We 7531 Course
We 7531 Course
cover
Front cover
Course Guide
AAA, OAuth, and OIDC in IBM DataPower
V7.5
Course code WE753 / ZE753 ERC 1.0
April 2017 edition
Notices
This information was developed for products and services offered in the US.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer
of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other
claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those
products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to
actual people or business enterprises is entirely coincidental.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
© Copyright International Business Machines Corporation 2017.
This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
V11.0
Contents
TOC
Contents
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Agenda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
TMK
Trademarks
The reader should recognize that the following terms, which appear in the content of this training
document, are official trademarks of IBM or other companies:
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide.
The following are trademarks of International Business Machines Corporation, registered in many
jurisdictions worldwide:
DataPower® DB™ Domino®
Lotus® Rational® Tivoli®
WebSphere®
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of
Oracle and/or its affiliates.
VMware and the VMware "boxes" logo and design, Virtual SMP and VMotion are registered
trademarks or trademarks (the "Marks") of VMware, Inc. in the United States and/or other
jurisdictions.
Social® is a trademark or registered trademark of TWC Product and Technology, LLC, an IBM
Company.
Other product and service names might be trademarks of IBM or other companies.
pref
Course description
AAA, OAuth, and OIDC in IBM DataPower V7.5
Duration: 1 day
Purpose
This course teaches you the developer skills that are required to configure and implement
authentication and authorization support within your IBM DataPower Gateway V7.5 services.
A common requirement for DataPower services is to authenticate the sender of a message, and
authorize that sender to request the message’s behavior. The AAA action within DataPower
provides the basics of the “authenticate, authorize, and audit” support.
OAuth is an authorization framework that defines a way for a client application to access server
resources on behalf of another party. It provides a way for the user to authorize a third party to their
server resources without sharing their credentials. DataPower supports OAuth specifications and
protocols, and can provide an OAuth web token service.
OpenID Connect (OIDC) is an authentication layer that runs on top of an OAuth 2.0 authorization
framework. DataPower can operate as an OIDC client.
In this course, you learn how to use the configuration options and processing actions to add the
AAA support to a service, implement an OAuth 2.0 scenario, and add OIDC support.
Hands-on exercises give you experience working directly with an IBM DataPower gateway. The
exercises focus on skills such as configuring a AAA action, configuring a web token service, and
creating an OIDC client.
Audience
This course is designed for integration developers who configure service policies on IBM
DataPower Gateways.
Prerequisites
Before taking this course, you should successfully complete course Essentials of Service
Development for IBM DataPower Gateway V7.5 (WE751G) or Essentials of Service Development
for IBM DataPower Gateway V7.5 (ZE751G). You should also be familiar with AAA, OAuth 2.0, and
OIDC concepts.
Objectives
• Describe the AAA framework within the IBM DataPower Gateway
• Explain the purpose of each step in an access control policy
pref • Configure a AAA action to enforce authentication and authorization policies that are in a AAA
information file and in an LDAP server
• Describe the OAuth 2.0 framework
• Explain the role that a DataPower gateway performs in an OAuth 2.0 framework
• Configure the DataPower objects that are used for OAuth 2.0 interactions
• Define Social Login
• Describe how to configure Social Login in DataPower
• Configure an OIDC client
pref
Agenda
Note
The following unit and exercise durations are estimates, and might not reflect every class
experience.
Day 1
(00:15) Course introduction
(01:00) Unit 1. Authentication, authorization, and auditing (AAA)
(00:45) Exercise 1. Configuring authentication and authorization in a service
(00:45) Unit 2. OAuth overview and DataPower implementation
(01:30) Exercise 2. Defining a three-legged OAuth scenario that uses DataPower services
(00:45) Unit 3. Social Login support in DataPower
(01:00) Exercise 3. Implementing an OIDC client
(00:15) Unit 4. Course summary
Uempty
Overview
This unit describes the authentication, authorization, and auditing (AAA) framework within the IBM
DataPower Gateway. These three facets of security both monitor and restrict access to resources.
References
IBM DataPower Gateway Knowledge Center:
http://www.ibm.com/support/knowledgecenter/SS9H2Y_7.5.0
Uempty
Instructions
Uempty
Unit objectives
• Describe the AAA framework within the DataPower Gateway
• Explain the purpose of each step in an access control policy
• Authenticate and authorize requests with:
ƒ WS-Security Username and binary security tokens
ƒ HTTP Authorization header claims
ƒ Security Assertion Markup Language (SAML) assertions
Uempty
Authentication always precedes authorization. A policy cannot decide whether a request proceeds
if it does not know the identity of the requester. For example, a security guard first determines
whether someone is an employee of the company. After this step, the guard determines whether
that employee has access to the building. Together, authentication and authorization restrict access
to resources.
Although auditing does not directly protect resources against unauthorized access, this third
process has an important role in securing resources. A record of successful and unsuccessful
access attempts allows the security infrastructure to detect suspicious activity in the system.
Historical logs also enforce nonrepudiation; clients cannot deny accessing the system in the past.
In literature these three steps are commonly known as “AAA,” which is pronounced “triple A.”
Uempty
AAA framework
Extract Map
Authenticate
identity credentials
SAML
WS-Security
SSL client certificate
HTTP basic
authentication
The AAA action combines three security processes into a single stylesheet transform. In the first
step, the stylesheet extracts the identity token from the message. To verify the claims that the token
makes, the stylesheet either authenticates the token against an on-board policy or queries an
external access control server. As soon as the client identity is confirmed, the stylesheet maps the
client credentials to one of the users or groups that the service defines.
In the second step, the stylesheet extracts the requested resource from the message. For web
services, a resource represents a service or service operation. If the requested resource is an alias
for one or more back-end resources, the stylesheet maps the alias to the actual resource names as
well.
When the stylesheet determines the requested back-end resource and confirms the client identity, it
decides whether the client has permission to access the requested resource. In other words, the
stylesheet authorizes access to a back-end resource.
The final step is auditing and accounting. The stylesheet records any access attempts, successful
or unsuccessful, for monitoring and nonrepudiation. The stylesheet can also do postprocessing
steps, such as generating various tokens for the outgoing message. A custom stylesheet can also
be specified.
The various tokens that can be generated are:
Uempty
• SAML assertion
• WS-Security Kerberos AP-REQ
• WS-Security user name
• LTPA
• Kerberos SPNEGO
• ICRX
• JSON web token (JWT)
Uempty
Uempty
3. Map authentication
credentials (optional) Identity Identity
The access control policy steps relate directly to the processing stages within the AAA framework.
In the first step, the policy defines how the framework retrieves information about the client identity.
