Already existing webapps + Tomcat 5.5 Policy Agent 2.2 and SSO

Hi All,

I am trying to give SSO & centralized Auth to an existing web app. For accessing the protected Tomcat apps I need a user and a role.

I've set up a user and a role in AM and bound the role as a subject of a policy.

I am trying to figure out HOW the role is passed to the protected apps/Tomcat. I've sniffed the network to find exactly what the exchange between the agent and AM is and found a couple of things... but no trace of the role. Any idea?

For now it is still working, i.e.:

accessing the protected apps forwards me to the AM login page, and if I enter valid credentials AM forwards me back to the protected apps... but to the app's login.jsp.

I've set the security-role and role constraint in the web.xml of the apps.

(If I set com.sun.identity.agents.config.user.mapping.mode = HTTP_HEADER it does not work at all, the browser just keeps playing ping-pong with AM... both are on the same domain.)

viciousda at 2007-11-27 6:38:23
# 1
Since you are using the J2EE policy agent, be sure to set com.sun.identity.agents.config.filter.mode = J2EE_POLICY
Aaron_Andersona at 2007-7-12 18:07:00
# 2

Yes, it's set correctly. Now my problem is that AM does not return the correct role (Tomcat receives the uid instead of the role... and more, I use AM 7 and I didn't receive the Uuid but the LDAP uid). So I've set the uid as my role name in the web.xml of the apps... but Tomcat does not seem to recognise it:

DEBUG http-58080-Processor25 org.apache.catalina.realm.RealmBase -Checking roles uid=apgAdmin,ou=people,o=505lab

DEBUG http-58080-Processor25 org.apache.catalina.realm.RealmBase - No role found: uid=apgAdmin,ou=people,o=505lab

The first debug line seems to be what Tomcat receives from the agent and the second line seems to be what Tomcat finds in web.xml... the same thing...?

Thanks for your help!

viciousda at 2007-7-12 18:07:00
# 3

That is strange. Is Access Manager 7.0 set up in realm mode? Did you try the agentadmin --getUuid command? Also, in AM, if you go to the Subjects tab, open the apgAdmin account, and click the Roles subtab, do you see any roles assigned to that user?

I am not familiar with the Tomcat J2EE setup, but from what I read it seems like the application's web.xml file needs to be updated to provide the full AM universal ID as the value of the role-name element. There doesn't seem to be a mapping configuration as there is in other agents.

Aaron_Andersona at 2007-7-12 18:07:00
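As an added illustration (not code from the thread or from the agent's documentation), here is a Tomcat 5.5 web.xml fragment with the role-name filled with the AM universal ID instead of the LDAP DN that appears in the debug lines above. The /admin/* URL pattern and the universal ID value are assumed placeholders; the real value is whatever agentadmin --getUuid reports for the role.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Assumed: everything under /admin/ requires the AM role.
       The agent filter (filter.mode = J2EE_POLICY in AMAgent.properties)
       does the authentication; Tomcat only compares role-name strings. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- WRONG: the LDAP DN seen in the RealmBase debug output.
           Tomcat logs "No role found" because the agent never
           presents this string as a role:
           <role-name>uid=apgAdmin,ou=people,o=505lab</role-name> -->

      <!-- RIGHT: the exact universal ID string of the AM role
           (placeholder value; copy it from agentadmin - -getUuid). -->
      <role-name>id=apgAdminRole,ou=role,o=505lab</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Every role-name used in an auth-constraint must also be declared here,
       with the identical universal ID string. -->
  <security-role>
    <role-name>id=apgAdminRole,ou=role,o=505lab</role-name>
  </security-role>
</web-app>
```

The "--" of the CLI flag is written with a space inside the XML comment because "--" is not allowed within a comment; the actual command is agentadmin --getUuid as quoted in the answer above.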
# 4
Hi, finally setting the correct Uuid fixed my problem! Thanks for your help!
viciousda at 2007-7-12 18:07:00