Content provider
Overview
The content provider can be thought of as an alias for a domain. For example, an organization could have two domains to serve specific user populations such as employees.companyname.com and contractors.companyname.com. Within OpenIAM, the content providers mapped to each domain would be named Employees and Contractors respectively. Organizations can have multiple content providers per instance of OpenIAM.
Content providers allow for flexible applications of authentication policies so that each domain can have fine-tuned methods of security unique to their users. Authentication policies can be set at the URL level in addition to the global level for a domain so that an organization could theoretically configure a content provider to require MFA for self-service in one domain while another content provider would not be configured to have such a requirement. Content providers can also be mapped to differing protocols, such as http and https.
Additionally, content providers allow for custom stylesheets and branding to be applied to their corresponding domains.
Creating a new content provider
- Open a web browser and enter the URL of the webconsole of your OpenIAM instance. (The URL follows the format of
https://[OPENIAM_INSTANCE_NAME]/webconsole.) Select Enter. - Enter your login credentials and select Next. Note: your account must have Super Security Admin privileges to access the webconsole.
- Enter a Content Provider Name to identify the content provider from within the webconsole.
- Select the appropriate radio button to indicate whether your instance supports HTTP, HTTPS, or both.
- Select Save.
Configuring a content provider
- Log in to the webconsole.
- Select Access Control > Content Providers. Select the Actions button for the corresponding content provider you wish to configure.
- The table below provides a description of the fields on the Edit Content Provider screen.
| Field name | Description |
|---|---|
| Authentication Provider | Select the authentication provider from the drop-down list to apply the selected authentication policy upon login. |
| Content Provider Name | A name of your choosing to identify the content provider. |
| Description | A description of the content provider. |
| URL | The landing page for this content provider. |
| Domain Pattern | The domain pattern of your application. |
| Authentication Cookie Name | The name of the cookie that will be used to store the authentication token. |
| Authentication Cookie Domain | The domain of the authentication cookie. |
| Category | To add the content provider to a category in the self-service request catalog, select an option from the drop-down list. |
| Postback URL Parameter Name | When redirecting from the login page URL, this parameter will indicate where to redirect upon successful authentication. |
| UI Theme | To apply pre-configured UI themes (style sheets and branding) to the content provider, select the UI theme name from the drop-down list. UI themes can be created/configured under Administration > UI Themes. |
| Does this application support SSL? | Select Yes or No from the drop-down list. |
| Is Authorization Disabled? | Users accessing a content provider with authorization enabled must be authorized to the content provider’s resource. |
| Show on Applications Page | If enabled, the content provider will appear on the My Applications page and launch pad of the self-service portal. |
| Set Access-Control-Allow-Origin Header | If enabled, this will set the Access-Control-Allow-Origin Header to the specified URL. |
| Support Global Logout | If enabled, logging out of OpenIAM will log the user out of all accounts he/she is currently logged into. If not enabled, the user will only be logged out of OpenIAM during logout and their other sessions will remain active. |
| Application Unavailable | If enabled, users not entitled to the resource marked as unavailable will be redirected to the URL specified under Unavailable URL by the proxy. Entitled users will proceed as if the application is available. This is present for debugging purposes. |
| Unavailable URL | The user will be redirected to this URL if the application is unavailable. |
| Supported Authentication Rules | Select the plus sign to add pre-defined authentication rules to the content provider. Authentication rules are defined under Policy > Authentication Rule. |
| Application Server | This specifies where the reverse proxy will proxy the request to. |
- Select Save.
URI Patterns
The content provider allows organizations to apply functionality to the URI patterns of their instance of OpenIAM.
- Select the Actions button of the corresponding URI pattern to be modified.
