June 22, 2019 | Written by: shane.weeden
Categorized: FIDO2 | General Technical | ISAM
Share this post:
This week I am excited to share that IBM has just released the latest version of IBM Security Access Manager (version 126.96.36.199). As usual, the best place to find out what’s new, is the What’s new in this release page, however two things stand out as significant new features:
- FIDO2 and WebAuthn authentication services
- API-friendly WebSEAL enhancements
FIDO2 and WebAuthn
In September of 2018 IBM was issued with FIDO2 certification for a component we called the IBM FIDO Service 2.0. This component has now been embedded into ISAM, bringing the ability for ISAM customers to realise both browser-based (via WebAuthn) and thick client (e.g. native mobile) authentication via FIDO2. I will be blogging more about FIDO2 scenarios soon, including how to set it up in ISAM and what I believe are some of the key differentiating features of our implementation, but in the meantime I would encourage you to try out the end-user experiences for registration and authentication (including username-less login) on our demonstration site:
These videos (made last year just after certification) give you an idea of the experiences:
Some of the browser experiences are now much better than when these videos were made. The browser support for WebAuthn and FIDO2 resident keys are evolving, so keep in mind that your exact experience may be a little different than shown. There is also a much wider variety of security key vendors in the market than those I’ve built demonstration videos for – take a look at the FIDO Alliance Certified Products page (filter on Specification=FIDO2, Type=Authenticator) to see plenty more. You’ll also find our IBM implementation in the certified FIDO2 Server list on that same page.
Besides browser-based registration and login using WebAuthn, the FIDO2 service in ISAM also exposes JSON/HTTPS web services endpoints for relying-parties to leverage. This allows, for example, a backend application supporting a native mobile application to use the ISAM FIDO2 service to facilitate all the message exchanges required for the FIDO2 registration and authentication ceremonies. ISAM will manage all FIDO2 challenge generation, validation and processing as well as lifecycle management of the registration credentials (public keys).
Finally, IBM recently joined the FIDO Alliance as a sponsor member and we are actively involved in progressing these standards. If you are interested in deploying FIDO2 in your organization, please reach out and I or someone from our team will be happy to help!
API WebSEAL enhancements
Historically the web reverse proxy component of ISAM (aka WebSEAL) has serviced browsers dealing with HTML content. WebSEALs bread and butter has been in URL and HTML filtering and re-writing services. The modern web application has changed significantly – in my opinion led by two major events in technical history – the proliferation of smartphones, and single-page browser applications. Both these types of client applications transact with APIs rather than HTML, most commonly JSON/HTTP APIs.
To cater for this shift in the format of client traffic, WebSEAL is also undergoing change to be more friendly to the proxying, authentication and authorization needs of API-based applications. This started quite some time ago with the inclusion of OAuth support in the product, and continues to evolve with features in more recent releases such as content-type-aware response page templates, and rate limiting.
In ISAM 9.0.7 more investment has been made in API-friendly WebSEAL features including:
- The ability to do simple POP-based authorization on any arbitrary credential attributes rather than needing to call out to a context-based access policy. This allows, for example, oauth token scope to be used as an authorization control inside WebSEAL with no external services.
- The ability to author separate authentication and authorization policy on HTTP methods (GET, PUT, POST, DELETE, etc)
- An easy way to define front-end vs back-end URLs for an API. E.g. I can very simply map /myservice on the front of WebSEAL to /jct/app/someservice on the back.
All this API management is done using an intuitive GUI in the management console, and the primitives used to deliver these capabilities (such as HTTP transformation rules, POPs, ACLs, and custom object space definitions) are all authored and managed for you automatically by ISAM. I would encourage anyone integrating an API-based application into an ISAM-protected environment to check it out!
All things considered, this is an exciting release for us at IBM and we hope you take the chance to try out these new features soon.