Enforcing AM Policy Decisions In Different Domains
The following procedure gives an example of how to create a policy in AM and configure an agent that can request policy decisions, when IG and AM are in different domains.
Before you start, prepare AM, IG, and the sample application as described in "Example Installation for This Guide".
Set up AM:
(For AM 6.5.x and earlier versions) Select Identities > demo, and set the demo user password to
Ch4ng31t
.(For AM 6.5.3 and later versions) Select Services > Add a Service, and add a Validation Service with the following Valid goto URL Resources:
http://openig.ext.com:8080/*
http://openig.ext.com:8080/*?*
Select Applications > Agents > Identity Gateway, add an agent with the following values:
Agent ID:
ig_agent_cdsso
Password:
password
Redirect URL for CDSSO:
http://openig.ext.com:8080/home/pep-cdsso/redirect
The agent credentials are the only properties that are used by IG.
Select Applications > Agents > Java (or J2EE).
Add an agent with the following values:
Agent ID:
ig_agent_cdsso
Agent URL:
http://openig.ext.com:8080/agentapp
Server URL:
http://openam.example.com:8088/openam
Password:
password
On the Global tab: Agent Configuration Change Notification: Deselect
This option stops IG from being notified about agent configuration changes in AM, because they are not required by IG.
On the SSO tab:
Cross Domain SSO: Deselect
CDSSO Redirect URI:
/home/pep-cdsso/redirect
Set up a policy:
Select Authorization > Policy Sets > New Policy Set, and add a policy set with the following values:
Id:
PEP-CDSSO
Resource Types:
URL
In the new policy set, add a policy with the following values:
Name:
IG Policy CDSSO
Resource Type:
URL
Resource pattern:
*://*:*/*
Resource value:
http://app.example.com:8081/home/pep-cdsso*
This policy protects the home page of the sample application.
On the Actions tab, add an action to allow HTTP
GET
.On the Subjects tab, remove any default subject conditions, add a subject condition for all
Authenticated Users
.
Select Configure > Global Services > Platform, and add
example.com
as an AM cookie domain.By default, AM sets host-based cookies. After authentication with AM, requests can be redirected to AM instead of to the resource.
Set up IG:
Set an environment variable for the IG agent password, and then restart IG:
$
export AGENT_SECRET_ID='cGFzc3dvcmQ='
The password is retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.
Add the following route to IG, to serve .css and other static resources for the sample application:
$HOME/.openig/config/routes/static-resources.json
%appdata%\OpenIG\config\routes\static-resources.json
{ "name" : "sampleapp_resources", "baseURI" : "http://app.example.com:8081", "condition": "${matches(request.uri.path,'^/css')}", "handler": "ReverseProxyHandler" }
Add the following route to IG:
$HOME/.openig/config/routes/04-pep-cdsso.json
%appdata%\OpenIG\config\routes\04-pep-cdsso.json
{ "name": "pep-cdsso", "baseURI": "http://app.example.com:8081", "condition": "${matches(request.uri.path, '^/home/pep-cdsso')}", "heap": [ { "name": "SystemAndEnvSecretStore-1", "type": "SystemAndEnvSecretStore" }, { "name": "AmService-1", "type": "AmService", "config": { "agent": { "username": "ig_agent_cdsso", "passwordSecretId": "agent.secret.id" }, "secretsProvider": "SystemAndEnvSecretStore-1", "url": "http://openam.example.com:8088/openam/", "version": "7" } } ], "handler": { "type": "Chain", "config": { "filters": [ { "name": "CrossDomainSingleSignOnFilter-1", "type": "CrossDomainSingleSignOnFilter", "config": { "redirectEndpoint": "/home/pep-cdsso/redirect", "authCookie": { "path": "/home", "name": "ig-token-cookie" }, "amService": "AmService-1" } }, { "name": "PolicyEnforcementFilter-1", "type": "PolicyEnforcementFilter", "config": { "pepRealm": "/", "application": "PEP-CDSSO", "ssoTokenSubject": "${contexts.cdsso.token}", "amService": "AmService-1" } } ], "handler": "ReverseProxyHandler" } } }
For information about how to set up the IG route in Studio, see "Policy Enforcement for CDSSO in Structured Editor".
Test the setup:
If you are logged in to AM, log out and clear any cookies.
Go to http://openig.ext.com:8080/home/pep-cdsso.
IG redirects you to AM for authentication.
Log in to AM as user
demo
, passwordCh4ng31t
.When you have authenticated, AM redirects you back to the request URL, and IG requests a policy decision. AM returns a policy decision that grants access to the sample application.