yuna-s
@yuna-s
@maximthomas
Hi, I want to apply local time instead of UTC to the audit logging. Is there a setting in OpenAM that allows me to do that?
Thanks.
Maxim Thomas
@maximthomas
@yuna-s hi, are you running OpenAM in a Docker container?
yuna-s
@yuna-s
@maximthomas
Thanks for the reply!
I am also using Docker for testing, but eventually I will use war files and run it on tomcat.
Ramón Rial
@rrialq

maximthomas Hi again.
I downloaded the custom-authentication-module (inside openam-samples) to have a template to write CAMs for OpenIdentityPlatform.
I've tried to build it for versions 14.6.2 and 14.5.4, but I've got errors because of unavailable dependencies:

  • org.openidentityplatform.external.com.iplanet.jato:jato
  • org.openidentityplatform.external.com.sun.web.ui:cc

Are they in some repository?

I excluded them from the openam-core dependency, and then the custom-auth-sample project built OK.
But I am feeling that those libraries should be necessary in some scenarios.

Maxim Thomas
@maximthomas
@yuna-s can't reproduce the issue using Tomcat 7, can only reproduce in Docker. But there is a Docker issue, because Docker does not know about the host machine timezone. If you are still facing the problem, please create an issue in the GitHub repo.
@rrialq these libraries are only needed for rendering the legacy UI, so you can develop a custom auth module without the libraries. The OpenAM war file contains them.
Ramón Rial
@rrialq
maximthomas OK. So it is necessary to exclude them in the dependency declaration.
Thank you.
yuna-s
@yuna-s
@maximthomas
Sorry for the late reply.
Does "can't reproduce the issue using tomcat 7" mean that there is a setting in the war file version of OpenAM (OpenAM-14.6.2.war) that allows the local time to be displayed in the audit log?
Maxim Thomas
@maximthomas
@yuna-s there must be a misunderstanding, I meant the OpenAM Tomcat console log. In CSV logs I see UTC instead of local time. I'm afraid you can't configure the CSV timezone out of the box.
yuna-s
@yuna-s
@maximthomas I understand, the tomcat logs show that the local time is indeed applied. However, if there is a discrepancy in the time shown between the tomcat log and the audit log, it may cause confusion when comparing them, so I was looking for a way to apply the local time to the audit log as well.
I found out that there is no configuration item for this at the moment.
Thank you for confirming this.
Maxim Thomas
@maximthomas
@mancheaka, Hello, I've accidentally removed your comment, could you repeat it or create an issue in the OpenAM GitHub repo?
Maxim Thomas
@maximthomas
@mancheaka fixed the issue OpenIdentityPlatform/OpenAM#350
mancheaka
@mancheaka
@maximthomas Thanks a lot! I updated the service configs with your changes and now the modules show up again.
michewl
@michewl:privacytools.io
[m]
Hello,
I am working on implementing a SAML login initiated by a SP. My current requirement is to display a list of remote IdPs on the login page so the user can choose to log in locally (filling out the form) or on a remote system (clicking a link to be redirected within the SAML context to login on a remote IdP).
Does anyone know if OpenAM provides a way to show the list of remote IdPs in the CoT on the login page? I did not find anything yet and figured it may be required to create a custom authentication module.
Unfortunately we cannot use the proxy approach (which I would prefer).
withusandeep
@withusandeep
Hi, I am trying to use OpenAM 14.6.2 running in Kubernetes for Google social authentication. My request has to go through a proxy server which needs authentication. I tried setting up proxyHost, proxyPort, proxyUser and proxyPassword and it always fails with a 407 status code and this error: com.sun.identity.authentication.spi.AuthLoginException: Authentication failed with an Input/Output exception while trying to get content
Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 authenticationrequired"
Can anyone please help me to fix the above issue?
Maxim Thomas
@maximthomas
@withusandeep Hi, can you provide an HTTP requests and responses dump from OpenAM to the proxy?
withusandeep
@withusandeep
Hi Thomas, I sorted the issue by adding a ServletContextListener in the OpenAM web.xml with proxy authentication code.
Hello, when running OpenIG 5.0.10, is anyone facing issues like logs flooding in debug mode? The logs are coming from the org.apache.http package. Tried to switch off debug logs but nothing seems to be working.
Maxim Thomas
@maximthomas
@withusandeep
Try to edit WEB-INF/classes/logback.xml in the OpenIG war file and add the logger
<logger name="org.apache.http" level="INFO" />
withusandeep
@withusandeep
@maximthomas Thanks for the reply. I could see logback.xml only at apache-tomcat-9.0.45/IG/webapps/ROOT/WEB-INF/classes/org/forgerock/openig/web/logback.xml. I made the change you mentioned but the logs are still coming as DEBUG.
withusandeep
@withusandeep
@maximthomas Thanks for your help. I copied the file to the location you mentioned and it works.
withusandeep
@withusandeep
Has anyone integrated the OpenAM authorization code flow with PKCE on a React SPA? I am getting a CORS error when loading the well-known endpoint using the AppAuth-js library.
Ramón Rial
@rrialq
Good day.
Is there some way to pass data between custom modules and a PAP?
Is there any way to access the token while inside custom module logic, or is the token created after all custom modules are evaluated?
Thank you for your help and for your time.
withusandeep
@withusandeep
@rrialq: not completely sure about your requirements, but you can associate any token/property to the session using the session whitelist service and retrieve it using getSessionProperties through REST from any custom module.
ignacepyl
@ignacepyl
Hi All, I have an OpenAM related question. We are trying to set up OpenAM as the authentication method for a Microsoft Business Central on-prem installation. So far, the IT team has been trying for over 2 months without result. Do you guys have any experience?
Maxim Thomas
@maximthomas
Hi @ignacepyl, sure. Could you provide more details? Please send RFP to support@3a-systems.ru
ignacepyl
@ignacepyl
Hi @maximthomas. Surely, what kind of details are you looking for? In brief, Business Central supports Microsoft ADFS out of the box. So we are using the same methodology with an OpenAM WS-FED set-up. The following is the error we keep bumping into: 'The type of security token provided by the Identity Provider is not supported.'
michewl
@michewl:privacytools.io
[m]

Hello everyone. I am working on adding support for something similar to the extension for requesting attributes.
I figured that I could use the AttributeMapper to manipulate the attributes but I am missing the extension data from the AuthN request.

