Getting started
The Getting started dialog provides a simple way to apply an initial, default configuration to a newly created IAM tenant and test the settings - within minutes. If necessary, key parameters can be adjusted. This allows you to activate and validate the tenant without first having to create a full configuration in the IAM Config Editor.
Prerequisites
To run the Getting started wizard, the Airlock SEC role is required. See also SaaS roles and permissions.
Recommended workflow
- Adjust the configuration options shown in the Getting started view.
- Apply the configuration on the tenant's IAM instance.
- Test the login flow using the automatically generated login form.
- (Optional) Download the configuration and continue fine-tuning in the IAM Config Editor.
Configuration options
The following configuration items are available and can be adapted directly:
- App: Defines which application users will log in to.
- Authentication flow: Selects the authentication method for your application users.
- User account management: Specifies who is responsible for creating and managing user accounts.
- User experience: Configures the branding and look-and-feel of the login UI.
App
The App section allows you to specify the target application that your end-users must authenticate with. It represents the default application associated with your tenant's IAM.
Currently (Q4 2025), the following apps are available:
- Airlock portal application
The Airlock portal application is a web application that provides end-users with access to your application(s) and protected self-services, such as changing passwords, addresses, and email. It enables end-users to manage their own accounts.
The Airlock portal application is the default target application and is always included, even if an additional OIDC application is configured.
Login endpoint: This field displays the URL for the login page of the application protected by your tenant's IAM. The endpoint URL becomes available only when there is an active deployment.
- OIDC app
The OIDC application performs an OpenID Connect Authorization Code Flow, which allows OAuth 2.0 clients to obtain tokens securely. You configure the app directly in the wizard.
(What is the use case of this app?) To define your OIDC app, specify the following fields:
- Name: The name of the OIDC app.
- Description (optional)
- Redirect URI: The URI to which the end-users are redirected after login.
- CORS allowed origins: The domain names allowed to access the OIDC app.
- Enforce PKCE (Proof Key for Code Exchange) (optional): If enabled, clients must use the S256 challenge method for enhanced authorization security.
OIDC credentials and endpoints: This subsection lists the credentials and endpoints required to set up the OIDC client:
- Client ID
- Client secret
- Discovery endpoint
- Authority/issuer endpoint
- Authorization endpoint
- Token endpoint
- Userinfo endpoint
You can configure alternative or additional target applications in the IAM Config Editor after completing the Getting started wizard.
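The following is an added example, not code from Airlock or from the wizard itself. It shows what an OIDC client has to do when the Enforce PKCE option is enabled: derive an S256 code challenge from a random code verifier, send the challenge with the authorization request, check the state on the redirect, and present the verifier at the token endpoint, where the server recomputes the challenge. The endpoint URLs, client ID and redirect URI are constructed placeholders standing in for the values listed in the OIDC credentials and endpoints subsection.

```python
"""Added example (not Airlock's code): the client side of an OIDC
Authorization Code Flow with PKCE (S256), plus the check the server
performs at the token endpoint. All URLs and IDs are placeholders."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders for the wizard's "OIDC credentials and endpoints".
AUTHORIZATION_ENDPOINT = "https://iam.example.test/oidc/authorize"
TOKEN_ENDPOINT = "https://iam.example.test/oidc/token"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.test/callback"


def b64url(data: bytes) -> str:
    """RFC 7636 base64url encoding without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(state: str, nonce: str, code_challenge: str,
                            scope: str = "openid profile") -> str:
    """Authorization request; only the challenge travels through the browser."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,            # bound to the user's session, checked on return
        "nonce": nonce,            # echoed in the ID token to bind it to this request
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect URI.
    A state mismatch means the callback was not started by this session."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to this session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def build_token_request(code: str, code_verifier: str) -> dict:
    """Form body sent to the token endpoint (back-channel, over TLS)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


def server_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does for S256: recompute the challenge
    from the presented verifier and compare it to the one stored with the code.
    A stolen authorization code without the verifier fails this check."""
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url(state, nonce, challenge))
    # Constructed callback as the IAM would redirect it after login:
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = parse_callback(callback, state)
    print(build_token_request(code, verifier))
    print("server accepts verifier:", server_verifies_pkce(challenge, verifier))
```

The verifier stays in the client's server-side session; only its hash leaves the client in the front channel, which is why the option is worth enforcing for public clients (SPAs, mobile apps) that cannot keep a client secret.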
Authentication flow
The Authentication flow section defines how your end-users will authenticate during login.
- Available authentication methods or flows
Currently (Q4 2025), the following authentication methods/flows are available:
- Password
The Password authentication method consists of username and password. It is generally considered weak because the credentials are static and remain the same across multiple logins. Password is the default authentication method.
- Password & email OTP
The Password & email OTP authentication method combines username/password with a one-time password (OTP) sent via email.
- Passkey
The Passkey authentication method enables users to authenticate directly with a passkey stored on their device or in their browser.
(When this method is selected, the Password policy and Email settings subsections still appear. Is that correct? Do they really still need to be specified for Passkey?)
- The Password policy section specifies the allowed characters in passwords and whether a password blacklist should be enforced. It applies only to the Password and Password & email OTP authentication methods.
Properties:
- Password character set: Choose between the default and the enhanced security option.
- Default: At least 8 characters.
- Enhanced security: At least 12 characters and at least one special character (e.g., ! ? #).
In both cases, passwords must include at least:
- one uppercase letter,
- one lowercase letter, and
- one digit.
- Disallow the use of the 100'000 most common passwords: Enable this option to apply a blacklist that blocks the 100'000 most common passwords.
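As an added example (not Airlock's code), the validator below encodes the two Password character set options and the blacklist option exactly as the section above describes them, so the effect of each setting can be tried against sample passwords. The blacklist here is a constructed handful of entries standing in for the 100'000-entry list; the case-insensitive blacklist match and the use of Python's punctuation set as "special characters" are assumptions of this example.

```python
"""Added example (not Airlock's code): a password-policy check mirroring the
wizard's Password policy section. COMMON_PASSWORDS is a constructed sample."""
import string

# Constructed sample standing in for the 100'000-most-common-passwords list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

SPECIAL_CHARS = set(string.punctuation)  # assumption: covers ! ? # and similar

# The two "Password character set" options from the wizard.
POLICIES = {
    "default": {"min_length": 8, "require_special": False},
    "enhanced": {"min_length": 12, "require_special": True},
}


def check_password(pw: str, policy: str = "default",
                   blacklist_enabled: bool = True) -> list[str]:
    """Return the list of violated rules; an empty list means accepted."""
    rules = POLICIES[policy]
    problems = []
    if len(pw) < rules["min_length"]:
        problems.append(f"shorter than {rules['min_length']} characters")
    # Rules that apply to both character-set options.
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    # Only the enhanced option demands a special character.
    if rules["require_special"] and not any(c in SPECIAL_CHARS for c in pw):
        problems.append("no special character")
    # "Disallow the use of the 100'000 most common passwords" (assumed case-insensitive).
    if blacklist_enabled and pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blacklist")
    return problems


if __name__ == "__main__":
    for candidate in ("Passw0rd", "welcome1", "Tr0ub4dor&3xample!"):
        for policy in POLICIES:
            print(f"{candidate!r} under {policy}: {check_password(candidate, policy) or 'OK'}")
```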
- The Email settings section defines the subject and body text for the email that contains the one-time password (OTP). These settings apply only to the Password & email OTP authentication method.
Properties:
- Email subject and Email body: Display the default subject and body text for the OTP email in each supported language (EN, DE, FR, IT). You can replace the default text with custom content.
- Use ${TOKEN} in the body text as a placeholder for the OTP.
You can configure alternative or additional authentication flows in the IAM Config Editor after completing the Getting started wizard.
User account management
The User account management section defines how end-user accounts are created and who can create them.
Available options
- Manual account creation: Administrators create and manage end-users in the tenant's Adminapp. End-users cannot create their own accounts.
- Self registration: End-users can create their own accounts when they register for your application. This is the default option.
(Is that correct? The overview says “Users themselves”, but when the dialog is opened, “Manual account creation” is selected by default. When I select the “Self registration” option in the wizard, activation produces a 500 error message.)
Properties:
- Allowed domains: Enable this option to allow end-users with specific email addresses to join your application automatically.
- Domains: Specify the allowed email domain names in this field.
What exactly does this mean? That only users with the email domain specified here (such as ergon.ch) can register themselves, and all others cannot? Or that these users do not need to register at all because they are added as users automatically?
User experience
The User experience section allows you to customize the branding and appearance of the login user interface. By default, the Airlock branding colors and assets (logo, favicon) are applied.
Adjustable branding elements:
- Theme colors
Default:
- Primary color (login dialog bar, active field frame, etc.): Slate Blue (#3e5c70)
- Page background color: White (#ffffff)
- Text color: Dark Slate (#212529)
- Button text color: White (#ffffff)
- Button background color on hover: Slate Blue (#3e5c70)
- Assets:
- Company logo
- Favicon
The Airlock logo and favicon are used by default.
To replace them:
- Drag and drop your own logo and/or favicon in the respective field.
- Or click the field to browse to and select your own logo and/or favicon.
- Supported languages: By default, English (EN), French (FR), German (DE), and Italian (IT) are supported. To change the defaults, disable checkboxes for the corresponding languages.
Operation
After completing the configuration with the Getting started wizard, you can test your settings using the following operational options:
- Activate tenant: Applies the configuration to the tenant IAM instance, making it ready for testing. A status indicator shows the progress of the activation. Once the initial activation is complete, the current status of the running tenant IAM instance becomes visible.
- Login form: Click Open login form to test the automatically generated login form based on your configuration settings (target application, authentication flow, user experience).
- User management: Click Manage users to access the tenant Adminapp and manage end-user accounts.
Next steps
The Getting started wizard is intended for initial setup and testing. For production use, download the configuration and refine it in the IAM Config Editor, which provides all advanced IAM features and customization options.
In order to upload and activate customized configuration files, you need to disable the Getting started wizard first.
Proceed as follows:
- Go to Administration > Tenants.
- Select your tenant in the preview table.
- Click Disable Getting Started wizard.
For more information on
- Uploading a customized configuration file, see Uploading an IAM configuration file
- Activating an uploaded configuration file, see Activate configuration
From this point on, your tenant setup contains two configurations side by side:
- The initial configuration, adjusted and applied by the Getting started wizard.
- Customized configurations generated by the Config Editor, uploaded in the Configuration files dialog and activated in the Activate configuration dialog. This process requires disabling the Getting started wizard.
Be aware of the following: If you re-enable the Getting started wizard to work on the initial, default configuration and apply the adjusted configuration to the tenant's IAM instance, you overwrite the configuration that is currently active. You may thus replace an elaborate, customized configuration with the simple default one.
To undo this:
- Disable the wizard (see above).
- Go to Operation > Activate configuration.
- In the Activate configuration section, Configuration property, select a suitable previously uploaded configuration from the drop-down list.
- Click Activate to activate the selected configuration.