nkarthik82

Ok.
In case I want to do a cross-domain SSO, what is the best option?
I know we can use Policy agent approach or OpenIG approach. Problem with OpenIG approach is I can’t do a single logout across domains and that is a very complex problem to solve.
But with Policy agent CDSSO, it is easy to handle SLO across domains.

@peter-major Thanks for the suggestion.
Are these tokens stored in memory or DB/file system? If we restart the servers for some production deployment, will these tokens get cleared forcing the users to login again?

@rajeshr Yes. It has all the values. I hope same guidelines are applicable for OpenAM 12 as well.
Coming back to my question, If I set the refresh token expiration to -1 (never expire), is it a good practice? In case the user count is in millions, its going to store millions of tokens that will never expire. Is there any recommended time?

@rajeshr @peter-major
Ok. In OpenAM settings, I see only 2 attributes “LDAP People Container Naming Attribute” and “LDAP People Container Value” which has default values of “ou” and “people”.
If I add a new ou under people, say “appA”, is there any way to configure that directly in OpenAM?

@rajeshr
Got it. So, if I want 2 OU’s for appA and appB, then I will have to manually create 2 OU’s in OpenDJ and map it to these 2 realms in OpenAM Data Store configuration. right?
If my understanding is correct, is it a good practice to have same OpenDJ with 2 different OU’s for different apps or have totally different OpenDJ’s for each app?

@rajeshr
Thanks for the info.
Just now browsed the OpenDJ in a ldap browser. I see all the userid’s added under the same root “People” even though they were created in different realms. If OpenAM creates different OU’s for each realm, I think we can have same userid’s in 2 different realms. Is it possible to have different OU’s for each realm in…[Read more]

@rajeshr
Thanks for the info.
Just now browsed the OpenDJ in a ldap browser. I see all the userid’s added under the same root “People” even though they were created in different realms. If OpenAM creates different OU’s for each realm, I think we can have same userid’s in 2 different realms.

Thanks for the answers.
Now, I get an idea of how it works. In my case, the requirement is to have only one OpenDJ configured at the top-level realm shared across all the sub-realms.
So, if we have 2 different users with same username in 2 different applications and if we try to migrate the users to OpenAM, say realm1 (app1) and realm2 (app2),…[Read more]

So, the only option that I could think of is to write a custom module in my application which can get tokens from OpenAM and validate the token using /oauth2/tokeninfo for every request.
Am I right?
I thought we can directly protect the web services using OpenAM OAuth similar to how we protect web applications with login pages.

I forgot to mention. Our application is a spring rest service which gets data from a DB which is outside OpenAM. So, we can say it is a service provider.
Different Clients use this rest service for doing CRUD operations on the database and right now, it is protected using Spring OAuth which generates and validates access token.
Now, we are…[Read more]

We use Client Credentials (client_credentials), Resource Owner Password Credentials Grant (password)

Right now, we use the spring security OAuth implementation to generate the access token. Then, we pass this token in the header for making rest api calls.
I don’t get how Spring will be able to validate the access token passed in the request…[Read more]

Thanks Peter.
When will v13 be released?