OERealm in Authentication Gateway 11.7

Posted by benBuckley on 27-Apr-2018 09:03

The Authentication Gateway appears to strip off a domain before passing credentials to whatever scheme is configured. In most cases this is fine, but I have an OERealm scheme that relies on getting that domain name to uniquely identify a user in a multi-tenanted environment. Is there a way to configure the gateway to pass along the domain name, so I don’t need to append it twice?

Example: I have a PAS app set up for STS authentication. The user logs in as user@domain. When my Realm receives credentials from the Gateway, it logs out username: "user", domain: "". If the user logs in as user@domain@domain, the realm logs username: "user", domain: "domain".

All Replies

Posted by Peter Judge on 30-Apr-2018 12:26

The policy provider is passed a client-principal as part of the ApplyPolicy event. That C-P has a qualified-user-id (or user-id) which should contain the user name and domain.

/* Applies a policy
   @param character  (mandatory) The sender of the event
   @param character  (mandatory) The name of the policy event
   @param Principal  (mandatory) The client-principal/token currently being processed in the STS.
                     Modifications to the contained Token will be returned to the STS.
   @param JsonObject (optional) A collection of options and operations supported by the domain
   @param character out (optional) Status detail text
   @return PAMStatusEnum (optional) A new status for the CP based on the policy */
method public PAMStatusEnum ApplyPolicy(input  pcSender as character,
                                        input  pcPolicyName as character,
                                        input  poPrincipal as Principal,
                                        input  poDomainCtx as JsonObject,
                                        output pcStatusDetail as character ):
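
As an added illustration of the point above (example code, not from the reply or from Progress), here is an ApplyPolicy implementation that reads the user name and domain from the client-principal and records when the domain is missing. It assumes that OpenEdge.Security.Principal exposes the CLIENT-PRINCIPAL handle as its Token property, that returning ? leaves the status unchanged, and that the class name TenantDomainPolicy and the base class of a real policy provider are placeholders not shown on the page.

```abl
/* Added example, not the original post's code. Assumptions are marked below. */
block-level on error undo, throw.

using OpenEdge.Security.Principal.
using Progress.Json.ObjectModel.JsonObject.
/* PAMStatusEnum's package is not shown on the page; add its USING statement here. */

class TenantDomainPolicy:   /* hypothetical name; real providers inherit from an STS base class */

    method public PAMStatusEnum ApplyPolicy(input  pcSender       as character,
                                            input  pcPolicyName   as character,
                                            input  poPrincipal    as Principal,
                                            input  poDomainCtx    as JsonObject,
                                            output pcStatusDetail as character):
        define variable hCP as handle no-undo.

        /* Assumption: Principal:Token is the CLIENT-PRINCIPAL handle the STS is processing. */
        hCP = poPrincipal:Token.

        /* Built-in CLIENT-PRINCIPAL attributes: USER-ID is the bare name,
           DOMAIN-NAME the tenant, QUALIFIED-USER-ID is "user@domain". */
        log-manager:write-message(substitute("POLICY User: &1, Domain: &2, State: &3",
                                             hCP:qualified-user-id,
                                             hCP:domain-name,
                                             hCP:login-state), "POLICY").

        /* In a multi-tenant realm the domain is what makes the user unique; an
           empty domain is the failure mode described in the thread, so record it. */
        if hCP:domain-name eq "" or hCP:domain-name eq ? then
        do:
            assign pcStatusDetail = substitute("No domain in client-principal for user &1",
                                               hCP:user-id).
            /* Assumption: returning ? (unknown) keeps the principal's current status. */
            return ?.
        end.

        assign pcStatusDetail = "".
        return ?.
    end method.

end class.
```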

Posted by benBuckley on 30-Apr-2018 13:01

With OERealm, I never get to the stage where the policy is applied.

When I run stsclientutil with username bennettb@APP, my Realm logs out the correct username, but a blank domain name, and then the CLIENT-AUTHENTICATION-ERROR event fires: 

sender: STS
C-P Token 1150
context: Progress.Json.ObjectModel.JsonObject_1152
Request by sparkRest@OESPA for 'ValidateUser' is valid.
User: bennettb Domain:
sender: STS
C-P Token 1160
context: Progress.Json.ObjectModel.JsonObject_1162

When I run with username bennettb@APP@APP, authentication succeeds, and only the inner domain is registered by the policy (confirmed by setting up a second domain on the same scheme):

sender: STS
C-P Token 1297
context: Progress.Json.ObjectModel.JsonObject_1299
Request by sparkRest@OESPA for 'ValidateUser' is valid.
User: bennettb Domain: APP
Request by sparkRest@OESPA for 'GetAttribute' is valid.
10005 : ATTR_ROLES : WatchlistAdminMaster,WatchlistCreate,WatchlistDelete,WatchlistRead,WatchlistUpdate
Request by sparkRest@OESPA for 'GetAttribute' is valid.
10005 : ATTR_ENABLED : 1
Request by sparkRest@OESPA for 'GetAttribute' is valid.
10005 : ATTR_LOCKED : 0
Request by sparkRest@OESPA for 'GetAttribute' is valid.
10005 : ATTR_EXPIRED : 0
Request by sparkRest@OESPA for 'ValidatePassword' is valid.
UserID: 10005 Password: n*******
sender: STS
C-P Token 1328
context: Progress.Json.ObjectModel.JsonObject_1330
POLICY User: bennettb@APP, Status: INITIAL
sender: STS
C-P Token 1342
context: Progress.Json.ObjectModel.JsonObject_1344
sender: STS
C-P Token 1349

Posted by KorakSchoone on 03-Oct-2018 07:48

We have the exact same problem now, so I am curious if there is a solution.

Using the double @ doesn't work for us either. The STS gives the error "Domain qualified user not allowed."
