OpenIG | OpenAM AUTH – Cannot get the policy evaluation

This topic has 7 replies, 4 voices, and was last updated 5 years, 6 months ago by AUGSignals.

  • #16103
     chen369
    Participant

    Hi, I’m trying to get OpenIG/OpenAM Authorization with PEP

    Heres OpenIG Code,

    {
      "comment": "OpenAM Authorization check filter",
      "name": "OpenAM Authorization",
      "type": "PolicyEnforcementFilter",
      "config": {
        "openamUrl": "http://[REDACTED]:8080/openam",
        "pepUsername": "policyAdmin",
        "pepPassword": "[REDACTED]",
        "realm": "/",
        "application": "OpenIG",
        "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}"
      },
      "capture": "all"
    }

    In OpenAM we have the policyAdmin account and verified that it is current in LDAP and in OpenAM.
    We gave REST permissions for the account and policy evaluations,
    but OpenIG can't get past this gate.

    Here’s the Debug Logs

    FRI MAR 03 03:22:46 UTC 2017 DEBUG OpenAM Authorization --- Cannot get the policy evaluation
    FRI MAR 03 03:22:46 UTC 2017 DEBUG OpenAM Authorization --- Response is not application/json
    # org.forgerock.json.resource.InternalServerErrorException: Response is not application/json
    #       at org.forgerock.json.resource.http.CrestAdapter.loadJsonValueContent(CrestAdapter.java:427)
    #       at org.forgerock.json.resource.http.CrestAdapter.access$000(CrestAdapter.java:137)
    #       at org.forgerock.json.resource.http.CrestAdapter$2.apply(CrestAdapter.java:190)
    #       at org.forgerock.json.resource.http.CrestAdapter$2.apply(CrestAdapter.java:180)
    #       at org.forgerock.util.promise.PromiseImpl$5.handleStateChange(PromiseImpl.java:377)
    #       at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:521)
    #       at org.forgerock.util.promise.PromiseImpl.setState(PromiseImpl.java:562)
    #       at org.forgerock.util.promise.PromiseImpl.tryHandleResult(PromiseImpl.java:265)
    #       at org.forgerock.util.promise.PromiseImpl.handleResult(PromiseImpl.java:215)
    #       at org.forgerock.util.promise.Promises$CompletedPromise.thenOnResult(Promises.java:131)
    #       at org.forgerock.util.promise.PromiseImpl$7.callNestedPromise(PromiseImpl.java:460)
    #       at org.forgerock.util.promise.PromiseImpl$7.handleStateChange(PromiseImpl.java:445)
    #       at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:521)
    #       at org.forgerock.util.promise.PromiseImpl.setState(PromiseImpl.java:562)
    #       at org.forgerock.util.promise.PromiseImpl.tryHandleResult(PromiseImpl.java:265)
    #       at org.forgerock.util.promise.PromiseImpl.handleResult(PromiseImpl.java:215)
    #       at org.forgerock.util.promise.Promises$CompletedPromise.thenOnResult(Promises.java:131)
    #       at org.forgerock.util.promise.PromiseImpl$7.callNestedPromise(PromiseImpl.java:460)
    #       at org.forgerock.util.promise.PromiseImpl$7.handleStateChange(PromiseImpl.java:445)
    #       at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:521)
    #       at org.forgerock.util.promise.PromiseImpl.setState(PromiseImpl.java:562)
    #       at org.forgerock.util.promise.PromiseImpl.tryHandleResult(PromiseImpl.java:265)
    #       at org.forgerock.util.promise.PromiseImpl.handleResult(PromiseImpl.java:215)
    #       at org.forgerock.util.promise.PromiseImpl$5.handleStateChange(PromiseImpl.java:377)
    #       at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:521)
    #       at org.forgerock.util.promise.PromiseImpl.setState(PromiseImpl.java:562)
    #       at org.forgerock.util.promise.PromiseImpl.tryHandleResult(PromiseImpl.java:265)
    #       at org.forgerock.util.promise.PromiseImpl.handleResult(PromiseImpl.java:215)
    #       at org.forgerock.http.apache.async.AsyncHttpClient$1.completed(AsyncHttpClient.java:62)
    #       at org.forgerock.http.apache.async.AsyncHttpClient$1.completed(AsyncHttpClient.java:57)
    #       at org.apache.http.concurrent.BasicFuture.completed(BasicFuture.java:119)
    #       at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.responseCompleted(DefaultClientExchangeHandlerImpl.java:177)
    #       at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.processResponse(HttpAsyncRequestExecutor.java:412)
    #       at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.inputReady(HttpAsyncRequestExecutor.java:305)
    #       at org.apache.http.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:267)
    #       at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:81)
    #       at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:39)
    #       at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:116)
    #       at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:164)
    #       at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:339)
    #       at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:317)
    #       at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:278)
    #       at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:106)
    #       at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:590)
    #       at java.lang.Thread.run(Thread.java:745)
    FRI MAR 03 03:22:46 UTC 2017 INFO @Capture[OpenAM Authorization] --- 
    
    <--- (filtered-response) id:50c282bd-232e-4bd8-acfa-76b35c30656f-7 ---
    
    HTTP/1.1 401 Unauthorized

    What can the probable cause be? I’ve checked logs on both OpenAM and OpenIG and can’t seem to see what is causing it.

    #16105
     Rajesh R
    Participant

    @chen369 OpenIG as PEP for OpenAM works as expected if you follow the instructions in the documentation. While I’m not able to figure out from the logs, why it isn’t working for you, I do have a screen-cast made on this, which you can access at the following link:

    https://forgerock.org/2016/02/forgerock-openig-4-openam-policy-enforcement-point/

    Maybe you get an idea of what could be wrong with your setup.

    #16117

    It seems you don’t get any policy decision back from the policy endpoint; please capture the HTTP request/response in order to understand what’s going on:

    
    {
      "comment": "OpenAM Authorization check filter",
      "name": "OpenAM Authorization",
      "type": "PolicyEnforcementFilter",
      "config": {
        "openamUrl": "http://[REDACTED]:8080/openam",
        "pepUsername": "policyAdmin",
        "pepPassword": "[REDACTED]",
        "realm": "/",
        "application": "OpenIG",
        "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}",
        "amHandler": {
          "type": "ClientHandler",
          "capture": "all"
        }
      },
      "capture": "all"
    }

    Look at the additional amHandler property.

    #16120
     chen369
    Participant

    PRE-PEP Gate Logs

    FRI MAR 03 16:35:59 UTC 2017 INFO OpenAM Authentication redirect (and Attributes retrieval) --- iPlanetDirectoryPro cookie found, performing validation
    FRI MAR 03 16:35:59 UTC 2017 INFO OpenAM Authentication redirect (and Attributes retrieval) --- Token Validation Response : [valid:true, uid:u001, realm:/]
    FRI MAR 03 16:35:59 UTC 2017 INFO OpenAM Authentication redirect (and Attributes retrieval) --- Retrieving user profile attributes: [uid] for user: u001
    FRI MAR 03 16:35:59 UTC 2017 INFO OpenAM Authentication redirect (and Attributes retrieval) --- Retrieving session attributes: [sunIdentityUserPassword] for user: u001
    FRI MAR 03 16:36:00 UTC 2017 INFO OpenAM Authentication redirect (and Attributes retrieval) --- Retrieved user profile attribute values: [u001] for attribute name: uid
    FRI MAR 03 16:36:00 UTC 2017 INFO OpenAM Authentication redirect (and Attributes retrieval) --- Adding following entry in profile attribute map-> uid : u001
    FRI MAR 03 16:36:00 UTC 2017 INFO OpenAM Authentication redirect (and Attributes retrieval) --- Retrieved session attribute values:  for attribute name: sunIdentityUserPassword
    FRI MAR 03 16:36:00 UTC 2017 INFO OpenAM Authentication redirect (and Attributes retrieval) --- Adding following entry in session attribute map-> sunIdentityUserPassword : 
    FRI MAR 03 16:36:00 UTC 2017 INFO OpenAM Authentication redirect (and Attributes retrieval) --- Setting HTTP header: uid, value: u001
    FRI MAR 03 16:36:00 UTC 2017 INFO OpenAM Authentication redirect (and Attributes retrieval) --- Setting HTTP header: sunIdentityUserPassword, value: 

    #16121
     chen369
    Participant

    @rajeshr

    Hi, thanks for your video. I followed your guide step by step, but it did not work for me.

    #16122
     chen369
    Participant

    @guillaume-sauthier

    I’ve amended the amHandler Property but I do not see any additional log statements in OpenIG.

    #16236
     chen369
    Participant

    Upon Reading logs found this error on OpenAM side,

    Error in getExistingValidSSOToken
    com.iplanet.sso.SSOException: Invalid session ID.

    Could this possibly be why policies are not working ?
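    The replies above point at the same question from two sides: the amHandler capture shows what OpenAM actually sends back to the policy endpoint call, and the "Invalid session ID" error shows OpenAM rejecting the subject token. The following is an added diagnostic written for this thread, not OpenIG's or OpenAM's own code; it replays the two REST calls the filter depends on (PEP login, then policy evaluate) through a hypothetical `send` transport with constructed replies, and assumes the OpenAM 13 endpoint paths, so it runs offline and shows why a non-JSON 401 surfaces in OpenIG as "Response is not application/json".

```python
import json
from typing import Callable, Dict, Tuple

# Hypothetical transport so the check runs offline against canned replies:
# send(method, url, headers, body) -> (status, response_headers, response_body)
Transport = Callable[[str, str, Dict[str, str], str], Tuple[int, Dict[str, str], str]]


def diagnose_policy_eval(send: Transport, cfg: dict, sso_token: str, resource: str) -> dict:
    """Replay PEP login and policy evaluate; report where the chain breaks."""
    base = cfg["openamUrl"].rstrip("/") + "/json"
    # 1. PEP account login via zero-page-login headers (assumes OpenAM 13 paths)
    status, hdrs, body = send("POST", f"{base}/authenticate?realm={cfg['realm']}",
                              {"X-OpenAM-Username": cfg["pepUsername"],
                               "X-OpenAM-Password": cfg["pepPassword"],
                               "Content-Type": "application/json"}, "{}")
    if status != 200:
        return {"step": "pep-login", "status": status}
    pep_token = json.loads(body)["tokenId"]
    # 2. Evaluate as the PEP; the end user's SSO token is only the subject of the query
    req = {"resources": [resource], "application": cfg["application"],
           "subject": {"ssoToken": sso_token}}
    status, hdrs, body = send("POST", f"{base}/policies?_action=evaluate",
                              {"iPlanetDirectoryPro": pep_token,
                               "Content-Type": "application/json"}, json.dumps(req))
    ctype = hdrs.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        # Same condition OpenIG logs as "Response is not application/json"
        return {"step": "evaluate", "status": status, "content_type": ctype or None}
    decisions = json.loads(body)
    return {"step": "evaluate", "status": status,
            "allowed": [d["resource"] for d in decisions if d.get("actions", {}).get("GET")]}


def canned_openam(scenario: str) -> Transport:
    """Constructed OpenAM replies: a healthy evaluation, or the thread's failure where
    the subject session is invalid and OpenAM answers 401 with an HTML body."""
    def send(method, url, headers, body):
        if "/authenticate" in url:
            return 200, {"Content-Type": "application/json"}, json.dumps({"tokenId": "PEP-TOKEN-constructed"})
        if scenario == "ok":
            page = [{"resource": "http://app.example/index.html", "actions": {"GET": True, "POST": False}}]
            return 200, {"Content-Type": "application/json;charset=UTF-8"}, json.dumps(page)
        return 401, {"Content-Type": "text/html;charset=UTF-8"}, "<html>Invalid session ID.</html>"
    return send
```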

    #17426
     AUGSignals
    Participant

    Was a solution found? I am having the same issue where OpenAM gives a 401 error because it cannot validate the SSO token.
