#+TITLE: IROH Auth Presentation #+Author: Yann Esposito #+Date: [2021-04-16] - tags :: [[file:2021-04-16--13-35-21Z--cisco.org][Cisco]] * IROH Auth :ATTACH: :PROPERTIES: :ID: dc5070c0-9040-4175-9a67-c85a21f65f35 :END: [[attachment:_20210416_150439Screenshot%202021-04-16%20at%2015.04.30.png]] Yann Esposito * Plan 1. Introduction, History 2. Login 3. OAuth2/OIDC Provider 4. Specific Usages Cisco * 1 - Introduction * When did you interacted with IROH-Auth? - *Login* in SecureX - *Login* in CTR - *Login* in Orbital - *Authorized* the Ribbon - *Invited* someone to your Org - *Cross Launch* with SSE - Dealing with JWT - Changed the role of some user - When you investigate in CTR (via CTIA's module) - Created an OAuth2 client * What is IROH-Auth? (overview) This is a software subcomponent of /IROH/[fn:iroh] taking care of: + *Authentication* - provide a user unique identifier + *Authorization* - decide what user can or cannot do + *User Data Model* + *Tenancy (Org) Management* + *API Clients Management* + *OAuth2*, *OpenID Connect* provider (half of IROH-Auth dedicated to this) [fn:iroh]: *IROH* The software serving the API behind SecureX, CTR, Ribbons, integrations... * What is IROH-Auth? (technical) /IROH-Auth/ is a set of /Services/ within /IROH/ some of them exposing HTTP APIs. - Login + Login (core service + web API) + Org (service) + User (service + web API) + Scopes (service) + Auth Management (core service) + Invite (core service + web API) + Session (web API) + Profile (web API, =/whoami=) + SCIM Client (service) + IdP Migrate (core service + web API) /deprecated a few months ago/ + Provision (service + web API) /used instead of IdP Migrate/ - OAuth2 + OAuth2 (core service + web API) + OAuth2 Clients (core service + web API) + OAuth2 Clients Presets (service) + Grant Service (User's client authorizations) - Admin + Auth Management (web API) + OAuth2 Clients Management (web API) * History (1/?) :ATTACH: :PROPERTIES: :ID: dab23b61-a766-4eda-a1e9-1d39258ef5c0 :END: Login using AMP SAML (generate JWT) Worked with Guillaume. Use AMP as an *IdP*[fn:idp] After the dance of their people AMP provides: - user-id - org-id - role (admin/user) *No DB of users!* [fn:idp] Idp: Identity Provider * *SAML libs* OpenSAML v2 now deprecated * *SAML doc* :ATTACH: :PROPERTIES: :ID: 07dabe43-9563-430c-a729-87b5154d6d18 :END: > It's bad. > It's really bad. > It's like eating a hot circle of garbage... > Kevin [[attachment:_20210416_152516.jpeg]] * History (2/?) 2nd goal: Support OAuth2 (become an OAuth2 provider) 3rd goal: Support AMP and Threatgrid login (OpenID Connect) Become both an OAuth2 client and provider. Need Clients/Users/Orgs in DB!!! OAuth2 RFC => OAuth2 GRANTS - Authorization Code Grant (the classic) - Client Grant (for scripts) - Implicit Grant (for Single Page Applications, now deprecated) * History (3/?) 4rd goal: Support Account Activation => SCIM[fn:scim] Client Call a SCIM server. Check if the account is part from an activated Org inside AMP. - Become an OpenID Connect provider, made before the start of SecureX. - OpenID Connect with SSE (we are the IdP now) [fn:scim] *SCIM*: System for Cross-domain Identity Management * History: SecureX (4/?) From =idp-mapping= to =idp-mappings= From Idp managin Orgs to IdP providing only a User Id. * Internal User Structure * Cisco specificity * 2 - Login * 3 - OAuth2 / OpendID Connect Provider * 4 - Specifc Cisco Usage - Orbital - AMP