IBM Security Verify


Federations : why SOAP trigger in EAI TRIGGER URLS ?

  • 1.  Federations : why SOAP trigger in EAI TRIGGER URLS ?

    Posted Wed September 11, 2019 01:05 PM
    Hello Community,

    I must say that my questions are probably obvious to a lot of people, but I was not able to find any answer. We are currently using ISAM (9.0.6) and TFIM (6.2.2) for federation management, and I am working on the TFIM migration to ISAM. I was reading the latest Cookbook (SAM906-FederationCookbook20190718.pdf, link: https://community.ibm.com/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=75e1aea2-96dc-96f1-4bf9-92c32f3dd048&forceDialog=0) and I had two questions about it.

    1- On page 306, the following entries are suggested to be added in the eai-trigger-urls stanza:

    trigger = /isam/sps/saml20idp/saml20/login*
    trigger = /isam/sps/saml20idp/saml20/slo*
    trigger = /isam/sps/saml20idp/saml20/soap*
    trigger = /isam/sps/auth*

    I can understand the login and the slo triggers, but I must say I am not sure why a SOAP trigger is added in this case. What could it be used for?


    2- Probably both questions are related, but we have the exact same "eai-trigger-urls" recommendations no matter whether we are configuring an SP (page 306) or an IdP (page 313) reverse proxy. Is SOAP really needed in an SP scenario?

    Thank you very much. I must say that I followed the cookbook and everything is working flawlessly. I also note that I have the exact same configuration right now with the ISAM/TFIM combo, so it is working like this; I just really want to know why those settings are recommended.


    Thank you very much, 

    ------------------------------
    Christophe Agostini
    ------------------------------


  • 2.  RE: Federations : why SOAP trigger in EAI TRIGGER URLS ?

    Posted Wed September 11, 2019 01:56 PM
    Hello Christophe,

    The trigger for '/isam/sps/saml20idp/saml20/soap*' is for the Artifact SSO binding, which uses SOAP to exchange the SAML Request/Response as opposed to HTTP.

    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 3.  RE: Federations : why SOAP trigger in EAI TRIGGER URLS ?

    Posted Wed September 11, 2019 02:04 PM
    Hello Jack,

    Thanks for the great answer. So in the case where my partner does use or support artifact/SOAP, I can remove this entry from the trigger URLs as well as from the ACL?

    ------------------------------
    Christophe Agostini
    ------------------------------



  • 4.  RE: Federations : why SOAP trigger in EAI TRIGGER URLS ?

    Posted Wed September 11, 2019 02:07 PM
    Hello Christophe,

    Yes, technically you can remove it, but the tool will place it again, as well as the ACL.

    Why do you desire to remove it?

    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 5.  RE: Federations : why SOAP trigger in EAI TRIGGER URLS ?

    Posted Wed September 11, 2019 02:18 PM

    Hello,

    Actually, I am not using the tool but rather REST API calls (using Ansible, etc.), so they will not be created. I do not plan to remove them, but if they are not needed then I may consider doing so: I may be wrong to think like this, but if our partners do not use it then it's an entry I do not have to manage, it's one entry less in the ACL ... and the fewer lines of code I have, the happier I am!

    Christophe, the simple guy ^^





    ------------------------------
    Christophe Agostini
    ------------------------------



  • 6.  RE: Federations : why SOAP trigger in EAI TRIGGER URLS ?

    Posted Wed September 11, 2019 02:21 PM

    Hello Christophe,


    That makes sense.
    My understanding is that they're only used for the Artifact binding, so safe to remove if that's not being used.



    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 7.  RE: Federations : why SOAP trigger in EAI TRIGGER URLS ?

    Posted Wed September 11, 2019 06:13 PM
    If I remember correctly, the EAI trigger is set for the SOAP endpoint because single logout can be triggered via SOAP, and an EAI "server task" command is used to terminate the user session when a logout message is received from the partner over SOAP.

    If you're not using the SOAP binding, then there is no impact from removing this trigger from the configuration if you want to.

    cheers... Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 8.  RE: Federations : why SOAP trigger in EAI TRIGGER URLS ?

    Posted Wed September 25, 2019 10:21 AM
    Thank you Jon.

    So I get the EAI trigger for SOAP concept, thank you very much. However, in the ISAM Federation cookbook the following triggers are suggested:

    trigger = /isam/sps/saml20idp/saml20/login*
    trigger = /isam/sps/saml20idp/saml20/slo*
    trigger = /isam/sps/saml20idp/saml20/soap*
    trigger = /isam/sps/auth*

    So in my case SOAP is not needed, so I guess I do not need the login (login*) and logout (slo*) triggers either, right? Once again, everything is working fine by following the cookbook; it is just that I don't understand the need for EAI triggers except in the SOAP scenario.


    ------------------------------
    Christophe Agostini
    ------------------------------



  • 9.  RE: Federations : why SOAP trigger in EAI TRIGGER URLS ?

    Posted Thu September 26, 2019 05:43 AM
    Hi Christophe,

    If you are supporting Single Logout in your environment then you need to have slo* trigger on both IdP and SP because both sides need to be able to instruct WebSEAL to perform a logout via EAI from this endpoint when running this flow.

    You certainly need the login* and auth* triggers at the Service Provider side because it needs to be able to instruct WebSEAL to create an authenticated session when a user is asserted from an Identity Provider.

    I don't think that you need these triggers at the Identity Provider side because you're not authenticating with Federation there. Having additional triggers will not harm operation, so everything will work even if extra values are present. You could probably remove them if you want to (and test afterwards!)

    I hope this helps explain things for you.

    Cheers... Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
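    The two explanations above (Jack's: soap* serves the Artifact/SOAP binding; Jon's: slo* is needed on both sides when Single Logout is in use, login* and auth* on the SP side only) can be turned into a small audit of the eai-trigger-urls stanza. The following Python script is an added example written for this thread; it is not code from IBM, the cookbook or the posters. It parses a constructed WebSEAL-style configuration fragment, derives the triggers a deployment should carry from three declared facts (role, whether Single Logout is supported, whether any SOAP binding is used) and reports what is missing or surplus. The decision rules encode only what the replies in this thread state, and the treatment of the IdP side as not needing login*/auth* is Jon's "I don't think" guess carried over as an assumption. The federation path prefix is a parameter because it depends on the federation name chosen at configuration time.

```python
from fnmatch import fnmatchcase

# Constructed sample: a WebSEAL-style configuration fragment carrying the
# four triggers the cookbook suggests (not a real webseald.conf).
SAMPLE_CONF = """
[server]
server-name = default-webseald

[eai-trigger-urls]
# triggers suggested by the Federation cookbook
trigger = /isam/sps/saml20idp/saml20/login*
trigger = /isam/sps/saml20idp/saml20/slo*
trigger = /isam/sps/saml20idp/saml20/soap*
trigger = /isam/sps/auth*
"""


def parse_triggers(conf_text):
    """Return the 'trigger' values found under the [eai-trigger-urls] stanza.

    Stanza names are matched case-insensitively; blank lines and '#'/';'
    comment lines are skipped; values of other stanzas are ignored.
    """
    triggers = []
    in_stanza = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_stanza = line[1:-1].strip().lower() == "eai-trigger-urls"
            continue
        if in_stanza:
            key, sep, value = line.partition("=")
            if sep and key.strip() == "trigger":
                triggers.append(value.strip())
    return triggers


def required_triggers(role, single_logout, soap_binding,
                      fed_path="/isam/sps/saml20idp/saml20"):
    """Triggers a deployment needs, per the explanations given in this thread.

    role          -- "sp" or "idp"
    single_logout -- True if SAML Single Logout is supported with partners
    soap_binding  -- True if the Artifact binding or SOAP-based SLO is used
    fed_path      -- assumed path prefix of the federation endpoints
    """
    if role not in ("sp", "idp"):
        raise ValueError("role must be 'sp' or 'idp'")
    needed = set()
    if role == "sp":
        # SP must be able to tell WebSEAL to create a session for an asserted user.
        needed.add(f"{fed_path}/login*")
        needed.add("/isam/sps/auth*")
    # Assumption from the thread: the IdP side authenticates outside Federation,
    # so login*/auth* are not required there.
    if single_logout:
        # Both sides must be able to instruct WebSEAL to log the user out.
        needed.add(f"{fed_path}/slo*")
    if soap_binding:
        # Artifact SSO and SOAP SLO arrive at the soap endpoint.
        needed.add(f"{fed_path}/soap*")
    return needed


def audit_triggers(conf_text, role, single_logout, soap_binding):
    """Compare configured triggers with the required set; return what differs."""
    configured = set(parse_triggers(conf_text))
    needed = required_triggers(role, single_logout, soap_binding)
    return {
        "missing": sorted(needed - configured),
        "extra": sorted(configured - needed),
    }


def is_eai_trigger(path, triggers):
    """True if a request path matches any configured trigger pattern ('*' wildcard)."""
    return any(fnmatchcase(path, pattern) for pattern in triggers)


if __name__ == "__main__":
    for role, slo, soap in (("sp", True, False), ("idp", True, False), ("sp", True, True)):
        result = audit_triggers(SAMPLE_CONF, role, slo, soap)
        print(f"role={role} slo={slo} soap={soap}: {result}")
```

Run as-is, the script shows that for an SP without any SOAP binding only the soap* entry is surplus, while an IdP without SOAP is left with slo* alone; the "extra" entries are harmless, as Jon notes, and are only candidates for removal.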



  • 10.  RE: Federations : why SOAP trigger in EAI TRIGGER URLS ?

    Posted Thu September 26, 2019 11:35 AM
    Thank you Jon,

    It all makes perfect sense now !

    Have a great day,

    ------------------------------
    Christophe Agostini
    ------------------------------