Enforce policies decisions from ForgeRock Identity Cloud
This example sets up ForgeRock Identity Cloud as a policy decision point for requests processed by Java Agents. For more information about Java Agents, see the User guide.
Before you start, use the Installation guide to install a Java Agent with the following values:
-
AM server URL:
https://tenant.forgeblocks.com:443/am
-
Agent URL:
http://agent.example.com:80/app
-
Agent profile name:
java-agent
-
Agent profile realm:
/alpha
-
Agent profile password:
/secure-directory/pwd.txt
-
Using the ForgeRock Identity Cloud Docs, log in to Identity Cloud as an administrator.
-
Make sure that you are managing the
alpha
realm. If not, switch realms. -
Add a Java Agent profile in one of the following ways:
-
In the Identity Cloud admin UI:
Details
-
In the Identity Cloud admin UI, go to verified_user Gateways & Agents > New Gateway/Agent, and add a Java Agent with the following values:
-
Agent ID :
java-agent
-
Password :
password
-
Application URL :
http://agent.example.com:80/app
-
-
Click Done
-
-
In the AM admin UI:
Details
-
In the Identity Cloud admin UI, go to open_in_new Native Consoles > Access Management. The AM admin UI is displayed.
-
Select Applications > Agents > Java, and add an agent profile by using the following hints:
- Agent ID
-
The ID of the agent profile. This ID resembles a username in AM and is used during the agent installation. For example,
MyAgent
.When AM is not available, the related error message contains the agent profile name. Consider this in your choice of agent profile name. - Agent URL
-
The URL where the agent resides. For more information, refer to Example installation for this guide.
When the agent is in remote configuration mode, the Agent URL is used to populate the agent profile for services, such as notifications.
- Server URL
-
The full URL to an authorization server, such as Identity Cloud or AM. For more information, refer to Example installation for this guide.
If the authorization server is deployed in a site configuration (behind a load balancer), enter the site URL. When the agent is in remote configuration mode, the Server URL is used to populate the agent profile for login, logout, naming, and cross-domain SSO.
- Password
-
The password the agent uses to authenticate to an authorization server, such as Identity Cloud or AM. Use this password when installing an agent.
Although the agent accepts any password length and content, you are strongly encouraged to generate secure passwords. This can be achieved in various ways, for example using a password manager or by using the command line tool agentadmin --key.
-
On the Java Agent page, select AM Services > OAuth Login URL List, and enter the redirect URL for unauthenticated requests. The examples in this document use
|?realm=/alpha
. For more information, refer to OAuth Login URL List. -
Select AM Services > Policy Evaluation Realm Map, and enter the name of an AM realm to use for policy evaluations. The examples in this document use
/alpha
. For more information, refer to Policy Evaluation Realm Map. -
Select AM Services > Policy Set Map, and enter the name of an AM policy set to use for policy evaluations. The examples in this document use
PEP
. For more information, refer to Policy Set Map. -
Click Save Changes.
-
-
-
Add a policy set and policy:
-
In the Identity Cloud admin UI, select verified_user Gateways & Agents and refresh the page.
-
Select the agent you just created.
-
On the agent profile page, make sure that Use Policy Authorization is selected.
-
Go to Policy Set > Add. The AM admin UI is displayed.
-
Add a policy set with the following values:
-
Id :
PEP
-
Resource Types :
URL
-
-
In the policy set, add a policy with the following values:
-
Name :
PEP-policy
-
Resource Type :
URL
-
Resource pattern :
*://*:*/*
-
Resource value :
*://*:*/*
-
-
On the Actions tab, add actions to allow HTTP
GET
andPOST
. -
On the Subjects tab, remove any default subject conditions, add a subject condition for all
Authenticated Users
.
-
-
Assign the new policy set to the agent profile:
-
Return to the agent profile page on the Identity Cloud admin UI, and refresh the page.
-
In Policy Set, select
PEP
to assign the PEP policy set to the agent profile, and then click Save.
-
-
Test the setup:
-
In the Identity Cloud admin UI, select group Identities > Manage > settings_system_daydream Alpha realm - Users, and add a new user with the following values:
-
Username :
demo
-
First name :
demo
-
Last name :
user
-
Email Address :
demo@example.com
-
Password :
Ch4ng3!t
-
-
Log out of Identity Cloud, and clear any cookies.
-
Go to
http://agent.example.com:80/app
. The Identity Cloud login page is displayed. -
Log in to Identity Cloud as user
demo
, passwordCh4ng3!t
, to access the web page protected by the Java Agent.
-