IBM Security Verify


Custom header and transformation - (Active Directory Attribute)

  • 1.  Custom header and transformation - (Active Directory Attribute)

    Posted Thu May 26, 2022 03:45 AM
    We have a federated active directory on version 10.0.0.2. We see the users in Policy Administration, but we don't have an attribute that we can use as user id other than the user principal name (which is a mail address). The iv-user therefore comes in as firstname.lastname@domain.com.

    How can we define a custom header, let's say ABC_USER, which has the value firstname.lastname@domain.com? We also need to transform this header value, so that it only contains the firstname.lastname and the domain name is dropped. I am aware that the value for iv-user cannot be changed, so we are trying to insert a custom header, which could be consumed by the application.

    I have gone through some of the documentation for this, but the examples are lacking.

    ------------------------------
    Giriraj Dave
    ------------------------------


  • 2.  RE: Custom header and transformation - (Active Directory Attribute)

    Posted Thu May 26, 2022 04:06 AM
    Hi Giriraj,

    If your connection from AD was a federation (SAML etc.) connection then it would be relatively simple to create an additional attribute in the credential using the SP JavaScript mapping rule. However, it looks like your Active Directory is a federated directory... with Verify Access reading it directly over LDAPS.

    In that case, I don't think there is an opportunity to perform any attribute manipulation during the login process... so, unless there is a suitable attribute already in the AD user record, you'd have to split this into two actions:
    1) Add an HTTP header using the user principal - this can be done with HTTP Tag Value or in the configuration file
    2) Use an XSLT HTTP Transformation Rule on the response to modify the header value (remove the domain suffix).

    For (1), use the [header-names] stanza - that's the easiest approach.  For example, use this line:
    credattr{AZN_CRED_PRINCIPAL_NAME} = X-Principal
    to add the X-Principal header.
    If you want to only send to a single junction, add an extended attribute to the junction object with:
    name: HTTP-Tag-Value
    value: AZN_CRED_PRINCIPAL_NAME=X-Principal

    For (2), you need to write an XSLT rule.  This can be tricky but there are examples here:
    https://github.com/IBM-Security/isam-support/tree/master/config-example/webseal/http-transformations/response
    This one looks close to what you need:
    https://github.com/IBM-Security/isam-support/blob/master/config-example/webseal/http-transformations/response/response-modify-header.xslt

    I hope this helps.

    Jon.


    ------------------------------
    Jon Harry
    Senior Technical Sales Enablement Specialist
    Identity and Access Management
    IBM Technology, Worldwide
    ------------------------------



  • 3.  RE: Custom header and transformation - (Active Directory Attribute)

    Posted Thu May 26, 2022 12:14 PM
    Hi Jon, thanks very much for your reply and time. I put in the credattr{AZN_CRED_PRINCIPAL_NAME} = X-Principal and now I see that header in the backend. Since we use WebSphere as the backend, I am able to use the snoop servlet to see what's being received.

    Two really dumb questions:

    1) I believe the answer to this would be a resounding no, but I will still ask, can we name our custom header as iv-user? This is coming from our appdev team, the reason being so that they won't have to make any changes in the backend. They would have to make changes to use "x-principal".

    2) You mentioned earlier that we need to use the XSLT Transformation Rule on the response... when I go to Web -> HTTP Transformation and try and create a new file, would that be of Template "Request" or "Response"? I thought earlier that we would have to modify the request header and not the response?

    Also, yes, you are correct, we just have AD as the federated directory with SVA directly accessing it - I also have a minor question around it. For the existing domain, we have a TDI assembly copying internal users from AD to IBM SDS. If we go the federated directory route for the new domain, we can avoid TDI altogether? Would that be a correct statement?

    Thanks again for your help. I will try out the XSLT thing (we don't have any experience around it)...will let you know how that goes.

    ------------------------------
    Giriraj Dave
    ------------------------------



  • 4.  RE: Custom header and transformation - (Active Directory Attribute)

    Posted Fri May 27, 2022 09:18 AM
    Hi Giriraj,

    >> can we name our custom header as iv-user?
    You can't override the iv-user header.  I'm not even sure you can modify it with transformation rules. @Nick Lloyd will know.

    >> You mentioned earlier that we need to use the XSLT Transformation Rule on the response...when I go to Web -> HTTP Transformation and try and create a new file, would that be of Template "Request" or "Response"? I thought earlier that we would have to modify the request header and not response?
    I was wrong. You would need to create a request template to modify the request... since you want to add/change a header in the request going to the junction. Not sure how I confused myself on that.


    >>  If we go the federated directory route for the new domain, we can avoid TDI altogether? Would that be a correct statement?
    If you set up AD as a federated directory *and* enable "basic users", you wouldn't need to use TDI.  When using basic users, there's no need to perform the "import" operation on users to make them visible to Verify Access - the native user object is read directly from AD.  Note that groups you want to use for access control still need to be imported... but usually that is a shorter and mostly static set.

    Jon.

    ------------------------------
    Jon Harry
    Senior Technical Sales Enablement Specialist
    Identity and Access Management
    IBM Technology, Worldwide
    ------------------------------
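    The two-step approach from reply 2, with the correction from reply 4 that the rule belongs in a Request template, as an added example (not code from this thread or from the IBM isam-support repository). It assumes WebSEAL hands the rule an HTTPRequest document containing Headers/Header elements with a name attribute, accepts an HTTPRequestChange document with Header action="update" in return, and that the X-Principal header injected via [header-names] is already visible to the rule at that point; the header name X-Principal is the one used earlier in the thread.

    ```xml
    <?xml version="1.0" encoding="UTF-8"?>
    <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
      <xsl:output method="xml" omit-xml-declaration="yes" indent="yes"/>
      <xsl:strip-space elements="*"/>

      <!-- Header injected by credattr{AZN_CRED_PRINCIPAL_NAME} = X-Principal (assumed name). -->
      <xsl:variable name="hdr" select="'X-Principal'"/>

      <!-- Request template: WebSEAL supplies the request as an HTTPRequest document
           and applies whatever is listed in the HTTPRequestChange we return. -->
      <xsl:template match="/HTTPRequest">
        <HTTPRequestChange>
          <!-- Header names are compared case-insensitively, so X-Principal and x-principal both match. -->
          <xsl:for-each select="Headers/Header[translate(@name,
                                 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
                                 'abcdefghijklmnopqrstuvwxyz') = 'x-principal']">
            <!-- Only rewrite when a domain suffix is actually present; otherwise
                 the header is left untouched rather than replaced with an empty value. -->
            <xsl:if test="contains(., '@')">
              <Header action="update" name="{$hdr}">
                <!-- firstname.lastname@domain.com -> firstname.lastname -->
                <xsl:value-of select="substring-before(., '@')"/>
              </Header>
            </xsl:if>
          </xsl:for-each>
        </HTTPRequestChange>
      </xsl:template>
    </xsl:stylesheet>
    ```

    After attaching the rule to the junction, the WebSphere snoop servlet mentioned in reply 3 is a quick way to confirm that X-Principal now arrives without the domain part.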



  • 5.  RE: Custom header and transformation - (Active Directory Attribute)