SlideShare a Scribd company logo

Securing the Unsecured: Using SSO and XACML to Protect Your Web Apps

WSO2, profile picture
WSO2

The document discusses the WSO2 App Manager, emphasizing its role in securing web applications through Single Sign-On (SSO) and XACML for access control. It highlights the benefits for end users, application developers, and administrators, and outlines the process of securing both non-secured and already secured web apps using JWT and SAML tokens. Additionally, it covers the implementation of federated authentication and fine-grained authorization for web applications.

Technology
1 of 22
Downloaded 33 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Securing the Unsecured Using SSO and XACML to Protect Web Apps App Manager 1.0 .0 Dinusha Senanayaka WSO2 App Manager Team
Why App Manager ? 2 100% Open Source, under Apache 2 License Policy-based Authorization Insights into App Subscriptions & Behaviors Single-Sign-On (SSO) across Web AppsUnified App Store Central App Management (web & mobile) Access Control based on Organizational User Roles Leverages on proven components of WSO2: - Analytics Platform - App Usage Statistics - Security offering - Authentication, Authorization, Federated Identity and SSO - Enterprise Store - App Provisioning & Management
WSO2 App Manager Components 3
Single Sign-On between Web Apps Pros for End User ◉ Do not have to memorize long list of passwords to access multiple applications Pros for Application developers ◉ Do not have to worry about implementing security for Web Apps ◉ Can focus only developing Application business logic Pros for Administrators ◉ Do not have to manage multiple user accounts for different applications 4
SAML2 Web Browser based SSO Profile 5
Single Logout between Web Apps 6
Demo 7
Two Type of Web Apps ◉ Non-secured web apps ◉ Already secured web apps How to manage with App Manager ? 8
Secure Non-secured Web Apps Using App Manager ◉ Just publish the web app in App Manager 9
Already secured Web Apps through App Manager ◉ Need some modifications to be done on web App ◉ Could use JWT token or SAML response to identify the user inside web app 10
JWT and SAML Token Headers ◉ Ways of sending authenticated user details to the backend ◉ Web app could either process JWT (Json) header or SAML Response (XML) header to get user details 11
JWT/ SAML Response { "iss": "wso2.org/products/am", "exp": 1435218328463, "Subject": "beth@wso2.com", "http://wso2.org/claims/card_holder": "beth", "http://wso2.org/claims/card_number": "45678563456986", "http://wso2.org/claims/emailaddress": "beth@wso2.com", "http://wso2.org/claims/expiration_date": "2020-12-20", "http://wso2.org/claims/givenname": "Beth", "http://wso2.org/claims/lastname": "Carder", "http://wso2.org/claims/organization": "WSO2", "http://wso2.org/claims/role": "Internal/private_beth-AT-wso2. com,Internal/subscriber,Internal/store-admin, Internal/everyone,SALES", "http://wso2.org/claims/streetaddress": "Califonia", "http://wso2.org/claims/telephone": "877 309 2070", "http://wso2.org/claims/zipcode": "0789", "http://wso2.org/ffid": "34567" } 12
JWT/ SAML Response <?xml version="1.0" encoding="UTF-8"?> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://ec2-54-84-233-242.compute-1.amazonaws.com:8280/plan-trip/1.0.0/" ID=" aipcfpjgmlffcbhcdnapgkdncjdcjdbkalkmejpe" InResponseTo="0" IssueInstant="2015-06-25T07:30:28.203Z" Version="2.0"> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">appm</saml2:Issuer> <saml2p:Status> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </saml2p:Status> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="ifghfahaljakniomfjeelcknnpaopmjbagonchak" IssueInstant="2015-06-25T07:30:28.203Z" Version="2.0"> <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">appm</saml2:Issuer> <saml2:Subject> <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">beth@wso2.com</saml2:NameID> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2015-06-25T07:35:28.203Z" Recipient="http://ec2-54-84-233-242.compute-1.amazonaws. com:8280/plan-trip/1.0.0/"/> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions NotBefore="2015-06-25T07:30:28.203Z" NotOnOrAfter="2015-06-25T07:35:28.203Z"> <saml2:AudienceRestriction> <saml2:Audience>PlanYourTrip-1.0.0</saml2:Audience> </saml2:AudienceRestriction> </saml2:Conditions> <saml2:AuthnStatement AuthnInstant="2015-06-25T07:30:28.203Z" SessionIndex="550a41fc-ba6a-4dff-bc58-7ec11ed6d0d3"> <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> <saml2:AttributeStatement> <saml2:Attribute Name="http://wso2.org/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" >Internal/private_beth-AT-wso2.com,Internal/subscriber,Internal/store-admin,Internal/everyone,SALES</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> </saml2:Assertion> </saml2p:Response> 13
Sample Code Snippet to Identify User from JWT Header var header = request.getHeader("X-JWT-Assertion"); // Create Base64 Object var Base64 = require('../modules/base64.js'); if(header !=null){ var jwtAssertions = header.split("."); //JWT header by default contains three '.' separated sections var jsonString = Base64.decode(jwtAssertions[1]); jsonString = jsonString.replace("http://wso2.org/claims/emailaddress", "email"); jsonString = jsonString.replace("http://wso2.org/claims/role", "roles"); var obj = parse(jsonString); var email = obj.email; var roles = obj.roles; if (roles.indexOf("admin") != -1) { session.put("user",{"mail":email,"admin":true}); } else { session.put("user",{"mail":email,"admin":false}); } } var user = session.get("user"); if(user==null){ response.sendRedirect(baseAt+"/login.jag"); }else if(user.admin){ } 14
Federated Authentication for Web Apps 15
◉ Authentication : SAML2 SSO ◉ Authorization: ? 16
XACML : eXtensible Access Control Markup Language XACML Reference Architecture 17
How App Manager Enforce XACML Evaluation for Web Apps ? 18
XACML Policy Editor in App Manager 19
Demo 20
Summary ◉ How App Manager provides security (SSO) for Web Apps ◉ Non secured web apps ◉ Already secured web apps ◉ Federated Authentication for web apps using App Manager ◉ Fine grained authorization to web app resources using XACML 21
Contact us !

