IG 2023.6

Policy enforcement

The following procedure gives an example of how to request and enforce policy decisions from Identity Cloud.

Enforce a simple policy

Before you start, set up and test the example in Cross-domain single sign-on.

  1. Set up Identity Cloud:

    1. In the Identity Cloud admin UI, select open_in_new Native Consoles > Access Management. The AM admin UI is displayed.

    2. Select Authorization > Policy Sets > New Policy Set, and add a policy set with the following values:

      • Id : PEP-CDSSO

      • Resource Types : URL

    3. In the new policy set, add a policy with the following values:

      • Name : CDSSO

      • Resource Type : URL

      • Resource pattern : *://*:*/*

      • Resource value : http://app.example.com:8081/home/cdsso

        This policy protects the home page of the sample application.

    4. On the Actions tab, add an action to allow HTTP GET.

    5. On the Subjects tab, remove any default subject conditions, add a subject condition for all Authenticated Users.

  2. Set up IG:

    1. Replace cdsso-idc.json with the following route, and correct the value for the property amInstanceUrl:

      • Linux

      • Windows

      $HOME/.openig/config/routes/pep-cdsso-idc.json
      appdata\OpenIG\config\routes\pep-cdsso-idc.json
      {
        "name": "pep-cdsso-idc",
        "baseURI": "http://app.example.com:8081",
        "condition": "${find(request.uri.path, '^/home/cdsso')}",
        "properties": {
          "amInstanceUrl": "https://myTenant.forgeblocks.com/am"
        },
        "heap": [
          {
            "name": "SystemAndEnvSecretStore-1",
            "type": "SystemAndEnvSecretStore"
          },
          {
            "name": "AmService-1",
            "type": "AmService",
            "config": {
              "url": "&{amInstanceUrl}",
              "realm": "/alpha",
              "agent": {
                "username": "ig_agent",
                "passwordSecretId": "agent.secret.id"
              },
              "secretsProvider": "SystemAndEnvSecretStore-1",
              "sessionCache": {
                "enabled": false
              }
            }
          }
        ],
        "handler": {
          "type": "Chain",
          "config": {
            "filters": [
              {
                "name": "CrossDomainSingleSignOnFilter-1",
                "type": "CrossDomainSingleSignOnFilter",
                "config": {
                  "redirectEndpoint": "/home/cdsso/redirect",
                  "authCookie": {
                    "path": "/home",
                    "name": "ig-token-cookie"
                  },
                  "amService": "AmService-1",
                  "verificationSecretId": "verify",
                  "secretsProvider": {
                    "type": "JwkSetSecretStore",
                    "config": {
                      "jwkUrl": "&{amInstanceUrl}/oauth2/realms/alpha/connect/jwk_uri"
                    }
                  }
                }
              },
              {
                "name": "PolicyEnforcementFilter-1",
                "type": "PolicyEnforcementFilter",
                "config": {
                  "application": "PEP-CDSSO",
                  "ssoTokenSubject": "${contexts.cdsso.token}",
                  "amService": "AmService-1"
                }
              }
            ],
            "handler": "ReverseProxyHandler"
          }
        }
      }

      Note the following feature of the route compared to cdsso-idc.json:

      • The CrossDomainSingleSignOnFilter is followed by a PolicyEnforcementFilter to enforce the policy PEP-CDSSO.

        For the security of your deployment, always configure verificationSecretId in CrossDomainSingleSignOnFilter.
        When verificationSecretId is not configured, IG does not verify the signature of AM session tokens, increasing the risk of CDSSO token tampering.
  3. Test the setup:

    1. Go to https://ig.ext.com:8443/home/cdsso.

      If you have warnings that the site is not secure respond to the warnings to access the site.

      IG redirects you to Identity Cloud for authentication.

    2. Log in to Identity Cloud as user demo, password Ch4ng3!t.

      Identity Cloud redirects you back to the request URL, and IG requests a policy decision. Identity Cloud returns a policy decision that grants access to the sample application.

Step up authorization for a transaction

Before you start, set up and test the example in Enforce a simple policy.

  1. In the Identity Cloud admin UI, select code Scripts > Auth Scripts > New Script > Journey Decision Node > Next, and add a default Journey Decision Node Script script called TxTestPassword:

    /*
      - Data made available by nodes that have already executed are available in the sharedState variable.
      - The script should set outcome to either "true" or "false".
     */
    
    var givenPassword = nodeState.get("password").asString()
    
    if (givenPassword.equals("7890")) {
      outcome = "true"
    } else {
      outcome = "false"
    }
  2. Configure a journey:

    1. Click account_tree Journeys and add a journey with the following configuration:

      • Name: Tx01_Tree

      • Identity Object: Alpha realm users

        The journey canvas is displayed.

    2. In Nodes > Basic Authentication, drag a Password Collector node onto the canvas.

    3. In Nodes > Utilities, drag a Scripted decision node onto the canvas.

    4. Configure the scripted decision node as follows:

      • Script: select TxTestPassword

      • Outcomes: enter true and false

    5. Connect the nodes as shown:

      Authentication journey

      For information about configuring trees, refer to ForgeRock Identity Cloud Docs

  3. Edit the authorization policy:

    1. In the Identity Cloud admin UI, select open_in_new Native Consoles > Access Management. The AM admin UI is displayed.

    2. Select Authorization > Policy Sets > PEP-CDSSO, and add the following environment condition to the CDSSO policy:

      • All of

      • Type: Transaction

      • Script name: Authenticate to tree

      • Strategy Specifier: Tx01_Tree

  4. Test the setup:

    1. In a browser, go to https://ig.ext.com:8443/home/cdsso.

      If you have not previously authenticated to Identity Cloud, the CrossDomainSingleSignOnFilter redirects the request to Identity Cloud for authentication.

    2. Log in to Identity Cloud as user demo, password Ch4ng3!t.

    3. Enter the password 7890 required by the script TxTestPassword.

      Identity Cloud redirects you back to the request URL, and IG requests a policy decision. Identity Cloud returns a policy decision based on the authentication journey.

Copyright © 2010-2023 ForgeRock, all rights reserved.