IBM Verify

  • 1.  ISVA - custom identity mapping rule to restrict user access.

    Posted Tue June 20, 2023 09:00 AM

    Hi all,

    I am working on the identity mapping rules of SAML in ISAM 10.0.2.

    I have a requirement to check if a user is a member of certain LDAP groups and then allow access to the Service Provider.

    I am able to retrieve the groups that a user is member of but I am unable to deny access if a user isn't a member of the LDAP groups.

    Any help would be highly appreciated.

    Thanks,

    Kalyan



    ------------------------------
    kalyan
    ------------------------------


  • 2.  RE: ISVA - custom identity mapping rule to restrict user access.

    Posted Wed June 21, 2023 03:44 AM

    In your mapping rule when you detect the user is not in the desired group(s), call:

    IDMappingExtUtils.throwSTSUserMessageException("Authorization denied - or any other message");

    The rule will exit via exception and SSO will not occur.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 3.  RE: ISVA - custom identity mapping rule to restrict user access.

    Posted Thu June 22, 2023 07:15 AM

    Thanks much Shane for such a swift response.

    I have inserted the code snippet shared (IDMappingExtUtils.throwSTSUserMessageException("Authorization denied - or any other message");) and I see a partial success.

    I thought that the code would throw the WebSEAL error page (Unauthorized403-->38cf0427), but the SAML flow is indeed going through to the SP with empty SAML attributes, due to which the respective error page is being thrown from the SP.

    Is this expected behaviour?

    Thanks once again!!



    ------------------------------
    srinivasa kalyana chakravarthy
    ------------------------------



  • 4.  RE: ISVA - custom identity mapping rule to restrict user access.

    Posted Wed June 21, 2023 11:00 AM

    Using an Access Policy is also preferable because it won't interrupt the SAML SSO flow and can be customized on a per-partner basis.

    This means you can use the same Identity Mapping just for the attributes and leave the access logic to the Access Policy.

    Here is our documented example for Group based logic:

    https://www.ibm.com/docs/en/sva/10.0.2?topic=policies-sample-file-access

    It specifically has a group membership example.

    You can also have more flexibility on the page you return or the action you take when the user is denied access.



    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 5.  RE: ISVA - custom identity mapping rule to restrict user access.

    Posted Thu June 22, 2023 07:16 AM

    Thanks Jack for the suggestion. I will try this too and get back.



    ------------------------------
    srinivasa kalyana chakravarthy
    ------------------------------



  • 6.  RE: ISVA - custom identity mapping rule to restrict user access.

    Posted Mon June 26, 2023 11:13 AM

    A bit more about that in this article: two-factor-authentication

    It is in Dutch but easily translated.



    ------------------------------
    Ralf Klein
    ------------------------------



  • 7.  RE: ISVA - custom identity mapping rule to restrict user access.

    Posted Tue July 11, 2023 01:33 PM
    Edited by Sascha W Tue March 25, 2025 05:48 AM

    I have an access policy that does exactly that:

    • check the user's groups
    • if any group matches a regex: success
    • if not: deny

    This is the code, I think you can easily adapt it to your needs:

    importClass(Packages.com.ibm.security.access.policy.decision.Decision);
    importClass(Packages.com.ibm.security.access.policy.decision.HtmlPageDenyDecisionHandler);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);
    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);

    IDMappingExtUtils.traceString("LOG - INIZIO Access Policy");
    // Take the whole user context
    var user = context.getUser();
    var groupsArray = [];
    var groups = user.getGroups();

    // Copy the group names into a plain JS array (the iterator yields Java strings, hence "" +)
    for (var it = groups.iterator(); it.hasNext();) {
        var group = it.next();
        var groupName = group.getName();
        groupsArray.push("" + groupName);
    }
    // Print the array of user groups
    for (var j in groupsArray) {
        IDMappingExtUtils.traceString("LOG - Array Gruppi: " + groupsArray[j]);
    }

    // Build the regex with the application code
    var regex = "^APP";
    IDMappingExtUtils.traceString("REGEX: " + regex);
    // 'g' is harmless with String.prototype.match() below, but would make re.test() stateful
    var re = new RegExp(regex, 'gm');

    // Set DENY by default
    var handler = new HtmlPageDenyDecisionHandler();
    handler.setPageId("/otp/errors/aclerror.html");
    handler.setMacro("@ERROR_MESSAGE@", "ACCESSO NEGATO");
    handler.setMacro("@DETAIL@", "🚫 Non sei abilitatə all'applicazione 🚫");
    var decision = Decision.deny(handler);
    context.setDecision(decision);

    // Compare the user's groups with the AUTH group pattern; if at least one matches: ALLOW
    for (var x in groupsArray) {
        if (groupsArray[x].match(re)) {
            IDMappingExtUtils.traceString("LOG - Matching Groups: " + groupsArray[x]);
            decision = Decision.allow();
            context.setDecision(decision);
            break;
        }
    }
    IDMappingExtUtils.traceString("LOG - FINE Access Policy");



    ------------------------------
    S
    ------------------------------
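Added example, not from the thread or from IBM: the default-deny allow/deny core of the policy above as a plain JavaScript function that runs outside ISVA, so the group-matching rule can be unit-tested before it is pasted into an Access Policy. The ISVA objects (context, Decision, HtmlPageDenyDecisionHandler) are replaced by a result object, the "^APP" group prefix is assumed from the post, and a second function shows why the policy's 'g' RegExp flag must not be combined with test().

```javascript
// Added example (not the policy's own code): the allow/deny logic of the
// ISVA access policy above, with the ISVA plumbing stripped out.

// Anchored pattern for the groups that grant access (assumed prefix "APP").
const ALLOWED_GROUP_PATTERN = /^APP/;

// Default-deny: returns {decision: "deny"} unless at least one group matches.
// `groups` is the list of group names the policy reads (in ISVA these are
// java.lang.String objects, which is why the original coerces with "" +).
function decideAccess(groups, pattern = ALLOWED_GROUP_PATTERN) {
  const names = Array.from(groups || [], (g) => "" + g);
  for (const name of names) {
    // pattern has no g/y flag, so test() is stateless here
    if (pattern.test(name)) {
      return { decision: "allow", matchedGroup: name, checked: names };
    }
  }
  return { decision: "deny", matchedGroup: null, checked: names };
}

// Pitfall the original avoids by using match(): a /g regex reused with
// test() keeps lastIndex between calls, so the same group is accepted on
// the first call and rejected on the second.
function demonstrateGlobalFlagPitfall() {
  const re = /^APP/g;
  return [re.test("APP-sales"), re.test("APP-sales")]; // [true, false]
}

// Constructed sample input: one user with and one without an APP group.
console.log(decideAccess(["Users", "APP-sales"]));   // allow
console.log(decideAccess(["Users", "myAPP"]));       // deny (not anchored at start)
console.log(demonstrateGlobalFlagPitfall());         // [true, false]
```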



  • 8.  RE: ISVA - custom identity mapping rule to restrict user access.

    Posted Wed July 12, 2023 04:34 AM

    Thank you Sascha for your suggestion. I will implement and get back to you.



    ------------------------------
    srinivasa kalyana chakravarthy
    ------------------------------