April 16, 2020 at 4:55 pm #27821 ray.deng83 (Participant)
Are we able to implement SAML with authorization using Policies? Like in chain or auth tree.
I have a client scenario that uses memberOf attribute in AD to verify the entitlements of a user. They use SAML for SSO and login and would like to implement Authorization as well. When AM is acting as IDP, SAML can be used to authenticate the user and send user profile to SP. I’m wondering if a user can be denied during the AM login if the user doesn’t have the right entitlement. Any inputs are welcome. Thanks.
April 16, 2020 at 5:19 pm #27822 Jatinder Singh (Participant)
You will require a Policy Decision Point (PDP) to be able to query Authorization Policies and allow/deny access. I suggest looking at Fedlet configuration at the below link:
Hope this helps! Cheers.

April 16, 2020 at 6:42 pm #27824 Andrew Potter (Participant)
You might also look at developing a custom IDPAdapter that evaluates the AM policy. There is unsupported sample code for such an adapter here: https://bugster.forgerock.org/jira/browse/OPENAM-8299

April 16, 2020 at 8:44 pm #27825 Jatinder Singh (Participant)
+1 on Andrew’s suggestion.

April 30, 2020 at 10:17 pm #27876 Scott Heger (Participant)
Having implemented custom IDPAdapters for this very thing for several customers I can attest that that is the approach you should follow.

May 1, 2020 at 12:34 pm #27879 Andy Cory (Participant)
+1 for the IdP adapter approach. In this instance I think it’s a more lightweight option than the fedlet.
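As an added illustration of the IdP adapter approach recommended in the replies above (example code written for this edit, not from the thread, the linked JIRA sample or ForgeRock): an adapter that blocks the SAML response at the IdP when the authenticated user's memberOf attribute contains none of a configured set of entitled groups. Rather than calling the AM policy engine, it performs the memberOf check directly, since that is the entitlement source the question describes. The class, method signatures, the assumption that the session object handed to the adapter is an SSOToken, the entitledGroups initialization parameter, and the choice to answer with HTTP 403 are all assumptions to be verified against the Javadoc of your AM version.

```java
package com.example.saml;  // hypothetical package name

import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.plugins.DefaultIDPAdapter;
import com.sun.identity.saml2.protocol.AuthnRequest;

/**
 * Added example adapter: denies SSO at the IdP unless the user is a member of
 * at least one entitled group. Extends the default adapter so the remaining
 * hook methods keep their default (no-op) behaviour.
 */
public class EntitlementIDPAdapter extends DefaultIDPAdapter {

    // Assumed initialization parameter: comma-separated group DNs, e.g.
    // "cn=app-users,ou=groups,dc=example,dc=com,cn=app-admins,ou=groups,dc=example,dc=com"
    // is NOT safe to split on commas, so the example expects one DN per line
    // (assumption; adapt the separator to how you store the parameter).
    private static final String ENTITLED_GROUPS_KEY = "entitledGroups";

    private Set<String> entitledGroups = Collections.emptySet();

    @Override
    public void initialize(Map initParams) {
        Object raw = initParams == null ? null : initParams.get(ENTITLED_GROUPS_KEY);
        entitledGroups = parseGroupList(raw == null ? "" : raw.toString());
    }

    /** Parses newline-separated group DNs into a lower-cased set (DNs compare case-insensitively). */
    static Set<String> parseGroupList(String value) {
        Set<String> groups = new HashSet<>();
        for (String line : value.split("\\r?\\n")) {
            String dn = line.trim();
            if (!dn.isEmpty()) {
                groups.add(dn.toLowerCase(Locale.ROOT));
            }
        }
        return groups;
    }

    /** Pure decision logic: true when memberOf intersects the entitled set. Kept separate so it is unit-testable. */
    static boolean isEntitled(Set<String> memberOf, Set<String> entitled) {
        if (memberOf == null || entitled.isEmpty()) {
            return false;  // fail closed: no groups, or nothing configured, means deny
        }
        for (String dn : memberOf) {
            if (entitled.contains(dn.trim().toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Called after authentication, before the SAML response is built.
     * Returning true tells AM the adapter has already answered the browser,
     * so no assertion is issued for a user without entitlement.
     */
    @Override
    public boolean preSendResponse(AuthnRequest authnRequest, String hostProviderID, String realm,
            HttpServletRequest request, HttpServletResponse response, Object session,
            String reqID, String relayState) throws SAML2Exception {
        if (!(session instanceof SSOToken)) {
            throw new SAML2Exception("Unexpected session type; cannot evaluate entitlement");
        }
        try {
            AMIdentity user = IdUtils.getIdentity((SSOToken) session);
            @SuppressWarnings("unchecked")
            Set<String> memberOf = user.getAttribute("memberOf");
            if (isEntitled(memberOf, entitledGroups)) {
                return false;  // allow: let AM continue and send the assertion
            }
            // Deny: answer the browser directly and stop the SAML flow. Logging the
            // denied user and the SP entity ID here gives the SOC an audit trail.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "User is not entitled to access this service provider");
            return true;
        } catch (IdRepoException | SSOException | java.io.IOException e) {
            throw new SAML2Exception("Entitlement check failed: " + e.getMessage());
        }
    }
}
```

The decision deliberately fails closed: an empty or unreadable memberOf, or a missing entitledGroups parameter, results in denial rather than a silently issued assertion, which is the outcome you want when the adapter is misconfigured. Because the comparison is on group DNs, any group rename in AD must be mirrored in the adapter configuration.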