IRC log for #openam, 2013-12-09

All times shown according to UTC.

Time Nick Message
23:21 aldaris joined #openam
02:03 MegaMatt joined #openam
03:56 bthalmay_ joined #openam
05:23 pdurbin joined #openam
08:23 oxyehho joined #openam
08:32 hos001 joined #openam
08:36 balo aaand it's monday again. morning guys
08:49 asyd morning
09:17 aldaris joined #openam
09:27 bthalmay_ good morning
09:28 aldaris Good morning
09:30 balo this Post Data Preservation feature looks pretty neat
09:31 aldaris I think it only works if the POST was done using an HTML form
09:31 aldaris regular POST payloads can get lost AFAIK
09:47 balo does the lares response (when the idp redirects back to the agent protected application w/ cdsso) can contain user profile attributes? I see it contains the ProviderID, the token and the statuscode. Will the agent do another request to the idp for the user profile attributes with the token?
09:48 aldaris so, no it won't contain anything else
09:48 aldaris yes, it will be a second request
09:48 balo thanks! :)
09:48 aldaris if you look at the LARES response you can easily identify that it isn't signed at all
09:49 aldaris so agent shouldn't trust anything that comes back from that - except the session id
09:49 balo oh, i didn't think of that
09:51 balo there are sooo much things to learn
10:19 balo another (maybe silly) question but it's bugs me: I assume there is some kind of user session caching mechanism in the (web) policy agent. I'm looking at the com.sun.identity.agents.config.sso.cache.polling.interval option. Does this mean that the agent will update its cache at every n minutes independently from the activity of the protected applications? And, If I get this right, if the com.sun.identity.agents.config.notification.enab
10:20 balo s/it's bugs me/it bugs me/ sry
10:24 bthalmay_ if polling mode is used it will poll if sessions are in the cache ...no matter if a request hits the agent
10:24 bthalmay_ do you need polling mode?
10:25 bthalmay_ if notification mode is working fine you can even extend polling interval
10:26 balo as i see, the notifications currently disabled. idk exactly why.
10:28 balo bthalmay_: "if polling mode is used it will poll if sessions are in the cache ...no matter if a request hits the agent"
10:28 balo sry, silly client
10:30 bthalmay_ it has not been changed since invented by Sun ..
10:30 balo so, if the agent get a request and if the token is in its cache, then it won't do a request to the idp to see if it's valid
10:31 bthalmay_ 'idp' is not accurate ...
10:31 bthalmay_ 'session service'
10:31 balo :)
10:32 bthalmay_ correct
10:32 bthalmay_ agent has 3 caches , session, policy decision, agent configuration  ... hence 3 different properties
10:33 bthalmay_ J2EE agent has 4 caches ...
10:35 balo thanks, the source of the confusion was the session and policy decision cache
10:39 aldaris joined #openam
10:43 bthalmay_ the property you mentioned was related to 'agent configuration cache'
10:43 aldaris bthalmay_ IIRC the session cache in Apache PA isn't stored in the shared cache, so it is actually more like a per child cache, would that mean each child polling?
10:43 bthalmay_ yep
10:44 bthalmay_ You know how my feelings are about this ;-)
10:44 aldaris I guess one more reason to use notification mode
10:44 bthalmay_ sometimes it's not possible ...
10:44 bthalmay_ ALL OpenAM instance MUST be possible to communicate with ALL agents ...
10:45 bthalmay_ sometimes hard to achieve.
10:45 bthalmay_ we would need a FAN-out service ...
10:45 aldaris Is this resolved in trunk?
10:45 aldaris I think there were some changes recently removing APR requirements
10:45 aldaris I wonder if that covered this problem area
10:45 bthalmay_ One agent in the group gets the notification (through LB) and distributes it to other members of the groups ... could be cool
10:46 bthalmay_ I don't think the cache per process has changed ...
10:46 aldaris (sounds cool, but would be also fun to debug :)
10:47 bthalmay_ you have the agent logs .... so it's not that difficult ... at least not more than today
10:49 bthalmay_ of course notification mode should be used whenever possible
10:49 bthalmay_ when agent sends polling request 'amlbcookie' is not there ... so if this is used at LB for persistence --> x-talk
10:50 bthalmay_ 'lb enabled' setting in agent profile is quite questionable as it only sends value of SSOToken in polling request ...
10:50 aldaris right, but I don't think the agent caches the amlbcookie with session IDs
10:51 aldaris also does the agent create a batch request for the polling (is it like a GetSession for lots of different IDs)?
10:51 bthalmay_ that's the issue
10:51 bthalmay_ true
10:51 balo hmmm. I mentioned com.sun.identity.agents.config.sso.cache.polling.interval option but i think the config cache config is this: com.sun.identity.agents.config.polling.interval
10:52 bthalmay_ sorry I thought I've read the latter ..
10:53 balo so the ideal solution would be: com.sun.identity.agents.config.sso.cache.polling.interval=0 and com.sun.identity.agents.config.notification.enable=true
10:54 aldaris when using more than one agent, make sure all agents have their own profile (so use agent group for shared settings, but make the notification urls unique)
10:57 balo i didn't know about that more agent could work with one profile. Is it used when the agent and application instances behind a load balancer? omg
10:57 aldaris you can create an agent group
10:57 aldaris and define all the settings in the agent group
10:58 aldaris then you can have separate agent profiles for each agent you have to install
10:58 balo nice. I haven't used that before
10:58 aldaris basically if your application is being load balanced in some way, then you should deploy the agent on each node and create an agent group to store the shared settings
10:58 bthalmay_ if you can guarantee notifications are working fine, increase polling interval
10:58 bthalmay_ I have not tried to set it to '0' ... I guess this is not valid
10:59 aldaris I thought enabling notification automatically disables polling
11:00 bthalmay_ but the cache will be dirtied if polling interval is reached, Agent is running in an 'hybrid' mode actually
11:01 balo wow
11:02 balo These are very useful notes guys, should be in the docs :P
11:04 balo damn, i was into this totally, almost missed my 4hrs meeting -.-" thanks for the help!
12:16 MegaMatt joined #openam
13:22 MegaMatt What does PLL stand for? http://download.forgerock.org/downloads/openam/javadocs/internal/com/iplanet/services/comm/share/PLLBundle.html
13:22 aldaris TimRS knows
13:22 bthalmay_ Platform Low Level
13:24 bthalmay_ it's really old ... I think it originates from a product Tom Mueller created before the company he worked for was acquired by Sun
13:24 MegaMatt Ah ok :)
13:25 asyd waveset?
13:25 asyd ah no waveset is idm
13:28 bthalmay_ the company was 'Iplanet' IIRC, not to be confused with 'iPlanet', the virtual, tax-saving company founded by Sun and AOL/Netscape
14:30 tsmalmbe1 left #openam
15:07 kala_ joined #openam
15:44 Zendron joined #openam
17:22 kala joined #openam
18:11 SteveF__ joined #openam
18:44 aldaris joined #openam
19:56 aldaris joined #openam
20:17 Zendron joined #openam
20:47 aldaris joined #openam
21:13 SteveF joined #openam
21:58 aldaris joined #openam
22:35 MegaMatt joined #openam