IROH Auth Presentation
- IROH Auth
- Plan
- 1 - Introduction
- When did you interact with IROH-Auth?
- What is IROH-Auth? (overview)
- What is IROH-Auth? (technical)
- History (1/?)
- SAML libs
- SAML doc
- History (2/?)
- History (3/?)
- History: SecureX (4/?)
- Internal User Structure
- Cisco specificity
- 2 - Login
- 3 - OAuth2 / OpenID Connect Provider
- 4 - Specific Cisco Usage
- tags
- Cisco
IROH Auth
Yann Esposito <yaesposi@cisco.com>
Plan
- Introduction, History
- Login
- OAuth2/OIDC Provider
- Specific Usages Cisco
1 - Introduction
When did you interact with IROH-Auth?
- Logged in to SecureX
- Logged in to CTR
- Logged in to Orbital
- Authorized the Ribbon
- Invited someone to your Org
- Cross-launched with SSE
- Dealt with JWTs
- Changed the role of a user
- Investigated in CTR (via CTIA's module)
- Created an OAuth2 client
What is IROH-Auth? (overview)
This is a software subcomponent of IROH¹ taking care of:
- Authentication
  - provide a unique identifier for each user
- Authorization
  - decide what a user can or cannot do
- User Data Model
- Tenancy (Org) Management
- API Clients Management
- OAuth2, OpenID Connect provider (half of IROH-Auth is dedicated to this)

1: IROH is the software serving the API behind SecureX, CTR, Ribbons, integrations…
What is IROH-Auth? (technical)
IROH-Auth is a set of services within IROH, some of them exposing HTTP APIs.
- Login
  - Login (core service + web API)
  - Org (service)
  - User (service + web API)
  - Scopes (service)
  - Auth Management (core service)
  - Invite (core service + web API)
  - Session (web API)
  - Profile (web API, /whoami)
  - SCIM Client (service)
  - IdP Migrate (core service + web API), deprecated a few months ago
  - Provision (service + web API), used instead of IdP Migrate
- OAuth2
  - OAuth2 (core service + web API)
  - OAuth2 Clients (core service + web API)
  - OAuth2 Clients Presets (service)
  - Grant Service (user's client authorizations)
- Admin
  - Auth Management (web API)
  - OAuth2 Clients Management (web API)
History (1/?)
Login using AMP SAML (generate a JWT). Worked with Guillaume.
Use AMP as an IdP²
After the SAML dance, AMP provides:
- user-id
- org-id
- role (admin/user)
No DB of users!
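The step described above, as an added example that is not IROH's code: take the three attributes the IdP hands back (user-id, org-id, role), mint a signed JWT from them without touching a user database, and verify it before trusting the payload. The HS256 shared key, the issuer name `iroh-auth` and the one-hour lifetime are assumptions for the example (the slide does not say which algorithm IROH used); the `tamper_role` helper exists only to show what the signature check buys you.

```python
"""Added example (not IROH's code): mint and verify an HS256 JWT from the three
attributes the slide says AMP returns after the SAML dance (user-id, org-id,
role), with no user database.  Standard library only.  The key, issuer name
and token lifetime are assumed values for the example."""
import base64
import hashlib
import hmac
import json
import time

# Constructed for the example; a real deployment keeps this in a secret store.
SECRET = b"example-hs256-key-do-not-use-in-production"
ISSUER = "iroh-auth"               # assumed issuer name
TOKEN_TTL = 3600                   # assumed lifetime in seconds
ALLOWED_ROLES = ("admin", "user")  # the two roles the slide lists


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def mint_jwt(saml_attrs: dict, now=None) -> str:
    """Turn the IdP attributes into a signed JWT. Nothing is looked up in a DB."""
    now = int(time.time()) if now is None else now
    role = saml_attrs["role"]
    if role not in ALLOWED_ROLES:
        # Only accept roles we know how to interpret; an unknown value must not
        # silently turn into a privileged one downstream.
        raise ValueError(f"unexpected role from IdP: {role!r}")
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": saml_attrs["user-id"],  # the user's unique identifier
        "org": saml_attrs["org-id"],   # tenancy
        "role": role,
        "iat": now,
        "exp": now + TOKEN_TTL,
    }
    signing_input = _encode_json(header) + "." + _encode_json(claims)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now=None) -> dict:
    """Check the signature before trusting anything in the payload."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        # Pin the algorithm: the token must not get to choose "none" or another alg.
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def is_valid(token: str, now=None) -> bool:
    try:
        verify_jwt(token, now)
        return True
    except (ValueError, KeyError):  # binascii.Error and JSONDecodeError are ValueErrors
        return False


def tamper_role(token: str, new_role: str) -> str:
    """Rewrite the payload without re-signing: what an attacker without the key can do."""
    head, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["role"] = new_role
    return head + "." + _encode_json(claims) + "." + sig


if __name__ == "__main__":
    attrs = {"user-id": "u-123", "org-id": "o-456", "role": "user"}  # constructed
    tok = mint_jwt(attrs)
    print(verify_jwt(tok))
    print("tampered token accepted?", is_valid(tamper_role(tok, "admin")))
```

The verifier pins the algorithm and checks the signature before it reads a single claim, which is the order that matters: the role in the payload is worth exactly as much as the signature over it.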
SAML libs
OpenSAML v2 (now deprecated)
SAML doc
> It's bad.
> It's really bad.
> It's like eating a hot circle of garbage…
Kevin
History (2/?)
2nd goal: Support OAuth2 (become an OAuth2 provider)
3rd goal: Support AMP and Threatgrid login (OpenID Connect)
Become both an OAuth2 client and provider.
Need Clients/Users/Orgs in the DB!!!
OAuth2 RFC => OAuth2 grants
- Authorization Code Grant (the classic)
- Client Credentials Grant (for scripts)
- Implicit Grant (for Single Page Applications, now deprecated)
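The grants above from the provider's side, as an added example that is not IROH's code: a toy in-memory OAuth2 authorization server with an /authorize front channel, a /token back channel and an introspection lookup. It shows the checks a provider has to make that the list alone does not: authorization codes are single-use, short-lived and bound to the client and redirect_uri that requested them; client-credentials tokens act as the client with no user behind them; the implicit grant (`response_type=token`) is refused. Client ids, secrets, redirect URIs and the code/token lifetimes are constructed for the example.

```python
"""Added example (not IROH's code): a toy in-memory OAuth2 authorization server
implementing the Authorization Code and Client Credentials grants and refusing
the Implicit grant.  Clients, secrets, redirect URIs and lifetimes are constructed."""
import hmac
import secrets
import time

CODE_TTL = 60      # assumed: authorization codes live one minute
TOKEN_TTL = 3600   # assumed: access tokens live one hour


class AuthServer:
    def __init__(self):
        self.clients = {}  # client_id -> {"secret", "redirect_uris", "scopes"}
        self.codes = {}    # code -> {"client_id", "redirect_uri", "user", "scope", "exp"}
        self.tokens = {}   # access_token -> {"sub", "client_id", "scope", "exp"}

    def register_client(self, client_id, secret, redirect_uris, scopes):
        self.clients[client_id] = {"secret": secret,
                                   "redirect_uris": set(redirect_uris),
                                   "scopes": set(scopes)}

    # ---- front channel: /authorize, reached through the user's browser ----
    def authorize(self, response_type, client_id, redirect_uri, user, scope, now=None):
        """Called once the user has logged in and consented; returns a code or an error."""
        now = time.time() if now is None else now
        client = self.clients.get(client_id)
        if client is None:
            return {"error": "invalid_client"}
        if redirect_uri not in client["redirect_uris"]:
            # Never redirect to an unregistered URI: that is how codes get stolen.
            return {"error": "invalid_request"}
        if response_type != "code":
            # Covers response_type=token, i.e. the deprecated implicit grant.
            return {"error": "unsupported_response_type"}
        requested = set(scope.split())
        if not requested <= client["scopes"]:
            return {"error": "invalid_scope"}
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "scope": requested, "exp": now + CODE_TTL}
        return {"code": code}

    # ---- back channel: /token, reached by the client with its secret ----
    def token(self, grant_type, client_id, client_secret, code=None,
              redirect_uri=None, scope=None, now=None):
        now = time.time() if now is None else now
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret or ""):
            return {"error": "invalid_client"}
        if grant_type == "authorization_code":
            entry = self.codes.pop(code, None)  # pop: a code is redeemable exactly once
            if entry is None or now > entry["exp"]:
                return {"error": "invalid_grant"}
            if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
                # Code issued to another client, or replayed with a different
                # redirect_uri: reject it; the pop above has already burnt it.
                return {"error": "invalid_grant"}
            sub, granted = entry["user"], entry["scope"]
        elif grant_type == "client_credentials":
            granted = set(scope.split()) if scope else set(client["scopes"])
            if not granted <= client["scopes"]:
                return {"error": "invalid_scope"}
            sub = client_id  # the token acts as the client itself; no user behind it
        else:
            return {"error": "unsupported_grant_type"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"sub": sub, "client_id": client_id,
                                     "scope": granted, "exp": now + TOKEN_TTL}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": TOKEN_TTL, "scope": " ".join(sorted(granted))}

    def introspect(self, access_token, now=None):
        """What a resource server asks: is this token live, and on whose behalf?"""
        now = time.time() if now is None else now
        entry = self.tokens.get(access_token)
        if entry is None or now > entry["exp"]:
            return {"active": False}
        return {"active": True, "sub": entry["sub"], "client_id": entry["client_id"],
                "scope": " ".join(sorted(entry["scope"]))}


if __name__ == "__main__":
    srv = AuthServer()
    srv.register_client("webapp", "s3cret", ["https://app.example/cb"], ["read", "write"])
    step = srv.authorize("code", "webapp", "https://app.example/cb", "user-1", "read")
    tok = srv.token("authorization_code", "webapp", "s3cret",
                    code=step["code"], redirect_uri="https://app.example/cb")
    print(tok, srv.introspect(tok["access_token"]))
```

Error responses use the RFC 6749 error codes (`invalid_client`, `invalid_grant`, `invalid_scope`, `unsupported_grant_type`, `unsupported_response_type`) so a client written against a real provider reads them the same way. The "Grant Service" from the service list is the part deliberately left out here: a real provider also records which user authorized which client for which scopes so the consent can be revoked later.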
History (3/?)
4th goal: Support Account Activation => SCIM³ Client
Call a SCIM server. Check whether the account belongs to an activated Org inside AMP.
- Become an OpenID Connect provider, done before the start of SecureX.
- OpenID Connect with SSE (we are the IdP now)
History: SecureX (4/?)
From idp-mapping to idp-mappings
From the IdP managing Orgs to the IdP providing only a User Id.
Internal User Structure
Cisco specificity
2 - Login
3 - OAuth2 / OpenID Connect Provider
4 - Specific Cisco Usage
- Orbital
- AMP