OpenAM C SDK authentication chain not followed


This topic has 0 replies, 1 voice, and was last updated 6 years, 6 months ago by s.purcell.

    #10700
    s.purcell (Participant)

    Hello world,

    I’m currently working on a PoC that involves modernizing authentication in a legacy system primarily written in C/C++. It doesn’t seem to be working 100%. From the server audit logs, it looks as though authentication stops after the first step in the authentication chain, regardless of whether the first step fails or succeeds.

    The authentication chain is relatively simple:
    1) DataStore (Requisite)
    2) AdaptiveRisk (Optional): check for specific IP address
    3) AdaptiveRisk (Required): check for valid IP address

    If I log in via the admin page, I see all of the authentication steps in the server audit log. It seems to work perfectly. Logins with the correct credentials succeed. Logins with invalid credentials (e.g. wrong user name/password, unknown IP address) fail. All of the authentication events appear in the audit log.

    On the other hand, if I log in via the client SDK, the audit log only shows the first step in the chain. It does not seem to reach the IP steps.

    Here’s the source code for the client. I suspect that setting the module might be causing the issue. I tried leaving it an empty string, but it failed.

    I’d be very grateful for some advice.

    // OpenAM C SDK authentication API (am_auth_create_auth_context,
    // am_auth_login, am_auth_get_status, am_auth_get_sso_token_id).
    #include <am_auth.h>

    /// Authenticate the user.
    /// @param userId of the user
    /// @param passWd of the user
    /// @param token granted if authentication is successful.
    void SECopenAmClient::authenticate(const String &userId, const String &passWd,
      String &token)
    {
      // Get authorization context ("context" is the am_auth_context_t member of this class)
      const char *organizationName = "/";   // realm to authenticate against
      char *certificateNickname = NULL;     // no client certificate
      char *url = NULL;                     // use the server URL from the SDK configuration
      // The index type tells OpenAM how to pick the authentication flow:
      // AM_AUTH_INDEX_MODULE_INSTANCE names a single module instance, whereas a
      // chain is selected by name with AM_AUTH_INDEX_SERVICE.
      am_auth_index_t moduleType = AM_AUTH_INDEX_MODULE_INSTANCE;
      const char *module = "LDAP";
      am_status_t status = am_auth_create_auth_context(&context, organizationName,
        certificateNickname, url);

      if (AM_SUCCESS != status)
      {
        MSG_TRACE(1, "Failed to create auth context.");
        return;
      }
      // Start the login; the server replies with callbacks (user name, password, ...)
      status = am_auth_login(context, moduleType, module);
      if (AM_SUCCESS != status)
      {
        MSG_TRACE(1, "Failed to login.");
        return;
      }

      // Fill in and submit the callback requirements with the supplied credentials
      processLoginCallbackRequirement(context, userId, passWd);
      am_auth_status_t auth_status = am_auth_get_status(context);

      if (AM_AUTH_STATUS_SUCCESS != auth_status)
      {
        MSG_TRACE(1, "Failed to authenticate.");
        return;
      }

      // On success the context carries the SSO token for the new session
      token = am_auth_get_sso_token_id(context);
      MSG_TRACE(1, "Authenticated user.");
    }

    Cheers

    Scott
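To make clear what the audit log should show once the whole chain is evaluated, here is an added example (not code from the post or from the OpenAM SDK) that models how the chain's control flags combine per-module outcomes, using the three-step chain from the post. The flag semantics are the JAAS ones OpenAM chains follow; Sufficient is included beyond the post's flags to complete the set, and the module instance names are constructed.

```c
#include <stdbool.h>

/* JAAS control flags as used by OpenAM authentication chains. The post's
 * chain uses Requisite, Optional and Required; Sufficient completes the set. */
typedef enum { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL } am_flag_t;

typedef struct { const char *name; am_flag_t flag; } chain_step_t;
typedef struct { bool ok; int steps; } chain_result_t; /* steps = modules run */

/* Walk the chain with each module's outcome in results[] (true = passed).
 * 'steps' is how many modules actually ran, i.e. what the server audit log
 * would show; 'ok' is the overall chain result. */
chain_result_t eval_chain(const chain_step_t *chain, const bool *results, int n)
{
    bool mandatory_failed = false;  /* a Required/Requisite module failed */
    bool any_succeeded = false;
    for (int i = 0; i < n; i++) {
        bool ok = results[i];
        if (ok) any_succeeded = true;
        switch (chain[i].flag) {
        case REQUISITE:   /* failure ends the chain right here */
            if (!ok) return (chain_result_t){ false, i + 1 };
            break;
        case REQUIRED:    /* failure is remembered; later modules still run */
            if (!ok) mandatory_failed = true;
            break;
        case SUFFICIENT:  /* success ends the chain unless a mandatory step failed */
            if (ok && !mandatory_failed) return (chain_result_t){ true, i + 1 };
            break;
        case OPTIONAL:    /* outcome never affects the chain result */
            break;
        }
    }
    return (chain_result_t){ !mandatory_failed && any_succeeded, n };
}

/* The chain from the post, with constructed instance names. */
static const chain_step_t post_chain[] = {
    { "DataStore",                REQUISITE },
    { "AdaptiveRisk-specific-ip", OPTIONAL  },
    { "AdaptiveRisk-valid-ip",    REQUIRED  },
};

/* Run the post's chain for given per-module outcomes. */
chain_result_t post_chain_run(bool ds, bool ip_specific, bool ip_valid)
{
    bool r[3] = { ds, ip_specific, ip_valid };
    return eval_chain(post_chain, r, 3);
}
```

With this chain only a DataStore failure stops after one audited step; a failed Optional IP check still yields success when the Required check passes, and a failed Required check runs all three steps and fails.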


©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
