02-Feb-2018 18:30

The user typically authenticates to OAM when requesting the HTML page.

The AJAX-like calls also go through the Webgate. An authorization policy is triggered and the identity assertion is issued back to the Webgate, which adds it to the outgoing request to the service endpoint.

We want to protect the services and the HTML page itself with OAM.

Verifying the digital signature seems good enough for the vast majority of services, since a compromised OAM private key already means a serious disaster.

But if for some reason we really need to cross-check the session id, one idea is to do it selectively, based on some custom attribute in the identity assertion itself.

From OAM’s perspective, the point to consider here is that a REST service is no different from a traditional web-based resource typically secured by OAM.

The diagram below illustrates the REST service invocation.

The screenshot below shows the adding of the user “mail” attribute.

For an overall discussion on Policy Responses, look at Introduction to Policy Responses for SSO.

Here’s what it looks like:

[Base64-encoded value omitted]

A few important aspects to notice when looking at the Identity Assertion are listed below.