Lately one of my customers requested a very simple web application, with a on-premise frontend and a backend which calls Google AI APIs.
Why a on-prem web application? The client leverages on Citrix NetScalar enable authentication through SSO.
What about authorization? They create AD groups and restrisct permission using NetScalar also as authorization layer.
The problem is that, when we were deploying in production, client policies were also changing, so the only way to implement authorization became to read headers (see the example below) and use saml-group header value on the backend.
Unfortunally we built a AngulaJS application, so reading the headers, implement httpModules or other stuff like these was not so easy, so we looked for a cheap solution to mantain the as is solution.
Using just IIS Url Rewrite Module we are able to read headers and filter access according to content without impact on the frontend application or writing a single line of code.
As you can see in this image, with a rule like this, IIS blocks every kind of request that is not coming from a user belonging to group BPO-997_CA...swich.
When referring to a particular header key (in my case saml-groups), you have to use HTTP_saml-groups input in order to create the rule.
What's wrong with this solution? It's applicable only when you need a very simple authorization (in our case only access the application) but, useful to know ;)
Credits to Valerio Angelini and Marco Aimi who worked with me testing this solution.
