Post on 10-Apr-2017
Building a Secure Enterprise
Johann Dilantha Nallathamby, Technical Lead, WSO2
Rushmin Fernando, Technical Lead, WSO2
Agenda
• WSO2 Identity Server Architecture
• SAML2 Single Sign-On/Single Logout
• XACML 3.0
• OAuth 2.0
• OpenID Connect
• User Management
• SCIM 2.0
• Plugging an external Identity Store
• Identity Cloud
Identity Server Architecture
SAML SSO
Identity provider (e.g. WSO2 IS)
Service provider (e.g. inventory)
User data
1. Log in request
2. Redirect to IDP URL
3. Request token
4. Authenticate
5. Redirect to SP with token
6. Send SAML token
Session: S1
SAML SSO - User Experience
SAML SSO - Login to Another Service Provider
Identity provider (e.g. WSO2 IS)
Service provider 2 (e.g. Accounts dept.)
User data
1. Log in request
2. Redirect to IDP URL
3. Request token (session: IS1)
5. Redirect to SP with token
6. Send SAML token
Service provider 1 (e.g. inventory)
Session: S1
4. Bypass login page
Session: S2
SAML SSO
Identity provider (e.g. WSO2 IS)
Service provider 1 (SP1)
Session: S1
Session: IS1
Service provider 2 (SP2)
Session ID   SP
IS1          SP1
IS1          SP2
IS2          SP2
Session: S2
SAML Single Logout
Identity provider (e.g. WSO2 IS)
Service provider 1 (SP1)
Service provider 2 (SP2)
Session ID   SP
IS1          SP1
IS1          SP2
IS2          SP2
Logout
(session: IS1)
Logout (session: S1)
Session: S2 (Invalidated)
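The session table on this and the preceding slide (one identity-provider session backing several service-provider sessions) and what a single logout does to it, as an added example that is not part of the original deck or of WSO2 Identity Server. The class and the session names are constructed; the slide lists IS2/SP2 without a session name, so S3 is assumed for it.

```python
"""Session table behind SAML single logout (added example, not WSO2 code).
Models the slide's table: identity-provider session -> service-provider sessions."""


class IdpSessionTable:
    def __init__(self):
        self.sessions = {}         # idp_session -> {sp: sp_session}
        self.logout_requests = []  # (sp, sp_session) LogoutRequests the IdP would send

    def login(self, idp_session, sp, sp_session):
        """Record that sp_session at sp was established through idp_session (SSO)."""
        self.sessions.setdefault(idp_session, {})[sp] = sp_session

    def idp_session_for(self, sp, sp_session):
        for idp_session, sps in self.sessions.items():
            if sps.get(sp) == sp_session:
                return idp_session
        return None

    def is_active(self, sp, sp_session):
        return self.idp_session_for(sp, sp_session) is not None

    def single_logout(self, sp, sp_session):
        """SP-initiated logout: every SP session tied to the same IdP session is invalidated."""
        idp_session = self.idp_session_for(sp, sp_session)
        if idp_session is None:
            return []  # unknown session: nothing to do, and nothing about other sessions is disclosed
        invalidated = []
        for other_sp, other_session in sorted(self.sessions.pop(idp_session).items()):
            if other_sp != sp:  # the initiating SP is already logging its own session out
                self.logout_requests.append((other_sp, other_session))
            invalidated.append((other_sp, other_session))
        return invalidated


def slide_scenario():
    """The slide's table: IS1 backs S1 at SP1 and S2 at SP2; IS2 backs a session at SP2."""
    table = IdpSessionTable()
    table.login("IS1", "SP1", "S1")
    table.login("IS1", "SP2", "S2")
    table.login("IS2", "SP2", "S3")  # constructed name; the slide shows IS2/SP2 without one
    return table
```

Logging out of S1 at SP1 resolves to IS1, so S2 at SP2 is invalidated as well (the IdP sends SP2 a LogoutRequest), while the unrelated IS2-backed session at SP2 stays active; a second logout with the same session id finds nothing and returns an empty list.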
What the User Can Do...
Service provider 1 (SP1)
/data/files
/data/archives
/data/visualize
/data/details
User = Jane
User = David
User = Tao
What the User Can Do (Ctd...)
Service provider 1 (SP1)
User = Jane
User = David
User = Tao
Access control policy
If user = Tao and resource = /data/archives
Permit.
If role = Clark and action = write
Deny.
If role = Manager and resource = /data/files
Permit.
XACML - Architecture
/data/files
/data/archives
/data/visualize
/data/details
Policy decision Point
If user = jane Permit.
If role = clark and action = write Deny.
Policy Store
Policy Administration Point
Policy Enforcement Point (PEP)
User = Tao
User = David
User = Jane
XACML - Policy Decision Flow
Policy Enforcement Point (PEP)
User = Jane
User = David
User = Tao
Service provider 1 (SP1)
/data/files
/data/archives
/data/visualize
/data/details
4. Filtered messages
Policy decision point
If user = jane Permit.
If role = clark and action = write Deny.
1. Parameters
3. Decision
2. Evaluate
Access policy 1
XACML - Policy
Policy
Target
Rule (effect = permit)
Target
Condition
Rule
…
Rule
…
Activation conditions for the rule set
Activation conditions for the rule
Conditions for the rule
Decision if target and condition are true
XACML - Policy (Ctd...)
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="BankOne_account_access_policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
        Version="1.0">
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/bankone/accounts/*</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Permit" RuleId="update_accounts_rule">
    ….
  </Rule>
  …....
</Policy>
If resource matches /bankone/accounts/*
Activation conditions for the rule set
XACML - Policy (Rules)
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="BankOne_account_access_policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
        Version="1.0">
  <Target>
    .....
  </Target>
  <Rule Effect="Permit" RuleId="update_accounts_rule">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
            <AttributeValue DataType="...#string">/bankone/accounts/update/*</AttributeValue>
            <AttributeDesignator AttributeId="...:resource:resource-id"
                                 Category="...:attribute-category:resource"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role"
                             Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="read_accounts_rule">
    …
  </Rule>
</Policy>
Permit if conditions satisfy
If resource matches /bankone/accounts/update/*
If role is manager
XACML Request
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/bankone/accounts/read/a1</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
Subject = bob
Resource = /bankone/accounts/read/a1
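A toy policy decision point that evaluates the BankOne policy against requests like the one shown above, as an added example (not code from the deck or from WSO2 Identity Server). It rebuilds the policy from the slides, parses a 3.0 Request with Python's standard library, and walks the Policy Target, each Rule's Target and Condition, and the deny-overrides combining algorithm, returning Permit, NotApplicable or Indeterminate. Two assumptions: the body of read_accounts_rule, elided on the slide, is constructed as a match on /bankone/accounts/read/*, and string-regexp-match is treated as an unanchored regular-expression search, which is what the slide's patterns intend; a real PDP applies XML Schema regex semantics, so production patterns need to be written for that.

```python
"""Toy XACML 3.0 PDP for the BankOne policy above (added example, not WSO2 code).
Assumptions: the elided read_accounts_rule body is constructed to match
/bankone/accounts/read/*; string-regexp-match is treated as an unanchored re.search."""
import re
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
STRING = "http://www.w3.org/2001/XMLSchema#string"
F, ROLE = "urn:oasis:names:tc:xacml:1.0:function:", "http://wso2.org/claims/role"
RES_ID, RES_CAT = ("urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                   "urn:oasis:names:tc:xacml:3.0:attribute-category:resource")
SUB_ID, SUB_CAT = ("urn:oasis:names:tc:xacml:1.0:subject:subject-id",
                   "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject")


def designator(attr_id, category):
    return (f'<AttributeDesignator AttributeId="{attr_id}" Category="{category}" '
            f'DataType="{STRING}" MustBePresent="true"/>')


def resource_target(pattern):  # every Target on the slide is a regex match on resource-id
    return (f'<Target><AnyOf><AllOf><Match MatchId="{F}string-regexp-match">'
            f'<AttributeValue DataType="{STRING}">{pattern}</AttributeValue>'
            f'{designator(RES_ID, RES_CAT)}</Match></AllOf></AnyOf></Target>')


POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="BankOne_account_access_policy" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  {resource_target("/bankone/accounts/*")}
  <Rule Effect="Permit" RuleId="update_accounts_rule">
    {resource_target("/bankone/accounts/update/*")}
    <Condition><Apply FunctionId="{F}any-of"><Function FunctionId="{F}string-equal"/>
      <AttributeValue DataType="{STRING}">manager</AttributeValue>
      {designator(ROLE, SUB_CAT)}</Apply></Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="read_accounts_rule">
    {resource_target("/bankone/accounts/read/*")}
  </Rule>
</Policy>"""


def request_xml(subject, resource, roles=()):
    """A Request like the slide's; the role attributes are a constructed extension."""
    def attribute(attr_id, value):
        return (f'<Attribute AttributeId="{attr_id}" IncludeInResult="false">'
                f'<AttributeValue DataType="{STRING}">{value}</AttributeValue></Attribute>')
    subject_attrs = attribute(SUB_ID, subject) + "".join(attribute(ROLE, r) for r in roles)
    return (f'<Request xmlns="{XACML}" CombinedDecision="false" ReturnPolicyIdList="false">'
            f'<Attributes Category="{SUB_CAT}">{subject_attrs}</Attributes>'
            f'<Attributes Category="{RES_CAT}">{attribute(RES_ID, resource)}</Attributes></Request>')


def parse_request(xml_text):
    attrs = {}  # (category, attribute-id) -> list of string values
    for attributes in ET.fromstring(xml_text).findall("x:Attributes", NS):
        for attribute in attributes.findall("x:Attribute", NS):
            key = (attributes.get("Category"), attribute.get("AttributeId"))
            attrs.setdefault(key, []).extend(v.text for v in attribute.findall("x:AttributeValue", NS))
    return attrs


class MissingAttribute(Exception): """MustBePresent designator found no value (-> Indeterminate)."""


FUNCTIONS = {
    F + "string-equal": lambda literal, value: literal == value,
    F + "string-regexp-match": lambda pattern, value: re.search(pattern, value) is not None,
}


def apply_any_of(node, attrs):
    # A Match and an any-of Apply share one shape: function id, literal, attribute designator
    func_id = node.get("MatchId") or node.find("x:Function", NS).get("FunctionId")
    literal = node.find("x:AttributeValue", NS).text
    des = node.find("x:AttributeDesignator", NS)
    bag = attrs.get((des.get("Category"), des.get("AttributeId")), [])
    if not bag and des.get("MustBePresent") == "true":
        raise MissingAttribute(des.get("AttributeId"))
    return any(FUNCTIONS[func_id](literal, value) for value in bag)


def target_matches(element, attrs):
    """AnyOf is a disjunction of AllOf conjunctions of Match; an empty Target matches everything."""
    target = element.find("x:Target", NS)
    if target is None or target.find("x:AnyOf", NS) is None:
        return True
    return any(all(apply_any_of(m, attrs) for m in all_of.findall("x:Match", NS))
               for any_of in target.findall("x:AnyOf", NS)
               for all_of in any_of.findall("x:AllOf", NS))


def evaluate_rule(rule, attrs):
    condition = rule.find("x:Condition", NS)
    try:
        if target_matches(rule, attrs) and (condition is None or apply_any_of(condition.find("x:Apply", NS), attrs)):
            return rule.get("Effect")
        return "NotApplicable"
    except MissingAttribute:
        return "Indeterminate"


def decide(policy_xml, request_text):
    """deny-overrides, simplified: Deny beats Indeterminate beats Permit beats NotApplicable."""
    policy = ET.fromstring(policy_xml)
    attrs = parse_request(request_text)
    try:
        if not target_matches(policy, attrs):
            return "NotApplicable"
    except MissingAttribute:
        return "Indeterminate"
    results = {evaluate_rule(rule, attrs) for rule in policy.findall("x:Rule", NS)}
    return next((d for d in ("Deny", "Indeterminate", "Permit") if d in results), "NotApplicable")
```

The slide's request (bob reading /bankone/accounts/read/a1) is permitted by read_accounts_rule; an update with role manager is permitted; an update with role clerk is NotApplicable. An update request that carries no role attribute at all yields Indeterminate rather than NotApplicable, because the role designator is MustBePresent, which is why a PEP must treat anything other than an explicit Permit as a denial.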
XACML - Policy Enforcement
Policy Enforcement Point (PEP)
User = Jane
User = David
User = Tao
Service provider 1 (SP1)
/data/files
/data/archives
/data/visualize
/data/details
4. Filtered messages
Policy decision
If user = jane Permit.
If role = clark and action = write Deny.
1. Parameters
3. Decision
2. Evaluate
Access policy 1
XACML - Policy Enforcement
WSO2 ESB
Proxy service
Entitlement
Service provider 1 (SP1)
On accept
On reject
Send
Drop
Property [Set user]
Property [Set resource]
Policy decision (WSO2 IS)
Render menu items in a web app based on the logged-in user’s fine-grained permissions
XACML Demo
Bring a Token...
Service provider
Access resource
R1
Does the user have permission to access R1?
Service provider
Access resource
R1
Check if R1 is authorized for the given token
Token
But..
How does a user get a token?
How do we know if a given token has permission to access a resource?
OAuth 2.0
• Access is granted to authorized tokens
•Users obtain tokens from an authorization server
•Resource servers validate the authorization of a token with authorization server
Tokens are authorized for scopes
Each protected resource + action has to be mapped to a scope
OAuth 2.0 (Ctd...)
Serviceprovider
Read resource R1
Authorization server
Token (T1)
Resource   Action   Scope
R1         read     R1_read
R1         write    R1_write
R2         read     R2_read

Token   Scope
T1      R1_read
T2      R1_read
T3      R2_read
T3      R2_write
Is T1 authorized for R1_read?
Now …How to get a token?
Access On Behalf of a User
Eg: A web app wants to access photos stored in PhotoServer
Web app
Access photos in collection A
I need an OAuth2 token with scope “photos_A”
PhotoServer
Access On Behalf of a User (Ctd...)
Eg: A web app wants to access photos stored in PhotoServer
Web app
PhotoServer
Client ID
Client secret
1. Register webapp
2. Generate client ID / client secret
3. Configure callback URL
4. Configure OAuth2 URLs
5. Set client ID / client secret
Application Developer
Access On Behalf of a User (Ctd...)
Eg: A web app wants to access photos stored in PhotoServer
Web app
PhotoServer
Client ID
Client secret
Auth code
1. Redirect with scope request
2. Authenticate and ask permission
3. Redirect with auth code
Access On Behalf of a User (Ctd...)
Eg: A web app wants to access photos stored in PhotoServer
PhotoServer
Web app
Client ID
Client secret
4. Request token (auth code, cid, secret)
6. Access photo collection A
5. Send Token
Client – One who wants to access the resource. E.g. Web app
Observations
E.g. A web app wants to access photos stored in PhotoServer
Web app
User – One who has permissions to the resource. E.g. Jane – Jane's web browser
Resource server – One who contains the resource
Authorization server – One who grants access to the resource. E.g. Facebook
PhotoServer
Delegating the authorization
Web app
PhotoServer
Authorization server
1. Access web app
2. Redirect with scope request “photos_A”
3. Authenticate and ask permissions
4. Redirect with auth code
Delegating the authorization (Ctd...)
Web app
PhotoServer
Authorization server
7. Request photos
5. Request token (auth code, cid, secret)
6. Token given
Delegating the authorization (Ctd...)
Web app
PhotoServer
Authorization server
8. Validate token for scope “photos_A”
9. Validation response
Token   Scope
T1      photos_A
T2      photos_B
T3      photos_A
T3      photos_B
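The resource-server side of the checks described above ("Is T1 authorized for R1_read?" and steps 8 and 9, validating a token for a scope), as an added example that is not code from the deck or from WSO2 Identity Server. The token records, the expired and revoked tokens and the timestamps are constructed; introspect() stands in for an RFC 7662 token introspection call to the authorization server.

```python
"""Resource-server side of the OAuth 2.0 scope check from the slides (added example,
not WSO2 code). Token records and timestamps are constructed; introspect() stands in
for the authorization server's RFC 7662 token introspection endpoint."""

NOW = 1_700_000_000  # constructed "current time" (Unix seconds)

# The slides' mapping: every protected resource + action is mapped to a scope.
SCOPE_FOR = {("R1", "read"): "R1_read", ("R1", "write"): "R1_write", ("R2", "read"): "R2_read"}

# What the authorization server knows about each token, in introspection-response shape
# (active flag, space-separated scope string, expiry). The expired T2 and revoked T4 are constructed.
TOKENS = {
    "T1": {"active": True, "scope": "R1_read", "exp": NOW + 3600},
    "T2": {"active": True, "scope": "R1_read", "exp": NOW - 1},
    "T3": {"active": True, "scope": "R2_read R2_write", "exp": NOW + 3600},
    "T4": {"active": False, "scope": "R1_read R1_write", "exp": NOW + 3600},
}


def introspect(token):
    """Stand-in for POST /introspect. Unknown tokens are reported as inactive rather than as
    an error, so callers cannot tell unknown from revoked (the behaviour RFC 7662 prescribes)."""
    return TOKENS.get(token, {"active": False})


def authorize(token, resource, action, now=NOW):
    """Answer 'is this token authorized for (resource, action)?'; returns (allowed, reason)."""
    required = SCOPE_FOR.get((resource, action))
    if required is None:
        return False, "no scope mapped for this resource/action, deny by default"
    info = introspect(token)
    if not info.get("active"):
        return False, "token inactive or unknown"
    if info.get("exp", 0) <= now:
        return False, "token expired"
    granted = set(info.get("scope", "").split())  # scope is space-delimited per RFC 6749
    if required not in granted:
        return False, f"token lacks scope {required}"
    return True, f"scope {required} granted"
```

The order of the checks matters for the failure modes: an unmapped resource/action pair is refused before any token is consulted, an inactive or unknown token is refused before its scopes are read, and only a live token with the exact required scope is allowed through.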
Federated Access to APIs
Self Contained Access Tokens
Multiple OAuth2 Apps with No Shared Credentials
Multiple OAuth2 Apps with No Shared Credentials(Self-issued JWT)
Accessing APIs via desktop clients (kerberos)
Token Exchange
Fine-grained access control for APIs
OAuth 2.0 is for delegated access control.
Can we extend this for authentication?
A Simple Approach...
Just as clients are authorized to access resources, clients can be authorized to access user data
Web app
Log in
Identity server
Read Jane's profile
OpenID Connect SSO
Web app
1. Log in
2. Get tokens
3. Authenticate
4. Auth code
Client ID
Secret
Auth code
Identity server
6.
OpenID Connect SSO (Ctd...)
Web app
Client ID
Secret
Auth code
Identity server
5. Auth code, cid, secret
Access token:
Authorizes user info access
ID token:
Authenticates the user
OpenID Connect SSO (Ctd...)
Web app
Identity server
7. Get user info
8. First name: Jane
Address: 65, Ed..
Tel: +61 93...
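The web app's side of the flow above, as an added example that is not code from the deck or from WSO2 Identity Server: step 1 with a fresh state and nonce, and the validation of the ID token returned in steps 5 and 6 before it is trusted to authenticate the user. The identity server is simulated by sign_hs256, which mints an HS256 JWT keyed with the client secret (OpenID Connect allows this for confidential clients); the client id, secret, issuer URL and times are constructed.

```python
"""Relying-party checks in the OpenID Connect code flow (added example, not WSO2 code).
The identity server is simulated by sign_hs256; names, keys and times are constructed."""
import base64
import hashlib
import hmac
import json
import secrets

NOW = 1_700_000_000  # constructed "current time" (Unix seconds)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Simulated identity server minting an ID token. `alg` exists only so a test can
    build an unsigned (alg=none) token and confirm the relying party rejects it."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature) if alg == 'HS256' else ''}"


class RelyingParty:
    def __init__(self, client_id: str, client_secret: bytes, issuer: str):
        self.client_id, self.client_secret, self.issuer = client_id, client_secret, issuer
        self.pending = {}  # state -> nonce, one entry per login attempt in flight

    def start_login(self) -> dict:
        """Step 1: parameters for the redirect to the identity server's authorize endpoint."""
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return {"response_type": "code", "client_id": self.client_id,
                "scope": "openid profile", "state": state, "nonce": nonce}

    def validate_id_token(self, id_token: str, state: str, now: int = NOW):
        """Step 6: accept the ID token only if every check passes; returns (ok, subject or reason)."""
        nonce = self.pending.pop(state, None)  # a state is usable once, so replays stop here
        if nonce is None:
            return False, "unknown or reused state"
        parts = id_token.split(".")
        if len(parts) != 3:
            return False, "malformed token"
        header_b64, payload_b64, sig_b64 = parts
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
            return False, "unexpected alg"
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(self.client_secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False, "bad signature"
        claims = json.loads(b64url_decode(payload_b64))
        if claims.get("iss") != self.issuer:
            return False, "wrong issuer"
        aud = claims.get("aud")
        if not (aud == self.client_id or (isinstance(aud, list) and self.client_id in aud)):
            return False, "token not issued to this client"
        if claims.get("exp", 0) <= now:
            return False, "expired"
        if claims.get("nonce") != nonce:
            return False, "nonce mismatch"
        return True, claims.get("sub")
```

The access token from step 5 only authorizes the user-info call in step 7; it is the ID token, and only after signature, issuer, audience, expiry and nonce all check out against the state the app itself generated, that authenticates the user.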
Adding Users
WSO2 IS Management Console
Adding Users? (Ctd..)
Hot deploy multiple user stores
Adding Users? (Ctd..)
SCIM – System for Cross-domain Identity Management
SCIM endpoints
Adding Users? (Ctd..)
curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"Ekanayake","givenName":"Chathura"},"userName":"chathura","password":"pass123", …........}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users
Adding Users to Many Other Parties...
Identity server
Identity server
Logistics
Head office
Accounting
Add user to all Identity Servers!
Username: saman, Password: saman123, Email: saman@wso2.com
Username: saman, Password: saman123, Email: saman@wso2.com
Username: saman, Password: saman123, Email: saman@wso2.com
Federated Provisioning
Identity server
Identity server
Identity server
Logistics
Head office
Accounting
Username: saman, Password: saman123, Email: saman@wso2.com
Username: saman, Password: saman123, Email: saman@wso2.com
Username: saman, Password: saman123, Email: saman@wso2.com
Provisioning Bridge
IS1 - Logistics (SCIM endpoint)
IDP - IS2 (SCIM, SPML)
IS2 – Head office (SCIM endpoint)
WS
SCIM
SCIM
SOAP
Integrating External User Stores
Identity server
Logistics
Identity server
Head office
Username: jane, Password: jane123, Email: saman@wso2.com
1. Access request
2. Auth request
3. Auth request
4. Auth response
IS1
User store
5. Add user
Thank You!