How to protect an application with the help of OpenIG without changing multiple URLs

This topic has 11 replies, 3 voices, and was last updated 6 years, 4 months ago by raghukanakala.

  • #8953
     raghukanakala
    Participant

    My application as below:

                                            http://openam.test.com:8085/openam
                                               -----------------
                                              |  Tomcat 2       |
     OpenIG                                   |                 | 
    http://openig.test.com:7080/test          |                 |
    -------------------|                      |                 |  
    Tomcat 1 j2ee_agent|----------------------|--J2eeAgent      |
                       |                      |                 |
                                              |  apache22_agent |                                 
    ------------------|                             |
                                               -----|---------------- 
                                               |  apache22_agent    |                                       
                                               |                    |
                                               |IBM HTTP Server8.0  |
                                               -----------------------
               Application URL  --------------> http://openam.test.com:8083/test
    

    The above is my installation. I am trying to access my application through the OpenIG URL http://openig.test.com:7080/test; it then redirects to OpenAM (http://openam.test.com:8085/openam) for authentication and returns to the application URL (http://openam.test.com:8083/test).

    In the above process I need to use the same OpenIG URL (http://openig.test.com:7080/test), and the rest of the requests need to be routed internally to OpenAM and the application.

    Is my setup correct, or do you have any suggestions?

    #8954
     raghukanakala
    Participant

    The above image is scattered, please find the details below:

    Apache Tomcat 1 (OpenIG installed ) URL : http://openig.test.com:7080/test

    Apache Tomcat 2 (OpenAM installed ) URL : http://openam.test.com:8085/openam

    IBM HTTP Server 8.0 (Application server) URL : http://openam.test.com:8083/test

    Agent Details :
    1. Installed J2EE agent on Tomcat 1 (OpenIG)
    OpenAM URL : http://openam.test.com:8085/openam
    Agent URL: http://openam.test.com:7080/agentapp
    Configured in OpenAM with the above details

    2. Installed Apache web agent 2.2 on IBM HTTP Server
    OpenAM URL : http://openam.test.com:8085/openam
    Agent URL: http://openam.test.com:8083
    Configured in OpenAM with the above details

    Please let me know if you need any other details.

    #8986
     Rajesh R
    Participant

    @raghukanakala Not an exact answer to the question that you’ve raised, but the following video log that I made while protecting an OpenAM and OpenIDM instance using OpenIG might just give you enough hint to draft a solution for your situation:

    https://forgerock.org/2016/03/addendum-forgerock-full-stack-configuration-using-forgerock-openig/

    #9112
     raghukanakala
    Participant

    Thanks Rajesh for the video.
    I have the following doubts:
    1. Did you install any J2EE Agent for the OpenIG to OpenAM integration?
    2. Is there any OpenAM configuration related to OpenIDM?

    #9113
     Rajesh R
    Participant

    @raghukanakala Since my idea was only to route the requests to OpenAM and OpenIDM, I did not install an agent on OpenIG. So all it does in the video log is, based on rules defined in the Route Configuration files of OpenIG, redirect the requests to/from OpenAM/OpenIDM.

    For the OpenAM Configuration related to OpenIDM, there is none. Just that OpenIDM should have identities synchronized to an Identity Repository used by OpenAM. Also, you’ll have to configure OpenIDM to use the OpenAM Authentication Module. All that is in the video Full Stack Configuration here: https://forgerock.org/2016/02/forgerock-full-stack-configuration/

    If you want to protect OpenIG with OpenAM for a purpose such as replaying user credentials to Legacy Applications, then you have to install an Agent on OpenIG. I made a video tutorial around the same earlier, which you can view at the link below:

    https://forgerock.org/2015/08/forgerock-openig-getting-credentials-from-forgerock-openam/

    I do not edit out any steps performed during the demonstrations in my videos. So what you see is all that I do.

    #9124

    My guess is that the Apache agent considers that the incoming connection is not authenticated (no iPlanetDirectoryPro cookie yet), so it generates a redirect to AM (a second one, given that you already authenticated your browser the first time you went through IG and its own J2EE Agent). This redirect has a goto URL included in it that will be your landing page after authentication.

    Make sure that your Apache agent is configured to redirect you not directly to the protected application, but to IG.

    #9163
     raghukanakala
    Participant

    Thank you very much. Let me integrate it and I will let you know.

    #9255
     raghukanakala
    Participant

    Hello Rajesh,

    Looks like the OpenIG integration video was replaced with OpenIDM (https://forgerock.org/2016/02/forgerock-full-stack-configuration/). Could you please share the same.

    Thanks, Raghu

    #9257
     Rajesh R
    Participant
    #9258
     raghukanakala
    Participant

    Thanks Rajesh for the URL. I am not sure where I am missing something while doing the setup. I am not able to redirect to the sample HTTP server instead of the OpenIDM mentioned in the above video. I used the same setup, but after authentication it redirects back to the OpenAM http://openam.test.com:8080/openam/XUI/#realms page. Am I missing some configuration here?
    Following are my details.

    Jetty : OpenIG 4.0 deployed (http://openam.test.com:8080)
    Tomcat: OpenAm 13 deployed (http://openam.test.com:8085)
    HTTP: openig-doc-samples-3.1.0-jar-with-dependencies (http://openam.test.com:8888)

    My POC: When I try to access the OpenIG URL (http://openam.test.com:8080/openam), it needs to authenticate with OpenAM and then redirect to the HTTP server.
    This is my requirement.

    1. config.json
    {
      "handler": {
        "type": "Router"
      },
      "heap": [
        {
          "name": "LogSink",
          "type": "ConsoleLogSink",
          "config": {
            "level": "DEBUG"
          }
        },
        {
          "name": "capture",
          "type": "CaptureDecorator",
          "config": {
            "captureEntity": true,
            "captureContext": true
          }
        }
      ]
    }

    2. demo.json
    {
      "handler": {
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "condition": "${request.cookies['iPlanetDirectoryPro'] == null}",
              "handler": {
                "type": "StaticResponseHandler",
                "config": {
                  "status": 302,
                  "reason": "Found",
                  "headers": {
                    "Location": [
                      "http://openam.test.com:8080/openam/XUI/#login/&goto=http%3A%2A%2Aopenam.test.com%3A8080%2F"
                    ]
                  },
                  "entity": "Redirecting to OpenAM..."
                }
              },
              "baseURI": "http://openam.test.com:8888"
            },
            {
              "comment": "This condition is optional, but included for clarity.",
              "condition": "${request.cookies['iPlanetDirectoryPro'] != null}",
              "handler": "ClientHandler",
              "baseURI": "http://openam.test.com:8888"
            }
          ]
        }
      },
      "condition": "${not contains(request.uri.path, 'openam')}"
    }

    3. openam.json
    {
      "handler": "ClientHandler",
      "condition": "${matches(request.uri.path, '^/openam')}",
      "baseURI": "http://openam.test.com:8085"
    }

    The above configuration was taken from your video as input.

    Thanks Rajesh for helping in all phases of the integration with OpenAM.

    #9260
     Rajesh R
    Participant

    @raghukanakala Is the ‘goto’ parameter in the demo.json file pointing to the OpenIG URL? Not able to see that for some reason. If yes, the same configuration worked fine for me.

    Can you see if the OpenIG log says something. Maybe you can clear the logs to start with, then try running through the flow to see how OpenIG is handling the routes.

    #9270
     raghukanakala
    Participant

    Hello Rajesh,

    I could see all the logs properly, as you showed in the video.

    The below URL is what you are missing:
    http://openam.flexipas.com:8080/openam/XUI/#login/&
    goto=http%3A%2A%2Aopenam.flexipas.com%3A8080%2F”

    After that authentication, it is redirecting to the below URL:
    http://openam.flexipas.com:8080/openam/XUI
    /**openam.flexipas.com:8080/”
    This is the issue I am facing.
    Looks like you configured OpenAM with OpenIDM; it may be due to that it is redirecting. Can you please provide any clue.

    Thank you very much.
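The two DispatchHandler bindings in the demo.json above, and the goto encoding the unauthenticated branch depends on, modelled in Python as an added example (not code from the thread or from ForgeRock). Hostnames, ports and the SSO cookie name are the values from the posts; `%2A` is the percent-encoding of `*`, so the posted goto value decodes to `http:**openam.test.com:8080/`, which is consistent with the `/**openam...` URL reported after login, while a value built with `quote(..., safe='')` round-trips to the OpenIG URL.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Constructed values taken from the thread: the XUI login path quoted in
# demo.json, the OpenIG front URL, the application baseURI and the SSO cookie.
OPENAM_LOGIN = "http://openam.test.com:8080/openam/XUI/#login/"
OPENIG_URL = "http://openam.test.com:8080/"
APP_BASE_URI = "http://openam.test.com:8888"
SSO_COOKIE = "iPlanetDirectoryPro"

# The Location value exactly as posted in demo.json (goto encoded with %2A%2A).
POSTED_LOCATION = OPENAM_LOGIN + "&goto=http%3A%2A%2Aopenam.test.com%3A8080%2F"


def build_login_redirect(goto_url: str) -> str:
    """Location header for the unauthenticated binding. The goto value is
    percent-encoded with no safe characters, so ':' -> %3A and '/' -> %2F."""
    return f"{OPENAM_LOGIN}&goto={quote(goto_url, safe='')}"


def extract_goto(location: str) -> str:
    """Decode the goto parameter the way the XUI reads it from the URL fragment."""
    fragment = urlsplit(location).fragment  # e.g. "login/&goto=http%3A%2F%2F..."
    _, _, query = fragment.partition("&")
    return parse_qs(query).get("goto", [""])[0]  # parse_qs percent-decodes


def goto_round_trips(location: str, expected: str) -> bool:
    """True when the decoded goto is exactly the URL the user should land on."""
    return extract_goto(location) == expected


def dispatch(cookies: dict, path: str) -> tuple:
    """Mirror the two bindings: no SSO cookie -> 302 to OpenAM with a goto
    back to OpenIG; cookie present -> forward to the application baseURI."""
    if SSO_COOKIE not in cookies:
        return ("redirect", build_login_redirect(OPENIG_URL))
    return ("proxy", APP_BASE_URI + path)


if __name__ == "__main__":
    print("posted goto decodes to:", extract_goto(POSTED_LOCATION))
    print("corrected Location    :", dispatch({}, "/test")[1])
```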
