tag:blogger.com,1999:blog-11679649952452783942024-03-20T03:19:13.965-04:00The Infinite LooperCharan Mannhttp://www.blogger.com/profile/09232150213727625395noreply@blogger.comBlogger4125tag:blogger.com,1999:blog-1167964995245278394.post-78763840645592707492017-09-12T09:48:00.006-04:002017-09-25T09:24:25.617-04:00Extending IG as a complete UMA-RS<br />
<span style="font-family: "verdana" , sans-serif;">Both <a href="https://backstage.forgerock.com/docs/am/5.1/uma-guide/#chap-uma-introduction">AM</a> and <a href="https://backstage.forgerock.com/docs/ig/5/gateway-guide/#chap-uma">IG</a> support <a href="https://docs.kantarainitiative.org/uma/rec-uma-core-v1_0_1.html">UMA 1.0.1</a> where AM acts as UMA Authorization Server (AS) and IG as UMA Resource Server (RS). </span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Currently there are some limitations in <a href="https://backstage.forgerock.com/docs/ig/5/gateway-guide#uma-limitations">UMA support in IG</a>, one of the most important is: PAT is stored in IG memory and is not persisted and if IG is restarted then the resource owner must perform the entire share process again.</span><br />
<br />
<span style="font-family: "verdana" , sans-serif;"><i>Note: This post is based on <b>UMA 1.0.1</b> </i></span><i><span style="font-family: "verdana" , sans-serif;"><a href="https://backstage.forgerock.com/docs/am/5.1/release-notes/#deprecated">(Support for UMA 1.0 and UMA 1.0.1 will be removed in a future version of ForgeRock Access Management)</a> </span></i><br />
<i><span style="font-family: "verdana" , sans-serif;"><br /></span></i>
<h2 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">Solution</span></h2>
<div>
<span style="font-family: "verdana" , sans-serif;"><u style="color: #24292e; font-size: 16px;">Versions used for this implementation: IG 5, AM 5.1 and DS 5</u></span><br />
<br />
<span style="font-family: "verdana" , sans-serif;">We can overcome some of these limitations by extending IG-UMA filter:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMHLIhzcgwLWsxZXpB_7ry7BDPZXetAOAKqx2bD-pD-3KJk7KzeRkYyhcZXSvszrSBIdTRW-izls3mchzxMsF8dW93IpHBoPEFzEqcWDXOCIyrBHHfsCsJu6DOvA0Kjjq1kk28gki0QBTO/s1600/SampleCompany+usecases+-+OpenIG-UMA-RS.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="741" data-original-width="1600" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMHLIhzcgwLWsxZXpB_7ry7BDPZXetAOAKqx2bD-pD-3KJk7KzeRkYyhcZXSvszrSBIdTRW-izls3mchzxMsF8dW93IpHBoPEFzEqcWDXOCIyrBHHfsCsJu6DOvA0Kjjq1kk28gki0QBTO/s640/SampleCompany+usecases+-+OpenIG-UMA-RS.jpeg" width="640" /></a></div>
<div style="text-align: left;">
</div>
<span style="font-family: "verdana" , sans-serif;">Some of the features of this extension:</span><br />
<br />
<ul>
<li><span style="font-family: "verdana" , sans-serif;">Realm support</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Extended IG-UMA REST endpoint: authentication using the PAT</span></li>
<li><span style="font-family: "verdana" , sans-serif;">User-friendly UMA resource names</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Persistence of the UMA resource set id and PAT in DS/OpenDJ. Because the PAT is a bearer token for the AS's Protection API, treat the DS entries that hold it as credential storage: restrict which accounts can read them and do not expose them through any other IG endpoint:</span></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilcekmHHEoKCpYKH712hMXKYg0Y1HSClQP-vz1j-W-Z28gb2tUZ1uTxuKgPj5FysAflMXXPqpnTdtaWB0EnP4n-LpbZrB5XufWuwGFGkIsOwBMDGcrb5w3muSv0eUDtFJ-PYCs-PxkCg1Z/s1600/DS-UMARS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="422" data-original-width="1398" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilcekmHHEoKCpYKH712hMXKYg0Y1HSClQP-vz1j-W-Z28gb2tUZ1uTxuKgPj5FysAflMXXPqpnTdtaWB0EnP4n-LpbZrB5XufWuwGFGkIsOwBMDGcrb5w3muSv0eUDtFJ-PYCs-PxkCg1Z/s640/DS-UMARS.png" width="640" /></a></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<br />
<span style="font-family: "verdana" , sans-serif;"></span></div>
<div style="text-align: start; text-indent: 0px;">
<h3 style="-webkit-text-stroke-width: 0px; color: black; font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<span style="font-family: "verdana" , sans-serif;">UMA Flows</span></h3>
<div>
<ul>
<li><span style="font-family: "verdana" , sans-serif;">Alice share UMA resource</span></li>
</ul>
<div>
</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGseNOzY07kKtJM3w6hWjlN77QV01DvhNXpf4F5hioXMSTtwLRM_AYljudtGZMavITrzY7ToJiQEvvITEiMhmFHB-WPo1Dwj-RrXPlZbj0jVkerb_ai687AfFSOOwwKK_tumTYYLMDLcVD/s1600/ShareUMAResource.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="421" data-original-width="568" height="474" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGseNOzY07kKtJM3w6hWjlN77QV01DvhNXpf4F5hioXMSTtwLRM_AYljudtGZMavITrzY7ToJiQEvvITEiMhmFHB-WPo1Dwj-RrXPlZbj0jVkerb_ai687AfFSOOwwKK_tumTYYLMDLcVD/s640/ShareUMAResource.png" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<ul>
<li><span style="font-family: "verdana" , sans-serif;">Bob access UMA resource</span></li>
</ul>
</div>
<h3 style="text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjPSL6ICA2kPxgXB5-Cm7jmsnxZaUtdImNOa5AY6yWCwXKKC5GqB4v0dPgtY6tq80gS9OlGmUHzE57uOKVe8p1O9JlAN6WSaOf0tDZipwPZWz-jouyN0-3-Vacb2Z1ux8orbvcmKQ03xSc/s1600/AccessUMAResource.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="495" data-original-width="486" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjPSL6ICA2kPxgXB5-Cm7jmsnxZaUtdImNOa5AY6yWCwXKKC5GqB4v0dPgtY6tq80gS9OlGmUHzE57uOKVe8p1O9JlAN6WSaOf0tDZipwPZWz-jouyN0-3-Vacb2Z1ux8orbvcmKQ03xSc/s640/AccessUMAResource.png" width="628" /></a></div>
<div>
<span style="font-family: "verdana" , sans-serif; font-size: small;"><span style="font-weight: normal;"><br /></span></span></div>
<div>
</div>
</h3>
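<span style="font-family: "verdana" , sans-serif;">The two flows above as an added Python example (this is not code from the extension, from IG or from AM): the AS is a small in-memory stand-in, the DS entries are a dict, the resource name, scopes and token values are constructed, and Bob's client redeeming the permission ticket is collapsed into one call on the stand-in. The last step rebuilds the RS from the persisted store, which is the "IG restart" case, and contrasts it with an RS whose store lived only in memory.</span><br />

```python
import secrets
import time


class FakeAuthorizationServer:
    """Stand-in for the UMA 1.0.1 AS (AM in the post); token values are constructed."""

    def __init__(self):
        self.valid_pats = set()
        self.resource_sets = {}   # resource_set_id -> {"name", "scopes"}
        self.tickets = {}         # permission ticket -> (resource_set_id, scopes)
        self.rpts = {}            # RPT -> list of granted permissions

    def issue_pat(self):
        """Result of the resource owner's OAuth2 flow for the uma_protection scope."""
        pat = "pat-" + secrets.token_hex(8)
        self.valid_pats.add(pat)
        return pat

    def register_resource_set(self, pat, name, scopes):
        """POST {as}/resource_set, authenticated with the PAT as a Bearer token."""
        if pat not in self.valid_pats:
            raise PermissionError("invalid PAT")
        rsid = "rs-" + secrets.token_hex(8)
        self.resource_sets[rsid] = {"name": name, "scopes": list(scopes)}
        return rsid

    def request_permission(self, pat, resource_set_id, scopes):
        """POST {as}/permission: the RS asks for a permission ticket on Bob's behalf."""
        if pat not in self.valid_pats or resource_set_id not in self.resource_sets:
            raise PermissionError("invalid PAT or unknown resource set")
        ticket = "tkt-" + secrets.token_hex(8)
        self.tickets[ticket] = (resource_set_id, list(scopes))
        return ticket

    def redeem_ticket(self, ticket):
        """Bob's client trades the ticket for an RPT; Alice's sharing policy is assumed to grant it."""
        resource_set_id, scopes = self.tickets.pop(ticket)
        rpt = "rpt-" + secrets.token_hex(8)
        self.rpts[rpt] = [{"resource_set_id": resource_set_id, "scopes": scopes,
                           "exp": int(time.time()) + 3600}]
        return rpt

    def introspect(self, pat, rpt):
        """POST {as}/introspect, authenticated with the PAT: RPT status and permissions."""
        if pat not in self.valid_pats:
            raise PermissionError("invalid PAT")
        perms = self.rpts.get(rpt, [])
        return {"active": bool(perms), "permissions": perms}


class ResourceServer:
    """RS role of the IG-UMA filter; `store` is a dict standing in for the DS entries."""

    def __init__(self, auth_server, store, as_uri="https://as.example.test", realm="example"):
        self.auth_server, self.store, self.as_uri, self.realm = auth_server, store, as_uri, realm

    def share(self, pat, resource_name, scopes):
        """Alice's share: register the resource set and persist PAT + id under the friendly name."""
        rsid = self.auth_server.register_resource_set(pat, resource_name, scopes)
        self.store[resource_name] = {"pat": pat, "resource_set_id": rsid, "scopes": list(scopes)}
        return rsid

    def _challenge(self, entry, scope):
        """403 plus the WWW-Authenticate header UMA 1.0.1 prescribes when the RPT is missing or insufficient."""
        ticket = self.auth_server.request_permission(entry["pat"], entry["resource_set_id"], [scope])
        header = 'UMA realm="%s", as_uri="%s", ticket="%s"' % (self.realm, self.as_uri, ticket)
        return 403, {"WWW-Authenticate": header}, None

    def handle(self, resource_name, scope, rpt=None):
        """Bob's request for one scope on one resource: returns (status, headers, body)."""
        entry = self.store.get(resource_name)
        if entry is None:
            return 404, {}, None
        if rpt is None:
            return self._challenge(entry, scope)
        info = self.auth_server.introspect(entry["pat"], rpt)
        now = int(time.time())
        for perm in info["permissions"]:
            if (perm["resource_set_id"] == entry["resource_set_id"]
                    and scope in perm["scopes"] and perm["exp"] > now):
                return 200, {}, "contents of " + resource_name
        return self._challenge(entry, scope)   # wrong resource, scope or expired RPT: new ticket


def run_flow():
    """Share, challenge, redeem, read; then rebuild the RS from the store (an "IG restart")."""
    auth, store = FakeAuthorizationServer(), {}
    rs = ResourceServer(auth, store)
    rs.share(auth.issue_pat(), "alice/photos", ["read", "write"])
    status, headers, _ = rs.handle("alice/photos", "read")             # Bob, no RPT yet
    ticket = headers["WWW-Authenticate"].split('ticket="')[1].rstrip('"')
    rpt = auth.redeem_ticket(ticket)
    first = rs.handle("alice/photos", "read", rpt)[0]
    restarted = ResourceServer(auth, store)                            # same persisted store
    after = restarted.handle("alice/photos", "read", rpt)[0]
    wrong_scope = restarted.handle("alice/photos", "write", rpt)[0]
    in_memory_only = ResourceServer(auth, {}).handle("alice/photos", "read", rpt)[0]
    return status, first, after, wrong_scope, in_memory_only
```

<span style="font-family: "verdana" , sans-serif;">run_flow() returns (403, 200, 200, 403, 404): the ticket challenge, Bob's first read, the read after the restart, a write the RPT does not cover (which gets a fresh ticket rather than a silent 200), and the 404 from an RS that lost its store, the situation that forces Alice to share again.</span><br />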
<h3 style="-webkit-text-stroke-width: 0px; color: black; font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; letter-spacing: normal; text-align: left; text-transform: none; white-space: normal; word-spacing: 0px;">
<span style="font-family: "verdana" , sans-serif;">Deploy</span></h3>
<div>
<ul>
<li><span style="font-family: "verdana" , sans-serif;"><a href="https://github.com/CharanMann/OpenIG-UMA-Extensions#pre-requisites-">Pre-requisites</a> </span></li>
<li><a href="https://github.com/CharanMann/OpenIG-UMA-Extensions#opendj-uma-rs-store-installation--configuration" style="font-family: verdana, sans-serif;">DS configurations</a><span style="font-family: "verdana" , sans-serif;"> </span></li>
<li><span style="font-family: "verdana" , sans-serif;"><a href="https://github.com/CharanMann/OpenIG-UMA-Extensions#openig-configuration">IG configurations</a></span></li>
</ul>
<div>
<br /></div>
</div>
<div>
<h3 style="-webkit-text-stroke-width: 0px; color: black; font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<span style="font-family: "verdana" , sans-serif;">Testing</span></h3>
<div>
<ul>
<li><span style="font-family: "verdana" , sans-serif;"><a href="https://github.com/CharanMann/OpenIG-UMA-Extensions#openig-uma-rest-endpoints">IG-UMA REST endpoints</a></span></li>
<li><span style="font-family: "verdana" , sans-serif;"><a href="https://github.com/CharanMann/OpenIG-UMA-Extensions#openig-use-cases-testing">UMA use-case testing </a></span></li>
</ul>
</div>
</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="margin: 0px;">
<a href="https://www.blogger.com/blogger.g?blogID=1167964995245278394" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a></div>
</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="margin: 0px;">
<br /></div>
</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<h2 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">See Also</span></h2>
<div>
<div style="margin: 0px;">
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><a href="https://github.com/CharanMann/OpenIG-UMA-Extensions">Get code</a></span></span></span></div>
<div style="margin: 0px;">
<br /></div>
<div style="margin: 0px;">
<span style="font-family: "verdana" , sans-serif;"></span></div>
</div>
<div style="margin: 0px;">
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="margin: 0px;">
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="margin: 0px;">
<span style="color: #555555;"><span style="font-size: 14px;"><br /></span></span></div>
</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="margin: 0px;">
<br /></div>
</div>
</div>
Charan Mannhttp://www.blogger.com/profile/09232150213727625395noreply@blogger.com0tag:blogger.com,1999:blog-1167964995245278394.post-55311309715122058112017-06-28T15:23:00.003-04:002017-06-29T09:56:50.673-04:00Unlock user account using OpenAM Forgot Password flow<br />
<span style="font-family: "verdana" , sans-serif;">OpenAM provides "Account Lockout" functionality which can be used to configure various lockout parameters such as failure count, lockout interval etc</span><span style="font-family: "verdana" , sans-serif;">. </span><br />
<span style="font-family: "verdana" , sans-serif;">Note that OpenDJ also provides Account Lockout functionality, this article is based on OpenAM Account Lockout policies. Refer this <a href="https://backstage.forgerock.com/knowledge/kb/article/a50950116">KB article</a> for more differences between OpenAM and OpenDJ lockout polices. </span><br />
<a href="https://www.blogger.com/blogger.g?blogID=1167964995245278394" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="blob:https://www.blogger.com/09659878-240b-4efc-9445-5ca32be80416" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Using OpenAM </span><span style="font-family: "verdana" , sans-serif;">"Account Lockout" policies,</span><span style="font-family: "verdana" , sans-serif;"> users may get locked out with invalid login attempts. OpenAM offers both <a href="https://backstage.forgerock.com/knowledge/kb/article/a52215804">Memory and Physical lockouts</a>. Using memory lockout, users get unlocked automatically after specified duration. </span><br />
<a href="blob:https://www.blogger.com/09659878-240b-4efc-9445-5ca32be80416" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><span style="font-family: "verdana" , sans-serif;"></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.blogger.com/blogger.g?blogID=1167964995245278394" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="blob:https://www.blogger.com/09659878-240b-4efc-9445-5ca32be80416" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjR7y5pCC9yqVwvK3ta5SvFtTMG6X2eFd18fZef-g6L21J4tKzH0FdysuaxYX7faz4zjFcMdN6h17_nPbivSm4l2djN6i0QeGRoD2BfIiFSIPpuWdGa8RswVR4afLzP7Spw-GndCLOUAgGf/s1600/Screen+Shot+2017-06-28+at+2.54.54+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="833" data-original-width="1315" height="404" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjR7y5pCC9yqVwvK3ta5SvFtTMG6X2eFd18fZef-g6L21J4tKzH0FdysuaxYX7faz4zjFcMdN6h17_nPbivSm4l2djN6i0QeGRoD2BfIiFSIPpuWdGa8RswVR4afLzP7Spw-GndCLOUAgGf/s640/Screen+Shot+2017-06-28+at+2.54.54+PM.png" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Many deployments use "Physical lockout" due to security requirements. When this lockout mode is used then there should be some Self-service flow so that user can unlock themselves. Why not use OpenAM forgot password self-service flow ? </span><br />
<span style="font-family: "verdana" , sans-serif;">OpenAM forgot password allows user to reset password after successfully completing various stages (such as KBA, email confirmation, reCaptcha etc). Unfortunately, the problem is that the account is not unlocked when this flow is used. There is already an open <a href="https://bugster.forgerock.org/jira/browse/OPENAM-7776#">RFE</a> for this issue. </span><br />
<h2 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;"><br /></span></h2>
<h2 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">Solution</span></h2>
<div>
<span style="font-family: "verdana" , sans-serif;"><u style="color: #24292e; font-size: 16px;">Versions used for this implementation: OpenAM 13.5, OpenDJ 3.5</u></span><br />
<a href="https://www.blogger.com/blogger.g?blogID=1167964995245278394" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><span style="font-family: "verdana" , sans-serif;">One of the solution can include extending out of the box OpenAM's forgot password self-service flow by adding custom stage to unlock user's account: </span></div>
<div>
<ul>
<li><span style="font-family: "verdana" , sans-serif;">Implement ForgottenPasswordConfigProviderExt to include the account unlock stage.</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Implement the unlock custom stage.</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Extend selfServiceExt.xml to include the custom provider.</span></li>
</ul>
<h3 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;"><br /></span></h3>
<h3 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">Deploy</span></h3>
<div>
<ul style="text-align: left;"><a href="https://www.blogger.com/blogger.g?blogID=1167964995245278394" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="https://www.blogger.com/blogger.g?blogID=1167964995245278394" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="https://www.blogger.com/blogger.g?blogID=1167964995245278394" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a>
<li style="box-sizing: border-box;"><span style="font-family: "verdana" , sans-serif;">Build the custom stage by using maven.</span></li>
<li style="box-sizing: border-box; margin-top: 0.25em;"><span style="font-family: "verdana" , sans-serif;">Delete all instances of User Self-Service from all realms.</span></li>
<li style="box-sizing: border-box; margin-top: 0.25em;"><span style="font-family: "verdana" , sans-serif;">Remove existing selfService</span></li>
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;">
<pre style="line-height: 16.25px;">./ssoadm delete-svc --adminid amadmin --password-file /tmp/pwd.txt -s selfService
</pre>
</div>
<li style="box-sizing: border-box;"><span style="font-family: "verdana" , sans-serif;">Restart OpenAM</span></li>
<li style="box-sizing: border-box; margin-top: 0.25em;"><span style="font-family: "verdana" , sans-serif;">Register custom selfService</span></li>
<li style="box-sizing: border-box;"><span style="font-family: "verdana" , sans-serif;">Restart OpenAM</span></li>
<div style="background-color: white; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;">
<pre style="line-height: 16.25px;">./ssoadm create-svc --adminid amadmin --password-file /tmp/pwd.txt --xmlfile ~/softwares/selfServiceExt.xml</pre>
</div>
<li style="box-sizing: border-box; margin-top: 0.25em;"><span style="font-family: "verdana" , sans-serif;">Add User Self-Service to specified realm and enable forgot password flow.</span></li>
</ul>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
</div>
<div>
<h3>
<span style="font-family: "verdana" , sans-serif;">Testing</span></h3>
</div>
<div>
<ol>
<li><span style="font-family: "verdana" , sans-serif;">Lock the user by authenticating with a wrong password until the account is locked out.</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Follow the forgot password flow to reset the password; the custom stage unlocks the account.</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Authenticate again with the new password. This should succeed.</span></li>
</ol>
</div>
<div>
<a href="https://www.blogger.com/blogger.g?blogID=1167964995245278394" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><span style="background-color: white; color: #24292e; font-family: , , "segoe ui" , "helvetica" , "arial" , sans-serif , "apple color emoji" , "segoe ui emoji" , "segoe ui symbol"; font-size: 16px;"><br /></span></div>
<div>
<br /></div>
<div>
<h2 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">See Also</span></h2>
<div>
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><a href="https://github.com/CharanMann/unlockAccountStage-ForgotPassword">Get code</a></span></span></span><br />
<span style="font-family: "verdana" , sans-serif;"><a href="https://backstage.forgerock.com/knowledge/kb/article/a50950116">Understanding OpenAM and OpenDJ account lockout behaviors</a></span><br />
<span style="font-family: "verdana" , sans-serif;"><a href="https://backstage.forgerock.com/docs/openam/13.5/admin-guide/chap-auth-services#configure-account-lockout">Configuring OpenAM Account Lockout</a></span><br />
<span style="font-family: "verdana" , sans-serif;"><a href="https://backstage.forgerock.com/knowledge/kb/article/a52215804">Memory vs Physical OpenAM lockouts</a></span></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<span style="color: #555555;"><span style="font-size: 14px;"><br /></span></span></div>
<div style="orphans: 2; widows: 2;">
<br /></div>
</div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
Charan Mannhttp://www.blogger.com/profile/09232150213727625395noreply@blogger.com0tag:blogger.com,1999:blog-1167964995245278394.post-53382088263882109572017-05-03T21:32:00.000-04:002017-05-05T08:27:13.544-04:00Extending OpenAM HOTP module to display OTP delivery details<br />
<a href="https://www.blogger.com/blogger.g?blogID=1167964995245278394" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><span style="font-family: "verdana" , sans-serif;">OpenAM provide HOTP authentication module which can send OTP to user's email address and/or telephone number. By default, OpenAM doesn't displays user's email address </span><span style="font-family: "verdana" , sans-serif;">and/or telephone number while sending this OTP. </span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPBQR1yIWfgmKeBjkKaoy5NpPNc3oYaPBZxW18g4g4VMofUCMsRYyPJGNjZsDxHK2I_TFMWmndvhzMYswtHPKtanSH3I9hVZDr-mrBory0Jl17HGR2iyZJuTjL-BNnsziTefkCXsL0xdA-/s1600/Screen+Shot+2017-05-03+at+4.15.05+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPBQR1yIWfgmKeBjkKaoy5NpPNc3oYaPBZxW18g4g4VMofUCMsRYyPJGNjZsDxHK2I_TFMWmndvhzMYswtHPKtanSH3I9hVZDr-mrBory0Jl17HGR2iyZJuTjL-BNnsziTefkCXsL0xdA-/s400/Screen+Shot+2017-05-03+at+4.15.05+PM.png" width="400" /></a></div>
<br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<h2 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">Solution</span></h2>
<div>
<span style="font-family: "verdana" , sans-serif;"><u style="color: #24292e; font-size: 16px;">Versions used for this implementation: OpenAM 13.5, OpenDJ 3.5</u></span><br />
<a href="https://www.blogger.com/blogger.g?blogID=1167964995245278394" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><span style="font-family: "verdana" , sans-serif;">One of the solution can include extending out of the box OpenAM's HOTP module: </span></div>
<div>
<ul>
<li><span style="font-family: "verdana" , sans-serif;">Extend the HOTP auth module (openam-auth-hotp).</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Update the following property in the extended amAuthHOTP.properties: send.success=Please enter your One Time Password sent at</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Extend HOTPService to retrieve the user's profile details (email address and/or telephone number).</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Change the extended HOTP module code as below, in both the auto-send and the on-request paths. Consider masking the contact details (for example the first character of the mailbox plus the domain, and only the last digits of the number) so the screen confirms where the OTP went without printing the full address or number:</span>
<!-- HTML generated using hilite.me --><div style="background: #ffffff; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;">
<pre style="line-height: 125%; margin: 0;">substituteHeader(START_STATE, bundle.getString(<span style="font-style: italic;">"send.success"</span>) + " " + &lt;user contact details obtained from the extended HOTPService&gt;);
</pre>
</div>
</li>
</ul>
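<span style="font-family: "verdana" , sans-serif;">An added Python sketch (not part of the OpenAM-HOTP-Extended code, which is Java) of the masking the extended module could apply before concatenating the contact details in substituteHeader. The function names and the masking formats are my own choices, and the sample addresses are constructed.</span><br />

```python
import re


def mask_email(address):
    """Keep the first character of the local part and the whole domain, e.g. a***@example.com.
    Anything that is not exactly local@domain is treated as opaque and fully masked."""
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain or "@" in domain:
        return "***"
    return local[0] + "***@" + domain


def mask_phone(number, keep=4):
    """Keep only the last `keep` digits of the number, e.g. ***-***-1234; formatting is dropped."""
    digits = re.sub(r"\D", "", number)
    if len(digits) <= keep:
        return "***"
    return "***-***-" + digits[-keep:]


def delivery_message(prefix, email=None, phone=None):
    """Text for the OTP screen: the send.success prefix followed by the masked channels in use."""
    targets = [mask_email(email)] if email else []
    if phone:
        targets.append(mask_phone(phone))
    return prefix if not targets else prefix + " " + " and ".join(targets)
```

<span style="font-family: "verdana" , sans-serif;">delivery_message() takes the send.success text as its prefix and only the channels the module actually used, so one helper serves the email-only, SMS-only and both-enabled configurations.</span><br />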
<h3 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;"><br /></span></h3>
<h3 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">Deploy</span></h3>
<div>
<ul style="text-align: left;">
<a href="https://www.blogger.com/blogger.g?blogID=1167964995245278394" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="https://www.blogger.com/blogger.g?blogID=1167964995245278394" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="https://www.blogger.com/blogger.g?blogID=1167964995245278394" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a>
<li style="box-sizing: border-box;"><span style="font-family: "verdana" , sans-serif;">Build the custom auth module by using maven.</span></li>
<li style="box-sizing: border-box; margin-top: 0.25em;"><span style="font-family: "verdana" , sans-serif;">Deploy the custom auth module. Refer instructions: <em style="box-sizing: border-box;"><a href="https://backstage.forgerock.com/docs/openam/13.5/dev-guide#build-config-sample-auth-module" style="box-sizing: border-box; color: #0366d6; text-decoration: none;">Building and Installing Custom Authentication Modules</a> </em></span></li>
<!-- HTML generated using hilite.me --><div style="background: #ffffff; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;">
<pre style="line-height: 125%; margin: 0;">Register service and module (Note that for OpenAM v12 use amAuthHOTPExt-12.xml) :
$ ./ssoadm create-svc --adminid amadmin --password-file /tmp/pwd.txt --xmlfile ~/softwares/amAuthHOTPExt.xml
$ ./ssoadm register-auth-module --adminid amadmin --password-file /tmp/pwd.txt --authmodule com.sun.identity.authentication.modules.hotp.HOTPExt
UnRegister service and module (in case module needs to be uninstalled) :
$ ./ssoadm unregister-auth-module --adminid amadmin --password-file /tmp/pwd.txt --authmodule com.sun.identity.authentication.modules.hotp.HOTPExt
$ ./ssoadm delete-svc --adminid amadmin --password-file /tmp/pwd.txt -s sunAMAuthHOTPExtService
</pre>
</div>
<li style="box-sizing: border-box; margin-top: 0.25em;"><span style="color: #24292e;"><span style="font-family: "verdana" , sans-serif;">Configure HOTPExt module with required SMTP server. Enable both SMS and Email.</span></span></li>
<li><span style="font-family: "verdana" , sans-serif;">Create a chain(otpChain) with (LDAP:Required, HOTPExt:Required). Set this chain as default for "Organization Authentication"</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Restart OpenAM</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Invoke HOTP module and appropriate message is displayed on screen with </span><span style="font-family: "verdana" , sans-serif;">user's email address </span><span style="font-family: "verdana" , sans-serif;">and/or telephone number: </span></li>
</ul>
</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigFI0EVkJKRallZgQttTeiUx-UUBjrjQUb7p0VVPeRKhEF7FpQHxOoEZa7ZUAAR0PXlbv329BT0Zz-z7QNzaGozBGwIYZ83Rh5oN-lUspQkNQMs1-daKuPUqjSLCMHeREn-gBQVS8is-MY/s1600/Screen+Shot+2017-05-03+at+4.16.19+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigFI0EVkJKRallZgQttTeiUx-UUBjrjQUb7p0VVPeRKhEF7FpQHxOoEZa7ZUAAR0PXlbv329BT0Zz-z7QNzaGozBGwIYZ83Rh5oN-lUspQkNQMs1-daKuPUqjSLCMHeREn-gBQVS8is-MY/s640/Screen+Shot+2017-05-03+at+4.16.19+PM.png" width="640" /></a></div>
<a href="https://www.blogger.com/blogger.g?blogID=1167964995245278394" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><span style="font-family: "verdana" , sans-serif;"><span style="background-color: white; color: #24292e; font-size: 16px;"><br /></span></span></div>
<div>
<a href="https://www.blogger.com/blogger.g?blogID=1167964995245278394" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><span style="background-color: white; color: #24292e; font-family: , , "segoe ui" , "helvetica" , "arial" , sans-serif , "apple color emoji" , "segoe ui emoji" , "segoe ui symbol"; font-size: 16px;"><br /></span></div>
<div>
<br /></div>
<div>
<span style="font-family: "verdana" , sans-serif;"></span><br />
<h2 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">See Also</span></h2>
<div>
<span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">Get code: </span></span><a href="https://github.com/CharanMann/OpenAM-HOTP-Extended">https://github.com/CharanMann/OpenAM-HOTP-Extended</a> </span><br />
<a href="https://backstage.forgerock.com/docs/openam/13.5/admin-guide#hotp-module-conf-hints"><span style="font-family: "verdana" , sans-serif;">Ope</span><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">nAM HOTP Authentication Module</span></span></a><br />
<span style="font-family: "verdana" , sans-serif;"><a href="https://backstage.forgerock.com/docs/openam/13.5/dev-guide#sec-auth-spi">OpenAM Custom Auth module sample</a></span></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<span style="color: #555555;"><span style="font-size: 14px;"><br /></span></span></div>
<div style="orphans: 2; widows: 2;">
<br /></div>
</div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<br />Charan Mannhttp://www.blogger.com/profile/09232150213727625395noreply@blogger.com0tag:blogger.com,1999:blog-1167964995245278394.post-89968710598411734062017-04-28T09:52:00.001-04:002017-05-05T08:26:24.261-04:00OpenAM SP SAML Attribute Mapper extension for updating profile attributes<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: "verdana" , sans-serif;">OpenAM can act as both SP and IdP for SAML webSSO flows. OpenAM also provides ability to dynamically create user profiles.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDTo3cG8072ByGTsF6iWyAJY2ZORw7GbVAoJQG6i0xK_TCFYQx9W029lqhicLb3npxHWjdceIzbNFuGS2JgXHAHQHfih5YNZvOsQkV55rJpuUxWciuLj0oknDQd3eznDVf7HTx_zbXtvqM/s1600/Screen+Shot+2017-04-28+at+9.39.24+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="305" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDTo3cG8072ByGTsF6iWyAJY2ZORw7GbVAoJQG6i0xK_TCFYQx9W029lqhicLb3npxHWjdceIzbNFuGS2JgXHAHQHfih5YNZvOsQkV55rJpuUxWciuLj0oknDQd3eznDVf7HTx_zbXtvqM/s640/Screen+Shot+2017-04-28+at+9.39.24+AM.png" width="640" /></a></div>
<span style="font-family: "verdana" , sans-serif;">When OpenAM acts as the SAML SP and Dynamic user profile creation is enabled, a user who has no profile in OpenAM gets one created dynamically from the attributes in the SAML assertion. </span><br />
<span style="font-family: "verdana" , sans-serif;">The problem is that if the user profile is later updated on the IdP side, subsequent SAML webSSO flows do not propagate those changes to the profile on the OpenAM SP side. More details here: </span><a href="https://bugster.forgerock.org/jira/browse/OPENAM-8340" style="font-family: verdana, sans-serif;">OPENAM-8340</a><br />
<br />
<h2 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">Solution</span></h2>
<span style="color: #24292e; font-family: Verdana, sans-serif; font-size: 16px;"><u>Versions used for this implementation: OpenAM 13.5, OpenDJ 3.5</u></span><br />
<div>
<span style="font-family: "verdana" , sans-serif;">One solution is to extend the OpenAM SP Attribute Mapper. The extension only needs to check whether the user profile already exists in the OpenAM SP datastore and, if it does, write back any new or modified attributes. Some tips for this implementation:</span></div>
<div>
<ol>
<li><span style="font-family: "verdana" , sans-serif;">Extend DefaultSPAttributeMapper and override getAttributes()</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Get the datastore provider from SAML2Utils.getDataStoreProvider()</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Check if the user exists: dataStoreProvider.isUserExists(userID)</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Get the existing user attributes: dataStoreProvider.getAttributes()</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Compare the attributes in the SAML assertion with the existing user attributes.</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Finally persist any new and updated attributes: dataStoreProvider.setAttributes()</span></li>
</ol>
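<div>
<span style="font-family: "verdana" , sans-serif;">The six steps above as one mapper class, written here as an added example and not taken from the linked repository; the package and class name are the ones the deploy step below configures, and the OpenAM 13.5 SPI signatures of DefaultSPAttributeMapper.getAttributes() and DataStoreProvider are assumed as I recall them for that version.</span></div>

```java
package org.forgerock.openam.saml2.plugins.examples;
import com.sun.identity.plugin.datastore.DataStoreProvider;
import com.sun.identity.plugin.datastore.DataStoreProviderException;
import com.sun.identity.saml2.assertion.Attribute;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2Utils;
import com.sun.identity.saml2.plugins.DefaultSPAttributeMapper;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Illustrative mapper (not the linked repository's code): for an existing, dynamically
// created profile, write back only the assertion attributes whose values changed.
public class UpdateDynamicUserSPAttMapper extends DefaultSPAttributeMapper {
    @Override
    public Map<String, Set<String>> getAttributes(List<Attribute> attributes, String userID,
            String hostEntityID, String remoteEntityID, String realm) throws SAML2Exception {
        // Step 1: the default mapper applies the configured SAML-to-profile attribute map.
        Map<String, Set<String>> mapped =
                super.getAttributes(attributes, userID, hostEntityID, remoteEntityID, realm);
        if (mapped == null || mapped.isEmpty() || userID == null) {
            return mapped;
        }
        try {
            // Steps 2-3: update only an existing profile; a new one is left to dynamic creation.
            DataStoreProvider dsp = SAML2Utils.getDataStoreProvider();
            if (!dsp.isUserExists(userID)) {
                return mapped;
            }
            // Step 4: read the current values of just the attributes the assertion carries.
            Map<String, Set<String>> existing = dsp.getAttributes(userID, mapped.keySet());
            // Step 5: keep the delta only; Set.equals ignores multi-value ordering.
            Map<String, Set<String>> changed = new HashMap<>();
            for (Map.Entry<String, Set<String>> e : mapped.entrySet()) {
                Set<String> current = existing == null ? null : existing.get(e.getKey());
                if (current == null || !current.equals(e.getValue())) {
                    changed.put(e.getKey(), e.getValue());
                }
            }
            // Step 6: persist the delta, so an unchanged login causes no datastore write.
            if (!changed.isEmpty()) {
                dsp.setAttributes(userID, changed);
            }
        } catch (DataStoreProviderException dse) {
            // Surface the failure instead of silently serving stale attributes.
            throw new SAML2Exception(dse.getMessage());
        }
        return mapped;
    }
}
```

<div>
<span style="font-family: "verdana" , sans-serif;">Writing only the delta also keeps the datastore (and its change log) from recording a modification on every SSO when nothing changed at the IdP.</span></div>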
<h3 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">Deploy</span></h3>
<div>
<ul style="text-align: left;">
<li><span style="font-family: "verdana" , sans-serif;">Compile and deploy this extension in OpenAM under (OpenAM-Tomcat)/webapps/openam/WEB-INF/lib</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Change the SAML attribute mapper setting in OpenAM. Navigate to Federation > Entity Providers > (SP Hosted Entity) > Assertion Processing. Specify 'org.forgerock.openam.saml2.plugins.examples.UpdateDynamicUserSPAttMapper' under Attribute Mapper.</span></li>
<li><span style="font-family: "verdana" , sans-serif;">Restart OpenAM</span></li>
<li><span style="font-family: "verdana" , sans-serif;">And we are good to go! Any changes to user profile attributes carried in the SAML assertion will now be persisted in the OpenAM datastore.</span></li>
</ul>
</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6I-XWXlrI6KuAutHgS7M6FAs3j53C1K2_84mPgoYAl0L8CXh5j76UaLt5QDU1YiRiE0t3GP6grYYiPsfRuk4UAy6Zr-SBInWcqpAIM-YqieR9sslR9SYZGavG0oYuCefgLFGu0quA-sVa/s1600/Screen+Shot+2017-04-28+at+10.02.44+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6I-XWXlrI6KuAutHgS7M6FAs3j53C1K2_84mPgoYAl0L8CXh5j76UaLt5QDU1YiRiE0t3GP6grYYiPsfRuk4UAy6Zr-SBInWcqpAIM-YqieR9sslR9SYZGavG0oYuCefgLFGu0quA-sVa/s640/Screen+Shot+2017-04-28+at+10.02.44+AM.png" width="640" /></a></div>
</div>
<div>
<span style="font-family: "verdana" , sans-serif;"><b><i>Note that, ideally, attributes across different sources should be synchronized with a tool such as OpenIDM.</i></b></span></div>
<div>
<h2 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">See Also</span></h2>
<div>
<span style="font-family: "verdana" , sans-serif;">Get code: <a href="https://github.com/CharanMann/OpenAM-SAMLSP-updateDynamicUser">https://github.com/CharanMann/OpenAM-SAMLSP-updateDynamicUser</a></span><br />
<span style="font-family: "verdana" , sans-serif;">OpenAM User Profile settings: <a href="https://backstage.forgerock.com/docs/openam/13.5/admin-guide#auth-core-realm-attributes">https://backstage.forgerock.com/docs/openam/13.5/admin-guide#auth-core-realm-attributes</a> </span><br />
<span style="font-family: "verdana" , sans-serif;">OpenAM SAML configuration: <a href="https://backstage.forgerock.com/docs/openam/13.5/admin-guide#chap-federation">https://backstage.forgerock.com/docs/openam/13.5/admin-guide#chap-federation</a> </span></div>
</div>
</div>
</div>