
Federations : why SOAP trigger in EAI TRIGGER URLS ?

  • 1.  Federations : why SOAP trigger in EAI TRIGGER URLS ?

    Posted 4 days ago
    Hello Community,

    I must say that my questions are probably obvious for a lot of people, but I was not able to find any answer. We are currently using ISAM (9.0.6) and TFIM (6.2.2) for federation management and I am working on the TFIM migration to ISAM. I was reading the latest Cookbook ( SAM906-FederationCookbook20190718.pdf , link : https://community.ibm.com/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=75e1aea2-96dc-96f1-4bf9-92c32f3dd048&forceDialog=0) and I had two questions about it.

    1- On page 306, the following entries are suggested to be added in the eai-trigger-urls stanza:

    trigger = /isam/sps/saml20idp/saml20/login*
    trigger = /isam/sps/saml20idp/saml20/slo*
    trigger = /isam/sps/saml20idp/saml20/soap*
    trigger = /isam/sps/auth*

    I can understand the login and the slo trigger, but I must say I am not sure why a SOAP trigger is added in this case. What could it be used for?


    2- Probably both questions are related, but we have the exact same "eai-trigger-urls" recommendations no matter if we are configuring an SP (page 306) or IDP (page 313) reverse proxy. Is SOAP really needed in the SP scenario?

    Thank you very much, I must say that I followed the cookbook and everything is working flawlessly. I also note that I have the exact same configuration right now with the ISAM/TFIM combo, so it is working like this; I just really want to know why those settings are recommended.


    Thank you very much, 

    ------------------------------
    Christophe Agostini
    ------------------------------


  • 2.  RE: Federations : why SOAP trigger in EAI TRIGGER URLS ?

    Posted 4 days ago
    Hello Christophe,

    The trigger for '/isam/sps/saml20idp/saml20/soap*' is for the Artifact SSO binding, which uses SOAP to exchange the SAML Request/Response as opposed to HTTP.

    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 3.  RE: Federations : why SOAP trigger in EAI TRIGGER URLS ?

    Posted 4 days ago
    Hello Jack,

    Thanks for the great answer. So in the case where my partner does use or support artifact/SOAP, I can remove this entry from the trigger URLs as well as from the ACL?

    ------------------------------
    Christophe Agostini
    ------------------------------



  • 4.  RE: Federations : why SOAP trigger in EAI TRIGGER URLS ?

    Posted 4 days ago
    Hello Christophe,

    Yes, technically you can remove it, but the tool will place it again, as well as the ACL.

    Why do you desire to remove it?

    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 5.  RE: Federations : why SOAP trigger in EAI TRIGGER URLS ?

    Posted 4 days ago

    Hello,

    Actually I am not using the tool but rather REST API calls (using Ansible, etc.), so they will not be created. I do not plan to remove them, but if they are not needed then I may consider doing so: I may be wrong to think like this, but if our partners do not use it then it's an entry I do not have to manage, one entry less in the ACL ... and the fewer lines of code I have, the happier I am!

    Christophe, the simple guy ^^
    ------------------------------
    Christophe Agostini
    ------------------------------



  • 6.  RE: Federations : why SOAP trigger in EAI TRIGGER URLS ?

    Posted 4 days ago

    Hello Christophe,


    That makes sense.
    My understanding is that they're only used for the Artifact binding, so safe to remove if that's not being used.



    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 7.  RE: Federations : why SOAP trigger in EAI TRIGGER URLS ?

    Posted 4 days ago
    If I remember correctly, the EAI trigger is set for the SOAP endpoint because single logout can be triggered via SOAP, and an EAI "server task" command is used to terminate the user session when a logout message is received from the partner over SOAP.

    If you're not using the SOAP binding then there is no impact from removing this trigger from the configuration, if you want to.

    cheers... Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
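
Both answers above come down to the same practical question: does the partner drive anything that lands on the SOAP endpoint, i.e. the Artifact binding (Jack's reply) or SOAP-based single logout (Jon's reply)? The script below is an added example written for this thread; it is not from the cookbook, from IBM, or from any poster. It parses a partner's SAML 2.0 metadata, checks whether any endpoint declares the HTTP-Artifact or SOAP binding, and emits the minimal `[eai-trigger-urls]` stanza using the trigger paths quoted from the cookbook in the first post. The check is deliberately conservative (any SOAP or Artifact binding on the partner side keeps the `soap*` trigger). The metadata documents are constructed for illustration; `sp.example.com` is a placeholder.

```python
"""Decide whether the cookbook's 'soap*' eai-trigger-urls entry is needed for a
partner, from that partner's SAML 2.0 metadata.  Added example for the thread
above; not code from the cookbook, IBM, or the posters."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Trigger paths exactly as quoted from the cookbook in the first post.
TRIGGERS = {
    "login": "/isam/sps/saml20idp/saml20/login*",
    "slo": "/isam/sps/saml20idp/saml20/slo*",
    "soap": "/isam/sps/saml20idp/saml20/soap*",
    "auth": "/isam/sps/auth*",
}


def soap_usage(metadata_xml):
    """Report which SOAP-reliant features the partner metadata declares."""
    root = ET.fromstring(metadata_xml)
    # Works for either partner role; note 'is None' because an Element with no
    # children is falsy, so 'or' chaining would silently skip it.
    role = root.find("md:SPSSODescriptor", NS)
    if role is None:
        role = root.find("md:IDPSSODescriptor", NS)
    if role is None:
        raise ValueError("no SP or IdP role descriptor in metadata")

    def bindings(tag):
        return {e.get("Binding") for e in role.findall("md:" + tag, NS)}

    # Artifact SSO: the partner will resolve artifacts at our SOAP endpoint
    # (ACS/SSO declared with HTTP-Artifact) or publishes its own resolver.
    artifact = (HTTP_ARTIFACT in bindings("AssertionConsumerService")
                or HTTP_ARTIFACT in bindings("SingleSignOnService")
                or bool(bindings("ArtifactResolutionService")))
    # SOAP single logout: a back-channel logout exchange is configured.
    soap_slo = SOAP in bindings("SingleLogoutService")
    return {"artifact_binding": artifact, "soap_slo": soap_slo}


def required_triggers(metadata_xml):
    """Return the cookbook triggers, dropping 'soap*' only if nothing needs it."""
    usage = soap_usage(metadata_xml)
    keep = ["login", "slo", "auth"]
    if usage["artifact_binding"] or usage["soap_slo"]:
        keep.insert(2, "soap")
    return [TRIGGERS[k] for k in keep]


def render_stanza(triggers):
    """Render the reverse-proxy stanza, e.g. for an Ansible/REST API push."""
    return "[eai-trigger-urls]\n" + "\n".join("trigger = " + t for t in triggers)


# Constructed sample: SP using HTTP-POST SSO and HTTP-Redirect SLO only.
SP_POST_ONLY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.com/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: SP consuming artifacts and doing SOAP single logout.
SP_ARTIFACT = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://sp.example.com/saml/slo-soap"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.com/saml/acs-artifact" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for name, xml in (("post-only partner", SP_POST_ONLY), ("artifact partner", SP_ARTIFACT)):
        print("#", name, soap_usage(xml))
        print(render_stanza(required_triggers(xml)))
        print()
```

Run it and you get a three-line stanza for the first partner and a four-line one (with the `soap*` trigger) for the second. The same decision applies to the ACL: whatever set of triggers you keep is the set of paths that need the unauthenticated ACL attached, so feeding `required_triggers()` into both halves of your Ansible role keeps them consistent. The `auth*` trigger is kept unconditionally since it is independent of the partner binding.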