PingGateway 2024.11

Notifications and the policy cache

When WebSocket notifications are enabled, PingGateway receives notifications whenever AM creates, deletes, or changes a policy.

The following procedure gives an example of how to change the configuration in Decisions in the same domain and Decisions in different domains to evict outdated entries from the policy cache. For information about WebSocket notifications, refer to WebSocket notifications.

Before you start, set up and test the example in Decisions in the same domain.

  1. Websocket notifications are enabled by default. If they are disabled, enable them by adding the following configuration to the AmService in your route:

    "notifications": {
      "enabled": true
    }
  2. Enable policy cache in the PolicyEnforcementFilter in your route:

    "cache": {
      "enabled": true
    }
  3. In logback.xml add the following logger for WebSocket notifications, and then restart PingGateway:

    <logger name="org.forgerock.openig.tools.notifications.ws" level="TRACE" />
  4. Test the setup:

    1. In your browser’s privacy or incognito mode, go to https://ig.ext.com:8443/home/pep-sso.

    2. If you see warnings that the site isn’t secure, respond to the warnings to access the site.

    3. Log in to AM as user demo, password Ch4ng31t.

    4. In a separate terminal, log on to AM as admin, and change the PEP-SSO policy. For example, in the Actions tab, add an action to allow HTTP DELETE.

    5. Note that the PingGateway system logs are updated with Websocket notifications about the change:

      ... | TRACE | vert.x-eventloop-thread-14 | o.f.o.t.n.w.l.DirectAmLink | @system | Received a message: ... "policy": "PEP-SSO", "policySet": "PEP-SSO", "eventType": "UPDATE" } }
      ... | TRACE | vert.x-eventloop-thread-14 | o.f.o.t.n.w.SubscriptionService | @system | Notification received, ... "policy": "PEP-SSO", "policySet": "PEP-SSO", "eventType": "UPDATE" }}
      ... | TRACE | vert.x-eventloop-thread-14 | o.f.o.t.n.w.SubscriptionService | @system | Notification sent to a [/agent/policy] listener