The Getting started page provides a quick way to apply an initial default configuration to a newly created IAM tenant and test the settings within minutes. If needed, you can adjust key parameters. This allows you to activate and validate the tenant without first creating a full configuration in the IAM Config Editor.
Prerequisites
To access and edit the Getting started configuration, it must be enabled (the default) in the tenant settings; see viewing-and-editing-a-tenant.
Recommended workflow
Adjust the configuration options linked on the Getting started page.
Apply the configuration on the tenant's IAM instance.
Test the login flow using the automatically generated login form.
Optional: Download the configuration and continue fine-tuning it in the IAM Config Editor.
Configuration options
The following configuration options are available and can be adjusted directly:
Application: Defines which application users log in to.
Authentication flow: Selects the authentication method for your application users.
User onboarding: Specifies who creates and manages user accounts.
User experience: Configures the branding and look and feel of the login UI.
Application
The Application section lets you specify the target application that end users authenticate with. It represents the default application associated with your tenant IAM.
The following two options are available:
Airlock portal application
The Airlock portal application is a web application that gives end users access to your applications and to protected self-services (e.g., changing passwords, addresses, or email). It enables end users to manage their own accounts.
It is not an application of its own but part of the Loginapp and serves as a placeholder for your target application.
OIDC app
Configure any of your applications that conform to the OpenID Connect standard. The following fields and options are available:
Name: Enter a descriptive name for the application.
Description: Enter an optional description of the application.
Redirect URI: Enter a URI that users are redirected to after login (whether the login succeeds or fails).
CORS allowed origins: Enter one or more allowed origins for browser-based access. Specify the origin only (scheme + hostname, and port if applicable), for example https://example.com. Typically, include the origin of your redirect URI.
Enforce PKCE (Proof Key for Code Exchange): Select this checkbox to require OIDC clients to use PKCE with the S256 challenge method. This protects the authorization code flow by preventing intercepted authorization codes from being exchanged without the original code verifier.
OIDC credentials
Client ID: Enter the client ID for your application.
Client secret: Select a secret that was previously created in Vault to use as the client secret for the OIDC integration in your application code. If no secret exists yet, go to Vault and create a new secret for your OIDC application.
OIDC credentials and endpoints: Provides the endpoint URLs and related values required to configure OIDC in your application. Each value includes a copy icon for quick copy-and-paste into your application configuration.
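As an added illustration (not Airlock code), here are the two checks behind the CORS allowed origins and Enforce PKCE fields: reducing a redirect URI to its origin, and verifying an S256 code_verifier the way a token endpoint does. All function names and the sample redirect URI are constructed for this example.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlsplit


def new_code_verifier() -> str:
    """Client side: 32 random bytes -> 43 unreserved characters (RFC 7636 allows 43..128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verifier_matches(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side, at the token endpoint: recompute the challenge from the code_verifier
    sent together with the authorization code and compare it with the challenge stored
    at authorization time. An intercepted code without the verifier fails this check."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(s256_challenge(presented_verifier), stored_challenge)


def origin_of(url: str) -> str:
    """Reduce an absolute http(s) URL to its origin: scheme + host [+ port], lowercase host."""
    p = urlsplit(url)
    if p.scheme not in ("https", "http") or not p.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}"


def is_origin_only(value: str) -> bool:
    """True when value is exactly scheme://host[:port]: no path, query, fragment or userinfo."""
    try:
        return origin_of(value) == value
    except ValueError:
        return False


if __name__ == "__main__":
    verifier = new_code_verifier()
    challenge = s256_challenge(verifier)
    assert verifier_matches(challenge, verifier)
    assert not verifier_matches(challenge, new_code_verifier())
    redirect_uri = "https://app.example.com:8443/oidc/callback?state=abc"  # constructed sample
    print("CORS allowed origin for this redirect URI:", origin_of(redirect_uri))
```

The challenge test vector is the one from RFC 7636 Appendix B, so the derivation can be checked against the standard.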
Notice
On the Getting started page, you cannot add or extend scopes for OIDC applications. However, scopes can still be used: in the tenant IAM, requested scopes are validated against the user's roles, so any role assigned to a user can also be requested as a scope.
Under Login endpoint, the URL of the login page for the application protected by the tenant IAM is displayed. The URL is available only after the tenant IAM has an active deployment.
You can configure alternative or additional target applications in the IAM Config Editor after completing the Getting started configuration.
Authentication flow
The Authentication flow section defines how your end users authenticate during login.
The following options are available:
Authentication methods/flows:
Password (default)
Uses a username and password.
Risk
This method is considered weak because the credentials are static and reused across logins.
Email OTP
Combines username and password with a one-time password (OTP) sent by email.
Passkey
Lets users authenticate using a passkey on their device or in their browser. For registration, a Password and email OTP flow is still configured.
Airlock 2FA
Provides multi-factor authentication (MFA) with Airlock 2FA, using the user's mobile phone to receive an authorization request. This option is inactive by default because it is a paid add-on. Contact Airlock Sales to request Airlock 2FA.
The Password policy section defines password requirements and whether a password blacklist is enforced. It applies only to Password and Email OTP. The following properties can be configured:
Password character set
Default: at least 8 characters, including at least one uppercase letter, one lowercase letter, and one digit.
Enhanced security: at least 12 characters, including at least one uppercase letter, one lowercase letter, one digit, and one special character (e.g., !, ?, #).
Disallow the use of the 100,000 most common passwords: Enable this checkbox to block the 100,000 most common passwords.
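As an added example (not Airlock code), this checker applies the two character-set policies above and a common-password blacklist. It shows why the blacklist matters: a password can satisfy the Default policy and still be one of the most common. The blacklist here is a tiny constructed stand-in for the 100,000-entry list; the function and policy names are assumptions.

```python
# Policies as described on the Getting started page.
POLICIES = {
    "default":  {"min_length": 8,  "classes": ("upper", "lower", "digit")},
    "enhanced": {"min_length": 12, "classes": ("upper", "lower", "digit", "special")},
}

# A character is "special" when it is neither alphanumeric nor whitespace (e.g. !, ?, #).
CLASS_CHECKS = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "special": lambda c: not c.isalnum() and not c.isspace(),
}

# Constructed stand-in for the 100,000 most common passwords (compared case-insensitively).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "password1", "welcome1"}


def check_password(password: str, policy: str = "default", block_common: bool = True) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    rules = POLICIES[policy]
    violations = []
    if len(password) < rules["min_length"]:
        violations.append(f"shorter than {rules['min_length']} characters")
    for cls in rules["classes"]:
        if not any(CLASS_CHECKS[cls](c) for c in password):
            violations.append(f"missing {cls} character")
    if block_common and password.lower() in COMMON_PASSWORDS:
        violations.append("in common-password list")
    return violations


if __name__ == "__main__":
    for pw in ("Password1", "Tr0ub4dor&3x!"):
        for policy in POLICIES:
            print(f"{pw!r} under {policy}: {check_password(pw, policy) or 'accepted'}")
```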
The Email settings section defines the subject and body text for the OTP email. It applies only to Email OTP. The following properties can be configured:
Email subject and Email body, respectively, show the default subject and body text for each supported language (EN, DE, FR, IT). You can replace the default text with your custom content.
Use ${TOKEN} in the body text as a placeholder for the OTP.
You can configure alternative or additional authentication flows in the IAM Config Editor after completing the Getting started configuration.
User onboarding
The User onboarding section defines how end-user accounts are created and who can create them.
The following options are available:
Manual account creation: Administrators create and manage end users in the tenant IAM Adminapp. End users cannot create their own accounts.
Self registration: End users can create their own accounts when they register for your application. Properties:
Allowed domains: Enable this option to allow only users with specific email domains to self-register.
Domains: Enter the allowed email domain names (for example, example.com). Only users with email addresses from these domains can self-register.
SCIM: Automatically provision and manage user accounts through your identity provider using the SCIM standard (this feature is not yet available).
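As an added example (not Airlock code), this is how the Allowed domains restriction for self registration should be evaluated: exact, case-insensitive comparison of the address's domain part against the configured list. A suffix check would let addresses such as user@evil-example.com or user@example.com.evil.net through. The function names are assumptions, and whether subdomains are covered is a choice made here, not stated by the page.

```python
from typing import Iterable, Optional


def email_domain(email: str) -> Optional[str]:
    """Return the lowercase domain part of local@domain, or None if the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def may_self_register(email: str, allowed_domains: Iterable[str]) -> bool:
    """Exact match only: 'sub.example.com' is not implied by 'example.com' (assumption of this
    example). Deliberately not endswith(), which would accept look-alike domains."""
    domain = email_domain(email)
    allowed = {d.strip().lower() for d in allowed_domains}
    return domain is not None and domain in allowed


if __name__ == "__main__":
    # Constructed sample configuration and sign-up attempts.
    config = ["example.com", "Example.org"]
    for address in ("alice@Example.com", "bob@evil-example.com", "mallory@example.com.evil.net"):
        print(f"{address}: {'allowed' if may_self_register(address, config) else 'rejected'}")
```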
User experience
The User experience section allows you to customize the branding and appearance of the login user interface.
The following options are available:
Default branding: The Airlock logo, favicon and colors are used.
Custom branding: Tailor the login experience to match your brand's identity. Changes are reflected in the preview on the right side. Note that this preview is intended as an example only and does not represent the login interface exactly.
You can set the following properties:
Colors: Select your preferred theme colors using the color picker or enter a hex code in the text field.
Assets: Upload and manage branding images for the sign-in page. These assets can be configured:
Company logo: Upload an image to display your company logo on the sign-in page.
Favicon: Upload an image to use as the favicon in the browser tab.
Language preferences: Select the languages that the Loginapp should support. These languages are available:
EN - English
FR - French
DE - German
IT - Italian
Tone of voice: Set the form of address defined by your brand guidelines. This applies to languages that distinguish between formal and informal address. Available options:
Formal (You / Sie / Vous / Lei)
Informal (you / du / tu / tu)
Operation
After you complete the Getting started configuration, you can test your settings using the following options:
Click Activate tenant to apply the configuration to the tenant IAM instance, making it ready for testing. A status indicator shows the activation progress. After the initial activation completes, the current status of the running tenant IAM instance is displayed. Each change to the Getting started configuration requires activation to take effect.
Login form: Click Open login form to try your settings (target application, authentication flow, and user experience).
User management:
Click Create test user to create a test end-user account in your tenant IAM for trying out the login flow. This is a shortcut for creating users in the Adminapp.
Complete and submit the form.
▶ The credentials for the new user are displayed.
Copy the password.
Close the dialog.
Click Manage users to open the tenant IAM Adminapp and manage end-user accounts.
Notice
If the current configuration differs from the deployed configuration, a warning is displayed.
Next steps
The Getting started configuration is intended for initial setup and testing. For further refinement, download the configuration and extend it in the IAM Config Editor, which provides advanced IAM features and customization options.
To upload and activate custom configuration files, you must first disable the Getting started configuration:
Go to:
Administration >> Tenants
In the preview table, select your tenant.
Click Disable Getting Started.
Notice
From this point on, two IAM configuration sources exist for your tenant:
the initial configuration that you adjust and apply on the Getting started page, and
custom configurations created in the IAM Config Editor, uploaded in the Configuration files dialog, and activated in the Activate configuration dialog (this requires disabling the Getting started configuration).
For more information, see:
Configure Tenant IAM for ZIP upload for details on creating a custom configuration file
Activate configuration for details on activating an uploaded configuration file
Notice
If you re-apply the Getting started configuration to the tenant IAM instance, you overwrite the currently active configuration. This may overwrite an advanced uploaded configuration with the initial default configuration.
To restore a previously uploaded configuration, you must disable the Getting started configuration:
Go to:
Operation >> Activate configuration
In the Configuration property, select a previously uploaded configuration from the drop-down list.
Click Activate.