Displaying Identity Injection and Form Fill Policy Results, and Using Identity Injection to View Roles
You can troubleshoot Identity Injection and Form Fill Policies using standard Access Management logging tools, or you can use a network sniffer to see what is actually sent to the web server. If you just want to see on your screen what information the web server is actually receiving, you can use PHP to display Form & Header information.
This article contains sample pages that will do the trick. The sample pages can be downloaded here: ampoltest.zip
You need to configure PHP on your webserver and copy the attached files to the documents folder. For this article, I’ve configured a SLES server with Apache to host the web pages. If you’re using another web server, refer to the documentation for PHP configuration.
1. Copy the attached files to the DocumentRoot or another accessible folder. The default on SLES is /srv/www/htdocs
2. Make sure that “apache2-mod_php5” is installed.
3. Make sure that php5 is configured in the configuration file /etc/sysconfig/apache2. (You can also use YaST or edit the conf files in /etc/apache2)
Figure 1 – Configuring php5
4. Create a reverse proxy service that accelerates the web server.
5. Configure a protected resource that will protect the web pages.
6. Assign a contract to this protected resource.
7. Open a browser and go to http(s)://configured_reverse_proxy/configured_path/ampoltest.php
If your Web Server and Access Gateway are correctly configured, you’ll see the following page. If you don’t see the buttons on the page, check your PHP configuration.
Figure 2 – Buttons on the NAM Policy Tester page
When you click the Form Fill Policy Test Form button, you’re redirected to the http(s)://configured_reverse_proxy/configured_path/amfftest.html page. This page contains a form with all the types of input fields that Access Manager supports. If you fill in an input field and click Submit Form, a page is loaded that displays the values that are sent to the web server. You can use this form to create and test Form Fill policies.
Figure 3 – Form Fill Policy Test Form
You’ll need to create a Form Fill policy and enable this policy in the protected resource.
1. In Form Selection, use the Form Name “form1” to identify the form.
2. Add all the information you want to have displayed in the Fill Options section.
Figure 4 – Fill Options data
After enabling the policy, you can go back to the http(s)://configured_reverse_proxy/configured_path/amfftest.html page. The Access Gateway will detect the form and auto submit the form to the webserver with the configured information. The webserver will display the results on a new web page.
Figure 5 – Results of Form Fill Policy
1. Create a new Identity Injection policy.
2. Enable this policy in the protected resource.
3. Add all the information you want to inject in this policy.
Figure 6 – Identity injection information
After enabling the Identity Injection policy, you can go to http(s)://configured_reverse_proxy/configured_path/amiitest.php
All the injected information is displayed by type on this page. The authentication header will be displayed both encoded and decoded.
Figure 7 – Results of identity injection
You can also use Identity Injection to display your current roles.
1. Create a new Identity Injection policy that injects a custom header with name X-roles.
2. For the value, select Roles for Current User.
3. Enable this policy on the protected resource.
Figure 8 – Enabling the identity injection policy
When you navigate to amiitest.php, the current roles are displayed on the screen after the authentication header.
Figure 9 – Roles for current user
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.