The yaml file provided below contains an example YAML configuration for an IBM Application Gateway (IAG) container which:
- Configures an IBM Security Verify tenant as the identity provider using OIDC;
- Defines a single Web application which will be proxied by the IAG;
- Defines an authorization policy for the Web application which will enforce second-factor (2FA) authentication.
version: "20.09" # # Configure an IAG container to proxy a single Web application, and define # an authorization policy for the Web application. The authorization policy # will enforce that a particular ACR is present in the token received from # IBM Security Verify. # # # Specify an IBM Security Verify tenant as the identity provider for the # container. Please note that the values provided below are for illustrative # purposes only and don't reflect a real tenant. A free tenant can be created # using the instructions found at the following URL: # https://www.ibm.com/us-en/marketplace/cloud-identity-for-consumers # # The discovery endpoint has the following format: # https://<verify host>/oidc/endpoint/default/.well-known/openid-configuration # # The redirect URI which is used in the SSO flow is constructed from the host # header contained in the request, appended with '/pkmsoidc' (for example: # https://ibm-app-gateway.ibm.com/pkmsoidc). This redirect URI should be # specified when creating the custom application within the CI administrators # console. # identity: oidc: discovery_endpoint: "https://ibm_app_gw.ice.ibmcloud.com/oidc/endpoint/default/.well-known/openid-configuration" client_id: "300141b6-690b-4e4e-862d-2c96da2bb1ba" client_secret: "wPP8rM8N0d" # # Define an resource server which will be hosted at the '/static' path of the # IAG container. A single Web server, located at http://10.10.10.200:1337, # hosts the resource server. # resource_servers: - path: "/static" connection_type: "tcp" servers: - host: "10.10.10.200" port: 1337 transparent_path: false # # The following authorization policy will enforce that the current credential # contains the 'acr' attribute with the value 'urn:ibm:security:policy:id:2'. # If the 'acr' is any other value, this policy will obligate that # authentication should take place again and indicate to the identity provider # that we want the 'urn:ibm:security:policy:id:2' authentication experience to # take place. # # Note that: # - The field which we receive from the identity provider is 'acr', this is # stored in the credential and can be used in our policy rule authoring. # - The parameter we send to the identity provider during authentication is # named 'acr_values', this is a space separated string of authentication # experiences that IAG as a relying party is asking to take place. # policies: authorization: - name: "enforce_2fa" paths: - "*" rule: 'acr != "urn:ibm:security:policy:id:2"' action: "obligate" obligation: oidc: acr_values: "urn:ibm:security:policy:id:2" - name: "permit_with_2fa" paths: - "*" rule: 'acr = "urn:ibm:security:policy:id:2"' action: "permit" - name: "deny_access" paths: - "*" rule: "()" action: "deny"