Prepare for installation
For information about installing Web Agent, refer to the Installation. This section summarizes considerations for using the agent with Advanced Identity Cloud:
- Configure Advanced Identity Cloud and set up a policy before you install the agent. When you configure the agent in the Advanced Identity Cloud admin UI, you can select the policy.
- For environments with load balancers or reverse proxies, consider the communication between the agent and the Advanced Identity Cloud tenants, and between the agent and the client. Do one of the following:
  - Configure the environment before you install the agent.
  - Install the agent using agentadmin --s --forceInstall to prevent the agent from trying to connect to Advanced Identity Cloud before installation.
Add a demo user in Advanced Identity Cloud
Add a user so you can test the examples in this guide.
- In the Advanced Identity Cloud admin UI, select Identities > Manage > Alpha realm - Users.
- Add a new user with the following values:
  - Username: demo
  - First name: demo
  - Last name: user
  - Email Address: demo@example.com
  - Password: Ch4ng3!t
Create a policy set and policy in Advanced Identity Cloud
- In the Advanced Identity Cloud admin UI, select Native Consoles > Access Management. The AM admin UI is displayed.
- In the AM admin UI, select Authorization > Policy Sets > New Policy Set, and add a policy set with the following values:
  - Id: PEP
  - Resource Types: URL
- In the policy set, add a policy with the following values:
  - Name: PEP-policy
  - Resource Type: URL
  - Resource pattern: *://*:*/*
  - Resource value: *://*:*/*
- On the Actions tab, add actions to allow HTTP GET and POST.
- On the Subjects tab, remove any default subject conditions, and add a subject condition for all Authenticated Users.
Create an agent profile in Advanced Identity Cloud
- In the Advanced Identity Cloud admin UI, go to Gateways & Agents > New Gateway/Agent, and add a Web Agent with the following values:
  - Agent ID: web-agent
  - Password: password
  - Application URL: https://agent.example.com:443
  - Use Secret Store for password: (Optional) Enable to use a secret store for the agent profile password. Once enabled, the Secret Label Identifier field displays.
  - Secret Label Identifier: Enter a value that represents the identifier part of the secret label for the agent. This value should clearly identify the agent (for example, web-agent). Advanced Identity Cloud uses the identifier to generate a secret label in the following format: am.application.agents.identifier.secret. Learn more in Secret labels and Map ESV secrets to secret labels.
- Click Save Profile and Done.
- On the agent profile page, enable Use Policy Authorization, select a policy set to assign to the profile, and then click Save. If a suitable policy set isn’t available, select Edit advanced settings to edit or create one.
Secret Label Identifier changes
Advanced Identity Cloud maintains secret mappings when the Secret Label Identifier is changed as follows:
- If you update the Secret Label Identifier:
  - If no other agent shares that secret mapping, Advanced Identity Cloud updates any corresponding secret mapping for the previous identifier.
  - If another agent shares that secret mapping, Advanced Identity Cloud creates a new secret mapping for the updated identifier and copies its aliases from the previously shared secret mapping.
- If you delete the Secret Label Identifier, Advanced Identity Cloud deletes any corresponding secret mapping for the previous identifier, provided no other agent shares that secret mapping.
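The rules above can be traced with a small model. This is an added example, not Advanced Identity Cloud code or its API: the class, method names, agent IDs and alias values are hypothetical, and it assumes that "updates" in the unshared case means the existing mapping is relabelled for the new identifier.

```python
# Model of the Secret Label Identifier rules described above.
# Not Advanced Identity Cloud code: class and method names are hypothetical.

def secret_label(identifier):
    # Label format given on the page.
    return f"am.application.agents.{identifier}.secret"

class SecretMappings:
    def __init__(self):
        self.agent_identifier = {}   # agent ID -> Secret Label Identifier
        self.mappings = {}           # secret label -> list of aliases

    def _shared(self, agent, identifier):
        # True when another agent profile uses the same identifier.
        return any(a != agent and i == identifier
                   for a, i in self.agent_identifier.items())

    def set_identifier(self, agent, identifier, aliases=()):
        # Initial assignment; aliases stand in for mapped ESV secrets.
        self.agent_identifier[agent] = identifier
        self.mappings.setdefault(secret_label(identifier), list(aliases))

    def update_identifier(self, agent, new_identifier):
        old = self.agent_identifier[agent]
        old_label, new_label = secret_label(old), secret_label(new_identifier)
        if new_label in self.mappings:
            raise ValueError("target label already mapped: case not described on the page")
        if self._shared(agent, old):
            # Shared: create a new mapping and copy the aliases.
            self.mappings[new_label] = list(self.mappings[old_label])
        else:
            # Not shared: the existing mapping follows the new identifier (assumption).
            self.mappings[new_label] = self.mappings.pop(old_label)
        self.agent_identifier[agent] = new_identifier

    def delete_identifier(self, agent):
        old = self.agent_identifier[agent]
        if not self._shared(agent, old):
            self.mappings.pop(secret_label(old), None)
        del self.agent_identifier[agent]

def demo():
    m = SecretMappings()
    m.set_identifier("web-agent", "web", ["esv-web-agent-pw"])  # constructed values
    m.set_identifier("web-agent-2", "web")                       # shares the mapping
    m.update_identifier("web-agent", "web-agent")                # shared: copy aliases
    m.delete_identifier("web-agent-2")                           # now unshared: delete
    return m.mappings
```

In the shared case the copied mapping still carries the same aliases, so both agents resolve to the same secret until the aliases on one mapping are changed.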