OERealm in Authentication Gateway 11.7 - Forum - OpenEdge Development - Progress Community


The Authentication Gateway appears to strip off a domain before passing credentials to whatever scheme is configured. In most cases this is fine, but I have an OERealm scheme that relies on getting that domain name to uniquely identify a user in a multi-tenanted environment. Is there a way to configure the gateway to pass along the domain name, so I don’t need to append it twice?

Example: I have a PAS app set up for STS authentication. The user logs in as user@domain. When my Realm receives credentials from the Gateway, it logs out username: "user", domain: "". If the user logs in as user@domain@domain, the realm logs username: "user", domain: "domain".

All Replies
  • The policy provider is passed a client-principal as part of the ApplyPolicy event. That C-P has a qualified-user-id (or user-id) which should contain the user name and domain.

    /* Applies a policy

       @param character  (mandatory) The sender of the event
       @param character  (mandatory) The name of the policy event
       @param Principal  (mandatory) The client-principal/token currently being processed in the STS.
                         Modifications to the contained Token will be returned to the STS.
       @param JsonObject (optional) A collection of options and operations supported by the domain
       @param character out (optional) Status detail text
       @return PAMStatusEnum (optional) A new status for the CP based on the policy */
    method public PAMStatusEnum ApplyPolicy(input  pcSender as character,
                                            input  pcPolicyName as character,
                                            input  poPrincipal as Principal,
                                            input  poDomainCtx as JsonObject,
                                            output pcStatusDetail as character ):

  • With OERealm, I never get to the stage where the policy is applied.

    When I run stsclientutil with username bennettb@APP, my Realm logs out the correct username, but a blank domain name, and then the CLIENT-AUTHENTICATION-ERROR event fires: 

    sender: STS
    event: CLIENT-AUTHENTICATING
    C-P Token 1150
    context: Progress.Json.ObjectModel.JsonObject_1152
    Request by sparkRest@OESPA for 'ValidateUser' is valid.
    User: bennettb Domain:
    sender: STS
    event: CLIENT-AUTHENTICATION-ERROR
    C-P Token 1160
    context: Progress.Json.ObjectModel.JsonObject_1162

    When I run with username bennettb@APP@APP, authentication succeeds, and only the inner domain is registered by the policy (confirmed by setting up a second domain on the same scheme):

    sender: STS
    event: CLIENT-AUTHENTICATING
    C-P Token 1297
    context: Progress.Json.ObjectModel.JsonObject_1299
    Request by sparkRest@OESPA for 'ValidateUser' is valid.
    User: bennettb Domain: APP
    Request by sparkRest@OESPA for 'GetAttribute' is valid.
    10005 : ATTR_ROLES : WatchlistAdminMaster,WatchlistCreate,WatchlistDelete,WatchlistRead,WatchlistUpdate
    Request by sparkRest@OESPA for 'GetAttribute' is valid.
    10005 : ATTR_ENABLED : 1
    Request by sparkRest@OESPA for 'GetAttribute' is valid.
    10005 : ATTR_LOCKED : 0
    Request by sparkRest@OESPA for 'GetAttribute' is valid.
    10005 : ATTR_EXPIRED : 0
    Request by sparkRest@OESPA for 'ValidatePassword' is valid.
    UserID: 10005 Password: n*******
    sender: STS
    event: POLICY-APPLYING
    C-P Token 1328
    context: Progress.Json.ObjectModel.JsonObject_1330
    POLICY User: bennettb@APP, Status: INITIAL
    sender: STS
    event: POLICY-APPLIED
    C-P Token 1342
    context: Progress.Json.ObjectModel.JsonObject_1344
    sender: STS
    event: CLIENT-AUTHENTICATED
    C-P Token 1349
    Progress.Json.ObjectModel.JsonObject_1351

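The following is an added model of the two-stage parsing the logs above show, not Progress code and not something posted in this thread: the STS keeps the trailing @domain for itself and the custom OERealm parses only what is left, so a multi-tenant realm that is handed an unqualified name should refuse it rather than guess the tenant. The split-on-last-'@' rule, the user table and the function names are assumptions made for the illustration.

```python
# Constructed model of the behaviour visible in the thread's log output.
# Assumption: both the STS and the custom realm split a login on the LAST '@'.

def gateway_split(login: str):
    """Model of the STS/gateway step: returns (name_passed_to_realm, sts_domain)."""
    if "@" in login:
        user, _, domain = login.rpartition("@")
        return user, domain
    return login, ""


def realm_parse(realm_user: str):
    """Model of the custom OERealm parsing the name it receives into (user, domain)."""
    if "@" in realm_user:
        user, _, domain = realm_user.rpartition("@")
        return user, domain
    return realm_user, ""


# Constructed multi-tenant user table keyed by (user, domain); the same login
# name exists in two tenants, which is exactly why the domain is needed.
USERS = {
    ("bennettb", "APP"): {"id": 10005, "enabled": True},
    ("bennettb", "OTHER"): {"id": 20005, "enabled": True},
}


def realm_lookup(user: str, domain: str):
    """Fail closed: an unqualified name is ambiguous across tenants,
    so return no record instead of picking the first tenant that matches."""
    if not domain:
        return None
    return USERS.get((user, domain))


def authenticate(login: str):
    """Run a login through both stages and report what the realm saw."""
    realm_user, _sts_domain = gateway_split(login)
    user, domain = realm_parse(realm_user)
    record = realm_lookup(user, domain)
    return {
        "realm_user": user,
        "realm_domain": domain,
        "user_id": record["id"] if record else None,
    }
```

With this model, bennettb@APP reaches the realm as a bare "bennettb" and is refused, while bennettb@APP@APP reaches it as "bennettb@APP" and resolves to user 10005, which is the pattern the two log extracts show.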

  • We have the exact same problem now, so I am curious if there is a solution.

    Using the double @ doesn't work for us either. The STS gives the error "Domain qualified user not allowed."