Restrict access to Studio
When PingGateway is running in development mode, the Studio endpoint is open and unauthenticated by default: anyone who can reach it can view, create and deploy routes. To allow only specific users to access Studio, configure a StudioProtectionFilter with a SingleSignOnFilter or CrossDomainSingleSignOnFilter.
The following example uses a SingleSignOnFilter to require users to authenticate with AM before they can access Studio, and adds a CsrfFilter to protect the Studio endpoint from cross-site request forgery (CSRF) attacks.
- Set up AM:
  - Select Services > Add a Service and add a Validation Service with the following Valid goto URL Resources:
    - https://ig.example.com:8443/*
    - https://ig.example.com:8443/*?*
  - Register a PingGateway agent with the following values, as described in Register a PingGateway agent in AM:
    - Agent ID: ig_agent
    - Password: password
    Use secure passwords in a production environment. Consider using a password manager to generate secure passwords.
  - (Optional) Authenticate the agent to AM as described in Authenticate a PingGateway agent to AM.
    PingGateway agents are automatically authenticated to AM by a deprecated authentication module in AM. This step is currently optional, but will be required when authentication chains and modules are removed in a future release of AM.
- Set up PingGateway:
  - Set an environment variable for the PingGateway agent password, and then restart PingGateway:

    $ export AGENT_SECRET_ID='cGFzc3dvcmQ='

    The password is retrieved by a SystemAndEnvSecretStore, which looks up the secret ID agent.secret.id (configured in AmService below) as the environment variable AGENT_SECRET_ID: the secret ID is upper-cased and its dots are replaced by underscores. The value must be base64-encoded; cGFzc3dvcmQ= is the base64 encoding of password.
  - Add the following admin.json configuration to PingGateway:

    ```json
    {
      "prefix": "openig",
      "mode": "DEVELOPMENT",
      "properties": {
        "SsoTokenCookieOrHeader": "iPlanetDirectoryPro"
      },
      "connectors": [
        { "port": 8080 },
        { "port": 8443 }
      ],
      "heap": [
        {
          "name": "SystemAndEnvSecretStore-1",
          "type": "SystemAndEnvSecretStore"
        },
        {
          "name": "AmService-1",
          "type": "AmService",
          "config": {
            "agent": {
              "username": "ig_agent",
              "passwordSecretId": "agent.secret.id"
            },
            "secretsProvider": "SystemAndEnvSecretStore-1",
            "url": "http://am.example.com:8088/openam/",
            "ssoTokenHeader": "&{SsoTokenCookieOrHeader}"
          }
        },
        {
          "name": "StudioProtectionFilter",
          "type": "ChainOfFilters",
          "config": {
            "filters": [
              {
                "type": "SingleSignOnFilter",
                "config": {
                  "amService": "AmService-1"
                }
              },
              {
                "type": "CsrfFilter",
                "config": {
                  "cookieName": "&{SsoTokenCookieOrHeader}",
                  "failureHandler": {
                    "type": "StaticResponseHandler",
                    "config": {
                      "status": 403,
                      "headers": {
                        "Content-Type": [ "text/plain" ]
                      },
                      "entity": "Request forbidden"
                    }
                  }
                }
              }
            ]
          }
        }
      ]
    }
    ```
    Notice the following features of the configuration:
    - The prefix sets the base of the administrative route to the default value /openig. The Studio endpoint is therefore /openig/studio.
    - The mode is DEVELOPMENT, so by default the Studio endpoint is open and unfiltered; the StudioProtectionFilter is what restricts it.
    - The properties object sets a configuration parameter for the name of the SSO token cookie or header, which is used in both AmService (ssoTokenHeader) and CsrfFilter (cookieName).
    - The AmService uses the PingGateway agent in AM for authentication. The agent password for AmService is provided by the SystemAndEnvSecretStore in the heap. The AmService url uses plain HTTP, which is suitable only for a local example; in production, use HTTPS so that agent credentials and SSO tokens are not sent in clear text.
    - The StudioProtectionFilter is a ChainOfFilters. The SingleSignOnFilter redirects unauthenticated requests to AM and passes authenticated ones down the chain; the CsrfFilter then rejects state-changing requests that do not carry a header whose value matches the SSO token cookie, returning the 403 response defined by its failureHandler. For more information, refer to SingleSignOnFilter and CsrfFilter.
  - Restart PingGateway to take into account the changes to admin.json.
- Test the setup:
  - If you are logged in to AM, log out and clear any cookies.
  - Go to http://ig.example.com:8080/openig/studio. The SingleSignOnFilter redirects the request to AM for authentication. The requested URL is passed to AM as the goto URL; if it does not match one of the Valid goto URL Resources in the Validation Service, AM does not redirect back to Studio after login, so make sure the scheme, host and port you test with are listed there.
  - Log in to AM with user demo, password Ch4ng31t. The Studio Routes screen is displayed.
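The decisions this chain makes are easier to reason about with a small model. The following Python script is an added example, not PingGateway code and not taken from the Ping Identity documentation: it models how the SystemAndEnvSecretStore resolves agent.secret.id, how AM's Validation Service matches a goto URL against the two patterns configured above, and what the SingleSignOnFilter and CsrfFilter return for a given request. It assumes the CsrfFilter defaults from the CsrfFilter reference (header name X-CSRF-Token; safe methods GET, HEAD and OPTIONS), AM's wildcard rule that * does not match ?, and a schematic login redirect URL rather than AM's real one; the session token and sample requests are constructed for the example.

```python
"""Model of the admin.json StudioProtectionFilter chain (added example, not PingGateway code)."""
import base64
import hmac
import re
from dataclasses import dataclass, field
from urllib.parse import quote

# Values taken from the admin.json and AM setup above.
SSO_COOKIE = "iPlanetDirectoryPro"          # &{SsoTokenCookieOrHeader}
AM_URL = "http://am.example.com:8088/openam/"
VALID_GOTO = ["https://ig.example.com:8443/*", "https://ig.example.com:8443/*?*"]
# Assumed CsrfFilter defaults (from the CsrfFilter reference, not set in admin.json).
CSRF_HEADER = "X-CSRF-Token"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def secret_env_name(secret_id: str) -> str:
    """SystemAndEnvSecretStore maps a secret ID to an environment variable name:
    upper-cased, with '.' and '-' replaced by '_'. agent.secret.id -> AGENT_SECRET_ID."""
    return re.sub(r"[.-]", "_", secret_id).upper()


def resolve_agent_password(secret_id: str, env: dict) -> str:
    """Fetch and base64-decode the secret, as the store does for passwordSecretId."""
    raw = env.get(secret_env_name(secret_id))
    if raw is None:
        raise KeyError(f"secret {secret_id!r} not found ({secret_env_name(secret_id)} unset)")
    return base64.b64decode(raw, validate=True).decode("utf-8")


def goto_is_valid(url: str) -> bool:
    """Validation Service check: '*' matches any characters except '?', and '?' is
    literal, so '/*' covers URLs without a query string and '/*?*' URLs with one."""
    for pattern in VALID_GOTO:
        regex = re.escape(pattern).replace(r"\*", "[^?]*")
        if re.fullmatch(regex, url):
            return True
    return False


@dataclass
class Request:
    method: str
    url: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def single_sign_on_filter(req: Request, valid_sessions: set):
    """No valid SSO token cookie: redirect to AM with the original URL as goto.
    (Schematic redirect; the real filter builds AM's login URL.)"""
    if req.cookies.get(SSO_COOKIE) in valid_sessions:
        return None                                   # continue down the chain
    return 302, {"Location": f"{AM_URL}?goto={quote(req.url, safe='')}"}


def csrf_filter(req: Request):
    """Double-submit check: non-safe methods must carry CSRF_HEADER equal to the
    SSO cookie value. A cross-site form post cannot read the cookie, so it cannot
    supply a matching header and gets the failureHandler's 403."""
    if req.method.upper() in SAFE_METHODS:
        return None
    cookie, header = req.cookies.get(SSO_COOKIE), req.headers.get(CSRF_HEADER)
    if cookie is None or header is None or not hmac.compare_digest(cookie.encode(), header.encode()):
        return 403, "Request forbidden"
    return None


def studio_protection_filter(req: Request, valid_sessions: set):
    """ChainOfFilters: the first filter that produces a response short-circuits the chain."""
    for flt in (lambda r: single_sign_on_filter(r, valid_sessions), csrf_filter):
        response = flt(req)
        if response is not None:
            return response
    return 200, "Studio Routes"


if __name__ == "__main__":
    sessions = {"AQIC5wM2LY4Sfcx"}                    # constructed token for the demo user
    studio = "https://ig.example.com:8443/openig/studio"
    print(studio_protection_filter(Request("GET", studio), sessions))
    post = Request("POST", studio, cookies={SSO_COOKIE: "AQIC5wM2LY4Sfcx"})
    print(studio_protection_filter(post, sessions))
    post.headers[CSRF_HEADER] = "AQIC5wM2LY4Sfcx"
    print(studio_protection_filter(post, sessions))
    print(goto_is_valid("http://ig.example.com:8080/openig/studio"))
    print(resolve_agent_password("agent.secret.id", {"AGENT_SECRET_ID": "cGFzc3dvcmQ="}))
```

The goto_is_valid check is the one to run against whatever URL you use in the test step: an http://ig.example.com:8080 URL is not matched by either https://ig.example.com:8443 pattern, which is the situation in which AM logs you in but does not return you to Studio.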