1 votes

I'm currently testing WSO2 Identity Server. I have a second question.

Well, I have an app with SAML authentication configured: can I manage user access based on role?

I didn't see in the manager how to limit access to some webapps based on role.

In my setup every user declared in a store can connect to the application...

Well, I tried to do some XACML... but without success (moreover, my webapp doesn't support the XACML protocol, so WSO2 IS must block the user at login time).

I have tried to configure xacml without success...


1 Answer

2 votes

Simple answer - No.

Longer answer - WSO2 IS does authentication, but not authorization (for the web users). Effectively - you cannot restrict user access to a specific SP during authentication. How to overcome it - we pass the user roles (groups) as a claim to the service provider (application), and the service provider needs to do proper authorization based on the roles.

XACML is a way for an external application to make authorization decisions. The application calls a web service (EntitlementService) with a subject (user), a resource (service) and an action (the client can also provide additional information with the request), and the entitlement engine evaluates the XACML policies (rules) and responds with Permit, Deny or I don't care.
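The SP-side role check the answer describes, as an added example that is not code from this thread or from WSO2 IS: it reads the role claim from a SAML assertion's AttributeStatement and admits the user only if one of their roles is on the application's allow-list. It assumes the attribute name is WSO2's role claim URI `http://wso2.org/claims/role`, that WSO2 IS may emit several roles as one comma-separated value, and that the SAML library has already verified the Response signature; the sample assertions are constructed.

```python
# Added example: SP-side authorization on the SAML role claim (not code from the thread or WSO2 IS).
# Assumes the SAML Response signature was already verified by the SP's SAML library;
# attributes from an unverified assertion must never be trusted.
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production (XXE-safe)

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "http://wso2.org/claims/role"  # assumed: WSO2 IS role claim URI


def roles_from_assertion(assertion_xml: str) -> set[str]:
    """Collect role names from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    roles: set[str] = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            # Handle both one AttributeValue per role and a single comma-separated value
            # (assumption: WSO2 IS commonly emits multi-valued claims the second way).
            for role in (value.text or "").split(","):
                if role.strip():
                    roles.add(role.strip())
    return roles


def authorize(assertion_xml: str, allowed_roles: set[str]) -> bool:
    """Admit the user only if at least one of their roles is on the app's allow-list."""
    return not roles_from_assertion(assertion_xml).isdisjoint(allowed_roles)


# Constructed sample assertions (not real WSO2 output).
ALICE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://wso2.org/claims/role">
      <saml:AttributeValue>Internal/everyone,finance-app-user</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

BOB = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_b1" Version="2.0">
  <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
</saml:Assertion>"""  # no AttributeStatement at all: must be denied, not crash

if __name__ == "__main__":
    for name, xml in (("alice", ALICE), ("bob", BOB)):
        print(name, "allowed" if authorize(xml, {"finance-app-user"}) else "denied")
```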