Instructions for configuring Web Agents with the ForgeRock Identity Cloud.

Preface

ForgeRock Identity Platform™ serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, see https://www.forgerock.com.

1. About This Guide

This guide is for customers using an agent-based integration model, with ForgeRock Access Management on-premise, or another on-premise access management solution. The guide provides an example of how to transition from on-premise access management to ForgeRock Identity Cloud without changing the architecture of the agent-based model.

2. Example Installation for This Guide

Unless otherwise stated, examples assume the following installation:

  • Web Agents are installed on http://www.example.com:80 in the alpha realm. For more information, see "Installing Web Agents" in the User Guide.

  • ForgeRock Identity Cloud is installed with the default configuration described in the ForgeRock Identity Cloud Docs.

    Find the value of the following properties:

    • The root URL of your ForgeRock Identity Cloud. This guide uses https://Tenant.forgeblocks.com:443.

    • The URL of the Access Management component of the ForgeRock Identity Cloud. This guide uses https://Tenant.forgeblocks.com:443/am.

    • The realm where you work. This guide uses alpha.

If you use a different configuration, substitute in the procedures accordingly.

Chapter 1. About Web Agents and the ForgeRock Identity Cloud

ForgeRock Identity Cloud simplifies the consumption of ForgeRock as an Identity Platform. However, many organizations have business web applications and APIs deployed across multiple clouds, or on-premise. This guide provides an example of how to use Web Agents with the ForgeRock Identity Cloud, without changing the architecture of the agent-based model.

The following image illustrates the flow of an inbound request to a website, through a Web Agent, and the Web Agent's interaction with ForgeRock Identity Cloud to enforce resource-based policies.

Web Agent Enforcing Policies From Identity Cloud

For information about the ForgeRock Identity Cloud, see the ForgeRock Identity Cloud Docs.

Chapter 2. Enforce Policies From ForgeRock Identity Cloud

This example sets up ForgeRock Identity Cloud as a policy decision point for requests processed by Web Agents. For more information about Web Agents, see the User Guide.

  1. Set up Identity Cloud:

    1. Install Identity Cloud with the default configuration in "Example Installation for This Guide", as described in the ForgeRock Identity Cloud Docs.

    2. Log in to the ForgeRock Identity Cloud as an administrator.

    3. Make sure that you are managing the alpha realm. If not, click the current realm at the top of the screen, click Realm Settings, and switch to the alpha realm.

    4. In the platform console, go to Identities > Manage > Alpha realm - Users, and add a new user with the following values:

      • Username: demo

      • First name: demo

      • Last name: user

      • Email Address: demo@example.com

      • Password: Ch4ng3!t

  2. Set up Access Management in Identity Cloud:

    1. Go to the alpha realm in the AM console:

      1. In the platform console, click Native Consoles > Access Management. The Access Management console is displayed.

      2. Make sure that you are managing the alpha realm. If not, click the current realm at the top of the screen, click Realm Settings, and switch to the alpha realm.

    2. Add a Web Agent:

      1. Click Applications > Agents > Web, and add an agent with the following values:

        • Agent ID: web-agent

        • Agent URL: http://www.example.com:80

        • Server URL: https://Tenant.forgeblocks.com:443/am

        • Password: password

      2. On the AM Services tab, set the following values:

        • AM Conditional Login URL: |https://Tenant.forgeblocks.com:443/am/oauth2/authorize?realm=/alpha

          Note the | at the start of the URL.

        • Policy Evaluation Realm: /alpha

        • Policy Set: PEP

    3. Add a policy to protect a web page:

      1. Click Authorization > Policy Sets, and add a new policy set with the following values:

        • Id: PEP

        • Resource Types: URL

      2. In the policy set, add a policy with the following values:

        • Name: PEP-policy

        • Resource Type: URL

        • Resource pattern: *://*:*/*

        • Resource value: *://*:*/*

        This policy protects all web pages.

      3. On the Actions tab, add actions to allow HTTP GET and POST.

      4. On the Subjects tab, remove any default subject conditions, and add a subject condition for all Authenticated Users.

  3. Set up Web Agents:

    1. Create a text file containing the agent profile password:

      $ echo password > /tmp/pwd.txt
      $ chmod 400 /tmp/pwd.txt
      C:\> echo password > pwd.txt

    2. Using "Installing Web Agents" in the User Guide, install Web Agents with the following values:

      • Configuration file [/opt/apache/conf/httpd.conf]: Enter the path to your Apache configuration file.

      • Existing agent.conf file: Skip the import, or enter the path to your file.

      • OpenAM URL: https://Tenant.forgeblocks.com:443/am

      • Agent URL: http://www.example.com:80

      • Agent Profile name: web-agent

      • Agent realm/organization name: /alpha

      • Agent Profile password source: /tmp/pwd.txt

    3. Restart Web Agents; for example:

      $ apachectl -k stop
      $ apachectl -k start

  4. Test the setup:

    1. In a new browser, go to http://www.example.com:80. The Identity Cloud login page is displayed.

    2. Log in to Identity Cloud as user demo, with password Ch4ng3!t, to access the resource protected by the Web Agent.
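Step 3.1 writes the agent profile password to a file with echo and then tightens its permissions with chmod. The following added example (not from the ForgeRock guide or the Web Agents product) wraps the same task in two POSIX shell functions: one creates the file with the restrictive mode already in place, so there is no moment at which the default umask leaves the password readable by other users, and one verifies the file before it is passed to the installer as the "Agent Profile password source". The file name pwd.txt and the value password follow the guide's example; the function names are ours.

```shell
#!/bin/sh
# Added example, not part of the ForgeRock guide.
# Creates and verifies the file that holds the Web Agent profile password.

# write_agent_password FILE PASSWORD
# Writes PASSWORD (followed by a newline, as echo would) into FILE so that
# the file is owner-readable only from the moment it is created.
write_agent_password() {
    file=$1
    password=$2
    # Restrict the mode at creation time. Running chmod afterwards, as in
    # "echo ... > file; chmod 400 file", leaves a window in which the
    # default umask may have made the file group- or world-readable.
    old_umask=$(umask)
    umask 077
    if ! printf '%s\n' "$password" > "$file"; then
        umask "$old_umask"
        return 1
    fi
    umask "$old_umask"
    chmod 400 "$file"
}

# check_agent_password_file FILE
# Returns 0 only if FILE is a regular file whose mode is exactly 400
# (read permission for the owner and nothing else).
check_agent_password_file() {
    file=$1
    [ -f "$file" ] || return 1
    # GNU stat and BSD/macOS stat take different options; try both.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null)
    [ "$mode" = "400" ]
}

# Example usage (constructed paths; the guide uses /tmp/pwd.txt):
#   write_agent_password "$HOME/web-agent/pwd.txt" password
#   check_agent_password_file "$HOME/web-agent/pwd.txt" && echo "password file OK"
```

Prefer a directory owned by the account that runs the agent installer over /tmp, which is world-writable and shared with every other local user; the functions accept any path.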
