Restricting Access to Studio

When IG is running in development mode, by default the Studio endpoint is open and accessible. To allow only specific users to access Studio, configure a StudioProtectionFilter with a SingleSignOnFilter or CrossDomainSingleSignOnFilter.

The following example uses a SingleSignOnFilter to require users to authenticate with AM before they can access Studio, and protects the request from Cross Site Request Forgery (CSRF) attacks.

Require Authentication to Access Studio in Development Mode
  1. Set up AM:

    1. (From AM 6.5.x) Select Identities > demo, and set the demo user password to Ch4ng31t.

    2. (For AM 6.5.3 and later versions) Select Services > Add a Service, and add a Validation Service with the following Valid goto URL Resources :

      • http://openig.example.com:8080/*

      • http://openig.example.com:8080/*?*

    3. Select Applications > Agents > Identity Gateway, add an agent with the following values:

  2. Set up IG:

    1. Set an environment variable for the IG agent password, and then restart IG:

      $ export AGENT_SECRET_ID='cGFzc3dvcmQ='

      The password is retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.

    2. Add the following route to IG:

      • Linux

      • Windows

      $HOME/.openig/config/admin.json
      appdata\OpenIG\config\admin.json
      • Standalone mode

      • Web container mode

      {
        "prefix": "openig",
        "mode": "DEVELOPMENT",
        "properties": {
          "SsoTokenCookieOrHeader": "iPlanetDirectoryPro"
        },
        "connectors": [
          {
            "port": 8080
          },
          {
            "port": 8443
          }
        ],
        "heap": [
          {
            "name": "SystemAndEnvSecretStore-1",
            "type": "SystemAndEnvSecretStore"
          },
          {
            "name": "AmService-1",
            "type": "AmService",
            "config": {
              "agent" : {
                "username" : "ig_agent",
                "passwordSecretId" : "agent.secret.id"
              },
              "secretsProvider": "SystemAndEnvSecretStore-1",
              "url": "http://openam.example.com:8088/openam/",
              "ssoTokenHeader": "&{SsoTokenCookieOrHeader}",
              "version": "7.1"
            }
          },
          {
            "name": "StudioProtectionFilter",
            "type": "ChainOfFilters",
            "config": {
              "filters": [
                {
                  "type": "SingleSignOnFilter",
                  "config": {
                    "amService": "AmService-1"
                  }
                },
                {
                  "type": "CsrfFilter",
                  "config": {
                    "cookieName": "&{SsoTokenCookieOrHeader}",
                    "failureHandler": {
                      "type": "StaticResponseHandler",
                      "config": {
                        "status": 403,
                        "headers": {
                          "Content-Type": [
                            "text/plain"
                          ]
                        },
                        "entity": "Request forbidden"
                      }
                    }
                  }
                }
              ]
            }
          }
        ]
      }
      {
        "prefix": "openig",
        "mode": "DEVELOPMENT",
        "heap": [
          {
            "name": "SystemAndEnvSecretStore-1",
            "type": "SystemAndEnvSecretStore"
          },
          {
            "name": "AmService-1",
            "type": "AmService",
            "config": {
              "agent" : {
                "username" : "ig_agent",
                "passwordSecretId" : "agent.secret.id"
              },
              "secretsProvider": "SystemAndEnvSecretStore-1",
              "url": "http://openam.example.com:8088/openam/",
              "version": "7.1"
            }
          },
          {
            "name": "StudioProtectionFilter",
            "type": "ChainOfFilters",
            "config": {
              "filters": [
                {
                  "type": "SingleSignOnFilter",
                  "config": {
                    "amService": "AmService-1"
                  }
                },
                {
                  "type": "CsrfFilter",
                  "config": {
                    "cookieName": "iPlanetDirectoryPro",
                    "failureHandler": {
                      "type": "StaticResponseHandler",
                      "config": {
                        "status": 403,
                        "headers": {
                          "Content-Type": [
                            "text/plain"
                          ]
                        },
                        "entity": "Request forbidden"
                      }
                    }
                  }
                }
              ]
            }
          }
        ]
      }

      Notice the following features of the file:

      • The prefix sets the base of the administrative route to the default value /openig. The Studio endpoint is therefore /openig/studio.

      • The mode is development, so by default the Studio endpoint is open and unfiltered.

      • The properties object sets a configuration parameter for the value of the SSO token cookie or header, which is used in AmService and CorsFilter.

      • The AmService uses the IG agent in AM for authentication.

        The agent password for AmService is provided by a SystemAndEnvSecretStore in the heap.

      • The StudioProtectionFilter calls the SingleSignOnFilter to redirect unauthenticated requests to AM, and uses the CsrfFilter to protect requests from CSRF attacks. For more information, see SingleSignOnFilter and CsrfFilter.

    3. Restart IG to take into account the changes to admin.json.

  3. Test the setup:

    1. If you are logged in to AM, log out and clear any cookies.

    2. Go to http://openig.example.com:8080/openig/studio. The SingleSignOnFilter redirects the request to AM for authentication.

    3. Log in to AM with user demo, password Ch4ng31t. The Studio Routes screen is displayed.