nikolaosinlight


@nikolaosinlight

active 5 years, 4 months ago
  • Profile picture of nikolaosinlight

    nikolaosinlight replied to the topic Install OpenAM in Tomcat root? in the forum Access Management 5 years, 4 months ago

    I don’t know of a list offhand although IIRC the docs do talk to endpoints to restrict for security however I think what may be beneficial is how we deal with amadmin access since you mention a concern with exposing administrative functionality to the Internet.

    We have the RP(‘s) “only” reverse proxy to OpenAM “sub realms” (with DNS alias) that…

  • Profile picture of nikolaosinlight

    nikolaosinlight replied to the topic Install OpenAM in Tomcat root? in the forum Access Management 5 years, 4 months ago

    We use OpenIG heavily as a reverse proxy to front our OpenAM stack. As was mentioned a reverse proxy can easily handle this like Nginx. Essentially you create an FQDN whose root maps to /openam just behind it (in fact in such a case you don’t even need to worry about renaming /openam unless say for Intranet users).

    BTW if your Access Management…

  • Profile picture of nikolaosinlight

    nikolaosinlight replied to the topic Rename a Federated Realm of OpenAM in the forum Access Management 5 years, 4 months ago

    We use sub realms a lot for the Application portion of our SP configuration and moreover configure a separate COT in each of our sub realms and would love to simply inherit it but I am quite certain it is not possible. We haven’t tried it since the OpenAM SAMLv2 auth module which we use in the Application sub realm requires that the COT is defined…

  • Profile picture of nikolaosinlight

    nikolaosinlight replied to the topic single logout not working while using OpenAM as Service provider. in the forum Access Management 5 years, 4 months ago

    pradeep0202 When you say “…but now he can able to authenticate by using the LDAP also” I assume you mean the user can still use module=LDAP to authenticate. Yes?

    If so, an OpenAM Best Practice (see in Admin Guide “27.1. Avoiding Obvious Defaults”) is to disable module based authentication for OpenAM realms. To disable for realm, select realm in…

  • Profile picture of nikolaosinlight

    nikolaosinlight started the topic SAMLv2 IDP Proxy Redirect/Back Points in the forum Access Management 5 years, 4 months ago

    Hello,

    We have setup with SP, IDP Proxy, 2 IDPs and user selects IDP from a JSP IDP Finder/Chooser Page and we are using HTTP Redirect / POST bindings. I need to:

    1.) Introduce – PRIOR to SAML request going to IDP – a http redirect to a common cookie domain FQDN (to set language cookie to be used by IDP) and then have it continue SAMLv2 to the…

  • Profile picture of nikolaosinlight

    nikolaosinlight replied to the topic OpenAM 13.5 vs. OpenSSO 8 "Custom Authentication Modules" in the forum Access Management 5 years, 6 months ago

    Hello Peter,

    Thank You for that information. So it would appear that although an OpenSSO CAM may not work immediately out of the box that after several extremely “minor” adjustments (i.e. accounting for generics and perhaps some new methods, adding XML mandatory attribute and adjusting 0 length callbacks) that an OpenSSO CAM can be quite easily…

  • Profile picture of nikolaosinlight

    nikolaosinlight started the topic OpenAM 13.5 vs. OpenSSO 8 "Custom Authentication Modules" in the forum Access Management 5 years, 6 months ago

    Hello,

    If I compare OpenAM 13.5 and OpenSSO 8 custom authentication modules the interface, XML and even the default samples appear 100% identical. In fact, if I develop an OpenAM Custom Authentication Module I would compile strictly against what are clearly OpenSSO (and even appear to be earlier like Sun AM) JARs:
    – amserver.jar
    -…

  • Profile picture of nikolaosinlight

    nikolaosinlight replied to the topic is there a way to directly pass the user details(name, mail) to http header? in the forum Access Management 5 years, 7 months ago

    Policy Agents have the ability to (among many other things):

    1. Map user profile attributes to alternate/same attribute names AND inject in HTTP Header or HTTP Cookie
    2. Map session attributes to alternate/same attribute names AND inject in HTTP Header or HTTP Cookie
    3. Map policy response attributes to alternate/same attribute names AND inject…

  • Profile picture of nikolaosinlight

    nikolaosinlight replied to the topic SAMLv2 Autofederate Attribute Not Clear… in the forum Access Management 5 years, 7 months ago

    Hi Peter,

    That is a great explanation and to be honest I get all that it is just the language between >> << that isn’t clear.

    In re-reading it I presume it means that in the case of Dynamic or Ignored that instead of simply using the NameID to federate that it will use this autofederate attribute and assign its value from the assertion to the…

  • Profile picture of nikolaosinlight

    nikolaosinlight replied to the topic IDP Proxy and Profile Ignored in the forum Access Management 5 years, 7 months ago

    Hi Peter,

    Thank You for the response. Indeed I am aware of the fact that User Profile attributes are not updated – have seen this with Dynamic Profiles flowed from AD. Would be cool if OpenAM had the OOB ability but that is another RFE topic :-)

    I get that auto federation works on the SP but does it not work as well for the SP configuration of…

  • Profile picture of nikolaosinlight

    nikolaosinlight started the topic SAMLv2 Autofederate Attribute Not Clear… in the forum Access Management 5 years, 7 months ago

    Hello,

    Unlike a typical IDM scenario ours is such that the IDP does not flow any user profile information to the IDP Proxy / SPs. The only thing it does flow is a unique id and our IDP Proxy / SP needs to generate a user profile random uid.

    Autofederate attribute docs state in part “If the local user can not be found and Dynamic or Ignored…

  • Profile picture of nikolaosinlight

    nikolaosinlight started the topic IDP Proxy and Profile Ignored in the forum Access Management 5 years, 7 months ago

    Hello,

    I am setting up on an IDP Proxy and an SP (both OpenAM 13.5) and would like to NOT have user accounts created on the IDP Proxy. Essentially I would like to flow the SAMLv2 assertion/attributes through the IDP Proxy to the SP where the user profile gets dynamically created.

    1. I plan on setting IDP Proxy “User Profile” to Ignored. Should…

  • Profile picture of nikolaosinlight

    nikolaosinlight replied to the topic OpenAM Agent Notifications behind LB in the forum Access Management 5 years, 8 months ago

    Anyone have any idea. I assume that 1 of the 2 agents gets hit and polling accounts for the other agent.

    Thoughts???

    –Nikolaos

  • Profile picture of nikolaosinlight

    nikolaosinlight replied to the topic Two openam webapps installed on the same machine in the forum Access Management 5 years, 9 months ago

    See reply here: Two standalone instances on same Tomcat container

    –Nikolaos

  • Profile picture of nikolaosinlight

    nikolaosinlight started the topic OpenAM Agent Notifications behind LB in the forum Access Management 5 years, 9 months ago

    Hello,

    If I have an OpenAM (with policy agent notifications enabled) that is connected to:
    – a LB with 2 policy agents A + B protecting their respective server’s web containers

    And I access any of A or and log in and thereafter logout of OpenAM…

    Q. How would OpenAM communicate to B and C that the session has expired?

    I know that the caching…

  • Profile picture of nikolaosinlight

    nikolaosinlight replied to the topic OpenIG Licensing Model… in the forum Identity Gateway 6 years, 4 months ago

    Just got the answer from Sales… It’s the same subscriber user model.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
