Testing Web Access Management
After creating the application for AndysBeans in EmpowerID and editing the Web.config file for it, test the agent by navigating to one of the site's protected URLs from your browser. If the agent is working correctly, you are redirected to the EmpowerID logon page, where you need to authenticate as a user with an EmpowerID identity (known as an "EmpowerID Person" or "Person") and complete the RegisterAccount workflow by supplying that Person's AndysBeans username to EmpowerID.
The RegisterAccount workflow allows users with an EmpowerID Person to submit requests for an AndysBeans account (or any other SSO account for that matter) to EmpowerID for approval by a Person with the ability to do so. If the request is approved, EmpowerID creates an AndysBeans account in the AndysBeans Website Account Store and links it to the EmpowerID Person who made the request.
In subsequent visits to AndysBeans, if the user navigates to a protected page, EmpowerID intercepts the traffic and directs the user's browser to the EmpowerID Login page for authentication. Once authenticated, the agent checks to see if the Person has been granted an EmpowerID Access Level Assignment for the requested page. If the user has an assignment, the agent asserts the user's identity to the site, redirecting the user's browser back to the protected page for seamless access to any application resources to which they are entitled.
In this way, the agent allows only users with an EmpowerID Person, an AndysBeans account that has been registered to their Person, and the appropriate EmpowerID Access Level assignments to access any protected pages on AndysBeans.
If a URL subcomponent does not exist for a path that is restricted on the AndysBeans Web application itself, the agent still intercepts traffic directed to that path and forces the user to authenticate to EmpowerID. However, because a URL subcomponent does not exist for the path, the agent sends the authenticated user back to AndysBeans, where the decision for access is based on that person's user identity and roles in AndysBeans.
The RegisterAccount workflow requires usernames to be submitted in an email format. This is because the workflow sends a one-time, time-based password token to the user's email address that must be retrieved and submitted back to the workflow before the request can proceed. Since AndysBeans is not a real Web site with real functional email addresses, to test the agent, you must have a way to intercept those emails and read the tokens therein. In our environment, we use a utility called smtp4dev for this purpose.
To Test WAM
Log out of the EmpowerID Web interface and navigate to the employees page of AndysBeans home page.
In our environment, the URL for this page is http://sso.empowerID.com/andysbeans/employees for the agent only and http://www.andysbeans.com/andysbeans/employees for the agent configured with the reverse proxy. This redirects your browser to the EmpowerID Login page.
- From the EmpowerID Login page, log in as Fritz Dame using the EmpowerID login and password you set.
EmpowerID logs you in and directs your browser back to the AndysBeans employees page, authenticated to AndysBeans as Fritz Dame. There is an employee link at the top of the page. - From AndysBeans, click the LOG OFF link.
This logs you out of both AndysBeans and EmpowerID and redirects your browser to the AndysBeans home page. From the AndysBeans home page, append /employeemanager to the URL displayed in your browser's address bar.
In our environment, this URL is http://sso.empowerid.com/andysbeans/employeemanager for the agent only and http://www.andysbeans.com/andysbeans/employeemanager for the agent configured with the reverse proxy.
- This redirects your browser to the Login page for the EmpowerID Web application.
- From the EmpowerID Login page, log in as Charles Stripe using the EmpowerID login and password you set.
EmpowerID logs you in and then redirects your browser to the AndysBeans employeemanager page, authenticated to AndysBeans as Charles Stripe. Employee and admin links appear at the top of the page. - From AndysBeans, click the LOG OFF link.
This logs you out of both AndysBeans and EmpowerID and redirects your browser to the AndysBeans home page. - From the EmpowerID Login page, log in as George Varghese using the EmpowerID login and password you set.
EmpowerID logs you in and redirects your browser to the AndysBeans productmanager page, authenticated to AndysBeans as George Varghese. Employee and admin links appear at the top of the page. - From AndysBeans, click the LOG OFF link.
This logs you out of both AndysBeans and EmpowerID and redirects your browser to the AndysBeans home page.