IBM Security Verify

  • 1.  Preventing direct access to applications

    Posted Fri December 08, 2023 10:19 AM

    Hi, I was watching a demo video on how to protect applications via WebSEAL at https://www.securitylearningacademy.com/course/view.php?id=2694 and I was able to follow the demo.  My question is: how do I prevent direct access to the application? For example, testuserB can directly access IBM.com without going through ISVA/WebSEAL.

    I know the demo was using a publicly accessible site, but is there a demo or steps to protect an internal application in a similar way, where you can only access the application via WebSEAL/ISVA and any direct access results in first authenticating with ISVA?  I am really curious to understand how we can put an internal application behind the reverse proxy and prevent direct access to it, so that any access is via the reverse proxy after authenticating with ISVA.



    ------------------------------
    Narayan Verma
    ------------------------------


  • 2.  RE: Preventing direct access to applications

    Posted Sun December 10, 2023 03:50 PM

    Narayan,


    The answer to your question really comes down to the environment itself.  In some environments you can add a firewall or routing rule to prevent network access from any other machine but WebSEAL.  In other environments you would need to configure the application Web server itself to prevent access from any host other than WebSEAL.  The other option is to require authentication to access the application Web server and use one of the single-sign-on capabilities of WebSEAL to authenticate to the application Web server.


    I hope that this helps.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor






  • 3.  RE: Preventing direct access to applications

    Posted Mon December 11, 2023 07:19 AM

    Thank you, Scott. By SSO in the third item, are you talking about OIDC/SAML?



    ------------------------------
    Narayan Verma
    ------------------------------



  • 4.  RE: Preventing direct access to applications

    Posted Mon December 11, 2023 02:51 PM

    Narayan,


    By SSO I am referring to the ability of WebSEAL to authenticate to a junctioned server.  There are many different ways that it can do this, for example: LTPA cookie, JWT, BA header, forms single sign on.


    Thanks.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

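The two ideas Scott describes in replies 2 and 4 (only admit traffic that arrives from WebSEAL, and have the application itself require an SSO credential that WebSEAL supplies on the junction) can be combined in the backend's own request check. The following is an added illustration written for this thread, not code from IBM or from ISVA: it models a backend that accepts a request only when the source address is the reverse proxy and the request carries an HS256 JWT signed with a key shared with the junction. The proxy address, the shared secret, the issuer value and the claim names are all constructed placeholders; ISVA's actual junction JWT SSO settings (header name, signing key, claim mapping) are configured on the junction and are not assumed here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values. In a deployment the allowlist holds the
# reverse proxy's address(es) and the secret is the key configured for
# the junction's JWT single sign-on; these are placeholders, not real values.
WEBSEAL_ADDRESSES = {"10.0.0.5"}
JWT_SHARED_SECRET = b"placeholder-shared-secret"
EXPECTED_ISSUER = "https://webseal.example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT; used here only to construct sample tokens for the demo."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256_jwt(token: str, secret: bytes, now=None):
    """Return the claims if algorithm, signature, issuer and expiry all check out, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        given_sig = b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm on the verifier side; never let the token choose it.
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(given_sig, expected_sig):
        return None
    if claims.get("iss") != EXPECTED_ISSUER:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def check_request(remote_addr: str, headers: dict, now=None):
    """Admit a request only if it came from WebSEAL and carries a valid SSO token.

    Returns (allowed, reason). Header names are matched case-insensitively.
    """
    if remote_addr not in WEBSEAL_ADDRESSES:
        return False, "source address is not the reverse proxy"
    lowered = {name.lower(): value for name, value in headers.items()}
    auth = lowered.get("authorization", "")
    if not auth.startswith("Bearer "):
        return False, "no bearer token from the reverse proxy"
    claims = verify_hs256_jwt(auth[len("Bearer "):], JWT_SHARED_SECRET, now)
    if claims is None:
        return False, "SSO token invalid or expired"
    return True, f"authenticated as {claims.get('sub')}"


if __name__ == "__main__":
    # Constructed sample: a token as the proxy would mint after the user logs in.
    token = make_hs256_jwt(
        {"iss": EXPECTED_ISSUER, "sub": "testuserB", "exp": int(time.time()) + 300},
        JWT_SHARED_SECRET,
    )
    print(check_request("10.0.0.5", {"Authorization": "Bearer " + token}))
    print(check_request("192.168.1.20", {"Authorization": "Bearer " + token}))
    print(check_request("10.0.0.5", {}))
```

The address check alone is what a firewall or web-server `allow` rule gives you; the token check is what still holds if someone reaches the backend from a host that happens to share the proxy's address range, because without the junction's signing key there is no valid credential to present. Keeping both on the backend means a direct request that bypasses WebSEAL fails on one or the other.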