The framework can treat the requested URL, the client IP address, the HTTP header, or any part of
the message, as a client identifier. When it is extracted, the second step describes how to verify the
claimed identity that is stored in the message. If the authorization method (which is described on
the next slide) expects a different client identifier, the policy can apply a custom stylesheet to
convert the authentication credentials.
The authentication credential mapping step is optional.
The colors and shapes of the identity token uniquely represent different security token types.
Uempty
Resource
7. Specify postprocessing
actions (optional)
Token
Token
XML
Authentication, authorization, and auditing (AAA) © Copyright IBM Corporation 2017
If the authentication step succeeds, the policy determines the resources that the client requests
before making a final decision on whether to authorize access. An optional mapping step matches
the resource request with a type expected by the authorization method.
When authentication and authorization succeed, monitoring and postprocessing steps can take
place. The monitoring step records whether the access control policy as a whole succeeds or fails.
Such information can be used for auditing purposes. Unlike the monitoring step, post processing
occurs only if the policy authorizes the resource request.
The postprocessing step can add more security tokens such as a SAML assertion, WS-Security
Username token, LTPA token, Kerberos SPNEGO token, and a JSON web token (JWT).
Uempty
3 Map credentials
4 Extract resource
Map resource
5
6 Allow Deny
Authorize
The numbers correspond to the access control policy steps detailed on the previous two slides.
Keep in mind that the output message is returned to the processing rule, not back to the actual
client itself. Similarly, an On Error action or an error rule suppresses or handles errors that are
generated from a AAA action.
The only part of the postprocessing step that occurs when authorization fails is the incrementing of
the authorization failures counter (if one exists).
Within the postprocessing step, monitors track the requests.
Uempty
In this scenario, the client includes a WS-Security user name token with a password or password
digest as a proof of identity. As a good practice, clients send plain text tokens, such as the
WS-Security user name token, within a secure channel, such as an SSL connection.
The access control policy on the DataPower gateway verifies the user name and password against
a built-in user list. It assumes that all authenticated users have full access to any resource
protected by the policy.
Uempty
The WS-Security user name token provides a basic method to transport user credentials to a web
service. The password field can be in plain text, or the Secure Hash Algorithm (SHA1) can hash it.
Because SHA1 is a well-known algorithm, a hashed password provides a minimal level of security
by obfuscating the password. Messages with these identity credentials are sent only over a secure
connection.
For the sake of brevity, the URI for the wsse namespace declaration is truncated. For the URI, see
the WS-Security V1.1 specification.
Within the SOAP body, the child element describes the requested web service operation. In effect,
this element identifies the resource that is requested in this call.
Two elements are highlighted in dark blue: the WS-Security header and the retrieveAll web
service operation call.
Uempty
Uempty
• Subject DN from certificate in message signature
• Token extracted from message
• Token extracted as cookie value
• LTPA token
• Processing metadata
• JWT
• Custom processing
• HTML forms-based authentication
• Redirect to a social login provider
• OAuth
The choices for authentication method are:
• Accept LTPA token
• Accept SAML assertion with valid signature
• Bind to LDAP server
• Contact CA Single Sign-On (formerly Netegrity SiteMinder)
• Contact ClearTrust server
• Contact IBM Security Access Manager
• Contact NSS for SAF authentication
• Contact SAML server for SAML Authentication statement
• Contact WS-Trust server for WS-Trust token
• Custom template
• Pass identity token to authorization phase
• Retrieve SAML assertions that corresponds to SAML Browser Artifact
• Use AAA information file
• Use certificate from BinarySecurityToken
• Use established WS-SecureConversation security context
• Use RADIUS server
• Use verified JWT, access token, or ID token
• Validate Kerberos AP-REQ for server principal
• Validate signer certificate for digitally signed message
• Validate SSL certificate from connection peer
Uempty
Uempty
• Use XACML Authorization decision
Uempty
HTTP BASIC-AUTH is the basic authentication scheme. See the following slide for an example of
an HTTP request message with a basic authentication header.
Uempty
In this scenario, the HTTP authorization header field is used for authentication. Remember that the
client encoded the user name and password in Base64. This encoding method is known, hence,
the client uses an SSL connection to keep the contents of this message private.
Base64 is a binary-to-text encoding scheme by printable (mostly alphanumeric) characters. As an
MIME content transfer encoding, it is used to encode binary data into email messages.
In the HTTP basic authentication scheme, the user name and password are concatenated with a
colon (:) before it is encoded by Base64. For example, the user name “Alice” and the password
“ond3mand” become “Alice:ond3mand”. In Base64 encoding, the user name and password string is
“QWxpY2U6b25kM21hbmQ=”
Uempty
Uempty
The Run Custom Post Processing setting applies a custom stylesheet or GatewayScript to the
outgoing request message. This setting does not require enablement for a built-in postprocessing
step, such as adding a WS-Security user name token.
The added WS-Security Username token for a username of “student”, a password of
“web1sphere”, and a password type of “Text” is:
<wsse:UsernameToken>
<wsse:Username>student</wsse:Username>
<wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profi
le-1.0#PasswordText">web1sphere</wsse:Password>
<wsse:Nonce
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message
-security-1.0#Base64Binary">N2FmMzg3OTEtZDI4OS00MzkzLThmYWUtNzM3MzhkYmRmM2Zh</wsse
:Nonce>
<wsu:Created
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-util
ity-1.0.xsd"
>2015-03-24T21:16:44Z</wsu:Created>
</wsse:UsernameToken>
Uempty
The same token, with a password type of “Digest” is:
<wsse:UsernameToken>
<wsse:Username>student</wsse:Username>
<wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profi
le-1.0#PasswordDigest">JDqa4I7DaWicLrj+ykiSBQT0MFc=</wsse:Password>
<wsse:Nonce
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message
-security-1.0#Base64Binary">YzVhNmQ3OTctZmE5Mi00NjdhLWFiYmYtZDUyNDVmNmRjNTEw</wsse
:Nonce>
<wsu:Created
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-util
ity-1.0.xsd"
>2015-03-24T21:25:12Z</wsu:Created>
</wsse:UsernameToken>
In both cases, the optional <Nonce> and <Created> elements are specified. These elements and
the password can be used to protect against replay attacks.
Uempty
For identity extraction methods, the policy runs all checked methods. The system runs the methods
in the order that is presented in the check box list. Afterward, the system concatenates all identities
that are found for authentication. This scheme allows different clients to use different identification
methods.
However, if a client includes more than one identifier in the message, both identifiers must pass the
authentication stage.
Choosing more than one identity extraction method allows an access control policy to support
different credentials from different clients. In this example, some clients support XML signatures,
but not WS-Security. Other clients support the WS-Security standard. The former adds an XML
signature block directly into the SOAP header, while the latter adds a binary security token within a
WS-Security header.
