Web Access Manager Details


Agenda

• Overview

• Agent / WAM server interaction

• Agent configuration

• Expressing access policies

• Other notes

WAM Overview

Agents
  • Application Web server plug-in
  • Intercepts URL
  • Decides when to ask for policy decisions
  • Finds available WAM policy server
  • Applies treatments

Server
  • Holds policies and makes decisions
  • Handles SSL-based authentications
  • Reads/writes cookies
  • Returns treatments

Agent / WAM Server Interaction

• A presented URL is passed to the WAM Server for access policy evaluation

• The WAM server returns a treatment to the agent

• The agent executes the treatment

[Figure: Agent-WAM-User Flow. Participants: Browser, Agent, Web Server, WAM Policy Server, LDAP Registry, OTP Service. Messages shown: Request (browser URL to agent), Policy referral (agent to WAM Policy Server), Challenge/Response (WAM to browser), Confirm Credentials & Authorization (WAM to LDAP Registry), Confirm Credentials (WAM to OTP Service), Write cookie (WAM to browser), Treatment Result (WAM to agent).]

Agent Configuration

• Exempted URLs

• Logging

• WAM server selection

Agent Configuration

• Exempted URLs
  – Those URLs which are outside WAM governance (e.g. public)
  – A presented URL is first compared to the list of exempted URLs
  – If the URL is exempted, then the agent allows the access itself
  – Condition can be inverted to describe only those URLs which are under WAM control

Agent Configuration

• Access Logs
  – No logging for exempted URLs
  – Agent can log either only denied or both denied and allowed access
  – Higher logging levels are for debugging purposes

WAM Agent Access Logs

Columns: Date & time | Session ID | Allow/deny comments

8/4/2006 9:12:26 28029:26e038 User tboard was allowed access to http://wamqa3.itcs.northwestern.edu:80/portal/index.html.

8/4/2006 9:12:45 28029:26e038 User tboard was denied access to http://wamqa3.itcs.northwestern.edu:80/zeta/pwd/tok/index.html.
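The agent access log is the only per-user allow/deny record this deployment produces (the server-side logs, per the "Other Notes" slide, are for debugging only), so it is the log worth parsing for review. The following is an added example, not part of the presentation or of the WAM product: it parses lines in the format shown above into fields and tallies denials per URL and per (user, URL) pair. The first two log lines are the slide's; the remaining lines and the user name "jdoe" are constructed for the tally.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the agent access-log format shown above. The first two
# lines are from the slide; the others (and user "jdoe") are invented.
SAMPLE_LOG = """\
8/4/2006 9:12:26 28029:26e038 User tboard was allowed access to http://wamqa3.itcs.northwestern.edu:80/portal/index.html.
8/4/2006 9:12:45 28029:26e038 User tboard was denied access to http://wamqa3.itcs.northwestern.edu:80/zeta/pwd/tok/index.html.
8/4/2006 9:13:02 28031:00a1ff User jdoe was denied access to http://wamqa3.itcs.northwestern.edu:80/zeta/pwd/tok/index.html.
8/4/2006 9:13:30 28031:00a1ff User jdoe was denied access to http://wamqa3.itcs.northwestern.edu:80/zeta/pwd/tok/index.html.
"""

# date time session "User" user "was" allowed|denied "access to" url, with the
# trailing period the agent appends after the URL.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}) "
    r"(?P<session>\S+) User (?P<user>\S+) was (?P<decision>allowed|denied) "
    r"access to (?P<url>\S+?)\.?$"
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    stamp = f"{d.pop('date')} {d.pop('time')}"
    d["when"] = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
    return d


def parse_log(text):
    """Parse every recognised line; unrecognised lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def denied_by_url(events):
    """Number of denials per URL (an agent may be configured to log only denials)."""
    return Counter(e["url"] for e in events if e["decision"] == "denied")


def repeated_denials(events, threshold=2):
    """(user, url) pairs denied at least `threshold` times: a review queue for a
    mis-scoped policy or for someone repeatedly hitting a protected area."""
    c = Counter((e["user"], e["url"]) for e in events if e["decision"] == "denied")
    return sorted(k for k, n in c.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for url, n in denied_by_url(evs).most_common():
        print(f"{n:3d} denied  {url}")
    print("repeated:", repeated_denials(evs))
```

Because exempted URLs are never logged (previous slide), absence of a URL from this log does not mean it was not accessed; keep that in mind when reading the tallies.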

Agent Configuration

• WAM server selection
  – Agent-WAM connections must be persistent and cannot be load-balanced
  – Agent is configured with a list of WAM servers to use in fail-over order
  – At Northwestern, we will have a recommended configuration for each campus

[Figure: Agent Failover. Two agents, one at Campus A and one at Campus B, each sit behind a Web Server receiving URLs and each hold an ordered list of the four WAM servers WAM1, WAM2, WAM3, WAM4. One campus's fail-over order is 1. WAM3, 2. WAM4, 3. WAM1, 4. WAM2; the other's is 1. WAM1, 2. WAM2, 3. WAM3, 4. WAM4.]
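The two rules above (connections are persistent, and the agent walks a fixed list in fail-over order) combine into a small selection algorithm. The following is an added example, not the presentation's or the product's code: it keeps the current WAM server as long as it answers, walks the configured order from the top only when it fails, and never load-balances or fails back on its own. The campus-to-order mapping and the `is_up` probe are assumptions; a real agent would probe with its actual SSL connection.

```python
# Constructed per-campus fail-over orders from the "Agent Failover" slide.
# Which campus uses which order is an assumption made for this example.
CAMPUS_ORDER = {
    "A": ["WAM3", "WAM4", "WAM1", "WAM2"],
    "B": ["WAM1", "WAM2", "WAM3", "WAM4"],
}


class AgentServerSelector:
    """Holds one persistent WAM server and moves on only when it stops answering."""

    def __init__(self, order, is_up):
        self.order = list(order)
        self.is_up = is_up      # probe callable (assumed); stands in for a connect check
        self.current = None     # the server the persistent connection is bound to

    def server(self):
        # Connections are persistent: stay on the current server while it answers.
        if self.current is not None and self.is_up(self.current):
            return self.current
        # Otherwise walk the configured list from the top, in fail-over order.
        for name in self.order:
            if self.is_up(name):
                self.current = name
                return name
        # No WAM server reachable: the agent cannot obtain a policy decision.
        self.current = None
        return None


if __name__ == "__main__":
    # Constructed availability table for a quick run.
    up = {"WAM1": True, "WAM2": True, "WAM3": True, "WAM4": True}
    sel = AgentServerSelector(CAMPUS_ORDER["A"], lambda s: up[s])
    print("initial:", sel.server())        # WAM3
    up["WAM3"] = False
    print("WAM3 down:", sel.server())      # WAM4
    up["WAM3"] = True
    print("WAM3 back:", sel.server())      # still WAM4 (no fail-back)
```

When `server()` returns `None`, the agent has no policy decision to execute; the sensible treatment is the default one from the "Expressing Policies" slide, deny, rather than letting the request through.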

Expressing Policies

• Default treatment is to deny access (no applicable policy)

• Default access authentication method is NetID & password (level 0)

• General URL protection logic:
  – Deny for a given level (c1) or below
  – Allow for a higher level (c2) and above
  – Generally, c2 = c1 + 1

Policy Rules Example

[Figure: URL tree of the Authentication Testbed]
Authentication Testbed
  public
  tau
    tau/pwd
      tau/pwd/tok
      tau/pwd/q
      tau/pwd/p
    tau/open
  portal
  zeta
    zeta/pwd
      zeta/pwd/tok

Policy Rules

• Agent exemption for /zeta, /tau, /tau/open

• /zeta/pwd/tok – deny <= 0; allow >= 1

• /tau/pwd/tok – deny <= 0; allow >= 1

• By default, all other URLs require level zero authentication.
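The pieces on the last few slides (agent-side exemption check with optional inversion, longest-matching policy rule, deny at level c1 and below, allow at c2 and above, deny when no policy applies) fit together into one evaluation function. The following is an added example, not the presentation's or the product's code, that models that evaluation over the testbed rules above. Assumptions: exemptions are matched as exact paths (the slide exempts /zeta and /tau while still protecting /zeta/pwd/tok, so a prefix match would not fit); "all other URLs require level zero" is expressed as a root rule `/` with c1 = -1, c2 = 0; an unauthenticated user (level `None`) receives a "challenge" treatment, matching the Challenge/Response step in the flow figure; and a level between c1 and c2 is treated as deny.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    prefix: str   # URL path this rule governs; the longest matching prefix wins
    c1: int       # deny for authentication level c1 and below
    c2: int       # allow for level c2 and above (generally c2 = c1 + 1)


# Constructed testbed from the "Policy Rules" slide. The root rule is this
# example's way of expressing "all other URLs require level zero".
EXEMPT_PATHS = {"/zeta", "/tau", "/tau/open"}
RULES = [
    Rule("/", -1, 0),             # default: NetID & password (level 0)
    Rule("/zeta/pwd/tok", 0, 1),  # deny <= 0; allow >= 1
    Rule("/tau/pwd/tok", 0, 1),   # deny <= 0; allow >= 1
]


def _path(url):
    """Normalised request path: no trailing slash, '/' for an empty path."""
    return urlsplit(url).path.rstrip("/") or "/"


def agent_is_exempt(url, exempt_paths=EXEMPT_PATHS, inverted=False):
    """Agent-side check done before any referral. Exact-path match (assumption).
    With inverted=True the list names the URLs that ARE under WAM control."""
    hit = _path(url) in exempt_paths
    return (not hit) if inverted else hit


def _matches(path, prefix):
    prefix = prefix.rstrip("/")
    return prefix == "" or path == prefix or path.startswith(prefix + "/")


def _applicable_rule(path, rules):
    hits = [r for r in rules if _matches(path, r.prefix)]
    return max(hits, key=lambda r: len(r.prefix.rstrip("/")), default=None)


def wam_treatment(url, level: Optional[int], rules=RULES):
    """WAM-server side: pick the most specific rule and apply the level logic."""
    rule = _applicable_rule(_path(url), rules)
    if rule is None:
        return "deny"         # default treatment: no applicable policy
    if level is None:
        return "challenge"    # not yet authenticated: ask for credentials
    if level >= rule.c2:
        return "allow"
    return "deny"             # level <= c1, or in the gap between c1 and c2


def decide(url, level, exempt_paths=EXEMPT_PATHS, inverted=False, rules=RULES):
    """Whole path of one request: agent exemption first, then WAM referral."""
    if agent_is_exempt(url, exempt_paths, inverted):
        return "exempt"       # agent allows it itself; nothing is referred or logged
    return wam_treatment(url, level, rules)


if __name__ == "__main__":
    host = "http://wamqa3.itcs.northwestern.edu:80"   # host from the log slide
    for path, lvl in [("/tau/open", None), ("/portal/index.html", None),
                      ("/portal/index.html", 0), ("/zeta/pwd/tok/index.html", 0),
                      ("/zeta/pwd/tok/index.html", 1)]:
        print(f"{path:28s} level={lvl!s:4s} -> {decide(host + path, lvl)}")
```

The two things worth noticing when running it: the tok URL is denied, not challenged, for a level-0 user, exactly as the slide's "deny <= 0" states, and an empty rule set denies everything, which is the fail-closed default the "Expressing Policies" slide describes.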

Other Notes

• WAM server-side logs are strictly for debugging – they do not record deny/allow by user

• All connections are encrypted via SSL

• Agents have credentials for authenticating to the WAM server

Q&A