Introduction to SSO Access Policy

Transcription

1 Introduction to SSO Access Policy ISAM appliance includes an advanced access control offering that can be used to create authentication policies to protect web resources. These authentication policies can perform step up and re authentication based on certain conditions or rules. While attaching authentication policies to web resources work fine, the federated single sign on flow cannot use these authentication policies for the following reasons 1. Federated single sign on is not a web resource based flow. 2. Contextual information about federation is unavailable for evaluation. In ISAM we introduced SSO Access Policy which allow step up and reauthentication during a single sign on flow. In this article, we will see the use of access policies during OIDC single sign on flow with prompt. OpenID Connect specification states this about prompt = login The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically login_required. Access Policy decisions SSO Access policy can be written in JavaScript, using the access policies a set of contextual federation information can be retrieved and a decision can be made based on the information. The three decisions are allow, deny and challenge. Let s look at JavaScript code snippets to call the different decisions Allow An allow decision allows the user to continue the single sign on flow. Deny var decision = Decision.allow(); context.setdecision(decision); A few things to note is the above code snippet Allow decision allows the user to continue with the single sign on flow. Allow decision does not take any parameters. Deny decision aborts the single sign on flow. var handler = new HtmlPageDenyDecisionHandler();

2 Challenge handler.setpageid("/access_policy/custom_deny_decision.html"); Sign on denied"); context.setdecision(decision.deny(handler)); A few things to note is the above code snippet Deny decision support two types of handler, one is a HTML page deny, the other is a Redirect deny. In the above snippet we use a HTML page deny, the handler supports calling a custom HTML page or using the OOTB HTML page, in the above example we set a custom HTML page using setpageid() function. A custom macro can be set using setmacro() function the macro can be retrieved at the custom HTML page. var handler = new RedirectDenyDecisionHandler(); handler.setredirecturi(" context.setdecision(decision.deny(handler)); A few things to note is the above code snippet In the above snippet we use Redirect deny decision, the handler can be used to redirect to a specific URI using setredirecturi(). Challenge decision halts the single sign on flow, for the user to complete a challenge. Challenge decision supports two types of handlers, RedirectChallengeDecision and HTMLPageChallenge. var handler = new RedirectChallengeDecisionHandler(); IDMappingExtUtils.traceString("CHALLENGE WITH TOTP"); handler.setredirecturi(" m:security:authentication:asf:totp&target= context.setdecision(decision.challenge(handler)); A few things to note is the above code snippet In the above example the user needs to complete a TOTP challenge before single sign can continue, this is done using the Redirect challenge decision. As the name suggest RedirectChallenge is to redirect to a server, in this case it is the server which is configured with the TOTP authentication policy. The redirect is performed to the following server a TOTP policy is being invoked via the PolicyId query parameter. Target query parameter is used to inform the server about the URI to redirect to, once the redirect challenge is complete.

3 When a redirect challenge is called during single sign on, the single sign on flow halts till the challenge completes and it resumes once a call to the is made, where is the point of contact of the federation is the endpoint to resume the single sign is a special macro that will be automatically populated by the runtime. var handler = new HtmlPageChallengeDecisionHandler(); handler.setpageid("/access_policy/test.html"); handler.setmacro("@message@", Challenge decision ); context.setdecision(decision.challenge(handler)); A few things to note is the above code snippet Challenge decision calling a custom HTML page where the user is asked to perform an action before the single sign on can continue, in the above example we call a custom HTML page using setpageid() function. A custom macro can be set using setmacro() function the macro can be retrieved at the custom HTML page. The above decision can be made based on the contextual information, let look at the various contextual information available for decision making. Context Method Description User var user = context.getuser(); This function is used to retrieve user context user.getusername(); This function is used to retrieve username from user context user.getgroups(); This function is used to retrieve user groups from user context user.getattributes(); This function is used to retrieve user attributes from user context Request var request = context.getrequest(); This function is used to retrieve request context request.getparameternames(); This function is used to retrieve GET and POST parameters request.getcookies(); This function is used to retrieve cookies request.getheadernames(); This function is used to retrieve headers

