
IRC log for #openam, 2014-02-27


All times shown according to UTC.

Time Nick Message
00:48 ilbot3 joined #openam
00:48 Topic for #openam is now Chat about the OpenAM project - http://download.forgerock.com - OpenAM 11.0.0 is out!!! - OpenAM 10.0.2 is out!!! Channel logs at: http://irclog.perlgeek.de/openam/today
05:52 Wusel_ joined #openam
06:01 rghose joined #openam
07:21 Wusel_ is it possible to make a field required when registering and then not editable in the EndUser-page?
08:14 bthalmayr joined #openam
08:24 rghose hi I am looking for an openam connector with php using openid connect, where can I find a sample code? thanks in advance
08:25 aldaris joined #openam
08:45 asyd Scient: use lSC
08:45 asyd Scient: http://lsc-project.org/wiki/
09:08 Wusel_ do i have to create a new authentication module if I want to make the mail-field uneditable to the user?
09:30 asyd no you can customize a xml file to choose which fields are displayed/editable in end user page
09:33 Wusel_ can u give me a hint which xml file? ;)
09:34 Wusel_ datastore.xml?
09:34 aldaris amuser.xml, it's a service definition
09:35 aldaris have you read the docs??
09:36 Wusel_ i read the docs, yes
09:36 Wusel_ that's why I'm looking in the config/auth folder
09:36 aldaris guess you've missed this chapter: http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/dev-guide/index.html#chap-custom-attr
09:40 Wusel_ there is no xml directory under config
09:42 aldaris asyd: how did you feel about anders' blog entry about OATH?
09:43 Wusel_ there is no xml directory in webapps/openam/config
09:43 Wusel_ or where should it be
09:44 Wusel_ I'm confused
09:46 asyd aldaris: hmm url?
09:47 aldaris http://identitybrandwag.blogspot.se/2014/02/two-factor-authentication-for-mobile.html
09:47 asyd thanks i'll read that later
09:47 aldaris tomorrow's subject is still HOTP and TOTP :)
09:49 asyd cool
09:54 Wusel_ aldaris there is definitely no xml directory and no amUser.xml o_O
09:55 Wusel_ did i miss something?
09:57 aldaris just confusing the WAR with the openam configuration directory, that's all
10:11 Wusel_ asyd: I built OpenAM 11 from source and got a OpenAM-11.0.0.war in the openam-server directory
10:11 Wusel_ there is no xml directory and no amUser.xml in this WAR
10:31 rghose1 joined #openam
10:41 aldaris joined #openam
10:41 rghose joined #openam
11:16 dean Hey guys, is there a definition of what c66 encoding is somewhere?
11:21 aldaris basically something that is friendly for cookies :)
11:25 dean Hah I guessed, I meant more like a specification for the encoding or a reference implementation
11:25 aldaris lol, it's probably not even a standard or something
11:25 dean Yeah I'm not finding very much about it.
11:26 dean We switched it on recently and all of a sudden a bug stopped happening so we're guessing it's related. Just trying to track down what happened now.
11:27 dean My guess is that one of our clients wasn't handling cookies properly and this encoding effectively side stepped the problem but I wanted to confirm.
11:28 dean Ahh found it https://github.com/aldaris/openam/blob/742f8f18d70da8143d5551f8e8ad92accb9cd2cc/openam/openam-core/src/main/java/com/iplanet/dpro/session/SessionID.java#L571
11:30 aldaris yeah, that's it
11:59 MegaMatt joined #openam
12:00 aldaris joined #openam
12:14 rghose1 joined #openam
12:33 aldaris joined #openam
13:07 hos002 joined #openam
13:32 rghose joined #openam
13:41 aldaris joined #openam
13:57 rghose I am using a sample php client for openid connect ("https://github.com/jumbojett/OpenID-Connect-PHP") I get this:  redirect_uri_mismatch
14:09 aldaris then probably the redirect_uri needs to be fixed
14:09 rghose I haven't provided any redirect_uri in the agent configuration
14:11 rghose a sample:  redirect_uri=http%3A%2F%2F172.16.136.125%2Fopenam_test%2Fclient_example.php&client_id=test&nonce=f470aa33f3f237c59ba650799c5a23e1&state=1ae580fdd57ca67fcf5b02ee7ea0c680
14:17 auke- joined #openam
14:56 rghose anyone any ideas?
15:16 asyd_ joined #openam
15:20 asyd_ roysjosh: btw why openid? it's mandatory you can use something else?
15:20 roysjosh rghose, ^^
15:22 balo joined #openam
15:23 asyd_ ah yeah, thanks to the split
15:27 balo you too?
