Restricting Access to Studio
When IG is running in development mode, by default the Studio endpoint is open and accessible. To allow only specific users to access Studio, configure a StudioProtectionFilter with a SingleSignOnFilter or CrossDomainSingleSignOnFilter.
The following example uses a SingleSignOnFilter to require users to authenticate with AM before they can access Studio, and protects the request from Cross Site Request Forgery (CSRF) attacks.
Set up AM:
1. (For AM 6.5.x and earlier versions) Select Identities > demo, and set the demo user password to Ch4ng31t.
2. (For AM 6.5.3 and later versions) Select Services > Add a Service, and add a Validation Service with the following Valid goto URL Resources:
   http://openig.example.com:8080/*
   http://openig.example.com:8080/*?*
3. Select Applications > Agents > Identity Gateway, and add an agent with the following values:
   Agent ID: ig_agent
   Password: password
   Leave all other values as default.
4. Select Applications > Agents > Java (or J2EE), and add an agent with the following values:
   Agent ID: ig_agent
   Agent URL: http://openig.example.com:8080/agentapp
   Server URL: http://openam.example.com:8088/openam
   Password: password
   On the Global tab, deselect Agent Configuration Change Notification. This option stops IG from being notified about agent configuration changes in AM, because they are not required by IG.
Set up IG:
1. Set an environment variable for the IG agent password, and then restart IG:
   $ export AGENT_SECRET_ID='cGFzc3dvcmQ='
   The password is retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.
2. Add the following route to IG, in $HOME/.openig/config/admin.json (Linux and macOS) or %appdata%\OpenIG\config\admin.json (Windows):

{
  "prefix": "openig",
  "mode": "DEVELOPMENT",
  "heap": [
    {
      "name": "SystemAndEnvSecretStore-1",
      "type": "SystemAndEnvSecretStore"
    },
    {
      "name": "AmService-1",
      "type": "AmService",
      "config": {
        "agent": {
          "username": "ig_agent",
          "passwordSecretId": "agent.secret.id"
        },
        "secretsProvider": "SystemAndEnvSecretStore-1",
        "url": "http://openam.example.com:8088/openam/",
        "version": "7"
      }
    },
    {
      "name": "StudioProtectionFilter",
      "type": "ChainOfFilters",
      "config": {
        "filters": [
          {
            "type": "SingleSignOnFilter",
            "config": {
              "amService": "AmService-1"
            }
          },
          {
            "type": "CsrfFilter",
            "config": {
              "cookieName": "iPlanetDirectoryPro",
              "failureHandler": {
                "type": "StaticResponseHandler",
                "config": {
                  "status": 403,
                  "headers": {
                    "Content-Type": [ "text/plain" ]
                  },
                  "entity": "Request forbidden"
                }
              }
            }
          }
        ]
      }
    }
  ]
}

   A second version of the same file, which also declares the SSO token cookie or header name once as a property and configures the connectors explicitly:

{
  "prefix": "openig",
  "mode": "DEVELOPMENT",
  "properties": {
    "SsoTokenCookieOrHeader": "iPlanetDirectoryPro"
  },
  "connectors": [
    { "port": 8080 },
    { "port": 8443 }
  ],
  "heap": [
    {
      "name": "SystemAndEnvSecretStore-1",
      "type": "SystemAndEnvSecretStore"
    },
    {
      "name": "AmService-1",
      "type": "AmService",
      "config": {
        "agent": {
          "username": "ig_agent",
          "passwordSecretId": "agent.secret.id"
        },
        "secretsProvider": "SystemAndEnvSecretStore-1",
        "url": "http://openam.example.com:8088/openam/",
        "ssoTokenHeader": "&{SsoTokenCookieOrHeader}",
        "version": "7"
      }
    },
    {
      "name": "StudioProtectionFilter",
      "type": "ChainOfFilters",
      "config": {
        "filters": [
          {
            "type": "SingleSignOnFilter",
            "config": {
              "amService": "AmService-1"
            }
          },
          {
            "type": "CsrfFilter",
            "config": {
              "cookieName": "&{SsoTokenCookieOrHeader}",
              "failureHandler": {
                "type": "StaticResponseHandler",
                "config": {
                  "status": 403,
                  "headers": {
                    "Content-Type": [ "text/plain" ]
                  },
                  "entity": "Request forbidden"
                }
              }
            }
          }
        ]
      }
    }
  ]
}
Notice the following features of the file:
- The prefix sets the base of the administrative route to the default value /openig. The Studio endpoint is therefore /openig/studio.
- The mode is DEVELOPMENT, so by default the Studio endpoint is open and unfiltered.
- The properties object sets a configuration parameter for the value of the SSO token cookie or header, which is used in AmService and CsrfFilter.
- The AmService uses the IG agent in AM for authentication.
- The agent password for AmService is provided by a SystemAndEnvSecretStore in the heap.
- The StudioProtectionFilter calls the SingleSignOnFilter to redirect unauthenticated requests to AM, and uses the CsrfFilter to protect requests from CSRF attacks. For more information, see "SingleSignOnFilter" and "CsrfFilter".
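To make the behaviour of this chain concrete, the following is an added Python model of the two filters as configured in the route above; it is not IG code and not from the original page. It shows which requests reach Studio, which are redirected to AM, and which the CsrfFilter rejects with the 403 failureHandler. The header name X-CSRF-Token, the safe-method set and the mapping of the secret id agent.secret.id to the AGENT_SECRET_ID environment variable are assumptions about IG defaults.

```python
import base64
import hmac
from dataclasses import dataclass, field

# Cookie name and 403 response come from the admin.json above; the header
# name and safe-method set are assumed CsrfFilter defaults, not page text.
CSRF_COOKIE_NAME = "iPlanetDirectoryPro"
CSRF_HEADER_NAME = "X-CSRF-Token"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

def single_sign_on_filter(req):
    # SingleSignOnFilter: no AM session cookie -> redirect to AM to log in.
    if not req.cookies.get(CSRF_COOKIE_NAME):
        return (302, "redirect to AM login")
    return None

def csrf_filter(req):
    # CsrfFilter (double-submit cookie): a state-changing request must repeat
    # the cookie value in the CSRF header, else the failureHandler answers 403.
    if req.method.upper() in SAFE_METHODS:
        return None
    cookie = req.cookies.get(CSRF_COOKIE_NAME, "")
    header = req.headers.get(CSRF_HEADER_NAME, "")
    if not cookie or not hmac.compare_digest(cookie, header):
        return (403, "Request forbidden")
    return None

def studio_protection_filter(req):
    # ChainOfFilters: the first filter that objects ends the request;
    # when both pass, the Studio endpoint is served.
    for check in (single_sign_on_filter, csrf_filter):
        outcome = check(req)
        if outcome is not None:
            return outcome
    return (200, "Studio")

def agent_password(environ):
    # SystemAndEnvSecretStore: secret id agent.secret.id is read from the
    # environment variable AGENT_SECRET_ID, whose value is base64-encoded.
    var = "agent.secret.id".replace(".", "_").upper()
    return base64.b64decode(environ[var], validate=True).decode()
```

The constructed session token value used when exercising this model is a placeholder, not a real AM token.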
Restart IG to take into account the changes to admin.json.
Test the setup:
1. If you are logged in to AM, log out.
2. Go to http://openig.example.com:8080/openig/studio. The SingleSignOnFilter redirects the request to AM for authentication.
3. Log in to AM with user demo, password Ch4ng31t. The Studio Routes screen is displayed.