IBM Security Verify

  • 1.  Open ID Connect Relying Party with external user

    Posted Thu August 18, 2022 02:14 AM
    Hi,

    I want to setup an oidc-rp without the need to register all the users.
    Does someone know if it is possible to treat the users (the sub in the id_token) as external users?
    I am running ISVA10.0.3.1

    Any hint is much appreciated.

    Regards,
    Paul van den Brink

    ------------------------------
    Paul van den Brink
    ------------------------------


  • 2.  RE: Open ID Connect Relying Party with external user

    Posted Thu August 18, 2022 03:03 AM

    Paul,

    If you are using the native WebSEAL OIDC-RP capability you can enable support for 'external' users by setting the '[oidc:<id>] external-user' configuration entry.  I am not 100% sure if you can do this if you are using the OIDC-RP capability provided by the Federation component.

    Thanks.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 3.  RE: Open ID Connect Relying Party with external user

    Posted Thu August 18, 2022 08:36 AM
    Hi Scott,

    Good to know that there is an option.
    I was actually seeking functionality in the Federation component because I wanted to use a mapping rule to enrich the credential with information from another external source.

    Regards,
    Paul van den Brink

    ------------------------------
    Paul van den Brink
    ------------------------------



  • 4.  RE: Open ID Connect Relying Party with external user

    Posted Fri August 19, 2022 01:55 AM
    It is definitely possible - both with the Federation implementation of OIDC RP, and the WRP/IAG implementations.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 5.  RE: Open ID Connect Relying Party with external user

    InnerCircle
    Posted Fri August 19, 2022 09:45 AM
    If you are using the federation module, take a look at the point of contact profile.  I believe setting it to "Non-Access Manager Username, Access Manager groups and extended attributes" would allow this to work.  At least that is how it works with SAML.  I'm not 100% sure how the POC profiles work, there isn't a ton of information on them.  The only recent documentation I could find on the POC profiles is here:

    https://www.ibm.com/docs/en/sva/9.0.1?topic=configuration-preconfigured-point-contact-profiles

    This was something that came from the old TFIM days so there is some older info floating around if you google deep enough.

    If you do need it via the federation module, maybe someone else could chime in on specifics.  But with SAML, that is how I have achieved this in the past to allow users to authenticate via SAML token and not have to exist in the PD registry.

    ------------------------------
    Matt Jenkins
    ------------------------------



  • 6.  RE: Open ID Connect Relying Party with external user

    Posted Mon August 22, 2022 04:42 AM
    Edited by Paul van den Brink Tue August 23, 2022 04:11 AM
    Hi Matt,

    Thanks for pointing me in this direction.

    I have it working now in my dev box.
    These are the steps I followed:

    1. Change the default Point of Contact "Access Manager Username and extended attributes" to also provide a header for the groups:
    fim.groups.response.header.name am-eai-user-groups

    2. Change the proxy config to treat the EAI headers as external user headers:
    eai-user-id-header = not-used
    eai-ext-user-id-header = am-eai-user-id
    eai-ext-user-groups-header = am-eai-user-groups

    3. Have the mapping rule also provide the groups:
    // Access Manager groups added to the STSUU end up in the groups header configured in step 1
    stsuu.addGroup(new com.tivoli.am.fim.trustserver.sts.uuser.Group("group1", "urn:ibm:names:ITFIM:5.1:accessmanager", null));
    stsuu.addGroup(new com.tivoli.am.fim.trustserver.sts.uuser.Group("group2", "urn:ibm:names:ITFIM:5.1:accessmanager", null));
    stsuu.addGroup(new com.tivoli.am.fim.trustserver.sts.uuser.Group("group3", "urn:ibm:names:ITFIM:5.1:accessmanager", null));


    Regards,
    Paul van den Brink


    ------------------------------
    Paul van den Brink
    ------------------------------
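As an added illustration (not part of Paul's post and not ISVA code), here is a small Python model of how the `[eai]` settings from step 2 route the headers produced in steps 1 and 3 into an external user with groups, and why the default registry header setting would send the same headers to a registry lookup instead. The comma-separated group header format and the registry-header-first ordering are assumptions to verify against the WebSEAL documentation; all config and header values are constructed samples.

```python
"""Model of how WebSEAL consumes EAI headers after a federation POC
(assumed behaviour; constructed sample data, not ISVA code)."""
import re

# Constructed [eai] stanza mirroring step 2 of the thread.
WEBSEAL_CONF = """
[eai]
eai-user-id-header = not-used
eai-ext-user-id-header = am-eai-user-id
eai-ext-user-groups-header = am-eai-user-groups
"""

def parse_stanza(conf, stanza):
    """Return key->value for one [stanza] of a WebSEAL-style config."""
    entries, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            continue
        if current == stanza and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            entries[key] = value
    return entries

def split_groups(value):
    """Assumed format: comma-separated group names, optional quotes."""
    return [g.strip().strip('"') for g in value.split(",") if g.strip()]

def resolve_identity(eai_conf, headers):
    """Decide which identity WebSEAL would build from EAI response headers.
    Header names are compared case-insensitively; the registry header is
    checked first (assumption: verify precedence against the ISVA docs)."""
    h = {k.lower(): v for k, v in headers.items()}
    registry_hdr = eai_conf.get("eai-user-id-header", "").lower()
    if registry_hdr and registry_hdr in h:
        return {"type": "registry", "user": h[registry_hdr], "groups": []}
    ext_hdr = eai_conf.get("eai-ext-user-id-header", "").lower()
    if ext_hdr and ext_hdr in h:
        grp_hdr = eai_conf.get("eai-ext-user-groups-header", "").lower()
        groups = split_groups(h.get(grp_hdr, "")) if grp_hdr else []
        return {"type": "external", "user": h[ext_hdr], "groups": groups}
    return None  # no identity header: not treated as an EAI authentication

# Constructed headers as the POC profile emits them after steps 1 and 3.
SAMPLE_HEADERS = {"am-eai-user-id": "paul@example.test",
                  "am-eai-user-groups": "group1,group2,group3"}
```

Calling `resolve_identity(parse_stanza(WEBSEAL_CONF, "eai"), SAMPLE_HEADERS)` yields an external user carrying the three groups; swapping in the default `eai-user-id-header = am-eai-user-id` makes the same headers resolve to a registry user, which is the lookup the thread wanted to avoid.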