Restrict access to IDCS UI using Sign-On Policies

Introduction

The purpose of this blog post is to describe how to use Sign-On Policies to restrict access to the out-of-the-box (OOTB) Oracle Identity Cloud Service (IDCS) UI.
One use case is that End-Users should not be able to view and update their own profile details using the OOTB UI.

Overview

IDCS comes with a Default Sign-On Policy that contains one Default Sign-On Rule, which allows any authenticated user access to the IDCS “myconsole” application.

(Screenshot: IDCS Sign-On Policy)

We will update this policy to deny access for End-Users and only allow Administrative users access. You can create different kinds of conditions, but for this blog I’ll just use the Administrator check.

Note that IDCS evaluates Sign-On Policies based on the application requested: if the application has been assigned to a specific policy, IDCS uses that policy; otherwise it falls back to the Default Sign-On Policy.

After restricting the Default Sign-On Policy we will need to add additional Policies and rules to allow access to other Applications.

I’ll use a few simple test cases to check my changes.
I’ve also created a simple End-User with no special privileges that I will be using for my testing, as well as a simple Trusted Application for the OIDC test.

Initial state before any changes:

  1. Access /myconsole as End-User and be allowed access
  2. Initiate an OIDC flow using a different trusted application (DemoApp) and be allowed access

Update the Default Sign-On Rule to only allow Administrators.
Retest and expect the following result:

  1. Access /myconsole as End-User and be disallowed access
  2. Initiate an OIDC flow using a different trusted application (DemoApp) and be disallowed access

Create an additional Sign-On Policy and assign DemoApp to this Policy.
Retest and expect the following result:

  1. Access /myconsole as End-User and be disallowed access
  2. Initiate an OIDC flow using a different trusted application (DemoApp) and be allowed access

Making the changes

We only need a few changes to implement the behavior described above.

First we update the Default Sign-On Rule to only allow Administrators by selecting the “And is an administrator” condition.

(Screenshot: Default Sign-On Rule)

After applying the changes we can test the policy using a different browser session and an IDCS End-User. The result when accessing /myconsole or any other trusted application should be that access is denied:

(Screenshot: result of the End-User access attempt)

Then we can add a new Sign-On Policy called DemoPolicy with a single Rule called DemoAppAllUsersAccess that will allow any authenticated user access. Finally we assign our DemoApp to this policy to ensure it will be evaluated by IDCS instead of the Default Sign-On Policy.

(Screenshots: DemoPolicy; Assign DemoPolicy)

(Screenshot: DemoPolicy Rule)

The result is that End-Users are denied access to the IDCS UI but allowed access to our DemoApp application.
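To make the evaluation order concrete, here is an added Python model of the behaviour this post describes; it is example code, not IDCS code or its API. Each app resolves to its assigned policy or else the Default Sign-On Policy, and the first matching rule decides (an assumption of the model); names such as SignOnEvaluator and run_scenarios are made up for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class User:
    name: str
    is_admin: bool = False  # drives the "is an administrator" condition

@dataclass
class Rule:
    name: str
    admin_only: bool = False  # True models the "And is an administrator" condition
    allow: bool = True        # effect applied when the rule matches

    def matches(self, user: User) -> bool:
        # All rules here assume an authenticated user; admin is the only extra check.
        return user.is_admin or not self.admin_only

@dataclass
class Policy:
    name: str
    rules: List[Rule] = field(default_factory=list)

class SignOnEvaluator:
    # Uses the policy assigned to the app, else the Default Sign-On Policy.
    def __init__(self, default_policy: Policy) -> None:
        self.default_policy = default_policy
        self.assignments: Dict[str, Policy] = {}  # app name -> assigned policy

    def assign(self, app: str, policy: Policy) -> None:
        self.assignments[app] = policy

    def policy_for(self, app: str) -> Policy:
        return self.assignments.get(app, self.default_policy)

    def is_allowed(self, app: str, user: User) -> bool:
        # First matching rule decides (an assumption); no match means deny.
        for rule in self.policy_for(app).rules:
            if rule.matches(user):
                return rule.allow
        return False

def run_scenarios() -> Dict[str, Dict[str, bool]]:
    # Replays the post's three test states for a constructed plain End-User.
    end_user = User("enduser")
    default_rule = Rule("Default Sign-On Rule")
    engine = SignOnEvaluator(Policy("Default Sign-On Policy", [default_rule]))

    def check() -> Dict[str, bool]:
        return {a: engine.is_allowed(a, end_user) for a in ("myconsole", "DemoApp")}

    results = {"initial": check()}
    default_rule.admin_only = True  # step 1: restrict the Default Sign-On Rule
    results["restricted"] = check()
    engine.assign("DemoApp", Policy("DemoPolicy", [Rule("DemoAppAllUsersAccess")]))
    results["demo_policy"] = check()  # step 2: DemoApp now evaluated under DemoPolicy
    return results
```

Any app you add later and do not assign to a policy inherits the restricted default, which is the reason the post adds DemoPolicy for DemoApp.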
