Help understanding OpenAM behavior

Alberto Treviño

We just ran into some interesting behavior with OpenAM. I'm wondering if this is desired behavior (and if so why), if it can be turned off, or if it's a bug. This is how you reproduce it:


In a new browser session, bring up your site's login page but don't sign in yet (how you do it is irrelevant). Then, with the login page just sitting there, open up a second tab with the same login page (again, how you do it is irrelevant). Log in to the first site with say, UserA. Once you are logged in, go back to the second tab that still has a login page and log in with UserB. The result we see in the second tab is that you go to that tab's successful login destination but you are still authenticated with UserA.


There is another interesting twist as well. You can pass a goto parameter to the login page in the second tab, and then provide absolutely bogus credentials and the tab will be redirected to the goto location but still have the credentials of UserA that was previously logged in.


This behavior seems odd to us. We would expect that when you go to the second tab and put in valid credentials, all previous sessions would be destroyed and you would become the new user. (Most sites seem to do that.) On the second case, if you provide invalid credentials, you should get an error page.


Any ideas?


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Help understanding OpenAM behavior

Kiran Ramineni

Alberto,

In my opinion this is expected behavior.

Let me present a case:

So, let's say you are logged in on one tab. Now, you go to another tab and attempt to go to the login page; wouldn't you expect that you get the profile page (to indicate that you are already logged in)?

The reason behind this is that OpenAM places a cookie once the user is logged in. When you go to the login page again, it obtains the cookie and identifies that you are already logged in.

HTH

Kiran Ramineni

From: [hidden email] [mailto:[hidden email]] On Behalf Of Alberto Treviño
Sent: Wednesday, June 22, 2016 9:51 AM
To: Users
Subject: [OpenAM] Help understanding OpenAM behavior

 


Re: Help understanding OpenAM behavior

Hedrick, Brooke - 43

I have seen the same behavior. A user is logged in on one tab. Then, they go to a new tab, access the main page on the site to log in, enter different credentials, BUT, OpenAM uses the previous credentials, no warning, no nothing.

I would not say that this is expected behavior.

OpenAM should either use the new credentials or prevent you from moving on (after entering new credentials) until you accept some prompt explaining that you have a previous login as ___username___ that will be used instead.

This is disconcerting when you run into it and users don't always pay attention to the fact that they are using different credentials than they expect.

-Brooke

From: [hidden email] [mailto:[hidden email]] On Behalf Of Kiran Ramineni
Sent: Wednesday, June 22, 2016 1:59 PM
To: 'Users' <[hidden email]>
Subject: Re: [OpenAM] Help understanding OpenAM behavior

 


Re: Help understanding OpenAM behavior

Bernhard Thalmayr
Am 22/06/16 um 23:38 schrieb Hedrick, Brooke - 43:
> I have seen the same behavior.  A user is logged in on one tab.  Then,
> they go to a new tab, access the main page on the site to log in, enter
> different credentials, BUT, OpenAM uses the previous credentials, no
> warning, no nothing.

OpenAM won't show any login dialogue by default if the SSO tracking
cookie is sent.

In your case the question is ... how was OpenAM accessed?

-Bernhard


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr


Re: Help understanding OpenAM behavior

Hedrick, Brooke - 43
Bernhard,

Have you tried:
===================
1. access https://yourserver/openam/UI/Login?module=DataStore
2. Login as userA
3. access https://yourserver/openam/UI/Login?module=DataStore
4. Login as userB
5. Now check to see which user OpenAM thinks you are logged in as.

To answer your question:
===================
Another page that fits in better with the site and can be included with other content; it has the username/password boxes and posts to the normal login URL.


Our resolution
===================
We ended up creating a filter to resolve the issue.  The filter removes the iPlanetDirectoryPro cookie.

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class SsoPasswordFilter
  implements Filter
{
  // Name of the OpenAM SSO tracking cookie.
  private static final String SSO_COOKIE = "iPlanetDirectoryPro";

  public void init(FilterConfig config) throws ServletException {}
  public void destroy() {}

  public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain filterChain)
    throws IOException, ServletException
  {
    HttpServletRequest request = (HttpServletRequest)arg0;
    // Mutating the Cookie objects returned by request.getCookies() never reaches
    // the browser, so the cookie is dropped from a wrapped request instead and
    // the rest of the chain (the login page) no longer sees the existing session.
    HttpServletRequest wrapper = getWrapperRequest(request);
    filterChain.doFilter(wrapper, arg1);
  }

  // Wraps the request so that getCookies() omits the iPlanetDirectoryPro cookie.
  private static HttpServletRequest getWrapperRequest(HttpServletRequest request)
  {
    return new HttpServletRequestWrapper(request)
    {
      @Override
      public Cookie[] getCookies()
      {
        Cookie[] cookies = super.getCookies();
        if (cookies == null) return null;
        List<Cookie> kept = new ArrayList<Cookie>();
        for (Cookie cookie : cookies) {
          if (!SSO_COOKIE.equals(cookie.getName())) {
            kept.add(cookie);
          }
        }
        return kept.toArray(new Cookie[0]);
      }
    };
  }
}

Brooke Hedrick
AVP Web Administration
Rain and Hail, IT Division
Office: 515.559.1322
Cell: 515.314.8953
[hidden email]



-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
Sent: Thursday, June 23, 2016 11:26 AM
To: [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior


Re: Help understanding OpenAM behavior

Kiran Ramineni
Brooke,

What do you see as the response after step 3?

Do you see a login screen?

As far as removing the iPlanetDirectoryPro cookie, I would be concerned
regarding achieving SSO.

Optionally, if you want to force a user to login, you can append
arg=newSession to the login URL.

Best Regards
Kiran

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Hedrick, Brooke - 43
Sent: Thursday, June 23, 2016 1:58 PM
To: [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Bernhard,

Have you tried:
===================
1. access https://yourserver/openam/UI/Login?module=DataStore
2. Login as userA
3. access https://yourserver/openam/UI/Login?module=DataStore
4. Login as userB
5.  Now - check to see which user OpenAM thinks you are logged in as.

To answer your question:
===================
Another page, that fits in better with the site and can be included with
other content, which has the username/password boxes and posts to the normal
login URL.


Our resolution
===================
We ended up creating a filter to resolve the issue.  The filter removes the
iPlanetDirectoryPro cookie.

public class SsoPasswordFilter
  implements Filter
{
  public void doFilter(ServletRequest arg0, ServletResponse arg1,
FilterChain filterChain)
    throws IOException, ServletException
  {
    HttpServletRequest request = (HttpServletRequest)arg0;
   
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
      for (int i = 0; i < cookies.length; i++)
      {
        Cookie cookie = cookies[i];
        if (cookie.getName().equals("iPlanetDirectoryPro"))
        {
          cookie.setValue("");
          cookie.setMaxAge(0);
        }
      }
    }
    HttpServletRequest wrapper = getWrapperRequest(request);
    filterChain.doFilter(wrapper, arg1);
  }
}

Brooke Hedrick
AVP Web Administration
Rain and Hail, IT Division
Office: 515.559.1322
Cell: 515.314.8953
[hidden email]

For more information about the Agriculture Insurance from Rain and Hail
visit www.RainHail.com.

Rain and Hail
A Chubb Company


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Bernhard Thalmayr
Sent: Thursday, June 23, 2016 11:26 AM
To: [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Am 22/06/16 um 23:38 schrieb Hedrick, Brooke - 43:
> I have seen the same behavior.  A user is logged in on one tab.  Then,
> they go to a new tab, access the main page on the site to log in,
> enter different credentials, BUT, OpenAM uses the previous
> credentials, no warning, no nothing.

OpenAM won't show any login dialogue by default if the SSO tracking cookie
is sent.

In your case the question is ... how was OpenAM accessed?

-Bernhard

>
>  
>
> I would not say that this is expected behavior.
>
>  
>
> OpenAM should either use the new credentials or prevent you from
> moving on ( after entering new credentials ) until you accept some
> prompt explaining that you have a previous login as ___username___
> that will be used instead.
>
>  
>
> This is disconcerting when you run into it and users don't always pay
> attention to the fact that they are using different credentials than
> they expect.
>
>  
>
> -Brooke
>
>  
>
>  
>
> *From:*[hidden email]
> [mailto:[hidden email]] *On Behalf Of *Kiran Ramineni
> *Sent:* Wednesday, June 22, 2016 1:59 PM
> *To:* 'Users' <[hidden email]>
> *Subject:* Re: [OpenAM] Help understanding OpenAM behavior
>
>  
>
> Alberto,
>
>  
>
> In my opinion this is expected behavior.
>
>  
>
> Let me present a case:
>
>  
>
> So, let's say you are logged in one tab.  Now, you go to another tab
> and attempt to go to login page,  wouldn't you expect that you get the
> profile page (to indicate that you are already logged in.)
>
>  
>
> The reason behind is that OpenAM places a cookie once the user is
> logged in.  When you go to the login page again, it obtains the cookie
> and identifies that you are already logged in.
>
>  
>
> HTH
>
> Kiran Ramineni
>
>  
>
> *From:*[hidden email]
> <mailto:[hidden email]>
> [mailto:[hidden email]] *On Behalf Of *Alberto Treviño
> *Sent:* Wednesday, June 22, 2016 9:51 AM
> *To:* Users
> *Subject:* [OpenAM] Help understanding OpenAM behavior
>
>  
>
> We just ran into some interesting behavior with OpenAM. I'm wondering
> if this is desired behavior (and if so why), if it can be turned off,
> or if it's a bug. This is how you reproduce it:
>
>  
>
> In a new browser session, bring up your site's login page but don't
> sign in yet (how you do it is irrelevant). Then, with the login page
> just sitting there, open up a second tab with the same login page
> (again, how you do it is irrelevant). Log in to the first site with
> say, UserA. Once you are logged in, go back to the second tab that
> still has a login page and log in with UserB. The result we see in the
> second tab is that you go to that tab's successful login destination
> but you are still authenticated with UserA.
>
>  
>
> There is another interesting twist as well. You can pass a goto
> parameter to the login page in the second tab, and then provide
> absolutely bogus credentials and the tab will be redirected to the
> goto location but still have the credentials of UserA that was
> previously logged in.
>
>  
>
> This behavior seems odd to us. We would expect that when you go to the
> second tab and put in valid credentials, all previous sessions would
> be destroyed and you would become the new user. (Most sites seem to do
> that.) On the second case, if you provide invalid credentials, you
> should get an error page.
>
>  
>
> Any ideas?
>
>
>
> _______________________________________________
> Visit the OpenAM forum at
> https://forgerock.org/forum/fr-projects/openam/
> OpenAM mailing list
> [hidden email]
> https://lists.forgerock.org/mailman/listinfo/openam
>


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information.If you
are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Help understanding OpenAM behavior

Hedrick, Brooke - 43
Hey Kiran,

What do you mean after Step 3?

We see the exact same login screen after step 3 as we did after step 1, the form asking for a username and password.

We have had this solution in place for 2 years without issue.

This is an interesting tip!
arg=newSession

Egads! That has been around since at least OpenSSO v8 from Sun/Oracle too! https://docs.oracle.com/cd/E19681-01/820-3885/gbanu/index.html

I wouldn't have known what to Google for when we first found the issue as we figured it was just a bug as it seemed that it would not be intentional behavior!



-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Kiran Ramineni
Sent: Thursday, June 23, 2016 2:23 PM
To: 'Users' <[hidden email]>
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Brooke,

What do you see as the response after step 3?  

Do you see a login screen?  

As far as removing the iPlanetDirectoryPro cookie, I would be concerned
regarding achieving SSO.  

Optionally, if you want to force a user to login, you can append
arg=newSession to the login url.

Best Regards
Kiran

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Hedrick, Brooke - 43
Sent: Thursday, June 23, 2016 1:58 PM
To: [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Bernhard,

Have you tried:
===================
1. access https://yourserver/openam/UI/Login?module=DataStore
2. Login as userA
3. access https://yourserver/openam/UI/Login?module=DataStore
4. Login as userB
5.  Now - check to see which user OpenAM thinks you are logged in as.

To answer your question:
===================
Another page, that fits in better with the site and can be included with
other content, which has the username/password boxes and posts to the normal
login URL.


Our resolution
===================
We ended up creating a filter to resolve the issue.  The filter removes the
iPlanetDirectoryPro cookie.

public class SsoPasswordFilter
  implements Filter
{
  public void doFilter(ServletRequest arg0, ServletResponse arg1,
FilterChain filterChain)
    throws IOException, ServletException
  {
    HttpServletRequest request = (HttpServletRequest)arg0;
   
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
      for (int i = 0; i < cookies.length; i++)
      {
        Cookie cookie = cookies[i];
        if (cookie.getName().equals("iPlanetDirectoryPro"))
        {
          cookie.setValue("");
          cookie.setMaxAge(0);
        }
      }
    }
    HttpServletRequest wrapper = getWrapperRequest(request);
    filterChain.doFilter(wrapper, arg1);
  }
}

Brooke Hedrick
AVP Web Administration
Rain and Hail, IT Division
Office: 515.559.1322
Cell: 515.314.8953
[hidden email]

For more information about the Agriculture Insurance from Rain and Hail
visit www.RainHail.com.

Rain and Hail
A Chubb Company


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Bernhard Thalmayr
Sent: Thursday, June 23, 2016 11:26 AM
To: [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Am 22/06/16 um 23:38 schrieb Hedrick, Brooke - 43:
> I have seen the same behavior.  A user is logged in on one tab.  Then,
> they go to a new tab, access the main page on the site to log in,
> enter different credentials, BUT, OpenAM uses the previous
> credentials, no warning, no nothing.

OpenAM won't show any login dialogue by default if the SSO tracking cookie
is sent.

In your case the question is ... how was OpenAM accessed?

-Bernhard

>
>  
>
> I would not say that this is expected behavior.
>
>  
>
> OpenAM should either use the new credentials or prevent you from
> moving on ( after entering new credentials ) until you accept some
> prompt explaining that you have a previous login as ___username___
> that will be used instead.
>
>  
>
> This is disconcerting when you run into it and users don't always pay
> attention to the fact that they are using different credentials than
> they expect.
>
>  
>
> -Brooke
>
>  
>
>  
>


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam


Re: Help understanding OpenAM behavior

Kiran Ramineni
Brooke,

I am "Definitely" not expecting to see the login page after step 3.  Just
for kicks, I tried the sequence just a few minutes ago and I don't see the
login page.  It shows me the profile page of User A.  (I hope you are not
running these steps on a machine that's stripping the iplanetDirectoryPro
cookie.)

Regards
Kiran


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Hedrick, Brooke - 43
Sent: Thursday, June 23, 2016 2:38 PM
To: 'Users'
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Hey Kiran,

What do you mean after Step 3?

We see the exact same login screen after step 3 as we did after step 1, the
form asking for a username and password.

We have had this solution in place for 2 years without issue.

This is an interesting tip!
arg=newSession

Egads!  That has been around since at least OpenSSO v8 from Sun/Oracle too!
https://docs.oracle.com/cd/E19681-01/820-3885/gbanu/index.html .

I wouldn't have known what to Google for when we first found the issue as we
figured it was just a bug as it seemed that it would not be intentional
behavior!

Brooke Hedrick
AVP Web Administration
Rain and Hail, IT Division
Office: 515.559.1322
Cell: 515.314.8953
[hidden email]

For more information about the Agriculture Insurance from Rain and Hail
visit www.RainHail.com.

Rain and Hail
A Chubb Company


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Kiran Ramineni
Sent: Thursday, June 23, 2016 2:23 PM
To: 'Users' <[hidden email]>
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Brooke,

What do you see as the response after step 3?  

Do you see a login screen?  

As far as removing the iPlanetDirectoryPro cookie, I would be concerned
regarding achieving SSO.  

Optionally, if you want to force a user to login, you can append
arg=newSession to the login url.

Best Regards
Kiran

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Hedrick, Brooke - 43
Sent: Thursday, June 23, 2016 1:58 PM
To: [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Bernhard,

Have you tried:
===================
1. access https://yourserver/openam/UI/Login?module=DataStore
2. Login as userA
3. access https://yourserver/openam/UI/Login?module=DataStore
4. Login as userB
5.  Now - check to see which user OpenAM thinks you are logged in as.

To answer your question:
===================
Another page, that fits in better with the site and can be included with
other content, which has the username/password boxes and posts to the normal
login URL.


Our resolution
===================
We ended up creating a filter to resolve the issue.  The filter removes the
iPlanetDirectoryPro cookie.

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.*;

// Mapped only to the login URL; mapping it to every path would defeat SSO.
public class SsoPasswordFilter implements Filter
{
  private static final String SSO_COOKIE = "iPlanetDirectoryPro";

  public void init(FilterConfig config) throws ServletException {}
  public void destroy() {}

  public void doFilter(ServletRequest arg0, ServletResponse arg1,
      FilterChain filterChain)
    throws IOException, ServletException
  {
    HttpServletRequest request = (HttpServletRequest) arg0;
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
      for (Cookie cookie : cookies) {
        if (cookie.getName().equals(SSO_COOKIE)) {
          // Only the server-side copy changes here; the browser keeps its
          // cookie unless this expired cookie is also added to the response.
          cookie.setValue("");
          cookie.setMaxAge(0);
        }
      }
    }
    // The rest of the chain sees a request without the SSO cookie, so the
    // login page treats the user as not yet authenticated.
    HttpServletRequest wrapper = getWrapperRequest(request);
    filterChain.doFilter(wrapper, arg1);
  }

  // Not shown in the original post; reconstructed as the minimal wrapper that
  // drops the SSO cookie from getCookies(). The raw Cookie header is still
  // visible through getHeader("Cookie").
  private HttpServletRequest getWrapperRequest(HttpServletRequest request)
  {
    return new HttpServletRequestWrapper(request) {
      @Override
      public Cookie[] getCookies() {
        Cookie[] all = super.getCookies();
        if (all == null) return null;
        List<Cookie> kept = new ArrayList<Cookie>();
        for (Cookie c : all) if (!c.getName().equals(SSO_COOKIE)) kept.add(c);
        return kept.toArray(new Cookie[kept.size()]);
      }
    };
  }
}

Brooke Hedrick


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Bernhard Thalmayr
Sent: Thursday, June 23, 2016 11:26 AM
To: [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

On 22/06/16 at 23:38, Hedrick, Brooke - 43 wrote:
> I have seen the same behavior.  A user is logged in on one tab.  Then,
> they go to a new tab, access the main page on the site to log in,
> enter different credentials, BUT, OpenAM uses the previous
> credentials, no warning, no nothing.

OpenAM won't show any login dialogue by default if the SSO tracking cookie
is sent.

In your case the question is ... how was OpenAM accessed?

-Bernhard


Re: Help understanding OpenAM behavior

Hedrick, Brooke - 43
Sorry Kiran,

Not sure what to tell you.  I saw the same issue as Alberto only 2 years ago.  I solved the problem with a filter.

Obviously, if we indiscriminately remove the iPlanetDirectoryPro the sso system would never work.  It would be silly for us to be paying customers in that case as well!

Kiran, would you expect every one of the OpenAM customers that create their own login page/block to have added the arg=newSession, then?

What does the URL you tested with look like?



Brooke Hedrick



Re: Help understanding OpenAM behavior

Kiran Ramineni
Brooke,

The newSession is a choice available for certain use cases but not for all.
When invalidating a previous session is mandatory, then it comes in handy.

I tested with exactly the URL you gave:
http://host:port/openam13/UI/Login?module=Datastore

Also, the use case Alberto mentioned is slightly different from your use
case.  It's a case where a user left one tab (A) open with the login screen,
opened another tab (B), logged in and came back to tab (A) to log in with a
different credential.  (Maybe in a shared computer scenario.)  In this
case, the user actually did not go to the login URL a second time.  Well, by
the time the user came to tab (A) for the second time, a valid session
exists.  That's why I would think it's expected behavior.

Regards
Kiran

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Hedrick, Brooke - 43
Sent: Thursday, June 23, 2016 3:38 PM
To: 'Users'
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Sorry Kiran,

Not sure what to tell you.  I saw the same issue as Alberto only 2 years
ago.  I solved the problem with a filter.

Obviously, if we indiscriminately remove the iPlanetDirectoryPro the sso
system would never work.  It would be silly for us to be paying customers in
that case as well!

Kiran, would you expect every one of the OpenAM customers that create their
own login page/block to have added the arg=newSession, then?

What does the URL you tested with look like?



Brooke Hedrick
AVP Web Administration
Rain and Hail, IT Division
Office: 515.559.1322
Cell: 515.314.8953
[hidden email]

For more information about the Agriculture Insurance from Rain and Hail
visit www.RainHail.com.

Rain and Hail
A Chubb Company


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Kiran Ramineni
Sent: Thursday, June 23, 2016 3:25 PM
To: 'Users' <[hidden email]>
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Brooke,

I am "Definitely" not expecting to see the login page after step 3.  Just
for kicks, I tried the sequence just a few minutes ago and I don't see the
login page.  It shows me the profile page of User A.  (I hope you are not
running these steps on a machine that's stripping the iplanetDirectoryPro
cookie.)

Regards
Kiran


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Hedrick, Brooke - 43
Sent: Thursday, June 23, 2016 2:38 PM
To: 'Users'
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Hey Kiran,

What do you mean after Step 3?

We see the exact same login screen after step 3 as we did after step 1, the
form asking for a username and password.

We have had this solution in place for 2 years without issue.

This is an interesting tip!
arg=newSession

Egads!  That has been around since at least OpenSSO v8 from Sun/Oracle too!
https://docs.oracle.com/cd/E19681-01/820-3885/gbanu/index.html .

I wouldn't have known what to Google for when we first found the issue as we
figured it was just a bug as it seemed that it would not be intentional
behavior!

Brooke Hedrick
AVP Web Administration
Rain and Hail, IT Division
Office: 515.559.1322
Cell: 515.314.8953
[hidden email]

For more information about the Agriculture Insurance from Rain and Hail
visit www.RainHail.com.

Rain and Hail
A Chubb Company


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Kiran Ramineni
Sent: Thursday, June 23, 2016 2:23 PM
To: 'Users' <[hidden email]>
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Brooke,

What do you see as the response after step 3?  

Do you see a login screen?  

As far as removing the iPlanetDirectoryPro cookie, I would be concerned
regarding achieving SSO.  

Optionally, if you want to force a user to login, you can append
arg=newSession to the login url.

Best Regards
Kiran

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Hedrick, Brooke - 43
Sent: Thursday, June 23, 2016 1:58 PM
To: [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Bernhard,

Have you tried:
===================
1. access https://yourserver/openam/UI/Login?module=DataStore
2. Login as userA
3. access https://yourserver/openam/UI/Login?module=DataStore
4. Login as userB
5.  Now - check to see which user OpenAM thinks you are logged in as.

To answer your question:
===================
Another page, that fits in better with the site and can be included with
other content, which has the username/password boxes and posts to the normal
login URL.


Our resolution
===================
We ended up creating a filter to resolve the issue.  The filter removes the
iPlanetDirectoryPro cookie.

public class SsoPasswordFilter
  implements Filter
{
  public void doFilter(ServletRequest arg0, ServletResponse arg1,
FilterChain filterChain)
    throws IOException, ServletException
  {
    HttpServletRequest request = (HttpServletRequest)arg0;
   
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
      for (int i = 0; i < cookies.length; i++)
      {
        Cookie cookie = cookies[i];
        if (cookie.getName().equals("iPlanetDirectoryPro"))
        {
          cookie.setValue("");
          cookie.setMaxAge(0);
        }
      }
    }
    HttpServletRequest wrapper = getWrapperRequest(request);
    filterChain.doFilter(wrapper, arg1);
  }
}

Brooke Hedrick
AVP Web Administration
Rain and Hail, IT Division
Office: 515.559.1322
Cell: 515.314.8953
[hidden email]

For more information about the Agriculture Insurance from Rain and Hail
visit www.RainHail.com.

Rain and Hail
A Chubb Company


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Bernhard Thalmayr
Sent: Thursday, June 23, 2016 11:26 AM
To: [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Am 22/06/16 um 23:38 schrieb Hedrick, Brooke - 43:
> I have seen the same behavior.  A user is logged in on one tab.  Then,
> they go to a new tab, access the main page on the site to log in,
> enter different credentials, BUT, OpenAM uses the previous
> credentials, no warning, no nothing.

OpenAM won't show any login dialogue by default if the SSO tracking cookie
is sent.

In your case the question is ... how was OpenAM accessed?

-Bernhard

>
>  
>
> I would not say that this is expected behavior.
>
>  
>
> OpenAM should either use the new credentials or prevent you from
> moving on ( after entering new credentials ) until you accept some
> prompt explaining that you have a previous login as ___username___
> that will be used instead.
>
>  
>
> This is disconcerting when you run into it and users don't always pay
> attention to the fact that they are using different credentials than
> they expect.
>
>  
>
> -Brooke
>
>  
>
>  
>
> *From:*[hidden email]
> [mailto:[hidden email]] *On Behalf Of *Kiran Ramineni
> *Sent:* Wednesday, June 22, 2016 1:59 PM
> *To:* 'Users' <[hidden email]>
> *Subject:* Re: [OpenAM] Help understanding OpenAM behavior
>
>  
>
> Alberto,
>
>  
>
> In my opinion this is expected behavior.
>
>  
>
> Let me present a case:
>
>  
>
> So, let's say you are logged in one tab.  Now, you go to another tab
> and attempt to go to login page,  wouldn't you expect that you get the
> profile page (to indicate that you are already logged in.)
>
>  
>
> The reason behind is that OpenAM places a cookie once the user is
> logged in.  When you go to the login page again, it obtains the cookie
> and identifies that you are already logged in.
>
>  
>
> HTH
>
> Kiran Ramineni
>
>  
>
> *From:*[hidden email]
> <mailto:[hidden email]>
> [mailto:[hidden email]] *On Behalf Of *Alberto Treviño
> *Sent:* Wednesday, June 22, 2016 9:51 AM
> *To:* Users
> *Subject:* [OpenAM] Help understanding OpenAM behavior
>
>  
>
> We just ran into some interesting behavior with OpenAM. I'm wondering
> if this is desired behavior (and if so why), if it can be turned off,
> or if it's a bug. This is how you reproduce it:
>
>  
>
> In a new browser session, bring up your site's login page but don't
> sign in yet (how you do it is irrelevant). Then, with the login page
> just sitting there, open up a second tab with the same login page
> (again, how you do it is irrelevant). Log in to the first site with
> say, UserA. Once you are logged in, go back to the second tab that
> still has a login page and log in with UserB. The result we see in the
> second tab is that you go to that tab's successful login destination
> but you are still authenticated with UserA.
>
>  
>
> There is another interesting twist as well. You can pass a goto
> parameter to the login page in the second tab, and then provide
> absolutely bogus credentials and the tab will be redirected to the
> goto location but still have the credentials of UserA that was
> previously logged in.
>
>  
>
> This behavior seems odd to us. We would expect that when you go to the
> second tab and put in valid credentials, all previous sessions would
> be destroyed and you would become the new user. (Most sites seem to do
> that.) On the second case, if you provide invalid credentials, you
> should get an error page.
>
>  
>
> Any ideas?
>
>
>
> _______________________________________________
> Visit the OpenAM forum at
> https://forgerock.org/forum/fr-projects/openam/
> OpenAM mailing list
> [hidden email]
> https://lists.forgerock.org/mailman/listinfo/openam
>


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information.If you
are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam


Re: Help understanding OpenAM behavior

Alberto Treviño

In the shared computer scenario, the user is expecting to be logged in as his/herself since he/she doesn't know there was a previous login.


When switching realms, OpenAM presents a page saying you are already logged in in another organization and gives you the chance to log in again. Perhaps a page like that would be a better behavior?


From: [hidden email] <[hidden email]> on behalf of Kiran Ramineni <[hidden email]>
Sent: Thursday, June 23, 2016 4:12:33 PM
To: 'Users'
Subject: Re: [OpenAM] Help understanding OpenAM behavior
 
Brooke,

The newSession is a choice available for certain use cases but not for all.
When invalidating a previous session is mandatory, it comes in handy.

I tested with exactly the URL you gave -
http://host:port/openam13/UI/Login?module=Datastore

Also, the use case Alberto mentioned is slightly different from your use
case.  It's a case where a user left one tab (A) open with the login screen,
opened another tab (B), logged in and came back to tab (A) to log in with a
different credential.  (Maybe in a shared computer scenario.)  In this
case, the user actually did not go to the login URL a second time.  Well, by
the time the user came to tab (A) for the second time, a valid session
exists.  That's why I would think it's an expected behavior.

Regards
Kiran

-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Hedrick, Brooke - 43
Sent: Thursday, June 23, 2016 3:38 PM
To: 'Users'
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Sorry Kiran,

Not sure what to tell you.  I saw the same issue as Alberto only 2 years
ago.  I solved the problem with a filter.

Obviously, if we indiscriminately remove the iPlanetDirectoryPro cookie, the
SSO system would never work.  It would be silly for us to be paying customers
in that case as well!

Kiran, would you expect every one of the OpenAM customers that create their
own login page/block to have added the arg=newSession, then?

What does the URL you tested with look like?



Brooke Hedrick
AVP Web Administration
Rain and Hail, IT Division
Office: 515.559.1322
Cell: 515.314.8953
[hidden email]

For more information about the Agriculture Insurance from Rain and Hail
visit www.RainHail.com.

Rain and Hail
A Chubb Company


-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Kiran Ramineni
Sent: Thursday, June 23, 2016 3:25 PM
To: 'Users' <[hidden email]>
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Brooke,

I am "Definitely" not expecting to see the login page after step 3.  Just
for kicks, I tried the sequence just a few minutes ago and I don't see the
login page.  It shows me the profile page of User A.  (I hope you are not
running these steps on a machine that's stripping the iPlanetDirectoryPro
cookie.)

Regards
Kiran


-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Hedrick, Brooke - 43
Sent: Thursday, June 23, 2016 2:38 PM
To: 'Users'
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Hey Kiran,

What do you mean after Step 3?

We see the exact same login screen after step 3 as we did after step 1, the
form asking for a username and password.

We have had this solution in place for 2 years without issue.

This is an interesting tip!
arg=newSession

Egads!  That has been around since at least OpenSSO v8 from Sun/Oracle too!
https://docs.oracle.com/cd/E19681-01/820-3885/gbanu/index.html .

I wouldn't have known what to Google for when we first found the issue as we
figured it was just a bug as it seemed that it would not be intentional
behavior!

Brooke Hedrick
AVP Web Administration
Rain and Hail, IT Division
Office: 515.559.1322
Cell: 515.314.8953
[hidden email]

For more information about the Agriculture Insurance from Rain and Hail
visit www.RainHail.com.

Rain and Hail
A Chubb Company


-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Kiran Ramineni
Sent: Thursday, June 23, 2016 2:23 PM
To: 'Users' <[hidden email]>
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Brooke,

What do you see as the response after step 3? 

Do you see a login screen? 

As far as removing the iPlanetDirectoryPro cookie, I would be concerned
regarding achieving SSO. 

Optionally, if you want to force a user to login, you can append
arg=newSession to the login url.

Best Regards
Kiran

-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Hedrick, Brooke - 43
Sent: Thursday, June 23, 2016 1:58 PM
To: [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Bernhard,

Have you tried:
===================
1. access https://yourserver/openam/UI/Login?module=DataStore
2. Login as userA
3. access https://yourserver/openam/UI/Login?module=DataStore
4. Login as userB
5. Now check to see which user OpenAM thinks you are logged in as.

To answer your question:
===================
Another page, that fits in better with the site and can be included with
other content, which has the username/password boxes and posts to the normal
login URL.


Our resolution
===================
We ended up creating a filter to resolve the issue.  The filter removes the
iPlanetDirectoryPro cookie.

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class SsoPasswordFilter implements Filter
{
  private static final String SSO_COOKIE = "iPlanetDirectoryPro";

  public void init(FilterConfig config) throws ServletException { }
  public void destroy() { }

  public void doFilter(ServletRequest arg0, ServletResponse arg1,
                       FilterChain filterChain)
    throws IOException, ServletException
  {
    HttpServletRequest request = (HttpServletRequest)arg0;
    // Editing the Cookie objects returned by getCookies() has no effect on
    // what downstream code reads from the request, so the SSO cookie is
    // hidden by wrapping the request instead.
    HttpServletRequest wrapper = getWrapperRequest(request);
    filterChain.doFilter(wrapper, arg1);
  }

  // Not included in the original message; assumed to drop the SSO cookie
  // from getCookies() so OpenAM treats the request as unauthenticated.
  private HttpServletRequest getWrapperRequest(HttpServletRequest request)
  {
    return new HttpServletRequestWrapper(request) {
      @Override
      public Cookie[] getCookies() {
        Cookie[] cookies = super.getCookies();
        if (cookies == null) return null;
        List<Cookie> kept = new ArrayList<Cookie>();
        for (Cookie cookie : cookies) {
          if (!SSO_COOKIE.equals(cookie.getName())) kept.add(cookie);
        }
        return kept.toArray(new Cookie[kept.size()]);
      }
    };
  }
}

Brooke Hedrick
AVP Web Administration
Rain and Hail, IT Division
Office: 515.559.1322
Cell: 515.314.8953
[hidden email]

For more information about the Agriculture Insurance from Rain and Hail
visit www.RainHail.com.

Rain and Hail
A Chubb Company


-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Bernhard Thalmayr
Sent: Thursday, June 23, 2016 11:26 AM
To: [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Am 22/06/16 um 23:38 schrieb Hedrick, Brooke - 43:
> I have seen the same behavior.  A user is logged in on one tab.  Then,
> they go to a new tab, access the main page on the site to log in,
> enter different credentials, BUT, OpenAM uses the previous
> credentials, no warning, no nothing.

OpenAM won't show any login dialogue by default if the SSO tracking cookie
is sent.

In your case the question is ... how was OpenAM accessed?

-Bernhard
>

>
> I would not say that this is expected behavior.
>

>
> OpenAM should either use the new credentials or prevent you from
> moving on ( after entering new credentials ) until you accept some
> prompt explaining that you have a previous login as ___username___
> that will be used instead.
>

>
> This is disconcerting when you run into it and users don't always pay
> attention to the fact that they are using different credentials than
> they expect.
>

>
> -Brooke
>

>

>
> *From:*[hidden email]
> [[hidden email]] *On Behalf Of *Kiran Ramineni
> *Sent:* Wednesday, June 22, 2016 1:59 PM
> *To:* 'Users' <[hidden email]>
> *Subject:* Re: [OpenAM] Help understanding OpenAM behavior
>

>
> Alberto,
>

>
> In my opinion this is expected behavior.
>

>
> Let me present a case:
>

>
> So, let's say you are logged in one tab.  Now, you go to another tab
> and attempt to go to login page,  wouldn't you expect that you get the
> profile page (to indicate that you are already logged in.)
>

>
> The reason behind is that OpenAM places a cookie once the user is
> logged in.  When you go to the login page again, it obtains the cookie
> and identifies that you are already logged in.
>

>
> HTH
>
> Kiran Ramineni
>

>
> *From:*[hidden email]
> <[hidden email]>
> [[hidden email]] *On Behalf Of *Alberto Treviño
> *Sent:* Wednesday, June 22, 2016 9:51 AM
> *To:* Users
> *Subject:* [OpenAM] Help understanding OpenAM behavior
>

>
> We just ran into some interesting behavior with OpenAM. I'm wondering
> if this is desired behavior (and if so why), if it can be turned off,
> or if it's a bug. This is how you reproduce it:
>

>
> In a new browser session, bring up your site's login page but don't
> sign in yet (how you do it is irrelevant). Then, with the login page
> just sitting there, open up a second tab with the same login page
> (again, how you do it is irrelevant). Log in to the first site with
> say, UserA. Once you are logged in, go back to the second tab that
> still has a login page and log in with UserB. The result we see in the
> second tab is that you go to that tab's successful login destination
> but you are still authenticated with UserA.
>

>
> There is another interesting twist as well. You can pass a goto
> parameter to the login page in the second tab, and then provide
> absolutely bogus credentials and the tab will be redirected to the
> goto location but still have the credentials of UserA that was
> previously logged in.
>

>
> This behavior seems odd to us. We would expect that when you go to the
> second tab and put in valid credentials, all previous sessions would
> be destroyed and you would become the new user. (Most sites seem to do
> that.) On the second case, if you provide invalid credentials, you
> should get an error page.
>

>
> Any ideas?
>
>
>
> _______________________________________________
> Visit the OpenAM forum at
> https://forgerock.org/forum/fr-projects/openam/
> OpenAM mailing list
> [hidden email]
> https://lists.forgerock.org/mailman/listinfo/openam
>


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
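Added example, not code from anyone in this thread and not OpenAM/ForgeRock code: a servlet filter that does what Alberto and Allan ask for instead of stripping the cookie. Mapped only in front of the path the site's own login form posts to, it recognises a credential POST that arrives while the browser already carries the iPlanetDirectoryPro cookie, refuses to forward it (OpenAM would ignore the new credentials and keep UserA's session anyway), writes a log line for the event, and answers with the kind of "you are already logged in" page Alberto describes, offering either to continue with the existing session or to re-authenticate through arg=newSession, the parameter Kiran and the linked OpenSSO docs mention. The username field name IDToken1, the loginUrl init-param, the default cookie name and Servlet 3.0+ are assumptions; the goto value is only accepted as a same-site relative path and is HTML-escaped before it is written, so the page is neither an open redirect nor injectable.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not code from this thread or from OpenAM.  Map it ONLY to the
// path the site's own login form posts to; in front of protected resources it
// would get in the way of SSO.  Needs Servlet 3.0+ for request.getServletContext().
public class ExistingSessionGuardFilter implements Filter {
    // OpenAM's default SSO cookie name; assumed not renamed in your deployment.
    private static final String SSO_COOKIE = "iPlanetDirectoryPro";
    // Username field of OpenAM's default login form; assumed to match your form.
    private static final String USER_FIELD = "IDToken1";
    // Assumed login URL; override with the "loginUrl" filter init-param.
    private String loginUrl = "/openam/UI/Login";

    @Override
    public void init(FilterConfig filterConfig) {
        String configured = filterConfig.getInitParameter("loginUrl");
        if (configured != null) {
            loginUrl = configured;
        }
    }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (isCredentialPost(request) && hasSsoCookie(request)) {
            // Worth a log line: a credential POST arriving with a live SSO cookie
            // is exactly the stale-tab / shared-computer case from the thread.
            request.getServletContext().log("credential POST with existing "
                    + SSO_COOKIE + " cookie from " + request.getRemoteAddr());
            renderAlreadySignedIn(request, response);
            return;  // the submitted credentials are not forwarded
        }
        chain.doFilter(req, res);
    }

    static boolean isCredentialPost(HttpServletRequest r) {
        return "POST".equalsIgnoreCase(r.getMethod()) && r.getParameter(USER_FIELD) != null;
    }

    static boolean hasSsoCookie(HttpServletRequest r) {
        Cookie[] cookies = r.getCookies();
        if (cookies == null) {
            return false;
        }
        for (Cookie c : cookies) {
            if (SSO_COOKIE.equals(c.getName()) && c.getValue() != null && !c.getValue().isEmpty()) {
                return true;
            }
        }
        return false;
    }

    // goto is accepted only as a same-site relative path, so the interstitial
    // cannot be abused as an open redirect.
    static String safeGoto(String value) {
        if (value == null || !value.startsWith("/") || value.startsWith("//") || value.startsWith("/\\")) {
            return "/";
        }
        return value;
    }

    static String esc(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }

    private void renderAlreadySignedIn(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String target = safeGoto(request.getParameter("goto"));
        // arg=newSession (Kiran's tip and the OpenSSO docs linked in the thread) makes
        // OpenAM discard the existing session and authenticate afresh.
        String reauth = loginUrl + "?arg=newSession&goto=" + URLEncoder.encode(target, "UTF-8");
        response.setStatus(HttpServletResponse.SC_CONFLICT);  // 409: easy to spot in access logs
        response.setContentType("text/html;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store");
        PrintWriter out = response.getWriter();
        out.println("<!DOCTYPE html><html><body><h1>You are already signed in</h1>");
        out.println("<p>This browser already holds an OpenAM session, so the credentials"
                + " you just entered were not used.</p>");
        out.println("<p><a href=\"" + esc(target) + "\">Continue with the existing session</a></p>");
        out.println("<p><a href=\"" + esc(reauth) + "\">Sign in as a different user</a></p>");
        out.println("</body></html>");
    }
}
```

Register it in web.xml with a filter-mapping whose url-pattern is only the login form's POST target; every other request still carries the cookie untouched, so SSO keeps working, which is the objection Brooke and Kiran raise against stripping iPlanetDirectoryPro wholesale. The filter only checks that the cookie is present, not that OpenAM still considers the session valid, so a stale cookie also produces the interstitial; that is harmless, because the "different user" link goes through arg=newSession and OpenAM authenticates from scratch either way. The 409 status and the log line give the SOC something to count: a burst of credential POSTs arriving on top of existing sessions from one address is worth a look.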

Re: Help understanding OpenAM behavior

Bernhard Thalmayr
In reply to this post by Hedrick, Brooke - 43
Am 23/06/16 um 22:37 schrieb Hedrick, Brooke - 43:
> Sorry Kiran,
>
> Not sure what to tell you.  I saw the same issue as Alberto only 2 years ago.  I solved the problem with a filter.

This is definitely not the expected behavior: the login screen should
not appear unless you use 'private / incognito' mode. As long as the
browser will send the SSO tracking cookie and you try to authenticate in
the same realm and do not perform 'session upgrade' there won't be a
Login page.

-Bernhard

>
> Obviously, if we indiscriminately remove the iPlanetDirectoryPro the sso system would never work.  It would be silly for us to be paying customers in that case as well!
>
> Kiran, would you expect every one of the OpenAM customers that create their own login page/block to have added the arg=newSession, then?
>
> What does the URL you tested with look like?
>
>
>
> Brooke Hedrick
> AVP Web Administration
> Rain and Hail, IT Division
> Office: 515.559.1322
> Cell: 515.314.8953
> [hidden email]
>
> For more information about the Agriculture Insurance from Rain and Hail visit www.RainHail.com.
>
> Rain and Hail
> A Chubb Company
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Kiran Ramineni
> Sent: Thursday, June 23, 2016 3:25 PM
> To: 'Users' <[hidden email]>
> Subject: Re: [OpenAM] Help understanding OpenAM behavior
>
> Brooke,
>
> I am "Definitely" not expecting to see the login page after step 3.  Just
> for kicks, I tried the sequence just a few minutes ago and I don't see the
> login page.  It shows me the profile page of User A.  (I hope you are not
> running these steps on a machine that's stripping the iplanetDirectoryPro
> cookie.)
>
> Regards
> Kiran
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On
> Behalf Of Hedrick, Brooke - 43
> Sent: Thursday, June 23, 2016 2:38 PM
> To: 'Users'
> Subject: Re: [OpenAM] Help understanding OpenAM behavior
>
> Hey Kiran,
>
> What do you mean after Step 3?
>
> We see the exact same login screen after step 3 as we did after step 1, the
> form asking for a username and password.
>
> We have had this solution in place for 2 years without issue.
>
> This is an interesting tip!
> arg=newSession
>
> Egads!  That has been around since at least OpenSSO v8 from Sun/Oracle too!
> https://docs.oracle.com/cd/E19681-01/820-3885/gbanu/index.html .
>
> I wouldn't have known what to Google for when we first found the issue as we
> figured it was just a bug as it seemed that it would not be intentional
> behavior!
>
> Brooke Hedrick
> AVP Web Administration
> Rain and Hail, IT Division
> Office: 515.559.1322
> Cell: 515.314.8953
> [hidden email]
>
> For more information about the Agriculture Insurance from Rain and Hail
> visit www.RainHail.com.
>
> Rain and Hail
> A Chubb Company
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On
> Behalf Of Kiran Ramineni
> Sent: Thursday, June 23, 2016 2:23 PM
> To: 'Users' <[hidden email]>
> Subject: Re: [OpenAM] Help understanding OpenAM behavior
>
> Brooke,
>
> What do you see as the response after step 3?  
>
> Do you see a login screen?  
>
> As far as removing the iPlanetDirectoryPro cookie, I would be concerned
> regarding achieving SSO.  
>
> Optionally, if you want to force a user to login, you can append
> arg=newSession to the login url.
>
> Best Regards
> Kiran
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On
> Behalf Of Hedrick, Brooke - 43
> Sent: Thursday, June 23, 2016 1:58 PM
> To: [hidden email]
> Subject: Re: [OpenAM] Help understanding OpenAM behavior
>
> Bernhard,
>
> Have you tried:
> ===================
> 1. access https://yourserver/openam/UI/Login?module=DataStore
> 2. Login as userA
> 3. access https://yourserver/openam/UI/Login?module=DataStore
> 4. Login as userB
> 5.  Now - check to see which user OpenAM thinks you are logged in as.
>
> To answer your question:
> ===================
> Another page, that fits in better with the site and can be included with
> other content, which has the username/password boxes and posts to the normal
> login URL.
>
>
> Our resolution
> ===================
> We ended up creating a filter to resolve the issue.  The filter removes the
> iPlanetDirectoryPro cookie.
>
> public class SsoPasswordFilter
>   implements Filter
> {
>   public void doFilter(ServletRequest arg0, ServletResponse arg1,
> FilterChain filterChain)
>     throws IOException, ServletException
>   {
>     HttpServletRequest request = (HttpServletRequest)arg0;
>    
>     Cookie[] cookies = request.getCookies();
>     if (cookies != null) {
>       for (int i = 0; i < cookies.length; i++)
>       {
>         Cookie cookie = cookies[i];
>         if (cookie.getName().equals("iPlanetDirectoryPro"))
>         {
>           cookie.setValue("");
>           cookie.setMaxAge(0);
>         }
>       }
>     }
>     HttpServletRequest wrapper = getWrapperRequest(request);
>     filterChain.doFilter(wrapper, arg1);
>   }
> }
>
> Brooke Hedrick
> AVP Web Administration
> Rain and Hail, IT Division
> Office: 515.559.1322
> Cell: 515.314.8953
> [hidden email]
>
> For more information about the Agriculture Insurance from Rain and Hail
> visit www.RainHail.com.
>
> Rain and Hail
> A Chubb Company
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On
> Behalf Of Bernhard Thalmayr
> Sent: Thursday, June 23, 2016 11:26 AM
> To: [hidden email]
> Subject: Re: [OpenAM] Help understanding OpenAM behavior
>
> Am 22/06/16 um 23:38 schrieb Hedrick, Brooke - 43:
>> I have seen the same behavior.  A user is logged in on one tab.  Then,
>> they go to a new tab, access the main page on the site to log in,
>> enter different credentials, BUT, OpenAM uses the previous
>> credentials, no warning, no nothing.
>
> OpenAM won't show any login dialogue by default if the SSO tracking cookie
> is sent.
>
> In your case the question is ... how was OpenAM accessed?
>
> -Bernhard
>>
>>  
>>
>> I would not say that this is expected behavior.
>>
>>  
>>
>> OpenAM should either use the new credentials or prevent you from
>> moving on ( after entering new credentials ) until you accept some
>> prompt explaining that you have a previous login as ___username___
>> that will be used instead.
>>
>>  
>>
>> This is disconcerting when you run into it and users don't always pay
>> attention to the fact that they are using different credentials than
>> they expect.
>>
>>  
>>
>> -Brooke
>>
>>  
>>
>>  
>>
>> *From:*[hidden email]
>> [mailto:[hidden email]] *On Behalf Of *Kiran Ramineni
>> *Sent:* Wednesday, June 22, 2016 1:59 PM
>> *To:* 'Users' <[hidden email]>
>> *Subject:* Re: [OpenAM] Help understanding OpenAM behavior
>>
>>  
>>
>> Alberto,
>>
>>  
>>
>> In my opinion this is expected behavior.
>>
>>  
>>
>> Let me present a case:
>>
>>  
>>
>> So, let's say you are logged in one tab.  Now, you go to another tab
>> and attempt to go to login page,  wouldn't you expect that you get the
>> profile page (to indicate that you are already logged in.)
>>
>>  
>>
>> The reason behind is that OpenAM places a cookie once the user is
>> logged in.  When you go to the login page again, it obtains the cookie
>> and identifies that you are already logged in.
>>
>>  
>>
>> HTH
>>
>> Kiran Ramineni
>>
>>  
>>
>> *From:*[hidden email]
>> <mailto:[hidden email]>
>> [mailto:[hidden email]] *On Behalf Of *Alberto Treviño
>> *Sent:* Wednesday, June 22, 2016 9:51 AM
>> *To:* Users
>> *Subject:* [OpenAM] Help understanding OpenAM behavior
>>
>>  
>>
>> We just ran into some interesting behavior with OpenAM. I'm wondering
>> if this is desired behavior (and if so why), if it can be turned off,
>> or if it's a bug. This is how you reproduce it:
>>
>>  
>>
>> In a new browser session, bring up your site's login page but don't
>> sign in yet (how you do it is irrelevant). Then, with the login page
>> just sitting there, open up a second tab with the same login page
>> (again, how you do it is irrelevant). Log in to the first site with
>> say, UserA. Once you are logged in, go back to the second tab that
>> still has a login page and log in with UserB. The result we see in the
>> second tab is that you go to that tab's successful login destination
>> but you are still authenticated with UserA.
>>
>>  
>>
>> There is another interesting twist as well. You can pass a goto
>> parameter to the login page in the second tab, and then provide
>> absolutely bogus credentials and the tab will be redirected to the
>> goto location but still have the credentials of UserA that was
>> previously logged in.
>>
>>  
>>
>> This behavior seems odd to us. We would expect that when you go to the
>> second tab and put in valid credentials, all previous sessions would
>> be destroyed and you would become the new user. (Most sites seem to do
>> that.) On the second case, if you provide invalid credentials, you
>> should get an error page.
>>
>>  
>>
>> Any ideas?
>>
>>
>>
>> _______________________________________________
>> Visit the OpenAM forum at
>> https://forgerock.org/forum/fr-projects/openam/
>> OpenAM mailing list
>> [hidden email]
>> https://lists.forgerock.org/mailman/listinfo/openam
>>
>
>
> --
> Painstaking Minds
> IT-Consulting Bernhard Thalmayr
> Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
> Tel: +49 (0)8062 7769174
> Mobile: +49 (0)176 55060699
>
> [hidden email] - Solution Architect
> http://www.xing.com/profile/Bernhard_Thalmayr
> http://de.linkedin.com/in/bernhardthalmayr
>
> This e-mail may contain confidential and/or privileged information. If you
> are not the intended recipient (or have received this email in
> error) please notify the sender immediately and delete this e-mail. Any
> unauthorized copying, disclosure or distribution of the material in this
> e-mail is strictly forbidden.
> _______________________________________________
> Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
> OpenAM mailing list
> [hidden email]
> https://lists.forgerock.org/mailman/listinfo/openam


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Help understanding OpenAM behavior

Allan Foster
In reply to this post by Alberto Treviño

So I have been reading this thread,  and I have my own $0.02 to put in!


First, the initial comment was about going to the login page, (thereby caching it in the browser),  and then going to a new tab and going to the login page,  and logging in.


The key point here,  is that in going back to the initial tab,  the old login page is STILL present.  Now normally this page will time out in 3 minutes, but let's say it is under that time....   The credentials are now put in, and submitted.  Since the SSOToken cookie has been already created, the login will "Appear" to work,  although we are actually just ignoring the login, and using the existing session.


There might definitely be an enhancement,  in that if credentials are posted while an existing session is present, that it should handle it by failing, or some other action.


The key to reproducing this,  is that the initial page load needs to be "Non SSOToken" and the submit needs to be "With SSOToken"


Allan



On 6/23/16 3:26 PM, Alberto Treviño wrote:

In the shared computer scenario, the user is expecting to be logged in as his/herself since he/she doesn't know there was a previous login.


When switching realms, OpenAM presents a page saying you are already logged in in another organization and gives you the chance to log in again. Perhaps a page like that would be a better behavior?


From: [hidden email] [hidden email] on behalf of Kiran Ramineni [hidden email]
Sent: Thursday, June 23, 2016 4:12:33 PM
To: 'Users'
Subject: Re: [OpenAM] Help understanding OpenAM behavior
 
Brooke,

The newSession is a choice available for certain use cases but not for all.
When invalidating a previous session is mandatory, then it comes in handy.

I tested with exactly the url you gave -
http://host:port/openam13/UI/Login?module=Datastore

Also, the use case Alberto mentioned is slightly different from your use
case.  It's a case where a user left one tab (A) open with the login screen,
opened another tab (B), logged in and came back to tab (A) to log in with a
different credential.  (Maybe in a shared computer scenario.)  In this
case, the user actually did not go to the login URL a second time.  Well, by
the time the user came to tab (A) for the second time, a valid session
exists.  That's why I would think it's an expected behavior.

Regards
Kiran

-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Hedrick, Brooke - 43
Sent: Thursday, June 23, 2016 3:38 PM
To: 'Users'
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Sorry Kiran,

Not sure what to tell you.  I saw the same issue as Alberto only 2 years
ago.  I solved the problem with a filter.

Obviously, if we indiscriminately removed the iPlanetDirectoryPro cookie, the SSO
system would never work.  It would be silly for us to be paying customers in
that case as well!

Kiran, would you expect every one of the OpenAM customers that create their
own login page/block to have added the arg=newSession, then?

What does the URL you tested with look like?



Brooke Hedrick
AVP Web Administration
Rain and Hail, IT Division
Office: 515.559.1322
Cell: 515.314.8953
[hidden email]

For more information about the Agriculture Insurance from Rain and Hail
visit www.RainHail.com.

Rain and Hail
A Chubb Company


-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Kiran Ramineni
Sent: Thursday, June 23, 2016 3:25 PM
To: 'Users' [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Brooke,

I am "Definitely" not expecting to see the login page after step 3.  Just
for kicks, I tried the sequence just a few minutes ago and I don't see the
login page.  It shows me the profile page of User A.  (I hope you are not
running these steps on a machine that's stripping the iPlanetDirectoryPro
cookie.)

Regards
Kiran


-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Hedrick, Brooke - 43
Sent: Thursday, June 23, 2016 2:38 PM
To: 'Users'
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Hey Kiran,

What do you mean after Step 3?

We see the exact same login screen after step 3 as we did after step 1, the
form asking for a username and password.

We have had this solution in place for 2 years without issue.

This is an interesting tip!
arg=newSession

Egads!  That has been around since at least OpenSSO v8 from Sun/Oracle too!
https://docs.oracle.com/cd/E19681-01/820-3885/gbanu/index.html

I wouldn't have known what to Google for when we first found the issue as we
figured it was just a bug as it seemed that it would not be intentional
behavior!

Brooke Hedrick


-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Kiran Ramineni
Sent: Thursday, June 23, 2016 2:23 PM
To: 'Users' [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Brooke,

What do you see as the response after step 3? 

Do you see a login screen? 

As far as removing the iPlanetDirectoryPro cookie, I would be concerned
regarding achieving SSO. 

Optionally, if you want to force a user to login, you can append
arg=newSession to the login url.

Best Regards
Kiran

-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Hedrick, Brooke - 43
Sent: Thursday, June 23, 2016 1:58 PM
To: [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Bernhard,

Have you tried:
===================
1. access https://yourserver/openam/UI/Login?module=DataStore
2. Login as userA
3. access https://yourserver/openam/UI/Login?module=DataStore
4. Login as userB
5.  Now - check to see which user OpenAM thinks you are logged in as.

To answer your question:
===================
Another page, that fits in better with the site and can be included with
other content, which has the username/password boxes and posts to the normal
login URL.


Our resolution
===================
We ended up creating a filter to resolve the issue.  The filter removes the
iPlanetDirectoryPro cookie.

import java.io.IOException;
import java.util.Arrays;
import javax.servlet.*;
import javax.servlet.http.*;

public class SsoPasswordFilter
  implements Filter
{
  private static final String SSO_COOKIE = "iPlanetDirectoryPro";
  public void init(FilterConfig config) throws ServletException { }
  public void destroy() { }

  public void doFilter(ServletRequest arg0, ServletResponse arg1,
                       FilterChain filterChain)
    throws IOException, ServletException
  {
    HttpServletRequest request = (HttpServletRequest)arg0;

    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
      for (int i = 0; i < cookies.length; i++)
      {
        Cookie cookie = cookies[i];
        if (cookie.getName().equals(SSO_COOKIE))
        {
          // Blanks the server-side copy only; request cookies are never sent back.
          cookie.setValue("");
          cookie.setMaxAge(0);
        }
      }
    }
    // Everything after this filter sees a request without the SSO cookie.
    HttpServletRequest wrapper = getWrapperRequest(request);
    filterChain.doFilter(wrapper, arg1);
  }

  // Not in the original post; reconstructed so the class compiles and hides the cookie.
  private HttpServletRequest getWrapperRequest(HttpServletRequest request)
  {
    return new HttpServletRequestWrapper(request) {
      @Override
      public Cookie[] getCookies() {
        Cookie[] all = super.getCookies();
        if (all == null) return null;
        return Arrays.stream(all)
          .filter(c -> !SSO_COOKIE.equals(c.getName()))
          .toArray(Cookie[]::new);
      }
    };
  }
}

Brooke Hedrick


-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Bernhard Thalmayr
Sent: Thursday, June 23, 2016 11:26 AM
To: [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

On 22/06/16 at 23:38, Hedrick, Brooke - 43 wrote:
> I have seen the same behavior.  A user is logged in on one tab.  Then,
> they go to a new tab, access the main page on the site to log in,
> enter different credentials, BUT, OpenAM uses the previous
> credentials, no warning, no nothing.

OpenAM won't show any login dialogue by default if the SSO tracking cookie
is sent.

In your case the question is ... how was OpenAM accessed?

-Bernhard
>
> I would not say that this is expected behavior.
>
> OpenAM should either use the new credentials or prevent you from
> moving on ( after entering new credentials ) until you accept some
> prompt explaining that you have a previous login as ___username___
> that will be used instead.
>
> This is disconcerting when you run into it and users don't always pay
> attention to the fact that they are using different credentials than
> they expect.
>
> -Brooke
>
> *From:*[hidden email]
> [[hidden email]] *On Behalf Of *Kiran Ramineni
> *Sent:* Wednesday, June 22, 2016 1:59 PM
> *To:* 'Users' [hidden email]
> *Subject:* Re: [OpenAM] Help understanding OpenAM behavior
>
> Alberto,
>
> In my opinion this is expected behavior.
>
> Let me present a case:
>
> So, let's say you are logged in on one tab.  Now, you go to another tab
> and attempt to go to the login page; wouldn't you expect that you get the
> profile page (to indicate that you are already logged in)?
>
> The reason behind this is that OpenAM places a cookie once the user is
> logged in.  When you go to the login page again, it obtains the cookie
> and identifies that you are already logged in.
>
> HTH
>
> Kiran Ramineni
>
> *From:*[hidden email]
> <[hidden email]>
> [[hidden email]] *On Behalf Of *Alberto Treviño
> *Sent:* Wednesday, June 22, 2016 9:51 AM
> *To:* Users
> *Subject:* [OpenAM] Help understanding OpenAM behavior
>
> We just ran into some interesting behavior with OpenAM. I'm wondering
> if this is desired behavior (and if so why), if it can be turned off,
> or if it's a bug. This is how you reproduce it:
>
> In a new browser session, bring up your site's login page but don't
> sign in yet (how you do it is irrelevant). Then, with the login page
> just sitting there, open up a second tab with the same login page
> (again, how you do it is irrelevant). Log in to the first site with,
> say, UserA. Once you are logged in, go back to the second tab that
> still has a login page and log in with UserB. The result we see in the
> second tab is that you go to that tab's successful login destination
> but you are still authenticated with UserA.
>
> There is another interesting twist as well. You can pass a goto
> parameter to the login page in the second tab, and then provide
> absolutely bogus credentials and the tab will be redirected to the
> goto location but still have the credentials of UserA that was
> previously logged in.
>
> This behavior seems odd to us. We would expect that when you go to the
> second tab and put in valid credentials, all previous sessions would
> be destroyed and you would become the new user. (Most sites seem to do
> that.) In the second case, if you provide invalid credentials, you
> should get an error page.
>
> Any ideas?


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr


--
Simplify Email: Email Charter

ForgeRock Logo Allan  Foster - Forge Rock
Vice President Global Partner Enablement
Location: Vancouver, WA, US
p: +1.360.229.7102
email: [hidden email]
www: www.forgerock.com
www: www.forgerock.org
blogs: blogs.forgerock.com/GuruAllan

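The "Non SSOToken page load, With SSOToken submit" flow Allan describes, modelled end to end as an added example (constructed here; not OpenAM code and not anyone's code from this thread): a toy login endpoint in which a live iPlanetDirectoryPro session silently wins over whatever credentials are posted, beside the variant he proposes where a credential POST with an existing session is treated as a re-authentication, plus Kiran's arg=newSession. The form field names IDToken1/IDToken2 are an assumption taken from OpenAM's classic login form, and the accounts, passwords and goto values are constructed.

```python
"""Constructed model of the login-page decision discussed in this thread.
It is not OpenAM code: it reproduces the default outcome (an existing SSO
session wins over whatever credentials are POSTed) beside a hardened
variant (credentials posted while a session exists are a re-authentication,
never silently ignored)."""
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets

SSO_COOKIE = "iPlanetDirectoryPro"                    # OpenAM's default SSO cookie
USERS = {"UserA": "secret-a", "UserB": "secret-b"}    # constructed accounts


@dataclass
class Response:
    status: int                         # 200 login form, 302 redirect, 401 error page
    location: Optional[str] = None      # redirect target (the goto parameter)
    set_cookie: Optional[str] = None    # newly issued SSO token, if any


@dataclass
class LoginService:
    reauth_on_post: bool = False        # False = default behaviour, True = hardened
    sessions: Dict[str, str] = field(default_factory=dict)   # token -> username

    def whoami(self, cookies):
        """Identity the browser currently holds, or None."""
        return self.sessions.get(cookies.get(SSO_COOKIE, ""))

    def login(self, cookies, form, query):
        """One request to the login URL. `form` carries the classic-UI fields
        IDToken1 (user) and IDToken2 (password) when credentials are posted."""
        token = cookies.get(SSO_COOKIE)
        current = self.sessions.get(token)
        goto = query.get("goto", "/profile")
        posted = "IDToken1" in form

        if current and query.get("arg") == "newSession":
            # Kiran's tip: arg=newSession invalidates the old session up front.
            del self.sessions[token]
            current = None

        if current and not posted:
            # Plain visit with a live session: no form, straight to profile/goto.
            return Response(302, goto)

        if current and posted:
            if not self.reauth_on_post:
                # Default: the cookie wins and the posted credentials, valid or
                # bogus, are never checked (the behaviour Alberto reported).
                return Response(302, goto)
            # Hardened: posting credentials is an explicit intent to log in as
            # someone. Drop the old session first so a failure below can never
            # fall through to the previous identity.
            del self.sessions[token]

        if not posted:
            return Response(200)                      # render the login form

        user, password = form.get("IDToken1"), form.get("IDToken2")
        if USERS.get(user) != password:
            return Response(401)                      # authentication error page
        new_token = secrets.token_hex(16)             # fresh token, old one never reused
        self.sessions[new_token] = user
        return Response(302, goto, set_cookie=new_token)


def two_tab_scenario(service, second_user, second_password, goto="/app"):
    """Alberto's reproduction: tab 1 logs in as UserA; tab 2, whose login form
    was loaded before any cookie existed, then submits `second_user`'s
    credentials while the browser already sends UserA's cookie.
    Returns (status of the second submit, identity the browser ends up with)."""
    jar = {}
    first = service.login(jar, {"IDToken1": "UserA", "IDToken2": "secret-a"}, {})
    jar[SSO_COOKIE] = first.set_cookie
    second = service.login(jar, {"IDToken1": second_user,
                                 "IDToken2": second_password}, {"goto": goto})
    if second.set_cookie:
        jar[SSO_COOKIE] = second.set_cookie
    return second.status, service.whoami(jar)


def new_session_scenario(service):
    """Logged in as UserA, then visit the login URL with arg=newSession:
    the old session is gone and the form is shown again."""
    jar = {}
    jar[SSO_COOKIE] = service.login(
        jar, {"IDToken1": "UserA", "IDToken2": "secret-a"}, {}).set_cookie
    resp = service.login(jar, {}, {"arg": "newSession"})
    return resp.status, service.whoami(jar)


if __name__ == "__main__":
    print("default,  UserB :", two_tab_scenario(LoginService(), "UserB", "secret-b"))
    print("default,  bogus :", two_tab_scenario(LoginService(), "nobody", "x"))
    print("hardened, UserB :", two_tab_scenario(LoginService(True), "UserB", "secret-b"))
    print("hardened, bogus :", two_tab_scenario(LoginService(True), "nobody", "x"))
    print("arg=newSession  :", new_session_scenario(LoginService()))
```

In the default mode both the valid UserB login and the bogus one end with the browser still identified as UserA and redirected to the goto location, which is exactly the two outcomes reported above; the hardened mode ends as UserB or on the error page with no session at all.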

Re: Help understanding OpenAM behavior

Kiran Ramineni

Allan,

That sounds like a good enhancement for the product.

Best Regards
Kiran

From: [hidden email] [mailto:[hidden email]] On Behalf Of Allan Foster
Sent: Friday, June 24, 2016 3:09 AM
To: [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

 

So I have been reading this thread,  and I have my own $0.02 to put in!

 

First, the initial comment was about going to the login page, (thereby caching it in the browser),  and then going to a new tab and going to the login page,  and logging in.

 

The key point here,  is that in going back to the initial tab,  the old login page is STILL present.  Now normally this page will time out in 3 minutes, but lets say it is under that time....   The credentials are now put in, and submitted.  Since the SSOToken cookie has been already created, the login will "Appear" to work,  although we are actually just ignoring the login, and using the existing session.

 

There might definitely be an enhancement,  in that if credentials are posted while an existing session is present, that it should handle it by failing, or some other action.

 

They key to reproducing this,  is that the initial page load needs to be "Non SSOToken" and the submit needs to be "With SSOToken"

 

Allan

 

 

On 6/23/16 3:26 PM, Alberto Treviño wrote:

In the shared computer scenario, the user is expecting to be logged in as his/herself since he/she doesn't know there was a previous login.

 

When switching realms, OpenAM presents a page saying you are already logged in in another organization and gives you the chance to log in again. Perhaps a page like that would be a better behavior?


From: [hidden email] [hidden email] on behalf of Kiran Ramineni [hidden email]
Sent: Thursday, June 23, 2016 4:12:33 PM
To: 'Users'
Subject: Re: [OpenAM] Help understanding OpenAM behavior

 

Brooke,

The newSession is choice available for certain use cases but not for all.
When invalidating a previous session is mandatory, then it comes in handy.

I tested with exactly the url you gave -
https://urldefense.proofpoint.com/v2/url?u=http-3A__host-3Aport_openam13_UI_Login-3Fmodule-3DDatastore&d=CwIFAw&c=z0adcvxXWKG6LAMN6dVEqQ&r=qCEer_ZIRmYncDJiiJGOOJObdd-XgPYb9CYqNHLVx4M&m=zDo6zwJ3cM-1dtSMDGFjEU30pFCOHNhPhhQ1_PLu51s&s=B29w6OzTuOI8jlaFojzkMoY7IFAvmZwK0ZJagoEXQhc&e=

Also, the usecase alberto mentioned is slightly different from your use
case.  It's a case where a user left one tab(A) open with login screen,
opened another tab(B), logged in and came back to tab(A) to login with a
different credential.  (May be in a shared computer scenario.)  In this
case, the user actually did not go to the login url second time.   Well, by
the time the user came to tab(A) for the second time, a valid session
exists.  That's why I would think it's an expected behavior.

Regards
Kiran

-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Hedrick, Brooke - 43
Sent: Thursday, June 23, 2016 3:38 PM
To: 'Users'
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Sorry Kiran,

Not sure what to tell you.  I saw the same issue as Alberto only 2 years
ago.  I solved the problem with a filter.

Obviously, if we indiscriminately remove the iPlanetDirectoryPro the sso
system would never work.  It would be silly for us to be paying customers in
that case as well!

Kiran, would you expect every one of the OpenAM customers that create their
own login page/block to have added the arg=newSession, then?

What does the URL you tested with look like?



Brooke Hedrick
AVP Web Administration
Rain and Hail, IT Division
Office: 515.559.1322
Cell: 515.314.8953
[hidden email]

For more information about the Agriculture Insurance from Rain and Hail
visit www.RainHail.com.

Rain and Hail
A Chubb Company


-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Kiran Ramineni
Sent: Thursday, June 23, 2016 3:25 PM
To: 'Users' [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Brooke,

I am "Definitely" not expecting to see the login page after step 3.  Just
for kicks, I tried the sequence just a few minutes ago and I don't see the
login page.  It shows me the profile page of User A.  (I hope you are not
running these steps on a machine that's stripping the iplanetDirectoryPro
cookie.)

Regards
Kiran


-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Hedrick, Brooke - 43
Sent: Thursday, June 23, 2016 2:38 PM
To: 'Users'
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Hey Kiran,

What do you mean after Step 3?

We see the exact same login screen after step 3 as we did after step 1, the
form asking for a username and password.

We have had this solution in place for 2 years without issue.

This is an interesting tip!
arg=newSession

Egads!  That has been around since at least OpenSSO v8 from Sun/Oracle too!
https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.oracle.com_cd_E19681-2D01_820-2D3885_gbanu_index.html&d=CwIFAw&c=z0adcvxXWKG6LAMN6dVEqQ&r=qCEer_ZIRmYncDJiiJGOOJObdd-XgPYb9CYqNHLVx4M&m=zDo6zwJ3cM-1dtSMDGFjEU30pFCOHNhPhhQ1_PLu51s&s=-lFcnJp6fhuekUvPCyjxbQl671OMzXMgIkxOxJFeVtc&e=  .

I wouldn't have known what to Google for when we first found the issue as we
figured it was just a bug as it seemed that it would not be intentional
behavior!

Brooke Hedrick
AVP Web Administration
Rain and Hail, IT Division
Office: 515.559.1322
Cell: 515.314.8953
[hidden email]

For more information about the Agriculture Insurance from Rain and Hail
visit www.RainHail.com.

Rain and Hail
A Chubb Company


-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Kiran Ramineni
Sent: Thursday, June 23, 2016 2:23 PM
To: 'Users' [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Brooke,

What do you see as the response after step 3? 

Do you see a login screen? 

As far as removing the iPlanetDirectoryPro cookie, I would be concerned
regarding achieving SSO. 

Optionally, if you want to force a user to login, you can append
arg=newSession to the login url.

Best Regards
Kiran

-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Hedrick, Brooke - 43
Sent: Thursday, June 23, 2016 1:58 PM
To: [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Bernhard,

Have you tried:
===================
1. access https://urldefense.proofpoint.com/v2/url?u=https-3A__yourserver_openam_UI_Login-3Fmodule-3DDataStore&d=CwIFAw&c=z0adcvxXWKG6LAMN6dVEqQ&r=qCEer_ZIRmYncDJiiJGOOJObdd-XgPYb9CYqNHLVx4M&m=zDo6zwJ3cM-1dtSMDGFjEU30pFCOHNhPhhQ1_PLu51s&s=Mfq08-BXRK58c6JlJ2ul96MydZveNWWN9CAmVj_A-dI&e=
2. Login as userA
3. access https://urldefense.proofpoint.com/v2/url?u=https-3A__yourserver_openam_UI_Login-3Fmodule-3DDataStore&d=CwIFAw&c=z0adcvxXWKG6LAMN6dVEqQ&r=qCEer_ZIRmYncDJiiJGOOJObdd-XgPYb9CYqNHLVx4M&m=zDo6zwJ3cM-1dtSMDGFjEU30pFCOHNhPhhQ1_PLu51s&s=Mfq08-BXRK58c6JlJ2ul96MydZveNWWN9CAmVj_A-dI&e=
4. Login as userB
5.  Now - check to see which user OpenAM thinks you are logged in as.

To answer your question:
===================
Another page, that fits in better with the site and can be included with
other content, which has the username/password boxes and posts to the normal
login URL.


Our resolution
===================
We ended up creating a filter to resolve the issue.  The filter removes the
iPlanetDirectoryPro cookie.

public class SsoPasswordFilter
  implements Filter
{
  public void doFilter(ServletRequest arg0, ServletResponse arg1,
FilterChain filterChain)
    throws IOException, ServletException
  {
    HttpServletRequest request = (HttpServletRequest)arg0;
   
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
      for (int i = 0; i < cookies.length; i++)
      {
        Cookie cookie = cookies[i];
        if (cookie.getName().equals("iPlanetDirectoryPro"))
        {
          cookie.setValue("");
          cookie.setMaxAge(0);
        }
      }
    }
    HttpServletRequest wrapper = getWrapperRequest(request);
    filterChain.doFilter(wrapper, arg1);
  }
}

Brooke Hedrick
AVP Web Administration
Rain and Hail, IT Division
Office: 515.559.1322
Cell: 515.314.8953
[hidden email]

For more information about the Agriculture Insurance from Rain and Hail
visit www.RainHail.com.

Rain and Hail
A Chubb Company


-----Original Message-----
From: [hidden email] [[hidden email]] On
Behalf Of Bernhard Thalmayr
Sent: Thursday, June 23, 2016 11:26 AM
To: [hidden email]
Subject: Re: [OpenAM] Help understanding OpenAM behavior

Am 22/06/16 um 23:38 schrieb Hedrick, Brooke - 43:
> I have seen the same behavior.  A user is logged in on one tab.  Then,
> they go to a new tab, access the main page on the site to log in,
> enter different credentials, BUT, OpenAM uses the previous
> credentials, no warning, no nothing.

OpenAM won't show any login dialogue by default if the SSO tracking cookie
is sent.

In your case the question is ... how was OpenAM accessed?

-Bernhard


>

>
> I would not say that this is expected behavior.
>

>
> OpenAM should either use the new credentials or prevent you from
> moving on ( after entering new credentials ) until you accept some
> prompt explaining that you have a previous login as ___username___
> that will be used instead.
>

>
> This is disconcerting when you run into it and users don't always pay
> attention to the fact that they are using different credentials than
> they expect.
>

>
> -Brooke
>

>

>
> *From:*[hidden email]
> [[hidden email]] *On Behalf Of *Kiran Ramineni
> *Sent:* Wednesday, June 22, 2016 1:59 PM
> *To:* 'Users' [hidden email]
> *Subject:* Re: [OpenAM] Help understanding OpenAM behavior
>

>
> Alberto,
>

>
> In my opinion this is expected behavior.
>

>
> Let me present a case:
>

>
> So, let's say you are logged in one tab.  Now, you go to another tab
> and attempt to go to login page,  wouldn't you expect that you get the
> profile page (to indicate that you are already logged in.)
>

>
> The reason behind is that OpenAM places a cookie once the user is
> logged in.  When you go to the login page again, it obtains the cookie
> and identifies that you are already logged in.
>

>
> HTH
>
> Kiran Ramineni
>

>
> *From:*[hidden email]
> <[hidden email]>
> [[hidden email]] *On Behalf Of *Alberto Treviño
> *Sent:* Wednesday, June 22, 2016 9:51 AM
> *To:* Users
> *Subject:* [OpenAM] Help understanding OpenAM behavior
>

>
> We just ran into some interesting behavior with OpenAM. I'm wondering
> if this is desired behavior (and if so why), if it can be turned off,
> or if it's a bug. This is how you reproduce it:
>

>
> In a new browser session, bring up your site's login page but don't
> sign in yet (how you do it is irrelevant). Then, with the login page
> just sitting there, open up a second tab with the same login page
> (again, how you do it is irrelevant). Log in to the first site with
> say, UserA. Once you are logged in, go back to the second tab that
> still has a login page and log in with UserB. The result we see in the
> second tab is that you go to that tab's successful login destination
> but you are still authenticated with UserA.
>

>
> There is another interesting twist as well. You can pass a goto
> parameter to the login page in the second tab, and then provide
> absolutely bogus credentials and the tab will be redirected to the
> goto location but still have the credentials of UserA that was
> previously logged in.
>

>
> This behavior seems odd to us. We would expect that when you go to the
> second tab and put in valid credentials, all previous sessions would
> be destroyed and you would become the new user. (Most sites seem to do
> that.) On the second case, if you provide invalid credentials, you
> should get an error page.
>

>
> Any ideas?
>
>
>
> _______________________________________________
> Visit the OpenAM forum at
> https://urldefense.proofpoint.com/v2/url?u=https-3A__forgerock.org_forum_fr-2Dprojects_openam_&d=CwIFAw&c=z0adcvxXWKG6LAMN6dVEqQ&r=qCEer_ZIRmYncDJiiJGOOJObdd-XgPYb9CYqNHLVx4M&m=zDo6zwJ3cM-1dtSMDGFjEU30pFCOHNhPhhQ1_PLu51s&s=G6IpKQprSmdU4GCwvaYIJvh3Rxhiw7XoFeMtYfTCPKM&e=
> OpenAM mailing list
> [hidden email]
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.forgerock.org_mailman_listinfo_openam&d=CwIFAw&c=z0adcvxXWKG6LAMN6dVEqQ&r=qCEer_ZIRmYncDJiiJGOOJObdd-XgPYb9CYqNHLVx4M&m=zDo6zwJ3cM-1dtSMDGFjEU30pFCOHNhPhhQ1_PLu51s&s=ukjObBA_9WrUF60yUoz5yRi8QowhDkZa1KJ76TW6ozQ&e=
>


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.xing.com_profile_Bernhard-5FThalmayr&d=CwIFAw&c=z0adcvxXWKG6LAMN6dVEqQ&r=qCEer_ZIRmYncDJiiJGOOJObdd-XgPYb9CYqNHLVx4M&m=zDo6zwJ3cM-1dtSMDGFjEU30pFCOHNhPhhQ1_PLu51s&s=WPUekc24M7uY-dciEpaSEuETHUtD4jaPTOHmvoxyNZ8&e=
https://urldefense.proofpoint.com/v2/url?u=http-3A__de.linkedin.com_in_bernhardthalmayr&d=CwIFAw&c=z0adcvxXWKG6LAMN6dVEqQ&r=qCEer_ZIRmYncDJiiJGOOJObdd-XgPYb9CYqNHLVx4M&m=zDo6zwJ3cM-1dtSMDGFjEU30pFCOHNhPhhQ1_PLu51s&s=aAFw2B9BBT5yIv4Xr2Y7Osl92Sa3e0LexkY3XAm0J0A&e=

This e-mail may contain confidential and/or privileged information.If you
are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
_______________________________________________
Visit the OpenAM forum at https://urldefense.proofpoint.com/v2/url?u=https-3A__forgerock.org_forum_fr-2Dprojects_openam_&d=CwIFAw&c=z0adcvxXWKG6LAMN6dVEqQ&r=qCEer_ZIRmYncDJiiJGOOJObdd-XgPYb9CYqNHLVx4M&m=zDo6zwJ3cM-1dtSMDGFjEU30pFCOHNhPhhQ1_PLu51s&s=G6IpKQprSmdU4GCwvaYIJvh3Rxhiw7XoFeMtYfTCPKM&e=
OpenAM mailing list
[hidden email]
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.forgerock.org_mailman_listinfo_openam&d=CwIFAw&c=z0adcvxXWKG6LAMN6dVEqQ&r=qCEer_ZIRmYncDJiiJGOOJObdd-XgPYb9CYqNHLVx4M&m=zDo6zwJ3cM-1dtSMDGFjEU30pFCOHNhPhhQ1_PLu51s&s=ukjObBA_9WrUF60yUoz5yRi8QowhDkZa1KJ76TW6ozQ&e=

 

--

Simplify Email: Email Charter

Allan  Foster - Forge Rock
Vice President Global Partner Enablement
Location: Vancouver, WA, US
p: +1.360.229.7102

email: [hidden email]
www: www.forgerock.com
www: www.forgerock.org
blogs: blogs.forgerock.com/GuruAllan

 


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
Re: Help understanding OpenAM behavior

Alberto Treviño
In reply to this post by Bernhard Thalmayr
> This is definitely not the expected behavior, the login screen should
> not appear unless you use 'private / incognito' mode. As long as the
> browser will send the SSO tracking cookie and you try to authenticate in
> the same realm and do not perform 'session upgrade' there won't be a
> Login page.

Yes, if you are already logged in and you visit the login page again, OpenAM
just skips through it. If you opened up two tabs (or windows) and both require
login, the first logs you in, the second is just ignored, even if you post
different valid credentials. This second behavior (although incredibly rare)
is what seems weird to me. There are no warnings, the credentials are ignored,
and everything appears to work until you realize you are not who you think you
are.

I would like to see the user change (since new credentials were posted) or a
message saying you are already logged in with an option to log out. Am I alone
on this view?

--
Alberto Treviño
WAM Team, ICS
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
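To make the behaviour Alberto asks for concrete, here is an added example (not OpenAM code, and not from anyone in this thread) modelling a login handler that receives a POST while the browser already carries a valid SSO cookie: valid credentials for a different user replace the old session, and invalid credentials fail without honouring the goto. The user table, `SessionStore` and `handle_login` are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed user store (example only): username -> salted SHA-256 digest.
_SALT = b"example-salt"
USERS = {
    "UserA": hashlib.sha256(_SALT + b"passA").hexdigest(),
    "UserB": hashlib.sha256(_SALT + b"passB").hexdigest(),
}

def verify_password(username, password):
    """Constant-time comparison against the stored digest; unknown user fails."""
    expected = USERS.get(username)
    if expected is None:
        return False
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(digest, expected)

class SessionStore:
    """Hypothetical stand-in for the SSO session table: token -> principal."""
    def __init__(self):
        self._sessions = {}

    def create(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def lookup(self, token):
        return self._sessions.get(token)

    def destroy(self, token):
        self._sessions.pop(token, None)

def handle_login(store, sso_token, username, password, goto="/"):
    """Return (outcome, token, redirect) for a login POST that may carry an
    existing SSO cookie. A failed authentication never redirects to goto."""
    current = store.lookup(sso_token) if sso_token else None
    if not verify_password(username, password):
        # Bogus credentials plus a goto must not pass on the old cookie alone.
        return ("invalid_credentials", sso_token, None)
    if current == username:
        # Same principal already has a session: keep it, honour the goto.
        return ("already_logged_in", sso_token, goto)
    if current is not None:
        # A different principal posted valid credentials: replace, don't ignore.
        store.destroy(sso_token)
    return ("ok", store.create(username), goto)
```

The "already_logged_in" outcome is where a real deployment would render the "you are already signed in, log out?" page the thread asks for.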
Re: Help understanding OpenAM behavior

Mark Boyd (Software Architect)
My vote: +1

The current behavior just doesn't feel right to me.

Mark




On 6/27/16, 7:47 AM, "[hidden email] on behalf of Alberto Treviño" <[hidden email] on behalf of [hidden email]> wrote:

>> This is definitely not the expected behavior, the login screen should
>> not appear unless you use 'private / incognito' mode. As long as the
>> browser will send the SSO tracking cookie and you try to authenticate in
>> the same realm and do not perform 'session upgrade' there won't be a
>> Login page.
>
>Yes, if you are already logged in and you visit the login page again, OpenAM
>just skips through it. If you opened up two tabs (or windows) and both require
>login, the first logs you in, the second is just ignored, even if you post
>different valid credentials. This second behavior (although incredibly rare)
>is what seems weird to me. There are no warnings, the credentials are ignored,
>and everything appears to work until you realize you are not who you think you
>are.
>
>I would like to see the user change (since new credentials were posted) or a
>message saying you are already logged in with an option to log out. Am I alone
>on this view?
>
>--
>Alberto Treviño
>WAM Team, ICS
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
Re: Help understanding OpenAM behavior

Bernhard Thalmayr
In reply to this post by Alberto Treviño
Please file an improvement request or bug at https://bugster.forgerock.org

Thanks,
Bernhard

On 27/06/16 at 15:47, Alberto Treviño wrote:

>> This is definitely not the expected behavior, the login screen should
>> not appear unless you use 'private / incognito' mode. As long as the
>> browser will send the SSO tracking cookie and you try to authenticate in
>> the same realm and do not perform 'session upgrade' there won't be a
>> Login page.
>
> Yes, if you are already logged in and you visit the login page again, OpenAM
> just skips through it. If you opened up two tabs (or windows) and both require
> login, the first logs you in, the second is just ignored, even if you post
> different valid credentials. This second behavior (although incredibly rare)
> is what seems weird to me. There are no warnings, the credentials are ignored,
> and everything appears to work until you realize you are not who you think you
> are.
>
> I would like to see the user change (since new credentials were posted) or a
> message saying you are already logged in with an option to log out. Am I alone
> on this view?
>


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam