IBM Security Verify

 View Only
Expand all | Collapse all

Adding an infomap mechanism to the default login policy

  • 1.  Adding an infomap mechanism to the default login policy

    Posted Mon January 08, 2024 10:57 AM
    Edited by Narayan Verma Mon January 08, 2024 10:58 AM
    Hi, is it possible to add a mechanism to the default login policy protecting the junction (e.g. https://www.iamlab.ibm.com:4000)? In my case I want to add an InfoMap based Duo authentication every time someone signs in using userid/password and skip Duo if they sign in using a certificate.

    Or, alternatively, is there an Infomap mechanism for certificate based authentication that I can embed into other policies using branching and other features?
    Thanks!



    ------------------------------
    Narayan Verma
    ------------------------------



  • 2.  RE: Adding an infomap mechanism to the default login policy

    Posted Tue January 09, 2024 02:29 PM

    Hi team, any isights or recommendations on this?

    Thanks!



    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message


  • 3.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 10, 2024 01:36 AM

    Certificate authentication happens at the transport layer directly to WebSEAL. It does not make sense that it would ever use an AAC/Infomap authentication policy. It might use an Infomap to do identity mapping for the certificate, but that's all.

    If you want certificate authentication as primary, followed by essentially step-up to Duo, then that is easy. Use a protected object policy on the junction (or any other WebSEAL object space resource that you want to protected) with authentication levels, like:

    pdadmin> pop create level2pop
pdadmin> pop modify level2pop set ipauth anyothernw 2
pdadmin> pop attach /WebSEAL/<your_server>/<your jct> level2pop

    In your  [authentication-levels] stanza, something like:

    [authentication-levels]
level = unauthenticated
level = ssl
level = ext-auth-interface

    To redirect to your Duo Infomap for step-up authentication:

    [acnt-mgt]
enable-local-response-redirect = yes

[local-response-redirect]
local-response-redirect-uri = [stepup] /mga/sps/authsvc/policy/duoPolicy

     

    And in the AuthSvcCredential mapping rule (included in AAC), which runs at the successful completion of any AAC authentication policy, add:

    if (policyID.equals("urn:ibm:security:authentication:asf:duoPolicy")) {
   stsuu.getAttributeContainer().setAttribute(new Attribute("AUTHENTICATION_LEVEL", null, "2"));
}

    If its not that exact combination, its close. Experiment.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------

    Original Message


  • 4.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 10, 2024 09:16 AM
    Edited by Narayan Verma Wed January 10, 2024 09:34 AM

    Thanks Shane!

    How do we achieve Duo authentication right after the user id/password authentication?  The current login screen - e.g. certlogin.html provides both userid/password authentication and certificate option.  What we want to do is to inject Duo right after the userid/password authentication if the user chooses that route.  If user goes for cert based authentication then Duo is not needed.  We want to do that as part of initial login not as part of step-up authentication.

    Somewhat of a later concern, for step-up authentication for sensitive data applications is it possible to provide an option to the user of using (either Duo or Certificate) not just Duo-only or just Cert-only?

    We are trying to treat Duo and cert as same level of authentications from strength perspective.  Our options for initial login are going to be either of a) Kerberos b) userid/password followed by Duo c) certificate.  For step-up they are going to be either of a) Duo b) certificate.  That's the desired end goal.  I am hoping it's not going to create any conflicts, lead to bad practices, or unsupportable configurations.



    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message


  • 5.  RE: Adding an infomap mechanism to the default login policy
    Best Answer

    Posted Wed January 10, 2024 07:40 PM
    Edited by Narayan Verma Wed January 17, 2024 10:19 AM

    You do this exactly the same way I have described - use the building blocks I have provided to put your solution together. Step-up authentication is just a way of triggering another level of authentication (Duo, or certificate) after password authentication. So you'd start with something like:

    [authentication-levels]
level = unauthenticated
level = password
level = ext-auth-interface
level = ext-ssl

    In this case password=1, EAI=2 (this includes Duo), and certificates=3. You would still use level2pop to protect all resources that are of any value. Either level 2 or 3 satisifies this.

