Creating a Reverse Proxy Application for the Sample App
- Phillip Hanegan
To enable the EmpowerID Reverse Proxy to protect the Andy's Beans Web site, create an application for it with URL subcomponents for each URL or group of URLs on the site you want to protect in EmpowerID, and link that application to a SAML SSO Connection to provide single sign-on capabilities to all authorized users.
For the AndysBeans Web site, there are a number of URLs that need to be restricted. These include the following:
| AndysBeans/Employees | AndysBeans/EmployeeManager/ | AndysBeans/ProductManager |
|---|---|---|
| AndysBeans/Employees/Details | AndysBeans/EmployeeManager/Create | AndysBeans/ProductManager/Create |
| | AndysBeans/EmployeeManager/Details | |
| | AndysBeans/EmployeeManager/Edit | |
| | AndysBeans/EmployeeManager/Delete | |
There are several ways to protect these URLs, depending on the granularity of your security policy:
- You can add a URL subcomponent that is an exact match for a specific URL, limiting the scope of the subcomponent to that one URL.
- You can create a URL subcomponent that uses a JavaScript regular expression to block access to all URLs meeting the condition (pattern match) of the expression.
- You can create a path-specific URL subcomponent that restricts access to any URL with a matching beginning path.
This sample uses a combination of pattern matches and beginning paths to protect the URLs on the AndysBeans Web site.
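The three matching modes above, together with the default-deny behaviour of the WAM connection option "Allow Anonymous Access to Unprotected paths" that Step 1 leaves cleared, as an added example that is not EmpowerID code. It models URL subcomponents as a small policy evaluator and runs the users and assignments this topic configures in Steps 3 and 5 through it. The request paths are constructed; the canonicalisation rules, the first-match-wins order and the segment-boundary rule for starts-with paths are assumptions chosen to show why a proxy must normalise a path before matching it, not a description of how the EmpowerID Reverse Proxy is implemented.

```python
"""Model of how a reverse proxy evaluates protected URL subcomponents.

Added example, not EmpowerID code. It reproduces the three matching modes
the topic describes (exact match, regular expression, starts-with path),
the default-deny behaviour of leaving "Allow Anonymous Access to
Unprotected paths" cleared, and the per-user assignments configured later
in this topic. Normalisation, first-match-wins ordering and the
segment-boundary rule for starts-with paths are assumptions.
"""
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class UrlSubcomponent:
    name: str
    exact: Optional[str] = None        # Full URL (Exact Match Path)
    pattern: Optional[str] = None      # regular expression over the path
    starts_with: Optional[str] = None  # Starts With Path


def normalize_path(raw_url: str) -> str:
    """Canonical, lower-case path for a full URL or a bare path.

    Percent-decoding is repeated (bounded) so double encoding such as
    %252e%252e cannot hide a dot-segment; then dot-segments, duplicate
    slashes and a trailing slash are removed with posixpath.normpath.
    """
    path = urlsplit(raw_url).path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # lstrip avoids "//x", which posixpath.normpath would preserve.
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def match_subcomponent(subcomponents: Iterable[UrlSubcomponent],
                       raw_url: str) -> Optional[UrlSubcomponent]:
    """First subcomponent whose rule covers the normalised request path."""
    path = normalize_path(raw_url)
    for sc in subcomponents:
        if sc.exact is not None and path == normalize_path(sc.exact):
            return sc
        if sc.starts_with is not None:
            prefix = normalize_path(sc.starts_with)
            # Match on a segment boundary: /x/productmanager covers
            # /x/productmanager/create but not /x/productmanagerreports.
            if path == prefix or path.startswith(prefix + "/"):
                return sc
        if sc.pattern is not None and re.search(sc.pattern, path, re.IGNORECASE):
            return sc
    return None


def authorize(subcomponents: Iterable[UrlSubcomponent],
              assignments: Dict[str, Set[str]],
              user: Optional[str],
              raw_url: str,
              allow_anonymous_unprotected: bool = False) -> Tuple[str, str]:
    """Decide ("allow" | "deny", reason) for one request through the proxy."""
    sc = match_subcomponent(subcomponents, raw_url)
    if sc is None:
        # Paths no subcomponent covers are denied unless the WAM connection's
        # "Allow Anonymous Access to Unprotected paths" option is selected.
        if allow_anonymous_unprotected:
            return "allow", "unprotected path passed through to the application"
        return "deny", "no URL subcomponent covers this path"
    if user is None:
        return "deny", f"{sc.name} requires an authenticated user"
    if sc.name in assignments.get(user, set()):
        return "allow", f"{user} holds an assignment to {sc.name}"
    return "deny", f"{user} has no assignment to {sc.name}"


# The subcomponents and assignments this topic configures for Andy's Beans.
ANDYS_BEANS = [
    UrlSubcomponent("AB Product Manager Pages", starts_with="andysbeans/productmanager"),
    UrlSubcomponent("AB Employee Pages", starts_with="andysbeans/employees"),
    UrlSubcomponent("AB Employee Manager Pages", starts_with="andysbeans/employeemanager"),
]
ASSIGNMENTS = {
    "charles.stripe": {"AB Employee Manager Pages", "AB Employee Pages"},
    "george.varghese": {"AB Product Manager Pages", "AB Employee Pages"},
    "barry.chandler": {"AB Employee Pages"},
}

if __name__ == "__main__":
    # Constructed requests, two of which a literal prefix check would mishandle.
    for user, url in [
        ("george.varghese", "/AndysBeans/ProductManager/Create"),
        ("charles.stripe", "/AndysBeans/ProductManager/Create"),
        ("barry.chandler", "/AndysBeans/Employees/../ProductManager/Create"),
        (None, "/AndysBeans/Public/%252e%252e/EmployeeManager/Delete"),
        (None, "/AndysBeans/About"),
    ]:
        print(user, url, authorize(ANDYS_BEANS, ASSIGNMENTS, user, url))
```

The starts-with rule here matches only on a segment boundary, so andysbeans/productmanager does not cover andysbeans/productmanagerreports. With "Allow Anonymous Access to Unprotected paths" cleared that narrowness is harmless, because an uncovered path is denied anyway; if that option is selected, a prefix that is too narrow silently exposes the page. The bounded decoding loop exists because a backend that decodes /%252e%252e/ after the proxy matched the literal path would serve a different resource than the one the proxy authorised.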
This topic demonstrates how to create an application for AndysBeans and add to it URL subcomponents for each path that needs to be protected from unauthorized access.
Step 1 – Create a Reverse Proxy SSO application for AndysBeans
- In the navigation sidebar of the EmpowerID Web interface, expand Applications and click Manage Applications.
- From the Application page, click the Create Application Action link.
This opens the Application Details form for the application. This form provides you with fields and options for registering applications in EmpowerID.
- In the General section of the form, enter AndysBeansRP in the Name field.
- Enter Andy's Beans Reverse Proxy in the Display Name and Description fields.
- Leave the Icon field as is.
- Enter the full URL for the Andy's Beans site in the Full URL (Exact Match Path) field. For example: http://sso.empowersso.com:8080/andysbeans, where
- http:// is the scheme,
- sso.empowersso.com is the FQDN of the server hosting the application,
- 8080 is the port, and
- andysbeans is the site.
- Leave the Base URL for the HTTP Module field empty. This field is reserved for the EmpowerID Web Agent.
- Leave Allow Access Requests selected so that the application appears in the IT Shop, allowing users to request or claim an account in the application.
- Leave Allow Claim Account selected so that users can claim their accounts and gain instant access after passing the requisite identity proofs.
- Select Login Is Email Address (Receive OTP to Claim) to receive a one-time password to claim the account and to pass the appropriate identity assertion to the application when logging in from EmpowerID.
- Leave Allow Request Account selected so that users can request an account in the application.
- Select Make me the Application Owner to manage the application and approve or deny access requests.
- Leave Configure Advanced Claim and Request Account Options cleared.
The following image shows what the General section of the Application Details form looks like after completing these steps.
To configure SSO
- Click the Single Sign-On tab and, from the Single Sign-On Connection Type drop-down, select Web Access Management (HTTP Header).
This opens the WAM Connection Information section of the form. Use this section to build the SSO Connection for the Web application.
- In the WAM Connection Information section, leave the Display Name field as is.
- Enter the base URL for AndysBeans in the Base URL for Reverse Proxy field.
- Enter Reverse Proxy for Andy's Beans in the Description field.
- Leave Allow Anonymous Access to Unprotected paths cleared so that the proxy denies any request for a path that is not covered by a protected URL subcomponent, rather than passing it through to the application unauthenticated.
- Leave Use Target Hostname in Requests (Reverse Proxy Only) cleared.
- Select the certificate used in your environment for signing SAML assertions from the Certificate drop-down.
Step 2 – Create a tracking-only account store
A tracking-only account store exists as a container within EmpowerID that stores user and group records for SSO or attestation without making a connection to the external directory associated with the application.
Opting to create a new account store when registering applications in EmpowerID is advantageous because it creates a one-to-one correlation between the account store and the application, and the SSO connection for the application.
- Click the Users tab and select the Create a New Account Directory checkbox.
This tells EmpowerID to create a "tracking-only" account store. When you create a new Account Directory, EmpowerID gives the directory the same name as the application.
- Click Add to Cart.
- Click the My Cart icon and, in the dialog that appears, enter a reason for creating the application and click Submit.
Now that the WAM application is created, the next step is to add protected application subcomponents for each of the URLs that need to be protected from unauthorized access.
Step 3 – Add protected application subcomponents (URLs)
- In the navigation sidebar, expand Applications and click Manage Applications.
- Search for Andy's Beans Reverse Proxy and click the Display Name link for it.
- This directs you to the View One page for the application. View One pages allow you to view information about an object in EmpowerID and manage it as needed.
- From the View One page, expand the Protected Application Components accordion and click the Add Protected Application Subcomponent (+) button.
- In the dialog that appears do the following to protect all pages of Andy's Beans that start with productmanager:
- From the Type drop-down, select URL.
- In the Name, Display Name, and Description fields, enter AB Product Manager Pages.
- Leave the Icon field as is.
- Select Allow Access Requests. This allows users to request access to the page from the IT Shop.
- In the Starts With Path field, enter andysbeans/productmanager.
- Leave ABAC Check cleared.
At this point, the Protected Application Subcomponent dialog looks like this.
- Click Save.
- Expand the Protected Application Components accordion and click the Add Protected Application Subcomponent (+) button.
- In the dialog that appears do the following to protect all pages in Andy's Beans beginning with employees:
- From the Type drop-down, select URL.
- In the Name, Display Name, and Description fields, enter AB Employee Pages.
- Leave the Icon field as is.
- Select Allow Access Requests. This allows users to request access to the page from the IT Shop.
- In the Starts With Path field, enter andysbeans/employees.
- Leave ABAC Check cleared.
At this point, the Protected Application Subcomponent dialog looks like this.
- Click Save.
- Expand the Protected Application Components accordion and click the Add Protected Application Subcomponent (+) button.
- In the dialog that appears do the following to protect all pages in Andy's Beans beginning with employeemanager:
- From the Type drop-down, select URL.
- In the Name, Display Name, and Description fields, enter AB Employee Manager Pages.
- Leave the Icon field as is.
- Select Allow Access Requests. This allows users to request access to the page from the IT Shop.
- In the Starts With Path field, enter andysbeans/employeemanager.
- Leave ABAC Check cleared.
At this point, the Protected Application Subcomponent dialog looks like this.
- Click Save.
The Protected Application Subcomponents accordion looks like this:
Now that the application and the protected application subcomponents for the application are created, the next step is to create a number of people in EmpowerID with accounts in Andy's Beans. For the full list of these user accounts see About the Sample .NET Web Application.
Step 4 – Add user accounts to the Andy's Beans WAM application account store
- In the navigation sidebar, expand Identity Administration and click User Accounts.
- Click the Create User (Person Optional) action link.
- From the General tab of the Create User form that appears do the following:
- From the Account Type drop-down, select Personal Standard.
- In the First Name field, enter Charles; in the Last Name field, enter Stripe; and in the Display Name field, enter Charles Stripe. Charles Stripe is the Employee Manager for Andy's Beans.
- Under Account Creation Location, click the Select a Location link, and in the Location Selector search for AndysBeans, select it, and click Save.
- In the Logon Name field, enter charles.stripe@andysbeans.com.
- In the Description field, enter Andy's Beans user account for Charles Stripe and, optionally, enter comments in the Comments or Justification field.
- Select Create a new EmpowerID Person object. The person created will be the owner of the user account.
- Under Person Business Role, click the Select a Role and Location link to open the Business Role and Location selector.
- Search for the Temporary Role Business Role and then click the node for that role to select it.
- Click Location to open the Location panel of the Business Role and Location selector.
- Search for the Temporary Location Location and then click the node for that location to select it.
- Click Select to select the Business Role and Location combination and close the Business Role and Location selector.
- Select Allow me to enter a password and enter pass@word1 in the Password and Confirm Password fields.
- Ensure that Allow Joining Account to Person and Allow Provisioning a Person from Account are selected.
- Click Save.
After EmpowerID creates the user account and the person owning the account, your browser is directed to the Account Details page for the account.
From the Account Details page, click the EmpowerID Logon link. This directs your browser to the View page for the Charles Stripe person.
Step 5 – Assign access
- From the View page for Charles Stripe, expand the Access Assignments accordion.
- From the Access Assignments accordion, do the following to give Charles Stripe access to the employees and employeemanager pages of the AndysBeans application:
- Click the Add New Assignment (+) button.
- Select Direct from the Assign direct to resource or other method drop-down.
- Select Pages and Reports from the Resource Type drop-down.
- In the Enter a Pages and Reports Name to Search field, enter AB Employee Manager Pages and click the tile to select it.
- Select Viewer from the Access Level drop-down.
- Click Save to add the assignment to the Shopping Cart.
- Repeat the above, this time giving Charles Stripe Viewer access to AB Employee Pages.
- Back on the View page for Charles Stripe, click the Edit link.
- Locate the Login field and change the value from charles.stripe@andysbeans.com to charles.stripe.
- In the Management Roles field, enter Self-Service User and click the tile for the role to select it.
- Click Save.
- Click the Shopping Cart and, in the dialog that appears, enter a reason for the assignment and click Submit.
Repeat these steps for the following Andy's Beans users:
- George Varghese is the Product Manager and needs access to the employees and productmanager pages.
- Barry Chandler is an employee and needs access to the employees pages.
- Fritz Dame is an employee and needs access to the employees pages.
- Tim Johnson is an employee and needs access to the employees pages.
- Maria Hansen is an employee and needs access to the employees pages.
- Rhonda Black is an employee and needs access to the employees pages.
For a full list of all Andy's Beans users and their roles, see About the Sample .NET Web Application.
Now that you have created the Reverse Proxy application for Andy's Beans in EmpowerID, the next step is Configuring the Reverse Proxy for the Web Application.