This topic contains 2 replies, has 2 voices, and was last updated by  AJAY SURI 1 week, 4 days ago.

  • #24603
     AJAY SURI 
    Participant

    Hi All,

    I have an authentication chain used for login that uses JDBC –> Device ID –> RBA –> HOTP –> Device Save

    It works fine for every user created in the database with a corresponding profile in the embedded user store.

    I have a policy configured to step-up the authentication when the user tries to access certain resources (on Apache web server protected through a web agent). The policy requires users to authenticate through SMS OTP.

    For one user (demo), the step-up works fine as the OTP entered is accepted and user goes back to protected resource.

    For all my other users, the SMS OTP is sent successfully during the step-up process, but when the user enters the OTP, AM doesn't redirect the user back to the protected resource. I don't see any authentication error either. The logs seem to suggest AM successfully validated the OTP.

    {"realm":"/","transactionId":"076ba053-994c-4067-9705-38b3f876fb6a-6161","userId":"id=testuser3,ou=user,dc=openam,dc=forgerock,dc=org","component":"Authentication","eventName":"AM-LOGIN-COMPLETED","result":"SUCCESSFUL","entries":[{"moduleId":"HOTP","info":{"authIndex":"module_instance","ipAddress":"127.0.0.1","authLevel":"0"}}],"timestamp":"2019-01-29T17:22:02.967Z","trackingIds":["076ba053-994c-4067-9705-38b3f876fb6a-5598","076ba053-994c-4067-9705-38b3f876fb6a-5535"],"_id":"076ba053-994c-4067-9705-38b3f876fb6a-6177"}

    Any idea why certain users wouldn't successfully be redirected back?

    AM version is 6.5
    Webagent is also the latest one available for 6.5 and Apache 2.4

    • This topic was modified 2 weeks, 4 days ago by  AJAY SURI.
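Added example, not part of the thread or of ForgeRock's code: a small script that reads AM audit events in the JSON-lines shape of the AM-LOGIN-COMPLETED event quoted above and lists, per user, which module completed the login and the authLevel the event reports, then flags successful logins whose level is below a required step-up level. The sample events and the required level (STEP_UP_LEVEL) are constructed assumptions for illustration; the script does not claim that the level is the cause of the redirect behaviour described in the post, it only makes the reported value easy to compare across users.

```python
"""Parse ForgeRock AM audit events (JSON lines) and compare each
AM-LOGIN-COMPLETED event's authLevel against a required step-up level.

Added example for this forum thread, not ForgeRock code. The events in
SAMPLE_AUDIT are constructed to match the field layout of the event
quoted in the post; STEP_UP_LEVEL is an assumed value."""
import json

STEP_UP_LEVEL = 10  # assumption: the level the step-up policy requires

# Constructed sample audit lines (same layout as the quoted event; not real data).
SAMPLE_AUDIT = """\
{"realm":"/","transactionId":"t-1","userId":"id=demo,ou=user,dc=openam,dc=forgerock,dc=org","component":"Authentication","eventName":"AM-LOGIN-COMPLETED","result":"SUCCESSFUL","entries":[{"moduleId":"HOTP","info":{"authIndex":"module_instance","ipAddress":"127.0.0.1","authLevel":"10"}}],"timestamp":"2019-01-29T17:20:00.000Z"}
{"realm":"/","transactionId":"t-2","userId":"id=testuser3,ou=user,dc=openam,dc=forgerock,dc=org","component":"Authentication","eventName":"AM-LOGIN-COMPLETED","result":"SUCCESSFUL","entries":[{"moduleId":"HOTP","info":{"authIndex":"module_instance","ipAddress":"127.0.0.1","authLevel":"0"}}],"timestamp":"2019-01-29T17:22:02.967Z"}
{"realm":"/","transactionId":"t-3","userId":"id=testuser4,ou=user,dc=openam,dc=forgerock,dc=org","component":"Authentication","eventName":"AM-LOGIN-FAILED","result":"FAILED","entries":[{"moduleId":"HOTP","info":{"authIndex":"module_instance","ipAddress":"127.0.0.1"}}],"timestamp":"2019-01-29T17:23:00.000Z"}
"""


def user_cn(user_id):
    """Return the leading RDN value of a userId DN: 'id=demo,ou=...' -> 'demo'."""
    first = user_id.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def parse_events(text):
    """Yield one dict per parseable JSON line; blank and malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def login_levels(text):
    """Map user -> (moduleId, authLevel as int or None, result) for completed logins."""
    out = {}
    for ev in parse_events(text):
        if ev.get("component") != "Authentication" or ev.get("eventName") != "AM-LOGIN-COMPLETED":
            continue
        module, level = None, None
        for entry in ev.get("entries", []):
            module = entry.get("moduleId", module)
            raw = entry.get("info", {}).get("authLevel")
            if raw is not None:
                try:
                    level = int(raw)
                except ValueError:
                    level = None  # unparseable level is treated as unknown
        out[user_cn(ev.get("userId", ""))] = (module, level, ev.get("result"))
    return out


def below_step_up(text, required=STEP_UP_LEVEL):
    """Users whose successful login reported an authLevel below `required` (or none)."""
    return sorted(
        user
        for user, (_module, level, result) in login_levels(text).items()
        if result == "SUCCESSFUL" and (level is None or level < required)
    )


if __name__ == "__main__":
    for user, (module, level, result) in login_levels(SAMPLE_AUDIT).items():
        print(f"{user}: module={module} authLevel={level} result={result}")
    print("below required level:", below_step_up(SAMPLE_AUDIT))
```

To run it against a real audit log, replace SAMPLE_AUDIT with the contents of the AM authentication audit file; the functions only need the component, eventName, userId, result and entries fields that the quoted event already carries.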
    #24693
     william.hepler 
    Participant

    Is there any different Realm being used for your other users?

    Demo likely is in the global realm. Starting in Agents 5, the Agent always tries to send you to global realm. You need to use as an example:

    com.forgerock.agents.conditional.login.url[1]=myapp.domain.com|https://openam2.example.com/openam/oauth2/authorize?realm=sales

    To redirect to a specific realm.

    https://backstage.forgerock.com/docs/openam-web-policy-agents/5/web-agents-guide/index.html#web-agent-conditional-redirection

    #24696
     AJAY SURI 
    Participant

    Hi William

    Yes, all users in same realm.

    Initial login works fine for all users.

    It's only when step-up is enforced through HOTP for some sensitive resources that demo gets redirected successfully but the others don't.

    Regards

    Ajay Suri

©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
