Hi Vamsi,
I am using the following template page to do what Jon Harry suggested.
```
<%
// Values placed in macros by the InfoMap
var username = templateContext.macros["@USERNAME@"];
var myattr = templateContext.macros["@MYATTR@"];
// Return the user as an external user in the group "external"
templateContext.response.setHeader("am-eai-ext-user-id", username);
templateContext.response.setHeader("am-eai-ext-user-groups", "external");
// Name the extended attribute header, then send its value
templateContext.response.setHeader("am-eai-xattrs", "myattr");
templateContext.response.setHeader("myattr", myattr);
%>
```
In my case only two macros are set by the infomap, but the possibilities are endless.
The group needs to exist in the registry and is defined in the ACL I am using.
Hope this helps.
Regards,
Paul van den Brink
------------------------------
Original Message:
Sent: Thu April 04, 2019 11:27 AM
From: Jon Harry
Subject: ISAM Credential for External Users using Infomap
Hello,
When the Reverse Proxy receives an authentication (EAI) message from AAC, it is the HTTP headers used that determine if the user should be considered a "real" user or an "external" user. If the username is sent in header `am-eai-user-id` then it is a real user. This header is checked first. If this header is not sent but a username is sent in header `am-eai-external-user-id` then this is an external user.
Which header is used to return the username (in normal flow) is determined by the POC Contact Profile. There is no option here to support a mix of real users and external users at the same time.
I have seen a pattern used which might help (although I don't have full details). In this pattern, the standard AAC function which completes authentication and returns the EAI headers is bypassed (by completing the authentication without credential). Template scripting in the final template page is then used to send the headers in custom code which gives dynamic control over which headers to return - and therefore how the Reverse Proxy behaves.
Hopefully someone else in this forum might have some sample code they could share for this.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Wed April 03, 2019 12:45 PM
From: Vishnu Vamsi Bathula
Subject: ISAM Credential for External Users using Infomap
Hello,
I would like to know how to build an ISAM credential using AAC Infomap for external users who don't exist in the ISAM registry.
Using the below line in Infomap, the ISAM credential was built only for users who exist in the ISAM registry.
```
context.set(Scope.SESSION, "urn:ibm:security:asf:response:token:attributes", "username", requestedUsername);
```
Please let me know if there is any method or attribute that we need to set to create a credential for external userids.
Thanks
Vamsi.
------------------------------
Vishnu Vamsi
------------------------------
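The pattern Jon Harry describes, where the final template page decides which EAI headers to return, can be combined with Paul van den Brink's template so that one page serves both real and external users. This is an added example, not code from the thread or from IBM: the `@USERTYPE@` macro, its `real`/`external` values and the function names are assumptions, while the header names are the ones quoted in the thread.

```javascript
// Added example. Header names are the ones quoted in this thread; the
// @USERTYPE@ macro and its "real"/"external" values are assumptions.
var EXT_GROUP = "external"; // must exist in the registry and be named in the ACL

// Return the value as a string, or null if it is missing or carries control
// characters (CR/LF would let a value break out of its header).
function safeValue(v) {
  if (v === undefined || v === null) return null;
  var s = String(v);
  return (s.length === 0 || /[\x00-\x1f\x7f]/.test(s)) ? null : s;
}

// Build the EAI header set for one login, or null to send nothing (fail closed).
function buildEaiHeaders(macros) {
  var username = safeValue(macros["@USERNAME@"]);
  var userType = safeValue(macros["@USERTYPE@"]);
  if (username === null) return null;
  var headers = {};
  if (userType === "real") {
    headers["am-eai-user-id"] = username;
  } else if (userType === "external") {
    // Never combine with am-eai-user-id: that header is checked first.
    headers["am-eai-ext-user-id"] = username;
    headers["am-eai-ext-user-groups"] = EXT_GROUP;
  } else {
    return null; // unknown type: no identity headers at all
  }
  var myattr = safeValue(macros["@MYATTR@"]);
  if (myattr !== null) {
    headers["am-eai-xattrs"] = "myattr";
    headers["myattr"] = myattr;
  }
  return headers;
}

// Copy the headers onto the response; in a template page the caller passes
// templateContext.macros and templateContext.response.
function sendEaiHeaders(macros, response) {
  var headers = buildEaiHeaders(macros);
  if (headers === null) return false;
  for (var name in headers) {
    response.setHeader(name, headers[name]);
  }
  return true;
}
```

Because the function returns exactly one identity header or none, a malformed or unexpected macro value results in no credential being built rather than a fallback to the other user type.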