IBM Security Verify

  • 1.  ISVG-IM authentication problem

    Posted Tue April 25, 2023 03:58 AM

    Hi all,

    after a long fight, I was able to set up SAML SSO for ISVG Identity Manager through Azure AD. What I still cannot figure out is how to log in interactively using login and password when Trust association on the Security Domain is on. Is that even possible? With TAI turned off, everything works fine and I can log in using login/pass. If I turn Trust association on and SSO starts working, I can still access the login form on URL https://server_url/itim/console/jsp/logon/Login.jsp, but after submitting the form, I get 401 unauthorized all the time. Which is OK if the login/pass don't match, but when they DO match, I even get an LTPA token (I can see it in cookies), but it is not accepted, a 401 error is returned and I am redirected to the IdP page.

    Can someone please tell me if this combined scenario is supposed to be working and if so, where to look or what to look for? Thanks.



    ------------------------------
    Pavel Koza
    ------------------------------


  • 2.  RE: ISVG-IM authentication problem

    Posted Tue April 25, 2023 05:23 AM

    I am not very deep into this setup - so my first advice is to open a support case to get help from our support team.
    That said - I believe that when you are setting this up (SAML or OIDC) then the user MUST be in Azure AD for the URL used to log in to ISVG IM. This was also the case when ISAM was used in older times - in ISVA now the default is that there is a fallback so that if the trust based login fails it is redirected to the standard login form (userid/password). In those times we used to set up a different URL for direct login than the standard login URL for "standard" SSO users.

    But as I am not a deep expert in this SSO setup it may be possible to get the same fallback functionality with SAML and Azure AD - but I do not know what is needed and whether that is part of the TAI setup or is something to be configured in the Azure AD SAML definition...

    HTH



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 3.  RE: ISVG-IM authentication problem

    Posted Wed April 26, 2023 05:16 AM

    Hi,
    If you want to use SAML with TAI, you need to configure a SAML TAI: https://www.ibm.com/docs/en/was/9.0.5?topic=swss-saml-web-single-sign-sso-trust-association-interceptor-tai-custom-properties . Just enabling TAI will not work, as the TAI must be able to consume the SAML tokens and map them into an authenticated principal in WAS.

    Hope this helps
    Serge Vereecke (IBM)



    ------------------------------
    Serge Vereecke
    ------------------------------