In wso2 IS XACML policy how to validate role and its permissions - authorization

In WSO2 Identity Server, how do I add a custom permission, for example a role "useroperation" with the associated permissions create, update and delete? How can I create permissions like this?
How can I use those assigned permissions for validation, using roles and permissions in a XACML policy?
I have created a XACML policy using the Standard Policy Editor based on the subject name (the username); I am fetching the role attribute and validating it, but how can I validate the permissions associated with it using XACML? Is it possible to achieve this use case in a WSO2 XACML policy?

There are several ways to add custom permissions to the WSO2 Identity Server. These methods are given in this answer.
There is a XACML function, urn:oasis:names:tc:xacml:1.0:function:eval-permission-tree, defined in the WSO2 Identity Server. This can be used to validate the permissions of a user.
This function requires two inputs.
 1. required permission string (ex: /permission/admin/login)
 2. subject or the user whose permissions are validated
In the WSO2 Identity Server, there is a sample XACML policy that uses this function. If you log in to the management console of the Identity Server, the sample is named evaluate_permission_tree_policy at Main > Entitlement > PAP > Policy Administration.
You can get the permission string by referring to the registry of the Identity Server via Main > Registry > Browse.
I assume that you want to validate the permissions of a given role from the XACML policy. As per the current implementation, the function eval-permission-tree only checks whether the given user is authorized. [1]
To achieve your requirement, you can write your own XACML function extending the EvalPermissionTreeFunction class.
This blog[2] describes how you can write a custom XACML function and plug it into WSO2 IS.
[1] https://github.com/wso2/carbon-identity-framework/blob/master/components/entitlement/org.wso2.carbon.identity.entitlement/src/main/java/org/wso2/carbon/identity/entitlement/extension/EvalPermissionTreeFunction.java#L77
[2] https://pamodaaw.medium.com/custom-xacml-functions-for-wso2-identity-server-5-10-0-a91bc2ec673d
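The following is an added XACML 3.0 policy fragment illustrating how the function described above takes its two inputs (required permission string, then subject); it is not the answer's code nor WSO2's shipped sample. The policy id, the resource-id value `useroperation/create`, the custom permission path `/permission/admin/useroperation/create` and the argument order are assumptions to be checked against the evaluate_permission_tree_policy sample in the PAP.

```xml
<!-- Added example (assumed values): permit "useroperation/create" only if the
     requesting user holds the registry permission path given as the first argument. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="check_useroperation_create_permission"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
        Version="1.0">
  <Target>
    <AnyOf>
      <AllOf>
        <!-- Assumed resource-id sent by the PEP for this operation -->
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">useroperation/create</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Permit" RuleId="permit_if_user_holds_permission">
    <Condition>
      <!-- Input 1: required permission string (assumed custom path under /permission/admin).
           Input 2: the subject (username) whose permission tree is evaluated. -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:eval-permission-tree">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/permission/admin/useroperation/create</AttributeValue>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                               Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <!-- Explicit fallback so an unmatched rule yields Deny rather than NotApplicable -->
  <Rule Effect="Deny" RuleId="deny_otherwise"/>
</Policy>
```

As the answer notes, this evaluates the user's own permission tree, not a role's; validating a role's permissions needs the custom function it describes.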

Related

Can Keycloak be configured to set roles automatically based on a user's properties?

The goal is to get an access token with a custom set of roles.
My scenario is that I have a User Storage Provider SPI that looks into an Oracle DB for authentication. It also checks the user's permissions defined in other tables of that DB. I would set those permissions into the UserModel object returned by the SPI.
Now I would like to define in Keycloak (using the administration application) custom roles and configure them so they are included in the user's access token depending on some rules over the user's permissions that I've set previously into the UserModel. The idea is to be flexible and allow changing the configuration between roles and the user's permissions found in the DB.
I've read the theory about mappers and policies but I'm not sure how to manage it and I can't find an example that illustrates the process.

Error in creating XACML policy with policy editor on WSO2 Identity Server management console - wso2is-km-5.3.0

I am using the pre-packaged IS WSO2IS-km-5.3.0 to integrate IS as a key manager with WSO2 AM 2.1.0. When I tried to create a policy with the policy editor on WSO2 Identity Server management console, the policy creation failed with the following message:
Error while adding entitlement policy. Invalid Entitlement Policy. Policy is not valid according to XACML schema
This happens whether I try to create a policy using any of the editor options: basic policy editor, simple policyset editor, policyset editor.
The policy is successfully added when we set PDP.SchemaValidation.Enable = false in the entitlement.properties file at IS_HOME/repository/conf/identity.
Please let me know which configuration is required to create a policy.
I have found the below link regarding this but was not able to solve my issue:
WSO2 API Manager 1.8 - Trying out XACML - Error creating the policy
XACML version 5.7.5 for IS and APIM, and XACML Mediation 4.6.10 on APIM.
You can use the standard policy editor, which is the recommended editor for writing XACML policies.
If that doesn't work, you can try editing one of the available XACML policy templates according to your requirement.
You should keep PDP.SchemaValidation.Enable=true in the entitlement.properties file, which is the default value.
Please refer to https://docs.wso2.com/display/IS530/Creating+a+XACML+Policy for more information on creating XACML policies.

WSO2 IS: OpenID Connect custom claims in 5.2.0?

I have installed WSO2 IS 5.2.0 and I have a problem retrieving custom created claims.
I've added new claims to the dialect http://wso2.org/claims and I also added new claims that map the same attribute to the dialect http://wso2.org/oidc/claim. This worked with version 5.1.0 but does not work in version 5.2.0.
All fields are present in the database attribute table. I am using the OAuth2 OpenID Connect userInfo endpoint for fetching user data.
Here is the claims configuration for my Service Provider:
With this configuration in 5.1.0 I got all the requested claims from the image, but in 5.2.0 I get only the claims that are not custom, i.e. those that were already present in both dialects by default.
The reason for this behaviour is the introduction of OpenID Connect claim scopes in 5.2.0. So basically when you are requesting an OIDC token you can specify a scope value that is bound to a set of claims. So when you send that OIDC token to the userinfo endpoint, only those claims which are common to both the OIDC scope config and the SP claim configuration (i.e. the intersection of the claims in both these configs) will be returned.
Let's take an example:
consider the default scope needed to get an OIDC token, which is 'openid'.
The openid scope is bound to the following schemes:
sub, email, email_verified, name, family_name,given_name,middle_name,nickname,preferred_username,profile,picture,website,gender,birthdate,zoneinfo,locale,updated_at,phone_number,phone_number_verified,address,street
(you can configure this using the 'oidc' file found in the registry at /_system/config/oidc)
So in your case please add the custom claims slotCentreURL, role and slotCentre to the mapped claims for this scope by editing the oidc file.
Alternatively you can add a new scope, say 'customSPScope1', with the claims that you need, and send it when getting the OIDC token in addition to the mandatory openid scope.
You also need to configure the required claims in the Service Provider configuration. The logic here is that only the intersection of the claims configured at the OIDC scope level and the claims configured at the SP level is returned.
The reason could be the mapped attribute. You need to configure the same mapped attribute in both the OIDC dialect and the wso2 dialect for custom claims.

Multiple Authentication / Authorization support for Web API via OWIN

I have a Web API project of ours that needs to be secured. I am planning to allow the users that registered with my app to use the API [Forms Authentication], users with their own organizational accounts [ADFS], and Social Sign-In.
I have all the middleware available to plug in and make available to the users. However, in my application I do have custom roles and privileges that are to be provided so that my application authorizes the service calls based on the existing privileges. What is the best way to accomplish this?
I think that I will be required to provide my own custom implementation of the UserStore and UserManager with my own IUser Implementation.
Kindly suggest the best practice for this scenario.
With multiple authentication middleware registered, you can get multiple ClaimsIdentity instances.
Register each type of authentication you want to support.
I would be sure to add a claims transformation module at the end of the pipeline. Thinktecture has an example. ThinkTecture Owin Claims Transformer
This would give you one place to look up and add all the application type claims for an authenticated user in one spot.
Simple pseudo example (geared to webapi, but concept the same). Authenticate with bearer or basic or both then transform.
```csharp
using Owin;
using Microsoft.Owin.Logging;
// UseBasicAuthentication and UseClaimsTransformation come from the Thinktecture OWIN
// package linked above; ApplicationSession, ApplicationUserManager, OAuthBearerOptions,
// ValidateUser and TransformClaims are your own application types and callbacks.

public partial class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Identity 2.0 user manager stuff used in your modules
        app.CreatePerOwinContext(ApplicationSession.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        // Token authentication -> get a principal
        app.UseOAuthBearerAuthentication(OAuthBearerOptions);
        // Basic authentication -> get a principal
        app.UseBasicAuthentication(app.CreateLogger<BasicAuthenticationMiddleware>(),
            "Realm", ValidateUser);
        // Transform claims to the application identity; add additional claims if needed
        app.UseClaimsTransformation(TransformClaims);
    }
}
```
It sounds like you are looking for externalized authorization. Externalized authorization is the act of:
decoupling business logic from authorization logic
expressing authorization logic as centrally managed, centralized authorization policies
protecting your APIs through a common layer
enabling fine-grained & dynamic access control through the use of attribute-based access control (ABAC) which extends what's possible with RBAC (role-based access control).
Have a look at XACML, the eXtensible Access Control Markup Language. You can find some more information on OASIS's website.
Also check out NIST's project on ABAC.
Once you have defined your authorization logic, you can decide how to enforce it. This can be done either via direct enforcement at the entry point of your apps, or in a provisioning way whereby the permissions derived from the authorization policies are fed into an authentication token, e.g. SAML, as attribute assignments.
HTH
This is what I ended up designing for a system with similar requirements. The key is to separate the authentication and authorization logic.
Build Owin authentication middleware components that take care of establishing user identity based on various login methods you mentioned. Looks like you have this accomplished. Set ASP.NET identity based on the user.
Retrieve the roles/permissions for the logged in user from your store. This can be done as a separate Owin middleware or a part of your authentication. Add the permissions as Claims to your Principal.
Extend your roles/permissions store to map API service operations to the application permissions.
Implement a custom API Authorize attribute and apply it to every API operation. In this attribute you will have access to the operation name and the user Claims (permissions). Match the Claims with the permissions you mapped in the step above. If there is a match, return IsAuthorized=true, otherwise, return false.
Here is a similar issue at a simpler level.
How do you setup mixed authorizations for different authentications in .net (web api 2 + owin)

How to configure LDAP authentication module instance in OpenAM

I am trying to protect a Java servlet with OpenAM + J2EE tomcat agent. I got this part working by using embedded OpenDJ of OpenAM.
Now I am trying to authenticate against an LDAP server, so I added an LDAP module instance for OpenAM, but I get "User has no profile in this organization" when I try to use the uid/password of a user from that LDAP store.
I checked the OpenAM administration guide on this; the description is rather brief. I am wondering if it is even possible to do this without using the data store configured for OpenAM?
The login process in OpenAM is made of two stages:
Verifying credentials based on the authentication chain and individual authentication module configurations
User profile lookup
By configuring the LDAP authentication module you took care of the authentication part, however the profile lookup fails as you haven't configured the user data store (see data stores tab). Having a configured data store allows you to potentially expose additional user details across your deployment (e.g. include user attributes in SAML assertions or map them to HTTP headers with the agent), so in most of the scenarios having a data store configured is necessary.
In case you still don't want to configure a data store, then you can prevent the user profile lookup failure by going to Access Control -> <realm> -> Authentication -> All Core Settings -> User Profile Mode and set it to Ignore.
This is unrelated to authentication but it's related to authorization ... you have to configure appropriate policies ... see OpenAM docs.
Agents will enforce authorization, OpenAM determines if the user has the permission to access a protected resource.
As Bernhard has indicated authentication is only part of the process of granting access to a user. He is referring to using a Policy to control access.
Another method is to check if the authenticated user is a member of the desired group programmatically. This can be useful when you want access control over resources that OpenAM doesn't know about (e.g. specific data).
For example, let's say that you want different groups to have access to different rows in a table in a database. You can retrieve the group information associated with the user and add that to your database query, thus restricting the data returned.
I'm sure that you could do this with OpenAM as well, using custom modules to allow the policy to use information in the database as a resource, but I've found it is much simpler to perform this fine-grained access control in your code, and it is in all likelihood significantly faster.