OpenAM / OPENAM-16285

Web agent authentication happening at top level realm

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.5.2.3
    • Fix Version/s: None
    • Component/s: authentication, web agents

      Description:

      When an agent is configured in a sub-realm without using a DNS alias, accessing the protected app URL causes a redirect to authentication, and this then occurs at the top-level realm.

      Steps to reproduce:

      1. Deployed AM, embedded config and user store.  Server URL: http://openam.amtest2.com:8080/access.  Cookie domain of amtest2.com.
      2. Setup apache, so that url http://web.amtest2.com:80/test1/index.html results in viewing an html page.
      3. Created a sub-realm, subscribers.
      4. In AM, subscribers realm, created profile: web-agent-01, Agent url: http://web.amtest2.com:80, Server URL: http://openam.amtest2.com:8080/access, Password: secret
      5. Then installed web agent /opt/webagents_5_6_2_1
      6. Created file /opt/web_agents/5_6_2_1/passwd.txt with value inside of secret.
      7. Changed permission on the file to be 400.
      8. agentadmin --i.  Configuration file: /etc/httpd/conf/httpd.conf, Change ownership: yes, Existing OpenSSOAgentBootstrap.properties file: <Hit return to ignore>, OpenAM Server URL: http://openam.amtest2.com:8080/access, Agent URL: http://web.amtest2.com:80, Agent profile name: web-agent-01, Agent realm: /subscribers, Path to a file that contains password to be used: /opt/web_agents_5_6_2_1/passwd.txt
      9. In AM console, created a policy set TestApplication01.
      10. Then created a policy, TestPolicy01, allowing access to http://web.amtest2.com:80/test1/ for user demo for GET and POST requests.
      11. Edited web agent profile to have OpenAM Services, Application: TestApplication01
      12. Tested login via web browser to http://web.amtest2.com:80/test1/index.html.  Verified that after login, user was navigated to test application page.
      13. In the admin console, reviewed Sessions for user demo in the top-level and subscribers realms.

      Expected behaviour:

      Session is created in sub-realm only.

      Current behaviour:

      The session is created in the top-level realm.

      Workaround:

      Use a DNS alias for the sub-realm, e.g. subscribers.amtest2.com, then use this for the AM URL when creating the web agent profile and when performing agentadmin --i (or change the agent.conf com.sun.identity.agents.config.naming.url property after installation to reflect the DNS alias).
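The following is an added example, not code from OpenAM or the web agent, that checks an agent's bootstrap properties for the misconfiguration this issue describes: an agent whose realm is a sub-realm but whose naming URL points at the plain server host rather than a DNS alias of that realm. The com.sun.identity.agents.config.naming.url property name comes from the workaround above; the realm property name com.sun.identity.agents.config.organization.name, the /namingservice suffix on the URL, and the realm-to-alias mapping are assumptions constructed for the example.

```python
"""Audit an OpenAM web agent bootstrap config for the sub-realm / DNS-alias
mismatch that makes authentication happen at the top-level realm.
Added example; not part of OpenAM or the web agent."""
from urllib.parse import urlparse

# Property quoted in the issue's workaround.
NAMING_URL = "com.sun.identity.agents.config.naming.url"
# Assumed name of the agent's realm property in OpenSSOAgentBootstrap.properties.
REALM_PROP = "com.sun.identity.agents.config.organization.name"


def parse_properties(text):
    """Minimal Java .properties parser: 'key = value' or 'key : value',
    '#' / '!' comment lines, blank lines ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_realm_alias(props, realm_aliases):
    """realm_aliases maps a realm path to the set of DNS aliases configured
    for it in AM (constructed input). Returns (ok, message).

    The naming URL may list several space-separated URLs; every host must
    be an alias of the agent's realm, otherwise the redirect to login
    lands at the top-level realm."""
    realm = props.get(REALM_PROP, "/").strip().rstrip("/") or "/"
    if realm == "/":
        return True, "agent is in the top-level realm; no DNS alias needed"
    aliases = {a.lower() for a in realm_aliases.get(realm, set())}
    urls = props.get(NAMING_URL, "").split()
    if not urls:
        return False, f"{NAMING_URL} is not set"
    bad = [u for u in urls if (urlparse(u).hostname or "").lower() not in aliases]
    if bad:
        return False, (f"naming URL host(s) {bad} are not DNS aliases of realm "
                       f"{realm}; authentication will be redirected to the "
                       "top-level realm")
    return True, f"all naming URL hosts are DNS aliases of realm {realm}"


def audit(conf_text, realm_aliases):
    """Parse a bootstrap config and run the realm/alias check on it."""
    return check_realm_alias(parse_properties(conf_text), realm_aliases)


# Constructed sample configs mirroring the issue: same realm, different host.
BUGGY_CONF = """
# agent installed with the plain server URL (as in the reproduction steps)
com.sun.identity.agents.config.naming.url = http://openam.amtest2.com:8080/access/namingservice
com.sun.identity.agents.config.organization.name = /subscribers
"""

FIXED_CONF = """
# agent installed with the sub-realm DNS alias (the workaround)
com.sun.identity.agents.config.naming.url = http://subscribers.amtest2.com:8080/access/namingservice
com.sun.identity.agents.config.organization.name = /subscribers
"""

# Constructed: DNS aliases configured on the /subscribers realm in AM.
REALM_ALIASES = {"/subscribers": {"subscribers.amtest2.com"}}

if __name__ == "__main__":
    for name, conf in (("buggy", BUGGY_CONF), ("fixed", FIXED_CONF)):
        ok, msg = audit(conf, REALM_ALIASES)
        print(f"{name}: {'OK' if ok else 'MISCONFIGURED'} - {msg}")
```

Run it against a real agent.conf or OpenSSOAgentBootstrap.properties by reading the file into audit(); the realm-to-alias map has to be filled in from the realm's DNS alias settings in the AM console, since the agent config alone does not say which hosts AM treats as aliases.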

        People

        Assignee: Unassigned
        Reporter: lawrence.yarham Lawrence Yarham