From: Jan W. <J.W...@cw...> - 2017-01-10 12:16:06
Hi Krzysztof,

Thanks for the answer. Lots of things came in between, but I now got it working. See below.

On 28/12/16 10:26, Krzysztof Benedyczak wrote:
> On 22.12.2016 at 11:36, Jan Wielemaker wrote:
>> I think that means there is something wrong with the config, but I
>> have no clue what.
>
> There are two things to check:
> 1) whether you added the attribute email and cn for jan in group '/A'?
> Or in '/'? See in adminUI whether those are shown in /A group.

So, cn and email were defined in /A. After moving these to /, all works as expected. For now that is enough for me.

> 2) make sure that you have proper authZ setup. User jan must have read
> rights in Unity. See Authorization section in documentation.
>
> And there is also 3rd, unlikely option: you can configure attribute type
> as "local" - then I think it is not visible in HomeUI (but I'd need to
> recheck this).

This was all ok :)

Now for something different. A particular (oauth2) client gets an anonymous identity for my user as "sub". I understand that. Now we want to implement attribute based access control based on the CERIF research data model. This means we need a component that is called by the service and tells the service whether the user with "sub" identifier is allowed to access resource R. The flow I have in mind is this:

- User logs in to service using Unity and wants to access resource R.
- Service asks ABAC (Attribute Based Access Control) whether "sub" is allowed to access R given a set of policies.
- ABAC asks Unity for CfPersID (CERIF person id) of "sub" (optionally for service)
- ABAC applies policies on CERIF data for CfPersID
- ABAC replies access "granted/denied" for R.

So, I think what we need is a (web) API call from the ABAC component that is trusted by the Unity server and that can be used to retrieve the CfPersID attribute from Unity based on the anonymous identity Unity has provided to the service.

Note that we do not want to expose CfPersID to the service as that reveals the true identity of the user. Is this possible, i.e., is there an API that can be used to get info about a Unity user based on the anonymous id provided to some service?

Thanks --- Jan
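A small model of the flow sketched in the message above, added here as an illustration and not code from the thread or from Unity: the service hands the ABAC component only the anonymous "sub" and a resource id, the ABAC component resolves the CfPersID through a trusted lookup (stubbed with a constructed table; a real deployment would call Unity with a credential only the ABAC component holds), evaluates policies over constructed CERIF data, and returns a decision that never contains the CfPersID. All identifiers, attribute names and policies are made up for the example.

```python
from typing import Callable, Dict, List, Optional

# Constructed: the anonymous OAuth2 "sub" Unity issued to a given client,
# mapped to the CfPersID. Only the ABAC component may resolve this mapping.
_UNITY_PSEUDONYMS: Dict[tuple, str] = {
    ("service-A", "sub-7f3a"): "cfPers-0001",
    ("service-A", "sub-9c1e"): "cfPers-0002",
}

# Constructed CERIF data: person attributes and resource attributes.
_CERIF_PERSONS: Dict[str, dict] = {
    "cfPers-0001": {"orgunit": "ou-physics", "role": "pi"},
    "cfPers-0002": {"orgunit": "ou-chemistry", "role": "student"},
}
_CERIF_RESOURCES: Dict[str, dict] = {
    "R-dataset-42": {"owner_orgunit": "ou-physics", "classification": "restricted"},
    "R-dataset-77": {"owner_orgunit": "ou-chemistry", "classification": "public"},
}

# A policy is a predicate over (person attributes, resource attributes).
Policy = Callable[[dict, dict], bool]

def same_orgunit(person: dict, resource: dict) -> bool:
    return person["orgunit"] == resource["owner_orgunit"]

def public_or_pi(person: dict, resource: dict) -> bool:
    return resource["classification"] == "public" or person["role"] == "pi"

POLICIES: List[Policy] = [same_orgunit, public_or_pi]

def lookup_cfpersid(service: str, sub: str) -> Optional[str]:
    """Stand-in for the trusted call to Unity that maps (client, sub) to CfPersID."""
    return _UNITY_PSEUDONYMS.get((service, sub))

def decide(service: str, sub: str, resource_id: str) -> dict:
    """Answer the service's question. The reply carries the decision only, never CfPersID."""
    cfpersid = lookup_cfpersid(service, sub)
    person = _CERIF_PERSONS.get(cfpersid) if cfpersid else None
    resource = _CERIF_RESOURCES.get(resource_id)
    if person is None or resource is None:
        # Fail closed: unknown sub for this client, or unknown resource.
        return {"resource": resource_id, "decision": "denied"}
    granted = all(policy(person, resource) for policy in POLICIES)
    return {"resource": resource_id, "decision": "granted" if granted else "denied"}

if __name__ == "__main__":
    print(decide("service-A", "sub-7f3a", "R-dataset-42"))
    print(decide("service-A", "sub-9c1e", "R-dataset-42"))
```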