@karthik-nagarajanthomsonreuters-com
active 1 year, 10 months ago
@karthik-nagarajanthomsonreuters-com commented on the post, Step up authentication OpenID Connect 4 years, 5 months ago
Hi,
If the application tries to login with acr=2 without going through the initial login, will OpenAM automatically show login page followed by OTP?
Thanks,
Karthik
@karthik-nagarajanthomsonreuters-com replied to the topic SAML SSO IDP session upgrade in the forum Access Management 4 years, 6 months ago
Hi Peter,
I have a similar use case with SAML Federation.
Let’s say I have 2 different AuthnContexts mapped to different chains:
Context1 – Chain 1 – Auth Level 10
Context2 – Chain 2 – Auth Level 20
Chain 1 = LDAP module with Auth Level 10
Chain 2 = LDAP module with Auth Level 10 + HOTP module with Auth Level 20
If a user is already…
@karthik-nagarajanthomsonreuters-com replied to the topic Pass dynamic parameters for policy evaluation in the forum Access Management 4 years, 11 months ago
Thanks Peter.
Regarding environment map, I have a question regarding the Identity Membership condition.
I am not sure how it works, but if I try to invoke a policy with “Identity Membership” condition, it doesn’t work. In the logs, I see InvocatorUUID not available. Should we pass any particular parameter in policy request body for “Identity…
@karthik-nagarajanthomsonreuters-com started the topic Pass dynamic parameters for policy evaluation in the forum Access Management 4 years, 11 months ago
Is it possible to pass dynamic parameter values to OpenAM policy endpoint and evaluate a particular attribute against the passed value?
For example: I would like to pass some value like type=admin to evaluate endpoint and in the policy, I want to check if attribute “employeeType=admin”.
@karthik-nagarajanthomsonreuters-com replied to the topic changing nameid format in IdpProxy in the forum Access Management 5 years, 2 months ago
Ok. What is the purpose of SP or IDP Adapters? Can we write custom adapters to replace the name-id format before sending the assertion from IdpProxy to SP?
@karthik-nagarajanthomsonreuters-com replied to the topic changing nameid format in IdpProxy in the forum Access Management 5 years, 2 months ago
Thanks Peter. Is it possible to write any plugin to translate the NameID-Format?
@karthik-nagarajanthomsonreuters-com started the topic changing nameid format in IdpProxy in the forum Access Management 5 years, 2 months ago
We have IdpProxy setup like SP -> IdpProxy -> Remote Idp.
SP supports only emailAddress nameid format and Remote Idp supports only unspecified nameid format. IdpProxy has to get assertion from Remote Idp and send it to SP.
Is it possible to change the nameid format at IdpProxy before sending the assertion to SP? I didn’t find any configuration to…
@karthik-nagarajanthomsonreuters-com replied to the topic “Unable to do Single Sign On or Federation” to successURL in the forum Access Management 5 years, 3 months ago
Hi Peter,
I get this same error page due to the following issue:
libSAML2:03/17/2017 03:14:28:281 PM UTC: Thread
ERROR: IDPSSOFederate.doSSOFederate: The realm of the session does not correspond to that of the IdP,
Thread
ERROR: IDPSSOFederate.doSSOFederate: The realm of the session does not correspond to that of the IdP
But, OpenAM displays a…
@karthik-nagarajanthomsonreuters-com replied to the topic OAuth default scope and requested scope in the forum Access Management 5 years, 4 months ago
Thanks Scott.
So, the only option to return default scopes as well as Scope(s) in the same request is to add all the default scopes to Scope(s) configuration and ask the client to request a union of default & Scope(s) value. Correct?
@karthik-nagarajanthomsonreuters-com started the topic OAuth default scope and requested scope in the forum Access Management 5 years, 4 months ago
I am defining cn,sn as default scope for an OAuth client. And, I defined givenName in Scope.
Now, if I make an authorization request without any scope, OpenAM returns a token which has both the default scopes – cn, sn.
If I make an authorization request with scope=givenName, OpenAM returns a token which has only givenName scope.
My understanding…