Skip to content

Commit da458a6

Browse files
pdtoalpdtoal
committed
amended after review
1 parent 25e7e25 commit da458a6

File tree

1 file changed

+18
-18
lines changed
  • security/security-design/shared-assets/iam-mfa-bypass-svc-accts

1 file changed

+18
-18
lines changed

security/security-design/shared-assets/iam-mfa-bypass-svc-accts/README.md

Lines changed: 18 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ One common use case is when using an OCI IAM account as a service account to cal
88

99
Whilst the recommended approach is to always use OAUTH authentication, there are situations where this can't be used and BASIC authentication must be used instead. If MFA is enabled on that user account, then BASIC authentication cannot be used as the REST endpoint returns a 401 Unauthorised status code.
1010

11-
In this tutorial, I will show you how to configure OCI IAM sign-on policies to bypass MFA for specific accounts accessing specific resources/applications. My use case is to enable a client (which only supports BASIC authentication) to call a deployed integrations REST endpoint on OIC.
11+
This tutorial will show you how to configure OCI IAM sign-on policies to bypass MFA for specific accounts accessing specific resources/applications. The use case is to enable a client (which only supports BASIC authentication) to call a deployed integrations REST endpoint on OIC.
1212

1313
> ***Note*** MFA should only be disabled for specific users and for specific use cases, such as the one described above. As best practice, MFA should be enabled and enforced for all users.
1414
@@ -22,37 +22,37 @@ In this tutorial, I will show you how to configure OCI IAM sign-on policies to b
2222

2323
# Testing User Authentication
2424

25-
My use case assumes that there is a sign-on policy configured within OCI IAM that enforces MFA for your users (including your test user) and therefore your users get challenged for MFA when they access OIC.
25+
This use case assumes that there is a sign-on policy configured within OCI IAM that enforces MFA for your users (including your test user) and therefore your users get challenged for MFA when they access OIC.
2626

27-
Let's test this by logging into the OIC service console as our test user...
27+
Let's first test this by logging into the OIC service console as our test user (Marty McFly)...
2828

2929
![MFA Login.](images/mfa-for-oic.gif "MFA Login.")
3030

31-
Now that we know MFA is being enforced for our test user (Marty McFly), we can show that we are unable to call an OIC integration endpoint using basic authentication. The screenshot below show the 401 Unauthorised status code being returned by Postman.
31+
Now that we know MFA is being enforced for our test user, we can show that we are unable to call an OIC integration endpoint using basic authentication. The screenshot below show the 401 Unauthorised status code being returned by Postman.
3232

3333
![401 Unauthorised.](images/oic-endpoint-401.png "401 Unauthorised.")
3434

3535
# Amending the Sign-On Policy
3636

37-
To allow my service account to be able to call the REST API, I need to make a change to the OCI IAM sign-on policy so that MFA can be bypassed for my service account (marty.mcfly) when accessing the OIC application.
37+
To allow the service account to be able to call the REST API, changes need to be made to the OCI IAM sign-on policy so that MFA can be bypassed for the service account (marty.mcfly) when accessing the OIC application.
3838

39-
> ***Note*** I don't want to disable MFA for my service account for all applications as that introduces unnecessary risk. Therefore, I will only disable MFA for my service account for my OIC application.
39+
> ***Note*** The aim is not to disable MFA for the service account for all applications as that introduces unnecessary risk. Therefore, MFA will only be disabled for the service account for the OIC application.
4040
41-
In my example, MFA for OIC is being enforced by its own sign-on policy. It may be the case that the Default Sign-On policy has been amended for force MFA for all users and all applications by default. If this is the case, then, my recommendation would still be to create an application-specific sign-on policy, just for OIC (or whatever your affected application is).
41+
In this example, MFA for OIC is being enforced by its own sign-on policy. It may be the case that the Default Sign-On policy has been amended to force MFA for all users and all applications by default. If this is the case, then, the recommendation would still be to create an application-specific sign-on policy, just for OIC (or whatever your target application is).
4242

43-
Looking at my current list of sign-on policies, I can see the two out-of-the-box policies and the additional OIC policy that I created.
43+
Looking at the current list of sign-on policies, there are two out-of-the-box policies and the additional OIC policy.
4444

