IBM Security Verify

 View Only
  • 1.  Is it possible to add response headers in IAG?

    Posted Mon August 31, 2020 06:25 AM
    Hello

    I am trying IAG and I would like to add a header to the response. Is it possible? I was reading the documentation but I don't think so. 

    Regards

    ------------------------------
    Javier Garcia Pazos
    ------------------------------


  • 2.  RE: Is it possible to add response headers in IAG?

    Posted Tue September 01, 2020 03:18 AM
    There are two ways that you can do this:

    1. Create a HTTP transformation rule to add in the response header: https://iamdevportal.us-east.mybluemix.net/iag/references/yaml/policies/http-transformations/response

    2. Add an advanced configuration entry (https://iamdevportal.us-east.mybluemix.net/iag/references/yaml/advanced/configuration) which adds the static response headers in, using the legacy WebSEAL [rsp-header-names] configuration.

    I hope that this helps.

    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------



  • 3.  RE: Is it possible to add response headers in IAG?

    Posted Tue September 01, 2020 11:53 AM
    Hello Scott,

    I am trying with the HTTP Transformation but I think it is not possible to apply the HTTP Transformation if the session is expired. I would like to modify redirect response to Identity Provider if Accept header doesn't contain "html" string.

    Regards

    ------------------------------
    Javier Garcia Pazos
    ------------------------------



  • 4.  RE: Is it possible to add response headers in IAG?

    Posted Tue September 01, 2020 04:21 PM
    Javier,

    Unfortunately you are correct and HTTP response transformation rules won't be triggered if the session has expired.

    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------



  • 5.  RE: Is it possible to add response headers in IAG?

    Posted Wed September 02, 2020 02:14 AM
    Thanks a lot Scott,

    just other question: do you know how to avoid redirecting xhr requests, sending back a different status code than 302, or controlling session expiration from these xhr requests?

    Regards

    ------------------------------
    Javier Garcia Pazos
    ------------------------------