Pushpalanka's Blog - Develop technologies. Feel the power of human imagination.
JVM Garbage Collection and Optimizations (Pushpalanka, 2020-04-28)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
<h2>
Overview </h2>
When troubleshooting systems for performance-related issues, memory optimization is an area that needs a deep analysis of what each system stores in memory, how long it is stored, and the access patterns. This post keeps a note of the background information and the points worth noting in such an effort, specific to Java-based implementations, since a deep understanding of JVM behaviour is very beneficial in the process.<br />
<br />
The Java language provides much convenience to developers by taking care of memory management to a great extent, letting the focus stay on the rest of the logic. Still, a good understanding of how Java does this underneath rationalizes several best practices we follow in Java implementations, helps us design programs better, and makes us think seriously about aspects that can later lead to memory leaks and affect system stability in the long run. The Java Garbage Collector has a big role in this, being responsible for freeing up memory by removing memory garbage.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<h2>
<b> JVM</b></h2>
</div>
<div style="text-align: justify;">
This information is widely available, yet I am summarizing here for reference in one place. :)</div>
<div style="text-align: justify;">
The JVM enables Java code to run in a hardware- and OS-independent manner. It operates on the memory allocated to its own process by the OS, acting as another abstraction of a physical machine.</div>
<div style="text-align: justify;">
JVMs can be implemented based on the open standard published at [1]; widely known implementations being the Oracle HotSpot JVM, its almost identical open-source counterpart OpenJDK, IBM J9, JRockit, and the Dalvik VM used in the Android OS with some deviations.</div>
<div style="text-align: justify;">
In brief, the JVM loads and executes compiled Java byte code using the resources allocated to it by the platform it runs on.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<h2>
<b>JVM Structure</b></h2>
</div>
<div style="text-align: justify;">
<h3>
ClassLoaders</h3>
Class loaders load the byte code into JVM memory in three phases: load, link (verify, prepare, resolve; a failure here surfaces as a NoClassDefFoundError) and initialize. There are three kinds: bootstrap class loaders, extension class loaders and application class loaders.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<h3>
Memory and runtime data area</h3>
This captures a few important sections below, though it is not comprehensive.<br />
<ul>
<li>Native method stack - the stack for native library code, which is platform-dependent and mostly written in C.</li>
<li>JVM stack - keeps the stack frames of the currently executing methods, per thread. Unbounded recursive calls can fill the stack and overflow it (java.lang.StackOverflowError) if proper termination conditions are not set. The <b>-Xss</b> JVM option configures the stack size.</li>
<li>PC register - the program counter, pointing to the next instruction to be executed, per thread.</li>
<li>Method area - stores class data; its size is governed by <b>-XX:MaxPermSize</b> (PermGen space, 64MB by default). For a huge server application loading millions of classes, this can be tuned upwards to avoid "OutOfMemoryError: PermGen space". From Java 8 onwards PermGen is replaced by Metaspace, which has no limit by default, though it can be fine-tuned and capped.</li>
<li>Heap - sized by <b>-Xms</b> and <b>-Xmx</b>.</li>
<li>Run-time constant pool.</li>
</ul>
</div>
<div style="text-align: justify;">
<h3>
Execution engine</h3>
<div style="text-align: justify;">
This engine executes the byte code that the class loader has placed in the runtime data areas. It makes use of the interpreter, the garbage collector, the HotSpot profiler and the JIT compiler for optimized execution of the program.</div>
<div style="text-align: justify;">
Refer [2] for more details on the JVM architecture.</div>
<br />
Now we know where the Garbage Collector sits in the JVM architecture. Let's go deep into the internals.<br />
<h2>
Garbage Collector</h2>
It is Java's automatic memory management process, which removes the objects that are no longer used. Then comes the question: how does it decide whether an object is used or not? </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
It defines two categories of objects:<br />
<b>live objects </b>- reachable objects, referenced from another object. Following the reference links ultimately leads to a root, such as the main thread that creates the whole object graph.<br />
<b>dead objects</b> - unreachable objects that are not referenced by any other object and are just lying in the heap.<br />
<br />
This categorization and garbage collection are based on the two observations below.<br />
1. Most objects become unreachable soon after creation. These are mostly short-lived objects that live only within a method context.<br />
2. Old objects rarely refer to young objects. For example, a long-lived cache would hardly refer to a newer object.</div>
<div style="text-align: justify;">
<br />
<h2>
<b>Garbage Collection Steps</b></h2>
Newly created object instances reside in the Java heap and move through the different generations described below. Garbage collection is done by a daemon thread called the 'Garbage Collector', which directs the objects through the different spaces within the heap.<br />
Garbage collection is done in 3 steps.<br />
<br />
<b>1. Mark</b> - Starting from the roots, traverse the object graph marking the reachable objects as alive.<br />
<b>2. Sweep</b> - Delete the unmarked objects.<br />
<b>3. Compact</b> - Defragment the memory, making the allocations for the live objects contiguous. This is considered the most time-consuming step.<br />
<br />
The heap area is divided as below.<br />
<b>Old (tenured) generation</b> - Objects that have survived for long stay here until they get marked unreachable and cleaned up in a major garbage collection, which runs through the whole heap.<br />
<br />
<b>Young generation</b> - this is further divided into 3 spaces: the Eden space and 2 Survivor spaces.<br />
<br />
Garbage collection happens at two levels, 'Minor' and 'Major'. Both are stop-the-world operations that halt every other memory access. A minor GC might not be felt by the application though, as it only scans through the young generation space, which is small in size.<br />
<br />
<h2>
Garbage Collector</h2>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigs4XRc96U4cv-HVMXzn6MKGERqeKDSa4FjWJpovqgTuW3F04-O_3vXURLCEftGXzLm2Ba6QeaGF27ZKvSnDWwKu0QmTeh3127FaDP0jcQ4-qUSjWWXKEJZS42d_2ETtUM_NuvURWaWUQ/s1600/gc-process.gif" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="450" data-original-width="800" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigs4XRc96U4cv-HVMXzn6MKGERqeKDSa4FjWJpovqgTuW3F04-O_3vXURLCEftGXzLm2Ba6QeaGF27ZKvSnDWwKu0QmTeh3127FaDP0jcQ4-qUSjWWXKEJZS42d_2ETtUM_NuvURWaWUQ/s640/gc-process.gif" width="640" /></a> The memory life cycle goes as below as shown in the above animation.<br />
1. Newly created objects reside in the Eden space (just as humans started from the Garden of Eden :) ). Until the Eden space is full, new objects keep getting added there.<br />
<br />
2. When the Eden space is full, a minor GC runs: it marks the live objects, moves those live objects to the 'Survivor from' space and sweeps the Eden space, which becomes free.<br />
<br />
3. Then the Eden space keeps filling with new objects as the program runs. Now when the Eden space is full, we also have the previously moved objects in the 'Survivor from' space. A minor GC runs, marking objects in both these spaces, and moves the remaining live objects as a whole to the other survivor space. <b>Wonder why not copy the live objects from the Eden space into the remaining room of 'Survivor from' rather than moving all to the other survivor space? </b>Well, moving all to the other space has proven more efficient in the compact step than compacting an area that already has objects in it.<br />
<br />
4. This cycle repeats, moving objects between the survivor spaces until a configured threshold <b>(<span class="st">-XX:<i>MaxTenuringThreshold</i></span>)</b> is met (the collector keeps track of how many GC cycles each object has survived). When the threshold is met, those objects are moved to the tenured space.<br />
<br />
5. As time passes, if the tenured space also gets filled up, a major GC kicks in and traverses the whole heap memory space, performing the GC steps. This pause can be felt in human interactions and is not desired.<br />
<br />
When there is a memory leak, or huge caches that reside for a long time, the tenured space fills up over time. At that point those objects might not even be detected as dead, as they are still reachable. This results in major GCs running frequently, as the collector detects that the tenured space is full, but failing to free enough memory, as nothing can be swept out.<br />
<br />
The error 'java.lang.OutOfMemoryError' in the logs is a clear hint that memory is not enough. Also, if we see frequent CPU spikes together with high memory usage, it can be a symptom of frequent GC runs due to some kind of memory handling issue that needs attention.<br />
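As an added illustration (my own code, not from the post), here is a small Python analyzer that reads Java 8 style -XX:+PrintGCDetails output and flags the pattern just described: Full GCs firing back to back while the old generation stays nearly full and each run frees almost nothing. The log lines are constructed for the example, and the thresholds are assumptions to be adjusted per application.

```python
"""Spot the 'frequent Full GC, almost nothing reclaimed' signature in a JVM GC log.

Parses Java 8 style -XX:+PrintGCDetails -XX:+PrintGCDateStamps lines from the
Parallel collector. The lines are constructed for this example; real output varies
by JVM version and collector (Java 9+ unified logging, -Xlog:gc*, looks different).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: one healthy minor GC, then three back-to-back Full GCs that
# each free under 2% of the heap while the old generation stays ~100% full.
SAMPLE_GC_LOG = """\
2020-04-28T22:55:01.101+0530: 100.001: [GC (Allocation Failure) [PSYoungGen: 65536K->1024K(76288K)] 120000K->60000K(251392K), 0.0123456 secs] [Times: user=0.03 sys=0.00, real=0.01 secs]
2020-04-28T22:55:20.201+0530: 119.101: [Full GC (Ergonomics) [PSYoungGen: 1024K->0K(76288K)] [ParOldGen: 174000K->173500K(175104K)] 175024K->173500K(251392K), [Metaspace: 30000K->30000K(1077248K)], 0.9876543 secs] [Times: user=3.50 sys=0.02, real=0.99 secs]
2020-04-28T22:55:22.301+0530: 121.201: [Full GC (Ergonomics) [PSYoungGen: 2048K->0K(76288K)] [ParOldGen: 175000K->174800K(175104K)] 177048K->174800K(251392K), [Metaspace: 30000K->30000K(1077248K)], 1.0123456 secs] [Times: user=3.60 sys=0.02, real=1.01 secs]
2020-04-28T22:55:24.401+0530: 123.301: [Full GC (Allocation Failure) [PSYoungGen: 1536K->0K(76288K)] [ParOldGen: 175100K->175000K(175104K)] 176636K->175000K(251392K), [Metaspace: 30000K->30000K(1077248K)], 1.1234567 secs] [Times: user=3.70 sys=0.03, real=1.12 secs]
"""

HEAD_RE = re.compile(r"(?P<uptime>\d+\.\d+): \[(?P<kind>Full GC|GC) \((?P<cause>[^)]*)\)")
OLD_RE = re.compile(r"\[ParOldGen: (?P<before>\d+)K->(?P<after>\d+)K\((?P<cap>\d+)K\)\]")
HEAP_RE = re.compile(r"\] (?P<before>\d+)K->(?P<after>\d+)K\((?P<cap>\d+)K\), ")
PAUSE_RE = re.compile(r", (?P<secs>\d+\.\d+) secs\]")


@dataclass
class GcEvent:
    uptime: float                       # JVM uptime (s) when the collection started
    full: bool                          # True for a Full (major) GC
    cause: str
    heap_before_k: int
    heap_after_k: int
    heap_cap_k: int
    pause_s: float
    old_after_k: Optional[int] = None   # ParOldGen figures: Full GC lines only
    old_cap_k: Optional[int] = None

    @property
    def reclaimed_fraction(self) -> float:
        """Share of the occupied heap that this collection actually freed."""
        return (self.heap_before_k - self.heap_after_k) / self.heap_before_k if self.heap_before_k else 0.0

    @property
    def old_occupancy(self) -> Optional[float]:
        """Old-generation fill level after the collection (None for minor GCs)."""
        return self.old_after_k / self.old_cap_k if self.old_cap_k else None


def parse_gc_line(line: str) -> Optional[GcEvent]:
    """Return a GcEvent for a collection line, None for any other log line."""
    head, heap, pause = HEAD_RE.search(line), HEAP_RE.search(line), PAUSE_RE.search(line)
    if not (head and heap and pause):
        return None
    event = GcEvent(uptime=float(head["uptime"]), full=head["kind"] == "Full GC",
                    cause=head["cause"], heap_before_k=int(heap["before"]),
                    heap_after_k=int(heap["after"]), heap_cap_k=int(heap["cap"]),
                    pause_s=float(pause["secs"]))
    old = OLD_RE.search(line)
    if old:
        event.old_after_k, event.old_cap_k = int(old["after"]), int(old["cap"])
    return event


def parse_gc_log(text: str) -> List[GcEvent]:
    return [e for e in map(parse_gc_line, text.splitlines()) if e is not None]


def diagnose(events: List[GcEvent], window: int = 3,
             min_reclaim: float = 0.05, high_occupancy: float = 0.90) -> dict:
    """Flag the leak / undersized-tenured-space signature the post describes: the
    last `window` Full GCs all leave the old generation above `high_occupancy` and
    each frees less than `min_reclaim` of the heap. Also reports the pause overhead."""
    full = [e for e in events if e.full]
    recent = full[-window:]
    stuck = len(recent) == window and all(
        e.old_occupancy is not None and e.old_occupancy >= high_occupancy
        and e.reclaimed_fraction < min_reclaim for e in recent)
    span = events[-1].uptime - events[0].uptime if len(events) > 1 else 0.0
    interval = ((recent[-1].uptime - recent[0].uptime) / (len(recent) - 1)
                if len(recent) > 1 else None)
    return {
        "minor_gcs": len(events) - len(full),
        "full_gcs": len(full),
        "full_gc_interval_s": interval,                      # how often Full GC fires
        "pause_share": sum(e.pause_s for e in events) / span if span > 0 else 0.0,
        "leak_suspected": stuck,
    }
```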
<br />
<h2>
<b>Performance</b></h2>
When fine-tuning the JVM for memory utilization, the major deciding factor is which of <b>responsiveness/latency</b> and <b>throughput</b> is more critical. If throughput is of utmost importance, as in batch processing, we can accept some pauses for major GCs to run if that helps the overall throughput, because the application occasionally becoming less responsive might not be an issue there.<br />
On the other hand, if responsiveness is of utmost importance, as in a UI-based application, we should try to avoid major GCs. Simply aiming for that is not enough though. For example, we can delay a major GC by increasing the space for the young generation, but then the minor GCs start to take much longer, as they need to traverse and compact a huge space. Hence choosing the correct sizes, and the correct ratio between the young and old generations, needs to be done carefully to achieve this. Sometimes this can even go into the application design details, fine-tuning memory usage through the object creation patterns and caching locations. Analyzing heap dumps and flame graphs to decide on the best things to cache will be a topic for another post.<br />
<br />
<h2>
Garbage Collectors</h2>
As garbage collection has this much impact on the performance of an application, a lot of effort has been put in by engineers to improve it. The result is that we have a choice of garbage collector to suit the requirements. Below is a non-comprehensive list of options.<br />
<h4>
1. Serial Collector</h4>
Runs in a single thread. Only suitable for basic applications.<br />
<h4>
<b>2. Concurrent Collector (CMS - Concurrent Mark and Sweep)</b></h4>
A single thread performs garbage collection. It only stops the world in the mark and re-mark phases. The rest of the work is done while the application is running, and it does not wait for the old generation to be full. This is a good choice when the memory space is large, there is a high number of CPUs to cater for concurrent execution, and the application demands the shortest pauses, with responsiveness being the critical factor. This has been the most favoured choice for most web applications in the past.<br />
<h4>
3. Parallel Collector</h4>
This collector makes use of multiple CPUs. It waits for the old generation to be full or nearly full, but when it runs it stops the world. Multiple threads do the marking, sweeping and compacting, making garbage collection much faster. When the memory is not very large and the number of CPUs is limited, this is a good option to cater to throughput demands that can withstand pauses.<br />
<h4>
4. G1 (Garbage First) collector (1.7 upwards)</h4>
This option makes garbage collection more predictable by allowing configuration such as a pause-time goal for GC runs. It is said to have the best of both worlds of parallelism and concurrency. It divides the memory into regions, and each region is considered either an Eden, a survivor or a tenured space. Regions holding more unreachable objects are garbage collected first.<br />
<br />
<h3>
Default Garbage Collector in Versions</h3>
<ul>
<li>Java 7 - Parallel GC</li>
<li>Java 8 - Parallel GC</li>
<li>Java 9 - G1 GC</li>
<li>Java 10 - G1 GC</li>
<li>Java 11 - G1 GC (ZGC provided as an experimental feature along with Epsilon) </li>
<li>Java 12 - G1 GC (Shenandoah GC introduced. OpenJDK only.)</li>
</ul>
<h2>
Tune-up parameters for the garbage collector</h2>
The rule of thumb for tuning the JVM is not to do so unless there is an issue to be addressed with the default settings, or unless it is decided after a lot of deliberation, with effects proven under long-running production-level load patterns. This is because Java ergonomics has advanced a lot and will most of the time be able to perform a lot of optimizations, provided the application is not behaving badly. A comprehensive list of options can be found at [5], including configuring the sizes of the heap spaces, thresholds, the type of garbage collector to use, etc.</div>
<div style="text-align: justify;">
<h3>
Diagnose</h3>
The configurations below are useful to diagnose memory issues with the help of GC behaviour, in addition to heap dumps.<br />
<br /></div>
<div style="text-align: justify;">
<b>-XX:+PrintGCDetails</b> - Print details of each garbage collection. (For boolean -XX flags, <b>+</b> enables and <b>-</b> disables the option.)<br />
<b>-Xloggc:&lt;file-name&gt;</b> - Write the GC log to the given file.<br />
<b>-XX:+UseGCLogFileRotation</b> - Enable GC log file rotation when the above configuration is done.<br />
<b>-XX:+HeapDumpOnOutOfMemoryError</b> - Dump the heap content for further analysis if an OOM error occurs.<br />
<b>-XX:OnOutOfMemoryError="&lt;cmd args&gt;;&lt;cmd args&gt;"</b> - Set of commands to be run if an OOM error occurs. Allows executing any custom task when facing the error.<br />
<br />
We will go into the diagnosis and analysis details in another post. <br />
<br />
Cheers! <br />
<br />
<div style="text-align: justify;">
[1] - https://docs.oracle.com/javase/specs/index.html<br />
[2] - https://docs.oracle.com/javase/specs/jvms/se8/html/jvms-2.html#jvms-2.5.6 <br />
[2] - Oracle Garbage Collection tuning guide - <a href="https://docs.oracle.com/javase/9/gctuning/ergonomics.htm#JSGCT-GUID-DB4CAE94-2041-4A16-90EC-6AE3D91EC1F1">https://docs.oracle.com/javase/9/gctuning/ergonomics.htm#JSGCT-GUID-DB4CAE94-2041-4A16-90EC-6AE3D91EC1F1</a><br />
[3] - New java garbage collectors - <a href="https://blogs.oracle.com/javamagazine/understanding-the-jdks-new-superfast-garbage-collectors">https://blogs.oracle.com/javamagazine/understanding-the-jdks-new-superfast-garbage-collectors</a><br />
[4] - Available collectors - <a href="https://docs.oracle.com/en/java/javase/13/gctuning/available-collectors.html#GUID-F215A508-9E58-40B4-90A5-74E29BF3BD3C">https://docs.oracle.com/en/java/javase/13/gctuning/available-collectors.html#GUID-F215A508-9E58-40B4-90A5-74E29BF3BD3C</a><br />
[5] - JVM options - <a href="https://www.oracle.com/technetwork/articles/java/vmoptions-jsp-140102.html">https://www.oracle.com/technetwork/articles/java/vmoptions-jsp-140102.html</a><br />
<br /></div>
</div>
</div>
Tomcat JDBC Pool - Connection Leak - Catch the Culprit (Pushpalanka, 2020-04-24)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
Database connection leaks are something that can stay hidden unless specific attention is paid, and they surface at the most critical stages, at the peak time of the system. We would manually check that all opened connections have been closed properly. Then we have various code quality plugins that scan and check for that. Still, when connections are passed through a complex program structure, both of these can miss a possible connection leak. Then, at the unit test or integration test level, we can have checks that validate the counts in the connection pool, to avoid the unfortunate situation that keeps engineers busy at year-end, on Black Friday, etc. :)</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In the unfortunate case of hitting a performance degradation or a total crash of the system, which can be caused by a JDBC connection leak, when we suspect a leak, how can we isolate the culprit easily and quickly? In the Tomcat connection pool we can do this using 3 properties.</div>
<br />
<h4>
<code>removeAbandoned</code></h4>
<div style="text-align: left;">
If a DB connection has been abandoned (not used for a while, but not returned to the pool), this configuration will try to remove it. How long to wait before the connection is removed is configured by the property below.</div>
<h4>
<code>removeAbandonedTimeout</code></h4>
<div style="text-align: left;">
The time it will wait before attempting to remove the connection. By default 60s.<br />
<br />
<div style="text-align: justify;">
<span style="color: blue;"><b>Note: </b></span>When using this property with the goal of isolating a culprit, it is useful to know the average time taken by the longest transaction the system executes on the database. Setting this value considerably larger than that avoids catching innocent threads that are actually doing useful work and would properly close the connection at the end.</div>
</div>
<h4>
<code>logAbandoned</code></h4>
<div style="text-align: left;">
Whether the stack trace should be logged when removing an abandoned connection is governed by this. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
More details on these properties can be found at <a href="https://tomcat.apache.org/tomcat-8.0-doc/jdbc-pool.html#Common_Attributes">https://tomcat.apache.org/tomcat-8.0-doc/jdbc-pool.html#Common_Attributes</a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: justify;">
These configurations can also be used as a safety net in case you are unsure whether the application has any leak, because the pool will automatically remove connections that were forgotten to be closed, and it will keep the intended min, max and idle connection counts properly, taking those into account.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
This is a sample log I captured while the pool removed an abandoned connection.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<pre style="background: #f0f0f0; border: 1px dashed #cccccc; color: black; font-family: 'arial'; font-size: 12px; height: auto; line-height: 20px; overflow: auto; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> [2020-04-24 00:26:13,229] WARN {org.apache.tomcat.jdbc.pool.ConnectionPool} - Connection has been abandoned PooledConnection[com.mysql.jdbc.JDBC4Connection@5ab91385]:java.lang.Exception
at org.apache.tomcat.jdbc.pool.ConnectionPool.getThreadDump(ConnectionPool.java:1096)
at org.apache.tomcat.jdbc.pool.ConnectionPool.borrowConnection(ConnectionPool.java:799)
at org.apache.tomcat.jdbc.pool.ConnectionPool.borrowConnection(ConnectionPool.java:648)
at org.apache.tomcat.jdbc.pool.ConnectionPool.getConnection(ConnectionPool.java:200)
at org.apache.tomcat.jdbc.pool.DataSourceProxy.getConnection(DataSourceProxy.java:128)
at org.lanka.carbon.user.core.jdbc.JDBCUserStoreManager.getDBConnection(JDBCUserStoreManager.java:1187)
at org.lanka.sample.CustomUserStoreManager.doAuthenticate(CustomUserStoreManager.java:51)
at org.lanka.carbon.user.core.common.AbstractUserStoreManager.authenticateInternal(AbstractUserStoreManager.java:674)
at org.lanka.carbon.user.core.common.AbstractUserStoreManager.access$100(AbstractUserStoreManager.java:86)
at org.lanka.carbon.user.core.common.AbstractUserStoreManager$4.run(AbstractUserStoreManager.java:542)
at org.lanka.carbon.user.core.common.AbstractUserStoreManager$4.run(AbstractUserStoreManager.java:539)
at java.security.AccessController.doPrivileged(Native Method)
at org.lanka.carbon.user.core.common.AbstractUserStoreManager.authenticate(AbstractUserStoreManager.java:539)
at org.lanka.carbon.user.core.common.AbstractUserStoreManager.authenticateInternal(AbstractUserStoreManager.java:702)
at org.lanka.carbon.user.core.common.AbstractUserStoreManager.access$100(AbstractUserStoreManager.java:86)
at org.lanka.carbon.user.core.common.AbstractUserStoreManager$4.run(AbstractUserStoreManager.java:542)
at org.lanka.carbon.user.core.common.AbstractUserStoreManager$4.run(AbstractUserStoreManager.java:539)
at java.security.AccessController.doPrivileged(Native Method)
at org.lanka.carbon.user.core.common.AbstractUserStoreManager.authenticate(AbstractUserStoreManager.java:539)
at org.lanka.carbon.user.core.common.AbstractUserStoreManager$3.run(AbstractUserStoreManager.java:522)
at org.lanka.carbon.user.core.common.AbstractUserStoreManager$3.run(AbstractUserStoreManager.java:514)
at java.security.AccessController.doPrivileged(Native Method)
</code></pre>
</div>
<br />
<div style="text-align: justify;">
As you can see, the whole stack trace relevant to the abandoned connection's creation is captured here, which leads us to the culprit faster.</div>
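As an added example (my own script, not part of the post), the following Python attributes each abandoned-connection warning in such a log to the application frames that borrowed the connection and ranks the call sites, so that with several warnings the most frequent leak site is listed first. The sample log reuses the trace above, shortened, with two further warnings constructed for the example.

```python
"""Triage Tomcat JDBC pool 'Connection has been abandoned' warnings.

With logAbandoned=true the pool logs the stack trace of the thread that borrowed
each abandoned connection. This reads such a log, attributes every abandoned
connection to the first application frames below the pool and JDK plumbing, and
ranks those call sites by count so the worst leak shows up first.
"""
import re
from collections import Counter
from typing import Iterator, List, Tuple

# Frames belonging to the pool itself, the JDK or security plumbing: never the
# borrower we want to name.
INFRA_PREFIXES = ("org.apache.tomcat.jdbc.pool.", "java.", "javax.", "sun.", "jdk.")

HEADER_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] WARN .*Connection has been abandoned "
                       r"(?P<conn>PooledConnection\[[^\]]*\])")
FRAME_RE = re.compile(r"^\s*at (?P<site>[\w$.<>]+\([^)]*\))")

# Constructed sample: the post's trace, shortened, plus two more warnings
# (the extra connection ids and the ReportJob frame are made up for the example).
SAMPLE_LOG = """\
[2020-04-24 00:26:13,229] WARN {org.apache.tomcat.jdbc.pool.ConnectionPool} - Connection has been abandoned PooledConnection[com.mysql.jdbc.JDBC4Connection@5ab91385]:java.lang.Exception
at org.apache.tomcat.jdbc.pool.ConnectionPool.getThreadDump(ConnectionPool.java:1096)
at org.apache.tomcat.jdbc.pool.ConnectionPool.borrowConnection(ConnectionPool.java:799)
at org.apache.tomcat.jdbc.pool.ConnectionPool.borrowConnection(ConnectionPool.java:648)
at org.apache.tomcat.jdbc.pool.ConnectionPool.getConnection(ConnectionPool.java:200)
at org.apache.tomcat.jdbc.pool.DataSourceProxy.getConnection(DataSourceProxy.java:128)
at org.lanka.carbon.user.core.jdbc.JDBCUserStoreManager.getDBConnection(JDBCUserStoreManager.java:1187)
at org.lanka.sample.CustomUserStoreManager.doAuthenticate(CustomUserStoreManager.java:51)
at org.lanka.carbon.user.core.common.AbstractUserStoreManager.authenticateInternal(AbstractUserStoreManager.java:674)
at java.security.AccessController.doPrivileged(Native Method)
[2020-04-24 00:26:13,230] INFO {org.lanka.sample.Boot} - unrelated line between two warnings
[2020-04-24 00:27:45,002] WARN {org.apache.tomcat.jdbc.pool.ConnectionPool} - Connection has been abandoned PooledConnection[com.mysql.jdbc.JDBC4Connection@1f2e3d4c]:java.lang.Exception
at org.apache.tomcat.jdbc.pool.ConnectionPool.getThreadDump(ConnectionPool.java:1096)
at org.apache.tomcat.jdbc.pool.ConnectionPool.borrowConnection(ConnectionPool.java:799)
at org.apache.tomcat.jdbc.pool.DataSourceProxy.getConnection(DataSourceProxy.java:128)
at org.lanka.carbon.user.core.jdbc.JDBCUserStoreManager.getDBConnection(JDBCUserStoreManager.java:1187)
at org.lanka.sample.CustomUserStoreManager.doAuthenticate(CustomUserStoreManager.java:51)
[2020-04-24 00:29:10,511] WARN {org.apache.tomcat.jdbc.pool.ConnectionPool} - Connection has been abandoned PooledConnection[com.mysql.jdbc.JDBC4Connection@7a8b9c0d]:java.lang.Exception
at org.apache.tomcat.jdbc.pool.ConnectionPool.getThreadDump(ConnectionPool.java:1096)
at org.apache.tomcat.jdbc.pool.DataSourceProxy.getConnection(DataSourceProxy.java:128)
at org.lanka.sample.ReportJob.run(ReportJob.java:88)
"""

Event = Tuple[str, str, List[str]]   # (timestamp, pooled connection id, frames)


def split_events(lines) -> Iterator[Event]:
    """Group each abandoned-connection warning with the frames that follow it."""
    current = None
    for line in lines:
        header = HEADER_RE.match(line)
        if header:
            if current:
                yield current
            current = (header["ts"], header["conn"], [])
        elif current:
            frame = FRAME_RE.match(line)
            if frame:
                current[2].append(frame["site"])
            else:                       # any other line ends the trace
                yield current
                current = None
    if current:
        yield current


def borrower_frames(frames: List[str], depth: int = 2) -> Tuple[str, ...]:
    """The first `depth` application frames: typically the helper that called
    getConnection() and the business method that forgot to close it."""
    app = [site for site in frames if not site.startswith(INFRA_PREFIXES)]
    return tuple(app[:depth])


def rank_call_sites(log_text: str, depth: int = 2) -> List[Tuple[Tuple[str, ...], int]]:
    """Most frequent borrower call sites first."""
    counts = Counter(borrower_frames(frames, depth)
                     for _ts, _conn, frames in split_events(log_text.splitlines()))
    return counts.most_common()
```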
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Optionally, we can also use JConsole to monitor the JDBC pool via JMX. For that, we need to enable the property <code>jmxEnabled</code>, which allows connecting from JConsole to the JDBC pool. Once done, it offers a whole lot of features to monitor the pool, and it can even be set to notify when a connection is detected as abandoned.</div>
<br />
Hope this will help you save some time in troubleshooting.<br />
Cheers!</div>
OPA for HTTP Authorization (Pushpalanka, 2019-01-30)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
Open Policy Agent [1] is a promising, lightweight and very generic policy engine to govern authorization in any type of domain. I found this comparison [2] very attractive in evaluating OPA for a project I am currently working on, where they demonstrate how OPA can cater for the same functionality defined in RBAC, RBAC with Separation of Duty, ABAC and XACML. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Here are the steps of a brief demonstration of OPA used for HTTP API authorization, based on the sample [3] and taking it another level up.</div>
<div style="text-align: justify;">
<br />
<h2>
Running OPA Server</h2>
</div>
<div style="text-align: justify;">
First we need to download OPA from [4], for the operating system we are running on. </div>
<div style="text-align: justify;">
For Linux,</div>
<pre><code>curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/v0.10.3/opa_linux_amd64</code></pre>
<div style="text-align: justify;">
Make it executable,</div>
<pre><code>chmod 755 ./opa</code></pre>
Once done, we can start OPA policy engine as a server.<br />
<pre><code>./opa run --server</code></pre>
<h2 style="text-align: left;">
Define Data and Rules</h2>
Next we need to load data and authorization rules into the server, so it can make decisions. OPA defines these in files in the .rego format. Below is a sample file I used.<br />
<pre class="prettyprint">package httpapi.authz

subordinates = {"alice": [], "charlie": [], "bob": ["alice"], "betty": ["charlie"]}

# HTTP API request
import input as http_api
# http_api = {
#   "path": ["finance", "salary", "alice"],
#   "user": "alice",
#   "method": "GET",
#   "user_agent": "cURL/1.0",
#   "remote_addr": "127.0.0.1"
# }

default allow = false

# Allow users to get their own salaries.
allow {
  http_api.method = "GET"
  http_api.path = ["finance", "salary", username]
  username = http_api.user
}

# Allow managers to get their subordinates' salaries.
allow {
  http_api.method = "GET"
  http_api.path = ["finance", "salary", username]
  subordinates[http_api.user][_] = username
}

# Allow managers to edit their subordinates' salaries only if the request came
# from user agent cURL and address 127.0.0.1.
allow {
  http_api.method = "POST"
  http_api.path = ["finance", "salary", username]
  subordinates[http_api.user][_] = username
  http_api.remote_addr = "127.0.0.1"
  http_api.user_agent = "curl/7.47.0"
}</pre>
<br />
First it defines a data set which represents the subordinate relationships. For example, as per this dataset, alice is a subordinate of bob. Then it defines 3 rules that evaluate to 'allow'.<br />
<ul style="text-align: left;">
<li>If a user tries to get their own salary, it is allowed.</li>
<li>If a user tries to get the salary of a subordinate, it is allowed.</li>
<li>If a user tries to modify a salary, it is allowed only if it is a subordinate's salary, the request is initiated from remote address '127.0.0.1' and the user agent is 'curl/7.47.0'.</li>
</ul>
To load this policy into the OPA engine we use the call below.<br />
<pre><code>curl -X PUT --data-binary @salary-example.rego localhost:8181/v1/policies/example</code></pre>
The above policy is stored in a file named 'salary-example.rego', which the command refers to.<br />
<div>
<h2 style="text-align: left;">
Evaluate at API Invocation</h2>
<div style="text-align: justify;">
Below is a sample API implementation in python, that consults the OPA engine on the decision whether to provide a response or deny as unauthorized.</div>
<br />
<pre class="prettyprint">#!/usr/bin/env python
import base64
import os
from flask import Flask
from flask import request
import json
import requests
import logging
import sys

logging.basicConfig(stream=sys.stderr, level=logging.DEBUG)
app = Flask(__name__)
opa_url = os.environ.get("OPA_ADDR", "http://localhost:8181")
policy_path = os.environ.get("POLICY_PATH", "/v1/data/httpapi/authz")


def check_auth(url, user, method, user_agent, remote_addr, url_as_array, token):
    # Build the 'input' document the Rego policy evaluates against.
    input_dict = {"input": {
        "user": user,
        "path": url_as_array,
        "method": method,
        "user_agent": user_agent,
        "remote_addr": remote_addr
    }}
    if token is not None:
        input_dict["input"]["token"] = token
    logging.info("Checking auth...")
    logging.info(json.dumps(input_dict, indent=2))
    try:
        rsp = requests.post(url, data=json.dumps(input_dict))
    except Exception as err:
        logging.info(err)
        return {}
    if rsp.status_code >= 300:
        # A non-success answer from OPA yields no decision, which the caller treats as deny.
        logging.info("Error checking auth, got status %s and message: %s" % (rsp.status_code, rsp.text))
        return {}
    j = rsp.json()
    logging.info("Auth response:")
    logging.info(json.dumps(j, indent=2))
    return j


@app.route('/', defaults={'path': ''}, methods=['GET', 'POST', 'DELETE'])
@app.route('/<path:path>', methods=['GET', 'POST'])
def root(path):
    auth_header = request.headers.get('Authorization', "")
    logging.info("User Agent: %s" % request.user_agent.string)
    logging.info("Remote Address: %s" % request.remote_addr)
    # Requests without HTTP Basic credentials are evaluated as the anonymous user
    # instead of failing on a missing "Basic " prefix.
    user = "Anonymous"
    if auth_header.startswith("Basic "):
        user_encoded = auth_header[len("Basic "):]
        user, _ = base64.b64decode(user_encoded).decode("utf-8").split(":", 1)
    url = opa_url + policy_path
    path_as_array = path.split("/")
    token = request.args["token"] if "token" in request.args else None
    j = check_auth(url, user, request.method, request.user_agent.string,
                   request.remote_addr, path_as_array, token).get("result", {})
    if j.get("allow", False) is True:
        return "Success: user %s is authorized \n" % user
    return "Error: user %s is not authorized to %s url /%s \n" % (user, request.method, path)


if __name__ == "__main__":
    app.run()</pre>
<br />
<div style="text-align: justify;">
The function 'check_auth' is responsible for retrieving the decision from the OPA engine, providing the input details required for authorization. Run the above python script with the command below. It uses the python modules 'flask' and 'requests'.</div>
<div style="text-align: justify;">
<br /></div>
<pre style="-webkit-font-smoothing: antialiased; -webkit-tap-highlight-color: transparent; -webkit-text-stroke-width: 0px; background: rgb(247, 247, 247); border: none; box-sizing: border-box; break-inside: avoid; color: #333333; direction: ltr; font-family: Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 14px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: 0.2px; margin: 0px 0px 1.275em; orphans: 2; overflow: auto; padding: 0.85em 1em; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-size-adjust: none; text-transform: none; white-space: pre-wrap; widows: 2; word-spacing: 0px; word-wrap: normal;"><code class="lang-shell" style="-webkit-font-smoothing: antialiased; -webkit-tap-highlight-color: transparent; background: 0px 0px; border: none; box-sizing: border-box; break-inside: avoid; color: inherit; direction: ltr; display: inline; font-family: Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 0.85em; line-height: inherit; margin: 0px; max-width: initial; overflow: initial; padding: 0px; text-size-adjust: none; white-space: pre;">python echo_server.py
</code></pre>
Now we can try to call this API served by this python server and see the authorization policy in action.</div>
<div>
<pre style="-webkit-font-smoothing: antialiased; -webkit-tap-highlight-color: transparent; -webkit-text-stroke-width: 0px; background: rgb(247, 247, 247); border: none; box-sizing: border-box; break-inside: avoid; color: #333333; direction: ltr; font-family: Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 14px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: 0.2px; margin: 0px 0px 1.275em; orphans: 2; overflow: auto; padding: 0.85em 1em; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-size-adjust: none; text-transform: none; white-space: pre-wrap; widows: 2; word-spacing: 0px; word-wrap: normal;"><code class="lang-shell" style="-webkit-font-smoothing: antialiased; -webkit-tap-highlight-color: transparent; background: 0px 0px; border: none; box-sizing: border-box; break-inside: avoid; color: inherit; direction: ltr; display: inline; font-family: Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 0.85em; line-height: inherit; margin: 0px; max-width: initial; overflow: initial; padding: 0px; text-size-adjust: none; white-space: pre;">curl --user alice:password localhost:5000/finance/salary/alice
</code></pre>
Above is allowed based on the 1st rule, user trying to read own salary.<br />
<pre style="-webkit-font-smoothing: antialiased; -webkit-tap-highlight-color: transparent; -webkit-text-stroke-width: 0px; background: rgb(247, 247, 247); border: none; box-sizing: border-box; break-inside: avoid; color: #333333; direction: ltr; font-family: Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 14px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: 0.2px; margin: 0px 0px 1.275em; orphans: 2; overflow: auto; padding: 0.85em 1em; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-size-adjust: none; text-transform: none; white-space: pre-wrap; widows: 2; word-spacing: 0px; word-wrap: normal;"><code class="lang-shell" style="-webkit-font-smoothing: antialiased; -webkit-tap-highlight-color: transparent; background: 0px 0px; border: none; box-sizing: border-box; break-inside: avoid; color: inherit; direction: ltr; display: inline; font-family: Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 0.85em; line-height: inherit; margin: 0px; max-width: initial; overflow: initial; padding: 0px; text-size-adjust: none; white-space: pre;">curl --user bob:password localhost:5000/finance/salary/alice
</code></pre>
Above is allowed based on the 2nd rule, user trying to read the salary of a subordinate.</div>
<div>
<pre style="-webkit-font-smoothing: antialiased; -webkit-tap-highlight-color: transparent; -webkit-text-stroke-width: 0px; background: rgb(247, 247, 247); border: none; box-sizing: border-box; break-inside: avoid; color: #333333; direction: ltr; font-family: Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 14px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: 0.2px; margin: 0px 0px 1.275em; orphans: 2; overflow: auto; padding: 0.85em 1em; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-size-adjust: none; text-transform: none; white-space: pre-wrap; widows: 2; word-spacing: 0px; word-wrap: normal;"><code class="lang-shell" style="-webkit-font-smoothing: antialiased; -webkit-tap-highlight-color: transparent; background: 0px 0px; border: none; box-sizing: border-box; break-inside: avoid; color: inherit; direction: ltr; display: inline; font-family: Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 0.85em; line-height: inherit; margin: 0px; max-width: initial; overflow: initial; padding: 0px; text-size-adjust: none; white-space: pre;">curl -X POST -d "empoyeeID=100&value=2000" --user bob:password localhost:5000/finance/salary/alice
</code></pre>
This will be allowed based on the 3rd rule, if the user agent also matches the exact same cURL client version we have defined in the policy.</div>
<div>
<pre style="-webkit-font-smoothing: antialiased; -webkit-tap-highlight-color: transparent; -webkit-text-stroke-width: 0px; background: rgb(247, 247, 247); border: none; box-sizing: border-box; break-inside: avoid; color: #333333; direction: ltr; font-family: Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 14px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: 0.2px; margin: 0px 0px 1.275em; orphans: 2; overflow: auto; padding: 0.85em 1em; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-size-adjust: none; text-transform: none; white-space: pre-wrap; widows: 2; word-spacing: 0px; word-wrap: normal;"><code class="lang-shell" style="-webkit-font-smoothing: antialiased; -webkit-tap-highlight-color: transparent; background: 0px 0px; border: none; box-sizing: border-box; break-inside: avoid; color: inherit; direction: ltr; display: inline; font-family: Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 0.85em; line-height: inherit; margin: 0px; max-width: initial; overflow: initial; padding: 0px; text-size-adjust: none; white-space: pre;">curl -X POST -d "empoyeeID=100&value=2000" --user alice:password localhost:5000/finance/salary/alice
</code></pre>
Even though the previous request was allowed for bob to edit alice's salary, the above request is denied because, under the defined rules, a user cannot modify their own salary.</div>
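<div style="text-align: justify;">
The handler above assumes an Authorization header is present and begins with "Basic ", and it treats whatever OPA returns as a decision. The Python below is an added example, not code from the post or from the Open Policy Agent project: it parses Basic credentials fail-closed, shapes the input document the same way check_auth does, accepts only an explicit boolean result.allow == true, and runs the four curl requests above against an in-process stand-in for the OPA endpoint. The stand-in (fake_opa), the SUBORDINATES data (alice reports to bob) and the helper names are constructed for this example.</div>

```python
"""Fail-closed authorization front end for the OPA query used in the post.
Added example: not code from the post or from Open Policy Agent."""
import base64
import binascii
from typing import Callable, Optional

# Constructed data mirroring the post's policy: alice is a subordinate of bob.
SUBORDINATES = {"bob": ["alice"]}


def parse_basic_auth(header: Optional[str]) -> Optional[str]:
    """Return the user name from an HTTP Basic Authorization header, else None.

    The post's handler does header.split("Basic ")[1], which raises IndexError
    (an HTTP 500) when the header is missing or uses another scheme. Rejecting
    anything malformed lets the caller deny instead of crash.
    """
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")  # passwords may contain ':'
    if not sep or not user:
        return None
    return user


def build_opa_input(user: str, method: str, path: str, user_agent: str,
                    remote_addr: str, token: Optional[str] = None) -> dict:
    """Shape the document POSTed to /v1/data/httpapi/authz like check_auth does."""
    doc = {"input": {
        "user": user,
        "path": path.strip("/").split("/"),
        "method": method,
        "user_agent": user_agent,
        "remote_addr": remote_addr,
    }}
    if token is not None:
        doc["input"]["token"] = token
    return doc


def is_allowed(opa_response: Optional[dict]) -> bool:
    """Default deny: only an explicit boolean result.allow == true authorizes.
    A missing result, an error body or the string "true" all deny."""
    if not isinstance(opa_response, dict):
        return False
    result = opa_response.get("result")
    return isinstance(result, dict) and result.get("allow") is True


def fake_opa(doc: dict) -> dict:
    """In-process stand-in for the OPA endpoint implementing the post's three
    rules, so the flow can be exercised without a running engine."""
    i = doc["input"]
    path, user, method = i["path"], i["user"], i["method"]
    if len(path) != 3 or path[:2] != ["finance", "salary"]:
        return {"result": {"allow": False}}
    target = path[2]
    subordinate = target in SUBORDINATES.get(user, [])
    allow = (
        (method == "GET" and target == user)            # rule 1: own salary
        or (method == "GET" and subordinate)            # rule 2: subordinate's salary
        or (method == "POST" and subordinate            # rule 3: modify, pinned client
            and i["remote_addr"] == "127.0.0.1"
            and i["user_agent"] == "curl/7.47.0")
    )
    return {"result": {"allow": allow}}


def authorize(auth_header: Optional[str], method: str, path: str,
              user_agent: str, remote_addr: str,
              query: Callable[[dict], Optional[dict]] = fake_opa) -> bool:
    """Full decision: parse identity, ask the policy engine, default deny.
    `query` is the transport; replace fake_opa with a requests.post wrapper."""
    user = parse_basic_auth(auth_header)
    if user is None:
        return False
    try:
        response = query(build_opa_input(user, method, path, user_agent, remote_addr))
    except Exception:  # engine unreachable: deny, never fall open
        return False
    return is_allowed(response)


def basic(user: str, password: str) -> str:
    """Build the header curl --user sends, for the examples below."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    # The four requests from the post, in order: allow, allow, allow, deny.
    for who, verb in (("alice", "GET"), ("bob", "GET"), ("bob", "POST"), ("alice", "POST")):
        ok = authorize(basic(who, "password"), verb, "/finance/salary/alice",
                       "curl/7.47.0", "127.0.0.1")
        print(f"{verb:4} /finance/salary/alice as {who}: {'allow' if ok else 'deny'}")
```

Swapping fake_opa for a function that POSTs the document to the real OPA URL keeps the same fail-closed behaviour against a live engine.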
<div>
<br /></div>
<div>
This was a good exercise to understand the power and the behavior of OPA, which I enjoyed. Hope you did too. Cheers!<br />
<br />
[1] - <a href="https://www.openpolicyagent.org/">https://www.openpolicyagent.org</a><br />
[2] - <a href="https://www.openpolicyagent.org/docs/comparison-to-other-systems.html">https://www.openpolicyagent.org/docs/comparison-to-other-systems.html</a><br />
[3] - <a href="https://www.openpolicyagent.org/docs/http-api-authorization.html">https://www.openpolicyagent.org/docs/http-api-authorization.html</a><br />
[4] - <a href="https://github.com/open-policy-agent/opa/releases">https://github.com/open-policy-agent/opa/releases</a> </div>
</div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.comtag:blogger.com,1999:blog-2392291832115825501.post-11501787788572747342019-01-29T19:19:00.000+05:302019-01-29T19:22:09.394+05:30SPIFFE in a Nutshell<div dir="ltr" style="text-align: left;" trbidi="on">
<h2>
SPIFFE in a Nutshell</h2>
<div style="text-align: justify;">
I have been studying SPIFFE (Secure Production Identity Framework For Everyone)[1] for some time, and here I am drafting the flow as I understand it now, for the benefit of anyone else trying to understand it. </div>
<div style="text-align: justify;">
<br /></div>
<ul style="text-align: left;">
<li><b>Identity Registry</b> - The SPIRE server has its own identity registry, which keeps two coarse-grained attributes that decide how SPIFFE IDs are issued to a workload. It keeps details as in the table below.</li>
</ul>
<br />
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; width: 411.0236220472441pt;"><colgroup><col width="*"></col><col width="*"></col><col width="*"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="background-color: #d9d9d9; border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">SPIFFE ID</span></div>
</td><td style="background-color: #d9d9d9; border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Node Selector</span></div>
</td><td style="background-color: #d9d9d9; border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Process Selector</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">spiffe://abc.com/bill</span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">aws:ec2:1234</span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">k8s:namespace:1234</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">spiffe://xyz.com/account</span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">token:7236427472</span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">unix:uid:1002</span></div>
</td></tr>
</tbody></table>
</div>
<br />
<br />
A separate registration API is provided to manage these entries in the identity registry.<br />
<br />
<ul style="text-align: left;">
<li><b>Node Selector</b> - This defines a machine (physical or virtual) that a workload can be running on. The exact type of selector used is decided by the infrastructure provider (AWS, GCP, bare metal) the workload runs on, e.g. an AWS EC2 instance ID or the serial number of a physical machine. The node attestor acts based on the infrastructure provider to honor these selectors.</li>
<li><b>Workload Selector</b> - This defines how to identify a process as representing a workload, after the node is identified. It can be described in terms of attributes of the process itself (e.g. Linux UID) or in terms of indirect attributes such as a Kubernetes namespace. The node agent is responsible for verifying that a particular process on a machine qualifies for its workload selector. The workload attestor acts based on the process attributes to honor the process selectors.</li>
<li><b>SPIRE Node Agent</b> - A process that sits on the node, verifies the provenance of workloads running on the node, and provides those workloads with certificates via the Workload API, based on the selectors.</li>
</ul>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhig1Pgm8gT7rNNzNH6G-f8CubbUyFmkHtgpmInQcPTz4UBLrxEzvi7aOGqdBfLXYbzUdqXm0wlv7Ko3zWcLOThoEPTMYCVqfpj7O6WESkfkgyOa23rOSW92rj38Xa8KMeOFCffxz1E-dA/s1600/Document+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1158" data-original-width="1550" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhig1Pgm8gT7rNNzNH6G-f8CubbUyFmkHtgpmInQcPTz4UBLrxEzvi7aOGqdBfLXYbzUdqXm0wlv7Ko3zWcLOThoEPTMYCVqfpj7O6WESkfkgyOa23rOSW92rj38Xa8KMeOFCffxz1E-dA/s1600/Document+1.png" /></a></div>
<div style="text-align: left;">
<br /></div>
<ol style="text-align: left;">
<li>Registration API is called by either an administrator or a third party application to populate the identity registry with the required SPIFFE IDs and relevant selectors.</li>
<li>The node agent gets authenticated with the SPIRE server using a pre-established cryptographic key pair or based on the infrastructure provider. For example, in the case of AWS EC2, the node agent will submit the node's Instance Identification Document (IID) issued by AWS.</li>
<li>The node attestor in the SPIRE server validates the provided identification document based on the mechanism used. If the AWS IID is used, the relevant attestor will validate it against AWS. Upon successful validation, the SPIRE server sends back the set of SPIFFE IDs that can be issued to the node, along with their process selector policies.</li>
<li>When a workload starts to run on the node, it first makes a call to the node agent asking 'who am I?'. </li>
<li>Based on the process selectors the node agent received in the previous step, and using the workload attestors, the agent decides on the SPIFFE ID to be given to the workload. It generates a key pair for it and sends the CSR (Certificate Signing Request) to the SPIRE server.</li>
<li>The SPIRE server responds to the node agent with the signed SVID for the workload along with the trust bundles, indicating which other workloads can be trusted by this workload.</li>
<li>Upon receiving the response from the SPIRE server, the node agent hands over the received SVID, the trust bundles and the generated private key to the workload. This private key never leaves the node its workload belongs to.</li>
</ol>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Please feel free to suggest any correction, if you notice.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
[1] - https://spiffe.io</div>
<div style="text-align: left;">
[2] - https://docs.google.com/document/d/1RZnBfj8I5xs8Yi_BPEKBRp0K3UnIJYTDg_31rfTt4j8/edit#</div>
</div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.comtag:blogger.com,1999:blog-2392291832115825501.post-62597631820915884002018-12-29T23:03:00.001+05:302019-01-29T19:23:22.166+05:30Authorization for a Multi-Cloud System<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
This is a project design I am currently working on to consume SPIFFE (<a href="https://spiffe.io/" target="_blank">Secure Production Identity Framework For Everyone</a>) bootstrapped trust and identification to provide authorization in a dynamically scaling, heterogeneous system, inspired by Mr. Prabath Siriwardena from WSO2 and under the supervision of Prof. Gihan Dias from University of Moratuwa. An enterprise system running across multiple clouds, as in a hybrid cloud, is an obvious example that will benefit from this. The objective is to open doors for SPIFFE standard based systems to co-exist with the rest of the systems with minimal effort, without compromising on security aspects, while having an authorization solution based on SPIFFE.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<h3>
<b>What is SPIFFE?</b></h3>
</div>
<div style="text-align: justify;">
In brief, it is a trust bootstrapping and identification framework, submitted as a standard and accepted by CNCF (Cloud Native Computing Foundation)[1]. As of now, this standard has two main implementations, SPIRE and Istio[2], the latter a platform that supports service mesh architecture using SPIFFE for identification aspects. These implementations have taken care of a lot of the complexities involved in trust bootstrapping and identification across heterogeneous systems. More details can be read at the <a href="http://spiffe.io/">spiffe.io</a> site.</div>
<div style="text-align: justify;">
<h3>
<b>Why OAuth2.0?</b></h3>
</div>
<div style="text-align: justify;">
OAuth 2.0 is currently the most widely used standard in the API security domain, and it is used for access delegation and authorization in the workloads world as well. While SPIFFE is an emerging standard as of now, OAuth 2.0 has been there for a while, and we can say most enterprise systems have adopted it. Hence if we can blend these two standards, we get the best of both worlds: the interoperability provided by OAuth 2.0 and the dynamic trust bootstrapping and identification capabilities of SPIFFE.<br />
<h3>
<b>How the Design Works?</b></h3>
<div>
Please note the SPIRE server in the below diagram can be any implementation that supports the SPIFFE standard.</div>
</div>
<div style="text-align: justify;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw4gv76OaWxLt8PUpOtsxCvHf56JGEAx4MEEDkE4YFqGa7ZP__j3pKEBmKeqMxsmhwbP122ZS6CHFs1XQcfeR8Adugd8Q-oDi54ke-6Rp0La8H5Bs-H4PEWMWnJbRNP8SgcIDlk3hPkDY/s1600/spiffe-oauth.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1070" data-original-width="1600" height="428" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw4gv76OaWxLt8PUpOtsxCvHf56JGEAx4MEEDkE4YFqGa7ZP__j3pKEBmKeqMxsmhwbP122ZS6CHFs1XQcfeR8Adugd8Q-oDi54ke-6Rp0La8H5Bs-H4PEWMWnJbRNP8SgcIDlk3hPkDY/s640/spiffe-oauth.png" width="640" /></a></div>
<br /> - We assume an enterprise system that consists of workloads residing in two clouds; here we have assumed those are AWS and GCP. If we imagine this as a currently running system in GCP with workloads secured based on OAuth 2.0 scopes, the other workloads that are to consume these should come with valid access tokens and the relevant scopes.<br />
- The part of the system running in the AWS cloud can be imagined to be newly designed to run as part of a multi-cloud system. It makes use of the SPIFFE standard to uniquely identify the workloads across multiple clouds.<br />
- As part of this SPIFFE based trust bootstrapping and identification, each workload receives an X.509 certificate signed by the SPIRE server, bearing its identifier, referred to as the SPIFFE ID.<br />
eg. <span style="font-size: 12pt; white-space: pre-wrap;">spiffe://localdomain/us-west/data (This is included as a SAN) [3]</span><br />
<span style="font-size: 12pt; white-space: pre-wrap;">- Here comes OAuth 2.0 into the picture. We depend on the capability of the authorization server to issue an OAuth 2 access token under the client credentials grant type. This will be under the MTLS OAuth 2.0 specification that is currently in the draft stage[4].</span><br />
<br />
There are few special things happening here,<br />
<br />
<ul>
<li>The MTLS connection is created based on the SPIRE server signed key pair of the workload. Hence the authorization server and the SPIRE server are assumed to have a pre-established trust.</li>
<li>As the workload creates the MTLS connection with the authorization server, it creates an OAuth 2 client dynamically on the fly, generates OAuth2 secrets and issues a token. At this point, the authorization server should do several validations before issuing these. </li>
<li>The certificate needs to be validated first, then the content of it needs to be read along with the SPIFFE ID coming in the SAN.</li>
<li>Just looking at the SPIFFE ID and issuing a token will not suffice for the enterprise use case.</li>
<li>Hence we are to provide the capability of attaching scopes to these tokens based on a policy defined in the authorization server using OPA. (OPA stands for Open Policy Agent, which is flexible enough to express RBAC, ABAC or XACML-like complex policies as well[5].) This policy can consume additionally available data and make decisions.</li>
<li>After the validation is complete, the authorization server will issue a self-contained access token, including the scopes, expired time etc. that will be sent to the AWS workload, in order to be submitted when calling GCP workloads.</li>
<li>GCP workloads do not require any additional functions here, other than using its existing mechanism to validate the OAuth 2.0 token and derive any useful information that came with it.</li>
</ul>
<br />
Hope this explains the scenario well. I am to name this solution Dvaara, indicating opening more doors and controlled access. :)<br />
We are open to any feedback and suggestions.<br />
<br />
If you like to understand more on SPIFFE, [6] might help. <br />
<b><br /></b> [1] - <a href="https://www.cncf.io/blog/2018/03/29/cncf-to-host-the-spiffe-project/">https://www.cncf.io/blog/2018/03/29/cncf-to-host-the-spiffe-project/</a><br />
[2] - <a href="https://istio.io/docs/concepts/security/#istio-security-vs-spiffe">https://istio.io/docs/concepts/security/#istio-security-vs-spiffe</a><br />
[3] - A sample SVID -<br />
<a href="https://gist.github.com/Pushpalanka/b70d5057154eb3c34d651e6a4d8f46ee#file-svid-cert">https://gist.github.com/Pushpalanka/b70d5057154eb3c34d651e6a4d8f46ee#file-svid-cert</a><br />
[4] - <a href="https://tools.ietf.org/html/draft-ietf-oauth-mtls-12">https://tools.ietf.org/html/draft-ietf-oauth-mtls-12</a><br />
[5] - <a href="https://www.openpolicyagent.org/docs/comparison-to-other-systems.html">https://www.openpolicyagent.org/docs/comparison-to-other-systems.html</a><br />
[6] - <a href="https://pushpalankajaya.blogspot.com/2019/01/spiffe-in-nutshell.html" target="_blank">https://pushpalankajaya.blogspot.com/2019/01/spiffe-in-nutshell.html </a><br />
<br />
Cheers!<br />
<br /></div>
</div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.comtag:blogger.com,1999:blog-2392291832115825501.post-87423240564907491752018-01-11T20:34:00.001+05:302018-01-11T20:36:29.632+05:30Beyond PSD2 for a Better Open Banking Experience<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
PSD2 is acting as a catalyst in the digital transformation happening in the banking industry. While meeting the compliance requirements of PSD2, financial institutes are excited to make use of the new business models and opportunities opened by this foundation. The more customers and partners we can reach, the more business activity and the more revenue. Making the banking functions more accessible and reactive will be a key enabler in providing a seamless experience to these parties, <b>including internal banking staff</b>, who directly affect business efficiency. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
IAM plays a critical role in improving business accessibility without compromising the system boundaries. PSD2 mandates strong customer authentication (SCA), setting the bar high for user authenticity, while keeping a few exemptions so as not to bother the payment services user (PSU) with SCA for every little transaction. While adhering to this policy will make an institute PSD2 compliant, if it can react fast to fluctuations in fraud rates, utilizing the freedom given by the SCA exemptions, that can act as a business advantage. Also, what if we select the factors for SCA in a <b>context aware</b> fashion and according to a pre-configured user preference?</div>
<div style="text-align: left;">
<br />While SCA addresses the authenticity of the PSU, API security addresses securely exposing banking functions to Fintechs, including AISPs and PISPs. Supporting OIDC 1.0 based API security flows is plain sailing for this objective. How about having a smooth partner <b>onboarding process</b> that captures all details for security checks from there onwards (with the flexibility of making use of the eIDAS network) and fine grained authorization policies for API access, along with OAuth 2.0 and OIDC?</div>
<div style="text-align: left;">
<br />CIAM is a very sensitive aspect that needs delicate handling, as it is governed by the PSU's choice as a whole and very strictly defined by PSD2 and the GDPR enforcement to come. Precisely and concisely capturing user consent, honoring user consents in all business functions, providing consent management functionalities for both PSUs and customer care officers, keeping trails of changes made to consents, and catering for interoperability between consents captured by different parties still have space for more elegant solutions.</div>
</div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.comtag:blogger.com,1999:blog-2392291832115825501.post-43435806592066244302017-12-23T23:25:00.001+05:302017-12-23T23:25:55.326+05:30Identity Mediation for PSD2<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
Partners, mergers, legal entities, government entities, customers all need to work together in this era, while honoring the boundaries they should work within. This links to my previous posts on the challenges of future IAM requirements arising with increased interchangeability requirements between diversified parties.<br />
<ol style="text-align: left;">
<li>Challenges of Future IAM (concerned with Mergers, Acquisitions, Startups) - http://pushpalankajaya.blogspot.com/2017/07/challenges-of-future-iam-concerned-with.html</li>
<li>Future of Identity and Access Management (IAM) - http://pushpalankajaya.blogspot.com/2017/07/future-of-identity-and-access.html</li>
</ol>
This need is much more emphasized by new regulations such as PSD2 in the EU region, which lays the foundation for Open Banking. While these standards define guidance for implementation interfaces, </div>
<div>
<ul style="text-align: left;">
<li>End user authentication and authorization</li>
<li>Third party authentication and authorization</li>
<li>Identity mgt of internal staff,</li>
</ul>
each has hidden needs for identity mediation. Federated authentication is going to be a key feature requirement in Open Banking for any institution that wants to be a major player in the arena over the long term. </div>
<div>
<br /></div>
<div>
With the Strong Customer Authentication requirements, PSD2 also highlights the need for 'ESB like' power in an identity mediation solution. Without being limited to identity mediation between different protocols, a comprehensive solution needs to be flexible and powerful enough to easily define the sequences the authentication and authorization flow should follow. </div>
<div>
<br /></div>
<div>
How about having an 'ESB like' Identity Mediation Engine that is based on event driven architecture, written in the functional programming paradigm and can be dynamically configured in JavaScript? I have seen Identity Mediation Solutions written in the OOP paradigm and configured via XML or a UI, then solutions that are written in the OOP paradigm but where the sequence can be handled via JavaScript syntax. What's next?</div>
</div>
Building a Fool Proof Security Strategy for PSD2 Compliance (2017-12-23)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
Following are the slides I used in a webinar by WSO2 to look at the IAM and overall security aspects of a fully PSD2 compliant solution. While it lists the basic requirements to be PSD2 compliant, it also explains the requirements that are not visible on the surface, but are very valuable in building a comprehensive and robust solution with a long term vision while being PSD2 compliant as per the urgent need. </div>
<br />
<div>
<iframe allowfullscreen="" frameborder="0" height="485" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/key/kDEcWeup4NYjfH" style="border-width: 1px; border: 1px solid #ccc; margin-bottom: 5px; max-width: 100%;" width="595"> </iframe> <br />
<div style="margin-bottom: 5px;">
<b> <a href="https://www.slideshare.net/wso2.org/building-a-fool-proof-security-strategy-for-psd2-compliance" target="_blank" title="Building a Fool Proof Security Strategy for PSD2 Compliance">Building a Fool Proof Security Strategy for PSD2 Compliance</a> </b> from <b><a href="https://www.slideshare.net/wso2.org" target="_blank">WSO2 Inc.</a></b><br />
<br />
<b>The webinar recording is available at </b><br />
<b><a href="https://wso2.com/library/webinars/2017/11/building-a-fool-proof-security-strategy-for-psd2-compliance/">https://wso2.com/library/webinars/2017/11/building-a-fool-proof-security-strategy-for-psd2-compliance/</a> </b> </div>
</div>
</div>
Regulatory Technical Standard (RTS) for PSD2 SCA in Plain Text (2017-08-19, updated 2017-09-01)<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Abbreviations Used with PSD2</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
<ol style="text-align: left;">
<li>Payment Services Directive 2 - <b>PSD2</b></li>
<li>Regulatory Technical Standard (<b>RTS</b>) - a recommendation requested by PSD2 as a technical guideline to be compliant with PSD2</li>
<li>Strong Customer Authentication - <b>SCA</b></li>
<li>Payment Service User - <b>PSU</b></li>
<li>Account Servicing Payment Service Provider (<b>ASPSP</b>) - the existing banks</li>
<li>Payment Initiation Service Provider (<b>PISP</b>) - a third party entity, or a bank itself, that can initiate the payment process</li>
<li>Account Information Service Provider (<b>AISP</b>) - a third party, or a bank itself, which can retrieve a PSU's account information, for example to show an aggregate view of all accounts</li>
<li>Payment Service Providers issuing card-based payment instruments (<b>PSP</b>) - payment service providers that existed in the pre-PSD2 era and perform payments through card networks like VISA or Mastercard. Sometimes this is also used to refer to all PSPs, including PISPs and AISPs.</li>
<li>Common and Secure Communication (<b>CSC</b>)</li>
<li>Third Party Payment Service Providers (<b>TPP</b>)</li>
<li>Access to accounts - <b>XS2A</b></li>
</ol>
<div style="text-align: left;">
When addressing PISPs, AISPs and PSPs as a whole, this post uses the term XSPs.<br />
<br />
<h2 style="text-align: left;">
PSD2 Flow in Brief </h2>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5pPGSzkZ1SmOh7iOk0VcBcDTUf4ARXZEgUbVqQBHmwrrKkTHqD_vge2z7WiqHoU3S3S6Tr9HIzkjNI1QCz03HTfXRGwL0Ch3pIxx54kVuF2TpV5r8xshIrQfXyLqFw2517UxrsaSJDMM/s1600/psd2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1050" data-original-width="1520" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5pPGSzkZ1SmOh7iOk0VcBcDTUf4ARXZEgUbVqQBHmwrrKkTHqD_vge2z7WiqHoU3S3S6Tr9HIzkjNI1QCz03HTfXRGwL0Ch3pIxx54kVuF2TpV5r8xshIrQfXyLqFw2517UxrsaSJDMM/s1600/psd2.png" /></a></div>
With PSD2, a payment no longer has to go through the card network; instead the relevant bank's APIs, exposed in a secured manner, are called directly.<br />
<br />
<h2 style="text-align: left;">
RTS in Plain Text</h2>
<h3 style="text-align: left;">
CHAPTER 1 - GENERAL PROVISIONS</h3>
<h4 style="text-align: left;">
Article 1 - Subject matter </h4>
Strong Customer Authentication - At PSU authentication, XSPs should apply at least two factors from the categories below. <br />
<ul style="text-align: left;">
<li>Knowledge - Something we know, like our user name and password. </li>
<li>Possession - Something we have, like a mobile or some other device. </li>
<li>Inherence - Something we are, like our biometric identities including iris pattern, fingerprint etc. </li>
</ul>
<div style="text-align: left;">
More details on this come later. <br />
- Freedom is present to exempt SCA based on the level of risk, the amount and the recurrence of the payment transaction, and the payment channel used for its execution. <br />
- Confidentiality and the integrity of the PSU’s personalised security credentials - Encrypt user credentials at the data layer (LDAP, MySQL and the like) and in transport, and mask them when displayed. <br />
- CSC between XSPs (the HTTPS protocol needs to be used in communication.) </div>
<h4 style="text-align: left;">
Article 2 - General authentication requirements</h4>
<ul style="text-align: left;">
<li>Transaction monitoring mechanisms that enable PSPs to detect unauthorised or fraudulent payment transactions. - This needs analytical capabilities integrated within an authorization server, so that it governs the PSU's sessions using the feedback received from monitoring systems.</li>
<li>Transaction monitoring mechanisms shall take into account, at a minimum, each of the following risk-based factors:</li>
<ul>
<li>lists of compromised or stolen authentication elements</li>
<li>the amount of each payment transaction</li>
<li>known fraud scenarios in the provision of payment services</li>
<li>signs of malware infection in any sessions of the authentication procedure</li>
</ul>
<li>When exempting the application of SCA, the following should be considered at a minimum, on a real-time basis:</li>
<ul>
<li>the previous spending patterns of the individual PSU</li>
<li>the payment transaction history of each of the PSP’s PSUs</li>
<li>the location of the payer and of the payee at the time of the payment transaction, provided that the access device or the software is provided by the PSP</li>
<li>abnormal behavioral payment patterns of the PSU in relation to the payment transaction history</li>
<li>in case the access device or the software is provided by the PSP, a log of the use of the access device or the software provided to the PSU and any abnormal use of the access device or the software</li>
</ul>
</ul>
<h4 style="text-align: left;">
Article 3 - Review of the security measures</h4>
PSPs that make use of the exemption under Article 16 (below) shall audit the methodology, the model and the reported fraud rates at a minimum on a yearly basis.<br />
<br />
<h3 style="text-align: left;">
CHAPTER 2 - SECURITY MEASURES FOR THE APPLICATION OF STRONG CUSTOMER AUTHENTICATION</h3>
<h4 style="text-align: left;">
Article 4 - Authentication code</h4>
<ul style="text-align: left;">
<li>Authentication based on two or more elements categorized as knowledge, possession and inherence shall result in the generation of an authentication code. - <b>Use of Multi Factor Authentication(MFA)</b></li>
<li>The authentication code shall be accepted only once by the PSP when the payer uses the authentication code to access its payment account online, to initiate an electronic payment transaction or to carry out any action through a remote channel which may imply a risk of payment fraud or other abuses. - If the OAuth 2.0 authorization code comes to mind at this point, yes.</li>
</ul>
<ol style="text-align: left;">
<li>no information on any of the elements of the strong customer authentication categorized as knowledge, possession and inherence can be derived from the disclosure of the authentication code</li>
<li>it is not possible to generate a new authentication code based on the knowledge of any other authentication code previously generated</li>
<li>the authentication code cannot be forged.<br />The number of consecutive failed authentication attempts within a given period of time, after which access is temporarily or permanently blocked, shall in no event exceed five. - <b>Account locking capabilities should be present in the solution.</b><br />
The payer should be alerted before the block becomes permanent. Where the block is permanent, a secure procedure shall be established allowing the payer to regain use of the blocked electronic payment instruments. (<b>Perhaps send an email to the user at account lock.</b>)<br />
<br />
The communication sessions are protected against the capture of authentication data transmitted during the authentication and against manipulation. (HTTPS)<br />
<br />
A maximum time without activity by the payer after being authenticated for accessing its payment account online shall not exceed five minutes. (<b>Session timeout 5 minutes</b>)<br /> </li>
</ol>
<h4 style="text-align: left;">
Article 5 - Dynamic linking</h4>
When SCA is applied, the following additional security requirements should be met.<br />
<ul style="text-align: left;">
<li>the payer is made aware of the amount of the payment transaction and of the payee.</li>
<li>The authentication code generated shall be specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction. Any change to those invalidates the generated authentication code (so the authentication code is only applicable to the PISP flow). Adopt security measures which ensure the confidentiality, authenticity and integrity of each of the following. <b>(We may need encryption and signing of the relevant data; a JWT which carries this data between services can cater for this.)</b></li>
</ul>
<ul style="margin-left: 40px; text-align: left;">
<li>the amount of the transaction and the payee through all phases of authentication.</li>
<li>the information displayed to the payer through all phases of authentication including generation, transmission and use of the authentication code.</li>
</ul>
In relation to payment transactions for which the payer has given consent to execute a batch of remote electronic payment transactions to one or several payees, the authentication code shall be specific to the total amount of the batch of payment transactions and to the specified payees.</div>
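As an added illustration (not code from the original post, nor from any product it mentions), the following Python sketch shows how one authentication code can satisfy Articles 4 and 5 together: the code is an HMAC over payer, amount, payee and a fresh nonce, so changing the amount or the payee invalidates it, no code can be derived from an earlier one, it is accepted only once, and the payer is blocked after five consecutive failures. The class and method names, the `|`-separated message layout and the server key are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

MAX_FAILED_ATTEMPTS = 5  # Art. 4: consecutive failures before the payer is blocked


@dataclass
class IssuedCode:
    """What the PSP remembers about a code it issued (constructed model)."""
    amount_cents: int
    payee: str
    nonce: str          # fresh randomness per code: no code is derivable from another
    used: bool = False  # Art. 4: a code is accepted only once


class DynamicLinkingAuthCodes:
    """Issues and redeems authentication codes bound to amount and payee (Art. 5).
    Hypothetical service; the HMAC-over-fields layout is this example's choice."""

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._issued: Dict[str, IssuedCode] = {}
        self._failures: Dict[str, int] = {}  # payer -> consecutive failed attempts
        self._blocked: Set[str] = set()

    def _mac(self, payer: str, amount_cents: int, payee: str, nonce: str) -> str:
        msg = f"{payer}|{amount_cents}|{payee}|{nonce}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, payer: str, amount_cents: int, payee: str) -> str:
        """Call once SCA has succeeded for exactly this amount and payee."""
        nonce = secrets.token_hex(16)
        code = self._mac(payer, amount_cents, payee, nonce)
        self._issued[code] = IssuedCode(amount_cents, payee, nonce)
        return code

    def redeem(self, payer: str, code: str, amount_cents: int, payee: str) -> Tuple[bool, str]:
        """Accept the code only for the amount and payee it was issued for, and only once."""
        if payer in self._blocked:
            return False, "blocked"
        rec = self._issued.get(code)
        ok = False
        if rec is not None and not rec.used:
            # Recompute over the *presented* amount and payee: any change yields a
            # different MAC, so the binding is checked, not the caller's word.
            expected = self._mac(payer, amount_cents, payee, rec.nonce)
            ok = hmac.compare_digest(expected, code)
        if ok:
            rec.used = True
            self._failures[payer] = 0
            return True, "accepted"
        self._failures[payer] = self._failures.get(payer, 0) + 1
        if self._failures[payer] >= MAX_FAILED_ATTEMPTS:
            # Art. 4: alert the payer and provide a secure procedure to regain access.
            self._blocked.add(payer)
            return False, f"blocked after {MAX_FAILED_ATTEMPTS} failures"
        return False, "rejected"


def batch_binding(payments: List[Tuple[int, str]]) -> Tuple[int, str]:
    """Art. 5 for batches: bind one code to the total amount and the full payee list."""
    total = sum(amount for amount, _ in payments)
    payees = ",".join(sorted(payee for _, payee in payments))
    return total, payees


if __name__ == "__main__":
    svc = DynamicLinkingAuthCodes(b"constructed-demo-key")
    code = svc.issue("psu-1", 1250, "PAYEE-A")
    print(svc.redeem("psu-1", code, 1250, "PAYEE-B"))  # payee changed: rejected
    print(svc.redeem("psu-1", code, 1250, "PAYEE-A"))  # accepted
    print(svc.redeem("psu-1", code, 1250, "PAYEE-A"))  # replay: rejected
```

Which channel carries the code (an OAuth 2.0 authorization code, a JWT claim, an app push) is an implementation choice; the point is that the PSP recomputes the binding over the amount and payee actually presented at redemption rather than trusting values stored next to the code.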
<div dir="ltr" style="text-align: left;" trbidi="on">
<h4 style="text-align: left;">
Article 6 - Requirements of the elements categorised as knowledge</h4>
<div style="text-align: left;">
<span style="font-weight: normal;">Elements of SCA categorised as knowledge shall be subject to mitigation measures in order to prevent their disclosure to unauthorised parties.</span></div>
<div style="text-align: left;">
<span style="font-weight: normal;">(<b>Keep passwords encrypted, and send OTPs and other second-factor data through secured channels.</b>)</span> </div>
<h4 style="text-align: left;">
Article 7 - Requirements of the elements categorised as possession</h4>
Elements categorized as possession shall be subject to measures designed to prevent replication of the elements.</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<h4 style="text-align: left;">
Article 8 - Requirements of devices and software linked to elements categorised as inherence</h4>
Elements categorized as inherence shall be subject to measures ensuring that the devices and the software guarantee resistance against unauthorised use of the elements through access to the devices and the software.<br />
<h4 style="text-align: left;">
Article 9 - Independence of the elements</h4>
</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
Adopt measures in terms of technology, algorithms and parameters which ensure that the breach of one of the elements does not compromise the reliability of the other elements.<br />
<br />
Mitigating measures shall include each of the following,<br />
<ul style="text-align: left;">
<li>the use of separated secure execution environments through the software installed inside the multi-purpose device;</li>
<li>mechanisms to ensure that the software or device has not been altered by the payer or by a third party or mechanisms to mitigate the consequences of such alteration where this has taken place</li>
</ul>
(<b>Mostly relevant to third party applications like mobile apps or other devices that capture fingerprint-like factors. So there are independence concerns if the two factors are a fingerprint and an SMS OTP while an application installed on the same mobile is used for the fingerprint scan.</b>)</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<h3 style="text-align: left;">
CHAPTER 3 - EXEMPTIONS FROM STRONG CUSTOMER AUTHENTICATION</h3>
<div style="text-align: left;">
<span style="font-weight: normal;">SCA applicability should be handled dynamically under different policies, which need to be configurable since they may change over time. Hence a dynamic policy configuration mechanism should decide the authentication flow for the user.</span> </div>
<h4 style="text-align: left;">
Article 10 - Payment account information</h4>
<ul style="text-align: left;">
<li>PSPs are exempted from the application of SCA where a PSU is limited to accessing either or both of the following items online without disclosure of sensitive payment data,</li>
<ul>
<li>the balance of one or more designated payment accounts</li>
<li>the payment transactions executed in the last 90 days through one or more designated payment accounts.</li>
</ul>
</ul>
The exemption is not applicable in the scenarios below:<br />
<ul style="text-align: left;">
<li>the payment service user is accessing online the information for the first time;</li>
<li>the last time the payment service user accessed the online information and strong customer authentication was applied more than 90 days ago.</li>
</ul>
<h4 style="text-align: left;">
Article 11 - Contactless payments at point of sale</h4>
PSPs are exempted from the application of SCA where the payer initiates a contactless electronic payment transaction provided that both the following conditions are met:<br />
<ul style="text-align: left;">
<li>the individual amount of the contactless electronic payment transaction does not exceed EUR 50</li>
<li>the cumulative amount, or the number, of previous contactless electronic payment transactions initiated via the payment instrument offering a contactless functionality since the last application of strong customer authentication does not, respectively, exceed EUR 150 or 5 consecutive individual payment transactions.</li>
</ul>
<h4 style="text-align: left;">
Article 12 - Transport and parking fares</h4>
SCA is exempted when the payer initiates an electronic payment transaction at an unattended payment terminal for the purpose of paying a transport or parking fare.</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<h4 style="text-align: left;">
Article 13 - Trusted beneficiaries and recurring transactions</h4>
SCA is exempted when:<br />
<ul style="text-align: left;">
<li>the payee is included in a list of trusted beneficiaries previously created or confirmed by the payer through its account servicing payment service provider</li>
<li>the payer initiates a series of payment transactions with the same amount and the same payee.</li>
</ul>
These are not exempted when the payer creates, confirms or subsequently amends the list of trusted beneficiaries after consent is given, or when the payer initiates the series of payment transactions for the first time or subsequently amends the series of payments.</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<h4 style="text-align: left;">
Article 14 - Payments to self</h4>
Payments to self are exempted from SCA.</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<h4 style="text-align: left;">
Article 15 - Low-value transaction</h4>
SCA is exempted when:<br />
<ul style="text-align: left;">
<li>the amount of the remote electronic payment transaction does not exceed EUR 30</li>
<li>the cumulative amount, or the number, of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not, respectively, exceed EUR 100 or 5 consecutive individual remote electronic payment transactions.</li>
</ul>
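The exemption decisions of Articles 10 to 15 above, as an added example that is not part of the original post: a small Python policy function which, given the counters a PSP keeps since the PSU's last SCA, returns whether SCA may be skipped and which article applies, plus the bookkeeping that resets those counters whenever SCA is actually applied. The request kinds, the state model, and the decision to read the cumulative-amount and count limits conservatively (both must hold, and the current transaction counts towards them) are assumptions of the example; the EUR and count thresholds are those quoted in the articles.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Thresholds quoted in RTS Articles 10, 11 and 15.
CONTACTLESS_SINGLE_LIMIT_EUR, CONTACTLESS_CUMULATIVE_LIMIT_EUR, CONTACTLESS_COUNT_LIMIT = 50.0, 150.0, 5
REMOTE_SINGLE_LIMIT_EUR, REMOTE_CUMULATIVE_LIMIT_EUR, REMOTE_COUNT_LIMIT = 30.0, 100.0, 5
ACCOUNT_INFO_SCA_VALIDITY = timedelta(days=90)

@dataclass
class PsuState:
    """Per-PSU counters kept since the last SCA (constructed model, not RTS data)."""
    last_sca_at: Optional[datetime] = None
    contactless_eur_since_sca: float = 0.0
    contactless_count_since_sca: int = 0
    remote_eur_since_sca: float = 0.0
    remote_count_since_sca: int = 0
    own_accounts: Set[str] = field(default_factory=set)
    trusted_beneficiaries: Set[str] = field(default_factory=set)
    recurring_series: Set[Tuple[str, float]] = field(default_factory=set)

@dataclass
class Request:
    """One PSU action; kind is a hypothetical label: account_info, contactless, unattended_fare or payment."""
    kind: str
    now: datetime
    amount_eur: float = 0.0
    payee: str = ""
    remote: bool = True
    series: bool = False  # the payer is setting up a series of identical payments (Art. 13)

def decide_sca(req: Request, st: PsuState) -> Tuple[bool, str]:
    """Return (exempt, reason); exempt=False means SCA must be applied."""
    if req.kind == "account_info":
        # Art. 10: never on first access, nor when the last SCA is over 90 days old.
        if st.last_sca_at is None:
            return False, "Art.10: first access"
        if req.now - st.last_sca_at > ACCOUNT_INFO_SCA_VALIDITY:
            return False, "Art.10: last SCA more than 90 days ago"
        return True, "Art.10: account information"
    if req.kind == "contactless":
        # Art. 11, read strictly: the current transaction counts towards both limits.
        if (req.amount_eur <= CONTACTLESS_SINGLE_LIMIT_EUR
                and st.contactless_eur_since_sca + req.amount_eur <= CONTACTLESS_CUMULATIVE_LIMIT_EUR
                and st.contactless_count_since_sca < CONTACTLESS_COUNT_LIMIT):
            return True, "Art.11: contactless"
        return False, "Art.11: contactless limits exceeded"
    if req.kind == "unattended_fare":
        return True, "Art.12: transport or parking fare"
    if req.kind == "payment":
        if req.payee in st.own_accounts:
            return True, "Art.14: payment to self"
        if req.payee in st.trusted_beneficiaries:
            return True, "Art.13: trusted beneficiary"
        if (req.payee, req.amount_eur) in st.recurring_series:
            return True, "Art.13: recurring series"
        if (req.remote and req.amount_eur <= REMOTE_SINGLE_LIMIT_EUR
                and st.remote_eur_since_sca + req.amount_eur <= REMOTE_CUMULATIVE_LIMIT_EUR
                and st.remote_count_since_sca < REMOTE_COUNT_LIMIT):
            return True, "Art.15: low-value remote payment"
    return False, "SCA required"

def record(req: Request, st: PsuState, exempt: bool) -> None:
    """Update the counters once the request has been processed."""
    if not exempt:
        # SCA was applied: the "since last SCA" windows restart (Arts. 10, 11, 15),
        # and the first payment of a series may now recur without SCA (Art. 13).
        st.last_sca_at = req.now
        st.contactless_eur_since_sca = st.remote_eur_since_sca = 0.0
        st.contactless_count_since_sca = st.remote_count_since_sca = 0
        if req.kind == "payment" and req.series:
            st.recurring_series.add((req.payee, req.amount_eur))
    elif req.kind == "contactless":
        st.contactless_eur_since_sca += req.amount_eur
        st.contactless_count_since_sca += 1
    elif req.kind == "payment" and req.remote:
        st.remote_eur_since_sca += req.amount_eur
        st.remote_count_since_sca += 1

def scenario() -> List[Tuple[bool, str]]:
    """Constructed walk-through over a fresh PSU; returns each decision in order."""
    t0 = datetime(2018, 1, 1, tzinfo=timezone.utc)
    day = lambda n: t0 + timedelta(days=n)
    st = PsuState(own_accounts={"ACC-SELF"}, trusted_beneficiaries={"LANDLORD"})
    steps = [Request("account_info", day(0)),
             *[Request("contactless", day(n), 40.0, "CAFE", remote=False) for n in (1, 2, 3, 4)],  # 4th: 160 > 150
             Request("account_info", day(5)),
             Request("payment", day(6), 25.0, "SHOP"), Request("payment", day(6), 35.0, "SHOP"),  # 35 > 30
             Request("payment", day(7), 500.0, "ACC-SELF"), Request("payment", day(8), 800.0, "LANDLORD"),
             Request("payment", day(9), 200.0, "GYM", series=True), Request("payment", day(39), 200.0, "GYM", series=True),
             Request("account_info", day(130))]  # 121 days after the last SCA
    out = []
    for r in steps:
        exempt, reason = decide_sca(r, st)
        record(r, st, exempt)
        out.append((exempt, reason))
    return out
```

Creating or amending the trusted-beneficiary list is a separate action that always takes SCA, which is why it is not a request kind here; a real deployment would also feed the Article 2 risk signals into `decide_sca` before granting any exemption.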
<h4 style="text-align: left;">
Article 16 - Transaction risk analysis</h4>
Analytics and fraud detection are the capabilities needed here.<br />
<br />
Calculation of fraud rate needs to be handled using a fraud detection solution.<br />
<br />
Detailed risk scoring enabling the payment service provider to assess the level of risk of the payment transaction.</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<h4 style="text-align: left;">
Article 17 - Monitoring</h4>
An analytics solution is needed here.<br />
When exemptions are in action, information needs to be published whenever a decision is made on applying SCA or not in the flow. This needs the help of an API management solution along with Identity and Access Management capabilities.<br />
<ul style="text-align: left;">
<li>PSPs shall record and monitor the following data for each payment instrument, with a breakdown for remote and non-remote payment transactions, at least on a quarterly basis (90 days):</li>
<li>the total value of all payment transactions and the resulting fraud rate, including a breakdown of payment transactions initiated through strong customer authentication and under the exemptions.</li>
<li>the average transaction value, including a breakdown of payment transactions initiated through strong customer authentication and under the exemptions</li>
<li>the number of payment transactions where any of the exemptions was applied and their percentage in respect of the total number of payment transactions</li>
</ul>
<h4 style="text-align: left;">
Article 18 - Invalidation and optionality of exemptions</h4>
When their monitored fraud rate exceeds the applicable reference fraud rate for two consecutive quarters (180 days), PSPs cease exempting transactions from SCA.<br />
<br />
Upon providing evidence that their monitored fraud rate is again in compliance with the applicable reference fraud rate, PSPs can start exempting transactions from SCA again.</div>
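To make Articles 17 and 18 concrete, here is an added Python example (not from the post): it computes the quarterly breakdown the RTS asks for from a constructed list of transactions and then applies the two-consecutive-quarters rule. The record layout, the fraud rate computed as fraudulent value over total value, the 0.15 reference fraud rate and the resumption after a single compliant quarter are assumptions of the example, not figures from the RTS.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

REFERENCE_FRAUD_RATE = 0.15  # placeholder for the applicable reference rate (constructed)


@dataclass
class Txn:
    """One payment transaction as recorded for Art. 17 (constructed record)."""
    quarter: str        # reporting quarter label, e.g. "2018Q1"
    instrument: str     # payment instrument, e.g. "card"
    remote: bool
    value_eur: float
    sca_applied: bool   # False means an exemption was applied
    fraudulent: bool    # later reported as unauthorised or fraudulent


def quarterly_report(txns: List[Txn]) -> Dict[Tuple[str, str, str], dict]:
    """Art. 17 figures per (quarter, instrument, remote/non_remote): total value,
    fraud rate, average value and the SCA versus exemption breakdown."""
    groups: Dict[Tuple[str, str, str], dict] = {}
    for t in txns:
        key = (t.quarter, t.instrument, "remote" if t.remote else "non_remote")
        g = groups.setdefault(key, {"count": 0, "total_eur": 0.0, "fraud_eur": 0.0,
                                    "sca_count": 0, "sca_eur": 0.0,
                                    "exempt_count": 0, "exempt_eur": 0.0})
        g["count"] += 1
        g["total_eur"] += t.value_eur
        if t.fraudulent:
            g["fraud_eur"] += t.value_eur
        bucket = "sca" if t.sca_applied else "exempt"
        g[f"{bucket}_count"] += 1
        g[f"{bucket}_eur"] += t.value_eur
    for g in groups.values():
        g["fraud_rate"] = g["fraud_eur"] / g["total_eur"] if g["total_eur"] else 0.0
        g["avg_eur"] = g["total_eur"] / g["count"]
        g["exempt_share"] = g["exempt_count"] / g["count"]
    return groups


def remote_fraud_rates(report: Dict[Tuple[str, str, str], dict], instrument: str) -> List[Tuple[str, float]]:
    """Quarter-ordered remote fraud rates for one instrument (the input to Art. 18)."""
    return sorted((q, g["fraud_rate"]) for (q, i, r), g in report.items()
                  if i == instrument and r == "remote")


def exemption_allowed(rates: List[Tuple[str, float]], reference_rate: float) -> List[Tuple[str, bool]]:
    """Art. 18: after two consecutive quarters above the reference fraud rate the
    Art. 16 exemption stops; one compliant quarter is taken here as the evidence
    of restored compliance that lets it resume (a simplification of the process)."""
    out, consecutive_over = [], 0
    for quarter, rate in rates:
        consecutive_over = consecutive_over + 1 if rate > reference_rate else 0
        out.append((quarter, consecutive_over < 2))
    return out


SAMPLE_TXNS = [  # constructed sample data, not real figures
    Txn("2018Q1", "card", True, 100.0, True, False),
    Txn("2018Q1", "card", True, 300.0, False, False),
    Txn("2018Q1", "card", True, 100.0, False, True),
    Txn("2018Q1", "card", False, 50.0, True, False),
    Txn("2018Q2", "card", True, 200.0, False, False),
    Txn("2018Q2", "card", True, 200.0, False, True),
    Txn("2018Q3", "card", True, 1000.0, True, False),
]

if __name__ == "__main__":
    rep = quarterly_report(SAMPLE_TXNS)
    for key in sorted(rep):
        print(key, {k: round(v, 3) for k, v in rep[key].items()})
    print(exemption_allowed(remote_fraud_rates(rep, "card"), REFERENCE_FRAUD_RATE))
```

In the sample, the remote card fraud rate is 0.2 in 2018Q1 and 0.5 in 2018Q2, so the exemption is lost from 2018Q2 and regained once 2018Q3 comes in clean.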
<div style="text-align: left;" trbidi="on">
<h3 style="text-align: left;">
CHAPTER 4 - CONFIDENTIALITY AND INTEGRITY OF THE PAYMENT SERVICE USERS’ PERSONALISED SECURITY CREDENTIALS</h3>
<h4 style="text-align: left;">
Article 19 - General requirements</h4>
<ul style="text-align: left;">
<li>Confidentiality and integrity of the personalised security credentials of the PSU, including authentication codes, during all phases of authentication including display, transmission and storage. (<b>Use of password fields in the UI, store sensitive data after encryption, secured transport layer</b>)</li>
<li>personalised security credentials are masked when displayed and not readable in their full extent when input by the PSU during the authentication (<b>Mask password field etc</b>.)</li>
<li>personalised security credentials in data format, as well as cryptographic materials related to the encryption of the personalised security credentials, are not stored in plaintext. (<b>Keystores also need to be encrypted; user passwords need encryption.</b>)</li>
<li>secret cryptographic material is protected from unauthorised disclosure. (Protection of keystore, guaranteed with system level security.)</li>
</ul>
<br />
Fully document the process related to the management of cryptographic material used to encrypt or otherwise render unreadable the personalised security credentials. (Handling key expiration, replacements of people administrating the system.)<br />
Ensure that the processing and routing of personalised security credentials and of the authentication codes generated, take place in secure environments in accordance with strong and widely recognised industry standards. (HTTPS)</div>
<div style="text-align: left;" trbidi="on">
<h4 style="text-align: left;">
Article 20 - Creation and transmission of credentials</h4>
<ul style="text-align: left;">
<li>ensure that the creation of personalised security credentials is performed in a secure environment.</li>
<li>mitigate the risks of unauthorised use of the personalised security credentials and of the authentication devices and software due to their loss, theft or copying before their delivery to the payer.</li>
</ul>
<h4 style="text-align: left;">
Article 21 - Association with the payment service user</h4>
Ensure that only the payment service user is associated with the personalised security credentials, with the authentication devices and the software in a secure manner.<br />
<br />
The association may take place at, but is not limited to, the payment service provider’s premises, the internet environment provided by the payment service provider or other similar secure websites, and its automated teller machine services.<br />
<br />
The association via a remote channel of the PSU’s identity with the personalised security credentials and with authentication devices or software shall be performed using SCA. (<b>This implies SCA even in the AISP flow.</b>)</div>
<div style="text-align: left;" trbidi="on">
<h4 style="text-align: left;">
Article 22 - Delivery of credentials, authentication devices and software</h4>
The delivery of personalised security credentials, authentication devices and software to the payment service user is carried out in a secure manner designed to address the risks related to their unauthorised use due to their loss, theft or copying.<br />
<br />
Mechanisms that allow the payment service provider to verify the authenticity of the authentication software delivered to the payment services user via the internet. (Some signature comparison mechanism when sent over email?)<br />
<br />
The delivered personalised security credentials, authentication devices or software require activation before usage. (Lock the account until activation is done over the phone? Should there be a portal for call center staff to do this?)</div>
<div style="text-align: left;" trbidi="on">
<h4 style="text-align: left;">
Article 23 - Renewal of personalised security credentials</h4>
Ensure that the renewal or re-activation of personalised security credentials follows the same procedures as the creation, association and delivery of the credentials and of the authentication devices.<br />
<h4>
Article 24 - Destruction, deactivation and revocation</h4>
Secure destruction, deactivation or revocation of the personalised security credentials and devices and software.<br />
<br />
Deactivation or revocation of information related to personalised security credentials stored in the PSP’s systems and databases and, where relevant, in public repositories. (Should we delete them entirely or keep them marked as revoked? According to GDPR, if the PSU requests erasure of their data, we should delete it.) </div>
<div style="text-align: left;" trbidi="on">
<h3 style="text-align: left;">
CHAPTER 5 - COMMON AND SECURE OPEN STANDARDS OF COMMUNICATION</h3>
<h4>
Article 25 - Requirements for identification</h4>
Ensure secure identification when communicating between the payer’s device and the payee’s acceptance devices for electronic payments, including but not limited to payment terminals.<br />
<br />
Risks of misdirection of communication to unauthorised parties in mobile applications and other payment services users’ interfaces offering electronic payment services shall be effectively mitigated.</div>
<div style="text-align: left;" trbidi="on">
(Mutual SSL between the parties is an option. Otherwise we can depend on PKI and use signatures and encryption to secure the data placed in a JWT sent in a header.)<br />
<h4>
Article 26 - Traceability</h4>
Have processes in place which ensure that all payment transactions and other interactions with all the parties are traceable in all stages.<br />
<br />
PSPs shall ensure that any communication session established with the PSU, other PSPs and other entities, including merchants, relies on each of the following:<br />
<ul style="text-align: left;">
<li>a unique identifier of the session (JSESSIONID for the session can serve this)</li>
<li>Security mechanisms for the detailed logging of the transaction, including transaction number, timestamps and all relevant transaction data</li>
<li>timestamps which shall be based on a unified time-reference system and which shall be synchronised according to an official time signal.</li>
</ul>
<h4>
Article 27 - Communication interface</h4>
<ul style="text-align: left;">
<li>ASPSP have in place at least one interface which meets each of the following requirements,</li>
<ul style="text-align: left;">
<li>Any Payment Service Provider can identify themselves towards the ASPSP. (An API to register themselves: TPP on-boarding, which may need to make use of workflows for human interactions to receive approval upon a background check.)</li>
<li>AISPs can communicate securely to request and receive information on one or more designated payment accounts and associated payment transactions.</li>
<li>PISPs can communicate securely to initiate a payment order from the payer’s payment account and receive information on the initiation and the execution of payment transactions.</li>
<li>ASPSPs can create separate APIs for above or expose the ones used for their own PSUs.</li>
</ul>
</ul>
For the purposes of authentication of the PSU, the interfaces of the ASPSP shall allow AISPs and PISPs to rely on the authentication procedures provided by the ASPSP to the PSU. (An identity provider's federation capabilities are required here.) In particular, the interface shall meet all of the following requirements:<br />
<ul>
<li>a PISP or an AISP shall be able to instruct the ASPSP to start the authentication.</li>
<li>communication sessions between the ASPSP, the AISP, the PISP and the PSU shall be established and maintained throughout the authentication.</li>
<li>The integrity and confidentiality of the personalised security credentials and of authentication codes transmitted by or through the PISP or the AISP shall be ensured. (Making use of SAML, OIDC like protocols with signing and encryption enabled.)</li>
<li>ASPSP shall ensure that their interface(s) follows standards of communication which are issued by international or European standardisation organisations (Swagger 2.0). ASPSPs shall make the summary of the documentation publicly available on their website at no charge.</li>
<li>Except for emergency situations, any change to the technical specification of their interface is made available to authorised XSPs in advance as soon as possible and not less than 3 months before the change is implemented. (API versioning capabilities can help)</li>
<li>ASPSPs shall make available a testing facility, including support, for connection and functional testing by authorised XSPs that have applied for the relevant authorisation, to test their software and applications used for offering a payment service to users. No sensitive information shall be shared through the testing facility. (API Mgt solutions sandbox endpoints exposed as secured APIs.)</li>
</ul>
<h4>
Article 28 - Obligations for dedicated interface</h4>
(Extensive monitoring is needed on API management nodes regarding performance factors such as response time. High availability deployment requirements apply.) </div>
<div style="text-align: left;" trbidi="on">
<ul>
<li>When dedicated interfaces, different from what is exposed to PSUs, are provided for XSPs, ensure that the dedicated interface offers the same level of availability and performance, including support, as well as the same level of contingency measures, as the interface made available to the PSU for directly accessing its payment account online.</li>
<li>In case of failure to achieve above, ‘without undue delay and shall take any action that may be necessary to avoid its reoccurrence’. PSPs can report such cases to competent authorities too.</li>
<li>ASPSPs shall also ensure that the dedicated interface uses <b>ISO 20022</b> elements, components or approved message definitions for financial messaging. (Something to consider when defining APIs: their requests and responses should adhere to the standard.)</li>
<li>Communication plans to inform PSPs making use of the dedicated interface in case of breakdown, measures to bring the system back to business as usual and a description of alternative options PSPs may make use of during the unplanned downtime.</li>
</ul>
<h4>
Article 29 - Certificates</h4>
Refers to eIDAS (the Regulation on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC), Annex III & IV.<br />
<br />
According to the references, support for the following signature formats is needed to be aligned with this specification: ‘<a href="https://en.wikipedia.org/wiki/XAdES">XAdES</a>, <a href="https://en.wikipedia.org/wiki/PAdES">PAdES</a>, <a href="https://en.wikipedia.org/wiki/CAdES_(computing)">CAdES</a> or ASiC Baseline Profile’, which cater for different LOAs (Levels of Assurance). In such a case the available extension points need to be used to customize the signing procedures, or the capabilities need to be implemented in the products.<br />
<br />
Qualified certificates for electronic seals or for website authentication shall include in English additional specific attributes in relation to each of the following:<br />
<br />
The name of the competent authorities where the payment service provider is registered, and the role of the PSP, which may be one or more of the following:<br />
<ul style="text-align: left;">
<li>ASPSP</li>
<li>PISP</li>
<li>AISP</li>
<li>PSP issuing card-based payment instruments</li>
</ul>
Addition of above attributes shall not affect the interoperability and recognition of qualified certificates for electronic seals or website authentication.<br />
<h4>
Article 30 - Security of communication session</h4>
When exchanging data via the internet, secure encryption is applied between the communicating parties throughout the respective communication session in order to safeguard the confidentiality and the integrity of the data, using strong and widely recognised encryption techniques. (HTTPS)<br />
<br />
XSPs shall keep the access sessions offered by the ASPSP as short as possible, and they shall actively terminate the session with the relevant account servicing payment service provider as soon as the requested action has been completed. (The federated session at the IdP should be terminated once the task completes.)<br />
<br />
When maintaining parallel network sessions, any possibility of misrouting between XSPs must be avoided.<br />
<br />
Communication sessions between XSPs and the ASPSP shall contain an unambiguous reference to each of the following items:<br />
<ul style="text-align: left;">
<li>the PSUs and the corresponding communication session in order to distinguish several requests from the same PSUs</li>
<li>for payment initiation services, the uniquely identified payment transaction initiated</li>
<li>for confirmation on the availability of funds, the uniquely identified request related to the amount necessary for the execution of the card-based payment transaction.</li>
</ul>
<h4>
Article 31 - Data exchanges</h4>
ASPSPs shall comply with the following (the API Manager should guarantee that the same information goes out whether the account is accessed directly by the PSU or through an AISP/PISP):<br />
<ul style="text-align: left;">
<li>Details provided to an AISP shall be the same as those given to the PSU directly, excluding sensitive data.</li>
<li>Immediately after receipt of the payment order, provide PISPs with the same information on the initiation and execution of the payment transaction that is provided or made available to the PSU when the transaction is initiated directly by the latter.</li>
<li>Immediately provide PSPs with a confirmation of whether the amount necessary for the execution of a payment transaction is available on the payment account of the payer. This confirmation shall consist of a simple ‘yes’ or ‘no’ answer.</li>
</ul>
Error handling (API Manager error sequences need to be defined).<br />
<br />
AISP can request information from ASPSP in either of following cases,<br />
<ul style="text-align: left;">
<li>Whenever the PSU is actively requesting such information.</li>
<li>Where the PSU is not actively requesting such information, no more than four times in a 24 hour period, unless a higher frequency is agreed between the AISP and the ASPSP, with the PSU’s consent. (API Manager throttling policy needs to be customized or configured to handle this)</li>
</ul>
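The access-frequency rule above is the one that a generic rate limit does not express, because requests made while the PSU is present must not be counted against the four-per-day cap. The following is an added example (not code from the original post or from any WSO2 product) of a sliding-window check that distinguishes the two cases and honours an agreed higher limit per AISP and account; the reference instant and the identifiers are constructed for the demonstration.

```python
"""Access-frequency check for AISP calls made without PSU presence.

Added example: enforces the Article 31 rule that AISP requests without
the PSU actively present are limited to 4 per rolling 24-hour window per
(AISP, account), unless a higher limit was agreed with the PSU's consent.
Requests made while the PSU is present are never counted.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

DEFAULT_LIMIT = 4            # RTS Article 31 default: four times in 24 hours
WINDOW = timedelta(hours=24)  # rolling window, not a calendar day

# Constructed reference instant used only to make the demo reproducible.
T0 = datetime(2018, 1, 13, 0, 0, tzinfo=timezone.utc)


@dataclass
class AccessRequest:
    aisp_id: str
    account_id: str
    psu_present: bool   # True when the PSU is actively requesting the data
    at: datetime


@dataclass
class AccessFrequencyPolicy:
    # Higher limits agreed with PSU consent, keyed by (aisp_id, account_id).
    # Assumption: the consent record is resolved elsewhere and handed in here.
    agreed_limits: Dict[Tuple[str, str], int] = field(default_factory=dict)
    # Timestamps of counted (PSU-absent) requests per (aisp_id, account_id).
    _history: Dict[Tuple[str, str], deque] = field(
        default_factory=lambda: defaultdict(deque))

    def limit_for(self, aisp_id: str, account_id: str) -> int:
        # An agreement can only raise the default, never lower it.
        return max(DEFAULT_LIMIT, self.agreed_limits.get((aisp_id, account_id), DEFAULT_LIMIT))

    def check(self, req: AccessRequest) -> Tuple[bool, str]:
        """Return (allowed, reason). Only PSU-absent requests consume quota."""
        if req.psu_present:
            return True, "psu-present: not counted"
        key = (req.aisp_id, req.account_id)
        window = self._history[key]
        cutoff = req.at - WINDOW
        # Drop entries that have aged out of the rolling 24-hour window.
        while window and window[0] <= cutoff:
            window.popleft()
        limit = self.limit_for(*key)
        if len(window) >= limit:
            retry_at = window[0] + WINDOW
            return False, f"limit {limit}/24h reached; retry after {retry_at.isoformat()}"
        window.append(req.at)
        return True, f"{len(window)}/{limit} used in current window"


def simulate(policy: AccessFrequencyPolicy,
             events: List[Tuple[str, str, bool, int]]) -> List[bool]:
    """Replay (aisp_id, account_id, psu_present, minutes_after_T0) events
    in order and return the allow/deny decision for each."""
    decisions = []
    for aisp, acct, present, minutes in events:
        allowed, _ = policy.check(AccessRequest(aisp, acct, present, T0 + timedelta(minutes=minutes)))
        decisions.append(allowed)
    return decisions


if __name__ == "__main__":
    policy = AccessFrequencyPolicy()
    # Four background pulls, a fifth is refused, a PSU-initiated one still passes.
    demo = [("aisp-1", "acct-1", False, m) for m in (0, 60, 120, 180)]
    demo += [("aisp-1", "acct-1", False, 300), ("aisp-1", "acct-1", True, 300)]
    print(simulate(policy, demo))
```

The window is keyed per AISP and account so that one provider hitting its cap does not affect another, and the agreed limit can only raise the default, never reduce it below the regulatory floor.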
</div>
<div style="text-align: left;" trbidi="on">
<h3 style="text-align: left;">
CHAPTER 6 - FINAL PROVISIONS</h3>
<h4>
Article 32 - Review</h4>
May propose updates to the fraud rates<br />
<h4>
Article 33 - Entry into force</h4>
This Regulation applies 18 months after the date of entry into force.</div>
<div style="text-align: left;" trbidi="on">
</div>
<div style="text-align: left;" trbidi="on">
<b>Ref :</b> <a href="https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf">https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf</a></div>
</div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.comtag:blogger.com,1999:blog-2392291832115825501.post-80569370088616576172017-08-11T09:42:00.001+05:302017-08-11T09:42:56.310+05:30The Role of IAM in Open Banking<div dir="ltr" style="text-align: left;" trbidi="on">
This presentation discusses the PSD2 standard in detail, with the PISP and AISP flows, the technologies involved around the standard and finally how it can be adopted for the Sri Lankan financial market.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="570px" marginheight="0" marginwidth="0" mozallowfullscreen="" scrolling="no" src="https://www.slideshare.net/Pushpalanka/slideshelf" style="border: none;" webkitallowfullscreen="" width="760px"></iframe>
</div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.comtag:blogger.com,1999:blog-2392291832115825501.post-58885347949475367172017-07-22T18:00:00.001+05:302017-07-22T18:00:51.959+05:30Challenges of Future IAM (concerned with Mergers , Acquisitions, Startups)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
When companies bring in external users to work within enterprise activities, via mergers, acquisitions, outsourcing and by allowing end users to come in via social login, a problem arises from the variety of protocols each of these external parties may use for identity management. Most of the time these external parties will not agree to share their user base, with the sensitive information of their users, since it is a major asset of theirs. In this case identity federation, or cross-domain authentication, comes in to provide a solution to this problem. Identity federation protocols have evolved over time, mainly OpenID, SAML, WS-Federation and OpenID Connect, to address the requirement of federated authentication. Even though these protocols have been able to cater for it, as acquisitions and mergers grow in number the solutions still suffer from two major limitations, namely[1],</div>
<h2>
Federation Silos</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh93QwU1JJSNEeH0BpWKOhsVr-p6Vn85bsHkWhbbM4D3Ma4IwI5DrJeeGi0KgxAModymI254ZNZApOBDkGuwCnazxMcRuz8e3XnPOx9J0cBS5op-dI3z8PPIyX17SLPBCdJ0f11Gs-dOCs/s1600/sILOS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="970" data-original-width="1230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh93QwU1JJSNEeH0BpWKOhsVr-p6Vn85bsHkWhbbM4D3Ma4IwI5DrJeeGi0KgxAModymI254ZNZApOBDkGuwCnazxMcRuz8e3XnPOx9J0cBS5op-dI3z8PPIyX17SLPBCdJ0f11Gs-dOCs/s1600/sILOS.png" /></a></div>
<br />
<br />
<div style="text-align: justify;">
When there is a federation requirement, an organization chooses one of the available protocols as suitable for it and moves ahead with it. Any new system to be integrated is then preferred to support this protocol, as it will be able to co-operate with the existing system. This leads to a federation anti-pattern: a silo of SAML federation, a silo of OpenID Connect federation, a silo of OpenID federation or a silo of some other protocol. Later this makes it very hard to bring in a system that does not support the chosen protocol, and the whole system stays within the boundary of one particular protocol.</div>
<h2>
Spaghetti identity</h2>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaITcQLMdDSoqGxyLnzc1MNd4dI0uWqeTVd2YxA9YHzLvMjhxDKBaV9-nwPNaCwcckeGbfWuepS9MDqoTJLr-MrJIHzyd6RJ8om5AIQ94IVpq2m1SsLEWn65JdFdlvfR83P_ze0xok48A/s1600/Document+1+%25281%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="690" data-original-width="1500" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaITcQLMdDSoqGxyLnzc1MNd4dI0uWqeTVd2YxA9YHzLvMjhxDKBaV9-nwPNaCwcckeGbfWuepS9MDqoTJLr-MrJIHzyd6RJ8om5AIQ94IVpq2m1SsLEWn65JdFdlvfR83P_ze0xok48A/s1600/Document+1+%25281%2529.png" /></a></div>
<br />
<br /></div>
<div style="text-align: justify;">
When
large-scale federation deployments are considered, this anti pattern is
observed. When one silo is considered from the above figure, within an
enterprise there may be so many parties involved in any of the protocols
as service providers and identity providers. Almost all of these
protocols depend on a trust relationship built among these parties in
order for the federation authentication to work. In a large scale this
means there are many point to point trust relationships that need to be
maintained as below. This added complexity makes it an anti-pattern that
needs to be get rid of.</div>
<br />
<i>Hence an integration mechanism is required between these service providers and identity providers. If this integration focused only on each single entity that the enterprise interacts with, it could end up with something similar to the figure below, which does no better than the above.</i><br />
<b id="docs-internal-guid-a91e14a9-6a46-12b1-434a-207b7efcc776" style="font-weight: normal;"><span style="background-color: white; color: black; font-family: 'Times New Roman'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img alt="Collaboration.png" src="https://lh5.googleusercontent.com/rYB87pj5sWEvLXSYpe-TKb8Fjh9TNC-kck3WZTD8m1VBEuanIdsfeA4hkTg4FuJ9MJLQozITQr5IPGUH7F4VfjLPxMepOOOnP5hA_4UPLATl3MyYfcK-Rl7mhbSm23rMxPgFZsPn" style="border: medium none; transform: rotate(0rad);" /></span></b><br />
<br />
Integration with External Parties for Identity Management<br />
<br />
<div style="text-align: left;">
As
seen in the figure, if this approach is taken, the end result is a
maintenance costly, complex design. This means to write adapters for
each new party that is joining the enterprise system, which leads to
several complications such as,</div>
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li>Adapters need to be written (possibly from scratch), which takes time and involves a significant cost.</li>
<li>As the number of adapters increases, the complexity of maintenance grows.</li>
<li>There is little re-use of the available resources and of the effort put into writing adapters.</li>
<li>There is no central location which can control the identities involved in the enterprise.</li>
</ul>
<div style="text-align: justify;">
Identity management includes several aspects such as authentication, authorization, claims handling for users, provisioning of users and so on. These have factors common to all the parties which can be reused among them. Also, taking authorization as an example, an enterprise usually has policies that need to be effective across the whole system. With the above design this is much more complex, and there is no single location that can cater for monitoring or management requirements.</div>
<br />
<div>
[1] - <a href="https://dzone.com/articles/identity-anti-patterns">https://dzone.com/articles/identity-anti-patterns</a></div>
<div>
[2] - <a href="https://msdn.microsoft.com/en-us/library/ee748508.aspx">https://msdn.microsoft.com/en-us/library/ee748508.aspx</a></div>
</div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.comtag:blogger.com,1999:blog-2392291832115825501.post-45594670982838900642017-07-22T15:22:00.000+05:302017-07-22T15:22:18.885+05:30Future of Identity and Access Management (IAM)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
When a business needs rapid growth or a new technology integrated, partnering and acquisition strategies are commonly put forward. WhatsApp being acquired by Facebook and Skype being acquired by Microsoft are popular acquisitions done by the giants of the industry. According to the Wall Street Journal, “2015 the biggest year ever for mergers and acquisitions” globally[1]. When this is considered from the perspective of enterprise identity management, it means the rapid merging of external users into the current enterprise system. While this merge needs to happen rapidly in order to gain the competitive advantage, privacy and security aspects cannot be ignored. Quocirca, a primary research and analysis company, also confirms that “many businesses now have more external users than internal ones. Many organisations are putting in place advanced identity and access management tools to facilitate the administration and security issues raised by this.”[2]. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The impact of these mergers and acquisitions has been predicted by the reputed analyst firm Gartner as “By 2020, 60% of digital identities interacting with the enterprise will come from external identity providers through a competitive marketplace – up from less than 10% today.”[3]. Quocirca further discusses this topic in relation to the BYOID concept, where users may present their identity via an external identity provider that the enterprise trusts. These external identity providers might be using different protocols (legacy, proprietary or standards-based) to deal with identities. Hence integrating these with existing systems is a challenge, as full replacement of legacy systems is often difficult or even impossible, and this concerns a very sensitive part of enterprise security. As a solution for this foreseen rising requirement in the enterprise IAM arena, the industry is investigating several solutions. While some have been evaluating the possibility of using an ESB itself for the purpose, a new concept has also emerged, the EIB, which focuses specifically on identity mediation.</div>
<div style="text-align: left;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Apart from enterprises growing through mergers and acquisitions, consider a new enterprise: most of the time, users had to register there by filling in a lengthy form. But with the application of the BYOID concept, it opens the door to easily attracting the whole user base of the social identity providers. For example, a website that allows login via Google or Facebook has a potential user base as large as Google users plus Facebook users, compared to a website that only allows login for its own registered users. In order to achieve this kind of external identity provider integration, there needs to be a mechanism to securely confirm the user's identity and to convey the decision in a mutually understandable way. For this, a transformation needs to happen between the two parties, which can be identified as the main functionality of an EIB.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
With the above facts it is evident that identity mediation is a requirement for enterprises in the coming days, due to the high rate of mergers and acquisitions and the possible competitive advantage of supporting login via a social identity. Also, with newly emerging technologies like IoT, many new protocols may be introduced to interact with identities, and current protocols might get new versions with several modifications. Time is a critical factor for the enterprise when adopting new technologies: the faster they move, the greater the benefit. The requirement that arises in this situation is an identity mediation mechanism that can transform between identity protocols, similar to how ESBs transform messages between different transport protocols.</div>
<br />
<div style="text-align: left;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
[1] - M. Farrell, "2015 Becomes the Biggest M&A Year Ever", WSJ, 2016. [Online]. Available: <a href="http://www.wsj.com/articles/2015-becomes-the-biggest-m-a-year-ever-1449187101">http://www.wsj.com/articles/2015-becomes-the-biggest-m-a-year-ever-1449187101</a>. [Accessed: 24- Jan- 2016].</div>
<br />
<div style="text-align: left;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
[2] - Quocirca.com, "Identity, access management and the rise of bring your own identity | quocirca.com", 2013. [Online]. Available: <a href="http://quocirca.com/article/identity-access-management-and-rise-bring-your-own-identity">http://quocirca.com/article/identity-access-management-and-rise-bring-your-own-identity</a>. [Accessed: 24- Jan- 2016].</div>
<br />
<div style="text-align: left;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
[3] - D. Atkinson, "A Report From Inside the Gartner Identity and Access Management Summit", Top Identity & Access Management Software, Vendors, Products, Solutions, & Services, 2014. [Online]. Available: <a href="http://solutions-review.com/identity-management/a-report-from-inside-the-gartner-identity-and-access-management-summit/">http://solutions-review.com/identity-management/a-report-from-inside-the-gartner-identity-and-access-management-summit/</a>. [Accessed: 24- Jan- 2016].</div>
</div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.comtag:blogger.com,1999:blog-2392291832115825501.post-66056146201396113802017-07-21T10:39:00.001+05:302017-07-21T10:39:53.484+05:30Worth of Bitcoins<div dir="ltr" style="text-align: left;" trbidi="on">
Bitcoin seems to be an interesting subject and has been gathering hype recently.<br /><br />If we look at the value of a Bitcoin over the years, in 2015 it was worth $250 and now it is going beyond $2500. This is capable of attracting more people towards it. We will proceed with more posts to understand Bitcoin, how to use it and any useful information for anyone interested in moving forward with Bitcoin, which I think is the currency of the future.<br /><br />The following, captured from coinbase.com on 8th June 2017, shows the value deviation of bitcoin from its very start.<br />
<br />
<a href="https://3.bp.blogspot.com/-xJAKnCumiNs/WTlghAQDFSI/AAAAAAAAACg/U3iaNZEwp3kdkAs3dDWKV1siKZqGKZcaACLcB/s1600/Peek%2B2017-06-08%2B20-03.gif"><img border="0" src="https://3.bp.blogspot.com/-xJAKnCumiNs/WTlghAQDFSI/AAAAAAAAACg/U3iaNZEwp3kdkAs3dDWKV1siKZqGKZcaACLcB/s1600/Peek%2B2017-06-08%2B20-03.gif" /></a><br /><br />Source : <a href="https://www.coinbase.com/join/58cce2e725cbc807ff9fe77b" target="_blank">https://www.coinbase.com</a></div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.comtag:blogger.com,1999:blog-2392291832115825501.post-25904079465549174892017-07-21T10:35:00.002+05:302017-12-23T22:19:42.574+05:30[WSO2 Article] Frictionless Adoption of Payment Services Directive 2 (PSD2) with WSO2<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
The following webinar recording, which I did while at WSO2, discusses in detail the security implications of PSD2, the technical standards available around the recommendations and which WSO2 products are in line to cater for those.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/vvVF72Mbjnk/0.jpg" frameborder="0" height="532" src="https://www.youtube.com/embed/vvVF72Mbjnk?feature=player_embedded" width="640"></iframe></div>
<br />
<br />
Source : <a href="http://wso2.com/library/webinars/2017/04/frictionless-adoption-of-payment-services-directive-with-wso2/">http://wso2.com/library/webinars/2017/04/frictionless-adoption-of-payment-services-directive-with-wso2/</a><br />
<br />
The detailed article can be found at : <a href="http://wso2.com/library/articles/2017/05/frictionless-adoption-of-the-security-recommendations-for-the-payment-services-directive-2-psd2-with-wso2/">http://wso2.com/library/articles/2017/05/frictionless-adoption-of-the-security-recommendations-for-the-payment-services-directive-2-psd2-with-wso2/</a></div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.comtag:blogger.com,1999:blog-2392291832115825501.post-39916192519391865062017-07-21T10:33:00.000+05:302017-07-21T10:33:22.171+05:30Adaption of PSD2<div dir="ltr" style="text-align: left;" trbidi="on">
The European Union has enforced the Payment Service Directive version 2 (PSD2), which Payment Service Providers must adopt by the year 2018. The following slide deck discusses the<br />
<br />
<ul>
<li>
PSD2 background </li>
<li>PSD2 effects on the business domain </li>
<li>Security implications of the directive </li>
<li>What technologies, standards are available to meet the requirements </li>
<li>How WSO2 products can support to adapt PSD2</li>
</ul>
<br />
<iframe allowfullscreen="" frameborder="0" height="485" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/key/dLEFrxLKL8Pjq4" style="border-width: 1px; border: 1px solid #ccc; margin-bottom: 5px; max-width: 100%;" width="595"> </iframe> <br />
<div style="margin-bottom: 5px;">
<b> <a href="https://www.slideshare.net/Pushpalanka/frictionless-adaption-of-psd2-with-wso2" target="_blank" title="Frictionless Adaption of PSD2 with WSO2">Frictionless Adaption of PSD2 with WSO2</a> </b> from <b><a href="https://www.slideshare.net/Pushpalanka" target="_blank">Pushpalanka Jayawardhana</a></b><br />
<br />
The whole webinar based on these slides can be found at [1].<br />
<br />
[1] - <a href="http://wso2.com/library/webinars/2017/04/frictionless-adoption-of-payment-services-directive-with-wso2/">http://wso2.com/library/webinars/2017/04/frictionless-adoption-of-payment-services-directive-with-wso2/</a><br />
<br />
</div>
</div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.comtag:blogger.com,1999:blog-2392291832115825501.post-63925211100787776832017-07-20T20:50:00.000+05:302017-07-21T11:34:52.564+05:30Checkout the Initial Summary for Directions in IML<div dir="ltr" style="text-align: left;" trbidi="on">
<iframe allowfullscreen="" frameborder="0" height="485" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/key/u4QQp42tbdI8Wm" style="border-width: 1px; border: 1px solid #ccc; margin-bottom: 5px; max-width: 100%;" width="595"> </iframe> <br />
<div style="margin-bottom: 5px;">
<b> <a href="https://www.slideshare.net/Pushpalanka/identity-mediation-for-enterprise-identity-bus" target="_blank" title="Identity mediation for enterprise identity bus">Identity mediation for enterprise identity bus</a> </b> from <b><a href="https://www.slideshare.net/Pushpalanka" target="_blank">Pushpalanka Jayawardhana</a></b> </div>
</div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.comtag:blogger.com,1999:blog-2392291832115825501.post-87434864923775792472017-07-20T20:47:00.002+05:302017-07-20T20:47:25.126+05:30Why Identity Mediation? And a Language ?<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
As identified and predicted by several prominent analyst firms (Forrester, Gartner), acquiring and merging has been the frequent mechanism for enterprises to expand in the recent past and will be in the years to come. With this expansion there is a rising need for enterprises to handle identity and access management procedures across the enterprise in a secure way that is fast enough to retain the competitive advantage of the merged or acquired assets. With different enterprises having a variety of standards and protocols in use for identity and access management, catering for this requirement is absolutely challenging given the time factor. A similar situation was addressed by the Enterprise Service Bus (ESB) concept a few years back, when the requirement arose to mediate between different transport protocols and data formats when communication was required between disparate enterprise systems, both legacy and modern.</div>
<br /><img src="https://lh4.googleusercontent.com/HQeZ1_y-BbtKk5uYEP9X_3Zmmkeg4ZBwwxooGbUGAJCV_mSeyf8OIYNSrjpdK8q0bcDveNfE39fr2OH89AXMcPVnl1Qv-7PeungNsWsKPrDGTv_iP_eD5-kHbLOecEMci2kZ_d48" /><br /><br /><br /><div style="text-align: justify;">
We are trying to apply the same concepts around the ESB in the arena of identity and access management, to provide the basis for an Enterprise Identity Bus (EIB). While the idea of an EIB has been discussed frequently in panels with the participation of industry giants and the concept has existed for a while, there are limited implementations and little research done around the subject. Hence, in order to design an elegant solution, we have to go down to the root level of mediation language implementations and possible approaches for the mediation engine implementation.<br /><br /><br />Observing how identity protocols have evolved, reached their glory stage and then died out within a few years, the mediation engine needs to be very flexible in its configuration and extensibility, for which a Domain Specific Language (DSL) is to be defined. This decision is taken after considering its pros and cons and the usage of mediation languages in ESBs.<br /><br /><br />This blog is to provide a platform to discuss and share important findings and thoughts towards the implementation of IML (Identity Mediation Language) and IME (Identity Mediation Engine), together with an approach towards providing a robust solution for the requirement under consideration.</div>
</div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.comtag:blogger.com,1999:blog-2392291832115825501.post-10887434302870269552017-07-02T14:10:00.000+05:302017-07-02T14:10:20.862+05:30 WSO2 Identity Server - Extension Points - Part 3 - XACML<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
This is the third of a series of posts on the extension points available in WSO2 Identity Server, each covering a separate protocol.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Previous posts can be found at,</div>
<ul style="text-align: left;">
<li><a href="http://pushpalankajaya.blogspot.com/2015/12/wso2-identity-server-extension-points.html" target="_blank">WSO2 Identity Server - Extension Points - Part 1 - SAML</a></li>
<li>
<a href="http://pushpalankajaya.blogspot.com/2016/01/oauth-extension-points-part-2-wso2.html" target="_blank">WSO2 Identity Server - Extension Points - Part 2 - OAuth</a></li>
</ul>
<div style="text-align: left;">
The XACML architecture has four main components:</div>
<ul style="text-align: left;">
<li>PIP (Policy Information Point) - serves information required for policy evaluation.</li>
<li>PAP (Policy Administration Point) - serves capabilities to govern the policies.</li>
<li>PDP (Policy Decision Point) - makes the decision on incoming requests, whether to permit or deny, based on the defined policies and the information collected from the PIP.</li>
<li>PEP (Policy Enforcement Point) - the interception point which checks and honors the policy decision.</li>
</ul>
<div style="text-align: left;">
<b id="docs-internal-guid-5f9c9dde-f47b-75c5-f168-5a638b464ee0" style="font-weight: normal;"></b><br /></div>
<div style="text-align: left;">
<b id="docs-internal-guid-5f9c9dde-f47b-75c5-f168-5a638b464ee0" style="font-weight: normal;">WSO2 Identity Server can act as all these 4 components. In this post we will check on the extendability of these components and their usages.</b></div>
<h2 style="text-align: left;">
Policy Information Point(PIP) modules </h2>
<u><b> Usage:</b></u><br />
<div>
When the information available locally is not enough to evaluate an XACML request.<br />
<br />
e.g. we need to authorize the user depending on their age, which is not directly available in the current user store. <br />
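To make the PIP role concrete, here is an added example (written in Python so it runs stand-alone; it is not WSO2 Identity Server code and does not use its APIs) of a minimal decision routine: the policy needs the subject's age, the request carries only the subject-id and the local user store has no age, so the PDP consults registered attribute finders before deciding. The attribute ids, the user records and the evaluation date are constructed for the demonstration.

```python
"""Where a PIP attribute finder sits in XACML-style evaluation.

Added example: a tiny PDP that resolves a missing attribute through
registered finders (the PIP role). If no finder can supply an attribute
the policy needs, the result is Indeterminate rather than a silent Deny,
which is the behaviour a practitioner should watch for when a custom
finder is misconfigured.
"""
from datetime import date

# Constructed attribute ids (not WSO2 claim URIs); subject-id is the standard XACML one.
ROLE_ATTR = "urn:example:attributes:role"
AGE_ATTR = "urn:example:attributes:age"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"

TODAY = date(2017, 7, 2)  # fixed evaluation date so the demo is reproducible


class AttributeFinder:
    """Base class for the PIP attribute-finder role: declares the attribute
    ids it can supply and resolves one of them for a given subject."""
    supported = ()

    def find(self, subject_id, attribute_id):
        raise NotImplementedError


class UserStoreFinder(AttributeFinder):
    """Stands in for the default finder reading the local user store.
    The constructed store knows roles but has no age or date of birth."""
    supported = (ROLE_ATTR,)
    STORE = {"alice": {ROLE_ATTR: "customer"},
             "bob": {ROLE_ATTR: "customer"}}

    def find(self, subject_id, attribute_id):
        return self.STORE.get(subject_id, {}).get(attribute_id)


class AgeFinder(AttributeFinder):
    """Custom finder: derives age from an external (constructed) registry
    of dates of birth, the kind of source the default finder cannot reach."""
    supported = (AGE_ATTR,)
    REGISTRY = {"alice": date(1990, 3, 14), "bob": date(2004, 10, 1)}

    def find(self, subject_id, attribute_id):
        dob = self.REGISTRY.get(subject_id)
        if dob is None:
            return None
        had_birthday = (TODAY.month, TODAY.day) >= (dob.month, dob.day)
        return TODAY.year - dob.year - (0 if had_birthday else 1)


class Pdp:
    def __init__(self, finders):
        self.finders = list(finders)

    def attribute(self, request, attribute_id):
        """Serve an attribute from the request if present, else ask the
        finders in registration order; None means nobody could supply it."""
        if attribute_id in request:
            return request[attribute_id]
        for finder in self.finders:
            if attribute_id in finder.supported:
                value = finder.find(request[SUBJECT_ID], attribute_id)
                if value is not None:
                    return value
        return None

    def evaluate(self, request, policy):
        """policy: list of (attribute_id, predicate); every condition must
        hold for Permit. A condition on an attribute that cannot be
        resolved yields Indeterminate, not Deny."""
        for attribute_id, predicate in policy:
            value = self.attribute(request, attribute_id)
            if value is None:
                return "Indeterminate"
            if not predicate(value):
                return "Deny"
        return "Permit"


# Constructed policy: only customers aged 18 or over are permitted.
ADULT_CUSTOMER = [(ROLE_ATTR, lambda role: role == "customer"),
                  (AGE_ATTR, lambda age: age >= 18)]


def decide(subject_id, finders=(UserStoreFinder(), AgeFinder())):
    """Evaluate ADULT_CUSTOMER for a request that carries only the subject-id."""
    return Pdp(finders).evaluate({SUBJECT_ID: subject_id}, ADULT_CUSTOMER)


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, decide(who))
    # Without the custom finder the age cannot be resolved at all.
    print("alice without AgeFinder:", decide("alice", finders=(UserStoreFinder(),)))
```

The last call shows why a missing or unregistered finder matters: the request and the user store together cannot answer the age condition, so the outcome is Indeterminate rather than a decision, and the PEP must treat that as a refusal.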
<h4 style="text-align: left;">
1. PIP Attribute Finder </h4>
<u><b> Usage:</b></u><br />
<br />
The ‘DefaultAttributeFinder’ talks to the underlying user store to read user attributes. By default it is registered for all the claims defined under the ‘http://wso2.org/claims’ dialect. If user attributes need to be read from another location, or some other deviation from the default claim retrieval process is required, this extension point should be used, by specifying the fully qualified name of the custom class under "PIP.AttributeDesignators.Designator.1" in the [IS_HOME]/repository/conf/identity/entitlement.properties file. You can also add more attribute finders while keeping the default one.<br />
<br />
<b><u> Sample: </u></b><br />
<br />
<a href="https://docs.wso2.com/display/IS510/Writing+a+Custom+Policy+Info+Point">https://docs.wso2.com/display/IS510/Writing+a+Custom+Policy+Info+Point</a><br />
<div style="text-align: left;">
<br />
<u><b> Abstract Class / Default Implementation: </b></u><br />
<br />
org.wso2.carbon.identity.entitlement.pip.DefaultAttributeFinder </div>
<h4 style="text-align: left;">
2. PIP Resource Finder </h4>
<div style="text-align: left;">
<u><b> Usage: </b></u><br />
Registers a PIP resource finder with the PDP. The default resource finder finds resources in the underlying registry. If different logic is required for finding resources, implement this interface and add an entry (the fully qualified class name, under "PIP.ResourceFinders.Finder.1") to the [IS_HOME]/repository/conf/identity/entitlement.properties file. </div>
<div style="text-align: left;">
<br />
<u><b> Abstract Class / Default Implementation: </b></u><br />
org.wso2.carbon.identity.entitlement.pip.DefaultResourceFinder </div>
<h4 style="text-align: left;">
3. PIP Extension </h4>
<div style="text-align: left;">
<u><b> Usage: </b></u><br />
PIPExtensions are fired for each and every XACML request, which gives a handle to the incoming request. They can be used to carry out custom checks on, or updates to, the XACML request before it is sent to the PDP. Configured by specifying the fully qualified class name under "PDP.Extensions.Extension.1" in the [IS_HOME]/repository/conf/identity/entitlement.properties file. <br />
<br />
<u><b> Interface: </b></u><br />
org.wso2.carbon.identity.entitlement.pip.PIPExtension </div>
<h2 style="text-align: left;">
Policy Administration Point(PAP) modules </h2>
<h4 style="text-align: left;">
1. Entitlement Data Finder</h4>
<div style="text-align: left;">
This is the implementation of the policy metadata finder module, which by default finds the resources in the underlying registry. Any deviation in policy metadata finding can be written as an extension at this point, configured under <br />
<br />
PAP.Entitlement.Data.Finder.1 </div>
<div style="text-align: left;">
<br />
<u><b> Abstract Class / Default Implementation: </b></u><br />
org.wso2.carbon.identity.entitlement.pap.CarbonEntitlementDataFinder </div>
<h4 style="text-align: left;">
2. Policy Publisher Module</h4>
<div style="text-align: left;">
The policy publisher module is used to publish policies to external PDPs. The external PDP can be an Identity Server or anything else, so this interface provides an extension point to publish policies to different PDPs. <br />
<br />
PAP.Policy.Publisher.Module.1</div>
<div style="text-align: left;">
<br />
<u><b> Abstract Class / Default Implementation: </b></u><br />
org.wso2.carbon.identity.entitlement.policy.publisher.CarbonBasicPolicyPublisherModule <br />
<br />
<u><b> 3. Policy Version Manager </b></u><br />
<br />
This manages the versions of XACML policies. If a deviation is required, for example in the supported maximum version, this can be used. <br />
<br />
PAP.Policy.Version.Module </div>
<div style="text-align: left;">
<br />
<b><u> Abstract Class / Default Implementation: </u></b><br />
org.wso2.carbon.identity.entitlement.policy.version.DefaultPolicyVersionManager </div>
<h4 style="text-align: left;">
4. PAPStatusDataHandler</h4>
<div style="text-align: left;">
A handler that is fired after an entitlement policy admin action is done. If anything needs to be done in response to such an admin action, this extension can be used. <br />
<br />
PAP.Status.Data.Handler.1 </div>
<div style="text-align: left;">
<br />
<u><b> Abstract Class / Default Implementation: </b></u><br />
org.wso2.carbon.identity.entitlement.SimplePAPStatusDataHandler </div>
<h2 style="text-align: left;">
Policy Decision Point(PDP) modules </h2>
<h4 style="text-align: left;">
1. Policy Finder</h4>
<div style="text-align: left;">
The policy finder module is an extension point through which XACML policies can be stored and loaded into the PDP from different sources. More than one policy finder module can be configured in the file [IS_HOME]/repository/conf/identity/entitlement.properties, as below. <br />
<br />
PDP.Policy.Finder.1= </div>
<div style="text-align: left;">
<br />
<u><b> Interface: </b></u><br />
org.wso2.carbon.identity.entitlement.policy.finder.PolicyFinderModule </div>
<div style="text-align: left;">
<br />
<u><b> Abstract Class / Default Implementation: </b></u><br />
org.wso2.carbon.identity.entitlement.policy.store.RegistryPolicyStoreManageModule </div>
<h4 style="text-align: left;">
2. Policy Store Module</h4>
<div style="text-align: left;">
Handles the add, update, delete operations of the policies. Any modification to these operations can be done via this extension. <br />
<br />
<u><b>Interface: </b></u>org.wso2.carbon.identity.entitlement.policy.store.PolicyStoreManageModule <br />
The config parameter key should look like:<br />
PDP.Policy.Store.Module= </div>
<div style="text-align: left;">
<br />
<b><u> Abstract Class / Default Implementation: </u></b><br />
org.wso2.carbon.identity.entitlement.policy.store.RegistryPolicyStoreManageModule (by default this is acting as the policy finder as well.) </div>
<h4 style="text-align: left;">
<b> 3. Policy Data Store Module</b></h4>
<div style="text-align: left;">
This is the entitlement policy data store, used to persist policy metadata such as the global policy combining algorithm and to perform operations such as get, set and remove on policy data stored in the Carbon registry. Any deviation from this can be made via this extension, using the config below. <br />
<br />
PDP.Policy.Data.Store.Module= <br />
<br />
<u><b> Abstract Class / Default Implementation: </b></u><br />
org.wso2.carbon.identity.entitlement.policy.store.DefaultPolicyDataStore </div>
<h2 style="text-align: left;">
Policy Enforcement Point (PEP) modules</h2>
<div style="text-align: left;">
When providing fine-grained authorization for service providers, WSO2 Identity Server acts as a PEP itself and calls its own PDP to get authorization decisions. This is an extension point exposed by the Identity Application Authentication Framework to customize the authorization logic. By default the implementation is XACML based, and it can be extended here to cater for any deviation in how the server acts as a PEP.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<u><b>Interface:</b></u></div>
<div style="text-align: left;">
org.wso2.carbon.identity.application.authentication.framework.handler.authz.AuthorizationHandler <u><b><br /></b></u></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<u><b> </b></u><b><u>Abstract Class / Default Implementation:</u></b></div>
org.wso2.carbon.identity.application.authz.xacml.handler.impl.XACMLBasedAuthorizationHandler<div style="text-align: left;">
<b><u><br /></u></b></div>
<div style="text-align: left;">
<b><u>Config:</u></b></div>
<div style="text-align: left;">
At IS_HOME/repository/conf/identity/application-authentication.xml,</div>
under &lt;Extensions&gt;,<div style="text-align: left;">
&lt;AuthorizationHandler&gt;...&lt;/AuthorizationHandler&gt;</div>
<div style="text-align: left;">
<b><u><br /></u></b></div>
<div style="text-align: left;">
Hope this will help in extending the functionalities, giving you the freedom to have your exact requirements catered for. Cheers!</div>
</div>
</div>
Pushpalanka (http://www.blogger.com/profile/12173668224617137998), 2017-06-29: WSO2 Identity Server - Extension Points - Part 2 - OAuth<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
OAuth2 is widely used in the enterprise today for authorization aspects of APIs. This is the second post on the extension points available in WSO2 Identity Server after <a href="http://pushpalankajaya.blogspot.com/2015/12/wso2-identity-server-extension-points.html" target="_blank">WSO2 Identity Server - Extension Points - Part 1 - SAML</a><br />
<br />
All implementations of the following extension points need to be configured in the &lt;IS_HOME&gt;/repository/conf/identity/identity.xml file, under the OAuth element.</div>
<br />
<h3>
1. Custom OAuth grant handler</h3>
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Usage:</span></b></h4>
Used when we need to support an OAuth flow that is different from the standard grant types. The handler validates the grant, the scopes and the access delegation.<br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Sample:</span></b></h4>
<a href="https://docs.wso2.com/display/IS510/Writing+a+Custom+OAuth+2.0+Grant+Type">https://docs.wso2.com/display/IS510/Writing+a+Custom+OAuth+2.0+Grant+Type</a><br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Interface:</span></b></h4>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler</b><br />
<h3>
2. Client Auth Handler </h3>
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Usage:</span></b></h4>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
Used when client credential authentication needs to be customized. By default the client id and secret are validated.</b><br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Interface:</span></b></h4>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
org.wso2.carbon.identity.oauth2.token.handlers.clientauth.ClientAuthenticationHandler</b><br />
<h3>
3. OAuthCallbackHandler</h3>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">An extension point provided to verify whether the authenticated user is the rightful owner of the resource. There can be multiple active OAuthCallbackHandler implementations at a given time; they are registered through identity.xml. At runtime, each and every authorization callback handler is invoked to see whether it can handle the given callback, and the one with the highest priority is chosen. After handling the callback, it can set whether the given callback is authorized or not.</b><br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Interface: </span></b></h4>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandler</b><br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Abstract Class / Default Implementation:</span></b></h4>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler </b><br />
<h3>
4. TokenPersistenceProcessor</h3>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">Implementations are used to process keys and secrets just before storing them in the database, e.g. to encrypt tokens before they are stored. Implementations of this interface can be configured through identity.xml.</b><br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Interface: </span></b></h4>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
org.wso2.carbon.identity.oauth.tokenprocessor.TokenPersistenceProcessor</b><br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Abstract Class / Default Implementation:</span></b></h4>
<br />
<ul>
<li><b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor </b></li>
<li><b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor</b></li>
</ul>
<h3>
5. CustomClaimsCallbackHandler</h3>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">This is an extension point provided to include any claims that need to go into the id_token in addition to the standard OIDC mandatory claims and the user claims retrieved by WSO2 Identity Server.<br /><br />For example, a tenant-specific claim retrieved from an external API or source could be included in an id_token using this extension point. It can also be used to set claims in the id_token without having to configure requested claims or OIDC scopes via the management console. </b><br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Interface: </span></b></h4>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
org.wso2.carbon.identity.openidconnect.CustomClaimsCallbackHandler</b><br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Abstract Class / Default Implementation:</span></b></h4>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback</b><br />
<h3>
6. UserInfoAccessTokenValidator</h3>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">Validates the access token and returns the token info. The default behavior is to validate the access token with the WSO2 IS token validation OSGi service (the scope is also checked to include the openid scope). If this needs to be modified, this extension can be used.</b><br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Interface:</span></b></h4>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
org.wso2.carbon.identity.oauth.user.UserInfoAccessTokenValidator</b><br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Default Implementation:</span></b></h4>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoISAccessTokenValidator</b><br />
<h3>
7. UserInfoClaimRetriever</h3>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">The default behavior is to create claim URI and claim value pairs according to the claim mappings received. Any modification to this default behavior can be done here.</b><br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Interface:</span></b></h4>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
org.wso2.carbon.identity.oauth.user.UserInfoClaimRetriever</b><br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Default Implementation:</span></b></h4>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoUserStoreClaimRetriever</b><br />
<h3>
8. UserInfoRequestValidator</h3>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">The default behavior is to validate the schema and the Authorization header according to the specification (<a href="http://openid.net/specs/openid-connect-basic-1_0-22.html#anchor6">http://openid.net/specs/openid-connect-basic-1_0-22.html#anchor6</a>). Any further validation of, or modification to the validation of, the user info request can be done using this extension. </b><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Interface:</span></b></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: 'arial'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">org.wso2.carbon.identity.oauth.user.UserInfoRequestValidator</span></b></div>
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Default Implementation:</span></h4>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'arial'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInforRequestDefaultValidator</span></div>
<br />
<h3>
9. UserInfoResponseBuilder</h3>
Creates the UserInfoResponse. By default the response can be a JSON or a JWT. When a different format is required this extension can be used to support it. <b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;"></b><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Interface:</span></b></div>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
org.wso2.carbon.identity.oauth.user.UserInfoResponseBuilder</b><br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Default Implementations:</span></b></h4>
<br />
<ul>
<li><b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJSONResponseBuilder</b></li>
<li><b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJWTResponse</b></li>
</ul>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;"></b><br />
<h3>
10. AuthorizationContextTokenGenerator</h3>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">Generates the token relevant to the authorization context. By default JWT token generation is supported, with the following properties encoded into the token for each authenticated API request:</b><br />
<ul>
<li><b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">subscriber, applicationName, apiContext, version, tier, and endUserName</b></li>
<li><b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">Additional properties can be encoded by engaging the extension below.</b></li>
<li><b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">The JWT header and body are base64 encoded separately and concatenated with a dot.</b></li>
<li><b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">Finally the token is signed using the SHA256 with RSA algorithm.</b></li>
</ul>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;"><br />Any deviation can be made via this extension and configured in identity.xml.</b><br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Default Implementations:</span></b></h4>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
org.wso2.carbon.identity.oauth2.authcontext.AuthorizationContextTokenGenerator</b><br />
<br />
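The token format listed above, as an added example that is not WSO2's own token generator code: it builds a JWT from the claim names on the page with constructed sample values and a throw-away RSA key pair, signs it with SHA256withRSA, verifies it, and shows a tampered body failing verification. The Base64url encoding used here is the variant the JWT specification requires; the class name AuthContextJwtDemo and the sample claim values are assumptions, and the real server signs with the key in its own keystore.<br />

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not WSO2 code): a JWT in the shape the page describes for the
 * authorization context token. Header and body are Base64url-encoded separately,
 * joined with a dot, and the result is signed with SHA256withRSA.
 * The claim names come from the page; the values and key pair are constructed.
 */
public class AuthContextJwtDemo {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    /** Minimal JSON serialisation for a flat map of string-valued claims. */
    static String toJson(Map<String, String> claims) {
        StringBuilder sb = new StringBuilder("{");
        boolean first = true;
        for (Map.Entry<String, String> e : claims.entrySet()) {
            if (!first) sb.append(',');
            first = false;
            sb.append('"').append(escape(e.getKey())).append("\":\"")
              .append(escape(e.getValue())).append('"');
        }
        return sb.append('}').toString();
    }

    static String escape(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }

    /** Produces header.body.signature, each part Base64url-encoded. */
    static String generate(Map<String, String> claims, PrivateKey key) throws Exception {
        String header = B64.encodeToString(
                "{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String body = B64.encodeToString(toJson(claims).getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + body;           // what the signature covers
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + B64.encodeToString(sig.sign());
    }

    /** A consumer (e.g. an API gateway) must verify the signature before trusting any claim. */
    static boolean verify(String jwt, PublicKey key) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.UTF_8));
        return sig.verify(B64D.decode(parts[2]));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);                                  // demo key; IS uses its keystore
        KeyPair kp = kpg.generateKeyPair();

        Map<String, String> claims = new LinkedHashMap<>();
        // claim names from the page; values are constructed sample data
        claims.put("subscriber", "alice");
        claims.put("applicationName", "OrdersApp");
        claims.put("apiContext", "/orders/v1");
        claims.put("version", "v1");
        claims.put("tier", "Gold");
        claims.put("endUserName", "alice@example.com");

        String jwt = generate(claims, kp.getPrivate());
        System.out.println(jwt);
        System.out.println("valid: " + verify(jwt, kp.getPublic()));          // true

        // Changing the body (here: the tier) without re-signing must fail verification.
        String[] p = jwt.split("\\.");
        claims.put("tier", "Unlimited");
        String tamperedBody = B64.encodeToString(toJson(claims).getBytes(StandardCharsets.UTF_8));
        String tampered = p[0] + "." + tamperedBody + "." + p[2];
        System.out.println("tampered valid: " + verify(tampered, kp.getPublic())); // false
    }
}
```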
<h3>
11. ClaimsRetriever</h3>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">The default implementation of this ClaimsRetriever reads user claim values from the default Carbon user store. The user claims are encoded into the token, in the natural order of the claim URIs, by the token generator above. To engage this class, its fully qualified class name should be mentioned under identity.xml -> OAuth -> TokenGeneration -> ClaimsRetrieverImplClass.<br /><br />Any deviation can be done using this extension.</b><br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Default Implementations:</span></b></h4>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
org.wso2.carbon.identity.oauth2.authcontext.AuthorizationContextTokenGenerator</b><br />
<h3>
12. ResponseTypeHandler</h3>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">This handler validates access delegation and OAuth scopes, and then issues codes or tokens. If this flow needs to be customized, this extension can be used. </b><br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Interface:</span></b></div>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
org.wso2.carbon.identity.oauth2.authz.handlers.ResponseTypeHandler</b><br />
<h3>
13. OAuth2TokenValidator</h3>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">This is invoked when a token is sent back for validation, to validate the scopes, the validity of the access token and the access delegation. </b><br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: 'trebuchet ms'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Interface:</span></b></h4>
<b id="docs-internal-guid-5f9c9dde-f413-359b-17ae-d990c6ceff89" style="font-weight: normal;">
org.wso2.carbon.identity.oauth2.validators.OAuth2TokenValidator</b></div>
</div>
Pushpalanka (http://www.blogger.com/profile/12173668224617137998), 2016-02-20: WSO2ConAsia-2016 - "Enterprise Security Uncovered"<div style="margin-bottom:5px"> <strong> <a href="//www.slideshare.net/wso2.org/wso2con-asia-2016-enterprise-security-uncovered" title="WSO2Con ASIA 2016: Enterprise Security Uncovered" target="_blank">WSO2Con ASIA 2016: Enterprise Security Uncovered</a> </strong> from <strong><a target="_blank" href="//www.slideshare.net/wso2.org">WSO2 Inc.</a></strong> </div>
Pushpalanka (http://www.blogger.com/profile/12173668224617137998), 2015-12-01: WSO2 Identity Server - Extension Points - Part 1 - SAML<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
<span style="font-size: small;"><span style="font-family: inherit;">This is the first post of a series of posts to come, to serve as a catalog of the extension points available within WSO2 Identity Server as of the IS 5.1.0 version, which is to be released soon. Most of them are available in the 5.0.0 version as well. Quite a lot of flexibility is provided for users to shape Identity Server to serve exactly what they require via these extension points. </span></span></div>
<div style="text-align: justify;">
<span style="font-size: small;"><span style="font-family: inherit;"><br /></span></span></div>
<div style="text-align: justify;">
<span style="font-size: small;"><span style="font-family: inherit;"></span></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-size: small;"><span style="font-family: inherit;"><b id="docs-internal-guid-8b4d58dc-5d8c-a558-3cde-b94b6d30f85e" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">There are 2 types of extensions available in WSO2 Identity Server as of now. Most of these require a restart of the server in order to become effective, after which they can be configured dynamically without a further restart. A few of the extensions, like UI theming, can be made without a server restart.</span></b></span></span></div>
<div style="text-align: left;">
<span style="font-size: small;"><span style="font-family: inherit;"><b id="docs-internal-guid-8b4d58dc-5d8c-a558-3cde-b94b6d30f85e" style="font-weight: normal;"></b></span></span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<li style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-size: small;"><b id="docs-internal-guid-8b4d58dc-5d8c-a558-3cde-b94b6d30f85e" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Drop the extension developed as an OSGi bundle, restart the server, then configure it dynamically</span></b></span></div>
</li>
<ul style="margin-bottom: 0pt; margin-top: 0pt;"><ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: square; text-decoration: none; vertical-align: baseline;"><div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-size: small;"><b id="docs-internal-guid-8b4d58dc-5d8c-a558-3cde-b94b6d30f85e" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">eg: custom user store managers</span></b></span></div>
</li>
</ul>
</ul>
<li style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-size: small;"><b id="docs-internal-guid-8b4d58dc-5d8c-a558-3cde-b94b6d30f85e" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Drop the extension developed as a Java component, configure it in a configuration file, then restart the server. It can then be configured dynamically via the UI. </span></b></span></div>
</li>
<ul style="margin-bottom: 0pt; margin-top: 0pt;"><ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: square; text-decoration: none; vertical-align: baseline;"><div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-size: small;"><b id="docs-internal-guid-8b4d58dc-5d8c-a558-3cde-b94b6d30f85e" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">eg: custom authenticators</span></b></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<br /></div>
</li>
</ul>
</ul>
</ul>
<br />
<div style="text-align: left;">
<span style="font-size: small;"><span style="font-family: inherit;"><b id="docs-internal-guid-8b4d58dc-5d8c-a558-3cde-b94b6d30f85e" style="font-weight: normal;"></b></span></span></div>
<h2 style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
Files Used for Configurations </h2>
<ol style="text-align: left;">
<li><span style="font-size: small;"><span style="font-family: inherit;">The configuration files for these extensions are located in the &lt;IS_HOME&gt;/repository/conf folder. </span></span></li>
<li><span style="font-size: small;"><span style="font-family: inherit;">Most of the configurations specific to Identity Server reside in identity/identity.xml within this folder. </span></span></li>
<li><span style="font-size: small;"><span style="font-family: inherit;">Configurations relevant to federation scenarios (authentication framework) reside in the identity/application-authentication.xml file. </span></span></li>
<li><span style="font-size: small;"><span style="font-family: inherit;">Identity management related configurations reside in the identity/identity-mgt.properties file. </span></span></li>
<li><span style="font-size: small;"><span style="font-family: inherit;">Entitlement (XACML) related configurations reside in the identity/entitlement.properties file.</span></span><br />
Apart from the above, there are multiple listeners, and UI modifications are allowed for branding purposes.</li>
</ol>
<div style="text-align: justify;">
<i><b>Note: Though the extension points are available to cater for a variety of enterprise needs, they introduce a maintenance overhead in the long term. If these are valid generic scenarios, we will be merging them into the product itself; otherwise these extensions need to be maintained at major upgrades whenever there is an API change or improvements are done at the interfaces. </b></i></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
First, our attention goes to the SAML-based scenario, as SAML is a widely used standard for Single Sign-On.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Please find below a list of the available extension points related to this scenario.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="font-family: inherit;"><b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"></b></span></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-size: 14.6667px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">All implementations of the following extension points need to be configured in the &lt;IS_HOME&gt;/repository/conf/identity/identity.xml file under the element ‘SSOService’.</span></b></div>
<br />
<h3>
1. Custom SSO Signer</h3>
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: "trebuchet ms"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Usage: </span></b></h4>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: white; color: #222222; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Use this when you want to change the way the SAML Response or Assertion is signed or validated. If the change is only to the algorithms used, the default UI configurations cover that without going for this extension.</span></b></div>
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: "trebuchet ms"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Sample: </span></b></h4>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><a href="http://pushpalankajaya.blogspot.com/2014/09/how-to-write-custom-saml-sso-assertion.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://pushpalankajaya.blogspot.com/2014/09/how-to-write-custom-saml-sso-assertion.html</span></a></b></div>
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><br /></b>
<br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: "trebuchet ms"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Interface:</span></b></h4>
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;">
</b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">org.wso2.carbon.identity.sso.saml.builders.signature.SSOSigner</span></b></div>
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;">
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<span style="background-color: transparent; color: #666666; font-family: "trebuchet ms"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Default Implementation:</span></h4>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">org.wso2.carbon.identity.sso.saml.builders.signature.DefaultSSOSigner</span></div>
</b><br />
<h3>
2. Custom SSO encryption</h3>
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: "trebuchet ms"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Usage:</span></b></h4>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: white; color: #222222; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Use this when you want to change the way the SAML assertion is encrypted locally.</span></b></div>
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: "trebuchet ms"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Interface:</span></b></h4>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">org.wso2.carbon.identity.sso.saml.builders.encryption.SSOEncrypter</span></b></div>
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: "trebuchet ms"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Default Implementation:</span></b></h4>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">org.wso2.carbon.identity.sso.saml.builders.encryption.DefaultSSOEncrypter</span></b></div>
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><br /></b>
<br />
<h3>
3. SAMLAssertionBuilder</h3>
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: "trebuchet ms"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Usage:</span></b></h4>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This extension point controls how the SAML assertion is built. Its intended use is to put the given inputs into the SAML assertion in the preferred format. It gives full control over what goes into the SAML assertion. </span></b></div>
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: "trebuchet ms"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Interface:</span></b></h4>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">org.wso2.carbon.identity.sso.saml.builders.assertion.SAMLAssertionBuilder</span></b></div>
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><br /></b>
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: "trebuchet ms"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Default Implementation:</span></b></h4>
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;">
</b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">org.wso2.carbon.identity.sso.saml.builders.assertion.DefaultSAMLAssertionBuilder</span></b></div>
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;">
</b><br />
<h3>
4. SAML2HTTPRedirectSignatureValidator</h3>
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: "trebuchet ms"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Usage:</span></b></h4>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Can be used to change how the signature is validated for the SAML HTTP Redirect binding (deflating, encoding, etc.). </span></b></div>
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: "trebuchet ms"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Interface:</span></b></h4>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectSignatureValidator</span></b></div>
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: "trebuchet ms"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Default Implementation:</span></b></h4>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator</span></b></div>
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><br /></b>
<br />
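The check that an HTTP Redirect binding signature validator performs, as an added example written against the JDK alone; it is not code from this post or from WSO2 Identity Server, and the class, method and parameter names (RedirectBindingSignatureCheck, verify, inflateMessage, buildSignedQuery, splitRaw) are assumptions made for the illustration. It shows the two details that matter most for this binding: the signed octets are the still-URL-encoded SAMLRequest, RelayState and SigAlg values in that order, and the inflate step happens only after the signature has been verified against an allowlisted algorithm.

```java
// Added example, not WSO2 Identity Server code: signature validation for a SAML2
// HTTP-Redirect binding message using only the JDK. All names are assumptions.
import java.io.ByteArrayOutputStream;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import java.util.zip.Inflater;
import java.util.zip.InflaterOutputStream;

public class RedirectBindingSignatureCheck {

    private static final String UTF8 = StandardCharsets.UTF_8.name();
    private static final String RSA_SHA256_URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Allowlist of SigAlg URIs this deployment accepts, mapped to JCA names. SigAlg arrives
    // in the query string from the sender, so it must never be trusted to choose the algorithm.
    private static final Map<String, String> ALLOWED_SIG_ALGS =
            Collections.singletonMap(RSA_SHA256_URI, "SHA256withRSA");

    /**
     * Verifies the signature on an HTTP-Redirect binding message. The signed octets are the
     * still-URL-encoded parameter values, concatenated in the fixed order
     * SAMLRequest (or SAMLResponse), RelayState (if present), SigAlg. Re-encoding decoded
     * values instead of reusing the received encoding is a classic way to break this check.
     */
    public static boolean verify(String rawQuery, PublicKey spPublicKey) throws Exception {
        Map<String, String> encoded = splitRaw(rawQuery);
        String message = encoded.containsKey("SAMLRequest") ? "SAMLRequest" : "SAMLResponse";
        if (!encoded.containsKey(message) || !encoded.containsKey("SigAlg")
                || !encoded.containsKey("Signature")) {
            return false;
        }
        String jcaName = ALLOWED_SIG_ALGS.get(URLDecoder.decode(encoded.get("SigAlg"), UTF8));
        if (jcaName == null) {
            return false; // unknown or disallowed algorithm
        }
        StringBuilder signed = new StringBuilder(message).append('=').append(encoded.get(message));
        if (encoded.containsKey("RelayState")) {
            signed.append("&RelayState=").append(encoded.get("RelayState"));
        }
        signed.append("&SigAlg=").append(encoded.get("SigAlg"));

        Signature sig = Signature.getInstance(jcaName);
        sig.initVerify(spPublicKey);
        sig.update(signed.toString().getBytes(StandardCharsets.US_ASCII));
        byte[] sigBytes = Base64.getDecoder().decode(URLDecoder.decode(encoded.get("Signature"), UTF8));
        return sig.verify(sigBytes);
    }

    /** Base64-decodes and inflates (raw DEFLATE) the message; call only after verify() passed. */
    public static String inflateMessage(String encodedValue) throws Exception {
        byte[] deflated = Base64.getDecoder().decode(URLDecoder.decode(encodedValue, UTF8));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (InflaterOutputStream in = new InflaterOutputStream(out, new Inflater(true))) {
            in.write(deflated);
        }
        return out.toString(UTF8);
    }

    /** Splits the raw query string without decoding, so the received encoding is preserved. */
    static Map<String, String> splitRaw(String rawQuery) {
        Map<String, String> m = new LinkedHashMap<>();
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0) {
                m.put(pair.substring(0, eq), pair.substring(eq + 1));
            }
        }
        return m;
    }

    /** Sender side, used here only to build a constructed sample message for the demo. */
    public static String buildSignedQuery(String xml, String relayState, PrivateKey spKey) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (DeflaterOutputStream d = new DeflaterOutputStream(buf, new Deflater(Deflater.DEFAULT_COMPRESSION, true))) {
            d.write(xml.getBytes(StandardCharsets.UTF_8));
        }
        String query = "SAMLRequest=" + URLEncoder.encode(Base64.getEncoder().encodeToString(buf.toByteArray()), UTF8)
                + "&RelayState=" + URLEncoder.encode(relayState, UTF8)
                + "&SigAlg=" + URLEncoder.encode(RSA_SHA256_URI, UTF8);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(spKey);
        s.update(query.getBytes(StandardCharsets.US_ASCII));
        return query + "&Signature=" + URLEncoder.encode(Base64.getEncoder().encodeToString(s.sign()), UTF8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair sp = gen.generateKeyPair(); // constructed service-provider key for the demo
        String xml = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_demo1\"/>";
        String query = buildSignedQuery(xml, "/app/home", sp.getPrivate());
        System.out.println("genuine message verifies: " + verify(query, sp.getPublic()));
        // Altering any signed parameter (here RelayState) must make verification fail.
        String tampered = query.replace("RelayState=%2Fapp%2Fhome", "RelayState=%2Fother");
        System.out.println("tampered message verifies: " + verify(tampered, sp.getPublic()));
        System.out.println(inflateMessage(splitRaw(query).get("SAMLRequest")));
    }
}
```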
<h3>
5. ResponseBuilder</h3>
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: "trebuchet ms"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Usage:</span></b></h4>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This extension point provides full control over the SAML Responses built to be sent to relying parties.</span></b></div>
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: #666666; font-family: "trebuchet ms"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Interface:</span></b></h4>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">org.wso2.carbon.identity.sso.saml.builders.ResponseBuilder</span></b></div>
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><br /></b>
<br />
<h4 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 8pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;">
<span style="background-color: transparent; color: #666666; font-family: "trebuchet ms"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Default Implementation:</span></b></h4>
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;">
</b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">org.wso2.carbon.identity.sso.saml.builders.DefaultResponseBuilder</span></b></div>
<b id="docs-internal-guid-9813ec6e-5d99-f69c-4fc6-9b9f996e4495" style="font-weight: normal;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">org.wso2.carbon.identity.sso.saml.builders.ErrorResponseBuilder</span></div>
</b><br />
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<br /></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<b><span style="font-size: small;"><span style="font-family: inherit;"><span style="font-weight: normal;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> If there are any other use cases or samples you have found useful around the WSO2 Identity Server SAML implementation, you are most welcome to add them here, for the benefit of all. Thanks!</span></span></span></span></b><br />
<br />
<b><span style="font-size: small;"><span style="font-family: inherit;"><span style="font-weight: normal;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The <b>second post is available at <a href="http://pushpalankajaya.blogspot.com/2016/01/oauth-extension-points-part-2-wso2.html" target="_blank">OAuth - Extension Points Part 2 - WSO2 Identity Server</a></b>, on the extension points in WSO2 Identity Server related to OAuth 2.0.</span></span></span></span></b></div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<br /></div>
<br class="Apple-interchange-newline" /></div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.comtag:blogger.com,1999:blog-2392291832115825501.post-36187972364385800282014-09-21T22:12:00.000+05:302014-09-21T22:12:15.698+05:30Leveraging federation capabilities of Identity Server for API gateway - Configuration Details<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
With this post I am sharing the steps of a popular solution using WSO2 Identity Server and WSO2 API Manager. The following diagram gives an initial insight into this solution.</div>
<h4 style="text-align: justify;">
Overview</h4>
<div class="separator" style="clear: both; text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1t20A6aGmBVPAv3di2bRYWbVw3jvMLNJH_w6_XUMQr0RFW8GhOXCCiyZ-CvWbCNoVsq1brT4107eJMeecLW6Hgnco4I837isy_XnWM9Zl2swS8XshLEZXOy_7JmDmWfJnsb5v6xB_7NU/s1600/Federated+(2).png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1t20A6aGmBVPAv3di2bRYWbVw3jvMLNJH_w6_XUMQr0RFW8GhOXCCiyZ-CvWbCNoVsq1brT4107eJMeecLW6Hgnco4I837isy_XnWM9Zl2swS8XshLEZXOy_7JmDmWfJnsb5v6xB_7NU/s1600/Federated+(2).png" height="317" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<span style="text-align: justify;">1. A webapp that requires single sign-on (SSO) with some other applications. </span><br />
<div>
<span style="text-align: justify;"> - To achieve this we are using WSO2 Identity Server (IS) as the Identity Provider (IDP). </span></div>
<div>
<span style="text-align: justify;"><br /></span><span style="text-align: justify;">2. The webapp needs to consume some APIs secured with OAuth tokens. </span></div>
<div>
<span style="text-align: justify;"> - To expose the APIs secured with OAuth tokens we are using WSO2 API Manager (AM) here.</span><br />
<span style="text-align: justify;"> - Since we already have the SAML Response received at the SSO step, the SAML2 Bearer grant type is ideal in this scenario for requesting an OAuth token to access the required APIs.</span></div>
<div>
<span style="text-align: justify;"> - To allow AM to properly issue an OAuth token in this scenario, we add IS as a trusted IDP in AM.</span></div>
<div>
<span style="text-align: justify;"><br /></span><span style="text-align: justify;">3. The webapp needs to allow users registered in another IDP, like Facebook or Google, to log in with SSO functionality. </span></div>
<div>
<span style="text-align: justify;"> - We need to achieve this with minimal configuration on the internal IS and the external IDP side.</span><br />
<ol style="text-align: left;">
</ol>
<div>
<div style="text-align: justify;">
The rest of this post will deal with how we can configure the above, without sharing any databases underneath. We will set this up in multi-tenancy mode, to make it a more general scenario. Another instance of WSO2 Identity Server will be used in the place of the external IDP. This can be replaced with Facebook, Google etc. according to the requirement.</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<h3 style="text-align: justify;">
Pre-requisites</h3>
<div>
<div style="text-align: justify;">
WSO2 Identity Server -5.0.0 - <a href="http://wso2.com/products/identity-server">http://wso2.com/products/identity-server</a></div>
</div>
<div>
<div style="text-align: justify;">
WSO2 API Manager 1.7.0 - <a href="http://wso2.com/products/api-manager">http://wso2.com/products/api-manager</a></div>
</div>
<div>
<div style="text-align: justify;">
Sample Webapp - <a href="https://drive.google.com/file/d/0B1njqfOEx3g8RGR0WUlnUVdjUmM/edit?usp=sharing" target="_blank">Source of the webapp can be downloaded here</a>. </div>
<div style="text-align: justify;">
The <a href="https://drive.google.com/file/d/0B1njqfOEx3g8X25LSDVUS0liWjA/edit?usp=sharing" target="_blank">compiled webapp, ready to deploy in a servlet container, can be found here</a>.</div>
<div style="text-align: justify;">
As we are going to run several instances of WSO2 servers, we need to configure port offsets if all of them run on one machine. The following are the port offsets and ports I am going to use. I will be using two tenants in the two Identity Servers, and the API Manager will be run in super tenant mode.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
1. WSO2 Identity Server 5.0.0 - Internal IDP - Offset 0 - Port 9443 </div>
<div style="text-align: justify;">
Tenant - lanka.com</div>
<div style="text-align: justify;">
2. WSO2 Identity Server 5.0.0 - External IDP - Offset 1 - Port 9444 </div>
<div style="text-align: justify;">
Tenant - lux.org</div>
<div style="text-align: justify;">
3. WSO2 API Manager 1.7.0 - API Gateway - Offset 2 - Port 9445</div>
<div style="text-align: justify;">
Tenant - carbon.super</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
</div>
<h3 style="text-align: justify;">
Webapp Configurations </h3>
<div>
If you download the webapp from the above link, the keystore configurations are already done. You will only need to import the public certificate of the tenant in the internal IDP (lanka.com) into the keystore of the webapp, 'travelocity.jks'. </div>
<div>
Please note the following configurations done in the travelocity.properties file found inside the webapp at '/travelocity.com/WEB-INF/classes/travelocity.properties'.</div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
<br />
<pre class="prettyprint">EnableSAML2Grant=true
#A unique identifier for this SAML 2.0 Service Provider application
SAML.IssuerID=travelocity.com@lanka.com
#The URL of the SAML 2.0 Identity Provider
SAML.IdPUrl=https://localhost:9443/samlsso
#Password of the KeyStore for SAML and OpenID
KeyStorePassword=travelocity
#Alias of the IdP's public certificate
SAML.IdPCertAlias=lanka.com
#Alias of the SP's private key
SAML.PrivateKeyAlias=travelocity
#Private key password to retrieve the private key used to sign
#AuthnRequest and LogoutRequest messages
SAML.PrivateKeyPassword=travelocity
#OAuth2 token endpoint URL
SAML.OAuth2TokenEndpoint=https://localhost:9445/oauth2/token
#OAuth2 Client ID
SAML.OAuth2ClientID=FxuhFBEcX5P1wjtqPqigJ0OVP5ca
#OAuth2 Client Secret
SAML.OAuth2ClientSecret=2eqfI11Y9dRZaiijbAK3dfJFNRMa
</pre>
</div>
</div>
</div>
<div>
<br />
<h3>
1. SSO Setup with Internal IDP</h3>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
</div>
<ul style="line-height: 1.15;">
<li><span style="font-family: inherit; line-height: 1.15; white-space: pre-wrap;">Log in as the tenant admin - &lt;admin&gt;@lanka.com</span></li>
<li><span style="font-family: inherit; line-height: 1.15; white-space: pre-wrap;">Export the public certificate of the private key used at the webapp side to sign the SAML Authentication Request. The following command can be used to export it.</span></li>
</ul>
<pre class="prettyprint">keytool -export -alias travelocity -file travelocity -keystore &lt;path to travelocity.jks (whichever keystore is used at the webapp side)&gt;</pre>
<div>
<ul style="text-align: left;">
<li><span style="font-family: inherit; line-height: 17.25px; white-space: pre-wrap;">Import the public certificate exported above into the tenant key store of the internal IDP (Identity Server) as below.</span></li>
</ul>
</div>
<div>
<span style="clear: left; float: left; font-family: Arial; font-size: 15px; margin-bottom: 1em; margin-right: 1em; vertical-align: baseline; white-space: pre-wrap;"><img alt="keystore1.png" height="210px;" src="https://lh6.googleusercontent.com/0aHn1ZMTSYF2YmZVXc0r2X95UFm8qGE_lbKQwDbYJJ4KmTbXrkTQWUd2sa1zgDaKC2WDzYqNkyZeM1PHrjp0a7Og5G-100i2iqQh0e2FQvc0OBklS9oerxo9fc_4_xSUlw" style="-webkit-transform: rotate(0rad); border: none;" width="768px;" /></span><span id="docs-internal-guid-dd268a3e-9885-58bf-a1ce-8c3ff1c9fc7e"></span></div>
</div>
<div>
<ul>
<li>After the import it will be listed as below.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEQX3tpYQGK5cKyyRw-3Q5o8WZw_VduMDTPj2vM4ahp0EKVPlPiNEQvtQGt5eBXr45Axzljznhj9H_5mV01UQMG6Z37UGVousThvklCLsEzSJ0ZSo0uNreclk-4LACSOFZ-026wEN-QHw/s1600/crt.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEQX3tpYQGK5cKyyRw-3Q5o8WZw_VduMDTPj2vM4ahp0EKVPlPiNEQvtQGt5eBXr45Axzljznhj9H_5mV01UQMG6Z37UGVousThvklCLsEzSJ0ZSo0uNreclk-4LACSOFZ-026wEN-QHw/s1600/crt.png" height="197" width="640" /></a></div>
<div style="text-align: justify;">
<ul>
<li><span style="font-family: inherit; white-space: pre-wrap;">Create a new Service Provider for Travelocity webapp as following.</span></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCbkZtd2sEzjnQuWiF_RNhS0c4bud3kyn25ZEA1b3_RA0DEjekEy64Bdmvk2JmZy829zMq09oHZrh6RmAqgBZhM4_CrUv36ozJvYzjU7bN-iD72rohAzQvNd51FqGK5LsaYXLUs-A2s2c/s1600/travel.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCbkZtd2sEzjnQuWiF_RNhS0c4bud3kyn25ZEA1b3_RA0DEjekEy64Bdmvk2JmZy829zMq09oHZrh6RmAqgBZhM4_CrUv36ozJvYzjU7bN-iD72rohAzQvNd51FqGK5LsaYXLUs-A2s2c/s1600/travel.png" height="274" width="640" /></a></div>
</div>
<div style="text-align: justify;">
<ul>
<li><span style="font-family: inherit;"><span style="line-height: 1.15; white-space: pre-wrap;">Then we need to configure it as below. </span><span style="line-height: 1.15; white-space: pre-wrap;"> </span></span></li>
</ul>
</div>
<div style="text-align: justify;">
<span style="font-family: inherit; line-height: 1.15; white-space: pre-wrap;">- By enabling 'SaaS application', we are removing the tenant boundary for this service provider.</span></div>
<div style="text-align: justify;">
<span style="font-family: inherit; line-height: 1.15; white-space: pre-wrap;">- Enable response and assertion signing according to your requirement.</span></div>
<div style="text-align: justify;">
<span style="font-family: inherit; white-space: pre-wrap;">- Enable signature verification for the SAML Authentication Request.</span></div>
<div style="text-align: justify;">
<span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyqN7fAFBbJSKuM1aengTUXKv0dUGRa0MGJ0xzLiv-3XBaUA5nacTbXIUNuyIvrna6INGEG5vvrPqRos8qyp6p7JX63ACoa_6EHPWyaXV9ah3dvwxYdlAV3xE9EPMS7_LWCm4qV2j0Xps/s1600/travel2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyqN7fAFBbJSKuM1aengTUXKv0dUGRa0MGJ0xzLiv-3XBaUA5nacTbXIUNuyIvrna6INGEG5vvrPqRos8qyp6p7JX63ACoa_6EHPWyaXV9ah3dvwxYdlAV3xE9EPMS7_LWCm4qV2j0Xps/s1600/travel2.png" height="640" width="595" /></a></div>
<div style="text-align: justify;">
<span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;"><br /></span></span></div>
<div style="text-align: justify;">
<span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;"><br /></span></span></div>
<div style="text-align: justify;">
<span style="font-family: inherit; white-space: pre-wrap;">The configurations needed to get the SSO scenario working with the webapp are mostly done. We still need to export the tenant public certificate so that it can be imported into the trust store at the webapp side. This is in order to verify the signature of the SAML Response/Assertion at the webapp side. We can export the certificate from the UI as below, using the public key link.</span></div>
<div style="text-align: justify;">
<span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;"><br /></span></span></div>
<div style="text-align: justify;">
<span id="docs-internal-guid-dd268a3e-98ae-0956-5dac-1d82ed56606a"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img alt="keystore1.png" height="174" src="https://lh5.googleusercontent.com/HJ7Px3ULA0BJsl_LE38pr4S7d34oekUHfFf6WQk30HQiLHNy4bImhCKm7xo5D2ugzpV23RL0oRLW7XKEe4DRbjt2EsNAhRR_tczadAaSkyjdRAZnmfyzSGyd43zT4EwGeQ" style="-webkit-transform: rotate(0rad); border: none;" width="640" /></span></span></div>
<div style="text-align: justify;">
<span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;"><br /></span></span><span style="font-family: inherit; white-space: pre-wrap;">The exported certificate needs to be imported into the webapp truststore (in this case the travelocity.jks file located inside the webapp).</span><br />
<span style="font-family: inherit; white-space: pre-wrap;"><br /></span>
<span id="docs-internal-guid-dd268a3e-98af-909d-629a-2a6fe4f88da3"><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;"></span></span>
<pre class="prettyprint"><span id="docs-internal-guid-dd268a3e-98af-909d-629a-2a6fe4f88da3"><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">keytool -import -alias &lt;the given alias name, here lanka.com&gt; -file &lt;path to the downloaded public certificate&gt; -keystore &lt;path to the trust store of the webapp, here the travelocity.jks file&gt;</span></span></pre>
<span style="font-family: inherit;"><br /></span>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">Now if you try to login to travelocity web app as a tenant user, it should succeed.</span></span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: inherit;"><br /></span></div>
<h3 style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: inherit; font-size: small;">2. External federation</span></h3>
<span style="font-family: inherit;"><span style="vertical-align: baseline; white-space: pre-wrap;"><span id="docs-internal-guid-bb1f8770-98c5-e714-1109-e60ad3f489fd"></span></span>
<span style="vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="vertical-align: baseline; white-space: pre-wrap;"><span id="docs-internal-guid-dd268a3e-98cb-fac6-2a1d-d3598fcf7668"><span style="vertical-align: baseline;">The following configuration will demonstrate how to configure an external identity provider in Identity Server. Here we will use another instance of Identity Server as the external IDP. The scenario extends the previous one. </span></span></span></span><br />
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;"><span><span style="vertical-align: baseline;"><br /></span></span></span>
<span style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; vertical-align: baseline;"></span><span style="vertical-align: baseline; white-space: pre-wrap;"><span id="docs-internal-guid-dd268a3e-98cc-69e6-90a3-3c9b891c0f7e"><span style="vertical-align: baseline;"><span style="font-family: inherit;">In the internal federation, we had the 'Travelocity' webapp registered as a Service Provider in the IDP which decided the authenticity of the user. Now we will federate the decision on the authenticity of the user to an external IDP. For demonstration purposes I am using a tenant (named lux.org) in the external IDP (idp.lanka.com).</span></span></span><span style="font-family: Arial; font-size: 15px;"><br /></span></span><br />
<h4>
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><span id="docs-internal-guid-5f7fc8a3-98d2-6271-db96-8e475cd7201d"><span style="font-family: 'Trebuchet MS'; font-size: 17px; font-weight: bold; vertical-align: baseline;">Configuring another IS instance to act as an external IDP (idp.lanka.com)</span></span></span></h4>
<ul>
<li>Create a tenant named ‘lux.org’ and log in with this tenant.
</li>
<li>First we need to import the public certificate of the internal IS into the tenant key store; this certificate is paired with the private key used to sign the SAML Request. This time it is 'wso2carbon'.</li>
<li>Configure the internal IS as a service provider here, because the SAML request is now sent to this IS by the internal IS we configured before.</li>
<li>Note that ‘Assertion Consumer URL’ points to ‘<a href="https://localhost:9443/commonauth">https://localhost:9443/commonauth</a>’ of the internal IS. Also note the certificate alias we have selected for SAML Request signature validation: this is the one we imported here.</li>
</ul>
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><span id="docs-internal-guid-dd268a3e-98d4-117b-ca9b-e93252726f37"></span><span id="docs-internal-guid-dd268a3e-98d4-117b-ca9b-e93252726f37"><span style="vertical-align: baseline;"><img height="122" src="https://lh5.googleusercontent.com/PwEKmieI2wW7yuGuIw4YZEjTDggccKNodMa797l3wJtUjO28ckBdZqRNZrHmvoEpf5-yLeEsav_IijQenq7ToL3GGV7t7KCWqs28gj_mYb1gaxZiJ7_0gPVWjwIFb4e09w" style="-webkit-transform: rotate(0rad); border: none;" width="640" /></span></span></span>
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="font-family: Arial; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: 15px;"><br /></span><span id="docs-internal-guid-dd268a3e-98ea-c1f1-45d0-0658d6e2cfe3" style="font-size: 15px;"><span style="vertical-align: baseline;"><img height="581px;" src="https://lh5.googleusercontent.com/ro33nD3j6Ix-rmUtNB67MmTB1XzBfk-egcSk8Ns430El8AgN7FE1WC_JL2ZKcePtvh_b8mTx8ZbY1lYfJBvF-ICM7fPvBgd_5hTx-v5tC7z6gx4YaL134uDNp-xguQhUAg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="719px;" /></span></span><span style="font-size: 15px;"><br /><br /></span></span><h4>
<span style="font-family: Arial; vertical-align: baseline; white-space: pre-wrap;"><span id="docs-internal-guid-f8dcb81a-98eb-def9-5b34-f29020f1fda8"><span style="font-family: 'Trebuchet MS'; font-weight: bold; vertical-align: baseline;">Configure Internal IS to federate SSO requests from Travelocity webapp to the external IDP</span></span></span></h4>
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;"><span id="docs-internal-guid-dd268a3e-98ed-073f-1f7f-243760029fcf"><span style="vertical-align: baseline;">In the internal IS, we need to configure it to make use of the external IDP we just configured.</span></span></span></div>
<div>
<ul>
<li><span style="font-family: inherit; white-space: pre-wrap;">Create an Identity Provider as below. </span></li>
<li><span style="font-family: inherit; white-space: pre-wrap;">Upload the public certificate, which we can download from the tenant keystore of the external IDP. This is to validate the signatures of the SAML Responses and Assertions that will be sent to this internal IS from the external IS.</span></li>
</ul>
<span style="vertical-align: baseline; white-space: pre-wrap;"><span id="docs-internal-guid-dd268a3e-98ee-b9be-ec36-56e87287c482"><br /><img height="408" src="https://lh5.googleusercontent.com/764tuYtgac1c8i3X9Kyxte68Qh19rqf-saJ5Nq8LzVjAVeD3ZvJ1smkXfB2633Z6Kaoql4a448sSi1xUZXPLMtMscuTe60A5NQdJjpcodnWxt5IHYQaOKPlzkkhu6qGhXQ" style="-webkit-transform: rotate(0rad); border: none;" width="640" /></span><span style="font-family: Arial;"><span style="font-size: 15px;"><br /></span></span></span>
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span>We have to make some additional changes in the service provider configuration for Travelocity webapp as well. </div>
<ul style="text-align: left;">
<li>In the drop down list of federated authenticators select the identity provider we just configured.</li>
</ul>
<div>
<span style="vertical-align: baseline;"><span id="docs-internal-guid-dd268a3e-98f0-eeac-23f2-88f6b7293b23"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="517" src="https://lh6.googleusercontent.com/4_ZY4xIHcg2qf-ylu46ixCLa9wHevpC_WiekE-hYGZQmCgWTCmlRCty4ov_nWjjfUeLAdCR-ghMV1xOjU47ik99IhkG-9PHWbT0EhRsmE0S41zFQDj17NSnMjemqrBR_9w" style="-webkit-transform: rotate(0rad); border: none;" width="640" /></span></span></span></div>
<div>
<span style="vertical-align: baseline;"><br /></span></div>
<div style="text-align: left;">
</div>
<div style="text-align: justify;">
<br /></div>
<span style="font-family: inherit; vertical-align: baseline;"><div style="text-align: justify;">
<span style="font-family: inherit; white-space: pre-wrap;">There is one more addition we have to make, as follows, to meet the requirement of audience restriction validation in the SAML SSO scenario. This is not a requirement for federation, but for API access. The value we give here for the audience is the OAuth token endpoint, which we will consume to exchange the SAML token for an OAuth token.</span></div>
</span><br />
<div>
<span style="vertical-align: baseline;"><br /></span></div>
<div>
<span style="vertical-align: baseline;"><span id="docs-internal-guid-fa602197-98f2-43c7-4082-83501f034c66"><span style="font-family: 'Trebuchet MS'; font-size: 21px; vertical-align: baseline; white-space: pre-wrap;"><img height="676px;" src="https://lh3.googleusercontent.com/_WaJ0XRLRKTRRfnU_YEOVbF_PkMcZOMAaeisfMYOOMn6T5lLh0d2RYKWS8YqxFUDPfWywLtZ-T-zDptJKlj-r5Dzwjpr27glEvVlNpLBxmvg2CG0XJyZ8KtepNElErt6xQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="770px;" /></span></span></span></div>
<div>
<span style="vertical-align: baseline;"><br /></span></div>
<div>
<span style="vertical-align: baseline;"><span id="docs-internal-guid-580c2d66-98f2-db84-7869-bfb44db0c6df"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: inherit;"><span style="vertical-align: baseline; white-space: pre-wrap;">Now we are in a position to test the external federation scenario with the Travelocity webapp sample. After hosting it in a Tomcat server, hit the URL ‘</span><a href="http://localhost:8080/travelocity.com/index.jsp" style="text-decoration: none;"><span style="color: #1155cc; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://localhost:8080/travelocity.com/index.jsp</span></a><span style="vertical-align: baseline; white-space: pre-wrap;">’, which will take us to a page as below. Click on the link to log in with SAML.</span></span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: inherit;"><span style="vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span id="docs-internal-guid-580c2d66-98f3-629a-1a79-c8230e91a444"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="484px;" src="https://lh5.googleusercontent.com/5h8Q6luMaUp56Kgg2kUQmA-l_u5DNbsbqtqWfLjoRDpSiv-rmBXkAEXTownp52IPGH87RGKC54ymUjKd6PODh3JLurDV02iU3bFfOjWjFOCciOJGPnk_t9jnKXwZEic3Ow" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="704px;" /></span></span></div>
<div>
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
</span></span></div>
<div style="text-align: justify;">
<span style="font-family: inherit; vertical-align: baseline;"><span id="docs-internal-guid-dd268a3e-98f3-b79d-e2f1-fcecd788b2bc"><span style="vertical-align: baseline; white-space: pre-wrap;">This will take us to the following screen. Note that the page is from our external IDP (idp.lanka.com), where we can enter the credentials of a user in this IDP to get successfully authenticated. If our external authenticator were Google, this would be a page from Google asking for the credentials.</span></span></span></div>
<div>
<span style="vertical-align: baseline;"><br /></span></div>
After successful authentication, following screen will be shown.<div>
<span style="vertical-align: baseline;"><br /></span></div>
<div>
<span style="vertical-align: baseline;"><span id="docs-internal-guid-dd268a3e-98f5-3f85-646b-9687319626ce"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="349px;" src="https://lh3.googleusercontent.com/VMNAhp8hCzbmH7lba0ALQSgPx_G7OEDUmeRAtGoFpLS3JjboTxS3jel_kK8nn3-dEQMo8_FJAmHVszcrk1qlFqa_dqbq0klLqUc4dgcN43TGxvbg2CztqWRkFpVT2WWhsw" style="-webkit-transform: rotate(0rad); border: none;" width="726px;" /></span></span></span></div>
<div>
<span style="vertical-align: baseline;"><br /></span></div>
Now the external federated SAML scenario is completed.<div>
<span style="vertical-align: baseline;"><span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></span></div>
<h3 style="text-align: left;">
3. API Access leveraging the federation</h3>
<div>
<span style="font-family: inherit; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="vertical-align: baseline; white-space: pre-wrap;">To achieve this we need the following configurations present at the webapp side.</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
</div>
<ul>
<li><span style="font-family: inherit; line-height: 1.15; white-space: pre-wrap;">Register an application in the API-M store, subscribe to some APIs, and provide the generated client id and client secret values in the travelocity.properties file of the sample webapp.</span></li>
<li><span style="font-family: inherit; line-height: 1.15; vertical-align: baseline; white-space: pre-wrap;">Point SAML.OAuth2TokenEndpoint=</span><a href="https://localhost:9445/oauth2/token" style="font-family: inherit; line-height: 1.15; text-decoration: none;"><span style="color: #1155cc; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://localhost:9445/oauth2/token</span></a><span style="font-family: inherit; line-height: 1.15; vertical-align: baseline; white-space: pre-wrap;"> to the OAuth token endpoint of API-M.</span></li>
<li><span style="font-family: inherit; line-height: 1.15; white-space: pre-wrap;">Import the public certificate of the internal IS into the keystore used by the webapp. The alias given should be provided as ‘SAML.IdPCertAlias=lanka.com’ in the travelocity.properties file. </span></li>
</ul>
</span></div>
<h4 style="text-align: left;">
IDP Configuration at API-M</h4>
<ul style="text-align: left;">
<li>Configure ‘host name’ and ‘mgt host name’ in APIM_HOME/repository/conf/carbon.xml </li>
<li>Log in as super admin and add an identity provider as follows.</li>
</ul>
<div>
<span style="vertical-align: baseline;"><span id="docs-internal-guid-dd268a3e-98f9-d8cb-3013-6ea528bcecd5"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="176" src="https://lh5.googleusercontent.com/66KItSPtoXlJgB8uzkVIte62rdWh5bLgF1ktni9rVWQEumUXtAUodRRv7f8LOFWqc8mSnS1-x_Oiho0NiM7eFw8A2B9oq9HFjUf_CUOw6ZfrU_2M32d13BWXspXD79BJww" style="-webkit-transform: rotate(0rad); border: none;" width="640" /></span></span></span></div>
<div>
<span style="vertical-align: baseline;"><br /></span></div>
<ul style="text-align: left;">
<li>The following fields need to be filled. Note that we have imported the public certificate of the internal IS here, so that we can validate its SAML token.</li>
<li>API-M is not aware of the federation happening at the internal IS node.</li>
</ul>
<div>
<span id="docs-internal-guid-dd268a3e-98fb-6e05-02da-8c41982c6c12"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="348" src="https://lh5.googleusercontent.com/pIo0r9D1nWnRdETUdaMAm6Sn2_QqnYc5t5toAdGK_OxjOzCgkSoA19Z6PQcSITJJcoQDDSy6SNeSJfH3-jxCdKFT1i9l52Zc2Fn5aPX3nBbWqwg1eF-PJPRv3McZb-JI1A" style="-webkit-transform: rotate(0rad); border: none;" width="640" /></span></span></div>
<div>
<span style="vertical-align: baseline;"><br /></span></div>
<ul style="text-align: left;">
<li>When configuring the federated authenticator, note that the Identity Provider entity id should be the same as the issuer of the SAML Response coming to API-M to be exchanged for an OAuth token. The SSO URL is the redirect URL for the internal IS.</li>
</ul>
<div>
<span id="docs-internal-guid-dd268a3e-98fd-0d69-97c6-24d0cdcd21a2"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="481px;" src="https://lh4.googleusercontent.com/cs9blNuKv4PeiMczpmtXHdx9cFKrACqDSoMwx48gQsxmpd97kFevPd5Srac9PoDHO09FoEw5FRZZoRnkBcKgQDLDAWgpQhEh0pEacICFnQHp2pUpNvsdSRW-JmV86w8hHw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="657px;" /></span></span></div>
<div>
<span style="vertical-align: baseline;"><br /></span></div>
<ul style="text-align: left;">
<li>Once these configurations are done, we can test the end-to-end scenario. Now, from the page we left at the ‘Travelocity’ webapp, if we click on the link ‘<a href="http://localhost:8080/travelocity.com/token">Request OAuth2 Access Token</a>’, the following page will appear. It shows the details of the OAuth token received in exchange for the provided SAML token.</li>
</ul>
<div>
<span style="vertical-align: baseline;"><span id="docs-internal-guid-dd268a3e-98fd-d690-a1de-d800bc052104"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="599px;" src="https://lh6.googleusercontent.com/81tvrjSKWP_6KQCmVOlccSGUsNxfpxyhpXXo8UPyMxTlE1Pd-tBDVGEwEtah-dj9ZdWajBHI_F6XAHDyY5FWmbXRk-wXh7wbTS2IiM6TJo3MG69W9ZnF_UXJt746Q8gK7Q" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="603px;" /></span></span></span></div>
<div>
<span style="vertical-align: baseline;"><br /></span></div>
Now we can use this access token at the webapp side to consume any APIs we subscribed to.<div>
<span style="vertical-align: baseline;"><br /></span></div>
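<div style="text-align: justify;">
As an added example, not code from the original post or from the Travelocity sample, the following Python shows the webapp side of the exchange described in this section: it pulls the Assertion out of the SAML Response received at the SSO step, pre-flights the checks the token endpoint applies (the Issuer must match the Identity Provider entity id configured in API-M, the audience restriction must contain the OAuth2 token endpoint, and the assertion must not have expired), and builds the SAML2 Bearer grant request to SAML.OAuth2TokenEndpoint per RFC 7522. The properties values are the ones from travelocity.properties above; the SAML XML, its timestamps and the issuer value "localhost" are constructed for the demonstration.</div>

```python
# Added example, not code from the original post or the Travelocity sample:
# the webapp side of the SAML2 Bearer grant exchange configured above. The SAML
# XML, timestamps and issuer value "localhost" are constructed for the demo.
import base64
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ET.register_namespace("saml", NS["saml"])  # keep the prefix when re-serialising
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Constructed copy of the travelocity.properties entries that matter here.
PROPERTIES = """\
SAML.IssuerID=travelocity.com@lanka.com
SAML.OAuth2TokenEndpoint=https://localhost:9445/oauth2/token
SAML.OAuth2ClientID=FxuhFBEcX5P1wjtqPqigJ0OVP5ca
SAML.OAuth2ClientSecret=2eqfI11Y9dRZaiijbAK3dfJFNRMa
"""

# Constructed, unsigned SAML Response as received at the SSO step. A real one
# is signed, and API-M verifies that signature with the certificate imported
# in its IDP configuration; this client only pre-flights the other checks.
SAML_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>localhost</saml:Issuer>
  <saml:Assertion ID="_assn1" Version="2.0" IssueInstant="2014-09-01T10:00:00Z">
    <saml:Issuer>localhost</saml:Issuer>
    <saml:Subject><saml:NameID>user@lanka.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2014-09-01T10:00:00Z" NotOnOrAfter="2014-09-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>travelocity.com@lanka.com</saml:Audience>
        <saml:Audience>https://localhost:9445/oauth2/token</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""
# Fixed "current time" inside the assertion's validity window, for the demo.
DEMO_NOW = datetime(2014, 9, 1, 10, 2, tzinfo=timezone.utc)


def load_properties(text):
    """Parse the key=value subset of Java .properties that travelocity.properties uses."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def extract_assertion(saml_response_xml):
    """Return the <saml:Assertion> of the SSO response as XML text.
    Re-serialising a signed assertion can break its XML signature, so a
    production client should forward the original bytes of the element."""
    assertion = ET.fromstring(saml_response_xml).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("SAML Response carries no Assertion")
    return ET.tostring(assertion, encoding="unicode")


def check_assertion(assertion_xml, props, expected_issuer, now):
    """Pre-flight the checks the token endpoint applies; return a list of problems:
    Issuer must equal the Identity Provider entity id configured in API-M,
    AudienceRestriction must include the OAuth2 token endpoint, and the
    assertion must not have passed NotOnOrAfter."""
    root = ET.fromstring(assertion_xml)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} != API-M IDP entity id {expected_issuer!r}")
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if props["SAML.OAuth2TokenEndpoint"] not in audiences:
        problems.append("audience restriction does not include the token endpoint")
    conditions = root.find("saml:Conditions", NS)
    expiry = conditions.get("NotOnOrAfter") if conditions is not None else None
    if expiry is None:
        problems.append("no NotOnOrAfter condition")
    elif now >= datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc):
        problems.append("assertion expired (NotOnOrAfter)")
    return problems


def build_token_request(assertion_xml, props):
    """Build the POST to SAML.OAuth2TokenEndpoint: the assertion base64url-encoded
    without padding (RFC 7522), client id and secret as HTTP Basic credentials."""
    assertion_b64 = base64.urlsafe_b64encode(assertion_xml.encode()).rstrip(b"=").decode()
    body = urlencode({"grant_type": SAML2_BEARER, "assertion": assertion_b64})
    creds = f"{props['SAML.OAuth2ClientID']}:{props['SAML.OAuth2ClientSecret']}".encode()
    headers = {"Authorization": "Basic " + base64.b64encode(creds).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    return props["SAML.OAuth2TokenEndpoint"], headers, body


def decode_assertion_param(body):
    """Undo the encoding, as the token endpoint would, to recover the XML."""
    param = parse_qs(body)["assertion"][0]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4)).decode()
```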
<div>
<span style="vertical-align: baseline;">Hope this helps. We can expand and customize this scenario in several ways according to requirements, with the options provided for federation, provisioning and extension points. I will discuss those in a later post.</span></div>
<div>
<span style="vertical-align: baseline;"><br /></span></div>
<div>
<span style="vertical-align: baseline;">Cheers!</span></div>
<div>
<span style="vertical-align: baseline;"><br /></span></div>
<div>
<span style="vertical-align: baseline;"><br /></span>
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
</div>
</div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.comtag:blogger.com,1999:blog-2392291832115825501.post-13711261640865842332014-09-10T00:03:00.000+05:302017-06-24T10:39:04.237+05:30How to write a Custom SAML SSO Assertion Signer for WSO2 Identity Server<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: justify;">
This is the 3rd post I am writing to explain the use of extension points in WSO2 Identity Server. WSO2 Identity Server has many such extension points, which are easily configurable and arm the server with a lot of flexibility. With these, we can support many domain-specific requirements with minimum effort.</div>
<div dir="ltr">
</div>
<ul style="text-align: left;">
<li>Firstly I have shared the usage and steps of <a href="http://pushpalankajaya.blogspot.com/2013/09/how-to-write-custom-user-store-manager.html" target="_blank">writing a custom user store manager</a>. </li>
</ul>
<ul style="text-align: left;">
<li>Secondly a <a href="http://pushpalankajaya.blogspot.com/2014/07/adding-custom-claims-to-saml-response.html" target="_blank">custom claim handler</a> which is also related with SAML SSO Response. </li>
</ul>
<ul style="text-align: left;">
<li>Now this third post deals with writing a custom SAML SSO Assertion signer.</li>
</ul>
<h4 style="text-align: left;">
What can we customize?</h4>
<div dir="ltr">
</div>
<ul style="text-align: left;">
<li>Credentials used to sign the SAML Assertion (The private key)</li>
<li>Signing Algorithm</li>
<li>This sample can be extended to customize how we sign the SAML Response and validate the signature as well.</li>
</ul>
<div dir="ltr">
</div>
<h4 style="text-align: left;">
How?</h4>
<div>
We have to write a class either extending</div>
<div>
<ul style="text-align: left;">
<li>the class 'org.wso2.carbon.identity.sso.saml.builders.signature.DefaultSSOSigner', or</li>
</ul>
implementing</div>
<div>
<ul style="text-align: left;">
<li>the interface 'org.wso2.carbon.identity.sso.saml.builders.signature.SSOSigner'.</li>
</ul>
<div>
In our case, to customize how the assertion is signed, we need to override the following method:</div>
</div>
<div>
<br />
</div>
<script src="https://gist.github.com/Pushpalanka/dcc650721d038786c49385336843cc2e.js"></script>
<div dir="ltr">
Finally we have to update identity.xml as below with the custom class we wrote overriding the methods.</div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
</div>
<div style="margin-bottom: 0in; margin-left: 0.5in; text-indent: -0.25in;">
<pre class="prettyprint">&lt;SAMLSSOSigner&gt;org.wso2.custom.sso.signer.CustomSSOSigner&lt;/SAMLSSOSigner&gt;</pre>
</div>
<div dir="ltr">
and place the compiled package containing the above class at 'IS_HOME/repository/components/lib'. </div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
Now if we restart the server and run the SAML SSO scenario, the SAML SSO Assertion will be signed in the way we defined in the custom class. It is worth inspecting the resulting Response: the SignatureMethod Algorithm (and the certificate, if KeyInfo is included) should be the ones the custom class uses, which confirms the custom signer is actually being picked up.<br />
<br />
<a href="https://drive.google.com/file/d/0B1njqfOEx3g8Z0hwV3FYb1poVHc/edit?usp=sharing" target="_blank">Here you can find a complete sample code</a> to customize the assertion signing procedure.</div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
Hope this helps..</div>
<div dir="ltr">
Cheers!</div>
</div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.comtag:blogger.com,1999:blog-2392291832115825501.post-36599070591662683452014-07-31T03:09:00.000+05:302017-06-24T10:36:55.415+05:30Adding Custom Claims to the SAML Response - (How to Write a Custom Claim Handler for WSO2 Identity Server)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
</div>
<h3>
<span style="font-family: inherit;">Overview</span></h3>
<span style="font-family: inherit;">The latest release of WSO2 Identity Server (version 5.0.0) is armed with an "application authentication framework" which provides a lot of flexibility in authenticating users for various service providers that use heterogeneous protocols. It has several extension points, which can be used to cater to customized requirements commonly found in enterprise systems. With this post, I am going to share the details of making use of one such extension point.</span><br />
<div style="text-align: justify;">
<span style="font-family: inherit;"><br /></span></div>
<h3>
<span style="font-family: inherit;">Functionality to be Extended</span></h3>
<span style="font-family: inherit;">When SAML Single Sign On is used in enterprise systems, it is through the SAML Response that the relying party gets to know whether the user is authenticated or not. At this point the relying party is not aware of other attributes of the authenticated user which it may need for business and authorization purposes. To provide these attribute details to the relying party, the SAML specification allows attributes to be sent in the SAML Response as well (as an AttributeStatement inside the Assertion). WSO2 Identity Server supports this out of the box via the GUI provided for administrators. You can refer to [1] for the details of this functionality and its configuration.</span><br />
<div style="text-align: justify;">
<span style="font-family: inherit;"><br />The flexibility provided by this particular extension comes in handy when we have a requirement to add additional attributes to the SAML Response, apart from the attributes available in the underlying user store. There may be external data sources we need to consult in order to provide all the attributes requested by the relying parties. </span></div>
<div style="text-align: justify;">
<span style="font-family: inherit;">In the sample I describe here, we will be looking into a scenario where the system needs to provide some local attributes of the user, which are stored in the user store, together with some additional attributes that are retrieved from an external data source.<br />The following SAML Response is what we need to send to the relying party from WSO2 IS.</span></div>
<div style="text-align: justify;">
<script src="https://gist.github.com/Pushpalanka/b9456ec27572e450f153fe7e262baee9.js"></script>
<br />
<div style="text-align: justify;">
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"> </span><br />
<span style="font-family: inherit;">In this response we have one local attribute, role, and two additional attributes, </span>http://pushpalanka.org/claims/keplerNumber and http://pushpalanka.org/claims/status, which are retrieved by whatever method we define in our extension.<br />
<h3>
How?</h3>
<div>
1. Implement the customized logic to get the external claims. There are just two things to note in this effort:<br />
<br />
<ul>
<li>The custom implementation should either implement the interface 'org.wso2.carbon.identity.application.authentication.framework.handler.claims.ClaimHandler' or extend the default implementation of that interface, 'org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler'. </li>
<li>The map returned by the method 'public Map<String, String> handleClaimMappings' must contain all the attributes we want to add to the SAML Response, keyed by the attribute name as it should appear in the Response.</li>
</ul>
<div>
Following is the sample code I wrote, adhering to the above. The external claims may be queried from a database, read from a file or obtained by any other mechanism as required.</div>
<br />
<br />
<script src="https://gist.github.com/Pushpalanka/e93257d93c0847d40ee39cd17ed6fab8.js"></script>
<br />
<br />
2. Drop the compiled OSGi bundle at IS_HOME/repository/components/dropins. (We developed this as an OSGi bundle because we need the local claims as well, which are read through the RealmService OSGi service. <a href="https://drive.google.com/file/d/0B1njqfOEx3g8SThYRVNKYXFmbkU/edit?usp=sharing" target="_blank">You can find the complete bundle and source code here</a>)<br />
<br />
3. Point WSO2 Identity Server to use the new custom implementation we have.<br />
<br />
In IS_HOME/repository/conf/security/applicationauthentication.xml set the fully qualified class name of the new handler in the 'ApplicationAuthentication.Extensions.ClaimHandler' element:<br />
<pre class="prettyprint"> <ClaimHandler>com.wso2.sample.claim.handler.CustomClaimHandler</ClaimHandler></pre>
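<br />
As an added example (not the post's own sample from the gist above, and not WSO2 code), the following handler shows the shape of steps 1 to 3 end to end: it lets the default handler resolve the local claims, adds the two external attributes from the Response above, and fails closed when the external source cannot answer. The package name matches the applicationauthentication.xml entry above. Assumptions to verify against the IS 5.0.0 sources: the parameter list of handleClaimMappings, and that context.getSubject() returns the authenticated user name as a String. The in-memory EXTERNAL_SOURCE map is a constructed stand-in for the database or file the post leaves open.<br />

```java
package com.wso2.sample.claim.handler; // package of the class named in applicationauthentication.xml above

import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

import org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
import org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler;

public class CustomClaimHandler extends DefaultClaimHandler {

    // Attribute names exactly as they must appear in the SAML Response (taken from the post).
    static final String KEPLER_CLAIM = "http://pushpalanka.org/claims/keplerNumber";
    static final String STATUS_CLAIM = "http://pushpalanka.org/claims/status";

    // Constructed stand-in for the external data source (a database, a file, a REST service ...),
    // keyed by user name. Replace lookupExternalClaims() with the real query.
    private static final Map<String, Map<String, String>> EXTERNAL_SOURCE = new HashMap<String, Map<String, String>>();
    static {
        Map<String, String> record = new HashMap<String, String>();
        record.put(KEPLER_CLAIM, "K-2014-0731");
        record.put(STATUS_CLAIM, "active");
        EXTERNAL_SOURCE.put("bob", record);
    }

    // Assumption: parameter list as in the IS 5.0.0 ClaimHandler interface; check it against the
    // DefaultClaimHandler source of the release you build against.
    @Override
    public Map<String, String> handleClaimMappings(StepConfig stepConfig, AuthenticationContext context,
            Map<String, String> remoteClaims, boolean isFederatedClaims) throws FrameworkException {

        // 1. Let the default handler resolve the local claims (here: role) from the user store
        //    through the RealmService, so that logic is not duplicated.
        Map<String, String> localClaims = super.handleClaimMappings(stepConfig, context, remoteClaims, isFederatedClaims);

        // 2. Look up the additional attributes for the authenticated subject.
        //    Assumption: in IS 5.0.0 getSubject() returns the user name as a String.
        String subject = context.getSubject();
        Map<String, String> externalClaims;
        try {
            externalClaims = lookupExternalClaims(subject);
        } catch (RuntimeException e) {
            // Fail closed: if the source is unreachable we must not issue an assertion that silently
            // lacks an authorization-relevant attribute such as status.
            throw new FrameworkException("External claim source unavailable for user " + subject, e);
        }
        return mergeClaims(localClaims, externalClaims, subject);
    }

    /** Returns the external record for the user, or null when the source has none. */
    static Map<String, String> lookupExternalClaims(String userName) {
        return EXTERNAL_SOURCE.get(userName);
    }

    /**
     * Builds the map that becomes the AttributeStatement. Local (user store) values win over
     * external ones, so the external source can never overwrite e.g. the role claim.
     */
    static Map<String, String> mergeClaims(Map<String, String> localClaims, Map<String, String> externalClaims,
            String subject) throws FrameworkException {
        if (externalClaims == null) {
            throw new FrameworkException("No external attributes found for user " + subject);
        }
        Map<String, String> merged = new LinkedHashMap<String, String>();
        if (localClaims != null) {
            merged.putAll(localClaims);
        }
        for (Map.Entry<String, String> entry : externalClaims.entrySet()) {
            if (!merged.containsKey(entry.getKey()) && entry.getValue() != null) {
                merged.put(entry.getKey(), entry.getValue());
            }
        }
        return merged;
    }
}
```

Whether a missing external record should abort the login (as above) or just omit the attributes is a policy decision to make explicitly; what should not happen is the Identity Server signing an assertion whose attribute set quietly depends on the availability of a backend.<br />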
<br />
Now if we look at the generated SAML Response, we will see the external attributes added.<br />
Cheers!<br />
<br />
[1] - https://docs.wso2.com/display/IS500/Adding+a+Service+Provider</div>
</div>
</div>
</div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.comtag:blogger.com,1999:blog-2392291832115825501.post-91861216470171955222014-07-18T15:18:00.000+05:302014-07-18T15:18:58.202+05:30Leveraging federation capabilities of Identity Server for API gateway (First Webinar Conducted by Myself)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
<div style="text-align: justify;">
My first experience of conducting a Webinar happened on July 02nd 2014, with the opportunity given by WSO2 Lanka (Pvt) Ltd, where I am currently employed. As always, that was a great opportunity given to me by the company.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The Webinar was done to highlight the capabilities introduced with WSO2 IS 5.0.0, the First Enterprise Identity Bus, which is 100% free and open source. This Webinar discusses in detail and demonstrates the power and value added when these federation capabilities are leveraged in combination with WSO2 API Manager. </div>
</div>
<div style="text-align: justify;">
<div style="text-align: justify;">
<br /></div>
</div>
<div style="text-align: justify;">
<div style="text-align: justify;">
Following are the slides used at the Webinar. </div>
</div>
<div style="text-align: center;">
<iframe allowfullscreen="" frameborder="0" height="486" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/36619105?rel=0" style="border-width: 1px 1px 0; border: 1px solid #CCC; margin-bottom: 5px; max-width: 100%;" width="597"> </iframe> </div>
<div style="margin-bottom: 5px;">
<div style="text-align: center;">
<br /></div>
<div style="text-align: justify;">
The session went under following outline and you can watch the full recording of the session at WSO2 library, '<a href="http://wso2.com/library/webinars/2014/07/leveraging-federation-capabilities-of-identity-server-to-api-gateway/" target="_blank">Leveraging federation capabilities of Identity Server for API gateway</a>'.</div>
<br /><ul style="text-align: left;">
<li>Configuring WSO2 Identity Server as the OAuth2 key manager of the API Manager</li>
<li>Identity federation capability of Identity Server 5.0</li>
<li>How to connect existing IAM solution with API Manager through identity bridge</li>
<li>How to expand the solution to various other possible requirements</li>
</ul>
</div>
<div style="text-align: justify;">
<div style="text-align: left;">
Lots more to improve. Any feedback or suggestions are warmly welcome!</div>
</div>
</div>
Pushpalankahttp://www.blogger.com/profile/12173668224617137998noreply@blogger.com