IBM Security Verify

 View Only
  • 1.  MAC OTP Authentication - REST API call

    Posted Mon June 13, 2022 11:42 PM
    We have configured the Authentication policy with MAC OTP workflow with username request parameter. We are trying retrieve the email from LDAP with the request parameter, USERNAME inside the OTPGetMethods mapping Rules.

    We have tried using credential attribute & using user lookup helper class and had no luck with it.  any suggestions, please?

    ------------------------------
    Anji Babu
    ------------------------------


  • 2.  RE: MAC OTP Authentication - REST API call

    Posted Tue June 14, 2022 12:23 AM
    HI


    var stsuuAttrs = stsuu.getAttributeContainer();
    stsuuAttrs.getAttributeValueByName("emailAddress")


    where emailAddress ( is part of the credential and thus made avialable as part of the STSUU)

    You need to verify whether emailAddress or mail or whatever attribute you intend to use are part of credential attribute( you need to do related changes in reverse proxy config file)

    example(from reverse proxy config)

    [TAM_CRED_ATTRS_SVC:eperson]
    emailAddress = mail
    mobileNumber = mobile





    ------------------------------
    Tushar
    Tushar
    ------------------------------



  • 3.  RE: MAC OTP Authentication - REST API call

    Posted Tue June 14, 2022 01:29 AM
    I'd like to zoom out a bit and verify something. Why are you passing username via a request parameter? Perhaps ok if using apiauthsvc to call the policy programmaticly but if this is a browser accessed policy you have an open spammer. Can you confirm the use case with more detail?

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 4.  RE: MAC OTP Authentication - REST API call

    Posted Tue June 14, 2022 09:59 AM
    Shane,

    we are calling policy programmatically. Below the curl format.

    curl --location --request POST 'https://isvarp/mga/sps/apiauthsvc?PolicyId=urn:ibm:security:authentication:asf:newmacotp' \
    --header 'Content-Type: application/json' \
    --header 'Accept: application/json' \
    --data-raw '{'\''myuid'\'':'\''testuser'\''}' 

    Thank you


    ------------------------------
    Anji Babu
    ------------------------------



  • 5.  RE: MAC OTP Authentication - REST API call

    Posted Tue June 14, 2022 10:55 AM

    Ok, that's fine. Here's what I would do.

    I noticed you have your own policy - newmacotp, which is good. This should be a policy that has the following two mechanisms:

    Your custom Infomap
    Mac One-time password



    In the mapping rule for Your custom Infomap, you read in the username via:



    let username = context.get(Scope.REQUEST, "urn:ibm:security:asf:request:parameter", "myuid");

    You can then use UserLookupHelper or whatever other methods you want to discover email address or phone number and what type of OTP you are going to do (i.e. email or SMS). Put these into the AAC SESSION as attributes like this:

    let deliveryType = "Email"; // or "SMS"
    let deliveryAttribute = "testuser@mailinator.com"; // "or a formatted phone number"
    context.set(Scope.SESSION, "urn:myns", "deliveryType", deliveryType);
    context.set(Scope.SESSION, "urn:myns", "deliveryAttribute", deliveryAttribute);
    context.set(Scope.SESSION, "urn:myns", "username", username);


    Then in the Mac One Time Password mechanism in the policy, configure the properties like this:


    Understand that the idea of the Infomap is to load the AAC SESSION context with attributes, which then feed into the Mac One Time Password mechanism.

    Hopefully this unblocks you.






    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 6.  RE: MAC OTP Authentication - REST API call

    Posted Tue June 14, 2022 12:55 PM
    Thank you Shane for the input. 

    Based on your input, we have updated newmacotp policy with CustomInfoMap and MAC OTP authentication Policies



    we have hard coded the values in infomap mapping rule,  as mentioned below

    --->Infomap mapping rule (we have removed the email. it is hard coded for now. later will used userhelp class to pull out from ldap)

