PingGateway 2024.11

Decisions in different domains

The following procedure gives an example of how to create a policy in AM and configure an agent that can request policy decisions, when PingGateway and AM are in different domains.

Before you start, set up and test the example in Cross-domain single sign-on (CDSSO).

  1. Set up AM:

    1. In the AM admin UI, select Applications > Agents > Identity Gateway, and change the redirect URL for ig_agent_cdsso:

      • Redirect URL for CDSSO : https://ig.ext.com:8443/home/pep-cdsso/redirect

    2. Select Authorization > Policy Sets > New Policy Set, and add a policy set with the following values:

      • Id : PEP-CDSSO

      • Resource Types : URL

        • In the new policy set, add a policy with the following values:

      • Name : CDSSO

      • Resource Type : URL

      • Resource pattern : *://*:*/*

      • Resource value : http://app.example.com:8081/home/pep-cdsso*

        This policy protects the home page of the sample application.

      • On the Actions tab, add an action to allow HTTP GET.

      • On the Subjects tab, remove any default subject conditions, add a subject condition for all Authenticated Users.

  2. Add the following route to PingGateway:

    • Linux

    • Windows

    $HOME/.openig/config/routes/04-pep-cdsso.json
    %appdata%\OpenIG\config\routes\04-pep-cdsso.json
    {
      "name": "pep-cdsso",
      "baseURI": "http://app.example.com:8081",
      "condition": "${find(request.uri.path, '^/home/pep-cdsso')}",
      "heap": [
        {
          "name": "SystemAndEnvSecretStore-1",
          "type": "SystemAndEnvSecretStore"
        },
        {
          "name": "AmService-1",
          "type": "AmService",
          "config": {
            "agent": {
              "username": "ig_agent_cdsso",
              "passwordSecretId": "agent.secret.id"
            },
            "secretsProvider": "SystemAndEnvSecretStore-1",
            "url": "http://am.example.com:8088/openam/"
          }
        }
      ],
      "handler": {
        "type": "Chain",
        "config": {
          "filters": [
            {
              "name": "CrossDomainSingleSignOnFilter-1",
              "type": "CrossDomainSingleSignOnFilter",
              "config": {
                "redirectEndpoint": "/home/pep-cdsso/redirect",
                "authCookie": {
                  "path": "/home",
                  "name": "ig-token-cookie"
                },
                "amService": "AmService-1"
              }
            },
            {
              "name": "PolicyEnforcementFilter-1",
              "type": "PolicyEnforcementFilter",
              "config": {
                "application": "PEP-CDSSO",
                "ssoTokenSubject": "${contexts.cdsso.token}",
                "amService": "AmService-1"
              }
            }
          ],
          "handler": "ReverseProxyHandler"
        }
      }
    }
    When verificationSecretId isn’t configured, PingGateway discovers and uses the AM JWK set to verify the signature of AM session tokens. If the JWK set isn’t available, PingGateway doesn’t verify the tokens.
  3. Test the setup:

    1. In your browser’s privacy or incognito mode, go to to https://ig.ext.com:8443/home/pep-cdsso.

    2. If you see warnings that the site isn’t secure, respond to the warnings to access the site.

      PingGateway redirects you to AM for authentication.

    3. Log in to AM as user demo, password Ch4ng31t.

      When you have authenticated, AM redirects you back to the request URL, and PingGateway requests a policy decision. AM returns a policy decision that grants access to the sample application.