IBM Verify

  • 1.  HPDIA0118W Authentication method is not supported for OIDC RP

    Posted Wed February 23, 2022 11:46 AM

    Hi

    We were advised by IBM support that the /pkmspasswd endpoint is not supported when WebSEAL is configured in OIDC Relying Party (/pkmsoidc).

    https://www.ibm.com/docs/en/sva/9.0.7?topic=operations-changing-passwords-pkmspasswd


    My question for the product team: is there a technical constraint that prevented /pkmspasswd from being supported in a first-party use case (OIDC OP to OIDC RP, same LDAP realm, where the "external user" setting is false)?

    This forces us to either move the handling of /pkmspasswd to the OIDC OP side or create a new flow in our InfoMap to implement an equivalent of /pkmspasswd ourselves.

    Thanks 



    ------------------------------
    Sylvain Gilbert
    ------------------------------


  • 2.  RE: HPDIA0118W Authentication method is not supported for OIDC RP

    Posted Wed February 23, 2022 03:10 PM

    Sylvain,

    There is no technical reason for this, providing that the OP and WebSEAL are configured to use the same user registry.  An assumption was made however that this would not usually be the case, and that the management of the authenticated user should occur at the OP (just because 'external-user' is set to false does not guarantee that you are using the same user registry).

    Would it be possible to set up local response redirect on the WebSEAL side so that requests to /pkmspasswd are redirected to the password change page at the OP?

    Thanks.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 3.  RE: HPDIA0118W Authentication method is not supported for OIDC RP

    Posted Wed February 23, 2022 04:51 PM
    Hi Scott

    The /pkmspasswd endpoint does not seem to be supported on the OIDC Provider (WebSEAL) side either, as the login solution is based solely on Authentication Services (InfoMap). So I might need to implement (simulate) the entire /pkmspasswd from the InfoMap itself. Any other suggestion?

    And should I consider submitting an RFE so that, in the future, OIDC RP-based WebSEAL supports /pkmspasswd as well?

    ------------------------------
    Sylvain Gilbert
    ------------------------------



  • 4.  RE: HPDIA0118W Authentication method is not supported for OIDC RP

    Posted Wed February 23, 2022 04:57 PM

    Sylvain,

    You should be able to set the '[eai] eai-allow-password-change' WebSEAL configuration entry on the OP side to 'true'.  By doing this you should re-enable the '/pkmspasswd' endpoint on the OP – even though you are using an InfoMap authentication mechanism.

    I hope that this helps.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


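The two approaches Scott describes in replies 2 and 4, written out as WebSEAL configuration stanzas. This is an added example, not configuration posted in the thread or shipped by IBM: the `[eai] eai-allow-password-change` entry is the one named in reply 4; the `[acnt-mgt]` / `[local-response-redirect]` entries, the `[passwd]` operation prefix and the hostname `op.example.com` are assumptions about the layout of the local response redirect feature and are not taken from the thread. Apply each block to the WebSEAL instance named in its comment and restart that instance.

```ini
# Added example (not from the thread). WebSEAL instance configuration file,
# e.g. webseald-<instance>.conf; stanza names below other than [eai] are assumed.

# Approach A (reply 4): on the OIDC OP WebSEAL instance, keep /pkmspasswd
# available even though authentication is done by an InfoMap (EAI) mechanism.
# Only sensible when this instance and the OP share the same user registry,
# otherwise the password being changed is not the one the user logs in with.
[eai]
eai-allow-password-change = true

# Approach B (reply 2): on the OIDC RP WebSEAL instance, do not handle
# /pkmspasswd locally; redirect the password-change operation to the OP's
# own password-change page instead (assumed entries, hypothetical OP host).
[acnt-mgt]
enable-local-response-redirect = yes

[local-response-redirect]
local-response-redirect-uri = [passwd]https://op.example.com/pkmspasswd
```

Approach B keeps all credential handling at the OP, which is the deployment assumption reply 2 says the product was built around; Approach A is the shortcut that worked for this thread because the OP and RP already use the same LDAP realm. Verify the shared-registry condition before enabling it, and confirm in the WebSEAL configuration reference for your release that the assumed stanza entries exist before relying on Approach B.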
  • 5.  RE: HPDIA0118W Authentication method is not supported for OIDC RP

    Posted Wed February 23, 2022 06:35 PM
    Scott, as always your suggestion worked!
    I am unsure of all the black magic under the hood that occurred given it is an EAI type login, but that will be for another day (-:

    ------------------------------
    Sylvain Gilbert
    ------------------------------