List of Contributions

Dries Eestermans

IS4U

Posted By Dries Eestermans Fri February 19, 2021 02:40 AM
Found In Egroup: IBM Security Verify
Hi Mukesh, @Peter Volckaert has implemented such functionality in InfoMap: https://github.com/peter-volckaert/custom-password/blob/master/mapping-rules/InfoMap_CryptoJS.js, so I suggest you take a look at his code for leads. Furthermore, there are some basic features implemented in the available ...
Posted By Dries Eestermans Wed February 17, 2021 04:12 PM
Found In Egroup: IBM Security Verify
Hi Mukesh, Scott, There is actually another way to query sessions; use a WebServer Connection and make a JavaScript Client Helper library to interface to the DSessAdmin service on http://127.0.0.1:2026/DSess/services/DSessAdmin in InfoMap. Then, using a listSessionsRequest: POST /DSess/services/DSessAdmin ...
Posted By Dries Eestermans Thu December 10, 2020 07:12 AM
Found In Egroup: IBM Security Verify
Hi Mukesh, That's basically due to restrictions put in place for the various different components (type of mapping rules), see Jon's link which shows the JavaScript whitelist that shows which packages you can use in which type of Mapping Rule. Alternatively, depending on your hashing requirements, ...
Posted By Dries Eestermans Wed December 09, 2020 11:49 AM
Found In Egroup: IBM Security Verify
Hi Mukesh, Jon, You can use the Base64 Util class using: importClass(Packages.com.tivoli.am.fim.base64.BASE64Utility); let base64encodedString = java.util.Base64.getEncoder().encodeToString("examplestring"); That should give you a Base64 Encoded Java String. Regarding the atob() and btoa() ...
Posted By Dries Eestermans Wed October 21, 2020 10:28 AM
Found In Egroup: IBM Security Verify
Hi @André Leruitte, You would not necessarily use it as an "access token" but rather inject it as an "id_token" in the response (some PoC code I made back then, not sure if it still works): if (request_type == "access_token" && grant_type == "urn:ietf:params:oauth:grant-type:device_code") { ...
Posted By Dries Eestermans Tue October 20, 2020 02:45 AM
Found In Egroup: IBM Security Verify
Hi André, I opened such an RFE about 2 years ago, when the grant type was first introduced in ISAM: "OpenID Connect - onboard OAuth Device Flow as grant type - ID: 127040", maybe you can upvote it, I'm not sure? Either way, I think it's good that it is receiving some attention and may get noticed ...
Posted By Dries Eestermans Thu October 08, 2020 02:39 AM
Found In Egroup: IBM Security Verify
Hi Joao, I believe I've seen this behavior previously with Active Directory on Server 2016 (or higher). Indeed when testing via openssl s_client (or the interfaces ISAM provides for it), connection is successfully established. However when attempting to connect with the policy server or WebSEAL, ...
Posted By Dries Eestermans Fri August 14, 2020 02:39 AM
Found In Egroup: IBM Security Verify
Hi Mikael, The way I solved this was indeed in the Mapping Rule itself, I'll only go about the "extraction" phase where I retrieve the stored attribute and transform such that it is always an array: // Map for claim types const CUSTOM_ATTRIBUTES_TO_ACCESS_TOKEN = { "aud": { "claim_type": "array", ...
Posted By Dries Eestermans Fri April 24, 2020 02:18 AM
Found In Egroup: IBM Security Verify
Hi Piyush, This is intended behavior, see the OpenID Connect specification here: "When using the Implicit Flow, all response parameters are added to the fragment component of the Redirection URI, as specified in OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses], unless a different ...
Posted By Dries Eestermans Wed February 26, 2020 10:19 AM
Found In Egroup: IBM Security Verify
Hi Mohamed, If you want to see what's available to you in the PreToken Mapping Rule, you can see it using: IDMappingExtUtils.traceString("incoming stsuu = " + stsuu.toString()); If you then look into the trace.log file, you see the STSUU XML object, and this is what ISAM has tokenized for your ...
Posted By Dries Eestermans Thu February 13, 2020 02:10 AM
Found In Egroup: IBM Security Verify
Hi Troy, In case you're using the LocalSTSClient helper class, the return value from "doRequest()" is a "com.tivoli.am.fim.fedmgr2.trust.util.LocalSTSClient.LocalSTSClientResult". In this class, you can either call the property "errorMessage" which is a String, or "token" which is a "org.w3c.dom.Element". ...
Posted By Dries Eestermans Fri January 31, 2020 07:52 AM
Found In Egroup: IBM Security Verify
Hi Jürgen, The following snippet works for me: var json_obj = {"result":true, "count":42}; var extProp = JSON.stringify(json_obj); var redirUrls = java.lang.reflect.Array.newInstance(java.lang.String, 2); redirUrls[0] = "http://127.0.0.1"; redirUrls[1] = "https://127.0.0.1"; let created_client ...
Posted By Dries Eestermans Fri January 24, 2020 02:50 AM
Found In Egroup: IBM Security Verify
Hi Scott, Yes, that's exactly my use-case/request. I opened an RFE with ID: 139665. Regards, Dries ------------------------------ Dries Eestermans IS4U ------------------------------
Posted By Dries Eestermans Wed January 22, 2020 04:53 PM
Found In Egroup: IBM Security Verify
Scott, Let me use an example; I have an angular application (purely browser-based JS application), which performs the authorization code + PKCE. What it would do first, is probably detect whether it has a valid access token in cache, let's assume it doesn't and thus it redirects us to the authorization ...
Posted By Dries Eestermans Wed January 22, 2020 03:38 PM
Found In Egroup: IBM Security Verify
Hi Jack, Thanks for the link, I've found that transformation rule as well, but as you see in my new answer with origin whitelisting, a transformation rule might not be ideal, because you'd have to restart the reverse prox(ies) for each new origin, if you want to have origin whitelisting for a specific ...
Posted By Dries Eestermans Wed January 22, 2020 03:34 PM
Found In Egroup: IBM Security Verify
Hi Scott, The pre-flight requests having "Access-Control-Allow-Origin: *" is no problem (I think this is ideal actually), but when you perform the actual POST to the /token endpoint, the browser expects CORS headers as well; the point I'm getting at are for example public clients, where we can perform ...
Posted By Dries Eestermans Wed January 22, 2020 06:54 AM
Found In Egroup: IBM Security Verify
Hi Scott, Apologies for reviving this thread, but I have an additional request for this; wouldn't it be simpler if you allow us to modify the response object from InfoMap? That way we can manage it from JavaScript, giving us some more contextual information, e.g.: have a specific set of origins for ...
Posted By Dries Eestermans Mon October 14, 2019 05:07 AM
Found In Egroup: IBM Security Verify
Hi Thomas, In case you're not behind a load balancer which sets the header to begin with, you can extract it from the Request using HTTP Transformation Rules: VALUE if required. --> ​ The snippet above will ...
Posted By Dries Eestermans Fri September 27, 2019 01:46 AM
Found In Egroup: IBM Security Verify
Hi Jon, This is a reply with Firefox, maybe a plugin is causing issues? Regards, ------------------------------ Dries Eestermans IS4U ------------------------------
Posted By Dries Eestermans Thu August 08, 2019 02:18 AM
Found In Egroup: IBM Security Verify
Hi Francis, There is documentation available, refer to the Troubleshooting Guide (https://www-01.ibm.com/support/docview.wss?uid=ibm10742389&aid=4) and go to Chapter 9 "Message event logging", there's a section "Format of messages in logs", which are applicable to most of the log files. Hope this ...