    Then instead of just using local-response-redirect to redirect to Duo on step-up, take that out and allow WebSEAL to show the regular stepuplogin.html page. Modify WebSEAL to have:

    [step-up]
show-all-auth-prompts = yes
step-up-at-higher-level = yes

    Code your "choices" of either Duo or certificates to be displayed to the user into stepuplogin.html with FORM actions pointing to each as appropriate.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------

    Original Message


  • 6.  RE: Adding an infomap mechanism to the default login policy

    Posted Thu January 11, 2024 12:32 PM
    Edited by Narayan Verma Thu January 11, 2024 12:36 PM

    Thanks Shane, I got it to work with the following:

    [authentication-levels]
    level = unauthenticated
    level = password
    level = ext-auth-interface
    level = ssl
    [step-up]
    show-all-auth-prompts = yes
    step-up-at-higher-level = yes
    Had to update the AuthSvcCredential mapping rule as well.
    I attached the level2pop at the /WebSEAL/isvaconfig-rp1/index.html level.  However, if I attach it to /WebSEAL/isvaconfig-rp1/ then I cannot access the link I added for the duo policy which is at 
    /mga/sps/authsvc/policy/duoup.  When I try to access that URL I get redirected back to the stepuplogin.html as if I am being stepped up to access the duoup policy.  Is there a way to exclude /mga/sps/authsvc/policy from the step-up authentication - level2pop?  Otherwise, I'll end up attaching level2pop to a lot of applications/junctions like it was applied to /index.html.  That was my initial observation as I do more testing.



    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message


  • 7.  RE: Adding an infomap mechanism to the default login policy

    Posted Thu January 11, 2024 04:26 PM

    Read this: https://community.ibm.com/community/user/security/blogs/shane-weeden1/2020/03/18/protecting-entire-isam-webseal-site-with-multi-fac

    It will resolve your issue with all-of-site protection with MFA.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------

    Original Message


  • 8.  RE: Adding an infomap mechanism to the default login policy

    Posted Thu January 11, 2024 04:37 PM

    Thank you Shane!  One thing I observed is that it's also trying to step-up the users authenticated using Kerberos.  Seems like those users get the AUTHENTICATION_LEVEL = 0 as seen in IVCREDS.  Can Kerberos be treated as if it's equivalent to (UID/PWD + Duo) or Certificate?

    Thanks!



    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message


  • 9.  RE: Adding an infomap mechanism to the default login policy

    Posted Thu January 11, 2024 05:15 PM

    That would be easy enough to do. There are probably a few ways. The one that comes to mind most readily and is most flexible is as follows.

    1. Go back to using local-response-redirect for stepup login, sending the local-response-redirect for step-up to an Infomap based authentication policy.
    2. Code the Infomap to see what is already in the users credentials - you'll be able to tell if they've already done Kerberos by looking at another stsuu attribute the the credential like AZN_CRED_AUTH_METHOD or similar.
    3. If the user was already authenticated kerberos, just succeed the stepup immediately in the Infomap, raising their authentication level.
    4. Otherwise send back a page template from Infomap which looks more or less like the exisiting WebSEAL stepuplogin.html and everything else there works as it currently does.


    ------------------------------
    Shane Weeden
    IBM
    ------------------------------

    Original Message


  • 10.  RE: Adding an infomap mechanism to the default login policy

    Posted Fri January 12, 2024 11:46 AM
    Edited by Narayan Verma Fri January 12, 2024 02:11 PM

    I am trying to test the new policy at /mga/sps/authsvc/policy/kbooster after doing a kerberos authentication directly and getting the following error:

    "stsuu" is not defined.

    The code snippet in my mapping rule is as below:

    stsuu.getAttributeContainer().setAttribute(new Attribute("AUTHENTICATION_LEVEL", null, "2"));
    is stsuu available in InfoMap mapping rules as well?
    My imports are as below:
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);
    importClass(Packages.com.tivoli.am.fim.trustserver.sts.uuser.Attribute);
    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);

    Getting similar error (stsuu is not defined) when the policy is being invoked in the step-up flow:  /mga/sps/authsvc/policy/kbooster?TAM_OP=stepup

    My other question is if I copy the content from stepuplogin.html for this new template in booster when Kerberos is not present how do I supply the values for macros that are already present like %LANGUAGE%, %PKMSPUBLIC%, %MSG{0x3898370b}%, %MSG{0x3898370e}% etc.  I believe somehow the mapping rule needs to make it available to the template, they don't seem to be globally available for all templates.  A workaround could be hard coding the values so stsuu not being available in the mapping rule is the bigger problem.

