Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
michewl
@michewl:privacytools.io
[m]
Hello,
I am working on implementing a SAML login initiated by a SP. My current requirement is to display a list of remote IdPs on the login page so the user can choose to log in locally (filling out the form) or on a remote system (clicking a link to be redirected within the SAML context to login on a remote IdP).
Does anyone know if OpenAM provides a way to show the list of remote IdPs in the CoT on the login page? I did not find anything yet and figured it may be required to create a custom authentication module.
Unfortunately we cannot use the proxy approach (which I would prefer).
withusandeep
@withusandeep
Hi ,I am trying to use openam 14.6.2 running in kubernetes for google social authentication . My request has to go through proxy server which needs authentication .I tried setting up proxyHost,proxyPort,proxyUser and proxyPassword and it always fails with 407 status code and this error :com.sun.identity.authentication.spi.AuthLoginException: Authentication failed with an Input/Output exception while trying to get content
Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 authenticationrequired"
can anyone plz help me to fix the above issue
Maxim Thomas
@maximthomas
@withusandeep Hi, can your provide a http requests and responses dump from OpenAM to proxy?
withusandeep
@withusandeep
Hi Thomas , I sorted the issue by adding a servletcontextlistener in openam web.xml with proxy authentication code
Hello , when running openig 5.0.10 anyone facing issues like logs flooding in debug mode .The logs are coming from org.apache.http package . Tried to switch off debug logs but nothing seem to be working
Maxim Thomas
@maximthomas
@withusandeep
Try to edit WEB-INF/classes/logback.xml in OpenIG war file and add logger 
<logger name="org.apache.http" level="INFO" />
withusandeep
@withusandeep
@maximthomas .Thanks for the reply. I could see logback.xml only on apache-tomcat-9.0.45/IG/webapps/ROOT/WEB-INF/classes/org/forgerock/openig/web/logback.xml. I did the change you mentioned but the logs are still coming as DEBUG
withusandeep
@withusandeep
@maximthomas .thanks for your help . i copied the file to the location you mentioned and it works .
withusandeep
@withusandeep
Has anyone integrated openam authorization code with pkce on a react SPA ? i am getting cors error when loading wellknown endpoint using AppAuth-js library .
Ramón Rial
@rrialq
Good days.
Is there some way to pass data between custom modules and PAP?
Is there any way to access to the token while inside custom module logic or the token is created after all custom modules are evaluated?
Thank you for your help and for your time.
withusandeep
@withusandeep
@rrialq : not completely sure abt ur requirements . but you can associate any token/property to session using session whitelist service and retrieve using getSessionProperties thru REST from any custom module.
ignacepyl
@ignacepyl
Hi All, I have an OpenAM related question. We are trying to set-up OpenAM as authentication method for a Microsoft Business Central on-prem installation. So far, the IT team has been trying for over 2 months without result. Do you guys have any experience?
Maxim Thomas
@maximthomas
Hi @ignacepyl, sure. Could you provide more details? Please send RFP to support@3a-systems.ru
ignacepyl
@ignacepyl
Hi @maximthomas . Surely, what kind of details are you looking for? In brief, Business Central supports Microsoft ADFS out of the box. So we are using the same methodology with an OpenAM WS-FED set-up. The following is the error we keep bumping in to ‘The type of security token provided by the Identity Provider is not supported.’
michewl
@michewl:privacytools.io
[m]

Hello everyone. I am working on adding support for something similar to the extention for requesting attributes.
I figured that I could use the AttributeMapper to manipulate the attributes but I am missing the extension data from the AuthN request.

Anyone got an idea how to get the AuthN request within the AttributeMapper?
I guess one option would be to use the session but I think that is just a workaround. Any input helps. Thanks

Yuen Yalung
@yuen-os
Hi guys, have you experience and empty page on global services using a docker image of openam with default config?
i can't seem to find a way to show the global services
gggg.PNG
Maxim Thomas
@maximthomas
@yuen-os Hi, create an issue in the https://github.com/OpenIdentityPlatform/OpenAM repo. I will look at the problem
Yuen Yalung
@yuen-os
Hi @maximthomas thanks, already created the issue OpenIdentityPlatform/OpenAM#384
Yuen Yalung
@yuen-os
Hi I'am new to openAM and I'am try to install openam webagent by downloading the IIS_WINNT_4.1.0 and run agentadmin.exe --i , what would be the value of "Enter IIS Server Site identification number" ?
Yuen Yalung
@yuen-os
Hi does openam have documentation on the url endpoint for oauth and openid connect?

http://openam.example.com:9000/openam/oauth2/access_token
http://openam.example.com:9000/openam/oauth2/authorize
http://openam.example.com:9000/openam/oauth2/userinfo

i've seen this one on a code base on github but i want to know if they have official docs as reference?

ajlugt
@ajlugt
When will the next (patch) release happen? There are a few changes which I'd like to see released soon...
Ramón Rial
@rrialq

Good days.
I have a problem with OpenAM running inside Tomcat with JDK 8 (Sun and Azul JDK tested), and SHA256withRSA Algorithm in OpenAM 14.5.4.
I have got this Exception:

amAuth:09/24/2021 05:06:53:843 PM CEST: Thread[http-nio-24780-exec-3,5,main]: TransactionId[ecfa7a6a-e6ab-42eb-a005-82d2a247c573-35826615]
ERROR: JwsSigningException
org.forgerock.json.jose.exceptions.JwsSigningException: Unsupported Signing Algorithm, SHA256withRSA
at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.signWithHMAC(HmacSigningHandler.java:81)
at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.verify(HmacSigningHandler.java:104)

This problem is related with BouncyCastle, because it is the library which provides SHA256withRSA.
The problem seems to be with the Mac.java (JCE), when Mac.getInstance(algorithm); that throws NoSuchAlgoritmException.
I can see that SHA256withRSA algorithm is provided with BouncyCastle (log file), but it seems there is a problem with the JceSecurity.canUseProvider( s.getProvider() ). Do you know the right way to enable this in OpenAM inside Tomcat?

