  1. OpenAM Agents
  2. AMAGENTS-1454

No policysvc call should occur if session attributes fetch used with SSO Only


    Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 4.2.0.0
    • Web Agents
    • Seen in logs for 4.1.0-32

      Description

      With these set in local mode:
      com.sun.identity.agents.config.profile.attribute.fetch.mode = 0
      com.sun.identity.agents.config.profile.attribute.mapping[] =
      com.sun.identity.agents.config.response.attribute.fetch.mode = 0
      com.sun.identity.agents.config.response.attribute.mapping[] =
      com.sun.identity.agents.config.session.attribute.fetch.mode = HTTP_HEADER
      com.sun.identity.agents.config.session.attribute.mapping[uid]=USERID
      ...
      com.sun.identity.agents.config.session.attribute.mapping[guid]= GUID
      com.sun.identity.agents.config.sso.only = true

      com.sun.identity.agents.config.notenforced.url.invert = true
      com.sun.identity.agents.config.notenforced.url[0] = /mywebsite/members/

      If a request is made to an authenticated website, then the policy call should not be made according to the documentation:

      This will also have the favourable side-effect of removing the performance impact of an extra policy call.

      The agent intercepts all inbound client requests to access a protected resource and processes the request based on a global configuration property, com.sun.identity.agents.config.sso.only. The configuration setting determines the mode of operation that should be carried out on the intercepted inbound request.

      When com.sun.identity.agents.config.sso.only is true, the web policy agent only manages user authentication. The filter invokes the AM Authentication Service to verify the identity of the user. If the user's identity is verified, the user is issued a session token through AM's Session Service.

      When com.sun.identity.agents.config.sso.only is false, which is the default, the web policy agents will also manage user authorization, by using the policy engine in AM.
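
An added example, not part of the original issue or the agent's own code: a small Python audit that parses agent properties in the `key = value` form shown in the description and reports whether a configuration matches the scenario reported here (SSO only, with only session attributes fetched). The sample properties are constructed from the description, and treating `0`, `NONE` and an empty value as "fetch disabled" is an assumption.

```python
import re

PREFIX = "com.sun.identity.agents.config."
# Assumption: these values mean "do not fetch"; the issue itself uses 0.
DISABLED = {"", "0", "NONE"}

# Constructed sample, modelled on the properties quoted in the description.
SAMPLE = """\
com.sun.identity.agents.config.profile.attribute.fetch.mode = 0
com.sun.identity.agents.config.profile.attribute.mapping[] =
com.sun.identity.agents.config.response.attribute.fetch.mode = 0
com.sun.identity.agents.config.session.attribute.fetch.mode = HTTP_HEADER
com.sun.identity.agents.config.session.attribute.mapping[uid]=USERID
com.sun.identity.agents.config.session.attribute.mapping[guid]= GUID
com.sun.identity.agents.config.sso.only = true
"""

def parse_properties(text):
    """Parse key = value lines; key[index] entries are collected into dicts."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        indexed = re.fullmatch(r"(.+)\[(.*)\]", key)
        if indexed:
            if indexed.group(2):  # an empty index (mapping[] =) means "no entries"
                props.setdefault(indexed.group(1), {})[indexed.group(2)] = value
        else:
            props[key] = value
    return props

def audit(props):
    """Summarise the settings this issue depends on."""
    def fetch_on(kind):
        mode = props.get(PREFIX + kind + ".attribute.fetch.mode", "")
        return mode.upper() not in DISABLED
    # sso.only defaults to false, as the quoted documentation states.
    sso_only = props.get(PREFIX + "sso.only", "false").lower() == "true"
    fetching = [k for k in ("profile", "response", "session") if fetch_on(k)]
    return {
        "sso_only": sso_only,
        "fetching": fetching,
        "session_headers": props.get(PREFIX + "session.attribute.mapping", {}),
        # The scenario reported here: SSO only, session attributes only.
        "matches_issue": sso_only and fetching == ["session"],
    }
```
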

            People

            mareks Mareks Malnacs
            alex.levin@forgerock.com Alex Levin