List of Contributions

Laurent LA Asselborn

Posted By Laurent LA Asselborn Mon April 08, 2024 02:07 AM
Found In Egroup: IBM Security Verify
Hi Victor, I would first check if your Java environment of the Websphere server is still correctly configured. If you did an update of Java, you probably lost the correct PD.jar file. The files to check are: PD.jar, PD.properties and PDCA.ks To check the ISVA version of PD.jar: # unzip -p /o ...
Posted By Laurent LA Asselborn Fri February 09, 2024 10:56 AM
Found In Egroup: IBM Security Verify
You can probably put the management interface behind a WebSEAL junction. That way you can filter the URLs with DynURL. It will probably be a bit of work to find out which URLs to allow and which to block.
Posted By Laurent LA Asselborn Thu February 08, 2024 03:39 AM
Found In Egroup: IBM Security Verify
Hi, So it seems you want to protect the access to the management interface of the appliance? At first I thought, like other commentators, that you wanted to protect a service which is deployed behind the appliance. You can configure these limitations under "System -> Account Management". We only ...
Posted By Laurent LA Asselborn Fri January 05, 2024 02:10 AM
Found In Egroup: IBM Security Verify
You also have to pay attention to the fact that the templates exist in several languages. The template which gets chosen depends on the language configured in your browser. So you either have to change the templates for all languages, or just delete languages you don't want to support.
Posted By Laurent LA Asselborn Fri August 04, 2023 02:50 AM
Found In Egroup: IBM Security Verify
Hi, I assume you are talking about OIDC on ISVA. Here the redirect_uri is validated on a prefix basis. So your example would pass, but even a URL like https://abc.com/test/myCallback would also pass.
Posted By Laurent LA Asselborn Wed July 12, 2023 03:01 AM
Found In Egroup: IBM Security Verify
Hi Sacha, From this link: https://www.ibm.com/docs/en/sva/9.0.7?topic=support-oidc-claims-customization Saving Values or Parameters Security Access Manager enables you to save values or parameters that are related to the claims at the /authorize endpoint. For example, some request parameters ...
Posted By Laurent LA Asselborn Mon June 05, 2023 04:40 AM
Found In Egroup: IBM Security Verify
Hi Galin, Just to check the obvious: did you create the test.conf file before executing your command? In your command, did you indicate the file as "test.conf" or with the absolute file path? Kind regards, Laurent
Posted By Laurent LA Asselborn Tue February 28, 2023 04:51 AM
Found In Egroup: IBM Security Verify
Hi Siddhant, The URL shown in your screenshot does not match what is configured in your fsso file (/TestSecApp/login*). So it should be normal that the form login is not applied. Kind regards, Laurent
Posted By Laurent LA Asselborn Wed February 01, 2023 05:57 AM
Found In Egroup: IBM Security Verify
Hi Julian, No, you don't have to be logged in in the same browser (or more precisely, on the same WebSEAL) as that would make the function pretty useless. In fact, you will probably get an error if you try to call this service with an active session. What this service does is exchange an access ...
Posted By Laurent LA Asselborn Fri November 11, 2022 04:33 AM
Found In Egroup: IBM Security Verify
Hi Sascha, If you are using basic users I am not sure that they have this attribute. Usually this attribute is set on the user object under secauthority=default, and basic users don't have an entry in this subtree. Can you check if you are using basic users which only exist in one subtree, or if ...
Posted By Laurent LA Asselborn Thu October 06, 2022 03:17 AM
Found In Egroup: IBM Security Verify
There is a workaround. You have to get it in an access policy and store it in the cache: var protocolContext = context.getProtocolContext(); var PartnerName = protocolContext.getPartnerName(); var tsi=user.getAttribute("tagvalue_session_index").getValue(); IDMappingExtUtils.getIDMappingExtCach ...
Posted By Laurent LA Asselborn Wed July 27, 2022 02:55 AM
Found In Egroup: IBM Security Verify
Hi Jens, Yes, you can implement an MMFA solution with offline letters. When you are talking about MMFA you seem to have in mind the IBM app, which uses OAuth under the hood. But that is not the only way of working. You could also implement an MMFA solution which uses TOTP. You have to keep in ...
Posted By Laurent LA Asselborn Mon May 24, 2021 08:09 AM
Found In Egroup: IBM Security Verify
The problem is that you are authenticated in WebSEAL so an iv-cred is sent to the server. It seems this takes precedence over the Authorization header. You now have two possibilities: - do not send the WebSEAL cookie - configure a second junction which doesn't provide the credential to the backend ...
Posted By Laurent LA Asselborn Wed May 12, 2021 02:27 AM
Found In Egroup: IBM Security Verify
Hi Kirill, So are you not able to use the UserLookupHelper at all, or is it just that you are not able to check if the user is still active? It is definitely possible to use the UserLookupHelper in OAuth mapping rules; we use it. Did you set the required parameters in ldap.conf? [bind-credentials] ...
Posted By Laurent LA Asselborn Tue May 11, 2021 02:50 AM
Found In Egroup: IBM Security Verify
Hi Jon, I for my part would be very surprised if ISAM doesn't support it as it is supported on the IdP side: Specify which pieces of messages to this partner should be encrypted: - Name Identifiers - Assertions - Assertion Attributes
Posted By Laurent LA Asselborn Fri April 09, 2021 03:12 AM
Found In Egroup: IBM Security Verify
That's also the solution I recommend. We use it to send confirmation mails from OAuth mapping rules.
Posted By Laurent LA Asselborn Mon March 29, 2021 04:16 AM
Found In Egroup: IBM Security Verify
I don't have much experience with basic users, but it is my understanding that basic users don't have an entry in the secauthority=default subtree. So no, this attribute probably does not apply to basic users.
Posted By Laurent LA Asselborn Fri March 26, 2021 05:10 AM
Found In Egroup: IBM Security Verify
Hi Joao, The LDAP attribute controlling whether a user is active is "secAcctValid" of the "secUser" objectclass. It is set on the entry "principalName=xxx,cn=Users,SECAUTHORITY=DEFAULT"
Posted By Laurent LA Asselborn Thu March 25, 2021 04:01 AM
Found In Egroup: IBM Security Verify
The ResCred subtree is for GSO credentials. It is only there if you tick the box "GSO User".
Posted By Laurent LA Asselborn Tue March 16, 2021 06:31 AM
Found In Egroup: IBM Security Verify
I would check the [eai-trigger-urls] stanza for the trigger URLs. It seems that they trigger only for /mga.