System Overview

This chapter describes DirX Access first in broader context of the IAM components and protected systems followed by the detailed view on its inner components and their use for respective functionality scenarios.

DirX Access in the IAM Landscape

DirX Access is a component with the primary goal to enable to secure applications. It focuses on the real time request processing, mainly when it comes to authentication and authorization. DirX Access shall cooperate with other IAM components to achieve a complete protection in multiple different scenarios for the protected applications. Figure 1 depicts DirX Access in its typical deployment context.

./attachments/att++_++6++_++for++_++109838337
Figure 1. DirX Access in the IAM Context

As mentioned, the main goal of DirX Access is to protect applications. The protection may come in many forms: providing of an authenticated identity via issued tickets and assertions, single sign-on experience, via a complete authorization decision for initial request at the protected application. The modern applications typically have a built-in possibility to delegate the authentication and authorization problem to a third party component (DirX Access) by using standardized protocols. At the application side we can find in such cases the standard client-side components: SAML SP, or OAuth/OpenID Connect client. The legacy applications are then protected via the DXA’s own component - the policy enforcement point (PEP). The PEP can be deployed in the environment of the protected application and translate the authenticated identities and authorization decisions into the form the application understands (e.g., HTTP headers).

Each action performed at the DirX Access server generates specific audit message that can be sent to arbitrary auditing system. Via this channel, DXA typically produces the output consumed by the Identity Analytics and Intelligence Systems that are able not only to provide defined views on the original actions (hence, enforce the accountability) but also deduce additional information helpful for running and altering the existing system.

The user information for DirX Access is drawn from the user repository. DirX Access is typically in the role of the consumer of this repository - it can’t make any alterations in it. This role is predominantly assigned to the Identity Management and Governance Systems.

Additional source of identities (user accounts) can be third-party Identity Providers. In the deployments, where there are already existing Identity Providers, DirX Access can take a role of the relying party / client and can consume such identities. In these scenarios, the identities are typically further processed (e.g., enriched with additional data) and subsequently presented or used in the relation with the protected applications. DXA serves as a kind of identity proxy.

Privacy Regulations Conformance

DirX Access directly addresses several requirements common to current privacy legislations such as the U.S. Sarbanes-Oxley Act (SOX). As a complete access management system, DirX Access not only complies with these privacy regulations itself in its own architecture and implementation, but also makes your network infrastructure, including the resources and Web services you have already deployed, compliant with many of the same standards.

The use of role-based access control in DirX Access solves many of the problems inherent in creating and managing systems with tight security and stringent privacy policies. Because access to information sources and applications is provided to business roles that are in turn associated with users, the likelihood of individual users acquiring access to protected resources is reduced.

In addition, when a user switches role in the organization, his or her access rights change automatically. This eliminates the possibility of a situation where a user with access to sensitive personal information such as medical records moves to a new position in the organization and incorrectly maintains those access rights simply due to administrative oversight.

DirX Access in its default configuration does not manage any user data. As seen from Figure 1, for the initial user authentication, it needs to be connected to a user repository. Typically, this repository (e.g., corporate user directory) must exist independently on the deployment of DirX Access which concludes that by default DirX Access does not yield additional requirements according to the GDPR. However, certain configurations (such as user-aware risk-based authentication) might require user-related data to be stored. In such case, consult appropriate documentation sections for more information.

The multi-factor authentication is highly favorable (if not required) by the majority of the most important regulations (e.g., SOX, NIST Digital Identity Guidelines, etc.). DirX Access enables employing the strong multi-factor authentication out-of-the-box by combining the building blocks represented by strong authentication methods, such as PKI, FIDO, OTP, etc., into a configurable sequence.

DirX Access enforces passwords across the organization. It removes the need for each system component to request and validate passwords on its own, centralizing authentication and password management in one unit for tighter control. Furthermore, DirX Access allows the typical user name and password model to be refused for selected resources in favor of even more secure methods of authentication, such as X.509 certificates.

Perhaps the most crucial aspect of privacy regulation conformance, however, is the capability to execute complete end-to-end auditing on all system access events. It is not enough to merely deploy a system that should be secure, no matter how well defined; a requirement for complete confidence in an access management system is a way to confirm on an on-going basis that the security measures in place are not being compromised. With the auditing capabilities offered by DirX Access, administrators can review exactly who had access to what applications, and when, ensuring accountability for all users and resources in the system.

DirX Access allows administrators to customize security levels in a variety of ways, via RBA conditions, authorization conditions and rules, and the optional use of SSL/TLS encryption for internal communications to maintain the integrity of all data passed along the line. For more information on evaluating the security needs of your organization and designing your DirX Access deployment, see the chapter “System Deployment” in the “Administration Guide”.

Architecture

DirX Access delivers its core authorization, authentication and identity federation functionality using the components that are described in the following sections.

DirX Access deployments can be broadly separated into the following tiers:

  • Tier 1:

    • DirX Access policy enforcement points (PEPs) using Tier 2 security services.

  • Tier 2:

    • DirX Access Standards-oriented Web Applications publishing standardized IAM protocols endpoints; for example, SAML federation endpoints (SAML FEPs).

    • DirX Access Web Applications.

    • DirX Access Web Services.

    • DirX Access Services providing security services and using Tier 3 persistence.

  • Tier 3:

    • DirX Access Cache Server.

    • directory servers persisting user, configuration and policy data for DirX Access.

The following figure presents the DirX Access architecture from a high-level component standpoint:

./attachments/att++_++7++_++for++_++109838337
Figure 2. High-Level DirX Access Components

Third Party Web, Application and Portal Servers

These components are considered third-party technologies in your organization’s network that use DirX Access as their access management system: they represent the applications and resources that DirX Access is to protect. Depending on the server technology, you may use the native SSO and user personalization capabilities of DirX Access rather than the third-party server’s built-in methods, achieving a more robust and manageable solution.

