Authorization Principles

From
Revision as of 09:25, 30 January 2020 by Thewikiadmin (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Organizations who integrate the STS with their legacy applications always adequate precautions in ensuring that the security controls are in place.  While authentication (e.g. UserContextModes) is the primary method by which unauthorized access is managed, the other aspect that needs to be considered is authorization.  Authorization takes the additional step to verify or make the decisions if a user should have access to the external application.   There are three tiers in managing access to external service providers:

  1. At the legacy application level: in this case the application itself determines if the user is authorized (typically via roles) to access the external service providers.  Most implementations will have the logic in the application decide if the link to the external service provider should be displayed or rendered.
  2. Leveraging Orbital Lite STS: using it's Allow/Deny rules and leveraging group memberships on directory services.  Here the STS will check if the users is a member of a specific group and grant access to the external provider accordingly
  3. Using Service Provider access controls: some service providers control the provisioning based on an approved user list or designated roles.  In federated identifies with authenticated identity providers (based on contractual stipulations), the role assignment and its managements may be delegated to the source system; e.g. a hospital has 3 roles defined with the SP and will assign them accordingly in the source application.

Ideally all three tiers should be implemented to ensure a highly-controlled access model.  Realistically, there may be undue operational overhead and complexity.  In additional performing unnecessary access control validation may add latency and impact performance. Here we present the recommended minimum access controls per UserContext Mode.

Recommended Access Control Tiers

UserContextMode Tier 1: Source Application Tier 2: Orbital Lite STS Tier 3: Service Provider
1: Individual Hash Yes, display link for authorized users Optional Optional
2: Organizational Hash Yes, display link for authorized users Optional Optional
3: Individual Plaintext Password Yes, display link for authorized users Yes, check for authorization Optional
4: Windows Authentication Optional, display link for authorized users Yes, check for authorization Optional
5: Client-side Certificates Optional, display link for authorized users Yes, check for authorization Optional
6: SSO Cookie Optional, display link for authorized users Yes, check for authorization Optional
7: ADFS Integration Optional, display link for authorized users Optional, leverage ADFS to assign assertions Optional

 

Additional Compensating Controls

Organizations are strongly encouraged to review logs and audit user activity at least monthly.  If possible, the activity at the Service Provider level should be reviewed and authorized access validated.  This should be done in collaboration with both parties, as the SP typically has no visibility into the userbase at the organization, and the organization may not have the knowledge to interpret the activity generated by the SP logs/reports.