nkarthik82


@nkarthik82

active 6 years, 5 months ago
Points balance: 140 ♪
Rank: nkarthik82
  • Profile picture of nkarthik82

    nkarthik82 replied to the topic Policy Agent vs OpenIG for new applications in the forum Access Management 6 years, 5 months ago

    Ok.
    In case I want to do a cross-domain SSO, what is the best option?
    I know we can use Policy agent approach or OpenIG approach. Problem with OpenIG approach is I can’t do a single logout across domains and that is a very complex problem to solve.
    But with Policy agent CDSSO, it is easy to handle SLO across domains.

  • Profile picture of nkarthik82

    nkarthik82 started the topic Policy Agent vs OpenIG for new applications in the forum Access Management 6 years, 5 months ago

    For new applications, is it advisable to go with Policy agent approach or OpenIG approach?
    In documentation, I see that OpenIG is mainly for legacy applications. Is it true?
    But, problem with OpenIG is, it doesn’t support cross-domain single logout feature and this creates major issues when we have multiple applications integrated with…

  • Profile picture of nkarthik82

    nkarthik82 started the topic SAML vs OAuth2 SSO in the forum Access Management 6 years, 5 months ago

    We have users who can use mobile apps as well as web applications.
    Is it fine to use a common approach like OAuth2 for both mobile as well as web applications to implement SSO? Or go with SAML for web SSO and OAuth2 for mobile SSO?

    Problem that we are facing is OpenAM doesn’t allow change password and some other functionalities without a SSO…

  • Profile picture of nkarthik82

    nkarthik82 replied to the topic OAuth2 – Default expiration time for Access token and refresh token in the forum Access Management 6 years, 6 months ago

    @peter-major Thanks for the suggestion.
    Are these tokens stored in memory or DB/file system? If we restart the servers for some production deployment, will these tokens get cleared forcing the users to login again?

  • Profile picture of nkarthik82

    nkarthik82 replied to the topic OAuth2 – Default expiration time for Access token and refresh token in the forum Access Management 6 years, 6 months ago

    @rajeshr Yes. It has all the values. I hope same guidelines are applicable for OpenAM 12 as well.
    Coming back to my question, if I set the refresh token expiration to -1 (never expire), is it a good practice? In case the user count is in millions, it’s going to store millions of tokens that will never expire. Is there any recommended time?

  • Profile picture of nkarthik82

    nkarthik82 started the topic OAuth2 – Default expiration time for Access token and refresh token in the forum Access Management 6 years, 6 months ago

    What is the default expiration set for Access Token and Refresh Token in OpenAM?
    Generally, refresh tokens are not supposed to expire. So, I want to know whether OpenAM has any limit on the number of refresh tokens or any expiration is set.

    In case we have millions of users and if each user has generated an access token and refresh token, will…

  • Profile picture of nkarthik82

    nkarthik82 replied to the topic Duplicate userids across OpenAM realms in the forum Access Management 6 years, 6 months ago

    @rajeshr @peter-major
    Ok. In OpenAM settings, I see only 2 attributes “LDAP People Container Naming Attribute” and “LDAP People Container Value” which has default values of “ou” and “people”.
    If I add a new ou under people, say “appA”, is there any way to configure that directly in OpenAM?

  • Profile picture of nkarthik82

    nkarthik82 replied to the topic Duplicate userids across OpenAM realms in the forum Access Management 6 years, 6 months ago

    @rajeshr
    Got it. So, if I want 2 OU’s for appA and appB, then I will have to manually create 2 OU’s in OpenDJ and map it to these 2 realms in OpenAM Data Store configuration. right?
    If my understanding is correct, is it a good practice to have same OpenDJ with 2 different OU’s for different apps or have totally different OpenDJ’s for each app?

