Enterprises that rely on on-premises or cloud Intrusion Detection and Prevention Systems (IDPS) to authenticate users to third-party SaaS apps or internal apps often struggle to implement effective access control or authorization. This opens the door to a growing category of compromise in which authenticated users abuse their access privileges to exfiltrate, modify or erase critical data.

This justification is then propagated in the form of specific permission tuples to the SaaS or internal apps where the access control is enforced.

To implement Just-in-Time access, the initial OIDC token may contain no permission claims at all, or it may contain permission claims that name specific assets such as customer IDs.

The app then only has to verify whether an incoming user holds the permission required to access the specific asset being requested.
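The token-side and app-side halves of this check, as an added example that is not part of the original article and not code from any product it describes. It stands in for the identity provider with a constructed HS256-signed token (a real deployment would verify against the IdP's published keys), assumes an audience named `crm-app`, and assumes asset identifiers of the form `customer:123`; the permission claims are carried as `(action, asset)` tuples, and a token with no permission claims (the "not yet justified" Just-in-Time state) is denied everything.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret for the HS256 stand-in; a real IdP token would be
# RS256/ES256 and verified against the provider's JWKS, not a shared secret.
DEMO_SECRET = b"demo-shared-secret-not-for-production"
DEMO_AUDIENCE = "crm-app"  # assumed app identifier


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, permissions, secret=DEMO_SECRET, ttl=300, now=None):
    """Stand-in for the IdP minting a short-lived JIT OIDC token.

    `permissions` is a list of (action, asset) tuples naming specific assets,
    e.g. [("read", "customer:123")]. An empty list is a valid JIT token that
    carries no permission claims yet.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": "https://idp.example",  # constructed issuer
        "aud": DEMO_AUDIENCE,
        "sub": subject,
        "iat": now,
        "exp": now + ttl,
        "permissions": [{"action": a, "asset": s} for a, s in permissions],
    }
    signing_input = (
        _b64url_encode(json.dumps(header).encode())
        + "." + _b64url_encode(json.dumps(payload).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, secret=DEMO_SECRET, audience=DEMO_AUDIENCE, now=None):
    """Validate algorithm, signature, audience and expiry; return the claims.

    Raises ValueError on any failure so the caller can fail closed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust alg=none
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def is_authorized(claims, action, asset):
    """App-side check: does the token carry a permission tuple for exactly
    this action on exactly this asset? Missing or empty claims deny."""
    for perm in claims.get("permissions", []):
        if perm.get("action") == action and perm.get("asset") == asset:
            return True
    return False


def check_access(token, action, asset, **verify_kwargs):
    """Single entry point for a request handler: invalid token => denied."""
    try:
        claims = verify_token(token, **verify_kwargs)
    except ValueError:
        return False
    return is_authorized(claims, action, asset)


if __name__ == "__main__":
    tok = issue_token("alice", [("read", "customer:123")])
    print("read customer:123 ->", check_access(tok, "read", "customer:123"))
    print("read customer:999 ->", check_access(tok, "read", "customer:999"))
```

The asset-scoped match in `is_authorized` is the point of the design: because the claim names the exact customer ID, the app never has to consult a separate role-to-asset mapping, and a token that was justified for one customer cannot be replayed against another.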
