Handlers
Handler objects process a request and context, and return a response. The way the response is created depends on the type of handler.
Chain
Dispatches a request and context to an ordered list of filters, and then finally to a handler.
Filters process the incoming request and context, pass it on to the next filter, and then to the handler. After the handler produces a response, the filters process the outgoing response and context as it makes its way to the client. Note that the same filter can process both the incoming request and the outgoing response but most filters do one or the other.
A Chain can be placed in a configuration anywhere that a handler can be placed.
Unlike ChainOfFilters, Chain finishes by dispatching the request to a handler. For more information, refer to ChainOfFilters.
Usage
{
"name": string,
"type": "Chain",
"config": {
"filters": [ Filter reference, ... ],
"handler": Handler reference
}
}Properties
"filters": array of Filter references, required-
An array of names of filter objects defined in the heap, and inline filter configuration objects.
The chain dispatches the request to these filters in the order they appear in the array.
See also Filters.
"handler": Handler reference, required-
The Handler to which the Chain dispatches the request after it has traversed the specified filters.
Provide the name of a Handler object defined in the heap or an inline Handler configuration object.
Example
{
"name": "LoginChain",
"type": "Chain",
"config": {
"filters": [ "LoginFilter" ],
"handler": "ReverseProxyHandler"
}
}ClientHandler
Sends requests to third-party services that are accessible through HTTP, and reconstructs the response from the received bytes. A third-party service is one that IG calls for data, such as an HTTP API or AM, or one to which IG submits data. When IG relays a request to a third-party service, IG is acting as a client of the service. IG is client-side.
Consider the following comparison of the ClientHandler and ReverseProxyHandler:
| ClientHandler | ReverseProxyHandler | |
|---|---|---|
Use this handler to … |
Send requests to third-party services accessed within a route. The service can be AM or an HTTP API. The service can be an HTTP endpoint, such as AM, IDM, Identity Cloud, or any custom HTTP API. |
Send requests to the final service accessed by a route. The service can be the final downstream application. |
If the service does not respond in time, this handler … |
Propagates the error through the Promise flow. If the error is not handled within the route, for example, by a FailureHandler,
the handler returns a |
Stops processing the request, and returns a |
When uploading or downloading large files, prevent timeout issues by increasing
the value of soTimeout, and using a streaming mode, as follows:
Configure the streamingEnabled property of
AdminHttpApplication.
Usage
{
"name": string,
"type": "ClientHandler",
"config": {
"vertx": object,
"connections": configuration expression<number>,
"waitQueueSize": configuration expression<number>,
"soTimeout": configuration expression<duration>,
"connectionTimeout": configuration expression<duration>,
"protocolVersion": configuration expression<enumeration>,
"http2PriorKnowledge": configuration expression<boolean>,
"proxyOptions": ProxyOptions reference,
"temporaryStorage": TemporaryStorage reference,
"tls": ClientTlsOptions reference,
"retries": object,
"circuitBreaker": object,
"hostnameVerifier": configuration expression<enumeration>, //deprecated
"proxy": Server reference, //deprecated
"systemProxy": boolean //deprecated
}
}* Legacy; no longer supported
Properties
"vertx": object, optional-
Vert.x-specific configuration for the handler when IG is client-side. When IG is acting server-side, configure the
connectors:vertxproperty of admin.json.When IG sends requests to a proxied application or requests services from a third-party application, IG is client-side. IG is acting as a client of the application, and the application is acting as a server. Vert.x options are described in HttpClientOptions.
The
vertxobject is read as a map, and values are evaluated as configuration expressions.For properties where IG provides its own first-class configuration, Vert.x configuration options are disallowed, and the IG configuration option takes precedence over Vert.x options configured in
vertx. The following Vert.x configuration options are disallowed client-side:-
alpnVersions -
connectTimeout -
enabledCipherSuites -
enabledSecureTransportProtocols -
http2ClearTextUpgrade -
idleTimeout -
idleTimeoutUnit -
keyCertOptions -
keyStoreOptions -
maxWaitQueueSize -
pemKeyCertOptions -
pemTrustOptions -
pfxKeyCertOptions -
pfxTrustOptions -
port -
protocolVersion -
proxyOptions -
ssl -
trustOptions -
trustStoreOptions -
useAlpn -
verifyHost
The following example configures the Vert.x configuration when IG is acting client-side. When IG is acting server-side, configure the
connectors:vertxproperty ofadmin.json:{ "vertx": { "maxWebSocketFrameSize": 128000, "maxWebSocketMessageSize": 256000, "compressionLevel": 4, "maxHeaderSize": 16384 } }The following example configures HTTP/2 connections when IG is acting client-side. The configuration allows IG to make HTTP/2 requests with large headers. When IG is acting server-side, configure the
connectors:vertxproperty ofadmin.json:{ "vertx": { "initialSettings": { "maxHeaderListSize": 16384 } } } -
"connections": configuration expression<number>, optional-
The maximum number of concurrent HTTP connections in the client connection pool.
For information about the interaction between this property and
waitQueueSize, see the description ofwaitQueueSize.Default: 64
- “waitQueueSize”: configuration expression<number>, optional
-
The maximum number of outbound requests allowed to queue when no downstream connections are available. Outbound requests received when the queue is full are rejected.
Use this property to limit memory use when there is a backlog of outbound requests, for example, when the protected application or third-party service is slow.
Configure
waitQueueSizeas follows:-
Not set (default): The wait queue is calculated as the square of
connections.-
If
connectionsis not configured, then its default of64is used, giving thewaitQueueSizeof4096. -
If the square of
connectionsexceeds the maximum integer value for the Java JVM, the maximum integer value for the Java JVM is used.
-
-
-1: The wait queue is unlimited. Requests received when there are no available connections are queued without limit. -
0: There is no wait queue. Requests received when there are no available connections are rejected. -
A value that is less than the square of
connections:When the configuration is loaded, the configured value is used. IG generates a warning that the
waitQueueSizeis too small for theconnectionssize, and recommends a different value. -
A value where
waitQueueSizeplusconnectionsexceeds the maximum integer value for the Java JVM:When the configuration is loaded, the
waitQueueSizeis reduced to the maximum integer value for the Java JVM minus the value ofconnections. IG generates a warning.
Consider the following example configuration of
connectionsandwaitQueueSize:{ "handler" : { "name" : "proxy-handler", "type" : "ReverseProxyHandler", "MyCapture" : "all", "config": { "soTimeout": "10 seconds", "connectionTimeout": "10 seconds", "connections": 64, "waitQueueSize": 100 } }, "baseURI" : "http://app.example.com:8080", "condition" : "${find(request.uri.path, '/')}" }IG can propagate the request to the sample application using 64 connections. When the connections are consumed, up to 100 subsequent requests are queued until a connection is freed. Effectively IG can accommodate 164 requests, although user concurrency delay means more may be handled. Requests received when the waitQueue is full are rejected.
Default: Not set
-
"connectionTimeout": configuration expression<duration>, optional-
Time to wait to establish a connection, expressed as a duration
Default: 10 seconds
"protocolVersion": configuration expression<enumeration>, optional-
The version of HTTP protocol to use when processing requests:
-
HTTP/2:-
For HTTP, process requests using HTTP/1.1.
-
For HTTPS, process requests using HTTP/2.
-
-
HTTP/1.1:-
For HTTP and HTTPS, process requests using HTTP/1.1.
-
-
Not set:
-
For HTTP, process requests using HTTP/1.1.
-
For HTTPS with
alpnenabled in ClientTlsOptions, process requests using HTTP/1.1, with an HTTP/2 upgrade request. If the targeted server can use HTTP/2, the client uses HTTP/2.For HTTPS with
alpndisabled in ClientTlsOptions, process requests using HTTP/1.1, without an HTTP/2 upgrade request.Note that
alpnis enabled by default in ClientTlsOptions.
-
Default: Not set
-
|
In HTTP/1.1 request messages, a In scripts or custom extensions that use HTTP/2, use
|
"http2PriorKnowledge": configuration expression<boolean>, optional-
A flag for whether the client should have prior knowledge that the server supports HTTP/2. This property is for cleartext (non-TLS requests) only, and is used only when
protocolVersionis HTTP/2.-
false: The client checks whether the server supports HTTP/2 by sending an HTTP/1.1 request to upgrade the connection to HTTP/2:-
If the server supports HTTP/2, the server upgrades the connection to HTTP/2, and subsequent requests are processed over HTTP/2.
-
If the server does not support HTTP/2, the connection is not upgraded, and subsequent requests are processed over HTTP/1.
-
-
true: The client does not check that the server supports HTTP/2. The client sends HTTP/2 requests to the server, assuming that the server supports HTTP/2.
Default:
false -
"proxyOptions": ProxyOptions reference, optional-
A proxy server to which requests can be submitted. Use this property to relay requests to other parts of the network. For example, use it to submit requests from an internal network to the internet.
Provide the name of a ProxyOptions object defined in the heap or an inline configuration.
Default: A heap object named
ProxyOptions.
"soTimeout": configuration expression<duration>, optional-
Socket timeout, after which stalled connections are destroyed, expressed as a duration.
If SocketTimeoutExceptionerrors occur in the logs when you try to upload or download large files, consider increasingsoTimeout.Default: 10 seconds
"temporaryStorage": TemporaryStorage reference, optional-
The TemporaryStorage object to buffer the request and response, when the
streamingEnabledproperty of admin.json isfalse.Default: A heap object named
TemporaryStorage. tls: ClientTlsOptions reference, optional-
Use of a TlsOptions reference is deprecated; use ClientTlsOptions instead. For more information, refer to the Deprecated section of the Release Notes.
Configure options for connections to TLS-protected endpoints, based on ClientTlsOptions. Define the object inline or in the heap.
Default: Connections to TLS-protected endpoints are not configured.
"retries": object, optional-
Enable and configure retry for requests.
During the execution of a request to a remote server, if a runtime exception occurs, or a condition is met, IG waits for a delay, and then schedules a new execution of the request. IG tries until the allowed number of retries is reached or the execution succeeds.
A warning-level entry is logged if all retry attempts fail; a debug-level entry is logged if a retry succeeds.
"retries": { "enabled": configuration expression<boolean>, "condition": runtime expression<boolean>, "executor": ScheduledExecutorService reference, "count": configuration expression<number>, "delay": configuration expression<duration>, } }"enabled": configuration expression<boolean>, optional-
Enable retries.
