IBM Security Verify

  • 1.  Getting Groups from AD basic users

    Posted Mon November 16, 2020 04:47 PM
    I am authenticating users from AD successfully.
    When I look into the STSUU, I cannot find AZN_CRED_GROUPS.
    If I add this to the Attribute Source using Credential Type AZN_CRED_GROUPS, I still don't get the groups.

    I will also need the display_name.

    But is there a restriction to getting the groups if the users are basic users and not full users?
    Do I have to extract the groups and display name by defining the Attribute Source using the LDAP type?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------


  • 2.  RE: Getting Groups from AD basic users

    Posted Tue November 17, 2020 03:44 AM
    Joao,

    Accessing any attribute of the user should be a case of either adding AZN_CRED_ATTR configuration to Reverse Proxy (to populate the attribute into user credential at login time) or using Identity Source configuration (to make attribute available to OAuth/Federation mapping rules).  You say "display_name" but I think the standard attribute in AD would be "displayName"?

    The credential that is built following authentication will only include groups that are known to Verify Access.  That means that they have been "imported" (and so show up if you do a "group list" command).

    If you want to have access to full group information without import, you'd need to read group information as a standard attribute from the user record.  Usually group membership in LDAP is obtained by looking up "members" attribute of the group object which is not helpful.  However, many LDAPs have a special (usually dynamically calculated) attribute on user object that returns group memberships.

    In Active Directory it is the "memberOf" attribute. (in IBM Directory Server it is "ibm-allGroups").  Perhaps you can reference this attribute (as above) to retrieve all groups?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Getting Groups from AD basic users

    Posted Tue November 17, 2020 04:21 AM
    Edited by Joao Goncalves Tue November 17, 2020 04:25 AM
    I am looking at the Reverse Proxy configuration file, and I don't know in which stanza to place AZN_CRED_ATTRS (or AZN_CRED_ATTR?)
    I can find this stanza.
    [TAM_CRED_ATTRS_SVC]
    # Each entry should then have a corresponding stanza which maps the LDAP
    # attribute into a credential attribute.
    #
    # For example:
    # [TAM_CRED_ATTRS_SVC:eperson]
    # emailAddress = mail
    # mobileNumber = mobile

    Regarding the displayName, it is in fact the correct attribute name.
    Regarding the group information, I just need a comma-separated list, like "staff,bin,auditor".
    I can see that the group information in Active Directory contains memberOf.

    In my previous tests with full users, the groups were imported without any additional configuration. But I can see that for basic users, there is more I must do. I just don't know how I can import those attributes by default, although I know how to get them using the Attribute Source option, where I can add specific attributes to the STSUU. But I would rather have ISAM get them immediately when the user logs in, with ISAM fetching the attributes itself.

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 4.  RE: Getting Groups from AD basic users

    Posted Tue November 17, 2020 06:45 AM
    Hi Joao,

    I just tested this quickly in my environment.  I added the following to my Reverse Proxy configuration (some already existed actually):

    -- This already existed -----------
    [TAM_CRED_ATTRS_SVC]

    #
    # This stanza is used to configure the credential attributes entitlement
    # service. This entitlement service can be used to add attributes to the
    # credential which are based on LDAP attributes of the authenticated user.
    #
    # Entries in this stanza are used to define the sources of attributes to be
    # retrieved. The source names, such as user and group, are used to identify
    # the source location in the registry. You need to define these. The values
    # for these sources are registry identifiers that exist in the registry. The
    # values can be existing credential attribute names. If this is the case,
    # the service automatically finds and uses the respective values.
    #
    # For example:
    # eperson = azn_cred_registry_id
    # organisationalPerson = azn_cred_registry_id
    #
    # Each entry should then have a corresponding stanza which maps the LDAP
    # attribute into a credential attribute.
    #
    # For example:
    # [TAM_CRED_ATTRS_SVC:eperson]
    # emailAddress = mail
    # mobileNumber = mobile
    #
    # [TAM_CRED_ATTRS_SVC:organisationalPerson]
    # emailAddress = mail
    # mobileNumber = mobile
    #
    eperson = azn_cred_registry_id
    inetOrgPerson = azn_cred_registry_id
    --------

    ----- modified this to add entries I wanted -----
    [TAM_CRED_ATTRS_SVC:eperson]
    emailAddress = mail
    mobileNumber = mobile
    ad_groups = memberOf
    display_name = displayName
    --------

    With this done, I can see the following is added to the credential when I log in with an AD basic user:

    ad_groups[0]    : CN=Administrators,CN=Builtin,DC=demo,DC=com
    display_name[0] : Fred Bloggs

    With these values in the user credential it should be easy to extract them in mapping rules.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 5.  RE: Getting Groups from AD basic users

    Posted Tue November 17, 2020 07:03 AM
    Edited by Joao Goncalves Tue November 17, 2020 07:47 AM
    I'm trying this, but I will need to understand how ISAM works, and what these options in the configuration will do. Is this documented anywhere?

    Why eperson?

    After changing the reverse proxy configuration file, I am getting the attributes. But the groups returned by memberOf, in the STSUU, come back as multiple values, where each returned value contains the Distinguished Name of a group the user belongs to.

    This was a great help. Thanks Jon.

    I am now trying to include these values in the claim.

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------
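The memberOf values described in reply 5 are one full DN per group, while the claim the original poster wants is a flat "staff,bin,auditor" list. The following is an added example (not code from the thread or from IBM) showing the reduction step: it parses each DN with RFC 4514 escaping in mind, takes the CN of the leading RDN as the group name, drops duplicates and quotes any name that itself contains a comma so the list stays parseable. It is plain JavaScript, the language Verify Access mapping rules are written in; the sample ad_groups values are constructed to match the shape Jon showed, and the step of reading them out of the STSUU inside a mapping rule is not shown here.

```javascript
// Added example: turn multi-valued memberOf DNs (the "ad_groups" credential
// attribute from the TAM_CRED_ATTRS_SVC stanza) into a comma-separated list of
// group names for a claim. Sample input is constructed, not taken from the thread.

// Split a DN into its RDN strings, honouring RFC 4514 backslash escapes so a
// group like "CN=Sales\, EMEA,OU=Groups,DC=demo,DC=com" is not split inside CN.
function splitRdns(dn) {
  const rdns = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === "\\" && i + 1 < dn.length) {
      cur += ch + dn[i + 1]; // keep the escape pair intact for now
      i++;
    } else if (ch === ",") {
      rdns.push(cur);
      cur = "";
    } else {
      cur += ch;
    }
  }
  rdns.push(cur);
  return rdns;
}

// Unescape a DN attribute value: "\," -> ",", "\2C" (hex pair) -> ",".
function unescapeDnValue(v) {
  return v.replace(/\\([0-9A-Fa-f]{2}|.)/g, (m, x) =>
    x.length === 2 ? String.fromCharCode(parseInt(x, 16)) : x);
}

// Group name = CN value of the leading RDN. Returns null if the first RDN
// is not a CN (e.g. a malformed or unexpected value), so callers can skip it.
function groupNameFromDn(dn) {
  const first = splitRdns(dn.trim())[0];
  const eq = first.indexOf("=");
  if (eq < 0) return null;
  const type = first.slice(0, eq).trim().toUpperCase();
  if (type !== "CN") return null;
  return unescapeDnValue(first.slice(eq + 1).trim());
}

// Reduce the memberOf values to "staff,bin,auditor"-style output.
// Duplicates are dropped; names containing a comma are double-quoted.
function groupsToClaim(memberOfValues) {
  const names = [];
  for (const dn of memberOfValues) {
    const name = groupNameFromDn(dn);
    if (name !== null && !names.includes(name)) names.push(name);
  }
  return names.map((n) => (n.includes(",") ? `"${n}"` : n)).join(",");
}

// Constructed sample values, shaped like the ad_groups[] entries in reply 4.
const SAMPLE_AD_GROUPS = [
  "CN=Administrators,CN=Builtin,DC=demo,DC=com",
  "CN=staff,OU=Groups,DC=demo,DC=com",
  "CN=Sales\\, EMEA,OU=Groups,DC=demo,DC=com", // escaped comma inside the CN
  "CN=staff,OU=Groups,DC=demo,DC=com",         // duplicate, dropped
  "OU=NotAGroup,DC=demo,DC=com",               // no leading CN, skipped
];

console.log(groupsToClaim(SAMPLE_AD_GROUPS));
// Administrators,staff,"Sales, EMEA"
```

Because the CN is only unique within its container, two groups with the same CN in different OUs would collapse into one name here; if that matters for authorization decisions, key the claim on the full DN (or the DN with its escapes intact) rather than the CN.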



  • 6.  RE: Getting Groups from AD basic users

    Posted Tue November 17, 2020 07:33 AM
    Hi Joao,

    This configuration is documented in the Knowledge Center here:
    https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.0/com.ibm.isva.doc/wrp_config/task/tsk_spec_attr_add_crdl.htm

    "eperson" is just a label to link the source DN (defined in the TAM_CRED_ATTRS_SVC stanza) to the stanza which lists the attributes to extract from that source DN.  When working with IBM Directory Server, eperson is an objectclass of the user object.  It's not the same in AD but since it's only a label it doesn't matter.

    This configuration tells the Reverse Proxy that after it has built a credential for a user it should pull certain attributes from LDAP and include them as attributes in the credential.

    [TAM_CRED_ATTRS_SVC]
    <source DN label> = <credential attribute containing a DN>

    tells the Reverse Proxy to read the <credential attribute containing a DN> from the just-created credential and use this as a source DN for reading attributes.

    [TAM_CRED_ATTRS_SVC:<source DN label>]
    <cred attr name> = <LDAP attr name>

    tells the Reverse Proxy to read the LDAP attribute named <LDAP attr name> from the source DN and store it in a credential attribute with name <cred attr name>.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------