IBM Security Verify

  • 1.  AD User Domain Information with WebSEAL Kerberos SSO

    Posted Tue October 03, 2023 10:45 AM

    Hi,

    Is it possible to get any AD domain related information from WebSEAL to ISAM STS for a user who logged into WebSEAL configured with Kerberos SSO? Domain related information here could simply be the realm the user logged in with.

    The use case we are looking to address is one where we would like to identify the AD domain the user logged in with and include that in a JWT token issued over a TFIMSSO junction. I would assume we should attempt to get the AD domain attribute into the stsuu, but we haven't found a way to even send this attribute to ISAM from WebSEAL.

    We are using ISAM LDAP as a user registry.

    Thanks



    ------------------------------
    Martin van der Wel
    ------------------------------


  • 2.  RE: AD User Domain Information with WebSEAL Kerberos SSO

    Posted Wed October 04, 2023 01:30 AM

    Do you know if the attribute you want in the JWT is already part of the user's session credential? Use the ivcreds local application after performing authentication to find out. Also some parts of the question don't make sense, and require clarification, such as:

    • "WebSEAL configured with Kerberos SSO". I presume you actually mean WebSEAL configured for Windows Desktop authentication using SPNEGO authentication? The terminology Kerberos SSO in ISAM documentation is typically used to refer to an integration on a WebSEAL Junction for sending Kerberos constrained delegation tokens to an IIS-hosted application. I couldn't imagine you would be using that and trying to use a JWT via a TFIM SSO junction at the same time. 
    • "send this attribute to ISAM from WebSEAL". ISAM is the acronym for the former name of the entire product, which is now called IBM Security Verify Access. WebSEAL is a component of the product, as is the STS. 


    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 3.  RE: AD User Domain Information with WebSEAL Kerberos SSO

    Posted Wed October 04, 2023 07:23 AM

    Hi Shane,

    Thanks for the response and apologies, my query should have been more clear. This is indeed for a Windows Desktop authentication using SPNEGO/Kerberos configuration on WebSEAL. It is in the Security Verify Access STS component where we would like to determine the user's login domain.

    I have looked at the credential viewer enabled on webseal after SPNEGO Kerberos login and see some interesting information including:

    AZN_CRED_AUTHNMECH_INFO GSS Authentication
    AZN_CRED_AUTH_METHOD kerberosv5
    AZN_CRED_REGISTRY_ID (User DN as on ISVA LDAP)

    But nothing regarding the AD domain my user has logged into. Is there a way to add that information in the webseal credential attributes?

    Thanks


    ------------------------------
    Martin van der Wel
    ------------------------------



  • 4.  RE: AD User Domain Information with WebSEAL Kerberos SSO

    Posted Wed October 04, 2023 10:30 PM

    Martin,


    I can think of two ways to potentially augment the credential with that information:

    1. You can use the registry attribute entitlement service (https://www.ibm.com/docs/en/sva/10.0.6?topic=credentials-mechanisms-adding-registry-attributes-credential) to add user information from the ISVA registry to the credential.  This does mean however that the ISVA user registry would need to know the domain information.
    2. You can use the XML user mapping capability (https://www.ibm.com/docs/en/sva/10.0.6?topic=mapping-xml-user-model) to also obtain information from the ISVA registry and add this to the credential.  In addition to this, if the user name which was used in the authentication operation contains the domain, you should be able to author the XSLT to pull this out and add it as a credential attribute.


    I hope that this helps.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor






  • 5.  RE: AD User Domain Information with WebSEAL Kerberos SSO

    Posted Thu October 05, 2023 05:13 AM

    Hi Scott,

    Thanks for these insights. What is interesting is, if I enable the following setting in the webseal config:

    [spnego]
    use-domain-qualified-name = yes

    And I create a user on ISVA LDAP that has the full domain qualified name, I can log in with that user through Kerberos/SPNEGO and interestingly, the domain is then populated in the webseal credential attributes. That to me suggests that webseal is able to determine the AD domain, but the problem of course is that the ISVA LDAP registry would need to include the domain qualified names for all users as well, otherwise login fails. It would have been great if a feature similar to this could be turned on, but with the sole purpose of populating the domain as a webseal credential attribute, and not requiring the principal on ISVA LDAP to also contain the domain.

    Thanks.



    ------------------------------
    Martin van der Wel
    ------------------------------



  • 6.  RE: AD User Domain Information with WebSEAL Kerberos SSO

    Posted Thu October 05, 2023 07:11 PM
    Edited by Shane Weeden Thu October 05, 2023 07:11 PM

    Hi Martin,

    Have you tried a combination of the use-domain-qualified-name=yes, and an XSL authenticated user mapping transform to then transform the final authenticated user identity back to that which you already have in LDAP, plus add/retain another attribute that is just the AD domain name?

    I haven't got such an environment available to try it out or I'd do so, but it should be relatively easy to see if this would work.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 7.  RE: AD User Domain Information with WebSEAL Kerberos SSO

    Posted Thu October 05, 2023 09:20 PM

    I managed to track down a test environment and proved it will work. I set up WebSEAL for windows desktop authentication, and specifically set:

    [spnego]
    use-domain-qualified-name = yes

    My ISVA registry only contained the short name (not qualified with @AD_DOMAIN_NAME) for users.

    I set up this User Name Mapping XSL file:

    <?xml version="1.0" encoding='UTF-8'?>

    <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser" version="1.0">

    <!-- Required to constrain output of rule evaluation -->
    <xsl:output method="xml" omit-xml-declaration="yes" encoding='UTF-8' indent="no"/>

    <!-- Need this to ensure default text node printing is off -->
    <xsl:template match="text()"></xsl:template>

    <!-- Operate on the Principal section of the STSUU -->
    <xsl:template match="/XMLUMI/stsuuser:STSUniversalUser/stsuuser:Principal">
     <!-- This contains the domain-qualified AD username when WebSEAL is configured with:
      [spnego]
      use-domain-qualified-name = yes
     -->
     <xsl:variable name="origusername"><xsl:value-of select="stsuuser:Attribute[@name='name']/stsuuser:Value"/></xsl:variable>

     <!-- Add an attribute with just the AD domain name (part after the @) -->
     <attribute name='ADDOMAIN'><xsl:value-of select="substring-after($origusername,'@')"/></attribute>

     <!-- Map identity to the short username which is the part before the @ -->
     <identity><xsl:value-of select="substring-before($origusername,'@')"/></identity>
    </xsl:template>

    </xsl:stylesheet>

    During login (I was using the domain admin account), the original username value was Administrator@FVT.ISAM.COM.

    With the username mapping in place, then accessing an iv cred viewer app, I see:



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
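The user-name mapping suggested in post 6 and shown as XSL in post 7, re-implemented in Python as an added illustration (not IBM's code and not the stylesheet WebSEAL runs): it applies the same substring-before/substring-after split to a constructed STSUU document whose element layout is assumed from the transform's XPath, and additionally covers the case the XSLT does not, an unqualified name (which `substring-before` would turn into an empty identity), plus an optional allow-list for the extracted realm.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace used by the STSUU document the WebSEAL XML user-mapping rule
# operates on (taken from the posted XSL stylesheet).
NS = {"stsuuser": "urn:ibm:names:ITFIM:1.0:stsuuser"}
NAME_XPATH = ("stsuuser:STSUniversalUser/stsuuser:Principal/"
              "stsuuser:Attribute[@name='name']/stsuuser:Value")

# Constructed sample input: the element layout is assumed from the XPath
# the posted transform matches, not copied from a real WebSEAL trace.
SAMPLE_XMLUMI = """<XMLUMI xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
  <stsuuser:STSUniversalUser>
    <stsuuser:Principal>
      <stsuuser:Attribute name="name">
        <stsuuser:Value>Administrator@FVT.ISAM.COM</stsuuser:Value>
      </stsuuser:Attribute>
    </stsuuser:Principal>
  </stsuuser:STSUniversalUser>
</XMLUMI>"""


def map_user(xmlumi: str, allowed_domains=None) -> dict:
    """Return {'identity': short name, 'ADDOMAIN': realm} for one XMLUMI document.

    identity = substring-before(name, '@'), ADDOMAIN = substring-after(name, '@'),
    as in the XSL. Unlike the XSL, a name without '@' keeps its full value as the
    identity instead of becoming an empty string, and an optional allow-list
    (compared case-insensitively) rejects realms the deployment does not expect.
    """
    root = ET.fromstring(xmlumi)
    value = root.find(NAME_XPATH, NS)
    name = (value.text or "").strip() if value is not None else ""
    if not name:
        raise ValueError("STSUU principal has no 'name' attribute")
    if "@" in name:
        identity, domain = name.split("@", 1)   # split at the first '@', as XSLT does
    else:
        identity, domain = name, ""             # unqualified name: pass through
    if not identity:
        raise ValueError("empty user name before '@': %r" % name)
    if allowed_domains is not None and domain.upper() not in {d.upper() for d in allowed_domains}:
        raise ValueError("realm %r is not in the allow-list" % domain)
    return {"identity": identity, "ADDOMAIN": domain}


def render_mapping(mapped: dict) -> str:
    """Emit the XML fragment the posted XSL template produces for the mapped user."""
    return ("<attribute name='ADDOMAIN'>%s</attribute>\n<identity>%s</identity>"
            % (escape(mapped["ADDOMAIN"]), escape(mapped["identity"])))


if __name__ == "__main__":
    print(render_mapping(map_user(SAMPLE_XMLUMI, allowed_domains=["FVT.ISAM.COM"])))
```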