Some authentication scenarios require that the context data used in making an
access control decision be available during authentication. You can configure Security Access
Manager to capture that context data and make it available to the one-time password mapping
rules.
About this task
You can configure Security Access Manager to perform access control policy
evaluation when a resource is accessed. The evaluation can result in a permit with
authentication, where the required authentication is determined by the access control policy. Some
scenarios require that the context data used to make the access control decision also be available
during that authentication. To provide access to the access control context data, you can
persist the context information for the predefined authentication obligations that perform one-time
password authentication.
Note: The context data available is limited to the attributes referenced by
the access control policy and the request attributes provided by the policy enforcement point. If
the policy relies on the risk score to perform access control, the context data available also
includes the risk-profile attributes.
Procedure
-
Log in to the local management interface.
-
Click .
-
Select attributeCollection.authenticationContextAttributes.
-
Click
for the property.
-
In the text field, enter a comma-separated list of the attribute names to collect during
authorization policy evaluation.
For example, if your scenario requires the authentication level and the host of the request,
enter authenticationLevel, http:host.
The access control context data is provided to the one-time password mapping rules as context
attribute values, in the following format:
<stsuuser:Attribute name="AttributeName-AttributeURI"
 type="authn.service.context.attribute.type.AttributeDatatype">
 <stsuuser:Value>AttributeValue</stsuuser:Value>
</stsuuser:Attribute>
Where:
name is the attribute name and the attribute identifier (URI) separated by a dash (-).
type is the attribute data type prefixed by authn.service.context.attribute.type.
For example, the authenticationLevel attribute value is added as:
<stsuuser:Attribute name="authenticationlevel-urn-ibm:security:subject:authenticationlevel"
 type="authn.service.context.attribute.type.Integer">
 <stsuuser:Value>1</stsuuser:Value>
</stsuuser:Attribute>
Note that the name in the generated attribute is lowercase (authenticationlevel), so use it
exactly as shown when you look the attribute up in the mapping rule.
-
Click OK.
-
When you edit a property, a message indicates that there are undeployed changes. If you have
finished making changes, deploy them.
-
Configure the mapping rule to use the information collected by this property as the context
attribute.
-
Click Secure Access Control.
-
Under Policy, click Authentication.
-
Click Advanced.
-
Select and export the mapping rule.
-
Use a text editor and modify the rule to access the attributes collected during the access
control policy evaluation, using the following call:
var accessControlAttribute = contextAttributesAttributeContainer.getAttributeValueByNameAndType(
    "AttributeName-AttributeURI",
    "authn.service.context.attribute.type.AttributeDatatype");
Where:
the first argument is the attribute name and the attribute identifier separated by a dash (-).
the second argument is the attribute data type prefixed by authn.service.context.attribute.type.
For example, the authenticationLevel attribute can be obtained with:
var accessControlAuthenticationLevel = contextAttributesAttributeContainer.getAttributeValueByNameAndType(
    "authenticationlevel-urn-ibm:security:subject:authenticationlevel",
    "authn.service.context.attribute.type.Integer");
The call returns null when no attribute with exactly that name and type was collected, so the
rule must handle a missing value rather than assume the attribute is present.
-
Save the mapping rule and take note of its location.
-
In the local management interface, click Secure Access Control.
-
Under Policy, click Authentication.
-
Click Advanced.
-
Select the mapping rule you want to replace.
-
Click Replace. The Replace Mapping Rule panel opens.
-
Click the field or the Browse button and select the file for your saved
mapping rule.
Attention: The name of the mapping rule cannot be replaced. The name of the uploaded
file is ignored.
-
Click OK to upload the mapping rule.
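The attribute format and the mapping-rule lookup from the steps above, worked through as an added example. This is not IBM's code and not the product's runtime: it builds a stand-in container from a constructed stsuuser:Attribute fragment, offers on it the getAttributeValueByNameAndType call the page documents, and runs a hypothetical rule body over it that fails closed when the collected context is missing. The identifier used for the http:host attribute, the sample values, and the OTP delivery-method policy are assumptions, not anything the page states.

```javascript
// Added example, not IBM's code: a stand-in for the context attribute container
// an OTP mapping rule receives, built from a constructed stsuuser:Attribute
// fragment, plus a hypothetical rule body that reads the collected attributes.

const TYPE_PREFIX = "authn.service.context.attribute.type.";

// Attribute names as the rule sees them: "<name>-<uri>". The authentication
// level identifier is the one shown on the page; the http:host identifier is
// a placeholder assumption, since the page does not give it.
const AUTHN_LEVEL = "authenticationlevel-urn-ibm:security:subject:authenticationlevel";
const HTTP_HOST = "http:host-urn:example:request:host"; // placeholder, not a real identifier

// Constructed sample of what the runtime would pass after setting
// attributeCollection.authenticationContextAttributes to "authenticationLevel, http:host".
const SAMPLE_CONTEXT = `
<stsuuser:Attribute name="${AUTHN_LEVEL}" type="${TYPE_PREFIX}Integer">
  <stsuuser:Value>1</stsuuser:Value>
</stsuuser:Attribute>
<stsuuser:Attribute name="${HTTP_HOST}" type="${TYPE_PREFIX}String">
  <stsuuser:Value>www.example.com</stsuuser:Value>
</stsuuser:Attribute>`;

// Parse the fragment into a container that offers the documented lookup call.
function parseContextAttributes(xml) {
  const attrRe = /<stsuuser:Attribute\s+name="([^"]*)"\s+type="([^"]*)"\s*>([\s\S]*?)<\/stsuuser:Attribute>/g;
  const valueRe = /<stsuuser:Value>([\s\S]*?)<\/stsuuser:Value>/g;
  const table = new Map(); // "name\u0000type" -> [values]
  let m;
  while ((m = attrRe.exec(xml)) !== null) {
    const [, name, type, body] = m;
    const values = [];
    let v;
    while ((v = valueRe.exec(body)) !== null) values.push(v[1].trim());
    table.set(name + "\u0000" + type, values);
  }
  return {
    // First value of the attribute with exactly this name AND type, else null.
    // A name/type mismatch (Integer asked for as String) is therefore a miss.
    getAttributeValueByNameAndType(name, type) {
      const values = table.get(name + "\u0000" + type);
      return values && values.length > 0 ? values[0] : null;
    },
  };
}

// Hypothetical rule body: choose OTP delivery methods from the collected context.
// Missing context (attribute not referenced by the policy, or not supplied by the
// policy enforcement point) is treated as lowest assurance, never as "skip OTP".
function selectOtpMethods(contextAttributesAttributeContainer) {
  const rawLevel = contextAttributesAttributeContainer.getAttributeValueByNameAndType(
    AUTHN_LEVEL, TYPE_PREFIX + "Integer");
  const host = contextAttributesAttributeContainer.getAttributeValueByNameAndType(
    HTTP_HOST, TYPE_PREFIX + "String");
  if (rawLevel === null) {
    return { methods: ["sms"], level: null, host, reason: "authentication level not in context" };
  }
  const level = Number.parseInt(rawLevel, 10);
  if (!Number.isInteger(level) || level < 0) {
    throw new Error("unexpected authentication level value: " + rawLevel);
  }
  // Example policy (assumption): weaker sessions get SMS only; level 2 and above may also use email.
  const methods = level >= 2 ? ["sms", "email"] : ["sms"];
  return { methods, level, host, reason: "authentication level " + level };
}

// Stand-alone run over the constructed sample.
const container = parseContextAttributes(SAMPLE_CONTEXT);
console.log(selectOtpMethods(container));
```

Inside the product the container is supplied by the runtime and there is nothing to parse; the point of the stand-in is to exercise the two things a rule author needs to get right: the name/type pair must match exactly what was collected (including the lowercase name the page shows), and a null return must be handled deliberately.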