http://predixtransform.com

1. E5: Predix Security with ACS/UAA
Dario Amiri, Senior Software Architect, GE Digital
@darioamiri

2. 2PREDIX TRANSFORM
Agenda
User Account and Authentication (UAA)1
Access Control Service (ACS)2

3. 3PREDIX TRANSFORM
User Account and Authentication
UAA features include
• User account management
• OIDC and SAML initiated login
• OIDC and SAML federation of external identity providers
• All OAuth 2.0 grant types
• Device authentication

4. 4PREDIX TRANSFORM
User Account Management
• SCIM-based RESTful API
• User native accounts
– Credentials stored in UAA
• User shadow accounts
– Federated identities
• Manage user privileges
– Group membership
– Coarse-grained
– Tied to user login session

5. 5PREDIX TRANSFORM
User Authentication
• OpenID Connect (OIDC)
– Built on top of OAuth 2.0 framework
– Easier to implement
• Security Assertion Markup Language (SAML)
– Ubiquitous in the enterprise
– You better know what you’re doing

6. 6PREDIX TRANSFORM
OIDC/OAuth Concepts
• Resource Owner
– I.e. a user
• Client
– Application or service identity
– Can act on it’s own or on behalf of a user (i.e. resource owner)
• Grant type
– A procedure for authorizing a client or user
– client_credentials authorizes a client acting on it’s own
– authz_code authorizes a client to act on behalf of a user

7. 7PREDIX TRANSFORM
Authorities vs. groups vs. scopes
• Authorities
– What privileges a client has when it acts on it’s own
• Groups
– What privileges a user potentially has
– Effective privileges are still limited by the client scopes …
app_client
authorities:
clients.secret
scopes: scim.read
scim.read
scim.write
tom@ge.com
GroupsUsersClients

8. 8PREDIX TRANSFORM
Authorities vs. groups vs. scopes
• Client scopes
– What a user can do through a specific client
– Inner join of user groups and client scopes produces …
• Access token scope
– Holds the effective privileges during a login session
app_client
authorities:
clients.secret
scopes: scim.read
scim.read
scim.write
tom@ge.com
GroupsUsersClients

9. 9PREDIX TRANSFORM
Authorities vs. groups vs. scope
app_client
authorities:
clients.secret scopes:
scim.read
scim.read
scim.write
tom@ge.com
GroupsUsersClients
scope:
clients.secret
scope:
scim.read
Tokens
client_credentials authz_code
OAuth Grant Type

10. 10PREDIX TRANSFORM
Authorities vs. groups vs. scope
app_client
authorities:
clients.secret scopes:
scim.*
scim.read
scim.write
tom@ge.com
GroupsUsersClients
scope:
clients.secret
scope:
scim.read
scim.write
Tokens
client_credentials authz_code
OAuth Grant Type

11. 11PREDIX TRANSFORM
Service-to-service authentication
• OAuth 2.0 client credentials grant
– Restrict allowed grant type to client_credentials
– Set client authorities as necessary to access Predix services
– <service>.zones.<instance>.user
– Restrict unnecessary authorities
service consumer
(client)
web service
(resource server)
uaa
(authorization server)
trust
3.api request + token
1.client id + secret
2.token
4.data

12. 12PREDIX TRANSFORM
Login service - OIDC
• OpenID Connect (OIDC)
http://openid.net/specs/openid-connect-core-
1_0.html
– Supported by virtually all web
frameworks and reverse
proxies
– Uses authz_code or implicit
grant
– Basically OAuth but the access
token represents a user
identity
session management
token verification
web app
(client)
web service
(resource server)
uaa
(authorization server)
trust
browser
1.request
2.oauth
3.login
7.api request
+ token
5.code
6.token
4.code
8.data
9.response

13. 13PREDIX TRANSFORM
Login service - SAML
• Security Assertion Markup
Language
(SAML)http://saml.xml.org/saml-
specifications
– Ubiquitous in the enterprise
– Complicated to use
– SAML IdP metadata:
http://<uaa
hostname>/saml/idp/metadat
a
session management
web app
(client)
uaa
(authorization server)trust
browser
1.request
2.saml request
3.login
4.saml response
5.response

14. 14PREDIX TRANSFORM
Federating external IdP with SAML
• Download your SAML SP metadata from UAA
– https://<uaa hostname>/saml/metadata
– Send this to the IdP’s administrator
• Obtain SAML IdP metadata from IdP administrator
• Create/configure IdP in UAA
– Use the scripts
– Read the documentation

15. 15PREDIX TRANSFORM
Federating external IdP with SAML
session management
token verification
web app
(client)
web service
(resource server)
uaa
(authorization server)
trust
browser
1.request
2.oauth
4.login
9.api request
+ token
7.code
8.token
6.code
10.data
11.response
saml idp
3.saml request
5.saml response

16. 16PREDIX TRANSFORM
Federating external IdP with SAML
• Federate with multiple identity providers
• IdP discovery based on user domain
– tom@ge.com authenticates with the ge.com idp
– nik@tesla.com authenticates with the tesla.com idp
• Mapping of SAML attributes to JWT properties

17. 17PREDIX TRANSFORM
Best Practices
• Read the documentation
• Initiate user login using OpenID Connect (OIDC)
• Use client credentials grant for devices
– Give each device a client id and secret
– Use JWT Bearer Profile for certificate-based authentication
• Consider using the GE shared UAA
• Use the new dashboard when it becomes available

18. 18PREDIX TRANSFORM
Why ACS?
Limitations of OAuth 2.0
• Scope-based privileges are too coarse-grained
• Scopes are tightly coupled to access token
– Logout/login required for privilege changes to take effect
• Lack of consistent solution for
– policy definition
– privilege management
• Performance not tuned for making fine-grained access control
decisions per resource request

