Creating a WAM SSO Application for the Sample App
To enable the EmpowerID Agent to protect the Andy's Beans Web site, you need to create an application for it in EmpowerID, with a URL subcomponent for each URL or group of URLs on the site that you want to protect, and link that application to a SAML SSO Connection to provide single sign-on to all authorized users.
For the Andy's Beans Web site, there are a number of URLs that need to be restricted. These include the following:
AndysBeans/Employees | AndysBeans/Employer | AndysBeans/ProductManager |
---|---|---|
AndysBeans/Employees/Details | AndysBeans/EmployeeManager/Create | AndysBeans/ProductManager/Create |
AndysBeans/Employees/MyHR | AndysBeans/EmployeeManager/Details | AndysBeans/ProductManager/Details |
AndysBeans/Employees/MyMedical | AndysBeans/EmployeeManager/Edit | AndysBeans/ProductManager/Edit |
AndysBeans/Employees/UpdatePlan | AndysBeans/EmployeeManager/Delete | AndysBeans/ProductManager/Delete |
There are a number of ways in which these URLs can be protected, depending on the granularity of your security policy:
This example uses a combination of the second two, pattern matches and beginning paths, to protect the Andy's Beans URLs.
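Whichever mix of beginning paths and pattern matches is chosen, it is worth checking that every URL in the table above is covered by some rule. The following is an added example, not EmpowerID code: the rule labels, the patterns and the matching semantics (case-insensitive paths, prefixes compared on a segment boundary, full-string regular expressions) are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# URLs from the table above.
SITE_URLS = [f"AndysBeans/{p}" for p in (
    "Employees", "Employees/Details", "Employees/MyHR",
    "Employees/MyMedical", "Employees/UpdatePlan", "Employer",
    "EmployeeManager/Create", "EmployeeManager/Details",
    "EmployeeManager/Edit", "EmployeeManager/Delete",
    "ProductManager", "ProductManager/Create", "ProductManager/Details",
    "ProductManager/Edit", "ProductManager/Delete")]

# Constructed rules (label, kind, value); labels and patterns are assumptions.
RULES = [
    ("employees", "begins", "andysbeans/employees"),
    ("employee-manager", "pattern",
     r"andysbeans/employeemanager/(create|details|edit|delete)"),
    ("product-manager", "begins", "andysbeans/productmanager"),
]

def normalize(url):
    """Reduce a URL to a canonical lower-case path before matching."""
    path = unquote(urlsplit(url).path)       # drop the query, decode %xx
    path = posixpath.normpath("/" + path)    # collapse '//', '.' and '..'
    return path.strip("/").lower()

def matching_rules(url):
    """Return the labels of every rule that covers the URL."""
    path = normalize(url)
    hits = []
    for label, kind, value in RULES:
        if kind == "begins":
            # Compare on a segment boundary so the 'employees' rule does not
            # also claim a sibling path such as 'employeesarchive'.
            covered = path == value or path.startswith(value + "/")
        else:
            covered = re.fullmatch(value, path) is not None
        if covered:
            hits.append(label)
    return hits

def uncovered(urls):
    """URLs that no rule covers."""
    return [u for u in urls if not matching_rules(u)]

if __name__ == "__main__":
    for url in SITE_URLS:
        print(f"{url:40} {matching_rules(url) or 'NOT COVERED'}")
```

With these constructed rules the check reports AndysBeans/Employer as uncovered, because no rule names that path.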
This is what the General section of the Application Details form looks like after completing these steps.
This opens the WAM Connection Information section of the form. You use this section to build the SSO Connection for the Web application.
Select the certificate used in your environment for signing SAML assertions from the Certificate drop-down.
This certificate can be a self-signed certificate that you can generate using the EmpowerID Certificate Manager. The certificate must be mapped to an EmpowerID Person with access to make calls to the EmpowerID API. For information on using the Certificate Manager to generate the certificate and mapping it to an EmpowerID Person, expand the drop-down below.
Next, map the certificate to an EmpowerID Person with the access to make API calls:
Opting to create a new account store when registering applications in EmpowerID is advantageous in that doing so creates a one-to-one correlation between the account store and the application, as well as the SSO connection for the application. When you create a new Account Directory, EmpowerID gives the directory the same name as the application.
Now that the WAM application has been created, the next step is to add protected application subcomponents for each of the URLs that need to be protected from unauthorized access.
After completing the above steps, the Protected Application Subcomponents accordion should look like the image below.
Now that the application and the protected application subcomponents for the application are created, the next step is to create a number of people in EmpowerID with accounts in Andy's Beans.
In the Display Name field, enter Charles Stripe.
Charles Stripe is the Employee Manager for Andy's Beans.
After EmpowerID creates the user account and the person owning the account, your browser is directed to the Account Details page for the account.
From the Account Details page that opens, click the EmpowerID Logon link. This directs your browser to the View page for the Charles Stripe person.
From the View page for Charles Stripe, expand the Access Assignments accordion and do the following to give Charles Stripe access to the employees and employeemanager pages of the AndysBeans application.
Click the Add New Assignment (+) button.
From the Assign direct to resource or other method drop-down, select Direct.
From the Resource Type drop-down, select Pages and Reports.
In the Enter a Pages and Reports Name to Search field, enter AB Employee Manager Pages and click the tile to select it.
From the Access Level drop-down, select Viewer.
Click Save to add the assignment to the Shopping Cart.
Repeat the above, this time giving Charles Stripe Viewer access to AB Employee Pages.
Rhonda Black is an employee and needs access to the employees pages.
For a full list of all Andy's Beans users and their roles, see About the Sample .NET Web Application.
Now that you have created the WAM application for AndysBeans, the next step is to create an OAuth application for it, as described in Creating an OAuth Application for Andy's Beans.