Whither DistAuth?


Whither DistAuth?

Joe Fletcher-2

Hi,

On a whim today I decided to build an OpenAM13 setup. In the docs it mentions (very briefly) that the DAS has been retired and in its place we use OpenIG.

Documentation on the subject is proving somewhat sparse. I’ve run into a number of apparently dead links and the OpenIG Gateway guide which I believe is where I should be looking makes no mention of the DAS or DistAuth.

Anyone got a cookbook, blog, jira or old napkin wherein the method of installing the equivalent functionality to what was the DAS can be found?

Cheers

Joe

 

 

This email with all information contained herein or attached hereto may contain confidential and/or privileged information intended for the addressee(s) only. If you have received this email in error, please contact the sender and immediately delete this email in its entirety and any attachments thereto.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Whither DistAuth?

Bernhard Thalmayr
OpenIG can not replace DistAuth at the moment; I thought this section
has been dropped.

-Bernhard

On 04/04/16 at 16:19, Joe Fletcher wrote:

> Hi,
>
> On a whim today I decided to build an OpenAM13 setup. In the docs it
> mentions (very briefly) that the DAS has been retired and in its place
> we use OpenIG.
>
> Documentation on the subject is proving somewhat sparse. I’ve run into a
> number of apparently dead links and the OpenIG Gateway guide which I
> believe is where I should be looking makes no mention of the DAS or
> DistAuth.
>
> Anyone got a cookbook, blog, jira or old napkin wherein the method of
> installing the equivalent functionality to what was the DAS can be found?
>
> Cheers
>
> Joe


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.

Re: Whither DistAuth?

Marc Priebee
In reply to this post by Joe Fletcher-2

My reading of it was that the suggestion is to use OpenIG as a reverse proxy to the login pages hosted on the OpenAM server.

An Apache reverse proxy would also suffice. (That’s what I’ve been using in my testing of OpenAM13.)

I’m proxying /<deployment path>/XUI/ & /<deployment path>/json/, which seems to be sufficient so far.

Marc

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Joe Fletcher
Sent: Tuesday, 5 April 2016 2:19 a.m.
To: Users <[hidden email]>
Subject: [OpenAM] Whither DistAuth?

 

Hi,

On a whim today I decided to build an OpenAM13 setup. In the docs it mentions (very briefly) that the DAS has been retired and in its place we use OpenIG.

Documentation on the subject is proving somewhat sparse. I’ve run into a number of apparently dead links and the OpenIG Gateway guide which I believe is where I should be looking makes no mention of the DAS or DistAuth.

Anyone got a cookbook, blog, jira or old napkin wherein the method of installing the equivalent functionality to what was the DAS can be found?

Cheers

Joe
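
The setup Marc describes above, as an added example that is not part of the original thread or of any ForgeRock documentation: an Apache 2.4 virtual host that forwards only the XUI and JSON REST paths to OpenAM and refuses every other path. The deployment path `/openam`, both host names, the backend port and the certificate paths are assumptions.

```apache
# Added example; every name, path and port below is an assumption,
# not a value taken from the thread.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_authz_core (Apache 2.4).
<VirtualHost *:443>
    ServerName login.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/login.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/login.example.com.key

    # Reverse proxy only: never act as a forward proxy.
    ProxyRequests Off

    # Default for this host: no path is reachable.
    <Location "/">
        Require all denied
    </Location>

    # Login UI pages ("/<deployment path>/XUI/" in the thread).
    <Location "/openam/XUI/">
        Require all granted
        ProxyPass        "http://openam.internal.example:8080/openam/XUI/"
        ProxyPassReverse "http://openam.internal.example:8080/openam/XUI/"
    </Location>

    # REST endpoints the login UI calls ("/<deployment path>/json/").
    <Location "/openam/json/">
        Require all granted
        ProxyPass        "http://openam.internal.example:8080/openam/json/"
        ProxyPassReverse "http://openam.internal.example:8080/openam/json/"
    </Location>
</VirtualHost>
```

With this in place, a request for any other path under the deployment is answered with 403 by the proxy and never reaches OpenAM. Whether these two prefixes cover a particular login flow has to be tested against that flow.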

 

 


Re: Whither DistAuth?

Bernhard Thalmayr
DistAuth initially had two goals

- don't act as an HTTP reverse proxy server but as an authentication
level proxy ... a huge difference. (This helped a lot to protect against
some attacks)

- integrate it in any web application to have application level
customizable login pages

I don't see how those goals are currently achievable with OpenIG.

-Bernhard

On 04/04/16 at 22:04, Marc Priebee wrote:

> My reading of it was that the suggestion is to use OpenIG as a
> reverse proxy to the login pages hosted on the OpenAM server.
>
> An Apache reverse proxy would also suffice. (That’s what I’ve been using
> in my testing of OpenAM13)
>
> I’m proxying /<deployment path>/XUI/ & /<deployment path>/json/ which
> seems to be sufficient so far
>
> Marc

Re: Whither DistAuth?

Jamie Bowen
In reply to this post by Joe Fletcher-2
Hi Joe, 

The rationale behind removing the DAS functionality was:

  • That reverse proxies are the modern way to provide access to a service such as OpenAM.
  • The current interface to OpenAM operates via REST calls, which can function through a reverse proxy.
  • The architecture of DAS was generally inconsistent with modern reverse proxy scenarios.

The deployment guide discusses these issues and explains how to use OpenAM securely. Check out the OpenAM deployment example here:
https://backstage.forgerock.com/#!/docs/openam/13/deployment-planning#logical-topology

OpenIG is a reverse proxy with OAuth2, OpenID Connect and SAML2 support, password capture and replay, SSO etc and can be used to protect OpenAM in the way you describe and also act as a policy agent for legacy apps. 
The OpenIG product page, docs etc may be found here;

I'm afraid we don't currently have a simple to follow blog post covering how to set up OpenIG to provide equivalent functionality, but we're always looking for such material. If you continue on this journey and would like to create a blog post then we could incorporate it into our blog platform so others following you may benefit from your hard work! Just let me know and I'll set that up for you! 

Hope the links have been of some help to you! 

Jamie

On 4 April 2016 at 15:19, Joe Fletcher <[hidden email]> wrote:

Hi,

On a whim today I decided to build an OpenAM13 setup. In the docs it mentions (very briefly) that the DAS has been retired and in its place we use OpenIG.

Documentation on the subject is proving somewhat sparse. I’ve run into a number of apparently dead links and the OpenIG Gateway guide which I believe is where I should be looking makes no mention of the DAS or DistAuth.

Anyone got a cookbook, blog, jira or old napkin wherein the method of installing the equivalent functionality to what was the DAS can be found?

Cheers

Joe

 

 





--
Jamie Bowen
Community Contributions Development Lead  |  ForgeRock
t +44 7765 109527      |  e [hidden email]
skype jamie.p.bowen  |  web www.forgerock.com