15:29 rghose joined #openam
15:30 asyd_ yeah
15:35 rghose how does one know which redirect_urls are valid on OAuth (OpenID connect) agents?
15:46 rghose joined #openam
16:49 Scient asyd: LSC is basically a periodical syncing tool right? is there something that would like... mirror stuff into LDAP in real time?
16:49 asyd n
16:49 asyd oups
16:50 Scient well shit...
16:51 asyd good luck to have something in 'real time' especially for free
16:51 asyd what is your sql server?
16:51 Scient postgresql
16:51 Scient near-real time is fine as well i suppose :P
16:51 asyd trigger?
16:52 Scient we have an application that handles new user enrollment among other things and now i want to use OpenAM on top of that existing data
16:52 Scient i could do it by doing straight JDBC authentication
16:52 Scient but i feel like i would be missing out on some of the benefits LDAP provides
16:53 Scient so i would rather just somehow mirror the needed specific attribute set into LDAP for OpenAM to use
17:58 aldaris joined #openam
18:56 hos002 left #openam
19:46 aldaris joined #openam
20:40 Scient so where is the amadmin user stored? i cant seem to find it in OpenDJ (which im using as my storage)
20:40 aldaris it's in the configuration store
20:40 aldaris well hidden ;)
20:41 Scient hah
20:41 Scient okay
20:42 Scient and i had this weird thing happen earlier where i enabled XUI and could not log into the top level realm with amadmin anymore
20:42 Scient it just gave me an error message, no login forms, no nothing
20:43 aldaris well XUI is experimental I wouldn't expect any good from it
20:43 asyd XUI?
20:46 Scient yeah i figured as much
20:55 Wusel_ joined #openam
21:18 MegaMatt Did you mean like cn=Administrators,cn=admin data ?
21:19 asyd s/ 6
21:26 MegaMatt Or did you mean like .. ou=amAdmin,ou=users,ou=default,ou=GlobalConfig,ou=1.0,ou=sunIdentityRepositoryService,ou=services,dc=openam,dc=forgerock,dc=org ?
21:26 asyd oh aldaris left
21:27 asyd just curious if FG have planned to improve privileged users in openam
21:27 asyd and role separation
21:27 asyd segmentation
21:27 asyd don't remember the english term
21:27 aldaris joined #openam
22:33 Scient i have two different realms, testing it with 2 different SAML SP-s
22:33 Scient when i authenticate against realm1, why do i need to sign out and re-authenticate against realm2?
22:34 Scient why isnt the session "re-used"?
22:53 Scient and every time i get this screen https://www.dropbox.com/s/0gql6pa3yvp5jn4/Screenshot%202014-02-27%2017.24.49.png and press "No", i get an error
22:54 asyd is realm1 a subrealm of realm1?
22:54 asyd sorry
22:54 asyd is realm2 a subrealm of realm1?
22:58 Scient yes
22:59 Scient wait... i dont think so
22:59 Scient good point, both seem to be subrealms of /
22:59 Scient how do i change this
23:00 asyd well
23:00 asyd good luck :)
23:00 asyd is in a test environment?
23:00 Scient haha
23:00 Scient yes
23:00 Scient im just trying to figure out OpenAM in general before i actually start integrating it
23:00 asyd why you have two realms if you want users having the same access?
23:01 Scient well its different LOA-s, so they will eventually have different policies
23:01 asyd LOA?
23:01 Scient level of assurance
23:02 Scient different levels of authorization basically
23:02 asyd ah yeah ok
23:03 asyd well, I must confess I have no idea
23:03 Scient so my goal is that we have the same user base across all realms,  different SP-s want different LOA-s, so how i think it should work is that those SP-s make the user authenticate against a specific realm (which determines the LOA)
23:04 Scient and that realm has an appropriate authentication chain (like 2factor auth if needed for higher levels etc)
23:04 Scient and then has policies that verify this user actually has the necessary attributes for a higher LOA
23:05 Scient and when i finally understand how this all works in OpenAM, i need to integrate it with a proprietary application for new user enrollment and actual attribute verification
23:06 asyd hmm about 2factor auth, a SP can request a specific authentication schema
23:06 asyd I don't remember the attribute
23:06 asyd and you can disable schema per SP
23:06 asyd about attributes, I don't know
23:07 asyd you should ask on the mailing list
23:07 Scient yeah ill try, thanks anyway
23:08 Scient i just feel like im way over my head with this right now, im not sure what the fuck im doing :d
23:10 asyd ah, openam side, authentication context is configure in iDP
23:11 asyd s/ 27
23:11 asyd oups
23:22 balo joined #openam
23:25 aldaris joined #openam
