Content provider

Overview

The content provider can be thought of as an alias for a domain. For example, an organization could have two domains to serve specific user populations such as employees.companyname.com and contractors.companyname.com. Within OpenIAM, the content providers mapped to each domain would be named Employees and Contractors respectively. Organizations can have multiple content providers per instance of OpenIAM.

Content providers allow for flexible applications of authentication policies so that each domain can have fine-tuned methods of security unique to their users. Authentication policies can be set at the URL level in addition to the global level for a domain so that an organization could theoretically configure a content provider to require MFA for self-service in one domain while another content provider would not be configured to have such a requirement. Content providers can also be mapped to differing protocols, such as http and https.

Additionally, content providers allow for custom stylesheets and branding to be applied to their corresponding domains.

Creating a new content provider

  1. Open a web browser and enter the URL of the webconsole of your OpenIAM instance. (The URL follows the format of https://[OPENIAM_INSTANCE_NAME]/webconsole.) Select Enter.
  2. Enter your login credentials and select Next. Note: your account must have Super Security Admin privileges to access the webconsole.
  3. Enter a Content Provider Name to identify the content provider from within the webconsole.
  4. Select the appropriate radio button to indicate whether your instance supports HTTP, HTTPS, or both.
  5. Select Save.

Configuring a content provider

  1. Log in to the webconsole.
  2. Select Access Control > Content Providers. Select the Actions button for the corresponding content provider you wish to configure.
  3. The table below provides a description of the fields on the Edit Content Provider screen.
Field nameDescription
Authentication ProviderSelect the authentication provider from the drop-down list to apply the selected authentication policy upon login.
Content Provider NameA name of your choosing to identify the content provider.
DescriptionA description of the content provider.
URLThe landing page for this content provider.
Domain PatternThe domain pattern of your application.
Authentication Cookie NameThe name of the cookie that will be used to store the authentication token.
Authentication Cookie DomainThe domain of the authentication cookie.
CategoryTo add the content provider to a category in the self-service request catalog, select an option from the drop-down list.
Postback URL Parameter NameWhen redirecting from the login page URL, this parameter will indicate where to redirect upon successful authentication.
UI ThemeTo apply pre-configured UI themes (style sheets and branding) to the content provider, select the UI theme name from the drop-down list. UI themes can be created/configured under Administration > UI Themes.
Does this application support SSL?Select Yes or No from the drop-down list.
Is Authorization Disabled?Users accessing a content provider with authorization enabled must be authorized to the content provider’s resource.
Show on Applications PageIf enabled, the content provider will appear on the My Applications page and launch pad of the self-service portal.
Set Access-Control-Allow-Origin HeaderIf enabled, this will set the Access-Control-Allow-Origin Header to the specified URL.
Support Global LogoutIf enabled, logging out of OpenIAM will log the user out of all accounts he/she is currently logged into. If not enabled, the user will only be logged out of OpenIAM during logout and their other sessions will remain active.
Application UnavailableIf enabled, users not entitled to the resource marked as unavailable will be redirected to the URL specified under Unavailable URL by the proxy. Entitled users will proceed as if the application is available. This is present for debugging purposes.
Unavailable URLThe user will be redirected to this URL if the application is unavailable.
Supported Authentication RulesSelect the plus sign to add pre-defined authentication rules to the content provider. Authentication rules are defined under Policy > Authentication Rule.
Application ServerThis specifies where the reverse proxy will proxy the request to.
  1. Select Save.

URI Patterns

The content provider allows organizations to apply functionality to the URI patterns of their instance of OpenIAM.

  • Select the Actions button of the corresponding URI pattern to be modified.

The table below provides a description of the fields at the top of the page.

