In a previous post, I shared a way to get headers in OTP mapping rules and in the AuthSvcCred Mapping rules. Since the infomap module is a little bit different, I have included an example of how you can do it there: Here is the output into my MACRO for easy debugging: User-Agent: Mozilla/5.0 (Macintosh;... Continue Reading →
Coinciding with the ISAM 9.0.2 release, we released version 1.2 of the IBM Mobile Security SDK for Android and iOS. ISAM SDK offers a platform library to: Authenticate users against ISAM with OAuth Works with OAuth for ISAM 8.0.1.3 onwards. Strong authentication Support Generate Soft Token One Time Passwords Time based OTP and Counter based... Continue Reading →
In ISAM 9.0.2, we released native appliance based capabilities to perform User Self Care Operations with ISAM. The user self care operations are built using the authentication service which means operations are modular, can easily be reordered or customised to suite your flow. Out of the box, there are three USC operations included: USC Account... Continue Reading →
Its possible to configure ISAM to listen on more than one network interface, more than one IP, and more than one set of ports. The easiest way to configure this, is in the LMI under the configuration settings for an individual reverse proxy instance: There are settings for: The IP to listen on. This must... Continue Reading →
ISAM introduced the concept of non-imported users which we named Basic users, or lite users depending on who you ask, back in 2014 with version 8.0.0.4. I still regularly receive a bunch of questions as to what this means from an architectural perspective, and most importantly, what are the advantages and disadvantages to this new... Continue Reading →
When performing an Authorization Code flow, or when performing an Implicit Grant flow, it may be necessary to get attributes out of the ISAM Session credential, and store them with your OAuth tokens. This is a quick guide to show how this can be done: Identify the request in the mapping rule Requests passing through... Continue Reading →
The ISAM OAuth implementation is exceedingly flexible. If you are just looking to do basic OAuth flows, then chances are you won't ever even look in these OAuth Mapping Rules. On the other hand, if you're looking to modify the behaviour of the OAuth flow to achieve OAuth nirvana, then these Mapping Rules are going... Continue Reading →
ISAM Advanced Access Control has a mechanism that allows a developer to convert an authenticated/valid OAuth Access token, into an authenticated ISAM session, that is using a cookie. There are two useful scenarios that this endpoint comes in handy: Hybrid Apps Where an OAuth authenticated native application wants to open a WebView, that is authenticated... Continue Reading →
In ISAM 9.0.1 it's possible to use a rich text email template for Email One Time Passwords. There is a knack to setting it up though, you need to add the HTML to the XML template file using CDATA tags like the example below:
The ISAM Reverse Proxy has a wealth of settings that can be configured. This means that almost every deployment situation can be catered for, but also means that its easy to overlook some settings that may give you grief. In this post, I've decided to capture some of the more important ones to help you... Continue Reading →
I had to write an XSL Stylesheet to modify a request parameter - I had to modify a request parameter in a TFIM SAML request from RelayState to Target, here is what I used changing request text from "something" to "another": <?xml version="1.0" encoding="UTF-8"?> <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"> <!-- This is a template stylesheet which should... Continue Reading →
Encountered a scenario last week, where I logged the user into ISAM using an AD Short name, but needed to use the email address as the SAML Principal name when logging into an external service (e.g. Pager Duty). The user's email address was populated as an attribute in Active Directory, and ISAM will automatically pull... Continue Reading →
Have been trying to setup an authentication service Mechanism to return a specific Authentication level into WebSEAL, and initially had some trouble, here is what you need to do: The important part are these lines: if (policyID.equals("urn:ibm:security:authentication:asf:hotp")) { stsuuAttrs.setAttribute(new Attribute("AUTHENTICATION_LEVEL", null, "5")); } Where you specify the policyID, and nominate the appropriate Authentication Level.... Continue Reading →
IBM Security Access Manager provides a set of capabilities that can be used for authentication and authorization of a client accessing API's and can be scoped to a user or clients needs. When you moving away from browser use cases, REST based API's depend less on session cookies and instead make use of security tokens.... Continue Reading →
In ISAM using the Local Response Redirect capability has traditionally been overkill when using it for an EAI for a login operation. The reason being, almost any error or management page that is traditionally handled by ISAM now gets redirected to your EAI. Including Login operations, Logout page, Stepup and other authentication related operations. It... Continue Reading →
