3

Please help me out with this: I am trying to setup federation with one idp and one sp in openam. Data store being used is ApacheDS. I am trying to follow the following tutorial for the same.

http://fczaja.blogspot.com/2012/06/idp-initiated-sso-and-identity.html

I was receiving following error in the openam logs during Test Federation Connectivity (from console)**

libSAML2:10/30/2012 06:48:41:399 PM IST: Thread[http-8080-1,5,main]
AccountUtils.setAccountFederation:  set fedinfo {sun-fm-saml2-nameid-info=[http://www.idp.com:8080/openam_10.0.0|http://www.sp.com:8090/openam_10.0.0|WC++1dcclPD//rTlgpYLD0EEISg2|http://www.idp.com:8080/openam_10.0.0|urn:oasis:names:tc:SAML:2.0:nameid-format:persistent|null|http://www.sp.com:8090/openam_10.0.0|IDPRole|false], sun-fm-saml2-nameid-infokey=[http://www.idp.com:8080/openam_10.0.0|http://www.sp.com:8090/openam_10.0.0|WC++1dcclPD//rTlgpYLD0EEISg2]} userID = id=appu,ou=user,dc=opensso,dc=java,dc=net
libPlugins:10/30/2012 06:48:41:543 PM IST: Thread[http-8080-1,5,main]
ERROR: IdRepoDataStoreProvider.setAttribute(): IdRepo exception
Message:Plug-in com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo encountered an ldap exception.  LDAP Error 16: The specified attribute could not be found.
                        at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.handleLDAPException(LDAPv3Repo.java:6117)
                        at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.setAttributes(LDAPv3Repo.java:4141)
                        at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.setAttributes(LDAPv3Repo.java:3921)
                        at com.sun.identity.idm.server.IdServicesImpl.setAttributes(IdServicesImpl.java:1701)

Which probably meant that openam was trying to use some LDAP attribute which wasn’t present (since I created minimal attribute set in ApacheDS). So I went to Data store settings in both IDP and SP and removed the non-available attributes from LDAP User Attributes. Now it is giving the following error:

WARNING: IdServicesImpl.setAttributes: Unable to modify identity in the following repository com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo :: Illegal arguments: One or more required arguments is null or empty
amIdm:10/31/2012 10:20:26:362 AM IST: Thread[http-8080-1,5,main]
IdServicesImpl.setAttributes: Unable to set attributes in the following repository com.sun.identity.idm.plugins.internal.SpecialRepo :: Plug-in com.sun.identity.idm.plugins.internal.SpecialRepo does not support operation edit for type {2}
amIdm:10/31/2012 10:20:26:362 AM IST: Thread[http-8080-1,5,main]
WARNING: IdServicesImpl.setAttributes: Unable to set attributes  for identity user::appu in any configured data store
Message:Illegal arguments: One or more required arguments is null or empty
                        at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.setAttributes(LDAPv3Repo.java:4039)
                        at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.setAttributes(LDAPv3Repo.java:3921)

Some forums are saying that attributes like sun-fm-saml2-nameid-info and sun-fm-saml2-nameid-infokey are required. But I cannot add them to my data store as they don’t match with schema. Also I am unable to import the LDIFs given in openam installation to Apache DS. I have two questions: 1. I am going in the right direction (Adding attributes to Apache ds data store will help) ? If yes how can I push openam related schmea items in Apache ds as well? 2. Is there something I am missing here completely.

Apoorve
  • 165
  • 3
  • 9
  • Could not get the solution but got the federation running. What was happening was openam tries to write to LDAP store when linking accounts. It failed to do so with ApacheDS (for unkown reasons). However when i tried to use opendj in its place it was able to easily read write schema/entries into LDAP. So with the same implementation as mentioned in http://fczaja.blogspot.com/2012/06/idp-initiated-sso-and-identity.html and the ldap store as OpenDJ the federation started to work. – Apoorve Nov 01 '12 at 04:34
  • why it doesnt work with ApacheDS is a mystery though :( – Apoorve Nov 01 '12 at 04:37

1 Answers1

2

Depending on the SAML NameID-Format, OpenAM will try to save Federation info in the user data store. By default these attributes are "sun-fm-saml2-nameid-info" and "sun-fm-saml2-nameid-infokey", but you can change the attribute names to anything you'd like on the Configuration -> Global -> SAMLv2 Service Configuration page.

In case your SP is using transient NameID-Format, this info won't be saved.

In case your SP is using unspecified NameID-Format, then on the remote SP configuration on the Assertion Content page you can use the option called: "Disable Federation persistence if NameID Format is unspecified", to disable this data store update.

In any other case OpenAM will try to save/use Account Federation to/from data store, which means that it will try to change/read the attribute in the data store as well. If your data store is unable to recognize these attributes, then it will throw an error as you've mentioned. Also it is most likely that when you use OpenDJ, the OpenAM schema is loaded there, hence the attribute can be saved.

In OpenAM 10.1.0 there will be an option to disable this update IF the ignored user profile mode is being used: https://bugster.forgerock.org/jira/browse/OPENAM-1427 .

So your current options are:

  • change the NameID-Format in your setup to transient/unspecified as described earlier
  • change the attributenames in the configuration to attributes, that are actually present in your ApacheDS schema
Peter Major
  • 2,975
  • 4
  • 16
  • 17
  • Thanks Peter. The "Disable Federation persistence if NameID Format is unspecified" did nto work somehow. But "change the attributenames in the configuration to attributes, that are actually present in your ApacheDS schema" method worked like a charm :). Thanks a lot for your help – Apoorve Nov 02 '12 at 07:17
  • Just wondering is there a readymade ldif which can be imported into any data stores to for adding openam specific attribute names to apacheds schema. – Apoorve Nov 02 '12 at 07:20
  • there's no LDIF for ApacheDS but for others like OpenDJ/OpenDS,Active Directory, Tivoli Directory Server ... you may have a look at 'opendj_user_schema.ldif' or 'ad_user_schema.ldif'. – Bernhard Thalmayr Nov 02 '12 at 14:48
  • Thanks Bernhard for that piece of information. I appreciate both of your for taking time to solve my queries. – Apoorve Nov 08 '12 at 10:17