How To

How do I authenticate to another chain but keep the same session token in AM (All versions)?

Last updated Mar 15, 2019

The purpose of this article is to provide information on authenticating to another chain (using ForceAuth) while keeping the same session tokenId in AM. Keeping the same session tokenId is often a requirement for audit purposes. Session upgrade using the ForceAuth parameter is only supported for CTS-based sessions (called Stateful in AM 5.x).


Overview

The following example demonstrates a user authenticating to one chain and then doing a session upgrade to a second chain with the same session token. When the session is upgraded, the existing session token is checked to ensure it is valid and any existing session properties are copied across to the second chain. The authentication parameters required to achieve this are: sessionUpgradeSSOTokenId and ForceAuth.

Note

You must ensure you use the correct case for the ForceAuth parameter; forceAuth=true will be ignored and the session token will change after you authenticate to the second chain.

This example uses a very simple authentication setup purely for demonstration purposes. You can adapt this to your environment as needed ensuring you use the same authentication parameters to retain the session token.

Example setup

  • Create two authentication modules: DataStore and LDAP.
  • Set different Authentication Levels for each module, for example:
    • DataStore: 10
    • LDAP: 20
  • Create authChain1 and add the DataStore module as required.
  • Create authChain2 and add the LDAP module as required.

Authenticating to another chain with same session token

Note

Please observe the following when constructing REST calls:

  • Make the REST call to the actual AM server URL (not the load balancer).
  • Change the name of the iPlanetDirectoryPro header to the name of your actual session cookie.
  • Set this session cookie header to the token returned when you authenticated.
  • Ensure the Accept-API-Version header contains valid resource versions (AM 5 and later).

See How do I avoid common issues with REST calls in AM/OpenAM (All versions)? for further information.

You can authenticate as follows:

  1. Authenticate to the first chain, for example:
    $ curl -X POST -H "X-OpenAM-Username: demo" -H "X-OpenAM-Password: changeit" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" "http://host1.example.com:8080/openam/json/realms/root/authenticate?authIndexType=service&authIndexValue=authChain1"
    Example response:
    {
        "tokenId": "35huKgysok9Sg2Uk-MqX6agOArM.*AAJTSQACMDEAAlNLABxJb29DZnN1R1VZU0xNRWd6NDdrTndHVzZzQ1U9AAR0eXBlAANDVFMAAlMxAAA.*",
        "successUrl": "/openam/console",
        "realm": "/"
    }
    
  2. Perform a session upgrade (ForceAuth) to the second chain:
    $ curl -X POST -H "X-OpenAM-Username: demo" -H "X-OpenAM-Password: changeit" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" "http://host1.example.com:8080/openam/json/realms/root/authenticate?authIndexType=service&authIndexValue=authChain2&sessionUpgradeSSOTokenId=35huK...AAA.*&ForceAuth=true"
    Example response:
    {
        "tokenId": "35huKgysok9Sg2Uk-MqX6agOArM.*AAJTSQACMDEAAlNLABxJb29DZnN1R1VZU0xNRWd6NDdrTndHVzZzQ1U9AAR0eXBlAANDVFMAAlMxAAA.*",
        "successUrl": "/openam/console",
        "realm": "/"
    }
    
  3. Observe that the session token has stayed the same in both responses.
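The two calls above, scripted end to end as an added example (not part of this article or of AM itself): it builds both authenticate URLs with the token percent-encoded, sends them with the same headers as the curl steps, and performs the step 3 check that the tokenId did not change. It assumes the host, chain names and demo credentials from the steps above; the sample responses embedded for offline use are constructed, with placeholder tokenIds.

```python
import json
import urllib.request
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample responses (placeholder tokenIds, not real AM output).
RESP_CHAIN1 = '{"tokenId": "TOKEN-A.*AAJTSQ.*", "successUrl": "/openam/console", "realm": "/"}'
RESP_CHAIN2 = '{"tokenId": "TOKEN-A.*AAJTSQ.*", "successUrl": "/openam/console", "realm": "/"}'
# What comes back when ForceAuth has the wrong case: a fresh session with a new tokenId.
RESP_WRONG_CASE = '{"tokenId": "TOKEN-B.*AAJTSQ.*", "successUrl": "/openam/console", "realm": "/"}'

def build_authenticate_url(base_url, chain, realm="root", upgrade_token=None):
    """Build the authenticate URL for a chain; with upgrade_token, request a
    session upgrade that keeps the caller's tokenId (ForceAuth is case-sensitive)."""
    params = {"authIndexType": "service", "authIndexValue": chain}
    if upgrade_token:
        params["sessionUpgradeSSOTokenId"] = upgrade_token
        params["ForceAuth"] = "true"  # "forceAuth" would be silently ignored by AM
    # urlencode percent-encodes the '*' in the token, so there is no shell-quoting trap
    return f"{base_url}/json/realms/{realm}/authenticate?{urlencode(params)}"

def upgrade_params_ok(url):
    """Pre-flight check: does the URL carry both parameters needed to keep the token?"""
    q = parse_qs(urlparse(url).query)
    return q.get("ForceAuth") == ["true"] and bool(q.get("sessionUpgradeSSOTokenId"))

def authenticate(url, username, password):
    """POST to AM with the same headers as the curl steps (network call against an
    assumed reachable AM server; not exercised offline)."""
    req = urllib.request.Request(url, data=b"", method="POST", headers={
        "X-OpenAM-Username": username,
        "X-OpenAM-Password": password,
        "Content-Type": "application/json",
        "Accept-API-Version": "resource=2.1",
    })
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

def session_retained(first_body, second_body):
    """Audit check for step 3: True only if both responses carry the same tokenId."""
    return json.loads(first_body)["tokenId"] == json.loads(second_body)["tokenId"]

if __name__ == "__main__":
    base = "http://host1.example.com:8080/openam"
    first = authenticate(build_authenticate_url(base, "authChain1"), "demo", "changeit")
    token = json.loads(first)["tokenId"]
    second_url = build_authenticate_url(base, "authChain2", upgrade_token=token)
    assert upgrade_params_ok(second_url)
    second = authenticate(second_url, "demo", "changeit")
    print("session token retained:", session_retained(first, second))
```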

See Also

How do I validate session tokens and obtain session details using the REST API in AM (All versions)?

FAQ: Core Token Service (CTS) and session high availability in AM/OpenAM

Best practices for configuring sessions in AM (All versions) to reduce the impact on the CTS store

Authentication and Single Sign-On Guide › Session Upgrade

Authentication and Single Sign-On Guide › Performing Session Upgrade

Authentication and Single Sign-On Guide › Using Authentication

Related Training

N/A

Related Issue Tracker IDs

OPENAM-11015 (ForceAuth session upgrade does not work)



Copyright © 2019 ForgeRock, all rights reserved.