IBM Security Verify

Hi,

Is it possible to get any AD domain related information to from WebSEAL to ISAM STS for a user who logged into WebSEAL configured with Kerberos SSO? Domain related information here could simply be the realm the user logged in with.

The use case we are looking to address is one where we would like to identify the AD domain the user logged in with and include that in a JWT token issued over a TFIMSSO junction. I would assume we should attempt to get the AD domain attribute into the stsuu, but we haven't found a way to even send this attribute to ISAM from WebSEAL.

We are using ISAM LDAP as a user registry.

Thanks

Do you know if the attribute you want in the JWT is already part of the user's session credential? Use the ivcreds local application after performing authentication to find out. Also some parts of the question don't make sense, and require clarification, such as:

• "WebSEAL configured with Kerberos SSO". I presume you actually mean WebSEAL configured for Windows Desktop authentication using SPNEGO authentication? The terminology Kerberos SSO in ISAM documentation is typically used to refer to an integration on a WebSEAL Junction for sending Kerberos constrained delegation tokens to an IIS-hosted application. I couldn't imagine you would be using that and trying to use a JWT via a TFIM SSO junction at the same time. 
• "send this attribute to ISAM from WebSEAL". ISAM is the acronym for the former name of the entire product, which is now called IBM Security Verify Access. WebSEAL is a component of the product, as is the STS. 

Hi,

Is it possible to get any AD domain related information to from WebSEAL to ISAM STS for a user who logged into WebSEAL configured with Kerberos SSO? Domain related information here could simply be the realm the user logged in with.

The use case we are looking to address is one where we would like to identify the AD domain the user logged in with and include that in a JWT token issued over a TFIMSSO junction. I would assume we should attempt to get the AD domain attribute into the stsuu, but we haven't found a way to even send this attribute to ISAM from WebSEAL.

We are using ISAM LDAP as a user registry.

Thanks

Hi Shane,

Thanks for the response and apologies, my query should have been more clear. This is indeed for a Windows Desktop authentication using SPNEGO/Kerberos configuration on WebSEAL. It is in the Security Verify Access STS component where we would like to determine the user's login domain.

I have looked at the credential viewer enabled on webseal after SPNEGO Kerberos login and see some interesting information including:

Do you know if the attribute you want in the JWT is already part of the user's session credential? Use the ivcreds local application after performing authentication to find out. Also some parts of the question don't make sense, and require clarification, such as:

• "WebSEAL configured with Kerberos SSO". I presume you actually mean WebSEAL configured for Windows Desktop authentication using SPNEGO authentication? The terminology Kerberos SSO in ISAM documentation is typically used to refer to an integration on a WebSEAL Junction for sending Kerberos constrained delegation tokens to an IIS-hosted application. I couldn't imagine you would be using that and trying to use a JWT via a TFIM SSO junction at the same time. 
• "send this attribute to ISAM from WebSEAL". ISAM is the acronym for the former name of the entire product, which is now called IBM Security Verify Access. WebSEAL is a component of the product, as is the STS. 

Hi,

Is it possible to get any AD domain related information to from WebSEAL to ISAM STS for a user who logged into WebSEAL configured with Kerberos SSO? Domain related information here could simply be the realm the user logged in with.

The use case we are looking to address is one where we would like to identify the AD domain the user logged in with and include that in a JWT token issued over a TFIMSSO junction. I would assume we should attempt to get the AD domain attribute into the stsuu, but we haven't found a way to even send this attribute to ISAM from WebSEAL.

We are using ISAM LDAP as a user registry.

Thanks

Hi Shane,

Thanks for the response and apologies, my query should have been more clear. This is indeed for a Windows Desktop authentication using SPNEGO/Kerberos configuration on WebSEAL. It is in the Security Verify Access STS component where we would like to determine the user's login domain.

I have looked at the credential viewer enabled on webseal after SPNEGO Kerberos login and see some interesting information including:

Do you know if the attribute you want in the JWT is already part of the user's session credential? Use the ivcreds local application after performing authentication to find out. Also some parts of the question don't make sense, and require clarification, such as:

• "WebSEAL configured with Kerberos SSO". I presume you actually mean WebSEAL configured for Windows Desktop authentication using SPNEGO authentication? The terminology Kerberos SSO in ISAM documentation is typically used to refer to an integration on a WebSEAL Junction for sending Kerberos constrained delegation tokens to an IIS-hosted application. I couldn't imagine you would be using that and trying to use a JWT via a TFIM SSO junction at the same time. 
• "send this attribute to ISAM from WebSEAL". ISAM is the acronym for the former name of the entire product, which is now called IBM Security Verify Access. WebSEAL is a component of the product, as is the STS. 

