July 26, 2020 at 5:27 pm #28114
Here is the definition of my Authentication Chain:
(1) LDAP Module (takes uid/pwd) marked as “requisite”.
(2) RADIUS Module (takes uid/OTP) marked as “required”.
The user enters the uid/pwd for the 1st module, followed by uid/OTP in the second module, for this authn chain to be successful. I am using OOB login pages. How can I pre-populate the uid in the 2nd module from the 1st module, so the user does not have to re-enter it?
Kabi
July 27, 2020 at 4:18 pm #28118
Hi Kabi, I would suggest looking into utilizing sharedState for this scenario. Shared state is AM’s way of sharing information between authentication modules or nodes.
July 27, 2020 at 9:05 pm #28128
The shared state did not work. I set the following:
(1) LDAP Module (takes uid/pwd) has option “iplanet-am-auth-store-shared-state-enabled=true”.
(2) RADIUS Module (takes uid/OTP) has option “iplanet-am-auth-shared-state-enabled=true”.
I did not see the value of “username” transferred from the 1st module to the 2nd one. Note that only the “userName” is common between these two modules. The user is still required to enter the password and OTP in the respective module. All I wanted is for the value of userName to appear on the UI of the 2nd module for convenience.
Kabi
July 29, 2020 at 5:53 pm #28137
So, it doesn’t actually work that way. If it’s configured correctly, the RADIUS module will use information stored in shared state to perform authentication instead of pre-populating and rendering the UI. Also, I would suggest enabling iplanet-am-auth-shared-state-behavior-pattern=useFirstPass on the RADIUS module, and enabling Debug and sharing logs if you are still experiencing issues.
July 29, 2020 at 7:59 pm #28142
My use case is different. I simply wanted to pre-fill the userName in module 2 from module 1. The user still needs to fill in the OTP in module 2. Module 1 collects the user’s password, which is validated against LDAP, while Module 2 collects the OTP, which is validated against a RADIUS server.
Using “useFirstPass” will try to authenticate the user in the RADIUS module (Module 2) with the credential from module 1 meant for LDAP. The authentication will fail.
Kabi
August 4, 2020 at 1:41 am #28159
Will try out the authn state mentioned here. That may capture the userName from the shared object.
https://backstage.forgerock.com/docs/am/6.5/dev-guide/index.html#scripting-api-authn-state
August 4, 2020 at 7:39 pm #28163
I suggest downloading the am-external source code to see how these modules work. I have yet to work with the RADIUS module, but from what it seems like, you will have to modify the module to implement your requirements. The stock behaviour of the module is to either ask the user for username/password if not present in shared state, or use the shared state data directly. It will not pre-populate those fields as you want.
And I am not aware of your requirements, but it seems like you want to collect username/password and OTP values at the same time. Shouldn’t you validate username/password first and then ask for the OTP as a second factor?
August 4, 2020 at 7:54 pm #28165
- This reply was modified 1 week ago by Jatinder Singh.
And I just looked at the RADIUS module source code again, and if my understanding of your requirements is correct, this is how it should work if there’s an OTP challenge involved:
P.S. this is from the Auth Chain perspective.
1. Username/Password information is passed via shared state to the RADIUS module;
2. RADIUS module picks the username/password from shared state and authenticates the user by invoking
3. RADIUS module successfully validates the username/password and returns a challenge response, and the state of the module is set to
4. User enters the OTP in the password input box and hits submit;
5. RADIUS module intercepts the LOGIN_CHALLENGE reply from the user and invokes
6. For a happy-case scenario, the RADIUS module returns
Hope this clarifies any confusion!
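The chain behaviour the thread circles around (shared state being consumed for authentication rather than rendered, useFirstPass failing the RADIUS step with the LDAP password, tryFirstPass falling back to an empty prompt, and a requisite failure aborting the chain) as a small Python model. This is an added example, not code from the thread or from ForgeRock AM: the javax.security.auth.login.* shared-state key names and the tryFirstPass pattern are assumptions taken from AM's documentation, and the fake LDAP/RADIUS back ends, the sample user and the control flow are constructed to reproduce the outcomes described in the posts.

```python
"""Toy model of an AM-style authentication chain with shared state.

Constructed for this thread; it is not ForgeRock AM source. It models the
behaviour described above (requisite vs required, the store/use shared-state
options, the useFirstPass and tryFirstPass patterns) against fake LDAP and
RADIUS back ends so the outcomes can be checked offline. The control flow is
an assumption about how a stock module consumes shared state, not a copy.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple

# Shared-state keys (assumed; AM uses javax.security.auth.login.* names).
SS_USER = "javax.security.auth.login.name"
SS_PASS = "javax.security.auth.login.password"


class Flag(Enum):
    REQUISITE = "requisite"  # failure aborts the chain immediately
    REQUIRED = "required"    # failure is recorded, later modules still run


# Constructed back ends standing in for the directory and the RADIUS server.
LDAP_USERS = {"alice": "ldap-secret"}
RADIUS_OTPS = {"alice": "123456"}


def ldap_verify(user: str, secret: str) -> bool:
    return LDAP_USERS.get(user) == secret


def radius_verify(user: str, secret: str) -> bool:
    return RADIUS_OTPS.get(user) == secret


@dataclass
class Module:
    name: str
    flag: Flag
    verify: Callable[[str, str], bool]
    store_shared_state: bool = False  # iplanet-am-auth-store-shared-state-enabled
    use_shared_state: bool = False    # iplanet-am-auth-shared-state-enabled
    pattern: str = "tryFirstPass"     # iplanet-am-auth-shared-state-behavior-pattern


def run_chain(modules: List[Module], typed: Dict[str, Tuple[str, str]]):
    """Run the chain. `typed` is what the user would enter on each module's own
    login page (username, secret), keyed by module name. Returns
    (chain_ok, per-module results, fields each module actually prompted for)."""
    shared: Dict[str, str] = {}
    results: List[Tuple[str, bool]] = []
    prompted: List[Tuple[str, List[str]]] = []
    for m in modules:
        user, secret, ok, asked = "", "", False, []
        # Credentials found in shared state are consumed for authentication;
        # they are never rendered into the module's form.
        if m.use_shared_state and SS_USER in shared:
            user, secret = shared[SS_USER], shared.get(SS_PASS, "")
            ok = m.verify(user, secret)
        # useFirstPass: succeed or fail on the shared credentials, no prompt.
        # tryFirstPass (or nothing in shared state): fall back to the module's
        # own callbacks, which start empty, so nothing is pre-filled.
        silent = m.use_shared_state and SS_USER in shared and m.pattern == "useFirstPass"
        if not ok and not silent:
            user, secret = typed[m.name]
            asked = ["username", "password"]  # the OTP goes in the password box
            ok = m.verify(user, secret)
        results.append((m.name, ok))
        prompted.append((m.name, asked))
        if ok and m.store_shared_state:
            shared[SS_USER], shared[SS_PASS] = user, secret
        if not ok and m.flag is Flag.REQUISITE:
            break  # requisite failure: the rest of the chain never runs
    chain_ok = len(results) == len(modules) and all(r for _, r in results)
    return chain_ok, results, prompted


def kabi_chain(radius_pattern: str) -> List[Module]:
    """The chain from the first post: LDAP (requisite) then RADIUS (required)."""
    return [
        Module("LDAP", Flag.REQUISITE, ldap_verify, store_shared_state=True),
        Module("RADIUS", Flag.REQUIRED, radius_verify, use_shared_state=True,
               pattern=radius_pattern),
    ]


# What the user types on each page (constructed sample input).
TYPED_OK = {"LDAP": ("alice", "ldap-secret"), "RADIUS": ("alice", "123456")}
TYPED_BAD_LDAP = {"LDAP": ("alice", "wrong"), "RADIUS": ("alice", "123456")}

if __name__ == "__main__":
    for pattern in ("useFirstPass", "tryFirstPass"):
        print(pattern, run_chain(kabi_chain(pattern), TYPED_OK))
    print("bad LDAP password", run_chain(kabi_chain("tryFirstPass"), TYPED_BAD_LDAP))
```

Running it shows the two outcomes from the posts: with useFirstPass the RADIUS step is fed the LDAP password from shared state and fails without ever prompting, and with tryFirstPass it falls back to its own callbacks, which ask for the username again rather than pre-filling it. Neither path renders shared state into the form, which is the point of the replies above.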