Enforcing AM Policy Decisions In the Same Domain

The following procedure gives an example of how to create a policy in AM and configure an agent that can request policy decisions, when IG and AM are in the same domain.

Enforce AM Policy Decisions in the Same Domain

Before you start, prepare AM, IG, and the sample application as described in "Example Installation for This Guide".

  1. Set up an AM agent with permission to request policy decisions:

    1. (For AM 6.5.x and earlier versions) Select Identities > demo, and set the demo user password to Ch4ng31t.

    2. (For AM 6.5.3 and later versions) Select  Services > Add a Service, and add a Validation Service with the following Valid goto URL Resources:

      • http://openig.example.com:8080/*

      • http://openig.example.com:8080/*?*

    3. Select Applications > Agents > Identity Gateway, add an agent with the following values:

      • Agent ID: ig_agent

      • Password: password

      Leave all other values as default.

      1. Select Applications > Agents > Java (or J2EE).

      2. Add an agent with the following values:

        • Agent ID: ig_agent

        • Agent URL: http://openig.example.com:8080/agentapp

        • Server URL: http://openam.example.com:8088/openam

        • Password: password

      3. On the Global tab, deselect Agent Configuration Change Notification.

        This option stops IG from being notified about agent configuration changes in AM, because they are not required by IG.

    4. Set up a policy:

      1. Select Authorization > Policy Sets > New Policy Set, and add a policy set with the following values:

        • Id: PEP-SSO

        • Resource Types: URL

      2. In the new policy set, add a policy with the following values:

        • Name: IG Policy SSO

        • Resource Type: URL

        • Resource pattern: *://*:*/*

        • Resource value: http://app.example.com:8081/home/pep-sso*

        This policy protects the home page of the sample application.

      3. On the Actions tab, add an action to allow HTTP GET.

      4. On the Subjects tab, remove any default subject conditions, add a subject condition for all Authenticated Users.

    5. Select Configure > Global Services > Platform, and add example.com as an AM cookie domain.

      By default, AM sets host-based cookies. After authentication with AM, requests can be redirected to AM instead of to the resource.

  2. Set up IG:

    1. Set an environment variable for the IG agent password, and then restart IG:

      $ export AGENT_SECRET_ID='cGFzc3dvcmQ='

      The password is retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.

    2. Add the following route to IG, to serve .css and other static resources for the sample application:

        "name" : "sampleapp_resources",
        "baseURI" : "http://app.example.com:8081",
        "condition": "${matches(request.uri.path,'^/css')}",
        "handler": "ReverseProxyHandler"
    3. Add the following route to IG:

        "name": "pep-sso",
        "baseURI": "http://app.example.com:8081",
        "condition": "${matches(request.uri.path, '^/home/pep-sso')}",
        "heap": [
            "name": "SystemAndEnvSecretStore-1",
            "type": "SystemAndEnvSecretStore"
            "name": "AmService-1",
            "type": "AmService",
            "config": {
              "agent": {
                "username": "ig_agent",
                "passwordSecretId": "agent.secret.id"
              "secretsProvider": "SystemAndEnvSecretStore-1",
              "url": "http://openam.example.com:8088/openam/",
              "version": "7"
        "handler": {
          "type": "Chain",
          "config": {
            "filters": [
                "name": "SingleSignOnFilter-1",
                "type": "SingleSignOnFilter",
                "config": {
                  "amService": "AmService-1"
                "name": "PolicyEnforcementFilter-1",
                "type": "PolicyEnforcementFilter",
                "config": {
                  "pepRealm": "/",
                  "application": "PEP-SSO",
                  "ssoTokenSubject": "${contexts.ssoToken.value}",
                  "amService": "AmService-1"
            "handler": "ReverseProxyHandler"

      For information about how to set up the IG route in Studio, see "Policy Enforcement in Structured Editor" or "Protecting a Web App With Freeform Designer".

      For an example route that uses claimsSubject instead of ssoTokenSubject to identify the subject, see "Example Policy Enforcement Using claimsSubject".

  3. Test the setup:

    1. If you are logged in to AM, log out and clear any cookies.

    2. Go to http://openig.example.com:8080/home/pep-sso.

      Because you have not previously authenticated to AM, the request does not contain a cookie with an SSO token. The SingleSignOnFilter redirects you to AM for authentication.

    3. Log in to AM as user demo, password Ch4ng31t.

      When you have authenticated, AM redirects you back to the request URL, and IG requests a policy decision using the AM session cookie.

      AM returns a policy decision that grants access to the sample application.

Read a different version of :