
WSO2Con USA 2017: Building a Secure Enterprise

Published in: Technology

  1. 1. Building a Secure Enterprise. Johann Dilantha Nallathamby, Technical Lead, WSO2; Rushmin Fernando, Technical Lead, WSO2.
  2. 2. Agenda • WSO2 Identity Server Architecture • SAML2 Single Sign-On/Single Logout • XACML 3.0 • OAuth 2.0 • OpenID Connect • User Management • SCIM 2.0 • Plugging an external Identity Store • Identity Cloud
  3. 3. Identity Server Architecture
  4. 4. SAML SSO Identity provider (e.g. WSO2 IS) Service provider (e.g. inventory) User data
  5. 5. SAML SSO - User Experience
  6. 6. SAML SSO - Login to Another Service Provider Identity provider (e.g. WSO2 IS) Service provider 2 (e.g. Accounts dept.) User data Service provider 1 (e.g. inventory) 4. Bypass login page
  7. 7. SAML SSO. Identity provider (e.g. WSO2 IS), Service provider 1 (SP1), Service provider 2 (SP2). Session table (Session ID: SP): IS1: SP1; IS1: SP2; IS2: SP2.
  8. 8. SAML Single Logout. Identity provider (e.g. WSO2 IS), Service provider 1 (SP1), Service provider 2 (SP2). Session table (Session ID: SP): IS1: SP1; IS1: SP2; IS2: SP2. Logout (session: S1).
  9. 9. What the User Can Do... Service provider 1 (SP1) /data/files /data/archives /data/visualize /data/details User = Jane User = David User = Tao
  10. 10. What the User Can Do (Ctd...). Service provider 1 (SP1); users Jane, David, Tao. Access control policy: If user = Tao and resource = /data/archives, Permit. If role = Clerk and action = write, Deny. If role = Manager and resource = /data/files, Permit.
  11. 11. XACML - Architecture. Resources /data/files, /data/archives, /data/visualize, /data/details; users Tao, David, Jane. Components: Policy Administration Point, Policy Store, Policy Decision Point (If user = jane, Permit. If role = clerk and action = write, Deny.), Policy Enforcement Point (PEP).
  12. 12. XACML - Policy Decision Flow. Policy Enforcement Point (PEP) in front of Service provider 1 (SP1) (resources /data/files, /data/archives, /data/visualize, /data/details; users Jane, David, Tao). Policy decision point evaluating Access policy 1 (If user = jane, Permit. If role = clerk and action = write, Deny.).
  13. 13. XACML - Policy. Policy: Target (activation conditions for the rule set); Rule (effect = permit): Target (activation conditions for the rule), Condition (conditions for the rule), decision applies if target and condition are true; Rule …......; Rule …......
  14. 14. XACML - Policy (Ctd...)
     <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="BankOne_account_access_policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
       <Target>
         <AnyOf>
           <AllOf>
             <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/bankone/accounts/*</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
             </Match>
           </AllOf>
         </AnyOf>
       </Target>
       <Rule Effect="Permit" RuleId="update_accounts_rule">
         ….
       </Rule>
       ….....
     </Policy>
     The policy-level Target is the activation condition for the rule set: the policy applies only if the resource matches /bankone/accounts/*.
  15. 15. XACML - Policy (Rules)
     <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="BankOne_account_access_policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
       <Target> ..... </Target>
       <Rule Effect="Permit" RuleId="update_accounts_rule">
         <Target>
           <AnyOf>
             <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                 <AttributeValue DataType="...#string">/bankone/accounts/update/*</AttributeValue>
                 <AttributeDesignator AttributeId="...:resource:resource-id" Category="...:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
               </Match>
             </AllOf>
           </AnyOf>
         </Target>
         <Condition>
           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
             <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
             <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
           </Apply>
         </Condition>
       </Rule>
       <Rule Effect="Permit" RuleId="read_accounts_rule"> … </Rule>
     </Policy>
     The rule permits if its conditions are satisfied: the rule Target applies if the resource matches /bankone/accounts/update/*, and the Condition holds if the subject's role is manager.
  16. 16. XACML Request
     <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
       <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
         <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
         </Attribute>
       </Attributes>
       <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
         <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/bankone/accounts/read/a1</AttributeValue>
         </Attribute>
       </Attributes>
     </Request>
     Subject = bob; Resource = /bankone/accounts/read/a1.
  17. 17. XACML - Policy Enforcement. Policy Enforcement Point (PEP) in front of Service provider 1 (SP1) (resources /data/files, /data/archives, /data/visualize, /data/details; users Jane, David, Tao). Policy decision from Access policy 1 (If user = jane, Permit. If role = clerk and action = write, Deny.).
  18. 18. XACML - Policy Enforcement with WSO2 ESB. A proxy service sets the user and resource properties (Property [Set user], Property [Set resource]), the Entitlement mediator obtains the policy decision from WSO2 IS, and the proxy then either sends the request on to Service provider 1 (SP1) on accept or drops it on reject.
  19. 19. Render menu items in a web app based on the logged-in user's fine-grained permissions.