19. 19PREDIX TRANSFORM
What does ACS do?
Attribute Based Access Control (ABAC)
• Attribute store for
– Subjects: entities that do things
– Resources: entities that have things done to them
• Policy store
– How subject and resource attributes combine to determine privileges
• Policy evaluation
– Given a subject, action, and resource determine if operation is allowed

20. 20PREDIX TRANSFORM
What are attributes?
• A key value pair
• Asserted by a trusted entity
• Useful for making authorization decisions

21. 21PREDIX TRANSFORM
What are attributes?
• tom@ge.com is an analyst
• tom@ge.com is a member of the research group
role: analyst
group: researchers
attributes
subject
tom@ge.com
identifier

22. 22PREDIX TRANSFORM
What are attributes?
• The asset with id 1234 is located at the San Ramon site
• The asset with id 1234 belongs to users in the research group
site: san-ramon
group: researchers
attributes
resource
/assets/1234
identifier

23. 23PREDIX TRANSFORM
Breaking down policy evaluation
• Client sends a request for authorization
– Can a subject perform an action on a resource
– Java library support today - route service tomorrow
• ACS performs
– Attribute discovery
– Policy evaluation
• Client receives
– Authorization decision (permit | deny)
– Discovered attributes

24. 24PREDIX TRANSFORM
authorization request
tom@ge.com
subject
/assets/1234
resource
GET
action
attribute discovery
policy evaluation
authorization response
PERMIT | DENY
decision
role: analyst
group: researchers
tom@ge.com
site: san-ramon
group: researchers
/assets/1234
discovered attributes

25. 25PREDIX TRANSFORM
authorization response
discovered attributes
subject.and(resource).haveSame(‘group’)
policy
condition
attribute discovery
role: analyst
group: researchers
tom@ge.com
site: san-ramon
group: researchers
/assets/1234
discovered attributes
Attribute Store
authorization request
tom@ge.com /assets/1234GET
permit

26. 26PREDIX TRANSFORM
Implementing RBAC with ACS
Hierarchical attributes
• Define attributes for roles, groups, etc.
– Users can inherit attributes from these
– Create an “analyst” subject and assign it attributes
– Have “tom@ge.com” subject inherit attributes from “analyst”

27. 27PREDIX TRANSFORM
Subject attribute inheritance example
org: ge
tenancy-id: 11235
org-ge
group: research
app: apm
group-research
role: analyst
report: asset-performance
role-analyst
tom@ge.com
org: ge
tenancy-id: 11235
group: research
app: apm
role: analyst
report: asset-performance

28. 28PREDIX TRANSFORM
Resource attribute inheritance example
org: ge
site: san-ramon
/sites/01
group: research
/sites/01/assets/21
report: asset-performance
/sites/01/assets/21/reports/72
org: ge
site: san-ramon
group: research
report: asset-performance

29. 29PREDIX TRANSFORM
Dynamic roles
Subject roles depend on the resource accessed
• Child subject conditionally inherits parent attributes
– User X inherits attribute from role Y when accessing resource Z
– tom@ge.com is an analyst for the “san-ramon” site
– tom@ge.com is not an analyst for other sites
• Subject attributes are scoped by resource attributes

30. 30PREDIX TRANSFORM
Scoped attribute inheritance (permit)
• Example policy
– Allow user access to asset performance report if
– The asset belongs to the user’s group
– The user is an analyst for the San Ramon site
site: san-ramon
org: ge
tenancy-id: 11235
org-ge
group: research
app: apm
group-research
role: analyst
report: asset-performance
role-analyst
tom@ge.com
org: ge
tenancy-id: 11235
group: research
app: apm
role: analyst
report: asset-performance
org: ge
site: san-ramon
/sites/01
group: research
/sites/01/assets/21
report: asset-performance
/sites/01/assets/21/reports/72
org: ge
site: san-ramon
group: research
report: asset-performance

31. 31PREDIX TRANSFORM
Scoped attribute inheritance (deny)
• Example policy
– Allow user access to asset performance report if
– The asset belongs to the user’s group
– The user is an analyst for the San Ramon site
site: san-ramon
org: ge
tenancy-id: 11235
org-ge
group: research
app: apm
group-research
role: analyst
report: asset-performance
role-analyst
tom@ge.com
org: ge
tenancy-id: 11235
group: research
app: apm
org: ge
site: cincy-oh
/sites/02
group: research
/sites/02/assets/33
report: asset-performance
/sites/02/assets/33/reports/51
org: ge
site: cincy-oh
group: research
report: asset-performance

32. 32PREDIX TRANSFORM
Technology stack
runtime
Apache
Cassandra
PostgreSQL
java
spring titan db
spring data apache tinkerpop
cloud foundry
platform
uaa
• Apache 2 license
• We’re on github: https://github.com/predix/acs

33. 33PREDIX TRANSFORM
Five Lessons to Take Away
1. Use UAA to manage, federate, and authenticate
2. Understand OAuth 2.0, OIDC, SAML
3. Know Authorities vs. Groups vs. Scope
4. Use ACS to address limitations of OAuth
5. Read the UAA and ACS documentation

34. General Electric reserves the right to make changes in specifications and features, or discontinue the product or service described at any time, without notice or obligation. These materials do not constitute a
representation, warranty or documentation regarding the product or service featured. Illustrations are provided for informational purposes, and your configuration may differ. This information does not
constitute legal, financial, coding, or regulatory advice in connection with your use of the product or service. Please consult your professional advisors for any such advice. GE, Predix and the GE Monogram are
trademarks of General Electric Company. ©2016 General Electric Company – All rights reserved.