Web Policy Agents 2024.3

Prepare for installation

For information about installing Web Agent, refer to the Installation. This section summarizes considerations for using the agent with Identity Cloud:

  • Configure Identity Cloud and set up a policy before you install the agent. When you configure the agent in the Identity Cloud admin UI, you can select the policy.

  • For environments with load balancers or reverse proxies, consider the communication between the agent and the Identity Cloud servers, and between the agent and the client. Do one of the following:

    • Configure the environment before you install the agent.

    • Install the agent using agentadmin --s --forceInstall to prevent the agent from trying to connect to Identity Cloud before installation.

Example installation for this guide

Unless otherwise stated, the examples in this guide assume the following installation:

  • AM server URL: https://tenant.forgeblocks.com:443/am

  • Agent URL: http://agent.example.com:80

  • Agent profile name: web-agent

  • Agent profile realm: /alpha

  • Agent profile password: /secure-directory/pwd.txt

Add a demo user in Identity Cloud

Add a user so you can test the examples in this guide.

  1. In the Identity Cloud admin UI, select group Identities > Manage > settings_system_daydream Alpha realm - Users.

  2. Add a new user with the following values:

    • Username : demo

    • First name : demo

    • Last name : user

    • Email Address : demo@example.com

    • Password : Ch4ng3!t

Create a policy set and policy in Identity Cloud

  1. In the Identity Cloud admin UI, select open_in_new Native Consoles > Access Management. The AM admin UI is displayed.

  2. In the AM admin UI, select Authorization > Policy Sets > New Policy Set, and add a policy set with the following values:

    • Id : PEP

    • Resource Types : URL

  3. In the policy set, add a policy with the following values:

    • Name : PEP-policy

    • Resource Type : URL

    • Resource pattern : *://*:*/*

    • Resource value : *://*:*/*

  4. On the Actions tab, add actions to allow HTTP GET and POST.

  5. On the Subjects tab, remove any default subject conditions, add a subject condition for all Authenticated Users.

Create an agent profile in Identity Cloud

  1. In the Identity Cloud admin UI, go to verified_user Gateways & Agents > New Gateway/Agent, and add a Web Agent with the following values:

    • Agent ID : web-agent

    • Password : password

    • Application URL : http://agent.example.com:80

  2. Click Save Profile and Done.

  3. On the agent profile page, select Use Policy Authorization, select a policy set to assign to the profile, and then click Save.

    If a suitable policy set isn’t available, select Edit advanced settings to edit or create one.

  4. (Optional) Use AM’s secret service to manage the agent profile password. If AM finds a matching secret in a secret store, it uses that secret instead of the agent password configured in Step 1.

    1. In the settings panel of the agent profile page, click Edit advanced settings in the Access Management Native Console.

    2. In the AM admin UI, set a label for the agent password in Secret Label Identifier.

      AM uses the identifier to generate a secret label for the agent.

      The secret label has the format am.application.agents.identifier.secret, where identifier is the Secret Label Identifier.

      The Secret Label Identifier can contain only characters a-z, A-Z, 0-9, and periods (.). It can’t start or end with a period.

    3. Select Secret Stores and configure a secret store.

    4. Map the label to the secret. Learn more from AM’s Map and rotate secrets.

    Note the following points for using AM’s secret service:

    • Set a Secret Label Identifier that clearly identifies the agent.

    • If you update or delete the Secret Label Identifier, AM updates or deletes the corresponding mapping for the previous identifier provided no other agent shares the mapping.

    • When you rotate a secret, update the corresponding mapping.

Copyright © 2010-2024 ForgeRock, all rights reserved.