Uempty
The Bind to LDAP server choice causes the page to redisplay with the LDAP options on the lower
part of the page. The lower part is shown on the next slide.
Uempty
2
3. Use the LDAP Search Attribute fields to
verify the password digest from a WS-Security
Username Token 3
If Bind to LDAP server is selected, the page repaints to display entry fields for the LDAP details.
The targeted LDAP server can be a load balancer group that is composed of multiple LDAP
servers.
The DataPower to LDAP server connection is usually over an SSL connection. For example, when
you specify an SSL Type of “Client Profile”, the following field asks for the SSL Client Profile
object.
The LDAP Bind Password Alias identifies an object that contains the text of the password. Hence,
the configuration of the LDAP server connection does not directly expose the Bind password.
Uempty
Uempty
Validation
AAAInfo.xml LTPA credential
Client Server
Uempty
Uempty
<aaa:AAAInfo xmlns:aaa="http://www.datapower.com/AAAInfo">
<aaa:FormatVersion>1</aaa:FormatVersion>
<aaa:Filename>local:///AddressInfo.xml</aaa:Filename>
<aaa:Summary>
AAA file to validate credentials for Address users
</aaa:Summary>
<aaa:Authenticate>
<aaa:Username>AddressAdmin</aaa:Username>
<aaa:Password>password</aaa:Password>
<aaa:OutputCredential>
AddressUser
</aaa:OutputCredential>
</aaa:Authenticate>
</aaa:AAAInfo>
The Authenticate step uses this AAA XML file to validate the extracted identity. The incoming
identity has a user name of AddressAdmin and password of password.
After the Authenticate step, AddressUser is returned as the output credential.
Uempty
For more information, see the article WS-Policy security integration between DataPower and
WebSphere Application Server, which includes a section on using the LTPA token:
http://www.ibm.com/developerworks/websphere/library/techarticles/0911_rasmussen/0911_rasmus
sen.html.
Also, see the LTPA section of the Knowledge Center:
https://www.ibm.com/support/knowledgecenter/SS9H2Y_7.5.0/com.ibm.dp.doc/ltpa_introduction.ht
ml.
Uempty
Uempty
Uempty
Federated security systems require an interoperable way of sending security information from one
system to another. The Security Assertion Markup Language (SAML) is designed specifically for
this purpose. It is analogous to how the SOAP specification defines a messaging model for
transferring information between web service clients and servers.
SAML allows clients or intermediaries to embed claims, or assertions, into the message. One
common use for assertions is single sign-on: after a security server authenticates a client, a SAML
authentication statement is tagged to the client request. Subsequent systems that process the
request need only to trust the assertion instead of authenticating the client again.
SAML does not create another language for writing authentication or authorization tokens. Its
assertions are self-describing wrappers around any token type. This concept is similar to how the
web services security standard describes a uniform method for storing binary security tokens in a
SOAP message. The actual binary security token is an implementation detail beyond these
specifications.
SAML does not require storage within a WS-Security header. It is possible to have a SAML
assertion directly on the SOAP header. SAML V1.1 defines how assertions look within a
WS-Security header.
Uempty
In plain terms, here are some typical statements that the three types of SAML assertions make:
• Authentication statement: “I am Bob Smith.”
• Attribute statement: “Bob Smith is a payroll manager.”
• Authorization decision statement: “Payroll managers can run the Payroll Update web service.”
These assertions avoid repeating the same checks on the same message as it passes through
different systems. In addition, assertion statements delegate the authentication and authorization
task to a separate server.
The last point describes the HTTP binding for SAML. Remember that SAML is not only used for
web services. For example, a web application server might want to verify a SAML assertion in a
single sign-on (SSO) scenario. Without even examining the HTTP request message, the server
extracts and dereferences a SAML assertion from the URL query string.
The common practice is to embed a SAML assertion inside a SOAP header. However, the IBM
DataPower gateway can also dereference browser artifacts that point to a SAML assertion that is
kept on a remote server.
Uempty
In this example, the request message contains a SAML authentication statement and a SAML
attribute statement. The authentication statement claims that the current requester is verified during
a previous processing step. The access control policy accepts this claim if and only if the digital
signature that was used to sign the claim is valid.
An application-specific SAML attribute describes the resource that the client requests. The policy
authorizes the request if the current requester is an authorized user.
Uempty
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
AssertionID="IDd600a593-4e13-44d9-829a-3055600c46ca"
IssueInstant="2006-07-28T18:51:02Z"
Issuer=http://training.ibm.com/security/
MajorVersion="1" MinorVersion="1">
<saml:Conditions NotBefore="2006-07-28T18:51:02Z"
NotOnOrAfter="2006-07-28T18:54:02Z"/>
<saml:AuthenticationStatement
AuthenticationInstant="2006-07-28T18:51:02Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
<saml:Subject>
<saml:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="http://address.training.ibm.com">
admin
</saml:NameIdentifier>
This example is a SAML assertion that is generated in the post-processing step of an access
control policy.
The Conditions element defines a window of time in which this statement is valid. This time limit
reduces the likelihood of a replay attack.
Within the AuthenticationStatement, the Subject element describes the identity of the client
through a NameIdentifier element.
This statement is a SAML V1.1 authentication statement. The syntax for a SAML V2.0
authentication statement is different from this structure. IBM DataPower supports all of SAML V1.0,
V1.1, and V2.0 statements.
Uempty
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:SubjectLocality IPAddress="127.0.0.1"/>
</saml:AuthenticationStatement>
</saml:Assertion>
The SubjectConfirmation element describes which party backs up the claim. In this example,
the message sender vouches for the validity of this claim.
It is a good practice to sign SAML assertions digitally to maintain the integrity of the claim.
Uempty
Uempty
<saml:Attribute
AttributeName="EastAddressSearch"
AttributeNamespace="http://address.training.ibm.com">
<saml:AttributeValue>
Query
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
The Attribute element describes application-specific information. For example, a SAML attribute
element can encapsulate fields from an LDAP directory entry. The system can use this additional
information about the subject to make an authorization decision.
Again, it is a good practice to sign SAML assertions digitally to maintain the integrity of the claim.
Uempty
To verify the signature of the SAML assertion, the access control policy needs the validation
credential. If the validation credentials field is blank, then the certificate is not validated. In either
case, the signature is verified.
Uempty
When authorizing requests based on SAML attributes, you must specify one or more expected
attributes in a separate page. The following slide describes how to enter in the list of expected
SAML attributes.