    Thanks!



    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message


  • 11.  RE: Adding an infomap mechanism to the default login policy

    Posted Sat January 13, 2024 03:26 AM

    No it's not and never has been. There are alternative APIs for accessing credential attributes in an Infomap. Google up examples or look through my blog articles. There's plenty of existing information available. 



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------

    Original Message


  • 12.  RE: Adding an infomap mechanism to the default login policy

    Posted Sat January 13, 2024 10:31 AM

    Thanks Shane, I tried the below and it worked:

    context.set(Scope.SESSION, "urn:ibm:security:asf:response:token:attributes", "AUTHENTICATION_LEVEL", "2");
    result = true;
    Also, since kbooster mapping rule only has to show the template for Duo I decided to not have the user choose Duo manually and simply redirected to the Duo policy from the template as below:
    <%
    templateContext.response.sendRedirect("duoup");
    %>
    So, this is how I have it working:
    • Kerberos --> auth level 0 --> goes to kbooster infomap policy --> kbooster mapping rule automatically steps-up auth level to 2 since AZN_CRED_AUTH_METHOD = kerberosv5
    • Userid/password --> auth level 1 --> goes to kbooster infomap policy --> kbooster mapping rule leaves it alone  --> kbooster template redirects to duoup (Duo universal prompt) --> after Duo authentication auth level changes to 2 via the AuthSvcCredential customization you had suggested
    • certificate --> auth level 3 --> kbooster is not invoked


    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message


  • 13.  RE: Adding an infomap mechanism to the default login policy

    Posted Sat January 13, 2024 03:45 PM

    Sounds good. 



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------

    Original Message


  • 14.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 17, 2024 10:48 AM
    Edited by Narayan Verma Wed January 17, 2024 10:54 AM
    Thanks Shane, I have a follow up question on Kerberos.  Is there a way for a user in a different domain to get the prompt for userid/password or certificate authentication when Kerberos authentication fails?  Here is my sample scenario:

    • Kerberos is set up for mydomain.com and works fine for users in that domain.
    • userid/password and cert based logins are also available for users that don't use kerberos
    • there are users in multiple other domains e.g. mydomain1.com that access the WebSEAL at https://www.iamlab.ibm.com:4000.  They currently get an error message as below after they enter their domain userid and password in the browser when prompted:
    Error Code: 0x38cf0963
    Error Text: DPWWA2403E Your browser supplied NTLM authentication data. NTLM is not supported by WebSEAL. Make sure your browser is configured to use Integrated Windows Authentication.

    Would it possible to present them with the option to login using their userid/password or with certificate when this occurs using the same url (https://www.iamlab.ibm.com:4000/index.htm) or on a different URL altogether?  Ideal would be a graceful degradation to userid/password/Duo or cert based authentication on the same URL but if that's not possible can we configure a different URL that does not even try to use Kerberos (and then ultimately land in an error state with no other option to login).  Establishing trust between the domains is currently not a viable option from Kerberos perspective.
    Thanks!



    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message


  • 15.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 17, 2024 12:12 PM

    Can't you do something simple like detect this  error code in client side JavaScript and show the regular u/p prompt in that case?



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------

    Original Message


  • 16.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 17, 2024 12:26 PM

    Thanks Shane, which template would I modify for detecting this error state on the browser?

    Also, by showing the regular userid/password you mean redirecting the user's browser to a policy that contains the password mechanism (I am assuming I'll immediately follow it up with a Duo mechanism)?  If so, how can we add the cert based auth option to the setup?  Can I simply include the below form as is?

    <form method=POST action="https://www.iamlab.ibm.com:4444/pkmslogin.form">
    <div class="login-inputs">
    <input TYPE="hidden" NAME="login-form-type" VALUE="cert">
    <input TYPE="hidden" NAME="token" VALUE="Unknown">

    <input class="submitButton button-1 ease-in-anim-fast" type="submit" value="Certificate Login">
    </div>
    </form>


    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message


  • 17.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 17, 2024 01:11 PM

    I already described how to find which page you need before. Sounds like you have some experimenting to do. 



