Protecting a Web App With Freeform Designer

This section describes how to use the freeform designer to protect a web app, using AM for single sign-on and policy enforcement.

The generated route contains a chain of objects to authenticate the user, enforce an AM authorization policy, retrieve the user's profile, insert it into the request, and, finally, forward the request to the web app.

Protect a Web App With Freeform Designer

Before you start, set up AM as described in Enforcing Policy Decisions From AM.

  1. In IG Studio, create a route:

    1. Go to http://openig.example.com:8080/openig/studio, and select Create a route.

    2. Select Freeform to use the freeform designer.

  2. Select Web SSO to use the template for protecting web apps.

  3. Select Advanced options on the right, and create a route with the following options:

    • Base URI: http://app.example.com:8081

    • Condition: Path: /home/pep-sso-ff

    • Name: pep-sso-ff

    • AM Configuration:

      • URI: http://openam.example.com:8088/openam

      • Username: ig_agent

      • Password: password

    The route is displayed on the Flow tab of the canvas. Select the All Objects tab to view a list of objects in the route.

    Double-click on any object to review or edit it. After double-clicking on an object, select the Decorations tab to decorate it.

  4. On the Flow tab, double-click the Policy Enforcement object, and add a policy set with the following values:

    • Policy set: PEP-SSO

    • AM SSO token: ${contexts.ssoToken.value}

    Leave all other values as default.

  5. On the top-right of the screen, select and Display to review the route.

    The following route is displayed:

    {
      "name": "pep-sso-ff",
      "baseURI": "http://app.example.com:8081",
      "condition": "${matches(request.uri.path, '^/home/pep-sso-ff')}",
      "handler": "Chain",
      "heap": [
        {
          "name": "Chain",
          "type": "Chain",
          "config": {
            "handler": "ReverseProxyHandler",
            "filters": [
              "SSO",
              "PolicyEnforcement",
              "GetEmail",
              "InjectEmail"
            ]
          }
        },
        {
          "name": "SSO",
          "type": "SingleSignOnFilter",
          "config": {
            "amService": "AmService"
          }
        },
        {
          "name": "ReverseProxyHandler",
          "type": "ReverseProxyHandler"
        },
        {
          "name": "AmService",
          "type": "AmService",
          "config": {
            "url": "http://openam.example.com:8088/openam",
            "realm": "/",
            "agent": {
              "username": "ig_agent",
              "password": "password"
            },
            "sessionCache": {
              "enabled": false
            }
          }
        },
        {
          "name": "PolicyEnforcement",
          "type": "PolicyEnforcementFilter",
          "config": {
            "amService": "AmService",
            "ssoTokenSubject": "${contexts.ssoToken.value}",
            "cache": {
              "enabled": false
            },
            "application": "PEP-SSO"
          }
        },
        {
          "name": "GetEmail",
          "type": "UserProfileFilter",
          "config": {
            "username": "${contexts.ssoToken.info.uid}",
            "userProfileService": {
              "type": "UserProfileService",
              "config": {
                "amService": "AmService"
              }
            }
          }
        },
        {
          "name": "InjectEmail",
          "type": "HeaderFilter",
          "config": {
            "messageType": "REQUEST",
            "add": {
              "Email": [
                "${contexts.userProfile.username}"
              ]
            }
          }
        },
        {
          "type": "BaseUriDecorator",
          "name": "baseUri"
        },
        {
          "type": "TimerDecorator",
          "name": "timer",
          "config": {
            "timeUnit": "ms"
          }
        },
        {
          "type": "CaptureDecorator",
          "name": "capture",
          "config": {
            "captureEntity": false,
            "captureContext": false,
            "maxEntityLength": 524288
          }
        }
      ]
    }

  6. Select Deploy to push the route to the IG configuration.

    You can check the $HOME/.openig/config/routes folder to see that the route is there.
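Before deploying a route like the one above, it is worth checking statically that the Chain is wired the way the description says: every filter name in the Chain resolves to a heap object, the SingleSignOnFilter runs before the PolicyEnforcementFilter and before any filter that reads the SSO token or user profile, and every amService reference points at an AmService. The following script is an added example (not IG Studio's or IG's own code); it embeds a trimmed copy of the route shown above, runs those checks, and approximates the route condition with a Python regex search so you can see which request paths the route captures. The ordering rules and the `with_filters` helper are assumptions made for this check, not an IG API.

```python
"""Static checks on an IG route definition before deployment (added example)."""
import json
import re

# Constructed: a trimmed copy of the route generated above (same names and types).
ROUTE_JSON = r'''
{
  "name": "pep-sso-ff",
  "baseURI": "http://app.example.com:8081",
  "condition": "${matches(request.uri.path, '^/home/pep-sso-ff')}",
  "handler": "Chain",
  "heap": [
    {"name": "Chain", "type": "Chain",
     "config": {"handler": "ReverseProxyHandler",
                "filters": ["SSO", "PolicyEnforcement", "GetEmail", "InjectEmail"]}},
    {"name": "SSO", "type": "SingleSignOnFilter", "config": {"amService": "AmService"}},
    {"name": "ReverseProxyHandler", "type": "ReverseProxyHandler"},
    {"name": "AmService", "type": "AmService",
     "config": {"url": "http://openam.example.com:8088/openam", "realm": "/",
                "agent": {"username": "ig_agent", "password": "password"},
                "sessionCache": {"enabled": false}}},
    {"name": "PolicyEnforcement", "type": "PolicyEnforcementFilter",
     "config": {"amService": "AmService", "ssoTokenSubject": "${contexts.ssoToken.value}",
                "cache": {"enabled": false}, "application": "PEP-SSO"}},
    {"name": "GetEmail", "type": "UserProfileFilter",
     "config": {"username": "${contexts.ssoToken.info.uid}",
                "userProfileService": {"type": "UserProfileService",
                                       "config": {"amService": "AmService"}}}},
    {"name": "InjectEmail", "type": "HeaderFilter",
     "config": {"messageType": "REQUEST", "add": {"Email": ["${contexts.userProfile.username}"]}}}
  ]
}
'''

# Filter types that rely on SingleSignOnFilter having run first (assumption drawn
# from the chain described on this page, not a rule defined by IG itself).
NEEDS_SSO = {"PolicyEnforcementFilter", "UserProfileFilter", "HeaderFilter"}


def heap_index(route):
    """Map heap object names to their definitions."""
    return {obj["name"]: obj for obj in route["heap"] if "name" in obj}


def check_route(route_text):
    """Return a list of problems found in the route; an empty list means it passed."""
    route = json.loads(route_text)
    heap = heap_index(route)
    problems = []
    chain = heap.get(route.get("handler"))
    if chain is None or chain.get("type") != "Chain":
        return ["top-level handler is not a Chain defined in the heap"]
    cfg = chain["config"]
    # 1. Every name the Chain references must exist in the heap.
    for ref in cfg["filters"] + [cfg["handler"]]:
        if ref not in heap:
            problems.append(f"chain references undefined object {ref!r}")
    if problems:
        return problems
    # 2. Authentication must precede authorization and every consumer of the token.
    types = [heap[f]["type"] for f in cfg["filters"]]
    if "SingleSignOnFilter" not in types:
        problems.append("no SingleSignOnFilter in chain: requests reach the app unauthenticated")
    else:
        sso_pos = types.index("SingleSignOnFilter")
        for pos, t in enumerate(types):
            if t in NEEDS_SSO and pos < sso_pos:
                problems.append(f"{t} at position {pos} runs before SingleSignOnFilter")
        if "PolicyEnforcementFilter" not in types:
            problems.append("no PolicyEnforcementFilter: authenticated users are never authorized")
    # 3. Every amService reference must resolve to an AmService heap object.
    for name in cfg["filters"]:
        svc = heap[name].get("config", {}).get("amService")
        if svc is not None and heap.get(svc, {}).get("type") != "AmService":
            problems.append(f"{name} references amService {svc!r}, which is not an AmService")
    return problems


def with_filters(route_text, filters):
    """Return a copy of the route with the Chain's filter list replaced (what-if checks)."""
    route = json.loads(route_text)
    heap_index(route)[route["handler"]]["config"]["filters"] = list(filters)
    return json.dumps(route)


def condition_matches(route_text, path):
    """Approximate ${matches(request.uri.path, '<regex>')} with a Python regex search."""
    route = json.loads(route_text)
    m = re.fullmatch(r"\$\{matches\(request\.uri\.path, '([^']*)'\)\}", route["condition"])
    if not m:
        raise ValueError("condition is not a simple matches() expression")
    return re.search(m.group(1), path) is not None


if __name__ == "__main__":
    print("problems:", check_route(ROUTE_JSON) or "none")
    for p in ["/home/pep-sso-ff", "/home/pep-sso-ff/admin", "/home/other"]:
        print(p, "->", condition_matches(ROUTE_JSON, p))
```

Run as-is, the route passes and the condition check shows that `^/home/pep-sso-ff` is a prefix pattern: `/home/pep-sso-ff/admin` is captured by the same route and therefore gets the same SSO and policy treatment, while `/home/other` is not. Swapping the order of `SSO` and `PolicyEnforcement` with `with_filters` makes `check_route` report that the PolicyEnforcementFilter would run before the user has been authenticated.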

Test the Setup

  1. If you are logged in to AM, log out and clear any cookies.

  2. Go to http://openig.example.com:8080/home/pep-sso-ff.

  3. Log in to AM as user demo, password Ch4ng31t.

    AM returns a policy decision that grants access to the sample application.
