Authentication Issue in OpenAM-7.4.0 Using OpenIDM-7.4.1 User

Hello,

I’m currently working on integrating OpenAM [7.4.0] with OpenIDM [7.4.1] to authenticate users registered in OpenIDM through OpenAM. Here is the process I followed and the issues I am encountering:
Setup and Configuration

Authentication Tree in OpenAM:
    I created an authentication tree in OpenAM, which includes a scripted node. This script sends requests to OpenIDM to authenticate users.

Organization Authentication Configuration:
    I set the Organization Authentication Configuration to use the new authentication tree I created.

OpenIDM uses MySQL as the database to store user details (managed users).

Authentication Flow

Step 1: Obtain Admin Session Token from OpenIDM
    First, I authenticate as an admin in OpenIDM to get a session token. This is done via a POST request:
curl -X POST \
  http://<openidm-host>:8080/openidm/authentication?_action=login \
  -H "Content-Type: application/json" \
  -d '{
        "username": "openidm-admin",
        "password": "openidm-admin"
      }'
The response contains a session token in the Set-Cookie header.

Step 2: Authenticate the User Using the Admin Session Token

Next, I use the admin session token to authenticate the user. This is done via another POST request:
curl -X POST \
  http://<openidm-host>:8080/openidm/authentication?_action=login \
  -H "Content-Type: application/json" \
  -H "Cookie: session-jwt=<admin-session-token>" \
  -H "X-OpenIDM-Username: openidm-admin" \
  -H "X-OpenIDM-Password: openidm-admin" \
  -d '{
        "username": "anees",
        "password": "Ushustech123#$"
      }'

Issue

When I attempt to log in through the OpenAM web UI using the user credentials registered in OpenIDM, the authentication script returns false. The response body shows:

{
  "authenticationId": "openidm-admin"
}

Instead of authenticating the user “anees,” the script is returning the authentication ID of the admin user (“openidm-admin”).
Details of the Script

Here is the script used in the authentication tree node in OpenAM:

// IDM authentication endpoint and the IDM admin account used for the call
var openidmURL = "http://<openidm-host>:8080/openidm/authentication?_action=login";
var openidmAdminUsername = "openidm-admin";
var openidmAdminPassword = "openidm-admin";

// Credentials collected earlier in the tree (e.g. by the Username/Password Collector nodes)
var username = sharedState.get("username");
var password = transientState.get("password");

logger.error("Attempting to authenticate user: " + username);

// Build the request: the admin credentials are sent in the X-OpenIDM-* headers,
// while the end user's credentials are placed in the JSON body.
var request = new org.forgerock.http.protocol.Request();
request.setUri(openidmURL);
request.setMethod("POST");
request.getHeaders().add("Content-Type", "application/json");
request.getHeaders().add("X-OpenIDM-Username", openidmAdminUsername);
request.getHeaders().add("X-OpenIDM-Password", openidmAdminPassword);
request.getEntity().setJson({
    "username": username,
    "password": password
});

// Send the request synchronously and log what came back
var response = httpClient.send(request).get();

logger.error("Response Code: " + response.getStatus().getCode());
logger.error("Response Body: " + response.getEntity().getString());

// Outcome is "true" only when IDM answered 200, reported authLogin, and the
// authenticated identity is the user who is logging in
if (response.getStatus().getCode() === 200) {
    var responseBody = response.getEntity().getJson();
    if (responseBody.authLogin === true && responseBody.authenticationId === username) {
        outcome = "true";
        logger.error("Authentication successful for user: " + username);
    } else {
        outcome = "false";
        logger.error("Authentication failed for user: " + username);
    }
} else {
    outcome = "false";
    logger.error("Authentication failed with response code: " + response.getStatus().getCode());
}

Request for Help

Why is the script returning the authentication ID of the admin user instead of the user trying to log in?

Is there a different way to authenticate a user in OpenIDM using an admin session token that correctly identifies the user?

Any advice or pointers on what I might be missing or doing wrong would be greatly appreciated. Thank you!

Hi @anees.am

The short answer here is that you just need to pass the username and password of the user you want to authenticate in the X-OpenIDM-Username and X-OpenIDM-Password headers, as described in Authenticate users :: IDM 7.4.1. The JSON payload you are sending is not considered by the endpoint you’ve specified, and there is no need to have an IDM admin session to perform this authentication.

The longer answer is that this approach to authentication feels very backwards. I can honestly say I’ve never heard of a use case where someone would use AM to authenticate a user in IDM’s managed user repo versus having IDM synchronize that user and their credentials into an identity store that AM could communicate with directly, or simply utilizing the Identity Platform (About the platform :: ForgeRock Identity Platform) approach to deploying these components.
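
The correction in the reply above, as an added example that is not part of the original thread and not ForgeRock's code. It models the IDM login call as plain Node.js functions with an injectable transport so it runs offline: buildIdmAuthRequest, evaluateIdmAuthResponse, authenticateViaIdm, originalScriptOutcome and the stand-in server fakeIdmSend (with its FAKE_IDM_USERS table and passwords) are all constructed for this illustration, and the URL is the placeholder from the thread. A real scripted node would send the built request with httpClient.send() instead of the fake transport.

```javascript
// Added example, not code from the thread or from ForgeRock. Models the reply
// above: IDM's /authentication?_action=login reads the credentials to check from
// the X-OpenIDM-Username / X-OpenIDM-Password headers and ignores a JSON body.

// Placeholder URL taken from the thread (assumption: host/port as in the post).
const IDM_AUTH_URL = "http://<openidm-host>:8080/openidm/authentication?_action=login";

// Corrected request: the user's OWN credentials go in the headers. No JSON
// payload and no admin session cookie are needed.
function buildIdmAuthRequest(username, password) {
  if (!username || typeof password !== "string") {
    throw new Error("username and password are required");
  }
  return {
    method: "POST",
    url: IDM_AUTH_URL,
    headers: { "X-OpenIDM-Username": username, "X-OpenIDM-Password": password },
    body: null,
  };
}

// Map the HTTP result to a node outcome. "true" only when IDM answered 200 AND
// the reported identity is the user we asked about, so a response for some
// other account (the "openidm-admin" symptom in the thread) fails closed.
function evaluateIdmAuthResponse(status, body, expectedUsername) {
  if (status !== 200 || !body || typeof body !== "object") return "false";
  return body.authenticationId === expectedUsername ? "true" : "false";
}

// End-to-end: build the request, send it through `send`, evaluate the reply.
function authenticateViaIdm(username, password, send) {
  const res = send(buildIdmAuthRequest(username, password));
  return evaluateIdmAuthResponse(res.status, res.body, username);
}

// Constructed stand-in for IDM (NOT the real server): it authenticates whatever
// the X-OpenIDM-* headers carry and ignores the body, which is the behaviour the
// reply describes. Accounts, passwords and the 401 body are made up.
const FAKE_IDM_USERS = { "openidm-admin": "openidm-admin", anees: "example-user-pw" };
function fakeIdmSend(req) {
  const u = req.headers["X-OpenIDM-Username"];
  const p = req.headers["X-OpenIDM-Password"];
  if (Object.prototype.hasOwnProperty.call(FAKE_IDM_USERS, u) && FAKE_IDM_USERS[u] === p) {
    return { status: 200, body: { authenticationId: u } };
  }
  return { status: 401, body: { code: 401, reason: "Unauthorized" } };
}

// Reproduce the original mistake: admin credentials in the headers, the user's
// in the body. The header identity is what gets authenticated, so the reply
// names "openidm-admin" and the outcome for the real user is "false".
function originalScriptOutcome(username, password, send) {
  const req = buildIdmAuthRequest("openidm-admin", "openidm-admin");
  req.body = { username, password }; // ignored by the endpoint
  const res = send(req);
  return {
    authenticationId: res.body.authenticationId,
    outcome: evaluateIdmAuthResponse(res.status, res.body, username),
  };
}

console.log(authenticateViaIdm("anees", "example-user-pw", fakeIdmSend));
console.log(originalScriptOutcome("anees", "example-user-pw", fakeIdmSend));
```

Keeping the authenticationId comparison in the outcome logic is what surfaced the bug in the thread, and it is worth keeping after the fix: a 200 from IDM alone does not prove that the account named in the response is the one the user typed.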

Hello,

Thank you for your assistance with the authentication issue. Following your advice, I passed the username and password of the user I wanted to authenticate in the X-OpenIDM-Username and X-OpenIDM-Password headers, and the authentication is now working correctly.

However, I am encountering a new issue related to redirection after authentication. In the authentication tree, I have added success and failure URL nodes with specific redirection addresses. Although the authentication is successful (as verified in the script logs), the redirection to the specified URLs is not occurring.

Current Configuration
Authentication Tree:
Success URL Node: Configured with the redirection address for successful authentication.
Failure URL Node: Configured with the redirection address for failed authentication.
Issue
Despite the authentication succeeding (as indicated by the logs), the redirection to the specified success or failure URLs is not happening.

Request for Assistance
Could you please provide guidance on the following:

Are there additional configurations or settings required to enable redirection in the authentication tree?
Is there a specific way to handle redirections post-authentication in OpenAM to ensure they function correctly?
Any debugging tips or common pitfalls to look out for that might cause redirections to fail?
Thank you again for your help. Your advice has been invaluable in resolving the initial authentication issue, and I look forward to your guidance on addressing the redirection problem.

Best regards,
Anees

AM needs to retrieve the user’s profile in order to create the session token, but since you are authenticating via IDM, I guess the user profile is not available in AM’s identity store? So this could be the reason why the tree is failing. You could try to make this configuration change:

In Authentication → Settings → User profile, set to “none”, or “dynamic”

Note that this applies to the entire realm…