OPENIG with response attributes from a Policy

This topic has 0 replies, 1 voice, and was last updated 2 years, 11 months ago by ak.tokas.

#18784 ak.tokas (Participant)

    Hi, everyone

    I was doing a POC on OPENIG 4.5 and I encountered a problem.
    I have configured OpenIG as PEP with OpenAM, and I am using the following route file.
    I have configured mail and employeenumber as response attributes from the authorization policy, and cross-checked that I am getting these attributes in the response,
    but while using OpenIG I am redirected to OpenAM for auth, and after login to OpenAM I get an *Authorization Required* HTML page in my browser, and an unauthorized error in the OpenIG log.
    Can anyone help me rectify this issue?
    Thanks in advance.

    Also, does the policy matter??? in "target": "${attributes.currentPolicy.attributes}"

    {
      "baseURI": "http://marvelstudios.starkindustries.com:8081/",
      "handler": {
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "comment": "Redirect to OpenAM authentication",
              "name": "OpenAM Authentication",
              "condition": "${request.cookies['iPlanetDirectoryPro'] == null}",
              "handler": {
                "type": "StaticResponseHandler",
                "config": {
                  "status": 302,
                  "reason": "Found",
                  "headers": {
                    "Location": [
                      "https://openam.starkindustries.com:7773/openam/XUI/#login/marvel/&goto=${urlEncodeQueryParameterNameOrValue(contexts.router.originalUri)}"
                    ]
                  },
                  "entity": "Redirecting to OpenAM for authentication..."
                },
                "capture": "all"
              }
            },
            {
              "comment": "OpenAM Authorization chain for policy validation and attributes retrieval",
              "name": "OpenAM Authorization Chain",
              "condition": "${request.cookies['iPlanetDirectoryPro'] != null}",
              "handler": {
                "type": "Chain",
                "config": {
                  "filters": [
                    {
                      "comment": "OpenAM Authorization check filter",
                      "name": "OpenAM Authorization",
                      "type": "PolicyEnforcementFilter",
                      "config": {
                        "openamUrl": "https://openam.starkindustries.com:7773/openam/",
                        "pepUsername": "ak.tokas",
                        "pepPassword": "password",
                        "realm": "Marvel",
                        "application": "OPENIG",
                        "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}"
                      },
                      "capture": "all"
                    },
                    {
                      "type": "PasswordReplayFilter",
                      "config": {
                        "loginPage": "${true}",
                        "credentials": {
                          "type": "PolicyEnforcementFilter",
                          "config": {
                            "openamUrl": "https://openam.starkindustries.com:7773/openam/",
                            "pepUsername": "ak.tokas",
                            "pepPassword": "password",
                            "realm": "Marvel",
                            "application": "OPENIG",
                            "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}",
                            "target": "${attributes.currentPolicy.attributes}"
                          }
                        },
                        "request": {
                          "method": "POST",
                          "uri": "http://marvelstudios.starkindustries.com:8081",
                          "form": {
                            "username": [
                              "${attributes.currentPolicy.attributes.mail}"
                            ],
                            "password": [
                              "${attributes.currentPolicy.attributes.employeeNumber}"
                            ]
                          }
                        }
                      }
                    }
                  ],
                  "handler": "ClientHandler"
                }
              }
            }
          ]
        }
      },
      "condition": "${matches(request.uri.path, '^/pep')}"
    }
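A small lint for a route like the one above, added here as an example and not part of the post or of ForgeRock's tooling: it flags typographic quotes (which a forum copy-paste leaves behind and which break JSON parsing), then walks the route to compare the attribute paths written by each PolicyEnforcementFilter "target" with the ${attributes...} paths the other expressions read. The embedded route is a constructed, trimmed version of the post's chain, and the default target of ${attributes.policy} when "target" is omitted is an assumption.

```python
import json
import re
# Constructed sample: a trimmed version of the chain from the post, not the poster's full route file.
ROUTE_TEXT = """{
  "filters": [
    {"type": "PolicyEnforcementFilter",
     "config": {"application": "OPENIG",
                "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}"}},
    {"type": "PasswordReplayFilter",
     "config": {
       "credentials": {"type": "PolicyEnforcementFilter",
                       "config": {"target": "${attributes.currentPolicy.attributes}"}},
       "request": {"form": {
         "username": ["${attributes.currentPolicy.attributes.mail}"],
         "password": ["${attributes.currentPolicy.attributes.employeeNumber}"]}}}}
  ]
}"""
# Assumption: when a PolicyEnforcementFilter omits "target", IG stores the decision under attributes.policy.
DEFAULT_TARGET = "${attributes.policy}"
EXPR = re.compile(r"\$\{([^}]*)\}")            # a ${...} expression
ATTR_REF = re.compile(r"attributes\.[\w.]+")   # an attributes.x.y path inside an expression
CURLY = "\u201c\u201d\u2018\u2019"             # typographic quotes that break JSON parsing

def curly_quote_lines(text):
    """Line numbers that contain typographic quotes (common after a copy-paste from a forum)."""
    return [n for n, line in enumerate(text.splitlines(), 1) if any(c in line for c in CURLY)]

def walk(node, writers, reads):
    """Collect attribute paths written by PolicyEnforcementFilter targets and paths read by expressions."""
    if isinstance(node, dict):
        if node.get("type") == "PolicyEnforcementFilter":
            target = node.get("config", {}).get("target", DEFAULT_TARGET)
            m = EXPR.fullmatch(target)
            writers.append(m.group(1) if m else target)
        for value in node.values():
            walk(value, writers, reads)
    elif isinstance(node, list):
        for value in node:
            walk(value, writers, reads)
    elif isinstance(node, str):
        for m in EXPR.finditer(node):
            reads.update(ATTR_REF.findall(m.group(1)))

def lint(text):
    """Return (lines with curly quotes, attribute reads covered by a target, uncovered reads)."""
    bad_lines = curly_quote_lines(text)
    if bad_lines:                       # not valid JSON yet, so stop here
        return bad_lines, set(), set()
    writers, reads = [], set()
    walk(json.loads(text), writers, reads)
    covered = {r for r in reads if any(r == w or r.startswith(w + ".") for w in writers)}
    return bad_lines, covered, reads - covered
```

An uncovered read (for example a form field that reads ${attributes.currentPolicy.attributes.mail} while no filter targets that path) is the first thing to check before looking at the policy itself.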