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------

    Original Message


  • 18.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 17, 2024 04:44 PM
    Edited by Narayan Verma Wed January 17, 2024 04:46 PM

    Thanks Shane!  Figured out it was the rp1 Junction --> Management Root --> errors --> C --> default.htm.

    Was able to get the browser redirected to https://www.iamlab.ibm.com:4000/mga/sps/authsvc/policy/branchtesting

    branchtesting is a is policy which is giving two branches/choices to the user... one branch has pre-built password mechanism immediately followed by Duo universal prompt mechanism (default option).  When I add the form for cert based authentication into the second branch it seems like it keeps asking for certificate at 

    https://www.iamlab.ibm.com:4444/pkmslogin.form even through the authentication is complete - I was able to verify this behavior only after indicating my preference to always send in a particular certificate from the browser.  It displays the following content when it settles:
    pkmslogout logout the current user session
    (Not valid for clients who authenticate with Basic Authentication or SPNEGO. BA clients must exit their browser to properly terminate their session. SPNEGO clients must log off from their workstation)
    pkmspasswd change password for logged-in user
    So basically, I am stuck on how to add the appropriate markup/processing for the cert based auth on the second branch.
    Thanks!



    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message


  • 19.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 17, 2024 04:50 PM

    I wouldn't redirect to AAC at all. When the error is detected why not just have that error page render almost identical contents to what you have in certlogin.html today?



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------

    Original Message


  • 20.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 17, 2024 05:30 PM

    How do I keep default.html page intact for other use cases and change it only for the kerberos error code?

    Are the macro values that are in certlogin.html going to be available in default.html as well?



    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message


  • 21.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 17, 2024 05:48 PM

    Put the forms in a hidden div and use JavaScript. Hard code "the other macros" values where needed. 



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------

    Original Message


  • 22.  RE: Adding an infomap mechanism to the default login policy

    Posted Thu January 18, 2024 03:03 PM
    Edited by Narayan Verma Thu January 18, 2024 03:04 PM

    Thanks Shane!  I am yet to build the conditional logic on browser side to show/hide content based on the exact error code but reusing the uid/pwd and cert based content from certlogin.html to the default.html error page worked for both uid/pwd/Duo and cert based auth flows.  For now, I just copied the forms not even from certlogin.html but from the browser's rendering (view page source from the browser) of the certlogin.html so I didn't have to replace any of the macro values for testing.  So I guess, I'll take this approach rather than presenting a new URL for the users in domains for which the Kerberos is not configured.

    Thanks! 



    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message


  • 23.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 31, 2024 04:56 PM
    Edited by Narayan Verma Wed January 31, 2024 05:00 PM

    Hi Shane, conditional show/hide of content based on the error code works when Kerberos fails but I have run into an issue when implementing SAML for a spring boot Java application.

    When I try to access the application directly at http://www.iamlab.ibm.com:8080 I get redirected to ISVA runtime at https://www.iamlab.ibm.com:4000/sps/isamsaml/saml20/login.  It's serving the content from certlogin.html from the junction root which I have customized a bit.  Here almost all of the the css, js, and image files are not available.  e.g. https://www.iamlab.ibm.com:4000/sps/isamsaml/saml20/pkmspublic/jquery.js. When I access the ISAM directly the jQuery.js path is as https://www.iamlab.ibm.com:4000/pkmspublic/jquery.js and there is no 404.  

    How can I refer the js file in the certlogin.html so that I can access it both while accessing the WebSeal home page as well in the SAML SSO mode?  Currently the js file is referenced as <script src="pkmspublic/jquery.js" type="text/javascript"></script>.  Is there a way to refer the pkmspublic folder in a root relative way in the template file?

    Also, when I do a cert based login at this time it does not redirect me back to the calling application.  Instead, it redirects me to

    https://www.iamlab.ibm.com:4000/sps/isamsaml/saml20/pkmspublic/jenieimages_scale.gif which actually results in a 404.  Not sure why the redirect would be issued to an image file referenced by the certlogin.html rather than the originating application (http://www.iamlab.ibm.com:8080).  Forms based authentication is having similar issues as well.
    Also, when I attempt Kerberos SSO in SAML mode I get redirected to https://www.iamlab.ibm.com:4000/sps/isamsaml/saml20/login which gives me 404.  Ideally, I would have expected for Kerberos to succeed and bring me back to the original application.  When I check the ivcreds the kerberos authentication seems to have succeeded with auth level=0 and no systematic step-up using the infomap.
    Please help with these SAML issues for forms based auth/cert/Kerberos.  isamsaml is the name of my SAML federation.
    Thanks!

