grk

@grk

active 1 year ago
Points balance: 439
  • grk replied to the topic how to pass external parameter to idp initiated sso federation in the forum Access Management 3 years, 2 months ago

    @mei-liusaa-com
    For #3, you need to append your query parameter to the ACS URL as below.
    https://lightweight2-ssotest.cs51.my.salesforce.com?MyOtherActivities=AAAAAAA

    I think it is better if you get this ACS URL from the SP so that it will match on both sides and it will not fail in SP-initiated SSO.

  • grk replied to the topic Invalidate all the session of a given user in the forum Access Management 3 years, 2 months ago

    You can try the REST/curl call below to get the sessions for a given user. You need to pass the admin token in the header.

    http://openam.example.com:8080/openam/json/sessions?_queryFilter=realm%20eq%20%22%2Ftest%22%20and%20username%20eq%20%22demo%22

    curl -X GET --header 'Accept: application/json' --header 'Accept-API-Version: resource=2.0' --header…
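The two-step flow the post describes (query the user's sessions with the admin token, then invalidate what comes back), as an added example in Python rather than curl. This is not the poster's code: the query URL is the one shown in the post, but the invalidation step assumes the sessions endpoint's `_action=logoutByHandle` action, the `iPlanetDirectoryPro` header name (the default admin SSO token cookie name) and the shape of the logout response, all of which should be checked against the documentation of the AM version in use. The sample query response is constructed so the script runs offline.

```python
"""Query every AM session of one user and invalidate them by handle.

Added example, not code from the forum post. The sessions query URL is the
one the post shows; LOGOUT_ACTION, TOKEN_HEADER and the logout response
shape are assumptions to verify against your AM version's documentation.
"""
import json
import re
import urllib.parse
import urllib.request

LOGOUT_ACTION = "logoutByHandle"      # assumed action name; verify for your AM version
TOKEN_HEADER = "iPlanetDirectoryPro"  # assumed default admin SSO token header
API_VERSION = "resource=2.0"          # the Accept-API-Version value used in the post

# CREST query filters are plain strings, so never interpolate raw input:
# a username containing a quote would change the filter's meaning.
_SAFE_VALUE = re.compile(r"[A-Za-z0-9._@/-]+")


def query_filter(realm, username):
    """Return the CREST _queryFilter the post uses, with inputs validated."""
    for value in (realm, username):
        if not _SAFE_VALUE.fullmatch(value):
            raise ValueError("unsafe character in filter value: %r" % value)
    return 'realm eq "{}" and username eq "{}"'.format(realm, username)


def sessions_query_url(base_url, realm, username):
    """Percent-encode the whole filter (spaces, quotes and slashes included)."""
    encoded = urllib.parse.quote(query_filter(realm, username), safe="")
    return "{}/json/sessions?_queryFilter={}".format(base_url.rstrip("/"), encoded)


def logout_url(base_url):
    return "{}/json/sessions?_action={}".format(base_url.rstrip("/"), LOGOUT_ACTION)


def session_handles(query_response):
    """Pull the session handles out of a sessions query response."""
    return [r["sessionHandle"] for r in query_response.get("result", [])
            if "sessionHandle" in r]


def _urllib_send(method, url, headers, body):
    """Real transport: JSON request body in, parsed JSON response out."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def invalidate_user_sessions(base_url, admin_token, realm, username, send=_urllib_send):
    """GET the user's sessions, then POST their handles to the logout action.

    send(method, url, headers, body) must return the parsed JSON body; pass
    a stub such as RecordingTransport to run without an AM server.
    """
    headers = {"Accept": "application/json",
               "Accept-API-Version": API_VERSION,
               TOKEN_HEADER: admin_token}
    found = send("GET", sessions_query_url(base_url, realm, username), headers, None)
    handles = session_handles(found)
    if not handles:
        return {"queried": 0, "handles": [], "response": None}
    post_headers = dict(headers, **{"Content-Type": "application/json"})
    response = send("POST", logout_url(base_url), post_headers, {"sessionHandles": handles})
    return {"queried": len(handles), "handles": handles, "response": response}


# Constructed sample of a sessions query result; only the fields read above.
SAMPLE_QUERY_RESPONSE = {
    "result": [
        {"username": "demo", "realm": "/test", "sessionHandle": "shandle:AQIC-demo-1"},
        {"username": "demo", "realm": "/test", "sessionHandle": "shandle:AQIC-demo-2"},
    ],
    "resultCount": 2,
}


class RecordingTransport:
    """Offline stand-in for _urllib_send: records calls, replays canned data."""

    def __init__(self, query_response):
        self.query_response = query_response
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, dict(headers), body))
        if method == "GET":
            return self.query_response
        # Logout response shape is assumed here, not taken from AM documentation.
        return {"result": {h: True for h in body["sessionHandles"]}}


if __name__ == "__main__":
    transport = RecordingTransport(SAMPLE_QUERY_RESPONSE)
    outcome = invalidate_user_sessions("http://openam.example.com:8080/openam",
                                       "ADMIN-SSO-TOKEN", "/test", "demo", send=transport)
    for method, url, _, body in transport.calls:
        print(method, url, body or "")
    print("invalidated", outcome["queried"], "session(s)")
```

The admin token is sent as a header rather than in the URL so it does not land in access logs or proxy caches, and the filter values are checked before they are spliced into the query string. Drop the `send=transport` argument to run against a real server.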

  • grk replied to the topic how to pass external parameter to idp initiated sso federation in the forum Access Management 3 years, 2 months ago

    @mei-liusaa-com Is this additional parameter value static? The IDPInitSSO URL does not support any additional query parameters.
    I see only the 3 options below to pass a value to the SP.
    1. Pass it in the SAML Response. If this value is a static value, you can set that static value in the attribute mapping as MyOtherActivities="AAAAAAA". The SP will get it from the SAML…
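The two replies above (the three options, and the follow-up that #3 means appending the parameter to the SP's ACS URL, taken from the SP so both sides match) as an added example in Python; this is not the poster's code. It reads the AssertionConsumerService Location out of SP metadata, appends the parameter without clobbering an existing query string, rewrites the metadata so the remote SP imported into AM carries the same ACS URL, and builds the idpssoinit URL with RelayState as the other free-form channel. The SP metadata, metaAlias, entityID and AM base URL are constructed values.

```python
"""Pass a value to the SP in IdP-initiated SSO without adding parameters to
the idpssoinit URL. Added example, not the forum poster's code; SP metadata,
metaAlias, entityID and AM base URL are constructed.
"""
import urllib.parse
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
RELAY_STATE_MAX_BYTES = 80  # SAML 2.0 Bindings: RelayState MUST NOT exceed 80 bytes
ET.register_namespace("md", MD_NS)

# Constructed SP metadata with a single HTTP-POST AssertionConsumerService.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _acs_elements(root, binding):
    return [e for e in root.iter("{%s}AssertionConsumerService" % MD_NS)
            if e.get("Binding") == binding]


def acs_location(metadata_xml, binding=HTTP_POST):
    """Return the SP's ACS URL for a binding, preferring the isDefault one."""
    acs = _acs_elements(ET.fromstring(metadata_xml), binding)
    if not acs:
        raise ValueError("no AssertionConsumerService for binding %s" % binding)
    acs.sort(key=lambda e: e.get("isDefault") != "true")
    return acs[0].get("Location")


def add_query_param(url, name, value):
    """Append name=value to a URL, keeping any query string it already has."""
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    query.append((name, value))
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def with_acs_param(metadata_xml, name, value, binding=HTTP_POST):
    """Rewrite the ACS Location(s) in SP metadata to carry the extra parameter.

    Importing this as the remote SP keeps AM's configured ACS URL identical to
    the one the SP publishes, so SP-initiated SSO keeps working as well.
    """
    root = ET.fromstring(metadata_xml)
    for acs in _acs_elements(root, binding):
        acs.set("Location", add_query_param(acs.get("Location"), name, value))
    return ET.tostring(root, encoding="unicode")


def idp_init_sso_url(am_base, meta_alias, sp_entity_id, relay_state=None, binding=HTTP_POST):
    """Build the AM idpssoinit URL; RelayState is the only free-form value it carries."""
    params = [("metaAlias", meta_alias), ("spEntityID", sp_entity_id), ("binding", binding)]
    if relay_state is not None:
        if len(relay_state.encode()) > RELAY_STATE_MAX_BYTES:
            raise ValueError("RelayState longer than %d bytes" % RELAY_STATE_MAX_BYTES)
        params.append(("RelayState", relay_state))
    return "{}/idpssoinit?{}".format(am_base.rstrip("/"), urllib.parse.urlencode(params))


def sso_url_params(url):
    """Parse the query of a built URL back into a dict (single-valued)."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}


if __name__ == "__main__":
    acs = acs_location(SAMPLE_SP_METADATA)
    print("SP publishes ACS:", acs)
    print("ACS with parameter:", add_query_param(acs, "MyOtherActivities", "AAAAAAA"))
    print(idp_init_sso_url("https://openam.example.com/openam", "/idp",
                           "https://sp.example.com/saml", relay_state="AAAAAAA"))
```

If the RelayState route is used, the SP must treat the value as untrusted input (an allowlist check before any redirect), and the 80-byte limit rules it out for anything but a short token.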

  • grk replied to the topic No Such Attribute: 00000057 in the forum Access Management 3 years, 6 months ago

    @sstelino-fr check the Federation debug log for errors.

  • grk replied to the topic OpenAM 13 – Login page not loading after setup in the forum Access Management 3 years, 7 months ago

    xyz.abcservices.com or abcservices.com, but no leading dot. Are your AWS Tomcat and current Tomcat running the exact same minor versions? Not sure if some of the Tomcat 8 minor versions still support a leading dot.

    https://bugster.forgerock.org/jira/browse/OPENAM-8668

    Thanks,
    Ravikumar Geejula

  • grk replied to the topic Force Change Password on Next Login in the forum Access Management 3 years, 7 months ago

    @alinturbut The "force-change-on-reset" property in the password policy should be set to True to notify the user. If you are using the "Default Password Policy", "force-change-on-reset" is set to False by default.

    Thanks,
    Ravikumar Geejula

  • grk replied to the topic OpenAM 13 – Login page not loading after setup in the forum Access Management 3 years, 7 months ago

    @dhilipswaminathan, Tomcat 8 does not support a cookie domain starting with a dot (.). Change the cookie domain to "xyz.abcservices.com" to fix the issue. Alternatively, if you have any dependency on using a cookie domain starting with a dot (.), update the Tomcat context.xml to use LegacyCookieProcessor, which supports a cookie domain starting with…

  • grk replied to the topic User Data Store Creation with multiple OpenDJ servers in OpenAM 5.5 in the forum Access Management 3 years, 10 months ago

    Server ID is a unique id set for each server. The first instance in a site will always be created with 01 and subsequent servers will get 02, 03, etc.
    If you go to Deployment->Servers->Server Name->Advanced, you will see a value set for the com.iplanet.am.lbcookie.value property. Usually this is the same as the Server ID. Also, you can run list-server-cfg ssoadm…

  • grk replied to the topic Multi Tenant and Log Files in the forum Access Management 3 years, 10 months ago

    @apcheidm, which version of AM are you using? In OpenAM 13 (probably 12) and above, you can have separate audit log files for each tenant/realm. You cannot have separate debug files for each tenant/realm.

    Thanks,

  • grk replied to the topic ssoadm in the forum Access Management 3 years, 10 months ago

    You can use show-datastore to get the datastore config. This lists the config attributes:

    ssoadm show-datastore -u amadmin -f /path/to/password-file -e realm-name -m Datastore-Name

    The command below lists all CoTs in a realm:
    ssoadm list-cots -u amadmin -f /path/to/password-file -e realm-name

    The command below lists all the IDPs and SPs in a CoT:
    ssoadm…

  • grk replied to the topic How to access OAuth2 endpoint within OpenAM instance in the forum Access Management 4 years, 1 month ago

    @danbrodsky looks like the openam context root is missing in your OAuth2 endpoint URL. That could return a 404.
    http://<openam host name or vip>:<port>/<context root>/oauth2/authorize

    If you have configured the OAuth2Provider service and policy as per the documentation, you are good.

    Thanks,

  • grk replied to the topic Queries about Federation in the forum Access Management 4 years, 1 month ago

    @aniru2d per the AuthnRequest schema, it seems NameIDPolicy is not mandatory, but per my observation, SPs send a persistent NameIDPolicy if none is provided in the IDP and SP configuration.

    Thanks,

  • grk replied to the topic Queries about Federation in the forum Access Management 4 years, 2 months ago

    @aniru2dh
    1. Yes, you can use the same OpenAM instance as Hosted IDP and Hosted SP.
    https://backstage.forgerock.com/docs/am/5.5/saml2-guide/#saml2-providers-and-cots

    2. The IDP/SP name can be any string. It is not necessary to have it in URL format. You can change it while creating the IDP/SP.

    Thanks,

  • grk replied to the topic dynamic user-profile creation in the forum Access Management 4 years, 2 months ago

    @cs501 I don't think this issue was fixed in any version. The bug status shows "OPEN". If it is fixed, FR will update the bug status to "Resolved" and provide the fixed version numbers against Fix Version/s.

    Thanks,

  • grk replied to the topic dynamic user-profile creation in the forum Access Management 4 years, 2 months ago

    @cs501 when attribute values are updated at the IDP, the OpenAM SP will not update the attributes if the profile already exists in the DataStore.

    OPENAM-8340

    You may need to follow the link available in the above Jira defect for a custom solution.

    Thanks,

  • grk replied to the topic Issue with Federation in the forum Access Management 4 years, 2 months ago

    @aniru2dh, check whether the signing cert public key was imported into the SP system, or whether the public key matches.

    Here is the ServiceNow SAML setup doc.
    https://docs.servicenow.com/bundle/geneva-servicenow-platform/page/integrate/saml/task/t_InstallTheIdentityProviderCert.html

    Thanks,

  • grk replied to the topic Issue with realm redirection with webagents 5 and openAM 5.5.1 in the forum Access Management 4 years, 3 months ago

    @aniru2dh are you using centralized or local configuration? If you are using local configuration, you need to update the agent.conf stored on the web server under the agent installation dir. Otherwise, switch to "centralized".

    Thanks,

  • grk replied to the topic multiple SAML CoTs in one IDP instance in the forum Access Management 4 years, 3 months ago

    @thirujay, Yes

  • grk replied to the topic stateless session upgrade in the forum Access Management 4 years, 3 months ago

    @cs501, looks like stateless sessions do not support session upgrade.

    https://backstage.forgerock.com/docs/am/5.5/authentication-guide/#session-state-stateless-limitations

    Thanks,

  • grk replied to the topic Getting custom claims in OpenID Connect Access Tokens in the forum Access Management 4 years, 4 months ago

    @paulhaggerty. Yes, you need to add the claims parameter to the authorization endpoint. Here is my earlier post:
    "Enable "claims_parameter_supported" on the OAuth2 provider service. This will let you append a "claims" query parameter to the authorize endpoint with a value in JSON format. This is returning whatever JSON string we pass for the "claims" parameter in the JWT acce…
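The claims request the post describes, as an added example in Python that is not the poster's code: it builds the authorization request with the OIDC `claims` parameter carrying a JSON object, recovers that object the way the server will parse it, and checks which requested claim names are present in the JWT that comes back. The authorize endpoint path follows the `/<context root>/oauth2/authorize` form used elsewhere on this page; the client_id, redirect_uri and sample JWT are constructed, and the sample JWT is unsigned (alg "none") only so the example runs offline. `claims_parameter_supported` must be enabled on the OAuth2 provider service first, as the post says.

```python
"""Request a custom claim with the OIDC ``claims`` request parameter and check
that it arrived in the JWT. Added example, not the poster's code; client_id,
redirect_uri and the sample token are constructed.
"""
import base64
import json
import secrets
import urllib.parse


def claims_request(id_token=None, userinfo=None):
    """OIDC Core 5.5 structure: {"id_token": {...}, "userinfo": {...}}.

    Each entry maps a claim name to None (just request it) or to a dict such
    as {"essential": True} or {"value": "..."}.
    """
    req = {}
    if id_token:
        req["id_token"] = dict(id_token)
    if userinfo:
        req["userinfo"] = dict(userinfo)
    return req


def authorize_url(am_base, client_id, redirect_uri, scopes, claims, state=None, nonce=None):
    """Authorization request with the claims JSON carried as one query parameter."""
    params = [
        ("response_type", "code"),
        ("client_id", client_id),
        ("redirect_uri", redirect_uri),
        ("scope", " ".join(scopes)),
        ("state", state or secrets.token_urlsafe(16)),  # CSRF binding for the callback
        ("nonce", nonce or secrets.token_urlsafe(16)),  # replay binding for the ID token
        ("claims", json.dumps(claims, separators=(",", ":"))),
    ]
    return "{}/oauth2/authorize?{}".format(am_base.rstrip("/"), urllib.parse.urlencode(params))


def authorize_params(url):
    """Parse the query back into a dict of single values (what the server sees)."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}


def claims_from_url(url):
    return json.loads(authorize_params(url)["claims"])


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token):
    """Decode the payload for inspection only. This does NOT verify the signature,
    so never use claims read this way for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(token, claims, section="id_token"):
    """Names requested in one claims section that the JWT payload does not carry."""
    wanted = claims.get(section, {})
    payload = jwt_payload(token)
    return sorted(name for name in wanted if name not in payload)


def make_unsigned_jwt(payload):
    """Constructed test token; real AM tokens are signed and must be verified."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


SAMPLE_TOKEN = make_unsigned_jwt({"sub": "demo", "department": "security", "scope": ["openid"]})

if __name__ == "__main__":
    req = claims_request(id_token={"department": {"essential": True}, "email": None})
    url = authorize_url("https://openam.example.com/openam", "myclient",
                        "https://app.example.com/cb", ["openid", "profile"], req)
    print(url)
    print("requested but absent:", missing_claims(SAMPLE_TOKEN, req))
```

The claims JSON rides inside the query string, so it is percent-encoded once by `urlencode`; a double-encoded value is a common reason the provider ignores the parameter silently.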

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.