chris-fry

@chris-fry

active 3 years, 3 months ago
Points balance: 230 ♪
Rank: chris-fry
  • chris-fry replied to the topic force user to change the password on first login in the forum Identity Management 3 years, 8 months ago

    Hi eppinger,

    Got a similar proof-of-concept working using a mapping from a boolean attribute in IDM to iplanet-am-user-password-reset-force-reset in OpenDJ and a Scripted Authentication module in OpenAM to force the redirect to a custom change password app.

    Here’s another forum post about it:…

  • chris-fry started the topic Identity Management Aggregate Queries in the forum Identity Management 3 years, 8 months ago

    Hi all,

    What’s the best way to run simple aggregation queries in an IDM prod environment?

    For example, if I wanted a count of all users with accountStatus of active.

    In SQL, this would be something like:
    S3LECT COUNT(userName) FROM user WHERE accountStatus = 'active'; (had to misspell ‘SELECT’ due to the WAF on this forum)

    I’ve experimented…

  • chris-fry replied to the topic Allow standard user to query pwdChangedTime in the forum Directory Services 3 years, 8 months ago

    Thanks, Ludo – sounds good.

    Chris

  • chris-fry started the topic Allow standard user to query pwdChangedTime in the forum Directory Services 3 years, 8 months ago

    Hi all,

    I have an application with a standard user account in OpenDJ (not Directory Manager) that needs to read the pwdChangedTime attribute from any user.

    What’s the best way to allow this?

    Thanks,

    Chris

  • chris-fry started the topic Dynamic Resource Definition for Authorization Policies in the forum Access Management 3 years, 9 months ago

    Hi,

    Is it possible in Access Manager to define Authorization Policies that protect resources with dynamic components like a username embedded in them?

    So, say I have a set of subjects in OpenAM, e.g.
    jsmith,
    jdoe
    …

    and a set of Resources with user profiles for each…

  • chris-fry started the topic Change Password on Next Login – Custom Redirect in the forum Access Management 3 years, 10 months ago

    Hi all,

    I have an existing Access Manager (AM) implementation that is functioning correctly using FR Directory Services (DS) as the user data store.

    I’d like to implement a solution that allows an admin to flag an account for “Change Password on Next Login” using the ‘iplanet-am-user-password-reset-force-reset’ attribute in DS, then redirects…

  • chris-fry started the topic IDM for passwords only – sequencing problem in the forum Identity Management 3 years, 11 months ago

    Hi,

    We are in the process of migrating from a legacy ID mgmt. system to ForgeRock Identity Management. Next up for the project is to move password management to IDM.

    We have a source system containing user data, the old and new ID mgmt tools and downstream targets.

    Our goal is to have, for now, IDM to provision accounts and passwords to OpenDJ,…

  • chris-fry started the topic Custom Objects and Assignments in the forum Identity Management 4 years, 7 months ago

    Hi,

    I’m having trouble creating an assignment that applies to a custom managed object.

    Here are the steps I’ve taken:

    * Install IDM (5.5, MySQL repo)
    * Create the custom object (employee)
    * Configure two-way relationships between employee and role (similar to user/role)
    * Configure effectiveRoles and effectiveAssignments attributes for employee…

  • chris-fry started the topic Problem with Assignments on Custom Managed Object in the forum Identity Management 4 years, 7 months ago

    Hi all,

    I’m trying to create a custom object in IDM v5.5 and map this to my directory, including assignments. The mapping is working for normal attributes, but not assignments.

    Here are the steps I’ve taken:

    * Perform base install of IDM 5.5, using MySQL repository as per install guide
    * Create the custom object (employee)
    * Configure two-way…

  • chris-fry replied to the topic Common Logging Config for all routes in the forum Identity Gateway 4 years, 8 months ago

    Hi Guillaume,

    So, just use a named audit service configuration in the heap and refer to it in each route? I have done this, but I was hoping to have it set by default to avoid configuration duplication.

    – Chris

  • chris-fry replied to the topic OpenIG – Apache rewrite 302 in the forum Identity Gateway 4 years, 8 months ago

    I might be missing something, but if you just want a rewrite (without path transformation), this should do it:
    {
        "baseURI": "http://emanuals.example.com",
        "condition": "${request.uri.host eq 'www.example.com'}",
        "handler": "ClientHandler"
    }

    If you want a redirect (302), this is probably more what you want. It redirects requests to…

  • chris-fry started the topic Common Logging Config for all routes in the forum Identity Gateway 4 years, 8 months ago

    Hi,

    Is there a way to create an AuditService configuration that applies to all routes without specifying it in each individual route?

    I’ve been able to create a named audit service in the heap and include that in each route, but I’d rather just have it on for all routes without needing to be consciously included each time.

    Here’s the…

  • chris-fry replied to the topic Authorization Policy Design in the forum Access Management 4 years, 8 months ago

    Hi Scott, thanks for your reply.

    We’ve reached an approach that I think will work for our use case.

    We will use multiple policy sets (and avoid using the default set), grouping policies by technology type (because URL format is highly affected by this) and if required owning business unit (because in some cases a popular technology in an…

  • chris-fry replied to the topic OpenIG unable to load all pages and login from the proxied url in the forum Identity Gateway 4 years, 8 months ago

    A few questions:
    * Have you confirmed you can route to the ec2 machine from the IG machine directly (perhaps using curl or similar)?
    * Do you have conditions on your route handlers? If so, what are they and in what order are the routes configured?
    * Can you share your route(s)?

    It sounds like your first route might be picking up the requests…

  • chris-fry replied to the topic Evaluate policy for multiple policy-sets in the forum Identity Gateway 4 years, 8 months ago

    The Policy Enforcement Point (PEP) filter can only accept a single “application” (Policy Set), but you should be able to chain multiple PEP filters.

    e.g.
    {
    "handler": {
    "type": "DispatchHandler",
    "config": {
    "bindings": == null}",
    "handler": {
    "type": "StaticResponseHandler",
    "config": {…

  • chris-fry started the topic Authorization Policy Design in the forum Access Management 4 years, 8 months ago

    Hi all – a bit of a design question;

    I’ve just started playing around with Authorization Policies in Access Manager.

    It looks like there are many ways to approach these (akin to directory design) e.g. using a single policy set, or perhaps one set per application, one per information asset class (might be better for auditing) etc. Then there’s…

  • chris-fry replied to the topic Add Basic Authentication against Access Manager to an Application in the forum Identity Gateway 4 years, 8 months ago

    Ok – got it working. I created a scriptable filter that checks for, decodes and validates a basic authentication header against Access Manager, then passes the resulting token to the next filter/handler in the chain. Then I just added this in front of an SSO, Policy Enforcement Point filter chain (as per this guide). I wanted to avoid non-standard…

  • chris-fry replied to the topic Add Basic Authentication against Access Manager to an Application in the forum Identity Gateway 4 years, 9 months ago

    Thanks for your response, Joachim.

    It’s getting close – I’ve used an approach similar to what you’ve described, decoding the Basic Auth header and using an LDAP provider for authentication.

    I can’t figure out how to call OpenAM from the scriptable filter however. I’ve done this from a number of other clients (Python, Postman etc.), but can’t…

  • chris-fry started the topic Add Basic Authentication against Access Manager to an Application in the forum Identity Gateway 4 years, 9 months ago

    I have a web application with no built-in security isolated in a secured network and would like to expose this to a wider network via IG, using OpenAM for AuthN/AuthZ.

    My consumer can only support Basic Authentication at this stage.

    Two questions:
    – Can I configure a Basic Authentication filter that uses OpenAM (or even DJ/LDAPS) as the…
