Service Provider Authorization


Each Service Provider can be assigned parameters or conditions, and only Devices or Users that satisfy those parameters or conditions can access that Service Provider.

Authentication Schemes and Methods

Authentication Schemes group and order Authentication Methods. An Authentication Method is linked to one or more IDPs, so by ordering Authentication Methods an Authentication Scheme defines different levels of authentication across IDPs. This is used to build Multi-Factor and Multi-Level authentication mechanisms.

Definitions of fields of Authentication Schemes

| Field Name | Description |
|---|---|
| Authentication Scheme | Scheme that defines the Authentication Methods and the priorities of these Methods |
| Method Comparison | The default method used to compare Authentication Methods within the selected Authentication Scheme |
| AuthnContextClassRef | An XML URI reference identifying an Authentication Method when no identifier was given in the request |

Definitions of items of the Method Comparison

| Item | Description |
|---|---|
| Minimum | The requested authentication method and everything above it. If nothing is requested, the Service Provider's default is used; if no default is set, the lowest method is used. |
| Maximum | |
| Better | As Minimum, except that the requested authentication method itself is excluded. |
| Exact | The requested authentication method and nothing else. If nothing is requested, the Service Provider's default is used; if no default is set, the lowest method is used. |

To set the Scheme for a Service Provider:

  • Click Service Providers under Administration
  • Click the Authorization icon adjacent to the SP for which you want to set the Scheme settings
  • Select a Scheme from the Authentication Scheme drop-down list
  • Select a Method Comparison option from the Method Comparison drop-down list
  • Enter an XML URI reference in the AuthnContextClassRef field
  • Click the Save & Close button
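
The following Python model is added here as an illustration and is not code from the product. It makes the Minimum, Better and Exact comparisons from the table concrete, including the fall-back to the Service Provider's default and then to the lowest method. The scheme is assumed to be ordered from the weakest to the strongest method; the handling of Maximum is an assumption drawn from the step-up note later on this page (no method is selected for it), since the table above leaves it undefined.

```python
from typing import List, Optional, Sequence


def acceptable_methods(scheme: Sequence[str], comparison: str,
                       requested: Optional[str] = None,
                       sp_default: Optional[str] = None) -> List[str]:
    """Methods that satisfy `comparison` for this scheme.

    scheme: the Authentication Scheme's methods, assumed ordered weakest first.
    requested: the method named in the request, if any.
    sp_default: the Service Provider's default method, if one is set.
    """
    comparison = comparison.lower()
    if comparison == "maximum":
        # Assumption: Maximum means the top of the scheme (the page notes that
        # no method needs to be selected for it).
        return [scheme[-1]]
    # No requested method: use the SP default, and failing that the lowest method.
    if requested is None:
        requested = sp_default if sp_default is not None else scheme[0]
    if requested not in scheme:
        raise ValueError(f"{requested!r} is not a method of this scheme")
    position = scheme.index(requested)
    if comparison == "minimum":   # the requested method and everything above it
        return list(scheme[position:])
    if comparison == "better":    # as Minimum, but excluding the requested method
        return list(scheme[position + 1:])
    if comparison == "exact":     # the requested method and nothing else
        return [requested]
    raise ValueError(f"unknown comparison {comparison!r}")


def satisfies(scheme: Sequence[str], comparison: str, used: str,
              requested: Optional[str] = None,
              sp_default: Optional[str] = None) -> bool:
    """True if the method the user actually authenticated with is acceptable."""
    return used in acceptable_methods(scheme, comparison, requested, sp_default)


# Constructed sample scheme, weakest first.
SAMPLE_SCHEME = ["password", "otp", "certificate"]

if __name__ == "__main__":
    for comparison in ("minimum", "better", "exact", "maximum"):
        print(comparison, acceptable_methods(SAMPLE_SCHEME, comparison, requested="otp"))
```

Note that Better with the strongest method requested yields an empty list, so nothing can satisfy it; that is the expected consequence of the table's definition rather than an error.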

Context

The context sets the authorization context restrictions. Currently a context can be defined by where (an IP address or range defining the location) and when (the time period during which access to this Service Provider is allowed).

Time

A time slot can be specified to restrict access to this Service Provider. It is specified in 24-hour time and is open 24 hours a day by default. A start and end time can be set by dragging the handles; the blue highlighted segment is when the SP can be accessed. For instance, in the image below the SP is accessible from 6 in the morning to 6 in the evening.

  • Click Service Providers under Administration
  • Click the Authorization icon adjacent to the SP for which you want to set the Time settings
  • Under the "Time" tab, turn the circular time control clockwise or anti-clockwise to set the period within which you want the SP to be available
  • Click the "Save & Close" button

IP Address

This operation sets the IP Address range from which this Service Provider can be accessed. Any IP Address, or range of IP Addresses, that does not fall within the defined IP Address or range of IP Addresses will be unable to access this Service Provider.

  • Click Service Providers under Administration
  • Click the Authorization icon adjacent to the SP for which you want to set the IP Address range
  • Click Add New IP under the IP Address tab
  • Enter a valid IP Address in the "Start" and "End" fields
  • Click the Save & Close button

Possible alerts that can be encountered during this operation

The user is informed by an alert message underneath the "Start" and "End" text fields: "Start IP Address Invalid Value" when an invalid IP Address is entered in the "Start" field, and "End IP Address Invalid Value" when an invalid IP Address is entered in the "End" field.
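
The two context restrictions above (the Time slot and the IP Address range), together with the Start/End validation alert, can be modelled as follows. This Python example is added here for illustration and is not the product's code; the inclusive Start..End range, the handling of a window that wraps past midnight and the function names are assumptions.

```python
import ipaddress
from datetime import time
from typing import List, Optional, Tuple

IpRange = Tuple[str, str]          # ("Start", "End") as entered in the IP Address tab
TimeWindow = Tuple[time, time]     # (start, end) in 24-hour time


def validate_ip(field: str, text: str) -> Optional[str]:
    """Return the alert text the editor shows for an invalid address, or None if valid."""
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return f"{field} IP Address Invalid Value"
    return None


def ip_in_ranges(client: str, ranges: List[IpRange]) -> bool:
    """True if the client address lies inside any configured Start..End range (inclusive)."""
    addr = ipaddress.ip_address(client)
    for start, end in ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        # Addresses of different IP versions are not comparable; skip such ranges.
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False


def in_time_window(now: time, start: time, end: time) -> bool:
    """True if `now` falls in the blue segment. A window whose end is before its
    start is taken to wrap past midnight (an assumption; the page only shows a
    daytime slot)."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def context_allows(client: str, now: time,
                   ranges: Optional[List[IpRange]] = None,
                   window: Optional[TimeWindow] = None) -> bool:
    """Combine both context restrictions. No ranges means no IP restriction is
    configured; window None is the default 24-hour slot."""
    if ranges and not ip_in_ranges(client, ranges):
        return False
    if window is not None and not in_time_window(now, *window):
        return False
    return True


# Constructed sample configuration: one office range, open 06:00 to 18:00.
OFFICE_RANGES = [("10.0.0.1", "10.0.0.255")]
OFFICE_HOURS = (time(6, 0), time(18, 0))

if __name__ == "__main__":
    print(validate_ip("Start", "10.0.0.999"))
    print(context_allows("10.0.0.5", time(12, 0), OFFICE_RANGES, OFFICE_HOURS))
```

The check uses the client address the proxy sees; if the Service Provider sits behind a load balancer, the address compared against the range must be the one that balancer forwards, otherwise every request appears to come from the balancer itself.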

Attribute Based Authorisation (Attribute Rule)

An attribute rule can be specified to allow or restrict access to this Service Provider depending on the attributes of the authenticated user. Any number of conditions can be specified, and one complex condition, a nested sub-set of attribute conditions, can be specified per Service Provider.

Attribute Rule Edit

Conditions are created, edited and deleted in the Edit tab. The main operator applies to all conditions. A complex condition can specify its own operator, which applies only to the complex condition's attribute list. The available functions depend on the type of the selected attribute (enumeration, single-valued or multi-valued, for instance). The value input field is hidden when it does not apply.

Attribute Rule View

The Code View shows how the Attribute Rule will be evaluated.

The result of specifying authorizations for a Service Provider can be seen by navigating to the Admin Portal SP Log-In page, or any other application, and attempting to log in. The user will not be able to log in if the criteria specified in the authorizations are not met.

Nested Rule 1

This operation sets the attribute conditions that must be satisfied before the Service Provider can be accessed (all set conditions must be met).

  • Click Service Providers under Administration
  • Click the Authorization icon adjacent to the SP for which you want to set the attribute conditions
  • Click Attribute Rules in the left sidebar under Service Providers
  • Select the operator AND in the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. First Name - Equals - Francis)
  • Click the Add Complex Condition button, and select the operator OR
  • Click the Add Simple Condition button and set the necessary parameters (e.g. Last Name - Equals - West), then click the Save & Close button
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

Nested Rule 2

This operation sets the attribute conditions that must be satisfied before the Service Provider can be accessed (all conditions of the AND rule must be met, together with at least one condition of the OR condition).

  • Select the operator AND in the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. Last Name - Equals - Francis)
  • Click the Add Complex Condition button, and select the operator OR
  • Click the Add Simple Condition button and set the necessary parameters (e.g. Last Name - IsEmpty), then click the Save & Close button
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

OR Rule

This operation sets the attribute conditions that must be satisfied before the Service Provider can be accessed (at least one of the set conditions must be met).

  • Select the operator OR in the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. First Name - Equals - Francis)
  • Click the Save & Close button
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

AND Rule (Equals)

This operation sets the attribute conditions that must be satisfied before the Service Provider can be accessed (all set conditions must be met).

  • Select the operator AND in the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. First Name - Equals - East)
  • Click the Save & Close button
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

AND Rule (Equals Not)

If the attribute conditions here are met, the user will be unable to access the Admin Portal or any other application.

  • Select the operator AND from the drop-down list of the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. First Name - Equals Not - Francis; the value Francis should match the value of that field for the user in question)
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

AND Rule (Contains)

This operation sets the attribute conditions that must be satisfied before the Service Provider can be accessed (all set conditions must be met).

  • Select the operator AND from the drop-down list of the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. First Name - Contains - Francis; the value Francis should match one of the values of that field for the user in question)
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

AND Rule (Contains Not)

If the attribute conditions here are met, the user will be unable to access the Admin Portal or any other application.

  • Select the operator AND from the drop-down list of the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. First Name - Contains Not - Francis; the value Francis should match one of the values of that field for the user in question)
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

AND Rule (Equals Ignore Case)

This operation sets the attribute conditions that must be satisfied before the Service Provider can be accessed (all set conditions must be met).

  • Select the operator AND from the drop-down list of the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. First Name - Equals Ignore Case - francis; the value Francis for that field of the user in question has a mix of lower- and upper-case characters)
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

AND Rule (Equals Not Ignore Case)

If the attribute conditions here are met, the user will be unable to access the Admin Portal or any other application.

  • Select the operator AND from the drop-down list of the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. First Name - Equals Not Ignore Case - francis; the value Francis for that field of the user in question has a mix of lower- and upper-case characters)
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

AND Rule (Ends With)

This operation sets the attribute conditions that must be satisfied before the Service Provider can be accessed (all set conditions must be met).

  • Select the operator AND from the drop-down list of the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. First Name - Ends With - Be; the value of that field for the user in question should end with the suffix Be, for example Francis Be)
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

AND Rule (Ends Not With)

If the attribute conditions here are met, the user will be unable to access the Admin Portal or any other application.

  • Select the operator AND from the drop-down list of the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. First Name - Ends Not With - Be; the value of that field for the user in question ends with the suffix Be, for example Francis Be)
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

AND Rule (Starts With)

This operation sets the attribute conditions that must be satisfied before the Service Provider can be accessed (all set conditions must be met).

  • Select the operator AND from the drop-down list of the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. First Name - Starts With - Be; the value of that field for the user in question should start with the prefix Be, for example Be Francis)
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

AND Rule (Starts Not With)

If the attribute conditions here are met, the user will be unable to access the Admin Portal or any other application.

  • Select the operator AND from the drop-down list of the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. First Name - Starts Not With - Be; the value of that field for the user in question starts with the prefix Be, for example Be Francis)
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

AND Rule (Regular Expression)

This operation sets the attribute conditions that must be satisfied before the Service Provider can be accessed (all set conditions must be met).

  • Select the operator AND from the drop-down list of the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. First Name - Matches - Organisa.tion, where the character between a and t is a dot (.); this means any single character may appear between a and t in the value of that field for the user in question, for example organisaution)
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

AND Rule (Greater Than)

This operation sets the attribute conditions that must be satisfied before the Service Provider can be accessed (all set conditions must be met).

  • Select the operator AND from the drop-down list of the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. First Name - Greater Than - be; a value of that field for the user in question that satisfies it would be bec)
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

AND Rule (Greater Than Ignore Case)

This operation sets the attribute conditions that must be satisfied before the Service Provider can be accessed (all set conditions must be met).

  • Select the operator AND from the drop-down list of the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. First Name - Greater Than Ignore Case - be; a value of that field for the user in question that satisfies it would be Bec)
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

AND Rule (Less Than)

This operation sets the attribute conditions that must be satisfied before the Service Provider can be accessed (all set conditions must be met).

  • Select the operator AND from the drop-down list of the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. First Name - Less Than - be; a value of that field for the user in question that satisfies it would be abe)
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

AND Rule (Less Than Ignore Case)

This operation sets the attribute conditions that must be satisfied before the Service Provider can be accessed (all set conditions must be met).

  • Select the operator AND from the drop-down list of the When field, and set the necessary parameters (e.g. Administrator Access - Equals - Yes)
  • Click the Add Simple Condition button, and set further parameters (e.g. First Name - Less Than Ignore Case - be; a value of that field for the user in question that satisfies it would be Abe)
  • Go back to the Admin Log-In page (or any other application) and attempt to log in

Application Authorization

Application Authorization applies authorization rules to a URI and defined HTTP methods within a specific Service Provider.

An example of where this might be used would be for a specific application URL such as:

http://hostname/selfservice/admin

Services under this location can be restricted. For instance, only administrators can GET, POST, PUT and DELETE at this location, auditors can only use GET at this location, and others have no access at all.

The outcome of the authorization can also be specified so that matching of a statement can result in allowing access, denying access, forcing a re-authentication or a step up in authentication.

The application authorization is similar to the attribute authorization in that rules are created against a pre-defined data key and a value: for instance, an HTTP header has a certain value (the HTTP header user equals johndoe) or a user attribute is not empty (the user's email address is not empty).

Application authorizations can contain nested rules and multiple statements, one nested rule per statement.

Each statement defines a result outcome that is performed when that statement matches true. A result outcome can be allow, deny, re-authenticate or step-up authentication.

The first statement that matches true is returned with the specified outcome. Due to this behaviour application statements can be ordered to determine the order of execution.

Application Rule Screen

To access the application rules for a Service Provider (SP), click the shield button on the SP list page and then click the Application Rule menu on the Authorization screen. All application rules for this SP will be listed.

Note that application rules can only be added for Proxy and API Service Providers. The Application Rule button will not be available for other types of SP.

Application Rule List

The initial screen linked from the Application Rule navigation lists all the application rules that have been defined for this Service Provider. From the list page each rule can be deleted, edited or copied, and its statements can be viewed for more detailed identification.

Deleting an Application Rule

To delete an application rule click the delete button in the corresponding row. A modal will be shown displaying the details of the rule and an option to Delete or Cancel.

Copying an Application Rule

To copy an application rule click the copy button in the corresponding row. The application rule will be copied to a new entry and /copied will be appended to the URI as application rule URIs must be unique within one SP.

Viewing Application Rule Details

To view the statements of a rule click the view button (binoculars) and the statements for the corresponding row will be shown in a modal dialog. The view is the same display as shown in the code view tab when modifying an application rule.

Creating an application rule

There can be multiple Application Rules for one SP. This means that there can be multiple rules specified for different URIs or locations.

To create a new rule click the Add New URI Resource button found top right of the Application Rule screen.

A form is then displayed. Specify a URI and one or more HTTP methods that apply to this rule. Clicking the Add New Statement button adds a rule similar to the attribute authorizations screen where simple and complex (nested) conditions can be created. The logic and operations are the same as those defined for the attribute authorizations.

A condition can be created to check against user attributes but also http headers, cookies or query parameters. The type is set using the button to the left of each condition row. Header, cookie and query condition types are treated as string attributes and thus provide the string operations when these types are selected.

To specify the condition for an attribute, select a user attribute from the list provided. To specify the condition for a header, cookie or query parameter, enter the name of the element to compare against: the name of the header, the name of the cookie or the name of the query parameter.

Click the Save & Close button to save the URI, methods and statements.

The outcome

The outcome of an application rule statement is specified at the bottom of each statement.

| Outcome | Description |
|---|---|
| allow | If the rule statement is true then access to the SP is allowed. |
| deny | If the rule statement is true then access to the SP is denied. There is the option to return a key/value pair that can be used to react to the outcome. |
| re-authenticate | If the rule statement is true then the user must re-authenticate to access the SP. |
| step-up | If the rule statement is true then the user must step up to the selected authentication method, with the selected comparison, to access the SP. |

Step-up: when the outcome of a statement is step-up, a comparison method must be selected: minimum, maximum, better or exact. If maximum is selected there is no need to select an authentication method; for any other comparison an authentication method must be selected.

Edit Tab

The edit tab is where the statements are defined and edited. The statements are validated for mandatory fields and also values. For instance if multiple values are provided for a single value operation then this also fails validation.

Code View Tab

The code view tab provides a simple to read summary of the statements and conditions so that the path of execution can be easily evaluated. This is just a view and no editing can be made.

Order Tab

Statements can be placed into a specific order to change the execution order. This is required as the rules engine will return the outcome of the first statement that it matches and will ignore the rest. Statements can be ordered by drag and drop or by clicking the arrows to the left of each statement.
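
To make the first-match behaviour concrete, the following Python sketch is added here; it is not the product's own code. It evaluates an ordered list of statements for a URI rule built around the page's /selfservice/admin example, with conditions on a header and on a user attribute and all four outcomes in use, and then shows how swapping two statements (what the Order tab does) changes the result for the same request. The request shape, the prefix matching of the rule URI and the treatment of a statement with no conditions as a catch-all are assumptions made for the illustration; the page does not state what happens when no statement matches, so that case returns None.

```python
from typing import Any, Dict, List, Optional, Tuple

# The handful of string operations needed here; header, cookie and query
# conditions are string attributes, so the same operations apply to them.
_OPS = {
    "Equals":      lambda v, x: v == x,
    "Starts With": lambda v, x: v is not None and v.startswith(x),
    "IsEmpty":     lambda v, x: not v,
}


def _source_value(request: Dict[str, Any], kind: str, name: str) -> Optional[str]:
    """Fetch the compared value: a user attribute, or a header/cookie/query parameter by name."""
    if kind == "attribute":
        return request["user"].get(name)
    return request[kind].get(name)       # "headers", "cookies" or "query"


def statement_matches(statement: Dict[str, Any], request: Dict[str, Any]) -> bool:
    """A statement is an AND/OR group of (kind, name, operator, value) conditions.
    A statement with no conditions is treated as a catch-all (an assumption used
    here for a final default; the page does not define an empty statement)."""
    combine = all if statement.get("when", "AND") == "AND" else any
    return combine(_OPS[op](_source_value(request, kind, name), value)
                   for kind, name, op, value in statement["conditions"])


def authorize(rules: List[Dict[str, Any]],
              request: Dict[str, Any]) -> Optional[Tuple[str, Any]]:
    """Return (outcome, detail) of the first true statement of the rule whose URI
    and HTTP methods cover the request. URI matching is by prefix, since rules
    restrict services under a location (an assumption about the product).
    None means no rule or statement applied; the page does not state a default."""
    for rule in rules:
        if request["path"].startswith(rule["uri"]) and request["method"] in rule["methods"]:
            for statement in rule["statements"]:
                if statement_matches(statement, request):
                    return statement["outcome"], statement.get("detail")
            return None
    return None


def reorder(rule: Dict[str, Any], order: List[int]) -> Dict[str, Any]:
    """What the Order tab does: the same statements in a new execution order."""
    return {**rule, "statements": [rule["statements"][i] for i in order]}


# Constructed rule for the page's /selfservice/admin location. Statement order
# matters: the TLS check comes first so that an administrator arriving over
# plain HTTP is still denied.
ADMIN_RULE = {
    "uri": "/selfservice/admin",
    "methods": {"GET", "POST", "PUT", "DELETE"},
    "statements": [
        {"conditions": [("headers", "X-Forwarded-Proto", "Equals", "http")],
         "outcome": "deny", "detail": {"reason": "tls-required"}},
        {"conditions": [("attribute", "role", "Equals", "administrator")],
         "outcome": "allow"},
        {"conditions": [("attribute", "role", "Equals", "auditor")],
         "outcome": "step-up", "detail": {"method": "otp", "comparison": "minimum"}},
        {"conditions": [], "outcome": "deny", "detail": {"reason": "no-matching-role"}},
    ],
}


def sample_request(path: str, method: str, role: Optional[str],
                   proto: str = "https") -> Dict[str, Any]:
    """Constructed request for the examples."""
    return {"path": path, "method": method,
            "headers": {"X-Forwarded-Proto": proto},
            "cookies": {}, "query": {},
            "user": {"role": role} if role else {}}


if __name__ == "__main__":
    print(authorize([ADMIN_RULE], sample_request("/selfservice/admin/users", "POST", "administrator")))
    print(authorize([ADMIN_RULE], sample_request("/selfservice/admin", "GET", "administrator", "http")))
    swapped = reorder(ADMIN_RULE, [1, 0, 2, 3])
    print(authorize([swapped], sample_request("/selfservice/admin", "GET", "administrator", "http")))
```

Because the engine stops at the first true statement, a broad allow placed above a narrower deny silently disables the deny; putting the deny statements first and ending with an explicit catch-all makes the intended default visible in the Code View tab rather than implicit.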
