AM 7.5.0

Metadata annotation

The annotation specifies two required attributes: the outcomeProvider and the configClass. Typically, the configClass attribute is an inner interface in the node implementation class.

Optionally, you can also specify a class as a configValidator, and tags to categorize the node type for display in the UI.


The class that defines the possible outcomes.

The abstract implementations of the node interface, org.forgerock.openam.auth.node.api.SingleOutcomeNode and org.forgerock.openam.auth.node.api.AbstractDecisionNode, define outcome providers you can use for simple use cases. Provide your own implementation for more complex use cases.

For example, the following is the custom outcome provider from the LDAP Decision node, which has True, False, Locked, Cancelled, and Expired exit paths:

* Defines the possible outcomes from this Ldap node.
public static class LdapOutcomeProvider implements OutcomeProvider {
  public List<Outcome> getOutcomes(PreferredLocales locales, JsonValue nodeAttributes) {
    ResourceBundle bundle = locales.getBundleInPreferredLocale(LdapDecisionNode.BUNDLE,
    return ImmutableList.of(
      new Outcome(, bundle.getString("trueOutcome")),
      new Outcome(, bundle.getString("falseOutcome")),
      new Outcome(, bundle.getString("lockedOutcome")),
      new Outcome(, bundle.getString("cancelledOutcome")),
      new Outcome(, bundle.getString("expiredOutcome")));

The class name that contains the configuration of any attributes requested by the node when using it as part of a tree.

For more information, See Config interface.


An optional class name used to validate the provided configuration.


An optional list of tags to categorize the node within the tree designer view.

Tags are made up of one or more text strings that let users find the node more easily when designing trees. For example, you could include common pseudonyms for the functionality the node provides, such as mfa for a node that provides multi-factor authentication functionality.

The tree designer view organizes nodes into a number of categories, based on the presence of certain tag values, as described in the table below:

Authentication node tag categories
Category Tag Example nodes

Basic Authentication

"basic authentication"

Data Store Decision node
Username Collector node



Push Sender node
WebAuthn Authentication node



Account Lockout node



Increment Login Count node
Login Count Decision node



Cookie Presence Decision node
Set Persistent Cookie node



OAuth 2.0 node
OpenID Connect node

Identity Management

"identity management"

Anonymous User Mapping node
Terms and Conditions Decision node



Choice Collector node
Scripted Decision node

Nodes that aren’t tagged with one of these tags appear in an Uncategorized section.

For example, the @Node.Metadata annotation for Timer Start node places it in the Utilities section:

@Node.Metadata(outcomeProvider = SingleOutcomeNode.OutcomeProvider.class,
        configClass = TimerStartNode.Config.class,
        tags = {"metrics", "utilities"})

For more information on the @Node.Metadata annotation, see the Node.Metadata annotation type in the AM Public API Javadoc.

Copyright © 2010-2024 ForgeRock, all rights reserved.