How do I use the WDSSO module to authenticate via REST in OpenAM 13.x?
The purpose of this article is to provide information on using the Windows Desktop Single-Sign On (WDSSO) module to authenticate via the REST API in OpenAM.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Background information
In AM 5 and later, you should include an Authorization header that contains the string Basic, followed by a base64-encoded string of the username, a colon character and the password. See Development Guide › Windows Desktop SSO Requirements for further information.
OpenAM 13.x
The WDSSO authentication module uses Kerberos authentication. The user presents a Kerberos token to OpenAM through the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol.
To authenticate via the REST API, the REST client itself must support Kerberos and SPNEGO. For example, you can use curl because it has support for SPNEGO and Kerberos (as of version 7.10.6), but Postman currently does not.
You can check that your version of curl supports SPNEGO and Kerberos using the -V option as follows:
$ curl -V
curl 7.54.0 (x86_64-apple-darwin16.0) libcurl/7.54.0 SecureTransport zlib/1.2.8
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets
Using the WDSSO module to authenticate via REST
To authenticate using the WDSSO module, you need to include the following options:
- -u - this is a fake user option needed to activate the authentication code.
- --negotiate - this enables the Negotiate (SPNEGO) authentication.
For example, you can authenticate with a command such as the following:
$ curl -X POST -u : --negotiate -H "Accept-API-Version: resource=2.1" "http://host1.example.com:8080/openam/json/realms/root/authenticate?service=winsso&authIndexType=service&authIndexValue=winsso"
Example response:
{
  "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*",
  "successUrl": "/openam/console"
}
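The feature check and the authenticate call above can be combined into one script that fails early when curl or the Kerberos ticket cache is not ready. This is an added example, not ForgeRock's code: the function names are hypothetical, and it assumes a klist that supports -s (as MIT Kerberos does) for testing whether a valid ticket exists.

```shell
#!/bin/sh
# Added example: pre-flight checks for a WDSSO REST login with curl.
# Function names are hypothetical and not part of OpenAM or curl.

# Read `curl -V` output on stdin; succeed only if the Features line
# lists every feature the Negotiate (SPNEGO) call depends on.
curl_has_spnego() {
    features=$(sed -n 's/^Features: *//p')
    for want in GSS-API Kerberos SPNEGO; do
        case " $features " in
            *" $want "*) ;;
            *) echo "curl lacks $want support" >&2; return 1 ;;
        esac
    done
}

# Read the JSON authenticate response on stdin and print the tokenId value.
extract_token_id() {
    sed -n 's/.*"tokenId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# $1 is the authenticate URL, e.g. the one shown in the article.
# Prints the tokenId on success, returns non-zero if a prerequisite is missing.
wdsso_login() {
    curl -V | curl_has_spnego || return 1
    # Assumption: klist -s exits 0 only when the cache holds a valid ticket.
    klist -s || { echo "no valid Kerberos ticket; run kinit first" >&2; return 1; }
    curl -sS -X POST -u : --negotiate \
        -H "Accept-API-Version: resource=2.1" "$1" | extract_token_id
}
```

The printed tokenId is a session credential, so keep it out of logs and shared terminals. Pointing wdsso_login at an https URL keeps the Negotiate header and the returned token from crossing the network in clear text.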
See Also
How do I troubleshoot Kerberos and WDSSO issues in AM (All versions)?
Configuring and troubleshooting Kerberos and WDSSO in AM
Postman: New feature: Support API endpoints protected by kerberos