PingGateway 2024.11

Decisions with claimsSubject

This example extends Decisions in the same domain to enforce a policy decision from AM using the claimsSubject instead of ssoTokenSubject to identify the subject.

Before you start, set up and test the example in Decisions in the same domain.

  1. Set up AM:

    1. Select the policy PEP-SSO and add a new resource:

      • Resource Type: URL

      • Resource pattern: *://*:*/*

      • Resource value: http://app.example.com:8081/home/pep-claims

    2. In the same policy, add the following subject condition:

      • Any of

      • Type : OpenID Connect/JwtClaim

      • claimName : iss

      • claimValue : am.example.com

  2. Add the following route to PingGateway:

    • Linux

    • Windows

    $HOME/.openig/config/routes/04-pep-claims.json
    %appdata%\OpenIG\config\routes\04-pep-claims.json
    {
      "name": "pep-claims",
      "baseURI": "http://app.example.com:8081",
      "condition": "${find(request.uri.path, '^/home/pep-claims')}",
      "heap": [
        {
          "name": "SystemAndEnvSecretStore-1",
          "type": "SystemAndEnvSecretStore"
        },
        {
          "name": "AmService-1",
          "type": "AmService",
          "config": {
            "url": "http://am.example.com:8088/openam",
            "agent": {
              "username": "ig_agent",
              "passwordSecretId": "agent.secret.id"
            },
            "secretsProvider": "SystemAndEnvSecretStore-1"
          }
        }
      ],
      "handler": {
        "type": "Chain",
        "config": {
          "filters": [
            {
              "name": "SingleSignOnFilter-1",
              "type": "SingleSignOnFilter",
              "config": {
                "amService": "AmService-1"
              }
            },
            {
              "name": "PolicyEnforcementFilter-1",
              "type": "PolicyEnforcementFilter",
              "config": {
                "application": "PEP-SSO",
                "claimsSubject": {
                  "sub": "${contexts.ssoToken.info.uid}",
                  "iss": "am.example.com"
                },
                "amService": "AmService-1"
              }
            }
          ],
          "handler": "ReverseProxyHandler"
        }
      }
    }
  3. Test the setup:

    1. In your browser’s privacy or incognito mode, go to https://ig.example.com:8443/home/pep-claims.

    2. If you see warnings that the site isn’t secure, respond to the warnings to access the site.

    3. Log in to AM as user demo, password Ch4ng31t.

      AM returns a policy decision that grants access to the sample application.