Mayur,
There are numerous ways available to programmatically log out a user (e.g. if you are using the DSC you can issue a DSC administration request, otherwise you can use pdadmin or an EAI) – however, I don't fully understand how this is going to help you? Are you suggesting that you want to provide the user an opportunity to log in again when their IP address changes, rather than returning a 403?
Thanks.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Original Message:
Sent: 10/9/2023 9:27:00 PM
From: mayur boob
Subject: RE: client-identifier for specific application
Hi Scott,
Yes, once the session is created and the SAML token is passed to the application, we want to log out the user, so that if there is any change in IP address the user will be challenged with authentication.
------------------------------
mayur boob
------------------------------
Original Message:
Sent: Mon October 09, 2023 03:57 PM
From: Scott Exton
Subject: client-identifier for specific application
Maya,
What do you mean by 'clear the session of the user'? Are you talking about a complete logout of the user session so that they are forced to authenticate again?
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Original Message:
Sent: 10/9/2023 10:09:00 AM
From: mayur boob
Subject: RE: client-identifier for specific application
Hi @Scott Exton,
Right now we are stuck with the Outlook application due to the behavior of the IP getting changed when the user connects to a different access point, and Verify Access shows error 403.
Is there any way I can clear the session of the user from DSC post-authentication?
- User authenticates via ISAM.
- ISAM generates a SAML token and passes it on to the application.
- ISAM removes the user session from DSC once the token is passed to the application via infomap or any other way.
Or is there any other way I can remove the user session once the token is passed to the application?
------------------------------
mayur boob
Original Message:
Sent: Wed October 04, 2023 04:59 PM
From: Scott Exton
Subject: client-identifier for specific applicaiton
Mayur,
Unfortunately there is no way to bypass client verification for specific applications/URLs. It is a global setting.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Original Message:
Sent: 10/4/2023 6:59:00 AM
From: mayur boob
Subject: client-identifier for specific application
Hi All,
We have currently configured "client-identifier = CLIENT_IP" which works and is required due to security compliance.
But after integrating Outlook with ISAM we are facing issues where, when the user changes his network, he has to close Outlook and log in again, since the IP gets changed due to the user hopping between multiple networks.
May I know if there is any way we can bypass IP validation for specific applications?
Regards,
Mayur
------------------------------
mayur boob
------------------------------