This topic has 7 replies, 4 voices, and was last updated 1 year, 12 months ago by Andy Cory.
June 4, 2020 at 5:39 pm #28006
letroncoso
Participant

Hi all,

My test environment is AM 5.5.1, for now. In a realm, I have multiple DNS aliases configured, for example idensaml.domain1.com and idensaml.domain2.com, with the corresponding Cookie Domains (Configure > Global Services > Platform).

To simplify the tests we are entering the profile through each DNS name:

http://idensaml.domain1.com:8780/openam
http://idensaml.domain2.com:8780/openam

My problem is that, since they do not share a cookie, each of them asks me for authentication. This is correct; according to the documentation, to solve it I should use a web/java agent.

I admit I tried to install the java agent for Tomcat in the AM itself, and this did not work. Would this approach be correct? Is there any documentation on how to install a java agent in the AM? Would there be another way to do it?

Thanks in advance
June 5, 2020 at 12:20 am #28007
Jatinder Singh
Participant

A Java Agent is configured within AM but installed in the application you want to protect. We typically use a Java Agent when the application is a Java web application. If your application is not Java based, you may want to look into using a Web Agent or IG. Now, since you are attempting to install a Java Agent, I would suggest following the Java Agent User Guide, as it is very detailed. And don’t forget to also update your web.xml file descriptor, as otherwise your agent filter will not get invoked.

June 9, 2020 at 3:24 pm #28014
letroncoso
Participant

Thanks for your reply.

Since most of the documentation is about putting the agent on an external web server and not on the web server where AM runs, my question is whether it is feasible to put a java agent on the AM Tomcat, so that there is CDSSO between both DNS aliases. Once I install the java agent, I lose access to AM. I found a KB, https://backstage.forgerock.com/knowledge/kb/article/a54838100, which we are verifying.

June 9, 2020 at 9:24 pm #28015
Jatinder Singh
Participant

You cannot put a Java Agent and AM within the same container. An agent is basically an enforcer of the policies and decisions made by AM; as such, it is placed on the side of the application one wants to protect. If you want to implement CDSSO between AM and the application you want to protect, placing the Java Agent on the same machine as AM won’t help. CDSSO is essentially achieved by the agent using the OAuth2 authorization process. So as you can see, the location of the agent doesn’t matter as long as there is connectivity between AM and the agent.

Hope this helps!
June 11, 2020 at 10:48 pm #28019
Scott Heger
Participant

An agent may help, depending on what domain the app it is protecting is using and which AM domain it is using in its agent profile. Before going any further, let me ask this: why do you have two different domains for AM? Typically DNS aliases are used with the same domain, but different hostnames. For example:

http://idensaml1.domain.com:8780/openam
http://idensaml2.domain.com:8780/openam

But you may have a valid reason to use different domains. If you can explain that, it may help us provide you a solution. Also, what domain or domains are your applications in?

Oh, and as a best practice, deploy AM as something other than /openam. :)
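As an added illustration, not from any poster in this thread, of why the two aliases in the original question (idensaml.domain1.com / idensaml.domain2.com with separate cookie domains) cannot share an AM session cookie while Scott's same-domain aliases (idensaml1.domain.com / idensaml2.domain.com with cookie domain domain.com) can: the Python below implements the RFC 6265 domain-match rule a browser applies before sending a cookie and checks, for each setup, whether a cookie set while logging in at one alias is presented at the other. The `cookie_domain_for` helper assumes AM stamps the session cookie with the first entry of its Cookie Domains list that matches the request host; that simplification is mine, not AM's documented algorithm. The hostnames and domain lists are constructed sample data.

```python
import ipaddress
from typing import List, Optional


def _is_ip_literal(host: str) -> bool:
    """True when host is an IPv4/IPv6 literal; cookies never domain-match those."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: would a browser send a cookie
    carrying Domain=cookie_domain along with a request to request_host?"""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")  # leading dot is ignored
    if host == domain:
        return True
    if _is_ip_literal(host):
        return False
    # domain must be a suffix of host, and the character just before it must be '.'
    # (so "evildomain1.com" does not match "domain1.com")
    return host.endswith("." + domain)


def cookie_domain_for(request_host: str, configured_domains: List[str]) -> Optional[str]:
    """Domain attribute the server puts on its session cookie for this request.
    Assumption (not AM's exact algorithm): the first configured cookie domain
    that domain-matches the request host is used. A Domain that does not match
    the request host would be rejected by the browser anyway (RFC 6265 5.3).
    None means a host-only cookie: only that exact hostname gets it back."""
    for d in configured_domains:
        if domain_matches(request_host, d):
            return d
    return None


def sso_cookie_shared(login_host: str, other_host: str, configured_domains: List[str]) -> bool:
    """After authenticating at login_host, is the same session cookie presented
    when the user then visits other_host?"""
    domain = cookie_domain_for(login_host, configured_domains)
    if domain is None:
        return login_host.lower().rstrip(".") == other_host.lower().rstrip(".")
    return domain_matches(other_host, domain)


# Constructed sample data mirroring the two setups discussed in the thread.
SPLIT_DOMAINS = ["domain1.com", "domain2.com"]   # original question: two cookie domains
SAME_DOMAIN = ["domain.com"]                      # Scott's suggestion: one shared parent domain

if __name__ == "__main__":
    print(sso_cookie_shared("idensaml.domain1.com", "idensaml.domain2.com", SPLIT_DOMAINS))  # False
    print(sso_cookie_shared("idensaml1.domain.com", "idensaml2.domain.com", SAME_DOMAIN))   # True
```

Note that the port (8780 in both URLs) plays no part: cookie scoping ignores port and scheme, so two aliases under different registrable domains stay isolated no matter how they are served, and two hostnames under one registrable domain share the cookie as soon as that domain is the cookie's Domain attribute.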
June 17, 2020 at 3:30 pm #28029
Andy Cory
Participant

"So my question is about whether it is feasible to put a java agent on the AM tomcat"

No, it is not. I think you are misunderstanding something fundamental: installing an agent in the same container is not a solution to any scenario I can imagine, even if it were possible to somehow get it running. Can you share more detail about your use case?
June 17, 2020 at 3:54 pm #28030
letroncoso
Participant

The scenario is basically a company that has multiple products. 2 of the products use the same realm and are accessed through 2 different domains, which is why the DNS aliases for the realm were configured. Now they want to have SSO between them. Since they have 2 domains, they do not have a cookie in common, so this would not be viable, which is why it was seen in the documentation that the agents would be recommended.

So the question would be how to have SSO between 2 DNS aliases of a realm.

June 30, 2020 at 3:48 pm #28039
Andy Cory
Participant

What are your protected resources? And what is it that protects them? I understand that you have AM configured to authenticate users in a realm, and that they can authenticate in that realm using either of two DNS aliases. Using either alias, they should get a session on AM and a cookie containing the session ID, with whichever domain they came in on. What I don’t get is what they use that cookie for. I would expect them to access a resource that requires authentication; commonly, this resource would be running on a web server or HTTP server somewhere, which would have an agent deployed to it. The agent would require the cookie. It sounds like you don’t have any agent in this scenario yet. So what is it that the user authenticates to actually do?