IBM Security Verify

  • 1.  2fa authentication, username parameter

    Posted Thu January 10, 2019 12:58 PM
    Hello

    I need to verify access to a secured website by using 2fa with a fingerprint approval.

    Using the following authentication policy and adding my username I can use my registered mobile device to verify the request.

    https://webseal/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:mmfa_fingerprint&username=bhr


    I don't want users to modify the url manually so I want to implement the following use case:

    1. users need to log in with username:password first
    2. username parameter will be read from the credentials (e.g. AZN_CRED_PRINCIPAL_NAME)
    3. HTTP transformation rule will build the final URL, followed by a fingerprint approval to access the secured website

    Is this approach doable? Any other suggestions/thoughts are welcome!

    Best
    Bernhard

    ------------------------------
    Bernhard Hensler
    ------------------------------


  • 2.  RE: 2fa authentication, username parameter

    Posted Thu January 10, 2019 03:09 PM
    Hi Bernhard,

    If you want the user to log in with username and password first, why not just modify the Authentication Policy (or add a new one) which has the password mechanism right before the MMFA initiate mechanism?

    The username authenticated by the username mechanism will be in the policy context and so the MMFA will act on that user.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: 2fa authentication, username parameter

    Posted Thu January 10, 2019 05:41 PM
    Thanks Jon

    Did so, created new authentication policy with 2 workflow steps:

    Authentication is done followed by an error message:



    I basically want to achieve this:

    - reading the username parameter from a credential (the user is already logged in)
    - and forcing a mmfa authenticate with a mobile device

    Doing this manually (adding the username parameter) works flawlessly:

    https://webseal/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:tta_mmfa_fingerprint&username=bhr

    ------------------------------
    Bernhard Hensler
    ------------------------------



  • 4.  RE: 2fa authentication, username parameter

    Posted Fri January 11, 2019 09:19 AM
    The trick was to create a new fingerprint authentication policy with the following values:

    Thanks Jon!


    ------------------------------
    Bernhard Hensler
    ------------------------------



  • 5.  RE: 2fa authentication, username parameter

    Posted Mon January 14, 2019 02:29 AM
    You can do this to get the username in the session



    ------------------------------
    Pang
    ------------------------------