Discover our knowledge. Read our blogs!

Learn more

We build all our solutions with WSO2 and we are proud that we are Platinum Value-Added Reseller of WSO2.

Learn more

Enforce authorization for service provider with WSO2 Identity Server

Enforce authorization for service provider with WSO2 Identity ServerWSO2 Identity Server (IS) supports various authentication protocols, such as SAML2, OpenID and WS-Federation Passive, to seamlessly integrate different service provider applications according to standards. Once service providers are integrated with WSO2 IS, user authentication for service providers will be handled by WSO2 IS.

Although login is centralized, service providers might have the requirement to allow or restrict access for certain users by enforcing certain authorization rules. For example, an application from an HR service provider only allows users with an HR role to access the application and must deny access to other users. 

In WSO2 IS, the XACML feature enforces different kind of authorization in the login flow. For example, this blog post explains how to configure WSO2 IS to perform role-based authorization with XACML when a user tries to login to a service provider.

yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-1

PICKUP DISPATCH is a web application configured to use the WSO2 IS for user authentication. Identity Server has two different type of users, manager and staff. A Manager user has the role assigned of manager and staff users has the role assigned of staff. Access to the web application should only be allowed to the manager and restricted to staff users.

To run the example in this WSO2 Tutorial you must have the following prerequisites in place:

  • WSO2 Identity Server 5.10.0
  • Apache Tomcat 0.29
  • Sample web application - pickup-war

Step 1 - Configure Service Provider

  • Configure the service provider for the pickup-dispatch application. Go to Service Providers > Click on Add > Select Manual Configuration Mode > Register a service provider called “pickup-dispatch
yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-2
  • Expand Inbound Authentication Configuration > OAuth/OpenID Connect Configuration > Configure
yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-3
yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-4
  • Write down the OauthClientKey and OauthClientSecret of the service provider for later use.
yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-5
  • Expand Local & Outbound Authentication Configuration > Select the Enable Authorization check box
yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-6
  • Click on Update to save the service provider configuration.

Step 2 - Configure XACML Policy 

  • Open Entitlement-> Policy Administration -> authn_role_based_policy_template
yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-7
  • This template is designed to authorize the user based on the user role in authentication flow
yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-8
  • Configure template:
    • Replace the policy id with a unique name g“pickup-dispatch-role-based-access”
    • Replace SP_Name with the name of  the service provider “pickup-dispatch”
    • Replace ROLE_1 with role “manager” (in this example, a user with the role manager only has access to the service provider app
    • Remove the ROLE_2 section (in this example only one role is used, but multiple roles can be handled by extending the template)
yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-9
  • Save the policy  > Publish to MyPDP
yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-10

yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-11

Step 3 - Create users and roles 

  • Create the roles manager and staff. Users and Roles > Add > Add New Role > Give the Role Name > Click Next > Give login permission > Click Finish
yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-12
yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-14
  • Create manager and staff users and associate the manager role to manager and the staff role to staff. Users and Roles > Add > Add New User > Give username and credentials > Click Next > Assign roles > Click Finish"
yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-15yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-16

Step 4 - Setup sample web app 

  • Extract the web app pickup-war to apache-tomcat/webapps
  • Open dispatch.properties located at: pickup-dispatch/WEB-INF/classes
  • Replace consumerKey and consumerSecret values with the OAuth client key and the OAuth client secret value of the previously created service provider. Update the value of scope to “openid internal_application_mgt_view”
yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-17
  • Start the tomcat server

Step 5 - Verify Login

yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-18
  • Login as a staff user who has the staff role assigned. The result would be authentication failed due to authorization fail.
yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-19
  • Login as a manager user who has the manager role assigned. The result would be login is successful with user role authorization.
yenlo_blog_2020-06-11_enforce-authorization-for-service-provider_figure-20

Conclusion  

WSO2 Identity Server provides out-of-the-box support to engage XACML policies in the authentication flow to enforce authorization requirements. XACML can not only be used to enforce role-based authorization, but also to enforce other fine-grained access control. For example, restricting access to a service provider within a certain time period, granting access to a service provider based on user’s claim values, et cetera.

If this blog sparks any questions for you don’t hesitate to leave a comment below the or contact us.

Download your copy of the Identity & Access Management Selection Guide

Care to share?
   
Picture of Jenanathan Yogendran
Published June 11, 2020

Jenanathan Yogendran

Jenananthan is an Integration Consultant with more than 5 years experience in middleware integration and development. He has been part of several integration projects and his specialities are WSO2 Enterprise Service Bus, WSO2 API Manager and WSO2 Identity Server.

Responses

Stay up to date with the latest articles