Web Policy Agents 2023.3

ForgeRock Identity Cloud guide

ForgeRock® Identity Platform serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, see https://www.forgerock.com.

About this guide

This guide is for customers using an agent-based integration model, with ForgeRock Access Management on-premise, or another on-premise access management solution. The guide provides an example of how to transition from on-premise access management to Identity Cloud without changing the architecture of the agent-based model.

The examples in this document are based on an available version of Identity Cloud. As Identity Cloud evolves, the examples in this document will be updated to reflect the changes.

Example installation for this guide

Identity Cloud is described in the Identity Cloud Docs.

Find the value of the following properties:

  • The agent URL. This guide uses Web Agent installed on http://agent.example.com:80, in the alpha realm.

  • The root URL of your Identity Cloud. This guide uses https://tenant.forgeblocks.com:443.

  • The server URL of the Access Management component of the Identity Cloud. This guide uses https://tenant.forgeblocks.com:443/am.

  • The realm where you work. This guide uses alpha.

If you use a different configuration, substitute in the procedures accordingly.

About Web Agent and the Identity Cloud

Identity Cloud simplifies the consumption of ForgeRock as an Identity Platform. However, many organizations have business web applications and APIs deployed across multiple clouds, or on-premise. This guide provides an example of how to use Web Agent with the Identity Cloud, without changing the architecture of the agent-based model.

The following image illustrates the flow of an inbound request to a website, through a Web Agent, and the agent’s interaction with Identity Cloud to enforce resource-based policies.

Web Agent enforces policies from Identity Cloud.

For information about the Identity Cloud, refer to the Identity Cloud Docs.

Enforce policy decisions from Identity Cloud

This example sets up ForgeRock Identity Cloud as a policy decision point for requests processed by Web Agents. For more information about Web Agents, refer to the User guide.

Before you start, use the Installation guide to install a Web Agent with the following values:

  • AM server URL: https://tenant.forgeblocks.com:443/am

  • Agent URL: http://agent.example.com:80

  • Agent profile name: web-agent

  • Agent profile realm: /alpha

  • Agent profile password: /secure-directory/pwd.txt

  1. Using the ForgeRock Identity Cloud Docs, log in to Identity Cloud as an administrator.

  2. Make sure you are managing the alpha realm. If not, switch realms.

  3. Add a Web Agent profile in one of the following ways:

    • In the Identity Cloud admin UI:

      Details

      1. In the Identity Cloud admin UI, go to verified_user Gateways & Agents > New Gateway/Agent, and add a Web Agent with the following values:

        • Agent ID : web-agent

        • Password : password

        • Application URL : http://agent.example.com:80

      2. Click Done

    • In the AM admin UI:

      Details

      1. In the Identity Cloud admin UI, go to open_in_new Native Consoles > Access Management. The AM admin UI is displayed.

      2. Select Applications > Agents > Web, and add an agent profile by using the following hints:

        Agent ID

        The ID of the agent profile. This ID resembles a username in AM and is used during the agent installation. For example, MyAgent.

        When AM is not available, the related error message contains the agent profile name. Consider this in your choice of agent profile name.
        Agent URL

        The URL where the agent resides. For more information, refer to Example installation for this guide.

        In centralized configuration mode, the Agent URL populates the agent profile for services, such as notifications.

        Server URL

        The full URL to an authorization server, such as Identity Cloud or AM. For more information, refer to Example installation for this guide.

        If the authorization server is deployed in a site configuration (behind a load balancer), enter the site URL.

        In centralized configuration mode, the Server URL populates the agent profile for use with login, logout, naming, and cross-domain SSO.

        Password

        The password the agent uses to authenticate to an authorization server, such as Identity Cloud or AM. Use this password when installing an agent.

        Although the agent accepts any password length and content, you are strongly encouraged to generate secure passwords. This can be achieved in various ways, for example, by using a password manager.

      3. On the the Web Agent page, select AM Services > AM Conditional Login URL, and enter the redirect URL for unauthenticated requests. This guide uses |https://tenant.forgeblocks.com:443/am/oauth2/authorize?realm=/alpha. For more information, refer to AM Conditional Login URL.

      4. Select AM Services > Policy Evaluation Realm, and enter the name of the policy evaluation realm. This guide uses /alpha. For more information, refer to Policy Evaluation Realm.

      5. Select AM Services > Policy Set, and enter the name of an AM policy set to use for policy evaluations. This guide uses PEP. For more information, refer to Policy Set.

      6. Select AM Services > AM Logout URL, and enter the page to which the agent redirects the end user on log out. This guide uses https://tenant.forgeblocks.com:443/am/UI/Logout?realm=/alpha. For more information, refer to AM Logout URL.

      7. Select AM Services > SSO, and delete the content of Cookie Name to leave the field empty. The agent determines the cookie name automatically from AM.

      8. Click Save Changes.

  4. Add a policy set and policy:

    1. In the Identity Cloud admin UI, select verified_user Gateways & Agents and refresh the page.

    2. Select the agent you just created.

    3. On the agent profile page, make sure Use Policy Authorization is selected.

    4. Go to Policy Set > Add. The AM admin UI is displayed.

    5. In the AM admin UI, add a policy set with the following values:

      • Id : PEP

      • Resource Types : URL

    6. In the policy set, add a policy with the following values:

      • Name : PEP-policy

      • Resource Type : URL

      • Resource pattern : *://*:*/*

      • Resource value : *://*:*/*

    7. On the Actions tab, add actions to allow HTTP GET and POST.

    8. On the Subjects tab, remove any default subject conditions, add a subject condition for all Authenticated Users.

  5. Assign the new policy set to the agent profile:

    1. Return to the agent profile page on the Identity Cloud Admin UI, and refresh the page.

    2. In Policy Set, select PEP to assign the PEP policy set to the agent profile, and then click Save.

  6. Test the setup:

    1. In the Identity Cloud admin UI, select group Identities > Manage > settings_system_daydream Alpha realm - Users, and add a new user with the following values:

      • Username : demo

      • First name : demo

      • Last name : user

      • Email Address : demo@example.com

      • Password : Ch4ng3!t

    2. Log out of Identity Cloud, and clear any cookies.

    3. Go to http://agent.example.com:80. The Identity Cloud login page is displayed.

    4. Log in to Identity Cloud as user demo, password Ch4ng3!t, to access the web page protected by the Web Agent.

Copyright © 2010-2023 ForgeRock, all rights reserved.