http cookie not getting set on browser openam - openam

I am trying to generate an HTTP cookie on successful user login in OpenAM.
The cookie is expected to be populated with an LDAP attribute named 'commerce', which is a boolean attribute.
In order to achieve this I have done the settings under --
access control -- top level realm -- agent -- configured policy agent -- Profile Attributes Processing
Over here I have created a map with key as commerce and value as commerce; now ideally, after a successful login, it should generate a cookie with the name HTTP_COMMERCE and the value of the attribute, but this is not working as expected.
Can someone help me out in resolving what I may be missing over here?

When using Profile Attributes Processing it is probably important to know that the attributes are retrieved from the configured data stores, hence you should probably make sure that the data store has been correctly configured in OpenAM.
Most likely you are just missing the "commerce" attribute from the "LDAP User Attributes" setting.

Related

Azure SAML SSO Unique User Identifier incorrect in response

So I created an enterprise application and have it configured for SAML-based SSO. As I understand it, I've configured it so that the Unique User Identifier (Name ID) should be set to the email of the user within Azure.
When I attempted to log in to test or use my new application through the portal, I can see that the NameID value in the response is actually set to a random string of characters (zReN4-W7ufefDDEh4pJ19K7pcMV84O5RKHSeOQ6wArU) which I assume uniquely identifies my user. I've tried altering the source attribute of the Name ID as well as the name identifier format, but it always comes back as the exact same string in the response.
The application I'm trying to log into requires that the name ID be set to the user's email address and I don't understand why it's not being shown that way in the response. Any ideas why this is happening?
The NameID value is a targeted identifier that is directed only to the service provider that is the audience for the token. It is persistent - it can be revoked, but is never reassigned. It is also opaque, in that it does not reveal anything about the user and cannot be used as an identifier for attribute queries.
Generally, if the user does not have a value in the mail attribute, then Azure AD would send the persistent format for the Name ID and set a random value in it.
For more information on the SAML protocol you can go through this article and a similar question.
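When debugging this, the first thing to check is the Format attribute on the NameID element of the assertion: a persistent, opaque identifier and an e-mail address are different name-identifier formats, and the service provider will reject the wrong one. The following script is an added example (not code from the question, the answer, or Microsoft) that pulls the NameID and its Format out of a SAML Response and reports whether it matches the format the SP expects. The sample response is constructed to mirror the symptom described above; the identifier string in it is the one quoted in the question.

```python
"""Inspect the NameID of a SAML Response and flag a format mismatch.

Added example with a constructed sample assertion. The two format URNs are
the standard SAML name-identifier formats for e-mail and persistent IDs.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: the IdP sent a persistent, opaque NameID although the
# SP expects an e-mail address (the symptom in the question above).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">zReN4-W7ufefDDEh4pJ19K7pcMV84O5RKHSeOQ6wArU</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Browsers POST the response base64-encoded in the SAMLResponse form field;
# this is the same constructed sample in that shape.
ENCODED_SAMPLE = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")


def extract_name_id(xml_text):
    """Return (value, format) of the first NameID, or (None, None) if absent.

    For responses from untrusted parties, parse with defusedxml instead of
    the standard library parser.
    """
    root = ET.fromstring(xml_text)
    node = root.find(".//saml:Subject/saml:NameID", NS)
    if node is None:
        return None, None
    # A missing Format attribute means "unspecified" per the SAML core spec.
    return (node.text or "").strip(), node.get("Format", UNSPECIFIED_FORMAT)


def check_name_id(xml_text, expected_format=EMAIL_FORMAT):
    """Report whether the NameID format (and, for e-mail, the shape) is what the SP needs."""
    value, fmt = extract_name_id(xml_text)
    if value is None:
        return {"ok": False, "reason": "no NameID in assertion"}
    if fmt != expected_format:
        return {"ok": False, "value": value, "format": fmt,
                "reason": "NameID format is %s, SP expects %s" % (fmt, expected_format)}
    if expected_format == EMAIL_FORMAT and "@" not in value:
        return {"ok": False, "value": value, "format": fmt,
                "reason": "emailAddress format but value is not an e-mail address"}
    return {"ok": True, "value": value, "format": fmt}


def check_encoded_response(saml_response_b64, expected_format=EMAIL_FORMAT):
    """Same check starting from the base64 SAMLResponse form field."""
    xml_text = base64.b64decode(saml_response_b64).decode("utf-8")
    return check_name_id(xml_text, expected_format)


if __name__ == "__main__":
    print(check_name_id(SAMPLE_RESPONSE))
    print(check_encoded_response(ENCODED_SAMPLE))
```

If the report shows the persistent format with an opaque value, the fix is on the identity-provider side (the source attribute the answer mentions being empty), not in the service provider.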

wso2 identity server write correct user attributes to openldap

I wonder if anyone can help. I am working on a project that requires the use of wso2is and openldap together on Linux. I am quite new to both technologies, so there may be some things I don't quite understand properly.
I have set openldap up as a secondary user store in wso2is. In openldap, using ldif files I have managed to create groups, and some dummy users. These entries can be read and displayed successfully by wso2is. The good user entries follow the format below.
In wso2is I can create new users for the secondary data store and it looks like I can assign them to the different roles. The problem is that when I create a new user in wso2, it seems to be lacking certain attributes such as password, and mail. When I view users created in wso2 (using ldap admin) they are different to users created manually using ldif. I don't know how to add the extra attributes such as email to new users created using wso2 (the extra attributes are necessary for ldap to log into another program).
The image below for user "bob" does not have the correct attributes.
The other thing I don't understand is that in wso2is, if I set 'cn' as the username attribute and try to view the extra attribute fields for users I created in wso2, I get an 'error reading metadata screen'. However, if I set 'uid' as the username attribute and try to view extra attributes, I am allowed to see them (most are blank), but if I try to populate those fields such as surname or mail, I then get an error message saying they are not supported by the underlying ldap.
Maybe I'm missing something fundamental but I don't know what it is; apparently it almost does what I want.
When you configure an external LDAP, you need to map its attributes to the WSO2 local claims, because within WSO2 Identity Server all user attributes are considered as claims. Hence please try mapping the secondary user store attributes to each local claim in the user profile. For example, the http://wso2.org/claims/emailaddress claim can be mapped to your secondary user-store attribute as shown in the image.
Moreover, I hope you have added the User Search Base, User Search Filter and User List Filter properly in the secondary user store configuration.

how to make couch db authentication work

I have CouchDB installed in a developer environment and exposed the port to the public. I have also added admin party. So if I go to http://ip:5984/_utils it's asking for a username and password, which is expected.
However, if I make a direct request with my db name, for example http://ip:5984/{dbname}, then it's returning a JSON value and I am also able to access this data via the same GET request. Am I doing anything wrong here?
It sounds like you need to set up the database's security document to control which users have what access. Be sure to read the entire document on security so you have a complete understanding of CouchDB's security model, and how to configure it.
Correct me if I'm wrong, but you probably meant that you removed the admin party?
If so, removing the admin party only disables anonymous users from doing admin operations. They can still access the database.
If you want to restrict access only to authenticated users, you MUST set this configuration value:
[couch_httpd_auth]
require_valid_user = true
Otherwise, you can set per-database permissions (see Database Security).
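The two fixes the answer names can be checked from the configuration file and the database's security document without touching a live server. The script below is an added example (not CouchDB project code): it reads a local.ini-style text with configparser, reports whether unauthenticated reads are still possible, and builds the JSON body for the per-database `_security` document. Both ini texts are constructed samples; the `[chttpd]` section is also consulted because newer CouchDB releases carry the same `require_valid_user` key there.

```python
"""Assess whether a CouchDB instance still serves anonymous reads.

Added example with constructed ini samples. The weak sample is a box where
only the admin party was removed; the hardened sample applies the setting
from the answer above.
"""
import configparser
import json

# Constructed: server admin exists, but require_valid_user is still off.
WEAK_INI = """
[admins]
admin = placeholder-hashed-password

[couch_httpd_auth]
require_valid_user = false
"""

# Constructed: the same box with the answer's setting applied.
HARDENED_INI = """
[admins]
admin = placeholder-hashed-password

[couch_httpd_auth]
require_valid_user = true
"""


def _parse(ini_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp


def has_server_admin(ini_text):
    """False means the server is still in admin party (no admins defined)."""
    cp = _parse(ini_text)
    return cp.has_section("admins") and len(cp["admins"]) > 0


def anonymous_reads_allowed(ini_text):
    """True when the server will still answer an unauthenticated GET /{db}.

    The CouchDB default for require_valid_user is false, so an absent key
    counts as weak. Either section enabling it is enough.
    """
    cp = _parse(ini_text)
    for section in ("couch_httpd_auth", "chttpd"):
        if cp.getboolean(section, "require_valid_user", fallback=False):
            return False
    return True


def security_document(admin_names=(), admin_roles=(), member_names=(), member_roles=()):
    """Body for PUT /{db}/_security.

    With an empty members list CouchDB lets any user read the database, so
    the document only restricts reads once names or roles are listed.
    """
    return {
        "admins": {"names": list(admin_names), "roles": list(admin_roles)},
        "members": {"names": list(member_names), "roles": list(member_roles)},
    }


def assess(ini_text, sec_doc):
    """Return the findings a reviewer would raise for this ini + _security pair."""
    findings = []
    if not has_server_admin(ini_text):
        findings.append("admin party: no server admins defined")
    members = sec_doc["members"]
    if anonymous_reads_allowed(ini_text) and not (members["names"] or members["roles"]):
        findings.append("database readable anonymously: require_valid_user is false "
                        "and _security lists no members")
    return findings


if __name__ == "__main__":
    print(assess(WEAK_INI, security_document()))
    print(assess(HARDENED_INI, security_document()))
    print(json.dumps(security_document(member_roles=["staff"]), indent=2))
```

Running it against the weak sample yields the anonymous-read finding; either turning on `require_valid_user` or listing members or roles in `_security` clears it.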

Kentico 9 REST service 403 error

I have a custom page type (kff.SeasonCTA) that I'm trying to access. The goal is to present the data from the custom pages on a static HTML page using jQuery. I've confirmed the REST service is working as I can get the county JSON object as per the documentation.
I've set authentication to Basic, and the service enabled as Both. I generated a hash with this URL: http://dev.knowledgefirstfinancial.ca/rest/kff.SeasonalCTA?format=json
I get a 403. I read more, and I think it's because I'm doing an ALL. So how can I specify only published pages?
Or is it possible to get all the child data from a cms.folder if I specify the folder by its GUID?
I'd recommend using basic authentication: create a user account and make sure it has all the necessary permissions (use impersonation to verify access), and pass that user in the authorization header.
It is possible to request all the children by node alias path:
/content/currentsite/<culture>/childrenof/<alias path>
/content/currentsite/en-us/childrenof/news

openam rest api json/users/?_fields=ismemberof attribute does not show updated result

Using OpenAM 12.0.0.0, I found one issue with OpenAM when retrieving the group information of the currently logged-in user using the API
"/json/users/username/?_fields=ismemberof"
Scenario:
I had tried this REST API after adding the user attribute "ismemberof" from the OpenAM console.
After that I retrieved the group information for the currently logged-in user using the REST API "/json/users/username/?_fields=ismemberof",
which returned me this:
curl --header "iPlanetDirectoryPro: AQIC5wM2LY4SfczExeheltxgjSN7wrCR5XhfEGF5kj6t6C4.*AAJTSQACMDEAAlNLABQtMzQ0NzM3MDc3MzE1MjMwNjEwOQ..*" http://openam.server:8080/openam/json/users/indrani?_fields=ismemberof
output:
{"ismemberof":["cn=grp1,ou=groups,o=openam","cn=grp2,ou=groups,o=openam"]}
After some time I removed my user from grp1 and saved from the OpenAM console,
i.e., now the current user only has one group, i.e. grp2.
Again using the curl command for getting the list of groups for the current user:
curl --header "iPlanetDirectoryPro: AQIC5wM2LY4SfczExeheltxgjSN7wrCR5XhfEGF5kj6t6C4.*AAJTSQACMDEAAlNLABQtMzQ0NzM3MDc3MzE1MjMwNjEwOQ..*" http://openam.server:8080/openam/json/users/indrani?_fields=ismemberof
output:
{"ismemberof":["cn=grp1,ou=groups,o=openam","cn=grp2,ou=groups,o=openam"]}
The issue is that it gives the same response with two groups,
even though the current user only has one group, i.e. it gives the old response.
This issue is solved if I restart the OpenAM server; then I get the expected result:
{"ismemberof":["cn=grp2,ou=groups,o=openam"]}
It should not take a restart of the OpenAM server to get the correct response.
When I connect to my LDAP data store using Active Directory Studio, I can see the values updated against the user for ismemberof, which is a virtual attribute, but when I hit curl the response is only the old cached one.
Depending on the settings and the data store used, OpenAM caches the attributes of user identities. The cache is kept in sync with the real LDAP server by either using the persistent search control or the notification change control (AD).
If your LDAP server does not support the persistent search control, or you did not allow the notification change control, the cache cannot be dirtied, hence OpenAM will return the outdated value for the identity attribute 'isMemberOf'.
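A quick way to confirm that you are looking at the cache rather than the directory is to diff the REST answer against the attribute as the LDAP server reports it. The script below is an added example (not OpenAM code) that takes the JSON body returned by the `?_fields=ismemberof` query and the `isMemberOf` values read straight from LDAP, normalizes the DN spellings, and lists groups the cache still reports but the directory no longer holds. Both inputs are constructed to match the scenario in the question; in practice you would feed it the curl output and an LDAP search result.

```python
"""Diff OpenAM's cached ismemberof against the LDAP data store.

Added example with constructed inputs: the REST body mirrors the question's
second curl output, the LDAP list is what the directory shows after the user
was removed from grp1.
"""
import json

OPENAM_RESPONSE = (
    '{"ismemberof":["cn=grp1,ou=groups,o=openam","cn=grp2,ou=groups,o=openam"]}'
)
# Directory servers may return DNs with different case and spacing.
LDAP_ISMEMBEROF = ["CN=grp2, OU=groups, O=openam"]


def normalize_dn(dn):
    """Lower-case the DN and strip whitespace around RDN separators.

    Naive split on ',' is enough for group DNs like the ones above; DNs with
    escaped commas would need a real DN parser.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def groups_from_rest(body):
    """Parse the REST body; a single-valued attribute may arrive as a bare string."""
    data = json.loads(body)
    values = data.get("ismemberof", [])
    if isinstance(values, str):
        values = [values]
    return {normalize_dn(v) for v in values}


def compare(rest_body, ldap_values):
    """Return stale (cache only), missing (LDAP only) groups and an in-sync flag."""
    rest = groups_from_rest(rest_body)
    ldap = {normalize_dn(v) for v in ldap_values}
    return {
        "stale": sorted(rest - ldap),
        "missing": sorted(ldap - rest),
        "in_sync": rest == ldap,
    }


if __name__ == "__main__":
    print(json.dumps(compare(OPENAM_RESPONSE, LDAP_ISMEMBEROF), indent=2))
```

A non-empty `stale` list after a directory change that OpenAM has not picked up points at the cache-invalidation path the answer describes (persistent search or change notification not in effect) rather than at the REST endpoint itself.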
