IBM Verify

  • 1.  EAI Headers with Infomap and OIDC Mapping rule

    Posted Wed March 03, 2021 05:02 AM
    Hello,

    We have an eai application where we are setting response headers as below and it works as expected

    res.setHeader("AZN_CRED_AUTHNMECH_INFO", authMech);
    xattrs.append(delimit).append("AZN_CRED_AUTHNMECH_INFO");
    res.setHeader("AZN_CRED_USER_INFO", systemId);
    xattrs.append(delimit).append("AZN_CRED_USER_INFO");
    res.setHeader("am-eai-xattrs", xattrs.toString());


    When the same thing is tried in the OIDC "Advanced Configuration Mapping Rule" with the following, it doesn't work:

    var cust_attr = [];
    cust_attr.push("AZN_CRED_AUTHNMECH_INFO")
    stsuu.addAttribute(new Attribute("AZN_CRED_AUTHNMECH_INFO", "urn:ibm:SAM:oidc:rp:userinfo:rsp:param", "Facebook"));
    stsuu.addAttribute(new Attribute("AZN_CUSTOM_ATTRIBUTES", "urn:ibm:SAM:oidc:rp:userinfo:rsp:param", cust_attr));


    When the same thing is tried in an "Infomap" with the following, it doesn't work either:

    context.set(Scope.SESSION, "urn:ibm:names:ITFIM:5.1:accessmanager", "AZN_CRED_AUTHNMECH_INFO", "Fake");


    We need to know how we can add the "AZN_CRED_AUTHNMECH_INFO" and "AZN_CRED_USER_INFO" headers via infomaps and mapping rules.

    Regards,
    Piyush



    ------------------------------
    Piyush Agrawal
    ------------------------------



  • 2.  RE: EAI Headers with Infomap and OIDC Mapping rule

    Posted Wed March 03, 2021 06:30 AM
    Hi Piyush,

    The OIDC "Advanced Configuration Mapping Rule" is specific to the OIDC Relying Party in the federation add-on and is used to modify requests being sent to the OIDC Provider.  I don't see any use case for sending EAI-type headers in these requests.  If I remember correctly, it isn't possible to manipulate HTTP headers in these requests (although I know others would like to be able to do this and I think there is an RFE open).

    If you're trying to get EAI headers returned from OIDC RP functionality, you would need to do this by setting STS attributes in the mapping rule of the OIDC RP definition.  In that mapping rule you would use this code to add an attribute:

    var myAttr = new Attribute("AZN_CRED_AUTHNMECH_INFO","urn:ibm:names:ITFIM:5.1:accessmanager", "Fake");
    stsuu.addAttribute(myAttr);

    When you're working with an InfoMap (for a custom AAC authentication mechanism), an attribute is set to be returned via EAI (to appear in the user's credential after successful authentication) using the following code:

    context.set(Scope.SESSION,"urn:ibm:security:asf:response:token:attribute",
                  "AZN_CRED_AUTHNMECH_INFO","Fake");

    I hope this helps.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: EAI Headers with Infomap and OIDC Mapping rule

    Posted Fri March 05, 2021 05:37 PM

    Hello Jon,

    Thank you for reply.
    Yes, you are right, I am modifying the OIDC RP definition oidc_rp.js, which looks like the following, but it still doesn't work. I can see groups and Authentication_level in the credential, and the redirect URL is also working, but the "AZN_*" attributes don't populate:

    var sub = stsuu.getAttributeContainer().getAttributeValueByName("sub");
    stsuu.setPrincipalName(sub.toUpperCase());
    var finalAttrs = [];
    for (var i = 0; i < token_attribute_names.length; i++) {
        var attr = stsuu.getAttributeContainer().getAttributeByName(token_attribute_names[i]);
        if (attr != null) {
            attr.setName(tokenToSTSCredMappingAttribute(token_attribute_names[i]));
            finalAttrs.push(attr);
        }
    }
    stsuu.clearAttributeList();
    stsuu.addGroup(new Group("My_Overview", "urn:ibm:security:asf:response:token:attributes", null));
    stsuu.addAttribute(new Attribute("AUTHENTICATION_LEVEL", "urn:ibm:security:asf:response:token:attributes", "3"));
    stsuu.addAttribute(new Attribute("AZN_CRED_AUTHNMECH_INFO", "urn:ibm:security:asf:response:token:attributes", "Fake"));
    stsuu.addAttribute(new Attribute("AZN_CRED_USER_INFO", "urn:ibm:security:asf:response:token:attributes", "1614980740"));
    if (targetUrl != null && targetUrl.length() > 0) {
        var targetUrlAttr = new Attribute("itfim_override_targeturl_attr", "urn:ibm:security:asf:response:token:attributes", targetUrl);
        stsuu.addAttribute(targetUrlAttr);
    }

    When I try to do this in the Infomap as you suggested, I get a ClassCastException:

    Caused by: org.mozilla.javascript.WrappedException: Wrapped java.lang.ClassCastException: java.lang.String incompatible with [Ljava.lang.String; (InfoMap_RememberMeUsername#73)
    at org.mozilla.javascript.Context.throwAsScriptRuntimeEx(Context.java:1932)
    at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:148)
    at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
    at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
    at org.mozilla.javascript.gen.InfoMap_RememberMeUsername_628._c_script_0(InfoMap_RememberMeUsername:73)
    at org.mozilla.javascript.gen.InfoMap_RememberMeUsername_628.call(InfoMap_RememberMeUsername)
    at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:405)
    at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3508)
    at org.mozilla.javascript.gen.InfoMap_RememberMeUsername_628.call(InfoMap_RememberMeUsername)
    at org.mozilla.javascript.gen.InfoMap_RememberMeUsername_628.exec(InfoMap_RememberMeUsername)
    at com.ibm.security.access.javascript.JSCode.execute(JSCode.java:123)

    Regards,
    Piyush



    ------------------------------
    Piyush Agrawal
    ------------------------------



  • 4.  RE: EAI Headers with Infomap and OIDC Mapping rule

    Posted Mon March 08, 2021 02:53 AM
    Hi Piyush,

    The error indicates that you are providing an array of strings instead of a string.

    ------------------------------
    Laurent LA Asselborn
    ------------------------------



  • 5.  RE: EAI Headers with Infomap and OIDC Mapping rule

    Posted Mon March 08, 2021 06:14 AM

    Thank you for reply Laurent.
    Strange, but I am doing exactly the same as suggested by Jon.

    context.set(Scope.SESSION,"urn:ibm:security:asf:response:token:attribute",
                  "AZN_CRED_AUTHNMECH_INFO","Fake");


    ------------------------------
    Piyush Agrawal
    ------------------------------



  • 6.  RE: EAI Headers with Infomap and OIDC Mapping rule

    Posted Mon March 08, 2021 07:44 AM
    Hi Piyush,

    I think the issue here is the type that you are setting in the Attribute creation.  When you use:
    "urn:ibm:security:asf:response:token:attributes"
    as the type, the value is assumed to have multiple values and must be provided as a string array.

    When you use:
    "urn:ibm:security:asf:response:token:attribute"
    as the type, the value is assumed to have a single value and must be provided as a string.

    So, this:
    stsuu.addAttribute(new Attribute("AZN_CRED_AUTHNMECH_INFO", "urn:ibm:security:asf:response:token:attributes", "Fake"));
    will fail.  Change to either:

    stsuu.addAttribute(new Attribute("AZN_CRED_AUTHNMECH_INFO", "urn:ibm:security:asf:response:token:attribute", "Fake"));
    or
    stsuu.addAttribute(new Attribute("AZN_CRED_AUTHNMECH_INFO", "urn:ibm:security:asf:response:token:attributes", ["Fake"]));

    This applies to all the stsuu.addAttribute calls you're making in your script.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
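
The value-shape rule Jon describes in replies 2 and 6, as an added example that is not part of the thread. The Attribute, stsuu and context objects below are assumed stand-ins written for this example, not the appliance's own Rhino runtime classes; they implement only the one contract under discussion: the singular type "urn:ibm:security:asf:response:token:attribute" takes a string, the plural type "urn:ibm:security:asf:response:token:attributes" takes an array of strings, and any other pairing fails the way reply 3 shows. The name MY_MULTI_VALUED is hypothetical, added only to show the array form.

```javascript
// Added example, not code from the thread. Attribute, StsuuStub, ContextStub
// and Scope are assumed stand-ins for the ISAM/ISVA Rhino runtime objects the
// thread uses; they model only the single-vs-multi value rule from reply 6.
const SINGLE = "urn:ibm:security:asf:response:token:attribute";
const MULTI = "urn:ibm:security:asf:response:token:attributes";

function isStringArray(v) {
  return Array.isArray(v) && v.every((x) => typeof x === "string");
}

// Stand-in for the appliance's Attribute class (assumption). The constructor
// check models the value-shape rule; on the appliance the same mismatch shows
// up as "java.lang.String incompatible with [Ljava.lang.String;" (reply 3).
class Attribute {
  constructor(name, type, value) {
    if (type === SINGLE && typeof value !== "string") {
      throw new TypeError(
        `ClassCastException: ${JSON.stringify(value)} incompatible with java.lang.String (${name})`);
    }
    if (type === MULTI && !isStringArray(value)) {
      throw new TypeError(
        `ClassCastException: ${JSON.stringify(value)} incompatible with [Ljava.lang.String; (${name})`);
    }
    this.name = name;
    this.type = type;
    this.values = Array.isArray(value) ? value.slice() : [value];
  }
  getName() { return this.name; }
  getType() { return this.type; }
  getValues() { return this.values.slice(); }
}

// Picks the response-token type from the shape of the value, so a mapping rule
// can never pair a string with the plural type or an array with the singular one.
function credAttribute(name, value) {
  if (typeof value === "string") return new Attribute(name, SINGLE, value);
  if (isStringArray(value)) return new Attribute(name, MULTI, value);
  throw new TypeError(`${name}: value must be a string or an array of strings`);
}

// Stand-in for the stsuu object of an OIDC RP mapping rule (assumption).
class StsuuStub {
  constructor() { this.attrs = []; }
  addAttribute(a) { this.attrs.push(a); }
  getAttributeByName(n) { return this.attrs.find((a) => a.getName() === n) || null; }
}

// Stand-in for the InfoMap context (assumption): the same rule applies to
// context.set(Scope.SESSION, type, name, value).
const Scope = { SESSION: "SESSION" };
class ContextStub {
  constructor() { this.entries = []; }
  set(scope, type, name, value) {
    this.entries.push({ scope, attr: new Attribute(name, type, value) });
  }
  get(scope, type, name) {
    const e = this.entries.find(
      (x) => x.scope === scope && x.attr.getType() === type && x.attr.getName() === name);
    return e ? e.attr.getValues() : null;
  }
}

// The credential attributes from reply 3, typed the way reply 6 describes,
// plus one hypothetical multi-valued attribute to show the array form.
function populateOidcRpCredential(stsuu) {
  stsuu.addAttribute(credAttribute("AUTHENTICATION_LEVEL", "3"));
  stsuu.addAttribute(credAttribute("AZN_CRED_AUTHNMECH_INFO", "Fake"));
  stsuu.addAttribute(credAttribute("AZN_CRED_USER_INFO", "1614980740"));
  stsuu.addAttribute(credAttribute("MY_MULTI_VALUED", ["a", "b"]));
  return stsuu.attrs.map((a) => [a.getName(), a.getType(), a.getValues()]);
}

// The InfoMap form from reply 2, with the plural form alongside it.
function populateInfoMapCredential(context) {
  context.set(Scope.SESSION, SINGLE, "AZN_CRED_AUTHNMECH_INFO", "Fake");
  context.set(Scope.SESSION, MULTI, "MY_MULTI_VALUED", ["a", "b"]);
  return context.get(Scope.SESSION, SINGLE, "AZN_CRED_AUTHNMECH_INFO");
}

// Reproduces the failing pairing from reply 3 (plural type, string value) and
// returns the message instead of aborting, so the mismatch is visible at a glance.
function wrongPairingMessage() {
  try {
    new Attribute("AZN_CRED_AUTHNMECH_INFO", MULTI, "Fake");
    return null;
  } catch (e) {
    return e.message;
  }
}
```

One caveat for the real appliance that the stub does not model: values pulled out of Java objects in Rhino (for example the result of getAttributeValueByName) may be java.lang.String wrappers rather than JavaScript strings, so coerce them with `'' + value` before handing them to a helper like credAttribute. The OIDC "Advanced Configuration Mapping Rule" and its "urn:ibm:SAM:oidc:rp:userinfo:rsp:param" type from the original question are a different mechanism and are not covered by this example.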