PREDIX TRANSFORM
3. User Account and Authentication
UAA features include
• User account management
• OIDC and SAML initiated login
• OIDC and SAML federation of external identity providers
• All OAuth 2.0 grant types
• Device authentication
4. User Account Management
• SCIM-based RESTful API
• User native accounts
– Credentials stored in UAA
• User shadow accounts
– Federated identities
• Manage user privileges
– Group membership
– Coarse-grained
– Tied to user login session
5. User Authentication
• OpenID Connect (OIDC)
– Built on top of OAuth 2.0 framework
– Easier to implement
• Security Assertion Markup Language (SAML)
– Ubiquitous in the enterprise
– You better know what you’re doing
6. OIDC/OAuth Concepts
• Resource Owner
– I.e., a user
• Client
– Application or service identity
– Can act on its own or on behalf of a user (i.e., the resource owner)
• Grant type
– A procedure for authorizing a client or user
– client_credentials authorizes a client acting on its own
– authz_code (the authorization code grant) authorizes a client to act on behalf of a user
7. Authorities vs. groups vs. scopes
• Authorities
– What privileges a client has when it acts on its own
• Groups
– What privileges a user potentially has
– Effective privileges are still limited by the client scopes …
Diagram (Clients / Users / Groups): client app_client has authorities clients.secret and scopes scim.read; user tom@ge.com is a member of the groups scim.read and scim.write.
8. Authorities vs. groups vs. scopes
• Client scopes
– What a user can do through a specific client
– Inner join of user groups and client scopes produces …
• Access token scope
– Holds the effective privileges during a login session
Diagram: the same Clients / Users / Groups figure as slide 7 (app_client with authorities clients.secret and scopes scim.read; tom@ge.com in groups scim.read and scim.write).
9. Authorities vs. groups vs. scope
Diagram (Clients / Users / Groups / Tokens): client app_client has authorities clients.secret and scopes scim.read; user tom@ge.com is in groups scim.read and scim.write. Resulting tokens by OAuth grant type:
– client_credentials: token scope is clients.secret (the client's authorities)
– authz_code: token scope is scim.read (the user's groups joined with the client's scopes)
10. Authorities vs. groups vs. scope
Diagram (Clients / Users / Groups / Tokens): as on slide 9, but the client scopes of app_client are now the wildcard scim.*; user tom@ge.com is in groups scim.read and scim.write. Resulting tokens by OAuth grant type:
– client_credentials: token scope is clients.secret
– authz_code: token scope is scim.read and scim.write (both of the user's groups match the wildcard client scope)
11. Service-to-service authentication
• OAuth 2.0 client credentials grant
– Restrict allowed grant type to client_credentials
– Set client authorities as necessary to access Predix services
– <service>.zones.<instance>.user
– Restrict unnecessary authorities
Diagram: service consumer (client), web service (resource server) and uaa (authorization server); the web service trusts uaa. Flow: 1. client id + secret (client to uaa); 2. token (uaa to client); 3. api request + token (client to web service); 4. data (web service to client).
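The authority/group/scope join from slides 7 through 10 and the grant-type restriction from slide 11, as an added Python example that is not UAA's own code. The client and user records are constructed to mirror the figures, the device client and its authority value are invented for illustration, and fnmatch stands in for UAA's wildcard scope matching as an assumption:

```python
import fnmatch

# Constructed client records mirroring the slides' Clients / Users / Groups figure.
APP_CLIENT_SLIDE9 = {
    "client_id": "app_client",
    "authorities": ["clients.secret"],
    "scope": ["scim.read"],
    "authorized_grant_types": ["client_credentials", "authorization_code"],
}
# Slide 10 variant: the client scope is the wildcard scim.*.
APP_CLIENT_SLIDE10 = dict(APP_CLIENT_SLIDE9, scope=["scim.*"])
# Constructed device client (slide 11): only client_credentials is allowed and the
# authority follows the <service>.zones.<instance>.user pattern with made-up values.
DEVICE_CLIENT = {
    "client_id": "device-0001",
    "authorities": ["timeseries.zones.instance-abc.user"],
    "scope": [],
    "authorized_grant_types": ["client_credentials"],
}
TOM = {"user_name": "tom@ge.com", "groups": ["scim.read", "scim.write"]}


def grant_allowed(client, grant_type):
    """A client may only use the grant types it was registered with."""
    return grant_type in client["authorized_grant_types"]


def token_scope(client, grant_type, user=None):
    """Scope an access token carries for this client and grant.

    client_credentials: the client acts on its own, so the token carries the
    client's authorities (slide 7).
    authorization_code (authz_code on the slides): the client acts for a user,
    so the token carries the inner join of the user's groups and the client's
    scopes (slide 8). Wildcards such as scim.* are matched with fnmatch here,
    an assumption standing in for UAA's own wildcard handling.
    """
    if not grant_allowed(client, grant_type):
        raise PermissionError(f"{grant_type} not allowed for {client['client_id']}")
    if grant_type == "client_credentials":
        return sorted(client["authorities"])
    if grant_type == "authorization_code":
        if user is None:
            raise ValueError("authorization_code needs a resource owner")
        return sorted(g for g in user["groups"]
                      if any(fnmatch.fnmatchcase(g, p) for p in client["scope"]))
    raise ValueError(f"unsupported grant type {grant_type}")
```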
12. Login service - OIDC
• OpenID Connect (OIDC): http://openid.net/specs/openid-connect-core-1_0.html
– Supported by virtually all web frameworks and reverse proxies
– Uses authz_code or implicit grant
– Basically OAuth but the access token represents a user identity
Diagram: browser; web app (client, handles session management); web service (resource server, handles token verification); uaa (authorization server), which the web service trusts. Flow: 1. request (browser to web app); 2. oauth (web app redirects the browser to uaa); 3. login (browser at uaa); 4. code (uaa returns an authorization code to the browser); 5. code (browser delivers the code to the web app); 6. token (web app exchanges the code with uaa for a token); 7. api request + token (web app to web service); 8. data (web service to web app); 9. response (web app to browser).
13. Login service - SAML
• Security Assertion Markup Language (SAML): http://saml.xml.org/saml-specifications
– Ubiquitous in the enterprise
– Complicated to use
– SAML IdP metadata: http://<uaa hostname>/saml/idp/metadata
Diagram: browser; web app (client, handles session management); uaa (authorization server), which the web app trusts. Flow: 1. request (browser to web app); 2. saml request (web app redirects the browser to uaa); 3. login (browser at uaa); 4. saml response (uaa returns the assertion through the browser to the web app); 5. response (web app to browser).
14. Federating external IdP with SAML
• Download your SAML SP metadata from UAA
– https://<uaa hostname>/saml/metadata
– Send this to the IdP’s administrator
• Obtain SAML IdP metadata from IdP administrator
• Create/configure IdP in UAA
– Use the scripts
– Read the documentation
16. Federating external IdP with SAML
• Federate with multiple identity providers
• IdP discovery based on user domain
– tom@ge.com authenticates with the ge.com IdP
– nik@tesla.com authenticates with the tesla.com IdP
• Mapping of SAML attributes to JWT properties
17. Best Practices
• Read the documentation
• Initiate user login using OpenID Connect (OIDC)
• Use client credentials grant for devices
– Give each device a client id and secret
– Use JWT Bearer Profile for certificate-based authentication
• Consider using the GE shared UAA
• Use the new dashboard when it becomes available
18. Why ACS?
Limitations of OAuth 2.0
• Scope-based privileges are too coarse-grained
• Scopes are tightly coupled to access token
– Logout/login required for privilege changes to take effect
• Lack of consistent solution for
– policy definition
– privilege management
• Performance not tuned for making fine-grained access control decisions per resource request
19. What does ACS do?
Attribute Based Access Control (ABAC)
• Attribute store for
– Subjects: entities that do things
– Resources: entities that have things done to them
• Policy store
– How subject and resource attributes combine to determine privileges
• Policy evaluation
– Given a subject, action, and resource determine if operation is allowed
20. What are attributes?
• A key value pair
• Asserted by a trusted entity
• Useful for making authorization decisions
21. What are attributes?
• tom@ge.com is an analyst
• tom@ge.com is a member of the research group
Diagram: subject with identifier tom@ge.com and attributes role: analyst, group: researchers.
22. What are attributes?
• The asset with id 1234 is located at the San Ramon site
• The asset with id 1234 belongs to users in the research group
Diagram: resource with identifier /assets/1234 and attributes site: san-ramon, group: researchers.
23. Breaking down policy evaluation
• Client sends a request for authorization
– Can a subject perform an action on a resource
– Java library support today; route service tomorrow
• ACS performs
– Attribute discovery
– Policy evaluation
• Client receives
– Authorization decision (permit | deny)
– Discovered attributes
26. Implementing RBAC with ACS
Hierarchical attributes
• Define attributes for roles, groups, etc.
– Users can inherit attributes from these
– Create an “analyst” subject and assign it attributes
– Have “tom@ge.com” subject inherit attributes from “analyst”
27. Subject attribute inheritance example
Diagram: parent subjects and the attributes each asserts:
– org-ge: org: ge, tenancy-id: 11235
– group-research: group: research, app: apm
– role-analyst: role: analyst, report: asset-performance
tom@ge.com inherits from all three, so its effective attributes are org: ge, tenancy-id: 11235, group: research, app: apm, role: analyst, report: asset-performance.
28. Resource attribute inheritance example
Diagram: resource hierarchy and the attributes each level asserts:
– /sites/01: org: ge, site: san-ramon
– /sites/01/assets/21: group: research
– /sites/01/assets/21/reports/72: report: asset-performance
The report inherits from its ancestors, so its effective attributes are org: ge, site: san-ramon, group: research, report: asset-performance.
29. Dynamic roles
Subject roles depend on the resource accessed
• Child subject conditionally inherits parent attributes
– User X inherits attribute from role Y when accessing resource Z
– tom@ge.com is an analyst for the “san-ramon” site
– tom@ge.com is not an analyst for other sites
• Subject attributes are scoped by resource attributes
30. Scoped attribute inheritance (permit)
• Example policy
– Allow user access to asset performance report if
– The asset belongs to the user’s group
– The user is an analyst for the San Ramon site
Diagram: tom@ge.com inherits org-ge (org: ge, tenancy-id: 11235) and group-research (group: research, app: apm) unconditionally, and role-analyst (role: analyst, report: asset-performance) only when the resource carries site: san-ramon. The resource /sites/01/assets/21/reports/72 inherits org: ge, site: san-ramon from /sites/01 and group: research from /sites/01/assets/21, and asserts report: asset-performance itself. Because the resource is at site san-ramon, tom@ge.com resolves to org: ge, tenancy-id: 11235, group: research, app: apm, role: analyst, report: asset-performance, and the policy permits.
31. Scoped attribute inheritance (deny)
• Example policy
– Allow user access to asset performance report if
– The asset belongs to the user’s group
– The user is an analyst for the San Ramon site
Diagram: the same subject hierarchy as slide 30 (role-analyst is inherited only when the resource carries site: san-ramon). The resource /sites/02/assets/33/reports/51 inherits org: ge, site: cincy-oh from /sites/02 and group: research from /sites/02/assets/33, and asserts report: asset-performance itself. Because the resource is at site cincy-oh, tom@ge.com resolves only to org: ge, tenancy-id: 11235, group: research, app: apm (no role: analyst), and the policy denies.
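The attribute discovery and policy evaluation of slides 23 and 26 through 31, worked in Python as an added example; this is not ACS's own code or API. The subject and resource stores, the (parent, scope) inheritance rule and the GET action are constructed here to mirror the figures:

```python
# Constructed subject store (not ACS's API). Each subject carries the attributes it
# asserts directly plus (parent, scope) pairs; the parent's attributes are inherited
# only when the resource carries every attribute in scope (empty = unconditional).
SUBJECTS = {
    "org-ge": ({("org", "ge"), ("tenancy-id", "11235")}, []),
    "group-research": ({("group", "research"), ("app", "apm")}, []),
    "role-analyst": ({("role", "analyst"), ("report", "asset-performance")}, []),
    "tom@ge.com": (set(), [("org-ge", set()), ("group-research", set()),
                           ("role-analyst", {("site", "san-ramon")})]),
}
# Constructed resource store; each URI asserts attributes for itself and its children.
RESOURCES = {
    "/sites/01": {("org", "ge"), ("site", "san-ramon")},
    "/sites/01/assets/21": {("group", "research")},
    "/sites/01/assets/21/reports/72": {("report", "asset-performance")},
    "/sites/02": {("org", "ge"), ("site", "cincy-oh")},
    "/sites/02/assets/33": {("group", "research")},
    "/sites/02/assets/33/reports/51": {("report", "asset-performance")},
}


def resource_attributes(uri):
    """Attribute discovery for a resource: it inherits from every ancestor URI."""
    attrs = set()
    for path, asserted in RESOURCES.items():
        if uri == path or uri.startswith(path + "/"):
            attrs |= asserted
    return attrs


def subject_attributes(subject_id, resource_attrs):
    """Attribute discovery for a subject, scoped by the resource being accessed:
    a parent is inherited only when the resource carries the parent's whole scope."""
    own, parents = SUBJECTS[subject_id]
    attrs = set(own)
    for parent_id, scope in parents:
        if scope <= resource_attrs:
            attrs |= subject_attributes(parent_id, resource_attrs)
    return attrs


def evaluate(subject_id, action, uri):
    """Policy from slides 30/31: permit reading an asset-performance report when the
    asset belongs to the user's group and the user is an analyst for that site."""
    res = resource_attributes(uri)
    sub = subject_attributes(subject_id, res)
    groups = lambda attrs: {v for k, v in attrs if k == "group"}
    permit = (action == "GET" and ("report", "asset-performance") in res
              and bool(groups(sub) & groups(res)) and ("role", "analyst") in sub)
    return {"effect": "PERMIT" if permit else "DENY",
            "subjectAttributes": sub, "resourceAttributes": res}
```

The returned dict carries both the decision and the discovered attributes, matching what slide 23 says the client receives.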
33. Five Lessons to Take Away
1. Use UAA to manage, federate, and authenticate
2. Understand OAuth 2.0, OIDC, SAML
3. Know Authorities vs. Groups vs. Scope
4. Use ACS to address limitations of OAuth
5. Read the UAA and ACS documentation