Authentication with Module Chain

Authentication with Module Chain

Alberto Treviño
I am setting up a policy that uses the Authentication with Module Chain
environment condition in OpenAM 12.0.2. This is what I've done so far.

I created a module chain called MyChain. (I only have one realm). Then I
created my policy and added the Authentication with Module Chain environment
condition. When prompted for the Service Name, I entered "MyChain".

When I visit the resource, the browser goes into an infinite redirect loop. I
attached the debugger to AuthenticateToServiceCondition and I can see the
evaluate() method return false in the ConditionDecision satisfied parameter
and the following for the advices:

  {AuthenticateToServiceConditionAdvice=[/:MyChain]}

So I know my condition is being evaluated and the name of the chain is being
passed.

On the browser side, the browser first does a POST to Login?goto=..., then it
performs a GET on the same URL which returns a 302 back to my site, which
triggers the redirect to Login?goto=... until I close the tab. It's almost
as if the advice is being ignored by OpenAM.

I also made sure my chain was set up correctly, I went to my login URL and set
the service=MyChain parameter which logs me in through my custom chain. What's
interesting is that if I log in directly into my chain and visit the resource
I'm trying to protect, I get in just fine. In the debugger I can see
AuthenticateToServiceCondition setting satisfied to true in the
ConditionDecision, which means the policy is being evaluated correctly.

The only thing I can figure out is that the Service Name in the condition
needs to be something other than the name of my chain. The documentation
doesn't really say what that name should be.

Can someone help me figure out what I need to enter in the Service Name to get
my policy to work?

--
Alberto Treviño
WAM Team, ICS
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Authentication with Module Chain

Bernhard Thalmayr
Normally the Policy Decision should contain an advice which the agent
processes. If the advice is not met, the Agent sends the user to the
LoginUrl with an advice so the user has a chance to fulfill that advice.

In your case there should be an auth-chain advice.

Set the debug level to 'ALL' on the agent and check the agent debug log.

Set the debug level to 'message' on the OpenAM side; the Policy and Entitlement
debug log should show the advice being calculated.

-Bernhard

On 09/02/16 at 20:24, Alberto Treviño wrote:

--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.

Re: Authentication with Module Chain

Alberto Treviño
On Tuesday, February 9, 2016 8:32:00 PM MST Bernhard Thalmayr wrote:
> Normally the Policy Decision should contain an advice which the agent
> processes. If the advice is not met the Agent sends the user to the
> LoginUrl with and advice to the user has a chance to fullfill that advice.
>
> In your case there should be an auth-chain advice.

There is an auth-chain advice coming back from the policy:

{AuthenticateToServiceConditionAdvice=[/:MyChain]}

> set debug level to 'message' on OpenAM side, Policy and Entitlement
> debug log should show the advice being calculated.

The advice is being calculated properly by the policy. OpenAM for some reason
doesn't understand it and ignores it, creating the infinite loop. When I
authenticate directly with MyChain, I can access my resource and no infinite
loop.

So I ask again: what should I provide in the Service Name when I add the
Authentication with Module Chain environment condition? Or is this a bug in
OpenAM 12.0.2?

--
Alberto Treviño
WAM Team, ICS

Re: Authentication with Module Chain

Bernhard Thalmayr
Is the agent running in CDSSO or regular SSO mode?

-Bernhard

On 09/02/16 at 21:43, Alberto Treviño wrote:


Re: Authentication with Module Chain

Peter Major
In reply to this post by Alberto Treviño
The service name does not have much to do with your problem most likely.
There are a few things of interest:
* if you are looking at an HTTP trace can you see the
sunamcompositeadvice ever reaching the /UI/Login endpoint?
* if you are debugging the condition class, do you see why the condition
evaluation fails?
* what happens if you rename your chain to all lowercase? There were a
few past cases when case sensitive checks were causing problems with
condition evaluations.

Anyways, the easiest way to test this really is just to go through a
login flow by accessing the protected site and then check if the Service
session property has been populated correctly:
http://foo.bar.com:8080/openam/identity/attributes?attributenames=Service

if this contains the value of MyChain then the condition should be
satisfied.

cheers,
Peter

On 2016. 02. 09. at 20:43, Alberto Treviño wrote:
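Peter's check above (look at the Service session property via the legacy identity/attributes endpoint) can be scripted. The following is an added example written for this thread, not code from OpenAM or from any of the posters. It parses the line-based "userdetails.attribute.name=/userdetails.attribute.value=" response format of the legacy identity REST endpoint as I remember it, and the sample response, the token and the host names are constructed; the "subjectid" query parameter is my assumption about how the session token is passed, so verify it against your OpenAM version.

```python
"""Check whether an OpenAM session was authenticated through a given chain.

Added example for this mailing-list thread, not part of OpenAM or of the
posts. It parses the legacy /openam/identity/attributes response that Peter
points at and looks for the Service attribute. The sample response below is
constructed (the token is not a real token).
"""
from typing import Dict, List, Optional

# Constructed sample response for a session that logged in through /:MyChain.
SAMPLE_RESPONSE = """userdetails.token.id=AQIC5wM2LY4Sfcz...EXAMPLE-TOKEN
userdetails.attribute.name=Service
userdetails.attribute.value=/:MyChain
userdetails.attribute.name=uid
userdetails.attribute.value=demo
"""


def parse_identity_attributes(body: str) -> Dict[str, List[str]]:
    """Parse 'userdetails.attribute.name=' / '.value=' pairs into a dict.

    Value lines are collected under the most recent name line; the token id
    line is kept under the key 'token.id'. Unknown lines are ignored.
    """
    attrs: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in body.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key == "userdetails.token.id":
            attrs.setdefault("token.id", []).append(value)
        elif key == "userdetails.attribute.name":
            current = value
            attrs.setdefault(current, [])
        elif key == "userdetails.attribute.value" and current is not None:
            attrs[current].append(value)
    return attrs


def authenticated_to_service(body: str, realm: str, chain: str) -> bool:
    """True if the Service attribute carries the chain, either realm-qualified
    ('/:MyChain', the form seen in the debug log) or as the bare chain name.

    The comparison is exact, including case; that is the kind of mismatch
    Peter's "rename the chain to all lowercase" suggestion is probing for.
    """
    values = parse_identity_attributes(body).get("Service", [])
    return f"{realm}:{chain}" in values or chain in values


def fetch_attributes(openam_base: str, token: str) -> str:
    """Fetch the Service attribute of a live session (not used offline).

    openam_base is e.g. 'http://foo.bar.com:8080/openam' from Peter's post.
    Assumption: the session token is passed as the 'subjectid' parameter.
    """
    import urllib.parse
    import urllib.request

    query = urllib.parse.urlencode({"attributenames": "Service", "subjectid": token})
    with urllib.request.urlopen(f"{openam_base}/identity/attributes?{query}") as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(parse_identity_attributes(SAMPLE_RESPONSE))
    print("authenticated via MyChain:",
          authenticated_to_service(SAMPLE_RESPONSE, "/", "MyChain"))
```

Run it against the constructed response to see the parsed attributes; to use it on a real deployment, call fetch_attributes with your OpenAM base URL and the iPlanetDirectoryPro cookie value of the session you just logged in, then feed the returned text to authenticated_to_service.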

Re: Authentication with Module Chain

Alberto Treviño
In reply to this post by Bernhard Thalmayr
On Tuesday, February 9, 2016 9:52:55 PM MST Bernhard Thalmayr wrote:
> Is agent running in CDSSO or regular SSO mode?

Regular SSO mode.

Here is the output of the Entitlement debug log:

Entitlement:02/09/2016 02:05:32:635 PM MST: Thread[http-bio-8080-exec-1,5,main]
At AuthenticateToServiceCondition.evaluate():authenticateToService =
/:MyChain, requestAuthnServices = [/:ldapService],  allowed = false


--
Alberto Treviño
WAM Team, ICS

Re: Authentication with Module Chain

Alberto Treviño
In reply to this post by Peter Major
On Tuesday, February 9, 2016 8:59:18 PM MST Peter Major wrote:
> The service name does not have much to do with your problem most likely.
> There are a few things of interest:
>
> * if you are looking at an HTTP trace can you see the
> sunamcompositeadvice ever reaching the /UI/Login endpoint?

Yes. The first redirect, a POST to Login?goto=... has the following as the
body:

  <Advices>
  <AttributeValuePair>
  <Attribute name="AuthenticateToServiceConditionAdvice"/>
  <Value>/:MyChain</Value>
  </AttributeValuePair>
  </Advices>

That request yields a 302 to Login?goto=... (there is no service=). That
yields another 302 back to the goto URL.

> * if you are debugging the condition class, do you see why the condition
> evaluation fails?

The condition fails because the user hasn't authenticated with that chain. If
I specifically ask to authenticate with my chain via Login?service=MyChain (or
by setting the default chain to MyChain) the condition is satisfied and
everything works fine.

> * what happens if you rename your chain to all lowercase? There were a
> few past cases when case sensitive checks were causing problems with
> condition evaluations.

Same problem. Infinite redirect loop.

> Anyways, the easiest way to test this really is just to go through a
> login flow by accessing the protected site and then check if the Service
> session property has been populated correctly:

> foo.bar.com:8080/openam/identity/attributes?attributenames=Service
>
> if this contains the value of MyChain then the condition should be
> satisfied.

I'm on legacy UI, and the second redirect does not contain the service=MyChain
attribute. Turning on XUI does not resolve the problem.

So this leaves me wondering about the AuthenticateToServiceConditionAdvice
being returned in the advices list: is that the right advice type?

--
Alberto Treviño
WAM Team, ICS

Re: Authentication with Module Chain

Peter Major
> Yes. The first redirect, a POST to Login?goto=... has the following as the
> body:
>
> <Advices>
> <AttributeValuePair>
> <Attribute name="AuthenticateToServiceConditionAdvice"/>
> <Value>/:MyChain</Value>
> </AttributeValuePair>
> </Advices>
>
> That request yields a 302 to Login?goto=... (there is no service=). That
> yields another 302 back to the goto URL.

After the POST you shouldn't see a 302, you should get a login page
straight away instead. Have you customized the login flow by any means?

> I'm on legacy UI, and the second redirect does not contain the service=MyChain
> attribute. Turning on XUI does not resolve the problem.

The POST will contain all the data the LoginViewBean needs to figure out
what to display, so there is no specific need for that request parameter
to be present.

> So this leaves me wondering about the AuthenticateToServiceConditionAdvice
> being returned in the advices list: is that the right advice type?

Yes.

cheers,
Peter

Re: Authentication with Module Chain

Alberto Treviño
On Tuesday, February 9, 2016 9:42:55 PM MST Peter Major wrote:
> After the POST you shouldn't see a 302, you should get a login page
> straight away instead. Have you customized the login flow by any means?

That was the problem. The agent was redirecting to an alias of the OpenAM
server. OpenAM didn't recognize the second hostname and would redirect back to
its known hostname and lose the advice. By correcting the URL in the agent
configuration everything works as it should.

Thanks for helping me find this.

--
Alberto Treviño
WAM Team, ICS
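The root cause Alberto found (the agent sending the composite advice to a hostname OpenAM did not recognise, so the server redirected to its own hostname and the advice was dropped) shows up clearly in an HTTP trace once you know what to look for. The following is an added example for this thread, not OpenAM or agent code: it parses the Advices document from Alberto's trace and walks a captured redirect chain, flagging the hop where a POSTed advice is answered with a redirect to a different host instead of a login page, which is exactly the symptom Peter pointed at. The trace, the hostnames and the goto URL are constructed for the example.

```python
"""Locate the hop in a redirect trace where an OpenAM composite advice is lost.

Added example for this mailing-list thread, not OpenAM's or the agent's code.
The <Advices> format is the one from Alberto's HTTP trace; the trace itself,
the hostnames and the goto URL are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Advice body exactly as posted by the agent in the thread.
ADVICE_BODY = """<Advices>
<AttributeValuePair>
<Attribute name="AuthenticateToServiceConditionAdvice"/>
<Value>/:MyChain</Value>
</AttributeValuePair>
</Advices>"""


def parse_advices(xml_text: str) -> Dict[str, List[str]]:
    """Map each advice name to its list of values."""
    root = ET.fromstring(xml_text)
    advices: Dict[str, List[str]] = {}
    for pair in root.findall("AttributeValuePair"):
        attr = pair.find("Attribute")
        name = attr.get("name") if attr is not None else None
        if not name:
            continue
        advices[name] = [v.text or "" for v in pair.findall("Value")]
    return advices


@dataclass
class Hop:
    """One request/response pair from a browser or proxy trace."""
    method: str
    url: str
    status: int
    location: Optional[str] = None      # Location header on a 3xx
    advice_body: Optional[str] = None   # composite advice POSTed, if any


GOTO = "http%3A%2F%2Fapp.example.com%2F"
# Constructed trace mirroring the thread: the agent POSTs the advice to an
# alias hostname, OpenAM answers 302 to its configured hostname (advice gone),
# the login page redirects back to the app, and the agent starts over.
SAMPLE_TRACE = [
    Hop("POST", f"http://sso-alias.example.com:8080/openam/UI/Login?goto={GOTO}", 302,
        f"http://openam.example.com:8080/openam/UI/Login?goto={GOTO}", ADVICE_BODY),
    Hop("GET", f"http://openam.example.com:8080/openam/UI/Login?goto={GOTO}", 302,
        "http://app.example.com/"),
    Hop("GET", "http://app.example.com/", 302,
        f"http://sso-alias.example.com:8080/openam/UI/Login?goto={GOTO}"),
]


def find_lost_advice(trace: List[Hop]) -> Optional[str]:
    """Describe the first POSTed advice that is answered with a redirect,
    or return None when every advice POST is answered with a page."""
    for i, hop in enumerate(trace):
        if hop.method != "POST" or not hop.advice_body:
            continue
        advices = parse_advices(hop.advice_body)
        if 300 <= hop.status < 400 and hop.location:
            src, dst = urlsplit(hop.url), urlsplit(hop.location)
            if src.netloc != dst.netloc:
                return (f"hop {i}: advice {advices} POSTed to {src.netloc} answered "
                        f"with {hop.status} to {dst.netloc}: the agent's login URL host "
                        f"does not match the OpenAM server host, so the advice is dropped")
            return (f"hop {i}: advice {advices} POSTed to {src.netloc} answered "
                    f"with {hop.status} instead of a login page")
    return None


def is_redirect_loop(trace: List[Hop]) -> bool:
    """True if some redirect points back at a URL already requested."""
    seen = set()
    for hop in trace:
        seen.add(hop.url)
        if hop.location in seen:
            return True
    return False


if __name__ == "__main__":
    print("loop:", is_redirect_loop(SAMPLE_TRACE))
    print(find_lost_advice(SAMPLE_TRACE))
```

With a real trace, fill Hop entries from your proxy or browser developer tools; the first POST to /UI/Login that carries the Advices body should come back as a 200 login page, and any 3xx there, especially to another host, is where to look at the agent's login URL and the OpenAM server's own FQDN and realm/DNS alias settings.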