More Related Content

PPTX
Owasp web security
Pankaj Kumar Sharma
 
PPTX
Introduction to OAuth2
Sean Whitesell
 
PPTX
A10 - Unvalidated Redirects and Forwards
Shane Stanley
 
PPTX
2 fa it101
c_______101
 
PDF
Lessons Learned From Four Years of API Management Implementation Success at Unum
CA Technologies
 
PDF
Token, token... From SAML to OIDC
Shiu-Fun Poon
 
PDF
WSO2 App Manager: Managing Application Lifecycles Across Your Enterprise
WSO2
 
PDF
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
Profesia Srl, Lynx Group
 
Owasp web security
Pankaj Kumar Sharma
 
Introduction to OAuth2
Sean Whitesell
 
A10 - Unvalidated Redirects and Forwards
Shane Stanley
 
2 fa it101
c_______101
 
Lessons Learned From Four Years of API Management Implementation Success at Unum
CA Technologies
 
Token, token... From SAML to OIDC
Shiu-Fun Poon
 
WSO2 App Manager: Managing Application Lifecycles Across Your Enterprise
WSO2
 
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
Profesia Srl, Lynx Group
 

Similar to Securing the Unsecured: Using SSO and XACML to Protect Your Web Apps (20)

PPTX
Extended Security with WSO2 API Management Platform
WSO2
 
PDF
WSO2 App Manager - Product Overview
WSO2
 
PDF
JDD2015: Security in the era of modern applications and services - Bolesław D...
PROIDEA
 
PDF
SSO with the WSO2 Identity Server
WSO2
 
PDF
Sso with the wso2 identity server
sureshattanayake
 
PDF
API Security In Cloud Native Era
WSO2
 
PDF
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2
 
PPTX
WSO2Con USA 2017: Building a Secure Enterprise
WSO2
 
PPTX
WSO2Con 2025 - Building Secure Customer Experience Apps
WSO2
 
PDF
WSO2 Identity Server - Product Overview
WSO2
 
PDF
Leveraging federation capabilities of identity server for api gateway
Pushpalanka Jayawardhana
 
PPTX
Introduction to the WSO2 Identity Server &Contributing to an OS Project
Michael J Geiser
 
PDF
API Security Best Practices & Guidelines
Prabath Siriwardena
 
PDF
Security Patterns with WSO2 ESB
WSO2
 
PPTX
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
PPTX
Synergies across APIs and IAM
Sagara Gunathunga
 
PDF
[4developers2016] - Security in the era of modern applications and services (...
PROIDEA
 
PPTX
Solving Single-Sign-On
Aaron King
 
PDF
OpenSSO Tech Overview Aquarium
Eduardo Pelegri-Llopart
 
PDF
OAuth based reference architecture for API Management
WSO2
 
Extended Security with WSO2 API Management Platform
WSO2
 
WSO2 App Manager - Product Overview
WSO2
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
PROIDEA
 
