How to get username from openSSO/openAM system?

authentication cookies opensso openam
Goren picture Goren · Apr 5, 2012 · Viewed 12.4k times · Source

I'm currently using openAM to protect a small webapp of mine using a Java EE web agent. Someone tries to access the app, they get redirected to the openAM instance, they login, they go to the app. Simple stuff.

What I'd like is for openAM to pass the username that was successfully used to the web app. It's my understanding that "session attributes" should be used for this. When in the admin, I go to my Java EE webagent and open up the "Application" tab to see the "Session Attributes Processing". I see that HTTP_COOKIE is a choice for fetching.

1) is it the case that I should expect to see the username, if properly set up, as plaintext in the cookie? 2) what value do I enter in the session mapping to get the username? How do I find what value in the data store corresponds to this?

Thanks

Answer

n2studio picture n2studio · Jan 31, 2014

We are using HTTP_HEADER with our agents. So if you are already using agents (which sounds like you are), then the following should work for you. In OpenAM web console:

  • Access Control > Top Level Realm > Agents > Web / J2EE / etc. > click on an agent
  • Application tab > Profile Attributes Processing section > Profile Attribute Fetch Mode:
  • Click on the "HTTP_HEADER" choice
  • Profile Attribute Mapping:
  • Map Key: [uid] ... Corresponding Map Value: uid
  • Click Add. It should look like [uid]=uid once you've added it. Add any other mapping you need that matches attributes to your backend authentication system. Ours is ldap.

In your web application, retrieve the HTTP Header elements and look for the token. It should look something like this: AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.AAJTSQABMDE.

You can then use the OpenAM REST interface to validate and retrieve attributes associated with the token such as user name, password, cn, etc. To retrieve all attributes, the URL would be like this:

http://<OpenAM_Host>:<Port>/<deploy_uri>/identity/attributes?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*

You can also specify attributes you want like this:

http://<OpenAM_Host>:<Port>/<deploy_uri>/identity/attributes?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*&attributenames=uid&attributenames=userpassword

References:
https://wikis.forgerock.org/confluence/display/openam/Use+OpenAM+RESTful+Services
http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/dev-guide/index/chap-rest.html

Related questions

How to use Python to login to a webpage and retrieve cookies for later usage?

I want to download and parse webpage using python, but to access it I need a couple of cookies set. Therefore I need to login over https to the webpage first. The login moment involves sending two POST params (username, …

Read More
How does cookie based authentication work?

Can someone give me a step by step description of how cookie based authentication works? I've never done anything involving either authentication or cookies. What does the browser need to do? What does the server need to do? In what …

Read More
Token Authentication vs. Cookies

What is the difference between token authentication and authentication using cookies? I am trying to implement the Ember Auth Rails Demo but I do not understand the reasons behind using token authentication as described in the Ember Auth FAQ on …

Read More