Anyone got an idea how to get the AuthN request within the AttributeMapper?
I guess one option would be to use the session but I think that is just a workaround. Any input helps. Thanks

Yuen Yalung
@yuen-os
Hi guys, have you experienced an empty page on global services using a Docker image of OpenAM with default config?
I can't seem to find a way to show the global services.
Maxim Thomas
@maximthomas
@yuen-os Hi, create an issue in the https://github.com/OpenIdentityPlatform/OpenAM repo. I will look at the problem
Yuen Yalung
@yuen-os
Hi @maximthomas thanks, already created the issue OpenIdentityPlatform/OpenAM#384
Yuen Yalung
@yuen-os
Hi, I'm new to OpenAM and I'm trying to install the OpenAM web agent by downloading IIS_WINNT_4.1.0 and running agentadmin.exe --i. What would be the value of "Enter IIS Server Site identification number"?
Yuen Yalung
@yuen-os
Hi, does OpenAM have documentation on the URL endpoints for OAuth and OpenID Connect?
ajlugt
@ajlugt
When will the next (patch) release happen? There are a few changes which I'd like to see released soon...
Ramón Rial
@rrialq

Good day.
I have a problem with OpenAM running inside Tomcat with JDK 8 (Sun and Azul JDK tested), and the SHA256withRSA algorithm in OpenAM 14.5.4.
I have got this exception:

amAuth:09/24/2021 05:06:53:843 PM CEST: Thread[http-nio-24780-exec-3,5,main]: TransactionId[ecfa7a6a-e6ab-42eb-a005-82d2a247c573-35826615]
ERROR: JwsSigningException
org.forgerock.json.jose.exceptions.JwsSigningException: Unsupported Signing Algorithm, SHA256withRSA
at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.signWithHMAC(HmacSigningHandler.java:81)
at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.verify(HmacSigningHandler.java:104)

This problem is related to BouncyCastle, because it is the library which provides SHA256withRSA.
The problem seems to be with Mac.java (JCE), when Mac.getInstance(algorithm) throws NoSuchAlgorithmException.
I can see that the SHA256withRSA algorithm is provided by BouncyCastle (log file), but it seems there is a problem with JceSecurity.canUseProvider(s.getProvider()). Do you know the right way to enable this in OpenAM inside Tomcat?

I suspect the problem is that I need to add to the trusted CAs one certificate related to the Bouncy Castle library, but I am not sure about this.
Have you seen this problem before?
Any ideas?

4 replies
Thank you for your time, and for your help.
The problem is part of our attempt to add a rudimentary support for Mobile Connect to openam-auth-oauth2.
Our provider signed the JWT with SHA256withRSA.
It works with an old, insecure version of the provider API that uses another algorithm.
Ramón Rial
@rrialq
Hello again.
I have written a custom module.
I have registered it in OpenAM, and I have created a module instance to use it.
My surprise is that the AttributeSchemas appear in an unsorted order (I have not found the criteria for sorting them).
Is there a way to sort them?
It seems the sms.dtd supports the "order" attribute in "AttributeSchema", but I don't know if this attribute is used for sorting the UI or what.
Any ideas about sorting AttributeSchemas in the UI?
Ramón Rial
@rrialq
Please, forget it.
I just got it using the order attribute starting at value "0".
Thank you.
Ramón Rial
@rrialq

In my custom authentication module I have defined a custom callback:

<ModuleProperties moduleName="MobileConnectionRequirements" version="1.0" >
<Callbacks length="0" order="1" timeout="600" header="#WILL NOT BE SHOWN#" />
<Callbacks length="1" order="2" timeout="600" header="#WILL BE SUBSTITUTED#">
<TextInputCallback isRequired="true" >
<Prompt>#PHONE_NUMBER#</Prompt>
</TextInputCallback>
</Callbacks>
</ModuleProperties>

2 replies
Is it mandatory to implement a custom login page for this?
Are there any guidelines for that?
Ramón Rial
@rrialq
Another question. I am writing a PAP. Is it possible to determine the module in a chain that makes the authentication fail?
I am not sure about how to test it.
In onLoginFailure I need to write an action that sends a code to a web service depending on the module that fails.
9 replies
Ramón Rial
@rrialq
More questions. This time about commons versions.
It seems there are org.openidentityplatform.commons.audit:parent versions 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11 and 2.0.12, but there is no tag on the git repository greater than 2.0.6. Is this right for some reason?
2 replies
Ramón Rial
@rrialq

Hello everybody.
I've seen that in OpenAM (>=14.4.2) the file WEB-INF/classes/log4j.properties contains a strange first line:

#Set the global log level to ERROR.log4j.rootLogger=ERROR, ROOT

I think it should be split in two lines:

#Set the global log level to ERROR.
log4j.rootLogger=ERROR,ROOT

Is this right?

1 reply
Ramón Rial
@rrialq
@maximthomas I've created a pull request for solving OpenIdentityPlatform/OpenAM#410:
openam-auth-msisdn doesn't handle multiple LDAP servers.
2 replies