AM-6.0.0.4 LDAP Chain AuthN SSO

This topic contains 2 replies, has 2 voices, and was last updated by  Jitendra Niberiya 3 weeks, 3 days ago.

  • #23249
     Jitendra Niberiya 
    Participant

    Hi,

    I’m going through the ForgeRock Access Management: Core Concepts (Self-Paced Learning) training, and I’m using AM-6.0.0.4 & DS-6.0.0.
    In Chapter 2: Extending Authentication > Lesson 1: Extending Authentication Functionality > Exercise 2: Create a chain containing the LDAP module, I followed the steps as provided in the exercise guide.
    Authentication to chain service via direct url (http://subscribers.example.com:18080/openam/XUI/?service=ldapchain#login) is working as expected.
    But authentication to the FEC page (Apache + Policy Agent) via the chain service (the default for Organization authentication in the subscribers realm) is failing with the following error.

    —————————————
    OAuth2Provider:09/21/2018 01:36:22:311 PM PDT: Thread[http-nio-18080-exec-4,5,main]: TransactionId[347fdc69-52bc-4715-8a21-599adea90ac4-61136]
    ERROR: Unable to get client AMIdentity:
    org.forgerock.oauth2.core.exceptions.OAuth2ProviderNotFoundException: No OpenID Connect provider for realm /subscribers
    at org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory.getRealmOAuth2ProviderSettings(OAuth2ProviderSettingsFactory.java:162)
    at org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory.get(OAuth2ProviderSettingsFactory.java:134)
    at org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory.get(OAuth2ProviderSettingsFactory.java:117)
    at org.forgerock.openam.oauth2.IdentityManager.getResourceOwnerIdentity(IdentityManager.java:125)
    at org.forgerock.openam.oauth2.IdentityManager.getResourceOwnerOrClientIdentity(IdentityManager.java:77)
    at org.forgerock.openam.oauth2.OpenAMScopeValidator.getUsersIdentity(OpenAMScopeValidator.java:266)
    at org.forgerock.openam.oauth2.OpenAMScopeValidator.getUserInfo(OpenAMScopeValidator.java:225)
    at org.forgerock.oauth2.core.AgentOAuth2ProviderSettings.getUserInfo(AgentOAuth2ProviderSettings.java:212)
    at org.forgerock.openam.oauth2.token.OpenIdConnectTokenStore.createOpenIDToken(OpenIdConnectTokenStore.java:163)
    at org.forgerock.openidconnect.IdTokenResponseTypeHandler.handle(IdTokenResponseTypeHandler.java:58)
    at org.forgerock.oauth2.core.AuthorizationTokenIssuer.issueTokens(AuthorizationTokenIssuer.java:117)
    at org.forgerock.oauth2.core.AuthorizationService.lambda$authorize$0(AuthorizationService.java:200)
    at org.forgerock.util.LambdaExceptionUtils.lambda$rethrowFunction$3(LambdaExceptionUtils.java:258)
    at io.vavr.control.Either.map(Either.java:271)
    at org.forgerock.oauth2.core.AuthorizationService.authorize(AuthorizationService.java:197)
    at org.forgerock.oauth2.restlet.AuthorizeResource.authorize(AuthorizeResource.java:109)
    at sun.reflect.GeneratedMethodAccessor119.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:511)
    at org.restlet.resource.ServerResource.get(ServerResource.java:723)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:603)
    at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:662)
    at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:348)
    at org.restlet.resource.ServerResource.handle(ServerResource.java:1020)
    at org.restlet.resource.Finder.handle(Finder.java:236)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Router.doHandle(Router.java:422)
    at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:94)
    at org.restlet.routing.Router.handle(Router.java:641)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
    at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:77)
    at org.restlet.Application.handle(Application.java:385)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Router.doHandle(Router.java:422)
    at org.restlet.routing.Router.handle(Router.java:641)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Router.doHandle(Router.java:422)
    at org.restlet.routing.Router.handle(Router.java:641)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
    at org.restlet.Component.handle(Component.java:408)
    at org.restlet.Server.handle(Server.java:507)
    at org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
    at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)
    at org.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:1117)
    at org.forgerock.openam.rest.RestEndpointServlet$RestletHandler.handle(RestEndpointServlet.java:183)
    at org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:179)
    at org.forgerock.openam.dpro.session.ProofOfPossessionTokenFilter.filter(ProofOfPossessionTokenFilter.java:88)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:75)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:254)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.forgerock.openam.rest.RestEndpointServlet$HttpServletWrapper.service(RestEndpointServlet.java:254)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.forgerock.openam.rest.RestEndpointServlet.service(RestEndpointServlet.java:132)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.forgerock.openam.validation.FQDNValidationFilter.doFilter(FQDNValidationFilter.java:55)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:112)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
    —————————————

    To fix this, I configured the Directory Server LDAP in Data Store as well. After doing this, the error got resolved.
    Is this the expected functionality for AM-6.0.0.4, or am I doing something wrong?

    Also, when I move from / realm to /subscribers realm, AM asks me if I want to log out of current realm and log in to new realm.
    DNS for /: openam.example.com
    DNS for /subscribers: subscribers.example.com
    Is the SSOToken not valid for cross realm SSO? This is supposed to be valid in AM-5, as per training doc.
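A small parser for the AM debug-log entry format shown in the post above, added here as an example (not ForgeRock code and not from the original thread): it splits the entry into header fields, level, exception and stack frames, and flags the `OAuth2ProviderNotFoundException` together with the realm it names, which is the symptom of an agent running an OIDC flow against a realm with no OAuth2 provider. The sample text is constructed from the lines of the post; the function names are my own.

```python
"""Parse an AM 6 debug-log entry and flag the "No OpenID Connect provider" failure."""
import re
from typing import Optional

# Constructed sample: header, message and first two frames copied from the post above.
SAMPLE = """OAuth2Provider:09/21/2018 01:36:22:311 PM PDT: Thread[http-nio-18080-exec-4,5,main]: TransactionId[347fdc69-52bc-4715-8a21-599adea90ac4-61136]
ERROR: Unable to get client AMIdentity:
org.forgerock.oauth2.core.exceptions.OAuth2ProviderNotFoundException: No OpenID Connect provider for realm /subscribers
at org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory.getRealmOAuth2ProviderSettings(OAuth2ProviderSettingsFactory.java:162)
at org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory.get(OAuth2ProviderSettingsFactory.java:134)
"""

HEADER = re.compile(r"^(?P<component>\w+):(?P<ts>.+?): Thread\[(?P<thread>[^\]]+)\]: "
                    r"TransactionId\[(?P<txn>[^\]]+)\]$")
LEVEL = re.compile(r"^(?P<level>ERROR|WARNING|MESSAGE): ?(?P<msg>.*)$")
EXCEPTION = re.compile(r"^(?P<cls>[\w.$]+(?:Exception|Error)): (?P<detail>.*)$")
FRAME = re.compile(r"^\s*at (?P<frame>[\w.$<>]+)\(")
REALM = re.compile(r"for realm (?P<realm>/\S*)")


def parse_entry(text: str) -> dict:
    """Split one debug entry into header fields, level, exception and frames."""
    entry = {"frames": []}
    for line in text.splitlines():
        if (m := HEADER.match(line)) and "component" not in entry:
            entry.update(component=m["component"], timestamp=m["ts"],
                         thread=m["thread"], transaction_id=m["txn"])
        elif (m := LEVEL.match(line)) and "level" not in entry:
            entry.update(level=m["level"], message=m["msg"].strip())
        elif (m := EXCEPTION.match(line)) and "exception" not in entry:
            entry.update(exception=m["cls"], detail=m["detail"])
        elif m := FRAME.match(line):
            entry["frames"].append(m["frame"])
    return entry


def missing_oauth2_provider_realm(entry: dict) -> Optional[str]:
    """Return the realm named in an OAuth2ProviderNotFoundException, else None.
    A 5.x agent runs an OIDC flow and so needs an OAuth2 provider in the realm
    it authenticates against; this exception is the symptom of it being absent."""
    if not entry.get("exception", "").endswith("OAuth2ProviderNotFoundException"):
        return None
    m = REALM.search(entry.get("detail", ""))
    return m["realm"] if m else None


def first_am_frame(entry: dict) -> Optional[str]:
    """First stack frame inside ForgeRock code, where the failure originated."""
    return next((f for f in entry["frames"] if f.startswith("org.forgerock.")), None)


if __name__ == "__main__":
    e = parse_entry(SAMPLE)
    print(e["transaction_id"], missing_oauth2_provider_realm(e), first_am_frame(e))
```

Run over a full debug file, the same loop can be applied per entry (split on lines matching `HEADER`) to correlate the transaction id with the agent's own log.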

    #23250
     joe.starling 
    Participant

    Hi,

    This is a bug: https://bugster.forgerock.org/jira/browse/OPENAM-13114.

    Regarding switching realms – yes this is expected. There is no ‘cross-realm’ SSO, it’s by design.
    Can you point to which part of the docs, or paste the content?

    #23292
     Jitendra Niberiya 
    Participant

    I also got the following email from Nathalie Hoet. At this point, I’m satisfied with the information provided.
    Thanks to both of you for the quick response.

    —————————
    There are no changes regarding behavior on chains and realms/subrealms between AM 5 and AM 6.0.0.x. The error you see makes me think that you are using agent 5 instead of agent 4 as per the instructions for AM 400A. There are fundamental architectural changes between agent 4 and agent 5, where agent 5 gets an access token and IdToken from the user, whereas agent 4 was receiving the cookie containing the session reference.

    The error you are seeing makes me think that you configured and installed your agent to work on the top realm, and not on the subscribers realm, which is why having the OpenDJ on the top realm helped.

    Also, when I move from / realm to /subscribers realm, AM asks me if I want to log out of current realm and log in to new realm.
    Is the SSOToken not valid for cross realm authentication? This is supposed to be valid in AM-5, as per training doc.

    There have been no changes in the product in that area. The confusion is probably the following:

    From the agent point of view, if it is set in SSO-Only, the agent does not check the realm from which the user was authenticated to give access. In that sense it is valid from whichever realm.
    However on AM itself, if you access realm A with a token that was obtained from realm B, AM will not validate the token. Indeed you are supposed to belong to a group of users from realm B and you should not be validated as a user from realm A. So you will need to authenticate again in the correct realm.
    ———————————


©2018 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
