be used to define a custom policy.

The default policy requires a nonce to be inserted into script tags. Script tags that do not include a nonce will be blocked.

The placeholder '${cspNonce}' in the policy will be replaced with a fresh, randomly generated nonce for each request. The same nonce must be present in all policy relevant tags that were generated by a specific request.

Known use cases requiring CSP customization

  • IAM is embedded in an (i)frame: frame-ancestors directive must be relaxed.

Security Warning: The default CSP was designed to offer a good level of security and maintainability. The CSP is validated to work with IAM (see limitations above). Defining a custom CSP may reduce the level of security and may lead to browsers blocking IAM pages. Therefore, the security benefits of a custom policy must be evaluated carefully and IAM must be tested to work with the policy.

Attributes
String
Optional
Default value
default-src 'self'; object-src 'none'; script-src ${cspNonce} 'strict-dynamic' 'self'; img-src 'self' data:; connect-src 'self'; base-uri 'self'; frame-ancestors 'none';
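To make the nonce mechanism concrete, here is an added Python example (not part of the Airlock IAM reference or product code) that renders the default policy above with a fresh per-request nonce and checks which script tags in a response would be blocked by it. It assumes the ${cspNonce} placeholder expands to the full 'nonce-<value>' source expression (the template carries no quotes around the placeholder); the HTML snippet in the test is constructed. Scripts loaded dynamically by a nonced script are allowed by 'strict-dynamic' and are not modelled here, only the markup-level rule that tags without the matching nonce are blocked.

```python
import re
import secrets
from typing import List, Optional

# Default Adminapp policy from the reference, with the ${cspNonce} placeholder.
DEFAULT_POLICY = (
    "default-src 'self'; object-src 'none'; "
    "script-src ${cspNonce} 'strict-dynamic' 'self'; "
    "img-src 'self' data:; connect-src 'self'; base-uri 'self'; "
    "frame-ancestors 'none';"
)

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r"""\bnonce\s*=\s*["']([^"']*)["']""")


def new_nonce() -> str:
    """128 bits from the CSPRNG, base64url encoded; generated once per response."""
    return secrets.token_urlsafe(16)


def render_policy(policy_template: str, nonce: str) -> str:
    """Expand ${cspNonce} to the CSP source expression 'nonce-<value>' (assumption, see lead-in)."""
    return policy_template.replace("${cspNonce}", f"'nonce-{nonce}'")


def policy_nonce(policy: str) -> Optional[str]:
    """Read the nonce back out of a rendered policy, or None if there is no nonce source."""
    m = re.search(r"'nonce-([^']+)'", policy)
    return m.group(1) if m else None


def blocked_scripts(html: str, policy: str) -> List[str]:
    """Return the attribute text of every <script> tag that a nonce-based script-src blocks.

    A tag is blocked when it has no nonce attribute or its nonce differs from the
    one in the policy. Comparison is constant-time to avoid leaking the nonce.
    """
    nonce = policy_nonce(policy)
    blocked = []
    for m in SCRIPT_TAG.finditer(html):
        attrs = m.group(1)
        n = NONCE_ATTR.search(attrs)
        if (
            n is None
            or nonce is None
            or not secrets.compare_digest(n.group(1).encode("utf-8"), nonce.encode("utf-8"))
        ):
            blocked.append(attrs.strip())
    return blocked


if __name__ == "__main__":
    nonce = new_nonce()
    policy = render_policy(DEFAULT_POLICY, nonce)
    # Constructed sample page: one correctly nonced script, one without a nonce.
    page = f'<script nonce="{nonce}" src="/app/main.js"></script><script>console.log(1)</script>'
    print("Content-Security-Policy:", policy)
    print("blocked tags:", blocked_scripts(page, policy))
```

The same nonce must be used for every script tag emitted while serving one request; reusing a nonce across requests would let an attacker who observes one response predict the next, which is why the reference insists on a fresh value per request.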
YAML Template (with default values)

type: AdminappContentSecurityPolicy
id: AdminappContentSecurityPolicy-xxxxxx
displayName: 
comment: 
properties:
  contentSecurityPolicy: default-src 'self'; object-src 'none'; script-src ${cspNonce} 'strict-dynamic' 'self'; img-src 'self' data:; connect-src 'self'; base-uri 'self'; frame-ancestors 'none';

Adminapp Event Settings

Description
Event settings for the Adminapp.
Type name
AdminappEventSettings
Class
com.airlock.iam.admin.application.configuration.event.AdminappEventSettingsConfig
May be used by
Properties
Event Subscribers (eventSubscribers)
Description
List of event subscribers. These subscribers receive events exactly once, but since they are not connected to the outbox, no retries are attempted if a subscriber fails (e.g. because a remote server is not available).
Attributes
Plugin-List
Mandatory
Assignable plugins
Outbox Repository (outboxRepository)
Description
Settings for the event outbox repository. If configured, all events are stored in an outbox database table until they have successfully been forwarded to a message broker.
Attributes
Plugin-Link
Optional
Assignable plugins
Add Context Data (addContextData)
Description

If enabled, the context data of the managed user is added as customData to the event.

The data contains all context data values configured in the User Store for loading the managed users. Note that these values might contain sensitive information such as email addresses or phone numbers.

Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: AdminappEventSettings
id: AdminappEventSettings-xxxxxx
displayName: 
comment: 
properties:
  addContextData: false
  eventSubscribers:
  outboxRepository:

Adminapp Language Settings

Description
Configures the language settings of the Adminapp.
Type name
AdminappLanguageSettings
Class
com.airlock.iam.admin.application.configuration.AdminappLanguageSettings
May be used by
Properties
Valid Languages (validLanguages)
Description
A list of values that are accepted as language parameter values. Corresponding Locales must be available. If the requested language is not in the list, the default language is used. The values in the list are not case-sensitive.
Attributes
String-List
Optional
Default value
[de, fr, en]
Default Language (defaultLanguage)
Description
The default language code used when no (or no valid) information about the current language is present. A corresponding Locale must be available.
Attributes
String
Optional
Default value
de
Suggested values
de, fr, en
Resources File Prefix (resourcesFilePrefix)
Description
Language dependent string resources for server-side translation (e.g. for emails and SMS) are located in property files. This setting configures the prefix of these property files.

Example: If the value of this property is strings, the language dependent files must be "strings_de.properties", "strings_en.properties" and so on and the default file must be "strings.properties".

Attributes
String
Optional
Default value
strings
YAML Template (with default values)

type: AdminappLanguageSettings
id: AdminappLanguageSettings-xxxxxx
displayName: 
comment: 
properties:
  defaultLanguage: de
  resourcesFilePrefix: strings
  validLanguages: [de, fr, en]

Adminapp REST API Configuration

Description
Configures the Adminapp REST interface.
Type name
AdminappRest
Class
com.airlock.iam.admin.application.configuration.AdminappRestConfig
May be used by
Properties
SMS Service Settings (smsServiceConfig)
Description
Enables and configures endpoints for sending SMS and checking the delivery status over the REST API.
Attributes
Plugin-Link
Optional
Assignable plugins
Request Authentication (requestAuthentication)
Description
Determines how a credential is extracted and used to authenticate single requests.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Hash Shared Secret (hashSharedSecret)
Description
The shared secret to be included in the hashed information.

Can be used together with the 'Hash Function' to externalize session information to the client.

Attributes
String
Optional
Sensitive
CORS Settings (corsSettings)
Description
The settings to allow cross-domain REST calls.
Attributes
Plugin-Link
Optional
Assignable plugins
CSRF Protection (csrfProtection)
Description

If enabled, REST endpoints are protected against CSRF attacks.

With this protection, the REST API only accepts requests that contain the custom header X-Same-Domain with an arbitrary non-empty value. In cross-origin resource sharing (CORS), such requests are not considered simple requests and thus must always be preceded by a preflight request, which prevents cross-site request forgery (CSRF) attacks.

Security warning: Disabling this feature may allow CSRF attacks. Only do so if the REST client is unable to comply with the aforementioned restrictions.
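The following Python is an added illustration of the rule described above and is not Airlock IAM code. It models two things: the server-side check that a REST request carries a non-empty X-Same-Domain header, and the browser-side classification of a request as a CORS "simple request" (one sent without a preflight). The point of the combination is that any request which passes the header check is, by construction, never a simple request, so a cross-site page cannot produce it with a plain form post. The header dictionaries are the author-set headers a script would add, not the full set a browser attaches (Host, Cookie, Origin, ...); the sample values are constructed.

```python
from typing import Mapping

# CORS-safelisted request headers: a request whose author headers are limited to
# these (with a safelisted method and Content-Type) is a "simple request" and is
# sent without a preflight, which is exactly what an HTML form on a foreign site
# can produce.
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
SIMPLE_METHODS = {"GET", "HEAD", "POST"}

CSRF_HEADER = "x-same-domain"


def is_simple_request(method: str, headers: Mapping[str, str]) -> bool:
    """True if a browser would send this request without a CORS preflight."""
    if method.upper() not in SIMPLE_METHODS:
        return False
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return False  # a custom header forces a preflight
        if lname == "content-type":
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SIMPLE_CONTENT_TYPES:
                return False
    return True


def csrf_check(method: str, headers: Mapping[str, str], csrf_protection: bool = True) -> bool:
    """Server-side rule: accept only if X-Same-Domain is present with a non-empty value.

    With csrf_protection=False (the reference's "Disabling this feature") every
    request is accepted, including simple requests a foreign site can forge.
    """
    if not csrf_protection:
        return True
    value = next((v for k, v in headers.items() if k.lower() == CSRF_HEADER), "")
    return value.strip() != ""


if __name__ == "__main__":
    legit = {"X-Same-Domain": "1", "Content-Type": "application/json"}
    forged = {"Content-Type": "application/x-www-form-urlencoded"}
    for label, h in (("legit", legit), ("forged form post", forged)):
        print(label, "accepted:", csrf_check("POST", h), "simple:", is_simple_request("POST", h))
```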

Attributes
Boolean
Optional
Default value
true
Username Transformation (usernameTransformers)
Description
Transforms user name aliases in REST resource URLs into real user names.
Attributes
Plugin-List
Optional
Assignable plugins
Link Response Rewriting Enabled (linkResponseRewritingEnabled)
Description
Enables rewriting of links in REST responses. If rewriting is disabled or cannot be done correctly due to missing information, the internal URI is written to the response.

If a 'Base URI' is configured, links are rewritten according to the configured value. Otherwise, links are rewritten according to the external view provided by the WAF (if configured and a WAF environment cookie is present).

Attributes
Boolean
Optional
Default value
true
Base URI (baseUri)
Description
Allows to change the base URI for all links in REST responses.

This property is useful in test environments where you want links contained in REST responses to be relative to the configured base URI. Note that configuring this property will take precedence over link rewriting based on the WAF environment cookie.

Example:

  • Property value: http://myhost:8090/test
  • The response from the REST call to /<adminapp-uri>/rest/maintenance-messages will contain a link to http://myhost:8090/test/rest/maintenance-messages.

Attributes
String
Optional
Example
https://myhost:8090/test
Default Page Size (defaultPageSize)
Description
The number of records returned by a resource if the page size is not explicitly specified in the request by the page[limit] query parameter. Must be greater than 0 and smaller than or equal to the 'Max Page Size'.
Attributes
Integer
Optional
Default value
500
Max Page Size (maxPageSize)
Description
The maximum number of records returned by a pageable resource. Must be greater than or equal to the 'Default Page Size'. This parameter also limits the maximum number of displayed results in some searches of the Adminapp.
Attributes
Integer
Optional
Default value
5000
YAML Template (with default values)

type: AdminappRest
id: AdminappRest-xxxxxx
displayName: 
comment: 
properties:
  baseUri:
  corsSettings:
  csrfProtection: true
  defaultPageSize: 500
  hashFunction:
  hashSharedSecret:
  linkResponseRewritingEnabled: true
  maxPageSize: 5000
  requestAuthentication:
  smsServiceConfig:
  usernameTransformers:

Administrators Configuration

Description
Configuration of administrators, i.e. authentication, authorization and management of administrators.
Type name
AdministratorsConfiguration
Class
com.airlock.iam.admin.application.configuration.administrators.AdministratorsConfiguration
May be used by
Properties
Password Policy (passwordPolicy)
Description
Defines a password policy that must be passed when the administrator chooses a new password.
Attributes
Plugin-Link
Optional
Assignable plugins
SSO Ticket Authentication (ssoTicketAuthentication)
Description

If specified, ticket-based single sign-on (SSO) is enabled for the Adminapp: Externally authenticated administrators may access the Adminapp without additional login, provided they bring a valid SSO ticket. The ticket is passed to the Adminapp as URL parameter.

Attributes
Plugin-Link
Optional
Assignable plugins
Administrators Management (administratorsManagement)
Description
Configures the management of administrators.
Attributes
Plugin-Link
Optional
Assignable plugins
Username Transformation (usernameTransformers)
Description

Username transformation enables authentication with an alias name, by transforming the name entered into the login form to the internal user ID.

The username transformation configured here is only applied to the interactive username/password login.

Transformers can be chained, e.g. a first transformer could normalize the entered name, and the next transformer would then search for a user with a matching context-data field. A transformer can also signal that it already found the final user ID and that no further transformations should be performed.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: AdministratorsConfiguration
id: AdministratorsConfiguration-xxxxxx
displayName: 
comment: 
properties:
  administratorsManagement:
  authenticator:
  passwordPolicy:
  passwordService:
  ssoTicketAuthentication:
  usernameTransformers:

Administrators Management

Description
Configuration of administrators in the Adminapp.
Type name
AdministratorsManagement
Class
com.airlock.iam.admin.application.configuration.administrators.AdministratorsManagement
May be used by
Properties
Enforce Role Combinations (enforceRoleCombinations)
Description
If enabled, role combinations can be defined and the system enforces that exactly one role combination is chosen per administrator. If disabled, roles can be assigned arbitrarily, but role combinations cannot be configured.
Attributes
Boolean
Optional
Default value
true
Assignable Role Combinations (assignableRoleCombinations)
Description

Defines a list of roles (or combination of roles). Only the specified roles (or combination of roles) can be assigned to the administrators.

Role combinations are specified using comma-separated entries (e.g. "useradmin,tokenadmin"). These combinations can only be assigned to or removed from an admin together. At least one role (or combination of roles) must contain the "superadmin" role.

Translations for the roles displayed in the administrators management UI can be defined using the Adminapp translation keys roles.admin.labels.[rolename], where [rolename] is one of the entries. E.g.:

  • roles.admin.labels.useradmin = User Admin
  • roles.admin.labels.useradmin,tokenadmin = Special Admin

Attributes
String-List
Mandatory
Privilege Escalation Protected Admin Roles (PEPAR) (privilegeEscalationProtectedAdminRoles)
Description

Defines a list of protected roles. Operations on an administrator with one of these roles can only be performed by another administrator that also has at least one of these roles assigned.

Each entry contains a single role.
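As an added worked example (not code from Airlock IAM), the Python below encodes the two rules from "Assignable Role Combinations" and "Privilege Escalation Protected Admin Roles" as pure functions so they can be checked against sample assignments: parsing the comma-separated entries, the "at least one combination contains superadmin" configuration check, the one-combination-per-administrator rule when enforcement is enabled, and the PEPAR rule that a protected administrator may only be operated on by an administrator who holds a protected role too. The role names and assignments used in the test are constructed; the reading that enforcement means the assigned roles equal exactly one configured combination is an assumption.

```python
from typing import FrozenSet, Iterable, List, Sequence


def parse_combinations(entries: Sequence[str]) -> List[FrozenSet[str]]:
    """Each config entry is a single role or a comma-separated combination of roles."""
    return [frozenset(r.strip() for r in entry.split(",") if r.strip()) for entry in entries]


def validate_combinations(combos: Sequence[FrozenSet[str]], super_admin_role: str) -> None:
    """Configuration rule: at least one entry must contain the superadmin role."""
    if not any(super_admin_role in combo for combo in combos):
        raise ValueError(f"at least one role combination must contain {super_admin_role!r}")


def is_assignable(roles: Iterable[str], combos: Sequence[FrozenSet[str]], enforce: bool) -> bool:
    """With enforcement on, an admin's roles must equal exactly one configured combination
    (assumption: combinations are assigned and removed only as a whole, never merged)."""
    if not enforce:
        return True
    return frozenset(roles) in combos


def may_operate_on(actor_roles: Iterable[str], target_roles: Iterable[str], protected_roles: Iterable[str]) -> bool:
    """PEPAR rule: if the target holds a protected role, the actor must hold one as well."""
    protected = set(protected_roles)
    if not protected & set(target_roles):
        return True
    return bool(protected & set(actor_roles))


if __name__ == "__main__":
    # Constructed configuration
    combos = parse_combinations(["superadmin", "useradmin,tokenadmin", "useradmin"])
    validate_combinations(combos, "superadmin")
    pepar = ["superadmin"]
    print("useradmin+tokenadmin assignable:", is_assignable(["useradmin", "tokenadmin"], combos, True))
    print("tokenadmin alone assignable:", is_assignable(["tokenadmin"], combos, True))
    print("useradmin may edit superadmin:", may_operate_on(["useradmin"], ["superadmin"], pepar))
```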

Attributes
String-List
Optional
Super Admin Role (superAdminRole)
Description
Defines the name of the "superadmin" role. Access control must be configured accordingly to define the allowed actions of this role.
Attributes
String
Mandatory
Suggested values
superadmin
Password Generator (passwordGenerator)
Description
Plugin used to generate passwords for administrators. It defines the length and the characters of the generated passwords.
Attributes
Plugin-Link
Optional
Assignable plugins
Password Hash Function (passwordHashFunction)
Description
The hash function used to store the password. Make sure it is the same as used when verifying the password.

NOTE: Some password hashes, such as SHA 256 Password Hash or Scrypt Password Hash, produce binary output. If one of these is used, make sure the persistence layer supports binary data in the hash field and the corresponding persistence plugins (e.g. Database User Store or Ldap Connector) are configured to treat hash values as binary values.
In case the persistence layer expects a string, encode the password hash by wrapping it with an encoder. To achieve this, use the Password Hash Configuration plugin and specify the hash function (such as Scrypt Password Hash) together with the desired encoder. We recommend using the Base64 Password Hash Encoder.
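The note above is easiest to see with actual bytes. The Python below is an added example, not Airlock IAM code and not its Scrypt Password Hash or Base64 Password Hash Encoder plugins: it derives a raw scrypt hash with the standard library, shows why that binary value is unsafe to store in a text column as-is, wraps it in Base64 for a string field, and verifies a password against the encoded value. The scrypt cost parameters and the fixed salt in the test are constructed for the example.

```python
import base64
import hashlib
import secrets


def scrypt_hash(password: str, salt: bytes) -> bytes:
    """Raw scrypt output: arbitrary bytes, which is the "binary output" the note refers to.
    Cost parameters are constructed for this example (16 MiB of memory, ~fast)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def is_safe_as_text(raw: bytes) -> bool:
    """True only if the bytes happen to be printable UTF-8; a 32-byte hash almost never is,
    so writing it into a string column would corrupt or reject the value."""
    try:
        return raw.decode("utf-8").isprintable()
    except UnicodeDecodeError:
        return False


def encode_for_string_storage(raw_hash: bytes) -> str:
    """Base64-wrap the binary hash so a string-typed hash field can hold it losslessly."""
    return base64.b64encode(raw_hash).decode("ascii")


def decode_from_string_storage(encoded: str) -> bytes:
    return base64.b64decode(encoded, validate=True)


def verify(password: str, salt: bytes, stored_b64: str) -> bool:
    """Recompute the hash with the same function and compare in constant time."""
    return secrets.compare_digest(scrypt_hash(password, salt), decode_from_string_storage(stored_b64))


if __name__ == "__main__":
    salt = secrets.token_bytes(16)          # per-user random salt
    raw = scrypt_hash("correct horse battery staple", salt)
    print("raw hash safe as text:", is_safe_as_text(raw))
    stored = encode_for_string_storage(raw)
    print("stored value:", stored)
    print("verify ok:", verify("correct horse battery staple", salt, stored))
```

The encoder used when storing and the one used when verifying must be the same plugin configuration, for the same reason the reference asks that the hash function match on both sides: a Base64 value compared against a raw binary hash never verifies.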

Attributes
Plugin-Link
Optional
Assignable plugins
Columns In Admin List (columnsInAdminList)
Description
The property names and labels of context data to be displayed on the admin list page. Usually, this is the first and last name of the administrator.

The data for the columns is taken from the context data container of the available administrators. The configuration of the used admin persister must include the context data properties referenced here.

The columns are displayed in addition to the following columns:

  • username
  • assigned roles
  • locked flag

Attributes
Plugin-List
Optional
Assignable plugins
Rows On Admin Detail Page (rowsOnAdminDetailPage)
Description
The property names and labels of context data to be displayed on the admin detail page.

The data is taken from the context data container of the selected administrator. The configuration of the used admin persister must include the context data properties referenced here.

Attributes
Plugin-List
Optional
Assignable plugins
Admin User Store (adminUserStore)
Description
User store to manage administrator data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Lock Reasons (lockReasons)
Description
Lock reasons listed in this property define the options selectable by an administrator when locking an administrator manually. Any string can be used to identify a lock reason. The following is a set of predefined lockout reasons:
  • LockReason.TooManyLoginFailed = Too many login failed
  • LockReason.InitialPasswordExpired = Initial password expired
  • LockReason.MaxWrongOldPassword = Wrong old password
  • LockReason.InitiatedByUser = Initiated by user
  • LockReason.InitiatedByAdmin = Initiated by administrator
Attributes
String-List
Optional
Default value
[LockReason.InitiatedByAdmin]
YAML Template (with default values)

type: AdministratorsManagement
id: AdministratorsManagement-xxxxxx
displayName: 
comment: 
properties:
  adminUserStore:
  assignableRoleCombinations:
  columnsInAdminList:
  enforceRoleCombinations: true
  lockReasons: [LockReason.InitiatedByAdmin]
  passwordGenerator:
  passwordHashFunction:
  privilegeEscalationProtectedAdminRoles:
  rowsOnAdminDetailPage:
  superAdminRole:

Advanced Location Interpreter

Description
Highly customizable plugin to transform the given URI and potentially extract a value by applying the following procedure:
  1. The optional "URI Transformers" are called in the configured order to transform the URI to a new URI. The output of a preceding transformer is used as input of the subsequent transformer. If a URI transformer returns a veto, the default value configured in this plugin is used as the resulting value.
    These plugins perform generic transformations on the URI, such as regular expression replacements, or use a query parameter as the new URI.
  2. The optional "Value Extractors" are then called in the configured order to extract a string value from the (possibly transformed) URI. The first extractor that returns a non-empty value stops the chain. If no extractor returns a non-empty value, the whole URI is passed on unchanged.
    These extractors are used to extract a query parameter or a path segment containing the target value.
  3. Finally, the optional "String Transformers" are called in the configured order to transform the final string. The output of the preceding transformer is used as input of the subsequent transformer. If a string transformer returns a veto, the default value configured in this plugin is used as the overall value.
    They can, for example, normalize values: convert the string to lowercase, or convert values from one format to another (e.g. convert 'GER' to 'de').
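The three-stage procedure, as an added Python example that is not Airlock IAM code: a generic interpret() function implementing the chain semantics (veto in either transformer stage returns the default value; the first non-empty extractor result wins; no extractor result passes the whole URI through), plus a few constructed building blocks of the kinds the text names (a regex URI replacement, query-parameter and path-segment extractors, a lowercase transformer and a mapping transformer that vetoes unknown values). The URIs and the language mapping in the test are constructed sample data.

```python
import re
from typing import Callable, Optional, Sequence
from urllib.parse import parse_qs, urlsplit

# Sentinel a transformer returns to veto the whole interpretation.
VETO = object()

UriTransformer = Callable[[str], object]          # returns the new URI, or VETO
ValueExtractor = Callable[[str], Optional[str]]   # returns a value, or None / ""
StringTransformer = Callable[[str], object]       # returns the new string, or VETO


def interpret(
    uri: str,
    uri_transformers: Sequence[UriTransformer] = (),
    value_extractors: Sequence[ValueExtractor] = (),
    string_transformers: Sequence[StringTransformer] = (),
    default_value: Optional[str] = None,
) -> Optional[str]:
    # Stage 1: URI transformers in order, output feeds the next; a veto ends with the default.
    current = uri
    for transform in uri_transformers:
        current = transform(current)
        if current is VETO:
            return default_value
    # Stage 2: first extractor with a non-empty value wins; none -> whole URI passes through.
    value = current
    for extract in value_extractors:
        extracted = extract(current)
        if extracted:
            value = extracted
            break
    # Stage 3: string transformers in order; a veto again yields the default.
    for transform in string_transformers:
        value = transform(value)
        if value is VETO:
            return default_value
    return value


# Constructed building blocks for the example (not the product's plugin set).
def regex_replace(pattern: str, repl: str) -> UriTransformer:
    return lambda uri: re.sub(pattern, repl, uri)


def query_param_extractor(name: str) -> ValueExtractor:
    return lambda uri: parse_qs(urlsplit(uri).query).get(name, [""])[0]


def path_segment_extractor(index: int) -> ValueExtractor:
    def extract(uri: str) -> str:
        segments = [s for s in urlsplit(uri).path.split("/") if s]
        return segments[index] if index < len(segments) else ""
    return extract


def lowercase(value: str) -> str:
    return value.lower()


def map_values(mapping: dict, veto_unknown: bool = True) -> StringTransformer:
    # Converts e.g. 'ger' to 'de'; unknown inputs veto so the default value applies.
    return lambda value: mapping[value] if value in mapping else (VETO if veto_unknown else value)


if __name__ == "__main__":
    chain = dict(
        uri_transformers=[regex_replace(r"/v2/", "/")],
        value_extractors=[query_param_extractor("lang"), path_segment_extractor(0)],
        string_transformers=[lowercase, map_values({"ger": "de", "de": "de", "en": "en"})],
        default_value="en",
    )
    for sample in ("https://iam.example/v2/portal?lang=GER", "https://iam.example/fr/portal"):
        print(sample, "->", interpret(sample, **chain))
```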
Type name
AdvancedLocationInterpreter
Class
com.airlock.iam.login.application.configuration.location.interpret.AdvancedLocationInterpreterConfig
May be used by
Properties
Default Value (defaultValue)
Description
The default value to be returned if a transformer produces a veto.
Attributes
String
Optional
URI Transformers (uriTransformers)
Description
The chain of URI transformers that transform the original URI.
Attributes
Plugin-List
Optional
Assignable plugins
Value Extractors (valueExtractors)
Description
The extractors that extract string values from the transformed URI. The result of the first extractor returning a non-empty value is used.
Attributes
Plugin-List
Optional
Assignable plugins
String Transformers (stringTransformers)
Description
The chain of string transformers that transform the extracted string value to the final interpretation result.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: AdvancedLocationInterpreter
id: AdvancedLocationInterpreter-xxxxxx
displayName: 
comment: 
properties:
  defaultValue:
  stringTransformers:
  uriTransformers:
  valueExtractors:

Advanced Migration Selection Option

Description
Advanced configuration of a migration subflow. The condition and all steps (including the "Complete Migration Step", if needed) must be configured manually.
Type name
AdvancedMigrationSelectionOption
Class
com.airlock.iam.authentication.application.configuration.migration.AdvancedMigrationSelectionOptionConfig
May be used by
Properties
Option Name (optionName)
Description

Name of the selection option for this migration subflow.

This includes POST /<loginapp-uri>/rest/public/authentication/migration/options/retrieve and POST /<loginapp-uri>/rest/public/authentication/migration/options/<id>/select

Attributes
String
Mandatory
Validation RegEx: [A-Za-z0-9_-]+
Suggested values
MIGRATE_NOW, SPECIAL, MTAN, CRONTO
Steps (steps)
Description
Steps of this subflow. A "Complete Migration Step" must be configured manually, if needed.
Attributes
Plugin-List
Mandatory
Assignable plugins
Abort Step, Acknowledge Message Step, Airlock 2FA Activation Letter Order Step, Airlock 2FA Activation Step, Airlock 2FA Activation Step (with additional Activation), Airlock 2FA Activation Trusted Session Binding Step, Airlock 2FA Authentication Step, Airlock 2FA Delete Devices Step, Airlock 2FA Device Edit Step, Airlock 2FA Mobile Only Authentication Step, Airlock 2FA Recovery Trusted Session Binding Step, Airlock 2FA Usernameless Authentication Step, Apply Changes Step, Complete Migration Step, Cronto Activation Step, Cronto Authentication Step, Cronto Device Reset Step, Cronto Letter Order Step, CrontoSign Swiss Push Activation Step, Device Token Authentication Step, Device Token Registration Step, Email Change Verification Step, Email Notification Step, Email OTP Authentication Step, FIDO Authentication Step, FIDO Credential Display Name Change Step, FIDO Passwordless Authentication Step, FIDO Registration Step, Failure Step, HTTP Basic Authentication Step, Kerberos Authentication Step, Legacy Email OTP Authentication Step, Login From New Device Step, Mandatory Password Change Step, Matrix Checking Step, Migration Selection Step, Missing Account Link Step, Never Migrate Step, No Operation Step, OATH OTP Activation Step, OATH OTP Authentication Step, OAuth 2.0 Consent Step, OAuth 2.0 SSO Step, OAuth 2.0 Session Reset Step, OTP Check via RADIUS Step, Password Letter Order Step, Password-only Authentication Step, Red Flag Raising Step, Remember-Me Reset Step, Remember-Me Token Generating Step, Remember-Me User Identifying Step, Representation SSO Ticket Identifying Step, Risk Assessment Step, Role-based Tag Acquisition Step, SAML 2.0 SP User Identifying Step, SSI Authentication Step, SSI Issuance Step, SSI Passwordless Authentication Step, SSI Verification Step, SSO Ticket Authentication Step, Scriptable Step, Secret Questions Provisioning Step, Selection Step, Set Context Data Step, Set Password Step, Tag Removal Step, Terms Of Services Step, User Data Edit Step, User Identification By Data Step, User Identification Step, User Identification with FIDO Authentication Step, User Lock Step, Username Password Authentication Step, Username Password with FIDO Authentication Step, Vasco OTP Authentication Step, Voluntary Password Change Step, mTAN Authentication Step, mTAN Token Registration Step, mTAN Verification Step
Condition (condition)
Description
Condition that determines whether this migration subflow is available or not.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: AdvancedMigrationSelectionOption
id: AdvancedMigrationSelectionOption-xxxxxx
displayName: 
comment: 
properties:
  condition:
  optionName:
  steps:

AES 128 GCM State Encryption

Description

State encryption that uses AES/GCM with 128-bit keys to encrypt all values stored in the state repository.

Type name
Aes128GcmStateEncryption
Class
com.airlock.iam.common.application.configuration.state.Aes128GcmStateEncryptionConfig
May be used by
Properties
Secret Key (secretKey)
Description
Key used for encryption and decryption, 128 bit encoded in Base64.

A random Base64 string with 128 bits (16 bytes) can be generated e.g. using openssl as follows: openssl rand -base64 16

CAUTION: Once the key has been set and used for encryption, it must not be changed. Data encrypted with a different key cannot be recovered.

Attributes
String
Mandatory
Sensitive
Length >= 8
YAML Template (with default values)

type: Aes128GcmStateEncryption
id: Aes128GcmStateEncryption-xxxxxx
displayName: 
comment: 
properties:
  secretKey:

AES256 Decryption Ticket Decoder

Description
Decodes the ticket produced by the AES256 Encryption Ticket Encoder plugin.
Type name
AES256DecryptionTicketDecoder
Class
com.airlock.iam.core.misc.util.ticket.codec.AES256DecryptionTicketDecoder
May be used by
Properties
Password (password)
Description
Specifies the password used to decrypt the ticket.
Attributes
String
Mandatory
Sensitive
Length >= 4
Require Authenticated Encryption (requireAuthenticatedEncryption)
Description
If integrity is essential, it is strongly recommended to reject tickets that were not encrypted with authentication (GCM). For backward compatibility only, incoming tickets are not required to be encrypted in GCM mode. If this flag is set to false, this decoder also accepts tickets that were encrypted without authentication, using CBC mode. That may be a threat if the ticket is exposed to an attacker.

If possible this flag should be enabled.

The AES256EncryptionTicketEncoder uses the GCM Mode by default.
Attributes
Boolean
Optional
Default value
true
Max PBKDF2 Iterations (maxPBKDF2Iterations)
Description
Specifies the maximum number of PBKDF2 iterations allowed for decryption. Choose this maximum as small as possible. Allowing a large number of iterations may require a considerable amount of computing time when decoding the ticket.
Attributes
Integer
Optional
Default value
32000
YAML Template (with default values)

type: AES256DecryptionTicketDecoder
id: AES256DecryptionTicketDecoder-xxxxxx
displayName: 
comment: 
properties:
  maxPBKDF2Iterations: 32000
  password:
  requireAuthenticatedEncryption: true

AES256 Encryption Ticket Encoder

Description
Encodes the ticket and encrypts the contents with a password.

The key-value pairs are first encoded as described in KeyMultiValue, the expiry timestamp is added and then encrypted using a password based encryption scheme with salt. The resulting ticket value is the base-64 representation of the ciphertext.

Type name
AES256EncryptionTicketEncoder
Class
com.airlock.iam.core.misc.util.ticket.codec.AES256EncryptionTicketEncoder
May be used by
Properties
Password (password)
Description
Specifies the password used to encrypt the ticket.
Attributes
String
Mandatory
Sensitive
Length >= 4
Require Authenticated Encryption (requireAuthenticatedEncryption)
Description
By default, password-based encryption uses the GCM mode for authenticated encryption. If this flag is disabled, the legacy CBC mode is used. This mode does not provide authenticity and is only provided for backward compatibility in cases where the ticket is decrypted in an external system.

If possible this flag should be enabled.

Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: AES256EncryptionTicketEncoder
id: AES256EncryptionTicketEncoder-xxxxxx
displayName: 
comment: 
properties:
  password:
  requireAuthenticatedEncryption: true

Age Check Password Policy

Description
A password policy check that tests that the existing password has a minimum age before a new password can be set. This can be used to make password rotation harder to perform.

Note: This plugin only checks the minimum age of the current password if this information is available in the user data (latest-password-change-timestamp). Whether this is the case may depend on the configuration of the underlying user persister.

Note: This check should not be performed if the user is forced to change the password.

Type name
PwdPolicyAgeCheck
Class
com.airlock.iam.core.misc.impl.authen.PwdPolicyAgeCheck
May be used by
Properties
Minimum password age [secs] (minRequiredPasswordAge)
Description
The minimum required age of the old (current) password in seconds before a new one may be set.
Attributes
Integer
Mandatory
YAML Template (with default values)

type: PwdPolicyAgeCheck
id: PwdPolicyAgeCheck-xxxxxx
displayName: 
comment: 
properties:
  minRequiredPasswordAge:

Aggregate Report

Description
An aggregation report over several reports of a task. It uses an aggregation strategy to create the parameter map passed into the report renderer that generates this aggregate report.
Type name
AggregateReport
Class
com.airlock.iam.core.misc.util.report.aggregation.AggregateReport
May be used by
Properties
File Name Prefix (fileNamePrefix)
Description
Filename prefix for rendered report files.

The prefix "aggregate-" is used if none is defined.

The generated name is -timestamp[.]
Attributes
String
Optional
Default value
aggregate-
Example
aggregate-
Example
swissPostSummary-
File Name Suffix (fileNameSuffix)
Description
Filename suffix for rendered password files.
Attributes
String
Optional
Suggested values
.pdf
Properties Aggregator (propertiesAggregator)
Description
Creates the properties needed for the aggregation report.
Attributes
Plugin-Link
Optional
Assignable plugins
Report Renderer (reportRenderer)
Description
Specifies which generic renderer to use to render the aggregate report.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: AggregateReport
id: AggregateReport-xxxxxx
displayName: 
comment: 
properties:
  fileNamePrefix: aggregate-
  fileNameSuffix:
  propertiesAggregator:
  reportRenderer:

Airlock 2FA Activation Authentication UI

Description
User interface configuration for "Airlock 2FA Activation Step" authentication flow step.
Type name
Airlock2FAActivationAuthenticationStepUi
Class
com.airlock.iam.login.rest.application.configuration.ui.authentication.Airlock2FAActivationAuthenticationStepUiConfig
May be used by
Properties
Step ID (stepId)
Description
The ID of the step to which this user interface is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Show App Device Activation Link (showAppDeviceActivationLink)
Description
If enabled, an app device link is displayed below the QR code to register the device directly in the mobile app, instead of scanning the QR code. This is useful when users register on their mobile devices and thus cannot scan the displayed QR code.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: Airlock2FAActivationAuthenticationStepUi
id: Airlock2FAActivationAuthenticationStepUi-xxxxxx
displayName: 
comment: 
properties:
  showAppDeviceActivationLink: true
  stepId:

Airlock 2FA Activation Authentication UI (with additional Activation)

Description
User interface configuration for "Airlock 2FA Activation Step (with additional Activation)" authentication flow step.
Type name
Airlock2FAAdditionalActivationAuthenticationStepUi
Class
com.airlock.iam.login.rest.application.configuration.ui.authentication.Airlock2FAAdditionalActivationAuthenticationStepUiConfig
May be used by
Properties
Step ID (stepId)
Description
The ID of the step to which this user interface is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Show App Device Activation Link (showAppDeviceActivationLink)
Description
If enabled, an app device link is displayed below the QR code to register the device directly in the mobile app, instead of scanning the QR code. This is useful when users register on their mobile devices and thus cannot scan the displayed QR code.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: Airlock2FAAdditionalActivationAuthenticationStepUi
id: Airlock2FAAdditionalActivationAuthenticationStepUi-xxxxxx
displayName: 
comment: 
properties:
  showAppDeviceActivationLink: true
  stepId:

Airlock 2FA Activation Letter Order Step

Description

Step to non-interactively order an activation letter.
This step doesn't create the letter, but places an order. It is thus recommended to use 'Airlock 2FA Device Activation Letter Order (Batch)' for the 'Activation Letters' option in the 'Airlock 2FA Token Controller' to create the letters.
This step has to be added after an identifying step, e.g. a Password Authentication Step. Further, the user has to have an Airlock 2FA Account.
When this step completes successfully, either a new letter order is created or a letter order is already pending.
Type name
Airlock2FALetterOrderStep
Class
com.airlock.iam.flow.shared.application.configuration.airlock2fa.Airlock2FALetterOrderStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2FASettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: Airlock2FALetterOrderStep
id: Airlock2FALetterOrderStep-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Activation Letter Order User Event Listener

Description
A listener that reacts to the insertion of a new user in the persistency layer by creating automatically:
  • an Airlock 2FA account;
  • an order for an Airlock 2FA activation letter to register the first Airlock 2FA device. All opened orders will be batch processed by the "Airlock 2FA Activation Letter Order Task" in service container to create the necessary activation letters.
Type name
Airlock2FAActivationLetterOrderUserEventListener
Class
com.airlock.iam.factor.application.configuration.airlock2fa.Airlock2FAActivationLetterOrderUserEventListener
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Condition (condition)
Description
The condition to decide whether the event should be handled. If not configured, the event is always handled.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: Airlock2FAActivationLetterOrderUserEventListener
id: Airlock2FAActivationLetterOrderUserEventListener-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  condition:

Airlock 2FA Activation Letter Task

Description

Settings to batch process Airlock 2FA activation letter orders. Each order will generate at most one activation letter. No activation letter will be generated for a permanently disabled Airlock 2FA account. Each order will be deleted after being processed.

An Airlock 2FA letter contains a QR code to be scanned and is typically necessary for the registration of the first Airlock 2FA device.

Note that once the letter is generated, Airlock IAM is no longer involved in the activation of a user's device. This implies in particular that a user who has been locked out after the generation of an activation letter could still use it to successfully register an Airlock 2FA device. Login will of course remain impossible as long as the user is locked out.

Type name
Airlock2FAActivationLetterOrderTask
Class
com.airlock.iam.servicecontainer.app.application.configuration.task.airlock2fa.Airlock2FAActivationLetterOrderTaskConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
User Store (userStore)
Description
The user store to retrieve all user data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Renderer (renderer)
Description
Defines how activation letters (e.g. PDFs) are rendered.

The following placeholders can be used in the templates:

  • ${User Context Data Name} - context data of the user.
  • ${activationQRCode} - QR code image for the activation. Image size in document can be adjusted: ${activationQRCode,imageSize,width in points,height in points}
  • ${expires} - expiring date of the activation. Can be used with extended format (e.g. ${expires,date,short})
  • ${activationCodeShort} - Short 16-digit activation code as an additional option for the activation.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Working Directory (workingDirectory)
Description
A writable directory used to store a partially rendered activation letter.
If this property is defined, activation letters are not directly generated into the output directory (see other property) but they are generated into this working directory and are then moved into the output directory once they are done.
This helps to solve problems with processes that automatically read the rendered activation letters and therefore might not see the fully rendered result. Make sure that the working directory and the output directory reside in the same file system (otherwise the moving of the generated file will not be atomic).
The directory is either absolute or relative to the JVM's current directory.
Attributes
File/Path
Optional
Output Directory (outputDirectory)
Description
The directory where the printable letters will be stored.
Attributes
File/Path
Mandatory
Language Context Data Name (languageContextDataName)
Description
The user's context data attribute containing the user's language. The language is used to choose the template in the renderer. If left empty, the default template will be used.
Attributes
String
Optional
Suggested values
language
Enrollment Validity [s] (enrollmentValidityInSeconds)
Description
The duration (in seconds) an enrollment code should be valid.

Note: This value is only used for the validity of the QR code in the enrollment letter and does not affect enrollment self-services.

Attributes
Integer
Optional
Default value
604800
YAML Template (with default values)

type: Airlock2FAActivationLetterOrderTask
id: Airlock2FAActivationLetterOrderTask-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  enrollmentValidityInSeconds: 604800
  languageContextDataName:
  outputDirectory:
  renderer:
  userStore:
  workingDirectory:

Airlock 2FA Activation Step

Description

Step to add a new Airlock 2FA device. This step will generate a QR code (and an Airlock 2FA account if necessary) that needs to be scanned by the device to be added.

Depending on the use-case, this step should be configured as an 'Authentication Flow Step', 'Protected Self-Service Flow Step' or 'User-Self-Registration Flow Step'.

Migration to Airlock 2FA (Authentication Flow)
In this case, the user does not yet have any Airlock 2FA device, but already has a different second authentication factor (see Security note) that needs to be migrated to Airlock 2FA. This step needs to be configured as an 'Authentication Flow Step' inside a 'Migration Selection Step'. Upon successful migration, the user will have an Airlock 2FA account and a newly registered Airlock 2FA device that can be used for strong authentication. The user's default authentication method will have been changed to Airlock 2FA.
Activation of an Airlock 2FA device (Protected Self-Service Flow)
In this case, the user already has a second authentication factor (see Security note) and needs to activate an Airlock 2FA device. This typically happens when the user already has Airlock 2FA as a second authentication factor and needs to activate an additional device. This step needs to be configured as a 'Protected Self-Service Flow Step'. Upon successful activation, the user will have an Airlock 2FA account and a newly registered Airlock 2FA device that can be used for strong authentication. In contrast to the migration scenario above, the user's default authentication method will remain unchanged.
Activation of an Airlock 2FA device (User-Self-Registration Flow)
In this case, the flow step will register a Futurae user account with the device that was used to scan the activation code. It is required to add an 'Airlock 2FA Token Persisting Handler' in the 'User Persisting Step' to persist the linked Futurae user account with the IAM user.

In the migration and self-service scenarios, an optional 'Airlock 2FA Device Edit Step' can be configured afterwards, to allow the user to edit the newly registered device, e.g., changing its display name.

Note: This step can only register one device in one flow execution. The flow has to be started multiple times when more devices are needed.

Security note: For migration and self-service flows this step should be restricted to strongly authenticated users. To do so, a 'Pre-Condition Tag' should be used to ensure that the user is strongly authenticated (using at least one of their pre-existing second authentication factors). In particular, this step should not be used for a user authenticated with username and password only. In the password-only use case, the (physical) generation of an 'Airlock 2FA Device Activation Letter' is necessary.

Type name
Airlock2FAActivationStep
Class
com.airlock.iam.flow.shared.application.configuration.airlock2fa.Airlock2FAActivationStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Enrollment Timeout [s] (enrollmentTimeoutSeconds)
Description
The duration (in seconds) an enrollment QR code should be valid.

Note: This value is not used when generating activation letters.

Attributes
Integer
Optional
Default value
300
Provide Short Activation Code (provideActivationCodeShort)
Description
If enabled, the activation step will provide a short activation code as an additional option to enroll a new device.
Attributes
Boolean
Optional
Default value
false
Enable Short-Lived Online QR Codes (enableShortLivedOnlineQrCodes)
Description

Whether to enable short-lived Online QR Codes. Unlike regular Online QR Codes, these are refreshed regularly, allowing for shorter individual validities.

Shorter validities enhance security, since forwarding a QR code to victims and tricking them into scanning it becomes more difficult if the available time window is small.

Attributes
Boolean
Optional
Default value
false
QR Code Validity [s] (shortLivedQrCodeValidity)
Description

The maximum amount of time in seconds for which an Online QR Code is valid after it is first displayed to the end user (ignoring latency). This duration includes the time defined for the validity overlap. It only limits the time for scanning the QR code, not for the confirmation or approval afterwards.

Security Notice: The validity duration represents the attack window. Choosing a small validity makes attacks more difficult, in cases where an attacker attempts to forward a QR code to a victim for scanning.

This setting is only active if short-lived Online QR Codes are enabled.

Attributes
Integer
Optional
Default value
10
QR Code Validity Overlap [s] (shortLivedQrCodeValidityOverlap)
Description

Defines the duration in seconds during which the previously displayed QR Code is still valid after being replaced by the next QR code in sequence.

This provides time for pending requests to complete and ensures that a valid QR code is displayed at every moment in time, provided that there are no network or performance issues.

The validity overlap must meet the following criteria:

  • It must be smaller than half the overall validity of the QR code.
  • It must be larger than the Loginapp UI polling interval (1s) plus the network latency (IAM backend → Loginapp UI plus Mobile Device → Futurae Backend).
    Note that the polling interval may differ for custom user interfaces.

This setting is only active if short-lived Online QR Codes are enabled.

Attributes
Integer
Optional
Default value
3
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: Airlock2FAActivationStep
id: Airlock2FAActivationStep-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  enableShortLivedOnlineQrCodes: false
  enrollmentTimeoutSeconds: 300
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  provideActivationCodeShort: false
  requiresActivation: false
  shortLivedQrCodeValidity: 10
  shortLivedQrCodeValidityOverlap: 3
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Activation Step (with additional Activation)

Description

Step to add a new Airlock 2FA device. This step will generate a QR code (and an Airlock 2FA account if necessary) that needs to be scanned by the device to be added.

This Step allows device activation during the authentication flow even when the user already has a device. This step is able to add both the first device during a migration or an additional device.

Type name
Airlock2FAAdditionalActivationStep
Class
com.airlock.iam.authentication.application.configuration.airlock2fa.Airlock2FAAdditionalActivationStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Enrollment Timeout [s] (enrollmentTimeoutSeconds)
Description
The duration (in seconds) an enrollment QR code should be valid.

Note: This value is not used when generating activation letters.

Attributes
Integer
Optional
Default value
300
Provide Short Activation Code (provideActivationCodeShort)
Description
If enabled, the activation step will provide a short activation code as an additional option to enroll a new device.

Note: This feature cannot be used in combination with short-lived Online QR Codes.

Attributes
Boolean
Optional
Default value
false
Enable Short-Lived Online QR Codes (enableShortLivedOnlineQrCodes)
Description

Whether to enable short-lived Online QR Codes. Unlike regular Online QR Codes, these are refreshed regularly, allowing for shorter individual validities.

Shorter validities enhance security: forwarding a QR code to a victim and tricking them into scanning it becomes more difficult when the available time window is small.

Attributes
Boolean
Optional
Default value
false
QR Code Validity [s] (shortLivedQrCodeValidity)
Description

The maximum amount of time in seconds for which an Online QR Code is valid after it is first displayed to the end user (ignoring latency). This duration includes the time defined for the validity overlap. It only limits the time for scanning the QR code, not for the confirmation or approval afterwards.

Security Notice: The validity duration is the attack window. A small validity makes it harder for an attacker who forwards a QR code to a victim to get it scanned in time.

This setting is only active if short-lived Online QR Codes are enabled.

Attributes
Integer
Optional
Default value
10
QR Code Validity Overlap [s] (shortLivedQrCodeValidityOverlap)
Description

Defines the duration in seconds during which the previously displayed QR Code is still valid after being replaced by the next QR code in sequence.

This provides time for pending requests to complete and ensures that a valid QR code is displayed at every moment in time, provided that there are no network or performance issues.

The validity overlap must meet the following criteria:

  • It must be smaller than half the overall validity of the QR code.
  • It must be larger than the Loginapp UI polling interval (1s) plus the network latency (IAM backend → Loginapp UI plus Mobile Device → Futurae Backend).
    Note that the polling interval may differ for custom user interfaces.

This setting is only active if short-lived Online QR Codes are enabled.

Attributes
Integer
Optional
Default value
3
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: Airlock2FAAdditionalActivationStep
id: Airlock2FAAdditionalActivationStep-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  enableShortLivedOnlineQrCodes: false
  enrollmentTimeoutSeconds: 300
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  provideActivationCodeShort: false
  requiresActivation: false
  shortLivedQrCodeValidity: 10
  shortLivedQrCodeValidityOverlap: 3
  skipCondition:
  stepId:
  tagsOnSuccess:
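The validity and overlap rules for short-lived Online QR Codes, together with the exclusion of the short activation code, are easy to get wrong by hand. The following added example (not Airlock IAM code) lints the flat YAML template above against exactly those documented rules before it is deployed. The Loginapp UI polling interval of 1 s is taken from the property description; the latency budget, the sample template values and the tiny template reader are assumptions made for the illustration.

```python
"""Added example (not Airlock IAM code): pre-deployment lint for the short-lived
Online QR Code settings of an Airlock 2FA activation step.

Rules taken from the step description: the validity overlap must be smaller than
half the QR code validity, it must exceed the Loginapp UI polling interval (1 s)
plus network latency, and a short activation code cannot be combined with
short-lived Online QR Codes. The latency budget is an assumption that each
deployment has to measure for itself.
"""

POLLING_INTERVAL_S = 1.0  # Loginapp UI polling interval; custom UIs may differ

# Defaults from the step's YAML template, used when a key is absent or empty.
DEFAULTS = {
    "enableShortLivedOnlineQrCodes": False,
    "provideActivationCodeShort": False,
    "shortLivedQrCodeValidity": 10,
    "shortLivedQrCodeValidityOverlap": 3,
}


def parse_flat_properties(yaml_text):
    """Minimal, dependency-free reader for the flat 'properties:' block of the
    templates on this page (one indentation level, scalar values only). Use a
    real YAML library for anything beyond these templates."""
    props = {}
    in_props = False
    for raw in yaml_text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("properties:"):
            in_props = True
            continue
        if not (in_props and raw.startswith("  ")):
            in_props = False
            continue
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if value == "":
            props[key] = None
        elif value in ("true", "false"):
            props[key] = value == "true"
        elif value.lstrip("-").isdigit():
            props[key] = int(value)
        else:
            props[key] = value
    return props


def _setting(props, key):
    value = props.get(key)
    return DEFAULTS[key] if value is None else value


def check_short_lived_qr_settings(props, latency_budget_s=1.0):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    short_lived = _setting(props, "enableShortLivedOnlineQrCodes")
    short_code = _setting(props, "provideActivationCodeShort")
    validity = _setting(props, "shortLivedQrCodeValidity")
    overlap = _setting(props, "shortLivedQrCodeValidityOverlap")

    if short_lived and short_code:
        findings.append("provideActivationCodeShort cannot be combined with "
                        "enableShortLivedOnlineQrCodes")
    if not short_lived:
        return findings  # validity and overlap are inactive in that case

    if not overlap < validity / 2:
        findings.append(f"overlap {overlap}s must be smaller than half the validity "
                        f"({validity / 2}s)")
    floor = POLLING_INTERVAL_S + latency_budget_s
    if not overlap > floor:
        findings.append(f"overlap {overlap}s must exceed polling interval + latency "
                        f"({floor}s); the UI may otherwise show an expired code")
    return findings


# Constructed input: the step's template with short-lived codes switched on and
# an overlap that is too large for the chosen validity (6 / 2 = 3, not > 3).
SAMPLE_TEMPLATE = """\
type: Airlock2FAAdditionalActivationStep
id: Airlock2FAAdditionalActivationStep-xxxxxx
displayName:
comment:
properties:
  airlock2faSettings:
  enableShortLivedOnlineQrCodes: true
  enrollmentTimeoutSeconds: 300
  provideActivationCodeShort: false
  shortLivedQrCodeValidity: 6
  shortLivedQrCodeValidityOverlap: 3
"""

if __name__ == "__main__":
    for finding in check_short_lived_qr_settings(parse_flat_properties(SAMPLE_TEMPLATE)):
        print("finding:", finding)
```

Run it on the exported template of every activation step that has short-lived codes enabled; pass the measured IAM backend to Loginapp UI and device to Futurae latency as `latency_budget_s`, since the 1 s assumption above is only a placeholder.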

Airlock 2FA Activation Step Self-Registration UI

Description
User interface configuration for the "Airlock 2FA Activation Step" user self-registration flow step.
Type name
Airlock2FAActivationUserSelfRegStepUi
Class
com.airlock.iam.userselfreg.application.configuration.ui.Airlock2FAActivationUserSelfRegStepUiConfig
May be used by
Properties
Step ID (stepId)
Description
The ID of the step to which this user interface is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Show App Device Activation Link (showAppDeviceActivationLink)
Description
If enabled, an app device link is displayed below the QR code to register the device directly in the mobile app, instead of scanning the QR code. This is useful when users register on their mobile devices and thus cannot scan the displayed QR code.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: Airlock2FAActivationUserSelfRegStepUi
id: Airlock2FAActivationUserSelfRegStepUi-xxxxxx
displayName: 
comment: 
properties:
  showAppDeviceActivationLink: true
  stepId:

Airlock 2FA Activation Step Self-Service UI

Description
User interface configuration for "Airlock 2FA Activation Step" self-service flow step.
Type name
Airlock2FAActivationSelfServiceStepUi
Class
com.airlock.iam.selfservice.application.configuration.ui.Airlock2FAActivationSelfServiceStepUiConfig
May be used by
Properties
Step ID (stepId)
Description
The ID of the step to which this user interface is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Show App Device Activation Link (showAppDeviceActivationLink)
Description
If enabled, an app device link is displayed below the QR code to register the device directly in the mobile app, instead of scanning the QR code. This is useful when users register on their mobile devices and thus cannot scan the displayed QR code.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: Airlock2FAActivationSelfServiceStepUi
id: Airlock2FAActivationSelfServiceStepUi-xxxxxx
displayName: 
comment: 
properties:
  showAppDeviceActivationLink: true
  stepId:

Airlock 2FA Activation Trusted Session Binding Step

Description
This step can be used if an Airlock 2FA activation letter has previously been sent to the user. If 'Trusted Session Binding for Activation' is set to 'Only with Letter' or 'Always' in the 'Airlock 2FA Settings', this step is necessary for users to activate devices using activation letters. Airlock IAM does not provide a UI for this step, since it is intended to be used by custom mobile apps.

The intended use-case is a mobile app that scans an activation letter and extracts the activation code. The activation code is sent to Airlock IAM, which returns a trusted session binding token. The mobile app then uses the binding token together with the activation code to complete the Airlock 2FA device activation. If Airlock IAM does not receive a flow binding token from Futurae, it returns an empty response and the step does not fail.

This step also provides a REST endpoint to poll the status of an activation.

Type name
Airlock2faActivationTrustedSessionBindingStep
Class
com.airlock.iam.flow.shared.application.configuration.airlock2fa.Airlock2faActivationTrustedSessionBindingStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, brute-force attacks on password 2 become possible as follows: an attacker who knows the user's password 1 gets an unlimited number of attempts on flow B, because the shared 'PASSWORD' counter can be reset to 0 at any time by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

Attributes
String
Optional
Length <= 23
Default value
AIRLOCK_2FA
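The counter-reset problem described above is easiest to see by running it. The following added example (not Airlock IAM code) is a toy model of per-user failed-attempt counters keyed by Authentication Method ID; it shows that with a shared identifier an attacker who knows password 1 never exhausts the lock for password 2, while distinct identifiers lock the user after the configured number of failures. The lock semantics (reset to 0 on success, user locked once any counter reaches the threshold, a locked user gets nothing evaluated) and the threshold value are assumptions made for the illustration.

```python
"""Added example (not Airlock IAM code): a toy model of per-user failed-attempt
counters keyed by Authentication Method ID, reproducing the counter-reset attack
described for this property. Assumptions made for the illustration: the counter
is reset to 0 on any successful attempt for that method, the user is locked as
soon as any counter reaches max_failed_logins, and a lock stops all further
attempts for that user."""


class FailedAttemptCounters:
    def __init__(self, max_failed_logins):
        self.max_failed_logins = max_failed_logins
        self._failures = {}          # (username, method_id) -> consecutive failures
        self._locked_users = set()

    def failures(self, username, method_id):
        return self._failures.get((username, method_id), 0)

    def is_locked(self, username):
        return username in self._locked_users

    def attempt(self, username, method_id, success):
        """Record one credential check; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(username):
            return "locked"            # nothing is evaluated for a locked user
        key = (username, method_id)
        if success:
            self._failures[key] = 0    # with a shared method_id this also clears
            return "ok"                # the failures collected on the other flow
        self._failures[key] = self.failures(username, method_id) + 1
        if self._failures[key] >= self.max_failed_logins:
            self._locked_users.add(username)
        return "failed"


def guesses_before_lock(method_id_a, method_id_b, max_failed_logins=5, total_guesses=1000):
    """Attacker knows password 1 (flow A, method_id_a) and brute-forces password 2
    (flow B, method_id_b). Returns how many guesses are actually evaluated before
    the user is locked; a result equal to total_guesses means the lock never fires."""
    counters = FailedAttemptCounters(max_failed_logins)
    user = "alice"                     # constructed sample user
    evaluated = 0
    for _ in range(total_guesses):
        # One failure away from the lock: reset via a legitimate login on flow A.
        if counters.failures(user, method_id_b) == max_failed_logins - 1:
            counters.attempt(user, method_id_a, success=True)
        if counters.attempt(user, method_id_b, success=False) == "locked":
            break
        evaluated += 1
    return evaluated


if __name__ == "__main__":
    print("shared ID   :", guesses_before_lock("PASSWORD", "PASSWORD"))
    print("distinct IDs:", guesses_before_lock("PASSWORD1", "PASSWORD2"))
```

With the shared identifier the attacker submits all 1000 guesses; with PASSWORD1 and PASSWORD2 the user is locked after 5. The same reasoning applies to any two steps of the same type checking different credentials, which is why the default AIRLOCK_2FA must be changed when a second Airlock 2FA step checks a different device set in another flow.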
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: Airlock2faActivationTrustedSessionBindingStep
id: Airlock2faActivationTrustedSessionBindingStep-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  authenticationMethodId: AIRLOCK_2FA
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Apply Device Deletion Change

Description
Applies the "Airlock 2FA Device Deletion" change. Performs the actual deletion.
Type name
Airlock2FAApplyDeviceDeletionChange
Class
com.airlock.iam.selfservice.application.configuration.step.Airlock2FAApplyDeviceDeletionChangeConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2FASettings)
Description
The Airlock 2FA Settings. Verify that the initiation step uses the same settings.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: Airlock2FAApplyDeviceDeletionChange
id: Airlock2FAApplyDeviceDeletionChange-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:

Airlock 2FA Apply Device Edit Change

Description
Applies the "Airlock 2FA Device Edit" change. Performs the actual edit.
Type name
Airlock2FAApplyDeviceEditChange
Class
com.airlock.iam.selfservice.application.configuration.step.Airlock2FAApplyDeviceEditChangeConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2FASettings)
Description
The Airlock 2FA Settings. Verify that the initiation step uses the same settings.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: Airlock2FAApplyDeviceEditChange
id: Airlock2FAApplyDeviceEditChange-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:

Airlock 2FA Approval UI (Protected Self-service)

Description
User interface configuration for "Airlock 2FA Self-Service Approval Step".
Type name
Airlock2FASelfServiceApprovalStepUi
Class
com.airlock.iam.selfservice.application.configuration.ui.Airlock2FASelfServiceApprovalStepUiConfig
May be used by
Properties
Step ID (stepId)
Description
The ID of the step to which this user interface is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Show App Approval Link (showAppApprovalLink)
Description
If enabled, when approving an operation using the Online QR Code factor, an app device link is displayed below the QR code. This link can be clicked to approve the operation in a mobile app (e.g. the Airlock 2FA app) instead of scanning the QR code. This is useful when the self-service is used on a mobile device and the displayed QR code cannot be scanned.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: Airlock2FASelfServiceApprovalStepUi
id: Airlock2FASelfServiceApprovalStepUi-xxxxxx
displayName: 
comment: 
properties:
  showAppApprovalLink: true
  stepId:

Airlock 2FA Approval UI (Public Self-service)

Description
User interface configuration for "Airlock 2FA Public Self-Service Approval Step".
Type name
Airlock2FAPublicSelfServiceApprovalStepUi
Class
com.airlock.iam.publicselfservice.application.configuration.ui.Airlock2FAPublicSelfServiceApprovalStepUiConfig
May be used by
Properties
Step ID (stepId)
Description
The ID of the step to which this user interface is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Show App Approval Link (showAppApprovalLink)
Description
If enabled, when approving an operation using the Online QR Code factor, an app device link is displayed below the QR code. This link can be clicked to approve the operation in a mobile app (e.g. the Airlock 2FA app) instead of scanning the QR code. This is useful when the self-service is used on a mobile device and the displayed QR code cannot be scanned.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: Airlock2FAPublicSelfServiceApprovalStepUi
id: Airlock2FAPublicSelfServiceApprovalStepUi-xxxxxx
displayName: 
comment: 
properties:
  showAppApprovalLink: true
  stepId:

Airlock 2FA Authentication Data Map

Description

Provides Airlock 2FA authentication information about the device referenced by the Auth Token ID, as well as cooldown information about the device used for authentication.

The provided Auth Token ID information concerns the device from the Auth Token ID and is available as soon as the user has used or activated an Airlock 2FA device as a second factor for authentication in this session. Currently, the following values are provided:

  • a2fa-auth-token-device-id: This key provides the device ID of the Airlock 2FA device.
  • a2fa-auth-token-device-type: This key provides the device type of the Airlock 2FA device. It can have the following values:
    • ios
    • android
    • hardware
  • a2fa-auth-token-device-display-name: This key provides the display name of the Airlock 2FA device.
  • a2fa-auth-token-device-enrollment-timestamp: Timestamp (as date-time object) of the point in time when the Airlock 2FA device was enrolled. This value can be used by template-based providers to format the timestamp into a specific date format.

The cooldown information concerns the device that was used for authentication and is available as soon as the user has successfully used an Airlock 2FA device for authentication in this session. Unlike the Auth Token ID, which is also updated after registering a new device, the values provided here only concern the device used for the actual authentication. Currently, the following values are provided:

  • a2fa-cooldown-auth-device: This key reports whether or not the Airlock 2FA device used during authentication is in cooldown. This key can have the following values:
    • cooldown: the device is in cooldown
    • active: the device is fully active
  • a2fa-cooldown-ends: Timestamp (as date-time object) of the point in time when cooldown will end for the Airlock 2FA device that was used during authentication. If the Airlock 2FA device used for authentication is active (not in cooldown), this key is not supplied. This value can be used by template-based providers to format the timestamp into a specific date format.

The following key is always provided and reports what type of devices the user has in the account:

  • a2fa-cooldown-devices: This key can have the following values:
    • has_active: at least one active Airlock 2FA device is available
    • all_cooldown: only Airlock 2FA devices in cooldown are available
    • none: no Airlock 2FA devices are available

Type name
Airlock2FAAuthenticationDataValueMapProvider
Class
com.airlock.iam.flow.shared.application.configuration.airlock2fa.Airlock2FAAuthenticationDataValueMapProviderConfig
May be used by
User Identification By Data Step, OAuth 2.0 Consent Grant Initiation Step, FIDO Registration Step, Set Context Data Step, Legacy ID Propagation Adapter, mTAN Message Provider, Airlock 2FA Activation Trusted Session Binding Step, Selection Step for Self-Service, Cronto Device Reset Step, Airlock 2FA Authentication Step, OAuth 2.0 Client Persisting Step, Send Email Link Step, Phone Number Verification Step, Set Authentication Method Step, Email OTP Authentication Step, FIDO Transaction Approval Step, HTTP Basic Authentication Step, Delete OAuth 2.0 Session Initiation Step, Secret Questions Identity Verification Step, SSI Passwordless Authentication Step, Translated String Provider, User Data Registration Step, Failure Step, Select mTAN Token Step, SAML 2.0 SP User Identifying Step, Account Link Removal Initiation Step, No Operation Step, Cronto Transaction Approval Step, OAuth 2.0 Client Registration Step, Password Change Self-Service Step, Airlock 2FA Device Deletion Initiation Step, Apply Changes Step, Airlock 2FA Activation Step (with additional Activation),
Enable Cronto Push Initiation Step, Start User Representation Step, Representation SSO Ticket Identifying Step, User Role Assignment Step, Email Verification Step, OATH OTP Activation Step, Airlock 2FA Mobile Only Authentication Step, Transforming Value Map Provider, Date From Map Value Provider, Airlock 2FA Public Self-Service Approval Step, FIDO Credential Selection Step, Matrix Self-Service Approval Step, User Data Edit Step, Set Password Step, Cronto Letter Order Step, Username Password Authentication Step, Template-based String Provider, Selection Step, Cronto Activation Step, User Identification By Data Step (Public Self-Service), Vasco OTP Authentication Step, User Lock Step, Certificate Credential Extraction Step, Stop User Representation Step, OAuth 2.0 Consents Delete Initiation Step, mTAN Token Edit Step, CrontoSign Swiss Push Activation Step, Airlock 2FA Transaction Approval Step, Missing Account Link Step, Integer From Map Value Provider, User Identification Step, Email Event Subscriber (Loginapp), Rename Cronto Device Step, User Identification with FIDO Authentication Step,
Airlock 2FA Recovery Trusted Session Binding Step, User Persisting Step, Email Message Provider, Secret Questions Provisioning Step, Kerberos Authentication Step, Complete Migration Step, Never Migrate Step, Migration Selection Step, Account Link Linking Initiation Step, Username Generation Step, Email Notification Step, Airlock 2FA Activation Letter Order Step, SMS Identity Verification Step, Matrix Public Self-Service Approval Step, Airlock 2FA Device Edit Initiation Step, Enable Cronto Device Initiation Step, Matrix Checking Step, Red Flag Raising Step, Airlock 2FA Message Provider, Scriptable Step, Login From New Device Step, Cronto Message Provider, Password Letter Order Step, Device Token Authentication Step, Unlock User Step (Public Self-Service), Scriptable Validator, Set Authentication Method Migration Step, SSI Issuance Step, FIDO Passwordless Authentication Step, Remember-Me User Identifying Step, Template-based Username Transformer, Password Reset Step, FIDO Authentication Step, On Behalf Login Identity Propagation, Terms Of Services Step, Email Change Verification Step,
Vasco OTP Self-Service Approval Step, Airlock 2FA Delete Devices Step, Password-only Authentication Step, SSI Self-Registration Issuance Step, Username Password with FIDO Authentication Step, User Identification Step (Public Self-Service), SSI Verification Step, mTAN Self-Service Approval Step, Legacy Email OTP Authentication Step, Cronto Device Selection Step, Abort Step, mTAN Token Registration Step, Email OTP Transaction Approval Step, SMS Event Subscriber (Loginapp), Disable FIDO Credential Initiation Step, Enable FIDO Credential Initiation Step, OAuth 2.0 SSO Step, String From Map Value Provider, Remember-Me Reset Step, Cronto Authentication Step, Delete Remember-Me Device Initiation Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, Airlock 2FA Usernameless Authentication Step, Email Identity Verification Step, OATH OTP Authentication Step, Vasco OTP Public Self-Service Approval Step, OTP Check via RADIUS Step, Disable Cronto Push Initiation Step, Cronto Public Self-Service Approval Step,
OAuth 2.0 Session Reset Step, OAuth 2.0 Consent Deny Initiation Step, mTAN Verification Step, Date And Time From Map Value Provider, Boolean From Map Value Provider, Delete mTAN Number Initiation Step, mTAN Public Self-Service Approval Step, OAuth 2.0 Consent Step, Transaction Approval Parameter Step, Role-based Tag Acquisition Step, Flow Continuation Step, Remember-Me Token Generating Step, Device Token Registration Step, Remote Event Subscriber (Loginapp), Cronto Self-Service Approval Step, SSI Authentication Step, Acknowledge Message Step, Cronto Approval Stealth Step, Ticket String Provider, Airlock 2FA Device Edit Step, Airlock 2FA Self-Service Approval Step, Flow Continuation Token Consumption Step, Device Token Identity Verification Step, mTAN Transaction Approval Step, Risk Assessment Step, mTAN Authentication Step, SSO Ticket Authentication Step, Tag Removal Step, Voluntary Password Change Step, Airlock 2FA Activation Step, FIDO Credential Display Name Change Step, Mandatory Password Change Step, User Unlock Step (Self-Registration), Selection Step for Public Self-Service,
Delete FIDO Credential Initiation Step, Delete Cronto Device Initiation Step, Conditional Value Map Provider, FIDO Public Self-Service Approval Step, Public Self-Service OATH OTP Approval Step, Disable Cronto Device Initiation Step, FIDO Self-Service Approval Step
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA. It is recommended to use the same settings everywhere. Otherwise, the values provided by this data map can seem inconsistent.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: Airlock2FAAuthenticationDataValueMapProvider
id: Airlock2FAAuthenticationDataValueMapProvider-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:

Airlock 2FA Authentication Step

Description
Configuration of an Airlock 2FA authentication step for any of the factors One-Touch, Online QR Code, Passcode or Offline QR Code.

The identifier of the authentication method for this step is 'AIRLOCK_2FA' and is also the identifier for failed authentication attempts.

Note that for mobile-only authentication scenarios, the other authentication plugin "Airlock 2FA Mobile Only Authentication Step" should be used.

Type name
Airlock2FAUserFactorAuthenticationStep
Class
com.airlock.iam.authentication.application.configuration.airlock2fa.Airlock2FAUserFactorAuthenticationStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Factors (factors)
Description

Priority list of all enabled factors. Only factors that are in this list can be used for authentication. The factors are offered in the configured order.

Online factors (One-Touch and Online QR Code) must come before all other factors. It is recommended to include at least one offline factor.

Available factors:

  • One-Touch: a push message is sent to the user's mobile app, where it must be approved. This is an online factor and will require device selection if the user has multiple devices.
  • Online QR Code: a QR code is displayed in the browser, which has to be scanned by a mobile app and approved there. This is an online factor. No prior device selection is required.
  • Passcode: the device (mobile app or hardware token) generates a time-dependent code (OTP) that has to be entered manually in the browser. This is an offline factor. No prior device selection is required.
  • Offline QR Code: a QR code is displayed in the browser which has to be scanned by a mobile app or hardware token. The device displays a code (OTP) that must be entered manually in the browser. This is an offline factor and will require device selection if the user has multiple devices.

Attributes
String-List
Optional
Default value
[One-Touch, Passcode, Offline QR Code]
Max Failed Passcode Check Attempts (maxFailedPasscodeCheckAttempts)
Description
Defines the number of failed passcode checks that may occur before the flow is aborted. Setting this value to n means that the flow is aborted on the n + 1st failed attempt. This value must be less than "Max Failed Logins" in the "Authentication Flows" settings to be effective.
Attributes
Integer
Optional
Default value
3
Enforce Device Selection (enforceDeviceSelection)
Description
Defines if the device has to be selected even when there is only one selectable device.
Attributes
Boolean
Optional
Default value
false
Enable Push-to-All (enablePushToAll)
Description

If Push-to-All is enabled for One-Touch, device selection is never required for One-Touch. Push notifications are sent to all of a user's devices and authentication can be approved on any of the devices.

The combination of Push-to-All and "Cooldown Period" can result in push notifications being sent to devices that are currently still in cooldown. However, those devices can not be used for successfully completing the authentication.

The combination of Push-to-All and "Lock User on Fraud" could have undesired effects, because users might report fraud in legitimate use-cases.

Attributes
Boolean
Optional
Default value
false
One-Touch Message Provider (messageProvider)
Description

Creates the message that will be displayed on the user's device when using One-Touch. If no message provider is configured, only a title with the fixed translation key "airlock2fa.one-touch.authentication-title" or its fallback value "Login" is used.

Using a custom Message Provider could prevent authentication with a smartwatch: Because additional information is included, the app forces the user to scroll through the message (which might not be supported by the watch).

Attributes
Plugin-Link
Optional
Assignable plugins
QR Code Message Provider (qrCodeMessageProvider)
Description

Creates the message that will be displayed on the user's device when using Online QR Code or Offline QR Code factors. If no message provider is configured, the default title of Futurae will be shown (without any additional information items).

Note that the Login ID cannot be included because it is only available in the One-Touch Message Provider.

Also, because of technical limitations, the title of Offline QR Codes is always the default title from Futurae; for them the configured message provider is ignored.

Attributes
Plugin-Link
Optional
Assignable plugins
Enable Short-Lived Online QR Codes (enableShortLivedOnlineQrCodes)
Description

Whether to enable short-lived Online QR Codes. Unlike regular Online QR Codes, these are refreshed regularly, allowing for shorter individual validities.

Shorter validities enhance security, since forwarding a QR code to victims and tricking them to scan the QR code becomes more difficult if the available time window is small.

Attributes
Boolean
Optional
Default value
false
QR Code Validity [s] (shortLivedQrCodeValidity)
Description

The maximum amount of time in seconds for which an Online QR Code is valid after it is first displayed to the end user (ignoring latency). This duration includes the time defined for the validity overlap. It only limits the time for scanning the QR code, not for the confirmation or approval afterwards.

Security Notice: The validity duration represents the attack window. Choosing a small validity makes attacks more difficult, in cases where an attacker attempts to forward a QR code to a victim for scanning.

This setting is only active if short-lived Online QR Codes are enabled.

Attributes
Integer
Optional
Default value
10
QR Code Validity Overlap [s] (shortLivedQrCodeValidityOverlap)
Description

Defines the duration in seconds during which the previously displayed QR Code is still valid after being replaced by the next QR code in sequence.

This provides time for pending requests to complete and ensures that a valid QR code is displayed at every moment in time, provided that there are no network or performance issues.

The validity overlap must meet the following criteria:

  • It must be smaller than half the overall validity of the QR code.
  • It must be larger than the Loginapp UI polling interval (1s) plus the network latency (IAM backend → Loginapp UI plus Mobile Device → Futurae Backend).
    Note that the polling interval may differ for custom user interfaces.

This setting is only active if short-lived Online QR Codes are enabled.

Attributes
Integer
Optional
Default value
3
Session Timeout [s] (shortLivedSessionTimeout)
Description

Maximum duration in seconds during which short-lived Online QR Codes are displayed until a session timeout occurs.

This setting is used exclusively for short-lived Online QR Codes. It has no effect if short-lived Online QR Codes are disabled.

Attributes
Integer
Optional
Default value
60
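The ordering rule for Factors, the note on Max Failed Passcode Check Attempts and the short-lived QR code criteria above, encoded as an added Python example (not Airlock IAM code; the function names and the config-dict keys, taken from the YAML template below, are assumptions): it lints a step configuration before deployment and simulates the QR code rotation so that the meaning of validity and overlap is visible.

```python
"""Sanity checks for an Airlock2FAUserFactorAuthenticationStep configuration.

Added example, not Airlock IAM code. The rules are the ones stated in the
Factors, Max Failed Passcode Check Attempts and short-lived Online QR Code
property descriptions; function names and the dict keys are assumptions."""

ONLINE_FACTORS = ("One-Touch", "Online QR Code")
OFFLINE_FACTORS = ("Passcode", "Offline QR Code")


def check_factors(factors):
    """Known names, no duplicates, online factors before all offline ones,
    and (recommendation) at least one offline factor."""
    problems = []
    known = ONLINE_FACTORS + OFFLINE_FACTORS
    unknown = [f for f in factors if f not in known]
    if unknown:
        problems.append(f"unknown factors {unknown}")
    if len(set(factors)) != len(factors):
        problems.append("duplicate factors in priority list")
    offline_seen = False
    for f in factors:
        if f in OFFLINE_FACTORS:
            offline_seen = True
        elif f in ONLINE_FACTORS and offline_seen:
            problems.append(f"online factor '{f}' must come before all offline factors")
    if not any(f in OFFLINE_FACTORS for f in factors):
        problems.append("no offline factor configured (the docs recommend at least one)")
    return problems


def check_short_lived_qr(validity, overlap, polling_interval=1.0, latency=0.0):
    """Overlap criteria: smaller than half the validity, larger than the
    Loginapp UI polling interval (1 s by default) plus network latency."""
    problems = []
    if not overlap < validity / 2:
        problems.append(f"overlap {overlap}s must be smaller than half the validity ({validity / 2}s)")
    if not overlap > polling_interval + latency:
        problems.append(f"overlap {overlap}s must exceed polling {polling_interval}s + latency {latency}s")
    return problems


def check_step_config(cfg, max_failed_logins, expected_latency=0.0):
    """Lint a step config given as a dict of YAML template keys.
    max_failed_logins is 'Max Failed Logins' from the Authentication Flows
    settings, which lives outside this plugin."""
    factors = cfg.get("factors", [])
    problems = check_factors(factors)
    attempts = cfg.get("maxFailedPasscodeCheckAttempts", 3)
    if not attempts < max_failed_logins:
        problems.append(f"maxFailedPasscodeCheckAttempts {attempts} is ineffective: "
                        f"not below Max Failed Logins {max_failed_logins}")
    if cfg.get("enableShortLivedOnlineQrCodes", False):
        problems += check_short_lived_qr(cfg.get("shortLivedQrCodeValidity", 10),
                                         cfg.get("shortLivedQrCodeValidityOverlap", 3),
                                         latency=expected_latency)
        if "Online QR Code" not in factors:
            problems.append("short-lived QR codes enabled but 'Online QR Code' is not an enabled factor (no effect)")
    return problems


def qr_rotation_schedule(validity, overlap, session_timeout):
    """(shown_at, expires_at) of each short-lived Online QR Code. A code is
    replaced after validity - overlap seconds but stays valid for `overlap`
    more seconds, so two codes are accepted around every rotation."""
    period = validity - overlap
    if period <= 0:
        raise ValueError("overlap must be smaller than validity")
    schedule, t = [], 0
    while t < session_timeout:
        schedule.append((t, t + validity))
        t += period
    return schedule


def valid_codes_at(schedule, t):
    """Indices of the codes still accepted at time t."""
    return [i for i, (shown, expires) in enumerate(schedule) if shown <= t < expires]


def has_gap(schedule):
    """True if some instant has no valid code at all."""
    return any(nxt[0] > cur[1] for cur, nxt in zip(schedule, schedule[1:]))


if __name__ == "__main__":
    # Constructed config: template defaults plus short-lived codes switched on.
    cfg = {"factors": ["One-Touch", "Online QR Code", "Passcode", "Offline QR Code"],
           "maxFailedPasscodeCheckAttempts": 3, "enableShortLivedOnlineQrCodes": True,
           "shortLivedQrCodeValidity": 10, "shortLivedQrCodeValidityOverlap": 3,
           "shortLivedSessionTimeout": 60}
    print("problems:", check_step_config(cfg, max_failed_logins=5))
    sched = qr_rotation_schedule(10, 3, 60)
    print("codes shown until timeout:", len(sched), "first three:", sched[:3])
    print("valid at t=8s:", valid_codes_at(sched, 8), "at t=12s:", valid_codes_at(sched, 12))
    print("overlap 6s:", check_short_lived_qr(10, 6))
```

With the defaults (validity 10 s, overlap 3 s) a new code appears every 7 s and nine codes are shown before the 60 s session timeout; around each rotation two codes are accepted, which is what keeps a valid code on screen despite polling delay. The attack window for a relayed QR code is still the per-code validity, so shrinking it (while keeping the overlap above polling plus latency) is the lever the security notice refers to.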
Generate One-Touch Login ID (generateLoginId)
Description

If enabled, a random ID is generated and shown to the user during One-Touch authentication.

The ID is generated according to the pattern configured below.

The ID is shown on the Airlock 2FA device and on the login page, allowing the user to correlate the session.

The "One-Touch Message Provider" property must be configured for the Login ID to be displayed on the device. The message provider can use the Login ID by configuring a dedicated value provider.

If the multi-numbered challenge feature is enabled on the Futurae service, "Generate One-Touch Login ID" should be disabled. In that case, the Login ID does not provide any security enhancement but severely impacts usability.

Attributes
Boolean
Optional
Default value
true
Pattern (loginIdPattern)
Description
If enabled through the Generate One-Touch Login ID property, an ID is generated and shown to the user during One-Touch authentication according to the pattern defined in this property.

Pattern syntax:
pattern = fix_part | random_part [fix_part | random_part]*
random_part = {alphabet_name:number_of_characters}
fix_part = any_string_without_'{'

The alphabet_name refers either to a built-in alphabet (see below) or to a custom alphabet defined in the separate Alphabets property below.

Examples:
{digits:6} → 482913
OTP-{digits:4} → OTP-4821
{HEX:8} (with HEX defined in the custom Alphabets property below) → A9F03C1B

Built-in and ready-to-use alphabets are:

  • "digits" all decimal digits (i.e. the characters 0123456789)
  • "lower26" standard alphabet with 26 lowercase letters (i.e. the characters abcdefghijklmnopqrstuvwxyz)
  • "upper26" standard alphabet with 26 uppercase letters (i.e. the characters ABCDEFGHIJKLMNOPQRSTUVWXYZ)
  • "alpha52" standard alphabet with 26 upper- and 26 lowercase letters (i.e. the characters ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz)
  • "distinct" distinct standard characters: digits, upper- and lowercase letter without the hard to distinguish '0,O,1,l,I' (i.e. the characters 23456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ)
  • "DISTINCT" distinct standard characters (with uppercase letters): digits and uppercase letter without the hard to distinguish '0,O,1,I' (i.e. the characters 23456789ABCDEFGHJKLMNPQRSTUVWXYZ)
  • "extended" contains most of the characters visible on a computer keyboard without the hard to distinguish '0,O,1,l,I' (i.e. the characters +-.,:;$<>()[]{}%&!?/*@#=_23456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ)
    NOTE: Characters in this pattern do not pass the input filter for tokens (OTP, SMS, and alike). Choose a different pattern for tokens or relax the corresponding pattern (in the Loginapp's security settings). Characters may be blocked by a WAF deny rule.

Using custom alphabets:
1. Define an alphabet in the Alphabets property below.
2. Reference it in the pattern using {alphabet_name:number_of_characters}, where alphabet_name is the key of the alphabet in the Alphabets property.

NOTE: A pattern that results in a very long Login ID may negatively impact usability. It may also cause issues when generating the push message, as push messages are limited in length. To avoid rejection by Futurae during authentication, do not use special characters (e.g. from the 'extended' alphabet).

Attributes
String
Optional
Default value
{digits:6}
Example
{digits:6}
Example
{DISTINCT:4}
Example
OTP-{digits:4}
Alphabets (loginIdAlphabets)
Description
A map of custom alphabets that can be referenced in the Pattern property.

How it works:
The map key defines the alphabet_name.
The plugin (alphabet) defines the characters used for sampling during random generation.
The alphabet can then be referenced in the Pattern property above using {alphabet_name:number_of_characters}.

Example configuration:
Key (alphabet_name): HEX
Plugin: Alphabet with the following characters 0123456789ABCDEF

Example usage in the Pattern property above:
{HEX:8} → A9F03C1B
OTP-{HEX:6} → OTP-4F9A2C

Attributes
Plugin-Map
Optional
Assignable plugins
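The Pattern grammar and the Alphabets map above, worked through as an added Python example (not Airlock IAM code): a parser for the documented pattern syntax, the built-in alphabets exactly as listed, custom alphabets passed as a dict mirroring the Alphabets map, sampling with a CSPRNG, and two checks worth running before choosing a pattern: how many bits of randomness the Login ID carries, and whether it can emit the special characters the notes above warn about. Function names are assumptions.

```python
"""Login ID generation for an Airlock IAM style pattern such as 'OTP-{digits:4}'.

Added example, not Airlock IAM code. Grammar and built-in alphabets are the
ones documented for the Pattern property; function names are assumptions."""
import math
import re
import secrets

# Built-in alphabets exactly as listed in the Pattern property description.
BUILTIN_ALPHABETS = {
    "digits": "0123456789",
    "lower26": "abcdefghijklmnopqrstuvwxyz",
    "upper26": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "alpha52": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "distinct": "23456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ",
    "DISTINCT": "23456789ABCDEFGHJKLMNPQRSTUVWXYZ",
    "extended": "+-.,:;$<>()[]{}%&!?/*@#=_23456789abcdefghijkmnopqrstuvwxyz"
                "ABCDEFGHJKLMNPQRSTUVWXYZ",
}

# random_part = {alphabet_name:number_of_characters}
_RANDOM_PART = re.compile(r"\{([^{}:]+):(\d+)\}")


def parse_pattern(pattern, custom_alphabets=None):
    """Split a pattern into ('fix', text) and ('random', alphabet, n) parts.
    A fix part is any text without '{'; anything starting with '{' must be
    a well-formed random part naming a built-in or custom alphabet."""
    alphabets = {**BUILTIN_ALPHABETS, **(custom_alphabets or {})}
    parts, pos = [], 0
    while pos < len(pattern):
        if pattern[pos] != "{":
            end = pattern.find("{", pos)
            end = len(pattern) if end < 0 else end
            parts.append(("fix", pattern[pos:end]))
            pos = end
            continue
        m = _RANDOM_PART.match(pattern, pos)
        if m is None:
            raise ValueError(f"malformed random part at offset {pos}: {pattern[pos:]!r}")
        name, count = m.group(1), int(m.group(2))
        if name not in alphabets:
            raise ValueError(f"unknown alphabet {name!r}")
        if count < 1 or not alphabets[name]:
            raise ValueError(f"random part {m.group(0)} would produce nothing")
        parts.append(("random", alphabets[name], count))
        pos = m.end()
    return parts


def is_valid_pattern(pattern, custom_alphabets=None):
    try:
        parse_pattern(pattern, custom_alphabets)
        return True
    except ValueError:
        return False


def generate_login_id(pattern, custom_alphabets=None, choice=secrets.choice):
    """Render one Login ID. `choice` defaults to the CSPRNG-backed
    secrets.choice and is injectable so that tests can fix the output."""
    out = []
    for part in parse_pattern(pattern, custom_alphabets):
        if part[0] == "fix":
            out.append(part[1])
        else:
            _, alphabet, n = part
            out.append("".join(choice(alphabet) for _ in range(n)))
    return "".join(out)


def entropy_bits(pattern, custom_alphabets=None):
    """Randomness of an ID in bits: n * log2(|alphabet|) summed over the
    random parts. Fix parts add nothing."""
    bits = 0.0
    for part in parse_pattern(pattern, custom_alphabets):
        if part[0] == "random":
            bits += part[2] * math.log2(len(part[1]))
    return bits


def may_emit_special_characters(pattern, custom_alphabets=None):
    """True if a random part can produce characters outside [A-Za-z0-9],
    which the notes above say fail the token input filter, may hit a WAF
    deny rule and can be rejected by Futurae (e.g. the 'extended' alphabet)."""
    return any(part[0] == "random" and not part[1].isalnum()
               for part in parse_pattern(pattern, custom_alphabets))


if __name__ == "__main__":
    custom = {"HEX": "0123456789ABCDEF"}  # the Alphabets map example from the docs
    for pat in ("{digits:6}", "{DISTINCT:4}", "OTP-{digits:4}", "{HEX:8}", "{extended:6}"):
        print(f"{pat:16} -> {generate_login_id(pat, custom):14} "
              f"{entropy_bits(pat, custom):5.1f} bits "
              f"special={may_emit_special_characters(pat, custom)}")
```

The entropy figure is what matters for the ID's purpose: {digits:6} and {DISTINCT:4} both give roughly 20 bits, enough that a user comparing the value on the login page with the one in the app will not be fooled by coincidence, while the shorter DISTINCT form avoids 0/O and 1/I confusion. Prefixes such as OTP- add readability but no randomness, and any pattern flagged by may_emit_special_characters needs the token input filter relaxed or a different alphabet.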
Tags On Successful One-Touch (tagsOnSuccessfulOneTouch)
Description
Additional success tags to be granted if the step is completed using One-Touch.
Attributes
Plugin-List
Optional
Assignable plugins
Tags On Successful Online QR Code (tagsOnSuccessfulOnlineQrCode)
Description
Additional success tags to be granted if the step is completed using online QR Code.
Attributes
Plugin-List
Optional
Assignable plugins
Tags On Successful Passcode Check (tagsOnSuccessfulPasscodeCheck)
Description
Additional success tags to be granted if the step is completed using passcode.
Attributes
Plugin-List
Optional
Assignable plugins
Tags On Successful Offline QR Code (tagsOnSuccessfulOfflineQrCode)
Description
Additional success tags to be granted if the step is completed using Offline QR Code.
Attributes
Plugin-List
Optional
Assignable plugins
Tags On Successful Bypass (tagsOnSuccessfulBypass)
Description
Additional success tags to be granted if the step is completed using bypass.
Attributes
Plugin-List
Optional
Assignable plugins
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown cannot be used for authentication.

If disabled, the step ignores the "Cooldown Period" for new devices configured in the "Airlock 2FA Settings". This is typically used for authentication steps that protect low-risk applications, such as a portal page, which can also be accessed using devices in cooldown.

If no "Cooldown Period" is defined, enabling this property has no effect.

Attributes
Boolean
Optional
Default value
true
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: Airlock2FAUserFactorAuthenticationStep
id: Airlock2FAUserFactorAuthenticationStep-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  enablePushToAll: false
  enableShortLivedOnlineQrCodes: false
  enforceDeviceSelection: false
  factors: [One-Touch, Passcode, Offline QR Code]
  generateLoginId: true
  interactiveGotoTargets:
  loginIdAlphabets:
  loginIdPattern: {digits:6}
  maxFailedPasscodeCheckAttempts: 3
  messageProvider:
  onFailureGotos:
  preCondition:
  qrCodeMessageProvider:
  requiresActivation: false
  respectCooldownPeriod: true
  shortLivedQrCodeValidity: 10
  shortLivedQrCodeValidityOverlap: 3
  shortLivedSessionTimeout: 60
  skipCondition:
  stepId:
  tagsOnSuccess:
  tagsOnSuccessfulBypass:
  tagsOnSuccessfulOfflineQrCode:
  tagsOnSuccessfulOneTouch:
  tagsOnSuccessfulOnlineQrCode:
  tagsOnSuccessfulPasscodeCheck:

Airlock 2FA Authentication UI

Description
User interface configuration for "Airlock 2FA Authentication Step" authentication flow step.
Type name
Airlock2FAUserFactorAuthenticationStepUi
Class
com.airlock.iam.login.rest.application.configuration.ui.authentication.Airlock2FAUserFactorAuthenticationStepUiConfig
May be used by
Properties
Step ID (stepId)
Description
The ID of the step to which this user interface is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Show App Approval Link (showAppApprovalLink)
Description
If enabled, when authenticating using the Online QR Code factor, an app device link is displayed below the QR code. The user may then click the link to approve the authentication in the mobile app instead of scanning the QR code. This is useful when users authenticate on their mobile devices and thus cannot scan the displayed QR code.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: Airlock2FAUserFactorAuthenticationStepUi
id: Airlock2FAUserFactorAuthenticationStepUi-xxxxxx
displayName: 
comment: 
properties:
  showAppApprovalLink: true
  stepId:

Airlock 2FA Authenticator

Description
Authenticator for Airlock 2FA.

Customize the string resource airlock2fa.one-touch.authentication-title to define the text that is displayed after the word "Approve" for One-Touch authentications.

Type name
Airlock2FAAuthenticator
Class
com.airlock.iam.factor.application.configuration.airlock2fa.Airlock2FAAuthenticatorConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Factors (factors)
Description

Priority list of all enabled factors. Only factors that are in this list can be used for authentication. The factors are offered in the configured order.

Online factors (One-Touch and Online QR Code) must come before all other factors. It is recommended to include at least one offline factor.

Available factors:

  • One-Touch: a push message is sent to the user's mobile app, where it must be approved. This is an online factor and will require device selection if the user has multiple devices.
  • Passcode: the device (mobile app or hardware token) generates a time-dependent code (OTP) that has to be entered manually. This is an offline factor. No prior device selection is required.
  • Offline QR Code: a QR code is returned which has to be scanned by a mobile app or hardware token. The device displays a code (OTP) that must be entered manually. This is an offline factor and will require device selection if the user has multiple devices.

If this plugin is configured in a 'Radius Authentication Service', the only two valid configurations here are: 1) One-Touch followed by Passcode or 2) One-Touch.

Attributes
String-List
Optional
Default value
[One-Touch, Passcode, Offline QR Code]
User Persister (userPersister)
Description
The user persister to access IAM users.
Attributes
Plugin-Link
Mandatory
Assignable plugins
String Resources File (stringResourcesFile)
Description
Specifies the prefix of the file(s) containing the language dependent string resources. Example: If the value of this property is strings, the language dependent files must be strings_de.properties, strings_en.properties and so on and the default file must be strings.properties.
Attributes
String
Optional
Default value
strings
YAML Template (with default values)

type: Airlock2FAAuthenticator
id: Airlock2FAAuthenticator-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  factors: [One-Touch, Passcode, Offline QR Code]
  stringResourcesFile: strings
  userPersister:

Airlock 2FA Consistency User Change Listener

Description
A listener that reacts to change events on users and keeps the Airlock 2FA account in a consistent state. Actions:
  • on user deletion: deletes the associated Airlock 2FA account.
  • on user name change: updates the user reference of the Airlock 2FA account.
Type name
Airlock2FAConsistencyUserChangeListener
Class
com.airlock.iam.factor.application.configuration.airlock2fa.Airlock2FAConsistencyUserChangeListener
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2FASettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: Airlock2FAConsistencyUserChangeListener
id: Airlock2FAConsistencyUserChangeListener-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:

Airlock 2FA Database Repository

Description
Persists and loads data for Airlock 2FA.
Type name
Airlock2FARepository
Class
com.airlock.iam.factor.application.configuration.airlock2fa.Airlock2FARepositoryConfig
May be used by
License-Tags
Airlock2FA
Properties
SQL Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Storage Encryption (storageEncryptionConfig)
Description
Defines how activation codes are encrypted when stored on the database. This ensures that an adversary obtaining data from the database cannot read or modify activation codes without knowing the secret for decryption.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Log Queries (logQueries)
Description
Enable to log SQL queries (only effective if the log level is at least INFO). Attention: query values (including potentially sensitive data) will be logged as well.
Attributes
Boolean
Optional
Default value
false
Tenant ID (tenantId)
Description
The value which is added to database records to distinguish between different tenants. The value is also used when retrieving data from the persistence.
If no value is configured, then 'no_tenant' is used as value on the database.
Attributes
String
Optional
Length <= 50
Validation RegEx: (?!no_tenant$).*
Example
customerA
Example
customerB
YAML Template (with default values)

type: Airlock2FARepository
id: Airlock2FARepository-xxxxxx
displayName: 
comment: 
properties:
  logQueries: false
  sqlDataSource:
  storageEncryptionConfig:
  tenantId:

Airlock 2FA Delete Devices Step

Description
Step to non-interactively delete Airlock 2FA devices of the current user.
The devices which will be deleted can be configured by the corresponding property.
In case the user does not have an Airlock 2FA Account, the step succeeds without deleting any devices.

Common use cases which can be achieved with this step are:

  • Remove all Airlock 2FA devices.
  • Remove all Airlock 2FA devices except previously activated devices in this flow.
  • Remove all Airlock 2FA devices except the last registered device.
  • Remove the Airlock 2FA device which was used for login unless it is the last device.
Type name
Airlock2FADeleteDevicesStep
Class
com.airlock.iam.flow.shared.application.configuration.airlock2fa.Airlock2FADeleteDevicesStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2FASettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Devices To Delete (devicesToDelete)
Description
Devices which will be deleted.
In case no device ID is provided, the step succeeds without deleting any devices.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: Airlock2FADeleteDevicesStep
id: Airlock2FADeleteDevicesStep-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  devicesToDelete:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Device Activated

Description
Event that is triggered by an activation of an Airlock 2FA device.
Type name
Airlock2FADeviceActivatedSubscribedEvent
Class
com.airlock.iam.login.application.configuration.event.Airlock2FADeviceActivatedSubscribedEventConfig
May be used by
Properties
YAML Template (with default values)

type: Airlock2FADeviceActivatedSubscribedEvent
id: Airlock2FADeviceActivatedSubscribedEvent-xxxxxx
displayName: 
comment: 
properties:

Airlock 2FA Device Deleted

Description
Event that is triggered by the deletion of an Airlock 2FA device.
Type name
Airlock2FADeviceDeletedSubscribedEvent
Class
com.airlock.iam.common.application.configuration.event.Airlock2FADeviceDeletedSubscribedEventConfig
May be used by
Properties
YAML Template (with default values)

type: Airlock2FADeviceDeletedSubscribedEvent
id: Airlock2FADeviceDeletedSubscribedEvent-xxxxxx
displayName: 
comment: 
properties:

Airlock 2FA Device Deletion Initiation Step

Description
Step to initiate the deletion of an Airlock 2FA device. The actual deletion will be done in the "Apply Changes Step" which requires an "Airlock 2FA Apply Device Deletion Change" to perform the actual deletion.
Type name
Airlock2FASelfServiceDeviceDeleteInitiationStep
Class
com.airlock.iam.selfservice.application.configuration.step.Airlock2FASelfServiceDeviceDeleteInitiationStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2FASettings)
Description
The Airlock 2FA Settings. Verify that the corresponding apply handler uses the same settings.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allow Deleting All Devices (canUserDeleteAllDevices)
Description
If this option is enabled, a user may delete all of their Airlock 2FA app devices in the Airlock 2FA device management. In this case, the user will no longer be able to log in with Airlock 2FA unless they possess an Airlock 2FA hardware device. Note that a user cannot delete assigned Airlock 2FA hardware devices, so this setting affects only app devices.

Deprecated: this property will be removed in the next major version of Airlock IAM. Instead, configure the plugin "Airlock 2FA Device Deletion Possible" as an Access Condition inside the protected self-service flow where this step is configured. This ensures that a user has sufficiently many Airlock 2FA app devices before entering the flow.
After this flag is removed, this step will act as if this flag is enabled, which means that it will potentially delete the last device of a user.

Attributes
Boolean
Optional
Default value
false
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: Airlock2FASelfServiceDeviceDeleteInitiationStep
id: Airlock2FASelfServiceDeviceDeleteInitiationStep-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:
  canUserDeleteAllDevices: false
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Device Deletion Possible

Description
Condition that determines whether the current user is allowed to delete an Airlock 2FA app device. For device deletion to be possible, the user needs to have at least one app device. If "Allow Deleting All Devices" is disabled, at least two app devices are required. This is to ensure that the user will still be able to log in with Airlock 2FA after device deletion was performed.
Type name
Airlock2FADeviceDeletionPossibleCondition
Class
com.airlock.iam.flow.shared.application.configuration.condition.Airlock2FADeviceDeletionPossibleConditionConfig
May be used by
User Identification By Data Step, OAuth 2.0 Consent Grant Initiation Step, FIDO Registration Step, Set Context Data Step, Legacy ID Propagation Adapter, Airlock 2FA Activation Trusted Session Binding Step, Selection Step for Self-Service, Cronto Device Reset Step, Default Enable Cronto Device Flow, Airlock 2FA Authentication Step, OAuth 2.0 Client Persisting Step, Send Email Link Step, Phone Number Verification Step, Set Authentication Method Step, Email OTP Authentication Step, FIDO Transaction Approval Step, HTTP Basic Authentication Step, Delete OAuth 2.0 Session Initiation Step, Secret Questions Identity Verification Step, Custom Protected Self-Service Flow, SSI Passwordless Authentication Step, User Data Registration Step, Failure Step, Select mTAN Token Step, SAML 2.0 SP User Identifying Step, Account Link Removal Initiation Step, No Operation Step, Cronto Transaction Approval Step, Cronto Device List, OAuth 2.0 Client Registration Step, Password Change Self-Service Step, Airlock 2FA Device Deletion Initiation Step, Apply Changes Step,
Selection Option For Public Self-Service, Airlock 2FA Activation Step (with additional Activation), Legacy mTAN Registration Flow, Enable Cronto Push Initiation Step, Start User Representation Step, Selection Option For User Self-Registration, OAuth 2.0 Session List, Representation SSO Ticket Identifying Step, User Role Assignment Step, Default Cronto Device Removal Flow, Email Verification Step, OATH OTP Activation Step, Airlock 2FA Mobile Only Authentication Step, Target Applications and Authentication, Airlock 2FA Public Self-Service Approval Step, Default OAuth 2.0 Consent Grant Flow, FIDO Credential Selection Step, Matrix Self-Service Approval Step, User Data Edit Step, Set Password Step, Cronto Letter Order Step, Username Password Authentication Step, Default Cronto Device Renaming Flow, OIDC Flow Condition To ACR Value Mapping, Default FIDO Credential Display Name Change Flow, Selection Step, Default mTAN Deletion Flow, Cronto Activation Step, Remember-Me Device List, User Identification By Data Step (Public Self-Service), Vasco OTP Authentication Step, User Lock Step, Logical NOT, Certificate Credential Extraction Step,
Stop User Representation Step, OAuth 2.0 Consents Delete Initiation Step, Default FIDO Credential Removal Flow, mTAN Token Edit Step, CrontoSign Swiss Push Activation Step, Airlock 2FA Transaction Approval Step, Missing Account Link Step, User Identification Step, Rename Cronto Device Step, User Identification with FIDO Authentication Step, Airlock 2FA Recovery Trusted Session Binding Step, Default Account Link Linking Flow, User Persisting Step, Secret Questions Provisioning Step, Selection Option For Self-Service, Kerberos Authentication Step, Complete Migration Step, Never Migrate Step, Application Portal Target, Migration Selection Step, Account Link Linking Initiation Step, Username Generation Step, Airlock 2FA Device List, Email Notification Step, Airlock 2FA Activation Letter Order Step, SMS Identity Verification Step, Matrix Public Self-Service Approval Step, Default Enable FIDO Credential Flow, Airlock 2FA Device Edit Initiation Step, Enable Cronto Device Initiation Step, Matrix Checking Step, Red Flag Raising Step, Scriptable Step, Login From New Device Step,
Default Disable Cronto Push Flow, FIDO Credential List, Password Letter Order Step, Device Token Authentication Step, Unlock User Step (Public Self-Service), Condition-based Role Provider, Set Authentication Method Migration Step, SSI Issuance Step, Default mTAN Token Registration Flow, Default Remember-Me Device Deletion Flow, FIDO Passwordless Authentication Step, Remember-Me User Identifying Step, Password Reset Step, Selection Option, FIDO Authentication Step, On Behalf Login Identity Propagation, Terms Of Services Step, Email Change Verification Step, Vasco OTP Self-Service Approval Step, Airlock 2FA Delete Devices Step, Password-only Authentication Step, SSI Self-Registration Issuance Step, Username Password with FIDO Authentication Step, User Identification Step (Public Self-Service), SSI Verification Step, mTAN Self-Service Approval Step, Legacy Email OTP Authentication Step, Cronto Device Selection Step, OAuth 2.0 Consent List, Abort Step, mTAN Token Registration Step, Email OTP Transaction Approval Step, Default Disable FIDO Credential Flow,
Default mTAN Token Edit Flow, Disable FIDO Credential Initiation Step, Enable FIDO Credential Initiation Step, OAuth 2.0 SSO Step, Remember-Me Reset Step, Cronto Authentication Step, Delete Remember-Me Device Initiation Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, Airlock 2FA Usernameless Authentication Step, Email Identity Verification Step, Default OAuth 2.0 Consent Deny Flow, OATH OTP Authentication Step, Password Repository Mapping, Target URI ID Propagator, Vasco OTP Public Self-Service Approval Step, OTP Check via RADIUS Step, Disable Cronto Push Initiation Step, Cronto Public Self-Service Approval Step, OAuth 2.0 Session Reset Step, OAuth 2.0 Consent Deny Initiation Step, Flow Condition-based OAuth 2.0 Scope Condition, Flow Condition To Authentication Context Mapping, mTAN Verification Step, Delete mTAN Number Initiation Step, Default OAuth 2.0 Consents Delete Flow, Generic ID Propagator, mTAN Public Self-Service Approval Step, OAuth 2.0 Consent Step, Transaction Approval Parameter Step, Role-based Tag Acquisition Step, Flow Continuation Step, Remember-Me Token Generating Step,
Device Token Registration Step, Cronto Self-Service Approval Step, SSI Authentication Step, Acknowledge Message Step, Default Enable Cronto Push Flow, Cronto Approval Stealth Step, Airlock 2FA Device Edit Step, Airlock 2FA Self-Service Approval Step, Flow Continuation Token Consumption Step, Device Token Identity Verification Step, mTAN Transaction Approval Step, Device Token List, Account Linking Lists Self Services, Risk Assessment Step, Default Account Link Removal Flow, mTAN Number List, mTAN Authentication Step, Advanced Migration Selection Option, SSO Ticket Authentication Step, Tag Removal Step, Voluntary Password Change Step, Airlock 2FA Activation Step, FIDO Credential Display Name Change Step, Mandatory Password Change Step, User Unlock Step (Self-Registration), Selection Step for Public Self-Service, Delete FIDO Credential Initiation Step, Delete Cronto Device Initiation Step, Conditional Value Map Provider, Logical AND, FIDO Public Self-Service Approval Step, Public Self-Service OATH OTP Approval Step, Disable Cronto Device Initiation Step, Default OAuth 2.0 Session Deletion Flow,
FIDO Self-Service Approval Step, Default Disable Cronto Device Flow, Logical OR
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allow Deleting All Devices (canUserDeleteAllDevices)
Description
If this option is enabled, a user may delete all of their Airlock 2FA app devices. In that case, the user will no longer be able to log in with Airlock 2FA unless they are in possession of an Airlock 2FA hardware device. Note that a user cannot delete assigned Airlock 2FA hardware devices, so this setting affects only app devices.
Attributes
Boolean
Optional
Default value
false
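The rule stated above (at least one app device; at least two unless "Allow Deleting All Devices" is enabled; hardware devices never count because they cannot be deleted by the user) can be modelled as a small decision function. The following is an added illustration, not Airlock IAM code; the Device record and the sample device lists are constructed for the example.

```python
"""Model of the "Airlock 2FA Device Deletion Possible" rule.

Added example, not Airlock IAM code. The Device record is a constructed
stand-in for whatever IAM holds per registered 2FA device.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Device:
    device_id: str
    is_hardware: bool   # hardware devices cannot be deleted via self-service


def app_device_count(devices: List[Device]) -> int:
    """Only app devices are relevant for the deletion rule."""
    return sum(1 for d in devices if not d.is_hardware)


def deletion_possible(devices: List[Device], can_user_delete_all: bool) -> bool:
    """Evaluate the condition as the page describes it.

    - no app device at all: nothing the user could delete -> False
    - "Allow Deleting All Devices" enabled: one app device suffices
    - otherwise two app devices are required, so that at least one
      app device remains after the deletion
    """
    count = app_device_count(devices)
    if count == 0:
        return False
    if can_user_delete_all:
        return True
    return count >= 2


def deletable_device_ids(devices: List[Device], can_user_delete_all: bool) -> List[str]:
    """IDs a deletion UI may offer: app devices only, and only when the
    condition holds at all."""
    if not deletion_possible(devices, can_user_delete_all):
        return []
    return [d.device_id for d in devices if not d.is_hardware]


if __name__ == "__main__":
    # constructed sample: one app device plus one hardware token
    sample = [Device("app-1", False), Device("hw-1", True)]
    print(deletion_possible(sample, can_user_delete_all=False))  # False: only one app device
    print(deletion_possible(sample, can_user_delete_all=True))   # True
```

Note that with the default setting the hardware device does not make deletion of the single app device "safe" in this model: the condition counts app devices only, exactly as the description states.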
YAML Template (with default values)

type: Airlock2FADeviceDeletionPossibleCondition
id: Airlock2FADeviceDeletionPossibleCondition-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  canUserDeleteAllDevices: false

Airlock 2FA Device Edit Initiation Step

Description
Step to initiate the edit of an Airlock 2FA device. The edit itself is performed by the "Apply Changes Step", which requires an "Airlock 2FA Apply Device Edit Change" to do so.
Type name
Airlock2FASelfServiceDeviceEditInitiationStep
Class
com.airlock.iam.selfservice.application.configuration.step.Airlock2FASelfServiceDeviceEditInitiationStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2FASettings)
Description
The Airlock 2FA Settings. Verify that the corresponding apply handler uses the same settings.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Enforce Unique Display Names (enforceUniqueDisplayNames)
Description
If enabled, this step ensures that the changed display name is not already used by another device. Leading and trailing whitespace is ignored in the comparison. For example, changing the device name from "My Device" to " My Device " will lead to a validation error. This property does not forbid entering the display name the current device already has, i.e., not changing the display name.
Attributes
Boolean
Optional
Default value
true
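The uniqueness check described above (whitespace-insensitive comparison against the other devices, while re-entering the current device's own name stays allowed) is illustrated by the following added example. It is not Airlock IAM code; the device-id-to-name mapping is a constructed sample, and the page's "My Device" example is read here as a collision with another device that already carries that name.

```python
"""Model of the "Enforce Unique Display Names" check.

Added example, not Airlock IAM code. `devices` maps a device id to its
current display name and is a constructed sample structure.
"""
from typing import Dict


def normalize_display_name(name: str) -> str:
    """Leading and trailing whitespace is ignored for the comparison."""
    return name.strip()


def display_name_change_allowed(devices: Dict[str, str],
                                device_id: str,
                                new_name: str,
                                enforce_unique: bool = True) -> bool:
    """Return True if `device_id` may be renamed to `new_name`.

    With enforce_unique=False (the property disabled) every name passes.
    With enforce_unique=True the normalized new name must not equal the
    normalized name of any *other* device; the device's own current name
    is explicitly allowed (a no-op rename is not a validation error).
    """
    if device_id not in devices:
        raise KeyError(f"unknown device {device_id!r}")
    if not enforce_unique:
        return True
    candidate = normalize_display_name(new_name)
    for other_id, other_name in devices.items():
        if other_id == device_id:
            continue
        if normalize_display_name(other_name) == candidate:
            return False
    return True


if __name__ == "__main__":
    sample = {"dev-1": "My Device", "dev-2": "Phone"}
    # the page's example: " My Device " collides with dev-1 -> rejected
    print(display_name_change_allowed(sample, "dev-2", " My Device "))  # False
    # re-entering the device's own name (with padding) is still allowed
    print(display_name_change_allowed(sample, "dev-1", " My Device "))  # True
```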
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: Airlock2FASelfServiceDeviceEditInitiationStep
id: Airlock2FASelfServiceDeviceEditInitiationStep-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  enforceUniqueDisplayNames: true
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Device Edit Step

Description

Step to edit a newly added Airlock 2FA device.

This step can be used after an 'Airlock 2FA Activation Step' to, for example, change the display name of the new device. See the documentation of 'Airlock 2FA Activation Step' for the cases in which this step should be configured as an 'Authentication Flow Step' or as a 'Protected Self-Service Flow Step'.

Note that this step cannot be used to edit already activated Airlock 2FA devices (devices that were not activated by an 'Airlock 2FA Activation Step' in the same session). For this use case, a 'Protected Self-Service Flow' with an 'Airlock 2FA Device Edit Initiation Step' and a corresponding 'Apply Changes Step' should be used.

Type name
Airlock2FADeviceEditStep
Class
com.airlock.iam.flow.shared.application.configuration.airlock2fa.Airlock2FADeviceEditStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Enforce Unique Display Names (enforceUniqueDisplayNames)
Description
If enabled, this step will ensure that the display name is not already used by another device.
Attributes
Boolean
Optional
Default value
true
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: Airlock2FADeviceEditStep
id: Airlock2FADeviceEditStep-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  enforceUniqueDisplayNames: true
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Device In Cooldown Used

Description
Event that is triggered if an Airlock 2FA device is used during its cooldown period.
Type name
Airlock2FADeviceInCooldownUsedSubscribedEvent
Class
com.airlock.iam.login.application.configuration.event.Airlock2FADeviceInCooldownUsedSubscribedEventConfig
May be used by
Properties
YAML Template (with default values)

type: Airlock2FADeviceInCooldownUsedSubscribedEvent
id: Airlock2FADeviceInCooldownUsedSubscribedEvent-xxxxxx
displayName: 
comment: 
properties:

Airlock 2FA Device List

Description
Configures the Airlock 2FA device list REST self-service. Additional self-service functionality can be configured in "Protected Self-Service Flows".
Type name
Airlock2FADeviceListSelfServiceRest
Class
com.airlock.iam.selfservice.application.configuration.Airlock2FADeviceListSelfServiceRestConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2FASettings)
Description
The Airlock 2FA Settings.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access the Airlock 2FA device list.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access the Airlock 2FA device list without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
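The two conditions above differ in evaluation order and in what a failure means to the caller: the Access Condition is checked first and a failure is terminal for the request (403, PRECONDITION_NOT_FULFILLED), whereas an Authorization Condition failure (403, NOT_AUTHORIZED) signals that a step-up flow could remedy it. The following added example models that evaluation for a self-service endpoint; it is not Airlock IAM code, and the Session record, the role/tag condition helpers and the sample sessions are constructed for the illustration.

```python
"""Model of the Access Condition / Authorization Condition evaluation order.

Added example, not Airlock IAM code. Session, has_role and has_tag are
constructed stand-ins; the status codes and error codes are the ones the
page states.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional, Set, Tuple

PRECONDITION_NOT_FULFILLED = "PRECONDITION_NOT_FULFILLED"
NOT_AUTHORIZED = "NOT_AUTHORIZED"


@dataclass
class Session:
    roles: Set[str] = field(default_factory=set)   # static roles
    tags: Set[str] = field(default_factory=set)    # tags obtained from flows


Condition = Callable[[Session], bool]


def has_role(role: str) -> Condition:
    """Typical access condition: a static role."""
    return lambda s: role in s.roles


def has_tag(tag: str) -> Condition:
    """Typical authorization condition: a tag granted by an earlier flow step."""
    return lambda s: tag in s.tags


def check_self_service_access(session: Session,
                              access_condition: Optional[Condition],
                              authorization_condition: Optional[Condition]
                              ) -> Tuple[int, Optional[str]]:
    """Return (http_status, error_code); (200, None) means the request proceeds.

    An unconfigured condition counts as fulfilled. The access condition is
    always evaluated first, so a session failing both receives
    PRECONDITION_NOT_FULFILLED, never NOT_AUTHORIZED.
    """
    if access_condition is not None and not access_condition(session):
        return 403, PRECONDITION_NOT_FULFILLED
    if authorization_condition is not None and not authorization_condition(session):
        return 403, NOT_AUTHORIZED   # a step-up flow may fix this
    return 200, None


def step_up_would_help(session: Session,
                       access_condition: Optional[Condition],
                       authorization_condition: Optional[Condition]) -> bool:
    """True only when the single blocker is the authorization condition."""
    status, code = check_self_service_access(session, access_condition, authorization_condition)
    return status == 403 and code == NOT_AUTHORIZED


if __name__ == "__main__":
    access = has_role("user")
    authz = has_tag("2fa-device-management")
    for s in (Session(), Session(roles={"user"}), Session(roles={"user"}, tags={"2fa-device-management"})):
        print(check_self_service_access(s, access, authz))
```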
YAML Template (with default values)

type: Airlock2FADeviceListSelfServiceRest
id: Airlock2FADeviceListSelfServiceRest-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  airlock2FASettings:
  authorizationCondition:

Airlock 2FA Device Management UI

Description
Configures the Airlock 2FA device management user interface.

Depending on the configuration, the user interface allows an authenticated user:

  • to delete an Airlock 2FA device;
  • to change the display name of an Airlock 2FA device;
  • to activate a new Airlock 2FA device.

The device management interface is accessible at /<loginapp-uri>/ui/app/protected/tokens/airlock-2fa/devices after user authentication.

Type name
Airlock2FADeviceManagementUi
Class
com.airlock.iam.selfservice.application.configuration.ui.tokens.Airlock2FADeviceManagementUiConfig
May be used by
License-Tags
Airlock2FA
Properties
Flow To Delete Device (flowToDeleteDevice)
Description
ID of the flow which is used for deletion of an Airlock 2FA device. If not configured, the user will not be able to delete a device via the management UI. The first interactive step in the specified flow must be an "Airlock 2FA Device Deletion Initiation Step".
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Change Display Name (flowToChangeDisplayName)
Description
ID of the flow which is used for changing the display name of an Airlock 2FA device. If not configured, the user will not be able to edit the display name of a device via the management UI. The first interactive step in the specified flow must be an "Airlock 2FA Device Edit Initiation Step".
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Activate App Device (flowToActivateAppDevice)
Description
ID of the flow which is used for activating an Airlock 2FA device. If not configured, the user will not be able to activate a new device via the management UI.
Attributes
Plugin-Link
Optional
Assignable plugins
Page Exit Target (pageExitTarget)
Description

If configured, an additional button that lets the user exit the page is displayed on the Airlock 2FA device management UI. On click, this button redirects the user to the configured target.

To redirect to a target application, redirect to the corresponding "Authentication Flow". If the flow can be skipped due to the obtained tags, the user is directly forwarded to the target application.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: Airlock2FADeviceManagementUi
id: Airlock2FADeviceManagementUi-xxxxxx
displayName: 
comment: 
properties:
  flowToActivateAppDevice:
  flowToChangeDisplayName:
  flowToDeleteDevice:
  pageExitTarget:

Airlock 2FA Device Management UI Redirect

Description
Redirects to the "Airlock 2FA Device Management UI".
Type name
Airlock2FADeviceManagementFlowRedirectTarget
Class
com.airlock.iam.selfservice.application.configuration.ui.tokens.Airlock2FADeviceManagementFlowRedirectTargetConfig
May be used by
License-Tags
Airlock2FA
Properties
YAML Template (with default values)

type: Airlock2FADeviceManagementFlowRedirectTarget
id: Airlock2FADeviceManagementFlowRedirectTarget-xxxxxx
displayName: 
comment: 
properties:

Airlock 2FA Information Item

Description
An information item (key-value pair) that is shown on the Airlock 2FA app and has to be approved by the user. Both the key and the value can be parameterised.
Type name
Airlock2FAInformationItem
Class
com.airlock.iam.flow.shared.application.configuration.message.Airlock2FAInformationItemConfig
May be used by
License-Tags
Airlock2FA
Properties
Translation Key for the Key (keyTranslationKey)
Description
Identifies the string resource used to generate the key of this contextual information. The translated string as well as the resource key itself may contain variables, e.g. 'airlock2fa.message.${type}.key'. Variables are replaced with the corresponding values provided by the "Value Providers". For more information about formatting, consult the customer documentation.
Attributes
String
Mandatory
Example
self-service.user-data-edit.approval.airlock-2fa.key
Example
password-reset.factors.airlock-2fa.username.key
Example
airlock2fa.one-touch.login-id.key
Translation Key for Value (valueTranslationKey)
Description
Identifies the string resource used to generate the value of this contextual information. The translated string as well as the resource key itself may contain variables, e.g. 'airlock2fa.message.${type}.value'. Variables are replaced with the corresponding values provided by the "Value Providers". For more information about formatting, consult the customer documentation.
Attributes
String
Mandatory
Example
self-service.user-data-edit.approval.airlock-2fa.value
Example
password-reset.factors.airlock-2fa.username.value
Example
airlock2fa.one-touch.login-id.value
Omit If Value Empty (omitIfValueEmpty)
Description
If enabled, the whole information item (key and value) is omitted if the value results in an empty string (after variable substitution and trimming of whitespace).
Attributes
Boolean
Optional
Default value
false
Maximum Key Length (maxKeyLength)
Description
Defines the maximum length of the generated contextual information key. If the translated string is longer than this, shrinking is attempted until it is shorter than the limit. If it cannot be shrunk enough, generating the message fails.
Attributes
Integer
Optional
Default value
100
Maximum Value Length (maxValueLength)
Description
Defines the maximum length of the generated contextual information value. If the translated string is longer than this, shrinking is attempted until it is shorter than the limit. If it cannot be shrunk enough, generating the message fails.
Attributes
Integer
Optional
Default value
100
YAML Template (with default values)

type: Airlock2FAInformationItem
id: Airlock2FAInformationItem-xxxxxx
displayName: 
comment: 
properties:
  keyTranslationKey:
  maxKeyLength: 100
  maxValueLength: 100
  omitIfValueEmpty: false
  valueTranslationKey:

Airlock 2FA Login ID Parameter

Description

Provides the "loginId" parameter that is used to correlate the authentication in the Loginapp with the approval on the 2FA device. The Login ID is displayed if One-Touch is used and "Generate One-Touch Login ID" is set in the Airlock 2FA Authentication Step.

This value is only available while the current flow is in the Airlock 2FA Authentication Step.

Type name
Airlock2FALoginIdValueMapProvider
Class
com.airlock.iam.authentication.application.configuration.airlock2fa.Airlock2FALoginIdValueMapProviderConfig
May be used by
User Identification By Data Step, OAuth 2.0 Consent Grant Initiation Step, FIDO Registration Step, Set Context Data Step, Legacy ID Propagation Adapter, mTAN Message Provider, Airlock 2FA Activation Trusted Session Binding Step, Selection Step for Self-Service, Cronto Device Reset Step, Airlock 2FA Authentication Step, OAuth 2.0 Client Persisting Step, Send Email Link Step, Phone Number Verification Step, Set Authentication Method Step, Email OTP Authentication Step, FIDO Transaction Approval Step, HTTP Basic Authentication Step, Delete OAuth 2.0 Session Initiation Step, Secret Questions Identity Verification Step, SSI Passwordless Authentication Step, Translated String Provider, User Data Registration Step, Failure Step, Select mTAN Token Step, SAML 2.0 SP User Identifying Step, Account Link Removal Initiation Step, No Operation Step, Cronto Transaction Approval Step, OAuth 2.0 Client Registration Step, Password Change Self-Service Step, Airlock 2FA Device Deletion Initiation Step, Apply Changes Step, Airlock 2FA Activation Step (with additional Activation), Enable Cronto Push Initiation Step, Start User Representation Step, Representation SSO Ticket Identifying Step, User Role Assignment Step, Email Verification Step, OATH OTP Activation Step, Airlock 2FA Mobile Only Authentication Step, Transforming Value Map Provider, Date From Map Value Provider, Airlock 2FA Public Self-Service Approval Step, FIDO Credential Selection Step, Matrix Self-Service Approval Step, User Data Edit Step, Set Password Step, Cronto Letter Order Step, Username Password Authentication Step, Template-based String Provider, Selection Step, Cronto Activation Step, User Identification By Data Step (Public Self-Service), Vasco OTP Authentication Step, User Lock Step, Certificate Credential Extraction Step, Stop User Representation Step, OAuth 2.0 Consents Delete Initiation Step, mTAN Token Edit Step, CrontoSign Swiss Push Activation Step, Airlock 2FA Transaction Approval Step, Missing Account Link Step, Integer From Map Value Provider, User Identification Step, Email Event Subscriber (Loginapp), Rename Cronto Device Step, User Identification with FIDO Authentication Step, Airlock 2FA Recovery Trusted Session Binding Step, User Persisting Step, Email Message Provider, Secret Questions Provisioning Step, Kerberos Authentication Step, Complete Migration Step, Never Migrate Step, Migration Selection Step, Account Link Linking Initiation Step, Username Generation Step, Email Notification Step, Airlock 2FA Activation Letter Order Step, SMS Identity Verification Step, Matrix Public Self-Service Approval Step, Airlock 2FA Device Edit Initiation Step, Enable Cronto Device Initiation Step, Matrix Checking Step, Red Flag Raising Step, Airlock 2FA Message Provider, Scriptable Step, Login From New Device Step, Cronto Message Provider, Password Letter Order Step, Device Token Authentication Step, Unlock User Step (Public Self-Service), Scriptable Validator, Set Authentication Method Migration Step, SSI Issuance Step, FIDO Passwordless Authentication Step, Remember-Me User Identifying Step, Template-based Username Transformer, Password Reset Step, FIDO Authentication Step, On Behalf Login Identity Propagation, Terms Of Services Step, Email Change Verification Step, Vasco OTP Self-Service Approval Step, Airlock 2FA Delete Devices Step, Password-only Authentication Step, SSI Self-Registration Issuance Step, Username Password with FIDO Authentication Step, User Identification Step (Public Self-Service), SSI Verification Step, mTAN Self-Service Approval Step, Legacy Email OTP Authentication Step, Cronto Device Selection Step, Abort Step, mTAN Token Registration Step, Email OTP Transaction Approval Step, SMS Event Subscriber (Loginapp), Disable FIDO Credential Initiation Step, Enable FIDO Credential Initiation Step, OAuth 2.0 SSO Step, String From Map Value Provider, Remember-Me Reset Step, Cronto Authentication Step, Delete Remember-Me Device Initiation Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, Airlock 2FA Usernameless Authentication Step, Email Identity Verification Step, OATH OTP Authentication Step, Vasco OTP Public Self-Service Approval Step, OTP Check via RADIUS Step, Disable Cronto Push Initiation Step, Cronto Public Self-Service Approval Step, OAuth 2.0 Session Reset Step, OAuth 2.0 Consent Deny Initiation Step, mTAN Verification Step, Date And Time From Map Value Provider, Boolean From Map Value Provider, Delete mTAN Number Initiation Step, mTAN Public Self-Service Approval Step, OAuth 2.0 Consent Step, Transaction Approval Parameter Step, Role-based Tag Acquisition Step, Flow Continuation Step, Remember-Me Token Generating Step, Device Token Registration Step, Remote Event Subscriber (Loginapp), Cronto Self-Service Approval Step, SSI Authentication Step, Acknowledge Message Step, Cronto Approval Stealth Step, Ticket String Provider, Airlock 2FA Device Edit Step, Airlock 2FA Self-Service Approval Step, Flow Continuation Token Consumption Step, Device Token Identity Verification Step, mTAN Transaction Approval Step, Risk Assessment Step, mTAN Authentication Step, SSO Ticket Authentication Step, Tag Removal Step, Voluntary Password Change Step, Airlock 2FA Activation Step, FIDO Credential Display Name Change Step, Mandatory Password Change Step, User Unlock Step (Self-Registration), Selection Step for Public Self-Service, Delete FIDO Credential Initiation Step, Delete Cronto Device Initiation Step, Conditional Value Map Provider, FIDO Public Self-Service Approval Step, Public Self-Service OATH OTP Approval Step, Disable Cronto Device Initiation Step, FIDO Self-Service Approval Step
License-Tags
Airlock2FA
Properties
YAML Template (with default values)

type: Airlock2FALoginIdValueMapProvider
id: Airlock2FALoginIdValueMapProvider-xxxxxx
displayName: 
comment: 
properties:

Airlock 2FA Message Provider

Description
Generic message provider for Airlock 2FA.
Type name
GenericAirlock2FAMessageProvider
Class
com.airlock.iam.flow.shared.application.configuration.message.GenericAirlock2FAMessageProviderConfig
May be used by
License-Tags
Airlock2FA
Properties
Title Translation Key (titleTranslationKey)
Description

This key identifies the message template that is used to generate the message title. The title is displayed in the Airlock 2FA mobile app after the word "Approve", e.g. "Login" or "Password Reset".

It is displayed for One-Touch, Online QR Code and Usernameless QR Code factors.

It is ignored for Offline QR Code. Because of technical limitations, the title of Offline QR Codes is always the default title from Futurae.

The string resource key itself may also contain variables, e.g. 'airlock2fa.message.${type}.title'. Variables are replaced with the corresponding values provided by the "Value Providers". For more information about formatting, consult the customer documentation.

Attributes
String
Mandatory
Example
self-service.user-data-edit.approval.airlock-2fa.title
Example
password-reset.factors.airlock-2fa.title
Example
airlock2fa.one-touch.authentication-title
Information Items (informationItems)
Description
Configures the various contextual information that will be displayed on the Airlock 2FA app of a user when a message approval is started. Note that for readability reasons it is not recommended to provide more than three entries of such contextual information.

These information items are displayed for One-Touch, Online QR Code, Offline QR Code and Usernameless QR Code factors.

Attributes
Plugin-List
Optional
Assignable plugins
Value Providers (valueProviders)
Description
List of value map providers that are used to replace the variables in the localized template. The value providers are called in the configured order and their values are added to a map. Later providers can overwrite values from earlier providers. If no value providers are configured, the localized template should not contain any variables, since all of them would be replaced by empty strings.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: GenericAirlock2FAMessageProvider
id: GenericAirlock2FAMessageProvider-xxxxxx
displayName: 
comment: 
properties:
  informationItems:
  titleTranslationKey:
  valueProviders:
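The "Airlock 2FA Information Item" and the "Value Providers" of the message provider above describe a two-level substitution: variables are replaced in the resource key itself, the resulting key is translated, and variables are replaced again in the translated text, with later value providers overwriting earlier ones and unprovided variables becoming empty strings. The following Python model of that process is an added example, not code from Airlock IAM; the translation bundle, the configuration and the value providers are constructed, and the "shrinking" of over-long texts, which the reference does not define, is replaced by an immediate failure.

```python
import re
from typing import Mapping, Optional, Sequence, Tuple

# Constructed string resources standing in for the Loginapp translation bundle
# (assumption: the keys and texts below are made up for this example).
TRANSLATIONS = {
    "airlock2fa.message.login.title": "Login",
    "airlock2fa.message.login.key": "Account",
    "airlock2fa.message.login.value": "${username}",
    "airlock2fa.message.login.ip.key": "From",
    "airlock2fa.message.login.ip.value": "${clientIp}",
}

VARIABLE = re.compile(r"\$\{([^}]+)\}")


class MessageGenerationError(Exception):
    """Raised when an information item exceeds its configured maximum length."""


def merge_value_providers(providers: Sequence[Mapping[str, str]]) -> dict:
    """Call the value providers in configured order; later providers overwrite earlier values."""
    values: dict = {}
    for provider in providers:
        values.update(provider)
    return values


def substitute(template: str, values: Mapping[str, str]) -> str:
    """Replace every ${var}; a variable without a provided value becomes an empty string."""
    return VARIABLE.sub(lambda m: str(values.get(m.group(1), "")), template)


def resolve(translation_key: str, values: Mapping[str, str], translations=TRANSLATIONS) -> str:
    """Resolve a string resource: first substitute variables in the key itself
    (e.g. airlock2fa.message.${type}.key), then in the translated text, then trim."""
    key = substitute(translation_key, values)
    return substitute(translations.get(key, ""), values).strip()


def render_information_item(item: dict, values: Mapping[str, str],
                            translations=TRANSLATIONS) -> Optional[Tuple[str, str]]:
    """Render one Airlock2FAInformationItem; returns (key, value), or None if the item is omitted."""
    value = resolve(item["valueTranslationKey"], values, translations)
    if item.get("omitIfValueEmpty", False) and value == "":
        return None
    key = resolve(item["keyTranslationKey"], values, translations)
    max_key = item.get("maxKeyLength", 100)
    max_value = item.get("maxValueLength", 100)
    # Assumption: the reference says an over-long text is "shrunk" before generation
    # fails but does not define the shrinking; this example fails immediately instead.
    if len(key) > max_key:
        raise MessageGenerationError(f"key exceeds maxKeyLength={max_key}: {key!r}")
    if len(value) > max_value:
        raise MessageGenerationError(f"value exceeds maxValueLength={max_value}: {value!r}")
    return key, value


def render_message(config: dict, translations=TRANSLATIONS) -> dict:
    """Build the title and information items of a GenericAirlock2FAMessageProvider."""
    values = merge_value_providers(config.get("valueProviders", []))
    title = resolve(config["titleTranslationKey"], values, translations)
    items = []
    for item in config.get("informationItems", []):
        rendered = render_information_item(item, values, translations)
        if rendered is not None:
            items.append(rendered)
    return {"title": title, "items": items}


# Constructed configuration mirroring the YAML templates of this page. Value providers
# are plain dicts here; in IAM they are value map provider plugins.
SAMPLE_CONFIG = {
    "titleTranslationKey": "airlock2fa.message.${type}.title",
    "valueProviders": [
        {"type": "login", "username": "alice", "clientIp": ""},
        {"clientIp": "203.0.113.7"},  # later provider overwrites the empty clientIp
    ],
    "informationItems": [
        {"keyTranslationKey": "airlock2fa.message.${type}.key",
         "valueTranslationKey": "airlock2fa.message.${type}.value",
         "omitIfValueEmpty": True},
        {"keyTranslationKey": "airlock2fa.message.${type}.ip.key",
         "valueTranslationKey": "airlock2fa.message.${type}.ip.value",
         "omitIfValueEmpty": True},
    ],
}

if __name__ == "__main__":
    print(render_message(SAMPLE_CONFIG))
```

Dropping the second value provider leaves clientIp empty, so the "From" item is omitted rather than shown with a blank value.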

Airlock 2FA Mobile Only Authentication Step

Description
Airlock 2FA authentication step for "Mobile Only" authentication.

This step allows an app on an enrolled mobile device to authenticate with Airlock 2FA by using the Loginapp REST API. The authentication is either performed by switching from the main app to a dedicated authentication app (Airlock 2FA, Futurae or compatible) or directly within an app that has an integrated SDK.

There is no UI for this step.

The identifier of the authentication method for this step is 'AIRLOCK_2FA' and is also the identifier for failed authentication attempts.

Type name
Airlock2FAMobileOnlyAuthenticationStep
Class
com.airlock.iam.authentication.application.configuration.airlock2fa.Airlock2FAMobileOnlyAuthenticationStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Redirect URI (redirectUri)
Description
The URI used on iOS to switch from the authentication app (Airlock 2FA or compatible) back to the main app where the authentication was initiated. This value is not applicable if the authentication is directly performed by the main app. Furthermore, this value is ignored on Android, where the back stack mechanism is used instead.
Attributes
String
Optional
Scheme Override (schemeOverride)
Description
Allows overriding the scheme of the mobile authentication URI which is returned by the authentication step. The scheme of the authentication URI determines which app is opened on the mobile device for authentication. This is useful when migrating from one authentication app (such as Airlock 2FA) to a different authentication app. For example, during a migration, this step can be used to support the previous authentication app by overriding the scheme of the new app with the scheme of the previous app.
Attributes
String
Optional
Validation RegEx: ^[a-zA-Z][a-zA-Z0-9\+\-\.]*$
Example
airlock2fa
Example
OneApp-1
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown cannot be used for authentication.

If disabled, the step ignores the "Cooldown Period" for new devices configured in the "Airlock 2FA Settings". This is typically used for authentication steps that protect low-risk applications, such as a portal page, which can also be accessed using devices in cooldown.

If no "Cooldown Period" is defined, enabling this property has no effect.

Attributes
Boolean
Optional
Default value
true
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: Airlock2FAMobileOnlyAuthenticationStep
id: Airlock2FAMobileOnlyAuthenticationStep-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  redirectUri:
  requiresActivation: false
  respectCooldownPeriod: true
  schemeOverride:
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Public Self-Service Approval Step

Description

This step allows using Airlock 2FA to approve operations in public self-service flows.

Note that unlike identity verification steps, approval steps require an existing user and cannot prevent username enumeration (no stealth mode). It is therefore important that approval steps are only used after an identity verification step.

Type name
Airlock2FAPublicSelfServiceApprovalStep
Class
com.airlock.iam.publicselfservice.application.configuration.steps.Airlock2FAPublicSelfServiceApprovalStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Message Provider (messageProvider)
Description
Creates the message that will be displayed on the user's device.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Enable Push-to-All (enablePushToAll)
Description
If Push-to-All for One-Touch is enabled, device selection is never required for One-Touch. Push notifications are sent to all devices of a user and approval can be given on any of the devices.

The combination of Push-to-All and "Lock User on Fraud" could have undesired effects, because users might report fraud in legitimate use-cases.

Attributes
Boolean
Optional
Default value
false
Enable Short-Lived Online QR Codes (enableShortLivedOnlineQrCodes)
Description

Whether to enable short-lived Online QR Codes. Unlike regular Online QR Codes, these are refreshed regularly, allowing for shorter individual validities.

Shorter validities enhance security, since forwarding a QR code to victims and tricking them into scanning it becomes more difficult if the available time window is small.

Note that this approval step should always be used after a verification step so that error response delays are not active. With response delays being active, QR codes are displayed delayed as well, which reduces their effective validity.

Attributes
Boolean
Optional
Default value
false
QR Code Validity [s] (shortLivedQrCodeValidity)
Description

The maximum amount of time in seconds for which an Online QR Code is valid after it is first displayed to the end user (ignoring latency). This duration includes the time defined for the validity overlap. It only limits the time for scanning the QR code, not for the confirmation or approval afterwards.

Security Notice: The validity duration represents the attack window. Choosing a small validity makes attacks more difficult, in cases where an attacker attempts to forward a QR code to a victim for scanning.

This setting is only active if short-lived Online QR Codes are enabled.

Attributes
Integer
Optional
Default value
10
QR Code Validity Overlap [s] (shortLivedQrCodeValidityOverlap)
Description

Defines the duration in seconds during which the previously displayed QR Code is still valid after being replaced by the next QR code in sequence.

This provides time for pending requests to complete and ensures that a valid QR code is displayed at every moment in time, provided that there are no network or performance issues.

The validity overlap must meet the following criteria:

  • It must be smaller than half the overall validity of the QR code.
  • It must be larger than the Loginapp UI polling interval (1s) plus the network latency (IAM backend → Loginapp UI plus Mobile Device → Futurae Backend).
    Note that the polling interval may differ for custom user interfaces.

This setting is only active if short-lived Online QR Codes are enabled.

Attributes
Integer
Optional
Default value
3
Session Timeout [s] (shortLivedSessionTimeout)
Description

Maximum duration in seconds during which short-lived Online QR Codes are displayed until a session timeout occurs.

This setting is used exclusively for short-lived Online QR Codes. It has no effect if short-lived Online QR Codes are disabled.

Attributes
Integer
Optional
Default value
60
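The three short-lived QR code settings above interact: the overlap must be smaller than half the validity and larger than the Loginapp UI polling interval (1s) plus the expected latency, and the session timeout bounds how long codes keep being refreshed. The Python below is an added example, not Airlock IAM code, that checks those criteria for a configuration and simulates the resulting code sequence; it assumes, because the page does not say so, that a replacement code is issued every validity minus overlap seconds.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Polling interval of the standard Loginapp UI as stated in the reference (custom UIs may differ).
LOGINAPP_UI_POLLING_INTERVAL_S = 1.0


@dataclass
class ShortLivedQrConfig:
    """The short-lived Online QR Code properties of the approval step, with the page's defaults."""
    enable_short_lived_online_qr_codes: bool = False
    short_lived_qr_code_validity: int = 10
    short_lived_qr_code_validity_overlap: int = 3
    short_lived_session_timeout: int = 60


def validate_short_lived_qr_config(cfg: ShortLivedQrConfig, expected_latency_s: float,
                                   polling_interval_s: float = LOGINAPP_UI_POLLING_INTERVAL_S) -> List[str]:
    """Check the two criteria the reference states for the validity overlap.

    expected_latency_s is the operator's estimate of IAM backend -> Loginapp UI plus
    mobile device -> Futurae backend latency. Returns the violated criteria (empty = consistent).
    """
    problems: List[str] = []
    if not cfg.enable_short_lived_online_qr_codes:
        return problems  # the timing settings are inactive
    validity = cfg.short_lived_qr_code_validity
    overlap = cfg.short_lived_qr_code_validity_overlap
    if not overlap < validity / 2:
        problems.append(f"overlap {overlap}s must be smaller than half the validity ({validity / 2}s)")
    lower_bound = polling_interval_s + expected_latency_s
    if not overlap > lower_bound:
        problems.append(f"overlap {overlap}s must be larger than polling interval + latency ({lower_bound}s)")
    return problems


def qr_code_schedule(cfg: ShortLivedQrConfig) -> List[Tuple[int, int]]:
    """(shown_at, valid_until) in seconds for every QR code displayed until the session timeout.

    Assumption (not spelled out on the page): a replacement code is issued every
    validity - overlap seconds, so each code stays valid for exactly `overlap`
    seconds after being replaced.
    """
    validity = cfg.short_lived_qr_code_validity
    refresh = validity - cfg.short_lived_qr_code_validity_overlap
    if refresh <= 0:
        raise ValueError("overlap must be smaller than the validity")
    schedule: List[Tuple[int, int]] = []
    shown_at = 0
    while shown_at < cfg.short_lived_session_timeout:
        schedule.append((shown_at, shown_at + validity))
        shown_at += refresh
    return schedule


def valid_codes_at(schedule: List[Tuple[int, int]], t: float) -> int:
    """Number of QR codes that are still valid at time t."""
    return sum(1 for shown_at, valid_until in schedule if shown_at <= t < valid_until)


def always_covered(schedule: List[Tuple[int, int]], session_timeout: int, step: float = 0.25) -> bool:
    """True if at every sampled instant of the session at least one code is valid."""
    t = 0.0
    while t < session_timeout:
        if valid_codes_at(schedule, t) == 0:
            return False
        t += step
    return True


if __name__ == "__main__":
    cfg = ShortLivedQrConfig(enable_short_lived_online_qr_codes=True)
    print(validate_short_lived_qr_config(cfg, expected_latency_s=0.5))
    print(qr_code_schedule(cfg))
```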
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Redirect URI (mobileOnlyRedirectUri)
Description
The URI used on iOS to switch from the authentication app (Airlock 2FA or compatible) back to the main app where the authentication was initiated. This value is not applicable if the authentication is directly performed by the main app. Furthermore, this value is ignored on Android, where the back stack mechanism is used instead.
Attributes
String
Optional
Scheme Override (mobileOnlySchemeOverride)
Description
Allows overriding the scheme of the mobile authentication URI which is returned by the approval step. The scheme of the authentication URI determines which app is opened on the mobile device for authentication. This is useful when migrating from one authentication app (such as Airlock 2FA) to a different authentication app. For example, during a migration, this step can be used to support the previous authentication app by overriding the scheme of the new app with the scheme of the previous app.
Attributes
String
Optional
Validation RegEx: ^[a-zA-Z][a-zA-Z0-9\+\-\.]*$
Example
airlock2fa
Example
OneApp-1
Approval Factors (approvalFactors)
Description

Priority list of all factors that can be used in this approval step. Only factors that are in this list can be used. The factors are offered in the configured order.

One-Touch and Online QR Code must come before all other factors. It is recommended to include at least one offline factor.

Available factors:

  • One-Touch: a push message is sent to the user's mobile app, where it must be approved. This is an online factor and will require device selection if the user has multiple devices.
  • Online QR Code: a QR code is displayed in the browser, which has to be scanned by a mobile app and approved there. This is an online factor. No prior device selection is required.
  • Offline QR Code: a QR code is displayed in the browser which has to be scanned by a mobile app or hardware token. The device displays a code (OTP) that must be entered manually in the browser. This is an offline factor and will require device selection if the user has multiple devices.
  • Passcode: the device (mobile app or hardware token) generates a time-dependent code (OTP) that has to be entered manually. This is an offline factor. No prior device selection is required.
  • Mobile Only: the approval is handled directly by the mobile app. This is an online factor. No prior device selection is required. There is no fallback from this factor to other factors or vice-versa. Therefore, the only use case for combining this with other factors is in transaction approval, where the factor previously used for authentication determines whether mobile-only or another factor will be used. Since there is no way to use any factors configured after Mobile Only, it should always be configured as the last factor.

AuthTokenId:
The AuthTokenId identifies the device and factor that was used during the authentication and links it to the approval process. It is used to ensure that, for certain flows, the same device must perform the approval. The AuthTokenId is evaluated only for transaction approval. It has no effect on other flow types.

When the AuthTokenId is present in the transaction approval flow and contains the factor Mobile Only:

  • and the Mobile Only factor is configured in this approval step: the Mobile Only factor will be enforced.
  • and the Mobile Only factor is not configured in this approval step: any of the configured factors may be used.

Attributes
String-List
Optional
Default value
[One-Touch, Offline QR Code, Mobile Only]
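The ordering rules and the AuthTokenId behaviour described for "Approval Factors" are easy to get wrong in a flow configuration. The following Python is an added example, not Airlock IAM code: it validates an approvalFactors list against the rules stated above and computes which factors are offered once the AuthTokenId from authentication is taken into account (the flow type names are this example's own labels).

```python
from typing import List, Optional, Sequence, Tuple

ONLINE_FIRST = ("One-Touch", "Online QR Code")  # must precede all other factors
OFFLINE_FACTORS = ("Offline QR Code", "Passcode")
KNOWN_FACTORS = ONLINE_FIRST + OFFLINE_FACTORS + ("Mobile Only",)
DEFAULT_APPROVAL_FACTORS = ["One-Touch", "Offline QR Code", "Mobile Only"]


def validate_approval_factors(factors: Sequence[str]) -> Tuple[List[str], List[str]]:
    """Check an approvalFactors list against the rules on this page.

    Returns (errors, warnings): errors are hard rules (unknown or repeated factors,
    One-Touch / Online QR Code not in front), warnings are the page's recommendations
    (at least one offline factor, Mobile Only configured last).
    """
    errors: List[str] = []
    warnings: List[str] = []
    for f in factors:
        if f not in KNOWN_FACTORS:
            errors.append(f"unknown factor {f!r}")
    if len(set(factors)) != len(factors):
        errors.append("factors must not be repeated")
    # index of the first factor that is neither One-Touch nor Online QR Code
    first_other = next((i for i, f in enumerate(factors) if f not in ONLINE_FIRST), len(factors))
    late_online = [f for f in factors[first_other:] if f in ONLINE_FIRST]
    if late_online:
        errors.append(f"{late_online} must come before all other factors")
    if not any(f in OFFLINE_FACTORS for f in factors):
        warnings.append("no offline factor configured; include at least one")
    if "Mobile Only" in factors and factors[-1] != "Mobile Only":
        warnings.append("factors after Mobile Only can never be used; configure it last")
    return errors, warnings


def offered_factors(configured: Sequence[str], flow_type: str,
                    auth_token_factor: Optional[str]) -> List[str]:
    """Factors offered to the user, in configured order.

    auth_token_factor is the factor recorded in the AuthTokenId during authentication
    (None if absent). The AuthTokenId is evaluated only for transaction approval; the
    flow type label "transaction-approval" is this example's own.
    """
    if (flow_type == "transaction-approval" and auth_token_factor == "Mobile Only"
            and "Mobile Only" in configured):
        return ["Mobile Only"]  # the Mobile Only factor is enforced
    return list(configured)  # any configured factor may be used


if __name__ == "__main__":
    print(validate_approval_factors(DEFAULT_APPROVAL_FACTORS))
    print(offered_factors(DEFAULT_APPROVAL_FACTORS, "transaction-approval", "Mobile Only"))
```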
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown cannot be used for approval.

If disabled, this step ignores the "Cooldown Period" for new devices configured in the "Airlock 2FA Settings". This is typically used for approval steps that protect low-risk operations, which can also be performed with devices in cooldown.

If no "Cooldown Period" is defined, enabling this property has no effect.

Attributes
Boolean
Optional
Default value
true
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: Airlock2FAPublicSelfServiceApprovalStep
id: Airlock2FAPublicSelfServiceApprovalStep-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  approvalFactors: [One-Touch, Offline QR Code, Mobile Only]
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  enablePushToAll: false
  enableShortLivedOnlineQrCodes: false
  interactiveGotoTargets:
  messageProvider:
  mobileOnlyRedirectUri:
  mobileOnlySchemeOverride:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  respectCooldownPeriod: true
  shortLivedQrCodeValidity: 10
  shortLivedQrCodeValidityOverlap: 3
  shortLivedSessionTimeout: 60
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Recovery Trusted Session Binding Step

Description

This step can be used to recover previously enrolled Airlock 2FA accounts on a fresh installation of a mobile app. This refers to mobile apps which integrate the Futurae SDK and can therefore be enrolled as a device for an Airlock 2FA account. An enrollment of an Airlock 2FA account on a mobile app is subsequently referred to as a (virtual) device. One physical device can host multiple virtual devices. If 'Trusted Session Binding for Recovery' is enabled in the 'Airlock 2FA Settings', this step is necessary for users to recover their devices.

Airlock IAM does not provide a UI for this step, since it exposes a REST API which is intended to be used by custom mobile apps.

The following describes the recovery use case which is enabled by this step:

  • A fresh installation of a mobile app extracts the device identifiers of a previous installation from a backup.
  • A user authenticates with Airlock IAM (via the mobile app).
  • This is where the 'Airlock 2FA Recovery Trusted Session Binding Step' has to be active in the IAM flow. The step can be completed successfully with the following actions:
    • The mobile app sends the device identifiers to Airlock IAM.
    • Airlock IAM checks whether one of the devices to be recovered belongs to the authenticated user and aborts the flow otherwise.
    • Airlock IAM requests a Trusted Session Binding token from Futurae and returns it to the mobile app. If Airlock IAM does not receive a flow binding token from Futurae, it will return an empty response and the step will continue as if the retrieval was successful.
    • The mobile app forwards the Trusted Session Binding token to the Futurae SDK to complete the recovery.
    • The mobile app polls Airlock IAM for the status of the recovery.
  • After successful recovery, all users who had devices on the previous installation will have new devices and the ones from the previous installation cannot be used anymore.

The security guarantee provided by Trusted Session Binding for recovery is the following: The devices on a mobile app can only be recovered by someone who owns one of the devices. One user of a device is able to recover the devices of the other users of the same physical device.
Type name
Airlock2faRecoveryTrustedSessionBindingStep
Class
com.airlock.iam.flow.shared.application.configuration.airlock2fa.Airlock2faRecoveryTrustedSessionBindingStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

Attributes
String
Optional
Length <= 23
Default value
AIRLOCK_2FA
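The counter-reset problem described above, as an added example that is not Airlock IAM code: a small model in which each password step keys its "failed attempts" counter by its Authentication Method ID and a successful login resets only that counter. The class names, the lock threshold of 5 and the flow layout are assumptions for illustration; the 23-character limit is the one stated for this property.

```python
"""Model of per-method failed-attempt counters (added example, not Airlock IAM code)."""
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 5  # assumed lock threshold for illustration
MAX_AUTH_METHOD_ID_LENGTH = 23  # "Length <= 23" from the property attributes


def valid_auth_method_id(auth_method_id):
    """Length constraint stated for the Authentication Method ID property."""
    return 0 < len(auth_method_id) <= MAX_AUTH_METHOD_ID_LENGTH


class AccountState:
    """Per-user state: one failed-attempts counter per authentication method ID."""

    def __init__(self):
        self.failed = defaultdict(int)
        self.locked = False


class PasswordStep:
    """Models a password flow step configured with an Authentication Method ID."""

    def __init__(self, auth_method_id, correct_password):
        assert valid_auth_method_id(auth_method_id)
        self.auth_method_id = auth_method_id
        self.correct_password = correct_password

    def attempt(self, account, password):
        """Check one password; a success resets the counter of this method only."""
        if account.locked:
            return False
        if password == self.correct_password:
            account.failed[self.auth_method_id] = 0
            return True
        account.failed[self.auth_method_id] += 1
        if account.failed[self.auth_method_id] >= MAX_FAILED_ATTEMPTS:
            account.locked = True
        return False


def guesses_before_lock(flow_a, flow_b, known_password_a, wrong_guesses):
    """Interleave one wrong guess on flow B with one correct login on flow A,
    as the description explains. Returns (guesses evaluated, account locked).
    With a shared ID the flow A login keeps resetting the counter and the
    account never locks; with distinct IDs flow B locks after the threshold."""
    account = AccountState()
    evaluated = 0
    for guess in wrong_guesses:
        if account.locked:
            break
        flow_b.attempt(account, guess)
        evaluated += 1
        flow_a.attempt(account, known_password_a)
    return evaluated, account.locked


if __name__ == "__main__":
    guesses = ["wrong-%d" % i for i in range(20)]
    shared = guesses_before_lock(PasswordStep("PASSWORD", "pw1"),
                                 PasswordStep("PASSWORD", "pw2"), "pw1", guesses)
    distinct = guesses_before_lock(PasswordStep("PASSWORD1", "pw1"),
                                   PasswordStep("PASSWORD2", "pw2"), "pw1", guesses)
    print("shared ID   :", shared)    # (20, False): never locks
    print("distinct IDs:", distinct)  # (5, True): locked after the threshold
```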
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: Airlock2faRecoveryTrustedSessionBindingStep
id: Airlock2faRecoveryTrustedSessionBindingStep-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  authenticationMethodId: AIRLOCK_2FA
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Self-Service Approval Step

Description

This step allows using Airlock 2FA to approve operations in protected self-services flows, such as user data changes or registrations of additional devices. Typically, this step is configured between the step where a change is initiated and the step where the change is persisted.

Type name
Airlock2FASelfServiceApprovalStep
Class
com.airlock.iam.selfservice.application.configuration.step.Airlock2FASelfServiceApprovalStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Message Provider (messageProvider)
Description
Creates the message that will be displayed on the user's device.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Enable Push-to-All (enablePushToAll)
Description
If Push-to-All for One-Touch is enabled, device selection is never required for One-Touch. Push notifications are sent to all devices of a user and approval can be given on any of the devices.

The combination of Push-to-All and "Lock User on Fraud" could have undesired effects, because users might report fraud in legitimate use-cases.

Attributes
Boolean
Optional
Default value
false
Enable Short-Lived Online QR Codes (enableShortLivedOnlineQrCodes)
Description

Whether to enable short-lived Online QR Codes. Unlike regular Online QR Codes, these are refreshed regularly, allowing for shorter individual validities.

Shorter validities enhance security, since forwarding a QR code to victims and tricking them to scan the QR code becomes more difficult if the available time window is small.

Attributes
Boolean
Optional
Default value
false
QR Code Validity [s] (shortLivedQrCodeValidity)
Description

The maximum amount of time in seconds for which an Online QR Code is valid after it is first displayed to the end user (ignoring latency). This duration includes the time defined for the validity overlap. It only limits the time for scanning the QR code, not for the confirmation or approval afterwards.

Security Notice: The validity duration represents the attack window. Choosing a small validity makes attacks more difficult, in cases where an attacker attempts to forward a QR code to a victim for scanning.

This setting is only active if short-lived Online QR Codes are enabled.

Attributes
Integer
Optional
Default value
10
QR Code Validity Overlap [s] (shortLivedQrCodeValidityOverlap)
Description

Defines the duration in seconds during which the previously displayed QR Code is still valid after being replaced by the next QR code in sequence.

This provides time for pending requests to complete and ensures that a valid QR code is displayed at every moment in time, provided that there are no network or performance issues.

The validity overlap must meet the following criteria:

  • It must be smaller than half the overall validity of the QR code.
  • It must be larger than the Loginapp UI polling interval (1s) plus the network latency (IAM backend → Loginapp UI plus Mobile Device → Futurae Backend).
    Note that the polling interval may differ for custom user interfaces.

This setting is only active if short-lived Online QR Codes are enabled.

Attributes
Integer
Optional
Default value
3
Session Timeout [s] (shortLivedSessionTimeout)
Description

Maximum duration in seconds during which short-lived Online QR Codes are displayed until a session timeout occurs.

This setting is used exclusively for short-lived Online QR Codes. It has no effect if short-lived Online QR Codes are disabled.

Attributes
Integer
Optional
Default value
60
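The timing rules for the three short-lived Online QR Code settings above (validity, validity overlap, session timeout), as an added example that is not Airlock IAM code: it checks the two overlap criteria and derives the refresh schedule to show when a gap with no valid code on screen would occur. It assumes the Loginapp UI polling interval of 1 s stated above, a server that issues a new code every validity minus overlap seconds, and a caller-supplied latency estimate.

```python
"""Short-lived Online QR Code timing checks (added example, not Airlock IAM code)."""
from dataclasses import dataclass

LOGINAPP_POLL_INTERVAL_S = 1.0  # stated polling interval; custom UIs may differ


@dataclass(frozen=True)
class ShortLivedQrConfig:
    validity_s: int = 10          # shortLivedQrCodeValidity default
    overlap_s: int = 3            # shortLivedQrCodeValidityOverlap default
    session_timeout_s: int = 60   # shortLivedSessionTimeout default


def check_overlap(cfg, latency_s, poll_interval_s=LOGINAPP_POLL_INTERVAL_S):
    """Return the violated overlap criteria (empty list: configuration is sound)."""
    problems = []
    if not cfg.overlap_s < cfg.validity_s / 2:
        problems.append("overlap must be smaller than half the QR code validity")
    if not cfg.overlap_s > poll_interval_s + latency_s:
        problems.append("overlap must exceed polling interval plus network latency")
    return problems


def refresh_interval(cfg):
    """Assumed issue cadence: a new code every validity - overlap seconds, so the
    previous code stays valid for `overlap` seconds after its replacement."""
    return cfg.validity_s - cfg.overlap_s


def qr_schedule(cfg, latency_s=0.0, poll_interval_s=LOGINAPP_POLL_INTERVAL_S):
    """Per code: (visible_from, valid_until) as seen by the end user. The browser
    shows a freshly issued code after one polling interval plus the latency."""
    codes = []
    issued = 0.0
    while issued < cfg.session_timeout_s:
        visible_from = issued + poll_interval_s + latency_s
        valid_until = issued + cfg.validity_s
        codes.append((visible_from, valid_until))
        issued += refresh_interval(cfg)
    return codes


def always_valid_code_displayed(schedule):
    """True if the next code is on screen before the previous one expires."""
    return all(next_visible <= prev_until
               for (_, prev_until), (next_visible, _) in zip(schedule, schedule[1:]))


if __name__ == "__main__":
    cfg = ShortLivedQrConfig()
    for latency in (0.5, 2.5):
        print(f"latency {latency}s: problems={check_overlap(cfg, latency)}, "
              f"gap-free={always_valid_code_displayed(qr_schedule(cfg, latency))}")
```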
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Redirect URI (mobileOnlyRedirectUri)
Description
The URI used on iOS to switch from the authentication app (Airlock 2FA or compatible) back to the main app where the authentication was initiated. This value is not applicable if the authentication is directly performed by the main app. Furthermore, this value is ignored on Android, where the back stack mechanism is used instead.
Attributes
String
Optional
Scheme Override (mobileOnlySchemeOverride)
Description
Allows overriding the scheme of the mobile authentication URI that is returned by the approval step. The scheme of the authentication URI determines which app is opened on the mobile device for authentication. This is useful when migrating from one authentication app (such as Airlock 2FA) to a different authentication app. For example, during a migration, this step can be used to support the previous authentication app by overriding the scheme of the new app with the scheme of the previous app.
Attributes
String
Optional
Validation RegEx: ^[a-zA-Z][a-zA-Z0-9\+\-\.]*$
Example
airlock2fa
Example
OneApp-1
Approval Factors (approvalFactors)
Description

Priority list of all factors that can be used in this approval step. Only factors that are in this list can be used. The factors are offered in the configured order.

One-Touch and Online QR Code must come before all other factors. It is recommended to include at least one offline factor.

Available factors:

  • One-Touch: a push message is sent to the user's mobile app, where it must be approved. This is an online factor and will require device selection if the user has multiple devices.
  • Online QR Code: a QR code is displayed in the browser, which has to be scanned by a mobile app and approved there. This is an online factor. No prior device selection is required.
  • Offline QR Code: a QR code is displayed in the browser which has to be scanned by a mobile app or hardware token. The device displays a code (OTP) that must be entered manually in the browser. This is an offline factor and will require device selection if the user has multiple devices.
  • Passcode: the device (mobile app or hardware token) generates a time-dependent code (OTP) that has to be entered manually. This is an offline factor. No prior device selection is required.
  • Mobile Only: the approval is handled directly by the mobile app. This is an online factor. No prior device selection is required. There is no fallback from this factor to other factors or vice-versa. Therefore, the only use case for combining this with other factors is in transaction approval, where the factor previously used for authentication determines whether mobile-only or another factor will be used. Since there is no way to use any factors configured after Mobile Only, it should always be configured as the last factor.

AuthTokenId:
The AuthTokenId identifies the device and factor that was used during the authentication and links it to the approval process. It is used to ensure that, for certain flows, the same device must perform the approval. The AuthTokenId is evaluated only for transaction approval. It has no effect on other flow types.

When the AuthTokenId is present in the transaction approval flow and contains the factor Mobile Only:

  • and the Mobile Only factor is configured in this approval step: the Mobile Only factor will be enforced.
  • and the Mobile Only factor is not configured in this approval step: any of the configured factors may be used.

Attributes
String-List
Optional
Default value
[One-Touch, Offline QR Code, Mobile Only]
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown cannot be used for approval.

If disabled, this step ignores the "Cooldown Period" for new devices configured in the "Airlock 2FA Settings". This is typically used for approval steps that protect low-risk operations, which can also be performed with devices in cooldown.

If no "Cooldown Period" is defined, enabling this property has no effect.

Attributes
Boolean
Optional
Default value
true
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: Airlock2FASelfServiceApprovalStep
id: Airlock2FASelfServiceApprovalStep-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  approvalFactors: [One-Touch, Offline QR Code, Mobile Only]
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  enablePushToAll: false
  enableShortLivedOnlineQrCodes: false
  interactiveGotoTargets:
  messageProvider:
  mobileOnlyRedirectUri:
  mobileOnlySchemeOverride:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  respectCooldownPeriod: true
  shortLivedQrCodeValidity: 10
  shortLivedQrCodeValidityOverlap: 3
  shortLivedSessionTimeout: 60
  skipCondition:
  stepId:
  tagsOnSuccess:

Airlock 2FA Settings

Description
Global settings related to Airlock 2FA.
Type name
Airlock2FASettings
Class
com.airlock.iam.factor.application.configuration.airlock2fa.Airlock2FASettings
May be used by
License-Tags
Airlock2FA
Properties
Repository (repository)
Description
Configures the repository to store Airlock 2FA data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Futurae Server (futuraeServer)
Description
Configures access to Futurae servers.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Account Display Name Provider (accountDisplayNameProvider)
Description
An optional display name that is displayed in the Airlock 2FA/Futurae mobile application. As an example, it could be the IAM username or a configured context data item such as the user's email address. Note that currently the display name is not updated if the underlying user data changes after the user has been enrolled.

Privacy warning: The display name, when configured, will be stored on Futurae's servers. Sensitive data should therefore not be used as display name.

Attributes
Plugin-Link
Optional
Assignable plugins
Trusted Session Binding for Activation (trustedSessionBindingForActivation)
Description

If enabled, activation codes (from a letter or on-screen QR code) can only be used as part of an authenticated session with Airlock IAM. If enabled, activation codes are only accepted together with a "Trusted Session Binding Token". This short-lived token can only be retrieved from an Airlock IAM flow and must be sent to the Futurae server together with the activation code.

This feature ensures that only the intended user can activate a 2FA app/device with a given activation code. The standard Airlock 2FA app does not support this feature; a custom mobile app built using the Futurae SDK is required.

Airlock IAM supports three modes for Trusted Session Binding:

  • Never: Trusted Session Binding is disabled.
  • Only with Letter: Trusted Session Binding is only enabled for activation letters.
  • Always: Trusted Session Binding is enabled both for activation letters and on-screen activation. For on-screen activation, Trusted Session Binding does not provide additional security because the activation code is already bound to an authenticated IAM session, but it could simplify the implementation of the activation process in the mobile app.
Attributes
Enum
Optional
Default value
OFF
Trusted Session Binding for Recovery (trustedSessionBindingForRecovery)
Description
If enabled, "Trusted Session Binding for Recovery" will be enabled on newly activated Airlock 2FA devices. This means that these devices can only be recovered from a backup as part of an authenticated session with Airlock IAM. Already activated devices are not retrospectively affected by this setting.
Attributes
Boolean
Optional
Default value
false
Binding Token Validity [s] (trustedSessionBindingValidity)
Description
The amount of time a Trusted Session Binding Token for device activation and recovery is valid in seconds. This setting only has an effect if at least one of the two following conditions is met:
  • Trusted Session Binding for Activation is set to "Only with Letter" or "Always".
  • Trusted Session Binding for Recovery is enabled.

The duration should not be larger than the "Session Idle Timeout" in the Loginapp, to avoid session timeouts when polling the IAM status.

Attributes
Integer
Optional
Default value
120
Lock User on Fraud (lockUserOnFraud)
Description
If enabled, the user is locked with reason LockReason.FraudReportedByUser when reporting a possible fraudulent authentication attempt via the Airlock 2FA app. This is done by rejecting the authentication attempt and then confirming that the attempt was not initiated by the user (in the app dialog).

Self-unlock is possible when locked by this option.

Attributes
Boolean
Optional
Default value
false
Allow Futurae Bypass Mode (allowFuturaeBypassMode)
Description

If enabled, Futurae users that have the bypass mode enabled will be allowed to authenticate / perform approval with IAM. Otherwise, any authentication or approval attempts for users with the bypass mode enabled will result in a failure.

Warning: Enabling bypass mode effectively disables all Airlock 2FA second factor checks. Bypass mode should not be used in production environments.

Attributes
Boolean
Optional
Default value
false
Payload Encryption Key (payloadEncryptionKey)
Description
The symmetric key to encrypt the authentication/transaction payloads. If left empty, the payloads are not encrypted.

The encryption of payloads in requests to the Futurae API prevents intermediate infrastructure such as a reverse proxy from reading or altering the confidential data therein. The encryption key can be obtained from the Futurae Admin Dashboard.

Attributes
String
Optional
Sensitive
Unencrypted Payload for Hardware Tokens (unencryptedPayloadForHWTokens)
Description
When a 'Payload Encryption Key' is configured, 'Unencrypted Payload for Hardware Tokens' should be enabled. This setting only applies when a hardware token is used for authentication or approval via Offline QR Code.
  • If the option is enabled, the payload is transmitted in plain text (unencrypted).
  • If the option is disabled, hardware tokens will not be available for authentication or approval via Offline QR Code, since Futurae does not support payload encryption for hardware tokens.
For security reasons, this exception must be explicitly configured.

Note: Enabling this property without configuring a 'Payload Encryption Key' has no effect, as the payload is transmitted unencrypted by default.

Attributes
Boolean
Optional
Default value
false
Cooldown Period (cooldownPeriod)
Description

If configured, a cooldown period is enabled during which a newly registered device cannot be used for certain operations.

By default, all Airlock 2FA steps are configured so that devices may not be used during the "Cooldown Period". Exceptions can be configured directly on the step by de-activating the "Respect Cooldown Period" property.

The duration must be specified in the format "2d 4h 10m 5s" (any part can be omitted).

Attributes
String
Optional
Example
10m
Example
12h
Example
2d
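The "Cooldown Period" format above and its interaction with a step's "Respect Cooldown Period" property, as an added example that is not Airlock IAM code: a parser for the "2d 4h 10m 5s" notation (any part omitted, empty value meaning no cooldown) and the decision whether a newly registered device may be used by a step. Times are epoch seconds; the device record and the assumption that parts may appear in any order but not twice are illustration only.

```python
"""Cooldown Period parsing and device eligibility (added example, not Airlock IAM code)."""
import re

_PART = re.compile(r"^(\d+)([dhms])$")
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_cooldown_period(text):
    """Return the cooldown in seconds, or None when the property is empty
    (no cooldown configured). Raises ValueError for input such as '10x' or '5m 5m'."""
    if text is None or not text.strip():
        return None
    total = 0
    seen = set()
    for token in text.split():
        match = _PART.match(token)
        if not match:
            raise ValueError(f"invalid cooldown part: {token!r}")
        value, unit = int(match.group(1)), match.group(2)
        if unit in seen:  # assumption: each unit at most once
            raise ValueError(f"duplicate unit: {unit!r}")
        seen.add(unit)
        total += value * _UNIT_SECONDS[unit]
    return total


def device_in_cooldown(registered_at, cooldown_s, now):
    """A device is in cooldown until registration time plus the cooldown period."""
    if cooldown_s is None:
        return False
    return now < registered_at + cooldown_s


def device_usable_for_step(registered_at, cooldown_text, respect_cooldown_period, now):
    """Combine the global "Cooldown Period" with the step's "Respect Cooldown Period"
    property: a step that does not respect the cooldown accepts any device, as
    described for low-risk approval steps; otherwise devices in cooldown are refused."""
    if not respect_cooldown_period:
        return True
    cooldown_s = parse_cooldown_period(cooldown_text)
    return not device_in_cooldown(registered_at, cooldown_s, now)


if __name__ == "__main__":
    registered = 1_700_000_000  # constructed registration timestamp
    now = registered + 5 * 60   # five minutes later
    print(device_usable_for_step(registered, "10m", True, now))   # False: still in cooldown
    print(device_usable_for_step(registered, "10m", False, now))  # True: step ignores cooldown
    print(device_usable_for_step(registered, "", True, now))      # True: no cooldown configured
```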
YAML Template (with default values)

type: Airlock2FASettings
id: Airlock2FASettings-xxxxxx
displayName: 
comment: 
properties:
  accountDisplayNameProvider:
  allowFuturaeBypassMode: false
  cooldownPeriod:
  futuraeServer:
  lockUserOnFraud: false
  payloadEncryptionKey:
  repository:
  trustedSessionBindingForActivation: OFF
  trustedSessionBindingForRecovery: false
  trustedSessionBindingValidity: 120
  unencryptedPayloadForHWTokens: false

Airlock 2FA Token Controller

Description
Plugin to manage a user's Airlock 2FA account.
Type name
Airlock2FATokenController
Class
com.airlock.iam.admin.application.configuration.airlock2fa.Airlock2FATokenControllerConfig
May be used by
License-Tags
Airlock2FA
Properties
ID (id)
Description

Unique identifier for the token controller. Serves as token type ID in the REST interface.

This is also the "auth method" that is set on the user as active/next authentication method, i.e. it must match the "Authentication Method ID" of corresponding authentication flow steps.

Finally, this ID also determines the name (label) of this token controller in the Adminapp UI, as defined by the resource key 'user.auth-methods.type.generic.<id>', as well as the label for "auth method" specific lock reasons defined by the resource key 'user.account-state.LockReason.TooManyAuthAtts.<id>'.

Note that this ID must not be longer than 22 characters, in order to comply with the default DB schema restrictions for the column lock_reason.
Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_]+
Default value
AIRLOCK_2FA
Example
AIRLOCK_2FA
Example
AIRLOCK_2FA_CUSTOM
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Create Activation Letters (createActivationLetters)
Description
Settings for creating device activation letters. If not configured, activation letters cannot be created.
Attributes
Plugin-Link
Optional
Assignable plugins
Order Activation Letters (orderActivationLetters)
Description
Settings for ordering a device activation letter. If not configured, activation letters cannot be ordered.
Attributes
Plugin-Link
Optional
Assignable plugins
Create Shipment Letters (createShipmentLetters)
Description
Settings for hardware token shipment letters. If not configured, shipment letters cannot be created.
Attributes
Plugin-Link
Optional
Assignable plugins
Assign Hardware Tokens to Multiple Users (shareHardwareTokensAmongUsers)
Description
If checked, a hardware token can be assigned to multiple users.

Once a hardware token is assigned to a user, it is only available within the corresponding Futurae service.

Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: Airlock2FATokenController
id: Airlock2FATokenController-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  createActivationLetters:
  createShipmentLetters:
  id: AIRLOCK_2FA
  orderActivationLetters:
  shareHardwareTokensAmongUsers: false

Airlock 2FA Token Insertion Handler

Description

Persists an Airlock 2FA account that was created through a previous step.

Note: The Airlock 2FA Account Display Name can only be set when the registering user is persisted. Therefore the Account Display Name in the Airlock 2FA mobile app might not be displayed correctly until the registration is fully completed.

Type name
Airlock2FAInsertionHandler
Class
com.airlock.iam.userselfreg.application.configuration.step.Airlock2FAInsertionHandlerConfig
May be used by
License-Tags
SelfRegistration
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: Airlock2FAInsertionHandler
id: Airlock2FAInsertionHandler-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:

Airlock 2FA Transaction Approval Step

Description
A flow step to perform transaction approval using Airlock 2FA.

The transaction data will be displayed on the Airlock 2FA app, where the user can verify the data and approve the transaction if satisfied.

Type name
Airlock2FATransactionApprovalStep
Class
com.airlock.iam.transactionapproval.application.configuration.airlock2fa.Airlock2FATransactionApprovalStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Message Provider (messageProvider)
Description
Creates the message for transaction approval that will be displayed on the user's device.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Enable Push-to-All (enablePushToAll)
Description
If Push-to-All for One-Touch is enabled, device selection is never required for One-Touch. Push notifications are sent to all devices of a user and approval can be given on any of the devices.

The combination of Push-to-All and "Lock User on Fraud" could have undesired effects, because users might report fraud in legitimate use-cases.

If an AuthTokenId is provided, notifications are only sent to the device specified in the AuthTokenId.

Attributes
Boolean
Optional
Default value
false
Enable Short-Lived Online QR Codes (enableShortLivedOnlineQrCodes)
Description

Whether to enable short-lived Online QR Codes. Unlike regular Online QR Codes, these are refreshed regularly, allowing for shorter individual validities.

Shorter validities enhance security, since forwarding a QR code to victims and tricking them to scan the QR code becomes more difficult if the available time window is small.

Attributes
Boolean
Optional
Default value
false
QR Code Validity [s] (shortLivedQrCodeValidity)
Description

The maximum amount of time in seconds for which an Online QR Code is valid after it is first displayed to the end user (ignoring latency). This duration includes the time defined for the validity overlap. It only limits the time for scanning the QR code, not for the confirmation or approval afterwards.

Security Notice: The validity duration represents the attack window. Choosing a small validity makes attacks more difficult, in cases where an attacker attempts to forward a QR code to a victim for scanning.

This setting is only active if short-lived Online QR Codes are enabled.

Attributes
Integer
Optional
Default value
10
QR Code Validity Overlap [s] (shortLivedQrCodeValidityOverlap)
Description

Defines the duration in seconds during which the previously displayed QR Code is still valid after being replaced by the next QR code in sequence.

This provides time for pending requests to complete and ensures that a valid QR code is displayed at every moment in time, provided that there are no network or performance issues.

The validity overlap must meet the following criteria:

  • It must be smaller than half the overall validity of the QR code.
  • It must be larger than the Loginapp UI polling interval (1s) plus the network latency (IAM backend → Loginapp UI plus Mobile Device → Futurae Backend).
    Note that the polling interval may differ for custom user interfaces.

This setting is only active if short-lived Online QR Codes are enabled.

Attributes
Integer
Optional
Default value
3
Session Timeout [s] (shortLivedSessionTimeout)
Description

Maximum duration in seconds during which short-lived Online QR Codes are displayed until a session timeout occurs.

This setting is used exclusively for short-lived Online QR Codes. It has no effect if short-lived Online QR Codes are disabled.

Attributes
Integer
Optional
Default value
60
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Redirect URI (mobileOnlyRedirectUri)
Description
The URI used on iOS to switch from the authentication app (Airlock 2FA or compatible) back to the main app where the authentication was initiated. This value is not applicable if the authentication is directly performed by the main app. Furthermore, this value is ignored on Android, where the back stack mechanism is used instead.
Attributes
String
Optional
Scheme Override (mobileOnlySchemeOverride)
Description
Allows overriding the scheme of the mobile authentication URI returned by the approval step. The scheme of the authentication URI determines which app is opened on the mobile device for authentication. This is useful when migrating from one authentication app (such as Airlock 2FA) to a different authentication app. For example, during a migration, this step can be used to support the previous authentication app by overriding the scheme of the new app with the scheme of the previous app.
Attributes
String
Optional
Validation RegEx: ^[a-zA-Z][a-zA-Z0-9\+\-\.]*$
Example
airlock2fa
Example
OneApp-1
Approval Factors (approvalFactors)
Description

Priority list of all factors that can be used in this approval step. Only factors that are in this list can be used. The factors are offered in the configured order.

One-Touch and Online QR Code must come before all other factors. It is recommended to include at least one offline factor.

Available factors:

  • One-Touch: a push message is sent to the user's mobile app, where it must be approved. This is an online factor and will require device selection if the user has multiple devices.
  • Online QR Code: a QR code is displayed in the browser, which has to be scanned by a mobile app and approved there. This is an online factor. No prior device selection is required.
  • Offline QR Code: a QR code is displayed in the browser which has to be scanned by a mobile app or hardware token. The device displays a code (OTP) that must be entered manually in the browser. This is an offline factor and will require device selection if the user has multiple devices.
  • Passcode: the device (mobile app or hardware token) generates a time-dependent code (OTP) that has to be entered manually. This is an offline factor. No prior device selection is required.
  • Mobile Only: the approval is handled directly by the mobile app. This is an online factor. No prior device selection is required. There is no fallback from this factor to other factors or vice-versa. Therefore, the only use case for combining this with other factors is in transaction approval, where the factor previously used for authentication determines whether mobile-only or another factor will be used. Since there is no way to use any factors configured after Mobile Only, it should always be configured as the last factor.

AuthTokenId:
The AuthTokenId identifies the device and factor that was used during the authentication and links it to the approval process. It is used to ensure that, for certain flows, the same device must perform the approval. The AuthTokenId is evaluated only for transaction approval. It has no effect on other flow types.

When the AuthTokenId is present in the transaction approval flow and contains the factor Mobile Only:

  • and the Mobile Only factor is configured in this approval step: the Mobile Only factor will be enforced.
  • and the Mobile Only factor is not configured in this approval step: any of the configured factors may be used.

Attributes
String-List
Optional
Default value
[One-Touch, Offline QR Code, Mobile Only]
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown cannot be used for approval.

If disabled, this step ignores the "Cooldown Period" for new devices configured in the "Airlock 2FA Settings". This is typically used for approval steps that protect low-risk operations, which can also be performed with devices in cooldown.

If no "Cooldown Period" is defined, enabling this property has no effect.

Attributes
Boolean
Optional
Default value
true
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: Airlock2FATransactionApprovalStep
id: Airlock2FATransactionApprovalStep-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  approvalFactors: [One-Touch, Offline QR Code, Mobile Only]
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  enablePushToAll: false
  enableShortLivedOnlineQrCodes: false
  interactiveGotoTargets:
  messageProvider:
  mobileOnlyRedirectUri:
  mobileOnlySchemeOverride:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  respectCooldownPeriod: true
  shortLivedQrCodeValidity: 10
  shortLivedQrCodeValidityOverlap: 3
  shortLivedSessionTimeout: 60
  skipCondition:
  stepId:
  tagsOnSuccess:
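
The constraints stated above for the approval factor list (One-Touch and Online QR Code first, Mobile Only last, at least one offline factor recommended) and for the short-lived QR code timings (overlap smaller than half the validity, larger than the 1 s UI polling interval plus latency), together with the AuthTokenId rule for Mobile Only, as an added example that is not part of the Airlock IAM product or of this reference: a Python check that can be run over the `properties` of an `Airlock2FATransactionApprovalStep` before the configuration is activated. The expected network latency is an input you supply, and the sample property dict below is constructed for the example.

```python
"""Sanity checks for Airlock2FATransactionApprovalStep properties.

Added example; not Airlock IAM code. It encodes only the constraints that
the plugin reference states in prose so that a reviewer can catch a
misconfiguration before a flow goes live.
"""
from __future__ import annotations

ONLINE_FIRST = ("One-Touch", "Online QR Code")      # must precede all others
OFFLINE_FACTORS = ("Offline QR Code", "Passcode")   # usable without network
KNOWN_FACTORS = ONLINE_FIRST + OFFLINE_FACTORS + ("Mobile Only",)
UI_POLLING_INTERVAL_S = 1.0  # Loginapp UI polling interval given in the reference


def check_factor_order(factors: list[str]) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for an approvalFactors priority list."""
    errors: list[str] = []
    warnings: list[str] = []
    if not factors:
        errors.append("approvalFactors must contain at least one factor")
        return errors, warnings
    for f in factors:
        if f not in KNOWN_FACTORS:
            errors.append(f"unknown factor {f!r}")
    # One-Touch and Online QR Code must come before all other factors.
    seen_non_online = False
    for f in factors:
        if f in ONLINE_FIRST:
            if seen_non_online:
                errors.append(f"{f} must come before all other factors")
        else:
            seen_non_online = True
    # Nothing configured after Mobile Only is reachable, so it must be last.
    if "Mobile Only" in factors and factors[-1] != "Mobile Only":
        errors.append("Mobile Only must be the last factor; later factors are unreachable")
    if not any(f in OFFLINE_FACTORS for f in factors):
        warnings.append("no offline factor configured; users cannot approve without connectivity")
    return errors, warnings


def check_short_lived_qr(props: dict, expected_latency_s: float = 0.0) -> list[str]:
    """Return timing errors for short-lived Online QR Codes (none if disabled)."""
    if not props.get("enableShortLivedOnlineQrCodes", False):
        return []
    validity = props.get("shortLivedQrCodeValidity", 10)
    overlap = props.get("shortLivedQrCodeValidityOverlap", 3)
    errors: list[str] = []
    # The overlap is part of the validity window; it must stay below half of it.
    if not overlap < validity / 2:
        errors.append(f"validity overlap {overlap}s must be smaller than half the validity ({validity}s)")
    # Otherwise the UI can poll while no QR code is valid.
    lower_bound = UI_POLLING_INTERVAL_S + expected_latency_s
    if not overlap > lower_bound:
        errors.append(f"validity overlap {overlap}s must exceed polling interval plus latency ({lower_bound}s)")
    return errors


def effective_factors(configured: list[str], auth_token_factor: str | None = None) -> list[str]:
    """Factors usable for a transaction approval given the AuthTokenId's factor.

    Mobile Only with an AuthTokenId is the case the reference spells out; the
    handling of other AuthTokenId factors (Mobile Only excluded, since there is
    no fallback between it and other factors) is this example's reading of it.
    """
    if auth_token_factor is None:
        return list(configured)
    if auth_token_factor == "Mobile Only":
        return ["Mobile Only"] if "Mobile Only" in configured else list(configured)
    return [f for f in configured if f != "Mobile Only"]


def validate_step(props: dict, expected_latency_s: float = 0.0) -> tuple[list[str], list[str]]:
    """Combine all checks for one step's properties: (errors, warnings)."""
    factors = props.get("approvalFactors", ["One-Touch", "Offline QR Code", "Mobile Only"])
    errors, warnings = check_factor_order(factors)
    errors += check_short_lived_qr(props, expected_latency_s)
    return errors, warnings


# Constructed sample: defaults with short-lived QR codes switched on.
SAMPLE_PROPS = {
    "approvalFactors": ["One-Touch", "Offline QR Code", "Mobile Only"],
    "enableShortLivedOnlineQrCodes": True,
    "shortLivedQrCodeValidity": 10,
    "shortLivedQrCodeValidityOverlap": 3,
    "shortLivedSessionTimeout": 60,
}

if __name__ == "__main__":
    print(validate_step(SAMPLE_PROPS, expected_latency_s=1.0))
```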

Airlock 2FA Username Transformer

Description
Username transformer that takes a Futurae Account ID as an input and returns the corresponding Airlock IAM username.
Type name
Airlock2FAUsernameTransformer
Class
com.airlock.iam.factor.application.configuration.airlock2fa.Airlock2FAUsernameTransformer
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA User Repository (a2faUserRepositoryConfig)
Description
The repository to look up Airlock 2FA data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: Airlock2FAUsernameTransformer
id: Airlock2FAUsernameTransformer-xxxxxx
displayName: 
comment: 
properties:
  a2faUserRepositoryConfig:

Airlock 2FA Usernameless Authentication Step

Description

Step for Airlock 2FA Usernameless QR Code authentication.

This step allows authentication without requiring the user to enter their username. Instead, a QR code (identifying the session) is displayed on the login page and can be scanned by any user with the Airlock 2FA app. The app then authenticates this session on the server and thus enables Airlock IAM to connect the browser session with the user who scanned the QR code.

Type name
Airlock2FAUsernamelessQrCodeAuthenticationStep
Class
com.airlock.iam.authentication.application.configuration.airlock2fa.Airlock2FAUsernamelessQrCodeAuthenticationStepConfig
May be used by
License-Tags
Airlock2FA
Properties
Airlock 2FA Settings (airlock2faSettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Message Provider (messageProvider)
Description

Creates the message that will be displayed on the user's device when using Usernameless QR Code. If no message provider is configured, the default title of Futurae will be shown (without any additional information items).

Note that since no user ID is known when creating a username-less QR code, no message providers relying on user-specific data can be used.

Attributes
Plugin-Link
Optional
Assignable plugins
QR Code Validity [s] (qrCodeValidity)
Description
The amount of time a QR Code is valid in seconds.
Attributes
Integer
Optional
Default value
60
Maximum QR Code Renewals (maxRenewals)
Description
The maximum number of times the QR code is renewed, which means that it is replaced by an unrelated new QR code.

QR codes are renewed before they expire. This ensures that users can complete an ongoing authentication seamlessly even if they scan a QR code shortly before it is refreshed.

Fewer renewals do not lead to enhanced security. The only reason not to renew indefinitely is to save server resources.

Attributes
Integer
Optional
Default value
10
Timeout Goto Target (timeoutGoto)
Description
The ID of the target step to go to on timeout.
Attributes
Plugin-Link
Optional
Assignable plugins
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown cannot be used for authentication.

If disabled, the step ignores the "Cooldown Period" for new devices configured in the "Airlock 2FA Settings". This is typically used for authentication steps that protect low-risk applications, such as a portal page, which can also be accessed using devices in cooldown.

If no "Cooldown Period" is defined, enabling this property has no effect.

Attributes
Boolean
Optional
Default value
true
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: Airlock2FAUsernamelessQrCodeAuthenticationStep
id: Airlock2FAUsernamelessQrCodeAuthenticationStep-xxxxxx
displayName: 
comment: 
properties:
  airlock2faSettings:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  maxRenewals: 10
  messageProvider:
  onFailureGotos:
  preCondition:
  qrCodeValidity: 60
  requiresActivation: false
  respectCooldownPeriod: true
  skipCondition:
  stepId:
  tagsOnSuccess:
  timeoutGoto:

Airlock 2FA was used for login (Transaction Approval only)

Description
Flow selection condition that selects the subflow if Airlock 2FA was used for login (as determined by the authTokenId provided in a preceding Transaction Approval Parameter Step).
Type name
Airlock2FAAuthTokenIdSelectionCondition
Class
com.airlock.iam.transactionapproval.application.configuration.selection.Airlock2FAAuthTokenIdSelectionConditionConfig
May be used by
User Identification By Data Step, OAuth 2.0 Consent Grant Initiation Step, FIDO Registration Step, Set Context Data Step, Legacy ID Propagation Adapter, Airlock 2FA Activation Trusted Session Binding Step, Selection Step for Self-Service, Cronto Device Reset Step, Default Enable Cronto Device Flow, Airlock 2FA Authentication Step, OAuth 2.0 Client Persisting Step, Send Email Link Step, Phone Number Verification Step, Set Authentication Method Step, Email OTP Authentication Step, FIDO Transaction Approval Step, HTTP Basic Authentication Step, Delete OAuth 2.0 Session Initiation Step, Secret Questions Identity Verification Step, Custom Protected Self-Service Flow, SSI Passwordless Authentication Step, User Data Registration Step, Failure Step, Select mTAN Token Step, SAML 2.0 SP User Identifying Step, Account Link Removal Initiation Step, No Operation Step, Cronto Transaction Approval Step, Cronto Device List, OAuth 2.0 Client Registration Step, Password Change Self-Service Step, Airlock 2FA Device Deletion Initiation Step, Apply Changes Step, Selection Option For Public Self-Service, Airlock 2FA Activation Step (with additional Activation), Legacy mTAN Registration Flow, Enable Cronto Push Initiation Step, Start User Representation Step, Selection Option For User Self-Registration, OAuth 2.0 Session List, Representation SSO Ticket Identifying Step, User Role Assignment Step, Default Cronto Device Removal Flow, Email Verification Step, OATH OTP Activation Step, Airlock 2FA Mobile Only Authentication Step, Target Applications and Authentication, Airlock 2FA Public Self-Service Approval Step, Default OAuth 2.0 Consent Grant Flow, FIDO Credential Selection Step, Matrix Self-Service Approval Step, User Data Edit Step, Set Password Step, Cronto Letter Order Step, Username Password Authentication Step, Default Cronto Device Renaming Flow, OIDC Flow Condition To ACR Value Mapping, Default FIDO Credential Display Name Change Flow, Selection Step, Default mTAN Deletion Flow, Cronto Activation Step, Remember-Me Device List, User Identification By Data Step (Public Self-Service), Vasco OTP Authentication Step, User Lock Step, Logical NOT, Certificate Credential Extraction Step, Stop User Representation Step, OAuth 2.0 Consents Delete Initiation Step, Default FIDO Credential Removal Flow, mTAN Token Edit Step, CrontoSign Swiss Push Activation Step, Airlock 2FA Transaction Approval Step, Missing Account Link Step, User Identification Step, Rename Cronto Device Step, User Identification with FIDO Authentication Step, Airlock 2FA Recovery Trusted Session Binding Step, Default Account Link Linking Flow, User Persisting Step, Secret Questions Provisioning Step, Selection Option For Self-Service, Kerberos Authentication Step, Complete Migration Step, Never Migrate Step, Application Portal Target, Migration Selection Step, Account Link Linking Initiation Step, Username Generation Step, Airlock 2FA Device List, Email Notification Step, Airlock 2FA Activation Letter Order Step, SMS Identity Verification Step, Matrix Public Self-Service Approval Step, Default Enable FIDO Credential Flow, Airlock 2FA Device Edit Initiation Step, Enable Cronto Device Initiation Step, Matrix Checking Step, Red Flag Raising Step, Scriptable Step, Login From New Device Step, Default Disable Cronto Push Flow, FIDO Credential List, Password Letter Order Step, Device Token Authentication Step, Unlock User Step (Public Self-Service), Condition-based Role Provider, Set Authentication Method Migration Step, SSI Issuance Step, Default mTAN Token Registration Flow, Default Remember-Me Device Deletion Flow, FIDO Passwordless Authentication Step, Remember-Me User Identifying Step, Password Reset Step, Selection Option, FIDO Authentication Step, On Behalf Login Identity Propagation, Terms Of Services Step, Email Change Verification Step, Vasco OTP Self-Service Approval Step, Airlock 2FA Delete Devices Step, Password-only Authentication Step, SSI Self-Registration Issuance Step, Username Password with FIDO Authentication Step, User Identification Step (Public Self-Service), SSI Verification Step, mTAN Self-Service Approval Step, Legacy Email OTP Authentication Step, Cronto Device Selection Step, OAuth 2.0 Consent List, Abort Step, mTAN Token Registration Step, Email OTP Transaction Approval Step, Default Disable FIDO Credential Flow, Default mTAN Token Edit Flow, Disable FIDO Credential Initiation Step, Enable FIDO Credential Initiation Step, OAuth 2.0 SSO Step, Remember-Me Reset Step, Cronto Authentication Step, Delete Remember-Me Device Initiation Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, Airlock 2FA Usernameless Authentication Step, Email Identity Verification Step, Default OAuth 2.0 Consent Deny Flow, OATH OTP Authentication Step, Password Repository Mapping, Target URI ID Propagator, Vasco OTP Public Self-Service Approval Step, OTP Check via RADIUS Step, Disable Cronto Push Initiation Step, Cronto Public Self-Service Approval Step, OAuth 2.0 Session Reset Step, OAuth 2.0 Consent Deny Initiation Step, Flow Condition-based OAuth 2.0 Scope Condition, Flow Condition To Authentication Context Mapping, mTAN Verification Step, Delete mTAN Number Initiation Step, Default OAuth 2.0 Consents Delete Flow, Generic ID Propagator, mTAN Public Self-Service Approval Step, OAuth 2.0 Consent Step, Transaction Approval Parameter Step, Role-based Tag Acquisition Step, Flow Continuation Step, Remember-Me Token Generating Step, Device Token Registration Step, Cronto Self-Service Approval Step, SSI Authentication Step, Acknowledge Message Step, Default Enable Cronto Push Flow, Cronto Approval Stealth Step, Airlock 2FA Device Edit Step, Airlock 2FA Self-Service Approval Step, Flow Continuation Token Consumption Step, Device Token Identity Verification Step, mTAN Transaction Approval Step, Device Token List, Account Linking Lists Self Services, Risk Assessment Step, Default Account Link Removal Flow, mTAN Number List, mTAN Authentication Step, Advanced Migration Selection Option, SSO Ticket Authentication Step, Tag Removal Step, Voluntary Password Change Step, Airlock 2FA Activation Step, FIDO Credential Display Name Change Step, Mandatory Password Change Step, User Unlock Step (Self-Registration), Selection Step for Public Self-Service, Delete FIDO Credential Initiation Step, Delete Cronto Device Initiation Step, Conditional Value Map Provider, Logical AND, FIDO Public Self-Service Approval Step, Public Self-Service OATH OTP Approval Step, Disable Cronto Device Initiation Step, Default OAuth 2.0 Session Deletion Flow, FIDO Self-Service Approval Step, Default Disable Cronto Device Flow, Logical OR
License-Tags
Airlock2FA
Properties
Selectable If Login Method Unknown (selectableIfNoAuthTokenIdPresent)
Description
If this option is selected, the condition is always true (i.e. the option is selectable) if the login method is unknown.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: Airlock2FAAuthTokenIdSelectionCondition
id: Airlock2FAAuthTokenIdSelectionCondition-xxxxxx
displayName: 
comment: 
properties:
  selectableIfNoAuthTokenIdPresent: true

Airlock Gateway Roles

Description
Roles from the Role Provider will be added to the Airlock Gateway session. The Timeout Provider can be used to set custom session idle timeouts and lifetimes. The timeouts are applied to all provided roles. If no timeouts are provided and the role doesn't have timeouts, the Airlock Gateway defaults are applied.
Type name
AirlockGatewayRoles
Class
com.airlock.iam.login.application.configuration.targetapp.AirlockGatewayRolesConfig
May be used by
Properties
Role Provider (roleProvider)
Description
All roles which are provided will be added to the Airlock Gateway session.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Timeout Provider (timeoutProvider)
Description
The Timeout Provider is applied to all provided roles. A role's own idle timeout and lifetime are preserved wherever the Timeout Provider does not overwrite them.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: AirlockGatewayRoles
id: AirlockGatewayRoles-xxxxxx
displayName: 
comment: 
properties:
  roleProvider:
  timeoutProvider:

Airlock Gateway Settings

Description
Configuration for Airlock Gateway (WAF) running in front of Airlock IAM. While active, IAM parses HTTP request environment cookies.
Type name
AirlockGateway
Class
com.airlock.iam.core.application.configuration.waf.AirlockGatewayConfig
May be used by
Properties
Add Credentials To Session (addCredentialsToSession)
Description
Usually, existing roles should be kept, i.e., the roles granted to a user in Airlock IAM should be added to the existing set of roles of an Airlock Gateway session. This is achieved by using the Airlock Control Cookie command ADD_CREDENTIALS. If every identity propagation shall replace all previously set roles, disable this property, which results in the Airlock Control Cookie command SET_CREDENTIALS.
Attributes
Boolean
Optional
Default value
true
Control Cookie Name (controlCookieName)
Description

The name of the control cookie used to communicate with the Airlock Gateway (WAF) backend control API. This must be the same as configured in Airlock.

A control cookie is set after successful authentication with the roles granted to the user as credentials/roles. Additionally, a new session ID is generated (to prevent session fixation attacks) and the global session ID is set as audit token.

This property also enables so-called "session tickets". After successful authentication the user's name and the granted roles are stored in the current session plus a session ticket cookie including this information is stored in the Airlock Gateway cookie store. The session ticket is needed to re-authenticate any new session later.

Attributes
String
Optional
Default value
AL_CONTROL
Environment Cookie Prefix (environmentCookiePrefix)
Description
The name of the prefix that Airlock Gateway (WAF) prepends to all environment cookies it sends to its backends. This must be the same as configured in Airlock Gateway. It is used to extract, for example, the client IP address or the client certificate.
Attributes
String
Optional
Default value
AL_ENV_
Audit Token (auditToken)
Description

Type of the audit token set in the Airlock Gateway (WAF) after the authentication.

  • "Username": The audit token contains just the username.
  • "SessionID": The audit token contains just the session id.
  • "Username and SessionID": The audit token contains the username followed by a "-" and the session ID.
  • "None": The audit token is empty.
Attributes
Enum
Optional
Default value
USERNAME
YAML Template (with default values)

type: AirlockGateway
id: AirlockGateway-xxxxxx
displayName: 
comment: 
properties:
  addCredentialsToSession: true
  auditToken: USERNAME
  controlCookieName: AL_CONTROL
  environmentCookiePrefix: AL_ENV_

Airlock Gateway Settings (Loginapp)

Description
Gateway settings for the Loginapp. These settings are essential to ensure correct and secure behavior if Airlock IAM is deployed behind an Airlock Gateway.
Type name
LoginappGateway
Class
com.airlock.iam.login.application.configuration.gateway.LoginappGatewayConfig
May be used by
Properties
Removed Roles Mappings (removedRolesMappings)
Description

Airlock Gateway can indicate (using an environment cookie) that roles have been dropped. Dropped roles can be mapped to tags in Airlock IAM that should be dropped as a consequence.

Attributes
Plugin-List
Optional
Assignable plugins
Client Fingerprinting Lockout Threshold (clientFingerprintingLockoutThreshold)
Description

If the Airlock Gateway terminates a session because of a high client fingerprinting (CFP) score, IAM is informed about this as part of the Airlock Gateway logout propagation.
This property defines a CFP score threshold: if the CFP score reported by the Airlock Gateway is greater than or equal to the threshold, the user account is locked in IAM. As a result, not only is the current Airlock Gateway session terminated, but the user account is also locked against further login attempts. The user cannot unlock the account via the "Unlock Self-Service".

Note: Ensure that the logout propagation path in the corresponding Airlock Gateway mapping for IAM points to the corresponding REST endpoint.

Please refer to the Airlock Gateway manual for further information about client fingerprinting.

Attributes
Integer
Optional
Add Credentials To Session (addCredentialsToSession)
Description
Usually, existing roles should be kept, i.e., the roles granted to a user in Airlock IAM should be added to the existing set of roles of an Airlock Gateway session. This is achieved by using the Airlock Control Cookie command ADD_CREDENTIALS. If every identity propagation shall replace all previously set roles, disable this property, which results in the Airlock Control Cookie command SET_CREDENTIALS.
Attributes
Boolean
Optional
Default value
true
Control Cookie Name (controlCookieName)
Description

The name of the control cookie used to communicate with the Airlock Gateway (WAF) backend control API. This must be the same as configured in Airlock.

A control cookie is set after successful authentication with the roles granted to the user as credentials/roles. Additionally, a new session ID is generated (to prevent session fixation attacks) and the global session ID is set as audit token.

This property also enables so-called "session tickets". After successful authentication the user's name and the granted roles are stored in the current session plus a session ticket cookie including this information is stored in the Airlock Gateway cookie store. The session ticket is needed to re-authenticate any new session later.

Attributes
String
Optional
Default value
AL_CONTROL
Environment Cookie Prefix (environmentCookiePrefix)
Description
The name of the prefix that Airlock Gateway (WAF) prepends to all environment cookies it sends to its backends. This must be the same as configured in Airlock Gateway. It is used to extract, for example, the client IP address or the client certificate.
Attributes
String
Optional
Default value
AL_ENV_
Audit Token (auditToken)
Description

Type of the audit token set in the Airlock Gateway (WAF) after the authentication.

  • "Username": The audit token contains just the username.
  • "SessionID": The audit token contains just the session id.
  • "Username and SessionID": The audit token contains the username followed by a "-" and the session ID.
  • "None": The audit token is empty.
Attributes
Enum
Optional
Default value
USERNAME
YAML Template (with default values)

type: LoginappGateway
id: LoginappGateway-xxxxxx
displayName: 
comment: 
properties:
  addCredentialsToSession: true
  auditToken: USERNAME
  clientFingerprintingLockoutThreshold:
  controlCookieName: AL_CONTROL
  environmentCookiePrefix: AL_ENV_
  removedRolesMappings:

Airlock Microgateway Settings

Description
Configuration for Airlock Microgateway running in front of Airlock IAM. While active, IAM parses HTTP request headers.
Type name
AirlockMicrogateway
Class
com.airlock.iam.common.application.configuration.gateway.AirlockMicrogatewayConfig
May be used by
Properties
HTTP Request Client IP Extractor (clientIpExtractor)
Description
Extracts the client IP address from the incoming HTTP request. The client IP address is written by the gateway in front and is required by IAM in various places, e.g. when writing log files.
Attributes
Plugin-Link
Optional
Assignable plugins
HTTP Request ID Extractor (requestIdExtractor)
Description
Extracts the ID from the incoming HTTP request. The request ID is required by IAM in various places, e.g. when writing log files.
Attributes
Plugin-Link
Optional
Assignable plugins
HTTP Request URL Extractor (requestUrlExtractor)
Description
Extracts the request URL as seen by the client from the incoming HTTP request. The request URL is required by IAM in various places, e.g. when using OAuth 2.0.
Attributes
Plugin-Link
Optional
Assignable plugins
HTTP Request Client mTLS Certificate Extractor (requestMtlsClientCertExtractor)
Description
Extracts the mutual TLS client certificate from the incoming HTTP request. The client certificate is required by IAM in various places, e.g. when using OAuth 2.0.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: AirlockMicrogateway
id: AirlockMicrogateway-xxxxxx
displayName: 
comment: 
properties:
  clientIpExtractor:
  requestIdExtractor:
  requestMtlsClientCertExtractor:
  requestUrlExtractor:

Alias User Item

Description

Definition of a user alias. An alias is a special context data item that can be used as a login name in the same way as the username.

Note that by definition, all login names (i.e., aliases and usernames) must be unique across all users.

Type name
AliasDefinition
Class
com.airlock.iam.userselfreg.application.configuration.definition.AliasDefinitionConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
The string-typed context data item in which the alias is stored.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required (required)
Description
Specifies whether this alias must be provided before the step validates successfully.
Attributes
Boolean
Optional
Default value
true
Validators (validators)
Description
The validators for the alias. Additionally, alias names are automatically validated against the global Username Filter Pattern (configured in the Security Settings).
Attributes
Plugin-List
Mandatory
Assignable plugins
Input Purpose (inputPurpose)
Description

The input purpose allows labeling data items using standardized values (see https://www.w3.org/TR/WCAG22/#input-purposes).

It is rendered using the HTML attribute "autocomplete". Browsers can use this to automatically fill input fields with data that was previously entered in other fields with the same purpose.

Note that the input purpose provided here will be used in the default Loginapp UI components and is available to custom single-page applications via the REST endpoints */info/retrieve.

If the Loginapp UI is used with configuration-based 'Customized Step UIs', the input purpose has to be defined on the UI elements ('Input UI Element', 'Drop-Down UI Element', 'Date UI Element').

Attributes
String
Optional
Suggested values
username, nickname, email, tel
YAML Template (with default values)

type: AliasDefinition
id: AliasDefinition-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  inputPurpose:
  required: true
  validators:

All Devices Except Most Recently Registered

Description
This plugin returns the IDs of all the Airlock 2FA devices of the current user except for the Airlock 2FA device which has been registered most recently.

In case no Airlock 2FA account is associated with the current user, no device IDs are returned.

Use case: This plugin can be used to enforce a single-device policy, i.e., a user may only use one device at a time. For this, in every flow that allows the user to authenticate with Airlock 2FA, this plugin must be used together with an 'Airlock 2FA Delete Devices Step' placed upfront.

Type name
AllAirlock2FADevicesExceptMostRecentlyRegisteredProvider
Class
com.airlock.iam.flow.shared.application.configuration.airlock2fa.provider.AllAirlock2FADevicesExceptMostRecentlyRegisteredProviderConfig
May be used by
License-Tags
Airlock2FA
Properties
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown are never returned and do not count towards determining the latest registered device.

Attributes
Boolean
Optional
Default value
true
Airlock 2FA Settings (airlock2FASettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: AllAirlock2FADevicesExceptMostRecentlyRegisteredProvider
id: AllAirlock2FADevicesExceptMostRecentlyRegisteredProvider-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:
  respectCooldownPeriod: true

All Devices Except Registered In Flow

Description
This plugin returns the IDs of all the Airlock 2FA devices of the current user except for the Airlock 2FA devices registered in the current flow.

In case no Airlock 2FA account is associated with the current user, no device IDs are returned.

Use case: This plugin is designed to facilitate the secure migration of users from the Airlock 2FA app to either an alternative 2FA app or a new business app that includes built-in two-factor authentication using the Futurae Mobile SDK (One App solution). During this migration, all old tokens associated with the user's previous business application are deleted to ensure security and prevent unauthorized access.
For this use case, the plugin should be used with an 'Airlock 2FA Delete Devices Step' which is configured after the step activating the new Airlock 2FA device.

Type name
AllAirlock2FADevicesExceptRegisteredInFlowProvider
Class
com.airlock.iam.flow.shared.application.configuration.airlock2fa.provider.AllAirlock2FADevicesExceptRegisteredInFlowProviderConfig
May be used by
License-Tags
Airlock2FA
Properties
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown are never returned.

Attributes
Boolean
Optional
Default value
true
Airlock 2FA Settings (airlock2FASettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: AllAirlock2FADevicesExceptRegisteredInFlowProvider
id: AllAirlock2FADevicesExceptRegisteredInFlowProvider-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:
  respectCooldownPeriod: true

All Ok On Behalf Login Step Validator

Description
Validates a login step successfully regardless of the result (access denied or not) of the login step as long as the login step does not encounter technical errors.
Type name
AllOkOnBehalfLoginStepValidator
Class
com.airlock.iam.core.misc.impl.sso.onbehalflogin.AllOkOnBehalfLoginStepValidator
May be used by
Properties
YAML Template (with default values)

type: AllOkOnBehalfLoginStepValidator
id: AllOkOnBehalfLoginStepValidator-xxxxxx
displayName: 
comment: 
properties:

All Phone Numbers Provider

Description
Provides all of the user's phone numbers.
Type name
AllPhoneNumbersProvider
Class
com.airlock.iam.common.application.configuration.sms.AllPhoneNumbersProviderConfig
May be used by
Properties
mTAN Handler (mtanHandler)
Description
An mTAN handler retrieves mTAN number tokens.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: AllPhoneNumbersProvider
id: AllPhoneNumbersProvider-xxxxxx
displayName: 
comment: 
properties:
  mtanHandler:

All Required Roles Match

Description
Strategy to select role specific configurations based on the admin's roles.

Selects a configuration if the admin has all of the roles required by the configuration. If a configuration requires no roles, it is always selected.

Type name
AllRequiredRolesMatcher
Class
com.airlock.iam.admin.application.configuration.users.AllRequiredRolesMatcher
May be used by
Properties
YAML Template (with default values)

type: AllRequiredRolesMatcher
id: AllRequiredRolesMatcher-xxxxxx
displayName: 
comment: 
properties:

All User Roles

Description
Provides all roles from the user. Note that this includes only roles loaded from the persistency.
Type name
UserRolesProvider
Class
com.airlock.iam.login.application.configuration.targetapp.UserRolesProviderConfig
May be used by
Properties
YAML Template (with default values)

type: UserRolesProvider
id: UserRolesProvider-xxxxxx
displayName: 
comment: 
properties:

Allowed Characters Password Policy

Description
A password policy check that checks whether all characters of the password are allowed.
Type name
PwdPolicyAllowedCharsCheck
Class
com.airlock.iam.core.misc.impl.authen.PwdPolicyAllowedCharsCheck
May be used by
Properties
Allowed Chars Pattern (allowedCharsPattern)
Description
The regular expression pattern defining the set of allowed characters.

Every character of the password is matched against this pattern individually; if any character does not match, the password is rejected.

For details about the regular expression syntax, please refer to the class documentation of java.util.regex.Pattern in the Java JDK in use.

Because each single character is checked against the expression on its own, the anchors '^' and '$' serve no purpose and can be left out.

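As an added illustration (not part of the Airlock IAM documentation or product code), the following Python reproduces the per-character semantics described above; `re.fullmatch` stands in for Java's `Matcher.matches()`, and the patterns and passwords are constructed samples.

```python
import re


def allowed_chars_check(allowed_chars_pattern: str, password: str) -> bool:
    """Accept the password only if every single character matches the pattern.

    Mirrors the documented behaviour of the Allowed Characters Password Policy:
    the pattern is applied to each character in isolation and must match the
    whole character, so '^' and '$' anchors add nothing. Python's re.fullmatch
    stands in for Java's Matcher.matches() (added example, not IAM code).
    """
    allowed = re.compile(allowed_chars_pattern)
    # An empty password has no forbidden characters; rejecting it is the job of
    # a minimum-length policy, not of this check.
    return all(allowed.fullmatch(ch) is not None for ch in password)


def first_rejected_char(allowed_chars_pattern: str, password: str):
    """Return the first character violating the pattern, or None.

    Lets an error message name the offending character without writing the
    whole password into a log line.
    """
    allowed = re.compile(allowed_chars_pattern)
    for ch in password:
        if allowed.fullmatch(ch) is None:
            return ch
    return None


# Constructed sample pattern: ASCII letters, digits and a fixed set of symbols.
ASCII_PATTERN = r"[A-Za-z0-9!#$%&*+\-./:=?@_~]"

# The same pattern with anchors behaves identically, because each character is
# matched on its own. This is why the documentation says they can be left out.
ANCHORED_PATTERN = r"^[A-Za-z0-9!#$%&*+\-./:=?@_~]$"


if __name__ == "__main__":
    # Constructed sample passwords; the space and the umlaut are rejected.
    for pwd in ("Tr0ub4dor&3", "correct horse", "pässword", "ok~tilde"):
        verdict = allowed_chars_check(ASCII_PATTERN, pwd)
        bad = first_rejected_char(ASCII_PATTERN, pwd)
        print(f"{pwd!r:16} allowed={verdict} first_rejected={bad!r}")
```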
Attributes
RegEx
Mandatory
YAML Template (with default values)

type: PwdPolicyAllowedCharsCheck
id: PwdPolicyAllowedCharsCheck-xxxxxx
displayName: 
comment: 
properties:
  allowedCharsPattern:

Allowed Username Password Combination

Description
A combination of a username and password that shall be allowed for this endpoint.
Type name
AllowedUsernamePasswordCombination
Class
com.airlock.iam.login.app.misc.oauth2.introspection.config.AllowedUsernamePasswordCombination
May be used by
License-Tags
OAuthServer
Properties
Username (username)
Description
The username.
Attributes
String
Mandatory
Password (password)
Description
The user's password.
Attributes
String
Mandatory
Sensitive
YAML Template (with default values)

type: AllowedUsernamePasswordCombination
id: AllowedUsernamePasswordCombination-xxxxxx
displayName: 
comment: 
properties:
  password:
  username:

Alphabet

Description
An alphabet defined by a list of characters.
Type name
Alphabet
Class
com.airlock.iam.core.misc.impl.authen.Alphabet
May be used by
Properties
Characters (characters)
Description
The allowed characters in the alphabet.

NOTE: When used for random string generation, repeated characters are generated with higher probability. Usually, a uniform distribution of characters is desired, so repeated characters should be avoided in these use cases.

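To quantify the caveat above, here is an added Python example (not Airlock IAM code) that computes how much entropy a generated string loses when the alphabet contains repeated characters; the alphabets are constructed, "abcde" being the documented example value.

```python
import math
import secrets
from collections import Counter


def char_probabilities(characters: str) -> dict:
    """Probability of each distinct character when a generator picks one
    position of the alphabet string uniformly at random. A character that
    appears twice in the string gets twice the share of a unique one."""
    counts = Counter(characters)
    total = len(characters)
    return {ch: n / total for ch, n in counts.items()}


def bits_per_character(characters: str) -> float:
    """Shannon entropy, in bits, of one generated character."""
    return -sum(p * math.log2(p) for p in char_probabilities(characters).values())


def entropy_loss_bits(characters: str, length: int) -> float:
    """Bits of entropy a string of `length` characters loses compared with a
    uniform draw over the same set of distinct characters (0.0 when the
    alphabet has no repeats)."""
    ideal = math.log2(len(set(characters)))
    return length * (ideal - bits_per_character(characters))


def generate(characters: str, length: int) -> str:
    """Random string from a CSPRNG that indexes the alphabet position by
    position, so duplicates in `characters` are over-represented."""
    return "".join(secrets.choice(characters) for _ in range(length))


if __name__ == "__main__":
    # Constructed alphabets: the documented example and a variant with a repeated 'a'.
    for alphabet in ("abcde", "aabcde"):
        print(f"{alphabet!r}: p={char_probabilities(alphabet)} "
              f"bits/char={bits_per_character(alphabet):.3f} "
              f"loss over 8 chars={entropy_loss_bits(alphabet, 8):.3f} "
              f"sample={generate(alphabet, 8)}")
```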
Attributes
String
Mandatory
Length >= 1
Example
abcde
YAML Template (with default values)

type: Alphabet
id: Alphabet-xxxxxx
displayName: 
comment: 
properties:
  characters:

Always Down Check

Description
A health check that always results in the status "DOWN".
Type name
AlwaysDownCheck
Class
com.airlock.iam.common.application.configuration.health.AlwaysDownCheckConfig
May be used by
Properties
YAML Template (with default values)

type: AlwaysDownCheck
id: AlwaysDownCheck-xxxxxx
displayName: 
comment: 
properties:

Always False

Description
Flow selection condition that is never fulfilled.
Type name
AlwaysFalseCondition
Class
com.airlock.iam.flow.application.configuration.selection.condition.AlwaysFalseConditionConfig
May be used by
User Identification By Data Step, OAuth 2.0 Consent Grant Initiation Step, FIDO Registration Step, Set Context Data Step, Legacy ID Propagation Adapter, Airlock 2FA Activation Trusted Session Binding Step, Selection Step for Self-Service, Cronto Device Reset Step, Default Enable Cronto Device Flow, Airlock 2FA Authentication Step, OAuth 2.0 Client Persisting Step, Send Email Link Step, Phone Number Verification Step, Set Authentication Method Step, Email OTP Authentication Step, FIDO Transaction Approval Step, HTTP Basic Authentication Step, Delete OAuth 2.0 Session Initiation Step, Secret Questions Identity Verification Step, Custom Protected Self-Service Flow, SSI Passwordless Authentication Step, User Data Registration Step, Failure Step, Select mTAN Token Step, SAML 2.0 SP User Identifying Step, Account Link Removal Initiation Step, No Operation Step, Cronto Transaction Approval Step, Cronto Device List, OAuth 2.0 Client Registration Step, Password Change Self-Service Step, Airlock 2FA Device Deletion Initiation Step, Apply Changes Step, Selection Option For Public Self-Service, Airlock 2FA Activation Step (with additional Activation), Legacy mTAN Registration Flow, Enable Cronto Push Initiation Step, Start User Representation Step, Selection Option For User Self-Registration, OAuth 2.0 Session List, Representation SSO Ticket Identifying Step, User Role Assignment Step, Default Cronto Device Removal Flow, Email Verification Step, OATH OTP Activation Step, Airlock 2FA Mobile Only Authentication Step, Target Applications and Authentication, Airlock 2FA Public Self-Service Approval Step, Default OAuth 2.0 Consent Grant Flow, FIDO Credential Selection Step, Matrix Self-Service Approval Step, User Data Edit Step, Set Password Step, Cronto Letter Order Step, Username Password Authentication Step, Default Cronto Device Renaming Flow, OIDC Flow Condition To ACR Value Mapping, Default FIDO Credential Display Name Change Flow, Selection Step, Default mTAN Deletion Flow, Cronto Activation Step, Remember-Me Device List, User Identification By Data Step (Public Self-Service), Vasco OTP Authentication Step, User Lock Step, Logical NOT, Certificate Credential Extraction Step, Stop User Representation Step, OAuth 2.0 Consents Delete Initiation Step, Default FIDO Credential Removal Flow, mTAN Token Edit Step, CrontoSign Swiss Push Activation Step, Airlock 2FA Transaction Approval Step, Missing Account Link Step, User Identification Step, Rename Cronto Device Step, User Identification with FIDO Authentication Step, Airlock 2FA Recovery Trusted Session Binding Step, Default Account Link Linking Flow, User Persisting Step, Secret Questions Provisioning Step, Selection Option For Self-Service, Kerberos Authentication Step, Complete Migration Step, Never Migrate Step, Application Portal Target, Migration Selection Step, Account Link Linking Initiation Step, Username Generation Step, Airlock 2FA Device List, Email Notification Step, Airlock 2FA Activation Letter Order Step, SMS Identity Verification Step, Matrix Public Self-Service Approval Step, Default Enable FIDO Credential Flow, Airlock 2FA Device Edit Initiation Step, Enable Cronto Device Initiation Step, Matrix Checking Step, Red Flag Raising Step, Scriptable Step, Login From New Device Step, Default Disable Cronto Push Flow, FIDO Credential List, Password Letter Order Step, Device Token Authentication Step, Unlock User Step (Public Self-Service), Condition-based Role Provider, Set Authentication Method Migration Step, SSI Issuance Step, Default mTAN Token Registration Flow, Default Remember-Me Device Deletion Flow, FIDO Passwordless Authentication Step, Remember-Me User Identifying Step, Password Reset Step, Selection Option, FIDO Authentication Step, On Behalf Login Identity Propagation, Terms Of Services Step, Email Change Verification Step, Vasco OTP Self-Service Approval Step, Airlock 2FA Delete Devices Step, Password-only Authentication Step, SSI Self-Registration Issuance Step, Username Password with FIDO Authentication Step, User Identification Step (Public Self-Service), SSI Verification Step, mTAN Self-Service Approval Step, Legacy Email OTP Authentication Step, Cronto Device Selection Step, OAuth 2.0 Consent List, Abort Step, mTAN Token Registration Step, Email OTP Transaction Approval Step, Default Disable FIDO Credential Flow, Default mTAN Token Edit Flow, Disable FIDO Credential Initiation Step, Enable FIDO Credential Initiation Step, OAuth 2.0 SSO Step, Remember-Me Reset Step, Cronto Authentication Step, Delete Remember-Me Device Initiation Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, Airlock 2FA Usernameless Authentication Step, Email Identity Verification Step, Default OAuth 2.0 Consent Deny Flow, OATH OTP Authentication Step, Password Repository Mapping, Target URI ID Propagator, Vasco OTP Public Self-Service Approval Step, OTP Check via RADIUS Step, Disable Cronto Push Initiation Step, Cronto Public Self-Service Approval Step, OAuth 2.0 Session Reset Step, OAuth 2.0 Consent Deny Initiation Step, Flow Condition-based OAuth 2.0 Scope Condition, Flow Condition To Authentication Context Mapping, mTAN Verification Step, Delete mTAN Number Initiation Step, Default OAuth 2.0 Consents Delete Flow, Generic ID Propagator, mTAN Public Self-Service Approval Step, OAuth 2.0 Consent Step, Transaction Approval Parameter Step, Role-based Tag Acquisition Step, Flow Continuation Step, Remember-Me Token Generating Step, Device Token Registration Step, Cronto Self-Service Approval Step, SSI Authentication Step, Acknowledge Message Step, Default Enable Cronto Push Flow, Cronto Approval Stealth Step, Airlock 2FA Device Edit Step, Airlock 2FA Self-Service Approval Step, Flow Continuation Token Consumption Step, Device Token Identity Verification Step, mTAN Transaction Approval Step, Device Token List, Account Linking Lists Self Services, Risk Assessment Step, Default Account Link Removal Flow, mTAN Number List, mTAN Authentication Step, Advanced Migration Selection Option, SSO Ticket Authentication Step, Tag Removal Step, Voluntary Password Change Step, Airlock 2FA Activation Step, FIDO Credential Display Name Change Step, Mandatory Password Change Step, User Unlock Step (Self-Registration), Selection Step for Public Self-Service, Delete FIDO Credential Initiation Step, Delete Cronto Device Initiation Step, Conditional Value Map Provider, Logical AND, FIDO Public Self-Service Approval Step, Public Self-Service OATH OTP Approval Step, Disable Cronto Device Initiation Step, Default OAuth 2.0 Session Deletion Flow, FIDO Self-Service Approval Step, Default Disable Cronto Device Flow, Logical OR
Properties
YAML Template (with default values)

type: AlwaysFalseCondition
id: AlwaysFalseCondition-xxxxxx
displayName: 
comment: 
properties:

Always Revoked Status Checker

Description
A status checker that returns revoked for all certificates.
Type name
AlwaysRevokedStatusChecker
Class
com.airlock.iam.core.misc.impl.cert.crl.AlwaysRevokedStatusChecker
May be used by
License-Tags
ClientCertificate
Properties
YAML Template (with default values)

type: AlwaysRevokedStatusChecker
id: AlwaysRevokedStatusChecker-xxxxxx
displayName: 
comment: 
properties:

Always True

Description
Flow selection condition that is always fulfilled.
Type name
AlwaysTrueCondition
Class
com.airlock.iam.flow.application.configuration.selection.condition.AlwaysTrueConditionConfig
May be used by
User Identification By Data Step, OAuth 2.0 Consent Grant Initiation Step, FIDO Registration Step, Set Context Data Step, Legacy ID Propagation Adapter, Airlock 2FA Activation Trusted Session Binding Step, Selection Step for Self-Service, Cronto Device Reset Step, Default Enable Cronto Device Flow, Airlock 2FA Authentication Step, OAuth 2.0 Client Persisting Step, Send Email Link Step, Phone Number Verification Step, Set Authentication Method Step, Email OTP Authentication Step, FIDO Transaction Approval Step, HTTP Basic Authentication Step, Delete OAuth 2.0 Session Initiation Step, Secret Questions Identity Verification Step, Custom Protected Self-Service Flow, SSI Passwordless Authentication Step, User Data Registration Step, Failure Step, Select mTAN Token Step, SAML 2.0 SP User Identifying Step, Account Link Removal Initiation Step, No Operation Step, Cronto Transaction Approval Step, Cronto Device List, OAuth 2.0 Client Registration Step, Password Change Self-Service Step, Airlock 2FA Device Deletion Initiation Step, Apply Changes Step, Selection Option For Public Self-Service, Airlock 2FA Activation Step (with additional Activation), Legacy mTAN Registration Flow, Enable Cronto Push Initiation Step, Start User Representation Step, Selection Option For User Self-Registration, OAuth 2.0 Session List, Representation SSO Ticket Identifying Step, User Role Assignment Step, Default Cronto Device Removal Flow, Email Verification Step, OATH OTP Activation Step, Airlock 2FA Mobile Only Authentication Step, Target Applications and Authentication, Airlock 2FA Public Self-Service Approval Step, Default OAuth 2.0 Consent Grant Flow, FIDO Credential Selection Step, Matrix Self-Service Approval Step, User Data Edit Step, Set Password Step, Cronto Letter Order Step, Username Password Authentication Step, Default Cronto Device Renaming Flow, OIDC Flow Condition To ACR Value Mapping, Default FIDO Credential Display Name Change Flow, Selection Step, Default mTAN Deletion Flow, Cronto Activation Step, Remember-Me Device List, User Identification By Data Step (Public Self-Service), Vasco OTP Authentication Step, User Lock Step, Logical NOT, Certificate Credential Extraction Step, Stop User Representation Step, OAuth 2.0 Consents Delete Initiation Step, Default FIDO Credential Removal Flow, mTAN Token Edit Step, CrontoSign Swiss Push Activation Step, Airlock 2FA Transaction Approval Step, Missing Account Link Step, User Identification Step, Rename Cronto Device Step, User Identification with FIDO Authentication Step, Airlock 2FA Recovery Trusted Session Binding Step, Default Account Link Linking Flow, User Persisting Step, Secret Questions Provisioning Step, Selection Option For Self-Service, Kerberos Authentication Step, Complete Migration Step, Never Migrate Step, Application Portal Target, Migration Selection Step, Account Link Linking Initiation Step, Username Generation Step, Airlock 2FA Device List, Email Notification Step, Airlock 2FA Activation Letter Order Step, SMS Identity Verification Step, Matrix Public Self-Service Approval Step, Default Enable FIDO Credential Flow, Airlock 2FA Device Edit Initiation Step, Enable Cronto Device Initiation Step, Matrix Checking Step, Red Flag Raising Step, Scriptable Step, Login From New Device Step, Default Disable Cronto Push Flow, FIDO Credential List, Password Letter Order Step, Device Token Authentication Step, Unlock User Step (Public Self-Service), Condition-based Role Provider, Set Authentication Method Migration Step, SSI Issuance Step, Default mTAN Token Registration Flow, Default Remember-Me Device Deletion Flow, FIDO Passwordless Authentication Step, Remember-Me User Identifying Step, Password Reset Step, Selection Option, FIDO Authentication Step, On Behalf Login Identity Propagation, Terms Of Services Step, Email Change Verification Step, Vasco OTP Self-Service Approval Step, Airlock 2FA Delete Devices Step, Password-only Authentication Step, SSI Self-Registration Issuance Step, Username Password with FIDO Authentication Step, User Identification Step (Public Self-Service), SSI Verification Step, mTAN Self-Service Approval Step, Legacy Email OTP Authentication Step, Cronto Device Selection Step, OAuth 2.0 Consent List, Abort Step, mTAN Token Registration Step, Email OTP Transaction Approval Step, Default Disable FIDO Credential Flow, Default mTAN Token Edit Flow, Disable FIDO Credential Initiation Step, Enable FIDO Credential Initiation Step, OAuth 2.0 SSO Step, Remember-Me Reset Step, Cronto Authentication Step, Delete Remember-Me Device Initiation Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, Airlock 2FA Usernameless Authentication Step, Email Identity Verification Step, Default OAuth 2.0 Consent Deny Flow, OATH OTP Authentication Step, Password Repository Mapping, Target URI ID Propagator, Vasco OTP Public Self-Service Approval Step, OTP Check via RADIUS Step, Disable Cronto Push Initiation Step, Cronto Public Self-Service Approval Step, OAuth 2.0 Session Reset Step, OAuth 2.0 Consent Deny Initiation Step, Flow Condition-based OAuth 2.0 Scope Condition, Flow Condition To Authentication Context Mapping, mTAN Verification Step, Delete mTAN Number Initiation Step, Default OAuth 2.0 Consents Delete Flow, Generic ID Propagator, mTAN Public Self-Service Approval Step, OAuth 2.0 Consent Step, Transaction Approval Parameter Step, Role-based Tag Acquisition Step, Flow Continuation Step, Remember-Me Token Generating Step, Device Token Registration Step, Cronto Self-Service Approval Step, SSI Authentication Step, Acknowledge Message Step, Default Enable Cronto Push Flow, Cronto Approval Stealth Step, Airlock 2FA Device Edit Step, Airlock 2FA Self-Service Approval Step, Flow Continuation Token Consumption Step, Device Token Identity Verification Step, mTAN Transaction Approval Step, Device Token List, Account Linking Lists Self Services, Risk Assessment Step, Default Account Link Removal Flow, mTAN Number List, mTAN Authentication Step, Advanced Migration Selection Option, SSO Ticket Authentication Step, Tag Removal Step, Voluntary Password Change Step, Airlock 2FA Activation Step, FIDO Credential Display Name Change Step, Mandatory Password Change Step, User Unlock Step (Self-Registration), Selection Step for Public Self-Service, Delete FIDO Credential Initiation Step, Delete Cronto Device Initiation Step, Conditional Value Map Provider, Logical AND, FIDO Public Self-Service Approval Step, Public Self-Service OATH OTP Approval Step, Disable Cronto Device Initiation Step, Default OAuth 2.0 Session Deletion Flow, FIDO Self-Service Approval Step, Default Disable Cronto Device Flow, Logical OR
Properties
YAML Template (with default values)

type: AlwaysTrueCondition
id: AlwaysTrueCondition-xxxxxx
displayName: 
comment: 
properties:

Always True Representation Authorization

Description
Condition that always allows to start a user representation.
Type name
AlwaysTrueRepresentationAuthorization
Class
com.airlock.iam.selfservice.application.configuration.representation.AlwaysTrueRepresentationAuthorizationConfig
May be used by
Properties
YAML Template (with default values)

type: AlwaysTrueRepresentationAuthorization
id: AlwaysTrueRepresentationAuthorization-xxxxxx
displayName: 
comment: 
properties:

And Claim Condition

Description
This condition is fulfilled if all of its configured conditions are fulfilled.
Type name
AndClaimCondition
Class
com.airlock.iam.oauth2.application.configuration.claims.conditions.AndClaimConditionConfig
May be used by
License-Tags
OAuthServer
Properties
Conditions (conditions)
Description
This condition is fulfilled only if every one of these conditions is fulfilled.
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: AndClaimCondition
id: AndClaimCondition-xxxxxx
displayName: 
comment: 
properties:
  conditions:

Anomaly Shield State Risk Extractor

Description
Risk Extractor that extracts the state of the Gateway Anomaly Shield and compares it to the configured anomaly states. No tags are granted if the request does not contain an anomaly shield environment cookie.
Type name
AnomalyShieldStateRiskExtractor
Class
com.airlock.iam.authentication.application.configuration.risk.extractor.anomaly.AnomalyShieldStateRiskExtractorConfig
May be used by
Properties
Expected Anomaly States (expectedAnomalyStates)
Description
The expected Airlock Gateway (WAF) Anomaly Shield state of the request. If the request's anomaly shield state is within this list of states, it is considered to be a 'match'. The match is case-insensitive. Note: Airlock Gateway 8.3 and newer no longer issue anomaly state "redeemed".
Attributes
String-List
Optional
Default value
[anomalous]
Tags If One Of Expected Anomaly States (tagsIfOneOfExpectedAnomalyStates)
Description
The tags to grant if the current request's anomaly shield state equals any of the configured anomaly states.
Attributes
Plugin-List
Optional
Assignable plugins
Tags If None Of Expected Anomaly States (tagsIfNoneOfExpectedAnomalyStates)
Description
The tags to grant if the current request's anomaly shield state does not match any of the configured states.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: AnomalyShieldStateRiskExtractor
id: AnomalyShieldStateRiskExtractor-xxxxxx
displayName: 
comment: 
properties:
  expectedAnomalyStates: [anomalous]
  tagsIfNoneOfExpectedAnomalyStates:
  tagsIfOneOfExpectedAnomalyStates:

Any Required Role Matches

Description
Strategy to select role specific configurations based on the admin's roles.

Selects a configuration if the admin has any of the roles required by the configuration.

Type name
AnyRequiredRoleMatcher
Class
com.airlock.iam.admin.application.configuration.users.AnyRequiredRoleMatcher
May be used by
Properties
YAML Template (with default values)

type: AnyRequiredRoleMatcher
id: AnyRequiredRoleMatcher-xxxxxx
displayName: 
comment: 
properties:

API Policy Service

Description
Configures the API Policy Service web application.

This web application currently offers a REST endpoint targeted at Airlock WAF that allows retrieving information about a technical client by resolving a given API key. Among other things, the returned information contains details about the technical client and the associated plans (including rate limits).

Type name
ApiPolicyServiceApp
Class
com.airlock.iam.apipolicyservice.application.configuration.ApiPolicyServiceAppConfig
License-Tags
ApiPolicyService
Properties
Repository (repository)
Description
A repository that allows configuring the DB access for the API policy service functionality.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Shared Secret (sharedSecret)
Description

Shared secret to verify the JWT signature. Must be the same as on the Airlock Gateway (WAF) using this API Policy Service endpoint.

The shared secret must be encoded in base64. The minimum unencoded length is 512 bits. Configuration validation fails if the secret is too short.

One can, for example, generate a random secret of 512 bits (64 bytes) or more as a base64 encoded string using openssl as follows: openssl rand -base64 96

Attributes
String
Mandatory
Sensitive
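The following is an added example, not code from Airlock IAM: it validates a sharedSecret against the documented base64 and 512-bit constraints and then uses the decoded secret to verify an HMAC-signed JWT, rejecting alg=none and algorithm substitution. The page does not name the JWT algorithm, so the accepted HMAC algorithms are an assumption passed in as a parameter; all sample secrets and tokens are constructed inline.

```python
"""Added example (not Airlock IAM code): validate an API Policy Service
sharedSecret and use it to verify the HMAC-signed JWT the endpoint relies on.
Assumption not stated on the page: the JWT alg is one of HS256/HS384/HS512;
which one the Gateway uses is not given, so the allowed set is a parameter."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets

MIN_SECRET_BITS = 512  # documented minimum unencoded length of the secret
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# Constructed sample values (not real secrets): 63 bytes is one byte too short,
# 64 bytes is exactly the 512-bit minimum.
TOO_SHORT_SECRET_B64 = base64.b64encode(b"\x11" * 63).decode("ascii")
MIN_LENGTH_SECRET_B64 = base64.b64encode(b"\x22" * 64).decode("ascii")


def decode_shared_secret(b64_secret: str) -> bytes:
    """Decode the base64 secret and enforce the 512-bit minimum, mirroring the
    configuration validation failure the page describes for short secrets."""
    try:
        raw = base64.b64decode(b64_secret.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("sharedSecret is not valid base64") from exc
    if len(raw) * 8 < MIN_SECRET_BITS:
        raise ValueError(
            f"sharedSecret has {len(raw) * 8} bits, minimum is {MIN_SECRET_BITS}")
    return raw


def secret_is_valid(b64_secret: str) -> bool:
    try:
        decode_shared_secret(b64_secret)
        return True
    except ValueError:
        return False


def generate_shared_secret(num_bytes: int = 96) -> str:
    """Same output shape as `openssl rand -base64 96` from the page; note that
    96 random bytes are 768 bits, comfortably above the 512-bit minimum."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes, alg: str = "HS512") -> str:
    """Build a compact JWS with the shared secret (constructed here only so
    the example is self-contained; the Gateway side is not modelled)."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), HMAC_ALGS[alg]).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, allowed_algs=("HS512",)) -> dict:
    """Verify the signature with the shared secret. The algorithm is pinned to
    the allow-list, so 'none' or a non-HMAC alg is rejected before comparing."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in allowed_algs or alg not in HMAC_ALGS:
        raise ValueError(f"unexpected alg {alg!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("JWT signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def token_is_valid(token: str, secret: bytes, allowed_algs=("HS512",)) -> bool:
    try:
        verify_jwt(token, secret, allowed_algs)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Run the checks a practitioner would want against the constructed samples."""
    secret = decode_shared_secret(MIN_LENGTH_SECRET_B64)
    good = sign_jwt({"apiKey": "constructed-demo-key"}, secret)
    # Tampered token: payload swapped for a different API key, signature kept.
    other = sign_jwt({"apiKey": "another-constructed-key"}, secret)
    swapped = ".".join([good.split(".")[0], other.split(".")[1], good.split(".")[2]])
    # Unsigned token claiming alg=none must not pass the pinned verifier.
    unsigned = _b64url(b'{"alg":"none"}') + "." + good.split(".")[1] + "."
    return {
        "too_short_rejected": not secret_is_valid(TOO_SHORT_SECRET_B64),
        "generated_bits": len(decode_shared_secret(generate_shared_secret())) * 8,
        "api_key": verify_jwt(good, secret)["apiKey"],
        "tampered_rejected": not token_is_valid(swapped, secret),
        "none_alg_rejected": not token_is_valid(unsigned, secret),
        "wrong_secret_rejected": not token_is_valid(good, b"\x33" * 64),
    }
```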
Context Extractor (contextExtractor)
Description
Specifies how a context is to be extracted from a request.
Attributes
Plugin-Link
Optional
Assignable plugins
Log User Trail To Database (logUserTrailToDatabase)
Description

Configures the database settings to use when persisting user trail log entries.

If this value is defined, then all user trail log messages generated by the API Policy Service App module will additionally be forwarded to the database configured within the referenced repository plugin.

All forwarded log entries are stored inside the table "USER_TRAIL_LOG". Note that setting this value does not disable writing log messages to the API Policy Service log file.

Attributes
Plugin-Link
Optional
Assignable plugins
Correlation ID Settings (correlationIdSettings)
Description

Defines settings for correlation ID transfer and logging inside the API Policy Service module.

If undefined, no correlation ID will be logged for this module.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: ApiPolicyServiceApp
id: ApiPolicyServiceApp-xxxxxx
displayName: 
comment: 
properties:
  contextExtractor:
  correlationIdSettings:
  logUserTrailToDatabase:
  repository:
  sharedSecret:

App Device Used For Login Unless Last App Device

Description
This plugin returns the ID of the Airlock 2FA App device that was used for login in an authentication flow of the current user session.
The provider returns nothing if the login device is the user's only App device, or if the login device is not an App device (e.g. a hardware device).

In case no Airlock 2FA account is associated with the current user, no device IDs are returned.

Note: This plugin should only be used in authentication and protected self-service flows since the other flows do not contain information on the last device used for login.

Use case: This plugin is designed to facilitate the secure migration of users from the Airlock 2FA app to either an alternative 2FA app or a new business app that includes built-in two-factor authentication using the Futurae Mobile SDK (One App solution). In contrast to the 'All Devices Except Registered In Flow' plugin, this plugin does not delete all old tokens during a migration but only the one used in this session. This is beneficial when a user has multiple devices, and you want to avoid unintended deletions that could disrupt access from other devices.
For this use case, the plugin should be used with an 'Airlock 2FA Delete Devices Step' which is configured after the step activating the new Airlock 2FA device.

Type name
Airlock2FALoginDeviceUnlessLastDeviceIdProvider
Class
com.airlock.iam.flow.shared.application.configuration.airlock2fa.provider.Airlock2FALoginDeviceUnlessLastDeviceIdProviderConfig
May be used by
License-Tags
Airlock2FA
Properties
Respect Cooldown Period (respectCooldownPeriod)
Description

If enabled, devices in cooldown are never returned. Consequently, if the login device is in cooldown or if there is only one device which is not in cooldown, no devices are returned.

Attributes
Boolean
Optional
Default value
false
Airlock 2FA Settings (airlock2FASettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: Airlock2FALoginDeviceUnlessLastDeviceIdProvider
id: Airlock2FALoginDeviceUnlessLastDeviceIdProvider-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:
  respectCooldownPeriod: false

Application ID

Description

Configuration of the Application ID.

In the SPA, this property defines the access path of the respective application. For example:

/<loginapp-uri>/ui/app/auth/application/access/<APP_ID>

Type name
ApplicationId
Class
com.airlock.iam.login.application.configuration.targetapp.ApplicationIdConfig
May be used by
Properties
ID (applicationId)
Description
The ID of the application.
Attributes
String
Mandatory
Length <= 30
Validation RegEx: [a-z0-9_-]+
YAML Template (with default values)

type: ApplicationId
id: ApplicationId-xxxxxx
displayName: 
comment: 
properties:
  applicationId:

Application Portal Group

Description
Groups portal targets.
Type name
ApplicationPortalGroup
Class
com.airlock.iam.selfservice.application.configuration.ui.portal.ApplicationPortalGroupConfig
May be used by
License-Tags
ApplicationPortal
Properties
Identifier (identifier)
Description
Unique ID of this portal group. The ID is used for customizations, e.g. in the string resource properties. The following string resource properties are available:
  • protected.application-portal.group.${identifier}.title for the group title
  • protected.application-portal.group.${identifier}.description for the description text of the group
The suggested values correlate with already existing string resources. If there is no translation, the Identifier is displayed.
Attributes
String
Mandatory
Suggested values
self-services
Portal Targets (portalTargets)
Description
List of portal targets in this group.
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: ApplicationPortalGroup
id: ApplicationPortalGroup-xxxxxx
displayName: 
comment: 
properties:
  identifier:
  portalTargets:

Application Portal Target

Description
Configures a target to be displayed on the portal page.
Type name
ApplicationPortalTarget
Class
com.airlock.iam.selfservice.application.configuration.ui.portal.ApplicationPortalTargetConfig
May be used by
License-Tags
ApplicationPortal
Properties
Identifier (identifier)
Description
Unique ID of this target. The ID is used in the string resource properties and to customize the styling of the target on the portal page. The following string resource properties are available:
  • protected.application-portal.group.${group-identifier}.target.${identifier}.title for the portal target on the portal page
The suggested values correlate with already existing string resources. If there is no translation, the Identifier is displayed.
Attributes
String
Mandatory
Suggested values
account-link-management, address-change, airlock2fa-device-management, cronto-device-management, device-token-management, email-address-change, fido-registration, mtan-token-management, oauth2-consent-management, oauth2-session-management, password-change, self-lockout
Redirect via Application Access (redirectByAccess)
Description
If enabled, an application access is performed prior to being redirected to the target. This is used to enable step-up and/or identity propagation.

This functionality is not needed for Protected Self-Services, where access control is already provided by the "Access Condition" and "Authorization Condition".

Attributes
Boolean
Optional
Default value
true
Precondition (precondition)
Description
The target is displayed on the portal if this condition is fulfilled. If no target within a group is displayed, the whole group is not shown.
Attributes
Plugin-Link
Optional
Assignable plugins
Open In New Tab (openInNewTab)
Description
Opens the target in a new browser tab.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: ApplicationPortalTarget
id: ApplicationPortalTarget-xxxxxx
displayName: 
comment: 
properties:
  identifier:
  openInNewTab: false
  precondition:
  redirectByAccess: true
  redirectTarget:

Application Portal UI

Description
Configures the application portal. The portal lists the configured portal target applications, i.e. self-services or backends.

The portal is accessible at /<loginapp-uri>/ui/app/protected/portal after user authentication.

Type name
ApplicationPortalUi
Class
com.airlock.iam.selfservice.application.configuration.ui.portal.ApplicationPortalUiConfig
May be used by
License-Tags
ApplicationPortal
Properties
Portal Groups (portalGroups)
Description
Groups portal targets.
Attributes
Plugin-List
Mandatory
Assignable plugins
Auto Forward (autoForward)
Description
If enabled and only one application is accessible, the user is automatically forwarded to the application instead of displaying the portal page.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: ApplicationPortalUi
id: ApplicationPortalUi-xxxxxx
displayName: 
comment: 
properties:
  autoForward: false
  portalGroups:

Apply Account Link Deletion

Description
Applies the "Account Link Deletion" change. Performs the actual deletion.
Type name
ApplyAccountLinkDeletion
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyAccountLinkDeletionConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
YAML Template (with default values)

type: ApplyAccountLinkDeletion
id: ApplyAccountLinkDeletion-xxxxxx
displayName: 
comment: 
properties:

Apply Account Link Linking

Description
Applies the "Account Link Linking" change. Performs the actual linking of the provider account.
Type name
ApplyAccountLinkLinking
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyAccountLinkLinkingConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
YAML Template (with default values)

type: ApplyAccountLinkLinking
id: ApplyAccountLinkLinking-xxxxxx
displayName: 
comment: 
properties:

Apply Changes Step

Description
Flow step that applies (persists) all changes performed during the flow so far.
Type name
ApplyChangesStep
Class
com.airlock.iam.flow.shared.application.configuration.step.apply.ApplyChangesStepConfig
May be used by
Properties
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: ApplyChangesStep
id: ApplyChangesStep-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  handlers:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Apply Cronto Device Deletion

Description
Applies the "Cronto Device Deletion" change. Performs the actual deletion.
Type name
ApplyCrontoDeviceDeletion
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoDeviceDeletionConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ApplyCrontoDeviceDeletion
id: ApplyCrontoDeviceDeletion-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:

Apply Cronto Device Disabling

Description
Applies the "Cronto Device Disabling" change. Performs the actual disabling.
Type name
ApplyCrontoDeviceDisabling
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoDeviceDisablingConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ApplyCrontoDeviceDisabling
id: ApplyCrontoDeviceDisabling-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:

Apply Cronto Device Enabling

Description
Applies the "Cronto Device Enabling" change. Performs the actual enabling.
Type name
ApplyCrontoDeviceEnabling
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoDeviceEnablingConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ApplyCrontoDeviceEnabling
id: ApplyCrontoDeviceEnabling-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:

Apply Cronto Device Renaming

Description
Applies the "Cronto Device Renaming" change. Persists the new device name.
Type name
ApplyCrontoDeviceRenaming
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoDeviceRenamingConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ApplyCrontoDeviceRenaming
id: ApplyCrontoDeviceRenaming-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:

Apply Cronto Push Disabling

Description
Applies the "Cronto Push Disabling" change. Performs the actual disabling.
Type name
ApplyCrontoPushDisabling
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoPushDisablingConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ApplyCrontoPushDisabling
id: ApplyCrontoPushDisabling-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:

Apply Cronto Push Enabling

Description
Applies the "Cronto Push Enabling" change. Performs the actual enabling.
Type name
ApplyCrontoPushEnabling
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyCrontoPushEnablingConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ApplyCrontoPushEnabling
id: ApplyCrontoPushEnabling-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:

Apply Device Token Registration

Description
Applies the "Device Token Registration" change. Persists the registered device token.

Note that only the last registered device token will be persisted.

Type name
ApplyDeviceTokenRegistration
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyDeviceTokenRegistrationConfig
May be used by
License-Tags
DeviceToken
Properties
Device Token Settings (deviceTokenSettings)
Description
Defines the device token settings to be used in this handler. Must match the one used in the "Device Token Registration Step".
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ApplyDeviceTokenRegistration
id: ApplyDeviceTokenRegistration-xxxxxx
displayName: 
comment: 
properties:
  deviceTokenSettings:

Apply Email Change

Description
Applies an "Email" change by assigning the registered email address to the user as a context-data value.
Type name
ApplyEmailChange
Class
com.airlock.iam.flow.shared.application.configuration.step.apply.ApplyEmailChangeConfig
May be used by
License-Tags
UserProfileSelfService
Properties
Context Data Name (contextDataName)
Description
Name of the context-data in which to store the email address in.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ApplyEmailChange
id: ApplyEmailChange-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:

Apply FIDO Credential Deletion

Description
Applies the "FIDO Credential Deletion" change. Performs the actual deletion.
Type name
ApplyFidoCredentialDeletion
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyFidoCredentialDeletionConfig
May be used by
License-Tags
FIDO
Properties
FIDO Settings (fidoSettings)
Description
Settings for FIDO.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ApplyFidoCredentialDeletion
id: ApplyFidoCredentialDeletion-xxxxxx
displayName: 
comment: 
properties:
  fidoSettings:

Apply FIDO Credential Disabling

Description
Applies the "FIDO Credential Disabling" change. Performs the actual disabling.
Type name
ApplyFidoCredentialDisabling
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyFidoCredentialDisablingConfig
May be used by
License-Tags
FIDO
Properties
FIDO Settings (fidoSettings)
Description
Settings for FIDO.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ApplyFidoCredentialDisabling
id: ApplyFidoCredentialDisabling-xxxxxx
displayName: 
comment: 
properties:
  fidoSettings:

Apply FIDO Credential Display Name Change

Description
Applies the "FIDO Credential Display Name Change" change. Persists the new display name.
Type name
ApplyFidoCredentialDisplayNameChange
Class
com.airlock.iam.flow.shared.application.configuration.step.ApplyFidoCredentialDisplayNameChangeConfig
May be used by
License-Tags
FIDO
Properties
FIDO Settings (fidoSettings)
Description
Settings for FIDO.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ApplyFidoCredentialDisplayNameChange
id: ApplyFidoCredentialDisplayNameChange-xxxxxx
displayName: 
comment: 
properties:
  fidoSettings:

Apply FIDO Credential Enabling

Description
Applies the "FIDO Credential Enabling" change. Performs the actual enabling.
Type name
ApplyFidoCredentialEnabling
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyFidoCredentialEnablingConfig
May be used by
License-Tags
FIDO
Properties
FIDO Settings (fidoSettings)
Description
Settings for FIDO.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ApplyFidoCredentialEnabling
id: ApplyFidoCredentialEnabling-xxxxxx
displayName: 
comment: 
properties:
  fidoSettings:

Apply mTAN Deletion

Description
Applies the "mTAN Number Deletion" change. Performs the actual deletion.
Type name
ApplyMtanDeletion
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyMtanDeletionConfig
May be used by
Properties
mTAN Settings (mtanSettings)
Description
Defines the required settings for mTAN.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ApplyMtanDeletion
id: ApplyMtanDeletion-xxxxxx
displayName: 
comment: 
properties:
  mtanSettings:

Apply mTAN Edit Change

Description
Persists an edited mTAN token. Use this change handler if an existing mTAN token has been edited. If a new token has been registered, use the "Apply mTAN Registration Change".
Type name
ApplyMtanEditChange
Class
com.airlock.iam.flow.shared.application.configuration.step.apply.ApplyMtanEditChangeConfig
May be used by
Properties
mTAN Settings (mtanSettings)
Description
Defines the required settings for mTAN.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ApplyMtanEditChange
id: ApplyMtanEditChange-xxxxxx
displayName: 
comment: 
properties:
  mtanSettings:

Apply mTAN Registration Change

Description
Persists a registered mTAN token. Use this change handler if a new mTAN token has been registered. If an existing token has been edited, use the "Apply mTAN Edit Change".
Type name
ApplyMtanRegistrationChange
Class
com.airlock.iam.flow.shared.application.configuration.step.apply.ApplyMtanRegistrationChangeConfig
May be used by
License-Tags
UserProfileSelfService
Properties
mTAN Settings (mtanSettings)
Description
Defines the required settings for mTAN.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ApplyMtanRegistrationChange
id: ApplyMtanRegistrationChange-xxxxxx
displayName: 
comment: 
properties:
  mtanSettings:

Apply OAuth 2.0 Consent Deny

Description
Applies the "OAuth 2.0 Consent Deny" change. Performs the actual denial.
Type name
ApplyOAuth2DenyConsent
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyOAuth2DenyConsentConfig
May be used by
License-Tags
OAuthServer
Properties
YAML Template (with default values)

type: ApplyOAuth2DenyConsent
id: ApplyOAuth2DenyConsent-xxxxxx
displayName: 
comment: 
properties:

Apply OAuth 2.0 Consent Grant

Description
Applies the "OAuth 2.0 Consent Grant" change. Performs the actual grant.
Type name
ApplyOAuth2GrantConsent
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyOAuth2GrantConsentConfig
May be used by
License-Tags
OAuthServer
Properties
YAML Template (with default values)

type: ApplyOAuth2GrantConsent
id: ApplyOAuth2GrantConsent-xxxxxx
displayName: 
comment: 
properties:

Apply OAuth 2.0 Consents Deletion

Description
Applies the "OAuth 2.0 Consents Deletion" change. Performs the actual deletion.
Type name
ApplyOAuth2DeleteConsents
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyOAuth2DeleteConsentsConfig
May be used by
License-Tags
OAuthServer
Properties
YAML Template (with default values)

type: ApplyOAuth2DeleteConsents
id: ApplyOAuth2DeleteConsents-xxxxxx
displayName: 
comment: 
properties:

Apply OAuth 2.0 Session Deletion

Description
Applies the "OAuth 2.0 Session Deletion" change. Performs the actual deletion.
Type name
OAuth2DeleteSessionApply
Class
com.airlock.iam.selfservice.application.configuration.step.OAuth2DeleteSessionApplyConfig
May be used by
License-Tags
OAuthServer
Properties
YAML Template (with default values)

type: OAuth2DeleteSessionApply
id: OAuth2DeleteSessionApply-xxxxxx
displayName: 
comment: 
properties:

Apply Remember-Me Device Deletion

Description
Applies the "Remember-Me Device Deletion" change. Performs the actual deletion.
Type name
ApplyRememberMeDeviceDeletion
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyRememberMeDeviceDeletionConfig
May be used by
Properties
Remember-Me Settings (rememberMeConfig)
Description
Common configuration for the Remember-Me feature.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ApplyRememberMeDeviceDeletion
id: ApplyRememberMeDeviceDeletion-xxxxxx
displayName: 
comment: 
properties:
  rememberMeConfig:

Apply User Data Edit Change

Description
Applies the context-data changes from the "User Data Edit" step to the user (which is then automatically persisted at the end of the request).
Type name
ApplyUserDataEditChange
Class
com.airlock.iam.selfservice.application.configuration.step.apply.ApplyUserDataEditChangeConfig
May be used by
License-Tags
UserProfileSelfService
Properties
YAML Template (with default values)

type: ApplyUserDataEditChange
id: ApplyUserDataEditChange-xxxxxx
displayName: 
comment: 
properties:

Argon2id Password Hash

Description
This is a password hash plugin that uses Argon2id for hashing. Argon2id is a key derivation function that is designed to be computationally expensive and memory-hard. This makes it resistant to brute-force attacks.

The configuration allows you to adjust the parameters of the algorithm (m, t, and p). Correctly tuning these parameters is crucial to ensuring strong security and reasonable performance on the target hardware.

Benchmark tests should be performed with this plugin on the actual hardware of the production system to determine the highest possible parameters while ensuring a good user experience (e.g., acceptable authentication times). See also Performance tuning and scaling best practices in the documentation.

The default configuration settings are based on the latest OWASP security recommendations and do not take specific hardware characteristics into account.

All three parameters (m, t, and p) are stored with the password hash and used to check passwords. Changing the values does not break existing password hashes. The salt length is 16 bytes, and the hash (tag) length is 32 bytes. However, since the hash parameters are stored as well, an Argon2id hash is longer than a Scrypt hash, which may affect the number of hashes in a "History Password Hash" plugin.

The persisted hash is stored as a PHC-formatted string.

Type name
Argon2idPasswordHash
Class
com.airlock.iam.core.misc.util.password.hash.Argon2idPasswordHash
May be used by
Properties
Memory size (KiB) (memorySizeKb)
Description
The amount of memory to use (m), in kibibytes. Minimum allowed is 8*p KiB as required by RFC 9106. This primarily affects memory cost.
Attributes
Integer
Optional
Default value
19456
Iterations (iterations)
Description
Number of passes (t). This primarily affects CPU cost.
Attributes
Integer
Optional
Default value
2
Parallelism (parallelism)
Description
Number of lanes (p). Affects CPU parallelism. Increasing p may reduce single-hash latency on multi-core CPUs but requires a higher minimum memory m (m ≥ 8*p KiB). Values above the number of physical cores usually do not help.
Attributes
Integer
Optional
Default value
1
YAML Template (with default values)

type: Argon2idPasswordHash
id: Argon2idPasswordHash-xxxxxx
displayName: 
comment: 
properties:
  iterations: 2
  memorySizeKb: 19456
  parallelism: 1
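
The description above says that the three Argon2id parameters travel with each stored hash as a PHC-formatted string and that the memory size must be at least 8*p KiB per RFC 9106. The following Python code is an added example (not part of Airlock IAM or this page) that parses such a PHC string, checks the parameter constraints the page states, and reports whether a stored hash was produced with parameters that differ from the currently configured ones. The sample PHC string is constructed from fixed bytes and is not a real hash; the `needs_rehash` check is a generic practitioner check, the page does not state whether IAM re-hashes on login.

```python
import base64
import re

# Minimum memory per lane required by RFC 9106 (m >= 8*p KiB), as stated on the page.
MIN_KIB_PER_LANE = 8

# Defaults shown in the plugin's YAML template (OWASP-based, hardware-agnostic).
DEFAULT_PARAMS = {"m": 19456, "t": 2, "p": 1}

# PHC shape for argon2id: $argon2id$v=<ver>$m=<kib>,t=<passes>,p=<lanes>$<salt>$<tag>
# Salt and tag are standard-alphabet base64 without padding.
_PHC_RE = re.compile(
    r"^\$argon2id\$v=(?P<v>\d+)\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<hash>[A-Za-z0-9+/]+)$"
)


def validate_params(m, t, p):
    """Return a list of problems with an (m, t, p) tuple; an empty list means valid."""
    problems = []
    if p < 1:
        problems.append("p must be at least 1")
    if t < 1:
        problems.append("t must be at least 1")
    if p >= 1 and m < MIN_KIB_PER_LANE * p:
        problems.append(
            f"m={m} KiB is below the RFC 9106 minimum of {MIN_KIB_PER_LANE * p} KiB for p={p}"
        )
    return problems


def _b64decode_unpadded(s):
    # Re-add the padding that the PHC format strips before decoding.
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_phc(phc):
    """Parse an argon2id PHC string into version, parameters and salt/tag lengths.

    Raises ValueError if the string is malformed or its parameters violate the constraints.
    """
    match = _PHC_RE.match(phc)
    if not match:
        raise ValueError("not an argon2id PHC string")
    params = {k: int(match.group(k)) for k in ("m", "t", "p")}
    problems = validate_params(**params)
    if problems:
        raise ValueError("; ".join(problems))
    salt = _b64decode_unpadded(match.group("salt"))
    tag = _b64decode_unpadded(match.group("hash"))
    return {
        "version": int(match.group("v")),
        "params": params,
        "salt_len": len(salt),  # the page states 16 bytes
        "tag_len": len(tag),    # the page states 32 bytes
    }


def needs_rehash(phc, configured=DEFAULT_PARAMS):
    """True if the stored hash was produced with parameters other than the configured ones.

    Because the parameters are stored with the hash, verification keeps working either way;
    this only tells an operator which hashes still use old cost settings (assumption: a generic
    check, not something the page says the plugin does).
    """
    return parse_phc(phc)["params"] != configured


# Constructed sample (not a real user's hash): 16-byte salt and 32-byte tag of fixed bytes.
_SALT = bytes(range(16))
_TAG = bytes(range(32))
SAMPLE_PHC = (
    "$argon2id$v=19$m=19456,t=2,p=1$"
    + base64.b64encode(_SALT).decode().rstrip("=")
    + "$"
    + base64.b64encode(_TAG).decode().rstrip("=")
)

if __name__ == "__main__":
    print(parse_phc(SAMPLE_PHC))
    print("rehash needed:", needs_rehash(SAMPLE_PHC, {"m": 65536, "t": 3, "p": 2}))
```

Running the module prints the parsed defaults and reports that a hash stored with the default cost would need re-hashing only if the configured cost were raised.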

ASP SMS Gateway

Description
SMS gateway implementation for www.aspsms.com.
This plug-in uses the XML/HTTP(S) interface of ASPSMS to send SMS messages.

Type name
AspSmsGateway
Class
com.airlock.iam.core.misc.impl.sms.AspSmsGateway
May be used by
Properties
Account Username (accountUsername)
Description
Userkey as provided in the ASPSMS portal.
Attributes
String
Mandatory
Example
myaspsmslogin
Account Password (accountPassword)
Description
API Password as provided in the ASPSMS portal.
Attributes
String
Mandatory
Sensitive
Service URI (serviceUri)
Description
The URI of the ASPSMS service.
See note in plug-in description when using SSL (HTTPS instead of HTTP).

Use the plugin FailoverSmsGateway to use multiple ASPSMS URLs for increased availability.

Attributes
String
Mandatory
Suggested values
https://xml3.aspsms.com/xmlsvr.asp, https://xml4.aspsms.com/xmlsvr.asp
Proxy Host (proxyHost)
Description
The hostname of the HTTP proxy server (if any).
Attributes
String
Optional
Example
proxy.company.com
Proxy Port (proxyPort)
Description
The port of the HTTP proxy server (if any).
Attributes
Integer
Optional
Proxy Login User (proxyLoginUser)
Description
Username for the HTTP proxy if proxy authentication is used.
Attributes
String
Optional
Proxy Login Password (proxyLoginPassword)
Description
Password for the HTTP proxy if proxy authentication is used.
Attributes
String
Optional
Sensitive
Allow Only Trusted Certs (allowOnlyTrustedCerts)
Description

Only allow connections to servers whose certificate is trusted. See documentation of property "Trust Store Path" for more information about what certificates are trusted.

Security warning: Trusting all certificates allows connections to adversarial hosts. Only disable this property for testing and integration setups.

Attributes
Boolean
Optional
Default value
true
Verify Server Hostname (verifyServerHostname)
Description

Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

Attributes
Boolean
Optional
Default value
true
Trust Store Path (trustStorePath)
Description
Keystore file name containing trusted certificate issuers (and trusted certificates).

If this property is not defined the following certificate issuers are trusted:

  • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
  • The list of issuers in a keystore referenced by system property "javax.net.ssl.trustStore" if defined in instance.properties using iam.java.opts

If this property is defined then the following certificate issuers are trusted:

  • The list of issuers in the referenced truststore file and no others.

This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

Attributes
File/Path
Optional
Trust Store Type (trustStoreType)
Description
Identifies the type of the keystore.
Attributes
String
Optional
Default value
JKS
Allowed values
JKS, PKCS12
Trust Store Password (trustStorePassword)
Description
The password used to verify the authenticity of the trust store.

Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

  • JKS: the keystore can be opened and used but the integrity of the keystore is not checked.
  • PKCS12: an error occurs.

Attributes
String
Optional
Sensitive
Connect/Read Timeout [s] (connectTimeout)
Description
The connection and read timeout in seconds.
Attributes
Integer
Optional
Default value
10
Correlation ID Header Name (correlationIdHeaderName)
Description

When configured, every request sent contains a correlation ID header with the configured name. If no name or an empty name is specified, no correlation ID header is sent.

If no correlation ID is defined for the request, the correlation ID header is likewise not included.

Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_-]+
Suggested values
X-Correlation-ID
Visible Phone Number Digits In Log (visiblePhoneNumberDigitsInLog)
Description

Defines the number of phone number digits visible in log statements.

Thus, if the value is zero, all digits are masked; if it is large enough, all digits are visible. If set to 3, for example, the logged number looks like ********965.

The default is 100, i.e. showing all digits.

Attributes
Integer
Optional
Default value
100
YAML Template (with default values)

type: AspSmsGateway
id: AspSmsGateway-xxxxxx
displayName: 
comment: 
properties:
  accountPassword:
  accountUsername:
  allowOnlyTrustedCerts: true
  connectTimeout: 10
  correlationIdHeaderName:
  proxyHost:
  proxyLoginPassword:
  proxyLoginUser:
  proxyPort:
  serviceUri:
  trustStorePassword:
  trustStorePath:
  trustStoreType: JKS
  verifyServerHostname: true
  visiblePhoneNumberDigitsInLog: 100

Assertion Attribute

Description
Holds information about an attribute to put into the assertion.
Type name
AssertionAttribute
Class
com.airlock.iam.saml2.application.configuration.AssertionAttribute
May be used by
Properties
Name (name)
Description
The name of an additional SAML2 Attribute to be added to the Assertion. The value of the attribute is defined by the corresponding value property or static-value property. One of value or static-value must be set, but not both at the same time.
Attributes
String
Mandatory
Example
username
Example
lang
Example
authentication-method
Value (value)
Description
The value(s) of an additional SAML2 Attribute to be added to the Assertion. The specified value is interpreted as follows:
  • The value @username refers to the user's name.
  • The value @roles refers to the user's roles.
  • The value @info:key refers to the element of the additional input data with the given key.
  • The value @param:key refers to the element of the parameter map with the given key.
  • Any other value is retrieved from the user's context data container.
Attributes
String
Optional
Example
@username
Example
language
Example
auth_method
Example
@info:authLevel
Value Transformations (valueTransformations)
Description
A list of Value Transformations that is applied to the Value. If multiple transformations are defined, the first matching one will be executed and the later ones ignored.
Attributes
Plugin-List
Optional
Assignable plugins
Static Value (staticValue)
Description
The static value(s) of an additional SAML2 Attribute to be added to the Assertion.
Attributes
String
Optional
Example
security-level
Example
language
Example
Airlock
YAML Template (with default values)

type: AssertionAttribute
id: AssertionAttribute-xxxxxx
displayName: 
comment: 
properties:
  name:
  staticValue:
  value:
  valueTransformations:
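
The "Value" property above defines a small resolution syntax (@username, @roles, @info:key, @param:key, anything else looked up in the user's context data) and the "Name" property requires exactly one of value or static-value. The following Python code is an added example, not Airlock IAM's own implementation, that applies those rules to a plain dictionary model of the user, the additional input data and the parameter map; the field names `username`, `roles` and `context_data` on the user dictionary are assumptions made for the example. Value Transformations are not modelled.

```python
def resolve_attribute_value(value, user, info=None, params=None):
    """Resolve a SAML attribute 'value' expression following the rules on the page.

    user: dict with 'username', 'roles' and 'context_data' keys (assumed model).
    info: additional input data map (@info:key); params: parameter map (@param:key).
    """
    info = info or {}
    params = params or {}
    if value == "@username":
        return user["username"]
    if value == "@roles":
        return list(user.get("roles", []))
    if value.startswith("@info:"):
        return info.get(value[len("@info:"):])
    if value.startswith("@param:"):
        return params.get(value[len("@param:"):])
    # Any other value names an entry in the user's context data container.
    return user.get("context_data", {}).get(value)


def build_assertion_attribute(attr_config, user, info=None, params=None):
    """Return (name, value) for one AssertionAttribute configuration.

    Enforces the page's rule that exactly one of 'value' and 'staticValue' is set.
    """
    name = attr_config["name"]
    has_value = bool(attr_config.get("value"))
    has_static = bool(attr_config.get("staticValue"))
    if has_value == has_static:
        raise ValueError(f"attribute {name!r}: exactly one of value or staticValue must be set")
    if has_static:
        return name, attr_config["staticValue"]
    return name, resolve_attribute_value(attr_config["value"], user, info, params)


# Constructed sample user and attribute list, mirroring the examples given on the page.
SAMPLE_USER = {
    "username": "alice",
    "roles": ["user", "admin"],
    "context_data": {"language": "de"},
}
SAMPLE_ATTRIBUTES = [
    {"name": "username", "value": "@username"},
    {"name": "lang", "value": "language"},
    {"name": "authentication-method", "staticValue": "Airlock"},
    {"name": "level", "value": "@info:authLevel"},
]


def build_all(attributes=SAMPLE_ATTRIBUTES, user=SAMPLE_USER, info=None, params=None):
    """Build every configured attribute; returns a dict name -> value."""
    return dict(build_assertion_attribute(a, user, info, params) for a in attributes)


if __name__ == "__main__":
    print(build_all(info={"authLevel": "2"}))
```

Note that an unresolvable context-data key yields None here; what the real plugin emits for a missing value is not stated on the page.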

Audience From Request Parameter (OAuth 2.0 Token Exchange)

Description
Sets the claim value to that of the token exchange "audience" request parameter.

If the request does not contain an "audience" parameter, or if the request's "audience" parameter is an empty array, the claim value will not be set (unless the claim is required, for example for the "aud" target claim).

If the request contains one "audience" parameter, the claim value will be set to a single string value. If the request contains multiple "audience" parameters, the claim value will be set to an array.

Type name
OAuth2TokenExchangeJwtAudienceRequestParameterClaimValue
Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtAudienceRequestParameterClaimValueConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
YAML Template (with default values)

type: OAuth2TokenExchangeJwtAudienceRequestParameterClaimValue
id: OAuth2TokenExchangeJwtAudienceRequestParameterClaimValue-xxxxxx
displayName: 
comment: 
properties:

Audience From Subject Token (OAuth 2.0 Token Exchange)

Description

Sets the claim value to that of the subject token's "aud" claim value.

If present, the subject token's "aud" data is parsed as either a single string audience value or an array of string audience values as per RFC7519. If the subject token's "aud" data is present but does not conform with the specification, the token exchange request will lead to an invalid request error.

If the subject token's "aud" data is single-valued after removing non-allowed values (i.e. it is either a string or an array with a single element after removing the values not matching any of the configured patterns) and conforms with the specification, the claim value will be set to a string. If the subject token's "aud" data is multi-valued and conforms with the specification, the claim value will be set to an array.

If the subject token's "aud" data is not present, is an empty array or none of the values match the configured filters, the claim value will not be set.

Type name
OAuth2TokenExchangeJwtSubjectTokenAudienceClaimValue
Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtSubjectTokenAudienceClaimValueConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
Value Filters (valueFilters)
Description

An optional list of regular expressions. If the list is configured, only values in the subject token's "aud" data matching at least one of the regular expressions will be added. Values that do not match any of the configured regular expressions will be ignored. If the list is not configured, all the values in the subject token's "aud" claim will be added.

Attributes
RegEx-List
Optional
YAML Template (with default values)

type: OAuth2TokenExchangeJwtSubjectTokenAudienceClaimValue
id: OAuth2TokenExchangeJwtSubjectTokenAudienceClaimValue-xxxxxx
displayName: 
comment: 
properties:
  valueFilters:
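
The two audience rules above (from the "audience" request parameter and from the subject token's "aud" claim) share the same collapsing behaviour: nothing is set when no value remains, a single string is set when one value remains, and an array otherwise. The Python code below is an added example of both rules, not Airlock IAM's own code; it models a request's repeated "audience" parameters as a list and a decoded subject token as a dictionary. Whether the product matches Value Filters against the whole value or a substring is not stated on the page; the example assumes a full match.

```python
import re


class InvalidRequest(Exception):
    """Raised when the subject token's aud data does not conform to RFC 7519."""


def _normalize_aud(aud):
    """Return the aud claim as a list, accepting the two shapes RFC 7519 allows."""
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(v, str) for v in aud):
        return list(aud)
    raise InvalidRequest("aud must be a string or an array of strings")


def _collapse(values):
    """Apply the page's rule: none -> not set, one -> string, many -> array."""
    if not values:
        return None
    if len(values) == 1:
        return values[0]
    return values


def audience_from_request(audience_params):
    """Claim value derived from the token exchange 'audience' request parameter(s)."""
    return _collapse(list(audience_params or []))


def audience_from_subject_token(subject_claims, value_filters=None):
    """Claim value derived from the subject token's 'aud', after applying Value Filters.

    value_filters: optional list of regex strings; a value is kept if any pattern
    fully matches it (assumption: full match semantics).
    """
    values = _normalize_aud(subject_claims.get("aud"))
    if value_filters:
        patterns = [re.compile(f) for f in value_filters]
        values = [v for v in values if any(p.fullmatch(v) for p in patterns)]
    return _collapse(values)


# Constructed sample subject token claims (not from any real deployment).
SAMPLE_SUBJECT_CLAIMS = {
    "sub": "alice",
    "aud": ["api-orders", "web-portal", "api-payments"],
}

if __name__ == "__main__":
    print(audience_from_request(["api-orders"]))
    print(audience_from_subject_token(SAMPLE_SUBJECT_CLAIMS, [r"api-.*"]))
```

The `InvalidRequest` path matters in practice: a subject token whose "aud" is, say, a number must be rejected as an invalid request rather than silently copied into the new token.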

Audit Token SAML 2.0 Attribute

Description
A SAML 2.0 attribute containing the audit token.
Type name
AuditTokenAttribute
Class
com.airlock.iam.saml2.application.configuration.assertion.attribute.AuditTokenAttributeConfig
May be used by
License-Tags
SamlIdp
Properties
Attribute Name (samlAttributeName)
Description
The name of the attribute to add to the assertion.
Attributes
String
Mandatory
Example
Audit-Token
Name Format (nameFormat)
Description
The NameFormat to use for the attribute.
Attributes
String
Optional
Default value
urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Suggested values
urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
YAML Template (with default values)

type: AuditTokenAttribute
id: AuditTokenAttribute-xxxxxx
displayName: 
comment: 
properties:
  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  samlAttributeName:

Auth Method-based Authenticator Selector

Description

Authenticator plugin that selects one of several configured authenticators depending on the user's active authentication method.

Note: This plugin does not check the status of the user account (locked, invalid) and does not update login statistics (failed logins, etc.). It can therefore only be used in conjunction with another authenticator (e.g. Main Authenticator or Meta Authenticator).

Type name
AuthMethodBasedAuthenticatorSelector
Class
com.airlock.iam.core.misc.impl.authen.AuthMethodBasedAuthenticatorSelector
May be used by
Properties
Mappings (mappings)
Description
Maps authentication method identifiers (e.g. "MTAN") to corresponding authenticators (e.g. "MTAN/SMS Authenticator").
Attributes
Plugin-List
Mandatory
Assignable plugins
User Persister (userPersister)
Description
The user persister used to load the user's active authentication method.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: AuthMethodBasedAuthenticatorSelector
id: AuthMethodBasedAuthenticatorSelector-xxxxxx
displayName: 
comment: 
properties:
  defaultAuthenticator:
  mappings:
  userPersister:

Auth Token ID SAML 2.0 Attribute

Description
A SAML 2.0 attribute containing the Authentication Token ID.
Type name
AuthTokenIdAttribute
Class
com.airlock.iam.saml2.application.configuration.assertion.attribute.AuthTokenIdAttributeConfig
May be used by
License-Tags
SamlIdp
Properties
Attribute Name (samlAttributeName)
Description
The name of the attribute to add to the assertion. If there is no Auth Token in the session, the attribute will not be included in the assertion.
Attributes
String
Mandatory
Example
Auth-Token
Name Format (nameFormat)
Description
The NameFormat to use for the attribute.
Attributes
String
Optional
Default value
urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Suggested values
urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
YAML Template (with default values)

type: AuthTokenIdAttribute
id: AuthTokenIdAttribute-xxxxxx
displayName: 
comment: 
properties:
  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  samlAttributeName:

Authenticated Client ID (OAuth 2.0 Token Exchange)

Description

Sets the act claim to a claim set containing the authenticated client ID as sub claim and nests the original act claim from the subject token data into this claim set.

Nesting the act claim within another expresses a chain of delegation. The outermost act claim represents the current actor while nested act claims represent prior actors. The least recent actor is the most deeply nested. The nested act claims serve as a history trail that connects the initial request and subject through the various delegation steps undertaken before reaching the current actor.

If the subject token data has no act claim, the new claim only contains the sub claim.

Type name
OAuth2TokenExchangeAuthenticatedClientIdActorClaim
Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeAuthenticatedClientIdActorClaimConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
YAML Template (with default values)

type: OAuth2TokenExchangeAuthenticatedClientIdActorClaim
id: OAuth2TokenExchangeAuthenticatedClientIdActorClaim-xxxxxx
displayName: 
comment: 
properties:
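
The description above explains how the act claim is built and why nesting expresses a delegation chain. The following Python code is an added example (not Airlock IAM's implementation) that constructs the new act claim from the authenticated client ID and the subject token's claims, and walks the resulting nesting back to the least recent actor. The client IDs and subject in the sample are constructed.

```python
def build_actor_claim(authenticated_client_id, subject_token_claims):
    """Return the value of the act claim for the newly issued token.

    The authenticated client becomes the outermost actor (its ID as 'sub'); the
    subject token's existing act claim, if any, is nested unchanged beneath it.
    """
    act = {"sub": authenticated_client_id}
    prior = subject_token_claims.get("act")
    if prior is not None:
        act["act"] = prior
    return act


def delegation_chain(claims):
    """List actor IDs from the current actor (outermost) to the least recent (innermost)."""
    chain = []
    node = claims.get("act")
    while node is not None:
        chain.append(node.get("sub"))
        node = node.get("act")
    return chain


def exchange(subject_token_claims, authenticated_client_id):
    """Model one token exchange: copy the subject and attach the new act claim."""
    return {
        "sub": subject_token_claims["sub"],
        "act": build_actor_claim(authenticated_client_id, subject_token_claims),
    }


# Constructed sample: a token for user 'alice' that has already been exchanged once
# by client 'gateway-a'.
SAMPLE_SUBJECT_CLAIMS = {"sub": "alice", "act": {"sub": "gateway-a"}}

if __name__ == "__main__":
    issued = exchange(SAMPLE_SUBJECT_CLAIMS, "service-b")
    print(issued)
    print("delegation chain:", delegation_chain(issued))
```

Walking the chain is what an audit or detection rule would do to see every intermediary that handled a delegated token, not just the one presenting it.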

Authentication & Authorization UI

Description
User interface configuration for authentication and authorization.
Type name
AuthenticationUi
Class
com.airlock.iam.authentication.application.configuration.ui.AuthenticationUiConfig
May be used by
Properties
Target Application ID (targetApplicationId)
Description
The identifier of the target application that the user interface configuration refers to.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Customized Step UIs (customizedStepUis)
Description
The user interface configuration for the steps. Note: if using standard IAM steps, no user interface has to be configured manually.
Attributes
Plugin-List
Optional
Assignable plugins
Language Extractor (languageExtractor)
Description

The Language Extractor is a Location Interpreter which allows the UI to extract the language from the forward location. It is added to the value map from the location interpretation endpoint (/<loginapp-uri>/rest/public/authentication/location/interpret/) with the key IAM_UI_LANGUAGE.

The IAM UI uses this endpoint when application access with a forward location is requested. For this, an "Application Selector" must be configured on the "Target Application" configuration for the respective authentication flow. Otherwise, this setting has no effect for the default IAM UI.

Attributes
Plugin-Link
Optional
Assignable plugins
Show Goto Buttons (showGotoButtons)
Description

Show Goto buttons for all configured Goto targets on all pages using default UIs of this flow. Clicking a Goto button will redirect to the corresponding Goto target. The Goto targets are configured in the flows themselves, not the UIs.

For customized step UIs, Goto buttons have to be configured explicitly using the "Goto Button UI Element" plugin.

Notice: Goto buttons do not come with pre-defined labels. It is required to add i18n keys and values for each button manually. The key looks as follows: 'authentication.pages.actions.goto.<currentStepId>.<targetStepId>'.

Attributes
Boolean
Optional
Default value
true
Maintenance Message UI Settings (maintenanceMessageUiSettings)
Description
Settings to define if and how maintenance messages are displayed for this flow. If this property is not set no maintenance messages are displayed for this flow.
Attributes
Plugin-Link
Optional
Assignable plugins
Self-Unlock Flow (selfUnlockFlow)
Description
The self-unlock flow to use when a user is locked on this authentication flow. If configured, a message is displayed with a link to start this self-unlock flow. The link is displayed using the resource key: authentication.pages.messages.self-unlock
Attributes
Plugin-Link
Optional
Assignable plugins
Target URI Resolver (targetURIResolver)
Description
Resolves the URI to be propagated to after successful authentication.
  • The resolved URL must either be absolute (i.e. using https://) or start with a slash.
  • It may be necessary to configure 'Identity Propagation' to make the authentication work.
  • Uses the custom 'X-Forward-URL' header to inform the SPA about the target. Do not set the same header again in the identity propagation of the respective authentication flow.
  • Note: this setting is irrelevant for SAML 2.0 target applications (a target application where the "SAML 2.0 Identity Propagator" is configured). For such an application, simply configure a resolver with "/" as default value.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Cancellation Target (cancellationTarget)
Description
If configured, shows a cancel button on all pages, except the first, using default UIs of this flow. Clicking the cancel button will abort the flow and redirect to the configured target.

For customized step UIs, cancel buttons have to be configured explicitly using the "Cancel Button UI Element" plugin.

Attributes
Plugin-Link
Optional
Assignable plugins
Show Cancel Button On First Page (showCancelButtonOnFirstPage)
Description
If enabled, displays the cancel button also on the first interactive page of the flow. This can be useful if the "Cancellation Target" redirects to another flow or external page.

Note that even if this flag is disabled, a cancel button on the first page is always shown when the first page is reached again during the flow, e.g. by a Goto.

Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: AuthenticationUi
id: AuthenticationUi-xxxxxx
displayName: 
comment: 
properties:
  cancellationTarget:
  customizedStepUis:
  flowFailureTarget:
  languageExtractor:
  maintenanceMessageUiSettings:
  selfUnlockFlow:
  showCancelButtonOnFirstPage: false
  showGotoButtons: true
  targetApplicationId:
  targetURIResolver:

Authentication & Authorization UIs

Description
User interface configurations for authentication and authorization.
Type name
AuthenticationUiConfigs
Class
com.airlock.iam.authentication.application.configuration.ui.AuthenticationUiConfigs
May be used by
Properties
Flow UIs (flowUis)
Description
Configures the user interface for the flow belonging to a target application.
Attributes
Plugin-List
Mandatory
Assignable plugins
Non-Flow UI Settings (nonFlowUiSettings)
Description
Defines UI settings for pages that are not flow specific.
Attributes
Plugin-Link
Optional
Assignable plugins
On Logout (onLogout)
Description
The action to take after a logout.
Attributes
Plugin-Link
Optional
Assignable plugins
SSO Parameter Names (ssoParameterNames)
Description
Names of SSO parameters that the SPA tries to extract. The names are used in the configured order and extracting stops with the first parameter that is present.
Attributes
String-List
Optional
Default value
[sso]
YAML Template (with default values)

type: AuthenticationUiConfigs
id: AuthenticationUiConfigs-xxxxxx
displayName: 
comment: 
properties:
  flowUis:
  nonFlowUiSettings:
  onLogout:
  ssoParameterNames: [sso]

Authentication Data Map

Description

Provides some data about the successful authentication of the user.

Currently, the following values are provided:

  • auth-token-id: Auth Token ID (available as soon as the user has used a second factor for authentication in this session).
  • authentication-timestamp: timestamp (as date object) of the successful authentication (available as soon as the user has successfully authenticated for the first time in this session). Can be used by template-based providers to format the timestamp into a specific date format.
  • authentication-timestamp-millis: timestamp (as number of milliseconds since epoch) of the successful authentication (available as soon as the user has successfully authenticated for the first time in this session).

Type name
AuthenticationDataValueMapProvider
Class
com.airlock.iam.flow.shared.application.configuration.valueprovider.AuthenticationDataValueMapProviderConfig
May be used by
User Identification By Data Step, OAuth 2.0 Consent Grant Initiation Step, FIDO Registration Step, Set Context Data Step, Legacy ID Propagation Adapter, mTAN Message Provider, Airlock 2FA Activation Trusted Session Binding Step, Selection Step for Self-Service, Cronto Device Reset Step, Airlock 2FA Authentication Step, OAuth 2.0 Client Persisting Step, Send Email Link Step, Phone Number Verification Step, Set Authentication Method Step, Email OTP Authentication Step, FIDO Transaction Approval Step, HTTP Basic Authentication Step, Delete OAuth 2.0 Session Initiation Step, Secret Questions Identity Verification Step, SSI Passwordless Authentication Step, Translated String Provider, User Data Registration Step, Failure Step, Select mTAN Token Step, SAML 2.0 SP User Identifying Step, Account Link Removal Initiation Step, No Operation Step, Cronto Transaction Approval Step, OAuth 2.0 Client Registration Step, Password Change Self-Service Step, Airlock 2FA Device Deletion Initiation Step, Apply Changes Step, Airlock 2FA Activation Step (with additional Activation), Enable Cronto Push Initiation Step, Start User Representation Step, Representation SSO Ticket Identifying Step, User Role Assignment Step, Email Verification Step, OATH OTP Activation Step, Airlock 2FA Mobile Only Authentication Step, Transforming Value Map Provider, Date From Map Value Provider, Airlock 2FA Public Self-Service Approval Step, FIDO Credential Selection Step, Matrix Self-Service Approval Step, User Data Edit Step, Set Password Step, Cronto Letter Order Step, Username Password Authentication Step, Loginapp Event Settings, Template-based String Provider, Selection Step, Cronto Activation Step, User Identification By Data Step (Public Self-Service), Vasco OTP Authentication Step, User Lock Step, Certificate Credential Extraction Step, Stop User Representation Step, OAuth 2.0 Consents Delete Initiation Step, mTAN Token Edit Step, CrontoSign Swiss Push Activation Step, Airlock 2FA Transaction Approval Step, Missing Account Link Step, Integer From Map Value Provider, User Identification Step, Email Event Subscriber (Loginapp), Rename Cronto Device Step, User Identification with FIDO Authentication Step, Airlock 2FA Recovery Trusted Session Binding Step, User Persisting Step, Email Message Provider, Secret Questions Provisioning Step, Kerberos Authentication Step, Complete Migration Step, Never Migrate Step, Migration Selection Step, Account Link Linking Initiation Step, Username Generation Step, Email Notification Step, Airlock 2FA Activation Letter Order Step, SMS Identity Verification Step, Matrix Public Self-Service Approval Step, Airlock 2FA Device Edit Initiation Step, Enable Cronto Device Initiation Step, Matrix Checking Step, Red Flag Raising Step, Airlock 2FA Message Provider, Scriptable Step, Login From New Device Step, Cronto Message Provider, Password Letter Order Step, Device Token Authentication Step, Unlock User Step (Public Self-Service), Scriptable Validator, Set Authentication Method Migration Step, SSI Issuance Step, FIDO Passwordless Authentication Step, Remember-Me User Identifying Step, Template-based Username Transformer, Password Reset Step, FIDO Authentication Step, On Behalf Login Identity Propagation, Terms Of Services Step, Email Change Verification Step, Vasco OTP Self-Service Approval Step, Airlock 2FA Delete Devices Step, Password-only Authentication Step, SSI Self-Registration Issuance Step, Username Password with FIDO Authentication Step, User Identification Step (Public Self-Service), SSI Verification Step, mTAN Self-Service Approval Step, Legacy Email OTP Authentication Step, Cronto Device Selection Step, Abort Step, mTAN Token Registration Step, Email OTP Transaction Approval Step, SMS Event Subscriber (Loginapp), Disable FIDO Credential Initiation Step, Enable FIDO Credential Initiation Step, OAuth 2.0 SSO Step, String From Map Value Provider, Remember-Me Reset Step, Cronto Authentication Step, Delete Remember-Me Device Initiation Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, Airlock 2FA Usernameless Authentication Step, Email Identity Verification Step, OATH OTP Authentication Step, Vasco OTP Public Self-Service Approval Step, OTP Check via RADIUS Step, Disable Cronto Push Initiation Step, Cronto Public Self-Service Approval Step, OAuth 2.0 Session Reset Step, OAuth 2.0 Consent Deny Initiation Step, mTAN Verification Step, Date And Time From Map Value Provider, Boolean From Map Value Provider, Delete mTAN Number Initiation Step, mTAN Public Self-Service Approval Step, OAuth 2.0 Consent Step, Transaction Approval Parameter Step, Role-based Tag Acquisition Step, Flow Continuation Step, Remember-Me Token Generating Step, Device Token Registration Step, Remote Event Subscriber (Loginapp), Cronto Self-Service Approval Step, SSI Authentication Step, Acknowledge Message Step, Cronto Approval Stealth Step, Ticket String Provider, Airlock 2FA Device Edit Step, Airlock 2FA Self-Service Approval Step, Flow Continuation Token Consumption Step, Device Token Identity Verification Step, mTAN Transaction Approval Step, Risk Assessment Step, mTAN Authentication Step, SSO Ticket Authentication Step, Tag Removal Step, Voluntary Password Change Step, Airlock 2FA Activation Step, FIDO Credential Display Name Change Step, Mandatory Password Change Step, User Unlock Step (Self-Registration), Selection Step for Public Self-Service, Delete FIDO Credential Initiation Step, Delete Cronto Device Initiation Step, Conditional Value Map Provider, FIDO Public Self-Service Approval Step, Public Self-Service OATH OTP Approval Step, Disable Cronto Device Initiation Step, FIDO Self-Service Approval Step
Properties
YAML Template (with default values)

type: AuthenticationDataValueMapProvider
id: AuthenticationDataValueMapProvider-xxxxxx
displayName: 
comment: 
properties:

Authentication Flow

Description
Configuration for an authentication flow.
Type name
AuthenticationFlow
Class
com.airlock.iam.authentication.application.configuration.AuthenticationFlowConfig
May be used by
Properties
Steps (steps)
Description
Steps of the flow.
Attributes
Plugin-List
Mandatory
Assignable plugins
Abort Step, Acknowledge Message Step, Airlock 2FA Activation Letter Order Step, Airlock 2FA Activation Step, Airlock 2FA Activation Step (with additional Activation), Airlock 2FA Activation Trusted Session Binding Step, Airlock 2FA Authentication Step, Airlock 2FA Delete Devices Step, Airlock 2FA Device Edit Step, Airlock 2FA Mobile Only Authentication Step, Airlock 2FA Recovery Trusted Session Binding Step, Airlock 2FA Usernameless Authentication Step, Apply Changes Step, Complete Migration Step, Cronto Activation Step, Cronto Authentication Step, Cronto Device Reset Step, Cronto Letter Order Step, CrontoSign Swiss Push Activation Step, Device Token Authentication Step, Device Token Registration Step, Email Change Verification Step, Email Notification Step, Email OTP Authentication Step, FIDO Authentication Step, FIDO Credential Display Name Change Step, FIDO Passwordless Authentication Step, FIDO Registration Step, Failure Step, HTTP Basic Authentication Step, Kerberos Authentication Step, Legacy Email OTP Authentication Step, Login From New Device Step, Mandatory Password Change Step, Matrix Checking Step, Migration Selection Step, Missing Account Link Step, Never Migrate Step, No Operation Step, OATH OTP Activation Step, OATH OTP Authentication Step, OAuth 2.0 Consent Step, OAuth 2.0 SSO Step, OAuth 2.0 Session Reset Step, OTP Check via RADIUS Step, Password Letter Order Step, Password-only Authentication Step, Red Flag Raising Step, Remember-Me Reset Step, Remember-Me Token Generating Step, Remember-Me User Identifying Step, Representation SSO Ticket Identifying Step, Risk Assessment Step, Role-based Tag Acquisition Step, SAML 2.0 SP User Identifying Step, SSI Authentication Step, SSI Issuance Step, SSI Passwordless Authentication Step, SSI Verification Step, SSO Ticket Authentication Step, Scriptable Step, Secret Questions Provisioning Step, Selection Step, Set Context Data Step, Set Password Step, Tag Removal Step, Terms Of Services Step, User Data Edit Step, User Identification By Data Step, User Identification Step, User Identification with FIDO Authentication Step, User Lock Step, Username Password Authentication Step, Username Password with FIDO Authentication Step, Vasco OTP Authentication Step, Voluntary Password Change Step, mTAN Authentication Step, mTAN Token Registration Step, mTAN Verification Step
Processors (processors)
Description
Processors get notified about the various stages of the flow and offer hooks to plug in custom logic. These processors realize the entire authentication logic such as incrementing failed login counters or checking of user validity.

The configured processors are extended with the following processors (if not already present):

  1. User Enumeration Protection Processor (only if "Prevent User Enumeration" enabled)
  2. Temporary Locking Processor (only if "Enable Temporary Locking" enabled)

Attributes
Plugin-Link
Optional
Assignable plugins
Prevent User Enumeration (preventUserEnumeration)
Description

If enabled, user enumeration is prevented by not revealing what went wrong in a user identifying step ("Stealth Mode"). In particular, all failures caused by a wrong password or by a non-existent, locked or invalid user are answered with the same generic error code AUTHENTICATION_FAILED. Furthermore, the sessions of the user are terminated on IAM and on the Airlock Gateway (WAF).

Note that this feature is not compatible with Temporary Locking. It is recommended to configure a "Fixed Response Duration" for failed responses to prevent user enumeration timing attacks.

Important note: This feature only protects against user enumeration if the identifying step identifies the user and at the same time checks a credential, e.g. in case of "Password Authentication" or "Device Token Authentication". If the "User Identifying Step" is used, this feature does not protect against user enumeration.

If enabled, a "User Enumeration Protection Processor" is automatically added to the list of flow processors.

Attributes
Boolean
Optional
Default value
false
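The difference between a verbose failure response and the "Stealth Mode" described above, together with the "Fixed Response Duration" padding the text recommends, as an added Python illustration (not Airlock IAM code). The user store, the password values and the 0.25 s fixed duration are constructed for the example; the clock and sleep functions are injectable so the padding can be checked without actually waiting.

```python
import hmac
import time

# Constructed in-memory user store: username -> (password, locked flag).
USERS = {
    "alice": ("correct horse battery staple", False),
    "bob": ("hunter2", True),  # locked account
}

GENERIC_FAILURE = "AUTHENTICATION_FAILED"
# Constructed value standing in for the "Fixed Response Duration" setting.
FIXED_RESPONSE_SECONDS = 0.25


def check_password_verbose(username, password):
    """Non-stealth behaviour: each failure cause yields its own code.

    The distinct codes tell a caller whether the account exists and
    whether it is locked, which is exactly what user enumeration exploits.
    """
    record = USERS.get(username)
    if record is None:
        return "USER_NOT_FOUND"
    stored, locked = record
    if locked:
        return "USER_LOCKED"
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return "WRONG_PASSWORD"
    return "OK"


def check_password_stealth(username, password):
    """Stealth Mode: every failure collapses to the same generic code."""
    if check_password_verbose(username, password) == "OK":
        return "OK"
    return GENERIC_FAILURE


def respond(check, username, password, clock=time.monotonic, sleep=time.sleep):
    """Run a check and pad failed responses to a fixed duration.

    Without padding, a lookup that fails early ("user not found") answers
    faster than one that reaches the password comparison, so timing would
    still leak what the uniform error code hides.
    """
    start = clock()
    result = check(username, password)
    if result != "OK":
        remaining = FIXED_RESPONSE_SECONDS - (clock() - start)
        if remaining > 0:
            sleep(remaining)
    return result


if __name__ == "__main__":
    for user, pw in [("nobody", "x"), ("bob", "hunter2"), ("alice", "wrong")]:
        print(user, check_password_verbose(user, pw), "->", respond(check_password_stealth, user, pw))
```

Note that the padding only equalizes failures; the page's own caveat still applies, namely that stealth mode helps only when the identifying step both identifies the user and checks a credential.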
Enable Temporary Locking (temporaryLockingActive)
Description

Enables Temporary Locking for this flow.

Note: This is only effective if temporary locking is also enabled in the "Target Applications and Authentication" plugin.

If enabled, a "Temporary Locking Processor" is automatically added to the list of flow processors.

Note: Disabling and re-enabling this feature does not reset temporary locks.

Attributes
Boolean
Optional
Default value
true
Add Remaining Attempts Info (addRemainingAttemptsInfo)
Description

If enabled, for any step result that caused an increase in the number of failed attempts, the remaining number of attempts for that factor is returned with the step result.

This feature is not combinable with username enumeration protection.

Attributes
Boolean
Optional
Default value
false
Username Transformers (usernameTransformers)
Description
Username transformers may transform the provided username into the single unique user ID required for the flow.
The transformation of a username takes place in the first step, before the user is loaded. Note that username transformers have no effect on the propagated username value. Transformers can be chained, i.e. a first transformer could normalize the original name, and the next transformer could look up the normalized name in a database for potential transformation matches.
Contrary to the chaining described above, a transformer can also signal that it has already found the final user ID, in which case the chain stops after it.
For further details please refer to the documentation of the username transformer plugins.
Attributes
Plugin-List
Optional
Assignable plugins
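A chain of username transformers with the "final user ID" stop signal described above, as an added Python illustration (not Airlock IAM code and not one of its transformer plugins). The three transformers and the alias table are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class TransformResult:
    username: str
    final: bool = False  # True: this transformer found the final user ID; stop the chain


Transformer = Callable[[str], TransformResult]


def normalize(username: str) -> TransformResult:
    """Trim whitespace and lower-case the name; later transformers may still run."""
    return TransformResult(username.strip().lower())


# Constructed alias table standing in for a database lookup of alias -> user ID.
ALIASES = {"alice@example.test": "alice", "a.smith": "alice"}


def alias_lookup(username: str) -> TransformResult:
    """Resolve a known alias to its user ID and mark the result as final."""
    user_id = ALIASES.get(username)
    if user_id is not None:
        return TransformResult(user_id, final=True)
    return TransformResult(username)


def strip_domain(username: str) -> TransformResult:
    """Fallback: use the local part of an e-mail style name as user ID."""
    return TransformResult(username.split("@", 1)[0])


def apply_chain(username: str, chain: List[Transformer]) -> str:
    """Apply transformers in order; a final result short-circuits the rest."""
    current = username
    for transformer in chain:
        result = transformer(current)
        current = result.username
        if result.final:
            break
    return current


CHAIN = [normalize, alias_lookup, strip_domain]

if __name__ == "__main__":
    for name in ["  Alice@Example.test ", "Bob@Example.test", "A.Smith"]:
        print(repr(name), "->", apply_chain(name, CHAIN))
```

Order matters: normalization must precede the lookup so that case and whitespace variants of an alias resolve to the same ID, and the lookup's final flag prevents the fallback from mangling an already resolved ID.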
Additional Attributes (additionalAttributes)
Description

Whitelist of additional attributes (e.g. headers or REST attributes) for the check password authentication REST call (/<loginapp-uri>/rest/public/authentication/password/check/).

Attributes with matching names and valid values are made available to the flow.

Attributes
Plugin-List
Optional
Assignable plugins
Persistency-less (persistencyless)
Description

If enabled, this flow does not consider persistency, i.e. users don't have to exist locally in order to be authenticated. This is typically used with SSO tickets or external authentication using OAuth or SAML.

Persistency-less flows are very limited in their capabilities, in particular:

  • Password checks and second factor authentication are not possible.
  • The user state (locked, invalid etc.) cannot be verified.
  • Identity propagation is limited to the information received from external systems.

Note that configuration validation support is limited. It is essential to test such a flow extensively to ensure it behaves correctly in all situations.

It is recommended to use the "Default Persistency-less Authentication Processors" when using a persistency-less flow.

Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: AuthenticationFlow
id: AuthenticationFlow-xxxxxx
displayName: 
comment: 
properties:
  addRemainingAttemptsInfo: false
  additionalAttributes:
  persistencyless: false
  preventUserEnumeration: false
  processors:
  steps:
  temporaryLockingActive: true
  usernameTransformers:

Authentication Flow Successfully Completed

Description
Event that is triggered by the successful completion of an authentication flow.
Type name
AuthenticationFlowSuccessfullyCompletedSubscribedEvent
Class
com.airlock.iam.login.application.configuration.event.AuthenticationFlowSuccessfullyCompletedSubscribedEventConfig
May be used by
Properties
YAML Template (with default values)

type: AuthenticationFlowSuccessfullyCompletedSubscribedEvent
id: AuthenticationFlowSuccessfullyCompletedSubscribedEvent-xxxxxx
displayName: 
comment: 
properties:

Authentication Instant SAML 2.0 Attribute

Description
A SAML 2.0 attribute containing the authentication instant.
Type name
AuthenticationInstantAttribute
Class
com.airlock.iam.saml2.application.configuration.assertion.attribute.AuthenticationInstantAttributeConfig
May be used by
License-Tags
SamlIdp
Properties
Attribute Name (samlAttributeName)
Description
The name of the attribute to add to the assertion.
Attributes
String
Mandatory
Example
AuthInstant
Date And Time Format (dateAndTimeFormat)
Description

If this property is set, the SAML 2.0 attribute will contain the authentication instant formatted using the configured date and time format. The format is interpreted as specified in the java.text.SimpleDateFormat documentation. Note that the output time zone is fixed to GMT.

If this property is not set, the attribute value will contain the authentication instant as a Unix timestamp (i.e. milliseconds since epoch).

Attributes
String
Optional
Example
yyyy-MM-dd'T'HH:mm:ss'Z'
Example
yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
Example
yyyy-MM-dd HH:mm:ss
Name Format (nameFormat)
Description
The NameFormat to use for the attribute.
Attributes
String
Optional
Default value
urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Suggested values
urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
YAML Template (with default values)

type: AuthenticationInstantAttribute
id: AuthenticationInstantAttribute-xxxxxx
displayName: 
comment: 
properties:
  dateAndTimeFormat:
  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  samlAttributeName:

Authentication Method Changed

Description
Event that is published when the authentication method of a user changes.

This event is not published in the following cases:

  • The authentication method is edited via context data - use a "Context Data Changed" event instead
  • The user is newly created
  • The user is imported, e.g. via a service container task or from external persistency (AD/LDAP)

Type name
AuthenticationMethodChangedEvent
Class
com.airlock.iam.common.application.configuration.event.AuthenticationMethodChangedEventConfig
May be used by
Properties
Ignore Empty Previous Method (ignoreEmptyPreviousMethod)
Description
If enabled, the event will not be handled when the user did not have an active previous authentication method.
Attributes
Boolean
Optional
Default value
false
Ignore Empty Active Method (ignoreEmptyActiveMethod)
Description
If enabled, the event will not be handled when the active authentication method has been removed.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: AuthenticationMethodChangedEvent
id: AuthenticationMethodChangedEvent-xxxxxx
displayName: 
comment: 
properties:
  ignoreEmptyActiveMethod: false
  ignoreEmptyPreviousMethod: false

Authentication Method Condition

Description
Condition that is fulfilled, if the active authentication method of the user is equal to the configured expected authentication method.
Type name
AuthMethodEqualsEventCondition
Class
com.airlock.iam.core.misc.persistency.usereventbus.conditions.AuthMethodEqualsEventCondition
May be used by
Properties
Authentication Method (authMethod)
Description
The expected authentication method for the condition to be fulfilled.
Attributes
String
Mandatory
Suggested values
AIRLOCK_2FA, CRONTO, EMAILOTP, FIDO, MATRIX, MTAN, OATH_OTP, OTP, PASSWORD
YAML Template (with default values)

type: AuthMethodEqualsEventCondition
id: AuthMethodEqualsEventCondition-xxxxxx
displayName: 
comment: 
properties:
  authMethod:

Authentication Method Identifier Mapping

Description
Maps authentication method identifiers to authenticators.
Type name
AuthMethodBasedAuthenticatorSelectorMapping
Class
com.airlock.iam.core.misc.impl.authen.AuthMethodBasedAuthenticatorSelectorMapping
May be used by
Properties
Auth Method Identifier (authMethodIdentifier)
Description
Authentication method identifier. Corresponds to the "authentication method" value stored in the user directory or database.
Attributes
String
Mandatory
Suggested values
AIRLOCK_2FA, CRONTO, EMAILOTP, FIDO, MATRIX, MTAN, OATH_OTP, OTP, PASSWORD
YAML Template (with default values)

type: AuthMethodBasedAuthenticatorSelectorMapping
id: AuthMethodBasedAuthenticatorSelectorMapping-xxxxxx
displayName: 
comment: 
properties:
  authMethodIdentifier:
  authenticator:

Authenticator-based One-Shot Target Application

Description

Defines how to authenticate HTTP requests based on the original HTTP request sent by the client (provided to IAM in various Airlock Gateway environment cookies).

The following actions are applied for each request:

  1. Credential Extraction: Extract the credential from the HTTP request (e.g. a bearer token or a cookie).
  2. Authentication: Call the specified authenticator with the credential (e.g. verify a JWT ticket).
  3. Error handling: If authentication fails, the specified error mapper defines how to respond (e.g. send 401 to the client).
  4. Authorization: Ensure that the roles required to access the application/services are present after authentication.
  5. ID-Propagation: Provide information about the authenticated user to the target application/service.
  6. Set Airlock Gateway (WAF) roles: Provide credentials/roles to the Airlock Gateway to allow the request to pass to the target application/service.

Type name
AuthenticatorBasedOneShotTargetApplication
Class
com.airlock.iam.login.app.misc.configuration.oneshot.OneShotTargetApplicationConfig
May be used by
Properties
Credential Extractor (credentialExtractorFactory)
Description
Extracts credential (e.g. basic auth, bearer token, cookie) from the request received from the Airlock Gateway (one-shot flow). The credential serves as input for the authenticator.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Authenticator (authenticator)
Description

Validates the credential from the credential extractor in order to authenticate the HTTP request.

Note:

  • Only non-interactive authentication steps (there is no way to interact with the HTTP client at this point - use the REST authentication API to do so if desired) may be configured.
  • The authenticator must know how to handle the credential type provided by the credential extractor.

A common use-case is to verify JWT tokens issued by an upfront authentication process (as "Authorization Bearer" header):

  • Extract bearer token from HTTP header (using the "HTTP Header Token Extractor (as SSO Credential)").
  • Authenticate the request using the "Lookup and Accept Authenticator" or the "SSO Credential Authenticator".

Attributes
Plugin-Link
Mandatory
Assignable plugins
Failure Responses (failureResponses)
Description
Defines how to respond if authentication fails (for wrong credentials and other errors).
Attributes
Plugin-Link
Optional
Assignable plugins
Enable User Trail Log (enableUserTrailLog)
Description

If enabled, a message is logged to the user trail log for every successful or unsuccessful authentication.

Caution: If the Airlock Gateway (WAF) is used in stateless mode, every single request may have to be authenticated by IAM due to missing roles. Hence, every request may generate a message in the user trail log depending on the Airlock Gateway configuration.

Attributes
Boolean
Optional
Default value
true
URL Pattern (urlPattern)
Description
The URL pattern (regular expression pattern) to identify this target application.

The first pattern (in the list of target applications) that matches the forward URL is used.
The matching is case-insensitive.

The URL pattern is ignored for the default target application.

Attributes
RegEx
Mandatory
Use Different Username (useDifferentUsername)
Description
If a user can have a different username at this target application, it can be specified here how the other username should be obtained. The following options are possible:
  • The name of the context data field in which this username is stored. Note that this field needs to be made persistent via the User Persister.
  • A fixed username (which is the same for all users). This should start with FIXED: followed by the username. E.g.: if the username is "admin", set this to "FIXED:admin".
  • Leave this empty, if no username is required or the standard username should be used.

The resulting username can be transformed further by using the Username Transformation property.

Attributes
String
Optional
License-Tags
SubIdentities
Example
applA_username
Example
email
Example
FIXED:admin
Username Transformation (usernameTransformation)
Description
List of transformation plugins which allow various mutations of the username. The transformations are applied in order. Note that some username transformers stop the transformation chain after successful application.

These transformations are applied after the "Use Different Username" property.

Attributes
Plugin-List
Optional
Assignable plugins
Use Different Password (useDifferentPassword)
Description
If a user needs a password for this target application, it can be specified here how it should be obtained. This is not supported by all plugins though. The following options are possible:
  • If no password is required for this application: leave empty.
  • If the user has (or can have) a different password at this application: The name of the context data field in which this password is to be stored. Remember that this field needs to be made persistent via the User Persister.
  • If a fixed password is used that is the same for all users: Prefix with FIXED: followed by the password, e.g. "FIXED:123456".
  • If the user's main password (i.e. the password used to login to Airlock IAM) is used: Leave the field empty, but see the notes below.
If the user's main password is also used to sign on to target applications, please note the following points:
  • The main password can only be used if the user was required to enter the password upon login. This is not the case for Kerberos and other SSO logins. In those cases, this option is not possible.
  • Normally, the user's password is only available directly after login. If the user comes back to the Loginapp later, e.g. to access a different application, the password is normally not available anymore.
  • If only one target application is configured, this should not be a problem, since the user only needs to be authenticated at the very beginning (directly after the authentication).
  • If the user's password is needed for several target applications, it has to be available every time the user wants to access another application in the same session. In this case, the password should be saved in the session ticket (see Security Settings).
Attributes
String
Optional
License-Tags
SubIdentities
Example
applA_password
Example
FIXED:123456
Password Encryption Method (passwordEncryptionMethod)
Description
The type of password encryption used to decrypt this password.
Leave empty if the password is not encrypted (not recommended if the password is read from a context data field).
Attributes
Plugin-Link
Optional
License-Tags
SubIdentities
Assignable plugins
Required Roles (requiredRoles)
Description
A list of roles used to access this target application.

The user needs at least one of the roles in order to get access to the application.

If no roles are configured, all authenticated users may access the application.

The user's roles may be transformed before being compared to this list using the Role Transformation Rules (see separate property).

If the user doesn't have any of these roles, the "Step-Up Authenticators" (in Authentication Settings) are consulted in order to find out whether they can be obtained using a Step-Up.

Attributes
String-List
Optional
Airlock Gateway (WAF) Roles (airlockGatewayRoles)
Description

The Airlock Gateway (WAF) roles that should be set when accessing this target application, instead of using the user's roles as Gateway roles.

The name of the role can be followed by a colon and the idle timeout of the role in seconds, e.g. "myrole:300" sets the role "myrole" that will expire after 5 minutes of client inactivity.

With a second colon and a second number, the life-time can be set, e.g. "myrole:300:3600" will set the role "myrole" for a maximum of 1 hour, but it will also expire after 5 minutes of client inactivity.

Note: If you want to replace (instead of add) target application's Gateway roles in the session upon the first visit of each target application, you have to disable the "Add Credentials To Session" flag in the "Airlock Gateway (WAF) Settings" of the Login Application.

Attributes
String-List
Optional
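As an added example (not Airlock's own code), the following parser handles the "name[:idleTimeout[:lifetime]]" entry syntax described above and evaluates both limits the way the description states them: the role ends as soon as either the idle timeout or the maximum lifetime is reached. Treating an elapsed time equal to the limit as expired is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example for the "Airlock Gateway (WAF) Roles" entry format.
# Not Airlock's own code; the regex and the >= expiry rule are assumptions.
_SPEC = re.compile(r"^(?P<name>[^:\s]+)(?::(?P<idle>\d+)(?::(?P<life>\d+))?)?$")


@dataclass(frozen=True)
class GatewayRole:
    name: str
    idle_timeout_s: Optional[int]  # None: no idle timeout given in the entry
    lifetime_s: Optional[int]      # None: no maximum lifetime given in the entry


def parse_gateway_role(entry: str) -> GatewayRole:
    """Parse one list entry, e.g. "myrole", "myrole:300" or "myrole:300:3600"."""
    m = _SPEC.match(entry.strip())
    if m is None:
        raise ValueError(f"invalid Gateway role entry: {entry!r}")
    idle = int(m["idle"]) if m["idle"] is not None else None
    life = int(m["life"]) if m["life"] is not None else None
    for label, value in (("idle timeout", idle), ("lifetime", life)):
        if value is not None and value <= 0:
            raise ValueError(f"{label} must be positive in {entry!r}")
    return GatewayRole(m["name"], idle, life)


def parse_gateway_roles(entries: list[str]) -> list[GatewayRole]:
    """Parse the whole "Airlock Gateway (WAF) Roles" list."""
    return [parse_gateway_role(e) for e in entries]


def role_active(role: GatewayRole, granted_at: int, last_activity: int, now: int) -> bool:
    """True while neither limit has elapsed (timestamps in seconds).

    "myrole:300:3600" therefore ends after 5 minutes of client inactivity even
    if most of the 1 hour lifetime is still left, and after 1 hour at the latest
    no matter how active the client is.
    """
    if role.idle_timeout_s is not None and now - last_activity >= role.idle_timeout_s:
        return False
    if role.lifetime_s is not None and now - granted_at >= role.lifetime_s:
        return False
    return True
```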
Role Transformation Rules (roleTransformationRules)
Description
A list of transformation rules used to modify user roles before being compared to the "Required Roles" of an application.
Attributes
Plugin-List
Optional
Assignable plugins
Propagated Roles To Delete (propagatedRolesToDelete)
Description
A list of regular expressions. Any role matching one of these expressions is not propagated to the target application, unless it also matches one of the "Propagated Roles To Keep". The matching is performed before any transformation.
Attributes
RegEx-List
Optional
Propagated Roles To Keep (propagatedRolesToKeep)
Description
A list of regular expressions. If set, only roles matching at least one of these expressions are propagated to the target application, even if they match one of the "Propagated Roles To Delete". Notice that any "Propagated Roles To Add" are always added. The matching is performed before any transformation.
Attributes
RegEx-List
Optional
Propagated Roles Transformation Rules (propagatedRolesTransformationRules)
Description
A list of transformation rules used to modify the names of roles that are sent to an application by the identity propagator. All transformations are applied as a pipeline to every role that has not been deleted before.
Attributes
Plugin-List
Optional
Assignable plugins
Propagated Roles To Add (propagatedRolesToAdd)
Description
The static roles that will always be added to the final list of propagated roles (no transformation is applied to those).
Attributes
String-List
Optional
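The following added example (not Airlock's own code) implements the role handling described in the properties above: the "Required Roles" check with "Role Transformation Rules" applied first, and the propagation pipeline "Propagated Roles To Delete" / "To Keep" / "Transformation Rules" / "To Add". Two assumptions not stated on the page: patterns must match the whole role name, and a transformation rule is modelled as a regex substitution.

```python
import re
from dataclasses import dataclass, field

# Constructed example of the role filtering/transformation pipeline; not the
# product's implementation. Regexes use fullmatch (assumption).


@dataclass(frozen=True)
class TransformationRule:
    pattern: str      # regex applied to the role name
    replacement: str  # re.sub replacement; may use \1 back-references


def transform_roles(roles: list[str], rules: list[TransformationRule]) -> list[str]:
    """Apply all rules to every role in order, as a pipeline."""
    out = []
    for role in roles:
        for rule in rules:
            role = re.sub(rule.pattern, rule.replacement, role)
        out.append(role)
    return out


def _matches_any(role: str, patterns: list[str]) -> bool:
    return any(re.fullmatch(p, role) for p in patterns)


def may_access(user_roles: list[str], required_roles: list[str],
               rules: list[TransformationRule]) -> bool:
    """Required Roles check: an empty list admits every authenticated user,
    otherwise at least one transformed user role must be listed."""
    if not required_roles:
        return True
    return any(r in required_roles for r in transform_roles(user_roles, rules))


@dataclass
class PropagationPolicy:
    roles_to_delete: list[str] = field(default_factory=list)  # regexes
    roles_to_keep: list[str] = field(default_factory=list)    # regexes
    rules: list[TransformationRule] = field(default_factory=list)
    roles_to_add: list[str] = field(default_factory=list)     # static, never transformed


def propagated_roles(user_roles: list[str], policy: PropagationPolicy) -> list[str]:
    # 1. Filtering works on the untransformed names. A configured keep list is
    #    authoritative: only matching roles survive, even if a delete pattern also
    #    matches. Without a keep list, a role survives unless a delete pattern matches.
    if policy.roles_to_keep:
        survivors = [r for r in user_roles if _matches_any(r, policy.roles_to_keep)]
    else:
        survivors = [r for r in user_roles if not _matches_any(r, policy.roles_to_delete)]
    # 2. Transformation pipeline over the survivors only.
    result = transform_roles(survivors, policy.rules)
    # 3. Static roles are appended untouched; duplicates dropped, order kept.
    final: list[str] = []
    for role in result + list(policy.roles_to_add):
        if role not in final:
            final.append(role)
    return final
```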
YAML Template (with default values)

type: AuthenticatorBasedOneShotTargetApplication
id: AuthenticatorBasedOneShotTargetApplication-xxxxxx
displayName: 
comment: 
properties:
  airlockGatewayRoles:
  authenticator:
  credentialExtractorFactory:
  enableUserTrailLog: true
  failureResponses:
  identityPropagator:
  passwordEncryptionMethod:
  propagatedRolesToAdd:
  propagatedRolesToDelete:
  propagatedRolesToKeep:
  propagatedRolesTransformationRules:
  requiredRoles:
  roleTransformationRules:
  urlPattern:
  useDifferentPassword:
  useDifferentUsername:
  usernameTransformation:

AuthnContextClassRef URI SAML 2.0 Attribute

Description
A SAML 2.0 attribute containing the AuthnContextClassRef URI if an explicit Authentication Context Mapping (or a default Authentication Context) has been configured in the IdP config.
Type name
AuthnClassRefAttribute
Class
com.airlock.iam.saml2.application.configuration.assertion.attribute.AuthnClassRefAttributeConfig
May be used by
License-Tags
SamlIdp
Properties
Attribute Name (samlAttributeName)
Description
The name of the attribute to add to the assertion.
Attributes
String
Mandatory
Example
AuthnContextClassRef
Name Format (nameFormat)
Description
The NameFormat to use for the attribute.
Attributes
String
Optional
Default value
urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Suggested values
urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
YAML Template (with default values)

type: AuthnClassRefAttribute
id: AuthnClassRefAttribute-xxxxxx
displayName: 
comment: 
properties:
  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  samlAttributeName:

Authorization Flow

Description
Configuration for an authorization flow.
Type name
AuthorizationFlow
Class
com.airlock.iam.authentication.application.configuration.AuthorizationFlowConfig
May be used by
Properties
YAML Template (with default values)

type: AuthorizationFlow
id: AuthorizationFlow-xxxxxx
displayName: 
comment: 
properties:
  processors:
  steps:

Automated Account Registration

Description
Configuration for the registration of IAM accounts with data from the provider. The created account will be persisted in the user persister of the Loginapp and linked with the provider.
Type name
AccountRegistration
Class
com.airlock.iam.oauth2.application.configuration.accountregistration.AccountRegistrationConfig
May be used by
License-Tags
OAuthSocialRegistration
Properties
Determine Username (usernameProvider)
Description
Determines the username of the created IAM account.
Attributes
Plugin-Link
Mandatory
Assignable plugins
User Context Data Items (userContextDataItems)
Description
Context Data items from the provider that will be included in the created IAM account. There must exist a corresponding context data column entry in the user persister to successfully persist the item.
Attributes
Plugin-List
Optional
Assignable plugins
Static Roles (staticRoles)
Description
The set of roles to add to the created IAM account.
Attributes
String-List
Optional
Status Upon Creation (statusUponCreation)
Description
Defines the status of the IAM user after creation:
  • logged-in: the new user will be automatically logged-in.
  • locked: the new user will be locked, allowing an administrator to review the registration before unlocking the account. The user will be locked with reason AwaitingAdminApproval. The string resource key "account-registration-user-locked-message" is used for the corresponding feedback message.
Attributes
Enum
Optional
Default value
LOGGED_IN
YAML Template (with default values)

type: AccountRegistration
id: AccountRegistration-xxxxxx
displayName: 
comment: 
properties:
  staticRoles:
  statusUponCreation: LOGGED_IN
  userContextDataItems:
  usernameProvider:

AWS Access Key Authentication

Description
AWS access key based authentication. Keys are created and maintained within AWS services.

This plugin provides credentials to allow IAM to access AWS services. If configured, no other credentials are considered, such as AWS cloud environment credentials.

Type name
AwsAccessKeyAuthentication
Class
com.airlock.iam.keymanagementservice.application.configuration.authentication.AwsAccessKeyAuthenticationConfig
May be used by
Properties
Access Key ID (accessKeyId)
Description
The AWS IAM user's access key ID.
Attributes
String
Mandatory
Secret Access Key (secretAccessKey)
Description
The AWS IAM user's secret access key.
Attributes
String
Mandatory
Sensitive
YAML Template (with default values)

type: AwsAccessKeyAuthentication
id: AwsAccessKeyAuthentication-xxxxxx
displayName: 
comment: 
properties:
  accessKeyId:
  secretAccessKey:

AWS Custom Service Access

Description
This plugin allows you to manually configure the AWS region and service endpoint to use.
Type name
AwsCustomServiceAccess
Class
com.airlock.iam.keymanagementservice.application.configuration.access.AwsCustomServiceAccessConfig
May be used by
Properties
Region (region)
Description
Specifies the AWS region to use for the service connection and endpoints. Regions enable you to access AWS services that physically reside in a specific geographic area.

If no explicit AWS region is specified, IAM will attempt to identify the region in the following order:

  1. Java system property aws.region
  2. Environment variable AWS_REGION
  3. Config files at location {user.home}/.aws/credentials and {user.home}/.aws/config
  4. Region delivered through the Amazon EC2 metadata service

IAM requires a region to connect to the AWS service; otherwise the connection fails with an error.
Attributes
String
Optional
Suggested values
eu-central-1, eu-central-2, eu-west-1, eu-west-2, eu-west-3, eu-south-1, eu-south-2, eu-west-2, eu-north-1
Endpoint URL (endpointUrl)
Description

This property defines the endpoint (URL) of the entry point for an AWS web service.

If left empty, the default endpoint for the selected region is used (refer to the official AWS documentation).

If configured, the default endpoint is overwritten with this URL.

Attributes
String
Optional
Example
https://kms.eu-west-2.amazonaws.com
Example
https://kms.us-east-1.amazonaws.com
YAML Template (with default values)

type: AwsCustomServiceAccess
id: AwsCustomServiceAccess-xxxxxx
displayName: 
comment: 
properties:
  endpointUrl:
  region:

AWS Default Authentication

Description
AWS default authentication to allow IAM access to AWS services. If configured, IAM looks for AWS credentials in the following order:
  1. Java system properties aws.accessKeyId and aws.secretAccessKey
  2. Environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
  3. Web Identity Token credentials from system properties or environment variables
  4. Credential profiles file at location {user.home}/.aws/credentials
  5. Credentials delivered through the Amazon EC2 container service
  6. Instance profile credentials delivered through the Amazon EC2 metadata service
Type name
AwsDefaultAuthentication
Class
com.airlock.iam.keymanagementservice.application.configuration.authentication.AwsDefaultAuthenticationConfig
May be used by
Properties
YAML Template (with default values)

type: AwsDefaultAuthentication
id: AwsDefaultAuthentication-xxxxxx
displayName: 
comment: 
properties:

AWS Default Service Access

Description

This plugin handles how IAM can access AWS service endpoints. It automatically selects the AWS region and thus the default endpoint for each service in that region, e.g. AWS Key Management Service (KMS).

Regions enable you to access AWS services that physically reside in a specific geographic area.

Default access selection is useful when IAM is deployed in an AWS cluster where the region is already provided in one of the formats described below.

IAM attempts to identify the AWS region in the following order:

  1. Java system property aws.region
  2. Environment variable AWS_REGION
  3. Config files at location {user.home}/.aws/credentials and {user.home}/.aws/config
  4. Region delivered through the Amazon EC2 metadata service

IAM requires a region to connect to the AWS service; otherwise the connection fails with an error.

Multiple AWS regions for the same service are currently not supported.

Type name
AwsDefaultServiceAccess
Class
com.airlock.iam.keymanagementservice.application.configuration.access.AwsDefaultServiceAccessConfig
May be used by
Properties
YAML Template (with default values)

type: AwsDefaultServiceAccess
id: AwsDefaultServiceAccess-xxxxxx
displayName: 
comment: 
properties:

AWS Key Management Service

Description
Configures account and key details to use with the Amazon Web Services (AWS) Key Management Service (KMS).

AWS KMS provides a web interface to generate and manage cryptographic keys and acts as a cryptographic service provider.

Airlock IAM utilizes AWS KMS to store encrypted data in its database without having access to the cryptographic key material. AWS KMS can also be used for end-to-end encryption.

Type name
AwsKms
Class
com.airlock.iam.keymanagementservice.application.configuration.AwsKmsConfig
May be used by
License-Tags
AWSKMS
Properties
Service Access (serviceAccessSettings)
Description
Specifies how IAM can access AWS services.

If IAM is deployed in an AWS cluster, it is recommended to use "AWS Default Service Access".

If you want to manually configure AWS access (region/service endpoint), use "AWS Custom Service Access" instead.

Attributes
Plugin-Link
Optional
Assignable plugins
Authentication Method (authenticationSettings)
Description
Specifies how IAM authenticates against AWS services.

If IAM is deployed in an AWS cluster, it is recommended to use "AWS Default Authentication".

If you want to manually configure AWS authentication (access key ID and secret), use "AWS Access Key Authentication" instead.

Attributes
Plugin-Link
Optional
Assignable plugins
Symmetric Key ARN (symmetricKeyArn)
Description
The symmetric KMS key. A symmetric key is used to encrypt/decrypt data on the IAM database, e.g. password hashes.

This key is created in AWS and referenced here by its Amazon Resource Name (ARN). Key ARN and alias ARN are supported.

When automatic key rotation is active on AWS KMS, or if you intend to manually rotate keys, you must specify an alias ARN in this property.

Attributes
String
Optional
RSA Asymmetric Key ARN (asymmetricKeyArn)
Description
The asymmetric KMS key. An asymmetric key is only required if end-to-end encryption in the Loginapp is required.

This key is created in AWS and referenced here by its Amazon Resource Name (ARN). Key ARN and alias ARN are supported.

Since the lifetime of the public key is long, it is possible to save one AWS KMS round trip by downloading the public key and configuring it in "RSA Public Key". Make sure "RSA Asymmetric Key ARN" and "RSA Public Key" always point to the same asymmetric key material.

Attributes
String
Optional
RSA Public Key (publicKey)
Description
The RSA public key of the asymmetric KMS key referenced by "RSA Asymmetric Key ARN".

The public key can be downloaded from AWS directly and referenced here. A Base64-encoded key, with or without the "BEGIN PUBLIC KEY"/"END PUBLIC KEY" wrapping lines, is expected. This is an optimization so that the public key is taken from this property instead of being requested from AWS by its "RSA Asymmetric Key ARN" for every operation.

Attributes
String
Optional
Multi-line-text
RSA Algorithm (rsaAlgorithm)
Description
The RSA encryption algorithm to use for end-to-end encryption.

The algorithm must be compatible with the KMS key referenced by "RSA Asymmetric Key ARN".

Attributes
Enum
Optional
Default value
RSAES_OAEP_SHA_256
YAML Template (with default values)

type: AwsKms
id: AwsKms-xxxxxx
displayName: 
comment: 
properties:
  asymmetricKeyArn:
  authenticationSettings:
  publicKey:
  rsaAlgorithm: RSAES_OAEP_SHA_256
  serviceAccessSettings:
  symmetricKeyArn:

AWS KMS Password Decryption

Description
Decryption service accepting passwords encrypted with AWS KMS key material. On AWS KMS two keys are required:
  • Asymmetric key to encrypt the randomly generated key which encrypts a user's password on the client side. Configure this ARN in "RSA Asymmetric Key ARN".
  • Symmetric key to encrypt the password hashes that are stored on Airlock IAM's database. Configure this ARN in "Symmetric Key ARN".
Type name
AwsKmsPasswordDecryption
Class
com.airlock.iam.keymanagementservice.application.configuration.password.AwsKmsPasswordDecryptionConfig
May be used by
License-Tags
AWSKMS
Properties
AWS KMS Settings (awsKmsSettings)
Description
Specifies the AWS account and key material for cryptographic operations.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: AwsKmsPasswordDecryption
id: AwsKmsPasswordDecryption-xxxxxx
displayName: 
comment: 
properties:
  awsKmsSettings:

AWS KMS Password Hash

Description

Password hash for AWS Key Management Service (KMS).

The password is first hashed with the defined hash function and then encrypted by AWS KMS.

This plugin does no encoding on the resulting hash. Therefore it should be used in combination with a 'Password Hash Configuration' or 'History Password Hash'.

If a password history is required, wrap this plugin in a 'History Password Hash'. However, bear in mind that an encrypted hash can be longer than the hash value itself. This affects the number of possible entries of 'Max History Length' in 'History Password Hash'.

Type name
AwsKmsPasswordHash
Class
com.airlock.iam.keymanagementservice.application.configuration.password.hash.AwsKmsPasswordHashConfig
May be used by
License-Tags
AWSKMS
Properties
AWS KMS Settings (awsKmsSettings)
Description
Specifies the AWS account and key material for cryptographic operations.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: AwsKmsPasswordHash
id: AwsKmsPasswordHash-xxxxxx
displayName: 
comment: 
properties:
  awsKmsSettings:
  hashFunction:

Azure Certificate Authentication

Description
Handles authentication to Azure using client certificates with Microsoft Entra ID, providing authenticated access to Azure services.

Refer to the official Azure documentation on how to set up identity management and access control.

Type name
AzureCertificateAuthentication
Class
com.airlock.iam.servicecontainer.app.application.configuration.event.azure.AzureCertificateAuthenticationConfig
May be used by
Properties
Tenant ID (tenantId)
Description
Identifies the Azure Active Directory (Entra ID) tenant that owns and manages the application being used for authentication.

This value is available in the Azure portal, e.g., in the tenant properties.

Attributes
String
Mandatory
Client ID (clientId)
Description
Identifies the registered application or service principal requesting access to Azure resources.

This value is available in the Azure portal, e.g., in the overview of your application registration.

Attributes
String
Mandatory
Keystore (keystore)
Description
Path of the keystore file containing the service principal's certificate and private key. The keystore file must be in PKCS12 format (.pfx-file).

The corresponding public key certificate must be registered for your application in the Azure portal, e.g., in the certificates & secrets page of your application registration.

The path must be absolute or relative to the instance root directory.

Attributes
File/Path
Mandatory
Keystore Password (keystorePassword)
Description
Password for reading the service principal's private key from the keystore file.
Attributes
String
Mandatory
Sensitive
YAML Template (with default values)

type: AzureCertificateAuthentication
id: AzureCertificateAuthentication-xxxxxx
displayName: 
comment: 
properties:
  clientId:
  keystore:
  keystorePassword:
  tenantId:

Azure Client Secret Authentication

Description
Handles authentication to Azure using OAuth client secret with Microsoft Entra ID, providing authenticated access to Azure services.

Refer to the official Azure documentation on how to set up identity management and access control.

Type name
AzureClientSecretAuthentication
Class
com.airlock.iam.servicecontainer.app.application.configuration.event.azure.AzureClientSecretAuthenticationConfig
May be used by
Properties
Tenant ID (tenantId)
Description
Identifies the Azure Active Directory (Entra ID) tenant that owns and manages the application being used for authentication.

This value is available in the Azure portal, e.g., in the tenant properties.

Attributes
String
Mandatory
Client ID (clientId)
Description
Identifies the registered application or service principal requesting access to Azure resources.

This value is available in the Azure portal, e.g., in the overview of your application registration.

Attributes
String
Mandatory
Client Secret (clientSecret)
Description
Client secret associated with the registered application (client ID).

This value is available in the Azure portal, e.g., in the certificates & secrets page of your application registration.

Attributes
String
Mandatory
Sensitive
YAML Template (with default values)

type: AzureClientSecretAuthentication
id: AzureClientSecretAuthentication-xxxxxx
displayName: 
comment: 
properties:
  clientId:
  clientSecret:
  tenantId:

Azure Default Authentication

Description
Automatically handles authentication to Azure and provides authenticated access to Azure services.

The plugin attempts to authenticate using the first available credential in the following order:

  1. Environment-based credentials
  2. Managed Identity (if running in Azure)
  3. Azure CLI credentials

Refer to the official Azure documentation on how to provide credentials.
Type name
AzureDefaultAuthentication
Class
com.airlock.iam.servicecontainer.app.application.configuration.event.azure.AzureDefaultAuthenticationConfig
May be used by
Properties
YAML Template (with default values)

type: AzureDefaultAuthentication
id: AzureDefaultAuthentication-xxxxxx
displayName: 
comment: 
properties:

Azure Message Broker Connector

Description
Sends events to the configured Azure Event Hub.

Setup and configuration of Azure Event Hub and authentication infrastructure must be available, according to the Azure documentation.

Type name
AzureMessageBrokerConnector
Class
com.airlock.iam.servicecontainer.app.application.configuration.event.azure.AzureMessageBrokerConnectorConfig
May be used by
Properties
Event Hub Namespace (eventHubNamespace)
Description
The fully qualified name of the Event Hub namespace. This is likely to be similar to {your-namespace}.servicebus.windows.net.

This value is available in the Azure portal.

Attributes
String
Mandatory
Event Hub Name (eventHubName)
Description
The name of the Event Hub to connect to. The Event Hub must exist in the configured namespace.

This value is available in the Azure portal.

Attributes
String
Mandatory
Authentication (authentication)
Description
Configures how IAM authenticates to Azure services (Microsoft Entra ID).

Depending on the setup and available infrastructure, different methods may be better suited. Refer to the individual plugin documentation for further explanations.

If authentication with Microsoft Entra ID is not possible, consider using a "Connection String" for direct access.

For successful authentication, ensure that the necessary certificates are available when a custom truststore is used with IAM.

For integration or if necessary, additional logging regarding connections to Azure can be enabled in the Log4J configuration. IAM documentation explains custom logging configuration.

Adjust the log levels for "com.azure", "com.azure.core.amqp", "com.microsoft.azure.proton.transport.proxy" or other libraries to your needs.

Attributes
Plugin-Link
Optional
Assignable plugins
Connection String (connectionString)
Description

Alternative service authentication method if general authentication with Microsoft Entra ID is not possible.

An Azure connection string contains all information required for an application to securely authenticate with and connect to an Azure Event Hub. It includes the service endpoint, authentication credentials (Shared Access Key), and an optional entity path (Event Hub name).

A namespace-level connection string grants the specified permissions (manage, read, or write) for all Event Hubs within the namespace.
An Event Hub–level connection string (ends with ;EntityPath=<EventHubName>) grants the specified permissions only for that specific Event Hub.

Connection strings should only be used when authentication with Microsoft Entra ID is not available or for integration.

It is recommended to rotate connection strings regularly.

For successful authentication, ensure that the necessary certificates are available when a custom truststore is used with IAM.

For integration or if necessary, additional logging regarding connections to Azure can be enabled in the Log4J configuration. IAM documentation explains custom logging configuration.

Adjust the log levels for "com.azure", "com.azure.core.amqp" or other libraries to your needs.

Attributes
String
Optional
Sensitive
Example
Endpoint=sb://<NamespaceName>.servicebus.windows.net/;SharedAccessKeyName=<KeyName>;SharedAccessKey=<KeyValue>
Example
Endpoint=sb://<NamespaceName>.servicebus.windows.net/;SharedAccessKeyName=<KeyName>;SharedAccessKey=<KeyValue>;EntityPath=<EventHubName>
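As an added example (not Airlock's own code), the parser below reads the connection string format shown in the two examples above, tells a namespace-level string from an Event Hub-level one, checks it against the configured "Event Hub Namespace" and "Event Hub Name", and produces a log-safe form that never emits the shared access key. The sample values are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed example for the Azure Event Hub connection string format
# "Endpoint=sb://...;SharedAccessKeyName=...;SharedAccessKey=...[;EntityPath=...]".
# Not Airlock's implementation.


@dataclass(frozen=True)
class EventHubConnectionString:
    endpoint: str
    key_name: str
    key: str
    entity_path: Optional[str]  # None => namespace-level string

    @property
    def namespace_host(self) -> str:
        return urlparse(self.endpoint).hostname or ""

    @property
    def is_entity_scoped(self) -> bool:
        return self.entity_path is not None


def parse_connection_string(value: str) -> EventHubConnectionString:
    """Split the ';'-separated key=value segments; the key value may contain '='."""
    fields = {}
    for part in value.strip().strip(";").split(";"):
        if "=" not in part:
            raise ValueError(f"malformed segment: {part!r}")
        k, v = part.split("=", 1)
        fields[k.strip()] = v.strip()
    try:
        return EventHubConnectionString(
            endpoint=fields["Endpoint"],
            key_name=fields["SharedAccessKeyName"],
            key=fields["SharedAccessKey"],
            entity_path=fields.get("EntityPath"),
        )
    except KeyError as missing:
        raise ValueError(f"connection string lacks {missing}") from None


def check_against_config(cs: EventHubConnectionString,
                         event_hub_namespace: str, event_hub_name: str) -> list[str]:
    """Warnings a reviewer would raise before accepting the string into the config."""
    warnings = []
    if not cs.endpoint.startswith("sb://"):
        warnings.append("endpoint scheme is not sb://")
    if cs.namespace_host.lower() != event_hub_namespace.lower():
        warnings.append(f"endpoint host {cs.namespace_host!r} differs from "
                        f"configured namespace {event_hub_namespace!r}")
    if not cs.is_entity_scoped:
        # A namespace-level key covers every Event Hub in the namespace.
        warnings.append("namespace-level key: prefer an Event Hub-level string "
                        "(;EntityPath=<EventHubName>) limited to the configured hub")
    elif cs.entity_path != event_hub_name:
        warnings.append(f"EntityPath {cs.entity_path!r} does not match "
                        f"configured Event Hub {event_hub_name!r}")
    return warnings


def redacted(cs: EventHubConnectionString) -> str:
    """Representation safe for logs: the shared access key is replaced by ***."""
    s = f"Endpoint={cs.endpoint};SharedAccessKeyName={cs.key_name};SharedAccessKey=***"
    return s + (f";EntityPath={cs.entity_path}" if cs.is_entity_scoped else "")
```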
Transport Type (transportType)
Description
Defines the transport type by which all the communication with Azure Event Hub occurs.

AMQP is the default transport type and is recommended for most scenarios. Outbound connections use port 5671.

AMQP over Web Sockets is useful for environments where networking is restrictive or when a proxy configuration must be used. Outbound connections use port 443.

Attributes
Enum
Optional
Default value
AMQP
Proxy Host (proxyHost)
Description
Hostname of an HTTP proxy the connector should use.

If this property is left empty, no proxy will be used.

Attributes
String
Optional
Example
proxy.company.com
Proxy Port (proxyPort)
Description
HTTP port of the proxy the connector should use.
Attributes
Integer
Optional
Proxy Authentication Type (proxyAuthenticationType)
Description
Specifies the type of authentication to use with the proxy.
  • None: The proxy requires no authentication. Configuration of a proxy login user and password is ignored.
  • Basic Authentication: Uses a username and password sent in plaintext (Base64 encoded but not encrypted).
  • Digest Authentication: Uses a username and password with challenge-response hashing for improved security.
Attributes
Enum
Optional
Default value
NONE
Proxy Login User (proxyLoginUser)
Description
Username for the proxy if proxy authentication is used.
Attributes
String
Optional
Proxy Login Password (proxyLoginPassword)
Description
Password for the proxy if proxy authentication is used.
Attributes
String
Optional
Sensitive
Partition Key (partitionKey)
Description

A partition key is used to map event data into specific partitions for data organization.

It enables keeping related events together in the same partition and in the exact order in which they arrived.

The partition key is derived from the application context and identifies the interrelationship of the events.

The partition key is used for all events sent to the event hub by this message broker connector.

Attributes
String
Optional
YAML Template (with default values)

type: AzureMessageBrokerConnector
id: AzureMessageBrokerConnector-xxxxxx
displayName: 
comment: 
properties:
  authentication:
  connectionString:
  eventHubName:
  eventHubNamespace:
  partitionKey:
  proxyAuthenticationType: NONE
  proxyHost:
  proxyLoginPassword:
  proxyLoginUser:
  proxyPort:
  transportType: AMQP

Base64 Password Hash Encoder

Description
Password Hash Plugin that Base64 encodes and decodes raw hash values.
Type name
Base64PasswordHashEncoder
Class
com.airlock.iam.core.misc.util.password.hash.Base64PasswordHashEncoder
May be used by
Properties
YAML Template (with default values)

type: Base64PasswordHashEncoder
id: Base64PasswordHashEncoder-xxxxxx
displayName: 
comment: 
properties:

Base64 String Encoder

Description
Base64-encodes a string.
Type name
Base64StringEncoder
Class
com.airlock.iam.common.application.configuration.encoder.Base64StringEncoderConfig
May be used by
Properties
Encoding Scheme (encodingScheme)
Description
The scheme used for character encoding.
Attributes
String
Optional
Default value
UTF-8
URL-safe Encoding (urlSafeEncoding)
Description
Whether URL-safe encoding should be used ("+" and "/" are replaced by "-" and "_", respectively, and trailing "=" are omitted).
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: Base64StringEncoder
id: Base64StringEncoder-xxxxxx
displayName: 
comment: 
properties:
  encodingScheme: UTF-8
  urlSafeEncoding: false

Basic Auth Credentials

Description
Configures an HTTP Basic Authentication header containing username and password.
Type name
BasicAuthCredentials
Class
com.airlock.iam.core.application.configuration.basicauth.BasicAuthCredentialsConfig
May be used by
Properties
User Name (userName)
Description
The username for HTTP Basic Authentication.
Attributes
String
Mandatory
Password (password)
Description
The password for HTTP Basic Authentication.
Attributes
String
Mandatory
Sensitive
YAML Template (with default values)

type: BasicAuthCredentials
id: BasicAuthCredentials-xxxxxx
displayName: 
comment: 
properties:
  password:
  userName:

Basic Auth Error Mapper

Description

Error Mapper that initiates Basic Authentication when the client does not send credentials or the credentials are not valid.

This plugin is designed to be used with "Basic Auth HTTP Header Extractor".

Type name
BasicAuthErrorMapperFactory
Class
com.airlock.iam.login.app.misc.oneshot.impl.BasicAuthErrorMapperFactory
May be used by
Properties
Realm (realm)
Description
The realm that is sent to the client when basic authentication is initiated.
Attributes
String
Mandatory
Example
My Server
YAML Template (with default values)

type: BasicAuthErrorMapperFactory
id: BasicAuthErrorMapperFactory-xxxxxx
displayName: 
comment: 
properties:
  realm:

Basic Auth HTTP Header Extractor

Description

Extracts username and password from the Basic Auth HTTP header.

Make sure to also configure the "Basic Auth Error Mapper" to respond with a corresponding "WWW-Authenticate" header in case of missing credentials.

Type name
BasicAuthCredentialExtractorFactory
Class
com.airlock.iam.login.app.misc.oneshot.impl.BasicAuthCredentialExtractorFactory
May be used by
Properties
Charset (charset)
Description
Defines the charset of the Basic Auth HTTP header. If you have trouble accepting special characters, try "ISO-8859-1" instead.
Attributes
String
Optional
Default value
UTF-8
Example
UTF-8
Example
ISO-8859-1
Username Transformers (usernameTransformers)
Description
Username transformers may transform the username to log in using different user IDs.
For further details please refer to the documentation of the username transformer plugins.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: BasicAuthCredentialExtractorFactory
id: BasicAuthCredentialExtractorFactory-xxxxxx
displayName: 
comment: 
properties:
  charset: UTF-8
  usernameTransformers:
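The following added example (not Airlock's own code) shows the extractor and the "Basic Auth Error Mapper" working together: the Authorization header is decoded with the configured charset, and anything that is missing or cannot be parsed results in a 401 with the "WWW-Authenticate" challenge carrying the realm. It also demonstrates the charset caveat above, where a password with a non-ASCII character sent as ISO-8859-1 cannot be decoded as UTF-8. Helper names and the sample header are constructed.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Optional, Union

# Constructed example of Basic Auth header extraction plus the 401 challenge.
# Not Airlock's implementation; names are illustrative.


@dataclass(frozen=True)
class Credentials:
    username: str
    password: str


@dataclass(frozen=True)
class Challenge:
    status: int
    headers: dict


def extract_basic_credentials(authorization: Optional[str],
                              charset: str = "UTF-8") -> Optional[Credentials]:
    """Return credentials from 'Authorization: Basic <base64>', or None when the
    header is absent, not Basic, not valid Base64, not decodable in the
    configured charset, or has no ':' separator."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        decoded = raw.decode(charset)  # this is where UTF-8 vs ISO-8859-1 matters
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    # The username cannot contain ':', the password may; split on the first one.
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return Credentials(user, password)


def basic_auth_challenge(realm: str) -> Challenge:
    """Response of the error mapper when credentials are missing or invalid."""
    safe_realm = realm.replace('"', "")  # keep the quoted-string well-formed
    return Challenge(401, {"WWW-Authenticate": f'Basic realm="{safe_realm}"'})


def authenticate(authorization: Optional[str], realm: str,
                 charset: str = "UTF-8") -> Union[Credentials, Challenge]:
    creds = extract_basic_credentials(authorization, charset)
    return creds if creds is not None else basic_auth_challenge(realm)


def make_header(username: str, password: str, charset: str = "UTF-8") -> str:
    """Builds a sample header in a given charset (test helper, constructed)."""
    userpass = f"{username}:{password}".encode(charset)
    return "Basic " + base64.b64encode(userpass).decode("ascii")
```

A UTF-8 header decoded with ISO-8859-1 never fails but silently yields wrong characters, so the charset must match what the client actually sends.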

Basic Auth Request Authentication

Description
Authenticates single requests with HTTP Basic Authentication.
Type name
BasicAuthRequestAuthentication
Class
com.airlock.iam.common.application.configuration.credential.BasicAuthRequestAuthenticationConfig
May be used by
Properties
Password Repository (passwordRepository)
Description
The repository of user passwords.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Policy To Check On Login (policyToCheckOnLogin)
Description
The password policy that is checked when authenticating. Authentication fails if password policies are violated.
Attributes
Plugin-Link
Optional
Assignable plugins
Max Failed Attempts (maxFailedAttempts)
Description
The maximum number of failed authentication attempts before the user is locked.

Effective only if a 'User Store' is configured.

Attributes
Integer
Optional
Default value
5
Charset Name (charsetName)
Description
The character set to use for decoding 'Authorization' headers.
Attributes
String
Optional
Default value
UTF-8
Suggested values
ISO-8859-1, UTF-8
User Store (userStore)
Description
If configured, the user is loaded from local persistence and checked for validity. Authentication fails if the user is not found or is invalid. If no user store is configured, no persistence look-up takes place and the authentication is performed on data contained within the credential only.
Attributes
Plugin-Link
Optional
Assignable plugins
Username Transformation (usernameTransformers)
Description
Transforms the provided username from the credential to a technical user ID.
Attributes
Plugin-List
Optional
Assignable plugins
Static Roles (staticRoles)
Description
Static list of roles granted to the authenticated user.
Attributes
String-List
Optional
Roles Blocklist (rolesBlocklist)
Description
List of role names that won't be granted to the authenticated user. The block list is also applied to persistent roles (if available).
Attributes
String-List
Optional
YAML Template (with default values)

type: BasicAuthRequestAuthentication
id: BasicAuthRequestAuthentication-xxxxxx
displayName: 
comment: 
properties:
  charsetName: UTF-8
  maxFailedAttempts: 5
  passwordRepository:
  policyToCheckOnLogin:
  rolesBlocklist:
  staticRoles:
  userStore:
  usernameTransformers:

Basic Auth Token Introspection

Description
Checks a basic authentication header value against a fixed list of allowed users and passwords.

Note: The basic auth scheme in OAuth 2.0 requests must comply with the specification in RFC 6749.

Type name
BasicAuthTokenIntrospection
Class
com.airlock.iam.login.app.misc.oauth2.introspection.config.BasicAuthTokenIntrospectionConfig
May be used by
License-Tags
OAuthServer
Properties
Charset (charset)
Description
The name of the charset used to decode the basic authentication header.
Attributes
String
Optional
Default value
UTF-8
Suggested values
ISO-8859-1, UTF-8
Allowed Users (allowedUsers)
Description
A list of all allowed username and password combinations.
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: BasicAuthTokenIntrospection
id: BasicAuthTokenIntrospection-xxxxxx
displayName: 
comment: 
properties:
  allowedUsers:
  charset: UTF-8

Basic mTAN Settings

Description
The basic settings for mTAN.
Type name
BasicMtanSettings
Class
com.airlock.iam.common.application.configuration.mtan.BasicMtanSettings
May be used by
Properties
mTAN Handler (mtanHandler)
Description
An mTAN handler retrieves and updates mTAN number tokens.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Originator (originator)
Description

Originator of the SMS messages.

There may be restrictions on the originator imposed by the SMS gateway service and by local law.

The format of the originator must be one of:

  • Numeric characters only, optionally prefixed with a plus sign '+', at most 16 characters
  • Alphanumeric characters, at most 11 characters
Furthermore, the characters that are allowed may depend on your SMS gateway provider.
Attributes
String
Mandatory
Example
Airlock
Default Country Code (defaultCountryCode)
Description
Default country code to be used if a phone number does not contain a country code. It is only used when sending messages to the user.
Attributes
String
Optional
Length <= 3
Length >= 1
Default value
41
Suggested values
41, 39, 49, 423
Use Flash Messages (useFlashMessages)
Description

If enabled, SMS messages are sent as flash SMS by default. A flash message is shown directly on the mobile phone display.

If the per-user setting is set, it takes precedence as long as a value is set for a user. If it is empty or not set, this default value is used.

Note: This has to be supported by the SMS gateway. Some recipients might not be able to receive flash messages.

Attributes
Boolean
Optional
Default value
false
Visible Phone Number Digits (visiblePhoneNumberDigits)
Description

Defines the number of phone number digits visible in log statements and in selection options sent to the user.

If the value is zero, all digits are masked; if it is large enough, all digits are visible. Example: if set to 3, the logged number looks like ********965.

The default is 100, i.e. showing all digits.

Attributes
Integer
Optional
Default value
100
YAML Template (with default values)

type: BasicMtanSettings
id: BasicMtanSettings-xxxxxx
displayName: 
comment: 
properties:
  defaultCountryCode: 41
  mtanHandler:
  originator:
  smsGateway:
  useFlashMessages: false
  visiblePhoneNumberDigits: 100

Basic Secret Question Settings

Description
Configures common settings for secret questions. It is recommended to use the same settings for provisioning, administration and password reset.
Type name
BasicSecretQuestionSettings
Class
com.airlock.iam.common.application.configuration.secretquestion.BasicSecretQuestionSettings
May be used by
Properties
Question Resource Keys (questionResourceKeys)
Description
List of resource keys of the available questions. Each key represents one question. Removing a question (resource key) from this list causes all answers to that question to become invalid.

Ensure that no new question with the same key is introduced later. Any user's answer to the previous question would not match the new question.

Attributes
String-List
Mandatory
Number of Questions (numberOfQuestions)
Description
This property defines the number of questions which have to be provisioned and answered.
Attributes
Integer
Optional
Default value
2
Normalization (normalization)
Description
Normalization is a string transformation applied to answers before they are persisted and before they are verified. Therefore, an answer can be accepted even if it differs slightly from the provisioned answer. Currently, the following options exist:
  • OFF:
    No normalization. Provisioned and challenged answers must match exactly.
  • TRIM:
    Removes whitespace at the beginning and end of the answer string.
  • TRIM_CASEINSENSITIVE:
    Does the same as TRIM and additionally converts all characters to lowercase.
  • TRIM_CASEINSENSITIVE_NOWHITESPACE:
    Does the same as TRIM_CASEINSENSITIVE and additionally removes all whitespace.
  • TRIM_CASEINSENSITIVE_NOWHITESPACE_NOSPECIALCHARS:
    Does the same as TRIM_CASEINSENSITIVE_NOWHITESPACE and additionally removes all non-word characters (all characters except letters, digits and the underscore).
Attributes
Enum
Optional
Default value
TRIM_CASEINSENSITIVE
Token Data Provider (tokenDataProvider)
Description
The provider for token data for persisting the secret answers.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Hash Function Plugin (hashFunctionPlugin)
Description
This hash algorithm is used to hash the answers.

NOTE: Some password hashes, such as SHA 256 Password Hash or Scrypt Password Hash, produce binary output. If one of these is used, make sure the persistence layer supports binary data in the hash field and the corresponding persistence plugins (e.g. Database User Store or Ldap Connector) are configured to treat hash values as binary values.
In case the persistence layer expects a string, encode the password hash by wrapping it with an encoder. To achieve this, use the Password Hash Configuration plugin and specify the hash function (such as Scrypt Password Hash) together with the desired encoder. We recommend using the Base64 Password Hash Encoder.

Attributes
Plugin-Link
Optional
Assignable plugins
Min Length (minLength)
Description
Defines the minimum length of an answer.
Attributes
Integer
Optional
Default value
2
Max Length (maxLength)
Description
Defines the maximum length of an answer.
Attributes
Integer
Optional
Default value
100
Answer Regex Pattern (answerRegexPattern)
Description
Regex pattern to check the given answer (after normalization).
Attributes
RegEx
Optional
Duplicate Answers Forbidden (duplicateAnswersForbidden)
Description
Forbid the same answer for more than one question per user.
Attributes
Boolean
Optional
Default value
true
Check Using Latin1 Encoding (checkUsingLatin1Encoding)
Description

If enabled, answers containing special characters stored by IAM earlier than 6.3 are still accepted. This option does not have to be activated if all answers were set using IAM 6.3 or later or if all answers were set via webservices or REST.

To support legacy answers, those with special characters are additionally checked using their legacy encoding in latin1.

Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: BasicSecretQuestionSettings
id: BasicSecretQuestionSettings-xxxxxx
displayName: 
comment: 
properties:
  answerRegexPattern:
  checkUsingLatin1Encoding: false
  duplicateAnswersForbidden: true
  hashFunctionPlugin:
  maxLength: 100
  minLength: 2
  normalization: TRIM_CASEINSENSITIVE
  numberOfQuestions: 2
  questionResourceKeys:
  tokenDataProvider:
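The normalization options and answer checks of these settings, as an added Python example that is not Airlock IAM code: it implements the five normalization levels, applies minLength, maxLength, answerRegexPattern and duplicateAnswersForbidden to the normalized answer, and persists and verifies answers with a salted SHA-256, which is an assumption standing in for the configured hash function plugin.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Options of the 'normalization' property; each level includes the
# transformations of the level before it.
NORMALIZATIONS = (
    "OFF",
    "TRIM",
    "TRIM_CASEINSENSITIVE",
    "TRIM_CASEINSENSITIVE_NOWHITESPACE",
    "TRIM_CASEINSENSITIVE_NOWHITESPACE_NOSPECIALCHARS",
)


def normalize(answer: str, mode: str) -> str:
    """Apply the configured normalization to an answer. It is used both before
    an answer is persisted and before a challenged answer is verified."""
    if mode not in NORMALIZATIONS:
        raise ValueError(f"unknown normalization: {mode}")
    if mode == "OFF":
        return answer                          # must match exactly
    out = answer.strip()                       # TRIM: leading/trailing whitespace
    if mode != "TRIM":
        out = out.lower()                      # CASEINSENSITIVE
    if "NOWHITESPACE" in mode:
        out = re.sub(r"\s+", "", out)          # NOWHITESPACE: drop all whitespace
    if mode.endswith("NOSPECIALCHARS"):
        out = re.sub(r"\W", "", out)           # keep only letters, digits and '_'
    return out


@dataclass
class SecretQuestionSettings:
    """Mirrors the properties of 'Basic Secret Question Settings'."""
    question_resource_keys: List[str]
    number_of_questions: int = 2
    normalization: str = "TRIM_CASEINSENSITIVE"
    min_length: int = 2
    max_length: int = 100
    answer_regex_pattern: Optional[str] = None
    duplicate_answers_forbidden: bool = True


def check_answers(settings: SecretQuestionSettings, answers: Dict[str, str]) -> List[str]:
    """Validate provisioned answers (question key -> raw answer). Returns the list
    of violations; an empty list means the answers are acceptable. Length, regex
    and duplicate checks are applied to the normalized answer."""
    problems: List[str] = []
    if len(answers) != settings.number_of_questions:
        problems.append(f"expected {settings.number_of_questions} answers, got {len(answers)}")
    seen: Dict[str, str] = {}
    for key, raw in answers.items():
        if key not in settings.question_resource_keys:
            problems.append(f"unknown question key: {key}")
            continue
        norm = normalize(raw, settings.normalization)
        if not settings.min_length <= len(norm) <= settings.max_length:
            problems.append(f"{key}: normalized length {len(norm)} outside "
                            f"[{settings.min_length}, {settings.max_length}]")
        if settings.answer_regex_pattern and not re.fullmatch(settings.answer_regex_pattern, norm):
            problems.append(f"{key}: answer does not match answerRegexPattern")
        if settings.duplicate_answers_forbidden and norm in seen:
            problems.append(f"{key}: same answer as {seen[norm]}")
        seen.setdefault(norm, key)
    return problems


def _digest(salt: bytes, normalized: str) -> bytes:
    # Assumption for this example: salted SHA-256 stands in for the hash
    # function configured via 'hashFunctionPlugin'.
    return hashlib.sha256(salt + normalized.encode("utf-8")).digest()


def provision(settings: SecretQuestionSettings, answers: Dict[str, str]) -> Dict[str, str]:
    """Store answers as 'salt-hex$digest-hex' records keyed by question."""
    problems = check_answers(settings, answers)
    if problems:
        raise ValueError("; ".join(problems))
    records: Dict[str, str] = {}
    for key, raw in answers.items():
        salt = secrets.token_bytes(16)
        digest = _digest(salt, normalize(raw, settings.normalization))
        records[key] = f"{salt.hex()}${digest.hex()}"
    return records


def verify(settings: SecretQuestionSettings, records: Dict[str, str], key: str, answer: str) -> bool:
    """Check a challenged answer against its stored record."""
    record = records.get(key)
    if record is None:
        return False                           # question no longer provisioned -> invalid
    salt_hex, digest_hex = record.split("$", 1)
    expected = bytes.fromhex(digest_hex)
    actual = _digest(bytes.fromhex(salt_hex), normalize(answer, settings.normalization))
    return hmac.compare_digest(expected, actual)
```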

Bcrypt Password Hash

Description
Password hash plugin that uses bcrypt for hashing. Bcrypt only uses the first 72 bytes of the password in UTF-8 encoding. Therefore, consider using a policy to enforce a maximum password length restriction. See https://www.openbsd.org/papers/bcrypt-paper.pdf for more details.

Returns $[version]$[cost]$[22 character salt][31 character hash] as a bcrypt string.

Security note: The bcrypt algorithm is no longer recommended for password hashing. Use "Argon2id Password Hash" instead.

Type name
BcryptPasswordHash
Class
com.airlock.iam.core.misc.util.password.hash.BcryptPasswordHash
May be used by
Properties
Cost (Iterations Exponent) (cost)
Description
The exponent used to compute the number of iterations, also known as cost. The actual number of iterations is 2 to the power of the value defined here.

The value must be greater than or equal to 4 and less than or equal to 31. The number of iterations is stored together with the bcrypt string. Therefore, this value can be increased or decreased without losing backward compatibility.

Attributes
Integer
Optional
Default value
12
Version (version)
Description
The version used to generate the password hashes. The implementations of these versions do not differ from one another; therefore, you can choose which one is used for generating password hashes.
  • $2$: version prefix in the original specification.
  • $2a$: version prefix in the revised specification defining encoding and null-terminator explicitly.
  • $2y$, $2b$: version prefixes stating explicitly that the implementation is not affected by certain known bugs.

This has no effect when checking passwords as this implementation does not suffer from the known bugs and supports all versions. Therefore, this value can be changed without losing backward compatibility.

Attributes
String
Optional
Default value
2a
Allowed values
2, 2a, 2b, 2y
YAML Template (with default values)

type: BcryptPasswordHash
id: BcryptPasswordHash-xxxxxx
displayName: 
comment: 
properties:
  cost: 12
  version: 2a
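An added Python example, not Airlock IAM code, that parses the bcrypt string format and cost range documented above, flags stored hashes whose cost is below the currently configured value (possible because the cost is stored in the string), and checks the 72-byte UTF-8 limit; SAMPLE_BCRYPT is a constructed, syntactically valid value, not a real hash.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Stored format: $[version]$[cost]$[22 character salt][31 character hash]
_B64 = r"[./A-Za-z0-9]"            # bcrypt's own base64 alphabet
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[aby]?)\$(?P<cost>\d{2})\$"       # versions 2, 2a, 2b, 2y
    r"(?P<salt>" + _B64 + r"{22})(?P<hash>" + _B64 + r"{31})$"
)
MIN_COST, MAX_COST = 4, 31
MAX_PASSWORD_BYTES = 72            # bcrypt only uses the first 72 bytes (UTF-8)

# Constructed, syntactically valid sample string for illustration; not a real hash.
SAMPLE_BCRYPT = "$2a$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"


@dataclass(frozen=True)
class BcryptString:
    version: str
    cost: int
    salt: str
    hash: str


def iterations(cost: int) -> int:
    """The cost is an exponent: the number of iterations is 2 to the power of cost."""
    return 2 ** cost


def parse_bcrypt_string(value: str) -> BcryptString:
    """Split a stored bcrypt string into its fields, rejecting malformed values."""
    m = BCRYPT_RE.match(value)
    if not m:
        raise ValueError("not a bcrypt string")
    cost = int(m.group("cost"))
    if not MIN_COST <= cost <= MAX_COST:
        raise ValueError(f"cost {cost} outside [{MIN_COST}, {MAX_COST}]")
    return BcryptString(m.group("version"), cost, m.group("salt"), m.group("hash"))


def needs_rehash(stored: str, configured_cost: int) -> bool:
    """True if the stored string was produced with a lower cost than is configured
    now. Because the cost is stored in the string, old hashes still verify; this
    identifies the ones to re-hash at the next successful login. A different
    version prefix alone does not require a re-hash."""
    return parse_bcrypt_string(stored).cost < configured_cost


def exceeds_bcrypt_limit(password: str) -> bool:
    """Passwords longer than 72 UTF-8 bytes are silently truncated by bcrypt; a
    maximum-length password policy should reject them instead."""
    return len(password.encode("utf-8")) > MAX_PASSWORD_BYTES


def audit_hashes(stored: List[str], configured_cost: int) -> Dict[str, int]:
    """Count stored strings that are fine, need a cost upgrade, or are malformed."""
    report = {"ok": 0, "rehash": 0, "malformed": 0}
    for value in stored:
        try:
            report["rehash" if needs_rehash(value, configured_cost) else "ok"] += 1
        except ValueError:
            report["malformed"] += 1
    return report
```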

Bearer Token HTTP Header Extractor (as Token Credential)

Description

Extracts a bearer token from the "Authorization" HTTP header and provides it as "Token Credential" to the authenticator.

This extractor is suitable for authenticators that are able to process token credentials, such as the "Token Authenticator" or the "OAuth 2.0 Access Token Authenticator".

Type name
BearerTokenHttpHeaderExtractor
Class
com.airlock.iam.login.app.misc.oneshot.impl.BearerTokenHttpHeaderExtractorConfig
May be used by
Properties
YAML Template (with default values)

type: BearerTokenHttpHeaderExtractor
id: BearerTokenHttpHeaderExtractor-xxxxxx
displayName: 
comment: 
properties:

Body And HTTP Status On Behalf Login Step Validator

Description
Validates the HTTP response of a login step. Based on the HTTP status of the response, different validators can be configured. If the response contains an unmapped response code, a default validator will be used to validate the response.
Type name
BodyAndHttpStatusOnBehalfLoginStepValidator
Class
com.airlock.iam.core.misc.impl.sso.onbehalflogin.BodyAndHttpStatusOnBehalfLoginStepValidator
May be used by
Properties
HTTP Status Validators (httpStatusValidators)
Description

Provides a means to use different validators depending on the HTTP status code of the response.

The map defines pairs of status codes (key) and validators (value). If the HTTP status code of the response matches one of the configured mappings, the corresponding validator is executed. The key has to be a valid number.

If the response contains a status code that is not defined here, the "Default Body Status On Behalf Login Step Validator" is used for the validation.

Attributes
Plugin-Map
Mandatory
Assignable plugins
Default Validator (defaultValidator)
Description
Default validator that gets selected if the received HTTP status code does not have a corresponding entry within the "HTTP Status Validators".
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: BodyAndHttpStatusOnBehalfLoginStepValidator
id: BodyAndHttpStatusOnBehalfLoginStepValidator-xxxxxx
displayName: 
comment: 
properties:
  defaultValidator:
  httpStatusValidators:

Body Status On Behalf Login Step Validator

Description
Validates the HTTP response of a login step. If one of the patterns defined in "successCases" is found in the response and none of the other patterns ("accessDeniedCases" or "technicalErrorCases") are found, the validation is successful. More precisely, the following validation checks are performed in this order:
  1. The technical error patterns are validated. In case one of the technical error patterns matches, the validation fails.
  2. The access denied patterns are matched. In case one of the access denied patterns matches, the validation fails with an access denied error.
  3. In case one of the success patterns matches, the validation is successful. In case none of the success patterns match, the validation fails with a technical error.
Type name
BodyStatusOnBehalfLoginStepValidator
Class
com.airlock.iam.core.misc.impl.sso.onbehalflogin.BodyStatusOnBehalfLoginStepValidator
May be used by
Properties
Success Cases (successCases)
Description
After the technical error and access denied validation is finished, one of the success patterns must match for the validation to be successful.
Attributes
RegEx-List
Mandatory
Access Denied Cases (accessDeniedCases)
Description
None of the access denied patterns may match the response; otherwise the validation fails with an access denied error.
Attributes
RegEx-List
Optional
Technical Error Cases (technicalErrorCases)
Description
The technical error patterns are validated first. None of them may match the response; otherwise the validation fails with a technical error.
Attributes
RegEx-List
Optional
YAML Template (with default values)

type: BodyStatusOnBehalfLoginStepValidator
id: BodyStatusOnBehalfLoginStepValidator-xxxxxx
displayName: 
comment: 
properties:
  accessDeniedCases:
  successCases:
  technicalErrorCases:
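The two on-behalf login validators described above (status-code dispatch with a default validator, and the ordered technical error, access denied and success pattern checks), as an added Python example that is not Airlock IAM code; the patterns and response bodies in build_sample_validator are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Outcome(Enum):
    SUCCESS = "success"
    ACCESS_DENIED = "access_denied"
    TECHNICAL_ERROR = "technical_error"


@dataclass
class BodyStatusValidator:
    """Counterpart of 'Body Status On Behalf Login Step Validator': three RegEx
    lists, checked against the response body in the documented order."""
    success_cases: List[str]
    access_denied_cases: List[str] = field(default_factory=list)
    technical_error_cases: List[str] = field(default_factory=list)

    @staticmethod
    def _any_match(patterns: List[str], body: str) -> bool:
        # A pattern "is found in the response" if it matches anywhere in the body.
        return any(re.search(p, body, re.MULTILINE) for p in patterns)

    def validate(self, body: str) -> Outcome:
        # 1. Technical error patterns: any match fails with a technical error.
        if self._any_match(self.technical_error_cases, body):
            return Outcome.TECHNICAL_ERROR
        # 2. Access denied patterns: any match fails with access denied.
        if self._any_match(self.access_denied_cases, body):
            return Outcome.ACCESS_DENIED
        # 3. One success pattern must match; none matching is a technical error.
        if self._any_match(self.success_cases, body):
            return Outcome.SUCCESS
        return Outcome.TECHNICAL_ERROR


@dataclass
class BodyAndHttpStatusValidator:
    """Counterpart of 'Body And HTTP Status On Behalf Login Step Validator':
    selects the body validator by HTTP status code, else the default validator."""
    http_status_validators: Dict[str, BodyStatusValidator]
    default_validator: BodyStatusValidator

    def __post_init__(self) -> None:
        # Map keys come from the configuration as strings and must be valid numbers.
        parsed: Dict[int, BodyStatusValidator] = {}
        for key, validator in self.http_status_validators.items():
            if not str(key).strip().isdigit():
                raise ValueError(f"HTTP status key is not a number: {key!r}")
            parsed[int(key)] = validator
        self._by_status = parsed

    def validate(self, status: int, body: str) -> Outcome:
        validator = self._by_status.get(status, self.default_validator)
        return validator.validate(body)


def build_sample_validator() -> BodyAndHttpStatusValidator:
    """Constructed sample configuration (not from the reference): a backend whose
    login endpoint answers 200 with a JSON body and 401/403 on bad credentials."""
    ok = BodyStatusValidator(
        success_cases=[r'"status"\s*:\s*"authenticated"', r"Welcome, \w+"],
        access_denied_cases=[r"Invalid credentials", r'"error"\s*:\s*"invalid_grant"'],
        technical_error_cases=[r"<title>50\d", r"Service Unavailable"],
    )
    denied = BodyStatusValidator(success_cases=[], access_denied_cases=[r".*"])
    default = BodyStatusValidator(success_cases=[], technical_error_cases=[r".*"])
    return BodyAndHttpStatusValidator(
        http_status_validators={"200": ok, "401": denied, "403": denied},
        default_validator=default,
    )
```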

Boolean Condition

Description
This condition is fulfilled if the configured boolean value provider provides the value true.
Type name
BooleanCondition
Class
com.airlock.iam.flow.shared.application.configuration.condition.BooleanConditionConfig
May be used by
User Identification By Data Step User Identification By Data Step OAuth 2.0 Consent Grant Initiation Step OAuth 2.0 Consent Grant Initiation Step FIDO Registration Step FIDO Registration Step Set Context Data Step Set Context Data Step Legacy ID Propagation Adapter Airlock 2FA Activation Trusted Session Binding Step Airlock 2FA Activation Trusted Session Binding Step Selection Step for Self-Service Selection Step for Self-Service Cronto Device Reset Step Cronto Device Reset Step Default Enable Cronto Device Flow Default Enable Cronto Device Flow Airlock 2FA Authentication Step Airlock 2FA Authentication Step OAuth 2.0 Client Persisting Step OAuth 2.0 Client Persisting Step Send Email Link Step Send Email Link Step Phone Number Verification Step Phone Number Verification Step Set Authentication Method Step Set Authentication Method Step Email OTP Authentication Step Email OTP Authentication Step FIDO Transaction Approval Step FIDO Transaction Approval Step HTTP Basic Authentication Step HTTP Basic Authentication Step Delete OAuth 2.0 Session Initiation Step Delete OAuth 2.0 Session Initiation Step Secret Questions Identity Verification Step Secret Questions Identity Verification Step Custom Protected Self-Service Flow Custom Protected Self-Service Flow SSI Passwordless Authentication Step SSI Passwordless Authentication Step User Data Registration Step User Data Registration Step Failure Step Failure Step Select mTAN Token Step Select mTAN Token Step SAML 2.0 SP User Identifying Step SAML 2.0 SP User Identifying Step Account Link Removal Initiation Step Account Link Removal Initiation Step No Operation Step No Operation Step Cronto Transaction Approval Step Cronto Transaction Approval Step Cronto Device List Cronto Device List OAuth 2.0 Client Registration Step OAuth 2.0 Client Registration Step Password Change Self-Service Step Password Change Self-Service Step Airlock 2FA Device Deletion Initiation Step Airlock 2FA Device Deletion Initiation Step Apply Changes 
Step Apply Changes Step Selection Option For Public Self-Service Airlock 2FA Activation Step (with additional Activation) Airlock 2FA Activation Step (with additional Activation) Legacy mTAN Registration Flow Legacy mTAN Registration Flow Enable Cronto Push Initiation Step Enable Cronto Push Initiation Step Start User Representation Step Start User Representation Step Selection Option For User Self-Registration OAuth 2.0 Session List OAuth 2.0 Session List Representation SSO Ticket Identifying Step Representation SSO Ticket Identifying Step User Role Assignment Step User Role Assignment Step Default Cronto Device Removal Flow Email Verification Step Email Verification Step OATH OTP Activation Step OATH OTP Activation Step Airlock 2FA Mobile Only Authentication Step Airlock 2FA Mobile Only Authentication Step Target Applications and Authentication Airlock 2FA Public Self-Service Approval Step Airlock 2FA Public Self-Service Approval Step Default OAuth 2.0 Consent Grant Flow Default OAuth 2.0 Consent Grant Flow FIDO Credential Selection Step FIDO Credential Selection Step Matrix Self-Service Approval Step Matrix Self-Service Approval Step User Data Edit Step User Data Edit Step Set Password Step Set Password Step Cronto Letter Order Step Cronto Letter Order Step Username Password Authentication Step Username Password Authentication Step Default Cronto Device Renaming Flow Default Cronto Device Renaming Flow OIDC Flow Condition To ACR Value Mapping Default FIDO Credential Display Name Change Flow Default FIDO Credential Display Name Change Flow Selection Step Selection Step Default mTAN Deletion Flow Cronto Activation Step Cronto Activation Step Remember-Me Device List Remember-Me Device List User Identification By Data Step (Public Self-Service) User Identification By Data Step (Public Self-Service) Vasco OTP Authentication Step Vasco OTP Authentication Step User Lock Step User Lock Step Logical NOT Certificate Credential Extraction Step Certificate Credential 
Extraction Step Stop User Representation Step Stop User Representation Step OAuth 2.0 Consents Delete Initiation Step OAuth 2.0 Consents Delete Initiation Step Default FIDO Credential Removal Flow mTAN Token Edit Step mTAN Token Edit Step CrontoSign Swiss Push Activation Step CrontoSign Swiss Push Activation Step Airlock 2FA Transaction Approval Step Airlock 2FA Transaction Approval Step Missing Account Link Step User Identification Step User Identification Step Rename Cronto Device Step Rename Cronto Device Step User Identification with FIDO Authentication Step User Identification with FIDO Authentication Step Airlock 2FA Recovery Trusted Session Binding Step Airlock 2FA Recovery Trusted Session Binding Step Default Account Link Linking Flow Default Account Link Linking Flow User Persisting Step User Persisting Step Secret Questions Provisioning Step Secret Questions Provisioning Step Selection Option For Self-Service Kerberos Authentication Step Kerberos Authentication Step Complete Migration Step Complete Migration Step Never Migrate Step Never Migrate Step Application Portal Target Migration Selection Step Migration Selection Step Migration Selection Step Account Link Linking Initiation Step Account Link Linking Initiation Step Username Generation Step Username Generation Step Airlock 2FA Device List Airlock 2FA Device List Email Notification Step Email Notification Step Airlock 2FA Activation Letter Order Step Airlock 2FA Activation Letter Order Step SMS Identity Verification Step SMS Identity Verification Step Matrix Public Self-Service Approval Step Matrix Public Self-Service Approval Step Default Enable FIDO Credential Flow Default Enable FIDO Credential Flow Airlock 2FA Device Edit Initiation Step Airlock 2FA Device Edit Initiation Step Enable Cronto Device Initiation Step Enable Cronto Device Initiation Step Matrix Checking Step Matrix Checking Step Red Flag Raising Step Red Flag Raising Step Red Flag Raising Step Scriptable Step Scriptable Step Login 
From New Device Step Login From New Device Step Default Disable Cronto Push Flow Default Disable Cronto Push Flow FIDO Credential List FIDO Credential List Password Letter Order Step Password Letter Order Step Device Token Authentication Step Device Token Authentication Step Unlock User Step (Public Self-Service) Unlock User Step (Public Self-Service) Condition-based Role Provider Set Authentication Method Migration Step Set Authentication Method Migration Step SSI Issuance Step SSI Issuance Step Default mTAN Token Registration Flow Default Remember-Me Device Deletion Flow Default Remember-Me Device Deletion Flow FIDO Passwordless Authentication Step FIDO Passwordless Authentication Step Remember-Me User Identifying Step Remember-Me User Identifying Step Password Reset Step Password Reset Step Selection Option FIDO Authentication Step FIDO Authentication Step On Behalf Login Identity Propagation Terms Of Services Step Terms Of Services Step Email Change Verification Step Email Change Verification Step Vasco OTP Self-Service Approval Step Vasco OTP Self-Service Approval Step Airlock 2FA Delete Devices Step Airlock 2FA Delete Devices Step Password-only Authentication Step Password-only Authentication Step SSI Self-Registration Issuance Step SSI Self-Registration Issuance Step Username Password with FIDO Authentication Step Username Password with FIDO Authentication Step User Identification Step (Public Self-Service) User Identification Step (Public Self-Service) SSI Verification Step SSI Verification Step mTAN Self-Service Approval Step mTAN Self-Service Approval Step Legacy Email OTP Authentication Step Legacy Email OTP Authentication Step Cronto Device Selection Step Cronto Device Selection Step OAuth 2.0 Consent List OAuth 2.0 Consent List Abort Step Abort Step mTAN Token Registration Step mTAN Token Registration Step Email OTP Transaction Approval Step Email OTP Transaction Approval Step Default Disable FIDO Credential Flow Default Disable FIDO Credential Flow 
Default mTAN Token Edit Flow Default mTAN Token Edit Flow Disable FIDO Credential Initiation Step Disable FIDO Credential Initiation Step Enable FIDO Credential Initiation Step Enable FIDO Credential Initiation Step OAuth 2.0 SSO Step OAuth 2.0 SSO Step Remember-Me Reset Step Remember-Me Reset Step Cronto Authentication Step Cronto Authentication Step Delete Remember-Me Device Initiation Step Delete Remember-Me Device Initiation Step Selection Step for User Self-Registration Selection Step for User Self-Registration Vasco OTP Device Activation Vasco OTP Device Activation Airlock 2FA Usernameless Authentication Step Airlock 2FA Usernameless Authentication Step Email Identity Verification Step Email Identity Verification Step Default OAuth 2.0 Consent Deny Flow Default OAuth 2.0 Consent Deny Flow OATH OTP Authentication Step OATH OTP Authentication Step Password Repository Mapping Target URI ID Propagator Vasco OTP Public Self-Service Approval Step Vasco OTP Public Self-Service Approval Step OTP Check via RADIUS Step OTP Check via RADIUS Step Disable Cronto Push Initiation Step Disable Cronto Push Initiation Step Cronto Public Self-Service Approval Step Cronto Public Self-Service Approval Step OAuth 2.0 Session Reset Step OAuth 2.0 Session Reset Step OAuth 2.0 Consent Deny Initiation Step OAuth 2.0 Consent Deny Initiation Step Flow Condition-based OAuth 2.0 Scope Condition Flow Condition To Authentication Context Mapping mTAN Verification Step mTAN Verification Step Delete mTAN Number Initiation Step Delete mTAN Number Initiation Step Default OAuth 2.0 Consents Delete Flow Default OAuth 2.0 Consents Delete Flow Generic ID Propagator mTAN Public Self-Service Approval Step mTAN Public Self-Service Approval Step OAuth 2.0 Consent Step Transaction Approval Parameter Step Transaction Approval Parameter Step Role-based Tag Acquisition Step Role-based Tag Acquisition Step Flow Continuation Step Flow Continuation Step Remember-Me Token Generating Step Remember-Me Token 
Generating Step Device Token Registration Step Device Token Registration Step Cronto Self-Service Approval Step Cronto Self-Service Approval Step SSI Authentication Step SSI Authentication Step Acknowledge Message Step Acknowledge Message Step Default Enable Cronto Push Flow Default Enable Cronto Push Flow Cronto Approval Stealth Step Cronto Approval Stealth Step Airlock 2FA Device Edit Step Airlock 2FA Device Edit Step Airlock 2FA Self-Service Approval Step Airlock 2FA Self-Service Approval Step Flow Continuation Token Consumption Step Flow Continuation Token Consumption Step Device Token Identity Verification Step Device Token Identity Verification Step mTAN Transaction Approval Step mTAN Transaction Approval Step Device Token List Device Token List Account Linking Lists Self Services Account Linking Lists Self Services Risk Assessment Step Risk Assessment Step Default Account Link Removal Flow Default Account Link Removal Flow mTAN Number List mTAN Number List mTAN Authentication Step mTAN Authentication Step Advanced Migration Selection Option SSO Ticket Authentication Step SSO Ticket Authentication Step Tag Removal Step Tag Removal Step Voluntary Password Change Step Voluntary Password Change Step Airlock 2FA Activation Step Airlock 2FA Activation Step FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Mandatory Password Change Step User Unlock Step (Self-Registration) User Unlock Step (Self-Registration) Selection Step for Public Self-Service Selection Step for Public Self-Service Delete FIDO Credential Initiation Step Delete FIDO Credential Initiation Step Delete Cronto Device Initiation Step Delete Cronto Device Initiation Step Conditional Value Map Provider Logical AND FIDO Public Self-Service Approval Step FIDO Public Self-Service Approval Step Public Self-Service OATH OTP Approval Step Public Self-Service OATH OTP Approval Step Disable Cronto Device Initiation Step Disable Cronto Device Initiation Step Default OAuth 2.0 
Session Deletion Flow Default OAuth 2.0 Session Deletion Flow FIDO Self-Service Approval Step FIDO Self-Service Approval Step Default Disable Cronto Device Flow Default Disable Cronto Device Flow Logical OR
Properties
Value Provider (valueProvider)
Description
Boolean value provider whose provided value will be used to determine whether the condition is fulfilled.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Is Fulfilled If Value Is Null (isFulfilledIfValueIsNull)
Description
If checked, the condition is fulfilled if the provided value is null. If unchecked, the condition is unfulfilled in that situation.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: BooleanCondition
id: BooleanCondition-xxxxxx
displayName: 
comment: 
properties:
  isFulfilledIfValueIsNull: false
  valueProvider:

Boolean Context Data

Description
Non-interactive user context data item that stores a boolean value.
Type name
BooleanNonInteractiveUserDataItemDefinition
Class
com.airlock.iam.flow.shared.application.configuration.step.user.data.BooleanNonInteractiveUserDataItemDefinitionConfig
May be used by
Properties
Context Data Item Name Config (contextDataItemNameConfig)
Description
The name of the context data where the value will be stored.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Value Provider Config (valueProviderConfig)
Description
Provides the value for the context data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: BooleanNonInteractiveUserDataItemDefinition
id: BooleanNonInteractiveUserDataItemDefinition-xxxxxx
displayName: 
comment: 
properties:
  contextDataItemNameConfig:
  valueProviderConfig:

Boolean Context Data Item

Description
Context Data item of type Boolean.

The database column must either be of an integer type (e.g. TINYINT, INTEGER containing either 0 or 1) or of a string type (e.g. VARCHAR, CHAR containing either "0" or "1") and the values of this context data item are guaranteed to be of type java.lang.Boolean. If the persistency has a NULL value or its value does not match the values above, FALSE is assumed.

Type name
BooleanContextDataItem
Class
com.airlock.iam.core.application.configuration.contextdata.BooleanContextDataItemConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
Defines the reusable context data item representing the name and type of a value in the context data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Database Column Name (databaseColumnName)
Description
The name of the database column to load into the context data in case it differs from the Context Data Name.
Attributes
String
Optional
Example
locked
Example
valid
Example
self_registered
Readonly On Update (readonlyOnUpdate)
Description
If enabled, this context data field is treated as read-only during updates of the user data. However, the field is still persisted when inserting the user.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: BooleanContextDataItem
id: BooleanContextDataItem-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  databaseColumnName:
  readonlyOnUpdate: false

Boolean Context Data Item Name

Description
Context Data item of type Boolean.
Type name
BooleanContextDataItemName
Class
com.airlock.iam.core.application.configuration.contextdata.BooleanContextDataItemNameConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
The name of the context data field under which the boolean value is stored.
Attributes
String
Mandatory
Example
locked
Example
valid
Example
self_registered
YAML Template (with default values)

type: BooleanContextDataItemName
id: BooleanContextDataItemName-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:

Boolean Context Data Value Provider

Description

Provides the boolean value contained in the specified context data item of the user.

Make sure the configured context data item is also configured on the user persister.

Type name
ContextDataBooleanValueProvider
Class
com.airlock.iam.common.application.configuration.valueprovider.contextdata.ContextDataBooleanValueProviderConfig
May be used by
Properties
Context Data Field (contextDataField)
Description
Context data field whose value will be returned.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Mandatory (mandatory)
Description

If enabled, the value provided by this context data item is not allowed to be null.

If this option is enabled and the context data item is null (e.g. if the configured context data is not configured on the user persister), an exception will be thrown at runtime.

Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: ContextDataBooleanValueProvider
id: ContextDataBooleanValueProvider-xxxxxx
displayName: 
comment: 
properties:
  contextDataField:
  mandatory: false

Boolean Data Transformer

Description
Parses the strings '0', '1', 'false', 'true' (ignoring case) and converts them to regular context data boolean objects. Any other string value will be transformed to 'false'.

Values which have been transformed by this transformer are guaranteed to be of type java.lang.Boolean.

Type name
BooleanDataTransformer
Class
com.airlock.iam.core.misc.util.datatransformer.BooleanDataTransformer
May be used by
Properties
Properties (properties)
Description
Selects the properties to apply the replacement to.
Use the asterisk character ("*") to replace all properties.
Attributes
String-List
Mandatory
YAML Template (with default values)

type: BooleanDataTransformer
id: BooleanDataTransformer-xxxxxx
displayName: 
comment: 
properties:
  properties:

Boolean From Map Value Provider

Description
Defines a boolean value to be provided from a Value Map Provider and a key. If the key is not present, then depending on the configured settings, an empty value (null) or 'false' is returned.

If the provided value is a string, the provider will attempt to convert it to a boolean. Only true/false is recognized.

If the value is an incompatible type, or the string cannot be converted, an error is thrown.
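
The two parsing rules above differ in how they treat values they do not recognize, and the difference matters for deny-type flags such as a "locked" field: the transformer silently maps anything unexpected to false, the map provider raises an error. The following added example (illustrative Python, not Airlock IAM code) models both rules side by side and runs them over constructed sample records; the exact-case matching of 'true'/'false' in the strict rule, the handling of non-string values and the treatment of an absent property are assumptions of the model.

```python
"""Model of the two boolean-parsing rules described for the Boolean Data Transformer and
the Boolean From Map Value Provider. Illustrative code added for this reference, not
Airlock IAM's implementation."""
from typing import Any, Dict, Optional, Tuple


def transform_boolean(value: Any) -> bool:
    """Boolean Data Transformer rule: '0', '1', 'false', 'true' in any case become a bool;
    any other string becomes False. Values that already are bool pass through.
    Treating any other type as False is an assumption of this model."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.lower() in ("1", "true")
    return False


def provide_from_map(values: Dict[str, Any], key: str,
                     provide_false_if_empty: bool = False) -> Optional[bool]:
    """Boolean From Map Value Provider rule: case-sensitive key; a missing key yields None,
    or False when provideFalseIfEmpty is set; only the strings 'true'/'false' (exact match,
    an assumption of this model) are converted; anything else is an error."""
    if key not in values:
        return False if provide_false_if_empty else None
    value = values[key]
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        if value == "true":
            return True
        if value == "false":
            return False
        raise ValueError(f"cannot convert {value!r} to a boolean")
    raise TypeError(f"incompatible type for key {key!r}: {type(value).__name__}")


# Constructed sample records; 'Y' stands for a legacy flag value a migrated store might hold.
SAMPLE_RECORDS = [
    {"user": "alice", "locked": "true"},
    {"user": "bob", "locked": "1"},
    {"user": "carol", "locked": "Y"},
    {"user": "dave"},
]


def lock_status_by_rule(records) -> Dict[str, Tuple[bool, Any]]:
    """For each record: (lenient transformer result, strict provider result or 'error').
    An absent property is treated as 'false' by the lenient rule (assumption)."""
    out = {}
    for record in records:
        lenient = transform_boolean(record.get("locked", "false"))
        try:
            strict = provide_from_map(record, "locked")
        except (ValueError, TypeError):
            strict = "error"
        out[record["user"]] = (lenient, strict)
    return out


if __name__ == "__main__":
    for user, (lenient, strict) in lock_status_by_rule(SAMPLE_RECORDS).items():
        print(f"{user:6} lenient={lenient!s:5} strict={strict}")
    # carol's 'Y' silently becomes False under the lenient rule, i.e. the account is treated
    # as not locked; the strict rule surfaces the bad value as an error instead.
```

Run as a script it prints one line per record. The point to take away: before applying the Boolean Data Transformer to a field that gates access, make sure the stored values really are limited to '0', '1', 'true' and 'false', since any other spelling is coerced to false without a warning.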

Type name
BooleanFromMapValueProvider
Class
com.airlock.iam.flow.shared.application.configuration.valueprovider.BooleanFromMapValueProviderConfig
May be used by
Properties
Key (key)
Description
Case-sensitive key to select the boolean in the value map.
Attributes
String
Mandatory
Example
secret_questions_enabled
Example
tos_accepted
Provide false for missing entry (provideFalseIfEmpty)
Description
If set, the provider will return boolean 'false' instead of an empty value (null) if the key is not present in the value map.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: BooleanFromMapValueProvider
id: BooleanFromMapValueProvider-xxxxxx
displayName: 
comment: 
properties:
  key:
  provideFalseIfEmpty: false
  valueMaps:

Boolean Input Token Controller Element

Description
Renders a checkbox for a boolean property.
Type name
BooleanInputTokenControllerUiElement
Class
com.airlock.iam.admin.application.configuration.generic.ui.BooleanInputTokenControllerUiElementConfig
May be used by
Properties
Label (label)
Description
Label for the field. The UI treats it as a key to translate. If there is no translation, the label is shown in the UI as is.
Attributes
String
Mandatory
Example
user.generic-token.device-token.enabled
Property (property)
Description
The property to use as value for this field.

The referenced property must be available in the attributes value of the generic token REST call response. If the property is nested, e.g. inside the contextData key, it can be referenced with dot notation (see example values).

Attributes
String
Mandatory
Example
enabled
Example
contextData.locked
Read-only (readOnly)
Description
If enabled, the field is read-only and cannot be altered by administrators via the UI.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: BooleanInputTokenControllerUiElement
id: BooleanInputTokenControllerUiElement-xxxxxx
displayName: 
comment: 
properties:
  label:
  property:
  readOnly: false

Boolean User Context Data Item

Description
User context data item that stores a boolean value.
Type name
BooleanContextDataItemDefinition
Class
com.airlock.iam.flow.shared.application.configuration.item.BooleanContextDataItemDefinitionConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
The context data item in the context data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required (required)
Description
Specifies whether this context data item is required for the step to validate successfully.
Attributes
Boolean
Optional
Default value
true
Value Must Be True (valueMustBeTrue)
Description
If enabled, only 'true' is considered a valid value.
Attributes
Boolean
Optional
Default value
false
Value Must Be False (valueMustBeFalse)
Description
If enabled, only 'false' is considered a valid value.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: BooleanContextDataItemDefinition
id: BooleanContextDataItemDefinition-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  required: true
  valueMustBeFalse: false
  valueMustBeTrue: false

Boolean User Profile Item

Description
A configurable user profile item of type boolean. It is represented as a checkbox in the input form. The selected value is added to the user's context data, provided that the property name matches the property name in the configured user data. If the item is configured as not optional, the user must check the field before they are allowed to continue. This can be used to require the user to accept terms and conditions.
Type name
BooleanUserProfileItem
Class
com.airlock.iam.common.application.configuration.userprofile.BooleanUserProfileItemConfig
May be used by
Properties
Format As Boolean Object (formatAsBooleanObject)
Description
Determines whether the value should be saved as a java.lang.Boolean object. If this is not selected, the value is saved as a String.
Attributes
Boolean
Optional
Default value
true
String Resource Key (stringResourceKey)
Description
String identifier for the language-specific string tables.
Attributes
String
Mandatory
Example
userdata.label.salutation
Example
userdata.label.firstname
Example
userdata.label.lastname
Example
userdata.label.email
Example
userdata.label.nationality
Example
userdata.label.birthdate
Example
userdata.label.street
Example
userdata.label.street-number
Example
userdata.label.address2
Example
userdata.label.zipcode
Example
userdata.label.town
Example
userdata.label.state
Example
userdata.label.country
Example
userdata.label.company
Example
userdata.label.department
Example
userdata.label.office-phone
Example
userdata.label.mobile-phone
Example
userdata.label.language
Example
userdata.label.correspondence-language
Example
userdata.label.realm
Property Name (propertyName)
Description
Name of the context-data field in which the value is stored.
Attributes
String
Mandatory
Example
surname
Example
givenname
Example
email
Example
mtan_number
Optional (optional)
Description
If this field is optional or mandatory for the user.
Attributes
Boolean
Optional
Default value
true
Modifiable (modifiable)
Description
Indicates if the user is allowed to change this property once it is set. Specifically, if this flag is set to false, then during self-registration the property could be set, but when editing the user data, this property would be read-only.
Attributes
Boolean
Optional
Default value
true
Validate Only Changed Values (validateOnlyChangedValues)
Description
If enabled, only values that have been changed by the user (compared to the data loaded from the data layer) are validated.
Attributes
Boolean
Optional
Default value
true
Sortable (sortable)
Description
If enabled, the attribute is sortable in the user list if the underlying user iterator supports sorting.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: BooleanUserProfileItem
id: BooleanUserProfileItem-xxxxxx
displayName: 
comment: 
properties:
  formatAsBooleanObject: true
  modifiable: true
  optional: true
  propertyName:
  sortable: true
  stringResourceKey:
  validateOnlyChangedValues: true

Button Group UI Element

Description
A grouping element for buttons.
Type name
ConfigurableUiButtonGroup
Class
com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiButtonGroupConfig
May be used by
Properties
Buttons (buttons)
Description
Defines the buttons inside the button group.
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: ConfigurableUiButtonGroup
id: ConfigurableUiButtonGroup-xxxxxx
displayName: 
comment: 
properties:
  buttons:

Button UI Element

Description
Displays a button.
Type name
ConfigurableUiButton
Class
com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiButtonConfig
May be used by
Properties
Label (label)
Description
Label for the button. The UI treats it as a key to translate. If there is no translation, the configured value is what is shown in the UI.
Attributes
String
Mandatory
Validation RegEx: [a-zA-Z0-9]+((\.|-)[a-zA-Z0-9]+)*
Disabled On Validation Errors (disabledOnValidationErrors)
Description
If checked, the button is not clickable if the form that contains the button has validation errors. The setting is ignored if the button is not part of a form.
Attributes
Boolean
Optional
Default value
true
Disabled With No Changes (disabledWithNoChanges)
Description
If checked, the button is not clickable if the form's content did not change. The setting is ignored if the button is not part of a form.
Attributes
Boolean
Optional
Default value
true
Alignment (alignment)
Description
Defines the button's alignment.
Attributes
Enum
Optional
Default value
RIGHT
Submit (submit)
Description
If checked, the button is of type 'submit', otherwise the type is 'button'.
Attributes
Boolean
Optional
Default value
false
On Click (onClick)
Description
The REST API calls to execute in sequence when clicking the button.
Attributes
Plugin-List
Optional
Assignable plugins
HTML ID (htmlId)
Description
The ID of the element in the HTML.
Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_]+
YAML Template (with default values)

type: ConfigurableUiButton
id: ConfigurableUiButton-xxxxxx
displayName: 
comment: 
properties:
  alignment: RIGHT
  disabledOnValidationErrors: true
  disabledWithNoChanges: true
  htmlId:
  label:
  onClick:
  submit: false

Caching Certificate Status Checker

Description
Adds a cache for the revocation status returned by another Certificate Status Checker. Can be used if faster response time is needed. The size and the lifetime of the cache entries influence the memory consumption. Note that a cached status is served until its lifetime expires, so a revocation that occurs after the status was cached only takes effect once the entry expires.
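
The following added example (illustrative Python, not Airlock IAM code) models such a cache in front of a stand-in revocation checker and walks through the consequence of the entry lifetime: a certificate revoked after its status was cached keeps being reported as good until the entry expires, and the size limit decides when an entry is dropped. The eviction order (oldest entry first) and the serial-number-keyed backend are assumptions of the model.

```python
"""Model of a caching Certificate Status Checker. Illustrative code added for this
reference, not Airlock IAM's implementation; the eviction order is an assumption."""
from collections import OrderedDict
from typing import Callable, Dict, Set, Tuple


def make_backend(revoked: Set[int]) -> Callable[[int], bool]:
    """Stand-in for the wrapped checker (e.g. a CRL or OCSP lookup): returns True if the
    certificate with the given serial number is revoked."""
    return lambda serial: serial in revoked


class CachingStatusChecker:
    """Keeps at most max_size results for lifetime_s seconds each. When the cache is full,
    the oldest entry is dropped (insertion order; the real eviction policy is not documented)."""

    def __init__(self, checker: Callable[[int], bool], lifetime_s: float, max_size: int):
        self.checker, self.lifetime_s, self.max_size = checker, lifetime_s, max_size
        self.cache: "OrderedDict[int, Tuple[bool, float]]" = OrderedDict()
        self.backend_calls = 0

    def is_revoked(self, serial: int, now: float) -> bool:
        """'now' is passed in so the expiry behaviour can be exercised deterministically."""
        entry = self.cache.get(serial)
        if entry is not None and now - entry[1] < self.lifetime_s:
            return entry[0]                      # fresh enough: backend not consulted
        self.backend_calls += 1
        revoked = self.checker(serial)
        self.cache.pop(serial, None)             # re-insert so refreshed entries move to the end
        self.cache[serial] = (revoked, now)
        while len(self.cache) > self.max_size:
            self.cache.popitem(last=False)       # drop the oldest entry
        return revoked


def demo() -> Dict[str, object]:
    """Constructed scenario: one hour lifetime (the documented default of 60 minutes),
    two cache slots."""
    revoked = {0x1002}
    checker = CachingStatusChecker(make_backend(revoked), lifetime_s=3600, max_size=2)
    first = checker.is_revoked(0x1001, now=0)            # backend consulted: not revoked
    second = checker.is_revoked(0x1001, now=600)         # served from cache
    revoked.add(0x1001)                                  # the CA revokes the certificate
    stale = checker.is_revoked(0x1001, now=1200)         # still 'not revoked' from the cache
    fresh = checker.is_revoked(0x1001, now=3600)         # entry expired: revocation now seen
    checker.is_revoked(0x1002, now=3600)                 # fills the second slot
    checker.is_revoked(0x1003, now=3600)                 # evicts 0x1001, the oldest entry
    after_eviction = checker.is_revoked(0x1001, now=3600)  # backend consulted again
    return {
        "first": first, "second": second, "stale": stale, "fresh": fresh,
        "after_eviction": after_eviction,
        "backend_calls": checker.backend_calls,
        "cached_serials": sorted(checker.cache),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

When sizing the cache, treat cacheEntryLifetime as the upper bound on how long a revoked certificate can still authenticate through this checker, and choose it against that exposure rather than only against the response time of the wrapped checker.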
Type name
CachingCertificateStatusChecker
Class
com.airlock.iam.core.misc.impl.cert.cached.CachingCertificateStatusChecker
May be used by
License-Tags
ClientCertificate
Properties
Cache entry lifetime [minutes] (cacheEntryLifetime)
Description
Maximum lifetime of a cached revocation status in minutes.
Attributes
Integer
Optional
Default value
60
Maximum Cache Size (maximumCacheSize)
Description
Maximum number of cache entries.
Attributes
Integer
Optional
Default value
1000
Wrapped Status Checker (wrappedStatusChecker)
Description
The wrapped Certificate Status Checker.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: CachingCertificateStatusChecker
id: CachingCertificateStatusChecker-xxxxxx
displayName: 
comment: 
properties:
  cacheEntryLifetime: 60
  maximumCacheSize: 1000
  wrappedStatusChecker:

Cancel Button UI Element

Description
Displays a cancel button which aborts the current flow when clicked and redirects to the "Cancellation Target" configured on the flow UI config. If the corresponding "Cancellation Target" is not configured, the cancel button is not shown.
Type name
ConfigurableUiCancelButton
Class
com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiCancelButtonConfig
May be used by
Properties
Label (label)
Description
Label for the button. The UI treats it as a key to translate. If there is no translation, the configured value is what is shown in the UI.
Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9]+((\.|-)[a-zA-Z0-9]+)*
Default value
cancel
Alignment (alignment)
Description
Defines the button's alignment.
Attributes
Enum
Optional
Default value
RIGHT
HTML ID (htmlId)
Description
The ID of the element in the HTML.
Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_]+
Default value
cancelButton
YAML Template (with default values)

type: ConfigurableUiCancelButton
id: ConfigurableUiCancelButton-xxxxxx
displayName: 
comment: 
properties:
  alignment: RIGHT
  htmlId: cancelButton
  label: cancel

CAPTCHA Processor

Description
This processor checks if the current flow step requires CAPTCHA protection. It blocks all calls to the step until a correct CAPTCHA solution is provided.
Note: This processor must be the first in the list of available processors.
Type name
CaptchaProcessor
Class
com.airlock.iam.flow.shared.application.configuration.captcha.CaptchaProcessorConfig
May be used by
Properties
YAML Template (with default values)

type: CaptchaProcessor
id: CaptchaProcessor-xxxxxx
displayName: 
comment: 
properties:

CAPTCHA UI Element

Description
Displays the CAPTCHA challenge, if the step supports it and CAPTCHA is required.
Type name
ConfigurableCaptcha
Class
com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableCaptchaConfig
May be used by
Properties
YAML Template (with default values)

type: ConfigurableCaptcha
id: ConfigurableCaptcha-xxxxxx
displayName: 
comment: 
properties:

Certificate Authenticator

Description
Authenticator used to perform authentication based on X509 certificates.

Warning 1: This authenticator assumes that some external process can guarantee that the certificate belongs to the authenticating entity. This is typically done by challenging the entity to sign something with the corresponding private key. This is, for example, the case in an SSL handshake involving client certificate verification.

Warning 2: This authenticator does not check whether the certificate was signed by a trusted entity. This must be done prior to calling this authenticator, typically during an SSL handshake.

The credentials passed to this authenticator must be of type CertificateCredential or UserCredential.
If the credential contains a username (subtype of UserCredential) the user name is stored in the authentication session for usage after successful verification of the certificate.
If the credential contains a username but no certificate (type UserCredential but not of subtype CertificateCredential), this plugin responds with CERTIFICATE_REQUIRED. This makes it suitable for usage with the MetaAuthenticator plugin.

What checks are done on the certificate and how the user name and granted roles (and possibly other data) are determined is specified by the configuration.

There are two different (and mutually exclusive) ways in which this plugin determines the username from the client certificate:
(1) Extract the username from the client certificate. In this case any username passed as credential is ignored. See the configuration property user-attribute for this case.
(2) Take the username from the credential. In this case, the credential must contain a username.
Regardless of how the username has been determined, a credential persister can be used to verify that the client certificate really belongs to that username. See property credential-persister for details. If the client certificate does not match the data stored under the determined username, the authentication response AuthenticationFailedCertificate.CERTIFICATE_DOES_NOT_MATCH_USER is returned.

The plugin writes its canonical class name to the context data container under the key authPluginClassName. A short description of this authentication method is stored under the key authMethodShortDesc. This information may be used by callers.

Type name
CertificateAuthenticator
Class
com.airlock.iam.core.misc.impl.authen.CertificateAuthenticator
May be used by
License-Tags
ClientCertificate
Properties
User Attribute (userAttribute)
Description
Defines how the user's username (or other piece of data used to look up the username) is to be extracted from the certificate. If this property is not defined, the username is not extracted from the certificate but expected to be part of the credential passed to this plugin (see plugin description).

If a credential persister is configured (see below), the extracted user name is used to look up the credential bean. The bean can be used for further checks.
Note: This can be used to find a user mapped to the certificate (e.g. the CN of the certificate is stored with the username in the persistence layer). To do so, configure the credential persister to look up the credential data given the value defined by this property (which does not necessarily have to be the real username). Then use the credential-bean-username property below to read the real username from the credential bean.
Note: This property has precedence over the username in the credential object. Thus, if this property is defined, any user information passed as credential is ignored.

Usually the username is part of the DN (distinguished name) of the certified subject.
This attribute specifies the attribute name of the username in the DN. Example: The value "cn" will extract the common name from the DN and use this as username.

The following values are treated especially:

  • "dn": use this value to use the whole distinguished name as username.
  • "altSubjectName": use this value to use the alternative subject name as username.
See also configuration property "strip-domain-from-username".

If this property is not defined, the plugin takes the username from the credential.

Look at property credential-persister to see how to validate that the user is registered for this client certificate.

Attributes
String
Optional
Suggested values
cn, sAMAccountName, dn, altSubjectName
Strip Domain From Username (stripDomainFromUsername)
Description
If this property is set to TRUE and the username (see configuration property "user-attribute") has a domain part (as in "john.doe@domain.com"), the domain part is stripped off (resulting in "john.doe").
This property is ignored if the configuration property "user-attribute" is not defined or set to "dn".
Attributes
Boolean
Optional
Default value
false
Credential Persister (credentialPersister)
Description
Class name of the credential persister used to validate that the client certificate really belongs to the user identified by the username determined by this plugin (either taken from the credential or from the client certificate).

If this property is defined, the plugin is used to look up a credential bean using the determined username (or other id determined by this plugin). Then a check is performed whether the certificate really belongs to the user. The check is defined by the separate configuration property "matchPolicy".

How this plugin reacts if no credential record can be found is specified by the separate property "treat-no-credential-data-as-not-assigned".

Attributes
Plugin-Link
Optional
Assignable plugins
Username Transformation (usernameTransformers)
Description

Username transformers may transform the name a user states in the login-form into the single unique user-id required for the authentication process.

The transformation of a username takes place after extracting the username from the presented certificate and before the authenticator reads the user from the persistence layer. If a username is supplied from a previous authentication step, no transformation is done here.

Transformers can be chained, i.e. a first transformer could normalize the original name, and the next transformer looks up the normalized name in a database for possible transformation matches.

A transformer can also signal that it has already found the final user-id, in which case the chain stops after it.

Attributes
Plugin-List
Optional
Assignable plugins
Do Not Update User Statistics (doNotUpdateUserStatistics)
Description
If a user persister is configured (see property "user-persister") and this property is set to TRUE, user statistics (failed logins, etc.) are not updated. This is helpful if this authenticator is part of a bigger authentication scheme (e.g. using the MetaAuthenticator plugin).

This property is only relevant if a user persister is configured.

Attributes
Boolean
Optional
Default value
false
Match Policy (matchPolicy)
Description
Defines how this plugin checks whether a certificate belongs to the user or not.

This check is only done if a credential bean has been loaded using the configured credential persister.
The credential data of the credential bean is compared to the certificate depending on the value of this property:

  • "DNs" : The distinguished names (DN) of the certificate subject and the issuer are compared to the string data of the credential bean. The comparison is case-insensitive. The DNs are encoded in the following form for comparison: <issuer-dn>ISSUER-DN</issuer-dn><subject-dn>SUBJECT-DN</subject-dn>
    This is the default value.
  • "subject-DN" : The DN of the certificate subject is compared to the string data of the credential bean. The comparison is case-insensitive. This setting can be combined with the setting "issuer-dn-property"
  • "CN" : The common name (CN) of the certificate subject is compared to the string data of the credential bean. The comparison is case-insensitive. This setting can be combined with the setting "issuer-dn-property"
  • "TBS" : The TBS (to-be-signed) part of the certificate is compared to the string or binary data of the credential bean. If the credential data is binary, the comparison is done byte-wise, if it is a string type credential, the TBS-part is base64-encoded before comparing.
  • "certificate" : The X509 certificate is compared to the string or binary data of the credential bean. If the credential data is binary, the comparison is done byte-wise, if it is a string type credential, the certificate is base64-encoded before comparing.
  • "NONE" : No check is performed.

Note: For backwards-compatibility, the default value of this property is "DNs"!

If a credential record can be found but it contains no credential data, this plugin responds with CREDENTIAL_NOT_ASSIGNED (which can, for example, start a registration process); if credential data can be found but does not match in this check, it responds with CERTIFICATE_DOES_NOT_MATCH_USER. How the plugin behaves if no credential record can be found at all is defined by the property "treat-no-credential-data-as-not-assigned".

Attributes
String
Optional
Default value
DNs
Allowed values
DNs, subject-DN, CN, TBS, certificate, NONE
Issuer Dn Property (issuerDnProperty)
Description
The name of the credential context data property holding the DN (distinguished name) of the issuer of the client certificate.

This setting is only used in conjunction with the match policies "CN" and "subject-DN" and requires that a credential persister is configured: in addition to matching the CN or subject DN, the issuer DN is also compared to the value stored in the context property (of the credential context container) referenced by this setting.
The comparison is case-insensitive.

Attributes
String
Optional
Example
issuer_dn
Multi Format Dn Comparison (multiFormatDnComparison)
Description
If set to true, the comparison of distinguished names (DNs) accepts several notations, so that the following DNs are considered equal:
  • a=A,b=B,c=C
  • c=C,b=B,a=A (backwards)
  • /a=A/b=B/c=C (slash notation)
  • /c=C/b=B/a=A (slash notation backwards)
  • a=A,b=B,x.y.z=C (where x.y.z is the OID for attribute c)

This affects match policy "subject-DN" and it affects issuer DN comparison if the property "issuer-dn-property" is defined.
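
The following added example (illustrative Python, not Airlock IAM code) models the parts of this authenticator described above: extracting the username from the subject DN for the userAttribute values "cn" and "dn" with optional domain stripping, and the "DNs", "subject-DN", "CN" and "NONE" match policies, with and without multiFormatDnComparison. The OID table, the handling of escaped separators, picking the first RDN when an attribute occurs more than once, and the stand-in for the issuerDnProperty value are assumptions of the model; "altSubjectName", "TBS" and "certificate" need the parsed certificate and are not modelled.

```python
"""Model of the Certificate Authenticator's username extraction and match policies.
Illustrative code added for this reference; it is not Airlock IAM's implementation."""
from typing import List, Optional, Tuple

# Attribute-type OIDs mapped to short names; the table is an assumption of this model.
OID_TO_NAME = {
    "2.5.4.3": "cn", "2.5.4.6": "c", "2.5.4.7": "l", "2.5.4.8": "st",
    "2.5.4.10": "o", "2.5.4.11": "ou", "0.9.2342.19200300.100.1.1": "uid",
}


def split_rdns(dn: str) -> List[str]:
    """Split 'a=A,b=B' or '/a=A/b=B' into RDN strings. A backslash escapes the
    separator; other value escaping is out of scope for this model."""
    dn = dn.strip()
    sep = "/" if dn.startswith("/") else ","
    if sep == "/":
        dn = dn[1:]
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """RDNs as (attribute, value) with OIDs resolved to names; value case is kept."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        attr = attr.strip().lower()
        rdns.append((OID_TO_NAME.get(attr, attr), value.strip()))
    return rdns


def dn_equal(a: str, b: str, multi_format: bool) -> bool:
    """multiFormatDnComparison off: case-insensitive string comparison.
    On: RDN order, comma/slash notation and OID-versus-name form are all ignored."""
    if not multi_format:
        return a.strip().lower() == b.strip().lower()
    def norm(dn: str):
        return sorted((k, v.lower()) for k, v in parse_dn(dn))
    return norm(a) == norm(b)


def extract_username(subject_dn: str, user_attribute: str, strip_domain: bool) -> str:
    """userAttribute 'dn' uses the whole DN (stripDomainFromUsername is ignored then);
    otherwise the first RDN with that attribute is used."""
    if user_attribute.lower() == "dn":
        return subject_dn
    values = [v for k, v in parse_dn(subject_dn) if k == user_attribute.lower()]
    if not values:
        raise ValueError(f"attribute {user_attribute!r} not present in subject DN")
    name = values[0]
    if strip_domain and "@" in name:
        name = name.split("@", 1)[0]
    return name


def credential_matches(subject_dn: str, issuer_dn: str, stored: str, match_policy: str,
                       multi_format: bool = False,
                       stored_issuer_dn: Optional[str] = None) -> bool:
    """'stored' is the string credential data; stored_issuer_dn stands for the value
    behind issuerDnProperty (only used by 'CN' and 'subject-DN')."""
    if match_policy == "NONE":
        return True
    if match_policy == "DNs":
        # Plain string comparison: the stored value must use exactly this encoding.
        encoded = f"<issuer-dn>{issuer_dn}</issuer-dn><subject-dn>{subject_dn}</subject-dn>"
        return encoded.lower() == stored.lower()
    issuer_ok = (stored_issuer_dn is None
                 or dn_equal(issuer_dn, stored_issuer_dn, multi_format))
    if match_policy == "subject-DN":
        return issuer_ok and dn_equal(subject_dn, stored, multi_format)
    if match_policy == "CN":
        cn = extract_username(subject_dn, "cn", strip_domain=False)
        return issuer_ok and cn.lower() == stored.lower()
    raise ValueError(f"unsupported match policy {match_policy!r}")


if __name__ == "__main__":
    # Constructed sample certificate data.
    subject = "cn=john.doe@example.com,ou=Staff,o=Example AG,c=CH"
    issuer = "cn=Example Issuing CA,o=Example AG,c=CH"
    stored = "/c=CH/o=Example AG/ou=Staff/cn=john.doe@example.com"  # slash notation in the store
    print(extract_username(subject, "cn", strip_domain=True))
    print(credential_matches(subject, issuer, stored, "subject-DN"))
    print(credential_matches(subject, issuer, stored, "subject-DN", multi_format=True))
```

The script's last two lines show the practical effect: with the default string comparison a subject DN stored in slash notation (as some tooling exports it) does not match the comma-separated DN the certificate presents and yields CERTIFICATE_DOES_NOT_MATCH_USER, whereas multiFormatDnComparison makes the same pair match. The "DNs" policy is unaffected by that property, so its stored values must be written in exactly the <issuer-dn>...</issuer-dn><subject-dn>...</subject-dn> form.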

Attributes
Boolean
Optional
Default value
false
User Property (userProperty)
Description
Name (key) of a context data property in the credential bean that defines the username to be used.

This property is used in situations where the username cannot be extracted directly from the certificate but it is determined by looking up a credential bean and reading the username from it. If the referenced context data property cannot be found, an AuthenticatorException is thrown.

If this property is defined, it usually makes sense to also set the property "treat-no-credential-data-as-not-assigned" to true.

Attributes
String
Optional
Example
username
Example
uid
Treat No Cred Data As Not Assigned (treatNoCredDataAsNotAssigned)
Description
If this property is set to "TRUE", this plugin responds with CREDENTIAL_NOT_ASSIGNED if no credential bean can be found at all. If it is "FALSE" (which is the default), this plugin responds with USER_NOT_FOUND.

This property exists to make this plugin suitable for situations where the username cannot be extracted directly from the certificate but is determined by looking up a credential bean and reading the username from it. In this case, not finding a credential bean at all usually means that the certificate has not yet been assigned. In the other case, i.e. when the username is read directly from the certificate, not finding the credential bean usually means that the user no longer exists.

Attributes
Boolean
Optional
Default value
false
Static Roles (staticRoles)
Description
A comma-separated list of roles (role names, optionally followed by a colon and a role idle timeout in seconds) that are granted to authenticated users. Make sure not to use spaces between the values.
Attributes
String
Optional
Example
role1,role2:300
Example
admin
Example
user:300,employee:600
Certificate Status Checker (certificateStatusChecker)
Description
The certificate status checker plug-in used to check the revocation status of the client certificate. The status checker can for example use a CRL or an OCSP service to do this.

Note: If this optional property is not defined or empty (and no certificate status checker plugins are configured by the property "Cert Status Checkers"), no status check is performed (i.e. all certificates are considered to be non-revoked).

Attributes
Plugin-Link
Optional
Assignable plugins
User Persister (userPersister)
Description
Class name of a user persister used after successful certificate verification and user extraction. The user is loaded from the persister in order to check the "locked" status and update statistics. In any of the following cases, the authentication fails (even after successful certificate verification!):
  • User is not found
  • Username is ambiguous
  • User is locked
  • User is not valid
In the case of successful authentication, user data (roles, context data) is loaded and added to the result.
Attributes
Plugin-Link
Optional
Assignable plugins
Max Failed Logins (maxFailedLogins)
Description
The number of failed logins before a user is locked. Set to zero (0) to disable this feature. This feature only works if a user persister is configured.
Attributes
Integer
Optional
Default value
0
Expiring Certificate Warning Days (expiringCertificateWarningDays)
Description
This displays a warning page to the user if the client certificate is about to expire within the configured number of days.
Attributes
Integer
Optional
Additional User Validators (additionalUserValidators)
Description
To validate users beyond the usual tests for being locked or invalid, additional plugins can be added, which e.g. check context data fields. This is only functional if a User Persister is configured.
Attributes
Plugin-List
Optional
Assignable plugins
Check Validity Period (checkValidityPeriod)
Description
If enabled, the validity period of the certificate is checked. If disabled, expired (or not-yet-valid) certificates are also accepted.
Attributes
Boolean
Optional
Default value
true
Certificate Status Checkers (certStatusCheckers)
Description
A list of certificate status checkers used to check the revocation status of the client certificate. If more than one checker is configured, all of them are consulted and the certificate is considered revoked if at least one of them tells so.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CertificateAuthenticator
id: CertificateAuthenticator-xxxxxx
displayName: 
comment: 
properties:
  additionalUserValidators:
  certStatusCheckers:
  certificateStatusChecker:
  checkValidityPeriod: true
  credentialPersister:
  doNotUpdateUserStatistics: false
  expiringCertificateWarningDays:
  issuerDnProperty:
  matchPolicy: DNs
  maxFailedLogins: 0
  multiFormatDnComparison: false
  staticRoles:
  stripDomainFromUsername: false
  treatNoCredDataAsNotAssigned: false
  userAttribute:
  userPersister:
  userProperty:
  usernameTransformers:

Certificate Credential Extraction Step

Description
Step for extracting a client certificate from the request.
Type name
CertificateCredentialExtractionStep
Class
com.airlock.iam.techclientreg.application.configuration.step.CertificateCredentialExtractionStepConfig
May be used by
License-Tags
TechClientRegistration
Properties
Certificate Required (certificateRequired)
Description
If enabled, the client certificate is always required. If it is required but missing, the step fails. In all other cases it succeeds.
Attributes
Boolean
Optional
Default value
true
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CertificateCredentialExtractionStep
id: CertificateCredentialExtractionStep-xxxxxx
displayName: 
comment: 
properties:
  certificateRequired: true
  customFailureResponseAttributes:
  customResponseAttributes:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Certificate Data Extractor Task

Description
This task plug-in iterates over user or credential records, reads an X.509 certificate (or the TBS part of it) from each record, extracts information (e.g. DN or serial number) from it and stores this information in another field of the record.

This task can be used to retrieve information encoded in the certificate and write it to the user record so the information can be used in search criteria, queries or be displayed more easily in the admin tool.

The certificate data read from the record must be the base-64 encoded binary representation of an X.509 ASN.1 structure. It also can be only the TBS-part ("to-be-signed part") of the certificate.

Type name
CertificateDataExtractorTask
Class
com.airlock.iam.servicecontainer.app.application.configuration.task.CertificateDataExtractorTask
May be used by
License-Tags
ClientCertificate
Properties
Credential Persister (credentialPersister)
Description
The credential persister plug-in is used to read the certificate and store the extracted piece(s) of information.

The returned credentials must either contain the certificate data in the string credential field or in one of the context data fields. In the latter case, the name of the context data field containing the certificate data must be specified in property "certificate-property".

Make sure the persister is able to store the target field(s), i.e. the field(s) where the extracted data is stored. It is usually necessary to list these fields in the context data container.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Credential Iterator (credentialIterator)
Description
The credential iterator plug-in is used to iterate over a set of credential structures. For efficiency reasons, the set of credential structures returned by this plug-in should be limited as much as possible.

It is usually a good idea to include a "not-null" check on the certificate data and "null" checks on the fields where the extracted data is stored. This way, only the records with missing (i.e. not yet processed) data are processed.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Certificate Property (certificateProperty)
Description
Name of the data field of the context data container to read the certificate data from. If this property is not defined, the certificate data is read from the string credential data field of the configured credential persister.
Attributes
String
Optional
Suggested values
cert_x509_data, cert_tbs, client_certificate
Is Tbs Data (isTbsData)
Description
Set to true if the stored certificate data is not an X509 certificate but only the TBS-part (to-be-signed-part) of it.
Attributes
Boolean
Optional
Default value
false
Mapping (mapping)
Description
Mappings of certificate data elements to context data properties.
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: CertificateDataExtractorTask
id: CertificateDataExtractorTask-xxxxxx
displayName: 
comment: 
properties:
  certificateProperty:
  credentialIterator:
  credentialPersister:
  isTbsData: false
  mapping:

Certificate Data to Context Data Mapping

Description
Mapping certificate data elements into context data properties.
Type name
CertificateDataExtractorTaskMapping
Class
com.airlock.iam.servicecontainer.app.application.configuration.task.CertificateDataExtractorTaskMapping
May be used by
Properties
Certificate Data Element (certificateDataElement)
Description
Selects the data element in the certificate. Allowed values are:
  • "notBefore": Validity start date.
  • "notAfter": Validity end date.
  • "subjectDn": Distinguished name of the subject.
  • "subjectCn": Common name of the subject.
  • "issuerDn": Distinguished name of the issuer.
  • "serial": Certificate serial number.
Attributes
String
Mandatory
Allowed values
notBefore, notAfter, subjectDn, subjectCn, issuerDn, serial
Context Property (contextProperty)
Description
Name of the context data property, the extracted certificate data element is written to.
Attributes
String
Mandatory
Example
certValidFrom
Example
certValidTo
Example
certSubjectDn
Example
certSubjectCn
Example
certIssuerDn
Example
certSerial
YAML Template (with default values)

type: CertificateDataExtractorTaskMapping
id: CertificateDataExtractorTaskMapping-xxxxxx
displayName: 
comment: 
properties:
  certificateDataElement:
  contextProperty:

Certificate Subject Organization Identifier Equality Credential Verifier

Description
Verifies that the HTTP signature signing certificate's subject organizationIdentifier (OID 2.5.4.97 according to ITU-T Recommendation X.520) equals the client credential certificate's subject organizationIdentifier. The signing certificate must contain an organizationIdentifier in its Subject Distinguished Name, and the credential must be a certificate credential containing an equal organizationIdentifier in its Subject Distinguished Name; otherwise the verification fails.
Type name
CertificateSubjectOrganizationIdentifierEqualityCredentialVerifier
Class
com.airlock.iam.login.app.misc.oneshot.impl.CertificateSubjectOrganizationIdentifierEqualityCredentialVerifierConfig
May be used by
Properties
YAML Template (with default values)

type: CertificateSubjectOrganizationIdentifierEqualityCredentialVerifier
id: CertificateSubjectOrganizationIdentifierEqualityCredentialVerifier-xxxxxx
displayName: 
comment: 
properties:

Certificate Token Authenticator

Description
Authenticator for client certificates (e.g. from smart cards or USB sticks) using the token model. This allows for more than one certificate per user.

Warning 1: This authenticator assumes that some external process can guarantee that the certificate belongs to the authenticating entity. This is typically done by challenging the entity to sign something with the corresponding private key. This is, for example, the case in an SSL handshake involving client certificate verification.

Warning 2: This authenticator does not check whether the certificate was signed by a trusted entity. This must be done prior to calling this authenticator, typically during an SSL handshake.

Type name
CertificateTokenAuthenticator
Class
com.airlock.iam.core.misc.impl.authen.certificate.CertificateTokenAuthenticator
May be used by
Properties
Certificate Matcher (certificateMatcher)
Description
Plugin used to look up the client certificate in the persistency layer or in an external service.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Static Roles (staticRoles)
Description
A list of roles (role names, optionally followed by a colon and a role idle timeout in seconds) that are granted to authenticated users.
Attributes
String-List
Optional
Update User Statistics (updateUserStatistics)
Description
If the user statistics (last successful login, total logins) should be updated.
Attributes
Boolean
Optional
Default value
true
Update Token Statistics (updateTokenStatistics)
Description
If the token statistics (last usage, total usages) should be updated.
Attributes
Boolean
Optional
Default value
true
User Persister (userPersister)
Description
Class name of a user persister used after successful certificate verification and user extraction. The user is loaded from the persister in order to check the "locked" status and update statistics. In one of the following cases, the authentication fails (after successful certificate verification!):
  • User is not found
  • Username is ambiguous
  • User is locked
  • User is not valid
In the case of successful authentication, user data (roles, context data) is loaded and added to the result.
Attributes
Plugin-Link
Optional
Assignable plugins
Max Failed Logins (maxFailedLogins)
Description
The number of failed logins before a user is locked. Set to zero (0) to disable this feature. This feature only works if a user persister is configured.
Attributes
Integer
Optional
Default value
0
Expiring Certificate Warning Days (expiringCertificateWarningDays)
Description
This displays a warning page to the user if the client certificate is about to expire within the configured number of days.
Attributes
Integer
Optional
Additional User Validators (additionalUserValidators)
Description
To validate users beyond the usual tests for being locked or invalid, additional plugins can be added, which e.g. check context data fields. This is only functional if a User Persister is configured.
Attributes
Plugin-List
Optional
Assignable plugins
Check Validity Period (checkValidityPeriod)
Description
If enabled, the validity period of the certificate is checked. If disabled, expired (or not-yet-valid) certificates are also accepted.
Attributes
Boolean
Optional
Default value
true
Certificate Status Checkers (certStatusCheckers)
Description
A list of certificate status checkers used to check the revocation status of the client certificate. If more than one checker is configured, all of them are consulted and the certificate is considered revoked if at least one of them reports it as revoked.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CertificateTokenAuthenticator
id: CertificateTokenAuthenticator-xxxxxx
displayName: 
comment: 
properties:
  additionalUserValidators:
  certStatusCheckers:
  certificateMatcher:
  checkValidityPeriod: true
  expiringCertificateWarningDays:
  maxFailedLogins: 0
  staticRoles:
  updateTokenStatistics: true
  updateUserStatistics: true
  userPersister:

Certificate Token Controller

Description
Token controller to manage X.509 certificates based on the token model. Currently supported operations are adding and removing certificates.
Type name
CertificateTokenController
Class
com.airlock.iam.admin.application.configuration.certificate.CertificateTokenController
May be used by
License-Tags
ClientCertificate
Properties
Token Data Provider (tokenDataProvider)
Description
Token data provider for creating, loading, updating and deleting certificates.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allowed As Active (allowedAsActive)
Description
Whether or not certificates can be chosen as active authentication method.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: CertificateTokenController
id: CertificateTokenController-xxxxxx
displayName: 
comment: 
properties:
  allowedAsActive: true
  tokenDataProvider:

Certificate Token Credential Extractor

Description
Extracts a client certificate credential and an authorization bearer token. The result will be a credential that is both a certificate and a token credential and therefore can be handled by authenticators handling either or both credential types.
Type name
CertificateTokenCredentialExtractor
Class
com.airlock.iam.login.app.misc.oneshot.impl.CertificateTokenCredentialExtractorConfig
May be used by
Properties
YAML Template (with default values)

type: CertificateTokenCredentialExtractor
id: CertificateTokenCredentialExtractor-xxxxxx
displayName: 
comment: 
properties:

Chaining Identity Propagator

Description
An identity propagator that calls multiple other identity propagators in a defined order.

Note: The configured identity propagators are processed in the defined order.
This plugin is useful if more than one identity propagator should be used.

Type name
ChainingIdentityPropagator
Class
com.airlock.iam.core.misc.impl.sso.ChainingIdentityPropagator
May be used by
Properties
YAML Template (with default values)

type: ChainingIdentityPropagator
id: ChainingIdentityPropagator-xxxxxx
displayName: 
comment: 
properties:
  idPropagators:

Changed Email Address Provider

Description
Provides the email address stored in the flow session for email verification during email change. This provider must find an email address in the flow session, otherwise it fails.
Type name
ChangedEmailProvider
Class
com.airlock.iam.flow.shared.application.configuration.valueprovider.ChangedEmailProviderConfig
May be used by
Properties
YAML Template (with default values)

type: ChangedEmailProvider
id: ChangedEmailProvider-xxxxxx
displayName: 
comment: 
properties:

Checkbox UI Element

Description
Displays a checkbox.
Type name
ConfigurableUiCheckbox
Class
com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiCheckboxConfig
May be used by
Properties
Label (label)
Description
Label for the checkbox. The UI treats it as a key to translate. If there is no translation, the configured value is what is shown in the UI.
Attributes
String
Mandatory
Validation RegEx: [a-zA-Z0-9]+((\.|-)[a-zA-Z0-9]+)*
Property (property)
Description
The property of the checkbox. This property will be sent to the server via REST as part of a JSON object. For example, if the property name is 'termsAccepted' and the checkbox is checked, the JSON sent to the server will be as follows: {"termsAccepted": true}.
Attributes
String
Mandatory
Validation RegEx: [a-zA-Z0-9_]+(\.[a-zA-Z0-9_]+)*
Example
termsAccepted
Example
allowNewsletter
Validation (validation)
Description
Validates the state of the checkbox. If not configured, the user can freely choose its state.
Attributes
Plugin-Link
Optional
Assignable plugins
Label Left (labelLeft)
Description
Whether the label is placed to the left of the checkbox (as for normal input fields) or to the right of the checkbox, with the checkbox itself aligned with the input fields.
Attributes
Boolean
Optional
Default value
true
HTML ID (htmlId)
Description
The ID of the element in the HTML. If no ID is set, the 'property' is used as the ID.
Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_]+
Submit To Server (submitToServer)
Description
If enabled, this value is submitted to the server. Otherwise, it is only used locally (e.g. to confirm inputs of other fields).
Attributes
Boolean
Optional
Default value
true
Initial Value Query (initialValueQuery)
Description
JSONPath query to fetch the field value from the initial REST call response. Requires an initial REST call to be configured in this custom step UI. If the query yields multiple results, the first one is set as the initial value and all others are discarded.

See the JSONPath documentation for the full documentation: https://github.com/dchester/jsonpath

Examples:

Assume the initial REST call returns the following JSON response:

{
 "meta": {
   "type": "jsonapi.metadata.document",
   "timestamp": "2023-03-10T13:06:01.294+02:00"
 },
 "data": [
  {
    "type": "user",
    "id": "user1",
    "attributes": {
      "contextData": {
         "givenname": "User1",
         "surname": "FSMTest",
         "roles": "customerA"
      }
    }
  },
  {
    "type": "user",
    "id": "user2",
    "attributes": {
      "contextData": {
        "givenname": "User2",
        "surname": "FSMTest",
        "roles": "customerB"
      }
    }
  }
 ]
}

The following table shows the results of various JSONPath queries given the JSON above:

  • Static path from the root
    JSONPath query: $.meta.type
    Extracted initial value: jsonapi.metadata.document
  • The role of the user whose id equals "user1"
    JSONPath query: $.data[?(@.id == 'user1')].attributes.contextData.roles
    Extracted initial value: customerA
  • The number of users
    JSONPath query: $.data.length
    Extracted initial value: 2
  • All "givenname" attributes (note: this query yields multiple results; the first one is set as the initial value, the rest are discarded)
    JSONPath query: $..givenname
    Extracted initial value: User1
Attributes
String
Optional
Example
$..locked
Example
$..data[?(@.id == 'valid')].attributes.currentValue
YAML Template (with default values)

type: ConfigurableUiCheckbox
id: ConfigurableUiCheckbox-xxxxxx
displayName: 
comment: 
properties:
  htmlId:
  initialValueQuery:
  label:
  labelLeft: true
  property:
  submitToServer: true
  validation:

Cipher Credential Persister

Description

Encrypts and decrypts selected fields of credential data. It delegates loading and storing to another, underlying credential persister plugin, so it can wrap any other credential persister plugin.

Note that data that is not (yet) encrypted can be read as plaintext. The first time the field is written (because of a change in that very field), it will be encrypted. This makes data migration and a mixture of encrypted and non-encrypted data possible. It also implies that this encryption provides secrecy (confidentiality) but no authenticity!

The following restrictions apply when using data field encryption:

  • Encryption can only be applied to the serial number, the credential data and context data fields.
  • Encryption of context data properties can only be applied to string type properties.
  • Encryption cannot be applied to the username (even if part of the context data container)
  • Searching on encrypted fields is not supported.
  • If encrypting a context data property that is also used by other persister plugins (e.g. a user persister plugin), make sure that the other plugin also encrypts the field.
  • Note that encrypted strings are larger than their plain counterpart. Make sure to allow long strings in the underlying persister plugin. The shortest encrypted string is 38 characters long. For longer strings, doubling the plain string length makes a good upper boundary.

Type name
CipherCredentialPersister
Class
com.airlock.iam.core.misc.impl.persistency.cipher.CipherCredentialPersister
May be used by
License-Tags
DataEncryption
Properties
Credential Persister (credentialPersister)
Description
The underlying persister plugin used to load and store data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Encrypt Serial (encryptSerial)
Description
Set to TRUE if the serial number of the credential should be encrypted.
Attributes
Boolean
Optional
Default value
false
Encrypt Credential Data (encryptCredentialData)
Description
Set to TRUE if the credential data of the credential should be encrypted.
Attributes
Boolean
Optional
Default value
true
Encrypted Context Properties (encryptedContextProperties)
Description

Specifies a list of names of string context data properties that have to be stored encrypted on the database.

Attributes
String-List
Mandatory
Cipher Password (cipherPassword)
Description

Password used for the encryption and decryption.

If other persister plugins (e.g. a UserPersister plugin) also use encryption on data fields encrypted in this plugin, make sure they use the same password.

This property supports the extended string syntax, i.e. its value may be configured scrambled or in an external file (see example values).

Attributes
String
Mandatory
Sensitive
YAML Template (with default values)

type: CipherCredentialPersister
id: CipherCredentialPersister-xxxxxx
displayName: 
comment: 
properties:
  cipherPassword:
  credentialPersister:
  encryptCredentialData: true
  encryptSerial: false
  encryptedContextProperties:

Cipher Token List Persister

Description

Encrypts and decrypts selected context data fields of the token list data structure. It delegates loading and storing to another, underlying token list persister plugin, so it can wrap any other token list persister plugin.

Note that data that is not (yet) encrypted can be read as plaintext. The first time the field is written (because of a change in that very field), it will be encrypted. This makes data migration and a mixture of encrypted and non-encrypted data possible. It also implies that this encryption provides secrecy (confidentiality) but no authenticity!

The following restrictions apply when using data field encryption:

  • Encryption can only be applied to context data fields.
  • Encryption can only be applied to string type properties.
  • Encryption cannot be applied to the username (even if part of the context data container)
  • Searching on encrypted fields is not supported.
  • If encrypting a context data property that is also used by other persister plugins (e.g. a user persister plugin), make sure that the other plugin also encrypts the field.
  • Note that encrypted strings are larger than their plain counterpart. Make sure to allow long strings in the underlying persister plugin. The shortest encrypted string is 38 characters long. For longer strings, doubling the plain string length makes a good upper boundary.

Type name
CipherTokenListPersister
Class
com.airlock.iam.core.misc.impl.persistency.cipher.CipherTokenListPersister
May be used by
License-Tags
DataEncryption
Properties
Token List Persister (tokenListPersister)
Description
The underlying persister plugin used to load and store data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Encrypted Context Properties (encryptedContextProperties)
Description

Specifies a list of names of string context data properties that have to be stored encrypted on the database.

Attributes
String-List
Mandatory
Cipher Password (cipherPassword)
Description

Password used for the encryption and decryption.

If other persister plugins (e.g. a UserPersister plugin) also use encryption on data fields encrypted in this plugin, make sure they use the same password.

This property supports the extended string syntax, i.e. its value may be configured scrambled or in an external file (see example values).

Attributes
String
Mandatory
Sensitive
YAML Template (with default values)

type: CipherTokenListPersister
id: CipherTokenListPersister-xxxxxx
displayName: 
comment: 
properties:
  cipherPassword:
  encryptedContextProperties:
  tokenListPersister:

Cipher User Persister

Description

Encrypts and decrypts selected fields of user data. It delegates loading and storing to another, underlying user persister plugin, so it can wrap any other user persister plugin.

The method changeUsername(String oldUsername, String newUsername) is not implemented and will throw a NotImplementedException.

Note that data that is not (yet) encrypted can be read as plaintext. The first time the field is written (because of a change in that very field), it will be encrypted. This makes data migration and a mixture of encrypted and non-encrypted data possible. It also implies that this encryption provides secrecy (confidentiality) but no authenticity!

The following restrictions apply when using data field encryption:

  • Encryption can only be applied to context data fields.
  • Encryption can only be applied to string type fields.
  • Encryption cannot be applied to the username (even if part of the context data container)
  • Searching on encrypted fields is not supported.
  • If encrypting a context data property that is also used by other persister plugins (e.g. a credential persister plugin), make sure that the other plugin also encrypts the field.
  • Note that encrypted strings are larger than their plain counterpart. Make sure to allow long strings in the underlying persister plugin. The shortest encrypted string is 38 characters long. For longer strings, doubling the plain string length makes a good upper boundary but some encryption mechanisms will still produce much longer output.

Type name
CipherUserPersister
Class
com.airlock.iam.core.misc.impl.persistency.cipher.CipherUserPersister
May be used by
License-Tags
DataEncryption
Properties
User Persister (userPersister)
Description
The underlying persister plugin used to load and store data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Encrypted Context Properties (encryptedContextProperties)
Description

Specifies a list of names of string context data properties that have to be stored encrypted on the database.

Attributes
String-List
Mandatory
Cipher Password (cipherPassword)
Description

Password used for the encryption and decryption.

If other persister plugins (e.g. a CredentialPersister plugin) also use encryption on context data fields listed in this plugin, make sure they use the same password.

This property supports the extended string syntax, i.e. its value may be configured scrambled or in an external file (see example values).

Attributes
String
Mandatory
Sensitive
YAML Template (with default values)

type: CipherUserPersister
id: CipherUserPersister-xxxxxx
displayName: 
comment: 
properties:
  cipherPassword:
  encryptedContextProperties:
  userPersister:

Claim From Subject Token (OAuth 2.0 Token Exchange)

Description

Sets the claim to the configured claim value of the subject token.

If the referenced subject token data does not contain any value, it will be ignored.

Type name
OAuth2TokenExchangeJwtSubjectTokenClaimValue
Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtSubjectTokenClaimValueConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
Subject Token Data Name (subjectTokenDataName)
Description
The subject token claim to use. The referenced value must be a string, number, boolean, array or object.
Attributes
String
Mandatory
Example
sub
Example
username
Example
claim1
Example
roles
Example
context-data
YAML Template (with default values)

type: OAuth2TokenExchangeJwtSubjectTokenClaimValue
id: OAuth2TokenExchangeJwtSubjectTokenClaimValue-xxxxxx
displayName: 
comment: 
properties:
  subjectTokenDataName:

Claim Set Custom Claim

Description
A custom claim introducing a JSON Object in the response.
Type name
CustomClaimSetClaim
Class
com.airlock.iam.oauth2.application.configuration.claims.CustomClaimSetClaimConfig
May be used by
License-Tags
OAuthServer
Properties
Claim Name (claimName)
Description
The name (JSON key) of the claim.

Attention: If another custom claim with the same claim name already exists, a runtime error results.

Using a registered claim name (see RFC 7519) might cause the claim to be ignored or an exception to be thrown.
Attributes
String
Mandatory
Example
firstname
Example
street
Example
zip
Example
country
Example
roles
Claim Condition (claimCondition)
Description

This custom claim will only be added to the issued token if the configured condition is satisfied.

If no condition is configured, the custom claim will always be added.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: CustomClaimSetClaim
id: CustomClaimSetClaim-xxxxxx
displayName: 
comment: 
properties:
  claimCondition:
  claimName:
  customClaims:

Claim Validator

Description
Validates one (single-valued) claim against different rules defined by the config.
Type name
ClaimValidatorSettings
Class
com.airlock.iam.oauth2.application.configuration.claims.ClaimValidatorSettings
May be used by
Properties
Claim (claim)
Description
Claim to validate.
Attributes
String
Mandatory
Suggested values
acr, iss
Mandatory (mandatory)
Description
If enabled, the claim must be present. Otherwise validation fails.
Attributes
Boolean
Optional
Default value
true
Validation Pattern (validationPattern)
Description
If defined, the claim must match the pattern. Otherwise validation fails. If left empty, a present claim is always valid.
Attributes
RegEx
Optional
YAML Template (with default values)

type: ClaimValidatorSettings
id: ClaimValidatorSettings-xxxxxx
displayName: 
comment: 
properties:
  claim:
  mandatory: true
  validationPattern:

Client Certificate (X.509) Credential Extractor

Description
Extracts the client certificate from the request and creates a credential that can be used with a "Certificate Token Authenticator" or a "Certificate Authenticator".
Type name
ClientCertificateExtractor
Class
com.airlock.iam.login.app.misc.oneshot.impl.ClientCertificateExtractor
May be used by
Properties
YAML Template (with default values)

type: ClientCertificateExtractor
id: ClientCertificateExtractor-xxxxxx
displayName: 
comment: 
properties:

Client Certificate (X.509) Request Authentication

Description

Authenticates single requests by their client certificate.

Warning 1: This authentication assumes that some external process can guarantee that the certificate belongs to the authenticating entity. This is typically done by challenging the entity to sign something with the corresponding private key. This is, for example, the case in an SSL handshake involving client certificate verification.

Warning 2: This authentication does not check whether the certificate was signed by a trusted entity. This must be done during the SSL handshake.

Type name
ClientCertificateRequestAuthentication
Class
com.airlock.iam.common.application.configuration.certificate.ClientCertificateRequestAuthenticationConfig
May be used by
Properties
User Attribute (userAttribute)
Description

Defines how the username is extracted from the certificate.

Usually the username is part of the DN (distinguished name) of the certified subject. This attribute specifies the attribute name of the username in the DN. Example: The value "cn" will extract the common name from the DN and use this as username.

The following values are interpreted separately:

  • dn: the whole distinguished name is used.
  • subjectAlternativeName: the alternative subject name is used.
  • certificate: the base64 encoded certificate.

Username transformation can be used to look up the user based on a context data field or to modify the extracted username (e.g. to strip the domain from the name).

Attributes
String
Mandatory
Suggested values
cn, sAMAccountName, dn, subjectAlternativeName, certificate
Check Validity Period (checkValidityPeriod)
Description
If enabled, the validity period of the certificate is checked. If disabled, expired (or not yet valid) certificates are also accepted.
Attributes
Boolean
Optional
Default value
true
Certificate Status Checkers (certStatusCheckers)
Description
A list of certificate status checkers used to check the revocation status of the client certificate. If more than one checker is configured, all of them are consulted and the certificate is considered revoked if at least one of them reports it as revoked.
Attributes
Plugin-List
Optional
Assignable plugins
User Store (userStore)
Description
If configured, the user is loaded from local persistence and checked for validity. Authentication fails if the user is not found or is invalid. If no user store is configured, no persistency look-up takes place and the authentication is performed on data contained within the credential only.
Attributes
Plugin-Link
Optional
Assignable plugins
Username Transformation (usernameTransformers)
Description
Transforms the provided username from the credential to a technical user ID.
Attributes
Plugin-List
Optional
Assignable plugins
Static Roles (staticRoles)
Description
Static list of roles granted to the authenticated user.
Attributes
String-List
Optional
Roles Blocklist (rolesBlocklist)
Description
List of role names that won't be granted to the authenticated user. The block list is also applied to persistent roles (if available).
Attributes
String-List
Optional
YAML Template (with default values)

type: ClientCertificateRequestAuthentication
id: ClientCertificateRequestAuthentication-xxxxxx
displayName: 
comment: 
properties:
  certStatusCheckers:
  checkValidityPeriod: true
  rolesBlocklist:
  staticRoles:
  userAttribute:
  userStore:
  usernameTransformers:

Client Certificate Context Extractor

Description

Context extractor that determines the context by matching configurable regular expressions against information in the client certificate extracted from the request.

This extractor works in conjunction with client certificate authentication.

Type name
ClientCertificateContextExtractor
Class
com.airlock.iam.common.application.configuration.context.ClientCertificateContextExtractor
May be used by
Properties
Mappings (mappings)
Description

Defines mappings of regular expression patterns to configuration contexts.

Each pattern is matched in order against the issuer distinguished name (DN) of the extracted client certificate.

The first matching pattern determines the resulting configuration context.

Attributes
Plugin-List
Mandatory
Assignable plugins
Match Against Subject DN (matchAgainstSubjectDn)
Description
By default, the patterns are matched against the distinguished name (DN) of the certificate issuer. If this property is enabled, the patterns are matched against the DN of the certificate subject (holder) instead.
Attributes
Boolean
Optional
Default value
false
Fallback Context (fallbackContext)
Description
Name of the context to be used if no pattern matches or no client certificate could be extracted from the request.
Leave empty to implicitly use the default context. If this plugin is used within a "Combining Context Extractor", use "[DEFAULT]" to explicitly return the default context if necessary.
Attributes
String
Optional
Example
CTX1
Example
EXT
Example
[DEFAULT]
Gateway (gateway)
Description
Settings regarding an Airlock Gateway or Airlock Microgateway reverse proxy placed in front of Airlock IAM.

The client certificate is extracted differently from the request based on this configuration:

  • Airlock Gateway (WAF): certificate is extracted from the environment cookie
  • Airlock Microgateway: certificate is extracted from the configured header
  • When no gateway is configured, attempt to extract the client certificate from the jakarta.servlet.request.X509Certificate request attribute

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: ClientCertificateContextExtractor
id: ClientCertificateContextExtractor-xxxxxx
displayName: 
comment: 
properties:
  fallbackContext:
  gateway:
  mappings:
  matchAgainstSubjectDn: false

Client Certificate Context Extractor Pattern

Description
A regular expression pattern and its resulting configuration context.
Type name
ContextPatternForClientCertificateContextExtractor
Class
com.airlock.iam.common.application.configuration.context.ContextPatternForClientCertificateContextExtractor
May be used by
Properties
Pattern (pattern)
Description
Regular expression pattern matched against the distinguished name.
Attributes
RegEx
Mandatory
Configuration Context (configurationContext)
Description
The configuration context identifier.
Use "[DEFAULT]" to explicitly return the default context.
Attributes
String
Mandatory
Example
ch1
Example
A
Example
[DEFAULT]
YAML Template (with default values)

type: ContextPatternForClientCertificateContextExtractor
id: ContextPatternForClientCertificateContextExtractor-xxxxxx
displayName: 
comment: 
properties:
  configurationContext:
  pattern:

Client Certificate PEM Format

Description
The mTLS client certificate is expected in URL encoded PEM format.

If an invalid format is presented, the certificate cannot be extracted.

Type name
ClientCertificatePemExtractionFormat
Class
com.airlock.iam.common.application.configuration.gateway.extractor.ClientCertificatePemExtractionFormatConfig
May be used by
Properties
YAML Template (with default values)

type: ClientCertificatePemExtractionFormat
id: ClientCertificatePemExtractionFormat-xxxxxx
displayName: 
comment: 
properties:

Client Certificate XFCC Format

Description
The mTLS client certificate is expected in XFCC (x-forwarded-client-cert) header format as specified by Envoy proxy.

The XFCC is a proxy header which indicates certificate information of part or all of the clients or proxies that a request has flowed through, on its way from the client to the server.

IAM requires the Cert key to be set in the XFCC header; its value contains the URL encoded PEM certificate.

Envoy and other proxies in between, e.g. Airlock Microgateway, must be configured accordingly.

If an invalid format is presented, the certificate cannot be extracted.

Type name
ClientCertificateXfccExtractionFormat
Class
com.airlock.iam.common.application.configuration.gateway.extractor.ClientCertificateXfccExtractionFormatConfig
May be used by
Properties
YAML Template (with default values)

type: ClientCertificateXfccExtractionFormat
id: ClientCertificateXfccExtractionFormat-xxxxxx
displayName: 
comment: 
properties:

Client Fingerprinting Score Risk Extractor

Description
Risk Extractor that extracts the Airlock Gateway (WAF) client fingerprinting (CFP) score and compares it to the configured threshold. No tags are granted if the request does not contain a CFP score environment cookie.
Type name
ClientFingerprintingScoreRiskExtractor
Class
com.airlock.iam.authentication.application.configuration.risk.extractor.clientfingerprinting.ClientFingerprintingScoreRiskExtractorConfig
May be used by
Properties
Client Fingerprinting Score Threshold (clientFingerprintingThreshold)
Description
This property defines the client fingerprinting (CFP) score threshold: If the CFP score reported by the Airlock Gateway (WAF) is higher than or equal to the threshold, it is considered to be a 'match'. Otherwise, it is considered to be a 'mismatch'. Please refer to the Airlock Gateway manual for further information about client fingerprinting.
Attributes
Integer
Mandatory
Tags When Above Or Equal Threshold (tagsWhenAboveOrEqualThreshold)
Description
The tags to grant if the current request's client fingerprinting score is higher than or equal to the configured threshold.
Attributes
Plugin-List
Optional
Assignable plugins
Tags When Below Threshold (tagsWhenBelowThreshold)
Description
The tags to grant if the current request's client fingerprinting score is lower than the configured threshold.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: ClientFingerprintingScoreRiskExtractor
id: ClientFingerprintingScoreRiskExtractor-xxxxxx
displayName: 
comment: 
properties:
  clientFingerprintingThreshold:
  tagsWhenAboveOrEqualThreshold:
  tagsWhenBelowThreshold:

Client ID Custom Claim

Description
A custom claim for the Client ID.
Type name
CustomClientIdClaim
Class
com.airlock.iam.oauth2.application.configuration.claims.CustomClientIdClaimConfig
May be used by
License-Tags
OAuthServer
Properties
Claim Name (claimName)
Description
The name (JSON key) of the claim.

Attention: If a custom claim with this same claim name already exists, it will result in a runtime error.

Using a registered claim name (see RFC 7519) might cause the claim to be ignored or an exception to be thrown.
Attributes
String
Mandatory
Example
firstname
Example
street
Example
zip
Example
country
Example
roles
Claim Condition (claimCondition)
Description

This custom claim will only be added to the issued token if the configured condition is satisfied.

If no condition is configured, the custom claim will always be added.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: CustomClientIdClaim
id: CustomClientIdClaim-xxxxxx
displayName: 
comment: 
properties:
  claimCondition:
  claimName:

Client ID From Request

Description
Accepts a Client ID specified in the request if no client exists by this name yet.
Warning: the specification explicitly forbids clients to create their own client identifier due to privacy and security issues. Use this plugin with caution.
Type name
ClientIdFromRequest
Class
com.airlock.iam.techclientreg.application.configuration.registration.clientid.ClientIdFromRequestConfig
May be used by
License-Tags
TechClientRegistration
Properties
Request Parameter (requestParameter)
Description
The request parameter containing the Client ID. Must not be one of the standard parameters specified in the RFC (e.g. client_id).
Attributes
String
Mandatory
YAML Template (with default values)

type: ClientIdFromRequest
id: ClientIdFromRequest-xxxxxx
displayName: 
comment: 
properties:
  requestParameter:

Client ID From Subject Token (OAuth 2.0 Token Exchange)

Description

Sets the claim value to that of the subject token's "client_id" data.

Only string values are considered. If the subject token's "client_id" data is not a string value, the token exchange request will lead to an invalid request error.

Type name
OAuth2TokenExchangeJwtSubjectTokenClientIdClaimValue
Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtSubjectTokenClientIdClaimValueConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
YAML Template (with default values)

type: OAuth2TokenExchangeJwtSubjectTokenClientIdClaimValue
id: OAuth2TokenExchangeJwtSubjectTokenClientIdClaimValue-xxxxxx
displayName: 
comment: 
properties:

Client ID Of Authenticated Client (OAuth 2.0 Token Exchange)

Description
Sets the claim value to that of the authenticated client ID.
Type name
OAuth2TokenExchangeJwtAuthenticatedClientIdStringClaimValue
Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtAuthenticatedClientIdStringClaimValueConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
YAML Template (with default values)

type: OAuth2TokenExchangeJwtAuthenticatedClientIdStringClaimValue
id: OAuth2TokenExchangeJwtAuthenticatedClientIdStringClaimValue-xxxxxx
displayName: 
comment: 
properties:

Client IP SAML 2.0 Attribute

Description
A SAML 2.0 attribute containing the client IP address.
Type name
ClientIpAttribute
Class
com.airlock.iam.saml2.application.configuration.assertion.attribute.ClientIpAttributeConfig
May be used by
License-Tags
SamlIdp
Properties
Attribute Name (samlAttributeName)
Description
The name of the attribute to add to the assertion.
Attributes
String
Mandatory
Example
ClientIP
Name Format (nameFormat)
Description
The NameFormat to use for the attribute.
Attributes
String
Optional
Default value
urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Suggested values
urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
YAML Template (with default values)

type: ClientIpAttribute
id: ClientIpAttribute-xxxxxx
displayName: 
comment: 
properties:
  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  samlAttributeName:

Client Name Processor

Description
Processes the "client_name" metadata attribute. The value is taken from the request as long as it matches the configured regular expression and doesn't exceed the length limit imposed by the database.
If not configured, no "client_name" is stored, and the client is simply displayed as "DCR OAuth 2.0 Client".
Type name
ClientNameProcessor
Class
com.airlock.iam.techclientreg.application.configuration.registration.ClientNameProcessorConfig
May be used by
License-Tags
TechClientRegistration
Properties
Allowed Values (allowedValues)
Description
Regular expression limiting the client names requested by the client.
Attributes
RegEx
Optional
Default value
[a-zA-Z0-9 _.-]+
Mandatory (mandatory)
Description
If the attribute is mandatory a valid value is required, or else an error is returned. If it is not mandatory, invalid values are silently ignored.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: ClientNameProcessor
id: ClientNameProcessor-xxxxxx
displayName: 
comment: 
properties:
  allowedValues: [a-zA-Z0-9 _.-]+
  mandatory: false

Coloring Rule

Description
Defines a coloring rule for the log viewer based on a regular expression.
Type name
ColoringRule
Class
com.airlock.iam.admin.application.configuration.logviewer.ColoringRule
May be used by
Properties
Regexp Pattern String (regexpPatternString)
Description
Defines the regular expression pattern matched against the log level and the message. The matching is case-insensitive. The pattern must match part of the level or message. Use "^" and "$" to be sure it matches the whole level or message.
Attributes
RegEx
Mandatory
Foreground Color (foregroundColor)
Description
Foreground color (font) of the log message.
Attributes
String
Optional
Default value
black
Allowed values
black, white, red, blue, green, yellow, orange, purple
Background Color (backgroundColor)
Description
Background color of the log message.
Attributes
String
Optional
Default value
white
Allowed values
black, white, red, blue, green, yellow, orange, purple
Foreground Color For Meta Data (foregroundColorForMetaData)
Description
Metadata color of the log message.
Attributes
String
Optional
Default value
black
Allowed values
black, white, red, blue, green, yellow, orange, purple
YAML Template (with default values)

type: ColoringRule
id: ColoringRule-xxxxxx
displayName: 
comment: 
properties:
  backgroundColor: white
  foregroundColor: black
  foregroundColorForMetaData: black
  regexpPatternString:

Combined Password Hash

Description
Combined password hash plugin that uses one defined PasswordHash for hash generation and a list of PasswordHash functions for checking / verification. Verification passes if one of the configured hashes can verify the password against its hash.
Type name
CombinedPasswordHash
Class
com.airlock.iam.core.misc.util.password.hash.CombinedPasswordHash
May be used by
Properties
YAML Template (with default values)

type: CombinedPasswordHash
id: CombinedPasswordHash-xxxxxx
displayName: 
comment: 
properties:
  hashForGeneration:
  hashesForVerification:

Combining Context Extractor

Description
Combines two or more context extractors in the following way: Iterates over the list of configured context extractors and returns the first specific context (even if it is the explicit default context). If no context extractor returns a context, the fallback context is used.
Type name
CombiningContextExtractor
Class
com.airlock.iam.core.misc.util.context.CombiningContextExtractor
May be used by
Properties
Context Extractors (contextExtractors)
Description
Defines the context extractors to be used in order.
Attributes
Plugin-List
Mandatory
Assignable plugins
Fallback Context (fallbackContext)
Description
Name of the context to be used if none of the configured extractors returns a specific context.
Leave empty to implicitly use the default context. If this plugin is used within a "Combining Context Extractor", use "[DEFAULT]" to explicitly return the default context if necessary.
Attributes
String
Optional
Example
CTX1
Example
EXT
Example
[DEFAULT]
YAML Template (with default values)

type: CombiningContextExtractor
id: CombiningContextExtractor-xxxxxx
displayName: 
comment: 
properties:
  contextExtractors:
  fallbackContext:

Combining Extended User Persister

Description
Merges the results of several ExtendedUserPersisters. This only works as expected if every user persister is responsible for a distinct subset of users. Please be aware that the undeletion of a user is not possible.
Type name
CombiningExtendedUserPersister
Class
com.airlock.iam.core.misc.impl.persistency.CombiningExtendedUserPersister
May be used by
Properties
User Insertion Persister (userInsertionPersister)
Description
The persister that will be used when a user gets inserted. Please make sure that this user persister is also included in the list of persisters within this plugin, otherwise the configuration may behave unexpectedly. If this property is left empty, the configuration validates, but the insertion of a user is not possible.
Attributes
Plugin-Link
Optional
Assignable plugins
Persisters (persisters)
Description
The list of persisters in the order they are combined. When a user exists in multiple inner persisters an exception is thrown, or the first persister in this list wins, depending on the configuration flag Allow Duplicates.
Attributes
Plugin-List
Mandatory
Assignable plugins
Allow Duplicates (allowDuplicates)
Description
If this flag is set to true, the result from the first inner persister where the user is found is returned.

Potentially the user may also be found by another persister. If this flag is set to false, all inner persisters are always asked, and if a userId is found by multiple inner persisters, a NotUniqueException is thrown.

Iterator methods are always called on all persisters, but if Allow Duplicates is enabled, no exception is thrown in case of duplicates.

Enabling this flag improves performance but the uniqueness of a user over all inner persisters is not checked any more.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: CombiningExtendedUserPersister
id: CombiningExtendedUserPersister-xxxxxx
displayName: 
comment: 
properties:
  allowDuplicates: false
  persisters:
  userInsertionPersister:

Combining Role Provider

Description
Provides the roles from the configured role providers.
Type name
CombiningRoleProvider
Class
com.airlock.iam.login.application.configuration.targetapp.CombiningRoleProviderConfig
May be used by
Properties
YAML Template (with default values)

type: CombiningRoleProvider
id: CombiningRoleProvider-xxxxxx
displayName: 
comment: 
properties:
  roleProviders:

Combining User Persister

Description
Merges the results of several UserPersisters. This only works as expected if every user persister is responsible for a distinct subset of users.
Type name
CombiningUserPersister
Class
com.airlock.iam.core.misc.impl.persistency.CombiningUserPersister
May be used by
Properties
Persisters (persisters)
Description
The list of persisters in the order they are combined. When a user exists in multiple inner persisters an exception is thrown, or the first persister in this list wins, depending on the configuration flag Allow Duplicates.
Attributes
Plugin-List
Mandatory
Assignable plugins
Allow Duplicates (allowDuplicates)
Description
If this flag is set to true, the result from the first inner persister where the user is found is returned.

Potentially the user may also be found by another persister. If this flag is set to false, all inner persisters are always asked, and if a userId is found by multiple inner persisters, a NotUniqueException is thrown.

Iterator methods are always called on all persisters, but if Allow Duplicates is enabled, no exception is thrown in case of duplicates.

Enabling this flag improves performance but the uniqueness of a user over all inner persisters is not checked any more.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: CombiningUserPersister
id: CombiningUserPersister-xxxxxx
displayName: 
comment: 
properties:
  allowDuplicates: false
  persisters:

Complete Migration Step

Description
A flow step to complete the migration. The step sets the "authMethod" field on the user to the new authentication method and clears the "nextAuthMethod" and "migrationDate" fields.
Type name
CompleteMigrationStep
Class
com.airlock.iam.authentication.application.configuration.migration.CompleteMigrationStepConfig
May be used by
Properties
Target Auth Method (targetAuthMethod)
Description
The user's authentication method is set to the configured target authentication method when the migration is completed.
Attributes
String
Mandatory
Suggested values
MTAN, CRONTO, DEVICE_TOKEN, MATRIX
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CompleteMigrationStep
id: CompleteMigrationStep-xxxxxx
displayName: 
comment: 
properties:
  customFailureResponseAttributes:
  customResponseAttributes:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:
  targetAuthMethod:

Composite Password Service

Description
A password service that takes different password services for each task. This password service is useful in a certificate environment where users don't have any passwords for login but want to set a password for their mobile app.
Type name
CompositePasswordService
Class
com.airlock.iam.core.misc.impl.authen.CompositePasswordService
May be used by
Properties
Check Password Password Service (checkPasswordPasswordService)
Description
This is the password service to use when checking the password.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Change Password Password Service (changePasswordPasswordService)
Description
This is the password service to use when changing the password.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Reset Password Password Service (resetPasswordPasswordService)
Description
This is the password service to use when resetting the password.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: CompositePasswordService
id: CompositePasswordService-xxxxxx
displayName: 
comment: 
properties:
  changePasswordPasswordService:
  checkPasswordPasswordService:
  resetPasswordPasswordService:

Concatenating Context Extractor

Description
Combines two or more context extractors in the following way: Iterates over the list of configured context extractors and returns the concatenation of all extracted specific contexts (ignoring DEFAULT contexts) as result context. If no configured context extractor returns a specific context, the fallback context is used.
Type name
ConcatenatingContextExtractor
Class
com.airlock.iam.core.misc.util.context.ConcatenatingContextExtractor
May be used by
Properties
Context Extractors (contextExtractors)
Description
Defines one of the context extractors to be used in order. Use the group/selector notation to specify a list of context extractors.
Attributes
Plugin-List
Mandatory
Assignable plugins
Fallback Context (fallbackContext)
Description
Name of the context to be used if none of the configured extractors returns a non-default context.
Leave empty to implicitly use the default context. If this plugin is used within a "Combining Context Extractor", use "[DEFAULT]" to explicitly return the default context if necessary.
Attributes
String
Optional
Example
CTX1
Example
EXT
Example
[DEFAULT]
YAML Template (with default values)

type: ConcatenatingContextExtractor
id: ConcatenatingContextExtractor-xxxxxx
displayName: 
comment: 
properties:
  contextExtractors:
  fallbackContext:

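The three context extractors described above (Client Certificate, Combining and Concatenating Context Extractor) modelled as an added Python example; this is not Airlock IAM code. The DN values are constructed, and find-style regex matching and the empty concatenation delimiter are assumptions of this example, which is why the patterns are anchored.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Added example, not Airlock IAM code. It models the context-extractor semantics
# described in the reference so the "[DEFAULT]" / empty-fallback rules can be checked.
DEFAULT_CONTEXT = "[DEFAULT]"   # explicit default marker, as in the reference


@dataclass
class ClientCertificate:
    """Constructed stand-in for the extracted client certificate: only the two
    DNs the Client Certificate Context Extractor looks at."""
    issuer_dn: str
    subject_dn: str


@dataclass
class ContextPattern:
    """Mirrors 'Client Certificate Context Extractor Pattern' (pattern + context)."""
    pattern: str
    configuration_context: str


class ClientCertificateContextExtractor:
    def __init__(self, mappings: Sequence[ContextPattern],
                 match_against_subject_dn: bool = False,
                 fallback_context: str = "") -> None:
        # Compiled in configured order: the first matching pattern wins.
        self.mappings: List[Tuple[re.Pattern, str]] = [
            (re.compile(m.pattern), m.configuration_context) for m in mappings]
        self.match_against_subject_dn = match_against_subject_dn
        # An empty fallback means "no specific context" (implicit default): None.
        self.fallback: Optional[str] = fallback_context or None

    def extract(self, cert: Optional[ClientCertificate]) -> Optional[str]:
        """Return a context name, '[DEFAULT]', or None (no context returned)."""
        if cert is None:                      # no certificate could be extracted
            return self.fallback
        dn = cert.subject_dn if self.match_against_subject_dn else cert.issuer_dn
        for regex, ctx in self.mappings:
            # Assumption of this example: partial (find-style) matching. This is
            # why the configured patterns below are anchored with ^ and $.
            if regex.search(dn):
                return ctx
        return self.fallback


class CombiningContextExtractor:
    """The first extractor returning any context wins, '[DEFAULT]' included."""
    def __init__(self, extractors, fallback_context: str = "") -> None:
        self.extractors = list(extractors)
        self.fallback: Optional[str] = fallback_context or None

    def extract(self, cert: Optional[ClientCertificate]) -> Optional[str]:
        for extractor in self.extractors:
            ctx = extractor.extract(cert)
            if ctx is not None:
                return ctx
        return self.fallback


class ConcatenatingContextExtractor:
    """Concatenates all specific contexts, ignoring '[DEFAULT]' results."""
    def __init__(self, extractors, fallback_context: str = "") -> None:
        self.extractors = list(extractors)
        self.fallback: Optional[str] = fallback_context or None

    def extract(self, cert: Optional[ClientCertificate]) -> Optional[str]:
        parts = [c for c in (e.extract(cert) for e in self.extractors)
                 if c is not None and c != DEFAULT_CONTEXT]
        # Assumption: plain concatenation; the reference names no delimiter.
        return "".join(parts) if parts else self.fallback


def resolve_context(ctx: Optional[str]) -> str:
    """Map an extractor result to the configuration context that is loaded:
    None (implicit) and '[DEFAULT]' (explicit) both end in the default context."""
    return "default" if ctx in (None, DEFAULT_CONTEXT) else ctx


# Constructed sample certificates (placeholder DNs, not from the reference).
PARTNER_CERT = ClientCertificate(
    issuer_dn="CN=Partner CA,O=Example Corp,C=CH",
    subject_dn="CN=alice,OU=Partners,O=Example Corp,C=CH")
LOOKALIKE_CERT = ClientCertificate(
    issuer_dn="CN=Partner CA,O=Example Corp Evil,C=XX",
    subject_dn="CN=mallory,O=Example Corp Evil,C=XX")

# Anchored issuer pattern: an unanchored r"O=Example Corp" would also match the
# lookalike issuer "O=Example Corp Evil" and hand it the partner context.
issuer_extractor = ClientCertificateContextExtractor(
    [ContextPattern(r"^CN=Partner CA,O=Example Corp,C=CH$", "CTX1")])
subject_extractor = ClientCertificateContextExtractor(
    [ContextPattern(r"^CN=[^,]+,OU=Partners,", "EXT")],
    match_against_subject_dn=True, fallback_context=DEFAULT_CONTEXT)
country_extractor = ClientCertificateContextExtractor(
    [ContextPattern(r",C=XX$", "XX")])

# Same extractors, different combination rules: the explicit "[DEFAULT]" from
# subject_extractor stops the Combining extractor but not the Concatenating one.
combining = CombiningContextExtractor(
    [issuer_extractor, subject_extractor, country_extractor])
concatenating = ConcatenatingContextExtractor(
    [issuer_extractor, subject_extractor, country_extractor])

if __name__ == "__main__":
    for name, cert in (("partner", PARTNER_CERT), ("lookalike", LOOKALIKE_CERT),
                       ("no cert", None)):
        print(name, resolve_context(combining.extract(cert)),
              resolve_context(concatenating.extract(cert)))
```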
Concatenating Data Transformer

Description
Concatenates the entries of a list of strings with ',' as delimiter. A use case of this transformer is concatenating multivalued attributes which have been loaded from an LDAP in order to store them as a single value on a database.

Values which have been transformed by this transformer are guaranteed to be of type java.lang.String.

Type name
ConcatenatingDataTransformer
Class
com.airlock.iam.core.misc.util.datatransformer.ConcatenatingDataTransformer
May be used by
Properties
Attributes (attributes)
Description
Selects the attributes to apply the replacement to.
Use the asterisk character ("*") to replace all attributes.
Attributes
String-List
Mandatory
YAML Template (with default values)

type: ConcatenatingDataTransformer
id: ConcatenatingDataTransformer-xxxxxx
displayName: 
comment: 
properties:
  attributes:

Condition-based Role Provider

Description
Provides a list of roles depending on a flow condition.
Type name
ConditionBasedRoleProvider
Class
com.airlock.iam.login.application.configuration.targetapp.ConditionBasedRoleProviderConfig
May be used by
Properties
Condition (condition)
Description
Condition that has to be fulfilled for these roles to be provided.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Roles (roles)
Description
Roles to be provided.
Attributes
String-List
Mandatory
YAML Template (with default values)

type: ConditionBasedRoleProvider
id: ConditionBasedRoleProvider-xxxxxx
displayName: 
comment: 
properties:
  condition:
  roles:

Conditional Identity Propagator

Description
Identity propagator that can check multiple conditions before deciding to propagate the identity. The conditions can be set so that all have to be true or only one (see "Conditions Logic Mode" property).
Type name
ConditionalIdentityPropagator
Class
com.airlock.iam.core.misc.impl.sso.ConditionalIdentityPropagator
May be used by
Properties
Conditions Logic Mode (conditionsLogicMode)
Description
Determines how the conditions are logically connected.
  • AND: All conditions must be true.
  • OR: At least one condition must be true.
Attributes
Enum
Optional
Default value
AND
Conditions (conditions)
Description
The conditions to be checked. How the conditions are connected is determined by the "Conditions Logic Mode" above (e.g. AND or OR).
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: ConditionalIdentityPropagator
id: ConditionalIdentityPropagator-xxxxxx
displayName: 
comment: 
properties:
  conditions:
  conditionsLogicMode: AND
  identityPropagator:

Conditional Risk-based Role Derivation

Description
An access policy rule deriving new roles from existing roles and Risk Tags by combining logical conditions.
Type name
ConditionalRiskBasedRoleDerivation
Class
com.airlock.iam.authentication.application.configuration.risk.accesspolicy.condition.ConditionalRiskBasedRoleDerivationConfig
Properties
Conditions (conditions)
Description
This rule only matches if all of the defined conditions match.
Attributes
Plugin-List
Mandatory
Assignable plugins
Target Roles (targetRoles)
Description
The resulting roles if all required conditions can be satisfied.
Attributes
String-List
Mandatory
YAML Template (with default values)

type: ConditionalRiskBasedRoleDerivation
id: ConditionalRiskBasedRoleDerivation-xxxxxx
displayName: 
comment: 
properties:
  conditions:
  targetRoles:

Conditional Value Map Provider

Description
Optionally relays the values of another Value Map Provider, depending on the evaluation of a flow condition.
Type name
ConditionalValueMapProvider
Class
com.airlock.iam.flow.shared.application.configuration.valueprovider.ConditionalValueMapProviderConfig
May be used by
Step for Public Self-Service Delete FIDO Credential Initiation Step Delete FIDO Credential Initiation Step Delete Cronto Device Initiation Step Delete Cronto Device Initiation Step FIDO Public Self-Service Approval Step FIDO Public Self-Service Approval Step Public Self-Service OATH OTP Approval Step Public Self-Service OATH OTP Approval Step Disable Cronto Device Initiation Step Disable Cronto Device Initiation Step FIDO Self-Service Approval Step FIDO Self-Service Approval Step
Properties
Condition (condition)
Description
A condition that must be met for this Value Map Provider to relay the values of the embedded Value Map Provider.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: ConditionalValueMapProvider
id: ConditionalValueMapProvider-xxxxxx
displayName: 
comment: 
properties:
  condition:
  valueMapProvider:

Configurable Error Mapper

Description
Defines how to respond based on configuration.
Type name
ConfigurableErrorMapperFactory
Class
com.airlock.iam.login.app.misc.configuration.oneshot.ConfigurableErrorMapperFactory
May be used by
Properties
Responses by Authentication Failure Type (authenticationFailures)
Description

Maps authentication failure types to HTTP error responses.

The authentication failure types can be defined by the authenticator. Known types seen in one-shot flow:

  • "user not found"
  • "user required"
  • "user name ambiguous"
  • "user locked"
  • "user temporarily locked"
  • "user invalid"
  • "user not permitted at this time"
  • "user not permitted at this client"
  • "device blocked"
  • "device busy with another authentication request"
  • "unspecified"
  • "password required"
  • "password wrong"
  • "password change required"
  • "token required"
  • "token wrong"
  • "next token required"
  • "binding token required"
  • "token expired"
  • "certificate required"
  • "certificate does not match user"
  • "certificate not yet valid"
  • "certificate expired"
  • "certificate revoked"
  • "certificate issuer not trusted"
Note that more failure types may be added as the authenticator interface evolves.

Attributes
Plugin-Map
Optional
Assignable plugins
Default Authentication Failure Response (defaultAuthenticationFailure)
Description
Specifies how to respond in case no specific authentication failure type matches.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Failure Response (user has no access) (userHasNoAccess)
Description
Defines how to respond if the user has no access to the target application/service (authorization failure).
Attributes
Plugin-Link
Optional
Assignable plugins
Credential Extraction Failure Response (credentialCannotBeExtracted)
Description
Defines how to respond if the credential cannot be extracted from the request.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: ConfigurableErrorMapperFactory
id: ConfigurableErrorMapperFactory-xxxxxx
displayName: 
comment: 
properties:
  authenticationFailures:
  credentialCannotBeExtracted:
  defaultAuthenticationFailure:
  userHasNoAccess:

Configurable HTTP CRL Obtainer

Description
Obtains a CRL by delegating to other obtainers. Optionally, a dedicated obtainer can be configured for each CRL URL; URLs without such a configuration use the default obtainer. To improve performance and reduce bottlenecks at startup, CRLs can be persisted (e.g. in a file). Only CRLs located at HTTP(S) URLs are considered.
Type name
MultiIssuerConfigurableHTTPCrlObtainer
Class
com.airlock.iam.core.misc.impl.cert.crl.MultiIssuerConfigurableHTTPCrlObtainer
May be used by
Properties
Cache Persister (cachePersister)
Description
Persists the CRL in a cache for faster access after a server (re-)start.
Attributes
Plugin-Link
Optional
Assignable plugins
Default Obtainer (defaultObtainer)
Description
The obtainer that is used by default (if no special obtainer is configured for that URL).
Attributes
Plugin-Link
Optional
Assignable plugins
Overwriting Obtainers (overwritingObtainers)
Description
A map of URLs to obtainers. Whenever the CRL at the given URL is accessed the defined obtainer is used instead of the default obtainer.
Attributes
Plugin-Map
Optional
Assignable plugins
YAML Template (with default values)

type: MultiIssuerConfigurableHTTPCrlObtainer
id: MultiIssuerConfigurableHTTPCrlObtainer-xxxxxx
displayName: 
comment: 
properties:
  cachePersister:
  defaultObtainer:
  overwritingObtainers:

Configuration-based Authenticator

Description
This authenticator allows a list of users to be configured statically, e.g. to define a short list of admins without setting up an additional database.
Type name
ConfigurationBasedAuthenticator
Class
com.airlock.iam.core.misc.impl.authen.ConfigurationBasedAuthenticator
May be used by
Properties
Users (users)
Description
List of statically configured users. Any number of users can be added, each with a statically configured username, password and roles.
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: ConfigurationBasedAuthenticator
id: ConfigurationBasedAuthenticator-xxxxxx
displayName: 
comment: 
properties:
  users:

Configured User Data

Description
Basic information for statically configured users. Only username, password and roles are stored for these users.
Type name
ConfiguredUserData
Class
com.airlock.iam.core.misc.impl.authen.ConfiguredUserData
May be used by
Properties
Username (username)
Description
The name of the authenticated user.
Attributes
String
Mandatory
Length >= 3
Example
admin
Example
joe
Password (password)
Description
Password for the user.
Attributes
String
Mandatory
Sensitive
Roles (roles)
Description
Roles granted to the authenticated user.
Attributes
String-List
Optional
YAML Template (with default values)

type: ConfiguredUserData
id: ConfiguredUserData-xxxxxx
displayName: 
comment: 
properties:
  password:
  roles:
  username:

Contacts Processor

Description
Processes the "contacts" metadata attribute. The values are taken from the request as long as they match the configured regular expression and don't exceed the length limits imposed by the database.
Type name
ContactsProcessor
Class
com.airlock.iam.techclientreg.application.configuration.registration.ContactsProcessorConfig
May be used by
License-Tags
TechClientRegistration
Properties
Allowed Contacts (allowedContacts)
Description
Regex limiting the contacts values provided by the client. Typically email addresses.
Attributes
RegEx
Optional
Default value
[a-zA-Z0-9 _.@-]+
Mandatory (mandatory)
Description
If the attribute is mandatory, a valid value is required; otherwise an error is returned. If it is not mandatory, invalid values are silently ignored.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: ContactsProcessor
id: ContactsProcessor-xxxxxx
displayName: 
comment: 
properties:
  allowedContacts: [a-zA-Z0-9 _.@-]+
  mandatory: true

Context Data Access Rule

Description
Defines fine-grained permissions on context data.
Type name
ContextDataAccessRule
Class
com.airlock.iam.admin.application.configuration.ContextDataAccessRule
May be used by
Properties
Context Data Field (contextDataField)
Description
The name of a context data column for which to configure the access.
Attributes
String
Mandatory
Roles (roles)
Description
Defines the set of required roles needed to access the resource. Multiple roles are specified as a comma-separated list. Without a value, access is always denied. The special value 'NO RESTRICTION' allows access for any authenticated admin, without role restrictions.
Attributes
String
Optional
Suggested values
NO RESTRICTION, useradmin, tokenadmin, helpdesk, sysadmin, superadmin, useradmin,tokenadmin, useradmin,helpdesk, tokenadmin,helpdesk, sysadmin,superadmin, useradmin,tokenadmin,helpdesk,sysadmin,superadmin
YAML Template (with default values)

type: ContextDataAccessRule
id: ContextDataAccessRule-xxxxxx
displayName: 
comment: 
properties:
  contextDataField:
  roles:

Context Data Changed

Description
Event that is published when a user's context data is changed.
Type name
ContextDataChangedSubscribedEvent
Class
com.airlock.iam.common.application.configuration.event.ContextDataChangedSubscribedEventConfig
May be used by
Properties
Field Name Pattern (fieldNamePattern)
Description
The event is only handled by this subscriber, if at least one of the changed context data fields matches this pattern.
Attributes
RegEx
Optional
Default value
.*
YAML Template (with default values)

type: ContextDataChangedSubscribedEvent
id: ContextDataChangedSubscribedEvent-xxxxxx
displayName: 
comment: 
properties:
  fieldNamePattern: .*

Context Data Condition

Description
Condition that matches the value of a context data field against a configurable pattern.
Type name
ContextDataCondition
Class
com.airlock.iam.core.misc.impl.sso.ContextDataCondition
May be used by
Properties
Name (name)
Description
The name of the context data field to check.
Attributes
String
Mandatory
Pattern (pattern)
Description
The pattern to match the context data field with.
Attributes
RegEx
Mandatory
YAML Template (with default values)

type: ContextDataCondition
id: ContextDataCondition-xxxxxx
displayName: 
comment: 
properties:
  name:
  pattern:

Context Data Item

Description
Context data to include in the created IAM user.
Type name
ContextDataItem
Class
com.airlock.iam.oauth2.application.configuration.accountregistration.ContextDataItemConfig
May be used by
License-Tags
OAuthSocialRegistration
Properties
Context Data Item Name (contextDataItemName)
Description
The name of the context data item of the provider account.

To be able to obtain the context data value, an 'OAuth 2.0 Remote Context Data Resource' whose 'Local Context Data Key' equals this value must be added to the resource mappings.

Attributes
String
Mandatory
Example
surname
Example
givenname
Example
email
Optional (optional)
Description
Defines whether the context data value has to be present or not. If a mandatory property is missing, the user will not be created.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: ContextDataItem
id: ContextDataItem-xxxxxx
displayName: 
comment: 
properties:
  contextDataItemName:
  optional: false

Context Data Item (Airlock 2FA Account Display Name)

Description
Provides the value of a configured context data field as the display name during the user's enrollment for Airlock 2FA.
Type name
Airlock2FAContextDataDisplayNameProvider
Class
com.airlock.iam.factor.application.configuration.airlock2fa.Airlock2FAContextDataDisplayNameProviderConfig
May be used by
License-Tags
Airlock2FA
Properties
Context Data Name (contextDataName)
Description
Name of the context data field whose value is used as the display name during the user's enrollment.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Mandatory (mandatory)
Description
If enabled, it is mandatory that the context data field be non-blank, otherwise attempting to create an Airlock 2FA account will result in an error. If disabled and the context data field is blank, then no display name will be provided.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: Airlock2FAContextDataDisplayNameProvider
id: Airlock2FAContextDataDisplayNameProvider-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  mandatory: false

Context Data Map

Description

Provides all context data of the current user. The keys of the context data items are provided as defined in the Loginapp's user store.

The "username" is always part of the map, even if it is not explicitly part of the context data.

Type name
ContextDataValueMapProvider
Class
com.airlock.iam.flow.shared.application.configuration.valueprovider.ContextDataValueMapProviderConfig
May be used by
User Identification By Data Step, OAuth 2.0 Consent Grant Initiation Step, FIDO Registration Step, Set Context Data Step, Legacy ID Propagation Adapter, mTAN Message Provider, Airlock 2FA Activation Trusted Session Binding Step, Selection Step for Self-Service, Cronto Device Reset Step, Airlock 2FA Authentication Step, OAuth 2.0 Client Persisting Step, Send Email Link Step, Phone Number Verification Step, Set Authentication Method Step, Email OTP Authentication Step, FIDO Transaction Approval Step, HTTP Basic Authentication Step, Delete OAuth 2.0 Session Initiation Step, Secret Questions Identity Verification Step, SSI Passwordless Authentication Step, Translated String Provider, User Data Registration Step, Failure Step, Select mTAN Token Step, SAML 2.0 SP User Identifying Step, Account Link Removal Initiation Step, No Operation Step, Cronto Transaction Approval Step, OAuth 2.0 Client Registration Step, Password Change Self-Service Step, Airlock 2FA Device Deletion Initiation Step, Apply Changes Step, Airlock 2FA Activation Step (with additional Activation), Enable Cronto Push Initiation Step, Start User Representation Step, Representation SSO Ticket Identifying Step, User Role Assignment Step, Email Verification Step, OATH OTP Activation Step, Airlock 2FA Mobile Only Authentication Step, Transforming Value Map Provider, Date From Map Value Provider, Airlock 2FA Public Self-Service Approval Step, FIDO Credential Selection Step, Matrix Self-Service Approval Step, User Data Edit Step, Set Password Step, Cronto Letter Order Step, Username Password Authentication Step, Loginapp Event Settings, Template-based String Provider, Selection Step, Cronto Activation Step, User Identification By Data Step (Public Self-Service), Vasco OTP Authentication Step, User Lock Step, Certificate Credential Extraction Step, Stop User Representation Step, OAuth 2.0 Consents Delete Initiation Step, mTAN Token Edit Step, CrontoSign Swiss Push Activation Step, Airlock 2FA Transaction Approval Step, Missing Account Link Step, Integer From Map Value Provider, User Identification Step, Email Event Subscriber (Loginapp), Rename Cronto Device Step, User Identification with FIDO Authentication Step, Airlock 2FA Recovery Trusted Session Binding Step, User Persisting Step, Email Message Provider, Secret Questions Provisioning Step, Kerberos Authentication Step, Complete Migration Step, Never Migrate Step, Migration Selection Step, Account Link Linking Initiation Step, Username Generation Step, Email Notification Step, Airlock 2FA Activation Letter Order Step, SMS Identity Verification Step, Matrix Public Self-Service Approval Step, Airlock 2FA Device Edit Initiation Step, Enable Cronto Device Initiation Step, Matrix Checking Step, Red Flag Raising Step, Airlock 2FA Message Provider, Scriptable Step, Login From New Device Step, Cronto Message Provider, Password Letter Order Step, Device Token Authentication Step, Unlock User Step (Public Self-Service), Scriptable Validator, Set Authentication Method Migration Step, SSI Issuance Step, FIDO Passwordless Authentication Step, Remember-Me User Identifying Step, Template-based Username Transformer, Password Reset Step, FIDO Authentication Step, On Behalf Login Identity Propagation, Terms Of Services Step, Email Change Verification Step, Vasco OTP Self-Service Approval Step, Airlock 2FA Delete Devices Step, Password-only Authentication Step, SSI Self-Registration Issuance Step, Username Password with FIDO Authentication Step, User Identification Step (Public Self-Service), SSI Verification Step, mTAN Self-Service Approval Step, Legacy Email OTP Authentication Step, Cronto Device Selection Step, Abort Step, mTAN Token Registration Step, Email OTP Transaction Approval Step, SMS Event Subscriber (Loginapp), Disable FIDO Credential Initiation Step, Enable FIDO Credential Initiation Step, OAuth 2.0 SSO Step, String From Map Value Provider, Remember-Me Reset Step, Cronto Authentication Step, Delete Remember-Me Device Initiation Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, Airlock 2FA Usernameless Authentication Step, Email Identity Verification Step, OATH OTP Authentication Step, Vasco OTP Public Self-Service Approval Step, OTP Check via RADIUS Step, Disable Cronto Push Initiation Step, Cronto Public Self-Service Approval Step, OAuth 2.0 Session Reset Step, OAuth 2.0 Consent Deny Initiation Step, mTAN Verification Step, Date And Time From Map Value Provider, Boolean From Map Value Provider, Delete mTAN Number Initiation Step, mTAN Public Self-Service Approval Step, OAuth 2.0 Consent Step, Transaction Approval Parameter Step, Role-based Tag Acquisition Step, Flow Continuation Step, Remember-Me Token Generating Step, Device Token Registration Step, Remote Event Subscriber (Loginapp), Cronto Self-Service Approval Step, SSI Authentication Step, Acknowledge Message Step, Cronto Approval Stealth Step, Ticket String Provider, Airlock 2FA Device Edit Step, Airlock 2FA Self-Service Approval Step, Flow Continuation Token Consumption Step, Device Token Identity Verification Step, mTAN Transaction Approval Step, Risk Assessment Step, mTAN Authentication Step, SSO Ticket Authentication Step, Tag Removal Step, Voluntary Password Change Step, Airlock 2FA Activation Step, FIDO Credential Display Name Change Step, Mandatory Password Change Step, User Unlock Step (Self-Registration), Selection Step for Public Self-Service, Delete FIDO Credential Initiation Step, Delete Cronto Device Initiation Step, Conditional Value Map Provider, FIDO Public Self-Service Approval Step, Public Self-Service OATH OTP Approval Step, Disable Cronto Device Initiation Step, FIDO Self-Service Approval Step
Properties
YAML Template (with default values)

type: ContextDataValueMapProvider
id: ContextDataValueMapProvider-xxxxxx
displayName: 
comment: 
properties:

Context Data Regex Condition

Description
Condition that is fulfilled if the value of the configured context data field matches a specified pattern.
Type name
ContextDataEventCondition
Class
com.airlock.iam.core.misc.persistency.usereventbus.conditions.ContextDataEventCondition
May be used by
Properties
Context Data Key (contextDataKey)
Description

The context data field for which the value is matched against the configured pattern.

For newly created users (before/after insert user events), some context data fields (e.g. the username field or "additional context data") are not available.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Pattern (pattern)
Description
Specifies the pattern that has to match the context data value from the specified key.
Attributes
RegEx
Mandatory
Is Fulfilled If Value Is Null (isFulfilledIfValueIsNull)
Description
If checked, the condition is fulfilled if the provided value is null. If unchecked, the condition is unfulfilled in that situation.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: ContextDataEventCondition
id: ContextDataEventCondition-xxxxxx
displayName: 
comment: 
properties:
  contextDataKey:
  isFulfilledIfValueIsNull: false
  pattern:

Context Data SAML 2.0 Attribute

Description
A SAML 2.0 attribute containing context data of the user.
Type name
ContextDataAttribute
Class
com.airlock.iam.saml2.application.configuration.assertion.attribute.ContextDataAttributeConfig
May be used by
License-Tags
SamlIdp
Properties
Attribute Name (samlAttributeName)
Description
The name of the attribute to add to the assertion.
Attributes
String
Mandatory
Example
givenname
Example
authmethod
Context Data Name (contextDataName)
Description
The context data key to add to the Assertion. If the context data doesn't contain any value for the given key, the attribute will not be included in the assertion.
Attributes
String
Mandatory
Example
givenname
Example
auth_method
Name Format (nameFormat)
Description
The NameFormat to use for the attribute.
Attributes
String
Optional
Default value
urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Suggested values
urn:oasis:names:tc:SAML:2.0:attrname-format:basic, urn:oasis:names:tc:SAML:2.0:attrname-format:uri, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
YAML Template (with default values)

type: ContextDataAttribute
id: ContextDataAttribute-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  samlAttributeName:

Context Data String Custom Claim

Description
A custom context data string claim.
Type name
CustomContextDataStringClaim
Class
com.airlock.iam.oauth2.application.configuration.claims.CustomContextDataStringClaimConfig
May be used by
License-Tags
OAuthServer
Properties
Context Data Name (contextDataName)
Description
The context data field that should be included in the claim. If the value is missing or is not of type string, the claim will not be included in the response.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Claim Name (claimName)
Description
The name (JSON key) of the claim.

Attention: If a custom claim with this same claim name already exists, it will result in a runtime error.

Using a registered claim name (see RFC 7519) might cause the claim to be ignored or an exception to be thrown.
Attributes
String
Mandatory
Example
firstname
Example
street
Example
zip
Example
country
Example
roles
Claim Condition (claimCondition)
Description

This custom claim will only be added to the issued token if the configured condition is satisfied.

If no condition is configured, the custom claim will always be added.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: CustomContextDataStringClaim
id: CustomContextDataStringClaim-xxxxxx
displayName: 
comment: 
properties:
  claimCondition:
  claimName:
  contextDataName:

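The rules given for this claim (skip when the value is missing or not a string, add only when the condition holds, fail on a duplicate claim name, avoid RFC 7519 registered names) can be checked on sample data before touching a running configuration. The following is an added illustration written for this page, not Airlock IAM's own claim code; it assumes a claim configuration shaped as (claim name, context data name, optional condition) and, as its own conservative choice, rejects registered claim names outright where the reference only says they "might" be ignored or raise.

```python
"""Assemble custom string claims from a user's context data (added example)."""
from typing import Any, Callable, Mapping, Optional, Sequence, Tuple

# Registered claim names from RFC 7519, section 4.1.
RFC7519_REGISTERED = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"}

ClaimConfig = Tuple[str, str, Optional[Callable[[Mapping[str, Any]], bool]]]


class ClaimConfigError(ValueError):
    """Raised for configuration problems the reference calls runtime errors."""


def build_custom_claims(context: Mapping[str, Any],
                        claim_configs: Sequence[ClaimConfig]) -> dict:
    """Return the JSON claims to add to an issued token.

    context:       the user's context data (assumed to be a plain mapping here)
    claim_configs: (claimName, contextDataName, claimCondition-or-None) tuples
    """
    claims: dict = {}
    configured_names = set()
    for claim_name, context_key, condition in claim_configs:
        # Registered names are refused (this example's policy, see lead-in).
        if claim_name in RFC7519_REGISTERED:
            raise ClaimConfigError(f"'{claim_name}' is a registered JWT claim name")
        # Two custom claims with the same name are a configuration error,
        # regardless of whether the first one produced a value.
        if claim_name in configured_names:
            raise ClaimConfigError(f"custom claim '{claim_name}' configured twice")
        configured_names.add(claim_name)
        # Claim Condition: without a condition the claim is always considered.
        if condition is not None and not condition(context):
            continue
        value = context.get(context_key)
        # Missing or non-string values mean the claim is left out.
        if not isinstance(value, str):
            continue
        claims[claim_name] = value
    return claims


# Constructed sample context data; "zip" is an int and "roles" a list on
# purpose so that both are dropped by the string-only rule.
SAMPLE_CONTEXT = {
    "username": "alice",
    "firstname": "Alice",
    "zip": 8000,
    "country": "CH",
    "roles": ["user"],
    "premium": "yes",
}

SAMPLE_CONFIG: Sequence[ClaimConfig] = [
    ("firstname", "firstname", None),
    ("zip", "zip", None),
    ("country", "country", lambda ctx: ctx.get("premium") == "yes"),
    ("roles", "roles", None),
]

if __name__ == "__main__":
    print(build_custom_claims(SAMPLE_CONTEXT, SAMPLE_CONFIG))
```

With the sample configuration only `firstname` and `country` survive: `zip` is numeric, `roles` is a list, and `country` is gated by a condition that happens to hold.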
Context Data Uniqueness Check

Description
Ensures that context data values across all users remain unique when user data is imported. Uniqueness checks are only supported on string context fields.
Type name
ContextDataUniquenessCheck
Class
com.airlock.iam.servicecontainer.app.application.configuration.task.xmlimporter.ContextDataUniquenessCheck
May be used by
Properties
Context Data Name (contextDataKey)
Description
The key of the user's context data item to be checked for uniqueness.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Behaviour (behaviour)
Description
The behaviour of the XML File Importer in case of a uniqueness check violation.
  • IGNORE_ATTRIBUTE: The violating context field is ignored, and the import proceeds with the next context fields of the user. Note: If the field is also required through "Required User Info Attributes" the current user is ignored instead.
  • IGNORE_USER: The current user is ignored, and the import proceeds with data for the next user.
  • ABORT: The current user is ignored and the import is aborted. The changes of previous import commands are not rolled back.
Attributes
Enum
Mandatory
YAML Template (with default values)

type: ContextDataUniquenessCheck
id: ContextDataUniquenessCheck-xxxxxx
displayName: 
comment: 
properties:
  behaviour:
  contextDataKey:

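The three behaviours differ in what survives an import that contains a collision, and the "Required User Info Attributes" note changes IGNORE_ATTRIBUTE into a user skip. The following added example, written for this page and not the XML File Importer's own code, re-implements that decision logic on constructed user records so the outcomes can be compared; it assumes users are plain dicts keyed by `username` and that a "store" is just the list of users already imported.

```python
"""Simulate the uniqueness-check behaviours of a user import (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Mapping, Optional, Sequence, Tuple


class Behaviour(Enum):
    IGNORE_ATTRIBUTE = "IGNORE_ATTRIBUTE"
    IGNORE_USER = "IGNORE_USER"
    ABORT = "ABORT"


@dataclass
class ImportResult:
    imported: List[dict]                  # users written to the store, in order
    ignored_users: List[str]              # usernames skipped because of a violation
    dropped_fields: List[Tuple[str, str]]  # (username, field) pairs dropped
    aborted: bool = False


def import_users(records: Iterable[Mapping], unique_keys: Sequence[str],
                 behaviour: Behaviour, required_attributes: Sequence[str] = (),
                 existing: Optional[Iterable[Mapping]] = None) -> ImportResult:
    """Import records one by one, enforcing uniqueness on unique_keys.

    Only string values take part in the check (the reference states that
    uniqueness checks are only supported on string context fields).
    """
    seen = {key: set() for key in unique_keys}
    for user in existing or []:                      # values already in the store
        for key in unique_keys:
            if isinstance(user.get(key), str):
                seen[key].add(user[key])

    result = ImportResult([], [], [])
    for record in records:
        user = dict(record)
        skip_user = False
        for key in unique_keys:
            value = user.get(key)
            if not isinstance(value, str) or value not in seen[key]:
                continue
            # From here on: uniqueness violation on `key`.
            if behaviour is Behaviour.ABORT:
                result.ignored_users.append(user["username"])
                result.aborted = True
                return result          # earlier users stay imported, no rollback
            if behaviour is Behaviour.IGNORE_USER or key in required_attributes:
                skip_user = True       # required field violated: skip the user
                break
            del user[key]              # IGNORE_ATTRIBUTE: drop just this field
            result.dropped_fields.append((user["username"], key))
        if skip_user:
            result.ignored_users.append(user["username"])
            continue
        for key in unique_keys:        # register the accepted values
            if isinstance(user.get(key), str):
                seen[key].add(user[key])
        result.imported.append(user)
    return result


# Constructed sample import: "bob" reuses alice's e-mail address.
SAMPLE_RECORDS = [
    {"username": "alice", "email": "alice@example.com", "phone": "+41 00 000 00 01"},
    {"username": "bob",   "email": "alice@example.com", "phone": "+41 00 000 00 02"},
    {"username": "carol", "email": "carol@example.com", "phone": "+41 00 000 00 03"},
]

if __name__ == "__main__":
    for behaviour in Behaviour:
        print(behaviour.value, import_users(SAMPLE_RECORDS, ["email"], behaviour))
```

Running the sample under each behaviour shows the difference: IGNORE_ATTRIBUTE imports all three users but bob without an e-mail address, IGNORE_USER (or IGNORE_ATTRIBUTE with `email` listed as required) imports alice and carol only, and ABORT stops after alice with bob skipped and carol never processed.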
Context Data User Group Condition

Description
Checks user group membership by comparing a context data attribute with the specified value.
Type name
ContextDataUserGroupCondition
Class
com.airlock.iam.core.misc.impl.persistency.ContextDataUserGroupCondition
May be used by
Properties
Group Name (groupName)
Description
The name of the user group. May be used in log files and may be displayed in the admin tool.
Attributes
String
Mandatory
Example
Administrator
Example
Employee
Example
Customer
Context Property Name (contextPropertyName)
Description
Name of the context data attribute to be examined. Make sure the user persister provides the attribute.
Attributes
String
Mandatory
Example
department
Example
company
Example
distinguishedName
Pattern (pattern)
Description
Regular expression pattern matched against the (default string representation of the) context data value. If it matches, the user is considered to be member of the group.
Attributes
RegEx
Mandatory
YAML Template (with default values)

type: ContextDataUserGroupCondition
id: ContextDataUserGroupCondition-xxxxxx
displayName: 
comment: 
properties:
  contextPropertyName:
  groupName:
  pattern:

Context Data User Validator

Description
Validates a user based on allowed values in a specified context data field.
Type name
ContextDataUserValidator
Class
com.airlock.iam.core.misc.impl.authen.ContextDataUserValidator
May be used by
Properties
Context Field (contextField)
Description
Name of the context field with the values that should be checked. If the user does not have this context field (i.e. it is null), then the user is considered to be invalid.
Attributes
String
Mandatory
Example
status
Example
is_locked
Allowed Values (allowedValues)
Description
List of allowed values for the context data field. The field must contain one of these values in order to be valid.
Attributes
String-List
Mandatory
YAML Template (with default values)

type: ContextDataUserValidator
id: ContextDataUserValidator-xxxxxx
displayName: 
comment: 
properties:
  allowedValues:
  contextField:

Context Data Username

Description
Uses a context data value as username.
Type name
ContextDataUsername
Class
com.airlock.iam.oauth2.application.configuration.accountregistration.ContextDataUsernameConfig
May be used by
License-Tags
OAuthSocialRegistration
Properties
Context Data (contextData)
Description
Context Data to use as username. The value of this context data must be present, else the user creation will fail.

To be able to obtain the context data value, an 'OAuth 2.0 Remote Context Data Resource' with a 'Local Context Data Key' equal to this value must be added to the resource mappings.

Attributes
String
Mandatory
Example
email, mtan_number
YAML Template (with default values)

type: ContextDataUsername
id: ContextDataUsername-xxxxxx
displayName: 
comment: 
properties:
  contextData:

Context Data Username Provider

Description
Provides a username from a context data field.
Type name
ContextDataUsernameProvider
Class
com.airlock.iam.authentication.application.configuration.idpropagation.ContextDataUsernameProviderConfig
May be used by
Properties
Property Name (propertyName)
Description
Name of the context data property from which the username is taken.
Attributes
String
Mandatory
Example
email
Example
applA-name
Mandatory (mandatory)
Description
If enabled, it is mandatory that the context data field be non-empty, otherwise an exception is thrown at identity propagation time. If disabled and the context data field is empty, then no username is supplied and subsequent username providers are asked to supply a name (or the authenticated user ID is used if no provider supplies a username).
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: ContextDataUsernameProvider
id: ContextDataUsernameProvider-xxxxxx
displayName: 
comment: 
properties:
  mandatory: false
  propertyName:

Context Data Username Transformer

Description
This username transformer allows configuring any user store that provides alternative login names (aliases) in its context data. If the entered user name is found as an alias in the context data, it is transformed to the user ID used in the user store.
Type name
ContextDataUsernameTransformer
Class
com.airlock.iam.core.misc.impl.authen.ContextDataUsernameTransformer
May be used by
Properties
User Store (userStore)
Description
The user store which must provide the alternative user name fields (as context data). The transformation result will be the user ID of the matching user record. This user store must provide all the context data columns which are selected as potential user aliases in the context-data-columns property.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Context Data Columns (contextDataColumns)
Description
The names of the context data columns of the underlying user store which may contain an alias. The originally stated user name is looked up in all the context data columns. If there is a match, the user ID of the record in the store becomes the transformation result. If multiple records match, the user cannot log in and user trail logs are written. In this case the alias data is in an inconsistent state and this must be fixed. Thus, the listed columns - including the user ID column - must not contain duplicates.
Note that at least one context data column must be stated for the transformation to be successful.
Attributes
String-List
Mandatory
Check User Store First (checkUserStoreFirst)
Description
For efficiency reasons, the default behaviour of this transformer is to first check whether the user store knows a user ID matching the entered name. This property allows that first check to be disabled.
Setting this property to false is usually not recommended, as matching the user ID first is usually the best strategy.
Disabling the check makes sense in a chain of username transformers where the current input name is known not to be a user ID, e.g. directly after a Primary Key Lookup.
Attributes
Boolean
Optional
Default value
true
Mandatory Transformation (mandatoryTransformation)
Description
Specifies whether or not the transformation is mandatory.
This transformer serves two purposes. It can allow login with an 'alias' in addition to the user ID; in this case set the property to false, because the transformer may or may not be given an alias. Or it can transform the entered user name on the fly into an 'internal identifier' used for further processing; in this case set the property to true, because the 'internal identifier' cannot be used directly as a login name and the transformation must succeed in order to obtain a valid user ID.
Note that a transformation is considered successful if the user name could be resolved, whether or not it was actually changed: if 'Check User Store First' is enabled and the entered name was found directly in the user store, the transformation also counts as successful.
Attributes
Boolean
Optional
Default value
false
Stop After Successful Transformation (stopAfterSuccessfulTransformation)
Description
With this flag the chaining of username transformers can be interrupted. If it is enabled and this transformer resolved the user name (either in a context data column or, with 'Check User Store First' enabled, directly as a user ID in the user store), subsequent username transformers are not executed.
Attributes
Boolean
Optional
Default value
false
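
The following is an added example, not Airlock IAM code: an in-memory model of the alias resolution described by the properties above, on a constructed user store. The `UserStore` class, the `run_chain` helper and the second "legacy" store are assumptions made for the example; in IAM the lookup runs against the configured user store and the chain is the configured list of username transformers. It shows the cases a practitioner should try before going live: a name that is already a user ID, an alias that resolves, an alias stored for two users (login refused), a name that resolves nowhere with and without Mandatory Transformation, and how Stop After Successful Transformation changes the result of a chain.

```python
# Added example (not Airlock IAM code): alias resolution with the semantics
# described for Context Data Username Transformer, on a constructed in-memory
# user store. IAM's real plugin works against a configured user store.
import logging

log = logging.getLogger("user-trail")


class UsernameTransformationError(Exception):
    """Raised when the user cannot log in via this transformer."""


class UserStore:
    """Constructed stand-in for a user store: user ID -> context data."""

    def __init__(self, users):
        self.users = users

    def has_user_id(self, name):
        return name in self.users

    def find_by_context(self, columns, value):
        return sorted(uid for uid, ctx in self.users.items()
                      if any(ctx.get(col) == value for col in columns))


class ContextDataUsernameTransformer:
    def __init__(self, store, context_data_columns, check_user_store_first=True,
                 mandatory_transformation=False,
                 stop_after_successful_transformation=False):
        if not context_data_columns:
            raise ValueError("at least one context data column is required")
        self.store = store
        self.columns = list(context_data_columns)
        self.check_first = check_user_store_first
        self.mandatory = mandatory_transformation
        self.stop = stop_after_successful_transformation

    def transform(self, name):
        """Returns (user_name, resolved). resolved is True also when the input
        was already a user ID and was found directly (Check User Store First)."""
        if self.check_first and self.store.has_user_id(name):
            return name, True
        matches = self.store.find_by_context(self.columns, name)
        if len(matches) > 1:
            # alias data is inconsistent: refuse the login and leave a trail
            log.warning("ambiguous alias %r matches users %s", name, matches)
            raise UsernameTransformationError(f"ambiguous alias {name!r}")
        if matches:
            return matches[0], True
        if self.mandatory:
            raise UsernameTransformationError(f"no user found for {name!r}")
        return name, False  # pass the name on unchanged


def run_chain(transformers, name):
    """Runs a chain of transformers; a resolved name ends the chain only if
    the resolving transformer has stopAfterSuccessfulTransformation set."""
    for t in transformers:
        name, resolved = t.transform(name)
        if resolved and t.stop:
            break
    return name


# Constructed stores: "bob@example.com" is (wrongly) stored for two users,
# and a second store maps old user IDs to new ones.
STORE = UserStore({
    "u100": {"email": "alice@example.com", "badge": "B1"},
    "u200": {"email": "bob@example.com", "badge": "B2"},
    "u300": {"email": "bob@example.com", "badge": "B3"},
})
LEGACY = UserStore({"u999": {"legacy_id": "u100"}})

if __name__ == "__main__":
    t = ContextDataUsernameTransformer(STORE, ["email", "badge"])
    print(t.transform("alice@example.com"))  # ('u100', True)
```

Note that the duplicate "bob@example.com" is only detected when somebody logs in with it; the Context Data Uniqueness Check described earlier on this page is the place to catch such duplicates at import time.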
YAML Template (with default values)

type: ContextDataUsernameTransformer
id: ContextDataUsernameTransformer-xxxxxx
displayName: 
comment: 
properties:
  checkUserStoreFirst: true
  contextDataColumns:
  mandatoryTransformation: false
  stopAfterSuccessfulTransformation: false
  userStore:

Context Pattern

Description
A context extractor matching against the request path.
Type name
ContextPattern
Class
com.airlock.iam.core.misc.util.context.ContextPattern
May be used by
Properties
Pattern (pattern)
Description
Regular expression pattern matched against the request URI.
The matching is done against the part of the request URI after the protocol or after the host (depending on the configuration of the context extractor).
Example: If the request URL is "https://host/blah/blue", the considered path is either "host/blah/blue" (if virtualhost is included) or "/blah/blue" otherwise.

The request path is then matched against the regular expression which must match the entire path, not just a substring.

Important: For SPA URLs under /ui/app/*, only top-level navigation (for example when navigating from an external site using a link or http redirect) can be used for context extraction. Most navigations/clicks within the SPA do not lead to an explicit request to the URL seen in the URL bar.

Attributes
RegEx
Mandatory
Configuration Context (configurationContext)
Description
The resulting configuration context if the regular expression matches.
Use "[DEFAULT]" to explicitly return the default context.
Attributes
String
Mandatory
Example
CTX1
Example
EXT
Example
[DEFAULT]
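
The following is an added example, not Airlock IAM code: a small context extractor that applies the rules stated above (path after the protocol or after the host, regular expression matched against the entire path, "[DEFAULT]" returning the default context) to a constructed list of patterns. Two details are assumptions of this example and should be verified against the configured extractor: only the path is matched (no query string), and patterns are evaluated in list order with the first match winning.

```python
# Added example (not Airlock IAM code): context extraction as described for
# Context Pattern. The considered path is the request URI after the protocol
# (host included) or after the host; the regex must match the whole path.
# Evaluating the patterns in list order, first match wins, is an assumption.
import re
from urllib.parse import urlsplit

DEFAULT_CONTEXT = "[DEFAULT]"


def considered_path(url, include_virtualhost=False):
    """Assumes only the path is matched (the query string is not considered)."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return parts.netloc + path if include_virtualhost else path


def extract_context(url, patterns, include_virtualhost=False):
    """patterns: list of (pattern, configurationContext) as in the plugin.
    Returns the configuration context, or DEFAULT_CONTEXT when nothing
    matches or the matching entry is configured with "[DEFAULT]"."""
    path = considered_path(url, include_virtualhost)
    for pattern, context in patterns:
        if re.fullmatch(pattern, path):  # the entire path, not a substring
            return context
    return DEFAULT_CONTEXT


# Constructed configuration: an external context under /ext, a partner path
# explicitly mapped to the default context, and a catch-all.
PATTERNS = [
    (r"/ext(/.*)?", "EXT"),
    (r"/partner/.*", "[DEFAULT]"),
    (r"/.*", "CTX1"),
]

if __name__ == "__main__":
    for url in ("https://host/ext/login", "https://host/partner/x",
                "https://host/blah/blue"):
        print(url, "->", extract_context(url, PATTERNS))
```

The two pitfalls worth checking with this script: a pattern such as `/ext` matches only the exact path `/ext` and not `/ext/login`, and once the virtual host is included every pattern has to start with the host name, otherwise nothing matches and every request ends up in the default context.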
YAML Template (with default values)

type: ContextPattern
id: ContextPattern-xxxxxx
displayName: 
comment: 
properties:
  configurationContext:
  pattern:

Cookie Mapping

Description
A mapping from a source cookie to a target cookie sent to the Airlock Gateway (WAF) or the client.
Type name
CookieMapping
Class
com.airlock.iam.core.misc.impl.sso.onbehalflogin.CookieMapping
May be used by
Properties
Source Access Cookie Name (sourceAccessCookieName)
Description
The name of the access cookie to be extracted from the HTTP response of the application providing access cookies.
Attributes
String
Mandatory
Example
ACCESS_COOKIE
Example
AUTH_USER
Target Access Cookie Name (targetAccessCookieName)
Description
The name of the access cookie to be sent to the browser or entry server. If this property is not defined, the name of the fetched access cookie is used.
Attributes
String
Optional
Example
ACCESS_COOKIE
Example
AUTH_USER
Target Access Cookie Path (targetAccessCookiePath)
Description
The path for which the cookie is set. The path determines where the cookie is sent by the reverse proxy (or browser).

If the same access cookie is used for all applications, the value "/" can be used. If different tickets are used for different applications, the application's path should be used.

Note that only one access cookie per cookie path and name can exist. Make sure that this cookie name does not clash with other cookies' names. For example, do not use session cookie names such as "JSESSIONID".

Make sure the configuration flag Interpret Cookie Domains is set in the Airlock Gateway (WAF) configuration. If not, the cookie path is ignored and cookies in the cookie store are sent with any back-end HTTP request of the same session. This also means that there may be only one cookie per cookie name!
It is best to consult the corresponding documentation of the web entry server or reverse proxy to get more accurate information on cookie handling.

Attributes
String
Optional
Default value
/
Example
/
Example
/appl1
Example
/appl2
Target Access Cookie Domain (targetAccessCookieDomain)
Description
The domain for which the cookie is set. The domain determines where the cookie is sent by the reverse proxy (or browser).

Because of security restrictions in browsers (same origin policy) it is usually not possible to set a cookie for a different domain unless the right-most two domain parts (e.g. "ergon.ch") are the same as those of the application setting the cookie.
It is possible that there are further restrictions regarding this in browsers.

If you are using an HTTP reverse proxy that stores the cookie in its session store (and does not send it to the client), make sure to understand the proxy's interpretation of the cookie domain and cookie path.

Make sure the configuration flag Interpret Cookie Domains is set in the Airlock Gateway (WAF) configuration. If not the cookie domain is ignored and cookies in the cookie store are sent to any backend HTTP request of the same session. The cookie path is also ignored meaning that there may be only one cookie per cookie name!
The Airlock Gateway also supports the following cookie domain values (if the flag Interpret Cookie Domains is set):

  • The value .* results in cookies being sent to all backend servers. This is especially useful if one authentication ticket is used for multiple backends.
  • The value @<fully-qualified-host> results in the cookie being treated as if it were set by the host specified by "<fully-qualified-host>". If using this value, make sure the corresponding mapping also uses the fully qualified hostname.
It is best to consult the corresponding documentation of the web entry server or reverse proxy to get more accurate information on cookie handling.

Note that only one cookie per cookie path and name can exist. Make sure that this cookie name does not clash with other cookies' names. For example, do not use session cookie names such as "JSESSIONID".

Attributes
String
Optional
Example
.*
Example
@172.16.1.1:80
Set Secure Flag Target Access Cookie (setSecureFlagTargetAccessCookie)
Description
If set to TRUE the "secure"-flag of the cookie is set.

If the cookie is marked as secure, the browser (and any HTTP proxy behaving like a browser) should send the cookie only over secure connections.
Caution: This flag only asks the browser not to transmit the cookie over unencrypted connections. It does not protect the cookie's content; in most cases it is far better to secure the access cookie by encrypting it appropriately.

Attributes
Boolean
Optional
Default value
false
URL Encode Target Cookie Value (urlEncodeTargetCookieValue)
Description
If set to TRUE, the value of the fetched cookie is not passed to the response as is but URL-encoded (using UTF-8).
Attributes
Boolean
Optional
Default value
false
Mandatory (mandatory)
Description
If set to TRUE the cookie must be present in the response or the process will fail.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: CookieMapping
id: CookieMapping-xxxxxx
displayName: 
comment: 
properties:
  mandatory: true
  setSecureFlagTargetAccessCookie: false
  sourceAccessCookieName:
  targetAccessCookieDomain:
  targetAccessCookieName:
  targetAccessCookiePath: /
  urlEncodeTargetCookieValue: false

Cookie Ticket Adder

Description
Adds a ticket string as a response cookie.
Type name
CookieTicketAdder
Class
com.airlock.iam.authentication.application.configuration.idpropagation.CookieTicketAdderConfig
May be used by
Properties
Cookie Name (cookieName)
Description

The name of the cookie used to transport the ticket.

Only one cookie per cookie path and name can exist, therefore the name of this cookie must be distinct from all other cookie names used by this application (such as "JSESSIONID").

Attributes
String
Mandatory
Example
AUTH_TICKET
Cookie Path (cookiePath)
Description

The path for which the cookie is set. This determines with which future requests the cookie will be sent to the server.

To add the cookie to all requests to a given domain, the value "/" can be used. If the cookie should be limited to a certain backend, the corresponding context path should be used.

Only one cookie per cookie path and name can exist, therefore the name of this cookie must be distinct from all other cookies for the same path (such as "JSESSIONID").

When using an Airlock Gateway (WAF), the Gateway configuration flag Interpret Cookie Domains must be set. Otherwise the cookie path is ignored and cookies in the cookie store are sent with back-end HTTP requests of the same session.

Attributes
String
Optional
Default value
/
Example
/
Example
/appl1
Example
/appl2
Cookie Domain (cookieDomain)
Description
The domain for which the cookie is set. This determines with which future requests the cookie will be sent to the server.

Because of security restrictions in browsers (same origin policy) it is usually not possible to set a cookie for a different domain (except subdomains).

Airlock Gateway (WAF) handles cookies differently and allows setting cookies for other domains within the protected infrastructure without exposing them to the internet. The Gateway configuration flag Interpret Cookie Domains needs to be enabled for this feature. If this flag is enabled, the following special domain values are also supported:

  • An empty value results in the cookie only being sent to the origin server that set the cookie.
  • The value .* results in cookies being sent to all back-end servers.
  • Setting a different hostname results in the cookie being sent to the back-end host with that hostname.
Consult the Airlock Gateway documentation for more information on cookie handling.

Attributes
String
Optional
Example
.*
Example
@www.test.com
Example
ergon.ch
Secure Flag (secureFlag)
Description
If enabled, the "secure"-flag of the cookie is set.

If the cookie is marked as secure, the browser (and any HTTP proxy behaving like a browser) should send the cookie only over secure connections.

Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: CookieTicketAdder
id: CookieTicketAdder-xxxxxx
displayName: 
comment: 
properties:
  cookieDomain:
  cookieName:
  cookiePath: /
  secureFlag: true

Cookie Ticket Identity Propagator

Description
An identity propagator based on authentication tickets transported to the target application using a HTTP cookie.

This plugin is usually used together with an entry component that keeps the authentication ticket cookie from being sent to the client and therefore from being exposed to external attacks.
If you intend to send the cookie to the client, it must be protected accordingly by choosing an appropriate ticket encoder.

Type name
CookieTicketIdentityPropagator
Class
com.airlock.iam.core.misc.impl.sso.CookieTicketIdentityPropagator
May be used by
Properties
Cookie Name (cookieName)
Description
The name of the cookie used to transport the authentication ticket.

Note that only one cookie per cookie path and name can exist. Make sure that this cookie name does not clash with other cookies' names. For example, do not use session cookie names such as "JSESSIONID".

Attributes
String
Mandatory
Example
AUTH_TICKET
Example
medusaAuth
Cookie Path (cookiePath)
Description
The path for which the cookie is set. The path determines where the cookie is sent by the reverse proxy (or browser).

If one single authentication ticket is used for all applications, the value "/" can be used. If different tickets are used for different applications, the applications path should be used.

Note that only one cookie per cookie path and name can exist. Make sure that this cookie name does not clash with other cookies' names. For example, do not use session cookie names such as "JSESSIONID".

Make sure the configuration flag Interpret Cookie Domains is set in the Airlock Gateway (WAF) configuration. If not, the cookie path is ignored and cookies in the cookie store are sent to any back-end HTTP request of the same session. This also means that there may be only one cookie per cookie name!
It is best to consult the corresponding documentation of the web entry server or reverse proxy to get more accurate information on cookie handling.

Attributes
String
Optional
Default value
/
Example
/
Example
/appl1
Example
/appl2
Cookie Domain (cookieDomain)
Description
The domain for which the cookie is set. The domain determines where the cookie is sent by the reverse proxy (or browser).

Because of security restrictions in browsers (same origin policy) it is usually not possible to set a cookie for a different domain unless the right-most two domain parts (e.g. "ergon.ch") are the same as those of the application setting the cookie.
It is possible that there are further restrictions regarding this in browsers.

If you are using an HTTP reverse proxy that stores the cookie in its session store (and does not send it to the client), make sure to understand the proxy's interpretation of the cookie domain and cookie path.

Make sure the configuration flag Interpret Cookie Domains is set in the Airlock Gateway (WAF) configuration. If not, the cookie domain is ignored and cookies in the cookie store are sent to any back-end HTTP request of the same session. The cookie path is also ignored, meaning that there may be only one cookie per cookie name!
Airlock also supports the following cookie domain values (if the flag Interpret Cookie Domains is set):

  • An empty value results in the cookie only being sent to the origin server that set the cookie.
  • The value .* results in cookies being sent to all back-end servers. This is especially useful if one authentication ticket is used for multiple back-ends.
  • The value @<fully-qualified-host> results in the cookie being treated as if it were set by the host specified by "<fully-qualified-host>". If using this value, make sure the corresponding mapping also uses the fully qualified hostname.
It is best to consult the corresponding documentation of the web entry server or reverse proxy to get more accurate information on cookie handling.

If one single authentication ticket is used for all applications, the value ".*" can be used. If different tickets are used for different applications, the application's path should be used.

Attributes
String
Optional
Example
.*
Example
@www.test.com
Example
ergon.ch
Ticket Service (ticketService)
Description
The ticket service providing the authentication ticket and knowing what to put into the ticket.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Ticket Encoder (ticketEncoder)
Description
The ticket encoder plugin used to encode the authentication ticket in a string.

Caution: This plugin is usually used together with an entry component that keeps the authentication ticket cookie from being sent to the client and therefore from being exposed to external attacks.
If you intend to send the cookie to the client, it must be protected accordingly by choosing an appropriate ticket encoder.

Note that some ticket encoders do not support ticket expiry, i.e. they do not encode the ticket validity into the ticket.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Fixed Key-Value Pairs (keyValuePairs)
Description
Additional fixed name-value-pairs may be provided to the ticket service.
If supported by the ticket service plugin, this is a way to add such an extra key-value-pair to a ticket.
The key-value-pairs are added to the key-value-pairs passed to this plugin by the calling application. It overwrites existing values with the same key.
Attributes
Plugin-List
Optional
Assignable plugins
URL Encoding Scheme (urlEncodingScheme)
Description
String values should be URL encoded in order to be suitable as cookie values. This optional property defines the URL encoding scheme to be used.
Make sure that the component receiving the ticket uses the same URL encoding scheme.
Attributes
String
Optional
Default value
UTF-8
Allowed values
UTF-8, ISO-8859-1, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, ISO-8859-15
Disable URL Encoding (disableUrlEncoding)
Description
If set to true, the cookie's final value is not URL-encoded (the individual keys and values always are).
Notice that this may result in V1 cookies because the value will most probably contain the '=' character which is not allowed in V0 cookies. Make sure your application supports V1 cookies when disabling this property.
Attributes
Boolean
Optional
Default value
false
Set Secure Flag In Cookie (setSecureFlagInCookie)
Description
If set to TRUE the "secure"-flag of the cookie is set.

If the cookie is marked as secure, the browser (and any HTTP proxy behaving like a browser) should send the cookie only over secure connections.
Caution: This flag only asks the browser not to transmit the cookie over unencrypted connections. It does not protect the ticket itself; in most cases it is far better to secure the authentication ticket by choosing a secure ticket encoder plugin.

Attributes
Boolean
Optional
Default value
false
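
The following is an added example, not Airlock IAM code: it builds a ticket cookie value the way the URL Encoding Scheme and Disable URL Encoding properties describe (keys and values always URL-encoded, the joined string encoded once more unless disabled), renders the Set-Cookie header with the path, domain and Secure attributes, and decodes the value on the receiving side. The `key=value&key=value` layout of the ticket string and the `AUTH_TICKET` cookie name are assumptions of the example; the real format is defined by the ticket encoder. The decoding step shows why the receiving component must use the same scheme: a value encoded with ISO-8859-1 and decoded as UTF-8 comes back corrupted.

```python
# Added example (not Airlock IAM code): how the ticket cookie value is built
# from the URL encoding scheme and the "Disable URL Encoding" flag, and why the
# receiving component must decode with the same scheme. The key=value&... layout
# of the ticket string is an assumption made for this example.
from urllib.parse import quote, unquote


def encode_ticket_value(pairs, scheme="UTF-8", disable_url_encoding=False):
    """Keys and values are always URL-encoded; the joined ticket string is
    URL-encoded once more unless disable_url_encoding is set."""
    body = "&".join(
        f"{quote(k, safe='', encoding=scheme)}={quote(v, safe='', encoding=scheme)}"
        for k, v in pairs)
    return body if disable_url_encoding else quote(body, safe="", encoding=scheme)


def decode_ticket_value(value, scheme="UTF-8", disable_url_encoding=False):
    """Inverse of encode_ticket_value; a wrong scheme corrupts non-ASCII data."""
    body = value if disable_url_encoding else unquote(value, encoding=scheme)
    return [(unquote(k, encoding=scheme), unquote(v, encoding=scheme))
            for k, v in (part.split("=", 1) for part in body.split("&"))]


def needs_v1_cookie(value):
    """Per the plugin description, '=' is not allowed in a V0 cookie value."""
    return "=" in value


def set_cookie_header(name, value, path="/", domain=None, secure=False):
    attrs = [f"{name}={value}", f"Path={path}"]
    if domain:
        attrs.append(f"Domain={domain}")
    if secure:  # only asks the browser not to send it over plain HTTP
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


# Constructed ticket content with a non-ASCII user name.
PAIRS = [("user", "Müller"), ("role", "admin")]

if __name__ == "__main__":
    v = encode_ticket_value(PAIRS, "ISO-8859-1")
    print(set_cookie_header("AUTH_TICKET", v, domain=".*", secure=True))
    print(decode_ticket_value(v, "ISO-8859-1"))  # round-trips
    print(decode_ticket_value(v, "UTF-8"))       # "M\ufffdller": wrong scheme
```

With Disable URL Encoding set, the outer encoding is skipped and the value contains `=` and `&`, which is the V1 cookie situation the property description warns about; `needs_v1_cookie` flags exactly that.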
YAML Template (with default values)

type: CookieTicketIdentityPropagator
id: CookieTicketIdentityPropagator-xxxxxx
displayName: 
comment: 
properties:
  cookieDomain:
  cookieName:
  cookiePath: /
  disableUrlEncoding: false
  keyValuePairs:
  setSecureFlagInCookie: false
  ticketEncoder:
  ticketService:
  urlEncodingScheme: UTF-8

Correlation ID Settings

Description
Defines settings for the correlation ID.
Type name
CorrelationIdSettings
Class
com.airlock.iam.common.application.configuration.logging.CorrelationIdSettingsConfig
May be used by
Properties
Header Name (headerName)
Description
Defines the header from which the correlation ID will be extracted on incoming requests.
Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_-]+
Default value
X-Correlation-ID
Validation Pattern (validationPattern)
Description

The correlation ID that is extracted from the request header will be matched against this regular expression.

If it matches, then it will be logged for the scope of the current HTTP request. Otherwise, the value is rejected, and no correlation ID will be logged.

This can be configured to prevent unexpected values from being written to the log files.

Attributes
RegEx
Optional
Default value
[\x21-\x7E]{2,256}
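
The following is an added example, not Airlock IAM code: it extracts the correlation ID from a request's headers and validates it against the default pattern above before it reaches a log line. The headers are a constructed dictionary and the log line format is made up for the example. The point it demonstrates is the reason for the validation: a client-supplied value containing CR/LF or spaces would let an attacker write a forged log entry, and only a whole-value match (`re.fullmatch`) rejects such a value, since a substring search would still find a valid prefix in it.

```python
# Added example (not Airlock IAM code): extracting and validating a correlation
# ID as described for Correlation ID Settings, with the page's default header
# name and validation pattern. The log line format is made up for the example.
import re

HEADER_NAME = "X-Correlation-ID"
VALIDATION_PATTERN = r"[\x21-\x7E]{2,256}"  # printable ASCII, no whitespace


def extract_correlation_id(headers, header_name=HEADER_NAME,
                           pattern=VALIDATION_PATTERN):
    """headers: dict of request headers (names compared case-insensitively).
    Returns the ID, or None if the header is absent or its value is rejected."""
    value = next((v for k, v in headers.items()
                  if k.lower() == header_name.lower()), None)
    if value is None:
        return None
    # fullmatch: the whole value must match, so CR/LF or spaces anywhere
    # reject it; re.search would accept "ok\r\nERROR forged" because of "ok".
    return value if re.fullmatch(pattern, value) else None


def log_line(headers, message):
    """Prefixes the message with the validated ID, or '-' if none was accepted."""
    cid = extract_correlation_id(headers)
    return f"[corr={cid or '-'}] {message}"


# Constructed requests: a well-formed ID, an attempted log injection,
# a too-short value, and a request without the header.
REQUESTS = [
    {"X-Correlation-ID": "req-7f3a9c"},
    {"x-correlation-id": "ok\r\nERROR forged entry"},
    {"X-Correlation-ID": "x"},
    {"User-Agent": "curl/8.0"},
]

if __name__ == "__main__":
    for h in REQUESTS:
        print(log_line(h, "login attempt"))
```

If you tighten the pattern for your environment (for example to the exact format your load balancer generates), keep the length cap: an unbounded pattern lets a client pad every log line with kilobytes of data.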
YAML Template (with default values)

type: CorrelationIdSettings
id: CorrelationIdSettings-xxxxxx
displayName: 
comment: 
properties:
  headerName: X-Correlation-ID
  validationPattern: [\x21-\x7E]{2,256}

CORS Settings

Description
CORS Settings.
Type name
CorsSettings
Class
com.airlock.iam.common.application.configuration.CorsSettings
May be used by
Properties
Allowed Origins (allowedOrigins)
Description

A list of regular expressions for the origins allowed to execute cross domain requests ('preflight checks') to the REST API. If no origins are configured, the server will deny any CORS requests.

Note that if a TLS tunnel is terminated by a load balancer which connects to IAM via http, IAM will consider most requests as CORS requests unless 'Strict CORS Validation' is deactivated.

Attributes
RegEx-List
Optional
Strict CORS Validation (strictCorsValidation)
Description

Match the 'Origin' header of the browser exactly.

Disabling this flag allows Airlock IAM to be connected to e.g. a load-balancer without TLS (load-balancer terminates TLS):

  • 'https://yourhost.com:443' is then considered a match compared to 'http://yourhost.com:80', and treated as same-origin

Note that this setting does not influence the 'Allowed Origins'.

Attributes
Boolean
Optional
Default value
true
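
The following is an added example, not Airlock IAM code: the two checks described above on constructed requests. It reads a non-strict match as "same host, with scheme and default port ignored", which is this example's interpretation of the `https://yourhost.com:443` versus `http://yourhost.com:80` statement, and it anchors each Allowed Origins regular expression against the whole Origin value; verify both against the behaviour of your installation. The scenario is the one the description mentions: a load balancer terminates TLS and forwards to IAM over plain http, so with strict validation the browser's Origin never matches what IAM sees. The last two checks show why an Allowed Origins pattern must anchor the host part.

```python
# Added example (not Airlock IAM code): the origin checks described for CORS
# Settings on constructed requests. Treating a non-strict match as "same host,
# scheme and default port ignored" is this example's reading of the page; the
# anchored (full) match of Allowed Origins patterns is likewise an assumption.
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_parts(origin):
    p = urlsplit(origin)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def is_same_origin(origin_header, request_scheme, host_header, strict=True):
    o = _origin_parts(origin_header)
    r = _origin_parts(f"{request_scheme}://{host_header}")
    if strict:
        return o == r  # scheme, host and port must all be equal
    # non-strict: https://h:443 vs http://h:80 counts as same-origin
    return o[1] == r[1]


def is_allowed_origin(origin_header, allowed_patterns):
    return any(re.fullmatch(p, origin_header) for p in allowed_patterns)


def cors_decision(origin_header, request_scheme, host_header,
                  allowed_patterns, strict=True):
    """'same-origin', 'allow' or 'deny' for a request carrying an Origin header."""
    if is_same_origin(origin_header, request_scheme, host_header, strict):
        return "same-origin"
    if not allowed_patterns:  # no configured origins: deny every CORS request
        return "deny"
    return "allow" if is_allowed_origin(origin_header, allowed_patterns) else "deny"


# Constructed scenario: the browser talks to https://iam.example.com, the load
# balancer terminates TLS and forwards to IAM over plain http.
ORIGIN = "https://iam.example.com"
HOST = "iam.example.com"

if __name__ == "__main__":
    print(cors_decision(ORIGIN, "http", HOST, [], strict=True))   # deny
    print(cors_decision(ORIGIN, "http", HOST, [], strict=False))  # same-origin
    print(is_allowed_origin("https://evil-example.com", [r"https://.*example\.com"]))  # True
```

Disabling strict validation is the documented fix for the TLS-terminating load balancer; the alternative that keeps strict validation is to have the load balancer speak TLS to IAM so that scheme and port match again.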
YAML Template (with default values)

type: CorsSettings
id: CorsSettings-xxxxxx
displayName: 
comment: 
properties:
  allowedOrigins:
  strictCorsValidation: true

Create Airlock 2FA Device Activation Letters

Description

Settings for users' device activation letters. Such a letter contains a QR code to be scanned and is typically needed to register the first Airlock 2FA device.

Note that once the letter is generated, Airlock IAM is no longer involved in the activation of a user's device. This implies in particular that a user who has been locked out after the generation of an activation letter could still use it to successfully register an Airlock 2FA device. Login will of course remain impossible as long as the user is locked out.

Compared to "Order Airlock 2FA Device Activation Letters", no order will be created since activation letters will be directly generated by this plugin. The "Airlock 2FA Activation Letter Order Task" is therefore not necessary in this case.

Type name
Airlock2FACreateActivationLetters
Class
com.airlock.iam.admin.application.configuration.airlock2fa.Airlock2FACreateActivationLettersConfig
May be used by
License-Tags
Airlock2FA
Properties
Letter Printing Options (letterPrintingOptions)
Description
Configuration needed in case the created activation letter should be printed to a file.
Attributes
Plugin-Link
Optional
Assignable plugins
Enrollment Validity [s] (enrollmentValidityInSeconds)
Description
The duration (in seconds) an enrollment code should be valid.

Note: This value is only used for the validity of the QR code in the enrollment letter and does not affect enrollment self-services.

Attributes
Integer
Optional
Default value
604800
YAML Template (with default values)

type: Airlock2FACreateActivationLetters
id: Airlock2FACreateActivationLetters-xxxxxx
displayName: 
comment: 
properties:
  enrollmentValidityInSeconds: 604800
  letterPrintingOptions:

Create Airlock 2FA Hardware Token Shipment Letters

Description
Settings for users' hardware token shipment letters. Such a letter accompanies the shipment of the hardware token to the user and contains the information needed for its first use.
Type name
Airlock2FAShipmentLetters
Class
com.airlock.iam.admin.application.configuration.airlock2fa.Airlock2FAShipmentLettersConfig
May be used by
License-Tags
Airlock2FA
Properties
Renderer (renderer)
Description
Defines how shipment letters (e.g. PDFs) are rendered.

The following placeholders can be used in the templates

  • ${User Context Data Name} - context data of the user.
  • ${deviceManufacturer} - manufacturer of device.
  • ${deviceModel} - model of device.
  • ${deviceSerialNumber} - serial number of device.
  • ${deviceActivationCode} - activation code of device, if any.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Working Directory (workingDirectory)
Description
A writable directory used to store a partially rendered shipment letter.
If this property is defined, shipment letters are not generated directly into the output directory (see Output Directory) but into this working directory, and are then moved into the output directory once they are complete.
This helps to solve problems with processes that automatically read the rendered letters and therefore might not see the fully rendered result. Make sure that the working directory and the output directory reside in the same file system (otherwise the moving of the generated file will not be atomic).
The directory is either absolute or relative to the JVMs current directory.
Attributes
File/Path
Optional
Output Directory (outputDirectory)
Description
The directory where the printable letters will be stored.
Attributes
File/Path
Mandatory
Language Context Data Name (languageContextDataName)
Description
The user's context data attribute containing the user's language. The language is used to choose the template in the renderer. If left empty, the default template will be used.
Attributes
String
Optional
Suggested values
language
YAML Template (with default values)

type: Airlock2FAShipmentLetters
id: Airlock2FAShipmentLetters-xxxxxx
displayName: 
comment: 
properties:
  languageContextDataName:
  outputDirectory:
  renderer:
  workingDirectory:

Credential Data Certificate Matcher

Description
The plugin extracts a username from an X.509 client certificate. The extracted username can afterwards be used by e.g. an authenticator.

In a first step, a user identifier is extracted from the certificate data (e.g. from the subject DN). The result can either be used directly as username or, if a User Iterator is additionally configured, matched against a user attribute; if a matching user is found, its username is returned.

Example:
A certificate contains the DN cn=test,ou=local,o=company,c=ch.
With User Attribute set to "cn" and no User Iterator configured, the common name is extracted and the resulting username is "test".
Type name
CredentialDataCertificateMatcher
Class
com.airlock.iam.core.misc.impl.authen.certificate.CredentialDataCertificateMatcher
May be used by
Properties
User Attribute (userAttribute)
Description
Defines how the user's username (or other piece of data used to look up the username) is to be extracted from the certificate. Example: The value "cn" will extract the common name from the DN and use it as username.

The following value is treated specially:

  • "altSubjectName": Use the certificate's alternative subject name as username.
Attributes
String
Mandatory
Suggested values
cn, altSubjectName
Username Transformer (usernameTransformer)
Description
Transforms the extracted username from the certificate before it is used in the lookup.
Attributes
Plugin-Link
Optional
Assignable plugins
User Iterator (userIterator)
Description
Searches the user in the underlying persistency layer by using the extracted user attribute and returns its username. If no iterator is configured, the extracted (and possibly transformed) user attribute is used directly as the username.
Attributes
Plugin-Link
Optional
Assignable plugins
Context Data Columns (contextDataColumns)
Description
Defines the values the extracted user attribute is matched against in the lookup. The value must match any of the context columns.
Attributes
String-List
Optional
YAML Template (with default values)

type: CredentialDataCertificateMatcher
id: CredentialDataCertificateMatcher-xxxxxx
displayName: 
comment: 
properties:
  contextDataColumns:
  userAttribute:
  userIterator:
  usernameTransformer:
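
Worked example (added here; not Airlock IAM code and not the plugin's own implementation): the extraction and lookup logic described above, in Python. The certificate is a plain dict standing in for a parsed X.509 certificate, the USERS list is constructed sample data with hypothetical attribute names, the DN parser honours RFC 4514 backslash escapes so an escaped comma inside a value is not taken as a separator, and the rule that exactly one DN attribute and exactly one user may match is this example's own policy.

```python
# Added example: certificate-to-username matching as described for
# CredentialDataCertificateMatcher. Not Airlock IAM code; all data constructed.

# Hypothetical user table; attribute names are assumptions, not the IAM schema.
USERS = [
    {"username": "alice", "cert_cn": "test", "email": "alice@company.ch"},
    {"username": "bob", "cert_cn": "bob-cert", "email": "bob@company.ch"},
]


def parse_dn(dn):
    """Split an RFC 4514 string DN into (type, value) pairs.

    Backslash escapes are honoured, so a comma or '=' inside a value
    (e.g. cn=Doe\\, John) is not mistaken for a separator. Multi-valued
    RDNs joined with '+' are not handled here.
    """
    pairs, buf, key, escaped = [], [], None, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:
            key, buf = "".join(buf).strip().lower(), []
        elif ch == ",":
            pairs.append((key, "".join(buf).strip()))
            buf, key = [], None
        else:
            buf.append(ch)
    if key is not None:
        pairs.append((key, "".join(buf).strip()))
    return pairs


def extract_user_attribute(cert, user_attribute):
    """Mirror of the userAttribute property: "altSubjectName" is special,
    any other value is read as an attribute type of the subject DN."""
    if user_attribute == "altSubjectName":
        return cert["subject_alt_name"]
    values = [v for k, v in parse_dn(cert["subject_dn"]) if k == user_attribute.lower()]
    if len(values) != 1:  # example policy: 0 or 2+ matching attributes is ambiguous
        raise ValueError(f"expected exactly one {user_attribute!r}, found {values}")
    return values[0]


def match_username(cert, user_attribute, transformer=None, context_data_columns=None):
    """Certificate -> username. Without a User Iterator (no columns given) the
    extracted, optionally transformed, attribute *is* the username; with one,
    it is looked up against any of the configured context data columns."""
    ident = extract_user_attribute(cert, user_attribute)
    if transformer is not None:
        ident = transformer(ident)  # usernameTransformer runs before the lookup
    if not context_data_columns:
        return ident
    hits = [u for u in USERS if any(u.get(col) == ident for col in context_data_columns)]
    if len(hits) != 1:  # example policy: never map one certificate to several accounts
        raise LookupError(f"{len(hits)} users match {ident!r}")
    return hits[0]["username"]


# Constructed certificate, using the page's own DN example
SAMPLE_CERT = {
    "subject_dn": "cn=test,ou=local,o=company,c=ch",
    "subject_alt_name": "Alice@Company.ch",
}
```

With a User Iterator the comparison is an exact string match, so a transformer such as lower-casing (str.lower above) is what makes a mixed-case subject alternative name match a stored e-mail address.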

Credential Data mTAN Handler

Description
An mTAN handler that uses the credential data (in the user table of the IAM database). Supports only one mTAN number per user.
Type name
CredentialDataMtanHandler
Class
com.airlock.iam.core.misc.impl.authen.mtan.CredentialDataMtanHandler
May be used by
Properties
Credential Persister (credentialPersister)
Description
Credential persister to load the mobile phone number from user data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Per User Flash Context Field (perUserFlashContextField)
Description

If a context data field is configured, sending of flash messages is decided per user, based on the value in this field. If this field is empty, the default flash setting is used.

Important: The referenced context data field must be of type String and accepts only one of the following values:

  • true - send flash SMS
  • false - send normal SMS
  • <empty/null> - use the default flash settings

Note: The same configuration value must also be added to the credential persister's context data fields.

Attributes
String
Optional
Suggested values
flashSms
IAK Verifier (iakVerifier)
Description

The IAK verifier is used to check initial activation keys. It is only used during credential self-registration and not during credential self-migration.

CAUTION: Not specifying an IAK verifier plugin means that no IAK is checked during the self-registration process. Be careful to not create unsafe processes! Usually, self-registration is unsafe without IAK verification.

Attributes
Plugin-Link
Optional
Assignable plugins
IAK Generator (iakGenerator)
Description
The string generator plugin which will generate the new IAKs.
Attributes
Plugin-Link
Optional
Assignable plugins
IAK Hash Function (iakHashFunction)
Description
This property is only used when new IAKs are generated. The hash function specifies how generated IAKs are hashed. It must be the same as (or hash value compatible with) the one used for checking IAKs.

NOTE: Some password hashes, such as SHA 256 Password Hash or Scrypt Password Hash, produce binary output. If one of these is used, make sure the persistence layer supports binary data in the hash field and the corresponding persistence plugins (e.g. Database User Store or Ldap Connector) are configured to treat hash values as binary values.
In case the persistence layer expects a string, encode the password hash by wrapping it with an encoder. To achieve this, use the Password Hash Configuration plugin and specify the hash function (such as Scrypt Password Hash) together with the desired encoder. We recommend using the Base64 Password Hash Encoder.

Attributes
Plugin-Link
Optional
Assignable plugins
Hash Value Is Binary (hashValueIsBinary)
Description
Enable if the hash value produced by the configured hash function is binary (and not a string). It will then be stored using the credential persister's "binary" data slot.
Attributes
Boolean
Optional
Default value
false
IAK Credential Persister (iakCredentialPersister)
Description
If immediate generation of IAK letters in the Admin Tool should be allowed, an IAK credential persister must be configured.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: CredentialDataMtanHandler
id: CredentialDataMtanHandler-xxxxxx
displayName: 
comment: 
properties:
  credentialPersister:
  hashValueIsBinary: false
  iakCredentialPersister:
  iakGenerator:
  iakHashFunction:
  iakVerifier:
  perUserFlashContextField:

Credential Report Task

Description
This task plug-in iterates over user or credential records and, if certain conditions are met, executes a report renderer on the user (or credential). It is intended to produce, for example, letters for newly issued tokens or other credentials.

The task uses a user iterator plug-in to go through the set of users or credential records and looks at a specific flag telling this plug-in that a report should be rendered for the user (or credential). If the flag is set, the "delivery security gap" is checked: this is the minimum amount of time that must lie between two reports being generated for one and the same user. If this check passes, the configured report renderer is called and the flag is reset.

Note: There are special tasks for generating password letters (PasswordBatchTask) and matrix cards/TAN lists (TanBatchTask).
Type name
CredentialReportTask
Class
com.airlock.iam.servicecontainer.app.application.configuration.task.CredentialReportTask
May be used by
Properties
Report Type Short Desc (reportTypeShortDesc)
Description
Defines a short textual description of the type of the report being rendered.
The text is used in the user trail log written when a report is rendered. Please specify a text like in the examples below, so it suits the structure of the log statement it is used in.
If this property is not specified, a general statement will be logged.
Attributes
String
Optional
Example
password letter
Example
keyfile accompanying report
Example
mobile number registration letter
Credential Persister (credentialPersister)
Description
The credential persister plug-in is used to read and store credential data structures.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Credential Iterator (credentialIterator)
Description
The credential iterator plug-in used to iterate over a set of credential structures. For efficiency reasons it makes sense to limit the set of credential structures returned by this plug-in as much as possible. It is usually a good idea to include the "order-credential" flag in the additional where clause of the iterator plug-in. Like this, this plug-in only gets the "interesting" records.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Report Renderer (reportRenderer)
Description
Tells this task which generic renderer to use to render reports.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Delivery Security Gap (deliverySecurityGap)
Description
Specifies the minimum number of days there must be between two reports being generated for the same user. This delivery gap aims to prevent a user from receiving, as an example, a password letter and a token within a short time, which would be a security risk because both letters are in transit at the same time (e.g. with the postal service).
This feature only works correctly if the underlying credential persister knows about the delivery timestamps of the other credentials. Make sure these are properly configured for the credential persister.
Not setting this property turns this feature off.
Attributes
Integer
Optional
Default value
0
Language Attribute Name (languageAttributeName)
Description
Tells the report task which attribute in the context data container contains the language to be used for rendering the report. If this property is configured and the context data container of the user has a value for this attribute, it is used when calling the report renderer plug-in.
Attributes
String
Mandatory
Suggested values
language
Working Directory (workingDirectory)
Description
A writable directory used to store partial reports.
If this property is defined, the credential reports are not generated directly into the output directory (see other property) but into this working directory, and are moved to the output directory once they are complete.
This avoids problems with processes that automatically read the rendered reports and would otherwise pick up partial reports during generation. Make sure that the working directory and the output directory reside in the same file system (if not, moving the generated file will not be atomic).
The directory is either absolute or relative to the JVM's current directory.
Attributes
File/Path
Optional
Output Directory (outputDirectory)
Description
Directory in the file system to put the rendered reports in. The directory is either absolute or relative to the JVM's current directory.

This property is not required if the renderer plugin (see separate property) does not write on the outputstream (e.g. sends it somewhere else). It is required otherwise.

Note: If this property is not defined and the used renderer plugin writes on the output stream, then the result (e.g. a PDF file) is lost.

Attributes
File/Path
Optional
File Name Prefix (fileNamePrefix)
Description
Filename prefix for rendered report files. It is important to set this to a unique value for the kind of reports generated by this task. When this task deletes old reports, it looks at this prefix (and the user id) in order to find out which files to delete. Thus, if this prefix is the same as for other reports and they reside in the same directory, other reports may be deleted.
Do not use the prefix "pwd-" or the empty prefix if password or token-list reports are stored in the same directory. The latter is used as the default for token lists (matrix cards) and the former for password letters.
Attributes
String
Mandatory
Example
token-letter
Example
smartcardLetter
File Name Suffix (fileNameSuffix)
Description
Filename suffix for rendered report files. The indicated suffix is appended to the generated reports. This may be required if the files are processed (e.g. printed) by another process (manual or automatic).
Attributes
String
Mandatory
Suggested values
.pdf, .txt
Delete Old Reports (deleteOldReports)
Description
Deletes old rendered reports of a user from the file system when a new one is rendered. Setting this to TRUE results in at most one rendered report of this type per user.
Caution: This feature will delete all reports starting with the prefix configured by property "file-name-prefix" and the user's name. Thus you must make sure, that different report types use different filename prefixes.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: CredentialReportTask
id: CredentialReportTask-xxxxxx
displayName: 
comment: 
properties:
  credentialIterator:
  credentialPersister:
  deleteOldReports: false
  deliverySecurityGap: 0
  fileNamePrefix:
  fileNameSuffix:
  languageAttributeName:
  outputDirectory:
  reportRenderer:
  reportTypeShortDesc:
  workingDirectory:
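
Worked example (added here; not Airlock IAM code and not the task's own implementation) of the file handling that this task and the Credential Secret Generator below share: the delivery security gap check, rendering into the working directory followed by an atomic move into the output directory with the same-file-system check, and deletion of old reports by prefix and user id, which also shows why two report types must not share a prefix in one directory. The file name scheme prefix + user id + "-" + stamp + suffix, the user ids and the delivery dates are constructed for this example.

```python
# Added example: the file handling shared by CredentialReportTask and
# CredentialSecretGenerator. Not Airlock IAM code; names and dates constructed.
import os
from datetime import timedelta
from pathlib import Path


def check_delivery_gap(other_deliveries, today, gap_days):
    """deliverySecurityGap: allow a new report only if every other credential of
    the same user was delivered at least gap_days ago. 0 or None disables it."""
    if not gap_days:
        return True
    return all(today - d >= timedelta(days=gap_days) for d in other_deliveries)


def delete_old_reports(output_dir, prefix, user_id, suffix):
    """deleteOldReports: remove this user's earlier files with this prefix.
    Only prefix + user id identify the report type, which is why two report
    types sharing a prefix in one directory would delete each other's output.
    The '-' after the user id keeps 'u1' from also matching 'u10'."""
    removed = []
    for path in Path(output_dir).glob(f"{prefix}{user_id}-*{suffix}"):
        path.unlink()
        removed.append(path.name)
    return removed


def render_report(output_dir, working_dir, prefix, suffix, user_id, stamp, body,
                  delete_old=True):
    """Render into the working directory, then move into the output directory.
    os.replace() is an atomic rename only within one file system, so a poller
    on output_dir never sees a half-written file; across file systems it would
    degrade to copy-and-delete, hence the st_dev check."""
    out, work = Path(output_dir), Path(working_dir)
    if out.stat().st_dev != work.stat().st_dev:
        raise RuntimeError("working and output directory must be on the same file system")
    if delete_old:
        delete_old_reports(out, prefix, user_id, suffix)
    name = f"{prefix}{user_id}-{stamp}{suffix}"
    partial = work / name
    partial.write_bytes(body)          # partial content only ever exists here
    os.replace(partial, out / name)    # atomic publish into the output directory
    return name
```

The st_dev comparison is the check to add when working and output directory are mounted separately (e.g. a print spool on network storage): on the same device the rename is atomic, on different devices the consumer can again observe a half-copied file.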

Credential Secret Batch Task

Description
Server task that checks all users for a flag indicating that a new letter with a secret (e.g. activation code) should be generated.

Unlike the "Password Batch Task" this plugin uses a credential persister / iterator.

Generated secrets are rendered (e.g. made a pdf or printed) using a PasswordRenderer plugin.

Type name
CredentialSecretBatchTask
Class
com.airlock.iam.servicecontainer.app.application.configuration.task.CredentialSecretBatchTask
May be used by
Properties
Credential Iterator (credentialIterator)
Description
The credential iterator plugin used to iterate over all users' credentials. Usually this is the same as the credential persister.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Credential Persister (credentialPersister)
Description
The credential persister plugin used to read and store credential data structures.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Delivery Security Gap Days (deliverySecurityGapDays)
Description
In order to avoid sending more than one credential to a user at the same time, this task inspects the delivery times of other credentials of the same user. The value of this property indicates the minimum number of days between the latest delivery of another token and the generation of a secret.

Setting this property to zero (0) disables this feature.

Attributes
Long
Optional
Default value
0
Aggregate Report (aggregateReport)
Description
Optional property to describe an aggregate report over all generated reports in a batch. If none is configured, no aggregate report will be generated.
Attributes
Plugin-Link
Optional
Assignable plugins
Credential Secret Generator (credentialSecretGenerator)
Description
Allows the configuration of settings for the generation of the credential secret reports.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Token Cleanup Configs (tokenCleanupConfigs)
Description
Allows the configuration of settings to remove tokens during the batch task.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CredentialSecretBatchTask
id: CredentialSecretBatchTask-xxxxxx
displayName: 
comment: 
properties:
  aggregateReport:
  credentialIterator:
  credentialPersister:
  credentialSecretGenerator:
  deliverySecurityGapDays: 0
  tokenCleanupConfigs:

Credential Secret Generator

Description
Responsible for the generation and the rendering of credential secrets.
Type name
CredentialSecretGenerator
Class
com.airlock.iam.core.misc.renderer.CredentialSecretGenerator
May be used by
Properties
Hash Value Is Binary (hashValueIsBinary)
Description
Enable to tell this plugin that the hash value produced by the configured hash function is binary (and not a string). It will then be stored using the credential persister's "binary" data slot.
Attributes
Boolean
Optional
Default value
false
Password Generator (passwordGenerator)
Description
The string generator plugin which will generate the new password.
Attributes
Plugin-Link
Optional
Assignable plugins
Hash Function Plugin (hashFunctionPlugin)
Description
This property is used when new passwords are generated. The hash function is used to hash the generated password. It must be the same as (or hash value compatible with) the one used when checking passwords.

NOTE: Some password hashes, such as SHA 256 Password Hash or Scrypt Password Hash, produce binary output. If one of these is used, make sure the persistence layer supports binary data in the hash field and the corresponding persistence plugins (e.g. Database User Store or Ldap Connector) are configured to treat hash values as binary values.
In case the persistence layer expects a string, encode the password hash by wrapping it with an encoder. To achieve this, use the Password Hash Configuration plugin and specify the hash function (such as Scrypt Password Hash) together with the desired encoder. We recommend using the Base64 Password Hash Encoder.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Output Directory Path (outputDirectoryPath)
Description
Directory in the file system to put the rendered passwords in. The directory is either absolute or relative to the JVM's current directory.

This property is not required if the renderer plugin (see separate property) does not write on the outputstream (e.g. sends it somewhere else). It is required otherwise.

Note: If this property is not defined and the used renderer plugin writes on the output stream, then the result (e.g. a PDF file) is lost.

Attributes
File/Path
Optional
Working Directory Path (workingDirectoryPath)
Description
A writable directory used to store partial reports.
If this property is defined, the passwords are not generated directly into the output directory (see other property) but into this working directory, and are moved to the output directory once they are complete.
This avoids problems with processes that automatically read the rendered passwords and would otherwise pick up partial reports during generation. Make sure that the working directory and the output directory reside in the same file system (if not, moving the generated file will not be atomic).
The directory is either absolute or relative to the JVM's current directory.
Attributes
File/Path
Optional
File Name Prefix (fileNamePrefix)
Description
Filename prefix for rendered report files. It is important to set this to a unique value for the kind of reports generated by this task. When this task deletes old reports, it looks at this prefix (and the user id) in order to find out which files to delete. Thus, if this prefix is the same as for other reports and they reside in the same directory, other reports may be deleted.

Do not use the empty prefix if token-list reports are stored in the same directory. The empty prefix is the default for token list letters (and not configurable in older plugin versions).

This property is optional to be backwards compatible. The prefix "pwd-" is used if none is defined.

Attributes
String
Optional
Default value
pwd-
Example
pwd-
Example
passwordLetter-
Configured File Name Suffix (configuredFileNameSuffix)
Description
Filename suffix for rendered password files. If necessary, a leading dot is prepended to the configured value before it is used as the suffix.
Attributes
String
Optional
Suggested values
.pdf, .docx
Report Type Short Desc (reportTypeShortDesc)
Description
Defines a short textual description of the type of the report being rendered.
The text is used in the user trail log written when a report is rendered. Please specify a text like in the examples below, so it suits the structure of the log statement it is used in.
If this property is not specified, a general statement will be logged.
Attributes
String
Optional
Example
password letter
Example
activation key letter
Example
PIN letter
Password Renderer (passwordRenderer)
Description
Tells the password batch task which password renderer to use for the rendering of newly generated passwords.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Language Attribute Name (languageAttributeName)
Description
Tells the password batch task which attribute in the context data container contains the language to be used for rendering the password. If this property is configured and if the context data container of the user has a value for this attribute, it is used when calling the password renderer plugin.
Attributes
String
Optional
Suggested values
language
Delete Old Passwords (deleteOldPasswords)
Description
Deletes old rendered passwords of a user from the file system when a new one is rendered. Setting this to TRUE results in at most one rendered password per user.
Attributes
Boolean
Optional
Default value
false
Barcode Generator (barcodeGenerator)
Description
Optional barcode generator. If this property is configured, a barcode image and the corresponding barcode content are added to the parameter map accessible by report templates. The following keys are defined:
  • BarcodeImage: placeholder for the barcode image.
  • BarcodeContent: placeholder for the barcode content.
  • BarcodeContentDisplay: placeholder for the barcode content in a human-readable format.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: CredentialSecretGenerator
id: CredentialSecretGenerator-xxxxxx
displayName: 
comment: 
properties:
  barcodeGenerator:
  configuredFileNameSuffix:
  deleteOldPasswords: false
  fileNamePrefix: pwd-
  hashFunctionPlugin:
  hashValueIsBinary: false
  languageAttributeName:
  outputDirectoryPath:
  passwordGenerator:
  passwordRenderer:
  reportTypeShortDesc:
  workingDirectoryPath:
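
Worked example (added here; not Airlock IAM code) for the hash-function note that appears both under IAK Hash Function of the Credential Data mTAN Handler and under Hash Function Plugin above: an activation key is generated, hashed with scrypt (binary output, via Python's hashlib), and then either stored in the persister's binary slot (hashValueIsBinary enabled) or wrapped with a Base64 encoder for a string-typed persistence layer. The verifier must apply the same hash function and the same encoder, otherwise nothing ever verifies. The per-credential salt, the record layout and the key alphabet are this example's assumptions.

```python
# Added example for the binary-vs-string hash note under IAK Hash Function and
# Hash Function Plugin. Not Airlock IAM code; salt and record layout assumed.
import base64
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # example alphabet for printed keys


def generate_secret(length=12):
    """Stand-in for the iakGenerator / passwordGenerator string generator:
    CSPRNG-backed, so the key printed on the letter is not guessable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def scrypt_hash(secret, salt):
    """A hash function with *binary* output, like the page's Scrypt Password Hash.
    The per-credential salt is this example's assumption."""
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def base64_encoder(raw):
    """The Base64 Password Hash Encoder role: make a binary hash string-safe."""
    return base64.b64encode(raw).decode("ascii")


def store_hash(record, hash_value, hash_value_is_binary):
    """hashValueIsBinary decides which persister slot receives the hash. The
    mismatch the page warns about (binary hash, string-typed persistence) is
    rejected here instead of being silently coerced into a string column."""
    if hash_value_is_binary:
        if not isinstance(hash_value, bytes):
            raise TypeError("hashValueIsBinary=true but the hash function returned a string")
        record["binary"] = hash_value
    else:
        if not isinstance(hash_value, str):
            raise TypeError("persistence expects a string: wrap the hash function "
                            "with an encoder (e.g. Base64) or enable hashValueIsBinary")
        record["string"] = hash_value
    return record


def verify(record, candidate, salt, hash_fn, encoder=None):
    """Verifier side: recompute with the same hash function (and the same encoder,
    if one was used when storing) and compare in constant time."""
    computed = hash_fn(candidate, salt)
    if encoder is not None:
        return hmac.compare_digest(encoder(computed), record["string"])
    return hmac.compare_digest(computed, record["binary"])


def issue_iak(hash_value_is_binary, salt=b"example-salt-per-credential"):
    """Generate, hash and persist one activation key; returns (clear key, record).
    The clear key goes to the renderer (letter), only the hash is persisted."""
    iak = generate_secret()
    digest = scrypt_hash(iak, salt)
    stored = digest if hash_value_is_binary else base64_encoder(digest)
    return iak, store_hash({}, stored, hash_value_is_binary)
```

The TypeError branch is the failure mode behind the note: a binary hash written into a string column by an implicit conversion would verify never or only by accident, depending on how the persistence layer mangles the bytes.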

Credential to Authenticator Mapping

Description
Maps a credential pattern to an authenticator plugin.
Type name
CredentialBasedAuthenticatorSelectorMapping
Class
com.airlock.iam.core.misc.impl.authen.CredentialBasedAuthenticatorSelectorMapping
May be used by
Properties
Pattern (pattern)
Description

Defines a regular expression pattern matched against the credential (token or response to a challenge or password) provided during authentication.

Attributes
RegEx
Mandatory
Case Sensitive (caseSensitive)
Description
If set to false, the case of characters is ignored when matching the pattern against the credential data.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: CredentialBasedAuthenticatorSelectorMapping
id: CredentialBasedAuthenticatorSelectorMapping-xxxxxx
displayName: 
comment: 
properties:
  authenticator:
  caseSensitive: true
  pattern:

Credential-based Attribute Mapping

Description
Filters and maps attributes from the outside to the generic token and vice versa.

This plugin is designed to work only with the credential-based repository that is shipped with IAM. For custom repository implementations, custom attribute mappings are needed.

Type name
CredentialBasedAttributeMapping
Class
com.airlock.iam.admin.application.configuration.generic.CredentialBasedAttributeMapping
May be used by
Properties
Serial Number (serialNumber)
Description
The serial ID of this token.
Attributes
String
Optional
Enabled (enabled)
Description
Indicates whether this token is enabled. This is a read-only property.
Attributes
String
Optional
Valid From (validFrom)
Description
Date as of which the token is valid.
Attributes
String
Optional
Valid To (validTo)
Description
Expiration date of this token.
Attributes
String
Optional
Generation Date (generationDate)
Description
The activation date of this token. This is a read-only property.
Attributes
String
Optional
Data (data)
Description
The actual data of this token. Binary data is converted to a base64 representation.
Attributes
String
Optional
Encoding (encoding)
Description
Encoding of the data (BINARY or STRING).
Attributes
String
Optional
Delivery Date (deliveryDate)
Description
The token delivery date.
Attributes
String
Optional
Context Data Fields (contextDataFields)
Description
Maps internal credential context data keys (left side of the map, labeled KEY) under the mapped name to an external interface (right side, labeled PLUGIN).

Mapped context data fields are elements of a nested map with the name 'contextData'. For example an entry with external name 'myField' will be mapped to an external interface as data.attributes.contextData.myField.

Attributes
Plugin-Map
Optional
Assignable plugins
YAML Template (with default values)

type: CredentialBasedAttributeMapping
id: CredentialBasedAttributeMapping-xxxxxx
displayName: 
comment: 
properties:
  contextDataFields:
  data:
  deliveryDate:
  enabled:
  encoding:
  generationDate:
  serialNumber:
  validFrom:
  validTo:

Credential-based Authenticator Selector

Description

An authenticator plugin that selects one of several authenticators (and/or contexts) depending on the credential provided in the first or any preceding authentication steps: The credential, i.e. the token or response to a challenge or the password, is compared against a list of regular expressions. The first matching expression defines the authenticator plugin (and/or context) to use for the rest of the authentication process. If none matches, a default authenticator is used.

This plugin does not add or change data added to the authentication result but just passes on the results of the wrapped authenticator(s).

Example usage:

  • Use the plugin as second authenticator after username and password have been provided.
  • Configure it with an SmsAuthenticator as default authenticator and an EmailOtpAuthenticator used if the token matches "email"
  • The user is then asked for an SMS code after successful password verification. If the user enters "email" as SMS code, an email is sent and the user is asked for the OTP in the email.

Type name
CredentialBasedAuthenticatorSelector
Class
com.airlock.iam.core.misc.impl.authen.CredentialBasedAuthenticatorSelector
May be used by
Properties
Mappings (mappings)
Description
Mappings between credential patterns (see Credential to Authenticator Mapping) and authenticator plugins; they are evaluated in order and the first match wins.
Attributes
Plugin-List
Mandatory
Assignable plugins
YAML Template (with default values)

type: CredentialBasedAuthenticatorSelector
id: CredentialBasedAuthenticatorSelector-xxxxxx
displayName: 
comment: 
properties:
  defaultAuthenticator:
  mappings:

Credential-based Generic Token Repository

Description

Repository that loads credentials as tokens from persistence.

If configured, the credential model supports a 'current' and 'next' credential. The db columns can be specified in the configured 'Credential Persister'.
Type name
CredentialBasedGenericTokenRepository
Class
com.airlock.iam.admin.application.configuration.generic.CredentialBasedGenericTokenRepositoryConfig
May be used by
Properties
Credential Persister (credentialPersister)
Description
Credential Persister to load credentials from persistence.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Support Current And Next Credential (supportCurrentAndNextCredential)
Description
Controls whether a 'next' credential is supported.
Attributes
Boolean
Optional
Default value
false
Use Next As Current On Deletion (useNextAsCurrentOnDeletion)
Description
Controls whether a 'next' credential is automatically used as new 'current' on deletion of an old 'current'. Has no effect if 'next' credential is not supported.
Attributes
Boolean
Optional
Default value
true
Token Attribute Mapping (attributeMapping)
Description
Defines the set of supported attributes and optional name mappings.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: CredentialBasedGenericTokenRepository
id: CredentialBasedGenericTokenRepository-xxxxxx
displayName: 
comment: 
properties:
  attributeMapping:
  credentialPersister:
  supportCurrentAndNextCredential: false
  useNextAsCurrentOnDeletion: true

CRL Certificate Status Checker

Description
Certificate status checker using a CRL (certificate revocation list) to check the status of certificates.

Periodically updates the CRL using the configured "CRL Fetcher". The latest fetched CRL is cached in memory and if configured, persisted into a file cache.

The CRL Distribution Point Extension of the certificate is not taken into account. Use plugin "CRL Distribution Point Extension CRL Checker" to consider the CRL Distribution Point Extension of the certificate being checked.

Type name
CrlCertificateStatusChecker
Class
com.airlock.iam.core.misc.impl.cert.crl.CrlCertificateStatusChecker
May be used by
Properties
CRL Fetcher (crlFetcher)
Description
The plug-in used to periodically obtain the CRL.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Fetch Interval Seconds (fetchIntervalSeconds)
Description
The number of seconds between two attempts to fetch the current CRL. This plug-in always uses the latest fetched CRL. Values lower than one minute (60) are not allowed.
If the CRL cannot be fetched, a warning is logged and the plug-in tries again after waiting the time specified by property retry-interval-seconds.
Attributes
Long
Mandatory
Retry Interval Seconds (retryIntervalSeconds)
Description
If a CRL cannot be fetched (because the CRL fetcher plug-in throws an exception), this plug-in retries after waiting a certain time. This property specifies the amount of seconds to wait before retrying. The minimum allowed value is 10 seconds.
Attributes
Long
Mandatory
Retry Count (retryCount)
Description
If a CRL cannot be fetched (because the CRL fetcher plug-in throws an exception), this plug-in retries after waiting a certain time specified by property retry-interval-seconds. This property specifies the maximum number of retries before the plug-in gives up. After giving up, the plug-in will try again once the normal fetch interval (specified by property fetch-interval-seconds) has passed.
The number of retries multiplied by the time to wait between retries must not be greater than the fetch interval.
Attributes
Integer
Mandatory
CRL Validity Seconds (crlValiditySeconds)
Description
The number of seconds a CRL is considered valid. The validity is counted from the update time of the CRL (this is an attribute of the CRL itself and does not depend on the time it was fetched).
Make sure that the validity period is considerably larger than the fetch interval.
The minimum value is one minute (60).
Attributes
Long
Mandatory
Fail Silently If CRL Expired (failSilentlyIfCrlExpired)
Description
Optional property specifying how this certificate status checker should behave if the latest available CRL has expired:
If set to TRUE, calling method isRevoked(X509Certificate) always returns true and a warning is logged.
If set to FALSE (the default), calling method isRevoked(X509Certificate) will result in a CertificateStatusCheckerException.
Attributes
Boolean
Optional
Default value
false
Cache File (cacheFile)
Description
Specifies a readable and writable file used by the plug-in to cache the latest fetched CRL. This is valuable in the case of a server restart at a time when there is a valid CRL from the last successful fetch but no CRL can be fetched at startup. In this case, the locally cached file is used.
This property is optional. If not defined, no local file cache will be used.
Caution: Make sure the file is readable and writable. Be careful with relative paths and permissions.
Attributes
File/Path
Optional
Included Issuer (includedIssuer)
Description
Specifies that only certificates with an issuer matching this pattern are checked against the CRL. Certificates that do not match this pattern are ignored and true is returned upon the check.
Attributes
RegEx
Optional
Keystore Config (keystoreConfig)
Description
The keystore containing the CA certificate to verify the signature of the CRL.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: CrlCertificateStatusChecker
id: CrlCertificateStatusChecker-xxxxxx
displayName: 
comment: 
properties:
  cacheFile:
  crlFetcher:
  crlValiditySeconds:
  failSilentlyIfCrlExpired: false
  fetchIntervalSeconds:
  includedIssuer:
  keystoreConfig:
  retryCount:
  retryIntervalSeconds:
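
Worked example (added here; not Airlock IAM code and not the plugin's implementation) of the scheduling and expiry semantics described above: the documented minimums and the retry-budget constraint are enforced at construction, a fetch failure backs off by the retry interval up to the retry count and then waits for a full fetch interval, the CRL's validity is counted from the CRL's own update time rather than the fetch time, an expired CRL either raises or (fail silently) reports the certificate as revoked with a warning, and the file cache covers a restart during which the fetcher is unavailable. The Crl class is a constructed stand-in for a parsed CRL (no ASN.1), the certificate is a dict with issuer and serial, time is injected so no sleeping is involved, and treating a certificate whose issuer does not match includedIssuer as "not revoked" is this example's reading of "ignored".

```python
# Added example: the fetch/retry schedule and expiry semantics described for
# CrlCertificateStatusChecker. Not Airlock IAM code; the CRL is constructed data.
import json
import re
from dataclasses import dataclass
from pathlib import Path


class CertificateStatusCheckerException(Exception):
    pass


@dataclass
class Crl:
    """Stand-in for a parsed CRL. this_update is the CRL's own timestamp
    (epoch seconds); validity is counted from it, not from the fetch time."""
    issuer: str
    this_update: float
    revoked: set

    def to_json(self):
        return json.dumps({"issuer": self.issuer, "this_update": self.this_update,
                           "revoked": sorted(self.revoked)})

    @staticmethod
    def from_json(text):
        d = json.loads(text)
        return Crl(d["issuer"], d["this_update"], set(d["revoked"]))


class CrlCertificateStatusChecker:
    def __init__(self, fetcher, *, fetch_interval, retry_interval, retry_count,
                 crl_validity, fail_silently_if_expired=False,
                 included_issuer=None, cache_file=None):
        # Documented minimums and the retry budget constraint, enforced up front
        if fetch_interval < 60 or crl_validity < 60 or retry_interval < 10:
            raise ValueError("fetchInterval/crlValidity >= 60 s, retryInterval >= 10 s")
        if retry_count * retry_interval > fetch_interval:
            raise ValueError("retryCount * retryIntervalSeconds exceeds fetchIntervalSeconds")
        self.fetcher, self.fetch_interval = fetcher, fetch_interval
        self.retry_interval, self.retry_count = retry_interval, retry_count
        self.crl_validity, self.fail_silently = crl_validity, fail_silently_if_expired
        self.included_issuer = re.compile(included_issuer) if included_issuer else None
        self.cache_file = Path(cache_file) if cache_file else None
        self.crl, self.retries, self.next_attempt, self.logged = None, 0, 0.0, []

    def poll(self, now):
        """Scheduler tick (time injected, no sleeping). Fetch when due; on failure
        retry after retry_interval, up to retry_count times, then give up until
        a full fetch_interval has passed. A cached file covers the restart case."""
        if now < self.next_attempt:
            return
        try:
            self.crl = self.fetcher()
            if self.cache_file:
                self.cache_file.write_text(self.crl.to_json())
            self.retries, self.next_attempt = 0, now + self.fetch_interval
        except Exception as exc:
            self.logged.append(f"WARN CRL fetch failed: {exc}")
            if self.crl is None and self.cache_file and self.cache_file.exists():
                self.crl = Crl.from_json(self.cache_file.read_text())
            self.retries += 1
            if self.retries <= self.retry_count:
                self.next_attempt = now + self.retry_interval
            else:
                self.retries, self.next_attempt = 0, now + self.fetch_interval

    def is_revoked(self, cert, now):
        """cert: dict with 'issuer' and 'serial'. Certificates whose issuer does
        not match includedIssuer are not subject to this CRL (example treats
        them as not revoked). An expired CRL fails closed or raises."""
        if self.included_issuer and not self.included_issuer.search(cert["issuer"]):
            return False
        if self.crl is None:
            raise CertificateStatusCheckerException("no CRL available yet")
        if now > self.crl.this_update + self.crl_validity:
            if self.fail_silently:
                self.logged.append("WARN CRL expired, reporting certificate as revoked")
                return True
            raise CertificateStatusCheckerException("latest CRL has expired")
        return cert["serial"] in self.crl.revoked
```

Note that a CRL loaded from the cache file is subject to the same validity check as a freshly fetched one, so the file cache only helps while the last good CRL is still inside crlValiditySeconds; it does not turn a stale CRL into a valid one.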

CRL Distribution Point Extension CRL Checker

Description
Uses the CRL distribution point extension of the certificate to determine which CRL to use. If a certificate does not provide the CRL distribution point extension, the fallbackChecker is used to check the certificate. Otherwise the CRL is obtained by the CRL obtainer and used to check the certificate. As long as the CRL is not expired, the CRL is cached in memory.
Type name
MultiIssuerCRLChecker
Class
com.airlock.iam.core.misc.impl.cert.crl.MultiIssuerCRLChecker
May be used by
Properties
CRL Obtainer (crlObtainer)
Description
Accesses newer versions of the CRL.
Attributes
Plugin-Link
Optional
Assignable plugins
Fallback Checker (fallbackChecker)
Description
This checker is used when the CRL distribution point extension is not available on the certificate.
Attributes
Plugin-Link
Optional
Assignable plugins
Eagerly Loaded URLs (eagerlyLoadedURLs)
Description
The CRLs located at these URLs are downloaded upon startup of Airlock IAM. Otherwise a CRL is downloaded once the first certificate check uses the CRL, which can cause delays during the check.
Attributes
String-List
Optional
Keystore Config (keystoreConfig)
Description
The keystore containing the CA certificate to verify the signature of the CRL.
Attributes
Plugin-Link
Optional
Assignable plugins
Factory (factory)
Description
Creates a friendly representation of the X509 Certificate. Normally, the default plugin should be used.
Attributes
Plugin-Link
Optional
Assignable plugins
CRL Cache (cacheRefreshInterval)
Description
Defines the interval in minutes in which the internal cache is checked for expired CRLs, which are then updated asynchronously. Note that this option has no security consequences, since an expired CRL is also updated before a check. However, a synchronous update during a check might cause delays.
Attributes
Integer
Optional
Default value
1
YAML Template (with default values)

type: MultiIssuerCRLChecker
id: MultiIssuerCRLChecker-xxxxxx
displayName: 
comment: 
properties:
  cacheRefreshInterval: 1
  crlObtainer:
  eagerlyLoadedURLs:
  factory:
  fallbackChecker:
  keystoreConfig:
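
The following Go program is an added illustration of the checking logic described for this plugin; it is not Airlock IAM code and does not use its API. It builds a throw-away CA, a CRL and three client certificates in memory (constructed test data) and implements a checker that selects the CRL by the certificate's CRL distribution point, hands certificates without the extension to a fallback, accepts a CRL only if it was issued and signed by the CA that issued the certificate (the keystoreConfig role) and caches it until its next update. The distribution-point URL http://crl.example.test/ca.crl and the Obtain callback are assumptions standing in for the CRL Obtainer; nothing touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CDPChecker selects the CRL named in the certificate's CRL distribution point, hands certificates
// without that extension to Fallback, accepts a CRL only if it was issued and signed by the CA that
// issued the certificate (looked up in Trust, the keystoreConfig role) and caches it until NextUpdate.
type CDPChecker struct {
	Obtain   func(url string) ([]byte, error) // the "CRL Obtainer" role: returns the DER CRL behind a URL
	Fallback func(*x509.Certificate) error    // nil: certificates without a CDP are rejected
	Trust    []*x509.Certificate
	cache    map[string]*x509.RevocationList // not synchronized; a production checker locks around it
}

// Check returns nil when the certificate is not listed in its verified CRL.
func (c *CDPChecker) Check(cert *x509.Certificate) error {
	if len(cert.CRLDistributionPoints) == 0 {
		if c.Fallback == nil {
			return fmt.Errorf("%s: no CRL distribution point and no fallback checker", cert.Subject.CommonName)
		}
		return c.Fallback(cert)
	}
	crl, err := c.crlFor(cert.CRLDistributionPoints[0], cert)
	if err != nil {
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s", cert.SerialNumber, rc.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

// crlFor serves the cached CRL while it is valid; otherwise it downloads, verifies and caches a fresh one.
func (c *CDPChecker) crlFor(url string, cert *x509.Certificate) (*x509.RevocationList, error) {
	now := time.Now()
	if crl, ok := c.cache[url]; ok && now.Before(crl.NextUpdate) {
		return crl, nil
	}
	der, err := c.Obtain(url)
	if err != nil {
		return nil, fmt.Errorf("obtain %s: %w", url, err)
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, fmt.Errorf("parse %s: %w", url, err)
	}
	var issuer *x509.Certificate // must be the CA that issued cert, not merely any trusted CA
	for _, ca := range c.Trust {
		if string(ca.RawSubject) == string(cert.RawIssuer) && string(ca.RawSubject) == string(crl.RawIssuer) {
			issuer = ca
		}
	}
	if issuer == nil {
		return nil, fmt.Errorf("CRL %s: issuer is not the certificate issuer or is not in the trust store", url)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return nil, fmt.Errorf("CRL %s: %w", url, err)
	}
	if !now.Before(crl.NextUpdate) {
		return nil, fmt.Errorf("CRL %s expired at %s", url, crl.NextUpdate.UTC().Format(time.RFC3339))
	}
	if c.cache == nil {
		c.cache = map[string]*x509.RevocationList{}
	}
	c.cache[url] = crl
	return crl, nil
}

// demoCRLURL is a hypothetical distribution point; nothing here touches the network.
const demoCRLURL = "http://crl.example.test/ca.crl"

// must panics on error; acceptable only because NewDemoPKI builds test data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewDemoPKI builds constructed test data: a CA, its DER CRL and client certificates keyed
// "revoked" and "valid" (both carry a CDP extension) and "nocdp" (no extension).
func NewDemoPKI() (ca *x509.Certificate, crlDER []byte, leaves map[string]*x509.Certificate) {
	now := time.Now()
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	issue := func(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey) *x509.Certificate {
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, parent, pub, caKey))))
	}
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		SubjectKeyId: []byte("demo-ca"), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = issue(caTpl, caTpl, &caKey.PublicKey)
	leaves = map[string]*x509.Certificate{}
	for i, name := range []string{"revoked", "valid", "nocdp"} {
		tpl := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 2)), Subject: pkix.Name{CommonName: name},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
		if name != "nocdp" {
			tpl.CRLDistributionPoints = []string{demoCRLURL}
		}
		leaves[name] = issue(tpl, ca, &leafKey.PublicKey)
	}
	crlDER = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaves["revoked"].SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}, ca, caKey))
	return ca, crlDER, leaves
}
```

Two design points matter here: the CRL is matched to the issuer of the certificate being checked, not to "any trusted CA", so a CRL signed by an unrelated but trusted CA cannot vouch for a certificate it never issued; and an expired CRL is refused rather than silently reused, which is the secure default the plugin's own cache also follows (it updates an expired CRL before a check).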

CRL HTTP Obtainer

Description
Fetches the CRL from the URL given in the certificate's CRL distribution point, or from the URL configured in "Overwrite URL". Further HTTP client settings (basic authentication, proxy, TLS trust, timeouts) can be configured.
Type name
CrlHTTPObtainer
Class
com.airlock.iam.core.misc.impl.cert.crl.CrlHTTPObtainer
May be used by
Properties
Overwrite URL (overwriteURL)
Description
The URL to use instead of the default URL in the certificate.
Attributes
String
Optional
Example
https://localhost:8080/mypki/clients.crl
Example
http://crl.verisign.com/Class3InternationalServer.crl
Factory (factory)
Description
Creates a friendly representation of the X509 CRL.
Attributes
Plugin-Link
Optional
Assignable plugins
Basic Auth Username (basicAuthUsername)
Description
Username used to fetch the CRL when basic authentication is required to access the URL. Used in conjunction with property basic-auth-password.
Attributes
String
Optional
Example
johndoe
Basic Auth Password (basicAuthPassword)
Description
Password used to fetch the CRL when basic authentication is required to access the URL. Used in conjunction with property basic-auth-username.
Attributes
String
Optional
Sensitive
Proxy Host (proxyHost)
Description
The HTTP proxy host if connections to the specified URL must be made through an HTTP proxy.
Attributes
String
Optional
Example
gw.foo.bar
Example
192.168.12.13
Proxy Port (proxyPort)
Description
The HTTP proxy port if connections to the specified URL must be made through an HTTP proxy.
Attributes
Integer
Optional
Proxy Login User (proxyLoginUser)
Description
The user for authentication at the HTTP proxy server. Using an HTTP proxy does not necessarily require this property; whether it is needed depends on the proxy configuration.
Attributes
String
Optional
Example
felix
Example
jdoe
Proxy Login Password (proxyLoginPassword)
Description
The password for authentication at the HTTP proxy server. Using an HTTP proxy does not necessarily require this property; whether it is needed depends on the proxy configuration.
Attributes
String
Optional
Sensitive
Allow Only Trusted Certs (allowOnlyTrustedCerts)
Description

Only allow connections to servers whose certificate is trusted. See documentation of property "Trust Store Path" for more information about what certificates are trusted.

Security warning: Trusting all certificates allows connections to adversarial hosts. Only disable this property for testing and integration setups.

Attributes
Boolean
Optional
Default value
true
Verify Server Hostname (verifyServerHostname)
Description

Enables hostname verification, i.e. the actual hostname must be the same as in the server certificate.

Security warning: Not verifying the hostname may allow connections to adversarial hosts, e.g. if they employ DNS spoofing. Only disable this property for testing and integration setups.

Attributes
Boolean
Optional
Default value
true
Trust Store Path (trustStorePath)
Description
Keystore file name containing trusted certificate issuers (and trusted certificates).

If this property is not defined the following certificate issuers are trusted:

  • The list of issuers known to the Java VM if the system property "javax.net.ssl.trustStore" is not defined.
  • The list of issuers in a keystore referenced by system property "javax.net.ssl.trustStore" if defined in instance.properties using iam.java.opts

If this property is defined then the following certificate issuers are trusted:

  • The list of issuers in the referenced truststore file and no others.

This property is only relevant if the property "Allow Only Trusted Certs" is enabled.

Attributes
File/Path
Optional
Trust Store Type (trustStoreType)
Description
Identifies the type of the keystore.
Attributes
String
Optional
Default value
JKS
Allowed values
JKS, PKCS12
Trust Store Password (trustStorePassword)
Description
The password used to verify the authenticity of the trust store.

Depending on the keystore type, leaving this property empty (or undefined) has a different effect:

  • JKS: the keystore can be opened and used but the integrity of the keystore is not checked.
  • PKCS12: an error occurs.

Attributes
String
Optional
Sensitive
Connect/Read Timeout [s] (connectTimeout)
Description
The connection and read timeout in seconds. A timeout value of zero is interpreted as 60 seconds.
Attributes
Integer
Optional
Default value
5
Correlation ID Header Name (correlationIdHeaderName)
Description

When configured, every request sent contains a header with the configured name carrying the correlation ID of the current request. If no value or an empty value is specified, the correlation ID header is not sent.

If no correlation ID is defined for the current request, the header is likewise not included.

Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_-]+
Suggested values
X-Correlation-ID
YAML Template (with default values)

type: CrlHTTPObtainer
id: CrlHTTPObtainer-xxxxxx
displayName: 
comment: 
properties:
  allowOnlyTrustedCerts: true
  basicAuthPassword:
  basicAuthUsername:
  connectTimeout: 5
  correlationIdHeaderName:
  factory:
  overwriteURL:
  proxyHost:
  proxyLoginPassword:
  proxyLoginUser:
  proxyPort:
  trustStorePassword:
  trustStorePath:
  trustStoreType: JKS
  verifyServerHostname: true
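
The Go program below is an added example, not Airlock IAM code, showing how the transport-related properties of this plugin translate into an HTTP client and why the two security warnings above matter. The ObtainerConfig field names mirror the properties on this page; the size cap on the response body, the TLS 1.2 minimum and the way "verify the chain but not the hostname" is implemented are the author's choices, since Go has no single switch for the latter. The test exercises it against a local TLS test server with a constructed CRL body.

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"strconv"
	"time"
)

// ObtainerConfig mirrors the CrlHTTPObtainer properties that shape the HTTP client.
type ObtainerConfig struct {
	URL                   string
	AllowOnlyTrustedCerts bool           // false: every server certificate is accepted (test setups only)
	VerifyServerHostname  bool           // false: the chain is still verified, the name in it is not
	TrustStore            *x509.CertPool // nil: the process's default roots, like an unset trustStorePath
	BasicAuthUser         string
	BasicAuthPassword     string
	ProxyHost             string // "" means a direct connection
	ProxyPort             int
	ProxyLoginUser        string
	ProxyLoginPassword    string
	Timeout               time.Duration // zero is read as 60 s, as the page states
	CorrelationIDHeader   string        // "" disables the header
}

// HTTPObtainer downloads a CRL with the transport settings derived from its config.
type HTTPObtainer struct {
	cfg    ObtainerConfig
	client *http.Client
}

func NewHTTPObtainer(cfg ObtainerConfig) *HTTPObtainer {
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: cfg.TrustStore}
	switch {
	case !cfg.AllowOnlyTrustedCerts:
		tlsCfg.InsecureSkipVerify = true // an attacker on the path can now serve any CRL it likes
	case !cfg.VerifyServerHostname:
		// Go has no "check the chain but not the name" switch: disable the built-in check and
		// redo the chain verification ourselves with an empty DNSName.
		tlsCfg.InsecureSkipVerify = true
		tlsCfg.VerifyPeerCertificate = func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 {
				return errors.New("server presented no certificate")
			}
			leaf, err := x509.ParseCertificate(raw[0])
			if err != nil {
				return err
			}
			inter := x509.NewCertPool()
			for _, b := range raw[1:] {
				if c, err := x509.ParseCertificate(b); err == nil {
					inter.AddCert(c)
				}
			}
			_, err = leaf.Verify(x509.VerifyOptions{Roots: cfg.TrustStore, Intermediates: inter})
			return err
		}
	}
	transport := &http.Transport{TLSClientConfig: tlsCfg}
	if cfg.ProxyHost != "" {
		proxy := &url.URL{Scheme: "http", Host: net.JoinHostPort(cfg.ProxyHost, strconv.Itoa(cfg.ProxyPort))}
		if cfg.ProxyLoginUser != "" {
			proxy.User = url.UserPassword(cfg.ProxyLoginUser, cfg.ProxyLoginPassword)
		}
		transport.Proxy = http.ProxyURL(proxy)
	}
	timeout := cfg.Timeout
	if timeout == 0 {
		timeout = 60 * time.Second
	}
	return &HTTPObtainer{cfg: cfg, client: &http.Client{Transport: transport, Timeout: timeout}}
}

// Fetch downloads the CRL bytes. The correlation ID is sent only when a header name is configured
// and a non-empty ID is available for the request.
func (o *HTTPObtainer) Fetch(ctx context.Context, correlationID string) ([]byte, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, o.cfg.URL, nil)
	if err != nil {
		return nil, err
	}
	if o.cfg.BasicAuthUser != "" {
		req.SetBasicAuth(o.cfg.BasicAuthUser, o.cfg.BasicAuthPassword)
	}
	if o.cfg.CorrelationIDHeader != "" && correlationID != "" {
		req.Header.Set(o.cfg.CorrelationIDHeader, correlationID)
	}
	resp, err := o.client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("CRL download %s: HTTP %d", o.cfg.URL, resp.StatusCode)
	}
	return io.ReadAll(io.LimitReader(resp.Body, 8<<20)) // 8 MiB cap so a hostile server cannot exhaust memory
}
```

The ordering of the switch reflects the page's two warnings: with allowOnlyTrustedCerts disabled nothing about the server is verified, so the hostname setting is irrelevant; with it enabled but verifyServerHostname disabled, the chain must still anchor in the trust store, otherwise an attacker who can redirect traffic (the DNS spoofing case named above) could present any certificate.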

Cronto Activation Possible

Description
Flow selection condition that determines whether the user can activate a Cronto device. A Cronto device activation is possible if the user either has a valid activation letter with remaining activations or, if configured, the user is allowed to activate Cronto without a letter (e.g. in migration use cases).
Type name
CrontoActivationPossibleCondition
Class
com.airlock.iam.flow.shared.application.configuration.cronto.CrontoActivationPossibleConditionConfig
May be used by
User Identification By Data Step, OAuth 2.0 Consent Grant Initiation Step, FIDO Registration Step, Set Context Data Step, Legacy ID Propagation Adapter, Airlock 2FA Activation Trusted Session Binding Step, Selection Step for Self-Service, Cronto Device Reset Step, Default Enable Cronto Device Flow, Airlock 2FA Authentication Step, OAuth 2.0 Client Persisting Step, Send Email Link Step, Phone Number Verification Step, Set Authentication Method Step, Email OTP Authentication Step, FIDO Transaction Approval Step, HTTP Basic Authentication Step, Delete OAuth 2.0 Session Initiation Step, Secret Questions Identity Verification Step, Custom Protected Self-Service Flow, SSI Passwordless Authentication Step, User Data Registration Step, Failure Step, Select mTAN Token Step, SAML 2.0 SP User Identifying Step, Account Link Removal Initiation Step, No Operation Step, Cronto Transaction Approval Step, Cronto Device List, OAuth 2.0 Client Registration Step, Password Change Self-Service Step, Airlock 2FA Device Deletion Initiation Step, Apply Changes Step, Selection Option For Public Self-Service, Airlock 2FA Activation Step (with additional Activation), Legacy mTAN Registration Flow, Enable Cronto Push Initiation Step, Start User Representation Step, Selection Option For User Self-Registration, OAuth 2.0 Session List, Representation SSO Ticket Identifying Step, User Role Assignment Step, Default Cronto Device Removal Flow, Email Verification Step, OATH OTP Activation Step, Airlock 2FA Mobile Only Authentication Step, Target Applications and Authentication, Airlock 2FA Public Self-Service Approval Step, Default OAuth 2.0 Consent Grant Flow, FIDO Credential Selection Step, Matrix Self-Service Approval Step, User Data Edit Step, Set Password Step, Cronto Letter Order Step, Username Password Authentication Step, Default Cronto Device Renaming Flow, OIDC Flow Condition To ACR Value Mapping, Default FIDO Credential Display Name Change Flow, Selection Step, Default mTAN Deletion Flow, Cronto Activation Step, Remember-Me Device List, User Identification By Data Step (Public Self-Service), Vasco OTP Authentication Step, User Lock Step, Logical NOT, Certificate Credential Extraction Step, Stop User Representation Step, OAuth 2.0 Consents Delete Initiation Step, Default FIDO Credential Removal Flow, mTAN Token Edit Step, CrontoSign Swiss Push Activation Step, Airlock 2FA Transaction Approval Step, Missing Account Link Step, User Identification Step, Rename Cronto Device Step, User Identification with FIDO Authentication Step, Airlock 2FA Recovery Trusted Session Binding Step, Default Account Link Linking Flow, User Persisting Step, Secret Questions Provisioning Step, Selection Option For Self-Service, Kerberos Authentication Step, Complete Migration Step, Never Migrate Step, Application Portal Target, Migration Selection Step, Account Link Linking Initiation Step, Username Generation Step, Airlock 2FA Device List, Email Notification Step, Airlock 2FA Activation Letter Order Step, SMS Identity Verification Step, Matrix Public Self-Service Approval Step, Default Enable FIDO Credential Flow, Airlock 2FA Device Edit Initiation Step, Enable Cronto Device Initiation Step, Matrix Checking Step, Red Flag Raising Step, Scriptable Step, Login From New Device Step, Default Disable Cronto Push Flow, FIDO Credential List, Password Letter Order Step, Device Token Authentication Step, Unlock User Step (Public Self-Service), Condition-based Role Provider, Set Authentication Method Migration Step, SSI Issuance Step, Default mTAN Token Registration Flow, Default Remember-Me Device Deletion Flow, FIDO Passwordless Authentication Step, Remember-Me User Identifying Step, Password Reset Step, Selection Option, FIDO Authentication Step, On Behalf Login Identity Propagation, Terms Of Services Step, Email Change Verification Step, Vasco OTP Self-Service Approval Step, Airlock 2FA Delete Devices Step, Password-only Authentication Step, SSI Self-Registration Issuance Step, Username Password with FIDO Authentication Step, User Identification Step (Public Self-Service), SSI Verification Step, mTAN Self-Service Approval Step, Legacy Email OTP Authentication Step, Cronto Device Selection Step, OAuth 2.0 Consent List, Abort Step, mTAN Token Registration Step, Email OTP Transaction Approval Step, Default Disable FIDO Credential Flow, Default mTAN Token Edit Flow, Disable FIDO Credential Initiation Step, Enable FIDO Credential Initiation Step, OAuth 2.0 SSO Step, Remember-Me Reset Step, Cronto Authentication Step, Delete Remember-Me Device Initiation Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, Airlock 2FA Usernameless Authentication Step, Email Identity Verification Step, Default OAuth 2.0 Consent Deny Flow, OATH OTP Authentication Step, Password Repository Mapping, Target URI ID Propagator, Vasco OTP Public Self-Service Approval Step, OTP Check via RADIUS Step, Disable Cronto Push Initiation Step, Cronto Public Self-Service Approval Step, OAuth 2.0 Session Reset Step, OAuth 2.0 Consent Deny Initiation Step, Flow Condition-based OAuth 2.0 Scope Condition, Flow Condition To Authentication Context Mapping, mTAN Verification Step, Delete mTAN Number Initiation Step, Default OAuth 2.0 Consents Delete Flow, Generic ID Propagator, mTAN Public Self-Service Approval Step, OAuth 2.0 Consent Step, Transaction Approval Parameter Step, Role-based Tag Acquisition Step, Flow Continuation Step, Remember-Me Token Generating Step, Device Token Registration Step, Cronto Self-Service Approval Step, SSI Authentication Step, Acknowledge Message Step, Default Enable Cronto Push Flow, Cronto Approval Stealth Step, Airlock 2FA Device Edit Step, Airlock 2FA Self-Service Approval Step, Flow Continuation Token Consumption Step, Device Token Identity Verification Step, mTAN Transaction Approval Step, Device Token List, Account Linking Lists Self Services, Risk Assessment Step, Default Account Link Removal Flow, mTAN Number List, mTAN Authentication Step, Advanced Migration Selection Option, SSO Ticket Authentication Step, Tag Removal Step, Voluntary Password Change Step, Airlock 2FA Activation Step, FIDO Credential Display Name Change Step, Mandatory Password Change Step, User Unlock Step (Self-Registration), Selection Step for Public Self-Service, Delete FIDO Credential Initiation Step, Delete Cronto Device Initiation Step, Conditional Value Map Provider, Logical AND, FIDO Public Self-Service Approval Step, Public Self-Service OATH OTP Approval Step, Disable Cronto Device Initiation Step, Default OAuth 2.0 Session Deletion Flow, FIDO Self-Service Approval Step, Default Disable Cronto Device Flow, Logical OR
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
The Cronto Handler to load the user's Cronto activation letters.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Strong Authentication Tag (strongAuthenticationTag)
Description
If this tag is present, which indicates strong authentication (typically two factors), Cronto activation without an activation letter is considered a possible Cronto activation method. If the tag is not configured, Cronto activation without a letter is not considered a possible activation method.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: CrontoActivationPossibleCondition
id: CrontoActivationPossibleCondition-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  strongAuthenticationTag:

Cronto Activation Required

Description
Flow selection condition that selects the subflow depending on whether a Cronto activation is required. A Cronto device activation is required if the user has no (active) Cronto device and either has a valid activation letter with remaining activations or is allowed to activate Cronto without an activation letter (typically in migration use cases).
Type name
CrontoActivationRequiredCondition
Class
com.airlock.iam.flow.shared.application.configuration.condition.CrontoActivationRequiredConditionConfig
May be used by
User Identification By Data Step, OAuth 2.0 Consent Grant Initiation Step, FIDO Registration Step, Set Context Data Step, Legacy ID Propagation Adapter, Airlock 2FA Activation Trusted Session Binding Step, Selection Step for Self-Service, Cronto Device Reset Step, Default Enable Cronto Device Flow, Airlock 2FA Authentication Step, OAuth 2.0 Client Persisting Step, Send Email Link Step, Phone Number Verification Step, Set Authentication Method Step, Email OTP Authentication Step, FIDO Transaction Approval Step, HTTP Basic Authentication Step, Delete OAuth 2.0 Session Initiation Step, Secret Questions Identity Verification Step, Custom Protected Self-Service Flow, SSI Passwordless Authentication Step, User Data Registration Step, Failure Step, Select mTAN Token Step, SAML 2.0 SP User Identifying Step, Account Link Removal Initiation Step, No Operation Step, Cronto Transaction Approval Step, Cronto Device List, OAuth 2.0 Client Registration Step, Password Change Self-Service Step, Airlock 2FA Device Deletion Initiation Step, Apply Changes Step, Selection Option For Public Self-Service, Airlock 2FA Activation Step (with additional Activation), Legacy mTAN Registration Flow, Enable Cronto Push Initiation Step, Start User Representation Step, Selection Option For User Self-Registration, OAuth 2.0 Session List, Representation SSO Ticket Identifying Step, User Role Assignment Step, Default Cronto Device Removal Flow, Email Verification Step, OATH OTP Activation Step, Airlock 2FA Mobile Only Authentication Step, Target Applications and Authentication, Airlock 2FA Public Self-Service Approval Step, Default OAuth 2.0 Consent Grant Flow, FIDO Credential Selection Step, Matrix Self-Service Approval Step, User Data Edit Step, Set Password Step, Cronto Letter Order Step, Username Password Authentication Step, Default Cronto Device Renaming Flow, OIDC Flow Condition To ACR Value Mapping, Default FIDO Credential Display Name Change Flow, Selection Step, Default mTAN Deletion Flow, Cronto Activation Step, Remember-Me Device List, User Identification By Data Step (Public Self-Service), Vasco OTP Authentication Step, User Lock Step, Logical NOT, Certificate Credential Extraction Step, Stop User Representation Step, OAuth 2.0 Consents Delete Initiation Step, Default FIDO Credential Removal Flow, mTAN Token Edit Step, CrontoSign Swiss Push Activation Step, Airlock 2FA Transaction Approval Step, Missing Account Link Step, User Identification Step, Rename Cronto Device Step, User Identification with FIDO Authentication Step, Airlock 2FA Recovery Trusted Session Binding Step, Default Account Link Linking Flow, User Persisting Step, Secret Questions Provisioning Step, Selection Option For Self-Service, Kerberos Authentication Step, Complete Migration Step, Never Migrate Step, Application Portal Target, Migration Selection Step, Account Link Linking Initiation Step, Username Generation Step, Airlock 2FA Device List, Email Notification Step, Airlock 2FA Activation Letter Order Step, SMS Identity Verification Step, Matrix Public Self-Service Approval Step, Default Enable FIDO Credential Flow, Airlock 2FA Device Edit Initiation Step, Enable Cronto Device Initiation Step, Matrix Checking Step, Red Flag Raising Step, Scriptable Step, Login From New Device Step, Default Disable Cronto Push Flow, FIDO Credential List, Password Letter Order Step, Device Token Authentication Step, Unlock User Step (Public Self-Service), Condition-based Role Provider, Set Authentication Method Migration Step, SSI Issuance Step, Default mTAN Token Registration Flow, Default Remember-Me Device Deletion Flow, FIDO Passwordless Authentication Step, Remember-Me User Identifying Step, Password Reset Step, Selection Option, FIDO Authentication Step, On Behalf Login Identity Propagation, Terms Of Services Step, Email Change Verification Step, Vasco OTP Self-Service Approval Step, Airlock 2FA Delete Devices Step, Password-only Authentication Step, SSI Self-Registration Issuance Step, Username Password with FIDO Authentication Step, User Identification Step (Public Self-Service), SSI Verification Step, mTAN Self-Service Approval Step, Legacy Email OTP Authentication Step, Cronto Device Selection Step, OAuth 2.0 Consent List, Abort Step, mTAN Token Registration Step, Email OTP Transaction Approval Step, Default Disable FIDO Credential Flow, Default mTAN Token Edit Flow, Disable FIDO Credential Initiation Step, Enable FIDO Credential Initiation Step, OAuth 2.0 SSO Step, Remember-Me Reset Step, Cronto Authentication Step, Delete Remember-Me Device Initiation Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, Airlock 2FA Usernameless Authentication Step, Email Identity Verification Step, Default OAuth 2.0 Consent Deny Flow, OATH OTP Authentication Step, Password Repository Mapping, Target URI ID Propagator, Vasco OTP Public Self-Service Approval Step, OTP Check via RADIUS Step, Disable Cronto Push Initiation Step, Cronto Public Self-Service Approval Step, OAuth 2.0 Session Reset Step, OAuth 2.0 Consent Deny Initiation Step, Flow Condition-based OAuth 2.0 Scope Condition, Flow Condition To Authentication Context Mapping, mTAN Verification Step, Delete mTAN Number Initiation Step, Default OAuth 2.0 Consents Delete Flow, Generic ID Propagator, mTAN Public Self-Service Approval Step, OAuth 2.0 Consent Step, Transaction Approval Parameter Step, Role-based Tag Acquisition Step, Flow Continuation Step, Remember-Me Token Generating Step, Device Token Registration Step, Cronto Self-Service Approval Step, SSI Authentication Step, Acknowledge Message Step, Default Enable Cronto Push Flow, Cronto Approval Stealth Step, Airlock 2FA Device Edit Step, Airlock 2FA Self-Service Approval Step, Flow Continuation Token Consumption Step, Device Token Identity Verification Step, mTAN Transaction Approval Step, Device Token List, Account Linking Lists Self Services, Risk Assessment Step, Default Account Link Removal Flow, mTAN Number List, mTAN Authentication Step, Advanced Migration Selection Option, SSO Ticket Authentication Step, Tag Removal Step, Voluntary Password Change Step, Airlock 2FA Activation Step, FIDO Credential Display Name Change Step, Mandatory Password Change Step, User Unlock Step (Self-Registration), Selection Step for Public Self-Service, Delete FIDO Credential Initiation Step, Delete Cronto Device Initiation Step, Conditional Value Map Provider, Logical AND, FIDO Public Self-Service Approval Step, Public Self-Service OATH OTP Approval Step, Disable Cronto Device Initiation Step, Default OAuth 2.0 Session Deletion Flow, FIDO Self-Service Approval Step, Default Disable Cronto Device Flow, Logical OR
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
The Cronto Handler to manage the user's Cronto devices and activation letters.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Include Inactive Devices (includeInactiveDevices)
Description
Flag that determines whether inactive devices are included when deciding whether the user already has a Cronto device.
Attributes
Boolean
Optional
Default value
false
Strong Authentication Tag (strongAuthenticationTag)
Description
This tag indicates strong authentication (typically two factors) and thus considers Cronto activation without a letter as a possible Cronto activation method. If the tag is not configured, Cronto activation without a letter is not considered as a possible Cronto activation method.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: CrontoActivationRequiredCondition
id: CrontoActivationRequiredCondition-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  includeInactiveDevices: false
  strongAuthenticationTag:

Cronto Activation Step

Description
Configuration for a Cronto activation flow step.
Type name
CrontoActivationStep
Class
com.airlock.iam.flow.shared.application.configuration.cronto.CrontoActivationStepConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

Attributes
String
Optional
Length <= 23
Default value
CRONTO
Strong Authentication Tag (strongAuthenticationTag)
Description

If configured, this tag indicates strong authentication (typically two factors) and thus enables Cronto on-screen activation. The configured tag has to be obtained by an authentication step. In addition, the property "Enable On-Screen Activation" on the Cronto Handler must be enabled and all described conditions of the property must be fulfilled. This feature is typically used for migration use cases.

For security reasons, it is important to configure a strong authentication tag.

Attributes
Plugin-Link
Optional
Assignable plugins
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CrontoActivationStep
id: CrontoActivationStep-xxxxxx
displayName: 
comment: 
properties:
  authenticationMethodId: CRONTO
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  strongAuthenticationTag:
  tagsOnSuccess:

Cronto Approval Stealth Step

Description

Cronto approval stealth step for public self-service flows.

This step displays a random dummy Cronto cryptogram and classifies any response OTP as wrong. Thus, it can never be successfully completed. It is intended to be used to avoid information leaking about users. Externally it behaves like the real Cronto approval step for public self-service flows.

This step is needed if the Cronto approval is used instead of a user verification step. Because the real Cronto approval step cannot be used for nonexistent or otherwise invalid users, a selection must be configured, using the "Public Self-Service Allowed Condition" to ensure that only users that are allowed to do public self-services enter the real Cronto step, while the other users end up in the stealth step.

Note that push and online validation have to be disabled in the real Cronto step, otherwise information would be leaked because it could behave differently for existing users (e.g. show push device selection). The configured authentication method ID must be the same as that of the real Cronto step. Also make sure the configured Flow Processors and Flow Restrictions in the public self-service flow allow nonexistent users and do not provide user feedback.

Type name
CrontoPublicSelfServiceApprovalStealthStep
Class
com.airlock.iam.publicselfservice.application.configuration.steps.CrontoPublicSelfServiceApprovalStealthStepConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description

Handles all Cronto-specific actions.

When the Cronto app communicates directly with IAM (for online validation and push notification management), these requests arrive on a separate session and must therefore be handled by a separate, global Cronto Handler defined under "Cronto App Communication" in the Loginapp.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

Attributes
String
Optional
Length <= 23
Default value
CRONTO
Max Response Retries (maxResponseRetries)
Description

The number of times the user may enter a wrong response before the flow is aborted (and the challenge is deleted). If set to 0, only one attempt is possible per challenge.

The purpose of this setting is usability only. The failed attempts counter is always increased upon receiving a wrong OTP, and the user is locked when the global failed attempts limit is exceeded, regardless of this value.

Attributes
Integer
Optional
Default value
3
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CrontoPublicSelfServiceApprovalStealthStep
id: CrontoPublicSelfServiceApprovalStealthStep-xxxxxx
displayName: 
comment: 
properties:
  authenticationMethodId: CRONTO
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  maxResponseRetries: 3
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:
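
The routing described above for the stealth step, as an added example that is not part of the Airlock IAM product or its documentation. It models a real public self-service approval step and a stealth step behind a selection that stands in for the "Public Self-Service Allowed Condition", and checks that an unauthenticated caller observes the same response keys, the same authentication method and the same failure status for an existing and a nonexistent user. The Cronto response computation (a truncated HMAC over a random cryptogram), the user store, the response field names ("cryptogram", "pushDevices") and the status strings are all constructed for this example; the `pushDevices` field shows why push and online validation must be disabled in the real step.

```python
"""Added example (not Airlock IAM code): real vs. stealth approval step, and the
observable difference that push selection would introduce.

Assumptions (constructed): OTP = truncated HMAC over the cryptogram, invented
REST field names and status strings, one existing user 'alice'.
"""
import hashlib
import hmac
import secrets

DEVICE_KEYS = {"alice": b"alice-cronto-device-key"}   # constructed: only alice exists
OTP_DIGITS = 6


def otp_for(device_key: bytes, cryptogram: bytes) -> str:
    """Hypothetical stand-in for the device's response computation."""
    mac = hmac.new(device_key, cryptogram, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


class RealApprovalStep:
    AUTH_METHOD = "CRONTO"

    def __init__(self, push_enabled=False):
        self.push_enabled = push_enabled

    def init(self, username):
        self.username = username
        self.cryptogram = secrets.token_bytes(16)
        resp = {"authenticationMethod": self.AUTH_METHOD, "cryptogram": self.cryptogram.hex()}
        if self.push_enabled:                 # push device selection reveals that a device exists
            resp["pushDevices"] = [f"{username}-phone"]
        return resp

    def check(self, otp):
        expected = otp_for(DEVICE_KEYS[self.username], self.cryptogram)
        ok = hmac.compare_digest(expected, otp)
        return {"authenticationMethod": self.AUTH_METHOD, "status": "OK" if ok else "WRONG_RESPONSE"}


class StealthApprovalStep:
    AUTH_METHOD = RealApprovalStep.AUTH_METHOD   # must equal the real step's authenticationMethodId

    def init(self, username):
        self.cryptogram = secrets.token_bytes(16)   # random dummy cryptogram, bound to no device
        return {"authenticationMethod": self.AUTH_METHOD, "cryptogram": self.cryptogram.hex()}

    def check(self, otp):
        # Any response is classified as wrong; the step can never be completed.
        return {"authenticationMethod": self.AUTH_METHOD, "status": "WRONG_RESPONSE"}


def public_self_service_allowed(username):
    """Stand-in for the 'Public Self-Service Allowed Condition' used in the selection step."""
    return username in DEVICE_KEYS


def select_step(username, push_enabled=False):
    if public_self_service_allowed(username):
        return RealApprovalStep(push_enabled)
    return StealthApprovalStep()


def observe(username, otp, push_enabled=False):
    """Everything an unauthenticated caller can see from one init plus one wrong check."""
    step = select_step(username, push_enabled)
    init_keys = tuple(sorted(step.init(username)))
    result = step.check(otp)
    return init_keys, result["authenticationMethod"], result["status"]


def leaks_user_existence(push_enabled=False):
    """True if an existing and a nonexistent user yield different observables."""
    bad_otp = "x" * OTP_DIGITS                    # can never match a digit-only response
    return observe("alice", bad_otp, push_enabled) != observe("mallory", bad_otp, push_enabled)


def approve(username):
    """A device holder computes the correct response; anyone else lands in the stealth path."""
    step = select_step(username)
    init = step.init(username)
    key = DEVICE_KEYS.get(username)
    otp = otp_for(key, bytes.fromhex(init["cryptogram"])) if key else "0" * OTP_DIGITS
    return step.check(otp)["status"]


if __name__ == "__main__":
    print("leaks without push:", leaks_user_existence(False))   # False
    print("leaks with push:   ", leaks_user_existence(True))    # True
    print("alice:", approve("alice"), "mallory:", approve("mallory"))
```

The check in `leaks_user_existence` is the one to keep in mind when reviewing such a flow: compare the full response of the real and the stealth path for a wrong OTP, not just the status code, and repeat it for every optional feature (push, online validation, custom response attributes) that the real step could add to its response.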

Cronto Authentication Step

Description
Configuration for a Cronto authentication flow step.
Type name
CrontoAuthStep
Class
com.airlock.iam.authentication.application.configuration.cronto.CrontoAuthStepConfig
May be used by
License-Tags
Cronto
Properties
Authenticate Push Devices Only (authenticatePushDevicesOnly)
Description

If this flag is set and there is no push-enabled device for the user, authentication is not possible.

This feature may be used for mobile application logins, where showing a cryptogram on the same device is not appropriate.

Attributes
Boolean
Optional
Default value
false
Push Selection For Single Device (pushSelectionForSingleDevice)
Description
If enabled, the step also asks for push device selection if there is only one push device enabled. Since the selection always includes the "offline" option, this can be used for "app-to-app" setups, where push messages should never be sent.
Attributes
Boolean
Optional
Default value
false
Show Login ID On Push (showLoginIdOnPush)
Description

If this flag is set, a random ID is generated and shown to the user during push login.

The ID is shown on the Cronto device with the push message and on the login page, allowing the user to correlate a push message with a login session.

Attributes
Boolean
Optional
Default value
false
Message Provider (messageProvider)
Description
Message provider to create the login message.
Attributes
Plugin-Link
Optional
Assignable plugins
Cronto Handler (crontoHandler)
Description

Handles all Cronto-specific actions.

When the Cronto app communicates directly with IAM (for online validation and push notification management), these requests arrive on a separate session and must therefore be handled by a separate, global Cronto Handler defined under "Cronto App Communication" in the Loginapp.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

Attributes
String
Optional
Length <= 23
Default value
CRONTO
Max Response Retries (maxResponseRetries)
Description

The number of times the user may enter a wrong response before the flow is aborted (and the challenge is deleted). If set to 0, only one attempt is possible per challenge.

The purpose of this setting is usability only. The failed attempts counter is always increased upon receiving a wrong OTP, and the user is locked when the global failed attempts limit is exceeded, regardless of this value.

Attributes
Integer
Optional
Default value
3
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CrontoAuthStep
id: CrontoAuthStep-xxxxxx
displayName: 
comment: 
properties:
  authenticatePushDevicesOnly: false
  authenticationMethodId: CRONTO
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  maxResponseRetries: 3
  messageProvider:
  onFailureGotos:
  preCondition:
  pushSelectionForSingleDevice: false
  requiresActivation: false
  showLoginIdOnPush: false
  skipCondition:
  stepId:
  tagsOnSuccess:
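
The brute-force scenario from the "Authentication Method ID" descriptions of the Cronto steps above, together with the "Max Response Retries" note, as an added example that is not part of Airlock IAM. It models failed-attempt counters keyed by authentication method ID, a successful check resetting only its own counter, and a per-challenge retry limit that aborts the challenge without locking. The attacker knows credential 1 (checked in flow A) and guesses credential 2 (checked in flow B); with a shared ID the counter is reset via flow A after every aborted challenge, with distinct IDs the lock triggers. The global lock limit of 5, the counter semantics, the credential names and the 4-digit guess space are assumptions of this model.

```python
"""Added example (not Airlock IAM code): per-method failed-attempt counters and
why two steps checking different credentials need distinct authenticationMethodIds.

Assumptions: global lock limit 5; counters keyed by (user, authenticationMethodId);
a successful check resets only its own counter; more than maxResponseRetries wrong
responses abort the challenge without locking.
"""
import hmac
from dataclasses import dataclass, field

LOCK_LIMIT = 5  # assumed global failed-attempts limit


@dataclass
class User:
    name: str
    secrets: dict                                   # credential name -> secret (constructed)
    failed: dict = field(default_factory=dict)      # authenticationMethodId -> counter
    locked: bool = False


@dataclass
class CredentialStep:
    credential: str          # which of the user's secrets this step checks
    auth_method_id: str      # the step's authenticationMethodId
    max_response_retries: int = 3

    def run(self, user, responses):
        """Process responses to one challenge; returns (result, responses_consumed)."""
        wrong = consumed = 0
        for resp in responses:
            if user.locked:
                return "LOCKED", consumed
            consumed += 1
            if hmac.compare_digest(resp, user.secrets[self.credential]):
                user.failed[self.auth_method_id] = 0           # success resets only this counter
                return "OK", consumed
            user.failed[self.auth_method_id] = user.failed.get(self.auth_method_id, 0) + 1
            if user.failed[self.auth_method_id] > LOCK_LIMIT:  # global limit exceeded: lock
                user.locked = True
                return "LOCKED", consumed
            wrong += 1
            if wrong > self.max_response_retries:              # usability abort, no lock
                return "ABORTED", consumed
        return "ABORTED", consumed


def batches(seq, size):
    for i in range(0, len(seq), size):
        yield seq[i:i + size]


def attack(distinct_ids, secret2="0042", retries=3):
    """Attacker knows pw1 (flow A) and guesses pw2 (flow B), resetting counters via flow A.

    Returns (outcome, number_of_guesses_on_flow_B)."""
    user = User("alice", {"pw1": "known-to-attacker", "pw2": secret2})
    flow_a = CredentialStep("pw1", "PASSWORD", retries)
    flow_b = CredentialStep("pw2", "PASSWORD2" if distinct_ids else "PASSWORD", retries)
    guesses = [f"{i:04d}" for i in range(10_000)]      # constructed 4-digit PIN space
    tried = 0
    for batch in batches(guesses, flow_b.max_response_retries + 1):
        result, n = flow_b.run(user, batch)
        tried += n
        if result != "ABORTED":                          # found the secret, or got locked
            return result, tried
        flow_a.run(user, ["known-to-attacker"])          # legitimate login on flow A
    return "EXHAUSTED", tried


if __name__ == "__main__":
    print("shared id  :", attack(distinct_ids=False))            # ('OK', 43): unlimited guesses
    print("distinct id:", attack(distinct_ids=True))             # ('LOCKED', 6)
    print("shared id, retries=0:", attack(False, retries=0))     # ('OK', 43): retries do not help
```

Lowering Max Response Retries changes how often the attacker has to start a new challenge, not how many guesses are possible: only a counter that flow A cannot reset stops the attack.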

Cronto Challenge Token Cleanup Strategy

Description
Task strategy that deletes challenge tokens which have not been consumed after a configured time.
Type name
CrontoChallengeTokenCleanUpStrategy
Class
com.airlock.iam.servicecontainer.app.application.configuration.task.token.CrontoChallengeTokenCleanUpStrategyConfig
May be used by
Properties
Token Data Provider (tokenDataProvider)
Description
The token data provider plugin is used to read all tokens to be handled by this task. Should be configured to only return the tokens that should be handled by this task.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Seconds To Keep Challenge Token (secondsToKeepChallengeToken)
Description
The number of seconds to keep a Cronto challenge token after its expiration date.
Attributes
Integer
Optional
Default value
300
YAML Template (with default values)

type: CrontoChallengeTokenCleanUpStrategy
id: CrontoChallengeTokenCleanUpStrategy-xxxxxx
displayName: 
comment: 
properties:
  secondsToKeepChallengeToken: 300
  tokenDataProvider:

Cronto Device Activated

Description
Event that is triggered by the activation of a Cronto device.
Type name
CrontoDeviceActivatedSubscribedEvent
Class
com.airlock.iam.login.application.configuration.event.CrontoDeviceActivatedSubscribedEventConfig
May be used by
Properties
YAML Template (with default values)

type: CrontoDeviceActivatedSubscribedEvent
id: CrontoDeviceActivatedSubscribedEvent-xxxxxx
displayName: 
comment: 
properties:

Cronto Device Deleted

Description
Event that is triggered by the deletion of a Cronto device.
Type name
CrontoDeviceDeletedSubscribedEvent
Class
com.airlock.iam.common.application.configuration.event.CrontoDeviceDeletedSubscribedEventConfig
May be used by
Properties
YAML Template (with default values)

type: CrontoDeviceDeletedSubscribedEvent
id: CrontoDeviceDeletedSubscribedEvent-xxxxxx
displayName: 
comment: 
properties:

Cronto Device List

Description
Configures the Cronto device list REST self-service. Additional self-service functionality can be configured in "Protected Self-Service Flows".
Type name
CrontoDeviceListSelfServiceRest
Class
com.airlock.iam.selfservice.application.configuration.token.CrontoDeviceListSelfServiceRestConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
The plugin to handle all Cronto operations.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access the Cronto device list.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access the Cronto device list without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: CrontoDeviceListSelfServiceRest
id: CrontoDeviceListSelfServiceRest-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  crontoHandler:

Cronto Device Management UI

Description
Configures Cronto device management user interface.

Depending on the configuration, the user interface allows an authenticated user:

  • to activate a new Cronto device.
  • to order a new Cronto device activation letter.
  • to delete a Cronto device.
  • to rename a Cronto device.
  • to enable a Cronto device.
  • to disable a Cronto device.
  • to enable push for a Cronto device.
  • to disable push for a Cronto device.

The Cronto device management interface is accessible at /<loginapp-uri>/ui/app/protected/tokens/cronto/devices after user authentication.

Type name
CrontoDeviceManagementUi
Class
com.airlock.iam.selfservice.application.configuration.ui.tokens.CrontoDeviceManagementUiConfig
May be used by
License-Tags
Cronto
Properties
Flow To Activate Device (flowToActivateDevice)
Description
ID of the flow which is used for activating a new Cronto device. If not configured, the user will not be able to activate a new Cronto device via the management UI.
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Order Activation Letter (flowToOrderActivationLetter)
Description
ID of the flow which is used for ordering a new Cronto device activation letter. If not configured, the user will not be able to order a new activation letter via the management UI.
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Delete Device (flowToDeleteDevice)
Description
ID of the flow which is used for deletion of a Cronto device. If not configured, the user will not be able to delete a device via the management UI. The first interactive step in the specified flow must be a "Delete Cronto Device Initiation Step".
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Rename Device (flowToRenameDevice)
Description
ID of the flow which is used for renaming a Cronto device. If not configured, the user will not be able to rename a device via the management UI. The first interactive step in the specified flow must be a "Rename Cronto Device Step".
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Enable Device (flowToEnableDevice)
Description
ID of the flow which is used for enabling a Cronto device. If not configured, the user will not be able to enable a Cronto device via the management UI. The first interactive step in the specified flow must be an "Enable Cronto Device Initiation Step".
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Disable Device (flowToDisableDevice)
Description
ID of the flow which is used for disabling a Cronto device. If not configured, the user will not be able to disable a Cronto device via the management UI. The first interactive step in the specified flow must be a "Disable Cronto Device Initiation Step".
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Enable Push (flowToEnablePush)
Description
ID of the flow which is used for enabling push notifications for a Cronto device. If not configured, the user will not be able to enable Cronto Push for a device via the management UI. The first interactive step in the specified flow must be an "Enable Cronto Push Initiation Step".
Attributes
Plugin-Link
Optional
Assignable plugins
Flow To Disable Push (flowToDisablePush)
Description
ID of the flow which is used for disabling push notifications for a Cronto device. If not configured, the user will not be able to disable Cronto Push for a device via the management UI. The first interactive step in the specified flow must be a "Disable Cronto Push Initiation Step".
Attributes
Plugin-Link
Optional
Assignable plugins
Page Exit Target (pageExitTarget)
Description

If configured, an additional button is displayed on the Cronto device management to exit the page. On click, this button redirects the user to the configured target.

To redirect to a target application, redirect to the corresponding "Authentication Flow". If the flow can be skipped due to the obtained tags, the user is directly forwarded to the target application.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: CrontoDeviceManagementUi
id: CrontoDeviceManagementUi-xxxxxx
displayName: 
comment: 
properties:
  flowToActivateDevice:
  flowToDeleteDevice:
  flowToDisableDevice:
  flowToDisablePush:
  flowToEnableDevice:
  flowToEnablePush:
  flowToOrderActivationLetter:
  flowToRenameDevice:
  pageExitTarget:

Cronto Device Management UI Redirect

Description
Redirects to the "Cronto Device Management UI".
Type name
CrontoDeviceManagementFlowRedirectTarget
Class
com.airlock.iam.selfservice.application.configuration.ui.tokens.CrontoDeviceManagementFlowRedirectTargetConfig
May be used by
License-Tags
Cronto
Properties
YAML Template (with default values)

type: CrontoDeviceManagementFlowRedirectTarget
id: CrontoDeviceManagementFlowRedirectTarget-xxxxxx
displayName: 
comment: 
properties:

Cronto Device Removal Possible

Description
Condition that determines whether the current user can remove a Cronto device. For device removal to be possible, the user needs to have at least one device. If "Allow Deleting Last Device" is disabled, at least two devices are required. This ensures that the user will still be able to log in with Cronto after the device has been deleted.
Type name
CrontoDeviceDeletionPossibleCondition
Class
com.airlock.iam.selfservice.application.configuration.selection.CrontoDeviceDeletionPossibleConditionConfig
May be used by
  • User Identification By Data Step
  • OAuth 2.0 Consent Grant Initiation Step
  • FIDO Registration Step
  • Set Context Data Step
  • Legacy ID Propagation Adapter
  • Airlock 2FA Activation Trusted Session Binding Step
  • Selection Step for Self-Service
  • Cronto Device Reset Step
  • Default Enable Cronto Device Flow
  • Airlock 2FA Authentication Step
  • OAuth 2.0 Client Persisting Step
  • Send Email Link Step
  • Phone Number Verification Step
  • Set Authentication Method Step
  • Email OTP Authentication Step
  • FIDO Transaction Approval Step
  • HTTP Basic Authentication Step
  • Delete OAuth 2.0 Session Initiation Step
  • Secret Questions Identity Verification Step
  • Custom Protected Self-Service Flow
  • SSI Passwordless Authentication Step
  • User Data Registration Step
  • Failure Step
  • Select mTAN Token Step
  • SAML 2.0 SP User Identifying Step
  • Account Link Removal Initiation Step
  • No Operation Step
  • Cronto Transaction Approval Step
  • Cronto Device List
  • OAuth 2.0 Client Registration Step
  • Password Change Self-Service Step
  • Airlock 2FA Device Deletion Initiation Step
  • Apply Changes Step
  • Selection Option For Public Self-Service
  • Airlock 2FA Activation Step (with additional Activation)
  • Legacy mTAN Registration Flow
  • Enable Cronto Push Initiation Step
  • Start User Representation Step
  • Selection Option For User Self-Registration
  • OAuth 2.0 Session List
  • Representation SSO Ticket Identifying Step
  • User Role Assignment Step
  • Default Cronto Device Removal Flow
  • Email Verification Step
  • OATH OTP Activation Step
  • Airlock 2FA Mobile Only Authentication Step
  • Target Applications and Authentication
  • Airlock 2FA Public Self-Service Approval Step
  • Default OAuth 2.0 Consent Grant Flow
  • FIDO Credential Selection Step
  • Matrix Self-Service Approval Step
  • User Data Edit Step
  • Set Password Step
  • Cronto Letter Order Step
  • Username Password Authentication Step
  • Default Cronto Device Renaming Flow
  • OIDC Flow Condition To ACR Value Mapping
  • Default FIDO Credential Display Name Change Flow
  • Selection Step
  • Default mTAN Deletion Flow
  • Cronto Activation Step
  • Remember-Me Device List
  • User Identification By Data Step (Public Self-Service)
  • Vasco OTP Authentication Step
  • User Lock Step
  • Logical NOT
  • Certificate Credential Extraction Step
  • Stop User Representation Step
  • OAuth 2.0 Consents Delete Initiation Step
  • Default FIDO Credential Removal Flow
  • mTAN Token Edit Step
  • CrontoSign Swiss Push Activation Step
  • Airlock 2FA Transaction Approval Step
  • Missing Account Link Step
  • User Identification Step
  • Rename Cronto Device Step
  • User Identification with FIDO Authentication Step
  • Airlock 2FA Recovery Trusted Session Binding Step
  • Default Account Link Linking Flow
  • User Persisting Step
  • Secret Questions Provisioning Step
  • Selection Option For Self-Service
  • Kerberos Authentication Step
  • Complete Migration Step
  • Never Migrate Step
  • Application Portal Target
  • Migration Selection Step
  • Account Link Linking Initiation Step
  • Username Generation Step
  • Airlock 2FA Device List
  • Email Notification Step
  • Airlock 2FA Activation Letter Order Step
  • SMS Identity Verification Step
  • Matrix Public Self-Service Approval Step
  • Default Enable FIDO Credential Flow
  • Airlock 2FA Device Edit Initiation Step
  • Enable Cronto Device Initiation Step
  • Matrix Checking Step
  • Red Flag Raising Step
  • Scriptable Step
  • Login From New Device Step
  • Default Disable Cronto Push Flow
  • FIDO Credential List
  • Password Letter Order Step
  • Device Token Authentication Step
  • Unlock User Step (Public Self-Service)
  • Condition-based Role Provider
  • Set Authentication Method Migration Step
  • SSI Issuance Step
  • Default mTAN Token Registration Flow
  • Default Remember-Me Device Deletion Flow
  • FIDO Passwordless Authentication Step
  • Remember-Me User Identifying Step
  • Password Reset Step
  • Selection Option
  • FIDO Authentication Step
  • On Behalf Login Identity Propagation
  • Terms Of Services Step
  • Email Change Verification Step
  • Vasco OTP Self-Service Approval Step
  • Airlock 2FA Delete Devices Step
  • Password-only Authentication Step
  • SSI Self-Registration Issuance Step
  • Username Password with FIDO Authentication Step
  • User Identification Step (Public Self-Service)
  • SSI Verification Step
  • mTAN Self-Service Approval Step
  • Legacy Email OTP Authentication Step
  • Cronto Device Selection Step
  • OAuth 2.0 Consent List
  • Abort Step
  • mTAN Token Registration Step
  • Email OTP Transaction Approval Step
  • Default Disable FIDO Credential Flow
  • Default mTAN Token Edit Flow
  • Disable FIDO Credential Initiation Step
  • Enable FIDO Credential Initiation Step
  • OAuth 2.0 SSO Step
  • Remember-Me Reset Step
  • Cronto Authentication Step
  • Delete Remember-Me Device Initiation Step
  • Selection Step for User Self-Registration
  • Vasco OTP Device Activation
  • Airlock 2FA Usernameless Authentication Step
  • Email Identity Verification Step
  • Default OAuth 2.0 Consent Deny Flow
  • OATH OTP Authentication Step
  • Password Repository Mapping
  • Target URI ID Propagator
  • Vasco OTP Public Self-Service Approval Step
  • OTP Check via RADIUS Step
  • Disable Cronto Push Initiation Step
  • Cronto Public Self-Service Approval Step
  • OAuth 2.0 Session Reset Step
  • OAuth 2.0 Consent Deny Initiation Step
  • Flow Condition-based OAuth 2.0 Scope Condition
  • Flow Condition To Authentication Context Mapping
  • mTAN Verification Step
  • Delete mTAN Number Initiation Step
  • Default OAuth 2.0 Consents Delete Flow
  • Generic ID Propagator
  • mTAN Public Self-Service Approval Step
  • OAuth 2.0 Consent Step
  • Transaction Approval Parameter Step
  • Role-based Tag Acquisition Step
  • Flow Continuation Step
  • Remember-Me Token Generating Step
  • Device Token Registration Step
  • Cronto Self-Service Approval Step
  • SSI Authentication Step
  • Acknowledge Message Step
  • Default Enable Cronto Push Flow
  • Cronto Approval Stealth Step
  • Airlock 2FA Device Edit Step
  • Airlock 2FA Self-Service Approval Step
  • Flow Continuation Token Consumption Step
  • Device Token Identity Verification Step
  • mTAN Transaction Approval Step
  • Device Token List
  • Account Linking Lists Self Services
  • Risk Assessment Step
  • Default Account Link Removal Flow
  • mTAN Number List
  • mTAN Authentication Step
  • Advanced Migration Selection Option
  • SSO Ticket Authentication Step
  • Tag Removal Step
  • Voluntary Password Change Step
  • Airlock 2FA Activation Step
  • FIDO Credential Display Name Change Step
  • Mandatory Password Change Step
  • User Unlock Step (Self-Registration)
  • Selection Step for Public Self-Service
  • Delete FIDO Credential Initiation Step
  • Delete Cronto Device Initiation Step
  • Conditional Value Map Provider
  • Logical AND
  • FIDO Public Self-Service Approval Step
  • Public Self-Service OATH OTP Approval Step
  • Disable Cronto Device Initiation Step
  • Default OAuth 2.0 Session Deletion Flow
  • FIDO Self-Service Approval Step
  • Default Disable Cronto Device Flow
  • Logical OR
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allow Deleting Last Device (allowDeletingLastDevice)
Description
If enabled, the last device can be deleted. This can leave the user without any means to log in again.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: CrontoDeviceDeletionPossibleCondition
id: CrontoDeviceDeletionPossibleCondition-xxxxxx
displayName: 
comment: 
properties:
  allowDeletingLastDevice: false
  crontoHandler:

Cronto Device Reset Step

Description
A non-interactive step that deletes all Cronto devices of the user (and optionally also the Cronto account and activation letter).
Type name
CrontoDeviceResetStep
Class
com.airlock.iam.flow.shared.application.configuration.cronto.CrontoDeviceResetStepConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Remove Account (removeAccount)
Description
If enabled, the Cronto account and activation letter are removed as well. This can be useful when using the CrontoEngine stack, where all letters generated from the same account are identical.
Attributes
Boolean
Optional
Default value
false
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
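The step-control properties above (Skip Condition, Pre Condition, Requires Activation, Step ID, Tags On Success and On Failure Gotos) interact in a fixed order, and the "failed attempts" counter is incremented even when a goto rescues the flow. The following Python model of that execution order is an added illustration written for this page; it is not Airlock IAM code, and all names in it (Step, FlowContext, execute_flow, the sample flow with a Cronto step falling back to an mTAN step, the INVALID_CREDENTIALS code and the lock threshold of 3) are assumptions chosen for the example. EXTERNAL_SERVICE_UNAVAILABLE is modelled as the page describes it with "Strict Counting" disabled, i.e. it does not count as a failed attempt.

```python
"""Toy model of flow step execution semantics (added example, not Airlock IAM code)."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Error code quoted on the page; modelled here as NOT a failed factor attempt
# ("Strict Counting" disabled), so a goto on it does not touch the counter.
EXTERNAL_SERVICE_UNAVAILABLE = "EXTERNAL_SERVICE_UNAVAILABLE"
# Constructed error code for this example: a wrong credential IS a failed attempt.
INVALID_CREDENTIALS = "INVALID_CREDENTIALS"
FAILED_ATTEMPT_CODES = {INVALID_CREDENTIALS}
MAX_FAILED_ATTEMPTS = 3  # assumed lock threshold for the illustration


@dataclass
class Step:
    name: str
    run: Callable[["FlowContext"], Optional[str]]  # None = success, else error code
    step_id: Optional[str] = None                   # stepId: goto / activation target
    pre_condition: Optional[Callable[["FlowContext"], bool]] = None
    skip_condition: Optional[Callable[["FlowContext"], bool]] = None
    requires_activation: bool = False
    tags_on_success: tuple = ()
    on_failure_gotos: dict = field(default_factory=dict)  # error code -> step_id
    activates: tuple = ()  # step_ids this step dynamically activates on success


@dataclass
class FlowContext:
    tags: set = field(default_factory=set)
    activated: set = field(default_factory=set)
    failed_attempts: int = 0
    locked: bool = False
    trace: list = field(default_factory=list)


def execute_flow(steps, ctx=None):
    """Run the steps in order; returns (outcome, ctx) with outcome 'SUCCESS' or 'FAILED:<code>'."""
    ctx = ctx if ctx is not None else FlowContext()
    by_id = {s.step_id: i for i, s in enumerate(steps) if s.step_id}
    i = 0
    while i < len(steps):
        step = steps[i]
        # Pre condition unmet: step and flow fail immediately, step is never initialised.
        if step.pre_condition is not None and not step.pre_condition(ctx):
            ctx.trace.append(f"{step.name}: pre condition unmet")
            return "FAILED:PRE_CONDITION", ctx
        # Skip condition fulfilled, or activation required but not granted: skip.
        if (step.skip_condition is not None and step.skip_condition(ctx)) or (
            step.requires_activation and step.step_id not in ctx.activated
        ):
            ctx.trace.append(f"{step.name}: skipped")
            i += 1
            continue
        error = step.run(ctx)
        if error is None:
            ctx.tags.update(step.tags_on_success)
            ctx.activated.update(step.activates)
            ctx.trace.append(f"{step.name}: ok")
            i += 1
            continue
        # Failure: codes that count as a failed factor attempt increment the counter
        # even when a goto is configured, and can still lock the user.
        if error in FAILED_ATTEMPT_CODES:
            ctx.failed_attempts += 1
            if ctx.failed_attempts >= MAX_FAILED_ATTEMPTS:
                ctx.locked = True
                ctx.trace.append(f"{step.name}: user locked")
                return "FAILED:USER_LOCKED", ctx
        target = step.on_failure_gotos.get(error)
        if target is None or target not in by_id:
            ctx.trace.append(f"{step.name}: failed {error}")
            return f"FAILED:{error}", ctx
        ctx.trace.append(f"{step.name}: goto {target} on {error}")
        i = by_id[target]
    return "SUCCESS", ctx


def build_login_flow(cronto_backend_error=None, pre_ok=True):
    """Constructed sample flow: Cronto as primary factor, mTAN as fallback, plus a
    notification step that only runs when the fallback path was taken."""
    cronto = Step("cronto-auth", run=lambda c: cronto_backend_error,
                  pre_condition=lambda c: pre_ok, tags_on_success=("2fa",),
                  on_failure_gotos={EXTERNAL_SERVICE_UNAVAILABLE: "mtan",
                                    INVALID_CREDENTIALS: "mtan"})
    mtan = Step("mtan-auth", step_id="mtan", run=lambda c: None,
                skip_condition=lambda c: "2fa" in c.tags,  # already authenticated
                tags_on_success=("2fa",), activates=("notify",))
    notify = Step("email-notification", step_id="notify", run=lambda c: None,
                  requires_activation=True, tags_on_success=("notified",))
    return [cronto, mtan, notify]


def run_login(cronto_backend_error=None, pre_ok=True):
    return execute_flow(build_login_flow(cronto_backend_error, pre_ok))
```

Running run_login() with no error takes the primary path and skips both the fallback and the notification step; run_login(EXTERNAL_SERVICE_UNAVAILABLE) jumps to the mTAN step without touching the counter; run_login(INVALID_CREDENTIALS) also jumps but leaves failed_attempts at 1, which is the point the description makes about gotos not preventing a lock.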
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CrontoDeviceResetStep
id: CrontoDeviceResetStep-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  onFailureGotos:
  preCondition:
  removeAccount: false
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Cronto Device Selection Step

Description
Step to select a Cronto device for further operations. For example, this step can be followed by a Rename Cronto Device Step, in which the name of the selected device can be edited.
Type name
CrontoDeviceSelectionStep
Class
com.airlock.iam.selfservice.application.configuration.step.CrontoDeviceSelectionStepConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CrontoDeviceSelectionStep
id: CrontoDeviceSelectionStep-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Cronto Engine Handler

Description
Cronto functionality using the CrontoEngine implementation.
Type name
CrontoEngineHandler
Class
com.airlock.iam.core.misc.impl.cronto.crontoengine.CrontoEngineHandler
May be used by
License-Tags
Cronto
Properties
Maximum Number Of Activated Devices (maximumNumberOfActivatedDevices)
Description
The maximum number of devices that a user can have activated simultaneously.
Attributes
Integer
Optional
Default value
8
Default Allowed Platforms (defaultAllowedPlatforms)
Description

Defines the platforms for which an activation letter can be used per default. This can always be changed by an administrator for an individual letter.

Currently, the following platform codes are supported:

  • 0: stand-alone Cronto device
  • 1: iOS
  • 2: Android
  • 3: Windows phone
  • 4: Blackberry
  • 5: rooted iOS
  • 6: rooted Android
Enter the numbers for all allowed platforms as one sequence, without spaces or commas, e.g. "012" to allow stand-alone, iOS and Android devices.

Attributes
String
Optional
Default value
01234
Platform Blacklist (platformBlacklist)
Description

Blacklist of blocked platform types. If a type is on this list, it cannot be used for login or transaction signing, and new devices of this type cannot be activated, independent of the allowed platforms in the activation letter.

Currently, the following platform codes are supported:

  • 0: stand-alone Cronto device
  • 1: iOS
  • 2: Android
  • 3: Windows phone
  • 4: Blackberry
  • 5: rooted iOS
  • 6: rooted Android
Enter the numbers for all blocked platforms as one sequence, without spaces or commas, e.g. "56" to block rooted iOS and Android devices.

Attributes
String
Optional
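Both properties use the same digit-sequence encoding, and the blacklist overrides whatever an individual letter allows. The following Python helpers are an added example for this page, not Airlock IAM code; the function names (parse_platform_codes, activation_allowed, effective_platforms) are assumptions. They parse the encoding strictly, so a mistyped separator is rejected instead of silently changing the set, and they combine a letter's allowed platforms with the handler blacklist the way the description states.

```python
"""Platform-code helpers for the Cronto Engine Handler encoding (added example)."""

# Platform codes as listed in the property descriptions above.
PLATFORMS = {
    "0": "stand-alone Cronto device",
    "1": "iOS",
    "2": "Android",
    "3": "Windows phone",
    "4": "Blackberry",
    "5": "rooted iOS",
    "6": "rooted Android",
}


def parse_platform_codes(value):
    """Parse a sequence such as "012" into a set of platform codes.

    An empty value means "no platforms". Separators and unknown digits raise,
    because "0,1,2" or "07" would otherwise silently shrink or widen the set.
    The value must be a string: the leading "0" (stand-alone device) is
    significant and would be lost if the sequence were handled as a number.
    """
    if value is None:
        return set()
    if not isinstance(value, str):
        raise TypeError("platform codes must be given as a string, e.g. '012'")
    codes = set()
    for ch in value.strip():
        if ch not in PLATFORMS:
            raise ValueError(
                f"unknown platform code {ch!r}; use digits 0-6 without separators"
            )
        codes.add(ch)
    return codes


def activation_allowed(letter_allowed, handler_blacklist, platform_code):
    """True if a device of platform_code may be activated with the given letter.

    The handler blacklist wins over the letter's own allowed platforms, as
    described for "Platform Blacklist".
    """
    if platform_code not in PLATFORMS:
        raise ValueError(f"unknown platform code {platform_code!r}")
    if platform_code in parse_platform_codes(handler_blacklist):
        return False
    return platform_code in parse_platform_codes(letter_allowed)


def effective_platforms(default_allowed, handler_blacklist):
    """Platforms a letter created with the default allowed set can activate."""
    return parse_platform_codes(default_allowed) - parse_platform_codes(handler_blacklist)


def describe(codes):
    """Human-readable names for a set of platform codes, in code order."""
    return [PLATFORMS[c] for c in sorted(codes)]
```

With the page's default of "01234" and a blacklist of "56", effective_platforms() yields the five non-rooted platforms; adding "34" to the blacklist removes Windows phone and Blackberry from every letter without editing the letters themselves.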
Challenge Token Lifetime [s] (challengeTokenLifetime)
Description
The lifetime in seconds of a challenge token. After the lifetime of a challenge token has expired, no successful validation with this token is possible anymore and the token is deleted upon the next verification request.
Attributes
Integer
Optional
Default value
300
Enable Push Notifications (enablePushNotifications)
Description
If this option is selected, push notifications are enabled for users with a device that supports this feature.
Attributes
Boolean
Optional
Default value
false
Bank URL Index (bankUrlIndex)
Description
Index of the bank URL hard-coded in the CrontoSign application.
Attributes
Integer
Optional
Push Notifications Reminder Period (pushNotificationsReminderPeriod)
Description
Number of Cronto device usages required before a user is asked again whether push notifications should be activated for this device. A value of "1" means that the user is asked upon every login.
Attributes
Integer
Optional
Default value
3
Service Code (serviceCode)
Description
The Cronto Service Code used to generate the Cronto challenges. If the value is empty, the Service Code of IAM is used. Normally there is no need to override this property.
Attributes
String
Optional
Sensitive
Push Notification Sender (pushNotificationSender)
Description
Plugin responsible for sending Cronto push notifications.
Attributes
Plugin-Link
Optional
Assignable plugins
Token Data Provider (tokenDataProvider)
Description
Plugin to load tokens from persistence.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Default Number of Letter Usages (defaultNumberOfActivations)
Description

Defines how many times an activation letter can be used per default to activate devices or apps. This can always be changed by an administrator for an individual letter.

Attributes
Integer
Optional
Default value
8
Default Letter Validity Time (defaultLetterValidityTime)
Description
Defines how long (how many days) an activation letter can be used per default to activate devices or apps. This can always be changed by an administrator for an individual letter. If no value is set, the validity is not limited.
Attributes
Integer
Optional
Selectable As Auth Method (selectableAsAuthMethod)
Description
Disable to prevent CrontoSign from being selected as active authentication method.
Attributes
Boolean
Optional
Default value
true
Selectable As Next Auth Method (selectableAsNextAuthMethod)
Description
Disable to prevent CrontoSign from being selected as the next authentication method (migration).
Attributes
Boolean
Optional
Default value
true
Enable On-Screen Activation (enableOnScreenActivation)
Description
If enabled, allows users to register Cronto devices with an on-screen activation cryptogram. This is typically the case when users do not have activation letters. If on-screen activation with a letter must be possible, enable "Enable On-Screen Activation With Letter".

On-screen activation is only possible in two situations: (1) during credential migration and (2) when activating an additional device.

Attention: make sure that such an activation can only be accessed by strongly authenticated users. For this, the "Strong Authentication Tag" must be configured on the following plugins (if used):
  • Cronto Activation Step
  • Cronto Activation Possible
  • Cronto Activation Required
Attributes
Boolean
Optional
Default value
false
Enable On-Screen Activation With Letter (enableOnScreenActivationWithLetter)
Description
If enabled, allows users who have a Cronto activation letter to register Cronto devices with the activation cryptogram from the letter being displayed in the browser.

Attention: make sure that such an activation can only be accessed by strongly authenticated users (refer to the documentation of "Enable On-Screen Activation").

Attributes
Boolean
Optional
Default value
false
Available Printing Options (availableOrderOptions)
Description
If several different ways of printing the letter are needed (for example to print locally or via the central printer, or to also order a device), these printing options can be defined here. Each printing option can then be handled by a separate printing task.
Attributes
String-List
Optional
Default value
[default]
Options Resource Key Prefix (optionsResourceKeyPrefix)
Description
If this property is defined, the order options are assumed to be resource keys and are combined with the prefix defined here to display a translated version of the options. If left empty, the options are displayed as defined above.
Attributes
String
Optional
Default value
cronto-order-option.
Default Printing Options (defaultOrderOptions)
Description
Defines the order options that are preselected for a newly created letter.
Attributes
String-List
Optional
Default value
[default]
YAML Template (with default values)

type: CrontoEngineHandler
id: CrontoEngineHandler-xxxxxx
displayName: 
comment: 
properties:
  availableOrderOptions: [default]
  bankUrlIndex:
  challengeTokenLifetime: 300
  defaultAllowedPlatforms: 01234
  defaultLetterValidityTime:
  defaultNumberOfActivations: 8
  defaultOrderOptions: [default]
  enableOnScreenActivation: false
  enableOnScreenActivationWithLetter: false
  enablePushNotifications: false
  maximumNumberOfActivatedDevices: 8
  optionsResourceKeyPrefix: cronto-order-option.
  platformBlacklist:
  pushNotificationSender:
  pushNotificationsReminderPeriod: 3
  selectableAsAuthMethod: true
  selectableAsNextAuthMethod: true
  serviceCode:
  tokenDataProvider:

Cronto Legacy Login Message Provider

Description

Provides the same Cronto login message that is created when using the "Cronto Authenticator".

This plugin exists for backward compatibility and uses the translations cronto.login-title, cronto.login-username, cronto.login-last and cronto.login-id to create a login message.

Type name
CrontoLegacyLoginMessageProvider
Class
com.airlock.iam.core.application.configuration.cronto.CrontoLegacyLoginMessageProviderConfig
May be used by
Properties
Username Alias (usernameAlias)
Description
Context data field for the alias that is used instead of the username in the message that is encoded in the cryptogram during login.
Attributes
Plugin-Link
Optional
Assignable plugins
Date Format (dateFormat)
Description
Date format for the "last login" information in the login message.
Attributes
String
Optional
Default value
dd.MM.yyyy HH:mm
YAML Template (with default values)

type: CrontoLegacyLoginMessageProvider
id: CrontoLegacyLoginMessageProvider-xxxxxx
displayName: 
comment: 
properties:
  dateFormat: dd.MM.yyyy HH:mm
  usernameAlias:

Cronto Letter Order Condition

Description
A condition to decide whether a user can order a (new) Cronto activation letter.
Type name
CrontoLetterOrderCondition
Class
com.airlock.iam.flow.shared.application.configuration.cronto.CrontoLetterOrderConditionConfig
May be used by
  • User Identification By Data Step
  • OAuth 2.0 Consent Grant Initiation Step
  • FIDO Registration Step
  • Set Context Data Step
  • Legacy ID Propagation Adapter
  • Airlock 2FA Activation Trusted Session Binding Step
  • Selection Step for Self-Service
  • Cronto Device Reset Step
  • Default Enable Cronto Device Flow
  • Airlock 2FA Authentication Step
  • OAuth 2.0 Client Persisting Step
  • Send Email Link Step
  • Phone Number Verification Step
  • Set Authentication Method Step
  • Email OTP Authentication Step
  • FIDO Transaction Approval Step
  • HTTP Basic Authentication Step
  • Delete OAuth 2.0 Session Initiation Step
  • Secret Questions Identity Verification Step
  • Custom Protected Self-Service Flow
  • SSI Passwordless Authentication Step
  • User Data Registration Step
  • Failure Step
  • Select mTAN Token Step
  • SAML 2.0 SP User Identifying Step
  • Account Link Removal Initiation Step
  • No Operation Step
  • Cronto Transaction Approval Step
  • Cronto Device List
  • OAuth 2.0 Client Registration Step
  • Password Change Self-Service Step
  • Airlock 2FA Device Deletion Initiation Step
  • Apply Changes Step
  • Selection Option For Public Self-Service
  • Airlock 2FA Activation Step (with additional Activation)
  • Legacy mTAN Registration Flow
  • Enable Cronto Push Initiation Step
  • Start User Representation Step
  • Selection Option For User Self-Registration
  • OAuth 2.0 Session List
  • Representation SSO Ticket Identifying Step
  • User Role Assignment Step
  • Default Cronto Device Removal Flow
  • Email Verification Step
  • OATH OTP Activation Step
  • Airlock 2FA Mobile Only Authentication Step
  • Target Applications and Authentication
  • Airlock 2FA Public Self-Service Approval Step
  • Default OAuth 2.0 Consent Grant Flow
  • FIDO Credential Selection Step
  • Matrix Self-Service Approval Step
  • User Data Edit Step
  • Set Password Step
  • Cronto Letter Order Step
  • Username Password Authentication Step
  • Default Cronto Device Renaming Flow
  • OIDC Flow Condition To ACR Value Mapping
  • Default FIDO Credential Display Name Change Flow
  • Selection Step
  • Default mTAN Deletion Flow
  • Cronto Activation Step
  • Remember-Me Device List
  • User Identification By Data Step (Public Self-Service)
  • Vasco OTP Authentication Step
  • User Lock Step
  • Logical NOT
  • Certificate Credential Extraction Step
  • Stop User Representation Step
  • OAuth 2.0 Consents Delete Initiation Step
  • Default FIDO Credential Removal Flow
  • mTAN Token Edit Step
  • CrontoSign Swiss Push Activation Step
  • Airlock 2FA Transaction Approval Step
  • Missing Account Link Step
  • User Identification Step
  • Rename Cronto Device Step
  • User Identification with FIDO Authentication Step
  • Airlock 2FA Recovery Trusted Session Binding Step
  • Default Account Link Linking Flow
  • User Persisting Step
  • Secret Questions Provisioning Step
  • Selection Option For Self-Service
  • Kerberos Authentication Step
  • Complete Migration Step
  • Never Migrate Step
  • Application Portal Target
  • Migration Selection Step
  • Account Link Linking Initiation Step
  • Username Generation Step
  • Airlock 2FA Device List
  • Email Notification Step
  • Airlock 2FA Activation Letter Order Step
  • SMS Identity Verification Step
  • Matrix Public Self-Service Approval Step
  • Default Enable FIDO Credential Flow
  • Airlock 2FA Device Edit Initiation Step
  • Enable Cronto Device Initiation Step
  • Matrix Checking Step
  • Red Flag Raising Step
  • Scriptable Step
  • Login From New Device Step
  • Default Disable Cronto Push Flow
  • FIDO Credential List
  • Password Letter Order Step
  • Device Token Authentication Step
  • Unlock User Step (Public Self-Service)
  • Condition-based Role Provider
  • Set Authentication Method Migration Step
  • SSI Issuance Step
  • Default mTAN Token Registration Flow
  • Default Remember-Me Device Deletion Flow
  • FIDO Passwordless Authentication Step
  • Remember-Me User Identifying Step
  • Password Reset Step
  • Selection Option
  • FIDO Authentication Step
  • On Behalf Login Identity Propagation
  • Terms Of Services Step
  • Email Change Verification Step
  • Vasco OTP Self-Service Approval Step
  • Airlock 2FA Delete Devices Step
  • Password-only Authentication Step
  • SSI Self-Registration Issuance Step
  • Username Password with FIDO Authentication Step
  • User Identification Step (Public Self-Service)
  • SSI Verification Step
  • mTAN Self-Service Approval Step
  • Legacy Email OTP Authentication Step
  • Cronto Device Selection Step
  • OAuth 2.0 Consent List
  • Abort Step
  • mTAN Token Registration Step
  • Email OTP Transaction Approval Step
  • Default Disable FIDO Credential Flow
  • Default mTAN Token Edit Flow
  • Disable FIDO Credential Initiation Step
  • Enable FIDO Credential Initiation Step
  • OAuth 2.0 SSO Step
  • Remember-Me Reset Step
  • Cronto Authentication Step
  • Delete Remember-Me Device Initiation Step
  • Selection Step for User Self-Registration
  • Vasco OTP Device Activation
  • Airlock 2FA Usernameless Authentication Step
  • Email Identity Verification Step
  • Default OAuth 2.0 Consent Deny Flow
  • OATH OTP Authentication Step
  • Password Repository Mapping
  • Target URI ID Propagator
  • Vasco OTP Public Self-Service Approval Step
  • OTP Check via RADIUS Step
  • Disable Cronto Push Initiation Step
  • Cronto Public Self-Service Approval Step
  • OAuth 2.0 Session Reset Step
  • OAuth 2.0 Consent Deny Initiation Step
  • Flow Condition-based OAuth 2.0 Scope Condition
  • Flow Condition To Authentication Context Mapping
  • mTAN Verification Step
  • Delete mTAN Number Initiation Step
  • Default OAuth 2.0 Consents Delete Flow
  • Generic ID Propagator
  • mTAN Public Self-Service Approval Step
  • OAuth 2.0 Consent Step
  • Transaction Approval Parameter Step
  • Role-based Tag Acquisition Step
  • Flow Continuation Step
  • Remember-Me Token
Generating Step Device Token Registration Step Device Token Registration Step Cronto Self-Service Approval Step Cronto Self-Service Approval Step SSI Authentication Step SSI Authentication Step Acknowledge Message Step Acknowledge Message Step Default Enable Cronto Push Flow Default Enable Cronto Push Flow Cronto Approval Stealth Step Cronto Approval Stealth Step Airlock 2FA Device Edit Step Airlock 2FA Device Edit Step Airlock 2FA Self-Service Approval Step Airlock 2FA Self-Service Approval Step Flow Continuation Token Consumption Step Flow Continuation Token Consumption Step Device Token Identity Verification Step Device Token Identity Verification Step mTAN Transaction Approval Step mTAN Transaction Approval Step Device Token List Device Token List Account Linking Lists Self Services Account Linking Lists Self Services Risk Assessment Step Risk Assessment Step Default Account Link Removal Flow Default Account Link Removal Flow mTAN Number List mTAN Number List mTAN Authentication Step mTAN Authentication Step Advanced Migration Selection Option SSO Ticket Authentication Step SSO Ticket Authentication Step Tag Removal Step Tag Removal Step Voluntary Password Change Step Voluntary Password Change Step Airlock 2FA Activation Step Airlock 2FA Activation Step FIDO Credential Display Name Change Step FIDO Credential Display Name Change Step Mandatory Password Change Step User Unlock Step (Self-Registration) User Unlock Step (Self-Registration) Selection Step for Public Self-Service Selection Step for Public Self-Service Delete FIDO Credential Initiation Step Delete FIDO Credential Initiation Step Delete Cronto Device Initiation Step Delete Cronto Device Initiation Step Conditional Value Map Provider Logical AND FIDO Public Self-Service Approval Step FIDO Public Self-Service Approval Step Public Self-Service OATH OTP Approval Step Public Self-Service OATH OTP Approval Step Disable Cronto Device Initiation Step Disable Cronto Device Initiation Step Default OAuth 2.0 
Session Deletion Flow Default OAuth 2.0 Session Deletion Flow FIDO Self-Service Approval Step FIDO Self-Service Approval Step Default Disable Cronto Device Flow Default Disable Cronto Device Flow Logical OR
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Cronto Account Required (crontoAccountRequired)
Description
If enabled, only users that already have a Cronto account are allowed to order an activation letter.
Attributes
Boolean
Optional
Default value
true
Cronto Letter Required (crontoLetterRequired)
Description
If enabled, only users that already have a Cronto activation letter are allowed to order a new letter.
Attributes
Boolean
Optional
Default value
false
Minimum Letter Order Interval [h] (minimalLetterOrderInterval)
Description

Number of hours that must at least have passed since the last Cronto activation letter has been ordered.

If set to 0, no waiting time is required before an additional letter can be ordered. However, it is recommended to set a different value to prevent a letter from being ordered while another one is still being printed or delivered.

Attributes
Integer
Optional
Default value
24
YAML Template (with default values)

type: CrontoLetterOrderCondition
id: CrontoLetterOrderCondition-xxxxxx
displayName: 
comment: 
properties:
  crontoAccountRequired: true
  crontoHandler:
  crontoLetterRequired: false
  minimalLetterOrderInterval: 24

Cronto Letter Order Step

Description
A non-interactive step that orders a new Cronto activation letter. Existing letters for the user are deleted and can no longer be used. If the user does not yet have a Cronto account, a new account is created.
Type name
CrontoLetterOrderStep
Class
com.airlock.iam.flow.shared.application.configuration.cronto.CrontoLetterOrderStepConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CrontoLetterOrderStep
id: CrontoLetterOrderStep-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Cronto Letter Ordered

Description
Event that is triggered whenever a Cronto letter is ordered for a user. The event is initiated either through the Adminapp or through a Cronto Letter Order Step.
Type name
CrontoLetterOrderedSubscribedEvent
Class
com.airlock.iam.common.application.configuration.event.CrontoLetterOrderedSubscribedEventConfig
May be used by
Properties
YAML Template (with default values)

type: CrontoLetterOrderedSubscribedEvent
id: CrontoLetterOrderedSubscribedEvent-xxxxxx
displayName: 
comment: 
properties:

Cronto Letter User Event Listener

Description
Listens to 'after insert user events'. When notified that a new user has been inserted in the persistency layer, a Cronto activation letter is ordered.
Type name
CrontoLetterUserEventListener
Class
com.airlock.iam.core.misc.impl.persistency.usereventbus.CrontoLetterUserEventListener
May be used by
Properties
Cronto Handler (crontoHandler)
Description
Plugin to manage a user's Cronto tokens.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Condition (condition)
Description
The condition to decide whether the event should be handled. If not configured, the event is always handled.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: CrontoLetterUserEventListener
id: CrontoLetterUserEventListener-xxxxxx
displayName: 
comment: 
properties:
  condition:
  crontoHandler:

Cronto Message Provider

Description
Generic provider for Cronto messages.
Type name
GenericCrontoMessageProvider
Class
com.airlock.iam.flow.shared.application.configuration.message.GenericCrontoMessageProviderConfig
May be used by
License-Tags
Cronto
Properties
Resource Key (resourceKey)
Description
Resource key to select the localized template to display the data. The localized template can contain variables (e.g. ${town}) and the same formatting options (including shrinking of values to fit to limited size) as are available for Transaction Approval messages.
Attributes
String
Mandatory
Example
self-service.user-data-edit.approval.cronto
Example
password-reset.factors.cronto.message
Push Title Resource Key (pushTitleResourceKey)
Description
Resource key to select the localized template to display the push title. The localized template can contain variables (e.g. ${username}).
Attributes
String
Optional
Default value
cronto.push.login.title
Example
cronto.push.login.title
Push Subject Resource Key (pushSubjectResourceKey)
Description
Resource key to select the localized template to display the push subject. The localized template can contain variables (e.g. ${username}).
Attributes
String
Optional
Default value
cronto.push.login.subject
Example
cronto.push.login.subject
Value Providers (valueProviders)
Description
List of value map providers that are used to replace the variables in the localized template. The value providers are called in the configured order and their values are added to a map. Later providers can overwrite values from earlier providers. If no value providers are configured, the localized template should not contain any variables, since all of them would be replaced by empty strings. If available, the "Login ID" is provided under the key "login-id".
Attributes
Plugin-List
Optional
Assignable plugins
Omit Empty Value Lines (omitEmptyValueLines)
Description
If enabled, lines with an empty or blank "value" part (right-hand side) after variable replacement are omitted from the message. Example: if the message contains a line Town=${town} and the "town" variable is empty, then the whole line is omitted.
Attributes
Boolean
Optional
Default value
false
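The two properties above (ordered value providers with later providers overriding earlier ones, and omission of lines whose right-hand side is empty) as an added example; this is not Airlock IAM code. The template, the provider contents and the login ID are constructed, the `${var}` syntax and the "login-id" key are taken from the description, and the cryptogram size check ("shrinking") is not modelled.

```python
"""Added example (not Airlock IAM code): how a Cronto message template is
filled from ordered value providers, with optional empty-line omission."""
import re
from typing import Callable, Dict, List, Optional

# A value provider returns a name -> value map (assumed interface).
ValueProvider = Callable[[], Dict[str, str]]
VARIABLE = re.compile(r"\$\{([^}]+)\}")


def merge_values(providers: List[ValueProvider],
                 login_id: Optional[str] = None) -> Dict[str, str]:
    """Call the providers in configured order and merge their maps.

    Later providers overwrite earlier values. If a login ID is available it
    is exposed under the key "login-id", as the description states.
    """
    values: Dict[str, str] = {}
    if login_id is not None:
        values["login-id"] = login_id
    for provider in providers:
        values.update(provider())
    return values


def render_message(template: str, values: Dict[str, str],
                   omit_empty_value_lines: bool = False) -> str:
    """Replace ${var} occurrences; unknown variables become empty strings.

    With omit_empty_value_lines, a line of the form Key=Value whose value
    part is empty or blank after replacement is dropped entirely.
    """
    rendered_lines = []
    for line in template.splitlines():
        rendered = VARIABLE.sub(lambda m: values.get(m.group(1), ""), line)
        if omit_empty_value_lines and "=" in rendered:
            _, _, value_part = rendered.partition("=")
            if not value_part.strip():
                continue  # whole line omitted, e.g. "Town=" for an empty town
        rendered_lines.append(rendered)
    return "\n".join(rendered_lines)


# Constructed sample template and providers, not from the product.
SAMPLE_TEMPLATE = "Login=${login-id}\nAmount=${amount}\nTown=${town}"


def user_data_provider() -> Dict[str, str]:
    return {"amount": "100 CHF", "town": ""}


def transaction_provider() -> Dict[str, str]:
    # Configured after user_data_provider, so its "amount" wins.
    return {"amount": "250 CHF"}


def build_sample_message(omit_empty_value_lines: bool) -> str:
    values = merge_values([user_data_provider, transaction_provider],
                          login_id="alice")
    return render_message(SAMPLE_TEMPLATE, values, omit_empty_value_lines)


if __name__ == "__main__":
    print(build_sample_message(omit_empty_value_lines=False))
    print("---")
    print(build_sample_message(omit_empty_value_lines=True))
```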
Cronto Handler (crontoHandler)
Description
Cronto Handler to determine if a message is small enough to be encoded as a cryptogram. This is used for "shrinking" the growable message until it fits into a cryptogram. If it cannot be shrunk enough, an exception is thrown.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: GenericCrontoMessageProvider
id: GenericCrontoMessageProvider-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  omitEmptyValueLines: false
  pushSubjectResourceKey: cronto.push.login.subject
  pushTitleResourceKey: cronto.push.login.title
  resourceKey:
  valueProviders:

Cronto Public Self-Service Approval Step

Description

Cronto approval step for public self-service flows.

Note that unlike identity verification steps, approval steps require an existing user and cannot prevent username enumeration (no stealth mode). It is therefore important that approval steps are only used after an identity verification step.

Type name
CrontoPublicSelfServiceApprovalStep
Class
com.airlock.iam.publicselfservice.application.configuration.steps.CrontoPublicSelfServiceApprovalStepConfig
May be used by
License-Tags
Cronto
Properties
Message Provider (messageProvider)
Description
Configures how to create Cronto messages.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allow Push Devices Only (allowPushDevicesOnly)
Description

If this flag is set and there is no push-enabled device for the user, public self-service is not possible.

This feature may be used for mobile application services, where showing a cryptogram on the same device is not useful.

Attributes
Boolean
Optional
Default value
false
Push Selection For Single Device (pushSelectionForSingleDevice)
Description
If enabled, the step also asks for push device selection if there is only one push device enabled. Since the selection always includes the "offline" option, this can be used for "app-to-app" setups, where push messages should never be sent.
Attributes
Boolean
Optional
Default value
false
Cronto Handler (crontoHandler)
Description

Handles all Cronto-specific actions.

When the Cronto app communicates directly with IAM (for online validation and push notification management), these requests are on a separate session and must therefore be handled by a separate, global Cronto Handler defined in "Cronto App Communication" in Loginapp.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

Attributes
String
Optional
Length <= 23
Default value
CRONTO
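A minimal model of the failed-attempts counter described above, added here as an example that is not Airlock IAM code: it shows the bounded number of guesses on a second credential when the two steps use distinct Authentication Method IDs, and the unbounded number when they share one. The global limit, the flow names and the counter reset on success are assumptions based on the description.

```python
"""Added example (not Airlock IAM code): per-method failed-attempt counters
and why two steps checking different credentials need distinct method IDs."""
from dataclasses import dataclass, field
from typing import Dict

MAX_FAILED_ATTEMPTS = 3  # assumed global failed-attempts limit


@dataclass
class UserLockState:
    """Failed-attempt counter per authentication method ID, plus lock flag."""
    failed: Dict[str, int] = field(default_factory=dict)
    locked: bool = False

    def record(self, method_id: str, success: bool) -> None:
        if self.locked:
            return  # a locked user cannot authenticate at all
        if success:
            # Assumption from the description: a successful login resets
            # the counter of the method that succeeded.
            self.failed[method_id] = 0
            return
        self.failed[method_id] = self.failed.get(method_id, 0) + 1
        if self.failed[method_id] >= MAX_FAILED_ATTEMPTS:
            self.locked = True


def guesses_before_lockout(method_id_flow_a: str, method_id_flow_b: str,
                           rounds: int) -> int:
    """Count wrong guesses on credential 2 (flow B) that are accepted before
    lockout, when credential 1 (flow A) is known and each round starts with a
    successful flow A login followed by MAX_FAILED_ATTEMPTS - 1 wrong guesses.
    """
    state = UserLockState()
    guesses = 0
    for _ in range(rounds):
        state.record(method_id_flow_a, success=True)
        for _ in range(MAX_FAILED_ATTEMPTS - 1):
            if state.locked:
                return guesses
            state.record(method_id_flow_b, success=False)
            guesses += 1
    return guesses


def shared_counter_guesses(rounds: int) -> int:
    """Both steps configured with the same ID "PASSWORD": grows with rounds."""
    return guesses_before_lockout("PASSWORD", "PASSWORD", rounds)


def distinct_counter_guesses(rounds: int) -> int:
    """Distinct IDs PASSWORD1 / PASSWORD2: capped by the global limit."""
    return guesses_before_lockout("PASSWORD1", "PASSWORD2", rounds)


if __name__ == "__main__":
    print("shared ID, 5 rounds:  ", shared_counter_guesses(5))
    print("distinct IDs, 5 rounds:", distinct_counter_guesses(5))
```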
Max Response Retries (maxResponseRetries)
Description

The number of times the user may enter a wrong response before the flow is aborted (and the challenge is deleted). If set to 0, only 1 attempt is possible for each challenge.

The purpose of this setting is usability. The failed attempts counter is always increased upon receiving a wrong OTP, and the user is locked when the global failed attempts limit is exceeded.

Attributes
Integer
Optional
Default value
3
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CrontoPublicSelfServiceApprovalStep
id: CrontoPublicSelfServiceApprovalStep-xxxxxx
displayName: 
comment: 
properties:
  allowPushDevicesOnly: false
  authenticationMethodId: CRONTO
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  maxResponseRetries: 3
  messageProvider:
  onFailureGotos:
  preCondition:
  pushSelectionForSingleDevice: false
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Cronto Push Notification Sender

Description

Configurations for sending Cronto push notifications.

Settings for Android and iOS are both optional and it is possible to configure only one of them.

IAM must be able to connect to the push servers of Google (fcm.googleapis.com) and Apple (gateway.push.apple.com or gateway.sandbox.push.apple.com). To prevent direct communication of IAM to the push servers, a proxy can be configured (see Advanced Settings).

Type name
CommonCrontoPushNotificationSender
Class
com.airlock.iam.core.misc.impl.cronto.pushnotification.CommonCrontoPushNotificationSender
May be used by
License-Tags
Cronto
Properties
Firebase Service Account JSON (firebaseServiceAccountJson)
Description

Path to the JSON file used to authenticate communication with the Google servers. This file can be obtained from the Firebase Console, or, in case of third-party Cronto apps, from the app developer.

Attributes
File/Path
Optional
iOS Authentication Certificate Path (iOsAuthenticationCertificatePath)
Description
Path of the PKCS #12 client certificate used for the communication with the server when sending push notifications to Apple iOS devices.
Attributes
File/Path
Optional
iOS Authentication Certificate Password (iOsAuthenticationCertificatePassword)
Description
Password of the PKCS #12 client certificate used for the communication with the server when sending push notifications to Apple iOS devices.
Attributes
String
Optional
Sensitive
iOS Bundle ID (iOsBundleId)
Description
The bundle ID for sending notifications to iOS. Typically the same as used for creating the iOS authentication certificate.
Attributes
String
Optional
Default value
com.vasco.digipass.DIGIPASS
Suggested values
com.vasco.digipass.DIGIPASS, com.cronto.crontosign.swiss
Use iOS Sandbox Gateway (iOsUseSandboxGateway)
Description
Selects the Apple gateway to be used. The sandbox gateway must be used during application development. This Boolean must be consistent with the issued PKCS #12 certificate.
Attributes
Boolean
Optional
Default value
false
Show iOS Badge (showIosBadge)
Description
If enabled, the badge number on iOS is set to the number of open transactions. Otherwise no badge number is displayed.
Attributes
Boolean
Optional
Default value
true
Proxy Host (proxyHost)
Description
Name of the proxy host through which the push notifications are sent. Both HTTP and SOCKS proxy types are supported.
Attributes
String
Optional
Example
proxy.mycompany.com
Proxy Type (proxyType)
Description
Type of the proxy server.
Attributes
Enum
Optional
Default value
SOCKS
Proxy Port (proxyPort)
Description
Port of the proxy server.
Attributes
Integer
Optional
Default value
1080
Connection Timeout (connectionTimeout)
Description
Timeout (in milliseconds) after which a sending connection (HTTP or TCP connection) should be closed.
Attributes
Integer
Optional
Default value
20000
Max Number Of Threads (maxNumberOfThreads)
Description
Maximum number of threads allowed for sending push messages.
Attributes
Integer
Optional
Default value
20
Termination Timeout (terminationTimeout)
Description
Maximum time to wait (in milliseconds) when awaitSendTerminationAndFinish is called.
Attributes
Integer
Optional
Default value
60000
YAML Template (with default values)

type: CommonCrontoPushNotificationSender
id: CommonCrontoPushNotificationSender-xxxxxx
displayName: 
comment: 
properties:
  connectionTimeout: 20000
  firebaseServiceAccountJson:
  iOsAuthenticationCertificatePassword:
  iOsAuthenticationCertificatePath:
  iOsBundleId: com.vasco.digipass.DIGIPASS
  iOsUseSandboxGateway: false
  maxNumberOfThreads: 20
  proxyHost:
  proxyPort: 1080
  proxyType: SOCKS
  showIosBadge: true
  terminationTimeout: 60000

Cronto Report Strategy

Description
Task strategy to create the Cronto activation letters, containing a cryptogram to activate Cronto devices and apps.
Type name
CrontoReportStrategy
Class
com.airlock.iam.servicecontainer.app.application.configuration.task.token.CrontoReportStrategyConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Token Data Provider (tokenDataProvider)
Description
The token data provider plugin is used to read all tokens to be handled by this task. It should be configured to return only the tokens that this task is meant to handle.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Report Type Short Desc (reportTypeShortDesc)
Description
Defines a short textual description of the type of the report being rendered.
The text is used in the user trail log written when a report is rendered. Please specify a text like in the examples below, so it suits the structure of the log statement it is used in.
Attributes
String
Optional
Default value
UNSPECIFIED
Example
password letter
Example
keyfile accompanying report
Example
mobile number registration letter
User Store (userStore)
Description
The user store to retrieve all user data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Report Renderer (reportRenderer)
Description
Tells this task which generic renderer to use to render reports.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Barcode Generator (barcodeGenerator)
Description

Optional barcode generator. If this property is configured, a barcode image and the corresponding barcode content are added to the parameter map accessible by report templates. The following keys are defined:

  • BarcodeImage: placeholder for the barcode image.
  • BarcodeContent: placeholder for the barcode content.
  • BarcodeContentDisplay: placeholder for the barcode content in a human-readable format.

Tracking ID: If the "tracking ID" field is configured in the token data provider the generated barcode content is automatically stored in the token. This is useful for future reference, e.g., for tracking active shipments.

Attributes
Plugin-Link
Optional
Assignable plugins
Language Attribute Name (languageAttributeName)
Description
Tells the report task which attribute in the context data container contains the language to be used for rendering the password. If this property is configured and if the context data container of the user has a value for this attribute, it is used when calling the report renderer plug-in.
Attributes
String
Optional
Suggested values
language
Output Directory (outputDirectory)
Description
Directory in the file system to put the rendered reports in. The directory is either absolute or relative to the JVM's current directory.

This property is not required if the renderer plugin (see separate property) does not write to the output stream (e.g. sends the report somewhere else). It is required otherwise.

Note: If this property is not defined and the renderer plugin in use writes to the output stream, the result (e.g. a PDF file) is lost.

Attributes
File/Path
Optional
Working Directory (workingDirectory)
Description
A writable directory used to store partial reports.
If this property is defined, the credential reports are not generated directly into the output directory (see other property); they are generated into this working directory and moved to the output directory once they are complete.
This avoids problems with processes that automatically pick up rendered reports and would otherwise read partial reports during generation. Make sure that the working directory and the output directory reside in the same file system; otherwise the move of the generated file is not atomic.
The directory is either absolute or relative to the JVM's current directory.
Attributes
File/Path
Optional
Delete Old Reports (deleteOldReports)
Description
Deletes old rendered reports of a user from the file system when a new one is rendered. Setting this to TRUE results in at most one rendered report of this type per user.
Caution: This feature deletes all reports starting with the prefix configured by property "file-name-prefix" and the user's name. You must therefore make sure that different report types use different filename prefixes.
Attributes
Boolean
Optional
Default value
false
File Name Prefix (fileNamePrefix)
Description
Filename prefix for rendered report files. It is important to set this to a unique value for the kind of reports generated by this task. When this task deletes old reports, it looks at this prefix (and the user ID) to determine which files to delete. Thus, if this prefix is the same as for other reports and they reside in the same directory, other reports may be deleted.
Do not use the prefix "pwd-" or the empty prefix if password or token list reports are stored in the same directory: the empty prefix is the default for token lists (matrix cards) and "pwd-" is the default for password letters.
Attributes
String
Mandatory
Example
token-letter
Example
smartcardLetter
File Name Suffix (fileNameSuffix)
Description
Filename suffix for rendered report files. The indicated suffix is appended to the generated reports. This may be required if the files are processed (e.g. printed) by another process (manual or automatic).
Attributes
String
Mandatory
Suggested values
.pdf, .docx, .txt
Aggregate Report (aggregateReport)
Description
Optional property to describe an aggregate report over all generated reports in a batch. If none is configured, no aggregate report will be generated.
Attributes
Plugin-Link
Optional
Assignable plugins
Required Order Options (requiredOrderOptions)
Description
Order options that have to be set for this task to handle the order. Leave empty to handle all orders with the "order new" flag set. Several options can be comma-separated, in which case ALL listed options must be set for an order to be handled.
Attributes
String-List
Optional
Excluding Order Options (excludingOrderOptions)
Description
Order options that, if set, will exclude the order from being handled by this task. Leave empty to not exclude any orders. Several options can be comma-separated, in which case ANY listed option excludes the order from being handled by this task.
Attributes
String-List
Optional
YAML Template (with default values)

type: CrontoReportStrategy
id: CrontoReportStrategy-xxxxxx
displayName: 
comment: 
properties:
  aggregateReport:
  barcodeGenerator:
  crontoHandler:
  deleteOldReports: false
  excludingOrderOptions:
  fileNamePrefix:
  fileNameSuffix:
  languageAttributeName:
  outputDirectory:
  reportRenderer:
  reportTypeShortDesc: UNSPECIFIED
  requiredOrderOptions:
  tokenDataProvider:
  userStore:
  workingDirectory:

Cronto Self-Service Approval Step

Description
Configuration for a Cronto approval step for self-service flows. This can be used to validate self-service operations such as user data changes or registrations of additional devices. Typically, this step is configured between the step where a change is initiated and the step where the change is persisted.
Type name
CrontoSelfServiceApprovalStep
Class
com.airlock.iam.selfservice.application.configuration.step.CrontoSelfServiceApprovalStepConfig
May be used by
License-Tags
Cronto
Properties
Message Provider (messageProvider)
Description
Creates the message based on the self-service operation.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allow Only Push Devices (allowOnlyPushDevices)
Description

If this flag is set and there is no push-enabled device for the user, approval is not possible.

This feature may be used for mobile application services, where showing a cryptogram on the same device is not useful.

Attributes
Boolean
Optional
Default value
false
Push Selection For Single Device (pushSelectionForSingleDevice)
Description
If enabled, the step also asks for push device selection if there is only one push device enabled. Since the selection always includes the "offline" option, this can be used for "app-to-app" setups, where push messages should never be sent.
Attributes
Boolean
Optional
Default value
false
Cronto Handler (crontoHandler)
Description

Handles all Cronto-specific actions.

When the Cronto app communicates directly to IAM (for online validation and push notification management) these requests are on a separate session and must therefore be handled by a separate, global Cronto Handler defined in "Cronto App Communication" in Loginapp.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

Attributes
String
Optional
Length <= 23
Default value
CRONTO
Max Response Retries (maxResponseRetries)
Description

The number of times the user may enter a wrong response before the flow is aborted (and the challenge is deleted). If set to 0, only 1 attempt is possible for each challenge.

The purpose of this setting is usability. The failed attempts counter is always incremented upon receiving a wrong OTP, and the user is locked when the global failed attempts limit is exceeded.

Attributes
Integer
Optional
Default value
3
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CrontoSelfServiceApprovalStep
id: CrontoSelfServiceApprovalStep-xxxxxx
displayName: 
comment: 
properties:
  allowOnlyPushDevices: false
  authenticationMethodId: CRONTO
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  maxResponseRetries: 3
  messageProvider:
  onFailureGotos:
  preCondition:
  pushSelectionForSingleDevice: false
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Cronto Self-Services (Legacy)

Description
Configures the Cronto device management REST self-service.
Type name
CrontoSelfServiceRest
Class
com.airlock.iam.login.rest.application.configuration.CrontoSelfServiceRestConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Manages the organization of the different Cronto tokens as well as the calls to the Cronto engine. This is usually the same handler as used by the Cronto authenticator.
Attributes
Plugin-Link
Mandatory
Assignable plugins
User Can Disable All Devices (userCanDisableAllDevices)
Description
If this option is checked, a user may disable all of their Cronto devices in the Cronto device management.
Attributes
Boolean
Optional
Default value
false
Activation Session Lifetime [s] (activationSessionLifetime)
Description
The maximum allowed time (in seconds) between the first REST call for adding a new Cronto device, and the second call that verifies the OTP from the first call.
Attributes
Integer
Optional
Default value
120
User Can Order Additional Letter (userCanOrderAdditionalLetter)
Description

If this option is activated, users can order an additional activation letter, given they have already received a letter but need a new one.

The letter can be ordered on the activation page and the device management page.

Attributes
Boolean
Optional
Default value
false
Minimal New Letter Interval In Hours (minimalNewLetterIntervalInHours)
Description

Minimum number of hours that must have passed since the last Cronto activation letter was ordered. This is only used if "User can order additional letter" is activated.

Note: If this value is set to 0, no waiting time is required before an additional letter can be ordered. However, it is recommended to set a different value to prevent a letter from being ordered while another one is still being printed or delivered.

Attributes
Integer
Optional
Default value
24
Provide Deactivation Challenge (provideDeactivationChallenge)
Description
If enabled, a deactivation challenge is provided after deleting a device. This challenge is used to remove the account from the app.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: CrontoSelfServiceRest
id: CrontoSelfServiceRest-xxxxxx
displayName: 
comment: 
properties:
  activationSessionLifetime: 120
  crontoHandler:
  minimalNewLetterIntervalInHours: 24
  provideDeactivationChallenge: true
  userCanDisableAllDevices: false
  userCanOrderAdditionalLetter: false

Cronto Token Controller

Description
Plugin to manage a user's Cronto tokens.
Type name
CrontoTokenController
Class
com.airlock.iam.admin.application.configuration.cronto.CrontoTokenController
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to manage a user's Cronto tokens.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Auto Order (autoOrder)
Description
Automatically order an activation letter when this credential is added to the user. Note that if no default order options are set in the Cronto Handler plugin, the letter is only generated but not printed.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: CrontoTokenController
id: CrontoTokenController-xxxxxx
displayName: 
comment: 
properties:
  autoOrder: false
  crontoHandler:

Cronto Token Service

Description
Services for Cronto tokens.
Type name
CrontoTokenService
Class
com.airlock.iam.core.misc.tokenservice.CrontoTokenService
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to manage a user's Cronto tokens.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Token Data Provider (tokenDataProvider)
Description
Plugin to load Tokens from persistence.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: CrontoTokenService
id: CrontoTokenService-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  tokenDataProvider:

Cronto Transaction Approval Step

Description
Configuration for a Cronto transaction approval flow step.
Type name
CrontoTransactionApprovalStep
Class
com.airlock.iam.transactionapproval.application.configuration.cronto.CrontoTransactionApprovalStepConfig
May be used by
License-Tags
Cronto
Properties
Message Provider (messageProvider)
Description
Creates the message for transaction approval.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allow Push Devices Only (authenticatePushDevicesOnly)
Description

If this flag is set and there is no push-enabled device for the user, transaction approval is not possible.

This feature may be used for mobile application approvals, where showing a cryptogram on the same device is not appropriate.

Attributes
Boolean
Optional
Default value
false
Push Selection For Single Device (pushSelectionForSingleDevice)
Description
If enabled, the step also asks for push device selection if there is only one push device enabled. Since the selection always includes the "offline" option, this can be used for "app-to-app" setups, where push messages should never be sent.
Attributes
Boolean
Optional
Default value
false
Push To All Devices (pushToAllDevices)
Description
If enabled, the step never asks for a device selection, even when there is more than one push device available. To enable this feature, Allow Push Devices Only needs to be enabled and Push Selection For Single Device needs to be disabled. If an Auth Token ID was provided, the push notification is only sent to that device.
Attributes
Boolean
Optional
Default value
false
Cronto Handler (crontoHandler)
Description

Handles all Cronto-specific actions.

When the Cronto app communicates directly to IAM (for online validation and push notification management) these requests are on a separate session and must therefore be handled by a separate, global Cronto Handler defined in "Cronto App Communication" in Loginapp.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Authentication Method ID (authenticationMethodId)
Description
The identifier of the authentication method for this step. Since the authentication method is also the identifier for failed login attempts for this step, distinct identifiers must be chosen if multiple instances of the same step type are used to check different credentials (e.g., two password step instances check two different passwords).

Example: a system tracks two passwords per user. Password 1 is used in flow A, password 2 in flow B. These two steps must have distinct 'Authentication Method Ids', e.g. PASSWORD1 and PASSWORD2.

If only one identifier (e.g. "PASSWORD") is used, this may allow brute force attacks on the password as follows. Assuming an attacker knows the user's password 1, they get an unlimited number of attempts on flow B, as the 'PASSWORD' counter can repeatedly be reset to 0 by performing a successful login on flow A.

To prevent such attacks, use two different counters by setting the authentication methods, for example, to PASSWORD1 and PASSWORD2, respectively.

Attributes
String
Optional
Length <= 23
Default value
CRONTO
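The counter behaviour described under Authentication Method ID and Max Response Retries (for this step and for the Cronto Self-Service Approval Step above), as an added model that is not Airlock IAM code: failed attempts are counted per (user, authentication method id), a success resets only the counter of its own method id, per-challenge retries never reset the global counter, and the user is locked once the global limit is exceeded. The lock limit of 5, the user names and the expected responses are assumptions of this example.

```python
from dataclasses import dataclass, field

# Constructed model of the failed-attempts counter and per-challenge retry behaviour
# described for Authentication Method ID and Max Response Retries. The lock limit,
# user names and credentials are assumptions of this example, not product defaults.
LOCK_LIMIT = 5  # constructed global failed-attempts limit; the user is locked when exceeded


@dataclass
class FailedAttempts:
    """Failed-attempts counters, keyed by (user, authentication method id)."""
    counters: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def failure(self, user: str, method_id: str) -> None:
        key = (user, method_id)
        self.counters[key] = self.counters.get(key, 0) + 1
        if self.counters[key] > LOCK_LIMIT:
            self.locked.add(user)

    def success(self, user: str, method_id: str) -> None:
        # A successful check resets only the counter of its own method id.
        self.counters[(user, method_id)] = 0

    def count(self, user: str, method_id: str) -> int:
        return self.counters.get((user, method_id), 0)


def run_challenge(store: FailedAttempts, user: str, method_id: str, expected: str,
                  responses: list, max_response_retries: int) -> str:
    """One challenge: at most max_response_retries + 1 responses are accepted, and every
    wrong one counts globally, so retries are a usability feature, not extra budget."""
    if user in store.locked:
        return "LOCKED"
    for response in responses[: max_response_retries + 1]:
        if response == expected:
            store.success(user, method_id)
            return "OK"
        store.failure(user, method_id)
        if user in store.locked:
            return "LOCKED"
    return "ABORTED"  # challenge deleted, flow aborted


def counter_isolation(method_for_flow_a: str, method_for_flow_b: str, rounds: int = 3) -> tuple:
    """Flow A is always passed with its own credential; flow B only receives wrong responses.
    Returns (wrong responses accepted on flow B, whether the user ended up locked)."""
    store = FailedAttempts()
    user = "alice"
    wrong_on_b = 0
    for _ in range(rounds):
        for _ in range(LOCK_LIMIT):
            if user in store.locked:
                break
            store.failure(user, method_for_flow_b)
            wrong_on_b += 1
        store.success(user, method_for_flow_a)  # resets only method_for_flow_a's counter
    return wrong_on_b, user in store.locked
```

With a shared id (`counter_isolation("PASSWORD", "PASSWORD")`) the success on flow A clears the counter every round and the user is never locked; with distinct ids (`counter_isolation("PASSWORD1", "PASSWORD2")`) the lock triggers as soon as the limit is exceeded. `run_challenge` shows the same for retries: four wrong responses within one challenge abort the challenge and leave the counter at four, so the next challenge locks the user after two more.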
Max Response Retries (maxResponseRetries)
Description

The number of times the user may enter a wrong response before the flow is aborted (and the challenge is deleted). If set to 0, only 1 attempt is possible for each challenge.

The purpose of this setting is usability. The failed attempts counter is always incremented upon receiving a wrong OTP, and the user is locked when the global failed attempts limit is exceeded.

Attributes
Integer
Optional
Default value
3
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CrontoTransactionApprovalStep
id: CrontoTransactionApprovalStep-xxxxxx
displayName: 
comment: 
properties:
  authenticatePushDevicesOnly: false
  authenticationMethodId: CRONTO
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  maxResponseRetries: 3
  messageProvider:
  onFailureGotos:
  preCondition:
  pushSelectionForSingleDevice: false
  pushToAllDevices: false
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

Cronto was used for login (Transaction Approval only)

Description
Flow selection condition that selects the subflow if Cronto was used for login (as determined by the authTokenId provided in a preceding Transaction Approval Parameter Step).
Type name
CrontoAuthTokenIdSelectionCondition
Class
com.airlock.iam.transactionapproval.application.configuration.selection.CrontoAuthTokenIdSelectionConditionConfig
May be used by
User Identification By Data Step, OAuth 2.0 Consent Grant Initiation Step, FIDO Registration Step, Set Context Data Step, Legacy ID Propagation Adapter, Airlock 2FA Activation Trusted Session Binding Step, Selection Step for Self-Service, Cronto Device Reset Step, Default Enable Cronto Device Flow, Airlock 2FA Authentication Step, OAuth 2.0 Client Persisting Step, Send Email Link Step, Phone Number Verification Step, Set Authentication Method Step, Email OTP Authentication Step, FIDO Transaction Approval Step, HTTP Basic Authentication Step, Delete OAuth 2.0 Session Initiation Step, Secret Questions Identity Verification Step, Custom Protected Self-Service Flow, SSI Passwordless Authentication Step, User Data Registration Step, Failure Step, Select mTAN Token Step, SAML 2.0 SP User Identifying Step, Account Link Removal Initiation Step, No Operation Step, Cronto Transaction Approval Step, Cronto Device List, OAuth 2.0 Client Registration Step, Password Change Self-Service Step, Airlock 2FA Device Deletion Initiation Step, Apply Changes Step, Selection Option For Public Self-Service, Airlock 2FA Activation Step (with additional Activation), Legacy mTAN Registration Flow, Enable Cronto Push Initiation Step, Start User Representation Step, Selection Option For User Self-Registration, OAuth 2.0 Session List, Representation SSO Ticket Identifying Step, User Role Assignment Step, Default Cronto Device Removal Flow, Email Verification Step, OATH OTP Activation Step, Airlock 2FA Mobile Only Authentication Step, Target Applications and Authentication, Airlock 2FA Public Self-Service Approval Step, Default OAuth 2.0 Consent Grant Flow, FIDO Credential Selection Step, Matrix Self-Service Approval Step, User Data Edit Step, Set Password Step, Cronto Letter Order Step, Username Password Authentication Step, Default Cronto Device Renaming Flow, OIDC Flow Condition To ACR Value Mapping, Default FIDO Credential Display Name Change Flow, Selection Step, Default mTAN Deletion Flow, Cronto Activation Step, Remember-Me Device List, User Identification By Data Step (Public Self-Service), Vasco OTP Authentication Step, User Lock Step, Logical NOT, Certificate Credential Extraction Step, Stop User Representation Step, OAuth 2.0 Consents Delete Initiation Step, Default FIDO Credential Removal Flow, mTAN Token Edit Step, CrontoSign Swiss Push Activation Step, Airlock 2FA Transaction Approval Step, Missing Account Link Step, User Identification Step, Rename Cronto Device Step, User Identification with FIDO Authentication Step, Airlock 2FA Recovery Trusted Session Binding Step, Default Account Link Linking Flow, User Persisting Step, Secret Questions Provisioning Step, Selection Option For Self-Service, Kerberos Authentication Step, Complete Migration Step, Never Migrate Step, Application Portal Target, Migration Selection Step, Account Link Linking Initiation Step, Username Generation Step, Airlock 2FA Device List, Email Notification Step, Airlock 2FA Activation Letter Order Step, SMS Identity Verification Step, Matrix Public Self-Service Approval Step, Default Enable FIDO Credential Flow, Airlock 2FA Device Edit Initiation Step, Enable Cronto Device Initiation Step, Matrix Checking Step, Red Flag Raising Step, Scriptable Step, Login From New Device Step, Default Disable Cronto Push Flow, FIDO Credential List, Password Letter Order Step, Device Token Authentication Step, Unlock User Step (Public Self-Service), Condition-based Role Provider, Set Authentication Method Migration Step, SSI Issuance Step, Default mTAN Token Registration Flow, Default Remember-Me Device Deletion Flow, FIDO Passwordless Authentication Step, Remember-Me User Identifying Step, Password Reset Step, Selection Option, FIDO Authentication Step, On Behalf Login Identity Propagation, Terms Of Services Step, Email Change Verification Step, Vasco OTP Self-Service Approval Step, Airlock 2FA Delete Devices Step, Password-only Authentication Step, SSI Self-Registration Issuance Step, Username Password with FIDO Authentication Step, User Identification Step (Public Self-Service), SSI Verification Step, mTAN Self-Service Approval Step, Legacy Email OTP Authentication Step, Cronto Device Selection Step, OAuth 2.0 Consent List, Abort Step, mTAN Token Registration Step, Email OTP Transaction Approval Step, Default Disable FIDO Credential Flow, Default mTAN Token Edit Flow, Disable FIDO Credential Initiation Step, Enable FIDO Credential Initiation Step, OAuth 2.0 SSO Step, Remember-Me Reset Step, Cronto Authentication Step, Delete Remember-Me Device Initiation Step, Selection Step for User Self-Registration, Vasco OTP Device Activation, Airlock 2FA Usernameless Authentication Step, Email Identity Verification Step, Default OAuth 2.0 Consent Deny Flow, OATH OTP Authentication Step, Password Repository Mapping, Target URI ID Propagator, Vasco OTP Public Self-Service Approval Step, OTP Check via RADIUS Step, Disable Cronto Push Initiation Step, Cronto Public Self-Service Approval Step, OAuth 2.0 Session Reset Step, OAuth 2.0 Consent Deny Initiation Step, Flow Condition-based OAuth 2.0 Scope Condition, Flow Condition To Authentication Context Mapping, mTAN Verification Step, Delete mTAN Number Initiation Step, Default OAuth 2.0 Consents Delete Flow, Generic ID Propagator, mTAN Public Self-Service Approval Step, OAuth 2.0 Consent Step, Transaction Approval Parameter Step, Role-based Tag Acquisition Step, Flow Continuation Step, Remember-Me Token Generating Step, Device Token Registration Step, Cronto Self-Service Approval Step, SSI Authentication Step, Acknowledge Message Step, Default Enable Cronto Push Flow, Cronto Approval Stealth Step, Airlock 2FA Device Edit Step, Airlock 2FA Self-Service Approval Step, Flow Continuation Token Consumption Step, Device Token Identity Verification Step, mTAN Transaction Approval Step, Device Token List, Account Linking Lists Self Services, Risk Assessment Step, Default Account Link Removal Flow, mTAN Number List, mTAN Authentication Step, Advanced Migration Selection Option, SSO Ticket Authentication Step, Tag Removal Step, Voluntary Password Change Step, Airlock 2FA Activation Step, FIDO Credential Display Name Change Step, Mandatory Password Change Step, User Unlock Step (Self-Registration), Selection Step for Public Self-Service, Delete FIDO Credential Initiation Step, Delete Cronto Device Initiation Step, Conditional Value Map Provider, Logical AND, FIDO Public Self-Service Approval Step, Public Self-Service OATH OTP Approval Step, Disable Cronto Device Initiation Step, Default OAuth 2.0 Session Deletion Flow, FIDO Self-Service Approval Step, Default Disable Cronto Device Flow, Logical OR
License-Tags
TransactionApproval
Properties
Selectable If Login Method Unknown (selectableIfNoAuthTokenIdPresent)
Description
If this flag is set, the condition is always true (i.e. the option is selectable) if the login method is unknown.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: CrontoAuthTokenIdSelectionCondition
id: CrontoAuthTokenIdSelectionCondition-xxxxxx
displayName: 
comment: 
properties:
  selectableIfNoAuthTokenIdPresent: true

CrontoSign Swiss App

Description
Allows the configuration of CrontoSign Swiss push workflows based on the Vasco stack.
Type name
CrontoSignSwissVascoPushAppHandler
Class
com.airlock.iam.core.misc.impl.cronto.pushnotification.CrontoSignSwissVascoPushAppHandler
May be used by
Properties
Push Notifications Reminder Period (pushNotificationsReminderPeriod)
Description
Number of uses of a Cronto device required before a user is asked again whether push notifications should be activated for this device.
Attributes
Integer
Optional
Default value
3
Bank URL Index (bankUrlIndex)
Description
Index of the bank URL hard-coded in the CrontoSign application.
Attributes
Integer
Mandatory
Push Notification Sender (pushNotificationSender)
Description
Plugin responsible for sending Cronto push notifications.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: CrontoSignSwissVascoPushAppHandler
id: CrontoSignSwissVascoPushAppHandler-xxxxxx
displayName: 
comment: 
properties:
  bankUrlIndex:
  pushNotificationSender:
  pushNotificationsReminderPeriod: 3

CrontoSign Swiss Push Activation Possible

Description

Flow condition that determines if the Cronto device used during login (or registered during the authentication flow) can be activated for push. It also considers the "Push Notification Reminder Period" property of the Cronto handler to determine if the user should already be asked again.

This condition is only useful in authentication flows and after a Cronto authentication or activation step.

Type name
CrontoPushActivationCondition
Class
com.airlock.iam.flow.shared.application.configuration.cronto.CrontoPushActivationConditionConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: CrontoPushActivationCondition
id: CrontoPushActivationCondition-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:

CrontoSign Swiss Push Activation Step

Description

A step that allows push activation on the CrontoSign Swiss app.

In an authentication flow, it is typically used together with the "CrontoSign Swiss Push Activation Possible" condition, which is fulfilled if the currently used device (for login or newly registered) qualifies for push activation.

In self-service flows, it can be used without a condition, allowing the user to activate any Cronto device.

Type name
CrontoPushActivationStep
Class
com.airlock.iam.flow.shared.application.configuration.cronto.CrontoPushActivationStepConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Interactive Goto Targets (interactiveGotoTargets)
Description
Manually selectable Goto targets. These are steps to which the user can choose to jump when this is the current flow step.
Attributes
Plugin-List
Optional
Assignable plugins
Dynamic Step Activations (dynamicStepActivations)
Description
Steps that can be dynamically activated while in this step.
Attributes
Plugin-List
Optional
Assignable plugins
Skip Condition (skipCondition)
Description

If this condition is configured and fulfilled, the step is skipped and the flow execution continues with the subsequent step.

Attributes
Plugin-Link
Optional
Assignable plugins
Pre Condition (preCondition)
Description
This step is executed only if the configured pre condition is fulfilled. If the condition is not fulfilled, the step and flow execution fail immediately. The step is not initialized and no step method can be called. If no condition is configured, the behavior is that of a fulfilled pre condition.
Attributes
Plugin-Link
Optional
Assignable plugins
Requires Activation (requiresActivation)
Description
If enabled, this step is only executed if it has been dynamically activated from a previous step. If it has not been activated, the step is skipped (equivalent to when the skip condition is fulfilled).
Attributes
Boolean
Optional
Default value
false
Tags On Success (tagsOnSuccess)
Description
This step grants these tags if it completes successfully.
Attributes
Plugin-List
Optional
Assignable plugins
Step ID (stepId)
Description
ID of this step. This is only needed if this step is the target of a goto action or if this step requires activation.
Attributes
Plugin-Link
Optional
Assignable plugins
On Failure Gotos (onFailureGotos)
Description

If the step fails (no retry) and a goto target for the error code is defined here, the flow does not fail and instead a "goto" to the specified target step is executed. Note that even when the "goto" is executed, any error codes that are considered a failed factor attempt will still increment the "failed attempts" counter, and may lead to the user being locked. Therefore, this may still result in a failed flow.

A typical application of this feature is switching to an alternative authentication factor step, if an external service (e.g. Futurae server, SMS gateway) is not available (error code EXTERNAL_SERVICE_UNAVAILABLE with "Strict Counting" disabled, which will not increment the "failed attempts" counter). Other error codes can be found in the IAM REST documentation, in both the general "Error Codes" section and in the documentation of specific endpoints.

Attributes
Plugin-Map
Optional
Assignable plugins
Custom Response Attributes (customResponseAttributes)
Description

A list of custom attributes that are returned in the REST response in addition to the standard attributes the step already returns. The custom attributes defined here are only returned if the step result does not lead to an error response.

Custom attributes are added to the response when a step is initialized and when actions are executed on the step. They will therefore be available in the response leading to this step, and in any responses from endpoints specific to this step. For non-interactive steps, custom attributes are accumulated and added to the response leading to the next interactive step.

Custom attributes are not returned for 'retrieve' endpoints.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CrontoPushActivationStep
id: CrontoPushActivationStep-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:
  customFailureResponseAttributes:
  customResponseAttributes:
  dynamicStepActivations:
  interactiveGotoTargets:
  onFailureGotos:
  preCondition:
  requiresActivation: false
  skipCondition:
  stepId:
  tagsOnSuccess:

CSRF Token Extraction Step

Description

This plugin obtains the login page of a backend application with an HTTP GET request. It then extracts the CSRF token from the login form and stores it in the on-behalf login step context under the configured key for further use.

This on behalf login step is typically used as a first step in the sequence of on-behalf login steps.

Type name
CsrfFormTokenExtractionStep
Class
com.airlock.iam.core.misc.impl.sso.onbehalflogin.CsrfFormTokenExtractionStep
May be used by
Properties
CSRF token selector (csrfTokenSelector)
Description
Collects the CSRF protection token from the web application's login page.
Attributes
Plugin-Link
Mandatory
Assignable plugins
CSRF storage key (csrfStorageKey)
Description
The extracted CSRF protection token is stored in an information storage for further on behalf login steps. This key defines the name of the key under which the value of the CSRF protection token is stored. Further on behalf login steps reference the CSRF protection token's value using this key.
Attributes
String
Mandatory
Example
csrftoken
Target Application Login Page URL (targetApplicationLoginPageUrl)
Description
URL of the target application's page to connect to.
Attributes
String
Mandatory
Example
http://foo.bar.ch/login.php
Example
https://secure.ergon.ch/auth/login
Query Parameters (queryParameters)
Description
The HTTP query parameters to be added to the target URL. This implementation supports template syntax using ${variable} in parameters. Available variables are all values provided to the identity propagation.

If the query parameter is already defined in the target URL, the value defined through this configuration will be added to the existing values.

If the same parameter name is configured multiple times, the values will be added to the existing values in order of the configured list.

Attributes
Plugin-List
Optional
Assignable plugins
On Behalf Login Step Validator (onBehalfLoginStepValidator)
Description
An optional validator that validates the response of this step.
Attributes
Plugin-Link
Optional
Assignable plugins
Additional Headers (additionalHeaders)
Description
A list of headers to add to the standard headers of the HTTP client. It is possible to add multiple headers with the same name.
Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CsrfFormTokenExtractionStep
id: CsrfFormTokenExtractionStep-xxxxxx
displayName: 
comment: 
properties:
  additionalHeaders:
  csrfStorageKey:
  csrfTokenSelector:
  onBehalfLoginStepValidator:
  queryParameters:
  targetApplicationLoginPageUrl:
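The two mechanics this step describes, ${variable} templating of query parameters that are appended to whatever query the target URL already carries, and extraction of the CSRF token from the fetched login form so it can be stored under the configured storage key, as an added Python example. This is not the product's code: the HTTP GET itself is left out (the login page HTML is a constructed sample), and the hidden-input collector is a hypothetical stand-in for the configured "CSRF token selector" plugin.

```python
from html.parser import HTMLParser
from string import Template
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class HiddenInputCollector(HTMLParser):
    """Collect hidden <input> fields of the login form.

    Hypothetical stand-in for the configured CSRF token selector plugin.
    """

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)
        input_type = (attr.get("type") or "").lower()
        name = attr.get("name")
        if input_type == "hidden" and name:
            self.hidden[name] = attr.get("value") or ""


def build_login_page_url(target_url, query_parameters, variables):
    """Resolve ${variable} templates and append the configured parameters.

    query_parameters is a list of (name, template) pairs in configured order.
    Parameters already present in target_url are kept; configured values are
    added after them, so a name configured twice yields repeated parameters.
    A template referencing an unknown variable raises KeyError (fail closed).
    """
    parts = urlsplit(target_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    for name, template in query_parameters:
        query.append((name, Template(template).substitute(variables)))
    return urlunsplit(parts._replace(query=urlencode(query)))


def extract_csrf_token(login_page_html, field_name, storage_key, storage):
    """Pick the CSRF token out of the login page and store it under storage_key.

    storage models the on-behalf login step context shared with later steps.
    Raises ValueError when the form carries no such field, so a changed login
    page fails the on-behalf login instead of posting an empty token.
    """
    collector = HiddenInputCollector()
    collector.feed(login_page_html)
    token = collector.hidden.get(field_name)
    if not token:
        raise ValueError(f"no hidden field {field_name!r} on login page")
    storage[storage_key] = token
    return token


# Constructed sample login page (not a real backend response).
LOGIN_PAGE = """<html><body>
<form method="post" action="/login.php">
  <input type="hidden" name="csrftoken" value="constructed-token-value">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form></body></html>"""
```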

CSV Renderer

Description
A renderer that creates CSV output.
Type name
CsvRenderer
Class
com.airlock.iam.core.misc.renderer.CsvRenderer
May be used by
Properties
Header Names (headerNames)
Description
Defines the header line of the CSV. Each of the Strings is used as the header for the column at its position in the List. This list may be empty if no header is to be written.
Attributes
String-List
Optional
Data Column Names (dataColumnNames)
Description
Defines the column names of the data to be written to the CSV. The columns are written in the order they have in this list. Columns that are in the data, but not defined here, will not be written.
Attributes
String-List
Mandatory
Charset (charset)
Description
Defines the character set to use when creating the CSV output.
Attributes
String
Optional
Default value
UTF-8
Allowed values
UTF-8, ISO-8859-1, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, ISO-8859-15
Field Delimiter (fieldDelimiter)
Description

This property specifies the separation character used in the generated CSV output in order to separate fields from each other. Usually, a comma is used but, e.g., Excel requires this to be a semicolon. To use the generated file with Excel, use a semicolon; to use it with most other programs, use a comma.

If the field delimiter is a valid character in one of the exported fields, then a text delimiter has to be configured! Failing to do so might result in erroneous CSV output.

Attributes
String
Optional
Default value
,
Suggested values
,, ;, :, |
Text Delimiter (textDelimiter)
Description
Specifies the character used to enclose the text of a single field. Such a delimiter is required if the field delimiter character is allowed to be used inside the field texts.
Attributes
String
Optional
Suggested values
", '
YAML Template (with default values)

type: CsvRenderer
id: CsvRenderer-xxxxxx
displayName: 
comment: 
properties:
  charset: UTF-8
  dataColumnNames:
  fieldDelimiter: ,
  headerNames:
  textDelimiter:

CSV Users Export

Description
Specifies what data to include in the export. A download button is included on the user list page. When pressed, the current selection (filter) of users is downloaded as a CSV file.

For efficiency reasons, prefer using a "User Store Configuration" over a "User Persister Configuration".

Type name
CsvUsersExport
Class
com.airlock.iam.admin.application.configuration.users.CsvUsersExportConfig
May be used by
Properties
Type (type)
Description
Valid values of this property are:
  • BASIC: The downloaded file contains only basic infos about the user (username, roles) plus the context data selected by the context keys.
  • FULL: The downloaded file contains all available data about the user plus the context data.
Attributes
Enum
Optional
Default value
BASIC
Context Keys (contextKeys)
Description
This property specifies a list of keys of the context data values to be included in the user data download file. Only values are included that the admin user is allowed to see (according to authorization settings).
Attributes
String-List
Optional
Charset (charset)
Description
Defines the character set to use when exporting the user list as CSV file.
Attributes
String
Optional
Default value
UTF-8
Allowed values
UTF-8, ISO-8859-1, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, ISO-8859-15
Separation Character (separationCharacter)
Description
This property specifies the separation character used in the generated CSV file in order to separate fields from each other. Usually, a comma is used but, e.g., Excel requires this to be a semicolon. To use the generated file with Excel, use a semicolon; to use it with most other programs, use a comma. The separator character MAY be surrounded by double quotes. E.g., the space character is specified as " ".
Attributes
String
Optional
Default value
;
Suggested values
,, ;, :, |
YAML Template (with default values)

type: CsvUsersExport
id: CsvUsersExport-xxxxxx
displayName: 
comment: 
properties:
  charset: UTF-8
  contextKeys:
  separationCharacter: ;
  type: BASIC

Current Date And Time Value Provider

Description
Provides the current date and time.
Type name
DateAndTimeNowValueProvider
Class
com.airlock.iam.common.application.configuration.valueprovider.DateAndTimeNowValueProviderConfig
May be used by
Properties
YAML Template (with default values)

type: DateAndTimeNowValueProvider
id: DateAndTimeNowValueProvider-xxxxxx
displayName: 
comment: 
properties:

Current Timestamp Transformer

Description
Sets the current timestamp on the configured attributes. The resulting attribute type is java.util.Date.
Type name
CurrentTimestampTransformer
Class
com.airlock.iam.core.misc.util.datatransformer.CurrentTimestampTransformer
May be used by
Properties
Attributes (attributes)
Description
The name of the attributes for which the value will be set to the current timestamp.
Attributes
String-List
Mandatory
YAML Template (with default values)

type: CurrentTimestampTransformer
id: CurrentTimestampTransformer-xxxxxx
displayName: 
comment: 
properties:
  attributes:

Custom CAPTCHA

Description
Requires a user to solve a custom CAPTCHA challenge.
Intended for use with a CAPTCHA server that is API-compatible with reCAPTCHA. For reCAPTCHA and hCAPTCHA, the corresponding plugins should be used instead.
This plugin configuration does not affect the Loginapp UI. You will need to adapt it with design kit customization.
Type name
CustomCaptcha
Class
com.airlock.iam.flow.shared.application.configuration.captcha.CustomCaptchaConfig
May be used by
Properties
Site Key (siteKey)
Description

The site key can be assumed to be public knowledge and identifies the associated CAPTCHA account.

Attributes
String
Mandatory
Secret Key (secretKey)
Description

The secret is used to validate the CAPTCHA challenge response on the custom CAPTCHA server.

Attributes
String
Mandatory
Sensitive
CAPTCHA Service URL (captchaServiceUrl)
Description
URL of the CAPTCHA service to use. The CAPTCHA validation will be performed against a CAPTCHA server with this URL. The server API must match the reCAPTCHA API.

For example, the API request for reCAPTCHA is 'https://google.com/recaptcha/api/siteverify' as POST method with the 'secret' and the user 'response' token as POST parameters.

Attributes
String
Mandatory
Enforce CAPTCHA for step (enforceCaptchaForStep)
Description
Whether a CAPTCHA solution is always required. By default, solving a CAPTCHA in a step causes subsequent steps with CAPTCHA to skip CAPTCHA verification. When this setting is enabled, the user is always required to solve the CAPTCHA for this step, irrespective of whether a CAPTCHA has previously been solved. Later CAPTCHA verifications are also not influenced by the step using this CAPTCHA, i.e. solving the CAPTCHA in this step has no effect on later CAPTCHA verifications. When this setting is disabled, no CAPTCHA is required if a CAPTCHA was solved in a preceding step, unless the preceding Custom CAPTCHA step had this setting activated.
Attributes
Boolean
Optional
Default value
false
Type (type)
Description
The type is used to differentiate multiple types of CAPTCHA (reCAPTCHA, hCAPTCHA or multiple custom CAPTCHA). If you use multiple custom CAPTCHA make sure this type is unique.
Attributes
String
Optional
Default value
CUSTOM_CAPTCHA
Proxy URI (proxyUri)
Description
URI of an HTTP proxy the connector should use. If the port component of the URI is absent, a default port of 8080 is assumed. If this property is left empty, no proxy is used.
Attributes
String
Optional
Example
https://proxy.company.com
Proxy Login User (proxyLoginUser)
Description
Username for the proxy if proxy authentication is used.
Attributes
String
Optional
Proxy Login Password (proxyLoginPassword)
Description
Password for the proxy if proxy authentication is used.
Attributes
String
Optional
Sensitive
YAML Template (with default values)

type: CustomCaptcha
id: CustomCaptcha-xxxxxx
displayName: 
comment: 
properties:
  captchaServiceUrl:
  enforceCaptchaForStep: false
  proxyLoginPassword:
  proxyLoginUser:
  proxyUri:
  secretKey:
  siteKey:
  type: CUSTOM_CAPTCHA

Custom Claim (OAuth 2.0 Token Exchange)

Description
Sets the configured claim to the configured value. Beware that claims with a "Registered Claim Name" (see RFC 7519) are not allowed.
Type name
OAuth2TokenExchangeJwtCustomClaim
Class
com.airlock.iam.oauth2.application.configuration.tokenexchange.rules.jwt.OAuth2TokenExchangeJwtCustomClaimConfig
May be used by
License-Tags
OAuthTokenExchange
Properties
Claim Name (claimName)
Description
The claim name. Claims with a "Registered Claim Name" (see RFC 7519) are not allowed.
Attributes
String
Mandatory
Example
username
Example
claim1
Claim Condition (claimCondition)
Description

This custom claim will only be added to the issued token if the configured condition is satisfied.

If no condition is configured, the custom claim will always be added.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: OAuth2TokenExchangeJwtCustomClaim
id: OAuth2TokenExchangeJwtCustomClaim-xxxxxx
displayName: 
comment: 
properties:
  claimCondition:
  claimName:
  claimValue:

Custom Configuration-based Authentication UI

Description
User interface configuration for a configurable authentication flow step.
Type name
ConfigurableAuthenticationStepUi
Class
com.airlock.iam.authentication.application.configuration.ui.ConfigurableAuthenticationStepUiConfig
May be used by
Properties
Page ID (pageId)
Description
A unique identifier of the page. This ID is used to derive the page titles with the following keys:
  • custom.page.<ID>.title.caption: to define the caption of the page
  • custom.page.<ID>.title.page: to define the HTML page title. If not set, the translation from the caption is used.
Attributes
String
Mandatory
Validation RegEx: [a-z]+(-[a-z]+)*
Step ID (stepId)
Description
The ID of the step to which this UI is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required Step Action (requiredStepAction)
Description
The step action that requires this UI. This must correspond to a "nextStep" that is returned in responses from flow REST calls, and that can be handled by the "Flow Step" referenced by the "Step ID" configured above. Leave empty to match all step actions (preferred method for steps with only one possible step action).
Attributes
String
Optional
Suggested values
CRONTO_DEVICE_CHOICE_REQUIRED, CRONTO_OTP_REQUIRED, MTAN_TOKEN_CHOICE_REQUIRED, MTAN_OTP_REQUIRED, CRONTO_ACTIVATION_START_REQUIRED, CRONTO_ACTIVATION_COMPLETE_REQUIRED
Initial REST Invocation (initialRestInvocation)
Description
A REST API call to execute when loading the page. The data retrieved in this call can be used to display information in UI components, e.g. by configuring the "Initial Value Query" property on supported UI elements.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: ConfigurableAuthenticationStepUi
id: ConfigurableAuthenticationStepUi-xxxxxx
displayName: 
comment: 
properties:
  initialRestInvocation:
  pageId:
  requiredStepAction:
  stepId:
  uiElements:

Custom Configuration-based Public Self-Service UI

Description

User interface configuration for a configurable public self-service flow step.

The step is accessible by the following URI: /<loginapp-uri>/ui/app/self-service/flow/default/ext/<ID>

Type name
ConfigurablePublicSelfServiceStepUi
Class
com.airlock.iam.publicselfservice.application.configuration.ui.ConfigurablePublicSelfServiceStepUiConfig
May be used by
Properties
Page ID (pageId)
Description
A unique identifier of the page. This ID is used to derive the page titles with the following keys:
  • custom.page.<ID>.title.caption: to define the caption of the page
  • custom.page.<ID>.title.page: to define HTML page title. If not set, the translation from the caption is used.
Attributes
String
Mandatory
Validation RegEx: [a-z]+(-[a-z]+)*
Step ID (stepId)
Description
The ID of the step to which this UI is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required Step Action (requiredStepAction)
Description
The step action that requires this UI. This must correspond to a "nextStep" that is returned in responses from flow REST calls, and that can be handled by the "Flow Step" referenced by the "Step ID" configured above. Leave empty to match all step actions (preferred method for steps with only one possible step action).
Attributes
String
Optional
Suggested values
CRONTO_DEVICE_CHOICE_REQUIRED, CRONTO_OTP_REQUIRED, MTAN_TOKEN_CHOICE_REQUIRED, MTAN_OTP_REQUIRED, CRONTO_ACTIVATION_START_REQUIRED, CRONTO_ACTIVATION_COMPLETE_REQUIRED
Initial REST Invocation (initialRestInvocation)
Description
A REST API call to execute when loading the page. The data retrieved in this call can be used to display information in UI components, e.g. by configuring the "Initial Value Query" property on supported UI elements.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: ConfigurablePublicSelfServiceStepUi
id: ConfigurablePublicSelfServiceStepUi-xxxxxx
displayName: 
comment: 
properties:
  initialRestInvocation:
  pageId:
  requiredStepAction:
  stepId:
  uiElements:

Custom Configuration-based Self-Service UI

Description

User interface configuration for a configurable protected self-service flow step.

The step is accessible by the following URI: /<loginapp-uri>/ui/app/protected/flow/<FLOW_ID>/ext/<ID>

Type name
ConfigurableSelfServiceStepUi
Class
com.airlock.iam.selfservice.application.configuration.ui.ConfigurableSelfServiceStepUiConfig
May be used by
Properties
Page ID (pageId)
Description
A unique identifier of the page. This ID is used to derive the page titles with the following keys:
  • custom.page.<ID>.title.caption: to define the caption of the page
  • custom.page.<ID>.title.page: to define HTML page title. If not set, the translation from the caption is used.
Attributes
String
Mandatory
Validation RegEx: [a-z]+(-[a-z]+)*
Step ID (stepId)
Description
The ID of the step to which this UI is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required Step Action (requiredStepAction)
Description
The step action that requires this UI. This must correspond to a "nextStep" that is returned in responses from flow REST calls, and that can be handled by the "Flow Step" referenced by the "Step ID" configured above. Leave empty to match all step actions (preferred method for steps with only one possible step action).
Attributes
String
Optional
Suggested values
CRONTO_DEVICE_CHOICE_REQUIRED, CRONTO_OTP_REQUIRED, MTAN_TOKEN_CHOICE_REQUIRED, MTAN_OTP_REQUIRED, CRONTO_ACTIVATION_START_REQUIRED, CRONTO_ACTIVATION_COMPLETE_REQUIRED
Initial REST Invocation (initialRestInvocation)
Description
A REST API call to execute when loading the page. The data retrieved in this call can be used to display information in UI components, e.g. by configuring the "Initial Value Query" property on supported UI elements.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: ConfigurableSelfServiceStepUi
id: ConfigurableSelfServiceStepUi-xxxxxx
displayName: 
comment: 
properties:
  initialRestInvocation:
  pageId:
  requiredStepAction:
  stepId:
  uiElements:

Custom Configuration-based User Self-Registration UI

Description

User interface configuration for a configurable user self-registration flow step.

The step is accessible by the following URI: /<loginapp-uri>/ui/app/registration/flow/<FLOW_ID>/ext/<ID>

Type name
ConfigurableUserSelfRegStepUi
Class
com.airlock.iam.userselfreg.application.configuration.ui.ConfigurableUserSelfRegStepUiConfig
May be used by
License-Tags
SelfRegistration
Properties
Page ID (pageId)
Description
A unique identifier of the page. This ID is used to derive the page titles with the following keys:
  • custom.page.<ID>.title.caption: to define the caption of the page
  • custom.page.<ID>.title.page: to define HTML page title. If not set, the translation from the caption is used.
Attributes
String
Mandatory
Validation RegEx: [a-z]+(-[a-z]+)*
Step ID (stepId)
Description
The ID of the step to which this UI is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required Step Action (requiredStepAction)
Description
The step action that requires this UI. This must correspond to a "nextStep" that is returned in responses from flow REST calls, and that can be handled by the "Flow Step" referenced by the "Step ID" configured above. Leave empty to match all step actions (preferred method for steps with only one possible step action).
Attributes
String
Optional
Suggested values
CRONTO_DEVICE_CHOICE_REQUIRED, CRONTO_OTP_REQUIRED, MTAN_TOKEN_CHOICE_REQUIRED, MTAN_OTP_REQUIRED, CRONTO_ACTIVATION_START_REQUIRED, CRONTO_ACTIVATION_COMPLETE_REQUIRED
Initial REST Invocation (initialRestInvocation)
Description
A REST API call to execute when loading the page. The data retrieved in this call can be used to display information in UI components, e.g. by configuring the "Initial Value Query" property on supported UI elements.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: ConfigurableUserSelfRegStepUi
id: ConfigurableUserSelfRegStepUi-xxxxxx
displayName: 
comment: 
properties:
  initialRestInvocation:
  pageId:
  requiredStepAction:
  stepId:
  uiElements:

Custom Flow Processors

Description

Allows to configure custom processors for any kind of flow.

Security Warning: For advanced users only. A custom processor configuration may change the behavior of, e.g., counting of failed logins, user locking and user validity checks. Using this advanced option may therefore have major security implications. Only use this option if you understand how to achieve a secure processor configuration.

Type name
CustomFlowProcessors
Class
com.airlock.iam.flow.application.configuration.processor.CustomFlowProcessorsConfig
May be used by
Properties
Processors (processors)
Description

Custom list of processors that are applied in the configured order.

It is crucial to understand that a faulty processor configuration leads to an insecure system. Unless the consequences are well understood, it is recommended to work with the respective default processors plugin provided for the flow type in question. Please read its documentation to know which processors it uses internally. Also read the plugin documentations of the individual processors, in particular to understand which processors are combinable and if so in which order.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CustomFlowProcessors
id: CustomFlowProcessors-xxxxxx
displayName: 
comment: 
properties:
  processors:

Custom JavaScript-based Authentication UI

Description

User interface configuration for a custom JavaScript authentication flow step.

The step is accessible by the following URI: /<loginapp-uri>/ui/app/auth/flow/<FLOW_ID>/ext/<ID>

Type name
CustomJavaScriptAuthenticationStepUi
Class
com.airlock.iam.authentication.application.configuration.ui.CustomJavaScriptAuthenticationStepUiConfig
May be used by
Properties
Page ID (pageId)
Description
A unique identifier of the page. This ID is used to derive the page titles with the following keys:
  • custom.page.<ID>.title.caption: to define the caption of the page
  • custom.page.<ID>.title.page: to define HTML page title. If not set, the translation from the caption is used.
Attributes
String
Mandatory
Validation RegEx: [a-z]+(-[a-z]+)*
Step ID (stepId)
Description
The ID of the step to which this UI is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required Step Action (requiredStepAction)
Description
The step action that requires this UI. This must correspond to a "nextStep" that is returned in responses from flow REST calls, and that can be handled by the "Flow Step" referenced by the "Step ID" configured above. Leave empty to match all step actions (preferred method for steps with only one possible step action).
Attributes
String
Optional
Suggested values
CRONTO_DEVICE_CHOICE_REQUIRED, CRONTO_OTP_REQUIRED, MTAN_TOKEN_CHOICE_REQUIRED, MTAN_OTP_REQUIRED, CRONTO_ACTIVATION_START_REQUIRED, CRONTO_ACTIVATION_COMPLETE_REQUIRED
YAML Template (with default values)

type: CustomJavaScriptAuthenticationStepUi
id: CustomJavaScriptAuthenticationStepUi-xxxxxx
displayName: 
comment: 
properties:
  pageId:
  requiredStepAction:
  stepId:

Custom JavaScript-based Public Self-Service UI

Description

User interface configuration for a custom JavaScript public self-service flow step.

The step is accessible by the following URI: /<loginapp-uri>/ui/app/self-service/flow/default/ext/<ID>

Type name
CustomJavaScriptPublicSelfServiceStepUi
Class
com.airlock.iam.publicselfservice.application.configuration.ui.CustomJavaScriptPublicSelfServiceStepUiConfig
May be used by
Properties
Page ID (pageId)
Description
A unique identifier of the page. This ID is used to derive the page titles with the following keys:
  • custom.page.<ID>.title.caption: to define the caption of the page
  • custom.page.<ID>.title.page: to define HTML page title. If not set, the translation from the caption is used.
Attributes
String
Mandatory
Validation RegEx: [a-z]+(-[a-z]+)*
Step ID (stepId)
Description
The ID of the step to which this UI is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required Step Action (requiredStepAction)
Description
The step action that requires this UI. This must correspond to a "nextStep" that is returned in responses from flow REST calls, and that can be handled by the "Flow Step" referenced by the "Step ID" configured above. Leave empty to match all step actions (preferred method for steps with only one possible step action).
Attributes
String
Optional
Suggested values
CRONTO_DEVICE_CHOICE_REQUIRED, CRONTO_OTP_REQUIRED, MTAN_TOKEN_CHOICE_REQUIRED, MTAN_OTP_REQUIRED, CRONTO_ACTIVATION_START_REQUIRED, CRONTO_ACTIVATION_COMPLETE_REQUIRED
YAML Template (with default values)

type: CustomJavaScriptPublicSelfServiceStepUi
id: CustomJavaScriptPublicSelfServiceStepUi-xxxxxx
displayName: 
comment: 
properties:
  pageId:
  requiredStepAction:
  stepId:

Custom JavaScript-based Self-Service UI

Description

User interface configuration for a custom JavaScript self-service flow step.

The step is accessible by the following URI: /<loginapp-uri>/ui/app/protected/flow/<FLOW_ID>/ext/<ID>

Type name
CustomJavaScriptSelfServiceStepUi
Class
com.airlock.iam.selfservice.application.configuration.ui.CustomJavaScriptSelfServiceStepUiConfig
May be used by
Properties
Page ID (pageId)
Description
A unique identifier of the page. This ID is used to derive the page titles with the following keys:
  • custom.page.<ID>.title.caption: to define the caption of the page
  • custom.page.<ID>.title.page: to define HTML page title. If not set, the translation from the caption is used.
Attributes
String
Mandatory
Validation RegEx: [a-z]+(-[a-z]+)*
Step ID (stepId)
Description
The ID of the step to which this UI is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required Step Action (requiredStepAction)
Description
The step action that requires this UI. This must correspond to a "nextStep" that is returned in responses from flow REST calls, and that can be handled by the "Flow Step" referenced by the "Step ID" configured above. Leave empty to match all step actions (preferred method for steps with only one possible step action).
Attributes
String
Optional
Suggested values
CRONTO_DEVICE_CHOICE_REQUIRED, CRONTO_OTP_REQUIRED, MTAN_TOKEN_CHOICE_REQUIRED, MTAN_OTP_REQUIRED, CRONTO_ACTIVATION_START_REQUIRED, CRONTO_ACTIVATION_COMPLETE_REQUIRED
YAML Template (with default values)

type: CustomJavaScriptSelfServiceStepUi
id: CustomJavaScriptSelfServiceStepUi-xxxxxx
displayName: 
comment: 
properties:
  pageId:
  requiredStepAction:
  stepId:

Custom JavaScript-based User Self-Registration UI

Description

User interface configuration for a custom JavaScript user self-registration flow step.

The step is accessible by the following URI: /<loginapp-uri>/ui/app/registration/flow/<FLOW_ID>/ext/<ID>

Type name
CustomJavaScriptUserSelfRegStepUi
Class
com.airlock.iam.userselfreg.application.configuration.ui.CustomJavaScriptUserSelfRegStepUiConfig
May be used by
License-Tags
SelfRegistration
Properties
Page ID (pageId)
Description
A unique identifier of the page. This ID is used to derive the page titles with the following keys:
  • custom.page.<ID>.title.caption: to define the caption of the page
  • custom.page.<ID>.title.page: to define HTML page title. If not set, the translation from the caption is used.
Attributes
String
Mandatory
Validation RegEx: [a-z]+(-[a-z]+)*
Step ID (stepId)
Description
The ID of the step to which this UI is referring.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required Step Action (requiredStepAction)
Description
The step action that requires this UI. This must correspond to a "nextStep" that is returned in responses from flow REST calls, and that can be handled by the "Flow Step" referenced by the "Step ID" configured above. Leave empty to match all step actions (preferred method for steps with only one possible step action).
Attributes
String
Optional
Suggested values
CRONTO_DEVICE_CHOICE_REQUIRED, CRONTO_OTP_REQUIRED, MTAN_TOKEN_CHOICE_REQUIRED, MTAN_OTP_REQUIRED, CRONTO_ACTIVATION_START_REQUIRED, CRONTO_ACTIVATION_COMPLETE_REQUIRED
YAML Template (with default values)

type: CustomJavaScriptUserSelfRegStepUi
id: CustomJavaScriptUserSelfRegStepUi-xxxxxx
displayName: 
comment: 
properties:
  pageId:
  requiredStepAction:
  stepId:

Custom Protected Self-Service Flow

Description
Configuration for a custom protected self-service flow.
Type name
CustomProtectedSelfServiceFlow
Class
com.airlock.iam.selfservice.application.configuration.flow.CustomProtectedSelfServiceFlowConfig
May be used by
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Steps (steps)
Description
Steps of the flow.
Attributes
Plugin-List
Mandatory
Assignable plugins
Abort Step, Account Link Linking Initiation Step, Account Link Removal Initiation Step, Acknowledge Message Step, Airlock 2FA Activation Step, Airlock 2FA Activation Trusted Session Binding Step, Airlock 2FA Delete Devices Step, Airlock 2FA Device Deletion Initiation Step, Airlock 2FA Device Edit Initiation Step, Airlock 2FA Device Edit Step, Airlock 2FA Recovery Trusted Session Binding Step, Airlock 2FA Self-Service Approval Step, Apply Changes Step, Cronto Activation Step, Cronto Device Reset Step, Cronto Device Selection Step, Cronto Letter Order Step, Cronto Self-Service Approval Step, CrontoSign Swiss Push Activation Step, Delete Cronto Device Initiation Step, Delete FIDO Credential Initiation Step, Delete OAuth 2.0 Session Initiation Step, Delete Remember-Me Device Initiation Step, Delete mTAN Number Initiation Step, Device Token Registration Step, Disable Cronto Device Initiation Step, Disable Cronto Push Initiation Step, Disable FIDO Credential Initiation Step, Email Change Verification Step, Email Notification Step, Enable Cronto Device Initiation Step, Enable Cronto Push Initiation Step, Enable FIDO Credential Initiation Step, FIDO Credential Display Name Change Step, FIDO Credential Selection Step, FIDO Registration Step, FIDO Self-Service Approval Step, Failure Step, Matrix Self-Service Approval Step, No Operation Step, OATH OTP Activation Step, OAuth 2.0 Consent Deny Initiation Step, OAuth 2.0 Consent Grant Initiation Step, OAuth 2.0 Consents Delete Initiation Step, OAuth 2.0 Session Reset Step, Password Change Self-Service Step, Password Letter Order Step, Remember-Me Reset Step, Rename Cronto Device Step, SSI Issuance Step, SSI Verification Step, Scriptable Step, Select mTAN Token Step, Selection Step for Self-Service, Set Context Data Step, Start User Representation Step, Stop User Representation Step, Tag Removal Step, User Data Edit Step, User Lock Step, Vasco OTP Device Activation, Vasco OTP Self-Service Approval Step, mTAN Self-Service Approval Step, mTAN Token Edit Step, mTAN Token Registration Step, mTAN Verification Step
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Persistency-less (persistencyless)
Description

If enabled, this flow does not consider persistency, i.e. users don't have to exist locally in order to use a self-service. This is typically used with SSO tickets or external authentication using OAuth or SAML.

Persistency-less flows are very limited in their capabilities, in particular:

  • The user state (locked, invalid etc.) cannot be verified.
  • Flow steps editing user data will complete without failure but changed data is lost.

Note that configuration validation support is limited. It is essential to test such a flow extensively to ensure it behaves correctly in all situations.

It is recommended to use the "Default Persistency-less Protected Self-Service Processors" when using a persistency-less flow.

Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: CustomProtectedSelfServiceFlow
id: CustomProtectedSelfServiceFlow-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  flowId:
  persistencyless: false
  processors:
  steps:
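
The distinction between the two conditions, as an added example that is not Airlock IAM code: the access condition is evaluated first and its failure is final for the request, the authorization condition is evaluated second and a step-up flow can repair it. The user model, the role and tag names and the condition helpers are assumptions; the status and error codes are the ones stated in the property descriptions above.

```python
# Added example (not Airlock IAM code): how the Access Condition and the
# Authorization Condition of a protected self-service flow combine. The user
# model, the helpers and the sample role/tag names are assumptions; the status
# codes and error codes are the ones the plugin documentation states.
from dataclasses import dataclass, field
from typing import Callable, Optional, Set, Tuple


@dataclass
class FlowUser:
    username: str
    roles: Set[str] = field(default_factory=set)   # static roles from the user store
    tags: Set[str] = field(default_factory=set)    # tags obtained by completing flows


Condition = Callable[[FlowUser], bool]


def has_role(role: str) -> Condition:
    return lambda user: role in user.roles


def has_tag(tag: str) -> Condition:
    return lambda user: tag in user.tags


def check_flow_access(user: FlowUser,
                      access_condition: Optional[Condition],
                      authorization_condition: Optional[Condition]) -> Tuple[int, Optional[str]]:
    """Returns (HTTP status, error code) for a flow REST call.

    The access condition is always checked first; an unset condition counts as
    satisfied. Only the authorization failure is expected to be recoverable by
    completing another (step-up) authentication flow.
    """
    if access_condition is not None and not access_condition(user):
        return 403, "PRECONDITION_NOT_FULFILLED"   # nothing the user can do right now
    if authorization_condition is not None and not authorization_condition(user):
        return 403, "NOT_AUTHORIZED"               # a step-up granting the tag would fix this
    return 200, None


def step_up(user: FlowUser, tag: str = "mfa") -> FlowUser:
    """Models the completion of a step-up flow that grants a tag (assumed tag name)."""
    user.tags.add(tag)
    return user


# Constructed sample policy: the flow is reserved for the "customer" role and
# requires a fresh second factor, recorded as the (hypothetical) tag "mfa".
ACCESS = has_role("customer")
AUTHZ = has_tag("mfa")

if __name__ == "__main__":
    alice = FlowUser("alice", roles={"customer"})
    print(check_flow_access(alice, ACCESS, AUTHZ))           # (403, 'NOT_AUTHORIZED')
    print(check_flow_access(step_up(alice), ACCESS, AUTHZ))  # (200, None)
```

A user who holds the tag but not the role is still rejected with PRECONDITION_NOT_FULFILLED, because the access condition is evaluated before the authorization condition.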

Custom Public Self-Service Restrictions

Description

Custom configuration for public self-service restrictions.

See the plugin descriptions of "Default Password Reset Restrictions" or "Default Self-Unlock Restrictions" to determine reasonable sets of restrictions.

Type name
CustomPublicSelfServiceRestrictions
Class
com.airlock.iam.publicselfservice.application.configuration.restrictions.CustomPublicSelfServiceRestrictionsConfig
May be used by
Properties
Restrictions (restrictions)
Description

Restrictions define which users are allowed to perform a public self-service. These restrictions are checked in the configured order and after the first restriction disallows public self-service, no further checks are performed.

Security Warning: We recommend using at least the restrictions provided by the "Default Password Reset Restrictions". Omitting these restrictions may allow public self-service for unauthorized (e.g. locked or invalid) users. The "Nonexistent User Restriction" is probably always needed and should be the first restriction in the list, because the restrictions that follow it evaluate attributes of a user record that does not exist for an unknown username.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: CustomPublicSelfServiceRestrictions
id: CustomPublicSelfServiceRestrictions-xxxxxx
displayName: 
comment: 
properties:
  restrictions:
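
The ordered, short-circuiting evaluation described above, as an added example that is not Airlock IAM code. "Nonexistent User Restriction" is the name used in the plugin description; the locked-user and invalid-user restrictions, the user records and the function names are assumptions made to illustrate why the nonexistent-user check belongs first.

```python
# Added example (not Airlock IAM code): ordered, short-circuiting evaluation of
# public self-service restrictions. The user records and the locked/invalid
# restrictions are assumptions; "Nonexistent User Restriction" is the name the
# plugin documentation uses.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class UserRecord:
    username: str
    locked: bool = False
    valid: bool = True


# A restriction returns True when the user may proceed. It receives the record
# found for the submitted username, or None when no such user exists.
Restriction = Tuple[str, Callable[[Optional[UserRecord]], bool]]

NONEXISTENT_USER: Restriction = ("nonexistent-user", lambda u: u is not None)
LOCKED_USER: Restriction = ("locked-user", lambda u: not u.locked)
INVALID_USER: Restriction = ("invalid-user", lambda u: u.valid)


def evaluate_restrictions(restrictions: List[Restriction], user: Optional[UserRecord],
                          trace: Optional[List[str]] = None) -> Tuple[bool, Optional[str]]:
    """Checks in the configured order and stops at the first restriction that denies."""
    for name, allows in restrictions:
        if trace is not None:
            trace.append(name)          # records which restrictions actually ran
        if not allows(user):
            return False, name
    return True, None


# Constructed sample user store and the recommended order.
USERS = {
    "alice": UserRecord("alice"),
    "bob": UserRecord("bob", locked=True),
    "carol": UserRecord("carol", valid=False),
}
DEFAULT_ORDER = [NONEXISTENT_USER, LOCKED_USER, INVALID_USER]


def may_reset_password(username: str,
                       restrictions: List[Restriction] = DEFAULT_ORDER) -> Tuple[bool, Optional[str]]:
    return evaluate_restrictions(restrictions, USERS.get(username))


def wrong_order_outcome(username: str = "nobody"):
    """Shows why the nonexistent-user check must come first: the later
    restrictions dereference the record and blow up on an unknown user."""
    try:
        return evaluate_restrictions([LOCKED_USER, NONEXISTENT_USER], USERS.get(username))
    except AttributeError as exc:
        return ("error", type(exc).__name__)
```

With the recommended order an unknown username is denied by the first restriction and none of the others run; with the nonexistent-user check in second place the locked-user check is evaluated against a missing record and fails with an exception instead of a clean denial.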

Custom User Persister-based User Store Provider

Description
This is a user store implementation that emulates the new user store interface for large numbers of users with existing plugins.
Type name
CustomUserPersisterBasedUserStoreProvider
Class
com.airlock.iam.core.application.configuration.store.user.CustomUserPersisterBasedUserStoreProvider
May be used by
Properties
User Persister (userPersister)
Description
A user persister that will be used to retrieve and update users. Expects the persister to be an extended persister. Logs a warning if this is not the case.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: CustomUserPersisterBasedUserStoreProvider
id: CustomUserPersisterBasedUserStoreProvider-xxxxxx
displayName: 
comment: 
properties:
  userPersister:

Customizable Device List

Description
This plugin starts with all of a user's Airlock 2FA devices and allows you to narrow down the list using customizable filters. The filters are applied in sequence, with each step only keeping the devices that match the current filter. For example, applying a 'Hardware Device' filter first, followed by a 'Most Recently Registered' filter, will return only the most recently registered hardware device.

In case no Airlock 2FA account is associated with the current user, no device IDs are returned.

Type name
CustomizableAirlock2FADeviceIdsProvider
Class
com.airlock.iam.flow.shared.application.configuration.airlock2fa.provider.CustomizableAirlock2FADeviceIdsProviderConfig
May be used by
License-Tags
Airlock2FA
Properties
Device Filter Sequence (deviceFilters)
Description
In case not all device IDs should be returned, restrictions can be defined using this property.

A device will only be returned by this provider in case it passes all the filtering steps defined by this sequence. An example is given in the plugin documentation.

Note: No configured predicate (default) means all device IDs of the user will be returned.

Note: In general, combining the device filters with a "Logical AND Device Condition" and configuring that as a single filter is not equivalent to configuring them as a list of filters, because a single combined filter evaluates every condition against the full device list, whereas each filter in a list only sees the devices kept by the previous one.

Attributes
Plugin-List
Optional
Assignable plugins
Airlock 2FA Settings (airlock2FASettings)
Description
Settings of Airlock 2FA.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: CustomizableAirlock2FADeviceIdsProvider
id: CustomizableAirlock2FADeviceIdsProvider-xxxxxx
displayName: 
comment: 
properties:
  airlock2FASettings:
  deviceFilters:
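
The sequence from the plugin description ('Hardware Device' followed by 'Most Recently Registered') next to the same two conditions combined into a single logical-AND filter, as an added example that is not Airlock IAM code. The device records, the timestamps and the filter function names are assumptions.

```python
# Added example (not Airlock IAM code): sequential device filters versus one
# "logical AND" filter. Device records and filter names are assumptions that
# follow the example in the plugin description.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Device:
    device_id: str
    hardware: bool
    registered_at: int   # constructed: seconds since the epoch


# A filter step maps the devices that survived the previous steps to a subset.
FilterStep = Callable[[List[Device]], List[Device]]


def hardware_device(devices: List[Device]) -> List[Device]:
    return [d for d in devices if d.hardware]


def most_recently_registered(devices: List[Device]) -> List[Device]:
    if not devices:
        return []
    newest = max(d.registered_at for d in devices)
    return [d for d in devices if d.registered_at == newest]


def select_device_ids(devices: Optional[List[Device]], steps: List[FilterStep]) -> List[str]:
    """Applies the filter sequence. No Airlock 2FA account (None) yields no IDs;
    an empty sequence yields all device IDs of the user."""
    if devices is None:
        return []
    remaining = list(devices)
    for step in steps:
        remaining = step(remaining)
    return [d.device_id for d in remaining]


def logical_and(*steps: FilterStep) -> FilterStep:
    """One filter that keeps a device only if every step, evaluated on the full
    input list, keeps it. This is the single-filter variant the note warns about."""
    def combined(devices: List[Device]) -> List[Device]:
        keep = set(devices)
        for step in steps:
            keep &= set(step(devices))
        return [d for d in devices if d in keep]
    return combined


# Constructed sample account: one hardware device and two newer app devices.
ACCOUNT = [
    Device("hw-1", True, 1_700_000_000),
    Device("app-1", False, 1_700_100_000),
    Device("app-2", False, 1_700_200_000),
]

if __name__ == "__main__":
    print(select_device_ids(ACCOUNT, [hardware_device, most_recently_registered]))
    print(select_device_ids(ACCOUNT, [logical_and(hardware_device, most_recently_registered)]))
```

The sequence returns the most recently registered hardware device (hw-1). The combined filter returns nothing, because the most recently registered device of the whole account is an app device, which the hardware condition rejects.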

Customizable Identity Generator

Description
Generate a random identity from a customizable pattern of fixed and random components.
Type name
CustomizableIdentityGenerator
Class
com.airlock.iam.common.application.configuration.user.CustomizableIdentityGenerator
May be used by
Properties
Pattern (pattern)
Description
Pattern defining how the string is generated.

Pattern syntax:
pattern = fix_part | random_part [fix_part | random_part]*
random_part = {alphabet_name:number_of_characters}
fix_part = any_string_without_'{'

The alphabet_name refers either to a built-in alphabet (see below) or to a custom alphabet defined in the separate Alphabets property below.

Examples:
{digits:6} → 482913
OTP-{digits:4} → OTP-4821
{HEX:8} (with HEX defined in the custom Alphabets property below) → A9F03C1B

Built-in and ready-to-use alphabets are:

  • "digits" all decimal digits (i.e. the characters 0123456789)
  • "lower26" standard alphabet with 26 lowercase letters (i.e. the characters abcdefghijklmnopqrstuvwxyz)
  • "upper26" standard alphabet with 26 uppercase letters (i.e. the characters ABCDEFGHIJKLMNOPQRSTUVWXYZ)
  • "alpha52" standard alphabet with 26 upper- and 26 lowercase letters (i.e. the characters ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz)
  • "distinct" distinct standard characters: digits, upper- and lowercase letter without the hard to distinguish '0,O,1,l,I' (i.e. the characters 23456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ)
  • "DISTINCT" distinct standard characters (with uppercase letters): digits and uppercase letter without the hard to distinguish '0,O,1,I' (i.e. the characters 23456789ABCDEFGHJKLMNPQRSTUVWXYZ)
  • "extended" contains most of the characters visible on a computer keyboard without the hard to distinguish '0,O,1,l,I' (i.e. the characters +-.,:;$<>()[]{}%&!?/*@#=_23456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ)
    NOTE: Characters in this pattern do not pass the input filter for tokens (OTP, SMS, and alike). Choose a different pattern for tokens or relax the corresponding pattern (in the Loginapp's security settings). Characters may be blocked by a WAF deny rule.

Using custom alphabets:
1. Define an alphabet in the Alphabets property below.
2. Reference it in the pattern using {alphabet_name:number_of_characters}, where alphabet_name is the key of the alphabet in the Alphabets property.

Attributes
String
Optional
Default value
user{digits:8}
Example
{distinct:5}
Example
user{digits:8}
Example
{lower26:1}{digits:3}{distinct:3}
Alphabets (alphabets)
Description
A map of custom alphabets that can be referenced in the Pattern property.

How it works:
The map key defines the alphabet_name:number_of_characters.
The plugin (alphabet) defines the characters used for sampling during random generation.
The alphabet can then be referenced in the Pattern property above using {alphabet_name:number_of_characters}.

Example configuration:
Key (alphabet_name): HEX
Plugin: Alphabet with the following characters 0123456789ABCDEF

Example usage in the Pattern property above:
{HEX:8} → A9F03C1B
OTP-{HEX:6} → OTP-4F9A2C

Attributes
Plugin-Map
Optional
Assignable plugins
YAML Template (with default values)

type: CustomizableIdentityGenerator
id: CustomizableIdentityGenerator-xxxxxx
displayName: 
comment: 
properties:
  alphabets:
  pattern: user{digits:8}
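
A generator for the pattern syntax described above, as an added example that is not Airlock IAM code. The built-in alphabets are the ones listed in the Pattern description; the parser, the custom-alphabet map, the verification helper and the entropy estimate are assumptions about how such a generator would be written. Random characters come from the secrets module, since identities and one-time codes produced this way must not be predictable.

```python
# Added example (not Airlock IAM code): a generator for the pattern syntax
# described above, plus an entropy estimate. The built-in alphabets are the
# ones listed in the plugin description; the function names are assumptions.
import math
import re
import secrets
from typing import Dict, List, Optional, Tuple

BUILTIN_ALPHABETS: Dict[str, str] = {
    "digits": "0123456789",
    "lower26": "abcdefghijklmnopqrstuvwxyz",
    "upper26": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "alpha52": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "distinct": "23456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ",
    "DISTINCT": "23456789ABCDEFGHJKLMNPQRSTUVWXYZ",
    "extended": "+-.,:;$<>()[]{}%&!?/*@#=_23456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ",
}

# random_part = {alphabet_name:number_of_characters}; fix_part = any text without '{'
_RANDOM_PART = re.compile(r"\{([^{}:]+):(\d+)\}")


def parse_pattern(pattern: str) -> List[Tuple[str, object]]:
    """Splits the pattern into ("fix", text) and ("random", (alphabet, n)) parts."""
    parts: List[Tuple[str, object]] = []
    pos = 0
    for m in _RANDOM_PART.finditer(pattern):
        if m.start() > pos:
            parts.append(("fix", pattern[pos:m.start()]))
        name, n = m.group(1), int(m.group(2))
        if n < 1:
            raise ValueError(f"number_of_characters must be positive in {m.group(0)!r}")
        parts.append(("random", (name, n)))
        pos = m.end()
    if pos < len(pattern):
        parts.append(("fix", pattern[pos:]))
    for kind, value in parts:             # a '{' outside a random part is a syntax error
        if kind == "fix" and "{" in value:
            raise ValueError(f"malformed random part in pattern {pattern!r}")
    return parts


def _alphabet(name: str, custom: Optional[Dict[str, str]]) -> str:
    table = {**BUILTIN_ALPHABETS, **(custom or {})}
    if name not in table:
        raise KeyError(f"unknown alphabet {name!r}")
    return table[name]


def generate(pattern: str, custom_alphabets: Optional[Dict[str, str]] = None) -> str:
    """Produces one identity; random parts are drawn with secrets, not random."""
    out = []
    for kind, value in parse_pattern(pattern):
        if kind == "fix":
            out.append(value)
        else:
            name, n = value
            alphabet = _alphabet(name, custom_alphabets)
            out.append("".join(secrets.choice(alphabet) for _ in range(n)))
    return "".join(out)


def looks_generated(pattern: str, value: str,
                    custom_alphabets: Optional[Dict[str, str]] = None) -> bool:
    """True if value has the shape the pattern describes (used to verify output)."""
    pos = 0
    for kind, part in parse_pattern(pattern):
        if kind == "fix":
            if not value.startswith(part, pos):
                return False
            pos += len(part)
        else:
            name, n = part
            alphabet = _alphabet(name, custom_alphabets)
            chunk = value[pos:pos + n]
            if len(chunk) != n or any(c not in alphabet for c in chunk):
                return False
            pos += n
    return pos == len(value)


def entropy_bits(pattern: str, custom_alphabets: Optional[Dict[str, str]] = None) -> float:
    """Guessing resistance of the random parts; fixed parts contribute nothing."""
    bits = 0.0
    for kind, value in parse_pattern(pattern):
        if kind == "random":
            name, n = value
            bits += n * math.log2(len(_alphabet(name, custom_alphabets)))
    return bits


if __name__ == "__main__":
    print(generate("user{digits:8}"), entropy_bits("user{digits:8}"))
    print(generate("OTP-{HEX:6}", {"HEX": "0123456789ABCDEF"}))
```

The entropy figure is the reason to prefer a wider alphabet or a longer random part for anything a user can guess at: {digits:6} yields about 20 bits, {distinct:5} about 29 bits, while the fixed prefix of user{digits:8} adds nothing.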

Customizable Password Policy

Description

Password policy validates a password against a list of predefined password policy checks. Each password policy check validates one requirement of the password.

Not all checks are applied in all situations (e.g. a check whether a password is too young to be changed is not applied during a mandatory password change).

Type name
CustomizablePasswordPolicy
Class
com.airlock.iam.core.misc.impl.authen.CustomizablePasswordPolicy
May be used by
Properties
Optional Policy Checks (optionalPolicyChecks)
Description
The list of optional password policy checks, of which at least 'Minimum Passed Optional Checks' must be fulfilled when setting a new password.
Attributes
Plugin-List
Optional
Assignable plugins
Minimum Passed Optional Checks (minimumPassedOptionalChecks)
Description
The minimal amount of passed optional checks.
Attributes
Integer
Optional
Default value
0
YAML Template (with default values)

type: CustomizablePasswordPolicy
id: CustomizablePasswordPolicy-xxxxxx
displayName: 
comment: 
properties:
  minimumPassedOptionalChecks: 0
  optionalPolicyChecks:
  policyChecks:
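
An evaluator for a policy of this shape, as an added example that is not Airlock IAM code: a list of checks that must all pass, a list of optional checks of which a minimum number must pass, and a flag for checks that are skipped in some situations (the description's example of a minimum password age during a mandatory change). The individual checks, their names, the situation flag and the sample thresholds are assumptions; the YAML template's policyChecks property is taken to be the mandatory list.

```python
# Added example (not Airlock IAM code): evaluation of a customizable password
# policy with mandatory checks and a minimum number of optional checks. The
# checks, their names and the "mandatory change" flag are assumptions; the
# template's policyChecks property is taken to be the mandatory list.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A check sees the candidate password and a context with facts about the
# account (constructed here: the age of the current password in days).
Check = Callable[[str, Dict[str, object]], bool]


@dataclass(frozen=True)
class PolicyCheck:
    name: str
    passes: Check
    # Not every check applies in every situation: a minimum password age is
    # pointless when the user is forced to change the password anyway.
    applies_on_mandatory_change: bool = True


@dataclass
class PolicyResult:
    accepted: bool
    failed_mandatory: List[str]
    passed_optional: int


def evaluate_policy(password: str, policy_checks: List[PolicyCheck],
                    optional_checks: List[PolicyCheck], minimum_passed_optional: int,
                    context: Dict[str, object], mandatory_change: bool = False) -> PolicyResult:
    def active(check: PolicyCheck) -> bool:
        return check.applies_on_mandatory_change or not mandatory_change

    failed = [c.name for c in policy_checks if active(c) and not c.passes(password, context)]
    passed = sum(1 for c in optional_checks if active(c) and c.passes(password, context))
    return PolicyResult(not failed and passed >= minimum_passed_optional, failed, passed)


# Constructed sample policy: at least 12 characters, not changed again within a
# day (unless the change is mandatory), and three of four character classes.
POLICY_CHECKS = [
    PolicyCheck("min-length-12", lambda pw, ctx: len(pw) >= 12),
    PolicyCheck("not-too-young", lambda pw, ctx: int(ctx.get("password_age_days", 0)) >= 1,
                applies_on_mandatory_change=False),
]
OPTIONAL_CHECKS = [
    PolicyCheck("lowercase", lambda pw, ctx: re.search(r"[a-z]", pw) is not None),
    PolicyCheck("uppercase", lambda pw, ctx: re.search(r"[A-Z]", pw) is not None),
    PolicyCheck("digit", lambda pw, ctx: re.search(r"[0-9]", pw) is not None),
    PolicyCheck("special", lambda pw, ctx: re.search(r"[^A-Za-z0-9]", pw) is not None),
]
MINIMUM_PASSED_OPTIONAL = 3


def check_password(password: str, context: Optional[Dict[str, object]] = None,
                   mandatory_change: bool = False) -> PolicyResult:
    return evaluate_policy(password, POLICY_CHECKS, OPTIONAL_CHECKS,
                           MINIMUM_PASSED_OPTIONAL, context or {}, mandatory_change)


if __name__ == "__main__":
    print(check_password("correct-horse-battery", {"password_age_days": 5}))
    print(check_password("Correct-Horse-Battery9", {"password_age_days": 0}, mandatory_change=True))
```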

Data Sources

Description
Configures data sources (e.g. databases or directories) for the following data (excerpt):
  • User data
  • Token data

Note that data sources for some tokens are configured directly in the corresponding token-specific settings.

Type name
GlobalPersisterSettings
Class
com.airlock.iam.core.misc.plugin.config.GlobalPersisterSettings
May be used by
Properties
User Data Source (userStore)
Description
Data source (e.g. database or directory) to access user related data.
Attributes
Plugin-Link
Optional
Assignable plugins
Token Data Source (tokenDataSource)
Description
Data source (e.g. database or directory) to read and write token related data.
Attributes
Plugin-Link
Optional
Assignable plugins
User Trail Data Source (userTrailDataSource)
Description

Configures the global settings to persist user trail log messages across all modules.

If defined, user trail logs are additionally forwarded to the referenced repository. This does not affect writing messages to the respective module log files.

Attributes
Plugin-Link
Optional
Assignable plugins
Device Usage Data Source (deviceUsageDataSource)
Description
Data source to read and write device usage related data.
Attributes
Plugin-Link
Optional
Assignable plugins
Accepted SSO Tickets Repository (acceptedSsoTicketRepository)
Description

Configures the repository used to store accepted SSO tickets and reject previously accepted ones.

The in-memory repository cannot be used if multiple instances of IAM are deployed in parallel (failover, horizontal scaling). Furthermore, the in-memory repository does not preserve previously accepted SSO tickets across IAM restarts.

Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: GlobalPersisterSettings
id: GlobalPersisterSettings-xxxxxx
displayName: 
comment: 
properties:
  acceptedSsoTicketRepository:
  deviceUsageDataSource:
  tokenDataSource:
  userStore:
  userTrailDataSource:

Database Credential Persister

Description
Configurable credential persister and iterator using a database table as credential-repository.

The database is accessed via JDBC. It fetches the data of a user by directly executing a prepared statement. Making changes persistent is achieved by multiple update statement executions on the user record within a transaction.
This plug-in is very flexible in that it allows you to specify extra where clauses and search filters to select the set of credential records.

Note: This persister also supports iteration over credentials.

How this plug-in finds a credential record

There are two ways in which this plugin finds a credential record for reading, updating and deleting data. The credential record is always fetched with a select statement, given a primary key and applying the configured filters (additional where clause). The two variants differ in how the primary key is determined:
  1. The primary key for selecting the credential record is the username itself. This is by far the most common and most efficient method to obtain credential data.
  2. The primary key is determined by a separate query including the username. The query can be configured. This way of selecting the credential record is more flexible but results in an additional select statement.
Type name
DatabaseCredentialPersister
Class
com.airlock.iam.core.misc.impl.persistency.db.DatabaseCredentialPersister
May be used by
Properties
SQL Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Credential Table Name (credentialTableName)
Description
The name of the database table containing the credential data (and often also user data).
Attributes
String
Mandatory
Suggested values
medusa_user, medusa_token
Col User Name (colUserName)
Description
The name of the database column with the username. This column is used to search the credential given the user's name.
Attributes
String
Mandatory
Suggested values
username
User Name Resolve Query (userNameResolveQuery)
Description
An SQL query that returns a primary key for the user table given the user name.
Such a query is useful if the username (used on the login page) is not part of the user table.
Given the username, the query must return one value that can be used as primary key in the user table. The query must contain one question mark (?), which is substituted by the username (a string).

If the query returns no records, it results in the user not being found.
If the query returns more than one record, it results in the username being ambiguous.

If this property is not defined, the username itself is used as primary key in the user table (the usual and efficient way).

Note: If this property is defined, credential insertion by this plugin is no longer possible.

Attributes
String
Optional
Example
SELECT u.id FROM user u, person p WHERE p.id = u.person_id and p.contractId = ?
Col Binary Credential Data (colBinaryCredentialData)
Description
The name of the database column with the current credential data's binary credential data. This database field must be able to store the appropriate amount of binary data (depending on the credential). The data type of this column is expected to be BYTE or VARBYTE.
The presence of this property indicates that the credential data is stored in binary form and not in string form. If this property is set, this class returns (and expects) instances of CredentialBean returning false in method "CredentialBean.isCredentialDataStringType()".
You cannot specify both this property and property "col-string-credential-type".
Attributes
String
Optional
Example
tokenSeed
Example
tanHashes
Example
token_list
Col String Credential Data (colStringCredentialData)
Description
The name of the database column with the current credential data's string type credential data. This database field must be able to store the appropriate amount of string data (depending on the credential). The data type of this column is expected to be VARCHAR or CHAR.
The presence of this property indicates that the credential data is stored as string and not in binary form. If this property is set, this class returns (and expects) instances of CredentialBean returning true in method "CredentialBean.isCredentialDataStringType()".
You cannot specify both this property and property "col-binary-credential-type".
Attributes
String
Optional
Suggested values
mtan_number, cert_subject_cn, oathotp_data, securid_user, secovid_data, remember_me_secret
Col Credential Serial (colCredentialSerial)
Description
The name of the database column with the current credential data's serial number. This database field must be able to store the appropriate amount of string data (depending on the credential). The data type of this column is expected to be VARCHAR or CHAR.
Attributes
String
Optional
Suggested values
cert_serial, oathotp_serial, securid_serial, secovid_serial
Col Credential Not Active After (colCredentialNotActiveAfter)
Description
The name of the database column indicating the point in time after which the current credential is no longer considered active. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Example
active_until
Example
tokenExpiryDate
Col Credential Not Active Before (colCredentialNotActiveBefore)
Description
The name of the database column indicating the point in time before which the current credential is not yet considered active. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Example
tokenActivationDate
Example
valid_since
Col Credential Delivery Date (colCredentialDeliveryDate)
Description
The name of the database column with the date and time of the latest credential delivery. This column type is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
mtan_del_date, cert_del_date, oathotp_del_date
Col Credential Generation Date (colCredentialGenerationDate)
Description
The name of the database column with the date and time of the latest credential generation or assignment. This column type is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
mtan_ass_date, cert_ass_date, oathotp_gen_date, remember_me_gen_date
Col Next Binary Credential Data (colNextBinaryCredentialData)
Description
The name of the database column with the next credential data's binary credential data. This database field must be able to store the appropriate amount of binary data (depending on the credential). The data type of this column is expected to be BYTE or VARBYTE.
The presence of this property indicates that the credential data is stored in binary form and not in string form. If this property is set, this class returns (and expects) instances of CredentialBean returning false in method "CredentialBean.isCredentialDataStringType()".
You cannot specify both this property and property "col-string-credential-type".
Attributes
String
Optional
Example
tokenSeed
Example
tanHashes
Example
token_list
Col Next String Credential Data (colNextStringCredentialData)
Description
The name of the database column with the next credential data's string type credential data. This database field must be able to store the appropriate amount of string data (depending on the credential). The data type of this column is expected to be VARCHAR or CHAR.
The presence of this property indicates that the credential data is stored as string and not in binary form. If this property is set, this class returns (and expects) instances of CredentialBean returning true in method "CredentialBean.isCredentialDataStringType()".
You cannot specify both this property and property "col-binary-credential-type".
Attributes
String
Optional
Example
tokenUserInAce
Example
bas64TanHash
Col Next Credential Serial (colNextCredentialSerial)
Description
The name of the database column with the next credential data's serial number. This database field must be able to store the appropriate amount of string data (depending on the credential). The data type of this column is expected to be VARCHAR or CHAR.
Attributes
String
Optional
Example
serial
Example
token_serial
Col Next Credential Not Active After (colNextCredentialNotActiveAfter)
Description
The name of the database column indicating the point in time after which the next credential is no longer considered active. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Example
active_until
Example
tokenExpiryDate
Col Next Credential Not Active Before (colNextCredentialNotActiveBefore)
Description
The name of the database column indicating the point in time before which the next credential is not yet considered active. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Example
tokenActivationDate
Example
valid_since
Col Next Credential Delivery Date (colNextCredentialDeliveryDate)
Description
The name of the database column with the date and time of the (latest) delivery of the next credential item. This column type is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Example
latest_token_delivery
Example
card_letter_delivery
Col Next Credential Generation Date (colNextCredentialGenerationDate)
Description
The name of the database column with the date and time of the latest generation or assignment of the next credential item. This column type is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Example
matrix_letter_generation
Example
card_assignment_date
Col Credential Active (colCredentialActive)
Description
The name of the database column with the flag indicating whether the credential is active or not. This field refers to the 'type' of credential for the user, not to a particular instance. If a current and a next credential data item exist for this credential type, deactivating this field concerns both credential data items. If only one credential data item should be deactivated, the fields not-active-before and not-active-after are required. Inactive credentials may not be used by the callers. This column type is either CHAR or NUMBER. The value "0" (zero) is treated as false, any other value is treated as true.
If the column is not specified, all credentials are considered to be active.
Attributes
String
Optional
Example
active
Example
tokenActive
Col Other Credentials Delivery Timestamps (colOtherCredentialsDeliveryTimestamps)
Description
Comma-separated list of column names with the delivery dates of other credentials. This information may be used in order to delay the delivery time for credentials so no two credentials of the same user are delivered the same day.
Attributes
String
Optional
Example
password_delivery
Example
password_delivery,iak_delivery
Col Credential Ordered Flag (colCredentialOrderedFlag)
Description
The name of the database column with the flag indicating whether a new credential should be generated or assigned for the user. This column type is either CHAR or NUMBER. The value "0" is treated as false, any other value is treated as true.
Attributes
String
Optional
Suggested values
mtan_order_new, cert_order_new, oathotp_order_new
Col Credential Ordered User (colCredentialOrderedUser)
Description
The name of the database column with the user by whom the new credential was ordered to be generated or assigned for the user. This column type is either CHAR or VARCHAR.
Attributes
String
Optional
Suggested values
mtan_order_user, cert_order_user, oathotp_order_user
Col Credential Ordered Date (colCredentialOrderedDate)
Description
The name of the database column with the date of when the new credential was ordered to be generated or assigned for the user. This column type is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
mtan_order_date, cert_order_date, oathotp_order_date
Additional Where Clause (additionalWhereClause)
Description
Optional SQL query part that is added to the where clause when searching the credentials by user name.
The SQL query without an additional where clause is "SELECT * FROM credential-table WHERE colusername = 'username'" (the real values for "credential-table" and "colusername" are taken from the configuration, and "username" is taken from the credential object).
The SQL query with an additional where clause "xyz" is: "SELECT * FROM credential-table WHERE colusername = 'username' AND xyz".

Example: If the value of this configuration setting is "GROUP = 'a' AND COD = 1", the resulting query is "SELECT * FROM credential-table WHERE colusername = 'username' AND GROUP = 'a' AND COD = 1".

Attributes
String
Optional
Example
deleted = 0
Example
group = 'remoteUsers' AND verified = 1
Search Condition Query (searchConditionQuery)
Description
A way to limit the set of valid credential records with an arbitrary SQL query. (See also configuration property "additional-where-clause": it offers a different, slightly more efficient but less powerful way to limit the set of valid credential records).

After the credential has been found by username (and matching the optional additional where clause as specified by configuration property "additional-where-clause") the query specified by this configuration property is executed.
If the result of the query is "true" or "1", the credential record is considered valid. In all other cases, the credential record is not valid, i.e. the behaviour is as if the record did not exist.

The value of this configuration property can be empty (no effect) or any valid SQL query. You can use values of the user record (Record selected from table specified by configuration property "user-table-name" by user name and optionally additional where clause) in the query as follows: ${xxx} references the field (column) "xxx" from the selected user record.

Example:
In our example the selected user record has the following values (column name = value): user_id = 'freddy', person_no = 13, ... Further, there is a different database table "PERSON" which is referenced by the user table. The table "PERSON" has a column of type boolean called "valid" which indicates whether a person record is valid or not.
Consider the following value for this configuration property: SELECT p.valid FROM PERSON p WHERE p.person_no = ${person_no}
When looking for the user record (given the username and matching the optional additional where clause), the above query is executed with ${person_no} substituted by the value 13 of field "person_no" of the selected user record.

Attributes
String
Optional
Example
SELECT p.valid FROM PERSON p WHERE p.person_no = ${person_no}
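The following is an added example, not Airlock IAM code, that replays the lookup rules described above for the Database Credential Persister: the two ways of determining the primary key (the username itself, or the User Name Resolve Query with its "not found" and "ambiguous" outcomes), the Additional Where Clause appended to the select, and the Search Condition Query whose ${xxx} references are taken from the selected record. It runs against an in-memory SQLite database with constructed tables and rows; the YAML property names are reused as configuration keys, and the exact SQL text and the use of bound parameters are assumptions of the example, not a description of the plugin's implementation.

```python
"""Model of how the Database Credential Persister locates a credential record.
Added example, not Airlock IAM code: it replays the lookup rules in the reference
(optional user-name resolve query, additional where clause, search condition query
with ${column} references) against an in-memory SQLite database with constructed
data. YAML property names are reused as configuration keys; the exact SQL text and
the use of bound parameters are assumptions of this example."""
import re
import sqlite3
from dataclasses import dataclass
from typing import Optional


class AmbiguousUserError(Exception):
    """The user-name resolve query returned more than one primary key."""


@dataclass
class PersisterConfig:
    credentialTableName: str
    colUserName: str
    userNameResolveQuery: Optional[str] = None
    additionalWhereClause: Optional[str] = None
    searchConditionQuery: Optional[str] = None


def resolve_primary_key(conn, cfg, username):
    """Variant 2: a separate query maps the login name to the primary key;
    the single '?' in the configured query is bound to the username."""
    rows = conn.execute(cfg.userNameResolveQuery, (username,)).fetchall()
    if not rows:
        return None                         # user not found
    if len(rows) > 1:
        raise AmbiguousUserError(username)  # username is ambiguous
    return rows[0][0]


def find_credential(conn, cfg, username):
    """Return the credential record as a dict, or None if it does not exist, is
    filtered out by the additional where clause, or fails the search condition."""
    conn.row_factory = sqlite3.Row
    # 1. Primary key: the username itself (variant 1) or resolved by a query (variant 2).
    if cfg.userNameResolveQuery:
        key = resolve_primary_key(conn, cfg, username)
        if key is None:
            return None
    else:
        key = username
    # 2. Select by key. Table, column and additional where clause are trusted
    #    configuration spliced into the statement; the key is bound as a parameter.
    sql = f"SELECT * FROM {cfg.credentialTableName} WHERE {cfg.colUserName} = ?"
    if cfg.additionalWhereClause:
        sql += f" AND {cfg.additionalWhereClause}"
    row = conn.execute(sql, (key,)).fetchone()
    if row is None:
        return None
    record = dict(row)
    # 3. Search condition: each ${col} refers to column "col" of the selected record.
    #    This model binds those values as parameters rather than substituting text.
    if cfg.searchConditionQuery:
        params = []

        def bind(match):
            params.append(record[match.group(1)])
            return "?"

        condition_sql = re.sub(r"\$\{(\w+)\}", bind, cfg.searchConditionQuery)
        result = conn.execute(condition_sql, params).fetchone()
        if result is None or str(result[0]).lower() not in ("true", "1"):
            return None                     # behaves as if the record did not exist
    return record


def lookup_outcome(conn, cfg, username):
    """Classify a lookup into the three outcomes named in the reference."""
    try:
        record = find_credential(conn, cfg, username)
    except AmbiguousUserError:
        return "ambiguous"
    return "found" if record else "not found"


def build_sample_db():
    """Constructed sample data: a person table referenced by the token table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE person (person_no INTEGER PRIMARY KEY, contractId TEXT, valid INTEGER);
        CREATE TABLE medusa_token (user_id TEXT PRIMARY KEY, person_no INTEGER,
                                   oathotp_data TEXT, deleted INTEGER);
        INSERT INTO person VALUES (13, 'C-100', 1), (14, 'C-200', 0),
                                  (15, 'C-300', 1), (16, 'C-300', 1);
        INSERT INTO medusa_token VALUES ('freddy', 13, 'seed-f', 0), ('gina', 14, 'seed-g', 0),
                                        ('hal', 15, 'seed-h', 1), ('ian', 16, 'seed-i', 0);""")
    return conn


# Variant 1: the login name is the primary key of the token table.
DIRECT_CFG = PersisterConfig("medusa_token", "user_id", additionalWhereClause="deleted = 0")
# Variant 2: users log in with a contract id that only exists in the person table.
RESOLVE_CFG = PersisterConfig(
    "medusa_token", "user_id",
    userNameResolveQuery="SELECT u.user_id FROM medusa_token u, person p "
                         "WHERE p.person_no = u.person_no AND p.contractId = ?",
    additionalWhereClause="deleted = 0",
    searchConditionQuery="SELECT p.valid FROM person p WHERE p.person_no = ${person_no}")
```

With the constructed data, lookup_outcome(conn, RESOLVE_CFG, "C-100") is "found" (person 13 is valid), "C-200" is "not found" because the search condition returns 0, "C-300" is "ambiguous" because two token records share that contract id, and lookup_outcome(conn, DIRECT_CFG, "hal") is "not found" because the additional where clause "deleted = 0" filters the soft-deleted record out. Keeping the where clause and search condition in trusted configuration, and binding every per-request value (the username, the ${xxx} values) as a statement parameter, is the design choice this model makes; the reference itself only states that ${xxx} is substituted.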
Additional Iterator Where Clause (additionalIteratorWhereClause)
Description
Same as property "additional-where-clause" except that it is used as where part when iterating over the credentials.
Attributes
String
Optional
Example
deleted = 0
Example
group = 'remoteUsers' AND verified = 1
Iterator Query (iteratorQuery)
Description
This query is used to get all user ids (or all matching user ids) instead of the default generated query defined by the user table, the username column and the context data fields.

Specifying such a query is only necessary if the username cannot be used as primary key in the user table (this is only the case if property "user-name-resolve-query" is specified).

The query must return one-column records, i.e. one username (user id) per row.

Note that this query is used both when returning all user ids and when returning only matching user ids (filtered by the user). Thus, the query must be such that LIKE-clauses against context data columns work. This usually means that you must join the result with the user table (even if the user id is not read from the user table) so the LIKE-clauses can access the context data of the user table. Failing to do so will result in runtime SQL syntax exceptions!

Note: If this property is specified, additional-iterator-clauses and the deleted flag are ignored. They must be part of the query itself!

Attributes
String
Optional
Example
SELECT p.id from PERSON p, User u where u.person_id = p.id
Context Data Items (contextDataItems)
Description
A list of context data items that are fetched and returned to the caller together with the credential.
Attributes
Plugin-List
Optional
Assignable plugins
Additional Context Data (additionalContextData)
Description
This selector allows reading context data from other tables by executing the specified query. The selector of this configuration property specifies the name of the context data variable to be read. The value of this configuration property may be empty (no effect) or any valid SQL query. You can use the values of the user record (the record selected from the table specified by property user-table-name by user name) in the query as follows: ${xxx} refers to the field (column) xxx of the selected user record.

Note: These context data values are read only! When fetching credential records, the query will be executed for each credential and the values will be added to the context data container. Modified, new or deleted values will not be written when credential records are updated.

Also note that context data fields defined in configuration property context-data-columns override corresponding entries in this property.

Example:
SELECT p.mobile_no FROM person p WHERE p.person_no = ${person_no}

Attributes
Plugin-List
Optional
Assignable plugins
Col Deleted (colDeleted)
Description
The name of a binary column that marks a record as deleted. A record that has been marked as deleted is no longer found by the persister.
Note: If a credential is deleted and this property is defined, the record is marked as deleted and not actually removed from the database! If this property is not defined and a credential is deleted, the record is deleted from the database. The type of this column is either CHAR or NUMBER. The value "0" is treated as not deleted, any other value is treated as deleted.
Attributes
String
Optional
Suggested values
deleted
Col Version Id (colVersionId)
Description
Name of a database column containing a numerical version id that is automatically incremented by one when a record is changed.
Such a technical column is used by some applications or libraries (such as Hibernate) to implement optimistic locking.

Note that this plugin still uses its own data-based optimistic locking mechanism. It just increments the value within a transaction in order to be compliant with other components' locking mechanisms.

The column must be of an integer type. Usually a long type is used.

Attributes
String
Optional
Suggested values
rowVersionId
Col Record Modification Date (colRecordModificationDate)
Description
Name of a database column with the date and time this record was modified. The timestamp is written by this plugin at the time the record is modified by this plugin.

The type of the column must be compatible with a timestamp.

Note that - if configured (see separate property) - user information may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowUpdateDate
Col Record Modification User (colRecordModificationUser)
Description
Name of a database column with the name of the system that modified the record. The name is determined by configuration property "record-modification-user" and is written by this plugin at the time the record is modified by this plugin.

Note that - if configured (see separate property) - the modification date may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowUpdateUser
Record Modification User (recordModificationUser)
Description
Specifies a string (typically the name associated with the system using this plugin) that is written to the database fields specified by properties "col-record-insertion-user" and "col-record-modification-user" when this plugin creates or modifies a user record.
Attributes
String
Optional
Suggested values
AirlockIAM
YAML Template (with default values)

type: DatabaseCredentialPersister
id: DatabaseCredentialPersister-xxxxxx
displayName: 
comment: 
properties:
  additionalContextData:
  additionalIteratorWhereClause:
  additionalWhereClause:
  colBinaryCredentialData:
  colCredentialActive:
  colCredentialDeliveryDate:
  colCredentialGenerationDate:
  colCredentialNotActiveAfter:
  colCredentialNotActiveBefore:
  colCredentialOrderedDate:
  colCredentialOrderedFlag:
  colCredentialOrderedUser:
  colCredentialSerial:
  colDeleted:
  colNextBinaryCredentialData:
  colNextCredentialDeliveryDate:
  colNextCredentialGenerationDate:
  colNextCredentialNotActiveAfter:
  colNextCredentialNotActiveBefore:
  colNextCredentialSerial:
  colNextStringCredentialData:
  colOtherCredentialsDeliveryTimestamps:
  colRecordModificationDate:
  colRecordModificationUser:
  colStringCredentialData:
  colUserName:
  colVersionId:
  contextDataItems:
  credentialTableName:
  iteratorQuery:
  recordModificationUser:
  searchConditionQuery:
  sqlDataSource:
  userNameResolveQuery:

Database Field

Description
Name-Value pair where the name represents the column of a db field.
Type name
DatabaseField
Class
com.airlock.iam.core.misc.impl.persistency.db.DatabaseField
May be used by
Properties
Column (column)
Description
The name of the db column.
Attributes
String
Mandatory
Example
column_name
Value (value)
Description
The value of the database field. Make sure to use single quotes when inserting string data.
Attributes
String
Mandatory
Example
13
Example
'foobar'
YAML Template (with default values)

type: DatabaseField
id: DatabaseField-xxxxxx
displayName: 
comment: 
properties:
  column:
  value:

Database Login History Repository

Description
Login History Repository for relational databases. Stores information about all successful logins for future risk evaluations. The database table name is expected to be "login_history", and "history_seq" is the expected sequence name for Oracle DBs.
Type name
DatabaseLoginHistoryRepository
Class
com.airlock.iam.common.application.configuration.loginhistory.DatabaseLoginHistoryRepositoryConfig
May be used by
Properties
SQL Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Max Number Of Entries (maxNumberOfEntries)
Description
The maximum number of login history entries to keep per user. It must be set high enough to accommodate all configured risk extractors.
Attributes
Integer
Optional
Default value
50
YAML Template (with default values)

type: DatabaseLoginHistoryRepository
id: DatabaseLoginHistoryRepository-xxxxxx
displayName: 
comment: 
properties:
  maxNumberOfEntries: 50
  sqlDataSource:

Database Maintenance Message Persister

Description

Database interface for persisting maintenance messages.

The database model is based on two database tables: the first stores message details such as validity period, system availability, etc., and the second stores the translations associated with the messages.

Type name
DatabaseMaintenanceMessagePersister
Class
com.airlock.iam.core.misc.impl.persistency.db.DatabaseMaintenanceMessagePersister
May be used by
Properties
SQL Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Cache Timeout (cacheTimeout)
Description
Specifies the number of seconds for which fetched maintenance messages are cached before the underlying database layer is asked again. Thus a maintenance message that becomes valid at point in time t may be deferred by at most n seconds.
Setting this property to 0 (zero) or omitting this property results in a direct call to the underlying database layer every time the provider is asked for a maintenance message.
Note that the usage of the location token "${location}" in the additional where clause of the message disables caching.
Attributes
Long
Optional
Default value
0
Message Table (messageTable)
Description
The name of the database table containing the maintenance messages.
Attributes
String
Mandatory
Suggested values
medusa_maint_msg
Message Col Name (messageColName)
Description
The name of the column holding the message name.
Attributes
String
Mandatory
Suggested values
name
Message Col System Available (messageColSystemAvailable)
Description
The name of the column that indicates if the system is available for this message.
Attributes
String
Mandatory
Suggested values
system_available
Message Col Active (messageColActive)
Description
The name of the column that indicates if the message is active.
Attributes
String
Mandatory
Suggested values
active
Message Col Valid From (messageColValidFrom)
Description
The name of the column that stores the message's valid-from date.
Attributes
String
Mandatory
Suggested values
valid_from
Message Col Valid To (messageColValidTo)
Description
The name of the column that stores the message's valid-to date.
Attributes
String
Mandatory
Suggested values
valid_to
Message Col Location (messageColLocation)
Description
The name of the column that stores the message's location identifier. A message may have a location or not. Messages with different locations are independent of each other.
Attributes
String
Optional
Suggested values
location
Message Col Version Id (messageColVersionId)
Description
Name of a database column containing a numerical version id that is automatically incremented by one when a record is changed. Such a technical column is used by some applications or libraries (such as Hibernate) to implement optimistic locking.

The column must be of an integer type. Usually a long type is used.

Attributes
String
Optional
Suggested values
rowVersionId
Message Col Record Insertion Date (messageColRecordInsertionDate)
Description
Name of a database column with the date and time this record was created. The timestamp is written by this plugin at the time the record is inserted by this plugin.

The type of the column must be compatible with a timestamp.

Note that - if configured (see separate property) - user information may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowInsertDate
Message Col Record Insertion User (messageColRecordInsertionUser)
Description
Name of a database column with the name of the system that inserted the record. The name is determined by configuration property "record-modification-user" and is written by this plugin at the time the record is inserted by this plugin.

Note that - if configured (see separate property) - the insertion date may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowInsertUser
Message Col Record Modification Date (messageColRecordModificationDate)
Description
Name of a database column with the date and time this record was modified. The timestamp is written by this plugin at the time the record is modified by this plugin.

The type of column must be compatible with a timestamp.

Note that - if configured (see separate property) - user information may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowUpdateDate
Message Col Record Modification User (messageColRecordModificationUser)
Description
Name of a database column with the name of the system that modified the record. The name is determined by configuration property "record-modification-user" and is written by this plugin at the time the record is modified by this plugin.

Note that - if configured (see separate property) - the modification date may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowUpdateUser
Message Additional Where Clause (messageAdditionalWhereClause)
Description
Optional SQL query condition that is added to the where clause when searching for, updating or deleting messages.
The SQL query without an additional where clause is something like SELECT * FROM message_table WHERE VALID_FROM <= now AND VALID_TO >= now.
The SQL query with an additional where clause xyz is: SELECT * FROM message_table WHERE VALID_FROM <= now AND VALID_TO >= now AND (xyz).

Note that this where clause may be overridden for the message lookup using property "Message Lookup Additional Where Clause".

Attributes
String
Optional
Example
GROUP = 'cus1' AND MANDATE = 'abc'
Example
deleted=0
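The following is an added example, not Airlock IAM code, that models the message lookup described under Cache Timeout and Message Additional Where Clause: a select over the validity window and the active flag, the additional where clause appended in parentheses, a cache that may delay a newly valid message by at most cacheTimeout seconds, and the rule that a "${location}" token in the where clause disables caching. The table and column names follow the suggested values above, the SQL text and the cache bookkeeping are assumptions of the example, time is passed in as epoch seconds so the behaviour is reproducible, and all message rows are constructed.

```python
"""Maintenance-message lookup with validity window, additional where clause and
cache timeout, modelled on the Database Maintenance Message Persister reference.
Added example, not Airlock IAM code: column names follow the reference's suggested
values, the SQL text and the caching rule are assumptions, and all message rows
are constructed. Time is passed in as epoch seconds so the cache is testable."""
import sqlite3
from dataclasses import dataclass
from typing import Optional


@dataclass
class MaintenanceMessageLookup:
    conn: sqlite3.Connection
    messageTable: str = "medusa_maint_msg"
    messageColName: str = "name"
    messageColActive: str = "active"
    messageColValidFrom: str = "valid_from"
    messageColValidTo: str = "valid_to"
    messageAdditionalWhereClause: Optional[str] = None
    cacheTimeout: int = 0            # seconds; 0 = ask the database every time
    db_calls: int = 0                # instrumentation for the example only
    _cache: Optional[tuple] = None   # (fetched_at, names)

    def _caching_enabled(self) -> bool:
        # Per the reference, "${location}" in the where clause disables caching.
        clause = self.messageAdditionalWhereClause or ""
        return self.cacheTimeout > 0 and "${location}" not in clause

    def _query(self, now: int, location: Optional[str]) -> list:
        sql = (f"SELECT {self.messageColName} FROM {self.messageTable} "
               f"WHERE {self.messageColActive} = 1 AND {self.messageColValidFrom} <= ? "
               f"AND {self.messageColValidTo} >= ?")
        params = [now, now]
        if self.messageAdditionalWhereClause:
            clause = self.messageAdditionalWhereClause
            # Bind the location instead of splicing it into the statement text.
            params += [location] * clause.count("${location}")
            sql += " AND (" + clause.replace("${location}", "?") + ")"
        sql += f" ORDER BY {self.messageColName}"
        self.db_calls += 1
        return [r[0] for r in self.conn.execute(sql, params)]

    def current_messages(self, now: int, location: Optional[str] = None) -> list:
        """Names of messages valid at 'now'; cached for cacheTimeout seconds when allowed,
        so a message that becomes valid at t may appear up to cacheTimeout seconds late."""
        if not self._caching_enabled():
            return self._query(now, location)
        if self._cache and now - self._cache[0] < self.cacheTimeout:
            return self._cache[1]
        names = self._query(now, location)
        self._cache = (now, names)
        return names


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample rows; validity bounds are epoch seconds."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE medusa_maint_msg (name TEXT, system_available INTEGER, active INTEGER,
                                       valid_from INTEGER, valid_to INTEGER, location TEXT);
        INSERT INTO medusa_maint_msg VALUES
            ('db-upgrade', 0, 1, 100, 200, 'ch'),
            ('new-login-page', 1, 1, 150, 300, 'ch'),
            ('old-notice', 1, 0, 100, 300, 'ch'),
            ('de-only', 1, 1, 100, 300, 'de');""")
    return conn
```

With cacheTimeout=30, a lookup at t=140 returns db-upgrade and de-only; a lookup at t=155 still returns the cached pair although new-login-page became valid at t=150, and only a lookup at t=171 (cache older than 30 seconds) hits the database again and includes it. Configuring messageAdditionalWhereClause="location = ${location}" makes every lookup go to the database, which is the trade-off the note on the location token describes.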
Translation Table (translationTable)
Description
The name of the database table containing the translations for the maintenance messages. Records in this table belong to a message table record (i.e. a foreign key to the message table).
Attributes
String
Mandatory
Suggested values
medusa_maint_msg_tnsl
Translation Col Message Ref (translationColMessageRef)
Description
The name of the column in the translation table that references messages (the referred column in the message table is the one specified by message-col-name).
Attributes
String
Mandatory
Suggested values
message_ref
Translation Col Language (translationColLanguage)
Description
The name of the column that holds the language of the translation.
Attributes
String
Mandatory
Suggested values
language
Translation Col Message (translationColMessage)
Description
The name of the column that holds the translated message.
Attributes
String
Mandatory
Suggested values
message
Translation Additional Where Clause (translationAdditionalWhereClause)
Description
Optional SQL query condition that is added to the where clause when searching for translations.
The SQL query without an additional where clause is something like SELECT * FROM translation_table WHERE language = 'en'.
The SQL query with an additional where clause xyz is: SELECT * FROM translation_table WHERE language = 'en' AND xyz.
Attributes
String
Optional
Example
GROUP = 'cus1' AND MANDATE = 'abc'
Example
deleted=0
Record Modification User (recordModificationUser)
Description
Specifies a string (typically the name associated with the system using this plugin) that is written to the database fields specified by properties "message-col-record-insertion-user" and "message-col-record-modification-user" when this plugin creates or modifies a record.
Attributes
String
Optional
Default value
Medusa
Suggested values
Airlock
Additional Insert Data (additionalInsertData)
Description
This property defines a list of name/value pairs used in insert statements when a new record is inserted.

This allows you to add arbitrary fixed or dynamic values when a new record is created. This is useful if some database fields may not be NULL but are not inserted by this plugin by default.

Caution: Make sure to appropriately escape values (e.g. use single quotes around strings). They are used as provided in the SQL insert statements. This allows calling database dependent functions (e.g. in order to get a sequence number, system date, etc.).

Attributes
Plugin-List
Optional
Assignable plugins
Additional Insert Data Translations (additionalInsertDataTranslations)
Description
This property defines a list of name/value pairs used in insert statements when a new record is inserted.

This allows you to add arbitrary fixed or dynamic values when a new record is created. This is useful if some database fields may not be NULL but are not inserted by this plugin by default.

Caution: Make sure to appropriately escape values (e.g. use single quotes around strings). They are used as provided in the SQL insert statements. This allows calling database dependent functions (e.g. in order to get a sequence number, system date, etc.).

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: DatabaseMaintenanceMessagePersister
id: DatabaseMaintenanceMessagePersister-xxxxxx
displayName: 
comment: 
properties:
  additionalInsertData:
  additionalInsertDataTranslations:
  cacheTimeout: 0
  messageAdditionalWhereClause:
  messageColActive:
  messageColLocation:
  messageColName:
  messageColRecordInsertionDate:
  messageColRecordInsertionUser:
  messageColRecordModificationDate:
  messageColRecordModificationUser:
  messageColSystemAvailable:
  messageColValidFrom:
  messageColValidTo:
  messageColVersionId:
  messageTable:
  recordModificationUser: Medusa
  sqlDataSource:
  translationAdditionalWhereClause:
  translationColLanguage:
  translationColMessage:
  translationColMessageRef:
  translationTable:

Database Sequence Generator

Description

Sequence generator storing the sequence number in a database.

Type name
DatabaseSequenceGenerator
Class
com.airlock.iam.core.misc.util.report.barcode.DatabaseSequenceGenerator
May be used by
Properties
Sql Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Sequence Name (sequenceName)
Description
The name of the sequence. It must be a unique value in the column specified by property "Column Sequence Name".
Attributes
String
Mandatory
Example
Sendungsnummer01
Example
SEQ-A
Table Name (tableName)
Description
The name of the table where the sequence is stored.
Attributes
String
Optional
Default value
SEQUENCES
Example
SEQUENCES
Example
COUNTERS
Column Sequence Name (columnSequenceName)
Description
The name of the column holding the sequence name.
Attributes
String
Optional
Default value
NAME
Example
ID
Example
NAME
Column Sequence Number (columnSequenceNumber)
Description
The name of the column holding the sequence number. The column must be of a numeric type.
Attributes
String
Optional
Default value
STATE
Example
STATE
YAML Template (with default values)

type: DatabaseSequenceGenerator
id: DatabaseSequenceGenerator-xxxxxx
displayName: 
comment: 
properties:
  columnSequenceName: NAME
  columnSequenceNumber: STATE
  sequenceName:
  sqlDataSource:
  tableName: SEQUENCES

Database Token List Persister

Description
Highly configurable persister using a relational database as repository for token lists. The database is accessed via JDBC. It fetches the data of a user by directly executing a prepared statement. Making changes persistent is achieved by multiple update statement executions on the token list record within a transaction.
This plug-in allows you to specify extra where clauses and search filters to select the set of users.

How this plug-in finds a user record

There are two ways in which this plugin finds a user record for getting, updating and deleting user data. The user record is always fetched using a select statement given a primary key and applying the configured filters (additional where clause). The two variants differ in how the primary key is determined:
  1. The primary key for selecting the user record is the username itself. This is by far the most common and most efficient method to obtain user data.
  2. The primary key is determined by a separate query including the username. The query can be configured. This way of selecting the user record is more flexible but results in an additional select statement.

Estimate for the Length of the Token List Database Field

The length of the encoded token hash list depends mainly on the number of unused tokens in the list, the used hash function and the encoding of the list.

Here is an example using the SHA1PasswordHash as hash function (which produces 40 bytes for each token) together with the hashed token list encoding used by this persister implementation (actually it is the encoding provided by TokenListHasher#hashedTokenListToBytes(HashedTokenList)):
Each unused token uses 40 bytes for the hash value, 4 bytes for the index and 4 bytes for the length of the hash value, thus 48 bytes. Due to the nature of the hash function, these figures are independent of the length of the tokens.
Additionally, the encoded list holds the number of tokens (when the list was new) in 4 bytes, the length of the identification string in 4 bytes, the identification string of arbitrary length and the generation timestamp in 8 bytes. This makes another 16 bytes excluding the identification string.
If the list has 100 tokens and the identification string is 20 bytes at most, this makes 100 * 48 + 16 + 20 = 4836 bytes.
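The estimate above carried out in Python, as an added example that is not Airlock IAM code: the encoder follows the layout the description gives and is an assumption about, not a copy of, the real TokenListHasher format, and hash_token stands in for SHA1PasswordHash as hex-encoded SHA-1. Beyond the page's SHA-1 case, estimate_field_length also sizes the column for other hash output lengths.

```python
import hashlib
import struct

SHA1_HEX_LEN = 40  # SHA1PasswordHash yields 40 bytes per token (figure from the page)


def hash_token(token):
    """Stand-in for SHA1PasswordHash: hex-encoded SHA-1, 40 bytes (assumption)."""
    return hashlib.sha1(token.encode("utf-8")).hexdigest().encode("ascii")


def encode_hashed_token_list(total_tokens, identification, generated_at_ms, unused):
    """Encode a hashed token list using the layout the page describes.

    Assumed layout (not the real TokenListHasher#hashedTokenListToBytes format):
    4-byte token count, 4-byte id length, id bytes, 8-byte generation timestamp,
    then per unused token a 4-byte index, a 4-byte hash length and the hash bytes.
    """
    out = bytearray(struct.pack(">I", total_tokens))
    out += struct.pack(">I", len(identification)) + identification
    out += struct.pack(">q", generated_at_ms)
    for index, token_hash in unused:
        out += struct.pack(">II", index, len(token_hash)) + token_hash
    return bytes(out)


def estimate_field_length(unused_tokens, hash_len=SHA1_HEX_LEN, id_len=20):
    """Worst-case column size: every token still unused, id string at its maximum."""
    per_token = hash_len + 4 + 4          # hash bytes + index + hash length
    header = 4 + 4 + 8                    # token count + id length + timestamp
    return unused_tokens * per_token + header + id_len


def sample_encoded_length(num_tokens=100, id_len=20):
    """Encode a constructed, completely unused list and measure it."""
    identification = b"X" * id_len                       # constructed id string
    unused = [(i, hash_token(f"token-{i:03d}")) for i in range(num_tokens)]
    encoded = encode_hashed_token_list(num_tokens, identification, 1_700_000_000_000, unused)
    return len(encoded)


if __name__ == "__main__":
    print("estimate (SHA-1 hex, 100 tokens, 20-byte id):", estimate_field_length(100))
    print("measured:", sample_encoded_length())
    print("estimate for a 64-byte hex hash:", estimate_field_length(100, hash_len=64))
```

The measured and estimated lengths agree, which is what makes the estimate usable for sizing the binary column.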

Type name
DatabaseTokenListPersister
Class
com.airlock.iam.core.misc.impl.persistency.db.DatabaseTokenListPersister
May be used by
Properties
SQL Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Token List Table Name (tokenListTableName)
Description
The name of the database table containing the token lists (and often also user data).
Attributes
String
Mandatory
Suggested values
medusa_user
Col User Name (colUserName)
Description
The name of the database column with the username. This column is used to search the token list given the user's name.
Attributes
String
Mandatory
Suggested values
username
User Name Resolve Query (userNameResolveQuery)
Description
An SQL query that returns a primary key for the user table given the user name.
Such a query is useful if the username (used on the login page) is not part of the user table.
The query must be such that - given the username - it returns one value that can be used as primary key in the user table. The query must contain one question mark (?) which will be substituted by the username (a string).

If the query returns no records, it results in the user not being found.
If the query returns more than one record, it results in the username being ambiguous.

If this property is not defined, the username itself is used as primary key in the user table (the usual and efficient way).

Note: If this property is defined, user insertion by this plugin is no longer possible.

Attributes
String
Optional
Example
SELECT u.id FROM user u, person p WHERE p.id = u.person_id and p.contractId = ?
Col Token List (colTokenList)
Description
The name of the database column holding binary token list data. The type of this database column must be able to hold binary data (see plugin description to estimate the size of this field).
Attributes
String
Mandatory
Suggested values
matrix_current_list
Col New Token List (colNewTokenList)
Description
The name of the database column holding binary token list data of the new (or next) token list. The type of this database column must be able to hold binary data (see plugin description to estimate the size of this field).
Attributes
String
Mandatory
Suggested values
matrix_next_list
Col Generation Time Stamp (colGenerationTimeStamp)
Description
The name of the database column with the timestamp of the latest token list generation. This column type is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
matrix_gen_date
Col Delivery Time Stamp (colDeliveryTimeStamp)
Description
The name of the database column with the timestamp of the latest token list delivery. This column type is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
matrix_del_date
Col Other Credentials Delivery Timestamps (colOtherCredentialsDeliveryTimestamps)
Description
Comma-separated list of column names with the delivery dates of other credentials. This information may be used in order to delay the delivery time for token lists so no two credentials of the same user are delivered the same day.
Attributes
String
Optional
Example
password_delivery
Example
tokenDeliveryTimestamp
Col List Active (colListActive)
Description
The name of the database column with the flag indicating whether the token list is active or not. Inactive token lists may not be used by the callers. This column type is either CHAR or NUMBER. The value "0" (zero) is treated as false, any other value is treated as true.
If the column is not specified, all token lists are considered to be active.
Attributes
String
Optional
Suggested values
active, matrix_active
Col Challenge Open Since (colChallengeOpenSince)
Description
Name of the database column with the timestamp of the start of an ongoing challenge. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
matrix_chal_open_since, MATRIX_CHAL_OPEN_SINCE
Col Unanswered Challenges (colUnansweredChallenges)
Description
Name of the database column with the number of unanswered challenges. The type of this column is NUMBER.
Attributes
String
Optional
Suggested values
matrix_open_chals, MATRIX_OPEN_CHALS
Col New List Ordered (colNewListOrdered)
Description
The name of the database column with the flag indicating whether a new token list should be generated for a user. This column type is either CHAR or NUMBER. The value "0" is treated as false, any other value is treated as true.
Attributes
String
Mandatory
Suggested values
matrix_order_new
Col New List Ordered User (colNewListOrderedUser)
Description
The name of the database column with the user by whom a new token list was ordered. This column type is VARCHAR.
Attributes
String
Optional
Suggested values
matrix_order_user
Col New List Ordered Date (colNewListOrderedDate)
Description
The name of the database column with date of when a new token list was ordered. This column type is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
matrix_order_date
Additional Where Clause (additionalWhereClause)
Description
Optional SQL query part that is added to the where clause when searching the token lists by user name.
The SQL query without an additional where clause is "SELECT * FROM token-list-table WHERE colusername = 'username'" (real values for "token-list-table" and "colusername" are taken from the configuration and "username" is taken from the token list object).
The SQL query with an additional where clause "xyz" is: "SELECT * FROM token-list-table WHERE colusername = 'username' AND xyz".

Example: If the value of this configuration setting is "GROUP = 'a' AND COD = 1" the resulting query is "SELECT * FROM token-list-table WHERE colusername = 'username' AND GROUP = 'a' AND COD = 1"

Attributes
String
Optional
Example
deleted = 0
Example
group = 'remoteUsers' AND verified = 1
Additional Iterator Where Clause (additionalIteratorWhereClause)
Description
Same as property "additional-where-clause" except that it is used as where part when iterating over the token lists.
Attributes
String
Optional
Example
deleted = 0
Example
group = 'remoteUsers' AND verified = 1
Iterator Query (iteratorQuery)
Description
This query is used to get all user ids (or all matching user ids) instead of the default generated query defined by the user table, the username column and the context data fields.

Specifying such a query is only necessary if the username cannot be used as primary key in the user table (this is only the case if property "user-name-resolve-query" is specified).

The query must be such that it returns one-column records, one username (user id) per row.

Note that this query is used both when returning all user ids and when returning only matching user ids (filtered by the user). Thus, the query must be such that LIKE-clauses against context data columns work. This usually means that you must join the result with the user table (even if the user id is not read from the user table) so the LIKE-clauses can access the context data of the user table. Failing to do so will result in runtime SQL syntax exceptions!

Note: If this property is specified, additional-iterator-clauses and the deleted flag are ignored. They must be part of the query itself!

Attributes
String
Optional
Example
SELECT p.id from PERSON p, User u where u.person_id = p.id
Context Data Items (contextDataItems)
Description
A list of context data items that are fetched and returned to the caller together with the token list.
Attributes
Plugin-List
Optional
Assignable plugins
Col Version Id (colVersionId)
Description
Name of a database column containing a numerical version id that is automatically incremented by one when a record is changed.
Such a technical column is used by some applications or libraries (such as Hibernate) to implement optimistic locking.

Note that this plugin still uses its own data-based optimistic locking mechanism. It just increments the value within a transaction in order to be compliant with other components' locking mechanisms.

The column must be of an integer type. Usually a long type is used.

Attributes
String
Optional
Suggested values
rowVersionId
Col Record Modification Date (colRecordModificationDate)
Description
Name of a database column with the date and time this record was modified. The timestamp is written by this plugin at the time the record is modified by this plugin.

The type of the column must be compatible with a timestamp.

Note that - if configured (see separate property) - user information may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowUpdateDate
Col Record Modification User (colRecordModificationUser)
Description
Name of a database column with the name of the system that modified the record. The name is determined by configuration property "record-modification-user" and is written by this plugin at the time the record is modified by this plugin.

Note that - if configured (see separate property) - the modification date may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowUpdateUser
Record Modification User (recordModificationUser)
Description
Specifies a string (typically the name associated with the system using this plugin) that is written to the database fields specified by properties "col-record-insertion-user" and "col-record-modification-user" when this plugin creates or modifies a user record.
Attributes
String
Optional
Default value
Medusa
Suggested values
Airlock
YAML Template (with default values)

type: DatabaseTokenListPersister
id: DatabaseTokenListPersister-xxxxxx
displayName: 
comment: 
properties:
  additionalIteratorWhereClause:
  additionalWhereClause:
  colChallengeOpenSince:
  colDeliveryTimeStamp:
  colGenerationTimeStamp:
  colListActive:
  colNewListOrdered:
  colNewListOrderedDate:
  colNewListOrderedUser:
  colNewTokenList:
  colOtherCredentialsDeliveryTimestamps:
  colRecordModificationDate:
  colRecordModificationUser:
  colTokenList:
  colUnansweredChallenges:
  colUserName:
  colVersionId:
  contextDataItems:
  iteratorQuery:
  recordModificationUser: Medusa
  sqlDataSource:
  tokenListTableName:
  userNameResolveQuery:

Database Token Persister

Description

Defines the table and column names, as well as additional query settings for the Database Token Persister.

This persister handles both token and token assignment data.

Type name
DatabaseTokenPersister
Class
com.airlock.iam.core.misc.impl.persistency.token.DatabaseTokenPersister
May be used by
Properties
SQL Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Token Table (tokenTable)
Description
The name of the database table containing the tokens.
Attributes
String
Mandatory
Suggested values
token
Token Sequence (tokenSequence)
Description

The name of the database sequence providing primary keys (Oracle only).

If left empty, Airlock IAM expects the database to support auto-increment columns (SQL Server, MySQL).

Attributes
String
Optional
Suggested values
token_seq
Token Col Token Id (tokenColTokenId)
Description

The name of the column holding the token identity (primary key).

This column needs to be set to auto_increment (H2, MySQL, ...) or the database sequence name must be configured (Oracle).

Attributes
String
Mandatory
Suggested values
token_id
Token Col Type (tokenColType)
Description
The name of the column holding the token type.
Attributes
String
Mandatory
Suggested values
type
Token Col Serial Id (tokenColSerialId)
Description
The name of the column holding the token serial.
Attributes
String
Mandatory
Suggested values
serial_id
Token Col Active (tokenColActive)
Description
The name of the column holding the active flag.
Attributes
String
Mandatory
Suggested values
active
Token Col Activation Date (tokenColActivationDate)
Description
The name of the column holding the activation date.
Attributes
String
Mandatory
Suggested values
activation_date
Token Col Obsoletes Token Id (tokenColObsoletesTokenId)
Description

The name of the column holding the 'obsoletes_token' token reference (foreign key).

Stores a reference to the token that gets deactivated the next time this token is used.

Attributes
String
Mandatory
Suggested values
obsoletes_token_id
Token Col Validity Range Lower (tokenColValidityRangeLower)
Description
The name of the column holding the validity range lower bound.
Attributes
String
Mandatory
Suggested values
validity_range_lower
Token Col Validity Range Upper (tokenColValidityRangeUpper)
Description
The name of the column holding the validity range upper bound.
Attributes
String
Mandatory
Suggested values
validity_range_upper
Token Col Generation Date (tokenColGenerationDate)
Description
The name of the column holding the generation date.
Attributes
String
Mandatory
Suggested values
generation_date
Token Col First Usage Date (tokenColFirstUsageDate)
Description
The name of the column holding the first usage date.
Attributes
String
Mandatory
Suggested values
first_usage_date
Token Col Latest Usage Date (tokenColLatestUsageDate)
Description
The name of the column holding the latest usage date.
Attributes
String
Mandatory
Suggested values
latest_usage_date
Token Col Total Usages (tokenColTotalUsages)
Description
The name of the column holding the number of total usages.
Attributes
String
Mandatory
Suggested values
total_usages
Token Col Token Data (tokenColTokenData)
Description
The name of the column holding the token data.
Attributes
String
Mandatory
Suggested values
token_data
Token Col Activates Token Id (tokenColActivatesTokenId)
Description

The name of the column holding the 'activates_token' token reference (foreign key).

Stores a reference to the token that gets activated the next time this token is used.

Attributes
String
Mandatory
Suggested values
activates_token_id
Token Col Generic Data Element1 (tokenColGenericDataElement1)
Description
The name of the 1st column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_1
Token Col Generic Data Element2 (tokenColGenericDataElement2)
Description
The name of the 2nd column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_2
Token Col Generic Data Element3 (tokenColGenericDataElement3)
Description
The name of the 3rd column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_3
Token Col Generic Data Element4 (tokenColGenericDataElement4)
Description
The name of the 4th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_4
Token Col Generic Data Element5 (tokenColGenericDataElement5)
Description
The name of the 5th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_5
Token Col Generic Data Element6 (tokenColGenericDataElement6)
Description
The name of the 6th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_6
Token Col Generic Data Element7 (tokenColGenericDataElement7)
Description
The name of the 7th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_7
Token Col Generic Data Element8 (tokenColGenericDataElement8)
Description
The name of the 8th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_8
Token Col Generic Data Element9 (tokenColGenericDataElement9)
Description
The name of the 9th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_9
Token Col Generic Data Element10 (tokenColGenericDataElement10)
Description
The name of the 10th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_10
Token Col Generic Data Element11 (tokenColGenericDataElement11)
Description
The name of the 11th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_11
Token Col Generic Data Element12 (tokenColGenericDataElement12)
Description
The name of the 12th column holding generic token data.
Attributes
String
Mandatory
Suggested values
generic_data_element_12
Token Col Tracking Id (tokenColTrackingId)
Description
The name of the column holding the tracking identity.
Attributes
String
Optional
Suggested values
tracking_id
Token Additional Where Clause (tokenAdditionalWhereClause)
Description

Optional SQL query condition that is added to the WHERE clause when searching for, updating or deleting tokens.

  • Example for an SQL query without an additional WHERE clause: SELECT * FROM token WHERE type = 'myTokenType'
  • Example for an SQL query with an additional WHERE clause "foo()": SELECT * FROM token WHERE type = 'myTokenType' AND foo()

Note that this WHERE clause may be overridden for the token lookup using the property: "Token Search Additional Where Clause"

Attributes
String
Optional
Example
generic_data_element_1 = 'myData1'
Token Search Additional Where Clause (tokenSearchAdditionalWhereClause)
Description
Same as the property "Token Additional Where Clause", but the additional WHERE clause of this property is only used to search tokens.
Attributes
String
Optional
Example
generic_data_element_1 = 'myData1'
Additional Token Insert Data (additionalTokenInsertData)
Description

This property defines a list of name/value pairs used in insert statements when a new token record is inserted.

This allows you to add arbitrary fixed or dynamic values when a new record is created.

Caution: Make sure to appropriately escape values (e.g. use single quotes around strings). They are used as provided in the SQL insert statements. This allows calling database dependent functions (e.g. in order to get a sequence number, system date, etc). Also, do not use any of the standard fields of the token table.

Attributes
Plugin-List
Optional
Assignable plugins
Token Assignment Table (tokenAssignmentTable)
Description
The name of the database table containing the token assignments.
Attributes
String
Mandatory
Suggested values
token_assignment
Token Assignment Col Token Id (tokenAssignmentColTokenId)
Description
The name of the column holding the identity referencing the assigned token (foreign key).
Attributes
String
Mandatory
Suggested values
ta_token_id
Token Assignment Col User (tokenAssignmentColUser)
Description
The name of the column holding the name of the user whom the token is assigned to.
Attributes
String
Mandatory
Suggested values
ta_user
Token Assignment Col Assignment Date (tokenAssignmentColAssignmentDate)
Description
The name of the column holding the date of the assignment.
Attributes
String
Mandatory
Suggested values
ta_assignment_date
Token Assignment Col Assignment User (tokenAssignmentColAssignmentUser)
Description
The name of the column holding the name of the user that did the assignment.
Attributes
String
Mandatory
Suggested values
ta_assignment_user
Token Assignment Col Order New (tokenAssignmentColOrderNew)
Description
The name of the column holding the flag indicating whether a new token has been ordered.
Attributes
String
Mandatory
Suggested values
ta_order_new
Token Assignment Col Order New User (tokenAssignmentColOrderNewUser)
Description
The name of the column holding the name of the user that placed the order for a new token.
Attributes
String
Mandatory
Suggested values
ta_order_new_user
Token Assignment Col Order New Date (tokenAssignmentColOrderNewDate)
Description
The name of the column holding the date where a new token was ordered.
Attributes
String
Mandatory
Suggested values
ta_order_new_date
Token Assignment Col Order Options (tokenAssignmentColOrderOptions)
Description
The name of the column holding the options of a token order.
Attributes
String
Optional
Suggested values
ta_order_options
Token Assignment Col Additional Information (tokenAssignmentColAdditionalInformation)
Description
The name of the column holding additional token assignment information.
Attributes
String
Optional
Suggested values
ta_additional_information
Token Assignment Col Comment (tokenAssignmentColComment)
Description
The name of the column holding the token assignment comments.
Attributes
String
Optional
Suggested values
ta_comment
Token Assignment Additional Where Clause (tokenAssignmentAdditionalWhereClause)
Description

Optional SQL query condition that is added to the WHERE clause when searching for, updating or deleting token assignments.

  • Example for an SQL query without additional WHERE clause: SELECT * FROM token_assignment WHERE ta_user = 'user'
  • Example for an SQL query with additional WHERE clause "foo()": SELECT * FROM token_assignment WHERE ta_user = 'user' AND foo()
Attributes
String
Optional
Example
ta_comment = 'myComment1'
Additional Token Assignment Insert Data (additionalTokenAssignmentInsertData)
Description

This property defines a list of name/value pairs used in insert statements when a new token assignment record is inserted.

This allows you to add arbitrary fixed or dynamic values when a new record is created.

Caution: Make sure to appropriately escape values (e.g. use single quotes around strings). They are used as provided in the SQL insert statements. This allows calling database dependent functions (e.g. in order to get a sequence number, system date, etc). Also, do not use any of the standard fields of the token assignment table.

Attributes
Plugin-List
Optional
Assignable plugins
YAML Template (with default values)

type: DatabaseTokenPersister
id: DatabaseTokenPersister-xxxxxx
displayName: 
comment: 
properties:
  additionalTokenAssignmentInsertData:
  additionalTokenInsertData:
  sqlDataSource:
  tokenAdditionalWhereClause:
  tokenAssignmentAdditionalWhereClause:
  tokenAssignmentColAdditionalInformation:
  tokenAssignmentColAssignmentDate:
  tokenAssignmentColAssignmentUser:
  tokenAssignmentColComment:
  tokenAssignmentColOrderNew:
  tokenAssignmentColOrderNewDate:
  tokenAssignmentColOrderNewUser:
  tokenAssignmentColOrderOptions:
  tokenAssignmentColTokenId:
  tokenAssignmentColUser:
  tokenAssignmentTable:
  tokenColActivatesTokenId:
  tokenColActivationDate:
  tokenColActive:
  tokenColFirstUsageDate:
  tokenColGenerationDate:
  tokenColGenericDataElement1:
  tokenColGenericDataElement10:
  tokenColGenericDataElement11:
  tokenColGenericDataElement12:
  tokenColGenericDataElement2:
  tokenColGenericDataElement3:
  tokenColGenericDataElement4:
  tokenColGenericDataElement5:
  tokenColGenericDataElement6:
  tokenColGenericDataElement7:
  tokenColGenericDataElement8:
  tokenColGenericDataElement9:
  tokenColLatestUsageDate:
  tokenColObsoletesTokenId:
  tokenColSerialId:
  tokenColTokenData:
  tokenColTokenId:
  tokenColTotalUsages:
  tokenColTrackingId:
  tokenColType:
  tokenColValidityRangeLower:
  tokenColValidityRangeUpper:
  tokenSearchAdditionalWhereClause:
  tokenSequence:
  tokenTable:

Database User Persister

Description
Highly configurable persister using a relational database as user-repository. The database is accessed via JDBC. It fetches the data of a user by directly executing a prepared statement. Making changes persistent is achieved by multiple update statement executions on the user record within a transaction.
This plug-in is very flexible in that most database columns are optional and it allows you to specify extra where clauses and search filters to select the set of users. It also allows fetching role information from separate tables.

Note: This persister also supports insertion and deletion of users and can be used to iterate over users.

How this plug-in finds a user record

There are two ways in which this plugin finds a user record for getting, updating and deleting user data. The user record is always fetched using a select statement given a primary key and applying the configured filters (additional where clause). The two variants differ in how the primary key is determined:
  1. The primary key for selecting the user record is the username itself. This is by far the most common and most efficient method to obtain user data.
  2. The primary key is determined by a separate query including the username. The query can be configured. This way of selecting the user record is more flexible but results in an additional select statement.
Type name
DatabaseUserPersister
Class
com.airlock.iam.core.misc.impl.persistency.db.DatabaseUserPersister
May be used by
Properties
SQL Data Source (sqlDataSource)
Description
Defines how connections to the database are obtained.
Attributes
Plugin-Link
Mandatory
Assignable plugins
User Table Name (userTableName)
Description
The name of the database table containing the user data.
Attributes
String
Mandatory
Suggested values
medusa_user, medusa_admin
Col User Name (colUserName)
Description
The name of the database column with the username. This column is directly used to search the user unless a separate username-resolve-query (see separate configuration property) is specified.
Attributes
String
Mandatory
Suggested values
username
User Name Resolve Query (userNameResolveQuery)
Description
An SQL query that returns a primary key for the user table given the user name.
Such a query is useful if the username (used on the login page) is not part of the user table.
The query must be such that - given the username - it returns one value that can be used as primary key in the user table. The query must contain one question mark (?) which will be substituted by the username (a string).

If the query returns no records, it results in the user not being found.
If the query returns more than one record, it results in the username being ambiguous.

If this property is not defined, the username itself is used as primary key in the user table (the usual and efficient way).

Note: If this property is defined, user insertion by this plugin is no longer possible.

Attributes
String
Optional
Example
SELECT u.id FROM user u, person p WHERE p.id = u.person_id and p.contractId = ?
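The two lookup variants from "How this plug-in finds a user record", together with the not-found and ambiguous outcomes of the user name resolve query and the verbatim additional where clause, as an added Python example against an in-memory SQLite database (constructed sample data, not Airlock IAM code). The configuration key primaryKeyColumn, naming the column the resolved key is matched against, is a hypothetical name chosen for this example.

```python
import sqlite3

# Constructed sample schema: the login name lives in PERSON.contractId,
# the user record in MEDUSA_USER, mirroring the page's example resolve query.
SAMPLE_SCHEMA = """
CREATE TABLE person (id INTEGER PRIMARY KEY, contractId TEXT NOT NULL);
CREATE TABLE medusa_user (
    id INTEGER PRIMARY KEY,
    person_id INTEGER NOT NULL REFERENCES person(id),
    username TEXT NOT NULL UNIQUE,
    deleted INTEGER NOT NULL DEFAULT 0
);
"""
SAMPLE_PERSONS = [(1, "C-1001"), (2, "C-2002"), (3, "C-2002"), (4, "C-4004")]
SAMPLE_USERS = [(10, 1, "alice", 0), (20, 2, "bob", 0), (30, 3, "bob2", 0), (40, 4, "carol", 1)]


class UserNotFound(Exception):
    """No user record (after applying the additional where clause)."""


class AmbiguousUserName(Exception):
    """The resolve query returned more than one primary key."""


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SAMPLE_SCHEMA)
    conn.executemany("INSERT INTO person VALUES (?, ?)", SAMPLE_PERSONS)
    conn.executemany("INSERT INTO medusa_user VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def resolve_primary_key(conn, cfg, username):
    """Variant 2: the configured query's single '?' is bound to the username."""
    rows = conn.execute(cfg["userNameResolveQuery"], (username,)).fetchall()
    if not rows:
        raise UserNotFound(username)        # no record: user not found
    if len(rows) > 1:
        raise AmbiguousUserName(username)   # more than one record: ambiguous
    return rows[0][0]


def find_user_record(conn, cfg, username):
    if cfg.get("userNameResolveQuery"):
        key_column = cfg["primaryKeyColumn"]   # hypothetical key name, see lead-in
        key = resolve_primary_key(conn, cfg, username)
    else:
        key_column = cfg["colUserName"]        # variant 1: username is the key
        key = username
    # Table and column names come from trusted configuration; the key is bound.
    sql = f'SELECT * FROM {cfg["userTableName"]} WHERE {key_column} = ?'
    if cfg.get("additionalWhereClause"):
        # Appended verbatim, as the page states; it must only come from configuration.
        sql += " AND " + cfg["additionalWhereClause"]
    row = conn.execute(sql, (key,)).fetchone()
    if row is None:
        raise UserNotFound(username)
    return dict(row)


DIRECT_CFG = {
    "userTableName": "medusa_user",
    "colUserName": "username",
    "additionalWhereClause": "deleted = 0",
}
RESOLVE_CFG = dict(
    DIRECT_CFG,
    userNameResolveQuery="SELECT u.id FROM medusa_user u, person p "
                         "WHERE p.id = u.person_id AND p.contractId = ?",
    primaryKeyColumn="id",
)


def lookup_outcome(cfg, username):
    """Return the found record's username, or the name of the failure."""
    conn = build_sample_db()
    try:
        return find_user_record(conn, cfg, username)["username"]
    except (UserNotFound, AmbiguousUserName) as exc:
        return type(exc).__name__
    finally:
        conn.close()


if __name__ == "__main__":
    for label, cfg, names in (("direct", DIRECT_CFG, ["alice", "carol", "nobody"]),
                              ("resolve", RESOLVE_CFG, ["C-1001", "C-2002", "C-4004", "C-9999"])):
        for name in names:
            print(f"{label:8} {name:8} -> {lookup_outcome(cfg, name)}")
```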
Col Password (colPassword)
Description
The name of the database column with the password hash value (or the password itself).
In general the type of this database column is expected to be BYTE or VARBYTE because password hashes are byte sequences. However, if a password hash function is used that returns a character sequence (for example the password itself) this also works with column type CHAR or VARCHAR.
The plug-in tries to find out automatically whether the password hash is binary or string type by reading a value from the database and looking at the type of the returned object. This may lead to problems with NULL values or "too intelligent" JDBC drivers that implicitly convert HEX- or base64-strings to binary data. The optional property "Is Pwd Hash String Type" can be used to tell the plug-in explicitly what data type this column is.
Attributes
String
Optional
Suggested values
pwd_hash
Is Pwd Hash String Type (isPwdHashStringType)
Description
Flag telling this persister whether the password hash column is a string type column (CHAR, VARCHAR) or whether it is binary (VARBYTE, RAW, BLOB).
The value TRUE indicates that the password hash column is a string type column. The value FALSE indicates that the password hash column is a binary type column.
If this optional property is not defined or empty, the plug-in tries to determine the type of column automatically (see description of property "Col Password").
Attributes
Boolean
Optional
Default value
true
Col Auth Method (colAuthMethod)
Description
The name of the database column that holds the identifier for the authentication method to use for the user, if different authentication methods are supported. The column type is a string type column (CHAR, VARCHAR) and its value may be NULL.
Attributes
String
Optional
Suggested values
auth_method
Default Auth Method (defaultAuthMethod)
Description
The default authentication method value used when inserting new users that have no auth method set. This is only used if an authentication method column is configured.
Attributes
String
Optional
Suggested values
PASSWORD, MATRIX, MTAN, OATH_OTP, CERTIFICATE, CRONTO, EMAILOTP, SECURID, SECOVID
Col Next Auth Method (colNextAuthMethod)
Description
The name of the database column that holds the identifier for the next authentication method to use for the user after a migration. The column type is a string type column (CHAR, VARCHAR) and its value may be NULL.
Attributes
String
Optional
Suggested values
next_auth_method
Default Next Auth Method (defaultNextAuthMethod)
Description
The default next authentication method value used when inserting new users that have no next auth method set. This is only used if a next authentication method column is configured.
Attributes
String
Optional
Suggested values
PASSWORD, MATRIX, MTAN, OATH_OTP, CERTIFICATE, EMAILOTP, SECURID, SECOVID
Col Auth Migration Date (colAuthMigrationDate)
Description
The name of the database column that holds the date until which the migration of the authentication method must be performed. The column type is either DATETIME or TIMESTAMP and its value may be NULL.
Attributes
String
Optional
Suggested values
auth_migration_date
Col User Locked (colUserLocked)
Description
The name of the database column with the flag indicating whether the user is locked or not.
Authenticators usually lock a user after a number of consecutive failed login attempts. This column type is either CHAR or NUMBER. The value "0" is treated as false, any other value is treated as true.
If this column is not specified, users are not considered locked.
Attributes
String
Optional
Suggested values
locked
Col User Lock Reason (colUserLockReason)
Description
The name of the database column that contains the reason why the user is locked.
This can be the whole description of the reason or a key to a string resource.
The type of this column is either CHAR or VARCHAR.
Attributes
String
Optional
Suggested values
lock_reason
Col User Lock Date (colUserLockDate)
Description
The name of the database column that contains the timestamp of when the user was locked.
The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
lock_date
Col Failed Logins (colFailedLogins)
Description
The name of the database column holding the number of consecutively failed logins. The type of this column is NUMBER.
If this column is not specified, the failed logins are not counted.
Attributes
String
Optional
Suggested values
failed_logins
Col Failed Token Counts (colFailedTokenCounts)
Description
The name of the database column holding the counters for failed attempts on individual authentication tokens. The type of this column is CLOB (or a DB-type equivalent).
If this column is not specified, the failed attempts in the flow-based REST authentication API are not counted.
Attributes
String
Optional
Suggested values
failed_token_counts
Col Failed Logins Before Latest Login (colFailedLoginsBeforeLatestLogin)
Description
The name of the database column holding the number of consecutively failed logins before the latest successful login. The type of this column is NUMBER.
If this column is not specified, the failed logins before the latest successful login are not counted.
Attributes
String
Optional
Suggested values
failed_logins_before
Col Total Logins (colTotalLogins)
Description
The name of the database column holding the total number of successful logins. The type of this column is NUMBER.
If this column is not specified, the successful logins are not counted.
Attributes
String
Optional
Suggested values
total_logins
Col Password Change Forced (colPasswordChangeForced)
Description
The name of the database column with the flag indicating whether the user must be forced to change the password.
This column type is either CHAR or NUMBER. The value "0" is treated as false, any other value is treated as true.
If this column is not specified, no password change is enforced.
Attributes
String
Optional
Suggested values
pwd_chg_enf
Col Password Delivery Date (colPasswordDeliveryDate)
Description
The name of the database column with the date and time of the latest password delivery.
The type of this column is either DATETIME or TIMESTAMP. Note that most data types will work, but depending on the chosen database data type only the date without the time may be stored.
If this column is not specified, the delivery date of the latest password is not provided to callers.
Attributes
String
Optional
Suggested values
pwd_lat_del
Col Other Credentials Delivery Timestamps (colOtherCredentialsDeliveryTimestamps)
Description
Comma-separated list of column names with the delivery dates of other credentials.
The type of every referenced column is either DATETIME or TIMESTAMP.
This information can be used by components that make sure not to deliver more than one user credential at the same time.
If no columns are specified, no delivery dates are provided to callers.
Attributes
String
Optional
Example
latest_token_delivery
Example
latest_list_delivery
Example
smart_card_delivery_date
Example
smart_card_delivery_date,pin_delivery_date
Col Password Generation Date (colPasswordGenerationDate)
Description
The name of the database column with the date and time of the latest password generation.
The type of this column is either DATETIME or TIMESTAMP.
This information is needed by components in which the generation date of a password and its delivery date are not necessarily the same. This can be the case, for example, when a generated credential is held back because another credential for the same user is delivered at the same time.
If this column is not specified, no password generation date is provided to callers.
Attributes
String
Optional
Example
pwd_lat_gen
Example
latest_password_generation
Example
pwd_gen_date
Col Latest Password Change (colLatestPasswordChange)
Description
The name of the database column with the date and time of the latest password change.
The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
pwd_lat_chg
Col Next Enforced Password Change (colNextEnforcedPasswordChange)
Description
The name of the database column with the date and time of next enforced password change.
The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
pwd_next_chg
Col Password Ordered Flag (colPasswordOrderedFlag)
Description
The name of the database column with the flag indicating whether a new password should be generated for this user.
This column type is either CHAR or NUMBER. The value "0" is treated as false, any other value is treated as true.
If this column is not specified, the password order state is always reported to be false.
Attributes
String
Optional
Suggested values
pwd_order_new
Col Password Ordered User (colPasswordOrderedUser)
Description
The name of the database column with the user by whom a new password was ordered.
This column type is either CHAR or VARCHAR.
If this column is not specified, the password order user is always null.
Attributes
String
Optional
Suggested values
pwd_order_user
Col Password Ordered Date (colPasswordOrderedDate)
Description
The name of the database column with the date of when a new password was ordered.
This column type is either DATETIME or TIMESTAMP.
If this column is not specified, the password order date is always null.
Attributes
String
Optional
Suggested values
pwd_order_date
Col Failed Password Resets (colFailedPasswordResets)
Description

The name of the database column with the number of failed password reset attempts for flow-based password reset. The type of this column is NUMBER.
Security note: If this column is not specified, failed password reset attempts are not counted, which enables brute-force attacks.

Attributes
String
Optional
Suggested values
pwd_failed_resets
Col Role String (colRoleString)
Description
The name of the database column with a comma-separated list of roles granted to the user after successful authentication.
The type of this column is CHAR or VARCHAR.
Note: There are other ways to determine a user's roles (see other configuration properties). If the roles granted to a user are obtained from other tables (via foreign keys), leave this property empty and use the property roles-query instead.
Attributes
String
Optional
Suggested values
roles
Roles Query (rolesQuery)
Description
As an alternative to the configuration property Col Role String, this property allows retrieving the roles granted to the authenticated user from other (foreign) tables.
This property defines an arbitrary SQL query that returns the roles associated with the user. Note: The statement must be such that the query returns rows consisting of one column only, holding the granted role!
You may use the string ${userId} to reference the user id of the authenticated user inside the SQL query. The reference may be used once or multiple times.

Example: In the following example, the user table is USER, there is a role table ROLE and a table with the user-to-role mappings USER2ROLE:

roles-query="SELECT r.role_name from ROLE r, USER u, USER2ROLE u2r where u.userName = ${userId} AND u.id = u2r.user AND u2r.role = r.id"

Attributes
String
Optional
Example
SELECT r.role_name from ROLE r, USER u, USER2ROLE u2r where u.userName = ${userId} AND u.id = u2r.user AND u2r.role = r.id
Grant Roles (grantRoles)
Description
A comma-separated list of roles (role names, optionally followed by a colon and a role idle timeout in seconds) that are granted to loaded users.
This set of roles is added to the otherwise determined set of roles. Thus, it does not replace otherwise determined roles but can be used in conjunction with other methods.
Attributes
String
Optional
Example
role1,role2:300
Example
admin
Example
user:300,employee:600
Col User Valid (colUserValid)
Description
Name of a database column with a flag indicating whether the user entry is valid or not.
The type of this column is either CHAR or NUMBER. The value "0" is treated as invalid, any other value is treated as valid.
If this column is not specified, all users are considered to be valid.
Attributes
String
Optional
Suggested values
valid
Col User Not Valid After (colUserNotValidAfter)
Description
The name of the database column indicating the point in time after which a user record is considered not valid anymore. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
not_valid_after
Col User Not Valid Before (colUserNotValidBefore)
Description
The name of the database column indicating the point in time before which a user record is considered not yet valid. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
not_valid_before
Col Latest Successful Login (colLatestSuccessfulLogin)
Description
Name of the database column with the timestamp of the latest successful login. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
lat_succ_login
Col Second Latest Successful Login (colSecondLatestSuccessfulLogin)
Description
Name of the database column with the timestamp of the second latest successful login. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
lat_succ_login2
Col Latest Login Attempt (colLatestLoginAttempt)
Description
Name of the database column with the timestamp of the latest attempted login (regardless of success or failure). The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
lat_login_attempt
Col First Login (colFirstLogin)
Description
Name of the database column with the timestamp of very first login of this user. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
first_login
Col Unlock Attempts (colUnlockAttempts)
Description
Name of the database column with the number of attempts to unlock the user (e.g. through self-unlocking). The type of this column is NUMBER.
Attributes
String
Optional
Suggested values
unlock_attempts, UNLOCK_ATTEMPTS
Col Latest Unlock Attempt (colLatestUnlockAttempt)
Description
Name of the database column with the timestamp of the last unlock attempt of this user. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
lat_unlock_attempt, LAT_UNLOCK_ATTEMPT
Col Self Registered Flag (colSelfRegisteredFlag)
Description
Name of the database column with the flag indicating if the user is self-registered. This column type is either CHAR or NUMBER. The value "0" is treated as false, any other value is treated as true.
If this column is not specified, it will be assumed that no users are self-registered.
Attributes
String
Optional
Suggested values
self_registered
Col Self Registration Date (colSelfRegistrationDate)
Description
Name of the database column with the timestamp of the user's self-registration. The type of this column is either DATETIME or TIMESTAMP.
Attributes
String
Optional
Suggested values
self_registration_date
Col Channel Verification Resends (colChannelVerificationResends)
Description
Name of the database column holding the number of completed resends of the channel verification token during the user's self-registration. The type of this column is NUMBER.
If this column is not specified, the number of allowed resend attempts is not limited.
Attributes
String
Optional
Suggested values
channel_verification_resends
Col Last GSID (colLastGSID)
Description
Name of the database column with the last global session id.
Attributes
String
Optional
Suggested values
last_gsid_value
Col Last GSID Date (colLastGSIDDate)
Description
Name of the database column with the last update timestamp for the global session id.
Attributes
String
Optional
Suggested values
last_gsid_date
Col Secret Questions Enabled (colSecretQuestionsEnabled)
Description
The name of the database column with the flag indicating whether secret question features are enabled for the user or not.
Attributes
String
Optional
Suggested values
secret_questions_enabled
Additional Where Clause (additionalWhereClause)
Description
Optional SQL query condition that is added to the where clause when searching the user by user name.
The SQL query without an additional where clause is SELECT * FROM usertable WHERE colusername = 'username' (the real values for "usertable" and "colusername" are taken from the configuration, and "username" is taken from the user name input field of the login mask).
The SQL query with an additional where clause xyz is: SELECT * FROM usertable WHERE colusername = 'username' AND xyz.
Example: If the value of this configuration setting is "GROUP = 'cus1' AND MANDATE = 'abc'", the resulting query is SELECT * FROM usertable WHERE colusername = 'username' AND GROUP = 'cus1' AND MANDATE = 'abc'.
See also property search-condition-query: It offers a more powerful (although slightly less efficient) way to control the set of valid users.
Attributes
String
Optional
Example
GROUP = 'cus1' AND MANDATE = 'abc'
Example
deleted=0
Additional Iterator Where Clause (additionalIteratorWhereClause)
Description
Optional SQL query condition that is added to the where clause when iterating over users.
The SQL query without an additional where clause is SELECT colusername FROM usertable (the real values for "usertable" and "colusername" are taken from the configuration).
The SQL query with an additional where clause xyz is: SELECT colusername FROM usertable WHERE xyz.
Example: If the value of this configuration setting is "GROUP = 'cus1' AND MANDATE = 'abc'", the resulting query is SELECT colusername FROM usertable WHERE GROUP = 'cus1' AND MANDATE = 'abc'.
See also property search-condition-query: It offers a more powerful (although slightly less efficient) way to control the set of valid users.
Attributes
String
Optional
Example
GROUP = 'cus1' AND MANDATE = 'abc'
Example
deleted=0
Iterator Query (iteratorQuery)
Description
This query is used to get all user ids (or all matching user ids) instead of the default generated query defined by the user table, the username column and the context data fields.

Specifying such a query is only necessary if the username cannot be used as primary key in the user table (this is only the case if the property "User Name Resolve Query" is specified).

The query must return one-column records, one username (user id) per row.

Note that this query is used both when returning all user ids and when returning only matching user ids (filtered by the user). Thus, the query must be such that LIKE clauses against context data columns work. This usually means that you must join the result with the user table (even if the user id is not read from the user table) so the LIKE clauses can access the context data of the user table. Failing to do so results in runtime SQL syntax exceptions!

Note: If this property is specified, "Additional Iterator Where Clause" and the deleted flag are ignored. They must be part of the query itself!

Attributes
String
Optional
Example
SELECT p.id from PERSON p, User u where u.person_id = p.id
Search Condition Query (searchConditionQuery)
Description
A way to limit the set of valid users with an arbitrary SQL query.
(See also configuration property additional-where-clause: it offers a different, slightly more efficient but less powerful way to limit the set of valid users).
After the user has been found by username (and matching the optional additional where clause as specified by configuration property additional-where-clause), the query specified by this configuration property is executed. If the result of the query is true or 1, the user is considered valid. In all other cases the user is not valid, i.e. the behaviour is as if the user did not exist.

The value of this configuration property can be empty (no effect) or any valid SQL query. You can use values of the user record (Record selected from table specified by configuration property user-table-name by user name and optionally additional where clause) in the query as follows: ${xxx} refers to the field (column) xxx from the selected user record.

Example: In our example the selected user record has the following values (column name = value): user_id = 'freddie', person_no = 13, ...
Further, there is a different database table PERSON which is referenced by the user table. The table PERSON has a column of type boolean called "valid" which indicates whether a person record is valid or not. Consider the following value for this configuration property: SELECT p.valid FROM PERSON p WHERE p.person_no = ${person_no}
Thus, when looking up the user record (given the username and matching the optional additional where part), the above query is executed with ${person_no} substituted by the value 13 of field person_no of the selected user record.

Attributes
String
Optional
Example
SELECT p.valid FROM PERSON p WHERE p.person_no = ${person_no}
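Added example, not Airlock IAM's own code, showing the lookup sequence described for Additional Where Clause, Search Condition Query and Roles Query on a constructed SQLite schema: the configured clause is appended to the user lookup, and each ${field} reference is resolved from the loaded user record as a bound parameter. The table and column names and the mapping of ${userId} to the user name column are assumptions.

```python
"""Lookup sequence: find user by name + additional where clause, check the
search condition query, then load roles via the roles query (SQLite demo)."""
import re
import sqlite3

PLACEHOLDER = re.compile(r"\$\{(\w+)\}")

# Configuration values in the shape the reference describes
# (table and column names are constructed for this example).
ADDITIONAL_WHERE_CLAUSE = "deleted = 0"
SEARCH_CONDITION_QUERY = "SELECT p.valid FROM person p WHERE p.person_no = ${person_no}"
ROLES_QUERY = ("SELECT r.role_name FROM role r, users u, user2role u2r "
               "WHERE u.userName = ${userId} AND u.id = u2r.user_id AND u2r.role_id = r.id")


def resolve_template(template, record):
    """Turn every ${field} into a '?' placeholder and collect the record values
    in order, so field values are bound instead of spliced into the SQL text.
    A reference to a field the record does not have is rejected."""
    params = []

    def replace(match):
        field = match.group(1)
        if field not in record:
            raise KeyError(f"user record has no field '{field}'")
        params.append(record[field])
        return "?"

    return PLACEHOLDER.sub(replace, template), params


def setup_db():
    """Constructed sample schema: users, person (validity flag), role, user2role."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, userName TEXT, person_no INTEGER, deleted INTEGER);
        CREATE TABLE person (person_no INTEGER PRIMARY KEY, valid INTEGER);
        CREATE TABLE role (id INTEGER PRIMARY KEY, role_name TEXT);
        CREATE TABLE user2role (user_id INTEGER, role_id INTEGER);
        INSERT INTO users VALUES (1, 'freddie', 13, 0), (2, 'ghost', 14, 1), (3, 'o''brien', 15, 0);
        INSERT INTO person VALUES (13, 1), (14, 1), (15, 0);
        INSERT INTO role VALUES (1, 'admin'), (2, 'user');
        INSERT INTO user2role VALUES (1, 1), (1, 2), (3, 2);
    """)
    return con


def load_user(con, username, additional_where=ADDITIONAL_WHERE_CLAUSE):
    """SELECT * FROM usertable WHERE colusername = ? AND <additional where clause>.
    The clause is configuration and is appended verbatim; the user name typed
    at login is bound as a parameter."""
    sql = "SELECT * FROM users WHERE userName = ?"
    if additional_where:
        sql += " AND " + additional_where
    row = con.execute(sql, (username,)).fetchone()
    return dict(row) if row is not None else None


def is_valid(con, record, condition_query=SEARCH_CONDITION_QUERY):
    """Search Condition Query: valid only if the single result is true/1;
    any other result (including no row at all) means invalid."""
    if not condition_query:
        return True
    sql, params = resolve_template(condition_query, record)
    row = con.execute(sql, params).fetchone()
    return row is not None and row[0] in (1, True)


def load_roles(con, record, roles_query=ROLES_QUERY):
    """Roles Query: one-column rows, one granted role per row.
    ${userId} is taken from the user name column here (assumption)."""
    sql, params = resolve_template(roles_query, {**record, "userId": record["userName"]})
    return sorted(row[0] for row in con.execute(sql, params))


def authenticate_lookup(con, username):
    """Full sequence; returns (valid, roles). A user failing either the
    additional clause or the search condition behaves as if it did not exist."""
    record = load_user(con, username)
    if record is None or not is_valid(con, record):
        return False, []
    return True, load_roles(con, record)


if __name__ == "__main__":
    db = setup_db()
    for name in ("freddie", "ghost", "o'brien"):
        print(name, authenticate_lookup(db, name))
```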
Context Data Columns (contextDataColumns)
Description

A list of database columns that are loaded/stored in the user's context data container.

Use either an appropriately typed instance (preferred) or the legacy type using auto-detection (the default up to IAM 6.4).

Attributes
Plugin-List
Optional
Assignable plugins
Additional Context Data (additionalContextData)
Description
This selector allows reading context data from other tables by executing the specified query. The selector of this configuration property specifies the name of the context data variable to be read. The value of this configuration property may be empty (no effect) or any valid SQL query. You can use the values of the user record (the record selected from the table specified by property user-table-name by user name) in the query as follows: ${xxx} refers to the field (column) xxx from the selected user record.

Note: These context data values are read only! When fetching user records, the query will be executed for each user and the values will be added to the context data container. Modified, new or deleted values will not be written when user records are updated.

Also note that context data fields defined in configuration property context-data-columns override corresponding entries in this property.

Example:
SELECT p.mobile_no FROM person p WHERE p.person_no = ${person_no}

Attributes
Plugin-List
Optional
Assignable plugins
Col Deleted (colDeleted)
Description
The name of a column that marks a record as deleted. A record that has been marked as deleted is ignored by this persister.
Note: If a user is deleted and this property is defined, the record is only marked as deleted and not actually removed from the database! If this property is not defined and a user is deleted, the record is deleted from the database. The type of this column is either NUMBER (recommended) or CHAR. The value "1" represents a deleted user, "0" represents a non-deleted user.
Attributes
String
Optional
Suggested values
deleted
Col Version Id (colVersionId)
Description
Name of a database column containing a numerical version id that is automatically incremented by one when a record is changed.
Such a technical column is used by some applications or libraries (such as Hibernate) to implement optimistic locking.

Note that this plugin still uses its own data-based optimistic locking mechanism. It just increments the value within a transaction in order to be compliant with other components' locking mechanisms.

The column must be of an integer type. Usually a long type is used.

Attributes
String
Optional
Suggested values
rowVersionId
Col Record Insertion Date (colRecordInsertionDate)
Description
Name of a database column with the date and time this record was created. The timestamp is written by this plugin at the time the record is inserted by this plugin.

The type of the column must be compatible with a timestamp.

Note that, if configured (see the separate property), user information may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowInsertDate
Col Record Insertion User (colRecordInsertionUser)
Description
Name of a database column with the name of the system that inserted the record. The name is determined by configuration property "Record Modification User" and is written by this plugin at the time the record is inserted by this plugin.

Note that, if configured (see the separate property), the insertion date may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowInsertUser
Col Record Modification Date (colRecordModificationDate)
Description
Name of a database column with the date and time this record was modified. The timestamp is written by this plugin at the time the record is modified (or created) by this plugin.

The type of the column must be compatible with a timestamp.

Note that, if configured (see the separate property), user information may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowUpdateDate
Col Record Modification User (colRecordModificationUser)
Description
Name of a database column with the name of the system that modified the record. The name is determined by configuration property "Record Modification User" and is written by this plugin at the time the record is modified (or created) by this plugin.

Note that, if configured (see the separate property), the modification date may also be written to the database at the same time.

Attributes
String
Optional
Suggested values
rowUpdateUser
Record Modification User (recordModificationUser)
Description
Specifies a string (typically the name associated with the system using this plugin) that is written to the database fields specified by properties "Col Record Insertion User" and "Col Record Modification User" when this plugin creates or modifies a user record.
Attributes
String
Optional
Default value
Medusa
Suggested values
Airlock
Additional Insert Data (additionalInsertData)
Description
This property defines a list of name/value pairs used in insert statements when a new record is inserted.

This allows you to add arbitrary fixed or dynamic values when a new record is created. This is useful if some database fields may not be NULL but are not inserted by this plugin by default.

Caution: Make sure to escape values appropriately (e.g. use single quotes around strings). They are used as provided in the SQL insert statements. This allows calling database-dependent functions (e.g. to get a sequence number, the system date, etc.).

Caution: If the columns specified here are the same as configured in the context data fields or in any "Col ..." property, remove them from the other places for this persister instance.

Attributes
Plugin-List
Optional
Assignable plugins
Rowset Range Pattern (rowsetRangePattern)
Description

This property only has an effect if used in connection with a "Database User Store".

A string formatter pattern describing how to constrain the result set to a subrange of all results. Set this value in case Airlock IAM cannot determine the optimal query pattern automatically.

The first argument is the number of rows to skip (offset), and the second argument is the number of rows to return (limit).

If no pattern is set, Airlock IAM will attempt to automatically determine the query based on the database type.

Commonly used patterns:

  • LIMIT %2$d OFFSET %1$d for MySQL, MariaDB, H2, HSQLDB, PostgreSQL, SQLite
  • OFFSET %1$d ROWS FETCH NEXT %2$d ROWS ONLY for SQL:2008 standard, Derby, SQL Server 2012, Oracle 12c
Attributes
String
Optional
Suggested values
LIMIT %2$d OFFSET %1$d, OFFSET %1$d ROWS FETCH NEXT %2$d ROWS ONLY
Case Sensitive Exact Matching (caseSensitiveExactMatching)
Description

This property only has an effect if used in connection with a "Database User Store".

A String formatter pattern describing how to compare a string field on equality, case sensitive.

If the database is already case sensitive (most DBs, except MySQL and MariaDB) the default value can be used.

The argument (%s) is the name of the field to compare, and the question mark is the value to be searched for.

Commonly used patterns:

  • %s = ? – in most cases
  • BINARY `%s` = ? – for MySQL and MariaDB databases with standard (case insensitive) settings
Attributes
String
Optional
Default value
%s = ?
Suggested values
%s = ?, %s = BINARY ?
Case Sensitive Matching (caseSensitiveMatching)
Description

This property only has an effect if used in connection with a "Database User Store".

A String formatter pattern describing how to search in a string field, case sensitive.

If the database is already case sensitive (most DBs, except MySQL and MariaDB) the default value can be used.

The argument (%s) is the name of the field to compare, and the question mark is the value to be searched for. Important: This is used for approximate matching, e.g. "contains" matching, where the search value could be like "%bla%", thus the "LIKE" operator must be used instead of the equality sign.

Commonly used patterns:

  • %s LIKE ? – in most cases
  • %s LIKE BINARY ? – for MySQL and MariaDB databases with standard (case insensitive) settings
  • %s COLLATE latin1_general_cs LIKE ? – alternative for MySQL and MariaDB, possibly more efficient, but collation must be known
Attributes
String
Optional
Default value
%s LIKE ?
Suggested values
%s LIKE ?, %s LIKE BINARY ?, %s COLLATE latin1_general_cs LIKE ?
Case Insensitive Exact Matching (caseInsensitiveExactMatching)
Description

This property only has an effect if used in connection with a "Database User Store".

A String formatter pattern describing how to compare a string database field on equality, case insensitive.

If the database is already case insensitive (e.g. MySQL and MariaDB) the default value can be used.

The argument (%s) is the name of the field to compare, and the question mark is the value to be searched for. For some databases a less efficient "LIKE" operator has to be used for this.

Depending on the DB and version used, as well as the specific setup, different values can be the most efficient. For large user repositories, consult a DB expert or test with different settings.

Commonly used patterns:

  • LOWER( %s ) = LOWER ( ? ) – works for most DBs, tested with Oracle DB. Note that this is only really efficient if a lower-case index is created for the relevant columns.
  • %s COLLATE latin1_general_ci = ? – recommended for MSSQL.
  • %s = ? – for databases with default case insensitive matching, e.g. MySQL and MariaDB with standard settings
Attributes
String
Optional
Default value
LOWER( %s ) = LOWER ( ? )
Suggested values
%s = ?, LOWER( %s ) = LOWER ( ? ), %s COLLATE latin1_general_ci LIKE ?
Case Insensitive Matching (caseInsensitiveMatching)
Description

This property only has an effect if used in connection with a "Database User Store".

A String formatter pattern describing how to search in a string database field, case insensitive.

If the database is already case insensitive (e.g. MySQL and MariaDB) the default value can be used.

The argument (%s) is the name of the field to compare, and the question mark is the value to be searched for. Important: This is used for approximate matching, e.g. "contains" matching, where the search value could be like "%bla%", thus the "LIKE" operator must be used instead of the equality sign.

Depending on the DB and version used, as well as the specific setup, different values can be the most efficient. For large user repositories, consult a DB expert or test with different settings.

Commonly used patterns:

  • LOWER( %s ) LIKE LOWER ( ? ) – works for most DBs, tested with Oracle DB. Note that this is only really efficient if a lower-case index is created for the relevant columns.
  • %s COLLATE latin1_general_ci LIKE ? – recommended for MSSQL.
  • %s LIKE ? – for databases with default case insensitive matching, e.g. MySQL and MariaDB with standard settings
  • %s ILIKE ? – for PostgreSQL databases
Attributes
String
Optional
Default value
LOWER( %s ) LIKE LOWER ( ? )
Suggested values
%s LIKE ?, LOWER( %s ) LIKE LOWER ( ? ), %s COLLATE latin1_general_ci LIKE ?, %s ILIKE ?
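Added example, not Airlock IAM's own code, that renders the Java formatter patterns from Rowset Range Pattern, Case Sensitive Matching and Case Insensitive Matching into a paged "contains" user search and runs it on SQLite. The table, its rows and the use of SQLite's case_sensitive_like pragma to stand in for a case-sensitive database are constructed assumptions.

```python
"""Rendering %1$d / %2$d range patterns and %s matching patterns into a
paged user search, then comparing case-sensitive and -insensitive results."""
import re
import sqlite3

JAVA_SPEC = re.compile(r"%(?:(\d+)\$)?([sd])")


def render_java_pattern(pattern, *args):
    """Expand %1$d / %2$d (explicit argument index) and %s / %d (next argument)
    as java.util.Formatter does for these simple patterns. %d arguments are
    forced to int so only numbers ever land in the SQL text."""
    nxt = iter(args)

    def sub(match):
        index, conv = match.group(1), match.group(2)
        value = args[int(index) - 1] if index else next(nxt)
        return str(int(value)) if conv == "d" else str(value)

    return JAVA_SPEC.sub(sub, pattern)


def setup_db():
    """Constructed sample user table; case_sensitive_like=ON mimics a database
    whose LIKE is case sensitive (most DBs except MySQL and MariaDB)."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA case_sensitive_like = ON")
    con.execute("CREATE TABLE users (userName TEXT PRIMARY KEY, lastname TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "Mercury"), ("bob", "Smith"), ("carol", "mercado"),
        ("dave", "MERRITT"), ("erin", "Stone"),
    ])
    return con


def build_search_query(match_pattern, range_pattern, offset, limit,
                       table="users", username_col="userName", filter_col="lastname"):
    """Iterator query shape from the reference (SELECT colusername FROM usertable
    WHERE ...): the matching pattern gets the filter column as %s, the range
    pattern gets (offset, limit) as arguments 1 and 2."""
    condition = render_java_pattern(match_pattern, filter_col)
    page = render_java_pattern(range_pattern, offset, limit)
    return (f"SELECT {username_col} FROM {table} WHERE {condition} "
            f"ORDER BY {username_col} {page}")


def search_users(con, needle, match_pattern, offset, limit,
                 range_pattern="LIMIT %2$d OFFSET %1$d"):
    """Approximate search: the needle (e.g. '%mer%') is bound to the '?' left
    in the rendered pattern, never formatted into the SQL text."""
    sql = build_search_query(match_pattern, range_pattern, offset, limit)
    return [row[0] for row in con.execute(sql, (needle,))]


if __name__ == "__main__":
    db = setup_db()
    print(search_users(db, "%mer%", "LOWER( %s ) LIKE LOWER ( ? )", 0, 10))
    print(search_users(db, "%mer%", "%s LIKE ?", 0, 10))
```

On this simulated case-sensitive database the plain %s LIKE ? pattern misses "Mercury" and "MERRITT", which is the mismatch the Case Insensitive Matching property exists to avoid.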
YAML Template (with default values)

type: DatabaseUserPersister
id: DatabaseUserPersister-xxxxxx
displayName: 
comment: 
properties:
  additionalContextData:
  additionalInsertData:
  additionalIteratorWhereClause:
  additionalWhereClause:
  caseInsensitiveExactMatching: LOWER( %s ) = LOWER ( ? )
  caseInsensitiveMatching: LOWER( %s ) LIKE LOWER ( ? )
  caseSensitiveExactMatching: %s = ?
  caseSensitiveMatching: %s LIKE ?
  colAuthMethod:
  colAuthMigrationDate:
  colChannelVerificationResends:
  colDeleted:
  colFailedLogins:
  colFailedLoginsBeforeLatestLogin:
  colFailedPasswordResets:
  colFailedTokenCounts:
  colFirstLogin:
  colLastGSID:
  colLastGSIDDate:
  colLatestLoginAttempt:
  colLatestPasswordChange:
  colLatestSuccessfulLogin:
  colLatestUnlockAttempt:
  colNextAuthMethod:
  colNextEnforcedPasswordChange:
  colOtherCredentialsDeliveryTimestamps:
  colPassword:
  colPasswordChangeForced:
  colPasswordDeliveryDate:
  colPasswordGenerationDate:
  colPasswordOrderedDate:
  colPasswordOrderedFlag:
  colPasswordOrderedUser:
  colRecordInsertionDate:
  colRecordInsertionUser:
  colRecordModificationDate:
  colRecordModificationUser:
  colRoleString:
  colSecondLatestSuccessfulLogin:
  colSecretQuestionsEnabled:
  colSelfRegisteredFlag:
  colSelfRegistrationDate:
  colTotalLogins:
  colUnlockAttempts:
  colUserLockDate:
  colUserLockReason:
  colUserLocked:
  colUserName:
  colUserNotValidAfter:
  colUserNotValidBefore:
  colUserValid:
  colVersionId:
  contextDataColumns:
  defaultAuthMethod:
  defaultNextAuthMethod:
  grantRoles:
  isPwdHashStringType: true
  iteratorQuery:
  recordModificationUser: Medusa
  rolesQuery:
  rowsetRangePattern:
  searchConditionQuery:
  sqlDataSource:
  userChangeEventListeners:
  userNameResolveQuery:
  userTableName:
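
The matching templates listed under "Case Insensitive Matching" differ only in how the configured column name and the bound search value are combined. The following Python/SQLite snippet is an added example, not Airlock IAM code, that expands a template the way the description implies: "%s" is replaced with a column name taken from the configuration, while "?" stays a bind parameter, so the search value never becomes part of the SQL text. SQLite's LIKE is case-insensitive for ASCII by default, so the plain "%s LIKE ?" template behaves here like the MySQL/MariaDB case described above; the exact-match templates are used to show the case-sensitivity difference. The users table, its rows and the KNOWN_COLUMNS allow-list are constructed for this example.

```python
import sqlite3
from typing import List

# Constructed sample rows, not from the Airlock IAM documentation.
SAMPLE_USERS = [
    ("Alice", "alice@example.com"),
    ("alice.admin", "alice.admin@example.com"),
    ("Bob", "bob@example.com"),
]

# The matching templates as listed in the Database User Persister reference.
CASE_INSENSITIVE_MATCHING = "LOWER( %s ) LIKE LOWER ( ? )"
CASE_INSENSITIVE_EXACT = "LOWER( %s ) = LOWER ( ? )"
CASE_SENSITIVE_MATCHING = "%s LIKE ?"
CASE_SENSITIVE_EXACT = "%s = ?"

# Column names come from configuration (colUserName etc.), never from a request.
# Restricting them to an allow-list is an assumption of this example, not
# something the reference documents.
KNOWN_COLUMNS = {"username", "email"}


def build_condition(template: str, column: str) -> str:
    """Expand a matching template for one configured column.

    Exactly one "%s" (column) and one "?" (bind parameter) must be present;
    anything else is a misconfiguration and is rejected up front.
    """
    if template.count("%s") != 1 or template.count("?") != 1:
        raise ValueError(f"template must contain exactly one %s and one ?: {template!r}")
    if column not in KNOWN_COLUMNS:
        raise ValueError(f"unknown column {column!r}")
    return template.replace("%s", column)


def search_users(conn: sqlite3.Connection, template: str, column: str,
                 search_value: str) -> List[str]:
    """Run a user search with the expanded template; the value is bound, not inlined."""
    condition = build_condition(template, column)
    sql = f"SELECT username FROM users WHERE {condition} ORDER BY username"
    return [row[0] for row in conn.execute(sql, (search_value,))]


def demo_connection() -> sqlite3.Connection:
    """In-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn
```

Because the value is a bind parameter, a search string such as x' OR '1'='1 is compared literally and matches nothing. Note that with the LIKE-based templates the characters "%" and "_" in the search value are wildcards; a caller that needs a literal comparison should use the exact-match templates (or escape those characters) rather than rely on LIKE.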

Database User Store

Description
Provides an efficient user store implementation for relational databases.
Type name
DatabaseUserStoreProvider
Class
com.airlock.iam.core.application.configuration.store.user.DatabaseUserStoreProvider
May be used by
Properties
Database User Persister (databaseUserPersister)
Description
A database user persister whose configuration will be used by the user store.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: DatabaseUserStoreProvider
id: DatabaseUserStoreProvider-xxxxxx
displayName: 
comment: 
properties:
  databaseUserPersister:

Date And Time Context Data

Description
Non-interactive user context data item that stores a date and time value.
Type name
DateAndTimeNonInteractiveUserDataItemDefinition
Class
com.airlock.iam.flow.shared.application.configuration.step.user.data.DateAndTimeNonInteractiveUserDataItemDefinitionConfig
May be used by
Properties
Context Data Item Name (contextDataItemNameConfig)
Description
The name of the context data where the value will be stored.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Date And Time Value Provider (valueProviderConfig)
Description
Provides the date and time value for the context data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: DateAndTimeNonInteractiveUserDataItemDefinition
id: DateAndTimeNonInteractiveUserDataItemDefinition-xxxxxx
displayName: 
comment: 
properties:
  contextDataItemNameConfig:
  valueProviderConfig:

Date And Time Context Data Item

Description
Context Data item of type Date and Time without time zone information (corresponds to java.util.Date).

The database column must be of a date-with-time type (e.g. DATETIME, or TIMESTAMP on Oracle), and the values of this context data item are guaranteed to be of type java.util.Date.

Type name
DateAndTimeContextDataItem
Class
com.airlock.iam.core.application.configuration.contextdata.DateAndTimeContextDataItemConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
Defines the reusable context data item representing the name and type of a value in the context data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Database Column Name (databaseColumnName)
Description
The name of the database column to load into the context data in case it differs from the Context Data Name.
Attributes
String
Optional
Example
self_registration_date
Example
auth_migration_date
Readonly On Update (readonlyOnUpdate)
Description
If enabled, this context data field is treated readonly during updates of the user data. However, the field will still be persisted while inserting the user.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: DateAndTimeContextDataItem
id: DateAndTimeContextDataItem-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  databaseColumnName:
  readonlyOnUpdate: false

Date And Time Context Data Item Name

Description
Context Data item of type Date and Time (a moment in time without timezone information).
Type name
DateAndTimeContextDataItemName
Class
com.airlock.iam.core.application.configuration.contextdata.DateAndTimeContextDataItemNameConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
The name of the context data field under which the date value is stored.
Attributes
String
Mandatory
Example
self_registration_date
Example
auth_migration_date
YAML Template (with default values)

type: DateAndTimeContextDataItemName
id: DateAndTimeContextDataItemName-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:

Date And Time Context Data Value Provider

Description

Provides the date and time value contained in the specified context data item of the user.

Make sure the configured context data item is also configured on the user persister.

Type name
ContextDataDateAndTimeValueProvider
Class
com.airlock.iam.common.application.configuration.valueprovider.contextdata.ContextDataDateAndTimeValueProviderConfig
May be used by
Properties
Context Data Field (contextDataField)
Description
Context data field whose value will be returned.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Mandatory (mandatory)
Description

If enabled, the value provided by this context data item is not allowed to be null.

If this option is enabled and the context data item is null (e.g. if the configured context data is not configured on the user persister), an exception will be thrown at runtime.

Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: ContextDataDateAndTimeValueProvider
id: ContextDataDateAndTimeValueProvider-xxxxxx
displayName: 
comment: 
properties:
  contextDataField:
  mandatory: false

Date And Time Data Transformer

Description
Parses date strings (with time information, without time zone information) according to the specified pattern and converts them to regular context data date objects. The plugin allows parsing date-time strings without a time offset, assuming they represent a date and time in the local time zone. If the input data contains zone information, the Multiple Date Pattern Transformer plugin with a Zoned Date/Time Pattern can be used instead.

Values which have been transformed by this transformer are guaranteed to be of type java.util.Date.

Type name
DateAndTimeDataTransformer
Class
com.airlock.iam.core.misc.util.datatransformer.DateAndTimeDataTransformer
May be used by
Properties
Properties (properties)
Description
Selects the properties to apply the replacement to.
Use the asterisk character ("*") to replace all properties.
Attributes
String-List
Mandatory
Pattern (pattern)
Description
The format pattern of the date/time string representations.
Attributes
String
Mandatory
Example
yyyy-MM-dd HH:mm:ss
YAML Template (with default values)

type: DateAndTimeDataTransformer
id: DateAndTimeDataTransformer-xxxxxx
displayName: 
comment: 
properties:
  pattern:
  properties:

Date And Time From Map Value Provider

Description
Defines a date and time value to be provided from a Value Map Provider and a key. If the key is not present, an empty value (null) is returned.

If the provided value is a string, the value provider will automatically attempt to convert it to a date and time representation.

For this, the provided date-time string must be in ISO8601 format (e.g. 2025-10-27T10:02:00Z).

If the value is an incompatible type, or converting the string is impossible, an error is thrown.

Type name
DateAndTimeFromMapValueProvider
Class
com.airlock.iam.flow.shared.application.configuration.valueprovider.DateAndTimeFromMapValueProviderConfig
May be used by
Properties
Key (key)
Description
Case-sensitive key to select the date and time in the value map.
Attributes
String
Mandatory
Example
registration_date
Example
auth_migration_date
YAML Template (with default values)

type: DateAndTimeFromMapValueProvider
id: DateAndTimeFromMapValueProvider-xxxxxx
displayName: 
comment: 
properties:
  key:
  valueMaps:

Date And Time User Context Data Item

Description
User context data item that stores a date and time value without time zone information.
Type name
DateAndTimeContextDataItemDefinition
Class
com.airlock.iam.flow.shared.application.configuration.item.DateAndTimeContextDataItemDefinitionConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
The context data item in the context data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required (required)
Description
Specifies whether this context data item is required for the step to validate successfully.
Attributes
Boolean
Optional
Default value
true
Validators (validators)
Description
The validators for this context data item.
Attributes
Plugin-List
Optional
Assignable plugins
Input Purpose (inputPurpose)
Description

The input purpose allows labeling data items using standardized values (see https://www.w3.org/TR/WCAG22/#input-purposes).

It is rendered using the HTML attribute "autocomplete". Browsers can use this to automatically fill input fields with data that was previously entered in other fields with the same purpose.

Note that the input purpose provided here will be used in the default Loginapp UI components and is available to custom single-page applications via the REST endpoints */info/retrieve.

If the Loginapp UI is used with configuration-based 'Customized Step UIs', the input purpose has to be defined on the UI elements ('Input UI Element', 'Drop-Down UI Element', 'Date UI Element').

Attributes
String
Optional
YAML Template (with default values)

type: DateAndTimeContextDataItemDefinition
id: DateAndTimeContextDataItemDefinition-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  inputPurpose:
  required: true
  validators:

Date And Time Validator

Description

Validate a date and time.

  • If the date and time value was not specified, the corresponding error type is REQUIRED.
  • If the specified date and time is before the minimum, the corresponding error type is BEFORE_MIN_DATE.
  • If the specified date and time is after the maximum, the corresponding error type is AFTER_MAX_DATE.
Type name
DateAndTimeValidator
Class
com.airlock.iam.common.application.configuration.validation.DefaultDateAndTimeValidatorConfig
May be used by
Properties
Minimum Relative [days] (minRelative)
Description

The "minimum relative value" is the lower limit (earliest possible) for the allowed difference in days from the current date.

Examples: A value of 1 means that tomorrow is the earliest possible date to enter, a value of -365 means that the entered date can be at most one year in the past.

Attributes
Integer
Optional
Min Date (minDate)
Description

The earliest date allowed to be filled in. This cannot be used together with "Minimum Relative" and must be in ISO 8601 format.

Attributes
String
Optional
Example
2011-12-03T10:15:30.000+01:00
Example
2018-02-06T15:58:53.661Z
Maximum Relative [days] (maxRelative)
Description

The "maximum relative value" is the upper limit (latest possible) for the allowed difference in days from the current date. This cannot be used together with "Max Date".

Examples: A value of 1 means that tomorrow is the latest possible date to enter, a value of -365 means that the entered date has to be at least one year in the past. Use this property to configure a minimal required age.

Attributes
Integer
Optional
Max Date (maxDate)
Description

The latest date allowed to be filled in. This cannot be used together with "Maximum Relative" and it must be in ISO 8601 format.

Attributes
String
Optional
Example
2011-12-03T10:15:30.000+01:00
Example
2018-02-06T15:58:53.661Z
YAML Template (with default values)

type: DateAndTimeValidator
id: DateAndTimeValidator-xxxxxx
displayName: 
comment: 
properties:
  maxDate:
  maxRelative:
  minDate:
  minRelative:

Date And Time With Offset Value Provider

Description
Defines a date and time value obtained by offsetting a date and time value by a fixed amount.
Type name
DateAndTimeWithOffsetValueProvider
Class
com.airlock.iam.common.application.configuration.valueprovider.DateAndTimeWithOffsetValueProviderConfig
May be used by
Properties
Date And Time Provider (dateAndTimeProvider)
Description
The date and time value to which an amount is added.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Offset (offsetProvider)
Description

The amount to offset Date And Time Provider by.

A positive offset will result in a later date and time than Date And Time Provider, while a negative offset will result in an earlier date and time.

Attributes
Plugin-Link
Mandatory
Assignable plugins
Unit (unit)
Description
The unit of Offset.
Attributes
Enum
Mandatory
YAML Template (with default values)

type: DateAndTimeWithOffsetValueProvider
id: DateAndTimeWithOffsetValueProvider-xxxxxx
displayName: 
comment: 
properties:
  dateAndTimeProvider:
  offsetProvider:
  unit:

Date Context Data

Description
Non-interactive user context data item that stores a date value.
Type name
DateNonInteractiveUserDataItemDefinition
Class
com.airlock.iam.flow.shared.application.configuration.step.user.data.DateNonInteractiveUserDataItemDefinitionConfig
May be used by
Properties
Context Data Item Name (contextDataItemNameConfig)
Description
The name of the context data where the value will be stored.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Date Value Provider (valueProviderConfig)
Description
Provides the date value for the context data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: DateNonInteractiveUserDataItemDefinition
id: DateNonInteractiveUserDataItemDefinition-xxxxxx
displayName: 
comment: 
properties:
  contextDataItemNameConfig:
  valueProviderConfig:

Date Context Data Item

Description
Context Data item that contains a date (only contains year, month and day but no time information).

The database column must either be of a date type (e.g. DATE; TIMESTAMP and DATETIME will also work where supported) or of a string type (e.g. VARCHAR or CHAR; whitespace is removed automatically), in which case a date pattern must be specified.

The values of this context data item are guaranteed to be of type java.time.LocalDate.

Type name
DateContextDataItem
Class
com.airlock.iam.core.application.configuration.contextdata.DateContextDataItemConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
Defines the reusable context data item representing the name and type of a value in the context data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Database Column Name (databaseColumnName)
Description
The name of the database column to load into the context data in case it differs from the Context Data Name.
Attributes
String
Optional
Example
birthdate
Date Pattern For String Columns (datePatternForStringColumns)
Description
If the database uses a column of any string type (e.g. VARCHAR or CHAR), a date pattern must be specified to convert the value from database to a LocalDate. Invalid values on the database are treated as NULL.
Attributes
String
Optional
Suggested values
yyyy-MM-dd, dd.MM.yyyy
Readonly On Update (readonlyOnUpdate)
Description
If enabled, this context data field is treated readonly during updates of the user data. However, the field will still be persisted while inserting the user.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: DateContextDataItem
id: DateContextDataItem-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  databaseColumnName:
  datePatternForStringColumns:
  readonlyOnUpdate: false

Date Data Transformer

Description
Parses date strings (without time information) according to the specified pattern and converts them to regular context data date objects.

Values which have been transformed by this transformer are guaranteed to be of type java.time.LocalDate.

Type name
DateDataTransformer
Class
com.airlock.iam.core.misc.util.datatransformer.DateDataTransformer
May be used by
Properties
Properties (properties)
Description
Selects the properties to apply the replacement to.
Use the asterisk character ("*") to replace all properties.
Attributes
String-List
Mandatory
Pattern (pattern)
Description
The format pattern of the date string representations.
Attributes
String
Mandatory
Example
yyyy-MM-dd
YAML Template (with default values)

type: DateDataTransformer
id: DateDataTransformer-xxxxxx
displayName: 
comment: 
properties:
  pattern:
  properties:
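
The Date Context Data Item (string columns with a date pattern, invalid values treated as NULL), the Date Data Transformer and the Date And Time Data Transformer all parse text with a Java-style pattern such as yyyy-MM-dd or yyyy-MM-dd HH:mm:ss. The following Python block is an added example, not Airlock IAM code, that shows these three behaviours side by side. It translates only the pattern letters that appear in this reference (yyyy, MM, dd, HH, mm, ss) to strptime directives and refuses any other letter; that restriction, and the decision to fail loudly in the transformer for unparsable values (the reference does not specify that case), are assumptions of the example.

```python
import re
from datetime import date, datetime
from typing import Callable, Dict, Iterable, Optional

# Java pattern letters used in this reference mapped to strptime directives.
# Only these are covered; Java patterns support many more (assumption of the example).
_JAVA_TO_STRPTIME = (
    ("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"),
    ("HH", "%H"), ("mm", "%M"), ("ss", "%S"),
)


def java_pattern_to_strptime(pattern: str) -> str:
    """Translate the supported Java pattern letters; refuse anything unknown."""
    converted = pattern
    for java_letters, directive in _JAVA_TO_STRPTIME:
        converted = converted.replace(java_letters, directive)
    leftover = re.sub(r"%[YmdHMS]", "", converted)
    if re.search(r"[A-Za-z]", leftover):
        raise ValueError(f"unsupported pattern letter in {pattern!r}")
    return converted


def parse_local_date(text: str, pattern: str) -> date:
    """Date Data Transformer: date only, raises ValueError on bad input."""
    return datetime.strptime(text, java_pattern_to_strptime(pattern)).date()


def parse_local_datetime(text: str, pattern: str) -> datetime:
    """Date And Time Data Transformer: naive datetime, i.e. local time without a zone."""
    return datetime.strptime(text, java_pattern_to_strptime(pattern))


def load_string_column(raw: Optional[str], pattern: str) -> Optional[date]:
    """Date Context Data Item semantics for string columns: padding whitespace
    (e.g. from a CHAR column) is removed and a value that does not match the
    pattern is treated as NULL (None)."""
    if raw is None:
        return None
    text = raw.strip()
    if not text:
        return None
    try:
        return parse_local_date(text, pattern)
    except ValueError:
        return None


def transform_properties(record: Dict[str, str], properties: Iterable[str], pattern: str,
                         parse: Callable[[str, str], object] = parse_local_date) -> Dict[str, object]:
    """Apply the pattern to the selected properties; "*" selects all of them.

    Unparsable values raise (the reference leaves this case unspecified; failing
    loudly is this example's choice), so every transformed value really is a date.
    """
    selected = set(properties)
    out: Dict[str, object] = {}
    for key, value in record.items():
        if "*" in selected or key in selected:
            out[key] = parse(value, pattern)
        else:
            out[key] = value
    return out
```

Passing parse_local_datetime as the parse argument gives the Date And Time Data Transformer behaviour for patterns with a time part.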

Date Format

Description
Validates that a date has a valid format. The validity of a format is determined by the language in the UI. For example, with English, the format is mm/dd/yyyy while with German the format is dd.mm.yyyy. Note that this refers to the user-facing format in the UI only - the date format sent via REST still adheres to the standard format as specified by the REST API.
Type name
DateFormatValidation
Class
com.airlock.iam.flow.ui.application.configuration.configurable.validation.DateFormatValidationConfig
May be used by
Properties
Translation Key (translationKey)
Description
The translation key to use for the error message in case the validation fails. A default translation is used when no translation key is configured.
Attributes
String
Optional
YAML Template (with default values)

type: DateFormatValidation
id: DateFormatValidation-xxxxxx
displayName: 
comment: 
properties:
  translationKey:

Date From Map Value Provider

Description
Defines a date value (without time) to be provided from a Value Map Provider and a key. If the key is not present, an empty value (null) is returned.

If the provided value is a string, the provider will attempt to convert it to a date type.

If the format of the string does not match 'yyyy-MM-dd', or the value is an incompatible type, an error is thrown.

Type name
DateFromMapValueProvider
Class
com.airlock.iam.flow.shared.application.configuration.valueprovider.DateFromMapValueProviderConfig
May be used by
Properties
YAML Template (with default values)

type: DateFromMapValueProvider
id: DateFromMapValueProvider-xxxxxx
displayName: 
comment: 
properties:
  key:
  valueMaps:

Date From String Value Provider

Description
Provides a local date from a string.

The string must be of the format YYYY-MM-DD (ISO 8601).

Type name
DateFromStringValueProvider
Class
com.airlock.iam.common.application.configuration.valueprovider.DateFromStringValueProviderConfig
May be used by
Properties
YAML Template (with default values)

type: DateFromStringValueProvider
id: DateFromStringValueProvider-xxxxxx
displayName: 
comment: 
properties:
  stringValueProviderConfig:

Date UI Element

Description
Displays an input field for date.
Type name
ConfigurableUiDate
Class
com.airlock.iam.flow.ui.application.configuration.configurable.ConfigurableUiDateConfig
May be used by
Properties
Label (label)
Description
Label for the input field. The UI treats it as a key to translate. If there is no translation, the configured value is what is shown in the UI.
Attributes
String
Mandatory
Validation RegEx: [a-zA-Z0-9]+((\.|-)[a-zA-Z0-9]+)*
Property (property)
Description
The input field's property. This property will be sent to the server via REST as part of a JSON object. For example, if the property name is 'otp' and the user enters '4123' into the field, the JSON sent to the server will be as follows: {"otp": "4123"}.
Attributes
String
Mandatory
Validation RegEx: [a-zA-Z0-9_]+(\.[a-zA-Z0-9_]+)*
Example
otp
Example
phoneNumber
Placeholder (placeholder)
Description
Displays the placeholder if the field has no value. If empty, the UI will display the expected format of the date as placeholder.
Attributes
String
Optional
Validations (validations)
Description
The validations on the input field. The validator for 'Date Format' is automatically added if not already explicitly configured.
Attributes
Plugin-List
Optional
Assignable plugins
HTML ID (htmlId)
Description
The ID of the element in the HTML. If no ID is set, the 'property' is used as the ID.
Attributes
String
Optional
Validation RegEx: [a-zA-Z0-9_]+
Input Purpose (inputPurpose)
Description

The input purpose allows labeling data items using standardized values (see https://www.w3.org/TR/WCAG22/#input-purposes).

It is rendered using the HTML attribute "autocomplete". Browsers can use this to automatically fill input fields with data that was previously entered in other fields with the same purpose.

Attributes
String
Optional
Suggested values
bday
Submit To Server (submitToServer)
Description
If enabled, this value is submitted to the server. Otherwise, it is only used locally (e.g. to confirm inputs of other fields).
Attributes
Boolean
Optional
Default value
true
Initial Value Query (initialValueQuery)
Description
JSONPath query to fetch the field value from the initial REST call response. Requires an initial REST call to be configured in this custom step UI. If the query yields multiple results, the first one is set as the initial value and all others are discarded.

See the JSONPath documentation for the full documentation: https://github.com/dchester/jsonpath

Examples:

Assume the initial REST call returns the following JSON response:

{
 "meta": {
   "type": "jsonapi.metadata.document",
   "timestamp": "2023-03-10T13:06:01.294+02:00"
 },
 "data": [
  {
    "type": "user",
    "id": "user1",
    "attributes": {
      "contextData": {
         "givenname": "User1",
         "surname": "FSMTest",
         "roles": "customerA"
      }
    }
  },
  {
    "type": "user",
    "id": "user2",
    "attributes": {
      "contextData": {
        "givenname": "User2",
        "surname": "FSMTest",
        "roles": "customerB"
      }
    }
  }
 ]
}

The following table shows the results of various JSONPath queries given the JSON above:

Description | JSONPath Query | Extracted Initial Value
Static path from the root | $.meta.type | jsonapi.metadata.document
The role of the user whose id equals "user1" | $.data[?(@.id == 'user1')].attributes.contextData.roles | customerA
The number of users | $.data.length | 2
All "givenname" attributes. Note: this query yields multiple results; the first one is set as the initial value, the rest is discarded. | $..givenname | User1
Attributes
String
Optional
Example
$..birthdate
Example
$..data[?(@.id == 'birthdate')].attributes.currentValue
YAML Template (with default values)

type: ConfigurableUiDate
id: ConfigurableUiDate-xxxxxx
displayName: 
comment: 
properties:
  htmlId:
  initialValueQuery:
  inputPurpose:
  label:
  placeholder:
  property:
  submitToServer: true
  validations:
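
The Initial Value Query table above is easiest to understand by evaluating the queries against the sample response. The following Python block is an added example, not Airlock IAM code and not the dchester/jsonpath library the reference links to: it implements only the JSONPath constructs used in that table (child access, recursive descent, the equality filter and the JavaScript-style "length" of an array) and applies the documented first-result rule. The sample response is the one shown in the description; rejecting unsupported syntax instead of returning nothing is this example's choice, on the reasoning that the query is deployment configuration and a silently ignored token would pre-fill a field with the wrong value.

```python
import re
from typing import Any, List, Optional

# The sample REST response from the Initial Value Query description.
SAMPLE_RESPONSE = {
    "meta": {
        "type": "jsonapi.metadata.document",
        "timestamp": "2023-03-10T13:06:01.294+02:00",
    },
    "data": [
        {"type": "user", "id": "user1",
         "attributes": {"contextData": {"givenname": "User1", "surname": "FSMTest", "roles": "customerA"}}},
        {"type": "user", "id": "user2",
         "attributes": {"contextData": {"givenname": "User2", "surname": "FSMTest", "roles": "customerB"}}},
    ],
}

# Supported subset: ".name", "..name" and the filter "[?(@.field == 'value')]".
_TOKEN = re.compile(
    r"\.\.(?P<desc>[A-Za-z_][A-Za-z0-9_]*)"
    r"|\.(?P<child>[A-Za-z_][A-Za-z0-9_]*)"
    r"|\[\?\(@\.(?P<ffield>[A-Za-z_][A-Za-z0-9_]*)\s*==\s*'(?P<fval>[^']*)'\)\]"
)


def _children(node: Any, name: str) -> List[Any]:
    """Direct child lookup; ".length" on an array yields its size, as in JavaScript."""
    if isinstance(node, dict) and name in node:
        return [node[name]]
    if isinstance(node, list) and name == "length":
        return [len(node)]
    return []


def _descendants(node: Any, name: str) -> List[Any]:
    """All values stored under `name` anywhere below `node`, in document order."""
    found: List[Any] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == name:
                found.append(value)
            found.extend(_descendants(value, name))
    elif isinstance(node, list):
        for value in node:
            found.extend(_descendants(value, name))
    return found


def query(doc: Any, path: str) -> List[Any]:
    """Evaluate the supported JSONPath subset and return every match."""
    if not path.startswith("$"):
        raise ValueError("JSONPath must start with '$'")
    current: List[Any] = [doc]
    pos = 1
    while pos < len(path):
        match = _TOKEN.match(path, pos)
        if match is None:
            raise ValueError(f"unsupported JSONPath syntax at {path[pos:]!r}")
        pos = match.end()
        nxt: List[Any] = []
        if match.group("desc") is not None:
            for node in current:
                nxt.extend(_descendants(node, match.group("desc")))
        elif match.group("child") is not None:
            for node in current:
                nxt.extend(_children(node, match.group("child")))
        else:
            field, wanted = match.group("ffield"), match.group("fval")
            for node in current:
                if isinstance(node, list):
                    nxt.extend(e for e in node if isinstance(e, dict) and e.get(field) == wanted)
        current = nxt
    return current


def initial_value(doc: Any, path: str) -> Optional[Any]:
    """Initial Value Query rule: the first result wins, all others are discarded."""
    results = query(doc, path)
    return results[0] if results else None
```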

Date User Context Data Item

Description
User context data item that stores a date (only date, no time nor time zone).
Type name
DateContextDataItemDefinition
Class
com.airlock.iam.flow.shared.application.configuration.item.DateContextDataItemDefinitionConfig
May be used by
Properties
Context Data Name (contextDataName)
Description
The context data item in the context data.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Required (required)
Description
Specifies whether this context data item is required for the step to validate successfully.
Attributes
Boolean
Optional
Default value
true
Validators (validators)
Description
The validators for this context data item.
Attributes
Plugin-List
Optional
Assignable plugins
Input Purpose (inputPurpose)
Description

The input purpose allows labeling data items using standardized values (see https://www.w3.org/TR/WCAG22/#input-purposes).

It is rendered using the HTML attribute "autocomplete". Browsers can use this to automatically fill input fields with data that was previously entered in other fields with the same purpose.

Note that the input purpose provided here will be used in the default Loginapp UI components and is available to custom single-page applications via the REST endpoints */info/retrieve.

If the Loginapp UI is used with configuration-based 'Customized Step UIs', the input purpose has to be defined on the UI elements ('Input UI Element', 'Drop-Down UI Element', 'Date UI Element').

Attributes
String
Optional
Suggested values
bday
YAML Template (with default values)

type: DateContextDataItemDefinition
id: DateContextDataItemDefinition-xxxxxx
displayName: 
comment: 
properties:
  contextDataName:
  inputPurpose:
  required: true
  validators:

Date User Profile Item

Description
Plugin to hold a configurable user profile item of type date (potentially including time information). This corresponds to a text input field whose value is added to the user's context data, provided that the property name matches the property name in the configured user data. The date format can be configured, as can the acceptable date ranges; these can be absolute dates or a number of days relative to the current day.
Type name
DateUserProfileItem
Class
com.airlock.iam.common.application.configuration.userprofile.DateUserProfileItemConfig
May be used by
Properties
Date Format (dateFormat)
Description
Defines the date format of this item. The format is used for server-side validations and must correspond to other config options, such as "Earliest Date" and "Latest Date".
Attributes
String
Optional
Default value
dd.MM.yyyy
Allowed values
dd.MM.yyyy, dd-MM-yyyy, MM-dd-yyyy
Minimum Relative [days] (minRelative)
Description

The "minimum relative value" is the lower limit (earliest possible) for the allowed difference in days from the current date.

Examples: A value of 1 means that tomorrow is the earliest possible day to enter, a value of -365 means that the entered date can be at most one year in the past.

Attributes
Integer
Optional
Earliest Date (minDate)
Description

The earliest date allowed to be filled in. This cannot be used together with "Minimum Relative" and must be in the same format as specified in "Date Format".

Attributes
String
Optional
Maximum Relative [days] (maxRelative)
Description

The "maximum relative value" is the upper limit (latest possible) for the allowed difference in days from the current date. This cannot be used together with "Max Date".

Examples: A value of 1 means that tomorrow is the latest possible day to enter, a value of -365 means that the entered date has to be at least one year in the past. Use this property to configure a minimal required age.

Attributes
Integer
Optional
Latest Date (maxDate)
Description

The latest date allowed to be filled in. This cannot be used together with "Maximum Relative" and it must be in the same format as specified in "Date Format".

Attributes
String
Optional
Date Transformation (dateTransformation)
Description
Defines how the date value should be transformed before it is persisted.
  • DATE: the date value is transformed to a java.util.Date object (date with time, where all time values are set to 0).
    Use 'Date And Time Context Data Item Config' for the corresponding context data item in the persister.
  • LOCAL_DATE: the date value is transformed to a java.time.LocalDate object (date only).
    Use 'Local Date Context Data Item Config' for the corresponding context data item in the persister.
  • STRING: the date value is transformed to a String as defined by "Date Format".
    Use 'String Context Data Item Config' for the corresponding context data item in the persister.
Attributes
Enum
Optional
Default value
LOCAL_DATE
String Resource Key (stringResourceKey)
Description
String identifier for the language-specific string tables.
Attributes
String
Mandatory
Example
userdata.label.salutation
Example
userdata.label.firstname
Example
userdata.label.lastname
Example
userdata.label.email
Example
userdata.label.nationality
Example
userdata.label.birthdate
Example
userdata.label.street
Example
userdata.label.street-number
Example
userdata.label.address2
Example
userdata.label.zipcode
Example
userdata.label.town
Example
userdata.label.state
Example
userdata.label.country
Example
userdata.label.company
Example
userdata.label.department
Example
userdata.label.office-phone
Example
userdata.label.mobile-phone
Example
userdata.label.language
Example
userdata.label.correspondence-language
Example
userdata.label.realm
Property Name (propertyName)
Description
Name of the context-data field in which the value is stored.
Attributes
String
Mandatory
Example
surname
Example
givenname
Example
email
Example
mtan_number
Optional (optional)
Description
If this field is optional or mandatory for the user.
Attributes
Boolean
Optional
Default value
true
Modifiable (modifiable)
Description
Indicates if the user is allowed to change this property once it is set. Specifically, if this flag is set to false, then during self-registration the property could be set, but when editing the user data, this property would be read-only.
Attributes
Boolean
Optional
Default value
true
Validate Only Changed Values (validateOnlyChangedValues)
Description
If enabled, only values that have been changed by the user (compared to the data loaded from the data layer) are validated.
Attributes
Boolean
Optional
Default value
true
Sortable (sortable)
Description
If enabled, the attribute is sortable in the user list if the underlying user iterator supports sorting.
Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: DateUserProfileItem
id: DateUserProfileItem-xxxxxx
displayName: 
comment: 
properties:
  dateFormat: dd.MM.yyyy
  dateTransformation: LOCAL_DATE
  maxDate:
  maxRelative:
  minDate:
  minRelative:
  modifiable: true
  optional: true
  propertyName:
  sortable: true
  stringResourceKey:
  validateOnlyChangedValues: true

Date Validator

Description

Validate a date.

  • If the date was not specified, the corresponding error type is REQUIRED.
  • If the specified date is before the minimum, the corresponding error type is BEFORE_MIN_DATE.
  • If the specified date is after the maximum, the corresponding error type is AFTER_MAX_DATE.
Type name
DateValidator
Class
com.airlock.iam.common.application.configuration.validation.DefaultDateValidatorConfig
May be used by
Properties
Minimum Relative [days] (minRelative)
Description

The "minimum relative value" is the lower limit (earliest possible) for the allowed difference in days from the current date.

Examples: A value of 1 means that tomorrow is the earliest possible date to enter, a value of -365 means that the entered date can be at most one year in the past.

Attributes
Integer
Optional
Min Date (minDate)
Description

The earliest date allowed to be filled in. This cannot be used together with "Minimum Relative" and must be in ISO 8601 format.

Attributes
String
Optional
Example
2011-12-03
Example
2018-02-06
Maximum Relative [days] (maxRelative)
Description

The "maximum relative value" is the upper limit (latest possible) for the allowed difference in days from the current date. This cannot be used together with "Max Date".

Examples: A value of 1 means that tomorrow is the latest possible date to enter, a value of -365 means that the entered date has to be at least one year in the past. Use this property to configure a minimal required age.

Attributes
Integer
Optional
Max Date (maxDate)
Description

The latest date allowed to be filled in. This cannot be used together with "Maximum Relative" and it must be in ISO 8601 format.

Attributes
String
Optional
Example
2011-12-03
Example
2018-02-06
YAML Template (with default values)

type: DateValidator
id: DateValidator-xxxxxx
displayName: 
comment: 
properties:
  maxDate:
  maxRelative:
  minDate:
  minRelative:
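
The Date Validator, the Date And Time Validator and the range options of the Date User Profile Item share one rule set: a relative bound is an offset in days from the current date, an absolute bound is an ISO 8601 date, the two kinds must not be combined on the same side, and the outcome is one of the error types REQUIRED, BEFORE_MIN_DATE and AFTER_MAX_DATE. The following Python block is an added example, not Airlock IAM code, that re-implements those rules for the date-only case (the date-and-time variant differs only in the parsed type). Values and the reference date are passed as ISO 8601 strings, as the REST API sends them; the class and its method names are this example's own.

```python
from datetime import date, timedelta
from typing import Optional, Tuple

# Error types as listed in the Date Validator reference.
REQUIRED = "REQUIRED"
BEFORE_MIN_DATE = "BEFORE_MIN_DATE"
AFTER_MAX_DATE = "AFTER_MAX_DATE"


class DateValidator:
    """Re-implementation of the documented bounds (example code, not the product's)."""

    def __init__(self, min_relative: Optional[int] = None, min_date: Optional[str] = None,
                 max_relative: Optional[int] = None, max_date: Optional[str] = None):
        # The reference states that a relative and an absolute bound on the same
        # side cannot be used together; reject such a configuration up front.
        if min_relative is not None and min_date is not None:
            raise ValueError("minRelative and minDate cannot be used together")
        if max_relative is not None and max_date is not None:
            raise ValueError("maxRelative and maxDate cannot be used together")
        self.min_relative = min_relative
        self.max_relative = max_relative
        self.min_date = date.fromisoformat(min_date) if min_date else None
        self.max_date = date.fromisoformat(max_date) if max_date else None

    def bounds(self, today: date) -> Tuple[Optional[date], Optional[date]]:
        """Resolve both limits to absolute dates; relative limits are days from today."""
        lower = self.min_date
        if self.min_relative is not None:
            lower = today + timedelta(days=self.min_relative)
        upper = self.max_date
        if self.max_relative is not None:
            upper = today + timedelta(days=self.max_relative)
        return lower, upper

    def validate(self, value: Optional[str], today: Optional[str] = None) -> Optional[str]:
        """Return the error type for an ISO 8601 date string, or None if it is acceptable.

        A string that is not a valid ISO 8601 date raises ValueError: format checking
        is the job of the UI-side Date Format validation, not of this validator.
        """
        if value is None or value == "":
            return REQUIRED
        submitted = date.fromisoformat(value)
        reference = date.fromisoformat(today) if today else date.today()
        lower, upper = self.bounds(reference)
        if lower is not None and submitted < lower:
            return BEFORE_MIN_DATE
        if upper is not None and submitted > upper:
            return AFTER_MAX_DATE
        return None
```

Because relative bounds count days rather than calendar years, a minimum age configured as a negative maxRelative (for example -365 for "at least one year in the past") shifts by one day for every leap day in the interval; an absolute maxDate does not have that drift but must be maintained over time.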

Date-Time From String Value Provider

Description
Parses and provides a date and time value from a string.
Type name
DateAndTimeFromStringValueProvider
Class
com.airlock.iam.common.application.configuration.valueprovider.DateAndTimeFromStringValueProviderConfig
May be used by
Properties
String Value Provider (stringValueProvider)
Description
The string to convert to a date.

Examples of strings supported by the default formats:

  • 2011-12-03T10:15:30+01:00
  • 2011-12-03T10:15:30+0100
  • 2011-12-03T10:15:30+01
  • 2011-12-03T10:15:30.000+01:00
  • 2011-12-03T10:15:30.000+0100
  • 2011-12-03T10:15:30.000+01
  • 2011-12-03T10:15:30Z
  • 2011-12-03T10:15:30.000Z

Attributes
Plugin-Link
Mandatory
Assignable plugins
Formats (formats)
Description

The date and time formats used to parse the value provided by String Value Provider.

The format is interpreted as specified in the java.text.SimpleDateFormat documentation.

Each format is tried sequentially, until a format matches. One of the formats must match, else an exception is thrown.

Attributes
String-List
Optional
Default value
[yyyy-MM-dd'T'HH:mm:ssX, yyyy-MM-dd'T'HH:mm:ss.SSSX]
YAML Template (with default values)

type: DateAndTimeFromStringValueProvider
id: DateAndTimeFromStringValueProvider-xxxxxx
displayName: 
comment: 
properties:
  formats: [yyyy-MM-dd'T'HH:mm:ssX, yyyy-MM-dd'T'HH:mm:ss.SSSX]
  stringValueProvider:
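
The following Java class is an added example, not Airlock IAM code: it reproduces the try-each-format behaviour of the Formats property with java.text.SimpleDateFormat, the class whose pattern syntax the property uses. The requireFullMatch switch is this example's own assumption; the reference does not say whether IAM insists that the whole string is consumed. Two SimpleDateFormat properties matter when the string comes from an untrusted request parameter: DateFormat.parse(String) ignores characters after the last field it matched, which is how a single-X pattern accepts the listed +01:00 and +0100 forms (it reads +01 and never looks at the minutes, so an offset such as +05:30 silently becomes +05:00, and trailing text is not rejected), and the default lenient mode rolls out-of-range fields over instead of rejecting them. The second parser in main shows explicit XXX/XX/X patterns with full-match checking, which parses every listed form and keeps the offset minutes.

```java
import java.text.ParsePosition;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.List;
import java.util.Locale;
import java.util.TimeZone;

/** Added example: tries a list of SimpleDateFormat patterns in order, like the Formats property. */
public final class SequentialDateParser {

    private final List<String> patterns;
    private final boolean requireFullMatch;   // assumption of this example, not documented IAM behaviour

    public SequentialDateParser(List<String> patterns, boolean requireFullMatch) {
        this.patterns = List.copyOf(patterns);
        this.requireFullMatch = requireFullMatch;
    }

    /** Returns the first successful parse; throws when no configured format matches. */
    public Date parse(String value) {
        for (String pattern : patterns) {
            // SimpleDateFormat is not thread-safe: build one per call instead of sharing an instance
            SimpleDateFormat fmt = new SimpleDateFormat(pattern, Locale.ROOT);
            fmt.setLenient(false);                          // reject e.g. month 13 instead of rolling it over
            fmt.setTimeZone(TimeZone.getTimeZone("UTC"));   // only used when the pattern has no zone field
            ParsePosition pos = new ParsePosition(0);
            Date parsed = fmt.parse(value, pos);            // null on mismatch, never throws
            if (parsed == null) {
                continue;                                   // try the next format
            }
            if (requireFullMatch && pos.getIndex() != value.length()) {
                continue;                                   // characters left over after the last field
            }
            return parsed;
        }
        throw new IllegalArgumentException("No configured format matches: " + value);
    }

    private static String describe(SequentialDateParser parser, String input) {
        try {
            return parser.parse(input).toInstant().toString();
        } catch (IllegalArgumentException e) {
            return "rejected";
        }
    }

    public static void main(String[] args) {
        // The reference's default Formats value, applied like DateFormat.parse(String):
        // whatever follows the last matched field is ignored.
        SequentialDateParser defaults = new SequentialDateParser(
                List.of("yyyy-MM-dd'T'HH:mm:ssX", "yyyy-MM-dd'T'HH:mm:ss.SSSX"), false);

        // One pattern per ISO 8601 offset spelling, most specific first, full match required.
        SequentialDateParser strict = new SequentialDateParser(List.of(
                "yyyy-MM-dd'T'HH:mm:ssXXX", "yyyy-MM-dd'T'HH:mm:ssXX", "yyyy-MM-dd'T'HH:mm:ssX",
                "yyyy-MM-dd'T'HH:mm:ss.SSSXXX", "yyyy-MM-dd'T'HH:mm:ss.SSSXX", "yyyy-MM-dd'T'HH:mm:ss.SSSX"),
                true);

        // Constructed inputs: the first two are forms listed in the reference, the others probe the edges.
        List<String> inputs = List.of(
                "2011-12-03T10:15:30+01:00",   // single X reads "+01" and skips ":00"
                "2011-12-03T10:15:30.000Z",
                "2011-12-03T10:15:30+05:30",   // half-hour offset: single X keeps only the hour
                "2011-12-03T10:15:30Zjunk");   // trailing text: ignored unless a full match is required

        for (String input : inputs) {
            System.out.printf("%-28s defaults: %-22s strict: %s%n",
                    input, describe(defaults, input), describe(strict, input));
        }
    }
}
```

Run with java SequentialDateParser.java (Java 11 or newer). The strict variant is the one to prefer when the parsed instant feeds a security decision such as a validity window, because an offset or trailing text that is silently dropped changes the instant without any error.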

Date/Time Input Token Controller Element

Description
Renders an input field with a date picker for a date property.
Type name
DateInputTokenControllerUiElement
Class
com.airlock.iam.admin.application.configuration.generic.ui.DateInputTokenControllerUiElementConfig
May be used by
Properties
Label (label)
Description
Label for the field. The UI treats it as a key to translate. If there is no translation, the label is shown in the UI as is.
Attributes
String
Mandatory
Example
userdata.label.birthdate
Property (property)
Description
The property to use as value for this field.

The referenced property must be available in the attributes value of the generic token REST call response. If the property is nested, e.g. inside the contextData key, it can be referenced with dot notation (see example values).

The ID of the response is referenced by using the reserved value @id.

Attributes
String
Mandatory
Example
orderDate
Example
contextData.birthdate
Example
@id
Placeholder (placeholder)
Description
Displays a placeholder when the field has no value. The placeholder is not interpreted as value and disappears when typing in the field.
Attributes
String
Optional
Required (required)
Description
Whether this field must have a value when the token is added or updated. Required fields are marked with an asterisk.
Attributes
Boolean
Optional
Default value
false
Date-only (dateOnly)
Description
If enabled, the date is handled without time. The date picker changes accordingly. The referenced property must be of a matching date type, e.g. a "Date Context Data Item".
Attributes
Boolean
Optional
Default value
false
Read-only (readOnly)
Description
If enabled, the field is read-only and cannot be altered by administrators via the UI.
Attributes
Boolean
Optional
Default value
false
Hide If Empty (hideIfEmpty)
Description
If enabled, this UI element is hidden if it has no value.
Attributes
Boolean
Optional
Default value
false
YAML Template (with default values)

type: DateInputTokenControllerUiElement
id: DateInputTokenControllerUiElement-xxxxxx
displayName: 
comment: 
properties:
  dateOnly: false
  hideIfEmpty: false
  label:
  placeholder:
  property:
  readOnly: false
  required: false

Default Account Link Linking Flow

Description

Simple configuration for an account link linking self-service flow.

The following steps are automatically generated:

  • An Account Link Linking Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Type name
DefaultAccountLinkLinkingFlow
Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultAccountLinkLinkingFlowConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: DefaultAccountLinkLinkingFlow
id: DefaultAccountLinkLinkingFlow-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  flowId:

Default Account Link Removal Flow

Description

Simple configuration for an account link removal self-service flow.

The following steps are automatically generated:

  • An Account Link Removal Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Type name
DefaultAccountLinkDeletionFlow
Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultAccountLinkDeletionFlowConfig
May be used by
License-Tags
OAuthAccountLinking
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: DefaultAccountLinkDeletionFlow
id: DefaultAccountLinkDeletionFlow-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  flowId:

Default Aggregate Report Strategy

Description
Default aggregator that should be sufficient for most aggregate reports. The parameter map passed to the template contains the following data:

Key                         Value
aggr_count                  <number of reports>
aggr_langs                  <list of all languages>
aggr_filenames              <list of all file names>
<key Param1>                <list of all Param1 values>
<key Param1>.aggr_first     <value of this parameter in the first report>
<key Param1>.aggr_last      <value of this parameter in the last report>

All parameters passed to the reports are listed as <key Param1>. All lists keep the order in which the reports were generated (first generated report at position 0).

Type name
DefaultAggregateReportStrategy
Class
com.airlock.iam.core.misc.util.report.aggregation.DefaultAggregateReportStrategy
May be used by
Properties
YAML Template (with default values)

type: DefaultAggregateReportStrategy
id: DefaultAggregateReportStrategy-xxxxxx
displayName: 
comment: 
properties:
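
The following Java class is an added example, not the strategy's own implementation: it builds the parameter map described above from a constructed batch of reports, so a template author can see exactly which keys and list positions to expect. The Report record, the sample parameters, the null placeholder for a parameter that a report does not carry and the rejection of parameter names that collide with the aggr_* keys are all assumptions of this example.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added example: builds the aggregate parameter map from per-report parameters. */
public final class AggregateParams {

    /** One generated report: language, file name and the parameters it was rendered with (constructed stand-in). */
    public record Report(String lang, String fileName, Map<String, Object> params) {}

    public static Map<String, Object> aggregate(List<Report> reports) {
        if (reports.isEmpty()) {
            throw new IllegalArgumentException("at least one report is required");
        }
        Map<String, Object> out = new LinkedHashMap<>();
        out.put("aggr_count", reports.size());
        out.put("aggr_langs", reports.stream().map(Report::lang).toList());
        out.put("aggr_filenames", reports.stream().map(Report::fileName).toList());

        // union of all parameter keys, in first-seen order
        Set<String> keys = new LinkedHashSet<>();
        for (Report r : reports) {
            keys.addAll(r.params().keySet());
        }

        for (String key : keys) {
            if (out.containsKey(key)) {   // assumption: aggr_* names are reserved for the aggregator
                throw new IllegalArgumentException("report parameter collides with reserved key: " + key);
            }
            // one entry per report, in generation order; null keeps positions aligned
            // when a report lacks the parameter (assumption of this example)
            List<Object> values = new ArrayList<>();
            for (Report r : reports) {
                values.add(r.params().get(key));
            }
            out.put(key, values);
            out.put(key + ".aggr_first", values.get(0));
            out.put(key + ".aggr_last", values.get(values.size() - 1));
        }
        return out;
    }

    public static void main(String[] args) {
        // constructed batch of three letter reports
        List<Report> batch = List.of(
                new Report("de", "letter-0001.pdf", Map.of("username", "alice", "letterId", "L-1")),
                new Report("fr", "letter-0002.pdf", Map.of("username", "bob", "letterId", "L-2")),
                new Report("de", "letter-0003.pdf", Map.of("username", "carol", "letterId", "L-3")));
        aggregate(batch).forEach((key, value) -> System.out.println(key + " = " + value));
    }
}
```

Run with java AggregateParams.java (Java 17 or newer). Because the per-parameter values are lists, a template that prints <key Param1> directly renders the whole list; use the .aggr_first and .aggr_last keys, or index into the list, to address a single report's value.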

Default Authentication Processor

Description
Processor that performs the necessary actions related to authentication, such as audit logging, tracking used authentication methods, updating login statistics, renewing session ID and executing the configured behavior upon existing sessions.
Type name
DefaultAuthenticationProcessor
Class
com.airlock.iam.authentication.application.configuration.processor.DefaultAuthenticationProcessorConfig
May be used by
Properties
Update Login Statistics (updateLoginStatistics)
Description

Login statistics (timestamps, login counts, etc.) are updated whenever a user successfully completes the first authentication flow of a session. Upon completing additional authentication flows in the same session (e.g. step-ups), the statistics are not updated.

If disabled, the login statistics are never updated when completing this flow.

Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: DefaultAuthenticationProcessor
id: DefaultAuthenticationProcessor-xxxxxx
displayName: 
comment: 
properties:
  updateLoginStatistics: true

Default Authentication Processors

Description

This plugin automatically configures a list of essential flow processors for authentication flows.

The processors are configured in this order:

  1. CAPTCHA Processor
  2. User Identification Processor
  3. Latest Authentication Feedback Processor (only if enabled)
  4. Default Authentication Processor
  5. Factor Use Reporting Processor
  6. Failed Factor Attempts Processor (with strict counting)
  7. Renew Session ID Processor
  8. User Validity Processor
  9. Login History Processor (only if enabled)
  10. Unlock Attempts Reset Processor
  11. Device Usage Processor
  12. Set UI Tenant ID Processor
Type name
DefaultAuthenticationProcessors
Class
com.airlock.iam.authentication.application.configuration.processor.DefaultAuthenticationProcessorsConfig
May be used by
Properties
Add Latest Authentication Feedback (addLatestAuthenticationFeedback)
Description
If enabled, adds the "Latest Authentication Feedback Processor" to the list of authentication processors.
The latest authentication information is provided in all flow step results (REST responses) after successfully identifying the user. In addition, the Loginapp UI displays this information on selected second factor pages.

Note: the feedback is returned as soon as the user has been identified. If an authentication flow starts with a user identification step that does not verify an authentication factor (e.g. password, remember-me cookie, SSO ticket, ...), anyone who submits a username receives that user's latest authentication information, which is unwanted information leakage.

Attributes
Boolean
Optional
Default value
false
Write Login History (writeLoginHistory)
Description
If enabled, an entry is added to the login history repository after a successful authentication in an authentication flow. Within a session, only a single entry is written into the login history database per successful login, even if a user completes the same or another authentication flow multiple times. This adds the "Login History Processor" to the list of authentication processors.
Attributes
Boolean
Optional
Default value
false
Update Login Statistics (updateLoginStatistics)
Description

Login statistics (timestamps, login counts, etc.) are updated whenever a user successfully completes the first authentication flow of a session. Upon completing additional authentication flows in the same session (e.g. step-ups), the statistics are not updated.

If disabled, the login statistics are never updated when completing this flow.

Attributes
Boolean
Optional
Default value
true
YAML Template (with default values)

type: DefaultAuthenticationProcessors
id: DefaultAuthenticationProcessors-xxxxxx
displayName: 
comment: 
properties:
  addLatestAuthenticationFeedback: false
  updateLoginStatistics: true
  writeLoginHistory: false

Default Authorization Processors

Description
This plugin uses the following processors for standard authorization flows:
  • User Validity Processor
  • Factor Use Reporting Processor
Type name
DefaultAuthorizationProcessors
Class
com.airlock.iam.authentication.application.configuration.processor.DefaultAuthorizationProcessorsConfig
May be used by
Properties
YAML Template (with default values)

type: DefaultAuthorizationProcessors
id: DefaultAuthorizationProcessors-xxxxxx
displayName: 
comment: 
properties:

Default Cronto Device Removal Flow

Description

Simple configuration for a Cronto device removal self-service flow.

The following steps are automatically generated:

  • A Delete Cronto Device Initiation Step.
  • An Apply Changes Step

The access condition of the flow is always a Cronto Device Removal Possible condition.

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Type name
DefaultCrontoDeviceDeletionFlow
Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoDeviceDeletionFlowConfig
May be used by
License-Tags
Cronto
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Allow Deleting Last Device (allowDeletingLastDevice)
Description
If enabled, the user's last device can be deleted as well. This can leave the user without any means to log in again.
Attributes
Boolean
Optional
Default value
false
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. The "Access Condition" is always the Cronto Device Removal Possible condition and cannot be configured here. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: DefaultCrontoDeviceDeletionFlow
id: DefaultCrontoDeviceDeletionFlow-xxxxxx
displayName: 
comment: 
properties:
  allowDeletingLastDevice: false
  authorizationCondition:
  crontoHandler:
  flowId:

Default Cronto Device Renaming Flow

Description

Simple configuration for a Cronto device renaming self-service flow.

The following steps are automatically generated:

  • A Cronto Device Selection Step.
  • A Rename Cronto Device Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Type name
DefaultCrontoDeviceRenamingFlow
Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoDeviceRenamingFlowConfig
May be used by
License-Tags
Cronto
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: DefaultCrontoDeviceRenamingFlow
id: DefaultCrontoDeviceRenamingFlow-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  crontoHandler:
  flowId:

Default Cronto Login Message Provider

Description

Provides the default Cronto login message.

This plugin configures a Generic Cronto Message Provider for the translation string cronto.login-message with the two value map providers for the user's context-data and user statistics.

Type name
DefaultCrontoLoginMessageProvider
Class
com.airlock.iam.flow.shared.application.configuration.message.DefaultCrontoLoginMessageProviderConfig
May be used by
License-Tags
Cronto
Properties
Cronto Handler (crontoHandler)
Description
Cronto Handler to determine if a message is small enough to be encoded as a cryptogram. This is used for "shrinking" the growable message until it fits into a cryptogram. If it cannot be shrunk enough, an exception is thrown.
Attributes
Plugin-Link
Mandatory
Assignable plugins
YAML Template (with default values)

type: DefaultCrontoLoginMessageProvider
id: DefaultCrontoLoginMessageProvider-xxxxxx
displayName: 
comment: 
properties:
  crontoHandler:

Default Disable Cronto Device Flow

Description

Simple configuration for a self-service flow to disable a Cronto device.

The following steps are automatically generated:

  • A Disable Cronto Device Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Type name
DefaultCrontoDeviceDisablingFlow
Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoDeviceDisablingFlowConfig
May be used by
License-Tags
Cronto
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: DefaultCrontoDeviceDisablingFlow
id: DefaultCrontoDeviceDisablingFlow-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  crontoHandler:
  flowId:

Default Disable Cronto Push Flow

Description

Simple configuration for a self-service flow to disable Cronto push notification.

The following steps are automatically generated:

  • A Disable Cronto Push Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Type name
DefaultCrontoPushDisablingFlow
Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoPushDisablingFlowConfig
May be used by
License-Tags
Cronto
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: DefaultCrontoPushDisablingFlow
id: DefaultCrontoPushDisablingFlow-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  crontoHandler:
  flowId:

Default Disable FIDO Credential Flow

Description

Simple configuration for a self-service flow to disable a FIDO credential.

The following steps are automatically generated:

  • A Disable FIDO Credential Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Type name
DefaultFidoCredentialDisablingFlow
Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultFidoCredentialDisablingFlowConfig
May be used by
License-Tags
FIDO
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
FIDO Settings (fidoSettings)
Description
Settings for FIDO.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference to the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: DefaultFidoCredentialDisablingFlow
id: DefaultFidoCredentialDisablingFlow-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  fidoSettings:
  flowId:

Default Enable Cronto Device Flow

Description

Simple configuration for a self-service flow to enable a Cronto device.

The following steps are automatically generated:

  • An Enable Cronto Device Initiation Step.
  • An Apply Changes Step

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Type name
DefaultCrontoDeviceEnablingFlow
Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoDeviceEnablingFlowConfig
May be used by
License-Tags
Cronto
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Cronto Handler (crontoHandler)
Description
Plugin to handle all Cronto-specific actions.
Attributes
Plugin-Link
Mandatory
Assignable plugins
Access Condition (accessCondition)
Description

Precondition that must be fulfilled for a user to access this flow.

Note the difference to the "Authorization Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
Authorization Condition (authorizationCondition)
Description
Precondition that must be fulfilled for the user to be authorized to access this flow without further authentication. Note the difference from the "Access Condition":
  • Access Condition: This condition determines whether a user is allowed to access a service at all. If this condition is not fulfilled, there is nothing that can be done (at least not immediately). Typical examples include having a certain authentication token, or a certain static role. This condition is always checked before the Authorization Condition and if it fails, the REST response has status 403 with error code PRECONDITION_NOT_FULFILLED.
  • Authorization Condition: This condition determines whether the user is currently authorized to access a service. It is expected that completing another authentication flow (step-up) would enable the user to then fulfill the condition. The typical authorization condition checks whether the user has obtained a certain tag (or combination of tags). If the condition fails, the REST response has status 403 with error code NOT_AUTHORIZED.
Attributes
Plugin-Link
Optional
Assignable plugins
YAML Template (with default values)

type: DefaultCrontoDeviceEnablingFlow
id: DefaultCrontoDeviceEnablingFlow-xxxxxx
displayName: 
comment: 
properties:
  accessCondition:
  authorizationCondition:
  crontoHandler:
  flowId:

Default Enable Cronto Push Flow

Description

Simple configuration for a self-service flow to enable Cronto push notification.

The following steps are automatically generated:

  • An Enable Cronto Push Initiation Step.
  • An Apply Changes Step.

If more advanced features are needed, a Custom Protected Self-Service Flow can be configured.

Type name
DefaultCrontoPushEnablingFlow
Class
com.airlock.iam.selfservice.application.configuration.flow.DefaultCrontoPushEnablingFlowConfig
May be used by
License-Tags
Cronto
Properties
Flow ID (flowId)
Description
Unique ID for this flow, which is used for selecting or referencing a flow.
Attributes
Plugin-Link
Mandatory
Assignable plugins