IBM Verify

"OIDC Login" on the login page

  • 1.  "OIDC Login" on the login page

    Posted Thu March 07, 2019 08:32 AM
    Hello community

    I am still lacking some understanding regarding the button "OIDC Login" on the login page. Doing an OIDC login doesn't return anything. Is that behaviour wanted, or maybe even a wrong configuration on my side?


    Thanks
    bernhard

    ------------------------------
    Bernhard Hensler
    ------------------------------


  • 2.  RE: "OIDC Login" on the login page
    Best Answer

    Posted Thu March 07, 2019 09:19 AM
    Edited by Bernhard Hensler Thu March 07, 2019 09:37 AM
    Hi Bernhard,

    This button appears on the login page when the oidc login mechanism is enabled in the Reverse Proxy configuration.
    When you click the button it should initiate OIDC login (redirect to /pkmsoidc?iss=default).

    If the OIDC configuration was set up by the Cloud Identity wizards then you should be redirected to CI for authentication.
    If the OIDC configuration was set up manually it should redirect to the configured OIDC Provider.

    If nothing happens, I would guess something in the configuration in Reverse Proxy configuration is bad.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: "OIDC Login" on the login page

    Posted Thu March 07, 2019 09:37 AM
    Thanks Jon for the clarification. Then obviously something must be misconfigured, as neither of the two options you described does the job (CI is configured). I will take a look into that again. Best, bernhard

    ------------------------------
    Bernhard Hensler
    ------------------------------



  • 4.  RE: "OIDC Login" on the login page

    Posted Thu March 07, 2019 12:03 PM
    Hi

    I notice this behavior also (OIDC login button displayed) in a sandbox environment where we had configured WebSEAL on the logout success event to automatically redirect to (display) the login page (as suggested in some blog from Philip Nye). It also happens that this is a WRP in which we had enabled the oauth-auth login mechanism to accept bearer tokens obtained elsewhere from the ISAM IdP endpoint.

    So the explanation from Jon makes perfect sense to us now.

    I guess if it is not desired to display the OIDC login button, one can just re-configure the page displayed on login?

    Sylvain Gilbert, p. ing., Conseiller Technique Infrastructures Securité/Security Infrastructures Technical Advisor
    Intact Corporation Financière | 1935 des Cascades, Saint-Hyacinthe, QC J2S 8K9
    (T) 855.646.8228, x 86667 | (M) 450.223.9537





  • 5.  RE: "OIDC Login" on the login page

    Posted Thu March 07, 2019 12:44 PM
    If you don't want the button to show then it makes sense to remove that section from the Reverse Proxy login.html.

    If you want OIDC to trigger automatically when a resource is requested from Cloud Identity launchpad, you could replace with this code:

    <script>
      // Auto-start OIDC login when the user arrived from the Cloud Identity launchpad
      if (document.referrer.includes("ibmcloud")) {
        document.location = "/pkmsoidc?iss=default";
      }
    </script>

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
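    A stricter variant of the referrer check posted above, as an added example that is not part of the thread or of any IBM code. The snippet in the post uses document.referrer.includes("ibmcloud"), a substring match that also fires when that text appears anywhere in the referrer URL (in the path, the query string, or a look-alike hostname). Because the referrer is supplied by the previous page rather than by WebSEAL, the example below parses it and compares the hostname against an explicit allow-list before starting the OIDC flow. The launchpad hostname is a constructed placeholder; replace it with your tenant's host.

```javascript
// Added example, not code from the thread. Decides whether the login page should
// auto-start OIDC login (/pkmsoidc?iss=default, the entry point named in the thread)
// based on the referrer, using an exact hostname allow-list instead of a substring match.

const OIDC_ENTRY_POINT = "/pkmsoidc?iss=default";

// Assumption: the Cloud Identity launchpad host for this deployment. Constructed placeholder.
const LAUNCHPAD_HOSTS = ["launchpad.example-tenant.ibmcloud.invalid"];

// The check as posted in the thread: true whenever "ibmcloud" appears anywhere in the URL.
function looseReferrerMatches(referrer) {
  return typeof referrer === "string" && referrer.includes("ibmcloud");
}

// Stricter check: parse the referrer, require https, and compare the hostname exactly.
function referrerHostMatches(referrer, allowedHosts) {
  if (!referrer) return false; // no referrer (direct navigation, Referrer-Policy) -> no auto-start
  let url;
  try {
    url = new URL(referrer);
  } catch (e) {
    return false; // unparsable referrer -> no auto-start
  }
  if (url.protocol !== "https:") return false;
  return allowedHosts.some((host) => url.hostname === host);
}

// Returns the redirect target, or null when the page should just render normally.
function oidcRedirectTarget(referrer, allowedHosts = LAUNCHPAD_HOSTS) {
  return referrerHostMatches(referrer, allowedHosts) ? OIDC_ENTRY_POINT : null;
}

// Browser usage (skipped when run outside a browser, e.g. under Node for testing).
if (typeof document !== "undefined") {
  const target = oidcRedirectTarget(document.referrer);
  if (target) document.location = target;
}
```

    The difference matters for a referrer such as https://other.invalid/?from=ibmcloud: the substring check starts the OIDC flow, the hostname check does not. Since the redirect target is a fixed local path, the cost of a false match is only an unwanted OIDC round-trip, but an exact allow-list is the habit to build for any logic keyed on referrer values.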



  • 6.  RE: "OIDC Login" on the login page

    Posted Fri March 08, 2019 04:07 PM
    The 'OIDC Login' button will only appear in the login page if you have enabled oidc-auth in the WebSEAL configuration.  If you look at your browser traffic you should see that after you select the button it will send a request to '/pkmsoidc' - which is the entry point for OIDC authentication.  If the OIDC authentication has not been configured correctly WebSEAL will just send the login page again.  This page usually includes an error as to why the OIDC authentication failed.  If you want to see the OIDC authentication flow have a look at the knowledge centre: https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.5/com.ibm.isam.doc/wrp_config/concept/con_oidc_auth_flow.html.

    If you don't want to see the 'OIDC Login' button you should just disable oidc-auth.  If you are in fact trying to configure OIDC-RP authentication you should have a look at the WebSEAL log file to see what is going wrong.

    I hope that this helps.

    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------



  • 7.  RE: "OIDC Login" on the login page

    Posted Tue March 12, 2019 02:46 PM

    Hello Scott

    I think that Bernhard may be on a valid trail, although I cannot say if his scenario is identical to mine.

    1. The scenario that I just reproduced is where "oidc-auth = none" in the WRP, and also logout = login.html in [acnt-mgt].

    2. Login to WRP: OK, no OIDC login is displayed.

    3. Logout by going to /pkmslogout: you are directed back to the login page as expected, but this time with the "OIDC Login" displayed.

    If I reconfigure the WRP with the default logout = logout.html in [acnt-mgt] + WRP recycle, then at step 3 of the previous test case I see the normal ISAM user disconnect message. Navigating back forces the ISAM native login page to be displayed, but without the "OIDC Login" button this time.

    So, it appears this could be a particular scenario?

    This is easy to reproduce.

    Sylvain Gilbert, p. ing., Conseiller Technique Infrastructures Securité/Security Infrastructures Technical Advisor
    Intact Corporation Financière | 1935 des Cascades, Saint-Hyacinthe, QC J2S 8K9
    (T) 855.646.8228, x 86667 | (M) 450.223.9537
    sylvain.gilbert@intact.net | www.intactfc.com






  • 8.  RE: "OIDC Login" on the login page

    Posted Tue March 12, 2019 02:53 PM
    Hello,

    When you set logout = login.html you're asking SAM to render the login page as the logout page. Likely this means the correct macros (which are what cause the different parts of the page to display or hide) are not populated.

    You should either redirect back to home page from logout (to trigger login normally) or edit login.html to manually remove the OIDC login part.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 9.  RE: "OIDC Login" on the login page

    Posted Tue March 12, 2019 04:08 PM
    Sylvain,

    I concur with Jon.  The authentication mechanism macros are only replaced in pages which are used for authentication (e.g. login/step-up).  In your case you have an authentication mechanism macro in the logout page and this means that the macro won't be replaced.

    Thanks,

    Scott.

    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------



  • 10.  RE: "OIDC Login" on the login page

    Posted Tue March 12, 2019 06:33 PM

    Scott, Jon, thanks.

    It should not concern us, as we are not using the IBM branded static content (no offence (-:  I do like the new pages however; they look cool/slick compared to the old ones from the V7 era).

    We usually replace everything with our own branded static content.

    But I wanted to raise this observation as others could also encounter this pitfall.

    Yes, I concur with both of you that one could always customize the pages to take that OIDC logic into account.

    But anyone who comes across Philip Nye's 3-year-old blog post (https://philipnye.com/2016/05/24/commonly-overlooked-isam-settings-for-production-deployments/) might be tempted as well to perform the same config (logout = login.html), which now with ISAM V9 OIDC support will give this odd behavior. I will leave a note on Philip's blog in case he wants to refresh his post. (-; I understand this is his private blog, not an official one from IBM.

    Thanks

    Sylvain Gilbert, p. ing., Conseiller Technique Infrastructures Securité/Security Infrastructures Technical Advisor
    Intact Corporation Financière | 1935 des Cascades, Saint-Hyacinthe, QC J2S 8K9
    (T) 855.646.8228, x 86667 | (M) 450.223.9537
    sylvain.gilbert@intact.net | www.intactfc.com