Policy Enforcement in Structured Editor

This section describes how to set up IG as a policy enforcement point in the structured editor of Studio. For more information about setting up policy enforcement, see Enforcing Policy Decisions From AM.

Set Up IG as a PEP
  1. In IG Studio, create a route:

    1. Go to http://openig.example.com:8080/openig/studio, and select Create a route.

    2. Select Structured to use the structured editor.

  2. Select Advanced options on the right, and create a route with the following options:

    • Base URI: http://app.example.com:8081

    • Condition: Path: /home/pep-sso

    • Name: pep-sso

    The structured editor is displayed.

  3. Configure authentication:

    1. Select Authentication.

    2. Select Single Sign-On, and enter the following information:

      • AM service: Configure an AM service to use for authentication:

        • URI: http://openam.example.com:8088/openam

        • Agent: The credentials of the agent you created in AM.

          • Username: ig_agent

          • Password: password

      Leave all other values as default.

  4. Configure a PolicyEnforcementFilter:

    1. Select Authorization.

    2. Select AM Policy Enforcement, and then select the following options:

      • Access Management configuration:

        • AM service: http://openam.example.com:8088/openam (/).

      • Access Management policies:

        • Policy set: PEP-SSO

        • AM SSO token: ${contexts.ssoToken.value}

      Leave all other values as default.

  5. On the top-right of the screen, select and Display to review the route.

    The following route should be displayed:

    {
      "name": "pep-sso",
      "baseURI": "http://app.example.com:8081",
      "condition": "${matches(request.uri.path, '^/home/pep-sso')}",
      "heap": [
        {
          "name": "SystemAndEnvSecretStore-1",
          "type": "SystemAndEnvSecretStore"
        },
        {
          "name": "AmService-1",
          "type": "AmService",
          "config": {
            "agent": {
              "username": "ig_agent",
              "passwordSecretId": "agent.secret.id"
            },
            "secretsProvider": "SystemAndEnvSecretStore-1",
            "url": "http://openam.example.com:8088/openam/",
            "version": "7"
          }
        }
      ],
      "handler": {
        "type": "Chain",
        "config": {
          "filters": [
            {
              "name": "SingleSignOnFilter-1",
              "type": "SingleSignOnFilter",
              "config": {
                "amService": "AmService-1"
              }
            },
            {
              "name": "PolicyEnforcementFilter-1",
              "type": "PolicyEnforcementFilter",
              "config": {
                "pepRealm": "/",
                "application": "PEP-SSO",
                "ssoTokenSubject": "${contexts.ssoToken.value}",
                "amService": "AmService-1"
              }
            }
          ],
          "handler": "ReverseProxyHandler"
        }
      }
    }

  6. Select Deploy to push the route to the IG configuration.

    You can check the $HOME/.openig/config/routes folder to see that the route is there.
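The following check is an added example, not part of the IG documentation or product. It lints a route like the one displayed in step 5 for heap references that do not resolve, a PolicyEnforcementFilter that runs before any SingleSignOnFilter, agent credentials not supplied through `passwordSecretId`, and cleartext `http://` URLs. `lint_route` and `PAGE_ROUTE` are hypothetical names, and treating a literal `password` key or an `http://` URL as a finding is this example's own policy.

```python
# The route displayed in step 5, reduced to the fields the checks read.
PAGE_ROUTE = {
    "baseURI": "http://app.example.com:8081",
    "heap": [
        {"name": "SystemAndEnvSecretStore-1", "type": "SystemAndEnvSecretStore"},
        {"name": "AmService-1", "type": "AmService", "config": {
            "agent": {"username": "ig_agent", "passwordSecretId": "agent.secret.id"},
            "secretsProvider": "SystemAndEnvSecretStore-1",
            "url": "http://openam.example.com:8088/openam/"}}],
    "handler": {"type": "Chain", "config": {"filters": [
        {"name": "SingleSignOnFilter-1", "type": "SingleSignOnFilter",
         "config": {"amService": "AmService-1"}},
        {"name": "PolicyEnforcementFilter-1", "type": "PolicyEnforcementFilter",
         "config": {"amService": "AmService-1", "application": "PEP-SSO"}}]}},
}

def lint_route(route):
    """Return findings for an IG route dict; an empty list means none."""
    findings = []
    heap = {o["name"]: o for o in route.get("heap", []) if "name" in o}
    def heap_type(ref):
        return heap.get(ref, {}).get("type") if isinstance(ref, str) else None
    urls = {"baseURI": route.get("baseURI", "")}
    for name, obj in heap.items():
        if obj.get("type") != "AmService":
            continue
        cfg = obj.get("config", {})
        urls[name + ".url"] = cfg.get("url", "")
        agent = cfg.get("agent", {})
        if "password" in agent or "passwordSecretId" not in agent:
            findings.append(f"{name}: agent password not supplied via passwordSecretId")
        if heap_type(cfg.get("secretsProvider")) is None:
            findings.append(f"{name}: secretsProvider not found in heap")
    # Flag cleartext links: IG talks to AM and the protected app over these URLs.
    for label, url in urls.items():
        if url.startswith("http://"):
            findings.append(f"{label}: cleartext HTTP ({url})")
    handler = route.get("handler")
    chain = handler.get("config", {}) if isinstance(handler, dict) else {}
    seen_sso = False
    for f in chain.get("filters", []):
        cfg = f.get("config", {})
        if "amService" in cfg and heap_type(cfg["amService"]) != "AmService":
            findings.append(f"{f.get('name')}: amService is not an AmService in the heap")
        # ssoTokenSubject reads contexts.ssoToken, which SingleSignOnFilter populates.
        if f.get("type") == "PolicyEnforcementFilter" and not seen_sso:
            findings.append(f"{f.get('name')}: no SingleSignOnFilter earlier in the chain")
        seen_sso = seen_sso or f.get("type") == "SingleSignOnFilter"
    return findings
```

To check a deployed route, pass the result of `json.load()` on a file from $HOME/.openig/config/routes to `lint_route`. Run on the route as displayed above, it reports the two `http://` URLs and nothing else.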
