nikolaosinlight

I don’t know of a list offhand although IIRC the docs do talk to endpoints to restrict for security however I think what may be beneficial is how we deal with amadmin access since you mention a concern with exposing administrative functionality to the Internet.

We have the RP(‘s) “only” reverse proxy to OpenAM “sub realms” (with DNS alias) that…[Read more]

We use OpenIG heavily as a reverse proxy to front our OpenAM stack. As was mentioned a reverse proxy can easily handle this like Nginx. Essentially you create an FQDN whose root maps to /openam just behind it (in fact in such a case you don’t even need to worry about renaming /openam unless say for Intranet users).

BTW if your Access Management…[Read more]

We use OpenIG heavily as a reverse proxy to front out OpenAM stack. As was mentioned a reverse proxy can easily handle this like Nginx. Essentially you create an FQDN whose root maps to /openam just behind it (in fact in such a case you don’t even need to worry about renaming /openam unless say for Intranet users).

BTW if your Access Management…[Read more]

We use sub realms a lot for the Application portion of our SP configuration and moreover configure a separate COT in each of our sub realms and would love to simply inherit it but I am quite certain it is not possible. We haven’t tried it since the OpenAM SAMLv2 auth module which we use in the Application sub realm requires that the COT is defined…[Read more]

pradeep0202 When you say “…but now he can able to authenticate by using the LDAP also” I assume you mean the user can still use module=LDAP to authenticate. Yes?

If so, an OpenAM Best Practice (see in Admin Guide “27.1. Avoiding Obvious Defaults”) is to disable module based authentication for OpenAM realms. To disable for realm, select realm in…[Read more]

Hello Peter,

Thank You for that information. So it would appear that although an OpenSSO CAM may not work immediately out of the box that after several extremely “minor” adjustments (i.e. accounting for generics and perhaps some new methods, adding XML mandatory attribute and adjusting 0 length callbacks) that an OpenSSO CAM can be quite easily…[Read more]

Policy Agents have the ability to (among many other things):

1. Map user profile attributes to alternate/same attribute names AND inject in HTTP Header or HTTP Cookie
2. Map session attributes to alternate/same attribute names AND inject in HTTP Header or HTTP Cookie
3. Map policy response attributes to alternate/same attribute names AND inject…[Read more]

Hi Peter,

That is a great explanation and to be honest I get all that it is just the language between >> << that isn’t clear.

In re-reading it I presume it means that in the case of Dynamic or Ignored that instead of simply using the NameID to federate that it will use this autofederate attribute and assign its value from the assertion to the…[Read more]

Hi Peter,

Thank You for the response. Indeed I am aware of the fact that User Profile attributes are not updated – have seen this with Dynamic Profiles flowed from AD. Would be cool if OpenAM had the OOB ability but that is another RFE topic :-)

I get that auto federation works on the SP but does it not work as well for the SP configuration of…[Read more]

Anyone have any idea. I assume that 1 of the 2 agents gets hit and polling accounts for the other agent.

Thoughts???

–Nikolaos

See reply here: Two standalone instances on same Tomcat container

Two standalone instances on same Tomcat container

–Nikolaos

Just got the answer from Sales… It’s the same subscriber user model.