-
rob_swann replied to the topic SAML SSO IDP session upgrade in the forum Access Management 4 years, 5 months ago
Thanks Peter.
Yes, there is no doubt about the behaviour when levels do not match,
but in my use-case the auth.-level in session-token is SAME as auth-level derived by IDPAuthnContextMapper after zeroing-in the requested authn-context in saml-request with the realm’s auth-service;
however,
the auth.-service in session-token is NOT SAME with the…
-
rob_swann replied to the topic conditional login url openam using webAgent in the forum Access Management 4 years, 5 months ago
That was really funny …LOL
I need to catch up all these short-forms, making me realize I am old.
Peter -> appreciate if you could clarify my doubt that I just posted in the other thread about IDP SAML SSO
-
rob_swann started the topic SAML SSO IDP session upgrade in the forum Access Management 4 years, 5 months ago
Hi,
In case of SAML based SSO, I have one important question to ask the expert.
OpenAM-IDP receives a <samlp:AuthnRequest> asking to use a particular <samlp:RequestedAuthnContext>
This request also comes with a valid SSO-token.
Would OpenAM always re-authenticate the user, if the requested-authn-context in the request maps to a different…
-
rob_swann replied to the topic conditional login url openam using webAgent in the forum Access Management 4 years, 5 months ago
Thanks Peter. Yes, what you suggested is the simplest way. OpenAM could send advice to use different chains.
I did not follow IMO and IIRC, though. Would you please help me understand it?
-
rob_swann replied to the topic web-agent policy-advice processing in the forum Access Management 4 years, 5 months ago
Thanks Peter for your quick response.
This clarifies my doubt.
-
rob_swann replied to the topic conditional login url openam using webAgent in the forum Access Management 4 years, 5 months ago
I asked kind of the same question at. Still waiting for the answer, though.
-
rob_swann started the topic web-agent policy-advice processing in the forum Access Management 4 years, 5 months ago
Hello,
We know that when web-agent is requesting policy-decision from OpenAM, OpenAM can return advice.
e.g., AuthLevelConditionAdvice or AuthenticateToRealmConditionAdvice
When such advice reaches the web-agent, the web-agent will send a 302 redirect to the browser.
I want to know how exactly the web-agent forms the new login-URL.
Would it just…
-
rob_swann started the topic web-agent design approach in the forum Access Management 4 years, 7 months ago
I have to accomplish SSO between 3 single-domain applications. Let’s say,
app1.server.com
app2.server.com
app3.server.com
My OpenAM is on openam.server.com
I have to choose from the following 2 approaches
Single web-agent which would route the user to the right realm/module/chain
so app1.server.com, app2.server.com and app3.server.com all…
-
rob_swann commented on the post, Dynamic Profiles in OpenAM 13 4 years, 7 months ago
Hi Andrew,
This is an excellent article to properly understand the confusing attributes’ relationship. I really tried hard in the beginning of this year to demystify myself.
I have one thing to draw your attention
-
rob_swann replied to the topic multiple SAML CoTs in one IDP instance in the forum Access Management 4 years, 7 months ago
Thanks Rogerio.
Yes, that is exactly what my thought-process is.
Like you said, if the user navigates to another SP whose Circle of Trust is between SP2 and IDP2 configured in Realm2, probably OpenAM will ask for new authentication.
And now this new SSOToken will have realm2 and the corresponding universal-ID etc., everything around it.
If user…
-
rob_swann replied to the topic multiple SAML CoTs in one IDP instance in the forum Access Management 4 years, 7 months ago
Thanks Peter for looking into it.
I am not following your statement, you said
“As soon as you have a session established, OpenAM forgets about CoTs altogether.”
I am using OpenAM 13
I have a valid SSOToken from OpenAM-IDP in CoT1 (IDP1 & SP1 & Realm1)
Will this token be helpful to get SAMLResponse for subsequent Service Providers?
