OpenAM / OPENAM-13088

RFE: add option for isInitiator=false to WDSSO configuration

Details

• Type: Improvement
• Status: Resolved
• Priority: Minor
• Resolution: Fixed
• Affects Version/s: 5.5.1, 6.0.0
• Fix Version/s: 6.5.1, 7.0.0, 5.5.2
• Component/s: authentication
• Sprint: AM Sustaining Sprint 57
• Story Points: 2

      Description

      There may be valid scenarios where the user configured in AD as the principal used in WDSSO has a different UPN to the SPN. 

      Normally when generating the keytab these values get set to be the same, for example:

      servicePrincipalName:
      HTTP/openam.internal.forgerock.com@INTERNAL.FORGEROCK.COM
      
      userPrincipalName:
      HTTP/openam.internal.forgerock.com@INTERNAL.FORGEROCK.COM

      ...however it's also valid for the UPN to be different, for example:

      openam.internal.forgerock.com@INTERNAL.FORGEROCK.COM

      In this case if WDSSO auth is attempted then the following will be seen in the logs:

      javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
              at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763)
      ..

      This valid scenario can be made to work by setting the JDK isInitiator parameter to false (the default is true). This parameter is not currently implemented in the AM WDSSO module.
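As an added illustration (not code from this issue or from OpenAM), the following shows how a JAAS Configuration hands the isInitiator option to the JDK Krb5LoginModule programmatically; the class name, the keytab path and the login entry name "WDSSO" are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical JAAS Configuration driving Krb5LoginModule for a service (acceptor) principal. */
public class AcceptorKrb5Config extends Configuration {
    private final String servicePrincipal;
    private final String keytabPath;
    private final boolean isInitiator;

    public AcceptorKrb5Config(String servicePrincipal, String keytabPath, boolean isInitiator) {
        this.servicePrincipal = servicePrincipal;
        this.keytabPath = keytabPath;
        this.isInitiator = isInitiator;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");           // read the long-term key from the keytab
        opts.put("storeKey", "true");            // keep the key in the Subject for GSS acceptance
        opts.put("doNotPrompt", "true");         // never fall back to a password prompt
        opts.put("keyTab", keytabPath);
        opts.put("principal", servicePrincipal); // the SPN entry in the keytab
        // isInitiator=true (the JDK default) makes the module request a TGT as this
        // principal, which fails with "Client not found in Kerberos database (6)"
        // when the AD account's UPN differs from the SPN. With isInitiator=false
        // the module only loads the acceptor key and makes no TGT request.
        opts.put("isInitiator", Boolean.toString(isInitiator));
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED, opts)
        };
    }

    public static void main(String[] args) throws LoginException {
        // Assumed values; a real run needs this keytab file and a reachable KDC.
        Configuration cfg = new AcceptorKrb5Config(
                "HTTP/openam.internal.forgerock.com@INTERNAL.FORGEROCK.COM",
                "/path/to/openam.keytab", false);
        LoginContext lc = new LoginContext("WDSSO", null, null, cfg);
        lc.login(); // with isInitiator=false this succeeds even when UPN != SPN
        System.out.println("Acceptor principals: " + lc.getSubject().getPrincipals());
    }
}
```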

People

• Assignee: Kamal Sivanandam (kamal.sivanandam@forgerock.com)
• Reporter: Andy Itter (andy.itter)
• Votes: 0
• Watchers: 4
