WebSphere Application Server & Liberty

 View Only
  • 1.  SAML Without LDAP

    Posted Mon January 10, 2022 06:53 PM
    Hello, 

    I have receive a request that would implement a security config without LDAP ( or any user registry ... not even the "File "Registry"). I already have started to build something by implementing a java class that will intercept the SAML Token and configure the Subject ( some customization is needed ) ...  but what about the "Admin Console" or wsadmin ? How would I authenticate a wsadmin user ( and honestly also xmlaccess as we are still using the Portal ) without any LDAP ( or registry ) ?

    Any idea ?

    ------------------------------
    Daniel JANS
    CogitoSum
    Laval
    (514) 236-3699
    ------------------------------


  • 2.  RE: SAML Without LDAP

    IBM Champion
    Posted Tue January 11, 2022 05:32 AM
    Hello Daniel,
    have you considered to implement a custom user registry? You can then add this user registry as the only user registry in the WAS federated repository (VMM) configuration. This should allow you to cover Portal, wsadmin etc. as well and should afaik be transparent to Portal etc. This would also allow you to use the SAML TAI for SAML based authentication. Anything speaking against that from you requirements / research?

    Good luck and have a great day - Hermann

    ------------------------------
    Hermann Huebler
    2innovate IT Consulting GmbH
    Vienna
    Austria

    #IBMChampion
    ------------------------------



  • 3.  RE: SAML Without LDAP

    Posted Tue January 11, 2022 03:03 PM
    Hello Hermann,

    I have considered this solution but it has been refused. The company wants to make sure that all the credentials are store in the same place so that it can be managed centrally ( I am working for a financial institution ... Security .... ) In the past, it was LDAP/OPENSSO. We are still using LDAP but moving to AZURE SSO.

    The next step is to get rid of LDAP. The idea is to grab all the information from the SAML Token ( using a LoginModule that is already in place for some customization of the Subject ). No issue for the end user as they will be redirected and will get a SAML Token. The issue is for the admins ( not only the console but also the scripts : wsadmin and Xmlacess as we are using the portal ) who should authenticate the same way ( using a SAML Token ).

    How do I authenticate a script ( wsadmin ) with SAML ? That is my problem.

    ------------------------------
    Daniel JANS
    CogitoSum
    Laval
    (514) 236-3699
    ------------------------------



  • 4.  RE: SAML Without LDAP

    Posted Tue January 11, 2022 03:31 PM
    It should not be any different.  You pass the userid/pw to scripting and then the LoginModule can go and authenticate with the provider using the userid/pw supplied using a SAML request.  This would mean that you would have to interpret that the request is coming from scripting.  You may also want to look at Trust Interceptors (TAI).

    Brian

    ------------------------------
    Brian S Paskin
    Sr. Web Engineer
    IBM Tech Garage
    ------------------------------



  • 5.  RE: SAML Without LDAP

    Posted Tue January 11, 2022 04:05 PM

    Hello Brian,

    thanks for the reply. When you are too much into it, you ( me in this case)  forget to explain the whole context.

    We are already using TAI with a LoginModule ( for customization of the Subject ).

    If I understand well, I would have to customize a little further the LoginModule to

    1. detect that the request in coming from a script ( wsadmin or Admin Console )
    2. Then send a java SAML Request ( as wsadmin has no web interface ) and get the SAML Token from it 

      Right ?

    If so, any hint, documentation for the second point ?

    ------------------------------
    Daniel JANS
    CogitoSum
    Laval
    (514) 236-3699
    ------------------------------



  • 6.  RE: SAML Without LDAP

    Posted Thu January 13, 2022 10:48 AM
    Hi Daniel,

    What "it" would that be?  When you send the java SAML Request, would you be using the WSSTrustClient?  When you request a SAML token from an idP, you have to have identifying information for the user; that is usually the username and password. 

    You could let the SAML TAI+LM solution handle the admin console, then your remaining issue would be wsadmin. You could write a login module for your wsadmin requests that use the WSSTrustClient to request (or verify) SAML tokens.

    I've asked my colleague @Hiroko Takamiya to see if she has some guidance for where you would put such a thing.

    Just spitballing for the working of the login modules themselves, if you want the login module to be able to distinguish between interactive and wsadmin, this is a tactic that we make use of in WS-Security:

    Since JAAS configs are stacked, you can make the one that is used after the TAI, class A for example, then make the one for wsadmin B+A.  Perhaps Your class A can check for something that class B puts on the shared state; then it knows it came from wsadmin.  Otherwise, it came from interactive.


    ------------------------------
    Barbara Jensen
    ------------------------------



  • 7.  RE: SAML Without LDAP

    Posted Thu January 13, 2022 02:40 PM
    Hi, Barbara  and all 

    A while ago, I looked into a similar requirement from a customer for Spnego SSO.(The customer put the project on the back burner)  
    Following is what I remember.  This is the same direction that Daniel and Brian came up with already. 
     
    • Wsadmin does not send SSO token 
    • The requests from wsadmin are not intercepted by TAI
    • WAS would call System login module so a custom LoginModule can be plugged in  (Attached article is related to this topic)  

    Sorry I am not sure about the last question from Daniel = "How to interact with SAML Idp from loginModule...."
     
    I remember WAS SAML feature comes with TAI and SAML related application (.ear)  I wonder if Daniel could use similar mechanism that is driven not by TAI but by his custom loginModule to interact with SAML IdP... (Barbara is the expert in this area :-) back to you, Barb) 

    LoginModule article 
    https://www.ibm.com/docs/en/was-nd/8.5.5?topic=SSAW57_8.5.5/com.ibm.websphere.base.doc/ae/tsec_jaascustlogmod.html
    >  you can plug in custom login modules and where the ltpaLoginModule and the wsMapDefaultInboundLoginModule login modules are required.


    ------------------------------
    Hiroko Takamiya
    IBM
    ------------------------------



  • 8.  RE: SAML Without LDAP

    IBM Champion
    Posted Wed January 12, 2022 12:12 AM
    Edited by Hermann Huebler Wed January 12, 2022 03:57 AM
    Hello Daniel,
    yes, I understood that you must not have a local user registry storing any data. Therefore the suggestion to use a CUR which is just code where you can do whatever you want (access Azure user registry, process SAML token etc. etc.).
    Also as your customer is using portal keep in mind that portal admin calls VMM to query users, groups in the user registry etc. in the admin portlets (for example when setting up permissions). For that a LoginModule only might not be sufficient.

    Also note that Portal provides a transient user registry (https://help.hcltechsw.com/digital-experience/8.5/security/openid_trans_users.html) which is usually used for SAML authentication without a configured local user registry.
    ------------------------------
    Hermann Huebler
    2innovate IT Consulting GmbH
    Vienna
    Austria

    #IBMChampion
    ------------------------------



  • 9.  RE: SAML Without LDAP

    Posted Tue January 11, 2022 06:08 AM
    Hi, You need to use a LoginModule to intercept the Login and then do certain work.  I have an example of reading a DB to validate user and groups.

    Brian

    ------------------------------
    Brian S Paskin
    Sr. Web Engineer
    IBM Tech Garage
    ------------------------------



  • 10.  RE: SAML Without LDAP

    Posted Tue January 11, 2022 03:04 PM
    Hello Brian,

    Please, look at the reply that I sent to Hermann that goes in the details of the request. I have already a LoginModule in place.

    Thanks.

    ------------------------------
    Daniel JANS
    CogitoSum
    Laval
    (514) 236-3699
    ------------------------------