IBM Verify: Displaying Custom Transaction Data

The release of IBM Verify v2.1.1 (iOS) and v2.1.0 (Android) brings new functionality that enhances the user experience when approving or denying a transaction. In this article I'll show you how to configure your IBM Security Access Manager (ISAM) mapping rule to send additional transaction information to IBM Verify.

Getting Started

Open the ISAM administration web console in a browser, then:

  1. Click Secure Access Control > Authentication
  2. Click the Advanced tab
  3. Select the mapping rule that triggers your MFA flow and click Edit

I’m using the MMFA Cookbook, so the mapping rule I’m editing is called DemoTransferAmount, shown below:

importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
// this has to be an attribute name, and appear in the advanced configuration property
// attributeCollection.authenticationContextAttributes so that it is made available
// from CBA authorization policy
var param = context.get(Scope.SESSION, "urn:ibm:security:asf:cba:attribute", "transferAmount");
IDMappingExtUtils.traceString("Received a transfer amount of: " + param);

if(param != null && param != "")
{
  var message = "You have a pending transaction amount of: $" + param;
  success.setValue(true);
  context.set(Scope.SESSION, "urn:ibm:security:asf:demo", "prompt", message);
  context.set(Scope.SESSION, "urn:ibm:security:asf:mmfa", "extras", '{"type": "transaction"}');
}

 

I'm going to add a static address so that it appears in IBM Verify when a transaction is displayed. Here is the updated JavaScript code:

importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
// this has to be an attribute name, and appear in the advanced configuration property
// attributeCollection.authenticationContextAttributes so that it is made available
// from CBA authorization policy
var param = context.get(Scope.SESSION, "urn:ibm:security:asf:cba:attribute", "transferAmount");
IDMappingExtUtils.traceString("Received a transfer amount of: " + param);


// Stand-in for a callout to a location service that determines the address.
// For this demo it returns a static address.
var location = function()
{
  return "Franklin Barbecue, 900 E 11th St, Austin, TX 78702, USA";
};

if(param != null && param != "")
{
  var message = "You have a pending transaction amount of: $" + param;
  success.setValue(true);
  context.set(Scope.SESSION, "urn:ibm:security:asf:demo", "prompt", message);
  context.set(Scope.SESSION, "urn:ibm:security:asf:mmfa", "extras", '{"type": "transaction", "originLocation" : "' + location() + '"}');
}

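While the example above uses a static address, you can get creative in determining where an event originated, typically based on an IP address. Once the value is no longer a fixed string, JSON-encode it rather than concatenating it into the extras string, because a quote character in the value would otherwise break the JSON.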

 

Transaction Output

In addition to originLocation, you can add other transaction attributes that are displayed at the top of the view, such as originIpAddress and originUserAgent. Other custom attributes (including emojis) are also passed to IBM Verify, but they are displayed at the bottom of the view.
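
The following is an added example, not code from the original post or from IBM: one way to build the extras value with JSON.stringify so that a quote or control character in originLocation, originIpAddress, originUserAgent or a custom attribute cannot break the JSON sent to IBM Verify. The names buildExtras, cleanValue, isValidJson and MAX_LEN are hypothetical, the sample values are constructed, and it assumes JSON.stringify is available in your mapping-rule engine.

```javascript
// Added example; helper names are hypothetical, sample values are constructed.
var MAX_LEN = 256; // assumed cap on displayed values, not an IBM Verify limit

// Coerce to a string, blank out control characters, trim, cap the length.
function cleanValue(value) {
  return String(value)
    .replace(/[\u0000-\u001f\u007f]/g, " ")
    .trim()
    .slice(0, MAX_LEN);
}

// Build the JSON text for the "extras" attribute from a plain object.
// "type" is always "transaction"; callers cannot override it.
function buildExtras(attrs) {
  var extras = { type: "transaction" };
  var keys = Object.keys(attrs);
  for (var i = 0; i < keys.length; i++) {
    var key = keys[i];
    var value = attrs[key];
    if (key === "type" || value === null || value === undefined) continue;
    var cleaned = cleanValue(value);
    if (cleaned !== "") extras[key] = cleaned;
  }
  return JSON.stringify(extras);
}

// The concatenation style used in the article, kept for comparison.
function buildExtrasByConcat(location) {
  return '{"type": "transaction", "originLocation" : "' + location + '"}';
}

// True if the text parses as JSON.
function isValidJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

// Constructed sample: an address with quotes, a user agent ending in CRLF.
var sample = {
  originLocation: 'Pit "Stop" Barbecue, 1 Example St, Austin, TX',
  originIpAddress: "203.0.113.7",
  originUserAgent: "Mozilla/5.0 (constructed sample)\r\n",
  orderRef: "A-1001" // custom attribute, shown at the bottom of the view
};

console.log("concatenated is valid JSON:", isValidJson(buildExtrasByConcat(sample.originLocation)));
console.log("stringified extras:", buildExtras(sample));
```

In the mapping rule, the string returned by buildExtras would be passed as the last argument of the context.set(Scope.SESSION, "urn:ibm:security:asf:mmfa", "extras", ...) call.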

 
