IBM Security Access Manager What s in the box : InfoMap Authentication Mechanism IBM SECURITY SUPPORT OPEN MIC. 13 Dec 2017

Transcription

1 IBM Security Access Manager What s in the box : InfoMap Authentication Mechanism IBM SECURITY SUPPORT OPEN MIC 13 Dec 2017

2 IBM Security Learning Academy New content published daily! Learning at no cost! Learning Videos Hands-on Labs Live Events 2 IBM Security

3 Panelists Frank Klein: Gianluca Gargaro: Jon Harry: Phil Goodman: EMEA ISAM Support EMEA ISAM Support IAM Technical Sales Enablement EMEA ISAM Support 3 IBM Security

4 Goal of session Share some insight on what s available in Access Manager out of the box and how to use those features 4 IBM Security

5 Agenda What is going to be covered: WebSeal traditional EAI interface ISAM AAC Overview and Architecture InfoMap authentication mechanism InfoMap configuration example InfoMap troubleshooting 5 IBM Security

6 WebSeal traditional EAI interface

7 EAI advantage WebSeal CDAS interface: Library running in the same address space as WebSEAL C API interface - C coding required Only gets information passed through CDAS interface Cannot request additional information from user WebSEAL External Authentication Interface ( EAI ): Application running on a backend web server HTTP interface no constraint on language used EAI app has complete access to HTTP messages EAI app can implement multiple message exchanges with client 7 IBM Security

8 Authentication processing with CDAS INTRAPROCESS WebSEAL C API CDAS shared library Gather Authentication Data Authentication Data Verify/Process Data Build Credential AM User ID (Auth Level) (Attributes) Return AM User ID 8 IBM Security 8

9 Authentication processing with EAI JUNCTION WebSEAL HTTP EAI Gather Authentication Data Verify/Process Data Build Credential HTTP Headers : User info Attributes Control data Return AM User ID or PAC or External User Control data 9 IBM Security 9

10 WebSEAL EAI Authentication flow Client WebSEAL EAI Application Request for resource Re-direct to EAI Application Authn Trigger Authn Required Unauth Access Allowed Modified Login page or local-response-redirect Authn Trigger Continued 10 IBM Security 10

11 EAI allows multiple challenge/response exchanges Client WebSEAL EAI Application Response Response Repeat while authentication not complete Trigger Match No EAI Msg Trigger Match Build Credential Authenticated Session Challenge Challenge Identity EAI Message 11 IBM Security 11

12 Credential Build Strategies - 1 When using EAI authentication interface the following strategies are available to build a user credential: USERNAME: Username and Attributes headers returned. Reverse Proxy builds credential in standard way (with Groups and Attributes). Additional Attributes then added. User must exist in the SAM Registry. PAC: SAM Credential returned. Credential fully constructed by the EAI app. User does not have to exist in SAM Registry. No Group information is populated so no ACLs can be applied. EXTUSER: Username, Groups, and Attributes returned. Reverse Proxy builds credential without looking up Username so User does not have to exist in SAM Registry. Groups must exist in registry; they are dynamically added to credential. Group-based ACLs can be used. Attributes are added to credential. 12 IBM Security

13 Credential Build Strategies - 2 Header option USERNAME PAC EXTUSER credresponseheader <blank> am-eai-pac <blank> userresponseheader am-eai-user-id <blank> am-eai-ext-user-id attributesresponseheader am-eai-xattrs <blank> am-eai-xattrs groupsresponseheader <blank> <blank> am-eai-ext-user-groups Header names must match what is configured in the Reverse Proxy configuration file: [eai-auth] eai-auth = https eai-pac-header = am-eai-pac eai-user-id-header = am-eai-user-id eai-xattrs-header = am-eai-xattrs eai-ext-user-id-header = am-eai-ext-user-id eai-ext-user-groups-header = am-eai-ext-user-groups eai-redir-url-header = am-eai-redir-url 13 IBM Security

14 Landing Page if there is an existing session Client WebSEAL EAI Application Request Re-direct to EAI App Authn Required Cache Request Request to EAI App Challenge/Response(s) Use cache EAI Message Re-direct Cached URL Request for URL Authorize Cached Request 14 IBM Security

15 Landing Page specified in EAI Message Client WebSEAL EAI Application Request to EAI App Challenge/Response(s) Re-direct EAI URL No session EAI Message Request for URL Authorize Request for URL 15 IBM Security 15

16 ISAM AAC Overview and Architecture

17 Access Manager Packages SAM Appliance Management WLP WLP runtime SAM Advanced Access Control Authentication Service Context based access control Device registration/fingerprinting API Protection (OAuth 2.0) SAM Federation SAML 2.0 Open ID Connect SaaS Quick Connect Secure Token Service Authorization Server Policy Server Embedded LDAP Distributed Session Cache SAM Base Platform Web Reverse Proxy Layer 7 Load Balancer Web Threat Protection 17 IBM Security

