How to use our own login page instead of OpenAM default login page?


This topic has 35 replies, 9 voices, and was last updated 4 years, 8 months ago by [email protected].

  • #9974
     BhanuKiran
    Participant

    @Rondini,

    I am also working on the same type of POC using the OpenAM RESTful service.

    1. In the 'source application', the custom login user was authenticated using an OpenAM REST call. In the response we get the token Id and success URL, after which custom code should set the iPlanetDirectoryPro cookie in the browser.

    2. Now, if the user needs to do SSO to another agent, which REST API should we call? Do we need to add the Agent Filter in the web.xml of the agent application if we are using the RESTful service?

    Please let us know the procedure.

    Thanks,
    Bhanu

    #9990
     Rogerio Rondini
    Participant

    Hi @BhanuKiran,

    To set the cookie you should do something like the following snippet of code:

    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletResponse;

    // ssotokenid is the tokenId returned by /json/authenticate; response is the servlet's HttpServletResponse
    Cookie cookie = new Cookie("iPlanetDirectoryPro", ssotokenid);
    cookie.setDomain(".example.com"); // must match the cookie domain configured in OpenAM
    cookie.setPath("/");
    // in a real deployment also mark the session cookie Secure and HttpOnly, as OpenAM does for its own cookie
    response.addCookie(cookie);

    It is important to note that the setDomain above is an example. You will need to use the right domain for your deployment.

    About the second question, if you just have an Agent installed to protect another application you should add the Agent Filter in that application. Once you have been authenticated and the cookie has been added in the browser, the Agent Filter will retrieve the cookie and will not ask for authentication again.

    At
    Rogerio Rondini

    #10000
     BhanuKiran
    Participant

    Thanks @Rogerio Rondini

    #12337
     Exploring_Singh
    Participant

    Hi All,
    I am new to ForgeRock and facing one problem in authentication. When hitting http://localhost:8080/openam/json/authenticate using Postman, it returns me the token id and success URL:
    {
      "tokenId": "AQIC5wM2LY4Sfcylxw9On_6SjJKF8j82g-TfLos2HEaf-Q4.*AAJTSQACMDEAAlNLABMxNTEyODI0Mzg3MDQ5MjI4NTYyAAJTMQAA*",
      "successUrl": "/openam/console"
    }
    But when I consume this REST API through Java code, I get an auth id as:
    {
      "authId": "eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAib3RrIjogImNlYXI5Y2Q3a2ptdWIyczgyajU2NDFiMDEzIiwgInJlYWxtIjogImRjPW9wZW5hbSxkYz1mb3JnZXJvY2ssZGM9b3JnIiwgInNlc3Npb25JZCI6ICJBUUlDNXdNMkxZNFNmY3owazFfRjZQcl94enk4cjJTNVFQN290LUxqU19RWWdRQS4qQUFKVFNRQUNNREVBQWxOTEFCUXROamN6TmpRNE1EYzVNalF4T0RVNU1UVXpNZ0FDVXpFQUFBLi4qIiB9.ZqD3bOuEpjAfKfqi4UcojqZClrMaFrHlV4w8bKBmeCE",
      "template": "",
      "stage": "DataStore1",
      "header": "Sign in to OpenAM",
      "callbacks": [
        {"type": "NameCallback", "output": [{"name": "prompt", "value": "User Name:"}], "input": [{"name": "IDToken1", "value": ""}]},
        {"type": "PasswordCallback", "output": [{"name": "prompt", "value": "Password:"}], "input": [{"name": "IDToken2", "value": ""}]}
      ]
    }

    Why am I not able to authenticate the user through my web application? I need help please…

    #12338
     Rogerio Rondini
    Participant

    Hi @jang2212,

    Please, take a look at this document https://backstage.forgerock.com/#!/docs/openam/12.0.0/dev-guide#rest-api-auth.

    Basically, you can use the "zero page login" by passing the username and password in the headers like the sample below, which works only for the username/password auth method…

    $ curl \
     --request POST \
     --header "X-OpenAM-Username: demo" \
     --header "X-OpenAM-Password: changeit" \
     --header "Content-Type: application/json" \
     --data "{}" \
     https://openam.example.com:8443/openam/json/authenticate
    { "tokenId": "AQIC5w...NTcy*", "successUrl": "/openam/console" }

    Or the second, more flexible way, which works in 2 steps: the first step returns the required callbacks; in the second step you send back the callbacks from the first step and REST returns the tokenId.

    Abs,
    Rogerio.

    #12340
     Exploring_Singh
    Participant

    Thanks Rogerio, but I am calling the exposed REST API from my Java code like below:

    import com.sun.jersey.api.client.Client;          // Jersey 1.x client API (assumed from Client.create())
    import com.sun.jersey.api.client.ClientResponse;
    import com.sun.jersey.api.client.WebResource;
    import sun.misc.BASE64Encoder;
    // JSONObject comes from the JSON library used in the project (not named in the post)

    JSONObject object = new JSONObject();   // header values collected in a JSON object
    object.put("X-OpenAM-Username", userName);
    object.put("X-OpenAM-Password", password);
    String auth = "amadmin:[email protected]";
    String authStringEnc = new BASE64Encoder().encode(auth.getBytes());
    System.out.println("Base64 encoded auth string: " + authStringEnc);
    object.put("Content-Type", "application/json");
    object.put("Authorization", authStringEnc);
    // username and password appended to the query string of the authenticate endpoint
    String url = "http://localhost:8080/openam/json/authenticate?X-OpenAM-Username=" + userName + "&X-OpenAM-Password=" + password + "&Content-Type=application/json";
    System.out.println("URL=>" + url);
    Client client = Client.create();

    WebResource webResource = client.resource(url);

    ClientResponse response = webResource.post(ClientResponse.class);   // POST with no body and no custom headers
    System.out.println(response.getEntity(String.class));

    But this is not returning me the token id but this:
    {
      "authId": "eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAib3RrIjogIm9xNXJ1NTJyOHE1NDlhYWJraHV1NGR2ajg4IiwgInJlYWxtIjogImRjPW9wZW5hbSxkYz1mb3JnZXJvY2ssZGM9b3JnIiwgInNlc3Npb25JZCI6ICJBUUlDNXdNMkxZNFNmY3hyWm5uV20yY0l4cEluQjJraGtTUWxVb0loNXBKbm1Xby4qQUFKVFNRQUNNREVBQWxOTEFCUXROemsxTWpJNE1UTXpPVFF4T0RVeU9ERTVNZ0FDVXpFQUFBLi4qIiB9.9g8_J0FZ3rLhS9m6hDj1lLU1Z0ogTYR6VouCb_fK2WQ",
      "template": "",
      "stage": "DataStore1",
      "header": "Sign in to OpenAM",
      "callbacks": [
        {"type": "NameCallback", "output": [{"name": "prompt", "value": "User Name:"}], "input": [{"name": "IDToken1", "value": ""}]},
        {"type": "PasswordCallback", "output": [{"name": "prompt", "value": "Password:"}], "input": [{"name": "IDToken2", "value": ""}]}
      ]
    }

    #12341
     Rogerio Rondini
    Participant

    So,

    I don't know what REST/JSON framework you are using, but in a quick look at your code above I found a strange thing…

    You have created a JSONObject with some header fields, but it is not being used anywhere else. And the URL used to build the WebResource object is sending the parameters "X-OpenAM-Username" and "X-OpenAM-Password" in the query string, which probably is not being recognized by the REST endpoint.

    I think you need to review how your REST/JSON client framework works.

    Abs,
    Rogerio.
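A Java client that does both of the flows Rogerio describes and avoids the query-string mistake diagnosed above, as an added example that is not code from the thread or from ForgeRock: zeroPageLogin sends the credentials as real HTTP headers, callbackLogin walks the two-step callback exchange that Exploring_Singh's client was receiving. It assumes org.json on the classpath and the localhost OpenAM URL quoted in the thread; the class and method names are my own.

```java
import java.io.*;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import org.json.JSONArray;
import org.json.JSONObject;

// Added example, not code from the thread. Assumes org.json on the classpath and an
// OpenAM 12/13 instance behind AUTH_URL (the localhost URL from the thread); use HTTPS in a real deployment.
public class OpenAmRestLogin {
    static final String AUTH_URL = "http://localhost:8080/openam/json/authenticate";
    /** POST a JSON body with real HTTP headers (not query parameters) and parse the JSON reply. */
    static JSONObject postJson(String body, String[][] headers) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(AUTH_URL).openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/json");
        for (String[] h : headers) c.setRequestProperty(h[0], h[1]);
        try (OutputStream os = c.getOutputStream()) { os.write(body.getBytes(StandardCharsets.UTF_8)); }
        // OpenAM answers a failed login with 401 plus a JSON body, so read the error stream in that case
        InputStream in = c.getResponseCode() < 400 ? c.getInputStream() : c.getErrorStream();
        StringBuilder sb = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
            for (String line; (line = r.readLine()) != null; ) sb.append(line);
        }
        return new JSONObject(sb.toString());
    }

    /** Zero page login: the credentials travel in X-OpenAM-* headers, as in Rogerio's curl sample. */
    static String zeroPageLogin(String user, String pass) throws IOException {
        JSONObject resp = postJson("{}", new String[][] {{"X-OpenAM-Username", user}, {"X-OpenAM-Password", pass}});
        if (!resp.has("tokenId")) throw new IOException("login failed: " + resp);
        return resp.getString("tokenId");
    }

    /** Two-step login: step 1 returns the callbacks (the authId reply in the thread), step 2 sends them filled in. */
    static String callbackLogin(String user, String pass) throws IOException {
        JSONObject step1 = postJson("{}", new String[0][]);
        JSONArray callbacks = step1.getJSONArray("callbacks");
        for (int i = 0; i < callbacks.length(); i++) {
            JSONObject cb = callbacks.getJSONObject(i);
            JSONObject input = cb.getJSONArray("input").getJSONObject(0); // IDToken1 or IDToken2
            if ("NameCallback".equals(cb.getString("type"))) input.put("value", user);
            else if ("PasswordCallback".equals(cb.getString("type"))) input.put("value", pass);
        }
        JSONObject step2 = postJson(step1.toString(), new String[0][]); // authId and stage are echoed back
        if (!step2.has("tokenId")) throw new IOException("login failed: " + step2);
        return step2.getString("tokenId");
    }
}
```

Either method returns the tokenId that the servlet code earlier in the thread writes into the iPlanetDirectoryPro cookie.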

    #12393
     Exploring_Singh
    Participant

    Thanks Rogerio. I have another doubt and I think I will get some answers from you on this.

    I am performing authentication using OpenAM and now need to perform role-based authorisation also, i.e. the admin role can view a few extra pages compared to normal users. Is this possible with OpenAM? I tried following many documents but I was not successful in following any of them. Is there any documentation/video available for OpenAM authorisation?

    Regards
    Jang

    #12395
     Rogerio Rondini
    Participant

    Hi @jang2212

    Yes… That is the reason you deploy an Access Manager product :-)…

    So.. I don't know if you have looked at the OpenAM documentation, but in the following link you will find a complete explanation of OpenAM Authorization: https://backstage.forgerock.com/#!/docs/openam/13/admin-guide#chap-authz-policy.

    Policy is the way to drive authorization for web resources, i.e. URLs. Thinking of a scenario where you have "http://app.example.com/myapp/page1.html" and "http://app.example.com/myapp/page2.html", and all users can access page1.html but only Admins can access page2.html, you can create 2 policies in OpenAM: the first policy protecting "http://app.example.com/myapp/page1.html" assigned to "All authenticated Users" for actions "GET/POST"; another policy protecting "http://app.example.com/myapp/page2.html" assigned only to administrators for actions "GET/POST".

    If you have deployed the Policy Agent in your application, the Agent Filter will evaluate and grant or deny access according to the authenticated user.
    If you plan to do it by yourself without the policy agent, you can call the Authorization REST endpoints from your application. In the following link you will find a complete explanation of the Authz REST API: https://backstage.forgerock.com/#!/docs/openam/13/dev-guide#sec-rest-authz-policy.

    Abs,
    Rogerio.

    #12408
     Exploring_Singh
    Participant

    Thanks Rogerio for stopping by. Okay, that helps, but how do I configure role types with OpenAM? I am facing a problem in configuring subjects while creating a policy. While creating a policy which will be allowed only for admin, what is to be selected in subject? I select Users & Group, and in the next drop-down, i.e. Users Subject, it gives me the list of all users in the DB. What do I have to select there? What is to be selected in Group Subject?

    #12410
     Rogerio Rondini
    Participant

    So, you can use Users OR Groups, not both. If you have only one admin user or a very small number of admins you can select these in the Users field. But the best practice is to add the users to an AdminGroup (the name is a suggestion) and in the Groups field just select "AdminGroup".

    It is important that your OpenAM configuration is able to read users and groups from your LDAP database.

    #12411
     Exploring_Singh
    Participant

    I am using OpenAM 13.0, and the option here is User & Group in the type tab.
    The second tab is User Subject, which is populating a list of all users available in the DB.
    The third is Group Subject, which is editable, and whatever I write in it, it does not accept it.

    I am using JDBC, not LDAP.
    The table schema for auth users is:
    mysql> desc auth_users;
    +------------------------------------------------+-------------+------+-----+---------+-------+
    | Field                                          | Type        | Null | Key | Default | Extra |
    +------------------------------------------------+-------------+------+-----+---------+-------+
    | uid                                            | varchar(50) | YES  |     | NULL    |       |
    | cn                                             | varchar(50) | YES  |     | NULL    |       |
    | inetuserstatus                                 | varchar(20) | YES  |     | NULL    |       |
    | userpassword                                   | varchar(50) | YES  |     | NULL    |       |
    | ChangePassword                                 | varchar(50) | YES  |     | NULL    |       |
    | mail                                           | varchar(50) | YES  |     | NULL    |       |
    | sunIdentityMSISDNNumber                        | varchar(50) | YES  |     | NULL    |       |
    | sn                                             | varchar(50) | YES  |     | NULL    |       |
    | manager                                        | varchar(50) | YES  |     | NULL    |       |
    | preferredlocale                                | varchar(10) | YES  |     | NULL    |       |
    | iplanet_am_user_password_reset_force_reset     | varchar(50) | YES  |     | NULL    |       |
    | givenname                                      | varchar(50) | YES  |     | NULL    |       |
    | iplanet_am_user_alias_list                     | varchar(50) | YES  |     | NULL    |       |
    | iplanet_am_user_account_life                   | varchar(50) | YES  |     | NULL    |       |
    | telephonenumber                                | varchar(50) | YES  |     | NULL    |       |
    | employeenumber                                 | varchar(50) | YES  |     | NULL    |       |
    | iplanet_am_user_auth_config                    | varchar(50) | YES  |     | NULL    |       |
    | postaladdress                                  | varchar(50) | YES  |     | NULL    |       |
    | iplanet_am_user_password_resetoptions          | varchar(50) | YES  |     | NULL    |       |
    | iplanet_am_user_password_reset_question_answer | varchar(50) | YES  |     | NULL    |       |
    | iplanet_am_user_success_url                    | varchar(50) | YES  |     | NULL    |       |
    | iplanet_am_user_failure_url                    | varchar(50) | YES  |     | NULL    |       |
    +------------------------------------------------+-------------+------+-----+---------+-------+

    #12413
     Rogerio Rondini
    Participant

    Humm..

    So… You can't edit the Group Subject field because it will accept only values from the DB.

    A database table is not a good option as a DataStore, but you can still have a User table and a Group table with a one-to-many relationship between them. In the "Database Repository (Early Access)" data store type configuration you will find "Database User Table name" and "Database Membership table name". You need to configure both and all the relationship fields so that OpenAM can read users from the User table and groups from the group table and identify the users in a group.

    #12414
     Exploring_Singh
    Participant

    Is there any script available for both tables? I have been kind of stuck on this for two days. Maybe the table create script can do the magic, or you can help me on Skype.

    #12420
     Rogerio Rondini
    Participant

    @jang2212,

    I think there isn't a script for that. Actually, I've never used a DB table before.

    I can try to test it, but it will take some time, as I'm busy right now.

Viewing 15 posts - 16 through 30 (of 36 total)
