nkarthik82 replied to the topic Policy Agent vs OpenIG for new applications in the forum Access Management 6 years, 5 months ago
Ok.
In case I want to do a cross-domain SSO, what is the best option?
I know we can use the Policy Agent approach or the OpenIG approach. The problem with the OpenIG approach is that I can't do a single logout across domains, and that is a very complex problem to solve.
But with Policy Agent CDSSO, it is easy to handle SLO across domains.
nkarthik82 started the topic Policy Agent vs OpenIG for new applications in the forum Access Management 6 years, 5 months ago
For new applications, is it advisable to go with the Policy Agent approach or the OpenIG approach?
In the documentation, I see that OpenIG is mainly for legacy applications. Is it true?
But the problem with OpenIG is that it doesn't support the cross-domain single logout feature, and this creates major issues when we have multiple applications integrated with…
nkarthik82 started the topic SAML vs OAuth2 SSO in the forum Access Management 6 years, 5 months ago
We have users who can use mobile apps as well as web applications.
Is it fine to use a common approach like OAuth2 for both mobile and web applications to implement SSO? Or go with SAML for web SSO and OAuth2 for mobile SSO? The problem we are facing is that OpenAM doesn't allow changing the password and some other functionality without an SSO…
nkarthik82 replied to the topic OAuth2 – Default expiration time for Access token and refresh token in the forum Access Management 6 years, 6 months ago
@peter-major Thanks for the suggestion.
Are these tokens stored in memory or in a DB/file system? If we restart the servers for a production deployment, will these tokens get cleared, forcing the users to log in again?
nkarthik82 replied to the topic OAuth2 – Default expiration time for Access token and refresh token in the forum Access Management 6 years, 6 months ago
@rajeshr Yes. It has all the values. I hope the same guidelines apply to OpenAM 12 as well.
Coming back to my question, if I set the refresh token expiration to -1 (never expire), is it a good practice? In case the user count is in millions, it's going to store millions of tokens that will never expire. Is there any recommended time?
nkarthik82 started the topic OAuth2 – Default expiration time for Access token and refresh token in the forum Access Management 6 years, 6 months ago
What is the default expiration set for the Access Token and Refresh Token in OpenAM?
Generally, refresh tokens are not supposed to expire. So, I want to know whether OpenAM has any limit on the number of refresh tokens or whether any expiration is set. In case we have millions of users and each user has generated an access token and refresh token, will…
nkarthik82 replied to the topic Duplicate userids across OpenAM realms in the forum Access Management 6 years, 6 months ago
@rajeshr @peter-major
Ok. In the OpenAM settings, I see only 2 attributes, "LDAP People Container Naming Attribute" and "LDAP People Container Value", which have default values of "ou" and "people".
If I add a new ou under people, say "appA", is there any way to configure that directly in OpenAM?
nkarthik82 replied to the topic Duplicate userids across OpenAM realms in the forum Access Management 6 years, 6 months ago
@rajeshr
Got it. So, if I want 2 OUs for appA and appB, then I will have to manually create the 2 OUs in OpenDJ and map them to these 2 realms in the OpenAM Data Store configuration. Right?
If my understanding is correct, is it a good practice to have the same OpenDJ with 2 different OUs for different apps, or to have totally different OpenDJ instances for each app?
nkarthik82 replied to the topic Duplicate userids across OpenAM realms in the forum Access Management 6 years, 6 months ago
@rajeshr
Thanks for the info.
I just browsed OpenDJ in an LDAP browser. I see all the userids added under the same root "People" even though they were created in different realms. If OpenAM creates different OUs for each realm, I think we can have the same userids in 2 different realms. Is it possible to have different OUs for each realm in…
nkarthik82 replied to the topic Duplicate userids across OpenAM realms in the forum Access Management 6 years, 6 months ago
Thanks for the answers.
Now I get an idea of how it works. In my case, the requirement is to have only one OpenDJ configured at the top-level realm, shared across all the sub-realms.
So, if we have 2 different users with the same username in 2 different applications and we try to migrate the users to OpenAM, say realm1 (app1) and realm2 (app2),…
nkarthik82 started the topic Duplicate userids across OpenAM realms in the forum General Discussion 6 years, 6 months ago
I want to know whether duplicate user ids are allowed across OpenAM realms.
This is a very rare scenario, but it can happen when we try to migrate different IdPs to OpenAM.
We might end up with 2 different users having the same userid in 2 different IdPs.
If we can have duplicate userids across realms, we can at least migrate the users to different…
nkarthik82 replied to the topic Secure a rest webservice sprin application using OpenAM Oauth2 in the forum Access Management 6 years, 6 months ago
So, the only option that I can think of is to write a custom module in my application which gets tokens from OpenAM and validates the token using /oauth2/tokeninfo for every request.
Am I right?
I thought we could directly protect the web services using OpenAM OAuth, similar to how we protect web applications with login pages.
nkarthik82 replied to the topic Secure a rest webservice sprin application using OpenAM Oauth2 in the forum Access Management 6 years, 7 months ago
I forgot to mention. Our application is a Spring REST service which gets data from a DB that is outside OpenAM. So, we can say it is a service provider.
Different clients use this REST service for doing CRUD operations on the database, and right now it is protected using Spring OAuth, which generates and validates the access token.
Now, we are…
nkarthik82 replied to the topic Secure a rest webservice sprin application using OpenAM Oauth2 in the forum Access Management 6 years, 7 months ago
We use the Client Credentials grant (client_credentials) and the Resource Owner Password Credentials grant (password).
Right now, we use the Spring Security OAuth implementation to generate the access token. Then, we pass this token in the header when making REST API calls.
I don't get how Spring will be able to validate the access token passed in the request…
nkarthik82 started the topic Secure a rest webservice sprin application using OpenAM Oauth2 in the forum Access Management 6 years, 7 months ago
I have an existing Spring-based RESTful web service application which is protected by OAuth 2.0 using Spring Security. Now, I am planning to migrate the users from the current database to OpenAM. Once that is done, I want to protect the same Spring-based RESTful web service using OpenAM's OAuth 2.0.
The current flow is:
1) Get an OAuth token from the application…
nkarthik82 replied to the topic Open AM REST API for Ldap attribute search in the forum Access Management 6 years, 8 months ago
Thanks Peter.
When will v13 be released?
nkarthik82 started the topic Open AM REST API for Ldap attribute search in the forum Access Management 6 years, 9 months ago
Hi,
In version 12.0, I don't find any OpenAM REST API for reading identities using different attributes, like email address.
But the legacy API supports search based on LDAP attributes. Is there any alternate way to enable search using userid as well as some other LDAP attribute using the new REST APIs in v12.0?