18 Authentication Service Components HTTP In Authentication Engine OTP Mapping Rules Pause/Abort Reverse Proxy Challenge or Error page EAI Response Page Renderer (Template + Macros) AuthSvcCredential Mapping Rule Credential Generator Success (last mechanism) Policy Policy Start/ Success Result Pause Success Abort Session Credential parameters Request Context Credential Authentication Mechanism Authentication Mechanism Config Config 18 IBM Security

19 Authentication Policy An authentication policy is an ordered list of operations that need to be completed prior to the user being authenticated. The authentication policy specifies the following: An ordered list of authentication mechanisms to be executed The parameters for each authentication mechanism The attributes that should be part of the credential, if the policy completes Note: Authentication Policies don't HAVE to end in authentication This means they can be used for other things too (like user self care) 19 IBM Security

20 Authentication Mechanisms Authentication: SAM username and password MAC One time password via or SMS HOTP One time password TOTP One time password Knowledge-based Q&A RSA One time password Mobile Multi-Factor Authentication FIDO Universal 2nd Factor mechanism Self-Care Collect information ( , account data) Send (notify account name) Lookup account info (SCIM) Modify account info (SCIM) Integration HTTP Redirect to external Other login components: Accept Licence Agreement Consent to device registration Google recaptcha Customisation Java OSGi Plug-in JavaScript Module (InfoMap) 20 IBM Security

21 Direct Invocation Browser ISAM Reverse Proxy ISAM AAC Authentication Service Page containing link to trigger Authentication Service GET /mga/sps/authsvc?policyid=policyuri&target=/targeturi Execute Authentication Policy Redirect to /TargetURI Set EAI headers (includes redirect URI) 21 IBM Security

22 Invocation by SAM Advanced Access Control Policy Browser ISAM Reverse Proxy Access Policy Engine ISAM Advanced Access Control Authentication Service /Protected Resource Access Decision Request Permit with Authentication Redirect to: /mga/sps/authsvc?transactionid=x Access Decision (Authentication Obligation + Transaction ID) Generate Transaction ID Transaction ID CBA Attributes GET /mga/sps/authsvc?transactionid=x Session Context Execute Authentication Policy Set EAI headers /Protected Resource /Protected Resource Access Decision Request Access Decision (Permit) Permit /Protected Resource 22 IBM Security

23 InfoMap authentication mechanism

24 JavaScript InfoMap Mechanisms SAM now includes a new type of Authentication Mechanism the InfoMap. An InfoMap mechanism is a wrapper that executes JavaScript when it is called. Script InfoMap Mechanism Template File The InfoMap definition links to a JavaScript "Mapping Rule" and a Template File. Create a new InfoMap Mechanism by using the New icon under Authentication Mechanisms. A set of classes are automatically available to the JavaScript and other "helper" classes can be imported. JavaScript "InfoMap" "InfoMap" Script Template Template Page Page Mapping Rules Template Files 24 IBM Security

25 Reading and Writing Context Attributes To get an attribute from context: context.get(scope,namespace,name) To set an attribute in context: context.set(scope,namespace,name,value) Scope can be one of the following: Scope.REQUEST Scope.SESSION Namespace and name are strings It's a good idea to keep value as string otherwise you may have problems reading out again. Examples: var user = context.get(scope.request, urn:ibm:security:asf:request:parameter, uid ); var myheader = context.get(scope.request, urn:ibm:security:asf:request:header, myheader ); var groups = context.get(scope.request, urn:ibm:security:asf:request:token:attributes, groups ); var firstgroup = groups[0]; context.set(scope.session, urn:ibm:security:asf:response:token:attributes, username,user); 25 IBM Security

26 Controlling what happens next To return PAUSE: success.setvalue(false); An HTTP Response is sent using the specified Template File The macro contains the URL that will recall this authentication session This needs to include a form with method= POST and To return SUCCESS: success.setvalue(true); The Mechanism doesn t control the response in this case To return ABORT: success.endpolicywithoutcredential(); An HTTP Response is sent using the specified Template File The policy is ended so there macro is empty 26 IBM Security

27 Mechanism not complete Send HTTP Response InfoMap Config Mapping Rule: mymodule.js Template: / /myfile.html Auth Service Pause mymodule.js macros.put("@mymacro@","my Text"); success.setvalue(false); HTTP Response: Blah Blah My Text / /myfile.html Blah 27 IBM Security

28 Mechanism Complete InfoMap Config Mapping Rule: mymodule.js Template: / /myfile.html mymodule.js Auth Service Success success.setvalue(true); Call next mechanism or build credential 28 IBM Security

29 Policy Halt (no authentication) - Send HTTP Response InfoMap Config Mapping Rule: mymodule.js Template: / /myfile.html Auth Service Abort mymodule.js page.setvalue("/ /anotherfile.html"); macros.put("@mymacro@","my Text"); success.endpolicywithoutcredential(); / /anotherfile.html HTTP Response: Something My Text Also showing use of page.setvalue() to override specified template page 29 IBM Security

