May 20, 2015 at 3:01 pm #4216
I want to use OpenAM's SSO login mechanism to authenticate at OpenIDM, but I didn't find an OpenIDM/OpenAM integration guide for OpenIDM 3.1.0.
I was following the README.txt (http://openidm-users.989380.n3.nabble.com/attachment/4025913/0/README) given in this thread, but it is for OpenIDM 2 and does not work on OpenIDM 3.
I have explored OPENAM_SESSION_MODULE / the OpenAM sample, but it makes REST calls to authenticate to OpenAM in the background. It does not perform an actual redirection to OpenAM. Hence it is limited to form-based username/password authentication at OpenAM. I am looking for an actual redirection to OpenAM so that multi-layer authentication or cert-based authentication at OpenAM can be performed.
Separate Jetty and policy-agent-based redirection does not work with OpenIDM 3 as given in README.txt. Is there any documentation to perform SSO login to OpenIDM (3.1.0) with actual redirection to OpenAM (12.0.0)?
May 20, 2015 at 7:26 pm #4219 Jake Feasel (Moderator)
Work to support this type of login process was done right after OpenIDM 3.1 was released. Here is the issue in JIRA for this work: https://bugster.forgerock.org/jira/browse/OPENIDM-2761
The actual code changes to the UI necessary to get this working were done here: http://sources.forgerock.org/cru/CR-6042
I’m not sure what you might want to do for 3.1. It’s not really a supported feature in that release. If you are okay to wait until the next major release (4.0) which will include this, then go ahead and try out trunk and see how it works for you. Otherwise you could try taking the CR under advisement and make the customizations to your 3.1 UI yourself (just be aware that you’d be taking on responsibility for maintaining those changes, as they are not supported in 3.1).

May 20, 2015 at 8:33 pm #4220
To elaborate on Jake’s suggestion, you might try our “Full Stack” sample, currently in trunk. I’ve linked to the current Full Stack Sample documentation.
Mike

May 22, 2015 at 9:29 am #4223
Thanks for your replies.
The changes added after 3.1.0 are more of UI functionality. Will it be possible to configure 3.1.0 with these changes manually or with tools like Chef/Puppet? (Assuming the core functionality is available in 3.1.0.)
Can we configure SSO using OpenAM without using the UI ? If yes, please provide steps.
Ankush

May 22, 2015 at 5:37 pm #4224
Please read the section on our Full Stack Sample.
Our Full Stack Sample includes new (draft, in progress) features that we have included after the release of OpenIDM 3.1. It includes instructions on the changes you can make to configuration files to integrate OpenIDM, OpenAM, and OpenDJ.
As for your second question, we have a lot of documentation on configuring OpenAM from the command line, starting here: http://docs.forgerock.org/en/openam/12.0.0/admin-guide/index/chap-admin-tools.html . In that chapter, we show you the basics of the ssoadm command.
Once you have specifics (e.g. what kind of SSO do you want?), I suggest that you ask your question about configuring SSO with OpenAM in the OpenAM forum.
Mike

May 22, 2015 at 11:03 pm #4229 Jake Feasel (Moderator)
The work that was done for this after 3.1 was mainly for detecting that the session has expired and automatically redirecting to OpenAM to handle auth. If you aren’t too concerned about that, you should be able to have OpenAM provide auth as normal and then use the &goto=… parameter to send authenticated people back to OpenIDM with a valid token.
If you want to have better handling of auth failures within the OpenIDM UI, you’ll have to make similar changes to the ones I mentioned above.

May 26, 2015 at 3:04 pm #4241
I have gone through the Full Stack documentation, but as the sample is not present in 3.1, I am not able to try it with my current setup (3.1). I have tried making similar changes to the configuration files under <openidm_home>/conf instead and am able to do provisioning of OpenDJ users, but it does not show any “Login with OpenAM” link on the OpenIDM login page as mentioned in section 3.16.5. I think the Full Stack installation depends on the UI changes done after 3.1 to work, or it is not supported in 3.1, hence it may not work with 3.1.
Regarding Jake’s suggestion to have “OpenAM provide auth as normal and use the &goto=… parameter”, do you mean configuring the OpenAM auth provider with the Jetty policy agent in OpenIDM, or the “OpenAM Session module”? Could you please point me to the related docs or give more details?

September 2, 2015 at 7:07 pm #5348 tlmacal (Participant)
Was there an answer to Ankush’s last question? We are trying to sort out how we will use our federated OpenAM network to provide SSO for our single OpenIDM implementation. We are working with the release 3.1.0 – can we even perform the Full Stack Sample with that? Do we have to start compiling pre-release code for 4.0? Can we punt and just use an agent, and if so, which one?
Tim MacAlpine

September 3, 2015 at 12:12 am #5352
I apologize for not answering your question earlier. The Full Stack Sample is designed to work with our current trunk, OpenIDM 4.0. With the OPENAM_SESSION module, you do not need to use the OpenAM Jetty Policy Agent.
Mike

September 3, 2015 at 12:17 am #5353
Thank you for telling us that we did not answer Ankush’s question.
As for your question, we’ve designed the full stack sample with code from our current trunk. You don’t have to compile it: you can download a binary of that from https://forgerock.org/downloads/openidm-builds/.
As I noted to Ankush, our use of the OPENAM_SESSION module means that you do not have to use a policy agent.
Tim, you mentioned a “federated OpenAM network”. What version of OpenAM are you using?
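As an added illustration (not code from this thread, from ForgeRock, or from OpenIDM itself), the flow Jake describes above sketched in Python: a request without a valid OpenAM session is redirected to OpenAM's login page with the OpenIDM page carried in `goto`, while a request that presents the SSO cookie is checked the way the OPENAM_SESSION module does, through a session-validation call rather than a redirect. The OpenAM and OpenIDM URLs and `fake_openam_validate` are constructed stand-ins, and the validation endpoint named in the comment is an assumption about OpenAM 12's REST API.

```python
from urllib.parse import urlencode, urlsplit

# Constructed values for this example; a real deployment substitutes its own.
OPENAM_BASE = "https://openam.example.com/openam"
OPENIDM_BASE = "https://openidm.example.com/openidmui"
SSO_COOKIE = "iPlanetDirectoryPro"  # OpenAM's default SSO token cookie name


def goto_is_allowed(goto: str) -> bool:
    """Accept only 'goto' targets on OpenIDM's own scheme and host, so the
    parameter cannot be abused as an open redirect after a successful login."""
    want, got = urlsplit(OPENIDM_BASE), urlsplit(goto)
    return got.scheme == want.scheme and got.netloc == want.netloc


def login_redirect(return_url: str) -> str:
    """URL a session-less request is sent to: OpenAM's classic login page,
    with the (URL-encoded) OpenIDM page to return to in the goto parameter."""
    if not goto_is_allowed(return_url):
        return_url = OPENIDM_BASE + "/"
    return f"{OPENAM_BASE}/UI/Login?{urlencode({'goto': return_url})}"


def handle_request(cookies: dict, requested_url: str, validate_token) -> dict:
    """Decide what OpenIDM should do with an incoming UI request.
    validate_token(token) stands in for the OPENAM_SESSION module's background
    REST call (assumed: POST /json/sessions/<token>?_action=validate) and
    returns OpenAM's JSON answer as a dict."""
    token = cookies.get(SSO_COOKIE)
    if token:
        result = validate_token(token)
        if result.get("valid"):
            return {"action": "serve", "uid": result.get("uid")}
    # No cookie, or OpenAM reports the session as invalid/expired:
    # send the browser to OpenAM and let it come back via goto.
    return {"action": "redirect", "location": login_redirect(requested_url)}


def fake_openam_validate(token: str) -> dict:
    """Constructed stand-in for OpenAM's session validation response."""
    sessions = {"constructed-token-1": {"valid": True, "uid": "bjensen", "realm": "/"}}
    return sessions.get(token, {"valid": False})
```

The goto allowlist is the piece worth keeping whatever the rest looks like: OpenAM will happily redirect to any goto it is handed, so OpenIDM should only ever construct goto values that point back at itself.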