Impersonation and session creation

This topic contains 1 reply, has 2 voices, and was last updated by Scott Heger 2 months, 1 week ago.

#15765
Jim Mulvey
Participant

Hello, I have a requirement to impersonate users. Please spare me the waggling fingers; there are legitimate needs for this. I know there is an impersonate module, but it’s not supported for production use.

So to implement it, I configured an Authentication chain, which is protected at the network layer to only one authorized application. The goal of this chain is to issue an iPlanetDirectoryPro cookie for a specified user without a password. I decided to use the Scripting Module, and wrote a Server-side Authentication script to simply set “authState = SUCCESS”. I engage the module with a specific URL and a username parameter (e.g. https://openam.example.org/openam/UI/Login?realm=myrealm&service=ImpersonateChain&gx_charset=UTF-8&user=user@example.org).

    However, I get an error: “User has no profile in this organization”. I *think* this means OpenAM can’t find the user in the datastore, but I don’t understand why. When the same username is specified in other Authentication Modules, it works fine. Is there something that other Authentication Modules are doing that the Scripting Module is not? Is there some internal information that my script needs to add or account for?

#15770
Scott Heger
Participant

Yes, that is what that means. If you are using the default Authentication setting to require user profiles, then authentication is a two-part process. First authenticate the user, and then, using the settings in your data store, locate the user’s profile.

To debug this, kick up your debug log level to “Message”, rerun your authentication, and check out your IdRepo debug file for clues as to what it is complaining about. Better yet, check the logs of your data store. If your data store is an LDAP (OpenDJ?) repository, check the access log for the search that is being performed that is not returning your user profile. I’m guessing you might have a mismatch between the username that is being used in your scripted module and what you have configured in your Data Store.
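    A way to act on that last suggestion, as an added example that is not from either poster: a small Python script that pairs OpenDJ SEARCH REQ/RES access-log lines by connection and operation id, reports the profile searches that came back with nentries=0, and splits a simple equality filter so the attribute the data store searched on can be compared with the username the scripted module supplied. It assumes the legacy one-line-per-operation OpenDJ access-log format shown in the constructed sample lines.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed OpenDJ access-log excerpt (legacy one-line-per-operation format),
# not taken from the thread. The first search stands in for a profile lookup on
# an attribute that does not hold the value OpenAM passed; the second one matches.
SAMPLE_ACCESS_LOG = """\
[07/Jun/2017:10:15:32 +0000] SEARCH REQ conn=12 op=5 msgID=6 base="ou=people,dc=example,dc=com" scope=sub filter="(uid=user@example.org)" attrs="uid,mail"
[07/Jun/2017:10:15:32 +0000] SEARCH RES conn=12 op=5 msgID=6 result=0 nentries=0 etime=1
[07/Jun/2017:10:15:40 +0000] SEARCH REQ conn=12 op=6 msgID=7 base="ou=people,dc=example,dc=com" scope=sub filter="(mail=user@example.org)" attrs="uid,mail"
[07/Jun/2017:10:15:40 +0000] SEARCH RES conn=12 op=6 msgID=7 result=0 nentries=1 etime=1
"""

REQ_RE = re.compile(
    r'SEARCH REQ conn=(\d+) op=(\d+) .*?base="([^"]*)" scope=(\w+) filter="([^"]*)"')
RES_RE = re.compile(r'SEARCH RES conn=(\d+) op=(\d+) .*?result=(\d+) nentries=(\d+)')
EQ_FILTER_RE = re.compile(r'^\(([A-Za-z][\w.;-]*)=([^)]*)\)$')


def find_empty_searches(log_text: str) -> List[Dict[str, str]]:
    """Pair SEARCH REQ/RES lines by (conn, op) and return the requests whose
    response carried nentries=0, i.e. searches that located no profile."""
    pending: Dict[Tuple[str, str], Dict[str, str]] = {}
    empty: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        req = REQ_RE.search(line)
        if req:
            conn, op, base, scope, ldap_filter = req.groups()
            pending[(conn, op)] = {"base": base, "scope": scope, "filter": ldap_filter}
            continue
        res = RES_RE.search(line)
        if res:
            conn, op, result, nentries = res.groups()
            request = pending.pop((conn, op), None)
            if request is not None and nentries == "0":
                # result=0 is LDAP success: the search ran fine, it simply matched nothing
                request["result"] = result
                empty.append(request)
    return empty


def split_equality_filter(ldap_filter: str) -> Optional[Tuple[str, str]]:
    """For a simple (attr=value) filter return (attr, value); None for anything else."""
    m = EQ_FILTER_RE.match(ldap_filter)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    for hit in find_empty_searches(SAMPLE_ACCESS_LOG):
        parts = split_equality_filter(hit["filter"])
        detail = f" (searched attribute {parts[0]!r}, value {parts[1]!r})" if parts else ""
        print(f"no entries under {hit['base']} for {hit['filter']}{detail}")
```

    Run it against the real access log instead of the sample, and the attribute in the reported filter is the data store's configured search attribute while the value is what the module handed over; if they do not belong together, that is the mismatch.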

©2017 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.