Tagged: 

This topic has 5 replies, 5 voices, and was last updated 4 weeks, 1 day ago by Andy Cory.

  • Author
    Posts
  • #27821
     ray.deng83
    Participant

    Are we able to implement SAML with authorization using Policies? Like in chain or auth tree.

    I have a client scenario that uses memberOf attribute in AD to verify the entitlements of a user. They use SAML for SSO and login and would like to implement Authorization as well. When AM is acting as IDP, SAML can be used to authenticate the user and send user profile to SP. I’m wondering if a user can be denied during the AM login if the user doesn’t have the right entitlement. Any inputs are welcome. Thanks.

    Best,
    Le

    #27822
     Jatinder Singh
    Participant

    You will require a Policy Decision Point (PDP) to be able to query Authorization Policies and allow/deny access. I suggest looking at Fedlet configuration at the below link:

    https://backstage.forgerock.com/docs/am/6/saml2-guide/#fedlet-xacml-pdp

    Hope this help! Cheers.

    #27824
     Andrew Potter
    Participant

    You might also look at developing a custom IDPAdapter that evaluates the AM policy. There is unsupported sample code for such an adapter here: https://bugster.forgerock.org/jira/browse/OPENAM-8299

    #27825
     Jatinder Singh
    Participant

    +1 on Andrew’s suggestion.

    #27876
     Scott Heger
    Participant

    Having implemented custom IDPAdapters for this very thing for several customers I can attest that that is the approach you should follow.

    #27879
     Andy Cory
    Participant

    +1 for the IdP adapter approach. In this instance I think it’s a more lightweight option than the fedlet.

Viewing 6 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.

©2020 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?