IBM Security Verify


InfoMap (isam 9.0.6.0)

  • 1.  InfoMap (isam 9.0.6.0)

    Posted Thu February 28, 2019 12:36 PM
    Hi,

    I have played around a bit with the InfoMap from "An Introduction to the InfoMap Authentication Mechanism in ISAM 9.0.2 - Shane Weeden's Blog".

    When I tried the example I had some findings and questions.

    InfoMap (AAC) sets the headers
    am-eai-user-id: fim
    am-eai-xattrs: authenticationTypes,authenticationMechanismTypes
    If you have customized the key to something else, like am-eai-bad-user-id or am-eai-bad-xattrs, it won't work.

    ** Note to self: Don't touch the defaults **

    Question: Is this documented?

    When I test the InfoMap I always get

    am-eai-user-id: fim
    am-eai-xattrs: authenticationTypes,authenticationMechanismTypes

    Question: is the user "fim" hardcoded somewhere?

    Question: if I wish to send the user after login somewhere else, how do you do that?

    Some troubleshooting logs, if you have time to look at this. They are just snippets from the log; not sure if it helps.

    pdweb.debug

    2019-02-28-17:34:23.203+01:00I----- thread(8) trace.pdweb.debug:2 /build/isam/src/i4w/pdweb/webseald/ras/trace/debug_log.cpp:220: ----------------- PD <=== BackEnd -----------------
    Thread 8; fd 258; local 127.0.0.1:50034; remote 127.0.0.1:443
    HTTP/1.1 200 OK
    connection: Close
    content-language: en-US
    content-length: 0
    date: Thu, 28 Feb 2019 16:34:23 GMT
    x-frame-options: SAMEORIGIN
    cache-control: no-cache="set-cookie, set-cookie2"
    expires: Thu, 01 Dec 1994 16:00:00 GMT
    authenticationmechanismtypes: urn:ibm:security:authentication:asf:mechanism:username_login
    am-eai-user-id: fim
    am-eai-xattrs: authenticationTypes,authenticationMechanismTypes
    authenticationtypes: urn:ibm:security:authentication:asf:username_login
    Set-Cookie: LtpaToken2=""; Path=/; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Secure; HttpOnly
    Set-Cookie: LtpaToken2=""; Path=/; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Secure; HttpOnly

    aac trace log

    [2/28/19 18:03:15:156 CET] 00000089 id=00000000 com.tivoli.am.fim.fedmgr2.authservice.util.IvCredHelper 3 buildTamPrincipal Adding attribute: authenticationTypes
    [2/28/19 18:03:15:156 CET] 00000089 id=00000000 com.tivoli.am.fim.fedmgr2.authservice.util.IvCredHelper 3 buildTamPrincipal Adding attribute: authenticationMechanismTypes
    [2/28/19 18:03:15:156 CET] 00000089 id=00000000 com.tivoli.am.fim.fedmgr2.authservice.util.IvCredHelper > buildTamPac ENTRY
    [2/28/19 18:03:15:157 CET] 00000089 id=00000000 com.tivoli.am.fim.fedmgr2.authservice.util.IvCredHelper 3 buildTamPac building pac, setting principal name of: fim


    ------------------------------
    Regards Mikael
    ------------------------------


  • 2.  RE: InfoMap (isam 9.0.6.0)

    Posted Thu February 28, 2019 01:02 PM
    The best way to solve something is to ask; that makes you think.

    Found that I had lost a row. If this is not set, it will set the user to "fim".
    context.set(Scope.SESSION, "urn:ibm:security:asf:response:token:attributes", "username", username);

    ------------------------------
    Regards Mikael
    ------------------------------
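    An added example (not code from the thread or from IBM): a small Node script that parses the EAI response headers from a pdweb.debug snippet like the one in post 1 and flags the two findings from posts 1 and 2: a principal of "fim", which the thread found is what the auth service uses when the InfoMap never sets the "username" response token attribute, and am-eai-xattrs entries for which no matching header is present. The header names default to WebSEAL's am-eai-user-id and am-eai-xattrs; if the [eai] stanza was customised, pass the custom names. The trace text is constructed, modelled on the posted one, and the "fim" fallback is taken from the thread's observation rather than from documentation.

```javascript
// Added example: check an EAI response captured in pdweb.debug for the
// mistakes discussed in the thread. Not ISAM code; plain Node.js.

// Constructed trace snippet, modelled on the one posted in the thread.
const SAMPLE_TRACE = `HTTP/1.1 200 OK
connection: Close
content-length: 0
authenticationmechanismtypes: urn:ibm:security:authentication:asf:mechanism:username_login
am-eai-user-id: fim
am-eai-xattrs: authenticationTypes,authenticationMechanismTypes
authenticationtypes: urn:ibm:security:authentication:asf:username_login
Set-Cookie: LtpaToken2=""; Path=/; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Secure; HttpOnly`;

// Header names WebSEAL reads by default ([eai] stanza). If eai-user-id-header or
// eai-xattrs-header were customised, pass the custom names to checkEaiResponse.
const DEFAULT_EAI = { userId: 'am-eai-user-id', xattrs: 'am-eai-xattrs' };

// Principal the auth service used in the thread when the InfoMap never set the
// "username" token attribute (assumption taken from posts 1 and 2, not from docs).
const FALLBACK_PRINCIPAL = 'fim';

// Parse "Name: value" lines into a map keyed by lower-cased header name.
// Header names are case-insensitive, and the trace shows WebSEAL lower-casing
// them (authenticationmechanismtypes vs. the camelCase name in am-eai-xattrs),
// so every lookup below is case-insensitive. Repeated headers are kept as arrays.
function parseHeaders(trace) {
  const headers = {};
  for (const line of trace.split('\n').slice(1)) { // slice(1) skips the status line
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return headers;
}

// Returns the principal WebSEAL would authenticate and a list of findings.
function checkEaiResponse(trace, eai = DEFAULT_EAI) {
  const headers = parseHeaders(trace);
  const findings = [];

  const user = headers[eai.userId.toLowerCase()];
  if (!user) {
    findings.push(`no ${eai.userId} header: WebSEAL will not authenticate this session`);
  } else if (user[0] === FALLBACK_PRINCIPAL) {
    findings.push(`principal is the fallback "${FALLBACK_PRINCIPAL}": the InfoMap did not set the username token attribute`);
  }

  // Every name listed in the xattrs header must exist as a header of its own,
  // otherwise that attribute silently never reaches the credential.
  const xattrs = headers[eai.xattrs.toLowerCase()];
  if (xattrs) {
    for (const name of xattrs[0].split(',').map((s) => s.trim()).filter(Boolean)) {
      if (!headers[name.toLowerCase()]) {
        findings.push(`${eai.xattrs} lists "${name}" but no such header is present`);
      }
    }
  }

  return { principal: user ? user[0] : null, findings };
}

// Usage: node eai-check.js
console.log(checkEaiResponse(SAMPLE_TRACE));
```

    Run against the posted snippet it reports only the "fim" principal; swap the header names for the customised ones from post 1 (am-eai-bad-user-id) and it reports that WebSEAL sees no user-id header at all, which is the symptom Kristof's reply below addresses.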



  • 3.  RE: InfoMap (isam 9.0.6.0)

    Posted Fri March 01, 2019 02:52 AM
    Hi Mikael,

    In addition to your own findings, you can customise the response headers the InfoMap sends as you desire. In that case, you need to make sure WebSEAL picks them up too.

    This is done in the EAI configuration of your WebSEAL instance. For the user and xattrs, take a look at eai-user-id-header and eai-xattrs-header.

    You'll find more info on eai settings here: https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.6/com.ibm.isam.doc/wrp_stza_ref/reference/ref_eai_stza.html

    Cheers


    ------------------------------
    Kristof Goossens
    ------------------------------



  • 4.  RE: InfoMap (isam 9.0.6.0)

    Posted Fri March 01, 2019 03:41 AM
    Hi,

    About "Question: if i wish to send the user after login somewhere else how do you do that?"

    Take a look at eai-redir-url-header in WebSEAL's eai stanza.
    Links: 
    • https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.6/com.ibm.isam.doc/wrp_stza_ref/reference/ref_eai_redir_url_hdr.html
    • https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.6/com.ibm.isam.doc/wrp_config/concept/con_http_hdr_ref.html

    Kind regards, Peter



    ------------------------------
    Peter Volckaert
    Sales Engineer
    IBM Security
    ------------------------------



  • 5.  RE: InfoMap (isam 9.0.6.0)

    Posted Fri March 01, 2019 04:16 AM
    Hi,

    Thanks for the links :-)
    I understand the headers and how to use them, but not how I set them in the InfoMap.

    But I guess from looking at other code that you set the headers something like this.

    context.set(Scope.REQUEST, "urn:ibm:security:asf:response:header", "am-eai-user-id", "user123");

    Is this equal to this line:

    context.set(Scope.SESSION, "urn:ibm:security:asf:response:token:attributes", "username", param);

    And where can I find information on urn:ibm:security:asf:response:token:attributes?
    If I google it I only find Shane's blog ;-)

    ------------------------------
    Regards Mikael
    ------------------------------



  • 6.  RE: InfoMap (isam 9.0.6.0)

    Posted Fri March 01, 2019 05:00 AM
    Specifically on the response token attributes - https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.2.1/com.ibm.isam.doc/admin/ref/authpolicyprops.html#Credentials

    If it doesn't take you there, scroll down to Context attributes and look for the Authentication Service credential row.  You'd need to iterate over that to see what was in there using the InfoMap trace logging.

    ------------------------------
    Scott Andrews
    ------------------------------



  • 7.  RE: InfoMap (isam 9.0.6.0)

    Posted Fri March 01, 2019 04:43 AM
    Hi Mikael.
    Have a look at "IBM Target URL redirection: How do I change the redirect URL from a TFIM or ISAM mapping rule?"



    ------------------------------
    Scott Andrews
    ------------------------------



  • 8.  RE: InfoMap (isam 9.0.6.0)

    Posted Fri March 01, 2019 04:56 AM
    The InfoMap version is - 
    context.set(Scope.SESSION, "urn:ibm:security:asf:response:token:attributes", "itfim_override_targeturl_attr", "/someURL");

    The JavaDoc from the appliance downloads area and the other references above about the various context attributes (session, etc.) will help you with what you need.

    You don't need to set the EAI headers in your InfoMap.  The consumption of the attributes to authenticate the user to WebSEAL and enrich the credential is done by the auth service.   Provided you exit the InfoMap cleanly and you trigger it via the authentication policy, you'll get what you need.

    Also take a look at - 
    https://www.ibm.com/developerworks/community/wikis/home?lang=es#!/wiki/W3180eb23c62c_4bcb_afa1_85cd0cacc66c/page/InfoMap%20Resources and https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/W3180eb23c62c_4bcb_afa1_85cd0cacc66c/page/Toast%20Message%20InfoMap%20Sample (second is cross-linked anyhow).

    I can also send you a sample InfoMap (based on AppX deployment pattern) that shows an example of using a HTTP client in the logic to validate against some external source at runtime and uses the Server Connections feature to hold the values of the connection details so you're not hardcoding variables in to the InfoMap JS.

    ------------------------------
    Scott Andrews
    ------------------------------



  • 9.  RE: InfoMap (isam 9.0.6.0)

    Posted Sun March 03, 2019 07:40 AM
    Thanks Scott, the links and advice have been very helpful. :-)

    I've almost got the login flow as I wanted, but there is one thing I can't find.
    I want to take out the query parameter in the first request to the authentication mechanism (InfoMap).

    Let's say that you do a GET on this URL.
    /mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:username_login&client_id=12345

    I wish to get the client_id and put it in the session so I can use it in the next step. I have almost all logging on but can't find a way to extract it.

    Can you point me in the right direction?



    ------------------------------
    Regards Mikael
    ------------------------------



  • 10.  RE: InfoMap (isam 9.0.6.0)

    Posted Sun March 03, 2019 11:48 AM
    Hi,

    The below should work:
    var client_id = context.get(Scope.REQUEST, "urn:ibm:security:asf:request:parameter", "client_id");
    var client_id_param = client_id + "";

    So: yes, query parameters are made available in the same "urn:ibm:security:asf:request:parameter" realm as parameters within the body of a POST.

    Kind regards, Peter.

    ------------------------------
    Peter Volckaert
    Sales Engineer
    IBM Security
    ------------------------------



  • 11.  RE: InfoMap (isam 9.0.6.0)

    Posted Mon March 04, 2019 02:51 AM
    Hi,

    I tried it but I only get null; it looks like the InfoMap is only executed when you do the POST request, not on the initial GET request.

    ------------------------------
    Regards Mikael
    ------------------------------



  • 12.  RE: InfoMap (isam 9.0.6.0)

    Posted Mon March 04, 2019 03:07 AM
    Hi,

    That is odd, because I successfully use a query parameter in my InfoMap, and in fact use it to determine what the InfoMap should do. So it's used for the initial request. Are you on 9.0.6? Maybe the underscore is not OK, not URL safe? Try using clientid instead of client_id, or make it URL safe.
    To troubleshoot you can log all the incoming parameters in your InfoMap:
    var parameters = context.get(Scope.REQUEST, "urn:ibm:security:asf:request", "parameters");
    IDMappingExtUtils.traceString("parameters"+parameters);

    Kind regards, Peter

    ------------------------------
    Peter Volckaert
    Sales Engineer
    IBM Security
    ------------------------------



  • 13.  RE: InfoMap (isam 9.0.6.0)

    Posted Mon March 04, 2019 03:21 AM
    Hi Peter,

    Thanks! You are right, I got it working now :-)

    ------------------------------
    Regards Mikael
    ------------------------------



  • 14.  RE: InfoMap (isam 9.0.6.0)

    Posted Mon March 04, 2019 03:17 PM
    Hi,

    Hopefully a last question regarding infomap.

    Let's say you hit the OAuth2 endpoint:

    /mga/sps/oauth/oauth20/authorize?client_id=12345&response_type=code&scope=god&redirect_uri=https://localhost/&state=123456

    If you are not logged in, by default it goes to
    /sps/auth

    But I would like it to go to my InfoMap authentication:
    /mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:username_login&client_id=12345&response_type=code&scope=god&redirect_uri=https://localhost/&state=123456

    Can I solve this via some advanced setting or via the PostTokenGeneration / PreTokenGeneration mapping rule?


    ------------------------------
    Regards Mikael
    ------------------------------



  • 15.  RE: InfoMap (isam 9.0.6.0)

    Posted Tue March 05, 2019 06:35 AM
    I tried setting all the macros to see if I could solve it with login.html,

    but no luck :(

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
    <HTML>
    <HEAD>
    <meta name="description" content="Wait for login page...">
    <SCRIPT language="JavaScript">
    var loc = %LOCATION%
    var url = %URL%
    var referer = %REFERER%;
    var back_url = %BACK_URL%;
    var hostname = %HOSTNAME%;
    var http_base = %HTTP_BASE%;
    var https_base = %HTTPS_BASE%;
    var ref_encoded = %REFERER_ENCODED%;
    var url_encoded = %URL_ENCODED%;
    var tam_op = %TAM_OP%
    </SCRIPT>
    </HEAD>
    <BODY>
    <noscript>This page uses Javascript. Your browser either doesn't support Javascript or you have it turned off. To see this page as it is meant to appear please use a Javascript enabled browser.</noscript>
    </BODY>
    </HTML>

    This gives in the response:

    <SCRIPT language="JavaScript">
    var loc =
    var url = /mga/sps/auth
    var referer = none;
    var back_url = /;
    var hostname = api.example.com;
    var http_base = http://api.example.com;
    var https_base = https://api.example.com;
    var ref_encoded = none;
    var url_encoded = /mga/sps/auth;
    var tam_op = login
    </SCRIPT>

    ------------------------------
    Regards Mikael
    ------------------------------



  • 16.  RE: InfoMap (isam 9.0.6.0)

    Posted Wed March 06, 2019 02:32 AM
    Hi Mikael,

    In ISAM 9.0.5 we introduced "access policies". These allow you to do step-up and re-authentication during federation flows. I also used such an access policy for an initial sign-in. For that you need to set an "unauthenticated" ACL on the /sps/auth endpoint. In the access policy itself you can then redirect to your custom InfoMap authentication mechanism.

    Link to "Access Policies": 
    https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.6/com.ibm.isam.doc/config/concept/access_policies.html
    Link to an example on how to get request context like parameters (which is what you need):
    https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.6/com.ibm.isam.doc/config/concept/access_policies_request_context.html

    For your unauthenticated context, the access policy would look something like this:

    importClass(Packages.com.ibm.security.access.policy.decision.Decision);
    importClass(Packages.com.ibm.security.access.policy.decision.RedirectChallengeDecisionHandler);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);

    // @ACTION@ is substituted with the original action URL by the access policy runtime
    var authTarget = "https://www.abc.com/mga@ACTION@";
    var user = context.getUser();
    if (user == null) {
        // No authenticated user yet: challenge with a redirect to the custom InfoMap policy
        var handler = new RedirectChallengeDecisionHandler();
        IDMappingExtUtils.traceString("Unauthenticated access");
        handler.setRedirectUri("/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:mycustomlogin&Target=" + authTarget);
        context.setDecision(Decision.challenge(handler));
    }

    Hope this will get you started.

    Kind regards, Peter.




    ------------------------------
    Peter Volckaert
    Sales Engineer
    IBM Security
    ------------------------------



  • 17.  RE: InfoMap (isam 9.0.6.0)

    Posted Wed March 06, 2019 06:44 AM
    Hi and thanks Peter,

    I have tried it with the following code, but the parameters don't get populated.

    The redirect on /sps/auth gives a location that looks like this, so I don't succeed in getting the request parameters.

    https://example.com/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:username_login&Target=https://example.com/mga/sps/auth&client_id=null&response_type=null&scope=null&redirect_uri=null&state=null

    importClass(Packages.com.ibm.security.access.policy.decision.Decision);
    importClass(Packages.com.ibm.security.access.policy.decision.RedirectChallengeDecisionHandler);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);

    var user = context.getUser();
    var request = context.getRequest();
    var parameterNames = request.getParameterNames();
    IDMappingExtUtils.traceString("user: " + user);
    IDMappingExtUtils.traceString("request: " + request);
    IDMappingExtUtils.traceString("parameterNames: " + parameterNames);

    // Trace every parameter the access policy sees on this request
    for (var it = parameterNames.iterator(); it.hasNext();) {
        var parameterName = it.next();
        var parameterValue = request.getParameter(parameterName);
        IDMappingExtUtils.traceString(parameterName + " = " + parameterValue);
    }

    if (user == null) {
        IDMappingExtUtils.traceString("Myhandler");

        var client_id = request.getParameter("client_id");
        var response_type = request.getParameter("response_type");
        var scope = request.getParameter("scope");
        var redirect_uri = request.getParameter("redirect_uri");
        var state = request.getParameter("state");

        // Redirect the unauthenticated user to the InfoMap policy, carrying the OAuth parameters along
        var handler = new RedirectChallengeDecisionHandler();
        handler.setRedirectUri("https://example.com/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:username_login&client_id=" + client_id + "&response_type=" + response_type + "&scope=" + scope + "&redirect_uri=" + redirect_uri + "&state=" + state);
        var decision = Decision.challenge(handler);
        context.setDecision(decision);
    }


    ------------------------------
    Regards Mikael
    ------------------------------



  • 18.  RE: InfoMap (isam 9.0.6.0)

    Posted Thu March 07, 2019 02:22 AM
    Hi Mikael,

    In your tracing, do you see that the parameters are actually there? In other words, are the parameter names as expected?
    Otherwise put: what's the output of IDMappingExtUtils.traceString(parameterName + " = " + parameterValue);

    If the names are there but the values are null, then try to cast the value to a JavaScript string by adding "", like this:
    var parameterValue = request.getParameter(parameterName) + "";
    That's one of the classics on which I've already spent hours in my InfoMaps ;-)

    Kind regards, Peter.




    ------------------------------
    Peter Volckaert
    Sales Engineer
    IBM Security
    ------------------------------



  • 19.  RE: InfoMap (isam 9.0.6.0)

    Posted Thu March 07, 2019 03:24 AM
    Hi Peter,

    I got a tip to look at the below and now I get all the parameters.

    var protocolContext = context.getProtocolContext();
    var authenticationRequest = protocolContext.getAuthenticationRequest();

    There is good documentation in the Javadoc (when you know what to look for):

    package com.ibm.security.access.policy.oauth20
    Interface ProtocolContext

    Thanks for all the help, I have the complete flow working now.
    I will try to document my findings and share them with the community as soon as I have two seconds free.

    ------------------------------
    Regards Mikael
    ------------------------------
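    An added example, not code from the thread or from IBM, covering posts 16 to 19: building the /sps/authsvc redirect that the access policy hands to RedirectChallengeDecisionHandler. The code in post 17 concatenates the values straight into the URL, which is why the captured Location carries "client_id=null" for every absent value, and it does not URL-encode them, so a redirect_uri containing "&" or "=" would inject extra parameters into the authsvc request. This is plain JavaScript so it runs under Node; in an ISAM access policy you would call buildAuthsvcRedirect with a function wrapping request.getParameter, or the authentication request obtained from context.getProtocolContext() as in post 19. Assumptions: the junction-relative authsvc path from post 16, the policy ID from the thread, and an allowlist of the five OAuth parameters the thread forwards. The String wrapper objects in the sample stand in for the java.lang.String values Rhino returns, which is what the "+ ''" idiom in post 18 converts.

```javascript
// Added example: build the authsvc redirect safely. Not ISAM code; plain Node.js.

const AUTHSVC_PATH = '/sps/authsvc'; // assumption: junction-relative path as in post 16
const POLICY_ID = 'urn:ibm:security:authentication:asf:username_login';

// Only the OAuth 2.0 authorization request parameters we intend to carry across.
// Anything else on the incoming query string is dropped rather than forwarded blindly.
const FORWARDED = ['client_id', 'response_type', 'scope', 'redirect_uri', 'state'];

// Rhino/Nashorn hand back java.lang.String host objects rather than JS primitives;
// the thread's "+ ''" idiom converts them. null/undefined stay null so callers
// can tell "absent" from "present but empty".
function toJsString(value) {
  if (value === null || value === undefined) return null;
  return value + '';
}

// getParam(name) returns the raw parameter value or null, mirroring request.getParameter.
// Absent parameters are omitted (never the literal "null"), present ones are encoded.
function buildAuthsvcRedirect(getParam, policyId = POLICY_ID) {
  // The policy URN contains only URL-safe characters and is a constant, so it is left raw
  // to match the form used throughout the thread.
  const parts = ['PolicyId=' + policyId];
  for (const name of FORWARDED) {
    const value = toJsString(getParam(name));
    if (value === null || value === '') continue;
    parts.push(encodeURIComponent(name) + '=' + encodeURIComponent(value));
  }
  return AUTHSVC_PATH + '?' + parts.join('&');
}

// Decode the query string back into a map, as the InfoMap on the receiving side
// would see it via urn:ibm:security:asf:request:parameter.
function parseQuery(uri) {
  const out = {};
  const qmark = uri.indexOf('?');
  const query = qmark >= 0 ? uri.slice(qmark + 1) : '';
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? '' : pair.slice(eq + 1);
    out[decodeURIComponent(key)] = decodeURIComponent(value);
  }
  return out;
}

// Constructed request (assumption): redirect_uri contains "?", "&" and "=" that would
// have broken the unencoded concatenation, "scope" is missing entirely, and "evil"
// is an extra parameter that must not be forwarded. String wrappers model Java strings.
const sampleParams = {
  client_id: new String('12345'),
  response_type: new String('code'),
  redirect_uri: new String('https://localhost/cb?x=1&y=2'),
  state: new String('123456'),
  evil: new String('ignored'),
};
function sampleGetParam(name) {
  return Object.prototype.hasOwnProperty.call(sampleParams, name) ? sampleParams[name] : null;
}

// Usage: node authsvc-redirect.js
console.log(buildAuthsvcRedirect(sampleGetParam));
console.log(parseQuery(buildAuthsvcRedirect(sampleGetParam)));
```

    The forwarded redirect_uri is only being carried to the login step so the OAuth flow can resume; it is the authorization endpoint, not the InfoMap, that checks it against the client registration, so the login page must not treat it as a trusted post-login target. If the InfoMap needs a post-login destination, set it through the itfim_override_targeturl_attr token attribute shown in post 8 rather than from this value.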