-
handat replied to the topic Unable to install OpenAM with Amster in the forum Access Management 4 years, 3 months ago
Use JDK 1.8 rather than 1.7
-
handat replied to the topic Revoke all the refresh token issued to the user during resetpassword in the forum Access Management 4 years, 3 months ago
Try passing in an empty Set instead of null to the search
-
handat replied to the topic Getting custom claims in OpenID Connect Access Tokens in the forum Access Management 4 years, 4 months ago
Have a look at this: https://bugster.forgerock.org/jira/browse/OPENAM-11445
I looked at STS with a custom mapping class to add custom claims to generate a stateless access token. That works fine but I had to add custom headers too :(
-
handat replied to the topic Data Store LDAP server list is reordered by OpenAM in the forum Access Management 4 years, 4 months ago
I have not tried it myself, but maybe if you import the config using amster it may retain its order?
-
handat replied to the topic Handle 500 error with PEP filter in the forum Identity Gateway 4 years, 4 months ago
Actually, I figured it out. I was mistakenly expecting the filter that follows the PEP filter to be able to handle the error, but it turns out the filter before the PEP filter actually does it. I had the PEP filter sandwiched between two custom scripted filters and was debugging the wrong filter, i.e. the one after and not the one before.
-
handat started the topic Handle 500 error with PEP filter in the forum Identity Gateway 4 years, 4 months ago
I’ve configured the PEP filter and it works well when the SSO session is valid. However, if it is expired, then a 500 error is thrown and execution does not continue to the next filter in the chain so it cannot replace the error page with something custom. How can I handle this error condition so that I can display a custom error page? The…
-
handat replied to the topic OpenIG not returning access token in the forum Access Management 4 years, 4 months ago
You would need to configure the access token to be stateless in order for it to be in JWT format. Not sure if that option is available in 13.0, but it is available in 13.5 and newer.
-
handat replied to the topic Getting custom claims in OpenID Connect Access Tokens in the forum Access Management 4 years, 4 months ago
There’s no interface for you to customize the access token unlike the groovy script for the ID token.
-
handat replied to the topic OpenAM Authentication issue with openDJ datastore. in the forum Access Management 4 years, 5 months ago
Did you increase your open file limits?
-
handat replied to the topic Free Self -Learning Material in the forum Access Management 4 years, 5 months ago
Try the blogs and the associated videos. There is a lot of good info in the videos and there are quite a lot of them.
-
handat replied to the topic RS256 token validation failure in the forum Access Management 4 years, 5 months ago
It happened to me when my token had an extra r or l right at the end. Removing that very last char resulted in successful validation.
-
handat replied to the topic jwk_uri in the forum Access Management 4 years, 5 months ago
Answering my own question for anyone who is interested, it turns out that it was easier than I thought.
Basically, this is all I needed:
```java
// Build the RSA JWK from the certificate's public key and print it as JSON
RsaJWK jwk = new RsaJWK((RSAPublicKey) key, KeyUse.SIG, jwsAlgorithm.name(), kid, x5u, x5t, x5c);
System.out.println(jwk.toJsonString());
```
Then stick that into the jwk_uri file under the keys section.
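For the situation in this post, a partner that hands over its certificate out of band instead of publishing a JWK Set URL, the following is an added Python example (not code from the post, from AM, or from the ForgeRock JOSE library) showing what the JWK Set document at that URL has to contain and how each field is derived. Standard library only. The modulus, exponent and DER certificate bytes are constructed placeholders, not a real key; the `kid` falls back to the RFC 7638 thumbprint when the partner did not assign one, and `x5t` / `x5t#S256` are the certificate hashes from RFC 7517.

```python
"""Build a JWK Set (the document served at a jwks_uri) from an RSA public key
obtained out of band, e.g. extracted from a partner's X.509 certificate.

Added example, not code from the forum post or from AM. Standard library only.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def int_to_b64url(value: int) -> str:
    """Unsigned big-endian octets with no leading zero bytes (RFC 7518 section 6.3.1).
    A padded or zero-prefixed modulus is a common cause of 'key not found' or
    signature validation failures on the consuming side."""
    length = max(1, (value.bit_length() + 7) // 8)
    return b64url(value.to_bytes(length, "big"))


def b64url_to_int(text: str) -> int:
    padded = text + "=" * (-len(text) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def rsa_thumbprint(n: int, e: int) -> str:
    """RFC 7638 JWK thumbprint: SHA-256 over the canonical JSON of the required
    members (e, kty, n in lexicographic order, no whitespace). A deterministic
    kid to use when the certificate owner did not supply one."""
    canonical = json.dumps({"e": int_to_b64url(e), "kty": "RSA", "n": int_to_b64url(n)},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def x5t_sha1(cert_der: bytes) -> str:
    """x5t: base64url SHA-1 of the DER-encoded certificate (RFC 7517 section 4.8)."""
    return b64url(hashlib.sha1(cert_der).digest())


def x5t_sha256(cert_der: bytes) -> str:
    """x5t#S256: base64url SHA-256 of the DER-encoded certificate (RFC 7517 section 4.9)."""
    return b64url(hashlib.sha256(cert_der).digest())


def build_rsa_jwk(n: int, e: int, alg: str = "RS256", kid: str = None,
                  cert_der: bytes = None) -> dict:
    """Assemble a signature-use RSA JWK; cert fields are optional but help the
    verifier pin the key to the certificate it was handed."""
    jwk = {
        "kty": "RSA",
        "use": "sig",
        "alg": alg,
        "kid": kid or rsa_thumbprint(n, e),
        "n": int_to_b64url(n),
        "e": int_to_b64url(e),
    }
    if cert_der is not None:
        # x5c is plain base64 (RFC 4648 section 4), not base64url, and keeps its padding.
        jwk["x5c"] = [base64.b64encode(cert_der).decode("ascii")]
        jwk["x5t"] = x5t_sha1(cert_der)
        jwk["x5t#S256"] = x5t_sha256(cert_der)
    return jwk


def build_jwks(*jwks: dict) -> str:
    """The JWK Set wrapper: a top-level "keys" array (RFC 7517 section 5)."""
    return json.dumps({"keys": list(jwks)}, indent=2)


# Constructed sample input: a made-up 64-bit modulus (no real RSA key is this
# small) and placeholder bytes standing in for a DER certificate.
SAMPLE_N = 0xC0FFEE1234567891
SAMPLE_E = 65537
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(32))

if __name__ == "__main__":
    print(build_jwks(build_rsa_jwk(SAMPLE_N, SAMPLE_E, cert_der=SAMPLE_CERT_DER)))
```

Serve the resulting document from an HTTPS location you control and point the module at it; the `kid` you choose here must match the `kid` header the partner places on its ID tokens, or the key lookup will not succeed.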
-
handat replied to the topic Error during initial config of OpenAM 5.5.1 in the forum Access Management 4 years, 5 months ago
Try connecting to AD using LDAPS instead of LDAP.
-
handat started the topic jwk_uri in the forum Access Management 4 years, 5 months ago
I am using the OPENID CONNECT ID_TOKEN BEARER authentication module to allow authentication using a third party ID token and jwk_url for validation. This is fine if the third party provides their jwk_url and it is accessible. However, there are some who do not provide it and instead just provide their public certificate out of band. Now I would…
-
handat replied to the topic ldap and ldaps password are different? in the forum Directory Services 4 years, 6 months ago
It appears in 5.5, the LDAP connection handler defaults to startTLS, so if you are using ldapsearch on LDAP protocol, you need to use the -Z option.
-
handat replied to the topic OpenAm how to default inetuserstatus to Active in the forum Access Management 4 years, 6 months ago
It is not there by default, but you can add the attribute in your mapping. Just create a new target attribute.
-
handat started the topic transactional authz strategy specifier in the forum Access Management 4 years, 6 months ago
I am looking at the AM 5.5 transactional authz conditions and wanting to use the Auth Level Authentication Strategy. I am wondering what the valid Strategy Specifier is for that. I understand that when you do any of the other Authentication strategies, the user will need to authenticate to the specified chain/realm/tree/module, but what about the…
-
handat replied to the topic Internal OpenAM 13.5 server with SAML 2 redirection in the forum Access Management 4 years, 7 months ago
You can change this in the web container, i.e. if you are using Tomcat, then you can change the Tomcat connector. Alternatively, you can also add an FQDN mapping in AM advanced config, i.e.
com.sun.identity.server.fqdnMap=ex.ter.nal.ip
com.sun.identity.server.fqdnMap=in.ter.nal.ip
-
handat replied to the topic How to specify certificate alias for ClientHandler in the forum Identity Gateway 4 years, 7 months ago
Hi,
Thanks for confirming. That means that each keystore can only have a single private key and the alias does not matter as it would just get the only private key. If there were more private keys, it would fail? There is no hardcoded default alias it will try to look for?
-
handat started the topic How to specify certificate alias for ClientHandler in the forum Identity Gateway 4 years, 7 months ago
I’m trying to configure mutual authentication for https connections where OpenIG is connecting to a TLS enabled site that requires a client certificate to be presented for mutual authentication. I’ve configured a keyManager containing the client certificate that IG needs to present. How do I specify that certificate? Logically, one would add an…