Access and Authentication

By Leo Farrell on September 11, 2018

OAuth: API Gateways and ISAM

Today we’re going to explore the ways in which API gateways can integrate with ISAM, their different OAuth roles, and the interfaces for token validation and verification exposed by ISAM as an authorization server. ISAM has both an Authorization Server available in the form of API protection, as well as […]

By Philip Nye on September 6, 2018

ISAM 9.0.5 – Now Docker Certified

We’re proud to announce that the ISAM container on Docker Store is now Docker Certified. What is Docker Certification? Certified Container: Independent Software Vendors (ISV) are able to package and distribute their software as containers directly to the end user. These containers are tested, built with Docker recommended best practices, are scanned for vulnerabilities, and are […]

By Leo Farrell on August 7, 2018

OAuth: SAML and JWT as a Grant Type

In an earlier article it was demonstrated how Security Access Manager supports RFC 7523 using JWT as a method for OAuth clients to make requests to OAuth endpoints which require authentication, such as /token and /introspect. However, there is another portion to this RFC which goes into detail on […]

By Philip Nye and Leo Farrell on July 30, 2018

ISAM and Single Paged (SPA) Applications

Updated: 13th May 2019 to discuss the content type aware responses in ISAM (9.0.6 release end of 2018) We’ve been having some conversations recently about the best way to achieve an authentication solution when implementing a single paged (SPA) app. In this piece we’re going to cover several recommendations, best practices and tweaks which can […]

By Leo Farrell on July 24, 2018

OpenID Connect: Request parameters via JWT

The OpenID Connect specification has an optional section which goes into detail on how a client can provide (via the browser) claims and OAuth parameters to /authorize as an alternative to query string or POST parameters. This is of note as it allows the client to provide a trusted set […]

By Leo Farrell on July 19, 2018

OAuth: JWT as an Access Token

The OAuth 2.0 specification does not go into great detail about token formats: “Access tokens can have different formats, structures, and methods of utilization (e.g., cryptographic properties) based on the resource server security requirements”. On IBM Security Access Manager (ISAM), access tokens issued are a short opaque string used as […]

By Leo Farrell on July 11, 2018

Introducing the LocalSTSClient

In IBM Security Access Manager 9.0, the Security Token Service (STS) from Federated Identity Manager (TFIM) was made available. The STS is essential when needing to transform a security token from one type to another. As usage of the STS has grown, we have seen adoption of simple security tokens such as JWT. The […]

By Leo Farrell on July 3, 2018

OAuth: Device Flows

Introduction to Device Flows: As IoT devices become more prevalent, so does the importance of the way these devices interact with user information and the web. These devices often need to call APIs which require authentication, but cannot offer a suitable form of user interaction for traditional authentication mechanisms such as username/password. […]

By Leo Farrell on June 18, 2018

OAuth: Dynamic Client Registration

When hosting services via API or propagating identities to relying parties, OAuth and OpenID Connect are an essential way of granting authentication and authorization to a consumer, on behalf of a user. Depending on the size of this provider, the number of consumers may be huge, so much so that it […]

By Leo Farrell on June 10, 2018

Monitoring: Federation and Advanced Access

Two major pieces of ISAM run on an application server instance running within the appliance. Something I am often asked is how an ISAM administrator gets meaningful information about the resource consumption of this application server while under load. In ISAM 9.0.4.0 a monitoring capability was added to the runtime […]

By Leo Farrell on June 3, 2018

OAuth: Building a developer portal

Create a self-service portal for OAuth clients to significantly reduce costs for ISAM administrators. OAuth as a protocol delegates the authorization decision to the resource owner, which means that the consumer of a given resource does not need to be explicitly permitted to access that resource up to the moment that […]
