Over on the ISAM blog on ibm.com, I've just completed an indepth article on using ISAM with a Single Paged Application. These are typically applications that use JavaScript, AJAX, Angular and other frameworks to make a very dynamic user experience on a website. Think of any site you've used where the whole page doesn't reload... Continue Reading →
Build an ISAM developer Portal for OAuth Grants
My friend Leo has just posted details on how to make use of the OAuth provisioning APIs exposed via Infomap, you can take a look at the details here: https://www.ibm.com/blogs/security-identity-access/2018/06/oauth-building-developer-portal/ This is one of the best things you can do to enable your ISAM infrastructure to be easily consumed by your organizations developers. They can... Continue Reading →
ISAM OAuth Inactivity
Its not immediately obvious, and commonly misconstrued as an problem of disappearing tokens, but the OAuth grants in ISAM have a "Maximum" Grant lifetime, as opposed to an inactivity in a default API Definition. This means that when you request a Token - say via ROPC and you are using the default settings of an... Continue Reading →
ISAM Facebook Login with OIDC Relying Party
In ISAM 9.0.4.0 the OIDC relying party was completely rewritten for increased flexibility. This has made it much easier to add support for Facebook Login into an ISAM Reverse Proxy instance. Here are the steps I've taken to authenticate into ISAM with Facebook. Pre-Conditions: ISAM 9.0.4.0 - Preconfigured Standard WebSEAL reverse Proxy with default configuration.... Continue Reading →
Simpler ISAM Authentication Service URLs
In order to clean up the instantiation URLs generated by the authentication service, you can use a ISAM HTTP transformation rule. I've just completed two examples of this. Remove PolicyId static prefix: This transformation removes the need to have a long static prefix at the beginning of the URL query string parameter you call to... Continue Reading →
ISAM – Redirect on Logout or show login page on logout
A simple post here - a quick guide on how you redirect to a specific url after logging out. In the ISAM reverse proxy, you can make use of the operation based Local Response Redirect, to send you to a specific location once you have logged out. To enable this, enable local response redirect, #--------------------------... Continue Reading →
HTTP Public Key Pinning Header with ISAM and WebSEAL
HTTP Public Key Pinning is a header that allows you to pin a certificate to a host, consider it the next step after HSTS ISAM for Web & Sending Security HTTP Headers the solution isn't any different to send the header with WebSEAL. The HTTP Public-Key-Pins response header associates a specific cryptographic public key with... Continue Reading →
ISAM – Infomap – Any alias authentication
A number of customers like to use various alias's to authenticate into ISAM, up until recently, the primary way of achieving this, is via a Custom EAI, or some elaborate LDAP hackery. Infomap, and the UserHelper capabilities, makes this a much easier affair. Here is an example, where we use the infomap to authenticate based... Continue Reading →
ISAM JavaScript – Making Multi value Attributes
Received a question related to the 'art' of making an attribute that is multivalued for the purpose of a SAML Mapping rule, but this is still relevant when using Infomap, OAuth or even the AuthSvcCred mapping rules. When we are writing the JavaScript mapping rules, the engine wants to make JavaScript objects, this is useful... Continue Reading →
ISAM create a new OTP Mechanism
I wanted to make a new OTP Mechanism that was called by a JavaScript REST call - that wasn't the SMS mechanism in the box. In this example - I tested it with Boxcar - an iOS App that lets you send Push notifications with a simple REST call. To add a custom mechanism to... Continue Reading →
Get Headers and Cookies in JavaScript InfoMap Mechanism
In a previous post, I shared a way to get headers in OTP mapping rules and in the AuthSvcCred Mapping rules. Since the infomap module is a little bit different, I have included an example of how you can do it there: Here is the output into my MACRO for easy debugging: User-Agent: Mozilla/5.0 (Macintosh;... Continue Reading →
IBM Security Mobile Access SDK
Coinciding with the ISAM 9.0.2 release, we released version 1.2 of the IBM Mobile Security SDK for Android and iOS. ISAM SDK offers a platform library to: Authenticate users against ISAM with OAuth Works with OAuth for ISAM 8.0.1.3 onwards. Strong authentication Support Generate Soft Token One Time Passwords Time based OTP and Counter based... Continue Reading →
Password Reset with ISAM User Self Care
In ISAM 9.0.2, we released native appliance based capabilities to perform User Self Care Operations with ISAM. The user self care operations are built using the authentication service which means operations are modular, can easily be reordered or customised to suite your flow. Out of the box, there are three USC operations included: USC Account... Continue Reading →
Configure ISAM to listen on multiple interfaces and ports
Its possible to configure ISAM to listen on more than one network interface, more than one IP, and more than one set of ports. The easiest way to configure this, is in the LMI under the configuration settings for an individual reverse proxy instance: There are settings for: The IP to listen on. This must... Continue Reading →
ISAM Basic Users (aka Lite Users) vs Federated ISAM users
ISAM introduced the concept of non-imported users which we named Basic users, or lite users depending on who you ask, back in 2014 with version 8.0.0.4. I still regularly receive a bunch of questions as to what this means from an architectural perspective, and most importantly, what are the advantages and disadvantages to this new... Continue Reading →