-
grk replied to the topic how to pass external parameter to idp initiated sso federation in the forum Access Management 3 years, 2 months ago
@mei-liusaa-com
for #3, you need to append your query parameter to ACS URL as below.
https://lightweight2--ssotest.cs51.my.salesforce.com?MyOtherActivities=AAAAAAA
I think it is better if you get this ACS URL from the SP so that it matches on both sides and does not fail in SP-initiated SSO.
-
grk replied to the topic Invalidate all the session of a given user in the forum Access Management 3 years, 2 months ago
You can try the REST/curl call below to get the sessions for a given user. You need to pass the admin token in the header.
curl -X GET --header 'Accept: application/json' --header 'Accept-API-Version: resource=2.0' --header…
-
grk replied to the topic how to pass external parameter to idp initiated sso federation in the forum Access Management 3 years, 2 months ago
@mei-liusaa-com Is this additional parameter value static? IDPInitSSO URL does not support any additional query parameters.
I see only the 3 options below to pass a value to the SP.
1. Pass it in the SAML Response. If this value is static, you can set that static value in the attribute mapping as MyOtherActivities="AAAAAAA". The SP will get it from the SAML…
-
grk replied to the topic No Such Attribute: 00000057 in the forum Access Management 3 years, 6 months ago
@sstelino-fr check the Federation debug log for errors.
-
grk replied to the topic OpenAM 13 – Login page not loading after setup in the forum Access Management 3 years, 7 months ago
xyz.abcservices.com or abcservices.com but no leading dot. Are your AWS Tomcat and current Tomcat running the exact same minor versions? Not sure if some of the Tomcat 8 minor versions still support a leading dot.
https://bugster.forgerock.org/jira/browse/OPENAM-8668
Thanks,
Ravikumar Geejula
-
grk replied to the topic Force Change Password on Next Login in the forum Access Management 3 years, 7 months ago
@alinturbut “force-change-on-reset” property in Password policy should be set to True to notify the user. If you are using “Default Password Policy”, “force-change-on-reset” is set to False by default.
Thanks,
Ravikumar Geejula
-
grk replied to the topic OpenAM 13 – Login page not loading after setup in the forum Access Management 3 years, 7 months ago
@dhilipswaminathan, Tomcat 8 does not support a cookie domain starting with a dot (.). Change the cookie domain to "xyz.abcservices.com" to fix the issue. Alternatively, if you have any dependency on using a cookie domain starting with a dot (.), update the Tomcat context.xml to use LegacyCookieProcessor, which supports a cookie domain starting with…
-
grk replied to the topic User Data Store Creation with multiple OpenDJ servers in OpenAM 5.5 in the forum Access Management 3 years, 10 months ago
Server ID is a unique id set for each server. The first instance in a site is always created with 01 and subsequent servers get 02, 03, etc.
If you go to Deployment->Servers->Server Name->Advanced, you will see a value set for the com.iplanet.am.lbcookie.value property. Usually this is the same as the Server ID. Also, you can run the list-server-cfg ssoadm…
-
grk replied to the topic Multi Tenant and Log Files in the forum Access Management 3 years, 10 months ago
@apcheidm, which version of AM are you using? In OpenAM 13 (probably 12) and above, you can have separate audit log files for each tenant/realm. You cannot have separate debug files for each tenant/realm.
Thanks,
-
grk replied to the topic ssoadm in the forum Access Management 3 years, 10 months ago
You can use show-datastore to get the datastore config. This lists the config attributes:
ssoadm show-datastore -u amadmin -f /path/to/password-file -e realm-name -m Datastore-Name
The command below lists all CoTs in a realm:
ssoadm list-cots -u amadmin -f /path/to/password-file -e realm-name
The command below lists all the IDPs and SPs in a CoT:
ssoadm…
-
grk replied to the topic How to access OAuth2 endpoint within OpenAM instance in the forum Access Management 4 years, 1 month ago
@danbrodsky looks like the OpenAM context root is missing in your OAuth2 endpoint URL. That could return 404.
http://<openam host name or vip>:<port>/<context root>/oauth2/authorize
If you have configured the OAuth2Provider service and policy as per the documentation, you are good.
Thanks,
-
grk replied to the topic Queries about Federation in the forum Access Management 4 years, 1 month ago
@aniru2d per the AuthnRequest schema, it seems NameIDPolicy is not mandatory, but per my observation SPs send a persistent NameIDPolicy if none is provided in the IDP and SP configuration.
Thanks,
-
grk replied to the topic Queries about Federation in the forum Access Management 4 years, 2 months ago
@aniru2dh
1. Yes, you can use same OpenAM instance as Hosted IDP and Hosted SP.
https://backstage.forgerock.com/docs/am/5.5/saml2-guide/#saml2-providers-and-cots
2. The IDP/SP name can be any string. It does not need to be in URL format. You can change it while creating the IDP/SP.
Thanks,
-
grk replied to the topic dynamic user-profile creation in the forum Access Management 4 years, 2 months ago
@cs501 I don't think this issue was fixed in any version. The bug status shows "OPEN". If it is fixed, FR will update the bug status to "Resolved" and provide the fixed version numbers against Fix Version/s.
Thanks,
-
grk replied to the topic dynamic user-profile creation in the forum Access Management 4 years, 2 months ago
@cs501 when attribute values are updated at the IDP, the OpenAM SP will not update the attributes if the profile already exists in the DataStore.
You may need to follow the link available in the above Jira defect for a custom solution.
Thanks,
-
grk replied to the topic Issue with Federation in the forum Access Management 4 years, 2 months ago
@aniru2dh, check whether the signing cert public key was imported into the SP system, or whether the public key matches.
Here is the ServiceNow SAML setup doc.
https://docs.servicenow.com/bundle/geneva-servicenow-platform/page/integrate/saml/task/t_InstallTheIdentityProviderCert.html
Thanks,
-
grk replied to the topic Issue with realm redirection with webagents 5 and openAM 5.5.1 in the forum Access Management 4 years, 3 months ago
@aniru2dh are you using centralized or local configuration? If you are using local configuration, you need to update the agent.conf stored on the web server under the agent installation dir. Otherwise, switch to "centralized".
Thanks,
-
grk replied to the topic multiple SAML CoTs in one IDP instance in the forum Access Management 4 years, 3 months ago
@thirujay, Yes
-
grk replied to the topic stateless session upgrade in the forum Access Management 4 years, 3 months ago
@cs501, looks like stateless sessions do not support session upgrade.
Thanks,
-
grk replied to the topic Getting custom claims in OpenID Connect Access Tokens in the forum Access Management 4 years, 4 months ago
@paulhaggerty, yes, you need to add the claims parameter to the authorization endpoint. Here is my earlier post:
"Enable "claims_parameter_supported" on the OAuth2 provider service. This will let you append the "claims" query parameter to the authorize endpoint with a value in JSON format. This is returning whatever JSON string we pass for the "claims" parameter in the JWT acce…