2021-04-16 10:28:28 +00:00
|
|
|
#+TITLE: IROH Auth Presentation
|
|
|
|
|
#+Author: Yann Esposito
|
|
|
|
|
#+Date: [2021-04-16]
|
|
|
|
|
|
2021-04-16 11:36:35 +00:00
|
|
|
- tags :: [[file:2021-04-16--13-35-21Z--cisco.org][Cisco]]
|
2021-04-16 10:28:28 +00:00
|
|
|
|
2021-04-16 13:05:43 +00:00
|
|
|
* IROH Auth :ATTACH:
|
|
|
|
|
:PROPERTIES:
|
|
|
|
|
:ID: dc5070c0-9040-4175-9a67-c85a21f65f35
|
|
|
|
|
:END:
|
|
|
|
|
|
|
|
|
|
[[attachment:_20210416_150439Screenshot%202021-04-16%20at%2015.04.30.png]]
|
2021-04-16 10:28:28 +00:00
|
|
|
|
|
|
|
|
Yann Esposito <yaesposi@cisco.com>
|
|
|
|
|
|
2021-04-16 13:07:24 +00:00
|
|
|
* Plan
|
|
|
|
|
|
2021-04-16 13:08:34 +00:00
|
|
|
1. Introduction, History
|
|
|
|
|
2. Login
|
|
|
|
|
3. OAuth2/OIDC Provider
|
|
|
|
|
4. Specific Usages Cisco
|
2021-04-16 13:07:24 +00:00
|
|
|
|
2021-04-16 13:14:11 +00:00
|
|
|
* 1 - Introduction
|
2021-04-16 11:51:04 +00:00
|
|
|
* When did you interacted with IROH-Auth?
|
|
|
|
|
|
2021-04-16 13:08:34 +00:00
|
|
|
- *Login* in SecureX
|
|
|
|
|
- *Login* in CTR
|
|
|
|
|
- *Login* in Orbital
|
|
|
|
|
- *Authorized* the Ribbon
|
|
|
|
|
- *Invited* someone to your Org
|
2021-04-16 13:09:37 +00:00
|
|
|
- *Cross Launch* with SSE
|
|
|
|
|
- Dealing with JWT
|
2021-04-16 11:51:04 +00:00
|
|
|
- Changed the role of some user
|
2021-04-16 11:52:16 +00:00
|
|
|
- When you investigate in CTR (via CTIA's module)
|
2021-04-16 11:53:43 +00:00
|
|
|
- Created an OAuth2 client
|
2021-04-16 11:51:04 +00:00
|
|
|
|
2021-04-16 11:44:30 +00:00
|
|
|
* What is IROH-Auth? (overview)
|
2021-04-16 10:28:28 +00:00
|
|
|
|
2021-04-16 13:11:40 +00:00
|
|
|
This is a software subcomponent of /IROH/[fn:iroh] taking care of:
|
2021-04-16 11:33:46 +00:00
|
|
|
|
2021-04-16 13:09:37 +00:00
|
|
|
+ *Authentication*
|
2021-04-16 11:36:35 +00:00
|
|
|
- provide a user unique identifier
|
2021-04-16 13:09:37 +00:00
|
|
|
+ *Authorization*
|
2021-04-16 11:39:52 +00:00
|
|
|
- decide what user can or cannot do
|
2021-04-16 13:09:37 +00:00
|
|
|
+ *User Data Model*
|
|
|
|
|
+ *Tenancy (Org) Management*
|
|
|
|
|
+ *API Clients Management*
|
|
|
|
|
+ *OAuth2*, *OpenID Connect* provider (half of IROH-Auth dedicated to this)
|
2021-04-16 11:46:50 +00:00
|
|
|
|
2021-04-16 13:11:40 +00:00
|
|
|
[fn:iroh]: *IROH* The software serving the API behind SecureX, CTR, Ribbons, integrations...
|
2021-04-16 11:44:30 +00:00
|
|
|
* What is IROH-Auth? (technical)
|
|
|
|
|
|
|
|
|
|
/IROH-Auth/ is a set of /Services/ within /IROH/ some of them exposing
|
|
|
|
|
HTTP APIs.
