Hi Joao,
> When specifying the URL, which URL should be used? In the cookbook it is used
http://localhost/scim.> The URL is meant to be delivered to the AAC runtime, or reverse proxy?
If you're creating a "Server Connection" for (privileged) access to SCIM for User Self Care mechanisms, then this should connect directly to the Runtime.
Effectively the Runtime is connecting to itself so the use of
http://localhost/scim is correct. It is not going via the Reverse Proxy.
If you're creating an access point to the SCIM function for a 3rd party application or for unprivileged access for end users then this should be via the Reverse Proxy.
> If it is the AAC runtime, then localhost or policy server host should used as URL?
Unless you have changed the interface that the runtime listens on, use of localhost is correct. This is a loopback connection.
> If it is the AAC runtime, as the /scim junction backend server for the reverse proxy is localhost, should this URL be the same? Then what is /scim doing there?
The context-root for the SCIM function in the runtime is /scim so all URLs start with this. When defining the /scim junction in the Reverse Proxy it is a transparent-path junction so the /scim part of the path is passed on to the runtime.
> When creating a Server Connection for SCIM Web Service, we are supposed to add easuser and its password. Why this user and not Scim Administrator's password? To have permission to make changes in scim we must use a user that belongs to the scim admin Group!
The easuser is (by default) a member of the scimAdmin group defined in the AAC user registry. If you want to create a new user (or group if you have changed the admin group name in SCIM config) then that's fine. Using easuser is just the easiest option because it already exists in a new system.
> When Configuring Google reCAPTCHA site key, we must use a Domain. If we have ISVA configured in the intranet, and ISAM has a local domain (e.g. internal.example.com) not visible from internet, what should we use on the Domain parameter?
It is whatever domain the browser is accessing to reach the page showing the reCAPTCHA; it doesn't have to be visible from internet - it's used by Google code that runs in your browser (and probably for CSS protection too).
> Regarding the stepup resource, if we provide /scim apis from ISVA, where we have PUT /Users/{id} as an endpoint shouldn't we we apply the stepup policy to unauthenticated users to the PUT /scim/Users, because if they are authenticated, they should only be able to change their own data, since we already identified the user.
If we were to put a policy on the resource, because it is a Rest API, how can we restrict the stepup only to PUT or POST methods?
If you publish the /scim APIs via the Reverse Proxy, the junction must be configured to send the iv-user and iv-group headers and the SCIM configuration must have authorization enabled. The SCIM function will know (from iv-group header) that the end user connecting is not an administrator and so will only allow them to view and update their own information. You should not configure the system in such a way that all users can view/change other users.
If you want to limit access to different HTTP methods this is possible via ACL. It's even possible to remap which permission bits apply to which methods if you want more fine-grained control. This isn't step-up though. You can't specify step-up per method using POPs. I think you would have to use AAC context-based access for this.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
Original Message:
Sent: Tue April 20, 2021 12:47 PM
From: Joao Goncalves
Subject: Analysing User Self Care in ISAM Cookbook
Although there are some duplication from USC cookbook and MMFA cookbook both written by Jon Harry, there are some specific thing related to USC that I would like to have further explanation:
- When specifying the URL, which URL should be used? In the cookbook it is used http://localhost/scim.
- The URL is meant to be delivered to the AAC runtime, or reverse proxy?
- If it is the reverse proxy, then there must be defined a scim junction, and open http port. Shouldn't this reverse proxy or the junction be restricted to ISAM internal use only, and consequently not available to other users through the reverse proxy? In fact, the /scim junction has the localhost as the backend server.
- I already user the reverse proxy (not localhost) with the /scim function and seems to work, but it is inefficient, so there must be a better way of doing this.
- If it is the AAC runtime, then localhost or policy server host should used as URL?
- If it is the AAC runtime, as the /scim junction backend server for the reverse proxy is localhost, should this URL be the same? Then what is /scim doing there?
- When creating a Server Connection for SCIM Web Service, we are supposed to add easuser and its password. Why this user and not Scim Administrator's password? To have permission to make changes in scim we must use a user that belongs to the scim admin Group!
- When Configuring Google reCAPTCHA site key, we must use a Domain. If we have ISVA configured in the intranet, and ISAM has a local domain (e.g. internal.example.com) not visible from internet, what should we use on the Domain parameter?
- Regarding the stepup resource, if we provide /scim apis from ISVA, where we have PUT /Users/{id} as an endpoint shouldn't we we apply the stepup policy to unauthenticated users to the PUT /scim/Users, because if they are authenticated, they should only be able to change their own data, since we already identified the user.
- If we were to put a policy on the resource, because it is a Rest API, how can we restrict the stepup only to PUT or POST methods?
------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------