Hi, ISVA community,
Two questions here regarding the "Unauthenticated access policy" pattern mentioned in Leo Farrell's blog post: Federated Single Sign On: Access Policy for 2FA with SAML and OIDC
https://www.ibm.com/blogs/security-identity-access/federated-single-sign-on-access-policy/

First question is, when using this pattern in an existing environment (with a few existing SAML federations and access control policies for step-up authentication flows, but no existing access policy), what's the caveat in terms of not breaking anything existing, since by default /sps/auth is protected on WebSEAL?
Second question is:
When using this pattern and setting /aac/sps/auth to be public on WebSEAL ("/aac" being the junction that points to the AAC runtime), what is the proper way to customize the response in AAC when a request is sent to /aac/sps/auth unauthenticated? My understanding is that when calling /aac/sps/auth without a session (neither a WebSEAL session id nor an AAC jsessionid), AAC will respond with an "An error has occurred" HTML response like the one below:
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Internal Protocol Error</title>
<link rel="stylesheet" type="text/css" href="/aac/sps/static/styles.css" />
</head>
<body>
<div class="header">
<div class="brandingLogo"><img src="/aac/sps/static/ibm-logo.png" /></div>
</div>
<div class="content">
<div class="contentHeader">
<h1 class="pageTitle error">An error has occurred</h1>
<div class="instructions"></div>
</div>
<div class="pageContent">
<div id="infoDiv">
<em>/sps/auth</em> <br />
<em>2020-10-30T20:30:42Z</em> <br />
</div>
<br />
<div id="detailDiv">
<h4>Error details</h4>
An error occurred fulfulling the current request to /sps/auth. <br />
This error was caused by an internal/unexpected error on the invoked protocol module leading to
the exception displayed below. <br />
Please validate configuration of the executing protocol and environment. <br />
This is not a problem with the SPS. <br />
</div>
<br />
<div id="stackDiv" >
<h4>Stack trace</h4>
<em></em>
<pre>
</pre>
</div>
</div>
</div>
</body>
</html>
--------------------------------------------------------------------------------
This will go back to the user's browser, which is not a user-friendly response. This unauthenticated call to the authentication endpoint won't reach the access policy. Is there anywhere we can catch this and present a proper response to the user, e.g., redirect the user to login, in case the authentication endpoint is called without a session id?
Mostly what I am trying to get at is: since this pattern involves opening up a URI on AAC, so potentially it can be called by anyone, I want to make sure the implementation is covered from a security perspective.
Thanks in advance, any help is much appreciated.
Tian
------------------------------
Tian Xia
------------------------------