IBM Verify

  • 1.  SAML2 Federation -- AUTHN/IDP question

    Posted Fri November 30, 2018 09:15 AM
    We have a SAML 2 federation with WebSEAL acting as the SP. We'd like access to any protected resource to fire an authn request back to the IdP, but we're struggling on the "right" way to do it without writing custom code.

    Is anyone familiar with doing this, or has anyone already done something similar? If so, did you use custom code, or was there a way to set it up directly in WebSEAL?

    ------------------------------
    Jarrett Peterson
    ------------------------------


  • 2.  RE: SAML2 Federation -- AUTHN/IDP question

    Posted Mon December 03, 2018 02:48 AM
    Edited by Peter Volckaert Mon December 03, 2018 02:49 AM
    Hi Jarrett,

    I do have experience with a similar challenge, but for OIDC. Below is a theoretical explanation on "Access Policies" to get you started.
     
    ISAM 9.0.4 introduced "Access Policies" and this is what ISAM offers for enforcing policies during a federation (OAuth, OIDC and SAML) flow. 
    Note that these policies are different from the AAC's "Access Control" policies.

    "Access Policies" consist of JavaScript code that specify conditions that must be met for a user to gain single sign-on access to applications. Access policies return a decision of accept, deny, or challenge. An example of a challenge response is the issuance of an SMS one-time password that must be confirmed by the user in order to use the target application.
    Here's the direct link in the Knowledge Center (for 9.0.6, so change to the version you're actually running): 
    https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.6/com.ibm.isam.doc/config/concept/access_policies.html

    It's key to have the Javadoc handy: so download the ISAM-javadoc.zip from the appliance.

    So: a policy drives the authentication during a federation flow (on the /sps/auth endpoint) and needs to know:
    - The user's current "authenticationlevel": e.g. 'password', 'totp', etc
    - The requested "authenticationlevel": e.g. 'password', 'totp', etc

    To get the user's current "authenticationlevel", something like the below is needed:
    // the methods this session has already authenticated with, e.g. ['password', 'totp']
    var user = context.getUser();
    var authenticationTypes = user.getAttribute("authenticationTypes").getValues();

    To get the requested "authenticationlevel"; something like the below is needed:
    // the AuthnContextClassRef URNs the SP put in the RequestedAuthnContext of its AuthnRequest
    var protocolContext = context.getProtocolContext();
    var authContext = protocolContext.getAuthnRequest().getRequestedAuthnContext();
    var acr = authContext.getAuthnContextClassRefs();

    This is not the full story, but I hope this will get you started.

    Kind regards, Peter.

    ------------------------------
    Peter Volckaert
    Sales Engineer
    IBM Security
    ------------------------------
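As an added example that is not part of the thread and not IBM's code, here is the comparison those two lookups feed into: derive the strongest level the session already holds, derive the weakest level the SP will accept, and return accept or challenge (deny when the request names a class the policy cannot map). The `LEVELS` table, the string decision values and the `makeContext` stand-in for the ISAM context object are assumptions for running the logic offline under Node; they are not ISAM's decision API, and Comparison="exact" requests are treated as "minimum".

```javascript
// Assumed ordering of authentication strength (not ISAM's own table). Keys mix the
// "authenticationTypes" values an ISAM session can carry ('password', 'totp') and
// the SAML AuthnContextClassRef URNs an SP may put in its RequestedAuthnContext.
const LEVELS = {
  'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified': 0,
  'password': 1,
  'urn:oasis:names:tc:SAML:2.0:ac:classes:Password': 1,
  'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport': 1,
  'totp': 2,
  'urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken': 2,
};

// Level of a known name, or null for anything not in the table (fail closed).
function levelOf(name) {
  return Object.prototype.hasOwnProperty.call(LEVELS, name) ? LEVELS[name] : null;
}

// Step-up decision built from the two lookups quoted in the post.
// Returns 'accept' when the session already meets the requested context,
// 'challenge' when a stronger method is needed, and 'deny' when the request
// names a class this policy cannot map. An SP that lists several classes is
// satisfied by the weakest of them ("minimum" semantics, an assumption here).
function decideStepUp(context) {
  const have = context.getUser().getAttribute('authenticationTypes').getValues();
  const acrs = context.getProtocolContext().getAuthnRequest()
    .getRequestedAuthnContext().getAuthnContextClassRefs();
  if (acrs.length === 0) return 'accept';          // nothing specific requested
  const wanted = acrs.map(levelOf);
  if (wanted.some((l) => l === null)) return 'deny';
  const current = Math.max(0, ...have.map(levelOf).filter((l) => l !== null));
  return current >= Math.min(...wanted) ? 'accept' : 'challenge';
}

// Constructed stand-in for the ISAM policy context: it exposes only the calls
// quoted above so the decision logic can be exercised offline with sample input.
function makeContext(authenticationTypes, requestedClassRefs) {
  return {
    getUser: () => ({
      getAttribute: (name) => ({
        getValues: () => (name === 'authenticationTypes' ? authenticationTypes : []),
      }),
    }),
    getProtocolContext: () => ({
      getAuthnRequest: () => ({
        getRequestedAuthnContext: () => ({
          getAuthnContextClassRefs: () => requestedClassRefs,
        }),
      }),
    }),
  };
}
```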



  • 3.  RE: SAML2 Federation -- AUTHN/IDP question

    Posted Mon December 03, 2018 05:46 AM
    Hi Jarrett,

    What you're looking for here, I think, is a way to trigger an SSO event (rather than local authentication) whenever your local Access Manager policy says that an authenticated session is required.

    There are really two ways to do this:
    1. Modify the login.html of your WebSEAL server so that it does a client-side-script redirect to trigger SAML authentication.  This redirect could be to the local ISAM Federation trigger URL (for SP-initiated SSO) or directly to the trigger URL for the Identity Provider (for IdP-initiated SSO).
    2. Create a custom obligation in AAC which is mapped to the trigger URL (either IdP or SP as above).  Then create a Context-based Access Policy which returns the obligation to trigger SSO.
    Unless you're using AAC anyway, (1) is the easiest to set up.

    Cheers... Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------