How to create a web policy agent in OpenAM given that the server URL has a not fully qualified hostname?
Question: How to create a web policy agent in OpenAM given that the server URL, which OpenAM runs on, has a not fully qualified hostname?
Initial situation: For a Prove of concept (POC), I emulate a server structure using docker. I have an apache webserver as a resource server (docker container), an OpenAM docker container for the access management, and a flask web app running in a third container as the client. I configured OpenAM via the GUI. Sofar my flask app can authenticate, request, and retrieve access tokens using simple requests as specified here. However now I also want to protect the apache resource server. For the start without flask and simply by installing an OpenAM Web Policy Agent on the apache webserver and configuring a web policy agent profile in OpenAM following this official ForgeRock guide.
Problem:
When configuring the agent profile in OpenAM using the GUI the OpenAM container's domain name http://openam:8080/openam is not accepted as a valid server URL.
If I use instead e.g. http://openam.local:8080/openam the error does not show.
What I tried so far:
- I added an Nginx container that functions as a reverse proxy and used it to change the container's hostnames to
<container>.local. Now I can reach the containers e.g. viahttp://openam.local:8080/openamandhttp://apache.local:8080. However, when I now access the OpenAM GUI usinghttp://openam.local:8080/openam, enter the default passwords, and pressCreate Configurationthe configuration fails with the following message:
- Unable to solve the problem from (1) I figured that I recall the Nginx setup and instead try to configure the agent profile using the command line - in the hope that the above error
Hostname of server URL is not fully qualifiedis restricted to the GUI. For the setup via the command line there existed the easy command./ssoadm create-agent ...as descript here. Butssoadmwas deprecated in favor ofAmsterand I am unable to figure out how to configure the agent policy usingAmster.
When using docker as described in the original question you can simply set the hostname of the container using -h flag.
Example OpeanAM:
docker run -h openam.example.com -p 8080:8080 --name openam openidentityplatform/openam
Example Apache Web Server:
docker run -it --name apache_agent -p 80:80 -h example.com --shm-size 2G --link=openam apache_agent
OpenAM can now be reached via http://openam.example.com:8080/openam and the apache server via http://example.com.
The OpenAM configuration runs through without an error and when configuring the Web Policy Agent the URL is fully qualified.
Reference and best resource to get started with OpenAM is this Quick-Start-Guide from the OpenAM git repo's wiki.
- How does service discovery work with modern docker/docker-compose?
- Eureka client in docker not connecting with Eureka server
- Laravel flash messages not working as expected
- how to add these settings to my php.ini in docker
- Docker create network should ignore existing network
- Docker - mysqld: Table 'mysql.plugin' doesn't exist
- Breakpoints in vscode (Win 10) "unverified" and not hit when remote debugging Go app in Linux Docker container (Hyper-V)
- How to fix "cannot find -lpq" error when using alpine linux docker image?
- custom name resolution failing on docker container
- pip dependencies from env yaml file missed during building docker container
- After docker-compose build the docker-compose up run old not updated containers
- Mongo DB deployment not working in kubernetes because processor doesn't have AVX support
- How do I get into a Docker container's shell?
- Reading an environment variable in react which was set by docker
- Error 403 while running Docker image on Windows, but works on RHEL8
- Docker container fails to build when installing GRPC
- Que failing with Distillery release and Docker
- Connecting from a docker container to the host on MacOS
- Docker filling up storage on macOS
- How to get Elastic Container Repository URI from Cloud Formation?
- An exception has been raised that is likely due to a transient failure - connect local PostgreSQL to Docker container
- Jenkins Pipeline Error: "Selected Git installation does not exist."
- Docker Installation: ImportError: cannot import name '_gi' from 'gi' (/usr/lib/python3/dist-packages/gi/__init__.py)
- How can I give a containerRegistry to a DevcontainersCi task in an Azure DevOps YAML Pipeline?
- AttributeError: module 'numba' has no attribute 'generated_jit'
- Deploying to Cloud Run with a custom service account failed with iam.serviceaccounts.actAs error
- Why do I still getting error, Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock?
- Postgres inside Docker container, how to log JSON to Loki via Promtail?
- Can't install Kubernetes on Vagrant
- How do I open another port in a docker nginx container (only in the container; so, NOT publishing which is the -p flag)?