SSO with the WSO2 Identity Server
WSO2
 
Sso with the wso2 identity server
sureshattanayake
 
API Security In Cloud Native Era
WSO2
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2
 
WSO2Con USA 2017: Building a Secure Enterprise
WSO2
 
WSO2Con 2025 - Building Secure Customer Experience Apps
WSO2
 
WSO2 Identity Server - Product Overview
WSO2
 
Leveraging federation capabilities of identity server for api gateway
Pushpalanka Jayawardhana
 
Introduction to the WSO2 Identity Server &Contributing to an OS Project
Michael J Geiser
 
API Security Best Practices & Guidelines
Prabath Siriwardena
 
Security Patterns with WSO2 ESB
WSO2
 
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
Synergies across APIs and IAM
Sagara Gunathunga
 
[4developers2016] - Security in the era of modern applications and services (...
PROIDEA
 
Solving Single-Sign-On
Aaron King
 
OpenSSO Tech Overview Aquarium
Eduardo Pelegri-Llopart
 
OAuth based reference architecture for API Management
WSO2
 
Ad

More from WSO2 (20)

PDF
Demystifying CMS-0057-F - Compliance Made Seamless with WSO2
WSO2
 
PDF
Quantum Threats Are Closer Than You Think – Act Now to Stay Secure
WSO2
 
PDF
Modern Platform Engineering with Choreo - The AI-Native Internal Developer Pl...
WSO2
 
PDF
Application Modernization with Choreo - The AI-Native Internal Developer Plat...
WSO2
 
PDF
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
WSO2
 
PDF
Platformless Modernization with Choreo.pdf
WSO2
 
PDF
Application Modernization with Choreo for the BFSI Sector
WSO2
 
PDF
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
WSO2
 
PDF
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
WSO2
 
PPTX
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2
 
PPTX
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2
 
PPTX
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
PPTX
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
PPTX
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2
 
PPTX
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2
 
PPTX
WSO2Con 2025 - Architecting Cloud-Native Applications
WSO2
 
PDF
Mastering Intelligent Digital Experiences with Platformless Modernization
WSO2
 
PDF
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
PDF
architecting-ai-in-the-enterprise-apis-and-applications.pdf
WSO2
 
PDF
Driving Innovation: Scania's API Revolution with WSO2
WSO2
 
Demystifying CMS-0057-F - Compliance Made Seamless with WSO2
WSO2
 
Quantum Threats Are Closer Than You Think – Act Now to Stay Secure
WSO2
 
Modern Platform Engineering with Choreo - The AI-Native Internal Developer Pl...
WSO2
 
Application Modernization with Choreo - The AI-Native Internal Developer Plat...
WSO2
 
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
WSO2
 
Platformless Modernization with Choreo.pdf
WSO2
 
Application Modernization with Choreo for the BFSI Sector
WSO2
 
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
WSO2
 
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
WSO2
 
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2
 
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2
 
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2
 
WSO2Con 2025 - Architecting Cloud-Native Applications
WSO2
 
Mastering Intelligent Digital Experiences with Platformless Modernization
WSO2
 
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
WSO2
 
Driving Innovation: Scania's API Revolution with WSO2
WSO2
 
Ad

Recently uploaded (20)

PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Teaching material agriculture food technology
LiaRayya
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
A Presentation on Artificial Intelligence
memembruh336
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 

