2.5.4 Setting Up Policies

Access Gateway lets you retrieve information from your LDAP directory and inject the information into HTML headers, query strings, or basic authentication headers. Access Gateway can then send this information to the back-end web servers. Access Manager calls this technology Identity Injection.

This is one of the features within Access Manager that enables single sign-on. Users are prompted for their login credentials only once, and Access Manager then supplies them to the resources you have configured for Identity Injection.

This section explains how to set up an Identity Injection policy for basic authentication. This policy is assigned to the third directory on your web server: the basic directory, for which your web server has been configured to require basic authentication before allowing access.

  1. Click Devices > Access Gateways > Edit > [Reverse Proxy Name] > [Proxy Service Name] > Protected Resources > New.

  2. Configure the resource for the basic directory as described in Section 2.1, Prerequisites for a Basic Access Manager Setup:

    1. For the contract, select Name/Password - Basic or Name/Password - Form.

    2. For the URL path, specify the path to the basic directory (/basic/*).

    3. Click OK.

  3. Click [Protected Resource Name] > Identity Injection.

    On a new installation, the list is empty because no policies have been created.

  4. In the Identity Injection Policy List section, click Manage Policies.

  5. In the Policy List section, click New, then specify values for the following fields:

    Name: Specify a name for the Identity Injection policy.

    Type: Select Access Gateway: Identity Injection.

  6. Click OK.

  7. (Optional) Specify a description for the policy.

  8. In the Actions section, click New > Inject into Authentication Header.

  9. Set up the policy for User Name and Password:

    • For User Name, select Credential Profile and LDAP Credentials: LDAP User Name.

      This injects the value of the cn attribute into the header.

    • For Password, select Credential Profile and LDAP Credentials: LDAP Password.

    The policy must look similar to the following:

  10. Click OK > OK > Apply Changes > Close.

  11. Select the new Identity Injection policy, then click Enable > OK.

  12. Click Devices > Access Gateways > Update > OK.

  13. To test this configuration from a client browser, specify the published DNS name as the URL in the browser. Click the link to the page that uses basic authentication.

    You are prompted to log in. If you have set up web applications on your web server that require login, any additional login prompts are hidden from the user and are handled by the identity injection system.
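To confirm on the back-end web server that the policy injected the expected credentials, you can decode the Authorization header of a proxied request. The following is an added example, not part of the product documentation; the function names and the sample user jsmith are hypothetical. It assumes the standard basic authentication encoding (RFC 7617), in which the header carries base64 of "user:password", which is an encoding and not encryption.

```python
import base64
import binascii

def build_basic_header(user, password):
    """Authorization header value for a user/password pair (RFC 7617)."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def parse_basic_header(value):
    """Return (user, password) from an Authorization value, or None."""
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first ':' only, because passwords may contain colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password

def check_injection(headers, expected_cn):
    """Report whether a request carries injected credentials for expected_cn."""
    creds = parse_basic_header(headers.get("Authorization"))
    if creds is None:
        return "no usable Basic credentials in request"
    user, password = creds
    if user != expected_cn:
        return f"unexpected user name {user!r}"
    if not password:
        return "user name matches but password is empty"
    return "ok"

if __name__ == "__main__":
    # Constructed sample: headers the back-end might receive for cn=jsmith.
    sample = {"Authorization": build_basic_header("jsmith", "s3cr:et")}
    print(check_injection(sample, "jsmith"))
```

Never log the decoded password; report only the result of the check.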