4 Session var session = context.getsession(); This function is used to retrieve the session context session.getattribute("number"); This function is used to retrieve an attribute stored in the session, in this case number is retrieved from the session. session.setattribute("number", 10); This function is used to set an attribute into the session, in this case number is set to a value 10 in the session. session.removeattribute( number ); This function is to remove an attribute from the session. Protocol (SAML) var protocolcontext = context.getprotocolcontext(); the protocol context protocolcontext.getauthnrequest(); protocolcontext.getfederationid(); protocolcontext.getpartnerid(); protocolcontext.getfederationname(); protocolcontext.getpartnername(); Protocol (OIDC) var protocolcontext = context.getprotocolcontext(); protocolcontext.getauthenticationrequest(); protocolcontext.getclientid(); the authentication request from the protocol context the federationid request from the protocol context the partnerid request from the protocol context the federation name request from the protocol context the partner name request from the protocol context the protocol context the authentication request from the protocol context the clientid request from the protocol context

5 protocolcontext.getclientname(); protocolcontext.getdefinitionid(); protocolcontext.getdefinitionname(); the client name request from the protocol context the DefinitionId request from the protocol context the definition name request from the protocol context Scenario Description for prompt=login To run the OIDC Single Sign on flow with prompt = login as a parameter and see if the user is asked to login every time, even if user session exits. Technical Pre-requisites An ISAM configured as Open ID Connect and API protection definition with OIDC enabled with reverse proxy configured for the definition and Advanced Access Control module activate, Username password authentication mechanism configured, and a client configured. Execute isam aac config with the junction name /isam (Modify Secure Access Control -> Advanced Configuration -> attributecollection.servicelocation to /isam). An ISAM configured as OIDC relying party federation and partner with reverse proxy configured for federation.

6 Configuring the Solution To configure this solution, the following steps are required: Authoring an SSO access policy Uploading an access policy to the appliance. Configure the OpenID Connect and API protection definition to use the access policy. Configure username password authentication policy and WebSEAL ACL s. Test the solution by running an OIDC Single sign on flow. Authoring an SSO access policy When the relying party sends prompt =login as a parameter, the user is challenged with username password authentication challenge and then allowed to proceed with the single sign on. For this scenario, we are using the username password authentication policy available with Advanced Access Control. Let s look at the access policy JavaScript importclass(packages.com.ibm.security.access.policy.decision.decision); importclass(packages.com.ibm.security.access.policy.decision.htmlpagedenydecisionhandler); importclass(packages.com.ibm.security.access.policy.decision.redirectdenydecisionhandler); er); r); importclass(packages.com.ibm.security.access.policy.decision.htmlpagechallengedecisionhandl importclass(packages.com.ibm.security.access.policy.decision.redirectchallengedecisionhandle importpackage(packages.com.tivoli.am.fim.trustserver.sts.utilities); /* * Redirects a user to the authentication service, invoking the * username/password mechanism */ function getredirecttoauthsvc() {

7 var handler = new RedirectChallengeDecisionHandler(); IDMappingExtUtils.traceString("rediect to authsvc"); handler.setredirecturi(" ity:authentication:asf:password&target= } IDMappingExtUtils.traceString("returning challenge"); return handler; var prompt_login_demo = true; if(prompt_login_demo) { context.setdecision((function() { var request = context.getrequest(); var user = context.getuser(); if (user == null) { IDMappingExtUtils.traceString("User isnt authenticated"); return Decision.challenge(getRedirectToAuthSvc()); } else { // The current HTTP request contains authentication request. IDMappingExtUtils.traceString("Currently authenticated user: " + user); var responsetype = request.getparameter("response_type"); if (responsetype == null) { } else { // User is authenticated. var protocolcontext = context.getprotocolcontext(); var authenticationrequest = protocolcontext.getauthenticationrequest(); var authenticationcontext = authenticationrequest.getauthenticationcontext(); var promptval = authenticationcontext.getprompt();

8 IDMappingExtUtils.traceString("Prompt is: " + promptval); if (promptval!= null && promptval.contains("login")) { return Decision.challenge(getRedirectToAuthSvc()); } else { IDMappingExtUtils.traceString("Allowed"); return Decision.allow(); } } } IDMappingExtUtils.traceString("Allowed"); return Decision.allow(); })()); } Lets break down the access policy into smaller parts and discuss them in detail JavaScript code to check is a user context exists var user = context.getuser(); if (user == null) { IDMappingExtUtils.traceString("User isnt authenticated"); var handler = new RedirectChallengeDecisionHandler(); IDMappingExtUtils.traceString("rediect to authsvc"); handler.setredirecturi(" ity:authentication:asf:password&target= } IDMappingExtUtils.traceString("returning challenge"); return handler; A few things to note is the above code snippet If user context does not exist, we use a challenge decision, the challenge is used to authenticate the user. This is achieved using a RedirectChallenge handler.

