Enforce Policies From Identity Cloud

This example sets up Identity Cloud as a policy decision point for requests processed by Web Agent. For more information about Web Agent, see the User Guide.

  1. Set up Identity Cloud:

    1. Install Identity Cloud with the default configuration in Example Installation for This Guide, as described in the ForgeRock Identity Cloud Docs.

    2. Log in to the Identity Cloud as an administrator.

    3. Make sure that you are managing the alpha realm. If not, click the current realm at the top of the screen, and switch to the alpha realm.

    4. In the platform console, go to Identities > Manage > Alpha realm - Users, and add a new user with the following values:

      • Username : demo

      • First name : demo

      • Last name : user

      • Email Address : demo@example.com

      • Password : Ch4ng3!t

  2. Set up Access Management in Identity Cloud:

    1. Go to the alpha realm in the AM console:

      1. In the platform console, click Native Consoles > Access Management. The Access Management console is displayed.

      2. Make sure that you are managing the alpha realm. If not, click the current realm, and switch to the alpha realm.

    2. Add a Web Agent:

      1. Click Applications > Agents > Web, and add an agent with the following values:

      2. On the AM Services tab, set the following values:

        • AM Conditional Login URL: |https://tenant.forgeblocks.com:443/am/oauth2/authorize?realm=/alpha

          Note the | at the start of the URL.

        • Policy Evaluation Realm : /alpha

        • Policy Set : PEP

    3. Click Authorization > Policy Sets, and add a new policy set with the following values:

      • Id : PEP

      • Resource Types : URL

    4. In the policy set, add a policy with the following values:

      • Name : PEP-policy

      • Resource Type : URL

      • Resource pattern : *://*:*/*

      • Resource value : *://*:*/*

        This policy protects all web pages.

    5. On the Actions tab, add actions to allow HTTP GET and POST.

    6. On the Subjects tab, remove any default subject conditions, and add a subject condition for All Authenticated Users.

  3. Set up Web Agent:

    1. Create a text file for the agent password, and protect it. For example, use commands similar to these, changing the password value and path:

      Unix:

      $ cat > /tmp/pwd.txt
      password
      CTRL+D

      $ chmod 400 /tmp/pwd.txt

      Windows:

      C:> type con > pwd.txt
      password
      CTRL+Z

      In Windows Explorer, right-click the password file, for example pwd.txt, select Read-Only, and then click OK.

    2. Using Install Web Agent, install the agent with the following values:

      • Configuration file [/opt/apache/conf/httpd.conf] : Enter the path to your Apache configuration file.

      • Existing agent.conf file : Skip the import, or enter the path to your file.

      • OpenAM URL : https://tenant.forgeblocks.com:443/am

      • Agent URL : http://www.example.com:80

      • Agent Profile name : web-agent

      • Agent realm/organization name : /alpha

      • Agent Profile password source : /tmp/pwd.txt

    3. Restart the agent:

      $ apachectl -k stop
      $ apachectl -k start

  4. Test the setup:

    1. Log out of Identity Cloud, and clear any cookies.

    2. Go to http://www.example.com:80. The Identity Cloud login page is displayed.

    3. Log in to Identity Cloud as user demo, password Ch4ng3!t, to access the agent.
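The following added example (not part of the original page, and not ForgeRock code) models what the PEP policy set configured in step 2 decides for a given URL. It assumes the AM URL resource-type wildcard rules (`*` matches any characters including `/` but never `?`; `-*-` matches any characters except `/` and `?`) and deny-overrides combining between matching policies; the `Policy` class, the `admin-read-only` policy and the sample URLs are constructed for illustration only:

```python
import re
from dataclasses import dataclass


# Hypothetical model of an AM policy, reduced to the fields this example needs.
@dataclass
class Policy:
    name: str
    resources: list[str]        # URL resource patterns, e.g. "*://*:*/*"
    actions: dict[str, bool]    # action name -> True (allow) / False (deny)


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an AM URL resource pattern into an anchored regex.

    Wildcard semantics assumed by this example:
      *    matches zero or more characters, including '/', but never '?'
      -*-  matches zero or more characters, but never '/' or '?'
    Everything else is matched literally.
    """
    # Split on the narrow wildcard first so its inner '*' is not
    # mistaken for the broad wildcard.
    segments = []
    for segment in pattern.split("-*-"):
        literal_parts = [re.escape(p) for p in segment.split("*")]
        segments.append("[^?]*".join(literal_parts))
    return re.compile("^" + "[^/?]*".join(segments) + "$")


def matches(pattern: str, url: str) -> bool:
    """True when the URL is covered by the resource pattern."""
    return pattern_to_regex(pattern).match(url) is not None


def evaluate(policies: list[Policy], url: str) -> dict[str, bool]:
    """Combine the action decisions of every policy whose resource matches.

    A deny from any matching policy overrides an allow from another
    (deny-overrides combining, assumed here). Subject conditions are
    taken as already satisfied, i.e. the request comes from an
    authenticated user as PEP-policy requires. An empty result means
    no policy covers the URL, so the agent receives no allow decision.
    """
    decisions: dict[str, bool] = {}
    for policy in policies:
        if not any(matches(r, url) for r in policy.resources):
            continue
        for action, allowed in policy.actions.items():
            decisions[action] = decisions.get(action, True) and allowed
    return decisions


# Constructed policy set: PEP-policy from the page, plus a hypothetical
# narrower policy that withdraws POST under /admin/ to show how a second
# policy scopes the broad one.
EXAMPLE_POLICIES = [
    Policy("PEP-policy", ["*://*:*/*"], {"GET": True, "POST": True}),
    Policy("admin-read-only", ["http://www.example.com:80/admin/*"], {"POST": False}),
]


if __name__ == "__main__":
    for url in (
        "http://www.example.com:80/index.html",
        "http://www.example.com:80/admin/users",
        "http://www.example.com:80/search?q=demo",   # not covered: '*' stops at '?'
    ):
        print(url, "->", evaluate(EXAMPLE_POLICIES, url))
```

The third sample URL shows the caveat worth checking after step 2: under these wildcard rules a pattern ending in `/*` does not cover URLs that carry a query string, so a request such as `/search?q=demo` gets no decision at all. If the protected site uses query strings, add a second resource value of the form `*://*:*/*?*` to the policy, and re-run a check like this one against the URLs you expect users to reach.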