Service Endpoints
A service endpoint is an entry point to a web service. This chapter lists AM service endpoints that are accessible by default.
If you are certain that a particular AM service endpoint is not used in your deployment, you can block access to the endpoint. For more information, see Securing Network Communication.
JSP Files
Some AM JSP pages are directly accessible as service endpoints. The following sections describe the files for those JSP pages. Directory paths in this section are relative to AM's deployment path, for example, /path/to/tomcat/webapps/openam/
.
You will find these files in the top-level directory of AM's deployment path.
Logback.jsp
Provides a page to configure debug logging. See Debug Logging for details.
encode.jsp
Provides a page to encode a cleartext password for use in SAML entity configurations.
getServerInfo.jsp
Supports requests for server information. This page is used internally by AM.
isAlive.jsp
Displays a "Server is ALIVE" message when AM is ready to serve requests.
proxyidpfinder.jsp
Supports access to a remote identity provider through the federation broker.
services.jsp
Lists service configuration information. Use this page when translating configuration changes made in the console into corresponding ssoadm commands.
showServerConfig.jsp
Displays system configuration information, including the deployment URL, OS, Java VM, configuration directory, and more.
validat*.jsp
pagesThese files serve pages and provide endpoints for the classic, JATO-based UI when testing and verifying SAML v2.0 federation.
Some classic, JATO-based UI pages rely on JSP files in the com_sun_web_ui/jsp/
directory. They are not intended to be used directly as external endpoints.
The JSP files in the config/auth/default*/
directories provide templates and endpoints to serve classic, JATO-based UI pages of the AM console that allow users to authenticate.
To adapt the current UI for your deployment, see the UI Customization Guide instead.
The JSP file, oauth2/registerClient.jsp
, provides a template page to register an OAuth 2.0 client application without using the main console.
The JSP files in the oauth2c/
directory serve the Legacy OAuth 2.0/OpenID Connect authentication module. They are not intended to be used directly as external endpoints.
The JSP files in the saml2/jsp/
directory provide endpoints used in SAML v2.0 deployments.
See Federating Identities for descriptions of externally useful endpoints.
The JSP files in the wsfederation/jsp/
directory provide endpoints used in WS-Federation deployments.
WEB-INF URL Patterns
The AM .war
file includes a deployment descriptor file, WEB-INF/web.xml
. The deployment descriptor lists services implemented as servlets, and <url-pattern>
elements that map services to AM endpoints.
When protecting an AM server, consider blocking external access to unused services based on their URL patterns.
REST API Endpoints
REST API endpoints are discussed in detail as follows:
- Authenticating (REST)
How to use the AM REST APIs to authenticate to AM.
- Policies (REST), Policy Sets (REST), Resource Types (REST), and Policy Set Application Types (REST)
How to use the AM REST APIs for policy management.
- Requesting Policy Decisions Using REST
How to use the AM REST APIs for requesting authorization decisions from AM.
- OAuth 2.0 Endpoints
How to use OAuth 2.0-specific endpoints to request access and refresh tokens, as well as introspecting and revoking them.
- OAuth 2.0 Administration and Supporting REST Endpoints
How to use perform OAuth 2.0 administrative tasks, such as register, read, and delete clients.
- OpenID Connect 1.0 Endpoints
How to use OpenID Connect-specific endpoints to retrieve information about an authenticated user, as well as validate ID tokens and check sessions.
- Retrieving Forgotten Usernames, Resetting Forgotten Passwords, and Registering Users
How to use the AM REST APIs for user self-registration and forgotten password reset.
- Configuring Realms (REST)
How to use the AM REST APIs for managing AM identities and realms.
- Managing Scripts (REST)
How to use the AM REST APIs to manage AM scripts.
- Recording Troubleshooting Information
How to use the AM REST APIs to record information that can help you troubleshoot AM.
- Consuming REST STS Instances and Querying, Validating, and Canceling Tokens
How to use the AM REST APIs to manage AM's Security Token Service, which lets you bridge identities across web and enterprise identity access management (IAM) systems through its token transformation process.
Well-Known Endpoints
The endpoints described in this section are Well-Known URIs supported by AM:
/.well-known/openid-configuration
Exposes OpenID Provider configuration by HTTP GET as specified by OpenID Connect Discovery 1.0. No query string parameters are required.
/uma/.well-known/uma2-configuration
Exposes User-Managed Access (UMA) configuration by HTTP GET as specified by UMA Profile of OAuth 2.0. No query string parameters are required.
For an example, see "/uma/.well-known/uma2-configuration".
/.well-known/webfinger
Allows a client to retrieve the provider URL for an end user by HTTP GET as specified by OpenID Connect Discovery 1.0.
For an example, see "OpenID Connect Discovery".