I'm using WSO2 Identity Server with XACML for authorization.
I have users with several roles in IS. The user must select one of them to enter the app. So I need to grant the user based only on one of all his roles.
I used port.getDecisionByAttributes(subject, resource, action, environment); of the EntitlementService for asking, via SOAP WS, the policy defined in XACML. The subject is the username. But it grants because it uses all the user's roles.
Example:
User: peter
Roles: rolegranted, rolenotgranted, otherrole
When peter enters the app and selects rolenotgranted, he should not access the resource.
When peter enters the app and selects rolegranted, he should access the resource.
How do I define the XACML policy? And which method of the EntitlementService should I use?
Thank you
Actually, you need to write role-based XACML policies in the PDP. The Entitlement service method that you are using is fine. You can send the username in the XACML request and verify the user's roles using the user store (via PIP). I would suggest you go through this blog. It explains how you can write a role-based XACML policy in WSO2IS and use it properly.
I finally met the requirements by passing the role in the subject arg of the getDecisionByAttributes method. WSO2 IS doesn't check if this subject exists, so I can pass anything here and test it in the policy rule.
Related
Was following the WSO2 course and landed on this. So far, only the admin account can publish an API. I just want the API creator to create the API and the API publisher to publish it.
I tried to create different roles and give them only the permissions they required, like creator > creates and publisher > publishes. That has not worked so far.
You can create roles from the management console and do the relevant role mappings from the Admin Portal. For example, if you want a user who can do CRUD operations on an API, you can assign a role which has the Internal/creator mapping to that user. Or if you need more fine-grained permissions, you can assign the relevant scopes in the Role Permissions section in the Admin Portal.
Please refer to https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-user-roles/#creating-user-roles for more information. This also explains which specific permissions (scopes) are applied to each of creator, publisher, etc. You can use that to get an idea of each role's capabilities.
I understand that users and roles in wso2is are used for managing the carbon console. How can I use roles and permissions in my web app, for example, define roles and permissions and apply policies using xacml?
You can follow this documentation to set up role-based authorization for your application.
For the permission-based authorization, you can assign those permissions to the role and achieve it.
I wanted to give privileges to a few users to edit a few entitlement policies in WSO2 Identity Server. Is it possible to do?
You can control the permission for entitlement policy management of users, but it cannot be applied per policy in the default WSO2 Identity Server.
In the WSO2 Identity Server management console, you can add a role with appropriate permissions for managing entitlement policies. Click on 'Add' under 'Users and Roles' and select 'Add New Role'. Give a role name and click Next to get the permission tree. You can select permissions as shown below.
We have a lot of systems which have their own authorization mechanisms. Our goal is to expose all of them through IS so we can manage all of them in a single place.
Our users are authenticated in LDAP but their roles are spread through several databases. As far as I can see, IS retrieves roles from the domain the user was authenticated in. Is it possible to retrieve roles from all user stores, ignoring the domain?
I've already tried both RemoteUserStoreManagerService.getRoleListOfUser and using claim http://wso2.org/claims/role.
In WSO2 you can only assign roles to a user if the roles are in the same user store domain the user belongs to. If the role is an internal role, then you can assign that role to any user in any user store.
Which API service did you use to try to retrieve the roles? And please explain more about your requirements.
Thanks
Isura
Could anybody explain why the operation assume-role-with-saml needs some parameters that are already in the saml-assertion, such as role-arn and principal-arn?
After some research I'm able to answer. I was asking why send the --role-arn parameter if it is already in the SAML assertion. In fact the SAML assertion can have more than one role, so in the API request it is necessary to identify which role should be assumed. I found the answer in this link
The Amazon documentation for assume-role-with-saml provides the information:
The --role-arn (string) option identifies the role that the caller is assuming.
The --principal-arn (string) option requires closer reading. Amazon says
The Amazon Resource Name (ARN) of the SAML provider in AWS IAM that describes the IdP.
The explanation for the latter is given a few paragraphs before:
Before your application can call assume-role-with-saml, you must configure your SAML identity provider (IdP) to issue the claims required by AWS.
The same page provides a link to Using Identity Providers, which explains the term:
Using identity providers, you can manage user identities outside of AWS, and you can give these external user identities permissions to use AWS resources in your account.
That is, you could associate an external user identity with a role using the --principal-arn option. The --role-arn option is not really optional, but a required parameter.
The saml-assertion (--saml-assertion (string)) option is additional "glue" which may be used to check permissions. Following the link in the description for this option to Configuring a Relying Party and Adding Claims, Amazon says
You also need to create appropriate claim rules in your IdP with AWS as a relying party. These rules map information about users and groups in your organization into appropriate SAML attributes. This lets you make sure that SAML authentication responses (assertions) from your IdP contain the necessary attributes that AWS uses in IAM policies to check permissions for federated users.
and in turn, that links to a page describing the assertions: Configure Assertions for the SAML Authentication Response
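To make the "more than one role" point above concrete, here is an added, constructed SAML attribute statement of the shape AWS expects (not taken from the question, the answer or the AWS documentation); the account id 123456789012, the role names and the provider name CorpIdP are placeholders.

```xml
<!-- Constructed example of the AttributeStatement inside a SAML response for AWS. -->
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <!-- Each value is "roleArn,providerArn". The assertion below offers two roles, so the
       caller must pick one with --role-arn; --principal-arn is the provider half of that
       same pair, so STS can verify the pair is one the IdP actually issued. -->
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
    <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
    <saml:AttributeValue>arn:aws:iam::123456789012:role/Developer,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
  </saml:Attribute>
  <!-- Becomes the session name in the assumed-role ARN, which is how the federated
       user is identified in AWS logs. -->
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
    <saml:AttributeValue>peter@example.com</saml:AttributeValue>
  </saml:Attribute>
  <!-- Optional: IdP-imposed upper bound on the session lifetime, in seconds. -->
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
    <saml:AttributeValue>3600</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
```

A request that names a role ARN not present in any Role value of the assertion is rejected, so the --role-arn parameter selects among what the IdP granted rather than extending it.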