Wednesday, August 6, 2014

OpenAM Certificate Authentication: User has no profile in this organization

OpenAM

Certificate Authentication


Setting up OpenAM for certificate authentication is explained in detail at http://blog.profiq.cz/2012/05/24/certification-based-authentication-with-openam-10-and-tomcat-7/

Following the steps in that article, an IdP running OpenAM in Tomcat was set up. The setup itself was straightforward, but testing produced the cryptic message "User has no profile in this organization". OpenAM reports this when the Certificate module accepts the certificate but the value it extracts from the certificate does not match any user in the realm's data store. With a self-signed certificate the message went away after adding a user whose name matched the CN in the certificate.

Later, Tomcat's truststore was replaced with the CA's root certificate, and the same message resurfaced. A Google search turned up several discussions, including advice to create a separate realm, none of which helped. Scouring OpenAM's debug files together with the public certificate revealed the cause: the certificate's subject DN contained two CN components, one holding the user's name and the other holding the value Users. The default for the Certificate module's "Certificate Field Used to Access User Profile" setting is subject CN, and with two CNs in the subject OpenAM resolved the field to Users, a user that does not exist, and should not exist, in the realm.

Subject DN is one of the other options OpenAM offers for that setting. After changing the setting to subject DN and creating a user in OpenAM's realm for the CN presented by the certificate, the IdP processed the SAML authentication request successfully and the Service Provider accepted the SAML assertion.
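The following is an added example, not code from the original post or from OpenAM. It is a small RFC 4514 subject-DN parser plus a simulated profile lookup that reproduces the failure described above: keying the user profile on "subject CN" is ambiguous when the subject carries two CNs, while keying on the full subject DN is not. All DNs and the realm's user table are constructed sample data; the "first CN wins" rule is one plausible single-attribute extraction rule used to illustrate the trap, not a description of OpenAM's code. The AD-style subject (CN=alice,CN=Users,DC=example,DC=com) is an assumption about what the CA-issued certificate looked like.

```python
"""
Added example, not from the original post: a small RFC 4514 DN parser and a
simulated OpenAM profile lookup.  All DNs and the realm's user table are
constructed sample data; the lookup rule is a simplification used for
illustration, not OpenAM's implementation.
"""

NO_PROFILE = "User has no profile in this organization"


def parse_dn(dn):
    """Split an RFC 4514 DN string into (ATTR, value) pairs, in string order.

    Backslash escapes and double-quoted values are honoured; both ',' and
    '+' (multi-valued RDN) end a pair.  Raises ValueError on an RDN with no '='.
    """
    pairs, attr, buf, quoted, escaped = [], None, [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "=" and attr is None and not quoted:
            attr = "".join(buf).strip().upper()
            buf = []
        elif ch in ",+" and not quoted:
            if attr is None:
                raise ValueError("RDN without '=' in %r" % dn)
            pairs.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(ch)
    if attr is not None:
        pairs.append((attr, "".join(buf).strip()))
    elif "".join(buf).strip():
        raise ValueError("RDN without '=' in %r" % dn)
    return pairs


def canonical_dn(dn):
    """Re-serialise the DN with no whitespace around separators."""
    return ",".join("%s=%s" % (a, v) for a, v in parse_dn(dn))


def attribute_values(dn, attr):
    """Every value of one attribute type in the DN, in string order."""
    attr = attr.upper()
    return [v for a, v in parse_dn(dn) if a == attr]


def profile_key(dn, field):
    """Value searched for in the data store for a given setting of
    'Certificate Field Used to Access User Profile'.

    'subject CN' takes the first CN in the DN string.  With two CNs that is
    whichever one the renderer printed first, which is the trap.
    'subject DN' uses the whole subject and is unambiguous.
    """
    if field == "subject CN":
        cns = attribute_values(dn, "CN")
        return cns[0] if cns else None
    if field == "subject DN":
        return canonical_dn(dn)
    raise ValueError("unsupported field: %r" % field)


def lookup_profile(realm, field, subject_dn):
    """Return the matching user id, or the OpenAM error text when no user
    in the (simulated) realm data store carries the extracted key."""
    key = profile_key(subject_dn, field)
    for uid, attrs in realm.items():
        if key is not None and attrs.get(field) == key:
            return uid
    return NO_PROFILE


# Constructed realm: one user, with both attributes an admin might populate.
REALM = {
    "alice": {
        "subject CN": "alice",
        "subject DN": "CN=alice,CN=Users,DC=example,DC=com",
    }
}

# Constructed subject DNs.  The CA-issued subject is shown in both renderings
# a practitioner meets: RFC 2253 order (openssl x509 -nameopt RFC2253) and
# the encoded order that plain 'openssl x509 -subject' prints.
SELF_SIGNED = "CN=alice,O=Example Corp,C=US"
AD_RFC2253 = "CN=alice,CN=Users,DC=example,DC=com"
AD_ENCODED = "DC=com,DC=example,CN=Users,CN=alice"


if __name__ == "__main__":
    for name, dn in (("self-signed", SELF_SIGNED), ("AD rfc2253", AD_RFC2253),
                     ("AD encoded", AD_ENCODED)):
        print(name, "CNs:", attribute_values(dn, "CN"))
        print("   subject CN ->", lookup_profile(REALM, "subject CN", dn))
        print("   subject DN ->", lookup_profile(REALM, "subject DN", dn))
```

The self-signed subject has one CN, so the default setting works; the CA-issued subject has two, and which one a "subject CN" rule picks depends on the order the DN was rendered in, so the lookup can resolve to Users exactly as the post observed. Before trusting the default setting, print the full subject of the client certificate with `openssl x509 -in cert.pem -noout -subject -nameopt RFC2253` and count the CN components; if there is more than one, key the profile on the subject DN and store that DN, in the form OpenAM's debug log shows it comparing, on the user's profile.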