Uempty
Uempty
• Authentication methods:
ƒ Accept a SAML assertion with a valid signature
ƒ Retrieve SAML assertions corresponding to a SAML browser artifact
ƒ Contact a SAML server for a SAML authentication statement
• Authorization methods:
ƒ Generate a SAML authorization query
ƒ Generate a SAML attribute query
• Postprocessing:
ƒ Generate a SAML V1.0, V1.1, or V2.0 assertion
In addition to the previously covered scenarios, an access control policy can parse any token type
and make a SAML authorization or attribute query to an external server. To avoid repeating security
checks, the policy can generate a SAML assertion during the post processing stage.
Uempty
Unit summary
• Describe the AAA framework within the DataPower Gateway
• Explain the purpose of each step in an access control policy
• Authenticate and authorize requests with:
ƒ WS-Security Username and binary security tokens
ƒ HTTP Authorization header claims
ƒ Security Assertion Markup Language (SAML) assertions
Uempty
Review questions
1. True or False: To authenticate a client without using an
external access control resource, you can compare the
client’s credentials against a custom DataPower AAA
information file or validate the digital signature that is used to
sign the credential.
2.
3.
Uempty
Review answers
1. True or False: To authenticate a client without using an
external access control resource, you can compare the
client’s credentials against a custom DataPower AAA information
file or validate the digital signature that is used to sign the credential.
The answer is True.
2. True or False: If the Authenticate step fails, the Extract Resource
step is not attempted.
The answer is False. Even if the Authenticate step fails, the Extract
Resource step occurs. In fact, although the authentication might fail,
the Authorize step always occurs because all requests might be
allowed.
3. True or False: The postprocessing step in an access control policy
adds more information to the outgoing request message or
transforms the message itself.
The answer is True. Extra tokens such as a SAML assertion or LTPA
token can be added to the original message. The postprocessing
step also supports using a stylesheet or GatewayScript for further
processing of the message.
Authentication, authorization, and auditing (AAA) © Copyright IBM Corporation 2017
Uempty
Exercise: Configuring
authentication and
authorization in a service
Uempty
Exercise objectives
• Configure a AAA action to enforce authentication and
authorization policies that are in a AAA information file
• Configure a AAA action to enforce authentication and
authorization policies that are in an LDAP server
Uempty
Overview
This unit introduces the OAuth 2.0 framework and its DataPower implementation.
References
IBM DataPower Gateway Knowledge Center:
http://www.ibm.com/support/knowledgecenter/SS9H2Y_7.5.0
Uempty
Unit objectives
• Describe the OAuth framework
• Describe why OAuth is useful in security scenarios
• Describe the OAuth three-legged scenario
• Explain the role that a DataPower gateway performs in an OAuth
framework
• Describe the OAuth configuration options on DataPower: the web
token service, the AAA action, the OAuth client profile, and the OAuth
client group
Uempty
What is OAuth?
• OAuth defines a way for a client to access server resources on behalf
of another party
• It provides a way for the user to authorize a third party to their server
resources without sharing their credentials
The OAuth specification solves a specific problem: how to delegate access rights to a third-party
client that is working on behalf of the user. Before OAuth, third-party applications asked and stored
the user’s user name and password within the application. This process is risky because the server
cannot distinguish between the user and the third-party application. One analogy in the real world is
to hand over your house keys to a cleaning service. You must have a high degree of trust in the
client to give them complete access to your home.
With OAuth, the client does not use your credentials. Instead, an authorization service gives a
temporary pass to the client, so it can perform a limited set of tasks in a fixed time period. As the
user, you can tell the authorization service to revoke the temporary pass at any time.
Although OAuth is more complicated than handing over your credentials to the client, it is a safer
mechanism that gives the user control over the third-party client’s actions.
Uempty
• The valet can use your car with this key, with some restrictions:
ƒ Speed restriction
ƒ Distance restriction
ƒ Cannot alter some car functions, such as radio stations
ƒ Cannot open car storage areas
• When you allow the valet to borrow the valet key, you delegate access
to certain features of the car to a third party.
When you purchase a car, you receive a main key and a valet key.
The valet can use your car with this key, with some restrictions. The car cannot exceed a certain
speed. The car might not be able to travel as far as with the regular key. The valet cannot change
the radio station settings. The valet cannot open car storage areas.
When you allow the valet to borrow the valet key, you delegate access to certain features of the car
to a third party.
Uempty
1 2
Whenever you sign up for a web-based application or a mobile application, you create an account
on the server with a user name and password. The process becomes tedious for the user when
they sign up for dozens of applications.
Social networks, such as Facebook and Twitter, already link your identity to a user account.
Therefore, many applications use your social network account to create an account.
There are three players in this scenario. You as the user; the third-party application as a client; and
the social network as a web-based service. You want the third-party application to access some
(but not all) of your information from the service. That is, you want the client to act on your behalf to
access resources on the service.
In this example, the third-party application, the Print Shoppe, wants to access your online photo
album from your social network account. The application opens a new page from the social network
site. After you log in to the social network, the social network service grants an authorization token
to the application. At no time does the third-party application see your user name or password on
the social network.
Uempty
Alice is the owner of an online photo The Print Shoppe, a third-party client
album. As a resource owner, Alice application, wants to access Alice's
declares which applications can access photos from an online service.
her online photo album.
Take a closer look at the three actors in the OAuth scenario. Alice is the owner of an online photo
album. As the user, Alice wants to print her photos with a third-party photo printing service. The
Print Shoppe is a third-party client application that wants to access Alice's photos from the online
service. Last, the social network is a service that securely stores Alice's photos. This service also
manages access to the photos from Alice and third-party applications that act on Alice's behalf.
Uempty
Request access
Grant access to
with user
resources
credentials
Access granted
Without OAuth, the user must give their user name and password to the third-party application. In
turn, the third-party application sends these credentials while posing as the user. For convenience's
sake, the application saves a copy of the user name and password.
There are several issues with this scenario. First, the service cannot distinguish between the owner
of the resource, and the third-party application. To the service, it is the same user that is accessing
the application. This practice is not safe; the user does not know what the application reads or
modifies on the service. Second, there is no simple way to revoke access for one particular
third-party application. The user must reset their password, which breaks access from all third-party
applications.
Uempty
In this scenario, Alice is the owner of a photo album that is hosted on an online photo service. Alice
wants to print a set of photos with a photo printing service. Alice is the resource owner, and the
photo printing service is a third-party OAuth client application. Alice starts the process when she
selects the "print from my photo album" option in the third-party application.
Uempty
In the second step, the third-party application requires the resource owner's authorization before it
can access her online photo album. Instead of asking Alice directly for her user credentials, the
third-party client application redirects Alice's request to an authorization server.
Uempty
Authorization server
In the third step, the authorization server asks for Alice's user credentials to verify her identity.
Uempty
Authorization server
Figure 2-10. OAuth Step 4: Ask resource owner to grant access to resources
The authorization server returns a web form to ask Alice whether she grants the OAuth client
access to her resources.
