Integrating IDM With the ForgeRock Identity Platform

This topic contains 12 replies, has 4 voices, and was last updated by  Mike Jang 1 month, 2 weeks ago.

  • #20003
     Mahesh Algamwar 
    Participant

    Dear All,
    I am performing a POC for Integrating IDM With the ForgeRock Identity Platform and following the “ForgeRock Identity Management 5.5” Samples guide. I have performed the complete guide and am done with all required configuration.
    When trying to log in to IDM, it redirects me to OpenAM, where I provide the “amadmin” credentials; it then redirects to the IDM URL but asks me again to enter the openidm user credentials. Below is the redirect URL:

    http://localhost:8080/admin/#login&preventAutoLogin=true

    I followed a few suggestions given in the forum thread below, but nothing worked.
    https://forum.forgerock.com/2017/10/integrating-idm-dj/

    Guys, could you please help me to overcome this issue?
    Apart from this, I didn’t find any documentation about what configuration is required so that it also works for users other than amadmin/openidm-admin (e.g. the two users given in the sample, Barbara Jensen and John Doe).

    Product Versions:
    OpenAM 5.0
    IDM 5.5

    #20012
     Mike Jang 
    Moderator

    Hi Mahesh,

    I see you’re mixing versions, AM 5.0 and IDM 5.5. That has not been tested.

    When I wrote the blog post that you’ve cited, I based it on our documented Full Stack Sample (5.5), available from Backstage.

    When you use AM 5.5, IDM 5.5, and DS 5.5, you have to make fewer changes than were required for version 5.0 of each product. For reference, see the Full Stack Sample 5.0 documentation.

    Thanks,
    Mike.

    #20173
     Mahesh Algamwar 
    Participant

    Hi Mike,
    Sorry I couldn’t reply earlier as I was on vacation. Thanks for your inputs. I updated AM 5.0 to AM 5.5 and was able to overcome the issue. Now I am able to log in with the amadmin user. But when I try to log in with a non-admin user, I get the issue below. It would be great if you could provide any pointer.

    Dec 18, 2017 12:52:34 PM org.forgerock.openidm.auth.modules.DelegatedAuthModule validateRequest
    FINE: DelegatedAuthModule: Authentication successful
    Dec 18, 2017 12:52:34 PM org.forgerock.openidm.auth.modules.DelegatedAuthModule validateRequest
    FINE: DelegatedAuthModule: validateRequest END
    Dec 18, 2017 12:52:34 PM org.forgerock.openidm.audit.impl.AuditServiceImpl handleCreate
    FINE: Audit create called for access with {roles=[openidm-reg], transactionId=f827abd3-3a81-4410-b9e2-40cd60fb7dfa-8966, client={ip=127.0.0.1, port=61942}, server={ip=127.0.0.1, port=8080}, http={request={secure=false, method=POST, path=http://mymachine.hk.hsbc:8080/openidm/authentication, queryParameters={_action=[logout]}, headers={Accept=[application/json, text/javascript, */*; q=0.01], Accept-Encoding=[gzip, deflate], Accept-Language=[en-US;q=1], Cache-Control=[no-cache], Connection=[keep-alive], Content-Length=[0], Content-Type=[application/json], Host=[mymachine.hk.hsbc:8080], Origin=[http://mymachine.hk.hsbc:8080], Referer=[http://mymachine.hk.hsbc:8080/], User-Agent=[Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36], X-OpenIDM-NoSession=[false], X-OpenIDM-Password=[anonymous], X-OpenIDM-Username=[anonymous], X-Requested-With=[XMLHttpRequest]}, cookies={amlbcookie=01, iPlanetDirectoryPro=3kdbqukStcedW6YSBC8nUXmJ-PQ.*AAJTSQACMDEAAlNLABx1STNIKzFmWC9LVmxTanUvVlh3Q3l5ZXdFVU09AAJTMQAA*, i18next=en-us}}}, request={protocol=CREST, operation=ACTION, detail={action=logout}}, eventName=access, userId=anonymous, response={status=SUCCESSFUL, statusCode=null, elapsedTime=7, elapsedTimeUnits=MILLISECONDS}, timestamp=2017-12-18T07:22:34.531Z}
    Dec 18, 2017 12:52:34 PM org.forgerock.jaspi.modules.session.jwt.AbstractJwtSessionModule validateJwtSessionCookie
    FINE: Session JWT cookie found
    Dec 18, 2017 12:52:34 PM org.forgerock.jaspi.modules.session.jwt.AbstractJwtSessionModule validateJwtSessionCookie
    FINE: Invalid Jwt content
    org.forgerock.json.jose.exceptions.InvalidJwtException: not right number of dots, 1
    at org.forgerock.json.jose.common.JwtReconstruction.reconstructJwt(JwtReconstruction.java:62)
    at org.forgerock.json.jose.builders.JwtBuilderFactory.reconstruct(JwtBuilderFactory.java:73)
    at org.forgerock.jaspi.modules.session.jwt.AbstractJwtSessionModule.verifySessionJwt(AbstractJwtSessionModule.java:343)
    at org.forgerock.jaspi.modules.session.jwt.AbstractJwtSessionModule.validateJwtSessionCookie(AbstractJwtSessionModule.java:264)
    at org.forgerock.jaspi.modules.session.jwt.JwtSessionModule.validateJwtSessionCookie(JwtSessionModule.java:48)
    at org.forgerock.jaspi.modules.session.jwt.AbstractJwtSessionModule.validateRequest(AbstractJwtSessionModule.java:211)
    at org.forgerock.jaspi.modules.session.jwt.JwtSessionModule.validateRequest(JwtSessionModule.java:48)
    at org.forgerock.jaspi.modules.session.jwt.JwtSessionModule.validateRequest(JwtSessionModule.java:86)
    at org.forgerock.openidm.auth.modules.IDMAuthModuleWrapper.validateRequest(IDMAuthModuleWrapper.java:277)
    at org.forgerock.caf.authentication.framework.AuthModules$WrappedAuthModule.validateRequest(AuthModules.java:515)

    #20208
     Mike Jang 
    Moderator

    Hi Mahesh,

    Thanks for the follow-up. The error I see in what you’ve provided is:

    FINE: Invalid Jwt content

    If I saw that error, I’d check two things:

    1) The browser cache. Out of habit, I frequently use “Incognito Mode” to make sure I have a fresh browser.
    2) The dev console. I wonder if you’re seeing an error related to CORS (Cross-Origin Resource Sharing).

    Thanks,
    Mike

    #20216
     Mahesh Algamwar 
    Participant

    Hi Mike,
    Thanks for your inputs, it is working perfectly fine after doing the required CORS changes.

    Thanks
    Mahesh

    #20232
     Mike Jang 
    Moderator

    Hi Mahesh,

    Can you share what changes you made for CORS? (I want to make sure we’re covering more cases.)

    Thanks,
    Mike

    #20254
     Mahesh Algamwar 
    Participant

    Hi Mike,

    You have already mentioned those configurations in your blog, so nothing was missed out; it was something at my end. The CORS settings were not correct in the first place. After correcting them according to my environment it started working fine.

    Thanks
    Mahesh

    #22256
     ravindareddy 
    Participant

    Hi,

    I want to list the users who have admin access. How can I do that?

    Thanks
    Ravindar

    #22267
     Mike Jang 
    Moderator

    Hi ravindareddy,

    I’m not clear on what you’re asking. Are you asking for a list of users with admin access on

    1) IDM
    2) AM
    3) Both?

    And — are you asking your question in the context of the integrated identity platform (IDM, AM, DS)?

    Thanks,
    Mike

    #22280
     ravindareddy 
    Participant

    Hi Mike,

    Thanks for the reply.

    Actually, I want this only for OpenIDM: I need to list those who have admin access.

    Thanks for your help.

    Thanks
    Ravindar

    #22284
     ravindareddy 
    Participant

    Hi Mike,

    It would be great if I could get a query to list the users who have admin access in IDM.

    Thanks again.

    Thank you
    Ravindar.

    #25865
     nishitsingh 
    Participant

    I am performing a POC for Integrating IDM With the ForgeRock Identity Platform and following the “ForgeRock Identity Management 6.0” Samples guide. I have performed the complete guide and am done with all required configuration. I am able to log in with amadmin. But when I try to log in with a non-admin user, I get the issue below. It would be great if you could provide any pointer.

    Caused by: org.forgerock.tokenhandler.InvalidTokenException: Invalid token
    at org.forgerock.json.jose.tokenhandler.JwtTokenHandler.validateAndExtractClaims(JwtTokenHandler.java:170)
    at org.forgerock.json.jose.tokenhandler.JwtTokenHandler.validateAndExtractState(JwtTokenHandler.java:143)
    at org.forgerock.openidm.idp.impl.TokenDataStore.retrieveData(TokenDataStore.java:97)
    … 109 more
    Caused by: org.forgerock.json.jose.exceptions.InvalidJwtException: not right number of dots, 1
    at org.forgerock.json.jose.common.JwtReconstruction.reconstructJwt(JwtReconstruction.java:62)
    at org.forgerock.json.jose.builders.JwtBuilderFactory.reconstruct(JwtBuilderFactory.java:73)
    at org.forgerock.json.jose.tokenhandler.JwtTokenHandler.validateAndExtractClaims(JwtTokenHandler.java:153)

    Also, when I configure AM and the DS instance initially and check Identities, I see 2 users and 5 groups imported using the OOTB sample fullstack EXAMPLE.LDIF. But once I deploy IDM and run RECONCILIATION, the users from AM disappear and only come back when I go to the AM DATA STORE (DJ) and remove ou=people from the USER CONFIGURATION.
    I am attaching the mapping done in IDM as well, w.r.t. the SAMPLE Example.ldif. Please suggest on the mapping as well.
    Also, I see the OIDC issue relating to CORS. I have modified my CORS file accordingly to match the hosts file:
    172.16.5.200 am.example.com
    172.16.5.200 idm.example.com
    172.16.5.200 ds.example.com

    Below is also a snippet from my CORS web.xml for reference:

    <filter>
      <filter-name>CORSFilter</filter-name>
      <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
      <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Content-Type,X-OpenIDM-OAuth-Login,X-OpenIDM-DataStoreToken,X-Requested-With,Cache-Control,Accept-Language,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,X-OpenAM-Username,X-OpenAM-Password,iPlanetDirectoryPro,Accept-API-Version</param-value>
      </init-param>
      <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST,HEAD,OPTIONS,PUT,DELETE</param-value>
      </init-param>
      <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>http://am.example.com:8080,http://idm.example.com:9080</param-value>
      </init-param>
      <init-param>
        <param-name>cors.exposed.headers</param-name>
        <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Set-Cookie</param-value>
      </init-param>
      <init-param>
        <param-name>cors.preflight.maxage</param-name>
        <param-value>10</param-value>
      </init-param>
      <init-param>
        <param-name>cors.support.credentials</param-name>
        <param-value>true</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>CORSFilter</filter-name>
      <url-pattern>/json/*</url-pattern>
    </filter-mapping>

    #25879
     Mike Jang 
    Moderator

    Hi nishitsingh,

    The error message that you’ve shared suggests a problem with the JWT tokens that you’re using, similar to the discussion here: https://forum.forgerock.com/topic/bad-request-failed-to-parse-jwt-not-right-number-of-dots-2/
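As an added example (not code from this thread or from ForgeRock), a small Python diagnostic for the “not right number of dots” error seen in posts #20173 and #25865: it pulls the cookies out of an IDM FINE audit line like the one Mahesh posted and counts the dots in each value the way the JWT reconstruction check does as I understand it (2 for a JWS, 4 for a JWE, anything else rejected). The sample line is constructed from that post; that a one-dot value such as the AM SSO token is what reaches the JWT session module is an assumption of mine, not something the thread confirms.

```python
import base64
import json
import re

# Constructed sample: the cookies portion of the IDM audit line quoted in
# post #20173, trimmed; the AM session token value is kept as posted.
SAMPLE_LOG = (
    "FINE: Audit create called for access with {roles=[openidm-reg], "
    "http={request={secure=false, method=POST, cookies={amlbcookie=01, "
    "iPlanetDirectoryPro=3kdbqukStcedW6YSBC8nUXmJ-PQ.*AAJTSQACMDEAAlNLABx1"
    "STNIKzFmWC9LVmxTanUvVlh3Q3l5ZXdFVU09AAJTMQAA*, i18next=en-us}}}, "
    "userId=anonymous}"
)

COOKIES_RE = re.compile(r"cookies=\{([^}]*)\}")


def parse_cookies(log_line):
    """Return {name: value} for the cookies={...} map of an IDM audit line."""
    match = COOKIES_RE.search(log_line)
    if not match:
        return {}
    cookies = {}
    for item in match.group(1).split(", "):
        name, _, value = item.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def jwt_shape(value):
    """Classify a value by dot count, mirroring the check behind the error
    (assumed): 2 dots -> JWS (header.payload.signature), 4 dots -> JWE,
    anything else is not a JWT and reproduces 'not right number of dots, N'."""
    dots = value.count(".")
    if dots == 2:
        return "JWS"
    if dots == 4:
        return "JWE"
    return "not right number of dots, %d" % dots


def jws_header(token):
    """Decode the base64url header of a JWS; {} when the value is not JWS-shaped."""
    if jwt_shape(token) != "JWS":
        return {}
    seg = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def diagnose(log_line):
    """Map every cookie in the line to its JWT shape classification."""
    return {name: jwt_shape(val) for name, val in parse_cookies(log_line).items()}
```

Running `diagnose(SAMPLE_LOG)` shows that none of the three cookies on that request is JWT-shaped, and that iPlanetDirectoryPro is the one whose dot count matches the logged error.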
