Evaluate policy for multiple policy-sets

This topic has 1 reply, 2 voices, and was last updated 4 years, 10 months ago by chris-fry.

  • Author
    Posts
  • #18992
     aakash_singh
    Participant

    I am using OpenIG as PEP and OpenAM as PDP.

    I do I configure OpenIG to evaluate policy against all policy-sets under a particular realm ?

    Like I have something like below in my 04-pep.json route, how do I ensure that ALL application/policy-sets(under a realm) are considered while evaluating policies

    
    {
      "handler": {
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "condition": "${request.headers['Authorization'] == null}",
              "handler": {
                "type": "StaticResponseHandler",
                "config": {
                  "status": 401,
                  "reason": "UnAuthorized"
                }
              }
            },
             {
              "condition": "${request.headers['Authorization'] != null}",
              "handler": {
                "type": "Chain",
                "config": {
                  "filters": [
                    {
                      "type": "PolicyEnforcementFilter",
                      "config": {
                        "openamUrl": "http://openam.int:8080/openam/",
                        "pepUsername": "policyAdmin",
                        "pepPassword": "password",
                        "pepRealm": "/",
                        "ssoTokenSubject": "request.headers['Authorization']",
                        "realm": "myrealm",
                        "application": "Policy-set1" // how do I ensure that all application are considered
                      }
                    }
                  ],
                  "handler": "ClientHandler"
                }
              }
            }
          ]
        }
      },
      "condition": "${matches(request.uri.path, '^/*')}"
    }
    
    
    #19613
     chris-fry
    Participant

    The Policy Enforcement Point (PEP) filter can only accept a single “application” (Policy Set), but you should be able to chain multiple PEP filters.

    e.g.

    {
      "handler": {
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "condition": "${request.headers['Authorization'] == null}",
              "handler": {
                "type": "StaticResponseHandler",
                "config": {
                  "status": 401,
                  "reason": "UnAuthorized"
                }
              }
            },
             {
              "condition": "${request.headers['Authorization'] != null}",
              "handler": {
                "type": "Chain",
                "config": {
                  "filters": [
                    {
                      "type": "PolicyEnforcementFilter",
                      "config": {
                        "openamUrl": "http://openam.int:8080/openam/",
                        "pepUsername": "policyAdmin",
                        "pepPassword": "password",
                        "pepRealm": "/",
                        "ssoTokenSubject": "request.headers['Authorization']",
                        "realm": "myrealm",
                        "application": "Policy-set1" // how do I ensure that all application are considered
                      }
                    },
                    {
                      "type": "PolicyEnforcementFilter",
                      "config": {
                        "openamUrl": "http://openam.int:8080/openam/",
                        "pepUsername": "policyAdmin",
                        "pepPassword": "password",
                        "pepRealm": "/",
                        "ssoTokenSubject": "request.headers['Authorization']",
                        "realm": "myrealm",
                        "application": "Policy-set2" // Here's your second policy set
                      }
                    }
                  ],
                  "handler": "ClientHandler"
                }
              }
            }
          ]
        }
      },
      "condition": "${matches(request.uri.path, '^/*')}"
    }

    – Chris

Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?