Nikolaos Giannopoulos

Hello Stefan,

Have you tried looking at using the transient NameID-Format?

getIdentity(…) SPAccountMapper invoked on the IDP Proxy states the following for:

“… The implementation of this method first checks if the NaemID-Format is transient and returns the transient user. ….”

Also a bit of a gotcha in case it is adding to your issue is…[Read more]

So if you directly try with your web browser can you login to that /test subrealm?
http://openam.web.domain:8080/tolltest/XUI/#login/test

If it does work then one other thing you appear to be doing different than typical (albeit its a best practice) is to use a custom webapp context other than “openam”. Perhaps you can try to redeploy OpenAM…[Read more]

Hi @mreagin,

You said:

You can avoid this if the user passwords on DSEE are encrypted in a format supported by OpenDJ. Before importing the users, assign a password policy to them that allow encrypted passwords and, after import, revert to your normal password policy.

There is something I don’t understand here. If the user passwords are not…[Read more]

Looking at your specific issue more carefully I suspect your issue is that you are not specifying the URL properly.

If you are using the “realm” login URL parameter then you must specify the full path of the subrealm including its parent part beginning with a / e.g. if the parent realm is “sp” and subrealm is “test” then…[Read more]

Restarting a web container that has a web agent installed on it can not hurt and would not be a limitation if it turns out to resolve your issue. That is one of the first things to try beyond restarting OpenAM as well especially if you tried install/uninstall several times and tweaked configurations in between.

–Nikolaos

Thank You both very much for the detailed responses / feedback. This was very helpful.

–Nikolaos

You mean if you use different cookie domain you won’t be prompted that you are already logged in an can authenticate to have a different SSO session.

So yes you can have active sessions across realms but regardless cannot have SSO across realms. So sure it does depend on the solution requirements.

I often wish OpenAM was flexible in allowing…[Read more]

OpenAM most definitely does not allow SSO between realms and some would see this as a feature… at least one of our clients does as they want to restricts users straddling applications of different realms.

If you are logged into a realm and try to hit another realm you will be told that you are already logged in to an Organization and asked if…[Read more]

With AM 5.5 being currently released… and as we look to AM 5.5 and have a large scripted install that heavily uses ssoadm with OpenAM 13.5.1 I wonder:

– If we can still do a full install of AM 5.5 with our existing OpenAM 13.5.1 ssoadm commands? (to be clear I am sure there may be some minor changes/tweaks like some removed settings, etc. but…[Read more]

A couple things:

1.) The example in the bug report has “Accept-API-Version: protocol=1.0,resource=2.0” yet says that is what is needed to avoid the issue. The example probably should not have it mentioned or use it as the workaround.

2.) Not sure the header is case-sensitive or not (you use lower case) or “moreover” how picky it is in parsing…[Read more]

One thing that pops out is that the SAMLRequest value is not URL encoded. It may be intermittent because only in cases where special chars are introduced in the value that the issue arises. Do you have a RP layer in front of the OpenAM like OpenIG – I ask because we had an issue with SAML2 signing validation which was the opposite in that the…[Read more]

You don’t mention what Windows OS the Agent is running on… so apologies for the guessing/assuming.

So try this from the Windows box with the Agent:
telnet oam.uat.csc.local 443

If the OS is Windows Server 2012 then telnet is not installed OOB and you could install it before hand with:
pkgmgr /iu:TelnetClient

–Nikolaos

You will get a 403 if the Agent cannot talk to the OpenAM.

So oam.uat.csc.local:443 is the LB in front of the OpenAM servers?

If so, can you login to OpenAM with amadmin using:
https://oam.uat.csc.local:443/openam

If so, also are you using a self-signed cert – if you are the Agent communication needs to trust the SSL cert which you may have…[Read more]

As Scott mentions it “should” work as the Java JVM is key but is not supported by ForgeRock and as you are on Community Edition well you are on your own anyways so no big deal. Of course you need to make sure you have a compatible Java JVM and J2EE container that both support Windows Server 2016.

Oracle Java JDK 8 first provided certified…[Read more]

You don’t mention how/where you are creating the user on the SP side that it requires you to establish a password for every user. Are you doing this in a SP Adapter?

We create users in a combined IDP Proxy / SP at the IDP Proxy and we simply include a random password that the user will never be able to login directly with as they will never be…[Read more]

So if you do a “ls” (in Powershell) on the path does the file come up?

Also although you didn’t get this error a problem on Windows Server 2012 R2 that I found is solved by unlocking a configuration entry. Check…[Read more]