IBM Verify

  • 1.  OIDC Federation OP and RP

    Posted Mon November 08, 2021 09:12 PM
    Edited by Piyush Agrawal Tue November 09, 2021 04:02 AM

    I am getting groups from the OP but am unable to create a session on the RP with the same groups. The groups are Access Manager groups, but somehow it is not working.


    Current configs:

    ISVA: 10.0.2.0

    WebSEAL 1 (OP): external user logged in with AM groups

    WebSEAL 2 (RP) triggers the OIDC flow with openid,groups via https://webseal2/mga/sps/oidc/rp/fed/kickoff/webseal1

    I am able to get a session on the RP but do not see any group membership.

    The partner on federation "fed" is configured with Identity Mapping rule: OIDCRP

    // OPDC_RP.js file looks like the following
    // (the claim list and mapping table are placed before their first use;
    // in the original post they appeared after the loop that reads them)

    // Claims taken from the OP token; "amr" was listed twice in the post
    var token_attribute_names = ["name", "given_name", "family_name", "email", "phone", "locale", "acr", "attest", "amr", "orig", "access_token", "iss"];

    // Token claim name -> credential attribute name on the RP side
    var token_to_sts_attribute_mappings = {
        name: "tagvalue_eai_common_name",
        given_name: "tagvalue_credattrs_firstname",
        family_name: "tagvalue_credattrs_lastname",
        email: "tagvalue_credattrs_email",
        phone: "tagvalue_credattrs_mobile",
        channel: "tagvalue_channel",
        locale: "tagvalue_locale",
        acr: "AZN_CRED_AUTH_METHOD",
        attest: "AUTHENTICATION_LEVEL",
        amr: "AZN_CRED_AUTHNMECH_INFO",
        dest: "AZN_CRED_PRINCIPAL_DOMAIN",
        orig: "tagvalue_auth_mechanism"
    };

    // Look up the credential attribute name for a token claim; claims without
    // a mapping keep their own name (this helper is called by the post but its
    // definition was not included there)
    function tokenToSTSCredMappingAttribute(tokenAttrName) {
        var mapped = token_to_sts_attribute_mappings[tokenAttrName];
        return mapped != null ? mapped : tokenAttrName;
    }

    // Subject claim from the OP (read earlier in the rule; not shown in the post)
    var sub = stsuu.getAttributeContainer().getAttributeValueByName("sub");

    stsuu.setPrincipalName(sub.toUpperCase());

    // Rename the selected token claims to their credential attribute names
    var finalAttrs = [];
    for (var i = 0; i < token_attribute_names.length; i++) {
        var attr = stsuu.getAttributeContainer().getAttributeByName(token_attribute_names[i]);
        if (attr != null) {
            attr.setType("urn:ibm:names:ITFIM:oauth:response:attribute");
            attr.setName(tokenToSTSCredMappingAttribute(token_attribute_names[i]));
            finalAttrs.push(attr);
        }
    }

    // Replace the attribute list with the renamed attributes plus a fixed level
    stsuu.clearAttributeList();
    var authLevelAttr = new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("AUTHENTICATION_LEVEL", "urn:ibm:names:ITFIM:oauth:response:attribute", "2");
    finalAttrs.push(authLevelAttr);
    for (var i = 0; i < finalAttrs.length; i++) {
        stsuu.addAttribute(finalAttrs[i]);
    }

    // Attempt to pass the group through several context attribute names
    var grpsAttr = new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("am-eai-ext-user-groups", "urn:ibm:names:ITFIM:oauth:response:attribute", "min_oversikt");
    var grp1Attr = new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("group", "urn:ibm:names:ITFIM:oauth:response:attribute", "min_oversikt");
    var grp2Attr = new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("groups", "urn:ibm:names:ITFIM:oauth:response:attribute", "min_oversikt");
    var grp3Attr = new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("AZN_CRED_GROUPS", "urn:ibm:names:ITFIM:oauth:response:attribute", "min_oversikt");
    var extUserAttr = new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("ext-username", "urn:ibm:names:ITFIM:oauth:response:attribute", sub);

    stsuu.addContextAttribute(grpsAttr);
    stsuu.addContextAttribute(grp1Attr);
    stsuu.addContextAttribute(grp2Attr);
    stsuu.addContextAttribute(grp3Attr);
    stsuu.addContextAttribute(extUserAttr);

    I have tried to add the group one by one to the context attribute list as well as to the attribute list, but none of them is working.
    Is it possible to add groups while doing SSO between two WebSEAL reverse proxies with OIDC federation?



    ------------------------------
    Piyush Agrawal
    https://www.linkedin.com/in/piyush-norway/
    Gjensidige Norway
    ------------------------------


  • 2.  RE: OIDC Federation OP and RP

    Posted Mon November 15, 2021 06:02 AM
    Hi Piyush,

    When point of contact configuration is set for "non-Access Manager username, Access Manager groups, and extended attributes", the groups are read from the Group element of the STS Universal User object.

    To populate groups to the Groups element of the STS Universal User object you will need to first create a Group object and then add to the STSUU:

    // Adding a Group (com.tivoli.am.fim.trustserver.sts.uuser.Group)
    stsuu.addGroup(new Group("testgroup"));

    Hopefully that will give you what you need.

    This is a good presentation on STSUU object (with hat tip to the Support team):
    https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/2019-04-25-Mastering_the_STSUniversalUser-correct.pdf

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: OIDC Federation OP and RP

    Posted Thu December 02, 2021 05:14 PM
    Thank you Jon,

    I tried what you suggested and finally I have managed to add groups with
    stsuu.addGroup(new Group("groupname", "urn:ibm:names:ITFIM:5.1:accessmanager", null));


    ------------------------------
    Piyush Agrawal
    https://www.linkedin.com/in/piyush-norway/
    Gjensidige Norway
    ------------------------------
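    The two replies above show the working form: groups reach the WebSEAL credential only through STSUU Group objects of the Access Manager type, not through context attributes. The following is an added example, not code from the thread, of a mapping-rule fragment that builds those Group objects from whatever the OP sends in its groups claim instead of hard-coding one name; the claim shapes it tolerates (several attribute values, one JSON-array string, one comma-separated string) and the `groups` claim name are assumptions.

```javascript
// Added example (not from the thread): derive Access Manager groups for the
// RP session from the OP's "groups" claim instead of hard-coding group names.
var AM_GROUP_TYPE = "urn:ibm:names:ITFIM:5.1:accessmanager";

// Normalise the claim values into a clean list of group names.
// Assumption: the claim may arrive as several attribute values, as one
// JSON-array string, or as one comma-separated string; all three are handled.
function groupNamesFromClaim(values) {
  var names = [];
  var seen = {};
  for (var i = 0; values && i < values.length; i++) {
    var raw = String(values[i]).trim();
    var parts;
    if (raw.charAt(0) === "[") {
      try { parts = JSON.parse(raw); } catch (e) { parts = [raw]; }
    } else {
      parts = raw.split(",");
    }
    for (var j = 0; j < parts.length; j++) {
      var name = String(parts[j]).trim();
      // Drop empty names and duplicates so no blank or doubled group lands
      // in the credential.
      if (name.length > 0 && !seen[name]) {
        seen[name] = true;
        names.push(name);
      }
    }
  }
  return names;
}

// Add each name to the STSUU as an Access Manager group, the form the
// point of contact reads when it builds the WebSEAL credential.
// GroupCtor is the Group constructor, passed in so the helper is testable.
function addAccessManagerGroups(stsuu, GroupCtor, names) {
  for (var i = 0; i < names.length; i++) {
    stsuu.addGroup(new GroupCtor(names[i], AM_GROUP_TYPE, null));
  }
  return names.length;
}

// Inside the mapping rule, stsuu and the STS Java classes are provided by
// the runtime; this guard lets the file also load outside it.
if (typeof stsuu !== "undefined") {
  var groupsAttr = stsuu.getAttributeContainer().getAttributeByName("groups");
  if (groupsAttr != null) {
    addAccessManagerGroups(stsuu,
      com.tivoli.am.fim.trustserver.sts.uuser.Group,
      groupNamesFromClaim(groupsAttr.getValues()));
  }
}
```

    Only groups the OP actually asserts are added; a group that does not exist in the RP's Access Manager registry still yields no authorization there, so the registry stays the source of truth.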



  • 4.  RE: OIDC Federation OP and RP

    Posted Thu December 02, 2021 05:21 PM

    Now I have moved my code to production but it is failing due to the following error:


    /access_control/runtime/trace.log

    com.tivoli.am.fim.oidc10.rp.exception.OidcRuntimeException: FBTOIC116E There was an error contacting the [token]. The HTTP Status was: [400]. The JSON error code was: [invalid_request], with the description [FBTOAU232E The client MUST use the HTTP POST method when making access token requests.]
    1038 at com.tivoli.am.fim.oidc10.rp.OidcRelyingParty.handleOpJsonError(OidcRelyingParty.java:602)
    1039 at com.tivoli.am.fim.oidc10.rp.OidcRelyingParty.doTokenExchange(OidcRelyingParty.java:431)

    The same partner configuration is working on TEST (10.0.2.0) but failing on Production, version 10.0.1.0.


    I am struggling to find what can go wrong, and I also don't know which log files I should look in for this case.



    ------------------------------
    Piyush Agrawal
    https://www.linkedin.com/in/piyush-norway/
    Gjensidige Norway
    ------------------------------



  • 5.  RE: OIDC Federation OP and RP

    Posted Fri December 03, 2021 04:06 AM
    Hi Piyush,

    The error message implies that something is sending a request that is NOT a POST to the OP token endpoint. That seems strange to me because I thought all requests to the token endpoint were POSTs. Could it be that the RP has the token endpoint configured in error somewhere instead of a different endpoint?

    For tracing, I'd advise getting a trace from the AAC Runtime of the OP system. I think it is the OP that is generating the error message reported at the RP. You could also try to get a request log (or even a pdweb.snoop trace) from the OP system's Reverse Proxy so you can determine the messages being received by the token endpoint.

    If you need help determining the correct traces to enable - or analysing the traces - you should open a support case.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------