4545
![List of IAM Sign-On Policies.](images/iam-sign-on-policies-list.png "List of IAM Sign-On Policies.")
4646

47-
Editing my OIC policy and looking at the rule within it, we can see that it has no conditions current set.
47+
Editing the OIC policy and looking at the rule within it, we can see that it has no conditions current set.
4848

4949
![Existing Sign-On Policy Rule Conditions.](images/sign-on-pol-conditions-pre.png "Existing Sign-On Policy Rule Conditions.")
5050

5151
We can also see that the actions are enforcing MFA.
5252

5353
![Existing Sign-On Policy Rule Actions.](images/sign-on-pol-actions.png "Existing Sign-On Policy Rule Actions.")
5454

55-
Finally, we can see that the sign-on policy is attached to my OIC application.
55+
Finally, we can see that the sign-on policy is attached to the OIC application.
5656

5757
![Existing Sign-On Policy Rule Apps.](images/sign-on-pol-apps.png "Existing Sign-On Policy Rule Apps.")
5858

@@ -66,7 +66,7 @@ Save those changes and that's it!
6666

6767
# Testing the API call
6868

69-
The final step is to test our API call again.
69+
The final step is to test the API call again.
7070

7171
![200 OK.](images/oic-endpoint-200.png "200 OK.")
7272

@@ -80,29 +80,29 @@ The above approach is also only appropriate when you have an application-specifi
8080

8181
However, the good news is that you can still meet your use case in either of the above cases. The approach needed is slightly different. In these circumstances we build our application-specific sign-on policy slightly differently.
8282

83-
Let's build a sign-on policy when the service accounts are contained in a group.
83+
Let's build a sign-on policy where the service accounts are contained in a group.
8484

85-
> ***Note*** I have reverted my sign-on policy back to its original state, i.e., removed Marty McFly from the Excluded Users so that MFA is enforced for all users accessing OIC, including Marty.
85+
> ***Note*** The sign-on policy has been reverted back to its original state, i.e., removed Marty McFly from the Excluded Users so that MFA is enforced for all users accessing OIC, including Marty.
8686
8787
![OIC Service Accounts Group.](images/oic-group.png "OIC Service Accounts Group.")
8888

89-
As you can see, I now have created a group containing my service accounts.
89+
As you can see, I now have created a group containing the service account(s).
9090

91-
Within my sign-on policy, I add a new rule (in addition to the existing rule enforcing MFA). This rule will allow any user in the `OIC Service Accounts` group to access OIC, but the actions won't force an additional factor.
91+
Within the sign-on policy, add a new rule (in addition to the existing rule enforcing MFA). This rule will allow any user in the `OIC Service Accounts` group to access OIC, but the actions won't force an additional factor.
9292

93-
Adding a new rule to my existing `Sign-On Policy for OIC`, within the conditions, I add my service accounts group.
93+
Adding a new rule to the existing `Sign-On Policy for OIC`, within the conditions, I add my service accounts group.
9494

9595
![Sign On Policy Rule Conditions.](images/sign-on-pol-group-rule-conditions.png "Sign On Policy Rule Conditions.")
9696

9797
The actions allow access without the additional factor.
9898

9999
![Sign On Policy Rule Actions.](images/sign-on-pol-group-rule-actions.png "Sign On Policy Rule Actions.")
100100

101-
Lastly, I need to re-order my rules within my sign-on policy so that the more specific rule containing the group condition is executed first. I do this using the `Edit Priority` button on the list of rules.
101+
Lastly, the rules within the sign-on policy need to be reordered so that the more specific rule containing the group condition is executed first. This is done using the `Edit Priority` button on the list of rules.
102102

103103
![Sign On Policy Rules Order.](images/sign-on-pol-list-group-reorder.png "Sign On Policy Rules Order.")
104104

105-
That's it! I can re-test my API call and it is still successful using this alternative approach.
105+
That's it! I can re-test the API call and it is still successful using this alternative approach.
106106

107107
# Summary
108108

0 commit comments

Comments
 (0)