IBM Verify

  • 1.  AAC unauthenticated access policy

    Posted Mon November 02, 2020 02:12 PM
    Hi, ISVA community,

    Two questions here regarding "Unauthenticated access policy" pattern mentioned in Leo Farrell's blog post: Federated Single Sign On: Access Policy for 2FA with SAML and OIDC https://www.ibm.com/blogs/security-identity-access/federated-single-sign-on-access-policy/

    First question is, when using this pattern in an existing environment (with a few existing SAML federations and access control policies for step-up authentication flows, but no existing access policy), what are the caveats in terms of not breaking anything existing, since by default /sps/auth is protected on webseal?

    Second question is:
    When using this pattern and setting /aac/sps/auth to be public on webseal, "/aac" being the junction to point to AAC runtime, what is the proper way to customize the response in AAC when a request is sent to /aac/sps/auth unauthenticated? My understanding is that when calling /aac/sps/auth without a session (neither webseal session id nor AAC jsessionid), AAC will respond with "An error has occurred" HTML response like below:

    --------------------------------------------------------------------------------
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <title>Internal Protocol Error</title>
    <link rel="stylesheet" type="text/css" href="/aac/sps/static/styles.css" />
    </head>
    <body>
    <div class="header">
    <div class="brandingLogo"><img src="/aac/sps/static/ibm-logo.png" /></div>
    </div>
    <div class="content">
    <div class="contentHeader">
    <h1 class="pageTitle error">An error has occurred</h1>
    <div class="instructions"></div>
    </div>
    <div class="pageContent">
    <div id="infoDiv">
    <em>/sps/auth</em> <br />
    <em>2020-10-30T20:30:42Z</em> <br />
    </div>
    <br />
    <div id="detailDiv">
    <h4>Error details</h4>
    An error occurred fulfulling the current request to /sps/auth. <br />
    This error was caused by an internal/unexpected error on the invoked protocol module leading to
    the exception displayed below. <br />
    Please validate configuration of the executing protocol and environment. <br />
    This is not a problem with the SPS. <br />
    </div>
    <br />
    <div id="stackDiv" >
    <h4>Stack trace</h4>
    <em></em>
    <pre>

    </pre>
    </div>
    </div>
    </div>
    </body>
    </html>
    --------------------------------------------------------------------------------

    This will go back to the user's browser, which is not a user-friendly response. This unauthenticated authentication endpoint call won't reach the access policy. Is there anywhere we can catch this and present a proper response to the user, e.g., redirect the user to login, in case the authentication endpoint is called without a session id?

    Mostly what I am trying to get at is, since this pattern involves opening up a URI on AAC, so potentially it can be called by anyone, I want to make sure the implementation is covered from a security perspective.

    Thanks in advance, any help is much appreciated.

    Tian

    ------------------------------
    Tian Xia
    ------------------------------


  • 2.  RE: AAC unauthenticated access policy

    Posted Tue February 02, 2021 04:56 PM
    We are also struggling with this 2nd issue. This behavior blocks the OIDC flow, and redirects to the RP are blocked.
    Do we have any solution for this?

    Regards,
    Piyush


    ------------------------------
    Piyush Agrawal
    ------------------------------