|
|
|
|
|
|
2021-04-16 11:59:31 +00:00
|
|
|
- Login
|
|
|
|
|
+ Login (core service + web API)
|
|
|
|
|
+ Org (service)
|
|
|
|
|
+ User (service + web API)
|
2021-04-16 12:04:13 +00:00
|
|
|
+ Scopes (service)
|
2021-04-16 11:59:31 +00:00
|
|
|
+ Auth Management (core service)
|
|
|
|
|
+ Invite (core service + web API)
|
|
|
|
|
+ Session (web API)
|
|
|
|
|
+ Profile (web API, =/whoami=)
|
|
|
|
|
+ SCIM Client (service)
|
|
|
|
|
+ IdP Migrate (core service + web API) /deprecated a few months ago/
|
|
|
|
|
+ Provision (service + web API) /used instead of IdP Migrate/
|
2021-04-16 11:58:20 +00:00
|
|
|
|
2021-04-16 11:59:31 +00:00
|
|
|
- OAuth2
|
|
|
|
|
+ OAuth2 (core service + web API)
|
|
|
|
|
+ OAuth2 Clients (core service + web API)
|
|
|
|
|
+ OAuth2 Clients Presets (service)
|
|
|
|
|
+ Grant Service (User's client authorizations)
|
2021-04-16 10:28:28 +00:00
|
|
|
|
2021-04-16 12:05:34 +00:00
|
|
|
- Admin
|
2021-04-16 12:04:13 +00:00
|
|
|
+ Auth Management (web API)
|
|
|
|
|
+ OAuth2 Clients Management (web API)
|
|
|
|
|
|
2021-04-16 13:33:57 +00:00
|
|
|
* History: IROH/Visibility (1/?) :ATTACH:
|
2021-04-16 12:48:10 +00:00
|
|
|
:PROPERTIES:
|
|
|
|
|
:ID: dab23b61-a766-4eda-a1e9-1d39258ef5c0
|
|
|
|
|
:END:
|
2021-04-16 10:28:28 +00:00
|
|
|
|
2021-04-16 12:45:46 +00:00
|
|
|
Login using AMP SAML (generate JWT)
|
2021-04-16 13:19:09 +00:00
|
|
|
Worked with Guillaume.
|
2021-04-16 12:40:24 +00:00
|
|
|
|
2021-04-16 13:19:09 +00:00
|
|
|
Use AMP as an *IdP*[fn:idp]
|
2021-04-16 13:18:05 +00:00
|
|
|
|
|
|
|
|
After the dance of their people AMP provides:
|
|
|
|
|
- user-id
|
|
|
|
|
- org-id
|
|
|
|
|
- role (admin/user)
|
2021-04-16 13:16:45 +00:00
|
|
|
|
2021-04-16 13:01:26 +00:00
|
|
|
*No DB of users!*
|
2021-04-16 12:48:10 +00:00
|
|
|
|
2021-04-16 13:18:05 +00:00
|
|
|
[fn:idp] Idp: Identity Provider
|
|
|
|
|
|
2021-04-16 13:46:22 +00:00
|
|
|
* History: IROH/Visibility - SAML (2/?) :ATTACH:
|
2021-04-16 13:43:03 +00:00
|
|
|
:PROPERTIES:
|
2021-04-16 13:26:25 +00:00
|
|
|
:ID: 07dabe43-9563-430c-a729-87b5154d6d18
|
|
|
|
|
:END:
|
2021-04-16 13:22:06 +00:00
|
|
|
|
2021-04-16 13:27:43 +00:00
|
|
|
Doc & Libs
|
|
|
|
|
|
2021-04-16 13:25:21 +00:00
|
|
|
> It's bad.
|
|
|
|
|
> It's really bad.
|
|
|
|
|
> It's like eating a hot circle of garbage...
|
|
|
|
|
> Kevin
|
2021-04-16 13:24:19 +00:00
|
|
|
|
2021-04-16 13:26:25 +00:00
|
|
|
[[attachment:_20210416_152516.jpeg]]
|
2021-04-16 13:19:09 +00:00
|
|
|
|
2021-04-16 13:46:22 +00:00
|
|
|
* History: IROH/Visibility (3/?)
|
2021-04-16 12:40:24 +00:00
|
|
|
|
|
|
|
|
2nd goal: Support OAuth2 (become an OAuth2 provider)
|
2021-04-16 12:41:29 +00:00
|
|
|
3rd goal: Support AMP and Threatgrid login (OpenID Connect)
|
|
|
|
|
|
|
|
|
|
Become both an OAuth2 client and provider.
|
|
|
|
|
|
2021-04-16 12:42:45 +00:00
|
|
|
Need Clients/Users/Orgs in DB!!!