The table below provides a description of the fields at the top of the page.
| Field name | Description |
|---|---|
| Pattern | The URI pattern that is being modified. |
| Application Path | The location of where the request will be proxied to. By default, it will proxy to the URI in the request. |
| Authentication Provider | Inherit from content provider refers to applying the same authentication policy set at the global level for the content provider. Otherwise, select an authentication provider from the drop-down list to be applied to the current URI pattern. |
| UI Theme | Inherit from content provider refers to applying the same UI theme set at the global level for the content provider. Otherwise, select a UI theme from the drop-down list to be applied to the current URI pattern. |
| Redirect URL | If a user enters this URI pattern, they will be redirected to the URL specified in this field. It can either be relative to the content provider, or absolute. |
| Redirect URL Groovy Script | If a user enters this URI pattern, the groovy script specified in this field will determine where to redirect the user. The variable set in this field will override the Redirect URL value set at the global level for the content provider. |
| Is Authorization Disabled | If enabled, users accessing this URI pattern must be authorized to access the URI pattern’s resource. Authorization checks are skipped if this option is disabled. |
| Show on Applications Page | If enabled, the URI pattern will appear on the My Applications page and launch pad of the self-service portal. |
| Ignore XSS | If enabled, cross-site scripting rules will not be applied to all HTTP requests for this URI pattern. |
| Cachable | If enabled, the proxy will cache requests to this URI pattern for the number of seconds specified in the Cache TTL field (described below). |
| Cache TTL | Requests to this URI pattern will be cached by the proxy for the number of seconds specified in this field. |
Request parameters
This field enables the option to match URI patterns based on the request parameters that are passed.
The table below provides an explanation of the options from the drop-down list.
| Option | Description |
|---|---|
| Ignore request parameters when doing a match | Matches the URI pattern regardless of whether request parameters are passed or not. |
| No request parameters | Matches the URI pattern only if no request parameters are passed. |
| Specific request parameters are present | Matches the URI pattern only if the specified request parameters are passed.
|
| Any number of parameters are present | Matches the URI pattern when any request parameters are passed. |
Supported Authentication Levels
This field applies authentication rules to the specified URI pattern.
- Select the plus sign on the right-hand side. From the drop-down list in the dialog, choose the authentication rule you wish to apply to the URI pattern and select Save.
Multiple authentication rules can be applied to a URI pattern.
Application Servers
This field specifies where the reverse proxy will proxy the request to for the specified URI pattern.
- Select the plus sign on the right-hand side. Enter the server URL in the dialog to specify where the request should be proxied to. Select Save.
XSS Rules
This field allows cross-site scripting rules to be applied to the specified URI pattern.
- Select the plus sign on the right-hand side. Enter the Parameter Name so that cross-site scripting rules are applied when the specified parameter is present. Select Ignore XSS so that cross-site scripting rules are not applied when the specified parameter is present. Select Save.
HTML Substitution List
This option allows for text in a response body to be substituted when a request is made.
- Select the plus sign on the right-hand side. In the Text Query field, enter the text to be substituted. In the Replace With field, enter the substitution. Select Save.
Metadata
This field allows for metadata rules to be applied to the specified URI pattern.
- Select the plus sign on the right-hand side. Enter the Metadata Name.
- Select the Metadata Type. The options are listed below:
- Set Cookie
- Exclude Cookie
- Exclude Header
- Form Post Processor
- Set Header
- Set URI String Pattern
- Select the plus sign next to Metadata Attributes. Enter the Property Name. Select the Property Type from the drop-down. The options are listed below:
- Groovy Script
- Fetched Value
- Static Value
- Value from User
- Empty Value
Enter the Property Value and select Save. Multiple attributes can be created.
- Select Save.
Error Mappings
The field allows for redirection to URLs for specific HTTP response codes.
- Select the plus sign on the right-hand side. Enter the HTTP Code that should initiate the URL redirect. Enter the Redirect URL. Select Save.
Supported HTTP Methods
This field specifies HTTP methods for the specified URI pattern.
- From the drop-down list, select the HTTP method. The options are listed below:
- Get
- Head
- Post
- Put
- Patch
- Delete
- Options
- Trace
- Select the plus sign next to Metadata Attributes. Please refer to the "Metadata" section above for more information.
- From the drop-down list below, select the option for request parameters. Please refer to the "Request Parameters" section above for more information.
- Select Save.