WAYF client-side (browser)

The YAML below is an example configuration for an IBM® Application Gateway (IAG) container which:

  1. Uses two OIDC identity providers.

  2. Redirects unauthenticated clients to a landing page, where they can select which provider to authenticate with.

Example YAML

version:    "26.06.0"

#
# In this example, a directory named "local_pages" containing "index.html" is
# in the same directory as the configuration YAML.
#
# index.html is a static HTML page which contains hyperlinks to the OIDC 
# provider kickoff URLs.
#
# <a href="/pkmsoidc?iss=primary">Login with Primary</a>
# <a href="/pkmsoidc?iss=secondary">Login with Secondary</a>
#

server:
  local_pages:
    content:  local_pages
    type:     path

identity:

  #
  # We configure two OIDC identity providers, named "primary" and "secondary".
  #

  oidc:
    - name:               primary
      discovery_endpoint: https://primary.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration
      client_id:          cea1e673-918e-42ce-b59f-3dda344def66
      client_secret:      EkQvEb3BBTufGZqA44zkUu9s
    - name:               secondary
      discovery_endpoint: https://secondary.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration
      client_id:          4b987537-cd3f-487b-b852-10a5bb083385
      client_secret:      UbgG4HKwuJiaWBxXUnciMnbt

  #
  # When clients are challenged to authenticate, we want to send them to
  # index.html. This is the static page where they can select their provider.
  #

  auth_challenge_redirect:
    url: /index.html


policies:
  authorization:

    #
    # Ensure that the static page can be accessed by clients before they have
    # authenticated.
    #

    - name:   landing_page
      methods:
        - GET
      paths:
        - /index.html
      rule:   anyuser
      action: permit
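A configuration like this has three parts that must agree with each other: the provider names under identity.oidc, the iss values in the landing page's kickoff links, and the authorization policy that lets an unauthenticated GET reach the auth_challenge_redirect target. If a link names a provider that is not configured, or the landing page is not permitted for anyuser, the user either hits a dead kickoff URL or is bounced into a redirect loop before ever seeing the chooser. The following script is an added example, not IBM or IAG code; it assumes the YAML has already been loaded into a plain Python dict (written out by hand here to mirror the example, with constructed placeholder secrets) and that the landing page HTML is available as a string. The function names and the check itself are the example's own.

```python
"""Consistency check for an IAG WAYF setup (added example, not IBM code)."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed: the page's example YAML as a dict (secrets replaced by placeholders).
CONFIG = {
    "version": "26.06.0",
    "server": {"local_pages": {"content": "local_pages", "type": "path"}},
    "identity": {
        "oidc": [
            {"name": "primary",
             "discovery_endpoint": "https://primary.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration",
             "client_id": "cea1e673-918e-42ce-b59f-3dda344def66",
             "client_secret": "<placeholder-secret-1>"},
            {"name": "secondary",
             "discovery_endpoint": "https://secondary.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration",
             "client_id": "4b987537-cd3f-487b-b852-10a5bb083385",
             "client_secret": "<placeholder-secret-2>"},
        ],
        "auth_challenge_redirect": {"url": "/index.html"},
    },
    "policies": {
        "authorization": [
            {"name": "landing_page", "methods": ["GET"], "paths": ["/index.html"],
             "rule": "anyuser", "action": "permit"},
        ]
    },
}

# Constructed: the static landing page the YAML comments describe.
INDEX_HTML = """<!doctype html>
<h1>Choose your identity provider</h1>
<a href="/pkmsoidc?iss=primary">Login with Primary</a>
<a href="/pkmsoidc?iss=secondary">Login with Secondary</a>
"""

REQUIRED_PROVIDER_KEYS = ("name", "discovery_endpoint", "client_id", "client_secret")
KICKOFF_PATH = "/pkmsoidc"  # IAG's OIDC kickoff path, as used in the page's links


def provider_names(config):
    """Return configured OIDC provider names; reject missing keys and duplicates."""
    names = []
    for p in config["identity"].get("oidc", []):
        missing = [k for k in REQUIRED_PROVIDER_KEYS if k not in p]
        if missing:
            raise ValueError(f"provider {p.get('name', '?')} is missing {missing}")
        if p["name"] in names:
            raise ValueError(f"duplicate provider name {p['name']}")
        names.append(p["name"])
    return names


def kickoff_issuers(html):
    """Extract the iss= value of every /pkmsoidc link in the landing page."""
    issuers = []
    for href in re.findall(r'href="([^"]+)"', html):
        u = urlparse(href)
        if u.path == KICKOFF_PATH:
            issuers.extend(parse_qs(u.query).get("iss", []))
    return issuers


def landing_page_permitted(config):
    """True if the auth challenge redirect target is GET-permitted for anyuser."""
    url = config["identity"]["auth_challenge_redirect"]["url"]
    for policy in config["policies"].get("authorization", []):
        if (url in policy.get("paths", [])
                and "GET" in policy.get("methods", [])
                and policy.get("rule") == "anyuser"
                and policy.get("action") == "permit"):
            return True
    return False


def check(config, html):
    """Return a list of findings; an empty list means the WAYF setup is consistent."""
    try:
        names = set(provider_names(config))
    except ValueError as e:
        return [str(e)]
    linked = set(kickoff_issuers(html))
    findings = [f"landing page links to unknown provider '{iss}'" for iss in sorted(linked - names)]
    findings += [f"provider '{n}' has no link on the landing page" for n in sorted(names - linked)]
    if not landing_page_permitted(config):
        findings.append("auth_challenge_redirect target is not permitted for unauthenticated GET")
    return findings


if __name__ == "__main__":
    for line in check(CONFIG, INDEX_HTML) or ["OK: landing page and providers are consistent"]:
        print(line)
```

Run it against the real YAML (loaded with any YAML parser) and the deployed index.html before shipping a change to either; a typo in a link's iss value or a dropped permit rule shows up as a finding rather than as a support ticket.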