Sunday, 20 July 2014

Externalise authorization in your Axway API Gateway

This post shows how Axway API Gateway and ViewDS Access Sentinel integrate, giving API Gateway users the flexibility of XACML and the ability to perform fine-grained, attribute based access control.

API security breaches can cause brand damage, revenue loss and compliance penalties. Axway API Gateway provides comprehensive API security and pre-built identity management integrations, including the ability to integrate with XACML 3.0 authorization servers such as ViewDS Access Sentinel.

Complicated authorization policies can be moved out of the Axway policy configuration and into a dedicated Access Sentinel server. Because Access Sentinel is a purpose-built policy decision point, policies are easier to manage and change there, and it scales better when complex authorization rules have to be evaluated for every request.

Components
A simple example of where Access Sentinel can be used with API Gateway is authorizing a client's access to an API.

Axway API Gateway is a next-generation technology that enables enterprises to standardize the API development and delivery capabilities required to provide business services via cloud, mobile and partner channels. Encapsulating application gateway, cloud service broker and identity middleware functionality in a unified platform, it provides an agile API environment that leverages existing back-end applications, services and data to help speed time-to-market for new business services while ensuring high security, performance and availability. 

ViewDS Access Sentinel is an authorization server designed to let third party applications externalize their authorization decision-making. It is an XACML 3.0 standards-based solution that manages authorization policies centrally, so the applications that rely on it are faster to build, easier to maintain and safer to use.

Access Sentinel can be invoked from within your API Gateway at any stage throughout your policy processing. 

XACML PEP Filter
To begin, locate the XACML PEP authorization filter and place it into your policy. 


XACML PEP Filter Configuration
XACML Version
Select XACML version 3.0.

XACML Attributes
Add the desired attributes to the request. For example:
Add the authenticated user's username as the subject identifier
Add the requested URI as the resource identifier
Add the HTTP verb as the action identifier

XACML Response
Require a Permit decision for processing to continue down the Success Path. XACML 3.0 also defines Deny, NotApplicable and Indeterminate decisions; none of these should be treated as permission, so anything other than Permit must take the failure path.

Routing
Next, supply the URL on which Access Sentinel offers its authorization service. By default, Access Sentinel listens on port 3009. Because the request carries the authenticated user's identity and the decision controls access, use an HTTPS URL outside of a lab environment.
Advanced
The advanced settings of the XACML PEP filter allow aspects of the SOAP message to be configured. In this example we follow the SAML 2.0 Profile of XACML 3.0: the transport is SOAP 1.1 and the XACML authorization request is encapsulated within an XACMLAuthzDecisionQuery.


When you click Finish, the XACML PEP filter is configured and can be used within your API policy.

In this example, we've configured the XACML PEP filter to send Access Sentinel an authorization request stating that a specific user is attempting to access a URI with a specific HTTP verb (e.g. POST, GET). Access Sentinel responds with an authorization decision (Permit or Deny) based on its authorization policies and any additional information it holds about the subject and resource. Since Access Sentinel already maintains information about users and resources, it can use that information directly when making a decision, saving you the time and effort of fetching it from external data sources within your API policy and hand-crafting the access control logic yourself.
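As an added example, not part of the original post and not Axway's or ViewDS's code, the Python below does by hand what the filter configuration above does: it builds the XACML 3.0 Request for the three attributes (subject-id, resource-id and action-id, using the standard XACML identifiers), wraps it in an XACMLAuthzDecisionQuery inside a SOAP 1.1 envelope, and evaluates the reply fail-closed. The SAML-profile namespace URIs and the constructed sample reply are assumptions to be checked against your Access Sentinel instance; the example sends nothing over the network. Values go in through ElementTree rather than string formatting, so a username that contains markup cannot inject extra attributes into the request.

```python
# Added example (not from the original post, Axway or ViewDS): build the
# XACML 3.0 authorization request that the PEP filter sends, wrapped in a
# SOAP 1.1 XACMLAuthzDecisionQuery, and evaluate the PDP's answer fail-closed.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
# Namespaces of the SAML 2.0 profile of XACML 3.0 (assumed; verify against your PDP).
XACML_SAMLP = "urn:oasis:names:tc:xacml:3.0:profile:saml2.0:v2:schema:protocol"
XACML_SAML = "urn:oasis:names:tc:xacml:3.0:profile:saml2.0:v2:schema:assertion"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
XSD_ANYURI = "http://www.w3.org/2001/XMLSchema#anyURI"

# Standard Category / AttributeId / DataType for the three attributes the post maps:
# username -> subject-id, requested URI -> resource-id, HTTP verb -> action-id.
ATTRS = [
    ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
     "urn:oasis:names:tc:xacml:1.0:subject:subject-id", XSD_STRING),
    ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
     "urn:oasis:names:tc:xacml:1.0:resource:resource-id", XSD_ANYURI),
    ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
     "urn:oasis:names:tc:xacml:1.0:action:action-id", XSD_STRING),
]

for prefix, ns in (("soapenv", SOAP11), ("xacml", XACML), ("xacml-samlp", XACML_SAMLP)):
    ET.register_namespace(prefix, ns)


def build_authz_query(username, uri, verb, issue_instant=None):
    """Return the SOAP 1.1 message (bytes) carrying an XACMLAuthzDecisionQuery.

    Values are set through ElementTree rather than string formatting, so a
    hostile username such as '</AttributeValue><Attribute ...' is escaped
    instead of becoming extra attributes in the request.
    """
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    env = ET.Element(f"{{{SOAP11}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP11}}}Body")
    query = ET.SubElement(body, f"{{{XACML_SAMLP}}}XACMLAuthzDecisionQuery", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": issue_instant, "ReturnContext": "false"})
    req = ET.SubElement(query, f"{{{XACML}}}Request",
                        {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    for (category, attr_id, datatype), value in zip(ATTRS, (username, uri, verb)):
        attrs = ET.SubElement(req, f"{{{XACML}}}Attributes", {"Category": category})
        attr = ET.SubElement(attrs, f"{{{XACML}}}Attribute",
                             {"AttributeId": attr_id, "IncludeInResult": "false"})
        ET.SubElement(attr, f"{{{XACML}}}AttributeValue", {"DataType": datatype}).text = value
    return ET.tostring(env, encoding="utf-8")


def request_attributes(soap_query):
    """Map AttributeId -> value for every Attribute in a query (used to check the wiring)."""
    root = ET.fromstring(soap_query)
    out = {}
    for attr in root.iter(f"{{{XACML}}}Attribute"):
        value = attr.find(f"{{{XACML}}}AttributeValue")
        out[attr.get("AttributeId")] = value.text if value is not None else None
    return out


def extract_decisions(soap_response):
    """Collect every XACML Decision, however the SAML/SOAP wrapper nests it."""
    root = ET.fromstring(soap_response)
    return [(d.text or "").strip() for d in root.iter(f"{{{XACML}}}Decision")]


def is_permitted(soap_response):
    """Fail closed: only exactly one 'Permit' grants access. Deny, NotApplicable,
    Indeterminate, a missing Decision, several Results or unparsable XML all deny."""
    try:
        decisions = extract_decisions(soap_response)
    except ET.ParseError:
        return False
    return decisions == ["Permit"]


def sample_response(decision):
    """Constructed sample of a PDP reply (not a captured Access Sentinel message)."""
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP11}"><soapenv:Body>
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0"
      IssueInstant="2014-07-20T00:00:00Z">
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0"
        IssueInstant="2014-07-20T00:00:00Z">
      <xacml-saml:XACMLAuthzDecisionStatement xmlns:xacml-saml="{XACML_SAML}">
        <xacml:Response xmlns:xacml="{XACML}"><xacml:Result>
          <xacml:Decision>{decision}</xacml:Decision>
        </xacml:Result></xacml:Response>
      </xacml-saml:XACMLAuthzDecisionStatement>
    </saml:Assertion>
  </samlp:Response>
</soapenv:Body></soapenv:Envelope>"""


if __name__ == "__main__":
    print(build_authz_query("alice", "https://api.example.com/orders", "POST").decode())
    print("Permit ->", is_permitted(sample_response("Permit")))
    print("NotApplicable ->", is_permitted(sample_response("NotApplicable")))
```

The check accepts only a single Permit: Deny, NotApplicable and Indeterminate all end up on the failure path, which is what the filter's "Permit required" setting should give you in the gateway. The hostname, URI and username are placeholders; in a real PEP the message would be POSTed to the Access Sentinel URL configured in the Routing step.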