PingGateway 2024.11

Restrict access to Studio

When PingGateway is running in development mode, by default the Studio endpoint is open and accessible. To allow only specific users to access Studio, configure a "studioProtectionFilter" in admin.json with a SingleSignOnFilter or CrossDomainSingleSignOnFilter.

The following example uses a SingleSignOnFilter to require users to authenticate with AM before they can access Studio, and protects the request from Cross Site Request Forgery (CSRF) attacks.

  1. Set up AM:

    1. Select Services > Add a Service and add a Validation Service with the following Valid goto URL Resources:

      • https://ig.example.com:8443/*

      • https://ig.example.com:8443/*?*

    2. Register a PingGateway agent with the following values, as described in Register a PingGateway agent in AM:

      • Agent ID: ig_agent

      • Password: password

        Use secure passwords in a production environment. Consider using a password manager to generate secure passwords.
    3. (Optional) Authenticate the agent to AM as described in Authenticate a PingGateway agent to AM.

      PingGateway agents are automatically authenticated to AM by a deprecated authentication module in AM. This step is currently optional, but will be required when authentication chains and modules are removed in a future release of AM.
  2. Set up PingGateway:

    1. Set an environment variable for the PingGateway agent password, and then restart PingGateway:

      $ export AGENT_SECRET_ID='cGFzc3dvcmQ='

      The password is retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.

    2. Add the following admin.json configuration to PingGateway:

      {
        "mode": "DEVELOPMENT",
        "properties": {
          "SsoTokenCookieOrHeader": "iPlanetDirectoryPro"
        },
        "connectors": [
          {
            "port": 8080
          },
          {
            "port": 8443
          }
        ],
        "heap": [
          {
            "name": "SystemAndEnvSecretStore-1",
            "type": "SystemAndEnvSecretStore"
          },
          {
            "name": "AmService-1",
            "type": "AmService",
            "config": {
              "agent" : {
                "username" : "ig_agent",
                "passwordSecretId" : "agent.secret.id"
              },
              "secretsProvider": "SystemAndEnvSecretStore-1",
              "url": "http://am.example.com:8088/openam/",
              "ssoTokenHeader": "&{SsoTokenCookieOrHeader}"
            }
          }
        ],
        "studioProtectionFilter": {
          "type": "ChainOfFilters",
          "config": {
            "filters": [
              {
                "type": "SingleSignOnFilter",
                "config": {
                  "amService": "AmService-1"
                }
              },
              {
                "type": "CsrfFilter",
                "config": {
                  "cookieName": "&{SsoTokenCookieOrHeader}",
                  "failureHandler": {
                    "type": "StaticResponseHandler",
                    "config": {
                      "status": 403,
                      "headers": {
                        "Content-Type": [
                          "text/plain"
                        ]
                      },
                      "entity": "Request forbidden"
                    }
                  }
                }
              }
            ]
          }
        }
      }

      Notice the following features of the configuration:

      • The mode is development, so by default the Studio endpoint is open and unfiltered.

      • The properties object sets a configuration parameter for the value of the SSO token cookie or header, which is used in AmService and CorsFilter.

      • The AmService uses the PingGateway agent in AM for authentication.

        The agent password for AmService is provided by a SystemAndEnvSecretStore in the heap.

      • The "studioProtectionFilter" calls the SingleSignOnFilter to redirect unauthenticated requests to AM. It uses the CsrfFilter to protect requests from CSRF attacks.

    3. Restart PingGateway to take into account the changes to admin.json.

  3. Test the setup:

    1. If you are logged in to AM, log out and clear any cookies.

    2. Go to http://ig.example.com:8080/openig/studio. The SingleSignOnFilter redirects the request to AM for authentication.

    3. Log in to AM with user demo, password Ch4ng31t. The Studio Routes screen is displayed.