Airlock as a Service Knowledge Base

Configure Custom Domains

By default, IAM tenants are accessible via the platform domain: airlock.cloud. If the IAM tenant application (Loginapp or Adminapp) needs to be accessible via a custom domain, this can be defined in the saas.yaml file using the Host configuration.

Airlock SaaS will automatically create an ACME certificate for the custom domain. The certificate issuance process relies on delegated domains for the DNS-01 challenge. To fulfill this requirement, the SaaS administrator must apply the necessary DNS changes on their side.

Configuration options

Using SaaS API reference

https://docs.airlock.com/saas-public-api/#tag/tenantconfig

Using saas.yaml

End of life: saas.yaml is deprecated and will not be supported in a future Airlock SaaS version.
The following settings can be configured through the SaaS API (see the SaaS API reference) using an OAuth 2.0 client.

Basic structure

apiVersion: iam.airlock.com/v1
kind: Host
spec:
  loginapp:
    host: auth.example.com
    tls:
      minProtocolVersion: TLSV1_3
  adminapp:
    host: admin.example.com
    tls:
      minProtocolVersion: TLSV1_3

loginapp.host

Type: string
Default: -

The custom domain under which the IAM tenant Loginapp should be accessible.

Note: The Loginapp host and the Adminapp host must not be equal.

loginapp.tls.minProtocolVersion

Type: enum
Default: TLSV1_3

Defines the minimum TLS version that is accepted.

Values: TLSV1_2 or TLSV1_3

adminapp.host

Type: string
Default: -

The custom domain under which the IAM tenant Adminapp should be accessible.

Note: The Loginapp host and the Adminapp host must not be equal.

adminapp.tls.minProtocolVersion

Type: string
Default: TLSV1_3

Defines the minimum TLS version that is accepted.

Values: TLSV1_2 or TLSV1_3

Changes to the customer's DNS server.

The customer needs to configure record sets in their DNS zone according to the following scheme:

Custom domain: CUSTOM-DOMAIN

Record sets:

_acme-challenge.<CUSTOM-DOMAIN>. 86400 IN CNAME _acme-challenge.<CUSTOM-DOMAIN>.acme.airlock.cloud.

<CUSTOM-DOMAIN>. 86400 IN CNAME custom.ch-1.airlock.cloud.

Verification of DNS Configuration

After creating the DNS records, verify that they are set correctly using the following commands:

# Replace <CUSTOM-DOMAIN> with your custom domain, for example auth.example.com
DOMAIN="<CUSTOM-DOMAIN>"

echo "Check ACME record:"
dig +short CNAME "_acme-challenge.${DOMAIN}." | grep -Fx "_acme-challenge.${DOMAIN}.acme.airlock.cloud."

echo "Check custom domain record:"
dig +short CNAME "${DOMAIN}." | grep -Fx "custom.ch-1.airlock.cloud."

If both commands print the expected CNAME target, the DNS configuration is correct and ACME certificate issuance will succeed.
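
The following pre-flight check is an added example, not part of the Airlock documentation or product. It extends the two commands above to both hosts of a tenant and also enforces the rule that the Loginapp and Adminapp hosts differ. The function names, the RESOLVE variable and the sample_resolver data are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Airlock code. RESOLVE and sample_resolver are assumptions
# of this example; the record scheme and the host rule come from the page.

# Constructed sample data: auth.example.com is delegated correctly,
# admin.example.com is missing its _acme-challenge CNAME.
sample_resolver() {
    case "$1" in
        _acme-challenge.auth.example.com.) echo "_ACME-challenge.auth.example.com.acme.airlock.cloud." ;;
        auth.example.com.|admin.example.com.) echo "custom.ch-1.airlock.cloud." ;;
    esac
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_cname NAME EXPECTED: succeed only if NAME resolves to exactly EXPECTED.
check_cname() {
    got=$(lower "$(${RESOLVE:-dig +short CNAME} "$1")")
    if [ "$got" = "$2" ]; then
        echo "ok       $1 -> $2"
    else
        echo "MISMATCH $1: want $2, got ${got:-no CNAME}" >&2
        return 1
    fi
}

# check_custom_domain DOMAIN: verify both record sets for one custom domain.
check_custom_domain() {
    d=$(lower "${1%.}")    # DNS names are case-insensitive; drop a trailing dot
    rc=0
    check_cname "_acme-challenge.$d." "_acme-challenge.$d.acme.airlock.cloud." || rc=1
    check_cname "$d." "custom.ch-1.airlock.cloud." || rc=1
    return "$rc"
}

# check_tenant LOGINAPP_HOST ADMINAPP_HOST: returns 2 if the hosts are equal,
# 1 if any record is wrong, 0 if both domains are ready for issuance.
check_tenant() {
    if [ "$(lower "${1%.}")" = "$(lower "${2%.}")" ]; then
        echo "Loginapp and Adminapp host must differ" >&2
        return 2
    fi
    trc=0
    check_custom_domain "$1" || trc=1
    check_custom_domain "$2" || trc=1
    return "$trc"
}

# Real lookups (via dig) only when two hosts are passed on the command line.
if [ "$#" -eq 2 ]; then check_tenant "$1" "$2"; fi
```

Run it as a script with the Loginapp host and the Adminapp host as its two arguments; setting RESOLVE=sample_resolver replaces dig with the constructed data for a dry run.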