IBM Security Verify

  • 1.  isam access policy with AD group info

    Posted Wed July 22, 2020 10:02 AM
    Howdy everyone,
             We have a requirement where we need to write an access policy that should get group info from AD and verify it. This policy will be attached to a SAML partner to prevent unauthorized access (whoever is not in that AD group). Did anyone work on a requirement like this one before? Looking for sample code or a way to do it (how can we make a connection to AD since we can't use stsuu). Appreciate it in advance.

    Thanks
    MK

    ------------------------------
    MK
    ------------------------------


  • 2.  RE: isam access policy with AD group info

    Posted Thu July 23, 2020 05:01 AM
    Hi MK,

    Just to clarify... are you trying to perform this group check on Identity Provider or on Service Provider?

    Is the Active Directory you want to read groups from a "federated directory" in your Access Manager system or is it totally independent?

    Perhaps you could provide a little more information on the flow of user data through the federation so we can understand the requirement better.

    Inside the JavaScript you use to write an Access Policy, you do have access to a Helper class (LDAP Lookup Helper) but based on other appends on this forum, I think this really only works if the Active Directory is federated into Access Manager (others can comment on this).

    There is a more generic Helper in the latest product version (Verify Access v10) but I think there have been some challenges here related to class whitelisting (others can comment if those have been fixed yet).  What version are you using?

    Anyway, please give us a little more detail and the community will try to assist you with the best approach.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: isam access policy with AD group info

    Posted Thu July 23, 2020 10:26 AM
    Hi Jon,
         Thanks for your response. We are doing it on the IDP while adding the SP to our IDP. That way we can prevent unauthorized access to the SP.

    Our ISAM version is 9.0.5. And the AD is not integrated with ISAM (that is our challenge as well). Earlier, while doing SAML mapping files, I used to do it this way.

    Create a new server connection to AD. By using an attribute source to get the attributes we want from AD (e.g. group info) using the server connection to AD, and then use the mapping file to add those attributes via stsuu. Since access policy won't support stsuu, I'm looking for a better way to make a connection to AD and retrieve groups from AD.

    I hope I answered all your questions; if not, please let me know. Btw, migration to V10 is not in play right now, so we have to work with what we have right now. Thanks for your help again.

    Thanks
    MK

    ------------------------------
    Madhu Kolli
    ------------------------------



  • 4.  RE: isam access policy with AD group info

    Posted Thu July 23, 2020 12:43 PM
    Hi MK,

    What's the reason why you cannot continue to use the method that was working?

    If you add an attribute source which pulls the group information from AD using LDAP, couldn't you then check the group membership in a partner-specific JavaScript mapping rule and throw an exception if the required groups are not found?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
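
    The mapping-rule approach Jon describes above, as an added example that is not code from this thread or from IBM: the group values that the attribute source placed into the STSUU are read, matched against an allow-list, and the federation is denied with an STS exception when no allowed group is present. The attribute name `memberOf`, the allowed group names, and the `stsuu` / `IDMappingExtUtils.throwSTSException` wiring at the bottom are assumptions about the mapping-rule environment; the check itself is a plain function so it runs and can be tested outside ISAM.

```javascript
// Added example (not from the thread or IBM): partner-specific group check for a
// SAML mapping rule. Written with var/function so it also suits the Rhino engine.

// Groups allowed to reach this partner; constructed values for the example.
var REQUIRED_GROUPS = ["sp-users", "sp-admins"];

// AD returns memberOf values as DNs ("CN=sp-users,OU=Groups,DC=example,DC=com");
// extract the CN, but also accept a plain group name. Comparison is case-insensitive.
function groupCommonName(value) {
  var m = /^\s*CN=([^,]+)/i.exec(String(value));
  return (m ? m[1] : String(value)).trim().toLowerCase();
}

// Fail closed: true only if at least one of the user's groups is allowed.
// A missing or empty group attribute counts as "not a member".
function isMemberOfRequiredGroup(groupValues, requiredGroups) {
  if (!groupValues || groupValues.length === 0) return false;
  var allowed = {};
  for (var i = 0; i < requiredGroups.length; i++) allowed[requiredGroups[i].toLowerCase()] = true;
  for (var j = 0; j < groupValues.length; j++) {
    if (allowed[groupCommonName(groupValues[j])]) return true;
  }
  return false;
}

// Reads the group attribute from an STSUU attribute container (anything exposing
// getAttributeValuesByName) and denies via throwFn when the check fails.
function enforceGroupPolicy(attributeContainer, attrName, requiredGroups, throwFn) {
  var values = attributeContainer.getAttributeValuesByName(attrName);
  var groups = [];
  if (values) for (var i = 0; i < values.length; i++) groups.push(String(values[i]));
  if (!isMemberOfRequiredGroup(groups, requiredGroups)) {
    throwFn("User is not a member of a group authorized for this partner");
    return false;
  }
  return true;
}

// Mapping-rule entry point; assumed environment names, guarded so the file also
// runs stand-alone in Node where they do not exist.
if (typeof stsuu !== "undefined" && typeof IDMappingExtUtils !== "undefined") {
  enforceGroupPolicy(stsuu.getAttributeContainer(), "memberOf", REQUIRED_GROUPS,
    function (msg) { IDMappingExtUtils.throwSTSException(msg); });
}
```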



  • 5.  RE: isam access policy with AD group info

    Posted Thu July 23, 2020 03:16 PM
    Hi Jon,
       Yes, you are right. We could do it that way as well. I have that option as plan B in case the access policy won't work. However, I do want to see if there is a way to do it via access policy as well. Hence I started this quest. If you or anyone has any ideas on how to make the access policy work, do let me know; otherwise I will go with the mapping file option.

    Thanks
    MK

    ------------------------------
    Madhu Kolli
    ------------------------------