Permission denied after redirect

Permission denied after redirect

Anish Narang

I have set up an OpenAM IdP with a Python Django SP, along with an LDAP integration module for authentication. The SP is redirected to the OpenAM login page. But after successful authentication, the user is denied access to the SP’s ACS page. Could this be an authorization issue related to Policies? If so, how do we give the LDAP users access to the SP’s pages?


Thanks,
Anish Narang


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Permission denied after redirect

Bernhard Thalmayr
If you use SAML-based WebSSO there are actually no OpenAM policies in
play, unless you are using an OpenAM policy agent in addition to it
(which would be questionable) or you check authorization via some OpenAM
API as well (which might also be questionable).

-Bernhard





--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.

Re: Permission denied after redirect

Anish Narang

Yes, I'm looking at SAML-based WebSSO. The sign in works successfully with the demo user. What does this mean? How can I go about using the OpenAM API for SSO? Is there any other workaround?


Thanks,
Anish 



Re: Permission denied after redirect

Bernhard Thalmayr
On 13/06/16 at 09:18, Anish Narang wrote:
> Yes, I'm looking at SAML-based WebSSO. The sign in works successfully with
> the demo user. What does this mean? How can I go about using the OpenAM
> API for SSO? Is there any other workaround?

The 'permission denied' is an issue with your SP implementation; you
need to check this one.

-Bernhard


Re: Permission denied after redirect

Anish Narang

Yes, you're right. The SP shows permission denied due to a missing attribute statement in the SAML response. Here are the logs on the SP:


 [INFO] saml2.response: Subject NameID: <?xml version='1.0' encoding='UTF-8'?>
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="http://openam.example.com:8080/openamidp" SPNameQualifier="http://sp1.localhost:5001/saml2/metadata/">EjHTF8XSRwpFhBqodepyRxaaWvTZ</saml:NameID>
 [ERROR] saml2.response: Missing Attribute Statement
[DEBUG] djangosaml2: Trying to authenticate the user
 [ERROR] djangosaml2: The attributes dictionary is empty
 [DEBUG] djangosaml2: attributes: {}

Whereas the default demo user logs in successfully with the following response:


<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><saml:Attribute Name="uri" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:type="xs:string">demo</saml:AttributeValue></saml:Attribute><saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:type="xs:string">demo</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>



Does this mean that the attribute statement is empty because the LDAP users are not given appropriate permissions to access the SP on the IdP?


Thanks,
Anish Narang


Re: Permission denied after redirect

Bernhard Thalmayr
It means the other user identities do not have the identity attribute
you configured for the SAML attribute mapping on the IdP side.

On the IdP side you have 'User Identity attribute' -> 'Name in SAML
attribute statement'

and on the SP side you have 'Name in SAML attribute statement' -> 'some other
or same attribute name in application'.

-Bernhard
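Bernhard's two-step mapping, as an added diagnostic that is not code from the thread, OpenAM or djangosaml2: it parses the assertions the thread's SP logged (reconstructed here as constructed samples), applies an assumed SP-side map uid -> username, and tells apart "no AttributeStatement at all" (the IdP-side identity lacks the mapped attribute) from "attributes present but unmapped" (the SP-side map is wrong). The attribute names, entity IDs and NameID are the thread's own values; everything else is assumed.

```python
"""Added example (not from the thread, OpenAM or djangosaml2): parse a SAML
assertion, apply the SP-side attribute map and report which half of the
IdP/SP mapping is the likely culprit. Both assertions are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Assumed SP-side map for this example: SAML attribute name -> application name.
SP_ATTRIBUTE_MAP = {"uid": "username"}
REQUIRED_APP_ATTRIBUTES = {"username"}

# Subject as it appeared in the thread's SP log (wrapped in a constructed Assertion).
_SUBJECT = """<saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        NameQualifier="http://openam.example.com:8080/openamidp"
        SPNameQualifier="http://sp1.localhost:5001/saml2/metadata/">EjHTF8XSRwpFhBqodepyRxaaWvTZ</saml:NameID>
  </saml:Subject>"""

# Constructed: the response the built-in 'demo' user received (thread's AttributeStatement).
DEMO_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_demo" Version="2.0">
  {_SUBJECT}
  <saml:AttributeStatement>
    <saml:Attribute Name="uri" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">demo</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">demo</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed: what an LDAP user received, a subject but no AttributeStatement.
LDAP_USER_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_ldap" Version="2.0">
  {_SUBJECT}
</saml:Assertion>"""


@dataclass
class Outcome:
    ok: bool
    attributes: Dict[str, List[str]] = field(default_factory=dict)
    reason: str = ""


def extract_attributes(assertion_xml: str) -> Optional[Dict[str, List[str]]]:
    """{SAML attribute name: values}, or None when there is no AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    statement = root.find("saml:AttributeStatement", SAML_NS)
    if statement is None:
        return None  # exactly what the SP logged for the LDAP users
    attrs: Dict[str, List[str]] = {}
    for attribute in statement.findall("saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attribute.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attribute.get("Name", ""), []).extend(values)
    return attrs


def name_id_is_transient(assertion_xml: str) -> bool:
    """Transient NameIDs are opaque per-session values, so attributes are the only stable key."""
    name_id = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", SAML_NS)
    return name_id is not None and name_id.get("Format") == TRANSIENT


def map_to_application(saml_attrs: Dict[str, List[str]],
                       attribute_map: Dict[str, str]) -> Dict[str, List[str]]:
    """SP-side step from the thread: 'Name in SAML attribute statement' -> app name."""
    return {attribute_map[name]: values
            for name, values in saml_attrs.items() if name in attribute_map}


def diagnose(assertion_xml: str, attribute_map=SP_ATTRIBUTE_MAP,
             required=REQUIRED_APP_ATTRIBUTES) -> Outcome:
    """Mirror the SP's accept/deny decision and point at the side to fix."""
    saml_attrs = extract_attributes(assertion_xml)
    if saml_attrs is None:
        # IdP-side problem: the identity lacks the 'User Identity attribute' the IdP map emits.
        reason = "Missing Attribute Statement: check the IdP-side attribute map"
        if name_id_is_transient(assertion_xml):
            reason += " (NameID is transient, so attributes are the only identifier)"
        return Outcome(False, reason=reason)
    app_attrs = map_to_application(saml_attrs, attribute_map)
    missing = set(required) - set(app_attrs)
    if missing:
        # SP-side problem: the IdP did send attributes, but the SP map drops them.
        return Outcome(False, app_attrs, f"SP-side map yields no {sorted(missing)}; "
                       f"IdP sent {sorted(saml_attrs)}")
    return Outcome(True, app_attrs)
```

Running `diagnose()` on the two samples reproduces the thread's split: the demo user maps to `{"username": ["demo"]}`, the LDAP user is denied with the IdP-side hint.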

Re: Permission denied after redirect

Anish Narang

Worked like a charm, thanks.