Auth chain using WDSSO


Josep Maria Comas

Hi everybody,

We're migrating to OpenAM 13.5.

We have an auth chain: WDSSO -> DataStore

We've tested with a machine OUTSIDE the configured Windows domain.

We've got no problem using Chrome, Firefox, Edge.

Using IE, even though we have the server in Local Intranet Sites, it always fails with an Authentication Failed message, even with a correct user + password.

We think the reason is: IE sends an HTTP header Authentication:Negotiate with an NTLM token when it POSTs the user + password login page. It fails at the OpenAM side and hence the Authentication Failed message.

If we delete the server from Local Intranet Sites, then we get an additional authentication dialog box before the login page. But after that, login works flawlessly.

Here's a post by Simon Harding: https://forum.forgerock.com/2016/08/openam-windows-desktop-sso-deep-dive-part-1/, who comments:

UPDATE: That's not quite always true. The change in OpenAM 13 allows the WDSSO module to fall back to another module if the browser has negotiate support turned off, for example as it is by default in Safari and FireFox. However, this won't prevent the login dialog (shown above) from appearing if negotiate support is turned on in the browser, as it is by default in IE. I'll look into this in more detail in my next blog post. Thanks to my colleague Cyril Grosjean for pointing this out.

Maybe this change in OpenAM 13 is responsible for this behaviour? Any clues?

Best,

JM
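An added diagnostic helper, not part of the post or of OpenAM itself: it classifies the token carried in the `Authorization: Negotiate` request header (the header the post describes) as NTLM, SPNEGO or raw Kerberos, so a login-form POST that carries an NTLM fallback token, which is what the post suspects IE sends from a machine outside the domain, can be told apart from a Kerberos one in a request log or a servlet filter. The sample tokens are constructed, not captured traffic.

```python
import base64

# DER-encoded OIDs that open a GSS-API InitialContextToken (RFC 2743).
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2

# Constructed sample header values (made-up bytes, not real tokens).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 27).decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    b"\x60" + bytes([len(SPNEGO_OID) + 2]) + SPNEGO_OID + b"\xa0\x00").decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(
    b"\x60" + bytes([len(KRB5_OID) + 2]) + KRB5_OID + b"\x01\x00").decode()

def _skip_der_length(buf, pos):
    """Offset just past the DER length field at pos, or None if truncated."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:                      # short-form length
        return pos + 1
    end = pos + 1 + (first & 0x7F)        # long-form: next N bytes hold the length
    return end if end <= len(buf) else None

def classify_negotiate_token(header_value):
    """Return 'none', 'ntlm', 'spnego', 'kerberos' or 'unknown' for an Authorization header."""
    if not header_value:
        return "none"
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token.strip():
        return "unknown"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return "unknown"
    if raw.startswith(b"NTLMSSP\x00"):    # NTLM fallback, not a Kerberos ticket
        return "ntlm"
    if raw[:1] == b"\x60":                # [APPLICATION 0] wrapper of a GSS token
        body = _skip_der_length(raw, 1)
        if body is not None:
            if raw.startswith(SPNEGO_OID, body):
                return "spnego"
            if raw.startswith(KRB5_OID, body):
                return "kerberos"
    return "unknown"

def diagnose_login_post(headers):
    """Map the token kind on a login-form POST to a one-line explanation."""
    kind = classify_negotiate_token(headers.get("Authorization"))
    notes = {
        "none": "no Negotiate token; the form POST reaches the password module cleanly",
        "ntlm": "NTLM token: browser had no Kerberos ticket (e.g. host outside the domain)",
        "spnego": "SPNEGO token: normal Kerberos-capable Negotiate exchange",
        "kerberos": "raw Kerberos AP-REQ token",
        "unknown": "Negotiate header present but token not recognised",
    }
    return kind + ": " + notes[kind]
```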


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
https://lists.forgerock.org/mailman/listinfo/openam