WSO2Con USA 2017: Building a Secure Enterprise
Uploaded by wso2-inc (category: Technology)
Transcript of WSO2Con USA 2017: Building a Secure Enterprise
Slide 1: Building a Secure Enterprise
Johann Dilantha Nallathamby, Technical Lead, WSO2
Rushmin Fernando, Technical Lead, WSO2
Slide 2: Agenda
• WSO2 Identity Server Architecture
• SAML2 Single Sign-On/Single Logout
• XACML 3.0
• OAuth 2.0
• OpenID Connect
• User Management
• SCIM 2.0
• Plugging an external Identity Store
• Identity Cloud
Slide 3: Identity Server Architecture (diagram)
Slide 4: SAML SSO
Parties: user, identity provider (e.g. WSO2 IS) with its user data store, service provider (e.g. inventory).
1. Log in request
2. Redirect to IDP URL
3. Request token
4. Authenticate
5. Redirect to SP with token
6. Send SAML token
Service provider session: S1
Slide 5: SAML SSO - User Experience (diagram)
Slide 6: SAML SSO - Login to Another Service Provider
Parties: identity provider (e.g. WSO2 IS) with its user data store, service provider 1 (e.g. inventory, session S1), service provider 2 (e.g. Accounts dept.).
1. Log in request
2. Redirect to IDP URL
3. Request token (session: IS1)
4. Bypass login page
5. Redirect to SP with token
6. Send SAML token
Service provider 2 session: S2
Slide 7: SAML SSO
Identity provider (e.g. WSO2 IS) holds session IS1; service provider 1 (SP1) holds session S1; service provider 2 (SP2) holds session S2.
Identity provider session table:
Session ID   SP
IS1          SP1
IS1          SP2
IS2          SP2
Slide 8: SAML Single Logout
Parties: identity provider (e.g. WSO2 IS), service provider 1 (SP1), service provider 2 (SP2).
Identity provider session table:
Session ID   SP
IS1          SP1
IS1          SP2
IS2          SP2
Logout (session: S1) from SP1
Logout (session: IS1) at the identity provider
Session: S2 (invalidated)
A logout at one service provider ends the identity provider session and every service provider session linked to it.
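The session table on the SSO and Single Logout slides, as an added example that is not code from the slides or from WSO2 Identity Server: a toy identity-provider session store in Python. Session identifiers are generated at run time and the service-provider names (SP1, SP2) are taken from the slides; everything else is an assumption of this illustration.

```python
# Added example, not from the WSO2Con slides: models the IdP session table
# (IS1 -> SP1, SP2; IS2 -> SP2) and the single-logout fan-out.
import secrets
from dataclasses import dataclass, field


@dataclass
class IdpSessionStore:
    # idp_session_id -> {sp_name: sp_session_id}
    sessions: dict = field(default_factory=dict)

    def authenticate(self):
        """The user proves credentials once; the IdP opens an IdP session (IS1, IS2 ...)."""
        sid = "IS" + secrets.token_hex(4)
        self.sessions[sid] = {}
        return sid

    def issue_sp_session(self, idp_session, sp):
        """Login to an SP: the login page is bypassed when the IdP session already
        exists; the new SP session is recorded against that IdP session."""
        if idp_session not in self.sessions:
            raise PermissionError("no IdP session; the user must authenticate")
        sp_session = "S" + secrets.token_hex(4)
        self.sessions[idp_session][sp] = sp_session
        return sp_session

    def single_logout(self, idp_session):
        """Logout received from any one SP: drop the IdP session and return every
        (sp, sp_session) pair the IdP must now tell to invalidate."""
        linked = self.sessions.pop(idp_session, {})
        return sorted(linked.items())

    def is_active(self, idp_session, sp):
        """True while the SP session is still linked to a live IdP session."""
        return sp in self.sessions.get(idp_session, {})
```

The point to check in a real deployment is the last method: after single logout, an SP session that was only linked to the terminated IdP session must no longer be accepted, while sessions belonging to another IdP session (IS2 on the slide) stay valid.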
Slide 9: What the User Can Do...
Service provider 1 (SP1) resources: /data/files, /data/archives, /data/visualize, /data/details
Users: Jane, David, Tao
Slide 10: What the User Can Do (Ctd...)
Service provider 1 (SP1); users: Jane, David, Tao
Access control policy:
If user = Tao and resource = /data/archives: Permit.
If role = Clark and action = write: Deny.
If role = Manager and resource = /data/files: Permit.
Slide 11: XACML - Architecture
Resources: /data/files, /data/archives, /data/visualize, /data/details; users: Tao, David, Jane
Policy Enforcement Point (PEP): placed in front of the resources
Policy Decision Point (PDP): evaluates policies such as "If user = jane: Permit." and "If role = clark and action = write: Deny."
Policy Store
Policy Administration Point (PAP)
Slide 12: XACML - Policy Decision Flow
Service provider 1 (SP1) resources: /data/files, /data/archives, /data/visualize, /data/details; users: Jane, David, Tao
Policy Enforcement Point (PEP) and Policy Decision Point (PDP) holding access policy 1: "If user = jane: Permit." and "If role = clark and action = write: Deny."
1. Parameters (the PEP sends the request attributes to the PDP)
2. Evaluate (the PDP evaluates access policy 1)
3. Decision (the PDP returns the decision to the PEP)
4. Filtered messages (only permitted requests reach the resources)
Slide 13: XACML - Policy
Policy
  Target: activation conditions for the rule set
  Rule (effect = permit)
    Target: activation conditions for the rule
    Condition: conditions for the rule
    Effect: decision if target and condition are true
  Rule ...
  Rule ...
Slide 14: XACML - Policy (Ctd...)

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="BankOne_account_access_policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
        Version="1.0">
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/bankone/accounts/*</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Permit" RuleId="update_accounts_rule">
    ...
  </Rule>
  ...
</Policy>
```

Policy target: if resource matches /bankone/accounts/* (activation conditions for the rule set).
Slide 15: XACML - Policy (Rules)

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="BankOne_account_access_policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
        Version="1.0">
  <Target> ... </Target>
  <Rule Effect="Permit" RuleId="update_accounts_rule">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
            <AttributeValue DataType="...#string">/bankone/accounts/update/*</AttributeValue>
            <AttributeDesignator AttributeId="...:resource:resource-id"
                                 Category="...:attribute-category:resource"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role"
                             Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="read_accounts_rule">
    ...
  </Rule>
</Policy>
```

Rule target: if resource matches /bankone/accounts/update/*
Rule condition: if role is manager
Effect: Permit if the target and condition are satisfied
Slide 16: XACML Request

```xml
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
         CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/bankone/accounts/read/a1</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
```

Subject = bob
Resource = /bankone/accounts/read/a1
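To show how the policy structure on the preceding slides (policy target, rule target, rule condition, deny-overrides combining) turns a request like the one above into a decision, here is an added example that is not code from the slides or from WSO2 Identity Server: a minimal XACML 3.0 decision point in plain Python. It evaluates the BankOne policy with the same attribute ids and functions the slides use. Two things are assumptions of this example: the body of read_accounts_rule, which the slides elide, is constructed as "resource matches /bankone/accounts/read/*", and string-regexp-match is evaluated as an unanchored regular-expression search, which is what makes "/bankone/accounts/*" act as a prefix pattern.

```python
# Added example, not from the WSO2Con slides or the WSO2 IS code base: a toy
# XACML 3.0 PDP for the BankOne policy. Namespaces, attribute ids and function
# ids are the ones shown on the slides.
import re
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ROLE = "http://wso2.org/claims/role"
REGEXP = "urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"
STR_EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

# Policy from the slides; read_accounts_rule is constructed here (the slides elide it).
POLICY_XML = f"""
<Policy xmlns="{NS['x']}" PolicyId="BankOne_account_access_policy" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target><AnyOf><AllOf><Match MatchId="{REGEXP}"><AttributeValue>/bankone/accounts/*</AttributeValue>
    <AttributeDesignator AttributeId="{RESOURCE_ID}" Category="{RESOURCE}" MustBePresent="true"/></Match></AllOf></AnyOf></Target>
  <Rule Effect="Permit" RuleId="update_accounts_rule">
    <Target><AnyOf><AllOf><Match MatchId="{REGEXP}"><AttributeValue>/bankone/accounts/update/*</AttributeValue>
      <AttributeDesignator AttributeId="{RESOURCE_ID}" Category="{RESOURCE}" MustBePresent="true"/></Match></AllOf></AnyOf></Target>
    <Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
      <Function FunctionId="{STR_EQ}"/><AttributeValue>manager</AttributeValue>
      <AttributeDesignator AttributeId="{ROLE}" Category="{SUBJECT}" MustBePresent="true"/></Apply></Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="read_accounts_rule">
    <Target><AnyOf><AllOf><Match MatchId="{REGEXP}"><AttributeValue>/bankone/accounts/read/*</AttributeValue>
      <AttributeDesignator AttributeId="{RESOURCE_ID}" Category="{RESOURCE}" MustBePresent="true"/></Match></AllOf></AnyOf></Target>
  </Rule>
</Policy>""".strip()


class Indeterminate(Exception):
    """A MustBePresent attribute is missing from the request context."""


def build_request(subject, resource, roles=()):
    """Request context as {(category, attribute-id): bag of values}, i.e. the
    information the XACML Request slide carries as XML."""
    req = {(SUBJECT, "urn:oasis:names:tc:xacml:1.0:subject:subject-id"): [subject],
           (RESOURCE, RESOURCE_ID): [resource]}
    if roles:
        req[(SUBJECT, ROLE)] = list(roles)
    return req


def _bag(designator, request):
    key = (designator.get("Category"), designator.get("AttributeId"))
    values = request.get(key, [])
    if not values and designator.get("MustBePresent") == "true":
        raise Indeterminate(key)
    return values


def _apply(function_id, literal, bag):
    # Assumption: regexp-match as an unanchored search (prefix-like behaviour).
    if function_id == REGEXP:
        return any(re.search(literal, v) for v in bag)
    if function_id == STR_EQ:
        return literal in bag
    raise NotImplementedError(function_id)


def _target_matches(target, request):
    """Target = AnyOf(AllOf(Match...)); a missing or empty Target matches everything."""
    any_ofs = [] if target is None else target.findall("x:AnyOf", NS)
    if not any_ofs:
        return True
    for any_of in any_ofs:
        for all_of in any_of.findall("x:AllOf", NS):
            ok = True
            for m in all_of.findall("x:Match", NS):
                bag = _bag(m.find("x:AttributeDesignator", NS), request)
                ok = ok and _apply(m.get("MatchId"), m.find("x:AttributeValue", NS).text, bag)
            if ok:
                return True
    return False


def _condition_holds(condition, request):
    """Only the any-of(function, literal, bag) shape used on the slides is supported."""
    if condition is None:
        return True
    apply = condition.find("x:Apply", NS)
    fn = apply.find("x:Function", NS).get("FunctionId")
    bag = _bag(apply.find("x:AttributeDesignator", NS), request)
    return _apply(fn, apply.find("x:AttributeValue", NS).text, bag)


def evaluate(policy_xml, request):
    """PDP decision: Permit, Deny, NotApplicable or Indeterminate. Rules are combined
    with deny-overrides, simplified here to Deny > Indeterminate > Permit."""
    policy = ET.fromstring(policy_xml)
    try:
        if not _target_matches(policy.find("x:Target", NS), request):
            return "NotApplicable"
    except Indeterminate:
        return "Indeterminate"
    results = []
    for rule in policy.findall("x:Rule", NS):
        try:
            applies = (_target_matches(rule.find("x:Target", NS), request)
                       and _condition_holds(rule.find("x:Condition", NS), request))
            results.append(rule.get("Effect") if applies else "NotApplicable")
        except Indeterminate:
            results.append("Indeterminate")
    for outcome in ("Deny", "Indeterminate", "Permit"):
        if outcome in results:
            return outcome
    return "NotApplicable"
```

The request from the slide (bob, /bankone/accounts/read/a1) yields Permit through read_accounts_rule. A request for /bankone/accounts/update/a1 from a user with role clerk yields NotApplicable, and the same request from a user with no role attribute yields Indeterminate because the role designator is MustBePresent. A PEP should release the request only on an explicit Permit and treat NotApplicable and Indeterminate as refusals.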
Slide 17: XACML - Policy Enforcement
Service provider 1 (SP1) resources: /data/files, /data/archives, /data/visualize, /data/details; users: Jane, David, Tao
Policy Enforcement Point (PEP) and policy decision holding access policy 1: "If user = jane: Permit." and "If role = clark and action = write: Deny."
1. Parameters (the PEP sends the request attributes for a decision)
2. Evaluate (access policy 1 is evaluated)
3. Decision (the decision is returned to the PEP)
4. Filtered messages (only permitted requests reach the resources)
Slide 18: XACML - Policy Enforcement (WSO2 ESB)
Proxy service -> Property [Set user] -> Property [Set resource] -> Entitlement mediator -> Policy decision (WSO2 IS)
On accept: Send to service provider 1 (SP1)
On reject: Drop
Slide 19: Render menu items in a web app based on the logged-in user’s fine-grained permissions (screenshot)
Slide 20: XACML Demo
Slide 21: Bring a Token...
Without a token: the service provider receives "Access resource R1" and has to answer "Does the user have permission to access R1?"
With a token: the service provider receives "Access resource R1" together with a token and checks whether R1 is authorized for the given token.
Slide 22: But..
How does a user get a token?
How do we know if a given token has permission to access a resource?
Slide 23: OAuth 2.0
• Access is granted to authorized tokens
• Users obtain tokens from an authorization server
• Resource servers validate the authorization of a token with the authorization server
Tokens are authorized for scopes.
Each protected resource + action has to be mapped to a scope.
Slide 24: OAuth 2.0 (Ctd...)
Service provider receives "Read resource R1" with token T1 and asks the authorization server: "Is T1 authorized for R1_read?"
Resource   Action   Scope
R1         read     R1_read
R1         write    R1_write
R2         read     R2_read

Token   Scope
T1      R1_read
T2      R1_read
T3      R2_read
T3      R2_write
Slide 25: Now … How to get a token?
Slide 26: Access On Behalf of a User
E.g. a web app wants to access photos stored in PhotoServer.
Web app -> PhotoServer: Access photos in collection A
Web app: "I need an OAuth2 token with scope “photos_A”"
Slide 27: Access On Behalf of a User (Ctd...)
E.g. a web app wants to access photos stored in PhotoServer.
Application developer:
1. Register web app
2. Generate client ID / client secret
3. Configure callback URL
4. Configure OAuth2 URLs
5. Set client ID / client secret
The web app now holds: client ID, client secret.
Slide 28: Access On Behalf of a User (Ctd...)
E.g. a web app wants to access photos stored in PhotoServer.
1. Redirect with scope request
2. Authenticate and ask permission
3. Redirect with auth code
The web app now holds: client ID, client secret, auth code.
Slide 29: Access On Behalf of a User (Ctd...)
E.g. a web app wants to access photos stored in PhotoServer.
4. Request token (auth code, cid, secret)
5. Send token
6. Access photo collection A
The web app holds: client ID, client secret.
Slide 30: Observations
E.g. a web app wants to access photos stored in PhotoServer.
Client – the one who wants to access the resource. E.g. the web app
User – the one who has permissions to the resource. E.g. Jane (Jane's web browser)
Resource server – the one that holds the resource. E.g. PhotoServer
Authorization server – the one that grants access to the resource. E.g. Facebook
Slide 31: Delegating the authorization
Parties: web app, PhotoServer, authorization server.
1. Access web app
2. Redirect with scope request “photos_A”
3. Authenticate and ask permissions
4. Redirect with auth code
Slide 32: Delegating the authorization (Ctd...)
Parties: web app, PhotoServer, authorization server.
5. Request token (auth code, cid, secret)
6. Token given
7. Request photos
Slide 33: Delegating the authorization (Ctd...)
Parties: web app, PhotoServer, authorization server.
8. Validate token for scope “photos_A”
9. Validation response
Token   Scope
T1      photos_A
T2      photos_B
T3      photos_A
T3      photos_B
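The exchange on slides 23 to 33 (client registration, redirect with scope request, auth code, token request with client id and secret, token validation for a scope), as an added example that is not code from the slides or from WSO2 Identity Server: a self-contained Python simulation with both the authorization server and the resource server side. Client ids, secrets, codes and tokens are generated at run time; the callback URL, the user name "jane" and the resource-to-scope table (collection A read -> photos_A, collection B read -> photos_B) are constructed for the example.

```python
# Added example, not from the WSO2Con slides: the OAuth 2.0 authorization-code
# flow and the scope check, with the checks a defender expects on each step.
import hmac
import secrets
import time


class AuthorizationServer:
    """Issues auth codes and access tokens; validates tokens for scopes."""
    CODE_TTL = 60  # seconds: auth codes are short-lived and single-use

    def __init__(self):
        self.clients = {}  # client_id -> {"secret", "redirect_uri"}
        self.codes = {}    # code -> {"client_id", "redirect_uri", "scope", "user", "exp"}
        self.tokens = {}   # token -> {"scope", "user"}

    def register_client(self, redirect_uri):
        """Slide 27: the developer registers the web app and receives credentials."""
        cid, secret = secrets.token_urlsafe(8), secrets.token_urlsafe(24)
        self.clients[cid] = {"secret": secret, "redirect_uri": redirect_uri}
        return cid, secret

    def authorize(self, client_id, redirect_uri, scope, user, consent):
        """Steps 2-4: redirect with scope request, authenticate, ask permission,
        redirect back with an auth code. The redirect URI must be the registered one."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri or not consent:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": set(scope), "user": user,
                            "exp": time.time() + self.CODE_TTL}
        return code

    def token(self, code, client_id, client_secret, redirect_uri):
        """Steps 5-6: exchange auth code + client credentials for an access token."""
        grant = self.codes.pop(code, None)  # consumed on first use, even if the call fails
        client = self.clients.get(client_id)
        if grant is None or client is None or time.time() > grant["exp"]:
            return None
        if not hmac.compare_digest(client["secret"], client_secret):
            return None
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            return None
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {"scope": grant["scope"], "user": grant["user"]}
        return tok

    def validate(self, token, required_scope):
        """Steps 8-9: does this token carry the scope the resource needs?"""
        entry = self.tokens.get(token)
        return entry is not None and required_scope in entry["scope"]


class PhotoServer:
    """Resource server: maps resource + action to a scope, then asks the AS."""
    SCOPES = {("A", "read"): "photos_A", ("B", "read"): "photos_B"}  # constructed table

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def access(self, collection, action, token):
        scope = self.SCOPES.get((collection, action))
        return scope is not None and self.auth_server.validate(token, scope)


def run_flow():
    """Drives the whole exchange and returns the observable outcomes."""
    auth = AuthorizationServer()
    photos = PhotoServer(auth)
    callback = "https://webapp.example/callback"  # constructed
    cid, secret = auth.register_client(callback)
    code = auth.authorize(cid, callback, ["photos_A"], "jane", consent=True)
    tok = auth.token(code, cid, secret, callback)
    second_code = auth.authorize(cid, callback, ["photos_A"], "jane", consent=True)
    return {
        "read_A": photos.access("A", "read", tok),               # scope granted
        "read_B": photos.access("B", "read", tok),               # scope not granted
        "code_reuse": auth.token(code, cid, secret, callback),   # code already consumed
        "wrong_secret": auth.token(second_code, cid, "not-the-secret", callback),
        "wrong_redirect": auth.authorize(cid, "https://other.example/cb",
                                         ["photos_A"], "jane", consent=True),
    }
```

The outcomes to look for: a token with scope photos_A opens collection A but not collection B; a code cannot be exchanged twice; a token request with the wrong client secret fails; and an authorization request with a callback other than the registered one is refused before any code is issued.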
Slide 34: Federated Access to APIs (diagram)
Slide 35: Federated Access to APIs (diagram)
Slide 36: Self Contained Access Tokens (diagram)
Slide 37: Multiple OAuth2 Apps with No Shared Credentials (diagram)
Slide 38: Multiple OAuth2 Apps with No Shared Credentials (Self-issued JWT) (diagram)
Slide 39: Accessing APIs via desktop clients (Kerberos) (diagram)
Slide 40: Token Exchange (diagram)
Slide 41: Fine-grained access control for APIs (diagram)
Slide 42: OAuth 2.0 is for delegated access control.
Can we extend this for authentication?
Slide 43: A Simple Approach...
Just as clients are authorized to access resources, clients can be authorized to access user data.
Web app -> Identity server: Log in
Web app -> Identity server: Read Jane's profile
Slide 44: OpenID Connect SSO
Parties: web app (holds client ID, secret, auth code) and identity server.
1. Log in
2. Get tokens
3. Authenticate
4. Auth code
Slide 45: OpenID Connect SSO (Ctd...)
Parties: web app (holds client ID, secret, auth code) and identity server.
5. Auth code, cid, secret
6. Tokens returned:
Access token: authorizes user info access
ID token: authenticates the user
Slide 46: OpenID Connect SSO (Ctd...)
Parties: web app and identity server.
7. Get user info
8. First name: Jane; Address: 65, Ed..; Tel: +61 93...
Slide 47: Adding Users
WSO2 IS Management Console (screenshot)
Slide 48: Adding Users? (Ctd..)
Hot deploy multiple user stores
Slide 49: Adding Users? (Ctd..)
SCIM – System for Cross-domain Identity Management
SCIM endpoints
Slide 50: Adding Users? (Ctd..)

```bash
# The JSON body is single-quoted so that the inner double quotes reach the server intact.
curl -v -k --user admin:admin \
  --data '{"schemas":[],"name":{"familyName":"Ekanayake","givenName":"Chathura"},"userName":"chathura","password":"pass123", ...}' \
  --header "Content-Type:application/json" \
  https://localhost:9443/wso2/scim/Users
```
Slide 51: Adding Users to Many Other Parties...
Three identity servers: Logistics, Head office, Accounting.
Add user to all Identity Servers!
The same record is created on each of them: Username: saman, Password: saman123, Email: [email protected]
Slide 52: Federated Provisioning
A single identity server receives the user record (Username: saman, Password: saman123, Email: [email protected]) and provisions it to the identity servers of Logistics, Head office and Accounting.
Slide 53: Provisioning Bridge
IS1 – Logistics (SCIM endpoint) provisions outbound to the identity provider configured as "IS2", over SCIM, SPML or WS/SOAP, into IS2 – Head office (SCIM endpoint).
Slide 54: Integrating External User Stores
Identity server IS1 (Logistics, with its own user store) and the Head office identity server, which holds Username: jane, Password: jane123, Email: [email protected]
1. Access request
2. Auth request
3. Auth request (forwarded to the Head office identity server)
4. Auth response
5. Add user (to the IS1 user store)
Slide 55: Thank You!