Do users also log in to the same VHJ?
If not, perhaps you'll need to set shared-domain-cookie = yes.
The /mga is typically a standard junction.
I haven't seen that specific error before, but have had to enable it for VHJ with TOTP myself.
If nothing else, it's a quick change to make and deploy and roll back if it doesn't help!
#----------------------
# SHARING SESSIONS
#----------------------
...<snip>...
# Enable a cookie based session to be shared across all standard and virtual
# host junctions on a single WebSEAL instance. This is achieved through
# enabling the WebSEAL instance to store a single session key as an
# independent value in a multi-valued domain cookie, indexed by the instance
# name. The domain cookie itself is shared across all participating WebSEAL
# instances, but the session values are specific to each instance.
#
# If WebSEAL exists in an environment where the DSC already handles single
# sign-on across domains, do not enable this configuration item.
# shared-domain-cookie = yes
------------------------------
Scott Andrews
------------------------------
Original Message:
Sent: Fri August 13, 2021 12:40 PM
From: Gabriel Labarrera
Subject: AAC Junction over Virtual Junction
Hi, I'm trying to configure a TOTP policy over a virtual junction but get this error when consuming the AAC Junction over the virtual junction
Example:
virtual junction: www.testurl.com
AAC junction: /mga
Request URL: https://www.testurl.com/mga/sps/authsvc?TransactionId=<UUID>
Error:
Error details
FBTAUT010E Authentication service cannot perform MAC one-time password authentication because the username parameter is missing. If you specify the username parameter using literal value, ensure that it is not NULL. If you specify the username parameter using context attribute reference, ensure that the referenced context attribute is not NULL. If you do not specify the username parameter, ensure that the authentication policy requires the user to log in before they are challenged by MAC one-time password authentication.
I tried adjusting the trigger and obligations properties
trigger = /mga/sps/auth*
trigger = /mga/sps/authservice/authentication*
trigger = /mga/sps/authsvc*
trigger = /mga/sps/apiauthsvc*
trigger = HTTPS://www.testurl.com:443/mga/sps/auth*
trigger = HTTPS://www.testurl.com:443/mga/sps/authservice/authentication*
trigger = HTTPS://www.testurl.com:443/mga/sps/authsvc*
trigger = HTTPS://www.testurl.com:443/mga/sps/apiauthsvc*
urn:ibm:security:authentication:asf:* = /mga/sps/authsvc
urn:ibm:security:authentication:asf:* = https://www.testurl.com/mga/sps/authsvc
But it seems that none of these configurations is working; am I missing something?
------------------------------
Gabriel Labarrera
------------------------------
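A quick way to check the setting Scott points at in his reply, added here as an example that is not code from the thread or from IBM: it parses a constructed webseald.conf fragment, reports whether shared-domain-cookie in the [session] stanza is active, commented out (as in the quoted snippet) or absent, and honours the note that it should stay off when the DSC already handles cross-domain SSO. The [session] stanza placement and the dsess-enabled key name are assumptions from my memory of the file, not from the thread.

```python
import re

# Constructed webseald.conf fragment mirroring the snippet quoted in the thread.
# Key names: shared-domain-cookie is from the thread; dsess-enabled (the DSC
# switch) is from memory of the file and is an assumption.
SAMPLE_CONF = """\
[session]
# Enable a cookie based session to be shared across all standard and virtual
# host junctions on a single WebSEAL instance.
# shared-domain-cookie = yes
dsess-enabled = no
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^(?P<comment>#\s*)?(?P<key>[\w.-]+)\s*=\s*(?P<value>.*?)\s*$")


def parse_stanzas(text):
    """Return {stanza: {key: (value, commented_out)}}; commented-out settings are kept."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := STANZA_RE.match(line):
            current = m.group("name").strip()
            stanzas.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if current is None or not m:
            continue  # prose comments, blanks, text before the first stanza
        key, commented = m.group("key").lower(), m.group("comment") is not None
        if commented and key in stanzas[current] and not stanzas[current][key][1]:
            continue  # a stale comment must not shadow the live setting
        stanzas[current][key] = (m.group("value"), commented)
    return stanzas


def session_sharing_status(conf_text):
    """Report whether a VHJ and the standard /mga junction would share a session."""
    session = parse_stanzas(conf_text).get("session", {})
    value, commented = session.get("shared-domain-cookie", (None, True))
    state = "absent" if value is None else "commented-out" if commented else value.lower()
    dsc_value, dsc_commented = session.get("dsess-enabled", ("no", True))
    dsc_on = dsc_value.lower() == "yes" and not dsc_commented
    if dsc_on:
        advice = "DSC already handles cross-domain SSO; leave shared-domain-cookie alone"
    elif state == "yes":
        advice = "sessions are shared; the VHJ and /mga see the same session"
    else:
        advice = "set shared-domain-cookie = yes in [session] (currently %s)" % state
    return {"shared_domain_cookie": state, "dsc_enabled": dsc_on, "advice": advice}
```

Run it against the real file with `session_sharing_status(open("webseald.conf").read())` after any change, then deploy and roll back as Scott suggests if it does not help.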