Decisions with claimsSubject
This example extends Decisions in the same domain to enforce a policy decision from AM
using the claimsSubject instead of ssoTokenSubject to identify the subject.
Before you start, set up and test the example in Decisions in the same domain.
-
Set up AM:
-
Select the policy
PEP-SSOand add a new resource:-
Resource Type:
URL -
Resource pattern:
*://*:*/* -
Resource value:
http://app.example.com:8081/home/pep-claims
-
-
In the same policy, add the following subject condition:
-
Any of -
Type :
OpenID Connect/JwtClaim -
claimName :
iss -
claimValue :
am.example.com
-
-
-
Add the following route to PingGateway:
-
Linux
-
Windows
$HOME/.openig/config/routes/04-pep-claims.json
%appdata%\OpenIG\config\routes\04-pep-claims.json
{ "name": "pep-claims", "baseURI": "http://app.example.com:8081", "condition": "${find(request.uri.path, '^/home/pep-claims')}", "heap": [ { "name": "SystemAndEnvSecretStore-1", "type": "SystemAndEnvSecretStore" }, { "name": "AmService-1", "type": "AmService", "config": { "url": "http://am.example.com:8088/openam", "agent": { "username": "ig_agent", "passwordSecretId": "agent.secret.id" }, "secretsProvider": "SystemAndEnvSecretStore-1" } } ], "handler": { "type": "Chain", "config": { "filters": [ { "name": "SingleSignOnFilter-1", "type": "SingleSignOnFilter", "config": { "amService": "AmService-1" } }, { "name": "PolicyEnforcementFilter-1", "type": "PolicyEnforcementFilter", "config": { "application": "PEP-SSO", "claimsSubject": { "sub": "${contexts.ssoToken.info.uid}", "iss": "am.example.com" }, "amService": "AmService-1" } } ], "handler": "ReverseProxyHandler" } } } -
-
Test the setup:
-
In your browser’s privacy or incognito mode, go to https://ig.example.com:8443/home/pep-claims.
-
If you see warnings that the site isn’t secure, respond to the warnings to access the site.
-
Log in to AM as user
demo, passwordCh4ng31t.AM returns a policy decision that grants access to the sample application.
-