handat

Use JDK 1.8 rather than 1.7

Try passing in an empty Set instead of null to the search

Have a look at this: https://bugster.forgerock.org/jira/browse/OPENAM-11445

I looked at STS with a custom mapping class to add custom claims to generate a stateless access token. That works fine but I had to add custom headers too :(

I have not tried it myself, but maybe if you import the config using amster it may retain its order?

Actually, I figured it out. I was mistakenly expecting the filter that follows the PEP filter to be able to handle the error, but it turns out the filter before the PEP filter actually does it. I had the PEP filter sandwiched between two custom scripted filters and debugging the wrong filter, ie the one after and not the one before.

You would need to configure the access token to be stateless in order for it to be in JWT format. Not sure if that option is available in 13.0, but it is available in 13.5 and newer.

There’s no interface for you to customize the access token unlike the groovy script for the ID token.

Did you increase your open file limits?

Try the blogs and the associated videos. There is a lot of good info in the videos and there are quite of lot of them.

It happened to me when my token had an extra r or l right at the end. Removing that very last char resulted in successful validation.

Answering my own question for anyone who is interested, it turns out that it was easier than I thought.

Basically, this is all I needed:

RsaJWK jwk = new RsaJWK((RSAPublicKey)key, KeyUse.SIG, jwsAlgorithm.name(), kid, x5u, x5t, x5c);
System.out.println(jwk.toJsonString());

Then stick that into jwk_uri file under the keys section.

Try connecting to AD using LDAPS instead of LDAP.

It appears in 5.5, the LDAP connection handler defaults to startTLS, so if you are using ldapsearch on LDAP protocol, you need to use the -Z option.

It is not there by default, but you can add the attribute in your mapping. Just create a new target attribute.

You can change this in the web container, ie if you are using tomcat, then you can change the tomcat connector. Alternatively, you can also add a FQDN mapping in AM advanced config, ie com.sun.identity.server.fqdnMap=ex.ter.nal.ip
com.sun.identity.server.fqdnMap=in.ter.nal.ip

Hi,

Thanks for confirming. That means that each keystore can only have a single private key and the alias does not matter as it would just get the only private key. If there were more private keys, it would fail? There is no hardcoded default alias it will try to look for?