Jose Luis Villaverde Balsa
@josecho
@maximthomas Thanks, we keep moving forward.
mssso
@mssso
@maximthomas , Is the Google Authenticator supported on OpenAM ? If yes, is there a reference document I can follow to configure it ?
Maxim Thomas
@maximthomas
@mssso yes, the OATH Authentication module supports Google Authenticator. Unfortunately, we don't have a manual on how to set up Google Authenticator with OpenAM yet. We'll create the manual as soon as possible.
mssso
@mssso
@maximthomas, would it be possible to expedite the process of creating the manual to set up OpenAM with Google Authenticator?
Maxim Thomas
@maximthomas
@mssso, I can't promise anything, I write docs in my free time.
mssso
@mssso
@maximthomas , Thanks a ton !! I will try it out tomorrow and get back to you. Thanks again.
mssso
@mssso
@maximthomas, thank you, it worked.
Maxim Thomas
@maximthomas
@mssso, great! Glad I could help!
mancheaka
@mancheaka
I saw some older messages from back in February about the SameSite cookie support, it doesn't look like that was merged into master. What's the current best practice for dealing with that?
Marcelo Ohashi
@mgohashi
Hello guys, I am trying to configure OpenAM using the default settings and the latest Docker image, but I am getting this error:
11/25/2020 03:23:02:015 PM UTC: Creating OpenAM suffix
ERROR:  The server rejected the task for the following reason: None of the
Directory Server backends are configured with the requested backend ID or base
DNs that include the specified branches
Does anyone know why the default config is not able to configure the openam?
Marcelo Ohashi
@mgohashi
I am sorry guys, but is this the right place to put these questions?
myregaccount
@myregaccount
@maximthomas , thanks a lot for the documentation. I am following this instruction: https://www.openidentityplatform.org/blog/how-to-add-authorization-with-openam-openig#preparation. How to add user groups from OpenAM to HTTP headers?
Ramón Rial
@rrialq
Good day. Can anybody tell me if OpenAM (OpenIdentityPlatform) has an authenticator for Android similar to the ForgeRock Authenticator, for use with MFA?
I found neither the project in GitHub nor any information in the wiki pages.
Thank you.
Maxim Thomas
@maximthomas
@rrialq hello, you can use Google Authenticator with OpenAM, see https://www.openidentityplatform.org/blog/how-to-setup-2fa-with-google-authenticatior-in-openam
Ramón Rial
@rrialq
@maximthomas Thank you for the link.
I suppose no Google Account is needed, neither for the server nor for the user.
Is that right?
Maxim Thomas
@maximthomas
@rrialq yes, you are right. There is no need for a Google Account.
Ramón Rial
@rrialq
@maximthomas.
Ok, thank you.
I will try to configure it.
Ramón Rial
@rrialq

@maximthomas Hi again.
I have problems generating the QR code that conforms to: otpauth://totp/<account id>@<issuer>?secret=<base32 encoded secret>&issuer=<Issuer Name>

<account id> No problem, the uid of the user.

<issuer> What do you mean by issuer? The URL of the OpenAM server?

<base 32 encoded secret> No problem.

<Issuer Name> It may be any?

Thank you for your time.

Is there any way to enable logs for OATH? I did not find anything related under Debug.jsp.
Ramón Rial
@rrialq

@maximthomas Thank you.
I've just got it.

<issuer> I've just put the LDAP domain and any Issuer Name, and it works.

Ramón Rial
@rrialq
@maximthomas This scenario contains a big requirement: all users should use MFA.
OpenAM does not check if the user has the sunIdentityServerPPEncryptKey attribute, so OpenAM always asks for the OTP.
Is there any way to ask for the OTP only if the user has the attribute?
Maybe with the help of a custom PAM configured in the chain before the google-authenticator module and set as sufficient?
Maxim Thomas
@maximthomas
@rrialq I'm afraid not, it is not possible out of the box.
Ramón Rial
@rrialq
And with a custom PAM defined as sufficient in the chain?
I will try to do that.
Ramón Rial
@rrialq

Good day.
I've just succeeded in setting up HOTP (SMTP based) authentication and OATH Google Authenticator (SMTP based).
But I have a minor problem with HOTP.
If the mail address is in an attribute other than mail, I've not been successful.
I've just set the attribute name (NEW_EMAIL_ATTRIBUTE_NAME) in Email Attribute Name, the attribute exists for the user test, and it contains a valid value, but I get the following error (I have omitted non-relevant log lines):

Auto sending OTP code
HOTP.sendSMS() : Using phone attribute of telephoneNumber
HOTP.sendSMS() : IdRepoException : no phone number found with username : test
HOTP.sendSMS() : Using email attribute of NEW_EMAIL_ATTRIBUTE_NAME
HOTP.sendSMS() : IdRepo: no email found with username : test
HOTP.sendSMS() : IdRepo: no phone or email found with username : test

When I replace NEW_EMAIL_ATTRIBUTE_NAME with mail (both attributes contain the same value in my tests) then it works.
Any idea?
Thank you.

