The DataPower Gateway providing user authentication intermediary services must conform to FICAM-issued profiles.

From IBM DataPower ALG Security Technical Implementation Guide

Associated with: CCI-002014

SV-79757r1_rule The DataPower Gateway providing user authentication intermediary services must conform to FICAM-issued profiles.

Vulnerability discussion

Without conforming to Federal Identity, Credential, and Access Management (FICAM)-issued profiles, the information system may not be interoperable with FICAM-authentication protocols, such as SAML 2.0 and OpenID 2.0.Use of FICAM-issued profiles addresses open identity management standards.This requirement only applies to components where this is specific to the function of the device or has the concept of a non-organizational user, (e.g., ALG capability that is the front end for an application in a DMZ).

Check content

Search Bar "AAA Policy" >> Select AAA Policy >> Identity Extraction "Name from SAML Authentication assertion" >> Authentication >> Method "Accept SAML assertion with valid signature". If no AAA Policy is present, this is a finding.

Fix text

Search Bar “AAA Policy” >> Select AAA Policy >> Identity Extraction “Name from SAML Authentication assertion” >> Authentication >> Method “Accept SAML assertion with valid signature”

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.