December 7

Secure your Shibboleth IdP with Granular Access

minute read

0  comments

Video Transcript: 

00:00 In this video we are going to look at how to use the granular access features in the dashboard. The Granular access features allow you to confidently control what users have access to what content. This then means that you as the identity provider have the power to limit access and perform authorisation decisions, instead of having to rely on the service provider to do that for you.  

00:19 Please note, that to use this feature you have to go to the dashboard admin and enter the statistics settings and set up the group attribute you wish to use. This attribute is defaulted to 'member of'. At the moment as you can see, so first of all we need to add a new rule so we can see some of the other features in action. 

00:38 To add a new rule all we need to do is click 'add new'. This then presents us with a form to fill out. The rule name is simply a recognisable name for this rule so you can call it whatever you want and just use whatever convention works best for you. In this example, we are going to be testing against the UK federation test SP, so for this example, I'm going to set the rule name to UK federation test SP.  

01:01 The entity ID is the entity ID of the service provider or service providers you want this rule to. If you have set any friendly names for any of your resources, you will see them listed here instead of their entity ID. When you click on the entity ID field you are going to see a list appear, this is the list of service providers that have been found in the logs. You can search for the entity ID or for any name just by typing and it will start filtering the list. Or you can scroll the list and click what SPs you want to add. You can add multiple entity IDs just by clicking on them and you can remove them by clicking on the entry that you want to delete and pressing the backspace button. Finally, as you may not have authenticated to the service provider that you want to set the access rule up for, as it may have not been already in the logs to be imported into this list, you can also just type the entity ID in and then press enter. For this test, I'm just going to use the UK federation test SP.  

01:53 We then have two options; we can either choose to deny everybody and only allow certain groups by using the allow groups field or we can allow everybody by default and deny access to specific groups by using the deny groups field. The functionality of the groups both work the same for the allow and deny groups but lets take a look at the allow groups. When I click on the field it functions much the same as the entity ID field, I can scroll the list or type in what I'm searching for. I can also add in multiple groups. The entries from this list are populated from the LDAP or Active Directory attribute that is specified in the statistics settings. For this test, I will only allow VPNOnly accounts to login to the UK federation test SP.  

02:35 And then the final field we have is the comments text field. This is just a standard text field or text box that allows you to enter some notes that may be helpful later. In here I tend to put an explanation for the rule. So, for this example, I'll just put only allow accounts that are in the VPNOnly group access to the UK federation test SP.  

02:55 And then when you have finished filling out all those fields and I'm ready, we can just click save. This then takes you back to the granular access table. Now we have some data in the table we can start looking at the other features;  

03:07 We can download a tax separated export of our rules simply by clicking 'download TSV'. You can then open this up in a spreadsheet programme or text programme, for example, I'm going to use excel. 

03:18 We can easily increase or decrease the amount of entries shown in the table per page by clicking on the dropdown list.  

03:25 We also have a search function which searches over the entity ID, rule name and the allow and deny groups. It will then filter the results so we can easily locate the rule that we are looking for. For this example, I have added two more rules so that we can test the search function properly. If I start typing UK federation, you will see that it filters to the rule that we created earlier. And if I search for EZPZ SP then we can see the EZPZ SP rule that I just added only shows now.  

03:52 You may have also noticed that the column data has clickable data in it. What this means is each column can be edited inline. You can edit any of the data just by clicking on it. If I click on rule name data, in this case, lets click on the test 2, you can see a text box pops up. I can then just edit this data and then click the tick to save. If I wanted to undo the change or didn't want to save the data, I can just click the cross instead. You can also edit the entity IDs, the allow groups, the deny groups and the comments in exactly the same way.  

04:28 At the end of the row we have a tick icon. This allows us to quickly enable or disable this rule. We are just going to quickly try logging into the UK federation test SP. I'll login with my shibboleth account which isn't part of the VPNOnly group. As you can see, I've been denied access to this page. And this page can be themed up to match any specification. Using the tick, I can quickly disable that rule and the changes take effect instantly. Now I have disabled that rule if I try and login again with to the UK federation test SP, I'm going to be allowed access.  

05:01 I then also have the ability to move the rules around using the last icon. You can move the item by clicking and holding the icon and dragging the rule to the location where you want it. It then allows you to move the rule down the order or up the order as rules at the begining of the table have precedence over those that are at the bottom of the table.  

05:19 We then also have the amount of rules and the ability to move to different pages of the table if you have enough entries.  

05:25 Finally if you want to delete a rule or set of rules, you can do this by selecting the check box to the left of the rule or the rules that you want to delete. And then press 'delete selected'. You will then be asked to confirm the deletion. After you have confirmed the delete, you can see that all the rules have now been deleted.  

05:41 If you would like to try and track down the access rules to see what rules are being hit for the user, for example, when I was denied access to the UK federation test SP, you can just go to the log viewer and take a look at the rules that have been applied. And as you can see under the log viewer, the UK federation test SP rule was applied to me, and I was denied access.  


Tags


You may also like