-
Paresh replied to the topic OpenAM / Office365 SSO. in the forum Access Management 7 years, 1 month ago
Thanks Peter.
I had a look at the details in OPENAM-3470, but my understanding is that it resolves an issue with persisting nameid format values other than the “Persistent” nameid format. Hence, it does not seem relevant to Office365, which only supports the Persistent NameID format.
Does OpenAM support any means to specify an existing user…
-
Paresh replied to the topic LiveSync using AD connector not working. in the forum Identity Management 7 years, 1 month ago
Hi,
I was able to get LiveSync working with the AD connector. The issue was due to bug #2667, which resulted in “baseContextsToSynchronize” not being set. After setting the same value as “baseContexts” on “baseContextsToSynchronize”, LiveSync worked for the most part, i.e. creates and updates were immediately synchronized from AD.
However, when I…
-
Paresh replied to the topic Failure building OpenIDM (tag: 3.1.0) from source. in the forum Identity Management 7 years, 1 month ago
Figured out the problem. The issue was because Codehaus has closed and it is no longer hosting the required maven repo. Hence, we need to switch to another repo.
After updating the codehaus-release-repo in openidm/pom.xml file to point to http://maven.forgerock.org/, the build was successful.
Regards,
Paresh.
-
Paresh started the topic Failure building OpenIDM (tag: 3.1.0) from source. in the forum Identity Management 7 years, 1 month ago
Hi,
I am trying to build OpenIDM from the source for the first time and running into an error. Here are the environment details:
svn, version 1.6.11 (r934486)
Apache Maven 3.3.3 (7994120775791599e205a5524ec3e0dfe41d4a06; 2015-04-22T07:57:37-04:00)
Java home: /usr/java/jdk1.8.0_45/jre
OpenIDM tag checked out is: 3.1.0
Following is the error…
-
Paresh started the topic OpenAM / Office365 SSO. in the forum Access Management 7 years, 1 month ago
Hi,
We want to support SSO from OpenAM to Office365. In our test environment, we are using the embedded OpenDJ in OpenAM to manage users, but our production system talks to Corporate AD for users/groups.
By referring to this wiki document we were able to successfully get SSO working from OpenAM to Office365 in the test setup. Now we are planning…
-
Paresh replied to the topic LiveSync using AD connector not working. in the forum Identity Management 7 years, 1 month ago
Thanks Rogério. I will try out the LDAP connector and keep you posted.
Regards,
Paresh.
-
Paresh replied to the topic LiveSync using AD connector not working. in the forum Identity Management 7 years, 1 month ago
Hi Rogério,
I have already tried grabbing the actual filter with uSNChanged attribute from OpenIDM logs (with logging level set to FINEST) and running it directly against my AD. It does indeed return the modified objects that should be synchronized. Hence, the filter is working fine.
Any tips on how to go about debugging the connector? I…
-
Paresh replied to the topic LiveSync using AD connector not working. in the forum Identity Management 7 years, 1 month ago
Hi,
Adding uSNChanged to the provisioner did not help. Here is what I added to provisioner.openicf-AD.json:
"__ACCOUNT__" : {
    "id" : "__ACCOUNT__",
    "properties" : {
        "__GIVENNAME__" : {
            "type" : "string",
            "required" : false,
            "nativeName" :…
-
Paresh replied to the topic LiveSync using AD connector not working. in the forum Identity Management 7 years, 2 months ago
Thanks Rogério.
Do I need to add uSNChanged in the provisioner file for LiveSync to work? Also, does it then need to be mapped in sync.json to managed/user?
