User:Paulpehrson/Sandbox/Reverse Proxying and Enforcement
Reverse Proxying and Enforcement
As shown in Figure 1, traffic to the site is resolved by DNS to a special reverse proxy, known in OpenSSO terminology as an agent. As hinted at already, the agent looks at each request and checks whether the requested URL is accessible to the user. It first consults a list of unenforced URLs. If the URL is found in that list, the request is proxied onward to the appropriate cluster. If it is not found, the agent must consult access policies to ensure that the user is allowed access.

If the user does not have a currently active session, the agent redirects the user to a sign-in page. This sign-in page is typically itself an application protected by the agent, but its URLs are included in the unenforced list so that its traffic passes through the agent. Upon receiving the user's credentials, the sign-in service uses a REST API on the policy server to authenticate the user. If authentication succeeds, the application sets the resulting token in a cookie and redirects the user's browser back to the original URL.

Upon receiving the original request with the active cookie, the agent contacts the policy server and asks whether the user is allowed to access the URL. The policy server consults all configured policies protecting that URL to see whether the user meets any of their conditions, and accordingly either forbids access or allows the traffic to be routed onward to the targeted application.
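The decision sequence above (unenforced list, session check with redirect to sign-in, REST authentication, then policy evaluation) as a runnable model. This is an added example written for this page, not OpenSSO's agent or policy server code; the sign-in URL, the cookie name `ssoToken`, the user table, the policies and the unenforced list are all constructed for the walk-through.

```python
"""Model of an OpenSSO-style policy agent in front of a site (added example, not OpenSSO code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import quote
import hashlib
import hmac
import secrets

SIGN_IN_URL = "https://www.example.com/login/"   # assumed sign-in application URL
COOKIE_NAME = "ssoToken"                          # assumed session cookie name


@dataclass
class Request:
    url: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Decision:
    action: str                    # "proxy", "redirect" or "forbid"
    target: Optional[str] = None   # URL proxied to or redirected to


class PolicyServer:
    """Stand-in for the policy server: issues sessions and evaluates policies."""

    def __init__(self, users, policies):
        self.users = users          # constructed: username -> {"pw": sha256 hex, "roles": set}
        self.policies = policies    # list of (URL glob, condition(user_attrs) -> bool)
        self.sessions = {}          # token -> user attributes

    def authenticate(self, username, password):
        """What the sign-in app calls over the REST API; returns a session token or None."""
        stored = self.users.get(username)
        digest = hashlib.sha256(password.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored["pw"], digest):
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = {"name": username, "roles": stored["roles"]}
        return token

    def session_user(self, token):
        return self.sessions.get(token)

    def is_allowed(self, url, user):
        """Access is granted if any policy covering the URL has a satisfied condition."""
        return any(fnmatchcase(url, pat) and cond(user) for pat, cond in self.policies)


class Agent:
    """The reverse proxy: decides per request whether to proxy, redirect or forbid."""

    def __init__(self, unenforced, policy_server):
        self.unenforced = unenforced
        self.ps = policy_server

    def handle(self, req):
        # 1. Unenforced URLs (the sign-in app, static assets) pass straight through.
        if any(fnmatchcase(req.url, pat) for pat in self.unenforced):
            return Decision("proxy", req.url)
        # 2. No active session: send the browser to sign-in, remembering the original URL.
        user = self.ps.session_user(req.cookies.get(COOKIE_NAME))
        if user is None:
            return Decision("redirect", f"{SIGN_IN_URL}?goto={quote(req.url, safe='')}")
        # 3. Active session: ask the policy server whether this user may reach this URL.
        if self.ps.is_allowed(req.url, user):
            return Decision("proxy", req.url)
        return Decision("forbid")


def build_demo():
    """Constructed users, policies and unenforced list for the walk-through."""
    users = {
        "alice": {"pw": hashlib.sha256(b"alice-pass").hexdigest(), "roles": {"staff"}},
        "bob": {"pw": hashlib.sha256(b"bob-pass").hexdigest(), "roles": set()},
    }
    policies = [
        ("https://www.example.com/intranet/*", lambda u: "staff" in u["roles"]),
        ("https://www.example.com/public/*", lambda u: True),
    ]
    ps = PolicyServer(users, policies)
    return Agent(["https://www.example.com/login/*"], ps), ps


def walk_through():
    """Replays the sequence from the text and returns the four agent decisions."""
    agent, ps = build_demo()
    original = "https://www.example.com/intranet/payroll"
    first = agent.handle(Request(original))                           # no cookie -> redirect
    token = ps.authenticate("alice", "alice-pass")                    # sign-in app hits REST API
    second = agent.handle(Request(original, {COOKIE_NAME: token}))    # policy met -> proxy
    bob = ps.authenticate("bob", "bob-pass")
    third = agent.handle(Request(original, {COOKIE_NAME: bob}))       # policy not met -> forbid
    login = agent.handle(Request("https://www.example.com/login/form"))  # unenforced -> proxy
    return first, second, third, login


if __name__ == "__main__":
    for decision in walk_through():
        print(decision)
```

Two things the model makes visible that the prose only implies: the unenforced list is matched before any session or policy check, so an over-broad pattern there silently exposes protected applications, and an unknown or expired token is treated exactly like no cookie at all, which is why a forged cookie value only produces a redirect to sign-in rather than a policy lookup.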