The YAML file below is an example configuration for an IBM® Application Gateway (IAG) container which:
- Configures an IBM Security Verify tenant as the identity provider using OIDC;
- Defines a single Web application which will be proxied by the IAG;
- Defines an authorization policy for the Web application which will enforce second-factor (2FA) authentication.
Example YAML

```yaml
version: "23.10"

#
# Configure an IAG container to proxy a single Web application, and define
# an authorization policy for the Web application. The authorization policy
# will enforce that a particular ACR is present in the token received from
# IBM Security Verify.
#

#
# Specify an IBM Security Verify tenant as the identity provider for the
# container. Please note that the values provided below are for illustrative
# purposes only and don't reflect a real tenant. A free tenant can be created
# using the instructions found at the following URL:
# https://www.ibm.com/us-en/marketplace/cloud-identity-for-consumers
#
# The discovery endpoint has the following format:
# https://<verify host>/oidc/endpoint/default/.well-known/openid-configuration
#
# The redirect URI which is used in the SSO flow is constructed from the host
# header contained in the request, appended with '/pkmsoidc' (for example:
# https://ibm-app-gateway.ibm.com/pkmsoidc). This redirect URI should be
# specified when creating the custom application within the CI administrators
# console.
#

identity:
  oidc:
    discovery_endpoint: "https://ibm-app-gw.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration"
    client_id: "300141b6-690b-4e4e-862d-2c96da2bb1ba"
    client_secret: "wPP8rM8N0d"

#
# Define a resource server which will be hosted at the '/static' path of the
# IAG container. A single Web server, located at http://10.10.10.200:1337,
# hosts the resource server.
#

resource_servers:
  - path: "/static"
    connection_type: "tcp"
    servers:
      - host: "10.10.10.200"
        port: 1337
    transparent_path: false

#
# The following authorization policy will enforce that the current credential
# contains the 'acr' attribute with the value 'urn:ibm:security:policy:id:2'.
# If the 'acr' is any other value, this policy will obligate that
# authentication should take place again and indicate to the identity provider
# that we want the 'urn:ibm:security:policy:id:2' authentication experience to
# take place.
#
# Note that:
# - The field which we receive from the identity provider is 'acr'; this is
#   stored in the credential and can be used in our policy rule authoring.
# - The parameter we send to the identity provider during authentication is
#   named 'acr_values'; this is a space-separated string of authentication
#   experiences that IAG as a relying party is asking to take place.
#

policies:
  authorization:
    - name: "enforce_2fa"
      paths:
        - "*"
      rule: 'acr != "urn:ibm:security:policy:id:2"'
      action: "obligate"
      obligation:
        oidc:
          acr_values: "urn:ibm:security:policy:id:2"
    - name: "permit_with_2fa"
      paths:
        - "*"
      rule: 'acr = "urn:ibm:security:policy:id:2"'
      action: "permit"
    - name: "deny_access"
      paths:
        - "*"
      rule: "()"
      action: "deny"
```
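To see how the three authorization rules combine for different credentials, the following Python walk-through simulates the policy section of the YAML above. It is an added illustration and not IAG code: the evaluation model (rules tried in the listed order, the first matching rule deciding the outcome), the treatment of `"()"` as a catch-all rule that always matches, and the treatment of a credential that lacks the `acr` attribute as matching neither comparison rule are assumptions made for this example, and the credentials fed to it are constructed.

```python
"""Simulate the ordered evaluation of the 'enforce_2fa', 'permit_with_2fa'
and 'deny_access' rules from the example YAML.

Added example, not IAG code. Assumptions: rules are evaluated in the order
listed and the first match decides; "()" always matches; a rule that
references an attribute missing from the credential does not match.
"""
import re

ACR_2FA = "urn:ibm:security:policy:id:2"

# The three policies exactly as the YAML lists them, as Python data.
POLICIES = [
    {"name": "enforce_2fa",
     "rule": f'acr != "{ACR_2FA}"',
     "action": "obligate",
     "obligation": {"oidc": {"acr_values": ACR_2FA}}},
    {"name": "permit_with_2fa",
     "rule": f'acr = "{ACR_2FA}"',
     "action": "permit"},
    {"name": "deny_access",
     "rule": "()",
     "action": "deny"},
]

# Only the two operator forms that appear on the page: attr = "v", attr != "v".
_COMPARISON = re.compile(r'^\s*(\w+)\s*(!=|=)\s*"([^"]*)"\s*$')


def rule_matches(rule, credential):
    """Evaluate one rule string against a credential (attribute -> value dict)."""
    if rule.strip() == "()":
        return True  # assumed catch-all
    m = _COMPARISON.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax for this simulation: {rule!r}")
    attr, op, expected = m.groups()
    if attr not in credential:
        return False  # assumption: an absent attribute satisfies neither = nor !=
    actual = credential[attr]
    return actual == expected if op == "=" else actual != expected


def decide(credential, policies=POLICIES):
    """Return the first matching policy's name, action and obligation (if any)."""
    for policy in policies:
        if rule_matches(policy["rule"], credential):
            return {"policy": policy["name"],
                    "action": policy["action"],
                    "obligation": policy.get("obligation")}
    # Unreachable while a "()" rule is present, but a safe default for the model.
    return {"policy": None, "action": "deny", "obligation": None}


if __name__ == "__main__":
    # Constructed credentials: one with the required ACR, one with a weaker
    # ACR, and one where the identity provider returned no 'acr' at all.
    samples = {
        "2fa satisfied": {"acr": ACR_2FA},
        "single factor": {"acr": "urn:ibm:security:policy:id:1"},
        "acr missing": {},
    }
    for label, cred in samples.items():
        print(f"{label:14s} -> {decide(cred)}")
```

Under these assumptions a credential carrying the required ACR is permitted by `permit_with_2fa`, any other ACR value triggers the `obligate` action with `acr_values` set to the stronger policy, and a credential with no `acr` at all falls through to `deny_access`, which is why the catch-all deny rule is worth keeping last even though the first two rules look exhaustive.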