IBM Verify

  • 1.  ISAM as SAML SP

    Posted Wed January 15, 2020 01:52 PM
    Hi,
    I'm trying to configure ISAM as SP in a SAML federation. My problem is getting attributes from the assertion to find the user in the registry.
    I'm trying to create a mapping rule to read the content and find the user in LDAP. I'm using this command:
    var var1 = stsuu.getAttributeContainer().getAttributeValueByName("urn:oid:2.16.840.1.113730.3.1.241");
    but it always returns null.
    If anyone can help me, I'd appreciate that.

    This is part of stsuu trace:
    <?xml version="1.0" encoding="UTF-8"?>
    <stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
    <stsuuser:Principal>
    <stsuuser:Attribute name="name" type="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
    <stsuuser:Value>anonymous</stsuuser:Value>
    </stsuuser:Attribute>
    </stsuuser:Principal>
    <stsuuser:AttributeList>
    <stsuuser:Attribute name="https://samltest.id/attributes/role" type="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <stsuuser:Value>manager@samltest.id</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="urn:oid:2.16.840.1.113730.3.1.241" type="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <stsuuser:Value>Rick Sanchez</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="urn:oid:0.9.2342.19200300.100.1.1" type="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <stsuuser:Value>rick</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="urn:oid:2.5.4.20" type="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <stsuuser:Value>+1-555-555-5515</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="urn:oid:2.5.4.42" type="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <stsuuser:Value>Rick</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="urn:oid:0.9.2342.19200300.100.1.3" type="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <stsuuser:Value>rsanchez@samltest.id</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="urn:oid:2.5.4.4" type="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <stsuuser:Value>Sanchez</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AuthenticationInstant" type="urn:oasis:names:tc:SAML:2.0:assertion">
    <stsuuser:Value>2020-01-14T19:23:00Z</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" type="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <stsuuser:Value>rsanchez@samltest.id</stsuuser:Value>
    </stsuuser:Attribute>


  • 2.  RE: ISAM as SAML SP

    Posted Thu January 16, 2020 09:27 AM
    Can you add your mapping rule?


    Here is my test for you.


    STSUU :

    <?xml version="1.0" encoding="utf-8"?>
    <stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
    <stsuuser:Principal>
    <stsuuser:Attribute name="name" type="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
    <stsuuser:Value>pippo</stsuuser:Value>
    </stsuuser:Attribute>
    </stsuuser:Principal>
    <stsuuser:AttributeList>
    <stsuuser:Attribute name="am_eai_xattr_session_lifetime" type="">
    <stsuuser:Value>1579187473</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="urn:oid:2.16.840.1.113730.3.1.241" type="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <stsuuser:Value>ciccio panza</stsuuser:Value>
    </stsuuser:Attribute>
    .....
    .....




    SP mapping rule and trace :

    [1/16/20 15:21:47:467 CET] 00000055 id=00000000 com.tivoli.am.fim.mappingrule.DBMappingRuleProvider < getMappingRuleById(String, String) RETURN
    ID: 105
    Name: test-sp
    Content:
    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);



    var myvar= stsuu.getAttributeContainer().getAttributeValueByName("urn:oid:2.16.840.1.113730.3.1.241");
    IDMappingExtUtils.traceString("MYVAR +++++++++++++++++++++++ " + myvar);

    [1/16/20 15:21:47:468 CET] 00000055 id=00000000 com.tivoli.am.fim.logging.FIMLoggerFactory > getFIMLogger ENTRY
    [1/16/20 15:21:47:468 CET] 00000055 id=00000000 com.tivoli.am.fim.logging.FIMLoggerFactory < getFIMLogger RETURN
    ....


    [1/16/20 15:21:47:532 CET] 00000055 id=00000000 om.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils > traceString ENTRY MYVAR +++++++++++++++++++++++ ciccio panza
    [1/16/20 15:21:47:532 CET] 00000055 id=00000000 om.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils < traceString RETURN


    ------------------------------
    Gianluca Gargaro
    IBM
    Roma
    ------------------------------
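    Added example, not code from this thread or from IBM: a small Node.js model of the attribute lookup the mapping rule above performs, run offline over a trimmed copy of the STSUU from the first post. The parser and the functions getAttributeValueByName and resolveRegistryUser are assumptions that imitate the ISAM method names shown on the page; inside ISAM the real stsuu object provides them, and the point here is that the lookup is an exact name match that yields null for anything else, which a rule should refuse rather than fall through to the "anonymous" principal.

```javascript
// Constructed sample: trimmed copy of the STSUU trace posted in the first message.
const STSUU_XML = `<?xml version="1.0" encoding="UTF-8"?>
<stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
<stsuuser:Principal>
<stsuuser:Attribute name="name" type="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
<stsuuser:Value>anonymous</stsuuser:Value>
</stsuuser:Attribute>
</stsuuser:Principal>
<stsuuser:AttributeList>
<stsuuser:Attribute name="urn:oid:2.16.840.1.113730.3.1.241" type="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<stsuuser:Value>Rick Sanchez</stsuuser:Value>
</stsuuser:Attribute>
<stsuuser:Attribute name="urn:oid:0.9.2342.19200300.100.1.1" type="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<stsuuser:Value>rick</stsuuser:Value>
</stsuuser:Attribute>
</stsuuser:AttributeList>
</stsuuser:STSUniversalUser>`;

// Parse one STSUU container (Principal or AttributeList) into a name -> [values] map.
// Assumption: the simple element layout seen in the trace, so a regex parser is sufficient here.
function parseContainer(xml, containerTag) {
  const section = xml.match(new RegExp(`<stsuuser:${containerTag}>([\\s\\S]*?)</stsuuser:${containerTag}>`));
  const attrs = new Map();
  if (!section) return attrs;
  const attrRe = /<stsuuser:Attribute name="([^"]*)"[^>]*>([\s\S]*?)<\/stsuuser:Attribute>/g;
  for (const m of section[1].matchAll(attrRe)) {
    const values = [...m[2].matchAll(/<stsuuser:Value>([^<]*)<\/stsuuser:Value>/g)].map(v => v[1]);
    attrs.set(m[1], values);
  }
  return attrs;
}

function parseStsuu(xml) {
  return { principal: parseContainer(xml, "Principal"), attributeList: parseContainer(xml, "AttributeList") };
}

// Imitates stsuu.getAttributeContainer().getAttributeValueByName(): exact name match on the
// AttributeList only (the Principal is a separate container), first value, or null when absent.
function getAttributeValueByName(stsuu, name) {
  const values = stsuu.attributeList.get(name);
  return values && values.length ? values[0] : null;
}

// Resolve the registry lookup key from the asserted uid (urn:oid:0.9.2342.19200300.100.1.1).
// A null result is treated as a mapping failure instead of silently keeping the "anonymous" principal.
function resolveRegistryUser(stsuu) {
  const uid = getAttributeValueByName(stsuu, "urn:oid:0.9.2342.19200300.100.1.1");
  if (uid === null) throw new Error("assertion carries no uid attribute; refusing to map user");
  return uid;
}
```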



  • 3.  RE: ISAM as SAML SP

    Posted Fri January 17, 2020 12:04 PM
    Hi Gianluca,

    Your mapping rule code solved my problem. Thank you.