Restricting access to Studio
When IG is running in development mode, by default the Studio endpoint is open and accessible. To allow only specific users to access Studio, configure a StudioProtectionFilter with a SingleSignOnFilter or CrossDomainSingleSignOnFilter.
The following example uses a SingleSignOnFilter to require users to authenticate with AM before they can access Studio, and protects the request from Cross Site Request Forgery (CSRF) attacks.
1. Set up AM:

   a. (From AM 6.5.3) Select Services > Add a Service, and add a Validation Service with the following Valid goto URL Resources:
      - http://ig.example.com:8080/*
      - http://ig.example.com:8080/*?*

   b. Select Applications > Agents > Identity Gateway and register an IG agent with the following values:
      - Agent ID: ig_agent
      - Password: password

      For AM 6.5.x and earlier versions, register an agent as described in Register an IG agent in AM 6.5 and earlier.

      Use secure passwords in a production environment. Consider using a password manager to generate secure passwords.

   c. (Optional) Authenticate the agent to AM as described in Authenticate an IG agent to AM.

      IG agents are automatically authenticated to AM by a deprecated authentication module in AM. This step is currently optional, but will be required when authentication chains and modules are removed in a future release of AM.
2. Set up IG:

   a. Set an environment variable for the IG agent password, and then restart IG:

      $ export AGENT_SECRET_ID='cGFzc3dvcmQ='

      The password is retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.

   b. Add the following admin.json configuration to IG:

```json
{
  "prefix": "openig",
  "mode": "DEVELOPMENT",
  "properties": {
    "SsoTokenCookieOrHeader": "iPlanetDirectoryPro"
  },
  "connectors": [
    { "port": 8080 },
    { "port": 8443 }
  ],
  "heap": [
    {
      "name": "SystemAndEnvSecretStore-1",
      "type": "SystemAndEnvSecretStore"
    },
    {
      "name": "AmService-1",
      "type": "AmService",
      "config": {
        "agent": {
          "username": "ig_agent",
          "passwordSecretId": "agent.secret.id"
        },
        "secretsProvider": "SystemAndEnvSecretStore-1",
        "url": "http://am.example.com:8088/openam/",
        "ssoTokenHeader": "&{SsoTokenCookieOrHeader}"
      }
    },
    {
      "name": "StudioProtectionFilter",
      "type": "ChainOfFilters",
      "config": {
        "filters": [
          {
            "type": "SingleSignOnFilter",
            "config": {
              "amService": "AmService-1"
            }
          },
          {
            "type": "CsrfFilter",
            "config": {
              "cookieName": "&{SsoTokenCookieOrHeader}",
              "failureHandler": {
                "type": "StaticResponseHandler",
                "config": {
                  "status": 403,
                  "headers": {
                    "Content-Type": [ "text/plain" ]
                  },
                  "entity": "Request forbidden"
                }
              }
            }
          }
        ]
      }
    }
  ]
}
```

      Notice the following features of the configuration:

      - The prefix sets the base of the administrative route to the default value /openig. The Studio endpoint is therefore /openig/studio.
      - The mode is development, so by default the Studio endpoint is open and unfiltered.
      - The properties object sets a configuration parameter for the value of the SSO token cookie or header, which is used in AmService and CsrfFilter.
      - The AmService uses the IG agent in AM for authentication. The agent password for AmService is provided by a SystemAndEnvSecretStore in the heap.
      - The StudioProtectionFilter calls the SingleSignOnFilter to redirect unauthenticated requests to AM, and uses the CsrfFilter to protect requests from CSRF attacks. For more information, refer to SingleSignOnFilter and CsrfFilter.

   c. Restart IG to take into account the changes to admin.json.
3. Test the setup:

   a. If you are logged in to AM, log out and clear any cookies.

   b. Go to http://ig.example.com:8080/openig/studio. The SingleSignOnFilter redirects the request to AM for authentication.

   c. Log in to AM with user demo, password Ch4ng31t. The Studio Routes screen is displayed.
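As an added illustration (not part of the original documentation or of the IG code base), the following Python sketch models the behaviour the StudioProtectionFilter chain above is configured to give: a request with no SSO token is redirected to AM, and a state-changing request must carry the token in a request header that matches the cookie, otherwise the CsrfFilter's failure handler answers 403 "Request forbidden". The header name X-CSRF-Token, the set of safe methods, and the way `agent.secret.id` resolves to the AGENT_SECRET_ID variable are assumptions modelled on IG defaults, not values taken from the page.

```python
import base64
import os
from dataclasses import dataclass, field

# Values taken from the admin.json on this page.
SSO_COOKIE = "iPlanetDirectoryPro"
AM_URL = "http://am.example.com:8088/openam/"
# Assumptions (IG defaults as modelled here, not stated on the page).
CSRF_HEADER = "X-CSRF-Token"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # no state change, so no CSRF check


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request to /openig/studio."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def agent_secret(secret_id: str, env=os.environ) -> str:
    """SystemAndEnvSecretStore-style lookup: dots become underscores, name is
    upper-cased, and the stored value is base64-decoded (assumed mapping)."""
    raw = env[secret_id.replace(".", "_").upper()]
    return base64.b64decode(raw).decode()


def single_sign_on_filter(req: Request):
    """Redirect to AM when the SSO token cookie is absent; otherwise pass."""
    if SSO_COOKIE not in req.cookies:
        return (302, {"Location": AM_URL}, "")
    return None


def csrf_filter(req: Request):
    """Double-submit check: for non-safe methods the CSRF header must echo
    the SSO cookie value, else the StaticResponseHandler reply is returned."""
    if req.method.upper() in SAFE_METHODS:
        return None
    if req.headers.get(CSRF_HEADER) != req.cookies.get(SSO_COOKIE):
        return (403, {"Content-Type": "text/plain"}, "Request forbidden")
    return None


def studio_protection_filter(req: Request):
    """ChainOfFilters: run filters in order; the first to object wins."""
    for filt in (single_sign_on_filter, csrf_filter):
        resp = filt(req)
        if resp is not None:
            return resp
    return (200, {"Content-Type": "text/html"}, "Studio Routes")
```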