Notice that the ID and password interaction is between the authorization server and the resource
owner. The OAuth client never sees that information.
Uempty
Authorization server
Figure 2-11. OAuth Step 5: Resource owner grants client access to resources
The resource owner, Alice, submits the web form to allow or deny access to her resources.
Uempty
Authorization server
Figure 2-12. OAuth Step 6: Authorization server sends authorization grant code to client
The authorization server never transmits the resource owner's user name and password to the
OAuth client. Instead, the server sends an authorization grant code: a code that specifies that the
resource owner has authenticated to the authorization server and has granted access.
Uempty
Authorization server
Figure 2-13. OAuth Step 7: Client requests access token from authorization server
The OAuth client sends three pieces of information to the authorization server: the authorization
grant code, the client ID, and the client secret or client certificate. If the OAuth client is a public
client, then it does not send the client secret or certificate.
Uempty
Authorization server
Figure 2-14. OAuth Step 8: Authorization server sends authorization token to client
Optionally, the authorization server can also return a refresh token. After the current access token
expires, the OAuth client sends the refresh token to the authorization server to request another
access token.
Uempty
Authorization server
Figure 2-15. OAuth Step 9: OAuth client sends access token to resource server
It is possible that the authorization server and the resource server are the same server.
Uempty
Authorization server
Figure 2-16. OAuth Step 10: Resource server grants access to OAuth client
Optionally, the authorization server can also return a refresh token. After the current access token
expires, the OAuth client sends the refresh token to the authorization server to request another
access token.
Uempty
These items are the role definitions that are directly from the specification.
Uempty
Resource owner
Although some implementations of OAuth combine the roles into what appears to be a single
“server,” the roles and protocols are still the same.
Uempty
These names are the OAuth roles as they can be implemented in a DataPower environment.
DataPower does separate the authorization server function from the resource server function,
contrary to many online systems that perform the two functions within the same system.
A web token service is defined as an authorization server and a token endpoint. The authorization
behavior is as you expect. The token endpoint refers to the service’s ability to supply an access
token back to the client.
Uempty
Resource server
MPGW
OAuth client
Resource application
Client code
in web server MPGW
The resource server is also considered as the enforcement point (EP) of the secured access to the
actual back-end application.
The resource application can be another service on the appliance, or an application service that is
running on a server in the trusted domain.
DataPower also supports scenarios where the authorization server is not a DataPower service
while the resource server is on DataPower, and the reverse situation.
Tivoli Federated Identity Manager also provides an OAuth authorization server implementation. A
DataPower-based resource server can interact with the Tivoli Federated Identity Manager-based
authorization server. The DataPower resource server sends a WS-Trust request to Tivoli Federated
Identity Manager to have the access token validated.
Uempty
OAuth client
Resource server
Client code in
web server MPGW
1. The OAuth 2.0 specification does not specify how the access token is formed or validated.
DataPower defines its own implementation of the token format and validation, so both the web
token service and the resource server use the same implementation.
2. The required parameters for the actual OAuth client are defined in an OAuth client profile object
that the web token service and the resource server can access.
Uempty
OAuth client
Resource server
Client code in
web server MPGW
This diagram is a sample flow of the grant type of authorization code. There are more grant types:
implicit, resource owner password credentials, and client credentials. For more information, see the
specification.
The user requests the resource from the client.
Uempty
OAuth client
Resource server
Client code in
web server MPGW
Uempty
3. Client returns
resource to user
Uempty
Authorization request
The OAuth client issues a request for an authorization grant from the
authorization server, on behalf of the user
The following parameters are sent as part of the URI string:
• response_type: A value of “code” identifies it as a request for an authorization
grant
• client_id: The client identifier of the initiating OAuth client
This parameter is the client identifier that the authorization server knows each particular
OAuth client by
• redirect_uri: A URL that refers to the OAuth client “entry point”
The authorization server uses this URL for an HTTP redirection on the response
• scope: The scope of the access request
• state: A value that the OAuth client can use to maintain state between the request
and the callback
The authorization server includes this value when redirecting the user agent (browser) back
to the client
The parameter should be used for preventing cross-site request forgery
An example request from the lab exercise, from the OAuth client to the web token service:
https://172.16.78.12:7990/authz?response_type=code&client_id=FindBagOAuthClient&redirect_uri
=http://172.16.80.23:4000/redirect&state=09e8fc0d1d2d&scope=findBag&name=1986
Uempty
Authorization response
The authorization server responds with an authorization grant code to
the OAuth client, by using an HTTP redirection to the user’s browser
(user agent)
The parameters:
• code: The authorization code that the authorization server generates
The authorization code must expire shortly after it is issued to mitigate the
risk of leaks, and the client must not reuse it
• state: The “state” parameter that was present in the client
authorization request
The parameters are returned in the URI string as part of the Location
header in the redirection
Uempty
The client ID and the client secret can be sent in an HTTP Basic Authorization header. DataPower
uses this approach.
Uempty
The parameters:
• access_token: The access token that the authorization server
generates
• token_type: The type of the token
• expires_in: The lifetime in seconds of the access token
• refresh_token: (optional) The refresh token, which can be used to
obtain new access tokens by using the same authorization grant code
• scope: The scope of the request
Uempty
Resource request
• The OAuth client sends the request to the resource server, and
includes the access token
• The specification does not explicitly indicate the parameters on the call,
but it does indicate what must happen:
ƒ The resource server must validate the access token
ƒ The resource server must ensure that the token is not expired
ƒ The resource server must validate that the token scope covers the requested
resource
• The methods that the resource server uses to validate the access token
are beyond the scope of the specification. But they generally involve an
interaction or coordination between the resource server and the
authorization server.
Uempty
• The AAA policies in the web token service and the resource server use
the OAuth client profile to get details on a client that accesses the
services:
ƒ Client ID, client credentials, Web token service
redirection URLs Authorization server/
ƒ Stylesheets for more processing Token endpoint
Resource server
OAuth client
MPGW
Client code in web server
Figure 2-30. OAuth client and the OAuth Client Profile object
Uempty
With the customized OAuth option, you can write your own OAuth client behavior in a stylesheet.
There are multiple options for OAuth 2.0 authorization grant types:
• With the authorization code, the authorization server sends back a custom redirect URI and an
authorization code after it authenticates the resource owner. The authorization code prevents
replay attacks. The client application opens the redirect URI with the authorization code to
retrieve an access token for a resource.
• With the implicit grant type, the authorization server does not send back an authorization code.
It sends back an access token after the resource owner authorizes the client application. This
grant type is available for public clients only.
• With the resource owner password credentials grant type, the client application sends the user
name and password for a user on the resource server. This grant type assumes a high level of
trust between the client application and the resource server.
