IBM Verify

  • 1.  Segregating users per Reverse Proxy

    Posted Tue October 06, 2020 05:28 AM
    I have 2 different registries that are used to authenticate users: LDAP1 and LDAP2.
    I want to create 2 reverse proxies RP1 and RP2.
    How can I specify that RP1 is supposed to only authenticate users from LDAP1 and RP2 only authenticates users from LDAP2?
    To make it clearer, I don't want RP1 to authenticate users defined in LDAP2 and RP2 must not authenticate users from LDAP1.

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------


  • 2.  RE: Segregating users per Reverse Proxy

    Posted Tue October 06, 2020 06:20 AM
    Hi Joao,

    There's no simple configuration option for this; in general, Verify Access assumes a single user population (who can all authenticate to any reverse proxy) and then the use of groups and access control to limit access to resources.

    Are the Reverse Proxy instances on different appliances?  If so, you may be able to achieve what you want by NOT including the Reverse Proxy appliances in the cluster so that you can independently manage the ldap.conf file for each one.  This file specifies the federated LDAP servers that are being used so you could simply make sure that only the LDAP server you want the Reverse Proxy to use is defined in its local ldap.conf file.

    In cases where complete separation of users is required (internal vs external users for example), I've also seen the decision made to build independent Verify Access implementations for each one.  That way everything is independent - which is sometimes required for compliance.

    Perhaps others have got different ideas to share.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Segregating users per Reverse Proxy

    Posted Tue October 06, 2020 06:26 AM
    No, all users are defined in the same appliance. If they were defined in different appliances, it would be an easy thing to do.

    I can check if there is an attribute that distinguishes users from one LDAP to the other, like the suffix. Can I then use such an attribute to create an access control policy that can be applied to one reverse proxy, that allows those users to access a specific reverse proxy?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 4.  RE: Segregating users per Reverse Proxy

    Posted Tue October 06, 2020 06:49 AM
    Hi Joao,

    After a user has authenticated, their DN will be available in their credential and could be used in an AAC Context-based Access policy to permit or deny access to protected resources.  You would want to enable caching of that policy so that it is only invoked once for each session.  You might also be able to use an "authorization policy" to make this check.  Authorization Policies are XSL-based rules that are evaluated within the Reverse Proxy and so are more efficient than calling out to AAC.

    One more thought on limiting the authentication itself.  You would have more control of this if you performed authentication using the AAC Authentication Service.  In that case it would be possible to add a custom (JavaScript) step to the authentication policy which would look up the user's DN and prevent the authentication from completing if the wrong LDAP was used.  With Verify Access v10, I think it would be possible to do the suffix check first (with a lookup helper) and then forward the provided username/password to the AAC username/password mechanism only if it is acceptable.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
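The suffix check Jon describes for the custom JavaScript step, as an added example that is not code from this thread or from IBM Verify Access: plain JavaScript with constructed suffixes and DNs so it runs stand-alone (in the real policy the DN would be read from the authentication context and the result would drive the mechanism's success flag). It matches RDN components rather than raw strings, because a plain string suffix test accepts DNs from a sibling suffix such as "dc=notldap1,dc=example".

```javascript
// Added example, not IBM Verify Access API code. Constructed mapping of
// which LDAP suffix each reverse proxy instance is allowed to accept.
const PROXY_SUFFIXES = {
  RP1: ["dc=ldap1,dc=example"], // hypothetical suffix of LDAP1
  RP2: ["dc=ldap2,dc=example"], // hypothetical suffix of LDAP2
};

// Split a DN into normalized RDN components: lower-cased, whitespace
// around commas and '=' removed. An escaped comma (\,) inside a value
// does not split the component.
function dnComponents(dn) {
  return dn
    .split(/(?<!\\),/)
    .map((p) => p.trim().toLowerCase().replace(/\s*=\s*/, "="));
}

// True only when the DN ends with the whole suffix, component by
// component. String endsWith() would wrongly accept
// "uid=x,dc=notldap1,dc=example" for the suffix "dc=ldap1,dc=example".
function dnHasSuffix(dn, suffix) {
  const d = dnComponents(dn);
  const s = dnComponents(suffix);
  if (s.length > d.length) return false;
  const tail = d.slice(d.length - s.length);
  return tail.every((component, i) => component === s[i]);
}

// Decision for one authentication attempt at a given reverse proxy.
// An unknown proxy id has no allowed suffixes and is therefore denied.
function isAuthenticationAllowed(proxyId, userDn) {
  const suffixes = PROXY_SUFFIXES[proxyId] || [];
  return suffixes.some((sfx) => dnHasSuffix(userDn, sfx));
}

// Constructed attempts exercising the check: wrong registry, mixed case
// and spacing, and a look-alike suffix.
const SAMPLE_ATTEMPTS = [
  { proxy: "RP1", dn: "uid=alice,ou=people,dc=ldap1,dc=example" },
  { proxy: "RP1", dn: "uid=bob,ou=people,dc=ldap2,dc=example" },
  { proxy: "RP2", dn: "UID=Bob, OU=People, DC=LDAP2, DC=Example" },
  { proxy: "RP2", dn: "uid=mallory,dc=notldap2,dc=example" },
];

function evaluateAttempts(attempts) {
  return attempts.map((a) => ({ ...a, allowed: isAuthenticationAllowed(a.proxy, a.dn) }));
}

evaluateAttempts(SAMPLE_ATTEMPTS).forEach((r) =>
  console.log(`${r.proxy} ${r.dn} -> ${r.allowed ? "allow" : "deny"}`)
);
```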



  • 5.  RE: Segregating users per Reverse Proxy

    Posted Tue October 06, 2020 01:26 PM
    Hi, I suggest configuring for each WebSEAL instance an EAI that checks the credentials on the wanted LDAP.

    ------------------------------
    Pietro Mosini
    IBM
    Rome
    ------------------------------