-
nikolaosinlight replied to the topic Install OpenAM in Tomcat root? in the forum Access Management 5 years, 4 months ago
I don’t know of a list offhand, although IIRC the docs do talk about endpoints to restrict for security; however, I think what may be beneficial is how we deal with amadmin access, since you mention a concern with exposing administrative functionality to the Internet.
We have the RP(s) “only” reverse proxy to OpenAM “sub realms” (with DNS alias) that…
-
nikolaosinlight replied to the topic Install OpenAM in Tomcat root? in the forum Access Management 5 years, 4 months ago
We use OpenIG heavily as a reverse proxy to front our OpenAM stack. As was mentioned a reverse proxy can easily handle this like Nginx. Essentially you create an FQDN whose root maps to /openam just behind it (in fact in such a case you don’t even need to worry about renaming /openam unless say for Intranet users).
BTW if your Access Management…
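The root-to-/openam mapping described in this reply, together with the admin-exposure concern raised in the reply above it, as an added example that is not part of the original posts and not OpenAM or OpenIG code: an nginx server block that publishes an internal OpenAM deployment at the root of a public FQDN and keeps an admin path off that name. The hostnames, ports, certificate paths and the deny pattern are assumptions for illustration; the realm DNS alias and FQDN settings on the OpenAM side are left to the deployment.

```nginx
# Added example (not from the forum post): nginx publishing an internal OpenAM
# deployed at http://openam-internal:8080/openam under the root of
# https://sso.example.com. Hostnames, ports, certificate paths and the deny
# pattern are placeholders for illustration.
server {
    listen 443 ssl;
    server_name sso.example.com;
    ssl_certificate     /etc/nginx/tls/sso.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/sso.example.com.key;

    # Keep administrative paths off the Internet-facing name. /console is the
    # classic admin console; extend the pattern with every admin-only endpoint
    # you identify, and let amadmin log in only over the internal hostname.
    # Regex locations win over the prefix locations below.
    location ~* ^(/openam)?/console(/|$) {
        deny all;
    }

    # Root mapping: https://sso.example.com/<path> -> .../openam/<path>
    location / {
        proxy_pass http://openam-internal:8080/openam/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # OpenAM still thinks it lives under /openam: rewrite the Location
        # headers and cookie paths it emits so the browser stays at the root.
        proxy_redirect ~^(https?://[^/]+)?/openam/(.*)$ https://sso.example.com/$2;
        proxy_cookie_path /openam /;
    }

    # Safety net: absolute links inside HTML/JS responses (e.g. /openam/XUI/...)
    # are not rewritten by the header rules above, so keep the original path
    # reachable as well rather than letting those requests 404.
    location /openam/ {
        proxy_pass http://openam-internal:8080/openam/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two checks before relying on this: OpenAM must recognise sso.example.com as one of its own hosts (a realm DNS alias, as the replies describe, or the server FQDN setting), otherwise it redirects to the FQDN it considers canonical; and a path deny is only as good as the endpoint list behind it, so the real control is the one the reply describes, exposing only sub realms on the public name and never using that name for amadmin.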
-
nikolaosinlight replied to the topic Rename a Federated Realm of OpenAM in the forum Access Management 5 years, 4 months ago
We use sub realms a lot for the Application portion of our SP configuration and, moreover, configure a separate COT in each of our sub realms; we would love to simply inherit it, but I am quite certain it is not possible. We haven’t tried it, since the OpenAM SAMLv2 auth module which we use in the Application sub realm requires that the COT is defined…
-
nikolaosinlight replied to the topic single logout not working while using OpenAM as Service provider. in the forum Access Management 5 years, 4 months ago
pradeep0202, when you say “…but now he can able to authenticate by using the LDAP also” I assume you mean the user can still use module=LDAP to authenticate. Yes?
If so, an OpenAM Best Practice (see “27.1. Avoiding Obvious Defaults” in the Admin Guide) is to disable module-based authentication for OpenAM realms. To disable it for a realm, select the realm in…
-
nikolaosinlight started the topic SAMLv2 IDP Proxy Redirect/Back Points in the forum Access Management 5 years, 4 months ago
Hello,
We have a setup with an SP, an IDP Proxy and 2 IDPs; the user selects the IDP from a JSP IDP Finder/Chooser page, and we are using HTTP Redirect / POST bindings. I need to:
1.) Introduce – PRIOR to the SAML request going to the IDP – an HTTP redirect to a common cookie domain FQDN (to set a language cookie to be used by the IDP) and then have it continue SAMLv2 to the…
-
nikolaosinlight replied to the topic OpenAM 13.5 vs. OpenSSO 8 "Custom Authentication Modules" in the forum Access Management 5 years, 6 months ago
Hello Peter,
Thank you for that information. So it would appear that, although an OpenSSO CAM may not work immediately out of the box, after several extremely “minor” adjustments (i.e. accounting for generics and perhaps some new methods, adding the XML mandatory attribute and adjusting 0-length callbacks) an OpenSSO CAM can be quite easily…
-
nikolaosinlight started the topic OpenAM 13.5 vs. OpenSSO 8 "Custom Authentication Modules" in the forum Access Management 5 years, 6 months ago
Hello,
If I compare OpenAM 13.5 and OpenSSO 8 custom authentication modules, the interface, XML and even the default samples appear 100% identical. In fact, if I develop an OpenAM Custom Authentication Module I would compile strictly against what are clearly OpenSSO (and even appear to be earlier, like Sun AM) JARs:
– amserver.jar
–…
-
nikolaosinlight replied to the topic is there a way to directly pass the user details(name, mail) to http header? in the forum Access Management 5 years, 7 months ago
Policy Agents have the ability to (among many other things):
1. Map user profile attributes to alternate/same attribute names AND inject in HTTP Header or HTTP Cookie
2. Map session attributes to alternate/same attribute names AND inject in HTTP Header or HTTP Cookie
3. Map policy response attributes to alternate/same attribute names AND inject…
-
nikolaosinlight replied to the topic SAMLv2 Autofederate Attribute Not Clear… in the forum Access Management 5 years, 7 months ago
Hi Peter,
That is a great explanation and, to be honest, I get all that; it is just the language between >> << that isn’t clear.
In re-reading it, I presume it means that in the case of Dynamic or Ignored, instead of simply using the NameID to federate, it will use this autofederate attribute and assign its value from the assertion to the…
-
nikolaosinlight replied to the topic IDP Proxy and Profile Ignored in the forum Access Management 5 years, 7 months ago
Hi Peter,
Thank you for the response. Indeed, I am aware of the fact that User Profile attributes are not updated – I have seen this with Dynamic Profiles flowed from AD. Would be cool if OpenAM had the OOB ability, but that is another RFE topic :-)
I get that auto federation works on the SP, but does it not work as well for the SP configuration of…
-
nikolaosinlight started the topic SAMLv2 Autofederate Attribute Not Clear… in the forum Access Management 5 years, 7 months ago
Hello,
Unlike a typical IDM scenario, ours is such that the IDP does not flow any user profile information to the IDP Proxy / SPs. The only thing it does flow is a unique id, and our IDP Proxy / SP needs to generate a random uid for the user profile.
The Autofederate attribute docs state in part “If the local user can not be found and Dynamic or Ignored…
-
nikolaosinlight started the topic IDP Proxy and Profile Ignored in the forum Access Management 5 years, 7 months ago
Hello,
I am setting up an IDP Proxy and an SP (both OpenAM 13.5) and would like to NOT have user accounts created on the IDP Proxy. Essentially I would like to flow the SAMLv2 assertion/attributes through the IDP Proxy to the SP, where the user profile gets dynamically created.
1. I plan on setting the IDP Proxy “User Profile” to Ignored. Should…
-
nikolaosinlight replied to the topic OpenAM Agent Notifications behind LB in the forum Access Management 5 years, 8 months ago
Anyone have any idea? I assume that 1 of the 2 agents gets hit and polling accounts for the other agent.
Thoughts???
–Nikolaos
-
nikolaosinlight replied to the topic Two openam webapps installed on the same machine in the forum Access Management 5 years, 9 months ago
See reply here: Two standalone instances on same Tomcat container
–Nikolaos
-
nikolaosinlight started the topic OpenAM Agent Notifications behind LB in the forum Access Management 5 years, 9 months ago
Hello,
If I have an OpenAM (with policy agent notifications enabled) that is connected to:
– an LB with 2 policy agents A + B protecting their respective server’s web containers
And I access any of A or B and log in and thereafter log out of OpenAM…
Q. How would OpenAM communicate to B and C that the session has expired?
I know that the caching…
-
nikolaosinlight replied to the topic OpenIG Licensing Model… in the forum Identity Gateway 6 years, 4 months ago
Just got the answer from Sales… It’s the same subscriber user model.