Authorization

By: Vipin Jain named 12 Jun 2017 at 1:25 a.m. CDT

19 Responses
Vipin Jain gravatar
Hello Team, We are implementing Google Authentication for SAML application and want to check if we can have authorization of users at Gluu before they are sent to SAML application. Here is the flow we are expecting and need help at Point 4 1. User access SAML Application with Gluu as IDP 2. User sent to Google Login from Gluu as its authentication 3. User authenticates against Google and request is sent back to Gluu 4. Gluu needs to check if the user is authorized to access the SAML Application and if yes, move to Point 5 5. User logged in successfully in SAML Application
CentOS72
closed

Answers

By Mohib Zico staff 12 Jun 2017 at 1:35 a.m. CDT

Copy
Mohib Zico gravatar
Hi Vipin, >> Gluu needs to check if the user is authorized How you are planning to implement this restriction on users?

By William Lowe user 12 Jun 2017 at 7:22 a.m. CDT

Copy
William Lowe gravatar
You can give users a specific role that would enable them to be authorized , but the saml application would need to enforce the policy. The Gluu server provides the ability to script policy. The application has to enforce the policy. If you control the saml app in question then yes, it is possible.

By Vipin Jain named 12 Jun 2017 at 8:47 a.m. CDT

Copy
Vipin Jain gravatar
Hi William, Thanks for the reply. I would need to control the authorization on Gluu level as i dont want to send the user to SAML App until the user is authorized. Something similar i found https://wiki.shibboleth.net/confluence/display/IDP30/ContextCheckInterceptConfiguration

By William Lowe user 12 Jun 2017 at 8:53 a.m. CDT

Copy
William Lowe gravatar
Hi Vipin, If it's supported by Shibboleth, then it is supported by the Gluu Server. Thanks, Will

By Vipin Jain named 12 Jun 2017 at 10:53 a.m. CDT

Copy
Vipin Jain gravatar
Thanks, But dont have an idea about how can i do the authorization at Gluu Server before user can login to SAML app

By Mohib Zico staff 12 Jun 2017 at 11:03 a.m. CDT

Copy
Mohib Zico gravatar
>> how can i do the authorization at Gluu Server before user can login to SAML app Vipin, The link you shared can be implemented in Gluu Server for sure as it's SAML is using Shibboleth. We can engage our resources if we get requests from customers or from some sections from Gluu Server community; as it need to be implemented in our velocity templates which Gluu Server is using to perform SAML operations. We haven't implemented this because mostly we are doing AuthZ in two ways: - Massively used: OpenID Connect + UMA - SAML authZ: Release some attribute to Trust Relationship which can differentiate users from AuthZ angle. Most of our EDU customers are using ePSA ( eduPersonScopedAffiliation ) or 'memberOf' attribute to achieve such AuthZ for their services. However I think you can also use [ePE](https://spaces.ais.ucla.edu/display/iamucla/eduPersonEntitlement) to achieve your AuthZ. If you have any question or confusion, please feel free to let us know.

By Vipin Jain named 12 Jun 2017 at 11:06 a.m. CDT

Copy
Vipin Jain gravatar
Thanks for the information. I am interested in doing below process, How can i use this in the Trust Relationship where i can use a attribute to check if a user is allowed to login to SAML application? SAML authZ: Release some attribute to Trust Relationship which can differentiate users from AuthZ angle. Most of our EDU customers are using ePSA ( eduPersonScopedAffiliation ) or 'memberOf' attribute to achieve such AuthZ for their services. However I think you can also use ePE to achieve your AuthZ.

By Vipin Jain named 13 Jun 2017 at 1:41 a.m. CDT

Copy
Vipin Jain gravatar
Hi Mohib, Did you get a chance to check the query? Thanks

By Mohib Zico staff 13 Jun 2017 at 1:53 a.m. CDT

Copy
Mohib Zico gravatar
Hi Vipin, You just need to specify which kind of people/group you need to specify in SP first. After that, populate and release that attribute from Gluu Server through Trust relationship.

By Vipin Jain named 13 Jun 2017 at 1:59 a.m. CDT

Copy
Vipin Jain gravatar
Hi Mohib, We dont control SP so we cannot modify the SP access control. What other ways we can control access at IDP side?

By Mohib Zico staff 13 Jun 2017 at 2:19 a.m. CDT

Copy
Mohib Zico gravatar
>> We dont control SP so we cannot modify the SP access control. How you are going to configure your Gluu Server configuration in SP then?

By Vipin Jain named 13 Jun 2017 at 2:59 a.m. CDT

Copy
Vipin Jain gravatar
We would give our metadata with instructions and they do the setup accordingly.

By Mohib Zico staff 13 Jun 2017 at 5:06 a.m. CDT

Copy
Mohib Zico gravatar
If you or your partners do not have any privilege to perform this operation in SP side, there is little hope to achieve AuthZ with SAML attributes frankly speaking.

By Vipin Jain named 13 Jun 2017 at 6:37 a.m. CDT

Copy
Vipin Jain gravatar
Thanks for that Mohib. Can we implement below in the flow i explained in the first for this ticket. Massively used: OpenID Connect + UMA?

By Mohib Zico staff 13 Jun 2017 at 7:40 a.m. CDT

Copy
Mohib Zico gravatar
Sure. UMA doc: https://gluu.org/docs/ce/3.0.1/admin-guide/uma/

By Mohib Zico staff 13 Jun 2017 at 7:44 a.m. CDT

Copy
Mohib Zico gravatar
Also.. I created an internal ticket on Shibboleth Context Checker configuration.

By Vipin Jain named 13 Jun 2017 at 8:07 a.m. CDT

Copy
Vipin Jain gravatar
Thanks, Do we know if can redirect users if users are not authorized?

By Vipin Jain named 14 Jun 2017 at 4:34 a.m. CDT

Copy
Vipin Jain gravatar
Hi Mohib, Did you get a chance to check this? I am exploring multiple options for this case and didnt come to a solution yet.

By Mohib Zico staff 14 Jun 2017 at 4:55 a.m. CDT

Copy
Mohib Zico gravatar
Hi Vipin, It's work in progress. Please note that there is no SLA on community issues. However it will implemented for sure, tested and if required a doc will be published. You will be notified.

Post an answer