Hi Venkat,
If you are able to log in via SAML using a user that doesn't exist in the ISAM registry, then your system has a Point of Contact setting that allows this (it is either set to create a PAC or is set to allow external users). These don't perform JIT; they just allow the creation of a dynamic session credential even for users that don't exist locally.
You can change this option. Go to Federation-->Point of Contact and change the mode to be "Standard User" (the first option). In that case you will get an error if the incoming NameId doesn't match the username of an existing ISAM user.
(Note: this is a global change - only users that exist in the ISAM registry will be able to login to any part of your Access Manager system).
Jon
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
Original Message:
Sent: Tue March 23, 2021 12:27 PM
From: venkata kuchipudi
Subject: saml mapping rule for isam as sp
I am trying to configure ISAM 9.0.6 as a SAML SP for one of the applications. My requirement is: if ISAM finds a match for the SAML NameID value in the user registry, then allow the user to access the application; if not, deny access. Unfortunately the out-of-the-box SP SAML mapping rule appears to be meant for JIT provisioning. Can someone provide me a sample mapping rule with a NameID matching condition?
Thanks in advance.
Venkat
------------------------------
venkata kuchipudi
------------------------------
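As an added illustration of the NameID-matching check the question asks for (example code, not from the thread and not IBM's own sample rule), here is a SAML SP mapping-rule fragment that denies the login unless the asserted NameID is an existing registry user. The ISAM-side objects `stsuu`, `UserLookupHelper` and `IDMappingExtUtils` are assumed from the ISAM mapping-rule environment; the decision itself is kept in a plain function so it can be exercised outside ISAM.

```javascript
// Added example, not IBM sample code. The ISAM objects used in the guarded
// block at the bottom (stsuu, UserLookupHelper, IDMappingExtUtils) are assumed
// from the ISAM mapping-rule runtime; the decision logic is a plain function.

// Decide whether the asserted NameID may log in. `userExists` is a lookup
// callback that returns true when the username is present in the registry.
function decideSamlLogin(nameId, userExists) {
  if (nameId === null || nameId === undefined || String(nameId).trim() === "") {
    return { allow: false, reason: "empty NameID in assertion" };
  }
  var username = String(nameId).trim();
  if (!userExists(username)) {
    // Deny instead of provisioning: this is the opposite of a JIT rule.
    return { allow: false, reason: "NameID '" + username + "' not found in registry" };
  }
  return { allow: true, username: username };
}

// ISAM glue: only evaluated inside the mapping-rule engine, where `stsuu` exists.
if (typeof stsuu !== "undefined") {
  importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
  importClass(Packages.com.tivoli.am.fim.fedmgr2.trust.util.UserLookupHelper);
  var ulh = new UserLookupHelper();
  ulh.init(true); // assumed: initialise against the configured user registry
  var decision = decideSamlLogin(stsuu.getPrincipalName(), function (u) {
    return ulh.getUser(u) != null;
  });
  if (!decision.allow) {
    // Abort the STS chain so no session credential is built for the unknown user.
    IDMappingExtUtils.throwSTSUserMessageException("Login denied: " + decision.reason);
  }
}
```

Outside ISAM the guarded block is skipped, so `decideSamlLogin` can be run against a constructed registry to confirm the allow/deny behaviour before deploying the rule.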