IBM Security Verify

  • 1.  Get value of attribute 'AZN_CRED_AUTH_METHOD' for user mapping rule

    Posted Wed September 21, 2022 09:07 AM
    Hi Guys, 

    For my user mapping rule I need the value of the attribute 'AZN_CRED_AUTH_METHOD'. For example, if the user authenticates via SSL Client Certificate, the value of AZN_CRED_AUTH_METHOD is "ssl".

    I used the following code line, but unfortunately I didn't get the right value:

    <xsl:variable name='credMethod' select="stsuuser:Attribute[@name='attr:AZN_CRED_AUTH_METHOD']/stsuuser:Value"/>

    Is it not possible for a user name mapping rule to get the value of AZN* attributes?

    Best regards
    Thomas


    ------------------------------
    Thomas Renner
    ------------------------------


  • 2.  RE: Get value of attribute 'AZN_CRED_AUTH_METHOD' for user mapping rule

    Posted Thu September 22, 2022 03:08 AM
    Hi Thomas,

    I think the XML UMI document model is applicable in your client cert authentication use case.
    Please carefully read this page (or the one for the release you're using): https://www.ibm.com/docs/en/sva/10.0.4?topic=introduction-umi-xml-document-model

    It contains this example XPath to get the Version out of the certificate:
    "/XMLUMI/stsuuser:STSUniversalUser/stsuuser:AttributeList/stsuuser:Attribute[@name='Version']/stsuuser:Value"

    Please also take a look at the example on this page:
    https://github.com/IBM-Security/isam-support/blob/master/config-example/webseal/user-name-mapping/realm-usermapping.xsl

    Hope this helps. If not - I did my best :-)

    Cheers, Peter.


    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 3.  RE: Get value of attribute 'AZN_CRED_AUTH_METHOD' for user mapping rule

    Posted Thu September 22, 2022 04:57 PM

    Thomas,


    Unfortunately the user mapping rule is executed immediately after the authentication operation, but before the credential is created.  This means that the standard credential information (which includes AZN_CRED_AUTH_METHOD) is not available to the user mapping rule.  The full list of data which is made available to the user mapping rule can be found in the documentation: https://www.ibm.com/docs/en/sva/10.0.4?topic=mapping-valid-user-attributes.  It looks like you should be able to use the 'method' attribute to determine the method which authenticated the user.


    I hope that this helps.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor







  • 4.  RE: Get value of attribute 'AZN_CRED_AUTH_METHOD' for user mapping rule

    IBM Champion
    Posted Fri September 23, 2022 08:50 AM
    As Scott pointed out, we use method for this today.  The two values I found were "LDAP Registry" for username/password and "SSL Client Certificate" for x509.  I can't recall how I figured those values out, likely tracing things.  I'm not sure if there are other values that you use for other purposes.

    So basically
    <xsl:variable name="method"><xsl:value-of select="stsuuser:Attribute[@name='method']/stsuuser:Value"/></xsl:variable>

    Then testing the value of $method as needed.

    Matt

    ------------------------------
    Matt Jenkins
    ------------------------------



  • 5.  RE: Get value of attribute 'AZN_CRED_AUTH_METHOD' for user mapping rule

    Posted Fri September 23, 2022 09:15 AM
    Hi @ all, 

    We have already used the "method" in the user mapping rule, however we didn't get the relevant authentication mechanism. Our current use case is that we have a Reverse Proxy as a native OIDC Relying Party to a foreign IdP which is responsible for the authentication. In this case the AZN_CRED_AUTH_METHOD has the value "OIDC".

    Unfortunately the above mentioned "method" cannot provide any value, so we got "NOT FOUND". That's why I was asking for this AZN_CRED_AUTH_METHOD, because I didn't find any other information to determine the authentication method in the following case.

    Best regards
    Thomas

    ------------------------------
    Thomas Renner
    ------------------------------
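    The lookup pattern from posts 4 and 5 (read stsuuser:Attribute[@name='method']/stsuuser:Value, then branch on it, and cope with the attribute being absent as it is for the OIDC case) modelled in Python as an added example. This is not IBM's code and not the XSL from the thread; it uses xml.etree to evaluate the same namespace-qualified XPath against constructed STSUU documents. Assumptions: the STSUU namespace URI urn:ibm:names:ITFIM:1.0:stsuuser, the attribute names "username" and "method", the two "method" values reported by Matt, and a "NOT FOUND" fallback that mirrors what Thomas observed; the AZN_CRED_AUTH_METHOD attribute is deliberately left out of the samples because, as Scott explains, it does not exist yet when the mapping rule runs.

```python
import xml.etree.ElementTree as ET

# Namespace of the STSUniversalUser (STSUU) document the user name mapping
# rule receives; the "stsuuser" prefix matches the one bound in the XSL snippets.
STSUU_NS = {"stsuuser": "urn:ibm:names:ITFIM:1.0:stsuuser"}

# Constructed sample inputs (not captured from a real appliance). Only the
# pre-credential attributes are present; AZN_CRED_AUTH_METHOD is absent on
# purpose because the credential has not been built at mapping-rule time.
CERT_LOGON = """<stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
  <stsuuser:AttributeList>
    <stsuuser:Attribute name="username"><stsuuser:Value>thomas</stsuuser:Value></stsuuser:Attribute>
    <stsuuser:Attribute name="method"><stsuuser:Value>SSL Client Certificate</stsuuser:Value></stsuuser:Attribute>
  </stsuuser:AttributeList>
</stsuuser:STSUniversalUser>"""

PASSWORD_LOGON = """<stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
  <stsuuser:AttributeList>
    <stsuuser:Attribute name="username"><stsuuser:Value>thomas</stsuuser:Value></stsuuser:Attribute>
    <stsuuser:Attribute name="method"><stsuuser:Value>LDAP Registry</stsuuser:Value></stsuuser:Attribute>
  </stsuuser:AttributeList>
</stsuuser:STSUniversalUser>"""

# OIDC relying-party logon as described in post 5: no "method" attribute at all.
OIDC_LOGON = """<stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
  <stsuuser:AttributeList>
    <stsuuser:Attribute name="username"><stsuuser:Value>thomas</stsuuser:Value></stsuuser:Attribute>
  </stsuuser:AttributeList>
</stsuuser:STSUniversalUser>"""

# Values reported in the thread (assumed to be complete only for these two cases).
KNOWN_METHODS = {
    "SSL Client Certificate": "certificate",
    "LDAP Registry": "password",
}


def attribute_value(attr_list, name, default="NOT FOUND"):
    """Evaluate stsuuser:Attribute[@name='<name>']/stsuuser:Value below attr_list.

    Returns `default` when the attribute is missing or empty instead of
    silently yielding an empty string, so a caller can tell "absent" apart
    from a legitimate value.
    """
    node = attr_list.find(f"stsuuser:Attribute[@name='{name}']/stsuuser:Value", STSUU_NS)
    if node is None or node.text is None or not node.text.strip():
        return default
    return node.text.strip()


def lookup(stsuu_xml, name):
    """Parse a mapping-rule input document and look up one attribute by name."""
    root = ET.fromstring(stsuu_xml)
    attr_list = root.find("stsuuser:AttributeList", STSUU_NS)
    if attr_list is None:
        return "NOT FOUND"
    return attribute_value(attr_list, name)


def classify_logon(stsuu_xml):
    """Return (method value, classification) the way a mapping rule would branch.

    Anything outside KNOWN_METHODS, including a missing attribute, maps to
    "unknown" so the rule never treats an unrecognised logon as a trusted one.
    """
    method = lookup(stsuu_xml, "method")
    return method, KNOWN_METHODS.get(method, "unknown")


if __name__ == "__main__":
    for label, doc in (("cert", CERT_LOGON), ("password", PASSWORD_LOGON), ("oidc", OIDC_LOGON)):
        print(label, classify_logon(doc), "AZN_CRED_AUTH_METHOD =", lookup(doc, "AZN_CRED_AUTH_METHOD"))
```

    The point of the "unknown" branch is defensive: when the distinguishing attribute is simply not there (the OIDC case in this thread), the rule should fall through to its most restrictive mapping rather than guess, and the trace described in post 6 is the way to find out which attributes actually are present for that flow.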



  • 6.  RE: Get value of attribute 'AZN_CRED_AUTH_METHOD' for user mapping rule

    IBM Champion
    Posted Fri September 23, 2022 10:18 AM
    Have you tried turning trace up to 9 on trace.pd.cas.usermap and then trying the flow?  I have an example of where I did that a while back and it dumps the entire STSUU document where you can see all the available attributes.

    Maybe there could be a clue with a different attribute?

    So I take it in your usermap you need to know if the auth method was oidc so you can tell if the user is authenticating to the WRP/webseal as a federated/oidc user?  If so, seems like you may end up having to use an EAI/InfoMap for whatever logic you need to do based on that attribute :(

    ------------------------------
    Matt Jenkins
    ------------------------------