Supported Standards

AM implements the following RFCs, Internet-Drafts, and standards:

RFC 4226: HOTP: An HMAC-Based One-Time Password Algorithm, supported by the OATH authentication module.

RFC 6238: TOTP: Time-Based One-Time Password Algorithm, supported by the OATH authentication module.
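The two RFCs above are short enough to implement directly, and doing so shows what an OATH verifier actually has to get right: the dynamic truncation step, a look-ahead window for HOTP counters that never accepts a counter already consumed (which is what blocks replay of a used code), and a small drift window for TOTP. The following is an added example written for this page, not AM's code; the secrets and expected values are the test vectors from the appendices of RFC 4226 and RFC 6238, and the two verify functions are an illustration of server-side checking rather than a description of how AM's OATH module stores or resynchronises counters.

```python
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # mask the sign bit
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of time steps since t0."""
    return hotp(secret, (unix_time - t0) // step, digits, algorithm)


def verify_hotp(secret: bytes, code: str, next_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Server-side HOTP check with a resynchronisation window.

    Returns the counter value the server should store next (matched counter + 1),
    or None if no counter in [next_counter, next_counter + look_ahead) matches.
    Counters below next_counter are never tried, so a code that was already
    accepted cannot be replayed.
    """
    for counter in range(next_counter, next_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter + 1
    return None


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                window: int = 1, digits: int = 6, algorithm: str = "sha1") -> bool:
    """TOTP check tolerating +/- window time steps of clock drift.

    Each candidate is compared in constant time. A real deployment also records
    the last accepted time step so the same code cannot be used twice within it.
    """
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits, algorithm), code)
        for c in range(current - window, current + window + 1)
    )


# Test-vector secrets from RFC 4226 Appendix D and RFC 6238 Appendix B.
RFC4226_SECRET = b"12345678901234567890"
RFC6238_SECRET_SHA256 = b"12345678901234567890123456789012"


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC4226_SECRET, 0))                     # 755224 per RFC 4226
    print("TOTP at T=59:  ", totp(RFC4226_SECRET, 59, digits=8))         # 94287082 per RFC 6238
    print("resync to:     ", verify_hotp(RFC4226_SECRET, "359152", 0))    # counter 2 matched -> 3
```

Running the module prints the RFC reference values; the look-ahead in `verify_hotp` is the knob that trades usability (a token pressed a few times without logging in) against the number of guesses an attacker gets per attempt, so keep it small and rate-limit failures.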


OpenID Connect Core 1.0 incorporating errata set 1.

Of the claim representations defined in section 5.6 of this specification, AM supports Normal Claims. The optional Aggregated Claims and Distributed Claims representations are not supported.

OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0 draft-02

AM follows the guidelines of the OpenID Financial-grade API (FAPI) Working Group in its CIBA implementation, which constrains CIBA support in AM as follows:

  • AM only supports the CIBA "poll" mode, not the "push" or "ping" modes.

  • AM requires use of confidential clients for CIBA.

  • AM requires use of signed JSON-web tokens (JWT) to pass parameters, using one of the following algorithms:

    • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

    • PS256 - RSASSA-PSS using SHA-256.

    Plain JSON or form parameters are not supported for CIBA-related data.
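The three constraints above amount to a policy that a CIBA authorization server enforces on the backchannel authentication request before it even verifies a signature: the request must be a compact JWS, its header `alg` must be ES256 or PS256 (so `none` and HMAC algorithms are refused, closing the usual algorithm-confusion routes), and the claims must identify the confidential client and the issuer. The following is an added example for this page, not AM's code. It assembles constructed sample tokens with a placeholder signature (no signing key is available here) and runs the pre-verification checks; the required-claims list follows what the CIBA Core specification requires of a signed authentication request JWT, the client identifier and issuer URL are invented, and actual signature verification is left to a JOSE library.

```python
import base64
import json

# Signed-request algorithms AM accepts for CIBA (from the page). Anything else,
# including "none" and the HMAC family, is rejected before any crypto runs.
CIBA_ALLOWED_ALGS = frozenset({"ES256", "PS256"})

# Claims the CIBA Core spec requires in a signed authentication request JWT.
REQUIRED_CLAIMS = ("iss", "aud", "exp", "iat", "nbf", "jti")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_request_jwt(alg: str, claims: dict, signature: bytes = b"\x00" * 64) -> str:
    """Assemble a compact JWS with the given header alg and claims.

    Constructed sample only: the signature bytes are a placeholder because this
    example holds no signing key. A real client signs with its ES256/PS256 key.
    """
    header = {"alg": alg, "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        b64url_encode(signature),
    ])


def check_request_jwt(token: str, client_id: str, issuer: str, now: int) -> dict:
    """Policy checks applied to a CIBA request before cryptographic verification.

    Returns the claims if the JWT is acceptable, raises ValueError otherwise.
    Signature verification itself is the job of a JOSE library and is not done here.
    """
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("request must be a signed compact JWS (header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    alg = header.get("alg")
    if alg not in CIBA_ALLOWED_ALGS:
        raise ValueError(f"alg {alg!r} not permitted; expected one of {sorted(CIBA_ALLOWED_ALGS)}")
    claims = json.loads(b64url_decode(parts[1]))
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"missing required claims: {missing}")
    if claims["iss"] != client_id:
        raise ValueError("iss must equal the client_id of the authenticating client")
    if claims["aud"] != issuer:
        raise ValueError("aud must be the authorization server's issuer identifier")
    if not (claims["nbf"] <= now < claims["exp"]):
        raise ValueError("request JWT is not yet valid or has expired")
    return claims


# Constructed sample values; none of these come from the page.
CLIENT_ID = "ciba-client"
ISSUER = "https://am.example.com/oauth2"
NOW = 1_700_000_000

SAMPLE_CLAIMS = {
    "iss": CLIENT_ID,
    "aud": ISSUER,
    "iat": NOW,
    "nbf": NOW,
    "exp": NOW + 300,
    "jti": "4a2c9d1e",
    "scope": "openid profile",
    "login_hint": "demo@example.com",
    "binding_message": "Transfer 12.00 EUR",
}


def demo() -> dict:
    """Run the checks over accepted and rejected constructed inputs; return the outcomes."""
    outcomes = {}
    for alg in ("ES256", "PS256", "none", "HS256"):
        try:
            check_request_jwt(build_request_jwt(alg, SAMPLE_CLAIMS), CLIENT_ID, ISSUER, NOW)
            outcomes[alg] = "accepted"
        except ValueError as exc:
            outcomes[alg] = f"rejected: {exc}"
    # Plain JSON in the request body (no JWS at all) must also be refused.
    try:
        check_request_jwt(json.dumps({"scope": "openid"}), CLIENT_ID, ISSUER, NOW)
        outcomes["plain JSON"] = "accepted"
    except ValueError as exc:
        outcomes["plain JSON"] = f"rejected: {exc}"
    # An otherwise valid ES256 request whose exp has passed is refused too.
    stale = dict(SAMPLE_CLAIMS, exp=NOW - 1)
    try:
        check_request_jwt(build_request_jwt("ES256", stale), CLIENT_ID, ISSUER, NOW)
        outcomes["expired"] = "accepted"
    except ValueError as exc:
        outcomes["expired"] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10} {result}")
```

The point of doing the `alg` allowlist before anything else is that the verifier is then never asked to verify with an algorithm the deployment does not use; a library that would happily accept `HS256` with the public key as the HMAC secret, or `none`, never sees the token.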

OpenID Connect Discovery 1.0

OpenID Connect Dynamic Client Registration 1.0

OpenID Connect Session Management 1.0 - Draft 05

OpenID Connect Session Management 1.0 - Draft 10

OAuth 2.0 Multiple Response Type Encoding Practices

OAuth 2.0 Form Post Response Mode

OpenID Connect Back-Channel Logout 1.0 Draft 06.

AM currently supports back-channel logout only when acting as the OpenID provider; it does not act as a relying party for back-channel logout.


AM supports SAML v2.0; support for SAML v1.1 and v1.0 was removed in AM 7, although WS-Federation functionality still creates assertions in SAML v1.x format.

SAML Specifications are available from the OASIS standards page.

Web Services Federation Language (WS-Federation)

Web Services Description Language (WSDL)

eXtensible Access Control Markup Language (XACML)
