IBM Security Verify

  • 1.  AAC - redirect to initial flow

    Posted Wed November 18, 2020 11:42 AM
    Hi all,
    we have a custom authentication policy that is configured in several WebSEALs through a local-response-redirect on the login operation.
    We added to the InfoMap login page a URL to reset the password through another policy (I forgot my password).
    The issue now is that this authentication policy is used by different Points of Contact: some WebSEALs are used as identity provider in the SP flow and other WebSEALs are used as
    Point of Contact for the OIDC Provider.
    We would like to configure the mechanism so that after changing the password, if the user comes from a federation flow or an OAuth flow,
    after logging in again the user remains in the same flow. Instead, at the moment the user returns to the ISAM login page,
    which has no memory of the application that started the federation flow or the OIDC flow, and after login the user is not redirected anywhere.
    Is there a way to get back into the initial flow?

    thank you

    ------------------------------
    Natascia Roia
    ------------------------------


  • 2.  RE: AAC - redirect to initial flow

    Posted Thu November 19, 2020 04:40 AM
    Hello Natascia,

    It's not clear from your description what the various flows you are using are.  Could you provide some insight into the actual and desired behaviour (using this as a template):

    1. SAML SSO is triggered at ISAM IdP
    2. Local-Response-Redirect triggers password authentication policy in AAC
    3. User clicks "forgotten password" which triggers forgotten password policy in AAC
    4. User changes password and is redirected back to AAC password policy
    5. User logs in with new password
    Actual behaviour: User ends up on login page again
    Desired behaviour: SAML SSO login continues

    In general, I would expect the Reverse Proxy to cache the request that caused the first login action... this should then cause redirection to that resource when the user is logged in.  I need to understand the flow you're using better to figure out why that isn't working.

    If you have a trace at the browser (or in Reverse Proxy) that shows the series of requests that are being made that would be helpful too.  At a certain point you might need to open a support case if you need assistance reviewing traces to debug this... but we can try to help here if you provide some more information.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: AAC - redirect to initial flow

    Posted Thu November 19, 2020 07:50 AM
    Thank you Jon.
    I'll try to explain our flows better.
    In our AAC we have two authentication policies:
    1. user-password-captcha for the user's login:
       configured with a custom InfoMap
    2. forgot-pwd for the password reset:
       the policy is configured as described in IBM's cookbook, so with SMS OTP - mechanism to set a new password - success mechanism


    We have two flows with two different WebSEALs.
    FLOW A
    1. SAML SSO is triggered at ISAM IdP
    2. local-response-redirect triggers user-password-captcha authentication policy in AAC
    3. On the login page of the user-password-captcha login there's a link for the forgot-pwd policy
    4. User clicks "forgotten password" which triggers forgotten password policy in AAC
    5. The user is blocked in the page of success password change.

    We have a way to add the redirection to the login page, but in this case the WebSEAL has no memory of the flow, so the user logs in with the new password and gets the success login page.
    Which is the better way to resume the federation flow?


    FLOW B
    1. OIDC SSO is triggered at ISAM OIDC provider
    2. local-response-redirect triggers user-password-captcha authentication policy in AAC
    3. On the login page of the user-password-captcha login there's a link for the forgot-pwd policy
    4. User clicks "forgotten password" which triggers forgotten password policy in AAC
    5. The user is blocked in the page of success password change.

    Here the problem is the same, how can we resume the OIDC authorization code flow?

    Thank you

    ------------------------------
    Natascia Roia
    ------------------------------



  • 4.  RE: AAC - redirect to initial flow

    Posted Thu November 19, 2020 12:30 PM
    Hi Natascia,

    The cached page in the Reverse Proxy is only used after a login completes.  However, when you run the forgotten password flow, this doesn't complete the login - it finishes on a page which tells the user that their password has been reset.  In the JavaScript for the policy, the final mechanism completes using this call:

    success.endPolicyWithoutCredential();

    This causes the success page template to be returned and the authentication process to stop.

    One workaround to your issue might be to log the user in at the end of the forgotten password flow.  You would achieve this by making this change in the USC_PasswordReset_Success JavaScript:

    //success.endPolicyWithoutCredential();

    success.setValue(true);

    This is a very simple change you could try to see if it helps.

    This isn't a complete fix because the user will be logged in with no message to confirm that the password reset completed.  If this works for you then you would probably want to customize the password reset flow a little more so that the success page is shown with success.setValue(false) and a button which submits a form which then triggers the success.setValue(true) to log the user in.

    I hope this gives you something to try.

    Jon.



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
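
    The two-phase ending Jon describes at the close of his reply (show the success page with success.setValue(false), then let a Continue button trigger success.setValue(true) to log the user in), written out as an added example. This is not code from the thread, from the cookbook, or from the USC_PasswordReset_Success rule as shipped. In a deployed InfoMap-style rule the success, state, context and macros objects are globals supplied by the authentication service; here they are passed into a function, with small stand-ins, so the decision logic can be run offline. The request parameter name "continue", the state key "username" and the macro "@USERNAME@" are illustrative choices for this example, and it assumes the earlier mechanisms of the forgot-pwd policy left the verified username in policy state under that key; check how the cookbook rule actually stores it before copying this.

```javascript
// Added example, not code from the thread or from IBM's cookbook rule.
// Two-phase completion of a password reset: the first pass renders the
// "password reset complete" page (success=false keeps the policy open and
// returns the page template), and the Continue form's submit triggers
// success=true, which completes the login so the Reverse Proxy can replay
// the cached request that started the SAML or OIDC flow.
//
// Assumptions: success/state/context/macros are the authentication service's
// globals in a real rule and are injected here; "continue", "username" and
// "@USERNAME@" are illustrative names chosen for this example.

function passwordResetSuccess(context, state, success, macros) {
  // Identity verified by the earlier mechanisms (SMS OTP, new password),
  // assumed to be carried in policy state under "username".
  var username = state.get("username");
  if (!username) {
    // Never finish with a credential when no verified identity is present.
    success.setValue(false);
    macros.put("@ERROR@", "No verified user in policy state");
    return "error";
  }

  // Second pass: the confirmation form was submitted. success=true ends the
  // policy with a credential, unlike endPolicyWithoutCredential(), which
  // leaves the user unauthenticated and the cached SSO request unused.
  if (context.get("request", "parameter", "continue") === "true") {
    success.setValue(true);
    return "login";
  }

  // First pass: show the success page with a Continue button and keep the
  // policy open. The template is expected to POST continue=true back to the
  // same authsvc URL (with its StateId) so the policy state survives.
  macros.put("@USERNAME@", username);
  success.setValue(false);
  return "page";
}

// Minimal stand-ins for the authentication-service objects so the rule
// logic can be exercised outside ISAM. Only the methods used above exist.
function fakeAuthsvc(params, initialState) {
  var stateData = Object.assign({}, initialState);
  return {
    context: {
      get: function (ns, type, name) {
        if (ns === "request" && type === "parameter" && name in params) {
          return params[name];
        }
        return null;
      }
    },
    state: {
      get: function (k) { return k in stateData ? stateData[k] : null; },
      put: function (k, v) { stateData[k] = v; }
    },
    success: { value: null, setValue: function (b) { this.value = b; } },
    macros: { values: {}, put: function (k, v) { this.values[k] = v; } }
  };
}

// Runs the rule against one simulated request (constructed input) and
// reports the outcome, the success flag and the macros the page would get.
function simulate(params, initialState) {
  var a = fakeAuthsvc(params, initialState);
  var outcome = passwordResetSuccess(a.context, a.state, a.success, a.macros);
  return { outcome: outcome, success: a.success.value, macros: a.macros.values };
}

// First pass renders the page; the Continue submit completes the login.
var firstPass = simulate({}, { username: "nroia" });
var secondPass = simulate({ "continue": "true" }, { username: "nroia" });
```

    The page template for the first pass needs a form that posts continue=true back to the policy; everything else (StateId handling, credential creation, the Reverse Proxy replaying the cached SSO request once the login completes) is done by the authentication service and the Reverse Proxy as Jon describes, not by this rule.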