How to write authentication request and token issuance access policy scripts
Introduction
This document shows how to use a policy script to enforce access control at the protocol connection level (also called the service provider level) at two points:
- When an authentication request first arrives at Identify.
- When Identify is about to issue a token to the requesting service provider.
The samples cover use cases that our customers commonly ask for: whether the client IP address is or is not within a specific range, whether a specific claim is present, and whether the logged-in user comes from a specific service provider.
Where and how to write the scripts
Both authentication request and token issuance access policy scripts are configured per protocol connection, either in that protocol connection's configuration or in the Safewhere Admin.
The complete script syntax and the list of built-in functions are documented on a separate page.
Note: the policy scripts only apply to the passive flow.
Common use cases
- Apply the authentication request or token issuance access policy for IP Addresses from 192.168.1.15 to 192.168.1.20 and not for IP Addresses from 192.168.1.0 to 192.168.1.14.
// Apply the policy to clients whose address lies in the first range,
// then exclude the sub-range given to NotApplyIPAddressRange.
Rules.ApplyIPAddressRange("192.168.1.1 - 192.168.1.20")
     .NotApplyIPAddressRange("192.168.1.17 - 192.168.1.18");
- Apply the authentication request or token issuance access policy for users who have a specific claim.
// The expression receives the rule context; the policy applies only when it returns true.
Rules.ApplyExpression((RuleContext) => {
    // True when the first-factor principal carries the role claim with the value "Administrator".
    return RuleContext.FirstFactorPrincipal.HasClaim("urn:identify:rest-api:role", "Administrator");
});
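The two rule kinds above are easy to misread when an address falls in both an apply and a not-apply range, or when a claim is present with a different value. The following Python model, added here as an illustration and not Safewhere's own code, evaluates the same IP range strings and the same claim check so that the outcome for a handful of sample addresses and claim sets can be inspected. It assumes the semantics a reader would expect from the method names: the policy applies when the client IP lies in at least one apply range and in no not-apply range, and HasClaim matches on both claim type and value exactly; the sample addresses and claims are constructed for the example.

```python
import ipaddress

# Constructed model of the page's two rule kinds. This is not Safewhere's
# implementation; it assumes the rules mean: inside an "apply" range and
# outside every "not apply" range, and an exact (type, value) claim match.


def parse_range(text):
    """Parse a 'start - end' string, the format used by ApplyIPAddressRange."""
    start, end = (part.strip() for part in text.split("-", 1))
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo > hi:
        raise ValueError(f"range start is after range end: {text!r}")
    return lo, hi


def in_any_range(ip, ranges):
    """True when ip falls inside at least one of the given 'start - end' ranges."""
    addr = ipaddress.ip_address(ip)
    return any(lo <= addr <= hi for lo, hi in map(parse_range, ranges))


def ip_rule_applies(client_ip, apply_ranges, not_apply_ranges=()):
    """Model of ApplyIPAddressRange(...).NotApplyIPAddressRange(...) (assumed semantics)."""
    return in_any_range(client_ip, apply_ranges) and not in_any_range(client_ip, not_apply_ranges)


def has_claim(claims, claim_type, claim_value):
    """Model of FirstFactorPrincipal.HasClaim(type, value) over (type, value) pairs."""
    return (claim_type, claim_value) in claims


def policy_applies(client_ip, claims):
    """Evaluate both sample rules from the page against one request.

    The page lists the rules as separate use cases; combining them with AND is
    this example's choice, so that one call shows both checks at work.
    """
    ip_ok = ip_rule_applies(
        client_ip,
        apply_ranges=["192.168.1.1 - 192.168.1.20"],
        not_apply_ranges=["192.168.1.17 - 192.168.1.18"],
    )
    claim_ok = has_claim(claims, "urn:identify:rest-api:role", "Administrator")
    return ip_ok and claim_ok


if __name__ == "__main__":
    # Constructed sample requests: (client IP, claims carried by the principal).
    samples = [
        ("192.168.1.16", [("urn:identify:rest-api:role", "Administrator")]),
        ("192.168.1.17", [("urn:identify:rest-api:role", "Administrator")]),  # in the excluded sub-range
        ("192.168.1.0", [("urn:identify:rest-api:role", "Administrator")]),   # outside the apply range
        ("192.168.1.16", [("urn:identify:rest-api:role", "User")]),           # wrong claim value
    ]
    for ip, claims in samples:
        print(f"{ip:<14} {claims[0][1]:<14} -> applies={policy_applies(ip, claims)}")
```

Running the block prints one line per sample request; only the first sample satisfies both rules. The exclusion check runs after the inclusion check, so an address such as 192.168.1.17 that sits inside both ranges is excluded, which is the behaviour to verify against your own Identify installation before relying on it.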