Multiple authentication schemes with single web agent?

Multiple authentication schemes with single web agent?

Bernie Jones

I haven’t been able to work out from the OpenAM docs whether this functionality is supported:

I have a single web agent currently configured to use the native forms-based authentication against an external LDAP – all works fine.

After building a new SAML2 federation scheme in integrated mode (OpenAM as SP), what I wish to do is to be able to determine the required authentication method based on the URL space within the web server in which the agent is installed.

For example:

<server>/internal/* will challenge for the forms authentication against the corporate directory

<server>/partners/* will initiate SAML2 federation using the new scheme

Is this possible please and if so what steps are needed to configure?

If not possible then what are the alternative solutions?

Many thanks,

Bernie




_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Multiple authentication schemes with single web agent?

Steve Ferris
Given your question, I believe the option you are looking for is to be found here.

https://backstage.forgerock.com/#!/docs/openam-web-policy-agents/4/web-users-guide#web-agent-login-url-properties

Refer to the OpenAM Conditional Login URL section.

regards
Steve

On Mon, Jun 6, 2016 at 11:21 AM, Bernie Jones <[hidden email]> wrote:


Re: Multiple authentication schemes with single web agent?

Bernhard Thalmayr
I'm afraid the conditional login URL feature cannot be used for URIs but
only for FQDNs (HTTP host header).

Resource-based auth may help, but I think it has never covered mixing
proprietary Web SSO (OpenAM) and standards-based Web SSO.

If you don't use host-based cookies for OpenAM and the agents are not
using CDSSO mode you could craft an unprotected intermediate page which
could be used as a 'router' (to be specified for the Login URL property).

-Bernhard

On 06/06/16 at 16:48, Steve Ferris wrote:



--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr


Re: Multiple authentication schemes with single web agent?

Stromberg, Pat
Are you sure about that, Bernhard?  We definitely use them (web policy agent 3.3.x) on at least one level of URI, for example, matching my.example.com/testenv1 or my.example.com/testenv2 and sending them to two different places if there is no session token.

Thanks,

pat

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
Sent: Monday, June 06, 2016 3:54 PM
To: [hidden email]
Subject: Re: [OpenAM] Multiple authentication schemes with single web agent?


Re: Multiple authentication schemes with single web agent?

Bernhard Thalmayr
Hi Pat, at least this has been the case and multiple bugs have been
filed to get it documented more properly.

The latest doc
https://backstage.forgerock.com/#!/docs/openam-web-policy-agents/4/web-users-guide#configure-web-pa-services-props

tells

"If the domain before the vertical bar matches an incoming request URL,
then the policy agent uses the list of URLs to determine how to redirect
the user-agent."

and the examples use FQDNs
(https://bugster.forgerock.org/jira/browse/OPENAM-849)

However 'domain' is not really accurate as the HTTP host header is the
source of information.

Also it states

"To conditionally redirect users based on the incoming request URL, set
this property."

which might not be accurate as one could think the whole URL is taken
into account.

Side note: The request line of an HTTP request only includes the whole
URL if it's a proxy request, otherwise the request line only shows the
URI --> what's an "incoming request URL"?

There is also

https://bugster.forgerock.org/jira/browse/OPENAM-849

but the description is questionable as the same request URL is used ?!?

Furthermore there is also RFE
https://bugster.forgerock.org/jira/browse/OPENAM-3652

-Bernhard




On 06/06/16 at 22:01, Stromberg, Pat wrote:


Re: Multiple authentication schemes with single web agent?

Bernie Jones
Many thanks for your replies - I'm still getting my head around the OpenAM model and relationship between the components and expect that will improve rapidly as soon as I get on to a course.

However, I was wondering, in a more general case, if it is not then possible to segregate the URL space served by a single web agent into multiple zones each associated with a specific authentication mechanism e.g. user/password auth for regular content at auth level x but 2FA auth to more sensitive content at auth level x+1. I'm not clear that the ability to redirect to separate login pages based on host header provides that?

Apologies for changing the question!

Regards,
Bernie

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
Sent: 07 June 2016 09:06
To: [hidden email]
Subject: Re: [OpenAM] Multiple authentication schemes with single web agent?


Re: Multiple authentication schemes with single web agent?

Jari Ahonen
Hi,

Authorization policies can have environmental conditions specifying additional authentication details such as level/module/chain. See the admin guide chapter about authorization policies for more info.

- Jari

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Bernie Jones
Sent: Wednesday, June 08, 2016 10:31 AM
To: 'Users' <[hidden email]>
Subject: Re: [OpenAM] Multiple authentication schemes with single web agent?


Re: Multiple authentication schemes with single web agent?

Nicolas Seigneur
I believe you can leverage Auth Level for your use case. Each login module can be configured to have a different Authentication Level. So your 2fa could have an Auth Level "10" which would allow you to define Policies for specific URLs that require "Auth Level 10".

When the request would come through the Web Agent, OpenAM would advise the Agent that the user is currently at Auth Level 1 and should have Auth Level 10. If everything is configured properly, the user would be redirected to the 2fa login module.

If you find Auth Level is not flexible enough, as Jari hinted, you can use multiple environmental conditions to fulfill your requirement.

Nicolas Seigneur
Indigo Consulting Canada

On Wed, Jun 8, 2016 at 5:11 AM, Jari Ahonen <[hidden email]> wrote:
Hi,

Authorization policies can have environmental conditions specifying additional authentication details such as level/module/chain. See the admin guide chapter about authorization policies for more info.

- Jari

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Bernie Jones
Sent: Wednesday, June 08, 2016 10:31 AM
To: 'Users' <[hidden email]>
Subject: Re: [OpenAM] Multiple authentication schemes with single web agent?

Many thanks for your replies - I'm still getting my head around the OpenAM model and relationship between the components and expect that will improve rapidly as soon as I get on to a course.

However, I was wondering, in a more general case, if it is not then possible to segregate the URL space served by a single web agent into multiple zones each associated with a specific authentication mechanism e.g. user/password auth for regular content at auth level x but 2FA auth to more sensitive content at auth level x+1. I'm not clear that the ability to redirect to separate login pages based on host header provides that?

Apologies for changing the question!

Regards,
Bernie

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
Sent: 07 June 2016 09:06
To: [hidden email]
Subject: Re: [OpenAM] Multiple authentication schemes with single web agent?

Hi Pat, at least this has been the case and multiple bugs have been
filed to get it documented more properly.

The latest doc
<a href="https://backstage.forgerock.com/#!/docs/openam-web-policy-agents/4/web-users-guide#configure-web-pa-services-props" rel="noreferrer" target="_blank">https://backstage.forgerock.com/#!/docs/openam-web-policy-agents/4/web-users-guide#configure-web-pa-services-props

tells

"If the domain before the vertical bar matches an incoming request URL,
then the policy agent uses the list of URLs to determine how to redirect
the user-agent."

and the examples use FQDNs
(https://bugster.forgerock.org/jira/browse/OPENAM-849)

However 'domain' is not really accurate as the HTTP host header is the
source of information.

Also it states

"To conditionally redirect users based on the incoming request URL, set
this property."

which might not be accurate as one could think the whole URL is taken
into account.

Side note: The request line of an HTTP request only includes the whole
URL if it's a proxy request, otherwise the request line only shows the
URI --> what's an "incoming request URL"?

There is also

https://bugster.forgerock.org/jira/browse/OPENAM-849

but the description is questionable as the same request URL is used ?!?

Furthermore there is also RFE
https://bugster.forgerock.org/jira/browse/OPENAM-3652

-Bernhard




Am 06/06/16 um 22:01 schrieb Stromberg, Pat:
> Are you sure about that, Bernhard?  We definitely use them (web policy agent 3.3.x) on at least one level of URI, for example, matching my.example.com/testenv1 or my.example.com/testenv2 and sending them to two different places if there is no session token.
>
> Thanks,
>
> pat
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
> Sent: Monday, June 06, 2016 3:54 PM
> To: [hidden email]
> Subject: Re: [OpenAM] Multiple authentication schemes with single web agent?
>
> I'm afraid conditional login URL feature can not be used for URIs but only for FQDNs (HTTP host header).
>
> Resource-based auth may help, but I think it has never covered mixing proprietary Web SSO (OpenAM) and standards based WebSSO.
>
> If you don't use host-based cookies for OpenAM and the agents are not using CDSSO mode you could craft an unprotected intermediate page which could be used as a 'router' (to be specified for the Login URL property).
>
> -Bernhard
>
> Am 06/06/16 um 16:48 schrieb Steve Ferris:
>> Given your question, I believe the option you are looking for is to be
>> found here.
>>
>>
>> Refer to the OpenAM Conditional Login URL section.
>>
>> regards
>> Steve
>>
>> On Mon, Jun 6, 2016 at 11:21 AM, Bernie Jones
>> <[hidden email]
>> <mailto:[hidden email]>> wrote:
>>
>>     I haven’t been able to work out from the OpenAM docs whether this
>>     functionality is supported:
>>
>>     I have a single web agent currently configured to use the native
>>     forms-based authentication against an external LDAP – all works
>>     fine.
>>
>>     After building a new SAML2 federation scheme in integrated mode,
>>     (OpenAM as SP) what I wish to do is to be able to determine the
>>     required authentication method based on the URL space within the web
>>     server in which the agent is installed.
>>
>>     For example:
>>
>>     <server>/internal/* will challenge for the forms authentication
>>     against the corporate directory
>>
>>     <server>/partners/* will initiate SAML2 federation using the new
>>     scheme
>>
>>     Is this possible please and if so what steps are needed to
>>     configure?
>>
>>     If not possible then what are the alternative solutions?
>>
>>     Many thanks,
>>
>>     Bernie
> _______________________________________________
> Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
> OpenAM mailing list
> [hidden email]
> https://lists.forgerock.org/mailman/listinfo/openam
>


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.



--
-------------------------------------------------
Nicolas Seigneur
Indigo Technologies Canada, Inc.
mobile: +1.514.965.4890

Re: Multiple authentication schemes with single web agent?

Cyril Grosjean-2
In reply to this post by Steve Ferris

Another way to proceed can be to define a couple of policy sets (one per application to protect) and then define an environment condition where you would require a different authentication chain for each application.

This approach is more admin friendly (since available from the console) and if you've lots of agents or agent groups, you don't need to maintain those different agent or agent group configurations.
Re: Multiple authentication schemes with single web agent?

Bernie Jones
In reply to this post by Nicolas Seigneur

Thanks for all the replies but I now think I may have been asking the wrong question originally - having assumed that different authentication modules would require different login URLs.

In fact I just want unauthenticated users to be redirected to a login prompt that is appropriate for the authentication level required for resource access based on the URL.

So, within a single realm I might require:

/public/* – no auth required
/secure/* – U/P login required e.g. ldap (auth level 1)
/secret/* – some stronger authentication required e.g. certificate (auth level 2)

What I can’t work out is how to configure such that an unauthenticated user will get challenged directly for the associated login requirements.

If I create an authorisation policy for /secret with an environment condition that requires auth level >= 2 then the behaviour is:

A request for /secure prompts for U/P and then I am authorised.
A request for /secret still prompts first for U/P and then the authorisation policy for /secret is triggered which prompts for the stronger authentication.

But what I want to achieve is the association of the URL space directly to an authentication policy such that the user is prompted just once for the associated login.

It seems maybe that OpenAM only allows policies to be attached to authorisation and not authentication and that this is not therefore straightforward?

Many thanks,
Bernie

From: [hidden email] [mailto:[hidden email]] On Behalf Of Nicolas Seigneur
Sent: 08 June 2016 15:02
To: Users
Subject: Re: [OpenAM] Multiple authentication schemes with single web agent?

 

I believe you can leverage Auth Level for your use case. Each login module can be configured to have a different Authentication Level. So your 2fa could have an Auth Level "10" which would allow you to define Policies for specific URL that require "Auth Level 10".

 

When the request would come through the Web Agent, OpenAM would advise the Agent that the user is currently at Auth Level 1 and should have Auth Level 10. If everything is configured properly, the user would be redirected to the 2fa login module.

 

If you find Auth Level is not flexible enough, as Jari hinted, you can use multiple environmental conditions to fulfill your requirement.

 

Nicolas Seigneur

Indigo Consulting Canada

 




 

--
-------------------------------------------------
Nicolas Seigneur
Indigo Technologies Canada, Inc.
mobile: +1.514.965.4890





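To make the two-prompt behaviour Bernie describes in his last message concrete, and to show the Auth Level advice mechanism Jari and Nicolas refer to, here is an added Python model of the agent/policy interaction. It is an example written for this thread, not code from OpenAM, ForgeRock or anyone posting here. The URL patterns, policy names, auth levels and the ROUTER map are constructed assumptions; AuthLevelConditionAdvice is the advice name OpenAM returns when an AuthLevel environment condition fails, and the "router" variant models the unprotected intermediate login page Bernhard mentioned, which picks the required level from the URL before the first prompt.

```python
"""Model of OpenAM web agent enforcement with AuthLevel policy conditions.

Added example for this thread, not OpenAM/ForgeRock code.  The agent first
insists on *some* SSO session (one prompt); the policy evaluation then
returns DENY plus an AuthLevelConditionAdvice, and the agent sends the user
back to log in at the higher level (a second prompt).  URL patterns, policy
names and auth levels are constructed for illustration.
"""
from fnmatch import fnmatch
from typing import Callable, Dict, List, Optional, Tuple

# Agent-side "not enforced" list (constructed): served without any session.
NOT_ENFORCED = ["/public/*"]

# Constructed policy set: each policy carries an AuthLevel environment
# condition, as Jari and Nicolas describe above.
POLICIES = [
    {"name": "secure-policy", "resources": ["/secure/*"], "authLevel": 1},
    {"name": "secret-policy", "resources": ["/secret/*"], "authLevel": 2},
]

# Constructed map for the 'router' variant (Bernhard's unprotected
# intermediate page idea): pick the login level from the URL up front.
ROUTER = {"/secure/*": 1, "/secret/*": 2}

Advice = Dict[str, List[str]]


def policy_decision(path: str, session_level: Optional[int]) -> Tuple[str, Advice]:
    """Evaluate POLICIES for `path` as an AuthLevel condition would.

    Returns ("ALLOW", {}) or ("DENY", advice).  With no matching policy the
    result is a plain DENY (OpenAM's default), with no advice to act on.
    """
    required = [p["authLevel"] for p in POLICIES
                if any(fnmatch(path, r) for r in p["resources"])]
    if not required:
        return "DENY", {}
    needed = max(required)
    if session_level is not None and session_level >= needed:
        return "ALLOW", {}
    # Advice name as returned by OpenAM when an AuthLevel condition fails.
    return "DENY", {"AuthLevelConditionAdvice": [str(needed)]}


def router_level(path: str) -> int:
    """Initial login level chosen by the constructed 'router' page."""
    for pattern, level in ROUTER.items():
        if fnmatch(path, pattern):
            return level
    return 1


def agent_flow(path: str, login: Callable[[int], int],
               use_router: bool = False) -> Tuple[List[str], str]:
    """Simulate the agent/OpenAM steps for an unauthenticated request.

    `login(level)` stands in for the login prompt and returns the auth
    level the user reached.  Returns (event log, final decision).
    """
    events: List[str] = []
    if any(fnmatch(path, p) for p in NOT_ENFORCED):
        events.append("not-enforced URL: served without a session")
        return events, "ALLOW"
    start = router_level(path) if use_router else 1  # default chain = level 1
    events.append(f"no SSO token: redirect to login at auth level {start}")
    session_level = login(start)
    for _ in range(3):  # bounded step-up loop, never spins on bad advice
        decision, advice = policy_decision(path, session_level)
        if decision == "ALLOW":
            events.append(f"policy ALLOW at auth level {session_level}")
            return events, "ALLOW"
        if "AuthLevelConditionAdvice" not in advice:
            events.append("policy DENY with no advice: no policy matches")
            return events, "DENY"
        needed = int(advice["AuthLevelConditionAdvice"][0])
        events.append(f"policy DENY, advice: step up to auth level {needed}")
        session_level = login(needed)
    return events, "DENY"


def simulate(path: str, use_router: bool = False):
    """Run agent_flow with a recording login prompt; returns
    (decision, list of prompted levels, event log)."""
    prompts: List[int] = []

    def login(level: int) -> int:
        prompts.append(level)
        return level  # assume the user completes the requested chain

    events, decision = agent_flow(path, login, use_router)
    return decision, prompts, events


if __name__ == "__main__":
    for url in ["/public/index.html", "/secure/app", "/secret/report"]:
        for router in (False, True):
            decision, prompts, events = simulate(url, router)
            print(f"{url:20} router={router!s:5} {decision} prompts={prompts}")
            for line in events:
                print("    " + line)
```

Running the script shows the point of the thread: without the router, a first request to /secret prompts at level 1 and then again at level 2, because the agent only learns the required level from the policy advice after a session exists; with the router the required level is chosen from the URL before the first prompt, so the user logs in once. A path with no matching policy is denied outright, which is the right failure mode for a default-deny policy set.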