Default:
true "condition": runtine expression<boolean>, optional-
An inline IG expression to define a condition based on the response, such as an error code.
The condition is evaluated as follows:
-
If
true, IG retries the request until the value incountis reached. -
If
false, IG retries the request only if a runtime exception occurs, until the value incountis reached.Default:
${false}
-
"executor": ScheduledExecutorService reference, optional-
The ScheduledExecutorService to use for scheduling delayed execution of the request.
Default:
ScheduledExecutorServiceSee also ScheduledExecutorService.
"count": configuration expression<number>, optional-
The maximum number of retries to perform. After this threshold is passed and if the request is still not successful, then the ClientHandler propagates the failure.
Retries caused by any runtime exception or triggered condition are included in the count.
Default:
5 "delay": _configuration expression<duration>, optional-
The time to wait before retrying the request.
After a failure to send the request, if the number of retries is below the threshold, a new attempt is scheduled with the executor service after this delay.
Default:
10 seconds
The following example configures a retry when a downstream component returns a
502 Bad Gatewayresponse code:"retries": { "enabled": true, "condition": "${response.status.code == 502}" }The following example configures the handler to retry the request only once, after a 1-minute delay:
{ "retries": { "count": 1, "delay": "1 minute" } }The following example configures the handler to retry the request at most 20 times, every second:
{ "retries": { "count": 20, "delay": "1 second" } }The following example configures the handler to retry the request 5 times, every 10 seconds (default values), with a dedicated executor:
{ "retries": { "executor": { "type": "ScheduledExecutorService", "config": { "corePoolSize": 20 } } } } "circuitBreaker": object, optional-
Enable and configure a circuit breaker to trip when the number of failures exceeds a configured threshold. Calls to downstream services are stopped, and a runtime exception is returned. The circuit breaker is reset after the configured delay.
{ "circuitBreaker": { "enabled": configuration expression<boolean>, "maxFailures": configuration expression<integer>, "openDuration": configuration expression<duration>, "openHandler": Handler reference, "slidingCounter": object, "executor": ScheduledExecutorService reference } }"enabled": configuration expression<boolean>, optional-
A flag to enable the circuit breaker.
Default:
true "maxFailures": configuration expression<number>, required-
The maximum number of failed requests allowed in the window given by
size, before the circuit breaker trips. The value must be greater than zero.When
retriesis set, the circuit breaker does not count retried requests as failures. Bear this in mind when you setmaxFailures.In the following example, a request can fail and then be retried three times. If it fails the third retry, the request has failed four times, but the circuit breaker counts only one failure.
{ "retries": { "count": 3, "delay": "1 second" } } "openDuration": configuration expression<duration>, required-
The duration for which the circuit stays open after the circuit breaker trips. The
executorschedules the circuit to be closed after this duration. "openHandler": Handler reference, optional-
The Handler to call when the circuit is open.
Default: A handler that throws a RuntimeException with a "circuit-breaker open" message.
"slidingCounter": object, optional-
A sliding window error counter. The circuit breaker trips when the number of failed requests in the number of requests given by
sizereachesmaxFailures.The following image illustrates how the sliding window counts failed requests:
{ "slidingCounter": { "size": configuration expression<number> } }"size": configuration expression<number>, required-
The size of the sliding window in which to count errors.
The value of
sizemust be greater than zero, and greater than the value ofmaxFailures, otherwise an exception is thrown.
"executor": ScheduledExecutorService reference, optional-
A ScheduledExecutorService to schedule closure of the circuit after the duration given by
openDuration.Default: The default ScheduledExecutorService in the heap
"hostnameVerifier": configuration expression<enumeration>, optional-
This property is deprecated; use the tlsproperty instead to configure ClientTlsOptions. For more information, refer to the Deprecated section of the Release Notes.The way to handle hostname verification for outgoing SSL connections. Use one of the following values:
-
ALLOW_ALL: Allow a certificate issued by a trusted CA for any hostname or domain to be accepted for a connection to any domain.This setting allows a certificate issued for one company to be accepted as a valid certificate for another company. To prevent the compromise of TLS connections, use this setting in development mode only. In production, use
STRICT. -
STRICT: Match the hostname either as the value of the the first CN, or any of the subject-alt names.A wildcard can occur in the CN, and in any of the subject-alt names. Wildcards match one domain level, so
*.example.commatcheswww.example.combut notsome.host.example.com.
Default:
STRICT -
"proxy": Server reference, optional-
This property is deprecated; use proxyOptionsinstead. For more information, refer to the Deprecated section of the Release Notes.A proxy server to which requests can be submitted. Use this property to relay requests to other parts of the network. For example, use it to submit requests from an internal network to the internet.
If both
proxyandsystemProxyare defined,proxytakes precedence."proxy" : { "uri": configuration expression<uri string>, "username": configuration expression<string>, "passwordSecretId": configuration expression<secret-id>, "secretsProvider": SecretsProvider reference }"uri": configuration expression<uri string>, required-
URI of a server to use as a proxy for outgoing requests.
The result of the expression must be a string that represents a valid URI, but is not a real java.net.URI object.
"username": configuration expression<string>, required if the proxy requires authentication-
Username to access the proxy server.
"passwordSecretId": configuration expression<secret-id>, required if the proxy requires authentication-
The secret ID of the password to access the proxy server.
This secret ID must point to a GenericSecret.
"secretsProvider": SecretsProvider reference, required-
The SecretsProvider to query for the proxy’s password.
"systemProxy": boolean, optional-
This property is deprecated; use proxyOptionsinstead. For more information, refer to the Deprecated section of the Release Notes.Submit outgoing requests to a system-defined proxy, set by the following system properties or their HTTPS equivalents:
-
http.proxyHost, the host name of the proxy server. -
http.proxyPort, the port number of the proxy server. The default is80. -
http.nonProxyHosts, a list of hosts that should be reached directly, bypassing the proxy.
This property can’t be used with a proxy that requires a username and password. Use the property
proxyinstead.If both
proxyandsystemProxyare defined,proxytakes precedence.For more information, refer to Java Networking and Proxies.
Default: False.
-
"keyManager": Key manager reference(s), optional-
This property is deprecated; use the tlsproperty instead to configure ClientTlsOptions. For more information, refer to the Deprecated section of the Release Notes.The key manager(s) that handle(s) this client’s keys and certificates.
The value of this field can be a single reference, or an array of references.
Provide either the name(s) of key manager object(s) defined in the heap, or specify the configuration object(s) inline.
You can specify either a single key manager, as in
"keyManager": "MyKeyManager", or an array of key managers, as in"keyManager": [ "FirstKeyManager", "SecondKeyManager" ].If you do not configure a key manager, then the client cannot present a certificate, and so cannot play the client role in mutual authentication.
"sslCipherSuites": array of strings, optional-
This property is deprecated; use the tlsproperty instead to configure ClientTlsOptions. For more information, refer to the Deprecated section of the Release Notes.Array of cipher suite names, used to restrict the cipher suites allowed when negotiating transport layer security for an HTTPS connection.
For information about the available cipher suite names, refer to the documentation for the Java virtual machine (JVM) where you run IG. For Oracle Java, refer to the list of JSSE Cipher Suite Names.
Default: Allow any cipher suite supported by the JVM.
"sslContextAlgorithm": string, optional-
This property is deprecated; use the tlsproperty instead to configure ClientTlsOptions. For more information, refer to the Deprecated section of the Release Notes.The SSLContext algorithm name, as listed in the table of SSLContext Algorithms for the Java Virtual Machine used by IG.
Default: TLS
"sslEnabledProtocols": array of strings, optional-
This property is deprecated; use the tlsproperty instead to configure ClientTlsOptions. For more information, refer to the Deprecated section of the Release Notes.Array of protocol names, used to restrict the protocols allowed when negotiating transport layer security for an HTTPS connection.
Default: Allow any protocol supported by the JVM.
"trustManager": Trust manager reference(s), optional-
This property is deprecated; use the tlsproperty instead to configure ClientTlsOptions. For more information, refer to the Deprecated section of the Release Notes.The trust managers that handle(s) peers' public key certificates.
The value of this field can be a single reference, or an array of references.
Provide either the name(s) of trust manager object(s) defined in the heap, or specify the configuration object(s) inline.
You can specify either a single trust manager, as in
"trustManager": "MyTrustManager", or an array of trust managers, as in"trustManager": [ "FirstTrustManager", "SecondTrustManager" ].If you do not configure a trust manager, then the client uses only the default Java truststore. The default Java truststore depends on the Java environment. For example,
$JAVA_HOME/lib/security/cacerts.
DispatchHandler
When a request is handled, the first condition in the list of conditions is
evaluated. If the condition expression yields true, the request is
dispatched to the associated handler with no further processing. Otherwise,
the next condition in the list is evaluated.
Usage
{
"name": string,
"type": "DispatchHandler",
"config": {
"bindings": [
{
"condition": runtime expression<boolean>,
"handler": Handler reference,
"baseURI": runtime expression<url>,
}, ...
]
}
}Properties
"bindings": array of objects, required-
One or more condition and handler bindings.
"condition": runtime expression<boolean>, optional-
A flag to indicate that a condition is met. The condition can be based on the request, context, or IG runtime environment, such as system properties or environment variables.
Conditions are defined using IG expressions, as described in Expressions, and are evaluated as follows:
-
true: The request is dispatched to the associated handler. -
false: The next condition in the list is evaluated.
For examples, refer to Example conditions and requests.
Default:
${true} -
"handler": Handler reference, required-
The Handler to which IG dispaches the request if the associated condition yields
true.Provide the name of a Handler object defined in the heap or an inline Handler configuration object.
"baseURI": runtime expression<url>,optional-
A base URI that overrides the existing request URI. Only scheme, host, and port are used in the supplied URI.
The result of the expression must be a string that represents a valid URI, but is not a real
java.net.URIobject. For example, it would be incorrect to use${request.uri}, which is not a String but a MutableUri.In the following example, the binding condition looks up the hostname of the request. If it finds a match, the value is used for the
baseURI. Otherwise, the default value is used:{ "properties": { "uris": { "app1.example.com": { "baseURI": "http://backend1:8080/" }, "app2.example.com": { "baseURI": "http://backend2:8080/" }, "default": { "baseURI": "http://backend3:8080/" } } }, "handler": { "type": "DispatchHandler", "config": { "bindings": [ { "condition": "${not empty uris[contexts.router.originalUri.host]}", "baseURI": "${uris[contexts.router.originalUri.host].baseURI}", "handler": "ReverseProxyHandler" }, { "baseURI": "${uris['default'].baseURI}", "handler": "ReverseProxyHandler" } ] } } }Default: No change to the base URI
Example
For an example that uses a DispatchHandler, refer to Implement not-enforced URIs with a DispatchHandler
ForgeRockClientHandler
The ForgeRockClientHandler is a Handler available by default on the heap that chains a default ClientHandler with a TransactionIdOutboundFilter.
This Handler supports ForgeRock audit by supporting the initiation or propagation of audit information from IG to the audit framework. For more information, see AuditService.
The following default ForgeRockClientHandler is available as a default object on the heap, and can be referenced by the name ForgeRockClientHandler.
{
"name": "ForgeRockClientHandler",
"type": "Chain",
"config": {
"filters": [ "TransactionIdOutboundFilter" ],
"handler": "ClientHandler"
}
}Example
For an example that uses ForgeRockClientHandler to log interactions between IG and AM, see Decorating IG’s interactions with AM.
IdentityAssertionHandler
Use in an Identity Cloud authentication journey with the IdentityAssertionNode node.
This handler replaces IdentityAssertionHandlerTechPreview designed for the Gateway Communication node described in Identity Cloud’s Gateway Communication overview.
The following image shows the flow of information when an Identity Assertion node authenticates internal accesses:
As part of an Identity Cloud journey, the IdentityAssertionHandler uses an identityAssertionPlugin to manage local authentication as follows:
-
The Identity Cloud authentication journey redirects a user to IG for local authentication, providing an identity request JWT.
-
IG validates the identity request JWT.
-
The identityAssertionPlugin accesses the IdentityRequestJwtContext generated from the identity request JWT. It then performs local processing and returns the principal and identity claims in an identity assertion JWT.
-
IG redirects the user back to Identity Cloud authentication journey, providing the identity assertion JWT. If an exception prevents IG from returning a valid identity assertion JWT, IG returns an HTTP 500.
The following table lists the claims contained in identity request JWT and identity assertion JWT:
| Claim | Description | Identity request JWT | Identity assertion JWT (succesful plugin processing) |
Identity assertion JWT (plugin processing error) |
|---|---|---|---|---|
|
Issuer |
|
|
|
|
Audience |
|
|
|
|
Issued at |
|
|
|
|
Expiration time |
|
|
|
|
Unique ID generated by the IdentityGatewayAssertionNode and returned in the identity assertion JWT |
|
|
|
|
URL on which to send the identity assertion JWT |
|
|
|
|
JWT version; only v1 is supported |
|
|
|
|
Map of claims items that can be required by a plugin |
Optional |
|
|
|
The user for whom the identity assertion JWT is issued |
|
|
|
|
Map of additional identity claims returned by the plugin |
|
|
|
|
Error message of the plugin processing failure |
|
|
|
Usage
{
"name": string,
"type": "IdentityAssertionHandler",
"config": {
"identityAssertionPlugin": IdentityAssertionPlugin reference,
"selfIdentifier": configuration expression<string>,
"peerIdentifier": configuration expression<string>,
"encryptionSecretId": configuration expression<secret-id>,
"secretsProvider": Secrets Provider reference,
"expiry": configuration expression<duration>,
"skewAllowance": configuration expression<duration>
}
}"identityAssertionPlugin": configuration expression<string>, required-
An implementation of org.forgerock.openig.handler.assertion.IdentityAssertionPlugin.
This plugin is called after the IdentityAssertionHandler validates the identity request JWT from Identity Cloud. The handler then passes the IdentityRequestJwtContext in the context chain to the plugin.
For an out-of-the-box plugin to support use-cases that aren’t already provisioned by an IG plugin, refer to ScriptableIdentityAssertionPlugin.
"selfIdentifier": configuration expression<string>, required-
An identifier to validate that this IG instance is the correct audience for the identity request from Identity Cloud.
This identifier is the value of:
-
audclaim in the identity request JWT -
issclaim in the identity assertion JWT
Can’t be null.
-
"peerIdentifier": configuration expression<string>, required-
An identifier to validate that the expected Identity Cloud instance issued the identity request.
This identifier is the value of the:
-
issclaim in the identity request JWT -
audclaim in the identity assertion JWT
Can’t be null.
-
"encryptionSecretId": configuration expression<secret-id>, required-
The secret ID for the secret to decrypt the identity request JWT and encrypt the returned identity assertion JWT. The secret ID must point to a CryptoKey. Decryption and encryption is with AES GCM using a 256-bit key.
"secretsProvider": SecretsProvider reference, required-
The SecretsProvider to resolve encrytion and decryption keys.
"expiry": _configuration expression<duration>, optional-
The expiry time of the identity assertion JWT.
Default: 30 seconds
"skewAllowance": configuration expression<duration>, optional-
The duration to add to the validity period of a JWT to allow for clock skew between different servers.
A
skewAllowanceof 2 minutes affects the validity period as follows:-
A JWT with an
iatof 12:00 is valid from 11:58 on the IG clock. -
A JWT with an
exp13:00 is expired after 13:02 on the IG clock.
Default: To support a zero-trust policy, the skew allowance is by default
zero. -
Example
The following route is an Identity Assertion service route for use with the IdentityAssertionNode.
{
"name": "IdentityAssertion",
"condition": "${find(request.uri.path, '^/idassert')}",
"properties": {
"amIdcPeer": "myTenant.forgeblocks.com"
},
"handler": "IdentityAssertionHandler-1",
"heap": [
{
"name": "IdentityAssertionHandler-1",
"type": "IdentityAssertionHandler",
"config": {
"identityAssertionPlugin": "BasicAuthScriptablePlugin",
"selfIdentifier": "https://ig.ext.com:8443",
"peerIdentifier": "&{amIdcPeer}",
"secretsProvider": [
"secrets-pem"
],
"encryptionSecretId": "idassert"
}
},
{
"name": "BasicAuthScriptablePlugin",
"type": "ScriptableIdentityAssertionPlugin",
"config": {
"type": "application/x-groovy",
"source": [
"import org.forgerock.openig.assertion.IdentityAssertionClaims",
"import org.forgerock.openig.assertion.plugin.IdentityAssertionPluginException",
"logger.info('Running ScriptableIdentityAssertionPlugin')",
"return new IdentityAssertionClaims('demo')"
]
}
},
{
"name": "pemPropertyFormat",
"type": "PemPropertyFormat"
},
{
"name": "secrets-pem",
"type": "FileSystemSecretStore",
"config": {
"directory": "&{ig.instance.dir}/secrets/igfs",
"suffix": ".pem",
"format": "pemPropertyFormat",
"mappings": [
{
"secretId": "idassert",
"format": "pemPropertyFormat"
}
]
}
}
]
}IdentityAssertionHandlerTechPreview
| The IdentityAssertionHandlerTechPreview, ScriptableIdentityAssertionPluginTechPreview, and IdentityAssertionPluginTechPreview are available in Technology preview. They aren’t yet supported, may be functionally incomplete, and are subject to change without notice. |
Use in an Identity Cloud authentication journey with the Gateway Communication node. described in Identity Cloud’s Gateway Communication overview.
The IdentityAssertionHandlerTechPreview sets up an IdentityAssertionPluginTechPreview to manage local processing, such as authentication. The Handler then calls the plugin at runtime for each request.
An Identity Cloud authentication journey does the following:
-
Redirects users to IG for local authentication.
-
After local authentication, provides an identity assertion and redirects users back to the Identity Cloud authentication journey.
The Identity Cloud authentication journey provides:
-
A cryptographically-secure random value in a nonce to validate the identity assertion.
-
A
returnUrito redirect the user back to Identity Cloud to continue the authentication journey.
Exceptions during local processing cause a redirect with an assertion JWT
containing an assertionError claim.
Exceptions that prevent the return of a valid assertion, such as an invalid
incoming JWT or key error, cause an HTTP 500.
Usage
{
"name": string,
"type": "IdentityAssertionHandlerTechPreview",
"config": {
"identityAssertionPlugin": IdentityAssertionPluginTechPreview reference,
"selfIdentifier": configuration expression<string>,
"peerIdentifier": configuration expression<string>,
"expire": configuration expression<duration>,
"secretsProvider": Secrets Provider reference,
"verificationSecretId": configuration expression<secret-id>,
"decryptionSecretId": configuration expression<secret-id>,
"skewAllowance": configuration expression<duration>,
"signature": object
}
}"identityAssertionPlugin": configuration expression<string>, required-
An implementation of org.forgerock.openig.handler.assertion.IdentityAssertionPluginTechPreview.
An out-of-the box implementation is available in ScriptableIdentityAssertionPluginTechPreview.
"selfIdentifier": configuration expression<string>, required-
An identifier to validate that this IG instance is the right audience for the incoming JWT from Identity Cloud. The same identifier is used for the
issclaim of the outgoing JWT sent to Identity Cloud.Can’t be null.
"peerIdentifier": configuration expression<string>, required-
An identifier to validate that the incoming JWT is from the expected peer. The same identifier is used for the
audclaim in the outgoing JWT sent Identity Cloud.Can’t be null.
"expire": duration, optional-
The expiry time of the outgoing JWT sent to Identity Cloud.
Default: 30 seconds
"secretsProvider": SecretsProvider reference, required-
The SecretsProvider to query for cryptographic keys.
"verificationSecretId": configuration expression<secret-id>, required-
The secret ID for the secret to validate the signature of the incoming JWT. The secret ID must point to a CryptoKey.
"decryptionSecretId": configuration expression<secret-id>, optional-
The secret ID for the secret to decrypt the incoming JWT. The secret ID must point to a CryptoKey.
When this property isn’t set, IG treats the incoming JWT as signed but not encrypted.
Default: Not set.
"skewAllowance": configuration expression<duration>, optional-
The duration to add to the validity period of a JWT to allow for clock skew between different servers.
A
skewAllowanceof 2 minutes affects the validity period as follows:-
A JWT with an
iatof 12:00 is valid from 11:58 on the IG clock. -
A JWT with an
exp13:00 is expired after 13:02 on the IG clock.
