Configuring authentication

The appliance reverse proxy server can be configured to use the authentication service for authentication. The user is then required to complete an authentication policy flow whenever the Security Verify Access policy (an ACL or POP) requires the user to authenticate.

  1. Configure the appliance using the isamcfg tool.

  2. Modify the appliance login.html so that it redirects the authentication request to the Security Verify Access Authentication Service.

    1. Locate the login.html file on the appliance.

    2. Edit login.html and set the meta refresh tag to send the request to the authentication service. To indicate where to send the user agent after successful authentication, pass the Target query string parameter (Target is the default parameter name). For example:

        <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
        <HTML>
        <HEAD>
        <meta http-equiv="refresh" 
              content="2;url=https://HOST:PORT/JUNCTION/sps/authsvc?Target=%HTTPS_BASE%%URL_ENCODED%&PolicyId=POLICY_ID">
        <TITLE>Access Manager for Web Login</TITLE>
        </HEAD>
        <BODY BGCOLOR="#FFFFFF" TEXT="#000000">
        </BODY>
        </HTML>

      Where:

        HOST The host name for the reverse proxy instance.
        PORT The port number for the reverse proxy instance.
        JUNCTION The Advanced Access Control junction name. For example: mga.
        POLICY_ID The authentication policy identifier to execute when the user is requested to step up.

    The following example uses user name and password as the login mechanism:

      <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
      <HTML>
      <HEAD>
      <meta http-equiv="refresh" content="2;url=https://example.com/mga/sps/authsvc?Target=%HTTPS_BASE%%URL_ENCODED%&PolicyId=urn:ibm:security:authentication:asf:password">
      <TITLE>Access Manager for Web Login</TITLE>
      </HEAD>
      <BODY BGCOLOR="#FFFFFF" TEXT="#000000">
      </BODY>
      </HTML>
      

  3. Restart the appliance.

  4. Verify the configuration:

    1. Create a test user account. For example:

        pdadmin> user create john cn=john,dc=iswga John Doe password

    2. Activate the account. For example:

        pdadmin> user modify john account-valid yes

    3. Create a test resource that is protected with the isam_mobile_anyauth ACL and place it in the document root of WebSEAL. For example:

        junction-root/test.html

      For information about working with reverse proxy pages, see HTML server response page modification.

    4. Attach the isam_mobile_anyauth ACL to the protected resource. For example:

        pdadmin> acl attach /WebSEAL/mga.example.com-default/test.html isam_mobile_anyauth

    5. Open a new browser session and try accessing the test resource. You are forwarded to the authentication service endpoint. You are now starting the authentication policy.

    6. Enter the required credentials to complete the authentication policy. If you authenticate successfully, you are redirected to the test resource and can access its contents.
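A small check for step 2, added here as an example and not part of the product or this document: it reads a login.html template, extracts the meta refresh URL, and confirms that the redirect uses https, points at the /sps/authsvc endpoint, carries a well-formed Target made only of %MACRO% tokens (a missing trailing % on %URL_ENCODED% is an easy typo that silently breaks the post-login redirect), and names the expected PolicyId. The sample templates embedded below are constructed; the host example.com and junction mga are taken from the example above and are not specific to any real deployment.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample login.html, mirroring the password-policy example above.
SAMPLE_LOGIN_HTML = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<HEAD>
<meta http-equiv="refresh"
      content="2;url=https://example.com/mga/sps/authsvc?Target=%HTTPS_BASE%%URL_ENCODED%&PolicyId=urn:ibm:security:authentication:asf:password">
<TITLE>Access Manager for Web Login</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
</BODY>
</HTML>
"""

# Constructed variant with the closing '%' of %URL_ENCODED% left out.
BROKEN_LOGIN_HTML = SAMPLE_LOGIN_HTML.replace("%URL_ENCODED%&", "%URL_ENCODED&")

PASSWORD_POLICY = "urn:ibm:security:authentication:asf:password"

# Matches the meta refresh tag even when 'content' sits on the next line.
META_REFRESH_RE = re.compile(
    r'<meta\s+http-equiv="refresh"\s+content="(?P<delay>\d+);\s*url=(?P<url>[^"]+)"',
    re.IGNORECASE | re.DOTALL,
)

# A Target built from reverse proxy macros must be one or more %NAME% tokens.
MACRO_ONLY_RE = re.compile(r"(%[A-Z_]+%)+")


def extract_refresh_url(page: str) -> str:
    """Return the url= part of the meta refresh tag, with HTML entities decoded."""
    match = META_REFRESH_RE.search(page)
    if not match:
        raise ValueError("no meta refresh tag found in login.html")
    return html.unescape(match.group("url"))


def check_authsvc_redirect(page: str, expected_policy: str) -> dict:
    """Parse the redirect and list anything that would break the step-up flow.

    The query string is split by hand rather than with parse_qs so the
    %HTTPS_BASE% and %URL_ENCODED% macros are inspected verbatim instead of
    being treated as (invalid) percent-encoding.
    """
    url = extract_refresh_url(page)
    parts = urlsplit(url)
    params = {}
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        params[key] = value

    problems = []
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected https")
    if not parts.path.endswith("/sps/authsvc"):
        problems.append(f"path {parts.path!r} is not the authentication service endpoint")
    target = params.get("Target", "")
    if not MACRO_ONLY_RE.fullmatch(target):
        problems.append(f"Target {target!r} is not made of well-formed %MACRO% tokens")
    policy_id = params.get("PolicyId")
    if policy_id != expected_policy:
        problems.append(f"PolicyId is {policy_id!r}, expected {expected_policy!r}")

    return {
        "url": url,
        "path": parts.path,
        "target": target,
        "policy_id": policy_id,
        "problems": problems,
    }


if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_LOGIN_HTML), ("broken", BROKEN_LOGIN_HTML)):
        result = check_authsvc_redirect(page, PASSWORD_POLICY)
        status = "ok" if not result["problems"] else "; ".join(result["problems"])
        print(f"{name}: {status}")
```

Run it against the real login.html by replacing SAMPLE_LOGIN_HTML with the file contents; any entry in "problems" is something to fix before restarting the appliance in step 3.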

Parent topic: Authentication configuration scenarios