Hello,
I’m currently working on integrating OpenAM [Ver 7.4.0] with OpenIDM [Ver 7.4.1] to authenticate users registered in OpenIDM through OpenAM. Here is the process I followed and the issues I am encountering:
Setup and Configuration
Authentication Tree in OpenAM:
I created an authentication tree in OpenAM, which includes a scripted node. This script sends requests to OpenIDM to authenticate users.
Organization Authentication Configuration:
I set the Organization Authentication Configuration to use the new authentication tree I created.
OpenIDM uses MySQL as the database to store user details (managed user).
Authentication Flow
Step 1: Obtain Admin Session Token from OpenIDM
First, I authenticate as an admin in OpenIDM to get a session token. This is done via a POST request:
```bash
curl -X POST \
  http://<openidm-host>:8080/openidm/authentication?_action=login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "openidm-admin",
    "password": "openidm-admin"
  }'
```
The response contains a session token in the Set-Cookie header.
Step 2: Authenticate the User Using the Admin Session Token
Next, I use the admin session token to authenticate the user. This is done via another POST request:
```bash
curl -X POST \
  http://<openidm-host>:8080/openidm/authentication?_action=login \
  -H "Content-Type: application/json" \
  -H "Cookie: session-jwt=<admin-session-token>" \
  -H "X-OpenIDM-Username: openidm-admin" \
  -H "X-OpenIDM-Password: openidm-admin" \
  -d '{
    "username": "anees",
    "password": "Ushustech123#$"
  }'
```
Issue
When I attempt to log in through the OpenAM web UI using the user credentials registered in OpenIDM, the authentication script returns false. The response body shows:
```json
{
  "authenticationId": "openidm-admin"
}
```
Instead of authenticating the user “anees,” the script is returning the authentication ID of the admin user (“openidm-admin”).
Details of the Script
Here is the script used in the authentication tree node in OpenAM:
```javascript
var openidmURL = "http://<openidm-host>:8080/openidm/authentication?_action=login";
var openidmAdminUsername = "openidm-admin";
var openidmAdminPassword = "openidm-admin";

// Credentials collected from the user earlier in the tree
var username = sharedState.get("username");
var password = transientState.get("password");
logger.error("Attempting to authenticate user: " + username);

// Admin credentials are sent in the X-OpenIDM-* headers; the user's credentials go in the JSON body
var request = new org.forgerock.http.protocol.Request();
request.setUri(openidmURL);
request.setMethod("POST");
request.getHeaders().add("Content-Type", "application/json");
request.getHeaders().add("X-OpenIDM-Username", openidmAdminUsername);
request.getHeaders().add("X-OpenIDM-Password", openidmAdminPassword);
request.getEntity().setJson({
    "username": username,
    "password": password
});

var response = httpClient.send(request).get();
logger.error("Response Code: " + response.getStatus().getCode());
logger.error("Response Body: " + response.getEntity().getString());

if (response.getStatus().getCode() === 200) {
    var responseBody = response.getEntity().getJson();
    // Succeed only if OpenIDM reports the same principal that is logging in
    if (responseBody.authLogin === true && responseBody.authenticationId === username) {
        outcome = "true";
        logger.error("Authentication successful for user: " + username);
    } else {
        outcome = "false";
        logger.error("Authentication failed for user: " + username);
    }
} else {
    outcome = "false";
    logger.error("Authentication failed with response code: " + response.getStatus().getCode());
}
```
Request for Help
Why is the script returning the authentication ID of the admin user instead of the user trying to log in?
Is there a different way to authenticate a user in OpenIDM using an admin session token that correctly identifies the user?
Any advice or pointers on what I might be missing or doing wrong would be greatly appreciated. Thank you!
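Added example (not part of the original post, and not ForgeRock's own code): two plain Node.js functions that mirror the decisions the scripted node makes, so the behaviour can be checked offline. It assumes, to be confirmed against the OpenIDM REST documentation, that the login endpoint identifies the caller from the X-OpenIDM-Username/X-OpenIDM-Password headers (or the session cookie) rather than from the JSON body, so the end user's own credentials are carried in those headers and the admin credentials are not sent at all; openidmBase and the sample replies are constructed.

```javascript
// ASSUMPTION: OpenIDM reads the caller's identity from the X-OpenIDM-* headers,
// not from a JSON body, so the user logging in supplies the headers themselves.
function buildUserLoginRequest(openidmBase, username, password) {
  return {
    method: "POST",
    url: openidmBase + "/openidm/authentication?_action=login",
    headers: {
      "Content-Type": "application/json",
      "X-OpenIDM-Username": username,
      "X-OpenIDM-Password": password
    },
    body: null  // no admin credentials and no body-carried user credentials
  };
}

// Turn OpenIDM's reply into the node outcome. The reason string explains a
// "false" outcome for logs without echoing the password or the whole body.
function evaluateLoginResponse(statusCode, bodyJson, expectedUser) {
  if (statusCode !== 200) {
    return { outcome: "false", reason: "http-status-" + statusCode };
  }
  if (!bodyJson || typeof bodyJson.authenticationId !== "string") {
    return { outcome: "false", reason: "missing-authenticationId" };
  }
  // The situation in the post: OpenIDM authenticated *a* principal (the admin),
  // but not the user logging in, so the node must not let the login succeed.
  if (bodyJson.authenticationId !== expectedUser) {
    return { outcome: "false", reason: "principal-mismatch:" + bodyJson.authenticationId };
  }
  return { outcome: "true", reason: "ok" };
}

// Constructed sample replies: the first is the body quoted in the post,
// the second is what a correctly identified user login would look like.
const SAMPLE_ADMIN_REPLY = JSON.parse('{"authenticationId": "openidm-admin"}');
const SAMPLE_USER_REPLY = JSON.parse(
  '{"authenticationId": "anees", "authorization": {"component": "managed/user"}}'
);

// Stand-alone run: node this_file.js
if (typeof require !== "undefined" && require.main === module) {
  console.log(buildUserLoginRequest("http://<openidm-host>:8080", "anees", "<password>"));
  console.log(evaluateLoginResponse(200, SAMPLE_ADMIN_REPLY, "anees"));
  console.log(evaluateLoginResponse(200, SAMPLE_USER_REPLY, "anees"));
}
```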