deft/journal/2021-04-16--12-27-13Z--iroh_auth_presentation.org
2021-04-16 15:47:38 +02:00


IROH Auth Presentation

tags
Cisco

IROH Auth

Plan

  1. Introduction, History
  2. Login
  3. OAuth2/OIDC Provider
  4. Specific Usages Cisco

1 - Introduction

When did you interact with IROH-Auth?

  • Login in SecureX
  • Login in CTR
  • Login in Orbital
  • Authorized the Ribbon
  • Invited someone to your Org
  • Cross Launch with SSE
  • Dealing with JWT
  • Changed the role of some user
  • When you investigate in CTR (via CTIA's module)
  • Created an OAuth2 client

What is IROH-Auth? (overview)

IROH-Auth is the software subcomponent of IROH¹ that takes care of:

  • Authentication

    • provide a user unique identifier
  • Authorization

    • decide what user can or cannot do
  • User Data Model
  • Tenancy (Org) Management
  • API Clients Management
  • OAuth2, OpenID Connect provider (half of IROH-Auth dedicated to this)

1: IROH: the software serving the API behind SecureX, CTR, Ribbons, integrations…

What is IROH-Auth? (technical)

IROH-Auth is a set of services within IROH, some of them exposing HTTP APIs.

  • Login

    • Login (core service + web API)
    • Org (service)
    • User (service + web API)
    • Scopes (service)
    • Auth Management (core service)
    • Invite (core service + web API)
    • Session (web API)
    • Profile (web API, /whoami)
    • SCIM Client (service)
    • IdP Migrate (core service + web API), deprecated a few months ago
    • Provision (service + web API), used instead of IdP Migrate
  • OAuth2

    • OAuth2 (core service + web API)
    • OAuth2 Clients (core service + web API)
    • OAuth2 Clients Presets (service)
    • Grant Service (User's client authorizations)
  • Admin

    • Auth Management (web API)
    • OAuth2 Clients Management (web API)

History: IROH/Visibility (1/?)

Login using AMP SAML (generate a JWT). Worked with Guillaume.

Use AMP as an IdP²

After the authentication dance on their side, AMP provides:

  • user-id
  • org-id
  • role (admin/user)

No DB of users!
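The "no DB of users" model in code, as an added Python example that is not part of the original slides or of IROH: the three values the IdP asserts (user-id, org-id, role) are turned directly into a signed HS256 JWT and later verified without any user lookup. The signing key, claim names, TTL and the algorithm pinning are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key for this example only; a deployment would load it from a
# secret store (assumption, not something the slides describe).
SIGNING_KEY = b"example-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(idp_assertion: dict, now: int, ttl_seconds: int = 3600) -> str:
    """Turn the values the IdP hands back (user-id, org-id, role) into a
    signed HS256 JWT. No user database is consulted: the IdP assertion is
    the only source of identity."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": idp_assertion["user-id"],
        "org": idp_assertion["org-id"],
        "role": idp_assertion["role"],
        "iat": now,
        "exp": now + ttl_seconds,
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now: int) -> Optional[dict]:
    """Return the claims if the token is well formed, signed with our key,
    uses the pinned algorithm and has not expired; otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side; never trust the token's own "alg".
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            SIGNING_KEY, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```

The verifier checks the signature before reading any claim, so a forged payload or an `alg: none` header is rejected even though the token parses; a service that only decodes the payload would accept either.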

History: IROH/Visibility - SAML (2/?)

Doc & Libs

> It's bad.
> It's really bad.
> It's like eating a hot circle of garbage…
> Kevin

attachment:_20210416_152516.jpeg

History: IROH/Visibility (3/?)

2nd goal: Support OAuth2 (become an OAuth2 provider)

3rd goal: Support AMP and Threatgrid login (OpenID Connect)

Become both an OAuth2 client and provider.

Need Clients/Users/Orgs in DB!!!

OAuth2 RFC => OAuth2 GRANTS

  • Authorization Code Grant (the classic)
  • Client Credentials Grant (for scripts)
  • Implicit Grant (for Single Page Applications, now deprecated)
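To make the difference between the grants concrete, here is an added Python sketch of a minimal in-memory authorization server; it is example code, not IROH's OAuth2 service. It issues codes and tokens for the Authorization Code and Client Credentials grants and deliberately has no Implicit grant, so there is no path that hands a token straight to a redirect. The client registrations, the exact-match redirect URI rule and the error strings are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Client:
    client_id: str
    client_secret: str
    redirect_uris: frozenset   # exact-match allow-list, no prefixes or wildcards
    allowed_grants: frozenset  # subset of {"authorization_code", "client_credentials"}


@dataclass
class AuthServer:
    clients: dict
    codes: dict = field(default_factory=dict)   # code -> (client_id, redirect_uri, user_id, scope)
    tokens: dict = field(default_factory=dict)  # access_token -> claims

    def authorize(self, client_id: str, redirect_uri: str, user_id: str, scope: str) -> str:
        """Authorization endpoint, reached after the user logged in and consented.
        Returns the short-lived code the browser carries back to redirect_uri."""
        client = self.clients.get(client_id)
        if client is None or "authorization_code" not in client.allowed_grants:
            raise ValueError("unauthorized_client")
        if redirect_uri not in client.redirect_uris:
            raise ValueError("invalid_redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, user_id, scope)
        return code

    def token(self, grant_type: str, client_id: str, client_secret: str, **params) -> dict:
        """Token endpoint. Both grants authenticate the client first; only the
        authorization-code grant carries a user identity."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client.client_secret, client_secret):
            raise ValueError("invalid_client")
        if grant_type not in client.allowed_grants:
            raise ValueError("unauthorized_client")
        if grant_type == "authorization_code":
            entry = self.codes.pop(params.get("code", ""), None)  # pop: a code is single use
            if entry is None:
                raise ValueError("invalid_grant")
            code_client, code_redirect, user_id, scope = entry
            if code_client != client_id or code_redirect != params.get("redirect_uri"):
                raise ValueError("invalid_grant")
            return self._issue(sub=user_id, client_id=client_id, scope=scope)
        if grant_type == "client_credentials":
            # Script-style access: the token represents the client itself, no user.
            return self._issue(sub=None, client_id=client_id, scope=params.get("scope", ""))
        raise ValueError("unsupported_grant_type")

    def _issue(self, **claims) -> dict:
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = claims
        return {"access_token": access_token, "token_type": "Bearer", **claims}


def token_or_error(server: AuthServer, *args, **kwargs) -> Optional[str]:
    """Return the OAuth2 error string for a failed token request, None on success."""
    try:
        server.token(*args, **kwargs)
        return None
    except ValueError as err:
        return str(err)
```

The two properties worth noticing are that a code is consumed on first use (a replayed code yields `invalid_grant`) and that the code is bound to both the client and the redirect URI it was issued for, so a code captured from one client's redirect cannot be redeemed by another.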

History: IROH/Visibility (4/?)

4th goal: Support Account Activation => SCIM³ Client

Call a SCIM server. Check whether the account belongs to an activated Org inside AMP.

  • Become an OpenID Connect provider, made before the start of SecureX.
  • OpenID Connect with SSE (we are the IdP now)

History: SecureX (5/?)

From idp-mapping to idp-mappings

From an IdP managing Orgs to an IdP providing only a user identity id. => generate a random user-id/org-id and stop using the ones given by the IdP.

2 - Login

Many IROH-Auth services are dedicated just to login.

IROH-Auth Login

Generally: enter your username & password => set a cookie with the id of the user

Not in IROH-Auth. The first goal was (and still is) not to take care of user's credentials.

There are no user passwords in IROH-Auth.

The password security is handled by external IdPs. Currently SXSO, CSA & TG.

IROH-Auth Login

So this is the login dance via IROH-Auth:

attachment:_20210416_154054Screenshot%202021-04-16%20at%2015.38.37.png

  1. Login page => select an IdP
  2. When the user clicks the link, we save a unique id in the DB and redirect the user to the IdP's URL
  3. IROH-Auth then just waits for the user to come back (via browser redirect) with information from the IdP. Generally the user comes back to the /iroh/iroh-auth/:idp/answer endpoint with a query parameter containing a code
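The three steps above, combined with the idp-mappings rule from the SecureX history slide, as an added Python example that is not IROH's code: the unique id saved at step 2 is the OAuth2 `state` parameter, step 3 refuses any callback whose state is unknown, already used or bound to another IdP, and the identity the IdP returns is mapped to random internal ids that are never the IdP's own. The IdP URLs, the callback host and the `demo_exchange_code` stand-in for the back-channel code exchange are constructed assumptions.

```python
import secrets
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed IdP registry: the names are the ones the talk lists, the URLs
# are placeholders for the example.
IDP_AUTHORIZE_URLS = {
    "sxso": "https://sxso.idp.example/authorize",
    "csa": "https://csa.idp.example/authorize",
    "tg": "https://tg.idp.example/authorize",
}
CALLBACK_BASE = "https://visibility.example/iroh/iroh-auth"  # assumed host


def demo_exchange_code(idp: str, code: str) -> Optional[dict]:
    """Constructed stand-in for the back-channel call that turns the IdP's
    code into identity claims; a real service would do a token/userinfo request."""
    if code == "good-code":
        return {"sub": "amp-user-1", "org": "amp-org-9"}
    return None


class LoginService:
    def __init__(self, exchange_code: Callable[[str, str], Optional[dict]]):
        self.pending = {}        # state -> idp: the unique id saved in DB at step 2
        self.user_mappings = {}  # (idp, IdP user id) -> internal user-id
        self.org_mappings = {}   # (idp, IdP org id) -> internal org-id
        self.exchange_code = exchange_code

    def start(self, idp: str) -> str:
        """Step 2: persist a fresh unpredictable state and build the redirect URL."""
        state = secrets.token_urlsafe(32)
        self.pending[state] = idp
        query = urlencode({"state": state, "redirect_uri": f"{CALLBACK_BASE}/{idp}/answer"})
        return f"{IDP_AUTHORIZE_URLS[idp]}?{query}"

    def answer(self, idp: str, query_string: str) -> Optional[Tuple[str, str]]:
        """Step 3: handle GET /iroh/iroh-auth/:idp/answer?code=...&state=...
        Returns (user-id, org-id), or None when the callback must be rejected."""
        params = parse_qs(query_string)
        state = params.get("state", [""])[0]
        code = params.get("code", [""])[0]
        # pop(): a state is single use, so a replayed callback is rejected,
        # and it must have been issued for this very IdP.
        if not state or self.pending.pop(state, None) != idp:
            return None
        identity = self.exchange_code(idp, code)
        if identity is None:
            return None
        user_key = (idp, identity["sub"])
        org_key = (idp, identity["org"])
        # idp-mappings: the IdP's ids are only lookup keys; internal ids are random.
        if user_key not in self.user_mappings:
            self.user_mappings[user_key] = "user-" + secrets.token_hex(8)
        if org_key not in self.org_mappings:
            self.org_mappings[org_key] = "org-" + secrets.token_hex(8)
        return self.user_mappings[user_key], self.org_mappings[org_key]


def state_from_redirect(url: str) -> str:
    """Pull the state back out of the redirect URL (what the browser carries)."""
    return parse_qs(urlparse(url).query)["state"][0]
```

Because the state is both random and consumed on first use, an attacker cannot complete the dance with a code they obtained elsewhere, and because internal ids are generated rather than copied, a change of IdP or of the IdP's own numbering never leaks into the rest of IROH.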

3 - OAuth2 / OpenID Connect Provider

4 - Specific Cisco Usage

  • Orbital
  • AMP

2: IdP: Identity Provider

3: SCIM: System for Cross-domain Identity Management