Web Policy Agents 2023.3

FQDN checking

When FQDN checking is enabled, the agent checks the FQDN of a request before it evaluates the authentication or authorization of the request, as follows:

  • If the request matches the default domain, or the value of a mapped domain, the agent passes the request on to the next step without changing the domain.

  • Otherwise, the agent redirects the request to the specified domain before passing it on to the next step.

Use this feature to prevent the redirect of requests in the following scenarios:

  • Where resource URLs differ from the FQDNs in AM policies, for example, in load balanced and virtual host environments.

  • Where hostnames are virtual, allocated dynamically, or match a pattern, for example in a Kubernetes deployment.

  • Where hostnames are partial.

FQDN checking requires Enable FQDN Check to be true, FQDN Default to be set to a suitable value, and optionally, FQDN Virtual Host Map to map incoming URLs to valid outgoing domains.

The agent maps FQDNs as follows:

  1. If the request matches the domain in FQDN Default, the agent passes the request to the next step without changing the request domain.

  2. Otherwise, if the request matches a mapped domain (map value) in FQDN Virtual Host Map, the agent passes the request to the next step without changing the request domain.

  3. Otherwise, if the request matches a mapped host (map key) in FQDN Virtual Host Map, the agent redirects the request to the mapped domain before passing it to the next step.

  4. Otherwise, the agent redirects the request to the domain in FQDN Default before passing it to the next step.

Examples

The following example configuration and requests illustrate how the agent checks and remaps FQDNs:

Example configuration
  • Agent Root URL for CDSSO:

    sunIdentityServerDeviceKeyValue=agent.example.com

  • Not-Enforced URL List

    com.sun.identity.agents.config.notenforced.url[0]=http://www.agent1*.example.com

  • Enable FQDN Check:

    com.sun.identity.agents.config.fqdn.check.enable=true

  • FQDN Default:

    com.sun.identity.agents.config.fqdn.default=agent.default.com

  • FQDN Virtual Host Map:

    com.sun.identity.agents.config.fqdn.mapping[agent.example.com]=agent.example.com

    com.sun.identity.agents.config.fqdn.mapping[agent.example.com]=agent-*

    com.sun.identity.agents.config.fqdn.mapping[any.value.com]=ag*.example.com

    com.sun.identity.agents.config.fqdn.mapping[agent.othertest.com]=other.example.com

Example requests
  • http://agent.default.com/app: The request URL matches the domain of the default mapping, so the agent does not redirect the request.

  • https://agent.example.com/app: The request URL matches the value (domain) in the first mapping, so the agent does not redirect the request.

  • http://agent-4738294739287492/foo/bar/: The request URL matches the value (domain) in the second mapping, using the wildcard, so the agent does not redirect the request. Note that the value of the key is irrelevant in this match.

  • https://agent123.example.com/app: The request URL matches the value (domain) in the third mapping, so the agent does not redirect the request.

  • https://agent.othertest.me/app: The request URL matches the key (host) in the fourth mapping, so the agent redirects the request to https://other.example.com/app.

  • https://agent.othertest2.me/app: The request URL doesn’t match any mapping, so the agent redirects the request to the default domain, https://agent.example.com/app.

Copyright © 2010-2023 ForgeRock, all rights reserved.