IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  Federated wrp in containers

    Posted Tue April 22, 2025 02:16 PM
    I have a full IVIA v11 installation running on OpenShift, including two RPs, each with one container per pod.
     
    I have also configured a simple federation between these two RPs using the OIDC implicit flow. These steps are well documented in cookbooks such as Configuring OIDC Federation and FederationCookbook. I have used this configuration in the Virtual Appliance, including IVIA v11, for many purposes and it has always worked fine.
     
    When the user clicks on the federation link on the login page of the first RP, the browser should be redirected to the second RP, and the authorization request (https://<RP2>/mga/sps/oauth/oauth20/authorize?...) should be sent to RP2 as expected.
     
    Despite the browser initiating a request to RP2 (confirmed by inspecting network traffic using developer tools), the request ends up going to RP1 instead.
     
    Both RPs are exposed via routes, and they are connected to their respective services, which in turn connect to their respective pods.
     
    Any ideas on how to resolve this issue?
    tks


    ------------------------------
    Rudy Santos
    ------------------------------


  • 2.  RE: Federated wrp in containers

    Posted Wed April 23, 2025 04:31 AM

    My findings so far:

    1) Using curl from my workstation and from the OpenShift CLI, the HTTP 302 redirect is made and the login page from RP2 is presented. The HTTP request to the "auth" endpoint is logged in RP2.
    curl -v -k -L https://RP1.k8s.CUSTOMER.LAN/oidc/sps/oidc/rp/oidc/kickoff/rp-cer?Target=https://RP1.k8s.CUSTOMER.LAN/creds

    2) Using a browser (Chrome, Firefox, and Edge), the HTTP 302 redirect responses that build the login page come from RP1 and the browser is not redirected to RP2. The HTTP requests for GIFs and JS are logged in RP1 and nothing is logged in RP2.

    Same responses using another workstation.



    ------------------------------
    Rudy Santos
    ------------------------------
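A hop-by-hop variant of the curl test in the second post, added here as example code (it is not from the thread or from the IVIA product): instead of `curl -L`, each redirect is fetched separately so the requested host and the peer IP that answered every hop are visible, and the chain is then checked for whether the authorization request (the `/mga/sps/oauth/oauth20/authorize` path from the first post) was sent to RP2 at all. The hostnames follow the thread; the function names and the `CURL_OPTS` variable are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic (not from the original post or the IVIA product): walk the
# federation kickoff redirect chain one hop at a time, recording which host and
# peer IP answered each hop, then check that the OIDC authorization request was
# sent to the second RP. Hostnames follow the thread; the authorize path is the
# one quoted in the first post. curl -L would hide which hop went where.

AUTHZ_PATH=/mga/sps/oauth/oauth20/authorize

# trace_chain URL [MAXHOPS]: one curl call per hop, no cookie jar, so every hop
# is an independent request as the route/service layer sees it. Extra curl
# options (e.g. a browser User-Agent or a copied Cookie header, to get closer
# to the browser's conditions) can be passed in $CURL_OPTS (assumed variable).
# Prints one line per hop: "<http_code> <remote_ip> <url_effective> <redirect_url>"
trace_chain() {
  url=$1; max=${2:-10}; n=0
  while [ -n "$url" ] && [ "$n" -lt "$max" ]; do
    # shellcheck disable=SC2086  # $CURL_OPTS is meant to word-split
    line=$(curl -sk $CURL_OPTS -o /dev/null \
      -w '%{http_code} %{remote_ip} %{url_effective} %{redirect_url}' "$url")
    printf '%s\n' "$line"
    url=${line##* }   # redirect_url; empty once a hop is not a 3xx
    n=$((n + 1))
  done
}

# check_chain EXPECTED_HOST: read hop lines (trace_chain output) from stdin and
# report which host the authorize request was sent to.
# Exit status: 0 = sent to EXPECTED_HOST, 1 = sent to another host (the
# symptom in the thread: the chain stays on RP1), 2 = no authorize request seen.
check_chain() {
  expected=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); rc=2
  while read -r code ip url next; do
    printf 'hop: http %s from %s for %s\n' "$code" "$ip" "$url"
    case $url in
      *"$AUTHZ_PATH"*)
        host=${url#*://}; host=${host%%/*}; host=${host%%:*}
        host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
        if [ "$host" = "$expected" ]; then rc=0; else rc=1; fi
        printf 'authorize request sent to %s (peer %s), expected %s\n' "$host" "$ip" "$expected"
        ;;
    esac
  done
  return "$rc"
}

# Usage (needs network access to the RPs):
#   trace_chain 'https://RP1.k8s.CUSTOMER.LAN/oidc/sps/oidc/rp/oidc/kickoff/rp-cer?Target=https://RP1.k8s.CUSTOMER.LAN/creds' \
#     | check_chain RP2.k8s.CUSTOMER.LAN
```

The server-side confirmation is still the RP request logs, as in the second post; this only shows, per hop, where the client was sent and which peer answered.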