Hi,

Is it possible to get any AD domain related information to from WebSEAL to ISAM STS for a user who logged into WebSEAL configured with Kerberos SSO? Domain related information here could simply be the realm the user logged in with.

The use case we are looking to address is one where we would like to identify the AD domain the user logged in with and include that in a JWT token issued over a TFIMSSO junction. I would assume we should attempt to get the AD domain attribute into the stsuu, but we haven't found a way to even send this attribute to ISAM from WebSEAL.

We are using ISAM LDAP as a user registry.

Thanks

Hi Scott,

Thanks for these insights. What is interesting is, if I enable the following setting in the webseal config:

[spnego]
use-domain-qualified-name = yes

And I create a user on ISVA LDAP that has the full domain qualified name, I can log in with that user through Kerberos/SPNEGO and interestingly, the domain is then populated in the webseal credential attributes. That to me suggests that webseal is able to determine the AD domain, but the problem of course is that the ISVA LDAP registry would need to include the domain qualified names for all users as well, otherwise login fails. It would have been great if a feature similar to this could be turned on, but with the sole purpose of populating the domain as a webseal credential attribute, and not requiring the principal on ISVA LDAP to also contain the domain

Thanks.

------------------------------
Martin van der Wel

Original Message:
Sent: Wed October 04, 2023 10:29 PM
From: Scott Exton
Subject: AD User Domain Information with WebSEAL Kerberos SSO

Original Message:
Sent: 10/4/2023 7:23:00 AM
From: Martin van der Wel
Subject: RE: AD User Domain Information with WebSEAL Kerberos SSO

Hi Shane,

Thanks for the response and apologies, my query should have been more clear. This is indeed for a Windows Desktop authentication using SPNEGO/Kerberos configuration on WebSEAL. It is in the Security Verify Access STS component where we would like to determine the user's login domain.

I have looked at the credential viewer enabled on webseal after SPNEGO Kerberos login and see some interesting information including:

------------------------------
Martin van der Wel

Original Message:
Sent: Wed October 04, 2023 01:29 AM
From: Shane Weeden
Subject: AD User Domain Information with WebSEAL Kerberos SSO

Do you know if the attribute you want in the JWT is already part of the user's session credential? Use the ivcreds local application after performing authentication to find out. Also some parts of the question don't make sense, and require clarification, such as:

• "WebSEAL configured with Kerberos SSO". I presume you actually mean WebSEAL configured for Windows Desktop authentication using SPNEGO authentication? The terminology Kerberos SSO in ISAM documentation is typically used to refer to an integration on a WebSEAL Junction for sending Kerberos constrained delegation tokens to an IIS-hosted application. I couldn't imagine you would be using that and trying to use a JWT via a TFIM SSO junction at the same time. 
• "send this attribute to ISAM from WebSEAL". ISAM is the acronym for the former name of the entire product, which is now called IBM Security Verify Access. WebSEAL is a component of the product, as is the STS. 

------------------------------
Shane Weeden
IBM

Original Message:
Sent: Tue October 03, 2023 10:32 AM
From: Martin van der Wel
Subject: AD User Domain Information with WebSEAL Kerberos SSO

Hi,

Is it possible to get any AD domain related information to from WebSEAL to ISAM STS for a user who logged into WebSEAL configured with Kerberos SSO? Domain related information here could simply be the realm the user logged in with.

The use case we are looking to address is one where we would like to identify the AD domain the user logged in with and include that in a JWT token issued over a TFIMSSO junction. I would assume we should attempt to get the AD domain attribute into the stsuu, but we haven't found a way to even send this attribute to ISAM from WebSEAL.

We are using ISAM LDAP as a user registry.

Thanks

------------------------------
Martin van der Wel
------------------------------

Hi Martin,

Have you tried a combination of the use-domain-qualified-name=yes, and an XSL authenticated user mapping transform to then transform the final authenticated user identity back to that which you already have in LDAP, plus add/retain another attribute that is just the AD domain name?

I haven't got such an environment available to try it out or I'd do so, but it should be relatively easy to see if this would work.

