Manage authorization policies - SSO

The authorization policy is used to define what data is delivered to the actual applications associated with the Application configurations in SSO. In practice, the authorization policy adds attributes with name and value to the ticket response message for a web application. No other attributes are delivered to the web application. In this way, the information exposed about a user to applications can be restricted. For data security, it is best practice to send only the minimum amount of information required by the web application. For this reason, it is strongly recommended to use an authorization policy for all web applications.

An authorization policy can be used to assign Application-specific roles to users based on their group membership. For OpenID Connect, OAuth 2.0 and Mobile Connect applications it's also possible to provide attributes based on the values of scope parameter of the authentication request.

Arbitrary attribute names and values can be sent using the text tag. For example, if an application accepts an attribute called LOGONAME to customize the main screen appearance, this field could be set explicitly to EXAMPLE COMPANY for all users of that application.
Values from a user's directory record can be sent using arbitrary attribute names using the user tag. For example, if an application requires that the user mobile phone number is sent in a variable called MOBILE. User attribute data can optionally be Base64 encoded using the binary tag.

Attributes from Authentication Methods can also be optionally renamed and sent to Web Applications.

Authorization policies can be used for Attribute Based Access Control (ABAC) by checking for the presence or absence of a user or method attribute

The same authorization policy can be reused and assigned to many different web applications. A web application can only have one authorization policy assigned to it. Assigning a new Authorization Policy to a web application will replace the existing policy.

The ticket response protocol defines also special semantics for some attribute names, such as "username" and "role". The web application or web application that receives a ticket response message may implement functionality that is based on the ticket response attributes. For example, the Ubisecure BEA WebLogic Application implements J2EE declarative and programmatic authorization based on the values of the username and role attributes. The Ubisecure web application for ASP.NET implements MembershipProvider and RoleProvider based on the values of the username and role attributes, if Membership and Role Providers functions are used.

The main view of authorization policy is presented in Figure 1.

Figure 1: Authorization Policy main view
ObjectDescription
Ubilogin 2.x/3.0 backwards compatible

Authorization Policy was changed in Ubisecure SSO version 3.1. Please see Identity Server 2020.1 Release Notes for more information.
When this feature is selected, Authorization Policy works as in Ubisecure SSO 3.0. This feature is used to ease the migration process from Ubisecure SSO 3.0.

NOTE: By setting this value ON the web application can access all information that is derived from the used authentication method.

Single-Value AttributesSingle-value constraint fails for the defined attribute if more than one distinct value is assigned
Required AttributesThe required constraint fails for the defined attribute if no value is assigned

The components of the authorization policy consist of Single-Value and Required constraints. The constraints function is an aid for the application designer and legacy application compatibility. For example, if an application requires a mandatory attribute with the user information, for example email address, this check can be performed already by Ubisecure SSO. Similarly, if an application does not support multiple roles, this can be verified to ensure that only one role is sent during the authorization process. Thus, additional data validation at the application level is avoided.

If no Single-Value or Required attributes are set, no checking is performed on the Authorization Policy. Multiple attribute values with the same name can be sent and null values do not cause authorization failure.

If an attribute name is listed in the Single-Value Attribute list, authorization will fail if more than one attribute value with the same name is configured in the Authorization Policy.

If an attribute name is listed in the Required Attributes list, then an attribute with that name and a non-null value must be configured in the Authorization Policy.

In summary, the default constraint allows 0..N values assigned per attribute, single-value allows 0..1 values, required allows 1..N, and the combination of single-value and required allows 1..1 values.
Authorization will not succeed if any of the constraints fail.

Roles

The Roles view presents a simplified view into the authorization policy where the Site Manager is allowed to manage group – role associations. See the Figure 2.

Figure 2: Authorization roles
ObjectDescription
GroupClick Group or System name to edit group object
UpdateEdit role field and click Update to update group – role association
AddClick Add… to create a new association. By default the name of the group is used for the role name. You can change the role name. Any number of associations can be created. A single group may be associated with any number of roles.
RemoveSelect group check box and click Remove to remove group – role association.

Attributes

The Attributes view (see Figure 3) presents a more advanced view into the authorization policy.

Figure 3: Authorization Policy Attributes editor

In this view it is possible to associate groups and attributes of any name. The attribute value assigned to an attribute is entered as an attribute value.

AttributeDescription
GroupGroup to whom the policy item is linked to.
SiteTop level site of the policy item group.
Scope

Scope of the policy item.

If set, the specified scope value, or one of the values in case of multiple values, must be present in the authentication request for the policy item to be evaluated. Note that this can only be used with OpenID Connect, OAuth 2.0 and Mobile Connect applications. Other application integration protocols don't support attribute scopes, so for them policy items with scope anything other than empty value will not be evaluated.

Empty value means that the policy item is evaluated regardless of scope.

Multiple values can be separated by a space.

NameName of the authorization attribute.
ValueAttribute value. See the syntax below.
Name FormatSAML attribute name format, used in the SAML message. Usually not needed.
Friendly NameSAML attribute friendly name, used in the SAML message. Usually not needed.
UpdateUpdate the edited fields
AddAdd new group – authorization association for to this authorization policy
RemoveRemove the selected group – authorization association(s)

The syntax of the attribute value is as follows:

  • text:<string>
    → the value is <string>
  • user:<name>
    → the value is evaluated by reading the attribute <name> from the user's directory object. For example, user:uid would return the value of the uid attribute.
  • user:<name>;binary
    → LDAP binary option mechanism (http://www.rfc-editor.org/rfc/rfc2251.txt , Authentication and authorization process - SSO and Management customization - SSO → Disabling Context Menu items). The attribute <name> is returned to web applications as Base64 coded string. For example, user:objectGuid;binary would return value such as sFy0xj0cXU6QpjsQRCzG5Q== .
  • method:<name>
    → the value is evaluated by reading the attribute <name> assigned by the authentication method component. The availability of method attributes depends on the authentication method implementation.

Java EL expressions

It is possible to use Java EL expressions in place of attribute values. This enables more complicated techniques available in Java EL syntax for building attribute values, such as concatenation of strings.

For more information, refer to Expression language API - SSO.

Note: In the image above, there's the expression that sets the attribute's name to "role", so an attribute with name "Update NameID and add role 'manager'" would not be defined. Instead, the name of the policy item group is used here as a human-readable description.

Applications

This view shows the web applications where this authorization policy is assigned.

Figure 4: The list of applications that the selected authorization policy is applied to
ObjectDescription
AddAdd a group to the selected authorization policy
RemoveRemove the selected application(s) from this authorization policy

A single authorization policy may be assigned with any number of applications. A single application can be associated with one or zero authorization policies.