When you use ISAM for Mobile and access the User Self Service/User Self Care pages for managing OAuth grants, there is the option to delete and manage your grants: https://<ISAM for Mobile Host>/mga/sps/mga/user/mgmt/html/device/device_selection.html In earlier versions of ISAM for Mobile, the configuration prevented DELETE and PUT operations. This meant that WebSEAL would not allow the... Continue Reading →
ISAM for Mobile – ROPC OAuth Username and Password Validation
As of V8.0.1.0 of ISAM for Mobile, there is a helper class in the Javascript mapping rule for Resource Owner Password Validation against the configured LDAP server. There are a few steps required to configure it though. If you haven't configured it, you will receive the following error on attempting an ROPC flow: {"error":"mapping_error", "error_description":"com.tivoli.am.rba.exception.RBARuntimeException:... Continue Reading →
Get password from a Keystore Stash File
NOTE: The Keystash has been enhanced, and is no longer accessible this way. If you've lost your keystore password now - all bets are off. Sorry. On the other hand, if you at least have the stash, you can likely export the keys and move them into a new keystore of your choice, with a... Continue Reading →
TFIM SAML 2.0 Federation URL
Sample Federation URL: I make this post as much as a note to myself as for others. This URL will avoid using the Alias service, and initiate a HTTPPost SAML flow. https://<idpHost>/FIM/sps/<federationname>/saml20/logininitial?RequestBinding=HTTPPost&ResponseBinding=HTTPPost&NameIdFormat=Email&PartnerId=<ID for partner> Here are some additional notes from the IBM Knowledge Center: http://www-01.ibm.com/support/knowledgecenter/SSZSXU_6.2.2.6/com.ibm.tivoli.fim.doc_6226/admin/concept/handlingunspecifiednameid.html
ISAM for Mobile: Javascript Policy Information Points
Since 8.0.0.3 ISAM for Mobile has had the ability to call a Javascript Policy Information Point (PIP) during context based access (CBA, formerly risk based access - RBA) decisions for attribute enrichment. This capability is very flexible and can be used for many different purposes. Some examples include: Manipulating and extracting attributes from request headers.... Continue Reading →
ISAM for Web – WebSEAL – Firefox doesn’t ask for client certificate
Just spent a while troubleshooting why my browser wouldn't ask me for the client certificate even when I went to a certificate protected WebSEAL instance. After a while, I worked it out, and thought I'd make a note of it here. Title Note: It was actually happening on both Firefox AND Internet Explorer. Pre-conditions: forms-auth... Continue Reading →
ISAM for Web – WebSEAL – Stream EAI authentication response to browser
By default, when External Authentication Interface (EAI) authentication has been configured, and the authentication header is returned to WebSEAL by the backend application server, WebSEAL authenticates the user, and then generates a 302 redirect to either the cached request or the login redirect url. If you want the page returned to the browser but the... Continue Reading →
ISAM for Web – WebSEAL Certificate Mapping
Since the move to the ISAM for Web Appliance, certificate mapping for client authentication is performed by an XSL stylesheet mapping mechanism. Since it was not immediately obvious to me, I've included two examples here where the CN of the certificate is used as the username for the user in ISAM. Provide Full LDAP DN:... Continue Reading →
ISAM for Web and Mobile – OAuth Authentication and Sessions
[14 July, 2016] There have been a few updates to this article related to the ISAM 9.0.1 release, adding some enhancements for OAuth. This includes enhancements to the session lifetime, and session logout, also some technical updates regarding the use of DSC. 13 Jan, 20201 (Actually well before this) There was a change the DSC... Continue Reading →
Remove an ISAM for Web Response Header
If you want to hide a header from a junctioned server, it is possible to remove it using a HTTP Transformation rule. The steps to making a HTTP Transformation rule are fairly well documented here: http://www-01.ibm.com/support/knowledgecenter/SSPREK_8.0.0.4/com.ibm.isamw.doc_8.0.0.4/wrp_config/concept/con_http_transforms.html?lang=en On the appliance, you need to either create the XSL HTTP Transformation rule and upload it, or you can... Continue Reading →
CSC Update #5 – Helping in four weeks
#ibmcsc IBM strives hard to make the Corporate Service Corps so much more than a volunteer engagement with NGOs and local government groups around the world. They stress the importance that IBM is sending highly skilled consultants, not manual laborers. Or, to put it another way, we are there to make a difference to their organisation,... Continue Reading →
CSC Update #4 – On the ground at Anpuy
#ibmcsc In the last couple of years, the local council donated some land to the Foundation in the North of the city, in one of the lower socio economic regions of the city. (Many of the outer suburbs of Salta are lower socio economic). And they raised money to build their own dedicated building. Although... Continue Reading →
My team mate Stefanie has written a great blog post on her days in Salta and working with the Anpuy team. Take a read here!
Salta, a friendly repost!
CSC Update #3 – The official kickoff
#ibmcsc On the 5th of May, we had the official CSC kickoff with all the teams and their associated groups/foundations. For us it was the beginning of the real work, the day we met in person our 'clients' and the day we all realised that we'd like to know Spanish just a little bit better.... Continue Reading →
CSC Update #2 – Arriving in Salta
#ibmcsc The following day, we packed up our barely unpacked bags, and headed to the BA domestic airport, and another couple of delay hours later, arrived into Salta La Linda. Our first experience of Salta, was the fact that a huge soccer game was on, resulting in the taxi ride, that would normally be 6kms,... Continue Reading →
