
WSO2Con ASIA 2016: Enterprise Security Uncovered


The identity and access management landscape has evolved rapidly in recent years with a multitude of standards, such as OpenID Connect, eclipsing the world of identity. As a result, there’s an urgent need to re-think identity management (IDM) solutions and ensure that they are able to seamlessly adapt to these changes. Given that acquisitions, mergers and directly on-boarding customers seem to be the trend today, concepts such as bring your own identity, just-in-time provisioning and dynamically discovered federation are real needs of project managers and architects.

WSO2 Identity Server 5.0 takes a rejuvenated approach to successfully eradicate complexities in various identity and access management standards. It abstracts the interactions between an application and an IDM from the perspective of a service provider and identity provider.

This session will discuss the following:

Advantages of the new chained collaborative federation capability in WSO2 Identity Server 5.0
How to configure and govern a set of identity providers, selectively associate them to a set of service providers and carry out federated authentication and provisioning
Chain of control over what each entity in the system can do: propagated from a tenant administrator to an application developer to an end user


  2. Supplier A logs in to the Assembly plant with Username = "robert", Password = "robert-pass" and receives Session key: 6700A. Supplier A then sends an order message to the Assembly plant:
     <order>
       <issuer>Assembly plant</issuer>
       <item>k802</item>
       <quantity>7000000</quantity>
     </order>
  3. Assembly plant → Inventory: HTTP Basic Authentication. The header carries the Base64-encoded <username>:<password>:
     Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
  4. Assembly plant → Inventory: Username token. The UsernameToken is included in the SOAP header:
     <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
       <soapenv:Header>
         <wsse:Security>
           <wsse:UsernameToken wsu:Id="UsernameToken-1">
             <wsse:Username>admin</wsse:Username>
             <wsse:Password>admin</wsse:Password>
           </wsse:UsernameToken>
         </wsse:Security>
       </soapenv:Header>
       <soapenv:Body> ….. </soapenv:Body>
     </soapenv:Envelope>
  5. The Assembly plant holds a separate credential for each service it calls (Inventory, Accounts department, Logistics department, …):
     Username = "robert", Password = "robert-pass"
     Username = "robert2", Password = "robert2-pass"
     Username = "robert_5", Password = "K67robert2-AB-#2"
  6. Authentication Server (e.g. WSO2 IS) holds the User profiles. The Client (e.g. Assembly plant) sends Username = "robert", Password = "robert-pass" to the authentication server, receives a Token, and presents that Token to the Service provider (e.g. Inventory).
  7. STS Server (e.g. WSO2 IS) holds the User Profiles and a Security policy. The Client (e.g. Assembly plant) sends a Request for Secure Token (RST) with Username = "robert", Password = "robert-pass"; the STS returns a SAML Assertion signed with the STS private key, which the client presents to the Service Provider (e.g. inventory).
  8. With an Authentication Server (e.g. WSO2 IS) in place, the User reaches Inventory, Accounts department and Logistics department. Credentials shown: Username = "robert", Password = "robert-pass" (for the authentication server and the services) and Username = "robert2", Password = "robert2-pass".
  9. SAML single sign-on. Identity provider (e.g. WSO2 IS) holds the User data; Service provider (e.g. inventory). Steps: 1. Log in request; 2. Redirect to IDP URL; 3. Request token; 4. Authenticate; 5. Redirect to SP with token; 6. Send SAML token. The SP opens Session: S1.
  10. Second service provider. Identity provider (e.g. WSO2 IS); Service provider 1 (e.g. inventory, Session: S1); Service provider 2 (e.g. Accounts dept., Session: S2). Steps: 1. Log in request; 2. Redirect to IDP URL; 3. Request token (session: IS1); 4. Bypass login page; 5. Redirect to SP with token; 6. Send SAML token.
  11. Session table held by the Identity provider (e.g. WSO2 IS). Service provider 1 (SP1) has Session: S1, Service provider 2 (SP2) has Session: S2, the identity provider has Session: IS1.
      Session ID | SP
      IS1        | SP1
      IS1        | SP2
      IS2        | SP2
  12. Logout. Logout (session: S1) at SP1 becomes Logout (session: IS1) at the identity provider; using the same session table, Session: S2 at SP2 is invalidated as well.
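An added example, not part of the slide deck: a Python model of the session table in slides 11 and 12. It shows a second service provider bypassing the login page because the browser already carries an IdP session, and a single logout at SP1 invalidating S1 and S2 together. Class names, method names and the session-id formats are assumptions made for this illustration.

```python
import secrets


class IdentityProvider:
    """IdP side of slides 9 to 12: its own sessions (IS1, ...) plus the 'Session ID | SP'
    table of slide 11 that records which SP sessions were issued under each IdP session."""

    def __init__(self):
        self.sessions = {}       # idp_session_id -> user
        self.sp_sessions = {}    # idp_session_id -> {(sp_name, sp_session_id)}
        self.sps = {}            # sp_name -> ServiceProvider (registered SPs)

    def authenticate(self, user=None, idp_cookie=None):
        """Steps 3 and 4. A browser that already carries a valid IdP cookie bypasses the
        login page (slide 10, step 4); otherwise credentials are required."""
        if idp_cookie in self.sessions:
            return idp_cookie, self.sessions[idp_cookie], True
        if user is None:
            raise PermissionError("no IdP session and no credentials: show login page")
        idp_sid = "IS-" + secrets.token_hex(4)   # assumed id format
        self.sessions[idp_sid] = user
        return idp_sid, user, False

    def bind(self, idp_sid, sp_name, sp_sid):
        """Record the SP session in the slide 11 table (IS1 -> SP1, IS1 -> SP2, ...)."""
        self.sp_sessions.setdefault(idp_sid, set()).add((sp_name, sp_sid))

    def logout(self, idp_sid):
        """Slide 12: 'Logout (session: IS1)' invalidates every SP session bound to IS1."""
        self.sessions.pop(idp_sid, None)
        for sp_name, sp_sid in self.sp_sessions.pop(idp_sid, set()):
            self.sps[sp_name].invalidate(sp_sid)


class ServiceProvider:
    """SP side (SP1, SP2): keeps its own session (S1, S2) mapped to the IdP session."""

    def __init__(self, name, idp):
        self.name, self.idp = name, idp
        self.sessions = {}       # sp_session_id -> idp_session_id
        idp.sps[name] = self

    def login(self, user=None, idp_cookie=None):
        """Steps 1 to 6 of slide 9: redirect to the IdP, receive the token, open S1.
        Returns (sp_session_id, idp_session_id, login_page_bypassed)."""
        idp_sid, _user, bypassed = self.idp.authenticate(user, idp_cookie)
        sp_sid = "S-" + secrets.token_hex(4)     # assumed id format
        self.sessions[sp_sid] = idp_sid
        self.idp.bind(idp_sid, self.name, sp_sid)
        return sp_sid, idp_sid, bypassed

    def is_active(self, sp_sid):
        return sp_sid in self.sessions

    def invalidate(self, sp_sid):
        self.sessions.pop(sp_sid, None)

    def logout(self, sp_sid):
        """Slide 12: 'Logout (session: S1)' at SP1 becomes 'Logout (session: IS1)' at the IdP."""
        idp_sid = self.sessions.get(sp_sid)
        if idp_sid is not None:
            self.idp.logout(idp_sid)
```

The IdP-side table is what makes single logout possible; an SP that only knows its own session cannot tell the other SPs anything.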
  13. Service provider 1 (SP1) exposes the resources /data/files, /data/archives, /data/visualize and /data/details to the users Jane, David and Tao.
  14. Access control policy enforced inside Service provider 1 (SP1):
      If user = Tao and resource = /data/archives, Permit.
      If role = Clark and action = write, Deny.
      If role = Manager and resource = /data/files, Permit.
  15. Externalised authorization. Users (Tao, David, Jane) reach /data/files, /data/archives, /data/visualize and /data/details through a Policy Enforcement Point (PEP). The Policy Decision Point evaluates policies (If user = jane, Permit. If role = clark and Action = write, Deny.) loaded from the Policy Store, which is managed by the Policy Administration Point.
  16. Flow: users → Policy Enforcement Point (PEP) → Service provider 1 (SP1) resources. 1. Parameters are sent to the Policy decision point; 2. Evaluate Access policy 1; 3. Decision; 4. Filtered messages reach the service provider.
  17. Policy structure. A Policy has a Target (activation conditions for the rule set) and a list of Rules. Each Rule (effect = permit) has a Target (activation conditions for the rule), a Condition (conditions for the rule) and a decision that applies if target and condition are true.
  18. Policy target: the rule set is activated if the resource matches /bankone/accounts/*.
     <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
             PolicyId="BankOne_account_access_policy"
             RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
             Version="1.0">
       <Target>
         <AnyOf>
           <AllOf>
             <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/bankone/accounts/*</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"
                                    MustBePresent="true"/>
             </Match>
           </AllOf>
         </AnyOf>
       </Target>
       <Rule Effect="Permit" RuleId="update_accounts_rule"> …. </Rule>
       ….....
     </Policy>
  19. Rule target and condition: Permit if the conditions are satisfied, i.e. if the resource matches /bankone/accounts/update/* and the role is manager.
     <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
             PolicyId="BankOne_account_access_policy"
             RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
             Version="1.0">
       <Target> ..... </Target>
       <Rule Effect="Permit" RuleId="update_accounts_rule">
         <Target>
           <AnyOf>
             <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                 <AttributeValue DataType="...#string">/bankone/accounts/update/*</AttributeValue>
                 <AttributeDesignator AttributeId="...:resource:resource-id"
                                      Category="...:attribute-category:resource"
                                      DataType="http://www.w3.org/2001/XMLSchema#string"
                                      MustBePresent="true"/>
               </Match>
             </AllOf>
           </AnyOf>
         </Target>
         <Condition>
           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
             <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
             <AttributeDesignator AttributeId="http://wso2.org/claims/role"
                                  Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                  DataType="http://www.w3.org/2001/XMLSchema#string"
                                  MustBePresent="true"/>
           </Apply>
         </Condition>
       </Rule>
       <Rule Effect="Permit" RuleId="read_accounts_rule"> … </Rule>
     </Policy>
  20. A decision request: Subject = bob, Resource = /bankone/accounts/read/a1.
     <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
       <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
         <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
         </Attribute>
       </Attributes>
       <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
         <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/bankone/accounts/read/a1</AttributeValue>
         </Attribute>
       </Attributes>
     </Request>
  21. The PEP/PDP flow of slide 16 again: users (Jane, David, Tao) → Policy Enforcement Point (PEP) → Service provider 1 (SP1) resources (/data/files, /data/archives, /data/visualize, /data/details). 1. Parameters; 2. Evaluate Access policy 1; 3. Decision (If user = jane, Permit. If role = clark and Action = write, Deny.); 4. Filtered messages.
  22. WSO2 ESB as the PEP. A Proxy service sets Property [Set user] and Property [Set resource], then invokes the Entitlement mediator, which obtains the Policy decision from WSO2 IS. On accept: Send to Service provider 1 (SP1). On reject: Drop.
  23. Without tokens, the Service provider has to answer "Does the user have permission to access R1?" itself when a user tries to Access resource R1. With tokens, the user presents a Token and the service provider checks whether R1 is authorized for the given token.
  24. • Access is granted to authorized tokens
      • Users obtain tokens from an authorization server
      • Service providers validate the authorization of a token with the authorization server
      Tokens are authorized for scopes; each protected resource + action has to be mapped to a scope.
  25. The Service provider wants to Read resource R1 with Token (T1) and asks the Authorization server: Is T1 authorized for R1_read?
      Resource | Action | Scope
      R1       | read   | R1_read
      R1       | write  | R1_write
      R2       | read   | R2_read

      Token | Scope
      T1    | R1_read
      T2    | R1_read
      T3    | R2_read
      T3    | R2_write
  27. A Web app wants to Access photos in collection A on PhotoServer: "I need an OAuth2 token with scope "photos_A"".
  28. Client registration by the Application Developer: 1. Register webapp with PhotoServer; 2. Generate client ID / client secret; 3. Configure callback URL; 4. Configure OAuth2 URLs; 5. Set client ID / client secret in the Web app.
  29. Web app → PhotoServer: 1. Redirect with scope request; 2. Authenticate and ask permission; 3. Redirect with auth code.
  30. Web app → PhotoServer: 4. Request token (auth code, cid, secret); 5. Send Token; 6. Access photo collection A.
  31. OAuth2 roles. Client – one who wants to access the resource, e.g. a web app that wants to access photos stored in PhotoServer. User – one who has permissions to the resource, e.g. Jane (Jane's web browser). Resource server – one who contains the resource. Authorization server – one who grants access to the resource. E.g. Facebook, PhotoServer.
  32. With a separate Authorization server: 1. Access web app; 2. Redirect with scope request "photos_A"; 3. Authenticate and ask permissions; 4. Redirect with auth code.
  33. 5. Request token (auth code, cid, secret) from the Authorization server; 6. Token given; 7. Request photos from PhotoServer.
  34. 8. PhotoServer validates the token for scope "photos_A" with the Authorization server; 9. Validation response.
      Token | Scope
      T1    | photos_A
      T2    | photos_B
      T3    | photos_A
      T3    | photos_B
  35. OpenID Connect: the Web app logs the user in against the Identity server and reads Jane's profile.
  36. 1. Log in; 2. Get tokens; 3. Authenticate; 4. Auth code. The Web app holds its Client ID, Secret and the Auth code.
  37. 5. Web app sends auth code, cid, secret to the Identity server; 6. Identity server returns an Access token (authorizes user info access) and an ID token (authenticates the user).
  38. 7. Get user info; 8. Identity server returns First name: Jane, Address: 65, Ed.., Tel: +61 93...
  39. Federation. Company A (logistics), Company A (head office) and Company B each run an Identity server. Jane wants to access a service hosted by company A.
  40. Company A (logistics): "You are not in my Identity Server!" Jane: "But I am registered in Company B".
  41. Chain of trust: Trust local IS → Trust IS in head office → Trust IS of company B. If company B says "This is Jane" then company A (logistics) believes it.
  42. Chained SAML requests. Company A (logistics) IS - IS1: <SP> webapp1, <IDP> IS2. Company A (HQ) IS - IS2: <SP> IS1, <IDP> IS3. Company B IS - IS3: <SP> IS2. webapp1 (on WSO2 AS): Request for resource → Redirect with SAML request to IS1 → Redirect with SAML request to IS2 → Redirect with SAML request to IS3 → Authenticate.
  43. The SAML assertion "User is Jane" travels back along the chain: IS3 → IS2, IS2 → IS1, IS1 → webapp1.
  44. Identity servers of Company A (logistics), Company A (head office) and Company B: SAML request → SAML request → SAML request → ???
  45. WSO2 Identity Server configuration. Service Provider: Claim configuration (email → http://wso2.org/email, first_name → http://wso2.org/given_name, …) and Outbound authentication. Identity Provider: Federated authenticators (SAML, OpenID Connect, Facebook, Google). Inbound: SAML request from the service provider. Outbound: OpenID Connect request to the federated Identity server.
  46. Response path with claim mappings applied. OpenID Connect response from the federated Identity server: Claims email = jane@companyb.com, first_name = Jane. WSO2 Identity Server applies the claim mappings: http://wso2.org/email = jane@companyb.com, http://wso2.org/given_name = Jane. SAML Response to the service provider: Claims email = jane@companyb.com, name = Jane.
  47. IS of Company A - IS1: <SP> webapp1, <IDP> IS2 (OpenID Connect authenticator). IS of Company B - IS2: <SP> IS1. webapp1 (WSO2 AS): Request for resource → SAML to IS1 (SAML authenticator) → OpenID Connect to IS2 (OpenID Connect authenticator) → Authenticate.
  48. The same setup with Facebook as the federated authenticator: anyone with a Facebook account can be authenticated.
  49. SCIM – System for Cross-domain Identity Management. SCIM endpoints.
  50. Creating a user through the SCIM endpoint (the JSON body is single-quoted so the inner double quotes survive the shell):
     curl -v -k --user admin:admin \
       --data '{"schemas":[],"name":{"familyName":"Ekanayake","givenName":"Chathura"},"userName":"chathura","password":"pass123", …........}' \
       --header "Content-Type:application/json" \
       https://localhost:9443/wso2/scim/Users
  51. Three Identity servers (Logistics, Head office, Accounting): "Add user to all Identity Servers!" Username: saman, Password: saman123, Email: saman@wso2.com on each of them.
  52. The same user (Username: saman, Password: saman123, Email: saman@wso2.com) replicated to the Logistics, Head office and Accounting Identity servers.
  53. Outbound provisioning. IS1 - Logistics provisions to IS2 – Head office through its SCIM endpoint (IDP - IS2 configured with SCIM); available connectors: SCIM, SPML, WS (SOAP).
  54. Just-in-time provisioning on federated login. Identity server Logistics (IS1) and Identity server Head office. 1. Access request; 2. Auth request; 3. Auth request; 4. Auth response; 5. Add user (Username: jane, Password: jane123, Email: saman@wso2.com) to the IS1 User store.
  55. Workflows at the Identity server for Update roles and Update claims: "I need to approve assignments to "Assessor" role", "I need to approve all claims", "One of us has to approve all new assessors".
  56. Update claims → Approve claims update, assigned to "Bob".
  57. Update roles → Approve role assignment (assigned to "supervisors" role) → Approve role assignment (assigned to "James").
  58. Try with: https://store.wso2.com
  59. Demo Resources
  60. Demo policy.
      ● The operations getVersion1 and getVersion2 in the service http://localhost:8280/services/Customers should be accessible to any user
      ● Requests to any other service or operation should only be allowed for users belonging to the group(s) admin_emps or admin or both
     <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="testOr"
             RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
       <Description>Test Or</Description>
       <Target></Target>
       <Rule Effect="Permit" RuleId="primary-group-emps-rule">
         <Target>
           <AnyOf>
             <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                 <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                      Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                      DataType="http://www.w3.org/2001/XMLSchema#string"
                                      MustBePresent="true"></AttributeDesignator>
               </Match>
             </AllOf>
           </AnyOf>
         </Target>
         <Condition>
           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
             <AttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"
                                  Category="urn:oasis:names:tc:xacml:3.0:group" MustBePresent="true"></AttributeDesignator>
             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin_emps</AttributeValue>
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
             </Apply>
           </Apply>
         </Condition>
       </Rule>
       <Rule Effect="Permit" RuleId="primary-user-rule">
         <Condition>
           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
             <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                  Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                  DataType="http://www.w3.org/2001/XMLSchema#string"
                                  MustBePresent="true"></AttributeDesignator>
             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getVersion1</AttributeValue>
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getVersion2</AttributeValue>
             </Apply>
           </Apply>
         </Condition>
       </Rule>
       <Rule Effect="Deny" RuleId="deny-rule"></Rule>
     </Policy>
  61. Request 1.
     <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
       <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
         <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
         </Attribute>
       </Attributes>
       <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
         <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">pushpalanka</AttributeValue>
         </Attribute>
       </Attributes>
       <Attributes Category="urn:oasis:names:tc:xacml:3.0:group">
         <Attribute AttributeId="group" IncludeInResult="false">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">business</AttributeValue>
         </Attribute>
       </Attributes>
       <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
         <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getVersion2</AttributeValue>
         </Attribute>
       </Attributes>
     </Request>
      ● User 'Pushpalanka', belonging to groups staff and business, tries to access 'http://localhost:8280/services/Customers/getVersion2'.
      ● Expected Response: Permit
  62. Request 2.
     <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
       <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
         <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
         </Attribute>
       </Attributes>
       <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
         <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
         </Attribute>
       </Attributes>
       <Attributes Category="urn:oasis:names:tc:xacml:3.0:group">
         <Attribute AttributeId="group" IncludeInResult="false">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">business</AttributeValue>
         </Attribute>
       </Attributes>
       <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
         <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/</AttributeValue>
         </Attribute>
       </Attributes>
     </Request>
      ● Admin user, belonging to the admin and business groups, tries to access the service 'http://localhost:8280/services/Customers/'.
      ● Expected Response: Permit
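An added example, not part of the slide deck or of WSO2 IS: a small Python policy decision point that parses XACML 3.0 requests shaped like slides 61 and 62 and evaluates slide 60's testOr policy with first-applicable rule combining (string-equal target on the action, string-at-least-one-member-of conditions, and the trailing deny rule). The make_request helper and the third, denied request are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_GROUP = "urn:oasis:names:tc:xacml:3.0:group"   # custom category used by the demo policy
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
CUSTOMERS = "http://localhost:8280/services/Customers"


def parse_request(xml_text):
    """Flatten a XACML 3.0 <Request> into {(category, attribute_id): [values]}, one bag per attribute."""
    ns = {"x": XACML_NS}
    bags = {}
    for attributes in ET.fromstring(xml_text).findall("x:Attributes", ns):
        for attribute in attributes.findall("x:Attribute", ns):
            key = (attributes.get("Category"), attribute.get("AttributeId"))
            bags.setdefault(key, []).extend(v.text for v in attribute.findall("x:AttributeValue", ns))
    return bags


def at_least_one_member_of(bag1, bag2):
    """XACML string-at-least-one-member-of: true if the two bags share at least one value."""
    return bool(set(bag1) & set(bag2))


# Slide 60's "testOr" policy as (rule_id, effect, target, condition); None means "always matches".
RULES = [
    ("primary-group-emps-rule", "Permit",
     lambda r: "read" in r.get((CAT_ACTION, ACTION_ID), []),
     lambda r: at_least_one_member_of(r.get((CAT_GROUP, "group"), []), ["admin_emps", "admin"])),
    ("primary-user-rule", "Permit", None,
     lambda r: at_least_one_member_of(r.get((CAT_RESOURCE, RESOURCE_ID), []),
                                      [CUSTOMERS + "/getVersion1", CUSTOMERS + "/getVersion2"])),
    ("deny-rule", "Deny", None, None),
]


def evaluate(request_xml):
    """first-applicable combining: the first rule whose Target and Condition both hold decides;
    a rule whose Target does not match or whose Condition is false is NotApplicable and skipped."""
    req = parse_request(request_xml)
    for rule_id, effect, target, condition in RULES:
        if target is not None and not target(req):
            continue
        if condition is not None and not condition(req):
            continue
        return effect, rule_id
    return "NotApplicable", None


def make_request(subject, groups, resource, action="read"):
    """Build a request in the shape of slides 61 and 62 (constructed input, not from the deck)."""
    def attr(category, attribute_id, values):
        vals = "".join(f'<AttributeValue DataType="{XS_STRING}">{v}</AttributeValue>' for v in values)
        return (f'<Attributes Category="{category}"><Attribute AttributeId="{attribute_id}" '
                f'IncludeInResult="false">{vals}</Attribute></Attributes>')
    return (f'<Request xmlns="{XACML_NS}" CombinedDecision="false" ReturnPolicyIdList="false">'
            + attr(CAT_ACTION, ACTION_ID, [action]) + attr(CAT_SUBJECT, SUBJECT_ID, [subject])
            + attr(CAT_GROUP, "group", groups) + attr(CAT_RESOURCE, RESOURCE_ID, [resource])
            + "</Request>")
```

Slide 61's request is permitted by primary-user-rule (the group check fails, so evaluation falls through), slide 62's by primary-group-emps-rule, and anything else by a non-admin user reaches deny-rule.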