Tier 1: DirX Access Policy Enforcement Points

PEPs are plug-in components that operate as DirX Access clients and that provide policy enforcement services (especially authorization and authentication). They intercept requests for resources and services, query the DirX Access Services for authorization and authentication, and enforce the decisions. PEPs are categorized as:

  • Application PEPs: PEPs that integrate with specific applications and protect this application; for example:

    • Application source PEPs: custom PEPs that use Client SDK methods that are integrated with the sources of applications

      • Application extension PEPs: custom off-the-shelf PEPs that extend applications; for example:

      • AOP-based PEPs

    • Servlet-Filter PEPs

  • Protocol stack extension PEPs: PEPs that reside in protocol stacks:

    • HTTP stack PEPs (also called Web PEPs): Apache HTTP Server PEP, Jetty PEP, Tomcat PEP, IIS PEP

When integrating DirX Access PEPs, the following approaches can be used:

  • Declarative: With this approach, the PEPs intercept resource access requests and enforce decisions without changing the actual service application. This approach applies to:

    • Servlet-Filter PEP

    • Jetty PEP

    • Tomcat PEP

    • Apache HTTP Server PEP

    • IIS PEP

  • Programmatic: Alternatively, applications can call the policy decision point (PDP) directly through programmatic means. With this approach, application designers can protect any arbitrary data or elements, such as tables or fields in a database or widgets on a Web page. This approach also provides applications with the ability to personalize pages with user information, improving user experience. This approach applies to:

    • Custom PEPs using Client SDK methods

    • AOP PEP

Mixing the declarative and programmatic approaches within a network can result in a very fine-grained and effective security solution.

Tier 2: DirX Access Applications

DirX Access provides a set of Web applications, Web service applications, and some additional applications.

Standards-oriented Web Applications

DirX Access provides the following off-the-shelf Standards-oriented Web applications:

  • SAML SP FEP Web application: A Web application that provides a federation endpoint for SAML service providers.

  • SAML IdP FEP Web application: A Web application that provides a federation endpoint for SAML identity providers.

  • SAML Proxying IdP FEP Web application: A combination of SAML IdP FEP and SAML SP FEP Web applications that provides a SAML proxying function for identity providers.

  • OAuth Client FEP Web application: A Web application that facilitates OAuth 2.0 client support.

  • OAuth Provider FEP Web application: A Web application that proxies OAuth 2.0 server support to DirX Access OAuthService.

  • WS-Federation Web application: A Web application that handles WS-Federation and Passive Requestor Profile specification. The Web application uses WS-Trust specification for its purpose and defines Security Token Service (a web service that issues security tokens) which can be accessed separately.

Web Applications

DirX Access provides the following custom Web applications:

  • Authentication Application Web application: A Web application that performs initial user authentication outside of PEPs and FEPs components and enables implementing complex authentication schemes. See the section “Authentication Application” in the “Administration Guide” for more details.

  • Manager Web application: A Web application that provides an intuitive Web-based interface that allows full or delegated administrators to define authentication methods for resources and authorization policies for roles.

RESTful Web Services

DirX Access provides the following off-the-shelf RESTful Web services:

  • SSO Web Service: Endpoint providing all request-processing functionality in one: authentication, authorization, request injection, etc.

  • Configuration Web Service: A web service providing the possibility to manage DirX Access configuration and policies.

  • SysActions Web Service: A web service providing the possibility to perform system actions, such as: deployment, keystore import/export, etc.

  • SCIM 2.0 Endpoint: Endpoint providing the SCIM 2.0 server functionality.

  • Legacy RESTful Web Services: Endpoints publishing the legacy RESTful interfaces to preserve compatibility.

  • Configuration Web Service: A Web service that provides the possibility to manage DirX Access configuration.

  • Sessioning Web Service: A Web service that enables SSO sessions management. Furthermore, it provides the possibility to perform authorization requests, and request injections.

SOAP Web Services

DirX Access provides the following off-the-shelf SOAP Web services:

  • Federation Web service: A Web services application that provides WS-Trust STS functionality.

  • Provisioning Web service: A Web services application that provides the ability to provision abstractions of the DirX Access policy service, for example, authentication methods, authorization policies and roles.

Secure Communication

Since DirX Access components are deployed in distributed network environments, the various components must communicate to fulfill their access management and security functions.

It is necessary to secure the communication between DirX Access components for any productive deployment to ensure the system integrity and trustworthiness. DirX Access supports SSL/TLS which should be used for this task. Not using SSL/TLS can be considered only if the communication between the components in question uses a trusted network (for example, a VPN, an IPSec tunnel, or a dedicated physical network, local machine connection only) where no additional protection is needed, or for demo/sample deployments.

Tier 2: DirX Access Services

The DirX Access services provide the core functionality of the product, including authorization, authentication, identity federation, administration and auditing services. The DirX Access Services tier is implemented according to SOA principles and comprises the following native services:

  • AppRepoService – manages DirX Access internal Application Repository.

  • AuditService – performs auditing. This service acts as a source for audit events that can be pushed to an arbitrary (configurable) audit sink.

  • AuthenticationService – validates authentication credentials; creates internal subject representations.

  • AuthorizationService – performs authorization (PDP / decision making). This service comprises PDPs, which evaluate requests for resource access provided by PEPs. The PDPs use policy information obtained from the Tier 3 directory server.

  • ClusterService – connects to the distributed caching and persistence.

  • CommunicationService – provides native communications and starts / stops the embedded Web server.

  • CryptoService – manages cryptographic keys and performs related operations.

  • FederationService – issues SAML tokens.

  • FidoService – generates and processes FIDO-based protocol messages.

  • OAuthService – provides OAuth 2.0 server functionality with OpenID Connect and UMA 2.0 extensions.

  • ProvisioningService – processes provisioning requests.

  • SsoService – manages SSO token representation of internal subjects.

  • UserService – provides persistent user data to other services.

These DirX Access services can be used via programming API (when employing the extension points in the form of Callout interfaces) and through bundled Web applications and Web services.

Tier 3: DirX Access Cache Server

The DirX Access Cache Server component provides the distributed cache and persistence to their clients embedded in DirX Access Servers.

Secure Distributed Cache/Persistence

The cluster service provides the communication to the distributed caching component – DirX Access Cache Server. If communication in this environment is a concern, it can be configured to be protected via SSL/TLS.

