Originally Posted by jessesmith
|
I am basing this off of the Access Management Authentication Class Extension to Retrieve Password for Single Sign-on | Novell User Communities coolsolution. I have tried the exact class from this coolsolution, and I have also tried decompiling the code and making numerous changes to it for validation. I have not been able to verify that this coolsolution works in 3.1.
We have two methods on a contract. The first method uses the Kerberos class. The second was custom developed, whose purpose is to find the ID of the logged-in user (the NIDPPrincipal), grab the password from Universal Password (using NMAS tools), and set it in the AM credential profile for use in policies.
The status is that Kerberos authenticates successfully, the second class runs, successfully grabs the Universal Password, and runs the following commands:
// Build the "LDAPCredentials" secret with a single "UserPassword" entry
SSSecret localSSSecret = new SSSecret();
localSSSecret.setName(new SSName("LDAPCredentials"));
SSSecretEntry localSSSecretEntry = new SSSecretEntry("UserPassword", paramString);
localSSSecret.addSecretEntry(localSSSecretEntry);
// Push the entry into the credential profile under the well-known UserPassword token
addCredential(WSCQSSToken.SS_SecretEntry_LDAPCredentials_UserPassword, localSSSecretEntry);
Where "paramString" is the Universal Password. I have printed this password to the log to verify it is the correct Universal Password for the user.
If I do a getCredentials() prior to running the addCredential method, I get 0 back. If I run it after, I get 1. This seems OK, however I would expect that my username and DN should already be in the credential profile, and that I should initially be getting 2 credentials back, not 0.
Here is a section of the IDP log that I see directly after the second, custom, Authentication class runs. I copied it twice, once in the scenario when the custom authentication class follows a Kerberos class (so no password provided by the user), and the second when followed by a Form-based authentication (password provided by the user). In the first case, notice there is no "WSCCacheEntry Found!" entry in the log after the final lookup of UserPassword, but it does appear in the Form example.
I have tried doing an addCredentials() in the custom auth class, and this adds two more entries into the credential profile (when I run the getCredentials() function). However, still the password credential is not available after the class is done.
Set: AuthenticationCredentials, Allowed override: false
</amLogEntry>
<amLogEntry> 2009-04-24T16:29:37Z NIDS Trace: Method: WSCCachePushedCacheSet.find()
Thread: http-80-Processor21
(1 of 6):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token uniqueId: NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D, set: AuthenticationCredentials
(2 of 6):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token uniqueId: NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserName~22~5D, set: AuthenticationCredentials
(3 of 6):
WSCCacheEntry Found!
(4 of 6):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token uniqueId: NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserDN~22~5D, set: AuthenticationCredentials
(5 of 6):
WSCCacheEntry Found!
(6 of 6):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token uniqueId: NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserPassword~22~5D, set: AuthenticationCredentials
</amLogEntry>
When doing in the form auth, I see the following:
Set: AuthenticationCredentials, Allowed override: false
</amLogEntry>
<amLogEntry> 2009-04-24T16:48:32Z NIDS Trace: Method: WSCCachePushedCacheSet.find()
Thread: http-80-Processor25
(1 of 7):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token uniqueId: NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D, set: AuthenticationCredentials
(2 of 7):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token uniqueId: NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserName~22~5D, set: AuthenticationCredentials
(3 of 7):
WSCCacheEntry Found!
(4 of 7):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token uniqueId: NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserDN~22~5D, set: AuthenticationCredentials
(5 of 7):
WSCCacheEntry Found!
(6 of 7):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token uniqueId: NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserPassword~22~5D, set: AuthenticationCredentials
(7 of 7):
WSCCacheEntry Found!
</amLogEntry>
So, somehow it doesn't seem to set the value in the credential cache, or whatever that thing is. And since it's not there, it doesn't add it to the credential set.
Any thoughts on whether it should be doing what I want it to? This whole scenario can be tested by installing the coolsolution package and adding it after a Kerberos class.
Thanks to anyone who can support me on this.
|
Just updating this one with the solution ... I just needed to go to the method used and disable the 'Identifies User' option.
Here's the online help regarding this option:
Identifies User: Specifies whether this authentication method should be used to identify the user. Usually, you should enable this option. When configuring multiple methods for a contract, you might need to disable this option for some methods.
If you enable this option on two or more methods in a contract, these methods need to identify the same user in the same user store.
If you enable this option on just one method in the contract, that method identifies the user when the authentication method succeeds. The other methods in the contract must succeed, but might not authenticate the user. For example, the method that identifies the user could require a name and a password for authentication, and the other method in the contract could prompt for a certificate that identifies the user's computer.
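The diagnosis in the quoted post came from eyeballing the WSCCachePushedCacheSet.find() trace for a "WSCCacheEntry Found!" line after each lookup. As an added example (not code from the original thread, the coolsolution, or the NAM SDK), here is a small Python script that does that pairing mechanically and decodes the NEPX uniqueId tokens into the readable credential-profile XPath so the secret and entry names can be reported. The ~XX-is-a-hex-byte decoding is inferred from the tokens on this page (~3A → ':', ~2F → '/', ~40 → '@'), not taken from vendor documentation, and the two sample traces are trimmed copies of the Kerberos-first and Form-first traces above.

```python
import re

# ---- decoding of the NEPX "uniqueId" tokens ---------------------------------
# The tokens in the IDP trace escape each non-alphanumeric byte as ~XX (hex),
# e.g. ~3A -> ':', ~2F -> '/', ~40 -> '@', ~5B ~5D -> '[' ']', ~22 -> '"'.
# Assumption: this mapping is inferred from the tokens in the post itself.
_ESCAPE = re.compile(r"~([0-9A-Fa-f]{2})")


def decode_nepx(token: str) -> str:
    """Return the readable credential-profile XPath for a NEPX-prefixed uniqueId."""
    if token.startswith("NEPX"):
        token = token[4:]
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), token)


# ---- pairing each lookup with the "Found!" line that may follow it ----------
_LOOKUP = re.compile(r"Target token uniqueId:\s*([^\s,]+),\s*set:\s*(\S+)")
_SECRET = re.compile(r'cp:Secret\[cp:Name="([^"]+)"\]')
_ENTRY = re.compile(r'cp:Entry\[cp:Name="([^"]+)"\]')


def parse_trace(trace: str) -> list:
    """One record per 'Looking for WSCCacheEntry' line.  found=True only if a
    'WSCCacheEntry Found!' line appears before the next lookup."""
    lookups = []
    for line in trace.splitlines():
        m = _LOOKUP.search(line)
        if m:
            xpath = decode_nepx(m.group(1))
            secret = _SECRET.search(xpath)
            entry = _ENTRY.search(xpath)
            lookups.append({"set": m.group(2),
                            "secret": secret.group(1) if secret else None,
                            "entry": entry.group(1) if entry else None,  # None = secret-level lookup
                            "xpath": xpath,
                            "found": False})
        elif "WSCCacheEntry Found!" in line and lookups:
            lookups[-1]["found"] = True
    return lookups


def missing_entries(trace: str) -> list:
    """Entry names (UserName, UserDN, UserPassword, ...) that were looked up but never found."""
    return [rec["entry"] for rec in parse_trace(trace) if rec["entry"] and not rec["found"]]


# ---- constructed sample traces (trimmed from the two traces quoted above) ---
_PREFIX = "NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret"
_QS = ("~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret"
       "~5Bcp~3AName~3D~22LDAPCredentials~22~5D")
FOUND = "WSCCacheEntry Found!"


def _lookup_line(token: str) -> str:
    return ("Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token uniqueId: "
            f"{token}, set: AuthenticationCredentials")


def _entry_token(name: str) -> str:
    # Same shape as the cp:Entry tokens in the post, parameterised on the entry name
    return f"{_PREFIX}~2Fcp~3AEntry{_QS}~2Fcp~3AEntry~5Bcp~3AName~3D~22{name}~22~5D"


# Kerberos method first: the UserPassword lookup is the last step and gets no "Found!".
KERBEROS_TRACE = "\n".join([
    "(1 of 6):", _lookup_line(_PREFIX + _QS),
    "(2 of 6):", _lookup_line(_entry_token("UserName")),
    "(3 of 6):", FOUND,
    "(4 of 6):", _lookup_line(_entry_token("UserDN")),
    "(5 of 6):", FOUND,
    "(6 of 6):", _lookup_line(_entry_token("UserPassword")),
])

# Form method first: every entry lookup is followed by a "Found!".
FORM_TRACE = "\n".join([
    "(1 of 7):", _lookup_line(_PREFIX + _QS),
    "(2 of 7):", _lookup_line(_entry_token("UserName")),
    "(3 of 7):", FOUND,
    "(4 of 7):", _lookup_line(_entry_token("UserDN")),
    "(5 of 7):", FOUND,
    "(6 of 7):", _lookup_line(_entry_token("UserPassword")),
    "(7 of 7):", FOUND,
])

if __name__ == "__main__":
    for label, trace in (("kerberos-first", KERBEROS_TRACE), ("form-first", FORM_TRACE)):
        for rec in parse_trace(trace):
            what = rec["entry"] or "<secret>"
            print(f"{label:15} {rec['secret']}/{what}: {'found' if rec['found'] else 'MISSING'}")
```

Run against a real trace, paste the block between the matching `<amLogEntry>` tags into `parse_trace()`; the secret-level lookup ("(1 of N)") shows as MISSING in both traces on this page, so `missing_entries()` deliberately reports only the cp:Entry lookups, which is where the Kerberos-first and Form-first cases differ.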