Securing the Unsecured: Using SSO and XACML to Protect Your Web Apps


Securing the Unsecured Using SSO and XACML to Protect Web Apps

App Manager 1.0.0

Dinusha Senanayaka

WSO2 App Manager Team

Why App Manager?

◉ 100% Open Source, under Apache 2 License
◉ Policy-based Authorization
◉ Insights into App Subscriptions & Behaviors
◉ Single-Sign-On (SSO) across Web Apps
◉ Unified App Store
◉ Central App Management (web & mobile)
◉ Access Control based on Organizational User Roles

Leverages proven components of WSO2:
◉ Analytics Platform - App Usage Statistics
◉ Security offering - Authentication, Authorization, Federated Identity and SSO
◉ Enterprise Store - App Provisioning & Management

WSO2 App Manager Components


Single Sign-On between Web Apps

Pros for End Users
◉ Do not have to memorize a long list of passwords to access multiple applications

Pros for Application Developers
◉ Do not have to worry about implementing security for Web Apps
◉ Can focus only on developing the application's business logic

Pros for Administrators
◉ Do not have to manage multiple user accounts for different applications

SAML2 Web Browser based SSO Profile


Single Logout between Web Apps


Demo


Two Types of Web Apps

◉ Non-secured web apps
◉ Already secured web apps

How to manage them with App Manager?

Secure Non-secured Web Apps Using App Manager

◉ Just publish the web app in App Manager


Already secured Web Apps through App Manager

◉ Some modifications need to be done on the web app
◉ Could use the JWT token or the SAML response to identify the user inside the web app

JWT and SAML Token Headers

◉ Ways of sending authenticated user details to the backend
◉ The web app can process either the JWT (JSON) header or the SAML Response (XML) header to get the user details

JWT / SAML Response

{
  "iss": "wso2.org/products/am",
  "exp": 1435218328463,
  "Subject": "[email protected]",
  "http://wso2.org/claims/card_holder": "beth",
  "http://wso2.org/claims/card_number": "45678563456986",
  "http://wso2.org/claims/emailaddress": "[email protected]",
  "http://wso2.org/claims/expiration_date": "2020-12-20",
  "http://wso2.org/claims/givenname": "Beth",
  "http://wso2.org/claims/lastname": "Carder",
  "http://wso2.org/claims/organization": "WSO2",
  "http://wso2.org/claims/role": "Internal/private_beth-AT-wso2.com,Internal/subscriber,Internal/store-admin,Internal/everyone,SALES",
  "http://wso2.org/claims/streetaddress": "Califonia",
  "http://wso2.org/claims/telephone": "877 309 2070",
  "http://wso2.org/claims/zipcode": "0789",
  "http://wso2.org/ffid": "34567"
}

JWT / SAML Response

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="http://ec2-54-84-233-242.compute-1.amazonaws.com:8280/plan-trip/1.0.0/"
    ID="aipcfpjgmlffcbhcdnapgkdncjdcjdbkalkmejpe" InResponseTo="0"
    IssueInstant="2015-06-25T07:30:28.203Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">appm</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="ifghfahaljakniomfjeelcknnpaopmjbagonchak" IssueInstant="2015-06-25T07:30:28.203Z" Version="2.0">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">appm</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2015-06-25T07:35:28.203Z"
            Recipient="http://ec2-54-84-233-242.compute-1.amazonaws.com:8280/plan-trip/1.0.0/"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2015-06-25T07:30:28.203Z" NotOnOrAfter="2015-06-25T07:35:28.203Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>PlanYourTrip-1.0.0</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2015-06-25T07:30:28.203Z" SessionIndex="550a41fc-ba6a-4dff-bc58-7ec11ed6d0d3">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="http://wso2.org/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Internal/private_beth-AT-wso2.com,Internal/subscriber,Internal/store-admin,Internal/everyone,SALES</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>

Sample Code Snippet to Identify User from JWT Header

// Jaggery (server-side JavaScript) snippet. The App Manager gateway adds the
// X-JWT-Assertion header after authenticating the user, so the web app should
// be reachable only through the gateway for this header to be trustworthy.
var header = request.getHeader("X-JWT-Assertion");

// Create Base64 Object
var Base64 = require('../modules/base64.js');

if (header != null) {
    var jwtAssertions = header.split("."); // JWT by default contains three '.' separated sections: header, payload, signature
    var jsonString = Base64.decode(jwtAssertions[1]); // the payload section carries the claims
    // Shorten the claim URIs used as keys before parsing (each appears once in the payload)
    jsonString = jsonString.replace("http://wso2.org/claims/emailaddress", "email");
    jsonString = jsonString.replace("http://wso2.org/claims/role", "roles");
    var obj = parse(jsonString);
    var email = obj.email;
    // Roles arrive as one comma-separated string; split it so the check below matches whole
    // role names (indexOf on the raw string would also match "Internal/store-admin" for "admin")
    var roles = obj.roles.split(",");
    if (roles.indexOf("admin") != -1) {
        session.put("user", {"mail": email, "admin": true});
    } else {
        session.put("user", {"mail": email, "admin": false});
    }
}

var user = session.get("user");
if (user == null) {
    response.sendRedirect(baseAt + "/login.jag"); // baseAt: base URL of the app, defined elsewhere
} else if (user.admin) {
    // admin-only handling goes here (omitted on the slide)
}

Federated Authentication for Web Apps


◉ Authentication: SAML2 SSO
◉ Authorization: ?

XACML: eXtensible Access Control Markup Language

XACML Reference Architecture

How Does App Manager Enforce XACML Evaluation for Web Apps?

XACML Policy Editor in App Manager


Demo


Summary

◉ How App Manager provides security (SSO) for Web Apps
  ◉ Non-secured web apps
  ◉ Already secured web apps
◉ Federated Authentication for web apps using App Manager
◉ Fine-grained authorization to web app resources using XACML