List of Contributions

Michael Boey*****

My Content

1 to 20 of 24 total
Posted By Michael Boey***** Mon December 30, 2019 04:00 AM
Found In Egroup: IBM Security Verify
----edit---- It seems something changed in the connection between ISAM and AD since last week. A packet trace reveals that the tokenGroups are not being returned anymore. Therefore it is possible that 'binary-base64-attr' still is a solution. I hope to test it as soon as I get feedback from an AD expert. ...
Posted By Michael Boey***** Tue December 24, 2019 06:56 AM
Found In Egroup: IBM Security Verify
Hi, We have a requirement to get a list of all AD groups a user is member of, including transitive/nested group memberships. We would then like to filter these groups and put them in a token, or just make them available via the /userinfo endpoint. We have a setup where we work with basic users that ...
Posted By Michael Boey***** Thu December 19, 2019 11:25 AM
Found In Egroup: IBM Security Verify
Hi Peter, Leo, Thank you very much for the solution. The userinfo endpoint works now. Turned out to be easier than I thought :). Enjoy the holidays! ------------------------------ Michael ------------------------------
Posted By Michael Boey***** Mon December 02, 2019 09:11 AM
Found In Egroup: IBM Security Verify
Hi, In the OIDC spec, the following is said about what the userinfo request should look like: "The Client sends the UserInfo Request using either HTTP GET or HTTP POST. The Access Token obtained from an OpenID Connect Authentication Request MUST be sent as a Bearer Token." The OIDC spec says nothing ...
Posted By Michael Boey***** Fri June 28, 2019 12:57 AM
Found In Egroup: IBM Security Verify
Hi, I did not attend the master class and do not have access to the slides you mention, but I'd guess they align with the 'current best practices for browser based apps': https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps In that draft, it is explained that browser-based apps ...
Posted By Michael Boey***** Tue June 18, 2019 03:52 AM
Found In Egroup: IBM Security Verify
Thanks Philip and Shane. These answers give us the direction we need. ------------------------------ Michael ------------------------------
Posted By Michael Boey***** Sat June 15, 2019 07:00 AM
Found In Egroup: IBM Security Verify
Hi Community, Is anyone (extensively) using ISAM as a PDP for authorization, not just authentication? Since ISAM supports XACML, theoretically it seems that it could be used as such. We are looking into solutions which can aid in decoupling authorization from the business logic of an application. ...
Posted By Michael Boey***** Mon February 11, 2019 11:48 AM
Found In Egroup: IBM Security Verify
Hi community, Since we have decided to move forward with ISAM after the successful PoCs, we are currently working out the next steps. One of these steps includes the automation of ISAM tasks as much as possible (not to say: completely) right from the start. It seems that different resources exist ...
Posted By Michael Boey***** Mon January 21, 2019 04:05 AM
Found In Egroup: IBM Security Verify
Update: we got the core to work! I'm now able to access a page secured with NTLM (a 200 OK is returned with HTML and cookies). Todos: check the security impact of enabling persistent sessions; copy the back-end authentication cookie (sharepoint in our case) into the user's session ...
Posted By Michael Boey***** Wed January 16, 2019 11:56 AM
Found In Egroup: IBM Security Verify
I could get past the connection: close problem by using Webseal, as suggested by Peter. Also, I had to configure some other options: strip-www-authenticate-headers=no max-cached-persistent-connections= And then make sure the junction can be called by anyone (since it will be called ...
Posted By Michael Boey***** Mon January 14, 2019 10:23 AM
Found In Egroup: IBM Security Verify
Ok, I couldn't just leave it. I contacted someone via upwork.com and had the https://github.com/gautamsi/node-ntlm-client translated into plain JavaScript. In tests outside ISAM this works fine. It even runs in ISAM, but there is one very last error (at least, I hope it's the last one) that I'm ...
Posted By Michael Boey***** Fri January 11, 2019 10:48 AM
Found In Egroup: IBM Security Verify
I tried it using a patched version of the NTLM JS library: https://github.com/hdeshev/nativescript-ntlm-demo/blob/master/app/ntlm.js . Changes to get it running were minimal, but I did not succeed and my assumption is that it is because that library only seems to support NTLM 56 bit encryption, whereas ...
Posted By Michael Boey***** Tue January 08, 2019 11:13 AM
Found In Egroup: IBM Security Verify
Hi, Thanks for the answers. We wish to investigate the JS option a bit further, just to be sure: is any Javascript supported on ISAM or are there restrictions? Btw, the previous examples were nodejs modules, this one seems to be plain JS: https://github.com/erlandranvinge/ntlm.js/tree/master ...
Posted By Michael Boey***** Thu January 03, 2019 06:22 AM
Found In Egroup: IBM Security Verify
Hi, We are planning for a potential ISAM roll-out in a twin data center pattern, but during the design we came across some fundamental questions of which I'd like input on 2 of them: Active - active vs active - passive Port exhaustion 1. Active - active vs active - passive The performance ...
Posted By Michael Boey***** Thu December 20, 2018 03:38 AM
Found In Egroup: IBM Security Verify
Hi Peter, That might be a valid alternative indeed. The one downside is of course that we introduce a new component, which we'd have to set up HA and maintain. I'll investigate it a bit further internally. Perhaps another alternative is a mapping rule which speaks NTLM? I see some people tried ...
Posted By Michael Boey***** Thu December 20, 2018 03:27 AM
Found In Egroup: IBM Security Verify
Some details: Credits to Peter Volckaert and https://philipnye.com . Most of what I did was copy pasting things together. Disclaimer: This was done as part of a PoC and is not running in production. Several improvements might be possible, such as encryption of the password in idmappingextcache. Note ...
Posted By Michael Boey***** Wed December 19, 2018 11:42 AM
Found In Egroup: IBM Security Verify
Hi Jon, I'm certainly willing to share code snippets. I have them available but need to take some time to present them more nicely here. I should have some time by the latest next week. Please ping me in case I forgot! Kr, Michael ------------------------------ Michael ----------------- ...
Posted By Michael Boey***** Wed December 19, 2018 11:39 AM
Found In Egroup: IBM Security Verify
Hello, Following my (successfully solved) question about Forms-based SSO, we have another legacy technology which we are phasing out, but still exists. Again, I'm fully aware that it might be a better idea to move to other protocols, but it is a reality that some applications still speak NTLM. ...
Posted By Michael Boey***** Tue December 18, 2018 12:59 PM
Found In Egroup: IBM Security Verify
Update: I implemented the Store password in GSO at login time (v2) option. Since this was my first real encounter with ISAM it took me some time, but actually it is pretty easy (and I had some help of Peter). Basically the steps were the following: - Create a custom U/P mechanism-mapping where ...
Posted By Michael Boey***** Sat November 24, 2018 08:24 AM
Found In Egroup: IBM Security Verify
Hi Jon, Thank you very much for your efforts! I have to sync with another team for making changes to RDS, but given the limited impact I assume that will not be an issue. Concerning the move to Kerberos, that’s probably the better move to make. However I wanted to use RDS as a quick proof of concept ...