Wednesday Nov 11, 2009

Get the answer here ...

You can get the plain-text password entered by the user for OpenSSO server login / authentication at the agent / client side with the following configuration steps:

1) Add the property "com.sun.identity.wss.security.useHashedPassword=false" on both the OpenSSO server side and the agent/client side.
2) Add a new value "com.sun.identity.authentication.spi.WSSReplayPasswd" under Access Control -> Top Level Realm -> Authentication -> Advanced Properties -> Authentication Post Processing Classes, on the OpenSSO server side.
3) Make sure "am.encryption.pwd" has the same value on the OpenSSO server side and the agent/client side.

After this, the following can be executed on the agent/client side:

import com.iplanet.services.util.Crypt;   // decrypts with the am.encryption.pwd key from step 3
// ssoToken: the user's SSOToken held by the agent/client; getProperty throws SSOException
String encryptedPassword = ssoToken.getProperty("EncryptedUserPassword");
String clearPassword = Crypt.decrypt(encryptedPassword);

Friday Sep 11, 2009

Well...here is your answer .... Try the new "Resource / IP / Environment based Authentication" feature in OpenSSO Express build 8 and above, by following the detailed SDN article.

Tuesday Apr 14, 2009

You can have a fairly extensive UI generated for a custom authentication module based on the callbacks defined in the module's XML properties file. The module XML file defines the set of callbacks (based on Auth_Module_Properties.dtd), and since the Auth UI is completely driven by callbacks, it renders these callbacks via JSP pages.

OpenSSO supports all standard JAAS callbacks plus additional ones that we have implemented, such as "HttpCallback", "RedirectCallback" and "PagePropertiesCallback". As long as the custom authentication module uses these callbacks in its XML file, the Auth UI layer can understand and render them. With this set of callbacks you can achieve an extensive UI in which you can exercise HTTP protocol-level negotiation parameters, redirect to third-party URLs, and change page branding such as images, headers, templates (JSP pages), page timeouts, etc., in addition to what the standard JAAS callbacks support. You can also do multi-step authentication if the custom authentication module defines multiple "Callbacks" elements for multiple page orders or page states.

But if a custom auth module wants to define its own custom callback, the Auth UI would not be able to render that callback since it would not know about it. If this case is required, one can use the remote auth API to authenticate to the custom auth module and process and render that custom callback in the client application itself. The remote auth API does support communicating custom callbacks from the auth module to the API caller, as per remote-auth.dtd.
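As an added example (constructed here, not one of OpenSSO's shipped module files), a module properties file for a hypothetical two-step module "TwoStepDemo": page state 1 collects user name and password with standard JAAS callbacks, page state 2 collects a one-time code, and page state 3 is the terminal error page. The header, template and timeout attributes on each Callbacks element are what the UI layer surfaces as the PagePropertiesCallback mentioned above; the JSP name is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ModuleProperties PUBLIC
  "=//iPlanet//Authentication Module Properties XML Interface 1.0 DTD//EN"
  "jar://com/sun/identity/authentication/Auth_Module_Properties.dtd">
<!-- Constructed example; the module name "TwoStepDemo" and TwoStepDemoLogin.jsp are hypothetical -->
<ModuleProperties moduleName="TwoStepDemo" version="1.0">

  <!-- Page state 1 (order="1" is the state the module's process() starts in).
       length = number of callbacks in this block; header/template/timeout are
       turned into a PagePropertiesCallback by the Auth UI, which then renders
       the standard callbacks below on the JSP template. -->
  <Callbacks length="2" order="1" timeout="120"
             header="Step 1 of 2: Sign in" template="TwoStepDemoLogin.jsp">
    <NameCallback isRequired="true">
      <Prompt>User Name:</Prompt>
    </NameCallback>
    <PasswordCallback echoPassword="false">
      <Prompt>Password:</Prompt>
    </PasswordCallback>
  </Callbacks>

  <!-- Page state 2: the module returns state 2 from process() after the
       password check passes; a standard NameCallback collects the code, so the
       stock Auth UI can render it without knowing anything module-specific.
       The shorter timeout bounds how long a half-finished login stays open. -->
  <Callbacks length="1" order="2" timeout="60"
             header="Step 2 of 2: Enter the one-time code">
    <NameCallback isRequired="true">
      <Prompt>One-time code:</Prompt>
    </NameCallback>
  </Callbacks>

  <!-- Page state 3: terminal error page (no callbacks) shown when the code is wrong. -->
  <Callbacks length="0" order="3" timeout="120"
             header="Authentication failed" error="true" />
</ModuleProperties>
```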

Monday Mar 23, 2009

If you cannot log in as "amadmin" to the OpenSSO server, you may want to check the following:

  • Have you configured the OpenSSO instance to point to the same DIT as AM 7.x, but used a different encryption key than the original AM 7.1 server?

You have to use the same encryption key here.

  • Are you authenticating "amadmin" with its password from OpenSSO's user store?

"amadmin" and its password are first authenticated against the configuration store, i.e. this user and its password must match the "amadmin" user and its password in OpenSSO's configuration store (special users under the IdRepo service).
The actual auth module store and / or user store and the configuration store can be different as long as the above succeeds.

  • Are you authenticating "amadmin" with its password to a sub-realm?

"amadmin" can only log in to the top-level (root) realm.

Wednesday Mar 18, 2009

Authentication UI customization based on directory locations:

Location of customized Auth UI JSP pages and Auth Module Properties (xml) files:

The customized Web UI JSP templates and Authentication Module Properties XML files are located by the Authentication Service based on a certain hierarchy.

The first matching file found is returned to the user. The following parameters are considered for locating a file:
  • Organization/SubOrganization - the organization/sub-organization of the request.
  • Locale - locale of the request
  • Client Path - client type information of the request
  • Service Name (serviceName) - service name for service-based authentication

Note: Locale, Client Path and Service Name are optional.

The file search path is as follows (under the deployed opensso web app, i.e. ....opensso/config/auth/):
default_locale/orgPath/filePath/fileName
default/orgPath/filePath/fileName
(where "default" is the default / root realm)

where
orgPath = services/subOrg/sub-subOrg
filePath = clientPath + serviceName
clientPath = clientType/sub-clientType
fileName = module xml file / auth UI JSP file

Example :
locale = en
subOrg = solaris
clientPath = html/nokia/
serviceName = paycheck
fileName = Login.jsp

FileLookup for the above would be (in the order below):

default_en/services/solaris/html/nokia/paycheck/Login.jsp
default_en/services/solaris/html/nokia/Login.jsp
default_en/services/solaris/html/Login.jsp
default_en/services/solaris/Login.jsp
default_en/html/nokia/paycheck/Login.jsp
default_en/html/nokia/Login.jsp
default_en/html/Login.jsp
default_en/Login.jsp

default/services/solaris/html/nokia/paycheck/Login.jsp
default/services/solaris/html/nokia/Login.jsp
default/services/solaris/html/Login.jsp
default/services/solaris/Login.jsp
default/html/nokia/paycheck/Login.jsp
default/html/nokia/Login.jsp
default/html/Login.jsp
default/Login.jsp
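As an added example (not OpenSSO's own FileLookup code), this Python function generates the candidate order for any combination of the optional parameters, so an administrator can see which customized JSP or module XML file would shadow another. Nested sub-organizations are not shown on the page, so orgPath is tried whole and then dropped, exactly as in the Login.jsp list above.

```python
"""Search order for OpenSSO auth UI JSPs and module properties XML files.

Added example, not OpenSSO's own FileLookup code. Paths are relative to the
deployed web app's config/auth/ directory described above.
"""
import os
from typing import List, Optional


def lookup_order(file_name: str, locale: Optional[str] = None,
                 org_path: Optional[str] = None, client_path: Optional[str] = None,
                 service_name: Optional[str] = None) -> List[str]:
    """Return candidate paths, most specific first (locale, client path and
    service name are optional). org_path is the "services/<subOrg>" part; it is
    tried whole and then dropped, as in the Login.jsp example above."""
    # filePath = clientPath + serviceName, split into path components
    file_parts = [p for p in (client_path or "").split("/") if p]
    if service_name:
        file_parts.append(service_name)

    locale_dirs = ([f"default_{locale}"] if locale else []) + ["default"]  # "default" = root realm
    org_prefixes = ([org_path.strip("/")] if org_path else []) + [""]      # then without orgPath

    candidates = []
    for loc in locale_dirs:
        for org in org_prefixes:
            # peel filePath components off from the right, down to none
            for n in range(len(file_parts), -1, -1):
                parts = [loc] + ([org] if org else []) + file_parts[:n] + [file_name]
                candidates.append("/".join(parts))
    return candidates


def resolve(auth_root: str, file_name: str, **kwargs) -> Optional[str]:
    """First candidate that exists under auth_root (the file returned to the user), or None."""
    for rel in lookup_order(file_name, **kwargs):
        if os.path.isfile(os.path.join(auth_root, *rel.split("/"))):
            return rel
    return None


if __name__ == "__main__":
    # Reproduces the list given above for locale=en, subOrg=solaris,
    # clientPath=html/nokia/, serviceName=paycheck, fileName=Login.jsp
    for path in lookup_order("Login.jsp", locale="en", org_path="services/solaris",
                             client_path="html/nokia/", service_name="paycheck"):
        print(path)
```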

Friday Nov 02, 2007

Federated Access Manager 8.0 (based on the OpenSSO project) demonstrated its functionality as an IdP, enabling a Managed InfoCard provider and Security Token Service endpoints with the Windows CardSpace identity selector, at the Burton Group's Catalyst conference (Barcelona, 22-25 October 2007) IOP event.

Sun's OpenSSO IdP/STS presentation and the IOP results show the interoperability between multiple identity selectors and relying parties.


Monday Mar 12, 2007

Check out "OpenSSO Extensions is Launched".

So you can include more and more innovations in OpenSSO, quickly and easily.