My impression was that uSNChanged is a state tracked internally by OpenIDM for LiveSync to work and hence it need not be explicitly added to the provisioner file (AD connector) or sync…
-
Paresh started the topic LiveSync using AD connector not working. in the forum Identity Management 7 years, 2 months ago
Hi,
We have configured a connector for AD. It is a fairly simple one, which pulls minimal attributes from AD. We have defined a mapping from AD to managed user. Initially we have performed reconciliation, since it is required to perform reconciliation prior to using LiveSync. On the AD connector we have configured a scheduled job to periodically…
-
Paresh started the topic Using "unspecified" NameID format with OpenIG SP. in the forum Identity Gateway 7 years, 2 months ago
Hi,
We would like to use OpenIG to protect OpenIDM. We want to use SAML between the OpenIG SP and our SAML IDP. In the prototype we are using OpenAM itself as the SAML IDP. We have followed the steps in the OpenIG documentation to set things up. However, we want to use the “unspecified” NameID format instead of the default “transient” NameID format used by…
-
Paresh started the topic SAML assertion missing attributes. in the forum Access Management 7 years, 2 months ago
Hi,
We have configured OpenAM as IDP with nameID format “transient”, and a couple of attributes are meant to be included in the SAML assertion. We noticed that the SAML assertion is missing the attributes.
In our case there are two data stores configured in the realm. One for AD and another for the embedded OpenDJ. While searching through the…
-
Paresh started the topic OpenIDM and OpenIG integration for SAML SSO based authentication. in the forum Identity Management 7 years, 2 months ago
Hi,
We would like to deploy OpenIG in front of OpenIDM to protect OpenIDM. OpenIG will act as a SAML SP and authenticate the user using our own SAML IDP. Once the authentication is done, we would like OpenIG to send details of the authenticated user to OpenIDM using an HTTP header variable (or any other similar approach). This would be a header…
-
Paresh replied to the topic OpenIDM CLIENT_CERT module issue in the forum Identity Management 7 years, 2 months ago
Hi,
I have figured out the issue here. There is a new parameter/property called “openidm.auth.clientauthonlyports” which needs to be specified in the boot.properties file. This needs to be set to the port which can be used for client authentication. Typically port 443 needs to be added here.
Apparently the ClientCertAuthModule uses this property…
-
Paresh started the topic OpenIDM CLIENT_CERT module issue in the forum Identity Management 7 years, 2 months ago
Hi,
We would like to use the CLIENT_CERT module to authenticate users in OpenIDM. I referred to this link for more details on configuring the CLIENT_CERT module. We will be using the second approach, i.e. look up users from managed/user and only keep the Root CA & Issuing CA certs in the truststore.
This is how the CLIENT_CERT configuration looks in…
-
Paresh replied to the topic OPENAM_SESSION module and client certificate based authentication. in the forum Identity Management 7 years, 2 months ago
Thanks Jake. This helps clarify things, but I have some more questions as well:
1. To implement the complete SSO workflow between OpenIDM and OpenAM, do we need to either install the OpenAM policy agent on the Jetty used by OpenIDM or somehow manage the initial redirect from OpenIDM to OpenAM if the SSO token does not exist?
2. Does the OPENAM_SESSION…
-
Paresh started the topic OPENAM_SESSION module and client certificate based authentication. in the forum Identity Management 7 years, 2 months ago
Hi,
We have deployed OpenAM and OpenIDM in our test environment. We have set up an authentication realm in OpenAM which essentially uses client certificate based authentication. We would like to protect OpenIDM using OpenAM, as this would enable us to leverage the authentication policies already defined in OpenAM.
One of the approaches we are…
-
Paresh replied to the topic Delegated admin issue with "Create Hosted Identity Provider" in the forum Access Management 7 years, 3 months ago
Thanks Peter.
Regards,
Paresh.
-
Paresh started the topic Delegated admin issue with "Create Hosted Identity Provider" in the forum Access Management 7 years, 3 months ago
Hi,
We have configured delegated admins in OpenAM by creating a group and adding the delegated admins to that specific group. The group is given the required privileges using the ssoadm tool with RealmAdmin rights. This allows the delegated admins to perform administrative operations.
However, we noticed that when we log in as a “delegated admin” and…
-
Paresh replied to the topic SAML Request invalid with GoogleApps. in the forum Access Management 7 years, 3 months ago
Sorry for the late response. But we identified the issue with the entities involved in the Circle of Trust, as you rightly pointed out, Peter. One of the entity identifiers was not correct.
Thanks again so much for your help.
Regards,
Paresh.