Configuring authentication

The appliance reverse proxy server can be configured to use the authentication service for authentication. The user is then required to complete an authentication policy flow whenever the Verify Identity Access policy (ACL or POP) requires the user to authenticate.

Procedure

  1. Configure the appliance using the isamcfg tool. See Using the isamcfg tool.
  2. Modify the appliance login.html so that it redirects the authentication request to the Verify Identity Access Authentication Service.
    1. Locate the login.html file on the appliance.
      For information about working with reverse proxy pages, see HTML server response page modification.
    2. Open the file in a text editor and insert a meta refresh tag that sends the request to the authentication service. Optionally, pass the Target query string parameter to indicate where to send the user agent after successful authentication; the example shows the default value.
      For example:
      <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
      <HTML>
      <HEAD>
      <meta http-equiv="refresh" content="2;url=https://<HOST>:<PORT>/<JUNCTION>/sps/authsvc?Target=%HTTPS_BASE%%URL_ENCODED%&PolicyId=<POLICY_ID>">
      <TITLE>Access Manager for Web Login</TITLE>
      </HEAD>
      <BODY BGCOLOR="#FFFFFF" TEXT="#000000">
      </BODY>
      </HTML>
      Where:

      HOST
        The host name for the reverse proxy instance.

      PORT
        The port number for the reverse proxy instance.

      JUNCTION
        The Advanced Access Control junction name. For example: mga.

      POLICY_ID
        The authentication policy identifier to execute when the user is requested to step up.

    The following example uses user name and password as the login mechanism:

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
    <HTML>
    <HEAD>
    <meta http-equiv="refresh" content="2;url=https://example.com/mga/sps/authsvc?Target=%HTTPS_BASE%%URL_ENCODED%&PolicyId=urn:ibm:security:authentication:asf:password">
    <TITLE>Access Manager for Web Login</TITLE>
    </HEAD>
    <BODY BGCOLOR="#FFFFFF" TEXT="#000000">
    </BODY>
    </HTML>
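    As an added check that is not part of the original documentation, the following Python script lints a login.html for the mistakes that most often break this step: a template placeholder such as <HOST> left in, a WebSEAL macro missing its closing %, a redirect that is not HTTPS, a path that is not the junction's sps/authsvc endpoint, or a missing PolicyId. The sample pages are constructed inline; example.com and the junction name mga are assumed values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the documented template with HOST/PORT/JUNCTION filled in.
# example.com and the junction name "mga" are assumed values.
SAMPLE_GOOD = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML><HEAD>
<meta http-equiv="refresh" content="2;url=https://example.com/mga/sps/authsvc?Target=%HTTPS_BASE%%URL_ENCODED%&PolicyId=urn:ibm:security:authentication:asf:password">
<TITLE>Access Manager for Web Login</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"></BODY></HTML>"""

# Constructed variant: the closing % of %URL_ENCODED% was dropped.
SAMPLE_BAD_MACRO = SAMPLE_GOOD.replace("%URL_ENCODED%&", "%URL_ENCODED&")

# Constructed variant: the <HOST>:<PORT> placeholders were never filled in.
SAMPLE_PLACEHOLDER = SAMPLE_GOOD.replace("example.com", "<HOST>:<PORT>")

PLACEHOLDER_RE = re.compile(r"<(HOST|PORT|JUNCTION|POLICY_ID)>")
MACRO_RE = re.compile(r"%[A-Z_]+%")          # WebSEAL macros look like %NAME%
EXPECTED_TARGET = "%HTTPS_BASE%%URL_ENCODED%"  # default Target from the procedure


class _RefreshCollector(HTMLParser):
    """Collects the url= part of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag.lower() != "meta":
            return
        if (attrs.get("http-equiv") or "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*(\S+)", attrs.get("content") or "", re.I)
        if m:
            self.urls.append(m.group(1))


def refresh_urls(html):
    """Return the redirect URLs of all meta refresh tags in the page."""
    parser = _RefreshCollector()
    parser.feed(html)
    parser.close()
    return parser.urls


def lint_login_page(html, junction="mga"):
    """Return a list of problems; an empty list means the redirect looks right."""
    if PLACEHOLDER_RE.search(html):
        return ["template placeholder (<HOST>, <PORT>, ...) still present"]
    urls = refresh_urls(html)
    if len(urls) != 1:
        return [f"expected exactly one meta refresh tag, found {len(urls)}"]

    url = urlsplit(urls[0])
    problems = []
    if url.scheme != "https":
        problems.append(f"redirect must use https, got {url.scheme!r}")
    if url.path != f"/{junction}/sps/authsvc":
        problems.append(f"path {url.path!r} is not /{junction}/sps/authsvc")

    # Every % in the query must belong to a %NAME% macro; a leftover % means a
    # macro such as %URL_ENCODED% lost its closing delimiter, so WebSEAL will
    # not substitute it and the user lands on a literal, broken Target.
    if "%" in MACRO_RE.sub("", url.query):
        problems.append("unbalanced WebSEAL macro in query string")

    # Split the query by hand: urllib would try to percent-decode the macros.
    params = dict(p.split("=", 1) for p in url.query.split("&") if "=" in p)
    if "Target" in params and params["Target"] != EXPECTED_TARGET:
        problems.append(f"Target should be {EXPECTED_TARGET}")
    if not params.get("PolicyId"):
        problems.append("PolicyId is missing or empty")
    return problems


if __name__ == "__main__":
    for name, page in [("good", SAMPLE_GOOD), ("bad macro", SAMPLE_BAD_MACRO),
                       ("placeholder", SAMPLE_PLACEHOLDER)]:
        print(name, "->", lint_login_page(page) or "OK")
```

    Run it against the login.html exported from the appliance before uploading the modified page; pass junction="..." if the Advanced Access Control junction is not named mga.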
  3. Restart the appliance.
  4. Verify the configuration:
    1. Create a test user account.
      For example:
      pdadmin> user create john cn=john,dc=iswga John Doe password
    2. Activate the account.
      For example:
      pdadmin> user modify john account-valid yes
    3. Create a test resource that is protected with the isam_mobile_anyauth ACL and place it in the document root of WebSEAL.
      For example:
      junction-root/test.html
      For information about working with reverse proxy pages, see HTML server response page modification.
    4. Attach the isam_mobile_anyauth ACL to the protected resource.
      For example:
      pdadmin> acl attach /WebSEAL/mga.example.com-default/test.html
                isam_mobile_anyauth
    5. Open a new browser session and try to access the test resource. You are forwarded to the authentication service endpoint, which starts the authentication policy.
    6. Enter the required credentials to complete the authentication policy. If you authenticate successfully, you are redirected to the test resource and can access its contents.