Authorization configuration - CustomerID

Ubisecure CustomerID SSO Adapter is a critical component in the authentication process. If it is not installed or if it is configured incorrectly, authentication will fail. For more detailed information on installing and upgrading Ubisecure CustomerID SSO Adapter, please refer to the pages  Installation - CustomerID and Upgrade - CustomerID .

Ubisecure CustomerID SSO Adapter can be used as such if no special role sets are required for Ubisecure CustomerID service providers. Often it is required that only certain roles are included to authentication responses for different service providers (applications).

The Ubisecure CustomerID SSO Adapter authorization configuration is located in a file called eidm2-authorizer.properties. By default the configuration file is empty, which is sufficient for a standard Ubisecure CustomerID installation which utilizes the Ubisecure Directory for resolving user's roles.

Policies

If needed, different role sets can be defined in the configuration file for use with different services. These sets are called policies and can be defined as follows:

policy.N.name

Defines the name of the policy. The policy name is later used in Ubisecure SSO Management with eidm:roles:<name> when defining the authorization policies for service providers.

policy.N.include

Specify the way in which roles are included or excluded. Valid values are whitelist and blacklist. White listing causes only the defined roles to be included in user's final role set. Black listing causes the defined roles to be omitted from user's roles. If this key is omitted, black listing will be used.

policy.N.roles.M

Roles for a policy are defined using separate key for each role where M starts from 1 onwards.

policy.N.mapping.M

Policies can contain zero to several role mappings. A role mapping translates a role to another role. This allows for instance several roles to be seen as one by the target application. Role mappings can also be used to map any role string to arbitrary role string. Role mapping for a policy are defined with key policy.N.mapping.M, where M runs from 1 onwards and keys' values are names of role mappings defined elsewhere in the configuration.

# example role mapping
policy.1.mapping.1 = mapping # name of the mapping can be an arbitrary string
policy.1.mapping.2 = mapping2

Role Mappings

Role mappings provide a way to translate role names in the Ubisecure CustomerID system to other arbitrary strings in the respective entity scope of the original role. Only mappings used by the policies are read by the authorizer. A mapping is defined by two keys; first key is the name of the mapping as written in a policy definition and its value is the role that should be translated, the second key is the mapping name suffixed with ".name" and its value is the string which will be the resulting role name.

Consider the following mapping:

mapping = eIDMUser
mapping.name = normalUser

This would translate all the eIDMUser roles of a user to normalUser where the policy using this mapping is used.

Example Configuration

For instance, consider the following configuration:

# policy
policy.1.name = 
policy.1.include = whitelist
policy.1.roles.1 = OrganizationMainUser
policy.1.roles.2 = OrganizationUser
policy.1.mapping.1 = defaultUserMapping
policy.1.mapping.2 = adminUserMapping 

#role mappings
# OrganizationUser -> defaultUser
defaultUserMapping = OrganizationUser 
defaultUserMapping.name = defaultUser
# OrganizationMainUser -> adminUser
adminUserMapping = OrganizationMainUser
adminUserMapping.name = adminUser

This defines a policy which only relays user's roles OrganizationMainUser and OrganizationUser translating them to adminUser and defaultUser respectively.

Organization Path

Beginning with Ubisecure CustomerID 2.11.1, it is possible to send user's hierarchical organization name to the application that sits behind the Ubisecure SSO web agent using a configured authorization policy. Many times user's organization is in some form of a hierarchy and the application might need to know this hierarchy. To send the hierarchical organization name, use eidm:organization in the authorization policy attribute value. Here is an example that would send hierarchical organization name in an attribute called organization:

organization eidm:organization

You can add this configuration to the Ubisecure SSO's authorization policy using the Ubisecure SSO Management web application's policy editor.

Structured Role Organization Information

Beginning with Ubisecure CustomerID 4.4.0 authorizer can provide structured information about user's roles' respective organizations in a JSON format. These data can be included in the authorization policy by invoking the authorizer with orgclaims parameter, i.e., using 'eidm:orgclaims' as the value in an authorization policy's attribute.

