Hi Ramu
As discussed, I am elaborating the issue and solution here so that it could be used as a reference if someone needs it.
User flow:
1. User accesses an SP-initiated URL (https://abc.com).
2. The request goes through a LB and hits the SP.
3. The SP now redirects the user, using its SAML data, to the IDP (https://webseal1.com/mga/sps/saml/saml20/logininitial?RequestBinding=HTTPPost&PartnerID=abc).
5. The auth policy is configured and invoked here as per your requirement (https://webseal1.com/mga/sps/authsvc/policy/MyOrgUserPasswordPolicy?Target=https://webseal1.com/mga/sps/auth).
6. A login page is displayed from the AAC which prompts the user to enter uid/password.
Requirement: You want to invoke branding here so that you can throw a customized logon page based on the SP.
Solution:
a. Create an additional Partner (e.g. abc2) in ISVA for the same SP and share this new metadata with your SP.
b. Now you have 2 partner IDs (say abc and abc2) for the same federation.
c. Create an ACL that denies access to everyone and attach it to the additional Partner (abc2).
d. Now in step "3" of the above user flow a user will be redirected to AAC's default "Not authorized" page due to the ACL. Now customize this "Not Authorized" page to read the URL and, if it contains "abc2", auto-redirect to your custom login page (create your custom branded HTML page with your CSS in the AAC template files).
e. The custom login page is displayed to the user for the partner id "abc2".
Thanks
Aditya
------------------------------
Aditya Puvvala
------------------------------
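The page-side part of the solution above, as an added example that is not Aditya's code and not a template shipped with ISVA: a script for the customised "Not Authorized" page that reads the PartnerID from the current URL and forwards the browser to a fixed, branded login page. The partner id "abc2" comes from the thread; the template path is a constructed placeholder. The redirect destination is always taken from a server-side table keyed by partner id, never from the URL itself, so the page cannot be turned into an open redirect.

```javascript
// Added example (not from the thread, not an IBM ISVA template).
// Map of partner ids to branded login pages. The path is a constructed
// placeholder; in a real deployment it points at the branded HTML page
// stored in the AAC template files.
const BRANDED_LOGIN = {
  abc2: "/mga/sps/static/abc2/login.html",
};

// Return the branded login page for the PartnerID found in `href`, or null
// when there is none. Both spellings seen in the thread (PartnerID and
// PartnerId) are accepted. Only a value from BRANDED_LOGIN is ever
// returned, so the URL can select a page but never supply a destination.
function brandedLoginFor(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null; // not an absolute URL: nothing to match
  }
  const partner =
    url.searchParams.get("PartnerID") || url.searchParams.get("PartnerId");
  if (!partner) return null;
  return Object.prototype.hasOwnProperty.call(BRANDED_LOGIN, partner)
    ? BRANDED_LOGIN[partner]
    : null;
}

// In the template page this runs in the browser; the guard lets the same
// file be loaded outside one without error. Partners without a branded page
// (for example "abc") keep seeing the default "Not Authorized" page.
if (typeof window !== "undefined" && window.location) {
  const dest = brandedLoginFor(window.location.href);
  if (dest) window.location.replace(dest);
}
```

Because the ACL on the abc2 partner denies everyone, the only way a user reaches this page for abc2 is through the SP's own redirect, which is what makes the PartnerID in the URL a usable branding selector.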
Original Message:
Sent: Fri June 28, 2024 09:53 AM
From: Ramu Pedada
Subject: Capture initial referrer header and parameters in SP initiated saml flow in an infomap
Hi Laurent,
Thank you for your response. Missing that parameter/header was a typo by me. Thanks for pointing it out. I just tried a few things already, as follows:
1. https://logon.rese.colruytgroup.com/mga/sps/SAML-default/saml20/logininitial?RequestBinding=HTTPPost&PartnerId=https://idm.rese.colruytgroup.com/identityiq/ => 302
2. https://logon.rese.colruytgroup.com/mga/sps/auth => 302(user unauthenticated)
3. https://logon.rese.colruytgroup.com/mga/sps/authsvc/policy/colruytUserPasswordPolicy?Target=https://logon.rese.colruytgroup.com/mga/sps/auth => 200 and serves logon page
4. https://logon.rese.colruytgroup.com/mga/sps/authsvc/policy/colruytUserPasswordPolicy?StateId=dqSYl3IBTaZ38AIsIKK5XyWORKIMZg9aMjrWpEo7M1tWExxJy49YeyShjhbH => 302 logon form post and this contains the referrer header
Infomap:
// Query parameters of the current request; context.get returns null when the parameter is absent
var partnerid = context.get(Scope.REQUEST, "urn:ibm:security:asf:request:parameter", "PartnerId");
var target = context.get(Scope.REQUEST, "urn:ibm:security:asf:request:parameter", "Target");
// Referer header of the current request (the previous URL in the redirect chain)
var referrer = context.get(Scope.REQUEST, "urn:ibm:security:asf:request:header", "Referer");
logmsg(MAPPING_RULE_NAME, "DEBUG", "====== partnerid: " + partnerid);
logmsg(MAPPING_RULE_NAME, "DEBUG", "====== target: " + target);
logmsg(MAPPING_RULE_NAME, "DEBUG", "====== referrer: " + referrer);
Infomap output:
DEBUG: ====== partnerid: null
DEBUG: ====== target: null
DEBUG: ====== referrer: https://logon.rese.colruytgroup.com/mga/sps/authsvc/policy/colruytUserPasswordPolicy?Target=https://logon.rese.colruytgroup.com/mga/sps/auth
I understand that "PartnerId" in step 1 and "Target" in step 3 are query parameters that are not part of the request. That is why those are printed as null.
a) Is there a way to capture query parameters of a request in infomap?
b) Additional question, can we capture the original request(step1 in this case) in an infomap somehow?
------------------------------
Ramu Pedada
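What the infomap output above shows is that by the time the mapping rule runs, the original query parameters are gone from the request and survive only inside the Referer URL. The following is an added example, not code from this thread and not part of IBM's ISVA product: it models the context.get(Scope.REQUEST, namespace, name) call with a constructed stand-in context, and shows a lookup that tries the current request first and then parses the Referer header's query string, returning where the value came from. The only assumption about ISVA is the get() signature used in the thread; the stand-in's case-insensitive header matching is the stand-in's choice, not a statement about ISVA.

```javascript
// Added example (not from the thread, not the ISVA API itself).
const Scope = { REQUEST: "REQUEST" };
const NS_PARAM = "urn:ibm:security:asf:request:parameter";
const NS_HEADER = "urn:ibm:security:asf:request:header";

// Constructed stand-in for the ISVA mapping-rule context. `params` are the
// query parameters of the current request, `headers` its request headers.
// Header names are matched case-insensitively here; that is this stand-in's
// behaviour, the thread does not establish what ISVA does.
function makeContext(params, headers) {
  const lowerHeaders = {};
  for (const k of Object.keys(headers)) lowerHeaders[k.toLowerCase()] = headers[k];
  return {
    get(scope, ns, name) {
      if (scope !== Scope.REQUEST) return null;
      if (ns === NS_PARAM) {
        return Object.prototype.hasOwnProperty.call(params, name) ? params[name] : null;
      }
      if (ns === NS_HEADER) {
        const v = lowerHeaders[name.toLowerCase()];
        return v === undefined ? null : v;
      }
      return null;
    },
  };
}

// Parse the query string of a URL into an object keyed by lower-cased
// parameter name (PartnerId and PartnerID both occur in the thread).
// Returns {} for a missing or unparsable URL. Unencoded "https://" inside
// a value, as in Target=https://.../mga/sps/auth, is handled by URL().
function queryParams(url) {
  const out = {};
  if (!url) return out;
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return out;
  }
  for (const [k, v] of parsed.searchParams) out[k.toLowerCase()] = v;
  return out;
}

// Look `name` up on the current request first; if absent, fall back to the
// query string of the Referer header. The result records the source so a
// rule can treat a Referer-derived value with the trust it deserves: the
// header is client-supplied and may be missing or stripped entirely.
function lookupParam(context, name) {
  const direct = context.get(Scope.REQUEST, NS_PARAM, name);
  if (direct !== null) return { value: direct, source: "request" };
  const referer = context.get(Scope.REQUEST, NS_HEADER, "Referer");
  const fromReferer = queryParams(referer);
  const key = name.toLowerCase();
  if (Object.prototype.hasOwnProperty.call(fromReferer, key)) {
    return { value: fromReferer[key], source: "referer" };
  }
  return { value: null, source: "none" };
}

// Constructed scenario matching the thread's logged output: the policy is
// invoked with StateId only, and the Referer is the earlier policy URL that
// still carries Target. Host names are placeholders.
const sampleContext = makeContext(
  { StateId: "constructed-state-id" },
  { Referer: "https://logon.example.com/mga/sps/authsvc/policy/UserPasswordPolicy?Target=https://logon.example.com/mga/sps/auth" }
);
console.log(lookupParam(sampleContext, "Target"));    // found in the Referer
console.log(lookupParam(sampleContext, "PartnerId")); // not recoverable here
```

Note that in the thread's own flow the Referer only reaches back one hop, to the policy URL, so PartnerId from step 1 is still not recoverable this way; that is why the branding answer above works from the partner-specific URL before the redirect chain starts rather than from the Referer afterwards.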
Original Message:
Sent: Thu June 27, 2024 03:01 AM
From: Laurent LA Asselborn
Subject: Capture initial referrer header and parameters in SP initiated saml flow in an infomap
Hi Ramu,
If you wanted to get a parameter of the request URL you would have to do a call like this:
context.get(Scope.REQUEST, "urn:ibm:security:asf:request:parameter", paramName)
You are missing the "parameter".
But this would still return null as the login_hint is not part of the request URL. The only parameter is "Target". You have to look up the referer:
context.get(Scope.REQUEST, "urn:ibm:security:asf:request:header", "Referer");
I'm not sure if the headers are case-sensitive.
------------------------------
Laurent LA Asselborn
Original Message:
Sent: Wed June 26, 2024 02:27 PM
From: Ramu Pedada
Subject: Capture initial referrer header and parameters in SP initiated saml flow in an infomap
Greetings,
Could you help me capture the initial referrer header and its query parameters in an SP-initiated SAML flow. The request flow is as follows:
1. https://login.service.imperva.com/sso/idps/0oad0GLTCEX5d7?login_hint=ramu.pedada@myorg.com
2. https://logon.myorg.com/mga/sps/SAML-default/saml20/login (302 - as the user is unauthenticated)
3. https://logon.myorg.com/mga/sps/auth (302 - as the user is still unauthenticated)
4. https://logon.myorg.com/mga/sps/authsvc/policy/UserPasswordPolicy?Target=https://logon.myorg.com/mga/sps/auth
I would like to use the initial referrer header and query parameters in step 4 in a mapping rule of the UserPasswordPolicy authentication policy. Is there a way I could capture them? When I tried to do context.get(Scope.REQUEST, "urn:ibm:security:asf:request", "login_hint"), I only got null. This could be because of multiple redirects before it hits the mapping rule.
------------------------------
Ramu Pedada
------------------------------