• With the client credentials grant type, the client application sends its own credentials when it
accesses server resources under its own control, or to resources that are previously arranged
with the resource server. This grant type is available to confidential client types only.
• With the JWT grant type, an encoded JWT is used to request an access token, rather than by
using an authorization code. A JWT Bearer Token can be used to request an access token
Uempty
when a client wishes to utilize an existing trust relationship, expressed through the semantics of
the JWT, without a direct user-approval step at the authorization server. It also defines how a
JWT can be used as a client authentication mechanism.
Authorization code and Implicit grant grant types are for three-legged OAuth flows. Resource
owner password credential and Client credential are for two-legged OAuth flows.
The validation grant type allows a third party to contact the DataPower token endpoint to verify
whether an access token that the appliance issues is valid. “Disable Validation Grant” disables that
capability.
OpenID Connect allows an ID token to be generated.
Uempty
Text-based password
Regular expression to
check the scope of the
request
With Customized scope check, you can use a stylesheet to do the scope checking, rather than
using the Scope field entry.
Uempty
With Verify client credential, you can verify the client identity along with using the access token.
Use validation URL is used when you want to use a remote server to validate the access token
rather than using the DataPower resource server. This situation occurs when the authorization
server is not a DataPower web token service.
Uempty
Caching mechanism
Stylesheet/GatewayScript
that executes after a
successful OAuth request
Expiration time in
seconds
Option to use a
stylesheet/GatewayScript to
extract more resource owner
information
OAuth overview and DataPower implementation © Copyright IBM Corporation 2017
Uempty
Uempty
Processing
policy that is
implemented in
the service
You can create your own DataPower service to act as the authorization server and token endpoint.
It is much easier to use the web token service type that DataPower provides.
The Client credential set specifies the character encoding of the basic authentication values.
“Protocol” indicates that the encoding is derived from what is specified in the HTTP protocol.
Uempty
The OAuth Client Profiles and OAuth Client Groups have no effect until they are referenced from a
AAA policy.
Uempty
In the top screen capture, “HTTP authentication header” is also selected. That choice is why the
authentication realm is identified.
The oauth-scope-metadata contains the scope of the request.
Uempty
• In the Resource extraction phase, you select URL sent by client and
Processing metadata, and specify the oauth-scope-metadata
For V6.0 and later, the firmware verifies that the scope agreed to in the access token matches the
actual requested scope (resource extraction phase).
Uempty
Uempty
Unit summary
• Describe the OAuth framework
• Describe why OAuth is useful in security scenarios
• Describe the OAuth three-legged scenario
• Explain the role that a DataPower gateway performs in an OAuth
framework
• Describe the OAuth configuration options on DataPower: the web token
service, the AAA action, the OAuth client profile, and the OAuth client
group
Uempty
Review questions
1. True or False: With OAuth, resource owners allow third-party
access to the resource without sharing their credentials.
2.
3.
4.
Uempty
Review answers
1. True or False: With OAuth, resource owners allow third-party
access to the resource without sharing their credentials.
The answer is True.
2. True or False: Three-legged OAuth is the traffic and data
pattern that OAuth is designed to solve.
The answer is True.
3. DataPower implementation of OAuth includes (select 3):
A. Web Token Service
B. One-legged authentication
C. AAA action
D. SSL
E. OAuth Client Profile and OAuth Client Group
The answer is A, C, and E.
4. True or False: OAuth configuration on DataPower does not
allow for the use of custom stylesheets.
The answer is False. OAuth configuration on DataPower
does allow for the use of custom stylesheets.
OAuth overview and DataPower implementation © Copyright IBM Corporation 2017
Uempty
Figure 2-44. Exercise: Defining a three-legged OAuth scenario that uses DataPower services
Uempty
Exercise objectives
After completing this exercise, you should be able to:
• Define an OAuth Client Profile and an OAuth Client Group
object
• Create a AAA policy to support the OAuth protocol
• Configure a DataPower web token service
• Configure a DataPower implementation of an OAuth resource
server
Uempty
Application function:
• User enters the ID of a bag to request its status
• Application responds with the current details on the bag, and the time
stamp of the request
1. Initial request
Uempty
1. Initial request
Resource owner
Browser
Browser
2. Response
OAuth client
JavaScript code
ID of bag to find:
in web server
Search button
Uempty
Browser
student/passw0rd
5. Send login page
Notice that the OAuth client is not involved in the login and grant interactions. The OAuth client
never sees the ID and password of the user.
Uempty
Browser
9. Sends 302 redirect response; location
header has OAuth client entry point plus (redirected)
URI: auth grant code, state
The user granted access permission to the OAuth client. Now the web token service is verifying the
OAuth client before giving it an access token.
Notice that the browser does not see the access token.
Uempty
Resource server
MPGW
OAuth client
BaggageService 15. JSON response
returned to OAuth JavaScript code
MPGW client in web server
Uempty
Overview
This unit covers how DataPower supports Social Login.
References
IBM DataPower Gateway Knowledge Center:
http://www.ibm.com/support/knowledgecenter/SS9H2Y_7.5.0
Uempty
Unit objectives
• Define Social Login
• Describe how to configure Social Login in DataPower
• Configure a Social Login Policy object
• Configure a JWT Generator and a JWT Validator object
• Describe OpenID Connect
• Configure an OpenID Connect client in DataPower
Uempty
Uempty
Uempty
OIDC terms
• End-User: OAuth resource owner
• ID Token: JSON Web Token (JWT) that contains Claims about the
authentication event. It might contain other Claims
Uempty
ID token
• Is a security token that contains claims about the authentication event
of an end-user by an authorization server when using a client
ƒ Can potentially contain other requested claims
• The ID token relates to authentication and identity similar to the way the
access token relates to authorization
Uempty
Member Description
aud Audience that this ID token is intended for. Must contain the
client_ID string of the relying party. May contain an array of strings
for other audiences
exp Expiration time of ID token. JSON number of seconds since
January 1, 1970
iat Time at which the ID token was issued. . JSON number of seconds
since January 1, 1970
Uempty
ID token: Example
{
"iss": "https://server.example.com",
"sub": "24400320",
"aud": "s6BhdRkqt3",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
}
Uempty
The “profile” scope returns the following standard claims: name, family_name, given_name,
middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate,
zoneinfo, locale, and updated_at.
The OpenID Provider may or may not support individual claim requests.
Uempty
The full list of standard claims is: sub, name, given_name, family_name, middle_name, nickname,
preferred_username, profile, picture, website, email, email_verified, gender, birthdate, zoneinfo,
locale, phone_number, phone_number_verified, address, updated_at.
The address claim is a JSON object composed of the following claims: formatted, street_address,
locality, region, postal_code, country.
