Can't set module options in authentication chain

This topic has 6 replies, 4 voices, and was last updated 6 years, 2 months ago by Peter Major.

    #9335
     oyvindr
    Participant

    We have just started to evaluate OpenAM, and I have run into a problem with a fresh install of OpenAM 13.0.0. I’m trying to create a chain with two modules and shared state for username and password. Everything seems fine when I insert and save the shared state options, but after changing to another page and back again, the number of options has changed to 47 or some other high number. If I try to edit the options, it’s empty. No options are set. Trying to re-add the option at this point does nothing.

    When testing the chain, I have to re-enter username and password if I don’t authenticate to the first module.

    The number of options the GUI reports seems to correspond with the number of letters in the option names and values.

    #9369
     Peter Major
    Moderator

    Sounds like a rather odd behavior, do you have config exports/screenshot for this? I guess as a workaround you could use ssoadm to set the chain settings instead.

    #10017
     cgjengedal
    Participant

    Experiencing the same issue.
    Is it registered in bugster.forgerock.org?
    ..could not find any open bugs searching for “chain options”

    My configured authentication chain “Defender”:

    > .\ssoadm.bat get-auth-cfg-entr -m defender -e xxx -u amadmin -f C:\openam-tools\pwd.txt
    
    Authentication Configuration's entries:
    [name=AD] [flag=REQUISITE] [options=iplanet-am-auth-store-shared-state-enabled=true]
    [name=DevID-Match] [flag=SUFFICIENT] [options=]
    [name=Defender] [flag=REQUISITE] [options=iplanet-am-auth-shared-state-enabled=true,iplanet-am-auth-shared-state-behavior-pattern=useFirstPass]
    [name=DevID-Save] [flag=REQUIRED] [options=]

    Chain shown in XUI:
    [Image: XUI - auth chain listed]

    Module options for first module:
    [Image: module options for first module in chain]

    #10018
     cgjengedal
    Participant

    Additional observation: the count of options per module is just the length of each options string:
    “iplanet-am-auth-store-shared-state-enabled=true” is 48 characters long
    “iplanet-am-auth-shared-state-enabled=true,iplanet-am-auth-shared-state-behavior-pattern=useFirstPass” is 100 characters long

    #10898
     cgjengedal
    Participant

    My current workaround is to use ‘ssoadm update-auth-cfg-entr’ for chain options:

    https://wikis.forgerock.org/confluence/display/openam/ssoadm-authentication#ssoadm-authentication-get-auth-cfg-entr
    https://wikis.forgerock.org/confluence/display/openam/ssoadm-authentication#ssoadm-authentication-update-auth-cfg-entr

    Windows example with inline config:
    .\ssoadm.bat update-auth-cfg-entr -m myChain -e myRealm -u amadmin -f C:\openam-tools\pwd.txt -a "myAuthModule|REQUISITE|iplanet-am-auth-shared-state-enabled=true iplanet-am-auth-shared-state-behavior-pattern=tryFirstPass"

    Windows Powershell ssoadm example with config file:

    $spec = @"
    AD|REQUISITE|iplanet-am-auth-store-shared-state-enabled=true
    DevID-Match|SUFFICIENT|
    Defender|REQUISITE|iplanet-am-auth-shared-state-enabled=true iplanet-am-auth-shared-state-behavior-pattern=useFirstPass
    DevID-Save|REQUIRED|
    "@
    $spec | out-file -FilePath "c:\temp\ac-myChain.conf" -Encoding ASCII
    .\ssoadm.bat update-auth-cfg-entr -m myChain -e myRealm -u amadmin -f C:\openam-tools\pwd.txt -D c:\temp\ac-myChain.conf
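
The following is an added example, not part of the original posts: it converts the `get-auth-cfg-entr` output format quoted in post #10017 into the `update-auth-cfg-entr` data-file format shown in post #10898, so a chain can be captured, edited and re-applied without the XUI. The function name `ConvertTo-AuthChainSpec`, the accepted flag list and the comma-to-space option handling are assumptions drawn from the output quoted in this thread.

```powershell
# Added example (not from the thread). ConvertTo-AuthChainSpec is a hypothetical name.
function ConvertTo-AuthChainSpec {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    begin {
        # Control flags seen in the thread, plus OPTIONAL (the fourth JAAS-style flag).
        $flags   = 'REQUIRED', 'REQUISITE', 'SUFFICIENT', 'OPTIONAL'
        $pattern = '^\s*\[name=(?<name>[^\]]+)\]\s+\[flag=(?<flag>[^\]]+)\]\s+\[options=(?<opts>[^\]]*)\]\s*$'
    }
    process {
        foreach ($l in $Line) {
            if ($l -notmatch $pattern) { continue }   # banner and blank lines
            $name = $Matches['name']; $flag = $Matches['flag']; $opts = $Matches['opts']
            if ($flags -notcontains $flag) {
                throw "Unexpected flag '$flag' for module '$name'"
            }
            # Assumption from the quoted output: options are comma-separated there,
            # while the data file separates them with spaces.
            $pairs = @($opts -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            foreach ($p in $pairs) {
                if ($p -notmatch '^[^=\s]+=\S+$') {
                    throw "Malformed option '$p' for module '$name'"
                }
            }
            '{0}|{1}|{2}' -f $name, $flag, ($pairs -join ' ')
        }
    }
}

# Constructed sample: the output quoted in post #10017.
$captured = @'
Authentication Configuration's entries:
[name=AD] [flag=REQUISITE] [options=iplanet-am-auth-store-shared-state-enabled=true]
[name=DevID-Match] [flag=SUFFICIENT] [options=]
[name=Defender] [flag=REQUISITE] [options=iplanet-am-auth-shared-state-enabled=true,iplanet-am-auth-shared-state-behavior-pattern=useFirstPass]
[name=DevID-Save] [flag=REQUIRED] [options=]
'@ -split '\r?\n'

$captured | ConvertTo-AuthChainSpec   # emits the four lines of the data file
```

Running the same conversion on the `get-auth-cfg-entr` output after an update and comparing it with the file that was applied confirms which shared-state options each module actually has stored.
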

    #10912
     bertalanvoros
    Participant

    Hello All,

    I have the same problem and I can confirm that setting it using ssoadm works.

    #10913
     Peter Major
    Moderator