-
Nikolaos Giannopoulos replied to the topic IDP Proxy NameID creation issue in the forum Access Management 3 years, 11 months ago
Hello Stefan,
Have you tried looking at using the transient NameID-Format?
getIdentity(…) SPAccountMapper invoked on the IDP Proxy states the following for:
“… The implementation of this method first checks if the NameID-Format is transient and returns the transient user. ….”
Also a bit of a gotcha in case it is adding to your issue is…
-
Nikolaos Giannopoulos replied to the topic Issue with realm redirection with webagents 5 and openAM 5.5.1 in the forum Access Management 4 years, 3 months ago
So if you directly try with your web browser can you login to that /test subrealm?
http://openam.web.domain:8080/tolltest/XUI/#login/test
If it does work then one other thing you appear to be doing differently than typical (albeit it's a best practice) is to use a custom webapp context other than “openam”. Perhaps you can try to redeploy OpenAM…
-
Nikolaos Giannopoulos replied to the topic Sun DSEE to OpenDJ User Profiles in the forum Directory Services 4 years, 3 months ago
Hi @mreagin,
You said:
You can avoid this if the user passwords on DSEE are encrypted in a format supported by OpenDJ. Before importing the users, assign a password policy to them that allow encrypted passwords and, after import, revert to your normal password policy.
There is something I don’t understand here. If the user passwords are not…
-
Nikolaos Giannopoulos replied to the topic Issue with realm redirection with webagents 5 and openAM 5.5.1 in the forum Access Management 4 years, 3 months ago
Looking at your specific issue more carefully I suspect your issue is that you are not specifying the URL properly.
If you are using the “realm” login URL parameter then you must specify the full path of the subrealm including its parent part beginning with a / e.g. if the parent realm is “sp” and subrealm is “test” then…
-
Nikolaos Giannopoulos replied to the topic Issue with realm redirection with webagents 5 and openAM 5.5.1 in the forum Access Management 4 years, 3 months ago
Restarting a web container that has a web agent installed on it cannot hurt and would not be a limitation if it turns out to resolve your issue. That is one of the first things to try beyond restarting OpenAM as well, especially if you tried install/uninstall several times and tweaked configurations in between.
–Nikolaos
-
Nikolaos Giannopoulos replied to the topic Sun DSEE to OpenDJ User Profiles in the forum Directory Services 4 years, 3 months ago
Thank You both very much for the detailed responses / feedback. This was very helpful.
–Nikolaos
-
Nikolaos Giannopoulos replied to the topic multiple SAML CoTs in one IDP instance in the forum Access Management 4 years, 3 months ago
You mean if you use a different cookie domain you won’t be prompted that you are already logged in and can authenticate to have a different SSO session.
So yes you can have active sessions across realms but regardless cannot have SSO across realms. So sure it does depend on the solution requirements.
I often wish OpenAM was flexible in allowing…
-
Nikolaos Giannopoulos replied to the topic multiple SAML CoTs in one IDP instance in the forum Access Management 4 years, 3 months ago
OpenAM most definitely does not allow SSO between realms and some would see this as a feature… at least one of our clients does as they want to restrict users straddling applications of different realms.
If you are logged into a realm and try to hit another realm you will be told that you are already logged in to an Organization and asked if…
-
Nikolaos Giannopoulos started the topic Sun DSEE to OpenDJ User Profiles in the forum Directory Services 4 years, 3 months ago
We will be migrating user profiles from a Sun DSEE 6.3.1 install to OpenDJ 3.5.2.
I was wondering if we could get a handle on:
– Whether user passwords will need to be reset?
– Any issues / gotchas we might come across?
Thank You
-
Nikolaos Giannopoulos replied to the topic REST call to replace ssoadm create-svc in AM5 in the forum Access Management 4 years, 7 months ago
With AM 5.5 being currently released… and as we look to AM 5.5 and have a large scripted install that heavily uses ssoadm with OpenAM 13.5.1 I wonder:
– If we can still do a full install of AM 5.5 with our existing OpenAM 13.5.1 ssoadm commands? (to be clear I am sure there may be some minor changes/tweaks like some removed settings, etc. but…
-
Nikolaos Giannopoulos started the topic Migrate OpenSSO Passwords / Secret Q&A in the forum Access Management 4 years, 9 months ago
Hello,
We have a customer that will be migrating OpenSSO 8 / DSEE 6.3.1 users and are wondering if Passwords and/or Secret Questions and Answers will need to be reset when moving to OpenAM 13.5.1 / OpenDJ 3.5.2.
