WSO2Con USA 2017: Building a Secure Enterprise
Johann Dilantha Nallathamby, Technical Lead, WSO2
Rushmin Fernando, Technical Lead, WSO2

Uploaded by: wso2-inc
Posted on: 10-Apr-2017
Category: Technology

TRANSCRIPT

Page 1: WSO2Con USA 2017: Building a Secure Enterprise

Building a Secure Enterprise

Johann Dilantha Nallathamby, Technical Lead, WSO2

Rushmin Fernando, Technical Lead, WSO2

Page 2

Agenda

• WSO2 Identity Server Architecture
• SAML2 Single Sign-On/Single Logout
• XACML 3.0
• OAuth 2.0
• OpenID Connect
• User Management
• SCIM 2.0
• Plugging an external Identity Store
• Identity Cloud

Page 3

Identity Server Architecture

Page 4

SAML SSO

Identity provider (e.g. WSO2 IS)

Service provider (e.g. inventory)

User data

1. Log in request
2. Redirect to IDP URL
3. Request token
4. Authenticate
5. Redirect to SP with token
6. Send SAML token (Session: S1)

Page 5

SAML SSO - User Experience

Page 6

SAML SSO - Login to Another Service Provider

Identity provider (e.g. WSO2 IS)

Service provider 1 (e.g. inventory), Session: S1

Service provider 2 (e.g. Accounts dept.), Session: S2

User data

1. Log in request
2. Redirect to IDP URL
3. Request token (session: IS1)
4. Bypass login page
5. Redirect to SP with token
6. Send SAML token

Page 7

SAML SSO

Identity provider (e.g. WSO2 IS), Session: IS1

Service provider 1 (SP1), Session: S1

Service provider 2 (SP2), Session: S2

Session ID   SP
IS1          SP1
IS1          SP2
IS2          SP2

Page 8

SAML Single Logout

Identity provider (e.g. WSO2 IS)

Service provider 1 (SP1)

Service provider 2 (SP2)

Session ID   SP
IS1          SP1
IS1          SP2
IS2          SP2

Logout (session: S1)
Logout (session: IS1)
Session: S2 (Invalidated)

The logout request from SP1 ends SP session S1 and identity provider session IS1; the identity provider then looks up every other SP bound to IS1 in the table and logs it out too, so S2 at SP2 is invalidated while the unrelated session IS2 is left alone.
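The session table on pages 7 and 8, as an added example for this transcript (not WSO2 Identity Server code). It keeps the IdP session -> SP session mapping the slides draw, lets a second SP login bypass the login page while the IdP session is alive (page 6, step 4), and on a logout from one SP returns the other SPs that must receive a LogoutRequest. The class and method names, the SP1/SP2 entity IDs and the jane/david credentials are all constructed for the example.

```python
import secrets
import time


class IdentityProvider:
    """Holds the IdP sessions and the SP sessions issued under each of them."""

    def __init__(self, session_ttl=3600):
        self.ttl = session_ttl
        # IdP session cookie -> {"user", "exp", "sps": {sp_entity_id: SessionIndex}}
        self.sessions = {}

    def login(self, sp, idp_cookie=None, credentials=None):
        """Pages 4 and 6: an SP's authentication request arrives at the IdP.

        Returns (idp_cookie, session_index, prompted). `prompted` is True when the
        user had to authenticate (page 4, step 4) and False when a live IdP session
        let the IdP bypass the login page (page 6, step 4).
        """
        sess = self.sessions.get(idp_cookie)
        if sess is None or sess["exp"] < time.time():
            if credentials is None:
                raise PermissionError("no IdP session: authenticate first")
            user = self._authenticate(credentials)
            idp_cookie = secrets.token_urlsafe(24)
            sess = self.sessions[idp_cookie] = {"user": user, "exp": time.time() + self.ttl, "sps": {}}
            prompted = True
        else:
            prompted = False
        # The SessionIndex travels in the assertion; the SP quotes it back in its LogoutRequest.
        session_index = secrets.token_urlsafe(16)
        sess["sps"][sp] = session_index
        return idp_cookie, session_index, prompted

    def single_logout(self, sp, session_index):
        """Page 8: a LogoutRequest from `sp` for `session_index`.

        Ends the IdP session that issued that index and returns the (sp, index)
        pairs the IdP must now send LogoutRequests to. An unknown index returns []
        and changes nothing, so one SP cannot log out sessions it was never part of.
        """
        for cookie, sess in list(self.sessions.items()):
            if sess["sps"].get(sp) == session_index:
                del self.sessions[cookie]
                return [(other, idx) for other, idx in sess["sps"].items() if other != sp]
        return []

    def is_active(self, idp_cookie):
        sess = self.sessions.get(idp_cookie)
        return sess is not None and sess["exp"] >= time.time()

    @staticmethod
    def _authenticate(credentials):
        # Constructed stand-in for the user store; a real deployment verifies password hashes.
        users = {("jane", "jane123"): "jane", ("david", "david123"): "david"}
        if credentials not in users:
            raise PermissionError("bad credentials")
        return users[credentials]


def demo():
    """Build the page-8 table (IS1 -> SP1, IS1 -> SP2, IS2 -> SP2), then log IS1 out via SP1."""
    idp = IdentityProvider()
    is1, s1, _ = idp.login("SP1", credentials=("jane", "jane123"))   # IS1 -> SP1 (login page shown)
    _, s2, prompted = idp.login("SP2", idp_cookie=is1)               # IS1 -> SP2 (login page bypassed)
    is2, _, _ = idp.login("SP2", credentials=("david", "david123"))  # IS2 -> SP2 (another browser)
    fan_out = idp.single_logout("SP1", s1)                           # SP1 reports that S1 logged out
    return {"bypassed": not prompted, "fan_out": fan_out, "s2": s2,
            "is1_active": idp.is_active(is1), "is2_active": idp.is_active(is2)}
```

The point the table makes is the fan-out: the IdP cannot just drop its own cookie, it has to walk the SPs recorded under IS1 and send each one a LogoutRequest, while IS2 (the same SP2, but a different IdP session) must survive untouched.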

Page 9

What the User Can Do...

Service provider 1(SP1)

/data/files

/data/archives

/data/visualize

/data/details

User = Jane

User = David

User = Tao

Page 10

What the User Can Do (Ctd...)

Service provider 1 (SP1)

User = Jane

User = David

User = Tao

Access control policy

If user = Tao and resource = /data/archives: Permit.
If role = Clark and action = write: Deny.
If role = Manager and resource = /data/files: Permit.

Page 11

XACML - Architecture

/data/files
/data/archives
/data/visualize
/data/details

Policy Decision Point (PDP)
If user = jane: Permit.
If role = clark and action = write: Deny.

Policy Store

Policy Administration Point (PAP)

Policy Enforcement Point (PEP)

User = Tao
User = David
User = Jane

Page 12

XACML - Policy Decision Flow

Service provider 1 (SP1): /data/files, /data/archives, /data/visualize, /data/details
Users: Jane, David, Tao

Policy Enforcement Point (PEP)

Policy Decision Point
If user = jane: Permit.
If role = clark and action = write: Deny.

1. Parameters (PEP to PDP)
2. Evaluate (Access policy 1)
3. Decision (PDP to PEP)
4. Filtered messages

Page 13

XACML - Policy

Policy
  Target: activation conditions for the rule set
  Rule (effect = permit)
    Target: activation conditions for the rule
    Condition: conditions for the rule
    Effect: decision if target and condition are true
  Rule …
  …

Page 14

XACML - Policy (Ctd...)

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="BankOne_account_access_policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
        Version="1.0">
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/bankone/accounts/*</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Permit" RuleId="update_accounts_rule">
    ….
  </Rule>
  …....
</Policy>

Activation conditions for the rule set: the policy applies if the resource matches /bankone/accounts/*

Page 15

XACML - Policy (Rules)

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="BankOne_account_access_policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
        Version="1.0">
  <Target>
    .....
  </Target>
  <Rule Effect="Permit" RuleId="update_accounts_rule">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
            <AttributeValue DataType="...#string">/bankone/accounts/update/*</AttributeValue>
            <AttributeDesignator AttributeId="...:resource:resource-id"
                                 Category="...:attribute-category:resource"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role"
                             Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="read_accounts_rule">
    …
  </Rule>
</Policy>

Permit if the conditions are satisfied:
the rule's Target: resource matches /bankone/accounts/update/*
the rule's Condition: the subject's role is manager

Page 16

XACML Request

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/bankone/accounts/read/a1</AttributeValue>
    </Attribute>
  </Attributes>
</Request>

Subject = bob
Resource = /bankone/accounts/read/a1
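To see how the policy on pages 14 and 15 decides the request on page 16, here is a toy policy decision point, added for this transcript and not WSO2's Balana engine. It parses a reconstruction of that policy (the body of read_accounts_rule is elided on the slide, so the one used here, "permit any /bankone/accounts/read/* request", is an assumption), builds requests shaped like the page-16 one, and implements only the functions the policy uses: string-regexp-match in targets, any-of over string-equal in the condition, MustBePresent handling, and a simplified deny-overrides (Deny beats Indeterminate beats Permit beats NotApplicable). Two things the slides do not show: the page-16 request carries no role attribute, so the same subject asking for /bankone/accounts/update/* gets Indeterminate (the role designator is MustBePresent="true"), not Deny; and a PEP must treat anything other than Permit as a refusal.

```python
"""Toy XACML 3.0 PDP for the BankOne policy (constructed example, not Balana)."""
import re
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
STRING = "http://www.w3.org/2001/XMLSchema#string"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ROLE_CLAIM = "http://wso2.org/claims/role"   # the WSO2 role claim used on page 15


def _resource_target(pattern):
    """<Target> that fires when resource-id string-regexp-matches `pattern`."""
    return (f'<Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">'
            f'<AttributeValue DataType="{STRING}">{pattern}</AttributeValue>'
            f'<AttributeDesignator AttributeId="{RESOURCE_ID}" Category="{RESOURCE_CAT}" '
            f'DataType="{STRING}" MustBePresent="true"/></Match></AllOf></AnyOf></Target>')


# The slide's policy; read_accounts_rule is elided there, so its body below is an assumption.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="BankOne_account_access_policy" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  {_resource_target('/bankone/accounts/*')}
  <Rule Effect="Permit" RuleId="update_accounts_rule">
    {_resource_target('/bankone/accounts/update/*')}
    <Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
      <AttributeValue DataType="{STRING}">manager</AttributeValue>
      <AttributeDesignator AttributeId="{ROLE_CLAIM}" Category="{SUBJECT_CAT}" DataType="{STRING}" MustBePresent="true"/>
    </Apply></Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="read_accounts_rule">
    {_resource_target('/bankone/accounts/read/*')}
  </Rule>
</Policy>"""


def make_request(subject, resource, roles=()):
    """Request shaped like page 16; role attributes are present only if the PEP sends them."""
    role_attrs = "".join(f'<Attribute AttributeId="{ROLE_CLAIM}" IncludeInResult="false">'
                         f'<AttributeValue DataType="{STRING}">{r}</AttributeValue></Attribute>' for r in roles)
    return (f'<Request xmlns="{XACML}" CombinedDecision="false" ReturnPolicyIdList="false">'
            f'<Attributes Category="{SUBJECT_CAT}"><Attribute AttributeId="{SUBJECT_ID}" IncludeInResult="false">'
            f'<AttributeValue DataType="{STRING}">{subject}</AttributeValue></Attribute>{role_attrs}</Attributes>'
            f'<Attributes Category="{RESOURCE_CAT}"><Attribute AttributeId="{RESOURCE_ID}" IncludeInResult="false">'
            f'<AttributeValue DataType="{STRING}">{resource}</AttributeValue></Attribute></Attributes></Request>')


class Indeterminate(Exception):
    """A MustBePresent attribute is missing from the request, or a function is unsupported."""


def _designator_values(desig, request):
    cat, attr_id = desig.get("Category"), desig.get("AttributeId")
    vals = [v.text for a in request.findall("x:Attributes", NS) if a.get("Category") == cat
            for at in a.findall("x:Attribute", NS) if at.get("AttributeId") == attr_id
            for v in at.findall("x:AttributeValue", NS)]
    if not vals and desig.get("MustBePresent") == "true":
        raise Indeterminate(f"missing attribute {attr_id}")
    return vals


def _apply(fn_id, literal, vals):
    if fn_id.endswith(":string-regexp-match"):
        # Caveat: engines differ on whether the regexp must cover the whole string (XML Schema
        # regexes are implicitly anchored). "/bankone/accounts/*" only selects sub-paths under
        # unanchored (search) semantics, so check this behaviour against the PDP you deploy.
        return any(re.search(literal, v) for v in vals)
    if fn_id.endswith(":string-equal"):
        return literal in vals
    raise Indeterminate(f"unsupported function {fn_id}")


def _target_matches(target, request):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match. An empty target matches."""
    def match(m):
        return _apply(m.get("MatchId"), m.find("x:AttributeValue", NS).text,
                      _designator_values(m.find("x:AttributeDesignator", NS), request))
    return target is None or all(
        any(all(match(m) for m in all_of.findall("x:Match", NS)) for all_of in any_of.findall("x:AllOf", NS))
        for any_of in target.findall("x:AnyOf", NS))


def _condition_holds(cond, request):
    if cond is None:
        return True
    apply = cond.find("x:Apply", NS)
    if not apply.get("FunctionId").endswith(":any-of"):
        raise Indeterminate("only any-of conditions are implemented here")
    return _apply(apply.find("x:Function", NS).get("FunctionId"), apply.find("x:AttributeValue", NS).text,
                  _designator_values(apply.find("x:AttributeDesignator", NS), request))


def _evaluate_rule(rule, request):
    try:
        if _target_matches(rule.find("x:Target", NS), request) and _condition_holds(rule.find("x:Condition", NS), request):
            return rule.get("Effect")
        return "NotApplicable"
    except Indeterminate:
        return "Indeterminate"


def evaluate(policy_xml, request_xml):
    """Return Permit, Deny, NotApplicable or Indeterminate. A PEP grants access only on Permit."""
    policy, request = ET.fromstring(policy_xml), ET.fromstring(request_xml)
    try:
        if not _target_matches(policy.find("x:Target", NS), request):
            return "NotApplicable"
    except Indeterminate:
        return "Indeterminate"
    decisions = [_evaluate_rule(r, request) for r in policy.findall("x:Rule", NS)]
    return next((d for d in ("Deny", "Indeterminate", "Permit") if d in decisions), "NotApplicable")
```

evaluate(POLICY_XML, make_request("bob", "/bankone/accounts/read/a1")) returns Permit, matching the slide. The update path is where the page-16 request shape bites: without a role attribute the update rule cannot be evaluated, so the answer is Indeterminate, and an ESB or servlet PEP that only checks "is the decision not Deny?" would wrongly let it through.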

Page 17

XACML - Policy Enforcement

Service provider 1 (SP1): /data/files, /data/archives, /data/visualize, /data/details
Users: Jane, David, Tao

Policy Enforcement Point (PEP)

Policy decision
If user = jane: Permit.
If role = clark and action = write: Deny.

1. Parameters (PEP to PDP)
2. Evaluate (Access policy 1)
3. Decision (PDP to PEP)
4. Filtered messages

Page 18

XACML - Policy Enforcement: WSO2 ESB

Proxy service
  Property [Set user]
  Property [Set resource]
  Entitlement (mediator) -> Policy decision (WSO2 IS)
    On accept: Send to Service provider 1 (SP1)
    On reject: Drop

Page 19

Render menu items in a web app based on the logged-in user’s fine-grained permissions

Page 20

XACML Demo

Page 21

Bring a Token...

Service provider: Access resource R1
Does the user have permission to access R1?

Service provider: Access resource R1 (with a token)
Check if R1 is authorized for the given token

Page 22

But..

How does a user get a token?
How do we know if a given token has permission to access a resource?

Page 23

OAuth 2.0

• Access is granted to authorized tokens
• Users obtain tokens from an authorization server
• Resource servers validate the authorization of a token with the authorization server

Tokens are authorized for scopes

Each protected resource + action has to be mapped to a scope

Page 24

OAuth 2.0 (Ctd...)

Service provider: Read resource R1

Authorization server: Token (T1)

Resource   Action   Scope
R1         read     R1_read
R1         write    R1_write
R2         read     R2_read

Token   Scope
T1      R1_read
T2      R1_read
T3      R2_read
T3      R2_write

Is T1 authorized for R1_read?

Page 25

Now …How to get a token?

Page 26

Access On Behalf of a User

E.g. A web app wants to access photos stored in PhotoServer

Web app: Access photos in collection A

I need an OAuth2 token with scope "photos_A"

PhotoServer

Page 27

Access On Behalf of a User (Ctd...)

E.g. A web app wants to access photos stored in PhotoServer

Web app

PhotoServer

Client ID / Client secret

Application Developer:
1. Register webapp
2. Generate client ID / client secret
3. Configure callback URL
4. Configure OAuth2 URLs
5. Set client ID / client secret

Page 28

Access On Behalf of a User (Ctd...)

E.g. A web app wants to access photos stored in PhotoServer

Web app

PhotoServer

Client ID / Client secret / Auth code

1. Redirect with scope request
2. Authenticate and ask permission
3. Redirect with auth code

Page 29

Access On Behalf of a User (Ctd...)

E.g. A web app wants to access photos stored in PhotoServer

PhotoServer

Web app

Client ID / Client secret

4. Request token (auth code, cid, secret)
5. Send Token
6. Access photo collection A

Page 30

Observations

E.g. A web app wants to access photos stored in PhotoServer

Client – the one who wants to access the resource. E.g. Web app
User – the one who has permissions to the resource. E.g. Jane (Jane's web browser)
Resource server – the one that holds the resource. E.g. PhotoServer
Authorization server – the one that grants access to the resource. E.g. Facebook

Page 31

Delegating the authorization

Web app, PhotoServer, Authorization server

1. Access web app
2. Redirect with scope request "photos_A"
3. Authenticate and ask permissions
4. Redirect with auth code

Page 32

Delegating the authorization (Ctd...)

Web app, PhotoServer, Authorization server

5. Request token (auth code, cid, secret)
6. Token given
7. Request photos

Page 33

Delegating the authorization (Ctd...)

Web app, PhotoServer, Authorization server

8. Validate token for scope "photos_A"
9. Validation response

Token   Scope
T1      photos_A
T2      photos_B
T3      photos_A
T3      photos_B
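The whole exchange of pages 27 to 33 in one process, as an added example for this transcript (not WSO2 or PhotoServer code): the authorization server, the PhotoServer resource server and the web-app client are in-memory classes with constructed names, and each HTTP hop is a method call. It shows the parts the arrows leave implicit: the redirect_uri on the authorization request must equal the one registered in step 3 of page 27, the code is bound to the client and redirect_uri and can be redeemed exactly once, the token request is authenticated with the client secret, and the resource server only serves collection A to a token the authorization server validates for photos_A (the table on page 33). The state parameter is not on the slides; it is the standard OAuth 2.0 anti-CSRF binding and is included as an assumption about what the web app should do.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_TTL = 60  # seconds; authorization codes are single-use and short-lived


class AuthorizationServer:
    """PhotoServer's authorization server (pages 27-29 and 33)."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret", "redirect_uri"}
        self.codes = {}    # code -> {"client_id", "redirect_uri", "scope", "user", "exp"}
        self.tokens = {}   # token -> {"scope": set, "user"}  (the token/scope table on page 33)

    def register(self, redirect_uri):
        """Page 27, steps 1-3: the developer registers the app and its callback URL."""
        cid, secret = "client-" + secrets.token_hex(4), secrets.token_urlsafe(32)
        self.clients[cid] = {"secret": secret, "redirect_uri": redirect_uri}
        return cid, secret

    def authorize(self, query, user, approved):
        """Page 28, steps 2-3: authenticate, ask permission, redirect back with a code."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        client = self.clients.get(q.get("client_id"))
        # An unregistered client, or a redirect_uri other than the registered one, is refused;
        # otherwise the code would be delivered to an attacker-controlled callback.
        if client is None or q.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("invalid client_id or redirect_uri")
        if not approved:
            return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "scope": q["scope"], "user": user, "exp": time.time() + CODE_TTL}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code, client_id, client_secret, redirect_uri):
        """Page 29, steps 4-5: redeem the code, authenticated with the client credentials."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        grant = self.codes.pop(code, None)  # pop: a code can be redeemed exactly once
        if (grant is None or grant["exp"] < time.time() or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"scope": set(grant["scope"].split()), "user": grant["user"]}
        return token

    def validate(self, token, required_scope):
        """Page 33, steps 8-9: does this token carry the scope the resource needs?"""
        info = self.tokens.get(token)
        return info is not None and required_scope in info["scope"]


class PhotoServer:
    """Resource server: collection X is served only to tokens validated for photos_X."""

    def __init__(self, authz):
        self.authz = authz
        self.photos = {"A": ["beach.jpg", "hike.jpg"], "B": ["id-card.jpg"]}  # constructed data

    def get_photos(self, token, collection):
        if not self.authz.validate(token, f"photos_{collection}"):
            raise PermissionError("insufficient_scope")
        return self.photos[collection]


class WebApp:
    """The client: holds client_id/secret and tracks each login's state value."""

    def __init__(self, authz, redirect_uri="https://webapp.example/callback"):
        self.authz, self.redirect_uri = authz, redirect_uri
        self.client_id, self.client_secret = authz.register(redirect_uri)
        self.pending = set()  # state values for logins in flight

    def start_login(self, scope="photos_A"):
        """Page 28, step 1: the query string of the redirect to the authorization server."""
        state = secrets.token_urlsafe(16)  # ties the callback to this login (assumed, not on the slides)
        self.pending.add(state)
        return urlencode({"response_type": "code", "client_id": self.client_id,
                          "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def callback(self, redirect_url):
        """Page 29, step 4: take the code off the callback and exchange it for a token."""
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if q.get("state") not in self.pending:
            raise ValueError("unknown state: possible CSRF or replayed callback")
        self.pending.discard(q["state"])
        if "error" in q:
            raise PermissionError(q["error"])
        return self.authz.token(q["code"], self.client_id, self.client_secret, self.redirect_uri)


def run_flow(approved=True):
    """Drive pages 28-33 end to end and return the photos the web app obtained."""
    authz = AuthorizationServer()
    photos, app = PhotoServer(authz), WebApp(authz)
    redirect = authz.authorize(app.start_login("photos_A"), user="jane", approved=approved)
    token = app.callback(redirect)
    return photos.get_photos(token, "A")
```

run_flow() returns collection A; the same token asked for photos_B fails validation, exactly the T1/photos_A versus photos_B distinction in the table above. The resource server never sees the user's credentials and never decides on its own; it asks the authorization server (step 8) and trusts only that answer.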

Page 34

Federated Access to APIs

Page 35

Federated Access to APIs

Page 36

Self Contained Access Tokens

Page 37

Multiple OAuth2 Apps with No Shared Credentials

Page 38

Multiple OAuth2 Apps with No Shared Credentials(Self-issued JWT)

Page 39

Accessing APIs via desktop clients (kerberos)

Page 40

Token Exchange

Page 41

Fine-grained access control for APIs

Page 42

OAuth 2.0 is for delegated access control. Can we extend this for authentication?

Page 43

A Simple Approach...

Just as clients are authorized to access resources, clients can be authorized to access user data

Web app: Log in

Identity server: Read Jane's profile

Page 44

OpenID Connect SSO

Web app (Client ID / Secret, Auth code)

Identity server

1. Log in
2. Get tokens
3. Authenticate
4. Auth code

Page 45

OpenID Connect SSO (Ctd...)

Web app (Client ID / Secret, Auth code)

Identity server

5. Auth code, cid, secret
6. Access token: authorizes user info access
   ID token: authenticates the user
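The ID token only "authenticates the user" once the web app has checked it, so here is the verification a relying party performs on the token from step 6, as an added example for this transcript (not WSO2 Identity Server code). It uses HS256 with a shared secret so it runs offline; WSO2 IS and other OpenID providers normally sign ID tokens with RS256 and the client fetches the key from the provider's JWKS endpoint, but the claim checks (iss, aud, exp, nonce) and the rule of pinning the algorithm are the same. The issuer URL, client ID and nonce values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdTokenError(ValueError):
    """Any reason the ID token must not be trusted."""


def issue_id_token(secret, issuer, client_id, subject, nonce, ttl=300):
    """Constructed stand-in for what the identity server returns in step 6."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": client_id, "sub": subject, "nonce": nonce, "iat": now, "exp": now + ttl}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_id_token(token, secret, expected_issuer, client_id, expected_nonce, now=None):
    """Return the claims only if signature, iss, aud, exp and nonce all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm the client expects; never let the token choose it ("none", key confusion).
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s64)):
        raise IdTokenError("bad signature")
    claims = json.loads(b64url_decode(c64))
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("token was not issued to this client")  # blocks reuse of another app's token
    if claims.get("exp", 0) <= now:
        raise IdTokenError("expired")
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch: possible replay")
    return claims
```

The nonce is generated by the web app at step 1 and sent with the authentication request; comparing it here ties the ID token to the browser session that started the login, which is what turns "a valid token from the identity server" into "this user, logged in just now, in this session".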

Page 46

OpenID Connect SSO (Ctd...)

Web app

Identity server

7. Get user info
8. First name: Jane; Address: 65, Ed..; Tel: +61 93...

Page 47

Adding Users

WSO2 IS Management Console

Page 48

Adding Users? (Ctd..)

Hot deploy multiple user stores

Page 49

Adding Users? (Ctd..)

SCIM – System for Cross-domain Identity Management

SCIM endpoints

Page 50

Adding Users? (Ctd..)

curl -v -k --user admin:admin --header "Content-Type:application/json" --data '{"schemas":[],"name":{"familyName":"Ekanayake","givenName":"Chathura"},"userName":"chathura","password":"pass123", …........}' https://localhost:9443/wso2/scim/Users

The JSON body is single-quoted so that the inner double quotes reach curl intact. -k disables certificate verification and is only acceptable against the self-signed certificate of a local test instance, and admin:admin is the default administrator account that should be changed before the server is exposed.

Page 51

Adding Users to Many Other Parties...

Identity server (Logistics), Identity server (Head office), Identity server (Accounting)

Add user to all Identity Servers!

The same record is entered into each identity server:
Username: saman
Password: saman123
Email: [email protected]

Page 52

Federated Provisioning

Identity server (provisioning source)

Identity server (Logistics), Identity server (Head office), Identity server (Accounting)

The record is provisioned from the source to each identity server:
Username: saman
Password: saman123
Email: [email protected]

Page 53

Provisioning Bridge

IS1 - Logistics (SCIM endpoint)
IDP - IS2 (SCIM endpoint): SCIM, SPML, WS, SOAP
IS2 – Head office (SCIM endpoint)

Page 54

Integrating External User Stores

Identity server (Logistics), with IS1 user store

Identity server (Head office)

Username: jane
Password: jane123
Email: [email protected]

1. Access request
2. Auth request
3. Auth request
4. Auth response
5. Add user (to the IS1 user store)

Page 55

Thank You!