deft/journal/2021-04-16--12-27-13Z--iroh_auth_presentation.org
2021-04-16 15:27:43 +02:00


IROH Auth Presentation

tags
Cisco

IROH Auth

Plan

  1. Introduction, History
  2. Login
  3. OAuth2/OIDC Provider
  4. Specific Usages Cisco

1 - Introduction

When did you last interact with IROH-Auth?

  • Logging in to SecureX
  • Logging in to CTR
  • Logging in to Orbital
  • Authorizing the Ribbon
  • Inviting someone to your Org
  • Cross-launching with SSE
  • Dealing with JWTs
  • Changing a user's role
  • Investigating in CTR (via CTIA's module)
  • Creating an OAuth2 client

What is IROH-Auth? (overview)

This is a software subcomponent of IROH[1] that takes care of:

  • Authentication

    • providing a unique identifier for each user
  • Authorization

    • deciding what a user can or cannot do
  • User data model
  • Tenancy (Org) management
  • API client management
  • OAuth2 / OpenID Connect provider (about half of IROH-Auth is dedicated to this)

[1] IROH: the software serving the API behind SecureX, CTR, Ribbons, integrations…

What is IROH-Auth? (technical)

IROH-Auth is a set of services within IROH, some of them exposing HTTP APIs.

  • Login

    • Login (core service + web API)
    • Org (service)
    • User (service + web API)
    • Scopes (service)
    • Auth Management (core service)
    • Invite (core service + web API)
    • Session (web API)
    • Profile (web API, /whoami)
    • SCIM Client (service)
    • IdP Migrate (core service + web API), deprecated a few months ago
    • Provision (service + web API), used instead of IdP Migrate
  • OAuth2

    • OAuth2 (core service + web API)
    • OAuth2 Clients (core service + web API)
    • OAuth2 Clients Presets (service)
    • Grant Service (User's client authorizations)
  • Admin

    • Auth Management (web API)
    • OAuth2 Clients Management (web API)

History (1/?)

Login using AMP SAML (generates a JWT). Worked with Guillaume.

Use AMP as an IdP[2].

After the SAML dance, AMP provides:

  • user-id
  • org-id
  • role (admin/user)

No DB of users on our side!

SAML

Doc & Libs

> It's bad.
> It's really bad.
> It's like eating a hot circle of garbage…
> Kevin

attachment:_20210416_152516.jpeg

History (2/?)

2nd goal: support OAuth2 (become an OAuth2 provider).
3rd goal: support AMP and Threatgrid login (OpenID Connect).

Become both an OAuth2 client and an OAuth2 provider.

Need Clients/Users/Orgs in the DB!!!

OAuth2 RFC (RFC 6749) => OAuth2 grants

  • Authorization Code Grant (the classic: a web app acting on behalf of a logged-in user)
  • Client Credentials Grant (for scripts and service-to-service calls; no user involved)
  • Implicit Grant (for Single Page Applications; now deprecated, SPAs should use the Authorization Code Grant with PKCE instead)
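The two grants that remain recommended, walked through end to end. This is an added example, not IROH-Auth's code: a hypothetical in-memory authorization server with the checks the RFC asks for (exact redirect_uri match, single-use short-lived codes, client authentication, PKCE verification) and the client side of each exchange. Client ids, secrets, redirect URIs and scope names are made up.

```python
# Added example, not IROH-Auth's code. Hypothetical in-memory OAuth2 server
# plus clients for the authorization_code (with PKCE) and client_credentials grants.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def s256(verifier: str) -> str:
    """PKCE S256 challenge: BASE64URL(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison for secrets and challenges."""
    return hmac.compare_digest(a.encode(), b.encode())


def code_from_redirect(redirect: str, expected_state: str) -> str:
    """Client side: read the code off the redirect, refusing a wrong or missing state."""
    query = parse_qs(urlparse(redirect).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up response")
    return query["code"][0]


class OAuth2Server:
    """Authorization + token endpoints of a made-up provider."""

    def __init__(self, code_ttl: int = 60):
        self.clients = {}   # client_id -> {"secret", "redirect_uris", "scopes"}
        self.codes = {}     # authorization code -> pending grant (single use)
        self.code_ttl = code_ttl

    def register_client(self, client_id, secret, redirect_uris, scopes):
        self.clients[client_id] = {"secret": secret,
                                   "redirect_uris": set(redirect_uris),
                                   "scopes": set(scopes)}

    def authorize(self, user_id, client_id, redirect_uri, scope, state, code_challenge):
        """Authorization endpoint, reached after the user has logged in and consented.
        Returns the redirect the browser would follow back to the client."""
        client = self.clients.get(client_id)
        if client is None:
            raise ValueError("unauthorized_client")
        if redirect_uri not in client["redirect_uris"]:   # exact match, no prefixes
            raise ValueError("invalid_redirect_uri")      # and no redirect at all here
        if not set(scope.split()) <= client["scopes"]:
            raise ValueError("invalid_scope")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user_id": user_id, "scope": scope,
                            "challenge": code_challenge,
                            "expires": time.time() + self.code_ttl}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, params):
        """Token endpoint for confidential clients (client_secret in the body)."""
        client_id = params.get("client_id")
        client = self.clients.get(client_id)
        if client is None or not _eq(client["secret"], params.get("client_secret", "")):
            raise ValueError("invalid_client")
        grant = params.get("grant_type")
        if grant == "authorization_code":
            record = self.codes.pop(params.get("code"), None)   # pop: one attempt only
            if (record is None or record["expires"] < time.time()
                    or record["client_id"] != client_id
                    or record["redirect_uri"] != params.get("redirect_uri")
                    or not _eq(s256(params.get("code_verifier", "")), record["challenge"])):
                raise ValueError("invalid_grant")   # a leaked code without the verifier is useless
            return self._issue(record["user_id"], client_id, record["scope"])
        if grant == "client_credentials":
            scope = params.get("scope", "")
            if not set(scope.split()) <= client["scopes"]:
                raise ValueError("invalid_scope")
            return self._issue(None, client_id, scope)   # no user behind a script token
        raise ValueError("unsupported_grant_type")

    def _issue(self, user_id, client_id, scope):
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": scope, "sub": user_id,
                "client_id": client_id}


def authorization_code_flow(server, client_id, secret, redirect_uri, user_id, scope):
    """Client side of the classic grant: fresh verifier + state, then the exchange."""
    verifier, state = secrets.token_urlsafe(48), secrets.token_urlsafe(16)
    redirect = server.authorize(user_id, client_id, redirect_uri, scope, state, s256(verifier))
    code = code_from_redirect(redirect, state)
    return server.token({"grant_type": "authorization_code", "code": code,
                         "redirect_uri": redirect_uri, "client_id": client_id,
                         "client_secret": secret, "code_verifier": verifier})


def client_credentials_flow(server, client_id, secret, scope):
    """Client side of the script grant: no browser, no user, just client auth."""
    return server.token({"grant_type": "client_credentials", "client_id": client_id,
                         "client_secret": secret, "scope": scope})
```

The points worth noticing: the code is popped before any check, so a wrong verifier burns it rather than leaving it available for a second try; the client refuses a redirect whose state it did not generate; and a client_credentials token carries no `sub`, which is what makes it unsuitable for anything that needs a user behind the action.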

History (3/?)

4th goal: support account activation => SCIM[3] client

Call a SCIM server and check whether the account belongs to an activated Org in AMP.
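What that SCIM lookup looks like on the client side, as an added example and not IROH-Auth's SCIM client: build the RFC 7644 filter query with the value quoted under JSON string rules (so a crafted username cannot widen the filter), then accept the account only if the list response holds exactly one active user in the expected org. The server URL, the org-id schema extension and the sample responses are made up; the AMP server's real schema is not on this page.

```python
# Added example, not IROH-Auth's code. SCIM 2.0 (RFC 7644) user lookup and
# activation check against constructed responses.
import json
from urllib.parse import urlencode

# Hypothetical schema extension carrying the org id on a SCIM user (made up here).
ORG_EXTENSION = "urn:example:scim:schemas:extension:amp:2.0:User"


def scim_filter_value(value: str) -> str:
    """Quote a filter literal with JSON string rules (RFC 7644 section 3.4.2.2),
    so a value like  x" or userName ne "  stays a literal instead of new filter terms."""
    return json.dumps(value, ensure_ascii=False)


def user_lookup_url(base_url: str, user_name: str) -> str:
    """GET /Users?filter=userName eq "<name>" on a SCIM 2.0 server."""
    filt = "userName eq " + scim_filter_value(user_name)
    query = urlencode({"filter": filt, "attributes": "userName,active," + ORG_EXTENSION})
    return base_url.rstrip("/") + "/Users?" + query


def account_activated(list_response: dict, expected_org: str) -> bool:
    """Exactly one matching user, active, and in the expected org; anything else is a no."""
    resources = list_response.get("Resources", [])
    if list_response.get("totalResults") != 1 or len(resources) != 1:
        return False
    user = resources[0]
    if user.get("active") is not True:
        return False
    return user.get(ORG_EXTENSION, {}).get("orgId") == expected_org


# Constructed sample responses, not captured from a real server.
ACTIVE_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [{"id": "1a2b", "userName": "ana@example.com", "active": True,
                   ORG_EXTENSION: {"orgId": "org-7"}}],
}
INACTIVE_RESPONSE = json.loads(json.dumps(ACTIVE_RESPONSE))
INACTIVE_RESPONSE["Resources"][0]["active"] = False
EMPTY_RESPONSE = {"schemas": ACTIVE_RESPONSE["schemas"], "totalResults": 0, "Resources": []}
```

Two responses are deliberately treated as "not activated": an empty list and a list whose `totalResults` disagrees with the number of resources, since a lookup that cannot pin down one account should never unlock anything.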

  • Became an OpenID Connect provider, done before the start of SecureX.
  • OpenID Connect with SSE (we are the IdP now).

History: SecureX (4/?)

From idp-mapping to idp-mappings. From the IdP managing Orgs to the IdP providing only a user id.

Internal User Structure

Cisco specificity

2 - Login

3 - OAuth2 / OpenID Connect Provider

4 - Specific Cisco Usage

  • Orbital
  • AMP

[2] IdP: Identity Provider

[3] SCIM: System for Cross-domain Identity Management