This is certainly a weird one though I managed to work it out. The error string value states that the agent deployment was 'Unable to get Application SSO Token'
The issue from the log files...
To perform the agent user authentication, it instantiates the AuthContext by requesting to OpenAM on what it actually needs (hence the authContents.getRequirements())
If the login is successful, then OpenAM will setup the SSOToken. The code however never gets that far though because the exception is thrown with the string value of 'Unable to get Application SSO Token'. Therefore when this issue occurs, it's not even completing the AuthContext, which implies to either the credentials being incorrect or that the service name is unreachable/unavailable.
From my side, I eliminated the credentials because this was an initial installation of the agent, which requires the agent profile username/password.
My statement is also supportive based on the return response, 'Failed to create new Authentication Context: Cannot find server ID'. One way to test the service name is accessing the /namingservice URL of your OpenAM instance. For example, http://servername:8080/openam/namingservice. This should bring back something such as 'OpenSSO', which is the identifer you require for the AuthContext initiation. If you're sitting behind a LB with multiple instances, then ensure that the naming service is also available.
My issue was actually related to the server in which it tries to access the naming service. Within the OpenSSOAgentBootstrap.properties, you should be able to locate the 'com.iplanet.am.naming.url' value pointing to the namingservice value.
I altered this value to be pointing to the LB instead of the designated server that was SSL enabled and not the open port directed to the single instance
#com.iplanet.am.naming.url=https://server1:8080/openam/namingservice
com.iplanet.am.naming.url=https://loadbalancer:443/openam/namingservice
Once I did this, I was able to progress with the initiation of newly deployed J2EE agent.
Issue #2 - Check your stack trace
I returned back to this thread because I was receiving the same, 'Caused by: com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token' error
however the stack trace presented a different error. In this scenario, it was 'Check AMConfig.properties for the following properties' followed by 'com.sun.identity.agents.app.username'
and 'com.iplanet.am.service.password' values.
I confirmed (repeatedly) the credentials within the properties file as well as the agent profile was correct though I was still receiving the same error
Solution - conflicting agent profiles
Even though the agent was pointing to the sub-realm, the root domain has an agent that was exact to the one within the sub domain. Removing the agent from the root or changing the name from within the sub-realm will resolve the issue
About the author
Daniel is a Technical Manager with over 10 years of consulting expertise in the Identity and Access Management space.Daniel has built from scratch this blog as well as technicalconfessions.com
Follow Daniel on twitter @nervouswiggles
Comments
Other Posts
AS I was migrating my environment into an S3 environment, I wanted to leverage off the SES services that AWS provide, more specifically, to leverage the off the SMTP functionality by sending an email via PHP
Read More...
The WeMos D1 is a ESP8266 WiFi based board is an extension to the current out-of-the-box library that comes with the Arduino installation. Because of this, you need to import in the libraries as well as acknowledging the specific board. This process is highly confusion with a number of different individuals talking about a number of different ways to integrate.
Read More...
NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration.
Read More...
For what I see, there's not too many supportive documentations out there that will demonstrate how provision AD group membership with the ICF connector using OpenIDM. The use of the special ldapGroups attribute is not explained anywhere in the Integrators guides to to the date of this blog. This quick blog identifies the tasks required to provision AD group membership from OpenIDM to AD using the LDAP ICF connector. However this doesn't really explain what ldapGroups actually does and there's no real worked example of how to go from an Assignment to ldapGroups to an assigned group in AD. I wrote up a wiki article for my own reference: AD group memberships automatically to users This is just my view, others may disagree, but I think the implementation experience could be improved with some more documentation and a more detailed example here.
Read More...
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...
org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...
ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...
When performing the attempt of a reconciliation from ForgeRock IDM to Active Directory, I would get the following error
Read More...
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...
During the reconcilation from OpenIDM to the ICF google apps connector, the following error response would occur. ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_grant
Read More...
Tags
Recent Posts
Monthly Activity
Group by date