SP Adapter OR JDBC Data Store OR...


epleisman

Simply put, we are a multi-tenant SaaS application provider.

I want to offer SAML2 Federation whereby the user is their own IdP (so IdP-initiated SSO); they will assert uid and customerid, and I want to authenticate against my application DB. If successful, initiate a session object and take the user into the application sans our login screen (i.e. authenticated and ready to roll).

Given the state of the OpenAM product I was thinking of writing a custom SAML2ServiceProviderAdapter to accomplish this and apply a J2EE agent.

Now I am wondering if I could accomplish the same thing by using the JDBC data store? Need advice. (Also considering using the OpenIG Gateway since we provide WebService API access, but I'm in POC mode and can't try everything at once.)

Seeking advice and/or best practice recommendation.

Edward P. Leisman
Software Development Manager, Predictive Solutions
An Industrial Scientific Company
"We save lives by predicting workplace injuries"
1 Life Way, Pittsburgh, PA 15205, United States
Office: +1 800-338-3287 (x1642)
Direct: +1 412-788-0400 (x1642)
Email: [hidden email]
Web: http://www.predictivesolutions.com


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: SP Adapter OR JDBC Data Store OR...

Bernhard Thalmayr
Agents are the way of achieving Web SSO with OpenAM proprietary means.

SAMLv2 is the standards based way to achieve Web SSO.

The (JDBC) user data store (still not perfect) will be used by the default
IdPAttribute mapper to populate attribute statements in the SAML
authentication assertion (as long as the settings for the core-auth service
are good ... https://bugster.forgerock.org/jira/browse/OPENAM-8226)

Of course you can create your own IDPAttributeMapper
(https://backstage.forgerock.com/static/docs/openam/13/apidocs/com/sun/identity/saml2/plugins/IDPAttributeMapper.html)
which does not use OpenAM's IdRepo API but plain JDBC, Spring, JPA ...

-Bernhard



--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information.If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.

Re: SP Adapter OR JDBC Data Store OR...

epleisman
Bernhard,

Can you help me out with a bit more information?
Which approach seems most salient for my needs?

Also, we are the SP and our clients will be the IdP.
In that case, how would I implement an IDPAttributeMapper?  Or would I want DefaultSPAttributeMapper extended?

SO many options.
All I want to do is provide a SAML2 Federation with my clients and check a custom DB based on asserted values. Right now the method I am trying is an agent along with a custom SAML2ServiceProviderAdapter, but I get the feeling this isn't the best / easiest way.

Any clarity provided would be greatly appreciated!

Thanks!

Re: SP Adapter OR JDBC Data Store OR...

Bernhard Thalmayr
Hi Edward, actually your description is a bit puzzling.

You told

> and I want to authenticate against my application DB

but you also told you will act as the SP. Authentication actually
ONLY happens on the SP side as well if you want to perform 'account
linking' (you may check the SAML tech overview).

However I doubt this is the case.

Furthermore you also tell that you use an 'Agent', which means you are
mixing OpenAM's proprietary way of achieving web-based SSO with 'SAML',
which is a standards-based way of achieving web-based SSO.

Potentially some diagram would shed more light.

-Bernhard


RE: [EXTERNAL] Re: SP Adapter OR JDBC Data Store OR...

epleisman

Bernhard,

First, thank you so much for taking the time to reply.

Here is my scenario (attached):

Goal:

I want to allow for certain subscribing clients, SAML2 Federated SSO Integration.

I want to be the SP only and do not want to maintain a duplicate set of credentials on my side.

All I want to do is have a list of users from the client who may use my system (i.e. just because the IdP says the user is authenticated on their end, doesn't mean that same user has a license seat on my software).

So, when an assertion is made, I want to be able to check the company id and user id against my local db verifying this fact.

OpenAM offers SO many options, I am left confused as to my best route.

1. Do I need an agent on my app servers to forward to SSO Server?

2. Best method to perform the company / user check noted above? Chained auth? Some kind of custom code extending an OpenAM class (ex: SAML2ServiceProviderAdapter)?

3. If scripting in a chained auth module, guidance?

Sorry if I may be missing something basic, Bernhard.

With this many options, I want to do best practice and gain some understanding.

Thank you for ANY help you might be able to provide.

Attachment: 20161027110032569.pdf (447K)

Re: [EXTERNAL] Re: SP Adapter OR JDBC Data Store OR...

Bernhard Thalmayr
The diagram was quite helpful Edward.

One question would be ... why does the App not act as SAML2 SP directly?

If you really need OpenAM in the middle as SP and then leverage the
created OpenAM SSO session for further proprietary OpenAM SSO with the
agent protecting the app, it depends upon which NameID format is used.

If the 'transient' NameID format is used by the IdP, then the default
DefaultSPAccountMapper does not look up the identity in the configured
OpenAM user data store and you would need your custom SPAccountMapper
which just

However then you must have a user data store configured leveraging your
database system.

If you don't want to implement the rich IDRepo API or use the provided
JDBC user data store (which is still not nice), then just implement a
custom SPAccountMapper.

-Bernhard

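A custom SPAccountMapper of the kind Bernhard describes, written here as an added example (it is not code from the thread or from OpenAM itself): it extends OpenAM's DefaultSPAccountMapper (method signature assumed from the 13.x javadoc), reads the asserted customerid and uid attributes, and only returns an identity when that pair holds a licence seat in the SP's own table. The package name, attribute names, JDBC URL and licensed_users schema are assumptions.

```java
package com.example.saml; // hypothetical package

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;

import com.sun.identity.saml2.assertion.Assertion;
import com.sun.identity.saml2.assertion.Attribute;
import com.sun.identity.saml2.assertion.AttributeStatement;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.plugins.DefaultSPAccountMapper;

/**
 * Hypothetical SPAccountMapper: maps an inbound SAML2 assertion to a local
 * identity only if the asserted (customerid, uid) pair holds a licence seat
 * in the SP's own database. Throwing here means OpenAM creates no session.
 */
public class LicensedSeatSPAccountMapper extends DefaultSPAccountMapper {

    // Placeholder connection string; a real deployment would use a pooled DataSource.
    private static final String JDBC_URL =
            "jdbc:postgresql://localhost/app?user=sp&password=CHANGE_ME";
    // Attribute names the IdP is expected to assert (assumed names, as in the thread).
    private static final String ATTR_CUSTOMER = "customerid";
    private static final String ATTR_UID = "uid";

    @Override
    public String getIdentity(Assertion assertion, String hostEntityID, String realm)
            throws SAML2Exception {
        // Assumption: OpenAM has already verified the response (signature, audience,
        // conditions) before calling the mapper, so the values come from the configured
        // IdP. Being authenticated at the IdP is still not a licence to use the SP;
        // that is what the lookup below decides.
        String customerId = singleValue(assertion, ATTR_CUSTOMER);
        String uid = singleValue(assertion, ATTR_UID);
        if (customerId == null || uid == null) {
            throw new SAML2Exception("Assertion lacks " + ATTR_CUSTOMER + "/" + ATTR_UID);
        }
        if (!hasLicenseSeat(customerId, uid)) {
            // Fail closed: an authenticated but unlicensed user gets no session.
            throw new SAML2Exception("No licence seat for " + customerId + ":" + uid);
        }
        // Identity handed back to OpenAM; the realm's user store (or the SAML2 auth
        // module's ignore-profile setting) must be prepared to accept this value.
        return customerId + ":" + uid;
    }

    /** Returns the single value of a named attribute, or null if absent or multi-valued. */
    static String singleValue(Assertion assertion, String name) {
        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements == null) {
            return null;
        }
        for (AttributeStatement statement : statements) {
            List<Attribute> attrs = statement.getAttribute();
            if (attrs == null) {
                continue;
            }
            for (Attribute attr : attrs) {
                if (name.equals(attr.getName())) {
                    List<String> values = attr.getAttributeValueString();
                    // Refuse an ambiguous multi-valued attribute rather than picking one.
                    return (values != null && values.size() == 1) ? values.get(0) : null;
                }
            }
        }
        return null;
    }

    /** Parameterised lookup against the SP's own licence table (hypothetical schema). */
    static boolean hasLicenseSeat(String customerId, String uid) throws SAML2Exception {
        String sql = "SELECT 1 FROM licensed_users"
                + " WHERE customer_id = ? AND uid = ? AND active = TRUE";
        try (Connection c = DriverManager.getConnection(JDBC_URL);
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, customerId);
            ps.setString(2, uid);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        } catch (SQLException e) {
            // A database outage must not turn into an open door.
            throw new SAML2Exception("Licence lookup failed: " + e.getMessage());
        }
    }
}
```

The class is registered as the SP's account mapper in the hosted SP's extended metadata (the spAccountMapper attribute), which is where OpenAM picks up the replacement for DefaultSPAccountMapper.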

RE: [EXTERNAL] Re: SP Adapter OR JDBC Data Store OR...

epleisman

Bernhard,

By what means could I implement the App as SAML2 SP directly?

I am not familiar. Point me in the right direction?


>
>
>
> *20161027110032569.pdf* (447K) Download Attachment
> <http://openam.27691.n7.nabble.com/attachment/5177/1/20161027110032569.pdf>
>
> ------------------------------------------------------------------------
> View this message in context: RE: [EXTERNAL] Re: SP Adapter OR JDBC Data
> Store OR...
> <http://openam.27691.n7.nabble.com/SP-Adapter-OR-JDBC-Data-Store-OR-tp4724p5177.html>
> Sent from the OpenAM mailing list archive
> <http://openam.27691.n7.nabble.com/> at Nabble.com.
>
>
> _______________________________________________
> Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
> OpenAM mailing list
> [hidden email]
> https://lists.forgerock.org/mailman/listinfo/openam
>



--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information.If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam


If you reply to this email, your message will be added to the discussion below:

http://openam.27691.n7.nabble.com/SP-Adapter-OR-JDBC-Data-Store-OR-tp4724p5178.html

To unsubscribe from SP Adapter OR JDBC Data Store OR..., click here.
NAML


Re: [EXTERNAL] Re: SP Adapter OR JDBC Data Store OR...

Bernhard Thalmayr
Which platform / programming language is the app based on?

 -Bernhard

Sent from my iPad

On 28.10.2016 at 17:35, epleisman <[hidden email]> wrote:

Bernhard,

 

By what means could I implement the App as SAML2 SP directly?

I am not familiar.  Point me in the right direction?

 

 



RE: [EXTERNAL] Re: SP Adapter OR JDBC Data Store OR...

epleisman

Java J2EE v8 running on Liberty WAS Server

 



Re: [EXTERNAL] Re: SP Adapter OR JDBC Data Store OR...

Bernhard Thalmayr
On 28/10/16 at 21:06, epleisman wrote:
> Java J2EE v8 running on Liberty WAS Server

IBM's WAS server actually has its own SAML SP implementation embedded ...

You could also use Spring Security SAML extension which will most likely
only take an hour to get it working.

-Bernhard
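
One way to implement the licence-seat check discussed in this thread, as an added example rather than code from the thread or from OpenAM: a custom SPAccountMapper for the OpenAM-as-SP route that maps the asserted uid and customerid to a local application user only when that pair holds an active seat, and fails closed otherwise. The OpenAM interface and assertion accessors are as I recall them from the com.sun.identity.saml2 API and should be checked against the deployed version; the attribute names, the JNDI data source name, the package name and the license_seat table are assumptions.

```java
package com.example.saml; // hypothetical package name

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

import com.sun.identity.saml2.assertion.Assertion;
import com.sun.identity.saml2.assertion.Attribute;
import com.sun.identity.saml2.assertion.AttributeStatement;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.plugins.SPAccountMapper;

/**
 * Custom SP account mapper: maps an inbound IdP assertion to a local
 * application user only if (customerid, uid) holds a licensed seat in the
 * application database. No credentials are stored or checked here; the
 * IdP authenticated the user, the SP merely decides whether it has a seat.
 */
public class SeatCheckingSPAccountMapper implements SPAccountMapper {

    // Assumed attribute names the IdP asserts (from the thread: uid, customerid).
    private static final String ATTR_UID = "uid";
    private static final String ATTR_CUSTOMER = "customerid";
    // Assumed JNDI name of the application's data source.
    private static final String DS_JNDI = "java:comp/env/jdbc/appDS";
    // Assumed schema: one row per licensed seat; active = 0 marks a revoked seat.
    private static final String SEAT_SQL =
        "SELECT app_user_id FROM license_seat "
      + "WHERE customer_id = ? AND idp_uid = ? AND active = 1";

    @Override
    public String getIdentity(Assertion assertion, String hostEntityID, String realm)
            throws SAML2Exception {
        String uid = firstAttributeValue(assertion, ATTR_UID);
        String customer = firstAttributeValue(assertion, ATTR_CUSTOMER);
        if (uid == null || customer == null) {
            // Fail closed: an assertion without both attributes cannot be mapped.
            throw new SAML2Exception("Assertion lacks uid/customerid attributes");
        }
        try (Connection c = lookupDataSource().getConnection();
             PreparedStatement ps = c.prepareStatement(SEAT_SQL)) {
            ps.setString(1, customer);   // parameterized: asserted values never
            ps.setString(2, uid);        // become part of the SQL text
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    throw new SAML2Exception(
                        "No licensed seat for " + customer + "/" + uid);
                }
                // The local user id becomes the principal of the OpenAM session.
                return rs.getString("app_user_id");
            }
        } catch (SQLException | NamingException e) {
            // A lookup failure must not silently map to some default user.
            throw new SAML2Exception("Seat lookup failed: " + e.getMessage());
        }
    }

    @Override
    public boolean shouldPersistNameIDFormat(String realm, String hostEntityID,
            String remoteEntityID, String nameIDFormat) {
        // The seat table is the source of truth; nothing to persist in OpenAM.
        return false;
    }

    /** Returns the first value of the named attribute, or null if absent. */
    private static String firstAttributeValue(Assertion assertion, String name) {
        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements == null) {
            return null;
        }
        for (AttributeStatement st : statements) {
            List<Attribute> attrs = st.getAttribute();
            if (attrs == null) {
                continue;
            }
            for (Attribute a : attrs) {
                if (name.equals(a.getName())) {
                    List<String> values = a.getAttributeValueString();
                    return (values == null || values.isEmpty()) ? null : values.get(0);
                }
            }
        }
        return null;
    }

    private static DataSource lookupDataSource() throws NamingException {
        return (DataSource) new InitialContext().lookup(DS_JNDI);
    }
}
```

Whether the returned identifier must additionally exist in an OpenAM user data store before a session is created depends on the OpenAM version, which is the data-store question raised earlier in the thread.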

>
>  
>
>
> *Edward P. Leisman***
>
> Software Development Manager, Predictive Solutions
> __________________________
>
> *Description: Description: Description: logo*
>
>
>
> *An Industrial Scientific Company*
>
> * *
>
> “We save lives by predicting workplace injuries"
>
>  
>
> 1 Life Way
>
> Pittsburgh, PA 15205
>
> United States
>
> Office:
>
>
>
> +1 800-338-3287 (x1642)
>
> Direct:
>
>
>
> +1 412-788-0400 (x1642)
>
> Email:
>
>
>
> [hidden email] </user/SendEmail.jtp?type=node&node=5181&i=0>
>
> Web:
>
>
>
> http://www.predictivesolutions.com
>
>  
>
>  
>
> From: Bernhard Thalmayr [via OpenAM]
> Sent: Friday, October 28, 2016 3:05 PM
> To: Leisman, Edward
> Subject: Re: [EXTERNAL] Re: SP Adapter OR JDBC Data Store OR...
>
>  
>
> Which Platform/ Programming Language is the app based on?
>
>  
>
>  -Bernhard
>
> Sent from my iPad
>
>
> On 28.10.2016 at 17:35, epleisman wrote:
>
>     Bernhard,
>
>      
>
>     By what means could I implement the App as SAML2 SP directly?
>
>     I am not familiar.  Point me in the right direction?
>
>
>     From: Bernhard Thalmayr [via OpenAM]
>     Sent: Friday, October 28, 2016 11:31 AM
>     To: Leisman, Edward
>     Subject: Re: [EXTERNAL] Re: SP Adapter OR JDBC Data Store OR...
>
>      
>
>     The diagram was quite helpful Edward.
>
>     One question would be ... why does the App not act as SAML2 SP
>     directly?
>
>     If you really need OpenAM in the middle as SP and then leverage the
>     created OpenAM SSO session for further proprietary OpenAM SSO with the
>     agent protecting the app, it depends upon which NameID format is used.
>
>     If the 'transient' NameID format is used by the IdP, then the default
>     DefaultSPAccountMapper does not look up the identity in the configured
>     OpenAM user data store and you would need your custom SPAccountMapper
>     which just
>
>     However then you must have a user data store configured leveraging your
>     database system.
>
>     If you don't want to implement the rich IDRepo API or use the provided
>     JDBC user data store (which is still not nice), then just implement a
>     custom SPAccountMapper.
>
>     -Bernhard
>
>
>     On 27/10/16 at 15:51, epleisman wrote:
>
>
>     > Bernhard,
>     >
>     > First, thank you so much for taking the time to reply.
>     >
>     > Here is my scenario (attached):
>     >
>     > Goal:
>     >
>     > I want to allow for certain subscribing clients, SAML2 Federated SSO
>     > Integration.
>     >
>     > I want to be the SP only and do not want to maintain a duplicate set of
>     > credentials on my side.
>     >
>     > All I want to do is have a list of users from the client who may use my
>     > system (ie – just because the IdP says the user is authenticated on
>     > their end, doesn't mean that same user has a license seat on my
>     > software).
>     >
>     > So, when an assertion is made, I want to be able to check the company id
>     > and user id against my local db verifying this fact.
>     >
>     > OpenAM offers SO many options, I am left confused as to my best route.
>     >
>     > 1. Do I need an agent on my app servers to forward to SSO Server?
>     >
>     > 2. Best method to perform the company / user check noted above?
>     >    Chained auth?  Some kind of custom code extending an OpenAM class
>     >    (ex: SAML2ServiceProviderAdapter)?
>     >
>     > 3. If scripting in a chained auth module, guidance?
>     >
>     > Sorry if I may be missing something basic, Bernhard.
>     >
>     > With this many options, I want to do best practice and gain some
>     > understanding.
>     >
>     > Thank you for ANY help you might be able to provide.
>     >
>     >
>     > From: Bernhard Thalmayr [via OpenAM]
>     > Sent: Wednesday, October 26, 2016 12:22 PM
>     > To: Leisman, Edward
>     > Subject: [EXTERNAL] Re: SP Adapter OR JDBC Data Store OR...
>     >
>     >  
>     >
>     > Hi Edward, actually your description is a bit puzzling.
>     >
>     > You told
>     >
>     >>
>     > and I want to authenticate against my application DB
>     >>
>     >
>     > but also you told you will act as the SP. Authentication does
>     actually
>     > ONLY happen on the SP side as well if you want to perform 'account
>     > linking' (you may check SAML tech overview).
>     >
>     > However I doubt this is the case.
>     >
>     > Furthermore you also tell that you use an 'Agent', which means you
>     are
>     > mixing OpenAM's proprietary way of achieving web-based SSO with
>     'SAML',
>     > which is a standards-based way of achieving web-based SSO.
>     >
>     > Potentially some diagram would shed more light.
>     >
>     > -Bernhard
>     >
>     > On 25/10/16 at 20:23, epleisman wrote:
>     >
>     >
>     >> Bernhard,
>     >>
>     >> Can you help me out with a bit more information?
>     >> Which approach seems most salient for my needs?
>     >>
>     >> Also, we are the SP and our clients will be the IdP.
>     >> In that case, how would I implement an IDPAttributeMapper?  Or would I
>     >> want DefaultSPAttributeMapper extended?
>     >>
>     >> SO many options.
>     >> All I want to do is provide a SAML2 Federation with my clients and
>     >> check a custom DB based on asserted values. Right now the method I am
>     >> trying is an agent along with a custom SAML2ServiceProviderAdapter, but
>     >> I get the feeling this isn't the best / easiest way.
>     >>
>     >> Any clarity provided would be greatly appreciated!
>     >>
>     >> Thanks!
>     >>
>     > Attachment: 20161027110032569.pdf (447K)


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

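The custom SPAccountMapper that Bernhard points to in the thread, written out as an added example (this code is not from the thread, nor from OpenAM, IBM or Spring Security): it extends OpenAM's DefaultSPAccountMapper, reads the `uid` and `customerid` attributes the customer's IdP asserts, and only returns a local identity if that (customer, uid) pair holds an active license seat in the application DB. The attribute names, the package and class name, the JNDI data-source name `java:comp/env/jdbc/licenseDb` and the `customers` / `license_seats` table layout are assumptions for illustration; the OpenAM classes it plugs into (`com.sun.identity.saml2.assertion.Assertion`, `DefaultSPAccountMapper`, `SAML2Exception`) are the real ones.

```java
package com.example.saml; // hypothetical package name

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.naming.InitialContext;
import javax.sql.DataSource;

import com.sun.identity.saml2.assertion.Assertion;
import com.sun.identity.saml2.assertion.Attribute;
import com.sun.identity.saml2.assertion.AttributeStatement;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.plugins.DefaultSPAccountMapper;

/**
 * SP-side account mapper for a multi-tenant SaaS SP.
 *
 * The customer's IdP asserts "uid" and "customerid". OpenAM calls getIdentity()
 * while consuming the assertion; the string we return becomes the local user
 * of the OpenAM session. Returning null / throwing aborts assertion
 * consumption, so an unlicensed user never gets a session.
 */
public class LicenseSeatSPAccountMapper extends DefaultSPAccountMapper {

    // Attribute names the IdP is expected to assert (assumed for this example).
    private static final String ATTR_UID = "uid";
    private static final String ATTR_CUSTOMER = "customerid";
    // JNDI name of the application's license DB (assumed for this example).
    private static final String DS_JNDI = "java:comp/env/jdbc/licenseDb";

    @Override
    public String getIdentity(Assertion assertion, String hostEntityID, String realm)
            throws SAML2Exception {
        Map<String, String> attrs = firstValues(assertion);
        String uid = attrs.get(ATTR_UID);
        String customerId = attrs.get(ATTR_CUSTOMER);
        if (uid == null || customerId == null) {
            throw new SAML2Exception("assertion lacks uid/customerid attributes");
        }
        // The Issuer is the IdP entity ID OpenAM already validated the
        // signature against; bind the asserted customerid to it.
        String idpEntityId = assertion.getIssuer().getValue();

        String localUser = lookupSeat(idpEntityId, customerId, uid);
        if (localUser == null) {
            throw new SAML2Exception("no active license seat for "
                    + customerId + "/" + uid + " from " + idpEntityId);
        }
        return localUser;
    }

    /** Collapse all AttributeStatements into attribute name -> first value. */
    private static Map<String, String> firstValues(Assertion assertion) {
        Map<String, String> out = new HashMap<>();
        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements == null) {
            return out;
        }
        for (AttributeStatement st : statements) {
            List<Attribute> atts = st.getAttribute();
            if (atts == null) {
                continue;
            }
            for (Attribute a : atts) {
                List<String> vals = a.getAttributeValueString();
                if (vals != null && !vals.isEmpty() && !out.containsKey(a.getName())) {
                    out.put(a.getName(), vals.get(0));
                }
            }
        }
        return out;
    }

    /**
     * Returns the local username for the seat, or null if no active seat
     * exists for this customer/uid pair issued by this customer's IdP.
     * Parameterised query: the asserted values are attacker-influenced input.
     */
    private static String lookupSeat(String idpEntityId, String customerId, String uid)
            throws SAML2Exception {
        String sql = "SELECT s.local_username FROM license_seats s"
                + " JOIN customers c ON c.id = s.customer_id"
                + " WHERE c.id = ? AND c.idp_entity_id = ? AND s.uid = ? AND s.active = 1";
        try {
            DataSource ds = (DataSource) new InitialContext().lookup(DS_JNDI);
            try (Connection con = ds.getConnection();
                 PreparedStatement ps = con.prepareStatement(sql)) {
                ps.setString(1, customerId);
                ps.setString(2, idpEntityId);
                ps.setString(3, uid);
                try (ResultSet rs = ps.executeQuery()) {
                    return rs.next() ? rs.getString(1) : null;
                }
            }
        } catch (Exception e) {
            throw new SAML2Exception("license seat lookup failed: " + e.getMessage());
        }
    }
}
```

Register the class as the hosted SP's account mapper (the `spAccountMapper` attribute in the SP's extended metadata) and put the jar on OpenAM's classpath. Two points the thread does not spell out: the query joins on the IdP entity ID taken from the assertion's Issuer, so tenant A's IdP cannot simply assert tenant B's `customerid`, which is the check a multi-tenant SP has to make before trusting any asserted tenant identifier; and the mapper runs before the NameID is consulted, so it works with the transient NameID format that the default mapper would otherwise not look up. The identity string returned still has to be one OpenAM can resolve when it creates the SSO session, which is Bernhard's point about still needing a user data store (JDBC or custom IDRepo) backed by the application database.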