IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  User mapping: access to SAML request?

    Posted Wed June 12, 2019 08:02 AM
    Hi Community,

    Migrating from TFIM to the federation module, I was wondering if there is a way to get hold of (in this case) a SAML request in the mapping module.

    We used to use a custom user mapping module, where we had the full SAML request available. The user mapping script should connect to a (HTTP) microservice and indicate the providerId in order for the microservice to identify the right mapping policies etc.

    Through the stsuu object, I can get the requestSecurityToken() that provides me with info on the ACSurl, ACSindex, nameid format, etc.
    I noticed the providerId can be found in the value of the relaystate, but as the relaystate is pretty widely (mis-)used to contain information that is vital to the workflow's operation, I am not sure if I can rely on that value.

    So the question is twofold: What is the best way to reliably get to the providerId in the usermapping module and/or (even better) is there a way to get to the full request?

    Thx,

    ------------------------------
    Kristof Goossens
    ------------------------------


  • 2.  RE: User mapping: access to SAML request?

    Posted Fri June 14, 2019 05:04 AM
    Hi Community,


    I've been investigating a bit further and noticed that the relaystate only contained the providerid by coincidence. It's in fact not related and you cannot count on it to contain the providerid.

    I solved the issue by adding an identifier for the application as an attribute for the user. This way, the information becomes available in the STSUU object.

    Kristof

    ------------------------------
    Kristof Goossens
    ------------------------------



  • 3.  RE: User mapping: access to SAML request?

    Posted Fri June 14, 2019 10:47 AM
    And after even more digging into it, turns out the providerId was right in front of me all along: it *is* in the security token in the SPNameQualifier attribute of the NameID node (child of Saml20Claims).

    Kind regards,

    ------------------------------
    Kristof Goossens
    ------------------------------



  • 4.  RE: User mapping: access to SAML request?
    Best Answer

    Posted Mon June 17, 2019 04:11 AM

    Hi Kristof,

    There is probably more than one way to do this, but here's at least one thing you can try. I'm going to assume you are doing this at a SAML IDP and are looking for information on the SP-partner?

    If so, consider using an Access Policy - this definitely has access to the SAML request via:

    var protocolContextJSON = (function() {
        var protocolContext = context.getProtocolContext();
        var protocolContextReturn = {};
        // Serialised SAML AuthnRequest received from the SP partner
        protocolContextReturn["request"] = "" + protocolContext.getAuthnRequest();
        protocolContextReturn["FederationId"] = "" + protocolContext.getFederationId();
        protocolContextReturn["PartnerId"] = "" + protocolContext.getPartnerId();
        protocolContextReturn["FederationName"] = "" + protocolContext.getFederationName();
        protocolContextReturn["PartnerName"] = "" + protocolContext.getPartnerName();
        return protocolContextReturn;
    })();

    // Now your authn request should be in protocolContextJSON["request"]

    You can also access the current user's credential in the access policy. From that you could extract tagvalue_session_index. E.g.:

    var sessionindex = null;
    var user = context.getUser();
    // user is null when no authenticated credential is present yet
    if (user != null) {
        sessionindex = user.getAttribute("tagvalue_session_index");
    }

    Using IDMappingExtCache, you can use the session index as the key, and store as the value whatever details you want from the authentication request. 

    Then later in your federation mapping rule you can retrieve those values (information about the SSO request) from IDMappingExtCache as the stsuu in the mapping rule will also contain the tagvalue_session_index.

    Make sense?



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 5.  RE: User mapping: access to SAML request?

    Posted Tue June 18, 2019 01:48 AM
    Hi Shane, 

    Thx for your comment, I was indeed trying to identify the partner in order to apply the right policies and enrichments. 
    What you describe makes indeed a lot of sense!

    Thx,

    ------------------------------
    Kristof Goossens
    ------------------------------



  • 6.  RE: User mapping: access to SAML request?

    Posted Wed June 19, 2019 02:17 AM
    Hi Shane,

    I implemented your idea as it gives more guarantees as to the needed info being available on the one hand, and I will need an access policy to do step-up authentications (and other business logic) on the other hand.

    It works elegantly, but I am wondering where the cache is maintained. Is the data stored in the database (part of the runtime container in a docker environment)?

    How can we make that cache highly available and shared between runtime instances? Can it be done through the DSC?

    Thx in advance,

    ------------------------------
    Kristof Goossens
    ------------------------------



  • 7.  RE: User mapping: access to SAML request?

    Posted Wed June 19, 2019 02:36 AM
    IDMappingExtCache is backed by the high volume runtime database. You should be fine.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 8.  RE: User mapping: access to SAML request?

    Posted Tue June 25, 2019 10:22 AM
    Thank you! That is exactly what I needed! Wow, this forum is sometimes more helpful than the service desk!

    Just a few lines of code that I used. Maybe it will help somebody implement it quicker (in my case I needed the Partner Name):

    Access policy:

    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);

    // Partner (SP) name taken from the protocol context of the incoming request
    var PartnerName=context.getProtocolContext().getPartnerName();
    // Session index of the authenticated user, used as the cache key
    var user=context.getUser();
    var tsi=user.getAttribute("tagvalue_session_index").getValue();
    // Cache entry expires after 60 seconds
    IDMappingExtUtils.getIDMappingExtCache().put(tsi,PartnerName,60);


    SAML Mapping:

    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);

    // getAttributeValuesByName returns an array; the session index is the first value
    var tsi=stsuu.getAttributeContainer().getAttributeValuesByName("tagvalue_session_index");
    // Look up the partner name stored by the access policy for this session
    var PartnerName=IDMappingExtUtils.getIDMappingExtCache().get(tsi[0]);

    ------------------------------
    Regards,
    Ivan Yartsev
    ------------------------------
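The handoff described in Shane's answer and in the snippets above (access policy stores the partner name under the session index in IDMappingExtCache; the mapping rule reads it back from the STSUU's tagvalue_session_index) modelled end to end, as an added example that is not code from this thread or from IBM. The product objects (context, user, stsuu, IDMappingExtUtils) are replaced by small in-memory stand-ins whose method names mirror the thread; those stand-ins, the constructed sample values ("partner-acme", "tsi-1234") and the fake clock are assumptions so the correlation, miss and expiry behaviour can be run offline in Node.

```javascript
// In-memory stand-in for IDMappingExtCache (assumption, not the product API):
// put(key, value, ttlSeconds) and get(key), with expiry driven by an injected clock.
function makeExtCache(now) {
  const entries = new Map();
  return {
    put(key, value, ttlSeconds) {
      entries.set(key, { value, expiresAt: now() + ttlSeconds * 1000 });
    },
    get(key) {
      const e = entries.get(key);
      if (!e) return null;                       // never stored for this session
      if (e.expiresAt <= now()) {                // TTL elapsed: drop and report a miss
        entries.delete(key);
        return null;
      }
      return e.value;
    },
  };
}

// Stand-in for the access-policy `context` object (assumption).
function makeContext(partnerName, sessionIndex) {
  return {
    getProtocolContext: () => ({ getPartnerName: () => partnerName }),
    getUser: () =>
      sessionIndex === null
        ? null
        : {
            getAttribute: (name) =>
              name === "tagvalue_session_index" ? { getValue: () => sessionIndex } : null,
          },
  };
}

// Stand-in for the STSUU seen by the mapping rule (assumption).
function makeStsuu(sessionIndex) {
  return {
    getAttributeContainer: () => ({
      getAttributeValuesByName: (name) =>
        name === "tagvalue_session_index" ? [sessionIndex] : [],
    }),
  };
}

// Access-policy side: runs at the IdP when the AuthnRequest arrives.
// Keys the partner name on the credential's session index, never on RelayState.
function accessPolicyStore(ctx, cache, ttlSeconds) {
  const user = ctx.getUser();
  if (user === null) return { stored: false, reason: "no authenticated user" };
  const tsiAttr = user.getAttribute("tagvalue_session_index");
  if (tsiAttr === null) return { stored: false, reason: "no session index" };
  const partnerName = "" + ctx.getProtocolContext().getPartnerName();
  cache.put(tsiAttr.getValue(), partnerName, ttlSeconds);
  return { stored: true, key: tsiAttr.getValue() };
}

// Mapping-rule side: runs later in the STS chain and only sees the STSUU.
function mappingRuleLookup(stsuu, cache) {
  const values = stsuu.getAttributeContainer().getAttributeValuesByName("tagvalue_session_index");
  if (!values || values.length === 0) return null;
  return cache.get(values[0]);
}

// Walks one SSO flow with constructed values: hit, miss for another session, expiry.
function demo() {
  let clock = 0;                                  // fake clock in milliseconds
  const cache = makeExtCache(() => clock);
  const ctx = makeContext("partner-acme", "tsi-1234");
  const stored = accessPolicyStore(ctx, cache, 60);
  const found = mappingRuleLookup(makeStsuu("tsi-1234"), cache);
  const wrongSession = mappingRuleLookup(makeStsuu("tsi-9999"), cache);
  clock += 61 * 1000;                             // step past the 60 s TTL
  const expired = mappingRuleLookup(makeStsuu("tsi-1234"), cache);
  return { stored, found, wrongSession, expired };
}
```

The session index is minted by the IdP for the authenticated credential, which is why it is a safer correlation key than RelayState, a request-supplied value the thread found only coincidentally carried the provider id. The TTL bounds how long a stale partner mapping can survive; a mapping rule that gets null back should treat the request as unidentified rather than fall back to a default partner.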



  • 9.  RE: User mapping: access to SAML request?

    Posted Tue June 25, 2019 04:57 PM
    Perfect. Glad it worked out.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------