PingOne Advanced Identity Cloud

Policies in the UI

You manage authorization policies through the AM admin UI native console. You can only create a policy as part of a policy set.

To configure a policy, go to Native Consoles > Access Management > Realms > Realm Name > Authorization > Policy Sets and select the name of the policy set in which to configure the policy.

To create a policy, click Add a Policy. When creating a policy, specify a name, a resource type, and at least one resource. Click Create.

To modify a policy, click the policy name or the pencil icon ().

To delete a policy, click the delete icon (), or click the policy name and then click Delete.

Policy type names

Don’t use any of the following characters in policy, policy set, or resource type names:

  • Double quotes (")

  • Plus sign (+)

  • Comma (,)

  • Less than (<)

  • Equals (=)

  • Greater than (>)

  • Backslash (\)

  • Forward slash (/)

  • Semicolon (;)

  • Null (\u0000)

Resources

To define resources that the policy applies to:

  1. Click the Resources pencil icon () or the Resources tab.

  2. Select a resource type from the Resource Type list.

    The resource type determines which resource patterns are available. The OAuth2 Scope resource type contains the same resource patterns as the URL resource type, as well as the * pattern.

    Use the resource patterns that are most relevant for the scopes in your environment.

    Learn more about resource types in Resource types.

  3. Select a resource pattern from the Resources drop-down list.

  4. Replace the asterisks with values for matching resources, and click Add.

    Learn more about resource patterns in Resource type patterns.

  5. Optionally, click Add Resource to add more resource patterns, or click () to delete a resource pattern.

  6. Save your changes.

Policy actions

To define policy actions that allow or deny access to a resource:

  1. Click the Actions pencil icon () or the Actions tab.

  2. Click Add an Action to select an action from the drop-down list.

  3. Select whether to allow or deny the action on the resources.

  4. Optionally, add further actions, or click () to delete actions.

  5. Save your changes.

Conditions

To define subject and environment conditions:

  • Combine logical operators with blocks of configured parameters to create a rule set. The policy uses this rule set to filter requests for resources.

  • Use drag and drop to nest logical operators at multiple levels to create complex rule sets (see figure: Nested subject conditions).

  • A gray horizontal bar indicates a valid point to drop a block. Drop blocks into these drop points.

Subjects

To define the subject conditions that the policy applies to:

  1. Click Add a Subject Condition, choose the type from the drop-down menu, and provide any required subject values.

  2. When complete, click the check icon () and drag the block into a valid drop point in the rule set.

  3. To add a logical operator, click Add a Logical Operator, choose between All Of, Not, and Any Of from the drop-down list, and drag the block into a valid drop point in the rule set.

  4. To edit a condition, click the edit icon (), or click () to delete.

  5. Continue combining logical operators and subject conditions and click Save Changes when you’ve finished.

Subject condition types

Authenticated Users

Any user that has successfully authenticated with Advanced Identity Cloud.

Users & Groups

Search for and select one or more users or groups under the Realms > Realm Name > Identities or the Groups tab.

OpenID Connect/Jwt Claim

Validate a claim within a JSON Web Token (JWT).

Type the name of the claim to validate in the Claim Name field, for example, sub, and the required value in the Claim Value field, and click the check icon ().

Repeat the step to enter additional claims.

The claims form the JWT payload, which together with the JWT header and signature makes up the token. The JWT is sent as a bearer token in the Authorization header of the request.

This condition type only supports string equality comparisons, and is case-sensitive.

Never Match

Never match any subject. This disables the policy.

If you do not set a subject condition, Never Match is the default. In other words, you must set a subject condition for the policy to apply.

To match regardless of the subject, configure a Never Match subject condition inside a logical Not block.

Environments

To define the environment conditions the policy applies to:

  1. Click Add an Environment Condition, select an environment condition type from the Type list, and provide any required values.

    The fields differ, according to the type you’ve selected. Learn more in Environment condition types.

    Script is the only environment condition available for OAuth 2.0 policies.

  2. When complete, click the check icon () button and drag the block into a valid drop point in the rule set.

  3. To add a logical operator, click Add a Logical Operator, choose between All Of, Not, and Any Of from the drop-down list, and drag the block into a valid drop point in the rule set.

  4. To edit a condition, click the edit icon (), or click () to delete.

  5. Continue combining logical operators and environment conditions and click Save Changes when you’ve finished.

Table 1. Environment condition types

Each entry lists the environment condition type, its description, and any additional fields.

Active Session Time

Set a condition for the maximum duration the end user’s session has been active.

  • Max Session Time: Set the period the session can be active, in seconds.

  • Terminate Session: Set to True if the session must end when it reaches the Max Session Time. If set to True, the end user will need to reauthenticate.

Authentication Level (greater than or equal to)

The policy tests the required authentication level.

  • Authentication level: Set the minimum acceptable authentication level.

Authentication Level (less than or equal to)

The policy tests the required authentication level.

  • Authentication level: Set the maximum acceptable authentication level.

Authentication by Module Instance

Not applicable to Advanced Identity Cloud.

Authentication by Service

The policy tests the authentication journey used.

Authenticate To Service: Set the journey through which the end user must authenticate.

Authentication to a Realm

The policy evaluates the realm to which the end user authenticated. A session can belong to only one realm. Session upgrade between realms is not allowed.

Authenticate to a realm: Set the realm to which the end user must authenticate.

Current Session Properties

The policy evaluates property values set in the end user’s session.

  • Ignore Value Case: Set to True to make the test case-insensitive.

  • Properties: Set the properties you want to evaluate using the format property:value. For example, use clientType:genericHTML to test whether the value of the clientType property is equal to genericHTML.

IPv4 Address/DNS Name

The policy evaluates the IP version 4 address from which the request originated.

The IP address is taken from the requestIp value of policy decision requests. If the requestIp isn’t provided, Advanced Identity Cloud uses the IP address stored in the SSO token.

  • Start IP, End IP: Specify a range of addresses to test against. In each field, enter four sets of up to three digits, separated by periods (.).

    If you set only one of the Start IP or End IP fields, it’s used as a single IP address to match.

  • DNS Name: Optionally, specify a domain against which requests are filtered.

IPv6 Address/DNS Name

The policy evaluates the IP version 6 address from which the request originated.

The IP address is taken from the requestIp value of policy decision requests. If the requestIp isn’t provided, Advanced Identity Cloud uses the IP address stored in the SSO token.

  • Start IP and End IP: Specify a range of addresses to test against. In each field, enter eight sets of four hexadecimal characters, separated by a colon (:).

    If you set only one of the Start IP or End IP fields, it’s used as a single IP address to match.

  • DNS Name: Optionally, specify a domain against which requests are filtered.

    Use an asterisk (*) in the DNS name to match multiple subdomains. For example, *.example.com applies to requests from www.example.com, secure.example.com, or any other subdomain of example.com.
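To make the documented matching rules for this condition concrete, here is an added Python model of the IPv4/IPv6 Address/DNS Name condition; it is example code written for this page, not product code. It assumes the address range is inclusive at both ends and that either a matching address or a matching DNS name satisfies the condition.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class IpDnsCondition:
    """Constructed model of the condition's three fields; not the product API."""
    start_ip: Optional[str] = None
    end_ip: Optional[str] = None
    dns_name: Optional[str] = None

    @staticmethod
    def effective_ip(request_ip: Optional[str], sso_token_ip: Optional[str]) -> Optional[str]:
        # requestIp from the policy decision request wins; otherwise use the SSO token address.
        return request_ip if request_ip else sso_token_ip

    def ip_matches(self, source_ip: Optional[str]) -> bool:
        if source_ip is None or (self.start_ip is None and self.end_ip is None):
            return False
        addr = ipaddress.ip_address(source_ip)
        # Only one of Start IP / End IP set: treat it as a single address to match.
        start = ipaddress.ip_address(self.start_ip or self.end_ip)
        end = ipaddress.ip_address(self.end_ip or self.start_ip)
        if addr.version != start.version or start.version != end.version:
            return False  # an IPv6 client never falls inside an IPv4 range (and vice versa)
        if start > end:
            start, end = end, start
        return start <= addr <= end  # assumption: inclusive range

    def dns_matches(self, client_host: Optional[str]) -> bool:
        if self.dns_name is None or not client_host:
            return False
        pattern = self.dns_name.lower().rstrip(".")
        host = client_host.lower().rstrip(".")
        if pattern.startswith("*."):
            # *.example.com matches www.example.com or a.b.example.com, not example.com itself
            return host.endswith(pattern[1:])
        return host == pattern

    def evaluate(self, request_ip=None, sso_token_ip=None, client_host=None) -> bool:
        # Assumption: a matching address OR a matching DNS name satisfies the condition.
        source = self.effective_ip(request_ip, sso_token_ip)
        return self.ip_matches(source) or self.dns_matches(client_host)
```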

Identity Membership

The policy evaluates the user’s UUID.

AM Identity Name: The policy applies if the end user’s UUID is a member of at least one of the AMIdentity objects specified here.

For example, use this type to filter requests on the identity of a Web Service Client (WSC).

Java agents and web agents don’t support the Identity Membership environment condition. Use the Users & Groups subject condition instead.

LDAP Filter Condition

The policy evaluates whether the end user’s entry can be found using the specified LDAP search filter.

LDAP Filter: Set the LDAP search filter for the identity repository configured for the policy service.

If you define a filter condition that uses LDAP accounts or groups in a different identity repository, you must configure the LDAP settings under Realms > Realm Name > Services > Policy Configuration.

OAuth2 Scope

The policy evaluates whether an authorization request includes all the specified OAuth 2.0 scopes.

Scopes: Enter the OAuth 2.0 scopes using the syntax described in RFC 6749, Access Token Scope.

Separate multiple scope strings with spaces, for example, openid profile.

Scope strings match regardless of the order in which they occur, so openid profile is equivalent to profile openid.

The condition is also met when additional scope strings are provided beyond those required to match the specified list. For example, if the condition specifies openid profile, then openid profile email also matches.
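As an added illustration of the matching rules above (example code for this page, not product code), this Python helper parses scope strings according to RFC 6749 and applies the order-insensitive, superset-tolerant comparison the condition uses:

```python
import re

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ), i.e. printable
# ASCII without space, double quote (%x22) or backslash (%x5C); tokens are space-delimited.
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def parse_scopes(scope: str) -> frozenset:
    """Split a scope string into a set of tokens; order and duplicates do not matter."""
    tokens = scope.split()
    if not tokens:
        raise ValueError("scope string must contain at least one scope-token")
    for tok in tokens:
        if not SCOPE_TOKEN.fullmatch(tok):
            raise ValueError(f"invalid scope-token: {tok!r}")
    return frozenset(tokens)


def missing_scopes(required: str, requested: str) -> frozenset:
    """Scopes the condition requires that the authorization request did not include."""
    return parse_scopes(required) - parse_scopes(requested)


def scope_condition_met(required: str, requested: str) -> bool:
    """True when every required scope is present; additional requested scopes are allowed."""
    return not missing_scopes(required, requested)
```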

Resource/Environment/IP Address

The policy evaluates a complex condition, such as whether the end user is making a request from a specific host, and has also authenticated in a particular way.

Resource/Environment/IP Address: Enter a condition in the form of an IF…THEN statement.

The IF statement can specify either IP to match the end user’s IP address, or dnsName to match their DNS name.

If the IF statement is true, the THEN statement must also be true for the condition to be fulfilled. If it isn’t, Advanced Identity Cloud returns relevant advice with the policy decision.

The available parameters for the THEN statement are as follows:

  • service: The authentication journey used to authenticate the end user

  • authlevel: The minimum required authentication level

  • role: The role of the authenticated end user

  • user: The name of the authenticated end user

  • redirectURL: The URL the end user was redirected from.

  • realm: The realm to which the end user authenticated.

The IP address can be IPv4, IPv6, or a hybrid of the two. Example: IF IP=[127.0.0.1] THEN role=admins.

Script

The policy evaluates the outcome of a JavaScript script.

Script Name: Select the script the policy evaluates. Learn more about scripting policy conditions in Scripted policy conditions.

Script is the only environmental condition available for OAuth 2.0 policies. Use scripts to capture the ClientId environmental attribute.

Time (day, date, time, and timezone)

The policy evaluates a time condition.

  • Start Time

  • End Time

  • Start Day

  • End Day

  • Start Date

  • End Date

Set values in start:end pairs. Day, date, and time conditions in policies must each consist of a start and an end value.

  • Time Zone: Select a time zone from the list.

Transaction

The policy evaluates successful completion of a transactional authorization.

Transactional authorization requires the end user to authenticate for each access to the resource.

  • Authentication Strategy: Select from the following:

    • Authenticate to Realm: The full path of a realm in which the end user must successfully authenticate to access the protected resource. For example, /alpha.

    • Authenticate to Tree: The authentication journey the end user must successfully traverse to access the protected resource.

    • Auth Level: The minimum authentication level the end user must achieve to access the protected resource.

    Authenticate to Chain and Authenticate to Module are not applicable to Advanced Identity Cloud.

  • Strategy Specifier: Enter the realm, tree or level.

    If you specify an Auth Level, you must ensure there are methods available to end users to reach that level. If none are found, the policy returns a 400 Bad request error when attempting to complete the transaction.

Response attributes

Add user attributes from the identity repository as response attributes (either subject attributes or static attributes) to the request header at policy decision time.

Note that response attributes are not available for the OAuth2 Scope resource type.

The web or Java agent for the protected resources/applications, or the protected resources/applications themselves, retrieve the policy response attributes to customize the application.

To define response attributes in the policy:

  1. Click the Response Attributes edit icon () or the Response Attributes tab.

  2. To add subject attributes, select them from the Subject attributes drop-down list.

    To remove an entry, select the value, and click Delete (Windows/GNU/Linux) or Backspace (Mac OS X).

  3. To add a static attribute, specify the key-value pair for each static attribute. Enter the Property Name and its corresponding Property Value in the fields, and click Add (+).

    To edit a static attribute, click the edit icon (), or click () to delete.

  4. Continue adding subject and static attributes, and when finished, click Save Changes.

Example

This example policy requires authenticated end users to have a session no longer than 30 minutes to access resources at https://www.example.com:*/*.

Before testing your OAuth 2.0 policies, ensure your OAuth 2.0 provider is configured to interact with Advanced Identity Cloud’s authorization service:

  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Services > OAuth2 Provider.

  2. Ensure that Use Policy Engine for Scope decisions is enabled.

For more information about testing OAuth 2.0 policies, refer to Dynamic OAuth 2.0 authorization.