IBM Verify

  • 1.  Requirements for SCIM

    Posted Tue April 13, 2021 04:23 PM
    According to the MMFA cookbook, there is a step "Configuration and policy for Reverse proxy instances" where we are supposed to execute the MMFA configuration.

    After executing this wizard, it will create a /mga junction. From what I understand this junction supports multiple functions, and checks the identity through the HTTP Header Identity Information, specifically IV-USER, IV-GROUPS and IV-CREDS.
    It will also create ACLs and more to protect /mga resources, which are provided by the localhost ("The AAC Runtime").

    When configuring SCIM, we are supposed to create a transparent standard junction, where we have localhost as the backend server, the same as /mga.

    Why do we need to run the MMFA wizard on the reverse proxy? Isn't just enough to create the /scim junction?

    In step 5.2.2 "Modify Reverse Proxy Instance Configuration File" of the MMFA cookbook, we should change the attribute "force-tag-value-prefix" to no.
    What is the need for this? I really don't understand what this attribute does?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------


  • 2.  RE: Requirements for SCIM

    Posted Wed April 14, 2021 02:35 AM
    Hi,

    - The MMFA wizard is performing the following tasks depending on the channel. See the list below (depending on the channel).
    - The force-tag-value-prefix: determines how attributes are stored in the credential. The runtime is expecting e.g. AUTHENTICATION_LEVEL instead of tagvalue_AUTHENTICATION_LEVEL.

    Determines whether each attribute name set in a junction object's HTTP-Tag-Value is automatically prefixed with "tagvalue_" before it is placed in the credential. This prohibits access to credential attributes that do not have names beginning with "tagvalue_", such as AUTHENTICATION_LEVEL. When this option is set to no, the automatic prefixing of "tagvalue_" will not occur, so that all credential attributes can be specified in HTTP-Tag-Value.

    Reverse proxy changes when executing the MMFA wizard

    Browser channel changes
    Reverse proxy configuration file stanzas and entries:

    [server]:
    http-method-disabled-remote = TRACE,CONNECT
    [eai]:
    eai-auth = https
    retain-eai-session = yes
    eai-redir-url-priority = yes
    [eai-trigger-urls]:
    trigger = /{junction}/sps/oauth/oauth20/session*
    trigger = /{junction}/sps/auth*
    trigger = /{junction}/sps/authservice/authentication*
    trigger = /{junction}/sps/authsvc*
    trigger = /{junction}/sps/apiauthsvc*
    [session]:
    user-session-ids = yes
    [azn-decision-info]:
    Accept = header:Accept
    Accept-Charset = header:Accept-Charset
    Accept-Encoding = header:Accept-Encoding
    Accept-Language = header:Accept-Language
    Authorization = header:Authorization
    Cache-Control = header:Cache-Control
    Connection = header:Connection
    Content-Type = header:Content-Type
    Host = header:Host
    HTTP_HOST_HDR = header:host
    HTTP_REQUEST_SCHEME = scheme
    HTTP_REQUEST_METHOD = method
    HTTP_REQUEST_URI = uri
    HTTP_AZN_HDR = header:authorization
    HTTP_CONTENT_TYPE_HDR = header:content-type
    HTTP_TRANSFER_ENCODING_HDR = header:transfer-encoding
    Missing = header:Missing
    Pragma = header:Pragma
    Transfer-Encoding = header:Transfer-Encoding
    User-Agent = header:User-Agent
    X-Requested-With = header:X-Requested-With
    method = method
    rspcode = header:rspcode
    scheme = scheme
    uri = uri
    [obligations-urls-mapping]:
    urn:ibm:security:authentication:asf:* = /{junction}/sps/authsvc
    [websocket]:
    max-worker-threads = 20
    idle-worker-threads = 0
    jct-read-inactive-timeout = 300
    clt-read-inactive-timeout = 300
    jct-write-blocked-timeout = 300
    clt-write-blocked-timeout = 300
    [mmfa-config-info]:
    autoconfig = mmfa
    [mmfa-config-info:mmfa]:
    channel = browser
    junction = /{junction}
    [junction:/{junction}]:
    reset-cookies-list = *{cookie},*JSESSIONID*
    managed-cookies-list = *{cookie},*JSESSIONID*
    ACLs
    isam_mobile_anyauth:
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/auth
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/xauth
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/oauth/oauth20/clients
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/common/qr
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mga/user/mgmt/html
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mmfa/user/mgmt/html
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/ac
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/wssoi
    isam_mobile_nobody:
    /WebSEAL/{hostname}-{webseal}/{junction}
    isam_mobile_rest:
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mga/user/mgmt/otp
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mga/user/mgmt/device
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mga/user/mgmt/questions
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mga/user/mgmt/grant
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mmfa/user/mgmt/authenticators
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mmfa/user/mgmt/auth_methods
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mmfa/user/mgmt/qr_code
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mmfa/user/mgmt/transactions
    /WebSEAL/{hostname}-{webseal}/{junction}/websock/mmfa-wss
    isam_mobile_rest_unauth:
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/apiauthsvc
    isam_mobile_unauth:
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/authsvc
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/authservice/authentication
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/oauth/oauth20/authorize
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/oauth/oauth20/session
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/oauth/oauth20/token
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/static

    Mobile channel changes
    Reverse proxy configuration file stanzas and entries:

    [server]:
    http-method-disabled-remote = TRACE,CONNECT
    maximum-followed-redirects = 4
    follow-redirects-for = GET /{junction}/sps/apiauthsvc*
    follow-redirects-for = PUT /{junction}/sps/apiauthsvc*
    [forms]:
    forms-auth = none
    [oauth]:
    oauth-auth = https
    default-fed-id = https://localhost/sps/oauth/oauth20
    fed-id-param = FederationId
    cluster-name = oauth-cluster
    user-identity-attribute = username
    [tfim-cluster:oauth-cluster]:
    handle-pool-size = 10
    handle-idle-timeout = 240
    timeout = 240
    server = 9,https://{runtime.hostname}:{runtime.port}/TrustServerWS/SecurityTokenServiceWST13
    basic-auth-user = {runtime.username}
    basic-auth-passwd = {runtime.password}
    ssl-keyfile = pdsrv.kdb
    ssl-keyfile-stash = pdsrv.sth
    [session]:
    require-mpa = no
    user-session-ids = yes
    [session-http-headers]:
    Authorization = https
    [mmfa-config-info]:
    autoconfig = mmfa
    [mmfa-config-info:mmfa]:
    channel = mobile
    junction = /{junction}
    [junction:/{junction}]:
    reset-cookies-list = *{cookie},*JSESSIONID*
    managed-cookies-list = *{cookie},*JSESSIONID*
    ACLs
    isam_mobile_anyauth:
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/oauth/oauth20/logout
    isam_mobile_nobody:
    /WebSEAL/{hostname}-{webseal}/{junction}
    isam_mobile_rest:
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mga/user/mgmt/otp
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mga/user/mgmt/device
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mga/user/mgmt/questions
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mga/user/mgmt/grant
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mmfa/user/mgmt/authenticators
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mmfa/user/mgmt/auth_methods
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mmfa/user/mgmt/qr_code
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mmfa/user/mgmt/transactions
    isam_mobile_rest_unauth:
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/apiauthsvc
    isam_mobile_unauth:
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/mmfa/user/mgmt/details
    /WebSEAL/{hostname}-{webseal}/{junction}/sps/oauth/oauth20/token

    Kind regards
    Serge Vereecke

    ------------------------------
    Serge Vereecke
    ------------------------------
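The force-tag-value-prefix behaviour described in the answer above, as an added worked example (this is not code from the forum post or from IBM's product; it is a small model of the documented rule that an HTTP-Tag-Value attribute name is looked up in the credential with a "tagvalue_" prefix unless the option is set to no). The HTTP-Tag-Value syntax `attr=header,attr2=header2`, the credential contents and the header names below are assumptions constructed for the demonstration:

```python
"""Model of how force-tag-value-prefix changes which credential attribute
an HTTP-Tag-Value mapping reads (added example, not IBM's implementation).

Assumptions: HTTP-Tag-Value is a comma-separated list of attr=header pairs;
the credential is a plain name -> value map. Both are constructed here.
"""

TAGVALUE_PREFIX = "tagvalue_"


def parse_http_tag_value(spec):
    """Parse 'attr=header,attr2=header2' into a list of (attr, header) pairs."""
    pairs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        attr, _, header = item.partition("=")
        if not header:
            raise ValueError(f"HTTP-Tag-Value entry without a header name: {item!r}")
        pairs.append((attr.strip(), header.strip()))
    return pairs


def credential_attribute_name(attr, force_tag_value_prefix):
    """Name actually looked up in the credential for one HTTP-Tag-Value attribute.

    With force-tag-value-prefix = yes the name is prefixed with 'tagvalue_',
    so a built-in attribute such as AUTHENTICATION_LEVEL can never be reached.
    With force-tag-value-prefix = no the name is used exactly as written.
    """
    return TAGVALUE_PREFIX + attr if force_tag_value_prefix else attr


def build_headers(credential, http_tag_value, force_tag_value_prefix=True):
    """Return (headers the junction would forward, credential names not found)."""
    headers, unresolved = {}, []
    for attr, header in parse_http_tag_value(http_tag_value):
        name = credential_attribute_name(attr, force_tag_value_prefix)
        if name in credential:
            headers[header] = credential[name]
        else:
            unresolved.append(name)
    return headers, unresolved


# Constructed credential: AUTHENTICATION_LEVEL is a built-in attribute stored
# without the prefix; 'tagvalue_department' is an attribute stored with it.
SAMPLE_CREDENTIAL = {"AUTHENTICATION_LEVEL": "2", "tagvalue_department": "finance"}

# Constructed mapping that names AUTHENTICATION_LEVEL the way the runtime expects.
SAMPLE_TAG_VALUE = "AUTHENTICATION_LEVEL=x-auth-level,department=x-department"

# Same mapping with the prefixed attribute written out in full, which is what
# the option value 'no' requires for attributes that do carry the prefix.
SAMPLE_TAG_VALUE_FULL_NAMES = (
    "AUTHENTICATION_LEVEL=x-auth-level,tagvalue_department=x-department"
)

if __name__ == "__main__":
    for setting in (True, False):
        print("force-tag-value-prefix =", "yes" if setting else "no",
              build_headers(SAMPLE_CREDENTIAL, SAMPLE_TAG_VALUE, setting))
    print("full names, prefix = no",
          build_headers(SAMPLE_CREDENTIAL, SAMPLE_TAG_VALUE_FULL_NAMES, False))
```

With the option left at yes, AUTHENTICATION_LEVEL is silently looked up as tagvalue_AUTHENTICATION_LEVEL and never forwarded; with no, it resolves, and any attribute that really is stored with the prefix has to be named with that prefix in HTTP-Tag-Value, which is the trade-off the documentation excerpt describes.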
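A practitioner reading the stanza lists in the answer above usually wants to confirm that a given reverse proxy instance actually carries those entries. The following is an added example (not code from the forum post or from IBM) that parses the `[stanza]:` / `key = value` listing format used in the answer, substitutes `{junction}`, and compares it against a configuration file excerpt. It assumes the real instance configuration uses `[stanza]` headers without the trailing colon and repeats multi-valued keys such as `trigger` on separate lines; the expected list is a subset copied from the browser channel section, and the configuration excerpt is constructed for the demonstration and is not from a real instance.

```python
"""Compare the MMFA wizard's expected reverse-proxy entries with a config
excerpt (added example, not part of the forum post or of IBM's product).

Assumptions: stanza headers look like '[name]' with an optional trailing
':' (the listing style in the answer), entries are 'key = value', and a
key that occurs more than once in the expected list is multi-valued.
"""
import re

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]:?$")


def parse_entries(text, junction="mga"):
    """Parse stanza/entry text into a set of (stanza, key, value) triples.

    '{junction}' is replaced by the junction name so the cookbook listing
    can be compared with a concrete instance. Parsing stops at the first
    line that is neither a stanza header nor 'key = value' once a stanza
    has started (the 'ACLs' listing that follows the entries), and skips
    preamble lines before the first stanza.
    """
    entries = set()
    stanza = None
    for raw in text.splitlines():
        line = raw.strip().replace("{junction}", junction)
        if not line or line.startswith("#"):
            continue
        match = STANZA_RE.match(line)
        if match:
            stanza = match.group("name")
            continue
        if stanza is None:
            continue
        if "=" not in line:
            break
        key, value = (part.strip() for part in line.split("=", 1))
        entries.add((stanza, key, value))
    return entries


def compare(expected_text, actual_text, junction="mga"):
    """Return {'absent': [...], 'different': [...]} for expected entries.

    'absent': the (stanza, key, value) is not present at all (for a
    multi-valued key, an additional value is missing).
    'different': the key exists but holds other values; the actual values
    are reported so a mis-set single-valued key stands out.
    """
    expected = parse_entries(expected_text, junction)
    actual = parse_entries(actual_text, junction)

    expected_counts = {}
    for stanza, key, _ in expected:
        expected_counts[(stanza, key)] = expected_counts.get((stanza, key), 0) + 1
    multi_valued = {k for k, n in expected_counts.items() if n > 1}

    actual_by_key = {}
    for stanza, key, value in actual:
        actual_by_key.setdefault((stanza, key), set()).add(value)

    absent, different = [], []
    for stanza, key, value in sorted(expected - actual):
        have = actual_by_key.get((stanza, key))
        if have is None or (stanza, key) in multi_valued:
            absent.append((stanza, key, value))
        else:
            different.append((stanza, key, value, sorted(have)))
    return {"absent": absent, "different": different}


# Subset of the browser channel listing from the answer (copied, not complete).
EXPECTED_BROWSER = """\
Reverse proxy configuration file stanzas and entries:
[server]:
http-method-disabled-remote = TRACE,CONNECT
[eai]:
eai-auth = https
retain-eai-session = yes
eai-redir-url-priority = yes
[eai-trigger-urls]:
trigger = /{junction}/sps/oauth/oauth20/session*
trigger = /{junction}/sps/auth*
trigger = /{junction}/sps/authsvc*
[session]:
user-session-ids = yes
[mmfa-config-info:mmfa]:
channel = browser
junction = /{junction}
ACLs
isam_mobile_nobody:
/WebSEAL/{hostname}-{webseal}/{junction}
"""

# Constructed configuration excerpt: one trigger is missing and one value is wrong.
SAMPLE_WEBSEALD_CONF = """\
# constructed excerpt in webseald.conf style, not taken from a real instance
[server]
http-method-disabled-remote = TRACE,CONNECT
[eai]
eai-auth = https
retain-eai-session = yes
eai-redir-url-priority = no
[eai-trigger-urls]
trigger = /mga/sps/oauth/oauth20/session*
trigger = /mga/sps/auth*
[session]
user-session-ids = yes
[mmfa-config-info:mmfa]
channel = browser
junction = /mga
"""

if __name__ == "__main__":
    for kind, items in compare(EXPECTED_BROWSER, SAMPLE_WEBSEALD_CONF).items():
        for item in items:
            print(kind, item)
```

Running it against the constructed excerpt reports the third trigger as absent and `eai-redir-url-priority` as set to `no` where `yes` is expected; against a complete instance it prints nothing. The ACL section is deliberately not parsed, since ACL attachments live in the policy database rather than in the configuration file.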