Hi Sander,
I'd use the runtime database for this:
- both the cookie and its expiration time are in the same store then, which is a natural thing and also easier to understand.
- changing the code so that the expiration time is also stored is easy, as it is similar to storing the cookie, versus figuring out how to store the expiration time in an LDAP.
- ISAM stores custom attributes in the runtime database - not in an LDAP.
So: doing something similar but storing data in an LDAP would require a lot more effort; better use what ISAM offers "out of the box" for managing custom attributes.
Kind regards, Peter
------------------------------
Peter Volckaert
Sales Engineer
IBM Security
------------------------------
Original Message:
Sent: 11-21-2018 03:35 AM
From: Sander Meyfroot
Subject: Device registration with browser fingerprint no expiration in ISAM
Hello Peter,
Thank you for your answer. I was also thinking about this but I was wondering if there was some built-in functionality in ISAM to do this.
I think this should also be possible to do with the advanced access control. Do you think it is more interesting to use this runtime database for storing those custom attributes, or do you think it would be useful to create a subtree in the ISAM LDAP to store those custom attributes (since this is all custom development then)?
thank you,
best regards,
Sander Meyfroot
------------------------------
Sander Meyfroot
Original Message:
Sent: 11-20-2018 16:35
From: Peter Volckaert
Subject: Device registration with browser fingerprint no expiration in ISAM
Hi Sander,
My 2 cents: similar to the fingerprintcookie attribute you could introduce another attribute fingerprintcookie-expirationtime, which is then set to the expiration time of the fingerprint cookie. That would then allow you to run a script that would loop over all device fingerprints and delete the ones that have expired fingerprint cookies.
There is a set of REST APIs that allow you to do that: see below screenshot:
"Retrieve a list of device fingerprints" is likely the one you're interested in.
Details of these APIs can be found in the documentation downloads on the appliance itself.
Hope this helps.
Kind regards, Peter
------------------------------
Peter Volckaert
Sales Engineer
IBM Security
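
The selection step of the cleanup script suggested in the message above, as an added example that is not part of the original post and is not IBM's code. The record shape (`id`, `attributes`) and the ISO 8601 timestamp format are assumptions; the actual REST calls to list and delete fingerprints are left out because their details are in the appliance documentation.

```python
from datetime import datetime, timedelta, timezone

# Attribute name proposed in the thread; the record shape and the ISO 8601
# timestamp format are assumptions made for this example.
EXPIRY_ATTR = "fingerprintcookie-expirationtime"

def parse_expiry(value):
    """Return an aware UTC datetime, or None if missing or malformed."""
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # assumption: naive values are UTC
    return ts.astimezone(timezone.utc)

def classify(devices, now, grace=timedelta(minutes=5)):
    """Split device ids into (expired, review, active).

    Records without a usable expiry go to 'review' rather than 'expired',
    so devices registered before the attribute existed are not silently
    deleted or silently kept forever.
    """
    expired, review, active = [], [], []
    for dev in devices:
        expiry = parse_expiry((dev.get("attributes") or {}).get(EXPIRY_ATTR))
        if expiry is None:
            review.append(dev["id"])
        elif expiry + grace <= now:  # grace absorbs clock skew
            expired.append(dev["id"])
        else:
            active.append(dev["id"])
    return expired, review, active

# Constructed sample records, not real ISAM output.
SAMPLE_DEVICES = [
    {"id": "d1", "attributes": {EXPIRY_ATTR: "2018-11-20T16:35:00Z"}},
    {"id": "d2", "attributes": {EXPIRY_ATTR: "2019-01-01T00:00:00+00:00"}},
    {"id": "d3", "attributes": {"fingerprintcookie": "constructed-value"}},
    {"id": "d4", "attributes": {EXPIRY_ATTR: "not-a-date"}},
    {"id": "d5", "attributes": {EXPIRY_ATTR: "2018-11-21T11:58:00Z"}},
]

if __name__ == "__main__":
    now = datetime(2018, 11, 21, 12, 0, tzinfo=timezone.utc)
    print(classify(SAMPLE_DEVICES, now))
```

Only the ids in the first list would be passed to the delete call; the second list is for fingerprints that need a manual decision.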
Original Message:
Sent: 11-19-2018 11:05
From: Sander Meyfroot
Subject: Device registration with browser fingerprint no expiration in ISAM
Hello,
we want to use the persistent login described here:
Risked-Based Access with Persistent Cookie Device Fingerprint - Shane Weeden's Blog
We have set up this part.
It is important for us that if the persistent cookie expires in the browser it is also removed from the ISAM runtime database that contains the browser fingerprint information.
Right now ISAM does not expire the fingerprint. The value stays valid even if the browser has discarded the information. There is no cleanup. When checking the API documentation there is also no expiry attribute returned when getting the linked devices.
Is it possible to add an attribute in the database so that the cookie fingerprint value also expires in the appliance?
thank you,
Best regards,
Sander Meyfroot
------------------------------
Sander Meyfroot
------------------------------