6. SAML SSO - Login to Another Service Provider
[Diagram: identity provider (e.g. WSO2 IS) holding the user data; service provider 1 (e.g. inventory); service provider 2 (e.g. Accounts dept.); step 4: bypass login page.]
7. SAML SSO
[Diagram: identity provider (e.g. WSO2 IS), service provider 1 (SP1), service provider 2 (SP2). Session table (session ID to service provider):]
Session ID   SP
IS1          SP1
IS1          SP2
IS2          SP2
8. SAML Single Logout
[Diagram: identity provider (e.g. WSO2 IS), service provider 1 (SP1), service provider 2 (SP2); logout (session: S1). Session table:]
Session ID   SP
IS1          SP1
IS1          SP2
IS2          SP2
9. What the User Can Do...
[Diagram: service provider 1 (SP1) with resources /data/files, /data/archives, /data/visualize and /data/details; users Jane, David and Tao.]
10. What the User Can Do (Ctd...)
[Diagram: service provider 1 (SP1); users Jane, David and Tao.]
Access control policy:
If user = Tao and resource = /data/archives: Permit.
If role = Clark and action = write: Deny.
If role = Manager and resource = /data/files: Permit.
12. XACML - Policy Decision Flow
[Diagram: users Jane, David and Tao; service provider 1 (SP1) with resources /data/files, /data/archives, /data/visualize and /data/details; a Policy Enforcement Point (PEP) and a policy decision point holding Access policy 1.]
Access policy 1:
If user = jane: Permit.
If role = clark and action = write: Deny.
13. XACML - Policy
Policy
  Target                  - activation conditions for the rule set
  Rule (effect = permit)  - the effect is the decision if target and condition are true
    Target                - activation conditions for the rule
    Condition             - conditions for the rule
  Rule ...
  Rule ...
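To make the structure on slides 10, 12 and 13 concrete, here is a minimal policy decision point written as an added example (not WSO2 Identity Server code): a Policy with a Target and Rules, each Rule with its own Target, optional Condition and Effect, evaluated against Access policy 1 from the slides. The first-applicable rule-combining algorithm, the NotApplicable default and the /data/ policy target are assumptions.

```python
"""Minimal XACML-style policy decision point (added illustration, not WSO2
code). As on the slide: a Policy has a Target (activation conditions for the
rule set) and Rules; each Rule has its own Target, an optional Condition and
an Effect that applies only when both hold. First-applicable combining, the
NotApplicable default and the /data/ policy target are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
Request = Dict[str, str]           # attributes: user, role, resource, action
Predicate = Callable[[Request], bool]

@dataclass
class Rule:
    effect: str                    # "Permit" or "Deny"
    target: Predicate              # activation conditions for the rule
    condition: Optional[Predicate] = None   # further conditions, if any

@dataclass
class Policy:
    target: Predicate              # activation conditions for the rule set
    rules: List[Rule] = field(default_factory=list)

def attr_is(name: str, value: str) -> Predicate:
    """Predicate matching one request attribute (case-insensitive)."""
    return lambda req: req.get(name, "").lower() == value.lower()

def evaluate(policy: Policy, req: Request) -> str:
    """Return Permit, Deny or NotApplicable for the request."""
    if not policy.target(req):
        return "NotApplicable"     # rule set not activated
    for rule in policy.rules:      # first-applicable rule wins
        if not rule.target(req):
            continue
        if rule.condition is not None and not rule.condition(req):
            continue               # target matched but condition did not
        return rule.effect
    return "NotApplicable"

# Access policy 1 from the slides: the Tao / Clark / Manager rules.
ACCESS_POLICY_1 = Policy(
    target=lambda req: req.get("resource", "").startswith("/data/"),
    rules=[
        Rule("Permit", attr_is("user", "Tao"), attr_is("resource", "/data/archives")),
        Rule("Deny", attr_is("role", "Clark"), attr_is("action", "write")),
        Rule("Permit", attr_is("role", "Manager"), attr_is("resource", "/data/files")),
    ],
)

def pep_allows(req: Request) -> bool:
    """Policy enforcement point: only an explicit Permit gets through."""
    return evaluate(ACCESS_POLICY_1, req) == "Permit"
```

The PEP is deny-biased: a NotApplicable decision (no rule matched, or the policy target did not activate) is refused just like an explicit Deny.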
17. XACML - Policy Enforcement
[Diagram: users Jane, David and Tao; service provider 1 (SP1) with resources /data/files, /data/archives, /data/visualize and /data/details; a Policy Enforcement Point (PEP) obtaining the policy decision from Access policy 1 (if user = jane: Permit; if role = clark and action = write: Deny).]
18. XACML - Policy Enforcement
[Diagram: a WSO2 ESB proxy service in front of service provider 1 (SP1). Property mediators set the user and the resource; an Entitlement mediator obtains the policy decision from WSO2 IS; on accept the request is sent on, on reject it is dropped.]
19. Render menu items in a web app based on the logged-in user's fine-grained permissions
21. Bring a Token...
[Diagram, before: the service provider receives "Access resource R1" and must answer: does the user have permission to access R1?]
[Diagram, after: the service provider receives "Access resource R1" together with a token and checks whether R1 is authorized for the given token.]
22. But...
How does a user get a token?
How do we know if a given token has permission to access a resource?
23. OAuth 2.0
• Access is granted to authorized tokens
• Users obtain tokens from an authorization server
• Resource servers validate the authorization of a token with the authorization server
• Tokens are authorized for scopes
• Each protected resource + action has to be mapped to a scope
24. OAuth 2.0 (Ctd...)
[Diagram: the service provider receives "Read resource R1" with token T1 and asks the authorization server: is T1 authorized for R1_read?]
Resource   Action   Scope
R1         read     R1_read
R1         write    R1_write
R2         read     R2_read

Token   Scope
T1      R1_read
T2      R1_read
T3      R2_read
T3      R2_write
26. Access On Behalf of a User
E.g. A web app wants to access photos stored in PhotoServer
[Diagram: web app and PhotoServer; "Access photos in collection A"; "I need an OAuth2 token with scope "photos_A"".]
27. Access On Behalf of a User (Ctd...)
E.g. A web app wants to access photos stored in PhotoServer
[Diagram: the application developer registers the web app with PhotoServer and obtains a client ID and client secret.]
1. Register webapp
2. Generate client ID / client secret
3. Configure callback URL
4. Configure OAuth2 URLs
5. Set client ID / client secret
28. Access On Behalf of a User (Ctd...)
E.g. A web app wants to access photos stored in PhotoServer
[Diagram: web app (client ID, client secret), PhotoServer; auth code.]
29. Access On Behalf of a User (Ctd...)
E.g. A web app wants to access photos stored in PhotoServer
[Diagram: web app (client ID, client secret), PhotoServer; step 5: send token.]
30. Observations
E.g. A web app wants to access photos stored in PhotoServer
Client – the one who wants to access the resource (e.g. the web app)
User – the one who has permissions to the resource (e.g. Jane – Jane's web browser)
Resource server – the one that contains the resource (e.g. PhotoServer)
Authorization server – the one that grants access to the resource (e.g. Facebook)
33. Delegating the authorization (Ctd...)
[Diagram: web app, PhotoServer and authorization server. Step 8: validate the token for scope "photos_A"; step 9: validation response.]
Token   Scope
T1      photos_A
T2      photos_B
T3      photos_A
T3      photos_B
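The resource-server side of slides 23, 24 and 33, as an added example (not WSO2 code): the service provider maps each resource + action to a scope and asks the authorization server, which alone holds the Token/Scope table, whether the presented token is valid for that scope. The tables are the ones on slide 24; the shape of the validation response and its "active" flag are assumptions.

```python
"""OAuth 2.0 scope checks between a resource server and an authorization
server (added illustration, not WSO2 code). As on the slides, each protected
resource + action maps to a scope, tokens are authorized for scopes, and the
resource server asks the authorization server whether a token is valid for
the scope a request needs (steps 8 and 9). The validation response shape and
its 'active' flag are assumptions."""
from typing import Dict, FrozenSet, Tuple

class AuthorizationServer:
    """Holds the Token -> Scope table and answers validation requests."""
    def __init__(self, token_scopes: Dict[str, FrozenSet[str]]):
        self._token_scopes = token_scopes

    def validate(self, token: str, scope: str) -> Dict[str, bool]:
        """Step 8/9: is this token active, and does it carry this scope?
        Unknown or revoked tokens are inactive and never authorized."""
        scopes = self._token_scopes.get(token)
        if scopes is None:
            return {"active": False, "authorized": False}
        return {"active": True, "authorized": scope in scopes}

class ResourceServer:
    """Maps (resource, action) to a required scope and enforces it."""
    def __init__(self, auth_server: AuthorizationServer,
                 scope_map: Dict[Tuple[str, str], str]):
        self._as = auth_server
        self._scope_map = scope_map

    def access(self, token: str, resource: str, action: str) -> bool:
        """True only when the authorization server confirms the scope."""
        scope = self._scope_map.get((resource, action))
        if scope is None:
            return False  # unmapped resource/action: fail closed
        verdict = self._as.validate(token, scope)
        return verdict["active"] and verdict["authorized"]

# Tables taken from the slides (Resource/Action/Scope and Token/Scope).
AUTH_SERVER = AuthorizationServer({
    "T1": frozenset({"R1_read"}),
    "T2": frozenset({"R1_read"}),
    "T3": frozenset({"R2_read", "R2_write"}),
})
SERVICE_PROVIDER = ResourceServer(AUTH_SERVER, {
    ("R1", "read"): "R1_read",
    ("R1", "write"): "R1_write",
    ("R2", "read"): "R2_read",
})
```

Note that T3 carries R2_write yet cannot write R2 here, because the service provider has no scope mapped for that resource + action; an unmapped operation is refused rather than silently permitted.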
42. OAuth 2.0 is for delegated access control.
Can we extend this for authentication?
43. A Simple Approach...
Just as clients are authorized to access resources, clients can be authorized to access user data.
[Diagram: web app; "Log in"; identity server; "Read Jane's profile".]
44. OpenID Connect SSO
[Diagram: web app (client ID, secret) and identity server. 1. Log in; 3. Authenticate; 4. Auth code.]
45. OpenID Connect SSO (Ctd...)
[Diagram: web app (client ID, secret, auth code) and identity server; step 6.]
Access token: authorizes user info access
ID token: authenticates the user
46. OpenID Connect SSO (Ctd...)
[Diagram: web app and identity server; step 8 returns the user's profile:]
First name: Jane
Address: 65, Ed..
Tel: +61 93...
51. Adding Users to Many Other Parties...
[Diagram: three identity servers, for Logistics, Head office and Accounting. Add user to all Identity Servers! Each identity server holds the same entry:]
Username: saman
Password: saman123
Email: saman@wso2.com
52. Federated Provisioning
[Diagram: three identity servers, for Logistics, Head office and Accounting, each holding the same entry:]
Username: saman
Password: saman123
Email: saman@wso2.com
54. Integrating External User Stores
[Diagram: identity servers for Logistics and Head office; IS1 with its user store. 1. Access request; 2. Auth request; 3. Auth request; 4. Auth response; 5. Add user. The user entry:]
Username: jane
Password: jane123
Email: saman@wso2.com