Version: 1.16

ASM and ADS integration

You can configure Access Decision Service (ADS) to retrieve its authorization domain from Axiomatics Services Manager (ASM) through ASM's Domain management API, as described in the Domain management API section of the ASM documentation.

For ADS to communicate with ASM, you should configure Keycloak, which ASM uses for authentication and access management.

Integration procedure

The following steps are required for a successful integration between ADS and ASM:

  1. Configure an authorization domain in an ASM project.

    For more information on how to manage authorization domain configurations, refer to the Domain management section of the ASM documentation.

  2. Set up the Keycloak client to provide authentication access to ADS, following the instructions provided in the Configure Keycloak for ADS section of the ASM documentation.

  3. Update the ADS deployment YAML file by configuring the following properties:

    • domain

      Note

      The space character (" ") in a domain name should be replaced with its URL-encoded representation in the domain property, which is %20. This ensures that the URL is correctly interpreted by web browsers and servers.

      For example, Project 1 should be replaced by Project%201 in the URL, as shown below:

      domain: https://<hostname>/adm/api/namespaces/Project%201/names/mydomain/domain

    • authHttpClientConfiguration

    • domainRefreshInterval

You can configure the domain property of the deployment.yaml file to retrieve the domain using either of ADM's two endpoints, as shown in the examples below:

  • ADS using RetrieveDomainByName endpoint

    The RetrieveDomainByName endpoint is used to retrieve a specific domain within a namespace.

    Example:

    domain: https://<hostname>/adm/api/namespaces/test/names/testA/domain

    In this example, test is the namespace and testA is the domain name.

  • ADS using RetrieveDomainByID endpoint

    The RetrieveDomainByID endpoint is used to retrieve a specific domain instance by its ID.

    Example:

    domain: http://<hostname>/adm/api/domains/e8a9e7d6-8fc6-4706-ac7d-a74eff74c58c

    In this example, e8a9e7d6-8fc6-4706-ac7d-a74eff74c58c is the domain-id.
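The following is an added example, not part of the ADS or ASM documentation: a pre-deployment check that builds a correctly percent-encoded RetrieveDomainByName URL and classifies a configured domain value against the two endpoint shapes shown above. The host asm.example.test and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# Path shapes copied from the page's RetrieveDomainByName / RetrieveDomainByID examples.
BY_NAME = re.compile(r"^/adm/api/namespaces/([^/]+)/names/([^/]+)/domain$")
BY_ID = re.compile(r"^/adm/api/domains/([^/]+)$")


def build_domain_url(host, namespace, name):
    """Build a RetrieveDomainByName URL, percent-encoding each path segment."""
    enc = lambda s: quote(s, safe="")  # safe="" also encodes "/" inside a name
    return f"https://{host}/adm/api/namespaces/{enc(namespace)}/names/{enc(name)}/domain"


def check_domain_url(url):
    """Classify a configured `domain` value and collect warnings about it."""
    result = {"endpoint": None, "warnings": []}
    if any(ch.isspace() for ch in url):
        result["warnings"].append("raw whitespace: encode spaces as %20")
    parts = urlsplit(url)
    if parts.scheme != "https":
        result["warnings"].append("scheme is not https")
    by_name, by_id = BY_NAME.match(parts.path), BY_ID.match(parts.path)
    if by_name:
        result.update(endpoint="RetrieveDomainByName",
                      namespace=unquote(by_name.group(1)),
                      name=unquote(by_name.group(2)))
    elif by_id:
        result.update(endpoint="RetrieveDomainByID", id=by_id.group(1))
    else:
        result["warnings"].append("path matches neither ADM endpoint shape")
    return result


if __name__ == "__main__":
    # Constructed sample values; asm.example.test is a placeholder host.
    samples = [
        build_domain_url("asm.example.test", "Project 1", "mydomain"),
        "https://asm.example.test/adm/api/namespaces/Project 1/names/mydomain/domain",
        "http://asm.example.test/adm/api/domains/e8a9e7d6-8fc6-4706-ac7d-a74eff74c58c",
    ]
    for s in samples:
        print(s, "->", check_domain_url(s))
```
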

    Deployment configuration sample

    This is a customized sample of an ADS deployment YAML file that supports the ADS-ASM integration configuration:

    ## Access Decision Service configuration for integration with Axiomatics Services Manager
    #### Path to license file
    license: file:<path_to_file>/axiomatics_PDP.license
    #### Path to domain configuration file
    domain: https://<hostname>/adm/api/namespaces/Test-Project/names/Test-Domain/domain
    #### Endpoint from which the client contacts the domain manager. The domain is retrieved from ASM
    #### Test-Project = namespace
    #### Test-Domain = domain name
    authHttpClientConfiguration: #### Authorization server configuration
      clientId: ads #### the ADS instance name
      clientSecret: <secret> #### the generated secret for the specific client
      tokenUri: https://<hostname>/auth/realms/asm/protocol/openid-connect/token
      #### URI to the authorization server
      timeout: 30 seconds #### The maximum idle time for a connection

    domainRefreshInterval: 5 seconds #### This property configures ADS to update the domain configuration during runtime by polling its source at regular intervals.