rob_swann


@rob_swann

active 4 years, 5 months ago
  • rob_swann replied to the topic SAML SSO IDP session upgrade in the forum Access Management 4 years, 5 months ago

    Thanks Peter.

    Yes, there is no doubt about the behaviour when levels do not match,
    but in my use-case

    the auth-level in the session-token is the SAME as the auth-level derived by IDPAuthnContextMapper after zeroing in on the requested authn-context in the SAML request with the realm's auth-service

    however,

    the auth-service in the session-token is NOT the SAME as the…[Read more]

  • rob_swann replied to the topic conditional login url openam using webAgent in the forum Access Management 4 years, 5 months ago

    That was really funny... LOL
    I need to catch up on all these short-forms; it makes me realize I am old.
    Peter -> I'd appreciate it if you could clarify the doubt that I just posted in the other thread about IDP SAML SSO

  • rob_swann started the topic SAML SSO IDP session upgrade in the forum Access Management 4 years, 5 months ago

    Hi,
    In the case of SAML-based SSO, I have one important question to ask the experts.

    OpenAM-IDP receives a <samlp:AuthnRequest> asking to use a particular <samlp:RequestedAuthnContext>
    This request also comes with a valid SSO-token

    Would OpenAM always re-authenticate the user if the requested-authn-context in the request maps to a different…[Read more]

  • rob_swann replied to the topic conditional login url openam using webAgent in the forum Access Management 4 years, 5 months ago

    Thanks Peter. Yes, what you suggested is the simplest way. OpenAM could send advice to use different chains.

    I did not follow IMO and IIRC, though. Would you please help me understand them?

  • rob_swann replied to the topic web-agent policy-advice processing in the forum Access Management 4 years, 5 months ago

    Thanks Peter for your quick response.
    This clears up my doubt.

  • rob_swann replied to the topic conditional login url openam using webAgent in the forum Access Management 4 years, 5 months ago

    I asked the same kind of question at the topic below. Still waiting for the answer, though.

    web-agent design approach

  • rob_swann started the topic web-agent policy-advice processing in the forum Access Management 4 years, 5 months ago

    Hello,

    We know that when the web-agent requests a policy-decision from OpenAM, OpenAM can return advice,
    for e.g., AuthLevelConditionAdvice OR AuthenticateToRealmConditionAdvice.
    When such advice reaches the web-agent, the web-agent will send a 302 redirect to the browser.

    I want to know how exactly the web-agent forms the new login-URL.

    Would it just…[Read more]
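    The advice-to-redirect step this question is about, as an added example that is not part of the original post and not ForgeRock's agent code. It takes a constructed policy-decision entry shaped like the JSON that AM's policy evaluation endpoint returns (that shape, the login URL, the goto host allowlist, and the mapping of the two advice names from the post onto AM's authlevel and realm login query parameters are all assumptions), and builds the 302 Location the agent would send. The goto check is the part a practitioner wants: an agent that echoes the requested URL into goto unchecked is an open redirector.

```python
import json
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Assumed deployment values (not from the post): the AM login page, and the
# application hosts an agent should be willing to send a user back to after
# login. goto is an open-redirect vector if it is echoed unchecked.
LOGIN_URL = "https://openam.server.com/openam/UI/Login"
GOTO_ALLOWED_HOSTS = {"app1.server.com", "app2.server.com", "app3.server.com"}

# Assumed mapping from the advice names in the post to the AM login query
# parameters that satisfy them. Illustrative only; not the web agent's table.
ADVICE_TO_LOGIN_PARAM = {
    "AuthLevelConditionAdvice": "authlevel",
    "AuthenticateToRealmConditionAdvice": "realm",
}

# Constructed sample: one policy-decision entry shaped like AM's JSON policy
# evaluation output (that shape is an assumption), carrying two advices.
SAMPLE_DECISION = json.loads("""
{"resource": "https://app1.server.com/secure/reports",
 "actions": {},
 "attributes": {},
 "advices": {"AuthLevelConditionAdvice": ["2"],
             "AuthenticateToRealmConditionAdvice": ["/employees"]}}
""")


def login_params_from_advices(advices: dict) -> dict:
    """Turn the advices map into login parameters. Unknown advice is an error,
    not silently dropped: dropping it would redirect to a login that cannot
    satisfy the policy and loop the user between the agent and AM."""
    params = {}
    for name, values in advices.items():
        if name not in ADVICE_TO_LOGIN_PARAM:
            raise ValueError(f"unsupported advice: {name}")
        if len(values) != 1:
            raise ValueError(f"expected one value for {name}, got {values!r}")
        params[ADVICE_TO_LOGIN_PARAM[name]] = values[0]
    return params


def build_login_redirect(decision: dict, requested_url: str,
                         method: str = "GET") -> Optional[str]:
    """Return the 302 Location to send the browser to, or None when the
    decision already grants `method` on the resource (no redirect needed)."""
    advices = decision.get("advices") or {}
    if not advices:
        # No advice means the decision is final: allow only an explicit grant.
        if decision.get("actions", {}).get(method) is True:
            return None
        raise PermissionError(f"{method} denied for {decision.get('resource')}")
    host = urlsplit(requested_url).hostname
    if host not in GOTO_ALLOWED_HOSTS:
        raise ValueError(f"refusing to set goto to untrusted host {host!r}")
    params = login_params_from_advices(advices)
    params["goto"] = requested_url  # urlencode percent-encodes the URL
    return LOGIN_URL + "?" + urlencode(params)
```

    The function raises rather than redirecting when it meets an advice it does not know how to satisfy, because a redirect that cannot change the policy outcome just bounces the user between agent and AM.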

  • rob_swann started the topic web-agent design approach in the forum Access Management 4 years, 7 months ago

    I have to accomplish SSO between 3 single-domain applications. Let's say,
    app1.server.com
    app2.server.com
    app3.server.com

    My OpenAM is on openam.server.com

    I have to choose from the following 2 approaches:

    Single web-agent which would route the user to the right realm/module/chain
    so app1.server.com, app2.server.com and app3.server.com all…[Read more]

  • rob_swann commented on the post, Dynamic Profiles in OpenAM 13 4 years, 7 months ago

    Hi Andrew,

    This is an excellent article for properly understanding the confusing relationship between these attributes. I tried really hard at the beginning of this year to demystify it for myself.
    I have one thing to draw your attention to.

  • rob_swann replied to the topic multiple SAML CoTs in one IDP instance in the forum Access Management 4 years, 7 months ago

    Thanks Rogerio.
    Yes, that is exactly what my thought-process is.

    Like you said, if the user navigates to another SP whose Circle of Trust is between SP2 and IDP2 configured in Realm2, OpenAM will probably ask for a new authentication.
    And now this new SSOToken will have realm2 and the corresponding universal-ID etc., everything around it.

    If user…[Read more]

  • rob_swann replied to the topic multiple SAML CoTs in one IDP instance in the forum Access Management 4 years, 7 months ago

    Thanks Peter for looking into it.

    I am not following your statement; you said
    “As soon as you have a session established, OpenAM forgets about CoTs altogether.”

    I am using OpenAM 13
    I have a valid SSOToken from OpenAM-IDP in CoT1 (IDP1 & SP1 & Realm1)
    Will this token help get a SAMLResponse for subsequent Service Providers?

    I doubt…[Read more]

  • rob_swann started the topic multiple SAML CoTs in one IDP instance in the forum Access Management 4 years, 7 months ago

    In the case of SAML federation, on the IDP side, I have 2 CoTs (CoT1 and CoT2).

    The user starts at the IDP side.

    The IDP initiates the user-handshake with CoT1, establishes an SSOToken, prepares a SAMLResponse and sends it out to the ServiceProvider.

    So far so good, and the user is on the service-provider's home page.
    From that page the user hits another link, which results…[Read more]

  • rob_swann replied to the topic policy-agent authorization in the forum Access Management 4 years, 7 months ago

    Can somebody help me demystify the above, please?

    My point is, when an OpenAM agent or java-client makes a policy-decision call, which policy-set in which realm does OpenAM evaluate?

    Theoretically, my understanding is that the realm and policy-sets that will be evaluated have NO relationship with the realm under which the SSO-token was created during…[Read more]

  • rob_swann started the topic sso cookie and user mapping in the forum Access Management 4 years, 8 months ago

    Hello,

    I have one important question with respect to the iplanetdirectorypro cookie.

    As we know, the in-memory representation of this cookie is made up of the following attributes:

    sessionID: QIC5wM2LY4Sfcy954IRN6Ixz7ZMwVdJkGlqr9urGirFNMQ.*Asdfsfsf
    maxSessionTime: 120
    maxIdleTime: 30
    timeLeft: 6500
    userID: bnelson
    authLevel:…[Read more]

  • rob_swann replied to the topic TOTP Password resynchronization in the forum Access Management 4 years, 9 months ago

    Very nice explanation, Neil!!! I really appreciate it.

    I want to share one more thought with you.
    Is it possible to register 2 devices for the SAME user in the SAME datastore?
    Now, let me clarify one thing,
    REGISTERING 2 DEVICES DOES NOT MEAN THAT YOU PHYSICALLY NEED 2 DEVICES.
    SINGLE MOBILE DEVICE, SINGLE FORGEROCK-Authenticator App. but with…[Read more]

  • rob_swann started the topic TOTP Password resynchronization in the forum Access Management 4 years, 9 months ago

    In the case of TOTP-based 2-step authentication we have two configuration attributes called
    “TOTP Time Step Interval” and “TOTP Time Steps”.

    As we know, the above 2 attributes work closely together and define the number of time-step intervals that the system and the device can be off by before password resynchronization.

    So if I am off by more than the permitted time limit,…[Read more]

  • rob_swann started the topic OATH – HOTP in the forum Access Management 4 years, 10 months ago

    Hi,

    I am trying to configure the OATH-HOTP authentication module in OpenAM 13 along with the LDAP module for 2-step authentication.

    While configuring OATH, we need to provide “Secret Key Attribute Name:” and “Counter Attribute Name:”.

    At the same time, we have to configure the “Device Profile Location” attribute in the user-store (default is oathDevicePr…[Read more]
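    The two mechanisms behind this topic and the TOTP resynchronization topic above, as one added example that is not part of either post and not OpenAM's OATH module: HOTP per RFC 4226 (the secret and the per-user counter that the module's "Secret Key Attribute Name" and "Counter Attribute Name" point at), TOTP per RFC 6238 on top of it, and the two verification windows that decide how far a device may be "off". Treating "TOTP Time Steps" as the number of steps accepted on either side of the current one, and giving HOTP a look-ahead window over the stored counter, are my assumptions about the AM settings, not documented behaviour. The seed is the ASCII test-vector seed from both RFCs so the outputs can be checked against them.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample seed: the 20-byte ASCII seed of the RFC 4226 / RFC 6238
# test vectors, so the values can be checked against the RFCs. A deployment
# reads the seed from the user's secret-key attribute instead.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                time_steps: int = 1, digits: int = 6) -> Optional[int]:
    """Accept `code` if it matches any counter within +/- time_steps of the
    current one (my reading of "TOTP Time Step Interval" and "TOTP Time Steps";
    an assumption about the AM attributes). Returns the drift in steps so the
    caller can persist it and recentre the window next time, or None."""
    current = int(unix_time) // step
    for drift in range(-time_steps, time_steps + 1):
        if hmac.compare_digest(hotp(secret, current + drift, digits), code):
            return drift
    return None


def verify_hotp(secret: bytes, code: str, stored_counter: int,
                look_ahead: int = 10, digits: int = 6) -> Optional[int]:
    """Accept `code` if it matches the stored counter or one of the next
    `look_ahead` counters (the device was pressed without a login). Returns the
    new counter to store (matched + 1) so the code cannot be replayed, or None.
    The caller must write that counter back before answering the client."""
    for candidate in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate + 1
    return None
```

    Two points the windows make concrete: a TOTP drift larger than `time_steps` is rejected outright, which is the "off by more than the permitted limit" case the post asks about, and an HOTP code is only ever accepted ahead of the stored counter, never behind it, so a persisted counter is what stops replay.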

  • rob_swann replied to the topic Restful-STS Vs SOAP-based in the forum Access Management 4 years, 10 months ago

    Oh really !!!
    I am using OpenAM 12.0, where I can configure “STS Client” as one of the agents.

    However, the reason I deduce that it will also be in OpenAM 13 is that I am following the OpenAM 13 documentation and there is a clear mention of such an agent in the admin guide.

    So from OpenAM 13 I believe we have decommissioned STS Client, WSP and WSC…[Read more]

  • rob_swann started the topic Restful STS authentication target setting in the forum Access Management 4 years, 10 months ago

    Hello,

    In the case of the Restful-STS service configuration, we have to configure “Authentication Target Mappings”.
    Here we can configure four pieces of information related to each input token, separated by |.
    For e.g.,

    OPENIDCONNECT|module|oidc|oidc_id_token_auth_target_header_key=oidc_id_token

    I am focusing on the last parameter.

    The OIDC authentication module…[Read more]
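    A parser for the mapping format the post describes, added here as an example; it is not part of the post and not OpenAM's REST STS code. It splits each `TOKEN_TYPE|index_type|index_value[|key=value]` line, treats the fourth field as optional, and rejects malformed or duplicate entries. The OPENIDCONNECT line is the one from the post; the USERNAME line and the service name `ldapService` in it are constructed.

```python
from typing import Dict, List

# Constructed sample mappings in the format the post describes:
# TOKEN_TYPE|index_type|index_value[|key=value]. The second line is the one
# from the post; the first is my own (ldapService is an assumed service name).
SAMPLE_MAPPINGS = [
    "USERNAME|service|ldapService",
    "OPENIDCONNECT|module|oidc|oidc_id_token_auth_target_header_key=oidc_id_token",
]


def parse_auth_target_mapping(line: str) -> dict:
    """Split one mapping into its parts; the fourth, key=value, field is optional."""
    fields = line.strip().split("|")
    if len(fields) not in (3, 4):
        raise ValueError(f"expected 3 or 4 '|'-separated fields: {line!r}")
    token_type, index_type, index_value = fields[:3]
    if not (token_type and index_type and index_value):
        raise ValueError(f"empty field in mapping: {line!r}")
    context: Dict[str, str] = {}
    if len(fields) == 4:
        key, sep, value = fields[3].partition("=")
        if not (sep and key and value):
            raise ValueError(f"fourth field must be key=value: {fields[3]!r}")
        context[key] = value
    return {"token_type": token_type, "index_type": index_type,
            "index_value": index_value, "context": context}


def parse_auth_target_mappings(lines: List[str]) -> Dict[str, dict]:
    """Index the mappings by input token type. Two mappings for the same token
    type would make the authentication target ambiguous, so they are rejected."""
    mappings: Dict[str, dict] = {}
    for line in lines:
        mapping = parse_auth_target_mapping(line)
        if mapping["token_type"] in mappings:
            raise ValueError(f"duplicate mapping for token type {mapping['token_type']}")
        mappings[mapping["token_type"]] = mapping
    return mappings
```

    The returned `context` dict is where the fourth field lands, so for the post's example `context["oidc_id_token_auth_target_header_key"]` is `"oidc_id_token"`, the name the mapping gives for the header that carries the ID token.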

  • rob_swann started the topic Restful-STS Vs SOAP-based in the forum Access Management 4 years, 10 months ago

    In OpenAM 13 we have Restful-STS as well as “STS Client” as one of the agent profiles.

    From the OpenAM Console, I understand that I can create and publish one Restful-STS instance in the realm, and then anybody can invoke this restful interface to transform the token with SAML.

    So where does the “STS Client” agent profile fit in?
    Do I need to…[Read more]


©2021 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries.