Enforce policy decisions from Identity Cloud
This example sets up ForgeRock Identity Cloud as a policy decision point for requests processed by Web Agents. For more information about Web Agents, refer to the User guide.
Before you start, use the Installation guide to install a Web Agent with the following values:
-
AM server URL:
https://tenant.forgeblocks.com:443/am
-
Agent URL:
http://agent.example.com:80
-
Agent profile name:
web-agent
-
Agent profile realm:
/alpha
-
Agent profile password:
/secure-directory/pwd.txt
-
Using the ForgeRock Identity Cloud Docs, log in to Identity Cloud as an administrator.
-
Make sure you are managing the
alpha
realm. If not, switch realms. -
Add a Web Agent profile in one of the following ways:
-
In the Identity Cloud admin UI:
Details
-
In the Identity Cloud admin UI, go to verified_user Gateways & Agents > New Gateway/Agent, and add a Web Agent with the following values:
-
Agent ID :
web-agent
-
Password :
password
-
Application URL :
http://agent.example.com:80
-
-
Click Done
-
-
In the AM admin UI:
Details
-
In the Identity Cloud admin UI, go to open_in_new Native Consoles > Access Management. The AM admin UI is displayed.
-
Select Applications > Agents > Web, and add an agent profile by using the following hints:
- Agent ID
-
The ID of the agent profile. This ID resembles a username in AM and is used during the agent installation. For example,
MyAgent
.When AM is not available, the related error message contains the agent profile name. Consider this in your choice of agent profile name. - Agent URL
-
The URL where the agent resides. For more information, refer to Example installation for this guide.
In centralized configuration mode, the Agent URL populates the agent profile for services, such as notifications.
- Server URL
-
The full URL to an authorization server, such as Identity Cloud or AM. For more information, refer to Example installation for this guide.
If the authorization server is deployed in a site configuration (behind a load balancer), enter the site URL.
In centralized configuration mode, the Server URL populates the agent profile for use with login, logout, naming, and cross-domain SSO.
- Password
-
The password the agent uses to authenticate to an authorization server, such as Identity Cloud or AM. Use this password when installing an agent.
Although the agent accepts any password length and content, you are strongly encouraged to generate secure passwords. This can be achieved in various ways, for example, by using a password manager.
-
On the the Web Agent page, select AM Services > AM Conditional Login URL, and enter the redirect URL for unauthenticated requests. This guide uses
|https://tenant.forgeblocks.com:443/am/oauth2/authorize?realm=/alpha
. For more information, refer to AM Conditional Login URL. -
Select AM Services > Policy Evaluation Realm, and enter the name of the policy evaluation realm. This guide uses
/alpha
. For more information, refer to Policy Evaluation Realm. -
Select AM Services > Policy Set, and enter the name of an AM policy set to use for policy evaluations. This guide uses
PEP
. For more information, refer to Policy Set. -
Select AM Services > AM Logout URL, and enter the page to which the agent redirects the end user on log out. This guide uses
https://tenant.forgeblocks.com:443/am/UI/Logout?realm=/alpha
. For more information, refer to AM Logout URL. -
Select AM Services > SSO, and delete the content of Cookie Name to leave the field empty. The agent determines the cookie name automatically from AM.
-
Click Save Changes.
-
-
-
Add a policy set and policy:
-
In the Identity Cloud admin UI, select verified_user Gateways & Agents and refresh the page.
-
Select the agent you just created.
-
On the agent profile page, make sure Use Policy Authorization is selected.
-
Go to Policy Set > Add. The AM admin UI is displayed.
-
In the AM admin UI, add a policy set with the following values:
-
Id :
PEP
-
Resource Types :
URL
-
-
In the policy set, add a policy with the following values:
-
Name :
PEP-policy
-
Resource Type :
URL
-
Resource pattern :
*://*:*/*
-
Resource value :
*://*:*/*
-
-
On the Actions tab, add actions to allow HTTP
GET
andPOST
. -
On the Subjects tab, remove any default subject conditions, add a subject condition for all
Authenticated Users
.
-
-
Assign the new policy set to the agent profile:
-
Return to the agent profile page on the Identity Cloud Admin UI, and refresh the page.
-
In Policy Set, select
PEP
to assign the PEP policy set to the agent profile, and then click Save.
-
-
Test the setup:
-
In the Identity Cloud admin UI, select group Identities > Manage > settings_system_daydream Alpha realm - Users, and add a new user with the following values:
-
Username :
demo
-
First name :
demo
-
Last name :
user
-
Email Address :
demo@example.com
-
Password :
Ch4ng3!t
-
-
Log out of Identity Cloud, and clear any cookies.
-
Go to
http://agent.example.com:80
. The Identity Cloud login page is displayed. -
Log in to Identity Cloud as user
demo
, passwordCh4ng3!t
, to access the web page protected by the Web Agent.
-