Tier 3: Directory Server

The directory server, for example DirX Directory, persists configuration, policy and user information. Depending on the configuration of the directory system, DirX Access can use one or more directory servers to store this data repository. Note that DirX Access does not ship with a bundled directory server.

When DirX Access is first configured, it is provided with the location of a directory server on your network to act as the policy and configuration data store, recording all data specific to DirX Access. This storage is named Application Repository.

The Application Repository can reside in a dedicated directory server isolated from any user data, so that you can manage your policy data separately from any existing user information on your system. Alternatively, the Application Repository can reside in the same directory server as your user data. DirX Access can intersect with user data whenever you choose to share the same repository.

Directory records are associated with object classes that identify what type of records they are, such as users, corporate resources, organizational units, etc. For example, the object classes person and inetOrgPerson are typically used to indicate that a particular directory record represents a user account. For more details on object classes, user accounts and directory schemas, consult your directory server documentation.

Data in the Application Repository

The Application Repository is primarily oriented on storing the policy and configuration data. This includes the following elements:

  • Authentication policies.

  • Authorization policies, including rule, condition and action components.

  • Users and groups.

  • Authentication methods.

  • Services configurations.

  • Policy enforcement point configurations.

  • Federation configurations.

  • Centralized component configuration parameters.

These items are recorded as directory server entries. They are created and modified whenever an authorized administrator creates or modifies policy-related data through DirX Access Manager or an identity management application’s administration console.

Additionally, the Application Repository might host so called Shadow User Tree (SUT) that stores records mapped one-to-one to the records in the User Repository. The SUT is managed solely by DirX Access and is accessible via the SCIM 2.0 interface. The records in SUT contain additional information about the user that is specific to DirX Access, including

  • OTP credentials.

  • FIDO credentials.

  • user-specific risk-based-authentication-related data.

Data in the User Repository

DirX Access uses the User Repository just for the consumption of the user-related data.

Secure Directory Access

If secure communication with your LDAP directory is a concern, and you need to ensure that DirX Access trusts the directory server, you can configure DirX Access to use a secure LDAP connection and authenticate the LDAP server using your choice of authentication methods.

Authorization

This section describes the architectural elements and models supported in DirX Access authorization.

Architectural Elements

The principal architectural elements in an authorization system are the policy enforcement points (PEP) and policy decision points (PDP). These elements are further augmented by a policy management authority (PMA).

./attachments/att++_++2++_++for++_++109838337
Figure 3. Conceptual Architecture of a Policy Control System

Typically, interactions between these components begin with the PEP, which intercepts a request for a protected resource and passes the request to the PDP. The PDP pulls policy information from the PMA, which may use a directory server or other information repository to persist authorization policies. The PDP validates the information provided by the PEP against the policies provided by the PMA to determine whether the user is authorized to access the requested resource. It returns its decision to the PEP, which enforces the decision by providing or refusing access.

The following sections describe the way these conceptual architectural components are supported in DirX Access.

Policy Enforcement Point (PEP)

The PEP security functionality is provided by plug-in components that are deployed at Web or application servers or with specific applications. They represent the client components of the DirX Access Services.

From a deliverable perspective, the following categories of PEPs need to be distinguished:

  • Off-the-shelf PEPs: PEPs delivered with the DirX Access delivery media. See the data sheet for details on the off-the-shelf PEP provided with a version of DirX Access.

  • Custom PEPs: solution- or project-specific PEPs created to address target environments not covered by the off-the-shelf PEPs. Custom PEPs can interact with DirX Access Services through RESTful Web services communications.

In all cases, DirX Access PEPs intercept access requests, extract the relevant attributes from an access request and generate authorization decision requests, rendering authorization decisions at the PDPs. When an authorization decision is returned, the PEPs are responsible for enforcing it, and for ensuring that all obligations required by an authorization decision are also satisfied.

PEPs may be co-located with PDPs for performance and scalability reasons, or may reside on remote network nodes. If PEP and PDP do not reside on the same host, they should communicate using secure SSL/TLS connections.

Policy Decision Point (PDP)

The PDP security functionality is provided by the authorization service in DirX Access. PDPs make policy decisions and store authorization policies at runtime (in volatile memory).

When PDPs receive an authorization decision request from PEPs, they fetch the applicable policies from the PMA. PDPs process the requests and evaluate them against the applicable authorization policies. When a decision is made, the PDP returns the authorization decision response to the PEP.

The PDPs operate according to the XACML standard with currently supported versions 1.x, 2.0, and 3.0.

Policy Management Authority (PMA)

The PMA security functionality is provided by the policy service in DirX Access. It manages authorization policies and stores them (in persistent memory).

Authorization policy information in a DirX Access system is stored underneath the root-node of the policy sub-tree repository on the directory server that is used to persist data for DirX Access. Such directory servers persist all object types required by DirX Access, including users, configurations and policies, as well as the attributes that describe each type of object, such as user names and IDs, role permissions (read, write and execute), and policy conditions.

DirX Access PMA functionality employs both RBAC (role-based access control) and ABAC (attribute-based access control) models.

Arbitrary Application-Defined Authorization Models

To be able to address access management use cases and scenarios that are not matched by RBAC, DirX Access supports arbitrary, application-defined authorization models.

Arbitrary non-RBAC authorization policy information is stored according to the XACMLPolicyStatement abstraction defined in the OASIS SAML profile of XACML.

Authorization Models

DirX Access supports role-based access control (RBAC) and attribute-based access control (ABAC).

RBAC Authorization Model

Role-based access control (RBAC) represents a specific instance of an authorization model that makes use of an indirection between users and resources through the RBAC-defined concepts of roles and permissions.

The underlying principle of RBAC systems is that business roles tend to be more stable and change less often than the users fulfilling those functions. Permissions are therefore assigned to roles, and roles are assigned to users as required.

The following figure illustrates the relationships between permissions, users, and roles.

./attachments/att++_++1++_++for++_++109838337
Figure 4. Relationships between Permissions, Roles and Users

RBAC authorization policy is translated by DirX Access into XACML for processing in the PDP as well as caching as Java objects.

