Hello, I have a requirement to impersonate users. Please spare me the waggling fingers, there are legitimate needs for this. I know there is an impersonate module but it’s not supported for production use.
So to implement, I configured an Authentication chain, which is protected at the network layer to only one authorized application. The goal of this chain is to issue an iPlanetDirectoryPro cookie for a specified user without a password. I decided to use the Scripting Module, and wrote a Server-side Authentication script to simply set “authState = SUCCESS”. I engage the module with a specific URL and a username parameter (e.g. https://openam.example.org/openam/UI/Login?realm=myrealm&service=ImpersonateChain&gx_charset=UTFemail@example.com ).
However, I get an error: “User has no profile in this organization”. I *think* this means OpenAM can’t find the user in the datastore, but I don’t understand why. When the same username is specified in other Authentication Modules, it works fine. Is there something that other Authentication Modules are doing that the Scripting Module is not? Is there some internal information that my script needs to add or account for?
Yes, that is what that means. If you are using the default Authentication setting to require user profiles, then authentication is a two-part process. First authenticate the user and then, using the settings in your data store, locate the user’s profile.
To debug this, kick up your debug log level to “Message”, rerun your authentication and check out your IdRepo debug file for clues as to what it is complaining about. Better yet, check the logs of your data store. If your data store is an LDAP (OpenDJ?) repository, check the access log for the search that is being performed that is not returning your user profile. I’m guessing you might have a mismatch with the username that is being used in your scripted module vs what you have configured in your Data Store.
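A small log check along the lines of the answer above, added here as an example that is not part of the thread or of any ForgeRock tooling. It assumes the legacy OpenDJ access-log layout, in which a `SEARCH REQ` line and its `SEARCH RES` line share the same `conn` and `op` values, and it pairs them up to report every search that returned `nentries=0`, then compares the naming attribute used in that filter with the attribute the data store is expected to search on. The log lines are constructed; the attribute names `uid` and `mail` are sample values.

```python
import re

# Constructed sample lines in the style of a legacy OpenDJ access log (assumed
# format, not taken from the post). The first search finds the user; the second,
# issued with a different naming attribute, returns no entries.
SAMPLE_ACCESS_LOG = """\
[12/Jan/2017:10:15:32 +0000] SEARCH REQ conn=5 op=12 msgID=13 base="ou=people,dc=example,dc=com" scope=sub filter="(uid=alice)" attrs="*"
[12/Jan/2017:10:15:32 +0000] SEARCH RES conn=5 op=12 msgID=13 result=0 nentries=1 etime=1
[12/Jan/2017:10:15:40 +0000] SEARCH REQ conn=7 op=3 msgID=4 base="ou=people,dc=example,dc=com" scope=sub filter="(mail=alice)" attrs="*"
[12/Jan/2017:10:15:40 +0000] SEARCH RES conn=7 op=3 msgID=4 result=0 nentries=0 etime=1
"""

REQ_RE = re.compile(r'SEARCH REQ conn=(\d+) op=(\d+) .*?base="([^"]*)" .*?filter="([^"]*)"')
RES_RE = re.compile(r'SEARCH RES conn=(\d+) op=(\d+) .*?result=(\d+) nentries=(\d+)')
# Only simple equality filters such as (uid=alice) are decomposed here.
FILTER_RE = re.compile(r'^\((\w+)=([^)]*)\)$')


def empty_searches(log_text):
    """Return [(base, filter)] for every search answered with result=0 and nentries=0.

    result=0 means the directory processed the search successfully, so an empty
    result is a genuine "no such entry", not a permissions or syntax failure.
    """
    pending = {}   # (conn, op) -> (base, filter) for requests awaiting a response
    empties = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            conn, op, base, flt = m.groups()
            pending[(conn, op)] = (base, flt)
            continue
        m = RES_RE.search(line)
        if m:
            conn, op, result, nentries = m.groups()
            req = pending.pop((conn, op), None)
            if req and result == "0" and nentries == "0":
                empties.append(req)
    return empties


def attribute_mismatches(log_text, expected_attr):
    """Flag empty searches whose filter attribute differs from expected_attr.

    expected_attr is the attribute the OpenAM data store is configured to look
    users up by (hypothetical value supplied by the caller, e.g. "uid").
    """
    out = []
    for base, flt in empty_searches(log_text):
        m = FILTER_RE.match(flt)
        if not m:
            continue
        attr, value = m.groups()
        if attr.lower() != expected_attr.lower():
            out.append({"base": base, "filter": flt, "used": attr,
                        "expected": expected_attr, "value": value})
    return out


if __name__ == "__main__":
    for hit in attribute_mismatches(SAMPLE_ACCESS_LOG, "uid"):
        print(f"empty search under {hit['base']}: filter {hit['filter']} "
              f"uses '{hit['used']}' but the data store searches on '{hit['expected']}'")
```

Run it against a real access log by reading the file into `log_text`; any hit points at a search the data store issued with a name or attribute that does not match what the authentication module passed along.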