
Google Summer of Code

Google Summer of Code participant: Isuri Anuradha

Organization: GFOSS - Open Technologies Alliance

Project description

WSO2 Identity Server is a popular open-source identity and access management (IAM) server used worldwide. It handles the complex task of identity management across enterprise applications, services, and APIs.

In this project's scenario, the user first authenticates against the primary userstore in WSO2 Identity Server (WSO2 IS), and the authenticated user's attributes are retrieved. From that attribute list, one specific attribute, pre-configured in the identity provider settings, is taken and used to call a web application that returns external claims. The values of those external claims are then included in the response object sent to the client application.

Figure 01. High level architecture diagram

Link to your project's GitHub page

Solution for the problem domain

Real-world use case where this solution applies

Consider a company with an LDAP directory as its primary userstore and a WSO2 Identity Server on top of it acting as the SSO mechanism. To comply with the EU General Data Protection Regulation (GDPR), employees must have access to the data held about them in the company's HR system. Employees are not users of the HR software, so they have no access to it. The HR software exposes a web service that, given an employee's External userID, returns data about that employee. External userID is an attribute in LDAP and a claim in WSO2 Identity Server. WSO2 Identity Server therefore needs to call the HR web service, passing the External userID as a parameter, retrieve the data from HR, and expose it as WSO2 Identity Server claims.

sequence_diagram 1

                                        Figure 02. Sequence Diagram

Why do we need a custom federated authenticator?

Federated authenticators are the WSO2 Identity Server mechanism for calling out to external identity providers. A custom one can be configured to reach out to an external application, perform the authentication step against it, and hand the response back to the Identity Server. That is exactly the hook needed to call the HR web service during login.

Figure 03. Design of the custom authenticator

In our custom federated authenticator there are three main methods.

  1. initializeAuthentication method

This method initiates the authentication request: it calls the web service, passing the security headers and the parameters required to extract the user's information.

  2. processAuthenticationResponse method

After the authentication request, this method obtains the external claims from the web application and passes them on for claim mapping.

  3. buildClaims method

This method maps the requested claims onto the local claims that already exist in the WSO2 claim dialect.

Besides that, the custom federated authenticator exposes all of its configuration through the Identity Provider UI. There are four properties to configure:

  • Token endpoint: the URL of the web service's token endpoint

  • UserInfo endpoint: the URL of the web service's user info endpoint

  • Username: the username used to authenticate to the web service

  • Password: the password used to authenticate to the web service

Why do we need a web service?

The web service obtains user info from the backend services and also provides a security layer in front of them. The process has two steps: the first authenticates the caller, and the second returns the user info. By implementing the interface shown in Figure 04 we can plug in any service; it can be an API or an LDAP service.

Figure 04. Design of the web service

Links to the implementations.

Requirements of the project

On the WSO2 Identity Server:

  1. Add a user and user profile to the WSO2 Identity Server.
  2. Add an identity provider to the WSO2 Identity Server.
  3. Add a service provider to the WSO2 Identity Server.

On the custom federated authenticator:

  1. Claim configuration.

A claim is a piece of information about a particular subject: anything the subject owns or is associated with, such as name, group, or preferences. Claims give a single, general notion for describing identity information about a subject. Here we need a mapping between the external claims returned by the HR web service and the local claims that already exist in WSO2 Identity Server. That requires defining a claim dialect on the identity provider, and the service provider configured in the Identity Server has to request those claims. External claims received from the external API/service are then mapped onto local Identity Server claims.
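As an added example (not code from the project; WSO2 authenticators are written in Java, this is a language-agnostic model), here is the mapping step that the buildClaims method and this claim configuration describe: external claims coming back from the HR service are translated into local WSO2 claim URIs, but only for the claims the service provider requested, and any requested claim that cannot be satisfied is reported instead of silently dropped. The HR-side attribute names and the dialect table are constructed for illustration; the http://wso2.org/claims/... URIs are WSO2's default local dialect.

```python
"""Map external (HR) claims onto WSO2 local claims, honouring only the claims
the service provider requested.  Added example; the HR attribute names and the
dialect table are constructed for illustration."""
from typing import Dict, Iterable, Tuple

# Constructed IdP claim dialect: external claim name -> local WSO2 claim URI.
# The http://wso2.org/claims/... URIs are WSO2's default local dialect; the
# HR-side names on the left are assumptions, not taken from the original page.
IDP_CLAIM_DIALECT: Dict[str, str] = {
    "hr_first_name": "http://wso2.org/claims/givenname",
    "hr_last_name": "http://wso2.org/claims/lastname",
    "hr_email": "http://wso2.org/claims/emailaddress",
    "hr_department": "http://wso2.org/claims/organization",
}


def build_claims(external_claims: Dict[str, str],
                 requested_local_claims: Iterable[str],
                 dialect: Dict[str, str] = IDP_CLAIM_DIALECT
                 ) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (mapped, problems).

    mapped   : local claim URI -> value, only for claims the SP requested.
    problems : local claim URI -> reason, for requested claims that could not be
               satisfied (no entry in the dialect, or absent from the HR response).
    Anything the HR service returns that the SP did not request is dropped, so
    the IdP never forwards more attributes than were asked for.
    """
    requested = set(requested_local_claims)
    local_to_external = {local: ext for ext, local in dialect.items()}
    mapped: Dict[str, str] = {}
    problems: Dict[str, str] = {}
    for local in sorted(requested):
        ext = local_to_external.get(local)
        if ext is None:
            problems[local] = "no mapping in IdP claim dialect"
            continue
        value = external_claims.get(ext)
        if value is None or value == "":
            problems[local] = f"external claim '{ext}' missing from response"
            continue
        mapped[local] = value
    return mapped, problems


# Constructed HR response; 'hr_salary' was not requested and must never reach the SP.
SAMPLE_HR_RESPONSE = {
    "hr_first_name": "Ada",
    "hr_last_name": "Lovelace",
    "hr_email": "ada@example.org",
    "hr_salary": "classified",
}

if __name__ == "__main__":
    mapped, problems = build_claims(
        SAMPLE_HR_RESPONSE,
        ["http://wso2.org/claims/givenname",
         "http://wso2.org/claims/emailaddress",
         "http://wso2.org/claims/organization",   # requested, mapped, but absent
         "http://wso2.org/claims/mobile"],        # requested but not in the dialect
    )
    for uri, value in mapped.items():
        print(f"{uri} = {value}")
    for uri, why in problems.items():
        print(f"unsatisfied {uri}: {why}")
```

The two failure modes are kept apart on purpose: a claim missing from the dialect is a configuration error on the identity provider, while a claim the HR service did not return is a data problem for that user, and an operator needs to know which one they are looking at.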

  2. Security configuration.

To secure the extraction of information from the web application, I implemented a two-step token flow based on HTTP Basic authentication. First, a request is sent to the web application's token endpoint with the header Authorization: Basic <base64(username:password)>; the username and password are configured in the identity provider UI and act as the security layer for the web application. After validating the Authorization header, the web application issues a token string. That token is then sent with, and checked by, the user info endpoint when user information is extracted. Note that Base64 is an encoding, not encryption, so both endpoints must be served over TLS or the credentials and the token are exposed in transit.
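The two-step exchange described here and in the web service section above, as an added example that models both sides in-process. It is not the project's code (WSO2 authenticators are written in Java), and the endpoint handlers, credentials and HR record are constructed. The service side decodes the Basic header, compares the credentials in constant time, issues a short-lived random token and requires it as a Bearer token on the user info endpoint; the client side does what the authenticator does after the primary userstore login and fails closed on any non-200 answer.

```python
"""Two-step claim-service exchange: HTTP Basic at the token endpoint, then a
bearer token at the userinfo endpoint.  Added example; both sides run in-process
and all credentials, endpoint handlers and the HR record are constructed."""
import base64
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str]]  # (HTTP status, JSON-like body)


def basic_header(username: str, password: str) -> str:
    """Build the value of 'Authorization: Basic base64(user:pass)'."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode a Basic header; None on anything malformed so the caller can answer 401."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


class ClaimService:
    """Server side: the web service the authenticator calls in front of the HR backend."""

    def __init__(self, username: str, password: str, records: Dict[str, Dict[str, str]],
                 token_ttl: int = 300, clock: Callable[[], float] = time.time):
        self._username, self._password = username, password
        self._records = records               # External userID -> HR attributes
        self._tokens: Dict[str, float] = {}   # issued token -> expiry timestamp
        self._ttl, self._clock = token_ttl, clock

    def token(self, headers: Dict[str, str]) -> Response:
        creds = parse_basic(headers.get("Authorization"))
        if creds is None:
            return 401, {"error": "missing_or_malformed_basic_credentials"}
        user, password = creds
        # Evaluate both comparisons in constant time before branching, so a bad
        # username is indistinguishable from a bad password.
        user_ok = hmac.compare_digest(user.encode(), self._username.encode())
        pass_ok = hmac.compare_digest(password.encode(), self._password.encode())
        if not (user_ok and pass_ok):
            return 401, {"error": "invalid_client"}
        tok = secrets.token_urlsafe(32)       # unguessable and short-lived
        self._tokens[tok] = self._clock() + self._ttl
        return 200, {"access_token": tok, "token_type": "Bearer", "expires_in": str(self._ttl)}

    def userinfo(self, headers: Dict[str, str], external_user_id: str) -> Response:
        auth = headers.get("Authorization", "")
        tok = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        expiry = self._tokens.get(tok)
        if expiry is None or expiry <= self._clock():
            self._tokens.pop(tok, None)       # drop expired tokens as they are seen
            return 401, {"error": "invalid_token"}
        record = self._records.get(external_user_id)
        if record is None:
            return 404, {"error": "unknown_external_user_id"}
        return 200, dict(record)


def fetch_external_claims(service: ClaimService, username: str, password: str,
                          external_user_id: str) -> Dict[str, str]:
    """Client side: what the authenticator does after the primary userstore login.
    Raises on any failure so the login is rejected instead of silently lacking claims."""
    status, body = service.token({"Authorization": basic_header(username, password)})
    if status != 200:
        raise PermissionError(f"token endpoint refused: {body.get('error')}")
    status, body = service.userinfo(
        {"Authorization": "Bearer " + body["access_token"]}, external_user_id)
    if status != 200:
        raise LookupError(f"userinfo endpoint failed ({status}): {body.get('error')}")
    return body


# Constructed fixtures: the credentials configured in the IdP UI and one HR record.
SERVICE_USER, SERVICE_PASSWORD = "wso2-is", "correct horse battery staple"
HR_RECORDS = {"E10042": {"hr_first_name": "Ada", "hr_email": "ada@example.org"}}

if __name__ == "__main__":
    svc = ClaimService(SERVICE_USER, SERVICE_PASSWORD, HR_RECORDS)
    print(fetch_external_claims(svc, SERVICE_USER, SERVICE_PASSWORD, "E10042"))
```

In a real deployment the two handlers sit behind an HTTPS server and the client calls them over the network; the `clock` parameter exists only so that token expiry can be exercised deterministically without waiting.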

On the web service:

  1. Implement the common interface and obtain user info from the external service.

Future work

  • Integrate the backend API with the claim service.
  • Integrate the LDAP service with the claim service.
  • Enhance the security implementation.