This topic has 35 replies, 9 voices, and was last updated 5 years, 3 months ago by [email protected].
August 3, 2016 at 8:36 pm #12422
Exploring_Singh
Participant
Okay @rarondini. I am asking the same because I tried it myself many times but still I am not able to configure the policy. And being stuck on the same issue for two days can make you restless and crazy. Maybe I am sounding like a kid, but I need supervision on what I am doing wrong, or a demo video of authorization; that would be a great help.
August 3, 2016 at 8:49 pm #12423
Rogerio Rondini
Participant
Are you able to use OpenDJ as the identity store instead of a DB table?
If so, you will not need to take care of the datastore group configuration, so it is pretty easy. Using the OpenAM end-user page itself you will be able to create groups and assign users to a group. After that you will see, in the Policy Configuration page under the Subject Group field, all the groups that you have created.
I think it would be better for a test and for understanding how things work. After working with OpenDJ you can try going back to the DB datastore and figure out the group configuration.
Just a suggestion.
August 4, 2016 at 2:21 pm #12437
Exploring_Singh
Participant
@rarondini. By God's grace I am able to make the policy and map resources to the policy using my MySQL DB.
But now I am facing a problem in hitting the REST API. The version of OpenAM I am using is 13.0. On hitting the REST API
openam/identity/authorize?uri=http://localhost:8085/ForgeRockSample/home/jang/jang&action=GET&subjectid=AQIC5wM2LY4Sfcxq_F_hUGnRU56FajQEoCgQYf_TiK5vDEE.*AAJTSQACMDEAAlNLABQtMjc4ODk1MzU1NTAxMjk2NDkwMgACUzEAAA..*
the result is: exception.name=java.lang.UnsupportedOperationException AUTHORIZE
Still I am getting the same result: java.lang.UnsupportedOperationException AUTHORIZE
What is the correct way to check authorisation in OpenAM using the REST API?
August 4, 2016 at 2:47 pm #12442
Brad Tumy
Participant
Jan2212,
You are using the older API … I don’t know if it’s been deprecated. See the current documentation for more information on using the current API:
https://backstage.forgerock.com/#!/docs/openam/13/dev-guide#rest-api-authz-policy-decisions
Here is the example curl statement from the docs:
$ curl \
  --request POST \
  --header "iPlanetDirectoryPro: AQIC5..." \
  --header "Content-Type: application/json" \
  --data '{
    "resources": [
      "http://www.example.com/index.html",
      "http://www.example.com/do?action=run"
    ],
    "application": "iPlanetAMWebAgentService"
  }' \
  https://openam.example.com:8443/openam/json/policies?_action=evaluate
[
  {
    "resource": "http://www.example.com/do?action=run",
    "actions": {},
    "attributes": {},
    "advices": {
      "AuthLevelConditionAdvice": ["3"]
    }
  },
  {
    "resource": "http://www.example.com/index.html",
    "actions": {
      "POST": false,
      "GET": true
    },
    "attributes": {
      "cn": ["demo"]
    },
    "advices": {}
  }
]
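As an added example (not from this thread or from ForgeRock's docs), a small Python client for the evaluate call quoted above: it assembles the request with the session token in the iPlanetDirectoryPro header rather than in the query string, and turns the decision array into a default-deny lookup. The host, the token and the application name are placeholders taken from the docs excerpt; the sample response is the one shown above, embedded so the parser can be run offline.

```python
import json
from typing import Any, Dict, List

# Assumed placeholder host; the token passed in is never a real one here.
OPENAM_BASE = "https://openam.example.com:8443/openam"
EVALUATE_URL = OPENAM_BASE + "/json/policies?_action=evaluate"


def build_evaluate_request(sso_token: str, resources: List[str],
                           application: str = "iPlanetAMWebAgentService") -> Dict[str, Any]:
    """Describe the POST the docs example makes. The session token travels in
    the iPlanetDirectoryPro header, not as a subjectid query parameter as in
    the legacy /identity/authorize call, so it is less likely to land in logs."""
    return {
        "method": "POST",
        "url": EVALUATE_URL,
        "headers": {"iPlanetDirectoryPro": sso_token,
                    "Content-Type": "application/json"},
        "body": {"resources": resources, "application": application},
    }


def parse_decisions(response: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Map each resource to its allowed/denied actions plus advices/attributes.
    An entry with empty actions and a non-empty advices map is not a grant:
    OpenAM is saying a policy condition (here an auth level) is unmet."""
    decisions: Dict[str, Dict[str, Any]] = {}
    for entry in response:
        actions = entry.get("actions", {})
        decisions[entry["resource"]] = {
            "allowed": sorted(a for a, ok in actions.items() if ok),
            "denied": sorted(a for a, ok in actions.items() if not ok),
            "advices": entry.get("advices", {}),
            "attributes": entry.get("attributes", {}),
        }
    return decisions


def is_allowed(decisions: Dict[str, Dict[str, Any]], resource: str, action: str) -> bool:
    """Default-deny: unknown resource, missing action or advice-only entry -> False."""
    entry = decisions.get(resource)
    return entry is not None and action in entry["allowed"]


# Constructed sample: the response body quoted from the docs example above.
SAMPLE_RESPONSE = json.loads("""[
 {"resource": "http://www.example.com/do?action=run", "actions": {},
  "attributes": {}, "advices": {"AuthLevelConditionAdvice": ["3"]}},
 {"resource": "http://www.example.com/index.html",
  "actions": {"POST": false, "GET": true},
  "attributes": {"cn": ["demo"]}, "advices": {}}
]""")
```

Feed the dict from build_evaluate_request to whatever HTTP client you use, then pass the decoded JSON array to parse_decisions; an enforcement point should act on the advices (re-authenticate to the required level) rather than treating an empty actions map as "allowed".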
October 19, 2016 at 1:57 pm #13786
[email protected]
Participant
I am trying to use my own login page instead of the OpenAM default page using the Facebook module. So far I am able to do the following:
1. I have successfully POSTed to: http://openam.mydomain.com:8080/openam/json/authenticate?authIndexType=module&authIndexValue=FacebookSocialAuthentication
In my response I get authId, NTID in the response cookie and redirectURL.
2. I did a GET on my redirectURL and successfully obtained code and state from Facebook.
3. This is where my problem begins. Now I am trying to POST to http://openam.mydomain.com:8080/openam/json/authenticate?authIndexType=module&authIndexValue=FacebookSocialAuthentication again with my NTID and authId in the cookie and the JSON object below:
{
  "authIndexType": "service",
  "authIndexValue": "linkedinchain",
  "code": "AQQGJyMx3EScnpcpumrQodtiRJ95UkrGPCjIlwfyfTYfCDv_nm9VoehrLRW3lsTM1b4O3Nd-5LFaOu9QZOx3h2uzu-9J6wWg3tBdNyU0uFrXgoz0Epk",
  "realm": "/",
  "state": "lmizhlpxu8qj8wif0veiqxc2x1uc2cg"
}
This returns me a 401 Unauthorized error.
How do I send my last POST call to get the token ID, or am I missing anything? Please help.
Thanks
Priya Jain
March 14, 2017 at 9:36 pm #16269
[email protected]
Participant
Hi Rondini,
In your post about a custom login site in a SAML2 flow…
You just need to remember to setup the right cookie (iPlanetDirectoryPro) and redirect to IDP end point like “../openam/SSOPOST/metaAlias/idp” or “../open/SSORedirect/metaAlias/idp” after authentication, and leave the rest of the service to OpenAM.
Are you suggesting that we have the SP first redirect the user to our custom login page to authenticate? If so, do we first need to capture the SAML2.0 parameters in the post body like ‘RelayState’ and ‘SAMLRequest’? I assume we do, so that we can later replay them to /openam/SSOPOST/metaAlias/idp after successful authentication. The custom login site would temporarily store these in session state. Does this sound right? In a sense, we’re asking the user to log into our custom page, independent of the SAML2.0 process, and then we resume the SAML2 handshake after successful authentication. Does this sound right?
I’m also trying to figure out what happens if we still have the iPlanetDirectoryPro cookie in the browser when they visit the custom login site. Should we attempt to validate that first in order to avoid an unnecessary authentication? Does the /openam/SSOPOST/metaAlias/idp endpoint do anything with that session cookie? Any guidance is appreciated.