Maxim Thomas
@maximthomas
@rrialq hello,
please create an issue in the OpenAM repo, and we'll figure out what is happening
Ramón Rial
@rrialq
@maximthomas I've just seen that there is a newer OpenAM version (I am testing 14.5.4), so I will install it and test it before opening the issue.
yuna-s
@yuna-s
@maximthomas
Hi, I want to apply local time instead of UTC to the audit logging, is there a setting in OpenAM that allows me to do that?
thanks.
Maxim Thomas
@maximthomas
@yuna-s hi, are you running OpenAM in a Docker container?
yuna-s
@yuna-s
@maximthomas
Thanks for the reply!
I am also using Docker for testing, but eventually I will use war files and run it on tomcat.
Ramón Rial
@rrialq

@maximthomas Hi again.
I downloaded the custom-authentication-module (inside openam-samples) to have a template for writing CAMs for OpenIdentityPlatform.
I've tried to build it for versions 14.6.2 and 14.5.4, but I got errors because of unavailable dependencies:

  • org.openidentityplatform.external.com.iplanet.jato:jato
  • org.openidentityplatform.external.com.sun.web.ui:cc

Are they in some repository?

I excluded them from the openam-core dependency, and then the custom-auth-sample project built OK.
But I am feeling that those libraries should be necessary in some scenarios.

Maxim Thomas
@maximthomas
@yuna-s I can't reproduce the issue using Tomcat 7, I can only reproduce it in Docker. But that is a Docker issue, because Docker does not know about the host machine timezone. If you are still facing the problem, please create an issue in GitHub.
@rrialq these libraries are only needed for rendering the legacy UI, so you can develop a custom auth module without them. The OpenAM war file contains them.
Ramón Rial
@rrialq
@maximthomas OK. So it is necessary to exclude them in the dependency declaration.
Thank you.
yuna-s
@yuna-s
@maximthomas
Sorry for the late reply.
Does "can't reproduce the issue using tomcat 7" mean that there is a setting in the war file version of OpenAM (OpenAM-14.6.2.war) that allows the local time to be displayed in the audit log?
Maxim Thomas
@maximthomas
@yuna-s there must be a misunderstanding, I meant the OpenAM Tomcat console log. In the CSV logs I see UTC instead of local time. I'm afraid you can't configure the CSV timezone out of the box.
yuna-s
@yuna-s
@maximthomas I understand, the tomcat logs show that the local time is indeed applied. However, if there is a discrepancy in the time shown between the tomcat log and the audit log, it may cause confusion when comparing them, so I was looking for a way to apply the local time to the audit log as well.
I found out that there is no configuration item for this at the moment.
Thank you for confirming this.
Maxim Thomas
@maximthomas
@mancheaka, hello, I've accidentally removed your comment, could you repeat it or create an issue in the OpenAM GitHub repo?
Maxim Thomas
@maximthomas
@mancheaka fixed the issue OpenIdentityPlatform/OpenAM#350
mancheaka
@mancheaka
@maximthomas Thanks a lot! I updated the service configs with your changes and now the modules show up again.
michewl
@michewl:privacytools.io
Hello,
I am working on implementing a SAML login initiated by a SP. My current requirement is to display a list of remote IdPs on the login page so the user can choose to log in locally (filling out the form) or on a remote system (clicking a link to be redirected within the SAML context to login on a remote IdP).
Does anyone know if OpenAM provides a way to show the list of remote IdPs in the CoT on the login page? I did not find anything yet and figured it may be required to create a custom authentication module.
Unfortunately we cannot use the proxy approach (which I would prefer).
withusandeep
@withusandeep
Hi, I am trying to use OpenAM 14.6.2 running in Kubernetes for Google social authentication. My request has to go through a proxy server which needs authentication. I tried setting up proxyHost, proxyPort, proxyUser and proxyPassword and it always fails with a 407 status code and this error: com.sun.identity.authentication.spi.AuthLoginException: Authentication failed with an Input/Output exception while trying to get content
Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 authenticationrequired"
Can anyone please help me to fix the above issue?
Maxim Thomas
@maximthomas
@withusandeep Hi, can you provide a dump of the HTTP requests and responses from OpenAM to the proxy?