Forum Replies Created

Viewing 8 posts - 1 through 8 (of 8 total)
  • #20170
     aktokas
    Participant

    Thanks Jochen & Violette for the quick responses. For now I am using OpenIG 4.0.

    Violette, I tried to use the switch filter before PolicyEnforcementFilter but I am still facing the blank page issue. Since I am using 2 PolicyEnforcement filters in my configuration, I am getting the 403 Forbidden response twice, but my switch filter is unable to recognize either of them. For testing, I used the switch filter before both of the PolicyEnforcement filters.

    #20141
     aktokas
    Participant

    In this setup, I am still facing the blank page when I try to access the resource from an unauthorized account. But everything works fine when the user is authorized.

    Kindly Ignore Marvel and Starkindustries in the URLs :P

    #20139
     aktokas
    Participant

    PEP JSON FILE

    {
      "baseURI": "http://marvelstudios.starkindustries.com:8081/",
      "handler": {
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "comment": "Redirect to OpenAM authentication",
              "name": "OpenAM Authentication",
              "condition": "${request.cookies['iPlanetDirectoryPro'] == null}",
              "handler": {
                "type": "StaticResponseHandler",
                "config": {
                  "status": 302,
                  "reason": "Found",
                  "headers": {
                    "Location": [
                      "https://openam.starkindustries.com:7773/openam/XUI/#login/marvel/&goto=${urlEncodeQueryParameterNameOrValue(contexts.router.originalUri)}"
                    ]
                  },
                  "entity": "Redirecting to OpenAM for authentication…"
                },
                "capture": "all"
              }
            },
            {
              "comment": "OpenAM Authorization chain for policy validation and attributes retrieval",
              "name": "OpenAM Authorization Chain",
              "condition": "${request.cookies['iPlanetDirectoryPro'] != null}",
              "handler": {
                "type": "Chain",
                "config": {
                  "filters": [
                    {
                      "comment": "OpenAM Authorization check filter",
                      "name": "OpenAM Authorization",
                      "type": "PolicyEnforcementFilter",
                      "config": {
                        "openamUrl": "https://openam.starkindustries.com:7773/openam/",
                        "pepUsername": "ak.tokas",
                        "pepPassword": "password",
                        "realm": "Marvel",
                        "application": "OPENIG",
                        "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}"
                      },
                      "capture": "all"
                    },
                    {
                      "type": "PasswordReplayFilter",
                      "config": {
                        "loginPage": "${true}",
                        "credentials": {
                          "type": "PolicyEnforcementFilter",
                          "config": {
                            "openamUrl": "https://openam.starkindustries.com:7773/openam/",
                            "pepUsername": "ak.tokas",
                            "pepPassword": "password",
                            "realm": "Marvel",
                            "application": "OPENIG",
                            "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}",
                            "claimsSubject": "${attributes.claimsSubject}",
                            "target": "${attributes.currentPolicy}"
                          }
                        },
                        "request": {
                          "method": "POST",
                          "uri": "http://marvelstudios.starkindustries.com:8081",
                          "form": {
                            "username": [
                              "${attributes.currentPolicy.attributes.mail[0]}"
                            ],
                            "password": [
                              "${attributes.currentPolicy.attributes.employeeNumber[0]}"
                            ]
                          }
                        }
                      }
                    },
                    {
                      "name": "SwitchFilter",
                      "type": "SwitchFilter",
                      "config": {
                        "onResponse": [
                          {
                            "condition": "${exchange.response.status == 403}",
                            "handler": {
                              "name": "AccessDeniedHandler",
                              "type": "StaticResponseHandler",
                              "config": {
                                "status": 403,
                                "reason": "NOT Found",
                                "entity": "<html><head><Title>Apache Website</Title></head><body><h1 align = center > -ACCESS DENIED – </h1>Kindly Contact Administrator</body></html>"
                              }
                            }
                          }
                        ]
                      }
                    }
                  ],
                  "handler": "ClientHandler"
                }
              }
            }
          ]
        }
      },
      "condition": "${matches(request.uri.path, '^/pep')}",
      "session": "JwtSession"
    }

    #20127
     aktokas
    Participant

    Did you resolve this issue, Jitendra?
    I am currently facing the exact same issue.

    I can see in the OpenIG logs that I have a 403 Forbidden error,
    but when I use the switch filter with the condition exchange.response.status == 403,
    it does not work. Does anyone have any suggestions?

    Thanks,
    Akshay

    #20068
     aktokas
    Participant

    Hi,
    You have missed the configuration of the authorization policy for the OpenIG URL in your setup, or there is some mistake in the authorization policies you have created.

    #18379
     aktokas
    Participant

    Hi Abhishek, any updates on how you resolved the above-mentioned issue? I am doing a POC on OpenAM and I am stuck at the exact same issue.
    Thanks and Regards,
    Akshay

    #16652
     aktokas
    Participant

    Resolved: I had made the data store required instead of sufficient in the newly defined chain.
    Luckily, I was able to re-login as admin from a tab where I had not logged out. Else, I don't know how I would have got my setup back.

    #16173
     aktokas
    Participant

    Hi Nemanja,
    Can you please share the JavaScript you used to fetch the attributes client side, if you still have it?
    I have recently started working on OpenAM and I am working on how to fetch the attributes using HTTP headers.
    Thanks in advance.
    Akshay
