IBM-Security / isam-ansible-roles

DEPRECATED Ansible Custom Modules, Handlers and Tasks for ISAM. Requires "ibmsecurity" python package.
Apache License 2.0

add_federation SAML protocol #57

Open ewschulz opened 6 years ago

ewschulz commented 6 years ago

Hello,

We are testing use of 'add_federation' and getting an error returned for 'add_federation_templateName:'. The REST API documentation shows this is not a required value, but if it is commented out the entire role is skipped. We also tried uncommenting it and using 'SAML2_0' and also 'saml_post' for the template values, and these cause the error at the bottom of this post. Any ideas what we are doing wrong?

The following are our parameters for the role:

```yaml
role: "add_federation"
add_federation_name: "resilientfed2"
add_federation_protocol: "SAML2_0"
add_federation_role: "ip"
add_federation_templateName: ""
add_federation_configuration:
  pointOfContactUrl: "https://192.168.0.35/isam"
  companyName: "company"
  sessionTimeout: 7200
  singleSignOnService: "192.168.0.35"
  needConsentToFederate: True
  singleSignOnServiceData:
    binding: ["post","redirect"]
    url: "https://192.168.0.35"
  singleLogoutService: "192.168.0.35"
  serviceData:
    binding: ["post","redirect"]
  identityMapping:
    activeDelegateId: "skip-identity-map"
```

The error that results with the above:

```
...[ibmsecurity.appliance.ibmappliance] [_process_warnings():92] Checking for minimum version: 9.0.1.0.
[2018-02-27 21:35:52,382] [PID:27823 TID:139956807944000] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():108] Checking for one of required modules: ['federation'].
[2018-02-27 21:35:52,382] [PID:27823 TID:139956807944000] [INFO] [ibmsecurity.appliance.ibmappliance] [_process_warnings():119] Modules satisfying requirement: [u'federation']
[2018-02-27 21:35:52,382] [PID:27823 TID:139956807944000] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():125] Warnings: []
[2018-02-27 21:35:52,383] [PID:27823 TID:139956807944000] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():301] Headers are: {'Content-type': 'application/json', 'Accept': 'application/json'}
[2018-02-27 21:35:52,383] [PID:27823 TID:139956807944000] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():306] Input Data: {"role": "ip", "configuration": {"singleLogoutService": "192.168.0.35", "serviceData": {"binding": ["post", "redirect"]}, "sessionTimeout": 7200, "needConsentToFederate": true, "singleSignOnServiceData": {"url": "https://192.168.0.35", "binding": ["post", "redirect"]}, "companyName": "company", "singleSignOnService": "192.168.0.35", "pointOfContactUrl": "https://192.168.0.35/isam", "identityMapping": {"activeDelegateId": "skip-identity-map"}}, "protocol": "SAML2_0", "name": "resilientfed2", "templateName": ""}
[2018-02-27 21:35:52,383] [PID:27823 TID:139956807944000] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_suppress_ssl_warning():35] Suppressing SSL Warnings.
[2018-02-27 21:35:52,383] [PID:27823 TID:139956807944000] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_url():24] Issuing request to: https://192.168.0.33:443/iam/access/v8/federations
[2018-02-27 21:35:52,385] [PID:27823 TID:139956807944000] [DEBUG] [urllib3.connectionpool] [_new_conn():824] Starting new HTTPS connection (1): 192.168.0.33
[2018-02-27 21:35:53,030] [PID:27823 TID:139956807944000] [DEBUG] [urllib3.connectionpool] [_make_request():396] https://192.168.0.33:443 "POST /iam/access/v8/federations HTTP/1.1" 500 75
[2018-02-27 21:35:53,033] [PID:27823 TID:139956807944000] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():46] Request failed: 
[2018-02-27 21:35:53,034] [PID:27823 TID:139956807944000] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():47] status code: 500
[2018-02-27 21:35:53,034] [PID:27823 TID:139956807944000] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():49] text: {"result":"java.lang.String incompatible with com.ibm.json.java.JSONArray"}
", "msg": "('HTTP Return code: 500', u'{"result":"java.lang.String incompatible with com.ibm.json.java.JSONArray"}')", "name": "ibmsecurity.isam.fed.federations.add"}
```

ram-ibm commented 6 years ago

I have found the best option is to execute a get() against a federation created using the LMI and then use that output JSON to create a YAML file for future creates. The above YAML lost the indentation so I cannot tell for sure what the issue is - I suspect the identity mapping is not set correctly, but could be wrong.

ewschulz commented 6 years ago

Hello Ram,

We will try the get() this morning and compare results. For the identity mapping we do not need an actual mapping rule initially so I am setting as skip-identity-mapping similar to how a federation created in the same way shows on the LMI summary page.

ram-ibm commented 6 years ago

I suspect that the JSON takes a different value for skipping it compared to what you see in the LMI. Please be sure to use back quotes around YAML so it gets formatted in a code like fashion (for posting here).

alwayslearning321 commented 6 years ago

Just my 2c.

I noticed the inconsistency between the REST API document and the Ansible call as well. After some trial and error, I found the following settings work.

```yaml
- role: add_federation
  add_federation_name: 'fedTest'
  add_federation_protocol: 'SAML2_0'
  add_federation_role: "ip"
  add_federation_templateName: ''
  add_federation_configuration:
    companyName: 'companyName'
    pointOfContactUrl: 'https://www.myidp.ibm.com/sps'
    singleSignOnService: [{'binding': 'post', 'url': 'https://www.myidp.ibm.com/sps/saml20idp/saml20/login'},{'binding': 'redirect', 'url': 'https://www.myidp.ibm.com/sps/saml20idp/saml20/login'}]
    identityMapping:
      activeDelegateId: 'default-map'
      properties:
        identityMappingRuleReference: '101'
        ruleType: 'JAVASCRIPT'
```

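
The difference between the failing payload in the first post and the working one above is the shape of `singleSignOnService`: a bare string where the appliance expects a JSON array of `{binding, url}` objects, which is exactly what the `java.lang.String incompatible with com.ibm.json.java.JSONArray` 500 says. The following is an added pre-flight check (not code from isam-ansible-roles or ibmsecurity) that catches that mismatch before the POST is sent; the rules it applies are assumptions drawn from the two configurations in this thread, and treating `singleLogoutService` as the same list shape is also an assumption.

```python
# Added example, not project code: pre-flight shape check for an add_federation
# payload. Rules are inferred from the failing vs. working configs in this thread.
ENDPOINT_LISTS = ("singleSignOnService", "singleLogoutService")  # assumed same shape

def check_federation(payload):
    """Return a list of problems; an empty list means the payload looks sane."""
    problems = []
    for key in ("name", "protocol", "role", "configuration"):
        if key not in payload:
            problems.append(f"missing top-level key {key!r}")
    cfg = payload.get("configuration", {})
    for key in ENDPOINT_LISTS:
        if key not in cfg:
            continue
        if not isinstance(cfg[key], list):  # a bare string is what produced the 500 above
            problems.append(f"{key}: expected a list of {{binding, url}} objects, "
                            f"got {type(cfg[key]).__name__}")
            continue
        for i, ep in enumerate(cfg[key]):
            if not isinstance(ep, dict) or not all(k in ep for k in ("binding", "url")):
                problems.append(f"{key}[{i}]: needs both 'binding' and 'url'")
            elif not str(ep["url"]).startswith("https://"):
                problems.append(f"{key}[{i}].url: SAML endpoints should be https")
    im = cfg.get("identityMapping", {})
    if im.get("activeDelegateId") == "default-map":  # the working config supplies both props
        for p in ("identityMappingRuleReference", "ruleType"):
            if p not in im.get("properties", {}):
                problems.append(f"identityMapping.properties.{p}: required for default-map")
    return problems

# Constructed from the thread: the failing Input Data and the working parameters.
FAILING = {
    "name": "resilientfed2", "protocol": "SAML2_0", "role": "ip", "templateName": "",
    "configuration": {
        "pointOfContactUrl": "https://192.168.0.35/isam", "companyName": "company",
        "sessionTimeout": 7200, "needConsentToFederate": True,
        "singleSignOnService": "192.168.0.35",
        "singleSignOnServiceData": {"binding": ["post", "redirect"], "url": "https://192.168.0.35"},
        "singleLogoutService": "192.168.0.35", "serviceData": {"binding": ["post", "redirect"]},
        "identityMapping": {"activeDelegateId": "skip-identity-map"}}}
WORKING = {
    "name": "fedTest", "protocol": "SAML2_0", "role": "ip", "templateName": "",
    "configuration": {
        "companyName": "companyName", "pointOfContactUrl": "https://www.myidp.ibm.com/sps",
        "singleSignOnService": [
            {"binding": "post", "url": "https://www.myidp.ibm.com/sps/saml20idp/saml20/login"},
            {"binding": "redirect", "url": "https://www.myidp.ibm.com/sps/saml20idp/saml20/login"}],
        "identityMapping": {"activeDelegateId": "default-map",
                            "properties": {"identityMappingRuleReference": "101", "ruleType": "JAVASCRIPT"}}}}
```

Running `check_federation(FAILING)` reports both endpoint keys as strings instead of lists, while `check_federation(WORKING)` returns an empty list.
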
henrikt99 commented 5 years ago

It seems that signingOptions is missing the signAuthnRequest option completely. This is not in the REST interface documentation either. Is there a way to set signAuthnRequest to true?

ram-ibm commented 5 years ago

Can I get a sample YAML or JSON showing where signAuthnRequest is please? I expect that it is contained within the "configuration" parameter you pass to the python code. I typically create a federation using LMI - and then extract that to craft the YAML in the playbook. You simply need to create your configuration variable with all elements in it.

henrikt99 commented 5 years ago

I mean that there is no signAuthnRequest option documented in the REST interface from the ISAM side. If I do the GET /iam/access/v8/federations/{federation_id} request for my SP federation, where the "Require outgoing SAML authentication requests to be signed." option is enabled, I get this data for the signing options:

```yaml
signingOptions:
  signLogoutResponse: false
  signArtifactRequest: false
  signNameIDManagementRequest: false
  signArtifactResponse: false
  signAuthnRequest: true
  signNameIDManagementResponse: false
  signLogoutRequest: false
```

As you can see, there is signAuthnRequest: true, but if I go to the LMI it is not enabled, so it seems that the bug might be in the LMI. It is also somewhat confusing that it is missing from the documentation.

ram-ibm commented 5 years ago

Please note that if you pass a value in the JSON that is not valid - there is a good chance that it is simply being ignored. Could you please configure the federation as desired in the LMI and then call the get() function to look at what the JSON looks like for it. Should be trivial to convert the JSON to a YAML in the playbook.