Nicolas Seigneur

I corrected the entry and I have added a simple RSS feed to our Main Page and Blog, you should be able to pick it up under http://idstacks.io/

Thanks again for pointing this out.

Nicolas

Thanks for the feedback JnRouvignac.

Regarding setting /metrics/prometheus as HTTP Anonymous we did try to set this with the interactive dsconfig and it was rejected, this was before we ran the server in --productionMode. I will clarify in our post that it is protected by default.

Adding RSS feed to the blog is on top of the list, we will add a…[Read more]

Somehow, there’s always a bunch of trial and error to get this working on my end as well, specifically with custom attributes.

Another trick I used in the past, is to go to /openam/Debug.jsp and set logging level to Message for the Session.
When you log out, it will print the whole session for this user in /debug/Session. This can be useful to…[Read more]

When you enable CDSSO, you need to have a “Home Domain” where the User Agent can be sent to validate if a cookie already exists. The reason is that if you do not have a cookie in one domain, it does not necessarily indicate that you are not logged in, for this reason, you are sent to OpenAM /UI/Login where the CDSSO servlet will kick in and…[Read more]

You simply need to enable replication between the OpenDJ1 and OpenDj2 External Config Store. This will keep both config store in synch, providing the same services on both instances.

Nicolas

Can you validate if you have symlinks in /usr/share/tomcat8/openam?

I believe I ran into similar issue in the past. My solution was to rely on “Session Attributes Processing” instead of the Profile Attribute Processing.

1. Navigate to Realm -> Authentication -> All Core Settings…
2. In “User Attribute Mapping to Session Attribute” set pai|pai
3. In J2EE Agent “Session Attributes Processing” set…[Read more]

Dhillip, if you had to use sudo, that means the current user has no access to the file content as you had to elevate your privilege to do so.

You need to make sure the user you are running ssoadm command from can see the content of that file without using sudo.

Nicolas

Hello Dhilip, with the same user as you are running ssoadm, can you view the content of the file?

In the file, you should see information pertaining to the Configuration Directory connection.

I believe the complete list is to be found in the Knowledge Base:

https://backstage.forgerock.com/#!/knowledge/kb?t=df9926e360b6981885f40d16f08fd5bb

In that scenario, you would have to configure OpenIDM to provision users in your OpenDJ. You would then use OpenIDM for all Identity Related tasks, including creating the user account. Once this is done, you can refer to OpenIDM Documentation on how to trigger an email to be sent during the onCreate events as it’s pretty straight forward.

Is UID/CN part of the DN?

If so, with OpenAM 11.0.1+ you should disable the “DN Cache” at the bottom of the DataStore configuration.

Nicolas Seigneur

You should be able to locate the BootStrap file that OpenAM uses to connect to his Config Directory to Bootstrap itself.

From the error message, it looks like the file is simply not found

Make sure you have “/usr/share/tomcat8/openam/bootstrap” and that the file is visible and content readable by the user you are running ssoadm from.

Nicolas Seigneur

There’s not Workflow engine in OpenAM. This sounds like a job for OpenIDM.

Nicolas Seigneur

For the config store, this is easily done by going to:
Configuration -> Server and Sites -> OpenAM1 -> Directory Configuration
The changes should be reflected in /opt/openam/openam/bootstrap

For the User Store, as Config Store are replicated, the value will be identical. I see a few solutions to achieve your desired Architecture:
1. Add a Load…[Read more]

By default, OpenAM should be relying on LDAP Persistent search to keep the cache from getting dirty.

If you do not see the “fresh” information in OpenAM, I would make sure you do not have issues with persistent search see under /debug/IdRepo.

Regarding caching control, you can refer to the following entry, it is old but still relevant: https://bl…[Read more]

By default, OpenAM can be deployed with a embedded LDAP directory that serves as the configuration repository.

You can see Rajesh’s excellent blog to get started:

ForgeRock OpenAM Installation in a Linux Container

Hello Saurabh, it would be helpful to know how you are protecting the page.

One design you could investigate is to use the Web Agents in response attributes. You could use the Web Agents to inject Headers that could be used by the application to perform the fine grain authorization and render the links accordingly.

If you give us more…[Read more]

I would look at /Agent_001/logs/debug/amAgent as well as the content of the iPlanetDirectoryPro cookie.

I you have a session with OpenAM, you will see a long string in the iPLanetDirectoryPro cookie. That means you’re getting Single Signed On. This is likely the case because otherwise, this would mean that the agent is not protecting the…[Read more]