iPlanetDirectoryPro cookie domain not set after authentication

[ssdowdavalon]

I've deployed FR via the CDM instructions. My domain is a.b.c and I'm deplpyoing into my dev namespace (dev.a.b.c).

In my frconfig configmap, DOMAIN is .a.b.c.

In my amster-config configmap, the options include: --cookieDomain .a.b.c \

and --lbPrimaryUrl https://login.dev.a.b.c/ \

The ingress for openam has a spec.rules.host of login.dev.a.b.c and tls uses the wildcard cert. DNS resolves to the ingress load balancer (AWS).

I have an example app deployed as example.dev.a.b.c and it works. Within that I have an OpenIG route that will protect /private/ by validating the cookie.

When I go to https://login.dev.a.b.c/openam/XUI/#login/&goto=https://example.dev.a.b.c/ and login, I successfully authenticate and am redirected to https://example.dev.a.b.c.

However when I look at the cookies using the browser's developer mode, I don't see a domain= on the iPlanetDirectoryPro cookie. I see that the iPlanetDirectoryPro cookie only has a path=/ annotation, not a domain= annotation. This means the cookie is not sent to example.dev.a.b.c. In viewing the doco, this appears to be the new default for openam.

I can see how to set the cookie domain via the OpenAM admin console (Configure -> Global Services -> Platform -> Cookie Domains) but I want to set it via helm when I deploy into each environment. In amster's pod, COOKIE_DOMAIN=a.b.c.

I'd expect the iPlanetDirectoryPro cookie to include domain=a.b.c or domain=dev.a.b.c.

[wstrange]

Can you try the new skaffold/workflow on the master branch - this will be easier for us to help debug the issue. The newer workflow puts all the ingresses behind a single FQDN *.iam.acme.com - which might address your issue.

The docs for the new workflow can be found on https://ea.forgerock.com/docs/forgeops/index.html

[ssdowdavalon]

@wstrange I'm getting a 403 trying to access that. Is there a public link for it?

[ssdowdavalon]

I've also tried setting the Cookies Domain List directly in OpenAM (Top Level Realm -> Applications -> Web -> ig-agent -> SSO -> Cookies Domain List) and that does not seem to have any effect. I then tried renaming the iPlanetDirectoryPro cookie on that same UI and that also had no effect so I'm wondering if there is some other OpenAM configuration required?

[wstrange]

You need to create a backstage account for the EA docs. See https://backstage.forgerock.com/knowledge/kb/article/a68789999

[wstrange]

In the latest deploy (on master), I see the cookie domain being set for iPlanetDirectoryPro. I think there is something going on with your load balancer or ingress. If you can try the deploy from master we can help to diagnose

[ssdowdavalon]

In 6.5, data.cookieDomains is an empty array in 6.5/cdm/m-cluster/am/global/Platform.json, resulting in the cookie only working for the FQDN.

I would have expected the array to contain something like "&{namespace}&{domain}".

I set it to that and the behavior I'm seeing appears correct: iPlanet cookie set for the domain associated with the namespace.

[wstrange]

On forgeops master: https://github.com/ForgeRock/forgeops/tree/master/config/6.5/cdk/amster/config/global

it looks like we are not explicitly setting it - and letting it default - which is probably why it is working on master.

On Mon, Jan 13, 2020 at 10:56 AM ssdowdavalon notifications@github.com wrote:

In 6.5, data.cookieDomains is an empty array in 6.5/cdm/m-cluster/am/global/Platform.json, resulting in the cookie only working for the FQDN.

I would have expected the array to contain something like "&{namespace}&{domain}".

I set it to that and the behavior I'm seeing appears correct: iPlanet cookie set for the domain associated with the namespace.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/ForgeRock/forgeops/issues/635?email_source=notifications&email_token=AADNEZA27MIMJZLKUIJLYWDQ5STM5A5CNFSM4KCSP66KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEIZVI5A#issuecomment-573789300, or unsubscribe https://github.com/notifications/unsubscribe-auth/AADNEZEYZWKDRJVNDWED3NLQ5STM5ANCNFSM4KCSP66A .