  1. OpenAM
  2. OPENAM-12617

REST-STS translate examples incorrectly require iPlanetDirectoryPro header


    Description

      $ curl \
      --request POST \
      --header "iPlanetDirectoryPro: AQIC5..." \
      --header "Content-Type: application/json" \
      --data '{
      "input_token_state": {
      "token_type": "USERNAME",
      "username": "demo",
      "password": "changeit"
      },
      "output_token_state": {
      "token_type": "SAML2",
      "subject_confirmation": "BEARER"
      }
      }' \
      https://openam.example.com:8443/openam/rest-sts/username-transformer?_action=translate
      {
      "issued_token":
      "<saml:Assertion
      xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"
      Version=\"2.0\"
      ID=\"s2c51ebd0ad10aae44fb76e4b400164497c63b4ce6\"
      IssueInstant=\"2016-03-02T00:14:47Z\">\n
      <saml:Issuer>saml2-issuer</saml:Issuer>
      <saml:Subject>\n
      <saml:NameID
      Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">demo
      </saml:NameID>
      <saml:SubjectConfirmation
      Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\">\n
      <saml:SubjectConfirmationData
      NotOnOrAfter=\"2016-03-02T00:24:47Z\" >
      </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>\n
      </saml:Subject>
      <saml:Conditions
      NotBefore=\"2016-03-02T00:14:47Z\"
      NotOnOrAfter=\"2016-03-02T00:24:47Z\">\n
      <saml:AudienceRestriction>\n
      <saml:Audience>saml2-issuer-entity</saml:Audience>\n
      </saml:AudienceRestriction>\n</saml:Conditions>\n
      <saml:AuthnStatement
      AuthnInstant=\"2016-03-02T00:14:47Z\">
      <saml:AuthnContext>
      <saml:AuthnContextClassRef>
      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </saml:AuthnContextClassRef>
      </saml:AuthnContext>
      </saml:AuthnStatement>
      </saml:Assertion>\n"
      }

      The iPlanetDirectoryPro header is required and should contain the SSO token of an administrative user, such as amAdmin, who has access to perform the operation.

      https://backstage.forgerock.com/docs/am/5.5/sts-guide/

      This is not correct. The iPlanetDirectoryPro header is not required for this example nor probably for the other action=translate examples.


      $ curl --request POST --header "Content-Type: application/json" --data '{
      "input_token_state": {
      "token_type": "USERNAME",
      "username": "demo",
      "password": "changeit"
      },
      "output_token_state": {
      "token_type": "SAML2",
      "subject_confirmation": "BEARER"
      }
      }' http://am551a.fr.local:8080/openam/rest-sts/stsuri?_action=translate
      {"issued_token":"<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" Version=\"2.0\" ID=\"s2b0777ca95e51d39bd4fdc65ada0d7de9ecf1df31\" IssueInstant=\"2018-03-15T14:17:19Z\">\n<saml:Issuer>issuerid</saml:Issuer><saml:Subject>\n<saml:NameID Format=\"urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified\">demo</saml:NameID><saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\">\n<saml:SubjectConfirmationData NotOnOrAfter=\"2018-03-15T14:27:19Z\" ></saml:SubjectConfirmationData></saml:SubjectConfirmation>\n</saml:Subject><saml:Conditions NotBefore=\"2018-03-15T14:17:19Z\" NotOnOrAfter=\"2018-03-15T14:27:19Z\">\n<saml:AudienceRestriction>\n<saml:Audience>spid</saml:Audience>\n</saml:AudienceRestriction>\n</saml:Conditions>\n<saml:AuthnStatement AuthnInstant=\"2018-03-15T14:17:19Z\"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>\n"}
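
The `issued_token` value in both responses above is a JSON-escaped SAML2 bearer assertion. As an added example (not part of the report or of the ForgeRock documentation), this sketch unpacks it and checks the validity window, confirmation method and audience before the token is forwarded. The sample response is constructed, and `inspect_issued_token` and `expected_audience` are hypothetical names.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample, modelled on the second response in this report.
SAMPLE_RESPONSE = json.dumps({"issued_token": (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" '
    'ID="s-constructed-example" IssueInstant="2018-03-15T14:17:19Z">\n'
    '<saml:Issuer>issuerid</saml:Issuer><saml:Subject>\n'
    '<saml:NameID>demo</saml:NameID>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">\n'
    '<saml:SubjectConfirmationData NotOnOrAfter="2018-03-15T14:27:19Z" >'
    '</saml:SubjectConfirmationData></saml:SubjectConfirmation>\n</saml:Subject>'
    '<saml:Conditions NotBefore="2018-03-15T14:17:19Z" NotOnOrAfter="2018-03-15T14:27:19Z">\n'
    '<saml:AudienceRestriction>\n<saml:Audience>spid</saml:Audience>\n'
    '</saml:AudienceRestriction>\n</saml:Conditions>\n</saml:Assertion>\n')})


def _ts(value):
    """Parse the UTC timestamp format used in the assertion."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def inspect_issued_token(response_text, now, expected_audience):
    """Claims-only inspection: no signature check, so this is not trust validation."""
    # ElementTree is used because the input comes from your own STS; it is not
    # a hardened parser for XML from untrusted parties.
    assertion = ET.fromstring(json.loads(response_text)["issued_token"])
    cond = assertion.find("saml:Conditions", NS)
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = conf.find("saml:SubjectConfirmationData", NS)
    audiences = [a.text.strip() for a in cond.iterfind(".//saml:Audience", NS)]
    not_before, not_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    problems = []
    if conf.get("Method") != BEARER:
        problems.append("not a bearer confirmation")
    if not (not_before <= now < not_after):
        problems.append("outside Conditions validity window")
    if now >= _ts(data.get("NotOnOrAfter")):
        problems.append("subject confirmation expired")
    if expected_audience not in audiences:
        problems.append("audience mismatch")
    return {"subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS).strip(),
            "issuer": assertion.findtext("saml:Issuer", namespaces=NS).strip(),
            "lifetime_s": int((not_after - not_before).total_seconds()),
            "problems": problems}
```

A bearer assertion is usable by whoever holds it until `NotOnOrAfter`, so the ten-minute lifetime reported in `lifetime_s` is the exposure window if the response is logged or intercepted.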


            People

              austingene Gene Hirayama
              andrew.dunn Andrew Dunn [X] (Inactive)