9 As the name suggest RedirectChallenge is to redirect to a server, in this case it is the server which is configured with the authentication mechanism. The redirect is performed to the following server a username password policy is being invoked via the PolicyId query parameter. Target query parameter is used to inform the server about the URI to redirect to, once the redirect challenge is complete. When a redirect challenge is called during single sign on, the single sign on flow halts till the challenge completes and it resumes once a call to the is made, where is the point of contact of the federation is the endpoint to resume the single sign is a special macro that will be automatically populated by the runtime. JavaScript code snippet to check if user exists and retrieve the request parameters var request = context.getrequest(); IDMappingExtUtils.traceString("Currently authenticated user: " + user); var responsetype = request.getparameter("response_type"); A few things to note is the above code snippet If user context exists, we retrieve the request context and check if there is a response_type parameter in the request. JavaScript snippet if user context is not null and response_type is not null var protocolcontext = context.getprotocolcontext(); var authenticationrequest = protocolcontext.getauthenticationrequest(); var authenticationcontext = authenticationrequest.getauthenticationcontext(); var promptval = authenticationcontext.getprompt(); IDMappingExtUtils.traceString("Prompt is: " + promptval); if (promptval!= null && promptval.contains("login")) { var handler = new RedirectChallengeDecisionHandler(); IDMappingExtUtils.traceString("rediect to authsvc"); handler.setredirecturi(" ity:authentication:asf:password&target= IDMappingExtUtils.traceString("returning challenge"); return handler;

10 A few things to note is the above code snippet We retrieve the protocol context and then retrieve the authentication context, from the authentication context we get the prompt value. If prompt = login, we use a challenge decision, the challenge is to ask the user to reauthenticate. This is achieved using a RedirectChallenge handler. As the name suggest RedirectChallenge is to redirect to a server, in this case it is the server which is configured with the authentication mechanism. The redirect is performed to the following server a username password policy is being invoked via the PolicyId query parameter. Target query parameter is used to inform the server about the URI to redirect to, once the redirect challenge is complete. When a redirect challenge is called during single sign on, the single sign on flow halts till the challenge completes and it resumes once a call to the is made, where is the point of contact of the federation is the endpoint to resume the single sign is a special macro that will be automatically populated by the runtime. The entire access policy is attached in the downloads section. Download the access policy and upload it to the appliance. Uploading the access policy to the appliance Navigate to Secure Federation -> Access Policy. Click on Add and copy the contents of the access policy.

11 Create a access policy with the Name prompt, and select the Type as JavaScript and Category as OIDC, as show below : Save and deploy pending changes.

12 Configure the OpenID Connect and API protection definition to use the access policy Create a OpenID connect and API protection definition, with OIDC enabled, as shown below

13 Enable Access Policy by selecting the prompt as the access policy as shown above. Save and deploy pending changes. Configure username password authentication policy and reverse proxy ACL s We are using the username password authentication policy to authenticate the user, we need to configure it, navigate to Secure Access Control -> Authentication -> Mechanism and select Username Password mechanism and edit it as follows: The reverse proxy ACL s need to be configured such that they do not prompt the user for authentication, since the username password authentication policy is used for authentication. Detach the isam_oauth_anyauth ACL from the /WebSEAL/<Reverse Proxy>/isam/sps/auth endpoint Attach the isam_oauth_unauth ACL to the endpoint and Apply.

14 Test the solution by running a Single sign on flow Initiate a OIDC flow by accessing the authorize endpoint with the prompt =login parameter ps%3a%2f%2fwww.mysp.ibm.com%2fisam%2fsps%2foidc%2frp%2frp%2fredirect%2fpartner&respo nse_type=token+code+id_token&response_mode=form_post&state=y9h1eqad11&scope=openid&clie nt_id=clientid&prompt=login Login at the OP, and initiate another OIDC flow by accessing the authorize endpoint with the prompt =login parameter ps%3a%2f%2fwww.mysp.ibm.com%2fisam%2fsps%2foidc%2frp%2frp%2fredirect%2fpartner&respo nse_type=token+code+id_token&response_mode=form_post&state=y9h1eqad11&scope=openid&clie nt_id=clientid&prompt=login The user should be asked to login again, although a valid user session exists.