When a policy condition "Authentication Level greater than" is set to 1, an authentication module satisfying that condition must be available in the top-level realm for the second (step-up) authentication prompt to be presented to the end user, even though the agent, the policy and the user all belong to a sub-realm.
Steps to reproduce:
- Deployed AM with embedded configuration and user store. Server URL: http://openam.amtest2.com:8080/access. Cookie domain: amtest2.com
- Set up Apache so that the URL http://web.amtest2.com:80/test1/index.html serves an HTML page.
- Created a sub-realm, subscribers.
- In AM, subscribers realm, created profile: web-agent-01, Agent url: http://web.amtest2.com:80, Server URL: http://openam.amtest2.com:8080/access, Password: secret
- Installed the web agent under /opt/webagents_5_5_0_0
- Created the file /opt/web_agents/5_5_0_0/passwd.txt containing the value secret.
- Changed the permissions on that file to 400.
- Ran agentadmin --i. Configuration file: /etc/httpd/conf/httpd.conf, Change ownership: yes, Existing OpenSSOAgentBootstrap.properties file: <Hit return to ignore>, OpenAM Server url: http://openam.amtest2.com:8080/access, Agent URL: http://web.amtest2.com:80, Agent profile name: web-agent-01, Agent realm: /subscribers, Path to a file that contains password to be used: /opt/web_agents_5_5_0_0/passwd.txt
- In AM console, created a policy set TestApplication01.
- Created a policy, TestPolicy01, allowing user demo GET and POST access to http://web.amtest2.com:80/test1/.
- Edited the web agent profile so that OpenAM Services, Application is set to TestApplication01.
- Tested login via a web browser at http://web.amtest2.com:80/test1/index.html. Verified that after login the user was taken to the test application page.
- Added a policy condition: authentication level greater than 0. Refreshed the page (unsure whether a re-login is required); the page now displays 'Unable to login' with the red error message 'No configuration found'.
- Added a new authentication module of type Datastore with authentication level 1 in the sub-realm. Repeated the login. Observed that the same error is presented.
- Created an authentication module of type Datastore with authentication level 1 in the top-level realm and repeated the test. Observed that a second login is presented to the end user and, after completing it successfully, the user is taken to the protected application.
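To see what AM actually returns for the protected URL at each of the steps above (access granted, or denied with an AuthLevelConditionAdvice that the agent turns into the second login), the following added diagnostic script, which is not part of AM or the web agent, logs in as a sub-realm user and calls the policy evaluation REST endpoint. The server URL, realm, resource and policy set are the ones from this report; the user's password is passed on the command line; the `summarize` helper is a hypothetical name.

```python
"""Diagnostic for the step-up scenario: authenticate in /subscribers, evaluate
TestApplication01 for the protected URL, and report the granted actions and
the authentication level AM requires (from AuthLevelConditionAdvice)."""
import json
import sys
import urllib.request

AM = "http://openam.amtest2.com:8080/access"          # server URL from the report
REALM = "/subscribers"                                # sub-realm holding agent, policy and user
RESOURCE = "http://web.amtest2.com:80/test1/index.html"
APPLICATION = "TestApplication01"                     # policy set from the report
API_VERSION = "resource=2.0, protocol=1.0"


def realm_path(realm):
    """Map '/subscribers' to the REST realm path 'realms/root/realms/subscribers'."""
    parts = [p for p in realm.split("/") if p]
    return "/".join(["realms/root"] + ["realms/" + p for p in parts])


def post_json(url, headers, body):
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="POST", headers={
        "Content-Type": "application/json", "Accept-API-Version": API_VERSION, **headers})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def login(user, password):
    # Zero-page login against the sub-realm; the session token comes back as tokenId.
    url = "%s/json/%s/authenticate" % (AM, realm_path(REALM))
    return post_json(url, {"X-OpenAM-Username": user, "X-OpenAM-Password": password}, {})["tokenId"]


def evaluate(token):
    # The session token is sent in the iPlanetDirectoryPro header, as the agent would in its cookie.
    url = "%s/json/%s/policies?_action=evaluate" % (AM, realm_path(REALM))
    return post_json(url, {"iPlanetDirectoryPro": token},
                     {"resources": [RESOURCE], "application": APPLICATION})


def summarize(decisions):
    """Reduce an evaluate response to (granted actions, required auth level or None).
    A denied decision carrying AuthLevelConditionAdvice is the step-up case from the report."""
    granted, level = set(), None
    for d in decisions:
        granted |= {a for a, allowed in d.get("actions", {}).items() if allowed}
        for lvl in d.get("advices", {}).get("AuthLevelConditionAdvice", []):
            level = max(level or 0, int(lvl))
    return sorted(granted), level


if __name__ == "__main__":
    actions, level = summarize(evaluate(login("demo", sys.argv[1])))
    print("granted actions:", actions, "required auth level:", level)
```

With the level-1 condition in place, a healthy deployment should report no granted actions and required auth level 1 for a plain login; the 'No configuration found' error in the report is the agent failing to act on that advice, not a different policy decision.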
Expected behaviour: creating the authentication module within the sub-realm should be sufficient for the second login (satisfying the policy condition) to occur.
Actual behaviour: the expected flow only works if the step-up authentication module is created in the top-level realm.
Workaround: define the step-up authentication module in the top-level realm.