Field nameDescription
PatternThe URI pattern that is being modified.
Application PathThe location of where the request will be proxied to. By default, it will proxy to the URI in the request.
Authentication ProviderInherit from content provider refers to applying the same authentication policy set at the global level for the content provider. Otherwise, select an authentication provider from the drop-down list to be applied to the current URI pattern.
UI ThemeInherit from content provider refers to applying the same UI theme set at the global level for the content provider. Otherwise, select a UI theme from the drop-down list to be applied to the current URI pattern.
Redirect URLIf a user enters this URI pattern, they will be redirected to the URL specified in this field. It can either be relative to the content provider, or absolute.
Redirect URL Groovy ScriptIf a user enters this URI pattern, the groovy script specified in this field will determine where to redirect the user. The variable set in this field will override the Redirect URL value set at the global level for the content provider.
Is Authorization DisabledIf enabled, users accessing this URI pattern must be authorized to access the URI pattern’s resource. Authorization checks are skipped if this option is disabled.
Show on Applications PageIf enabled, the URI pattern will appear on the My Applications page and launch pad of the self-service portal.
Ignore XSSIf enabled, cross-site scripting rules will not be applied to all HTTP requests for this URI pattern.
CachableIf enabled, the proxy will cache requests to this URI pattern for the number of seconds specified in the Cache TTL field (described below).
Cache TTLRequests to this URI pattern will be cached by the proxy for the number of seconds specified in this field.

Request parameters

This field enables the option to match URI patterns based on the request parameters that are passed.

The table below provides an explanation of the options from the drop-down list.

OptionDescription
Ignore request parameters when doing a matchMatches the URI pattern regardless of whether request parameters are passed or not.
No request parametersMatches the URI pattern only if no request parameters are passed.
Specific request parameters are presentMatches the URI pattern only if the specified request parameters are passed.
  1. Select the plus sign below the drop-down list on the right-hand side.
  2. Enter the parameter name and value. Select the plus sign to add more request parameters. Otherwise, select Save.
Any number of parameters are presentMatches the URI pattern when any request parameters are passed.

Supported Authentication Levels

This field applies authentication rules to the specified URI pattern.

  • Select the plus sign on the right-hand side. From the drop-down list in the dialog, choose the authentication rule you wish to apply to the URI pattern and select Save.

Multiple authentication rules can be applied to a URI pattern.

Application Servers

This field specifies where the reverse proxy will proxy the request to for the specified URI pattern.

  • Select the plus sign on the right-hand side. Enter the server URL in the dialog to specify where the request should be proxied to. Select Save.

XSS Rules

This field allows cross-site scripting rules to be applied to the specified URI pattern.

  • Select the plus sign on the right-hand side. Enter the Parameter Name so that cross-site scripting rules are applied when the specified parameter is present. Select Ignore XSS so that cross-site scripting rules are not applied when the specified parameter is present. Select Save.

HTML Substitution List

This option allows for text in a response body to be substituted when a request is made.

  • Select the plus sign on the right-hand side. In the Text Query field, enter the text to be substituted. In the Replace With field, enter the substitution. Select Save.

Metadata

This field allows for metadata rules to be applied to the specified URI pattern.

  1. Select the plus sign on the right-hand side. Enter the Metadata Name.
  2. Select the Metadata Type. The options are listed below:
  • Set Cookie
  • Exclude Cookie
  • Exclude Header
  • Form Post Processor
  • Set Header
  • Set URI String Pattern
  1. Select the plus sign next to Metadata Attributes. Enter the Property Name. Select the Property Type from the drop-down. The options are listed below:
  • Groovy Script
  • Fetched Value
  • Static Value
  • Value from User
  • Empty Value

Enter the Property Value and select Save. Multiple attributes can be created.

  1. Select Save.

Error Mappings

The field allows for redirection to URLs for specific HTTP response codes.

  • Select the plus sign on the right-hand side. Enter the HTTP Code that should initiate the URL redirect. Enter the Redirect URL. Select Save.

Supported HTTP Methods

This field specifies HTTP methods for the specified URI pattern.

  1. From the drop-down list, select the HTTP method. The options are listed below:
  • Get
  • Head
  • Post
  • Put
  • Patch
  • Delete
  • Options
  • Trace
  1. Select the plus sign next to Metadata Attributes. Please refer to the "Metadata" section above for more information.
  2. From the drop-down list below, select the option for request parameters. Please refer to the "Request Parameters" section above for more information.
  3. Select Save.