Customizing one-time password mapping rules to use access control context data
Some authentication scenarios require that the context data used in making an access control decision be available during authentication. You can configure Security Verify Access to capture this context data and make it available to the one-time password mapping rules.
You can configure Security Verify Access to perform access control policy evaluation when a resource is accessed. The access control policy evaluation can result in a permit with authentication, where the required authentication is determined by the access control policy. Some scenarios require that the context data used to make the access control decision be available during that authentication. To provide access to the access control context data, the context information can be persisted for the predefined authentication obligations that perform one-time password authentication. The context data available is limited to the attributes referenced by the access control policy and the request attributes provided by the policy enforcement point. If the policy relies on the risk score to make the access control decision, the context data available also includes the risk-profile attributes.
- Log in to the local management interface.
- Click AAC > Global Settings > Advanced Configuration.
- Select attributeCollection.authenticationContextAttributes.
- Click for the property.
- In the text field, enter a comma-separated list of the attribute names to be collected during the authorization policy evaluation. For example, if your scenario requires the authentication level and the host of the request, enter authenticationLevel, http:host. The access control context data is provided to the one-time password mapping rules as context attribute values, in the following format:
<stsuuser:Attribute name="AttributeName-AttributeURI" type="authn.service.context.attribute.type.AttributeDatatype">
  <stsuuser:Value>AttributeValue</stsuuser:Value>
</stsuuser:Attribute>
Where:
- name is the attribute name and the attribute identifier, separated by a dash (-).
- type is the attribute data type, prefixed by authn.service.context.attribute.type.
For example, the authenticationLevel attribute value is added as:
<stsuuser:Attribute name="authenticationlevel-urn-ibm:security:subject:authenticationlevel" type="authn.service.context.attribute.type.Integer">
  <stsuuser:Value>1</stsuuser:Value>
</stsuuser:Attribute>
- Click OK.
- When you edit a property, a message indicates there are undeployed changes. If you have finished making changes, deploy them.
For more information, see Deploying pending changes.
- Configure the mapping rule to use the information collected by this property as the context attribute.
- Click AAC.
- Under Policy, click Authentication.
- Click Advanced.
- Select and export the mapping rule.
- Use a text editor and modify the rule to access the attributes collected during the access control policy evaluation, using the following format:
var accessControlAttribute = contextAttributesAttributeContainer.getAttributeValueByNameAndType("AttributeName-AttributeURI", "authn.service.context.attribute.type.AttributeDatatype");
Where:
- name is the attribute name and the attribute identifier, separated by a dash (-).
- type is the attribute data type, prefixed by authn.service.context.attribute.type.
For example, the authenticationLevel attribute can be obtained with the following call:
var accessControlAuthenticationLevel = contextAttributesAttributeContainer.getAttributeValueByNameAndType("authenticationlevel-urn-ibm:security:subject:authenticationlevel", "authn.service.context.attribute.type.Integer");
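The following added example (not from the Security Verify Access documentation or product) parses the stsuuser:Attribute format shown in the property step and exposes the same getAttributeValueByNameAndType lookup a mapping rule uses, so the name-dash-URI key and the type prefix can be checked offline. The XML input, the http:host attribute URI, the null-on-miss behaviour and the requiresOtp policy are all constructed assumptions.

```javascript
// Added example, not product code. Parses the documented stsuuser:Attribute
// format and mirrors the mapping-rule lookup call on the parsed attributes.
const TYPE_PREFIX = "authn.service.context.attribute.type.";

// Constructed sample of the context attributes a mapping rule would receive.
// The authenticationlevel entry follows the documentation; the http:host URI
// is a placeholder chosen for this example, not the product's real identifier.
const SAMPLE_CONTEXT = `
<stsuuser:Attribute name="authenticationlevel-urn-ibm:security:subject:authenticationlevel"
                    type="authn.service.context.attribute.type.Integer">
  <stsuuser:Value>1</stsuuser:Value>
</stsuuser:Attribute>
<stsuuser:Attribute name="http:host-urn:example:request:http:host"
                    type="authn.service.context.attribute.type.String">
  <stsuuser:Value>www.example.com</stsuuser:Value>
</stsuuser:Attribute>`;

function parseContextAttributes(xml) {
  const re = /<stsuuser:Attribute\s+name="([^"]*)"\s+type="([^"]*)">\s*<stsuuser:Value>([^<]*)<\/stsuuser:Value>\s*<\/stsuuser:Attribute>/g;
  const attrs = [];
  let m;
  while ((m = re.exec(xml)) !== null) {
    attrs.push({ name: m[1], type: m[2], value: m[3] });
  }
  return {
    // Same name and arguments as the mapping-rule container call. Assumed here
    // to return the value as a string, or null when no attribute matches both
    // the name and the type (the case when the policy did not reference it).
    getAttributeValueByNameAndType(name, type) {
      const hit = attrs.find((a) => a.name === name && a.type === type);
      return hit ? hit.value : null;
    },
  };
}

// Builds the "AttributeName-AttributeURI" key and the prefixed type name once,
// so a rule does not hand-type either string in several places.
function contextKey(attributeName, attributeUri) {
  return `${attributeName}-${attributeUri}`;
}
function contextType(datatype) {
  return TYPE_PREFIX + datatype;
}

// Hypothetical rule logic: read the authentication level the access control
// policy evaluated and decide whether the one-time password step still
// applies (constructed policy: levels below 2 need it; no data fails closed).
function requiresOtp(container) {
  const raw = container.getAttributeValueByNameAndType(
    contextKey("authenticationlevel", "urn-ibm:security:subject:authenticationlevel"),
    contextType("Integer"));
  if (raw === null) return true;
  const level = parseInt(raw, 10);
  return Number.isNaN(level) || level < 2;
}
```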
- Save the mapping rule and take note of its location.
- In the local management interface, click AAC.
- Under Policy, click Authentication.
- Click Advanced.
- Select the mapping rule you want to replace.
- Click Replace. The Replace Mapping Rule panel opens.
- Click the field or the Browse button and select the file for your saved mapping rule. Attention: The name of the mapping rule cannot be replaced. The name of the uploaded file is ignored.
- Click OK to upload the mapping rule.