     



    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message


  • 24.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 31, 2024 05:52 PM
    Try something like (you don't need this many path traversals, but you get the general idea):



    <script src="../../../../../../../../../../../pkmspublic/jquery.js" type="text/javascript"></script>



    Original Message


  • 25.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 31, 2024 07:31 PM

    Thanks Shane, using %PKMSPUBLIC% macro resolved my css/js/image path problems.  

    I still seem to have login issues with SAML.  Eg. when I get to https://www.iamlab.ibm.com:4000/sps/isamsaml/saml20/login and enter userid/password I get redirected to https://www.iamlab.ibm.com:4000/sps/isamsaml/saml20/login by pkmsloginform and this time I get a custom 404 error message from ISVA for this URL.  Internal error code seems to be 0x38cf0428.  When I check ivcreds I seem to be authenticated using password authentication with auth level =1.

    Same exact thing happens when I try the cert based authentication.  Ivcreds tells me that my cert based auth succeeded with auth level = 3.

    Both mechanisms just stop with a custom 404 on /sps/isamsaml/saml20/login



    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message


  • 26.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 31, 2024 07:37 PM
    404 is “not found”, nothing to do with being authenticated or not, so you need to figure out from the WebSEAL request log what is actually coming in and why its not aligned with an accessible URL.


    Original Message


  • 27.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 31, 2024 08:10 PM
    Edited by Narayan Verma Wed January 31, 2024 08:19 PM

    Where can I check this from SAML perspective?  Trace.log is not showing any new logs for this testing.

    All three mechanisms (userid/password, certificate, and Kerberos) are now issuing a 404 for https://www.iamlab.ibm.com:4000/sps/isamsaml/saml20/login once the first round of authentication completes internally.  For userid/password it's not redirecting to Duo for MFA and kerberos is not going through step-up from 0 to 2 via InfoMap.



    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message


  • 28.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 31, 2024 08:22 PM
    I already told you - start with the WebSEAL request log.


    Original Message


  • 29.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 31, 2024 08:32 PM
    Edited by Narayan Verma Wed January 31, 2024 08:40 PM

    Sorry Shane, this seems to be escaping me.  Is this something accessible from the LMI or by attaching it to container?



    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message


  • 30.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 31, 2024 09:07 PM
    Depends a little on how your container is configured. By default, you can find the request.log on the container in /var/application.logs/wrp/<instance_name>/log/request.log where <instance_name> is often "default".

    There is also a post on how to configure your WRP (aka WebSEAL) to output to stdout here: https://community.ibm.com/community/user/security/discussion/how-to-configure-requestlog-on-stdout





    Original Message


  • 31.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 31, 2024 09:29 PM

    Thanks Shane, I was able to browse to /var/application.logs/wrp/rp1/log but I don't see any files there.  is there a setting to have these logs generated and seen in request.log?



    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message


  • 32.  RE: Adding an infomap mechanism to the default login policy

    Posted Wed January 31, 2024 09:37 PM
    By default there will be a file there. But like I said, it can depend on your WebSEAL configuration. You could try taking a look at /var/pdweb/<instance-name>/etc/webseald-<instance-name>.conf and in particular the [logging] stanza.


    Original Message


  • 33.  RE: Adding an infomap mechanism to the default login policy

    Posted Thu February 01, 2024 09:09 AM

    Thanks Shane!

    For userid/password I am getting the following log for user duotest:

    • 172.20.0.1 - unauthenticated 01/Feb/2024:13:58:18 +0000 "POST /sps/isamsaml/saml20/login HTTP/2" 401 29688
    • 172.20.0.1 - unauthenticated 01/Feb/2024:13:58:18 +0000 "GET /pkmspublic/jenieui.css HTTP/2" 200 19107
    • 172.20.0.1 - unauthenticated 01/Feb/2024:13:58:18 +0000 "GET /pkmspublic/jenieimages_scale.gif HTTP/2" 200 6334
    • 172.20.0.1 - unauthenticated 01/Feb/2024:13:58:18 +0000 "GET /pkmspublic/jenieimages_warning_icon_caps.png HTTP/2" 200 614
    • 172.20.0.1 - unauthenticated 01/Feb/2024:13:58:18 +0000 "GET /pkmspublic/jquery.js HTTP/2" 200 95962
    • 172.20.0.1 - unauthenticated 01/Feb/2024:13:58:18 +0000 "GET /pkmspublic/jenieimages_jenielogo.gif HTTP/2" 200 2443
    • 172.20.0.1 - unauthenticated 01/Feb/2024:13:58:18 +0000 "GET /pkmspublic/jenieimages_hdr-grad.gif HTTP/2" 200 199
    • 172.20.0.1 - unauthenticated 01/Feb/2024:13:58:18 +0000 "GET /pkmspublic/jenieimages_wink.gif HTTP/2" 200 613
    • 172.20.0.1 - duotest 01/Feb/2024:13:58:28 +0000 "POST /pkmslogin.form HTTP/2" 302 1462
    • 172.20.0.1 - duotest 01/Feb/2024:13:58:28 +0000 "POST /sps/isamsaml/saml20/login HTTP/2" 404 1505
    • 172.20.0.1 - duotest 01/Feb/2024:13:58:28 +0000 "GET /pics/amlogo.gif HTTP/2" 200 5944
    • 127.0.0.1 - unauthenticated 01/Feb/2024:13:58:41 +0000 "GET / HTTP/2" 401 29688

    For cert based authentication the log is similar as below for user user1:

    • 172.20.0.1 - unauthenticated 01/Feb/2024:14:00:33 +0000 "POST /sps/isamsaml/saml20/login HTTP/2" 401 29688
    • 172.20.0.1 - unauthenticated 01/Feb/2024:14:00:33 +0000 "GET /pkmspublic/jenieui.css HTTP/2" 200 19107
    • 172.20.0.1 - unauthenticated 01/Feb/2024:14:00:33 +0000 "GET /pkmspublic/jenieimages_warning_icon_caps.png HTTP/2" 200 614
    • 172.20.0.1 - unauthenticated 01/Feb/2024:14:00:33 +0000 "GET /pkmspublic/jenieimages_scale.gif HTTP/2" 200 6334
    • 172.20.0.1 - unauthenticated 01/Feb/2024:14:00:33 +0000 "GET /pkmspublic/jquery.js HTTP/2" 200 95962
    • 172.20.0.1 - unauthenticated 01/Feb/2024:14:00:33 +0000 "GET /pkmspublic/jenieimages_jenielogo.gif HTTP/2" 200 2443
    • 172.20.0.1 - unauthenticated 01/Feb/2024:14:00:33 +0000 "GET /pkmspublic/jenieimages_hdr-grad.gif HTTP/2" 200 199
    • 172.20.0.1 - unauthenticated 01/Feb/2024:14:00:33 +0000 "GET /pkmspublic/jenieimages_wink.gif HTTP/2" 200 613
    • 127.0.0.1 - unauthenticated 01/Feb/2024:14:00:41 +0000 "GET / HTTP/2" 401 29688
    • 172.20.0.1 - user1 01/Feb/2024:14:00:43 +0000 "POST /pkmslogin.form HTTP/1.1" 302 1437
    • 172.20.0.1 - user1 01/Feb/2024:14:00:43 +0000 "POST /sps/isamsaml/saml20/login HTTP/2" 404 1505
    • 172.20.0.1 - user1 01/Feb/2024:14:00:43 +0000 "GET /pics/amlogo.gif HTTP/2" 200 5944
    • 127.0.0.1 - unauthenticated 01/Feb/2024:14:01:11 +0000 "GET / HTTP/2" 401 29688

    Logs for kerberos are below for user narayanverma:

    • 172.20.0.1 - unauthenticated 01/Feb/2024:14:04:25 +0000 "POST /sps/isamsaml/saml20/login HTTP/2" 401 29688
    • 172.20.0.1 - narayanverma 01/Feb/2024:14:04:25 +0000 "POST /sps/isamsaml/saml20/login HTTP/1.1" 404 1505
    • 172.20.0.1 - narayanverma 01/Feb/2024:14:04:26 +0000 "GET /pics/amlogo.gif HTTP/1.1" 200 5944
    • 127.0.0.1 - unauthenticated 01/Feb/2024:14:04:42 +0000 "GET / HTTP/2" 401 29688

    Last line keeps repeating in the log file for all three use cases even with no user activity on the browser as long as the browser window is open, not sure if it's relevant.



