Securing the Unsecured: Using SSO and XACML to Protect Your Web Apps

To view the recording of this webinar, use the URL below:
http://wso2.com/library/webinars/2015/06/securing-the-unsecured-using-sso-and-xacml-to-protect-your-web-apps/


WSO2 App Manager provides a simple app management solution for both application developers and application users. This webinar focuses on how you can:

◉ Secure web applications and implement SSO between web applications
◉ Use XACML policies for fine-grained security on web application resources

Published in: Technology

  1. Securing the Unsecured: Using SSO and XACML to Protect Web Apps (App Manager 1.0.0). Dinusha Senanayaka, WSO2 App Manager Team
  2. Why App Manager?
     ◉ 100% open source, under the Apache 2 license
     ◉ Policy-based authorization
     ◉ Insights into app subscriptions and behaviors
     ◉ Single sign-on (SSO) across web apps
     ◉ Unified app store
     ◉ Central app management (web and mobile)
     ◉ Access control based on organizational user roles
     ◉ Leverages proven WSO2 components: Analytics Platform (app usage statistics); Security offering (authentication, authorization, federated identity and SSO); Enterprise Store (app provisioning and management)
  3. WSO2 App Manager Components
  4. Single Sign-On between Web Apps
     Pros for end users
     ◉ Do not have to memorize a long list of passwords to access multiple applications
     Pros for application developers
     ◉ Do not have to worry about implementing security for web apps
     ◉ Can focus only on developing application business logic
     Pros for administrators
     ◉ Do not have to manage multiple user accounts for different applications
  5. SAML2 Web Browser SSO Profile
  6. Single Logout between Web Apps
  7. Demo
  8. Two Types of Web Apps
     ◉ Non-secured web apps
     ◉ Already secured web apps
     How are they managed with App Manager?
  9. Securing Non-secured Web Apps Using App Manager
     ◉ Just publish the web app in App Manager
  10. Already Secured Web Apps through App Manager
     ◉ Some modifications need to be made to the web app
     ◉ The web app can use the JWT token or the SAML response to identify the user
  11. JWT and SAML Token Headers
     ◉ Ways of sending authenticated user details to the backend
     ◉ The web app can process either the JWT (JSON) header or the SAML Response (XML) header to get user details
  12. JWT / SAML Response (JWT payload)
     {
       "iss": "wso2.org/products/am",
       "exp": 1435218328463,
       "Subject": "beth@wso2.com",
       "http://wso2.org/claims/card_holder": "beth",
       "http://wso2.org/claims/card_number": "45678563456986",
       "http://wso2.org/claims/emailaddress": "beth@wso2.com",
       "http://wso2.org/claims/expiration_date": "2020-12-20",
       "http://wso2.org/claims/givenname": "Beth",
       "http://wso2.org/claims/lastname": "Carder",
       "http://wso2.org/claims/organization": "WSO2",
       "http://wso2.org/claims/role": "Internal/private_beth-AT-wso2.com,Internal/subscriber,Internal/store-admin,Internal/everyone,SALES",
       "http://wso2.org/claims/streetaddress": "Califonia",
       "http://wso2.org/claims/telephone": "877 309 2070",
       "http://wso2.org/claims/zipcode": "0789",
       "http://wso2.org/ffid": "34567"
     }
  13. JWT / SAML Response (SAML response)
     <?xml version="1.0" encoding="UTF-8"?>
     <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
         Destination="http://ec2-54-84-233-242.compute-1.amazonaws.com:8280/plan-trip/1.0.0/"
         ID="aipcfpjgmlffcbhcdnapgkdncjdcjdbkalkmejpe" InResponseTo="0"
         IssueInstant="2015-06-25T07:30:28.203Z" Version="2.0">
       <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">appm</saml2:Issuer>
       <saml2p:Status>
         <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
       </saml2p:Status>
       <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="ifghfahaljakniomfjeelcknnpaopmjbagonchak" IssueInstant="2015-06-25T07:30:28.203Z" Version="2.0">
         <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">appm</saml2:Issuer>
         <saml2:Subject>
           <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">beth@wso2.com</saml2:NameID>
           <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
             <saml2:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2015-06-25T07:35:28.203Z" Recipient="http://ec2-54-84-233-242.compute-1.amazonaws.com:8280/plan-trip/1.0.0/"/>
           </saml2:SubjectConfirmation>
         </saml2:Subject>
         <saml2:Conditions NotBefore="2015-06-25T07:30:28.203Z" NotOnOrAfter="2015-06-25T07:35:28.203Z">
           <saml2:AudienceRestriction>
             <saml2:Audience>PlanYourTrip-1.0.0</saml2:Audience>
           </saml2:AudienceRestriction>
         </saml2:Conditions>
         <saml2:AuthnStatement AuthnInstant="2015-06-25T07:30:28.203Z" SessionIndex="550a41fc-ba6a-4dff-bc58-7ec11ed6d0d3">
           <saml2:AuthnContext>
             <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
           </saml2:AuthnContext>
         </saml2:AuthnStatement>
         <saml2:AttributeStatement>
           <saml2:Attribute Name="http://wso2.org/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
             <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Internal/private_beth-AT-wso2.com,Internal/subscriber,Internal/store-admin,Internal/everyone,SALES</saml2:AttributeValue>
           </saml2:Attribute>
         </saml2:AttributeStatement>
       </saml2:Assertion>
     </saml2p:Response>
  14. Sample Code Snippet to Identify the User from the JWT Header (Jaggery)
     // The gateway forwards the signed JWT in the X-JWT-Assertion header
     var header = request.getHeader("X-JWT-Assertion");
     // Create Base64 object (application-local module)
     var Base64 = require('../modules/base64.js');
     if (header != null) {
         // A JWT has three '.'-separated sections: header.payload.signature
         var jwtAssertions = header.split(".");
         // JWT sections are base64url encoded: map '-' and '_' back to
         // standard base64 before handing the payload to the decoder
         var payload = jwtAssertions[1].replace(/-/g, "+").replace(/_/g, "/");
         var jsonString = Base64.decode(payload);
         jsonString = jsonString.replace("http://wso2.org/claims/emailaddress", "email");
         jsonString = jsonString.replace("http://wso2.org/claims/role", "roles");
         var obj = parse(jsonString);   // Jaggery's built-in JSON parser
         var email = obj.email;
         // The role claim is a comma-separated string; compare whole role
         // names, since a substring test for "admin" would also match
         // "Internal/store-admin"
         var roles = obj.roles ? obj.roles.split(",") : [];
         var isAdmin = false;
         for (var i = 0; i < roles.length; i++) {
             if (roles[i].trim() == "admin") { isAdmin = true; }
         }
         session.put("user", {"mail": email, "admin": isAdmin});
     }
     var user = session.get("user");
     if (user == null) {
         // baseAt is the app's base URL, defined elsewhere in the app
         response.sendRedirect(baseAt + "/login.jag");
     } else if (user.admin) {
         // admin-only handling (elided on the slide)
     }
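The slide's snippet trusts whatever the header says; the backend still has to check the issuer and expiry and compare role names exactly. The Node.js helper below is an added example (not code from the slides or from WSO2 App Manager) that does that for the X-JWT-Assertion payload shown on slide 12; the function and constant names are assumptions, and the millisecond handling of "exp" is inferred from the slide's value. Signature verification against the gateway's certificate is not shown.

```javascript
// Added example: turn App Manager's X-JWT-Assertion header into a user object.
const ISSUER = "wso2.org/products/am";            // "iss" value shown on slide 12
const ROLE_CLAIM = "http://wso2.org/claims/role";
const EMAIL_CLAIM = "http://wso2.org/claims/emailaddress";

// JWT segments are base64url (RFC 7515): '-' and '_' instead of '+' '/', no padding.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Returns {email, roles, admin} or null when the header must be rejected.
// nowMs is injectable so the expiry check can be tested deterministically.
// Assumption: the signature was already verified against the gateway's public key.
function userFromJwtHeader(header, nowMs = Date.now()) {
  if (!header) return null;
  const parts = header.split(".");
  if (parts.length !== 3) return null;            // header.payload.signature
  let claims;
  try { claims = JSON.parse(decodeSegment(parts[1])); } catch (e) { return null; }
  if (claims.iss !== ISSUER) return null;         // only accept the gateway's issuer
  // Slide 12 shows "exp": 1435218328463, i.e. milliseconds; RFC 7519 uses seconds.
  // Accept both by treating small values as seconds (assumption).
  const expMs = claims.exp < 1e11 ? claims.exp * 1000 : claims.exp;
  if (!(expMs > nowMs)) return null;              // missing or past expiry rejected
  const roles = String(claims[ROLE_CLAIM] || "")
    .split(",").map(r => r.trim()).filter(Boolean);
  // Exact match: indexOf("admin") on the raw string would also accept
  // "Internal/store-admin", which is present in the slide's sample claims.
  return { email: claims[EMAIL_CLAIM] || claims.Subject, roles, admin: roles.includes("admin") };
}

// Constructed sample: an unsigned ("alg":"none") token built from slide-12 claims,
// used only to exercise the parser offline.
function buildSampleHeader(claims) {
  const enc = s => Buffer.from(s).toString("base64")
    .replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
  return enc('{"alg":"none"}') + "." + enc(JSON.stringify(claims)) + ".";
}
```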
  15. Federated Authentication for Web Apps
  16. ◉ Authentication: SAML2 SSO
     ◉ Authorization: ?
  17. XACML: eXtensible Access Control Markup Language
     XACML Reference Architecture
  18. How Does App Manager Enforce XACML Evaluation for Web Apps?
  19. XACML Policy Editor in App Manager
  20. Demo
  21. Summary
     ◉ How App Manager provides security (SSO) for web apps
     ◉ Non-secured web apps
     ◉ Already secured web apps
     ◉ Federated authentication for web apps using App Manager
     ◉ Fine-grained authorization to web app resources using XACML
  22. Contact us!