Implement Authorization Model for Federated Users by Leveraging WSO2 Identity Server Adaptive Authentication

Gayan Madusanka
Sep 7, 2018 · 2 min read

In my previous article [1] I described how to implement authorization logic for federated users. There I used XACML to write the authorization policies. Most of you will have noticed that writing an XACML policy from scratch is not an easy task unless you have a very comprehensive UI.

Recently WSO2 Identity Server introduced an adaptive authentication [2] capability that lets you bake fine-grained authorization logic into the authentication flow itself.

If you look back at Section 03 of that article, "Configure Authorization with XACML", let's try to do the same thing with the new JavaScript configuration introduced with Adaptive Authentication.

You can download and run WSO2 Identity Server 5.7.0 (at the time of writing, Identity Server 5.7.0 beta-2 has been released; I hope to see the GA release soon). We can use the Identity Server 5.7.0 instance to represent company ABC. Do all the configuration described in [1] except the XACML policy configuration for authorization. Once those configurations are done, go to the service provider application created for AWS by navigating to

List service providers → Select AWS service provider → Local and Outbound Authentication Configuration → Advanced Configuration

Once you select Advanced Configuration, you will be prompted with a place to put the JavaScript configuration.

The idea is that if you don't have the engineer role, you will not be allowed to log in to AWS.

function onLoginRequest(context) {
    executeStep(1, {
        onSuccess: function (context) {
            var user = context.steps[1].subject;
            var isEngineer = isUserInRole(user, 'engineer');
            if (!isEngineer) {
                sendError('http://www.example.com/error', {
                    'errorcode': '000403',
                    'errorMsg': 'You are not allowed to login to AWS'
                });
            }
        }
    });
}

Similarly, you can do the same configuration for the salesForce service provider.

The idea is that if you don't have the manager role, you will not be allowed to log in to salesForce.

function onLoginRequest(context) {
    executeStep(1, {
        onSuccess: function (context) {
            var user = context.steps[1].subject;
            var isManager = isUserInRole(user, 'manager');
            if (!isManager) {
                sendError('http://www.example.com/error', {
                    'errorcode': '000403',
                    'errorMsg': 'You are not allowed to login to salesForce'
                });
            }
        }
    });
}
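Both scripts above follow the same pattern: look up the subject of step 1 and deny the login unless the subject holds the role that this particular service provider requires. Because the only place to exercise such a script is the Identity Server login flow, here is an added example (my own harness, not WSO2 code) that mocks the three API functions the scripts use, executeStep, isUserInRole and sendError, so the per-application role rule can be unit-tested offline before it is pasted into the Advanced Configuration box. The REQUIRED_ROLE table and the user records are constructed for the example.

```javascript
// Added example: an offline mock of the adaptive-authentication script shape
// used above. The three API stand-ins below imitate the WSO2 JS API only as
// far as these scripts need; they are not the Identity Server runtime.

// Constructed policy table: the local role each service provider requires.
// An application that is not listed resolves to undefined, which no user
// holds, so the check fails closed for unknown applications.
const REQUIRED_ROLE = { AWS: 'engineer', salesForce: 'manager' };

// Build the same onLoginRequest body as the page's scripts for one application.
function buildLoginScript(appName, api) {
  const required = REQUIRED_ROLE[appName];
  return function onLoginRequest(context) {
    api.executeStep(1, {
      onSuccess: function (context) {
        var user = context.steps[1].subject;
        if (!api.isUserInRole(user, required)) {
          api.sendError('http://www.example.com/error', {
            errorcode: '000403',
            errorMsg: 'You are not allowed to login to ' + appName
          });
        }
      }
    });
  };
}

// Run the script for one application against a constructed user record
// ({ roles: [...] }) and report whether the login was allowed.
function runLogin(appName, user) {
  const result = { allowed: true, error: null };
  const api = {
    // Pretend step 1 (the federated login) succeeded and produced the subject.
    executeStep: (step, handlers) =>
      handlers.onSuccess({ steps: { [step]: { subject: user } } }),
    // Mock role lookup over the constructed user record.
    isUserInRole: (u, role) => u.roles.indexOf(role) !== -1,
    // Record the denial instead of redirecting to an error page.
    sendError: (url, params) => { result.allowed = false; result.error = params; }
  };
  buildLoginScript(appName, api)({});
  return result;
}

// Example run: an engineer may use AWS but not salesForce.
console.log(runLogin('AWS', { roles: ['engineer'] }).allowed);        // true
console.log(runLogin('salesForce', { roles: ['engineer'] }).allowed); // false
```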

One question remains: where is isUserInRole defined? If you have a look at the existing JS API reference [3], there is no function called isUserInRole. So the next challenge is how to introduce a new JS API function to the script configuration.

Don't worry, you can get step-by-step guidance from [4] without any hassle :D.

[1] https://medium.com/@gayanmadusanka_80721/implement-authorization-model-for-federated-users-by-leveraging-wso2-identity-server-e95f967ff5ac

[2] https://docs.wso2.com/display/IS570/Adaptive+Authentication

[3] https://docs.wso2.com/display/IS570/Adaptive+Authentication+JS+API+Reference

[4] https://medium.com/@gayanmadusanka_80721/how-to-introduce-new-js-api-to-wso2-identity-server-adaptive-authentication-script-configuration-3a97dd6bc5b9
