Reputation: 129
How to get username from openSSO/openAM system?
I'm currently using openAM to protect a small webapp of mine using a Java EE web agent. Someone tries to access the app, they get redirected to the openAM instance, they login, they go to the app. Simple stuff.
What I'd like is for openAM to pass the username that was successfully used to the web app. It's my understanding that "session attributes" should be used for this. When in the admin, I go to my Java EE webagent and open up the "Application" tab to see the "Session Attributes Processing". I see that HTTP_COOKIE is a choice for fetching.
1) is it the case that I should expect to see the username, if properly set up, as plaintext in the cookie? 2) what value do I enter in the session mapping to get the username? How do I find what value in the data store corresponds to this?
Thanks
Upvotes: 1
Views: 12880
Answers (2)
Reputation: 306
We are using HTTP_HEADER with our agents. So if you are already using agents (which sounds like you are), then the following should work for you. In OpenAM web console:
- Access Control > Top Level Realm > Agents > Web / J2EE / etc. > click on an agent
- Application tab > Profile Attributes Processing section > Profile Attribute Fetch Mode:
- Click on the "HTTP_HEADER" choice
- Profile Attribute Mapping:
- Map Key: [uid] ... Corresponding Map Value: uid
- Click Add. It should look like [uid]=uid once you've added it. Add any other mapping you need that matches attributes to your backend authentication system. Ours is ldap.
In your web application, retrieve the HTTP Header elements and look for the token. It should look something like this: AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.AAJTSQABMDE.
You can then use the OpenAM REST interface to validate and retrieve attributes associated with the token such as user name, password, cn, etc. To retrieve all attributes, the URL would be like this:
http://<OpenAM_Host>:<Port>/<deploy_uri>/identity/attributes?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
You can also specify attributes you want like this:
http://<OpenAM_Host>:<Port>/<deploy_uri>/identity/attributes?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*&attributenames=uid&attributenames=userpassword
References:
https://wikis.forgerock.org/confluence/display/openam/Use+OpenAM+RESTful+Services
http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/dev-guide/index/chap-rest.html
Upvotes: 5
Reputation: 2995
1) yes, the agent will create plaintext cookies (and if the user sends malicious ones it will recreate them just fine), however using HTTP_HEADER method to pass on attributes is considered as a better solution (since it's not stored on the client side).
2) Session Attributes Processing only works if you actually stored something in the session. For that you can either use the "User Attribute Mapping to Session Attribute" feature in Authentication All Core Settings or write some custom module to save derivative values. Otherwise if you just want to get the uid of the user, then use Profile Attributes Processing (uid key HTTP_UID value and your app will see a HTTP_UID cookie/header).
Upvotes: 2
Related Questions
- Oracle Weblogic OAM get user information using session cookies
- Pass SSOTokenID as set-cookie value in OpenAM
- OpenAM Configuration
- OPENAM: How to add information to the "User Information" OAuth2 / OpenID Connect endpoint
- OpenAM - Use OAuth2 Access Token to get User Details?
- How can I make a name request in OpenIG?
- Custom Identity Provider for OpenAM/OpenSSO
- Composing a SAML2 AuthnRequest for OpenAM
- How to get user details from OpenID server?
- Extracting a username from an OpenID identity