This authorization model is constrained according the XACML profile for RBAC; all policies that can be expressed for the RBAC model belong to this dedicated profile, as illustrated in the following figure:

./attachments/att++_++5++_++for++_++109838337
Figure 5. DirX Access RBAC Model

RBAC authorization policy information can be managed through the administration Web application provided by DirX Access as well as through the provisioning Web service:

  • Administrators use the DirX Access Manager Web application to create and manage access control policies stored by the PMA through a Web-based interface. Administrators can also use the DirX Access provisioning Web service to manage authorization policies programmatically through a Web services client.

Note that the DirX Access restricts policy management to authorized administrators to prevent tampering with the system access control policies, and maintains the uniqueness of policy identifiers to prevent conflicts.

Permissions are created on the DirX Access Manager Policies page. The Roles page is used to create roles, and to assign existing permissions to roles. Roles can be assigned to users either on the Roles page or the Users page.

DirX Access supports role hierarchies, which define seniority relations between roles. Senior roles in the hierarchy may inherit permissions from junior roles.

For example, in the role hierarchy pictured below, the Production Engineers may be authorized to access software source code repositories for their respective projects, while the quality engineers may be authorized to access bug databases for their respective projects. The project leads may be able to access both the code repository and the bug database, but only within their respective projects. The director, however, may access either system for either project.

./attachments/att++_++3++_++for++_++109838337
Figure 6. Sample Role Hierarchy

To ensure the tightest possible security, it is recommended that you follow the principle of least privilege. Assign each role (and therefore the user or users assigned to that role) only the minimum access rights required to carry out its business objectives.

For example, if the vice-president of the Sales department never takes orders over the telephone, and does not know how to use the Web-based application used by the order-takers, the principle of least privilege suggests that inheritance from junior roles would not be appropriate.

The image below shows the role configuration page in DirX Access Manager.

./attachments/att++_++4++_++for++_++109838337
Figure 7. Role Configuration in DirX Access Manager

Role exclusion, or separation of duties, is a way of avoiding the conflicts of interest that may arise if users are assigned two incompatible roles. When two roles are excluded from each other, any user with one of the roles assigned cannot have the other role assigned at the same time. For example, a user authorized to buy a certain commodity is not allowed to sell the same commodity.

Separation of duty relations between roles reduce the number of permissions that can be made available to a user by placing constraints on which roles can be assigned to which users. Each role has an associated set of other excluded roles; whenever an administrator attempts to assign a role to a user who already has one or more of the excluded roles assigned, DirX Access Manager reports the conflict and blocks the new user assignment.

DirX Access implements extension of the RBAC authorization model called Role Enablement Authority, or REA, that supports multi-dimensional and dynamic role assignments. The REA concept is described in the section “Role Enablement Authorities” in the “Administration Guide”.

Administrative Responsibilities

Users of an RBAC system can be conceptually separated into three categories.

  • Role engineers, who are responsible for modeling the business structure of the organization in DirX Access roles. They distinguish roles according to users’ job functions and access requirements, create the roles in DirX Access, and assign permissions and constraints to those roles. Global or enterprise roles may be assigned to any user in the organization.

  • Administrators, who are responsible for assigning roles to the users.

  • End-users in an RBAC system, who make use of their roles every time they request access to a protected resource, although the operation is transparent to them. In a well-designed system, users simply access the resources they need without ever being aware of the roles to which they are assigned within DirX Access.

For more information on designing role hierarchies to match your organization’s business units, please see the chapter “System Deployment”.

ABAC Authorization Model

DirX Access supports attribute-based access control (ABAC) authorization model to leverage the full expressiveness of XACML policies. This model enables you to design any application-specific policies, as long as policy syntax requirements (well-formedness, validity) are met.

You can employ the ABAC profile in use cases and scenarios that are not matched by RBAC (which is a proper subset of ABAC). For example, some health care environments prefer Discretionary Access Control (DAC) authorization models, which allow resource owners to exercise discretionary access control for resources.

Since arbitrary authorization models are typically application- or deployment-specific, this section does not describe their potential characteristics and instead refers to the original specification.

The ABAC policies can be managed through the policy Web service provided in DirX Access, which follows the XACML SAML profile.

XACML Profiles

DirX Access supports other XACML profiles in addition to the RBAC profile to increase the number of possible use cases.

XACML v3.0 Multiple Decision Profile Version 1.0

Each PDP provides a switch that enables the multiple decision profile. When activated, any request message can be composed of semantically multiple requests evaluated according to the profile. As this profile is internally processed for the standard version 3.0 only, the XACML response will be always in version 3.0, regardless to the request version.

While the DirX Access-internal clients of PDPs do not make use of multiple decisions, the external clients are free to use them from any API. For more information, see the profile.

XACML SAML Profile Version 2.0

The XACML SAML profile enables extending the SAML protocol with authorization decisions using the full expressivity of XACML 3.0. This profile is supported by the SAML IdP endpoint. For more information, see the section “Authorization APIs” or the profile.

Authorization APIs

The authorization decision-making is both internally built in other DirX Access processes (SSO, configuration management, and so on) and externally accessible to the clients via a number of APIs, namely, it is a part of the processing via the SSO REST Web Service and the XACML Requests can be processed directly via the legacy REST Web Service.

Production vs. Testing Methods

The authorization APIs enable passing complete XACML requests into the process. However, there is a difference between the production and the testing methods in what is actually being processed. While the testing methods simply use the given request, the production methods apply the corresponding subject data to the request by replacing all the subject category attributes with the attributes formed from the subject data.

The production methods also leave tracing information in audit and monitoring mechanisms.

SAML IdP Endpoint

The SAML IdP endpoint supports full-blown authorization decisions based on the XACML SAML profile. The DirX Access implementation of the SAML IdP currently supports XACML 3.0 only.

The SAML IdP endpoint can provide the decision for any subject for which it currently manages an active session. The decision is made by a production method with respect to this subject.

The PDP evaluating the request is determined through the value of the “PEP identifier” parameter in the SAML IdP endpoint settings (and the subsequent chain to the PDP).

Authorization Service Proxy API

These APIs support the XACML core functionality and, in addition, the XACML SAML profile with the following restriction: the messages are directly the profile elements XACMLAuthzDecisionQuery and XACMLAuthzDecisionStatement because for these APIs, the communication runs between two trusted components so there is no need for the enveloping.

RESTful Web Services API

The RESTful Web Services API exposes the XACML core functionality and, in addition, provides a method simplifying the requests by querying for the decision for the given subject, resource and action.

Authentication

Authentication is the process of verifying the identity of a user requesting a service or resource. Authentication is differentiated into initial authentication, SSO and federated authentication:

  • Initial authentication: to authenticate initially with DirX Access, a user needs to:

    • Have a corresponding user account entry in the directory server that describes the user by a set of attributes. Without the directory server entry, DirX Access has no record against which to initially authenticate the connecting user

    • Provide credentials that match those stored in the corresponding user entry. Without the correct set of user credentials, DirX Access cannot confirm that the user is who he or she claims to be.

  • SSO: to maintain an SSO session in the local domain with DirX Access, a user must:

    • Present a valid identifier to a valid authentication state maintained in DirX Access.

    • Federated authentication: to authenticate through a federation with DirX Access, a user must:

    • Be able to authenticate (via initial authentication or SSO) at the identity provider and obtain a SAML- or OAuth-based security token that represents the user’s authentication event at the identity provider.

    • Present the SAML — or OAuth-based security token for validation at the service provider. This action can be performed through protocol frameworks for federated authentication defined by SAML 1.x or 2.0, OAuth 2.0, OpenID Connect 1.0 or based on WS-Trust.

Once authenticated, users can access resource content according the authorization policies set in DirX Access and stored persistently in the directory server.

Authentication is determined by two key elements:

  • An authentication policy: A policy means to request certain authentication methods for certain resources.

  • An authentication method: The mechanism deployed by the server to evaluate a user’s credentials. The authentication method configuration, along with the resource itself, is the main ingredient of an authentication policy. For information about the supported DirX Access authentication methods, please refer to the chapter “Administrative Tasks ‑ Configuration Data ‑ Authentication Methods”.

Assurance Levels and Authentication Method Conditions

Administrators can assign a ranking to authentication methods using the DirX Access Manager. This ranking, provided by assurance levels, indicates how secure the authentication methods are relative to each other on a numeric scale. For example, the password authentication method is relatively weak, and may be assigned a weight of 1, while an X.509 certificate method may be seen as stronger, and therefore assigned a higher weight of 5.

The PDP can use assurance levels as conditions for authorization. For example, a critical resource may be assigned a policy with an assurance level condition of 10, requiring that users be authenticated using only the most secure methods in order to achieve access. As a result, an authenticated user whose role includes access to the critical resource can still be denied if the method used to initially authenticate that user was not secure enough to meet the desired assurance level condition.

As an alternative to weighted assurance levels, a condition associated with an authorization policy can also specify exactly which authentication method or methods must be used in order to achieve access.

Risk-based Authentication

Risk-level assignment represents another authentication approach that works in concert with assurance levels. Risk-level assignment is a method of risk-based authentication (RBA), which estimates the potential size of a threat coming from an authentication request. A resource within DirX Access is typically protected by an authentication method with an assurance level that provides information about the level of its protection. Both risk level and assurance level are used to calculate access rights and then select the appropriate authentication method for eliminating incoming risk.

The risk level assignment is calculated from risk-based conditions assigned to the authentication policy. These conditions can specify several criteria for recognizing threats, such as access time, IP addresses, number of login events per time period and so on. RBA applies these conditions before the authentication request itself to estimate the height of the risk level and compare it with the assurance levels of the authentication methods covered by the policy in order to select the best one.

For details about the RBA mechanism and its configuration, see the chapter “Functional Topics” in the “Administration Guide”.

Authentication Application

Some initial user authentication scenarios require enforcing more complex authentication schemes beyond what PEPs and FEPs can do - for example, when users should authenticate using both password and OTP authentication method types. To support these scenarios, DirX Access offers the authentication method type “Authentication Application”, which basically delegates the initial user authentication process from PEPs and FEPs to the DirX Access Authentication Application Web component. Out-of-the-box, the Authentication Application can handle all supported authentication method types. See the section “Authentication Application” of the “Administration Guide”. The application’s Web page layout is also customizable; see the chapter “Customizing DirX Access Components” in the DirX Access Integration Guide for more information.

Single Sign-On

SSO considerations need to distinguish between Web and Web services as target environments.

Web

For Web SSO in single-domain Web environments, DirX Access uses authentication state identifiers stored in HTTP session cookies or encoded in HTTP requests URLs. Once a user has authenticated, his or her authentication token is returned by the Web browser for any HTTP request within the same domain. The HTTP session cookie expires whenever the Web browser is closed. Moreover, it can be configured to be available only if communications with the Web browser are protected by SSL/TLS (this is recommended).

The authentication state identifier content is a random quantity that has a meaning only for DirX Access; that is, it is opaque outside.

SOAP Web Services

Single sign-on for DirX Access SOAP Web services is based on WS-Trust.

RESTful Web Services

DirX Access RESTful Web services can be used for performing the single sign-on action via their SSO endpoint.

The legacy Sessioning endpoint enables furthermore the management of the SSO sessions.

Backend Application Integration

Web applications that delegate their authentication processes to DirX Access may want to retrieve authenticated user information from DirX Access, for example, to personalize Web pages for users. DirX Access provides two alternatives for retrieving user information:

  • Web applications can use programmatic means to connect directly to the DirX Access Services and retrieve information about an authenticated user from the repository.

  • DirX Access can provide user information in header variables added to HTTP requests or responses. HTTP requests or responses modified by DirX Access will contain the user’s name, group membership and business roles. These variables are accessible to any Web application able to fetch the HTTP request headers. This personalization feature populates HTTP headers with information on the authenticated user. The provided information comprises:

    • User attributes native to DirX Access; that is, attributes that are interpreted by DirX Access:

      • Login name: represented by the user’s RFC822 login name; for example: user01@my-company.

      • Assigned business roles: represented as a comma-separated list of names of assigned business roles; for example: My-Company/manager, My-Company/employee.

    • External attributes that are obtained through federated authentication: represented as a comma-separated list of attribute name and value pairs; for example: emailAddress[stan.hardy@acme.example],roles[/Acme/EmployeeAcme], firstName[Stan],lastName[Hardy].

    • Additional user attributes that are processed but not interpreted by DirX Access:

      • Arbitrary directory-resident user attributes such as surname, carLicense

  • This information is provided on the level of HTTP protocol elements and Java ServletRequest objects (depending on the capabilities of the PEP in use).

Note that the names of the header fields (for example, DXA_USER) are configurable.

Identity Federation

Identity federation supports organizations in consuming identities maintained by others. Identity federation scenarios recognize service, identity and proxying identity providers:

  • Service provider (SP), also known as resource provider (RP):

    • A provider of business services - owns resources and performs authorization.

    • A consumer of identity data - acts as an authorization authority granting access to resources.

  • Identity provider (IdP):

    • An issuer of identity data - acts as an authentication authority making assertions on authenticated user identity.

    • A provider of identity services: owns identity information and performs authentication.

  • Proxying identity provider:

    • Represents a special case of identity federation entity that acts both as a service and as an identity provider.

    • Acts as a service provider when it asks remote identity providers for identity data and consumes this data.

    • Acts as an identity provider when it performs authentication based on local identity information or based on identity data received from remote identity providers.

In identity federation scenarios, identity data comes in the form of transient authentication statements that are transferred in an interoperable and secure way. These authentication statements are also known as security tokens and come in the form of SAML assertions in DirX Access.

Identity Federation Technologies

Several identity federation technologies for Web and Web services environments have emerged in the last few years, including technology initiatives such as SAML, Shibboleth, Liberty-Alliance, and WS-Federation. This section provides an overview of the relevant properties.

Identity Data vs. Metadata

Identity federation systems differentiate between identity data and metadata:

Identity Data

Identity data consists of authentication statements comprising attributes and their values; for example, name = John Doe, affiliation = Acme.com, role = manager. That is, This is “John Doe”, an employee of “Acme.com” with the role “manager”.

In identity federation systems, identity data is represented through short-lived security tokens which typically come in the form of SAML assertions. Identity data issuance requires authentication; that is, security tokens are issued by online authentication authorities.

Identity Metadata

Identity metadata consists of attributes without their values; for example, name, affiliation, role and further properties that are required to operate an identity federation system; for example, addresses of service endpoints and employed keying associations.

In identity federation systems, identity metadata is represented through long-lived objects which come in various form factors; for example, system configuration settings (SAML protocols).

Identity Federation Protocols

The identity data and metadata exchanges require protocol standards that define the informational artifacts that are exchanged between the involved entities (clients, service providers, identity providers). The following identity federation protocols are relevant:

  • Initial approaches (2000 and earlier):

    • Proprietary approaches by Web SSO vendors

    • Undisclosed vendor-specific approaches

    • Published approaches (AuthXML, S2ML, X-TASS …)

    • Standards-based initiatives:

    • First generation:

      • First wave (2001-2003): SAML 1.x, Shibboleth, Liberty-Alliance

      • Second wave (2004-2005): WS-Federation, SAML 2.0

    • Second generation (from 2006):

      • Microsoft CardSpace, (OSIS, Eclipse Higgins, Apache Heraldry…)

      • OAuth

      • OpenID

Among these identity federation technologies, DirX Access supports SAML 1.x / 2.0 and OAuth 2.0 with OpenID Connect and User-Managed Access (UMA) extensions.

It is also important to note that Web environments differ significantly from Web services environments with respect to their identity federation readiness.

Architectural Elements

The identity federation system in DirX Access is based on DirX Access federation endpoints and DirX Access Services:

DirX Access Federation Endpoints

DirX Access federation endpoints implement specific identity federation protocols. Service provider endpoints need to be distinguished from identity provider endpoints.

Service Provider Endpoints

Service provider federation endpoints support federated authentication of external users against service providers according the conventions of an identity federation protocol; for example, SAML 1.x or 2.0. The service provider federation endpoints also create an SSO state in the service provider domain for users that can successfully be authenticated through federated authentication. Note that in contrast to initial authentication, this feature does not require users to have user accounts in the service provider domain to authenticate at the service provider.

SAML Protocols (Web)

The SAML protocols do not define the means for initial authentication or SSO. The DirX Access IdP FEP for SAML employs the DirX Access PEP or Authentication Application to perform initial authentication and the PEP to perform SSO. The full variety of authentication methods that are supported on the DirX Access PEP or Authentication Application level can be used with the IdP FEP for SAML. Moreover, the IdP FEP supports authorization decisions for the federated entities based on the XACML SAML profile.

OAuth 2.0 and OpenID Connect Protocols (Web)

A DirX Access SP FEP for OAuth processes OAuth 2.0 or OpenID Connect tokens to achieve federated authentication. It requires a PEP configuration to be able to transfer such authentication state.

Identity Provider Endpoints

Identity provider federation endpoints represent authentication state that can be established with the identity provider in a form that can be consumed by external service providers.

DirX Access uses SAML 1.x or 2.0 assertions to represent authentication state in exchanges between identity and service providers. These SAML assertions are transferred via the SAML 1.x, 2.0 protocols.

WS-Trust STS (Web Services)

Since WS-Trust Security Token Services (STSs) are Web services, they may require their own set of claims for authenticating and authorizing security token requests. The same mechanisms apply as for ordinary, non-STS Web services: the indication of required claims occurs through WS-Policy/WS-SecurityPolicy sections in STS WSDLs.

The DirX Access STS supports authentication based on Web services security (UsernameToken, X509Token).

WS-Federation (Passive Requestor Profile)

The WS-Federation Passive Requestor Profile specification defines extensions to the WS-Trust model to be used from browsers and portals that use the WS-Trust messages’ HTTP encoding.

The DirX Access WS-Federation supports claims-based authentication and can act as a Trusted Identity Token Issuer for SharePoint.

SAML Protocols (Web)

The SAML protocols do not define the means for initial authentication or SSO. The DirX Access IdP FEP for SAML employs the DirX Access PEP or Authentication Application to perform initial authentication, and the PEP to perform SSO (but does not perform authorization). The full variety of authentication methods that are supported on the DirX Access PEP or Authentication Application level can be used with the IdP FEP for SAML.

