Regarding federation and token validation issues

Regarding federation and token validation issues

aakash agarwal
Hi,

I am using openam-12, and a total of five servers (replicated servers) are configured behind a load balancer.

Configuration:
1. Some legacy SSO server is Identity provider
2. Openam server is service provider

Here we use "demo" user (which is available in openDS, comes with openam default setup) for federation.

We didn't use auto federation, so for the first time the user is redirected to the openam login page and the federated user (demo) credential needs to be provided here.
After this openam won't ask for/need this user credential for any subsequent calls.

Below two issues:
1. This demo user credential (which we need to fill in for the first time) is required for all openam servers (even though replication is in place).
I mean, since we have five servers, let's say for the first time traffic comes to the first server and we provided the federated user credential for federation;
if any subsequent request comes to the same server it won't ask for the credential again, but if it goes to any other server then again this credential needs to be provided
for the first time. This shouldn't happen, or is it expected behaviour even though replication is in place?

2. When this federation completes and the user opens the end application, sometimes tokens are getting invalidated; I mean token validation REST calls return false.
I need to debug this issue, but the challenge here is that the openam server logs don't print the token id.
Here my question is: Is there any way we can print the entire token journey, from generation to expiry (due to logout or timeout), in some logs?
Also when token validation calls (via REST or the Tomcat agent) happen, I want to log these calls.

Please provide me some link or information for the above two questions. I tried on Google but didn't find any concrete answer for the same.

Thanks,
Akash

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Regarding federation and token validation issues

Paul Figura
Hi Akash,

For issue 1: You need to enable Core Token Service (CTS, also known as Session Failover (SFO)) in order to get sessions replicated between OpenAM servers. Keep in mind this will add some overhead to your deployment.

https://backstage.forgerock.com/#!/docs/openam/12.0.0/install-guide#chap-cts

Issue 2: This could also be related to your lack of CTS support. If your token validation goes through a LB and it round robins to the wrong server, it's possible that it may not return a positive result. As far as your question about logging, I suppose you could up the logging levels to maximum and see if that gives you what you want to see. Otherwise, you might need to modify the code that invalidates expired sessions to insert extra logging, and recompile it. But that's a bit more advanced.


Regards,
Paul Figura
Identity & Access Management Architect
Indigo Consulting Canada
Tel: 514-432-6233
Email: [hidden email]  http://www.indigoconsulting.ca
   
On 3/24/2016 4:16 AM, aakash agarwal wrote:



Re: Regarding federation and token validation issues

Bernhard Thalmayr
You never need SSO Session Failover (SFO, implemented via CTS) for token
validation to succeed.

'SSO Sessions' are never replicated, but you can get Session Failover if
the 'authoritative OpenAM instance' for a given SSO Session is not
available anymore.

'Replication' is only performed by the current implementation of the CTS
persistence store, which is OpenDJ.

-Bernhard

On 24/03/16 at 15:22, Paul Figura wrote:



--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

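A constructed Python model of the situation the two replies describe (added here; not OpenAM code): an SSO session lives only on the instance that created it, sticky routing to that instance keeps validation working without any failover, and a persisted token store lets another instance take over only when the owner is down. It also shows the logging point from question 2: log a short hash of the token as a correlation id rather than the raw token. The owner id embedded in the token (real deployments rely on the load balancer cookie for stickiness) and the server names are this example's assumptions.

```python
# Constructed model of the behaviour discussed in this thread (not OpenAM code):
# sessions are local to their owner; a persisted store (CTS) only serves failover.
import hashlib, itertools, logging
from dataclasses import dataclass, field

log = logging.getLogger("sso-model")

def token_ref(token: str) -> str:
    """Correlation id for logs: a short hash, so the raw SSO token is never written out."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

@dataclass
class Server:
    name: str
    up: bool = True
    sessions: dict = field(default_factory=dict)  # local only, never replicated

class Cluster:
    def __init__(self, size: int, cts: bool = False):
        self.servers = [Server(f"openam{i}") for i in range(1, size + 1)]  # assumed names
        self.cts = {} if cts else None  # persisted store (OpenDJ in OpenAM); None = no SFO
        self._rr = itertools.cycle(self.servers)

    def _round_robin(self) -> Server:
        for srv in itertools.islice(self._rr, len(self.servers)):
            if srv.up:  # the LB health check skips dead instances
                return srv
        raise RuntimeError("no live instance")

    def login(self, user: str) -> str:
        srv = self._round_robin()  # the first request lands wherever the LB sends it
        token = f"{user}:{srv.name}:{len(srv.sessions)}"  # owner id embedded (model assumption)
        srv.sessions[token] = {"user": user, "owner": srv.name}
        if self.cts is not None:
            self.cts[token] = dict(srv.sessions[token])
        log.info("session %s created on %s", token_ref(token), srv.name)
        return token

    def validate(self, token: str, sticky: bool = False) -> bool:
        """True only if the instance that handles the call can resolve the session."""
        owner = token.split(":")[1]
        srv = next((s for s in self.servers if s.name == owner and s.up), None) if sticky else None
        if srv is None:  # no stickiness, or owner down: the LB picks any live instance
            srv = self._round_robin()
        ok = token in srv.sessions
        owner_up = any(s.name == owner and s.up for s in self.servers)
        if not ok and self.cts is not None and not owner_up and token in self.cts:
            srv.sessions[token] = dict(self.cts[token])  # session failover from the store
            ok = True
        log.info("validate %s on %s (owner %s) -> %s", token_ref(token), srv.name, owner, ok)
        return ok
```

With five instances and plain round robin, four of five validation calls after a login land on an instance that has never seen the session, which is the intermittent "returns false" behaviour from the original post.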