Securing the Unsecured: Using SSO and XACML to Protect Web Apps
App Manager 1.0.0
Dinusha Senanayaka
WSO2 App Manager Team
Why App Manager?
◉ 100% open source, under the Apache 2 license
◉ Policy-based authorization
◉ Insights into app subscriptions and behaviors
◉ Single Sign-On (SSO) across web apps
◉ Unified App Store
◉ Central app management (web and mobile)
◉ Access control based on organizational user roles

Leverages proven WSO2 components:
- Analytics Platform: app usage statistics
- Security offering: authentication, authorization, federated identity and SSO
- Enterprise Store: app provisioning and management
WSO2 App Manager Components
Single Sign-On between Web Apps
Pros for end users
◉ Do not have to memorize a long list of passwords to access multiple applications
Pros for application developers
◉ Do not have to implement authentication in each web app themselves
◉ Can focus on developing the application's business logic
Pros for administrators
◉ Do not have to manage multiple user accounts for different applications
SAML2 Web Browser SSO Profile
In this profile the browser is redirected from the web app to the identity provider with an AuthnRequest; the identity provider authenticates the user and posts a SAML Response back to the app's assertion consumer URL, so the app never handles the user's credentials.
Single Logout between Web Apps
A logout from one app is propagated by the identity provider to every other app sharing that session, identified by the SessionIndex each assertion carries.
Demo
Two Types of Web Apps
◉ Non-secured web apps
◉ Already secured web apps
How does App Manager handle each?
Securing Non-secured Web Apps Using App Manager
◉ Just publish the web app in App Manager; App Manager then fronts the app and authenticates users before their requests reach it
◉ This only protects the app if it is reachable solely through App Manager: a backend that still answers direct requests is not secured by being published
Already Secured Web Apps through App Manager
◉ The web app needs some modification: it delegates authentication to App Manager instead of running its own login
◉ It identifies the user from the JWT or the SAML Response that App Manager forwards with each request
JWT and SAML Token Headers
◉ Two ways of sending the authenticated user's details to the backend
◉ The web app can process either the JWT (JSON) header or the SAML Response (XML) header to get the user details
◉ Either header is only as trustworthy as the path it arrived on: the backend must accept it from App Manager alone and strip or reject any copy supplied directly by a client
JWT / SAML Response: the JWT
{
"iss": "wso2.org/products/am",
"exp": 1435218328463,
"Subject": "beth@wso2.com",
"http://wso2.org/claims/card_holder": "beth",
"http://wso2.org/claims/card_number": "45678563456986",
"http://wso2.org/claims/emailaddress": "beth@wso2.com",
"http://wso2.org/claims/expiration_date": "2020-12-20",
"http://wso2.org/claims/givenname": "Beth",
"http://wso2.org/claims/lastname": "Carder",
"http://wso2.org/claims/organization": "WSO2",
"http://wso2.org/claims/role": "Internal/private_beth-AT-wso2.com,Internal/subscriber,Internal/store-admin,Internal/everyone,SALES",
"http://wso2.org/claims/streetaddress": "California",
"http://wso2.org/claims/telephone": "877 309 2070",
"http://wso2.org/claims/zipcode": "0789",
"http://wso2.org/ffid": "34567"
}
Two things to check before handing this token to a standard JWT library: exp is a 13-digit millisecond timestamp (2015-06-25T07:45:28Z, fifteen minutes after the IssueInstant of the SAML Response on the next slide), whereas RFC 7519 defines exp in seconds; and the subject is carried as Subject rather than the registered sub claim. The token also forwards every claim configured for the user, card_number included, so restrict the claims mapped into it to what the backend actually needs.
JWT / SAML Response: the SAML Response
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://ec2-54-84-233-242.compute-1.amazonaws.com:8280/plan-trip/1.0.0/" ID="aipcfpjgmlffcbhcdnapgkdncjdcjdbkalkmejpe" InResponseTo="0" IssueInstant="2015-06-25T07:30:28.203Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">appm</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="ifghfahaljakniomfjeelcknnpaopmjbagonchak" IssueInstant="2015-06-25T07:30:28.203Z" Version="2.0">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">appm</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">beth@wso2.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2015-06-25T07:35:28.203Z" Recipient="http://ec2-54-84-233-242.compute-1.amazonaws.com:8280/plan-trip/1.0.0/"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2015-06-25T07:30:28.203Z" NotOnOrAfter="2015-06-25T07:35:28.203Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>PlanYourTrip-1.0.0</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2015-06-25T07:30:28.203Z" SessionIndex="550a41fc-ba6a-4dff-bc58-7ec11ed6d0d3">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="http://wso2.org/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Internal/private_beth-AT-wso2.com,Internal/subscriber,Internal/store-admin,Internal/everyone,SALES</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
The assertion is bearer-confirmed with a five-minute window (NotBefore to NotOnOrAfter), restricted to the audience PlanYourTrip-1.0.0, and addressed to the app's URL on the App Manager gateway (port 8280) as Recipient. As shown on the slide the response carries no ds:Signature element, so the backend cannot verify it cryptographically and must rely on the header being settable only by App Manager; it should still enforce the window, audience and recipient itself.
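The check a backend should run on that header, as an added example that is not App Manager's or WSO2's code: it enforces Status, the validity window, AudienceRestriction and the bearer Recipient before reading the NameID and the role attribute. SAMPLE_RESPONSE is a trimmed copy of the response on the slide (namespaces and the elements the checks need); the clock values passed as now are constructed so the run is deterministic, and the expected audience and recipient are the ones the slide shows.

```python
"""Enforce a SAML assertion's own conditions before trusting the user it names.

Added example, not App Manager's or WSO2's code. SAMPLE_RESPONSE is trimmed
from the slide; INSIDE_WINDOW / AFTER_WINDOW are constructed clock values.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ROLE_ATTR = "http://wso2.org/claims/role"
RECIPIENT = "http://ec2-54-84-233-242.compute-1.amazonaws.com:8280/plan-trip/1.0.0/"

# Trimmed copy of the slide's response: Status, Subject, Conditions, role attribute.
SAMPLE_RESPONSE = """
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="aipcfpjgmlffcbhcdnapgkdncjdcjdbkalkmejpe"
    Destination="http://ec2-54-84-233-242.compute-1.amazonaws.com:8280/plan-trip/1.0.0/"
    IssueInstant="2015-06-25T07:30:28.203Z" Version="2.0">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="ifghfahaljakniomfjeelcknnpaopmjbagonchak"
      IssueInstant="2015-06-25T07:30:28.203Z" Version="2.0">
    <saml2:Issuer>appm</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">beth@wso2.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2015-06-25T07:35:28.203Z"
            Recipient="http://ec2-54-84-233-242.compute-1.amazonaws.com:8280/plan-trip/1.0.0/"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2015-06-25T07:30:28.203Z" NotOnOrAfter="2015-06-25T07:35:28.203Z">
      <saml2:AudienceRestriction><saml2:Audience>PlanYourTrip-1.0.0</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="http://wso2.org/claims/role">
        <saml2:AttributeValue>Internal/private_beth-AT-wso2.com,Internal/subscriber,Internal/store-admin,Internal/everyone,SALES</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def _ts(value):
    # SAML timestamps are xsd:dateTime in UTC with a trailing Z; fromisoformat wants +00:00
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_saml_response(xml_text, expected_audience, expected_recipient, now):
    """Return {'subject', 'roles'} for a valid response, or raise ValueError naming the failed check."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if conditions is None:
        raise ValueError("no Assertion with Conditions")
    if not (_ts(conditions.get("NotBefore")) <= now < _ts(conditions.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("audience mismatch: %r" % audiences)
    confirmation = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = confirmation.find("saml:SubjectConfirmationData", NS) if confirmation is not None else None
    if data is None or confirmation.get("Method") != BEARER:
        raise ValueError("unexpected subject confirmation")
    if data.get("Recipient") != expected_recipient:
        raise ValueError("recipient mismatch")
    if now >= _ts(data.get("NotOnOrAfter")):
        raise ValueError("subject confirmation expired")
    subject = assertion.find("saml:Subject/saml:NameID", NS).text
    roles = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ROLE_ATTR:
            for value in attr.findall("saml:AttributeValue", NS):
                # App Manager packs every role into one comma-separated value
                roles.extend(r.strip() for r in value.text.split(",") if r.strip())
    return {"subject": subject, "roles": roles}


INSIDE_WINDOW = datetime(2015, 6, 25, 7, 32, tzinfo=timezone.utc)   # constructed
AFTER_WINDOW = datetime(2015, 6, 25, 7, 40, tzinfo=timezone.utc)    # constructed


def check_sample(now, audience="PlanYourTrip-1.0.0"):
    """Validate the slide's response at time `now`; return the user or the rejection reason."""
    try:
        return validate_saml_response(SAMPLE_RESPONSE, audience, RECIPIENT, now)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(check_sample(INSIDE_WINDOW))              # accepted: beth@wso2.com with her roles
    print(check_sample(AFTER_WINDOW))               # assertion outside its validity window
    print(check_sample(INSIDE_WINDOW, "OtherApp"))  # audience mismatch
```

Every rejection names the failed check so it can be logged, and the roles come back as a list rather than the raw comma-joined string, which is what later role checks should compare against. For XML that crosses a trust boundary, parse with defusedxml rather than xml.etree directly to rule out entity-expansion tricks.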
Sample Code Snippet to Identify User from JWT Header
// Jaggery (server-side JavaScript) running inside the web app; App Manager
// forwards the token in the X-JWT-Assertion request header
var header = request.getHeader("X-JWT-Assertion");
// Base64 helper module shipped with the app
var Base64 = require('../modules/base64.js');
if (header != null) {
    // A JWT is three '.'-separated base64url sections: header.payload.signature
    var jwtAssertions = header.split(".");
    // The payload is unpadded base64url; map it back to the standard alphabet
    // and pad it before handing it to a plain base64 decoder
    var payload = jwtAssertions[1].replace(/-/g, "+").replace(/_/g, "/");
    while (payload.length % 4 !== 0) { payload += "="; }
    var jsonString = Base64.decode(payload);
    var obj = parse(jsonString);
    var email = obj["http://wso2.org/claims/emailaddress"];
    // The role claim is one comma-separated string; split it and compare whole
    // role names (a substring test such as indexOf("admin") on the raw string
    // would also match "Internal/store-admin")
    var roles = String(obj["http://wso2.org/claims/role"]).split(",");
    var isAdmin = roles.indexOf("admin") != -1;
    session.put("user", {"mail": email, "admin": isAdmin});
}
var user = session.get("user");
if (user == null) {
    response.sendRedirect(baseAt + "/login.jag");
} else if (user.admin) {
    // admin-only handling goes here
}
The snippet decodes the payload but never verifies the signature, so it is safe only when the X-JWT-Assertion header can come from nowhere but App Manager. If the app is reachable by any other path, verify the third section against App Manager's public certificate before using a single claim, and reject tokens whose exp (in milliseconds here) has passed.
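The same identification done with the checks the slide's snippet leaves out, as an added example that is not code from the slides or from WSO2: signature verification, correct base64url decoding, the millisecond exp, and exact role matching. It assumes the token is signed with HS256 over a shared secret constructed here; a deployment that signs with the gateway's RSA key verifies the same three-segment structure with the public certificate and an RS256 verifier instead. The claim names and values are the ones on the JWT slide.

```python
"""Verify the App Manager JWT before trusting its claims.

Added example, not WSO2 code. HS256 and SECRET are assumptions made so the
example runs offline; claim names and values are copied from the slide.
"""
import base64
import hashlib
import hmac
import json

ROLE_CLAIM = "http://wso2.org/claims/role"
EMAIL_CLAIM = "http://wso2.org/claims/emailaddress"


def b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the '=' padding first
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(payload, secret):
    """Mint a token the way a gateway would (HS256 and the key are assumptions)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    mac = hmac.new(secret, ("%s.%s" % (header, body)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, body, b64url_encode(mac))


def verify_and_decode(token, secret, now_seconds):
    """Return the verified payload, or raise ValueError naming the failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three '.'-separated segments")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier, never the token, decides how to verify
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, ("%s.%s" % (header_b64, body_b64)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body_b64))
    exp = payload.get("exp")
    if exp is None:
        raise ValueError("missing exp")
    # The slide's exp is a 13-digit millisecond value (1435218328463) while
    # RFC 7519 NumericDate is seconds; normalise by magnitude
    if exp > 10 ** 11:
        exp = exp / 1000.0
    if now_seconds >= exp:
        raise ValueError("token expired")
    return payload


def user_from_token(token, secret, now_seconds):
    """Build the {mail, admin} session record the slide's snippet builds, safely."""
    payload = verify_and_decode(token, secret, now_seconds)
    # Roles arrive as one comma-separated string; compare whole names so that
    # "Internal/store-admin" does not satisfy an "admin" check
    roles = [r.strip() for r in str(payload.get(ROLE_CLAIM, "")).split(",") if r.strip()]
    return {"mail": payload.get(EMAIL_CLAIM), "admin": "admin" in roles, "roles": roles}


# Constructed inputs: claims from the slide, secret invented for the example
SECRET = b"example-shared-secret-not-for-production"
SLIDE_CLAIMS = {
    "iss": "wso2.org/products/am",
    "exp": 1435218328463,
    "Subject": "beth@wso2.com",
    EMAIL_CLAIM: "beth@wso2.com",
    ROLE_CLAIM: "Internal/private_beth-AT-wso2.com,Internal/subscriber,"
                "Internal/store-admin,Internal/everyone,SALES",
}
ISSUE_TIME = 1435217428  # 2015-06-25T07:30:28Z, the IssueInstant on the SAML slide
SAMPLE_TOKEN = sign_hs256(SLIDE_CLAIMS, SECRET)


def forged_admin_token():
    """Payload edited to claim the admin role, original signature kept: must be rejected."""
    head, _, sig = SAMPLE_TOKEN.split(".")
    forged = dict(SLIDE_CLAIMS)
    forged[ROLE_CLAIM] = "admin"
    return "%s.%s.%s" % (head, b64url_encode(json.dumps(forged).encode()), sig)


def demo(token=SAMPLE_TOKEN, now_seconds=ISSUE_TIME):
    """Return the session record, or the rejection reason as a string."""
    try:
        return user_from_token(token, SECRET, now_seconds)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(demo())                               # accepted: beth, admin False
    print(demo(now_seconds=ISSUE_TIME + 3600))  # token expired
    print(demo(token=forged_admin_token()))     # bad signature
```

The forged token shows why signature verification has to come before any claim is read: the payload is plain base64url and anyone who can reach the backend directly can rewrite it. The magnitude test on exp is a pragmatic way to accept this gateway's millisecond timestamps without silently treating them as seconds, which would make every token valid for tens of thousands of years.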
Federated Authentication for Web Apps
App Manager can federate authentication to an external identity provider, so users sign in at that provider and still get SSO to the apps published in App Manager.

◉ Authentication: SAML2 SSO
◉ Authorization: ?
XACML: eXtensible Access Control Markup Language
XACML Reference Architecture
The reference architecture separates the Policy Enforcement Point (PEP), which intercepts the request, from the Policy Decision Point (PDP), which evaluates the policies written at the Policy Administration Point (PAP), with a Policy Information Point (PIP) supplying any attributes the request itself did not carry.
How Does App Manager Enforce XACML Evaluation for Web Apps?
XACML Policy Editor in App Manager
Demo

Summary
◉ How App Manager provides security (SSO) for web apps
◉ Non-secured web apps
◉ Already secured web apps
◉ Federated authentication for web apps using App Manager
◉ Fine-grained authorization to web app resources using XACML

Contact us!
Mais conteúdo relacionado

Semelhante a Securing the Unsecured: Using SSO and XACML to Protect Your Web Apps

Addressing Integration needs in the education industry with the WSO2 Platform
Addressing Integration needs in the education industry with the WSO2 PlatformAddressing Integration needs in the education industry with the WSO2 Platform
Addressing Integration needs in the education industry with the WSO2 PlatformWSO2
 
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...Profesia Srl, Lynx Group
 
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Veracode
 
Mobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing PasswordsMobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing PasswordsCA API Management
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementManish Harsh
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsCognizant
 
Programming with Azure Active Directory
Programming with Azure Active DirectoryProgramming with Azure Active Directory
Programming with Azure Active DirectoryJoonas Westlin
 
WearFit Security Design Analysis of a Wearable Fitness Tr.docx
WearFit Security Design Analysis of a Wearable Fitness Tr.docxWearFit Security Design Analysis of a Wearable Fitness Tr.docx
WearFit Security Design Analysis of a Wearable Fitness Tr.docxjessiehampson
 
Building Cool Applications with WSO2 StratosLive
Building Cool Applications with WSO2 StratosLiveBuilding Cool Applications with WSO2 StratosLive
Building Cool Applications with WSO2 StratosLiveWSO2
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Florian Roth
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhibhumika2108
 
WSO2 App Manager - Product Overview
WSO2 App Manager - Product OverviewWSO2 App Manager - Product Overview
WSO2 App Manager - Product OverviewWSO2
 
Hack applications
Hack applicationsHack applications
Hack applicationsenrizmoore
 
SharePoint 2013 App Provisioning Models
SharePoint 2013 App Provisioning ModelsSharePoint 2013 App Provisioning Models
SharePoint 2013 App Provisioning ModelsShailen Sukul
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCloudIDSummit
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCloudIDSummit
 

Semelhante a Securing the Unsecured: Using SSO and XACML to Protect Your Web Apps (20)

Addressing Integration needs in the education industry with the WSO2 Platform
Addressing Integration needs in the education industry with the WSO2 PlatformAddressing Integration needs in the education industry with the WSO2 Platform
Addressing Integration needs in the education industry with the WSO2 Platform
 
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
 
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
 
Mobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing PasswordsMobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing Passwords
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy Management
 
Varuns resume
Varuns resumeVaruns resume
Varuns resume
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, Solutions
 
Programming with Azure Active Directory
Programming with Azure Active DirectoryProgramming with Azure Active Directory
Programming with Azure Active Directory
 
WearFit Security Design Analysis of a Wearable Fitness Tr.docx
WearFit Security Design Analysis of a Wearable Fitness Tr.docxWearFit Security Design Analysis of a Wearable Fitness Tr.docx
WearFit Security Design Analysis of a Wearable Fitness Tr.docx
 
Building Cool Applications with WSO2 StratosLive
Building Cool Applications with WSO2 StratosLiveBuilding Cool Applications with WSO2 StratosLive
Building Cool Applications with WSO2 StratosLive
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212
 
Sarvesh Upadhyay
Sarvesh UpadhyaySarvesh Upadhyay
Sarvesh Upadhyay
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
 
WSO2 App Manager - Product Overview
WSO2 App Manager - Product OverviewWSO2 App Manager - Product Overview
WSO2 App Manager - Product Overview
 
Cv Jawad Munir
Cv   Jawad MunirCv   Jawad Munir
Cv Jawad Munir
 
Hack applications
Hack applicationsHack applications
Hack applications
 
SharePoint 2013 App Provisioning Models
SharePoint 2013 App Provisioning ModelsSharePoint 2013 App Provisioning Models
SharePoint 2013 App Provisioning Models
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in Action
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in Action
 
C01461422
C01461422C01461422
C01461422
 

Mais de WSO2

Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
How to Create a Service in Choreo
How to Create a Service in ChoreoHow to Create a Service in Choreo
How to Create a Service in ChoreoWSO2
 
Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023WSO2
 
Platform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on AzurePlatform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on AzureWSO2
 
GartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdfGartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdfWSO2
 
[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in MinutesWSO2
 
Modernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos IdentityModernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos IdentityWSO2
 
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...WSO2
 
CIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdfCIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdfWSO2
 
Delivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing ChoreoDelivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing ChoreoWSO2
 
Fueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected ProductsFueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected ProductsWSO2
 
A Reference Methodology for Agile Digital Businesses
 A Reference Methodology for Agile Digital Businesses A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital BusinessesWSO2
 
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)WSO2
 
Lessons from the pandemic - From a single use case to true transformation
 Lessons from the pandemic - From a single use case to true transformation Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformationWSO2
 
Adding Liveliness to Banking Experiences
Adding Liveliness to Banking ExperiencesAdding Liveliness to Banking Experiences
Adding Liveliness to Banking ExperiencesWSO2
 
Building a Future-ready Bank
Building a Future-ready BankBuilding a Future-ready Bank
Building a Future-ready BankWSO2
 
WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2
 
[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIsWSO2
 
[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native DeploymentWSO2
 
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”WSO2
 

Mais de WSO2 (20)

Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
How to Create a Service in Choreo
How to Create a Service in ChoreoHow to Create a Service in Choreo
How to Create a Service in Choreo
 
Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023
 
Platform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on AzurePlatform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on Azure
 
GartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdfGartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdf
 
[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes
 
Modernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos IdentityModernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos Identity
 
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
 
CIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdfCIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdf
 
Delivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing ChoreoDelivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing Choreo
 
Fueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected ProductsFueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected Products
 
A Reference Methodology for Agile Digital Businesses
 A Reference Methodology for Agile Digital Businesses A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital Businesses
 
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
 
Lessons from the pandemic - From a single use case to true transformation
 Lessons from the pandemic - From a single use case to true transformation Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformation
 
Adding Liveliness to Banking Experiences
Adding Liveliness to Banking ExperiencesAdding Liveliness to Banking Experiences
Adding Liveliness to Banking Experiences
 
Building a Future-ready Bank
Building a Future-ready BankBuilding a Future-ready Bank
Building a Future-ready Bank
 
WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021
 
[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs
 
[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment
 
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
 

Último

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Último (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Securing the Unsecured: Using SSO and XACML to Protect Your Web Apps

  • 1. Securing the Unsecured: Using SSO and XACML to Protect Web Apps. App Manager 1.0.0. Dinusha Senanayaka, WSO2 App Manager Team
  • 2. Why App Manager?
    ◉ 100% Open Source, under Apache 2 License
    ◉ Policy-based Authorization
    ◉ Insights into App Subscriptions & Behaviors
    ◉ Single-Sign-On (SSO) across Web Apps
    ◉ Unified App Store
    ◉ Central App Management (web & mobile)
    ◉ Access Control based on Organizational User Roles
    Leverages proven components of WSO2:
    ◉ Analytics Platform: App Usage Statistics
    ◉ Security offering: Authentication, Authorization, Federated Identity and SSO
    ◉ Enterprise Store: App Provisioning & Management
  • 3. WSO2 App Manager Components
  • 4. Single Sign-On between Web Apps
    Pros for End Users
    ◉ Do not have to memorize a long list of passwords to access multiple applications
    Pros for Application Developers
    ◉ Do not have to worry about implementing security for Web Apps
    ◉ Can focus only on developing application business logic
    Pros for Administrators
    ◉ Do not have to manage multiple user accounts for different applications
  • 5. SAML2 Web Browser based SSO Profile
  • 8. Two Types of Web Apps
    ◉ Non-secured web apps
    ◉ Already secured web apps
    How to manage them with App Manager?
  • 9. Secure Non-secured Web Apps Using App Manager
    ◉ Just publish the web app in App Manager
  • 10. Already Secured Web Apps through App Manager
    ◉ Some modifications need to be made to the web app
    ◉ Could use the JWT token or the SAML response to identify the user inside the web app
  • 11. JWT and SAML Token Headers
    ◉ Ways of sending authenticated user details to the backend
    ◉ The web app can process either the JWT (JSON) header or the SAML Response (XML) header to get the user details
    ◉ Both headers are added by the gateway after it has authenticated the user; the web app must therefore only accept them on requests that actually came through the gateway, and either verify the signature itself or be unreachable by any other route
  • 12. JWT/ SAML Response
    {
      "iss": "wso2.org/products/am",
      "exp": 1435218328463,
      "Subject": "beth@wso2.com",
      "http://wso2.org/claims/card_holder": "beth",
      "http://wso2.org/claims/card_number": "45678563456986",
      "http://wso2.org/claims/emailaddress": "beth@wso2.com",
      "http://wso2.org/claims/expiration_date": "2020-12-20",
      "http://wso2.org/claims/givenname": "Beth",
      "http://wso2.org/claims/lastname": "Carder",
      "http://wso2.org/claims/organization": "WSO2",
      "http://wso2.org/claims/role": "Internal/private_beth-AT-wso2.com,Internal/subscriber,Internal/store-admin,Internal/everyone,SALES",
      "http://wso2.org/claims/streetaddress": "Califonia",
      "http://wso2.org/claims/telephone": "877 309 2070",
      "http://wso2.org/claims/zipcode": "0789",
      "http://wso2.org/ffid": "34567"
    }
    Note that "exp" here is a millisecond timestamp (1435218328463 is 2015-06-25T07:45:28Z, fifteen minutes after the IssueInstant of the SAML response on the next slide), not the seconds-since-epoch value RFC 7519 specifies; a standard JWT library that reads it as seconds would treat the token as valid far into the future, so the expiry check in the web app must account for this. Roles are delivered as one comma-separated string, not a JSON array.
  • 13. JWT/ SAML Response
    <?xml version="1.0" encoding="UTF-8"?>
    <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
        Destination="http://ec2-54-84-233-242.compute-1.amazonaws.com:8280/plan-trip/1.0.0/"
        ID="aipcfpjgmlffcbhcdnapgkdncjdcjdbkalkmejpe" InResponseTo="0"
        IssueInstant="2015-06-25T07:30:28.203Z" Version="2.0">
      <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
          Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">appm</saml2:Issuer>
      <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </saml2p:Status>
      <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
          ID="ifghfahaljakniomfjeelcknnpaopmjbagonchak" IssueInstant="2015-06-25T07:30:28.203Z" Version="2.0">
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">appm</saml2:Issuer>
        <saml2:Subject>
          <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">beth@wso2.com</saml2:NameID>
          <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2015-06-25T07:35:28.203Z"
                Recipient="http://ec2-54-84-233-242.compute-1.amazonaws.com:8280/plan-trip/1.0.0/"/>
          </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2015-06-25T07:30:28.203Z" NotOnOrAfter="2015-06-25T07:35:28.203Z">
          <saml2:AudienceRestriction>
            <saml2:Audience>PlanYourTrip-1.0.0</saml2:Audience>
          </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2015-06-25T07:30:28.203Z" SessionIndex="550a41fc-ba6a-4dff-bc58-7ec11ed6d0d3">
          <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
          </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
          <saml2:Attribute Name="http://wso2.org/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"
                >Internal/private_beth-AT-wso2.com,Internal/subscriber,Internal/store-admin,Internal/everyone,SALES</saml2:AttributeValue>
          </saml2:Attribute>
        </saml2:AttributeStatement>
      </saml2:Assertion>
    </saml2p:Response>
    A web app that consumes this header should check the same things a SAML service provider would: the Audience matches the app, the Recipient matches its own URL, the current time falls inside NotBefore/NotOnOrAfter (a five-minute window here), and the Issuer is the gateway. The Response shown carries no Signature element, so the app cannot verify it cryptographically and is trusting that only the gateway can set the header.
  • 14. Sample Code Snippet to Identify User from JWT Header (Jaggery)
    var header = request.getHeader("X-JWT-Assertion");
    // Create Base64 Object
    var Base64 = require('../modules/base64.js');
    if (header != null) {
        // A JWT is three '.'-separated, base64url-encoded sections: header.payload.signature.
        // Only the payload is decoded here; the signature is NOT verified, so this snippet
        // is safe only if the web app is reachable exclusively through the gateway.
        var jwtAssertions = header.split(".");
        var jsonString = Base64.decode(jwtAssertions[1]);
        var obj = parse(jsonString);
        // Read claims by their full URI instead of rewriting the JSON text with replace(),
        // which only substitutes the first occurrence of each string.
        var email = obj["http://wso2.org/claims/emailaddress"];
        // Roles arrive as one comma-separated string; split so the check is an exact match
        // (indexOf("admin") on the raw string would also match "Internal/store-admin").
        var roles = String(obj["http://wso2.org/claims/role"] || "").split(",");
        session.put("user", {"mail": email, "admin": roles.indexOf("admin") != -1});
    }
    var user = session.get("user");
    if (user == null) {
        response.sendRedirect(baseAt + "/login.jag");
    } else if (user.admin) {
        // admin-only handling goes here
    }
  • 16. ◉ Authentication: SAML2 SSO
        ◉ Authorization: ?
  • 17. XACML: eXtensible Access Control Markup Language. XACML Reference Architecture
  • 18. How Does App Manager Enforce XACML Evaluation for Web Apps?
  • 19. XACML Policy Editor in App Manager
  • 21. Summary
    ◉ How App Manager provides security (SSO) for Web Apps
      ◉ Non-secured web apps
      ◉ Already secured web apps
    ◉ Federated Authentication for web apps using App Manager
    ◉ Fine-grained authorization to web app resources using XACML