IBM Verify

  • 1.  Get value of attribute 'AZN_CRED_AUTH_METHOD' for user mapping rule

    Posted Wed September 21, 2022 09:07 AM
    Hi Guys, 

    For my user mapping rule I need the value of the attribute 'AZN_CRED_AUTH_METHOD'. For example, if a user authenticates via SSL Client Certificate, the value of AZN_CRED_AUTH_METHOD is "ssl".

    I used the following code line, but unfortunately I didn't get the right value:

    <xsl:variable name='credMethod' select="stsuuser:Attribute[@name='attr:AZN_CRED_AUTH_METHOD']/stsuuser:Value"/>

    Is it not possible for a user name mapping rule to get the value of AZN* attributes?

    Best regards
    Thomas


    ------------------------------
    Thomas Renner
    ------------------------------


  • 2.  RE: Get value of attribute 'AZN_CRED_AUTH_METHOD' for user mapping rule

    Posted Thu September 22, 2022 03:08 AM
    Hi Thomas,

    I think the XML UMI document model is applicable in your client cert authentication use case.
    Please carefully read this page (or the one for the release you're using): https://www.ibm.com/docs/en/sva/10.0.4?topic=introduction-umi-xml-document-model

    It contains this example XPath to get the Version out of the certificate:
    "/XMLUMI/stsuuser:STSUniversalUser/stsuuser:AttributeList/stsuuser:Attribute[@name='Version']/stsuuser:Value"

    Please also take a look at the example on this page:
    https://github.com/IBM-Security/isam-support/blob/master/config-example/webseal/user-name-mapping/realm-usermapping.xsl

    Hope this helps. If not - I did my best :-)

    Cheers, Peter.


    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 3.  RE: Get value of attribute 'AZN_CRED_AUTH_METHOD' for user mapping rule

    Posted Thu September 22, 2022 04:57 PM

    Thomas,

    Unfortunately, the user mapping rule is executed immediately after the authentication operation, but before the credential is created.  This means that the standard credential information (which includes AZN_CRED_AUTH_METHOD) is not available to the user mapping rule.  The full list of data which is made available to the user mapping rule can be found in the documentation: https://www.ibm.com/docs/en/sva/10.0.4?topic=mapping-valid-user-attributes.  It looks like you should be able to use the 'method' attribute to determine the method which authenticated the user.

    I hope that this helps.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access
    IBM Master Inventor


  • 4.  RE: Get value of attribute 'AZN_CRED_AUTH_METHOD' for user mapping rule

    Posted Fri September 23, 2022 08:50 AM
    As Scott pointed out, we use method for this today.  The two values I found were "LDAP Registry" for username/password and "SSL Client Certificate" for x509.  I can't recall how I figured those values out, likely tracing things.  I'm not sure if there are other values that you use for other purposes.

    So basically
    <xsl:variable name="method"><xsl:value-of select="stsuuser:Attribute[@name='method']/stsuuser:Value"/></xsl:variable>

    Then testing the value of $method as needed.

    Matt

    ------------------------------
    Matt Jenkins
    ------------------------------



  • 5.  RE: Get value of attribute 'AZN_CRED_AUTH_METHOD' for user mapping rule

    Posted Fri September 23, 2022 09:15 AM
    Hi @ all, 

    We have already used the "method" in the user mapping rule; however, we didn't get the relevant authentication mechanism. Our current use case is that we have a Reverse Proxy as a native OIDC Relying Party to a foreign IdP which is responsible for the authentication. In this case the AZN_CRED_AUTH_METHOD has the value "OIDC".

    Unfortunately, the above-mentioned "method" cannot provide any value, so we got "NOT FOUND".  That's why I was asking for this AZN_CRED_AUTH_METHOD, because I didn't find any other information to determine the authentication method in the following case.

    Best regards
    Thomas

    ------------------------------
    Thomas Renner
    ------------------------------



  • 6.  RE: Get value of attribute 'AZN_CRED_AUTH_METHOD' for user mapping rule

    Posted Fri September 23, 2022 10:18 AM
    Have you tried turning trace up to 9 on trace.pd.cas.usermap and then trying the flow?  I have an example of where I did that a while back and it dumps the entire STSUU document where you can see all the available attributes.

    Maybe there could be a clue with a different attribute?

    So I take it in your usermap you need to know if the auth method was oidc so you can tell if the user is authenticating to the WRP/webseal as a federated/oidc user?  If so, it seems like you may end up having to use an EAI/InfoMap for whatever logic you need to do based on that attribute :(

    ------------------------------
    Matt Jenkins
    ------------------------------
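
The attribute lookup that posts 4 to 6 above talk about, as an added example that is not part of this thread and not IBM's code: a small Python script that applies the same namespace-qualified path Matt's `xsl:variable` uses to two constructed UMI documents, one for a client-certificate login where `method` is present and one for the OIDC relying-party flow where it is absent, and also lists every attribute name in the document the way a level-9 `trace.pd.cas.usermap` dump lets you read them off. The `stsuuser` namespace URI, the attribute names and values in the sample documents, and the `classify_auth` labels are assumptions made for the example; only the element path and the two `method` values Matt reported come from the thread.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Prefix used by the stsuuser:* elements in the thread's XPath expressions.
# The namespace URI is an assumption for this example; it is not on the page.
NS = {"stsuuser": "urn:ibm:names:ITFIM:1.0:stsuuser"}

# Constructed document skeleton laid out along the path quoted in the thread:
# /XMLUMI/stsuuser:STSUniversalUser/stsuuser:AttributeList/stsuuser:Attribute
UMI_TEMPLATE = """<XMLUMI>
  <stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
    <stsuuser:AttributeList>
{attributes}
    </stsuuser:AttributeList>
  </stsuuser:STSUniversalUser>
</XMLUMI>"""


def build_umi(attributes):
    """Build a constructed UMI document from a dict of attribute name -> value."""
    rows = "\n".join(
        f'      <stsuuser:Attribute name="{escape(name)}">'
        f"<stsuuser:Value>{escape(value)}</stsuuser:Value></stsuuser:Attribute>"
        for name, value in attributes.items()
    )
    return UMI_TEMPLATE.format(attributes=rows)


# Client-certificate login: 'method' is present, with the value Matt observed.
# Other attributes are illustrative sample data, not captured from a system.
CERT_AUTH_DOC = build_umi({
    "method": "SSL Client Certificate",
    "Version": "3",
    "SubjectCN": "trenner",
})

# OIDC relying-party flow: no 'method' attribute at all, which is the case in
# which Thomas saw "NOT FOUND". The attributes that remain are assumptions.
OIDC_DOC = build_umi({
    "username": "trenner",
    "email": "trenner@example.com",
})


def attribute_value(doc_xml, name, default="NOT FOUND"):
    """Python equivalent of the XSLT select
    stsuuser:Attribute[@name='<name>']/stsuuser:Value evaluated against the
    AttributeList. Returns `default` when the attribute is missing, so the
    OIDC case is handled instead of raising."""
    root = ET.fromstring(doc_xml)
    node = root.find(
        "stsuuser:STSUniversalUser/stsuuser:AttributeList/"
        f"stsuuser:Attribute[@name='{name}']/stsuuser:Value",
        NS,
    )
    if node is None or node.text is None:
        return default
    return node.text


def available_attributes(doc_xml):
    """Every attribute name in the list: the inventory a trace dump of the
    STSUU document exposes, useful for spotting an alternative to 'method'."""
    root = ET.fromstring(doc_xml)
    return sorted(
        attr.get("name")
        for attr in root.findall(
            "stsuuser:STSUniversalUser/stsuuser:AttributeList/stsuuser:Attribute",
            NS,
        )
    )


# The two 'method' values Matt reported, mapped to labels chosen for this example.
METHOD_LABELS = {
    "LDAP Registry": "password",
    "SSL Client Certificate": "x509",
}


def classify_auth(doc_xml):
    """Test $method the way the mapping rule would, defaulting to 'unknown' so
    a missing attribute is never silently treated as a password login."""
    return METHOD_LABELS.get(attribute_value(doc_xml, "method"), "unknown")


if __name__ == "__main__":
    for label, doc in (("cert", CERT_AUTH_DOC), ("oidc", OIDC_DOC)):
        print(label, attribute_value(doc, "method"), classify_auth(doc),
              available_attributes(doc))
```

The point of the `default` argument and the `"unknown"` branch is the failure mode Thomas hit: a rule that reads `method` and then branches on `$method = 'LDAP Registry'` versus anything else would quietly put an OIDC-authenticated user on the wrong path, so the missing-attribute case gets its own explicit outcome.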