I am basing this off of the "Access Management Authentication Class Extension to Retrieve Password for Single Sign-on" coolsolution on Novell User Communities. I have tried the exact class from this coolsolution, and I have also tried decompiling the code and making numerous changes to it for validation. I have not been able to verify that this coolsolution works in 3.1.
We have two methods on a contract. The first method uses the Kerberos class. The second was custom developed, whose purpose is to find the ID of the logged-in user (the NIDPPrincipal), grab the password from Universal Password (using NMAS tools), and set it in the AM credential profile for use in policies.
The status is that Kerberos authenticates successfully, the second class runs, successfully grabs the Universal Password, and runs the following commands:
SSSecret localSSSecret = new SSSecret();
localSSSecret.setName(new SSName("LDAPCredentials"));
SSSecretEntry localSSSecretEntry = new SSSecretEntry("UserPassword", paramString);
localSSSecret.addSecretEntry(localSSSecretEntry);
addCredential(WSCQSSToken.SS_SecretEntry_LDAPCredentials_UserPassword, localSSSecretEntry);
Where "paramString" is the Universal Password. I have printed this password to the log to verify it is the correct Universal Password for the user.
If I do a getCredentials() prior to running the addCredential method, I get 0 back. If I run it after, I get 1. This seems OK; however, I would expect that my username and DN should already be in the credential profile, and that I should initially be getting 2 credentials back, not 0.
Here is a section of the IDP log that I see directly after the second, custom, Authentication class runs. I copied it twice, once in the scenario when the custom authentication class follows a Kerberos class (so no password provided by the user), and the second when followed by a Form-based authentication (password provided by the user). In the first case, notice there is no "WSCCacheEntry Found!" entry in the log after the final lookup of UserPassword, but it does appear in the Form example.
I have tried doing an addCredentials() in the custom auth class, and this adds two more entries into the credential profile (when I run the getCredentials() function). However, still the password credential is not available after the class is done.
Set: AuthenticationCredentials, Allowed override: false
</amLogEntry>
<amLogEntry> 2009-04-24T16:29:37Z NIDS Trace: Method: WSCCachePushedCacheSet.find()
Thread: http-80-Processor21
(1 of 6):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token uniqueId: NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D, set: AuthenticationCredentials
(2 of 6):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token uniqueId: NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserName~22~5D, set: AuthenticationCredentials
(3 of 6):
WSCCacheEntry Found!
(4 of 6):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token uniqueId: NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserDN~22~5D, set: AuthenticationCredentials
(5 of 6):
WSCCacheEntry Found!
(6 of 6):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token uniqueId: NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserPassword~22~5D, set: AuthenticationCredentials
</amLogEntry>
When doing the form auth, I see the following:
Set: AuthenticationCredentials, Allowed override: false
</amLogEntry>
<amLogEntry> 2009-04-24T16:48:32Z NIDS Trace: Method: WSCCachePushedCacheSet.find()
Thread: http-80-Processor25
(1 of 7):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token uniqueId: NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D, set: AuthenticationCredentials
(2 of 7):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token uniqueId: NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserName~22~5D, set: AuthenticationCredentials
(3 of 7):
WSCCacheEntry Found!
(4 of 7):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token uniqueId: NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserDN~22~5D, set: AuthenticationCredentials
(5 of 7):
WSCCacheEntry Found!
(6 of 7):
Looking for WSCCacheEntry in WSCCachePushedCacheSet! Target token uniqueId: NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserPassword~22~5D, set: AuthenticationCredentials
(7 of 7):
WSCCacheEntry Found!
</amLogEntry>
So, somehow it doesn't seem to set the value in the credential cache, or whatever that thing is. And since it's not there, it doesn't add it to the credential set.
Any thoughts on whether this should be doing what I want it to? This whole scenario can be tested by installing the coolsolution package and adding it after a Kerberos class.
Thanks to anyone who can support me on this.
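The two trace blocks quoted in the post differ only in whether the final UserPassword lookup is followed by a "WSCCacheEntry Found!" line. As an added example (not part of the original post or of the coolsolution), the following Python script parses that WSCCachePushedCacheSet.find() trace shape, decodes the target token uniqueId, and reports which cp:Entry lookups the pushed cache could not satisfy. The decoding assumes that the ~XX escapes in the token are percent-encoding with "~" in place of "%" (an assumption drawn from the tokens themselves: ~3A is ":", ~2F is "/", ~40 is "@"). The sample traces are reconstructed from the two excerpts above; the parser only ever reports entry names, never credential values, so it is safe to run over IDP logs that may contain secrets.

```python
"""Parse NIDS 'WSCCachePushedCacheSet.find()' trace output and report which
credential-profile entries were resolved from the pushed cache.

Added example; not code from the original post or from the coolsolution.
"""
from __future__ import annotations

import re

# Assumption: ~XX in the target token is percent-encoding with '~' instead of '%'
# (~3A=':', ~2F='/', ~40='@', ~5B='[', ~5D=']', ~3D='=', ~22='"').
_ESCAPE = re.compile(r"~([0-9A-Fa-f]{2})")
_LOOKUP = re.compile(r"Target token uniqueId: (\S+), set: (\S+)")
_ENTRY = re.compile(r'cp:Entry\[cp:Name="([^"]+)"\]')
_SECRET = re.compile(r'cp:Secret\[cp:Name="([^"]+)"\]')


def decode_unique_id(token: str) -> str:
    """Turn NEPXurn~3Anovell~3A... into NEPXurn:novell:... ."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), token)


def target_name(decoded: str) -> tuple[str, str]:
    """('entry', name) for a cp:Entry lookup, ('secret', name) for the secret itself."""
    m = _ENTRY.search(decoded)
    if m:
        return "entry", m.group(1)
    m = _SECRET.search(decoded)
    return ("secret", m.group(1)) if m else ("unknown", decoded)


def parse_lookups(trace: str) -> list[dict]:
    """Pair each 'Looking for WSCCacheEntry' line with the 'WSCCacheEntry Found!'
    that follows it. A lookup with no Found! line before the next lookup (or the
    end of the block) is recorded as a miss."""
    lookups: list[dict] = []
    pending: dict | None = None
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("Looking for WSCCacheEntry"):
            if pending is not None:
                lookups.append(pending)  # previous lookup had no Found! line
            m = _LOOKUP.search(line)
            if not m:
                pending = None
                continue
            kind, name = target_name(decode_unique_id(m.group(1)))
            pending = {"kind": kind, "name": name, "set": m.group(2), "found": False}
        elif line == "WSCCacheEntry Found!" and pending is not None:
            pending["found"] = True
            lookups.append(pending)
            pending = None
    if pending is not None:
        lookups.append(pending)
    return lookups


def missing_entries(trace: str) -> list[str]:
    """Names of cp:Entry lookups the pushed cache could not satisfy."""
    return [l["name"] for l in parse_lookups(trace)
            if l["kind"] == "entry" and not l["found"]]


# --- Constructed sample input, reconstructed from the two trace excerpts in the post ---
_PREFIX = "NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret"
_QUAL = ("~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret"
         "~5Bcp~3AName~3D~22LDAPCredentials~22~5D")
SECRET_TOKEN = _PREFIX + _QUAL


def entry_token(name: str) -> str:
    """Token for the cp:Entry named `name` under the LDAPCredentials secret."""
    return _PREFIX + "~2Fcp~3AEntry" + _QUAL + "~2Fcp~3AEntry~5Bcp~3AName~3D~22" + name + "~22~5D"


_LOOK = ("Looking for WSCCacheEntry in WSCCachePushedCacheSet! "
         "Target token uniqueId: {}, set: AuthenticationCredentials")

# Kerberos case from the post: UserPassword lookup is never followed by Found!
KERBEROS_TRACE = "\n".join([
    "(1 of 6):", _LOOK.format(SECRET_TOKEN),
    "(2 of 6):", _LOOK.format(entry_token("UserName")),
    "(3 of 6):", "WSCCacheEntry Found!",
    "(4 of 6):", _LOOK.format(entry_token("UserDN")),
    "(5 of 6):", "WSCCacheEntry Found!",
    "(6 of 6):", _LOOK.format(entry_token("UserPassword")),
])

# Form-based case from the post: all three entries resolve.
FORM_TRACE = "\n".join([
    "(1 of 7):", _LOOK.format(SECRET_TOKEN),
    "(2 of 7):", _LOOK.format(entry_token("UserName")),
    "(3 of 7):", "WSCCacheEntry Found!",
    "(4 of 7):", _LOOK.format(entry_token("UserDN")),
    "(5 of 7):", "WSCCacheEntry Found!",
    "(6 of 7):", _LOOK.format(entry_token("UserPassword")),
    "(7 of 7):", "WSCCacheEntry Found!",
])

if __name__ == "__main__":
    for label, trace in (("kerberos", KERBEROS_TRACE), ("form", FORM_TRACE)):
        print(label, "missing entries:", missing_entries(trace))
```

Run it directly, or feed a real trace block (copied from the IDP log between one "WSCCachePushedCacheSet.find()" header and its closing amLogEntry tag) to missing_entries(); for the Kerberos excerpt it reports UserPassword as the one entry the pushed cache does not hold, for the form excerpt it reports nothing.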