IRC log for #openam, 2014-12-17

All times shown according to UTC.

Time Nick Message
00:12 openamnewbie joined #openam
00:14 openamnewbie Hi I've a couple of questions about the new module self service in openam 12, that one already existed in openam 11 with membership auth module like you can see here
00:14 openamnewbie http://marginnotes2.wordpress.com/2012/06/21/openam-self-registration-with-the-membership-auth-module/
00:14 openamnewbie anyone knows if it's a provisioning system and it can be customized?
00:15 aldaris it is not an auth module in 12
00:15 aldaris the self registration introduced with XUI is just using the REST API to register a user
00:16 openamnewbie yep I attended the webinar today but it's not clear to me if it's some kind of provisioning system
00:16 openamnewbie register in OPENDJ?
00:17 aldaris register in the configured data store
00:17 aldaris it does not have to be opendj..
00:18 openamnewbie sure datastore configured in my realm whatever it is
00:18 openamnewbie you think registering users is the same as provisioning users?
00:19 aldaris provisioning is a fancy word for registering++
00:20 aldaris anyways, the self service registration code in OpenAM doesn't use openidm APIs or anything like that
00:20 openamnewbie ok and you know if these fields are customizable to "register" a user?
00:20 aldaris so it is not provisioning in the IDM term
00:20 aldaris you should be able to modify the HTML pages to include additional fields
00:22 openamnewbie behind scenes everything is using openam's rest webservice as you tell me
00:22 aldaris (webservice is an ugly word, and reminds people about the terrible days of JAX-WS and JAX-RPC :) )
00:23 openamnewbie oh i didn't know that ugly experience :)
00:23 aldaris it is using the OpenAM REST endpoints indeed
00:24 openamnewbie ok thanks!
00:24 openamnewbie you think it should be better using opendj REST endpoints?
00:25 aldaris for managing identity data? hell yes
00:26 openamnewbie I get it!
00:41 openamnewbie thanks!
07:38 KermitTheFragger joined #openam
08:25 aldaris joined #openam
09:55 aldaris joined #openam
11:35 aldaris joined #openam
11:35 aldaris joined #openam
11:41 HansWurst joined #openam
11:41 HansWurst hey guys
11:41 HansWurst is it possible to change the cookiedomain within the webinterface?
11:49 aldaris yes
11:58 HansWurst where? xD
12:05 aldaris configuration - System - Platform settings
12:07 HansWurst and it has to start with a ".", right?
12:07 aldaris not really
12:07 aldaris according to the spec at least
12:53 HansWurst hmm
12:54 HansWurst is it possible to force openam to delete the iPlanetDirectoryPro-cookie?
12:54 aldaris when?
12:55 asyd morning
12:55 aldaris Good afternoon
13:01 HansWurst i login to openam and redirect to an own site
13:01 HansWurst then i log out of my site and want to delete the cookie completely
13:01 aldaris well how do you perform logout?
13:01 HansWurst because at the moment, when i refresh the page after logging out, i get "session aborted"
13:02 aldaris there is no such error message
13:02 HansWurst logout is done via REST action logout
13:02 HansWurst in german it says "Sitzung abgebrochen"
13:02 aldaris then what did you expect, how would that remove the iPDP cookie from OpenAM?
13:03 HansWurst json/sessions/?_action=logout
13:03 aldaris I've got that part
13:04 HansWurst i didn't expect it ;) it just worked but i never refreshed the page after logging out
13:04 aldaris but REST calls normally are done by backends (unless you've set up CORS) where the user's browser isn't involved
13:07 HansWurst my site is just jsp
13:07 aldaris doesn't seem like you are using an agent
13:07 aldaris so how do you authenticate?
13:07 aldaris and is it CDSSO or just plain SSO?
13:08 HansWurst i created a realm
13:08 HansWurst and when authentication succeeds
13:08 HansWurst i redirect to the jsp
13:09 aldaris so the app and AM are on the same cookie domain
13:09 HansWurst the jsp looks for the cookie and asks periodically if the token is valid (via rest)
13:09 HansWurst yes
13:09 HansWurst but i didn't find a way to delete the cookie by myself
13:09 HansWurst just set it to expired
13:10 aldaris are you asking now how to delete cookies using plain old Java EE?
13:11 aldaris In which case I'm not sure this is the right forum for that. I'd hope that if you write a JSP you know how to create and delete cookies
13:15 HansWurst i just try to solve the problem ;)
13:17 HansWurst is it enough to set the iPDP setMaxAge(0) or do i also have to do it with the AMAuth-cookie?
13:51 aldaris AMAuthCookie is only used during authentication
13:51 aldaris when the login UI creates the session cookie, it should delete the auth session cookie
13:55 HansWurst ok
13:56 HansWurst it seems like the problem is that the jsp is not able to edit the cookie
13:56 aldaris more likely that you are just incorrectly creating the cookie
13:56 HansWurst what do u mean with that?
13:58 aldaris http://blogs.forgerock.org/petermajor/tag/cookie/
13:58 aldaris I should rename the post and call it "cookies for dummies"
14:00 asyd :)
14:12 HansWurst left #openam
19:53 aldaris joined #openam
20:35 penk_ joined #openam
20:37 penk_ hi folks, we are having an insanely frustrating problem.  under what seem to be identical load balancer configurations, when the app redirects to the IDP, the return redirect URL is not the app anymore, it's the local SP.  this seems to stop if we have the SP and the app on different load balancers.  Is there some issue with SAML or Openam not handling CNAMEs properly?  Requiring A records or something?
20:37 penk_ we're using openam 11.0.0
20:50 asyd penk: do you have 2 lb? are you sure the configuration are exactly the same?
20:53 penk what happened is we had the app on one lb, and the openam front end handler on another LB'.  that worked.  then i combined the two onto the same LB with different vhost rules (something we do zillions of times), now the redirect target is wrong
20:54 penk the user goes to the app, gets redirected to the SP, which redirects to the IDP, authenticates, and after authentication, should go back to the app.  but ends up on the SP.  which makes no sense.
23:18 penk joined #openam
