- ForgeRock Forum and Blog

Kabi Patt replied to the topic IG for internal and external Apps in the forum Identity Gateway 1 year, 2 months ago

Basically, we do not want to use password replay option to log in to backend applications.As per the above-given possibilities, HeaderFilter and CryptoHeaderFilter are one way of communicating authenticated user identity information to backend applications.

Hi Joachim
Thank you for sharing your insight. Few follow up questions on the above…[Read more]
Kabi Patt replied to the topic Using Single Login screen for a chain that has multiple authn modules in the forum Access Management 1 year, 2 months ago

Thank you Brad,
The solution worked !

Kabi
Kabi Patt replied to the topic Using Single Login screen for a chain that has multiple authn modules in the forum Access Management 1 year, 2 months ago

Hi Andy,
The AM version is 6.0.0.4.

This chain is used for Radius authentication and attached to a Radius client. FR does not support authentication for Radius yet.

Thanks,
Kabi
Kabi Patt started the topic Using Single Login screen for a chain that has multiple authn modules in the forum Access Management 1 year, 2 months ago

My authentication chain :-

(1) Radius Module (Requisite) –> Radius-UserId / Radius-Password
(2) Ldap Module (Sufficient) –> Ldap-UserId/ Ldap-Password.

No usability issue for Radius Authentication, User enters Radius-Uid/ Radius-Pwd to Radius-Login screen and get authenticated.

But for Ldap authentication, User goes thru two Login…[Read more]
Kabi Patt started the topic Best practice :- COT for every SP ? in the forum Access Management 2 years, 4 months ago

We have one IDP and multiple SPs tied together in one Circle Of Trust (COT). We are debating whether to create a SP-Specific COT instead of using just one generic COT.

What is the best practice ?
Kabi Patt replied to the topic Invoking SP Specific Authentication Chain in AM in the forum Access Management 2 years, 4 months ago

Thank you Scott, Will try the solution you suggested. Currently we wrote IDP-Adapter for this which is really not necessary.

Yes we can check membership check in Adaptive Risk Module. But How will I bring the SP-ID in to this equation ? We have groups meant for specific SP-ID.

Thanks,
Kabi
Kabi Patt replied to the topic Invoking SP Specific Authentication Chain in AM in the forum Access Management 2 years, 4 months ago

Thanks Scott for the explanations. My use case is complex and looks like I will end in creating multiple IDPs for each case. Here are my use cases :-

(1) SP1 will use just Kerberos for all users.
(2) SP2 will use Kerberors for all users + 2Fa for user with “SP2-Admin” group .
(3) SP3 will use 2FA for all users.

I don’t see any issues for…[Read more]
Kabi Patt started the topic Invoking SP Specific Authentication Chain in AM in the forum Access Management 2 years, 4 months ago

We are using AM 5.5.1 as IDP. The IDP is linked to to the realm’s default authentication chain configured in Realm > Authentication > Setting > Core “Organization Authentication Configuration”. The default authentication-chain is currently set to Kerberos. So all our SPs are going thru kerberos authentication.

However, our requirement is to…[Read more]
Kabi Patt replied to the topic OpenIG as a reverseProxy in the forum Identity Gateway 3 years, 8 months ago

I found my mistake. I had kept the .openig file in $TOMCAT_HOME folder instead of $HOME (/root in my case) directory. Once I transferred the .openif directory to $HOME, rest started working as expected. I also moved the app1 specific routing syntax from config.json to routes/01-app-routes.json file for clean separation. I guess config.json meant…[Read more]
Kabi Patt replied to the topic OpenIG as a reverseProxy in the forum Identity Gateway 3 years, 8 months ago

Thanks Joachim for quick reply. Yes that condition should be “/app1”.

(1) What is the difference between config.json and route JSON file in “routes” directory ?
(2) Can I put the above said configuration in 01-app1-route.json file with no config.json file ?
(3) my config.json file has following entries, which suppose to show the log in…[Read more]
Kabi Patt replied to the topic Using OpenIG as a regular ReverseProxy similar to NGINX or Apache in the forum Identity Gateway 3 years, 8 months ago

Hi
I am new to OpenIG. Few questions on the configuration mentioned above.

(1) “baseURI”: “http://1.1.1.1:8080” :- Is this the IP where the target app “www.acme.com” is hosted ?
(2) When to use config.json file vs “../routes/xxx.json” . Can the config.json file be empty ?

Thanks,
Kabi
Kabi Patt replied to the topic Using OpenIG as a regular ReverseProxy similar to NGINX or Apache in the forum Identity Gateway 3 years, 8 months ago

Hi
I am new to OpenIG. Few questions on the configuration mentioned above.

(1) “baseURI”: “http://1.1.1.1:8080” :- Is this the IP wheretarget app “www.acme.com” is hosted ?
(2) When to use config.json file vs “../routes/xxx.json” . Can the config.json file be empty ?

Thanks,
Kabi
Kabi Patt started the topic OpenIG as a reverseProxy in the forum Identity Gateway 3 years, 8 months ago

Hi ,

I am new to Open IG. Trying to use OpenIG as a proxy to start with.

I have a sample app http://box1.abc.com/app1 running in box and I wanted to access it thru http://openig.abc.com/app1 (this is the box2 for openIG) . I followed the instruction mentioned section 2.4 in…[Read more]
Kabi Patt's profile was updated 3 years, 9 months ago
Kabi Patt started the topic Searching the OpenDJ Forum ? in the forum Directory Services 3 years, 9 months ago

Bill, I am new to the ForgeRock Forum. Is there any way I can search the existing forum for specific topic like OpenDJ or OpenAM ? The search icon on the top menu brings the results beyond forum content.

Kabi
Kabi Patt replied to the topic Open DJ Not starting :- could not acquire an exclusive lock on file server.lock in the forum Directory Services 3 years, 9 months ago

Bill, I am new to the ForgeRock Forum. Is there any way I can search the existing forum for specific topic like OpenDJ or OpenAM ? The search icon on the top menu brings the results beyond forum content.

Kabi
Kabi Patt replied to the topic Open DJ Not starting :- could not acquire an exclusive lock on file server.lock in the forum Directory Services 3 years, 9 months ago

Thank you Bill,
That strace command was very helpful. I found that the configuration was not complete. I ran the setup again and the issue got resolved.

Thanks,
Kabi
Kabi Patt started the topic Open DJ Not starting :- could not acquire an exclusive lock on file server.lock in the forum Directory Services 3 years, 9 months ago

Hi
I did a fresh installation of OpenDJ on RHEL. Running start-ds command is giving me following error. I am running start-ds command as the same user used for installing OpenDJ.

The Directory Server could not acquire an exclusive lock on file /apps/forgerock/opendj/locks/server.lock: The attempt to obtain an exclusive lock on file…[Read more]
Kabi Patt replied to the topic OpenAM in OSX El Captain :- not loading the login page in the forum Access Management 3 years, 10 months ago

Thank you Peter. I resolved it by upgrading to openam 14 snapshot war file. I did not check the jason response before. Openam 13 has some issues I guess.

Thanks
Kabi
Kabi Patt started the topic OpenAM in OSX El Captain :- not loading the login page in the forum Access Management 3 years, 10 months ago

Hi,

I am trying to showcase some OpenAM capabilities to my management. So installed OpenAM 13.0 with Embeded-DJ on Tomcat 8 with JDK 8 on my OSX-El-Captain. I installed and completed the OpenAM configuration, but no luck in getting the the first login screen to the admin console so far.

I am getting “Loading….” message for the URL…[Read more]