  20. 20. XACML Demo
  21. 21. Bring a Token... Service provider: access resource R1. Does the user have permission to access R1? Service provider with a token: access resource R1, then check whether R1 is authorized for the given token.
  22. 22. But... How does a user get a token? How do we know if a given token has permission to access a resource?
  23. 23. OAuth 2.0 • Access is granted to authorized tokens • Users obtain tokens from an authorization server • Resource servers validate the authorization of a token with the authorization server. Tokens are authorized for scopes; each protected resource + action has to be mapped to a scope.
  24. 24. OAuth 2.0 (Ctd...). Service provider: read resource R1. Authorization server issues Token (T1). Resource / Action / Scope table: R1, read, R1_read; R1, write, R1_write; R2, read, R2_read. Token / Scope table: T1, R1_read; T2, R1_read; T3, R2_read; T3, R2_write. Is T1 authorized for R1_read?
  25. 25. Now … How to get a token?
  26. 26. Access On Behalf of a User. E.g. a web app wants to access photos stored in PhotoServer. Web app: "Access photos in collection A. I need an OAuth2 token with scope "photos_A"." PhotoServer.
  27. 27. Access On Behalf of a User (Ctd...). E.g. a web app wants to access photos stored in PhotoServer. Web app holds Client ID and Client secret. Application developer: 1. Register webapp; 2. Generate client ID / client secret; 3. Configure callback URL; 4. Configure OAuth2 URLs; 5. Set client ID / client secret.
  28. 28. Access On Behalf of a User (Ctd...) Eg: A web app wants to access photos stored in PhotoServer Web app PhotoServer Client ID Client secret Auth code
  29. 29. Access On Behalf of a User (Ctd...) Eg: A web app wants to access photos stored in PhotoServer PhotoServer Web app Client ID Client secret 5. Send Token
  30. 30. Observations. E.g. a web app wants to access photos stored in PhotoServer. Client – the one who wants to access the resource, e.g. the web app. User – the one who has permissions to the resource, e.g. Jane (via Jane's web browser). Resource server – the one that holds the resource. Authorization server – the one that grants access to the resource. E.g. Facebook, PhotoServer.
  31. 31. Delegating the authorization Web app PhotoServer Authorization server 1. Access web app
  32. 32. Delegating the authorization (Ctd...). Web app, PhotoServer, Authorization server. 6. Token given. 7. Request photos.
  33. 33. Delegating the authorization (Ctd...). Web app, PhotoServer, Authorization server. 8. Validate token for scope "photos_A". 9. Validation response. Token / Scope table: T1, photos_A; T2, photos_B; T3, photos_A; T3, photos_B.
  34. 34. Federated Access to APIs
  35. 35. Federated Access to APIs
  36. 36. Self Contained Access Tokens
  37. 37. Multiple OAuth2 Apps with No Shared Credentials
  38. 38. Multiple OAuth2 Apps with No Shared Credentials (Self-issued JWT)
  39. 39. Accessing APIs via desktop clients (kerberos)
  40. 40. Token Exchange
  41. 41. Fine-grained access control for APIs
  42. 42. OAuth 2.0 is for delegated access control. Can we extend this for authentication?
  43. 43. A Simple Approach... Just as clients are authorized to access resources, clients can be authorized to access user data. Web app: log in. Identity server: read Jane's profile.
  44. 44. OpenID Connect SSO Web app 1. Log in 3. Authenticate 4. Auth code Client ID Secret Auth code Identity server
  45. 45. OpenID Connect SSO (Ctd...). 6. Web app (Client ID, Secret, Auth code) and Identity server. Access token: authorizes user info access. ID token: authenticates the user.
  46. 46. OpenID Connect SSO (Ctd...) Web app Identity server 8. First name: Jane Address: 65, Ed.. Tel: +61 93...
  47. 47. Adding Users WSO2 IS Management Console
  48. 48. Adding Users? (Ctd..) Hot deploy multiple user stores
  49. 49. Adding Users? (Ctd..) SCIM – System for Cross-domain Identity Management SCIM endpoints
  50. 50. Adding Users? (Ctd..) The JSON body is single-quoted so the inner double quotes reach the SCIM endpoint intact:
     curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"Ekanayake","givenName":"Chathura"},"userName":"chathura","password":"pass123", …........}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users
  51. 51. Adding Users to Many Other Parties... Identity servers for Logistics, Head office and Accounting. Add the user (Username: saman, Password: saman123, Email: saman@wso2.com) to all Identity Servers!
  52. 52. Federated Provisioning. Identity servers for Logistics, Head office and Accounting each receive the same user (Username: saman, Password: saman123, Email: saman@wso2.com).
  53. 53. Provisioning Bridge IS1 - Logistics SCIM endpoint IDP - IS2 SCIM SPML IS2 – Head office SCIM endpoint WS SCIM SCIM SOAP
  54. 54. Integrating External User Stores. Identity server (Logistics) and Identity server (Head office). User: Username: jane, Password: jane123, Email: saman@wso2.com. 1. Access request. 2. Auth request. 3. Auth request. 4. Auth response. 5. Add user to the IS1 user store.
  55. 55. Thank You!
