This topic has 2 replies, 3 voices, and was last updated 3 years, 11 months ago by sai_kumar.

  • #4309
     monginm
    Participant

    Hello,

    Currently, I am working on OpenAM and I’d like to know whether WebAgent replication among the realms is possible or not. Let me explain my case:

    I installed the master realm [/] in OpenAM: one WebAgent, one authentication strategy for the URL http://www.example.com:8000/* ; I also have one authentication policy using the OpenAM default form (Login/Pwd OpenAM).
    I have a second realm [/realm1] that inherits from [/]. In that realm I assigned one authentication strategy for the URL http://www.example.com:8000/appli1/ , with authentication by HTTP Basic (pop-up).

    When I try to connect to http://www.example.com:8000/appli1/ , I’m redirected to the OpenAM login page by form and not by HTTP Basic.

    If I delete http://www.example.com:8000/* , my other URLs don’t work.

    If I configure my WebAgent for the realm [/realm1], my http://www.example.com:8000/appli1/ is working but not with the HTTP Basic authentication.

    Hence my question: in order to test different authentication mechanisms (HTTP Basic, form, ...), can I do it with one single realm (/) with sub-realms and apply one authentication mechanism for each subrealm? Or is the only way to have different realms (Apache instances with the OpenAM WebAgent) and apply one authentication mechanism for each of these realms?

    Regards,

    #4334
     Peter Major
    Moderator

    Looks like you are looking at things from the wrong angle. Here are some things you should probably know:
    * realms don’t really inherit things from each other, more like the parent realm usually serves as a template for the subrealm, but after the realm is created there is no inheritance/relation whatsoever.
    * whether your agent is configured in a subrealm or in the top level realm has little to do with how authentication is actually done. Each agent profile has a setting for a Login URL, so if you want to use a different authentication mechanism for an agent, then you’d just set up the login URL so that it points to the right realm and the right authentication mechanism.
    * when you access the login interface without any extra parameters then the Organization Authentication Configuration will kick in for the corresponding realm. To control which authentication mechanism is used when you access the UI, check out the docs:
    http://docs.forgerock.org/en/openam/12.0.0/admin-guide/index.html#authn-from-browser
    * It’s possible to tie agent protected applications to authentication mechanisms (by using policies), but the agents will continue to redirect end users to the configured login URL. To overcome that, you would either need to set up a conditional login URL, or you would need to start to use resource based authentication.

    In short: there is no need to set up new realms for different authentication mechanisms.

    #10134
     sai_kumar
    Participant

    Hello,
    I am new to OpenAM and I am also having the same issue. Have you figured out a way to provide two different authentication mechanisms under a single realm? In our application we are using form based authentication and basic authentication for the REST.

    I want to provide form based authentication for the below resource
    http://www.example.com:8080/sampleapp/*

    except for the

    http://www.example.com/sampleapp/restapp/*

    For the above resource I need to provide HTTP Basic authentication. Is there any way we can do that? The same set of users needs to be authenticated against both the resources.

    Regards,
    sai
