Using Active Directory security groups for authorization


Epoch1

Jul 7, 2016, 4:08:20 AM
to SimpleSAMLphp
Hi,

I have set up SSP as an SP and I'm using ADFS as an IdP.

I'm new to SAML and SSP and I want to know if it is possible to configure SSP to restrict access to web applications based on Active Directory security groups?  I am creating a user portal and once users are successfully authenticated they will be displayed a set of links available to them based on their AD security group membership.  Is there anything that SSP can do to check that a user is a member of a specific group when they click one of the links to access an application, or do I have to build something myself?  I looked at the Authorize module but it looks like it just enforces group membership for the SP, whereas I need to check this for each link.

I'm using SSP with non-PHP systems so I have it set up with Apache, authmemcookie and I'm using memcached. I've noticed that when I print out my Apache environment hash the groups entry is truncated: all I get is the first CN (the group data contains "=", "," and spaces as part of the DN). However, groups are correctly printed out if I use PHP and getAttributes (the data is also correct in the cache).  I need to use the ENV hash though as I have some non-PHP applications.

Can anyone help with either of my questions? Thanks.

Peter Schober

Jul 7, 2016, 5:05:45 AM
to SimpleSAMLphp
* Epoch1 <mje...@me.com> [2016-07-07 10:08]:
> I'm new to SAML and SSP and I want to know if it is possible to
> configure SSP to restrict access to web applications based on Active
> Directory security groups?

Well, the IdP can put whatever it wants into SAML Attributes and once
the SimpleSAMLphp SAML SP has processed the Assertion it will make
attributes available via the appropriate API call, as per the
documentation.
What you do with these attributes is up to you, and authorisation is
one obvious and very common use-case. (SSP doesn't know or need to
know that some of the strings it receives are LDAP group names, of
course, that's just your own code comparing strings, etc.)

> I am creating a user portal and once users are successfully
> authenticated they will be displayed a set of links available to
> them based on their AD security group membership.

You can do that for "UI optimisation" purposes (don't show stuff the
subject doesn't have access to anyway), but note that the resources
those links point to will themselves need to implement those same
checks (again), because "hiding links" (in the portal) is not proper
authorisation (for the resource); the resource itself must be
protected.

> Is there anything that SSP can do to check that a user is a member
> of a specific group when they click one of the links to access an
> application or do I have to build something myself?

Someone or something has to know what groups are required for each
resource/link to be [not] shown. So that's part of your own code.

> I looked at the Authorize module but it looks like it just enforces
> group membership for the SP where as I need to check this for each
> link.

Then it's not for you. See also the very first sentence in the
documentation for that module,
https://simplesamlphp.org/docs/stable/authorize:authorize

You also don't want SSP to terminate access to your "portal"; the way
I understood it you want everyone to have access and only then
differentiate what they see based on the attributes available. That means
SSP cannot play a role in authorisation here, it's your application
code that does that.

> I'm using SSP with non php systems so I have it set up with Apache,
> auth memcookie and I'm using memcached. I've noticed that when I
> print out my Apache environment hash the groups entry is truncated,
> all I get is the first CN (the group data contains = , and spaces as
> part of the DN), however groups are correctly printed out if I use
> php and getAttributes (the data is also correct in the cache). I
> need to use the ENV hash though as I have some non-php applications.

Sorry, I don't know the details of the SSP/authmemcookie integration
and how that works for attributes and multi-valued attributes and what
limits apply there (size or otherwise).
-peter
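The split Peter describes above, the SP handing the application a bag of attribute strings, the application's own code comparing them to a per-resource group map, and the resource repeating the check rather than trusting a hidden link, as an added PHP example that is not part of this thread or of the SimpleSAMLphp project. It assumes a SimpleSAMLphp 1.x install under /var/simplesamlphp with the SimpleSAML_Auth_Simple API and an authsource named 'default-sp', PHP 7, and that ADFS releases group DNs in the attribute named in GROUP_ATTRIBUTE; the resource names and DNs in RESOURCE_GROUPS are made up for illustration.

```php
<?php
// Added example (not from the thread or the SimpleSAMLphp project): group-based
// authorisation in application code on top of attributes the SP received.
// Assumptions: SSP 1.x layout and the SimpleSAML_Auth_Simple API, an SP
// authsource named 'default-sp', and that ADFS releases AD group DNs in the
// attribute named below. Adjust all three to your deployment.
require_once('/var/simplesamlphp/lib/_autoload.php');

// Attribute name under which ADFS sends AD group membership. This depends on
// the claim rule configured on the IdP side and is an assumption here.
const GROUP_ATTRIBUTE = 'http://schemas.xmlsoap.org/claims/Group';

// Which AD groups grant access to which resource. This map is the one place
// that knows "which group is required for which link"; as the thread says,
// something in your own code has to hold that knowledge. Made-up values.
const RESOURCE_GROUPS = [
    'hr'      => ['CN=HR Staff,OU=Groups,DC=example,DC=com'],
    'finance' => ['CN=Finance,OU=Groups,DC=example,DC=com',
                  'CN=Auditors,OU=Groups,DC=example,DC=com'],
    'wiki'    => ['CN=Domain Users,CN=Users,DC=example,DC=com'],
];

// Normalise a DN for comparison: AD DNs are case-insensitive and may arrive
// with varying whitespace around the commas. Always compare the whole DN,
// never just the CN, so 'CN=Finance,OU=Test,...' cannot pass as the real group.
function normaliseDn(string $dn): string {
    return strtolower(preg_replace('/\s*,\s*/', ',', trim($dn)));
}

// True if any of the subject's groups grants access to $resource.
// Unknown resources are denied by default.
function isAuthorised(array $attributes, string $resource): bool {
    if (!isset(RESOURCE_GROUPS[$resource])) {
        return false;
    }
    // SSP returns every attribute as an array of string values.
    $userGroups = array_map('normaliseDn', $attributes[GROUP_ATTRIBUTE] ?? []);
    foreach (RESOURCE_GROUPS[$resource] as $required) {
        if (in_array(normaliseDn($required), $userGroups, true)) {
            return true;
        }
    }
    return false;
}

// Links the portal may show for this subject. This is UI optimisation only;
// the resource handler below makes the same decision independently.
function visibleResources(array $attributes): array {
    return array_values(array_filter(array_keys(RESOURCE_GROUPS),
        function ($r) use ($attributes) { return isAuthorised($attributes, $r); }));
}

// Everyone authenticated may reach the portal itself; SSP only authenticates.
$as = new SimpleSAML_Auth_Simple('default-sp');
$as->requireAuth();
$attributes = $as->getAttributes();

$resource = $_GET['app'] ?? null;
if ($resource === null) {
    // Portal page: list only what the subject can actually reach.
    foreach (visibleResources($attributes) as $r) {
        echo '<a href="?app=' . htmlspecialchars($r) . '">'
           . htmlspecialchars($r) . "</a><br>\n";
    }
} else {
    // The resource repeats the check. A user who guesses or bookmarks the URL
    // must get the same answer as one who never saw the link.
    if (!isAuthorised($attributes, $resource)) {
        http_response_code(403);
        exit('Forbidden');
    }
    echo 'Welcome to ' . htmlspecialchars($resource);
}
```

In a real deployment the protected applications are separate endpoints rather than a `?app=` switch in the same script, but the point carries over: each of them calls the equivalent of `isAuthorised()` against the attributes it obtained itself, and the portal's filtered link list is never treated as an access decision.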

Epoch1

Jul 7, 2016, 7:54:09 AM
to SimpleSAMLphp, peter....@univie.ac.at
Thanks Peter that's really helpful.  I was heading in the right direction I just wanted to clarify my understanding.

Peter Schober

Jul 7, 2016, 8:33:01 AM
to SimpleSAMLphp
* Epoch1 <mje...@me.com> [2016-07-07 13:54]:
> Thanks Peter that's really helpful. I was heading in the right
> direction I just wanted to clarify my understanding.

Sorry I have nothing to add on the authmemcookie group limitation
issue. If you even get a single group into httpd (via SSP and
authmemcookie) it seems you're doing everything as intended.

If SSP itself and your PHP code shows all groups everything's fine
there as well.

Since all you can do with the authmemcookie integration here is map
SSP-internal attribute names to username and groups, I have no idea
what could go wrong here.

Maybe someone more familiar with SSP and authmemcookie can chime in
here.
If all else fails you could still decide to pick a different SAML
implementation that works within Apache httpd, such as mod_mellon or
the Shibboleth Service Provider.
-peter