How to authenticate users using non-default chains in an automated manner?

This topic contains 10 replies, has 7 voices, and was last updated by  frank 10 months, 2 weeks ago.

  • Author
  • #6866

    Let us consider,

    There are 2 authentication chains – Chain1 (default) and Chain2.
    For every request coming to J2EE Agent, it redirects users to default login URI of OpenAM. That’s fine.

    Now, if I want to authenticate users using Chain2.
    Manually, I can append “&service=Chain2” to login URI.
    But how can I automate this thing?
    How can I tell agent to redirect to login URI having appended “&service=Chain2” also?

    Any help would be appreciated.

     Scott Heger 

    Can you describe under what circumstances you would want to switch from using one chain vs the other?


    Let me rephrase my question …

    Suppose I have two users – Alice and Bob.

    I want Alice to authenticate herself using Chain1 (Default) and
    I want Bob to authenticate himself using Chain2 (non-default).

    What I have to do is:-
    1) Select “Chain2” in Authentication Processing Attribute in Bob’s account.
    2) Append “&user=bob” to the default login URI.

    But the agent does not redirect me to user-specific URI.
    Is it doable? If yes, how can I do that?

     Scott Heger 

    The issue is that neither the agent nor OpenAM know that it is Bob vs Alice until after authentication. It’s the chicken and egg scenario.

    As an example, what would the differences in your two auth chains be? Maybe knowing a bit more why you want to do what you are asking could help in coming up with a different approach.


    As an example,

    Suppose I trust Alice more, so I will allow her to login using only the credentials (DataStore).
    But I don’t trust Bob that much, so I want Bob to enter credentials as well as OTP for login (DataStore and HOTP).

    Hope this will help.

     Rogerio Rondini 


    As Scott said, OpenAM does not know Bob and Alice until authentication be processed. If OpenAM does not know Bob and Alice, it can`t evaluate whether trust more or less…

    What you need to do is keep a single Chain with “DataStore” as the first Auth Module, and “OTP” as the last Auth Module. Between DataStore and OTP you can setup another auth module which will evaluate the user under certain conditions and Chain will decide whether call “OTP” or not.

    So.. take a look in the OpenAM document!/docs/openam/12.0.0/admin-guide/chap-auth-services#adaptive-auth-module-conf-hints. There you will see a Chain with LDAP, Adaptive Risk, and HOTP. After user send their credentials to LDAP module and it get success, Adaptive Risk will evaluate if trust or not. If NOT, HOTP module will be called.
    That is the way to implement your requirement.

    Rogerio Rondini

     Peter Major 

    Indeed, you could use Adaptive Risk or DevicePrint/Device ID modules (or just write your own) to conditionally trigger OTP based authentication.


    Thanks to everyone. I got your points.

    But I am thinking – why is Authentication Attribute required in Subject’s Profile? Is there any use of it? Why does OpenAM give me an option of modifying it?

    Wouldn’t it be good if OpenAM can behave in the following manner :-

    1) OpenAM will ask for only the username during login.
    2) If it is a valid user, then OpenAM can respond with SUCCESS to Agent.
    3) Then Agent must redirect the user again to login url after appending “&user=<username>” at the end.
    4) Doing so, each and every subject can be authenticated with their configured service chain.

    Correct me if I am wrong !!!

     Thomas Liebeck 

    I pick up this thread because I have the same technical Problem but a different use case.
    I have one web policy Agent protected application which is used by serveral user Groups.
    user group1 is registered locally and OpenAm Server authenticates the users against LDAP and HOTP (chain 1)
    user Group2 is managed in a foreign security Domain, i.e. OpenAm Server authenticates the users using the SAML Module (chain 2)

    Fortunately my protected resoure will be linked from another application. My idea was to have different URLs as the link, e.g.
    or something like

    Depending on the Group either the chain with LDAP and HOTP (group1) should be used or the chain with SAML module (group2) should be used.

    Having one chain with all modules in does not make sense because I will try federated users to Login against LDAP and would refer local users to a foreign IDP.

    I guess I can use conditional Login when having two Domains like

    and use different Login URLs. But with many user Groups this is not the way to go I think.

    Any ideas for this Scenario?


    From another forum i learnt that it is possible to invoke different authentication chain if i pass parameter and authentication chain name as followed,


    I also agree that OpenAM won’t know which authentication chain should be invoked, but in this case, i want to rely on application to define this and may be one custom attribute in my OpenDJ can say for this user invoke this chain.

    Also in OpenAM under Subjects i can see “User Authentication Configuration” with all chains, but despite of selecting specific chain it always invoke default chain. In OpenDJ i can see “iplanet-am-user-auth-config” store the chain which i have selected from OpenAM.

    So two questions here,

    1) How can i pass the parameter dynamically or how openAM can read from OpenDJ and understand which authentication chain should be invoked for this user, after completion of basic authentication? Note: All my chains have dataservice as first module and then each chain contains different authentication module. e.g. LDAP + GoogleAuthentication, LDAP + ForgeRockAuthentication, LDAP + so on..

    2) Why OpenAM is not invoking specified chain for a user despite of selecting it under “User Authentication Configuration” and available in OpenDJ under attribute “iplanet-am-user-auth-config”

    I am using OIDC feature on liberty while my OpenAM (13.0.0) is running on Websphere Application Server (8.5.x)


    I’m having quite the same issue, but maybe a clear idea on how to distinguish

    https://specifichost/applicationA should be authenticated by chainA
    https://specifichost/applicationB should be authenticated by chainB

    both URL’s are being served by the same apache (actually proxying to some backends)

    How would I do this ?

    And maybe related: Both Chains should authenticate against a datastore, but each to a different one. -> haven’t found a way to define which datastore to use when defining the chain and using the datastore module.

    This all sounds a lot like I should do multiple realms, but there is only one agent handling it all, so I guess it should be in the same realm.

Viewing 11 posts - 1 through 11 (of 11 total)

You must be logged in to reply to this topic.

©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?