I tried setting all the macros to see if I could solve it with login.html,
but no luck :(
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<HEAD>
<meta name="description" content="Wait for login page...">
<SCRIPT language="JavaScript">
var loc = %LOCATION%
var url = %URL%
var referer = %REFERER%;
var back_url = %BACK_URL%;
var hostname = %HOSTNAME%;
var http_base = %HTTP_BASE%;
var https_base = %HTTPS_BASE%;
var ref_encoded = %REFERER_ENCODED%;
var url_encoded = %URL_ENCODED%;
var tam_op = %TAM_OP%
</SCRIPT>
</HEAD>
<BODY>
<noscript>This page uses Javascript. Your browser either doesn't support Javascript or you have it turned off. To see this page as it is meant to appear please use a Javascript enabled browser.</noscript>
</BODY>
</HTML>
gives this in the response:
<SCRIPT language="JavaScript">
var loc =
var url = /mga/sps/auth
var referer = none;
var back_url = /;
var hostname = api.example.com;
var http_base = http://api.example.com;
var https_base = https://api.example.com;
var ref_encoded = none;
var url_encoded = /mga/sps/auth;
var tam_op = login
</SCRIPT>
------------------------------
Regards Mikael
------------------------------
Original Message:
Sent: 03-04-2019 03:17 PM
From: Mikael Lindblad
Subject: InfoMap (isam 9.0.6.0)
Hi,
Hopefully a last question regarding InfoMap.
Let's say you hit (OAuth2 endpoint)
/mga/sps/oauth/oauth20/authorize?client_id=12345&response_type=code&scope=god&redirect_uri=https://localhost/&state=123456
If you are not logged in, by default it goes to
/sps/auth
But I would like it to go to my InfoMap authentication.
/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:username_login&client_id=12345&response_type=code&scope=god&redirect_uri=https://localhost/&state=123456
Can I solve this via some advanced setting or via the PostTokenGeneration / PreTokenGeneration mapping rule?
------------------------------
Regards Mikael
Original Message:
Sent: 03-04-2019 03:20 AM
From: Mikael Lindblad
Subject: InfoMap (isam 9.0.6.0)
Hi Peter,
Thanks! You are right, I got it working now :-)
------------------------------
Regards Mikael
Original Message:
Sent: 03-04-2019 03:06 AM
From: Peter Volckaert
Subject: InfoMap (isam 9.0.6.0)
Hi,
That is odd, because I successfully use a query parameter in my InfoMap and in fact use it to determine what the InfoMap should do. So it's used for the initial request. Are you on 9.0.6? Maybe the underscore is not OK, not URL safe? Try using clientid instead of client_id, or make it URL safe.
To troubleshoot you can log all the incoming parameters in your Infomap:
// dump every parameter of the incoming request to the trace log
var parameters = context.get(Scope.REQUEST, "urn:ibm:security:asf:request", "parameters");
IDMappingExtUtils.traceString("parameters: " + parameters);
Kind regards, Peter
------------------------------
Peter Volckaert
Sales Engineer
IBM Security
Original Message:
Sent: 03-04-2019 02:50 AM
From: Mikael Lindblad
Subject: InfoMap (isam 9.0.6.0)
Hi,
I tried it but I only get null; it looks like InfoMap is only executed when you do the POST request, not on the initial GET request.
------------------------------
Regards Mikael
Original Message:
Sent: 03-03-2019 11:47 AM
From: Peter Volckaert
Subject: InfoMap (isam 9.0.6.0)
Hi,
The below should work:
// read the client_id query parameter of the current request
var client_id = context.get(Scope.REQUEST, "urn:ibm:security:asf:request:parameter", "client_id");
var client_id_param = client_id + ""; // coerce the Java String to a JavaScript string
So: yes, query parameters are made available in the same "urn:ibm:security:asf:request:parameter" realm as parameters within the body of a POST.
Kind regards, Peter.
------------------------------
Peter Volckaert
Sales Engineer
IBM Security
Original Message:
Sent: 03-03-2019 07:39 AM
From: Mikael Lindblad
Subject: InfoMap (isam 9.0.6.0)
Thanks Scott, the links and advice have been very helpful. :-)
I've almost got the login flow as I wanted, but there is one thing I don't find.
I want to take out the query parameter in the first request to the authentication mechanism (InfoMap).
Let's say that you do a GET on this URL.
/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:username_login&client_id=12345
I wish to get the client_id and put that in the session so I can use it in the next step. I have almost all logging on but can't find a way to extract it.
Can you point me in the right direction?
------------------------------
Regards Mikael
Original Message:
Sent: 03-01-2019 04:56 AM
From: Scott Andrews
Subject: InfoMap (isam 9.0.6.0)
The InfoMap version is -
context.set(Scope.SESSION, "urn:ibm:security:asf:response:token:attributes", "itfim_override_targeturl_attr", "/someURL");
The JavaDoc from the appliance downloads area and the other references about the various context attributes (session, etc.) will help you with what you need.
You don't need to set the EAI headers in your InfoMap. The consumption of the attributes to authenticate the user to WebSEAL and enrich the credential is done by the auth service. Provided you exit the InfoMap cleanly and you trigger it via the authentication policy, you'll get what you need.
Also take a look at -
https://www.ibm.com/developerworks/community/wikis/home?lang=es#!/wiki/W3180eb23c62c_4bcb_afa1_85cd0cacc66c/page/InfoMap%20Resources and https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/W3180eb23c62c_4bcb_afa1_85cd0cacc66c/page/Toast%20Message%20InfoMap%20Sample (second is cross-linked anyhow).
I can also send you a sample InfoMap (based on the AppX deployment pattern) that shows an example of using an HTTP client in the logic to validate against some external source at runtime and uses the Server Connections feature to hold the values of the connection details so you're not hardcoding variables into the InfoMap JS.
------------------------------
Scott Andrews
Original Message:
Sent: 03-01-2019 04:43 AM
From: Scott Andrews
Subject: InfoMap (isam 9.0.6.0)
Hi Mikael.
Have a look at "IBM Target URL redirection - United States": How do I change the redirect URL from a TFIM or ISAM mapping rule?
------------------------------
Scott Andrews
Original Message:
Sent: 02-28-2019 01:01 PM
From: Mikael Lindblad
Subject: InfoMap (isam 9.0.6.0)
The best way to solve something is to ask; that makes you think.
Found that I had lost a row. If this is not set it will set the user to "fim".
context.set(Scope.SESSION, "urn:ibm:security:asf:response:token:attributes", "username", username);
------------------------------
Regards Mikael
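Putting the pieces from this thread together (Peter's query-parameter read, Scott's itfim_override_targeturl_attr and the username attribute that was missing above), here is an added example that is not code from the thread or from IBM: the rule logic is written as functions that take the ISAM-provided context and Scope objects as parameters so it can run offline against a constructed stub. The urn:example:infomap namespace, ALLOWED_TARGETS allowlist and the stub are my assumptions; the other attribute names are the ones quoted in the thread.

```javascript
// Added example, not from the thread or from IBM. Rule logic is parameterised on
// the ISAM `context`/`Scope` objects so it runs offline against the stub below.
var PARAM_NS = "urn:ibm:security:asf:request:parameter";
var TOKEN_ATTR_NS = "urn:ibm:security:asf:response:token:attributes";
var APP_NS = "urn:example:infomap";            // assumed session namespace for our own values
// Post-login targets we are willing to send the browser to; anything else falls back to "/".
var ALLOWED_TARGETS = ["/mga/sps/oauth/oauth20/authorize", "/app/home"];

// Read one request parameter (query string or POST body) as a JS string, or null.
function readParam(context, Scope, name) {
  var v = context.get(Scope.REQUEST, PARAM_NS, name);
  return (v === null || v === undefined) ? null : v + ""; // Java String -> JS string
}

// Step 1 (initial GET): remember client_id in the session for the next step.
// Returns false when the parameter is absent, e.g. on the later POST.
function rememberClientId(context, Scope) {
  var clientId = readParam(context, Scope, "client_id");
  if (clientId === null) { return false; }
  context.set(Scope.SESSION, APP_NS, "client_id", clientId);
  return true;
}

// Step 2 (credentials verified): set the username (otherwise the principal becomes
// "fim") and the post-login redirect, which is only honoured for a relative path on
// the allowlist so a request-supplied value cannot send the user off-site.
function finishLogin(context, Scope, username, target) {
  context.set(Scope.SESSION, TOKEN_ATTR_NS, "username", username);
  var path = (target || "").split("?")[0];
  var local = path.charAt(0) === "/" && path.charAt(1) !== "/";
  var redirect = (local && ALLOWED_TARGETS.indexOf(path) >= 0) ? target : "/";
  context.set(Scope.SESSION, TOKEN_ATTR_NS, "itfim_override_targeturl_attr", redirect);
  return redirect;
}

// Constructed stand-in for the ISAM objects, for offline runs only.
var Scope = { REQUEST: "request", SESSION: "session" };
function makeContext(requestParams) {
  var store = {};
  return {
    get: function (scope, ns, key) {
      if (scope === Scope.REQUEST && ns === PARAM_NS) {
        return requestParams.hasOwnProperty(key) ? requestParams[key] : null;
      }
      var k = scope + "|" + ns + "|" + key;
      return store.hasOwnProperty(k) ? store[k] : null;
    },
    set: function (scope, ns, key, value) { store[scope + "|" + ns + "|" + key] = value; }
  };
}
```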
Original Message:
Sent: 02-28-2019 12:35 PM
From: Mikael Lindblad
Subject: InfoMap (isam 9.0.6.0)
Hi,
I have played around a bit with the "An Introduction to the InfoMap Authentication Mechanism in ISAM 9.0.2 - Shane Weeden's Blog" InfoMap.
When I try the example I have some findings and questions.
InfoMap (AAC) sets the headers
am-eai-user-id: fim
am-eai-xattrs: authenticationTypes,authenticationMechanismTypes
If you have customized the key to something else like am-eai-bad-user-id, am-eai-bad-xattrs it won't work.
** Note to self: Don't touch the defaults **
Question: Is this documented?
When I test the InfoMap I always get
am-eai-user-id: fim
am-eai-xattrs: authenticationTypes,authenticationMechanismTypes
Question: is the user "fim" hardcoded somewhere?
Question: if I wish to send the user after login somewhere else, how do you do that?
Some troubleshooting logs if you have time to look at this. It's just snippets from the log, not sure if it helps.
pdweb.debug
2019-02-28-17:34:23.203+01:00I----- thread(8) trace.pdweb.debug:2 /build/isam/src/i4w/pdweb/webseald/ras/trace/debug_log.cpp:220: ----------------- PD <=== BackEnd -----------------
Thread 8; fd 258; local 127.0.0.1:50034; remote 127.0.0.1:443
HTTP/1.1 200 OK
connection: Close
content-language: en-US
content-length: 0
date: Thu, 28 Feb 2019 16:34:23 GMT
x-frame-options: SAMEORIGIN
cache-control: no-cache="set-cookie, set-cookie2"
expires: Thu, 01 Dec 1994 16:00:00 GMT
authenticationmechanismtypes: urn:ibm:security:authentication:asf:mechanism:username_login
am-eai-user-id: fim
am-eai-xattrs: authenticationTypes,authenticationMechanismTypes
authenticationtypes: urn:ibm:security:authentication:asf:username_login
Set-Cookie: LtpaToken2=""; Path=/; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Secure; HttpOnly
Set-Cookie: LtpaToken2=""; Path=/; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Secure; HttpOnly
AAC trace log
[2/28/19 18:03:15:156 CET] 00000089 id=00000000 com.tivoli.am.fim.fedmgr2.authservice.util.IvCredHelper 3 buildTamPrincipal Adding attribute: authenticationTypes
[2/28/19 18:03:15:156 CET] 00000089 id=00000000 com.tivoli.am.fim.fedmgr2.authservice.util.IvCredHelper 3 buildTamPrincipal Adding attribute: authenticationMechanismTypes
[2/28/19 18:03:15:156 CET] 00000089 id=00000000 com.tivoli.am.fim.fedmgr2.authservice.util.IvCredHelper > buildTamPac ENTRY
[2/28/19 18:03:15:157 CET] 00000089 id=00000000 com.tivoli.am.fim.fedmgr2.authservice.util.IvCredHelper 3 buildTamPac building pac, setting principal name of: fim
------------------------------
Regards Mikael
------------------------------