Managing tenants
A tenant is the entity for the definition and operation of IAM configurations and the corresponding end-user data set. Each tenant allows you to operate one Airlock IAM instance. A tenant is a separate unit and does not share any data with another tenant.
One organization will usually have one tenant that operates in a production environment. It is possible to have additional non-production tenants for trying out new configurations.
Tenants can be created, viewed, edited and deleted.
Prerequisites
To manage tenants, including their TLS settings, the roles AMC - Manage tenants and AMC - Manage TLS configuration are required. These roles are by default part of the SaaS Administrator role, but can also be assigned separately to an administrator. See also SaaS roles and permissions.
Location in the SaaS Management Center
You manage tenants and their TLS settings in the Tenants dialog of the SaaS Management Center. For this, go to Administration > Tenants.
Creating a tenant
- In the Tenants dialog, click the Create a tenant button.
- Specify the fields in the appearing window:
- Color: Select a color to identify your tenant more easily. This color will be shown in the sidebar of the SaaS Management Center when this tenant is selected. It is also the background color of the corresponding tenant IAM Adminapp where administrators manage the end-users of the associated customer application(s).
- Data center: Enter the region of the data center where the corresponding IAM instance will be deployed. Currently only one region (Switzerland North) is available.
- Service level: This property specifies the service level and availability of Airlock IAM used by the tenant. Currently, there are two service levels: Non-production, to test and try out Airlock IAM, and Production, to use Airlock IAM in a production environment.
- Notice
Before creating a Production service level tenant, ensure every administrator in the organization has been migrated to Airlock 2FA.
- Notice
The Service level setting cannot be changed after the tenant is created.
- Click Create to create the tenant.
- The tenant is created. The next dialog shows the settings of the newly created tenant.
- Notice
Next to the Tenant tab are the TLS (Loginapp), TLS (Adminapp) and the TLS (Transaction approval) tabs, which specify the respective TLS settings. By default, regular TLS is used to secure the connection between the server and the client. However, we strongly recommend using mutual TLS for added security. For more information, see Editing the TLS settings further below.
- To get the tenant instance up and running, apply an initial working configuration using the Getting started wizard. Go to Getting started.
- Functional limitation
Currently (Q4 2025), only Airlock SEC actors have the permission to complete the Getting started wizard.
Viewing and editing a tenant
To view and edit the details of an existing tenant, click the respective tenant's entry in the list of tenants in the Tenants dialog. The next dialog shows the settings of the selected tenant and its TLS settings.
- Select the Tenant tab to modify the tenant's name, color or data center (only possible as long as the tenant has not been deployed yet). Additionally, you can deactivate and reactivate the Getting started wizard here by clicking the Disable/Enable Getting Started button.
- Select the TLS (Loginapp), TLS (Adminapp) or TLS (Transaction approval) tab to modify the respective TLS settings. For more information, see Editing the TLS settings.
Deleting a tenant
To delete a tenant, click the respective tenant's entry in the list of tenants in the Tenants dialog. The next dialog shows the settings of the selected tenant. Click the red Delete button at the bottom of the dialog. Confirm the deletion in the following popup window.
Deleting a tenant cannot be undone.
Editing the TLS settings
By default, regular TLS is used to secure the connection between the server and the client. We strongly recommend using mutual TLS for added security.
To edit the TLS settings of a tenant, click the respective tenant's entry in the Tenants dialog. The next dialog shows the TLS settings of the selected tenant.
Proceed as follows to enable mutual TLS:
- Select the TLS (Loginapp), the TLS (Adminapp) or the TLS (Transaction approval) tab to modify the respective TLS settings.
- By default, the option Regular TLS is enabled. For enhanced security, select Mutual TLS.
- Provide the URL of the tenant Loginapp, the CA and server certificates as well as the subject alternative names of your domain as required.
- The Loginapp URL is the URL to the login page where end-users will authenticate. If (the configuration of) this tenant is activated, you will find a link to the login page in the Airlock Console. For this, go to Operation > Active configuration, then click the Tenant login link in the Current configuration section.
- You could use the following command to create a root CA:
- Click Save.
- The mTLS settings will be applied immediately to your running Airlock IAM.
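The certificate step above mentions creating a root CA. The following is an added example, not the command from the original documentation: one way to create a root CA with OpenSSL, issue a server certificate carrying a subject alternative name, and check the chain and the SAN before providing the files. The hostname login.example.com, the subject names, the RSA key size and the lifetimes are assumptions; this page does not state Airlock's requirements for them.

```shell
#!/bin/sh
# Added example. Hostname, key size and lifetimes are assumptions, not Airlock requirements.
set -eu
umask 077                                   # private keys readable by owner only

make_root_ca() {                            # $1 = working directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Org
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:3072 -nodes -sha256 -days 1825 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt"
}

issue_cert() {                              # $1 = working directory, $2 = DNS name for the SAN
    cat > "$1/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
    openssl req -new -newkey rsa:3072 -nodes -config "$1/leaf.cnf" \
        -keyout "$1/server.key" -out "$1/server.csr"
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 397 \
        -extfile "$1/leaf.cnf" -extensions v3_leaf -out "$1/server.crt"
}

check_cert() {                              # non-zero exit on a broken chain or SAN mismatch
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
        -verify_hostname "$2" "$1/server.crt"
}

workdir=$(mktemp -d)                        # constructed demo run
make_root_ca "$workdir"
issue_cert "$workdir" login.example.com
check_cert "$workdir" login.example.com
```

The keys are written unencrypted (-nodes) to keep the example short; the CA private key in particular should be stored offline or protected with a passphrase.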