Default: To support a zero-trust policy, the skew allowance is by default
zero. -
"signature": object, required-
A JWT signature to validate the authenticity of claims or data for the outgoing JWT.
{ "signature": { "secretId": configuration expression<secret-id>, "algorithm": configuration expression<string>, "encryption": object } }"secretId": secret-id, required-
The secret ID of the signing key. The secret ID must point to a CryptoKey.
"algorithm": configuration expression<string>, optional-
The signing algorithm.
Default:
RS256 "encryption": object, required-
Configuration to encrypt the JWT.
{ "encryption": { "secretId": configuration expression<secret-id>, "algorithm": configuration expression<string>, "method": configuration expression<string> } }"secretId": secret-id, required-
The secret ID of the encryption key. The secret ID must point to a CryptoKey.
"algorithm": configuration expression<string>, required-
The encryption algorithm. Use an algorithm from the List of JWS Algorithms.
"method": configuration expression<string>, required-
The encryption method. Use a method from the List of JWE Algorithms.
Example
The following example route is for a Identity Cloud authentication journey that uses a Gateway Communication node.
For information about the identityAssertionPlugin object, refer to the example
in ScriptableIdentityAssertionPluginTechPreview.
{
"type": "IdentityAssertionHandlerTechPreview",
"config": {
"identityAssertionPlugin": "BasicAuthScriptablePlugin",
"selfIdentifier": "identity-gateway",
"peerIdentifier": "gateway-communication-node",
"secretsProvider": [
"IG-Decrypt",
"Node-Verify",
"IG-Sign",
"Node-Encrypt"
],
"verificationSecretId": "id.key.for.verifying.incoming.jwt",
"decryptionSecretId": "id.key.for.decrypting.incoming.jwt",
"signature": {
"secretId": "id.key.for.signing.assertion.jwt",
"algorithm": "RS256",
"encryption": {
"secretId": "id.key.for.encrypting.assertion.jwt",
"algorithm": "RSA-OAEP-256",
"method": "A256GCM"
}
}
}
}JwkSetHandler
Expose cryptographic keys as a JWK set. Use this handler to reuse exposed keys for their assigned purpose in a downstream application.
Consider the following limitations:
-
When the public key isn’t available, the corresponding private key can’t be exposed.
You are not recommended to expose private keys as a JWK. -
Keys in secure storage, such as a Hardware Security Module (HSM) or remote server, can’t be exposed.
For a description of how secrets are managed, refer to About secrets.
For information about JWKs and JWK Sets, refer to JSON Web Key (JWK).
Usage
{
"name": string,
"type": "JwkSetHandler",
"config": {
"secretsProvider": SecretsProvider reference,
"purposes": [ object, ... ],
"exposePrivateSecrets": configuration expression<boolean>
}
}"secretsProvider": SecretsProvider reference, required-
The SecretsProvider containing secrets to expose in the JwkSet.
"purposes": array of objects, required-
One or more purposes for the JwkSet key.
{
"purposes": [
{
"secretId": configuration expression<secret-id>,
"keyUsage": configuration expression<enumeration>
},
...
]
}"secretId": configuration expression<secret-id>, required-
The secret ID of the key to be exposed in the JwkSet.
This secret ID must point to a CryptoKey.
"keyUsage": configuration expression<enumeration>, required-
The allowed use of the key:
-
AGREE_KEY: Export the private key used in the key agreement protocol, for example, Diffie-Hellman. -
ENCRYPT: Export the public key used to encrypt data. -
DECRYPT: Export the private key used to decrypt data. -
SIGN: Export the private key used to sign data. -
VERIFY: Export the public key used to verify signature data. -
WRAP_KEY: Export the public key used to encrypt (wrap) other keys. -
UNWRAP_KEY: Export the private key used to decrypt (unwrap) other keys.
-
exposePrivateSecrets: configuration expression<boolean>, optional-
A flag indicating whether to publish private keys in a JWK set. As a security safeguard, this property is
falseby default to prevent the accidental exposure of private keys.true: Publish both public and private keys in the JWK setfalse: Publish only public keys in the JWK setDefault:
false
Examples
This example uses a JwkSetHandler to expose a signing key used by the JwtBuilderFilter:
-
Set an environment variable for the base64-encoded secret to sign the JWT:
$ export SIGNING_KEY_SECRET_ID='cGFzc3dvcmQ=' -
Add the following route to IG:
-
Linux
-
Windows
$HOME/.openig/config/routes/jwksethandler.json
%appdata%\OpenIG\config\routes\jwksethandler.json
{ "name": "jwksethandler", "condition": "${find(request.uri.path, '/jwksethandler')}", "heap": [ { "name": "SecretKeyPropertyFormat-1", "type": "SecretKeyPropertyFormat", "config": { "format": "BASE64", "algorithm": "AES" } }, { "name": "SystemAndEnvSecretStore-1", "type": "SystemAndEnvSecretStore", "config": { "mappings": [{ "secretId": "signing.key.secret.id", "format": "SecretKeyPropertyFormat-1" }] } } ], "handler": { "type": "Chain", "config": { "filters": [ { "name": "JwtBuilderFilter-1", "type": "JwtBuilderFilter", "config": { "template": { "name": "${contexts.userProfile.commonName}", "email": "${contexts.userProfile.rawInfo.mail[0]}" }, "secretsProvider": "SystemAndEnvSecretStore-1", "signature": { "secretId": "signing.key.secret.id", "algorithm": "HS256" } } } ], "handler": { "type": "JwkSetHandler", "config": { "secretsProvider": "SystemAndEnvSecretStore-1", "purposes": [{ "secretId": "signing.key.secret.id", "keyUsage": "SIGN" }] } } } } }Notice the following features of the route:
-
The route matches requests to
/jwksethandler. -
The JWT signing key is managed by the SysEnvStoreSecretStore in the heap, which refers to the SecretKeyPropertyFormat for the secret’s format.
-
The JwtBuilderFilter
signatureproperty refers to the JWT signing key in the SysEnvStoreSecretStore. -
The JwkSetHandler refers to the JWT signing key.
-
-
Go to http://ig.example.com:8080/jwksethandler.
The signing key is displayed as an array, as follows:
{ "keys": [ { "k": "cGFzc3dvcmQ", "kid": "signing.key.secret.id", "kty": "oct", "use": "sig" } ] }The JWK set secret is ULR base64-encoded. Although the secret is set with the value
cGFzc3dvcmQ=, the valuecGFzc3dvcmQis exposed.
ResourceHandler
Serves static content from a directory.
Usage
{
"name": string,
"type": "ResourceHandler",
"config": {
"directories": [ configuration expression<string>, ... ],
"basePath": configuration expression<string>,
"welcomePages": [ configuration expression<string>, ... ],
"temporaryStorage": TemporaryStorage reference
}
}Properties
"directories": array of configuration expression<strings>, required-
A list of one or more directories in which to search for static content.
When multiple directories are specified in an array, the directories are searched in the listed order.
"basePath": _configuration expression<string>, required if the route is not/-
The base path of the incoming request for static content.
To specify no base path, leave this property out of the configuration, or specify it as
"basePath": ""or"basePath": "/".Default:
"". "welcomePages": array of configuration expression<strings>, optional-
A set of static content to serve from one of the specified directories when no specific resource is requested.
When multiple sets of static content are specified in an array, the sets are searched for in the listed order. The first set that is found is used.
Default: Empty
"temporaryStorage": TemporaryStorage reference, optional-
A TemporaryStorage object for the static content.
Default:
TemporaryStorageheap object
Example
The following example serves requests to http://ig.example.com:8080 with the
static file index.html from /path/to/static/pages/:
{
"name": "StaticWebsite",
"type": "ResourceHandler",
"config": {
"directories": ["/path/to/static/pages"],
"welcomePages": ["index.html"]
}
}When the basePath is /website, the example serves requests to
http://ig.example.com:8080/website:
{
"name": "StaticWebsite",
"type": "ResourceHandler",
"config": {
"directories": ["/path/to/static/pages"],
"basePath": "/website",
"welcomePages": ["index.html"]
}
}ReverseProxyHandler
Proxy requests to protected applications. When IG relays the request to the protected application, IG is acting as a client of the application. IG is client-side.
Consider the following comparison of the ClientHandler and ReverseProxyHandler:
| ClientHandler | ReverseProxyHandler | |
|---|---|---|
Use this handler to … |
Send requests to third-party services accessed within a route. The service can be AM or an HTTP API. The service can be an HTTP endpoint, such as AM, IDM, Identity Cloud, or any custom HTTP API. |
Send requests to the final service accessed by a route. The service can be the final downstream application. |
If the service does not respond in time, this handler … |
Propagates the error through the Promise flow. If the error is not handled within the route, for example, by a FailureHandler,
the handler returns a |
Stops processing the request, and returns a |
When uploading or downloading large files, prevent timeout issues by increasing
the value of soTimeout, and using a streaming mode, as follows:
Configure the streamingEnabled property of
AdminHttpApplication.
Usage
{
"name": string,
"type": "ReverseProxyHandler",
"config": {
"vertx": object,
"connections": configuration expression<number>,
"waitQueueSize": configuration expression<number>,
"soTimeout": configuration expression<duration>,
"connectionTimeout": configuration expression<duration>,
"protocolVersion": configuration expression<enumeration>,
"http2PriorKnowledge": configuration expression<boolean>,
"proxyOptions": ProxyOptions reference,
"temporaryStorage": TemporaryStorage reference,
"tls": ClientTlsOptions reference,
"retries": object,
"circuitBreaker": object,
"websocket": object,
"hostnameVerifier": configuration expression<enumeration>, //deprecated
"proxy": Server reference, //deprecated
"systemProxy": boolean //deprecated
}
}* Legacy; no longer supported
Properties
"vertx": object, optional-
Vert.x-specific configuration for the handler, where IG does not provide its own first-class configuration. Vert.x options are described in HttpClientOptions.
The
vertxobject is read as a map, and values are evaluated as configuration expressions.For properties where IG provides its own first-class configuration, Vert.x configuration options are disallowed, and the IG configuration option takes precedence over Vert.x options configured in
vertx. The following Vert.x configuration options are disallowed client-side:-
alpnVersions -
connectTimeout -
enabledCipherSuites -
enabledSecureTransportProtocols -
http2ClearTextUpgrade -
idleTimeout -
idleTimeoutUnit -
keyCertOptions -
keyStoreOptions -
maxWaitQueueSize -
pemKeyCertOptions -
pemTrustOptions -
pfxKeyCertOptions -
pfxTrustOptions -
port -
protocolVersion -
proxyOptions -
ssl -
trustOptions -
trustStoreOptions -
useAlpn -
verifyHost
The following example configures the Vert.x configuration when IG is acting client-side. When IG is acting server-side, configure the
connectors:vertxproperty ofadmin.json:{ "vertx": { "maxWebSocketFrameSize": 128000, "maxWebSocketMessageSize": 256000, "compressionLevel": 4, "maxHeaderSize": 16384 } }The following example configures HTTP/2 connections when IG is acting client-side. The configuration allows IG to make HTTP/2 requests with large headers. When IG is acting server-side, configure the
connectors:vertxproperty ofadmin.json:{ "vertx": { "initialSettings": { "maxHeaderListSize": 16384 } } } -
"connections": configuration expression<number>, optional-
The maximum number of concurrent HTTP connections in the client connection pool.
For information about the interaction between this property and
waitQueueSize, see the description ofwaitQueueSize.Default: 64
- “waitQueueSize”: configuration expression<number>, optional
-
The maximum number of outbound requests allowed to queue when no downstream connections are available. Outbound requests received when the queue is full are rejected.
Use this property to limit memory use when there is a backlog of outbound requests, for example, when the protected application or third-party service is slow.
Configure
waitQueueSizeas follows:-
Not set (default): The wait queue is calculated as the square of
connections.-
If
connectionsis not configured, then its default of64is used, giving thewaitQueueSizeof4096. -
If the square of
connectionsexceeds the maximum integer value for the Java JVM, the maximum integer value for the Java JVM is used.
-
-
-1: The wait queue is unlimited. Requests received when there are no available connections are queued without limit. -
0: There is no wait queue. Requests received when there are no available connections are rejected. -
A value that is less than the square of
connections:When the configuration is loaded, the configured value is used. IG generates a warning that the
waitQueueSizeis too small for theconnectionssize, and recommends a different value. -
A value where
waitQueueSizeplusconnectionsexceeds the maximum integer value for the Java JVM:When the configuration is loaded, the
waitQueueSizeis reduced to the maximum integer value for the Java JVM minus the value ofconnections. IG generates a warning.
Consider the following example configuration of
connectionsandwaitQueueSize:{ "handler" : { "name" : "proxy-handler", "type" : "ReverseProxyHandler", "MyCapture" : "all", "config": { "soTimeout": "10 seconds", "connectionTimeout": "10 seconds", "connections": 64, "waitQueueSize": 100 } }, "baseURI" : "http://app.example.com:8080", "condition" : "${find(request.uri.path, '/')}" }IG can propagate the request to the sample application using 64 connections. When the connections are consumed, up to 100 subsequent requests are queued until a connection is freed. Effectively IG can accommodate 164 requests, although user concurrency delay means more may be handled. Requests received when the waitQueue is full are rejected.
Default: Not set
-
"connectionTimeout": configuration expression<duration>, optional-
Time to wait to establish a connection, expressed as a duration
Default: 10 seconds
"protocolVersion": configuration expression<enumeration>, optional-
The version of HTTP protocol to use when processing requests:
-
HTTP/2:-
For HTTP, process requests using HTTP/1.1.
-
For HTTPS, process requests using HTTP/2.
-
-
HTTP/1.1:-
For HTTP and HTTPS, process requests using HTTP/1.1.
-
-
Not set:
-
For HTTP, process requests using HTTP/1.1.
-
For HTTPS with
alpnenabled in ClientTlsOptions, process requests using HTTP/1.1, with an HTTP/2 upgrade request. If the targeted server can use HTTP/2, the client uses HTTP/2.For HTTPS with
alpndisabled in ClientTlsOptions, process requests using HTTP/1.1, without an HTTP/2 upgrade request.Note that
alpnis enabled by default in ClientTlsOptions.
-
Default: Not set
-
|
In HTTP/1.1 request messages, a In scripts or custom extensions that use HTTP/2, use
|
"http2PriorKnowledge": configuration expression<boolean>, optional-
A flag for whether the client should have prior knowledge that the server supports HTTP/2. This property is for cleartext (non-TLS requests) only, and is used only when
protocolVersionis HTTP/2.-
false: The client checks whether the server supports HTTP/2 by sending an HTTP/1.1 request to upgrade the connection to HTTP/2:-
If the server supports HTTP/2, the server upgrades the connection to HTTP/2, and subsequent requests are processed over HTTP/2.
-
If the server does not support HTTP/2, the connection is not upgraded, and subsequent requests are processed over HTTP/1.
-
-
true: The client does not check that the server supports HTTP/2. The client sends HTTP/2 requests to the server, assuming that the server supports HTTP/2.
Default:
false -
"proxyOptions": ProxyOptions reference, optional-
A proxy server to which requests can be submitted. Use this property to relay requests to other parts of the network. For example, use it to submit requests from an internal network to the internet.
Provide the name of a ProxyOptions object defined in the heap or an inline configuration.
Default: A heap object named
ProxyOptions.
"soTimeout": configuration expression<duration>, optional-
Socket timeout, after which stalled connections are destroyed, expressed as a duration.
If SocketTimeoutExceptionerrors occur in the logs when you try to upload or download large files, consider increasingsoTimeout.Default: 10 seconds
"temporaryStorage": TemporaryStorage reference, optional-
The TemporaryStorage object to buffer the request and response, when the
streamingEnabledproperty of admin.json isfalse.Default: A heap object named
TemporaryStorage. tls: ClientTlsOptions reference, optional-
Use of a TlsOptions reference is deprecated; use ClientTlsOptions instead. For more information, refer to the Deprecated section of the Release Notes.
Configure options for connections to TLS-protected endpoints, based on ClientTlsOptions. Define the object inline or in the heap.
Default: Connections to TLS-protected endpoints are not configured.
"retries": object, optional-
Enable and configure retry for requests.
During the execution of a request to a remote server, if a runtime exception occurs, or a condition is met, IG waits for a delay, and then schedules a new execution of the request. IG tries until the allowed number of retries is reached or the execution succeeds.
A warning-level entry is logged if all retry attempts fail; a debug-level entry is logged if a retry succeeds.
"retries": { "enabled": configuration expression<boolean>, "condition": runtime expression<boolean>, "executor": ScheduledExecutorService reference, "count": configuration expression<number>, "delay": configuration expression<duration>, } }"enabled": configuration expression<boolean>, optional-
Enable retries.
Default:
true "condition": runtine expression<boolean>, optional-
An inline IG expression to define a condition based on the response, such as an error code.
The condition is evaluated as follows:
-
If
true, IG retries the request until the value incountis reached. -
If
false, IG retries the request only if a runtime exception occurs, until the value incountis reached.Default:
${false}
-
"executor": ScheduledExecutorService reference, optional-
The ScheduledExecutorService to use for scheduling delayed execution of the request.
Default:
ScheduledExecutorServiceSee also ScheduledExecutorService.
"count": configuration expression<number>, optional-
The maximum number of retries to perform. After this threshold is passed and if the request is still not successful, then the ClientHandler propagates the failure.
Retries caused by any runtime exception or triggered condition are included in the count.
Default:
5 "delay": _configuration expression<duration>, optional-
The time to wait before retrying the request.
After a failure to send the request, if the number of retries is below the threshold, a new attempt is scheduled with the executor service after this delay.
Default:
10 seconds
The following example configures a retry when a downstream component returns a
502 Bad Gatewayresponse code:"retries": { "enabled": true, "condition": "${response.status.code == 502}" }The following example configures the handler to retry the request only once, after a 1-minute delay:
{ "retries": { "count": 1, "delay": "1 minute" } }The following example configures the handler to retry the request at most 20 times, every second:
{ "retries": { "count": 20, "delay": "1 second" } }The following example configures the handler to retry the request 5 times, every 10 seconds (default values), with a dedicated executor:
{ "retries": { "executor": { "type": "ScheduledExecutorService", "config": { "corePoolSize": 20 } } } } "circuitBreaker": object, optional-
Enable and configure a circuit breaker to trip when the number of failures exceeds a configured threshold. Calls to downstream services are stopped, and a runtime exception is returned. The circuit breaker is reset after the configured delay.
{ "circuitBreaker": { "enabled": configuration expression<boolean>, "maxFailures": configuration expression<integer>, "openDuration": configuration expression<duration>, "openHandler": Handler reference, "slidingCounter": object, "executor": ScheduledExecutorService reference } }"enabled": configuration expression<boolean>, optional-
A flag to enable the circuit breaker.
Default:
true "maxFailures": configuration expression<number>, required-
The maximum number of failed requests allowed in the window given by
size, before the circuit breaker trips. The value must be greater than zero.When
retriesis set, the circuit breaker does not count retried requests as failures. Bear this in mind when you setmaxFailures.In the following example, a request can fail and then be retried three times. If it fails the third retry, the request has failed four times, but the circuit breaker counts only one failure.
{ "retries": { "count": 3, "delay": "1 second" } } "openDuration": configuration expression<duration>, required-
The duration for which the circuit stays open after the circuit breaker trips. The
executorschedules the circuit to be closed after this duration. "openHandler": Handler reference, optional-
The Handler to call when the circuit is open.
Default: A handler that throws a RuntimeException with a "circuit-breaker open" message.
"slidingCounter": object, optional-
A sliding window error counter. The circuit breaker trips when the number of failed requests in the number of requests given by
sizereachesmaxFailures.The following image illustrates how the sliding window counts failed requests:
{ "slidingCounter": { "size": configuration expression<number> } }"size": configuration expression<number>, required-
The size of the sliding window in which to count errors.
The value of
sizemust be greater than zero, and greater than the value ofmaxFailures, otherwise an exception is thrown.
"executor": ScheduledExecutorService reference, optional-
A ScheduledExecutorService to schedule closure of the circuit after the duration given by
openDuration.Default: The default ScheduledExecutorService in the heap
"websocket": object, optional-
Object to configure upgrade from HTTP or HTTPS protocol to WebSocket protocol.
Every key/value of the
websocketobject is evaluated as a configuration expression.List the subprotocols that are proxied by IG in the
vertxproperty of AdminHttpApplication (admin.json). For more information and an example of proxying WebSocket traffic, refer to WebSocket traffic{ "websocket": { "enabled": configuration expression<boolean>, "connectionTimeout": configuration expression<duration>, "soTimeout": configuration expression<duration>, "numberOfSelectors": configuration expression<number>, "tls": ClientTlsOptions reference, "proxyOptions": ProxyOptions reference, "vertx": object } }For more information, refer to The WebSocket Protocol.
"enabled": configuration expression<boolean>,optional-
Enable upgrade from HTTP protocol and HTTPS protocol to WebSocket protocol.
Default:
false "connectionTimeout": configuration expression<duration>, optional-
The maximum time allowed to establish a WebSocket connection.
Default: The value of handler’s main
connectionTimeout. "soTimeout": configuration expression<duration>, optional-
The time after which stalled connections are destroyed.
If there can be long delays between messages, consider increasing this value. Alternatively, keep the connection active by using WebSocket ping messages in your application. Default: The value of handler’s main
soTimeout. "numberOfSelectors": configuration expression<number>, optional-
The maximum number of worker threads.
In deployments with a high number of simultaneous connections, consider increasing the value of this property.
Default:
2 "tls": ClientTlsOptions reference, optional-
Configure options for connections to TLS-protected endpoints, based on a ClientTlsOptions configuration. Define a ClientTlsOptions object inline or in the heap.
Default: Use ClientTlsOptions defined for the handler
"proxyOptions": ProxyOptions reference, optional-
A proxy server to which requests can be submitted. Use this property to relay requests to other parts of the network. For example, use it to submit requests from an internal network to the internet.
Provide the name of a ProxyOptions object defined in the heap or an inline configuration.
Default: A heap object named
ProxyOptions. "vertx": object, optional-
Vert.x-specific configuration for the WebSocket connection, where IG does not provide its own first-class configuration. Vert.x options are described in HttpClientOptions.
For properties where IG provides its own first-class configuration, Vert.x configuration options are disallowed, and the IG configuration option takes precedence over Vert.x options configured in
vertx. The following Vert.x configuration options are disallowed client-side:-
alpnVersions -
connectTimeout -
enabledCipherSuites -
enabledSecureTransportProtocols -
http2ClearTextUpgrade -
idleTimeout -
idleTimeoutUnit -
keyCertOptions -
keyStoreOptions -
maxWaitQueueSize -
pemKeyCertOptions -
pemTrustOptions -
pfxKeyCertOptions -
pfxTrustOptions -
port -
protocolVersion -
proxyOptions -
ssl -
trustOptions -
trustStoreOptions -
useAlpn -
verifyHost
The following example configures the Vert.x configuration when IG is acting client-side. When IG is acting server-side, configure the
connectors:vertxproperty ofadmin.json:{ "vertx": { "maxWebSocketFrameSize": 128000, "maxWebSocketMessageSize": 256000, "compressionLevel": 4, "maxHeaderSize": 16384 } }The following example configures HTTP/2 connections when IG is acting client-side. The configuration allows IG to make HTTP/2 requests with large headers. When IG is acting server-side, configure the
connectors:vertxproperty ofadmin.json:{ "vertx": { "initialSettings": { "maxHeaderListSize": 16384 } } } -
The following default
vertxconfiguration provided by this handler overrides the Vert.x defaults:-
tryUsePerFrameCompression=true -
tryUsePerMessageCompression=true
- "hostnameVerifier": configuration expression<enumeration>, optional
-
This property is deprecated; use the ClientTlsOptions property
hostnameVerifierinstead.If a ReverseProxyHandler includes the deprecated
"hostnameVerifier": "ALLOW_ALL"configuration, it takes precedence, and deprecation warnings are written to the logs.For more information, refer to the Deprecated section of the Release Notes.
The way to handle hostname verification for outgoing SSL connections. Use one of the following values:
-
ALLOW_ALL: Allow a certificate issued by a trusted CA for any hostname or domain to be accepted for a connection to any domain.This setting allows a certificate issued for one company to be accepted as a valid certificate for another company. To prevent the compromise of TLS connections, use this setting in development mode only. In production, use
STRICT. -
STRICT: Match the hostname either as the value of the the first CN, or any of the subject-alt names.A wildcard can occur in the CN, and in any of the subject-alt names. Wildcards match one domain level, so
*.example.commatcheswww.example.combut notsome.host.example.com.
Default:
STRICT -
"proxy": Server reference, optional-
This property is deprecated; use proxyOptionsinstead. For more information, refer to the Deprecated section of the Release Notes.A proxy server to which requests can be submitted. Use this property to relay requests to other parts of the network. For example, use it to submit requests from an internal network to the internet.
If both
proxyandsystemProxyare defined,proxytakes precedence."proxy" : { "uri": configuration expression<uri string>, "username": configuration expression<string>, "passwordSecretId": configuration expression<secret-id>, "secretsProvider": SecretsProvider reference }"uri": configuration expression<uri string>, required-
URI of a server to use as a proxy for outgoing requests.
The result of the expression must be a string that represents a valid URI, but is not a real java.net.URI object.
- username: configuration expression<string>, required if the proxy requires authentication
-
Username to access the proxy server.
"passwordSecretId": configuration expression<secret-id>, required if the proxy requires authentication-
The secret ID of the password to access the proxy server.
This secret ID must point to a GenericSecret.
"secretsProvider": SecretsProvider reference, required-
The SecretsProvider to query for the proxy’s password.
"systemProxy": boolean, optional-
This property is deprecated; use proxyOptionsinstead. For more information, refer to the Deprecated section of the Release Notes.Submit outgoing requests to a system-defined proxy, set by the following system properties or their HTTPS equivalents:
-
http.proxyHost, the host name of the proxy server. -
http.proxyPort, the port number of the proxy server. The default is80. -
http.nonProxyHosts, a list of hosts that should be reached directly, bypassing the proxy.
This property can’t be used with a proxy that requires a username and password. Use the property
proxyinstead.If both
proxyandsystemProxyare defined,proxytakes precedence.For more information, refer to Java Networking and Proxies.
Default: False.
-
"keyManager": Key manager reference(s), optional-
This property is deprecated; use the tlsproperty instead to configure ClientTlsOptions. For more information, refer to the Deprecated section of the Release Notes.The key manager(s) that handle(s) this client’s keys and certificates.
The value of this field can be a single reference, or an array of references.
Provide either the name(s) of key manager object(s) defined in the heap, or specify the configuration object(s) inline.
You can specify either a single key manager, as in
"keyManager": "MyKeyManager", or an array of key managers, as in"keyManager": [ "FirstKeyManager", "SecondKeyManager" ].If you do not configure a key manager, then the client cannot present a certificate, and so cannot play the client role in mutual authentication.
"sslCipherSuites": array of strings, optional-
This property is deprecated; use the tlsproperty instead to configure ClientTlsOptions. For more information, refer to the Deprecated section of the Release Notes.Array of cipher suite names, used to restrict the cipher suites allowed when negotiating transport layer security for an HTTPS connection.
For information about the available cipher suite names, refer to the documentation for the Java virtual machine (JVM) where you run IG. For Oracle Java, refer to the list of JSSE Cipher Suite Names.
Default: Allow any cipher suite supported by the JVM.
"sslContextAlgorithm": string, optional-
This property is deprecated; use the tlsproperty instead to configure ClientTlsOptions. For more information, refer to the Deprecated section of the Release Notes.Default: TLS
"sslEnabledProtocols": array of strings, optional-
This property is deprecated; use the tlsproperty instead to configure ClientTlsOptions. For more information, refer to the Deprecated section of the Release Notes.Array of protocol names, used to restrict the protocols allowed when negotiating transport layer security for an HTTPS connection.
Default: Allow any protocol supported by the JVM.
"trustManager": Trust manager reference(s), optional-
This property is deprecated; use the tlsproperty instead to configure ClientTlsOptions. For more information, refer to the Deprecated section of the Release Notes.The trust managers that handle(s) peers' public key certificates.
The value of this field can be a single reference, or an array of references.
Provide either the name(s) of TrustManager object(s) defined in the heap, or specify the configuration object(s) inline.
You can specify either a single trust manager, as in
"trustManager": "MyTrustManager", or an array of trust managers, as in"trustManager": [ "FirstTrustManager", "SecondTrustManager" ].If you do not configure a trust manager, then the client uses only the default Java truststore. The default Java truststore depends on the Java environment. For example,
$JAVA_HOME/lib/security/cacerts.
Route
Routes are JSON-encoded configuration files that you add to IG to manage requests. You can add routes in the following ways:
-
Manually into the filesystem.
-
Through Common REST commands. For information, refer to Routes and Common REST.
-
Through Studio. For information, refer to the Studio guide.
Routes handle requests and their context, and then hand off any request they accept to a Handler.
When a route has a condition, it handles only requests that meet the condition. When a route has no condition, it handles any request.
Routes inherit settings from their parent configuration. This means that you
can configure global objects in the config.json heap, for example,
and then reference the objects by name in any other IG configuration.
Usage
{
"handler": Handler reference,
"heap": [ object, ... ],
"condition": runtime expression<boolean>,
"name": string,
"session": AsyncSessionManager reference,
"auditService": AuditService reference,
"globalDecorators": map,
"decorator name": Decorator object
}(*)Deprecated
Properties
"handler": Handler reference, required-
The Handler to which IG dispaches requests.
Provide the name of a Handler object defined in the heap or an inline Handler configuration object.
"heap": array of objects, optional-
Heap object configuration for objects local to this route.
Objects referenced but not defined here are inherited from the parent.
You can omit an empty array. If you only have one object in the heap, you can inline it as the handler value.
See also Heap objects.
"condition": runtime expression<boolean>, optional-
A condition based on the request, context, or IG runtime environment, such as system properties or environment variables.
-
true: The request is dispatched to the route. -
false: The condition for the next route in the configuration is evaluated. -
No condition: the request is dispatched unconditionally to the route.
For debugging, log the routes for which IG evaluates a condition, and the route that matches a condition. Add the following line to a custom
$HOME/.openig/config/logback.xml, and restart IG:<logger name="org.forgerock.openig.handler.router.RouterHandler" level="trace" />For information, refer to Manage logs.
An external request can never match a condition that uses the reserved administrative route. Therefore, routes that use these conditions are effectively ignored. For example, if
/openigis the administrative route, a route with the following condition is ignored:${find(request.uri.path, '^/openig/my/path')}.Default:
${true}For example conditions and requests that match them, refer to Example conditions and requests.
-
"name": string, optional-
Route name.
The Router uses the
nameproperty to order the routes in the configuration. If the route does not have anameproperty, the Router uses the route ID.The route ID is managed as follows:
-
When you add a route manually to the routes folder, the route ID is the value of the
_idfield. If there is no_idfield, the route ID is the filename of the added route. -
When you add a route through the Common REST endpoint, the route ID is the value of the mandatory
_idfield. -
When you add a route through Studio, you can edit the default route ID.
CAUTION: The filename of a route cannot be
default.json. The routenameproperty or route ID cannot bedefault.
Default: route ID
-
"session": AsyncSessionManager reference. reference, optional-
Stateless session implementation for this route. Define an AuthenticatedEncryptedJwtSessionManager object inline or in the heap.
When a request enters the route, IG builds a new session object for the route. The session content is available to the route’s downstream handlers and filters. Session content available in the ascending configuration (a parent route or
config.json) is not available in the new session.When the response exits the route, the session content is serialized as a secure JWT that is encrypted and signed, and the resulting JWT string is placed in a cookie. Session information set inside the route is no longer available. The
sessionreferences the previous session object.Default: Do not change the session storage implementation.
For more information, refer to AsyncSessionManager, and Sessions.
"auditService": AuditService reference, optional-
An audit service for the route. Provide either the name of an AuditService object defined in the heap or an inline AuditService configuration object.
Default: No auditing of a configuration. The NoOpAuditService provides an empty audit service to the top-level heap and its child routes.
"globalDecorators": map, optional-
A map of one or more data pairs with the format
Map<String, JsonValue>, where:-
The key is a decorator name
-
The value is a decorator configuration, passed as is to the decorator
The following format is required:
{ "globalDecorators": { "decorator name": "decoration configuration", ... } }All compatible objects in a route are decorated with the mapped decorator value. For more information, refer to Decorators.
In the following example, the property decorates all compatible objects in the route with a capture and timer decorator:
"globalDecorators": { "capture": "all", "timer": true }Default: Empty
-
"decorator name": Decorator object, optional-
Decorate the main handler of this route with a decorator referred to by the decorator name, and provide the configuration as described in Decorators.
Default: No decoration.
Route metrics at the Prometheus Scrape Endpoint
Route metrics at the Prometheus Scrape Endpoint have the following labels:
-
name: Route name, for example,My Route.If the router was declared with a default handler, then its metrics are published through the route named
default. -
route: Route identifier, for example,my-route. -
router: Fully qualified name of the router, for example,gateway.main-router.
The following table summarizes the recorded metrics:
| Name(1) | Monitoring type | Description |
|---|---|---|
|
Gauge |
Number of requests being processed. |
|
Counter |
Number of requests processed by the router or route since it was deployed. |
|
Counter |
Number of responses that threw an exception. |
|
Counter |
Number of responses that were not handled by IG. |
|
Counter |
Number of responses by HTTP status code family. The
|
|
Summary |
A summary of response time observations. |
(1)Metric names are deprecated and expected to be replaced with names ending in _total. The information provided by the metric isn’t deprecated. Other Prometheus metrics aren’t affected.
Learn more in Prometheus Scrape Endpoint.
Route metrics at the Common REST Monitoring Endpoint (deprecated)
Route metrics at the Common REST Monitoring Endpoint are published with an _id in the
following pattern:
-
heap.router-name.route.route-name.metric
The following table summarizes the recorded metrics:
| Name | Monitoring type | Description |
|---|---|---|
|
Counter |
Number of requests processed by the router or route since it was deployed. |
|
Gauge |
Number of requests being processed by the router or route at this moment. |
|
Counter |
Number of responses that threw an exception. |
|
Counter |
Number of responses that were not handled by IG. |
|
Counter |
Number of responses with an HTTP status code |
|
Counter |
Number of responses with an HTTP status code |
|
Counter |
Number of responses with an HTTP status code |
|
Counter |
Number of responses with an HTTP status code |
|
Counter |
Number of responses with an HTTP status code |
|
Counter |
Number of responses with an HTTP status code |
|
Timer |
Time-series summary statistics. |
Learn more in Common REST Monitoring Endpoint.
Example conditions and requests
| Condition | Requests that meet the condition |
|---|---|
|
All requests, because this expression always evaluates to |
|
|
|
|
|
Where |
|
For information about URI query, refer to |
|
|
|
|
|
Not |
|
For information about including properties in the configuration, refer to Route properties. |
|
Requests with the header |
|
Requests where an OAuth 2.0 client named |
|
Requests using the client credentials grant-type. |
Router
A Handler that performs the following tasks:
-
Defines the routes directory and loads routes into the configuration.
-
Depending on the scanning interval, periodically scans the routes directory and updates the IG configuration when routes are added, removed, or changed. The router updates the IG configuration without needing to restart IG or access the route.
-
Manages an internal list of routes, where routes are ordered lexicographically by route name. If a route is not named, then the route ID is used instead. For more information, refer to Route.
-
Routes requests to the first route in the internal list of routes, whose condition is satisfied.
Because the list of routes is ordered lexicographically by route name, name your routes with this in mind:
-
If a request satisfies the condition of more than one route, it is routed to the first route in the list whose condition is met.
-
Even if the request matches a later route in the list, it might never reach that route.
If a request does not satisfy the condition of any route, it is routed to the default handler if one is configured.
-
The router does not have to know about specific routes in advance - you can configure the router first and then add routes while IG is running.
|
Studio deploys and undeploys routes through a main router named |
Usage
{
"name": string,
"type": "Router",
"config": {
"defaultHandler": Handler reference,
"directory": configuration expression<string>,
"scanInterval": configuration expression<duration>
}
}An alternative value for type is RouterHandler.
Properties
"defaultHandler": Handler reference, optional-
Handler to use when a request does not satisfy the condition of any route.
Provide either the name of a handler object defined in the heap or an inline handler configuration object.
Default: If no default route is set either here or in the route configurations, IG aborts the request with an internal error.
See also Handlers.
"directory": configuration expression<string>, optional-
Directory from which to load route configuration files.
Default: The default directory for route configuration files, at
$HOME/.openig(on Windows,%appdata%\OpenIG).With the following example, route configuration files are loaded from
/path/to/safe/routesinstead of from the default directory:{ "type": "Router", "config": { "directory": "/path/to/safe/routes" } }If you define multiple routers, configure directoryso that the routers load route configuration files from different directories.An infinite route-loading sequence is triggered when a router starts a route that, directly or indirectly, starts another router, which then loads route configuration files from the same directory.
See also Expressions.
"scanInterval": configuration expression<duration>, optional-
Time interval at which IG scans the specified directory for changes to routes. When a route is added, removed, or changed, the router updates the IG configuration without needing to restart IG or access the route.
When an integer is used for the
scanInterval, the time unit is seconds.To load routes at startup only, and prevent changes to the configuration if the routes are changed, set the scan interval to
disabled.Default: 10 seconds
Router metrics at the Prometheus Scrape Endpoint
Router metrics at the Prometheus Scrape Endpoint have the following labels:
-
fully_qualified_name: Fully qualified name of the router, for example,gateway.main-router. -
heap: Name of the heap in which this router is declared, for example,gateway. -
name: Simple name declared in router configuration, for example,main-router.
The following table summarizes the recorded metrics:
| Name | Monitoring type | Description |
|---|---|---|
|
|
Number of routes deployed in the configuration. |
For more information about the the Prometheus Scrape Endpoint, refer to Prometheus Scrape Endpoint.
Router metrics at the Common REST Monitoring Endpoint (deprecated)
Router metrics at the Common REST Monitoring Endpoint are JSON objects, with the following form:
-
[heap name].[router name].deployed-routes
The following table summarizes the recorded metrics:
| Name | Monitoring type | Description |
|---|---|---|
|
|
Number of routes deployed in the configuration. |
For more information about the the Common REST Monitoring Endpoint, refer to Common REST Monitoring Endpoint.
Example
The following config.json file configures a Router:
{
"handler": {
"type": "Router",
"name": "_router",
"baseURI": "http://app.example.com:8081",
"capture": "all"
},
"heap": [
{
"name": "JwtSession",
"type": "JwtSession"
},
{
"name": "capture",
"type": "CaptureDecorator",
"config": {
"captureEntity": true,
"_captureContext": true
}
}
]
}All requests pass with the default settings to the Router. The Router scans
$HOME/.openig/config/routes at startup, and rescans the directory every 10
seconds. If routes have been added, deleted, or changed, the router applies the
changes.
The main router and any subrouters build the monitoring endpoints. For information about monitoring endpoints, refer to Monitoring endpoints.
SamlFederationHandler (deprecated)
|
This handler is deprecated; use the SamlFederationFilter instead. |
A handler to play the role of SAML 2.0 Service Provider (SP).
Consider the following requirements for SamlFederationHandler:
-
This handler does not support filtering; do not use it as the handler for a chain, which can include filters.
-
Do not use this handler when its use depends on something in the response. The response can be handled independently of IG, and can be
nullwhen control returns to IG. For example, do not use this handler in aSequenceHandlerwhere thepostconditiondepends on the response. -
Requests to the SamlFederationHandler must not be rebased, because the request URI must match the endpoint in the SAML metadata.
SAML in deployments with multiple instances of IG
When IG acts as a SAML service provider, session information is stored in the fedlet not the session cookie. In deployments with multiple instances of IG as a SAML service provider, it is necessary to set up sticky sessions so that requests always hit the instance where the SAML interaction was started.
For information, refer to Session state considerations in AM’s SAML v2.0 guide.
Usage
{
"name": string,
"type": "SamlFederationHandler",
"config": {
"assertionMapping": map or configuration expression<map>,
"redirectURI": configuration expression<url>,
"secretsProvider": SecretsProvider reference,
"assertionConsumerEndpoint": configuration expression<url>,
"authnContext": configuration expression<string>,
"authnContextDelimiter": configuration expression<string>,
"logoutURI": configuration expression<url>,
"sessionIndexMapping": configuration expression<string>,
"singleLogoutEndpoint": configuration expression<url>,
"singleLogoutEndpointSoap": configuration expression<url>,
"SPinitiatedSLOEndpoint": configuration expression<url>,
"SPinitiatedSSOEndpoint": configuration expression<url>,
"useOriginalUri": configuration expression<boolean>,
"subjectMapping": configuration expression<string>
}
}Properties
"assertionMapping": map or configuration expression<map>, required-
A map with the format
Map<String, String>, where:-
Key: Session name,
localName -
Value: SAML assertion name,
incomingName, or a configuration expression that evaluates to the name
The following formats are allowed:
{ "assertionMapping": { "string": "configuration expression<string>", ... } }{ "assertionMapping": "configuration expression<map>" }In the following example, the session names
usernameandpasswordare mapped to SAML assertion namesmailandmailPassword:{ "assertionMapping": { "username": "mail", "password": "mailPassword" } }If an incoming SAML assertion contains the following statement:
mail = demo@example.com mailPassword = demopassword
Then the following values are set in the session:
username[0] = demo@example.com password[0] = demopassword
For this to work, edit the
<Attribute name="attributeMap">element in the SP extended metadata file,$HOME/.openig/SAML/sp-extended.xml, so that it matches the assertion mapping configured in the SAML 2.0 Identity Provider (IDP) metadata.Because the dot character (
.) serves as a query separator in expressions, do not use dot characters in the localName.To prevent different handlers from overwriting each others' data, use unique localName settings when protecting multiple service providers.
-
"redirectURI": configuration expression<url>, required-
The page that the filter used to HTTP POST a login form recognizes as the login page for the protected application.
This is how IG and the Federation component work together to provide SSO. When IG detects the login page of the protected application, it redirects to the Federation component. Once the Federation handler validates the SAML exchanges with the IDP, and sets the required session attributes, it redirects back to the login page of the protected application. This allows the filter used to HTTP POST a login form to finish the job by creating a login form to post to the application based on the credentials retrieved from the session attributes.
"secretsProvider": SecretsProvider reference, optional-
The SecretsProvider to query for keys when AM provides signed or encrypted SAML assertions.
+ When this property isn’t set, the keys are provided by direct keystore look-ups based on entries in the SP extended metadata file,
sp-extended.xml.+ Default: Empty.
"assertionConsumerEndpoint": configuration expression<string>, optional-
Default:
fedletapplication(same as the Fedlet)If you modify this attribute, change the metadata to match.
"authnContext": configuration expression<string>, optional-
Name of the session field to hold the value of the authentication context. Because the dot character (
.) serves as a query separator in expressions, do not use dot characters in the field name.Use this setting when protecting multiple service providers, as the different configurations must not map their data into the same fields of
session. Otherwise different handlers can overwrite each others' data.As an example, if you set
"authnContext": "myAuthnContext", then IG setssession.myAuthnContextto the authentication context specified in the assertion. When the authentication context is password over protected transport, then this results in the session containing"myAuthnContext": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport".Default: map to
session.authnContext "authnContextDelimiter": configuration expression<string>, optional-
The authentication context delimiter used when there are multiple authentication contexts in the assertion.
Default:
| "logoutURI": configuration expression<string>, optional-
Set this to the URI to visit after the user is logged out of the protected application.
You only need to set this if the application uses the single logout feature of the Identity Provider.
"sessionIndexMapping": configuration expression<string>, optional-
Name of the session field to hold the value of the session index. Because the dot character (
.) serves as a query separator in expressions, do not use dot characters in the field name.Use this setting when protecting multiple service providers, as the different configurations must not map their data into the same fields of
session. Otherwise different handlers can overwrite each others' data.As an example, if you set
"sessionIndexMapping": "mySessionIndex", then IG setssession.mySessionIndexto the session index specified in the assertion. This results in the session containing something like"mySessionIndex": "s24ccbbffe2bfd761c32d42e1b7a9f60ea618f9801".Default: map to
session.sessionIndex "singleLogoutEndpoint": configuration expression<string>, optional-
Default:
fedletSLORedirect(same as the Fedlet)If you modify this attribute, change the metadata to match.
"singleLogoutEndpointSoap": configuration expression<string>, optional-
Default:
fedletSloSoap(same as the Fedlet)If you modify this attribute, change the metadata to match.
"SPinitiatedSLOEndpoint": configuration expression<string>, optional-
Default:
SPInitiatedSLOIf you modify this attribute, change the metadata to match.
"SPinitiatedSSOEndpoint": configuration expression<string>, optional-
Default:
SPInitiatedSSOIf you modify this attribute, change the metadata to match.
"useOriginalUri": configuration expression<boolean>, optional-
When
true, use the original URI instead of a rebased URI when validating RelayState and Assertion Consumer Location URLs. Use this property if abaseUridecorator is used in the route or inconfig.json.Default:
false "subjectMapping": configuration expression<string>, optional-
Name of the session field to hold the value of the subject name. Because the dot character (
.) serves as a query separator in expressions, do not use dot characters in the field name.Use this setting when protecting multiple service providers, as the different configurations must not map their data into the same fields of
session. Otherwise different handlers can overwrite each others' data.As an example, if you set
"subjectMapping": "mySubjectName", then IG setssession.mySubjectNameto the subject name specified in the assertion. If the subject name is an opaque identifier, then this results in the session containing something like"mySubjectName": "vtOk+APj1s9Rr4yCka6V9pGUuzuL".Default: map to
session.subjectName
Example
For an example of how to set up IG as a SAML service provider, refer to SAML.
In the following example, IG receives a SAML 2.0 assertion from the IDP, and then logs the user in to the protected application using the username and password from the assertion:
{
"name": "SamlFederationHandler",
"type": "SamlFederationHandler",
"config": {
"assertionMapping": {
"username": "mail",
"password": "mailPassword"
},
"redirectURI": "/login",
"logoutURI": "/logout"
}
}ScriptableHandler
Creates a response to a request by executing a script.
Scripts must return either a Promise<Response, NeverThrowsException> or a Response.
This section describes the usage of ScriptableHandler. For information about script properties, available global objects, and automatically imported classes, see Scripts.
Usage
{
"name": string,
"type": "ScriptableHandler",
"config": {
"type": configuration expression<string>,
"file": configuration expression<string>, // Use either "file"
"source": [ string, ... ], // or "source", but not both
"args": map,
"clientHandler": Handler reference
}
}Properties
For information about properties for ScriptableHandler, refer to Scripts.
SequenceHandler
Processes a request through a sequence of handlers and post conditions, as follows:
-
A request is treated by
handler1, and thenpostcondition1is evaluated. -
If
postcondition1is true, the request is then treated byhandler2, and so on.
{
"handler": handler1,
"postcondition": expression1
},
{
"handler": handler2,
"postcondition": expression2
},
...Use this handler for multi-request processing, such as retrieving a form, extracting form content (for example, a nonce), and then submitting it in a subsequent request.
Usage
{
"name": string,
"type": "SequenceHandler",
"config": {
"bindings": [
{
"handler": Handler reference,
"postcondition": runtime expression<boolean>
}
]
}
}Properties
"bindings": array of objects, required-
A list of handler and postcondition bindings.
"handler": Handler reference, required-
The handler to dispatch the request to when it is the first handler in the bindings, or for subsequent handlers when their previous
postconditionyieldstrue.Provide the name of a Handler object defined in the heap or an inline Handler configuration object.
"postcondition": runtime expression<boolean>, optional-
A flag to indicate that a post condition is met:
-
true: The request is dispatched to the next handler inbindings. -
false: The sequence stops.
Postconditions are defined using IG expressions, as described in Expressions.
Default:
${true} -
StaticResponseHandler
Creates a response to a request statically, or based on something in the context.
Usage
{
"name": string,
"type": "StaticResponseHandler",
"config": {
"status": configuration expression<number>,
"reason": configuration expression<string>,
"headers": {
configuration expression<string>: [ runtime expression<string>, ... ], ...
},
"trailers": {
configuration expression<string>: [ runtime expression<string>, ... ], ...
},
"entity": runtime expression<string> or [ runtime expression<string>, ... ]
}
}Properties
"status": Status object-
The response status. For more information, refer to Status.
"reason": configuration expression<string>, optional-
Used only for custom HTTP status codes. For more information, refer to Response Status Codes and Status Code Registry.
"headers": map, optional-
One or more headers to set for a response, with the format
name: [ value, … ], where:When the property
entityis used, set aContent-Typeheader with the correct content type value. The following example sets the content type of a message entity in the response:"headers": { "Content-Type": [ "text/html; charset=UTF-8" ] }The following example is used in
federate-handler.jsonto redirect the original URI from the request:"headers": { "Location": [ "http://sp.example.com:8080/saml/SPInitiatedSSO" ] }
Default: Empty
"trailers": map, optional-
One or more trailers to set for a response, with the format
name: [ value, … ], where:-
name is a configuration expression<string> for a trailer name. If multiple expressions resolve to the same string, name has multiple values.
The following trailer names are not allowed:
-
Message framing headers (for example,
Transfer-EncodingandContent-Length) -
Routing headers (for example,
Host) -
Request modifiers (for example, controls and conditionals such as
Cache-Control,Max-Forwards, andTE) -
Authentication headers (for example,
AuthorizationandSet-Cookie) -
Content-Encoding -
Content-Type -
Content-Range -
Trailer
-
-
value is one or more runtime expression<strings> for trailer values.
-
Default: Empty
"entity": runtime expression<string> or array of runtime expression<string>, optional-
The message entity body to include in a response.
If a
Content-Typeheader is present, the entity must conform to the header and set the content length header automatically.Methods are provided for accessing the entity as byte, string, or JSON content. For information, refer to Entity.
Attackers during reconnaissance can use response messages to identify information about a deployment. For security, limit the amount of information in messages, and avoid using words that help identify IG. Default: Empty
Example
{
"name": "ErrorHandler",
"type":"StaticResponseHandler",
"config": {
"status": 500,
"headers": {
"Content-Type": [ "text/html; charset=UTF-8" ]
},
"entity": "<html><h2>Epic #FAIL</h2></html>"
}
}{
"handler": {
"type": "StaticResponseHandler",
"config": {
"status": 200,
"headers": {
"content-type": [ "text/html" ]
},
"entity": [
"<html>",
" <body>",
" <h1>Request Details</h1>",
" <p>The path was: ${request.uri.path}<p>",
" <p>The query params were: ${toString(request.queryParams)}</p>",
" <p>The headers were: ${toString(request.headers.entrySet())}<p>",
" </body>",
"</html>"
]
}
}
}