30 InfoMap configuration example

31 Multiple user-attribute login use case User can authenticate with ISAM account or Use ISAM registry Multiphase Authentication Three Strike policy 31 IBM Security

32 Multi user-attribute login configuration steps Create and add the HTML template pages onto the appliance Create and add the server-side javascript rule that implements the logic Create an instance of the InfoMap authentication mechanism that refers to your page template and javascript rule Create an authentication policy that uses your InfoMap authentication mechanism instance Configure WebSEAL and runtime for this scenario 32 IBM Security

33 Create and add the HTML template pages onto the appliance <html>. <div <form method="post" <input type="hidden" name="operation" value="verify"> <input id="userattr" type="text" name="userattr"> <input id="password" type="password" name="password"> <input class="submitbutton" type="submit" value="login"> </form>. </body> </html> 33 IBM Security

34 Create and add the server-side javascript rule that implements the logic -1 Instantiate a UserLookupHelper class Instantiate a counter for the 3 strike policy catch data from request ( template form post data ) 34 IBM Security

35 Create and add the server-side javascript rule that implements the logic - 2 Try to find the user based on ISAM uid and authenticate with password. In case of failed authentication, increase counter. 35 IBM Security

36 Create and add the server-side javascript rule that implements the logic - 3 If ISAM uid is not found, try searching for their address and authenticate with password. In case of failing authentication increase counter 36 IBM Security

37 Create and add the server-side javascript rule that implements the logic - 4 provide alternate page when 3 strike policy has been met 37 IBM Security

38 Create and add the server-side javascript rule that implements the logic - 5 import the javascript file 38 IBM Security

39 Create an instance of the InfoMap authentication mechanism that refers to your page template and javascript rule IBM Security

40 Create an instance of the InfoMap authentication mechanism that refers to your page template and javascript rule IBM Security

41 Create an authentication policy that uses your InfoMap authentication mechanism instance 41 IBM Security

42 Configure WebSEAL and runtime for this scenario - 1 Authentication Service is invoked through a direct HTTP request via meta refresh in the login.html ( or stepup.html ) 42 IBM Security

43 Configure WebSEAL and runtime for this scenario IBM Security

44 InfoMap troubleshooting

45 Troubleshooting tips Enable pdweb.debug and pdeb.snoop to trace EAI flow Enable AAC runtime trace to see what s happening at runtime Use IDMappingExtUtils.traceString() in the mapping rule 45 IBM Security

46 EAI flow broken IBM Security

47 EAI flow broken :15: :00I----- thread(8) trace.pdweb.debug:2 /home/webseal/ /src/pdweb/webseald/ras/trace/debug_log.cpp:175: PD ===> BackEnd Thread ; fd 27; local :56009; remote :443 POST /sps/authsvc?stateid=c783e8a9-af22-425d-8100-bb346dd3b40a HTTP/ :15: :00I----- thread(8) trace.pdweb.debug:2 /home/webseal/ /src/pdweb/webseald/ras/trace/debug_log.cpp:219: Browser <=== PD Thread ; fd 23; local :81; remote :53095 HTTP/ Internal Server Error 47 IBM Security

48 EAI flow broken - 3 POST /sps/authsvc?stateid=c783e8a9-af22-425d-8100-bb346dd3b40a HTTP/1.1 iv-user: Unauthenticated referer: operation=verify&userattr=pippo%40secsupport.it&password=madrid :15: BackEnd ( :443) to WebSEAL ( :56009) sending 394 bytes HTTP/ OK am-eai-user-id: fim am-eai-xattrs: authenticationtypes,authenticationmechanismtypes,isam id authenticationtypes: urn:ibm:security:authentication:asf:imapmultiatt authenticationmechanismtypes: urn:ibm:security:authentication:asf:mechanism:infomapmultiattr ISAM id: pippo :15: WebSEAL ( :81) to Client ( :53095) sending 2156 bytes HTTP/ Internal Server Error 48 IBM Security

49 EAI flow broken IBM Security

50 Runtime exception case 1 50 IBM Security

51 Runtime exception case 1 ( cont ) 51 IBM Security

52 Runtime exception case 2 52 IBM Security

53 Questions for the panel Now is your opportunity to ask questions of our panelists. To ask a question now: Raise your hand by clicking Raise Hand. The Raise Hand icon appears next to your name in the Attendees panel on the right in the WebEx Event. The host will announce your name and unmute your line. or Type a question in the box below the Ask drop-down menu in the Q&A panel. Select All Panelists from the Ask drop-down-menu. Click Send. Your message is sent and appears in the Q&A panel. To ask a question after this presentation: You are encouraged to participate in the dw Answers forum: < 53 IBM Security

54 THANK YOU FOLLOW US ON: facebook.com/ibmsecuritysupport SecurityLearningAcademy.com securityintelligence.com xforce.ibmcloud.com Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.