Implement Authorization Model for Federated Users by Leveraging WSO2 Identity Server Adaptive Authentication
In my previous article [1] I described how to implement authorization logic for federated users, using XACML to write the authorization policies. As most of you will have noticed, writing a XACML policy from scratch is not an easy task unless you have a very comprehensive UI.
Recently WSO2 Identity Server introduced an adaptive authentication [2] capability that lets you bake fine-grained authorization logic into the authentication flow itself.
If you recall Section 03, Configure Authorization with XACML, of that article, let's try to do the same thing with the new JavaScript configuration introduced with adaptive authentication.
You can download and run WSO2 Identity Server 5.7.0 (at the time I am writing this blog, Identity Server 5.7.0 beta-2 has been released; I hope to see the GA release soon). We use the Identity Server 5.7.0 instance to represent company ABC. Do all the configuration in [1] except the XACML policy configuration for authorization. Once those configurations are done, go to the service provider application created for AWS by navigating to
List service providers → Select AWS service provider → Local and Outbound Authentication Configuration → Advanced Configuration

Once you select Advanced Configuration, a text area for the JavaScript configuration is shown.

The idea is that if you do not have the engineer role, you will not be allowed to log in to AWS.
function onLoginRequest(context) {
    executeStep(1, {
        onSuccess: function (context) {
            // subject authenticated in step 1
            var user = context.steps[1].subject;
            var isEngineer = isUserInRole(user, 'engineer');
            if (!isEngineer) {
                // abort the flow and redirect to the error page
                sendError('http://www.example.com/error',
                    {'errorcode': '000403', 'errorMsg': 'You are not allowed to login to AWS'});
            }
        }
    });
}
Similarly, you can do the same configuration for salesForce.
The idea is that if you do not have the manager role, you will not be allowed to log in to salesForce.
function onLoginRequest(context) {
    executeStep(1, {
        onSuccess: function (context) {
            // subject authenticated in step 1
            var user = context.steps[1].subject;
            var isManager = isUserInRole(user, 'manager');
            if (!isManager) {
                // abort the flow and redirect to the error page
                sendError('http://www.example.com/error',
                    {'errorcode': '000403', 'errorMsg': 'You are not allowed to login to salesForce'});
            }
        }
    });
}
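Before deploying either script it is worth checking that the rule really denies by default. The following is an added example, not code from the post or from WSO2: a small offline harness that mimics the parts of the adaptive-authentication runtime the scripts rely on (executeStep, context.steps[n].subject, sendError) and backs the custom isUserInRole function with a constructed role list, so the same rule can be exercised for both AWS and salesForce. The harness, the evaluate helper and the sample users are assumptions for illustration, not WSO2 internals.

```javascript
// Hypothetical stand-in for the adaptive-auth script runtime (assumption, not WSO2 code).
function makeRuntime(subject) {
  var outcome = { allowed: false, error: null };
  return {
    outcome: outcome,
    // Mimic executeStep: treat the constructed subject as authenticated, then call onSuccess.
    executeStep: function (stepId, handlers) {
      var ctx = { steps: {} };
      ctx.steps[stepId] = { subject: subject };
      outcome.allowed = true; // the step itself succeeded; onSuccess may still deny
      if (handlers && handlers.onSuccess) handlers.onSuccess(ctx);
    },
    // Mimic sendError: abort the flow and record the error payload sent to the user.
    sendError: function (url, params) {
      outcome.allowed = false;
      outcome.error = { url: url, errorcode: params.errorcode, errorMsg: params.errorMsg };
    },
    // The custom function the post introduces, backed here by the subject's role list.
    isUserInRole: function (user, role) {
      return (user.roles || []).indexOf(role) !== -1;
    }
  };
}

// The post's authorization rule, parameterised by required role and target application.
function requireRole(rt, role, appName) {
  rt.executeStep(1, {
    onSuccess: function (context) {
      var user = context.steps[1].subject;
      if (!rt.isUserInRole(user, role)) {
        rt.sendError('http://www.example.com/error',
          { errorcode: '000403', errorMsg: 'You are not allowed to login to ' + appName });
      }
    }
  });
  return rt.outcome;
}

// Run the rule for a constructed user (sample data, not a real account).
function evaluate(roles, requiredRole, appName) {
  var user = { username: 'test.user', roles: roles };
  return requireRole(makeRuntime(user), requiredRole, appName);
}
```

A user with no roles at all, or whose role list is missing, is denied like any other user lacking the required role, which is the behaviour you want from a rule of this kind.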
One more question remains: where is isUserInRole defined? If you look at the existing JS API reference [3], there is no function called isUserInRole. So the next challenge is how to introduce a new JS API to the script configuration, but don't worry, you can get step-by-step guidance from [4] without any hassle :D.
[2] https://docs.wso2.com/display/IS570/Adaptive+Authentication
[3] https://docs.wso2.com/display/IS570/Adaptive+Authentication+JS+API+Reference
