Global Services Configuration
Under Configure > Global Services, you can set defaults for a range of AM services.
Audit Logging
amster service name: audit
Global Attributes
The following settings appear on the Global Attributes tab:
- Audit logging
Enable audit logging in AM.
Default value:
true
amster attribute:
auditEnabled
- Field whitelist filters
AM has a predefined whitelist built-in that only records values that do not contain sensitive information. Use this property to whitelist fields in addition to the built-in list.
Each field filter should be provided using a JSON Pointer-like syntax which is prefixed with the event's topic. The topic will be one of access, activity, authentication, or config. For example, to record the values of the Accept-Language HTTP header in access events, the pointer is /access/http/request/headers/accept-language.
Anything added here is written by every enabled audit event handler, so before whitelisting a field (an HTTP header, a before/after attribute value) confirm that it cannot carry credentials, tokens, or other sensitive data.
amster attribute:
whitelistFieldFilters
- Field blacklist filters
Blacklist filters can be used to remove audit event fields which are whitelisted by default. These are fields which are safe to log but which you have decided are not necessary for your requirements.
Each field filter should be provided using a JSON Pointer-like syntax which is prefixed with the event's topic. The topic will be one of access, activity, authentication, or config. For example, you might want to filter out surnames by hiding the sn field from activity events. To do so, add the following pointers to the Field blacklist filters list:
/activity/before/sn
/activity/after/sn
amster attribute:
blacklistFieldFilters
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Audit logging
Enable audit logging in AM.
Default value:
true
amster attribute:
auditEnabled
- Field whitelist filters
AM has a predefined whitelist built-in that only records values that do not contain sensitive information. Use this property to whitelist fields in addition to the built-in list.
Each field filter should be provided using a JSON Pointer-like syntax which is prefixed with the event's topic. The topic will be one of access, activity, authentication, or config. For example, to record the values of the Accept-Language HTTP header in access events, the pointer is /access/http/request/headers/accept-language.
Anything added here is written by every enabled audit event handler, so before whitelisting a field (an HTTP header, a before/after attribute value) confirm that it cannot carry credentials, tokens, or other sensitive data.
amster attribute:
whitelistFieldFilters
- Field blacklist filters
Blacklist filters can be used to remove audit event fields which are whitelisted by default. These are fields which are safe to log but which you have decided are not necessary for your requirements.
Each field filter should be provided using a JSON Pointer-like syntax which is prefixed with the event's topic. The topic will be one of access, activity, authentication, or config. For example, you might want to filter out surnames by hiding the sn field from activity events. To do so, add the following pointers to the Field blacklist filters list:
/activity/before/sn
/activity/after/sn
amster attribute:
blacklistFieldFilters
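The following is an added example, not code from AM or from this documentation. It models the filter semantics described under Field whitelist filters and Field blacklist filters on both the Global Attributes and Realm Defaults tabs: a value is recorded when its topic-prefixed pointer is on the built-in list or the extra whitelist, and a blacklist entry removes it again. The BUILTIN_WHITELIST, the two events, the header values and the SENSITIVE_SEGMENTS lint are constructed stand-ins and assumptions of this model, not AM's real predefined list or its validation rules.

```python
# Added example, not AM code: a model of topic-prefixed JSON Pointer-like
# field filters applied to constructed audit events. BUILTIN_WHITELIST is a
# small stand-in for AM's real predefined list (an assumption, not the list
# AM ships); the events and header values are constructed samples.
from typing import Any, Dict, Iterable, List

TOPICS = ("access", "activity", "authentication", "config")

# Constructed stand-in for the predefined whitelist: safe, non-sensitive fields.
BUILTIN_WHITELIST = {
    "/access/http/request/method",
    "/access/http/request/path",
    "/activity/before/sn",
    "/activity/after/sn",
    "/activity/before/mail",
    "/activity/after/mail",
}

# Field names whose values carry secrets and so should never be whitelisted (assumed list).
SENSITIVE_SEGMENTS = {"authorization", "cookie", "password", "userpassword", "secret"}


def validate_pointers(pointers: Iterable[str]) -> None:
    """Reject filters that are not written as /<topic>/... with one of the four topics."""
    for ptr in pointers:
        parts = ptr.split("/")
        if len(parts) < 3 or parts[0] != "" or parts[1] not in TOPICS:
            raise ValueError(f"{ptr!r}: filter must look like /<topic>/field/path, topic in {TOPICS}")


def risky_whitelist_entries(pointers: Iterable[str]) -> List[str]:
    """Whitelist entries whose last segment names a credential-bearing field."""
    return [p for p in pointers if p.rsplit("/", 1)[-1].lower() in SENSITIVE_SEGMENTS]


def flatten(topic: str, event: Dict[str, Any]) -> Dict[str, Any]:
    """Map every leaf of a nested event to its topic-prefixed pointer."""
    out: Dict[str, Any] = {}

    def walk(node: Any, path: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}/{key}")
        else:
            out[path] = node

    walk(event, f"/{topic}")
    return out


def apply_filters(topic: str, event: Dict[str, Any],
                  whitelist: Iterable[str] = (), blacklist: Iterable[str] = ()) -> Dict[str, Any]:
    """Return {pointer: value} for the fields a handler would record.

    A field is recorded when its pointer is on the built-in list or on the extra
    whitelist, unless the blacklist removes it again (the blacklist wins).
    """
    if topic not in TOPICS:
        raise ValueError(f"unknown topic {topic!r}")
    whitelist, blacklist = list(whitelist), list(blacklist)
    validate_pointers(whitelist)
    validate_pointers(blacklist)
    allowed = (BUILTIN_WHITELIST | set(whitelist)) - set(blacklist)
    return {ptr: val for ptr, val in flatten(topic, event).items() if ptr in allowed}


# Constructed sample events (header names lower-cased, as in the page's pointer).
ACCESS_EVENT = {
    "http": {"request": {
        "method": "POST",
        "path": "/openam/json/realms/root/authenticate",
        "headers": {"accept-language": ["en-GB"], "authorization": ["Basic ZGVtbzpjaGFuZ2VpdA=="]},
    }},
}
ACTIVITY_EVENT = {
    "before": {"sn": "Doe", "mail": "jdoe@example.com"},
    "after": {"sn": "Smith", "mail": "jdoe@example.com"},
}

if __name__ == "__main__":
    print(apply_filters("access", ACCESS_EVENT,
                        whitelist=["/access/http/request/headers/accept-language"]))
    print(apply_filters("activity", ACTIVITY_EVENT,
                        blacklist=["/activity/before/sn", "/activity/after/sn"]))
    print(risky_whitelist_entries(["/access/http/request/headers/authorization"]))
```

Run risky_whitelist_entries over a proposed whitelist before committing it with amster: whitelisting /access/http/request/headers/authorization would put every Basic credential and bearer token presented to AM into every handler's output.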
Secondary Configurations
This service has the following Secondary Configurations.
JMS
A configured secondary instance of the JMS type has the following tabs:
General Handler Configuration
The General Handler Configuration tab contains the following secondary configuration properties:
- Enabled
Enables or disables an audit event handler.
Default value:
true
amster attribute:
enabled
- Topics
List of topics handled by an audit event handler.
Default value:
access
activity
config
authentication
amster attribute:
topics
Audit Event Handler Factory
The Audit Event Handler Factory tab contains the following secondary configuration properties:
- Factory Class Name
The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement org.forgerock.openam.audit.AuditEventHandlerFactory.
Default value:
org.forgerock.openam.audit.events.handlers.JmsAuditEventHandlerFactory
amster attribute:
handlerFactory
JMS Configuration
The JMS Configuration tab contains the following secondary configuration properties:
- Delivery Mode
Specifies whether JMS messages used to transmit audit events use persistent or non-persistent delivery.
With persistent delivery, the JMS provider ensures that messages are not lost in transit in case of a provider failure by logging messages to storage when they are sent.
Specify the delivery mode as persistent if it is unacceptable for delivery of audit events to be lost in JMS transit. If the possible loss of audit events is acceptable, choose non-persistent delivery, which provides better performance.
Default value:
NON_PERSISTENT
amster attribute:
deliveryMode
- Session Mode
Specifies the JMS session acknowledgement mode: AUTO, CLIENT, or DUPS_OK.
Auto mode guarantees once-only delivery of JMS messages used to transmit audit events.
Duplicates OK mode ensures that messages are delivered at least once.
Client mode does not ensure delivery.
Use the default setting unless your JMS broker implementation requires otherwise. See your broker documentation for more information.
Default value:
AUTO
amster attribute:
sessionMode
- JNDI Context Properties
Specifies JNDI properties that AM uses to connect to the JMS message broker to which AM will publish audit events.
AM acts as a JMS client, using a JMS connection factory to connect to your JMS message broker. In order for AM to connect to the broker, the JNDI context properties must conform to those needed by the broker. See the documentation for your JMS message broker for required values.
The default properties are example properties for connecting to Apache ActiveMQ on the local host over its plain tcp:// transport. For a broker on another host, use the broker's TLS transport and credentials; otherwise the audit events are readable on the wire between AM and the broker.
Default value:
{
  "java.naming.factory.initial": "org.apache.activemq.jndi.ActiveMQInitialContextFactory",
  "topic.audit": "audit",
  "java.naming.provider.url": "tcp://localhost:61616"
}
amster attribute:
jndiContextProperties
- JMS Topic Name
JNDI lookup name for the JMS topic
Default value:
audit
amster attribute:
jndiTopicName
- JMS Connection Factory Name
Specifies the JNDI lookup name for the connection factory exposed by your JMS message broker. AM performs a JNDI lookup on this name to locate your broker's connection factory.
See the documentation for your JMS message broker for the required value.
The default is the connection factory name for Apache ActiveMQ.
Default value:
ConnectionFactory
amster attribute:
jndiConnectionFactoryName
Batch Events
The Batch Events tab contains the following secondary configuration properties:
- Capacity
Maximum event count in the batch queue; additional events are dropped.
Default value:
1000
amster attribute:
batchCapacity
- Max Batched
Maximum number of events per batch.
Default value:
100
amster attribute:
maxBatchedEvents
- Writing Interval
The interval (in seconds) for reading events from the buffer to transmit via JMS.
Default value:
10
amster attribute:
pollTimeoutSec
JSONStdout
A configured secondary instance of the JSONStdout type has the following tabs:
General Handler Configuration
The General Handler Configuration tab contains the following secondary configuration properties:
- Enabled
Enables or disables an audit event handler.
Default value:
true
amster attribute:
enabled
- Topics
List of topics handled by an audit event handler.
Default value:
access
activity
config
authentication
amster attribute:
topics
Audit Event Handler Factory
The Audit Event Handler Factory tab contains the following secondary configuration properties:
- Factory Class Name
The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement org.forgerock.openam.audit.AuditEventHandlerFactory.
Default value:
org.forgerock.openam.audit.events.handlers.JsonStdoutAuditEventHandlerFactory
amster attribute:
handlerFactory
JSON Configuration
The JSON Configuration tab contains the following secondary configuration properties:
- ElasticSearch JSON Format Compatible
JSON format should be transformed to be compatible with ElasticSearch format restrictions.
Default value:
false
amster attribute:
elasticsearchCompatible
Elasticsearch
A configured secondary instance of the Elasticsearch type has the following tabs:
General Handler Configuration
The General Handler Configuration tab contains the following secondary configuration properties:
- Enabled
Enables or disables an audit event handler.
Default value:
true
amster attribute:
enabled
- Topics
List of topics handled by an audit event handler.
Default value:
access
activity
config
authentication
amster attribute:
topics
Audit Event Handler Factory
The Audit Event Handler Factory tab contains the following secondary configuration properties:
- Factory Class Name
The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement org.forgerock.openam.audit.AuditEventHandlerFactory.
Default value:
org.forgerock.openam.audit.events.handlers.ElasticsearchAuditEventHandlerFactory
amster attribute:
handlerFactory
Elasticsearch Configuration
The Elasticsearch Configuration tab contains the following secondary configuration properties:
- Server Hostname
Host name or IP address of the Elasticsearch server.
amster attribute:
host
- Server Port
Specifies the port number used to access Elasticsearch's REST API.
amster attribute:
port
- SSL Enabled
Specifies whether SSL is configured on the Elasticsearch server.
If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the truststore of the JVM that runs AM (by default the JRE's cacerts file) before attempting to log audit events to Elasticsearch; otherwise the TLS handshake fails and no events are written. With SSL disabled, the audit events and the username and password configured on the Authentication tab travel in cleartext.
Default value:
false
amster attribute:
sslEnabled
- Elasticsearch Index
Specifies the name of the Elasticsearch index to be used for AM audit logging.
amster attribute:
index
Authentication
The Authentication tab contains the following secondary configuration properties:
- Username
Specifies the username to access the Elasticsearch server.
Required if Elasticsearch Shield authentication is configured.
amster attribute:
username
- Password
Specifies the password to access the Elasticsearch server.
Required if Elasticsearch Shield authentication is configured.
amster attribute:
password
Buffering
The Buffering tab contains the following secondary configuration properties:
- Buffering Enabled
Enables or disables audit event buffering.
Default value:
true
amster attribute:
bufferingEnabled
- Batch Size
Maximum number of buffered events written to Elasticsearch in a single batch request.
Default value:
500
amster attribute:
batchSize
- Queue Capacity
Maximum number of audit logs in the batch queue. Additional audit events are dropped.
Default value:
10000
amster attribute:
maxEvents
- Write interval (in milliseconds)
Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.
Default value:
250
amster attribute:
writeInterval
Syslog
A configured secondary instance of the Syslog type has the following tabs:
General Handler Configuration
The General Handler Configuration tab contains the following secondary configuration properties:
- Enabled
Enables or disables an audit event handler.
Default value:
true
amster attribute:
enabled
- Topics
List of topics handled by an audit event handler.
Default value:
access
activity
config
authentication
amster attribute:
topics
Audit Event Handler Factory
The Audit Event Handler Factory tab contains the following secondary configuration properties:
- Factory Class Name
The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement org.forgerock.openam.audit.AuditEventHandlerFactory.
Default value:
org.forgerock.openam.audit.events.handlers.SyslogAuditEventHandlerFactory
amster attribute:
handlerFactory
Syslog Configuration
The Syslog Configuration tab contains the following secondary configuration properties:
- Server hostname
Host name or IP address of receiving syslog server.
amster attribute:
host
- Server port
Port number of receiving syslog server.
amster attribute:
port
- Transport Protocol
Transport used to deliver events to the syslog server, TCP or UDP. Neither transport encrypts the events, so keep the syslog server on a trusted network or tunnel the connection; UDP additionally gives no indication when events are lost.
Default value:
TCP
amster attribute:
transportProtocol
- Connection timeout
Timeout for connecting to syslog server, in seconds.
amster attribute:
connectTimeout
- Facility
Syslog facility value to apply to all events.
Default value:
USER
amster attribute:
facility
Buffering
The Buffering tab contains the following secondary configuration properties:
- Buffering Enabled
Enables or disables audit event buffering.
Default value:
true
amster attribute:
bufferingEnabled
- Buffer Size
Maximum number of events that can be buffered (default/minimum: 5000)
Default value:
5000
amster attribute:
bufferingMaxSize
CSV
A configured secondary instance of the CSV type has the following tabs:
General Handler Configuration
The General Handler Configuration tab contains the following secondary configuration properties:
- Enabled
Enables or disables an audit event handler.
Default value:
true
amster attribute:
enabled
- Topics
List of topics handled by an audit event handler.
Default value:
access
activity
config
authentication
amster attribute:
topics
Audit Event Handler Factory
The Audit Event Handler Factory tab contains the following secondary configuration properties:
- Factory Class Name
The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement org.forgerock.openam.audit.AuditEventHandlerFactory.
Default value:
org.forgerock.openam.audit.events.handlers.CsvAuditEventHandlerFactory
amster attribute:
handlerFactory
CSV Configuration
The CSV Configuration tab contains the following secondary configuration properties:
- Log Directory
Directory in which to store audit log CSV files.
Default value:
%BASE_DIR%/var/audit/
amster attribute:
location
File Rotation
The File Rotation tab contains the following secondary configuration properties:
- Rotation Enabled
Enables and disables audit file rotation.
Default value:
true
amster attribute:
rotationEnabled
- Maximum File Size
Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.
Default value:
100000000
amster attribute:
rotationMaxFileSize
- File Rotation Prefix
Prefix to prepend to audit files when rotating audit files.
amster attribute:
rotationFilePrefix
- File Rotation Suffix
Suffix to append to audit files when they are rotated. Suffix should be a timestamp.
Default value:
-yyyy.MM.dd-HH.mm.ss
amster attribute:
rotationFileSuffix
- Rotation Interval
Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.
Default value:
-1
amster attribute:
rotationInterval
- Rotation Times
Durations after midnight to trigger file rotation, in seconds.
amster attribute:
rotationTimes
File Retention
The File Retention tab contains the following secondary configuration properties:
- Maximum Number of Historical Files
Maximum number of backup audit files allowed. A value of -1 disables pruning of old history files.
Default value:
1
amster attribute:
retentionMaxNumberOfHistoryFiles
- Maximum Disk Space
The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.
Default value:
-1
amster attribute:
retentionMaxDiskSpaceToUse
- Minimum Free Space Required
Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.
Default value:
-1
amster attribute:
retentionMinFreeSpaceRequired
Buffering
The Buffering tab contains the following secondary configuration properties:
- Buffering Enabled
Enables or disables buffering.
Default value:
true
amster attribute:
bufferingEnabled
- Flush Each Event Immediately
When enabled, each event is flushed to disk as soon as it is written. When disabled, buffered events are written together before flushing, which performs better but widens the window of events lost if AM stops before the buffer is flushed.
Default value:
false
amster attribute:
bufferingAutoFlush
Tamper Evident Configuration
The Tamper Evident Configuration tab contains the following secondary configuration properties:
- Is Enabled
Enables the CSV tamper evident feature.
Default value:
false
amster attribute:
securityEnabled
- Certificate Store Location
Path to Java keystore.
Default value:
%BASE_DIR%/var/audit/Logger.jks
amster attribute:
securityFilename
- Certificate Store Password
Password for Java keystore.
amster attribute:
securityPassword
- Signature Interval
Signature generation interval, in seconds.
Default value:
900
amster attribute:
securitySignatureInterval
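The block below is an added example and is neither AM code nor AM's on-disk CSV layout. It models what the Tamper Evident Configuration settings provide: each row carries a keyed hash chained to the previous row, so an edited or deleted row breaks the chain, and a signature line committing to the chain head is written periodically, so truncation behind the last signature is detected. AM signs with key material from the keystore named in Certificate Store Location; here an HMAC under a second constructed key stands in for that keystore-backed signature, and the interval is counted in rows rather than in the seconds that Signature Interval uses. All keys and rows are constructed.

```python
# Added example; not AM code and not AM's CSV layout. It models what the
# tamper-evident settings provide: every row carries a keyed hash chained to the
# previous row, and every SIGNATURE_INTERVAL rows a signature line commits to
# the chain head. AM signs with a key from the keystore named in Certificate
# Store Location; here HMAC with a second constructed key stands in for that
# keystore-backed signature, and the interval is counted in rows rather than in
# the seconds AM uses. Keys and rows below are constructed.
import hashlib
import hmac
from typing import List, Optional, Tuple

CHAIN_KEY = b"constructed-chain-key"      # stand-in for the keystore's HMAC key
SIGNING_KEY = b"constructed-signing-key"  # stand-in for the keystore's private key
SIGNATURE_INTERVAL = 3                    # rows between signature lines
GENESIS = b"\x00" * 32                    # chain head before the first row


def _mac(key: bytes, *parts: bytes) -> str:
    return hmac.new(key, b"".join(parts), hashlib.sha256).hexdigest()


class TamperEvidentLog:
    """Appends 'row,chainmac' lines and periodic 'SIGNATURE,mac' lines."""

    def __init__(self) -> None:
        self.lines: List[str] = []
        self.head = GENESIS
        self.since_signature = 0

    def append(self, row: str) -> None:
        mac = _mac(CHAIN_KEY, self.head, row.encode())
        self.head = bytes.fromhex(mac)
        self.lines.append(f"{row},{mac}")
        self.since_signature += 1
        if self.since_signature == SIGNATURE_INTERVAL:
            self.lines.append(f"SIGNATURE,{_mac(SIGNING_KEY, self.head)}")
            self.since_signature = 0


def verify(lines: List[str]) -> Tuple[bool, Optional[int], int]:
    """Recompute the chain over a file's lines.

    Returns (ok, index of the first bad line or None, rows after the last
    signature). The last value is the exposure window: those rows can be cut
    off without any signature failing, which is what a shorter interval shrinks.
    """
    head = GENESIS
    unsigned = 0
    for i, line in enumerate(lines):
        row, _, mac = line.rpartition(",")
        if row == "SIGNATURE":
            if not hmac.compare_digest(mac, _mac(SIGNING_KEY, head)):
                return False, i, unsigned
            unsigned = 0
            continue
        if not hmac.compare_digest(mac, _mac(CHAIN_KEY, head, row.encode())):
            return False, i, unsigned
        head = bytes.fromhex(mac)
        unsigned += 1
    return True, None, unsigned


def build_sample() -> List[str]:
    """Four constructed rows: three get a signature line, the fourth is still unsigned."""
    log = TamperEvidentLog()
    for row in ["2024-01-01T00:00:00Z,AUTH-OK,alice",
                "2024-01-01T00:00:05Z,AUTH-FAIL,bob",
                "2024-01-01T00:00:09Z,AUTH-OK,bob",
                "2024-01-01T00:00:20Z,LOGOUT,alice"]:
        log.append(row)
    return log.lines


if __name__ == "__main__":
    lines = build_sample()
    print("intact:", verify(lines))
    edited = lines[:]
    row, _, mac = edited[1].rpartition(",")
    edited[1] = row.replace("bob", "mallory") + "," + mac   # rewrite a row, keep its mac
    print("edited row:", verify(edited))
    print("row deleted:", verify(lines[:1] + lines[2:]))
    print("unsigned tail cut:", verify(lines[:4]))          # passes: this is the window
```

The last call is the point of Signature Interval: rows written after the most recent signature can be removed without a signature failing, so the interval bounds how much of the tail an attacker who reaches the file can silently drop. A verifier also needs an external expectation (the interval and the file's age, or the retention records) to notice when whole signature lines are missing, and the keystore password (Certificate Store Password) must not be readable by the account that can write the audit files, or the chain can simply be recomputed.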
JDBC
A configured secondary instance of the JDBC type has the following tabs:
General Handler Configuration
The General Handler Configuration tab contains the following secondary configuration properties:
- Enabled
Enables or disables an audit event handler.
Default value:
true
amster attribute:
enabled
- Topics
List of topics handled by an audit event handler.
Default value:
access
activity
config
authentication
amster attribute:
topics
Audit Event Handler Factory
The Audit Event Handler Factory tab contains the following secondary configuration properties:
- Factory Class Name
The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement org.forgerock.openam.audit.AuditEventHandlerFactory.
Default value:
org.forgerock.openam.audit.events.handlers.JdbcAuditEventHandlerFactory
amster attribute:
handlerFactory
Database Configuration
The Database Configuration tab contains the following secondary configuration properties:
- Database Type
Select the database to use for logging audit events.
Identifies the database in use, for example MySQL, Oracle, or SQL.
Default value:
oracle
amster attribute:
databaseType
- JDBC Database URL
URL of the JDBC database.
amster attribute:
jdbcUrl
- JDBC Driver
Fully qualified JDBC driver class name.
amster attribute:
driverClassName
- Database Username
Specifies the username to access the database server.
amster attribute:
username
- Database Password
Specifies the password to access the database server.
amster attribute:
password
- Connection Timeout (seconds)
Specifies the maximum wait time before failing the connection, in seconds.
Default value:
30
amster attribute:
connectionTimeout
- Maximum Connection Idle Timeout (seconds)
Specifies the maximum idle time before the connection is closed, in seconds.
Default value:
600
amster attribute:
idleTimeout
- Maximum Connection Time (seconds)
Specifies the maximum time a JDBC connection can be open, in seconds.
Default value:
1800
amster attribute:
maxLifetime
- Minimum Idle Connections
Specifies the minimum number of idle connections in the connection pool.
Default value:
10
amster attribute:
minIdle
- Maximum Connections
Specifies the maximum number of connections in the connection pool.
Default value:
10
amster attribute:
maxPoolSize
Buffering
The Buffering tab contains the following secondary configuration properties:
- Buffering Enabled
Enables or disables audit event buffering.
Default value:
true
amster attribute:
bufferingEnabled
- Buffer Size (number of events)
Size of the queue where events are buffered before they are written to the database.
This queue has to be big enough to store all incoming events that have not yet been written to the database.
If the queue reaches capacity, the process will block until a write occurs.
Default value:
100000
amster attribute:
bufferingMaxSize
- Write Interval
Specifies the interval (seconds) at which buffered events are written to the database.
Default value:
5
amster attribute:
bufferingWriteInterval
- Writer Threads
Specifies the number of threads used to write the buffered events.
Default value:
1
amster attribute:
bufferingWriterThreads
- Max Batched Events
Specifies the maximum number of batched statements the database can support per connection.
Default value:
100
amster attribute:
bufferingMaxBatchedEvents
JSON
A configured secondary instance of the JSON type has the following tabs:
General Handler Configuration
The General Handler Configuration tab contains the following secondary configuration properties:
- Enabled
Enables or disables an audit event handler.
Default value:
true
amster attribute:
enabled
- Topics
List of topics handled by an audit event handler.
Default value:
access
activity
config
authentication
amster attribute:
topics
Audit Event Handler Factory
The Audit Event Handler Factory tab contains the following secondary configuration properties:
- Factory Class Name
The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement org.forgerock.openam.audit.AuditEventHandlerFactory.
Default value:
org.forgerock.openam.audit.events.handlers.JsonAuditEventHandlerFactory
amster attribute:
handlerFactory
JSON Configuration
The JSON Configuration tab contains the following secondary configuration properties:
- Log Directory
Directory in which to store audit log JSON files.
Default value:
%BASE_DIR%/var/audit/
amster attribute:
location
- ElasticSearch JSON Format Compatible
JSON format should be transformed to be compatible with ElasticSearch format restrictions.
Default value:
false
amster attribute:
elasticsearchCompatible
- File Rotation Retention Check Interval
Interval to check time-based file rotation policies, in seconds.
Default value:
5
amster attribute:
rotationRetentionCheckInterval
File Rotation
The File Rotation tab contains the following secondary configuration properties:
- Rotation Enabled
Enables and disables audit file rotation.
Default value:
true
amster attribute:
rotationEnabled
- Maximum File Size
Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.
Default value:
100000000
amster attribute:
rotationMaxFileSize
- File Rotation Prefix
Prefix to prepend to audit files when rotating audit files.
amster attribute:
rotationFilePrefix
- File Rotation Suffix
Suffix to append to audit files when they are rotated. Suffix should be a timestamp.
Default value:
-yyyy.MM.dd-HH.mm.ss
amster attribute:
rotationFileSuffix
- Rotation Interval
Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.
Default value:
-1
amster attribute:
rotationInterval
- Rotation Times
Durations after midnight to trigger file rotation, in seconds.
amster attribute:
rotationTimes
File Retention
The File Retention tab contains the following secondary configuration properties:
- Maximum Number of Historical Files
Maximum number of backup audit files allowed. A value of -1 disables pruning of old history files.
Default value:
1
amster attribute:
retentionMaxNumberOfHistoryFiles
- Maximum Disk Space
The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.
Default value:
-1
amster attribute:
retentionMaxDiskSpaceToUse
- Minimum Free Space Required
Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.
Default value:
-1
amster attribute:
retentionMinFreeSpaceRequired
Buffering
The Buffering tab contains the following secondary configuration properties:
- Batch Size
Maximum number of events that can be buffered (default/minimum: 100000)
Default value:
100000
amster attribute:
bufferingMaxSize
- Write interval
Interval at which buffered events are written to a file, in milliseconds.
Default value:
5
amster attribute:
bufferingWriteInterval
Splunk
A configured secondary instance of the Splunk type has the following tabs:
General Handler Configuration
The General Handler Configuration tab contains the following secondary configuration properties:
- Enabled
Enables or disables an audit event handler.
Default value:
true
amster attribute:
enabled
- Topics
List of topics handled by an audit event handler.
Default value:
access
activity
config
authentication
amster attribute:
topics
Audit Event Handler Factory
The Audit Event Handler Factory tab contains the following secondary configuration properties:
- Factory Class Name
The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement org.forgerock.openam.audit.AuditEventHandlerFactory.
Default value:
org.forgerock.openam.audit.events.handlers.SplunkAuditEventHandlerFactory
amster attribute:
handlerFactory
Splunk Configuration
The Splunk Configuration tab contains the following secondary configuration properties:
- Authorization Token
Authorization token used to connect to Splunk HTTP Event Collector endpoint.
amster attribute:
authzToken
- Server Hostname
Host name or IP address of Splunk server.
amster attribute:
host
- Server Port
Port number of Splunk server.
amster attribute:
port
- SSL Enabled
Use HTTPS protocol for communication with Splunk. Leave this disabled only for a local test collector: over plain HTTP the Authorization Token above and every audit event are sent in cleartext.
Default value:
false
amster attribute:
sslEnabled
Buffering
The Buffering tab contains the following secondary configuration properties:
- Batch Size
Maximum number of buffered events written to Splunk in a single batch request.
Default value:
500
amster attribute:
batchSize
- Queue Capacity
Maximum number of audit events in the batch queue; additional events are dropped.
Default value:
10000
amster attribute:
maxEvents
- Write interval (in milliseconds)
Interval at which buffered events are written to Splunk.
Default value:
250
amster attribute:
writeInterval
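The following is an added example, not AM code; it serves the Batch Events and Buffering tabs of the JMS, Elasticsearch, Syslog, CSV, JDBC, JSON and Splunk handlers above. It sizes a handler's queue against an expected event rate using a deliberately conservative model: arrivals and one drain of at most Batch Size events happen once per write interval, extra events are dropped (the JMS, Elasticsearch and Splunk behaviour stated above) or the producer blocks (the JDBC behaviour). The one-batch-per-interval drain, the per-interval arrival rounding and the scenario numbers are assumptions of this model, not measurements of AM.

```python
# Added example, not AM code: a discrete model of a handler's batch queue for
# sizing Queue Capacity / Batch Size / Write interval against an event rate.
# Assumptions: arrivals and a single drain of at most max_batched events occur
# once per write interval (a conservative bound); "drop" loses the overflow
# (JMS, Elasticsearch, Splunk as described on this page), "block" stalls the
# producer (JDBC). The scenario figures are constructed, not measured.
from dataclasses import dataclass


@dataclass
class QueueConfig:
    capacity: int         # Queue Capacity / Buffer Size: events held before overflow
    max_batched: int      # Batch Size / Max Batched: events drained per write
    interval_s: float     # Write interval, in seconds
    policy: str = "drop"  # "drop" (events lost) or "block" (producer stalls)


def max_sustained_rate(cfg: QueueConfig) -> float:
    """Events per second the writer can drain; any higher sustained rate overflows eventually."""
    return cfg.max_batched / cfg.interval_s


def seconds_until_overflow(cfg: QueueConfig, arrival_rate: float) -> float:
    """How long a burst above the sustained rate runs before the queue is full (inf if never)."""
    surplus = arrival_rate - max_sustained_rate(cfg)
    return float("inf") if surplus <= 0 else cfg.capacity / surplus


def simulate(cfg: QueueConfig, arrival_rate: float, duration_s: float) -> dict:
    """Step through the run one write interval at a time and count what overflows."""
    queue = 0
    dropped = blocked = peak = 0
    steps = int(duration_s / cfg.interval_s)
    per_step = int(arrival_rate * cfg.interval_s)
    for _ in range(steps):
        overflow = max(0, queue + per_step - cfg.capacity)
        queue = min(cfg.capacity, queue + per_step)
        if cfg.policy == "drop":
            dropped += overflow       # audit events silently lost
        elif cfg.policy == "block":
            blocked += overflow       # request threads stall on the audit write
        else:
            raise ValueError(f"unknown policy {cfg.policy!r}")
        peak = max(peak, queue)
        queue -= min(queue, cfg.max_batched)
    return {"dropped": dropped, "blocked": blocked, "peak_queue": peak, "final_queue": queue}


# Defaults quoted on this page, used as constructed scenarios.
JMS_DEFAULTS = QueueConfig(capacity=1000, max_batched=100, interval_s=10)
ES_DEFAULTS = QueueConfig(capacity=10000, max_batched=500, interval_s=0.25)
BLOCKING_EXAMPLE = QueueConfig(capacity=1000, max_batched=100, interval_s=5, policy="block")

if __name__ == "__main__":
    for name, cfg in [("JMS", JMS_DEFAULTS), ("Elasticsearch", ES_DEFAULTS), ("blocking", BLOCKING_EXAMPLE)]:
        print(f"{name}: sustains {max_sustained_rate(cfg):.0f} events/s; at 50 events/s the queue "
              f"is full after {seconds_until_overflow(cfg, 50):.0f}s; 300s run: {simulate(cfg, 50, 300)}")
```

Under this model the JMS defaults sustain only 10 events per second and start discarding audit events 25 seconds into a 50 events/s login storm, which is exactly when you most want them; raise Max Batched or shorten the Writing Interval before raising Capacity, since a larger queue only delays the loss. For the JDBC handler the same arithmetic translates into request-thread stalls rather than lost events.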
Base URL Source
amster service name: BaseUrlSource
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Base URL Source
Specifies how the base URL is generated. Choose from the following:
Extension class (Value: EXTENSION_CLASS)
The extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter the fully qualified name of your own implementation of org.forgerock.openam.services.baseurl.BaseURLProvider.
Fixed value (Value: FIXED_VALUE)
The base URL is retrieved from the value specified in the Fixed value base URL field.
Forwarded header (Value: FORWARDED_HEADER)
The base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in RFC7239.
Host/protocol from incoming request (Value: REQUEST_VALUES)
The hostname, server name, and port are retrieved from the incoming HTTP request.
X-Forwarded-* headers (Value: X_FORWARDED_HEADERS)
The base URL is retrieved from non-standard header fields, such as X-Forwarded-For, X-Forwarded-By, X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Port. If the X-Forwarded-Proto header is not provided, the server uses a fallback scheme, based on the URI of the request. If multiple X-Forwarded-Host headers are specified, the outermost proxy host is used.
Use the Forwarded header and X-Forwarded-* modes only when AM is reachable solely through a reverse proxy that sets, or overwrites, those headers. If a client can reach AM directly, or the proxy passes client-supplied forwarding headers through, the client chooses the host and scheme that AM writes into the URLs it generates.
Default value:
REQUEST_VALUES
amster attribute:
source
- Fixed value base URL
If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.
amster attribute:
fixedValue
- Extension class name
If Extension class is selected as the Base URL source, enter the fully qualified name of your own implementation of org.forgerock.openam.services.baseurl.BaseURLProvider in the Extension class name field.
amster attribute:
extensionClassName
- Context path
Specifies the context path for the base URL.
If provided, the base URL includes the deployment context path appended to the calculated URL.
For example, /openam.
Default value:
/openam
amster attribute:
contextPath
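The block below is an added example, not AM code. It computes the base URL under each Base URL Source value from constructed requests, one relayed by a reverse proxy and one sent straight to AM by a client that forged the same headers, and shows the stripping step a trusted-proxy deployment relies on. The Request shape, lower-cased header names with values kept in arrival order, the fallback to the request scheme when the Forwarded header carries no proto parameter, and the rule that the context path is appended to every calculated URL are assumptions of this model.

```python
# Added example, not AM code: computing the base URL under each Base URL
# Source mode from constructed requests, and why the header-driven modes must
# sit behind a trusted proxy. The Request shape, header storage (lower-case
# names, values in arrival order), the Forwarded proto fallback and the rule
# that the context path is appended to every result are assumptions here.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

FORWARDING_HEADERS = ("forwarded", "x-forwarded-for", "x-forwarded-by",
                      "x-forwarded-proto", "x-forwarded-host", "x-forwarded-port")


@dataclass
class Request:
    scheme: str                      # scheme AM itself received the request on
    host: str                        # Host header, e.g. "am.internal:8080"
    headers: Dict[str, List[str]] = field(default_factory=dict)


def parse_forwarded(value: str) -> Dict[str, str]:
    """Parse the first (outermost) element of an RFC 7239 Forwarded header into lower-cased params."""
    params: Dict[str, str] = {}
    for pair in value.split(",")[0].split(";"):
        if "=" in pair:
            key, val = pair.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('"')
    return params


def base_url(source: str, req: Request, fixed_value: Optional[str] = None,
             extension: Optional[Callable[[Request], str]] = None,
             context_path: str = "/openam") -> str:
    if source == "FIXED_VALUE":
        if not fixed_value:
            raise ValueError("FIXED_VALUE needs the Fixed value base URL")
        base = fixed_value.rstrip("/")
    elif source == "EXTENSION_CLASS":
        if extension is None:
            raise ValueError("EXTENSION_CLASS needs an extension callable")
        base = extension(req).rstrip("/")
    elif source == "REQUEST_VALUES":
        base = f"{req.scheme}://{req.host}"
    elif source == "FORWARDED_HEADER":
        fwd = parse_forwarded(req.headers.get("forwarded", [""])[0])
        base = f"{fwd.get('proto', req.scheme)}://{fwd.get('host', req.host)}"
    elif source == "X_FORWARDED_HEADERS":
        proto = req.headers.get("x-forwarded-proto", [req.scheme])[0]      # fallback: request scheme
        host = req.headers.get("x-forwarded-host", [req.host])[0].split(",")[0].strip()  # outermost proxy
        port = req.headers.get("x-forwarded-port", [""])[0]
        if port and ":" not in host:
            host = f"{host}:{port}"
        base = f"{proto}://{host}"
    else:
        raise ValueError(f"unknown source {source!r}")
    return base + context_path


def strip_untrusted_forwarding(req: Request, peer_is_trusted_proxy: bool) -> Request:
    """Drop forwarding headers unless the TCP peer is the deployment's own reverse proxy."""
    if peer_is_trusted_proxy:
        return req
    clean = {k: v for k, v in req.headers.items() if k not in FORWARDING_HEADERS}
    return Request(req.scheme, req.host, clean)


# Constructed requests: one relayed by the reverse proxy, one sent straight to AM
# by a client that forged the same headers.
VIA_PROXY = Request("http", "am.internal:8080", {
    "forwarded": ["for=198.51.100.17;proto=https;host=sso.example.com"],
    "x-forwarded-proto": ["https"],
    "x-forwarded-host": ["sso.example.com", "am.internal:8080"],
})
DIRECT_FORGED = Request("http", "am.internal:8080", {
    "x-forwarded-proto": ["https"],
    "x-forwarded-host": ["evil.example"],
})

if __name__ == "__main__":
    for src in ("REQUEST_VALUES", "FORWARDED_HEADER", "X_FORWARDED_HEADERS"):
        print(src, base_url(src, VIA_PROXY), base_url(src, DIRECT_FORGED))
    print("forged, stripped:", base_url("X_FORWARDED_HEADERS",
                                         strip_untrusted_forwarding(DIRECT_FORGED, False)))
```

The forged request yields https://evil.example/openam under X_FORWARDED_HEADERS, which is the host AM would then put into redirects and published metadata; the same request yields the internal host once the forwarding headers are stripped. In practice that stripping belongs on the proxy (overwrite inbound Forwarded and X-Forwarded-* headers) together with a firewall rule that stops clients reaching AM directly, and FIXED_VALUE is the simplest safe choice when the public hostname does not vary.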
Common Federation Configuration
amster service name: CommonFederationConfiguration
General Configuration
The following settings appear on the General Configuration tab:
- Maximum allowed content length
The maximum content length allowed in federation communications, in bytes.
Default value:
20480
amster attribute:
maxContentLength
- Check presence of certificates
Enable checking of certificates against local copy.
Whether to verify that the partner's signing certificate included in the Federation XML document is the same as the one stored in the said partner's meta data.
The possible values for this property are:
off: Disabled
on: Enabled
Default value:
on
amster attribute:
certificateChecking
- SAML Error Page URL
AM redirects users here when an error occurs in the SAML2 engine.
Both relative and absolute URLs are supported. Users are redirected to an absolute URL using the configured HTTP Binding whereas relative URLs are displayed within the request.
Default value:
/saml2/jsp/saml2error.jsp
amster attribute:
samlErrorPageUrl
- SAML Error Page HTTP Binding
The possible values are HTTP-Redirect or HTTP-POST.
Default value:
HTTP-POST
amster attribute:
samlErrorPageHttpBinding
Implementation Classes
The following settings appear on the Implementation Classes tab:
- Datastore SPI implementation class
The Federation system uses this class to get/set user profile attributes.
The default implementation uses the Identity repository APIs to access user profile attributes. A custom implementation must implement the
com.sun.identity.plugin.datastore.DataStoreProvider
interface.Default value:
com.sun.identity.plugin.datastore.impl.IdRepoDataStoreProvider
amster attribute:
datastoreClass
- Root URL provider SPI implementation class
The Federation system uses this class to get the root URL of the AM deployment.
The default implementation uses the Root URL APIs to access the AM instance root url. A custom implementation must implement the
org.forgerock.openam.federation.plugin.rooturl.RootUrlProvider
interface.Default value:
org.forgerock.openam.federation.plugin.rooturl.impl.FmRootUrlProvider
amster attribute:
rootUrlProviderClass
- ConfigurationInstance SPI implementation class
The Federation system uses this class to fetch service configuration.
The default implementation uses the SMS APIs to access service configuration. A custom implementation must implement the
com.sun.identity.plugin.configuration.ConfigurationInstance
interface.Default value:
com.sun.identity.plugin.configuration.impl.ConfigurationInstanceImpl
amster attribute:
configurationClass
- Logger SPI implementation class
The Federation system uses this class to record log entries.
The default implementation uses the Logging APIs to record log entries. A custom implementation must implement the
com.sun.identity.plugin.log.Logger
interface.Default value:
com.sun.identity.plugin.log.impl.LogProvider
amster attribute:
loggerClass
- SessionProvider SPI implementation class
The Federation system uses this class to interface with the session service.
The default implementation uses the standard authentication and SSO APIs to access the session service. A custom implementation must implement the
com.sun.identity.plugin.session.SessionProvider
interface.Default value:
com.sun.identity.plugin.session.impl.FMSessionProvider
amster attribute:
sessionProviderClass
- PasswordDecoder SPI implementation class
The Federation system uses this class to decode passwords encoded by AM.
The default implementation uses the internal AM decryption API to decode passwords. A custom implementation must implement the
com.sun.identity.saml.xmlsig.PasswordDecoder
interface.Default value:
com.sun.identity.saml.xmlsig.FMPasswordDecoder
amster attribute:
passwordDecoderClass
- SignatureProvider SPI implementation class
The Federation system uses this class to digitally sign SAML documents.
The default implementation uses the XERCES APIs to sign the documents. A custom implementation must implement the
com.sun.identity.saml.xmlsig.SignatureProvider
interface.Default value:
com.sun.identity.saml.xmlsig.AMSignatureProvider
amster attribute:
signatureProviderClass
- KeyProvider SPI implementation class
The Federation system uses this class to provide access to the underlying Java keystore.
The default implementation uses the Java Cryptographic Engine to provide access to the Java keystore. A custom implementation must implement the
com.sun.identity.saml.xmlsig.KeyProvider
interface.Default value:
com.sun.identity.saml.xmlsig.JKSKeyProvider
amster attribute:
keyProviderClass
Algorithms
The following settings appear on the Algorithms tab:
- XML canonicalization algorithm
The algorithm used to canonicalize XML documents.
The possible values for this property are:
http://www.w3.org/2001/10/xml-exc-c14n#
http://www.w3.org/2001/10/xml-exc-c14n#WithComments
http://www.w3.org/TR/2001/REC-xml-c14n-20010315
http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
Default value:
http://www.w3.org/2001/10/xml-exc-c14n#
amster attribute:
cannonicalizationAlgorithm
- XML signature algorithm
The algorithm used to sign XML documents.
The possible values for this property are:
http://www.w3.org/2000/09/xmldsig#rsa-sha1
http://www.w3.org/2000/09/xmldsig#hmac-sha1
http://www.w3.org/2000/09/xmldsig#dsa-sha1
http://www.w3.org/2001/04/xmldsig-more#rsa-md5
http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
http://www.w3.org/2001/04/xmldsig-more#hmac-md5
http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160
http://www.w3.org/2001/04/xmldsig-more#hmac-sha256
http://www.w3.org/2001/04/xmldsig-more#hmac-sha384
http://www.w3.org/2001/04/xmldsig-more#hmac-sha512
Default value:
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
amster attribute:
signatureAlgorithm
- XML digest algorithm
The default digest algorithm to use in signing XML.
The possible values for this property are:
http://www.w3.org/2000/09/xmldsig#sha1
http://www.w3.org/2001/04/xmlenc#sha256
http://www.w3.org/2001/04/xmlenc#sha512
http://www.w3.org/2001/04/xmldsig-more#sha384
Default value:
http://www.w3.org/2001/04/xmlenc#sha256
amster attribute:
DigestAlgorithm
- Query String signature algorithm (RSA)
The default signature algorithm to use in case of RSA keys.
The possible values for this property are:
http://www.w3.org/2000/09/xmldsig#rsa-sha1
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
Default value:
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
amster attribute:
QuerySignatureAlgorithmRSA
- Query String signature algorithm (DSA)
The default signature algorithm to use in case of DSA keys.
The possible values for this property are:
http://www.w3.org/2000/09/xmldsig#dsa-sha1
http://www.w3.org/2009/xmldsig11#dsa-sha256
Default value:
http://www.w3.org/2009/xmldsig11#dsa-sha256
amster attribute:
QuerySignatureAlgorithmDSA
- Query String signature algorithm (EC)
The default signature algorithm to use in case of EC keys.
The possible values for this property are:
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512
Default value:
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512
amster attribute:
QuerySignatureAlgorithmEC
- XML transformation algorithm
The algorithm used to transform XML documents.
The possible values for this property are:
http://www.w3.org/2001/10/xml-exc-c14n#
http://www.w3.org/2001/10/xml-exc-c14n#WithComments
http://www.w3.org/TR/2001/REC-xml-c14n-20010315
http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
http://www.w3.org/TR/1999/REC-xslt-19991116
http://www.w3.org/2000/09/xmldsig#base64
http://www.w3.org/TR/1999/REC-xpath-19991116
http://www.w3.org/2000/09/xmldsig#enveloped-signature
http://www.w3.org/TR/2001/WD-xptr-20010108
http://www.w3.org/2002/04/xmldsig-filter2
http://www.w3.org/2002/06/xmldsig-filter2
http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/#xpathFilter
Default value:
http://www.w3.org/2001/10/xml-exc-c14n#
amster attribute:
transformationAlgorithm
- Mask Generation Function Algorithm
Which MGF algorithm to use when encrypting the symmetric encryption key with the RSA-OAEP algorithm.
The possible values for this property are:
http://www.w3.org/2009/xmlenc11#mgf1sha1
http://www.w3.org/2009/xmlenc11#mgf1sha224
http://www.w3.org/2009/xmlenc11#mgf1sha256
http://www.w3.org/2009/xmlenc11#mgf1sha384
http://www.w3.org/2009/xmlenc11#mgf1sha512
Default value:
http://www.w3.org/2009/xmlenc11#mgf1sha256
amster attribute:
maskGenerationFunction
- AES Key Wrap Algorithm
Which AES key wrap algorithm to use when the remote entity provider does not specify which key wrap algorithm it supports.
The possible values for this property are:
http://www.w3.org/2001/04/xmlenc#kw-aes128
http://www.w3.org/2001/04/xmlenc#kw-aes192
http://www.w3.org/2001/04/xmlenc#kw-aes256
Default value:
http://www.w3.org/2001/04/xmlenc#kw-aes256
amster attribute:
aesKeyWrapAlgorithm
- RSA Key Transport Algorithm
The possible values for this property are:
http://www.w3.org/2001/04/xmlenc#rsa-1_5
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
http://www.w3.org/2009/xmlenc11#rsa-oaep
Default value:
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
amster attribute:
rsaKeyTransportAlgorithm
Monitoring
The following settings appear on the Monitoring tab:
- Monitoring Agent Provider Class
The Federation system uses this class to gain access to the monitoring system.
The default implementation uses the built-in AM monitoring system. A custom implementation must implement the
com.sun.identity.plugin.monitoring.FedMonAgent
interface.
Default value:
com.sun.identity.plugin.monitoring.impl.AgentProvider
amster attribute:
monitoringAgentClass
- Monitoring Provider Class for SAML2
The SAML2 engine uses this class to gain access to the monitoring system.
The default implementation uses the built-in AM monitoring system. A custom implementation must implement the
com.sun.identity.plugin.monitoring.FedMonSAML2Svc
interface.
Default value:
com.sun.identity.plugin.monitoring.impl.FedMonSAML2SvcProvider
amster attribute:
monitoringSaml2Class
Configuration Version Service
amster service name: ConfigurationVersionService
The following settings are available in this service:
- configurationCommit
amster attribute:
configurationCommit
- Configuration Version
AM's configuration version
Default value:
3.0.0.1
amster attribute:
configurationVersion
CORS Service
amster service name: CorsConfiguration
Configuration
The following settings appear on the Configuration tab:
- Enable the CORS filter
If disabled, no CORS headers are added to responses.
Default value:
true
amster attribute:
enabled
Secondary Configurations
This service has the following Secondary Configurations.
configuration
- Enable the CORS filter
If disabled, no CORS headers are added to responses.
Default value:
false
amster attribute:
enabled
- Accepted Origins
The set of accepted origins.
amster attribute:
acceptedOrigins
- Accepted Methods
The set of (non-simple) accepted methods, included in the pre-flight response in the header Access-Control-Allow-Methods.
amster attribute:
acceptedMethods
- Accepted Headers
The set of (non-simple) accepted headers, included in the pre-flight response in the header Access-Control-Allow-Headers.
amster attribute:
acceptedHeaders
- Exposed Headers
The set of headers to transmit in the header Access-Control-Expose-Headers.
amster attribute:
exposedHeaders
- Max Age
The max age (in seconds) for caching, included in the pre-flight response in the header Access-Control-Max-Age.
Default value:
0
amster attribute:
maxAge
- Allow Credentials
Whether to transmit the Access-Control-Allow-Credentials: true header in the response.
Default value:
false
amster attribute:
allowCredentials
Dashboard
amster service name: DashboardUserService
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Available Dashboard Apps
List of application dashboard names available by default for realms with the Dashboard service configured.
amster attribute:
assignedDashboard
Secondary Configurations
This service has the following Secondary Configurations.
instances
- Dashboard Class Name
Identifies how to access the application, for example
SAML2ApplicationClass
for a SAML v2.0 application.
amster attribute:
className
- Dashboard Name
The application name as it will appear to the administrator for configuring the dashboard.
amster attribute:
name
- Dashboard Display Name
The application name that displays on the dashboard client.
amster attribute:
displayName
- Dashboard Icon
The icon name that will be displayed on the dashboard client identifying the application.
amster attribute:
icon
- Dashboard Login
The URL that takes the user to the application.
amster attribute:
login
- ICF Identifier
amster attribute:
icfIdentifier
Device ID Service
amster service name: deviceIdService
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Profile Storage Attribute
The user's attribute in which to store Device ID profiles.
The default attribute is added to the schema when you prepare a user store for use with AM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to enabling the Device ID authentication module. AM must be able to write to the attribute.
Default value:
devicePrintProfiles
amster attribute:
deviceIdAttrName
- Device Profile Encryption Scheme
Encryption scheme to use to secure device profiles stored on the server.
If enabled, each device profile is encrypted with a unique random secret key, using AES of the given strength in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half size) provides integrity protection, giving authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored alongside the device profile.
Note: AES-256 may require installation of the JCE Unlimited Strength policy files.
The possible values for this property are:
Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (Value: RSAES_AES256CBC_HS512)
Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (Value: RSAES_AES128CBC_HS256)
Label: No encryption of device settings. (Value: NONE)
Default value:
NONE
amster attribute:
deviceIdSettingsEncryptionScheme
- Encryption Key Store
Path to the key store from which to load encryption keys.
Default value:
/path/to/openam/security/keystores/keystore.jks
amster attribute:
deviceIdSettingsEncryptionKeystore
- Key Store Type
Type of key store to load.
Note: PKCS#11 key stores require hardware support such as a security device or smart card and are not available by default in most JVM installations.
See the JDK 8 PKCS#11 Reference Guide for more details.
The possible values for this property are:
Label: Java Key Store (JKS). (Value: JKS)
Label: Java Cryptography Extension Key Store (JCEKS). (Value: JCEKS)
Label: PKCS#11 Hardware Crypto Storage. (Value: PKCS11)
Label: PKCS#12 Key Store. (Value: PKCS12)
Default value:
JKS
amster attribute:
deviceIdSettingsEncryptionKeystoreType
- Key Store Password
Password to unlock the key store. This password is encrypted when it is saved in the AM configuration. You should modify the default value.
amster attribute:
deviceIdSettingsEncryptionKeystorePassword
- Key-Pair Alias
Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.
amster attribute:
deviceIdSettingsEncryptionKeystoreKeyPairAlias
- Private Key Password
Password to unlock the private key.
amster attribute:
deviceIdSettingsEncryptionKeystorePrivateKeyPassword
Device Profiles Service
amster service name: DeviceProfilesService
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Profile Storage Attribute
The user's attribute in which to store Device profiles.
The default attribute is added to the schema when you prepare a user store for use with AM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to enabling the Device Profiles authentication module. AM must be able to write to the attribute.
Default value:
deviceProfiles
amster attribute:
deviceProfilesAttrName
- Device Profile Encryption Scheme
Encryption scheme to use to secure device profiles stored on the server.
If enabled, each device profile is encrypted with a unique random secret key, using AES of the given strength in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half size) provides integrity protection, giving authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored alongside the device profile.
Note: AES-256 may require installation of the JCE Unlimited Strength policy files.
The possible values for this property are:
Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (Value: RSAES_AES256CBC_HS512)
Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (Value: RSAES_AES128CBC_HS256)
Label: No encryption of device settings. (Value: NONE)
Default value:
NONE
amster attribute:
deviceProfilesSettingsEncryptionScheme
- Encryption Key Store
Path to the key store from which to load encryption keys.
Default value:
/path/to/openam/security/keystores/keystore.jks
amster attribute:
deviceProfilesSettingsEncryptionKeystore
- Key Store Type
Type of key store to load.
Note: PKCS#11 key stores require hardware support such as a security device or smart card and are not available by default in most JVM installations.
See the JDK 8 PKCS#11 Reference Guide for more details.
The possible values for this property are:
Label: Java Key Store (JKS). (Value: JKS)
Label: Java Cryptography Extension Key Store (JCEKS). (Value: JCEKS)
Label: PKCS#11 Hardware Crypto Storage. (Value: PKCS11)
Label: PKCS#12 Key Store. (Value: PKCS12)
Default value:
JKS
amster attribute:
deviceProfilesSettingsEncryptionKeystoreType
- Key Store Password
Password to unlock the key store. This password is encrypted when it is saved in the AM configuration. You should modify the default value.
amster attribute:
deviceProfilesSettingsEncryptionKeystorePassword
- Key-Pair Alias
Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.
amster attribute:
deviceProfilesSettingsEncryptionKeystoreKeyPairAlias
- Private Key Password
Password to unlock the private key.
amster attribute:
deviceProfilesSettingsEncryptionKeystorePrivateKeyPassword
Email Service
amster service name: EmailService
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Email Message Implementation Class
Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.
Default value:
org.forgerock.openam.services.email.MailServerImpl
amster attribute:
emailImplClassName
- Mail Server Host Name
Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.
For example, you might set this property to: smtp.example.com
amster attribute:
hostname
- Mail Server Host Port
Specifies the port number for the SMTP mail server.
Default value:
465
amster attribute:
port
- Mail Server Authentication Username
Specifies the user name for the SMTP mail server.
For example, you might set this property to: username
amster attribute:
username
- Mail Server Authentication Password
Specifies the password for the SMTP user name.
amster attribute:
password
- Mail Server Secure Connection
Specifies whether to connect to the SMTP mail server using SSL.
The possible values for this property are:
SSL
Non SSL
Start TLS
Default value:
SSL
amster attribute:
sslState
- Email From Address
Specifies the address from which to send email notifications.
For example, you might set this property to: no-reply@example.com
amster attribute:
from
- Email Attribute Name
Specifies the profile attribute from which to retrieve the end user's email address.
Default value:
mail
amster attribute:
emailAddressAttribute
- Email Subject
Specifies a subject for notification messages. If you do not set this, AM does not set the subject for notification messages.
amster attribute:
subject
- Email Content
Specifies content for notification messages. If you do not set this, AM includes only the confirmation URL in the mail body.
amster attribute:
message
- Email Rate Limit
Specifies the minimum number of seconds which must elapse between sending emails to an individual user.
Default value:
1
amster attribute:
emailRateLimitSeconds
External Data Stores
amster service name: DataStoreService
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Policy Data Store
Select a data store configuration to be used for policy storage
The possible values for this property are:
Label: Default Data Store (Value: fd270e31-1788-4193-8734-eb2d500c47f3)
Default value:
fd270e31-1788-4193-8734-eb2d500c47f3
amster attribute:
policyDataStoreId
- Application Data Store
Select a data store configuration to be used for application storage
The possible values for this property are:
Label: Default Data Store (Value: fd270e31-1788-4193-8734-eb2d500c47f3)
Default value:
fd270e31-1788-4193-8734-eb2d500c47f3
amster attribute:
applicationDataStoreId
Secondary Configurations
This service has the following Secondary Configurations.
config
- Host Urls
An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: HOST:PORT.
amster attribute:
serverUrls
- Bind DN
amster attribute:
bindDN
- Bind Password
amster attribute:
bindPassword
- Minimum Connection Pool Size
Default value:
1
amster attribute:
minimumConnectionPool
- Maximum Connection Pool Size
Default value:
10
amster attribute:
maximumConnectionPool
- Use SSL
amster attribute:
useSsl
- Start TLS
amster attribute:
useStartTLS
- Affinity Enabled
amster attribute:
affinityEnabled
ForgeRock Authenticator (OATH) Service
amster service name: AuthenticatorOath
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Profile Storage Attribute
Attribute for storing ForgeRock Authenticator OATH profiles.
The default attribute is added to the user store during AM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in AM. AM must be able to write to the attribute.
Default value:
oathDeviceProfiles
amster attribute:
oathAttrName
- Device Profile Encryption Scheme
Encryption scheme for securing device profiles stored on the server.
If enabled, each device profile is encrypted with a unique random secret key, using AES of the given strength in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half size) provides integrity protection, giving authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored alongside the device profile.
Note: AES-256 may require installation of the JCE Unlimited Strength policy files.
The possible values for this property are:
Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (Value: RSAES_AES256CBC_HS512)
Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (Value: RSAES_AES128CBC_HS256)
Label: No encryption of device settings. (Value: NONE)
Default value:
NONE
amster attribute:
authenticatorOATHDeviceSettingsEncryptionScheme
- Encryption Key Store
Path to the key store from which to load encryption keys.
Default value:
/path/to/openam/openam/keystore.jks
amster attribute:
authenticatorOATHDeviceSettingsEncryptionKeystore
- Key Store Type
Type of encryption key store.
Note: PKCS#11 key stores require hardware support such as a security device or smart card and are not available by default in most JVM installations.
See the JDK 8 PKCS#11 Reference Guide for more details.
The possible values for this property are:
Label: Java Key Store (JKS). (Value: JKS)
Label: Java Cryptography Extension Key Store (JCEKS). (Value: JCEKS)
Label: PKCS#11 Hardware Crypto Storage. (Value: PKCS11)
Label: PKCS#12 Key Store. (Value: PKCS12)
Default value:
JKS
amster attribute:
authenticatorOATHDeviceSettingsEncryptionKeystoreType
- Key Store Password
Password to unlock the key store. This password will be encrypted.
amster attribute:
authenticatorOATHDeviceSettingsEncryptionKeystorePassword
- Key-Pair Alias
Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.
Default value:
pushDeviceProfiles
amster attribute:
authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias
- Private Key Password
Password to unlock the private key.
amster attribute:
authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword
- ForgeRock Authenticator (OATH) Device Skippable Attribute Name
The data store attribute that holds the user's decision to enable or disable obtaining and providing a password obtained from the ForgeRock Authenticator app. This attribute must be writable.
Default value:
oath2faEnabled
amster attribute:
authenticatorOATHSkippableName
ForgeRock Authenticator (Push) Service
amster service name: AuthenticatorPush
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Profile Storage Attribute
The user's attribute in which to store Push Notification profiles.
The default attribute is added to the schema when you prepare a user store for use with AM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in AM. AM must be able to write to the attribute.
Default value:
pushDeviceProfiles
amster attribute:
pushAttrName
- Device Profile Encryption Scheme
Encryption scheme to use to secure device profiles stored on the server.
If enabled, each device profile is encrypted with a unique random secret key, using AES of the given strength in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half size) provides integrity protection, giving authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored alongside the device profile.
Note: AES-256 may require installation of the JCE Unlimited Strength policy files.
The possible values for this property are:
Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (Value: RSAES_AES256CBC_HS512)
Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (Value: RSAES_AES128CBC_HS256)
Label: No encryption of device settings. (Value: NONE)
Default value:
NONE
amster attribute:
authenticatorPushDeviceSettingsEncryptionScheme
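The device profile encryption scheme described under the Device ID, Device Profiles, ForgeRock Authenticator (OATH) and ForgeRock Authenticator (Push) services above (AES-CBC with PKCS#5 padding, an HMAC-SHA tag truncated to half size, and a per-profile random key wrapped with the configured RSA key pair), as an added Go example that is not AM's code. The 64-byte key split into HMAC and AES halves, RSA-OAEP with SHA-256 for key wrapping, and the stored field layout are assumptions; the keys and sample profile are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha512"
	"errors"
	"fmt"
	"io"
)

// WrappedProfile is the stored form of one device profile under a scheme like
// RSAES_AES256CBC_HS512. Separate fields are an assumption for illustration;
// AM's own serialisation of the encrypted profile is not documented here.
type WrappedProfile struct {
	WrappedKey []byte // 64-byte random content key, RSA-OAEP wrapped (assumption: OAEP with SHA-256)
	IV         []byte // 16-byte AES-CBC IV
	Ciphertext []byte // AES-256-CBC with PKCS#5/7 padding
	Tag        []byte // HMAC-SHA-512 over IV||Ciphertext, truncated to half size (32 bytes)
}

func pkcs5Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding")
	}
	return b[:len(b)-n], nil
}

// EncryptProfile encrypts one device profile under a fresh random 64-byte key:
// first half HMAC key, second half AES-256 key (an assumption mirroring JWE
// A256CBC-HS512). Encrypt-then-MAC, tag truncated to half the HMAC-SHA-512 size.
func EncryptProfile(pub *rsa.PublicKey, profile []byte) (*WrappedProfile, error) {
	buf := make([]byte, 64+aes.BlockSize) // random content key followed by random IV
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	key, iv := buf[:64], buf[64:]
	macKey, encKey := key[:32], key[32:]
	block, _ := aes.NewCipher(encKey) // 32-byte key: NewCipher cannot fail here
	padded := pkcs5Pad(append([]byte(nil), profile...), aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	mac := hmac.New(sha512.New, macKey)
	mac.Write(iv)
	mac.Write(ct)
	tag := mac.Sum(nil)[:32]
	// Wrap the content key with the public half of the configured RSA key pair.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &WrappedProfile{WrappedKey: wrapped, IV: iv, Ciphertext: ct, Tag: tag}, nil
}

// DecryptProfile unwraps the content key, verifies the truncated tag in
// constant time before touching the ciphertext, then decrypts and unpads.
func DecryptProfile(priv *rsa.PrivateKey, wp *WrappedProfile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wp.WrappedKey, nil)
	if err != nil || len(key) != 64 {
		return nil, errors.New("key unwrap failed")
	}
	if len(wp.IV) != aes.BlockSize || len(wp.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("malformed ciphertext")
	}
	macKey, encKey := key[:32], key[32:]
	mac := hmac.New(sha512.New, macKey)
	mac.Write(wp.IV)
	mac.Write(wp.Ciphertext)
	if !hmac.Equal(mac.Sum(nil)[:32], wp.Tag) {
		return nil, errors.New("integrity check failed")
	}
	block, _ := aes.NewCipher(encKey) // 32-byte key: NewCipher cannot fail here
	pt := make([]byte, len(wp.Ciphertext))
	cipher.NewCBCDecrypter(block, wp.IV).CryptBlocks(pt, wp.Ciphertext)
	return pkcs5Unpad(pt, aes.BlockSize)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // demo only: errors ignored
	wp, _ := EncryptProfile(&priv.PublicKey, []byte(`{"uuid":"constructed-device-1"}`))
	pt, err := DecryptProfile(priv, wp)
	fmt.Println(string(pt), err)
}
```

Because the tag is checked before any decryption, a modified ciphertext or IV is rejected without ever reaching the padding check, which is what keeps a CBC padding oracle out of the picture.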
- Encryption Key Store
Path to the key store from which to load encryption keys.
Default value:
/path/to/openam/openam/keystore.jks
amster attribute:
authenticatorPushDeviceSettingsEncryptionKeystore
- Key Store Type
Type of key store to load.
Note: PKCS#11 key stores require hardware support such as a security device or smart card and are not available by default in most JVM installations.
See the JDK 8 PKCS#11 Reference Guide for more details.
The possible values for this property are:
Label: Java Key Store (JKS). (Value: JKS)
Label: Java Cryptography Extension Key Store (JCEKS). (Value: JCEKS)
Label: PKCS#11 Hardware Crypto Storage. (Value: PKCS11)
Label: PKCS#12 Key Store. (Value: PKCS12)
Default value:
JKS
amster attribute:
authenticatorPushDeviceSettingsEncryptionKeystoreType
- Key Store Password
Password to unlock the key store. This password is encrypted when it is saved in the AM configuration. You should modify the default value.
amster attribute:
authenticatorPushDeviceSettingsEncryptionKeystorePassword
- Key-Pair Alias
Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.
amster attribute:
authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias
- Private Key Password
Password to unlock the private key.
amster attribute:
authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword
- ForgeRock Authenticator (Push) Device Skippable Attribute Name
Name of the attribute on a user's profile used to store their selection of whether to skip ForgeRock Authenticator (Push) 2FA modules.
Default value:
push2faEnabled
amster attribute:
authenticatorPushSkippableName
Globalization Settings
amster service name: Globalization
Global Attributes
The following settings appear on the Global Attributes tab:
- Charsets Supported by Each Locale
This table lets you configure the order of supported character sets used for each supported locale. Change the settings only if the defaults are not appropriate.
Default value:
locale=zh|charset=UTF-8;GB2312
locale=ar|charset=UTF-8;ISO-8859-6
locale=es|charset=UTF-8;ISO-8859-15
locale=de|charset=UTF-8;ISO-8859-15
locale=zh_TW|charset=UTF-8;BIG5
locale=fr|charset=UTF-8;ISO-8859-15
locale=ko|charset=UTF-8;EUC-KR
locale=en|charset=UTF-8;ISO-8859-1
locale=th|charset=UTF-8;TIS-620
locale=ja|charset=UTF-8;Shift_JIS;EUC-JP
amster attribute:
charsetMappings
- Charset Aliases
Use this list to map between different character set names used in Java and in MIME.
Default value:
mimeName=EUC-KR|javaName=EUC_KR
mimeName=EUC-JP|javaName=EUC_JP
mimeName=Shift_JIS|javaName=SJIS
amster attribute:
sun-identity-g11n-settings-charset-alias-mapping
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Auto Generated Common Name Format
Use this list to configure how AM formats names shown in the console banner.
This setting allows the name of the authenticated user shown in the AM console banner to be customised based on the locale of the user.
Default value:
zh={sn}{givenname}
amster attribute:
commonNameFormats
Google Cloud Platform Service Accounts
amster service name: GoogleCloudServiceAccountService
Secondary Configurations
This service has the following Secondary Configurations.
serviceAccounts
- Credentials Secret ID
The ID of the secret that contains the GCP service account credentials. Leave blank to use the default credentials from the environment. Credentials can be loaded from disk using a FileSystem Secret Store.
amster attribute:
credentialsSecretId
- Allowed Realms
A list of realms that are allowed to use this service account. Realms should be specified in path form, such as /subrealm/subsubrealm.
amster attribute:
allowedRealms
- Allowed Secret Names
A list of patterns of Google Secret Manager secret names that are allowed to be used with this service account. Patterns can include the wildcard "*".
Default value:
*
amster attribute:
allowedSecretNamePatterns
- Disallowed Secret Names
A list of patterns of Google Secret Manager secret names that are not allowed to be used with this service account. Patterns can include the wildcard "*".
amster attribute:
disallowedSecretNamePatterns
IDM Provisioning
amster service name: IDMProvisioning
The following settings are available in this service:
- Enabled
Default value:
false
amster attribute:
enabled
- Deployment URL
URL of the IDM deployment, e.g. https://localhost:8080
amster attribute:
idmDeploymentUrl
- Deployment Path
Path of the IDM deployment, e.g. openidm
amster attribute:
idmDeploymentPath
- IDM Provisioning Client
The name of the OAuth 2.0 client to be used for the client credentials flow.
amster attribute:
idmProvisioningClient
- Signing Key Alias
Alias of the signing symmetric key in AM's default keystore. Must be a duplicate of the symmetric key used by IDM.
amster attribute:
provisioningSigningKeyAlias
- Encryption Key Alias
Alias of the encryption asymmetric key in AM's default keystore. Must be a duplicate of the asymmetric key used by IDM.
amster attribute:
provisioningEncryptionKeyAlias
- Signing Algorithm
JWT signing algorithm.
amster attribute:
provisioningSigningAlgorithm
- Signing Compatibility Mode
Enable AM to communicate with OpenIDM 6 and earlier.
When this option is enabled, AM will sign JWTs in a way that is compatible with versions of OpenIDM 6 and earlier. The approach used is incompatible with non-extractable HSM keys. Disable this option if you have upgraded to OpenIDM 6.5, or later.
Default value:
false
amster attribute:
jwtSigningCompatibilityMode
- Encryption Algorithm
JWT encryption algorithm.
amster attribute:
provisioningEncryptionAlgorithm
- Encryption Method
JWT encryption method.
amster attribute:
provisioningEncryptionMethod
IoT Service
amster service name: IoTService
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Create OAuth 2.0 Client
Create an OAuth 2.0 Client with the given name and default configuration required to serve as the client for the IoT Service. The client will be created without any scope(s).
Default value:
false
amster attribute:
createOAuthClient
- OAuth 2.0 Client Name
The name of the default OAuth 2.0 Client used by the IoT Service to request access tokens for things.
Default value:
forgerock-iot-oauth2-client
amster attribute:
oauthClientName
- Create OAuth 2.0 JWT Issuer
Create a Trusted JWT Issuer with the given name and default configuration required for the IoT Service to act as the Issuer when handling requests for thing access tokens.
Default value:
false
amster attribute:
createOAuthJwtIssuer
- OAuth 2.0 JWT Issuer Name
The name of the Trusted JWT Issuer used by the IoT Service to request access tokens for things.
Default value:
forgerock-iot-jwt-issuer
amster attribute:
oauthJwtIssuerName
- OAuth 2.0 Subject Attribute
The name of the identity store attribute from which to read the OAuth 2.0 subject value. The subject is used in access tokens issued for things. This allows the thing's access token subject to have a value other than the thing's ID, which is the value used by default.
amster attribute:
oauthSubjectAttribute
- Readable Attributes
Specifies the list of attributes that a thing is allowed to request from its identity.
Default value:
thingConfig
amster attribute:
attributeAllowlist
Legacy User Self Service
amster service name: SecurityProperties
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Legacy Self-Service REST Endpoint
Specify whether to enable the legacy self-service endpoint.
AM supports two User Self-Service components: the Legacy User Self-Service, which is based on a Java SDK and is available in AM versions prior to AM 13, and a common REST-based/XUI-based User Self-Service available in AM 13 and later.
The Legacy User Self-Service will be deprecated in a future release.
Default value:
false
amster attribute:
selfServiceEnabled
- Self-Registration for Users
If enabled, new users can sign up using a REST API client.
Default value:
false
amster attribute:
selfRegistrationEnabled
- Self-Registration Token LifeTime (seconds)
Maximum lifetime, in seconds, of the token that allows user self-registration using the REST API.
Default value:
900
amster attribute:
selfRegistrationTokenLifetime
- Self-Registration Confirmation Email URL
This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.
Default value:
http://openam.example.com:8080/openam/XUI/confirm.html
amster attribute:
selfRegistrationConfirmationUrl
- Forgot Password for Users
If enabled, users can assign themselves a new password using a REST API client.
Default value:
false
amster attribute:
forgotPasswordEnabled
- Forgot Password Token Lifetime (seconds)
Maximum lifetime, in seconds, of the token that allows a user to complete a forgotten-password flow using the REST API.
Default value:
900
amster attribute:
forgotPasswordTokenLifetime
- Forgot Password Confirmation Email URL
This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.
Default value:
http://openam.example.com:8080/openam/XUI/confirm.html
amster attribute:
forgotPasswordConfirmationUrl
- Destination After Successful Self-Registration
Specifies the behavior when self-registration has successfully completed.
The possible values for this property are:
Label: User is sent to a 'successful registration' page, without being logged in. (Value: default)
Label: User is sent to the login page, to authenticate. (Value: login)
Label: User is automatically logged in and sent to the appropriate page within the system. (Value: autologin)
Default value:
default
amster attribute:
userRegisteredDestination
- Protected User Attributes
A list of user profile attributes. Users modifying any of the attributes in this list will be required to enter a password as confirmation before the change is accepted. This option applies to XUI deployments only.
amster attribute:
protectedUserAttributes
- Confirmation Id HMAC Signing Key
256-bit key (base64-encoded) to use for HMAC signing of the legacy self-service confirmation email links. The default value below is published, so it offers no protection against forged confirmation links; generate a fresh random 256-bit key for every deployment in which the legacy endpoint is enabled.
Default value:
Bn+TrDWLSv1E3ADHWxgqpv4fZnVmKLqwQcZvGdo/3jU=
amster attribute:
confirmationIdHmacKey
Logging
amster service name: Logging
General
The following settings appear on the General tab:
- Log Status
Enable the AM logging system.
AM supports two Audit Logging Services: the legacy Logging Service, which is based on a Java SDK and is available in AM versions prior to AM 13.5, and a new common REST-based Audit Logging Service available from AM 13.5.
The legacy Logging Service will be deprecated in a future release.
The possible values for this property are:
ACTIVE
INACTIVE
Default value:
INACTIVE
amster attribute:
status
- Logging Type
Specifies whether to log to a database, to Syslog, or to the file system.
If you choose database then be sure to set the connection attributes correctly, including the JDBC driver to use.
The possible values for this property are:
File
DB
Syslog
Default value:
File
amster attribute:
type
- Configurable Log Fields
Controls the fields that are logged by AM.
This property is the list of fields that are logged by default. Administrators can choose to limit the information logged by AM.
Default value:
IPAddr
LoggedBy
LoginID
NameID
ModuleName
ContextID
Domain
LogLevel
HostName
MessageID
amster attribute:
fields
- Log Verification Frequency
The frequency (in seconds) at which AM verifies the integrity of the log files.
When secure logging is enabled, this is the period that AM will check the integrity of the log files.
Default value:
3600
amster attribute:
verifyPeriod
- Log Signature Time
The frequency (in seconds) at which AM digitally signs the log records.
When secure logging is enabled, this is the period at which AM digitally signs the contents of the log files. The log signatures form the basis of the log file integrity checking.
Default value:
900
amster attribute:
signaturePeriod
- Secure Logging
Enable or Disable secure logging.
Enabling this setting will cause AM to digitally sign and verify the contents of the log files to help prevent and detect log file tampering. A certificate must be configured for this functionality to be enabled.
The possible values for this property are:
ON
OFF
Default value:
OFF
amster attribute:
security
- Secure Logging Signing Algorithm
Determines the algorithm used to digitally sign the log records.
The possible values for this property are:
MD2withRSA: MD2 with RSA
MD5withRSA: MD5 with RSA
SHA1withDSA: SHA1 with DSA
SHA1withRSA: SHA1 with RSA
Note that all four options use a digest (MD2, MD5, or SHA-1) that is deprecated for digital signatures; SHA1withRSA, the default, is the least weak of the choices offered.
Default value:
SHA1withRSA
amster attribute:
signingAlgorithm
- Logging Certificate Store Location
The path to the Java keystore containing the logging system certificate.
The secure logging system will use the certificate alias of Logger to locate the certificate in the specified keystore.
Default value:
%BASE_DIR%/var/audit/Logger.jks
amster attribute:
certificateStore
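The following is an added illustration of how the Secure Logging, Log Signature Time, and Log Verification Frequency settings above fit together; it is not AM's code. AM signs with the RSA or DSA key behind the Logger alias in the keystore, whereas this stand-in uses HMAC-SHA256 from the Python standard library so that it runs offline. What it keeps is the chaining: each signature covers the records written since the previous signature plus that previous signature, so editing, removing, or reordering any signed record invalidates every later signature. The log records, the key, and the helper names are constructed for the example.

```python
"""Periodic log signing and verification, chained so that any edit to a signed
record is detected at the next verification pass (illustration, not AM code)."""
import hashlib
import hmac
import json
from typing import List, Tuple

SIGNATURE = "SIGNATURE"


def _mac(key: bytes, payload: bytes) -> str:
    # Stand-in for the RSA/DSA signature AM produces with the Logger certificate.
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def _payload(prev_sig: str, records: List[str]) -> bytes:
    # Canonical encoding of what one signature covers: previous signature + new records.
    return json.dumps([prev_sig] + records, separators=(",", ":")).encode()


def sign_period(log: List[dict], records: List[str], key: bytes) -> None:
    """Append one signature period's records, then the signature that closes it."""
    prev_sig = next((r["mac"] for r in reversed(log) if r["type"] == SIGNATURE), "")
    for rec in records:
        log.append({"type": "LOG", "data": rec})
    log.append({"type": SIGNATURE, "mac": _mac(key, _payload(prev_sig, records))})


def verify_log(log: List[dict], key: bytes) -> Tuple[bool, int]:
    """Return (True, -1) if every signature checks out, otherwise (False, index)
    of the first signature record that fails. Records after the last signature
    are not yet covered; the next signature period will cover them."""
    prev_sig = ""
    pending: List[str] = []
    for i, rec in enumerate(log):
        if rec["type"] == "LOG":
            pending.append(rec["data"])
            continue
        if not hmac.compare_digest(_mac(key, _payload(prev_sig, pending)), rec["mac"]):
            return False, i
        prev_sig, pending = rec["mac"], []
    return True, -1


def demo() -> Tuple[Tuple[bool, int], Tuple[bool, int]]:
    """Two signature periods of constructed records (field names follow the
    Configurable Log Fields above), then an edit to the first record."""
    key = b"constructed demo key, standing in for the Logger keystore entry"
    log: List[dict] = []
    sign_period(log, ["LoginID=demo IPAddr=203.0.113.5 MessageID=AUTHENTICATION-100",
                      "LoginID=demo IPAddr=203.0.113.5 MessageID=AUTHENTICATION-101"], key)
    sign_period(log, ["LoginID=amadmin IPAddr=198.51.100.7 MessageID=AUTHENTICATION-100"], key)
    intact = verify_log(log, key)
    log[0]["data"] = log[0]["data"].replace("203.0.113.5", "10.0.0.1")  # attacker rewrites a source IP
    return intact, verify_log(log, key)


if __name__ == "__main__":
    print(demo())
```

The verification pass corresponds to what AM does every Log Verification Frequency seconds; the gap between the last signature and the tail of the file is the window set by Log Signature Time, which is why a short signature period matters more than a short verification period for tamper evidence.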
- Number of Files per Archive
Controls the number of log files that will be archived by the secure logging system.
Default value:
5
amster attribute:
filesPerKeystore
- Buffer Size
The number of log records held in memory before the log records will be flushed to the logfile or the database.
Default value:
25
amster attribute:
bufferSize
- Buffer Time
The maximum time (in seconds) AM will hold log records in memory before flushing to the underlying repository.
Default value:
60
amster attribute:
bufferTime
- Time Buffering
Enable or disable log buffering.
When enabled, AM holds all log records in a memory buffer that it periodically flushes to the repository. The period is set in the Buffer Time property.
The possible values for this property are:
ON
OFF
Default value:
ON
amster attribute:
buffering
- Logging Level
Control the level of JDK logging within AM.
The possible values for this property are:
OFF
SEVERE
WARNING
INFO
CONFIG
FINE
FINER
FINEST
Default value:
INFO
amster attribute:
jdkLoggingLevel
File
The following settings appear on the File tab:
- Log Rotation
Enable log rotation to cause new log files to be created when configured thresholds are reached, such as Maximum Log Size or Logfile Rotation Interval.
Default value:
true
amster attribute:
rotationEnabled
- Maximum Log Size
Maximum size of a log file, in bytes.
Default value:
100000000
amster attribute:
maxFileSize
- Number of History Files
Sets the number of history files for each log that AM keeps, including time-based histories.
The previously live file is moved and is included in the history count, and a new log is created to serve as the live log file. Any log file in the history count that goes over the number specified here will be deleted.
For time-based logs, a new set of logs will be created when AM is started because of the time-based file names that are used.
Default value:
1
amster attribute:
numberHistoryFiles
- Logfile Rotation Prefix
The name of the log files will be prefixed with the supplied value.
This field defines the log file prefix. The prefix will be added to the name of all logfiles.
Note: Only used when time-based log rotation is enabled.
amster attribute:
prefix
- Logfile Rotation Suffix
The name of the log files will be suffixed with the supplied value.
This field defines the log file suffix. If no suffix is provided, then the following default suffix format will be used: -MM.dd.yy-kk.mm. The suffix allows use of date and time patterns defined in SimpleDateFormat.
Note: This field is only used if time-based rotation is enabled.
Default value:
-MM.dd.yy-kk.mm
amster attribute:
suffix
- Logfile Rotation Interval
The rotation interval (in minutes).
The rotation interval determines how often the log files will be rotated. If the value is -1, then time-based rotation is disabled and size-based rotation is enabled.
Default value:
-1
amster attribute:
rotationInterval
- Log File Location
The path to the location of the log files
This property controls the location of the log files; its meaning depends on whether File or DB logging is in use:
File: The full pathname to the directory containing the log files.
DB: The JDBC URL to the database used to store the log file database.
Default value:
%BASE_DIR%/var/audit/
amster attribute:
location
Database
The following settings appear on the Database tab:
- Database User Name
When logging to a database, set this to the user name used to connect to the database. If this attribute is incorrectly set, AM performance suffers.
Default value:
dbuser
amster attribute:
user
- Database User Password
When logging to a database, set this to the password used to connect to the database. If this attribute is incorrectly set, AM performance suffers.
amster attribute:
password
- Database Driver Name
When logging to a database, set this to the class name of the JDBC driver used to connect to the database.
The default is for Oracle. AM also works with the MySQL database driver.
Default value:
oracle.jdbc.driver.OracleDriver
amster attribute:
driver
- Maximum Number of Records
The maximum number of records read from the logs via the Logging API
Default value:
500
amster attribute:
maxRecords
- DB Failure Memory Buffer Size
Maximum number of log records held in memory if DB logging fails.
This is the maximum number of log records that will be held in memory if the database is unavailable. When the buffer is full, new log records cause the oldest record in the buffer to be cleared. AM monitoring records the number of log entries cleared when the database was unavailable.
If the value of this property is less than that of the Buffer Size then the buffer size value will take precedence.
Default value:
2
amster attribute:
databaseFailureMemoryBufferSize
Syslog
The following settings appear on the Syslog tab:
- Syslog server host
The URL or IP address of the syslog server, for example http://mysyslog.example.com, or localhost.
Default value:
localhost
amster attribute:
host
- Syslog server port
The port number the syslog server is configured to listen to.
Default value:
514
amster attribute:
port
- Syslog transport protocol
The protocol to use to connect to the syslog server.
The possible values for this property are:
UDP
TCP
Default value:
UDP
amster attribute:
protocol
- Syslog facility
Syslog uses the facility level to determine the type of program that is logging the message.
The possible values for this property are:
kern
user
mail
daemon
auth
syslog
lpr
news
uucp
cron
authpriv
ftp
local0
local1
local2
local3
local4
local5
local6
local7
Default value:
local5
amster attribute:
facility
- Syslog connection timeout
The amount of time to wait when attempting to connect to the syslog server before reporting a failure, in seconds.
Default value:
30
amster attribute:
timeout
Monitoring
amster service name: Monitoring
Configuration
The following settings appear on the Configuration tab:
- Monitoring Status
Enable / Disable the monitoring system
Default value:
false
amster attribute:
enabled
- Monitoring HTTP Port
Port number for the HTTP monitoring interface
Default value:
8082
amster attribute:
httpPort
- Monitoring HTTP interface status
Enable / Disable the HTTP access to the monitoring system
Default value:
false
amster attribute:
httpEnabled
- Monitoring HTTP interface authentication file path
Path to the monitoring system authentication file
The openam_mon_auth file contains the username and password of the account used to protect the monitoring interfaces. The default username is demo with a password of changeit. Use the ampassword command to encrypt a new password. Replace these default credentials before enabling any of the monitoring interfaces; they are published here and protect every monitoring endpoint.
Default value:
%BASE_DIR%/security/openam_mon_auth
amster attribute:
authfilePath
- Monitoring RMI Port
Port number for the JMX monitoring interface
Default value:
9999
amster attribute:
rmiPort
- Monitoring RMI interface status
Enable / Disable the JMX access to the monitoring system
Default value:
false
amster attribute:
rmiEnabled
- Monitoring SNMP Port
Port number for the SNMP monitoring interface
Default value:
8085
amster attribute:
snmpPort
- Monitoring SNMP interface status
Enable / Disable the SNMP access to the monitoring system
Default value:
false
amster attribute:
snmpEnabled
- Policy evaluation monitoring history size
Size of the window of most recent policy evaluations to record and expose via the monitoring system. Valid range is 100 - 1000000.
Default value:
10000
amster attribute:
policyHistoryWindowSize
- Session monitoring history size
Size of the window of most recent session operations to record and expose via the monitoring system. Valid range is 100 - 1000000.
Default value:
10000
amster attribute:
sessionHistoryWindowSize
Secondary Configurations
This service has the following Secondary Configurations.
crest
- Enabled
Default value:
false
amster attribute:
enabled
graphite
- Hostname
The hostname of the Graphite server to which metrics should be published.
amster attribute:
host
- Port
The port of the Graphite server to which metrics should be published.
Default value:
2004
amster attribute:
port
- Frequency
The frequency (in seconds) at which metrics should be published.
Default value:
30
amster attribute:
frequency
prometheus
- Enabled
Default value:
false
amster attribute:
enabled
- Authentication Type
Default value:
BASIC
amster attribute:
authenticationType
- Username
Default value:
prometheus
amster attribute:
username
- Password
amster attribute:
password
Multi-Federation Protocol
amster service name: MultiFederationProtocol
The following settings are available in this service:
- Single Logout Handler List
List of Logout handlers for each supported federation protocol
The multi-federation protocol engine supports Single Logout. Each federation protocol requires a different single logout handler. Logout handlers must implement the com.sun.identity.multiprotocol.SingleLogoutHandler interface.
Default value:
key=WSFED|class=com.sun.identity.multiprotocol.WSFederationSingleLogoutHandler
key=SAML2|class=com.sun.identity.multiprotocol.SAML2SingleLogoutHandler
amster attribute:
singleLogoutHandlerList
Naming
amster service name: Naming
General Configuration
The following settings appear on the General Configuration tab:
- Profile Service URL
Specifies the endpoint used by the profile service.
This attribute is deprecated.
Default value:
%protocol://%host:%port%uri/profileservice
amster attribute:
profileUrl
- Session Service URL
Specifies the endpoint used by the session service.
Default value:
%protocol://%host:%port%uri/sessionservice
amster attribute:
sessionUrl
- Logging Service URL
Specifies the endpoint used by the logging service.
Default value:
%protocol://%host:%port%uri/loggingservice
amster attribute:
loggingUrl
- Policy Service URL
Specifies the endpoint used by the policy service.
Default value:
%protocol://%host:%port%uri/policyservice
amster attribute:
policyUrl
- Authentication Service URL
Specifies the endpoint used by the authentication service.
Default value:
%protocol://%host:%port%uri/authservice
amster attribute:
authUrl
Federation Configuration
The following settings appear on the Federation Configuration tab:
- SAML Web Profile/Artifact Service URL
Specifies the SAML v1 endpoint.
Default value:
%protocol://%host:%port%uri/SAMLAwareServlet
amster attribute:
samlAwareServletUrl
- SAML SOAP Service URL
Specifies the SAML v1 SOAP service endpoint.
Default value:
%protocol://%host:%port%uri/SAMLSOAPReceiver
amster attribute:
samlSoapReceiverUrl
- SAML Web Profile/POST Service URL
Specifies the SAML v1 Web Profile endpoint.
Default value:
%protocol://%host:%port%uri/SAMLPOSTProfileServlet
amster attribute:
samlPostServletUrl
- SAML Assertion Manager Service URL
Specifies the SAML v1 assertion service endpoint.
Default value:
%protocol://%host:%port%uri/AssertionManagerServlet/AssertionManagerIF
amster attribute:
samlAssertionManagerUrl
- JAXRPC Endpoint URL
Specifies the JAXRPC endpoint URL used by the remote IDM/SMS APIs.
Default value:
%protocol://%host:%port%uri/jaxrpc/
amster attribute:
jaxrpcUrl
Endpoint Configuration
The following settings appear on the Endpoint Configuration tab:
- Identity Web Services Endpoint URL
Specifies the endpoint for the Identity WSDL services.
Default value:
%protocol://%host:%port%uri/identityservices/
amster attribute:
jaxwsUrl
- Identity REST Services Endpoint URL
Specifies the endpoint for the Identity REST services.
Default value:
%protocol://%host:%port%uri/identity/
amster attribute:
idsvcsRestUrl
- Security Token Service Endpoint URL
Specifies the STS endpoint.
Default value:
%protocol://%host:%port%uri/sts
amster attribute:
stsUrl
- Security Token Service MEX Endpoint URL
Specifies the STS MEX endpoint.
Default value:
%protocol://%host:%port%uri/sts/mex
amster attribute:
stsMexUrl
OAuth2 Provider
amster service name: OAuth2Provider
Global Attributes
The following settings appear on the Global Attributes tab:
- Token Blacklist Cache Size
Number of blacklisted tokens to cache in memory to speed up blacklist checks and reduce load on the CTS.
Default value:
10000
amster attribute:
blacklistCacheSize
- Blacklist Poll Interval (seconds)
How frequently to poll for token blacklist changes from other servers, in seconds.
How often each server polls the CTS for token blacklist changes from other servers. This is used to maintain a highly compressed view of the overall current token blacklist, which improves performance. A lower number reduces the delay for blacklisted tokens to propagate to all servers at the cost of increased CTS load. Set to 0 to disable this feature completely.
Default value:
60
amster attribute:
blacklistPollInterval
- Blacklist Purge Delay (minutes)
Length of time to blacklist tokens beyond their expiry time.
Allows additional time to account for clock skew to ensure that a token has expired before it is removed from the blacklist.
Default value:
1
amster attribute:
blacklistPurgeDelay
- Client-Based Grant Token Upgrade Compatibility Mode
Enable AM to consume and create client-based OAuth 2.0 tokens in two different formats simultaneously.
Enable this option when upgrading AM to allow the new instance to create and consume client-based OAuth 2.0 tokens in both the previous format, and the new format. Disable this option once all AM instances in the cluster have been upgraded.
Default value:
false
amster attribute:
statelessGrantTokenUpgradeCompatibilityMode
- CTS Storage Scheme
Storage scheme to be used when storing OAuth2 tokens to CTS.
In order to support rolling upgrades, this should be set to the latest storage scheme supported by all AM instances within your cluster. Select the latest storage scheme once all AM instances in the cluster have been upgraded.
One-to-One Storage Scheme
Under this storage scheme, each OAuth2 token maps to an individual CTS entry.
This storage scheme is inefficient - use the Grant-Set Storage Scheme once all servers have been upgraded to a version which supports it.
Grant-Set Storage Scheme
Under this storage scheme, multiple authorization codes, access tokens, and refresh tokens for a given OAuth 2.0 client and resource owner can be stored within a single CTS entry.
The possible values for this property are:
Label: One-to-One Storage Scheme (Value: CTS_ONE_TO_ONE_MODEL)
Label: Grant-Set Storage Scheme (Value: CTS_GRANT_SET_MODEL)
Default value:
CTS_ONE_TO_ONE_MODEL
amster attribute:
storageScheme
- Enforce JWT Unreasonable Lifetime
Enable the enforcement of JWT token unreasonable lifetime during validation.
The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants specification (https://datatracker.ietf.org/doc/html/rfc7523#section-3) states that an authorization server may reject JWTs with an "exp" claim value that is unreasonably far in the future and an "iat" claim value that is unreasonably far in the past. This enforcement may be disabled, but should only be done if the security implications have been evaluated.
Default value:
true
amster attribute:
jwtTokenLifetimeValidationEnabled
- JWT Unreasonable Lifetime (seconds)
Specify the lifetime (in seconds) of a JWT which should be considered unreasonable and rejected by validation.
The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants specification (https://datatracker.ietf.org/doc/html/rfc7523#section-3) states that an authorization server may reject JWTs with an "exp" claim value that is unreasonably far in the future and an "iat" claim value that is unreasonably far in the past. During token validation AM enforces that the token must expire within the specified duration and if the "iat" claim value is present, the token must not be older than the specified duration.
Default value:
86400
amster attribute:
jwtTokenUnreasonableLifetime
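The following is an added example, not AM's code, of the lifetime validation that the two settings above control, applied to the claims of a client-authentication or authorization-grant JWT as RFC 7523 section 3 describes. The `now` argument stands in for the server clock, and `unreasonable_lifetime` and `enforce` for jwtTokenUnreasonableLifetime and jwtTokenLifetimeValidationEnabled; the function name and the claim sets used below are this example's own.

```python
"""Reject JWTs whose exp is unreasonably far ahead or whose iat is unreasonably
far in the past (illustration of the setting above, not AM's implementation)."""
import time
from typing import Optional, Tuple


def check_jwt_lifetime(claims: dict, now: Optional[float] = None,
                       unreasonable_lifetime: int = 86400,
                       enforce: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Rules, following the description above:
      - exp is required by RFC 7523 and must still be in the future;
      - with enforcement on, exp may be at most unreasonable_lifetime seconds away;
      - with enforcement on and iat present, iat may be at most
        unreasonable_lifetime seconds in the past.
    """
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "missing exp"
    if exp <= now:
        return False, "expired"
    if not enforce:
        return True, "accepted (lifetime enforcement disabled)"
    if exp - now > unreasonable_lifetime:
        return False, f"exp is {int(exp - now)}s ahead, limit {unreasonable_lifetime}s"
    iat = claims.get("iat")
    if isinstance(iat, (int, float)) and now - iat > unreasonable_lifetime:
        return False, f"iat is {int(now - iat)}s in the past, limit {unreasonable_lifetime}s"
    return True, "accepted"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed server clock
    # A five-minute assertion with a fresh iat passes; a 48-hour exp does not.
    print(check_jwt_lifetime({"exp": now + 300, "iat": now - 5}, now))
    print(check_jwt_lifetime({"exp": now + 172800}, now))
```

The check is on top of ordinary exp/nbf validation, not a replacement for it: a JWT that a client minted once with an exp a year ahead would otherwise stay usable as a client credential for that whole year if it leaked.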
Core
The following settings appear on the Core tab:
- Use Client-Based Access & Refresh Tokens
When enabled, AM issues access and refresh tokens that can be inspected by resource servers.
Default value:
false
amster attribute:
statelessTokensEnabled
- Use Macaroon Access and Refresh Tokens
When enabled, AM will issue access and refresh tokens as Macaroons with caveats.
Default value:
false
amster attribute:
macaroonTokensEnabled
- Authorization Code Lifetime (seconds)
The time an authorization code is valid for, in seconds.
Default value:
120
amster attribute:
codeLifetime
- Refresh Token Lifetime (seconds)
The time in seconds a refresh token is valid for. If this field is set to -1, the refresh token will never expire.
Default value:
604800
amster attribute:
refreshTokenLifetime
- Access Token Lifetime (seconds)
The time an access token is valid for, in seconds. Note that if you set the value to 0, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.
Default value:
3600
amster attribute:
accessTokenLifetime
- Issue Refresh Tokens
Whether to issue a refresh token when returning an access token.
Default value:
true
amster attribute:
issueRefreshToken
- Issue Refresh Tokens on Refreshing Access Tokens
Whether to issue a refresh token when refreshing an access token.
Default value:
true
amster attribute:
issueRefreshTokenOnRefreshedToken
- Use Policy Engine for Scope decisions
With this setting enabled, the policy engine is consulted for each scope value that is requested.
If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow. If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow. If no policy returns a value for the GRANT action, then if the grant type is user-facing (i.e. authorization or device code flows), the user is asked for consent (or saved consent is used), and if the grant type is not user-facing (password or client credentials), the scope is not added to any resulting token.
Default value:
false
amster attribute:
usePolicyEngineForScope
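The following is an added example, not AM's code, of the scope decision rules described above for Use Policy Engine for Scope decisions. The `policy_grant` callable stands in for the policy engine's GRANT action per scope (True, False, or None when no policy returned a value); the grant-type names and the set of user-facing grant types are this example's reading of the text.

```python
"""Scope decisions with the policy engine enabled: auto-grant, deny, or consent
(illustration of the rules described above, not AM's implementation)."""
from typing import Callable, Iterable, Optional, Set, Tuple

# Grant types for which a consent page can be shown (authorization code and device code).
USER_FACING_GRANT_TYPES = {"authorization_code", "device_code"}


def decide_scopes(requested: Iterable[str], grant_type: str,
                  policy_grant: Callable[[str], Optional[bool]],
                  saved_consent: Iterable[str] = ()) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (granted, ask_user, denied).

    granted  - scopes that go into the token without asking the user
    ask_user - scopes to present on the consent page (user-facing grants only)
    denied   - scopes dropped from the token and never shown to the user
    """
    saved = set(saved_consent)
    granted: Set[str] = set()
    ask_user: Set[str] = set()
    denied: Set[str] = set()
    for scope in requested:
        decision = policy_grant(scope)
        if decision is True:
            granted.add(scope)          # GRANT=true: consented automatically
        elif decision is False:
            denied.add(scope)           # GRANT=false: not in the token, not on the consent page
        elif grant_type in USER_FACING_GRANT_TYPES:
            # No policy answered: saved consent is reused, otherwise the user is asked.
            (granted if scope in saved else ask_user).add(scope)
        else:
            denied.add(scope)           # No policy, non-user-facing grant: scope is not added
    return granted, ask_user, denied


if __name__ == "__main__":
    policy = {"profile": True, "admin": False}   # constructed policy results; others return None
    print(decide_scopes(["openid", "profile", "email", "admin"], "authorization_code",
                        policy.get, saved_consent={"openid"}))
    print(decide_scopes(["openid", "profile", "email", "admin"], "client_credentials", policy.get))
```

Note the asymmetry the last branch encodes: for password and client-credentials grants, a scope with no policy decision is silently dropped rather than granted, so enabling this setting on a deployment whose policies do not cover every scope will shrink the tokens issued to machine clients.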
- OAuth2 Access Token Modification Script
The script that is executed when issuing an access token. The script can change the access token's internal data structure to include or exclude particular fields.
The possible values for this property are:
Label: OAuth2 Access Token Modification Script (Value: d22f9a0c-426a-4466-b95e-d0f125b0d5fa)
Label: --- Select a script --- (Value: [Empty])
Default value:
d22f9a0c-426a-4466-b95e-d0f125b0d5fa
amster attribute:
accessTokenModificationScript
- OAuth2 Access Token May Act Script
The script that is executed when issuing an access token, explicitly to modify the may_act claim placed on the token.
The possible values for this property are:
Label: OAuth2 May Act Script (Value: c735de08-f8f2-4e69-aa4a-2d8d3d438323)
Label: --- Select a script --- (Value: [Empty])
Default value:
[Empty]
amster attribute:
accessTokenMayActScript
- OIDC ID Token May Act Script
The script that is executed when issuing an OIDC ID Token, explicitly to modify the may_act claim placed on the token.
The possible values for this property are:
Label: OAuth2 May Act Script (Value: c735de08-f8f2-4e69-aa4a-2d8d3d438323)
Label: --- Select a script --- (Value: [Empty])
Default value:
[Empty]
amster attribute:
oidcMayActScript
Advanced
The following settings appear on the Advanced tab:
- Custom Login URL Template
Custom URL for handling login, to override the default AM login page.
Supports Freemarker syntax, with the following variables:
gotoUrl: The URL to redirect to after login.
acrValues: The Authentication Context Class Reference (acr) values for the authorization request.
realm: The AM realm the authorization request was made on.
module: The name of the AM authentication module requested to perform resource owner authentication.
service: The name of the AM authentication chain requested to perform resource owner authentication.
locale: A space-separated list of locales, ordered by preference.
The following example template redirects users to a non-AM front end to handle login, which will then redirect back to the /oauth2/authorize endpoint with any required parameters:
http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if>
NOTE: Default AM login page is constructed using "Base URL Source" service.
amster attribute:
customLoginUrlTemplate
- Scope Implementation Class
The class that contains the required scope implementation; it must implement the org.forgerock.oauth2.core.ScopeValidator interface.
Default value:
org.forgerock.openam.oauth2.OpenAMScopeValidator
amster attribute:
scopeImplementationClass
- Response Type Plugins
List of plugins that handle the valid response_type values.
OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (/oauth2/authorize) to indicate which grant type is requested from the provider. For example, the client passes code when requesting an authorization code, and token when requesting an access token.
Values in this list take the form response-type|plugin-class-name.
Default value:
code|org.forgerock.oauth2.core.AuthorizationCodeResponseTypeHandler
id_token|org.forgerock.openidconnect.IdTokenResponseTypeHandler
device_code|org.forgerock.oauth2.core.TokenResponseTypeHandler
token|org.forgerock.oauth2.core.TokenResponseTypeHandler
amster attribute:
responseTypeClasses
- Additional Audience Values
The additional audience values that will be permitted when verifying Client Authentication JWTs.
These audience values will be in addition to the AS base, issuer and endpoint URIs.
amster attribute:
allowedAudienceValues
- Token Exchanger Plugins
List of plugins that handle the valid requested_token_type values.
When using the Token Exchange grant type, these handlers are used to convert the provided subject_token and actor_token into the appropriate impersonation or delegation tokens for use with downstream services.
Default value:
urn:ietf:params:oauth:token-type:access_token=>urn:ietf:params:oauth:token-type:access_token|org.forgerock.oauth2.core.tokenexchange.accesstoken.AccessTokenToAccessTokenExchanger
urn:ietf:params:oauth:token-type:id_token=>urn:ietf:params:oauth:token-type:id_token|org.forgerock.oauth2.core.tokenexchange.idtoken.IdTokenToIdTokenExchanger
urn:ietf:params:oauth:token-type:access_token=>urn:ietf:params:oauth:token-type:id_token|org.forgerock.oauth2.core.tokenexchange.accesstoken.AccessTokenToIdTokenExchanger
urn:ietf:params:oauth:token-type:id_token=>urn:ietf:params:oauth:token-type:access_token|org.forgerock.oauth2.core.tokenexchange.idtoken.IdTokenToAccessTokenExchanger
amster attribute:
tokenExchangeClasses
- Token Validator Plugins
List of plugins that validate subject_token and actor_token values.
When using the Token Exchange grant type, these handlers validate the subject_token and actor_token values to ensure they meet the required criteria to be exchanged.
Default value:
urn:ietf:params:oauth:token-type:id_token|org.forgerock.oauth2.core.tokenexchange.idtoken.OidcIdTokenValidator
urn:ietf:params:oauth:token-type:access_token|org.forgerock.oauth2.core.tokenexchange.accesstoken.OAuth2AccessTokenValidator
amster attribute:
tokenValidatorClasses
- User Profile Attribute(s) the Resource Owner is Authenticated On
Names of profile attributes that resource owners use to log in. You can add others to the default, for example mail.
Default value:
uid
amster attribute:
authenticationAttributes
- User Display Name attribute
The profile attribute that contains the name to be displayed for the user on the consent page.
Default value:
cn
amster attribute:
displayNameAttribute
- Client Registration Scope Whitelist
The set of scopes allowed when registering clients dynamically, with translations.
Scopes may be entered as simple strings or as pipe-separated strings representing the internal scope name, locale, and localized description.
For example:
read|en|Permission to view email messages in your account
Locale strings are in the format language_country_variant, for example en, en_GB, or en_US_WIN.
If the locale and its pipe are omitted, the description is displayed to all users that have undefined locales.
If the description is also omitted, nothing is displayed on the consent page for the scope. For example, specifying read| would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.
amster attribute:
supportedScopes
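The following is an added example, not AM's code: a parser for the entry format described above (scope, scope|description, scope|locale|description, or scope| for no description), together with the consent-page lookup the description implies. The entry strings and helper names are constructed for the example.

```python
"""Parse Client Registration Scope Whitelist entries and resolve consent-page
text per locale (illustration of the format above, not AM's implementation)."""
from typing import Dict, Iterable, Optional, Tuple

# scope -> {locale (None = undefined locale): description (None = show nothing)}
ScopeTable = Dict[str, Dict[Optional[str], Optional[str]]]


def parse_scope_entry(entry: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (scope, locale, description) for one whitelist entry."""
    parts = entry.split("|", 2)
    scope = parts[0]
    if not scope:
        raise ValueError(f"empty scope name in {entry!r}")
    if len(parts) == 1:            # "read": a simple string, nothing to display
        return scope, None, None
    if len(parts) == 2:            # "read|text" for undefined locales, or "read|" for no text
        return scope, None, parts[1] or None
    return scope, parts[1] or None, parts[2] or None   # "read|en|text"


def load_whitelist(entries: Iterable[str]) -> ScopeTable:
    table: ScopeTable = {}
    for entry in entries:
        scope, locale, description = parse_scope_entry(entry)
        table.setdefault(scope, {})[locale] = description
    return table


def consent_lines(table: ScopeTable, requested: Iterable[str],
                  user_locale: Optional[str] = None) -> Dict[str, str]:
    """Map each requested scope to the text shown on the consent page.

    A scope outside the whitelist is rejected, as it would be at dynamic
    registration. The locale-less description is used only for users whose
    locale is undefined, which is all the text above promises; no wider
    fallback (for example en for en_GB) is assumed here.
    """
    lines: Dict[str, str] = {}
    for scope in requested:
        if scope not in table:
            raise ValueError(f"scope {scope!r} is not in the registration whitelist")
        description = table[scope].get(user_locale)
        if description:
            lines[scope] = description
    return lines


if __name__ == "__main__":
    entries = ["read|en|Permission to view email messages in your account",   # constructed
               "read|fr|Autorisation de lire vos messages",
               "write|Permission to send mail",
               "admin|"]
    table = load_whitelist(entries)
    print(consent_lines(table, ["read", "admin"], "en"))
```

The admin| entry is the case to watch: the scope is registrable and requestable, yet the consent page shows the user nothing for it, so a client can obtain a consented token carrying a scope the user never saw described.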
- Subject Types supported
List of subject types supported. Valid values are:
public: Each client receives the same subject (sub) value.
pairwise: Each client receives a different subject (sub) value, to prevent correlation between clients.
Default value:
public
pairwise
supportedSubjectTypes
- Default Client Scopes
List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the AM console.
amster attribute:
defaultScopes
- OAuth2 Token Signing Algorithm
Algorithm used to sign client-based OAuth 2.0 tokens in order to detect tampering.
AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:
HS256: HMAC with SHA-256.
HS384: HMAC with SHA-384.
HS512: HMAC with SHA-512.
ES256: ECDSA with SHA-256 and NIST standard P-256 elliptic curve.
ES384: ECDSA with SHA-384 and NIST standard P-384 elliptic curve.
ES512: ECDSA with SHA-512 and NIST standard P-521 elliptic curve.
RS256: RSASSA-PKCS1-v1_5 using SHA-256.
RS384: RSASSA-PKCS1-v1_5 using SHA-384.
RS512: RSASSA-PKCS1-v1_5 using SHA-512.
PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256.
PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384.
PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512.
With the HS* algorithms the signing key is a shared secret, so any resource server that validates client-based tokens locally must hold a key that could also mint them; the RS*, ES*, and PS* algorithms let resource servers verify with the public key only.
The possible values for this property are:
HS256
HS384
HS512
RS256
RS384
RS512
ES256
ES384
ES512
PS256
PS384
PS512
Default value:
HS256
amster attribute:
tokenSigningAlgorithm
- Client-Based Token Compression
Whether client-based access and refresh tokens should be compressed.
Default value:
false
amster attribute:
tokenCompressionEnabled
- Encrypt Client-Based Tokens
Whether client-based access and refresh tokens should be encrypted.
Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.
Default value:
false
amster attribute:
tokenEncryptionEnabled
- Subject Identifier Hash Salt
If pairwise subject types are supported, it is STRONGLY RECOMMENDED to change this value. It is used to salt the hashes of the sub claims returned to individuals using the same request_uri or sector_identifier_uri.
Default value:
changeme
amster attribute:
hashSalt
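The two settings above work together: a pairwise subject is a salted hash that ties the user's identifier to the client's sector, so two clients in different sectors cannot correlate the same user, and anyone who knows the default salt could reproduce the mapping. The following is an added example, not AM's own implementation: it derives sector identifiers and subject values using the example method from OpenID Connect Core section 8.1 (SHA-256 over sector, local account id and salt). The salt value, the client records and the "|" separator are constructed for the example; AM's exact derivation may differ in detail.

```python
import hashlib
from urllib.parse import urlparse

# Constructed stand-in for the Subject Identifier Hash Salt setting. AM ships
# with "changeme"; a deployment that advertises pairwise subjects must replace it.
HASH_SALT = "constructed-example-salt-do-not-use"


def sector_identifier(client):
    """Return the sector a pairwise client belongs to (OIDC Core 8.1 rules).

    client is a dict with 'redirect_uris' and an optional 'sector_identifier_uri'.
    A client whose redirect URIs span several hosts must supply sector_identifier_uri.
    """
    if client.get("sector_identifier_uri"):
        return urlparse(client["sector_identifier_uri"]).hostname
    hosts = {urlparse(uri).hostname for uri in client["redirect_uris"]}
    if len(hosts) != 1:
        raise ValueError("multiple redirect hosts: sector_identifier_uri is required")
    return hosts.pop()


def subject_for(local_account_id, client, subject_type, salt=HASH_SALT):
    """Derive the sub claim value a client receives for a local account.

    public   -> every client sees the same identifier.
    pairwise -> SHA-256(sector | local id | salt): the OIDC Core 8.1 example
                method, with the salt preventing offline reconstruction.
    """
    if subject_type == "public":
        return local_account_id
    if subject_type == "pairwise":
        sector = sector_identifier(client)
        material = f"{sector}|{local_account_id}|{salt}".encode("utf-8")
        return hashlib.sha256(material).hexdigest()
    raise ValueError(f"unsupported subject type: {subject_type}")


# Constructed clients: two in different sectors, and one that shares the
# first client's sector through a sector_identifier_uri.
SHOP_APP = {"redirect_uris": ["https://shop.example.com/cb"]}
NEWS_APP = {"redirect_uris": ["https://news.example.org/cb"]}
SHOP_MOBILE = {
    "redirect_uris": ["https://m.shop.example.com/cb", "https://shop.example.com/cb"],
    "sector_identifier_uri": "https://shop.example.com/sector.json",
}


if __name__ == "__main__":
    for client in (SHOP_APP, NEWS_APP, SHOP_MOBILE):
        print(subject_for("alice", client, "pairwise"))
```

Run against the same local account, SHOP_APP and SHOP_MOBILE receive the same pairwise sub and NEWS_APP a different one, while changing the salt changes every pairwise value; that is why the salt must be rotated away from the default before the mapping is relied on.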
- Code Verifier Parameter Required
If enabled, requests using the authorization code grant require a code_challenge parameter. For more information, read the PKCE specification.
Note that if a client specifies a code_challenge parameter in the authorization request, PKCE is enabled regardless of the value of this attribute.
The possible values for this property are:
Label: All requests (Value: true)
Label: Requests from all public clients (Value: public)
Label: Requests from all passwordless public clients (Value: passwordless)
Label: No requests (Value: false)
Default value:
false
amster attribute:
codeVerifierEnforced
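To make the four enforcement values concrete, here is an added example (not AM's code) of the PKCE exchange from both sides: the client derives an S256 code_challenge from a random code_verifier, the authorization endpoint decides whether a missing challenge is an error according to the setting, and the token endpoint re-derives the challenge from the presented verifier and compares it in constant time. The client dict shape ({"public": bool, "has_password": bool}) and the reading of "passwordless" as a public client with no client password are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy verifier (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """Client side: the S256 challenge sent in the authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def pkce_required(setting: str, client: dict) -> bool:
    """Map the Code Verifier Parameter Required values to a per-client decision.

    client is a constructed dict {"public": bool, "has_password": bool}; treating
    'passwordless' as a public client without a client password is an assumption.
    """
    if setting == "true":
        return True
    if setting == "public":
        return client["public"]
    if setting == "passwordless":
        return client["public"] and not client["has_password"]
    if setting == "false":
        return False
    raise ValueError(f"unknown setting {setting!r}")


def accept_authorization_request(params: dict, setting: str, client: dict):
    """Server side, authorization endpoint.

    Returns the (method, challenge) pair to store with the authorization code, or
    None when PKCE is not in play. A supplied code_challenge always switches PKCE
    on for that code, whatever the setting says.
    """
    challenge = params.get("code_challenge")
    if challenge is None:
        if pkce_required(setting, client):
            raise ValueError("invalid_request: code_challenge is required")
        return None
    method = params.get("code_challenge_method", "plain")
    if method not in ("S256", "plain"):
        raise ValueError("invalid_request: unsupported code_challenge_method")
    return (method, challenge)


def accept_token_request(stored, verifier) -> bool:
    """Server side, token endpoint: re-derive the challenge and compare in constant time."""
    if stored is None:
        return True  # this code was issued without PKCE
    if verifier is None:
        return False  # challenge stored but no code_verifier presented
    method, challenge = stored
    derived = code_challenge_s256(verifier) if method == "S256" else verifier
    return hmac.compare_digest(derived, challenge)
```

The S256 derivation is checked against the RFC 7636 Appendix B test vector; only the S256 path binds the token request to a secret the authorization request never carried, which is why a practitioner would configure clients to send S256 rather than plain.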
- Modified Timestamp Attribute Name
The identity Data Store attribute used to return modified timestamp values.
This attribute is paired together with the Created Timestamp Attribute Name attribute (createdTimestampAttribute). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.
For example, when you configure AM as an OpenID Connect Provider in a Mobile Connect application and use DS as an identity data store, the client accesses the userinfo endpoint to obtain the updated_at claim value in the ID token. The updated_at claim obtains its value from the modifiedTimestampAttribute attribute in the user profile. If the profile has never been modified, the updated_at claim uses the createdTimestampAttribute attribute.
amster attribute:
modifiedTimestampAttribute
- Created Timestamp Attribute Name
The identity Data Store attribute used to return created timestamp values.
amster attribute:
createdTimestampAttribute
- Password Grant Authentication Service
The authentication service (chain or tree) that will be used to authenticate the username and password for the resource owner password credentials grant type.
The possible values for this property are:
[Empty]
ldapService
amsterService
Example
Agent
RetryLimit
PersistentCookie
HmacOneTimePassword
Facebook-ProvisionIDMAccount
Google-AnonymousUser
Google-DynamicAccountCreation
PlatformRegistration
PlatformProgressiveProfile
PlatformLogin
PlatformForgottenUsername
PlatformResetPassword
PlatformUpdatePassword
amster attribute:
passwordGrantAuthService
- Enable Auth Module Messages for Password Credentials Grant
If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.
The Password Grant Type requires the grant_type=password parameter.
Default value:
false
amster attribute:
moduleMessageEnabledInPasswordGrant
- Grant Types
The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.
If no Grant Types (OAuth2 Flows) are configured nothing will be permitted.
Default value:
implicit
urn:ietf:params:oauth:grant-type:saml2-bearer
refresh_token
password
client_credentials
urn:ietf:params:oauth:grant-type:device_code
authorization_code
urn:openid:params:grant-type:ciba
urn:ietf:params:oauth:grant-type:uma-ticket
urn:ietf:params:oauth:grant-type:token-exchange
urn:ietf:params:oauth:grant-type:jwt-bearer
amster attribute:
grantTypes
- Trusted TLS Client Certificate Header
HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.
Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this header from incoming requests. Best practice is to use a random string.
amster attribute:
tlsClientCertificateTrustedHeader
- TLS Client Certificate Header Format
Format of the HTTP header used to communicate a client certificate from a reverse proxy.
The following formats are supported:
URLENCODED_PEM - a URL-encoded PEM format certificate. This is the format used by Nginx.
X_FORWARDED_CLIENT_CERT - the X-Forwarded-Client-Cert format used by Envoy and Istio.
The possible values for this property are:
URLENCODED_PEM
X_FORWARDED_CLIENT_CERT
Default value:
URLENCODED_PEM
amster attribute:
tlsClientCertificateHeaderFormat
- Support TLS Certificate-Bound Access Tokens
Whether to bind access tokens to the client certificate when using TLS client certificate authentication.
Default value:
true
amster attribute:
tlsCertificateBoundAccessTokensEnabled
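The three settings above describe one pipeline: a proxy terminates TLS, forwards the client certificate in a trusted header in one of two formats, and AM then binds the access token to that certificate. The following added example (not AM's code) parses both header formats into DER bytes, computes the RFC 8705 x5t#S256 thumbprint, and checks it against the cnf claim of an access token. The header names, the stand-in certificate bytes (not a parsable X.509 object) and the token claims are constructed for the example; a deployment gets the real certificate from the proxy and the real cnf claim from the token.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, unquote


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the base64 body to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)


def parse_urlencoded_pem(value: str) -> bytes:
    """URLENCODED_PEM: the whole PEM certificate, percent-encoded (Nginx style)."""
    return pem_to_der(unquote(value))


def parse_xfcc(value: str) -> list:
    """X_FORWARDED_CLIENT_CERT (Envoy/Istio): ','-separated elements, each a list of
    ';'-separated key=value pairs; values with reserved characters are double-quoted.
    Returns one dict per element; the Cert value is the URL-encoded PEM."""
    elements, current = [], {}
    key, buf, in_quotes = None, [], False
    for ch in value + ",":  # sentinel comma closes the last element
        if in_quotes:
            if ch == '"':
                in_quotes = False
            else:
                buf.append(ch)
        elif ch == '"':
            in_quotes = True
        elif ch == "=" and key is None:
            key, buf = "".join(buf), []
        elif ch in ";,":
            if key is not None:
                current[key] = "".join(buf)
            key, buf = None, []
            if ch == ",":
                if current:
                    elements.append(current)
                current = {}
        else:
            buf.append(ch)
    return elements


def client_cert_der(headers: dict, trusted_header: str, header_format: str):
    """Return the proxy-supplied client certificate as DER, or None.

    trusted_header is the Trusted TLS Client Certificate Header setting: empty means
    TLS terminates at AM and no header is consulted at all.
    """
    if not trusted_header:
        return None
    value = headers.get(trusted_header)
    if value is None:
        return None
    if header_format == "URLENCODED_PEM":
        return parse_urlencoded_pem(value)
    if header_format == "X_FORWARDED_CLIENT_CERT":
        elements = parse_xfcc(value)
        # Single-proxy assumption: the first element describes the end client.
        if not elements or "Cert" not in elements[0]:
            return None
        return pem_to_der(unquote(elements[0]["Cert"]))
    raise ValueError(f"unknown header format {header_format!r}")


def x5t_s256(der: bytes) -> str:
    """RFC 8705 confirmation value: base64url(SHA-256(DER certificate))."""
    return base64.urlsafe_b64encode(hashlib.sha256(der).digest()).rstrip(b"=").decode()


def token_bound_to_cert(token_claims: dict, der) -> bool:
    """Certificate-bound access token check: the presented cert must match cnf.x5t#S256."""
    expected = token_claims.get("cnf", {}).get("x5t#S256")
    if not expected or der is None:
        return False
    return hmac.compare_digest(expected, x5t_s256(der))


# Constructed stand-in certificate bytes and the two header encodings a proxy would send.
FAKE_DER = b"\x30\x82\x00\x10constructed-stand-in-certificate"
FAKE_HASH = hashlib.sha256(FAKE_DER).hexdigest()
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(FAKE_DER).decode()
            + "-----END CERTIFICATE-----\n")
NGINX_HEADER = quote(FAKE_PEM, safe="")
XFCC_HEADER = ("By=spiffe://cluster.local/ns/default/sa/am;Hash=" + FAKE_HASH
               + ';Subject="CN=client, O=Example";Cert=' + quote(FAKE_PEM, safe=""))
```

The header name passed as trusted_header plays the role of the random string the page recommends: the parser only reads that one header, and whatever the proxy fails to strip from an incoming request is exactly the value an attacker could otherwise place there, which is why the page insists the proxy strip it.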
- Check TLS Certificate Revocation Status
Whether to check if TLS client certificates have been revoked.
If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements "soft fail" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.
Default value:
false
amster attribute:
tlsCertificateRevocationCheckingEnabled
- OCSP Responder URI
URI of the OCSP responder service to use for checking certificate revocation status.
If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.
amster attribute:
tlsOcspResponderUri
- OCSP Responder Certificate
PEM-encoded certificate to use to verify OCSP responses.
If specified this certificate will be used to verify the signature on all OCSP responses. Otherwise the appropriate certificate will be determined from the trusted CA certificates.
amster attribute:
tlsOcspResponderCert
- Macaroon Token Format
The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.
The possible values for this property are:
V1
V2
Default value:
V2
amster attribute:
macaroonTokenFormat
Client Dynamic Registration
The following settings appear on the Client Dynamic Registration tab:
- Require Software Statement for Dynamic Client Registration
When enabled, a software statement JWT containing at least the iss (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.
Default value:
false
amster attribute:
dynamicClientRegistrationSoftwareStatementRequired
- Required Software Statement Attested Attributes
The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.
Leave blank to allow any attributes to be present.
Default value:
redirect_uris
amster attribute:
requiredSoftwareStatementAttestedAttributes
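As an added example of what these two settings enforce at the registration endpoint (not AM's code): the request must carry a software_statement JWT, the JWT's signature must verify before any claim is trusted, iss must be present and known, and every attribute listed as required (by default redirect_uris) must be attested in the statement rather than supplied only in the plain request body. The settings dict, the trusted issuer, its HMAC key and HS256 as the signing algorithm are all constructed for the example; a real software statement issuer would normally sign with an asymmetric key published via JWKS.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWS; used here only to build constructed software statements."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify the signature before trusting any claim; the alg is fixed by the verifier,
    never taken from the token (so 'none' or a swapped algorithm is rejected)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("invalid_software_statement: unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("invalid_software_statement: signature invalid")
    return json.loads(b64url_decode(payload_b64))


# Constructed stand-in for the two settings on this tab.
SETTINGS = {
    "dynamicClientRegistrationSoftwareStatementRequired": True,
    "requiredSoftwareStatementAttestedAttributes": ["redirect_uris"],
}
# Constructed trust anchors: issuer -> key used to verify its software statements.
TRUSTED_ISSUERS = {"https://sw-issuer.example.com": b"constructed-32-byte-demo-key-0001"}


def validate_registration(request: dict, settings=SETTINGS, issuers=TRUSTED_ISSUERS) -> dict:
    """Apply the tab's rules to a registration request; return the effective client metadata."""
    token = request.get("software_statement")
    if token is None:
        if settings["dynamicClientRegistrationSoftwareStatementRequired"]:
            raise ValueError("invalid_client_metadata: software_statement required")
        return dict(request)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("invalid_software_statement: malformed JWT")
    # The unverified iss only selects the key; the verified payload must carry the same iss.
    claimed_iss = json.loads(b64url_decode(parts[1])).get("iss")
    key = issuers.get(claimed_iss)
    if key is None:
        raise ValueError("invalid_software_statement: unknown or missing iss")
    statement = verify_hs256(token, key)
    if statement.get("iss") != claimed_iss:
        raise ValueError("invalid_software_statement: iss mismatch")
    for attr in settings["requiredSoftwareStatementAttestedAttributes"]:
        if attr not in statement:
            raise ValueError(f"invalid_software_statement: {attr} must be attested")
        if attr in request and request[attr] != statement[attr]:
            raise ValueError(f"invalid_client_metadata: {attr} conflicts with software statement")
    metadata = {k: v for k, v in request.items() if k != "software_statement"}
    metadata.update(statement)  # attested values take precedence over plain request values
    return metadata
```

The conflict check matters because a client could otherwise put an attested redirect_uris in the statement and a different one in the request body; treating the attested value as authoritative (the precedence rule of RFC 7591 section 3.1.1) closes that gap.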
- Allow Open Dynamic Client Registration
Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see Client Registration in the OpenID Connect specification.
Default value:
false
amster attribute:
allowDynamicRegistration
- Generate Registration Access Tokens
Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the Client Configuration Endpoint as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.
Default value:
true
amster attribute:
generateRegistrationAccessTokens
- Scope to give access to dynamic client registration
Mandatory scope required when registering a new OAuth2 client.
Default value:
dynamic_client_registration
amster attribute:
dynamicClientRegistrationScope
OpenID Connect
The following settings appear on the OpenID Connect tab:
- OIDC Claims Script
The script that is run when issuing an ID token or making a request to the userinfo endpoint during OpenID requests.
The script gathers the scopes and populates claims, and has access to the access token, the user's identity and, if available, the user's session.
The possible values for this property are:
OIDC Claims Script
Default value:
OIDC Claims Script
amster attribute:
oidcClaimsScript
- Overrideable Id_Token Claims
List of claims in the id_token that may be overrideable in the OIDC Claims Script. These should be the subset of the core OpenID Connect claims, like aud or azp.
Tip
For information about the core OpenID Connect claims, see the ID Token data structure.
For details of the OIDC script, see "Scripting OpenID Connect 1.0 Claims".
To override claims, follow the steps described in How do I override claims in the OIDC ID token in Identity Cloud or AM 7.1.x?
amster attribute:
overrideableOIDCClaims
- ID Token Signing Algorithms supported
Algorithms supported to sign OpenID Connect id_tokens.
AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:
HS256 - HMAC with SHA-256.
HS384 - HMAC with SHA-384.
HS512 - HMAC with SHA-512.
ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.
ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.
ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.
RS256 - RSASSA-PKCS-v1_5 using SHA-256.
RS384 - RSASSA-PKCS-v1_5 using SHA-384.
RS512 - RSASSA-PKCS-v1_5 using SHA-512.
PS256 - RSASSA-PSS using SHA-256.
PS384 - RSASSA-PSS using SHA-384.
PS512 - RSASSA-PSS using SHA-512.
Default value:
PS384
ES384
RS384
HS256
HS512
ES256
RS256
HS384
ES512
PS256
PS512
RS512
amster attribute:
supportedIDTokenSigningAlgorithms
- ID Token Encryption Algorithms supported
Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide their contents.
AM supports the following ID token encryption algorithms:
RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.
RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.
A128KW - AES Key Wrapping with 128-bit key derived from the client secret.
RSA1_5 - RSA with PKCS#1 v1.5 padding.
A256KW - AES Key Wrapping with 256-bit key derived from the client secret.
dir - Direct encryption with AES using the hashed client secret.
A192KW - AES Key Wrapping with 192-bit key derived from the client secret.
Default value:
ECDH-ES+A256KW
ECDH-ES+A192KW
RSA-OAEP
ECDH-ES+A128KW
RSA-OAEP-256
A128KW
A256KW
ECDH-ES
dir
A192KW
amster attribute:
supportedIDTokenEncryptionAlgorithms
- ID Token Encryption Methods supported
Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide their contents.
AM supports the following ID token encryption methods:
A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.
A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.
Default value:
A256GCM
A192GCM
A128GCM
A128CBC-HS256
A192CBC-HS384
A256CBC-HS512
amster attribute:
supportedIDTokenEncryptionMethods
- Supported Claims
Set of claims supported by the OpenID Connect /oauth2/userinfo endpoint, with translations.
Claims may be entered as simple strings or pipe-separated strings representing the internal claim name, locale, and localized description.
For example: name|en|Your full name.
Locale strings are in the format language + "_" + country + "_" + variant, for example en, en_GB, or en_US_WIN. If the locale and pipe are omitted, the description is displayed to all users whose locale is undefined. If the description is also omitted, nothing is displayed on the consent page for the claim. For example, specifying family_name| allows the client to use the claim family_name, but does not display it to the user on the consent page when requested.
amster attribute:
supportedClaims
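The Supported Scopes entry earlier on this page and the Supported Claims entry above share one entry format (name, optional locale, optional description, separated by pipes). The following added example (not AM's code) parses that format and applies the display rules exactly as the page states them: a locale-specific description is shown only for that exact locale, a description with no locale is shown only to users whose locale is undefined, and an entry with an empty or absent description is allowed but shows nothing. The ConsentEntry class and the sample entry list are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ConsentEntry:
    name: str
    locale: Optional[str]        # None when the locale segment was omitted
    description: Optional[str]   # None when omitted entirely, "" when present but empty


def parse_entry(entry: str) -> ConsentEntry:
    """Parse one Supported Scopes / Supported Claims entry.

    name                     -> no description: allowed, nothing shown on consent
    name|description         -> shown to users whose locale is undefined
    name|locale|description  -> shown to users with exactly that locale
    The description is split off last so it may itself contain '|'.
    """
    parts = entry.split("|", 2)
    if len(parts) == 1:
        return ConsentEntry(parts[0], None, None)
    if len(parts) == 2:
        return ConsentEntry(parts[0], None, parts[1])
    return ConsentEntry(parts[0], parts[1] or None, parts[2])


def parse_locale(locale: str) -> tuple:
    """Split language + "_" + country + "_" + variant into a 3-tuple (missing parts are "")."""
    parts = locale.split("_", 2)
    return tuple(parts + [""] * (3 - len(parts)))


def is_allowed(entries, name: str) -> bool:
    """A scope or claim is usable by clients as soon as any entry names it."""
    return any(e.name == name for e in entries)


def consent_description(entries, name: str, user_locale: Optional[str]) -> Optional[str]:
    """Text to show on the consent page for this user, or None when nothing is shown."""
    if user_locale is None:
        candidates = [e for e in entries if e.name == name and e.locale is None]
    else:
        candidates = [e for e in entries if e.name == name and e.locale == user_locale]
    for entry in candidates:
        if entry.description:   # "" and None both mean: display nothing
            return entry.description
    return None


# Constructed configuration covering every entry form the page describes.
SUPPORTED_CLAIMS = [parse_entry(e) for e in [
    "name|en|Your full name.",
    "name|fr|Votre nom complet.",
    "email|Your e-mail address.",
    "family_name|",
    "address",
]]
```

Because the description is the last segment, entries such as "name|en|First name | Last name" keep their full text; splitting naively on every pipe would silently truncate them.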
- OpenID Connect JWT Token Lifetime (seconds)
The amount of time the JWT will be valid for, in seconds.
Default value:
3600
amster attribute:
jwtTokenLifetime
- OIDC Provider Discovery
Turns on and off OIDC Discovery endpoint.
Default value:
false
amster attribute:
oidcDiscoveryEndpointEnabled
Advanced OpenID Connect
The following settings appear on the Advanced OpenID Connect tab:
- Remote JSON Web Key URL
The remote URL where the provider's JSON Web Key can be retrieved.
If this setting is not configured, then AM provides a local URL to access the public key of the private key used to sign ID tokens.
amster attribute:
jkwsURI
- Idtokeninfo Endpoint Requires Client Authentication
When enabled, the /oauth2/idtokeninfo endpoint requires client authentication if the signing algorithm is set to HS256, HS384, or HS512.
Default value:
true
amster attribute:
idTokenInfoClientAuthenticationEnabled
- Enable "claims_parameter_supported"
If enabled, clients will be able to request individual claims using the claims request parameter, as per section 5.5 of the OpenID Connect specification.
Default value:
false
amster attribute:
claimsParameterSupported
- OpenID Connect acr_values to Auth Chain Mapping
Maps OpenID Connect ACR values to authentication chains. For more details, see the acr_values parameter in the OpenID Connect authentication request specification.
amster attribute:
loaMapping
- Default ACR values
Default requested Authentication Context Class Reference values.
List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.
amster attribute:
defaultACR
- OpenID Connect id_token amr Values to Auth Module Mappings
Specify amr values to be returned in the OpenID Connect id_token. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the amr values. If you do not require amr values, or are not providing OpenID Connect tokens, leave this field blank.
amster attribute:
amrMappings
- Always Return Claims in ID Tokens
If enabled, include scope-derived claims in the id_token, even if an access token is also returned that could provide access to get the claims from the userinfo endpoint.
If not enabled and an access token is requested, the client must use it to access the userinfo endpoint for scope-derived claims, as they will not be included in the ID token.
Default value:
false
amster attribute:
alwaysAddClaimsToToken
- Enable Session Management
If this is not enabled then OpenID Connect session management related endpoints will be disabled. When enabled AM will store ops tokens corresponding to OpenID Connect sessions in the CTS store and an oidc session id in the AM session.
Default value:
true
amster attribute:
storeOpsTokens
- Request Parameter Signing Algorithms Supported
Algorithms supported to verify the signature of the Request parameter.
AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:
HS256 - HMAC with SHA-256.
HS384 - HMAC with SHA-384.
HS512 - HMAC with SHA-512.
ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.
ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.
ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.
RS256 - RSASSA-PKCS-v1_5 using SHA-256.
Default value:
PS384
ES384
RS384
HS256
HS512
ES256
RS256
HS384
ES512
PS256
PS512
RS512
amster attribute:
supportedRequestParameterSigningAlgorithms
- Request Parameter Encryption Algorithms Supported
Encryption algorithms supported to decrypt the Request parameter.
AM supports the following Request parameter encryption algorithms:
RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.
RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.
A128KW - AES Key Wrapping with 128-bit key derived from the client secret.
RSA1_5 - RSA with PKCS#1 v1.5 padding.
A256KW - AES Key Wrapping with 256-bit key derived from the client secret.
dir - Direct encryption with AES using the hashed client secret.
A192KW - AES Key Wrapping with 192-bit key derived from the client secret.
Default value:
ECDH-ES+A256KW
ECDH-ES+A192KW
ECDH-ES+A128KW
RSA-OAEP
RSA-OAEP-256
A128KW
A256KW
ECDH-ES
dir
A192KW
amster attribute:
supportedRequestParameterEncryptionAlgorithms
- Request Parameter Encryption Methods Supported
Encryption methods supported to decrypt the Request parameter.
AM supports the following Request parameter encryption methods:
A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.
A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.
Default value:
A256GCM
A192GCM
A128GCM
A128CBC-HS256
A192CBC-HS384
A256CBC-HS512
amster attribute:
supportedRequestParameterEncryptionEnc
- Supported Token Endpoint JWS Signing Algorithms.
Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.
Default value:
PS384
ES384
RS384
HS256
HS512
ES256
RS256
HS384
ES512
PS256
PS512
RS512
amster attribute:
supportedTokenEndpointAuthenticationSigningAlgorithms
- Authorized OIDC SSO Clients
Clients authorized to use OpenID Connect ID tokens as SSO Tokens.
Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.
amster attribute:
authorisedOpenIdConnectSSOClients
- UserInfo Signing Algorithms Supported
Algorithms supported to verify the signature of the UserInfo endpoint.
AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:
HS256 - HMAC with SHA-256.
HS384 - HMAC with SHA-384.
HS512 - HMAC with SHA-512.
ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.
ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.
ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.
RS256 - RSASSA-PKCS-v1_5 using SHA-256.
Default value:
ES384
HS256
HS512
ES256
RS256
HS384
ES512
amster attribute:
supportedUserInfoSigningAlgorithms
- UserInfo Encryption Algorithms Supported
Encryption algorithms supported by the UserInfo endpoint.
AM supports the following UserInfo endpoint encryption algorithms:
RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.
RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.
A128KW - AES Key Wrapping with 128-bit key derived from the client secret.
RSA1_5 - RSA with PKCS#1 v1.5 padding.
A256KW - AES Key Wrapping with 256-bit key derived from the client secret.
dir - Direct encryption with AES using the hashed client secret.
A192KW - AES Key Wrapping with 192-bit key derived from the client secret.
Default value:
ECDH-ES+A256KW
ECDH-ES+A192KW
RSA-OAEP
ECDH-ES+A128KW
RSA-OAEP-256
A128KW
A256KW
ECDH-ES
dir
A192KW
amster attribute:
supportedUserInfoEncryptionAlgorithms
- UserInfo Encryption Methods Supported
Encryption methods supported by the UserInfo endpoint.
AM supports the following UserInfo endpoint encryption methods:
A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.
A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.
Default value:
A256GCM
A192GCM
A128GCM
A128CBC-HS256
A192CBC-HS384
A256CBC-HS512
amster attribute:
supportedUserInfoEncryptionEnc
- Use Force Authentication for prompt=login
This setting is applied only when you've implemented modules or chains, and you've specified the prompt=login parameter. The default value is false.
When set to false, AM forces the end user to authenticate even if they already have a valid session. After re-authentication, AM creates a new session.
When set to true, AM forces the end user to authenticate even if they already have a valid session. But, after re-authentication, AM returns the same session ID.
Caution
If you set Use Force Authentication for prompt=login to true, you must also set the org.forgerock.openam.authentication.forceAuth.enabled advanced server property to true. If you do not do this, your users may end up in an infinite login loop.
For security reasons, it is strongly recommended that you leave Use Force Authentication for prompt=login set to the default value (false), so that a new session is created when the user re-authenticates.
- Token Introspection Response Signing Algorithms Supported
Algorithms that are supported for signing the Token Introspection endpoint JWT response.
AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:
HS256 - HMAC with SHA-256.
HS384 - HMAC with SHA-384.
HS512 - HMAC with SHA-512.
ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.
ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.
ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.
RS256 - RSASSA-PKCS-v1_5 using SHA-256.
RS384 - RSASSA-PKCS-v1_5 using SHA-384.
RS512 - RSASSA-PKCS-v1_5 using SHA-512.
EdDSA - EdDSA with SHA-512.
Default value:
PS384
RS384
EdDSA
ES384
HS256
HS512
ES256
RS256
HS384
ES512
PS256
PS512
RS512
amster attribute:
supportedTokenIntrospectionResponseSigningAlgorithms
- Token Introspection Response Encryption Algorithms Supported
Encryption algorithms supported by the Token Introspection endpoint JWT response.
AM supports the following Token Introspection response encryption algorithms:
RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.
RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.
A128KW - AES Key Wrapping with 128-bit key derived from the client secret.
RSA1_5 - RSA with PKCS#1 v1.5 padding.
A256KW - AES Key Wrapping with 256-bit key derived from the client secret.
dir - Direct encryption with AES using the hashed client secret.
A192KW - AES Key Wrapping with 192-bit key derived from the client secret.
Default value:
ECDH-ES+A256KW
ECDH-ES+A192KW
RSA-OAEP
ECDH-ES+A128KW
RSA-OAEP-256
A128KW
A256KW
ECDH-ES
dir
A192KW
amster attribute:
supportedTokenIntrospectionResponseEncryptionAlgorithms
- Token Introspection Response Encryption Methods Supported
Encryption methods supported by the Token Introspection endpoint JWT response.
AM supports the following encryption methods:
A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.
A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.
Default value:
A256GCM
A192GCM
A128GCM
A128CBC-HS256
A192CBC-HS384
A256CBC-HS512
amster attribute:
supportedTokenIntrospectionResponseEncryptionEnc
- Include all kty and alg combinations in jwks_uri
By default, only distinct kid entries are returned in the jwks_uri and the alg property is not included. Enabling this flag results in duplicate kid entries, each one specifying a different kty and alg combination. See RFC 7517 on distinct key IDs (kid).
Default value:
false
amster attribute:
includeAllKtyAlgCombinationsInJwksUri
Device Flow
The following settings appear on the Device Flow tab:
- Verification URL
The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.
amster attribute:
verificationUrl
- Device Completion URL
The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.
amster attribute:
completionUrl
- Device Code Lifetime (seconds)
The lifetime of the device code, in seconds.
Default value:
300
amster attribute:
deviceCodeLifetime
- Device Polling Interval
The polling frequency for devices waiting for tokens when using the device code flow.
Default value:
5
amster attribute:
devicePollInterval
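The two values above govern the device code flow's timing: the device code expires after Device Code Lifetime seconds, and a device that polls the token endpoint faster than Device Polling Interval is told to slow down. The following added example (not AM's code) models both sides under a fake clock: a toy authorization server that issues device codes with the page's defaults (300 s, 5 s) and a client loop following RFC 8628 (wait the interval, add 5 s on slow_down, stop on expired_token or access_denied). The server class, the fake clock, the user code and the URLs are constructed for the example.

```python
import secrets

AUTHORIZATION_PENDING = "authorization_pending"
SLOW_DOWN = "slow_down"
EXPIRED_TOKEN = "expired_token"
ACCESS_DENIED = "access_denied"


class FakeClock:
    """Deterministic clock so the timing rules can be exercised without sleeping."""
    def __init__(self, start=1_000.0):
        self.now = start

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class DeviceAuthorizationServer:
    """Toy server constructed for the example; holds device codes and enforces
    Device Code Lifetime and Device Polling Interval."""
    def __init__(self, clock, code_lifetime=300, poll_interval=5):
        self.clock, self.code_lifetime, self.poll_interval = clock, code_lifetime, poll_interval
        self.codes = {}

    def device_authorization(self):
        device_code = secrets.token_urlsafe(24)
        self.codes[device_code] = {"issued": self.clock.time(), "last_poll": None, "approved": None}
        return {"device_code": device_code, "user_code": "WDJB-MJHT",
                "verification_uri": "https://am.example.com/oauth2/device/user",
                "expires_in": self.code_lifetime, "interval": self.poll_interval}

    def user_decision(self, device_code, approved):
        """What the user does on the Verification URL: approve or deny."""
        self.codes[device_code]["approved"] = approved

    def token(self, device_code):
        """Token endpoint for grant_type urn:ietf:params:oauth:grant-type:device_code."""
        rec = self.codes.get(device_code)
        now = self.clock.time()
        if rec is None or now - rec["issued"] >= self.code_lifetime:
            self.codes.pop(device_code, None)
            return {"error": EXPIRED_TOKEN}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.poll_interval:
            rec["last_poll"] = now
            return {"error": SLOW_DOWN}
        rec["last_poll"] = now
        if rec["approved"] is None:
            return {"error": AUTHORIZATION_PENDING}
        del self.codes[device_code]  # single use, whatever the outcome
        if not rec["approved"]:
            return {"error": ACCESS_DENIED}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def poll_for_token(server, clock, device_code, interval, expires_in):
    """RFC 8628 client loop. Returns the token response or the terminal error."""
    deadline = clock.time() + expires_in
    while clock.time() < deadline:
        clock.sleep(interval)
        resp = server.token(device_code)
        if "access_token" in resp:
            return resp
        error = resp.get("error")
        if error == SLOW_DOWN:
            interval += 5          # RFC 8628 section 3.5: back off by 5 seconds
            continue
        if error == AUTHORIZATION_PENDING:
            continue
        return resp                # expired_token or access_denied: stop polling
    return {"error": "client_gave_up"}
```

The lifetime and interval are the two knobs a defender tunes here: a shorter lifetime narrows the window in which an unattended user code can be approved, and the interval plus slow_down keep a fleet of devices from turning the token endpoint into a polling hot spot.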
Consent
The following settings appear on the Consent tab:
- Saved Consent Attribute Name
Name of a multi-valued attribute on resource owner profiles where AM can save authorization consent decisions.
When the resource owner chooses to save the decision to authorize access for a client application, then AM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.
amster attribute:
savedConsentAttribute
- Allow Clients to Skip Consent
If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.
Default value:
false
amster attribute:
clientsCanSkipConsent
- Enable Remote Consent
Enables consent to be gathered by a separate service.
Default value:
false
amster attribute:
enableRemoteConsent
- Remote Consent Service ID
The ID of an existing remote consent service agent.
The possible values for this property are:
[Empty]
amster attribute:
remoteConsentServiceId
- Remote Consent Service Request Signing Algorithms Supported
Algorithms supported to sign consent_request JWTs for Remote Consent Services.
AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:
HS256 - HMAC with SHA-256.
HS384 - HMAC with SHA-384.
HS512 - HMAC with SHA-512.
ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.
ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.
ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.
RS256 - RSASSA-PKCS-v1_5 using SHA-256.
Default value:
PS384
ES384
RS384
HS256
HS512
ES256
RS256
HS384
ES512
PS256
PS512
RS512
amster attribute:
supportedRcsRequestSigningAlgorithms
- Remote Consent Service Request Encryption Algorithms Supported
Encryption algorithms supported to encrypt Remote Consent Service requests.
AM supports the following encryption algorithms:
RSA1_5 - RSA with PKCS#1 v1.5 padding.
RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.
RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.
A128KW - AES Key Wrapping with 128-bit key derived from the client secret.
A192KW - AES Key Wrapping with 192-bit key derived from the client secret.
A256KW - AES Key Wrapping with 256-bit key derived from the client secret.
dir - Direct encryption with AES using the hashed client secret.
Default value:
ECDH-ES+A256KW
ECDH-ES+A192KW
RSA-OAEP
ECDH-ES+A128KW
RSA-OAEP-256
A128KW
A256KW
ECDH-ES
dir
A192KW
amster attribute:
supportedRcsRequestEncryptionAlgorithms
- Remote Consent Service Request Encryption Methods Supported
Encryption methods supported to encrypt Remote Consent Service requests.
AM supports the following encryption methods:
A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.
A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.
Default value:
A256GCM
A192GCM
A128GCM
A128CBC-HS256
A192CBC-HS384
A256CBC-HS512
amster attribute:
supportedRcsRequestEncryptionMethods
- Remote Consent Service Response Signing Algorithms Supported
Algorithms supported to verify signed consent_response JWT from Remote Consent Services.
AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:
HS256 - HMAC with SHA-256.
HS384 - HMAC with SHA-384.
HS512 - HMAC with SHA-512.
ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.
ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.
ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.
RS256 - RSASSA-PKCS-v1_5 using SHA-256.
Default value:
PS384
ES384
RS384
HS256
HS512
ES256
RS256
HS384
ES512
PS256
PS512
RS512
amster attribute:
supportedRcsResponseSigningAlgorithms
- Remote Consent Service Response Encryption Algorithms Supported
Encryption algorithms supported to decrypt Remote Consent Service responses.
AM supports the following encryption algorithms:
RSA1_5 - RSA with PKCS#1 v1.5 padding.
RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.
RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.
A128KW - AES Key Wrapping with 128-bit key derived from the client secret.
A192KW - AES Key Wrapping with 192-bit key derived from the client secret.
A256KW - AES Key Wrapping with 256-bit key derived from the client secret.
dir - Direct encryption with AES using the hashed client secret.
Default value:
ECDH-ES+A256KW
ECDH-ES+A192KW
ECDH-ES+A128KW
RSA-OAEP
RSA-OAEP-256
A128KW
A256KW
ECDH-ES
dir
A192KW
amster attribute:
supportedRcsResponseEncryptionAlgorithms
- Remote Consent Service Response Encryption Methods Supported
Encryption methods supported to decrypt Remote Consent Service responses.
AM supports the following encryption methods:
A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.
A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.
Default value:
A256GCM
A192GCM
A128GCM
A128CBC-HS256
A192CBC-HS384
A256CBC-HS512
amster attribute:
supportedRcsResponseEncryptionMethods
CIBA
The following settings appear on the CIBA tab:
- Back Channel Authentication ID Lifetime (seconds)
The time, in seconds, that the back channel authentication request ID is valid for.
Default value:
600
amster attribute:
cibaAuthReqIdLifetime
- Polling Wait Interval (seconds)
The minimum amount of time, in seconds, that the client should wait between polling requests to the token endpoint.
Default value:
2
amster attribute:
cibaMinimumPollingInterval
- Signing Algorithms Supported
Algorithms supported to sign the CIBA request parameter.
AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:
ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.
PS256 - RSASSA-PSS using SHA-256.
Default value:
ES256
PS256
amster attribute:
supportedCibaSigningAlgorithms
Platform
amster service name: Platform
The following settings are available in this service:
- Platform Locale
Set the fallback locale used when the user locale cannot be determined.
Default value:
en_US
amster attribute:
locale
- Cookie Domains
Set the list of domains into which AM writes cookies.
If you set multiple cookie domains, AM only sets the cookie in the domain the client uses to access AM.
If you do not set a value here, the Set-Cookie response header will not include a Domain attribute. In this case, AM sets a host-only cookie rather than a domain cookie. Because host-only cookies are more secure than domain cookies, you should use host-only cookies unless you have a good business case for using domain cookies. In general, domain cookies are required only if your Web or Java agent uses an SSO tracking cookie for SSO.
Default value:
openam.example.com
amster attribute:
cookieDomains
Policy Configuration
amster service name: PolicyConfiguration
Global Attributes
The following settings appear on the Global Attributes tab:
- Resource Comparator
AM uses resource comparators to match resources specified in policy rules. When setting comparators on the command line, separate fields with | characters.
Default value:
serviceType=iPlanetAMWebAgentService|class=com.sun.identity.policy.plugins.HttpURLResourceName|wildcard=*|oneLevelWildcard=-*-|delimiter=/|caseSensitive=false
amster attribute:
resourceComparators
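To show what the fields of the default comparator mean in practice, here is an added example (not AM's code) that parses the pipe-separated definition and turns a policy resource pattern into a matcher: wildcard (*) spans any characters including the delimiter, oneLevelWildcard (-*-) stops at the delimiter (/), and caseSensitive=false makes the comparison case-insensitive. The regex translation is the example's own technique, chosen to make the semantics visible, not a description of how the HttpURLResourceName class is implemented.

```python
import re

# The default Resource Comparator value from the page, kept verbatim.
DEFAULT_COMPARATOR = (
    "serviceType=iPlanetAMWebAgentService"
    "|class=com.sun.identity.policy.plugins.HttpURLResourceName"
    "|wildcard=*|oneLevelWildcard=-*-|delimiter=/|caseSensitive=false"
)


def parse_comparator(spec: str) -> dict:
    """Split the pipe-separated comparator definition into its key=value fields."""
    fields = {}
    for field in spec.split("|"):
        key, _, value = field.partition("=")
        fields[key] = value
    return fields


def compile_resource_pattern(pattern: str, cmp: dict):
    """Translate a policy resource pattern into an anchored regular expression
    using the comparator's wildcard, one-level wildcard, delimiter and case rule."""
    one_level, wildcard, delimiter = cmp["oneLevelWildcard"], cmp["wildcard"], cmp["delimiter"]
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith(one_level, i):     # test first: '-*-' contains '*'
            out.append(f"[^{re.escape(delimiter)}]*")
            i += len(one_level)
        elif pattern.startswith(wildcard, i):
            out.append(".*")
            i += len(wildcard)
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    flags = 0 if cmp.get("caseSensitive", "true").lower() == "true" else re.IGNORECASE
    return re.compile("^" + "".join(out) + "$", flags)


def resource_matches(pattern: str, resource: str, cmp: dict) -> bool:
    """True when the requested resource is covered by the policy rule's pattern."""
    return compile_resource_pattern(pattern, cmp).fullmatch(resource) is not None


if __name__ == "__main__":
    cmp = parse_comparator(DEFAULT_COMPARATOR)
    for pat, res in [("http://www.example.com:80/*", "http://www.example.com:80/a/b"),
                     ("http://www.example.com:80/-*-", "http://www.example.com:80/a/b")]:
        print(pat, res, resource_matches(pat, res, cmp))
```

The one-level wildcard is the one to reach for when a rule should cover a directory but not everything beneath it; a rule written with * instead silently grants the whole subtree, which is the usual source of over-broad web agent policies.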
- Continue Evaluation on Deny Decision
If no, then AM stops evaluating policy as soon as it reaches a deny decision.
Default value:
false
amster attribute:
continueEvaluationOnDeny
- Realm Alias Referrals
If yes, then AM allows creation of policies for HTTP and HTTPS resources whose FQDN matches the DNS alias for the realm even when no referral policy exists.
Default value:
false
amster attribute:
realmAliasReferrals
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Primary LDAP Server
Configuration directory server host:port that AM searches for policy information.
Format:
local AM server name | hostname:port
Multiple entries must be prefixed by local server name. Make sure to place the multiple entries on a single line and separate the hostname:port URLs with a space.
For example, openam.example.com|opendj.example.com:1389 opendj.example.com:2389
Default value:
openam.example.com:50636
amster attribute:
ldapServer
- LDAP Users Base DN
Base DN for LDAP Users subject searches.
Default value:
dc=openam,dc=forgerock,dc=org
amster attribute:
usersBaseDn
- LDAP Bind DN
Bind DN to connect to the directory server for policy information.
Default value:
cn=Directory Manager
amster attribute:
bindDn
- LDAP Bind Password
Bind password to connect to the directory server for policy information.
amster attribute:
bindPassword
- LDAP Organization Search Filter
Search filter to match organization entries.
Default value:
(objectclass=sunismanagedorganization)
amster attribute:
realmSearchFilter
- LDAP Users Search Filter
Search filter to match user entries.
Default value:
(objectclass=inetorgperson)
amster attribute:
usersSearchFilter
- LDAP Users Search Scope
Search scope to find user entries.
The possible values for this property are:
SCOPE_BASE
SCOPE_ONE
SCOPE_SUB
Default value:
SCOPE_SUB
amster attribute:
usersSearchScope
- LDAP Users Search Attribute
Naming attribute for user entries.
Default value:
uid
amster attribute:
usersSearchAttribute
- Maximum Results Returned from Search
Search limit for LDAP searches.
Default value:
100
amster attribute:
maximumSearchResults
- Search Timeout
Time after which AM returns an error for an incomplete search, in seconds.
Default value:
5
amster attribute:
searchTimeout
- LDAP SSL/TLS
If enabled, AM connects securely to the directory server. This requires that you install the directory server certificate.
Default value:
true
amster attribute:
sslEnabled
- LDAP Connection Pool Minimum Size
Minimum number of connections in the pool.
Default value:
1
amster attribute:
connectionPoolMinimumSize
- LDAP Connection Pool Maximum Size
Maximum number of connections in the pool.
Default value:
10
amster attribute:
connectionPoolMaximumSize
- Heartbeat Interval
Specifies how often AM sends a heartbeat request to the directory.
Use this option when a firewall or load balancer may close idle connections; the heartbeat requests ensure that the connections do not become idle.
Default value:
10
amster attribute:
policyHeartbeatInterval
- Heartbeat Unit
Defines the time unit corresponding to the Heartbeat Interval setting.
Use this option when a firewall or load balancer may close idle connections; the heartbeat requests ensure that the connections do not become idle.
The possible values for this property are:
Label: second (Value: SECONDS)
Label: minute (Value: MINUTES)
Label: hour (Value: HOURS)
Default value:
SECONDS
amster attribute:
policyHeartbeatTimeUnit
- Subjects Result Time to Live
Maximum time that AM caches a subject result for evaluating policy requests, in minutes. A value of 0 prevents AM from caching subject evaluations for policy decisions.
Default value:
10
amster attribute:
subjectsResultTTL
- User Alias
If enabled, AM can evaluate policy for remote users aliased to local users.
Default value:
false
amster attribute:
userAliasEnabled
- Check resources exist when Resource Server is updated
Check all registered resources exist when updating Resource Server.
If enabled, the policy set checks each registered resource type one by one against the configuration data store. Consider disabling this option if you have a large number of resource types registered to a policy set.
Default value:
true
amster attribute:
checkIfResourceTypeExists
Push Notification Service
amster service name: PushNotification
Realm Defaults
The following settings appear on the Realm Defaults tab:
- SNS Access Key ID
Amazon Simple Notification Service Access Key ID. For more information, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html.
For example, you might set this property to: AKIAIOSFODNN7EXAMPLE
amster attribute:
accessKey
- SNS Access Key Secret
Amazon Simple Notification Service Access Key Secret. For more information, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html.
amster attribute:
secret
- SNS Endpoint for APNS
The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages to the Apple Push Notification Service (APNS).
For example, you might set this property to: arn:aws:sns:us-east-1:1234567890:app/APNS/production
amster attribute:
appleEndpoint
- SNS Endpoint for GCM
The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages over Google Cloud Messaging (GCM).
For example, you might set this property to: arn:aws:sns:us-east-1:1234567890:app/GCM/production
amster attribute:
googleEndpoint
- SNS Client Region
Region of your registered Amazon Simple Notification Service client. For more information, see https://docs.aws.amazon.com/general/latest/gr/rande.html.
The possible values for this property are:
us-gov-west-1
us-east-1
us-west-1
us-west-2
eu-west-1
eu-central-1
ap-southeast-1
ap-southeast-2
ap-northeast-1
ap-northeast-2
sa-east-1
cn-north-1
Default value:
us-east-1
amster attribute:
region
- Message Transport Delegate Factory
The fully qualified class name of the factory responsible for creating the PushNotificationDelegate. The class must implement org.forgerock.openam.services.push.PushNotificationDelegate.
Default value:
org.forgerock.openam.services.push.sns.SnsHttpDelegateFactory
amster attribute:
delegateFactory
- Response Cache Duration
The minimum lifetime to keep unanswered message records in the message dispatcher cache, in seconds. To keep unanswered message records indefinitely, set this property to 0.
Tune this value to the use case of this service. For example, the ForgeRock Authenticator (Push) authentication module has a default timeout of 120 seconds.
Default value:
120
amster attribute:
mdDuration
- Response Cache Concurrency
Level of concurrency to use when accessing the message dispatcher cache. Defaults to 16, and must be greater than 0. Choose a value to accommodate as many threads as will ever concurrently access the message dispatcher cache.
Default value:
16
amster attribute:
mdConcurrency
- Response Cache Size
Maximum size of the message dispatcher cache, in number of records. If set to 0, the cache can grow indefinitely. If the number of records that need to be stored exceeds this maximum, then older items in the cache are removed to make space.
Default value:
10000
amster attribute:
mdCacheSize
RADIUS Server
amster service name: RadiusServer
Configuration
The following settings appear on the Configuration tab:
- Enabled
Enables the AM RADIUS server to listen for requests on the listener port and to handle the requests.
The possible values for this property are:
NO
YES
Default value:
NO
amster attribute:
radiusListenerEnabled
- Listener Port
The UDP port on which each AM server listens for RADIUS Access-Request packets.
According to the RADIUS Authentication Specification, RFC 2865, the officially assigned port number for RADIUS is 1812. Specify a value from 1024 to 65535. All client requests are handled through the same port.
Default value:
1812
amster attribute:
radiusServerPort
- Thread Pool Core Size
When a RADIUS request is received and fewer than corePoolSize threads are running, a new thread is created to handle the request, even if other worker threads are idle. If more than "Thread Pool Core Size" but fewer than "Thread Pool Max Size" threads are running, a new thread is created only if the queue is full. By setting "Thread Pool Core Size" and "Thread Pool Max Size" to the same value, you create a fixed-size thread pool. Specify a value from 1 to 100.
Default value:
1
amster attribute:
radiusThreadPoolCoreSize
- Thread Pool Max Size
Maximum number of threads allowed in the pool. See also "Thread Pool Core Size".
Default value:
10
amster attribute:
radiusThreadPoolMaxSize
- Thread Pool Keep-Alive Seconds
If the pool currently has more than Thread Pool Core Size threads, excess threads are terminated if they have been idle for more than the Keep-Alive Seconds. Specify a value from 1 to 3600.
Default value:
10
amster attribute:
radiusThreadPoolKeepaliveSeconds
- Thread Pool Queue Size
The number of requests that can be queued for the pool before further requests are silently dropped. See also "Thread Pool Core Size" and "Thread Pool Max Size". Specify a value from 1 to 1000.
Default value:
20
amster attribute:
radiusThreadPoolQueueSize
Secondary Configurations
This service has the following Secondary Configurations.
radiusClient
- Client IP Address
The IP Address of the client.
Section 5.4 of the RADIUS Authentication Specification, RFC 2865, indicates that the source IP address of the Access-Request packet MUST be used to identify a configured client and hence determine the shared secret to use for decrypting the User-Password field.
This property should hold the source IP address of the client. This should match the value obtained from Java's InetSocketAddress.getAddress().toString() method.
To verify the value, send an Access-Request packet to AM's RADIUS port and watch for a message stating: "No Defined RADIUS Client matches IP address '/127.0.0.1'. Dropping request." The value used in this property should match the IP address returned in the single quotes.
Default value:
/127.0.0.1
amster attribute:
clientIpAddress
- Client Secret
This secret is shared between server and client for encryption of the user password.
This secret must be conveyed to the RADIUS client and entered into its configuration before the User-Password field of incoming Access-Request packets can be decrypted to validate the password for the user represented by that packet.
amster attribute:
clientSecret
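The two settings above (client address lookup, then the shared secret that unhides User-Password) are what a RADIUS server performs per RFC 2865 section 5.2. The following is an added example, not AM's RADIUS code, that implements that hiding scheme and its reverse; the '/'-prefixed address format is assumed to mirror the Java toString() the page cites, and all secrets and authenticator values are constructed.

```python
import hashlib

# Added example, not AM's RADIUS code: RFC 2865 section 5.2 User-Password
# hiding and its reverse, keyed by the Client Secret looked up for the
# packet's source address (formatted with the leading '/' the page describes).


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: build the User-Password attribute value from a cleartext password."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be between 1 and 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16-byte blocks
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()  # b_n = MD5(S + c_(n-1)), c_0 = RA
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the cleartext password and strip the NUL padding."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("User-Password must be 16..128 bytes in 16-byte blocks")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        cipher = hidden[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(cipher, block))
        prev = cipher
    return bytes(out).rstrip(b"\x00")


def java_address_string(ip: str) -> str:
    """Assumed mirror of InetSocketAddress.getAddress().toString() for a bare IP."""
    return "/" + ip


def decode_access_request(clients: dict, source_ip: str, authenticator: bytes, hidden: bytes):
    """Pick the Client Secret by source address; return (password, error_message)."""
    key = java_address_string(source_ip)
    if key not in clients:
        return None, f"No Defined RADIUS Client matches IP address '{key}'. Dropping request."
    return reveal_user_password(hidden, clients[key].encode(), authenticator), None


# Constructed sample values for a stand-alone run (not real credentials).
SAMPLE_CLIENTS = {"/127.0.0.1": "constructed-shared-secret"}
SAMPLE_AUTHENTICATOR = bytes(range(16))  # a real client sends 16 random bytes

if __name__ == "__main__":
    hidden = hide_user_password(b"p@ssw0rd", b"constructed-shared-secret", SAMPLE_AUTHENTICATOR)
    print(decode_access_request(SAMPLE_CLIENTS, "127.0.0.1", SAMPLE_AUTHENTICATOR, hidden))
    print(decode_access_request(SAMPLE_CLIENTS, "10.0.0.9", SAMPLE_AUTHENTICATOR, hidden))
```

A wrong or stale secret does not raise an error; it yields garbage, which is why a mismatched Client Secret surfaces as authentication failures rather than a decoding exception.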
- Log Packet Contents for this Client
Indicates if full packet contents should be dumped to the log.
When troubleshooting issues with RADIUS, it is helpful to know what was received in a given packet. Enabling this feature causes packet contents to be logged in a human-readable format. The only caveat is that the USER_PASSWORD field is obfuscated by replacing it with asterisks. Enable this only for troubleshooting, as it adds significant content to logs and slows processing.
Default value:
NO
amster attribute:
clientPacketsLogged
- Handler Class
The fully qualified name of a class to handle incoming RADIUS Access-Requests for this client.
This class must implement the com.sun.identity.authentication.modules.radius.server.spi.AccessRequestHandler interface to handle incoming Access-Request packets and provide a suitable response. An instance of this class is created when configuration is first loaded to validate the class, and then once for each new request. The configuration properties are only passed to the request-handling instances, not when validating the class.
Default value:
org.forgerock.openam.radius.server.spi.handlers.OpenAMAuthHandler
amster attribute:
handlerClass
- Handler Class Configuration Properties
Properties needed by the handler class for its configuration.
These properties are provided to the handler via its init method prior to the call to handle the request packet. If these values are changed, the next handler instance created for an incoming request receives the updated values. In each entry, the first '=' character encountered separates a key from its value. All entries are placed in a properties file handed to each handler instance.
Default value:
realm=/
chain=ldapService
amster attribute:
handlerConfig
REST APIs
amster service name: RestApis
The following settings are available in this service:
- Default Resource Version
The API resource version to use when the REST request does not specify an explicit version. Choose from:
Latest. If an explicit version is not specified, the latest resource version of an API is used.
Oldest. If an explicit version is not specified, the oldest supported resource version of an API is used. Note that since APIs may be deprecated and fall out of support, the oldest supported version may not be the first version.
None. If an explicit version is not specified, the request will not be handled and an error status is returned.
The possible values for this property are:
Latest
Oldest
None
Default value:
Latest
amster attribute:
defaultVersion
- Warning Header
Whether to include a warning header in the response to a request which fails to include the Accept-API-Version header.
Default value:
true
amster attribute:
warningHeader
- API Descriptions
Whether API Explorer and API Docs are enabled in AM and how the documentation for them is generated. Dynamic generation includes descriptions from any custom services and authentication modules you may have added. Static generation only includes services and authentication modules that were present when AM was built. Note that dynamic documentation generation may not work in some application containers.
The possible values for this property are:
Label: Enabled with Dynamic Documentation (Value: DYNAMIC)
Label: Enabled with Static Documentation (Value: STATIC)
DISABLED
Default value:
STATIC
amster attribute:
descriptionsState
- Default Protocol Version
The API protocol version to use when a REST request does not specify an explicit version. Choose from:
Oldest. If an explicit version is not specified, the oldest protocol version is used.
Latest. If an explicit version is not specified, the latest protocol version is used.
None. If an explicit version is not specified, the request will not be handled and an error status is returned.
The possible values for this property are:
Latest
Oldest
None
Default value:
Latest
amster attribute:
defaultProtocolVersion
- Enable CSRF Protection
If enabled, all non-read/query requests require the X-Requested-With header to be present.
Requiring a non-standard header ensures that requests can only be made via methods (XHR) that have stricter same-origin policy protections in web browsers, preventing Cross-Site Request Forgery (CSRF) attacks. Without this filter, cross-origin requests are prevented only by the use of the application/json Content-Type header, which is less robust.
Default value:
true
amster attribute:
csrfFilterEnabled
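The decision the filter described above makes, with the weaker Content-Type fallback for the disabled case, as an added example that is not AM's own filter code. It assumes read/query requests are those using GET, HEAD or OPTIONS; the sample requests are constructed.

```python
# Added example, not AM's CSRF filter: the accept/reject decision the setting
# implies, applied to constructed requests. Assumption: read/query requests are
# those using GET, HEAD or OPTIONS; every other method is treated as state-changing.
READ_METHODS = {"GET", "HEAD", "OPTIONS"}


def csrf_check(method: str, headers: dict, csrf_filter_enabled: bool = True):
    """Return (allowed, reason) for one REST request under the given filter setting."""
    lower = {name.lower(): value for name, value in headers.items()}
    if method.upper() in READ_METHODS:
        return True, "read/query request; no CSRF check required"
    if csrf_filter_enabled:
        # An HTML form cannot add a custom header, and a cross-origin XHR can only
        # add one if CORS permits it, so its presence shows the request came via XHR.
        if "x-requested-with" in lower:
            return True, "X-Requested-With present; sent via XHR under same-origin rules"
        return False, "missing X-Requested-With header"
    # Filter disabled: only the application/json Content-Type stands between a
    # plain form submission and the endpoint, the weaker protection the text notes.
    media_type = lower.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        return True, "Content-Type is application/json (weaker protection, filter disabled)"
    return False, "Content-Type is not application/json"


# Constructed requests: what a cross-site HTML form can send versus an XHR call.
FORM_POST = {"Content-Type": "application/x-www-form-urlencoded"}
XHR_POST = {"Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest"}
```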
Remote Consent Service
amster service name: RemoteConsentService
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Client Name
The name used to identify this OAuth 2.0 remote consent service when referenced in other services.
amster attribute:
clientId
- Authorization Server jwk_uri
The jwk_uri for retrieving the authorization server signing and encryption keys.
amster attribute:
jwksUriAS
- JWK Store Cache Timeout (in minutes)
The cache timeout for the JWK store of the authorization server, in minutes.
Default value:
60
amster attribute:
jwkStoreCacheTimeout
- JWK Store Cache Miss Cache Time (in minutes)
The length of time a cache miss is cached, in minutes.
Default value:
1
amster attribute:
jwkStoreCacheMissCacheTime
- Consent Response Time Limit (in minutes)
The time limit set on the consent response JWT before it expires, in minutes.
Default value:
2
amster attribute:
consentResponseTimeLimit
SAML v2.0 SOAP Binding
amster service name: SamlV2SoapBinding
The following settings are available in this service:
- Request Handler List
List of handlers to deal with SAML v2.0 requests bound to SOAP.
The required format is:
key=Meta Alias|class=Handler Class
Set the key property for a request handler to the meta alias, and the class property to the name of the class that implements the handler.
For example:
key=/pdp|class=com.sun.identity.xacml.plugins.XACMLAuthzDecisionQueryHandler
amster attribute:
requestHandlers
SAML v2.0 Service Configuration
amster service name: SamlV2ServiceConfiguration
The following settings are available in this service:
- Cache cleanup interval (in seconds)
Time between cache cleanup operations, in seconds.
Default value:
600
amster attribute:
cacheCleanupInterval
- Attribute name for Name ID information
User entry attribute to store name identifier information.
Default value:
sun-fm-saml2-nameid-info
amster attribute:
nameIDInfoAttribute
- Attribute name for Name ID information key
User entry attribute to store the name identifier key.
Default value:
sun-fm-saml2-nameid-infokey
amster attribute:
nameIDInfoKeyAttribute
- Cookie domain for IdP Discovery Service
Specifies the cookie domain for the IDP discovery service.
Default value:
openam.example.com
amster attribute:
idpDiscoveryCookieDomain
- Cookie type for IdP Discovery Service
Specifies the cookie type to use.
The possible values for this property are:
PERSISTENT
SESSION
Default value:
PERSISTENT
amster attribute:
idpDiscoveryCookieType
- URL scheme for IdP Discovery Service
Specifies the URL scheme to use.
The possible values for this property are:
HTTP
HTTPS
Default value:
HTTPS
amster attribute:
idpDiscoveryUrlSchema
- XML Encryption SPI implementation class
Used by the SAML2 engine to encrypt and decrypt documents.
Default value:
com.sun.identity.saml2.xmlenc.FMEncProvider
amster attribute:
xmlEncryptionClass
- Include xenc:EncryptedKey inside ds:KeyInfo Element
Specify whether to include the xenc:EncryptedKey property inside the ds:KeyInfo element.
Default value:
true
amster attribute:
encryptedKeyInKeyInfo
- XML Signing SPI implementation class
Used by the SAML2 engine to sign documents.
Default value:
com.sun.identity.saml2.xmlsig.FMSigProvider
amster attribute:
xmlSigningClass
- XML Signing Certificate Validation
If enabled, then validate certificates used to sign documents.
Default value:
false
amster attribute:
signingCertValidation
- CA Certificate Validation
If enabled, then validate CA certificates.
Default value:
false
amster attribute:
caCertValidation
- Buffer length (in bytes) to decompress request
Specify the size of the buffer used for decompressing requests, in bytes.
Default value:
2048
amster attribute:
bufferLength
Scripting
amster service name: Scripting
Configuration
The following settings appear on the Configuration tab:
- Default Script Type
The default script context type when creating a new script.
The possible values for this property are:
Label: Policy Condition (Value: POLICY_CONDITION)
Label: Server-side Authentication (Value: AUTHENTICATION_SERVER_SIDE)
Label: Client-side Authentication (Value: AUTHENTICATION_CLIENT_SIDE)
Label: OIDC Claims (Value: OIDC_CLAIMS)
Label: Decision node script for authentication trees (Value: AUTHENTICATION_TREE_DECISION_NODE)
Label: OAuth2 Access Token Modification (Value: OAUTH2_ACCESS_TOKEN_MODIFICATION)
Label: Social Identity Provider Profile Transformation (Value: SOCIAL_IDP_PROFILE_TRANSFORMATION)
Label: OAuth2 May Act (Value: OAUTH2_MAY_ACT)
Default value:
POLICY_CONDITION
amster attribute:
defaultContext
Secondary Configurations
This service has the following Secondary Configurations.
Engine Configuration
The following properties are available for Scripting Service secondary configuration instances:
- Engine Configuration
Configure script engine parameters for running a particular script type in AM.
ssoadm attribute:
engineConfiguration
To access a secondary configuration instance using the ssoadm command, use:
--subconfigname [primary configuration]/[secondary configuration]
For example:
$ ssoadm set-sub-cfg \
--adminid uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org \
--password-file admin_pwd_file \
--servicename ScriptingService \
--subconfigname OIDC_CLAIMS/engineConfiguration \
--operation set \
--attributevalues maxThreads=300 queueSize=-1
Note
Supports server-side scripts only. AM cannot configure engine settings for client-side scripts.
The configurable engine settings are as follows:
- Server-side Script Timeout
The maximum execution time any individual script should take on the server (in seconds). AM terminates scripts which take longer to run than this value.
ssoadm attribute:
serverTimeout
- Core thread pool size
The initial number of threads in the thread pool from which scripts operate. AM will ensure the pool contains at least this many threads.
ssoadm attribute:
coreThreads
- Maximum thread pool size
The maximum number of threads in the thread pool from which scripts operate. If no free thread is available in the pool, AM creates new threads in the pool for script execution up to the configured maximum. It is recommended to set the maximum number of threads to 300.
ssoadm attribute:
maxThreads
- Thread pool queue size
Specifies the number of threads to use for buffering script execution requests when the maximum thread pool size is reached.
For short, CPU-bound scripts, consider a small pool size and larger queue length. For I/O-bound scripts, for example, REST calls, consider a larger maximum pool size and a smaller queue.
Not hot-swappable: restart server for changes to take effect.
ssoadm attribute:
queueSize
- Thread idle timeout (seconds)
Length of time (in seconds) for a thread to be idle before AM terminates created threads. If the current pool size contains the number of threads set in Core thread pool size, idle threads are not terminated, to maintain the initial pool size.
ssoadm attribute:
idleTimeout
- Java class whitelist
Specifies the list of class-name patterns allowed to be invoked by the script. Every class accessed by the script must match at least one of these patterns.
You can specify the class name as-is or use a regular expression.
ssoadm attribute:
whiteList
- Java class blacklist
Specifies the list of class-name patterns that are NOT allowed to be invoked by the script. The blacklist is applied AFTER the whitelist to exclude those classes - access to a class specified in both the whitelist and the blacklist will be denied.
You can specify the class name to exclude as-is or use a regular expression.
ssoadm attribute:
blackList
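The whitelist-then-blacklist evaluation the two settings above describe, as an added example that is not AM's script engine. It assumes a regular-expression pattern must match the whole class name; the engine configuration is constructed and includes one deliberately loose pattern to show why dots should be escaped.

```python
import re

# Added example, not AM's script engine: the whitelist-then-blacklist class
# check described above. Patterns are either the exact class name or a regular
# expression that must match the whole class name (an assumption about anchoring).


def pattern_matches(class_name: str, pattern: str) -> bool:
    """A pattern matches when it equals the class name or fully matches it as a regex."""
    if pattern == class_name:
        return True
    try:
        return re.fullmatch(pattern, class_name) is not None
    except re.error:
        return False  # an unparsable pattern never matches anything


def class_access_allowed(class_name: str, white_list, black_list) -> bool:
    """Whitelist first (must match at least one), then blacklist (any match denies)."""
    if not any(pattern_matches(class_name, p) for p in white_list):
        return False
    return not any(pattern_matches(class_name, p) for p in black_list)


# Constructed engine configuration for one script type. Note the pitfall in the
# second whitelist entry: an unescaped '.' matches any character, so
# 'java.util.*' is looser than the intended r'java\.util\..*'.
SAMPLE_WHITE_LIST = ["java.lang.String", "java.util.*", r"java\.lang\..*"]
SAMPLE_BLACK_LIST = ["java.lang.Runtime", r"java\.lang\.Process.*"]
```

Because the blacklist wins, the safe pattern is a broad blacklist entry for any package a script should never reach, even when the whitelist is already narrow.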
- Use system SecurityManager
If enabled, AM calls System.getSecurityManager().checkPackageAccess(...) for each class that is accessed. The method throws SecurityException if the calling thread is not allowed to access the package.
Note
This feature only takes effect if the security manager is enabled for the JVM.
ssoadm attribute:
useSecurityManager
- Scripting languages
Select the languages available for scripts on the chosen type. Either GROOVY or JAVASCRIPT.
ssoadm attribute:
languages
- Default Script
The source code that is presented as the default when creating a new script of this type.
ssoadm attribute:
defaultScript
Session
amster service name: SessionUserService
General
The following settings appear on the General tab:
- Latest Access Time Update Frequency
Defaults to 60 seconds. At most, AM updates a session's latest access time this often. Subsequent touches to the session that occur within the specified number of seconds after an update do not cause additional updates to the session's access time.
Refreshing a session returns the idle time as the number of seconds since an update has occurred, which will be between 0 and the specified Latest Access Time Update Frequency.
Default value:
60
amster attribute:
latestAccessTimeUpdateFrequency
- DN Restriction Only Enabled
If enabled, AM will not perform DNS lookups when checking restrictions in cookie hijacking mode.
Default value:
false
amster attribute:
dnRestrictionOnly
- Session Timeout Handler implementations
Lists plugin classes implementing session timeout handlers. Specify the fully qualified name.
amster attribute:
timeoutHandlers
Session Search
The following settings appear on the Session Search tab:
- Maximum Number of Search Results
Maximum number of results from a session search. Do not set this attribute to a large value, for example more than 1000, unless sufficient system resources are allocated.
Default value:
120
amster attribute:
maxSessionListSize
- Timeout for Search
Time after which AM sees an incomplete search as having failed, in seconds.
Default value:
5
amster attribute:
sessionListRetrievalTimeout
Session Property Change Notifications
The following settings appear on the Session Property Change Notifications tab:
- Enable Property Change Notifications
If on, then AM notifies other applications participating in SSO when a session property in the Notification Properties list changes on a CTS-based session.
The possible values for this property are:
ON
OFF
Default value:
OFF
amster attribute:
propertyChangeNotifications
- Notification Properties
Lists session properties for which AM can send notifications upon modification. Session notification applies to CTS-based sessions only.
amster attribute:
notificationPropertyList
Session Quotas
The following settings appear on the Session Quotas tab:
- Enable Quota Constraints
If on, then AM allows you to set quota constraints on CTS-based sessions.
The possible values for this property are:
ON
OFF
Default value:
OFF
amster attribute:
iplanet-am-session-enable-session-constraint
- Read Timeout for Quota Constraint
Maximum wait time after which AM considers a search for live session count as having failed if quota constraints are enabled, in milliseconds.
Default value:
6000
amster attribute:
quotaConstraintMaxWaitTime
- Resulting behavior if session quota exhausted
Specify the action to take if a session quota is exhausted:
Deny Access. New session creation requests will be denied.
Destroy Next Expiring. The session that would expire next will be destroyed.
Destroy Oldest. The oldest session will be destroyed.
Destroy All. All previous sessions will be destroyed.
The possible values for this property are:
org.forgerock.openam.session.service.DenyAccessAction. Deny Access
org.forgerock.openam.session.service.DestroyNextExpiringAction. Destroy Next Expiring
org.forgerock.openam.session.service.DestroyOldestAction. Destroy Oldest
org.forgerock.openam.session.service.DestroyAllAction. Destroy All
Default value:
org.forgerock.openam.session.service.DestroyNextExpiringAction
amster attribute:
behaviourWhenQuotaExhausted
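The four actions above differ in which of a user's existing sessions are sacrificed for a new login. The following added example, not AM's session service, models them over a constructed set of sessions in which the oldest session is not the next to expire; it assumes the destroy actions remove sessions until the user is back under quota.

```python
from dataclasses import dataclass

# Added example, not AM's session service: the four quota-exhausted actions,
# applied to a constructed set of one user's sessions. Assumption: the
# "destroy" actions remove sessions until the user is below quota.
DENY = "org.forgerock.openam.session.service.DenyAccessAction"
NEXT_EXPIRING = "org.forgerock.openam.session.service.DestroyNextExpiringAction"
OLDEST = "org.forgerock.openam.session.service.DestroyOldestAction"
ALL = "org.forgerock.openam.session.service.DestroyAllAction"


@dataclass
class Session:
    sid: str
    created: int  # creation time, seconds since epoch (constructed values)
    expires: int  # absolute expiry, the earlier of max-session and idle timeout


def apply_quota_action(action: str, sessions: list, quota: int):
    """Return (allow_new_session, destroyed_session_ids) for one new login attempt."""
    if quota < 1:
        raise ValueError("quota must be at least 1")
    remaining = list(sessions)
    destroyed = []
    if len(remaining) < quota:
        return True, destroyed  # quota not exhausted; nothing to do
    if action == DENY:
        return False, destroyed
    if action == ALL:
        return True, [s.sid for s in remaining]
    key = {NEXT_EXPIRING: lambda s: s.expires, OLDEST: lambda s: s.created}.get(action)
    if key is None:
        raise ValueError(f"unknown quota action {action}")
    while len(remaining) >= quota:
        victim = min(remaining, key=key)
        remaining.remove(victim)
        destroyed.append(victim.sid)
    return True, destroyed


# Constructed sessions: the oldest session (s1) is not the next to expire (s2),
# which is exactly where DestroyOldest and DestroyNextExpiring differ.
SAMPLE_SESSIONS = [
    Session("s1", created=0, expires=7200),
    Session("s2", created=100, expires=1900),
    Session("s3", created=200, expires=7400),
    Session("s4", created=300, expires=7500),
    Session("s5", created=400, expires=7600),
]
```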
- Deny user login when session repository is down
This property only takes effect when the session quota constraint is enabled, and the session data store is unavailable.
The possible values for this property are:
YES
NO
Default value:
NO
amster attribute:
denyLoginWhenRepoDown
Client-based Sessions
The following settings appear on the Client-based Sessions tab:
- Signing Algorithm Type
Specifies the algorithm that AM uses to sign the JSON Web Token (JWT) containing the session content. Signing the JWT enables tampering detection.
AM supports the following signing algorithms:
HS256. HMAC using SHA-256.
HS384. HMAC using SHA-384.
HS512. HMAC using SHA-512.
RS256. RSASSA-PKCS1-v1_5 using SHA-256.
ES256. ECDSA using SHA-256 and NIST standard P-256 elliptic curve.
ES384. ECDSA using SHA-384 and NIST standard P-384 elliptic curve.
ES512. ECDSA using SHA-512 and NIST standard P-521 elliptic curve.
The possible values for this property are:
NONE
HS256
HS384
HS512
RS256
ES256
ES384
ES512
Default value:
HS256
amster attribute:
statelessSigningType
- Signing HMAC Shared Secret
Specifies the shared secret that AM uses when performing HMAC signing on the session JWT.
Specify a shared secret when using a "Signing Algorithm Type" of HS256, HS384, or HS512.
amster attribute:
statelessSigningHmacSecret
- Encryption Algorithm
Specifies the algorithm that AM uses to encrypt the JSON Web Token (JWT) containing the session content.
AM supports the following encryption algorithms:
NONE. No encryption is selected.
RSA. Session content is encrypted with AES using a unique key. The key is then encrypted with an RSA public key and appended to the JWT.
AM supports the following padding modes, which you can set using the org.forgerock.openam.session.stateless.rsa.padding advanced property:
RSA1_5. RSA with PKCS#1 v1.5 padding.
RSA-OAEP. RSA with optimal asymmetric encryption padding (OAEP) and SHA-1.
RSA-OAEP-256. RSA with OAEP padding and SHA-256.
AES KeyWrapping. Session content is encrypted with AES using a unique key and is then wrapped using AES KeyWrap and the master key. This provides additional security, compared to RSA, at the cost of 128 or 256 bits (or 32 bytes) depending on the size of the master key. This method provides authenticated encryption, which removes the need for a separate signature and decreases the byte size of the JWT. See RFC 3394.
Direct AES Encryption. Session content is encrypted with direct AES encryption with a symmetric key. This method provides authenticated encryption, which removes the need for a separate signature and decreases the byte size of the JWT.
Important: To prevent users from accidentally disabling all authentication support, which can be accomplished by disabling signing and not using an authenticated encryption mode, you must set the org.forgerock.openam.session.stateless.signing.allownone system property to true to turn off signing completely.
The possible values for this property are:
NONE
RSA
AES_KEYWRAP. AES KeyWrapping
DIRECT. Direct AES encryption
Default value:
DIRECT
amster attribute:
statelessEncryptionType
- Encryption Symmetric AES Key
AES key for use with Direct or AES KeyWrap encryption modes.
The symmetric AES key is a base64-encoded random key.
For direct encryption with AES-GCM, or for AES-KeyWrap with any content encryption method, this should be 128, 192, or 256 bits.
For direct encryption with AES-CBC-HMAC, the key should be double those sizes (one half for the AES key, the other half for the HMAC key).
AES key sizes greater than 128 bits require installation of the JCE Unlimited Strength policy files in your JRE.
amster attribute:
statelessEncryptionAesKey
- Compression Algorithm
If enabled, the session state is compressed before signing and encryption.
WARNING: Enabling compression may compromise encryption. This may leak information about the content of the session state if encryption is enabled.
The possible values for this property are:
NONE
DEF. Deflate Compression.
Default value:
NONE
amster attribute:
statelessCompressionType
- Enable Session Blacklisting
Blacklists client-based sessions that log out.
We recommend enabling this setting if the maximum session time is high. Blacklist state is stored in the Core Token Service (CTS) token store until the session expires, in order to ensure that sessions cannot continue to be used.
Default value:
false
amster attribute:
openam-session-stateless-enable-session-blacklisting
- Session Blacklist Cache Size
Number of blacklisted sessions to cache in memory to speed up blacklist checks and reduce load on the CTS. The cache size should be approximately the number of logouts expected in the maximum session time.
Default value:
10000
amster attribute:
openam-session-stateless-blacklist-cache-size
- Blacklist Poll Interval (seconds)
Specifies the interval at which AM polls the Core Token Service to update the list of logged out sessions, in seconds.
The longer the polling interval, the more time a malicious user has to connect to other AM servers in a deployment and make use of a stolen session cookie. Shortening the polling interval improves the security for logged out sessions, but might incur a minimal decrease in overall AM performance due to increased network activity. Set to 0 to disable this feature completely.
Default value:
60
amster attribute:
openam-session-stateless-blacklist-poll-interval
- Blacklist Purge Delay (minutes)
When added to the maximum session time, specifies the amount of time that AM tracks logged out sessions.
Increase the blacklist purge delay if you expect system clock skews in a deployment of AM servers to be greater than one minute. There is no need to increase the blacklist purge delay for servers running a clock synchronization protocol, such as Network Time Protocol.
Default value:
1
amster attribute:
openam-session-stateless-blacklist-purge-delay
Dynamic Attributes
Note
Configuring any of the following properties at the realm level (Realms > Realm Name > Services > Session) causes the values to be stored in the identity store configured in that realm.
If you remove the identity store from the realm, the properties will use the values configured at the global level (Configure > Global Services > Session).
The following settings appear on the Dynamic Attributes tab:
- Maximum Session Time
Maximum time a session can remain valid before AM requires the user to authenticate again, in minutes.
Default value:
120
amster attribute:
maxSessionTime
- Maximum Idle Time
Maximum time a CTS-based session can remain idle before AM requires the user to authenticate again, in minutes.
Default value:
30
amster attribute:
maxIdleTime
- Maximum Caching Time
Maximum time that external clients of AM are recommended to cache the session for, in minutes.
Default value:
3
amster attribute:
maxCachingTime
- Active User Sessions
Maximum number of concurrent CTS-based sessions AM allows a user to have.
Default value:
5
amster attribute:
quotaLimit
Session Property Whitelist Service
amster service name: SessionPropertyWhiteList
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Whitelisted Session Property Names
A list of properties that users may read, edit the value of, or delete from their session.
Adding properties to sessions can impact AM's performance. Because there is no size constraint limiting the set of properties that you can add to sessions, and no limit on the number of session properties you can add, keep in mind that adding session properties can increase the load on an AM deployment in the following areas:
AM server memory
OpenDJ storage
OpenDJ replication
Protected attributes will NOT be allowed to be set, edited or deleted, even if they are included in this whitelist.
Default value:
AMCtxId
amster attribute:
sessionPropertyWhitelist
- Session Properties to return for session queries
A list of session properties that can be returned to admins in a REST session query response.
This setting may impact REST query performance: when session properties are added, the CTS token must be retrieved and, if configured, decrypted and decompressed.
Protected attributes will NOT be allowed to be set, edited or deleted, even if they are included in this list.
amster attribute:
whitelistedQueryProperties
Social Authentication Implementations
amster service name: SocialAuthentication
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Display Names
The display names for the implementations - this will be used to provide a name for the icon displayed on the login page. The key should be used across all the settings on this page to join them together.
For example:
Key      Value
google   Google
Default value:
{}
amster attribute:
displayNames
- Authentication Chains
The name of the authentication chains that are the entry points to being authenticated by each respective social authentication provider. The key should correspond to a key used to define a Display Name above.
For example:
Key      Value
google   socialAuthChainGoogle
Default value:
{}
amster attribute:
authenticationChains
- Icons
Either a full URL or a path relative to the base of the site/server where the image can be found. The image will be used on the login page to link to the authentication chain defined above. The key should correspond to a key used to define a Display Name above.
For example:
Key      Value
google   /images/google-sign-in.png
Default value:
{}
amster attribute:
icons
- Enabled Implementations
Provide a key that has been used to define the settings above to enable that set of settings.
For example: google
amster attribute:
enabledKeys
Social Identity Provider Service
amster service name: SocialIdentityProviders
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Enabled
Default value:
true
amster attribute:
enabled
Transaction Authentication Service
amster service name: TransactionAuthentication
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Time to Live
The number of seconds within which the transaction must be completed.
Default value:
180
amster attribute:
timeToLive
UMA Provider
amster service name: UmaProvider
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Permission Ticket Lifetime (seconds)
The maximum life of a permission ticket before it expires, in seconds.
Default value:
120
amster attribute:
permissionTicketLifetime
- Delete user policies when Resource Server is removed
Delete all user policies that relate to a Resource Server when removing the OAuth2 agent entry or removing the uma_protection scope from the OAuth2 agent.
Default value:
true
amster attribute:
deletePoliciesOnDeleteRS
- Delete resources when Resource Server is removed
Delete all resources that relate to a Resource Server when removing the OAuth2 agent entry or removing the uma_protection scope from the OAuth2 agent.
Default value:
true
amster attribute:
deleteResourceSetsOnDeleteRS
- Pending Requests Enabled
Specifies whether to use the Pending Requests subsystem that notifies the resource owner that an attempt to access a resource was made.
Default value:
true
amster attribute:
pendingRequestsEnabled
- Email Resource Owner on Pending Request creation
Specifies whether to send an email to the Resource Owner when a Pending Request is created when a Requesting Party requests authorization to a resource.
Default value:
true
amster attribute:
emailResourceOwnerOnPendingRequestCreation
- Email Requesting Party on Pending Request approval
Specifies whether to send an email to the Requesting Party when a Pending Request is approved by the Resource Owner.
Default value:
true
amster attribute:
emailRequestingPartyOnPendingRequestApproval
- User profile preferred Locale attribute
User profile attribute storing the user's preferred locale.
Default value:
inetOrgPerson
amster attribute:
userProfileLocaleAttribute
- Re-Sharing Mode
Specifies whether re-sharing is off or on implicitly for all users, allowing all users to re-share resources that have been shared with them.
The possible values for this property are:
OFF
IMPLICIT
Default value:
IMPLICIT
amster attribute:
resharingMode
- Grant RPTs...
In UMA, scope comes from both the permission ticket and from the token request. An RPT is always granted when all scope matches, and is never granted when no scope matches. You can configure when RPTs are granted for partial match conditions here. For more information, see the UMA Grant Type specification section on Authorization Assessment and Results Determination.
Default value:
REQUEST_PARTIAL
REQUEST_NONE
TICKET_PARTIAL
amster attribute:
grantRptConditions
User
amster service name: IdRepositoryUser
Dynamic Attributes
The following settings appear on the Dynamic Attributes tab:
- User Preferred Timezone
Time zone used when accessing the AM console.
amster attribute:
preferredTimezone
- Administrator DN Starting View
Specifies the DN for the initial screen when the AM administrator successfully logs in to the AM console.
amster attribute:
adminDNStartingView
- Default User Status
Inactive users cannot authenticate, though AM stores their profiles.
The possible values for this property are:
Active
Inactive
Default value:
Active
amster attribute:
defaultUserStatus
User Self-Service
amster service name: UserSelfService
General Configuration
The following settings appear on the General Configuration tab:
- Encryption Key Pair Alias
An encryption key alias in the AM server's JCEKS keystore. Used to encrypt the JWT token that AM uses to track end users during User Self-Service operations.
For example, you might set this property to: selfserviceenctest
amster attribute:
encryptionKeyPairAlias
- Signing Secret Key Alias
A signing secret key alias in the AM server's JCEKS keystore. Used to sign the JWT token that AM uses to track end users during User Self-Service operations.
For example, you might set this property to: selfservicesigntest
amster attribute:
signingSecretKeyAlias
- Google reCAPTCHA Site Key
Google reCAPTCHA plugin site key.
amster attribute:
captchaSiteKey
- Google reCAPTCHA Secret Key
Google reCAPTCHA plugin secret key.
amster attribute:
captchaSecretKey
- Google Re-captcha Verification URL
Google reCAPTCHA plugin verification URL.
Default value:
https://www.google.com/recaptcha/api/siteverify
amster attribute:
captchaVerificationUrl
- Security Questions
Specifies the default set of knowledge-based authentication (KBA) security questions. The security questions can be set for the User Self-Registration, forgotten password reset, and forgotten username services, respectively.
Format is unique key|locale|question.
Default value:
4|en|What is your mother's maiden name?
3|en|What was the name of your childhood pet?
2|en|What was the model of your first car?
1|en|What is the name of your favourite restaurant?
amster attribute:
kbaQuestions
- Minimum Answers to Define
Specifies the minimum number of KBA answers that users must define.
Default value:
1
amster attribute:
minimumAnswersToDefine
- Minimum Answers to Verify
Specifies the minimum number of KBA questions that users need to answer to be granted the privilege to carry out an action, such as registering for an account, resetting a password, or retrieving a username. Specify a value from 0 to 50.
Default value:
1
amster attribute:
minimumAnswersToVerify
- Valid Query Attributes
Specifies the valid query attributes used to search for the user. This is a list of attributes used to identify your account for forgotten password and forgotten username.
Default value:
uid
mail
givenName
sn
amster attribute:
validQueryAttributes
User Registration
The following settings appear on the User Registration tab:
- User Registration
If enabled, new users can sign up for an account.
Default value:
false
amster attribute:
userRegistrationEnabled
- Captcha
If enabled, users must pass a Google reCAPTCHA challenge during user self-registration to mitigate against software bots.
Default value:
false
amster attribute:
userRegistrationCaptchaEnabled
- Email Verification
If enabled, users who self-register must perform email address verification.
Default value:
true
amster attribute:
userRegistrationEmailVerificationEnabled
- Verify Email before User Detail
If enabled, email address verification is performed before the user details screen is displayed. This takes effect only if Verify Email is enabled.
Default value:
false
amster attribute:
userRegistrationEmailVerificationFirstEnabled
- Security Questions
If enabled, users must set up their security questions during the self-registration process.
Default value:
false
amster attribute:
userRegistrationKbaEnabled
- Token Lifetime (seconds)
Maximum lifetime of the token allowing User Self-Registration, in seconds.
Default value:
300
amster attribute:
userRegistrationTokenTTL
- Outgoing Email Subject
Customize the User Self-Registration verification email subject text. Format is locale|subject text.
Default value:
en|Registration email
amster attribute:
userRegistrationEmailSubject
- Outgoing Email Body
Customize the User Self-Registration verification email body text. Format is locale|body text.
Default value:
en|<h2>Click on this <a href="%link%">link</a> to register.</h2>
amster attribute:
userRegistrationEmailBody
- Valid Creation Attributes
Specifies a whitelist of user attributes that can be set during user creation.
Default value:
userPassword
mail
givenName
kbaInfo
inetUserStatus
sn
username
amster attribute:
userRegistrationValidUserAttributes
- Destination After Successful Self-Registration
Specifies the action to be taken after a user successfully registers a new account. Choose from:
default. User is sent to a success page without being logged in.
login. User is sent to the login page to authenticate.
autologin. User is automatically logged in and sent to the appropriate page.
The possible values for this property are:
Label: User sent to 'successful registration' page (Value: default)
Label: User sent to login page (Value: login)
Label: User is automatically logged in (Value: auto-login)
Default value:
default
amster attribute:
userRegisteredDestination
Forgotten Password
The following settings appear on the Forgotten Password tab:
- Forgotten Password
If enabled, users can reset their forgotten password.
Default value:
false
amster attribute:
forgottenPasswordEnabled
- Captcha
If enabled, users must pass a Google reCAPTCHA challenge during password reset to mitigate against software bots.
Default value:
false
amster attribute:
forgottenPasswordCaptchaEnabled
- Email Verification
If enabled, users who reset passwords must perform email address verification.
Default value:
true
amster attribute:
forgottenPasswordEmailVerificationEnabled
- Security Questions
If enabled, users must answer their security questions during the forgotten password process.
Default value:
false
amster attribute:
forgottenPasswordKbaEnabled
- Enforce password reset lockout
If enabled, users will be prevented from resetting their password after the configured number of failed attempts.
Default value:
false
amster attribute:
numberOfAttemptsEnforced
- Lock Out After number of attempts
The number of attempts (1 or more) a user has to correctly answer all of their security questions. If the user has not answered them correctly after the configured number of attempts, the password reset feature is disabled.
Default value:
1
amster attribute:
numberOfAllowedAttempts
- Token Lifetime (seconds)
Maximum lifetime for the token allowing forgotten password reset, in seconds.
Specify a value from 0 to 2147483647.
Default value:
300
amster attribute:
forgottenPasswordTokenTTL
- Outgoing Email Subject
Customize the forgotten password email subject text. Format is locale|subject text.
Default value:
en|Forgotten password email
amster attribute:
forgottenPasswordEmailSubject
- Outgoing Email Body
Customize the forgotten password email body text. Format is locale|body text.
Default value:
en|<h2>Click on this <a href="%link%">link</a> to reset your password.</h2>
amster attribute:
forgottenPasswordEmailBody
Forgotten Username
The following settings appear on the Forgotten Username tab:
- Forgotten Username
If enabled, users can retrieve their forgotten username.
Default value:
false
amster attribute:
forgottenUsernameEnabled
- Captcha
If enabled, users must pass a Google reCAPTCHA challenge during the forgotten username retrieval process to mitigate against software bots.
Default value:
false
amster attribute:
forgottenUsernameCaptchaEnabled
- Security Questions
If enabled, users must answer their security questions during the forgotten username process.
Default value:
false
amster attribute:
forgottenUsernameKbaEnabled
- Email Username
If enabled, users receive their forgotten username by email.
Default value:
true
amster attribute:
forgottenUsernameEmailUsernameEnabled
- Show Username
If enabled, users see their forgotten username on the browser page.
Default value:
false
amster attribute:
forgottenUsernameShowUsernameEnabled
- Token LifeTime (seconds)
Maximum lifetime for the token allowing forgotten username, in seconds.
Default value:
300
amster attribute:
forgottenUsernameTokenTTL
- Outgoing Email Subject
Customizes the forgotten username email subject text. Format is locale|subject text.
Default value:
en|Forgotten username email
amster attribute:
forgottenUsernameEmailSubject
- Outgoing Email Body
Customizes the forgotten username email body text. Format is locale|body text.
Default value:
en|<h2>Your username is <span style="color:blue">%username%</span>.</h2>
amster attribute:
forgottenUsernameEmailBody
Profile Management
The following settings appear on the Profile Management tab:
- Protected Update Attributes
Specifies a profile's protected user attributes, which causes re-authentication when the user attempts to modify these attributes.
amster attribute:
profileProtectedUserAttributes
- Self readable attributes
Specifies the list of attributes that users can view when accessing their user profile.
Default value:
uid
telephoneNumber
mail
kbaInfo
givenName
sn
cn
amster attribute:
profileAttributeWhitelist
Advanced Configuration
The following settings appear on the Advanced Configuration tab:
- User Registration Confirmation Email URL
Specifies the confirmation URL that the user receives during the self-registration process. The ${realm} string is replaced with the current realm.
Default value:
http://openam.example.com:8080/openam/XUI/?realm=${realm}#register/
amster attribute:
userRegistrationConfirmationUrl
- Forgotten Password Confirmation Email URL
Specifies the confirmation URL that the user receives after confirming their identity during the forgotten password process. The ${realm} string is replaced with the current realm.
Default value:
http://openam.example.com:8080/openam/XUI/?realm=${realm}#passwordReset/
amster attribute:
forgottenPasswordConfirmationUrl
- User Registration Service Config Provider Class
Specifies the provider class to configure any custom plugins.
Default value:
org.forgerock.openam.selfservice.config.flows.UserRegistrationConfigProvider
amster attribute:
userRegistrationServiceConfigClass
- Forgotten Password Service Config Provider Class
Specifies the provider class to configure any custom plugins.
Default value:
org.forgerock.openam.selfservice.config.flows.ForgottenPasswordConfigProvider
amster attribute:
forgottenPasswordServiceConfigClass
- Forgotten Username Service Config Provider Class
Specifies the provider class to configure any custom plugins.
Default value:
org.forgerock.openam.selfservice.config.flows.ForgottenUsernameConfigProvider
amster attribute:
forgottenUsernameServiceConfigClass
Self Service Trees
amster service name: SelfServiceTrees
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Enabled
Default value:
true
amster attribute:
enabled
- Tree Mapping
Maps the self service function name (the key) to an Authentication Tree (the value).
Default value:
{}
amster attribute:
treeMapping
Validation Service
amster service name: ValidationService
Global Attributes
The following settings appear on the Global Attributes tab:
- Valid goto URL Resources
List of valid goto URL resources.
Specifies a list of valid URLs for the goto and gotoOnFail query string parameters. AM only redirects a user after login or logout to a URL in this list. If the URL is not in the list, AM redirects to either the user profile page or the administration console. If this property is not set, AM only allows URLs that match its own domain; for example, domain-of-am-instance.com. Use the * wildcard to match all characters except ?.
Examples:
http://app.example.com:80/*
http://app.example.com:80/*?*
amster attribute:
validGotoDestinations
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Valid goto URL Resources
List of valid goto URL resources.
Specifies a list of valid URLs for the goto and gotoOnFail query string parameters. AM only redirects a user after login or logout to a URL in this list. If the URL is not in the list, AM redirects to either the user profile page or the administration console. If this property is not set, AM only allows URLs that match its own domain; for example, domain-of-am-instance.com. Use the * wildcard to match all characters except ?.
Examples:
http://app.example.com:80/*
http://app.example.com:80/*?*
amster attribute:
validGotoDestinations
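As an added illustration (not AM's own code) of the rule that both the global and the realm-level Valid goto URL Resources settings describe, the Go validator below compiles validGotoDestinations patterns so that * matches any run of characters except ?, and falls back to accepting only URLs on the AM instance's own host when no patterns are configured. The configured AM host value and the exact same-host fallback semantics are assumptions; the patterns are the page's own examples.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// GotoValidator applies the Validation Service rule described above: a goto or
// gotoOnFail value is accepted only if it matches one configured pattern, and
// with no patterns configured only URLs on the AM instance's own host pass.
type GotoValidator struct {
	amHost   string           // host[:port] of this AM instance (assumed input)
	patterns []*regexp.Regexp // compiled validGotoDestinations entries
}

// compilePattern turns one validGotoDestinations entry into an anchored regular
// expression: every character is literal except '*', which matches any run of
// characters other than '?', so "/*" alone never admits a query string.
func compilePattern(pattern string) (*regexp.Regexp, error) {
	parts := strings.Split(pattern, "*")
	for i, p := range parts {
		parts[i] = regexp.QuoteMeta(p)
	}
	return regexp.Compile("^" + strings.Join(parts, `[^?]*`) + "$")
}

// NewGotoValidator compiles the configured patterns up front so a bad entry
// is reported at configuration time rather than on the redirect path.
func NewGotoValidator(amHost string, validGotoDestinations []string) (*GotoValidator, error) {
	v := &GotoValidator{amHost: strings.ToLower(amHost)}
	for _, p := range validGotoDestinations {
		re, err := compilePattern(p)
		if err != nil {
			return nil, fmt.Errorf("invalid goto pattern %q: %w", p, err)
		}
		v.patterns = append(v.patterns, re)
	}
	return v, nil
}

// Allowed reports whether gotoURL may be used as a post-login/logout redirect.
// The unset-property fallback is modelled (assumption) as an absolute URL whose
// host equals the AM host; anything else would fall back to the profile/console page.
func (v *GotoValidator) Allowed(gotoURL string) bool {
	if len(v.patterns) == 0 {
		u, err := url.Parse(gotoURL)
		return err == nil && u.Host != "" && strings.ToLower(u.Host) == v.amHost
	}
	for _, re := range v.patterns {
		if re.MatchString(gotoURL) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: the page's two example patterns and three candidate redirects.
	v, err := NewGotoValidator("openam.example.com:8080", []string{
		"http://app.example.com:80/*",
		"http://app.example.com:80/*?*",
	})
	if err != nil {
		panic(err)
	}
	for _, g := range []string{
		"http://app.example.com:80/dashboard",
		"http://app.example.com:80/dashboard?tab=1",
		"http://app.example.com:8080/dashboard",
	} {
		fmt.Printf("%-45s allowed=%v\n", g, v.Allowed(g))
	}
}
```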
WebAuthn Profile Encryption Service
amster service name: AuthenticatorWebAuthn
Realm Defaults
The following settings appear on the Realm Defaults tab:
- Profile Storage Attribute
The user's attribute in which to store WebAuthn profiles.
The default attribute is added to the schema when you prepare a user store for use with AM. If you want to use a different attribute, you must add it to your user store schema before deploying WebAuthn with AM. AM must be able to write to the attribute.
Default value:
webauthnDeviceProfiles
amster attribute:
webauthnAttrName
- Device Profile Encryption Scheme
Encryption scheme to use to secure device profiles stored on the server.
If enabled, each device profile is encrypted with a unique random secret key, using AES of the given strength in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half its size) provides integrity protection, giving authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.
Note: AES-256 may require installation of the JCE Unlimited Strength policy files.
The possible values for this property are:
Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (Value: RSAES_AES256CBC_HS512)
Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (Value: RSAES_AES128CBC_HS256)
Label: No encryption of device settings. (Value: NONE)
Default value:
NONE
amster attribute:
authenticatorWebAuthnDeviceSettingsEncryptionScheme
- Encryption Key Store
Path to the key store from which to load encryption keys.
Default value:
/path/to/openam/security/keystores/keystore.jceks
amster attribute:
authenticatorWebAuthnDeviceSettingsEncryptionKeystore
- Key Store Type
Type of key store to load.
Note: PKCS#11 key stores require hardware support, such as a security device or smart card, and are not available by default in most JVM installations.
See the JDK 8 PKCS#11 Reference Guide for more details.
The possible values for this property are:
Label: Java Key Store (JKS). (Value: JKS)
Label: Java Cryptography Extension Key Store (JCEKS). (Value: JCEKS)
Label: PKCS#11 Hardware Crypto Storage. (Value: PKCS11)
Label: PKCS#12 Key Store. (Value: PKCS12)
Default value:
JCEKS
amster attribute:
authenticatorWebAuthnDeviceSettingsEncryptionKeystoreType
- Key Store Password
Password to unlock the key store. This password is encrypted when it is saved in the AM configuration. You should modify the default value.
amster attribute:
authenticatorWebAuthnDeviceSettingsEncryptionKeystorePassword
- Key-Pair Alias
Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.
amster attribute:
authenticatorWebAuthnDeviceSettingsEncryptionKeystoreKeyPairAlias
- Private Key Password
Password to unlock the private key.
amster attribute:
authenticatorWebAuthnDeviceSettingsEncryptionKeystorePrivateKeyPassword
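As an added illustration, not AM's code, of the RSAES_AES128CBC_HS256 scheme as the Device Profile Encryption Scheme setting above describes it: a fresh random secret per profile, AES-128 in CBC mode with PKCS#5 padding, an HMAC-SHA-256 tag truncated to half size, and the secret wrapped with the RSA key pair and stored beside the profile. The split of the random secret into MAC and AES halves, RSA-OAEP as the wrapping mode, and the tag covering IV plus ciphertext are assumptions the page does not state.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// EncryptedProfile is the stored form: RSA-wrapped secret, CBC IV, ciphertext, truncated tag.
type EncryptedProfile struct{ WrappedKey, IV, Ciphertext, Tag []byte }

// PKCS#5 padding as named by the setting; unpad rejects malformed padding outright.
func pkcs5Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte) ([]byte, error) {
	if n := len(b); n > 0 {
		p := int(b[n-1])
		if p > 0 && p <= aes.BlockSize && p <= n && bytes.Equal(b[n-p:], bytes.Repeat([]byte{byte(p)}, p)) {
			return b[:n-p], nil
		}
	}
	return nil, errors.New("bad padding")
}

// authTag is HMAC-SHA-256 over IV||ciphertext, truncated to half size (16 bytes),
// as the setting describes for the HS256 variant. Tag input order is an assumption.
func authTag(macKey, iv, ct []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(iv)
	h.Write(ct)
	return h.Sum(nil)[:sha256.Size/2]
}

// EncryptProfile draws a fresh 32-byte secret per profile, split (assumed, JWE-style) into
// a 16-byte MAC key and a 16-byte AES-128 key, encrypts in CBC mode, tags, and wraps the
// secret with RSA-OAEP (the RSA padding mode is an assumption).
func EncryptProfile(pub *rsa.PublicKey, profile []byte) (*EncryptedProfile, error) {
	rnd := make([]byte, 32+aes.BlockSize) // secret || IV
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	secret, iv := rnd[:32], rnd[32:]
	block, _ := aes.NewCipher(secret[16:]) // fixed 16-byte key: NewCipher cannot fail
	ct := pkcs5Pad(profile)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedProfile{WrappedKey: wrapped, IV: iv, Ciphertext: ct, Tag: authTag(secret[:16], iv, ct)}, nil
}

// DecryptProfile unwraps the secret, verifies the tag in constant time before touching
// the ciphertext (encrypt-then-MAC, so IV and ciphertext lengths are authenticated too),
// then decrypts and strips the padding.
func DecryptProfile(priv *rsa.PrivateKey, ep *EncryptedProfile) ([]byte, error) {
	secret, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ep.WrappedKey, nil)
	if err != nil || len(secret) != 32 {
		return nil, errors.New("cannot unwrap profile secret")
	}
	if !hmac.Equal(authTag(secret[:16], ep.IV, ep.Ciphertext), ep.Tag) {
		return nil, errors.New("profile integrity check failed")
	}
	block, _ := aes.NewCipher(secret[16:])
	pt := make([]byte, len(ep.Ciphertext))
	cipher.NewCBCDecrypter(block, ep.IV).CryptBlocks(pt, ep.Ciphertext)
	return pkcs5Unpad(pt)
}
```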