November 23, 2017 at 8:22 pm #19702
Hi, we are in the process of upgrading our site from version OpenAM 10.0.0 to OpenAM 13.0.0.
We do have a topology in 3 zones.
– Zone 1: F5 servers doing the http proxy
– Zone 2: Application Zone containing a distributed Authentication Service and another server with the J2EE agent for the application
– Zone 3: Security zone which contains both OpenDJ servers along with the OpenAM server
When we started, we found in the release notes that there is no more distributed authentication service available. However, we don’t see any way to replicate it, or any documentation pointing to it.
Could you help us by guiding us to the proper solution? We would want to avoid having the OpenAM server change zone.
Alain

November 28, 2017 at 1:23 pm #19734
Andy Cory (Participant)
If you need a replacement for the functionality of the DAS and don’t want to re-architect your zones, you could look at:
1. Using a simple reverse proxy like Apache in Zone 2, protecting the OpenAM UI in Zone 3.
2. Using OpenIG (for more complex use cases).
3. Writing your own UI pages, hosting them in Zone 2 and driving OpenAM using the REST interface.
Which, if any, is best, depends on what the most important functionality of the DAS actually is in your case. For example, option 1 may be pointless given your F5s in Zone 1. If you need a fairly simple UI (authentication, for example, rather than a raft of self-service functionalities) then option 3 would be attractive. The REST APIs in v13 are way superior to those in v10.
-Andy

November 28, 2017 at 3:11 pm #19737
Thanks for your response,
The reason we had the DAS before was to only have the authentication part accessible from the client via F5, without the administration part. We did not make much use of the big features.
We had the application fronted by the F5 with a j2ee agent redirecting to the DAS (fronted by F5 also) for the authentication part, then forwarded to the application.
I found in a JIRA ticket that OpenIG was suggested as a replacement. Can you confirm this could be the case? The client is not quite fond of the Apache proxy.
Alain

November 28, 2017 at 4:15 pm #19738
Andy Cory (Participant)
I have never replaced DAS with IG myself, so cannot confirm directly from my own experience. But it’s certainly my understanding that IG can fulfil this use case – it is very flexible. I’ve had to replace DAS with custom UI pages as per my option 3 a couple of times. The easiest was a case like yours, when only the authentication was handled by DAS, and could be dealt with using a pretty simple angular.js app using OpenAM’s /authenticate endpoint.
-Andy

November 29, 2017 at 4:56 pm #19751
I did manage to make the solution work with OpenIG and all updated in our test environment.
However, I still have a problem which could be really annoying to the customer. I can successfully log in, but if I am on the login screen and I wait for the login timeout and press the login button, it shows the session timeout page. If I click "return to login", it keeps presenting the session timeout page.
Do you have a hint of the cause?

November 29, 2017 at 4:57 pm #19752
If I close the browser or flush the cache, I can log in again.
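Andy's option 3 above (a small custom UI in Zone 2 that drives OpenAM over REST) comes down to one endpoint: OpenAM 13's callback-based `/json/authenticate`. The client below is an added example, not code from the original thread, from ForgeRock, or from the poster's OpenIG setup. The endpoint path, the `Accept-API-Version` header and the challenge, success and failure body shapes are the ones documented for OpenAM 13; the base URL, the sample credentials, and the in-file `fakeOpenAM` transport that stands in for the server so the flow runs offline are constructed for this example, and only the top-level realm is handled. The security point it makes is the one the DAS used to make: the UI in the outer zone only ever needs this one authentication path exposed, it echoes `authId` back untouched so the reply stays bound to the server-side authentication context, and it never logs the `tokenId`, which is the SSO session value.

```javascript
// Added example: minimal client for OpenAM 13's callback-based REST login.
// Not ForgeRock code. Base URL, credentials and the fake server are constructed.

const API_VERSION = "resource=2.0, protocol=1.0"; // pins OpenAM 13's authenticate resource version

// URL and headers for the top-level realm; realm routing is deliberately left out.
function buildAuthRequest(baseUrl) {
  return {
    url: `${baseUrl}/json/authenticate`,
    headers: { "Content-Type": "application/json", "Accept-API-Version": API_VERSION },
  };
}

// Answer a challenge by filling NameCallback / PasswordCallback "input" values.
// The callbacks are returned in the same order with the same names, and authId is
// passed through verbatim: it is a signed JWT tying the answer to the server context.
// The original challenge object is not mutated.
function fillCallbacks(challenge, username, password) {
  if (!challenge || typeof challenge.authId !== "string" || !Array.isArray(challenge.callbacks)) {
    throw new Error("not an OpenAM authentication challenge");
  }
  const callbacks = challenge.callbacks.map((cb) => {
    let value;
    if (cb.type === "NameCallback") value = username;
    else if (cb.type === "PasswordCallback") value = password;
    else throw new Error(`unsupported callback type ${cb.type}`); // e.g. an MFA step this UI cannot render
    return { ...cb, input: cb.input.map((i) => ({ ...i, value })) };
  });
  return { authId: challenge.authId, callbacks };
}

// Classify a response: success carries tokenId + successUrl, another challenge carries
// callbacks, and a 401 carries a JSON error body with a "message".
function parseAuthResponse(status, body) {
  if (status === 200 && body && typeof body.tokenId === "string") {
    return { ok: true, tokenId: body.tokenId, successUrl: body.successUrl };
  }
  if (body && Array.isArray(body.callbacks)) return { ok: false, challenge: body };
  return { ok: false, error: (body && body.message) || `HTTP ${status}` };
}

// Full flow over a pluggable transport: postJson(url, headers, body) -> Promise<{status, body}>.
async function authenticate(postJson, baseUrl, username, password) {
  const { url, headers } = buildAuthRequest(baseUrl);
  let res = await postJson(url, headers, {}); // empty body: ask which callbacks the chain needs
  for (let round = 0; round < 3; round++) {
    const outcome = parseAuthResponse(res.status, res.body);
    if (outcome.ok || outcome.error) return outcome;
    res = await postJson(url, headers, fillCallbacks(outcome.challenge, username, password));
  }
  return { ok: false, error: "too many callback rounds" };
}

// Browser transport: credentials "include" lets the browser keep the session cookie
// OpenAM sets on success, so the UI never has to touch tokenId itself.
function fetchTransport(url, headers, body) {
  return fetch(url, { method: "POST", headers, body: JSON.stringify(body), credentials: "include" })
    .then((r) => r.json().then((json) => ({ status: r.status, body: json })));
}

// Constructed stand-in for the server (shapes only, not OpenAM internals) so the
// example runs offline. "demo" / "changeit" and the token string are sample values.
const SAMPLE_CHALLENGE = {
  authId: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.CONSTRUCTED.SAMPLE",
  template: "", stage: "DataStore1", header: "Sign in to OpenAM",
  callbacks: [
    { type: "NameCallback", output: [{ name: "prompt", value: "User Name:" }], input: [{ name: "IDToken1", value: "" }] },
    { type: "PasswordCallback", output: [{ name: "prompt", value: "Password:" }], input: [{ name: "IDToken2", value: "" }] },
  ],
};
function fakeOpenAM(url, headers, body) {
  if (!url.endsWith("/json/authenticate") || headers["Accept-API-Version"] !== API_VERSION) {
    return Promise.resolve({ status: 404, body: { message: "not found" } });
  }
  if (!body.callbacks) return Promise.resolve({ status: 200, body: SAMPLE_CHALLENGE });
  const user = body.callbacks[0].input[0].value;
  const pass = body.callbacks[1].input[0].value;
  if (body.authId === SAMPLE_CHALLENGE.authId && user === "demo" && pass === "changeit") {
    return Promise.resolve({ status: 200, body: { tokenId: "AQIC5w-CONSTRUCTED-SAMPLE-TOKEN", successUrl: "/openam/console" } });
  }
  return Promise.resolve({ status: 401, body: { code: 401, reason: "Unauthorized", message: "Authentication Failed" } });
}

// Demo run against the fake; print the outcome but never the token.
authenticate(fakeOpenAM, "https://openam.example.com/openam", "demo", "changeit")
  .then((r) => console.log(r.ok ? `logged in, redirect to ${r.successUrl}` : `login failed: ${r.error}`));
```

In a real deployment `fetchTransport` replaces `fakeOpenAM`, the Zone 1 F5 forwards only `/openam/json/authenticate` (and whatever success redirect the application needs) to the Zone 3 server, and the console paths stay unreachable from outside, which is the isolation the DAS provided. A chain that adds callback types this UI does not understand (a second factor, for instance) fails closed in `fillCallbacks` rather than silently skipping the step.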