WSO2Con ASIA 2016: Enterprise Security Uncovered

Upload: wso2-inc

Post on 07-Jan-2017


Page 6: WSO2Con ASIA 2016: Enterprise Security Uncovered

Supplier A

Username = “robert”
Password = “robert-pass”

Assembly plant

Supplier A

Session key: 6700A

<order>
  <issuer>Assembly plant</issuer>
  <item>k802</item>
  <quantity>7000000</quantity>
</order>

Assembly plant

Page 7: WSO2Con ASIA 2016: Enterprise Security Uncovered

Assembly plant Inventory

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

HTTP Basic Authentication

Base64 encoded <username>:<password>
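The Basic scheme above is just base64 of `username:password`, so the receiving side has to decode it, split it correctly and compare the password against something other than the plaintext the slides show. The following is an added example, not code from the slides or from WSO2: a header parser plus a verifier that stores salted PBKDF2 hashes and compares in constant time. The user store is constructed for the example; the RFC 7617 test vector `QWxhZGRpbjpvcGVuIHNlc2FtZQ==` is the one on the slide.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Turn an 'Authorization' header value into (username, password).

    Returns None for anything that is not well-formed Basic auth. The decoded
    string is split on the FIRST ':' only: RFC 7617 forbids ':' in the user-id
    but allows it in the password.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Store a salted PBKDF2 hash, never the plaintext the slides show."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


# Constructed credential store for the example (the user from the slides).
USERS: Dict[str, Dict[str, bytes]] = {"robert": make_record("robert-pass")}


def verify_basic(header: str, store: Dict[str, Dict[str, bytes]] = USERS) -> Optional[str]:
    """Return the authenticated username, or None on any failure."""
    parsed = parse_basic_auth(header)
    if parsed is None:
        return None
    user, password = parsed
    record = store.get(user)
    # Unknown users are hashed against a dummy salt so that a failed lookup
    # costs the same as a wrong password (no username enumeration by timing).
    salt = record["salt"] if record else b"\x00" * 16
    expected = record["hash"] if record else b"\x00" * 32
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    if record is None or not hmac.compare_digest(candidate, expected):
        return None
    return user


def basic_header(user: str, password: str) -> str:
    """Build the value a client sends: 'Basic ' + base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
```

The header is still sent in the clear inside the request, which is why the slides move on to tokens; the verifier above only removes the plaintext password from the server's store and the timing leak from the comparison.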

Page 8: WSO2Con ASIA 2016: Enterprise Security Uncovered

Assembly plant Inventory

UsernameToken included in the SOAP header

<!-- wsse/wsu namespace declarations added here; the slide omits them -->
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
                  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soapenv:Header>
    <wsse:Security>
      <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>admin</wsse:Username>
        <wsse:Password>admin</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    …..
  </soapenv:Body>
</soapenv:Envelope>

Username token

Page 9: WSO2Con ASIA 2016: Enterprise Security Uncovered

Assembly plant Inventory

Username = “robert”
Password = “robert-pass”

Accounts department

Logistics department

Username = “robert2”
Password = “robert2-pass”

Username = “robert_5”
Password = “K67robert2-AB-#2”

Page 10: WSO2Con ASIA 2016: Enterprise Security Uncovered

Authentication Server

(e.g. WSO2 IS)

Service provider (e.g. Inventory)

Client (e.g. Assembly plant)

Username = “robert”
Password = “robert-pass”

Token

Token

User profiles

Page 11: WSO2Con ASIA 2016: Enterprise Security Uncovered

STS Server (e.g. WSO2 IS)

Service Provider (e.g. inventory)

Client (e.g. Assembly plant)

Request for Secure Token (RST)

Username = “robert”
Password = “robert-pass”

SAML Assertion

User profiles

SAML Assertion

Signed with STS private key

Security policy

Page 12: WSO2Con ASIA 2016: Enterprise Security Uncovered

User

Inventory

Username = “robert”
Password = “robert-pass”

Accounts department

Logistics department

Username = “robert2”
Password = “robert2-pass”

Username = “robert”
Password = “robert-pass”

Username = “robert”
Password = “robert-pass”

Authentication Server

(e.g. WSO2 IS)

Page 13: WSO2Con ASIA 2016: Enterprise Security Uncovered

Identity provider (e.g. WSO2 IS)

Service provider (e.g. inventory)

User data

1. Log in request

2. Redirect to IDP URL

3. Request token

4. Authenticate

5. Redirect to SP with token

6. Send SAML token

Session: S1

Page 15: WSO2Con ASIA 2016: Enterprise Security Uncovered

Identity provider (e.g. WSO2 IS)

Service provider 2 (e.g. Accounts dept.)

User data

1. Log in request

2. Redirect to IDP URL

3. Request token (session: IS1)

5. Redirect to SP with token

6. Send SAML token

Service provider 1 (e.g. inventory)

Session: S1

4. Bypass login page

Session: S2

Page 16: WSO2Con ASIA 2016: Enterprise Security Uncovered

Identity provider (e.g. WSO2 IS)

Service provider 1 (SP1)

Session: S1

Session: IS1

Service provider 2 (SP2)

Session ID    SP
IS1           SP1
IS1           SP2
IS2           SP2

Session: S2

Page 17: WSO2Con ASIA 2016: Enterprise Security Uncovered

Identity provider (e.g. WSO2 IS)

Service provider 1 (SP1)

Service provider 2 (SP2)

Session ID    SP
IS1           SP1
IS1           SP2
IS2           SP2

Logout

(session: IS1)

Logout (session: S1)

Session: S2 (Invalidated)
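The slides on pages 15 to 17 show one IdP session (IS1) fanning out into several SP sessions (S1 at SP1, S2 at SP2) and a single logout that has to reach every SP listed against IS1 in the session table, while a separate IdP session (IS2) for the same user stays untouched. The following is an added example, not code from the slides or from WSO2 Identity Server, that models exactly that table: the IdP records which SPs received a token under each of its sessions, SPs keep a local session pointing back at the IdP session, and `single_logout` walks the table. The tokens are plain dicts standing in for signed SAML assertions; the user store is constructed for the example.

```python
import secrets
from typing import Dict, List

# Constructed user store for the example (credentials from the slides).
USERS = {"robert": "robert-pass"}


class IdentityProvider:
    """Holds the IdP session (IS1, IS2, ...) and records which SPs received a
    token under it: the 'Session ID -> SP' table from the slide."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}
        self._seq = 0

    def login(self, username: str, password: str) -> str:
        if USERS.get(username) != password:
            raise PermissionError("authentication failed")
        self._seq += 1
        sid = f"IS{self._seq}"
        self.sessions[sid] = {"user": username, "sps": set()}
        return sid

    def issue_token(self, sid: str, sp_name: str) -> dict:
        """Steps 3-5: with a live IdP session the login page is bypassed and a
        token for the requesting SP is issued straight away."""
        sess = self.sessions.get(sid)
        if sess is None:
            raise PermissionError("no IdP session; user must authenticate")
        sess["sps"].add(sp_name)
        # A real SAML assertion would be signed and carry audience and expiry.
        return {"subject": sess["user"], "audience": sp_name, "idp_session": sid}

    def logout(self, sid: str) -> List[str]:
        """Drop the IdP session and return the SPs that hold sessions under it."""
        sess = self.sessions.pop(sid, None)
        return sorted(sess["sps"]) if sess else []


class ServiceProvider:
    def __init__(self, name: str) -> None:
        self.name = name
        self.sessions: Dict[str, str] = {}  # local session id -> IdP session

    def consume_token(self, token: dict) -> str:
        """Step 6: accept the token only if it was issued for this SP."""
        if token["audience"] != self.name:
            raise PermissionError("token audience mismatch")
        local = "S" + secrets.token_hex(4)
        self.sessions[local] = token["idp_session"]
        return local

    def is_valid(self, local: str) -> bool:
        return local in self.sessions

    def invalidate_for(self, idp_session: str) -> int:
        dropped = [s for s, i in self.sessions.items() if i == idp_session]
        for s in dropped:
            del self.sessions[s]
        return len(dropped)


def single_logout(idp: IdentityProvider, sps: Dict[str, ServiceProvider], sid: str) -> Dict[str, int]:
    """Propagate an IdP logout to every SP recorded against that IdP session."""
    return {name: sps[name].invalidate_for(sid) for name in idp.logout(sid)}


def sso_demo() -> dict:
    """Replays the slide: IS1 -> SP1, IS1 -> SP2, IS2 -> SP2, then logout of IS1."""
    idp = IdentityProvider()
    sps = {"SP1": ServiceProvider("SP1"), "SP2": ServiceProvider("SP2")}
    is1 = idp.login("robert", "robert-pass")
    s1 = sps["SP1"].consume_token(idp.issue_token(is1, "SP1"))  # first login, via the IdP login page
    s2 = sps["SP2"].consume_token(idp.issue_token(is1, "SP2"))  # SP2: login page bypassed
    is2 = idp.login("robert", "robert-pass")                      # same user, a second browser
    s2b = sps["SP2"].consume_token(idp.issue_token(is2, "SP2"))
    dropped = single_logout(idp, sps, is1)
    return {"dropped": dropped,
            "s1_valid": sps["SP1"].is_valid(s1),
            "s2_valid": sps["SP2"].is_valid(s2),
            "s2b_valid": sps["SP2"].is_valid(s2b)}
```

The point the table makes is that an SP cannot know on its own that S2 should die when the user logs out at SP1; only the IdP holds the IS1 to SP1/SP2 mapping, so logout has to be driven from there.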

Page 19: WSO2Con ASIA 2016: Enterprise Security Uncovered

Service provider 1 (SP1)

/data/files

/data/archives

/data/visualize

/data/details

User = Jane

User = David

User = Tao

Page 20: WSO2Con ASIA 2016: Enterprise Security Uncovered

Service provider 1 (SP1)

User = Jane

User = David

User = Tao

Access control policy

If user = Tao and resource = /data/archives

Permit.

If role = Clark and action = write

Deny.

If role = Manager and resource = /data/files

Permit.

Page 21: WSO2Con ASIA 2016: Enterprise Security Uncovered

/data/files

/data/archives

/data/visualize

/data/details

Policy Decision Point

If user = jane, Permit.

If role = clark and action = write, Deny.

Policy Store

Policy Administration Point

Policy Enforcement Point (PEP)

User = Tao

User = David

User = Jane

Page 22: WSO2Con ASIA 2016: Enterprise Security Uncovered

Policy Enforcement Point (PEP)

User = Jane

User = David

User = Tao

Service provider 1 (SP1)

/data/files

/data/archives

/data/visualize

/data/details

4. Filtered messages

Policy decision point

If user = jane, Permit.

If role = clark and action = write, Deny.

1. Parameters

2. Evaluate

3. Decision

Access policy 1

Page 23: WSO2Con ASIA 2016: Enterprise Security Uncovered

Policy

Target

Rule (effect = permit)

Target

Condition

Rule … Rule …

Activation conditions for the rule set

Activation conditions for the rule

Conditions for the rule

Decision if target and condition are true

Page 24: WSO2Con ASIA 2016: Enterprise Security Uncovered

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="BankOne_account_access_policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
        Version="1.0">
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/bankone/accounts/*</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Permit" RuleId="update_accounts_rule">
    ….
  </Rule>
  …....
</Policy>

If resource matches /bankone/accounts/*

Activation conditions for the rule set

Page 25: WSO2Con ASIA 2016: Enterprise Security Uncovered

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="BankOne_account_access_policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
        Version="1.0">
  <Target>
    .....
  </Target>
  <Rule Effect="Permit" RuleId="update_accounts_rule">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
            <AttributeValue DataType="...#string">/bankone/accounts/update/*</AttributeValue>
            <AttributeDesignator AttributeId="...:resource:resource-id"
                                 Category="...:attribute-category:resource"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role"
                             Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="read_accounts_rule">
    …
  </Rule>
</Policy>

Permit if conditions satisfy

If resource matches /bankone/accounts/update/*

If role is manager

Page 26: WSO2Con ASIA 2016: Enterprise Security Uncovered

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/bankone/accounts/read/a1</AttributeValue>
    </Attribute>
  </Attributes>
</Request>

Subject = bob

Resource = /bankone/accounts/read/a1

Page 27: WSO2Con ASIA 2016: Enterprise Security Uncovered

Policy Enforcement Point (PEP)

User = Jane

User = David

User = Tao

Service provider 1 (SP1)

/data/files

/data/archives

/data/visualize

/data/details

4. Filtered messages

Policy decision

If user = jane, Permit.

If role = clark and action = write, Deny.

1. Parameters

2. Evaluate

3. Decision

Access policy 1

Page 28: WSO2Con ASIA 2016: Enterprise Security Uncovered

WSO2 ESB

Proxy service

Entitlement

Service provider 1 (SP1)

On accept: Send

On reject: Drop

Property [Set user]

Property [Set resource]

Policy decision (WSO2 IS)

Page 29: WSO2Con ASIA 2016: Enterprise Security Uncovered

Service provider: Access resource R1

Does the user have permission to access R1?

Service provider: Access resource R1

Token

Check if R1 is authorized for the given token

Page 31: WSO2Con ASIA 2016: Enterprise Security Uncovered

• Access is granted to authorized tokens

• Users obtain tokens from an authorization server

• Service providers validate the authorization of a token with the authorization server

Tokens are authorized for scopes

Each protected resource + action has to be mapped to a scope

Page 32: WSO2Con ASIA 2016: Enterprise Security Uncovered

Service provider

Read resource R1

Authorization server

Token (T1)

Resource    Action    Scope
R1          read      R1_read
R1          write     R1_write
R2          read      R2_read

Token    Scope
T1       R1_read
T2       R1_read
T3       R2_read
T3       R2_write

Is T1 authorized for R1_read?

Page 34: WSO2Con ASIA 2016: Enterprise Security Uncovered

Web app

Access photos in collection A

I need an OAuth2 token with scope “photos_A”

PhotoServer

Page 35: WSO2Con ASIA 2016: Enterprise Security Uncovered

Web app

PhotoServer

Client ID / Client secret

1. Register webapp

2. Generate client ID / client secret

3. Configure callback URL

4. Configure OAuth2 URLs

5. Set client ID / client secret

Application Developer

Page 36: WSO2Con ASIA 2016: Enterprise Security Uncovered

Web app

PhotoServer

Client ID / Client secret / Auth code

1. Redirect with scope request

2. Authenticate and ask permission

3. Redirect with auth code

Page 37: WSO2Con ASIA 2016: Enterprise Security Uncovered

PhotoServer

Web app

Client ID / Client secret

4. Request token (auth code, cid, secret)

6. Access photo collection A

5. Send Token

Page 38: WSO2Con ASIA 2016: Enterprise Security Uncovered

Client – the one who wants to access the resource. E.g. a web app

E.g. a web app wants to access photos stored in PhotoServer

Web app

User – the one who has permissions to the resource. E.g. Jane, via Jane's web browser

Resource server – the one that holds the resource

Authorization server – the one that grants access to the resource. E.g. Facebook

PhotoServer

Page 39: WSO2Con ASIA 2016: Enterprise Security Uncovered

Web app PhotoServer

Authorization server

1. Access web app

2. Redirect with scope request “photos_A”

3. Authenticate and ask permissions

4. Redirect with auth code

Page 40: WSO2Con ASIA 2016: Enterprise Security Uncovered

Web app PhotoServer

Authorization server

5. Request token (auth code, cid, secret)

6. Token given

7. Request photos

Page 41: WSO2Con ASIA 2016: Enterprise Security Uncovered

Web app PhotoServer

Authorization server

8. Validate token for scope “photos_A”

9. Validation response

Token Scope

T1 photos_A

T2 photos_B

T3 photos_A

T3 photos_B
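Pages 35 to 41 walk through the whole authorization-code flow (client registration, redirect with a scope request, auth code, code-for-token exchange with client ID and secret, then token validation against the token-to-scope table), and page 32 shows the same scope table for R1/R2. The following is an added example, not code from the slides or from WSO2, that plays both sides of that exchange in one process: an authorization server that registers the web app, issues codes and tokens and answers "is this token authorized for scope X?", and a PhotoServer that refuses to hand out a collection without that answer. Client names, callback URL and the photo data are constructed for the example; the code lifetime is an assumed value.

```python
import hmac
import secrets
import time
from typing import Dict, List, Optional

CODE_LIFETIME_SECONDS = 60  # assumed; codes are short-lived in practice


class AuthorizationServer:
    """Registration (setup steps 1-5), authorization code grant and the
    token -> scope table the resource server consults (steps 8-9)."""

    def __init__(self) -> None:
        self.clients: Dict[str, dict] = {}
        self.codes: Dict[str, dict] = {}
        self.tokens: Dict[str, dict] = {}

    def register_client(self, name: str, callback_url: str):
        cid, secret = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
        self.clients[cid] = {"name": name, "secret": secret, "callback": callback_url}
        return cid, secret

    def authorize(self, cid: str, callback_url: str, scope: str, user: str, approved: bool) -> Optional[str]:
        """Steps 2-4: the user authenticates and grants (or refuses) the scope;
        a code is issued only for the callback registered for this client."""
        client = self.clients.get(cid)
        if client is None or client["callback"] != callback_url or not approved:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"cid": cid, "scope": set(scope.split()), "user": user, "issued": time.time()}
        return code

    def token(self, code: str, cid: str, secret: str, callback_url: str) -> Optional[str]:
        """Step 5: exchange the code. The code is consumed on first use, and the
        client secret and callback must match the registration."""
        grant = self.codes.pop(code, None)  # one shot, whether or not the exchange succeeds
        client = self.clients.get(cid)
        if grant is None or client is None or grant["cid"] != cid:
            return None
        if time.time() - grant["issued"] > CODE_LIFETIME_SECONDS:
            return None
        if not hmac.compare_digest(client["secret"], secret) or client["callback"] != callback_url:
            return None
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"scope": grant["scope"], "user": grant["user"], "cid": cid}
        return tok

    def validate(self, tok: str, required_scope: str) -> bool:
        """Steps 8-9: is this token authorized for the scope? (the token -> scope table)"""
        meta = self.tokens.get(tok)
        return meta is not None and required_scope in meta["scope"]


class PhotoServer:
    """Resource server: collection A maps to scope photos_A, B to photos_B, and
    every request is checked with the authorization server before data is returned."""

    def __init__(self, auth: AuthorizationServer, photos: Dict[str, List[str]]) -> None:
        self.auth, self.photos = auth, photos

    def get_photos(self, tok: str, collection: str) -> Optional[List[str]]:
        if not self.auth.validate(tok, f"photos_{collection}"):
            return None
        return list(self.photos.get(collection, []))


def run_flow() -> dict:
    """Drive the web app's side of the flow and collect what each step returned."""
    cb = "https://webapp.example/callback"  # constructed callback URL
    auth = AuthorizationServer()
    photos = PhotoServer(auth, {"A": ["a1.jpg", "a2.jpg"], "B": ["b1.jpg"]})
    cid, secret = auth.register_client("webapp", cb)                     # setup steps 1-5
    code = auth.authorize(cid, cb, "photos_A", "jane", approved=True)     # steps 2-4
    tok = auth.token(code, cid, secret, cb)                               # steps 5-6
    return {
        "collection_a": photos.get_photos(tok, "A"),                      # steps 7-9
        "collection_b": photos.get_photos(tok, "B"),                      # photos_A does not cover B
        "code_reuse": auth.token(code, cid, secret, cb),                  # second exchange of the same code
        "wrong_secret": auth.token(auth.authorize(cid, cb, "photos_A", "jane", True), cid, "not-the-secret", cb),
        "denied_by_user": auth.authorize(cid, cb, "photos_A", "jane", approved=False),
    }
```

Everything a scope buys is decided in `validate`: a token for `photos_A` is worthless for collection B, which is the "each protected resource + action has to be mapped to a scope" point from page 31. The single-use code and the secret check are what keep a leaked auth code from being exchanged by anyone other than the registered web app.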

Page 43: WSO2Con ASIA 2016: Enterprise Security Uncovered

Web app

Log in

Identity server

Read Jane's profile

Page 44: WSO2Con ASIA 2016: Enterprise Security Uncovered

Web app

1. Log in

2. Get tokens

3. Authenticate

4. Auth code

Client ID / Secret

Auth code

Identity server

Page 45: WSO2Con ASIA 2016: Enterprise Security Uncovered

6.

Web app

Client ID / Secret

Auth code

Identity server

5. Auth code, cid, secret

Access token:

Authorizes user info access

ID token:

Authenticates the user

Page 46: WSO2Con ASIA 2016: Enterprise Security Uncovered

Web app

Identity server

7. Get user info

8. First name: Jane, Address: 65, Ed.., Tel: +61 93...

Page 47: WSO2Con ASIA 2016: Enterprise Security Uncovered

Identity server

Company A (logistics) Company A (head office)

Company B

Jane wants to access a service hosted by

company A.

Page 48: WSO2Con ASIA 2016: Enterprise Security Uncovered

Identity server

Identity server Identity server

Company A (logistics) Company A (head office)

Company B

Jane wants to access a service hosted by

company A.

You are not in my Identity Server!

But I am registered in Company B

Page 49: WSO2Con ASIA 2016: Enterprise Security Uncovered

Identity server

Identity server Identity server

Company A (logistics) Company A (head office)

Company B

Trust local IS

Trust IS in head office

Trust IS of company B

If company B says “This is Jane”

then company A (logistics) believes it

Page 50: WSO2Con ASIA 2016: Enterprise Security Uncovered

Company A (logistics) IS - IS1: <SP> webapp1, <IDP> IS2

Company A (HQ) IS - IS2: <SP> IS1, <IDP> IS3

Company B IS - IS3: <SP> IS2

WSO2 AS: webapp1

Request for resource

Redirect with SAML request (webapp1 → IS1)

Redirect with SAML request (IS1 → IS2)

Redirect with SAML request (IS2 → IS3)

Authenticate

Page 51: WSO2Con ASIA 2016: Enterprise Security Uncovered

Company A (logistics) IS - IS1: <SP> webapp1, <IDP> IS2

Company A (HQ) IS - IS2: <SP> IS1, <IDP> IS3

Company B IS - IS3: <SP> IS2

WSO2 AS: webapp1

SAML assertion “User is Jane” (IS3 → IS2)

SAML assertion “User is Jane” (IS2 → IS1)

SAML assertion “User is Jane” (IS1 → webapp1)

Page 53: WSO2Con ASIA 2016: Enterprise Security Uncovered

Identity server

Identity server Identity server

Company A (logistics) Company A (head office)

Company B

SAML request

SAML request

SAML request

???

Page 56: WSO2Con ASIA 2016: Enterprise Security Uncovered

WSO2 Identity Server: Service Provider

Identity Provider

Claim configuration

Federated authenticators

SAML, OpenID Connect, Facebook, Google

Identity server

email → http://wso2.org/email
first_name → http://wso2.org/given_name
…....

Outbound authentication

OpenID Connect request

SAML request

Page 57: WSO2Con ASIA 2016: Enterprise Security Uncovered

WSO2 Identity Server: Service Provider

Identity Provider

Claim configuration

Federated authenticators

SAML, OpenID Connect, Facebook, Google

Identity server

email → http://wso2.org/email
first_name → http://wso2.org/given_name
…....

Outbound authentication

SAML Response

Apply claim mappings

OpenID Connect response
Claims: email = [email protected], first_name = Jane

Claims: http://wso2.org/email = [email protected], http://wso2.org/given_name = Jane

Claims: email = [email protected], … = Jane

Page 58: WSO2Con ASIA 2016: Enterprise Security Uncovered

IS of Company A - IS1: <SP> webapp1, <IDP> IS2

WSO2 AS: webapp1

Request for resource (SAML)

Authenticate

IS1 authenticators: SAML authenticator, OpenID Connect authenticator

IS of Company B - IS2: <SP> IS1

IS2 authenticator: OpenID Connect authenticator

OpenID Connect

Page 59: WSO2Con ASIA 2016: Enterprise Security Uncovered

IS of Company A - IS1: <SP> webapp1, <IDP> IS2

WSO2 AS: webapp1

Request for resource (SAML)

Authenticate

IS1 authenticators: SAML authenticator, OpenID Connect authenticator

OpenID Connect

Anyone with a Facebook account can be authenticated

Page 63: WSO2Con ASIA 2016: Enterprise Security Uncovered

SCIM – System for Cross-domain Identity Management

SCIM endpoints

Page 64: WSO2Con ASIA 2016: Enterprise Security Uncovered

curl -v -k --user admin:admin \
  --header "Content-Type:application/json" \
  --data '{"schemas":[],"name":{"familyName":"Ekanayake","givenName":"Chathura"},"userName":"chathura","password":"pass123"}' \
  https://localhost:9443/wso2/scim/Users

(The JSON body is single-quoted so the inner double quotes reach the server intact; the slide elides further user attributes after "password".)

Page 65: WSO2Con ASIA 2016: Enterprise Security Uncovered

Identity server

Identity server

Identity server

Logistics

Head office

Accounting

Add user to all Identity Servers!

Username: saman
Password: saman123
Email: [email protected]

Username: saman
Password: saman123
Email: [email protected]

Username: saman
Password: saman123
Email: [email protected]

Page 66: WSO2Con ASIA 2016: Enterprise Security Uncovered

Identity server

Identity server

Identity server

Logistics

Head office

Accounting

Username: saman
Password: saman123
Email: [email protected]

Username: saman
Password: saman123
Email: [email protected]

Username: saman
Password: saman123
Email: [email protected]

Page 67: WSO2Con ASIA 2016: Enterprise Security Uncovered

IS1 – Logistics

SCIM endpoint

IDP – IS2 (outbound provisioning: SCIM, SPML, SOAP/WS)

IS2 – Head office

SCIM endpoint

Page 68: WSO2Con ASIA 2016: Enterprise Security Uncovered

Identity server

Logistics

Identity server

Head office

Username: jane
Password: jane123
Email: [email protected]

1. Access request

2. Auth request

3. Auth request

4. Auth response

IS1 User store

5. Add user

Page 69: WSO2Con ASIA 2016: Enterprise Security Uncovered

Identity server

Update roles

Update claims

I need to approve assignments to “Assessor” role

I need to approve all claims

One of us has to approve all new assessors

Page 70: WSO2Con ASIA 2016: Enterprise Security Uncovered

Identity server

Update claims

Approve claims update

Assigned to “Bob”

Page 71: WSO2Con ASIA 2016: Enterprise Security Uncovered

Identity server

Update roles

Approve role assignment

Approve role assignment

Assigned to “supervisors” role

Assigned to “James”

Page 73: WSO2Con ASIA 2016: Enterprise Security Uncovered

Try with: https://store.wso2.com

Page 78: WSO2Con ASIA 2016: Enterprise Security Uncovered

Demo Resources

Page 81: WSO2Con ASIA 2016: Enterprise Security Uncovered

● The operations getVersion1 and getVersion2 in the service http://localhost:8280/services/Customers may be accessed by any user.

● Requests to any other service or operation may only be made by users belonging to the group admin_emps, the group admin, or both.

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="testOr"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
  <Description>Test Or</Description>
  <Target></Target>
  <Rule Effect="Permit" RuleId="primary-group-emps-rule">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="true"></AttributeDesignator>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <AttributeDesignator AttributeId="group"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             Category="urn:oasis:names:tc:xacml:3.0:group"
                             MustBePresent="true"></AttributeDesignator>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin_emps</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="primary-user-rule">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"></AttributeDesignator>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getVersion1</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getVersion2</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Deny" RuleId="deny-rule"></Rule>
</Policy>

Page 82: WSO2Con ASIA 2016: Enterprise Security Uncovered

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">pushpalanka</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:group">
    <Attribute AttributeId="group" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">business</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getVersion2</AttributeValue>
    </Attribute>
  </Attributes>
</Request>

● User 'Pushpalanka' belonging to groups staff and business tries to access 'http://localhost:8280/services/Customers/getVersion2'.

● Expected Response: Permit

Page 83: WSO2Con ASIA 2016: Enterprise Security Uncovered

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:group">
    <Attribute AttributeId="group" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">business</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/</AttributeValue>
    </Attribute>
  </Attributes>
</Request>

● Admin user belonging to admin and business groups tries to access service 'http://localhost:8280/services/Customers/'.

● Expected Response: Permit
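Pages 23 to 26 describe the XACML policy structure (policy target, rule target, condition, combining algorithm) and pages 81 to 83 give a concrete policy with two requests and their expected decisions. The following is an added example, not code from the slides, from WSO2 or from its Balana engine: a small policy decision point that parses the demo policy and a request, evaluates targets, conditions and the functions those slides use (string-equal, string-regexp-match, any-of, string-bag, string-at-least-one-member-of) and combines the rules with first-applicable or deny-overrides. The policy text is the slides' demo policy with whitespace condensed; `make_request` builds requests in the same shape as the two on the slides. Two simplifications are labelled in the comments: a missing attribute yields an empty bag rather than Indeterminate, and regexp-match is an unanchored search.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
STR = "http://www.w3.org/2001/XMLSchema#string"
CUSTOMERS = "http://localhost:8280/services/Customers"

# The demo policy from the slides (first-applicable: the first rule whose
# target and condition both hold decides), whitespace condensed.
POLICY_XML = f"""<Policy xmlns="{NS[1:-1]}" PolicyId="testOr" Version="1.0"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target/>
 <Rule Effect="Permit" RuleId="primary-group-emps-rule">
  <Target><AnyOf><AllOf><Match MatchId="{FN}string-equal"><AttributeValue DataType="{STR}">read</AttributeValue>
   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="{STR}"
    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="true"/></Match></AllOf></AnyOf></Target>
  <Condition><Apply FunctionId="{FN}string-at-least-one-member-of">
   <AttributeDesignator AttributeId="group" Category="urn:oasis:names:tc:xacml:3.0:group" DataType="{STR}" MustBePresent="true"/>
   <Apply FunctionId="{FN}string-bag"><AttributeValue DataType="{STR}">admin_emps</AttributeValue>
    <AttributeValue DataType="{STR}">admin</AttributeValue></Apply></Apply></Condition></Rule>
 <Rule Effect="Permit" RuleId="primary-user-rule">
  <Condition><Apply FunctionId="{FN}string-at-least-one-member-of">
   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="{STR}"
    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="true"/>
   <Apply FunctionId="{FN}string-bag"><AttributeValue DataType="{STR}">{CUSTOMERS}/getVersion1</AttributeValue>
    <AttributeValue DataType="{STR}">{CUSTOMERS}/getVersion2</AttributeValue></Apply></Apply></Condition></Rule>
 <Rule Effect="Deny" RuleId="deny-rule"/>
</Policy>"""


def make_request(action, subject, groups, resource):
    """Build a XACML 3.0 <Request> shaped like the ones on the slides."""
    parts = [("urn:oasis:names:tc:xacml:3.0:attribute-category:action", "urn:oasis:names:tc:xacml:1.0:action:action-id", [action]),
             ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", "urn:oasis:names:tc:xacml:1.0:subject:subject-id", [subject]),
             ("urn:oasis:names:tc:xacml:3.0:group", "group", groups),
             ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id", [resource])]
    body = "".join(f'<Attributes Category="{cat}"><Attribute AttributeId="{aid}" IncludeInResult="false">'
                   + "".join(f'<AttributeValue DataType="{STR}">{escape(v)}</AttributeValue>' for v in vals)
                   + "</Attribute></Attributes>" for cat, aid, vals in parts)
    return f'<Request xmlns="{NS[1:-1]}" CombinedDecision="false" ReturnPolicyIdList="false">{body}</Request>'


def parse_request(xml_text):
    """Index request attributes as {(category, attribute-id): [values]}."""
    ctx = {}
    for attrs in ET.fromstring(xml_text).iter(NS + "Attributes"):
        for attr in attrs.findall(NS + "Attribute"):
            key = (attrs.get("Category"), attr.get("AttributeId"))
            ctx.setdefault(key, []).extend(v.text or "" for v in attr.findall(NS + "AttributeValue"))
    return ctx


def primitive(fn, a, b):
    if fn == FN + "string-equal":
        return a == b
    if fn == FN + "string-regexp-match":  # simplification: unanchored search, so "/bankone/accounts/*" acts as a prefix test
        return re.search(a, b) is not None
    raise NotImplementedError(fn)


def evaluate_expr(node, ctx):
    """AttributeValue/AttributeDesignator -> bag, Function -> id, Apply -> result.
    Simplification: a missing attribute is an empty bag; a full PDP returns
    Indeterminate when MustBePresent="true"."""
    tag = node.tag[len(NS):]
    if tag == "AttributeValue":
        return [node.text or ""]
    if tag == "AttributeDesignator":
        return ctx.get((node.get("Category"), node.get("AttributeId")), [])
    if tag == "Function":
        return node.get("FunctionId")
    fn, args = node.get("FunctionId"), [evaluate_expr(c, ctx) for c in node]
    if fn == FN + "string-bag":
        return [v for bag in args for v in bag]
    if fn == FN + "string-at-least-one-member-of":
        return bool(set(args[0]) & set(args[1]))
    if fn == FN + "any-of":  # any-of(function, value, bag): function(value, x) for some x in bag
        return any(primitive(args[0], args[1][0], v) for v in args[2])
    return primitive(fn, args[0][0], args[1][0])


def target_matches(target, ctx):
    """Every AnyOf must hold; an AnyOf holds if one AllOf has all its Matches true;
    a Match is true if the function holds for some value in the designator's bag."""
    for any_of in (target if target is not None else []):
        if not any(all(any(primitive(m.get("MatchId"), m.find(NS + "AttributeValue").text or "", v)
                           for v in evaluate_expr(m.find(NS + "AttributeDesignator"), ctx))
                       for m in all_of) for all_of in any_of):
            return False
    return True  # an empty or absent Target applies to every request


def evaluate_rule(rule, ctx):
    if not target_matches(rule.find(NS + "Target"), ctx):
        return "NotApplicable"
    cond = rule.find(NS + "Condition")
    if cond is not None and not evaluate_expr(cond[0], ctx):
        return "NotApplicable"
    return rule.get("Effect")


def evaluate(policy_xml, request_xml):
    """Policy decision point: returns Permit, Deny or NotApplicable."""
    policy, ctx = ET.fromstring(policy_xml), parse_request(request_xml)
    if not target_matches(policy.find(NS + "Target"), ctx):
        return "NotApplicable"
    results = [evaluate_rule(r, ctx) for r in policy.findall(NS + "Rule")]
    alg = policy.get("RuleCombiningAlgId").rsplit(":", 1)[1]
    if alg == "first-applicable":
        return next((r for r in results if r != "NotApplicable"), "NotApplicable")
    if alg == "deny-overrides":
        return "Deny" if "Deny" in results else "Permit" if "Permit" in results else "NotApplicable"
    raise NotImplementedError(alg)
```

Running the two slide requests through `evaluate` reproduces the expected Permit for both, and a user outside admin_emps/admin asking for the service root falls through to the trailing deny rule. Swapping the combining algorithm to deny-overrides (the one the BankOne policy on page 24 uses) turns every decision into Deny, because that unconditional deny rule is then never outranked; the trailing catch-all only works under first-applicable.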