Rohit Joshi
@rohit1991
@vharseko, Yes. That will also be fine. Do you have any inputs?
kedarjapan
@kedarjapan
Hello Guys,
I'm trying to set up the OpenAM 14.1.5 WAR on Tomcat 8 on a Windows 64-bit OS. I'm getting the exact same issue as mentioned here. I tried both the default and the custom configuration options.
OpenIdentityPlatform/OpenAM#57
Any pointers on this issue?
vharseko
@vharseko
@rohit1991 check https://github.com/OpenIdentityPlatform/OpenAM-Web-Agents#downloads (without proprietary FR binary license) Thanks to @FireBurn
@kedarjapan please attach full logs
kedarjapan
@kedarjapan
@vharseko logs are attached in OpenIdentityPlatform/OpenAM#57
satyadevaddepally
@satyadevaddepally
Does anybody have a document on using OpenAM as IdP and Google Apps as SP? I tried to follow the configuration and keep on getting "invalid SAML request".
satyadevaddepally
@satyadevaddepally
I followed only this, and I am getting "invalid SAML request".
vharseko
@vharseko
Which version? Attach a log with the error.
barramandi
@barramandi

Testing OpenAM version 14.1.8 (OpenAM 14.1.8 Build 900d6316b5 )

Using the openid demo sample from https://github.com/ForgeRock/openid

Setup OIDC provider and OIDC client as per the requirement of the demo.
Start the Implicit flow, log in as the user, the user is prompted for consent, and the OIDC flow is successful the first time.

Redo the Implicit flow with the same browser session; OpenAM returns an error to the authorization request:

{
"error_description": "Error running OIDC claims script: java.util.concurrent.ExecutionException: javax.script.ScriptException: javax.script.ScriptException: java.lang.SecurityException: Access to Java class \"java.util.LinkedHashMap$LinkedKeyIterator\" is prohibited.",
"state": "af0ifjsldkj",
"error": "not_found"
}

The issue is not present if the user logs out before redoing the OIDC login flow.

vharseko
@vharseko
@barramandi Configuration -> Scripting -> for all instances, add java.util.LinkedHashMap$LinkedKeyIterator to the "Java class whitelist" in Engine Configuration.
Oleksandr
@ahavriluk
The Quick Start guide is incorrect. First of all, you have to specify the port when you set up the resource. Second, you don't use the name WebAgent; it won't work. You need to name it apache_agent. Then you have to make sure the Docker containers can talk to each other (--net host option?). Oh, yeah, apache_agent doesn't work on Mac.
Maxim Thomas
@maximthomas
@ahavriluk, could you provide more info about apache_agent on Mac?
Maxim Thomas
@maximthomas

@ahavriluk,

Then you have to make sure docker containers can talk to each other (--net host option?)

The default driver is bridge, according to the Docker documentation:

bridge: The default network driver. If you don’t specify a driver, this is the type of network you are creating. Bridge networks are usually used when your applications run in standalone containers that need to communicate.

I think setting the network is unnecessary; containers can see each other via the bridge network.

