IBM Verify

  • 1.  Using JWT (TFIMSSO) with unauthenticated users

    Posted Thu November 15, 2018 08:16 AM
    Hello everybody,

    We are running into an issue when trying to use TFIMSSO to generate JWT tokens for the junctioned backends.

    We followed Shane's "guide" (https://www.ibm.com/blogs/sweeden/isam-9-0-2-the-jwt-sts-module-and-junction-sso-to-websphere-liberty/) to implement the iv-creds to JWT transformation by the STS. For most of our use cases it works as expected.

    But we are now running into an issue with unauthenticated users, and need to find a proper solution.

    Our reverse proxy has an /api junction on which TFIMSSO has been enabled. That junction goes to our API gateway (APIConnect) and allows the different web applications (SPAs) to consume APIs.

    The issue appears when our authentication web application tries to consume APIs from that /api junction. At that moment the user is unauthenticated, and when we try to consume APIs from /api, WebSEAL does not allow the request to reach the backend.

    It seems that from the moment we activate TFIMSSO on the /api junction, unauthenticated access is not allowed anymore (even if the ACL allows it).
    We think it is because the STS default behavior when using a module chain is to validate that there is an authenticated user.

    We found some documentation (https://www.ibm.com/support/knowledgecenter/en/SSZSXU_6.2.2.7/com.ibm.tivoli.fim.doc_6227/troubleshoot/concept/operationalissues.html and https://www-01.ibm.com/support/docview.wss?uid=swg27050504&aid=8 ) that mentions the fact that a custom configuration has to be applied on TFIM/STS so that iv-creds from an unauthenticated user are considered valid.

    Can someone give us a few more details on where exactly we can configure this (advanced tuning parameters?) and how?
    For example, if we specify "sts.ivcred.unauthenticated.user.name=guest", must a "guest" user exist somewhere in the LDAP?

    Thanks for any tips on this very specific question,

    ------------------------------
    André Leruitte
    ------------------------------


  • 2.  RE: Using JWT (TFIMSSO) with unauthenticated users

    Posted Fri November 16, 2018 03:07 AM
    Edited by Peter Volckaert Fri November 16, 2018 03:09 AM
    Hi André,

    There are in fact 3 'advanced configuration' parameters that you can set:

    Reference to this direct link on the 9.0.5 ISAM doc:
    https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.5/com.ibm.isam.doc/config/reference/ref_aac_advcfgprop.html

    Seems like a 'full' ISAM user, so just create one, e.g. using pdadmin user create.
    Let us know if this was useful.

    Kind regards, Peter

    ------------------------------
    Peter Volckaert
    Sales Engineer
    IBM Security
    ------------------------------



  • 3.  RE: Using JWT (TFIMSSO) with unauthenticated users

    Posted Fri November 16, 2018 09:43 AM
    Hello Peter,

    Thank you for your reply.

    We have done some additional tests and everything is now working perfectly as expected, with authenticated (external) users as well as unauthenticated users.

    We only configured the sts.ivcred.unauthenticated.user.name parameter (found in the Advanced Configuration of the AAC/Federation module), and we set it to "nobody".
    We haven't touched the other two parameters (registry.id and uuid), and we didn't have to create a "nobody" user.


    This is great, the /api junction is now working exactly as we expected:
    - always injecting a JWT for the backends
    - JWT containing user "nobody" for unauthenticated access
    - JWT containing the external user id for authenticated access
    - ACLs working correctly (for making only some APIs accessible to unauthenticated users)


    Thanks for your support Peter!

    ------------------------------
    André Leruitte
    ------------------------------