OAuth 2.0 protocol with OpenID Connect and UMA extensions (Web)

The OAuth 2.0 protocol does not define the means for initial authentication or SSO. The DirX Access IdP FEP for OAuth employs the DirX Access PEP or Authentication Application to perform initial authentication, and the PEP to perform SSO (but does not perform authorization). The full variety of authentication methods that are supported on the DirX Access PEP or Authentication Application level can be used with the IdP FEP for OAuth.

The DirX Access OAuth Server supports the OAuth 2.0 Authorization Framework standard (RFC 6749).

OpenID Connect extension allows clients to verify the identity of the end user or obtain basic profile information about the end user.

User Managed Access (UMA) extensions give individuals a unified control point for authorizing who and what can get access to their data.

DirX Access Services

DirX Access federation endpoints are clients of DirX Access Services container. They use DirX Access for backend processing tasks such as initial user authentication, SSO in the identity and service provider domains and attribute mappings at the service provider side. This also integrates the DirX Access federation functionality with auditing.

WS-Trust

Identity Provider

DirX Access Services for WS-Trust STSs contribute the following identity federation features:

  • Initial authentication.

  • SAML assertion issuance.

SAML Protocols
Service Provider

DirX Access Services for SAML SPs contribute the following identity federation features:

  • SAML assertion validation and consumption

  • Attribute mapping; that is, transferring the user attributes reported according to the identity provider context to the service provider context.

  • Single sign-on; that is, creating an authentication state and SSO in the service provider domain.

  • Personalization; that is, (configurable) supplying the external user attributes acquired through federation to downstream applications.

Identity Provider

DirX Access Services for SAML IdPs contribute the following identity federation features:

  • Initial authentication.

  • SAML assertion issuance.

OAuth 2.0 and OpenID Connect Protocols
Service Provider

DirX Access Services for OAuth SPs contribute the following identity federation features:

  • OAuth token validation and consumption

  • Attribute mapping; that is, transferring the user attributes reported according to the identity provider context to the service provider context.

  • Single sign-on; that is, creating an authentication state and SSO in the service provider domain.

  • Personalization; that is, (configurable) supplying the external user attributes acquired through federation to downstream applications.

Identity Provider

DirX Access Services for OAuth IdPs contribute the following identity federation features:

  • Initial authentication.

Provisioning

The provisioning capabilities of DirX Access facilitate the automation of all tasks concerning the life cycle of a user identity. In addition to the abstractions managed by the DirX Access user service (individual user accounts, LDAP groups, organizational units, user-to-role assignments) DirX Access also supports provisioning for the abstractions managed by the DirX Access policy service (including authentication policies, authorization policies and roles).

DirX Access integrates with off-the-shelf provisioning systems and home-grown applications through support of version 1.0 as well as version 2.0 of the Service Provisioning Markup Language (SPML). SPML 1.0 and 2.0 both have been specified by the OASIS organization.

DirX Access provides an SPML responder that processes requests passed in SOAP (v1.1 or 1.2) over HTTP messages. It allows you to look up, search, add, modify, and delete persistent objects that are manageable by the DirX Access policy services.

For details on provisioning, refer to the DirX Access Administration Guide.

DirX Access implements the SCIM 2.0 standard and extends its basic resource structure to be able to manage the user-specific data that are typically authentication-related, such as OTP shared secrets, FIDO credentials, and others.

Administration

DirX Access administration is performed through DirX Access Manager, a single-page web application utilizing the SysActions and Configuration RESTful Web Services. Administrators can use DirX Access Manager to perform a variety of tasks, such as:

  • Deploying DirX Access product components.

  • Creating authentication and RBAC authorization policies.

  • Configuring internal representation of authenticated subjects.

  • Configuring SAML assertions of authenticated subjects.

  • Configuring components, for example, Servers, PDPs, PEPs or SAML FEPs.

For an introduction to DirX Access Manager, see the chapter “Administrative Tools”. For detailed information on performing the tasks listed above, please see the chapter “Administrative Tasks”. The remainder of this section provides an overview of the delegation model in administration and the administrative roles in DirX Access.

Delegated Administration Model

DirX Access extends the concept of role-based access control, as used in resource management for business resources, to system administration. It provides a set of configurable administrative roles that can be assigned to users to control their rights and duties.

Note that business roles and administrative roles, while similar in function and effect, are conceptually separate in scope. Business roles control users’ access to system-wide Web resources such as e-mail, project management tools, or payroll systems. As such, they are at the heart of the DirX Access security model. Administrative roles, by contrast, control users’ access to view and manage elements within the DirX Access system, such as roles or permissions.

Administrative Roles

DirX Access has a default set of ready-to-use administrative roles, with pre-set permissions. Each role inherits all the permissions of the roles beneath it in the hierarchy, up to the top-level DirX Access Administrator role, which aggregates all administrative rights.

The following table lists the default DirX Access administrative roles, with the administrative functions specific to each.

Administrative Role Granted Administrative Functions

DirX Access Administrator

The top-level administrator, the DirX Access Administrator can perform all administration functions at the enterprise level and within any sub-domains that have the “manageable by parent” attribute set.

Domain Administrator

The domain administrator can perform all administrative functions for the users within his or her domain and within any sub-domains that have the “manageable by parent” attribute set. Please note that DirX Access currently supports only one domain model for configuration, policy and user data and thus privileges of the domain administrator are the same as of the top-level administrator.

Role Administrator

The role administrator has the same authority as the domain administrator, except that he or she cannot create or delete domains. The role administrator is responsible primarily for managing the business roles and security policies of his or her domain.

Senior Administrator

The senior administrator has the same authority as a domain administrator, except that he or she cannot assign administrative roles to other users.

Administrator

The administrator has the same authority as a senior administrator, except that he or she cannot create new users within the domain. An administrator can, however, modify an existing user’s attributes.

Support Administrator

The support administrator serves users in a help-desk role. He or she is able to view users’ attributes and change their passwords.

