Important

This document in a DRAFT. The information contained herein is subject to change.

Introduction#

Attribute mapping policies allow you to integrate with Rackspace identity federation without having to make significant configuration changes to your identity provider. An attribute mapping policy provides a declarative means of extracting and transforming information produced by your identity system so that it may seamlessly inter-operate with Rackspace.

This document describes the attribute mapping policy language in detail. It is intended as a guide to assist in the writing of mapping policies as well as a reference for the features of the policy language.

Technology Background#

In order to write attribute mapping policies you should have a basic understanding of the following technologies:

SAML 2.0
The Security Assertion Markup Language is an OASIS Standard for defining XML-encoded assertions about authentication, authorization, and related attributes. A basic understanding of the SAML protocol is required, although this document concentrates solely on SAML Responses and SAML Assertions.
XPath 2.0
XPath is a W3C standard expression language for extracting information from structured data. The language is designed to be embedded in a host language and it is used in this way by the mapping policy language. The datatypes and function libraries defined by the XPath standard are used in other policy languages such as XACML. In most cases, only basic understanding of XPath is required, see XPath Basics for a quick overview.
YAML 1.1
YAML is a simple data serialization language that is designed to be human friendly. YAML is very similar to JSON but allows for useful features such as comments and the ability to easily input multi-line data. Attribute mapping policies are written in YAML, see YAML Basics for a quick overview.

What is Attribute Mapping?#

Your identity provider contains information about every user in your organization. For example, it maintains that Jane Doe is a development manager whose username is janed. Jane’s email address is janed@widgets.com, and as a development manager she is a member of the engineering, managers, and linux_user groups. Additionally, Jane is managing the widgets_ui project.

When Jane logs into Rackspace your organization’s identity provider submits to Rackspace a cryptographically signed SAML response that contains (among other things) the attributes described above. Rackspace (the service provider) needs these attributes in order to grant Jane access to Rackspace services.

Attribute mapping allows the extraction and transformation of the attributes in the SAML response so they can be processed by Rackspace. There are three major reasons why attribute mapping is required:

Attribute Name Alignment#

Rackspace expects that Jane’s email is supplied in an attribute named email, but your organization’s identity provider by default submits a user’s email in an attribute named mail. This is not an atypical situation because several competing standards exist for attribute names. In this case the attribute mail must be mapped to the attribute email.

The mapping is simple and can be summarized as follows:

mailemail

Role and Group Alignment#

The groups engineering, managers, and linux_user are entirely meaningless to Rackspace. Rackspace organizes its roles according to the services it provides. For example, the nova:admin role grants administration access to our OpenStack compute service and the ticketing:observer role grants view only access to Rackspace tickets.

In this case, we want the managers group to map to the ticketing:admin role because any manager should be able to create and edit tickets. We also want to map managers to the billing:observer role because all managers can see invoices. Additionally, we want to map the linux_user group to nova:observer because all linux users should be able to query the Compute API.

The mapping described above can be summarized as follows:

managersticketing:admin, billing:observer

linux_usernova:observer

Implementation of Access Policies#

The mapping above is fairly simple. All users in the managers group will obtain the ticketing:admin and billing:observer roles. Unfortunately, things are often more complicated than this. For example, some managers are actually contractors, and contractors should not be allowed to view invoices so these contractors should not receive the billing:observer role. You can tell that a user is a contractor by looking at membership in the contractors group.

Additionally, there are separate Rackspace accounts for each project managed by a manager. A manager involved with the widgets_ui project should have full administrator rights (via the admin role) to account 777654—which is the account associated with that project. The identity provider passes an attribute named manager_projects that contains the list of all of the projects managed by a user.

There are two other projects to consider: widgets_moble is associated with account 887655, and widgets_platform which should have admin access to account 779966.

Note that by performing this mapping, you are implementing an access policy that is executed whenever a user logs in. As long as relevant information is provided by the identity provider in a SAML response you can implement similar policies for your organization.

The mapping rules above can be summarized as follows:

managersticketing:admin, billing:observer unless the user is also a member of contractors.

manager_projects contains widgets_uiadmin on 777654

manager_projects contains widgets_mobleadmin on 887655

manager_projects contains widgets_platformadmin on 779956

Mapping Policy for Widget.com#

The following attribute mapping policy implements the rules described in the previous section. The rest of this document provides a guide for writing such polices.

Mapping policy for Widget.com#
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
---
mapping:
  version: RAX-1
  description: |-
    The following is an attribute mapping for Widgets.com.   
  rules:
  - local:
      user:
        domain: "{D}"
        name: "{D}"
        email: "{At(mail)}"
        roles: "{0}"
        expire: "{D}"
    remote:
      - multiValue: true
        path: |-
             (:
                The following describes the rules for assigning roles to
                users.
             :)
              for $group in mapping:get-attributes('groups') return
                  (:
                    If a user is a manager they get ticketing:admin,
                    If they are not a contractor then they also get billing:observer
                    Managers become admin based on the project that they are working
                    on
                  :)
                if ($group = 'managers') then
                     (
                      'ticketing:admin',
                      if (not(mapping:get-attributes('groups')='contractors')) then 'billing:observer' else
                      (),
                      for $project in mapping:get-attributes('manager_projects') return
                      (
                         if ($project = 'widgets_ui')       then 'admin/777654' else
                         if ($project = 'widgets_mobile')   then 'admin/887655' else
                         if ($project = 'widgets_platform') then 'admin/779956' else
                         ()
                      )
                     ) else
                (:
                   If a user is a member of the linux_user group they get the
                   nova:observer role.
                :)
                if ($group = 'linux_user') then 'nova:observer' else
                ()

Important

This document in a DRAFT. The information contained herein is subject to change.