IBM Security Verify

  • 1.  ISAM - How to restrict multiple user session in InfoMap?

    Posted Wed February 10, 2021 08:26 AM
    Hello Team,

    We have created a custom InfoMap for login. It's working fine,
    and we have enabled DSC and the concurrent login policy (displace) restriction.
    This configuration is working and restricting user sessions,
    but we are unable to get all active sessions of the user in the InfoMap at the time of login, to provide an appropriate error message to the user or to avoid the creation of the new session.

    Or how to provide the options to select which session to keep and which session to end (new/old)?
    As we have enabled local-response-redirect.

    ------------------------------
    Mukesh
    ------------------------------


  • 2.  RE: ISAM - How to restrict multiple user session in InfoMap?

    Posted Wed February 10, 2021 04:00 PM
    Mukesh,
     
    WebSEAL provides an OOTB displacement form which will allow a user to displace an existing session if they so choose.  However, this only allows you to displace a single existing session - and does not allow you to select which session to displace from multiple active sessions.  The only way which I can think of for you to be able to query and selectively terminate sessions is by making Web service requests to the LMI - although adding a runtime dependency on the LMI is discouraged.
     
    The other option is to use Redis instead of DSC and then use the Redis APIs to manage the sessions.  Redis support was added in the recently released v10.0.1.
     
    I hope that this helps.
     
     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor



  • 3.  RE: ISAM - How to restrict multiple user session in InfoMap?

    Posted Thu February 11, 2021 04:15 AM
    Hi Scott,

    Thanks for the Help.

    Yes, I'm able to avoid session creation for a user if one already exists, by calling the LMI API from the InfoMap.

    ------------------------------
    Mukesh
    ------------------------------



  • 4.  RE: ISAM - How to restrict multiple user session in InfoMap?

    Posted Wed February 17, 2021 04:12 PM
    Hi Mukesh, Scott,

    There is actually another way to query sessions; use a WebServer Connection and make a JavaScript Client Helper library to interface to the DSessAdmin service on http://127.0.0.1:2026/DSess/services/DSessAdmin in InfoMap.

    Then, using a listSessionsRequest:
    POST /DSess/services/DSessAdmin HTTP/1.1
    Host: 127.0.0.1:2026
    Content-Type: text/xml; charset=UTF-8
    SOAPAction: "execute"
    
    <?xml version='1.0' encoding='utf-8' ?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SOAP-ENV:Body>
        <ns1:execute xmlns:ns1="http://admin.sms.am.tivoli.com">
          <ns1:request>listSessions</ns1:request>
          <ns1:inAttrs>
            <ns1:attributes>
              <ns1:name>SessionDataClass</ns1:name>
              <ns1:values>com.tivoli.am.sms.concurrent-session-key-class</ns1:values>
            </ns1:attributes>
            <ns1:attributes>
              <ns1:name>SessionDataInstance</ns1:name>
              <ns1:values>sms</ns1:values>
            </ns1:attributes>
            <ns1:attributes>
              <ns1:name>ReplicaSet</ns1:name>
              <ns1:values>www-demo</ns1:values>
            </ns1:attributes>
            <ns1:attributes>
              <ns1:name>SessionDataValue</ns1:name>
              <ns1:values>*</ns1:values>
            </ns1:attributes>
            <ns1:attributes>
              <ns1:name>MaxResults</ns1:name>
              <ns1:values>0x400</ns1:values>
            </ns1:attributes>
            <ns1:attributes>
              <ns1:name>Version</ns1:name>
              <ns1:values>6.0.0.0</ns1:values>
            </ns1:attributes>
          </ns1:inAttrs>
        </ns1:execute>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

    You then get a response in the form of:
    <?xml version='1.0' encoding='utf-8' ?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SOAP-ENV:Body>
        <ns1:executeResponse xmlns:ns1="http://admin.sms.am.tivoli.com">
          <ns1:executeReturn>
            <ns1:outAttrs>
              <ns1:attributes>
                <ns1:name>NumResults</ns1:name>
                <ns1:values>5</ns1:values>
              </ns1:attributes>
              <ns1:attributes>
                <ns1:name>ReturnedResults</ns1:name>
                <ns1:values>5</ns1:values>
              </ns1:attributes>
            </ns1:outAttrs>
            <ns1:outAttrs>
              <ns1:attributes>
                <ns1:name>SessionIndex</ns1:name>
                <ns1:values>oklK1VKBGwI+RAs9ARRMhbLlUqo5RqCsQ6n7HzBXZHpDdQuqfbg=</ns1:values>
              </ns1:attributes>
              <ns1:attributes>
                <ns1:name>SessionName</ns1:name>
                <ns1:values>unauthenticated</ns1:values>
              </ns1:attributes>
              <ns1:attributes>
                <ns1:name>SessionCreation</ns1:name>
                <ns1:values>1613484197</ns1:values>
              </ns1:attributes>
            </ns1:outAttrs>
            ...
            <ns1:result>952467756</ns1:result>
          </ns1:executeReturn>
        </ns1:executeResponse>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

    You would then need to parse the XML and query all sessions for a given user; my PoC implementation uses an Authentication Policy and the "apiauthsvc" to expose this DSessClient:
    POST /mga/sps/apiauthsvc/policy/dsessadmin_api HTTP/1.1
    Host: isva.lan
    Accept: application/json
    Content-Type: application/json
    
    {
        "userId": "unauthenticated",
        "replicaSet": "www-demo",
        "operation": "verify"
    }

    And finally you get your JSON Response:
    [
        "7AIWZ+cTQWRpVRygXnnMUnb4ZP2cH1QoXOjD9OMsl3Z3SSydW4E=",
        "TIGg8prcQ2L/k6cK40FnFU7Ie67qUJ3JCkvyvFQ6KYa90xCG9/E=",
        "W32eAOOei2rfNrHLkij3jDPh3eSfTYMYc94w/DtkpGrC4JMnbYI="
    ]

    I just did a quick PoC implementation of this, but immediately ran into the issue of parsing the XML -> I just transformed it into three separate JSON objects:
    // Array of all SessionIndex'es
    let sessions = [];
    
    /* This contains the other SessionData, e.g.:
        {"15P4wUNk6OQYGcjhxJMKSBZiytleTsnTx4bjwmPN9TcnoI9eHRk=": { "sub": "unauthenticated", "iat": "1613484195"}}
    */
    let sessionData = {};
    
    /* This contains an array of sessions per user:
        { "unauthenticated" : ["123456xml=", "654321xml="], "sec_master": ["another-sessionid"]}
    */
    let userSessions = {};

    If you're interested, I can look into ways of sharing this PoC code, although keep in mind, the XML -> JSON parsing is far from ideal. Although I think it may be more beneficial that IBM implements such a DSessClient to properly and transparently interface with the DSC, be it ISVA DSC or Redis.

    Another remark could possibly be that this operation is not supported/condoned by IBM, I just know it's possible this way :)

    Hope it helps.

    ------------------------------
    Dries Eestermans
    IS4U
    ------------------------------
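One way to turn the listSessions response above into the three structures Dries describes, and then to answer the original question (does this user already hold a session?), as an added example that is not the poster's PoC code. The SOAP response is a constructed sample with placeholder SessionIndex values, and the extraction is regex-based so it runs without an XML library; the helper names (`entry`, `parseListSessions`, `sessionsForUser`, `hasActiveSession`) are this example's own.

```javascript
// Added example (not the poster's PoC): parse a DSessAdmin listSessions SOAP response into
// sessions / sessionData / userSessions as described in the post, then answer the thread's
// question: does this user already hold a DSC session?
// Constructed sample response; the SessionIndex values are placeholders, not real ones.
function entry(index, name, created) {
  return '<ns1:outAttrs>' +
    '<ns1:attributes><ns1:name>SessionIndex</ns1:name><ns1:values>' + index + '</ns1:values></ns1:attributes>' +
    '<ns1:attributes><ns1:name>SessionName</ns1:name><ns1:values>' + name + '</ns1:values></ns1:attributes>' +
    '<ns1:attributes><ns1:name>SessionCreation</ns1:name><ns1:values>' + created + '</ns1:values></ns1:attributes>' +
    '</ns1:outAttrs>';
}
const SAMPLE_RESPONSE =
  '<?xml version=\'1.0\' encoding=\'utf-8\' ?>' +
  '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>' +
  '<ns1:executeResponse xmlns:ns1="http://admin.sms.am.tivoli.com"><ns1:executeReturn>' +
  '<ns1:outAttrs><ns1:attributes><ns1:name>NumResults</ns1:name><ns1:values>3</ns1:values></ns1:attributes>' +
  '<ns1:attributes><ns1:name>ReturnedResults</ns1:name><ns1:values>3</ns1:values></ns1:attributes></ns1:outAttrs>' +
  entry('idx-A=', 'unauthenticated', '1613484197') +
  entry('idx-B=', 'unauthenticated', '1613484250') +
  entry('idx-C=', 'sec_master', '1613484300') +
  '<ns1:result>952467756</ns1:result></ns1:executeReturn></ns1:executeResponse>' +
  '</SOAP-ENV:Body></SOAP-ENV:Envelope>';

// Walk every <ns1:outAttrs> block and collect its name/values pairs; the first block only
// carries NumResults/ReturnedResults and is kept as a completeness check.
function parseListSessions(xml) {
  const sessions = [];       // every SessionIndex
  const sessionData = {};    // SessionIndex -> { sub, iat }
  const userSessions = {};   // user -> [SessionIndex, ...]
  let expected = null;
  const blockRe = /<ns1:outAttrs>([\s\S]*?)<\/ns1:outAttrs>/g;
  const attrRe = /<ns1:name>([^<]+)<\/ns1:name>\s*<ns1:values>([^<]*)<\/ns1:values>/g;
  for (const block of xml.matchAll(blockRe)) {
    const attrs = {};
    for (const a of block[1].matchAll(attrRe)) attrs[a[1]] = a[2];
    if (attrs.ReturnedResults !== undefined) { expected = Number(attrs.ReturnedResults); continue; }
    if (!attrs.SessionIndex) continue; // skip a malformed block rather than index undefined
    const user = attrs.SessionName || 'unknown';
    sessions.push(attrs.SessionIndex);
    sessionData[attrs.SessionIndex] = { sub: user, iat: attrs.SessionCreation };
    (userSessions[user] = userSessions[user] || []).push(attrs.SessionIndex);
  }
  // complete === false means the listing was truncated (MaxResults too low) or mis-parsed.
  const complete = expected === null || expected === sessions.length;
  return { sessions, sessionData, userSessions, complete };
}
const sessionsForUser = (parsed, userId) => parsed.userSessions[userId] || [];
// The "deny a new login if one already exists" check from the thread.
const hasActiveSession = (parsed, userId) => sessionsForUser(parsed, userId).length > 0;
```

When `complete` is false the InfoMap should treat the answer as unknown rather than deny or allow on a partial listing.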