
Replace OSP with NAM OAuth Authentication Server


Does anyone have any experience with changing the OAuth authentication
provider for IDM 4.5.3?

We are in the process of writing an application that will coexist with
the landing, dash, etc. applications. This application will interact
directly with the IDM REST endpoints to let users request roles. I need
the in-house application to be able to act as an OAuth client just as
landing or dash or rra does. In order to accomplish this, I either need
to replace OSP with the NAM authentication server or add a new client to
OSP. I would prefer to use NAM because all of our authentication is
going to be coming from NAM in the future. Documentation is very slim
on how to accomplish this, so any information is appreciated.


--
bbarnes
------------------------------------------------------------------------
bbarnes's Profile: https://forums.netiq.com/member.php?userid=1466
View this thread: https://forums.netiq.com/showthread.php?t=55823


Re: Replace OSP with NAM OAuth Authentication Server


Is there a reason you need to replace the OAuth of 4.5.3 instead of just
using the SAML integration of OSP to SSO between the in-house app and
the suite of Identity Apps?


--
schwoerb
------------------------------------------------------------------------
schwoerb's Profile: https://forums.netiq.com/member.php?userid=2338
View this thread: https://forums.netiq.com/showthread.php?t=55823


Re: Replace OSP with NAM OAuth Authentication Server

On 5/9/2016 4:44 PM, schwoerb wrote:
>
> Is there a reason you need to replace the OAuth of 4.5.3 instead of just
> using the SAML integration of OSP to SSO between the in-house app and
> the suite of Identity Apps?


I think he wants to add one more OAuth consumer. So he would need to
tell OSP to send an OAuth ticket to his service. But I am guessing there
is no obvious way to do that. At least not a documented way.

Thus if you replace it with say, NAM, then you can add as many OAuth
supplicants (Is that what they are called?)

I.e. You login somehow. That logs you into OSP (be it NAM then SAML to
OSP, or name/password or kerb to OSP) then you now have an OSP session.

Each app you access makes an OAuth request for a session ticket to OSP.
Since your OSP session is good, it issues it. Sort of like Kerb in some
ways. Then since the app trusts OSP as its OAuth provider it lets you in.

Because if you do not have 3 to 4 layers of auth in the process, you are
just not doing it right! 🙂

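The flow sketched above (one OSP session, each app asks OSP for a token, the app trusts OSP as its OAuth provider) as an added, runnable model in Python. This is not OSP, NAM or IDM code: the client registry, the endpoint method names, the `session_user` argument standing in for the provider session, and the `idm_request_role` REST stub are all assumptions made for the example. What it shows is what "adding a client" means on the provider side (a client id, a secret and an exact redirect URI it will honour) and which checks keep a token from being issued to the wrong party: exact redirect-URI match, a short-lived single-use code bound to the client that requested it, client authentication at the token endpoint, and a `state` value the client verifies on the callback.

```python
"""In-process model of the OAuth 2.0 authorization-code grant.

Added example, not OSP/NAM/IDM code. Names and the registry shape are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class RegisteredClient:
    """One entry in the provider's client registry (assumed shape)."""
    client_id: str
    client_secret: str
    redirect_uri: str  # compared by exact string match, never by prefix


@dataclass
class AuthorizationServer:
    """Stand-in for the OAuth provider (OSP or NAM); not their real API."""
    clients: dict = field(default_factory=dict)
    codes: dict = field(default_factory=dict)   # code -> (client_id, redirect_uri, user, expiry)
    tokens: dict = field(default_factory=dict)  # access_token -> user it was issued for

    def register_client(self, client: RegisteredClient) -> None:
        self.clients[client.client_id] = client

    def authorize(self, client_id: str, redirect_uri: str, state: str, session_user: str) -> str:
        """Browser arrives with a live provider session (session_user).
        Returns the redirect back to the client carrying a single-use code."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri != client.redirect_uri:
            raise ValueError("unknown client_id or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, session_user, time.time() + 60)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
        """Back-channel exchange: authenticate the client, then redeem the code once."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client_secret, client.client_secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)  # pop: replaying the same code fails
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        bound_client, bound_uri, user, expiry = entry
        if bound_client != client_id or bound_uri != redirect_uri or time.time() > expiry:
            raise PermissionError("invalid_grant: code not valid for this client")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = user
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}


class InHouseApp:
    """The OAuth client: the in-house role-request application from the thread."""

    def __init__(self, provider: AuthorizationServer, client_id: str,
                 client_secret: str, redirect_uri: str):
        self.provider = provider
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self.pending_states: set = set()
        self.access_token: Optional[str] = None

    def start_login(self) -> dict:
        """Parameters the app sends the browser to the provider's authorize endpoint with."""
        state = secrets.token_urlsafe(16)  # ties the callback to this login attempt
        self.pending_states.add(state)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri, "state": state}

    def handle_callback(self, callback_url: str) -> str:
        """Browser returns with ?code=..&state=..; verify state, then exchange the code."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [""])[0]
        if state not in self.pending_states:
            raise ValueError("state mismatch: callback not tied to a login we started")
        self.pending_states.discard(state)
        resp = self.provider.token(self.client_id, self.client_secret,
                                   query["code"][0], self.redirect_uri)
        self.access_token = resp["access_token"]
        return self.access_token


def idm_request_role(provider: AuthorizationServer, bearer: Optional[str], role: str) -> dict:
    """Stand-in for the IDM REST endpoint: acts only for the user the token was issued to."""
    user = provider.tokens.get(bearer or "")
    if user is None:
        raise PermissionError("401: invalid or missing bearer token")
    return {"requester": user, "role": role, "status": "submitted"}


def demo() -> dict:
    """End-to-end run with constructed values; returns the request the REST stub accepted."""
    osp = AuthorizationServer()
    osp.register_client(RegisteredClient("rolereq-app", "s3cret-example",
                                         "https://rolereq.example/callback"))
    app = InHouseApp(osp, "rolereq-app", "s3cret-example", "https://rolereq.example/callback")
    params = app.start_login()                                # 1. app redirects browser to OSP
    callback = osp.authorize(session_user="alice", **params)  # 2. OSP session is good, code issued
    token = app.handle_callback(callback)                     # 3. app redeems code for a token
    return idm_request_role(osp, token, "Finance-Approver")   # 4. REST call on alice's behalf


if __name__ == "__main__":
    print(demo())
```

The part that is invisible in the browser is step 3: the token exchange is a server-to-server call that needs the client secret, which is why the in-house app cannot simply reuse landing's or dash's registration and why a new client entry on the provider is the minimum change whichever provider ends up issuing tokens.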

Re: Replace OSP with NAM OAuth Authentication Server


Precisely, the first goal is to make the authentication as complicated
as possible.

That being said, it really does need to be OAuth not SAML. If the
authentication was happening on the front end of the application we
could use SAML. Since we want to be able to submit a role request as
the user on the back-end using the REST interface, we need to follow the
OAuth use case. The user is going to log into our in-house developed
application, that application then needs to get an OAuth token with the
user's permission to make an IDM request. Really I am just trying to
mimic the way that home integrates with IDM and add my own
applications.

OSP would work out fine if I could get any documentation on adding
additional clients. NAM has the documentation, but there is a big black
hole when it comes to how IDM uses OAuth.


--
bbarnes
------------------------------------------------------------------------
bbarnes's Profile: https://forums.netiq.com/member.php?userid=1466
View this thread: https://forums.netiq.com/showthread.php?t=55823


Re: Replace OSP with NAM OAuth Authentication Server

On 5/10/2016 12:04 PM, bbarnes wrote:
>
> Precisely, the first goal is to make the authentication as complicated
> as possible.
>
> That being said, it really does need to be OAuth not SAML. If the
> authentication was happening on the front end of the application we
> could use SAML. Since we want to be able to submit a role request as
> the user on the back-end using the REST interface, we need to follow the
> OAuth use case. The user is going to log into our in-house developed
> application, that application then needs to get an OAuth token with the
> user's permission to make an IDM request. Really I am just trying to
> mimic the way that home integrates with IDM and add my own
> applications.
>
> OSP would work out fine if I could get any documentation on adding
> additional clients. NAM has the documentation, but there is a big black
> hole when it comes to how IDM uses OAuth.


Try looking at the Cloud Access/Mobile Access/Social Access products,
since that is where OSP is being developed and comes from.

Alas, there is a GUI that controls the settings. If you dig in deep,
you can see how OSP is configured via the files it leaves on your
server. It starts making some sense after a while, but it is nested very
deeply, and cross references other files. So a GUI to do it would be
nice. Might be able to install Cloud Access, snag the OSP file space.
Then configure a new OAuth client, and diff the files, see what changed,
that might give you the hints you need to do it with OAuth.



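The snapshot-and-diff approach suggested above, as an added Python example that is not part of the thread or of any NetIQ tooling. The directory layout and file names it creates are constructed stand-ins for whatever OSP actually leaves on the server (the real layout is not described in the thread), so `demo()` builds a throwaway tree in a temp directory, takes a baseline, simulates a client registration touching it, and reports added, removed and changed files plus a unified diff of each changed text file. The same `snapshot`/`compare` pair works unchanged on a real configuration directory, where it doubles as a cheap check that nothing else drifted between two runs.

```python
"""Baseline a configuration tree, change it, and report exactly what changed.

Added example; the OSP-like directory layout below is constructed, not real.
"""
import difflib
import tempfile
from pathlib import Path


def snapshot(root) -> dict:
    """Capture every regular file under root as relative POSIX path -> bytes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(before: dict, after: dict) -> dict:
    """Classify files as added, removed or changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(k for k in set(before) & set(after) if before[k] != after[k]),
    }


def unified_diffs(before: dict, after: dict) -> dict:
    """Unified diff text for each changed text file; binary files are skipped."""
    out = {}
    for path in compare(before, after)["changed"]:
        try:
            old = before[path].decode("utf-8").splitlines(keepends=True)
            new = after[path].decode("utf-8").splitlines(keepends=True)
        except UnicodeDecodeError:
            continue  # e.g. a keystore: report it as changed, but do not try to diff it
        out[path] = "".join(difflib.unified_diff(old, new, f"before/{path}", f"after/{path}"))
    return out


def demo() -> dict:
    """Constructed stand-in for a provider config directory (not OSP's real layout)."""
    root = Path(tempfile.mkdtemp(prefix="osp-cfg-"))
    (root / "conf").mkdir()
    (root / "conf" / "clients.properties").write_text(
        "client.landing.redirect=https://landing.example/oauth\n")
    (root / "conf" / "keystore.bin").write_bytes(b"\x00\x01binary")
    before = snapshot(root)

    # Simulate what "configure a new OAuth client" might touch: one edited
    # properties file and one new per-client file (hypothetical names).
    (root / "conf" / "clients.properties").write_text(
        "client.landing.redirect=https://landing.example/oauth\n"
        "client.rolereq.redirect=https://rolereq.example/callback\n")
    (root / "conf" / "rolereq-client.xml").write_text('<client id="rolereq"/>\n')
    after = snapshot(root)

    return {"summary": compare(before, after), "diffs": unified_diffs(before, after)}


if __name__ == "__main__":
    report = demo()
    print(report["summary"])
    for path, text in report["diffs"].items():
        print(text)
```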