Posts

Showing posts from September, 2014

OPA for HTTP Authorization

Open Policy Agent[1] is a promising, light weight and very generic policy engine to govern authorization is any type of domain. I found this comparion[2] very attractive in evaluating OPA for a project I am currently working on, where they demonstrate how OPA can cater same functionality defined in RBAC, RBAC with Seperation of Duty, ABAC and XACML.  
Here are the steps to a brief demonstration of OPA used for HTTP API authorization based on the sample [3], taking it another level up.
Running OPA Server First we need to download OPA from [4], based on the operating system we are running on.  For linux, curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/v0.10.3/opa_linux_amd64 Make it executable, chmod 755 ./opa Once done, we can start OPA policy engine as a server.
./opa run --server Define Data and Rules Next we need to load data and authorization rules to the server, so it can make decisions. OPA defines these in files in the format of .rego. Below is a sample …

Leveraging federation capabilities of Identity Server for API gateway - Configuration Details

Image
With this post I am to share the steps of a popular solution using WSO2 Identity Server and WSO2 API Manager. Following diagram will give an initial insight on this solution. Overview


1.  Webapp that requires single sign on(SSO) facility with some other applications. 
                - To achieve this we are using WSO2 Identity Server(IS) as the Identity Provider(IDP). 
2.  Webapp needs to consume some APIs secured with OAuth tokens.                  - To expose the APIs secured with OAuth tokens we are using WSO2 API Manager(AM) here.
                - Since we already have the SAML Response received at SSO step, SAML2 Bearer grant type is ideal to use at this scenario to request an OAuth token to access the required APIs.                 - Allowing AM to properly issue an OAuth token in this scenario, we add IS as a trusted IDP in AM.
3.  Webapp requires to allow users registered in another IDP like Facebook or Google to be able to login with SSO functionality.                  - With mini…

How to write a Custom SAML SSO Assertion Signer for WSO2 Identity Server

This is the 3rd post I am writing to explain the use of extension points in WSO2 Identity Server. WSO2 Identity Server has so many such extension points which are easily configurable and arm the server with lot of flexibility. With this, we can support so many domain specific requirements with minimum efforts. Firstly I have shared the usage and steps of writing a custom user store manager. Secondly a custom claim handler which is also related with SAML SSO Response. Now this third post deals with writing a custom SAML SSO Assertion signer. What we can customize? Credentials used to sign the SAML Assertion (The private key)Signing AlgorithmThis sample can be extended to customize how we sign the SAML Response and validate the signature as well. How? We have to write a class extending  The class 'org.wso2.carbon.identity.sso.saml.builders.signature.DefaultSSOSigner' or Implementing, The interface 'org.wso2.carbon.identity.sso.saml.builders.signature.SSOSigner' Needs to ove…