IBM Security Verify

  • 1.  client-identifier for specific application

    Posted Wed October 04, 2023 06:59 AM

    Hi All,

    We have currently configured "client-identifier = CLIENT_IP" which works and is required due to security compliance.

    But after integrating Outlook with ISAM we are facing issues where, when the user changes his network, he has to close and log in again in Outlook since the IP gets changed due to the user hopping on multiple networks.

    May I know if there is any way we can bypass IP validation for specific applications?

    Regards,

    Mayur



    ------------------------------
    mayur boob
    ------------------------------


  • 2.  RE: client-identifier for specific application

    Posted Wed October 04, 2023 04:59 PM

    Mayur,

     

    Unfortunately there is no way to bypass client verification for specific applications/URLs.  It is a global setting.

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor







  • 3.  RE: client-identifier for specific application

    Posted Wed October 04, 2023 09:47 PM

    Thank you Scott for the update.



    ------------------------------
    mayur boob
    ------------------------------



  • 4.  RE: client-identifier for specific application

    Posted Mon October 09, 2023 10:09 AM

    Hi @Scott Exton,

    Right now we are stuck with the Outlook application due to the behavior of the IP getting changed due to the user connecting to a different access point, and Verify Access shows error 403.

    Is there any way I can clear the session of the user from DSC post-authentication?

    1. User authenticates via ISAM.
    2. ISAM generates a SAML token and passes it on to the application.
    3. ISAM removes the user session from DSC once the token is passed to the application via infomap or any other way.

    Or is there any other way I can remove the user session once the token is passed to the application?



    ------------------------------
    mayur boob
    ------------------------------



  • 5.  RE: client-identifier for specific application

    Posted Mon October 09, 2023 03:58 PM

    Maya,

     

    What do you mean by 'clear the session of the user'?  Are you talking about a complete logout of the user session so that they are forced to authenticate again?

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor







  • 6.  RE: client-identifier for specific application

    Posted Mon October 09, 2023 09:27 PM

    Hi Scott,

    Yes, once the session is created and the SAML token is passed to the application, we then want to log out the user, so that if there is any change in IP address the user will be challenged with authentication.



    ------------------------------
    mayur boob
    ------------------------------



  • 7.  RE: client-identifier for specific application

    Posted Tue October 10, 2023 01:54 AM

    Mayur,

     

    There are numerous ways available to programmatically log out a user (e.g. if you are using the DSC you can issue a DSC administration request, otherwise you can use pdadmin or an EAI) – however, I don't fully understand how this is going to help you?  Are you suggesting that you want to provide the user an opportunity to log in again when their IP address changes, rather than returning a 403?

     

    Thanks.

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor
