IBM Security Verify

  • 1.  Two tokens on tfim-sso junction

    Posted Thu November 05, 2020 10:10 AM
    We have a junction set up now for inserting a SAML token in a header using the tfim-sso configuration.  We would like a second header with a JWT token inserted on the same junction; however, it does not appear to be possible to configure the same junction twice.  Any suggestions to achieve this are appreciated.

    ------------------------------
    Caroline Waters-Batko
    ------------------------------


  • 2.  RE: Two tokens on tfim-sso junction

    Posted Thu November 05, 2020 11:56 AM

    Hello Caroline,

    I agree with your assessment that it is not possible to use the TFIM-SSO capability to include multiple tokens into different HTTP headers for a single junction.  I assume using different junctions is not possible.

    In the specific case of JWT and SAML, perhaps it's worth noting that in Verify Access v10 there is now built-in support in the Reverse Proxy to generate a JWT and include it in an HTTP header to the backend (with the caveat that complex claim mapping is not possible).  This is independent of the TFIM-SSO capability and so I expect it would be possible to have a JWT included using this new function while maintaining the existing TFIM-SSO function to add a SAML token.

    The only other approach I can think of would be to send one token in the SSO flow and then have the application call our STS with that token to obtain the other one.  I don't know if that's feasible in your architecture.

    Jon.



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Two tokens on tfim-sso junction

    Posted Thu November 05, 2020 12:21 PM
    Thanks for the confirmation and tip on V10. Really good to hear.

    ------------------------------
    Caroline Waters-Batko
    ------------------------------