IBM Security Verify

 View Only
  • 1.  ISAM Credential for External Users using Infomap

    InnerCircle
    Posted Wed April 03, 2019 12:46 PM

    Hello,

    I would like to know how to build an ISAM credential using AAC Infomap for external users who doesn't exist ISAM registry.

    Using the below line in Infomap, the ISAM credential was built only for user who exist in ISAM registry.

    context.set(Scope.SESSION, "urn:ibm:security:asf:response:token:attributes", "username", requestedUsername);


    Please let me know if there any method or attribute that we need to set to create a credential for external userids.

    Thanks
    Vamsi.



    ------------------------------
    Vishnu Vamsi
    ------------------------------


  • 2.  RE: ISAM Credential for External Users using Infomap

    Posted Wed April 03, 2019 02:05 PM
    Whether the user will be returned as a Standard user or an External User is not controlled by the InfoMap. The username is set as you have described in both cases.

    Standard Vs External User is set by changing the Point of Contact Profile for the AAC Runtime. This is configured under Point of Contact in the LMI.  It is a global setting. 

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: ISAM Credential for External Users using Infomap

    InnerCircle
    Posted Thu April 04, 2019 10:22 AM
    Hi Jon,

    Thanks for you reply.

    I would like to use both Standard and External user registry to do the lookup and build ISAM credential. Can it be achieved with single point of contact profile defaulted in AAC?

    Thanks,

    ------------------------------
    Vishnu Vamsi
    ------------------------------



  • 4.  RE: ISAM Credential for External Users using Infomap

    Posted Thu April 04, 2019 11:28 AM
    Hello,

    When the Reverse Proxy receives an authentication (EAI) message from AAC, it is the HTTP headers used that determine if the user should be considered a "real" user or an "external" user.  If the username is sent in header `am-eai-user-id` then it is a real user.  This header is checked first.  If this header is not sent but a username is sent in header `am-eai-external-user-id` then this is an external user.

    Which header is used to return the username (in normal flow) is determined by the POC Contact Profile.  There is no option here to support a mix of real users and external users at the same time.

    I have seen a pattern used which might help (although I don't have full details).  In this pattern, the standard AAC function which completes authentication and returns the EAI headers is bypassed (by completing the authentication without credential).   Template scripting in the final template page is then used to send the headers in custom code which gives dynamic  control over which headers to return - and therefore how the Reverse Proxy behaves.

    Hopefully someone else in this forum might have some sample code they could share for this.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 5.  RE: ISAM Credential for External Users using Infomap

    Posted Wed August 10, 2022 08:14 AM
    Hi Vamsi,

    I am using the follwing template page to do what Jon Harry suggested.

    <%
    var username = templateContext.macros["@USERNAME@"]
    var myattr = templateContext.macros["@MYATTR@"]
    templateContext.response.setHeader("am-eai-ext-user-id",username);
    templateContext.response.setHeader("am-eai-ext-user-groups","external");
    templateContext.response.setHeader("am-eai-xattrs","myattr");
    templateContext.response.setHeader("myattr",myattr);
    %>

    In my case only two macros are set by the infomap, but the possibilities are endless.
    The group needs to exist in the registry and is defined in the ACL I am using.

    Hope this helps.

    Regards,
    Paul van den Brink


    ------------------------------
    Paul van den Brink
    ------------------------------