IRC log for #openam, 2014-02-26

All times shown according to UTC.

Time Nick Message
00:17 aldaris joined #openam
06:14 rghose joined #openam
07:18 rghose I am trying to use the OATH (Google Authenticator) module with my Data Store as an Active Directory Server. The configuration asks for some specific attributes of the AD, my question is, since my AD is in production, will OpenAM try to write to the AD? Or will it make changes in the local OpenDJ instance?
07:40 kala_ it probably needs to add some information regarding the OATH protocol to the user's attributes
07:40 kala_ so, it will need write access to AD
07:53 rghose okay, so what I don't understand is, what is the local OpenDJ used for then?
07:54 rghose It would have been a much cleaner design if it used that cache for this purpose. Also from what I understand it needs a shared *secret*, could it not just *read* it from a user attribute instead?
07:57 kala_ well, this secret has to be written to the attribute somehow?
07:57 kala_ openam uses two different "stores". One is for user data and another is for openam configuration data. And now ... the third is for session data
07:58 kala_ the second and third are placed to the same ldap server and admin cannot configure that. I think
08:00 rghose thanks for your help dude. so I am guessing, OpenAM will not write but rather read from the AD?
08:00 kala_ so ... "local opendj" is not for caching
08:00 rghose I need to manually enter the title in base16 encoded format to the ad?
08:00 rghose yeah got the opendj part now
08:00 kala_ I'm not familiar with this OATH module itself. The best answer is probably in the source code :)
08:01 rghose yeah thanks a lot
08:01 kala_ so far I was just guessing, but I'm afraid I am at the limit of my knowledge
08:02 rghose haha, works dude
08:04 aldaris joined #openam
09:19 aldaris joined #openam
09:35 rghose1 joined #openam
09:57 kala_ morning
09:57 kala_ äh, aldaris just left
09:58 kala_ does anyone know what other "actions" the interface "https://openam.example.com:8443/openam/json/sessions/?_action=logout" supports?
10:02 kala_ for example ... how is one supposed to get session attributes or find out who is the user behind the session token, using just JSON interfaces?
10:17 rghose1 another OATH query. What will be the url to be qr-coded? I am using: otpauth://totp/test@forgerock.com?secret= for myself. Google authenticator throws an error when scanning. Am I doing something wrong?
10:27 kala_ (oh, there's a mailing list thread about my json question)
10:34 aldaris joined #openam
11:06 rghose joined #openam
11:26 rghose joined #openam
11:55 MegaMatt joined #openam
12:56 rghose joined #openam
13:38 hos002 joined #openam
14:46 rghose joined #openam
15:19 aldaris joined #openam
15:23 rghose1 joined #openam
16:15 rghose joined #openam
19:02 Glass_Home joined #openam
19:03 Glasswalker Hey, quick question. I have the following situation and trying to confirm if it can be done with SAML and OpenAM:
19:03 Glasswalker Service Provider has a web portal, which trusts Organization A (which acts as an Identity Provider Proxy)
19:04 Glasswalker Organization A has federations with several other organizations, let's call them B,C,D
19:04 Glasswalker Organization C in turn has federations with Organizations X,Y,Z
19:04 Glasswalker A user from organization Z needs to access the portal
19:04 Glasswalker using SSO
19:05 asyd god
19:05 Glasswalker Yeah lol
19:05 Glasswalker welcome to my pain
19:06 Glasswalker It's actually far more convoluted than that, but that is as simple a test case as I can come up with that explains it
19:06 asyd at least you have funny use case
19:07 Glasswalker Now OrgA has a service for proxying to their federation members' IdP. I don't know what it is yet. But right now working with the assumption it's SAML based
19:08 Glasswalker (and have some info to back this assumption up, waiting on real dev access to their services)
19:09 Glasswalker OrgC has an undefined federation with Org X,Y,Z (ie it's in their control, not mine, and it may be via OpenAM, Oracle IDM, Tivoli, or any other product, or simply ADFS)
19:09 Glasswalker I have the ability to deploy an appliance at OrgC
19:09 Glasswalker to facilitate the whole thing
19:09 Glasswalker so my thinking is I deploy OpenAM on said appliance, and use it to handle anything that may exist behind that
19:10 Glasswalker so that the OrgA -> OrgC relationship is clean, and any other IdP behind OrgC is transparent to OrgA
19:10 Glasswalker That way OrgA signs off on the transaction as authenticated, taking the word of OrgC
19:10 Glasswalker And the Portal allows the user in
19:10 Glasswalker (in theory)
19:11 Glasswalker Assuming this can be done basically by having both IdP and SP at each proxy stage
19:12 Glasswalker so the Portal redirects auth request to OrgA Proxy, which is also essentially another SP, which redirects auth request to the next level down, and so on
19:12 Glasswalker eventually the lowest level is reached, signs off on the token, passes it up, which allows tokens at each higher level to be created and so on
19:29 aldaris joined #openam
19:34 aldaris Glasswalker IdP proxy is meant to be multilayered
19:34 aldaris there is a proxycount setting even, you can tell how many times the request can get proxied to another idp
19:35 Glasswalker That's what I thought. I have yet to implement anything quite this convoluted yet ;)
19:35 Glasswalker so wanted to ask around quickly to ensure I wasn't down the wrong path lol
19:40 hos002 left #openam
19:56 Glass_Home joined #openam
19:58 Wusel_ joined #openam
19:58 sayakb joined #openam
19:58 tsmalmbe1 joined #openam
20:05 Wusel_ joined #openam
20:05 sayakb joined #openam
20:11 MegaMatt_ joined #openam
21:08 MegaMatt joined #openam
21:28 Scient joined #openam
21:28 Scient good evening
21:28 Scient anyone awake?
22:01 aldaris joined #openam
22:08 aldaris Scient: yepp
22:28 aldaris joined #openam
22:35 Scient I can't seem to find anything useful on how to use RDBMS to store policies/configuration (if possible) and users (I guess this part would be more like replicating from RDBMS to OpenDJ?)
22:36 aldaris policies are stored in directory server
22:36 aldaris and so is configuration
22:36 aldaris you can have users in RDBMS, and you can use those exclusively (i.e. no need for synchronizing that with OpenDJ)
22:40 Scient so in my case I have OpenDJ set up, with its internal BerkeleyDB as its backend (as I did not configure any external LDAP server) - meaning my config and policies will live here then?
22:41 Scient I also read about having a custom module for doing straight RDBMS authentication, but I think using some kind of LDAP replication schema (be it OpenDJ itself or an external LDAP server) seems more reasonable, as it's easier to scale?
22:42 aldaris yes, when you use the embedded configuration store, then yes, that stores the config and the policies (policies are part of config really)
22:42 aldaris not sure what you mean, if your users are stored in DB, then you ought to use a DB based auth module
22:46 Scient I mean I would like to leverage the existing functionality that works with LDAP, so I thought I would just replicate my users with relevant attributes to an LDAP server and use that instead?
22:47 Scient and in my case that LDAP server right now is OpenDJ, might make sense to use something else though, I'm not familiar with LDAP at all
23:01 aldaris joined #openam
23:02 aldaris right, but you shouldn't use OpenAM for synchronizing users between DB and DJ
23:08 Scient I guess what I'm asking is how do I replicate my RDBMS users into LDAP (OpenDJ in this case), does OpenDJ provide anything for this?
23:13 balo joined #openam
23:17 MegaMatt joined #openam
23:44 aldaris joined #openam