This is a bit of an ancient feature, but one I hadn't touched for a while. I wanted a domain cookie in my deployment, I had a Virtual Host and a standard host. host1.example.comhost2.example.com (A virtual Host). And I was struggling to get the login process (via AAC and the identifier first authentication) on the... Continue Reading →
Sometimes you might want to put your own enrollment process into an authentication service flow. This might be for Just in time enrollment, or some other reason. I quickly prototyped this out using an infomap, and just want to put it here for reference later. In short, it uses the easy native functions to detect... Continue Reading →
IBM Security Verify Access (ISVA) (formerly IBM Security Access Manager - ISAM) has been around for a fair while, and has made a series of assumptions over it's time, starting fresh, you might not make those assumptions if you were deploying ISVA today. Upgrades for existing customers rarely bring onboard these changes to avoid backwards... Continue Reading →
A simple post here - a quick guide on how you redirect to a specific url after logging out. In the ISAM reverse proxy, you can make use of the operation based Local Response Redirect, to send you to a specific location once you have logged out. To enable this, enable local response redirect, #--------------------------... Continue Reading →
HTTP Public Key Pinning is a header that allows you to pin a certificate to a host, consider it the next step after HSTS ISAM for Web & Sending Security HTTP Headers the solution isn't any different to send the header with WebSEAL. The HTTP Public-Key-Pins response header associates a specific cryptographic public key with... Continue Reading →
Received a question related to the 'art' of making an attribute that is multivalued for the purpose of a SAML Mapping rule, but this is still relevant when using Infomap, OAuth or even the AuthSvcCred mapping rules. When we are writing the JavaScript mapping rules, the engine wants to make JavaScript objects, this is useful... Continue Reading →
Coinciding with the ISAM 9.0.2 release, we released version 1.2 of the IBM Mobile Security SDK for Android and iOS. ISAM SDK offers a platform library to: Authenticate users against ISAM with OAuth Works with OAuth for ISAM 8.0.1.3 onwards. Strong authentication Support Generate Soft Token One Time Passwords Time based OTP and Counter based... Continue Reading →
Its possible to configure ISAM to listen on more than one network interface, more than one IP, and more than one set of ports. The easiest way to configure this, is in the LMI under the configuration settings for an individual reverse proxy instance: There are settings for: The IP to listen on. This must... Continue Reading →
In ISAM 9.0.1 it's possible to use a rich text email template for Email One Time Passwords. There is a knack to setting it up though, you need to add the HTML to the XML template file using CDATA tags like the example below:
The ISAM Reverse Proxy has a wealth of settings that can be configured. This means that almost every deployment situation can be catered for, but also means that its easy to overlook some settings that may give you grief. In this post, I've decided to capture some of the more important ones to help you... Continue Reading →
I had to write an XSL Stylesheet to modify a request parameter - I had to modify a request parameter in a TFIM SAML request from RelayState to Target, here is what I used changing request text from "something" to "another": <?xml version="1.0" encoding="UTF-8"?> <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"> <!-- This is a template stylesheet which should... Continue Reading →
Encountered a scenario last week, where I logged the user into ISAM using an AD Short name, but needed to use the email address as the SAML Principal name when logging into an external service (e.g. Pager Duty). The user's email address was populated as an attribute in Active Directory, and ISAM will automatically pull... Continue Reading →
Have been trying to setup an authentication service Mechanism to return a specific Authentication level into WebSEAL, and initially had some trouble, here is what you need to do: The important part are these lines: if (policyID.equals("urn:ibm:security:authentication:asf:hotp")) { stsuuAttrs.setAttribute(new Attribute("AUTHENTICATION_LEVEL", null, "5")); } Where you specify the policyID, and nominate the appropriate Authentication Level.... Continue Reading →
IBM Security Access Manager provides a set of capabilities that can be used for authentication and authorization of a client accessing API's and can be scoped to a user or clients needs. When you moving away from browser use cases, REST based API's depend less on session cookies and instead make use of security tokens.... Continue Reading →
In ISAM using the Local Response Redirect capability has traditionally been overkill when using it for an EAI for a login operation. The reason being, almost any error or management page that is traditionally handled by ISAM now gets redirected to your EAI. Including Login operations, Logout page, Stepup and other authentication related operations. It... Continue Reading →
Philip Nye 