IBM Security Verify

  • 1.  Email OTP configuration in ISAM

    Posted Thu September 10, 2020 04:15 PM
    Hi All,

    We are currently working to set up email OTP in our ISAM 9.0.7 environment.

    We have done configuration as described in:

    Branching Authentication Policy in ISAM Advanced Access Control - Shane Weeden's Blog

    However, whenever I am trying to access emailotp with 

    https://<websealhostname>/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:emailOTP, I am getting an error "Required session data not present".

    I have also disabled distributedsessionCache from AAC policy.

    Can anyone suggest what the reason could be, and how I can branch authentication so that, after logging in, the user gets all the configured MFA and email OTP works for them?

    Regards
    Rahul Jha




    ------------------------------
    Rahul Jha
    ------------------------------


  • 2.  RE: Email OTP configuration in ISAM

    Posted Fri September 11, 2020 11:19 AM
    Edited by Enio Padilla Fri September 11, 2020 11:19 AM
    Make sure you configured the parameters for the email OTP authentication policy as described in the picture below (from Shane's blog). Also, keep in mind that with ISVA v10, branching is done out of the box, so you may want to check out ISVA v10 if possible.


    (Image from Shane's blog: emailotp_macotp_properties, https://www.ibm.com/blogs/sweeden/wp-content/uploads/2018/08/emailotp_macotp_properties-1024x641.png)

    ------------------------------
    Enio Padilla
    ------------------------------



  • 3.  RE: Email OTP configuration in ISAM

    Posted Mon September 14, 2020 01:15 AM
    Thanks Enio for your reply.

    Configuration for email OTP is present as per Shane's document, and the above configuration is also present.

    I am still getting error that "session is not present" while calling email OTP url.

    Regards
    Rahul Jha

    ------------------------------
    Rahul Jha
    ------------------------------



  • 4.  RE: Email OTP configuration in ISAM

    Posted Mon September 14, 2020 11:55 AM
    The Select2FA infomap is the one that populates the value of the deliveryAttribute based on the value of the user's emailAddress. When you get the page to select the authentication mechanism, it should show the text "Email OTP to: <emailaddress@somedomain.com>". Are you getting the email address value to show up there? If it's not showing up, then either the email address is not populated in the right user attribute or something else is missing.

    Look at the Select2FA and Pre2FA mapping rules, as the error you're getting is coming from one of these two mapping rules. You may want to put some additional tracing in these two infomaps using the IDMappingExtUtils.traceString method; you will also need to add com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils=ALL to your trace specification to get the messages into your trace.log, and then look at your trace.log to figure out why you're getting that error.

    ------------------------------
    Enio Padilla
    ------------------------------
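The check and tracing described in the reply above, as an added example that is not part of the thread and not code from Shane Weeden's blog or from the ISAM appliance. It is a stand-alone Node.js re-implementation of the piece of a Select2FA-style infomap that derives the deliveryAttribute from the user's emailAddress, plus a filter that pulls the traceString messages back out of a trace.log excerpt. The context, state and tracer objects are assumed stand-ins for the appliance-provided ones, and the trace line layout is constructed, not the exact Liberty trace.log format.

```javascript
// Added example (not from the thread or from Shane Weeden's blog): simulate the
// Select2FA infomap step that turns the user's emailAddress into the
// deliveryAttribute, so the "required session data not present" failure mode
// can be reproduced and traced offline.
//
// Assumptions: ctx.getAttribute(name) stands in for the appliance context
// lookup, state (a Map) for the infomap state map, and traceString for
// IDMappingExtUtils.traceString. None of these are the real appliance objects.

const EMAIL_ATTR = "emailAddress";
const TRACE_CLASS = "com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils";

// Core rule: derive deliveryAttribute from the user's email attribute.
// Returns the menu label on success, or a failure reason when the attribute
// is absent (the same situation that surfaces as the session-data error).
function selectEmailDelivery(ctx, state, traceString) {
  const raw = ctx.getAttribute(EMAIL_ATTR);
  const email = raw == null ? "" : String(raw).trim();
  traceString("Select2FA: " + EMAIL_ATTR + "=" + (email === "" ? "<missing>" : email));
  if (email === "") {
    traceString("Select2FA: required session data not present (" + EMAIL_ATTR + ")");
    return { ok: false, reason: "missing " + EMAIL_ATTR };
  }
  state.set("deliveryAttribute", email);
  traceString("Select2FA: deliveryAttribute=" + email);
  return { ok: true, label: "Email OTP to: " + email };
}

// Stand-in for the appliance context: attribute lookup over a plain object.
function makeContext(attrs) {
  return {
    getAttribute: (name) =>
      Object.prototype.hasOwnProperty.call(attrs, name) ? attrs[name] : null,
  };
}

// Stand-in for the trace writer: tag every message with the trace component
// name so it can be filtered out of a mixed log. Constructed layout.
function makeTracer(lines) {
  return (msg) => lines.push(TRACE_CLASS + " traceString " + msg);
}

// Pull only the traceString messages out of a trace.log excerpt.
function extractTraces(logText) {
  const marker = TRACE_CLASS + " traceString ";
  return logText
    .split("\n")
    .filter((l) => l.includes(marker))
    .map((l) => l.slice(l.indexOf(marker) + marker.length));
}

// Run the rule against a constructed set of user attributes and return the
// result, the resulting state, and the recovered trace messages.
function runScenario(attrs) {
  const log = [];
  const state = new Map();
  const result = selectEmailDelivery(makeContext(attrs), state, makeTracer(log));
  return { result, state, traces: extractTraces(log.join("\n")) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runScenario({ emailAddress: "user@example.com" }));
  console.log(runScenario({ uid: "user" })); // no emailAddress: reproduces the failure
}
```

Running the second scenario shows the trace line a practitioner would expect to find in trace.log once the IDMappingExtUtils=ALL specification is in place: the attribute is reported as missing before the rule gives up, which points at the credential attribute mapping rather than at the OTP mechanism itself.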



  • 5.  RE: Email OTP configuration in ISAM

    Posted Tue November 10, 2020 03:13 AM
    Hi Enio,

    I have successfully configured email OTP with version 9.0.6.

    Also, we will check about version 10 features.

    Thanks
    Rahul Jha

    ------------------------------
    Rahul Jha
    ------------------------------