User

Simple users do not have any authority over other users’ accounts. They can only change their own profile preferences (provided they have access to a corresponding self-service application; this role does not entitle them to the use of DirX Access Manager).

Every administrative operation requested in DirX Access is examined by the delegation manager service, which enforces the policies corresponding to the authenticated user’s administrative role and the requested action (read, write, update, delete, reset password).

Delegated rights profiles are not limited to administrator and user accounts, but can be applied to any kind of actor or entity that carries out administrative tasks within an organization. For example, a script or batch process designed to add or modify multiple user accounts simultaneously may be granted an administrative role of the appropriate strength within the appropriate domain.

For handling RBAC administrative roles, DirX Access implements an extension of the RBAC authorization model called Role Enablement Authority(REA) that supports multi-dimensional and dynamic role assignments (the REA model can be used also for business roles, however, is used by administrative roles out-of-the-box, only). See the “Role Enablement Authorities” section in the “Administration Guide” to learn how use the REA concept to manage role definition and assignment.

User Management

Regarding user management, DirX Access provides various means and integration points to work with existing user populations or user populations that are not managed by DirX Access alone. With respect to managing the accounts of individual end users, DirX Access is considered to be a part of a larger solution. Thus, this section does not consider user management in general but focuses on a specific abstraction required in the user accounts for the operation of the DirX Access authorization services.

Business Roles

Business roles are the key to deploying and maintaining DirX Access effectively. A business role represents a definable job or business function, such as HR staff, sales representative, accounting staff, and so on. Each role has one or more associated access policies, which are aggregations of permissions that allow access to protected resources necessary to accomplish a business function, such as Web pages, Servlets, bean methods, etc.

Once a role is created in the system, the Role Administrator must assign the role to a user or a group. The permissions granted to the role allow the assigned user or group to access resources, and therefore to perform the job responsibilities represented by the role.

The following figure illustrates the relationship between users, groups, roles and resources:

./attachments/att++_++8++_++for++_++109838337
Figure 8. Sample Roles Determine Users’ and Groups’ Access to Resources

For example, a "Payroll Clerk" role may have an associated policy that gives access to the corporate payroll system. Once this role is assigned to a new employee in the accounting department, that employee becomes able to access that payroll system.

Administrative Roles

End users in DirX Access are also assigned with the administrative role “User”.

Auditing and Logging

This section gives a system overview of auditing and logging features. Note that auditing and logging is provided for all system features already considered (authorization, authentication, identity federation, provisioning, administration, user management).

Auditing

Auditing is the process of examining and reviewing the recorded actions taken by system users. Auditing is essential for a security system to determine the effectiveness of existing controls, to monitor for system misuse or abuse by users, to verify compliance with current security policies, to validate that documented procedures are followed, and to detect anomalies or intrusions. Effective auditing requires that appropriate data is recorded in the first place, and that the recorded data be periodically reviewed by authorized personnel. Auditing primarily serves compliance purposes.

In order to provide complete accountability for individual users, the auditing system must be able to identify each authenticated user correctly. This is the primary distinguishing feature of user audit data in comparison to system logs. Log data captured by DirX Access, by contrast, is typically generated by system processes and threads to report significant events or information about the internal state of the system or its components. Logging primarily serves debugging purposes.

For example, when a remote server does not respond, the log message may indicate the failure to reach the server, but will not indicate the user who initiated the connection request. Log data is not directly traceable to specific users or their actions.

By contrast, audit data generated by the DirX Access audit service corresponds directly to the actions taken by identifiable and authenticated users. Actions recorded for each user include:

  • Authentication (who, when, how)

  • Authorization (who, when, what)

  • Session management (session lifetime, idle timeout, etc.)

  • Account and password management (changes, expiration time reached, etc.)

  • Policy management (for example, role, authentication and authorization policy creation, modification, etc.)

  • User management (user and group creation, modification, etc.)

Taken together, all the audit information gathered is sufficient for any later investigation. In a sense, audit data is the complete recorded history of a system user.

Once the audit data is recorded, it must be reviewed on a regular basis in order to maintain effective operational security. Reviewers must watch for events that signify undesired intrusions or misuse of the system and its user privileges, and must plan ways to strengthen the active security measures should it become necessary.

The DirX Access auditing subsystem allows a variety of auditing sinks to be integrated with DirX Access through an externalization interface that is used to drop audit events and that can be implemented by (third-party) auditing sinks.

There is also a default implementation of this externalization interface that is provided off-the-shelf. This default implementation makes use of Log4J and can be configured through the standard Log4J means. Any Log4J appender can be used to handle DirX Access audit data; for example:

  • Console: Prints information to the system console.

  • File: Records information in files on the local file system.

  • Database: Records information in a JDBC database.

  • Syslog: Records information on a UNIX or Linux syslog facility.

  • Remote: Records information using a remote audit sink.

Out-of-the-box DirX Access employs a file-based appender that produces audit files called “audit.log”. By modifying the standard Log4J configuration file log4j.properties, (section “AUDIT APPENDER”) arbitrary Log4J appenders can be deployed for DirX Access audit data. The DirX Access Integration Guide provides details on how to integrate third-party auditing sinks.

Logging

The DirX Access logging service records internal system operations for problem diagnostics and debugging. Recorded information is assigned one of four importance levels: INFO, WARN, DEBUG or ERROR. You can control the amount of information each server generates by restricting its logs to a given type or types.

The DirX Access logging subsystem makes use of Log4J and can be configured through the standard Log4J methods. Any Log4J appender may be used in handling DirX Access logging data; for example:

  • Console: Prints information to the system console.

  • File: Records information in files on the local file system.

  • Database: Records information in a JDBC database.

  • Syslog: Records information on a UNIX or Linux syslog facility.

  • Remote: Records information using a remote audit sinks.

Out-of-the-box DirX Access uses a file-based appender that produces log files called “ server.log” (for log information from com.siemens.dxa packages) and “external.log” (for log information from third-party software packages). By modifying the standard Log4J configuration file “log4j.properties” (section “LOGGING APPENDER”) arbitrary Log4J appenders can be deployed for DirX Access audit data. The DirX Access Integration Guide provides details on how to integrate third-party auditing sinks.