Sample file for Access Policies

Use the Access Policies samples as templates and modify them to suit your needs.

The access policy samples help you get started with access policies. They assume that the federation, partner, and reverse proxy are already configured with the correct junction name, federation name, and partner name.

importClass(Packages.com.ibm.security.access.policy.decision.Decision);
importClass(Packages.com.ibm.security.access.policy.decision.HtmlPageDenyDecisionHandler);
importClass(Packages.com.ibm.security.access.policy.decision.RedirectDenyDecisionHandler);
importClass(Packages.com.ibm.security.access.policy.decision.HtmlPageChallengeDecisionHandler);
importClass(Packages.com.ibm.security.access.policy.decision.RedirectChallengeDecisionHandler);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities); 

// Set promptTOTP = true if the user must be prompted for TOTP during a single sign-on flow.
var promptTOTP = false;
if (promptTOTP){
	/*
	 * This sample uses the TOTP policy that is bundled with the Advanced Access Control activation.
	 * The isamcfg tool must be configured with the right junction name.
	 */
	//Retrieve user context
	var user = context.getUser();
	//Check the various authenticationTypes performed by the user
	var authenticationTypesAttribute = user.getAttribute("authenticationTypes");
	if (authenticationTypesAttribute != null
			&& authenticationTypesAttribute.getValues().contains("urn:ibm:security:authentication:asf:totp")){
		/*
		* If authenticationTypesAttribute is not null, we check if the user has performed TOTP,
		* if yes the user is allowed to continue with the Single Sign on.
		*/
		context.setDecision(Decision.allow());
	}
	else{
		/*
		 * If authenticationTypesAttribute is null, or the user has not performed TOTP, the
		 * user is challenged with a TOTP authentication.
		 * This is done with a RedirectChallengeDecisionHandler, which needs the URI to which
		 * the user is redirected:
		 * handler.setRedirectUri("/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:
		 * totp&Target=https://www.myidp.ibm.com/isam@ACTION@");
		 * The PolicyId parameter invokes the TOTP policy that is available OOTB once Advanced
		 * Access Control is activated. The Target parameter is the URL the user is sent to once
		 * TOTP is completed. Its format is https://www.myidp.ibm.com/isam@ACTION@, where
		 * https://www.myidp.ibm.com/isam is the point of contact server for the federation and
		 * the @ACTION@ macro is replaced with the endpoint that must be accessed for the single
		 * sign-on flow to continue from the point where the redirect challenge halted it.
		 * Keep the Target fixed to the point of contact server as shown; do not build it from
		 * request-supplied values, or the challenge becomes a redirect to an attacker-chosen URL.
		 */
	
		var handler = new RedirectChallengeDecisionHandler();
		/*
		 * To write a variable or a string to trace.log, use the
		 * IDMappingExtUtils.traceString() function. To enable the trace, set the trace string to
		 * com.tivoli.am.fim.*:ALL
		 */
		IDMappingExtUtils.traceString("CHALLENGE WITH TOTP");
		handler.setRedirectUri("/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:totp"
				+ "&Target=https://www.myidp.ibm.com/isam@ACTION@");
		context.setDecision(Decision.challenge(handler));
	}
}

/*
 * Set checkGroupMembership = true if the user is allowed to perform the single sign-on flow only
 * when the user is a member of a given group.
 * Each sample in this file sets its own decision with context.setDecision(). If both promptTOTP
 * and checkGroupMembership are enabled, this block runs after the TOTP block and its decision is
 * set last. Enable one sample at a time, or combine the conditions so that a single decision is set.
 */
var checkGroupMembership = false;
if (checkGroupMembership){
	//Retrieve user context
	var user = context.getUser();
	//Check if the user belongs to the "SecurityGroup"
	var group = user.getGroup("SecurityGroup");
	// Allow if the user belongs to the group; otherwise deny
	if ( group != null){
		context.setDecision(Decision.allow());
	}
	else{
		/*
		 * If the user does not belong to the group, the single sign-on flow is aborted. An
		 * HtmlPageDenyDecisionHandler is used to deny the user from performing SSO.
		 * It returns the OOTB HTML deny page located at /access_policy/deny_decision.html, or
		 * a custom page can be selected with setPageId(). A macro can be set with setMacro()
		 * to display a custom error message:
		 *
		 *	var handler = new HtmlPageDenyDecisionHandler();
		 *	handler.setPageId("/access_policy/custom_deny_decision.html");
		 *	handler.setMacro("@MESSAGE@","This is a custom deny page");
		 *
		 * Make sure that the page /access_policy/custom_deny_decision.html exists. A macro set
		 * here can be retrieved from the template page.
		 *
		 * In the above example a @MESSAGE@ macro is set; the
		 * /access_policy/custom_deny_decision.html page can render it either directly:
		 *
		 *	<%templateContext.response.body.write(templateContext.macros["@MESSAGE@"]);%>
		 *
		 * or inside a page element:
		 *
		 *	<div class="pageContent">
		 *		<div class="errorMessage"><%templateContext.response.body.write(templateContext.macros["@MESSAGE@"]);%></div>
		 *	</div>
		 *
		 * Because the macro value is written into the HTML page, keep it a fixed string as in
		 * this sample rather than echoing request-supplied or user-supplied data into it.
		 */
		var handler = new HtmlPageDenyDecisionHandler();
		handler.setMacro("@MESSAGE@", "This user does not belong to the required group and is"
				+ " not allowed to perform SSO");
		context.setDecision(Decision.deny(handler));
	}
	
}

The access policies above include samples of each of the following activities:
  • Redirecting to another authentication mechanism, and the pattern for returning to the SSO flow
  • Checking credential attributes
  • Checking group membership
  • Sending an HTML page
  • Setting a macro for a page
  • Sending a redirect
  • Denying a request
  • Allowing a request
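The two samples above each set their own decision. As an added example (not part of the IBM sample file), the following policy combines them in one decision path: a user who is not a member of SecurityGroup is denied with the HTML deny page, a member who has not yet completed TOTP is sent to the TOTP redirect challenge, and only a member who has completed TOTP is allowed. The access policy runtime objects (context, Decision and the two handler classes) exist only on the appliance, so the block begins with a constructed stand-in that models just the calls the samples use; this stand-in is an assumption about the real API made so the policy logic can run offline, and its getDecision() hook and the decideFor() wrapper are not part of the real API. The runPolicy() body is what would go into the access policy.

```javascript
// Added example, not from the IBM sample file. ES5 syntax so it also fits the
// appliance's script engine.

// --- Constructed stand-in for the access policy runtime (assumption: models only
// --- the calls the samples above make, not the real IBM classes). ---
function makeAttribute(values) {
  // Mirrors attribute.getValues().contains(x) on a Java collection.
  return { getValues: function () {
    return { contains: function (v) { return values.indexOf(v) !== -1; } };
  } };
}
function makeUser(spec) {
  return {
    getAttribute: function (name) {
      return spec.attributes && spec.attributes[name] ? makeAttribute(spec.attributes[name]) : null;
    },
    getGroup: function (name) {
      return spec.groups && spec.groups.indexOf(name) !== -1 ? { getName: function () { return name; } } : null;
    }
  };
}
function RedirectChallengeDecisionHandler() { this.redirectUri = null; }
RedirectChallengeDecisionHandler.prototype.setRedirectUri = function (uri) { this.redirectUri = uri; };
function HtmlPageDenyDecisionHandler() { this.pageId = null; this.macros = {}; }
HtmlPageDenyDecisionHandler.prototype.setPageId = function (id) { this.pageId = id; };
HtmlPageDenyDecisionHandler.prototype.setMacro = function (k, v) { this.macros[k] = v; };
var Decision = {
  allow: function () { return { type: "allow" }; },
  deny: function (h) { return { type: "deny", handler: h }; },
  challenge: function (h) { return { type: "challenge", handler: h }; }
};
function makeContext(userSpec) {
  var decision = null;
  return {
    getUser: function () { return makeUser(userSpec); },
    setDecision: function (d) { decision = d; },
    getDecision: function () { return decision; } // test hook only; not in the real API
  };
}

// --- Policy body: this is the part that would go into the access policy. ---
var REQUIRED_GROUP = "SecurityGroup";
var TOTP_MECHANISM = "urn:ibm:security:authentication:asf:totp";
// Target is a fixed point-of-contact URL, never built from request data.
var TOTP_REDIRECT = "/sps/authsvc?PolicyId=" + TOTP_MECHANISM
  + "&Target=https://www.myidp.ibm.com/isam@ACTION@";

// True when the credential's authenticationTypes attribute records the mechanism.
function hasAuthenticated(user, mechanism) {
  var attr = user.getAttribute("authenticationTypes");
  return attr != null && attr.getValues().contains(mechanism);
}

function runPolicy(context) {
  var user = context.getUser();
  // 1. Cheapest and most restrictive check first: non-members are denied outright,
  //    so they are never sent through a TOTP challenge they cannot benefit from.
  if (user.getGroup(REQUIRED_GROUP) == null) {
    var deny = new HtmlPageDenyDecisionHandler();
    deny.setMacro("@MESSAGE@",
      "This user does not belong to the required group and is not allowed to perform SSO");
    context.setDecision(Decision.deny(deny));
    return;
  }
  // 2. Members must have completed TOTP; otherwise step them up and return here via @ACTION@.
  if (!hasAuthenticated(user, TOTP_MECHANISM)) {
    var challenge = new RedirectChallengeDecisionHandler();
    challenge.setRedirectUri(TOTP_REDIRECT);
    context.setDecision(Decision.challenge(challenge));
    return;
  }
  // 3. Only a group member with TOTP completed reaches the allow.
  context.setDecision(Decision.allow());
}

// Wrapper (part of the stand-in) to run the policy against a constructed user.
function decideFor(userSpec) {
  var ctx = makeContext(userSpec);
  runPolicy(ctx);
  return ctx.getDecision();
}
```

The ordering matters: the deny check runs before the challenge so that a non-member cannot be bounced into the TOTP flow, and the allow is reached only after both conditions hold, which is the behaviour the two independent flag-driven samples cannot express on their own.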