
Set the value of a shared secret in a custom auth class


Hello All,
We are trying to use a custom authentication class to gain an
additional parameter to pass along in a SAML assertion to a third-party
vendor. We have successfully added the new custom auth class, but we
are unable to determine how to assign the value of this new parameter to
anything that is accessible in the creation of the SAML profile.

The first idea was to use a shared secret. Although we have been able
to create the shared secret, it does not have any value assigned.
Here's the code used based on the code used by the PwLookupLogin class
in the ba-idp-auth.jar file:

// Stores paramString in the Secret Store under the name "tag_van".
// As originally posted, the SSSecret assembled here was never used: the
// bare SSSecretEntry was handed to addCredential() instead of the secret
// that contains it, so nothing with a value was registered.
private void setUserTAG(String paramString) {
    SSSecret localSSSecret = new SSSecret();
    localSSSecret.setName(new SSName("tag_van"));
    SSSecretEntry localSSSecretEntry = new SSSecretEntry("tag_van", paramString);
    localSSSecret.addSecretEntry(localSSSecretEntry);
    addCredential(WSCQSSToken.SS_SecretName, localSSSecret);
}


The second idea was to make use of the "CustomizableStringOne" found in
a posting in this forum on how to extend a X.509 auth class:
http://forums.novell.com/novell-developer-forums/dev-access-manager/376654-using-x509-subject-identity-injection-post1826642.html#poststop


The code we have tried follows:


private void setUserSSN(String paramString) {
    // Makes use of the "Customizable String One [Custom Profile]".
    // Customizable attribute 1 is the one we use to contain customer data
    // to send, but this can change to another if necessary.
    try
    {
        WSCMOPToken token = (WSCMOPToken) WSCToken.getToken(
                WSCMOPToken.OP_CS_CustomizableString1.getTokenUniqueId());

        // Build object for new data
        WSFModelEntry modelEntry = token.getModelEntry();
        IDSISCommonAttributeElement data = modelEntry.getSchemaClassInstance();
        if (data instanceof IDSISLeafAttributeElement) {
            ((IDSISLeafAttributeElement) data).setText(paramString);
        }

        WSCMDataToken dataToken = new WSCMDataToken(token, data);
        dataToken.setAllowOverride(true);

        // As posted, the method stopped here, so the token was built but
        // never written. The modify request (given later in this thread)
        // is what actually stores the value in the custom profile.
        WSCResponse response = WSC.modifyData(m_Session,
                new WSCMDataToken[] { dataToken }, m_Request.getLocale());
    }
    catch (Exception ex) {
        // An empty catch hides why the write failed; at least log ex here.
    }
}


Again, the same problem. No value is found when the idpsend CGI tries
to generate the assertion.

We are really struggling to understand how this should work. The basic
problem is this: How can we set a variable within a Java class that can
be accessed by the idpsend CGI to be used as an attribute within the
SAML assertion?

Any ideas would be greatly appreciated. Thanks.


--
keongregory
------------------------------------------------------------------------
keongregory's Profile: http://forums.novell.com/member.php?userid=40599
View this thread: http://forums.novell.com/showthread.php?t=415440


Re: Set the value of a shared secret in a custom auth class

keongregory wrote:

>
> Hello All,
> We are trying to use a custom authentication class to gain
> additional parameter to pass along in a SAML assertion to a third
> party vendor. We have successfully added the new custom auth class,
> but we are unable to determine how to assign the value of this new
> parameter to anything that is accessible in the creation of the SAML
> profile.
>
> The first idea was to use a shared secret. Although we have been
> able to create the shared secret, it does not have any value
> assigned. Here's the code used based on the code used by the
> PwLookupLogin class in the ba-idp-auth.jar file:
>
> private void setUserTAG(String paramString) {
> SSSecret localSSSecret = new SSSecret();
> localSSSecret.setName(new SSName("tag_van"));
> SSSecretEntry localSSSecretEntry = new SSSecretEntry("tag_van",
> paramString);
> localSSSecret.addSecretEntry(localSSSecretEntry);
> addCredential(WSCQSSToken.SS_SecretName, localSSSecretEntry);
> }
>
>
> The second idea was to make use of the "CustomizableStringOne" found
> in a posting in this forum on how to extend a X.509 auth class:
> http://forums.novell.com/novell-developer-forums/dev-access-manager/376654-using-x509-subject-identity-injection-post1826642.html#poststop
>
>
> The code we have tried follows:
>
>
> private void setUserSSN(String paramString) {
> // Makes use of the "Customizable String One [Custom Profile]"
> try
> {
> // Customizable attribute 1 is the one we use to contain
> customer data to send,
> // but this can change to another if necessary
> WSCMOPToken token =
> (WSCMOPToken)WSCToken.getToken(WSCMOPToken.OP_CS_CustomizableString1.getTokenUniqueId());
>
> // Build object for new data
> WSFModelEntry modelEntry = token.getModelEntry();
> IDSISCommonAttributeElement data =
> modelEntry.getSchemaClassInstance();
> if (data instanceof IDSISLeafAttributeElement) {
> ((IDSISLeafAttributeElement)data).setText(paramString);
> }
>
> WSCMDataToken dataToken = new WSCMDataToken(token, data);
> dataToken.setAllowOverride(true);
> }
> catch (Exception ex) {}
> }
>
>
> Again, the same problem. No value is found when the idpsend CGI
> tries to generate the assertion.
>
> We are really struggling to understand how this should work. The
> basic problem is this: How can we set a variable within a Java class
> that can be accessed by the idpsend CGI to be used as an attribute
> within the SAML assertion?
>
> Any ideas would be greatly appreciated. Thanks.


We are using this successfully (the code looks strangely familiar :)).
Don't try to store it in the secret store. You can actually store it in
the customizable string attributes.

Try to use this:

protected int doAuthenticate()
{
    // attribute1 comes straight from the request, so it is caller-controlled.
    // Validate it before it is stored and later asserted to the third party.
    String attribute1 = m_Request.getParameter("attribute1");

    // Custom Attribute 1
    try
    {
        // Customizable attribute 1 is the one we use to contain customer
        // data to send, but this can change to another if necessary
        WSCMOPToken token = (WSCMOPToken) WSCToken.getToken(
                WSCMOPToken.OP_CS_CustomizableString1.getTokenUniqueId());

        // Build object for new data
        WSFModelEntry modelEntry = token.getModelEntry();
        IDSISCommonAttributeElement data = modelEntry.getSchemaClassInstance();
        if (data instanceof IDSISLeafAttributeElement)
            ((IDSISLeafAttributeElement) data).setText(attribute1);

        WSCMDataToken dataToken = new WSCMDataToken(token, data);
        dataToken.setAllowOverride(true);

        // Persist the token. Without this call (given later in this thread)
        // the token is built but never stored in the custom profile.
        WSCResponse response = WSC.modifyData(m_Session,
                new WSCMDataToken[] { dataToken }, m_Request.getLocale());
    }
    catch (Exception ex) {}

    String url = m_SessionData.appendIDToUrl(NIDPContext.getNIDPContext().getBaseUrl()
            + getProperty("Protocol") + "/idpsend?PID=" + getProperty("ITS"));

    m_Request.setAttribute("url", url);

    // Going to top ensures we are not displaying in any frames
    ((NIDPServletContext) NIDPContext.getNIDPContext()).goJSP(m_Request, m_Response, "top");
    return HANDLED_REQUEST;
}

The above code is a non-identifying method (it doesn't return
AUTHENTICATED). You would chain it with another method that
identifies the user before this is being processed.

To check if a user is authenticated or not you could use:

if (!m_Session.isAuthenticated())
return NOT_AUTHENTICATED;

Once the method is processed it should have created a
LibertyUserProfile object within the eDir that comes with the admin
console.

You can find these in
ou=libertyUserProfile0,ou=<clusterobject>,ou=cluster,ou=nids,ou=accessManagerContainer,o=novell

Hopefully this helps.

--
Cheers,
Edward

Re: Set the value of a shared secret in a custom auth class


Edward,
Thank you very much for the help. We are still struggling with
how to gain access to "attribute1" in a SAML profile. I know you
stated this would be added to the local eDirectory on the Admin Console,
and it appears that there are objects being created in the container you
have specified. However, we mapped an attribute to "Customizable
String One [Custom Profile]" which is what we thought the above code
referenced, but there is no value being retrieved when the IDP attempts
to read this value. Here's the failed attempt in the catalina.out:

<amLogEntry> 2010-07-13T21:13:18Z DEBUG NIDS WSC:
Method: WSC.A
Thread: http-209.46.37.198-8443-Processor5
Completed Request. Response: WSCResponse:
Status: All Failure
WSCQResponseEntry:
WSCQOPToken:
Model Entry: CustomizableString1
Unique Id:
NEPXurn~3Anovell~3Aid-sis-ncp~3A2005-03~2Fop~3AOP~2Fop~3ACustomizableStrings~2Fop~3ACustomizableString1~40~40~40~40WSCQOPToken
Select String:
/op:OP/op:CustomizableStrings/op:CustomizableString1

Status: DataNotAvailable
WSCQResponse: </amLogEntry>


--
keongregory

Re: Set the value of a shared secret in a custom auth class

keongregory wrote:

>
> Edward,
> Thank you very much for the help. We are still struggling with
> how to gain access to "attribute1" in a SAML profile. I know you
> stated this would be added to the local eDirectory on the Admin
> Console, and it appears that there are objects being created in the
> container you have specified. However, we mapped an attribute to
> "Customizable String One [Custom Profile]" which is what we thought
> the above code referenced, but there is no value being retrieved when
> the IDP attempts to read this value. Here's the failed attempt in
> the catalina.out:
>
> <amLogEntry> 2010-07-13T21:13:18Z DEBUG NIDS WSC:
> Method: WSC.A
> Thread: http-209.46.37.198-8443-Processor5
> Completed Request. Response: WSCResponse:
> Status: All Failure
> WSCQResponseEntry:
> WSCQOPToken:
> Model Entry: CustomizableString1
> Unique Id:
> NEPXurn~3Anovell~3Aid-sis-ncp~3A2005-03~2Fop~3AOP~2Fop~3ACustomizableStrings~2Fop~3ACustomizableString1~40~40~40~40WSCQOPToken
> Select String: /op:OP/op:CustomizableStrings/op:CustomizableString1
>
> Status: DataNotAvailable
> WSCQResponse: </amLogEntry>


That's really odd, we never had that problem. Two questions: which
version of NAM are you using, and is the custom profile actually
enabled under IDP Cluster | Liberty | Web service provider?

--
Cheers,
Edward

Re: Set the value of a shared secret in a custom auth class


edmaa;1998353 Wrote:
>
>
> Thats really odd, we never had that problem. Two questions, which
> version of NAM are you using and two, is the custom profile actually
> enabled under IDP Cluster | Liberty | Web service provider
>
> --
> Cheers,
> Edward


We are using NAM 3.1 SP1 (3.1.1-265). The custom profile was not
enabled. Which leads me to believe there must be several other things
we have missed. We are reviewing the "Configuring Liberty Web
Services" section of the Identity Server guide to try to understand what
we are doing wrong. Enabling the custom profile did not change the
result -- there is still nothing being written to the eDirectory on the
Admin Console that corresponds to the variable we are trying to set.
This means there is something fundamentally wrong with our
configuration. We really appreciate the assistance you've provided so
far. I'll write back later today once we read through the
documentation.


--
keongregory

Re: Set the value of a shared secret in a custom auth class


Hello everybody,
I'm trying to do the same thing in a custom authentication class.
During authentication I access an external db and I need to save
information "somewhere" in the session so I can get it retrieved in
an identity injection policy. I've tried both methods explained in this
thread but neither of them is working. I'd prefer using the Secret Store
solution because I need to inject credential information. But I can't
see them in the Credential Profile for the authenticated user.

Using the CustomizableStringOne solution I get the following error:

<amLogEntry> 2010-09-29T14:49:28Z WARNING NIDS WSC: AM#200103003:
AMDEVICEID#E54A507F91BA17F6: AMAUTHID#E68BB61639EF1145186EC54E985C2FFE:
Unable to locate an identity id from the authentications available in
the provided NIDPSession! </amLogEntry>

when I try to write the data with the following code (that was missing
in the example in the starting message):

WSCResponse response = WSC.modifyData(m_Session,
        new WSCMDataToken[] { dataToken }, m_Request.getLocale());

Can you help me?

Thanks
Giovanni


--
cannata_g
------------------------------------------------------------------------
cannata_g's Profile: http://forums.novell.com/member.php?userid=17484
View this thread: http://forums.novell.com/showthread.php?t=415440


Re: Set the value of a shared secret in a custom auth class

cannata g wrote:

>
> Hello everybody,
> I'm trying to do the same thing in a custom authentication class.
> During authentication I access an external db and I need to save
> information "somewhere" in the session so I can to get them retrieved
> in an idenityt injection policy. I've tried both methods explained in
> this thread but neither of them is working. I'd prefer using the
> Secret Store solution because I need to inject credential
> information. But I can't see them in the Credential Profile for the
> authenticated user.
>
> Using the CustomizableStringOne solution I get the following error:
>
> <amLogEntry> 2010-09-29T14:49:28Z WARNING NIDS WSC: AM#200103003:
> AMDEVICEID#E54A507F91BA17F6:
> AMAUTHID#E68BB61639EF1145186EC54E985C2FFE: Unable to locate an
> identity id from the authentications available in the provided
> NIDPSession! </amLogEntry>
>
> when I try to write the data with the following code (that was missing
> in the example in the starting message):
>
> WSCResponse response = WSC.modifyData(m_Session, new WSCMDataToken[] {
> dataToken }, m_Request.getLocale());
>
> Can you help me?


Have you chained this class with another class or is it a class on its
own? I'm not really sure but it looks like it's missing a principal.


--
Cheers,
Edward

Re: Set the value of a shared secret in a custom auth class


Hi Edward,
thanks for your message. I'm trying to use the method in both ways, but
probably I'm missing the principal somewhere in the code. I'll check it.


Do you know if there is any documentation on how to pass information
from a method to another or from a method to the Identity Server itself?
IMHO the documentation on the Novell developer site is very poor. There
are many undocumented classes that should be helpful when developing
additional authentication methods.

Bye,
Giovanni


--
cannata_g

Re: Set the value of a shared secret in a custom auth class

cannata g wrote:

>
> Hi Edward,
> thanks for your message. I'm trying using the method in both ways, but
> probably I'm missing the principal somewhere in the code. I'll check
> it.
>
>
> Do you know if there is any documentation on how to pass information
> from a method to another or from a method to the Identity Server
> itself? IMHO the documentation on the Novell developer site is very
> poor. There are many undocumented classes that should be helpful when
> developing additional authentication methods.


Yeah, the API doco isn't all that flash. We struggled as well trying to
develop some custom code and fortunately Novell helped us a bit.

Have a look at the m_Session class. It might have some helpful methods
available. For example m_Session.isAuthenticated() checks if the
previous method authenticated the user. I don't have an IDE available
right now so can't check what other methods are available.


--
Cheers,
Edward

Re: Set the value of a shared secret in a custom auth class


Hi,
I've found that if I chain the class to another class it works, but if
I use it as a stand-alone class I get the exception, even if I've set
the Principal. I think the problem is about the session that is still
not established because my function still doesn't return AUTHENTICATED
to the IDS. Is there a way to set the session as soon as I set the
Principal?

Thanks,
Giovanni

edmaa;2029711 Wrote:
> cannata g wrote:
> Have you chained this class with another class or is it a class on its
> own ? I'm not really sure but it looks like its missing a principal
>
>
> --
> Cheers,
> Edward



--
cannata_g

Re: Set the value of a shared secret in a custom auth class

cannata g wrote:

>
> Hi,
> I've found that if I chain the class to another class it works, but if
> I use it as a stand alone class I get the exception, even if I've set
> the Principal. I think the problem is about the session that is still
> not established because my function still doesn't return AUTHENTICATED
> to the IDS. There a way to set the session as soon as I set the
> Principal?


Once you've set a principal you need to return AUTHENTICATED in the
do_authenticate() (or authenticate()) method of your class.


--
Cheers,
Edward

Re: Set the value of a shared secret in a custom auth class


Hi Edward,
I know that my class must return AUTHENTICATED, but when I return
AUTHENTICATED my class ends, and I can't set any customizable string in
the custom profile!

Bye,
Giovanni


--
cannata_g

Re: Set the value of a shared secret in a custom auth class

cannata g wrote:

>
> Hi Edward,
> I know that my class must return AUTHENTICATED, but when I return
> AUTHENTICATED my class ends, and I can't set any customizable string
> in the custom profile!


Sorry, maybe I misunderstood something, so once you've authenticated
the user you want to set customizable string attributes and then use
those ?


--
Cheers,
Edward

Re: Set the value of a shared secret in a custom auth class


Yes, in my authentication class I need to add a string to be passed
later in an identity injection policy. I thought the simplest way is to
add a custom string (from an external db) in the custom profile and
retrieve it later in the identity injection policy.
I've tried to put the code in the same authentication class I use to
identify the user, after I set the principal and before I return from
doAuthenticate. But the session is still not defined.
So I developed an additional authentication class (that does not identify
the user, but just retrieves info for the user) and chained it to the
main authentication class in the same contract, but the problem is still
the same. When the chained class is executed I can set the custom
profile but it doesn't get saved. I think the session is created after
all the methods of the contract.

I found 2 workarounds to the problem:
The first is to have 2 different contracts (one for the main
authentication class and one for the other class). I execute the first
contract for authentication and the second just for retrieving info and
setting the custom profile. It works but is a bit odd and hard to
implement in a large NAM configuration.

The second is using role extension, but I can't pass more than one
string in the role, so I need to develop a custom identity injection to
split the role string into the relevant fields to use in the identity
injection policy, and repeat this policy extension for each field in the
identity injection policy.

In a single sentence my question is quite simple.
How can I pass additional information from the authentication class to
the identity injection policy?

Thanks.
Giovanni

edmaa;2033940 Wrote:
> cannata g wrote:
>
> >
> > Hi Edward,
> > I know that my class must return AUTHENTICATED, but when I return
> > AUTHENTICATED my class ends, and I can't set any customizable string
> > in the custom profile!

>
> Sorry, maybe I misunderstood something, so once you've authenticated
> the user you want to set customizable string attributes and then use
> those ?
>
>
> --
> Cheers,
> Edward



--
cannata_g

Re: Set the value of a shared secret in a custom auth class

cannata g wrote:


> In a single sentence my question is quite simple.
> How can I pass additional information from the authentication class to
> the identity injection policy?


Hmm... I've never really used the custom policy stuff and I'm not really
a developer. What you could do maybe is store the info from the auth
class in separate customizable strings (there are 10 of them) and use
those in the II policy perhaps?


--
Cheers,
Edward
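The pieces spread across this thread (Edward's non-identifying class chained after an identifying one, the m_Session.isAuthenticated() gate, the WSC.modifyData() call Giovanni found missing from the posted snippets, and the suggestion to spread values over several customizable strings) put together in one class, as an added example that is not code from the thread, from Novell or from the NAM SDK documentation. It reuses only the SDK calls that appear in the posts; the import package paths, the base class LocalAuthenticationClass with its (Properties, ArrayList<UserAuthority>) constructor, the token names OP_CS_CustomizableString2 and OP_CS_CustomizableString3, the class name CustomProfileWriterClass and the lookupCustomerData() helper are assumptions and must be checked against the javadoc shipped with your NAM release.

```java
// Added example, not from the thread. A non-identifying class placed AFTER an
// identifying class (e.g. Name/Password) in the same contract. It copies
// per-user data into the Liberty custom profile so a SAML attribute mapping or
// an Identity Injection policy can read "Customizable String One [Custom
// Profile]" and its neighbours.
//
// Import paths are assumptions (NAM 3.1 SDK, nidp.jar); verify them against
// the javadoc for your release.
import java.util.ArrayList;
import java.util.Properties;

import com.novell.nidp.authentication.local.LocalAuthenticationClass;
import com.novell.nidp.common.authority.UserAuthority;
import com.novell.nidp.liberty.wsc.WSC;
import com.novell.nidp.liberty.wsc.WSCResponse;
import com.novell.nidp.liberty.wsc.WSCToken;
import com.novell.nidp.liberty.wsc.modify.WSCMDataToken;
import com.novell.nidp.liberty.wsc.modify.WSCMOPToken;
import com.novell.nidp.liberty.wsf.idsis.model.WSFModelEntry;
import com.novell.nidp.liberty.wsf.idsis.apservice.schema.IDSISCommonAttributeElement;
import com.novell.nidp.liberty.wsf.idsis.apservice.schema.IDSISLeafAttributeElement;

public class CustomProfileWriterClass extends LocalAuthenticationClass {

    // Slots written, in order. Only OP_CS_CustomizableString1 is shown in the
    // thread; 2 and 3 are assumed to follow the same naming (Edward says there
    // are ten of them).
    private static final WSCMOPToken[] SLOTS = {
        WSCMOPToken.OP_CS_CustomizableString1,
        WSCMOPToken.OP_CS_CustomizableString2,
        WSCMOPToken.OP_CS_CustomizableString3,
    };

    public CustomProfileWriterClass(Properties props, ArrayList<UserAuthority> stores) {
        super(props, stores);  // signature assumed from the SDK base class
    }

    @Override
    protected int doAuthenticate() {
        // Giovanni's finding: the profile write only succeeds once an earlier
        // class in the contract has set the principal and returned AUTHENTICATED.
        if (!m_Session.isAuthenticated()) {
            return NOT_AUTHENTICATED;
        }

        // Values come from a lookup tied to the authenticated identity, NOT from
        // m_Request.getParameter(): anything read from the request here is
        // caller-controlled and would be asserted to the third party as fact.
        String[] values = lookupCustomerData();
        int count = Math.min(values.length, SLOTS.length);

        try {
            WSCMDataToken[] writes = new WSCMDataToken[count];
            for (int i = 0; i < count; i++) {
                writes[i] = buildToken(SLOTS[i], values[i]);
            }
            // One modify request carries every token. Without this call the
            // tokens are built but never stored, which is what the thread hit.
            WSCResponse response = WSC.modifyData(m_Session, writes, m_Request.getLocale());
            if (response == null) {
                // Fail closed: no assertion/injection without the attribute.
                // Replace this with the SDK's own status accessor on WSCResponse;
                // the thread's log shows the status only via toString().
                return NOT_AUTHENTICATED;
            }
        } catch (Exception ex) {
            return NOT_AUTHENTICATED;  // do not silently continue on a failed write
        }

        // The principal is the one the earlier class set; returning AUTHENTICATED
        // lets the contract complete (Edward's advice above).
        return AUTHENTICATED;
    }

    // Builds a modify token for one customizable string, exactly as the thread
    // does for CustomizableString1, but for any of the slots.
    private static WSCMDataToken buildToken(WSCMOPToken slot, String value) throws Exception {
        WSCMOPToken token = (WSCMOPToken) WSCToken.getToken(slot.getTokenUniqueId());
        WSFModelEntry modelEntry = token.getModelEntry();
        IDSISCommonAttributeElement data = modelEntry.getSchemaClassInstance();
        if (!(data instanceof IDSISLeafAttributeElement)) {
            throw new IllegalStateException("not a leaf element: " + slot.getTokenUniqueId());
        }
        ((IDSISLeafAttributeElement) data).setText(value);
        WSCMDataToken dataToken = new WSCMDataToken(token, data);
        dataToken.setAllowOverride(true);  // replace whatever a previous login stored
        return dataToken;
    }

    // Hypothetical stand-in for the external database lookup. In real code key
    // the query on the identity the earlier class established, and treat the
    // returned strings as data to be asserted, never as proof of identity.
    private String[] lookupCustomerData() {
        return new String[] { "ACME-0042", "gold", "EU" };  // constructed sample values
    }
}
```

The class is meant to be the second method in a contract, after the one that sets the principal. Returning NOT_AUTHENTICATED on a failed write is a deliberate fail-closed choice: for the SAML case it is safer to refuse the login than to send the vendor an assertion missing the attribute it keys on; if the attribute is optional for your relying party, return AUTHENTICATED and log instead.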