The given_name and family_name members can each contain multiple name strings.
Uempty
The Print Shoppe, a Relying Party An OpenID Provider (OP) verifies the
(RP), needs to authenticate the end- identity of the client and issues an ID
user before performing the requested token and access token. It can also
function (OIDC client) provide additional claims for the end-
user.
Social Login support in DataPower © Copyright IBM Corporation 2017
The Authorization Code Flow returns an Authorization Code to the Relying Party, which can then
exchange it for an ID Token and an Access Token directly. All tokens are returned from the Token
Endpoint.
This provides the benefit of not exposing any tokens to the User Agent and possibly other malicious
applications with access to the User Agent (typically a browser). The OpenID Provider can also
authenticate the Relying Party before exchanging the authorization code for an access token. The
Authorization Code Flow is suitable for Relying Parties that can securely maintain a “client secret”
between themselves and the OpenID Provider.
Uempty
*Might be a service on
DataPower
In this scenario, Alice is the end-user. Alice wants the Print Shoppe to perform some function which
requires authentication of the end-user.
Uempty
In the second step, the RP send an authorization request to the OP for end-user authentication.
This need is indicated by the “openid” value in the scope parameter. Additional values might be in
the scope parameter for standard claims retrieval.
The request also includes “response_type=code”, the client ID, and the redirect URL that is
intended to receive the response.
Uempty
In the third step, the OP for Alice's user credentials to verify her identity. Alice responds with her
credentials.
Notice that the ID and password interaction is between the OpenID Provider and the end-user. The
Relying Party never sees that information.
Uempty
The OpenID Provider must obtain an authorization decision before releasing information to the
Relying Party. The web form is one of the ways to obtain the end-user’s permission.
Uempty
Figure 3-15. OIDC Step 5: OP returns authorization response (authorization code) to the RP
The authorization response contains the authorization code as a query parameter to the
redirect_uri specified in the authorization request.
The OpenID Provider never transmits the end-user's user name and password to the Relying Party.
Instead, the server sends an authorization grant code: a code that specifies that the end-user has
authenticated to the OpenID Provider and has granted access.
Uempty
The Relying Party sends its ID and password in the HTTP basic authorization header (default). The
OpenID Provider authenticates the Relying Party.
The token request goes to the token endpoint of the OpenID Provider.
Uempty
Uempty
Uempty
Uempty
Uempty
Uempty
Uempty
OIDC client
DataPower service
Uempty
2
4. The client redirection URI specifies the
3 endpoint on DataPower that the social login
provider uses in the callback
4
5. The client optional query parameters
5 specifies more query parameters to include
in the request that is sent to the social login
provider
The client ID and client secret that are specified here must match the values that are specified in
the social login provider.
• If the provider is a web token service, the OAuth client profile that it references contains the
client ID and password.
• If the provider is Google, Google generates a client ID and password. The social login policy
values must match.
• For other providers, it depends on their implementation.
For the Scope field, multiple values can be specified. They must be separated by blanks.
The client redirection URL is sent to the provider so that the provider has a the correct callback
location. The value must end in “/social-login-callback”.
The URL can be specified in the following ways:
• A hardcoded string.
• A “URL-in/social-login-callback”. The “URL-in” is the standard service variable.
• A DataPower context variable.
Uempty
The optional query parameters are defined in Section 3.1.2.1 of the OpenID Connect specification.
Some examples are nonce (a random text string to mitigate replay attacks) and display (how the
authentication/consent screen is displayed to the end user).
The SSL client profile is used to establish the SSL connection with the provider.
Uempty
1
2. Authorization endpoint URL of the
2 provider
3
3. The Token endpoint URL of the provider
4
4. Enable JWT token validation or not
5
5. The name of the JWT Validator object
that specifies the parameters for JWT
validation
If the social login provider is specified as Google, it means that DataPower processes OIDC
transactions as specified by Google in
https://developers.google.com/identity/protocols/OpenIDConnect.
If the provider is Google, get the authorization and token endpoint URL values from the same
Google URL.
The suggestion is to validate a JWT.
The JWT Validator object is covered later in this unit.
Uempty
The Issuer is a PCRE string that verifies the issuer claim in the JWT.
The Audience is a PCRE string that verifies the audience claim in the JWT.
The Validation method specifies what validation to perform on the JWT:
• Decrypt indicates that the JWT must be decrypted successfully
• Verify indicates that the JWT must be validated successfully
• Custom processing indicates that a stylesheet or GatewayScript executes after the decryption
and validation succeeds
Uempty
Uempty
Uempty
The validity period is used to compute the expiration time (“exp”) claim.
Uempty
5
5. Encryption certificate is the crypto
certificate that is used to encrypt the key
Signing key (crypto shared secret key) if
AES Key Wrap
Uempty
Uempty
Uempty
Figure 3-33. Google as the social login provider: Social Login Policy
Uempty
Uempty
Uempty
Uempty
• If you need the original URI information (path and request parameters),
you need to explicitly “recall” it from a AAA context variable
ƒ var://context/AAA/social-login-url-in
Uempty
. . .
Uempty
• Being a participant in the two flows is why the single DataPower service
plays two roles
• This service has the Extract Identity phase of the AAA policy that
specifies OAuth and redirect to social login provider
Uempty
OAuth client
DP service, node.js, others
Resource owner
browser Social login provider
Web token service,
MPGW,
others
Dual-role DataPower service
Web token service, MPGW
Uempty
Resource owner
browser Social login provider
Web token service,
MPGW,
others
Dual-role DataPower service
Web token service, MPGW
Uempty
Resource owner
browser Social login provider
Web token service,
MPGW,
others
Dual-role DataPower service
Web token service, MPGW
Uempty
Resource owner
browser Social login provider
Web token service,
MPGW,
others
Dual-role DataPower service
Web token service, MPGW
Uempty
Resource owner
browser Social login provider
Web token service,
MPGW,
others
Dual-role DataPower service
Web token service, MPGW
Uempty
Resource owner
browser Social login provider
Web token service,
MPGW,
others
Dual-role DataPower service
Web token service, MPGW
Uempty
Resource owner
browser Social login provider
Web token service,
MPGW,
others
Dual-role DataPower service
Web token service, MPGW
When the OIDC client sends the grant code to the provider, it also sends a client ID and password.
This information authenticates the client to the provider.
Uempty
Resource owner
browser Social login provider
Web token service,
MPGW,
others
Dual-role DataPower service
Web token service, MPGW
This authorization grant code is different than the code that was sent from the provider and the
DataPower service.
Uempty
Resource owner
browser Social login provider
Web token service,
MPGW,
others
Dual-role DataPower service
Web token service, MPGW
This access token is different than the access token sent from the provider to the DataPower
service. Access token (#2) represents the OAuth client access to the resource server.
