Ramón Rial
@rrialq
@maximthomas Thank you for the link.
I suppose no Google Account is needed, neither for the server nor for the user.
Is that right?
Maxim Thomas
@maximthomas
@rrialq yes, you are right. There is no need for a Google Account.
Ramón Rial
@rrialq
@maximthomas
Ok, thank you.
I will try to configure it.
Ramón Rial
@rrialq

@maximthomas Hi again.
I have problems generating the QR code that conforms to: otpauth://totp/<account id>@<issuer>?secret=<base32 encoded secret>&issuer=<Issuer Name>

<account id> No problem, the uid of the user.

<issuer> What do you mean by issuer? The URL of the OpenAM server?

<base 32 encoded secret> No problem.

<Issuer Name> It may be any?

Thank you for your time.

Is there any way to enable logs for OATH? I did not find anything related under Debug.jsp.
Ramón Rial
@rrialq

@maximthomas Thank you.
I've just got it.

<issuer> I've just put the LDAP domain and any Issuer Name and it works.

Ramón Rial
@rrialq
@maximthomas This scenario contains a big requirement: all users should use MFA.
OpenAM does not check if user has the sunIdentityServerPPEncryptKey attribute, so OpenAM asks OTP always.
Is there anyway to ask for OTP only if the user contains the attribute?
Maybe with the help of a custom PAM configured in the chain before the google-authenticator and set as sufficient?
Maxim Thomas
@maximthomas
@rrialq I'm afraid not, it is not possible out of the box.
Ramón Rial
@rrialq
And with a custom PAM defined as sufficient in the chain ?
I will try to do that.
Ramón Rial
@rrialq

Good day.
I've just succeeded in setting up HOTP (SMTP-based) authentication and OATH Google Authenticator (SMTP-based).
But I have a minor problem with HOTP.
If the mail address is in an attribute other than mail, I have not been successful.
I've just set the attribute name (NEW_EMAIL_ATTRIBUTE_NAME) in Email Attribute Name, the attribute exists for the user test, and it contains a valid value, but I get the following error (I have omitted non-relevant log lines):

Auto sending OTP code
HOTP.sendSMS() : Using phone attribute of telephoneNumber
HOTP.sendSMS() : IdRepoException : no phone number found with username : test
HOTP.sendSMS() : Using email attribute of NEW_EMAIL_ATTRIBUTE_NAME
HOTP.sendSMS() : IdRepo: no email found with username : test
HOTP.sendSMS() : IdRepo: no phone or email found with username : test

When I replace NEW_EMAIL_ATTRIBUTE_NAME with mail (both attributes contain the same value in my tests), then it works.
Any idea?
Thank you.

Maxim Thomas
@maximthomas
@rrialq hello,
please create an issue in the OpenAM repo, and we'll figure out what is happening
Ramón Rial
@rrialq
@maximthomas I've just seen that there is a newer OpenAM version (I am testing 14.5.4), so I will install it and test it before opening the issue.
yuna-s
@yuna-s
@maximthomas
Hi, I want to apply local time instead of UTC to the audit logging, is there a setting in OpenAM that allows me to do that?
thanks.
Maxim Thomas
@maximthomas
@yuna-s hi, are you running OpenAM in a Docker container?
yuna-s
@yuna-s
@maximthomas
Thanks for the reply!
I am also using Docker for testing, but eventually I will use war files and run it on tomcat.
Ramón Rial
@rrialq

maximthomas Hi again.
I downloaded the custom-authentication-module (inside openam-samples) to have a template for writing CAMs for OpenIdentityPlatform.
I've tried to build it for versions 14.6.2 and 14.5.4, but I got errors because of unavailable dependencies:

  • org.openidentityplatform.external.com.iplanet.jato:jato
  • org.openidentityplatform.external.com.sun.web.ui:cc

Are they in some repository?

I excluded them from the openam-core dependency, and then the custom-auth-sample project built OK.
But I have the feeling that those libraries should be necessary in some scenarios.

