We follow the IAM directory structure as defined in the official IAM documentation, but expect the contents of <instance_1> to be in the root of the ZIP-file. Hence, everything that can be added to the IAM instance directory can also be added in Airlock as a Service. In addition to the IAM directory structure, a saas.yaml file can be included for further configuration.
For instance, a ZIP file could look like this (not conclusive):
adminapp-texts/
Add any number of string_LANG.properties files. You can omit them if they are not required.
loginapp-texts/
Add any number of string_LANG.properties files. You can omit them if they are not required.
servicecontainerapp-texts/
Add any number of string_LANG.properties files. You can omit them if they are not required.
transaction-approval-texts/
Add any number of string_LANG.properties files. You can omit them if they are not required.
libs/
Any JAR-files to support custom extensions in the Loginapp and/or Adminapp.
Warning
The SaaS platform does not validate JAR files included in the uploaded ZIP file. If you include unsafe or untrusted JAR files, the tenant IAM may be compromised.
➔ Only include JAR files from trusted sources and review their security implications before uploading.
Some JAR files may not be compatible. The Microgateway may interfere with or block functionality when the user agent interacts with the IAM.
➔ Test the tenant IAM thoroughly with the JAR files in place and remove or replace any JAR files that cause issues.
instance.properties
Is currently copied in full. However, the set of supported instance.properties keys will be restricted in the future (with an allowlist). For the time being, limit your use to:
iam.environment.id
iam.log.level
iam.loginapp.rest.ui.customizations
➔ e.g., iam.loginapp.rest.ui.customizations=instances/${instance.name}/airlock-iam-loginapp-rest-ui-customizations.zip
iam-config.yaml (optional)
Airlock IAM as a Service fully supports iam-config.yaml. The configuration format is detected automatically from the configuration file in the ZIP archive and must not be set via iam.config.format in instance.properties.
customization.zip
May have any name, but the name must match the one configured in instance.properties.
saas.yaml (optional)
Warning
The saas.yaml file is deprecated and will be removed in a future Airlock SaaS release. If you continue to rely on it, configuration changes may stop working after an upgrade.
➔ Configure the following settings through the SaaS API reference using an OAuth 2.0 client.
The saas.yaml file can contain multiple types of configurations for tenant customization. These configurations must be separated using the YAML document separator ---. The file is optional and supports the following configuration types:
EgressTrafficPolicy: Controls egress traffic whitelisting
MicrogatewayDenyRulesPatch: Add Microgateway DenyRules exceptions
MicrogatewayHeaderRewritesPatch: Add Microgateway custom HeaderRewrites rules
Host: Defines custom domain configurations for tenant applications (when custom domains are enabled)
apiVersion: iam.airlock.com/v1
kind: EgressTrafficPolicy
spec:
  loginapp:
    destinations:
      - host: api.example.com
        port: 443
        protocol: TCP
        appProtocol: HTTPS
---
apiVersion: iam.airlock.com/v1
kind: MicrogatewayDenyRulesPatch
spec:
  loginapp:
    request:
      builtIn:
        exceptions:
          - ruleKeys:
              - XSS
            blockedData:
              parameter:
                name:
                  matcher:
                    exact: "custom_param"
---
apiVersion: iam.airlock.com/v1
kind: MicrogatewayHeaderRewritesPatch
spec:
  loginapp:
    request:
      allow:
        matchingHeaders:
          custom:
            - name: Allow X-Legacy-Password
              headers:
                - name:
                    matcher:
                      exact: X-Legacy-Password
---
apiVersion: iam.airlock.com/v1
kind: Host
spec:
  loginapp:
    host: login.customer-domain.com
    tls:
      minProtocolVersion: TLSV1_3
  adminapp:
    host: admin.customer-domain.com
    tls:
      minProtocolVersion: TLSV1_3
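As an added example (not from the Airlock documentation or product), a small pre-upload lint in Python that applies the rules on this page to a tenant ZIP before it is uploaded: the instance.properties key allowlist, the JAR files under libs/ that the platform does not validate, and the deprecated saas.yaml with its four supported kinds. The function names lint_tenant_zip, parse_properties and build_sample_zip, and the sample ZIP contents, are constructed here.

```python
import io
import re
import zipfile
# Allowlisted keys and kinds exactly as listed on this page; iam.config.format is therefore rejected too.
ALLOWED_PROPERTY_KEYS = {"iam.environment.id", "iam.log.level", "iam.loginapp.rest.ui.customizations"}
ALLOWED_SAAS_KINDS = {"EgressTrafficPolicy", "MicrogatewayDenyRulesPatch", "MicrogatewayHeaderRewritesPatch", "Host"}
KIND_RE = re.compile(r"^kind:\s*(\S+)\s*$", re.MULTILINE)

def parse_properties(text):
    """Minimal Java .properties parser: key=value lines; '#'/'!' comment lines skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint_tenant_zip(data):
    """Return a list of findings for the ZIP bytes (root = IAM instance dir); [] means clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        props = {}
        if "instance.properties" in names:
            props = parse_properties(zf.read("instance.properties").decode("utf-8"))
        else:
            findings.append("instance.properties is missing from the ZIP root")
        for key in sorted(set(props) - ALLOWED_PROPERTY_KEYS):
            findings.append(f"instance.properties: key not on the allowlist: {key}")
        # The platform does not validate JARs, so every one is surfaced for manual review.
        for jar in sorted(n for n in names if n.startswith("libs/") and n.endswith(".jar")):
            findings.append(f"libs: review untrusted JAR before upload: {jar}")
        if "saas.yaml" in names:
            findings.append("saas.yaml is deprecated; move its settings to the SaaS API")
            docs = [d for d in zf.read("saas.yaml").decode("utf-8").split("\n---") if d.strip()]
            for doc in docs:  # one YAML document per '---'-separated configuration
                m = KIND_RE.search(doc)
                kind = m.group(1) if m else "<none>"
                if kind not in ALLOWED_SAAS_KINDS:
                    findings.append(f"saas.yaml: unsupported kind: {kind}")
    return findings

def build_sample_zip():  # constructed sample upload (not a real tenant), one issue of each type
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("instance.properties", "iam.log.level=INFO\niam.config.format=yaml\n")
        zf.writestr("libs/vendor-plugin.jar", b"PK\x03\x04")  # placeholder bytes, not a real JAR
        zf.writestr("saas.yaml", "apiVersion: iam.airlock.com/v1\nkind: Host\nspec: {}\n---\n"
                    "apiVersion: iam.airlock.com/v1\nkind: UnsupportedKind\nspec: {}\n")
    return buf.getvalue()
```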