IDP Authorizers
    • 03 Mar 2024
    • 3 Minutes to read

    IDP Overview

    In the standard interaction between an organization's IDP and its users, a user attempts to log in to one of the organization's applications (a web application, a database, some other digital resource). The IDP authenticates the user and issues a token carrying identity claims about that user (user name, email, group memberships, etc.).

    Behind this everyday occurrence are the milliseconds between the login request and the application opening or the web tool launching. An organization that wants its authorization policies applied correctly has to decide, in that window, whether each user should be granted or denied access based on any number of attributes (the user's location, job title, the time of day or day of the week, etc.). That decision is made between the request and the enforcement, that is, between the login request and the resource becoming accessible.

    The IDP Authorizers feature in PlainID lets the IDP consult PlainID at token-issuance time: the IDP calls the IDP Webhook running in the Policy Authorization Agent (PAA), the webhook requests a decision for the user from the PlainID PDP, and the result is mapped into claims that the IDP places in the token. This guide describes how to configure and use the feature: the PlainID and IDP prerequisites, the IDP Webhook configuration in the PAA, and the mapping of PDP decisions to claims.

    With IDP Authorizers you integrate your existing IDP (Okta or Auth0) with PlainID's centralized authorization platform, so that fine-grained policies defined once in PlainID drive the claims, and therefore the access decisions, of every application that relies on that IDP.

    PlainID Prerequisites / Pre-Conditions

    • Existence of the following building blocks:
      • A "Claims" Asset Type with the following attributes:

        Attribute Name | Attribute Properties          | Notes
        claimKey       | Name for request = claimKey   | Must
        claimValue     | Name for request = claimValue | Must

      • At least 1 asset defined (internal / PlainID-managed asset), e.g.:

        Asset name                | claimKey               | claimValue
        Portal Administrator      | claimPortalRole        | Administrator
        Senior Department Manager | departmentManagerLevel | Senior

      • Identity Attributes
        • The Name for request must match the name of the attribute in the identity source
    • Optional - Add/Define Asset Type Rulesets
    • Define an Application
      • Associate the "Claims" Asset Type with the Application
      • With an associated Scope (Client ID + Client Secret)
      • These Scope credentials are used when defining the Hook in the IDP and are the clientid / clientsecret of the application's entry in the IDP Webhook configuration
    • Define a Policy
      • Associate the Application with the Policy

    IDP Prerequisites

    • An existing application (client) in the IDP
    • At least 1 user assigned to that application in the IDP
    • An Okta Inline Hook or an Auth0 Rule that calls the IDP Webhook

    IDP Webhook In The Policy Authorization Agent

    IDP Webhook Setup In The Policy Authorization Agent - For Kubernetes (Helm)

    Important

    If you are upgrading your PAA to version 5.2410 or above, update your values-custom.yaml according to the configuration in the code block below, and make sure idp-webhook is enabled (enabled: true).

    Add the following section to values-custom.yaml.
    Note: the example below configures two IDP applications ("Bank Portal" and "Loan Approval"). The application names must exactly match the client names in the IDP. The client IDs, client secrets and the webhook secret shown are placeholders for your own PlainID Scope credentials and shared secret; do not reuse them, and keep the real values out of version control.

    idp-webhook:
      enabled: true
      replicaCount: 1
      # Allows you to add any config files to /app/config
      plainIDConfig:
        config.yaml:
          log:
            format: json
            # trace is useful while wiring the hook up; hook payloads carry identity
            # data, so lower this (e.g. to error) before production use
            level: trace
          http:
            port: 8080
            jwt:
              # bearer-JWT authentication of incoming hook calls is disabled here;
              # the IDP authenticates with the shared 'secret' configured below
              jwtBearerActive: false
              jwtIgnoreVerification: true
          management:
            port: ${MANAGEMENT_PORT:8081}
          server:
            name: idp-webhook
            auth:
              secret:
          # one entry per IDP application; the key must exactly match the client name in the IDP
          apps:
            - Bank Portal:
                clientid: PPWZYCOMXGNTHMGO8CIT                                # PlainID Scope Client ID (placeholder)
                clientsecret: 94syzfIOJI48pfFRAPt6BbjA7HdlbdAY74gnWVrX        # PlainID Scope Client Secret (placeholder)
                entitytype: User
                tokentype: identity
                includeIdentity: true
                userid: $.identity.claims.sub
                claims:
                  plainid: $.response[*].access[?(@.resourceType == "assetExternal")].path
                  FirstName_identity: $.identity.attributes.first_name

            - Loan Approval:
                clientid: PXY8GCMDLPKSNAFDAA7A
                clientsecret: U4kt3WL2vZytHqB4oseSAWePGeS7p1JxIO0Bpas1
                entitytype: User
                tokentype: identity
                # identity attributes are not requested from the PDP for this app, so only
                # $.response... paths are mapped ($.identity.attributes.* would resolve to nothing)
                includeIdentity: false
                userid: $.identity.claims.sub
                claims:
                  plainid: $.response[*].access[?(@.resourceType == "portal-permissions")].path

          # shared secret the IDP presents when calling the IDP Webhook endpoint (placeholder)
          secret: KQaIAMeiCfCQ02mdiVxxcJpKuvlWEG3GokoHtcmlaIqhvF4lxYPrL_B8UEoBl4FA
          runtime:
            host: http://10.xxx.xx.xx
            uri: /api/runtime/token/v3
            tenantPattern: "http://[tenant]-runtime.runtime"
            listenport: "8010"
            timeout: 3s


    Application Parameters

    Attribute/Parameter | Description
    Application Name    | The IDP client (application) name; must be an exact match. It is the key of each entry under apps
    clientid            | The PlainID Scope Client ID
    clientsecret        | The PlainID Scope Client Secret
    entitytype          | The Identity Type (default: User)
    tokentype           | Which token the claims are returned in: identity (default) or access
    includeIdentity     | Request the PDP to include the Identity Attributes in the response. Notice: to map identity attributes ($.identity.attributes.*), includeIdentity must be set to true
    userid              | The JSON Path to the user id (default: $.identity.claims.sub)
    claims              | List of claims to add to the token and, for each, the JSON Path mapping from the PlainID PDP response

    General Parameters

    Attribute/Parameter | Example value               | Description
    secret              | secret                      | Shared secret that the IDP uses to authenticate to the IDP Webhook endpoint; use a long random value
    log.level           | error                       | Log level (the example above uses trace for troubleshooting)
    runtime.host        | http://plainid-paa-uk.local | The PAA runtime server (Kubernetes service address or IP)
    runtime.uri         | /api/runtime/token/v3       | Static value
    runtime.listenport  | 8080                        | The port the IDP Webhook service listens on

    Mapping The PlainID Policy Decision Response To Claims

    Sample JSON Path expressions:

    Expression | Description
    $.response[*].access[?(@.resourceType == "ProfileInformation")].attributes.BU | Get the Business Unit (BU) attribute from the ProfileInformation assets included in the PDP response
    $.response[*].access[?(@.resourceType == "Accounts")].path | Get the asset id (path) of each Accounts asset included in the PDP response
    $.response[*].access[?(@.resourceType == "InternalIDP")].attributes.AttText[*] | Get a multi-value set of attributes from the InternalIDP assets included in the PDP response
    $.identity.attributes.user_role | Get the user_role attribute from the identity included in the PDP response
    Notice: In order to map identity attributes, includeIdentity must be set to true for that application.
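    To make the mapping concrete, here is an added example (not code from this article or from PlainID) that evaluates the JSON Path subset used above against a constructed PDP response and builds a claims map the way the apps[].claims section describes. The response shape, the claim names and the include_identity switch are assumptions for illustration; the real idp-webhook is a PAA component and this script only mimics its mapping step. It also shows the includeIdentity notice in action: when identity attributes are not requested, the $.identity.attributes.* claim is simply absent from the result.

```python
import re
from typing import Any

# Constructed sample of a PDP decision response in the shape the article's
# expressions assume (response[*].access[*] items with resourceType, path and
# attributes; identity.attributes present only when includeIdentity is true).
# Illustrative data, not a captured PlainID response.
SAMPLE_PDP_RESPONSE: dict[str, Any] = {
    "response": [{
        "access": [
            {"resourceType": "ProfileInformation", "path": "profile-7731",
             "attributes": {"BU": ["RETAIL"]}},
            {"resourceType": "Accounts", "path": "acc-1001", "attributes": {}},
            {"resourceType": "Accounts", "path": "acc-1002", "attributes": {}},
            {"resourceType": "InternalIDP", "path": "idp-1",
             "attributes": {"AttText": ["mfa-required", "vpn-allowed"]}},
        ]
    }],
    "identity": {"attributes": {"user_role": ["teller"], "first_name": ["Dana"]}},
}

# Claim name -> JSON Path, in the style of an app's 'claims:' section (assumed names).
SAMPLE_CLAIMS = {
    "BU": '$.response[*].access[?(@.resourceType == "ProfileInformation")].attributes.BU',
    "accounts": '$.response[*].access[?(@.resourceType == "Accounts")].path',
    "AttText": '$.response[*].access[?(@.resourceType == "InternalIDP")].attributes.AttText[*]',
    "user_role": "$.identity.attributes.user_role",
}

# Only the JSON Path subset the article uses: .name, [*] and [?(@.key == "value")].
_TOKEN = re.compile(r'''
    \.(?P<name>[A-Za-z_][\w\-]*)
  | (?P<star>\[\*\])
  | \[\?\(@\.(?P<fkey>[A-Za-z_]\w*)\s*==\s*"(?P<fval>[^"]*)"\)\]
''', re.VERBOSE)


def tokenize(expr: str) -> list[tuple]:
    """Split an expression into child / wildcard / filter steps; reject anything else."""
    if not expr.startswith("$"):
        raise ValueError("JSON Path must start with '$'")
    pos, tokens = 1, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"unsupported JSON Path syntax at {expr[pos:]!r}")
        if m.group("name") is not None:
            tokens.append(("child", m.group("name")))
        elif m.group("star") is not None:
            tokens.append(("wildcard",))
        else:
            tokens.append(("filter", m.group("fkey"), m.group("fval")))
        pos = m.end()
    return tokens


def evaluate(expr: str, doc: Any) -> list:
    """Return every value the expression selects; [] when nothing matches."""
    current = [doc]
    for tok in tokenize(expr):
        nxt: list = []
        for node in current:
            if tok[0] == "child" and isinstance(node, dict) and tok[1] in node:
                nxt.append(node[tok[1]])
            elif tok[0] == "wildcard" and isinstance(node, list):
                nxt.extend(node)
            elif tok[0] == "filter" and isinstance(node, list):
                nxt.extend(e for e in node if isinstance(e, dict) and e.get(tok[1]) == tok[2])
        current = nxt
    return current


def as_claim_value(matches: list):
    """Collapse matches into a claim value: a scalar, a list, or None when absent."""
    flat: list = []
    for m in matches:
        flat.extend(m if isinstance(m, list) else [m])
    if not flat:
        return None
    return flat[0] if len(flat) == 1 else flat


def build_claims(claim_paths: dict[str, str], pdp_response: dict, include_identity: bool) -> dict:
    """Map a PDP response to token claims. With include_identity=False the PDP is not
    asked for identity attributes, so the response has no 'identity' block and every
    $.identity.* path resolves to nothing (the article's includeIdentity notice)."""
    source = pdp_response if include_identity else {k: v for k, v in pdp_response.items() if k != "identity"}
    claims = {}
    for name, path in claim_paths.items():
        value = as_claim_value(evaluate(path, source))
        if value is not None:
            claims[name] = value
    return claims


if __name__ == "__main__":
    print(build_claims(SAMPLE_CLAIMS, SAMPLE_PDP_RESPONSE, include_identity=True))
    print(build_claims(SAMPLE_CLAIMS, SAMPLE_PDP_RESPONSE, include_identity=False))
```

    Filters apply to the elements of the access array, so a resourceType with several matching assets yields a list-valued claim (the Accounts case), while a single match collapses to a scalar. Expressions outside the subset shown in the article are rejected rather than silently returning nothing, which is the behaviour you want when a typo in a claims: entry would otherwise drop a claim from every token.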
