IBM Verify

IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  WebSEAL HTTP transformation rule enhancements: v10.0.7.0

    Posted Thu December 14, 2023 08:30 PM

    IBM Security Verify Access v10.0.7.0 was released earlier today (15th December, 2023).  This release, among other things, contains a number of extensions to the WebSEAL HTTP transformation rules capability to make it more flexible and powerful.  

    A video has been recorded which highlights these enhancements: https://community.ibm.com/community/user/security/viewdocument/ibm-security-verify-access-v1007?CommunityKey=e7c36119-46d7-42f2-97a9-b44f0cc89c6d&tab=librarydocuments.



    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------


  • 2.  RE: WebSEAL HTTP transformation rule enhancements: v10.0.7.0

    Posted Mon December 18, 2023 10:23 AM

    I have yet to see a 2024 Roadmap for Security Verify.  Does this exist and if so, where?



    ------------------------------
    Rebecca Rivera
    ------------------------------

    Original Message


  • 3.  RE: WebSEAL HTTP transformation rule enhancements: v10.0.7.0

    Posted Wed January 10, 2024 08:56 PM

    Hi Rebecca, 
    You can get roadmap information through your account team, or via our Early Access Program. 

    https://community.ibm.com/community/user/security/blogs/ann-louise-bolger1/2020/11/01/ibm-security-verify-access-early-access



    ------------------------------
    Philip Nye
    IBM
    Gold Coast
    ------------------------------

    Original Message


  • 4.  RE: WebSEAL HTTP transformation rule enhancements: v10.0.7.0

    Posted Tue December 19, 2023 08:51 AM
    Edited by Matt Jenkins Tue December 19, 2023 08:52 AM

    @Scott Exton I don't see in the WebSEAL configuration reference where the new [http-transformations:secrets] is mentioned.  Do you have some documentation on how to set and use those secrets?

    I assume the LUA LDAP module can write to the LDAP?  If so, can it use the webseald instance bind credential?  We have a requirement to record the user's last login time and then deny authentication based on that value being too high.  I'm thinking this may allow us to do this without utilizing an EAI/InfoMap on the RTSS to reduce that external dependency.

    Also, another question.  We had a use case where we were using the user name mapping module to pull attributes off an client cert (mTLS auth) and put them into the session (i.e. subject, fingerprint, etc.).  However, when a user steps up to a different authentication level above ssl, we are losing these attributes and hence they are not available to backends after a user changes authentication levels.  I had opened an idea/RFE to enhance the product so that the session attributes are not lost during step-up.  Would LUA potentially be able to be used here to somehow prevent these attributes from getting removed from the session?  We could either continue to use the user name mapping module, and then somehow invoke LUA to preserve the attributes, or we could replace the user name mapping module with LUA by what you describe and building on the client cert auth example you gave.  Specifically we are stepping "up" from ssl to password, as this was a legacy MFA that we implemented years ago and never went to EAI/InfoMap/AAC so that we did not have the tight dependency on the RTSS for these flows.

    Thanks!

    Matt



    ------------------------------
    Matt Jenkins
    ------------------------------

    Original Message


  • 5.  RE: WebSEAL HTTP transformation rule enhancements: v10.0.7.0

    Posted Sun January 07, 2024 06:53 PM

    Matt,

     

    Sorry for the delayed response but I have only just gotten back from holidays.  In answer to your questions:

     

    1. The [http-transformations:secrets] stanza is only mentioned in the Lua scripting documentation: https://www.ibm.com/docs/en/sva/10.0.7?topic=transformation-configuration-data.  The stanza is designed to house opaque data, and the LMI will automatically obfuscate any data which is added to this stanza.  To use this stanza you just need to add a configuration entry to the stanza (either using the Web services or the LMI).  Let me know if this doesn't adequately answer your question.
    2. The LUA LDAP module can be used to write to the LDAP server.  You will be able to access the WebSEAL bind credential as this is configuration information which can be accessed from the new 'Control.getConfig()' API.
    3. You should be able to use the new session API to store data in the session, and not lose this data after a step-up operation.  You should be able to write a Lua script to set the session data based on attributes from the authenticated credential, but it would probably be safer to replace the user-mapping rule with a new Lua script.

     

    Let me know if you have any further questions.

     

    Thanks.

     

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access
    IBM Master Inventor

    cid4122760825*<a href=image002.png@01D85F83.85516C50">

     

     




    Original Message


Related Content