IBM Verify

  • 1.  ISAM: EAI/InfoMap user authentication for non-directory users

    Posted Sat May 16, 2020 09:14 AM
    Hello all,

    ISAM's EAI and InfoMap capabilities allow us to implement custom authentication logic for users which reside in ISAM's LDAP or any federated directory.

    I need to know whether, using EAI/InfoMap, would it be possible to authenticate the users which are not present in ISAM's LDAP or any of the federated directories? In other words, would it be possible to create a user credential for a user not present in any of the federated directories by using EAI/InfoMap?

    The goal is to authenticate users from a database and these users do not reside in ISAM LDAP or any of the Federated Directories.

    Looking forward to your valuable comments.

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------


  • 2.  RE: ISAM: EAI/InfoMap user authentication for non-directory users

    Posted Sat May 16, 2020 10:35 AM
    Hello,

    You can absolutely do this.

    If you return an external user header, groups header and extra attributes headers, WebSEAL will build a credential for that user (and populate the specified groups) for a user that doesn't exist in ISAM LDAP.

    You can do the same from AAC Authentication Service or Federation Runtime by setting the POC mode to External User.

    To authenticate against a database you'll probably have to write a full EAI App since those capabilities are not built into the JavaScript extensions.  A hybrid approach would be to have an AAC Authentication Mechanism call to an external REST service which does the DB work.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: ISAM: EAI/InfoMap user authentication for non-directory users

    Posted Sat May 16, 2020 10:48 AM
    Hi Jahanzaib,

    Yes, it is possible to authenticate the user via EAI having no user-specific entry in ISAM LDAP.
    To achieve this, you need to set the am-eai-ext-user-id header from the EAI.

    Also, you need to make the configuration below in the reverse proxy configuration file.

    eai-ext-user-id-header = am-eai-ext-user-id

    For more information, go through the documentation links below.
    https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.6/com.ibm.isam.doc/wrp_config/concept/con_http_hdr_ref.html
    https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.6/com.ibm.isam.doc/wrp_stza_ref/reference/ref_eai_ext_user_id_header.html

    ------------------------------
    Prashant Narkhede
    ------------------------------
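An added example, not code from this thread or from IBM: a minimal EAI application in Python that does what the two replies above describe, authenticating against a (constructed, in-memory) database and returning the am-eai-ext-user-id, am-eai-ext-user-groups, am-eai-xattrs and am-eai-auth-level headers so that WebSEAL builds a credential for a user who has no LDAP entry. The junction path /eai, the trigger URL, the extended-attribute names and the sample users are assumptions; the [eai] stanza quoted in the docstring is the WebSEAL-side configuration the app expects.

```python
"""Minimal EAI application for ISAM/WebSEAL that authenticates users against a
database and asserts an external user (one with no entry in the ISAM LDAP).

Added example, not IBM code.  Assumed webseald.conf on the WebSEAL side
(header names are the documented defaults, the /eai junction is assumed):

    [eai]
    eai-auth = https
    eai-ext-user-id-header = am-eai-ext-user-id
    eai-ext-user-groups-header = am-eai-ext-user-groups
    eai-xattrs-header = am-eai-xattrs
    eai-auth-level-header = am-eai-auth-level

    [eai-trigger-urls]
    trigger = /eai/login*

WebSEAL only honours am-eai-* headers on a response that came back through a
trigger URL on the junctioned EAI server, so the junction is the trust
boundary: nothing else may be allowed to reach this app directly.
"""
import hashlib
import hmac
import os
import sqlite3
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

ITERATIONS = 200_000  # PBKDF2 work factor for the sample store


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample user store standing in for the real database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, "
               "pwhash BLOB, groups TEXT, email TEXT)")
    sample = [("alice", "correct horse", "customers,gold", "alice@example.com"),
              ("bob", "hunter2", "customers", "bob@example.com")]
    for user, pw, groups, email in sample:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                   (user, salt, _pbkdf2(pw, salt), groups, email))
    db.commit()
    return db


def authenticate(db: sqlite3.Connection, username: str, password: str):
    """Return a dict describing the user on success, None on any failure."""
    row = db.execute("SELECT salt, pwhash, groups, email FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        _pbkdf2(password, b"\0" * 16)  # burn the same time for unknown users
        return None
    salt, pwhash, groups, email = row
    if not hmac.compare_digest(_pbkdf2(password, salt), pwhash):
        return None
    return {"username": username, "groups": groups.split(","), "email": email}


def eai_headers(user: dict) -> dict:
    """Response headers from which WebSEAL builds the external-user credential.

    am-eai-xattrs names the *other* headers whose values become extended
    attributes of the credential; those headers are emitted alongside it."""
    xattrs = {"email": user["email"], "authnSource": "appdb"}  # names are assumptions
    headers = {
        "am-eai-ext-user-id": user["username"],           # not looked up in LDAP
        "am-eai-ext-user-groups": ",".join(user["groups"]),
        "am-eai-auth-level": "1",
        "am-eai-xattrs": ",".join(xattrs),
    }
    headers.update(xattrs)
    return headers


class EAIHandler(BaseHTTPRequestHandler):
    db = None  # injected before serving

    def do_POST(self):
        if self.path != "/eai/login":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode("utf-8"))
        user = authenticate(self.db, form.get("username", [""])[0],
                            form.get("password", [""])[0])
        if user is None:
            self.send_response(401)  # no am-eai-* headers: WebSEAL logs nobody in
            self.end_headers()
            self.wfile.write(b"login failed\n")
            return
        self.send_response(200)
        for name, value in eai_headers(user).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(b"authenticated\n")


if __name__ == "__main__":
    EAIHandler.db = build_db()
    HTTPServer(("127.0.0.1", 8080), EAIHandler).serve_forever()
```

Run it, junction it at /eai, and POST username/password to /eai/login through WebSEAL; a successful response carries the headers and WebSEAL creates the session, while a failed login returns 401 with no am-eai-* headers at all. Note that the asserted user ID goes straight into the credential as given, so the database, not the LDAP registry, is what defines who "alice" is.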



  • 4.  RE: ISAM: EAI/InfoMap user authentication for non-directory users

    Posted Mon May 18, 2020 03:42 PM
    Hi Jon and Prashant,

    Thank you for your responses. This helped and I am able to successfully authenticate an external user (which does not exist in ISAM LDAP) using an EAI test app by returning the required headers.

    Jon, thank you for discussing different ways to implement this; I am thinking of using EAI only (non-hybrid, without InfoMap). Could you kindly suggest whether there would be any advantage that you see in going with the hybrid approach? Because at the end we have to depend on EAI, so why not only use the full EAI app for this purpose?

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 5.  RE: ISAM: EAI/InfoMap user authentication for non-directory users

    Posted Tue May 19, 2020 04:20 AM
    Hi Jahanzaib,

    The main reason I suggested the hybrid solution is to minimize the custom development effort.  A REST service to connect to DB is much smaller than an entire EAI app.  The ISAM Authentication Service already contains a lot of the logic required for an EAI application.

    However, writing your own complete EAI application will give you maximum flexibility and perhaps you prefer to have all of the authentication code in one place.  There's no problem with that if it's what you want.

    Jon.



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 6.  RE: ISAM: EAI/InfoMap user authentication for non-directory users

    Posted Mon January 11, 2021 02:47 PM
    Hi Jon,

    Thanks. I was able to achieve that using my own complete EAI application.

    Now, I am doing some more testing on the external user with respect to AAC MMFA registrations of users, and need to know how AAC differentiates between external and internal users in case the user ID is the same (as AAC identifies MMFA registrations based upon the user ID, as per my understanding).

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 7.  RE: ISAM: EAI/InfoMap user authentication for non-directory users

    Posted Tue January 12, 2021 04:07 AM
    Hi Jahanzaib,

    Simple answer: user names must be unique.  If the username is the same then the same AAC information will be accessed for that user.

    A common way to avoid username clashes is to use e-mail address as username.  This is usually unique for any user.

    If you are authenticating users from multiple sources (direct user authentication in Verify Access and External Users via EAI) *and* these users have usernames which overlap, you probably need to consider appending something to the end of the external usernames before asserting identity back to Verify Access so that they don't clash with standard users.  e.g. `@@externaluser` (or something like that).  You could still return the user's "real" username in some other credential attribute in case you need to display it etc.

    Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
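An added example, not code from the thread or from IBM, of the namespacing the reply above suggests: the external user ID asserted in am-eai-ext-user-id gets a suffix so it cannot coincide with a directory user, the real name is carried as an extended attribute for display, and a small simulation shows how a per-username MMFA registration store behaves with and without the suffix. The marker `@@externaluser`, the attribute name `realUsername` and the sample user lists are assumptions, and the store is a stand-in for AAC's real keying, which the reply describes only as "by username".

```python
"""Keeping EAI-asserted external user IDs from colliding with directory users.

Added example, not IBM code.  It assumes, as the reply above describes, that
AAC/MMFA state is keyed purely by the asserted username, and it uses an
assumed marker "@@externaluser" as the namespace suffix."""

EXT_SUFFIX = "@@externaluser"  # assumed marker; pick one the directory cannot contain


def canonical(username: str) -> str:
    """Normalise before use as a key: e-mail style IDs compare case-insensitively."""
    return username.strip().lower()


def external_subject(real_username: str, directory_users: set) -> str:
    """Value to assert in am-eai-ext-user-id for a database user.

    Refuses names that already carry the marker (a DB account named
    "bob@@externaluser" must not be able to pose as the namespaced "bob")
    and refuses if the namespaced name somehow exists in the directory."""
    real = canonical(real_username)
    if not real or EXT_SUFFIX in real:
        raise ValueError("invalid external username: %r" % real_username)
    subject = real + EXT_SUFFIX
    if subject in {canonical(u) for u in directory_users}:
        raise ValueError("namespaced subject clashes with a directory user")
    return subject


def real_username(subject: str) -> str:
    """Recover the display name from a namespaced subject."""
    if not subject.endswith(EXT_SUFFIX):
        raise ValueError("not an external subject")
    return subject[: -len(EXT_SUFFIX)]


def eai_headers(real: str, directory_users: set) -> dict:
    """Assert the namespaced ID; keep the real name as an extended attribute."""
    return {"am-eai-ext-user-id": external_subject(real, directory_users),
            "am-eai-xattrs": "realUsername",           # attribute name is assumed
            "realUsername": canonical(real)}


def mmfa_registrations(directory_users, external_users, namespaced: bool) -> dict:
    """Simulate a per-username MMFA registration store fed from both sources.

    With namespaced=False the external "alice" lands on the directory user's
    record; with namespaced=True each source keeps its own."""
    store = {}
    for u in directory_users:
        store.setdefault(canonical(u), []).append("ldap-device")
    for u in external_users:
        key = external_subject(u, directory_users) if namespaced else canonical(u)
        store.setdefault(key, []).append("db-device")
    return store
```

The check for the marker inside the incoming name is the part that matters for security: if the database lets users choose their own usernames, an attacker who registers `bob@@externaluser` and is asserted verbatim would share the namespaced record of the real external user `bob`, which is the same clash the suffix was meant to remove.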