IDP Authorizers

Updated on 03 Mar 2024
3 Minutes to read

Print
Dark
Light
PDF

Article Summary

Share feedback

Thanks for sharing your feedback!

IDP Overview

In the standard interaction between an organization's IDP and its users, users attempt to log in to an organization's application (this could be an online application, a database, a digital resource, etc.). When this happens, the IDP generates a token with user identification details (user name, password, etc.).

What happens behind the scenes of this "every day" occurrence, is the milliseconds between the login request and the opening of the application, the launching of the web tool, etc. For an organization that wants to ensure that its authorization policies are correctly applied, the organization needs to determine whether each user should be granted or denied access based on any number of attributes (the users location, job title, the time of day or day of the week, etc.). This is what happens in the fractions of milliseconds in between the request and the enforcement (the login request and the resource becoming accessible).

The IDP Authorizers feature in PlainID provides a powerful solution for managing and controlling access to Identity Provider (IDP) resources within your organization. This is a comprehensive guide on how to effectively configure and utilize the IDP Authorizers feature to enhance your identity and access management processes.

With IDP Authorizers, you can seamlessly integrate your existing IDP systems with PlainID's centralized access control platform. This enables you to define fine-grained authorization policies, enforce access rules, and manage user privileges across your entire IDP ecosystem.

PlainID Prerequisites / Pre-Conditions

Existence of the following building blocks:
- Claims Asset Type With the following attributes:

Attribute Name	Attibute Properties	Notes
claimKey	`Name for request` = `claimKey`	Must
claimValue	`Name for request`= `claimValue`	Must

At least 1 asset defined (Internal/PlainId manager asset), e.g.:

Asset name	claimKey	claimValue
Portal Administrator	claimPortalRole	Administrator
Senior Department Manager	departmentManagerLevel	Senior

Identity Attributes
- The Name for request must match the name of the attribute in the source
Optional - Add/Define Asset Type Rulesets
Define an Application
- Associate the “Claims” Asset Type with the Application
- With the associated Scope (ClientID + ClientSecret)
- This will be used to define the Hook in the IDP
Define a Policy
- Associate the Application

IDP Prerequisites

Existing application
At least 1 user associated with the application in the IDP
Inline Hook Okta or Rule Auth0

IDP Webhook In The Policy Authorization Agent

IDP Webhook Setup In The Policy Authorization Agent - For Kubernetes (Helm)

Important

If upgrading your PAA (Versions 5.2410 and above), ensure that your custom-values.yaml is updated according to the changes in configuration listed in the code block below. Note that your idp-webhook is enabled.

Add the following section to the values-custom.yaml
Note: In the example below we have 2 IDP Application configurations (“Bank Portal” and “Loans Approval”)

idp-webhook:
  enabled: true
  replicaCount: 1
# Allows you to add any config files to /app/config
  plainIDConfig:
    config.yaml:
      log:
        format: json
        level: trace
      http:
        port: 8080
        jwt:
          jwtBearerActive: false
          jwtIgnoreVerification: true
      management:
        port: ${MANAGEMENT_PORT:8081}
      server:
        name: idp-webhook
        auth:
          secret:
      apps:
        - Bank Portal:
            clientid: PPWZYCOMXGNTHMGO8CIT
            clientsecret: 94syzfIOJI48pfFRAPt6BbjA7HdlbdAY74gnWVrX
            entitytype: User
            tokentype: identity
            includeIdentity: true
            userid: $.identity.claims.sub
            claims:
              plainid: $.response[*].access[?(@.resourceType == "assetExternal")].path
              FirstName_identity: $.identity.attributes.first_name

        - Loan Approval:
            clientid: PXY8GCMDLPKSNAFDAA7A
            clientsecret: U4kt3WL2vZytHqB4oseSAWePGeS7p1JxIO0Bpas1
            entitytype: User
            tokentype: identity
            includeIdentity: false
            userid: $.identity.claims.sub
            claims:
              plainid: $.response[*].access[?(@.resourceType == "portal-permissions")].path
              FirstName_identity: $.identity.attributes.lastName

      secret: KQaIAMeiCfCQ02mdiVxxcJpKuvlWEG3GokoHtcmlaIqhvF4lxYPrL_B8UEoBl4FA
      runtime:
        host: http://10.xxx.xx.xx
        uri: /api/runtime/token/v3
        tenantPattern: "http://[tenant]-runtime.runtime"
        listenport: "8010"
        timeout: 3s

Applications Parameters Information

Attribute/Parameter	Description
Application Name	The IDP Client name - must be an exact match
clientid	The PlainID Scope Client ID
clientSecret	The PlainID Scope Client Secret
entitytype	The Identity Type (default User)
tokentype	Which token will be used to return the claims: - Identity [Default] - Access
includeIdentity	Request the PDP to include the Identity Attributes in the response Notice: In order to map identity attributes, the `includeIdentity` must be set to `true`
userid	The JSON path to the user id Default `$.identity.claims.sub`
claims	List of claims and the corresponding JSON Path mappings from the PlainID PDP Response

General Parameters

Attribute/Parameter	Value	Description
secret	secret	This secret will be used to allow the IDP to authenticate with the IDP Webhook endpoint
log.level	Error
runtime.host	http://plainid-paa-uk.local	The server K8s svc IP
runtime.uri	/api/runtime/token/v3	Static value
runtime.listenport	8080	The port that the IDP Webhook service will be listening to

Mapping The PlainID Policy Decision Response To Claims

Sample JSON Path Expressions:

Expression	Description
`$.response[*].access[?(@.resourceType == "ProfileInformation")].attributes.BU`	Get the Business Unit (`BU`) code from the `ProfileInformation` assets included in the PDP Response
`$.response[*].access[?(@.resourceType == "Accounts")].path`	Get the asset id (`path`) from the `Accounts` Asset Type assets included in the PDP Response
`$.response[].access[?(@.resourceType == "InternalIDP")].attributes.AttText[]`	Get a multi-value set of attributes from the `InternalIDP` Asset Type assets included in the PDP Response
`$.identity.attributes.user_role`	Get the `user_role` attribute from the identity included in the PDP Response Notice: In order to map identity attributes, the `includeIdentity` must be set to `true`

Was this article helpful?

What's Next

IDP Webhook for Token Enrichment

Table of contents