Creating a policy for permitted audiences
This tutorial describes how to create a policy for a REST service to control access based on an acceptable audience value.
About this task
An authorization server like PingFederate might set an audience field on the access tokens that it issues, naming one or more services that are allowed to accept the access token. A REST service can use the audience field to ensure that it does not accept access tokens that are intended for use with a different service.
As with the Permitted Clients policy, each rule in the Permitted Audiences policy defines an acceptable audience value.
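The decision logic that the policy above expresses, modelled as an added Python example (not PingAuthorize's own code): each permitted audience is one rule, a rule permits when the token's audience equals its value, and the combining algorithm denies unless some rule permits, attaching the Unauthorized Audience statement. The token claims and audience values are constructed; treating a multi-valued aud as matching when any entry equals the rule value is this example's assumption, since the page does not say how the policy engine compares a multi-valued attribute.

```python
from typing import Any, Dict, Mapping, Optional, Tuple

# Constructed values: each entry plays the role of one rule in the policy.
PERMITTED_AUDIENCES = ("https://example.com", "https://api.example.com")

# Constructed sample tokens (claims only; signature validation is out of scope here).
SAMPLE_TOKENS: Dict[str, Dict[str, Any]] = {
    "own_service": {"iss": "https://idp.example.com", "sub": "alice",
                    "aud": "https://example.com"},
    "other_service": {"iss": "https://idp.example.com", "sub": "alice",
                      "aud": "https://other.example.org"},
    "multi_audience": {"iss": "https://idp.example.com", "sub": "bob",
                       "aud": ["https://other.example.org", "https://api.example.com"]},
    "no_audience": {"iss": "https://idp.example.com", "sub": "carol"},
}


def token_audiences(claims: Mapping[str, Any]) -> Tuple[str, ...]:
    """Normalise the token's audience field.

    RFC 7519 allows "aud" to be a single string or an array of strings. A missing
    or malformed value yields an empty tuple, which no rule can match.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        return (aud,)
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return tuple(aud)
    return ()


def evaluate_permitted_audiences(
    claims: Mapping[str, Any], permitted: Tuple[str, ...] = PERMITTED_AUDIENCES
) -> Tuple[str, Optional[str]]:
    """Return ("PERMIT", None) or ("DENY", "Unauthorized Audience")."""
    auds = token_audiences(claims)
    for rule_value in permitted:
        # Rule condition: HttpRequest.AccessToken.audience Equals <rule value>
        # (assumption: any entry of a multi-valued aud may satisfy Equals).
        if rule_value in auds:
            return ("PERMIT", None)
    # "Unless one decision is permit, the decision will be deny": no rule matched.
    return ("DENY", "Unauthorized Audience")


def evaluate_all(tokens: Mapping[str, Mapping[str, Any]]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Evaluate every sample token so the outcomes can be inspected or asserted."""
    return {name: evaluate_permitted_audiences(claims) for name, claims in tokens.items()}
```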
Steps
- Go to Policies > Policies.
- Expand Global Decision Point and SCIM Policy Set.
- Highlight Token Policies and click and then Add Policy.
- For the name, replace Untitled with Permitted Audiences.
- From the Combining Algorithm list, select Unless one decision is permit, the decision will be deny.
- Click Add Rule.
- For the name, replace Untitled with Audience: https://example.com.
- From the Effect list, select Permit.
- In the Condition section:
  - Click Comparison.
  - From the Select an Attribute list, select HttpRequest.AccessToken.audience.
  - From the middle, comparison-type list, select Equals.
  - In the final field, enter https://example.com.
- Expand Statements.
- Click the Components tab, expand Statements, and drag Unauthorized Audience to the Statements box. Do not click Show Statements within the "Audience: https://example.com" rule.
- Click Save changes.
Result
The final configuration should resemble the following image.