Tagged: , , ,

This topic has 5 replies, 2 voices, and was last updated 4 years, 5 months ago by bertalanvoros.

  • Author
    Posts
  • #21138
     bertalanvoros
    Participant

    Hello All,

    I am configuring yet another proof of concept to test IG as a PEP to protect an api.

    I have set up everything according to the guide.
    (https://backstage.forgerock.com/docs/ig/5.5/gateway-guide/#chap-pep)

    When I try to access my test api, I get redirected to the AM login page where after a successful login having obtained the cookie it goes into a loop once you are sent to the api page to get the content.

    What could be causing this?

    The policy agent is not installed on IG.

    Thanks a lot in advance,
    Bertalan

    #21140
     Joachim Andres
    Participant

    Hi Bertalan,

    Both AM and IG need to be on the same cookie domain (e.g. am.example.com and ig.exmaple.com). I suspect that AM does not set a domain cookie for example.com but a host cookie for am.example.com. In this case the cookie is never received by IG.
    Setting by default a host-based cookie was a change of default behaviour in a recent AM release. AM used to set domain-based cookies.

    To verify, with AM 5 and later console, navigate to: Configure > Global Services > Platform > Cookie Domains. Coming back to the example above, it should say example.com.
    Also see : https://backstage.forgerock.com/knowledge/kb/article/a19829000#hostbased

    One other thing, for API protection, you should look at the OAuth2ResourceServerFilter . Most of the time clients to APIs cannot “digest” re-directs and such and OAuth2 is often more appropriate.

    Cheers,
    Joachim

    #21141
     bertalanvoros
    Participant

    Thanks a lot Joachim, everything is now working as expected.
    Also thanks for the advice about OAuth2.

    #21143
     bertalanvoros
    Participant

    One sideeffect, I can no longer log in into the OpenAM gui.
    Is it possible to recover from that without having to reinstall?

    #21151
     Joachim Andres
    Participant

    That should not be the case. IG and AM are well on the same domain ? I suppose you have restarted the browser after making the change in AM.

    #21152
     bertalanvoros
    Participant

    Hi, thanks again.
    Ended up rebuilding only to encounter the same problem.
    I then restarted the browser.
    Yes, they are on the same domain.
    All is well now.
    Thanks a lot once more.

Viewing 6 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?