OPA for HTTP Authorization

Open Policy Agent[1] is a promising, light weight and very generic policy engine to govern authorization is any type of domain. I found this comparion[2] very attractive in evaluating OPA for a project I am currently working on, where they demonstrate how OPA can cater same functionality defined in RBAC, RBAC with Seperation of Duty, ABAC and XACML.  
Here are the steps to a brief demonstration of OPA used for HTTP API authorization based on the sample [3], taking it another level up.
Running OPA Server First we need to download OPA from [4], based on the operating system we are running on.  For linux, curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/v0.10.3/opa_linux_amd64 Make it executable, chmod 755 ./opa Once done, we can start OPA policy engine as a server.
./opa run --server Define Data and Rules Next we need to load data and authorization rules to the server, so it can make decisions. OPA defines these in files in the format of .rego. Below is a sample …

WSO2 Identity Server - Extension Points - Part 1 - SAML

This is the first post of a series of post to come, to serve as a catalog of extension points available within WSO2 Identity Server as of IS 5.1.0 version which is to be released soon. Most of them are available in 5.0.0 version as well. We have quite a lot of flexibility provided for the users to shape Identity Server to serve exactly what they require via these extension points.

There are 2 types of extensions available in WSO2 Identity Server as of now. Most of these require a restart of the server in order to be effective, but can be configured dynamically without a restart of the server. Few of the extensions like UI theming can be made without a server restart.
  • Drop the extension developed as an OSGI bundle, followed by a server restart,  configure it dynamically
      • eg: custom user store managers
  • Drop the extension developed as a Java component, configure in a configuration file, then restart the server. Configure it dynamically via the UI.
      • eg: custom authenticators

Files Used for Configurations

  1. The configuration files for these extensions are located at <IS_HOME>/repository/conf folder. 
  2. Most of the configurations specific to identity server resides identity/identity.xml within this folder. 
  3. Configurations relevant to federation scenarios(authentication framework) resides at identity/application-authentication.xml file. 
  4. Identity management related configurations resides at identity/identity-mgt.properties file. 
  5. Entitlement(XACML) related configurations resides at identity/entitlement.properties file.
    Apart from above we have multiple listeners and UI modifications allowed for branding purposes.
Note: Though the extension points are available to cater for variety of enterprise needs, this introduces a maintenance overhead in long term. If these are valid generic scenarios we will be merging these to product itself, otherwise these extensions needs to be maintained at major upgrades if there is any API change or improvements done at interfaces.

First our attention is for SAML based scenario as that is a widely used standard on Single Sign On.

Please find a list of available extension points related to this scenario below.

All the implementation using following extension point needs to be configured at <IS_HOME>/repository/conf/identity/identity.xml file under the element ‘SSOService’.

  1. Custom SSO Signer


When we want to change the way we sign/validate the SAML Response or Assertion. If this is just changing the algorithms default UI configurations are available without going for this extension.




Default Implementation:


  1. Custom SSO encryption


When we want to change the way we encrypt the SAML assertion in local



Default Implementation:


  1. SAMLAssertionBuilder


This extension point can control how the SAML assertion it built. Intend use of the extension point is put the given inputs in the SAML assertion format as preferred. This extension point gives full control over what is there in SAML assertion.  



Default Implementation:


  1. SAML2HTTPRedirectSignatureValidator


Can be used to differentiate(deflating, encoding etc.) on how the signature is validated at SAML HTTP redirect binding.



Default Implementation:


  1. ResponseBuilder


This extension point provides the full control over the SAML Responses built to sent over to replyingparties



Default Implementation:


 If there are any other use cases or samples you have found useful around WSO2 Identity Server SAML implementation, you are most welcome to add them here, for the benefit of all. Thanks!

The second post is available at OAuth - Extension Points Part 2 - WSO2 Identity Server on the extension points in WSO2 Identity Server related to OAuth2.0.


Popular posts from this blog

Signing SOAP Messages - Generation of Enveloped XML Signatures

How to send an HTML email in Java (Using Google SMTP Server)

How to convert WSDL to Java