Oleksandr
@ahavriluk
I had connectivity issues. The instructions could have been tested. It took me a while to figure all the errors out. It still doesn't say to specify the port number when the policy for Resource *://example:com/? is set. I suggest you test it from scratch: get a fresh Linux VM and try to follow the instructions.
Oleksandr
@ahavriluk
Another issue. I was trying to set up SAML authentication and test it with the testshib.org site.
I was getting this:
00:16:33.363 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] - LoginContext key cookie was not present in request
00:16:33.364 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:188] - Incoming request does not contain a login context, processing as first leg of request
00:16:33.364 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:366] - Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
00:16:33.367 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for http://openam.example.com:8080/openam
00:16:33.367 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:134] - No custom relying party configuration found for http://openam.example.com:8080/openam, looking up configuration based on metadata groups.
00:16:33.367 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:157] - No custom or group-based relying party configuration found for http://openam.example.com:8080/openam. Using default relying party configuration.
00:16:33.368 - WARN [org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule:81] - SPSSODescriptor role metadata for entityID 'http://openam.example.com:8080/openam' could not be resolved
00:16:33.368 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:387] - Decoded request from relying party 'http://openam.example.com:8080/openam'
00:16:33.369 - WARN [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:305] - No metadata for relying party http://openam.example.com:8080/openam, treating party as anonymous
00:16:33.369 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:222] - SAML 2 SSO profile is not configured for relying party http://openam.example.com:8080/openam
Oleksandr
@ahavriluk
When using Fedlet to implement a SAML Service Provider, do I need a web agent installed?
Oleksandr
@ahavriluk
Oh cool!
Can I use Fedlet as SP and ADFS (active directory) or Shibboleth as IdP?
vharseko
@vharseko
@ahavriluk
Create a Fedlet configuration to enable federation between an identity provider hosted on this instance of OpenAM and a remote service provider that does not have a federation solution. Fedlet as SP -> OpenAM IDP -> OpenAM SP -> Other IdP
Oleksandr
@ahavriluk
@vharseko Is it possible to have Fedlet SP -> Other IdP? I am afraid I don't understand how to set up the link in the middle, OpenAM IDP -> OpenAM SP -> Other IdP. Do you have any details on how to do it?
Meanwhile I have found this blog post and trying to make it work, what do you think? http://htotapally.blogspot.com/2013/11/federated-authentication-using-openam.html
vharseko
@vharseko
@ahavriluk need to try this post
Oleksandr
@ahavriluk
@vharseko that post is full of BS. I did it the other way.
BTW, do you know if this bug is fixed? It looks like no matter what my assertionTimeSkew is, it doesn't take my settings?
https://bugster.forgerock.org/jira/browse/OPENAM-10191
vharseko
@vharseko
@ahavriluk most likely not fixed
Maciej Debowski
@maciekdeb
Hi, I am planning to use OpenAM Community but can't find the detailed documentation of the REST APIs anywhere. Are they the same as the ForgeRock product?
vharseko
@vharseko
Yes, you can get the previous FR Community docs in the wiki: https://github.com/OpenIdentityPlatform/OpenAM/wiki/Documentation
Maciej Debowski
@maciekdeb
Ok, thank you. I saw these docs on GitHub, but I am looking for something similar to this, for example: https://backstage.forgerock.com/docs/openam/13.5/dev-guide/#sec-rest. Will it be consistent with the current version 14 of the community version?
Is the ForgeRock product based on the community edition?
vharseko
@vharseko

Ok, thank you. I saw these docs on GitHub, but I am looking for something similar to this, for example: https://backstage.forgerock.com/docs/openam/13.5/dev-guide/#sec-rest. Will it be consistent with the current version 14 of the community version?

Yes, more relevant: https://backstage.forgerock.com/docs/am/5/dev-guide/#chap-dev-rest

Is the ForgeRock product based on the community edition?

please check history: http://www.timeforafork.com

Maciej Debowski
@maciekdeb
If I get this page correctly, the ForgeRock product since 13 or even 11 is completely different,
but v13 in Community and in ForgeRock is the same,
right?
And the 5th version that you sent is the next version after the 13th of ForgeRock (they didn't keep the ordering; 5th, 6th and so on are newer than 13th).
And actually OpenRock was the old repo that was associated with ForgeRock.
Maciej Debowski
@maciekdeb
The last version there is the 13th.
Since then there was one major version with an open source license,
and at the same time ForgeRock started working on the closed version; that's why the versioning 5, 6, 6.5 appeared.
vharseko
@vharseko
OpenAM Community v14 is like FR AM v5.
Nino
@ninobosteels_gitlab
Hi!
How production-ready do you think the Docker image is? https://hub.docker.com/r/openidentityplatform/openam
vharseko
@vharseko
We use it in production.
Nino
@ninobosteels_gitlab
Just through Docker, or rather OpenShift?
And what's your experience with this image?