AFAIK this should only be hashed and not encrypted and moreover should be portable.
Can someone please corroborate/confirm. Thank…
-
Nikolaos Giannopoulos replied to the topic Minimum password length is 8 in the forum Access Management 4 years, 10 months ago
A couple things:
1.) The example in the bug report has “Accept-API-Version: protocol=1.0,resource=2.0” yet says that is what is needed to avoid the issue. The example probably should not have it mentioned or use it as the workaround.
2.) Not sure whether the header is case-sensitive or not (you use lower case) or “moreover” how picky it is in parsing…
-
Nikolaos Giannopoulos replied to the topic SAMLRequest sometimes not URLEncoded in the forum Access Management 4 years, 10 months ago
One thing that pops out is that the SAMLRequest value is not URL encoded. It may be intermittent because only in cases where special chars are introduced in the value does the issue arise. Do you have a RP layer in front of the OpenAM like OpenIG – I ask because we had an issue with SAML2 signing validation which was the opposite in that the…
-
Nikolaos Giannopoulos started the topic IDP Initiated SLO SOAP to HA OpenAM Servers in the forum Access Management 4 years, 10 months ago
Hello,
We are using OpenAM 13.5.1 with LB in front (actually we also have OpenIG 4.5.0 RP’s with LB in front of that).
When a SLO (Single LogOut) SOAP call is sent to our OpenAM’s it may or may not hit the correct OpenAM server as we use passthrough SSL at the LB i.e. the session affinity really is only possible from direct client HTTPS…
-
Nikolaos Giannopoulos replied to the topic 403 issue IIS with Agent 4.1-.23 in the forum Access Management 4 years, 10 months ago
You don’t mention what Windows OS the Agent is running on… so apologies for the guessing/assuming.
So try this from the Windows box with the Agent:
telnet oam.uat.csc.local 443
If the OS is Windows Server 2012 then telnet is not installed OOB and you could install it beforehand with:
pkgmgr /iu:TelnetClient
–Nikolaos
-
Nikolaos Giannopoulos replied to the topic 403 issue IIS with Agent 4.1-.23 in the forum Access Management 4 years, 10 months ago
You will get a 403 if the Agent cannot talk to the OpenAM.
So oam.uat.csc.local:443 is the LB in front of the OpenAM servers?
If so, can you login to OpenAM with amadmin using:
https://oam.uat.csc.local:443/openam
If so, also are you using a self-signed cert – if you are, the Agent communication needs to trust the SSL cert which you may have…
-
Nikolaos Giannopoulos replied to the topic OpenAM: Windows Server 2016 Compatibility in the forum Access Management 4 years, 10 months ago
As Scott mentions it “should” work as the Java JVM is key but is not supported by ForgeRock and as you are on Community Edition well you are on your own anyways so no big deal. Of course you need to make sure you have a compatible Java JVM and J2EE container that both support Windows Server 2016.
Oracle Java JDK 8 first provided certified…
-
Nikolaos Giannopoulos replied to the topic Creating federation-only users in embedded user store on SP? in the forum Access Management 4 years, 10 months ago
You don’t mention how/where you are creating the user on the SP side that it requires you to establish a password for every user. Are you doing this in a SP Adapter?
We create users in a combined IDP Proxy / SP at the IDP Proxy and we simply include a random password that the user will never be able to login directly with as they will never be…
-
Nikolaos Giannopoulos replied to the topic Failed to fetch instance D:web_agentsiis_agentinstancesagent_1…agent.conf in the forum Access Management 4 years, 10 months ago
So if you do a “ls” (in PowerShell) on the path does the file come up?
Also, although you didn’t get this error, a problem on Windows Server 2012 R2 that I found is solved by unlocking a configuration entry. Check…