I suspect the problem is that I need to add to the trusted CA one certificate related to Bounce Castle library, but I am not sure about this.
Have you seen this problem before?
Any ideas?

4 replies
Thank you for your time, and for your help.
The problem is part of our attempt to add a rudimentary support for Mobile Connect to openam-auth-oauth2.
Our provider signed the JWT with SHA256withRSA.
It works with an old unsecure version of the provider API, that uses another algorithm.
Ramón Rial
@rrialq
Hello again.
I have wroted a custom module.
I have registered in the OpenAM, and I have created a module for use it.
My surprise is that the AttributeSchema's appears in an unsorted order (I have not found criteria on sorted them).
Is there a way to sort them?
It seems the sms.dtd supports the "order" attribute in "AttributeSchema", but I don't know if this attribute is used for sortering the UI or what.
Any ideas about sortering AttributeSchema's in UI?
Ramón Rial
@rrialq
Please, forget it.
I 'just got it using the order attribute starting at "0" value.
Thank you.
Ramón Rial
@rrialq

In my custom module authentication I'have defined a custom callback:

<ModuleProperties moduleName="MobileConnectionRequirements" version="1.0" >
<Callbacks length="0" order="1" timeout="600" header="#WILL NOT BE SHOWN#" />
<Callbacks length="1" order="2" timeout="600" header="#WILL BE SUBSTITUTED#">
<TextInputCallback isRequired="true" >
<Prompt>#PHONE_NUMBER#</Prompt>
</TextInputCallback>
</Callbacks>
</ModuleProperties>

2 replies
It is mandatory to implement a custom Login page for this?
Is there any guidelines for that?
Ramón Rial
@rrialq
Another question. I am writing a PAP. Is it possible determine de module in a chain that makes failure authentication?
I am not sure about how to test it.
In onLogonFailure I need to write an action that sends a code to a webservice depending of the module that goes into failure.
9 replies
Ramón Rial
@rrialq
More questions. This time about commons versions.
It seems there is a org.openidentityplatform.commons.audit:parent versions 2.07, 2.0.8, 2.0.9, 2.0.10, 2.0.11 and 2.0.12, but there is not tag on git repository greater than 2.0.6. Is this right for some reason?
2 replies
Ramón Rial
@rrialq

Hello everybody.
I've seen that in OpenAM (>=14.4.2) file WEB-INF/classes/log4j.properties contains an extrange first line:

#Set the global log level to ERROR.log4j.rootLogger=ERROR, ROOT

I think it should be splitted in two lines:

#Set the global log level to ERROR.
log4j.rootLogger=ERROR,ROOT

Is this right?

1 reply
Ramón Rial
@rrialq
@maximthomas I've created a pull request for solving the OpenIdentityPlatform/OpenAM#410:
openam-auth-msisdn doesn't handle multiple ldap servers.
2 replies
vugrinov
@vugrinov
Hey guys, can you help me th this error using default configuration in openam 14.6.4 in docker :
An unexpectederror occurred while attempting to initialize the command-line arguments:The provided value "-1" for argument --adminConnectorPort is not acceptable:The provided adminConnectorPort value -1 is unacceptable because it is belowthe lower bound of 1
1 reply
Ramón Rial
@rrialq
Hello, again.
I am giving my first steps with XUI customization.
I just now how to create a custom theme, how to modify some parts of the login page, how to translate it...
But I don't know how to customize the index.html page.
It seems this page is common for all themes.
I've test to copy inside root of my theme, but OpenAM doesn't see it.
Is it possible to customize index.html inside a theme? I don't want modify index.html for all realms.
Ramón Rial
@rrialq
I want to add a static header to all pages, so I need to modify the main page of every category (admin, user, login...).
Ramón Rial
@rrialq
Hello, again.
Another question.
How can I change the language in the login page without losing parameters?
It seems that there is no standard way to do this.
May be with XUI?locale=es&login# (but this way loses service parameter, for example)
What about iterating through available locales?
Ramón Rial
@rrialq
Another question. How can I check inside XUI if the locale is "en" or "es", for example?
I can't see in manual a list of variables that I can use in templates.
Ramón Rial
@rrialq
Good days, again.
One more question: Is there any way to restrict languages to a subset?
For example, my requirements are support only es (Spanish) and gl (Galician), so if the browser sends something different (for example en) it should rely to default 'gl'. I¡ve just configured the default locale at Platform, Server site and realm, but it seems there is no way to restrict languages supported.
nightswimmings
@nightswimmings
Hi! Hi, is there any way to emulatel http://idp.ssocircle.com/sso/toolbox/ossoPwDecrypt.jsp with openssl (so it's confidentially scriptable)?
marcelo
@marceloibanez
Hello community
have a question for you
do you know if openAM use log4j?
or openAM use logback?
1 reply