How to implement OpenAM SSO on existing web applications

Home Forums ForgeRock Products Access Management How to implement OpenAM SSO on existing web applications

Learn more about our upcoming Identity Summits

Tagged: ,

This topic has 5 replies, 2 voices, and was last updated 1 month, 1 week ago by Jatinder Singh.

  • Author
    Posts
  • April 20, 2020 at 2:48 pm #27828
     fugaoling
    Participant

    Our web application uses IIS and already has its own login page.
    We installed the OpenAM Web_agent to protect the IIS application.
    When opening the IIS application, the OpenAM login page will pop up first, After logging in to OpenAM, the login page of the IIS application will pop up.
    We want to skip the existing login page of the IIS application and get single sign-on.
    In this case, what should I do? Do I need to modify the login function of the IIS application?

    April 20, 2020 at 8:11 pm #27829
     Jatinder Singh
    Participant

    Since you plan to use OpenAM for SSO, this will essentially replace existing “login/logout” functionality in your ISS application. You can configure Web Agent to be in SSO mode (i.e. no policy based authorization) and pass user information (username, mail, etc.) via HTTP headers to your ISS application.

    Hope this helps!

    April 21, 2020 at 9:10 am #27830
     fugaoling
    Participant

    Thanks Jatinder,
    I’m new to OpenAM, is my understanding follow correct?
    1. We need to change our IIS application(remove the login/logout functionality?).
    2. We need to change our IIS application to read the HTTP headers passed by OpenAM.
    3. How to pass user information via HTTP headers? through the path “Realm/Applications/Agents/Web/myagents/Application”,set the “Profile Attribute FetchMode” with “HTTP_HEADER” and add “Profile Attribute Map”?

    April 21, 2020 at 4:39 pm #27832
     Jatinder Singh
    Participant

    Yes, you are on the right track.

    1. For your first point, the Login and Logout URL list will be configured in the Web Agent configuration – this helps Web Agent decide where to go for Login and what URL decides user wants to logout;
    2. Yes, the HTTP headers are passed for it to be consumed by protected application. For example, displaying username after successful login.
    3. Yes, you define attribute fetch mode and provide a map of attributes. The data is sent to Web Agent which ends up relaying it to protected application using the configured fetch mode.

    Useful links:
    https://backstage.forgerock.com/knowledge/kb/article/a43004700
    https://backstage.forgerock.com/knowledge/kb/article/a81991865
    https://backstage.forgerock.com/docs/openam-web-policy-agents/5.6/web-agents-guide/#web-agent-profile-attributes-processing-properties
    https://backstage.forgerock.com/docs/openam-web-policy-agents/5.6/web-agents-guide/#configure-web-pa-services-props

    April 23, 2020 at 7:52 am #27834
     fugaoling
    Participant

    Thanks Jatinder,
    Now I understand OpenAM better.

    April 23, 2020 at 4:45 pm #27835
     Jatinder Singh
    Participant

    Np :)

  • Author
    Posts
Viewing 6 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.

Leaderboard

The leaderboard is based on our rockin' informal points system, read about it here.
Visit our blog

©2020 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?