IBM Security Verify

  • 1.  ISAM Certificate endpoints

    Posted Wed May 05, 2021 02:03 PM
    If I am using a certificate to sign documents, like SAML, JWT, and more, how can I provide an ISAM URL where users can obtain the public certificate that is in an ISVA SSL keystore?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    ------------------------------


  • 2.  RE: ISAM Certificate endpoints

    Posted Wed May 05, 2021 02:39 PM
    Hi Joao,

    For an OIDC definition, the metadata file is available at:
      /<runtime junction>/sps/oauth/oauth20/metadata/<definition name>

    This points to a JWKS endpoint where public certificates are available:
      /<runtime junction>/sps/oauth/oauth20/jwks/<definition name>

    If I remember correctly, this JWKS endpoint publishes all the public certificates that are present in the keystore referenced in the definition (default is rt_profile_keys).

    For JWT support in the STS, there's a JWKS endpoint at:
    /<runtime junction>/sps/jwks

    (in my system I had to add an ACL to this endpoint to open it up for access).

    If these endpoints don't have the URL required by your service providers (they might be hard-coded to want a .well-known URL), then you can perform a URL mapping using transformation rules in the Reverse Proxy.

    There isn't a published endpoint for SAML certificates (it's not a core part of the SAML specification) but there's nothing to stop you from hosting a statically created JWKS or metadata document on the Reverse Proxy or a backend server.

    While I was searching for information on this I found a Blog by our developer @Leo Farrell which documents some of this in more depth:
    https://community.ibm.com/community/user/security/blogs/leo-farrell/2019/06/04/isam-jwks-endpoint
    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
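
The reply above lists where ISVA publishes signing keys (the OIDC metadata document, the per-definition JWKS endpoint and the STS `/sps/jwks` endpoint) but not what a relying party does with the document it gets back. The following is an added example written for this page, not code from the thread or from IBM: it reads an OIDC metadata document for its `jwks_uri`, then turns each RSA signing key in a JWKS document into a PEM public key (and, when the key carries an `x5c` chain, into PEM certificates) that a SAML or JWT verifier can load. It uses only the Python standard library, including a minimal DER encoder for the SubjectPublicKeyInfo structure. The JWKS sample and the `rt_profile_keys-example` kid are constructed for the example; the modulus is a fixed pattern, not a real key.

```python
"""Export the keys from an ISVA JWKS document (e.g. /<junction>/sps/jwks or
/<junction>/sps/oauth/oauth20/jwks/<definition>) as PEM for SAML/JWT verifiers.
Standard library only. The sample JWKS below is constructed, not a real key."""
from __future__ import annotations

import base64
import json
import textwrap


def discover_jwks_uri(metadata_json: str) -> str:
    """Step 1: the OIDC metadata document names the JWKS endpoint."""
    return json.loads(metadata_json)["jwks_uri"]


def b64url_decode(data: str) -> bytes:
    """JWK uses unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


# --- minimal DER encoder, enough for an RSA SubjectPublicKeyInfo ---
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])                      # short form
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb    # long form
    return bytes([tag]) + length + body


def _der_uint(raw: bytes) -> bytes:
    """DER INTEGER from an unsigned big-endian value (JWK 'n' and 'e')."""
    raw = raw.lstrip(b"\x00") or b"\x00"
    if raw[0] & 0x80:            # a leading 1 bit would read as negative
        raw = b"\x00" + raw
    return _der(0x02, raw)


def _pem(label: str, der: bytes) -> str:
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# AlgorithmIdentifier: rsaEncryption OID 1.2.840.113549.1.1.1 with NULL params
_RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")


def rsa_jwk_to_spki_der(jwk: dict) -> bytes:
    """RFC 7518 RSA JWK -> DER SubjectPublicKeyInfo (what 'PUBLIC KEY' PEM wraps)."""
    if jwk.get("kty") != "RSA":
        raise ValueError(f"unsupported kty {jwk.get('kty')!r}")
    rsa_public_key = _der(0x30, _der_uint(b64url_decode(jwk["n"]))
                                 + _der_uint(b64url_decode(jwk["e"])))
    # BIT STRING: one leading byte for 'unused bits' (0), then RSAPublicKey
    return _der(0x30, _RSA_ALG_ID + _der(0x03, b"\x00" + rsa_public_key))


def rsa_jwk_to_pem(jwk: dict) -> str:
    return _pem("PUBLIC KEY", rsa_jwk_to_spki_der(jwk))


def x5c_to_pems(jwk: dict) -> list[str]:
    """x5c holds standard (not url-safe) base64 DER certificates, leaf first."""
    return [_pem("CERTIFICATE", base64.b64decode(c)) for c in jwk.get("x5c", [])]


def export_jwks(jwks_json: str) -> dict[str, dict]:
    """Map kid -> PEM public key plus any certificate chain the JWK carries."""
    out: dict[str, dict] = {}
    for jwk in json.loads(jwks_json)["keys"]:
        if jwk.get("use", "sig") != "sig":
            continue                 # encryption keys do not verify signatures
        if jwk.get("kty") != "RSA":
            continue                 # EC keys need a different SPKI; not covered here
        out[jwk["kid"]] = {
            "public_key_pem": rsa_jwk_to_pem(jwk),
            "certificates": x5c_to_pems(jwk),
        }
    return out


# Constructed sample: a 2048-bit-shaped modulus built from a fixed pattern so the
# example is deterministic. It is NOT the modulus of any real key pair.
_SAMPLE_N = (1 << 2047) | int.from_bytes(b"isva-jwks-example" * 15, "big")
SAMPLE_JWKS = json.dumps({"keys": [{
    "kty": "RSA", "use": "sig", "alg": "RS256", "kid": "rt_profile_keys-example",
    "n": base64.urlsafe_b64encode(_SAMPLE_N.to_bytes(256, "big")).rstrip(b"=").decode(),
    "e": "AQAB",
}]})

if __name__ == "__main__":
    for kid, material in export_jwks(SAMPLE_JWKS).items():
        print(f"# kid={kid}\n{material['public_key_pem']}")
```

When a JWK carries `x5c`, prefer the certificate it yields: SAML relying parties usually want an X.509 certificate in their metadata, whereas a JWT library is content with the bare `n`/`e` public key. Fetch the JWKS over TLS from the reverse proxy host you already trust, and pin the lookup to the `kid` in the token header rather than trying every key.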