Policy Enforcement for CDSSO in Structured Editor

This section describes how to set up IG as a policy enforcement point for CDSSO in the structured editor of Studio. For more information about how to set up SSO, see "Enforcing AM Policy Decisions In Different Domains".

Set Up IG as a PEP for CDSSO
  1. In IG Studio, create a route:

    1. Go to http://openig.example.com:8080/openig/studio, and select Create a route.

    2. Select Structured to use the structured editor.

  2. Select Advanced options on the right, and create a route with the following options:

    • Base URI: http://app.example.com:8081

    • Condition: Path: /home/pep-cdsso

    • Name: pep-cdsso

  3. Configure authentication:

    1. Select Authentication.

    2. Select Cross-Domain Single Sign-On, and enter the following information:

      • AM service:

        • URI: http://openam.example.com:8088/openam

        • Version: The version of the AM instance, for example, 7.

        • Agent: The credentials of the agent you created in AM.

          • Username: ig_agent_cdsso

          • Password: password

      • Redirect endpoint: /home/pep-cdsso/redirect

      • Authentication cookie:

        • Path: /home

      Leave all other values as default.

  4. Configure a PolicyEnforcementFilter:

    1. Select Authorization.

    2. Select AM Policy Enforcement, and select the following options to reflect the configuration of the IG agent in AM:

      • Access Management configuration:

        • AM service: http://openam.example.com:8088/openam (/).

      • Access Management policies:

        • Policy set: PEP-CDSSO

        • AM SSO token ID: ${contexts.cdsso.token}

      Leave all other values as default.

  5. On the top-right of the screen, select and Display to review the route.

    The following route should be displayed:

      "name": "pep-cdsso",
      "baseURI": "http://app.example.com:8081",
      "condition": "${matches(request.uri.path, '^/home/pep-cdsso')}",
      "heap": [
          "name": "SystemAndEnvSecretStore-1",
          "type": "SystemAndEnvSecretStore"
          "name": "AmService-1",
          "type": "AmService",
          "config": {
            "agent": {
              "username": "ig_agent_cdsso",
              "passwordSecretId": "agent.secret.id"
            "secretsProvider": "SystemAndEnvSecretStore-1",
            "url": "http://openam.example.com:8088/openam/",
            "version": "7"
      "handler": {
        "type": "Chain",
        "config": {
          "filters": [
              "name": "CrossDomainSingleSignOnFilter-1",
              "type": "CrossDomainSingleSignOnFilter",
              "config": {
                "redirectEndpoint": "/home/pep-cdsso/redirect",
                "authCookie": {
                  "path": "/home",
                  "name": "ig-token-cookie"
                "amService": "AmService-1"
              "name": "PolicyEnforcementFilter-1",
              "type": "PolicyEnforcementFilter",
              "config": {
                "pepRealm": "/",
                "application": "PEP-CDSSO",
                "ssoTokenSubject": "${contexts.cdsso.token}",
                "amService": "AmService-1"
          "handler": "ReverseProxyHandler"

  6. Select Deploy to push the route to the IG configuration.

    You can check the $HOME/.openig/config/routes folder to see that the route is there.

Read a different version of :