Securing the Unsecured: Using SSO and XACML to Protect Your Web Apps

  • 1. Securing the Unsecured Using SSO and XACML to Protect Web Apps App Manager 1.0 .0 Dinusha Senanayaka WSO2 App Manager Team
  • 2. Why App Manager ? 2 100% Open Source, under Apache 2 License Policy-based Authorization Insights into App Subscriptions & Behaviors Single-Sign-On (SSO) across Web AppsUnified App Store Central App Management (web & mobile) Access Control based on Organizational User Roles Leverages on proven components of WSO2: - Analytics Platform - App Usage Statistics - Security offering - Authentication, Authorization, Federated Identity and SSO - Enterprise Store - App Provisioning & Management
  • 3. WSO2 App Manager Components 3
  • 4. Single Sign-On between Web Apps Pros for End User ◉ Do not have to memorize long list of passwords to access multiple applications Pros for Application developers ◉ Do not have to worry about implementing security for Web Apps ◉ Can focus only developing Application business logic Pros for Administrators ◉ Do not have to manage multiple user accounts for different applications 4
  • 5. SAML2 Web Browser based SSO Profile 5
  • 8. Two Type of Web Apps ◉ Non-secured web apps ◉ Already secured web apps How to manage with App Manager ? 8
  • 9. Secure Non-secured Web Apps Using App Manager ◉ Just publish the web app in App Manager 9
  • 10. Already secured Web Apps through App Manager ◉ Need some modifications to be done on web App ◉ Could use JWT token or SAML response to identify the user inside web app 10
  • 11. JWT and SAML Token Headers ◉ Ways of sending authenticated user details to the backend ◉ Web app could either process JWT (Json) header or SAML Response (XML) header to get user details 11
  • 12. JWT/ SAML Response { "iss": "wso2.org/products/am", "exp": 1435218328463, "Subject": "beth@wso2.com", "http://wso2.org/claims/card_holder": "beth", "http://wso2.org/claims/card_number": "45678563456986", "http://wso2.org/claims/emailaddress": "beth@wso2.com", "http://wso2.org/claims/expiration_date": "2020-12-20", "http://wso2.org/claims/givenname": "Beth", "http://wso2.org/claims/lastname": "Carder", "http://wso2.org/claims/organization": "WSO2", "http://wso2.org/claims/role": "Internal/private_beth-AT-wso2. com,Internal/subscriber,Internal/store-admin, Internal/everyone,SALES", "http://wso2.org/claims/streetaddress": "Califonia", "http://wso2.org/claims/telephone": "877 309 2070", "http://wso2.org/claims/zipcode": "0789", "http://wso2.org/ffid": "34567" } 12
  • 13. JWT/ SAML Response <?xml version="1.0" encoding="UTF-8"?> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://ec2-54-84-233-242.compute-1.amazonaws.com:8280/plan-trip/1.0.0/" ID=" aipcfpjgmlffcbhcdnapgkdncjdcjdbkalkmejpe" InResponseTo="0" IssueInstant="2015-06-25T07:30:28.203Z" Version="2.0"> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">appm</saml2:Issuer> <saml2p:Status> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </saml2p:Status> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="ifghfahaljakniomfjeelcknnpaopmjbagonchak" IssueInstant="2015-06-25T07:30:28.203Z" Version="2.0"> <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">appm</saml2:Issuer> <saml2:Subject> <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">beth@wso2.com</saml2:NameID> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2015-06-25T07:35:28.203Z" Recipient="http://ec2-54-84-233-242.compute-1.amazonaws. com:8280/plan-trip/1.0.0/"/> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions NotBefore="2015-06-25T07:30:28.203Z" NotOnOrAfter="2015-06-25T07:35:28.203Z"> <saml2:AudienceRestriction> <saml2:Audience>PlanYourTrip-1.0.0</saml2:Audience> </saml2:AudienceRestriction> </saml2:Conditions> <saml2:AuthnStatement AuthnInstant="2015-06-25T07:30:28.203Z" SessionIndex="550a41fc-ba6a-4dff-bc58-7ec11ed6d0d3"> <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> <saml2:AttributeStatement> <saml2:Attribute Name="http://wso2.org/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" >Internal/private_beth-AT-wso2.com,Internal/subscriber,Internal/store-admin,Internal/everyone,SALES</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> </saml2:Assertion> </saml2p:Response> 13
  • 14. Sample Code Snippet to Identify User from JWT Header var header = request.getHeader("X-JWT-Assertion"); // Create Base64 Object var Base64 = require('../modules/base64.js'); if(header !=null){ var jwtAssertions = header.split("."); //JWT header by default contains three '.' separated sections var jsonString = Base64.decode(jwtAssertions[1]); jsonString = jsonString.replace("http://wso2.org/claims/emailaddress", "email"); jsonString = jsonString.replace("http://wso2.org/claims/role", "roles"); var obj = parse(jsonString); var email = obj.email; var roles = obj.roles; if (roles.indexOf("admin") != -1) { session.put("user",{"mail":email,"admin":true}); } else { session.put("user",{"mail":email,"admin":false}); } } var user = session.get("user"); if(user==null){ response.sendRedirect(baseAt+"/login.jag"); }else if(user.admin){ } 14
  • 16. ◉ Authentication : SAML2 SSO ◉ Authorization: ? 16
  • 17. XACML : eXtensible Access Control Markup Language XACML Reference Architecture 17
  • 18. How App Manager Enforce XACML Evaluation for Web Apps ? 18
  • 19. XACML Policy Editor in App Manager 19
  • 21. Summary ◉ How App Manager provides security (SSO) for Web Apps ◉ Non secured web apps ◉ Already secured web apps ◉ Federated Authentication for web apps using App Manager ◉ Fine grained authorization to web app resources using XACML 21