IBM Verify

  • 1.  Storing information in iv-creds/stsuu while user is unauthenticated

    Posted Mon June 17, 2019 08:44 AM
    Hello everybody,

    We have a specific requirement (for the PSD2 implementation) where we would like to store information about a user before this user is authenticated.

    For that we tried enabling the creation of session for unauthenticated users via this stanza:
    # Should sessions be established for access to unprotected resources?  This
    # configuration item is useful when a consistent session identifier is
    # required for clients as they transition from unauthenticated to
    # authenticated.
    create-unauth-sessions = yes

    We then implemented an "EAI" api that we declared in the eai-trigger-urls.
    That api returned "am-eai-xattrs" headers specifying some http headers containing the attributes that we would like to store in the session, so they are available in the STSUU.


    We weren't able to achieve the goal. It seems that WebSEAL totally ignores the am-eai-xattrs for an unauth session, not taking the header into account and not filtering it (the am-eai-xattrs header was available in the browser).


    We also tried specifying an "am-eai-(ext-)user-id" with different values (real value, unauthenticated, nobody, ...). In that case the attributes are stored in the session, but the user is considered logged in and no authentication mechanism is triggered.


    Has anyone had any experience with this kind of scenario where we want to store attributes in an unauthenticated session and keep them available after the user authenticates itself?

    ------------------------------
    André Leruitte
    ------------------------------


  • 2.  RE: Storing information in iv-creds/stsuu while user is unauthenticated

    Posted Tue June 18, 2019 01:43 AM
    Hi André,

    We are doing something similar. Our EAI is returning a full PAC, but the principle is the same. From your post, it seems you're doing things right, but one thing to double check would be what name to use as the response header from your EAI. That header name is configurable and is defined through the eai-xattrs-header entry in the [eai] stanza of WebSEAL's configuration. Make sure there are no typos there...

    FYI: There are some other interesting headers defined there too (if you want to send some additional info from your EAI to webseal)

    Kind regards,

    ------------------------------
    Kristof Goossens
    ------------------------------



  • 3.  RE: Storing information in iv-creds/stsuu while user is unauthenticated

    Posted Wed June 19, 2019 03:48 AM
    Hi André,

    I don't have practical experience in this, but I'll give you my thoughts anyway:
    - There's an easy way to store such runtime information, namely by using the "cache" (which in fact stores data in the runtime database). It stores a key:value pair, the key could be the sessionid. You can have it stored temporarily for x seconds. See the Javadoc in section "IDMappingExtUtilsCache".
    - Set a (non-persistent) cookie that contains the data that needs to be included in the credential at login time. Not sure this is ok for your user, but might be pretty simple to implement.

    Is this helpful?

    Kind regards, Peter.

    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 4.  RE: Storing information in iv-creds/stsuu while user is unauthenticated

    Posted Thu June 20, 2019 01:42 AM

    You're both on the right track, but not all the way there.

    First, you do need unauthenticated sessions, and to put the user-session-index in the cred. In WebSEAL config file:

    [session]
    user-session-ids=yes
    create-unauth-sessions=yes
    


    Then in your EAI (which you should do via InfoMap), use the stsuu's tagvalue_session_index attribute as the index for storing this data in IDMappingExtCache. No need for any cookie setting stuff - WebSEAL will do that.

    After authentication the tagvalue_session_index should remain the same and you can retrieve these (again in InfoMap) post-authentication from IDMappingExtCache.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 5.  RE: Storing information in iv-creds/stsuu while user is unauthenticated

    Posted Mon June 24, 2019 03:28 AM
    Thanks a lot Peter and Shane for your hints.
    The solution you suggested Shane seems to fit perfectly our initial needs.

    However, in the meantime we now realize that in certain circumstances the information we wish to store is much bigger than we expected (it can be several hundred KB!)

    So we still use the session_id as key for storing and retrieving the cached data, but we decided to store it in an external db.


    We still keep this solution at hand because we are sure somewhere in the future we will need it.

    ------------------------------
    André Leruitte
    ------------------------------
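    As an added illustration (not code from the thread or from ISAM itself) of the pattern Shane describes in reply 4 and the size problem André raises in reply 5: a pre-authentication mapping step stores the data under the session index that WebSEAL keeps stable across the unauthenticated-to-authenticated transition, and a post-authentication step reads it back once and removes it. The stand-ins for stsuu and IDMappingExtCache, their method names, the "psd2:" key prefix and the byte cap are assumptions for illustration, not the product API.

```javascript
// Stand-in for IDMappingExtCache: key -> { value, expiresAt }, with an
// injectable clock so expiry can be exercised deterministically. Assumed API.
class ExtCache {
  constructor(now = () => Date.now()) { this.now = now; this.map = new Map(); }
  put(key, value, lifetimeSec) {
    this.map.set(key, { value, expiresAt: this.now() + lifetimeSec * 1000 });
  }
  get(key) {
    const entry = this.map.get(key);
    if (!entry) return null;
    if (entry.expiresAt <= this.now()) { this.map.delete(key); return null; }
    return entry.value;
  }
  remove(key) { this.map.delete(key); }
}

// Minimal stsuu stand-in: only the attribute lookup the pattern needs.
function sessionIndexOf(stsuu) {
  return stsuu.attributes["tagvalue_session_index"] || null;
}

// Pre-auth InfoMap step: key the data on the session index so it can be found
// again after login. Returns false (caller should fall back to an external
// store) when the payload exceeds the cap, as in reply 5's hundreds-of-KB case.
function preAuthStore(cache, stsuu, data, lifetimeSec = 600, maxBytes = 64 * 1024) {
  const idx = sessionIndexOf(stsuu);
  if (!idx) {
    // Without create-unauth-sessions / user-session-ids there is no index to key on.
    throw new Error("tagvalue_session_index missing from unauthenticated stsuu");
  }
  const payload = JSON.stringify(data);
  if (Buffer.byteLength(payload, "utf8") > maxBytes) return false;
  cache.put("psd2:" + idx, payload, lifetimeSec);   // bounded lifetime
  return true;
}

// Post-auth InfoMap step: same key, read once, then drop it so the data does
// not linger in the runtime cache after it has been moved into the credential.
function postAuthRetrieve(cache, stsuu) {
  const idx = sessionIndexOf(stsuu);
  if (!idx) return null;
  const payload = cache.get("psd2:" + idx);
  if (payload === null) return null;
  cache.remove("psd2:" + idx);
  return JSON.parse(payload);
}
```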