oriolrius.cat

Des del 2000 compartiendo sobre…

Tag: xacml

OpenAM: some ssoadm commands for reference

Reading time: 3 – 4 minutes

OpenAM is as much powerful as complicated sometimes. In this case I spent a lot of time understanding how to set simple settings because of that I decide to take note about that in this blog entry.

First of all don’t forget to set the environment variables and go to ssoadm path:

export JAVA_HOME="/usr/lib/jvm/java-6-openjdk-amd64/jre"
export CLASSPATH="/var/lib/tomcat7/webapps/openam/WEB-INF/lib/policy-plugins.jar::/var/lib/tomcat7/webapps/openam/WEB-INF/lib/openam-core-11.0.0.jar"

cd /opt/openam/ssoadmin/openam/bin

Getting the list of user identities:

./ssoadm list-identities -u amadmin -f /tmp/oam.pwd -e / -t User -x "*"

anonymous (id=anonymous,ou=user,dc=openam)
demo (id=demo,ou=user,dc=openam)
serviceusername (id=serviceusername,ou=user,dc=openam)
amAdmin (id=amAdmin,ou=user,dc=openam)
Search of Identities of type User in realm, / succeeded.

another useful query would be:

./ssoadm list-identities -u amadmin -f /tmp/oam.pwd -e / -t Role -x "*"

No plug-ins configured for this operation

But as you can see it doesn’t work and I don’t know how to solve it.

Taking a look to GUI get to identities list with: Access Control > / (Top Level Realm) > Privileges

In this webpage you have a list of role identities, in my case I have only this: “All Authenticated Users”. Inside this identity I can set different privileges:

  • REST calls for Policy Evaluation (EntitlementRestAccess)
  • Read and write access to all log files (LogAdmin)
  • REST calls for searching entitlements (PrivilegeRestReadAccess)
  • Read access to all log files (LogRead)
  • Read and write access to all federation metadata configurations (FederationAdmin)
  • Read and write access only for policy properties (PolicyAdmin)
  • Read and write access to all configured Agents (AgentAdmin)
  • Read and write access to all realm and policy properties (RealmAdmin)
  • REST calls for managing entitlements (PrivilegeRestAccess)
  • Write access to all log files (LogWrite)

If we want to remove a privilege:

root@vm:/opt/openam/ssoadmin/openam/bin# ./ssoadm remove-privileges -u amAdmin -f /tmp/oam.pwd -e / -g EntitlementRestAccess -i "All Authenticated Users" -t role

Privileges were removed from identity, All Authenticated Users of type, role in realm, /.

or adding a privilege:

root@vm:/opt/openam/ssoadmin/openam/bin# ./ssoadm add-privileges -u amAdmin -f /tmp/oam.pwd -e / -g EntitlementRestAccess -i "All Authenticated Users" -t role

Talking about policies, exporting:

./ssoadm list-policies -u amadmin -f /tmp/oam.pwd -e / -o /tmp/policies.xml

and if we want to import the policies:

./ssoadm create-policies -u amAdmin -f /tmp/oam.pwd -e / --xmlfile /tmp/policies.xml

creating a user:

./ssoadm create-identity -u amadmin -f /tmp/oam.pwd  -e / -i serviceusername -t User --attributevalues "userpassword=servicepassword"

Useful references: