Hi Daniel,
What "it" would that be? When you send the java SAML Request, would you be using the WSSTrustClient? When you request a SAML token from an IdP, you have to have identifying information for the user; that is usually the username and password.
You could let the SAML TAI+LM solution handle the admin console, then your remaining issue would be wsadmin. You could write a login module for your wsadmin requests that uses the WSSTrustClient to request (or verify) SAML tokens.
I've asked my colleague @Hiroko Takamiya to see if she has some guidance for where you would put such a thing.
Just spitballing on the workings of the login modules themselves: if you want the login module to be able to distinguish between interactive and wsadmin, this is a tactic that we make use of in WS-Security:
Since JAAS configs are stacked, you can make the one that is used after the TAI class A, for example, then make the one for wsadmin B+A. Perhaps your class A can check for something that class B puts on the shared state; then it knows it came from wsadmin. Otherwise, it came from interactive.
------------------------------
Barbara Jensen
------------------------------
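Barbara's stacked-module tactic, written out as an added example (not code from this thread or from WebSphere; the class names and the shared-state key are assumptions, and the SAML token request itself is not shown): module B is listed only in the wsadmin JAAS stack and drops a marker into the shared state, and module A, present in both stacks, reads it.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;

/** Module B: listed only in the wsadmin JAAS stack, ahead of module A. */
public class WsadminMarkerLoginModule implements LoginModule {
    // Hypothetical shared-state key: an assumption, not a WebSphere constant.
    static final String ORIGIN_KEY = "com.example.login.origin";
    private Map<String, Object> shared;

    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        this.shared = (Map<String, Object>) shared; // one Map instance is shared by every module in the stack
    }

    // Authenticates nothing; it only records which stack this login is running in.
    @Override public boolean login()  { shared.put(ORIGIN_KEY, "wsadmin"); return true; }
    @Override public boolean commit() { return true; }
    @Override public boolean abort()  { shared.remove(ORIGIN_KEY); return true; }
    @Override public boolean logout() { return true; }
}

/** Module A: present in both stacks; the marker tells it whether the login came from wsadmin or the TAI. */
class OriginAwareSamlLoginModule implements LoginModule {
    private Subject subject;
    private Map<String, ?> shared;
    private String origin;

    @Override
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        this.subject = s;
        this.shared = shared;
    }

    @Override
    public boolean login() {
        // Marker present: the wsadmin stack ran module B first, so no browser redirect happened and the
        // module has to obtain or validate a SAML token itself (the WSSTrustClient call belongs here).
        // Marker absent: the SAML TAI already validated the token before this stack ran.
        origin = "wsadmin".equals(shared.get(WsadminMarkerLoginModule.ORIGIN_KEY)) ? "wsadmin" : "interactive";
        return true;
    }

    // Stamp the Subject so later code (and the logs) can see which path the login took.
    @Override public boolean commit() { subject.getPrincipals().add((Principal) () -> "origin:" + origin); return true; }
    @Override public boolean abort()  { origin = null; return true; }
    @Override public boolean logout() { return true; }
}
```

In JAAS every module's login() runs in stack order before any commit(), so module B's marker is already in the shared Map when module A's login() reads it.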
Original Message:
Sent: Tue January 11, 2022 04:04 PM
From: Daniel JANS
Subject: SAML Without LDAP
Hello Brian,
Thanks for the reply. When you are too much into it, you (me in this case) forget to explain the whole context.
We are already using TAI with a LoginModule (for customization of the Subject).
If I understand well, I would have to customize the LoginModule a little further to
- detect that the request is coming from a script (wsadmin or Admin Console)
- then send a java SAML Request (as wsadmin has no web interface) and get the SAML Token from it
Right?
If so, any hints or documentation for the second point?
------------------------------
Daniel JANS
CogitoSum
Laval
(514) 236-3699
Original Message:
Sent: Tue January 11, 2022 03:31 PM
From: Brian S Paskin
Subject: SAML Without LDAP
It should not be any different. You pass the userid/pw to scripting and then the LoginModule can go and authenticate with the provider using the userid/pw supplied using a SAML request. This would mean that you would have to interpret that the request is coming from scripting. You may also want to look at Trust Interceptors (TAI).
Brian
------------------------------
Brian S Paskin
Sr. Web Engineer
IBM Tech Garage
Original Message:
Sent: Tue January 11, 2022 03:02 PM
From: Daniel JANS
Subject: SAML Without LDAP
Hello Hermann,
I have considered this solution but it has been refused. The company wants to make sure that all the credentials are stored in the same place so that they can be managed centrally (I am working for a financial institution ... security ...). In the past, it was LDAP/OPENSSO. We are still using LDAP but moving to AZURE SSO.
The next step is to get rid of LDAP. The idea is to grab all the information from the SAML Token (using a LoginModule that is already in place for some customization of the Subject). No issue for the end users, as they will be redirected and will get a SAML Token. The issue is for the admins (not only the console but also the scripts: wsadmin and XMLAccess, as we are using the Portal), who should authenticate the same way (using a SAML Token).
How do I authenticate a script (wsadmin) with SAML? That is my problem.
------------------------------
Daniel JANS
CogitoSum
Laval
(514) 236-3699
Original Message:
Sent: Tue January 11, 2022 05:31 AM
From: Hermann Huebler
Subject: SAML Without LDAP
Hello Daniel,
Have you considered implementing a custom user registry? You can then add this user registry as the only user registry in the WAS federated repository (VMM) configuration. This should allow you to cover Portal, wsadmin etc. as well and should afaik be transparent to Portal etc. This would also allow you to use the SAML TAI for SAML based authentication. Anything speaking against that from your requirements / research?
Good luck and have a great day - Hermann
------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria
#IBMChampion
Original Message:
Sent: Mon January 10, 2022 06:52 PM
From: Daniel JANS
Subject: SAML Without LDAP
Hello,
I have received a request to implement a security config without LDAP (or any user registry ... not even the "File Registry"). I have already started to build something by implementing a java class that will intercept the SAML Token and configure the Subject (some customization is needed) ... but what about the "Admin Console" or wsadmin? How would I authenticate a wsadmin user (and honestly also xmlaccess, as we are still using the Portal) without any LDAP (or registry)?
Any idea?
------------------------------
Daniel JANS
CogitoSum
Laval
(514) 236-3699
------------------------------