------------------------------
Shane Weeden
IBM

Original Message:
Sent: Thu October 05, 2023 05:13 AM
From: Martin van der Wel
Subject: AD User Domain Information with WebSEAL Kerberos SSO

Hi Scott,

Thanks for these insights. What is interesting is, if I enable the following setting in the webseal config:

[spnego]
use-domain-qualified-name = yes

And I create a user on ISVA LDAP that has the full domain qualified name, I can log in with that user through Kerberos/SPNEGO and interestingly, the domain is then populated in the webseal credential attributes. That to me suggests that webseal is able to determine the AD domain, but the problem of course is that the ISVA LDAP registry would need to include the domain qualified names for all users as well, otherwise login fails. It would have been great if a feature similar to this could be turned on, but with the sole purpose of populating the domain as a webseal credential attribute, and not requiring the principal on ISVA LDAP to also contain the domain

Thanks.

------------------------------
Martin van der Wel

Original Message:
Sent: Wed October 04, 2023 10:29 PM
From: Scott Exton
Subject: AD User Domain Information with WebSEAL Kerberos SSO

Original Message:
Sent: 10/4/2023 7:23:00 AM
From: Martin van der Wel
Subject: RE: AD User Domain Information with WebSEAL Kerberos SSO

Hi Shane,

Thanks for the response and apologies, my query should have been more clear. This is indeed for a Windows Desktop authentication using SPNEGO/Kerberos configuration on WebSEAL. It is in the Security Verify Access STS component where we would like to determine the user's login domain.

I have looked at the credential viewer enabled on webseal after SPNEGO Kerberos login and see some interesting information including:

------------------------------
Martin van der Wel

Original Message:
Sent: Wed October 04, 2023 01:29 AM
From: Shane Weeden
Subject: AD User Domain Information with WebSEAL Kerberos SSO

Do you know if the attribute you want in the JWT is already part of the user's session credential? Use the ivcreds local application after performing authentication to find out. Also some parts of the question don't make sense, and require clarification, such as:

• "WebSEAL configured with Kerberos SSO". I presume you actually mean WebSEAL configured for Windows Desktop authentication using SPNEGO authentication? The terminology Kerberos SSO in ISAM documentation is typically used to refer to an integration on a WebSEAL Junction for sending Kerberos constrained delegation tokens to an IIS-hosted application. I couldn't imagine you would be using that and trying to use a JWT via a TFIM SSO junction at the same time. 
• "send this attribute to ISAM from WebSEAL". ISAM is the acronym for the former name of the entire product, which is now called IBM Security Verify Access. WebSEAL is a component of the product, as is the STS. 

------------------------------
Shane Weeden
IBM

Original Message:
Sent: Tue October 03, 2023 10:32 AM
From: Martin van der Wel
Subject: AD User Domain Information with WebSEAL Kerberos SSO

Hi,

Is it possible to get any AD domain related information to from WebSEAL to ISAM STS for a user who logged into WebSEAL configured with Kerberos SSO? Domain related information here could simply be the realm the user logged in with.

The use case we are looking to address is one where we would like to identify the AD domain the user logged in with and include that in a JWT token issued over a TFIMSSO junction. I would assume we should attempt to get the AD domain attribute into the stsuu, but we haven't found a way to even send this attribute to ISAM from WebSEAL.

We are using ISAM LDAP as a user registry.

Thanks

------------------------------
Martin van der Wel
------------------------------

I managed to track down a test environment and proved it will work. I set up WebSEAL for windows desktop authentication, and specifically set:

[spnego]use-domain-qualified-name = yes

My ISVA registry only contained the short name (not qualified with @AD_DOMAIN_NAME) for users.

I set up this User Name Mapping XSL file:

<?xml version="1.0" encoding='UTF-8'?> <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser" version="1.0"> <!-- Required to constrain output of rule evaluation --> <xsl:output method="xml" omit-xml-declaration="yes" encoding='UTF=8' indent="no"/> <!-- Need this to ensure default text node printing is off --> <xsl:template match="text()"></xsl:template> <!-- Operate on the Principal section of the STSUU --> <xsl:template match="/XMLUMI/stsuuser:STSUniversalUser/stsuuser:Principal">  <!-- This contains the domain-qualified AD username when WebSEAl is configured with:  [spgneo]  use-domain-qualified-name = yes --> <xsl:variable name="origusername"><xsl:value-of select="stsuuser:Attribute[@name='name']/stsuuser:Value"/></xsl:variable>  <!-- Add an attribute with just the AD domain name (part after the @) --> <attribute name='ADDOMAIN'><xsl:value-of select="substring-after($origusername,'@')"/></attribute>  <!-- Map identity to the short username which is the part before the @ --> <identity><xsl:value-of select="substring-before($origusername,'@')"/></identity> </xsl:template> </xsl:stylesheet> 

