March 8, 2018 at 11:43 am #21138
I am configuring yet another proof of concept to test IG as a PEP to protect an API.
I have set up everything according to the guide.
When I try to access my test API, I get redirected to the AM login page where after a successful login having obtained the cookie it goes into a loop once you are sent to the API page to get the content.
What could be causing this?
The policy agent is not installed on IG.
Thanks a lot in advance,
Bertalan

March 8, 2018 at 1:07 pm #21140 Joachim Andres, Participant
Both AM and IG need to be on the same cookie domain (e.g. am.example.com and ig.example.com). I suspect that AM does not set a domain cookie for example.com but a host cookie for am.example.com. In this case the cookie is never received by IG.
Setting by default a host-based cookie was a change of default behaviour in a recent AM release. AM used to set domain-based cookies.
To verify, with AM 5 and later console, navigate to: Configure > Global Services > Platform > Cookie Domains. Coming back to the example above, it should say example.com.
Also see: https://backstage.forgerock.com/knowledge/kb/article/a19829000#hostbased
One other thing, for API protection, you should look at the OAuth2ResourceServerFilter. Most of the time clients to APIs cannot “digest” re-directs and such and OAuth2 is often more appropriate.
Joachim

March 8, 2018 at 1:14 pm #21141
Thanks a lot Joachim, everything is now working as expected.
Also thanks for the advice about OAuth2.

March 8, 2018 at 2:05 pm #21143
One side effect, I can no longer log in to the OpenAM GUI.
Is it possible to recover from that without having to reinstall?

March 8, 2018 at 6:54 pm #21151 Joachim Andres, Participant
That should not be the case. IG and AM are well on the same domain? I suppose you have restarted the browser after making the change in AM.

March 8, 2018 at 6:59 pm #21152
Hi, thanks again.
Ended up rebuilding only to encounter the same problem.
I then restarted the browser.
Yes, they are on the same domain.
All is well now.
Thanks a lot once more.
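
The host cookie versus domain cookie distinction discussed earlier in this thread, as an added example that is not part of any post and not ForgeRock code: it applies the RFC 6265 Domain-attribute rules to show when a cookie set by am.example.com is sent to ig.example.com. The cookie name and value are constructed placeholders, and public-suffix checks and IP-address hosts are left out.

```python
from http.cookies import SimpleCookie

def domain_match(host, domain):
    """RFC 6265 section 5.1.3 for host names (IP addresses not handled)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def stored_scope(set_cookie, origin_host):
    """Return (domain, host_only) as a browser stores it, or None if rejected."""
    morsel = next(iter(SimpleCookie(set_cookie).values()))
    domain = morsel["domain"].lstrip(".")
    if not domain:
        return origin_host.lower(), True      # no Domain attribute: host-only cookie
    if not domain_match(origin_host, domain):
        return None                           # origin may not set a cookie for this Domain
    return domain.lower(), False              # domain cookie, shared with subdomains

def is_sent_to(set_cookie, origin_host, request_host):
    """Would a browser attach this cookie to a request for request_host?"""
    scope = stored_scope(set_cookie, origin_host)
    if scope is None:
        return False
    domain, host_only = scope
    if host_only:
        return request_host.lower() == domain
    return domain_match(request_host, domain)

# Constructed Set-Cookie headers; the cookie name and value are placeholders.
HOST_COOKIE = "sso_token=PLACEHOLDER; Path=/; HttpOnly"
DOMAIN_COOKIE = "sso_token=PLACEHOLDER; Path=/; Domain=example.com; HttpOnly"

if __name__ == "__main__":
    for label, header in (("host cookie", HOST_COOKIE), ("domain cookie", DOMAIN_COOKIE)):
        for target in ("am.example.com", "ig.example.com"):
            sent = is_sent_to(header, "am.example.com", target)
            print(f"{label:13} -> {target}: sent={sent}")
```

A host cookie that never reaches IG means every request to IG looks unauthenticated, which matches the redirect loop described in the first post.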