Map obligations to a URL

We can define the mapping between the obligation the policy decision point (PDP) returns and the URL that attempts to satisfy the obligation.

Steps

  1. Open the WebSEAL configuration file.
  2. Add entries to the [obligations-urls-mapping] stanza. These entries define the mapping between an obligation and the URL that attempts to satisfy that obligation. The following example contains a complete stanza and entry:
    [obligations-urls-mapping]
    obligation = URL

    Where:

      obligation
      Define the obligation string that is returned by runtime security services. This string, or key, is case-sensitive.

      We can also use wildcard obligations in this entry. Add an asterisk at the end of an obligation so that every obligation that matches the entry, up to but not including the asterisk, is redirected to the URL value. Exact matches are searched for first. If no exact match is found, wildcard matches are used.

      URL
      Define the URL to which the user is redirected for authentication. The URL must point to an external authentication interface (EAI) application. See the WebSEAL documentation for information about the requirements for the EAI application.

  3. Save the file.
  4. Restart the WebSEAL server for the changes to take effect.

When runtime security services returns an obligation, the key is searched for in the configuration file in the following order:

  1. [obligations-urls-mapping] entries
  2. [obligations-levels-mappings] entries

The keys of the entries in the [obligations-urls-mapping] stanza must be unique: they must not duplicate any key in the [obligations-levels-mappings] entries.

Example

The following entry specifies an obligation named auth1. The value of auth1 is a URL used to satisfy the obligation.

To redirect all obligations that start with urn:example to http://www.example.com, add the following entry:

Suppose that we have the following entries in the [obligations-urls-mapping] stanza:

If runtime security services returns an obligation of urn:example:sports, the first entry is used to redirect the user to http://example.sports. In this case, both stanza entries apply to the returned obligation, but because there is an exact match, the exact-match entry is used.
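
The lookup order described above (case-sensitive keys, exact match first, then wildcard) can be modelled to check a stanza before restarting the server. This is an added example, not WebSEAL code: the function names are illustrative, the two sample entries are constructed from the prose of the example above, and raising an error when several wildcards match is an assumption, because this page does not state which wildcard takes precedence.

```python
import configparser

# Constructed sample stanza: entries inferred from the prose example above.
SAMPLE_CONF = """
[obligations-urls-mapping]
urn:example:sports = http://example.sports
urn:example* = http://www.example.com
"""


def load_url_mapping(text):
    """Return the [obligations-urls-mapping] entries as a dict."""
    # Only '=' separates key and value, so ':' inside URN keys is preserved.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keys are case-sensitive; do not lowercase them
    cp.read_string(text)
    return dict(cp["obligations-urls-mapping"])


def resolve(mapping, obligation):
    """Model the documented lookup: exact match first, then wildcard."""
    if obligation in mapping:
        return "exact", mapping[obligation]
    # A wildcard key matches on everything before its trailing asterisk.
    hits = [(key, url) for key, url in mapping.items()
            if key.endswith("*") and obligation.startswith(key[:-1])]
    if not hits:
        return "none", None
    if len(hits) > 1:
        # Assumption: precedence among wildcards is not stated on the page,
        # so report the overlap instead of silently choosing one.
        keys = sorted(key for key, _ in hits)
        raise ValueError(f"ambiguous wildcards for {obligation!r}: {keys}")
    return "wildcard", hits[0][1]


if __name__ == "__main__":
    entries = load_url_mapping(SAMPLE_CONF)
    for name in ("urn:example:sports", "urn:example:news", "URN:example:sports"):
        print(name, "->", resolve(entries, name))
```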
