Comment: Published by Scroll Versions from space IDS and version 8.2.0

The authorization policy defines what data is delivered to the Web Applications. In practice, the authorization policy adds attributes, each with a name and a value, to the ticket response message for a web application. No other attributes are delivered to the web application. In this way, the information about a user that is exposed to applications can be restricted. For data security, it is best practice to send only the minimum amount of information the web application requires. For this reason, it is strongly recommended to use an authorization policy for all web applications.

An authorization policy can be used to assign Application-specific roles to users based on their group membership.

Arbitrary attribute names and values can be sent using the text tag. For example, if an application accepts an attribute called LOGONAME to customize the main screen appearance, this field could be set explicitly to EXAMPLE COMPANY for all users of that application.

Values from a user's directory record can be sent under arbitrary attribute names using the user tag. For example, if an application requires the user's mobile phone number in a variable called MOBILE, the user tag maps the directory attribute to that name. User attribute data can optionally be Base64 encoded using the binary tag.

Attributes from Authentication Methods can also be optionally renamed and sent to Web Applications. For example, TUPAS sends Personal Identity Numbers in a field called CUSTID, which can be renamed to PERSONALID before passing to the application.

Authorization policies can be used for Attribute Based Access Control (ABAC) by checking for the presence or absence of a user or method attribute.
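The following is an added example, not Ubisecure code and not the product's policy file format: a small Python model of how a ticket response is assembled from the rule types described above (text, user, binary, method renaming, group-to-role mapping and an ABAC presence check). The rule dictionary layout, the field names and the sample user record are assumptions constructed for illustration. The point it makes visible is the minimum-disclosure property: attributes that no rule names (here the directory field "ssn") never reach the application.

```python
import base64

# Constructed sample data (not taken from any real directory or authentication method).
USER = {
    "uid": "alice",
    "mobile": "+358401234567",
    "mail": "alice@example.com",
    "memberOf": ["cn=admins,ou=groups", "cn=staff,ou=groups"],
    "ssn": "010180-123A",          # present in the directory, never named by a rule
}
METHOD_ATTRS = {"CUSTID": "010180-123A", "BANK": "examplebank"}

# Hypothetical policy representation; the rule types mirror the documented tags,
# the dictionary keys are assumptions of this example.
POLICY = [
    {"type": "text",    "name": "LOGONAME",   "value": "EXAMPLE COMPANY"},
    {"type": "user",    "name": "MOBILE",     "source": "mobile"},
    {"type": "binary",  "name": "MAILB64",    "source": "mail"},
    {"type": "method",  "name": "PERSONALID", "source": "CUSTID"},
    {"type": "role",    "name": "role", "group": "cn=admins,ou=groups", "value": "app-admin"},
    {"type": "require", "source": "user", "attr": "mobile"},   # ABAC: deny if absent
]


def evaluate(policy, user, method_attrs):
    """Return (allowed, attributes).

    Only attributes explicitly named by a rule are copied into the response;
    a failed 'require' rule denies access and releases nothing.
    """
    out = {}
    for rule in policy:
        kind = rule["type"]
        if kind == "text":
            # Fixed name and value for every user of the application.
            out[rule["name"]] = rule["value"]
        elif kind == "user":
            # Directory attribute sent under an application-chosen name.
            value = user.get(rule["source"])
            if value is not None:
                out[rule["name"]] = value
        elif kind == "binary":
            # Same as 'user', but the value is Base64 encoded.
            value = user.get(rule["source"])
            if value is not None:
                out[rule["name"]] = base64.b64encode(str(value).encode()).decode()
        elif kind == "method":
            # Attribute from the authentication method, renamed.
            value = method_attrs.get(rule["source"])
            if value is not None:
                out[rule["name"]] = value
        elif kind == "role":
            # Application-specific role granted on group membership.
            if rule["group"] in user.get("memberOf", []):
                out.setdefault(rule["name"], []).append(rule["value"])
        elif kind == "require":
            # ABAC presence check against the user record or the method attributes.
            source = user if rule["source"] == "user" else method_attrs
            if rule["attr"] not in source:
                return False, {}
        else:
            raise ValueError(f"unknown rule type: {kind}")
    return True, out


if __name__ == "__main__":
    allowed, attrs = evaluate(POLICY, USER, METHOD_ATTRS)
    print(allowed, attrs)
```

A user without the attribute named by the require rule is refused before any attribute is released, and a user attribute that no rule references is simply absent from the result; that is the behaviour to verify when reviewing a policy for an application that should see as little as possible.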

The same authorization policy can be reused and assigned to many different web applications. A web application can only have one authorization policy assigned to it. Assigning a new Authorization Policy to a Web Application replaces the existing policy.

The ticket response protocol also defines special semantics for some attribute names, such as "username" and "role". The web application that receives a ticket response message may implement functionality based on the ticket response attributes. For example, the Ubisecure BEA WebLogic Agent implements J2EE declarative and programmatic authorization based on the values of the username and role attributes. The Ubisecure Web Agent for ASP.NET implements MembershipProvider and RoleProvider based on the values of the username and role attributes, if the Membership and Role Provider functions are used.

Below is an example of an authorization policy when using an SQL database as the user repository.


Figure 1. Attributes in Authorization Policy

...

Once the Authorization Policy is ready, remember to assign it to the required Application.

Figure 4. Attributes at the application when successfully signed in

...