Wednesday 25 November 2015

Unlocking the Authorization Asset

Consumer identity is a core asset of your business. Unlocking authorization and wiring it into your business processes and (micro)services builds on that asset: it drives a higher level of personalization and shapes how users interact with resources and objects.

In a recent post titled "Authorization for Everything" I outlined how any resource or object can be described in ForgeRock's identity platform authorization framework by the example of a home cinema.


But who's going to set up the authorization objects and controls?
(Question by an attendee of the ForgeRock Identity Summit in Düsseldorf)

User-facing applications that operate or control devices or resources, such as mobile applications or smart remote controls, can now call directly into the authorization framework to manage or evaluate permissions. It is also possible to go via a hub with which an appliance such as the home cinema registers when it is plugged in.

Smart authorization is thus unlocked for any of these procedures, services and applications, regardless of platform. The key is the REST API provided by the ForgeRock identity platform.

The key to driving authorization in the user experience or device management is the API!
Implement it where it creates most value for the consumer.
(My answer)

Here, in full detail, is how to manage and evaluate authorization elements via REST, again using the home cinema example.


Authorization Management via REST in detail
Step 1: Creating a resource type TV

First we create a resource type tv and specify the format in which the resource is addressed (e.g. tv://myhouse/homecinema) and the possible actions on the resource. All management calls in this post are made with an administrator session: the admin SSO token (obtained beforehand from the authentication endpoint) is passed in the iPlanetDirectoryPro header, OpenAM's default session cookie name. Note also that the URL must be quoted, otherwise the shell treats the & before _prettyPrint as a background operator.

Request:
curl -s --request POST --header "Content-Type: application/json" --header "iPlanetDirectoryPro: $ADMIN_TOKEN" --data @request.json "https://sso.redstone.com:443/sso/json/authzrealm/resourcetypes?_action=create&_prettyPrint=true"
Request (JSON):
{
  "patterns": [
    "tv://*/*"
  ],
  "name": "tv",
  "actions": {
    "ENABLE": true,
    "DISABLE": true,
    "BROADCAST SCREEN": true,
    "BROADCAST CAMERA": true
  }
}

Response (JSON):
{
  "uuid" : "9fefc18f-5731-4963-a8d6-fa8aba7923d4",
  "name" : "tv",
  "description" : null,
  "patterns" : [ "tv://*/*" ],
  "actions" : {
    "DISABLE" : true,
    "ENABLE" : true,
    "BROADCAST CAMERA" : true,
    "BROADCAST SCREEN" : true
  },
  "createdBy" : "id=amadmin,ou=user,dc=sso-config,dc=com",
  "creationDate" : 1447989190178,
  "lastModifiedBy" : "id=amadmin,ou=user,dc=sso-config,dc=com",
  "lastModifiedDate" : 1447989190178
}

Note the resource type's UUID in the response. This value is needed later to assign a resource type to a policy.


Step 2: Creating the policy set (or application)

Next the policy set (or application) is created. Its resourceTypeUuids must contain the UUID of the resource type tv from step 1; the subjects and conditions lists enumerate which subject and condition types policies in this set may use, and DenyOverride means that an explicit deny from any applicable policy wins over allows.

Request:
curl -s --request POST --header "Content-Type: application/json" --header "iPlanetDirectoryPro: $ADMIN_TOKEN" --data @request.json "https://sso.redstone.com:443/sso/json/authzrealm/applications?_action=create&_prettyPrint=true"
Request (JSON):
{
    "name" : "SmartHome",
    "applicationType" : "iPlanetAMWebAgentService",
    "description" : "Controlling objects in a smart home.",
    "resourceTypeUuids" : [ "9fefc18f-5731-4963-a8d6-fa8aba7923d4" ],
    "subjects" : [ "Policy", "NOT", "OR", "JwtClaim", "AuthenticatedUsers", "AND", "Identity", "NONE" ],
    "entitlementCombiner" : "DenyOverride",
    "saveIndex" : null,
    "searchIndex" : null,
    "resourceComparator" : null,
    "attributeNames" : [ ],
    "editable" : true,
    "conditions" : [ "LEAuthLevel", "Policy", "Script", "AuthenticateToService", "SimpleTime", "AMIdentityMembership", "OR", "IPv6", "IPv4", "SessionProperty", "AuthScheme", "AuthLevel", "NOT", "AuthenticateToRealm", "AND", "ResourceEnvIP", "LDAPFilter", "OAuth2Scope", "Session" ]
}

Response (JSON):
{
  "lastModifiedBy" : "id=amadmin,ou=user,dc=sso-config,dc=com",
  "lastModifiedDate" : 1447989192860,
  "creationDate" : 1447989192860,
  "createdBy" : "id=amadmin,ou=user,dc=sso-config,dc=com",
  "applicationType" : "iPlanetAMWebAgentService",
  "subjects" : [ "Policy", "NOT", "OR", "JwtClaim", "AuthenticatedUsers", "AND", "Identity", "NONE" ],
  "entitlementCombiner" : "DenyOverride",
  "saveIndex" : null,
  "searchIndex" : null,
  "resourceComparator" : null,
  "attributeNames" : [ ],
  "editable" : true,
  "conditions" : [ "LEAuthLevel", "Policy", "Script", "AuthenticateToService", "SimpleTime", "AMIdentityMembership", "OR", "IPv6", "IPv4", "SessionProperty", "AuthScheme", "AuthLevel", "NOT", "AuthenticateToRealm", "AND", "ResourceEnvIP", "LDAPFilter", "OAuth2Scope", "Session" ],
  "description" : "Controlling objects in a smart home.",
  "name" : "SmartHome"
}

Step 3: Creating the policy giving permissions to Bob

Next the policy HomeCinema is created in the SmartHome policy set. It grants the identity bob all four actions on the single resource tv://myhouse/homecinema; resourceTypeUuid again carries the UUID from step 1, and the resource must match one of that resource type's patterns (tv://*/*).

Request:
curl -s --request POST --header "Content-Type: application/json" --header "iPlanetDirectoryPro: $ADMIN_TOKEN" --data @request.json "https://sso.redstone.com:443/sso/json/authzrealm/policies?_action=create&_prettyPrint=true"
Request (JSON):
{
    "name" : "HomeCinema",
    "active" : true,
    "description" : "",
    "applicationName" : "SmartHome",
    "actionValues" : {
      "ENABLE" : true,
      "DISABLE" : true,
      "BROADCAST SCREEN" : true,
      "BROADCAST CAMERA" : true
    },
    "resources" : [ "tv://myhouse/homecinema" ],
    "subject" : {
      "type" : "Identity",
      "subjectValues" : [ "id=bob,ou=user,o=authzrealm,ou=services,dc=sso-config,dc=com" ]
    },
    "resourceTypeUuid" : "9fefc18f-5731-4963-a8d6-fa8aba7923d4"
}

Response (JSON):
{
  "name" : "HomeCinema",
  "active" : true,
  "description" : "",
  "applicationName" : "SmartHome",
  "actionValues" : {
    "DISABLE" : true,
    "ENABLE" : true,
    "BROADCAST CAMERA" : true,
    "BROADCAST SCREEN" : true
  },
  "resources" : [ "tv://myhouse/homecinema" ],
  "subject" : {
    "type" : "Identity",
    "subjectValues" : [ "id=bob,ou=user,o=authzrealm,ou=services,dc=sso-config,dc=com" ]
  },
  "resourceTypeUuid" : "9fefc18f-5731-4963-a8d6-fa8aba7923d4",
  "lastModifiedBy" : "id=amadmin,ou=user,dc=sso-config,dc=com",
  "lastModifiedDate" : "2015-11-20T03:13:14.274Z",
  "createdBy" : "id=amadmin,ou=user,dc=sso-config,dc=com",
  "creationDate" : "2015-11-20T03:13:14.274Z"
}

Step 4: Evaluating the policy for user Bob

Finally, the policy is evaluated for user Bob. For completeness (the procedure is already outlined in "Authorization for Everything"), here is how an upstream application would check whether Bob may broadcast the screen (or perform any other action). The caller is the policy enforcement point, which authenticates itself with its own administrative or agent session in the iPlanetDirectoryPro header, as in the previous steps; the end user's own SSO token goes into the request body as the subject.

Request URL:
https://sso.redstone.com:443/sso/json/authzrealm/policies?_action=evaluateTree&_prettyPrint=true
Request (JSON):
{
  "application": "SmartHome",
  "resource": "tv://myhouse/homecinema",
  "subject": {
    "ssoToken": "AQIC5wM2LY4SfcxbXJgKBtBsbzH0OtxslnEQDHK2RJ5UJho.*AAJTSQACMDIAAlNLABQtOTIwMDUyMDgxMTA2Mzk1NjIzMgACUzEAAjAx*"
  }
}

Response (JSON):
[ {
  "advices" : { },
  "ttl" : 9223372036854775807,
  "resource" : "tv://myhouse/homecinema",
  "actions" : {
    "DISABLE" : true,
    "ENABLE" : true,
    "BROADCAST CAMERA" : true,
    "BROADCAST SCREEN" : true
  },
  "attributes" : { }
} ]
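The four steps above as one runnable procedure, written as an added example for this post; it is not code from the original article or from the openam-high5 project. It assumes the deployment URL and realm from the curl commands, that an administrator SSO token is sent in the iPlanetDirectoryPro header (OpenAM's default session cookie name), and that the admin and user tokens were obtained beforehand (for example from the authentication endpoint) and are supplied via environment variables; everything else (payload fields, endpoint paths, the DenyOverride combiner) is taken from the requests shown above.

```python
import json
import urllib.request

# Assumptions (not stated on the page): deployment URL and realm as in the
# post's curl commands, and an administrator SSO token sent in the
# iPlanetDirectoryPro header (OpenAM's default session cookie name), which the
# create and evaluate endpoints require.
BASE_URL = "https://sso.redstone.com:443/sso"
REALM = "authzrealm"
ADMIN_TOKEN_HEADER = "iPlanetDirectoryPro"

TV_ACTIONS = ["ENABLE", "DISABLE", "BROADCAST SCREEN", "BROADCAST CAMERA"]


def resource_type_body(name, patterns, actions):
    """Step 1 payload: URI patterns the resource type matches, and its actions."""
    return {"name": name, "patterns": list(patterns),
            "actions": {a: True for a in actions}}


def policy_set_body(name, resource_type_uuids, description=""):
    """Step 2 payload: a policy set (application) bound to the resource types
    its policies may use; DenyOverride means any applicable deny wins."""
    return {"name": name,
            "applicationType": "iPlanetAMWebAgentService",
            "description": description,
            "resourceTypeUuids": list(resource_type_uuids),
            "entitlementCombiner": "DenyOverride",
            "subjects": ["Policy", "NOT", "OR", "JwtClaim", "AuthenticatedUsers",
                         "AND", "Identity", "NONE"],
            "conditions": ["LEAuthLevel", "Policy", "Script", "AuthenticateToService",
                           "SimpleTime", "AMIdentityMembership", "OR", "IPv6", "IPv4",
                           "SessionProperty", "AuthScheme", "AuthLevel", "NOT",
                           "AuthenticateToRealm", "AND", "ResourceEnvIP", "LDAPFilter",
                           "OAuth2Scope", "Session"]}


def policy_body(name, application, resource_type_uuid, resources, actions, subject_dn):
    """Step 3 payload: allow `actions` on `resources` for a single identity."""
    return {"name": name, "active": True, "applicationName": application,
            "resourceTypeUuid": resource_type_uuid,
            "resources": list(resources),
            "actionValues": {a: True for a in actions},
            "subject": {"type": "Identity", "subjectValues": [subject_dn]}}


def evaluation_body(application, resource, user_sso_token):
    """Step 4 payload: the end user's own SSO token identifies the subject."""
    return {"application": application, "resource": resource,
            "subject": {"ssoToken": user_sso_token}}


def build_request(path, action, body, admin_token):
    """POST to /json/<realm>/<path>?_action=<action> as the administrator."""
    url = f"{BASE_URL}/json/{REALM}/{path}?_action={action}"
    return urllib.request.Request(
        url, method="POST", data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 ADMIN_TOKEN_HEADER: admin_token})


def post(path, action, body, admin_token):
    """Send the request and decode the JSON response."""
    with urllib.request.urlopen(build_request(path, action, body, admin_token),
                                timeout=10) as resp:
        return json.load(resp)


def provision_home_cinema(admin_token, bob_dn):
    """Steps 1 to 3 in order: the UUID returned by step 1 feeds steps 2 and 3."""
    rt = post("resourcetypes", "create",
              resource_type_body("tv", ["tv://*/*"], TV_ACTIONS), admin_token)
    post("applications", "create",
         policy_set_body("SmartHome", [rt["uuid"]],
                         "Controlling objects in a smart home."), admin_token)
    return post("policies", "create",
                policy_body("HomeCinema", "SmartHome", rt["uuid"],
                            ["tv://myhouse/homecinema"], TV_ACTIONS, bob_dn),
                admin_token)


def evaluate(admin_token, user_sso_token, resource="tv://myhouse/homecinema"):
    """Step 4: the enforcement point authenticates itself via the header and
    asks for a decision for the user whose token is in the body."""
    return post("policies", "evaluateTree",
                evaluation_body("SmartHome", resource, user_sso_token), admin_token)


if __name__ == "__main__":
    import os
    # Assumption: both tokens were obtained beforehand, e.g. from /json/authenticate.
    admin = os.environ["AM_ADMIN_TOKEN"]
    bob = "id=bob,ou=user,o=authzrealm,ou=services,dc=sso-config,dc=com"
    print(json.dumps(provision_home_cinema(admin, bob), indent=2))
    print(json.dumps(evaluate(admin, os.environ["BOB_TOKEN"]), indent=2))
```

The payload builders are kept separate from the HTTP call so that a device or hub registering itself can assemble the resource type and policy first and submit them in one transaction, and so the bodies can be reviewed without a live OpenAM. Keep the administrator token out of the device: in a hub design it is the hub, not the appliance, that holds it.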


If you want to go further into the details of policy creation and evaluation via REST, or even reproduce my demo from the Identity Summit in Düsseldorf, check the openam-high5 GitHub project, in particular the 652-authz-create-policy and 654-authz-evaluate-policy-tv scripts.





Friday 13 November 2015

Authorization for Everything


Smart contextual and conditional authorization lowers barriers: it enables frictionless user onboarding and more intuitive user journeys, and ultimately increases your return on identity, right at the heart of your digital transformation strategy.
Moving beyond web and mobile application security, authorization can be described for any object, any action and any context. ForgeRock's identity platform provides the framework for this: Authorization for Everything.
 
The model, principles and functionality can be applied to any business, so as an example I describe authorization for an "ordinary" object, a family household. It is composed of the family members and the household appliances. Bob stores wine in his wine cabinet, not only for consumption but also as an investment. Inventory is thus crucial, as Bob wants to know the current value of his investments. Other "critical" resources are the screens. For the home cinema, we can imagine specific actions such as turning it on and off as well as broadcasting the screen or the camera. Not all family members should have the same permissions on these resources.

 

Authorization Management

The HomeCinema policy contains resources, actions, subjects and conditions. The whole Smith family is allowed to turn the home cinema on and off between 16h00 and 19h00. Bob should add a policy that allows him to operate the home cinema after 19h00 and to broadcast the camera to his remote friends when football is on. A time condition only limits when a policy applies; it does not deny outside its window, so a second allow policy for Bob is not overridden by the policy set's DenyOverride combiner (an explicit deny in any applicable policy, however, would win). Here is how it looks in the OpenAM administration interface:

Any kind of resource with any kind of action can be described in the authorization framework, be it real estate, contracts, online media, etc. In a later post I shall describe how this can be done via the REST API, so that policy creation can become part of the resource or device registration process handled by an application above the identity platform.

Policy Evaluation

Policy evaluation for a given resource and subject can be done via the API. The policy enforcement point (which could be the home cinema itself, but also a mobile app) requests a policy decision via REST. The user must be authenticated in some form prior to this request; the user's SSO token is then added to the policy evaluation request as the subject, while the enforcement point authenticates the call itself with its own administrative or agent session (iPlanetDirectoryPro header).
Request URL:
https://sso.redstone.com:443/sso/json/authzrealm/policies?_action=evaluateTree&_prettyPrint=true
Request:
{
  "application": "SmartHome",
  "resource": "tv://myhouse/homecinema",
  "subject": {
    "ssoToken": "AQIC5wM2LY4Sfcw5j9MI_A6GO7s58XGwY7yTAuEeP4RJcvM.*AAJTSQACMDIAAlNLABQtOTAyNzM0MDcxNzQ3NDU3MTE4MAACUzEAAjAx*"
  }
}

Response:
[ {
  "advices" : { },
  "ttl" : 9223372036854775807,
  "resource" : "tv://myhouse/homecinema",
  "actions" : {
    "DISABLE" : true,
    "ENABLE" : true,
    "BROADCAST CAMERA" : false,
    "BROADCAST SCREEN" : false
  },
  "attributes" : { }
} ]

The user is only allowed to turn the home cinema on and off, not to broadcast the screen or the camera. Note how the decision is read: only an action explicitly returned as true is permitted; an action that is false or missing from the response (no applicable policy) is denied, and the ttl is the absolute time, in milliseconds since the epoch, after which the decision must not be reused (Long.MAX_VALUE here, as no time-bound condition applied). Any objects, actions, subjects, context and conditions can be described in the identity platform. Unlocking the authorization asset on top of your customer view enables an even more personalized experience.
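Reading the decision above on the enforcement side, as an added example that is not part of the original post or of the openam-high5 project. The sample response is the one shown above, embedded as constructed input so the code runs offline; the ttl handling (an absolute expiry in milliseconds since the epoch, Long.MAX_VALUE meaning no expiry) follows OpenAM's documented semantics, while the deny-by-default rule and the separate advice accessor are this example's own design choices, not something the post prescribes.

```python
import time

# Sample input constructed from the evaluateTree response shown above (not fetched live).
SAMPLE_DECISIONS = [{
    "advices": {},
    "ttl": 9223372036854775807,
    "resource": "tv://myhouse/homecinema",
    "actions": {"DISABLE": True, "ENABLE": True,
                "BROADCAST CAMERA": False, "BROADCAST SCREEN": False},
    "attributes": {},
}]

NO_EXPIRY = 9223372036854775807  # Long.MAX_VALUE: no time-bound condition applied


def decision_for(decisions, resource):
    """Pick the entry for exactly this resource; evaluateTree may return several."""
    for d in decisions:
        if d.get("resource") == resource:
            return d
    return None


def is_permitted(decisions, resource, action, now_ms=None):
    """Deny by default: only an explicit True for the action, on a decision
    that has not passed its ttl, permits. A missing action key (no applicable
    policy) and a value of False are both treated as deny."""
    d = decision_for(decisions, resource)
    if d is None:
        return False
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if d.get("ttl", 0) < now_ms:  # ttl is an absolute expiry in ms since the epoch
        return False
    return d.get("actions", {}).get(action) is True


def permitted_actions(decisions, resource, now_ms=None):
    """All actions a PEP may expose for this subject, e.g. to hide remote-control buttons."""
    d = decision_for(decisions, resource)
    if d is None:
        return set()
    return {a for a in d.get("actions", {})
            if is_permitted(decisions, resource, a, now_ms)}


def advices_for(decisions, resource):
    """Advice names a condition that was not met (for instance an authentication
    level); a PEP can use it to trigger step-up authentication rather than a flat deny."""
    d = decision_for(decisions, resource)
    return dict(d.get("advices", {})) if d else {}
```

A PEP that caches decisions must key the cache on resource and subject and honour the ttl; the family policy's 16h00 to 19h00 window is exactly the case where a cached "ENABLE: true" would otherwise outlive the condition that granted it.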
 
If you want to look at the details of the policy evaluation request and how it fits into the authorization framework, check the openam-high5 GitHub project, in particular the 654-authz-evaluate-policy-tv or 655-authz-evaluate-policy-door scripts.