IBM Security Verify

Expand all | Collapse all

Trigger 2FA (TOTP & SMS ) with un-authenticated session

  • 1.  Trigger 2FA (TOTP & SMS ) with un-authenticated session

    Posted 4 days ago
    I have referred Shane Weeden blog :
    Branching Authentication Policy in ISAM Advanced Access Control - Shane Weeden's Blog
    Shane Weeden's Blog remove preview
    Branching Authentication Policy in ISAM Advanced Access Control - Shane Weeden's Blog
    PLEASE NOTE (update August 2020): For customers running IBM Security Verify Access v10 and later, branching AAC policy is now a built-in feature. For more information see: https://www.youtube.com/watch?v=msHP1Ha_dUg. The information in the rest of this article is still relevant for older version of IBM Security Access Manager that do not support out-of-the-box branching AAC policy.
    View this on Shane Weeden's Blog >

    I am creating self care to enable user account:
    1. User enter user name.
    2. Mapping rule to fetch username details via SCIM call and setting user name in SPSSession ("IDMappingExtUtils.setSPSSessionData(key,value)").
    3. Asking user to select 2FA either SMS/TOTP. (note: if is do not provide this option and trigger 2fa as default totp it works fine).
    4. Trigger respective 2FA mechanism. currently it fails at this step. 


    ------------------------------
    mayur boob
    ------------------------------


  • 2.  RE: Trigger 2FA (TOTP & SMS ) with un-authenticated session

    Posted 3 days ago
    Hi Mayur,

    I think we're going to need some more information on the failure in order to figure out what is going wrong.

    What version of ISAM/Verify Access are you using? (can you update to v10 and use native Branching capability?)
    What is the failure condition?  Are you getting an error message?  What is the URL flow?

    You'll need to look at the message.log of the AAC Runtime to see if there is any message or exception recorded there.
    If you find exceptions, be sure to look for the first exception that is thrown - that is most likely to show the root cause.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Trigger 2FA (TOTP & SMS ) with un-authenticated session

    Posted yesterday
    Edited by mayur boob yesterday
    Hi Jon Harry,
    Thank you for your prompt reply.
    We can not upgrade to verify 10 as of now. we are using IBM version 9.0.7 IF2.
    I have moved one step forwards where user is prompted for 2FA and after that user gets below exception in trace.
    I have below settings for custom totp, where I am setting secret key and username from session.


    [7/22/21 20:16:49:788 SGT] 000032d6 id=00000000 vc.protocol.delegate.context.store.ResponseTokenContextStore < set(ContextIdentifier, AuthSvcToken) RETURN
    [7/22/21 20:16:49:789 SGT] 000032d6 id=00000000 om.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils > traceString ENTRY Read username from session mech: admin
    [7/22/21 20:16:49:789 SGT] 000032d6 id=00000000 om.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils < traceString RETURN
    [7/22/21 20:16:49:789 SGT] 000032d6 id=00000000 om.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils > traceString ENTRY Read secretkey from session : PO4ZLAEV2INKOGFOGS5K5EFDXR5MMO6P

    I am seeing below error message in the trace file:

    [7/22/21 20:16:59:594 SGT] 000032c5 id=00000000 com.tivoli.am.fim.authsvc.protocol.delegate.AuthSvcDelegate I processRequest(FederationManagerContext, ProtocolActionChain) java.lang.NullPointerException
    at com.tivoli.am.fim.authsvc.action.authenticator.totp.TOTPAuthenticator$4.execute(TOTPAuthenticator.java:255)

    Flow:
    1.
    User access below URL to enter username:
    2.
    Prompted for 2FA Selection
    3. Once selected 2FA: (TOTP)
    4. gets below error:


    Regards,
    Mayur

    ------------------------------
    mayur boob
    ------------------------------



  • 4.  RE: Trigger 2FA (TOTP & SMS ) with un-authenticated session

    Posted yesterday
    Hi Mayur,

    In Shane's original article he doesn't make any changes to the TOTP mechanism (to statically set the username and secret).  Are you doing this because the user is not authenticated at the point you're running this flow?

    I wonder if perhaps there's some issue and it's simply not possible to run the TOTP flow with a user that is not authenticated.  On the other hand, I think you said that you had this working if you simply remove the branching component.  In that test without the branching, was the user you were doing TOTP for still unauthenticated?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 5.  RE: Trigger 2FA (TOTP & SMS ) with un-authenticated session

    Posted yesterday
    Hi Jon,

    Yes in shane article since user is authenticated so no need to do any changes.

    Understanding is correct since its unauthenticated session so I am settings is explicitly.

    If I force user to do TOTP without branching then it works fine for unauthenticated session.

    Regards,
    Mayur

    ------------------------------
    mayur boob
    ------------------------------