grk

@mei-liusaa-com
for #3, you need to append your query parameter to ACS URL as below.
https://lightweight2–ssotest.cs51.my.salesforce.com?MyOtherActivities=AAAAAAA

I think it is better if you get this ACS URL from SP so that it will match both sides and it will not fail in SP initiated SSO

You can try below Rest/curl to get sessions for a given user. You need to pass admin token in header.

http://openam.example.com:8080/openam/json/sessions?_queryFilter=realm%20eq%20%22%2Ftest%22%20and%20username%20eq%20%22demo%22

curl -X GET –header ‘Accept: application/json’ –header ‘Accept-API-Version: resource=2.0’ –header…[Read more]

@mei-liusaa-com Is this additional parameter value static? IDPInitSSO URL does not support any additional query parameters.
I see only below 3 options to pass a value to SP.
1. Pass in SAML Response. If this value is a static value, you can set that static value in attribute mapping as MyOtherActivities=”AAAAAAA”. SP will get it from SAML…[Read more]

@sstelino-fr check Federation debug log for errors.

xyz.abcservices.com or abcservices.com but no leading dot. Is your AWS tomcat and current tomcat running exact same minor versios? Not sure if some of the tomcat8 minor versions still support leading dot.

https://bugster.forgerock.org/jira/browse/OPENAM-8668

Thanks,
Ravikumar Geejula

@alinturbut “force-change-on-reset” property in Password policy should be set to True to notify the user. If you are using “Default Password Policy”, “force-change-on-reset” is set to False by default.

Thanks,
Ravikumar Geejula

@dhilipswaminathan, Tomcat8 does not support cookie domain starting with dot(.). Change cookie domain to “xyz.abcservices.com” to fix the issue. Alternatively, if you have any dependency to use cookie domain starting with dot(.), update tomcat context.xml to use LegacyCookieProcessor which supports cookie domain starting with…[Read more]

Server ID is a unique id set for each server. Always first instance in a site will be created with 01 and subsequent servers will get 02,03 etc.
If you go to Deployment->Servers->Server Name->Advanced, you will see a value set for com.iplanet.am.lbcookie.value property. Usally this is same as Server ID. Also, You can run list-server-cfg ssoadm…[Read more]

@apcheidm, which version of AM you are using? OpenAM 13(probably 12) and above, you can have separate audit log files for each tenant/realm. You cannot have separate debug files for each tenant/realm.

Thanks,

You can use show-datastore to get datastore config. This lists the config attributes

ssoadm show-datastore -u amadmin -f /path/to/password-file -e realm-name -m Datastore-Name

Below command lists all CoTs in a realm
ssoadm list-cots -u amadmin -f /path/to/password-file -e realm-name

Below command lists all the IDPs and SPs in a CoT
ssoadm…[Read more]

@danbrodsky looks like openam context root is missing in your oauth2 endpoint url. That could return 404.
http://<openam host name or vip>:<port>/<context root>/oauth2/authorize

If you have configured OAuth2Privider service and policy as per the documentation, you are good.

Thanks,

@aniru2d per AuthnRequest schema, it seems NameidPolicy is not mandatory but per my observation, SPs send persistent NameidPolicy if none is provided on IDP and SP configuration.

Thanks,

@aniru2dh
1. Yes, you can use same OpenAM instance as Hosted IDP and Hosted SP.
https://backstage.forgerock.com/docs/am/5.5/saml2-guide/#saml2-providers-and-cots

2. IDP/SP name can be any string. It is not necessary to have in URL format. You can change it while creating IDP/SP

Thanks,

@cs501 i don’t think this issue was fixed in any version.Bug status shows “OPEN”. If it is fixed, FR will update bug status to “Resolved” and provide fixed version numbers against Fix Version/s

Thanks,

@cs501 when attribute values are updated at IDP, OpenAM SP will not update attribues if the profile already exist in DataStore.

OPENAM-8340

You may need to follow the link avaible in above Jira defect for custom solution.

Thanks,

@aniru2dh, Check if signing cert public key was imported into SP system OR public key is matching or not.

Here is Service Now SAML setup doc.
https://docs.servicenow.com/bundle/geneva-servicenow-platform/page/integrate/saml/task/t_InstallTheIdentityProviderCert.html

Thanks,

@aniru2dh are you using centralized or local configuration? If you are using local configuration, you need to update agent.conf stored on web server under agent installation dir. Otherwiese, switch to “centralized”.

Thanks,

@thirujay, Yes

@cs501, looks like stateless session does not support session upgrade

https://backstage.forgerock.com/docs/am/5.5/authentication-guide/#session-state-stateless-limitations

Thanks,

@paulhaggerty. Yes, you need to add cliams parameter to authorization endpoint. Here is my earlier post
“Enable “claims_parameter_supported” on OAuth2 provider service. This will let you append “cliams” query parameter to authorize endpoint with value in json format. This is returning whatever json string we pass for “cliams” parameter in JWT acce…[Read more]