IRC log for #openam, 2016-02-04

All times shown according to UTC.

Time Nick Message
07:38 KermitTheFragger joined #openam
08:34 aldaris joined #openam
08:44 prasannaa joined #openam
08:44 prasannaa Hi aldaris
08:47 aldaris joined #openam
08:47 aldaris Good morning
08:47 prasannaa hi mate good morning
08:47 prasannaa yesterday i was around trying to find someone
08:48 prasannaa advise
08:48 prasannaa question is back to the login screen
08:48 prasannaa :p
08:48 prasannaa i know you will hate this question
08:48 aldaris you probably guess right :)
08:49 asyd morning folks
08:50 prasannaa good morning @asyd
08:50 prasannaa i am testing ... working on or playing with openam modules
08:50 prasannaa securID module in particular
08:51 prasannaa and securID module needs username and another field called passcode
08:51 aldaris username is usually determined by previous auth modules imo
08:51 prasannaa therefore the login screen should be having 3 attributes username ... password and passcode
08:52 prasannaa i want to have ldap + securID
08:52 aldaris then set up a chain with LDAP and then a SecurID module
08:52 prasannaa oke
08:52 prasannaa in case of login in the first screen i will have username and password
08:53 prasannaa passed to the securID module
08:53 aldaris yes
08:53 aldaris no
08:53 aldaris the username/password goes to ldap module
08:53 prasannaa oke
08:53 prasannaa when successful it will go to the securID module
08:54 aldaris that's the idea
08:54 prasannaa securID needs something called pin
08:54 jjpp (you might need to give some special parameters about shared state to some modules in the chain configuration)
08:55 prasannaa any notes or pointers (or links) for giving parameters shared state in the chain?
08:59 prasannaa is the pin and passcode same in regards to openam SecurID module?
08:59 aldaris no
09:00 prasannaa because in the securID module ... i see there are 2 parameters ... username and passcode being used ...
09:00 prasannaa i dont see a place where openam talks of the pin
09:01 aldaris passcode is the stuff you see on the sw/hw token iirc
09:01 aldaris PIN is something internal to RSA and you only need to reset the PIN in certain SecurID flows
09:02 prasannaa securid module ... which i am testing is asking for username and pin ...
09:03 prasannaa then it sends a passcode to the client ... which we can then enter in the screen in openam
09:03 aldaris AM doesn't ask for the PIN afaik
09:03 aldaris it only needs the passcode to let users in
09:03 aldaris I think there is only a reset PIN flow implemented in the module
09:04 aldaris and I'm not really convinced that a regular securid module should ask for a PIN
09:04 aldaris but then again AM never finished with the RSA SecurID compliance tests
09:04 prasannaa there are 3 methods
09:05 prasannaa 1/sw, 2)hw, 3) ondemand
09:05 prasannaa and the 3rd is the one i am testing ...
09:05 prasannaa which actually requires username and pin to be sent to the RSA server
09:09 prasannaa does that mean openam does not satisfy RSA compliance?
09:10 aldaris I'm not sure why this ondemand method is better than the others
09:11 aldaris AM probably only implements sw/hw, that seemed to work
09:11 prasannaa this is the one i have been testing :)
09:11 aldaris good 3-4 years ago when I was involved with the compliance work I think RSA said that there is something dodgy with our PIN reset flow
09:12 aldaris regular passcode validations should work fine imo
09:12 prasannaa according to my prototype (or idea) i am working on, i won't be needing the reset pin flow
09:13 prasannaa just need the pin to be supplied with the username when we are trying to make a connection
09:14 prasannaa in that case ... i have to rewrite 2 modules?
09:14 prasannaa 1 for the LDAP and 2nd securID module?
09:14 aldaris why would you need to rewrite the LDAP module..
09:16 prasannaa i need PIN to be entered in the login screen
09:16 prasannaa or have to get the pin in the securID module
09:18 aldaris well if that's important, then yes you will need to modify the securid module
09:18 aldaris but if you enter the pin, then you probably don't need the ldap module at all
09:18 aldaris the pin should authenticate your user
09:19 prasannaa my idea is for 2FA
09:19 prasannaa first LDAP + then with SecurID
09:20 aldaris for 2FA you don't need to reauthenticate the user with a PIN, it's not called 1+2FA
09:22 prasannaa will try to use this advice of yours
09:22 prasannaa one more question
09:23 prasannaa in case if i need to get the pin from LDAP ... using the login screen
09:23 prasannaa LDAP module ...
