Upgrade 10.0.0 to 13.0 – Distributed Authentication Service Removed

This topic contains 5 replies, has 2 voices, and was last updated by alain.lavoie@expertus.ca 2 weeks, 1 day ago.

    #19702
     alain.lavoie@expertus.ca 
    Participant

    Hi, we are in the process of upgrading our site from version OpenAM 10.0.0 to OpenAM 13.0.0.

    We do have a topology in 3 zones.
    – Zone 1: F5 servers doing the http proxy
    – Zone 2: Application Zone containing a distributed Authentication Service and another server with the J2EE agent for the application
    – Zone 3: Security zone which contains both OpenDJ servers along with the OpenAM server

    When we started, we found in the release notes that there is no longer a distributed authentication service available. However, we don’t see any way to replicate it, or any documentation pointing to it.

    Could you help us by guiding us to the proper solution? We would want to avoid having the OpenAM server change zone.

    Regards,

    Alain

    #19734
     Andy Cory 
    Participant

    Hi Alain

    If you need a replacement for the functionality of the DAS and don’t want to re-architect your zones, you could look at:

    1. Using a simple reverse proxy like Apache in Zone 2, protecting the OpenAM UI in Zone 3.
    2. Using OpenIG (for more complex use cases).
    3. Writing your own UI pages, hosting them in Zone 2 and driving OpenAM using the REST interface.

    Which, if any, is best, depends on what the most important functionality of the DAS actually is in your case. For example, option 1 may be pointless given your F5s in Zone 1. If you need a fairly simple UI (authentication, for example, rather than a raft of self-service functionalities) then option 3 would be attractive. The REST APIs in v13 are way superior to those in v10.

    -Andy

    #19737
     alain.lavoie@expertus.ca 
    Participant

    Hi Andy,

    Thanks for your response,

    The reason we had the DAS before was to only have the authentication part accessible from the client via F5, without the administration part. We did not make much use of the big features.

    We had the application fronted by the F5 with a j2ee agent redirecting to the DAS (fronted by F5 also) for the authentication part, then forwarded to the application.

    I found in a JIRA ticket that OpenIG was suggested as a replacement. Can you confirm this could be the case? The client is not quite fond of the Apache proxy.

    Regards,

    Alain

    #19738
     Andy Cory 
    Participant

    Hi Alain

    I have never replaced DAS with IG myself, so cannot confirm directly from my own experience. But it’s certainly my understanding that IG can fulfil this use case – it is very flexible. I’ve had to replace DAS with custom UI pages as per my option 3 a couple of times. The easiest was a case like yours, when only the authentication was handled by DAS, and could be dealt with using a pretty simple angular.js app using OpenAM’s /authenticate endpoint.

    -Andy
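As an added illustration of option 3 (this is example code, not Andy's app or anything from ForgeRock), the snippet below drives OpenAM 13's `/json/authenticate` callback exchange from the browser side: the server replies with an `authId` and a list of callbacks, the client fills the `input` values and POSTs the same document back until a `tokenId` comes back. The sample replies, the `/openam` deployment URL and the `PLACEHOLDER_*` values are constructed assumptions; an error reply makes the client start a fresh authentication rather than resend a stale `authId`.

```javascript
// Fill NameCallback / PasswordCallback inputs in an /authenticate reply.
// Works on a copy so the server reply itself is never mutated.
function fillCallbacks(doc, username, password) {
  const filled = JSON.parse(JSON.stringify(doc));
  for (const cb of filled.callbacks || []) {
    for (const input of cb.input || []) {
      if (cb.type === 'NameCallback') input.value = username;
      else if (cb.type === 'PasswordCallback') input.value = password;
    }
  }
  return filled;
}

// Decide the next client action from an /authenticate reply:
//   { action: 'done', tokenId, successUrl } when authentication succeeded,
//   { action: 'submit', body }              when callbacks must be answered,
//   { action: 'restart', reason }           on an error reply (e.g. expired authId).
function nextStep(reply, username, password) {
  if (reply.tokenId) {
    return { action: 'done', tokenId: reply.tokenId, successUrl: reply.successUrl };
  }
  if (Array.isArray(reply.callbacks)) {
    return { action: 'submit', body: fillCallbacks(reply, username, password) };
  }
  // Error replies carry a numeric "code"; the stale authId must not be resent,
  // so the caller issues a new POST /json/authenticate without any authId.
  return { action: 'restart', reason: reply.message || 'unknown error' };
}

// Constructed sample replies in the shape OpenAM 13 uses for a name/password
// module. The authId and tokenId values are placeholders, not real tokens.
const SAMPLE_CHALLENGE = {
  authId: 'PLACEHOLDER_AUTH_ID', template: '', stage: 'DataStore1', header: 'Sign in',
  callbacks: [
    { type: 'NameCallback', output: [{ name: 'prompt', value: 'User Name:' }],
      input: [{ name: 'IDToken1', value: '' }] },
    { type: 'PasswordCallback', output: [{ name: 'prompt', value: 'Password:' }],
      input: [{ name: 'IDToken2', value: '' }] }
  ]
};
const SAMPLE_SUCCESS = { tokenId: 'PLACEHOLDER_SSO_TOKEN', successUrl: '/openam/console' };
const SAMPLE_ERROR = { code: 401, reason: 'Unauthorized', message: 'Session has timed out' };

// Browser usage, assuming OpenAM is reachable at /openam via the Zone 2 proxy:
//   const opts = { method: 'POST', headers: { 'Content-Type': 'application/json' } };
//   let step = nextStep(await (await fetch('/openam/json/authenticate', opts)).json(), user, pass);
//   while (step.action === 'submit') {
//     const r = await fetch('/openam/json/authenticate', { ...opts, body: JSON.stringify(step.body) });
//     step = nextStep(await r.json(), user, pass);
//   }
```

The returned `tokenId` is the SSO token that the J2EE agent expects in the OpenAM session cookie, so the UI only has to hand it over; the loop never re-POSTs a document once an error reply has been seen.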

    #19751
     alain.lavoie@expertus.ca 
    Participant

    Thanks Andy,

    I did manage to make the solution work with OpenIG and all updated in our test environment.

    However, I still have a problem which could be really annoying to the customer. I can successfully log in, but if I am on the login screen and I wait for the login timeout and press the login button, it shows the session timeout page. If I click “return to login”, it keeps presenting the session timeout page.

    Do you have a hint of the cause?

    #19752
     alain.lavoie@expertus.ca 
    Participant

    More details.

    If I close the browser or flush the cache, I can log in again.

©2017 ForgeRock