  • Profile picture of nkarthik82

    nkarthik82 replied to the topic Duplicate userids across OpenAM realms in the forum Access Management 6 years, 6 months ago

    @rajeshr
    Thanks for the info.
    Just now browsed the OpenDJ in a ldap browser. I see all the userid’s added under the same root “People” even though they were created in different realms. If OpenAM creates different OU’s for each realm, I think we can have same userid’s in 2 different realms. Is it possible to have different OU’s for each realm in…

  • Profile picture of nkarthik82

    nkarthik82 replied to the topic Duplicate userids across OpenAM realms in the forum Access Management 6 years, 6 months ago

    @rajeshr
    Thanks for the info.
    Just now browsed the OpenDJ in a ldap browser. I see all the userid’s added under the same root “People” even though they were created in different realms. If OpenAM creates different OU’s for each realm, I think we can have same userid’s in 2 different realms.

  • Profile picture of nkarthik82

    nkarthik82 replied to the topic Duplicate userids across OpenAM realms in the forum Access Management 6 years, 6 months ago

    Thanks for the answers.
    Now, I get an idea of how it works. In my case, the requirement is to have only one OpenDJ configured at the top-level realm shared across all the sub-realms.
    So, if we have 2 different users with same username in 2 different applications and if we try to migrate the users to OpenAM, say realm1 (app1) and realm2 (app2),…

  • Profile picture of nkarthik82

    nkarthik82 started the topic Duplicate userids across OpenAM realms in the forum General Discussion 6 years, 6 months ago

    I want to know whether duplicate user ids are allowed across OpenAM realms.
    This is a very rare scenario, but it can happen when we try to migrate different idps to OpenAM.
    We might end up with 2 different users having same userid in 2 different idps.
    If we can have duplicate userids across realms, we can at least migrate the users to different…

  • Profile picture of nkarthik82

    nkarthik82 replied to the topic Secure a rest webservice sprin application using OpenAM Oauth2 in the forum Access Management 6 years, 6 months ago

    So, the only option that I could think of is to write a custom module in my application which can get tokens from OpenAM and validate the token using /oauth2/tokeninfo for every request.
    Am I right?
    I thought we can directly protect the web services using OpenAM OAuth similar to how we protect web applications with login pages.

  • Profile picture of nkarthik82

    nkarthik82 replied to the topic Secure a rest webservice sprin application using OpenAM Oauth2 in the forum Access Management 6 years, 7 months ago

    I forgot to mention. Our application is a spring rest service which gets data from a DB which is outside OpenAM. So, we can say it is a service provider.
    Different Clients use this rest service for doing CRUD operations on the database and right now, it is protected using Spring OAuth which generates and validates access token.
    Now, we are…

  • Profile picture of nkarthik82

    nkarthik82 replied to the topic Secure a rest webservice sprin application using OpenAM Oauth2 in the forum Access Management 6 years, 7 months ago

    We use Client Credentials (client_credentials), Resource Owner Password Credentials Grant (password)

    Right now, we use the spring security OAuth implementation to generate the access token. Then, we pass this token in the header for making rest api calls.
    I don’t get how Spring will be able to validate the access token passed in the request…

  • Profile picture of nkarthik82

    nkarthik82 started the topic Secure a rest webservice sprin application using OpenAM Oauth2 in the forum Access Management 6 years, 7 months ago

    I have an existing Spring based restful web service application which is protected by OAuth2.0 using Spring Security. Now, I am planning to migrate the users from current database to OpenAM. Once that is done, I want to protect the same Spring based restful web service using OpenAM’s OAuth2.0.
    Current flow is:
    1) Get oauth token from application…

  • Profile picture of nkarthik82

    nkarthik82 replied to the topic Open AM REST API for Ldap attribute search in the forum Access Management 6 years, 8 months ago

    Thanks Peter.
    When will v13 be released?

  • Profile picture of nkarthik82

    nkarthik82 started the topic Open AM REST API for Ldap attribute search in the forum Access Management 6 years, 9 months ago

    Hi,

    In 12.0 version, I don’t find any Open AM Rest API for reading identities using different attributes like email address.
    But, legacy API supports search based on ldap attributes.

    Is there any alternate way to enable search using userid as well as some other ldap attribute using the new rest APIs in v12.0?
