List of Contributions

Angela Klein

Posted By Angela Klein Wed February 26, 2020 09:53 AM
Found In Egroup: IBM Security Verify
We are using the email address to log into our website. Currently, the email is being put in the uid and mail attributes in ISAM. We have a use case where we want to allow a user to change their email address. Is there a way to change the attribute that is used to log into the reverse proxy? We use ISIM ...
Posted By Angela Klein Mon February 24, 2020 12:52 PM
Found In Egroup: IBM Security Verify
I will preface this by saying we have this working in an environment where there is 1 reverse proxy instance (DSC enabled) and 1 AAC instance. We are on ISAM 9.0.7 Interim fp1. In the environment we are working on now, we have 2 load balanced reverse proxies (with DSC enabled) and 2 AAC appliances (DSC ...
Posted By Angela Klein Thu February 13, 2020 09:12 AM
Found In Egroup: IBM Security Verify
Jon, Thank you! That was it! Now onto the next challenge of always returning that and not automatically sending the MFA OTP if there is only 1 option registered. ------------------------------ Angela Klein ------------------------------
Posted By Angela Klein Wed February 12, 2020 09:55 PM
Found In Egroup: IBM Security Verify
The domain is a virtual host junction and the /static/mfa.json is on that backend server. We have the access policy attached to the VHJ/static/mfa.json. It is returning the HTML of the MFA selection page, so the access policy is triggering as expected. Based on the link I had posted above, it appears ...
Posted By Angela Klein Wed February 12, 2020 05:11 PM
Found In Egroup: IBM Security Verify
We are attempting to trigger an access policy and get a JSON return as is documented here: https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/develop/concept/con_use_curl_access_token.html When we trigger the access policy in Postman, it returns the HTML page rather than the ...
Posted By Angela Klein Wed February 12, 2020 05:08 PM
Found In Egroup: IBM Security Verify
We are on ISAM 9.0.7.1 with an access policy configured. We are only allowing email and sms tokens for MFA. What we are finding is that for those who only have 1 form registered, the delivery selection screen is not displaying, it just sends the email automatically and goes to the verification screen. ...
Posted By Angela Klein Wed February 12, 2020 12:24 PM
Found In Egroup: IBM Security Verify
Thank you for the quick response. ------------------------------ Angela Klein ------------------------------
Posted By Angela Klein Wed February 12, 2020 11:09 AM
Found In Egroup: IBM Security Verify
Since none of those settings appeared to work, we turned to an HTTP Transformation. We updated ISAM to 9.0.7.1 this morning and modeled the transform after this: https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.0/com.ibm.isam.doc/wrp_config/concept/con_http_trans_scenario4.html We are attempting ...
Posted By Angela Klein Tue February 11, 2020 09:08 PM
Found In Egroup: IBM Security Verify
Jack, Thank you for your response. We did find those and have them set as you recommended. We do have an HTTP Transformation for CORS setting the Access-Control-Allow-Origin header where we tried changing what we were setting it to and it seemed to help a little bit. Would that make a difference? -- ...
Posted By Angela Klein Tue February 11, 2020 05:17 PM
Found In Egroup: IBM Security Verify
We are on ISAM 9.0.6 and finding that the PD Session cookie doesn't include the domain so it's not being passed in subsequent calls. Here is the flow we are going through: 1. Call /apiauthsvc with the password PolicyID & get a state 2. Call the /apiauthsvc to verify the password with the state id ...
Posted By Angela Klein Mon February 10, 2020 04:51 PM
Found In Egroup: IBM Security Verify
Is there a way in ISAM 9.0.6 or 9.0.7 to use REST APIs to store the device fingerprint that would be generated via the AAC info.js? The device fingerprint is an integral part of our access policy to determine if we need to prompt for MFA. Let me know if you need any further info. ------------- ...
Posted By Angela Klein Sat February 08, 2020 03:08 PM
Found In Egroup: IBM Security Verify
We had MFA working with MAC OTP and device registration, however recently something happened and the browser fingerprint is being created but not stored for most users, so every authentication requires MFA, which it shouldn't. Does anyone have any suggestions where we could look for errors and what errors ...
Posted By Angela Klein Sat February 08, 2020 03:06 PM
Found In Egroup: IBM Security Verify
We are starting to look at using the Authentication Service Framework for a mobile application. I am working on setting up a new reverse proxy instance to trial this out. Does anyone have any gotchas or advice in getting this set up? We are using JWT to authenticate to backend APIs and MAC OTP for ...
Posted By Angela Klein Sat February 08, 2020 02:58 PM
Found In Egroup: IBM Security Verify
We are using an external database to store the OIDC tokens and calling back into the /userinfo endpoint as part of the API calls. They are looking for ways to improve performance of the API and noticed that the call to the /userinfo endpoint is fairly slow. We have tried to go directly at the AAC IP ...
Posted By Angela Klein Mon January 20, 2020 12:11 PM
Found In Egroup: IBM Security Verify
Yes I have. That is what I have it set to. ------------------------------ Angela Klein ------------------------------
Posted By Angela Klein Thu January 16, 2020 04:34 PM
Found In Egroup: IBM Security Verify
The philipnye article is the one that I followed to initially attempt to set this up. When we call the /revoke endpoint passing in the client id, client secret, and token, it gives us a 200 response code, but then I can still call an API with the token and get information back, so it believes the ...
Posted By Angela Klein Tue January 14, 2020 01:18 PM
Found In Egroup: IBM Security Verify
Would you clarify what you mean? We are using OIDC and requesting a token during the login process through the AAC module. If this way won't work for the logout and invalidating the token, is there another endpoint we should be calling on logout to revoke the token? ------------------------------ ...
Posted By Angela Klein Thu January 02, 2020 04:04 PM
Found In Egroup: IBM Security Verify
We are attempting to revoke the OAuth token that is generated when logging into the website when a user logs out. Using this blog (https://www.ibm.com/support/pages/changes-default-webseal-configuration-oauth-authentication) we set the single-signout-uri in the reverse proxy configuration. However, I ...