IBM Verify

  • 1.  Addition of SCIM attributes of user to webseal header / credential

    Posted Wed January 06, 2021 12:27 AM
    Hi,

    I want to add SCIM attributes of a user to the WebSEAL header / credential to make them available to the backend server.
    As these attributes are not seen in TDS, it looks like the traditional method of HTTP-TAG-VALUE won't be helpful.
    I have tried to add such attributes to the context object using an InfoMap. I am able to read their values from the context in the InfoMap after setting them.
    But they are not getting added to WebSEAL's credential or header.
    This custom login Infomap is being called before actual login happens in webseal.

    Any pointers would be helpful.

    Thanks,
    Pradnya Medhi


  • 2.  RE: Addition of SCIM attributes of user to webseal header / credential

    Posted Thu January 07, 2021 04:13 AM
    Hi Pradnya,

    Where are these SCIM attributes coming from?  Is this an external SCIM service that you want to retrieve attributes for?

    If you're adding attributes to the context as part of an InfoMap authentication policy, these should be present in the user credential that is generated when that authentication policy completes.  The code you need to use is something like this:

    context.set(Scope.SESSION,"urn:ibm:security:asf:response:token:attribute","attrName","attrValue");

    If you don't see the attribute in the credential after the policy completes, it is likely one of the following reasons:
     - Some later InfoMap is clearing the context
     - The Authentication process is not resulting in authentication at WebSEAL
     - Some later authentication process in WebSEAL is replacing the credential

    When you say "This custom Infomap is being called before actual login happens in WebSEAL", what is the login process at WebSEAL?  Is it part of the same Authentication Policy? Is it another Authentication Policy?  Is it a built-in WebSEAL authentication?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Addition of SCIM attributes of user to webseal header / credential

    Posted Fri January 08, 2021 06:50 AM
    Hi Jon,

    Thank you for your response.

    I am using the built-in SCIM service in the InfoMap; attributes for such a service are not seen in TDS, and I am not sure if they are stored in a DB somewhere.

    The code I am using to add the attribute to the credential is exactly the same as you suggested:
    context.set(Scope.SESSION,"urn:ibm:security:asf:response:token:attribute","attrName","attrValue");

    As you mentioned, one of the possibilities could be that some later InfoMap is clearing the context; I have observed this at some other places as well. How do we handle this? Any pointers?

    The login process of WebSEAL is handled through a custom InfoMap in which the SCIM attributes are also added to the credential before WebSEAL creates one. It's the same Authentication Policy.

    Thanks,
    Pradnya Medhi


    ------------------------------
    Prandya Medhi
    ------------------------------



  • 4.  RE: Addition of SCIM attributes of user to webseal header / credential

    Posted Fri January 08, 2021 07:04 AM
    Hi Prandya,

    I don't think the built-in authentication mechanisms would clear context, so I would guess it is some custom code that is doing this (if that's the culprit).

    I would suggest checking the AuthSvcCredential mapping rule - this gets called at the end of every Authentication Policy.  Make sure it doesn't have any custom code in it which is clearing the STS attributes that are to be passed back.

    You could also add a trace point in this module to output the final STS that is being returned.  That way you can check for sure which attributes are making it to the end of the policy flow.

    If you see the attributes there, you could use a pdweb.debug trace in the Reverse Proxy to check the EAI headers that are being returned from the AAC.  You should see headers for your attributes in this trace.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
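The following is an added example, not code from this thread and not IBM's own code. It sketches, in the JavaScript style used by InfoMap mapping rules, the two things discussed above: Jon's context.set() call into the token-attribute namespace (reply 2), and a trace point at the end of the policy that lists which of those attributes survived (reply 4). Assumptions: the SCIM attribute names (department, employeeNumber) and the credential attribute names they map to are hypothetical; the SCIM lookup itself is not shown and a constructed user document stands in for it; IDMappingExtUtils.traceString is assumed to be available on the appliance, with console.log as the offline fallback; and when the script runs outside the appliance (where Scope and context are not supplied), a constructed stand-in with the same set/get shape is used so the logic can be exercised in Node.

```javascript
// Added example (not from the thread, not IBM code): an InfoMap-style mapping-rule
// sketch that copies selected SCIM user attributes into the token-attribute scope
// that the thread's context.set() call targets, plus a diagnostic for the end of the policy.
// Assumption: on the appliance, Scope and context are supplied by the runtime; when run
// in Node they are absent, so a constructed stand-in with the same set/get shape is used.
if (typeof Scope === "undefined") {
  var Scope = { SESSION: "session", REQUEST: "request" };
  var context = (function () {
    var store = {};
    function key(scope, ns, name) { return scope + "|" + ns + "|" + name; }
    return {
      set: function (scope, ns, name, value) { store[key(scope, ns, name)] = value; },
      get: function (scope, ns, name) {
        return store.hasOwnProperty(key(scope, ns, name)) ? store[key(scope, ns, name)] : null;
      }
    };
  })();
}

// Namespace from the thread: attributes set here end up in the credential and, after
// the EAI exchange, as headers WebSEAL can forward to the backend.
var TOKEN_ATTR_NS = "urn:ibm:security:asf:response:token:attribute";

// Hypothetical mapping of SCIM attribute names to credential attribute names.
var FORWARDED = {
  department: "scim_department",
  employeeNumber: "scim_employee_number"
};

// Trace helper (assumption): uses IDMappingExtUtils.traceString when the appliance
// provides it, otherwise falls back to console.log so the script runs offline.
function trace(msg) {
  if (typeof IDMappingExtUtils !== "undefined") { IDMappingExtUtils.traceString(msg); }
  else { console.log(msg); }
}

// Copy the forwarded attributes from a SCIM user document into the token-attribute
// scope. Returns the credential attribute names actually set; absent or empty values
// are skipped so a missing SCIM value never produces an empty header.
function addScimAttributesToCredential(ctx, scimUser) {
  var added = [];
  Object.keys(FORWARDED).forEach(function (scimName) {
    var value = scimUser[scimName];
    if (value === undefined || value === null || value === "") { return; }
    // Credential attribute values are strings; multi-valued attributes become a list.
    var str = Array.isArray(value) ? value.join(",") : String(value);
    ctx.set(Scope.SESSION, TOKEN_ATTR_NS, FORWARDED[scimName], str);
    added.push(FORWARDED[scimName]);
  });
  return added;
}

// Diagnostic for the end of the policy (e.g. a trace point in the AuthSvcCredential
// rule): report which forwarded attributes are still present in the token scope.
function listForwardedAttributes(ctx) {
  var present = {};
  Object.keys(FORWARDED).forEach(function (scimName) {
    var name = FORWARDED[scimName];
    var v = ctx.get(Scope.SESSION, TOKEN_ATTR_NS, name);
    if (v !== undefined && v !== null) { present[name] = String(v); }
  });
  trace("token attributes present: " + JSON.stringify(present));
  return present;
}

// Constructed SCIM user document (sample data, not a real lookup result).
var SAMPLE_SCIM_USER = {
  userName: "jdoe",
  department: "Finance",
  employeeNumber: ""   // present but empty: must not become a header
};

// Walk the flow once: set the attributes, list them, then simulate a later rule that
// nulls one of them (the "later InfoMap is clearing the context" failure mode) and
// list again. The difference between the two listings is what the trace point reveals.
function demo() {
  var added = addScimAttributesToCredential(context, SAMPLE_SCIM_USER);
  var before = listForwardedAttributes(context);
  context.set(Scope.SESSION, TOKEN_ATTR_NS, "scim_department", null);
  var after = listForwardedAttributes(context);
  return { added: added, before: before, after: after };
}

demo();
```

On the appliance, the listing printed by listForwardedAttributes() from the AuthSvcCredential rule is the check Jon describes: if the attributes are present there but absent in the pdweb.debug trace, the loss is between the AAC and WebSEAL; if they are already missing there, a rule earlier in the same policy cleared them.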