IBM Verify

  • 1.  Adding groups to credential in SAML flow

    Posted Wed September 13, 2023 10:22 AM

    Hi,

    I have configured an STS-chain that I'm calling from the SP side towards the end of the SAML federation.

    I only want the IDP to provide me with the username, I as an SP will look into my own LDAP and fetch group membership from my STS-chain.

    I used the IBM Security Access Manager Federation Cookbook as a guide for this.

    And I have made it work.

     

    After SAML login, I can see that my groups are added to the credential, but they are added like this:

    AZN_CUSTOM_ATTRIBUTES ibm-allgroups

    ibm-allgroups : = cn=group1,o=blalbla,c=bla, cn=group2,o=blabla,c=bla, cn=group3,o=blabla,c=bla

    This kind of formatting is not recognized in ISVA as group membership. For example, ISVA doesn't naturally include those groups inside the iv-creds.

    Any tips on how I can add those groups in a more "natural" way so as they are included in the iv-creds?

    My mapping rules are looking like this at the moment:

    ip_pre_ldap

    importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);
    //
    // we can inspect the stsuu and make any decisions we want here before populating STSUU
    // that will be used as input to the LDAP Attribute mapping rule.
    //
    // for this demo, just set the BASE_DN to the DN we want to search for - if one isn't already set
    var existingbaseDN = stsuu.getAttributeValueByName("BASE_DN");
    if (existingbaseDN != null && existingbaseDN.length() > 0) {
        IDMappingExtUtils.traceString("The ip_pre_ldap.js found an existing BASE_DN: " + existingbaseDN);
    } else {
        IDMappingExtUtils.traceString("The ip_pre_ldap.js mapping rule is setting the BASE_DN");
        var baseDNAttr = new Attribute("BASE_DN", null, "uid=dummyHardwired,o=blabla,c=bla");
        stsuu.addAttribute(baseDNAttr);
    }

    ip_post_ldap

    importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);
    // re-write Principal name with type as email nameid format
    var principalName = stsuu.getPrincipalName();
    stsuu.getPrincipalAttributeContainer().clear();
    stsuu.addPrincipalAttribute(new Attribute("name", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", principalName));
    //
    // filter out STSUU attributes that we don't want in the SAML assertion after the LDAP
    // search has run. A good example of this is the BASE_DN attribute, plus other attributes
    // that were in the ISAM Credential at the SAML IDP.
    //
    // The simplest way to do this is to decide which attributes we want to keep, and discard the rest.
    //
    var keepAttrs = [ "ibm-allgroups", "groups" ];
    var foundAttrs = [];
    for (var i = 0; i < keepAttrs.length; i++) {
        var attr = stsuu.getAttributeContainer().getAttributeByName(keepAttrs[i]);
        if (attr != null) {
            foundAttrs.push(attr);
        }
    }
    // empty attrs, then add back what we want
    stsuu.clearAttributeList();
    for (var i = 0; i < foundAttrs.length; i++) {
        stsuu.addAttribute(foundAttrs[i]);
    }

    And the attribute source I have created under Federation > Attribute source:

    Attribute name: Groups
    Value: ibm-allgroups
    Type: LDAP

    And the attribute mapping I'm doing inside the STS-chain:

    Attribute Name: ibm-allgroups
    Attribute Source: Groups



    ------------------------------
    Jonatan Wålegård
    ------------------------------


  • 2.  RE: Adding groups to credential in SAML flow

    Posted Wed September 13, 2023 05:18 PM

    Jonatan,

     

    What are you trying to achieve?  Do you want the groups added to the credential as a multi-valued attribute, or are you wanting to populate the group field of the credential so that it can be used in ACLs and authorization decisions?

     

    If you are after the former I would take a quick look at the following WebSEAL configuration entry: https://www.ibm.com/docs/en/sva/10.0.6?topic=stanza-eai-create-multi-valued-attributes.  This will, however, only work if the attributes are being sent back by AAC in different headers of the same name.

     

    If you are after the latter you would need to change your AAC configuration so that it returns a PAC (which is a complete credential) rather than individual headers.  The difference between the two options is that when a PAC is returned the credential is fully constructed and streamed back to WebSEAL by AAC.  When individual headers are returned WebSEAL constructs the credential from these headers.

     

    I hope that this helps.

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 3.  RE: Adding groups to credential in SAML flow

    Posted Thu September 14, 2023 02:56 AM

    @Scott Exton

    Yes, I want the groups to be added to the credential in a way that ISVA will send them to the backends inside iv-creds, and that we can also use in ACLs.

    Whenever I am looking into a credential in a working scenario, it looks like this:

    AZN_CRED_GROUPS              [0] group1
                                 [1] group2
                                 [2] group3
    AZN_CRED_GROUP_REGISTRY_IDS  [0] cn=group1,o=blabla,c=bla
                                 [1] cn=group2,o=blabla,c=bla
                                 [2] cn=group3,o=blabla,c=bla
    AZN_CRED_GROUP_UUIDS         [0] xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
                                 [1] xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
                                 [2] xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

    I'm not sure I understand the PAC-approach. I just want to add some groups to the credential inside a SAML mapping rule (the correct way).



    ------------------------------
    Jonatan Wålegård
    ------------------------------



  • 4.  RE: Adding groups to credential in SAML flow

    Posted Thu September 14, 2023 03:01 AM

    Jonatan,

     

    Unfortunately I am not an expert when it comes to SAML mapping rules – however, I am sure that there are others in this forum who will be able to explain how to accomplish what you are trying to achieve.

     

    Thanks.

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 5.  RE: Adding groups to credential in SAML flow

    Posted Thu September 14, 2023 03:35 AM

    Hi Jonatan,

    In your ip_post_ldap mapping rule (when the ibm-allGroups is fetched by the Attribute Source), can you loop over the group DNs, and perform the equivalent of this:

    group = new Group("testgroup2", "urn:ibm:names:ITFIM:5.1:accessmanager", null);
    // TODO - revisit whether g1,g2 are needed pending defect 66726
    g1 = new Attribute("registryid", "urn:ibm:names:ITFIM:5.1:accessmanager", "cn=testgroup2,dc=iswga");
    g2 = new Attribute("uuid", "urn:ibm:names:ITFIM:5.1:accessmanager", "00000000-0000-0000-0000-000000000000");
    group.setAttribute(g1);
    group.setAttribute(g2);
    stsuu.addGroup(group);



    ------------------------------
    HANS VANDEWEGHE
    ------------------------------



  • 6.  RE: Adding groups to credential in SAML flow

    Posted Wed September 20, 2023 04:40 AM

    I got some help from your colleague.

    Sharing final solution:

    // "ibm-allgroups" is not a legal JavaScript identifier (the hyphen is parsed as a minus),
    // so the attribute is held in a plain variable name instead
    var ibmAllGroups = stsuu.getAttributeContainer().getAttributeByName("ibm-allgroups");

    if (ibmAllGroups != null) {
        var group_list = ibmAllGroups.getValues();
        for (var i = 0; i < group_list.length; i++) {
            // take the CN value from a DN of the form cn=<name>,o=...,c=... (assumes a "cn=" prefix)
            var group_cn = group_list[i].substring(3, group_list[i].indexOf(","));
            var group = new Group(group_cn, "urn:ibm:names:ITFIM:5.1:accessmanager", null);
            // keep the full DN as the registry id so it lands in AZN_CRED_GROUP_REGISTRY_IDS
            var g = new Attribute("registryid", "urn:ibm:names:ITFIM:5.1:accessmanager", group_list[i]);
            group.setAttribute(g);
            stsuu.addGroup(group);
        }
    }


    ------------------------------
    Jonatan Wålegård
    ------------------------------
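As an added example, not code from the thread, here is a stricter version of the CN extraction used in the final rule above, written as plain JavaScript (runnable in Node, outside ISVA). The functions `splitDn`, `groupCnFromDn` and `buildGroupEntries` and the sample ibm-allgroups values are constructed for this example; inside a mapping rule each returned entry would feed `new Group(name, ns, null)` plus a `registryid` Attribute exactly as in post 6, while values that do not start with a cn= RDN are skipped rather than turned into a misnamed group.

```javascript
// Namespace used by the thread's mapping rules for access manager groups.
const ACCESSMANAGER_NS = "urn:ibm:names:ITFIM:5.1:accessmanager";

// Split an LDAP DN into its RDN strings, honouring backslash escapes (RFC 4514)
// so a CN such as "Ops\, Team" is not cut at the escaped comma.
function splitDn(dn) {
  const rdns = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === "\\" && i + 1 < dn.length) {
      cur += ch + dn[++i]; // keep the escape pair together
    } else if (ch === ",") {
      rdns.push(cur.trim());
      cur = "";
    } else {
      cur += ch;
    }
  }
  rdns.push(cur.trim());
  return rdns;
}

// Return the CN of the first RDN, or null when the DN does not start with a
// cn= RDN (case-insensitive). substring(3, indexOf(",")) would return garbage here.
function groupCnFromDn(dn) {
  const first = splitDn(dn)[0] || "";
  const eq = first.indexOf("=");
  if (eq < 0 || first.slice(0, eq).trim().toLowerCase() !== "cn") {
    return null;
  }
  return first.slice(eq + 1).trim().replace(/\\(.)/g, "$1"); // unescape \, \\ etc.
}

// Map ibm-allgroups values to the (name, registryid) pairs a mapping rule would
// hand to Group/Attribute; malformed entries are collected instead of added.
function buildGroupEntries(groupDns) {
  const groups = [];
  const skipped = [];
  for (const dn of groupDns) {
    const cn = groupCnFromDn(dn);
    if (cn === null || cn === "") {
      skipped.push(dn);
      continue;
    }
    groups.push({ name: cn, namespace: ACCESSMANAGER_NS, registryid: dn });
  }
  return { groups, skipped };
}

// Constructed sample input, modelled on the ibm-allgroups value quoted in post 1.
const SAMPLE_ALLGROUPS = [
  "cn=group1,o=blabla,c=bla",
  "CN=Ops\\, Team,o=blabla,c=bla", // escaped comma inside the CN
  "uid=notagroup,o=blabla,c=bla",  // not a cn= RDN: skipped
  "",                              // empty value: skipped
];
```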