Open JirkaAichler opened 2 years ago
@Jinghua-Jiang I have created a new issue to discuss and resolve the problem with the "next token" mode.
I have tried sending two tokens separated by :
and it does not work. However, it does not even make much sense. The user does not know that he/she is in this mode. He/she should enter the valid token, it should be validated and then be asked to provide one more token.
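The flow described in this post, the server validating the first code and then explicitly asking for one more, versus the reported behaviour of a bare 401 that hides the request, as an added toy model that is not part of the issue and not Zowe, ZAAS or RSA code. It assumes a fixed list of one-time codes in place of the time-based SecurID algorithm and adds a hypothetical `next_token_required` flag on the login result; the `GenericErrorGateway` models the stack that collapses everything to a generic 401.

```python
from dataclasses import dataclass


@dataclass
class Result:
    """Outcome of one login attempt. next_token_required is the hypothetical
    signal this model adds; the issue reports that the real stack only returns
    a generic 401 with no such indicator."""
    http_status: int
    next_token_required: bool = False


@dataclass
class Device:
    """Constructed token generator: a fixed list of codes instead of the real
    time-based SecurID algorithm."""
    codes: list
    position: int = 0

    def next_code(self) -> str:
        code = self.codes[self.position]
        self.position += 1
        return code


class TokenServer:
    """Constructed verifier. It shares the code list with the device and tracks
    which code it expects next. A code that is ahead of the expected one but
    within drift_window is treated as "possibly valid, prove it with the next
    code", which is the next-token mode the issue describes."""

    def __init__(self, codes, drift_window: int = 3):
        self.codes = list(codes)
        self.expected = 0
        self.drift_window = drift_window
        self.pending = {}  # user -> index of the code that must follow

    def login(self, user: str, code: str) -> Result:
        if user in self.pending:
            # second step of next-token mode: only the following code is accepted
            want = self.pending.pop(user)
            if want < len(self.codes) and self.codes[want] == code:
                self.expected = want + 1
                return Result(200)
            return Result(401)
        if self.codes[self.expected] == code:
            self.expected += 1
            return Result(200)
        upper = min(self.expected + 1 + self.drift_window, len(self.codes))
        for i in range(self.expected + 1, upper):
            if self.codes[i] == code:
                # code is ahead of the server: resynchronise only after a second code
                self.pending[user] = i + 1
                return Result(401, next_token_required=True)
        return Result(401)


class GenericErrorGateway:
    """Models the reported behaviour: whatever the verifier says, the caller
    sees a bare 401 and cannot tell that a second code would have succeeded."""

    def __init__(self, server: TokenServer):
        self.server = server

    def login(self, user: str, code: str) -> Result:
        return Result(self.server.login(user, code).http_status)


def client_login(frontend, user: str, device: Device) -> int:
    """Client that answers a next-token challenge, if it is told about it."""
    result = frontend.login(user, device.next_code())
    if result.next_token_required:
        # the prompt a user would see: wait for the token to change, enter the new code
        result = frontend.login(user, device.next_code())
    return result.http_status


CODES = ["111111", "222222", "333333", "444444", "555555"]  # constructed sequence


def scenario(device_ahead_by: int, through_generic_gateway: bool) -> int:
    """Log in once with a device that is device_ahead_by codes ahead of the server."""
    server = TokenServer(CODES)
    device = Device(CODES, position=device_ahead_by)
    frontend = GenericErrorGateway(server) if through_generic_gateway else server
    return client_login(frontend, "user1", device)


if __name__ == "__main__":
    print("in sync, challenge exposed :", scenario(0, False))  # 200
    print("drifted, challenge exposed :", scenario(1, False))  # 200
    print("drifted, generic 401 only  :", scenario(1, True))   # 401
```

The point of the model is the last case: with the challenge flag stripped, the user's first code was in fact acceptable and the server is now waiting for the next one, but the client only sees a 401 and has no reason to prompt again. A detection or support team looking at such logs would see repeated 401s for a valid user, which is exactly the "stuck until another service resets the state" symptom described in the bug report.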
Hi Jirka,
Sorry for the long wait.
We reviewed the case internally with different component owners.
The conclusion is that for zOSMF UI, we have limited support for next token, as you described in your case, the error response is a common error message and contains no information about "next token".
For zOSMF Authentication REST API, we currently cannot support "next token".
And if we want to support "next token" in zOSMF elegantly, we need some base component like Liberty to enhance, add new returnable error response for "next token".
As there is nothing to be done on the API ML part, we are closing this issue. It's possible to create an enhancement request to find a way for API ML to provide this support, but probably this needs to be resolved properly on the Zowe level.
I suppose you should then modify the documentation stating that APIML supports MFA, which is not true:
https://docs.zowe.org/stable/user-guide/systemrequirements-zos/#multi-factor-authentication-mfa
Or at least document the limitations.
I suppose there are ways this can be fixed. There is also an ongoing discussion about the solution with the Liberty team.
I did bring up these liberty issues with the WAS security guys. They are aware of them and also the RACF folks were talking to them too. One of the items that we're talking to them about is using SAF based JWTs in Liberty. This might also help get them MFA/AAM support working when it comes to the issues that you pointed out. Ross from the RACF team is going to work with them on getting both the JWT support and the MFA support implemented.
Opening again to be able to track the progress especially in the ZAAS client that we use for authentication.
Edit: This is a very important issue for me.
We need a more complete statement around the whole zowe on what is supported with regards to MFA than just stating we do not support the next token mode. We intend to prioritize this open topic with the TSC.
Describe the bug
ZAAS authentication provider does not support MFA in the RSA "next token" mode. The user is unable to log in when it happens. The only option is to use some other authentication service to reset the authentication process to normal mode.
attempt 1 - 401:
attempt 2 - 401:
It is not supported by z/OSMF. The ticket with IBM / z/OSMF team is opened. It will require additional work on the APIML side afterward to handle messages and response codes correctly.
Documentation:
https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-advanced-authentication-mainframe/2-0/using-with-ca-top-secret/manage-multi-factor-authentication-credentials-ca-top-secret/sign-on-when-using-rsa-securid-while-in-next-token-mode-ca-top-secret.html
https://www.ibm.com/docs/en/zos/2.3.0?topic=SSLTBW_2.3.0/com.ibm.zos.v2r3.azfu100/azf_task_tsonexttoken.htm
Related conversation:
1600