Step 4. Authenticate to AM

Now that you have completed Step 3. Configure AM, you can use the myAuthTree tree you created to authenticate a user.

To test your authentication tree in a web browser, navigate to a URL similar to the following:

http://openam.example.com:8080/openam/XUI/?realm=/&service=myAuthTree#login

Use the correct FQDN, port number, and deployment path for your environment. Also ensure you use the correct authentication tree name, in the example above, the tree is named myAuthTree.

Log in as the built-in demo user, with the password Ch4ng31t.

On successful login, AM creates a cookie named iPlanetDirectoryPro in your browser for your domain; for example, example.com. That cookie is then available to all servers in the example.com domain, such as openam.example.com.

If you examine this cookie, you see that it has a value such as AQI5wM2L...*AAJTS.... This is the SSO Token value. The value is in fact an encrypted reference to the session that is stored only by AM. So, only AM can determine whether you are actually logged in, or instead, that the session is no longer valid and you need to authenticate again.

The AM session is used for SSO. When the browser presents the cookie to a server in the domain, the agent on the server can check with AM using the SSO Token as a reference to the session. This lets AM make policy decisions based on who is authenticated, or prompt for additional authentication, if necessary.

Your SSO session can end in a few ways. For example, when examining the cookie in your browser, you should notice that it expires when the browser session ends (when you shut down your browser). Alternatively, you can log out of AM explicitly.

Sessions can also expire. AM sets two limits: one that causes your session to expire if it remains inactive for a configurable period of time (default: 30 minutes), and another that caps the session lifetime (default: 2 hours).

Congratulations on authenticating your first user with AM!

See what else can AM do for you by reading Next Steps.