IBM Verify

  • 1.  SAML 2.0 and reverse proxy configuration

    Posted Thu April 30, 2020 02:21 PM
    Hello,

    Can someone please explain why these settings are recommended in webseal while configuring reverse proxy instance as the point of contact for SAML 2.0 federations?

    ba-auth = none
    forms-auth = https

    https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.6/com.ibm.isam.doc/config/task/ConfiguringSAML2POC.html

    Thanks,
    Niranjan Govardhan



    ------------------------------
    Niranjan Govardhan
    ------------------------------


  • 2.  RE: SAML 2.0 and reverse proxy configuration

    Posted Fri May 01, 2020 08:36 AM
    Hello Niranjan,

    I think it is more accurate to say that these are the values that are set by the REST API when configuring a Reverse Proxy as a federation Point of Contact.  That doesn't mean you couldn't change them afterwards if your environment requires something different.

    Also, worth saying that these values for Basic Authentication and Forms-based authentication are (these days) the default settings when creating a new Reverse Proxy instance.  Most systems today use Forms-based authentication in preference to Basic Authentication.

    On a Service Provider system that is only allowing authentication via federation, I believe you could disable Form-based authentication if that was desired. (Note that the login.html page will still be displayed - because EAI would be enabled - and would need to be customized to initiate federation login).

    On an Identity Provider system you need to have some authentication mechanism enabled but you could disable Form-based authentication if you were using something else.

    I hope this helps.  If you need more clarity please ask again.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: SAML 2.0 and reverse proxy configuration

    Posted Fri May 01, 2020 01:00 PM
    Hello Jon,

    Thank you for the detailed answer! It really helped to clarify my doubts. We changed these recommended settings in our environment and we didn't see any noticeable issues when we tested federation scenarios. So I was trying to understand why these settings were recommended and whether we would encounter any uncovered issues as we move to the upper environment without those. I suppose we can also remove "level = ext-auth-interface" added by REST API from configuration without any issues?

    Thanks,
    Niranjan Govardhan.

    ------------------------------
    Niranjan Govardhan
    ------------------------------



  • 4.  RE: SAML 2.0 and reverse proxy configuration

    Posted Mon May 04, 2020 02:53 AM
    Hi,

    For removing the "level" config that would depend on you being the IdP or SP. If you are the service provider, the federation runtime will create a session on WebSEAL by the eai mechanism and so of course this mechanism has to be enabled as a valid level to authenticate. If you are the IdP the config should be solely defined by the different authentication mechanisms you use.

    ------------------------------
    Laurent LA Asselborn
    ------------------------------
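    The SP/IdP distinction above can be turned into a quick configuration check. The script below is an added example, not IBM code or anything from this thread; it assumes the INI-style webseald.conf layout with the [ba], [forms], [eai] and [authentication-levels] stanzas and the eai-auth key, and uses a constructed sample file.

```python
from collections import defaultdict

# Constructed sample in webseald.conf style (not taken from a real system).
# Stanza names other than the settings quoted in the thread are assumptions.
SAMPLE_CONF = """
[ba]
ba-auth = none

[forms]
forms-auth = https

[eai]
eai-auth = https

[authentication-levels]
level = unauthenticated
level = ext-auth-interface
"""

def parse_conf(text):
    """Parse stanza/key/values, keeping repeated keys (e.g. several 'level' lines)."""
    conf = defaultdict(lambda: defaultdict(list))
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif "=" in line and stanza is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[stanza][key].append(value)
    return conf

def check_poc(conf, role):
    """Return findings for a reverse proxy acting as SAML point of contact.
    role is 'sp' or 'idp', following the distinction made in the thread."""
    findings = []
    levels = conf["authentication-levels"]["level"]
    if role == "sp":
        # SP: the federation runtime creates the session via EAI, so EAI must be
        # enabled and ext-auth-interface must be an accepted authentication level.
        if "ext-auth-interface" not in levels:
            findings.append("SP: [authentication-levels] lacks level = ext-auth-interface")
        if conf["eai"].get("eai-auth", ["none"])[0] == "none":
            findings.append("SP: [eai] eai-auth is none; EAI login cannot create a session")
    else:
        # IdP: some authentication mechanism must stay enabled. Only the three
        # mechanisms discussed in the thread are checked here.
        enabled = [k for k, s in (("ba-auth", "ba"), ("forms-auth", "forms"), ("eai-auth", "eai"))
                   if conf[s].get(k, ["none"])[0] != "none"]
        if not enabled:
            findings.append("IdP: no authentication mechanism enabled (ba, forms, eai all none)")
    return findings
```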



  • 5.  RE: SAML 2.0 and reverse proxy configuration

    Posted Mon May 04, 2020 03:26 PM
    Hi Laurent,

    Thank you for clarification.

    Thanks,
    Niranjan Govardhan.


    ------------------------------
    Niranjan Govardhan
    ------------------------------