Then we found our reverse proxy MFA was still trying to connect to the LDAP data source on SSL port 636. But in our condition, the LDAP still did not implement SSL, so we changed to the non-SSL port 389. It's working now.
But the question is: what is the detailed mechanism, i.e. why does MFA still need to connect to LDAP?
Original Message:
Sent: Tue September 26, 2023 04:52 PM
From: Shane Weeden
Subject: Device registration failed error after config follow MFA Deployment Cookbook
Please do not send such large pdweb.snoop files like this. Take the time to:
1. Have a look at them yourself, and do some investigation.
2. At least redact them so that PII and secrets are not included.
It is also very onerous for me to have to try and find your configuration errors from this large volume of information.
It appears that oauth-auth is not configured properly, since the PATCH call to SCIM to update the userPresence methods results in a login challenge:
2023-09-26-16:42:42.311+07:00I----- thread(169) trace.pdweb.snoop.client:1 /build/isam/src/i4w/pdwebrte/webcore/amw_snoop.cpp:164:
----------------------------------------
Thread 140552904365824; fd 257; local 10.15.2.6:444; remote 10.10.0.6:45144
Receiving 1384 bytes
PATCH /scim/Me?attributes=urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator:userPresenceMethods HTTP/1.1
X-FORWARDED-PROTO: https
X-FORWARDED-PORT: 444
X-Forwarded-For: 103.171.30.20:26945
X-Original-URL: /scim/Me?attributes=urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator:userPresenceMethods
Connection: keep-alive
X-AppGW-Trace-Id: c930329c4bc4ea2df17404f1f3646414
Host: identity.lab-idam.net
X-ORIGINAL-HOST: identity.lab-idam.net:444
Content-Length: 713
Accept: application/json
Authorization: bearer b25pfPiMuNbhR2t5kTnV
User-Agent: com.ibm.security.verifyapp
Content-Type: application/json
Accept-Encoding: gzip

{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"add","path":"urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator:userPresenceMethods","value":[{"keyHandle":"7a9b1f75-a14d-44eb-b1cb-be2e8aee4245.userPresence","algorithm":"SHA256withRSA","publicKey":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjU+pfItJoHd6FlhvmJk1vXRTsn8j1LQ+EDYvkgX23Le7tam8CHdb+4oLEmq4XVYavncx2DvpPhwBzi2Ggq0iJMiipDfijC3\/RQQf7GXhZnONeqjGOiOGvxe+SaIj7wlGauVN8i\/vTt9QU+oC7XGuYsYAW8iCQi9Z5eK215xB47RtOp94Sa092QiZmFANtLtZBifuhEKYqm7o1mwbXCCsFAtKYWS6f1aZwFSY2LtqHm+HVWqXeYLzCM5p5ZVRZczg9uY9V++wv6F12av4gf9WmS5SF1GxpGoRoX+8NMV+91BLEcs5cj2uRam2NuVmj8wI35Up28x+pi8PuQXvK2Fa6QIDAQAB","enabled":true}]}]}
----------------------------------------
2023-09-26-16:42:42.311+07:00I----- thread(169) trace.pdweb.snoop.client:1 /build/isam/src/i4w/pdwebrte/webcore/amw_snoop.cpp:190:
----------------------------------------
Thread 140552904365824; fd 257; local 10.15.2.6:444; remote 10.10.0.6:45144
Sending 433 bytes
HTTP/1.1 200 OK
content-length: 30
content-type: application/json
date: Tue, 26 Sep 2023 09:42:42 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
server: WebSEAL/10.0.1.0
x-frame-options: DENY
x-content-type-options: nosniff
cache-control: no-store
x-xss-protection: 1
content-security-policy: frame-ancestors 'none'
strict-transport-security: max-age=31536000; includeSubDomains
pragma: no-cache

{ "operation" : "login"}
------------------------------
Shane Weeden
IBM
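The symptom Shane points at in the trace above (a bearer-token API call answered with HTTP 200 and the WebSEAL body {"operation":"login"}) can be picked out of a pdweb.snoop trace mechanically. The script below is an added example, not part of the thread or of ISVA; it assumes the snoop layout seen above (entries separated by 40-dash lines, each starting with a "Thread ...; fd ...;" line and a "Receiving"/"Sending" line) and uses a constructed, redacted sample rather than the trace posted in the thread.

```python
import json
import re
# Constructed sample in pdweb.snoop layout; the bearer token is a placeholder, not the thread's.
SNOOP = """\
Thread 1; fd 257; local 10.15.2.6:444; remote 10.10.0.6:45144
Receiving 713 bytes
PATCH /scim/Me?attributes=urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator:userPresenceMethods HTTP/1.1
Authorization: bearer CONSTRUCTED-TOKEN

{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[]}
----------------------------------------
Thread 1; fd 257; local 10.15.2.6:444; remote 10.10.0.6:45144
Sending 433 bytes
HTTP/1.1 200 OK

{ "operation" : "login"}
----------------------------------------
Thread 2; fd 258; local 10.15.2.6:444; remote 10.10.0.7:45145
Receiving 90 bytes
GET /scim/Me HTTP/1.1
Authorization: bearer CONSTRUCTED-TOKEN
----------------------------------------
Thread 2; fd 258; local 10.15.2.6:444; remote 10.10.0.7:45145
Sending 60 bytes
HTTP/1.1 200 OK

{"id":"testuser"}
"""
ENTRY = re.compile(r"^Thread (\d+); fd (\d+);.*\n(Receiving|Sending) \d+ bytes\n", re.M)

def find_login_challenges(text):
    """Request lines of bearer-token API calls that got WebSEAL's {"operation":"login"} challenge."""
    pending, findings = {}, []
    for m in ENTRY.finditer(text):
        chunk = text[m.end():].split("-" * 40, 1)[0]             # HTTP text up to the next separator
        conn, direction = (m.group(1), m.group(2)), m.group(3)  # pair request/response by thread + fd
        head, _, body = chunk.strip("\n").partition("\n\n")
        if direction == "Receiving":                             # request from the mobile app
            bearer = re.search(r"^authorization:\s*bearer\b", head, re.I | re.M)
            pending[conn] = (head.splitlines()[0], bearer is not None)
            continue
        request_line, bearer = pending.pop(conn, ("<unmatched>", False))
        try:
            doc = json.loads(body)
        except ValueError:
            continue                                             # not JSON, so not a login challenge
        if bearer and isinstance(doc, dict) and doc.get("operation") == "login":
            findings.append(request_line)
    return findings
```

A non-empty result means the junction answered an OAuth-authenticated call with a form-login challenge rather than passing it through, which is the oauth-auth misconfiguration Shane describes.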
Original Message:
Sent: Tue September 26, 2023 06:13 AM
From: Andreas Victor
Subject: Device registration failed error after config follow MFA Deployment Cookbook
Hi Shane,
The testing results:
1. The QR code was displayed, and the tester's device was successfully registered.
2. The device was recorded and displayed in URL https://identity.lab-idam.net/mga/sps/mmfa/user/mgmt/html/mmfa/usc/manage.html
3. Then the tester gets an error. On the device with the IBM Verify mobile app installed, the error appears: Invalid Data Response (as in the capture below).
4. And in the pdweb.snoop (attached file) there is no indication about the Invalid Data Response.
Any advice, @Shane Weeden?
------------------------------
Andreas Victor
Original Message:
Sent: Tue September 26, 2023 01:34 AM
From: Shane Weeden
Subject: Device registration failed error after config follow MFA Deployment Cookbook
Not enough context. You never even said how far through the registration process you got (did you get a QR code to scan?).
I'd check the ISVA runtime logs, and turn on pdweb.snoop logging at WebSEAL and look for clues.
------------------------------
Shane Weeden
IBM
Original Message:
Sent: Mon September 25, 2023 12:43 AM
From: Andreas Victor
Subject: Device registration failed error after config follow MFA Deployment Cookbook
Poke @Shane Weeden
------------------------------
Andreas Victor
Original Message:
Sent: Fri September 22, 2023 12:09 AM
From: Andreas Victor
Subject: Device registration failed error after config follow MFA Deployment Cookbook
Poke @Jon Harry
------------------------------
Andreas Victor
Original Message:
Sent: Thu September 21, 2023 11:43 PM
From: Andreas Victor
Subject: Device registration failed error after config follow MFA Deployment Cookbook
Hi Community,
We are following the MFA Deployment Cookbook based on the URL below:
"https://community.ibm.com/community/user/security/blogs/jon-harry/2020/02/06/mobile-multi-factor-authentication-ibm-verify-mfa"
Our technical details are:
- domain: identity.lab-idam.net
- environment deploy in Azure Cloud
- ISVA version 10.0.1
- Policy server - with active runtime (1 server)
- Rev proxy/webseal (1 server) -- connected cluster with policy server
Then we have already finished these steps:
- Create and config rev proxy: Done
- Configure SCIM: Done
- Configure Oauth with definition AuthenticatorClient: Done
- Configure endpoints refer to wizard: Done
We are now at the point where we want to test MMFA authenticator registration, using the URL
"https://identity.lab-idam.net/mga/sps/mmfa/user/mgmt/html/mmfa/usc/manage.html"
But the tester's device is not registered yet; it fails with error message HTTP 500.
Is there any advice, fellas?
Thanks
------------------------------
Andreas Victor
------------------------------