IAM Team,

Lately I've been thinking of a way to support dynamic roles in WSO2 IS. What triggered me was that we already have a tool to author dynamic role policies with XACML, despite its shortcomings. Moreover, the limitations in the tool are an orthogonal problem to this use case, I believe. What is missing is an approach to transfer the decision to the service provider as part of the authentication response assertion, instead of doing a separate authorization call to the XACML PDP.

I suggest the following approach:

1. A user can define a XACML policy with multiple rules, each rule corresponding to a dynamic role condition.
2. Define an obligation statement for the rule's permit criteria and provide the dynamic role name as the obligation statement value.
3. The dynamic role names will have a convention, e.g. Dynamic_Role_XXX.
4. Extend the default authorization handler in the authentication framework to read the obligations returned from the XACML authorization engine, collect all the obligation statements that start with "Dynamic_Role_", and add those dynamic role names, minus the convention prefix, as a multi-valued claim with a special claim URI to the response assertion.
5. Now the service provider, who can find the dynamic role names based on the special claim URI, understands the meaning of each dynamic role and can enforce them on the service provider side.

Thoughts?

Thanks & Regards,
Johann

--
Johann Dilantha Nallathamby | Associate Director/Solutions Architect | WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [email protected]
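As an added illustration of steps 2 to 4 above (not code from the original post or from WSO2 IS), the routine below reads a constructed XACML 3.0 response, keeps only obligation values from Permit results that carry the Dynamic_Role_ prefix, strips the prefix, and packs the names into one multi-valued claim. The claim URI, the comma separator and the use of an AttributeAssignment as the obligation value carrier are assumptions.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ROLE_PREFIX = "Dynamic_Role_"
# Assumed claim URI; the post only says "a special claim URI".
DYNAMIC_ROLE_CLAIM_URI = "http://example.org/claims/dynamicRoles"

# Constructed sample XACML 3.0 response: a Permit with three obligations,
# one of which does not follow the naming convention and must be ignored.
SAMPLE_RESPONSE = f"""<Response xmlns="{XACML_NS}">
  <Result>
    <Decision>Permit</Decision>
    <Obligations>
      <Obligation ObligationId="urn:example:obligation:dynamic-role">
        <AttributeAssignment AttributeId="urn:example:role"
            DataType="http://www.w3.org/2001/XMLSchema#string">Dynamic_Role_Approver</AttributeAssignment>
      </Obligation>
      <Obligation ObligationId="urn:example:obligation:dynamic-role">
        <AttributeAssignment AttributeId="urn:example:role"
            DataType="http://www.w3.org/2001/XMLSchema#string">Dynamic_Role_Auditor</AttributeAssignment>
      </Obligation>
      <Obligation ObligationId="urn:example:obligation:log">
        <AttributeAssignment AttributeId="urn:example:msg"
            DataType="http://www.w3.org/2001/XMLSchema#string">audit-login</AttributeAssignment>
      </Obligation>
    </Obligations>
  </Result>
</Response>"""


def dynamic_roles_from_response(xacml_response: str) -> list:
    """Return prefix-stripped dynamic role names from Permit results only."""
    root = ET.fromstring(xacml_response)
    ns = {"x": XACML_NS}
    roles = []
    for result in root.findall("x:Result", ns):
        # Obligations attached to Deny/NotApplicable/Indeterminate are not roles.
        if result.findtext("x:Decision", default="", namespaces=ns) != "Permit":
            continue
        for assignment in result.findall(
                "x:Obligations/x:Obligation/x:AttributeAssignment", ns):
            value = (assignment.text or "").strip()
            if value.startswith(ROLE_PREFIX):
                roles.append(value[len(ROLE_PREFIX):])
    return roles


def build_dynamic_role_claim(xacml_response: str, separator: str = ",") -> dict:
    """Map the collected role names to a single multi-valued claim (assumed separator)."""
    roles = dynamic_roles_from_response(xacml_response)
    return {DYNAMIC_ROLE_CLAIM_URI: separator.join(roles)} if roles else {}
```

The service provider then splits the claim value on the separator and applies its own meaning to each role name, as step 5 describes.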
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
