Global Security Forum

  • 1.  Outbound calls from ISAM Federation Module

    Posted Wed September 23, 2020 11:32 AM
    We are trying to consume APIs hosted by Tradelens and secured by Cloud IAM using OAuth2.0. Tradelens will be both Identity Provider and Service Provider. Below is the link that describes the OAuth configuration.

    https://docs.tradelens.com/how_to/token_generation/

    We use SAP application to push some data to Tradelens APIs.
    SAP will be secured by ISAM. The requirement is to configure ISAM as an Authorization server for OAuth. We would like to know if ISAM Federation module is capable of making outbound OAuth calls? Like requesting an access token using the authorization code etc.
    Please note we are only licensed for Federation module and do not have AAC enabled in our environment.
    If this is possible, kindly share any information link that describes how to configure ISAM Federation module to make outbound calls.  

    We've been unable to find any documentation or get updates from a PMR and were directed to ask the question in the forum to see if anyone else has seen this or has had experience with it. Any assistance would be greatly appreciated.




    ------------------------------
    Derrick Chapman
    derrickchapman2@gmail.com
    ------------------------------


  • 2.  RE: Outbound calls from ISAM Federation Module

    Posted Thu September 24, 2020 07:33 AM
    Hi Derrick,

    Before I try to help with your question, let me suggest that you would get better engagement on this topic if you post to the IAM-specific "IBM Verify" group on this community.  Here's a short link https://ibm.biz/iamcommunity.

    On your question...

    It's not completely clear to me exactly what flow you need to achieve here.  You say that ISAM is protecting SAP (which would indicate it would be acting as an OAuth Enforcement Point - validating tokens generated by itself or some 3rd Party OAuth system) but you say you need ISAM to act as an OAuth Authorization Server (indicating that you need it to generate the tokens).

    ISAM with the Federation add-on can certainly act as either an OAuth Authorization Server or an Enforcement Point.  There's quite a lot of customization possible in both roles.

    You also mention that you need ISAM to exchange an Authorization Code for an Access Token.  This is an OAuth "Client" activity.  The only time ISAM acts as a Client is when it is the Relying Party in an OpenID Connect federation.  Our OpenID Connect Relying Party implementation is also very flexible and can be used to implement standard OpenID Connect - or to retrieve an Access Token and then make this available to custom code to perform work with that token before building a session.

    So, I think there's a reasonable chance we can help you do what is required but really need to better understand the exact flow before commenting on whether it is possible and the degree of customization that might be needed.

    Hoping to hear from you in the IBM Verify group forum.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Outbound calls from ISAM Federation Module

    Posted Fri September 25, 2020 05:48 PM
    Hi Jon,

    I am working with Derrick on this requirement and would like to provide clarification.
    In our scenario, Tradelens is hosting the APIs and is secured by cloud IAM. Tradelens IAM will be handling the identity by providing Service ID & API Keys.
    Tradelens will also provide authorization by issuing authorization codes & access tokens.
    Our SAP application will be consuming Tradelens APIs. SAP will be posting a request to our ISAM Federation module which will then make callouts to Tradelens to obtain an authorization code and then exchange it for an access token.
    Are you suggesting that we create an OIDC Relying Party Federation and then add an advanced configuration mapping rule and then within the mapping rule add code to make callouts to Tradelens?
    Please advise and let me know if you need any further clarification with the requirement. Attached a couple of architecture flow diagrams for your reference.

    Thank you,
    Rajya Ponnaluri

    ------------------------------
    Rajya Ponnaluri
    ------------------------------



  • 4.  RE: Outbound calls from ISAM Federation Module

    Posted Sat September 26, 2020 03:37 AM

    Hi Rajya (and Derrick),


    Looking at the architecture pictures, you seem to have an excellent architecture for protecting inbound access to your SAP system, but I was then surprised to see that all of the arrows indicate this is an outbound connection.

    I will assume this outbound connection is one part of a wider set of use cases, but I am still concerned if you think that outbound API flows will pass through Access Manager - it doesn't work that way.

    Perhaps you are thinking Access Manager could perform token mediation with TradeLens. It *could* do this (custom coding within a federation STS module or inside a custom Authentication Service Mechanism) but I'm pretty sure it would be more efficient and easier to have API Connect do this directly. Is there a reason you particularly want to use Access Manager for token mediation?  Centralisation of keys perhaps?

    Jon. 



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------