IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  ISAM - How to get the registered device for user with REST API call

    Posted Thu October 29, 2020 02:55 AM
    Hello All,

    For one of our customers, we are creating an SPA (Single Page Application) which will handle all scenarios like Login, Forgot Password, Change Password, Unlock Me, and a Dashboard after login to access ISAM-integrated applications (with SSO).

    For each scenario, we have created a custom InfoMap. These InfoMaps are invoked from the SPA with REST API calls. Additionally, we are using TOTP as a second factor for authentication.

    With the below REST endpoint, we can get the QR code for a logged-in user, which can be used with any authenticator:
    https://hostname/mga/sps/mga/user/mgmt/otp/qr/{otpType} Using this code, I registered the user with the IBM Verify mobile application successfully.

    In the case of Forgot Password, we are asking for a username and then redirecting the user to the TOTP page. The challenge that we are currently facing is to ensure whether the user already has a device registered or not. If no device is registered, we want to show an error page instead of the TOTP page.

    But when using the
    https://hostname/mga/sps/mga/user/mgmt/device endpoint to get the registered device, it gives me an empty result.

    Is there any specific API that we can use?
    Can someone help me on this?



    ------------------------------
    Mukesh
    ------------------------------


  • 2.  RE: ISAM - How to get the registered device for user with REST API call

    Posted Thu October 29, 2020 11:22 AM
    Hi Mukesh, you can use the SCIM endpoint to get the user's data, including the user's registered devices.
    You have to have the SCIM endpoint configured and perform a request to https://<websealip>/scim/Users?filter=userName%20eq%20UserName

    Take a look at this post
    https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?MessageKey=06cfde3a-7a7f-4884-9794-d31f234ac4d7&CommunityKey=e7c36119-46d7-42f2-97a9-b44f0cc89c6d&tab=digestviewer#bm06cfde3a-7a7f-4884-9794-d31f234ac4d7

    Hope this helps you.
    Regards.


    ------------------------------
    David Vicenteño
    ------------------------------



  • 3.  RE: ISAM - How to get the registered device for user with REST API call

    Posted Tue November 03, 2020 12:00 AM
    Hi David,

    Thanks for your reply.

    I went through the SCIM endpoint /scim/Me and got to know whether a user has enrolled for TOTP or not.

    But the thing that I have observed is that when the https://test.isam.com/mga/sps/mga/user/mgmt/otp/qr/totp endpoint is called, the user gets registered for TOTP.

    But there may be a case where a user doesn't scan the barcode and closes the window, and then next time the /scim/Me API will show that the user is enrolled for TOTP.

    Is this a bug?

    We have created an SPA where, for the first time, we need to show a barcode to the user.

    How can this be done?



    ------------------------------
    Mukesh
    ------------------------------



  • 4.  RE: ISAM - How to get the registered device for user with REST API call

    Posted Wed November 04, 2020 07:49 AM
    Looking forward to the post too, thanks David

    ------------------------------
    Priyo Harjiyono
    Digital Manager
    Anotherorion.com
    Yogyakarta
    ------------------------------



  • 5.  RE: ISAM - How to get the registered device for user with REST API call

    Posted Fri October 30, 2020 02:08 AM
    Edited by Jasmine Smith Fri October 30, 2020 02:10 AM

    Hi Mukesh,

    From ISAM 9.0.7 you can see TOTP and HOTP enrollment status via SCIM:

    GET /scim/Me or /scim/Users/<scimUserID>

    {
      "meta": {
        "location": "https://localhost/scim/Users/dGVzdHVzZXI",
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:isam:1.0:OTP"
      ],
      "id": "dGVzdHVzZXI",
      "userName": "testuser",
      "name": {
        "givenName": null,
        "familyName": "user"
      },
      "urn:ietf:params:scim:schemas:extension:isam:1.0:OTP": {
        "totpEnrolled": true,
        "hotpEnrolled": true
      }
      ...
    }

    ------------------------------
    Jasmine
    ------------------------------



  • 6.  RE: ISAM - How to get the registered device for user with REST API call

    Posted Mon November 02, 2020 11:55 PM
    Hi Jasmine,

    Thanks for your reply.

    I went through the SCIM endpoint /scim/Me and got to know whether a user has enrolled for TOTP or not.

    But the thing that I have observed is that when the https://test.isam.com/mga/sps/mga/user/mgmt/otp/qr/totp endpoint is called, the user gets registered for TOTP.

    But there may be a case where a user doesn't scan the barcode and closes the window, and then next time the /scim/Me API will show that the user is enrolled for TOTP.

    Is this a bug?

    ------------------------------
    Mukesh
    ------------------------------



  • 7.  RE: ISAM - How to get the registered device for user with REST API call

    Posted Tue November 03, 2020 06:55 PM
    Hi Mukesh,

    That is not a bug. Because TOTP is an offline second factor method, there is no way for the server to confirm whether or not the user correctly scanned the QR code before they close the page. ISAM/Verify Access considers a TOTP enrollment to exist so long as the secret key has been generated, which happens when the QR code is displayed.

    Hope this helps.


    ------------------------------
    Jasmine
    ------------------------------
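Putting Jasmine's two replies together (the SCIM OTP extension in reply 5 and the "a secret exists as soon as the QR code is displayed" semantics in reply 7), here is an added example of how an SPA back end could decide the Forgot Password step. It is not code from the thread or from IBM; the `SAMPLE_*` responses are constructed to match the shape Jasmine posted, the base URL `https://webseal.example.com` is a placeholder, and the filter is built in the quoted-value form defined by SCIM 2.0 (RFC 7644) rather than the unquoted form shown in reply 2. No network call is made; the functions operate on an already-fetched JSON document.

```python
import json
import urllib.parse

# SCIM schema URN for the ISAM OTP extension, copied from the response in reply 5.
OTP_SCHEMA = "urn:ietf:params:scim:schemas:extension:isam:1.0:OTP"
LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample user, shaped like the /scim/Users/<id> response Jasmine posted.
SAMPLE_ENROLLED_USER = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
              "urn:ietf:params:scim:schemas:extension:isam:1.0:OTP"],
  "id": "dGVzdHVzZXI",
  "userName": "testuser",
  "urn:ietf:params:scim:schemas:extension:isam:1.0:OTP": {
    "totpEnrolled": true,
    "hotpEnrolled": false
  }
}
""")

# Constructed sample user with no OTP extension at all (never saw a QR code).
SAMPLE_UNENROLLED_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "bmV3dXNlcg",
    "userName": "newuser",
}

# Constructed ListResponse as returned by /scim/Users?filter=... (RFC 7644 shape).
SAMPLE_LIST_RESPONSE = {
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 1,
    "Resources": [SAMPLE_ENROLLED_USER],
}


def scim_user_lookup_url(base_url, username):
    """Build the /scim/Users?filter=userName eq "<name>" URL (RFC 7644 filter form).

    The username is embedded in a quoted string, so quotes and backslashes are
    rejected rather than risk a malformed or attacker-shaped filter expression.
    """
    if '"' in username or "\\" in username:
        raise ValueError("username must not contain quotes or backslashes")
    query = urllib.parse.urlencode({"filter": f'userName eq "{username}"'})
    return f"{base_url.rstrip('/')}/scim/Users?{query}"


def otp_enrollment(user):
    """Read the TOTP/HOTP flags from a SCIM User document.

    Per reply 7, totpEnrolled=true only means a secret was generated (the QR code
    was displayed at least once); it does not prove the user scanned it.
    """
    ext = user.get(OTP_SCHEMA) or {}
    return {
        "totp": bool(ext.get("totpEnrolled")),
        "hotp": bool(ext.get("hotpEnrolled")),
    }


def enrollment_from_list_response(list_response):
    """Extract the single matching user from a filtered /scim/Users response.

    Returns None if the filter did not match exactly one user, so the caller
    cannot accidentally act on the wrong account.
    """
    resources = list_response.get("Resources") or []
    if list_response.get("totalResults") != 1 or len(resources) != 1:
        return None
    return otp_enrollment(resources[0])


def forgot_password_next_step(enrollment):
    """Decide which page the SPA shows after the username step.

    'totp'      -> a TOTP secret exists, show the TOTP page
    'no_device' -> nothing enrolled, show the error page instead
    'unknown'   -> lookup did not resolve to exactly one user; fail closed
    """
    if enrollment is None:
        return "unknown"
    return "totp" if enrollment["totp"] else "no_device"


if __name__ == "__main__":
    print(scim_user_lookup_url("https://webseal.example.com", "testuser"))
    print(forgot_password_next_step(enrollment_from_list_response(SAMPLE_LIST_RESPONSE)))
    print(forgot_password_next_step(otp_enrollment(SAMPLE_UNENROLLED_USER)))
```

The `unknown` branch exists because a filtered lookup that returns zero or several users should not silently fall through to the TOTP page; treating it the same as "no device" would leak whether a username exists only through the error page, and treating it as enrolled would send an unverified account into the second-factor step.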



  • 8.  RE: ISAM - How to get the registered device for user with REST API call

    Posted Thu November 05, 2020 01:51 AM
    Hi Jasmine,

    Thank you very much for your help :)

    ------------------------------
    Mukesh
    ------------------------------