Creating a Reverse Proxy SSO Application for Andy's Beans
To enable the EmpowerID Reverse Proxy to protect the Andy's Beans Web site, create an application for it with URL subcomponents for each URL or group of URLs on the site you want to protect in EmpowerID, and link that application to a SAML SSO Connection to provide single sign-on capabilities to all authorized users.
For the AndysBeans Web site, there are a number of URLs that need to be restricted. These include the following:
AndysBeans/Employees | AndysBeans/EmployeeManager/ | AndysBeans/ProductManager |
---|---|---|
AndysBeans/Employees/Details | AndysBeans/EmployeeManager/Create | AndysBeans/ProductManager/Create |
 | AndysBeans/EmployeeManager/Details | |
 | AndysBeans/EmployeeManager/Edit | |
 | AndysBeans/EmployeeManager/Delete | |
There are several ways to protect these URLs, depending on the granularity of your security policy:
This sample uses a combination of pattern matches and beginning paths to protect the URLs on the AndysBeans Web site.
This topic demonstrates how to create an application for AndysBeans and add to it URL subcomponents for each path that needs to be protected from unauthorized access.
Enter the full URL for the Andy's Beans site in the Full URL (Exact Match Path) field.
For example: sso.empowersso.com:8080/andysbeans where
Select Make me the Application Owner to manage the application and approve or deny access requests.
Leave Configure Advanced Claim and Request Account Options cleared.
The following image shows what the General section of the Application Details form looks like after completing these steps.
Click the Single Sign-On tab and, from the Single Sign-On Connection Type drop-down, select Web Access Management (HTTP Header).
This opens the WAM Connection Information section of the form. Use this section to build the SSO Connection for the Web application.
In the WAM Connection Information section, leave the Display Name field as is.
Enter the base URL for AndysBeans in the Base URL for Reverse Proxy field.
Enter Reverse Proxy for Andy's Beans in the Description field.
Leave Allow Anonymous Access to Unprotected paths cleared to block access to all paths not specifically protected by the native application.
Leave Use Target Hostname in Requests (Reverse Proxy Only) cleared.
Select the certificate used in your environment for signing SAML assertions from the Certificate drop-down.
A tracking-only account store exists as a container within EmpowerID that stores user and group records for SSO or attestation without making a connection to the external directory associated with the application.
Opting to create a new account store when registering applications in EmpowerID is advantageous because it creates a one-to-one correlation between the account store and the application, and the SSO connection for the application.
This tells EmpowerID to create a "tracking-only" account store. When you create a new Account Directory, EmpowerID gives the directory the same name as the application.
Click Add to Cart.
Click the My Cart icon and in the dialog that appears, enter a reason for creating the application and click Submit.
Now that the WAM application is created, the next step is to add protected application subcomponents for each of the URLs that need to be protected from unauthorized access.
Now that the application and the protected application subcomponents for the application are created, the next step is to create a number of people in EmpowerID with accounts in Andy's Beans. For the full list of these user accounts see About the Sample .NET Web Application.
After EmpowerID creates the user account and the person owning the account, your browser is directed to the Account Details page for the account.
From the Account Details page, click the EmpowerID Logon link. This directs your browser to the View page for the Charles Stripe person.
From the View page for Charles Stripe, expand the Access Assignments accordion.
From the Access Assignments accordion, do the following to give Charles Stripe access to the employees and employeemanager pages of the AndysBeans application.
Click the Add New Assignment (+) button.
Select Direct from the Assign direct to resource or other method drop-down.
Select Pages and Reports from the Resource Type drop-down.
In the Enter a Pages and Reports Name to Search field, enter AB Employee Manager Pages and click the tile to select it.
Select Viewer from the Access Level drop-down.
Click Save to add the assignment to the Shopping Cart.
Repeat the above, this time giving Charles Stripe Viewer access to AB Employee Pages.
Locate the Login field and change the value from charles.stripe@andysbeans.com to charles.stripe.
In the Management Roles field, enter Self-Service User and click the tile for the role to select it.
Click Save.
Click the Shopping Cart and in the dialog that appears, enter a reason for the assignment and click Submit.
Repeat these steps for the following Andy's Beans users:
For a full list of all Andy's Beans users and their roles, see About the Sample .NET Web Application.
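The following Python sketch is an added example, not EmpowerID code: it models how beginning-path and pattern-match rules map the AndysBeans URLs to protected resources, and how Charles Stripe's two Viewer assignments then decide a request. The rule set, the resource name AB Product Manager Pages, the function names and the block-on-unmatched behavior are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed rules (assumption). Kinds follow the page's terms:
# "begins" = beginning path, "pattern" = pattern match.
RULES = [
    ("pattern", r"/andysbeans/employees(/details)?", "AB Employee Pages"),
    ("begins", "/andysbeans/employeemanager", "AB Employee Manager Pages"),
    ("begins", "/andysbeans/productmanager", "AB Product Manager Pages"),  # hypothetical name
]

# Charles Stripe's two Viewer assignments from the procedure above.
ASSIGNMENTS = {"charles.stripe": {"AB Employee Pages", "AB Employee Manager Pages"}}


def normalize(path):
    """Decode once, collapse dot-segments and lower-case, so the rule is
    evaluated against the path the back-end application will serve."""
    decoded = unquote(path.split("?", 1)[0])
    return posixpath.normpath("/" + decoded.lstrip("/")).lower()


def resource_for(path):
    """Return the protected resource covering this path, or None."""
    p = normalize(path)
    for kind, value, resource in RULES:
        # A beginning path matches whole segments only, so
        # /employeemanagerx is not covered by /employeemanager.
        if kind == "begins" and (p == value or p.startswith(value + "/")):
            return resource
        if kind == "pattern" and re.fullmatch(value, p):
            return resource
    return None


def decide(login, path, allow_anonymous_unprotected=False):
    """Allow or deny one request for the given login."""
    resource = resource_for(path)
    if resource is None:
        # Assumed to mirror the "Allow Anonymous Access to Unprotected
        # paths" check box: cleared means unmatched paths are blocked.
        return "allow" if allow_anonymous_unprotected else "deny"
    return "allow" if resource in ASSIGNMENTS.get(login, set()) else "deny"


if __name__ == "__main__":
    for p in ("/AndysBeans/Employees/Details", "/AndysBeans/ProductManager/Create"):
        print(p, decide("charles.stripe", p))
```

Running the same table of requests against each user's assignments is a quick way to confirm that no URL in the list above is reachable without the intended Pages and Reports assignment.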
Now that you have created the Reverse Proxy for Andy's Beans in EmpowerID, the next step is Configuring the Reverse Proxy for the Web Application.