    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message


  • 34.  RE: Adding an infomap mechanism to the default login policy

    Posted Fri February 02, 2024 10:41 AM
    Edited by Narayan Verma Fri February 02, 2024 01:50 PM

    Maybe my SAML IDP is not configured correctly in LMI or the local SP metatada is incomplete.  is it possible to get this reviewed to see if I am missing something?

    Initial SAML request for SSO is as below:

    <?xml 
version="1.0" 
encoding="UTF-8"?>
<saml2p:AuthnRequest 
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
    AssertionConsumerServiceURL="http://localhost:8080/login/saml2/sso/samlreg" 
    Destination="https://www.iamlab.ibm.com:4000/sps/isamsaml/saml20/login" 
    ForceAuthn="false" 
    ID="ARQf8c736d-47da-47f9-9492-30cfbcb302de" 
    IsPassive="false" 
    IssueInstant="2024-02-02T18:45:21.259Z" 
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
    Version="2.0">
    <saml2:Issuer 
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/saml2/service-provider-metadata/samlreg
    </saml2:Issuer>
</saml2p:AuthnRequest>

    SP (partner) metadata is as below:

    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://localhost:8080/saml2/service-provider-metadata/samlreg">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDtTCCAp2gAwIBAgIUD9ag8JFndxy4aTfDREjeOLBc5OcwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlBBMQ0wCwYDVQQHDAR0ZXN0MQ0wCwYDVQQKDAR0ZXN0MQ0wCwYDVQQLDAR0ZXN0MQ0wCwYDVQQDDAR0ZXN0MRIwEAYJKoZIhvcNAQkBFgN0c3QwHhcNMjQwMTMwMjExMzQwWhcNMjUwMTI5MjExMzQwWjBqMQswCQYDVQQGEwJVUzELMAkGA1UECAwCUEExDTALBgNVBAcMBHRlc3QxDTALBgNVBAoMBHRlc3QxDTALBgNVBAsMBHRlc3QxDTALBgNVBAMMBHRlc3QxEjAQBgkqhkiG9w0BCQEWA3RzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALgeGT4QLdTOaAL7fgeOdFl98lHQwwltff1EVRis8afwvv9kWeYU5ERx2URC6B6A57yPntYPEBxi6ASsH2hS4gJy637H01WYABKMAGZ+CxyVho01NGBSXEbl7Bl4yGOXvYTWv5Q+IgEapiweF/Ita4WCWSyywdidaAkiqTt61qO8EfpC70pVPDkHK/tz9F4heFf2B2z4XzScWI0xGgonBc/gIImX3inLm3LlXy3Hg94H1aDtqCtu4c6N6I3EpLLQ0olDZlP9YTPnLpoB3SX+oLzo1/4hVqW6i9EgH810fhQR92C28pJNzVBBypbCpYDM5y2bY2VLdAa2LQUp+L2qe48CAwEAAaNTMFEwHQYDVR0OBBYEFFdrzB0iMa71jgGS0ym2wLTeVkErMB8GA1UdIwQYMBaAFFdrzB0iMa71jgGS0ym2wLTeVkErMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGKNc+fxb6aYBBUlwrnmbvkCcekzAR+wioviFtele60tWm+wtUP7d3AGjMXV6QiK8a0m8/UV20dTmRhpxBWxQDQVgzGrUHWerLzCeLsNBL7bqT843pOV6F81koEQjamByI+ciq98OJk1dNon1JcJzanBLazJ6Iy4//jPAM8WEPGn71KlKsZlgRMPyv6d9yr2NJ6gdlEwNFYhtQACPothMx5yqvcMpw1w13MIsCoCdcxT01nr1OvdhJJRFI+gpm54UbUseyo9PKnP444yZkFmdS1GNeq6Anl8ET5xsR8iNUsLDQXZf1ZTAlkPQbBrMUTlW0EiBxi3ZHa9hSWEWT7n2a4=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/login/saml2/sso/samlreg" index="1"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>

    Are there any logs to review for SAML to see if there is a missing configuration?

    Thanks!



    ------------------------------
    Narayan Verma
    ------------------------------

    Original Message