IBM Verify

  • 1.  Authenticating User with 2-part key

    Posted Fri September 25, 2020 05:46 PM
    There is an application that needs ISAM to authenticate a user. ISAM is supposed to generate a SAML assertion.

    This application requires a Business ID and User ID to identify the user.
    The user then must provide a password.

    It will be easy to create an interface in ISAM that prompts the user to authenticate himself.
    The question is how does ISAM connect to Active Directory Federated Services, pass the 3 elements (BusinessID, UserID and Password) for the user to be authenticated, and get its answer?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------


  • 2.  RE: Authenticating User with 2-part key

    Posted Fri September 25, 2020 06:07 PM

    Hi Joao,

    I'm struggling to understand the flow here. You've mentioned an application that requires 2 IDs and a password but you've also mentioned SAML and ADFS.

    I don't know ADFS that well but I thought it was for generation/validation of SAML tokens so I don't understand where the 2 IDs and the password come into the picture.

    ISAM can be connected to Active Directory - and other supported LDAP servers - but authentication is via username and password (standard LDAP stuff) - not aware of any ability to pass in multiple usernames?

    How do other applications authenticate to this system? Perhaps it's a two phase process where first there is an LDAP search with the 2 IDs (to lookup user DN) and then a standard password check with DN and password? I'm just guessing really - need more information. I think that would be possible in a custom InfoMap using the user lookup helper.

    Jon. 



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Authenticating User with 2-part key

    Posted Fri September 25, 2020 06:48 PM
    Edited by Joao Goncalves Fri September 25, 2020 06:55 PM
    Thanks for your reply. I don't know AD either. But this customer has a Banking application that validates a user against AD using <BusinessID> and <UserID>.
    And he wants ISAM to authenticate the user, and send a SAML assertion to the Banking application.
    The only piece of the implementation I am missing is how I can use the authentication service in ISAM to pass 2 IDs + password to AD so it can validate the user.

    I would suppose that when we pass a User ID, ISAM composes the user with the SUFFIX defined in the AD registry, like cn=<userID>,<SUFFIX>. It is possible that I will need to pass something like cn=<userID>,ou=<businessID>,<SUFFIX> instead.
    But I'm not sure.

    Either way, if my assessment is correct, how do I change the DN of the user, before I send it to AD, so it can be validated?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 4.  RE: Authenticating User with 2-part key

    Posted Sat September 26, 2020 03:15 AM

    Hi Joao,

    You won't be able to support this use case with the built-in password authentication mechanisms in the Reverse Proxy or AAC. They both work with only a username and password and expect to be authenticating a standard Verify Access user.

    You will need to do custom coding to get this set up.


    If you are using Verify Access v10, you may be able to use a custom JavaScript AAC authentication mechanism (with LDAP helper) to simply perform a lookup of the userPrincipalName from the user and business attributes from the user. You could then chain this into the built-in password mechanism. This is done by setting the operation parameter in the Request context to "verify" before calling it. 

    If this isn't possible, you could write an authentication mechanism that uses the user lookup helper to perform the lookup and authentication.

    Both above cases assume AD is configured in Verify Access as a "federated directory". 


    If the above can't work, or you prefer to code with a different language/platform, then you can create a custom login application external to Verify Access and integrate using External Authentication Interface (EAI). This is more work but you have complete control.

    I hope this helps explain the options.

    Jon. 



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
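The two-phase flow Jon describes (search with both IDs to find the DN, then verify the password against that DN), together with the cn=<userID>,ou=<businessID>,<SUFFIX> DN shape Joao proposed, as an added example that is not from this thread, from IBM or from the ISAM product. It assumes the business ID is held in `ou` and the user ID in `cn`, and stands in for AD with a constructed in-memory directory; the `search`/`bind` callables are where the real LDAP calls (user lookup helper, EAI application) would go. The point a custom mechanism must not skip: both identifiers come from the login form, so they are escaped per RFC 4515 before going into a filter and per RFC 4514 before going into a DN.

```python
import re
from typing import Callable, List, Optional
# RFC 4515 hex escapes for values inside a search filter; RFC 4514 specials for DN values.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_DN_SPECIALS = set(',+"\\<>;=')

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def escape_dn_value(value: str) -> str:
    last = len(value) - 1
    return "".join(
        r"\00" if ch == "\0" else
        "\\" + ch if ch in _DN_SPECIALS or (i == 0 and ch in "# ") or (i == last and ch == " ")
        else ch for i, ch in enumerate(value))

def build_lookup_filter(business_id: str, user_id: str) -> str:
    # Attribute names (ou = business, cn = user) are an assumption about the customer's AD.
    return "(&(objectClass=user)(ou=%s)(cn=%s))" % (
        escape_filter_value(business_id), escape_filter_value(user_id))

def build_user_dn(business_id: str, user_id: str, suffix: str) -> str:
    # The cn=<userID>,ou=<businessID>,<SUFFIX> shape proposed in the thread, safely escaped.
    return "cn=%s,ou=%s,%s" % (escape_dn_value(user_id), escape_dn_value(business_id), suffix)

def authenticate(business_id: str, user_id: str, password: str,
                 search: Callable[[str], List[str]], bind: Callable[[str, str], bool]) -> Optional[str]:
    """Phase 1: search with both IDs for the DN; phase 2: bind as that DN. Returns DN or None."""
    if not (business_id and user_id and password):
        return None
    hits = search(build_lookup_filter(business_id, user_id))
    if len(hits) != 1:  # no match or an ambiguous match: refuse rather than guess
        return None
    return hits[0] if bind(hits[0], password) else None

# Constructed in-memory directory standing in for AD: DN -> (businessID, userID, password).
DIRECTORY = {
    "cn=jdoe,ou=acme,dc=example,dc=com": ("acme", "jdoe", "s3cret"),
    "cn=jdoe,ou=globex,dc=example,dc=com": ("globex", "jdoe", "other"),
}
_UNHEX = re.compile(r"\\([0-9a-fA-F]{2})")

def mock_search(ldap_filter: str) -> List[str]:
    m = re.fullmatch(r"\(&\(objectClass=user\)\(ou=(.*?)\)\(cn=(.*?)\)\)", ldap_filter)
    if not m:
        return []
    ou, cn = (_UNHEX.sub(lambda h: chr(int(h.group(1), 16)), g) for g in m.groups())
    return [dn for dn, (b, u, _) in DIRECTORY.items() if (b, u) == (ou, cn)]

def mock_bind(dn: str, password: str) -> bool:
    return dn in DIRECTORY and DIRECTORY[dn][2] == password
```

Because the same user ID exists under two businesses, the search must include both identifiers; the bind is only attempted when exactly one entry matches.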