[OpenAM] Authentication Chain Problem

Hillert, Paul T. Paul.Hillert at Channelvantage.com
Wed May 2 18:40:17 BST 2012

Hi all,

I have an authentication chain set up in a subrealm consisting of 3 modules.  The first two I have set up as SUFFICIENT, the last one (the embedded datastore) I have set up as REQUIRED.  In the case of the first two modules, users are authenticated based on differences in requestIP and/or request headers, not by logging in.  My issue is that when I am trying to authenticate with a valid user/valid headers etc., to either module, the rest of the chain is executed afterwards regardless.   This is causing an infinite redirection loop back to the OpenAM DataStore authentication module.  I am hoping that maybe there is some setting that I am forgetting?  I have been up and down the OpenAM console and reconfigured my policy agent multiple times trying to see what could be wrong, but no luck.  Any suggestions are welcome, I’m thinking it should be something simple I’m just overlooking.

Is there any reason that a user authenticated through a SUFFICIENT module should ever be passed down any further in the chain though?


Paul Hillert

This email is for the use of the intended recipient(s) only and may contain privileged, confidential, copyrighted or proprietary information. If you have received this email in error, please notify the sender immediately and then delete it. If you are not the intended recipient, you must not keep, use, disclose, copy or distribute this email without the author's prior permission. We have taken precautions to minimize the risk of transmitting software viruses, but we advise you to carry out your own virus checks on any attachment to this message. We cannot accept liability for any loss or damage caused by software viruses. The information contained in this communication may be confidential and may be subject to the attorney-client privilege.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.forgerock.org/pipermail/openam/attachments/20120502/1095cbeb/attachment.html>

More information about the OpenAM mailing list