Securing the Unsecured: Using SSO and XACML to Protect Your Web Apps

App Manager 1.0.0

Dinusha Senanayaka, WSO2 App Manager Team

Upload: wso2

Post on 02-Aug-2015

TRANSCRIPT


Why App Manager?

2

◉ 100% Open Source, under Apache 2 License
◉ Policy-based Authorization
◉ Insights into App Subscriptions & Behaviors
◉ Single-Sign-On (SSO) across Web Apps
◉ Unified App Store
◉ Central App Management (web & mobile)
◉ Access Control based on Organizational User Roles

Leverages proven components of WSO2:
- Analytics Platform - App Usage Statistics
- Security offering - Authentication, Authorization, Federated Identity and SSO
- Enterprise Store - App Provisioning & Management

WSO2 App Manager Components

3

Single Sign-On between Web Apps

Pros for End Users
◉ Do not have to memorize a long list of passwords to access multiple applications

Pros for Application Developers
◉ Do not have to worry about implementing security for Web Apps
◉ Can focus only on developing the application's business logic

Pros for Administrators
◉ Do not have to manage multiple user accounts for different applications

4

SAML2 Web Browser based SSO Profile

5

Single Logout between Web Apps

6

Demo

7

Two Types of Web Apps

◉ Non-secured web apps
◉ Already secured web apps

How to manage them with App Manager?

8

Secure Non-secured Web Apps Using App Manager

◉ Just publish the web app in App Manager

9

Already Secured Web Apps through App Manager

◉ Some modifications need to be made to the web app
◉ Could use the JWT token or the SAML response to identify the user inside the web app

10

JWT and SAML Token Headers

◉ Ways of sending authenticated user details to the backend
◉ The web app can process either the JWT (JSON) header or the SAML Response (XML) header to get user details

11

JWT / SAML Response

{
  "iss": "wso2.org/products/am",
  "exp": 1435218328463,
  "Subject": "[email protected]",
  "http://wso2.org/claims/card_holder": "beth",
  "http://wso2.org/claims/card_number": "45678563456986",
  "http://wso2.org/claims/emailaddress": "[email protected]",
  "http://wso2.org/claims/expiration_date": "2020-12-20",
  "http://wso2.org/claims/givenname": "Beth",
  "http://wso2.org/claims/lastname": "Carder",
  "http://wso2.org/claims/organization": "WSO2",
  "http://wso2.org/claims/role": "Internal/private_beth-AT-wso2.com,Internal/subscriber,Internal/store-admin,Internal/everyone,SALES",
  "http://wso2.org/claims/streetaddress": "Califonia",
  "http://wso2.org/claims/telephone": "877 309 2070",
  "http://wso2.org/claims/zipcode": "0789",
  "http://wso2.org/ffid": "34567"
}

12

JWT / SAML Response

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="http://ec2-54-84-233-242.compute-1.amazonaws.com:8280/plan-trip/1.0.0/"
                 ID="aipcfpjgmlffcbhcdnapgkdncjdcjdbkalkmejpe" InResponseTo="0"
                 IssueInstant="2015-06-25T07:30:28.203Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">appm</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                   ID="ifghfahaljakniomfjeelcknnpaopmjbagonchak"
                   IssueInstant="2015-06-25T07:30:28.203Z" Version="2.0">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">appm</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2015-06-25T07:35:28.203Z"
                                       Recipient="http://ec2-54-84-233-242.compute-1.amazonaws.com:8280/plan-trip/1.0.0/"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2015-06-25T07:30:28.203Z" NotOnOrAfter="2015-06-25T07:35:28.203Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>PlanYourTrip-1.0.0</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2015-06-25T07:30:28.203Z" SessionIndex="550a41fc-ba6a-4dff-bc58-7ec11ed6d0d3">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="http://wso2.org/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string">Internal/private_beth-AT-wso2.com,Internal/subscriber,Internal/store-admin,Internal/everyone,SALES</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>

13

Sample Code Snippet to Identify User from JWT Header

var header = request.getHeader("X-JWT-Assertion");

// Create Base64 Object
var Base64 = require('../modules/base64.js');

if (header != null) {
    var jwtAssertions = header.split("."); // a JWT has three '.'-separated sections: header, payload, signature
    var jsonString = Base64.decode(jwtAssertions[1]); // the second section carries the claims
    // Shorten the WSO2 claim URIs to plain property names before parsing
    jsonString = jsonString.replace("http://wso2.org/claims/emailaddress", "email");
    jsonString = jsonString.replace("http://wso2.org/claims/role", "roles");
    var obj = parse(jsonString); // Jaggery's global parse() turns the JSON text into an object
    var email = obj.email;
    var roles = obj.roles; // comma-separated list of role names, as one string
    // Note: indexOf is a substring match, so any role containing "admin" (e.g. Internal/store-admin) qualifies
    if (roles.indexOf("admin") != -1) {
        session.put("user", {"mail": email, "admin": true});
    } else {
        session.put("user", {"mail": email, "admin": false});
    }
}

var user = session.get("user");
if (user == null) {
    response.sendRedirect(baseAt + "/login.jag"); // baseAt: the app's base URL, defined elsewhere in the app
} else if (user.admin) {
    // admin-only handling (body not shown on the slide)
}

14

Federated Authentication for Web Apps

15

◉ Authentication: SAML2 SSO
◉ Authorization: ?

16

XACML: eXtensible Access Control Markup Language

XACML Reference Architecture

17

How Does App Manager Enforce XACML Evaluation for Web Apps?

18

XACML Policy Editor in App Manager

19

Demo

20

Summary

◉ How App Manager provides security (SSO) for Web Apps
◉ Non-secured web apps
◉ Already secured web apps
◉ Federated Authentication for web apps using App Manager
◉ Fine-grained authorization to web app resources using XACML

21