OpenAM Authorization Manual

Important URL: https://iamblog.jelleverbraak.be/?cat=3#sthash.LlRzcvgO.dpbs

 

1.      First define users in OpenDJ, I use it as user data storage.

 

2.      Update hosts file in windows OS for local testing.

 

3.      Tomcat version is 7.0.39 and OpenAM mine is 12.0.0

 

4.      Define a Sub Realm namedfriends

5.      Define a J2EE Policy Agent,agentapp is a project which is provided in OpenAM j2ee_agents, this agentapp.war will be put into Tomcat 7’s webapps directory and act as a listener to user’s event, once a request comes from user, it will delegate Authentication and Authorization to OpenAM. Later I will provide a screenshot of its deployment.

 

6.      There is agentadmin.bat in my downloaded j2ee_agents

 

 

7.      Now open a DOS window, go to this directoy and execute agent install command

 

8.      Fill all the info to finish installation. For Agent URL, we will put agentapp.war to this Tomcat 7 webapps directory.

 

9.      Below is log if successful installation

 

10.  According to ForgeRock official tutorial, there is subtle diff on installation between Tomcat 6 and 7, for 7, should not use tomcat’s global web.xml, but need to update each application’s web.xml deployed in this tomcat, and must put agentapp.war to this tomcat.

 

11.  Now start this tomcat, make.war extracted. We will add AmAgentFilter for all requests.

 

12.  Update config/OpenSSOAgentBootstrap.properties to identify the sub-realm that has your policy agent configuration. Otherwise (initially it is “/” standing for top realm) tomcat will be failed to startup, and theappearance is tomcat console would be auto-closed promptly. (Please read “NOTE”at the end of this article.)

 

13.  This time we can go to define policy itself, but first we create an application, which is the resource template of policy, it is a must in OpenAM 12.0.0, I named it as newtemplate(not good but okay for testing :) )

 

14.  Back to created application,click it to go to Policy definition page, click “Add New Policy”, fill exact definition for this policy

With below OpenDJ REST query we can see the dn is same as the one in OpenDJ Control-panel, while the universalId is shown in Policy’s Subjects values.

 

15.  The final policy looks like as follow:

 

16.  Here we can start testing, but we need to make sure agent filter mode is ALL but not SSO_ONLY, if OpenAM session and our testing application session is in one browser, should logout from OpenAM. It is better to restart tomcat in which our testing application (testpolicy.war)is. We type the protected resource in browser, we can see it is redirected to OpenAM for authentication.

 

17.  Since this resource only can be visited by leizhaojin in policy definition, so amAdmin cannot access, 403 error! It is expected.

18.  As SSO is enabled, so we can go to OpenAM console to logout amAdmin, then try leizhaojin to request protected resource.

 

19.  If you still encounter 403 error, then go to OpenAM console->Access Control<realm name>->Agent->J2EE-><policy name>->OpenAM service->policy client service, to check whether it read top realm’s policy as below screenshot:

20.  Change highlighted 2 fields as following (friends:newtemplate), then revisit protected resource, resource content appears as expected.

 

 

 

NOTE:

 

For top realm, there is a default application named iPlanetAMWebAgentService, this application is policy evaluation entrance, if leave anything default, you must use this application and define policies on it, then your policy would be evaluated by OpenAM, otherwise you will always get 403 error.

Like I define a policy named policy to apply my URL-POLICY authorization

Its detail is:

 

 

If got below error and cannot start tomcat when agentapp.war is in it:

--------------------------------------

**********************************************

amSecurity:11/14/201512:06:25:859 上午 CST:Thread[main,5,main]

ERROR:AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.

CheckAMConfig.properties for the following properties

         com.sun.identity.agents.app.username

         com.iplanet.am.service.password

-------------------------------

It means you created it in a sub-realm where you would then need to change the com.sun.identity.agents.config.organization.name value in the OpenSSOAgentBootstrap.properties file to reference the realm where the agent profile is.