IBM Verify

  • 1.  IBM Verify Access BA & Forms Authent

    Posted Wed September 23, 2020 05:07 PM
    To address some use cases in our current deployment of SSO for O365, we would need to support client (Outlook and so on) authentication using BA.
    My question is, as the authentication point is unique (the WebSEAL facing our IdP) and configured for forms authentication, could I add the BA authent on the same WebSEAL?
    Thanks for your help

    ------------------------------
    Emmanuel Fauconnier
    9.0.7.1
    ------------------------------


  • 2.  RE: IBM Verify Access BA & Forms Authent

    Posted Fri September 25, 2020 09:12 AM
    Hi Emmanuel,

    In a given session, form-based authentication overrides BA authentication.  However, if you can separate the traffic (either by junction or by user-agent) then it is possible to specify forms or BA independently.

    Here is a cut-and-paste from config file comments:

    # The auth-challenge-type contains a comma separated list of
    # authentication types which will be used when challenging a
    # client for authentication information. The supported authentication
    # types include:
    # ba, forms, spnego, token, cert, oidc and eai.
    #
    # The corresponding authentication configuration entry (e.g. ba-auth)
    # must be enabled for each specified authentication challenge type.
    #
    # By default the list of authentication challenge types will match that
    # of the list of configured authentication mechanisms.
    #
    # Each authentication type can additionally be configured with a set of rules.
    # These rules are used to determine the user agents for which the
    # authentication type is enabled. Each set of rules must be contained within
    # square brackets and separated by semicolons. Each pattern must begin with
    # a '+' or '-' character to indicate inclusion or exclusion respectively.
    # Patterns can contain alphanumeric characters, spaces, underscores and
    # periods. The wildcard characters '*' and '?' can also be used.
    #
    # For example:
    #
    # auth-challenge-type = [+*MSIE*]ba, [-*MSIE*;+*]forms
    #
    # This configuration will present a basic authentication challenge to user
    # agents containing 'MSIE' (Internet Explorer browsers) and a forms based
    # challenge to all other user agents. See the WebSEAL administration guide
    # for further information.
    #
    # Do not use authentication challenge types as a security or enforcement
    # measure. If no challenge types can be determined for a given user agent
    # string, WebSEAL will fall back to the list of all configured authentication
    # mechanisms.
    #
    # This configuration item may be customized for a particular junction
    # by adding the adjusted configuration item to a [server:{jct_id}] stanza,
    # where '{jct-id}' refers to the junction point for a standard junction
    # (include the leading '/'), or the virtual host label for a virtual host
    # junction.
    # auth-challenge-type =

    Hopefully you can figure it out from here :)

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
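As an added illustration (not code from the thread or from IBM), the following Python parses an `auth-challenge-type` value in the syntax quoted above and works out which challenge types a given User-Agent would receive, including the documented fall-back to every configured mechanism when no rule selects anything. It assumes that rules inside a bracket set are evaluated in order with the first match deciding; the User-Agent strings and the list of configured mechanisms are constructed sample data.

```python
import fnmatch
import re

# Example value quoted in the config-file comment above.
AUTH_CHALLENGE_TYPE = "[+*MSIE*]ba, [-*MSIE*;+*]forms"

# Constructed sample: mechanisms assumed enabled on this WebSEAL (ba-auth, forms-auth).
CONFIGURED_MECHANISMS = ["ba", "forms"]

_ENTRY_RE = re.compile(r"^(?:\[(?P<rules>[^\]]*)\])?\s*(?P<type>[a-z]+)$")


def parse_auth_challenge_type(value):
    """Parse 'auth-challenge-type' into a list of (type, [(include, pattern), ...])."""
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _ENTRY_RE.match(raw)
        if not m:
            raise ValueError(f"cannot parse entry: {raw!r}")
        rules = []
        for pat in (p.strip() for p in (m.group("rules") or "").split(";")):
            if not pat:
                continue
            if pat[0] not in "+-":
                raise ValueError(f"pattern must start with '+' or '-': {pat!r}")
            rules.append((pat[0] == "+", pat[1:]))
        entries.append((m.group("type"), rules))
    return entries


def challenge_types_for(user_agent, value=AUTH_CHALLENGE_TYPE, configured=CONFIGURED_MECHANISMS):
    """Return the challenge types WebSEAL would present to this User-Agent."""
    selected = []
    for auth_type, rules in parse_auth_challenge_type(value):
        if not rules:  # no rule set: the type applies to every user agent
            selected.append(auth_type)
            continue
        # Assumption: rules are tried in order and the first matching pattern decides.
        for include, pattern in rules:
            if fnmatch.fnmatchcase(user_agent, pattern):
                if include:
                    selected.append(auth_type)
                break
    # Documented fall-back: if nothing was determined, every configured mechanism is
    # offered. This is why the comment says not to use this item as an enforcement control.
    return selected or list(configured)
```

Run `challenge_types_for("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)")` to see the BA branch and a non-MSIE agent to see the forms branch; an agent that matches no rule receives both configured mechanisms.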