The parameter supports different authorization role filtering and mappings similar to the eidm:roles operation (see the examples above). The desired policy should can be given to the operation as a parameter separated by colon, i.e., eidm:orgclaims:<policy name>.
Using an authorization policy rule: 

roleorgs eidm:orgclaims

will insert a JSON array in the roleorgs attribute of the authentication response with organization information. The response JSON contains basic data and attributes of all the organizations where a user has any roles.

Example Orgclaims Response

User has two roles Customers/1234/Representative and Organizations/OrganizationUser. The following is an example of a JSON response for the user.

[
{ "organizationClass" : "CustomerClass", "customerid"
: "1234", "technicalName" : "1234",
"roles": ["Customers\/1234\/Representative"],
"friendlyName" : "Customer 1234",
"entityName":"Customers\/1234" },
{ "organizationClass" : "OrganizationClass",
"technicalName" : "Organizations", "roles" :
["Organizations\/OrganizationUser"], "friendlyName" :
"Organizations container", "entityName":"Organizations"
}
]


Structured Role Delegation Information

Beginning with Ubisecure CustomerID 4.6.1 authorizer can provide information about delegated roles to the user in a JSON format. This data can be included in the authorization policy by invoking the authorizer with delegations parameter, i.e. using eidm:delegations as the value in an authorization policy's attribute.

Example Delegations Response

The following is an example of a JSON response.

[
{
"role":"Services/Service1/Role1",
"mandate":"<mandate ID>",
"organization":"UserOrgs/UserOrg1" },
{
"role":"Services/Service2/Role2",
"mandate":"<mandate ID>",
"organization":"UserOrgs/UserOrg2" }
]


Authorization Policies

In this section, we explain how roles and user attributes will be passed on to the applications/services in SAML messages during the authentication and authorization process.

The authorization policy is used to define the data that is delivered to the applications behind Service Providers (SP). In practice, the authorization policy adds attributes with a name and a value to the SAML message for a web agent. No other attributes are delivered to the service provider. In this way, the information exposed about a user to applications can be restricted. For data security, it is best practice to send only the minimum amount of information required by the web agent. For this reason, it is strongly recommended to use an authorization policy for all service providers.

You can add authorization policies using the Ubisecure SSO Management web application's policy editor.
Usually an authorization policy contains all or some of the user's Ubisecure CustomerID roles. It may also contain other application-specific roles that are based on user's group memberships. In addition to role definitions also user attributes are commonly defined in the authorization policy. User attributes can be collected from the main user authentication data repository (default user attributes) or from the internal Ubisecure CustomerID database (custom user attributes). You may also select attributes from the organization under which the user is stored (organization attributes). Ubisecure CustomerID creates an authorization policy for itself but for the application, the configuration of authorization policies is done using the Ubisecure SSO Management application.

NOTE: The use of user or organization custom attributes requires that the Ubisecure CustomerID SSO Adapter has been installed from Ubisecure CustomerID release 3.4.0 or newer and Ubisecure SSO version is 6.3.1 or newer.

Formats of Different Types of Policy Values:

Ubisecure CustomerID roles: 			eidm:roles
Ubisecure CustomerID limited roles:		eidm:roles:<policy name>
Default user attributes:				user:<attribute name>
Custom user attributes: 				eidm:user:<attribute name>
Organization attributes: 				eidm:organization:<attribute name>


Example Configuration:

Name				Group			Value
--------------------------------------------------------
email 				eIDMUser 		user:mail
firstname 			eIDMUser 		user:givenName
surname 			eIDMUser 		user:sn
mobile 				eIDMUser 		user:mobile
organization		eIDMUser 		user:o
organizationName	eIDMUser 		user:../description
username 			eIDMUser 		user:uid
uniqueid 			eIDMUser 		user:cn
customerid 			eIDMUser 		eidm:customerid
role 				eIDMUser 		eidm:roles
userid 				eIDMUser 		eidm:user:userid



Another example concerning custom attributes:

customerid 						eidm:user:customerid
org.companyid 					eidm:organization:companyid