IBM Security Verify


How to secure 3rd party service provider junction?

  • 1.  How to secure 3rd party service provider junction?

    Posted Mon August 16, 2021 09:01 PM
    I have a 3rd party Service Provider - ComponentSpace that I want to protect behind Security Verify Access - Reverse Proxy. I also want to enable Service Provider initiated logon.
    I have the mechanics working by adding unauth acl to the junction. When I access the URL: url/junction/partnerid will trigger a SAML V2 AuthnRequest to the idP (a federation also on Security Verify Access). The result is a SAML Assertion and a successful login.
    My question:
    How can I assign an ACL to the URL to ensure that once the user is authenticated he can only access the application if authorized?
    Thanks

    ------------------------------
    Kelly Kerr
    ------------------------------


  • 2.  RE: How to secure 3rd party service provider junction?

    Posted Fri August 27, 2021 06:26 AM
    Hi Kelly,

    From your description: You have an on-premises application which uses ComponentSpace for SAML SP functions.  This is sitting behind a junction of Verify Access Reverse Proxy.  When a user accesses the application (via the junction) it redirects to the Verify Access IdP function, which triggers authentication and then SAML SSO (back through the junction).

    There are a few ways you could add authorization for application access in this situation:
      1. Replace the ACL allowing unauthenticated access to the junction with one that requires a logged in user (in the group that authorizes access).
              - In this case, the user will have to authenticate as soon as they attempt to access the junction.  If not in the appropriate group they will be denied access.
              - This doesn't work if you need some unauthenticated access to app before authentication required.

      2. Replace the ACL allowing unauthenticated access (as per 1) but then add additional unauthenticated ACLs to the specific pages/folders of the application that require unauthenticated access.
              - In this case, the user has unauthenticated access to some parts of the app but must log in when hitting parts that need protecting.
              - This only works if you can easily distinguish the pages/folders of the application URL space that are unauthenticated vs authenticated.

      3. Leave the unauthenticated ACL on the junction but define an Access Policy and attach it to the Federation Partner definition.  This (JavaScript) access policy will be evaluated each time the IdP is called to perform SSO to the partner (your application) and can allow or deny access based on any attribute in the user credential (including group memberships).

    (3) above is probably the best approach but does require you to write some JavaScript to create the access policy.  Have a look here for more detail:
    https://www.ibm.com/docs/en/sva/10.0.2?topic=policies-access-policy-development

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
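As an added illustration of option (3) in the reply above (example code, not from the original post, IBM or ComponentSpace): the authorization decision in a federation partner access policy reduces to checking the authenticated user's credential attributes against the groups allowed for that partner. The decision logic is kept in a plain function; the wrapper at the end assumes the Verify Access policy objects (`context.getUser()`, `User.getAttribute`, `Decision.allow()`/`Decision.deny()`, `context.setDecision`), the attribute name `groupIds` and a partner id supplied by the caller, none of which the thread confirms.

```javascript
// Added example: authorization logic for a federation partner access policy.
// Assumption: the Verify Access policy hands the script a `context` object and a
// `Decision` helper; the names used in policyEntryPoint() are not confirmed here.

// Partner id -> groups whose members may SSO to that partner (constructed sample data).
const PARTNER_ALLOWED_GROUPS = {
  "componentspace-app": ["app-users", "app-admins"],
};

// Normalise a credential attribute that may arrive as null, a single string, or an array.
function toValueList(attr) {
  if (attr === null || attr === undefined) return [];
  return Array.isArray(attr) ? attr.map(String) : [String(attr)];
}

// Pure decision: allow only if the user holds at least one group authorised for the partner.
// Unknown partners and users without a group attribute are denied (fail closed).
function decideAccess(partnerId, groupAttr) {
  const allowed = PARTNER_ALLOWED_GROUPS[partnerId];
  if (!allowed) return { allow: false, reason: "unknown partner " + partnerId };
  const groups = toValueList(groupAttr);
  const match = groups.find((g) => allowed.includes(g));
  if (match) return { allow: true, reason: "member of " + match };
  return { allow: false, reason: "no authorised group for " + partnerId };
}

// Entry point as it would be wired into the access policy (assumed API, see above).
// How the partner id is obtained from the policy context is not shown; it is passed in.
function policyEntryPoint(context, Decision, partnerId) {
  const user = context.getUser();
  const result = decideAccess(partnerId, user.getAttribute("groupIds"));
  context.setDecision(result.allow ? Decision.allow() : Decision.deny());
  return result;
}
```

The same check can be extended to other credential attributes (for example the authentication level) by adding conditions inside decideAccess, since the policy sees the whole credential, not just group membership.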