Decisions with a claimsSubject and PingAM

This example extends Decisions in the same domain with PingAM to enforce a policy decision from AM using the claimsSubject instead of the ssoTokenSubject to identify the subject. Rather than passing the user's SSO token to AM as the subject, the PolicyEnforcementFilter sends a map of claims (here, the uid taken from the SSO token context as sub, and a fixed iss) as the subject of the policy evaluation request, and the policy matches on those claims.

Before you start, set up and test the example in Decisions in the same domain with PingAM.
Set up AM:

- Select the policy PEP-SSO and add a new resource:
  - Resource Type: URL
  - Resource pattern: *://*:*/*
  - Resource value: http://app.example.com:8081/home/pep-claims
- In the same policy, add the following subject condition:
  - Any of
    - Type: OpenID Connect/JwtClaim
    - claimName: iss
    - claimValue: am.example.com

AM evaluates this condition against the claims that the PolicyEnforcementFilter sends in the evaluation request; with a claimsSubject there is no signed JWT for AM to verify. The claims are therefore only as trustworthy as the gateway that asserts them, which authenticates to AM with the ig_agent credentials, so keep the claimValue aligned with the iss value configured in the route.
Add the following route to PingGateway:

- Linux: $HOME/.openig/config/routes/04-pep-claims.json
- Windows: %appdata%\OpenIG\config\routes\04-pep-claims.json

{
  "name": "pep-claims",
  "baseURI": "http://app.example.com:8081",
  "condition": "${find(request.uri.path, '^/home/pep-claims')}",
  "heap": [
    {
      "name": "SystemAndEnvSecretStore-1",
      "type": "SystemAndEnvSecretStore"
    },
    {
      "name": "AmService-1",
      "type": "AmService",
      "config": {
        "url": "http://am.example.com:8088/openam",
        "agent": {
          "username": "ig_agent",
          "passwordSecretId": "agent.secret.id"
        },
        "secretsProvider": "SystemAndEnvSecretStore-1"
      }
    }
  ],
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "name": "SingleSignOnFilter-1",
          "type": "SingleSignOnFilter",
          "config": {
            "amService": "AmService-1"
          }
        },
        {
          "name": "PolicyEnforcementFilter-1",
          "type": "PolicyEnforcementFilter",
          "config": {
            "application": "PEP-SSO",
            "claimsSubject": {
              "sub": "${contexts.ssoToken.info.uid}",
              "iss": "am.example.com"
            },
            "amService": "AmService-1"
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}

Source: 04-pep-claims.json

The SingleSignOnFilter authenticates the user with AM and populates contexts.ssoToken. The PolicyEnforcementFilter then builds the claims subject from the uid in that context plus the literal iss value, asks AM to evaluate the PEP-SSO policy for the requested URL, and only passes the request on to the ReverseProxyHandler when the decision allows it.
Test the setup:

- In your browser's privacy or incognito mode, go to https://ig.example.com:8443/home/pep-claims.
- If you see warnings that the site isn't secure, respond to the warnings to access the site.
- Log in to AM as user demo, password Ch4ng31t.

AM returns a policy decision that grants access to the sample application. If access is denied instead, check that the policy's resource value and the claimValue for iss (am.example.com) match the baseURI path and the iss in the route exactly.
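The following is an added example; it is not part of the PingGateway documentation and not the product's own code. It builds the policy evaluation request that a PolicyEnforcementFilter configured with the claimsSubject above sends to AM, checks locally whether the PEP-SSO subject condition (Any of: JwtClaim iss equals am.example.com) would admit that subject, and prints a curl line to replay the same evaluation against AM directly. The evaluate endpoint path (default realm), the Accept-API-Version value, the iPlanetDirectoryPro header name for the ig_agent session token, and the local condition check (a stand-in for AM, not AM's code) are assumptions.

```python
# Added example, not from the PingGateway docs or the product's own code.
# Assumptions: evaluate endpoint path for the default realm, the API version header,
# the iPlanetDirectoryPro header for the agent token, and the local stand-in for AM's
# JwtClaim subject condition.
import json
import shlex

AM_URL = "http://am.example.com:8088/openam"          # AmService url in the route
APPLICATION = "PEP-SSO"                                # policy set used by the route
RESOURCE = "http://app.example.com:8081/home/pep-claims"
EVALUATE_PATH = "/json/realms/root/policies?_action=evaluate"   # assumed: default realm "/"


def claims_subject(uid, iss="am.example.com"):
    """Mirror the route's claimsSubject: sub comes from ${contexts.ssoToken.info.uid},
    iss is the literal configured in the route."""
    return {"sub": uid, "iss": iss}


def evaluate_request(claims, resource=RESOURCE, application=APPLICATION):
    """Body of the policy evaluation request IG sends to AM. With only a claimsSubject
    configured, the subject carries the claims map and no ssoToken."""
    return {
        "resources": [resource],
        "application": application,
        "subject": {"claims": claims},
    }


def jwt_claim_matches(subject, claim_name, claim_value):
    """Stand-in for AM's OpenID Connect/JwtClaim subject condition: true when the named
    claim in the subject's claims map equals the configured value."""
    return (subject.get("claims") or {}).get(claim_name) == claim_value


def pep_sso_admits(request):
    """The PEP-SSO subject condition from this page: Any of [JwtClaim iss == am.example.com].
    Any of is satisfied when at least one listed condition matches."""
    conditions = [lambda s: jwt_claim_matches(s, "iss", "am.example.com")]
    return any(c(request["subject"]) for c in conditions)


def curl_command(request, agent_sso_token):
    """curl line to replay the evaluation against AM with the ig_agent session token
    (assumed to be sent in the default iPlanetDirectoryPro header)."""
    body = json.dumps(request)
    return " ".join([
        "curl -s -X POST",
        "-H 'Content-Type: application/json'",
        "-H 'Accept-API-Version: resource=2.0'",      # assumed version for the evaluate action
        "-H " + shlex.quote("iPlanetDirectoryPro: " + agent_sso_token),
        "--data " + shlex.quote(body),
        shlex.quote(AM_URL + EVALUATE_PATH),
    ])


if __name__ == "__main__":
    # Constructed inputs: uid "demo" (the test user on this page) and the route's literal iss.
    req = evaluate_request(claims_subject("demo"))
    print(json.dumps(req, indent=2))
    print("PEP-SSO admits demo with iss am.example.com:", pep_sso_admits(req))   # True
    # Same user, different iss: the subject condition no longer matches.
    other = evaluate_request(claims_subject("demo", "other.example.com"))
    print("PEP-SSO admits demo with iss other.example.com:", pep_sso_admits(other))   # False
    print(curl_command(req, "<ig_agent-sso-token>"))
```

Replace the placeholder token in the printed curl line with a session token obtained for ig_agent; the response is a list with one entry per resource whose actions map shows which HTTP methods the policy allows. The local check only reproduces the subject condition described on this page; the authoritative decision is always the one AM returns.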