AM implements the following RFCs, Internet-Drafts, and standards:
RFC 4226: HOTP: An HMAC-Based One-Time Password Algorithm, supported by the OATH authentication modules and nodes.
RFC 6238: TOTP: Time-Based One-Time Password Algorithm, supported by the OATH authentication modules and nodes.
For more information, refer to Open Authentication.
RFC 7522: Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
RFC 8693: OAuth 2.0 Token Exchange (Access token to access token, access token to ID token, ID token to ID token, and ID token to access token)
For more information, see OAuth 2.0
OpenID Connect 1.0
In section 5.6 of this specification, AM supports Normal Claims. AM does not support the optional Aggregated Claims and Distributed Claims representations.
AM applies the guidelines suggested by the OpenID Financial-grade API (FAPI) Working Group to the implementation of CIBA, which shapes the support of CIBA in AM.
Implementation Decisions Applying to CIBA Support in AM
Plain JSON or form parameters for CIBA-related data is not supported.
AM currently only supports backchannel logout when acting as the provider.
For more information, see:
User-Managed Access (UMA) 2.0
Security Assertion Markup Language (SAML) and Federation-related standards
AM supports SAML v2.0; support for SAML v1.1 and v1.0 was removed in AM 7, although WS-Federation functionality still creates assertions in SAML v1.x format.
SAML Specifications are available from the OASIS standards page.
For more information, see Security Assertion Markup Language (SAML)
Encryption and signatures
Query string signatures:
Recommendation E.146, concerning Mobile Subscriber ISDN Numbers (MSISDN), supported for authentication.
RFC 1271: Remote Network Monitoring Management Information Base, supported for monitoring over SNMP.
RFC 2578: Structure of Management Information Version 2 (SMIv2), supported for monitoring over SNMP.
RFC 2579: Textual Conventions for SMIv2, supported for monitoring over SNMP.
RFC 2617: HTTP Authentication: Basic and Digest Access Authentication, supported as an authentication module.
RFC 2865: Remote Authentication Dial In User Service (RADIUS), supported as an AM service.
RFC 4510: Lightweight Directory Access Protocol (LDAP), for authentication modules and when accessing data stores.
RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, supported for certificate-based authentication.
RFC 6265: HTTP State Management Mechanism
regarding HTTP Cookies and
Set-Cookie header fields.