I see the user is authenticated correctly, but there is a warning about the realm you are using:
[02.06.22 14:04:15:042 MESZ] 00000215 WebAuthentica 3 Username retrieved from TAI is [Thomas.Mayr.ext@bayernlb.de]
[02.06.22 14:04:15:042 MESZ] 00000215 WebAuthentica 3 Map credentials for Thomas.Mayr.ext@bayernlb.de.
[02.06.22 14:04:15:043 MESZ] 00000215 WSCredentialT W SECJ5008W: The realm specified in com.ibm.wsspi.security.cred.realm (https://dmztomtest01.prod.blb.de:37443/openam/oauth2/KissRealm) does not match the current realm (LDAPTest1.prod.blb.de:636). This could cause problems when trying to make a downstream request.
I can see that you are not trying to map the user to the LDAP registry (mapIdentityToRegistry=[false]).
To fix the SECJ5008W warning, you can try using the OIDC property provider_<id>.useRealm=LDAPTest1.prod.blb.de:636
Apart from that, I see another error message:
[02.06.22 14:04:15:065 MESZ] 00000215 WebCollaborat A SECJ0129E: Authorization failed for user Thomas.Mayr.ext@bayernlb.de:https://dmztomtest01.prod.blb.de:37443/openam/oauth2/KissRealm while invoking GET on dmz-test_host:/bayernlabo/ProtectedLandingPageDispatcher.part, Authorization failed, Not granted any of the required roles: Rolle_Bauministerium Rolle_Bewilligungsstelle Rolle_EigenwohnraumKunde Rolle_Interessent_EigenwohnraumKunde Rolle_KommunalKunde Rolle_MietwohnraumKunde Rolle_Ministerien
So you need to map the user Thomas.Mayr.ext@bayernlb.de to one of the required roles in the application for the user to be authorized to access it.
------------------------------
MIGUEL ANGEL CAMACHO CABRERA
------------------------------
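As an added example (not code from the thread, from IBM, or from either poster), here is a small Python helper that picks the two message IDs discussed in the reply out of a WebSphere security trace and reports the fields an administrator needs to act on: the credential realm and the registry realm for SECJ5008W, and the user, resource and accepted roles for SECJ0129E. The sample trace lines, and every host, user and role name in them, are constructed placeholders in the message format shown above; the suggested provider_<id>.useRealm value is the one named in the reply.

```python
"""Triage helper for WebSphere security trace lines (added example).

Recognises SECJ5008W (credential realm does not match the registry realm)
and SECJ0129E (user holds none of the roles protecting a resource) and
extracts the fields needed to fix each one.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# SECJ5008W: realm carried in the OIDC credential vs. realm of the current user registry.
REALM_RE = re.compile(
    r"SECJ5008W: The realm specified in com\.ibm\.wsspi\.security\.cred\.realm "
    r"\((?P<cred_realm>[^)]+)\) does not match the current realm "
    r"\((?P<current_realm>[^)]+)\)"
)

# SECJ0129E: "user:realm", HTTP method, resource, and the roles that would have been accepted.
# The user part contains no ':'; the realm (an OAuth2 URL here) may contain several.
AUTHZ_RE = re.compile(
    r"SECJ0129E: Authorization failed for user (?P<user>[^:\s]+):(?P<realm>\S+) "
    r"while invoking (?P<method>[A-Z]+) on (?P<resource>[^,\s]+), "
    r"Authorization failed, Not granted any of the required roles: (?P<roles>.*)$"
)


@dataclass
class Finding:
    code: str            # WebSphere message ID
    detail: dict         # fields extracted from the message
    recommendation: str  # what to change, derived from the extracted fields


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding for a SECJ5008W or SECJ0129E line, else None."""
    m = REALM_RE.search(line)
    if m:
        d = m.groupdict()
        return Finding(
            "SECJ5008W", d,
            f"credential realm {d['cred_realm']} differs from registry realm "
            f"{d['current_realm']}; set provider_<id>.useRealm={d['current_realm']} "
            f"or map the identity to the registry",
        )
    m = AUTHZ_RE.search(line)
    if m:
        roles = m["roles"].split()
        d = {k: m[k] for k in ("user", "realm", "method", "resource")}
        d["required_roles"] = roles
        return Finding(
            "SECJ0129E", d,
            f"user {d['user']} holds none of the {len(roles)} role(s) protecting "
            f"{d['resource']}; map the user or one of its groups to one of them",
        )
    return None


def analyze_log(lines: List[str]) -> List[Finding]:
    """Scan a trace and keep only the lines that matched a known message ID."""
    return [f for f in map(analyze_line, lines) if f is not None]


# Constructed sample trace in the format seen in the thread; all names are placeholders.
SAMPLE_TRACE = [
    "[02.06.22 14:04:15:042 MESZ] 00000215 WebAuthentica 3 Username retrieved from TAI is [alice@example.com]",
    "[02.06.22 14:04:15:043 MESZ] 00000215 WSCredentialT W SECJ5008W: The realm specified in "
    "com.ibm.wsspi.security.cred.realm (https://idp.example.com:8443/openam/oauth2/TestRealm) "
    "does not match the current realm (ldap.example.com:636). This could cause problems when "
    "trying to make a downstream request.",
    "[02.06.22 14:04:15:065 MESZ] 00000215 WebCollaborat A SECJ0129E: Authorization failed for user "
    "alice@example.com:https://idp.example.com:8443/openam/oauth2/TestRealm while invoking GET on "
    "app_host:/app/ProtectedLandingPage.part, Authorization failed, Not granted any of the required "
    "roles: Role_Admin Role_Customer Role_Guest",
]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_TRACE):
        print(f"{f.code}: {f.recommendation}")
```

Feed it the relevant portion of trace.log (for example `analyze_log(open("trace.log").read().splitlines())`); the SECJ0129E recommendation lists the exact role names the application's deployment descriptor expects, which is what has to be matched in the Users/Groups to roles mapping.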
Original Message:
Sent: Thu June 02, 2022 08:10 AM
From: Alper Özdemir
Subject: Trying to implement SSO with WebSphere/OpenAm/Oauth2/
Hello,
We're trying to implement a Single Sign-On process with OpenAm as OpenID Provider. Apart from that we have installed the WebSphereOIDCRP as Relying Party. The user is authenticated successfully and the WebSphere gets the access token from OpenAm. So far so good. Our problem is that we are redirected to a page with a 403 Authorization failed error. In the WebSphere log it says that the LTPA cookies are not set, although I can find them in the cookies section set in my browser.
[01.06.22 19:57:54:582 MESZ] 00000175 WebAuthentica 3 Could not find LTPA cookie(s) in request.
[01.06.22 19:57:54:582 MESZ] 00000175 WebAuthentica < handleSSO: (null) Exit
[01.06.22 19:57:54:582 MESZ] 00000175 WebAuthentica 3 challengeType = FORM Authorization header = null
[01.06.22 19:57:54:582 MESZ] 00000175 WebAuthentica > setDomainContext Entry
[01.06.22 19:57:54:582 MESZ] 00000175 WebAuthentica < setDomainContext Exit
{security.domain.type=application, realm_name=LDAPTest1.prod.blb.de:636}
[01.06.22 19:57:54:582 MESZ] 00000175 TrustAssociat 3 isTrustAssociationEnabled returns [true]
[01.06.22 19:57:54:582 MESZ] 00000175 WebAuthentica 3 Default redirect URL: /bayernlabo/Welcome/content/ErrorPage.part
[01.06.22 19:57:54:582 MESZ] 00000175 WebAuthentica 3 handleTrustAssociation was skipped (1)
[01.06.22 19:57:54:582 MESZ] 00000175 WebAuthentica > handleSSO Entry
[01.06.22 19:57:54:582 MESZ] 00000175 WebAuthentica 3 Could not find LTPA cookie(s) in request.
[01.06.22 19:57:54:582 MESZ] 00000175 WebAuthentica < handleSSO: (null) Exit
[01.06.22 19:57:54:582 MESZ] 00000175 TrustAssociat 3 isTrustAssociationEnabled returns [true]
[01.06.22 19:57:54:582 MESZ] 00000175 WebAuthentica 3 handleTrustAssociation was skipped (2)
[01.06.22 19:57:54:582 MESZ] 00000175 TrustAssociat 3 isTrustAssociationEnabled returns [true]
[01.06.22 19:57:54:582 MESZ] 00000175 WebAuthentica > handleCustomLogin Entry
[01.06.22 19:57:54:582 MESZ] 00000175 WebAuthentica 3 Form based login is configured for the resource
[01.06.22 19:57:54:582 MESZ] 00000175 WebAuthentica > getFormURL Entry
formURL=/Welcome/content/start.part
requestURL=https://edmz-test.prod.blb.de/bayernlabo/parts/common/errors/forbidden.jsp
[01.06.22 19:57:54:582 MESZ] 00000175 WebAuthentica > normalizeURL Entry
/Welcome/content/start.part
Does anybody have a solution for this? Thank you very much!
------------------------------
Alper Özdemir
------------------------------