
OAuth: Customizing the login page with Authentication Macros

When building an immersive authentication experience during an OAuth or OpenID Connect flow, knowing what was present in the authorization request is often essential to customizing that experience. When a user makes a request to /authorize, they are redirected through the Advanced Access Control and Federation authentication framework, which ends at a WebSEAL login page for the resource /sps/auth. That page normally carries no information about the SSO currently in progress. Often, /sps/auth is configured with Local Response Redirect (LRR) so that authentication is handed to an External Authentication Interface (EAI) for a custom experience beyond plain forms authentication. The EAI will frequently want to use values from the SSO request to decide how it behaves, but there is no obvious way of retrieving them.

ISAM does, however, have a capability which includes the SSO request in the redirect to /sps/auth, and therefore in the WebSEAL redirect to the EAI via LRR. Some administrators will be familiar with this pattern from TFIM; the same pattern is present in ISAM today. Three macros apply to OAuth:

Macro          Query parameter name   Description
%PARTNERID%    PartnerId              The client_id included in the request to /authorize
%TARGET%       Target                 The redirect_uri included in the request to /authorize
%SSOREQUEST%   SSORequest             A base-64 encoded string containing all of the parameters included in the request to /authorize

On ISAM, authentication macros are configured in the Point of Contact profile, which governs how the Federation and AAC services operate with the Reverse Proxy (it is also the profile you would change, for example, to use external users with federation services). The video below shows configuring the authentication macros in the LMI.

The login page

The login.html page may now be customized to display these values. Keep in mind that they arrive in the query string, so anyone who can get a user to follow a link controls them: write them into the page as text (textContent), never as HTML, and use them to shape the experience rather than as a substitute for the checks the OAuth flow itself performs on client_id and redirect_uri. The following snippets customize the login page to show the macros:

<head>...
<script>
// Parse a query string (with or without the leading '?') into a name/value map.
// Split on the first '=' only and URL-decode, so a redirect_uri containing '='
// or '%2F' survives intact. '+' is deliberately left alone: an unencoded
// base-64 '+' in SSORequest must not be turned into a space.
function parseQuery(search) {
  var dict = {};
  var query = search.charAt(0) === '?' ? search.slice(1) : search;
  if (!query) { return dict; }
  var parts = query.split("&");
  for (var i = 0; i < parts.length; i++) {
    var idx = parts[i].indexOf("=");
    var key = idx < 0 ? parts[i] : parts[i].slice(0, idx);
    var value = idx < 0 ? "" : parts[i].slice(idx + 1);
    dict[decodeURIComponent(key)] = decodeURIComponent(value);
  }
  return dict;
}

function onLoad() {
  var dict = parseQuery(window.location.search);

  var lookup = {"SSORequest":"ssorequest", "Target":"target", "PartnerId":"partnerid"};
  var labels = {"SSORequest":"SSO Request", "Target":"RedirectUri", "PartnerId":"Client Id"};
  for (var key in lookup) {
    if (dict[key] != null) {
      // textContent, not innerHTML: these values come straight from the URL
      // and must be shown as text, never interpreted as markup.
      document.getElementById(lookup[key]).textContent = labels[key] + ": " + dict[key];

      if (key == "SSORequest") {
        // SSORequest is the base-64 encoded /authorize query string;
        // decode it and unpack it with the same parser.
        var authorizeParams = parseQuery(atob(dict[key]));
        document.getElementById("ssorequest_unpacked").textContent =
          "Unpacked SSO Request: " + JSON.stringify(authorizeParams);
      }
    }
  }
}
</script>
...</head>

And somewhere in the <body>:

 
<body onload="onLoad()" >...
  <div id="target"></div><br>
  <div id="partnerid"></div><br>
  <div id="ssorequest"></div><br>
  <div id="ssorequest_unpacked"></div><br>
...</body>

Here is a video showing the above configuration and snippets in an OAuth flow:

The same pattern works with a custom application and Local Response Redirect: make sure the URL macro is enabled for local response redirect, so that the EAI receives the original /sps/auth request URL (query string included), and substitute that value for window.location.search in the JavaScript example above.
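As an added example (not code from the original article or from ISAM), the following Node-runnable JavaScript decodes the three macros the way an EAI or a custom login page would receive them, unpacks SSORequest into the original /authorize parameters, cross-checks PartnerId and Target against the client_id and redirect_uri packed inside SSORequest, and escapes the values for the one case where a template has to build markup. The parameter names follow the table above; the sample /authorize query and login URL are constructed for this example, and the exact encoding ISAM emits (parameter order, padding, URL-safe versus standard base-64) is an assumption the decoder tolerates rather than relies on.

```javascript
// Added example, not from the original article or from ISAM.
// Assumes the macros arrive as query parameters named PartnerId, Target and
// SSORequest, and that SSORequest is the base-64 encoding of the original
// /authorize query string. Sample data below is constructed.

// Parse a query string (with or without leading '?') into a name -> value map.
// Splits on the first '=' only and URL-decodes both halves, so a redirect_uri
// containing '=' or '%2F' round-trips. '+' is left as-is: a form-encoded space
// would need converting, but an unencoded base-64 '+' must not be.
function parseQuery(search) {
  const params = {};
  const query = search.startsWith("?") ? search.slice(1) : search;
  if (!query) return params;
  for (const part of query.split("&")) {
    const idx = part.indexOf("=");
    const rawKey = idx < 0 ? part : part.slice(0, idx);
    const rawValue = idx < 0 ? "" : part.slice(idx + 1);
    params[decodeURIComponent(rawKey)] = decodeURIComponent(rawValue);
  }
  return params;
}

// Base-64 helpers that work in Node and in the browser. Decoding tolerates the
// URL-safe alphabet and missing padding (defensive: the exact alphabet ISAM
// emits is an assumption here).
function base64Encode(s) {
  return typeof Buffer !== "undefined" ? Buffer.from(s, "utf8").toString("base64") : btoa(s);
}
function base64Decode(b64) {
  let s = b64.replace(/-/g, "+").replace(/_/g, "/");
  while (s.length % 4 !== 0) s += "=";
  return typeof Buffer !== "undefined" ? Buffer.from(s, "base64").toString("utf8") : atob(s);
}

// Decode the SSORequest macro back into the /authorize parameters.
function decodeSsoRequest(ssoRequest) {
  return parseQuery(base64Decode(ssoRequest));
}

// Minimal HTML escaping for when a template must build markup from these
// values. Prefer assigning them with textContent and skipping this entirely.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Read the three macros from a login URL and check that PartnerId/Target agree
// with client_id/redirect_uri inside SSORequest. A mismatch means the outer
// parameters did not come from the same authorization request and should not
// drive any customisation.
function describeLoginRequest(loginUrl) {
  const outer = parseQuery(new URL(loginUrl).search);
  const authorize = outer.SSORequest ? decodeSsoRequest(outer.SSORequest) : {};
  const consistent =
    Object.keys(authorize).length > 0 &&
    outer.PartnerId === authorize.client_id &&
    outer.Target === authorize.redirect_uri;
  return { clientId: outer.PartnerId, redirectUri: outer.Target, authorize, consistent };
}

// Constructed sample: an /authorize query string and the /sps/auth login URL
// the macros would produce from it (hostname and parameter order assumed).
const SAMPLE_AUTHORIZE_QUERY =
  "response_type=code&client_id=mobile-app" +
  "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb%3Fv%3D2" +
  "&scope=openid%20profile&state=xyz789";

function buildSampleLoginUrl(authorizeQuery = SAMPLE_AUTHORIZE_QUERY) {
  const a = parseQuery(authorizeQuery);
  return "https://www.example.com/sps/auth" +
    "?PartnerId=" + encodeURIComponent(a.client_id) +
    "&Target=" + encodeURIComponent(a.redirect_uri) +
    "&SSORequest=" + encodeURIComponent(base64Encode(authorizeQuery));
}

// The same link with a different PartnerId swapped in: the cross-check catches it.
function buildTamperedLoginUrl() {
  return buildSampleLoginUrl().replace("PartnerId=mobile-app", "PartnerId=other-client");
}

if (typeof require !== "undefined" && require.main === module) {
  const ok = describeLoginRequest(buildSampleLoginUrl());
  console.log("consistent:", ok.consistent, "client:", ok.clientId, "redirect:", ok.redirectUri);
  console.log("authorize params:", ok.authorize);
  console.log("tampered consistent:", describeLoginRequest(buildTamperedLoginUrl()).consistent);
  console.log("escaped:", escapeHtml('<img src=x onerror=alert(1)>'));
}
```

The functions apply unchanged when the values arrive through the URL macro of an LRR redirect rather than window.location: hand the forwarded /sps/auth URL to describeLoginRequest. When consistent is false, render the default login experience and ignore the macros; the authoritative validation of client_id and redirect_uri still happens in the OAuth flow, not in the login page.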

This concludes working with authentication macros. There are other ways to change the login experience during an SSO: Access Policy, a new feature in version 9.0.4.0, gives control at the time of authentication during an SSO.

Software Engineer - IBM Security Access Manager