Slide 1: ISAM APPLIANCE (FEDERATION) ADMINISTRATION
5/20/2018
Virag Patel, IBM Security Support
Slide 2: Agenda
- Introduction
- Discuss REST API with demo
- CLI usage
- LMI usage
- Supported federation types
- Configure reverse proxy instance (WebSEAL) as point of contact (PoC)
- Mapping rules
- Template files
- Troubleshooting and logs/trace analysis
Slide 3: Introduction
- The federation module is available from ISAM appliance v9.0.0 and later.
- The federation module provides federated single sign-on for users across multiple applications and different domains, so that users do not have to manage multiple user IDs and passwords.
Slide 4: Available interfaces
- REST API: RESTful web services are used to manage and automate the configuration of federations and partners. They make it easy to deploy a new configuration or update an existing one while managing multiple environments.
- LMI console (Local Management Interface): a web interface for managing the ISAM appliance.
- CLI (command line interface, limited functionality): accessible via SSH on port 22.
Slide 5: REST API
Manage federations
- Create/delete/update federation configuration
- Create/delete/update partner configuration
- Export/import federation and partner configuration
- Retrieve existing federation and partner configuration
Manage STS modules and chains
- Create/delete/update STS chain
- Retrieve existing STS chain configuration
- Retrieve list of STS module instances and types
Manage alias services
Manage attribute sources
Manage point of contact profiles
Slide 6: List federations
Scripting against the Federation REST API helps to automate the configuration of federations. Download the REST API documentation using the LMI.

$ curl -k -u <user>:<password> -X GET -H 'Accept: application/json' https://<appliance>/<federations-endpoint>

[JSON response, garbled in extraction: an array of federation objects. The one shown has protocol SAML2_0, role ip, name saml20idp, companyName "idp company", the pointOfContactUrl, manageNameIDService, singleLogoutService, artifactResolutionService and singleSignOnService endpoints (artifact, post, redirect and soap bindings), signingOptions with every sign* flag false, signingKeyIdentifier and decryptionKeyIdentifier pointing at keystore rt_profile_keys / label server, keyInfoElements, identityMapping via the default-map delegate with a JavaScript rule reference, assertionSettings of 300 s before and after, the supported nameIDFormat list, sessionTimeout 7200, needConsentToFederate false and messageValidTime 300. The endpoint URLs were not captured.]
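As an added example (not from the presentation or from IBM), this script fetches the federation list the same way the curl command above does and then audits the signingOptions and assertionSettings of each federation, which is the part of that JSON a reviewer would check first. The REST path /iam/access/v8/federations, the hostname and the credentials are assumptions/placeholders, and SAMPLE_RESPONSE is a constructed, shortened copy of the slide's output.

```python
# Added example (not IBM code): list federations like the curl call above and
# audit signing settings. Endpoint path, host, credentials: placeholders.
import base64
import json
import urllib.request

# Constructed sample, shortened from the slide's JSON (URLs omitted).
SAMPLE_RESPONSE = """[{"protocol": "SAML2_0", "role": "ip", "name": "saml20idp",
  "configuration": {
    "signingOptions": {"signAssertion": false, "signAuthnResponse": false,
                       "signLogoutRequest": false, "signLogoutResponse": false},
    "assertionSettings": {"assertionValidAfter": 300, "assertionValidBefore": 300},
    "sessionTimeout": 7200, "messageValidTime": 300}}]"""

def fetch_federations(base_url, user, password):
    """GET the federation list with basic auth; the path is an assumption."""
    req = urllib.request.Request(base_url + "/iam/access/v8/federations",
                                 headers={"Accept": "application/json"})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    # Unlike 'curl -k', urlopen verifies the appliance certificate by default.
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def audit_federation(fed, max_skew=300):
    """Return findings for one federation object; an empty list means clean."""
    findings = []
    cfg = fed.get("configuration", {})
    signing = cfg.get("signingOptions", {})
    if fed.get("role") == "ip":
        # An IdP should sign the assertion, the AuthnResponse, or both.
        if not (signing.get("signAssertion") or signing.get("signAuthnResponse")):
            findings.append("neither the assertion nor the AuthnResponse is signed")
        for opt in ("signLogoutRequest", "signLogoutResponse"):
            if not signing.get(opt):
                findings.append(f"{opt} is disabled")
    window = cfg.get("assertionSettings", {})
    skew = max(window.get("assertionValidAfter", 0), window.get("assertionValidBefore", 0))
    if skew > max_skew:  # review threshold chosen for this example
        findings.append(f"assertion validity skew {skew}s exceeds {max_skew}s")
    return findings

def audit_all(feds):
    """Map each federation name to its findings."""
    return {f["name"]: audit_federation(f) for f in feds}

def audit_sample():
    """Run the audit over the constructed sample response."""
    return audit_all(json.loads(SAMPLE_RESPONSE))
```

Point audit_all at fetch_federations() output to run the same checks against a live appliance.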
Slide 7: CLI console
Very useful when the LMI console is not available:
- Reset the network configuration to restore the service
- Real-time log monitoring while troubleshooting an error: isam logs monitor
- Create an IBM Support file and manage logs
Slide 8: First step: using the LMI console
- Download the activation key from IBM Passport Advantage Online
- Import the key into the ISAM appliance using the LMI console
Slide 9: Network configuration
- Set the IP address for the ISAM federation runtime
- Set the SSL/non-SSL port
- Verify the ISAM federation runtime by calling one of the WS-Trust web services: <ip address>/TrustServerWS/SecurityTokenService
- Provide the default basic authentication credentials 'easuser' and 'passw0rd'
Slide 10: Verify runtime status: standalone and cluster
Slide 11: Supported federation types
- SAML 2.0
- SAML 2.0 (Quick Connect)
- OpenID Connect
Slide 12: How to create federations (SAML 2.0/OpenID Connect)
Navigation: LMI -> Secure Federation -> Manage -> Federations
What can be done?
Federations
- Add a SAML 2.0 or OpenID Connect based federation (identity provider or service provider)
- Edit an existing federation
- Delete existing federations
- Export the metadata configuration file in XML format
Partners
- Add OpenID Connect or SAML 2.0 based partners
- Edit partner configurations (also used to enable a disabled partner)
- Delete a partner
- Disable a partner
Slide 13: Federations
Screenshot to demonstrate LMI -> Secure Federation -> Manage -> Federations
Slide 14: SAML 2.0 (Quick Connect)
Connectors available for SAML 2.0: navigate to Secure Federation -> Global Settings -> Partner Templates
Slide 15: Mapping rules
- JavaScript-based mapping rules for SAML and OpenID Connect
- For SAML you manipulate the STSUU (Security Token Service Universal User) to map identities
- For OpenID Connect you manipulate the claims
- Navigation: LMI -> Secure Federation -> Global Settings -> Mapping Rules
- The appliance comes with default mapping rules
Slide 16: Mapping rules
Slide 17: Configure reverse proxy as point of contact server
- The WebSEAL instance at the identity provider authenticates the user and issues tokens
- The WebSEAL instance at the service provider consumes the token and performs single sign-on to give access to protected resources
- Create at least one federation before you configure WebSEAL as point of contact
- The /isam junction and the required ACLs are created and configured
Configuration steps:
(1) ISAM runtime details
(2) Select federation name
(3) ACL and certificate reuse
Slide 18: Template files
HTML files that are provided with the appliance and contain elements such as fields, text or graphics, and sometimes macros that are replaced with information specific to the request or used to provide a response to the request. HTML pages are used for the following purposes:
- Displaying success and error messages to users
- Asking users for confirmation
- Sending SAML messages
You can customize these HTML pages so that they display what you want. The pages contain macros and are similar to other HTML pages in Security Access Manager. A macro is text in an HTML page that is replaced with context-specific information; for example, one macro is replaced by text that describes the error that occurred.
Slide 19: Troubleshooting
- Increase the tracing level
- Trace components
Slide 20: Logs and traces
You can monitor the log files using the CLI, the LMI console or the REST API.
Slide 21: Mandatory closing slide with copyright and legal disclaimers.