IRC log for #openam, 2014-10-29

All times shown according to UTC.

Time Nick Message
05:47 ramteid joined #openam
07:09 rghose joined #openam
07:41 pfreixes joined #openam
07:59 KermitTheFragger joined #openam
08:28 bthalmayr joined #openam
08:34 aldaris joined #openam
11:01 aldaris1 joined #openam
11:24 rghose joined #openam
11:24 MegaMatt joined #openam
12:19 insanidOpenAM joined #openam
12:20 insanidOpenAM anyone alive ?
12:20 insanidOpenAM at least awake ?
12:20 MegaMatt Nope
12:21 aldaris1 all dead
12:23 insanidOpenAM damn
12:23 insanidOpenAM so, I managed to authenticate against the openAM server.
12:24 insanidOpenAM thanks for your support
12:24 insanidOpenAM any hints on how to get logged out ?
12:30 asyd click on logout?
12:33 MegaMatt or call the REST logout?
12:36 insanidOpenAM I mean 'from my application'.
12:36 aldaris configure the agent?
12:37 MegaMatt http://docs.forgerock.org/en/openam/10.1.0/admin-guide/index/chap-agents.html  -> Agent Logout URL properties
12:42 insanidOpenAM all I can do in terms of log out is to invalidate the session and call request.
12:42 insanidOpenAM I didn't have to write a single line of code to get logged in
12:42 MegaMatt You don’t have to write any code to logout?
12:42 insanidOpenAM do I have to write code in my app to get logged out ? I mean: explicitly invoke something from openam ?
12:42 MegaMatt No
12:43 MegaMatt Did you read the doc above?
12:43 MegaMatt At the location I mentioned?
12:43 aldaris did you? :)
12:43 insanidOpenAM I'm reading it right now.
12:43 aldaris goood :)
12:43 insanidOpenAM not clear yet. give me a few moments  :_)
12:43 MegaMatt “The user is logged out of the OpenAM session when these URLs are accessed.”
13:20 MegaMatt Hrmm
13:21 MegaMatt If I have a J2EE app that has its own form login, and it’s protected by the J2EE agent …
13:22 MegaMatt What’s the best approach? IG?
13:23 aldaris only if you can't modify the form to log in with OpenAM and create the cookie on the app's domain
13:23 MegaMatt Ok, good to know. Thanks.
13:26 MegaMatt I take it then I’d just not enforce the form, and login - and then access all my enforced pages
13:27 aldaris you would just change the agent's login URL to the app's login page
13:27 MegaMatt Ok, yes - that’s basically the idea I was trying to convey but used the wrong words
13:27 MegaMatt Thanks :D
13:48 insanidOpenAM hmm that would also apply to me.
13:48 MegaMatt I figured it might ;)
13:48 MegaMatt That’s why I asked here
13:49 aldaris I think the point of SSO is that you have a single authentication screen, so you can educate your users to only provide their credentials at a single place
13:50 MegaMatt That does make sense....
13:50 MegaMatt :D
13:50 aldaris I mean the same thing happened with google accounts
13:50 insanidOpenAM my first plan was that every time a user tried to access my app, he would be redirected to openam's login screen.
13:50 insanidOpenAM don't you agree ?
13:51 aldaris how should I know what your first plan was :)
13:51 insanidOpenAM you should not. :_)
13:52 insanidOpenAM what I just got from your conversation is that I could just tell the agent to use my app's login screen and redirect login requests to openam's server. am I wrong ?
13:54 aldaris well the agent doesn't have to protect everything on your site
14:01 rghose joined #openam
14:05 pfreixes joined #openam
14:06 ramteid joined #openam
14:52 rcasell joined #openam
14:55 rcasell Hi all, question: using j2ee agent can my app be notified when a user gets added via openam REST API?
14:56 aldaris why would you want that
15:01 rcasell I have several web apps each with a different user DB/management, every one of them stores different preferences/information for each user
15:01 aldaris then you need an IDM system
15:02 rcasell can you explain more in depth please
15:02 rcasell ?
