What is Dynamic Policy Agents in ForgeRock IG?

Dynamic Policy Agents in ForgeRock IG enable real-time policy evaluation and enforcement. Instead of static policies, these agents fetch and apply policies dynamically from external systems, ensuring that authorization decisions are always up-to-date with the latest conditions.

Why use Dynamic Policy Agents?

Use this when:

• You need real-time policy updates based on dynamic conditions.
• Your application requires adaptive policies that change based on user behavior, location, or time.
• You want to integrate with external policy management systems.

How do Dynamic Policy Agents work?

Dynamic Policy Agents work by integrating with external policy sources. When a request is made, the agent queries the external system for the appropriate policies, evaluates them, and enforces the resulting authorization decisions. This process happens in real-time, ensuring that the most current policies are always applied.

Setting Up Dynamic Policy Agents

Let’s walk through setting up Dynamic Policy Agents in ForgeRock IG.

Prerequisites

• ForgeRock IG installed and running
• External policy management system available
• API access to the policy management system

Step-by-Step Guide

Example Configuration

Here’s an example configuration for a Dynamic Policy Agent in ForgeRock IG:

{
  "name": "dynamic-policy-agent",
  "type": "Route",
  "config": {
    "baseUri": "${environment.baseUri}",
    "condition": "${matches(request.uri.path, '^/protected')}",
    "heap": [
      {
        "name": "policy-source",
        "type": "HttpClient",
        "config": {
          "uri": "https://policy.example.com/api/policies",
          "headers": {
            "Authorization": ["Bearer ${secrets.policy-api-token}"]
          }
        }
      },
      {
        "name": "pdp",
        "type": "Chain",
        "config": {
          "handlers": [
            {
              "type": "DispatchHandler",
              "config": {
                "bindings": [
                  {
                    "condition": "${true}",
                    "handler": "policy-source"
                  }
                ]
              }
            },
            {
              "type": "ScriptedDecisionHandler",
              "config": {
                "script": "policy-enforcement.js"
              }
            }
          ]
        }
      }
    ],
    "handler": "pdp"
  }
}

Explanation

• policy-source: An HttpClient that connects to the external policy management system.
• pdp: A Chain that dispatches requests to the policy-source and then processes the response using a ScriptedDecisionHandler.

Scripted Decision Handler

The ScriptedDecisionHandler uses a JavaScript file (policy-enforcement.js) to enforce the policies. Here’s an example script:

(function () {
  var policyResponse = request.entity;
  var policies = JSON.parse(policyResponse);

  // Enforce policies
  policies.forEach(function (policy) {
    if (!policy.evaluate(request)) {
      response.status = 403;
      response.entity = { "message": "Access denied" };
      return false;
    }
  });

  return true;
})();

Explanation

• The script parses the policy response from the external system.
• It iterates over each policy and evaluates it against the request.
• If any policy denies access, the script sets the response status to 403 and returns false.

Common Pitfalls

Incorrect Configuration

Wrong Way

{
  "name": "policy-source",
  "type": "HttpClient",
  "config": {
    "uri": "https://wrong-url.example.com/api/policies",
    "headers": {
      "Authorization": ["Bearer ${secrets.policy-api-token}"]
    }
  }
}

Right Way

{
  "name": "policy-source",
  "type": "HttpClient",
  "config": {
    "uri": "https://policy.example.com/api/policies",
    "headers": {
      "Authorization": ["Bearer ${secrets.policy-api-token}"]
    }
  }
}

Security Vulnerabilities

Vulnerable Code

var policyResponse = request.entity;
var policies = JSON.parse(policyResponse); // Potential injection point

Secure Code

var policyResponse = request.entity;
try {
  var policies = JSON.parse(policyResponse);
} catch (e) {
  response.status = 400;
  response.entity = { "message": "Invalid policy response" };
  return false;
}

Comparison Table

Quick Reference

Security Considerations

• Client secrets must stay secret - never commit them to git.
• Validate all inputs from the external policy source.
• Regularly audit policy configurations and access logs.
• Use HTTPS for secure communication between IG and the external policy source.

Troubleshooting

Error: Unable to connect to policy source

Solution

Ensure that the URI in the HttpClient configuration is correct and that there are no network issues preventing IG from reaching the external policy source.

Error: Invalid policy response

Solution

Parse the policy response carefully and handle any parsing errors to prevent the application from crashing.

Final Thoughts

Dynamic Policy Agents in ForgeRock IG provide powerful capabilities for real-time authorization. By integrating with external policy sources, you can ensure that your application always enforces the most current policies. Follow the steps outlined in this guide to set up and configure Dynamic Policy Agents effectively, and remember to prioritize security and input validation.

Start implementing Dynamic Policy Agents today to enhance your IAM strategy.