09:23 aldaris you shouldn't do that
09:23 aldaris the LDAP module does not know what a PIN is, and it shouldn't try to validate it against an RSA server
09:23 aldaris you know because it's dealing with LDAP and not with SecurID
09:24 prasannaa in case if my story is first validate the user against the LDAP and then with SecurID
09:25 prasannaa i thought of getting the pin from the login Screen
09:25 aldaris it still doesn't make sense
09:26 aldaris PIN is 1FA, passcode is 2FA. If you are really doing 2FA authentication, then you should only ask the 2FA when a user accesses a protected site
09:26 aldaris so why the hell would you ask a user accessing regular content to enter their PIN?
09:27 aldaris especially if it's not going to be validated at that time?
09:27 aldaris where would you *securely* store the PIN entered?
09:27 prasannaa we have to pass the pin and username to the RSA server
09:27 prasannaa we are not going to store or validate the pin
09:28 prasannaa i get your point ...
09:28 prasannaa i remember jjpp ... was talking about sharing the state of a parameter in the chain flow
09:29 aldaris but sharedState doesn't work across session upgrades
09:29 prasannaa is it possible to share the username
09:29 prasannaa session upgrades?
09:30 aldaris when you only authenticate with LDAP module to obtain a session and then you perform a step-up authentication when accessing a more protected resource
09:31 prasannaa any links or blogs or openam docs for me to study it in detail?
09:32 aldaris https://backstage.forgerock.com/#!/docs/openam/13/admin-guide#session-upgrade
09:53 prasannaa joined #openam
09:54 prasannaa thank you @aldaris
10:07 jjpp aldaris: btw, have the logging-apis and -backends changed lateli (eg for openam13/opendj3)?
10:07 jjpp lately
10:07 aldaris some
10:08 aldaris you need to be more specific than that
10:08 jjpp can we use logback or smth like that to get "std" logging?
10:08 aldaris you can use logback with *some* of the product
10:08 aldaris we have an slf4j binding to log stuff using the old Debug framework
10:09 aldaris but you can replace that binding
10:09 aldaris but Debug is still used directly
10:45 jjpp hm. okay.
10:45 jjpp so. should i have eg auth module that uses slf4j then it can log to debuglog next to the other stuff. but i cannot send debuglog to some other backend, at least not yet?
10:54 jjpp and on completely other tune. there is something that causes some entitlement-related queries against ldap.
10:55 jjpp eg for 10days period there is some 38M entitlement-related queries. half of those are with filter "(&(|(sunxmlKeyValue=hostindex=://o=sunamhiddenrealmdelegationservicepermissions,ou=services,dc=opensso,dc=java,dc=net))(|(sunxmlKeyValue=pathparentindex=/sunEntitlementService/1.0/application/default/application)))"
10:55 jjpp which gives no results. shouldn't it be cached and use persistent query or something like that?
11:44 aldaris you can use slf4j Logger instances and with the default openam-slf4j binding they will end up in the debug logs, but if you remove the openam-slf4j binding, then everything is up to you
11:44 aldaris if you are using the Debug instances then your logs will always go to the debug logs
11:44 aldaris new code should utilize slf4j imo
11:45 aldaris policycache is a bit dodgy, and mostly the cache only works if you have cached every entitlement in the system already
11:45 aldaris so that may not always happen
11:45 aldaris so that search looks like it has something to do with delegation privileges
11:46 aldaris if I would have to guess that's probably related to policy evaluations performed using the PLL endpoint
11:46 aldaris and that you are using 12 during your tests
11:47 aldaris and your issue is most likely related to openam-6069
11:47 aldaris but I'm guessing a lot
13:01 mckeanbs joined #openam
13:02 jjpp well. actually it is modified 11. :)
13:02 jjpp and some hope that we might be able to upgrade to 13 or whatever will be out by then :)
13:12 aldaris 11 is gonna be eosl this November
13:14 jjpp the support-question is an unsolved thing as well.. have the pricing policies come clearer in last year or so? :)
13:14 aldaris not for me I'm sure :)
13:14 aldaris but I'm not the best person to ask really :)
13:26 jjpp i can imagine. the licensing agreements of my own company are sometimes weird for me as well. but i know that "it is politics" and i rather would not dig into that.. :)
14:02 aldaris joined #openam
14:04 aldaris1 joined #openam
15:33 aldaris joined #openam
16:28 jjpp hmhm, btw have any standardized ways of installing multinode clusters of opendj and openam appeared lately?
17:23 aldaris joined #openam
19:26 aldaris joined #openam
20:24 aldaris1 joined #openam
20:55 aldaris joined #openam
22:07 balo joined #openam
22:25 aldaris joined #openam
23:16 aldaris joined #openam
23:46 aldaris1 joined #openam