Maxim Thomas
@maximthomas
@yuna-s I can't reproduce the issue using Tomcat 7, I can only reproduce it in Docker. But that is a Docker issue, because Docker does not know about the host machine's timezone. If you are still facing the problem, please create an issue on GitHub.
@rrialq these libraries are only needed for rendering the legacy UI, so you can develop a custom auth module without them. The OpenAM war file contains them.
Ramón Rial
@rrialq
@maximthomas OK. So it is necessary to exclude them in the dependency declaration.
Thank you.
yuna-s
@yuna-s
@maximthomas
Sorry for the late reply.
Does "can't reproduce the issue using tomcat 7" mean that there is a setting in the war file version of OpenAM (OpenAM-14.6.2.war) that allows the local time to be displayed in the audit log?
Maxim Thomas
@maximthomas
@yuna-s there must be a misunderstanding, I meant the OpenAM Tomcat console log. In the CSV logs I see UTC instead of local time. I'm afraid you can't configure the CSV timezone out of the box.
yuna-s
@yuna-s
@maximthomas I understand, the tomcat logs show that the local time is indeed applied. However, if there is a discrepancy in the time shown between the tomcat log and the audit log, it may cause confusion when comparing them, so I was looking for a way to apply the local time to the audit log as well.
I found out that there is no configuration item for this at the moment.
Thank you for confirming this.
Maxim Thomas
@maximthomas
@mancheaka, hello, I've accidentally removed your comment, could you repeat it or create an issue in the OpenAM GitHub repo?
Maxim Thomas
@maximthomas
@mancheaka fixed the issue OpenIdentityPlatform/OpenAM#350
mancheaka
@mancheaka
@maximthomas Thanks a lot! I updated the service configs with your changes and now the modules show up again.
michewl
@michewl:privacytools.io
Hello,
I am working on implementing a SAML login initiated by a SP. My current requirement is to display a list of remote IdPs on the login page so the user can choose to log in locally (filling out the form) or on a remote system (clicking a link to be redirected within the SAML context to login on a remote IdP).
Does anyone know if OpenAM provides a way to show the list of remote IdPs in the CoT on the login page? I did not find anything yet and figured it may be required to create a custom authentication module.
Unfortunately we cannot use the proxy approach (which I would prefer).
withusandeep
@withusandeep
Hi, I am trying to use OpenAM 14.6.2 running in Kubernetes for Google social authentication. My request has to go through a proxy server which needs authentication. I tried setting up proxyHost, proxyPort, proxyUser and proxyPassword and it always fails with a 407 status code and this error: com.sun.identity.authentication.spi.AuthLoginException: Authentication failed with an Input/Output exception while trying to get content
Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 authenticationrequired"
Can anyone please help me fix the above issue?
Maxim Thomas
@maximthomas
@withusandeep Hi, can you provide a dump of the HTTP requests and responses from OpenAM to the proxy?
withusandeep
@withusandeep
Hi Thomas, I sorted the issue by adding a ServletContextListener in OpenAM's web.xml with proxy authentication code.
Hello, when running OpenIG 5.0.10, is anyone facing issues like logs flooding in debug mode? The logs are coming from the org.apache.http package. I tried to switch off debug logs but nothing seems to be working.
Maxim Thomas
@maximthomas
@withusandeep
Try to edit WEB-INF/classes/logback.xml in OpenIG war file and add logger
<logger name="org.apache.http" level="INFO" />
withusandeep
@withusandeep
@maximthomas Thanks for the reply. I could see logback.xml only at apache-tomcat-9.0.45/IG/webapps/ROOT/WEB-INF/classes/org/forgerock/openig/web/logback.xml. I made the change you mentioned but the logs are still coming as DEBUG.
withusandeep
@withusandeep
@maximthomas Thanks for your help. I copied the file to the location you mentioned and it works.
withusandeep
@withusandeep
Has anyone integrated OpenAM authorization code with PKCE on a React SPA? I am getting a CORS error when loading the well-known endpoint using the AppAuth-js library.
Ramón Rial
@rrialq
Good day.
Is there some way to pass data between custom modules and PAP?
Is there any way to access the token while inside custom module logic, or is the token created after all custom modules are evaluated?
Thank you for your help and for your time.
withusandeep
@withusandeep
@rrialq: not completely sure about your requirements, but you can associate any token/property with the session using the session whitelist service and retrieve it using getSessionProperties through REST from any custom module.
ignacepyl
@ignacepyl
Hi all, I have an OpenAM related question. We are trying to set up OpenAM as the authentication method for a Microsoft Business Central on-prem installation. So far, the IT team has been trying for over 2 months without result. Do you guys have any experience?
Maxim Thomas
@maximthomas
Hi @ignacepyl, sure. Could you provide more details? Please send RFP to support@3a-systems.ru
ignacepyl
@ignacepyl
Hi @maximthomas. Surely, what kind of details are you looking for? In brief, Business Central supports Microsoft ADFS out of the box. So we are using the same methodology with an OpenAM WS-FED set-up. The following is the error we keep bumping into: 'The type of security token provided by the Identity Provider is not supported.'
michewl
@michewl:privacytools.io

Hello everyone. I am working on adding support for something similar to the extension for requesting attributes.
I figured that I could use the AttributeMapper to manipulate the attributes but I am missing the extension data from the AuthN request.

Anyone got an idea how to get the AuthN request within the AttributeMapper?
I guess one option would be to use the session but I think that is just a workaround. Any input helps. Thanks

Yuen Yalung
@yuen-os
Hi guys, have you experienced an empty page on global services using a Docker image of OpenAM with the default config?
I can't seem to find a way to show the global services.
Maxim Thomas
@maximthomas
@yuen-os Hi, create an issue in the https://github.com/OpenIdentityPlatform/OpenAM repo. I will look at the problem