This topic has 35 replies, 9 voices, and was last updated 5 years, 3 months ago by [email protected].
April 20, 2016 at 11:48 pm #9974
BhanuKiran
Participant
@Rondini,
I am also working on the same type of POC using the OpenAM RESTful service.
1. In the 'source application', the custom login authenticates the user using an OpenAM REST call. In the response we get the token ID and success URL, after which custom code should set the iPlanetDirectoryPro cookie in the browser.
2. Now, if the user needs to do SSO to another agent, which REST API should we call? Do we need to add the Agent Filter in the web.xml of the agent application if we are using the RESTful service?
Please let us know the procedure.
Thanks,
Bhanu

April 21, 2016 at 2:34 pm #9990
Rogerio Rondini
Participant
Hi @BhanuKiran,
To set the cookie you should do something like the following snippet of code:

// ssotokenid is the tokenId returned by /json/authenticate; response is the HttpServletResponse
Cookie cookie = new Cookie("iPlanetDirectoryPro", ssotokenid);
cookie.setDomain(".example.com"); // replace with the cookie domain of your deployment
cookie.setPath("/");
// cookie.setSecure(true) and cookie.setHttpOnly(true) (Servlet 3.0+) keep the session token off plain HTTP and away from script
response.addCookie(cookie);

It is important to note that the setDomain above is an example. You will need to use the right domain for your deployment.
About the second question: if you just have an Agent installed to protect another application, you should add the Agent Filter in that application. Once you have been authenticated and the cookie has been added in the browser, the Agent Filter will retrieve the cookie and will not ask for authentication again.
At
Rogerio Rondini

April 21, 2016 at 10:47 pm #10000
BhanuKiran
Participant
Thanks @Rogerio Rondini
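An added example, not code from this thread or from ForgeRock: a Python client for the two ways of driving /json/authenticate that Rogerio describes further down (zero page login with the credentials in headers, and the two-step callback exchange), run against a constructed stand-in for OpenAM so it works offline. It also builds the Set-Cookie value for step 1 of BhanuKiran's flow, and reproduces what happens when the credentials are put in the query string instead of the headers. The demo account, the token, the authId and the stand-in's behaviour are assumptions; a real OpenAM issues a signed JWT as authId and an opaque session token as tokenId. Zero page login sends the password in clear in a header, so it is only usable over TLS.

```python
"""Client for OpenAM's /json/authenticate, run against a constructed stand-in server.
The stand-in, the demo account, the token and the authId are all assumptions."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

AUTH_PATH = "/openam/json/authenticate"
DEMO_USERS = {"demo": "changeit"}            # constructed test account
DEMO_TOKEN = "AQIC5w...NTcy*"               # constructed; a real tokenId is opaque
DEMO_AUTH_ID = "eyJhbGciOiJIUzI1NiJ9.fake"  # constructed; a real authId is a signed JWT


def callback_prompt():
    """Step 1 of the callback flow: what the server returns for an empty POST."""
    return {"authId": DEMO_AUTH_ID, "template": "", "stage": "DataStore1",
            "header": "Sign in to OpenAM", "callbacks": [
                {"type": "NameCallback", "output": [{"name": "prompt", "value": "User Name:"}],
                 "input": [{"name": "IDToken1", "value": ""}]},
                {"type": "PasswordCallback", "output": [{"name": "prompt", "value": "Password:"}],
                 "input": [{"name": "IDToken2", "value": ""}]}]}


class FakeOpenAM(BaseHTTPRequestHandler):
    """Stand-in: accepts zero page login headers or filled-in callbacks, nothing else."""
    def log_message(self, *args):
        pass

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _finish(self, user, password):
        if user is not None and DEMO_USERS.get(user) == password:
            self._send(200, {"tokenId": DEMO_TOKEN, "successUrl": "/openam/console"})
        else:
            self._send(401, {"code": 401, "reason": "Unauthorized", "message": "Authentication Failed"})

    def do_POST(self):
        # The query string is never consulted: credentials put there are simply ignored,
        # so such a request falls through to step 1 and gets the callbacks back.
        if self.path.split("?", 1)[0] != AUTH_PATH:
            return self._send(404, {"message": "Not Found"})
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        user = self.headers.get("X-OpenAM-Username")
        if user is not None:                       # zero page login: one round trip
            return self._finish(user, self.headers.get("X-OpenAM-Password"))
        if "authId" not in body:                   # callback flow, step 1
            return self._send(200, callback_prompt())
        if body["authId"] != DEMO_AUTH_ID:         # callback flow, step 2
            return self._send(401, {"code": 401, "message": "Authentication Failed"})
        given = {i["name"]: i["value"] for cb in body["callbacks"] for i in cb["input"]}
        return self._finish(given.get("IDToken1"), given.get("IDToken2"))


OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars

def post_json(url, body, headers=None):
    """POST a JSON body; returns (status, parsed body) and does not raise on 4xx."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json", **(headers or {})})
    try:
        with OPENER.open(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def login_zero_page(base, username, password):
    """Credentials in headers, empty JSON body. The password travels in clear: TLS only."""
    status, body = post_json(base + AUTH_PATH, {},
                             {"X-OpenAM-Username": username, "X-OpenAM-Password": password})
    return body.get("tokenId") if status == 200 else None

def login_callbacks(base, username, password):
    """Fetch the callbacks, fill IDToken1/IDToken2, post them back together with authId."""
    status, prompt = post_json(base + AUTH_PATH, {})
    if status != 200 or "callbacks" not in prompt:
        return None
    for cb in prompt["callbacks"]:
        if cb["type"] == "NameCallback":
            cb["input"][0]["value"] = username
        elif cb["type"] == "PasswordCallback":
            cb["input"][0]["value"] = password
    status, body = post_json(base + AUTH_PATH, prompt)
    return body.get("tokenId") if status == 200 else None

def login_query_string(base, username, password):
    """The thread's mistake reproduced: credentials in the URL are not read by the endpoint."""
    url = f"{base}{AUTH_PATH}?X-OpenAM-Username={username}&X-OpenAM-Password={password}"
    return post_json(url, {})[1]

def session_cookie(token, domain):
    """Set-Cookie value for the SSO token; Secure and HttpOnly are additions the thread omits."""
    return f"iPlanetDirectoryPro={token}; Domain={domain}; Path=/; Secure; HttpOnly"

def demo():
    """Run every flow against a throwaway stand-in on a random port and return the outcomes."""
    server = HTTPServer(("127.0.0.1", 0), FakeOpenAM)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {"zero_page": login_zero_page(base, "demo", "changeit"),
                "callbacks": login_callbacks(base, "demo", "changeit"),
                "bad_password": login_callbacks(base, "demo", "wrong"),
                "query_string": login_query_string(base, "demo", "changeit")}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    results = demo()
    print(json.dumps(results, indent=2))
    print(session_cookie(results["zero_page"], ".example.com"))
```

Running it prints a tokenId for the two correct flows, None for the wrong password, and, for the query-string variant, the same callbacks response Exploring_Singh pastes later in the thread, because the endpoint never looks at the URL for credentials.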
August 1, 2016 at 12:03 pm #12337
Exploring_Singh
Participant
Hi All,
I am new to ForgeRock and facing one problem in authentication. When hitting http://localhost:8080/openam/json/authenticate using Postman, it returns me the token ID and success URL:
{
"tokenId": "AQIC5wM2LY4Sfcylxw9On_6SjJKF8j82g-TfLos2HEaf-Q4.*AAJTSQACMDEAAlNLABMxNTEyODI0Mzg3MDQ5MjI4NTYyAAJTMQAA*",
"successUrl": "/openam/console"
}
But when I consume this REST API through Java code, I get the auth ID as:
{
  "authId": "eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAib3RrIjogImNlYXI5Y2Q3a2ptdWIyczgyajU2NDFiMDEzIiwgInJlYWxtIjogImRjPW9wZW5hbSxkYz1mb3JnZXJvY2ssZGM9b3JnIiwgInNlc3Npb25JZCI6ICJBUUlDNXdNMkxZNFNmY3owazFfRjZQcl94enk4cjJTNVFQN290LUxqU19RWWdRQS4qQUFKVFNRQUNNREVBQWxOTEFCUXROamN6TmpRNE1EYzVNalF4T0RVNU1UVXpNZ0FDVXpFQUFBLi4qIiB9.ZqD3bOuEpjAfKfqi4UcojqZClrMaFrHlV4w8bKBmeCE",
  "template": "",
  "stage": "DataStore1",
  "header": "Sign in to OpenAM",
  "callbacks": [
    {
      "type": "NameCallback",
      "output": [{"name": "prompt", "value": "User Name:"}],
      "input": [{"name": "IDToken1", "value": ""}]
    },
    {
      "type": "PasswordCallback",
      "output": [{"name": "prompt", "value": "Password:"}],
      "input": [{"name": "IDToken2", "value": ""}]
    }
  ]
}
Why am I not able to authenticate the user through my web application? I need help please...
August 1, 2016 at 12:36 pm #12338
Rogerio Rondini
Participant
Hi @jang2212,
Please take a look at this document: https://backstage.forgerock.com/#!/docs/openam/12.0.0/dev-guide#rest-api-auth.
Basically, you can use the "zero page login" by passing the username and password in the headers like the sample below, which works only for the username/password auth method:

$ curl \
  --request POST \
  --header "X-OpenAM-Username: demo" \
  --header "X-OpenAM-Password: changeit" \
  --header "Content-Type: application/json" \
  --data "{}" \
  https://openam.example.com:8443/openam/json/authenticate
{ "tokenId": "AQIC5w...NTcy*", "successUrl": "/openam/console" }

Or the second, more flexible way, which works in 2 steps: the first step returns the required callbacks; in the second step you send the callbacks from the first step and REST returns the tokenId.
Abs,
Rogerio.

August 1, 2016 at 1:04 pm #12340
Exploring_Singh
Participant
Thanks Rogerio, but I am calling the exposed REST API from my Java code like below:
JSONObject object = new JSONObject();
object.put("X-OpenAM-Username", userName);
object.put("X-OpenAM-Password", password);
String auth = "amadmin:[email protected]";
String authStringEnc = new BASE64Encoder().encode(auth.getBytes());
System.out.println("Base64 encoded auth string: " + authStringEnc);
object.put("Content-Type", "application/json");
object.put("Authorization", authStringEnc);
String url = "http://localhost:8080/openam/json/authenticate?X-OpenAM-Username=" + userName + "&X-OpenAM-Password=" + password + "&Content-Type=application/json";
System.out.println("URL=>" + url);
Client client = Client.create();
WebResource webResource = client.resource(url);
ClientResponse response = webResource.post(ClientResponse.class);
System.out.println(response.getEntity(String.class));

But this is not returning me the token ID but this:
{
  "authId": "eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAib3RrIjogIm9xNXJ1NTJyOHE1NDlhYWJraHV1NGR2ajg4IiwgInJlYWxtIjogImRjPW9wZW5hbSxkYz1mb3JnZXJvY2ssZGM9b3JnIiwgInNlc3Npb25JZCI6ICJBUUlDNXdNMkxZNFNmY3hyWm5uV20yY0l4cEluQjJraGtTUWxVb0loNXBKbm1Xby4qQUFKVFNRQUNNREVBQWxOTEFCUXROemsxTWpJNE1UTXpPVFF4T0RVeU9ERTVNZ0FDVXpFQUFBLi4qIiB9.9g8_J0FZ3rLhS9m6hDj1lLU1Z0ogTYR6VouCb_fK2WQ",
  "template": "",
  "stage": "DataStore1",
  "header": "Sign in to OpenAM",
  "callbacks": [
    {
      "type": "NameCallback",
      "output": [{"name": "prompt", "value": "User Name:"}],
      "input": [{"name": "IDToken1", "value": ""}]
    },
    {
      "type": "PasswordCallback",
      "output": [{"name": "prompt", "value": "Password:"}],
      "input": [{"name": "IDToken2", "value": ""}]
    }
  ]
}

August 1, 2016 at 1:20 pm #12341
Rogerio Rondini
Participant
So,
I don't know what REST/JSON framework you are using, but on a quick look at your code above I found a strange thing...
You have created a JSONObject with some header fields, but it is not being used anywhere else. And the URL used to build the WebResource object is sending the parameters "X-OpenAM-Username" and "X-OpenAM-Password" in the query string, which probably is not being recognized by the REST endpoint.
I think you need to review how your REST/JSON client framework works.
Abs,
Rogerio.

August 3, 2016 at 11:30 am #12393
Exploring_Singh
Participant
Thanks Rogerio. I have another doubt and I think I can get some answers from you on this.
I am performing authentication using OpenAM and now need to perform role-based authorisation also, i.e. the admin role can view a few extra pages compared to normal users. Is this possible with OpenAM? I tried following many documents but I was not successful in following any of them. Is there any documentation/video available for OpenAM authorisation?
Regards
Jang

August 3, 2016 at 1:34 pm #12395
Rogerio Rondini
Participant
Hi @jang2212
Yes… That is the reason you deploy an Access Manager product :-)…
So... I don't know if you have looked at the OpenAM documentation, but at the following link you will find a complete explanation of OpenAM Authorization: https://backstage.forgerock.com/#!/docs/openam/13/admin-guide#chap-authz-policy.
Policy is the way to drive authorization for web resources, i.e. URLs. Think of a scenario where you have "http://app.example.com/myapp/page1.html" and "http://app.example.com/myapp/page2.html", all users can access page1.html and only Admins can access page2.html. You can create 2 policies in OpenAM: the first policy protecting "http://app.example.com/myapp/page1.html", assigned to "All authenticated Users" for the actions "GET/POST"; another policy protecting "http://app.example.com/myapp/page2.html", assigned only to administrators for the actions "GET/POST".
If you have deployed a Policy Agent in your application, the Agent Filter will evaluate and grant or deny access according to the authenticated user.
If you plan to do it yourself without a policy agent, you can call the Authorization REST endpoints from your application. At the following link you will find a complete explanation of the Authz REST API: https://backstage.forgerock.com/#!/docs/openam/13/dev-guide#sec-rest-authz-policy.
Abs,
Rogerio.

August 3, 2016 at 4:03 pm #12408
Exploring_Singh
Participant
Thanks Rogerio for stopping by. Okay, that helps, but how do I configure role types with OpenAM? I am facing a problem in configuring subjects while creating a policy. While creating a policy which will be allowed only for admin, what is to be selected in Subject? I select Users & Group, and in the next drop-down, i.e. Users Subject, it's giving me the list of all users in the DB. What do I have to select there? What is to be selected in Group Subject?

August 3, 2016 at 4:12 pm #12410
Rogerio Rondini
Participant
So, you can use Users OR Groups, not both. If you have only one admin user or a very small number of admins you can select these in the Users field. But the best practice is to add the users to an AdminGroup (the name is a suggestion) and in the Groups field just select "AdminGroup".
It is important that your OpenAM configuration is able to read users and groups from your LDAP database.
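An added example, not code from this thread or from ForgeRock: the two-policy scenario from Rogerio's earlier reply (page1 for all authenticated users, page2 only for an admin group) worked through in Python, with the policy evaluation modelled in-process so it runs offline. The policies, the sessions, the simplified subject shape and the request/response layout are assumptions made for the example; the real evaluate endpoint and its subject types are described in the dev guide link above, and the console's subject is the "Users & Groups" one discussed in this reply. What the example shows is how a named-user subject and a group subject match, and why the calling application must treat a missing decision as deny.

```python
"""Policy decisions for the two-policy scenario, modelled in-process.
Policies, sessions and the subject shape are constructed for the example."""

PAGE1 = "http://app.example.com/myapp/page1.html"
PAGE2 = "http://app.example.com/myapp/page2.html"

# Constructed policies: page1 for any authenticated user, page2 for AdminGroup members only.
# The subject shape is a simplification of the console's "Users & Groups" subject.
POLICIES = [
    {"name": "page1-all-users", "resources": [PAGE1],
     "actions": {"GET": True, "POST": True}, "subject": {"type": "AuthenticatedUsers"}},
    {"name": "page2-admins", "resources": [PAGE2],
     "actions": {"GET": True, "POST": True},
     "subject": {"type": "UsersAndGroups", "users": [], "groups": ["AdminGroup"]}},
]

# Constructed identity store: what the data store resolves each SSO token to.
SESSIONS = {
    "AQIC...alice*": {"uid": "alice", "groups": ["AdminGroup"]},
    "AQIC...bob*": {"uid": "bob", "groups": []},
}


def subject_matches(subject, identity):
    """Users OR Groups: a named user matches directly, everyone else via group membership."""
    if identity is None:                      # no valid session: nothing matches
        return False
    if subject["type"] == "AuthenticatedUsers":
        return True
    if subject["type"] == "UsersAndGroups":
        return (identity["uid"] in subject["users"]
                or bool(set(identity["groups"]) & set(subject["groups"])))
    return False


def evaluate_request(sso_token, resources):
    """Body the application POSTs to /json/policies?_action=evaluate for the user's session."""
    return {"resources": resources, "application": "iPlanetAMWebAgentService",
            "subject": {"ssoToken": sso_token}}


def evaluate(request):
    """Server side, simplified: one decision per resource, actions taken from matching
    policies, with deny overriding allow when two policies disagree."""
    identity = SESSIONS.get(request["subject"]["ssoToken"])
    decisions = []
    for resource in request["resources"]:
        actions = {}
        for policy in POLICIES:
            if resource in policy["resources"] and subject_matches(policy["subject"], identity):
                for action, allowed in policy["actions"].items():
                    actions[action] = actions.get(action, True) and allowed
        decisions.append({"resource": resource, "actions": actions, "attributes": {}, "advices": {}})
    return decisions


def is_allowed(decisions, resource, action):
    """Client side, fail closed: a resource with no decision, or an action missing from the
    actions map, means no policy matched and must be treated as deny."""
    for decision in decisions:
        if decision["resource"] == resource:
            return decision["actions"].get(action, False)
    return False


def check(sso_token, resource, action="GET"):
    """One page request: evaluate both pages for the session, then answer for the one asked."""
    decisions = evaluate(evaluate_request(sso_token, [PAGE1, PAGE2]))
    return is_allowed(decisions, resource, action)


if __name__ == "__main__":
    for token, who in (("AQIC...alice*", "alice"), ("AQIC...bob*", "bob"), ("expired", "no session")):
        print(f"{who:>10}: page1={check(token, PAGE1)} page2={check(token, PAGE2)}")
```

The point to carry over to a real deployment is in is_allowed: the evaluate response lists only the actions some policy decided, so an empty actions map is not "allowed", and the application should deny unless it sees an explicit true.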
August 3, 2016 at 4:21 pm #12411
Exploring_Singh
Participant
I am using OpenAM 13.0, and the option here is User & Group in the Type tab.
The second tab is User Subject, which is populating a list of all users available in the DB.
The third is Group Subject, which is editable, and whatever I write in it, it is not accepting.
I am using JDBC, not LDAP.
The table schema for auth users is:
mysql> desc auth_users;
+------------------------------------------------+-------------+------+-----+---------+-------+
| Field                                          | Type        | Null | Key | Default | Extra |
+------------------------------------------------+-------------+------+-----+---------+-------+
| uid                                            | varchar(50) | YES  |     | NULL    |       |
| cn                                             | varchar(50) | YES  |     | NULL    |       |
| inetuserstatus                                 | varchar(20) | YES  |     | NULL    |       |
| userpassword                                   | varchar(50) | YES  |     | NULL    |       |
| ChangePassword                                 | varchar(50) | YES  |     | NULL    |       |
| mail                                           | varchar(50) | YES  |     | NULL    |       |
| sunIdentityMSISDNNumber                        | varchar(50) | YES  |     | NULL    |       |
| sn                                             | varchar(50) | YES  |     | NULL    |       |
| manager                                        | varchar(50) | YES  |     | NULL    |       |
| preferredlocale                                | varchar(10) | YES  |     | NULL    |       |
| iplanet_am_user_password_reset_force_reset     | varchar(50) | YES  |     | NULL    |       |
| givenname                                      | varchar(50) | YES  |     | NULL    |       |
| iplanet_am_user_alias_list                     | varchar(50) | YES  |     | NULL    |       |
| iplanet_am_user_account_life                   | varchar(50) | YES  |     | NULL    |       |
| telephonenumber                                | varchar(50) | YES  |     | NULL    |       |
| employeenumber                                 | varchar(50) | YES  |     | NULL    |       |
| iplanet_am_user_auth_config                    | varchar(50) | YES  |     | NULL    |       |
| postaladdress                                  | varchar(50) | YES  |     | NULL    |       |
| iplanet_am_user_password_resetoptions          | varchar(50) | YES  |     | NULL    |       |
| iplanet_am_user_password_reset_question_answer | varchar(50) | YES  |     | NULL    |       |
| iplanet_am_user_success_url                    | varchar(50) | YES  |     | NULL    |       |
| iplanet_am_user_failure_url                    | varchar(50) | YES  |     | NULL    |       |
+------------------------------------------------+-------------+------+-----+---------+-------+

August 3, 2016 at 4:32 pm #12413
Rogerio Rondini
Participant
Humm..
So... You can't edit the Group Subject field because it will accept only values from the DB.
A database table is not a good option for a DataStore, but you can still have a User table and a Group table with a one-to-many relationship between them. In the "Database Repository (Early Access)" data store type configuration you will find "Database User Table name" and "Database Membership table name". You need to configure both and all the relationship fields so that OpenAM can read users from the User table and groups from the group table, and identify the users in a group.

August 3, 2016 at 4:37 pm #12414
Exploring_Singh
Participant
Is there any script available for both the tables? I am kinda stuck on this for two days. Maybe the table create script can do the magic, or you can help me on Skype.
August 3, 2016 at 6:07 pm #12420
Rogerio Rondini
Participant
I think there isn't a script for that. Actually, I've never used a DB table before.
I can try to test it, but it will take some time as I'm busy right now.