This is a bit of an ancient feature, but one I hadn't touched for a while. I wanted a domain cookie in my deployment, I had a Virtual Host and a standard host. host1.example.comhost2.example.com (A virtual Host). And I was struggling to get the login process (via AAC and the identifier first authentication) on the... Continue Reading →
Sometimes you might want to put your own enrollment process into an authentication service flow. This might be for Just in time enrollment, or some other reason. I quickly prototyped this out using an infomap, and just want to put it here for reference later. In short, it uses the easy native functions to detect... Continue Reading →
IBM Security Verify Access (ISVA) (formerly IBM Security Access Manager - ISAM) has been around for a fair while, and has made a series of assumptions over it's time, starting fresh, you might not make those assumptions if you were deploying ISVA today. Upgrades for existing customers rarely bring onboard these changes to avoid backwards... Continue Reading →
Branded SMS and Email OTP messages with IBM Security Verify Access just takes a few steps with IBM Security Verify Access. First thing you need to do - is determine how you plan to differentiate the inbound request from a different brand. In this example, we'll do it based on an inbound HTTP header to... Continue Reading →
How do you handle a partially authenticated state when the inbound user is either missing attributes, or needs to select from multiple mapped accounts when accessing resources protected by ISAM or what is now IBM Security Verify Access.
Over on the ISAM blog on ibm.com, I've just completed an indepth article on using ISAM with a Single Paged Application. These are typically applications that use JavaScript, AJAX, Angular and other frameworks to make a very dynamic user experience on a website. Think of any site you've used where the whole page doesn't reload... Continue Reading →
My friend Leo has just posted details on how to make use of the OAuth provisioning APIs exposed via Infomap, you can take a look at the details here: https://www.ibm.com/blogs/security-identity-access/2018/06/oauth-building-developer-portal/ This is one of the best things you can do to enable your ISAM infrastructure to be easily consumed by your organizations developers. They can... Continue Reading →
Its not immediately obvious, and commonly misconstrued as an problem of disappearing tokens, but the OAuth grants in ISAM have a "Maximum" Grant lifetime, as opposed to an inactivity in a default API Definition. This means that when you request a Token - say via ROPC and you are using the default settings of an... Continue Reading →
In ISAM 9.0.4.0 the OIDC relying party was completely rewritten for increased flexibility. This has made it much easier to add support for Facebook Login into an ISAM Reverse Proxy instance. Here are the steps I've taken to authenticate into ISAM with Facebook. Pre-Conditions: ISAM 9.0.4.0 - Preconfigured Standard WebSEAL reverse Proxy with default configuration.... Continue Reading →
This article is no longer necessary, thanks to OOTB behavior available in ISAM 9.0.6 and later. See details here. In order to clean up the instantiation URLs generated by the authentication service, you can use a ISAM HTTP transformation rule. I've just completed two examples of this. Remove PolicyId static prefix: No static Prefix This... Continue Reading →
Since WeMo devices appear to be few and far between now in Australia, I thought I'd try the apparently "ZigBee" compatible Swann Devices for smart home automation. I was pleasantly surprised that it was incredibly easy to set up - and no Swann Hub is required. Plug in the device, and start searching for it... Continue Reading →
Just a quick post, but I've managed to get my Ring Spotlight cam light operated by my Alexa using a Custom Device type in my SmartThings hub. UPDATED: June 2018, fixed authentication API changes in the github code repo, and the postman collection has the new call too. Here is a copy of my... Continue Reading →
If you'd like to redirect after the completion of the login process from an InfoMap, you can set the equivalent of the EAI redirect header: eai-redir-url-header = am-eai-redir-url This can be done through the setting of the response token attribute: context.set(Scope.SESSION, “urn:ibm:security:asf:response:token:attributes”, “itfim_override_targeturl_attr”, "/someURL"); There is a technote showing this in other mapping rules here:... Continue Reading →
A simple post here - a quick guide on how you redirect to a specific url after logging out. In the ISAM reverse proxy, you can make use of the operation based Local Response Redirect, to send you to a specific location once you have logged out. To enable this, enable local response redirect, #--------------------------... Continue Reading →
HTTP Public Key Pinning is a header that allows you to pin a certificate to a host, consider it the next step after HSTS ISAM for Web & Sending Security HTTP Headers the solution isn't any different to send the header with WebSEAL. The HTTP Public-Key-Pins response header associates a specific cryptographic public key with... Continue Reading →
Philip Nye 