@vincent-mirzaiansolucom-fr
active 5 years, 6 months ago
-
[email protected] replied to the topic Check custom LDAP attribute in Open 13 in the forum Access Management 5 years, 6 months ago
I think you could set inside your datastore configuration:
User Status Attribute: userattrib1
User Status Active Value:
User Status Inactive Value: 999
The problem is “for all other values”, I don’t know if OpenAM only checks if the attribute equals or not the “User Status Inactive Value” or also performs a strict comparison with “User Status…
-
[email protected] replied to the topic datasource change issue in the forum Access Management 5 years, 6 months ago
Maybe a ForgeRock engineer will prove me wrong, but I think that user creation from the OpenAM admin console is based on the default user schema embedded with OpenAM.
If you are using a different datastore with a different schema from the default one, you should create users using another way (manually, using a script, or using an IDM solution).
Vincent
-
[email protected] replied to the topic Openam authentication issue in the forum Access Management 5 years, 6 months ago
Did you configure a policy to allow access to “http://openam.test.mobi:8000/” for authenticated users? See https://backstage.forgerock.com/docs/openam/13/getting-started#configure-policy.
-
[email protected] replied to the topic How can i export embedded datasource Configuration in openam in the forum Access Management 5 years, 6 months ago
You can use ssoadm:
$ ssoadm show-datastore -e <your realm> -m embedded -u amadmin -f <file containing amadmin password> > embedded_datastore.backup.config
Vincent
-
[email protected] replied to the topic Role Based Access control in the forum Access Management 5 years, 6 months ago
Yes, you can use an OpenLDAP as your datastore by configuring a “Generic LDAPv3” Data Store using the OpenAM admin console.
I don’t know about a CRUD API for LDAP groups (if by roles you mean LDAP groups). I suggest you read the documentation to see how you can configure policies based on user…
-
[email protected] replied to the topic Role Based Access control in the forum Access Management 5 years, 6 months ago
You should use a proper IDM solution to achieve RBAC management (OpenIDM for example, or another IDM solution). OpenAM is an access control solution and I think it is not suited for managing roles/groups/resources/assignments.
You can configure OpenAM to perform access control based on your RBAC model though (through policies for example).
Vincent
-
[email protected] replied to the topic How to Export all the Federations Under Federation Tab in One Command in the forum Access Management 5 years, 7 months ago
From my knowledge, it is not possible using just one or two commands, but scripting it using ssoadm is pretty easy.
You can use “ssoadm list-entities” and “ssoadm export-entity” to export your entities for each realm and use “ssoadm import-entity” to import entity for the specified realm.
Vincent
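As an added example (not from the post above and not ForgeRock’s own tooling), here is the ssoadm loop Vincent describes, written as a POSIX sh script: for each realm it lists the SAML2 entities, exports one metadata/extended-metadata pair per entity, and can replay the import. Assumptions are labelled in the code: the ssoadm path, the amadmin password file, the realm list, and that `ssoadm list-entities` prints one entity ID per line with no whitespace in it (header lines contain spaces and are filtered out). Adjust those if your output differs.

```shell
#!/bin/sh
# Added example: bulk export/import of federation entities with ssoadm.
# Not part of the forum post; assumptions are marked below.
set -eu

SSOADM="${SSOADM:-/opt/openam/tools/ssoadm}"  # assumption: where the admin tools are installed
ADMIN_USER="${ADMIN_USER:-amadmin}"
PASSFILE="${PASSFILE:-/tmp/pwd.txt}"           # assumption: file holding the amadmin password (chmod 400)
SPEC="${SPEC:-saml2}"                           # saml2 | wsfed | idff
REALMS="${REALMS:-/}"                           # assumption: space-separated realm list (or build it with "ssoadm list-realms -e / -r")
OUTDIR="${OUTDIR:-./federation-export}"

# Entity IDs are usually URLs ("https://sp.example.com/sp"); make a safe file name from one.
safe_name() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_'
}

# Map a realm path to a directory name: "/" -> "root", "/customers/eu" -> "customers_eu".
realm_dir() {
    r="${1#/}"
    [ -n "$r" ] || r=root
    printf '%s' "$r" | tr '/' '_'
}

# Assumption: ssoadm list-entities prints one entity ID per line; header text contains
# whitespace, entity IDs do not. Keep only non-empty lines without whitespace.
entity_ids_from_listing() {
    grep -Ev '[[:space:]]' | grep -v '^$' || true
}

export_realm() {
    realm="$1"
    dir="$OUTDIR/$(realm_dir "$realm")"
    mkdir -p "$dir"
    "$SSOADM" list-entities -e "$realm" -c "$SPEC" -u "$ADMIN_USER" -f "$PASSFILE" \
      | entity_ids_from_listing \
      | while IFS= read -r entity; do
            base="$dir/$(safe_name "$entity")"
            "$SSOADM" export-entity -y "$entity" -e "$realm" -c "$SPEC" \
                -u "$ADMIN_USER" -f "$PASSFILE" \
                -m "$base.meta.xml" -x "$base.extended.xml"
            # Keep the original entity ID next to the sanitised file name.
            printf '%s\t%s\n' "$entity" "$base" >> "$dir/INDEX.tsv"
        done
}

import_realm() {
    realm="$1"
    dir="$OUTDIR/$(realm_dir "$realm")"
    for meta in "$dir"/*.meta.xml; do
        [ -e "$meta" ] || continue
        base="${meta%.meta.xml}"
        "$SSOADM" import-entity -e "$realm" -c "$SPEC" -u "$ADMIN_USER" -f "$PASSFILE" \
            -m "$meta" -x "$base.extended.xml"
    done
}

# Usage: ./federation.sh export   |   ./federation.sh import
if [ "${1:-}" = "export" ] || [ "${1:-}" = "import" ]; then
    for realm in $REALMS; do
        "${1}_realm" "$realm"
    done
fi
```

Two caveats a practitioner will hit: the extended metadata contains the circle-of-trust membership but export-entity does not create the circle of trust on the target, so create it there first (ssoadm create-circle-of-trust) or the import will complain; and the password file is read by every ssoadm call, so keep it mode 400 and delete it when done.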
-
[email protected] replied to the topic OpenAM custom UI in the forum Access Management 5 years, 7 months ago
Hello,
If you customize the OpenAM XUI, I don’t think there will be any issue regarding OpenID Connect or SAML2 authentication. These flows will use the specified authentication modules/chains and therefore your customized XUI templates.
If you make your own UI and use the REST API, then you will have to configure the OAuth2 Provider so that OpenID…
-
[email protected] replied to the topic OpenAM oAuth 2.0 authentication for web project in the forum Access Management 5 years, 8 months ago
Based on the source of OAuthProxy.java, you should also have a cookie named ORIG_URL. What are the parameters passed to /OAuth2Proxy.jsp?
If not already done, set your debug level to Message and look into the “Authentication” debug file.
Vincent
-
[email protected] replied to the topic OpenAM with OpenID service provider over https in the forum Access Management 5 years, 8 months ago
This is a known bug: https://bugster.forgerock.org/jira/browse/OPENAM-8371
It is fixed on 13.5.0 but you can apply the workaround described in the ticket description for 13.0.0.
Vincent
-
[email protected] replied to the topic OpenAM oAuth 2.0 authentication for web project in the forum Access Management 5 years, 8 months ago
Are you sure that user exists in the OpenAM identity repository?
To quickly check if the authentication process goes to the end, you can set Authentication settings > User profile to “Dynamic” (OpenAM will automatically create a user profile if it does not find it inside the IdRepo).
Or maybe the issue is because OpenAM can not map the user using…
-
[email protected] replied to the topic OpenAM oAuth 2.0 authentication for web project in the forum Access Management 5 years, 8 months ago
Oh sorry I misread your previous message when you mentioned Facebook authentication.
1. http://openam.example.com:8080/openam/XUI/locales/en-US/translation.json?v=13.0.0 is 404 not found: this is just a file used for localizing the UI, there is no impact if this file is missing.
2. …
-
[email protected] replied to the topic OpenAM oAuth 2.0 authentication for web project in the forum Access Management 5 years, 8 months ago
There is an important point I missed from your previous message.
You want to use Facebook as your third party authentication. I am not sure, but I do not think that Facebook implements pure OAuth2/OpenID Connect protocol. I think you will need to use social login feature from OpenAM :…
-
[email protected] replied to the topic OpenAM oAuth 2.0 authentication for web project in the forum Access Management 5 years, 9 months ago
Hello,
From my understanding, the OAuthProxy.jsp file is used to continue the authentication process when you are redirected from the IDP (your django server in your case).
I also encountered the “Request Not Valid” error. Make sure that the “Prompt for password setting and activation code” field is unchecked inside the OAuth2 / OpenID Con…
-
[email protected] replied to the topic OpenAM 13 persistent cookie in the forum Access Management 5 years, 9 months ago
One way to achieve that is to customize the LDAP/DataStore authentication module by adding a callback field which will contain the ‘remember me’ state (checked or not checked).
The LDAP module will need to set a flag inside the session properties based on the callback value. Then you will also need to customize the persistent cookie post auth…