#+TITLE: IROH Auth Presentation
#+Author: Yann Esposito
#+Date: [2021-04-16]
- tags :: [[file:2021-04-16--13-35-21Z--cisco.org][Cisco]]
* IROH Auth Presentation
Yann Esposito <yaesposi@cisco.com>
* When did you interact with IROH-Auth?

- Logged in to SecureX
- Logged in to CTR
- Logged in to Orbital
- Authorized the Ribbon
- Cross-launched with SSE
- Invited someone to your Org
- Changed the role of some user
- Investigated in CTR (via CTIA's module)
- Created an OAuth2 client
* What is IROH-Auth? (overview)

This is a software subcomponent of /IROH/ taking care of:

+ /Authentication/
  - provides a unique identifier for the user
+ /Authorization/
  - decides what a user can or cannot do
+ /User Data Model/
+ /Tenancy (Org) Management/
+ /API Clients Management/
+ /OAuth2/, /OpenID Connect/ provider (half of IROH-Auth is dedicated to this)
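
To make the authentication/authorization split concrete, here is an added Python example; it is not IROH-Auth's code and does not describe its internals. A login issues a signed JWT that carries the user's unique identifier (=sub=), and a later authorization check decides what the holder may do from the token's tenant and scopes rather than from identity alone; a =/whoami=-style lookup simply reports the identity the verified token asserts. The HS256 shared secret, the claim names =org= and =scope=, and the scope values are constructed assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the example only; a real deployment uses a
# properly generated key (and typically an asymmetric algorithm such as RS256).
SECRET = b"example-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url: restore padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user_id: str, org_id: str, scopes: list, ttl: int = 3600, now=None) -> str:
    """Authentication step: after a successful login, issue a signed JWT that
    carries the user's unique identifier (sub), tenant (org) and granted scopes.
    'org' and 'scope' are assumed claim names; 'scope' is space-separated by
    OAuth2 convention."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "org": org_id, "scope": " ".join(scopes),
               "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Validate structure, signature and expiry; return the claims or raise
    ValueError. The algorithm is pinned to HS256 instead of being trusted from
    the header, so a token claiming alg=none or another algorithm is rejected."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(SECRET, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def whoami(token: str, now=None) -> dict:
    """A /whoami-style profile lookup: the identity a verified token asserts."""
    claims = verify_token(token, now=now)
    return {"user": claims["sub"], "org": claims["org"]}


def authorize(token: str, required_scope: str, org_id: str, now=None) -> bool:
    """Authorization step: the caller is identified by the verified token, but
    the decision depends on the tenant and the granted scopes. Any verification
    failure (bad signature, expiry, wrong algorithm) is a denial."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    if claims.get("org") != org_id:
        return False
    return required_scope in claims.get("scope", "").split()


if __name__ == "__main__":
    token = mint_token("user-123", "org-1", ["casebook", "inspect"], ttl=60, now=1000)
    print(whoami(token, now=1010))
    print(authorize(token, "inspect", "org-1", now=1010))  # granted scope, same org
    print(authorize(token, "admin", "org-1", now=1010))    # scope not granted
    print(authorize(token, "inspect", "org-2", now=1010))  # wrong tenant
```

The point of the two functions is the separation the overview draws: =verify_token= answers "who is this?", while =authorize= answers "may they do this?", and the second question cannot be answered from the identifier alone.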
* What is IROH-Auth? (technical)

/IROH-Auth/ is a set of /Services/ within /IROH/, some of them exposing
HTTP APIs.

- Login
  + Login (core service + web API)
  + Org (service)
  + User (service + web API)
  + Scopes (service)
  + Auth Management (core service)
  + Invite (core service + web API)
  + Session (web API)
  + Profile (web API, =/whoami=)
  + SCIM Client (service)
  + IdP Migrate (core service + web API) /deprecated a few months ago/
  + Provision (service + web API) /used instead of IdP Migrate/
- OAuth2
  + OAuth2 (core service + web API)
  + OAuth2 Clients (core service + web API)
  + OAuth2 Clients Presets (service)
  + Grant Service (User's client authorizations)
- And related, in Admin
  + Auth Management (web API)
  + OAuth2 Clients Management (web API)
* History

1. Login using AMP SAML (generate JWT)
2. OAuth2 Provider (Grants)
3. Login using OpenID Connect with TG (client of OpenID Connect)
4. Users/Orgs in DB!!!
5. Account Activation
6. Become an OpenID Connect provider
7. OIDC with SSE
* Internal User Structure
* Cisco specificity