IBM Verify

  • 1.  SAML authentication on virtual junction

    Posted Mon December 15, 2025 08:30 AM


    ------------------------------
    Marek Kembrowski
    ------------------------------


  • 2.  RE: SAML authentication on virtual junction

    Posted Tue December 16, 2025 02:51 AM

    Hi Marek,
    you need to tell your WebSEAL reverse proxy what to do when protected resources are requested. So one option is to use the local-response-redirect mechanism.
    You can configure it specifically for your virtual host junction, or for the complete reverse proxy instance (like below).

    [acnt-mgt]
    enable-local-response-redirect = yes
    
    [local-response-redirect]
    local-response-redirect-uri = <your logininitial url>


    ------------------------------
    Tom Bosmans
    ------------------------------



  • 3.  RE: SAML authentication on virtual junction

    Posted Wed December 17, 2025 03:38 PM

    Thanks, I've managed to do what I wanted with the following configuration changes:


    [session]
    shared-domain-cookie = yes

    [session-cookie-domains]
    domain = <root-domain>

    [acnt-mgt]
    http-rsp-header = x-frame-options:TEXT{DENY}
    http-rsp-header = content-security-policy:TEXT{default-src 'self'; frame-ancestors 'self'; form-action 'self';}
    http-rsp-header = x-content-type-options:TEXT{nosniff}
    http-rsp-header = x-xss-protection:TEXT{1}

    [acnt-mgt:{virtual-junction-host-label}]
    enable-local-response-redirect = yes

    [local-response-redirect:{virtual-junction-host-label}]
    local-response-redirect-uri = [login] https://<webseal>/sps/<FED-NAME>/saml20/logininitial?RequestBinding=HTTPPost&PartnerId=<ENTRA-STS-URL>/&NameIdFormat=Unspecified&AllowCreate=false&Target=<virtual-junction-url>

    A different story was that my federation didn't work at all due to some problems with the connection to the runtime (SSL handshake failure).

    I hope what I did makes sense in general.



    ------------------------------
    Marek Kembrowski
    ------------------------------
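The stanza settings in replies 2 and 3 can be sanity-checked offline before they are pushed to a reverse proxy instance. The script below is an added example and is neither part of the thread nor IBM's product code. It assumes the WebSEAL convention that a [stanza:label] section overrides the instance-wide [stanza] for the virtual host junction with that label, and it uses constructed hostnames (webseal.example.test, app.example.test, sts.example.test), a constructed federation name (myfed) and the label app-vhost in place of the <...> placeholders in the posted configuration.

```python
"""Offline sanity check for the WebSEAL stanzas posted in this thread.

Added example (not IBM's code, not from the thread). It resolves the
effective [acnt-mgt] and [local-response-redirect] settings for a virtual
host junction label, assuming the WebSEAL convention that [stanza:label]
overrides the instance-wide [stanza], and reports whether an unauthenticated
request would be redirected to the SAML logininitial URL instead of login.html.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample configuration: hostnames, federation name and the label
# "app-vhost" stand in for the <...> placeholders used in the thread.
SAMPLE_CONFIG = """
[session]
shared-domain-cookie = yes

[session-cookie-domains]
domain = example.test

[acnt-mgt]
http-rsp-header = x-frame-options:TEXT{DENY}
http-rsp-header = content-security-policy:TEXT{default-src 'self'; frame-ancestors 'self'; form-action 'self';}
http-rsp-header = x-content-type-options:TEXT{nosniff}

[acnt-mgt:app-vhost]
enable-local-response-redirect = yes

[local-response-redirect:app-vhost]
local-response-redirect-uri = [login] https://webseal.example.test/sps/myfed/saml20/logininitial?RequestBinding=HTTPPost&PartnerId=https://sts.example.test/&NameIdFormat=Unspecified&AllowCreate=false&Target=https://app.example.test/
"""

# "[type] uri" form of local-response-redirect-uri, e.g. "[login] https://..."
REDIRECT_RE = re.compile(r"^\[(?P<type>[\w-]+)\]\s*(?P<uri>\S+)$")


def parse_stanzas(text):
    """Parse INI-style stanzas; keys may repeat (http-rsp-header), so values are lists."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError(f"unparseable line: {raw!r}")
        stanzas[current].setdefault(key.strip(), []).append(value.strip())
    return stanzas


def effective(stanzas, stanza, label):
    """Instance-wide [stanza] values, overridden key by key from [stanza:label]."""
    merged = dict(stanzas.get(stanza, {}))
    merged.update(stanzas.get(f"{stanza}:{label}", {}))
    return merged


def check_vhost(text, label):
    """Return a verdict on the login redirect and response headers for one vhost label."""
    stanzas = parse_stanzas(text)
    acnt = effective(stanzas, "acnt-mgt", label)
    lrr = effective(stanzas, "local-response-redirect", label)
    findings = []

    if acnt.get("enable-local-response-redirect", ["no"])[-1].lower() != "yes":
        findings.append("local response redirect is off: WebSEAL will serve login.html")

    login_uri = None
    for entry in lrr.get("local-response-redirect-uri", []):
        m = REDIRECT_RE.match(entry)
        if m and m.group("type") == "login":
            login_uri = m.group("uri")  # last [login] entry wins
    params = {}
    if login_uri is None:
        findings.append("no [login] local-response-redirect-uri applies to this vhost")
    else:
        parts = urlsplit(login_uri)
        params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
        if not parts.path.endswith("/saml20/logininitial"):
            findings.append("login redirect does not point at a SAML 2.0 logininitial endpoint")
        for required in ("PartnerId", "Target"):
            if required not in params:
                findings.append(f"logininitial URL lacks the {required} parameter")

    # Header names injected via http-rsp-header = name:TEXT{value}
    headers = sorted(h.split(":", 1)[0].strip().lower() for h in acnt.get("http-rsp-header", []))
    return {"ok": not findings, "findings": findings, "login_uri": login_uri,
            "params": params, "headers": headers}


if __name__ == "__main__":
    for label in ("app-vhost", "other-vhost"):
        verdict = check_vhost(SAMPLE_CONFIG, label)
        print(label, "OK" if verdict["ok"] else "; ".join(verdict["findings"]))
```

Running the script reports app-vhost as OK and other-vhost as failing both checks, because the redirect is only enabled in the label-specific stanzas and the instance-wide [acnt-mgt] does not turn it on; that is exactly the situation in which WebSEAL falls back to serving login.html for a virtual host junction.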



  • 4.  RE: SAML authentication on virtual junction

    Posted Thu December 18, 2025 04:00 AM

    Hi Marek,

    I wouldn't use domain cookies (do you really need them? Do you want to have single sign-on between your virtual host junction and the other hostnames on your reverse proxy?), but for the rest it looks fine!

    Tom



    ------------------------------
    Tom Bosmans
    ------------------------------



  • 5.  RE: SAML authentication on virtual junction

    Posted Thu December 18, 2025 02:47 AM

    Hi Marek,

    To enforce SAML authentication on a virtual junction in IBM Verify Access 11, you need to ensure:

    1. Federation Configuration

      • Verify that the SAML federation with Entra is correctly configured and mapped to the junction.
      • Check that the federation is associated with the correct authentication mechanism.
    2. Junction Settings

      • On the virtual junction, set the authentication policy to use the SAML mechanism.
      • Ensure the iv-user header is enabled in the junction configuration so it can be passed to the backend after successful login.
    3. Triggering SAML Sign-In

      • Instead of the default forms login, you need to use the federation login URL (e.g., /sps/federation/saml20/login) or configure the junction to automatically redirect to the SAML login page.
      • If you are still getting login.html, check the Access Control Policy and make sure the junction is not falling back to forms authentication.
    4. Header Injection

      • After successful SAML authentication, configure the junction to inject iv-user and any other required headers to the backend.


    ------------------------------
    Venkata Sathish Reddy Ambati
    ------------------------------