Enforcing AM Policy Decisions In the Same Domain
The following procedure gives an example of how to create a policy in AM and configure an agent that can request policy decisions, when IG and AM are in the same domain.
Before you start, prepare AM, IG, and the sample application as described in "Example Installation for This Guide".
Set up an AM agent with permission to request policy decisions:
(For AM 6.5.x and earlier versions) Select Identities > demo, and set the demo user password to
Ch4ng31t
.(For AM 6.5.3 and later versions) Select Services > Add a Service, and add a Validation Service with the following Valid goto URL Resources:
http://openig.example.com:8080/*
http://openig.example.com:8080/*?*
Select Applications > Agents > Identity Gateway, add an agent with the following values:
Agent ID:
ig_agent
Password:
password
Leave all other values as default.
Select Applications > Agents > Java (or J2EE).
Add an agent with the following values:
Agent ID:
ig_agent
Agent URL:
http://openig.example.com:8080/agentapp
Server URL:
http://openam.example.com:8088/openam
Password:
password
On the Global tab, deselect Agent Configuration Change Notification.
This option stops IG from being notified about agent configuration changes in AM, because they are not required by IG.
Set up a policy:
Select Authorization > Policy Sets > New Policy Set, and add a policy set with the following values:
Id:
PEP-SSO
Resource Types:
URL
In the new policy set, add a policy with the following values:
Name:
IG Policy SSO
Resource Type:
URL
Resource pattern:
*://*:*/*
Resource value:
http://app.example.com:8081/home/pep-sso*
This policy protects the home page of the sample application.
On the Actions tab, add an action to allow HTTP
GET
.On the Subjects tab, remove any default subject conditions, add a subject condition for all
Authenticated Users
.
Select Configure > Global Services > Platform, and add
example.com
as an AM cookie domain.By default, AM sets host-based cookies. After authentication with AM, requests can be redirected to AM instead of to the resource.
Set up IG:
Set an environment variable for the IG agent password, and then restart IG:
$
export AGENT_SECRET_ID='cGFzc3dvcmQ='
The password is retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.
Add the following route to IG, to serve .css and other static resources for the sample application:
$HOME/.openig/config/routes/static-resources.json
%appdata%\OpenIG\config\routes\static-resources.json
{ "name" : "sampleapp_resources", "baseURI" : "http://app.example.com:8081", "condition": "${matches(request.uri.path,'^/css')}", "handler": "ReverseProxyHandler" }
Add the following route to IG:
$HOME/.openig/config/routes/04-pep.json
%appdata%\OpenIG\config\routes\04-pep.json
{ "name": "pep-sso", "baseURI": "http://app.example.com:8081", "condition": "${matches(request.uri.path, '^/home/pep-sso')}", "heap": [ { "name": "SystemAndEnvSecretStore-1", "type": "SystemAndEnvSecretStore" }, { "name": "AmService-1", "type": "AmService", "config": { "agent": { "username": "ig_agent", "passwordSecretId": "agent.secret.id" }, "secretsProvider": "SystemAndEnvSecretStore-1", "url": "http://openam.example.com:8088/openam/", "version": "7" } } ], "handler": { "type": "Chain", "config": { "filters": [ { "name": "SingleSignOnFilter-1", "type": "SingleSignOnFilter", "config": { "amService": "AmService-1" } }, { "name": "PolicyEnforcementFilter-1", "type": "PolicyEnforcementFilter", "config": { "pepRealm": "/", "application": "PEP-SSO", "ssoTokenSubject": "${contexts.ssoToken.value}", "amService": "AmService-1" } } ], "handler": "ReverseProxyHandler" } } }
For information about how to set up the IG route in Studio, see "Policy Enforcement in Structured Editor" or "Protecting a Web App With Freeform Designer".
For an example route that uses
claimsSubject
instead ofssoTokenSubject
to identify the subject, see "Example Policy Enforcement Using claimsSubject".
Test the setup:
If you are logged in to AM, log out and clear any cookies.
Go to http://openig.example.com:8080/home/pep-sso.
Because you have not previously authenticated to AM, the request does not contain a cookie with an SSO token. The SingleSignOnFilter redirects you to AM for authentication.
Log in to AM as user
demo
, passwordCh4ng31t
.When you have authenticated, AM redirects you back to the request URL, and IG requests a policy decision using the AM session cookie.
AM returns a policy decision that grants access to the sample application.