15:02 aldaris OpenAM is an access management tool, which is all about authentication and authorization
15:02 aldaris and doesn't really deal with user provisioning or identity management
15:05 rcasell correct me if I'm wrong, are you saying that OpenAM keeps credentials (username, pwd, etc) and roles, but not additional information (user wants blue theme, etc)?
15:05 aldaris it doesn't even keep credentials
15:06 aldaris those are stored somewhere else, like in a database or in a directory server
15:06 rcasell is opendj one of those storage right?
15:07 aldaris yes
15:09 rcasell ok so the openam rest api is a sort of 'passthrough' interface with opendj/db/whatever to do CRUD operations on identities?
15:10 MegaMatt I wouldn’t use OpenAM even via rest to do identity management
15:11 MegaMatt You can use the REST interface to login, logout, validate tokens, and all that jazz
15:11 aldaris yeah, AM's REST endpoints are interacting with those configured data stores, but it doesn't handle too complex scenarios
15:12 rcasell ok so good to have, better to avoid?
15:12 rcasell :)
15:12 MegaMatt There’s the OpenIDM product that handles all the funky identity stuff
15:14 rcasell so let me rephrase my first question
15:15 rcasell I currently have 3 different apps to put under the 'openam' umbrella, they all have different user databases.
15:16 rcasell I'll have to unify the account management for them (i have full access to every app and can change that)
15:17 rcasell what will be your approach to that?
15:18 rcasell I mean start with the user storage, then go for UI
15:18 MegaMatt IDM can connect to and reconcile them all, most likely
15:18 rcasell ok so the flow could be:
15:19 rcasell get rid of existing dbs, store creds into IDM, interface with that for crud and let openam auth/auth using it as backend
15:19 MegaMatt No, …not quite
15:20 MegaMatt You wouldn’t have to get rid of existing dbs if you use IDM
15:20 MegaMatt If you want to get rid of DBs, you could put them all into a directory server -> OpenDJ
15:24 rcasell using IDM can I have the same 'user' in all DBs? will it decide the one to provide based on contexts?
15:25 rcasell I mean in my case I have the same set of users for the 3 app that needs to login one time to go everywhere (based on roles of course)
15:27 rcasell this is quite simple thanks to openam with the embedded opendj (and it's in fact working) except that for every app i also need to store additional infos (different of course)
15:28 rcasell right now i'm using a per app db that based on the login name gets the infos, but this means that the user needs to be in each app db and that's a pain...
15:28 aldaris getting all data out of db into a directory isn't that simple, the concepts are a bit different, and you may find some data to be impossible to migrate
15:31 rcasell i understand that
15:32 aldaris balo can talk all about it I guess :)
15:33 aldaris for a while I had a mixed system, where we had the users in DJ and in PostgreSQL as well, it certainly wasn't pleasant
15:33 MegaMatt I think you want to look at the IDM docs and Wiki
15:34 rcasell aldaris, that's my situation: 3 apps, 2 pgsql, 1mysql, opendj
15:34 rcasell :(
15:34 aldaris well first drop mysql :)
15:36 rcasell you don't even imaging how hard I'm trying to eradicate it :)
15:36 rcasell _imagine_
15:36 aldaris just make sure they don't throw it away just to get mariadb :)
15:36 rcasell MegaMatt, are you talking about this wiki: https://wikis.forgerock.org/confluence/display/OPENIDM/Home
15:37 MegaMatt Yes, it’s too bad that’s on 2.1 though and not IDM 3
15:37 rcasell ahahah
15:37 rcasell doh!
15:37 MegaMatt But it’s still good
15:38 rcasell ok I'll have a look (and come back with more questions :D)
15:39 rcasell thank you all for the explanations and the patience
16:03 aldaris1 joined #openam
17:15 aldaris joined #openam
17:21 metadaddy joined #openam
21:28 MegaMatt joined #openam
21:43 pfreixes joined #openam