How to reference subject attributes of an OpenAM response?

This topic has 7 replies, 5 voices, and was last updated 2 years, 11 months ago by ak.tokas.

  • #10549
     bertalanvoros
    Participant

    Hello All,

    I am configuring OpenIG as a Policy Enforcement Point for OpenAM.
    I can successfully check against a given policy and have a decision made.

    I would like to know how to reference a Subject Attribute from OpenAM’s response.

    I am trying to get the user’s email address later to be used.

    #10557
     Simon Moffatt
    Participant

    In the policy definition within OpenAM, try adding response attributes. If the decision is true, either static or dynamic profile data can be sent back in the policy decision payload. See response attributes in https://backstage.forgerock.com/#!/docs/openam/13/admin-guide#what-is-authz-policies

    • This reply was modified 4 years, 2 months ago by Simon Moffatt.
    #10571
     bertalanvoros
    Participant

    Thanks for this Simon,

    I would like to know how to actually refer to the response attribute in my OpenIG code, from a syntax point of view, couldn’t find an example.

    I have “mail” configured under Response Attributes – Subject Attributes in my Policy, just couldn’t figure out how to refer to that in my config.

    Would you be able to show an example?

    #10709
     violette
    Participant

    Hi bertalanvoros!

    In OpenIG, if the policy is verified, then ${attributes.policy} will be
    filled with extra “attributes” and “advices” map fields (empty by default),
    for example ${attributes.policy.attributes} or ${attributes.policy.advices}.

    See “target” attribute in the policy enforcement filter documentation.

    Regards,
    Violette.

    • This reply was modified 4 years, 2 months ago by violette.
    #15034
     xpchg
    Participant

    Hi,
    Who can tell me how to get the response attributes in OpenIG?

    I’m configuring the mail and uid in OpenAM -> Authorization -> Policy Sets -> policy -> response attributes.
    I want to get them in OpenIG without a policy agent. What should I do?

    • This reply was modified 3 years, 7 months ago by xpchg.
    #15105
     violette
    Participant

    Hi xpchg,

    By using a PolicyEnforcementFilter, in IG 4.5, the response attributes are under ${attributes.policy.attributes}.
    For example, if you add subject attributes mail and uid in your policy, you will retrieve them under ${attributes.policy.attributes.mail} and ${attributes.policy.attributes.uid}.
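    A minimal route that puts the two answers above together (an added example, not from this thread or from the IG documentation; the hostnames, agent credentials, realm, policy set name and header names are assumptions): the PolicyEnforcementFilter stores the decision under its default target ${attributes.policy}, and a HeaderFilter then forwards the mail and uid subject attributes to the protected application. It assumes the attribute values come back from OpenAM as lists, hence the [0] index, and that the application only accepts these headers from IG.

```json
{
  "name": "pep-with-subject-attributes",
  "condition": "${matches(request.uri.path, '^/pep')}",
  "baseURI": "http://app.example.com:8081/",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "comment": "Ask OpenAM for a policy decision; on deny the filter stops the chain (assumed hostnames and agent account)",
          "name": "OpenAM Authorization",
          "type": "PolicyEnforcementFilter",
          "config": {
            "openamUrl": "https://openam.example.com:8443/openam/",
            "pepUsername": "ig-agent",
            "pepPassword": "ig-agent-password-placeholder",
            "realm": "/",
            "application": "OPENIG",
            "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}",
            "target": "${attributes.policy}"
          }
        },
        {
          "comment": "Subject attributes from the decision are under ${attributes.policy.attributes}; values are lists, so take the first one",
          "name": "Forward subject attributes",
          "type": "HeaderFilter",
          "config": {
            "messageType": "REQUEST",
            "remove": [
              "X-User-Mail",
              "X-User-Uid"
            ],
            "add": {
              "X-User-Mail": [
                "${attributes.policy.attributes.mail[0]}"
              ],
              "X-User-Uid": [
                "${attributes.policy.attributes.uid[0]}"
              ]
            }
          }
        }
      ],
      "handler": "ClientHandler"
    }
  }
}
```

    The "remove" entries strip any client-supplied copies of the headers before IG adds its own, so the application cannot be handed a spoofed mail or uid.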

    #18781
     ak.tokas
    Participant

    Hi everyone,

    I was doing a POC on OpenIG 4.5 and I encountered a similar problem.
    I have configured OpenIG as a PEP with OpenAM, and I am using the following route file. Whenever I log in to OpenAM I get an *Authorization Required* HTML page in my browser, and a similar unauthorized error in the OpenIG log.
    Can anyone help me rectify this issue?
    Thanks in advance.

    {
      "baseURI": "http://marvelstudios.starkindustries.com:8081/",
      "handler": {
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "comment": "Redirect to OpenAM authentication",
              "name": "OpenAM Authentication",
              "condition": "${request.cookies['iPlanetDirectoryPro'] == null}",
              "handler": {
                "type": "StaticResponseHandler",
                "config": {
                  "status": 302,
                  "reason": "Found",
                  "headers": {
                    "Location": [
                      "https://openam.starkindustries.com:7773/openam/XUI/#login/marvel/&goto=${urlEncodeQueryParameterNameOrValue(contexts.router.originalUri)}"
                    ]
                  },
                  "entity": "Redirecting to OpenAM for authentication..."
                },
                "capture": "all"
              }
            },
            {
              "comment": "OpenAM Authorization chain for policy validation and attributes retrieval",
              "name": "OpenAM Authorization Chain",
              "condition": "${request.cookies['iPlanetDirectoryPro'] != null}",
              "handler": {
                "type": "Chain",
                "config": {
                  "filters": [
                    {
                      "comment": "OpenAM Authorization check filter",
                      "name": "OpenAM Authorization",
                      "type": "PolicyEnforcementFilter",
                      "config": {
                        "openamUrl": "https://openam.starkindustries.com:7773/openam/",
                        "pepUsername": "ak.tokas",
                        "pepPassword": "password",
                        "realm": "Marvel",
                        "application": "OPENIG",
                        "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}"
                      },
                      "capture": "all"
                    },
                    {
                      "type": "PolicyEnforcementFilter",
                      "config": {
                        "openamUrl": "https://openam.starkindustries.com:7773/openam/",
                        "pepUsername": "ak.tokas",
                        "pepPassword": "password",
                        "realm": "Marvel",
                        "application": "OPENIG",
                        "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}",
                        "target": "${attributes.currentPolicy.attributes}"
                      }
                    },
                    "request": {
                      "method": "POST",
                      "uri": "http://marvelstudios.starkindustries.com:8081",
                      "form": {
                        "username": [
                          "${attributes.currentPolicy.attributes.mail}"
                        ],
                        "password": [
                          "${attributes.currentPolicy.attributes.employeeNumber}"
                        ]
                      }
                    }
                    }
                    }
                  ],
                  "handler": "ClientHandler"
                }
              }
            }
          ]
        }
      },
      "condition": "${matches(request.uri.path, '^/pep')}"
    }

    #18782
     ak.tokas
    Participant

    Updated routes file:

    {
      "baseURI": "http://marvelstudios.starkindustries.com:8081/",
      "handler": {
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "comment": "Redirect to OpenAM authentication",
              "name": "OpenAM Authentication",
              "condition": "${request.cookies['iPlanetDirectoryPro'] == null}",
              "handler": {
                "type": "StaticResponseHandler",
                "config": {
                  "status": 302,
                  "reason": "Found",
                  "headers": {
                    "Location": [
                      "https://openam.starkindustries.com:7773/openam/XUI/#login/marvel/&goto=${urlEncodeQueryParameterNameOrValue(contexts.router.originalUri)}"
                    ]
                  },
                  "entity": "Redirecting to OpenAM for authentication..."
                },
                "capture": "all"
              }
            },
            {
              "comment": "OpenAM Authorization chain for policy validation and attributes retrieval",
              "name": "OpenAM Authorization Chain",
              "condition": "${request.cookies['iPlanetDirectoryPro'] != null}",
              "handler": {
                "type": "Chain",
                "config": {
                  "filters": [
                    {
                      "comment": "OpenAM Authorization check filter",
                      "name": "OpenAM Authorization",
                      "type": "PolicyEnforcementFilter",
                      "config": {
                        "openamUrl": "https://openam.starkindustries.com:7773/openam/",
                        "pepUsername": "ak.tokas",
                        "pepPassword": "password",
                        "realm": "Marvel",
                        "application": "OPENIG",
                        "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}"
                      },
                      "capture": "all"
                    },
                    {
                      "type": "PasswordReplayFilter",
                      "config": {
                        "loginPage": "${true}",
                        "credentials": {
                          "type": "PolicyEnforcementFilter",
                          "config": {
                            "openamUrl": "https://openam.starkindustries.com:7773/openam/",
                            "pepUsername": "ak.tokas",
                            "pepPassword": "password",
                            "realm": "Marvel",
                            "application": "OPENIG",
                            "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}",
                            "target": "${attributes.currentPolicy.attributes}"
                          }
                        },
                        "request": {
                          "method": "POST",
                          "uri": "http://marvelstudios.starkindustries.com:8081",
                          "form": {
                            "username": [
                              "${attributes.currentPolicy.attributes.mail}"
                            ],
                            "password": [
                              "${attributes.currentPolicy.attributes.employeeNumber}"
                            ]
                          }
                        }
                      }
                    }
                  ],
                  "handler": "ClientHandler"
                }
              }
            }
          ]
        }
      },
      "condition": "${matches(request.uri.path, '^/pep')}"
    }
