IBM Security Verify

  • 1.  Device registration with browser fingerprint no expiration in ISAM

    Posted Mon November 19, 2018 11:06 AM
    Hello,

    we want to use the persistent login described here:
    Risked-Based Access with Persistent Cookie Device Fingerprint - Shane Weeden's Blog

    We have setup this part.
    It is important for us that if the persistent cookie expires in the browser it is also removed from the ISAM runtime database that contains the browser fingerprint information.
    Right now ISAM does not expire the fingerprint. The value keeps valid even if the browser has discarded the information. There is no cleanup. When checking the API documentation there is also no expiry attribute returned when getting the linked devices.
    Is it possible to add an attribute in the database so that the cookie fingerprint value also expires in the appliance?
    thank you,

    Best regards,

    Sander Meyfroot



    ------------------------------
    Sander Meyfroot
    ------------------------------


  • 2.  RE: Device registration with browser fingerprint no expiration in ISAM

    Posted Tue November 20, 2018 04:35 PM
    Edited by Peter Volckaert Tue November 20, 2018 04:36 PM
    Hi Sander,

    My 2 cents: similar to the fingerprintcookie attribute you could introduce another attribute, fingerprintcookie-expirationtime, which is then set to the expiration time of the fingerprint cookie. That would then allow you to run a script that loops over all device fingerprints and deletes the ones that have expired fingerprint cookies.
    There is a set of REST APIs that allow you to do that: see below screenshot:
    "Retrieve a list of device fingerprints" is likely the one you're interested in.
    Details of these APIs can be found in the documentation downloads on the appliance itself.

    Hope this helps.
    Kind regards, Peter


    ------------------------------
    Peter Volckaert
    Sales Engineer
    IBM Security
    ------------------------------
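    The cleanup job Peter sketches above, as an added example that is not code from the thread or from IBM: every registered device carries the proposed custom attribute fingerprintcookie-expirationtime, the script lists the devices, selects the ones whose timestamp has passed and deletes only those. The record layout (an `id` plus an `attributes` map), the ISO 8601 UTC format of the timestamp, the bearer-token authentication and the two URL paths are assumptions; the real endpoint paths and JSON shape come from the "Retrieve a list of device fingerprints" documentation on the appliance. The sample device list is constructed for the example so it runs offline.

```python
"""Expire ISAM device fingerprints that carry a custom expiration attribute.

Added example, not from the forum thread or from IBM. Endpoint paths, record
layout and timestamp format are assumptions (see comments).
"""
import json
import urllib.request
from datetime import datetime, timezone

# Custom attribute proposed in the thread. Storing it as ISO 8601 UTC
# ("2018-11-20T16:35:00Z") is an assumption of this example.
EXPIRY_ATTR = "fingerprintcookie-expirationtime"


def parse_expiry(value):
    """Parse the expiration attribute; None when absent or malformed."""
    if not value:
        return None
    try:
        ts = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts.replace(tzinfo=timezone.utc)


def select_expired(devices, now):
    """Return ids of devices whose cookie expiration lies at or before `now`.

    Records with a missing or unparseable attribute are deliberately kept:
    a cleanup job should fail safe and never delete what it cannot interpret
    (e.g. devices registered before the attribute was introduced).
    """
    expired = []
    for device in devices:
        attrs = device.get("attributes", {})
        expiry = parse_expiry(attrs.get(EXPIRY_ATTR))
        if expiry is not None and expiry <= now:
            expired.append(device["id"])
    return expired


def cleanup(fetch_devices, delete_device, now, dry_run=True):
    """List devices, delete the expired ones; returns the ids acted on.

    `fetch_devices()` returns the device list, `delete_device(id)` removes
    one record. With dry_run=True nothing is deleted, which is the sensible
    first run of any job that removes authentication state.
    """
    expired = select_expired(fetch_devices(), now)
    if not dry_run:
        for device_id in expired:
            delete_device(device_id)
    return expired


def rest_client(base_url, token):
    """Build fetch/delete callables over the appliance REST API.

    HYPOTHETICAL paths: replace with the ones documented on the appliance.
    """
    list_path = "/device-fingerprints"          # placeholder
    delete_path = "/device-fingerprints/{id}"   # placeholder
    headers = {"Accept": "application/json", "Authorization": "Bearer " + token}

    def fetch_devices():
        req = urllib.request.Request(base_url + list_path, headers=headers)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def delete_device(device_id):
        req = urllib.request.Request(
            base_url + delete_path.format(id=device_id),
            headers=headers, method="DELETE")
        with urllib.request.urlopen(req) as resp:
            resp.read()

    return fetch_devices, delete_device


# Constructed sample records, mirroring the assumed API response layout.
SAMPLE_DEVICES = [
    {"id": "dev-1", "attributes": {EXPIRY_ATTR: "2018-11-01T00:00:00Z"}},  # expired
    {"id": "dev-2", "attributes": {EXPIRY_ATTR: "2019-05-01T00:00:00Z"}},  # still valid
    {"id": "dev-3", "attributes": {}},                                     # no attribute
    {"id": "dev-4", "attributes": {EXPIRY_ATTR: "not-a-date"}},           # malformed
]
NOW = datetime(2018, 11, 21, 0, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    deleted = []
    ids = cleanup(lambda: SAMPLE_DEVICES, deleted.append, NOW, dry_run=False)
    print("would delete:", ids, "deleted:", deleted)
```

    The expiration value has to be written when the device is registered, with the same lifetime the mapping rule gives the persistent cookie, otherwise the appliance record and the browser cookie drift apart again. Run the job with `dry_run=True` first and compare the selected ids against the device list before letting it delete anything.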



  • 3.  RE: Device registration with browser fingerprint no expiration in ISAM

    Posted Wed November 21, 2018 03:35 AM
    Hello Peter,

    Thank you for your answer. I was also thinking about this, but I was wondering if there was some built-in functionality in ISAM to do this.
    I think this should also be possible to do with the advanced access control. Do you think it is more interesting to use this runtime database for storing those custom attributes, or do you think it would be useful to create a subtree in the ISAM LDAP to store those custom attributes (since this is all custom development then)?
    thank you,

    best regards,

    Sander Meyfroot

    ------------------------------
    Sander Meyfroot
    ------------------------------



  • 4.  RE: Device registration with browser fingerprint no expiration in ISAM

    Posted Wed November 21, 2018 04:58 PM
    Edited by Peter Volckaert Wed November 21, 2018 05:02 PM
    Hi Sander,

    I'd use the runtime database for this:
    - both the cookie and its expiration time are in the same store then, which is a natural thing and easier to understand as well.
    - changing the code so that the expiration time is also stored is easy, as it is similar to storing the cookie, versus figuring out how to store the expiration time in an LDAP.
    - ISAM stores custom attributes in the runtime database, not in an LDAP.

    So: doing something similar but storing data in an LDAP would require a lot more effort; better use what ISAM offers "out of the box" for managing custom attributes.

    Kind regards, Peter

    ------------------------------
    Peter Volckaert
    Sales Engineer
    IBM Security
    ------------------------------