Authentication nodes

App Policy Decision node

RAPID only

The App Policy Decision node is a specialized version of the Policy Decision node designed to simplify the evaluation of application access policies within a journey.

For example, use the node to restrict access based on user attributes, such as ensuring only end users in a specific finance group can access a finance portal.

You don’t need to configure the node because it automatically identifies the policy set and resource from the journey context. However, the node assumes the following prerequisites:

  • The node is used within an OAuth 2.0/OIDC or SAML application journey.

  • The application ID (OAuth 2.0 client ID or SP entity ID) is specified as the resource when the journey is invoked.

  • An access policy with that resource is defined within the application.

The outcomes of the policy evaluation, accept or reject access, map to the node’s outcomes. The node doesn’t handle advice or environment conditions.

Example

This example uses an App Policy Decision node to manage access to a finance portal application based on usernames.

Prerequisites

The following setup is assumed:

  • A test end user, added to the Finance group in IDM.

  • An OIDC application, with the following settings:

    Client ID: finance-app

    Access Policy: Any

    Condition: User Group Membership equals Finance

    Figure: Example policy

    Use a journey to authenticate users to this application: example journey

Example journey

Figure: Policy Decision node in an app authorization flow

  • The authorization journey is invoked specifying the OAuth 2.0 client ID as the resource, for example:

    https://tenant-env-fqdn/am/oauth2/alpha/authorize?client_id=finance-app&redirect_uri=http://www.example.com/signin&scope=openid&response_type=code

  • The Page node containing the Platform Username node and Platform Password node prompts for credentials.

  • The Data Store Decision node validates the username-password credentials.

  • A successful authentication routes the journey to the App Policy Decision node.

    The node has no configuration, but relies on the journey context and prerequisite configuration to identify the OAuth 2.0 client ID resource (finance-app). It can then locate the access policy to evaluate whether the end user is a member of the Finance group.

  • The outcome of the policy evaluation determines the path of the journey:

    Accept

    The policy grants access. The Message node informs the end user they’re authorized and the journey is successful.

    Reject

    The policy rejects access. The Message node informs the end user they’re not authorized.

    Error

    An error in policy evaluation leads to the failure outcome.

    Unknown Resource

    The node failed to identify the resource and the journey continues to the Set Error Details node.
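The flow above, modelled as an added example rather than the product’s own code: the resource is the client_id taken from the authorize request, the policy is looked up on the application, and the result is one of the four node outcomes. The application registry, group memberships, and the choice to return Error when no subject or policy is available are constructed assumptions for this model.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlparse


class Outcome(str, Enum):
    ACCEPT = "Accept"
    REJECT = "Reject"
    ERROR = "Error"
    UNKNOWN_RESOURCE = "Unknown Resource"


@dataclass
class AccessPolicy:
    # Models "Condition: User Group Membership equals <Value>".
    group_equals: str


@dataclass
class Application:
    client_id: str
    access_policy: Optional[AccessPolicy]


# Constructed stand-ins for the OIDC application and the IDM groups on the page.
APPLICATIONS: Dict[str, Application] = {
    "finance-app": Application("finance-app", AccessPolicy("Finance")),
}
GROUP_MEMBERSHIPS: Dict[str, Set[str]] = {"alice": {"Finance"}, "bob": {"Sales"}}


def resource_from_authorize_url(url: str) -> Optional[str]:
    """Extract the OAuth 2.0 client_id that the journey treats as the resource."""
    values = parse_qs(urlparse(url).query).get("client_id", [])
    return values[0] if len(values) == 1 else None


def app_policy_decision(authorize_url: str, username: Optional[str]) -> Outcome:
    """Map the journey context to the node's outcomes (no advice or environment
    conditions, matching the node's documented limits)."""
    resource = resource_from_authorize_url(authorize_url)
    app = APPLICATIONS.get(resource) if resource else None
    if app is None:
        return Outcome.UNKNOWN_RESOURCE          # resource not identifiable
    if username is None or app.access_policy is None:
        return Outcome.ERROR                     # assumption: evaluation cannot run
    groups = GROUP_MEMBERSHIPS.get(username, set())
    return Outcome.ACCEPT if app.access_policy.group_equals in groups else Outcome.REJECT
```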

Inputs

If policy evaluation requires a subject, make sure the username is collected earlier in the journey.

Dependencies

This node requires the following configuration:

  • An application (OAuth 2.0 client or SAML SP entity) that uses a journey with an App Policy Decision node

  • An access policy defined within the application

Configuration

This node has no configurable properties.

Outputs

This node doesn’t change the shared state.

Callbacks

This node doesn’t send any callbacks.

Outcomes

Accept

Policy evaluation granted access.

Reject

Policy evaluation denied access.

Error

An error occurred during policy evaluation.

Unknown Resource

The node couldn’t identify the OAuth 2.0 or SAML 2.0 resource.

Errors

The node logs an error if policy evaluation fails.