Configuring SAML Authorization Policies

Overview

Authorization is the process of controlling the access granted to users. With authorization policies, you can specify whether an authenticated user is permitted to access a resource or not.

For instance, on a protected resource such as saml.acme.com, you can restrict which users are allowed to access the saml.acme.com/admin page.

Starting with Avi Vantage version 20.1.1, SAML authorization policies are supported.

The following sections describe how to configure an authorization policy with its rules and actions.

SAML Authorization Policies

The diagrammatic representation of SAML authorization flow is as follows:

[Figure: SAML authorization flow]

SAML Authorization Rules

The SAML authorization supports the following match types:

+-------------+------------------------------------------------------------+
| Match Type  | Description                                                |
+-------------+------------------------------------------------------------+
| Attribute   | Attributes that are part of the SAML response from the IDP |
| Path        | URI path of the request                                    |
| Host Header | Host header present in the incoming request                |
| Method      | HTTP request method, for instance GET or POST              |
+-------------+------------------------------------------------------------+

Note: Host header and path matches can be configured to be case sensitive or case insensitive.

The SAML authorization supports the following action types:

+---------------------+-------------------------------------------------------------+
| Action Type         | Description                                                 |
+---------------------+-------------------------------------------------------------+
| allow_access        | Allow access on authorization policy rule match             |
| close_connection    | Close connection on authorization policy rule match         |
| http_local_response | Send HTTP local response on authorization policy rule match |
+---------------------+-------------------------------------------------------------+

Example:

Assume the following scenario:

  1. The aviadmin path should be allowed only for a user with a specific email attribute, say, admin@acme.com.
  2. Only GET requests are allowed for this path.
  3. Only requests carrying the host header admin.acme.com are allowed to access this path.

Access should be allowed only if all of the above conditions are met; otherwise, a 403 response code should be returned to the user.

For the above scenario, the authorization policy configuration is as follows:


+------------------------------+------------------------------------------------+
| Field                        | Value                                          |
+------------------------------+------------------------------------------------+
| uuid                         | ssopolicy-86fb0825-8d1f-45f4-a56b-f8bf8adf9a46 |
| name                         | sso1                                           |
| authentication_policy        |                                                |
|   default_auth_profile_ref   | saml-idp-authz                                 |
| authorization_policy         |                                                |
|   authz_rules[1]             |                                                |
|     name                     | Demo_rule                                      |
|     index                    | 1                                              |
|     enable                   | True                                           |
|     match                    |                                                |
|       attr_matches[1]        |                                                |
|         attribute_name       | email                                          |
|         attribute_value_list |                                                |
|           match_criteria     | EQUALS                                         |
|           match_str[1]       | admin@acme.com                                 |
|       path                   |                                                |
|         match_criteria       | EQUALS                                         |
|         match_case           | INSENSITIVE                                    |
|         match_str[1]         | /aviadmin                                      |
|       host_hdr               |                                                |
|         match_criteria       | HDR_EQUALS                                     |
|         match_case           | INSENSITIVE                                    |
|         value[1]             | admin.acme.com                                 |
|       method                 |                                                |
|         match_criteria       | IS_IN                                          |
|         methods[1]           | HTTP_METHOD_GET                                |
|     action                   |                                                |
|       type                   | ALLOW_ACCESS                                   |
|       status_code            | HTTP_RESPONSE_STATUS_CODE_403                  |
|   authz_rules[2]             |                                                |
|     name                     | Deny_rule                                      |
|     index                    | 2                                              |
|     enable                   | True                                           |
|     match                    |                                                |
|       path                   |                                                |
|         match_criteria       | EQUALS                                         |
|         match_case           | INSENSITIVE                                    |
|         match_str[1]         | /aviadmin                                      |
|     action                   |                                                |
|       type                   | HTTP_LOCAL_RESPONSE                            |
|       status_code            | HTTP_RESPONSE_STATUS_CODE_403                  |
| type                         | SSO_TYPE_SAML                                  |
| tenant_ref                   | admin                                          |
+------------------------------+------------------------------------------------+

Here the rule named Demo_rule is hit only if all of its criteria are met, and access is then allowed.

If any of the criteria in Demo_rule is not met, Deny_rule is hit and access is denied.

You must explicitly define a rule with a deny action (Deny_rule in this case); otherwise, a request that matches no rule is implicitly permitted.

Notes:

  • If there are multiple conditions within a single rule, they are ANDed: all of them must match. Multiple rules are ORed: rules are checked in order of their index, and the action of the first rule that matches is executed.

  • The status_code has a default value of HTTP_RESPONSE_STATUS_CODE_403 and is honored only when the action type is HTTP_LOCAL_RESPONSE. For the other action types, close_connection and allow_access, the status code is ignored.
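The evaluation order and default behaviour described in these notes, as an added Python model (not Avi Vantage code and not taken from the page): rules are tried in index order, every condition inside a rule must hold, the action of the first matching rule is taken, a request that matches no rule is implicitly allowed, and status_code only matters for HTTP_LOCAL_RESPONSE. The Rule class, the request dictionary, the make_request helper and the four sample requests are constructed for this example; attribute matching here uses EQUALS only, and the policy encoded in POLICY is the sso1 example above.

```python
"""Added example: a model of how SAML authorization rules are evaluated.

Constructed for this page; it is not Avi Vantage code and does not reproduce
its internals. It encodes the semantics the page states: conditions inside one
rule are ANDed, rules are tried in index order and the first matching rule's
action is taken, a request matching no rule is implicitly allowed, and
status_code is honored only for HTTP_LOCAL_RESPONSE. Field names mirror the
page's configuration table; the request dictionary is a constructed stand-in.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    index: int
    action_type: str                          # ALLOW_ACCESS, CLOSE_CONNECTION, HTTP_LOCAL_RESPONSE
    enable: bool = True
    attrs: dict = field(default_factory=dict)  # attribute_name -> expected value (EQUALS)
    path: Optional[str] = None                # path: match_criteria EQUALS, match_case INSENSITIVE
    host_hdr: Optional[str] = None            # host_hdr: HDR_EQUALS, match_case INSENSITIVE
    methods: Optional[set] = None             # method: IS_IN
    status_code: int = 403                    # page default HTTP_RESPONSE_STATUS_CODE_403

    def matches(self, req: dict) -> bool:
        """All configured conditions must hold (AND within a rule)."""
        for name, want in self.attrs.items():
            # A SAML attribute may carry several values; one equal value suffices.
            if want not in req["attributes"].get(name, []):
                return False
        if self.path is not None and req["path"].lower() != self.path.lower():
            return False
        if self.host_hdr is not None and req["host"].lower() != self.host_hdr.lower():
            return False
        if self.methods is not None and req["method"] not in self.methods:
            return False
        return True


def evaluate(rules: list, req: dict) -> tuple:
    """Return (rule_name, action_type, status_code) for the first matching rule
    in index order. With no match the result is (None, "ALLOW_ACCESS", None):
    the page states that access is implicitly permitted in that case."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.enable and rule.matches(req):
            # status_code is meaningful only for a local response.
            code = rule.status_code if rule.action_type == "HTTP_LOCAL_RESPONSE" else None
            return rule.name, rule.action_type, code
    return None, "ALLOW_ACCESS", None


# The page's sso1 policy: Demo_rule allows, Deny_rule blocks everything else on /aviadmin.
POLICY = [
    Rule("Demo_rule", 1, "ALLOW_ACCESS", attrs={"email": "admin@acme.com"},
         path="/aviadmin", host_hdr="admin.acme.com", methods={"GET"}),
    Rule("Deny_rule", 2, "HTTP_LOCAL_RESPONSE", path="/aviadmin"),
]


def make_request(email: str, method: str, path: str, host: str) -> dict:
    """Constructed request carrying the SAML attributes the IDP asserted."""
    return {"attributes": {"email": [email]}, "method": method, "path": path, "host": host}


if __name__ == "__main__":
    cases = [
        make_request("admin@acme.com", "GET", "/aviadmin", "admin.acme.com"),   # all conditions met
        make_request("admin@acme.com", "POST", "/aviadmin", "admin.acme.com"),  # wrong method
        make_request("bob@acme.com", "GET", "/AVIADMIN", "ADMIN.acme.com"),     # wrong email, mixed case
        make_request("bob@acme.com", "GET", "/public", "www.acme.com"),         # no rule matches
    ]
    for req in cases:
        print(req["method"], req["path"], "->", evaluate(POLICY, req))
```

Running the block evaluates the four constructed requests against the sso1 policy. The last case, a request for /public that matches neither rule, is allowed without any rule being hit; that is the implicit-permit behaviour the page describes and the reason Deny_rule is configured explicitly for /aviadmin. The third case also shows that the mixed-case path and host header still hit Deny_rule because both matches are case insensitive.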

Configuring Authorization Policy with Corresponding Rules and Actions

This section shows the different kinds of matches with example configurations. You can choose one or more criteria depending on the use case or requirement.

The following are the steps to configure SAML authorization policies:

  1. Attach the auth profile, which contains the IDP metadata, to the authentication policy. In this example, the configured auth profile is saml-idp-authz.
    For more details on the authentication profile, refer to the SAML Configuration on Avi Vantage user guide.

    
     [admin:controller]: > configure ssopolicy ssopolicy1
     [admin:controller]: ssopolicy> authentication_policy default_auth_profile_ref saml-idp-authz 
     [admin:controller]: ssopolicy:authentication_policy> save   
  2. Navigate to the authorization policy mode.
     [admin:controller]: ssopolicy> authorization_policy
  3. Under the authorization policy, you can configure multiple authorization rules ordered by index. The following example creates an authorization rule named rule1.

     [admin:controller]: ssopolicy:authorization_policy> authz_rules name rule1
     New object being created
     [admin:controller]: ssopolicy:authorization_policy:authz_rules> 
  4. Choose the match criteria for the authorization rule as described in the match table above. In the following example, attr_matches is used as the match criterion.
    attr_matches
    
     [admin:controller]: ssopolicy:authorization_policy:authz_rules> match 
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match> attr_matches 
     New object being created 
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:attr_matches>
     attribute_name         Attribute name whose values will be looked up in the access lists. 
     attribute_value_list   (submode)  

    Attribute matches compare the attributes and values in the SAML assertion against the configured attributes and their values.

    A SAML assertion attribute can have zero or more values. You can configure multiple attributes and values in each rule; the rule matches only if all of the configured attributes match.

    A match can be either positive or negative.

    • Positive Match — BEGINS_WITH, CONTAINS, ENDS_WITH, EQUALS, REGEX_MATCH

    • Negative Match — DOES_NOT_BEGIN_WITH, DOES_NOT_CONTAIN, DOES_NOT_END_WITH, DOES_NOT_EQUAL, REGEX_DOES_NOT_MATCH

    A positive attribute match is satisfied if the attribute is present in the assertion and at least one of its values matches an entry in the configured value list.

    A negative attribute match is satisfied if the attribute is absent from the assertion, or if all of its values negatively match the configured value list.

    
      [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:attr_matches> attribute_name  email
      [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:attr_matches> attribute_value_list
      [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:attr_matches:attribute_value_list> match_str abc@xyz.com 
      [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:attr_matches:attribute_value_list> 
      [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:attr_matches:attribute_value_list> match_criteria begins_with  
      [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:attr_matches:attribute_value_list> save 
      [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:attr_matches> save 
      [admin:controller]: ssopolicy:authorization_policy:authz_rules:match>
  5. You can match multiple attributes in the same rule by configuring multiple attribute matches under it, as follows:
    
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match> attr_matches
     New object being created
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:attr_matches> attribute_name firstname 
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:attr_matches> attribute_value_list match_criteria equals match_str abc 
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:attr_matches:attribute_value_list> save 
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:attr_matches> save 
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match> 
  6. Based on the above steps, the match configuration is as follows:
    
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match> where
     Tenant: admin
     Cloud: Default-Cloud
     +------------------------+-------------+
     | Field                  | Value       |
     +------------------------+-------------+
     | attr_matches[1]        |             |
     |   attribute_name       | email       |
     |   attribute_value_list |             |
     |     match_criteria     | BEGINS_WITH |
     |     match_str[1]       | abc@xyz.com |
     | attr_matches[2]        |             |
     |   attribute_name       | firstname   |
     |   attribute_value_list |             |
     |     match_criteria     | EQUALS      |
     |     match_str[1]       | abc         |
     +------------------------+-------------+
     

    Host Header

  7. You can add more conditions to be matched in the same rule; for instance, add a condition on the host header:

    
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match> host_hdr
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:host_hdr> match_criteria hdr_
     hdr_begins_with           header value begins with the configure value(s)
     hdr_contains              header value contains configured value(s)
     hdr_does_not_begin_with   header value does not begins with the configure value(s)
     hdr_does_not_contain      header value  does not contains configured value(s)
     hdr_does_not_end_with     header value does not ends with the configured value(s)
     hdr_does_not_equal        header value does not equals the configured value(s)
     hdr_does_not_exist        header does not exist in the HTTP request
     hdr_ends_with             header value ends with the configured value(s)
     hdr_equals                header value equals the configured value(s)
     hdr_exists                header exists in the HTTP request
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:host_hdr> match_criteria hdr_begins_with
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:host_hdr> value abc.xyz.com
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:host_hdr> save
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match>

    Http Methods

  8. Add another condition, if required, on the HTTP method:

    
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match> method
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:method> match_criteria is_in
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:method> methods http_method_
     http_method_connect     HTTP connect method
     http_method_copy        HTTP COPY method
     http_method_delete      HTTP delete method
     http_method_get         HTTP get method
     http_method_head        HTTP head method
     http_method_lock        HTTP LOCK method
     http_method_mkcol       HTTP MKCOL method
     http_method_move        HTTP MOVE method
     http_method_options     HTTP options method
     http_method_patch       HTTP PATCH method
     http_method_post        HTTP post method
     http_method_propfind    HTTP PROPFIND method
     http_method_proppatch   HTTP PROPPATCH method
     http_method_put         HTTP put method
     http_method_trace       HTTP trace method
     http_method_unlock      HTTP UNLOCK method
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:method> methods http_method_get
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:method> save
     

    Path

  9. Match the path against a string group or a list of string values. The path match can be configured to be case sensitive and supports a list of matching operations; the following example uses begins_with:

    
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match> path
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:path>
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:path> match_criteria begins_with
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:path> string_group_refs System-Cacheable-Resource-Types
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:path> match_str /acme
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match:path> save
     [admin:controller]: ssopolicy:authorization_policy:authz_rules:match> save
     [admin:controller]: ssopolicy:authorization_policy:authz_rules>
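The positive and negative attribute-match semantics described in step 4, as an added Python model that is not Avi Vantage code: a positive criterion needs the attribute to be present with at least one matching value, a negative criterion is satisfied when the attribute is absent or when every value fails the corresponding positive test, and all attr_matches of a rule are ANDed. The ASSERTION dictionary with its multi-valued groups attribute and missing department attribute is constructed for the example; RULE1_ATTRS mirrors the email and firstname conditions configured in steps 4 and 5. The criteria names are the ones listed on the page; the interpretation that a negative criterion with several configured strings requires every value to fail against every string is an assumption of this model.

```python
"""Added example: attribute matching against a SAML assertion.

Constructed for this page; not Avi Vantage code. Assertion attributes are
modeled as a dict of name -> list of values, which is how multi-valued SAML
attributes arrive. attr_match() implements one attr_matches entry
(attribute_name plus an attribute_value_list with match_criteria and
match_str); rule_attrs_match() ANDs all entries of a rule.
"""
import re

# Positive criteria listed on the page; each takes (assertion value, configured string).
POSITIVE = {
    "BEGINS_WITH": lambda v, s: v.startswith(s),
    "CONTAINS": lambda v, s: s in v,
    "ENDS_WITH": lambda v, s: v.endswith(s),
    "EQUALS": lambda v, s: v == s,
    "REGEX_MATCH": lambda v, s: re.search(s, v) is not None,
}
# Each negative criterion is the complement of its positive counterpart.
NEGATIVE = {
    "DOES_NOT_BEGIN_WITH": "BEGINS_WITH",
    "DOES_NOT_CONTAIN": "CONTAINS",
    "DOES_NOT_END_WITH": "ENDS_WITH",
    "DOES_NOT_EQUAL": "EQUALS",
    "REGEX_DOES_NOT_MATCH": "REGEX_MATCH",
}


def attr_match(assertion: dict, attribute_name: str, match_criteria: str, match_str: list) -> bool:
    """Evaluate one attr_matches entry against the assertion."""
    values = assertion.get(attribute_name) or []
    if match_criteria in POSITIVE:
        if not values:
            return False                  # positive match needs the attribute present
        test = POSITIVE[match_criteria]
        return any(test(v, s) for v in values for s in match_str)
    if match_criteria in NEGATIVE:
        if not values:
            return True                   # absent attribute satisfies a negative match
        test = POSITIVE[NEGATIVE[match_criteria]]
        # Assumption of this model: every value must fail against every configured string.
        return all(not test(v, s) for v in values for s in match_str)
    raise ValueError(f"unknown match_criteria {match_criteria}")


def rule_attrs_match(assertion: dict, attr_matches: list) -> bool:
    """All attr_matches entries of a rule must match (AND within a rule)."""
    return all(attr_match(assertion, name, crit, strs) for name, crit, strs in attr_matches)


# Constructed assertion: single-valued email/firstname, a multi-valued groups
# attribute, and no department attribute at all.
ASSERTION = {
    "email": ["abc@xyz.com"],
    "firstname": ["abc"],
    "groups": ["staff", "contractors"],
}

# The two attribute conditions configured for rule1 in steps 4 and 5.
RULE1_ATTRS = [
    ("email", "BEGINS_WITH", ["abc@xyz.com"]),
    ("firstname", "EQUALS", ["abc"]),
]

if __name__ == "__main__":
    print("rule1 attrs match:", rule_attrs_match(ASSERTION, RULE1_ATTRS))
    print("groups EQUALS contractors:", attr_match(ASSERTION, "groups", "EQUALS", ["contractors"]))
    print("groups DOES_NOT_EQUAL contractors:", attr_match(ASSERTION, "groups", "DOES_NOT_EQUAL", ["contractors"]))
    print("department DOES_NOT_CONTAIN sales:", attr_match(ASSERTION, "department", "DOES_NOT_CONTAIN", ["sales"]))
```

The groups cases are the ones worth reading closely: EQUALS contractors matches because one of the two values equals the configured string, while DOES_NOT_EQUAL contractors fails for the same reason, since a negative match requires all values to miss. The department case shows that a negative criterion on an attribute the IDP never sent is satisfied, so a rule built only from negative attribute matches will also match assertions that lack the attribute entirely.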
     

Configuring Action

You can configure any action listed in the action table above. In the following example, the action type http_local_response is used with the status code http_response_status_code_403 to send a 403 response to the user.


[admin:controller]: ssopolicy:authorization_policy:authz_rules> action
[admin:controller]: ssopolicy:authorization_policy:authz_rules:action>
status_code   HTTP status code to use for local response when a policy rule is matched.
type          Defines the action taken when an authorization policy rule is matched.By default, access is allowed to the requested resource.
watch         Watch a given show command
where         Display the in-progress object
[admin:controller]: ssopolicy:authorization_policy:authz_rules:action> type http_local_response
[admin:controller]: ssopolicy:authorization_policy:authz_rules:action> status_code http_response_status_code_403
[admin:controller]: ssopolicy:authorization_policy:authz_rules:action> save   
[admin:controller]: ssopolicy:authorization_policy:authz_rules> index 1
[admin:controller]: ssopolicy:authorization_policy:authz_rules> save
[admin:controller]: ssopolicy:authorization_policy> save
[admin:controller]: ssopolicy> save

The following is the SSO policy configuration based on the above-mentioned configuration steps:


+------------------------------+------------------------------------------------+
| Field                        | Value                                          |
+------------------------------+------------------------------------------------+
| uuid                         | ssopolicy-16fc1b04-f635-439b-97a4-a3890dead864 |
| name                         | ssopolicy1                                     |
| authentication_policy        |                                                |
|   default_auth_profile_ref   | saml-idp-authz                                 |
| authorization_policy         |                                                |
|   authz_rules[1]             |                                                |
|     name                     | rule1                                          |
|     index                    | 1                                              |
|     enable                   | True                                           |
|     match                    |                                                |
|       attr_matches[1]        |                                                |
|         attribute_name       | email                                          |
|         attribute_value_list |                                                |
|           match_criteria     | BEGINS_WITH                                    |
|           match_str[1]       | abc@xyz.com                                    |
|       attr_matches[2]        |                                                |
|         attribute_name       | firstname                                      |
|         attribute_value_list |                                                |
|           match_criteria     | EQUALS                                         |
|           match_str[1]       | abc                                            |
|       path                   |                                                |
|         match_criteria       | BEGINS_WITH                                    |
|         match_case           | INSENSITIVE                                    |
|         match_str[1]         | /acme                                          |
|         string_group_refs[1] | System-Cacheable-Resource-Types                |
|       host_hdr               |                                                |
|         match_criteria       | HDR_BEGINS_WITH                                |
|         match_case           | INSENSITIVE                                    |
|         value[1]             | abc.xyz.com                                    |
|       method                 |                                                |
|         match_criteria       | IS_IN                                          |
|         methods[1]           | HTTP_METHOD_GET                                |
|     action                   |                                                |
|       type                   | HTTP_LOCAL_RESPONSE                            |
|       status_code            | HTTP_RESPONSE_STATUS_CODE_403                  |
| type                         | SSO_TYPE_SAML                                  |
| tenant_ref                   | admin                                          |
+------------------------------+------------------------------------------------+