Skip to main content

Description

The yaml file provided below contains an example YAML configuration for an IBM Application Gateway (IAG) container which:

  1. Configures an IBM Security Verify tenant as the identity provider using OIDC;
  2. Defines a single Web application which will be proxied by the IAG;
  3. Defines an authorization policy for the Web application which will enforce second-factor (2FA) authentication.

Example Yaml File

version: "20.07"

#
# Configure an IAG container to proxy a single Web application, and define
# an authorization policy for the Web application. The authorization policy
# will enforce that a particular ACR is present in the token received from
# IBM Security Verify.
#

#
# Specify an IBM Security Verify tenant as the identity provider for the 
# container.  Please note that the values provided below are for illustrative
# purposes only and don't reflect a real tenant.  A free tenant can be created 
# using the instructions found at the following URL:
#    https://www.ibm.com/us-en/marketplace/cloud-identity-for-consumers
#
# The discovery endpoint has the following format:
#    https://<verify host>/oidc/endpoint/default/.well-known/openid-configuration
#
# The redirect URI which is used in the SSO flow is constructed from the host 
# header contained in the request, appended with '/pkmsoidc' (for example: 
# https://ibm-app-gateway.ibm.com/pkmsoidc).  This redirect URI should be
# specified when creating the custom application within the CI administrators
# console.
#

identity:
  oidc:
    discovery_endpoint: "https://ibm_app_gw.ice.ibmcloud.com/oidc/endpoint/default/.well-known/openid-configuration"
    client_id: "300141b6-690b-4e4e-862d-2c96da2bb1ba"
    client_secret: "wPP8rM8N0d"

#
# Define an resource server which will be hosted at the '/static' path of the
# IAG container.  A single Web server, located at http://10.10.10.200:1337, 
# hosts the resource server.
#

resource_servers:
  - path: "/static"
    connection_type: "tcp"
    servers:
      - host: "10.10.10.200"
        port: 1337
    transparent_path: false

#
# The following authorization policy will enforce that the current credential
# contains the 'acr' attribute with the value 'urn:ibm:security:policy:id:2'.
# If the 'acr' is any other value, this policy will obligate that 
# authentication should take place again and indicate to the identity provider
# that we want the 'urn:ibm:security:policy:id:2' authentication experience to
# take place.
#
# Note that:
#  - The field which we receive from the identity provider is 'acr', this is 
#    stored in the credential and can be used in our policy rule authoring.
#  - The parameter we send to the identity provider during authentication is
#    named 'acr_values', this is a space separated string of authentication
#    experiences that IAG as a relying party is asking to take place.
#

policies:
  authorization:

    - name: "enforce_2fa"
      paths: 
        - "*"
      rule: 'acr != "urn:ibm:security:policy:id:2"'
      action: "obligate"
      obligation:
        oidc:
          acr_values: "urn:ibm:security:policy:id:2"

    - name: "permit_with_2fa"
      paths: 
        - "*"
      rule: 'acr = "urn:ibm:security:policy:id:2"'
      action: "permit"

    - name: "deny_access"
      paths: 
        - "*"
      rule: "()"
      action: "deny"