@chris-fry
active 3 years, 3 months ago-
chris-fry replied to the topic force user to change the password on first login in the forum Identity Management 3 years, 8 months ago
Hi eppinger,
Got a similar proof-of-concept working using a mapping from a boolean attribute in IDM to iplanet-am-user-password-reset-force-reset in OpenDJ and a Scripted Authentication module in OpenAM to force the redirect to a custom change password app.
Here’s another forum post about it:…[Read more]
-
chris-fry started the topic Identity Management Aggregate Queries in the forum Identity Management 3 years, 8 months ago
Hi all,
What’s the best way to run simple aggregation queries in an IDM prod environment?
For example, if I wanted a count of all users with accountStatus of active.
In SQL, this would be something like:
S3LECT COUNT(userName) FROM user WHERE accountStatus = 'active';(had to misspell ‘SELECT’ due to the WAF on this forum)I’ve experimented…[Read more]
-
chris-fry replied to the topic Allow standard user to query pwdChangedTime in the forum Directory Services 3 years, 8 months ago
Thanks, Ludo – sounds good.
Chris
-
chris-fry started the topic Allow standard user to query pwdChangedTime in the forum Directory Services 3 years, 8 months ago
Hi all,
I have an application with a standard user account in OpenDJ (not Directory Manager) that needs to read the pwdChangedTime attribute from any user.
What’s the best way to allow this?
Thanks,
Chris
-
chris-fry started the topic Dynamic Resource Definition for Authorization Policies in the forum Access Management 3 years, 9 months ago
Hi,
Is it possible in Access Manager to define Authorization Policies that protect resources with dynamic components like a username embedded in them?
So, say I have a set of subjects in OpenAM, e.g.
jsmith,
jdoe
…and a set of Resources with user profiles for each…[Read more]
-
chris-fry started the topic Change Password on Next Login – Custom Redirect in the forum Access Management 3 years, 10 months ago
Hi all,
I have an existing Access Manager (AM) implementation that is functioning correctly using FR Directory Services (DS) as the user data store.
I’d like to implement a solution that allows an admin to flag an account for “Change Password on Next Login” using the ‘iplanet-am-user-password-reset-force-reset’ attribute in DS, then redirects…[Read more]
-
chris-fry started the topic IDM for passwords only – sequencing problem in the forum Identity Management 3 years, 11 months ago
Hi,
We are in the process of migrating from a legacy ID mgmt. system to ForgeRock Identity Management. Next up for the project is to move password management to IDM.
We have a source system containing user data, the old and new ID mgmt tools and downstream targets.
Our goal is to have, for now, IDM to provision accounts and passwords to OpenDJ,…[Read more]
-
chris-fry started the topic Custom Objects and Assignments in the forum Identity Management 4 years, 7 months ago
Hi,
I’m having trouble creating an assignment that applies to a custom managed object.
Here’s the steps I’ve taken:
* Install IDM (5.5, MySQL repo)
* Create the custom object (employee)
* Configure two way relationships between employee and role (similar to user/role)
* Configure effectiveRoles and effectiveAssignments attributes for employee…[Read more] -
chris-fry started the topic Problem with Assignments on Custom Managed Object in the forum Identity Management 4 years, 7 months ago
Hi all,
I’m trying to create a custom object in IDM v5.5 and map this to my directory, including assignments. The mapping is working for normal attributes, but not assignments.
Here’s the steps I’ve taken:
- Perform base install of IDM 5.5, using MySQL repository as per install guide
- Create the custom object (employee)
- Configure two way…
-
chris-fry replied to the topic Common Logging Config for all routes in the forum Identity Gateway 4 years, 8 months ago
Hi Guillaume,
So, just use a named audit service configuration in the heap and refer to it in each route? I have done this, but I was hoping to have it set by default to avoid configuration duplication.
– Chris
-
chris-fry replied to the topic OpenIG – Apache rewrite 302 in the forum Identity Gateway 4 years, 8 months ago
I might be missing something, but if you just want a rewrite (without path transformation), this should do it:
{
"baseURI": "http://emanuals.example.com",
"condition": "${request.uri.host eq 'www.example.com'}",
"handler": "ClientHandler"
}If you want a redirect (302), this is probably more what you want. It redirects requests to…[Read more]
-
chris-fry started the topic Common Logging Config for all routes in the forum Identity Gateway 4 years, 8 months ago
Hi,
Is there a way to create an an AuditService configuration that applies to all routes without specifying it in each individual route?
I’ve been able to create a named audit service in the heap and include that in each route, but I’d rather just have it on for all routes without needing to be consciously included each time.
Here’s the…[Read more]
-
chris-fry replied to the topic Authorization Policy Design in the forum Access Management 4 years, 8 months ago
Hi Scott, thanks for your reply.
We’ve reached an approach that I think will work for our use case.
We will use multiple policy sets (and avoid using the default set), grouping policies by technology type (because URL format is highly affected by this) and if required owning business unit (because in some cases a popular technology in an…[Read more]
-
chris-fry replied to the topic OpenIG unable to load all pages and login from the proxied url in the forum Identity Gateway 4 years, 8 months ago
A few questions:
* Have you confirmed you can route to the ec2 machine from the IG machine directly (perhaps using curl or similar)?
* Do you have conditions on your route handlers? If so, what are they and what order are the routes configured?
* Can you share your route(s)?It sounds like your first route might be picking up the requests…[Read more]
-
chris-fry replied to the topic Evaluate policy for multiple policy-sets in the forum Identity Gateway 4 years, 8 months ago
The Policy Enforcement Point (PEP) filter can only accept a single “application” (Policy Set), but you should be able to chain multiple PEP filters.
e.g.
{[Read more]
"handler": {
"type": "DispatchHandler",
"config": {
"bindings": == null}",
"handler": {
"type": "StaticResponseHandler",
"config": {… -
chris-fry started the topic Authorization Policy Design in the forum Access Management 4 years, 8 months ago
Hi all – a bit of a design question;
I’ve just started playing around with Authorization Policies in Access Manager.
It looks like there are many ways to approach these (akin to directory design) e.g. using a single policy set, or perhaps one set per application, one per information asset class (might be better for auditing) etc. Then there’s…[Read more]
-
chris-fry replied to the topic Add Basic Authentication against Access Manager to an Application in the forum Identity Gateway 4 years, 8 months ago
Ok – got it working. I created a scriptable filter that checks for, decodes and validates a basic authentication header against Access Manager, then passes the resulting token to the next filter/handler in the chain. Then I just added this in front of an SSO, Policy Enforcement Point filter chain (as per this guide). I wanted to avoid non-standard…[Read more]
-
chris-fry replied to the topic Add Basic Authentication against Access Manager to an Application in the forum Identity Gateway 4 years, 9 months ago
Thanks for your response, Joachim.
It’s getting close – I’ve used an approach similar to what you’ve described, decoding the Basic Auth header and using an LDAP provider for authentication.
I can’t figure out how to call OpenAM from the scriptable filter however. I’ve done this from a number of other clients (Python, Postman etc.), but can’t…[Read more]
-
chris-fry started the topic Add Basic Authentication against Access Manager to an Application in the forum Identity Gateway 4 years, 9 months ago
I have a web application with no built in security isolated in a secured network and would like to expose this to a wider network via IG, using OpenAM for AuthN/AuthZ.
My consumer can only support Basic Authentication at this stage.
Two questions:
– Can I configure a Basic Authentication filter that uses OpenAM (or even DJ/LDAPS) as the…[Read more]
