IBM Security Verify

  • 1.  ISAM - How to send updated user attributes to backend application in headers.

    Posted Tue May 11, 2021 01:45 AM
    Hello Team,

    We are sending some attributes of the user in headers to backend application. 

    WebSEAL fetches those attributes from the user credentials and sends them to the backend application in headers. 

    Is there any provision to fetch those attributes from LDAP directly and send them in the header for each request to the backend application?

    One solution is to refresh credentials after a specific interval.

    Is there any alternative solution other than refreshing credentials?

    ------------------------------
    Mukesh
    ------------------------------


  • 2.  RE: ISAM - How to send updated user attributes to backend application in headers.

    Posted Tue May 11, 2021 05:12 AM
    Hi Mukesh,

    There's no simple way to do what you're asking.  It might be possible to build something around the TFIM-SSO capability (which calls STS to get a "token" to include in an HTTP header) but this is only for one header and I don't know for sure if it would really work.

    You also need to be careful about the performance implications of calling out to an external system too often... anything done on every request is likely to cause scaling issues.  Usually LDAP is only called on login and, even then, we have internal caches to reduce the calls.

    What is the reason that you need to refresh the attributes all the time?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: ISAM - How to send updated user attributes to backend application in headers.

    Posted Tue May 11, 2021 08:26 AM
    Hi Jon,

    So we have 4-5 attributes in the LDAP which we are updating from infoMaps.

    And sending the same attributes in headers. But backend applications need updated values.

    ------------------------------
    Mukesh
    ------------------------------



  • 4.  RE: ISAM - How to send updated user attributes to backend application in headers.

    Posted Tue May 11, 2021 12:03 PM
    Hi Mukesh,

    If you are updating the attributes from an infoMap (i.e. part of an authentication policy) then you should be able to return a new credential to the Reverse Proxy (with updated attributes) at the end of that process.  That would seem like the best way to get the updated attributes available to send to the backend servers in HTTP headers.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 5.  RE: ISAM - How to send updated user attributes to backend application in headers.

    Posted Fri May 14, 2021 07:36 AM
    Hi Jon,

    Those attributes are already present in user credentials.

    When the user is authenticated, WebSEAL adds those attributes to the user credentials, as extended attributes for credentials are configured.

    I tried to update the attribute from the infoMap, but the same attribute is getting added multiple times. Basically, I want to replace/update the old value.

    Code for reference:
    // Set the credential attribute "attr1" in the session-scoped response token attributes
    context.set(Scope.SESSION, "urn:ibm:security:asf:response:token:attributes", "attr1", "newValue");
    // End the infoMap successfully so the updated attributes are returned to the Reverse Proxy
    success.setValue(true);

    What I observed is that if we use the above code then the infoMap should end with success.setValue(true), which internally changes the value of AZN_CRED_AUTH_EPOCH_TIME, which we don't want to update.


    ------------------------------
    Mukesh
    ------------------------------



  • 6.  RE: ISAM - How to send updated user attributes to backend application in headers.

    Posted Fri May 14, 2021 08:47 AM
    Hi Mukesh,

    I think the value of this configuration option in the [eai] stanza will change the append vs replace behaviour:

    # The following configuration entry is used to determine whether
    # extended attributes replace credential attributes of the same name
    # or are appended as additional values.
    eai-replace-cred-attributes = yes

    What value do you have for the following?  I wonder if this would help with the epoch value?

    # RETAIN EAI SESSION
    # If an already-authenticated EAI client authenticates via an EAI a second
    # time, the existing session and cache entry are completely replaced by
    # default. If retain-eai-session = yes, then the existing session and
    # cache entry will be retained, and the credential and relevant data will
    # be updated in the existing cache entry.
    retain-eai-session = yes

    If this doesn't help with the epoch value then it may be that it's not possible to fix this.  In that case you might consider setting the authentication time in a different attribute that you control - that way you can decide when it is updated?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
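    As an added illustration (not code from this thread or from IBM), the Python model below reads the [eai] stanza from a constructed webseald.conf fragment and replays the append-vs-replace merge described above, which is why a re-run infoMap produced the same attribute twice. The comma-joined header rendering and the "no" fallback for a missing key are assumptions for the illustration.

```python
import configparser
from typing import Dict, List

# Constructed sample of the [eai] stanza as it would appear in webseald.conf.
# The keys are the real WebSEAL options discussed in the thread.
WEBSEALD_CONF = """
# [eai] stanza excerpt (constructed sample)
[eai]
eai-replace-cred-attributes = yes
retain-eai-session = yes
"""


def read_eai_stanza(conf_text: str) -> Dict[str, str]:
    """Parse the [eai] stanza of a webseald.conf-style file into a dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("eai"):
        return {}
    return {key: value.strip() for key, value in cp["eai"].items()}


def replace_mode(stanza: Dict[str, str]) -> bool:
    """True when EAI attributes replace existing credential attributes of the same name.
    Assumption: a missing key is treated as 'no' (append) for this illustration."""
    return stanza.get("eai-replace-cred-attributes", "no").lower() == "yes"


def merge_cred_attributes(existing: Dict[str, List[str]],
                          eai_attrs: Dict[str, str],
                          replace: bool) -> Dict[str, List[str]]:
    """Model how the credential looks after an EAI round-trip.

    replace=True  -> the EAI value overwrites the old value (what Mukesh wanted).
    replace=False -> the EAI value is appended as an additional value, so the
                     same attribute accumulates a new copy on every infoMap run.
    """
    merged = {name: list(values) for name, values in existing.items()}
    for name, value in eai_attrs.items():
        if replace or name not in merged:
            merged[name] = [value]
        else:
            merged[name].append(value)
    return merged


def header_value(values: List[str]) -> str:
    """Simplified rendering of a multi-valued attribute as one header value (assumption)."""
    return ",".join(values)
```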



  • 7.  RE: ISAM - How to send updated user attributes to backend application in headers.

    Posted Wed May 19, 2021 03:11 AM
    Hi Jon,

    Thanks a lot for the help!

    By configuring eai-replace-cred-attributes = yes, attribute values are now getting updated instead of appended.

    Even though retain-eai-session = yes is already configured, it still updates the attribute AZN_CRED_AUTH_EPOCH_TIME in the user credentials.

    ------------------------------
    Mukesh
    ------------------------------