On Mon, May 27, 2019 at 12:28 PM Johann Nallathamby <[email protected]> wrote:
> IAM Team,
>
> Lately I've been thinking of a way to support dynamic roles in WSO2 IS.
> What triggered me was, we already have a tool to author dynamic role
> policies with XACML, albeit its shortcomings. Moreover the limitations in
> the tool are an orthogonal problem to this use case I believe. What is
> missing is an approach to transfer the decision to the service provider as
> part of the authentication response assertion, instead of doing a separate
> authorization call to the XACML PDP.
>
> I suggest the following approach:
>

+1 for the approach. This looks like a good usage of the capabilities of XACML.

> 1. A user can define a XACML policy with multiple rules, each rule
> corresponding to a dynamic role condition.
> 2. Define an obligation statement for the rule permit criteria and provide
> the dynamic role name as the obligation statement value.

An Advice element may be more suitable than an Obligation element in XACML, as it just contains some information (the dynamic role name).

> 3. The dynamic role names will have a convention. E.g. Dynamic_Role_XXX.
> 4. Extend the default authorization handler in the authentication
> framework, to read the obligations returned from the XACML authorization
> engine, collect all the obligation statements that start with
> "Dynamic_Role_", and add those dynamic role names minus the convention
> prefix, as a multi-valued claim with a special claim URI to the response
> assertion.

There is something called AdviceId in the Advice element; we can have a convention for it and retrieve the value from the attribute value. Sample advice [1].

> 5. Now the service provider, who can find the dynamic role names based on
> the special claim URI, understands the meaning of each dynamic role and can
> enforce them on the service provider side.
>
> Thoughts?

[1] http://xacmlinfo.org/2015/01/14/use-xacml-advice-elements-to-generate-detail-decisions/

Thanks,
Asela.

> Thanks & Regards,
> Johann
>
> --
> *Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [email protected]

--
Thanks & Regards,
Asela
Mobile : +94 777 625 933
http://soasecurity.org/
http://xacmlinfo.org/
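The extraction step discussed in the thread (step 4, with Asela's AdviceId convention), as an added worked example that is not part of the thread or of WSO2 Identity Server's code: it parses a XACML 3.0 PDP response, honours Advice and Obligation ids only on a Permit result, strips the "Dynamic_Role_" prefix, and shapes the names as a multi-valued claim. The claim URI, the sample responses and the helper names are constructed for illustration; the thread only says "a special claim URI".

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# XACML 3.0 core namespace used by the PDP's <Response>.
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}

# Naming convention from the thread: ids starting with this prefix carry a dynamic role.
DYNAMIC_ROLE_PREFIX = "Dynamic_Role_"
# Hypothetical claim URI for the multi-valued claim (the thread does not name one).
DYNAMIC_ROLE_CLAIM_URI = "http://example.org/claims/dynamicRole"


def _role_from_id(identifier: str, prefix: str) -> Optional[str]:
    """Return the role name with the convention prefix stripped, or None if it does not match."""
    if identifier.startswith(prefix) and len(identifier) > len(prefix):
        return identifier[len(prefix):]
    return None


def extract_dynamic_roles(response_xml: str, prefix: str = DYNAMIC_ROLE_PREFIX) -> List[str]:
    """Collect dynamic role names from a XACML 3.0 <Response>.

    Only Permit results are honoured: Advice or Obligations attached to a Deny,
    NotApplicable or Indeterminate result must never grant a role. Both AdviceId
    (Asela's suggestion) and ObligationId (Johann's original step 2) are
    recognised; duplicates are dropped while preserving order.
    """
    root = ET.fromstring(response_xml)
    roles: List[str] = []
    for result in root.findall("x:Result", NS):
        if result.findtext("x:Decision", default="", namespaces=NS) != "Permit":
            continue
        ids = [a.get("AdviceId", "") for a in result.findall("x:AssociatedAdvice/x:Advice", NS)]
        ids += [o.get("ObligationId", "") for o in result.findall("x:Obligations/x:Obligation", NS)]
        for identifier in ids:
            role = _role_from_id(identifier, prefix)
            if role is not None and role not in roles:
                roles.append(role)
    return roles


def build_dynamic_role_claim(response_xml: str) -> Dict[str, List[str]]:
    """Shape the roles as the multi-valued claim the handler would add to the assertion."""
    roles = extract_dynamic_roles(response_xml)
    return {DYNAMIC_ROLE_CLAIM_URI: roles} if roles else {}


# Constructed sample PDP responses (not real WSO2 output).
PERMIT_RESPONSE = f"""
<Response xmlns="{XACML_NS}">
  <Result>
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <AssociatedAdvice>
      <Advice AdviceId="Dynamic_Role_Manager">
        <AttributeAssignment AttributeId="urn:example:reason"
            DataType="http://www.w3.org/2001/XMLSchema#string">department head</AttributeAssignment>
      </Advice>
      <Advice AdviceId="Dynamic_Role_Auditor"/>
      <Advice AdviceId="Dynamic_Role_Manager"/>
      <Advice AdviceId="urn:example:log-access"/>
    </AssociatedAdvice>
    <Obligations>
      <Obligation ObligationId="Dynamic_Role_Approver"/>
    </Obligations>
  </Result>
</Response>
"""

DENY_RESPONSE = f"""
<Response xmlns="{XACML_NS}">
  <Result>
    <Decision>Deny</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <AssociatedAdvice>
      <Advice AdviceId="Dynamic_Role_Manager"/>
    </AssociatedAdvice>
  </Result>
</Response>
"""

if __name__ == "__main__":
    print(build_dynamic_role_claim(PERMIT_RESPONSE))  # Manager, Auditor, Approver
    print(build_dynamic_role_claim(DENY_RESPONSE))    # {} : nothing granted on Deny
```

The Permit check matters because a policy author can attach Advice with AppliesTo="Deny"; a handler that blindly collected every id starting with the prefix would turn a denial into a role grant. Ids that match the prefix alone (an empty role name) are also rejected.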
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
