January 15, 2016 at 12:24 pm #6866
Let us consider,
There are 2 authentication chains – Chain1 (default) and Chain2.
For every request coming to the J2EE Agent, it redirects users to the default login URI of OpenAM. That’s fine.
Now, if I want to authenticate users using Chain2.
Manually, I can append “&service=Chain2” to login URI.
But how can I automate this thing?
How can I tell the agent to redirect to the login URI with “&service=Chain2” appended as well?
Any help would be appreciated.
January 15, 2016 at 3:32 pm #6870 Scott Heger Participant
Can you describe under what circumstances you would want to switch from using one chain vs the other?

January 15, 2016 at 4:40 pm #6872
Let me rephrase my question …
Suppose I have two users – Alice and Bob.
I want Alice to authenticate herself using Chain1 (Default) and
I want Bob to authenticate himself using Chain2 (non-default).
What I have to do is:
1) Select “Chain2” in Authentication Processing Attribute in Bob’s account.
2) Append “&user=bob” to the default login URI.
But the agent does not redirect me to user-specific URI.
Is it doable? If yes, how can I do that?

January 15, 2016 at 7:50 pm #6883 Scott Heger Participant
The issue is that neither the agent nor OpenAM know that it is Bob vs Alice until after authentication. It’s the chicken and egg scenario.
As an example, what would the differences in your two auth chains be? Maybe knowing a bit more why you want to do what you are asking could help in coming up with a different approach.

January 16, 2016 at 10:40 am #6890
As an example,
Suppose I trust Alice more, so I will allow her to login using only the credentials (DataStore).
But I don’t trust Bob that much, so I want Bob to enter credentials as well as OTP for login (DataStore and HOTP).
Hope this will help.

January 16, 2016 at 1:20 pm #6893 Rogerio Rondini Participant
As Scott said, OpenAM does not know Bob and Alice until authentication has been processed. If OpenAM does not know Bob and Alice, it can’t evaluate whether to trust them more or less…
What you need to do is keep a single chain with “DataStore” as the first auth module and “OTP” as the last auth module. Between DataStore and OTP you can set up another auth module which will evaluate the user under certain conditions, and the chain will decide whether to call “OTP” or not.
So, take a look at the OpenAM documentation: https://backstage.forgerock.com/#!/docs/openam/12.0.0/admin-guide/chap-auth-services#adaptive-auth-module-conf-hints. There you will see a chain with LDAP, Adaptive Risk, and HOTP. After the user sends their credentials to the LDAP module and it succeeds, Adaptive Risk will evaluate whether to trust the user or not. If NOT, the HOTP module will be called.
That is the way to implement your requirement.
Rogerio Rondini

January 19, 2016 at 8:54 pm #6933 Peter Major Moderator
Indeed, you could use Adaptive Risk or DevicePrint/Device ID modules (or just write your own) to conditionally trigger OTP-based authentication.

January 20, 2016 at 2:10 pm #6966
Thanks to everyone. I got your points.
But I am thinking – why is Authentication Attribute required in Subject’s Profile? Is there any use of it? Why does OpenAM give me an option of modifying it?
Wouldn’t it be good if OpenAM could behave in the following manner:
1) OpenAM will ask for only the username during login.
2) If it is a valid user, then OpenAM can respond with SUCCESS to Agent.
3) Then the agent must redirect the user again to the login URL after appending “&user=<username>” at the end.
4) Doing so, each and every subject can be authenticated with their configured service chain.
Correct me if I am wrong !!!

November 14, 2016 at 2:55 pm #14249 Thomas Liebeck Participant
I pick up this thread because I have the same technical problem but a different use case.
I have one web policy agent protected application which is used by several user groups.
User group1 is registered locally and the OpenAM server authenticates the users against LDAP and HOTP (chain 1).
User group2 is managed in a foreign security domain, i.e. the OpenAM server authenticates the users using the SAML module (chain 2).
Fortunately my protected resource will be linked from another application. My idea was to have different URLs as the link, e.g.
or something like myprotectdedapp.mydomain.com/?group=value
Depending on the group, either the chain with LDAP and HOTP (group1) should be used or the chain with the SAML module (group2) should be used.
Having one chain with all modules in it does not make sense because I would try to log in federated users against LDAP and would refer local users to a foreign IDP.
I guess I can use conditional login when having two domains like
and use different login URLs. But with many user groups this is not the way to go, I think.
Any ideas for this scenario?

December 15, 2016 at 1:54 am #14826 bipink Participant
From another forum I learnt that it is possible to invoke a different authentication chain if I pass a parameter and the authentication chain name as follows,
I also agree that OpenAM won’t know which authentication chain should be invoked, but in this case I want to rely on the application to define this, and maybe one custom attribute in my OpenDJ can say “for this user invoke this chain”.
Also, in OpenAM under Subjects I can see “User Authentication Configuration” with all chains, but despite selecting a specific chain it always invokes the default chain. In OpenDJ I can see “iplanet-am-user-auth-config” stores the chain which I have selected from OpenAM.
So, two questions here:
1) How can I pass the parameter dynamically, or how can OpenAM read from OpenDJ and understand which authentication chain should be invoked for this user after completion of basic authentication? Note: All my chains have DataStore as the first module and then each chain contains a different authentication module, e.g. LDAP + GoogleAuthentication, LDAP + ForgeRockAuthentication, LDAP + so on..
2) Why is OpenAM not invoking the specified chain for a user despite selecting it under “User Authentication Configuration” and it being available in OpenDJ under the attribute “iplanet-am-user-auth-config”?
I am using the OIDC feature on Liberty while my OpenAM (13.0.0) is running on WebSphere Application Server (8.5.x)

September 7, 2018 at 10:23 am #23141 frank Participant
I’m having quite the same issue, but maybe a clear idea on how to distinguish
both URLs are being served by the same Apache (actually proxying to some backends)
How would I do this?
And maybe related: both chains should authenticate against a datastore, but each to a different one. -> I haven’t found a way to define which datastore to use when defining the chain and using the datastore module.
This all sounds a lot like I should do multiple realms, but there is only one agent handling it all, so I guess it should be in the same realm.
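The single-chain design Rogerio and Peter recommend earlier in the thread (a credential module first, Adaptive Risk as a sufficient step, HOTP last) can be modelled in a few lines to see which users are prompted for an OTP. The following Python is an added example, not code from any poster and not OpenAM's own implementation. The JAAS-style flag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL), the user entries, the `trusted` profile attribute, the trusted network 10.1.0.0/16 and the OTP values are all assumptions constructed for the example; the Adaptive Risk stand-in simply combines a per-user attribute with the client IP.

```python
"""Model of one OpenAM-style authentication chain that decides at run time
whether a one-time password is needed, instead of choosing between two chains
before the user is known.  Everything below is constructed example data."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


class Flag(Enum):
    REQUIRED = "required"      # must pass; on failure the chain still runs on
    REQUISITE = "requisite"    # must pass; on failure the chain stops at once
    SUFFICIENT = "sufficient"  # a pass ends the chain with success, a fail moves on
    OPTIONAL = "optional"      # only counts when no required/requisite module exists


@dataclass
class Module:
    name: str
    flag: Flag
    check: Callable[[dict], bool]


# Constructed user store standing in for the DataStore / OpenDJ entries.
# "trusted" is an assumed profile attribute, not a real OpenAM attribute name.
USERS: Dict[str, dict] = {
    "alice": {"password": "alice-pw", "hotp": "111111", "trusted": True},
    "bob": {"password": "bob-pw", "hotp": "222222", "trusted": False},
}
# Constructed risk rule: a login is low risk only from the office network.
TRUSTED_NET = ip_network("10.1.0.0/16")


def datastore(req: dict) -> bool:
    """Credential check, the first module in every chain discussed above."""
    user = USERS.get(req.get("user"))
    return user is not None and req.get("password") == user["password"]


def adaptive_risk(req: dict) -> bool:
    """Stand-in for the Adaptive Risk module: the user is known by now, so a
    per-user attribute can be consulted together with the request context."""
    user = USERS.get(req.get("user"))
    if user is None or not user["trusted"]:
        return False
    try:
        return ip_address(req.get("ip", "")) in TRUSTED_NET
    except ValueError:
        return False


def hotp(req: dict) -> bool:
    """Second factor; only reached when the risk step did not end the chain."""
    user = USERS.get(req.get("user"))
    return user is not None and req.get("otp") == user["hotp"]


CHAIN: List[Module] = [
    Module("DataStore", Flag.REQUIRED, datastore),
    Module("AdaptiveRisk", Flag.SUFFICIENT, adaptive_risk),
    Module("HOTP", Flag.REQUIRED, hotp),
]


def run_chain(chain: List[Module], req: dict) -> Tuple[bool, List[str]]:
    """Evaluate a chain with JAAS-style flags; returns (success, modules invoked)."""
    invoked: List[str] = []
    required_seen = required_failed = optional_ok = False
    for m in chain:
        ok = m.check(req)
        invoked.append(m.name)
        if m.flag in (Flag.REQUIRED, Flag.REQUISITE):
            required_seen = True
            if not ok:
                required_failed = True
                if m.flag is Flag.REQUISITE:
                    return False, invoked
        elif m.flag is Flag.SUFFICIENT:
            # Only short-circuits when nothing mandatory has failed so far.
            if ok and not required_failed:
                return True, invoked
        else:
            optional_ok = optional_ok or ok
    if required_seen:
        return not required_failed, invoked
    return optional_ok, invoked


def login(user: str, password: str, ip: str, otp: Optional[str] = None) -> Tuple[bool, List[str]]:
    return run_chain(CHAIN, {"user": user, "password": password, "ip": ip, "otp": otp})


if __name__ == "__main__":
    print(login("alice", "alice-pw", "10.1.4.7"))            # low risk: no OTP step
    print(login("alice", "alice-pw", "203.0.113.9", "111111"))  # off-net: OTP required
    print(login("bob", "bob-pw", "10.1.4.7", "222222"))       # untrusted user: OTP required
    print(login("bob", "bob-pw", "203.0.113.9", "000000"))    # wrong OTP
```

Because Adaptive Risk is SUFFICIENT, a trusted user on the trusted network never reaches the HOTP module, while everyone else does; the decision is made after the credential module has identified the user, which is exactly the ordering the thread's "chicken and egg" point requires. DataStore is REQUIRED rather than REQUISITE so that a wrong password does not stop the chain early and reveal which step failed.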