Access and Authentication

ISAM Advanced Access Control Infomap to run info.js


In the past Level II Support has received Cases asking for various ways to force the running of the info.js script, which is needed for AAC device registration. The Knowledge Center section Configuring the attribute collection service notes to add the URL of info.js to the <head> block in the HTML landing page of your application. This may not always be possible. Adding the URL to the login.html page of WebSEAL can work, but it requires modifying default ACLs and only works for Forms login. We had yet another Case a few weeks ago in which a customer asked for a different way to do this, so I came up with an Infomap solution that is transparent to the user and can be used in various ways. This example shows the use case of accessing a resource as unauthenticated and then, after authentication, being sent to a landing page. Under the covers the info.js script is run and the attributes are collected. Go to Support’s GitHub at InfoJSLoader to download InfoJSLoader.js and InfoJSLoader.html. Be sure to update the URLs in the html file to point to your website.


Update the WebSEAL config file

[server]
maximum-followed-redirects = 4
follow-redirects-for = GET /mga/sps/authsvc*
follow-redirects-for = GET /jct/*

[azn-decision-info]
urn:ibm:security:custom:infojsloaded = cookie:AMWEBJCT!%2Fmga!ac.uuid

[user-attribute-definitions]
urn:ibm:security:custom:infojsloaded.datatype = string
urn:ibm:security:custom:infojsloaded.category = Environment

[acnt-mgt]
login-redirect-page = /jct/

[enable-redirects]
redirect = forms-auth

Set this if you are using SPNEGO or BA (basic authentication):

[session]
update-session-cookie-in-login-request = true

We will use the infojsloaded attribute to check whether info.js has been run. You may ask why not just use the already defined ac.uuid attribute? The reason is that ac.uuid is a built-in attribute and is not defined for use in AAC Policy.


Create the corresponding attribute in AAC

There is no need to provide an Issuer, because the attribute is supplied by the WebSEAL [azn-decision-info] configuration above.


Create the template page for the Infomap

Navigate to https://appliance_hostname/mga/template_files, create the directory, and upload the html file.

Create the mapping rule for the Infomap

Navigate to https://appliance_hostname/mga/mapping_rules and import InfoJSLoader.js. Name it InfoJSLoader.
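As an added example (not the InfoJSLoader.js from Support’s GitHub), here is a minimal two-phase Infomap mapping rule in the pattern this post relies on: the first call renders a template page that loads info.js, and the second call, which that page posts back once info.js has run, completes the mechanism. The template path, the infojsdone parameter and the attempt counter are assumptions; the ISAM globals (context, state, page, success, Scope) are passed in one object so the rule can also be exercised outside the appliance.

```javascript
// Added example of a two-phase Infomap rule; NOT Support's InfoJSLoader.js.
// Assumed template path and parameter name (adjust to your deployment).
var TEMPLATE_PAGE = "/authsvc/authenticator/infojsloader/InfoJSLoader.html";
var DONE_PARAM = "infojsdone";   // template page posts this back after info.js ran
var MAX_RENDERS = 2;             // stop looping if info.js never reports back

// env bundles the ISAM Infomap globals: context, state, page, success, Scope.
// Returns a short phase name so the decision can be checked outside ISAM.
function runInfoJsLoader(env) {
  var done = env.context.get(env.Scope.REQUEST,
    "urn:ibm:security:asf:request:parameter", DONE_PARAM);
  // state is a per-flow String map; absent keys read as null
  var renders = parseInt(env.state.get("infojs_renders") || "0", 10);

  // Phase 2: the page we rendered earlier has posted back after running info.js.
  // Requiring renders > 0 means a bare "infojsdone=true" cannot skip the page.
  if (done === "true" && renders > 0) {
    env.success.setValue(true);
    return "done";
  }

  // Safety valve: the browser never completed the page (script blocked, etc.).
  if (renders >= MAX_RENDERS) {
    env.success.setValue(false);
    return "failed";
  }

  // Phase 1: render the template page that includes info.js and self-submits.
  env.state.put("infojs_renders", String(renders + 1));
  env.page.setValue(TEMPLATE_PAGE);
  env.success.setValue(false);
  return "render";
}

// Inside ISAM the rule runs as a top-level script with these globals bound.
if (typeof context !== "undefined") {
  runInfoJsLoader({ context: context, state: state, page: page,
                    success: success, Scope: Scope });
}
```

Pair the rule with the infojsloaded check in the access control policy: the policy only sends a user through this mechanism when the attribute is missing, so the page is rendered once per browser rather than on every request.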


Create a new Authentication Mechanism

Navigate to https://appliance_hostname/mga/authentication and select the “Mechanisms” tab.

Select the “+” and create a new “Info Map Authentication”.

Move to the Properties tab and set:


Create a new Authentication Policy

Navigate to https://appliance_hostname/mga/authentication and select the “Policies” tab. The only Workflow Step is the InfoJSLoader mechanism.


Create an Access Control Policy

Navigate to https://appliance_hostname/mga/policy and select the “Policies” tab. Create a new Policy.


Attach the Policy to a Resource:


Let’s test out the Policy

I want to access https://isamotp.level2.org/jct/AAC_DRIVER.html unauthenticated. Here we show the browser has no cookies set for https://isamotp.level2.org:


Let’s access https://isamotp.level2.org/jct/AAC_DRIVER.html. I get prompted to authenticate:


I enter my credentials and get taken to my site’s dashboard. Note the AAC info.js related cookies.

This is a simple use case. When there is a more complex policy on specific resources that uses a riskScore, you will need to add the check for infojsloaded to make sure info.js has been run before the score is evaluated.

As with any security policy, thoroughly test and make sure this Infomap will work for your environment.