I doubt…
-
rob_swann started the topic multiple SAML CoTs in one IDP instance in the forum Access Management 4 years, 7 months ago
In case of SAML federation, on IDP side, I have 2 CoTs (CoT1 and CoT2)
User starts at IDP-side,
IDP initiates user-handshake with CoT1, establishes SSOToken, prepares SAMLResponse and sends it out to the ServiceProvider
So far so good, and the user is on the service-provider’s home page.
From that page the User is hitting another link which results…
-
rob_swann replied to the topic policy-agent authorization in the forum Access Management 4 years, 7 months ago
Can somebody help me demystify the above please?
My point is, when the OpenAM agent or java-client makes a policy-decision call, which policy-set in which realm does OpenAM evaluate?
Theoretically, my understanding is, the realm and policy-sets that will be evaluated have NO relationship with the realm under which the SSO-token was created during…
-
rob_swann started the topic sso cookie and user mapping in the forum Access Management 4 years, 8 months ago
Hello,
I have one important question with respect to iplanetdirectorypro cookie.
As we know, the in-memory representation of this cookie is made up of the following attributes
sessionID: QIC5wM2LY4Sfcy954IRN6Ixz7ZMwVdJkGlqr9urGirFNMQ.*Asdfsfsf
maxSessionTime: 120
maxIdleTime: 30
timeLeft: 6500
userID: bnelson
authLevel:…
-
rob_swann replied to the topic TOTP Password resynchronization in the forum Access Management 4 years, 9 months ago
Very nice explanation Neil!!! Really appreciate it.
I want to share one more thought with you.
Is it possible to register 2 devices for the SAME user in the SAME datastore?
Now, let me clarify one thing,
REGISTERING 2 DEVICES DOES NOT MEAN THAT YOU PHYSICALLY NEED 2 DEVICES.
SINGLE MOBILE DEVICE, SINGLE FORGEROCK-Authenticator App, but with…
-
rob_swann started the topic TOTP Password resynchronization in the forum Access Management 4 years, 9 months ago
In case of TOTP based 2-step authentication we have a configuration called
“TOTP Time Step Interval” and “TOTP Time Steps”
As we know, the above 2 attributes work closely and define the number of time step intervals that the system and the device can be off before password resynchronization.
So if I am off by more than the permitted time limit,…
-
rob_swann started the topic OATH – HOTP in the forum Access Management 4 years, 10 months ago
Hi,
I am trying to configure the OATH-HOTP authentication module in OpenAM 13 along with the LDAP module for 2-step authentication.
While configuring OATH, we need to provide “Secret Key Attribute Name:” and “Counter Attribute Name:”
At the same time, we have to configure the “Device Profile Location” attribute in the user-store (default is oathDevicePr…
-
rob_swann replied to the topic Restful-STS Vs SOAP-based in the forum Access Management 4 years, 10 months ago
Oh really !!!
I am using OpenAM 12.0 where I can configure “STS Client” as one of the agents.
However, the reason I deduce that it will also be in OpenAM 13 is because I am following the OpenAM 13 documentation and there is a clear mention of such an agent in the admin guide.
So from OpenAM 13 I believe we have decommissioned STS Client, WSP and WSC…
-
rob_swann started the topic Restful STS authentication target setting in the forum Access Management 4 years, 10 months ago
Hello,
In case of Restful-STS service configuration, we have to do “Authentication Target Mappings”
Here we can configure four pieces of information related to each input token separated by |
For e.g., OPENIDCONNECT|module|oidc|oidc_id_token_auth_target_header_key=oidc_id_token
I am focusing on the last parameter.
The OIDC authentication module…
-
rob_swann started the topic Restful-STS Vs SOAP-based in the forum Access Management 4 years, 10 months ago
In OpenAM 13 we got Restful-STS as well as “STS Client” as one of the agent profiles.
From the OpenAM Console, I understand that I can create and publish one Restful-STS instance in the realm and then anybody can invoke this restful interface to transform the token with SAML
So where does the “STS Client” agent profile fit in?
Do I need to…