Add required access policy

During this task we will create the required policy to route requests to back-end protected web resources.
In the original example the following redirects were used:

URL     Redirect
/2nd    2ndbackend.myportal.com
/3rd    3rdbackend.myportal.com
Important: Add a policy for each of the required redirects.

Add access policy for each secondary, tertiary and other back ends:

  1. If required, select the Policies tab.
  2. Click Add in the policy list header and choose Protected.

    See About Access Gateway policy types for more information on policy types.
  3. Change the policy type to Custom.
  4. Expand Advanced.
  5. In the Custom Configuration text area enter the following code:
    Note: We will enter the code in several sections.
    Initially enter the policy requirements:
    set $policy_name "2nd";
    set $policy_res "/2nd";
    set $policy_type "PROTECTED";
    set $policy_desc "Protect all application resources";
    These values should match the original protected resource; in particular $policy_res is the URI prefix (/2nd) that this policy handles.
    Note that the policy type here is set to PROTECTED.

    Important: The following policy types are supported:

    Policy type      Corresponding policy_type
    Protected        PROTECTED
    Not Protected    NO_AUTH
    Protected Rule   PROTECTED_REGEX
    Adaptive Rule    Not supported

    See About Access Gateway policy types for a complete list of all policy types.

  6. Follow the set $policy_* statements with the session variables that authSession populates:
    # values populated by authSession
    set $UserName '';
    set $oag_username '';
    set $RemoteIP '';
    set $RelayDomain '';
    set $SESSIONID '';

  7. For each attribute specify a corresponding indexed variable. These are the key(s) from the SAML assertion, and there must be a one-to-one correspondence between application attributes and indexed variables.
    Assuming there were three attributes, we would create three set statements plus an additional count set statement.
    Note that the attribute names must match those shown in the Name column of the application's attributes. Also note that the $_argc value must equal the total number of attributes, in this example 3.
    # keys from the SAML assertion; authSession populates $_1 .. $_N from the session
    set $_1 'oagusername';
    set $_2 'firstname';
    set $_3 'lastname';
    set $_argc 3;


  8. Follow the set statements with two required statements, shown below:
    # process request policies
    access_by_lua_file conf/authSession.lua;
    # resolver - required if the back end is specified by domain name rather than by IP address
    resolver 127.0.0.1;

  9. Add the required redirects.
    Replace the following with appropriate values:

    Substitution                 Description                                                                          Example
    <APP_PATH>                   URI of the OAG app that should be passed to the additional back-end proxied server   /2nd
    <PROXIED_SERVER_PROTOCOL>    http or https, depending on the protocol supported by the <PROXIED_SERVER>           https
    <PROXIED_SERVER>             Host name of the back-end server for the <APP_PATH>                                  2ndbackend.myportal.com

    Write the scheme exactly as the back end sends it in its Location header (normally lower case): proxy_redirect matches its first argument against that header literally, whereas subs_filter with the i flag matches case-insensitively. The rewrite targets must all sit under the <APP_PATH> of this policy, so that rewritten links and redirects come back through the same policy.

    In general:
    #substitute the response data to include the application URI for absolute URLs
    subs_filter <PROXIED_SERVER_PROTOCOL>://<PROXIED_SERVER>/  https://$http_host/<APP_PATH>/ gi;
    #substitute the response data to include the application URI for redirects
    proxy_redirect <PROXIED_SERVER_PROTOCOL>://<PROXIED_SERVER>/ /<APP_PATH>/;
    #substitute the response data to include the application URI for relative URLs
    subs_filter href="/    href="/<APP_PATH>/ gi;

    For example:
    #substitute the response data to include the application URI for absolute URLs
    subs_filter https://2ndbackend.myportal.com/  https://$http_host/2nd/ gi;
    #substitute the response data to include the application URI for redirects
    proxy_redirect https://2ndbackend.myportal.com/ /2nd/;
    #substitute the response data to include the application URI for relative URLs
    subs_filter href="/    href="/2nd/ gi;

  10. Complete the code block by entering the following statements.
    Note that you will need to add all headers the application requires to the request; these may be a subset of the original attribute values, and the header names must be the ones the back end expects.
    # common managed directives
    include /etc/nginx/conf/icsgw_location_common.conf;

    # Include headers for application
    proxy_set_header oagusername $_1;
    proxy_set_header firstname $_2;
    proxy_set_header lastname $_3;

    # set to the hostname that the protected upstream app needs (replace localhost as required)
    proxy_set_header host localhost;

  11. Click Not validated to validate the code block.
    On success the Not validated button will become Valid.
  12. Correct any errors and click Okay to finalize the policy.
  13. Click Done to complete the application.

 

The following example shows the completed code block for redirecting all requests for www.myportal.com/2nd to 2ndbackend.myportal.com.

set $policy_name "Second";
set $policy_desc "Protect all application resources";
set $policy_type "PROTECTED";
set $policy_res "/2nd";

# The values from authSession
set $UserName '';
set $oag_username '';
set $RemoteIP '';
set $RelayDomain '';
set $SESSIONID '';

# Key(s) from the SAML Assertion
# authSession will look in the session for these keys
# and populate the indexed variables
set $_1 'oagusername';
set $_2 'firstname';
set $_3 'lastname';
set $_argc 3;

# process request policies
access_by_lua_file conf/authSession.lua;
# resolver - required if using a domain name and not an IP address
resolver 127.0.0.1;

#substitute the response data to include the application URI for absolute URLs
subs_filter https://2ndbackend.myportal.com/  https://$http_host/2nd/ gi;
#substitute the response data to include the application URI for redirects
proxy_redirect https://2ndbackend.myportal.com/ /2nd/;
#substitute the response data to include the application URI for relative URLs
subs_filter href="/    href="/2nd/ gi;

# common managed directives
include /etc/nginx/conf/icsgw_location_common.conf;

# Include headers for application
proxy_set_header oagusername $_1;
proxy_set_header firstname $_2;
proxy_set_header lastname $_3;

# set to the hostname that the protected upstream app needs
proxy_set_header host localhost;


Next steps

Repeat the process, adding a new policy for each of the required URI/redirects. In the example given we would add an additional policy for /3rd redirecting to https://3rdbackend.myportal.com/.
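Copying the block once per back end is where the small mistakes creep in: an $_argc that no longer matches the number of indexed variables, a proxy_set_header that points at an undefined $_N, a rewrite target left at the previous application path, a scheme written in upper case so proxy_redirect never matches, or a required directive dropped. The following is an added example, written here and not code from Access Gateway or its documentation: it renders the custom-configuration block for one row of the URL/Redirect table from the directives on this page, and lints any block for exactly those slips. The SAMPLE_WITH_SLIPS text is constructed for the demonstration, and the lint rule that nginx compares the proxy_redirect prefix literally against the back end's Location header is an assumption about nginx behaviour, not something this page states.

```python
# Added example, not Access Gateway code: render one custom-policy block from a row of
# the URL/Redirect table and lint a block for mistakes that creep in when it is copied.
import re

SUPPORTED_POLICY_TYPES = {"PROTECTED", "NO_AUTH", "PROTECTED_REGEX"}
REQUIRED_DIRECTIVES = ("access_by_lua_file conf/authSession.lua;", "resolver 127.0.0.1;",
                       "include /etc/nginx/conf/icsgw_location_common.conf;")
SESSION_VARS = ("UserName", "oag_username", "RemoteIP", "RelayDomain", "SESSIONID")


def render_policy(name, app_path, backend, attributes, headers,
                  scheme="https", upstream_host="localhost"):
    """attributes: SAML attribute names in order (they become $_1..$_N);
    headers: {header sent upstream: attribute name}, may be a subset."""
    path = app_path.strip("/")
    out = [f'set $policy_name "{name}";', f'set $policy_res "/{path}";',
           'set $policy_type "PROTECTED";', f'set $policy_desc "Route /{path} to {backend}";',
           "", "# values populated by authSession"]
    out += [f"set ${v} '';" for v in SESSION_VARS]
    out += ["", "# keys from the SAML assertion, one indexed variable per attribute"]
    out += [f"set $_{i} '{a}';" for i, a in enumerate(attributes, start=1)]
    out += [f"set $_argc {len(attributes)};", "",
            "# process request policies", REQUIRED_DIRECTIVES[0],
            "# resolver - required when the back end is a host name, not an IP",
            REQUIRED_DIRECTIVES[1], "",
            "# rewrite absolute URLs, redirects and relative links under /<path>/",
            f"subs_filter {scheme}://{backend}/  https://$http_host/{path}/ gi;",
            f"proxy_redirect {scheme}://{backend}/ /{path}/;",
            f'subs_filter href="/    href="/{path}/ gi;', "",
            "# common managed directives", REQUIRED_DIRECTIVES[2], "",
            "# headers the application needs, taken from the indexed variables"]
    for header, attr in headers.items():  # ValueError if attr is not an attribute
        out.append(f"proxy_set_header {header} $_{attributes.index(attr) + 1};")
    out.append(f"proxy_set_header host {upstream_host};")
    return "\n".join(out) + "\n"


def lint_policy(text):
    """Return the problems found in a custom-policy block (empty list = consistent)."""
    problems = []
    sets = dict(re.findall(r"""^\s*set\s+\$(\w+)\s+["']?([^"';]*)["']?\s*;""", text, re.M))
    if sets.get("policy_type") not in SUPPORTED_POLICY_TYPES:
        problems.append(f"unsupported policy_type {sets.get('policy_type')!r}")
    res = sets.get("policy_res", "")
    if not res.startswith("/"):
        problems.append(f"policy_res {res!r} is not an absolute path")
    indexed = {int(k[1:]) for k in sets if re.fullmatch(r"_\d+", k)}
    argc = int(sets.get("_argc") or 0)
    if indexed != set(range(1, argc + 1)):
        problems.append(f"$_argc is {argc} but indexed variables are {sorted(indexed)}")
    for header, idx in re.findall(r"^\s*proxy_set_header\s+(\S+)\s+\$_(\d+)\s*;", text, re.M):
        if int(idx) not in indexed:
            problems.append(f"header {header} references undefined $_{idx}")
    want = res.strip("/") + "/"
    for directive, src, dst in re.findall(
            r"^\s*(subs_filter|proxy_redirect)\s+(\S+)\s+(\S+)", text, re.M):
        dst, scheme = dst.rstrip(";"), src.split("://", 1)[0]
        # assumption: nginx matches the proxy_redirect prefix literally against the
        # Location header, so the scheme must be written as the back end sends it
        if directive == "proxy_redirect" and "://" in src and scheme != scheme.lower():
            problems.append(f"proxy_redirect source {src!r} uses an upper-case scheme")
        for prefix in ("https://$http_host/", 'href="/', "/"):  # longest first
            if dst.startswith(prefix):
                if dst[len(prefix):] != want:
                    problems.append(f"{directive} rewrites to {dst!r}, expected /{want}")
                break
    problems += [f"missing required directive: {d}" for d in REQUIRED_DIRECTIVES if d not in text]
    return problems


# Constructed sample in the style of the completed block above, with two slips that are
# easy to copy along: an absolute-URL rewrite still aimed at /app1/ and an upper-case
# scheme in proxy_redirect.
SAMPLE_WITH_SLIPS = """\
set $policy_name "2nd";
set $policy_res "/2nd";
set $policy_type "PROTECTED";
set $_1 'oagusername';
set $_argc 1;
access_by_lua_file conf/authSession.lua;
resolver 127.0.0.1;
subs_filter HTTPS://2ndbackend.myportal.com/  https://$http_host/app1/ gi;
proxy_redirect HTTPS://2ndbackend.myportal.com/ /2nd/;
subs_filter href="/    href="/2nd/ gi;
include /etc/nginx/conf/icsgw_location_common.conf;
proxy_set_header oagusername $_1;
proxy_set_header host localhost;
"""

if __name__ == "__main__":
    print(render_policy("3rd", "/3rd", "3rdbackend.myportal.com",
                        ["oagusername", "firstname", "lastname"], {"oagusername": "oagusername"}))
    for problem in lint_policy(SAMPLE_WITH_SLIPS):
        print("PROBLEM:", problem)
```

Run it as-is to print the /3rd block for the example above and the two findings for the sample; paste a policy block from the Custom Configuration text area into lint_policy before clicking Not validated, since the gateway's validator checks syntax, not whether the rewrite targets and header indices agree with the rest of the block.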

Test