Mapping obligations to a URL

You can define the mapping between the obligation that the policy decision point (PDP) returns and the URL that attempts to satisfy the obligation.

Procedure

  1. Open the WebSEAL configuration file.
  2. Add entries to the [obligations-urls-mapping] stanza. These entries define the mapping between an obligation and the URL that attempts to satisfy that obligation. Following is an example of the stanza and entry:
    [obligations-urls-mapping]
    obligation = URL

    Where:

    obligation
    Defines the obligation string that is returned by runtime security services. This string, or key, is case-sensitive.

    You can also use wildcard obligations in this entry. Add an asterisk at the end of an obligation to match every obligation that begins with the text before the asterisk; those obligations are redirected to the URL value. Exact matches are searched for first. If no exact match is found, wildcard matches are used.

    URL
    Defines the URL to which the user is redirected for authentication. The URL must point to an external authentication interface (EAI) application. See the WebSEAL documentation for information about the requirements for the EAI application.
  3. Save the file.
  4. Restart the WebSEAL server for the changes to take effect.

Results

When runtime security services returns an obligation, the key is searched for in the configuration file in the following order:

  1. [obligations-urls-mapping] entries
  2. [obligations-levels-mappings] entries

The keys of the entries in the [obligations-urls-mapping] stanza must be unique; they must not duplicate any key in the [obligations-levels-mappings] stanza.

Example

The following entry specifies an obligation named auth1. The value of auth1 is a URL that is used to satisfy the obligation.

[obligations-urls-mapping]
auth1 = https://example.com

To redirect all obligations that start with urn:example: to http://example.com, add the following entry:

urn:example:* = http://example.com

Suppose that you have the following entries in the [obligations-urls-mapping] stanza:

urn:example:sports = http://example.sports
urn:example:* = http://example

If runtime security services returns an obligation of urn:example:sports, the first entry is used to redirect the user to http://example.sports. In this case, both stanza entries apply to the obligation returned, but because there is an exact match, the exact-match entry is used.
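
The lookup rules above (case-sensitive keys, exact match before wildcard, keys unique across the two stanzas) can be checked offline before WebSEAL is restarted. The following Python is an added example, not part of WebSEAL or its documentation; the function names, the sample configuration, the level value 2, and the longest-prefix choice when several wildcard entries match are assumptions.

```python
# Added example: offline check of WebSEAL obligation mappings (not IBM code).
URLS = "obligations-urls-mapping"
LEVELS = "obligations-levels-mappings"

# Constructed sample; the value of auth1 under LEVELS is a placeholder.
SAMPLE_CONF = """\
[obligations-urls-mapping]
urn:example:sports = http://example.sports
urn:example:* = http://example
auth1 = https://example.com

[obligations-levels-mappings]
auth1 = 2
"""

def parse_stanzas(text):
    """Parse stanzas, splitting each entry on the first '=' only.
    Keys contain ':' and are case-sensitive, so Python's configparser
    defaults (':' as delimiter, lowercased keys) would corrupt them."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def resolve(mapping, obligation):
    """Return (url, match_kind): exact match first, then wildcard entries."""
    if obligation in mapping:
        return mapping[obligation], "exact"
    hits = [k for k in mapping
            if k.endswith("*") and obligation.startswith(k[:-1])]
    if not hits:
        return None, "none"
    # Assumption: when several wildcards match, prefer the longest prefix.
    return mapping[max(hits, key=len)], "wildcard"

def duplicate_keys(stanzas):
    """Keys present in both stanzas, which violates the uniqueness rule."""
    return sorted(set(stanzas.get(URLS, {})) & set(stanzas.get(LEVELS, {})))
```

In the constructed sample, auth1 appears in both stanzas on purpose so that duplicate_keys reports it.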