SAP hybris Knowledge Transfer Sessions: User Account Management
Joe Huang [email protected]

Page 1: SAP hybris - User Account Management (title slide)

Page 2: (no text extracted from this slide)

Page 3: Single Sign On - Overview

• SP – Service Provider
• IDP – Identity Provider
• TAI – Trust Assertion Interceptor

[Diagram: SP, IDP and TAI components]

Page 4: SSO Integration

• The user accesses a front-end application.
• The application redirects the user to the IdP, and the user authenticates to the IdP.
• The IdP redirects the user to the Assertion Consumer Service (ACS) of the SP, sending the Security Assertion (SA) response over HTTP POST inside a hidden form.
• The SP processes the SA response and creates a security context.
• The ACS adds a security cookie to the HTTP response and redirects the request to the web resource or business application.
• The SP intercepts the request in the TAI, maps the security cookie to the security context, and authorizes user access to the requested web resource.
• The application sends the HTTP response back to the user.
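The Python model below is an added example, not code from the slides or from hybris. It walks the flow above with both sides' messages and shows the checks an ACS must pass before it mints the security cookie (signature, Audience, InResponseTo, validity window) and what the TAI cookie-to-context lookup looks like. The dict-shaped messages, the HMAC that stands in for the XML-DSig signature on a real SAML Response, the SP entity id and the user directory are all constructed assumptions.

```python
"""Model of the SP / IdP / TAI login flow from the slide (added example).

Messages are plain dicts and 'signature' is an HMAC over the assertion with a
constructed shared key; a real SP verifies the XML-DSig signature on the SAML
Response against the IdP certificate instead.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

IDP_SIGNING_KEY = b"constructed-idp-signing-key"   # stand-in for the IdP key pair
SP_ENTITY_ID = "https://shop.example.test/sp"       # assumed SP entity id


def sign(assertion: Dict[str, str]) -> str:
    body = "|".join(f"{k}={assertion[k]}" for k in sorted(assertion))
    return hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, directory: Dict[str, Dict[str, str]]):
        self.directory = directory   # constructed: uid -> {"password", "groups"}

    def authenticate(self, authn_request: Dict[str, str], uid: str,
                     password: str, now: float) -> Optional[Dict]:
        account = self.directory.get(uid)
        if account is None or account["password"] != password:
            return None
        assertion = {
            "NameID": uid,
            "groups": account["groups"],
            "Audience": authn_request["Issuer"],      # only this SP may consume it
            "InResponseTo": authn_request["ID"],      # ties it to one AuthnRequest
            "NotOnOrAfter": str(now + 300),           # five-minute validity window
        }
        return {"assertion": assertion, "signature": sign(assertion)}


class ServiceProvider:
    def __init__(self):
        self.pending: Dict[str, bool] = {}   # outstanding AuthnRequest ids
        self.sessions: Dict[str, Dict] = {}  # security cookie -> security context

    def start_login(self) -> Dict[str, str]:
        """Step 2: redirect to the IdP with a fresh, unpredictable request id."""
        req_id = "_" + secrets.token_hex(16)
        self.pending[req_id] = True
        return {"ID": req_id, "Issuer": SP_ENTITY_ID}

    def acs(self, response: Dict, now: float) -> Optional[str]:
        """Steps 3-5: validate the POSTed response; only if every check passes
        create the security context and return the security cookie."""
        assertion = response["assertion"]
        if not hmac.compare_digest(sign(assertion), response["signature"]):
            return None                                   # tampered or forged
        if assertion["Audience"] != SP_ENTITY_ID:
            return None                                   # issued for another SP
        if not self.pending.pop(assertion["InResponseTo"], False):
            return None                                   # unsolicited or replayed
        if now >= float(assertion["NotOnOrAfter"]):
            return None                                   # expired
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"user": assertion["NameID"],
                                 "groups": assertion["groups"].split(",")}
        return cookie

    def tai(self, cookie: Optional[str]) -> Optional[Dict]:
        """Step 6: the Trust Assertion Interceptor maps the cookie back to the
        context; authorizing that context is still the application's job."""
        return self.sessions.get(cookie) if cookie else None


def demo() -> Dict[str, Optional[Dict]]:
    """One valid login plus four responses the ACS must reject."""
    now = 1_700_000_000.0   # fixed clock so the run is deterministic
    idp = IdentityProvider({"jdoe": {"password": "pw", "groups": "customergroup"}})
    sp = ServiceProvider()
    out: Dict[str, Optional[Dict]] = {}

    req = sp.start_login()
    resp = idp.authenticate(req, "jdoe", "pw", now)
    out["context"] = sp.tai(sp.acs(resp, now))            # happy path
    out["replay"] = sp.tai(sp.acs(resp, now))             # same response POSTed twice
    forged = {"assertion": dict(resp["assertion"], NameID="admin"),
              "signature": resp["signature"]}
    out["forged"] = sp.tai(sp.acs(forged, now))           # NameID swapped, stale signature
    late = idp.authenticate(sp.start_login(), "jdoe", "pw", now)
    out["expired"] = sp.tai(sp.acs(late, now + 301))      # past NotOnOrAfter
    unsolicited = idp.authenticate({"ID": "_not-ours", "Issuer": SP_ENTITY_ID},
                                   "jdoe", "pw", now)
    out["unsolicited"] = sp.tai(sp.acs(unsolicited, now)) # InResponseTo never issued
    return out


if __name__ == "__main__":
    for name, context in demo().items():
        print(f"{name}: {context}")
```

Running demo() yields one security context (for jdoe) and four rejections. The cookie only proves who authenticated; which groups may reach a given resource is still decided by the role concept, as the next slide states.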

Page 5: Single Sign-On (SSO) Considerations

• SSO between web applications
• SSO between cockpits
• The SSO cookie is only used for processing the authentication. The related authorization should be realized by implementing a proper role concept.

Page 6: Using Single Sign-On in Cockpits

• Update spring-security-config.xml to include rememberMeServices.
• A new SSO cookie is created when the user logs in.
• The SSO cookie is used to authenticate the user when redirected to any other cockpit.
• When a user explicitly logs out of an SSO-aware cockpit, the SSO cookie is removed.
• See https://wiki.hybris.com/display/release5/How+To+Use+SSO+in+hybris+Cockpits for detailed information.

Page 7: Enable Single Sign-On for hybris

• Single Sign-On can be implemented in several different ways.
• Single Sign-On can be implemented at different layers.
• SAML Single Sign-On is the variant supported by the samlsinglesignon extension.

Follow this training trail to set up SAML Single Sign-On:
https://wiki.hybris.com/display/R5T/hybris+5+Developer+Training+Trails+-+SAML+Single+Sign+On

Page 8: Create User / User Group

• In hMC or Backoffice

Page 9: User Group & Role

• In hybris, user roles are best represented in the form of user groups.
• Roles are represented by UserGroup entries in the database.
• UserGroup types are similar to the User types: both extend the Principal type. What does that mean?
• User groups are containers that hold users and user groups.
• It is not possible to remove the system user group.

Page 10: User Group Hierarchy

[Diagram only]

Page 11: User Group Purpose

• Roles
• Permission Management
• Marketing Targeting
• Different Access
• Cockpit Customization
• Catalog Visibility

Page 12: User, User Group, Permission

• User and User Group = Principal
• Permission = Access Right
• System accounts can NOT be modified or deleted:
  employee: admin; customer: anonymous; usergroup: admingroup
• Recommendation: review all factory-default employee accounts and disable those that are not needed on QA and PROD environments.

Page 13: Permission – What is it? What does it do?

• Permission is an abstract concept.
• Permissions define access rights; however, permissions do NOT automatically restrict access. Why?
• Permissions can specify a detailed level of access to a type, an item and its attributes.
• Permissions can be granted/assigned to a user or a user group.

Page 14: Permission Scope

• Global Permissions – assigned to a principal, not related to any type, item or attribute
• Type Permissions
• Item Permissions
• Attribute Permissions

Page 15: Type-Based Access Rights - Overview

• Access rights for hybris types and their attributes
• Access is granted to individual users and/or user groups
• They affect the entire type, not individual items
• They can also affect individual type attributes

Page 16: Custom Access Rights - Overview

• Allows defining very fine-grained access control.
• You may define your own permission types.
• You can grant or deny permissions on item instances.
• However, don't overuse it: managing and checking permissions on item level can be expensive when a huge number of items is involved. If possible, use type-based permissions together with restrictions.
• The exposed API allows checking of both item and type permissions.

Page 17: Access Right Importing

• Type access configuration can be imported by ImpEx:
  https://wiki.hybris.com/display/release5/ImpEx+API#ImpExAPI-UserRights

  $START_USERRIGHTS
  Type;UID;MemberOfGroups;Password;Target;read;change;create;remove;change_perm
  UserGroup;productManagerGroup;;;;;;;;
  # Access Rights for Products & Catalog;;;;;;;;;
  ;;;;Product;+;+;+;+;+
  ;;;;Product.ean;+;-;-;-;-
  ;;;;Catalog;+;;;;
  ;;;;Media;+;+;+;+;+
  $END_USERRIGHTS

• The principal row sets Type, UID and MemberOfGroups; the rows that follow leave Type/UID empty and name the Target, either a type (Product) or a single attribute (Product.ean). A "+" grants the flag, a "-" denies it, and an empty cell leaves it unassigned for that principal.

Page 18: API CRUD example

• Permissions are created through ImpEx or the permission services API:
  PermissionManagementService – void createPermission(String permissionName);
  e.g.: permissionManagementService.createPermission("MY_PERMISSION");
• For typical CRUD permission checking use PermissionCRUDService, a wrapper over PermissionCheckingService.

Page 19: Assign / Revoke Permission

• In hMC or Backoffice

Page 20: Group Hierarchy User Account Access

[Diagram: UserGroup UG_AZ, UserGroup UG_FED, UserGroup UG_PHX, User U1, User U2]

Page 21: Member of Multiple Groups

[Diagram: User U1 is a member of both UserGroup UG1 and UserGroup UG2]

Page 22: Permission Effective Priority

• The closest permission in the group hierarchy takes effect.
• The most general assignment has the lowest priority; the most specific assignment has the highest priority.
• A permission assigned to a user overrides the permission assigned to a user group the user belongs to.
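The parser and resolver below are an added example in Python, not hybris code. parse_userrights reads the $START_USERRIGHTS format shown on page 17, and effective() applies the priority rules of this slide (an assignment on the user beats its groups, a closer group beats a farther one) over a constructed ImpEx sample. The groups productManagerGroup/productReadOnlyGroup and the employee alice are invented for the example, and the rule that a denial wins when two groups at the same distance disagree is this example's assumption; check how PermissionCheckingService resolves that case in your version before relying on it.

```python
"""Parse a $START_USERRIGHTS ImpEx block and resolve effective permissions
through the group hierarchy (added example in Python, not hybris code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed ImpEx sample: a manager group, a read-only child group that
# overrides it with denials, and an employee whose user-level grant overrides
# the group-level denial. None of these principals exist out of the box.
IMPEX = """\
$START_USERRIGHTS
Type;UID;MemberOfGroups;Password;Target;read;change;create;remove;change_perm
# Access Rights for Products & Catalog;;;;;;;;;
UserGroup;productManagerGroup;;;;;;;;
;;;;Product;+;+;+;+;+
;;;;Product.ean;+;-;-;-;-
;;;;Catalog;+;;;;
UserGroup;productReadOnlyGroup;productManagerGroup;;;;;;;
;;;;Product;+;-;-;-;-
Employee;alice;productReadOnlyGroup;;;;;;;
;;;;Product;;+;;;
$END_USERRIGHTS
"""

FLAG = {"+": True, "-": False}   # empty cell -> None (flag not assigned here)


@dataclass
class Principal:
    type: str
    groups: List[str]                                        # MemberOfGroups
    rights: Dict[str, Dict[str, Optional[bool]]] = field(default_factory=dict)


def parse_userrights(text: str) -> Dict[str, Principal]:
    """Principal rows carry Type;UID;MemberOfGroups; the rows that follow leave
    Type/UID empty and set flags for one Target (a type or Type.attribute)."""
    principals: Dict[str, Principal] = {}
    perms: List[str] = []
    current: Optional[Principal] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#$":           # comments and $START/$END markers
            continue
        cells = [c.strip() for c in line.split(";")]
        if cells[0] == "Type":                    # header: permission columns start at 5
            perms = cells[5:]
            continue
        if cells[0]:                              # principal row
            current = Principal(cells[0], [g for g in cells[2].split(",") if g])
            principals[cells[1]] = current
            continue
        if current is None or not cells[4]:
            raise ValueError(f"rights row without a principal or target: {raw!r}")
        flags = cells[5:5 + len(perms)]
        flags += [""] * (len(perms) - len(flags))
        current.rights[cells[4]] = {p: FLAG.get(f) for p, f in zip(perms, flags)}
    return principals


def effective(principals: Dict[str, Principal], uid: str, target: str,
              perm: str, deny_wins_on_tie: bool = True) -> Optional[bool]:
    """Closest explicit assignment wins: the principal itself (distance 0)
    beats its direct groups (distance 1), which beat their parents, and so on.
    Two groups at the same distance with conflicting flags are not settled by
    the slide; deny-wins is this example's assumption. None = assigned nowhere."""
    frontier, seen = [uid], {uid}
    while frontier:
        verdicts = [principals[p].rights.get(target, {}).get(perm)
                    for p in frontier if p in principals]
        verdicts = [v for v in verdicts if v is not None]
        if verdicts:
            return all(verdicts) if deny_wins_on_tie else any(verdicts)
        nxt: List[str] = []
        for p in frontier:
            for g in (principals[p].groups if p in principals else []):
                if g not in seen:
                    seen.add(g)
                    nxt.append(g)
        frontier = nxt
    return None


def can(principals: Dict[str, Principal], uid: str, target: str, perm: str) -> bool:
    """Permissions are not enforced automatically: code that touches the type
    must ask. 'Assigned nowhere' is treated as denied, not as allowed."""
    return effective(principals, uid, target, perm) is True


if __name__ == "__main__":
    rights = parse_userrights(IMPEX)
    for target, perm in [("Product", "read"), ("Product", "change"),
                         ("Product", "create"), ("Product.ean", "change"),
                         ("Catalog", "read"), ("Catalog", "change")]:
        print(f"alice {target}.{perm}: {effective(rights, 'alice', target, perm)}")
```

For alice the walk gives Product.change = True (her own grant, distance 0), Product.create = False (the read-only group's denial at distance 1 beats the manager group's grant at distance 2), Catalog.read = True (inherited two levels up) and Catalog.change = None, which can() reports as not allowed.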

Page 23: Permission Best Practices & Tips

• Grant permissions at group level where possible.
• Avoid using denials where possible. Why?
• Avoid granting/denying permissions at user level where possible.
• Design your permission schema and keep it simple.
• Define custom permissions for custom functionality.
• Document all custom-defined permissions and where each is used.
• Permissions are not automatically enforced; your code does the job.

Page 24: User Group Best Practices

• Design your group hierarchy cleanly and keep it simple.
• Separate functionality into different groups based on role, or so that groups can be reused.
• Match the groups as closely as possible to real-world functional roles.
• Add a user/group to different groups for different roles instead of creating a new group, if possible.

Page 25: hMC Access Levels

• There is a list of OOTB employee accounts and user groups with different levels of hMC access.
• Review those accounts and user groups and manage them per your business needs.
• https://help.hybris.com/6.1.0/hcd/8c24121386691014b925a250976f2851.html

Page 26: Group Based Marketing

• Segment customers into different groups
• Use segmentation for personalizing the content
• Target group-based marketing:
  - BTG (Behavioral Targeting Groups)
  - BTGCockpit
  - SAP hybris Marketing
  - C4C

Page 27: URL Access Control

• Defines who has access to a certain URL or URL pattern.
• Defined in spring-security-config.xml, for example:
  <security:intercept-url pattern="/my-account*" access="hasRole('ROLE_CUSTOMERGROUP')" />
• A role name in a Spring Security file is the concatenation of ROLE_ and the UserGroup.uid of the given user group stored in the database.
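The Python model below is an added example, not code from the slides or from Spring Security. It derives authorities the way the slide describes (ROLE_ plus the upper-cased group uid, assumed here to include groups reached transitively; confirm that against the authentication provider in your spring-security-config.xml), evaluates a list of intercept-url rules in declaration order with first match wins, and shows two things worth checking in a real configuration: the slide's pattern /my-account* does not cover /my-account/orders, because a single * stays inside one path segment, and a URL that no rule matches is let through by FilterSecurityInterceptor by default (rejectPublicInvocations is false), so a catch-all rule is needed. The group membership, user names and extra paths are constructed.

```python
"""Spring Security intercept-url evaluation with hybris role naming
(added example; a model of the rule semantics, not Spring's own code)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed membership: principal uid -> groups it is directly a member of.
MEMBER_OF: Dict[str, List[str]] = {
    "jdoe": ["customergroup"],
    "mwong": ["storemanagergroup"],
    "storemanagergroup": ["employeegroup"],
}


def authorities(uid: str) -> Set[str]:
    """ROLE_ + upper-cased UserGroup.uid for every group reached transitively.
    Assumption: the provider grants parent groups too; verify in your setup."""
    roles: Set[str] = set()
    todo = list(MEMBER_OF.get(uid, []))
    while todo:
        g = todo.pop()
        role = f"ROLE_{g.upper()}"
        if role not in roles:
            roles.add(role)
            todo.extend(MEMBER_OF.get(g, []))
    return roles


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Minimal Ant-style matcher: '*' stays inside one path segment, '**' spans segments."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def allowed(access: str, roles: Set[str]) -> bool:
    """Supports permitAll, denyAll, hasRole('X') and hasAnyRole('X','Y')."""
    if access == "permitAll":
        return True
    if access == "denyAll":
        return False
    m = re.fullmatch(r"(hasRole|hasAnyRole)\((.*)\)", access)
    if not m:
        raise ValueError(f"unsupported access expression: {access}")
    wanted = re.findall(r"'([^']+)'", m.group(2))
    return any(r in roles for r in wanted)


def decide(rules: List[Tuple[str, str]], path: str,
           roles: Set[str]) -> Tuple[bool, Optional[str]]:
    """Rules are evaluated in declaration order; the first matching pattern
    decides. A path no pattern matches is NOT protected: the interceptor lets
    it through unless rejectPublicInvocations is set, hence (True, None)."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return allowed(access, roles), pattern
    return True, None


# The slide's rule on its own, and a hardened chain: deeper paths covered,
# the specific patterns before the catch-all, and a catch-all at the end.
SLIDE_RULES = [("/my-account*", "hasRole('ROLE_CUSTOMERGROUP')")]
HARDENED_RULES = [
    ("/my-account/**", "hasRole('ROLE_CUSTOMERGROUP')"),
    ("/my-account*", "hasRole('ROLE_CUSTOMERGROUP')"),
    ("/backoffice/**", "hasRole('ROLE_EMPLOYEEGROUP')"),
    ("/**", "permitAll"),
]

if __name__ == "__main__":
    anonymous: Set[str] = set()
    for rules, label in [(SLIDE_RULES, "slide"), (HARDENED_RULES, "hardened")]:
        for path in ["/my-account", "/my-account/orders", "/backoffice/login"]:
            print(label, path, "anonymous ->", decide(rules, path, anonymous),
                  "| jdoe ->", decide(rules, path, authorities("jdoe")))
```

With only the slide's rule, an anonymous request to /my-account/orders comes back (True, None): nothing matched, so nothing was enforced. The hardened chain returns (False, "/my-account/**") for the same request, and reversing it so that /** permitAll comes first opens every path, which is the ordering mistake to look for in a review.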

Page 28: Restrictions

Restrictions are rules obeyed by FlexibleSearch which limit search results depending on which type is searched and which user is currently logged in.

Where they apply:
• In FlexibleSearch only. They do not affect users in admingroup.
• They do not affect external search engines such as Lucene.

https://help.hybris.com/6.1.0/hcd/8c428f8286691014970ceee87aa01605.html

Page 29: Restrictions in Cockpits

• In cockpits, restrictions are disabled by default.
• To enable restrictions in the cockpit search box:
  cockpit.disableRestrictions=false

Page 30: Create Restriction

• A restriction can be created in the following ways:
  - hybris Commerce API
  - hybris Management Console
  - ImpEx

Page 31: Question & Answer

Further questions, or need a private session? Ask [email protected]