Uempty
Resource owner
browser Social login provider
Web token service,
MPGW,
others
Dual-role DataPower service
Web token service, MPGW
Uempty
Unit summary
• Define Social Login
• Describe how to configure Social Login in DataPower
• Configure a Social Login Policy object
• Configure a JWT Generator and a JWT Validator object
• Describe OpenID Connect
• Configure an OpenID Connect client in DataPower
Uempty
Review questions
1. True or False: DataPower V7.5.1 supports all forms of social
login.
2.
3.
4.
Uempty
Review answers (1 of 2)
1. True or False: DataPower V7.5.1 supports all forms of social
login.
The answer is False. DataPower V7.5.1 handles social login
only for providers that implement OpenID Connect. Some
providers, such as Facebook, do not implement OIDC.
Uempty
Review answers (2 of 2)
3. Which object specifies the client ID and password that is
sent from the OIDC client to the provider:
A. OAuth client profile
B. Web token service
C. Social login policy
D. JWT generator
E. OAuth Client Profile and OAuth Client Group
The answer is C. The social login policy object specifies the client ID
and password that are sent to the provider to authenticate itself. If
the provider is Google, you obtain the client ID and password from
your Google API Manager page. If the provider is a web token
service or MPGW, the client ID and password is referenced on the
provider side from the OAuth client profile.
4. True or False: The OIDC client never sees the login credentials
of the user.
The answer is True. The OIDC login credentials are shared
between the user and the provider only. This isolation is similar to
that of OAuth.
Social Login support in DataPower © Copyright IBM Corporation 2017
Uempty
Exercise: Implementing an
OIDC client
Uempty
Exercise objectives
• Configure an OIDC client
Uempty
Overview
This unit summarizes the course.
Uempty
Unit objectives
• Explain how the course met its learning objectives
• Access the IBM Training website
• Identify other IBM Training courses that are related to this topic
• Locate appropriate resources for further study
Uempty
Course objectives
• Describe the AAA framework within the IBM DataPower Gateway
• Explain the purpose of each step in an access control policy
• Configure a AAA action to enforce authentication and authorization
policies that are in a AAA information file and in an LDAP server
• Describe the OAuth 2.0 framework
• Explain the role that a DataPower gateway performs in an OAuth 2.0
framework
• Configure the DataPower objects that are used for OAuth 2.0
interactions
• Define Social Login
• Describe how to configure Social Login in DataPower
• Configure an OIDC client
Uempty
<lab_files>/Solutions
• Remember to change
ƒ Port numbers
ƒ Back-end server (Network > Interface > DNS Settings > Static Hosts)
ƒ Front IP addresses (Network > Interface > Host Alias)
Uempty
Uempty
Uempty
Unit summary
• Explain how the course met its learning objectives
• Access the IBM Training website
• Identify other IBM Training courses that are related to this topic
• Locate appropriate resources for further study
Uempty
Course completion
You have completed this course:
AAA, OAuth, and OIDC in IBM DataPower V7.5
AP
B
BPM business process management
C
CBA context-based access
CEK content encryption key
CLI command-line interface
CRT Chinese Remainder Theorem
D
DAP Directory Access Protocol
DB database
DER Distinguished Encoding Rules
DH Diffie-Hellman
DN distinguished name
DNS Dynamic Name Server
E
EC Elliptic Curve
ECC Elliptic Curve Cryptography
ECDH Elliptic Curve Diffie-Hellman
ECDSA Elliptic Curve Digital Signature Algorithm
ECMA European Computer Manufacturers Association
AP
EP enforcement point
F
FLWOR for, let, where, order by, return
FSH front side handler
G
GB gigabyte
GCM Galois/Counter Mode
GUI graphical user interface
H
HMAC hash message authentication code
HTML Hypertext Markup Language
HTTP Hypertext Transfer Protocol
HTTPS HTTP over SSL
I
IANA Internet Assigned Numbers Authority
IBM International Business Machines Corporation
IETF Internet Engineering Task Force
IP Internet Protocol
IV initialization vector
J
J2SE Java Platform, Standard Edition
JDBC Java Database Connectivity
JMS Java Message Service
JOSE JSON Object Signing and Encryption
JSON JavaScript Object Notation
JWA JSON Web Algorithm
JWE JSON Web Encryption
JWK JSON Web Key
JWS JSON Web Signature
JWT JSON Web Token
AP
K
KDF key derivation function
L
LDAP Lightweight Directory Access Protocol
LDIF LDAP Data Interchange Format
LTPA Lightweight Third Party Authentication
M
MAC message authentication code
MFA message filter action
MFA multi-factor authentication
MIME Multipurpose Internet Mail Extensions
MPGW multi-protocol gateway
N
npm node package manager
NSS network security services
O
OAEP Optimal Asymmetric Encryption Padding
OASIS Organization for the Advancement of Structured Information Standards
OAuth Open standard for Authorization
OIDC OpenID Connect
OP OpenID Provider
OTP one-time password
P
PBES Password Based Encryption Scheme
PCRE Perl Compatible Regular Expressions
PDF Portable Document Format
PEM Privacy Enhanced Mail
PI processing instruction
PKCS Public Key Cryptography Standard
PKI public key infrastructure
PKIX Public Key Infrastructure for X.509 Certificates (IETF)
AP
POX plain old XML
PS Probabilistic Signature Scheme
R
REST Representational State Transfer
RFC Request for Comments
RP Relying Party
RPC Remote Procedure Call
RSA Rational Software Architect
RSS Really Simple Syndication
S
SAF System Authorization Facility
SAML Security Assertion Markup Language
SDK software development kit
SHA secure hash algorithm
SLM service level management
SLM service level monitoring
SNMP Simple Network Management Protocol
SOA service-oriented architecture
SOAP Usage note: SOAP is not an acronym; it is a word in itself (formerly an acronym for
Simple Object Access Protocol)
SPNEGO Simple and Protected GSSAPI Negotiation Mechanism
SPVC self-paced virtual classroom
SQL Structured Query Language
SSH Secure Shell
SSL Secure Sockets Layer
SSO single sign-on
STS Security Token Service
T
TLS Transport Layer Security
U
URI Uniform Resource Identifier
URL Uniform Resource Locator
AP
USB Universal Serial Bus
UTC Coordinated Universal Time
W
WS web services
WSDL Web Services Description Language
WSP web service proxy
WTS web token service
WWW World Wide Web
X
XACML Extensible Access Control Markup Language
XML Extensible Markup Language
XMLFW XML firewall
XPath XML Path Language
XSD XML Schema Definition
XSL Extensible Stylesheet Language
XSLT Extensible Stylesheet Language Transformation
backpg