IBM Security Verify

  • 1.  Virtual junction with custom login page

    Posted Fri February 05, 2021 11:17 AM
    Hello,

    I have a requirement. Currently we are using EAI with a custom login page, and it is working fine.
    We want to integrate another application, and they want to use their own login page and post the credentials to pkmslogin.form.

    So I have created a virtual junction and created 2 object spaces, protected and public. If the user accesses a protected page directly, WebSEAL should show the application login page instead of the EAI custom login page.

    How can this be handled?

    Also I am looking for an alternative way, if this can be implemented using the REST API urn:ibm:security:authentication:asf:password.



    ------------------------------
    krish krishna
    ------------------------------


  • 2.  RE: Virtual junction with custom login page

    Posted Mon February 08, 2021 05:36 AM
    Hi Krish,

    There are a few parts to this question.  Let me split them out.

    First, the question of triggering different (external) authentication for different junctions.

    How are you currently triggering EAI?  If it is using local-response-redirect then you can make this configuration junction-specific by adding the junction name to the [local-response-redirect] stanza.  So it would become [local-response-redirect:/junction1].  In this way, you can have access to one junction redirect to your EAI and access to a different junction redirect to the custom login page in the other application.

    Another way you might be redirecting to an EAI is via modification of the login.html page (to do a redirect).  If this is the case, you could add custom JavaScript in this page to read the current URL (in the %URL% macro) and redirect to a different login page from there.

    Second, there is the question of posting directly to pkmslogin.form.  This is possible, but have a look at what the "real" login.html file includes in its POST so that you can make sure your custom login page sends the same parameters.

    Finally, you asked about the REST API for password authentication.  You could use this from your application if you want it to perform authentication as a Single Page Application.  The body of the request to send to the password endpoint is:

    {
        "operation": "verify",
        "username": "{{user_id}}",
        "password": "{{user_pw}}"
    }

    The API will not return a redirect on authentication success - it will return a 204 (no content) message.  I *think* that the PD-S-SESSION-ID cookie will be returned with this message so that subsequent browser calls will be authenticated.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
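    As an added illustration of the junction-specific stanza Jon describes (example configuration, not from the original post or from IBM documentation; the junction name, hostnames and paths are placeholders): the default stanza keeps sending unauthenticated requests to the existing EAI, and the junction-qualified stanza overrides that for the virtual junction hosting the second application, whose own page then posts to pkmslogin.form. WebSEAL appends the TAM_OP query parameter to the redirect so the receiving page knows which operation (login, logout, ...) triggered it; verify the key names against the configuration reference for your release.

```ini
# webseald.conf (example fragment; junction name and URLs are placeholders)

# Default for the whole reverse proxy: unauthenticated requests go to the existing EAI.
[local-response-redirect]
enable-local-response-redirect = yes
local-response-redirect-uri = [login] https://eai.example.com/login

# Override for the virtual junction that serves the second application:
# its users get that application's own login page, which posts back to pkmslogin.form.
[local-response-redirect:/app2]
local-response-redirect-uri = [login] https://app2.example.com/login
```

    Only the [login] operation is overridden for /app2; other operations (logout, error pages) still fall through to the default stanza, which is the behaviour to test first when the junction-qualified stanza appears not to take effect.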



  • 3.  RE: Virtual junction with custom login page

    Posted Thu February 11, 2021 12:19 AM
    Thanks Jon, I was able to implement the form post to pkmslogin.form, and based on the response I am redirecting to the appropriate page. Now I want to implement the 2nd-level authentication (MACOTP). How can I implement this by calling the REST API for MACOTP? The custom login is hosted in the application and does a POST to pkmslogin.form, so can I call it after success to pkmslogin.form?

    ------------------------------
    krish krishna
    ------------------------------



  • 4.  RE: Virtual junction with custom login page

    Posted Thu February 11, 2021 12:32 PM
    Edited by Jon Harry Thu February 11, 2021 12:40 PM
    Hi Krish,

    After the application posts to pkmslogin.form (and login is successful) it will receive a session cookie in the response.
    If the Authentication Service APIs are called (via Reverse Proxy) with this cookie then any successful 2FA will be applied to that session.

    I couldn't see a lot of documentation on this area but perhaps this helps a bit:
    https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.6/com.ibm.isam.doc/develop/concept/con_use_curl_access_token.html
    (where bearer token is being sent here you would be sending the session cookie).

    My advice is to get a utility like Postman running so you can easily exercise the AAC API endpoint and get familiar with it.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
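    Putting Jon's two answers together in working code (an added example, not code from the thread or from IBM): the client posts the login.html fields to pkmslogin.form, keeps the PD-S-SESSION-ID cookie from the response, and then calls the Authentication Service API through the reverse proxy with that cookie attached, so whatever the policy verifies is applied to the same WebSEAL session. The API path /mga/sps/apiauthsvc?PolicyId=..., the PUT method, the exact success and failure status codes of pkmslogin.form and the credentials are assumptions; only the password-policy request body is taken from the thread. To run offline, a small in-process stand-in plays WebSEAL and AAC, so the script demonstrates the client flow, not the product's behaviour. The second factor is called the same way, with the MACOTP policy and the body given in the appliance's authentication REST API documentation.

```python
"""Added example (not from the thread or IBM): post the login.html fields to
pkmslogin.form, keep the PD-S-SESSION-ID cookie WebSEAL returns, then call the AAC
authentication service API through the reverse proxy with that cookie so the factor
is applied to the same session. A constructed in-process stand-in for WebSEAL/AAC
makes this runnable offline; the API path and status codes are assumptions."""
import json
import http.client
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

SESSION_COOKIE = "PD-S-SESSION-ID"
API_AUTHSVC = "/mga/sps/apiauthsvc"   # assumption: AAC API path behind the reverse proxy
PASSWORD_POLICY = "urn:ibm:security:authentication:asf:password"

def pkmslogin_body(username, password):
    """The fields the stock login.html posts; a custom page must send the same ones."""
    return urlencode({"username": username, "password": password, "login-form-type": "pwd"})

def password_api_body(username, password):
    """Body for the password policy, as given in the thread."""
    return json.dumps({"operation": "verify", "username": username, "password": password})

def session_cookie(set_cookie_values):
    # Return the PD-S-SESSION-ID value from a response's Set-Cookie values, or None.
    for value in set_cookie_values:
        jar = SimpleCookie()
        jar.load(value)
        if SESSION_COOKIE in jar:
            return jar[SESSION_COOKIE].value
    return None

def _exchange(host, port, method, path, body, headers):
    # One request/response; returns (status, list of Set-Cookie values).
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.headers.get_all("Set-Cookie") or []

def login_pkmslogin(host, port, username, password):
    """(success, cookie). Success = redirect plus cookie; tune to your WebSEAL config."""
    status, cookies = _exchange(host, port, "POST", "/pkmslogin.form",
                                pkmslogin_body(username, password),
                                {"Content-Type": "application/x-www-form-urlencoded"})
    cookie = session_cookie(cookies)
    return status == 302 and cookie is not None, cookie

def call_authsvc(host, port, cookie, policy_id, body):
    """Invoke a policy via the reverse proxy with the WebSEAL session cookie attached."""
    status, _ = _exchange(host, port, "PUT", f"{API_AUTHSVC}?PolicyId={policy_id}", body,
                          {"Content-Type": "application/json", "Accept": "application/json",
                           "Cookie": f"{SESSION_COOKIE}={cookie}"})
    return status

class WebSealStub(BaseHTTPRequestHandler):
    """Constructed stand-in, not the product: 302 + cookie on a good login, 200 on a bad one,
    204 from the API only when the request carries a session cookie this stub issued."""
    USERS = {"krish": "Passw0rd!"}   # constructed test credential
    SESSIONS = set()

    def do_POST(self):
        form = parse_qs(self.rfile.read(int(self.headers["Content-Length"])).decode())
        user, pw = form.get("username", [""])[0], form.get("password", [""])[0]
        if self.path == "/pkmslogin.form" and form.get("login-form-type") == ["pwd"] \
                and self.USERS.get(user) == pw:
            sid = f"sess-{len(self.SESSIONS) + 1}"
            self.SESSIONS.add(sid)
            self.send_response(302)
            self.send_header("Location", "/app/")
            self.send_header("Set-Cookie", f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly")
        else:
            self.send_response(200)   # WebSEAL would re-serve login.html with an error
        self.end_headers()

    def do_PUT(self):
        url = urlparse(self.path)
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        sid = jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else None
        body = json.loads(self.rfile.read(int(self.headers["Content-Length"])).decode() or "{}")
        policy = parse_qs(url.query).get("PolicyId", [""])[0]
        if url.path != API_AUTHSVC or sid not in self.SESSIONS:
            self.send_response(403)   # no session of ours to attach the factor to
        elif policy == PASSWORD_POLICY and body.get("operation") == "verify" \
                and self.USERS.get(body.get("username")) == body.get("password"):
            self.send_response(204)   # success: no content, no redirect (as the thread says)
        else:
            self.send_response(401)
        self.end_headers()

def run_flow(username, password):
    # Start the stub, log in via pkmslogin.form, then call the API with the session cookie.
    server = HTTPServer(("127.0.0.1", 0), WebSealStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        ok, cookie = login_pkmslogin(host, port, username, password)
        status = call_authsvc(host, port, cookie, PASSWORD_POLICY,
                              password_api_body(username, password)) if ok else None
        return {"login": ok, "api_status": status}
    finally:
        server.shutdown()
        server.server_close()
```

    run_flow("krish", "Passw0rd!") returns {'login': True, 'api_status': 204}; with a wrong password the login fails and the API is never called. Against a real deployment, switch to http.client.HTTPSConnection without weakening certificate verification: the PD-S-SESSION-ID value is a bearer credential for the whole WebSEAL session, so it must only ever travel over a verified TLS connection to the reverse proxy.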



  • 5.  RE: Virtual junction with custom login page

    Posted Thu February 11, 2021 02:16 PM
    Hello again,

    A helpful colleague (thanks Jack!) pointed out that there is documentation for the Authentication REST API on the appliance itself.  Unfortunately it's not hosted on the LMI (like some other APIs are), so you have to download the file, extract it, and then serve the directory via a web server.

    To download, go to System-->File Downloads in the LMI.
    The file on a Verify Access 10 system is ISVA-Access-Control-authn-rest-api.zip.

    After extracting to my system, I started a web server in the directory using Python (since I had it handy):

    python -m SimpleHTTPServer    # Python 2; on Python 3 use: python3 -m http.server

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------