Airlock as a Service Knowledge Base

Getting started

The Getting started page provides a quick way to apply an initial default configuration to a newly created IAM tenant and test the settings within minutes. If needed, you can adjust key parameters. This allows you to activate and validate the tenant without first creating a full configuration in the IAM Config Editor.


Prerequisites

To complete the Getting started configuration, you need the Airlock SEC role. For details, see SaaS roles and permissions.

Recommended workflow:

  1. Adjust the configuration options linked on the Getting started page.

  2. Apply the configuration on the tenant's IAM instance.

  3. Test the login flow using the automatically generated login form.

  4. Optional: Download the configuration and continue fine-tuning it in the IAM Config Editor.


Configuration options

The following configuration options are available and can be adjusted directly:

  • Application: Defines which application users log in to.

  • Authentication flow: Selects the authentication method for your application users.

  • User onboarding: Specifies who creates and manages user accounts.

  • User experience: Configures the branding and look and feel of the login UI.


Application

The Application section lets you specify the target application that end users authenticate with. It represents the default application associated with your tenant IAM.

The following two options are available:

  • Airlock portal application

    • The Airlock portal application is a web application that gives end users access to your applications and to protected self-services (e.g., changing passwords, addresses, or email). It enables end users to manage their own accounts.

    • It is not really an application of its own but part of the Loginapp, and it serves as a placeholder for your target application.

  • OIDC app

    • Configure the connection to your OIDC app. For details, see here.

Under Login endpoint, the URL of the login page for the application protected by the tenant IAM is displayed. The URL is available only after the tenant IAM has an active deployment.

You can configure alternative or additional target applications in the IAM Config Editor after completing the Getting started configuration.


Authentication flow

The Authentication flow section defines how your end users authenticate during login.

The following options are available:

  • Authentication methods/flows:

    • Password (default)
      Uses a username and password.

      Risk
      This method is considered weak because the credentials are static and reused across logins.

    • Email OTP
      Combines username and password with a one-time password (OTP) sent by email.

    • Passkey
      Lets users authenticate using a passkey on their device or in their browser. For registration, a Password and email OTP flow is still configured.

    • Airlock 2FA
      Provides multi-factor authentication (MFA) with Airlock 2FA, using the user's mobile phone to receive an authorization request. This option is inactive by default because it is a paid add-on. Contact Airlock Sales to request Airlock 2FA.

  • The Password policy section defines password requirements and whether a password blacklist is enforced. It applies only to Password and Email OTP. The following properties can be configured:

    • Password character set

      • Default: at least 8 characters, including at least one uppercase letter, one lowercase letter, and one digit.

      • Enhanced security: at least 12 characters, including at least one uppercase letter, one lowercase letter, one digit, and one special character (e.g., !, ?, #).

    • Disallow the use of the 100'000 most common passwords: Enable this checkbox to block the 100,000 most common passwords.

  • The Email settings section defines the subject and body text for the OTP email. It applies only to Email OTP. The following properties can be configured:

    • Email subject and Email body, respectively, show the default subject and body text for each supported language (EN, DE, FR, IT). You can replace the default text with your custom content.

    • Use ${TOKEN} in the body text as a placeholder for the OTP.

You can configure alternative or additional authentication flows in the IAM Config Editor after completing the Getting started configuration.
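
The two Password policy tiers described above can be turned into test cases before you try the login form. The following is an added example, not Airlock code: the names check_password, POLICIES and SAMPLE_COMMON_PASSWORDS are hypothetical, and the definition of "special character" and the case-insensitive blacklist match are assumptions.

```python
import string

# Character-set tiers as described in the Password policy section.
POLICIES = {
    "default": {"min_length": 8, "require_special": False},
    "enhanced": {"min_length": 12, "require_special": True},
}

# Constructed stand-in for the 100,000-entry list; the real list is
# maintained by the product and is not reproduced here.
SAMPLE_COMMON_PASSWORDS = {"password1", "qwerty123", "welcome2024"}

def check_password(password, tier="default", block_common=False,
                   common=SAMPLE_COMMON_PASSWORDS):
    """Return a list of violated rules (empty list means accepted)."""
    policy = POLICIES[tier]
    violations = []
    if len(password) < policy["min_length"]:
        violations.append("too_short")
    if not any(c.isupper() for c in password):
        violations.append("no_uppercase")
    if not any(c.islower() for c in password):
        violations.append("no_lowercase")
    if not any(c.isdigit() for c in password):
        violations.append("no_digit")
    # Assumption: a "special character" is any printable ASCII punctuation.
    if policy["require_special"] and not any(
            c in string.punctuation for c in password):
        violations.append("no_special")
    # Assumption: the common-password match ignores letter case.
    if block_common and password.lower() in common:
        violations.append("common_password")
    return violations

def build_test_matrix(candidates):
    """Map each candidate to its result under every tier/blacklist combo."""
    return {
        pw: {
            (tier, block): check_password(pw, tier, block)
            for tier in POLICIES
            for block in (False, True)
        }
        for pw in candidates
    }

if __name__ == "__main__":
    # Constructed sample passwords for trying out the login form.
    for pw, res in build_test_matrix(["Password1", "Tr1cky-Horse!9x"]).items():
        print(pw, res)
```

A password such as Password1 satisfies the Default character set and is rejected only when the common-password checkbox is enabled, which is the case worth confirming against the generated login form.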


User onboarding

The User onboarding section defines how end-user accounts are created and who can create them.

The following options are available:

  • Manual account creation: Administrators create and manage end users in the tenant IAM Adminapp. End users cannot create their own accounts.

  • Self registration: End users can create their own accounts when they register for your application. Properties:

    • Allowed domains: Enable this option to allow only users with specific email domains to self-register.

    • Domains: Enter the allowed email domain names (for example, example.com). Only users with email addresses from these domains can self-register.

  • SCIM: Automatically provision and manage user accounts through your identity provider using the SCIM standard (this feature is not yet available).


User experience

The User experience section allows you to customize the branding and appearance of the login user interface.

The following options are available:

  • Default branding: The Airlock logo, favicon and colors are used.

  • Custom branding: Tailor the login experience to match your brand's identity. Changes are reflected in the preview on the right side. Please note that this preview is intended as an example only, and does not represent the login interface exactly.
    You can set the following properties:

    • Colors: Select your preferred theme colors using the color picker or enter a hex code in the text field.

    • Assets: Upload and manage branding images for the sign-in page. These assets can be configured:

      • Company logo: Upload an image to display your company logo on the sign-in page.

      • Favicon: Upload an image to use as the favicon in the browser tab.

  • Language preferences: Select the languages that the Loginapp should support. These languages are available:

    • EN - English

    • FR - French

    • DE - German

    • IT - Italian

  • Tone of voice: Set the form of address defined by your brand guidelines. This applies to languages that distinguish between formal and informal address. Available options:

    • Formal (You / Sie / Vous / Lei)

    • Informal (you / du / tu / tu)


Operation

After you complete the Getting started configuration, you can test your settings using the following options:

  • Click Activate tenant to apply the configuration to the tenant IAM instance, making it ready for testing. A status indicator shows the activation progress. After the initial activation completes, the current status of the running tenant IAM instance is displayed. Each change to the Getting started configuration requires activation to take effect.

  • Login form: Click Open login form to try your settings (target application, authentication flow, and user experience).

  • User management:

    • Click Create test user to create a test end-user account for trying out the login flow. This is a shortcut for creating users in the Adminapp.

    • Click Manage users to open the tenant IAM Adminapp and manage end-user accounts.

Next steps

The Getting started configuration is intended for initial setup and testing. For further refinement, download the configuration and extend it in the IAM Config Editor, which provides advanced IAM features and customization options.

In order to upload and activate custom configuration files, you must first disable the Getting started configuration:

  1. Go to:
    Administration >> Tenants

  2. In the preview table, select your tenant.

  3. Click Disable Getting Started.

Notice
From this point on, two IAM configuration sources exist for your tenant:
• the initial configuration that you adjust and apply on the Getting started page
• custom configurations created in the IAM Config Editor, uploaded in the Configuration files dialog, and activated in the Activate configuration dialog (this requires disabling the Getting started configuration).

For more information, see:

Notice
If you re-apply the Getting started configuration to the tenant IAM instance, you overwrite the currently active configuration. This may overwrite an advanced uploaded configuration with the initial default configuration.
To restore a previously uploaded configuration, disable the Getting started configuration.
1. Go to:
   Operation >> Activate configuration
2. In the Configuration property, select a previously uploaded configuration from the drop-down list.
3. Click Activate.