IDP Authorizers
- Updated on 03 Mar 2024
IDP Overview
In the standard interaction between an organization's IDP and its users, users attempt to log in to an organization's application (this could be an online application, a database, a digital resource, etc.). When this happens, the IDP generates a token with user identification details (user name, password, etc.).
What happens behind the scenes of this everyday occurrence takes place in the milliseconds between the login request and the opening of the application, the launching of the web tool, and so on. An organization that wants to ensure its authorization policies are correctly applied must determine whether each user should be granted or denied access based on any number of attributes (the user's location, job title, the time of day or day of the week, etc.). That determination happens in the fractions of milliseconds between the request and the enforcement (the login request and the resource becoming accessible).
The IDP Authorizers feature in PlainID provides a powerful solution for managing and controlling access to Identity Provider (IDP) resources within your organization. This is a comprehensive guide on how to effectively configure and utilize the IDP Authorizers feature to enhance your identity and access management processes.
With IDP Authorizers, you can seamlessly integrate your existing IDP systems with PlainID's centralized access control platform. This enables you to define fine-grained authorization policies, enforce access rules, and manage user privileges across your entire IDP ecosystem.
PlainID Prerequisites / Pre-Conditions
- Existence of the following building blocks:
  - Claims Asset Type with the following attributes:

Attribute Name | Attribute Properties | Notes |
---|---|---|
claimKey | Name for request = claimKey | Must |
claimValue | Name for request = claimValue | Must |
- At least 1 asset defined (Internal/PlainID manager asset), e.g.:
Asset name | claimKey | claimValue |
---|---|---|
Portal Administrator | claimPortalRole | Administrator |
Senior Department Manager | departmentManagerLevel | Senior |
- Identity Attributes
  - The Name for request must match the name of the attribute in the source
- Optional - Add/Define Asset Type Rulesets
- Define an Application
  - Associate the “Claims” Asset Type with the Application
  - With the associated Scope (ClientID + ClientSecret)
    - This will be used to define the Hook in the IDP
- Define a Policy
  - Associate the Application
IDP Prerequisites
- Existing application
- At least 1 user associated with the application in the IDP
- Inline Hook (Okta) or Rule (Auth0)
IDP Webhook In The Policy Authorization Agent
IDP Webhook Setup In The Policy Authorization Agent - For Kubernetes (Helm)
If upgrading your PAA (versions 5.2410 and above), ensure that your custom-values.yaml is updated according to the configuration changes listed in the code block below, and that idp-webhook is enabled (enabled: true).
Add the following section to the values-custom.yaml:
Note: In the example below there are two IDP Application configurations (“Bank Portal” and “Loans Approval”).
```yaml
idp-webhook:
  enabled: true
  replicaCount: 1
  # Allows you to add any config files to /app/config
  plainIDConfig:
    config.yaml:
      log:
        format: json
        level: trace
      http:
        port: 8080
        jwt:
          jwtBearerActive: false
          jwtIgnoreVerification: true
      management:
        port: ${MANAGEMENT_PORT:8081}
      server:
        name: idp-webhook
      auth:
        secret:
      apps:
        - Bank Portal:
            clientid: PPWZYCOMXGNTHMGO8CIT
            clientsecret: 94syzfIOJI48pfFRAPt6BbjA7HdlbdAY74gnWVrX
            entitytype: User
            tokentype: identity
            includeIdentity: true
            userid: $.identity.claims.sub
            claims:
              plainid: $.response[*].access[?(@.resourceType == "assetExternal")].path
              FirstName_identity: $.identity.attributes.first_name
        - Loan Approval:
            clientid: PXY8GCMDLPKSNAFDAA7A
            clientsecret: U4kt3WL2vZytHqB4oseSAWePGeS7p1JxIO0Bpas1
            entitytype: User
            tokentype: identity
            includeIdentity: false
            userid: $.identity.claims.sub
            claims:
              plainid: $.response[*].access[?(@.resourceType == "portal-permissions")].path
              FirstName_identity: $.identity.attributes.lastName
      secret: KQaIAMeiCfCQ02mdiVxxcJpKuvlWEG3GokoHtcmlaIqhvF4lxYPrL_B8UEoBl4FA
      runtime:
        host: http://10.xxx.xx.xx
        uri: /api/runtime/token/v3
        tenantPattern: "http://[tenant]-runtime.runtime"
        listenport: "8010"
        timeout: 3s
```
Applications Parameters Information
Attribute/Parameter | Description |
---|---|
Application Name | The IDP Client name; must be an exact match |
clientid | The PlainID Scope Client ID |
clientSecret | The PlainID Scope Client Secret |
entitytype | The Identity Type (default: User) |
tokentype | Which token will be used to return the claims: Identity (default) or Access |
includeIdentity | Request the PDP to include the Identity Attributes in the response. Notice: in order to map identity attributes, includeIdentity must be set to true |
userid | The JSON path to the user id (default: $.identity.claims.sub) |
claims | List of claims and the corresponding JSON Path mappings from the PlainID PDP Response |
General Parameters
Attribute/Parameter | Value | Description |
---|---|---|
secret | secret | This secret is used to allow the IDP to authenticate with the IDP Webhook endpoint |
log.level | Error | |
runtime.host | http://plainid-paa-uk.local | The server K8s svc IP |
runtime.uri | /api/runtime/token/v3 | Static value |
runtime.listenport | 8080 | The port that the IDP Webhook service listens on |
Mapping The PlainID Policy Decision Response To Claims
Sample JSON Path Expressions:
Expression | Description |
---|---|
$.response[*].access[?(@.resourceType == "ProfileInformation")].attributes.BU | Get the Business Unit (BU) code from the ProfileInformation assets included in the PDP Response |
$.response[*].access[?(@.resourceType == "Accounts")].path | Get the asset id (path) from the Accounts Asset Type assets included in the PDP Response |
$.response[*].access[?(@.resourceType == "InternalIDP")].attributes.AttText[*] | Get a multi-value set of attributes from the InternalIDP Asset Type assets included in the PDP Response |
$.identity.attributes.user_role | Get the user_role attribute from the identity included in the PDP Response. Notice: in order to map identity attributes, includeIdentity must be set to true |
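The claims mapping from the Applications Parameters table and the JSON path expressions in the table above can be exercised with the following Python script. It is an added example, not PlainID's code: it implements only the JSON-path subset that appears on this page (`.key` steps, `[*]` wildcards and `[?(@.field == "value")]` filters), the shape of SAMPLE_PDP_RESPONSE is assumed from those expressions rather than captured from a real PDP, and the claim names bu, idp_tags and role are constructed. The final call demonstrates the includeIdentity caveat: when the identity block is absent from the response, the identity-attribute claim is not produced and is reported as missing instead of silently being set to an empty value.

```python
"""Resolve idp-webhook style JSON-path claim mappings against a PDP decision response.

Added example, not PlainID's own code. Supports only the JSON-path subset used in
the configuration on this page; the response shape below is an assumption.
"""
import re
from typing import Any

# Constructed sample PDP response. Its shape (response[].access[].resourceType /
# path / attributes, plus identity.claims / identity.attributes) is ASSUMED from
# the JSON-path expressions in the documentation, not captured from a real PDP.
SAMPLE_PDP_RESPONSE: dict = {
    "response": [
        {
            "access": [
                {"resourceType": "Accounts", "path": "acct-1001", "attributes": {"BU": "Retail"}},
                {"resourceType": "Accounts", "path": "acct-2002", "attributes": {"BU": "Retail"}},
                {"resourceType": "ProfileInformation", "path": "profile-1", "attributes": {"BU": "Retail"}},
                {"resourceType": "InternalIDP", "path": "idp-1", "attributes": {"AttText": ["mfa", "vpn"]}},
            ]
        }
    ],
    # Only present when the app is configured with includeIdentity: true
    "identity": {
        "claims": {"sub": "alice"},
        "attributes": {"user_role": "analyst", "first_name": "Alice"},
    },
}

# Claim name -> JSON path, in the style of an app's "claims:" section (names are constructed).
CLAIMS_MAPPING: dict[str, str] = {
    "plainid": '$.response[*].access[?(@.resourceType == "Accounts")].path',
    "bu": '$.response[*].access[?(@.resourceType == "ProfileInformation")].attributes.BU',
    "idp_tags": '$.response[*].access[?(@.resourceType == "InternalIDP")].attributes.AttText[*]',
    "role": "$.identity.attributes.user_role",
}
USERID_PATH = "$.identity.claims.sub"  # the documented default for userid

# One regex alternative per supported step:
#   .name                      child key
#   [*]                        every element of a list
#   [?(@.field == "value")]    keep list elements whose field equals value
_STEP = re.compile(
    r"\.(?P<key>[A-Za-z_][A-Za-z0-9_-]*)"
    r"|(?P<wild>\[\*\])"
    r'|\[\?\(@\.(?P<ffield>[A-Za-z_][A-Za-z0-9_]*)\s*==\s*"(?P<fval>[^"]*)"\)\]'
)


def parse_path(expr: str) -> list[tuple[str, Any]]:
    """Tokenise a JSON path into steps; reject any syntax outside the subset."""
    if not expr.startswith("$"):
        raise ValueError(f"JSON path must start with '$': {expr!r}")
    steps: list[tuple[str, Any]] = []
    pos = 1
    while pos < len(expr):
        m = _STEP.match(expr, pos)
        if m is None:
            raise ValueError(f"unsupported JSON path syntax at offset {pos}: {expr!r}")
        if m.group("key") is not None:
            steps.append(("key", m.group("key")))
        elif m.group("wild") is not None:
            steps.append(("wild", None))
        else:
            steps.append(("filter", (m.group("ffield"), m.group("fval"))))
        pos = m.end()
    return steps


def evaluate(expr: str, doc: Any) -> list[Any]:
    """Return every value the path selects in doc (empty list when nothing matches)."""
    nodes: list[Any] = [doc]
    for kind, arg in parse_path(expr):
        nxt: list[Any] = []
        for node in nodes:
            if kind == "key" and isinstance(node, dict) and arg in node:
                nxt.append(node[arg])
            elif kind == "wild" and isinstance(node, list):
                nxt.extend(node)
            elif kind == "filter" and isinstance(node, list):
                field, value = arg
                nxt.extend(i for i in node if isinstance(i, dict) and i.get(field) == value)
        nodes = nxt
    return nodes


def map_claims(pdp_response: dict, mapping: dict[str, str]) -> tuple[dict[str, Any], list[str]]:
    """Build the claims dict: one match becomes a scalar claim, several become a
    list, and no match leaves the claim out and reports its name as missing."""
    claims: dict[str, Any] = {}
    missing: list[str] = []
    for name, expr in mapping.items():
        values = evaluate(expr, pdp_response)
        if not values:
            missing.append(name)
        elif len(values) == 1:
            claims[name] = values[0]
        else:
            claims[name] = values
    return claims, missing


def without_identity(pdp_response: dict) -> dict:
    """Simulate the response for an app configured with includeIdentity: false."""
    return {k: v for k, v in pdp_response.items() if k != "identity"}


if __name__ == "__main__":
    print("userid:", evaluate(USERID_PATH, SAMPLE_PDP_RESPONSE))
    print("claims:", map_claims(SAMPLE_PDP_RESPONSE, CLAIMS_MAPPING))
    print("includeIdentity false:", map_claims(without_identity(SAMPLE_PDP_RESPONSE), CLAIMS_MAPPING))
```

Running the script prints the resolved userid, the full claim set, and then the same mapping with the identity block removed, where the role claim is reported as missing; that missing list is the signal to check the app's includeIdentity setting before assuming a token simply lacks the attribute.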