    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);

    var username = context.get(Scope.REQUEST, "urn:ibm:security:asf:request:parameter", "myuid");
    IDMappingExtUtils.traceString("username from request: " + username);

    var deliveryType = "Email"; // or "SMS"
    IDMappingExtUtils.traceString("Delivery Type from request: " + deliveryType);

    var deliveryAttribute = "testemail"; // "or a formatted phone number"
    IDMappingExtUtils.traceString("Delivery Type from request: " + deliveryAttribute);

    context.set(Scope.SESSION, "urn:myns", "deliveryType", deliveryType);
    context.set(Scope.SESSION, "urn:myns", "deliveryAttribute", deliveryAttribute);
    context.set(Scope.SESSION, "urn:myns", "username", username);


    when we call newmacotp policy, noticed MAC OTP policy is not invoking. Please see result below. OTP not delivered 

    curl -k -v -X POST -H "Content-Type:application/json" -H "Accept: application/json" --data "{'myuid':'testuser1'}" "https://isamrp/mga/sps/apiauthsvc?PolicyId=urn:ibm:security:authentication:asf:newmacotp"

    output:

    {"exceptionMsg":"","location":"/mga/sps/apiauthsvc?StateId=kZh0MSfhtJ38nDUjflw7d9043r39mOlwabOPPVFHzplwYMxQUbUK7izNqMRQioclDDMWsMAOTzhlal0WIjJsgpaU031k7ySmtxjKWPAzFBGjJLSJ2SxxhWBrjhuOwUwA","state":"kZh0MSfhtJ38nDUjflw7d9043r39mOlwabOPPVFHzplwYMxQUbUK7izNqMRQioclDDMWsMAOTzhlal0WIjJsgpaU031k7ySmtxjKWPAzFBGjJLSJ2SxxhWBrjhuOwUwA","message":"","mechanism":"urn:ibm:security:authentication:asf:mechanism:urn:ibm:security:authentication:asf:mechanism:customInfoMap"}

    ------------------------------
    Anji Babu
    ------------------------------



  • 7.  RE: MAC OTP Authentication - REST API call

    Posted Tue June 14, 2022 01:18 PM
    never mind. mapping rule code updated and it worked




    ------------------------------
    Anji Babu
    ------------------------------



  • 8.  RE: MAC OTP Authentication - REST API call

    Posted Tue June 14, 2022 02:18 PM
    Excellent. Sounds like you are making progress!

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 9.  RE: MAC OTP Authentication - REST API call

    Posted Tue June 14, 2022 04:55 PM
    Edited by Anji Babu Tue June 14, 2022 04:57 PM
    We have updated infomap mapping rule to retrieve EMAIL or Telephone number from LDAP based on delivery Type. It worked !!! 



    ----------------------------------------------------------------------------------------------------------------------------------------

    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
    importClass(Packages.com.ibm.security.access.user.UserLookupHelper);
    importClass(Packages.com.ibm.security.access.user.User);

    var username = context.get(Scope.REQUEST, "urn:ibm:security:asf:request:parameter", "myuid");
    var deliveryType = context.get(Scope.REQUEST, "urn:ibm:security:asf:request:parameter", "medium");

    var hlpr1 = new UserLookupHelper();

    // To use the ISAM Runtime configuration use:
    // hlpr.init(false);
    // added admin credentials to the [bind-credentials] stanza of the
    // ldap.conf under the ISAM runtime. ldap.conf file

    hlpr1.init(false);

    if (username != null) {
    IDMappingExtUtils.traceString("Delivery Type from request: " + username);
    // put into authsvc context for next mechanism
    context.set(Scope.SESSION, "urn:myns", "username", username);
    user1 = hlpr1.getUser(username);

    if (deliveryType != null) {
    IDMappingExtUtils.traceString("Delivery Type from request: " + deliveryType);
    // put into authsvc context for next mechanism
    context.set(Scope.SESSION, "urn:myns", "deliveryType", deliveryType);

    var deliveryAttribute = "admin@localhost";
    if (deliveryType == "Email") {
    deliveryAttribute = user1.getAttribute("mail");
    IDMappingExtUtils.traceString("OTP Delivery medium is Email : " + deliveryAttribute);
    }
    if (deliveryType == "SMS") {
    deliveryAttribute = user1.getAttribute("telephoneNumber");
    IDMappingExtUtils.traceString("OTP Delivery medium is SMS : " + deliveryAttribute);
    }
    // put into authsvc context for next mechanism
    context.set(Scope.SESSION, "urn:myns", "deliveryAttribute", deliveryAttribute);

    }
    success.setValue(true);
    }else {
    success.setValue(false);
    }

    ------------------------------
    Anji Babu
    ------------------------------