IRC log for #openam, 2015-05-14

All times shown according to UTC.

Time Nick Message
01:28 MegaMatt joined #openam
06:46 aldaris joined #openam
06:46 jjpp good morning.
06:47 jjpp aldaris: from the top of your head and before I dig into the code.. how do I choose language for callbacks in rest authentication api (openam11, at the moment)
06:47 jjpp ?
06:48 aldaris good morning
06:48 aldaris I've barely just woken up
06:48 aldaris but one can only think of the locale request parameter
06:49 jjpp hmhm.
06:52 jjpp okay, that seems to work, indeed. I was thinking about the Accept-Language header but this seems to work.
06:53 jjpp hm, header works as well.
06:53 jjpp nice.
07:34 aldaris joined #openam
07:46 aldaris joined #openam
09:40 aldaris joined #openam
11:24 MegaMatt joined #openam
12:40 aldaris joined #openam
13:30 tudorg joined #openam
14:31 sobrio joined #openam
14:37 z4ce joined #openam
14:37 z4ce Can OpenAM pass information from LDAP to a tomcat server.. like the email address of the principal?
14:38 asyd you can use http headers
14:39 aldaris joined #openam
14:39 z4ce would that kind of request be something more suited to OpenIDM?
14:41 tudorg Hi, is it possible to view the Password Encryption Key without using the OpenAM Web UI? I.e. ssoadm or similar command?
14:43 aldaris joined #openam
14:52 aldaris z4ce AM is probably more suitable for that
14:53 aldaris tudorg, yes: use ssoadm
14:54 z4ce Is the general pattern to have OpenAM do the authentication.. pass it to the agent.. and any additional user attributes you want come across in the header.. or is there a better way?
14:56 tudorg aldaris, I'm trying to search, what flag?
14:57 aldaris z4ce: pretty much that is the approach normally taken, you can replace agents with SAML SPs or fedlets (lightweight SPs) or OpenIG for example though
14:58 aldaris tudorg: you should use http://openam.forgerock.org/doc/bootstrap/reference/index.html#ssoadm-list-server-cfg with -s default
14:58 z4ce If you use SAML SPs.. you can pass the information you need along with the SAML and then use whatever SAML java library you need to pull the info out?
15:28 aldaris joined #openam
15:32 sobrio hi, I'm doing research about how to integrate multi-tenant https://wikis.forgerock.org/confluence/display/openam/Test+Multi-Tenant+Setup+with+Realms with cdsso, because I've tried some configurations but it's not working. Any tip?
15:34 sobrio I've been working with conditionals in web agent configuration but it's not working either
15:34 aldaris z4ce: there is no real dependency on java, you could use whatever you'd like, and yes, information can be passed around in assertions (but then those may have stale values throughout the life of the session)
15:35 aldaris sobrio: conditional login url is your friend
15:37 sobrio aldaris, I've tried a lot of settings in conditional login url but when I try to login with the "different" domain SSO is not working
15:40 aldaris you need to more explicit than that
15:40 aldaris *be
15:43 sobrio ok, there are 3 apps, and there's a mod auth for every app, there's a web agent installed in a web proxy that is protecting three of them, but one app is using an external domain, so I've configured conditional login url to run a mod auth for every app but as I'm telling you there's some kind of problem with the different domain
15:48 aldaris fyi the "some kind of problem" is not quite explicit :)
15:48 aldaris is it a cookie domain related issue?
15:51 sobrio yes I tried cookie domain also but it's not working either
15:51 sobrio I tried setting on CDSSO and neither
15:51 aldaris joined #openam
15:52 aldaris well, are you really using cross domain sso?
15:53 sobrio yes
15:53 aldaris what are the cookie domains involved?
15:55 sobrio there're two domains set in cookie domains i.e. example.com & exampleweb.com
16:00 aldaris yepp, so cdsso is indeed needed
16:00 aldaris what is AM's domain?
16:01 sobrio example.com is the AM's domain
16:02 aldaris and how did you configure the conditional login url?
16:02 sobrio there's a conditional login url for every app
16:02 sobrio I'll give you an example
16:05 sobrio com.forgerock.agents.conditional.login.url[0]=app1.example.com|https://login.example.com/sso/cdcservlet&module=LDAPMOD1
16:06 sobrio and this one
16:06 sobrio com.forgerock.agents.conditional.login.url[0]=app2.exampleweb.com|https://login.example.com/sso/cdcservlet&module=LDAPMOD2
16:07 sobrio sorry
16:07 sobrio com.forgerock.agents.conditional.login.url[1]=app2.exampleweb.com|https://login.example.com/sso/cdcservlet&module=LDAPMOD2
16:07 sobrio I forgot to change the number in square
16:08 aldaris joined #openam
16:11 aldaris aren't those cdcservlet urls meant to have the realm parameter?
16:13 sobrio login.example.com --> it's working with multitenant
16:13 sobrio https://wikis.forgerock.org/confluence/display/openam/Test+Multi-Tenant+Setup+with+Realms
16:15 aldaris but since you are using the same AM domain for both conditional login urls, surely you should have the realm parameter appended to it to ensure the agent will hit the right AM realm?
16:17 sobrio so you think that multi tenant configuration is not compatible with cdsso?
16:18 aldaris not sure which of my comments suggested that
16:18 sobrio when you tell me to append realm parameter to ensure the agent to hit the right realm
16:20 aldaris the agent doesn't really know which protected domain belongs to which realm, and frankly it doesn't really care about that either
16:22 sobrio ok, so can you tell me from your experience which one should be the best practice here?
16:24 aldaris By saying "which" you appear to imply that there are more than one possibility here, but we've been only talking about one thing in my experience..
16:28 sobrio ok I see but I just want to know if I'm missing something, another way to solve this
16:28 aldaris you could set up DNS/realm aliases to make it less obvious, but still inherently by using a different domain for AM, you will select a different realm
16:28 aldaris not sure why this is a problem
16:29 z4ce joined #openam
16:30 z4ce Would it be possible to structure user attributes such that each LDAP group a user is a "memberOf" gets resolved to its "mail attribute"
16:30 aldaris z4ce: what do you mean by that?
16:31 sobrio ok aldaris I'll give it a try for what you're saying, thanks for your time
16:32 z4ce So let's say User "Bob" is in Active Directory. He's part of the SysAdmins group and the NorthAmerica user group. Both are Exchange distribution lists so they have a "mail" attribute. When Bob authenticates to my webapp, I also need to know as attributes of Bob that he is part of "sysadmins@company.com" and "northamerica@company.com"
16:34 aldaris so you want attributes from the group entries to show up on the user's assertion?
16:35 z4ce Yes
16:36 aldaris well that's not something that you could do out of the box
16:37 z4ce ok.. thanks.. I didn't think so
16:58 sobrio btw, do you know if it's in the documentation how to configure look & feel for mobile devices? I could only find this link about customization http://docs.forgerock.org/en/openam/12.0.0/install-guide/index/chap-custom-ui.html
17:49 z4ce joined #openam
18:09 aldaris joined #openam
18:33 aldaris joined #openam
20:34 tudorg joined #openam
20:58 aldaris joined #openam
21:14 aldaris joined #openam
21:46 MegaMatt joined #openam
22:54 MegaMatt joined #openam