|
|
|
|
|
|
2021-04-16 12:41:29 +00:00
|
|
|
OAuth2 RFC => OAuth2 GRANTS
|
|
|
|
|
|
2021-04-16 12:42:45 +00:00
|
|
|
- Authorization Code Grant (the classic)
|
|
|
|
|
- Client Grant (for scripts)
|
|
|
|
|
- Implicit Grant (for Single Page Applications, now deprecated)
|
|
|
|
|
|
2021-04-16 13:33:57 +00:00
|
|
|
* History: CTR (4/?)
|
2021-04-16 12:40:24 +00:00
|
|
|
|
2021-04-16 13:13:09 +00:00
|
|
|
4rd goal: Support Account Activation => SCIM[fn:scim] Client
|
|
|
|
|
|
|
|
|
|
Call a SCIM server.
|
|
|
|
|
Check if the account is part from an activated Org inside AMP.
|
2021-04-16 12:44:28 +00:00
|
|
|
|
|
|
|
|
- Become an OpenID Connect provider, made before the start of SecureX.
|
|
|
|
|
- OpenID Connect with SSE (we are the IdP now)
|
2021-04-16 10:28:28 +00:00
|
|
|
|
2021-04-16 13:13:09 +00:00
|
|
|
[fn:scim] *SCIM*: System for Cross-domain Identity Management
|
2021-04-16 13:29:48 +00:00
|
|
|
|
2021-04-16 13:32:16 +00:00
|
|
|
* History: SecureX (5/?)
|
2021-04-16 13:16:45 +00:00
|
|
|
|
|
|
|
|
From =idp-mapping= to =idp-mappings=
|
|
|
|
|
|
2021-04-16 13:29:48 +00:00
|
|
|
From Idp managing Orgs to IdP providing only a User Identity Id.
|
|
|
|
|
=> generate random user-id/org-id and stop using the the one given by the IdP.
|
2021-04-16 13:15:28 +00:00
|
|
|
|
|
|
|
|
* 2 - Login
|
2021-04-16 13:33:57 +00:00
|
|
|
|
2021-04-16 13:35:02 +00:00
|
|
|
Lot of IROH-Auth services dedicated just for *Login*
|
|
|
|
|
|
2021-04-16 13:36:42 +00:00
|
|
|
* IROH-Auth Login
|
|
|
|
|
|
|
|
|
|
Generally: enter your username & password => set a cookie with an id of the
|
|
|
|
|
user of the user
|
|
|
|
|
|
|
|
|
|
Not in IROH-Auth.
|
|
|
|
|
The first goal was (and still is) not to take care of user's credentials.
|
|
|
|
|
|
|
|
|
|
*There are no user password in IROH Auth.*
|
2021-04-16 13:33:57 +00:00
|
|
|
|
2021-04-16 13:37:51 +00:00
|
|
|
The password security is handled by external *IdPs*.
|
|
|
|
|
Currently SXSO, CSA & TG.
|
|
|
|
|
|
2021-04-16 13:43:03 +00:00
|
|
|
* IROH-Auth Login :ATTACH:
|
|
|
|
|
:PROPERTIES:
|
|
|
|
|
:ID: e12ca021-c030-47f8-a9e5-4fb815a88735
|
|
|
|
|
:END:
|
2021-04-16 13:39:12 +00:00
|
|
|
|
|
|
|
|
So the dance of login via IROH-Auth
|
|
|
|
|
|
2021-04-16 13:43:03 +00:00
|
|
|
[[attachment:_20210416_154054Screenshot%202021-04-16%20at%2015.38.37.png]]
|
2021-04-16 13:39:12 +00:00
|
|
|
|
2021-04-16 13:45:18 +00:00
|
|
|
1. Login page => Select an IdP
|
2021-04-16 13:44:13 +00:00
|
|
|
2. When a user click on the link, we save an unique Id in DB and we
|
|
|
|
|
redirect the user to the IdP's URL
|
|
|
|
|
3. IROH-Auth is just waiting for the user to come back (via browser
|
|
|
|
|
redirect) with infos from the IdP.
|
2021-04-16 13:46:22 +00:00
|
|
|
Generally the user come back to the =/iroh/iroh-auth/:idp/answer= endpoint
|
|
|
|
|
with a query parameter containing a =code=
|
2021-04-16 13:44:13 +00:00
|
|
|
|
2021-04-16 13:39:12 +00:00
|
|
|
|
2021-04-16 13:15:28 +00:00
|
|
|
* 3 - OAuth2 / OpendID Connect Provider
|
|
|
|
|
* 4 - Specifc Cisco Usage
|
2021-04-16 13:16:45 +00:00
|
|
|
- Orbital
|
|
|
|
|
- AMP
|
