ASM and ADS integration
You can configure Access Decision Service (ADS) to retrieve its authorization domain from Axiomatics Services Manager (ASM) by accessing the Domain management API of ASM, as described in the Domain management APIOpens in a new tab section of the ASM documentation.
In order for ADS to communicate with ASM, you should configure Keycloak which is used by ASM for authentication and access management purposes.
Integration procedure
The following steps are required for a successful integration between ADS and ASM:
Configure an authorization domain in an ASM project.
For more information on how to manage authorization domain configurations, refer to the Domain managementOpens in a new tab section of the ASM documentation.
Set up the Keycloak client to provide authentication access to ADS, following the instructions provided in the Configure Keycloak for ADSOpens in a new tab section of the ASM documentation.
Update the ADS deployment YAML file by configuring the following properties:
domain
noteThe space character (" ") in a domain name should be replaced with its URL-encoded representation in the
domain
property, which is%20
. This ensures that the URL is correctly interpreted by web browsers and servers.For example,
Project 1
should be replaced byProject%201
in the URL, as shown below:domain: https://<hostname/adm/api/namespaces/Project%201/names/mydomain/domain
authHttpClientConfiguration
domainRefreshInterval
You can configure the domain
property of the deployment.yaml
file in order to retrieve the domain using one of the two ADM’s endpoints as displayed in the examples below:
ADS using RetrieveDomainByName endpoint
The RetrieveDomainByName endpoint is used to retrieve a specific domain within a namespace.
Example:
domain: https://<hostname>/adm/api/namespaces/test/names/testA/domain
In this example,
test
is the namespace andtestA
is the domain name.ADS using RetrieveDomainByID endpoint
The RetrieveDomainByID endpoint is used to retrieve a specific domain instance by its ID.
Example:
domain: http://<hostname>/adm/api/domains/e8a9e7d6-8fc6-4706-ac7d-a74eff74c58c
In this example,
e8a9e7d6-8fc6-4706-ac7d-a74eff74c58c
is the domain-id.Deployment configuration sample
This is a customized sample of an ADS deployment YAML file that supports the ADS-ASM integration configuration:
## Access Decision Service configuration for integration with Axiomatics Services Manager
#### Path to license file
license: file:<path_to_file>/axiomatics_PDP.license
#### Path to domain configuration file
domain: https://<hostname>/adm/api/namespaces/Test-Project/names/Test-Domain/domain
#### Endpoint from which the client contacts the domain manage. The domain is retrieved from ASM
#### Test-Project = namespace
#### Test-Domain = domain name
authHttpClientConfiguration: #### Authorization server configuration
clientId: ads #### the ADS instance name
clientSecret: <secret> #### the generated secret for the specific client
tokenUri: https://<hostname>/auth/realms/asm/protocol/openid-connect/token
####URI to the authorization server
timeout: 30 seconds #### The maximum idle time for a connection
domainRefreshInterval: 5 seconds #### This property configures ADS to update the domain configuration during runtime by polling its source at regular intervals.