Closed ssdowdavalon closed 4 years ago
Can you try the new skaffold/workflow on the master branch - this will be easier for us to help debug the issue. The newer workflow puts all the ingresses behind a single FQDN *.iam.acme.com - which might address your issue.
The docs for the new workflow can be found on https://ea.forgerock.com/docs/forgeops/index.html
@wstrange I'm getting a 403 trying to access that. Is there a public link for it?
I've also tried setting the Cookies Domain List directly in OpenAM (Top Level Realm -> Applications -> Web -> ig-agent -> SSO -> Cookies Domain List) and that does not seem to have any effect. I then tried renaming the iPlanetDirectoryPro cookie on that same UI and that also had no effect so I'm wondering if there is some other OpenAM configuration required?
You need to create a backstage account for the EA docs. See https://backstage.forgerock.com/knowledge/kb/article/a68789999
In the latest deploy (on master), I see the cookie domain being set for iPlanetDirectoryPro. I think there is something going on with your load balancer or ingress. If you can try the deploy from master we can help to diagnose
In 6.5, data.cookieDomains is an empty array in 6.5/cdm/m-cluster/am/global/Platform.json
, resulting in the cookie only working for the FQDN.
I would have expected the array to contain something like "&{namespace}&{domain}"
.
I set it to that and the behavior I'm seeing appears correct: iPlanet cookie set for the domain associated with the namespace.
On forgeops master: https://github.com/ForgeRock/forgeops/tree/master/config/6.5/cdk/amster/config/global
it looks like we are not explicitly setting it - and letting it default - which is probably why it is working on master.
On Mon, Jan 13, 2020 at 10:56 AM ssdowdavalon notifications@github.com wrote:
In 6.5, data.cookieDomains is an empty array in 6.5/cdm/m-cluster/am/global/Platform.json, resulting in the cookie only working for the FQDN.
I would have expected the array to contain something like "&{namespace}&{domain}".
I set it to that and the behavior I'm seeing appears correct: iPlanet cookie set for the domain associated with the namespace.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/ForgeRock/forgeops/issues/635?email_source=notifications&email_token=AADNEZA27MIMJZLKUIJLYWDQ5STM5A5CNFSM4KCSP66KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEIZVI5A#issuecomment-573789300, or unsubscribe https://github.com/notifications/unsubscribe-auth/AADNEZEYZWKDRJVNDWED3NLQ5STM5ANCNFSM4KCSP66A .
I've deployed FR via the CDM instructions. My domain is a.b.c and I'm deplpyoing into my dev namespace (dev.a.b.c).
In my frconfig configmap, DOMAIN is
.a.b.c
.In my amster-config configmap, the options include:
--cookieDomain .a.b.c \
and
--lbPrimaryUrl https://login.dev.a.b.c/ \
The ingress for openam has a spec.rules.host of login.dev.a.b.c and tls uses the wildcard cert. DNS resolves to the ingress load balancer (AWS).
I have an example app deployed as example.dev.a.b.c and it works. Within that I have an OpenIG route that will protect /private/ by validating the cookie.
When I go to https://login.dev.a.b.c/openam/XUI/#login/&goto=https://example.dev.a.b.c/ and login, I successfully authenticate and am redirected to https://example.dev.a.b.c.
However when I look at the cookies using the browser's developer mode, I don't see a
domain=
on the iPlanetDirectoryPro cookie. I see that the iPlanetDirectoryPro cookie only has apath=/
annotation, not a domain= annotation. This means the cookie is not sent to example.dev.a.b.c. In viewing the doco, this appears to be the new default for openam.I can see how to set the cookie domain via the OpenAM admin console (Configure -> Global Services -> Platform -> Cookie Domains) but I want to set it via helm when I deploy into each environment. In amster's pod,
COOKIE_DOMAIN=a.b.c
.I'd expect the iPlanetDirectoryPro cookie to include
domain=a.b.c
ordomain=dev.a.b.c
.