When realm DNS aliases are not in use and a web agent is installed in a sub-realm, a policy condition of type "Authentication use service" makes the session upgrade fail if the referenced authentication service is defined in that same sub-realm.
After authenticating, the user is shown a red error message stating that the session upgrade failed because the existing session belongs to a different realm.
Steps to reproduce:
- Deployed AM with the embedded configuration and user store. Server URL: http://openam.amtest2.com:8080/access. Cookie domain: amtest2.com.
- Set up Apache so that the URL http://web.amtest2.com:80/test1/index.html serves an HTML page.
- Created a sub-realm named subscribers.
- In AM, in the subscribers realm, created the agent profile web-agent-01 with Agent URL: http://web.amtest2.com:80, Server URL: http://openam.amtest2.com:8080/access, Password: secret.
- Then installed the web agent under /opt/webagents_5_6_2_1.
- Created the file /opt/web_agents/5_6_2_1/passwd.txt containing the value secret.
- Changed the file permissions to 400.
- Ran agentadmin --i. Configuration file: /etc/httpd/conf/httpd.conf, Change ownership: yes, Existing OpenSSOAgentBootstrap.properties file: <Hit return to ignore>, OpenAM Server URL: http://openam.amtest2.com:8080/access, Agent URL: http://web.amtest2.com:80, Agent profile name: web-agent-01, Agent realm: /subscribers, Path to a file that contains password to be used: /opt/web_agents_5_6_2_1/passwd.txt
- In the AM console, created a policy set TestApplication01.
- Then created a policy, TestPolicy01, allowing access to http://web.amtest2.com:80/test1/ for user demo for GET and POST requests.
- Edited the web agent profile to set OpenAM Services, Application: TestApplication01.
- Tested login via a web browser to http://web.amtest2.com:80/test1/index.html. Verified that after login the user was taken to the test application page.
- In the sub-realm, created a new chain subscribersChain containing the DataStore module.
- Then added the policy condition "authenticate with service" and specified subscribersChain.
- In the browser, refreshed the page (not sure whether a re-login is needed; otherwise, clear the browser cookies). A second authentication prompt is shown. Logged in again as the same user.
Expected result:
The user is redirected to the protected application after successfully completing the second authentication.
Actual result:
After the second authentication, the user is shown a red error message stating that the session upgrade failed because the existing session belongs to a different realm. This is because the original session was created in the top level realm (see OPENAM-16285).
Workarounds:
- Define the authentication service in the top level realm.
- Use a DNS alias for the sub-realm, e.g. subscribers.amtest2.com, and use it as the AM URL when creating the web agent profile and when running agentadmin --i (or change the com.sun.identity.agents.config.naming.url property in agent.conf after installation so that it points at the DNS alias).
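The second workaround, applied after installation, comes down to rewriting one property in the agent's bootstrap configuration. The following shell functions are an added example and not part of the original report or of the web agent distribution; they assume the "key = value" properties layout of a Web Agent 5.x agent.conf, and every path and hostname in them is a placeholder. Besides rewriting the value, they refuse to run when the key is absent (so a typo cannot silently add a second entry) and check that the configured host really is the sub-realm alias.

```shell
# Added example (not from the original report): switch an installed web agent's
# AM URL to the sub-realm DNS alias by rewriting
# com.sun.identity.agents.config.naming.url in agent.conf.
# Assumptions: agent.conf uses the "key = value" properties layout of
# Web Agent 5.x; all paths and hostnames below are placeholders.

KEY="com.sun.identity.agents.config.naming.url"

# Write a constructed sample agent.conf to the path in $1 (for offline testing only).
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real agent.conf
com.sun.identity.agents.config.naming.url = http://openam.amtest2.com:8080/access
com.sun.identity.agents.config.organization.name = /subscribers
EOF
}

# Print the AM URL the agent will bootstrap against, or nothing if the key is absent.
get_agent_naming_url() {
    sed -n "s|^${KEY}[[:space:]]*=[[:space:]]*||p" "$1"
}

# Replace the AM URL in $1 (agent.conf) with $2 (e.g. the DNS-alias URL).
# Returns 1 if the key is missing so a typo cannot silently add a second entry.
set_agent_naming_url() {
    conf="$1"
    url="$2"
    if ! grep -q "^${KEY}[[:space:]]*=" "$conf"; then
        echo "property ${KEY} not found in ${conf}" >&2
        return 1
    fi
    cp "$conf" "${conf}.bak"          # keep a backup; the agent reads this file at startup
    # '|' as the sed delimiter avoids clashing with the slashes in the URL;
    # write to a temp file and move it so the running agent never sees a half-written file.
    sed "s|^${KEY}[[:space:]]*=.*|${KEY} = ${url}|" "$conf" > "${conf}.tmp" && mv "${conf}.tmp" "$conf"
}

# Verify that the host in the configured URL is the expected realm alias ($2); returns 1 on mismatch.
check_agent_alias() {
    conf="$1"
    expected_host="$2"
    host=$(get_agent_naming_url "$conf" | sed -n 's|^[a-z]*://\([^/:]*\).*|\1|p')
    [ "$host" = "$expected_host" ]
}
```

Run `set_agent_naming_url /path/to/agent.conf http://subscribers.amtest2.com:8080/access` and then `check_agent_alias /path/to/agent.conf subscribers.amtest2.com` before restarting Apache; the check catches the case where the agent still bootstraps against the top level realm host, which is exactly the situation that produces the cross-realm session upgrade error above.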