IG 2023.6

Restricting access to Studio

When IG is running in development mode, by default the Studio endpoint is open and accessible. To allow only specific users to access Studio, configure a StudioProtectionFilter with a SingleSignOnFilter or CrossDomainSingleSignOnFilter.

The following example uses a SingleSignOnFilter to require users to authenticate with AM before they can access Studio, and protects the request from Cross Site Request Forgery (CSRF) attacks.

  1. Set up AM:

    1. (From AM 6.5.3) Select Services > Add a Service, and add a Validation Service with the following Valid goto URL Resources:

      • http://ig.example.com:8080/*

      • http://ig.example.com:8080/*?*

    2. Select Applications > Agents > Identity Gateway and register an IG agent with the following values:

      • Agent ID: ig_agent

      • Password: password

        For AM 6.5.x and earlier versions, register an agent as described in Register an IG agent in AM 6.5 and earlier.

        Use secure passwords in a production environment. Consider using a password manager to generate secure passwords.
    3. (Optional) Authenticate the agent to AM as described in Authenticate an IG agent to AM.

      IG agents are automatically authenticated to AM by a deprecated authentication module in AM. This step is currently optional, but will be required when authentication chains and modules are removed in a future release of AM.
  2. Set up IG:

    1. Set an environment variable for the IG agent password, and then restart IG:

      $ export AGENT_SECRET_ID='cGFzc3dvcmQ='

      The password is retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.

    2. Add the following admin.json configuration to IG:

      {
        "prefix": "openig",
        "mode": "DEVELOPMENT",
        "properties": {
          "SsoTokenCookieOrHeader": "iPlanetDirectoryPro"
        },
        "connectors": [
          {
            "port": 8080
          },
          {
            "port": 8443
          }
        ],
        "heap": [
          {
            "name": "SystemAndEnvSecretStore-1",
            "type": "SystemAndEnvSecretStore"
          },
          {
            "name": "AmService-1",
            "type": "AmService",
            "config": {
              "agent" : {
                "username" : "ig_agent",
                "passwordSecretId" : "agent.secret.id"
              },
              "secretsProvider": "SystemAndEnvSecretStore-1",
              "url": "http://am.example.com:8088/openam/",
              "ssoTokenHeader": "&{SsoTokenCookieOrHeader}"
            }
          },
          {
            "name": "StudioProtectionFilter",
            "type": "ChainOfFilters",
            "config": {
              "filters": [
                {
                  "type": "SingleSignOnFilter",
                  "config": {
                    "amService": "AmService-1"
                  }
                },
                {
                  "type": "CsrfFilter",
                  "config": {
                    "cookieName": "&{SsoTokenCookieOrHeader}",
                    "failureHandler": {
                      "type": "StaticResponseHandler",
                      "config": {
                        "status": 403,
                        "headers": {
                          "Content-Type": [
                            "text/plain"
                          ]
                        },
                        "entity": "Request forbidden"
                      }
                    }
                  }
                }
              ]
            }
          }
        ]
      }

    Notice the following features of the configuration:

    • The prefix sets the base of the administrative route to the default value /openig. The Studio endpoint is therefore /openig/studio.

    • The mode is development, so by default the Studio endpoint is open and unfiltered.

    • The properties object sets a configuration parameter for the value of the SSO token cookie or header, which is used in AmService and CorsFilter.

    • The AmService uses the IG agent in AM for authentication.

      The agent password for AmService is provided by a SystemAndEnvSecretStore in the heap.

    • The StudioProtectionFilter calls the SingleSignOnFilter to redirect unauthenticated requests to AM, and uses the CsrfFilter to protect requests from CSRF attacks. For more information, refer to SingleSignOnFilter and CsrfFilter.

      1. Restart IG to take into account the changes to admin.json.

  3. Test the setup:

    1. If you are logged in to AM, log out and clear any cookies.

    2. Go to http://ig.example.com:8080/openig/studio. The SingleSignOnFilter redirects the request to AM for authentication.

    3. Log in to AM with user demo, password Ch4ng31t. The Studio Routes screen is displayed.

Copyright © 2010-2023 ForgeRock, all rights reserved.