During login (I was using the domain admin account), the original username value was Administrator@FVT.ISAM.COM

With the username mapping in place, then accessing an iv cred viewer app, I see:

Hi Martin,

Have you tried a combination of the use-domain-qualified-name=yes, and an XSL authenticated user mapping transform to then transform the final authenticated user identity back to that which you already have in LDAP, plus add/retain another attribute that is just the AD domain name?

I haven't got such an environment available to try it out or I'd do so, but it should be relatively easy to see if this would work.

------------------------------
Shane Weeden
IBM

Original Message:
Sent: Thu October 05, 2023 05:13 AM
From: Martin van der Wel
Subject: AD User Domain Information with WebSEAL Kerberos SSO

Hi Scott,

Thanks for these insights. What is interesting is, if I enable the following setting in the webseal config:

[spnego]
use-domain-qualified-name = yes

And I create a user on ISVA LDAP that has the full domain qualified name, I can log in with that user through Kerberos/SPNEGO and interestingly, the domain is then populated in the webseal credential attributes. That to me suggests that webseal is able to determine the AD domain, but the problem of course is that the ISVA LDAP registry would need to include the domain qualified names for all users as well, otherwise login fails. It would have been great if a feature similar to this could be turned on, but with the sole purpose of populating the domain as a webseal credential attribute, and not requiring the principal on ISVA LDAP to also contain the domain

Thanks.

------------------------------
Martin van der Wel

Original Message:
Sent: Wed October 04, 2023 10:29 PM
From: Scott Exton
Subject: AD User Domain Information with WebSEAL Kerberos SSO

Original Message:
Sent: 10/4/2023 7:23:00 AM
From: Martin van der Wel
Subject: RE: AD User Domain Information with WebSEAL Kerberos SSO

Hi Shane,

Thanks for the response and apologies, my query should have been more clear. This is indeed for a Windows Desktop authentication using SPNEGO/Kerberos configuration on WebSEAL. It is in the Security Verify Access STS component where we would like to determine the user's login domain.

I have looked at the credential viewer enabled on webseal after SPNEGO Kerberos login and see some interesting information including:

------------------------------
Martin van der Wel

Original Message:
Sent: Wed October 04, 2023 01:29 AM
From: Shane Weeden
Subject: AD User Domain Information with WebSEAL Kerberos SSO

Do you know if the attribute you want in the JWT is already part of the user's session credential? Use the ivcreds local application after performing authentication to find out. Also some parts of the question don't make sense, and require clarification, such as:

• "WebSEAL configured with Kerberos SSO". I presume you actually mean WebSEAL configured for Windows Desktop authentication using SPNEGO authentication? The terminology Kerberos SSO in ISAM documentation is typically used to refer to an integration on a WebSEAL Junction for sending Kerberos constrained delegation tokens to an IIS-hosted application. I couldn't imagine you would be using that and trying to use a JWT via a TFIM SSO junction at the same time. 
• "send this attribute to ISAM from WebSEAL". ISAM is the acronym for the former name of the entire product, which is now called IBM Security Verify Access. WebSEAL is a component of the product, as is the STS. 

------------------------------
Shane Weeden
IBM

Original Message:
Sent: Tue October 03, 2023 10:32 AM
From: Martin van der Wel
Subject: AD User Domain Information with WebSEAL Kerberos SSO

Hi,

Is it possible to get any AD domain related information to from WebSEAL to ISAM STS for a user who logged into WebSEAL configured with Kerberos SSO? Domain related information here could simply be the realm the user logged in with.

The use case we are looking to address is one where we would like to identify the AD domain the user logged in with and include that in a JWT token issued over a TFIMSSO junction. I would assume we should attempt to get the AD domain attribute into the stsuu, but we haven't found a way to even send this attribute to ISAM from WebSEAL.

We are using ISAM LDAP as a user registry.

Thanks

------------------------------
Martin van der Wel
------------------------------