Authentication module properties
This page provides a reference to configuration properties for AM authentication modules.
Active Directory module properties
amster
service name: ActiveDirectoryModule
ssoadm
service name: sunAMAuthADService
- Primary ActiveDirectory Server, Secondary ActiveDirectory Server
-
Specify the primary and secondary directory server(s).
Both properties take more than one value, allowing more than one primary or secondary remote server, respectively.
Directory servers generally use built-in data replication for high availability. Thus, a directory service typically consists of a pool of replicas to which AM can connect to retrieve and update directory data. AM attempts to contact the primary server(s) first, but if unavailable, AM attempts to contact the secondary servers.
For the current AM server, specify each directory server in the format
server:port
. For other AM servers in the deployment, define each server aslocal_server_name | server:port
. For example, if theserver
ishttps://openam.example.com:8443/openam
, and the directory server is accessible atopendj.example.com:1636
, enter the value asopenam.example.com|opendj.example.com:1636
.Assuming a multi-data center environment, AM determines priority within the primary and secondary remote servers as follows:
-
LDAP servers that are mapped to the current AM instance have the highest priority.
For example, if you are connected to
openam1.example.com
andldap1.example.com
is mapped to that AM instance, then AM usesldap1.example.com
. -
LDAP servers that are not specifically mapped to a given AM instance have the next highest priority.
For example, if you have another LDAP server,
ldap2.example.com
, that is not connected to a specific AM server and ifldap1.example.com
is unavailable, AM connects to the next highest priority LDAP server,ldap2.example.com
. -
LDAP servers that are mapped to different AM instances have the lowest priority.
For example, if
ldap3.example.com
is connected toopenam3.example.com
andldap1.example.com
andldap2.example.com
are unavailable, thenopenam1.example.com
connects toldap3.example.com
.ssoadm
attributes are: primary isiplanet-am-auth-ldap-server
; secondary isiplanet-am-auth-ldap-server2
.
-
- DN to Start User Search
-
Specifies the base DN from which AM searches for users to authenticate.
LDAP data is organized hierarchically, similar to a file system on Windows or UNIX. More specific DNs likely result in better performance. When configuring the module for a particular part of the organization, you can start searches from a specific organizational unit, such as
OU=sales,DC=example,DC=com
.If multiple entries exist with identical search attribute values, ensure this value is specific enough to return a single entry.
amster
attribute:userSearchStartDN
ssoadm
attribute:iplanet-am-auth-ldap-base-dn
- Bind User DN, Bind User Password
-
Specify the user and password of the administration account used for authentication to the directory server.
If AM stores attributes in the directory, for example, to manage account lockout, or if the directory requires that AM authenticate in order to read users' attributes, then AM needs the DN and password to authenticate to the directory.
Make sure that the password is correct before you logout. If it is incorrect, you will be locked out and you will need to log in with the superuser DN. By default, this is
uid=amAdmin,ou=People,AM-deploy-base
, whereAM-deploy-base
was set during AM configuration.amster
attributes:userBindDN
anduserBindPassword
ssoadm
attributes:iplanet-am-auth-ldap-bind-dn
andiplanet-am-auth-ldap-bind-passwd
- Attribute Used to Retrieve User Profile
-
LDAP uses this attribute to search for the profile of an authenticated user. Usually, this is the same attribute used to find the user account, such as the value set as the
uid
in AM. For example, where the attribute is set tomail
, the LDAP module searchesCN=Users,DC=example,DC=com
with a filter"(MAIL=bjensen@example.com)"
, and the directory returns the user profile that matchesMAIL=bjensen@example.com
.The attribute is only used if User Profile is set to
Required
andReturn User DN to DataStore
is not enabled.amster
attribute:userProfileRetrievalAttribute
ssoadm
attribute:iplanet-am-auth-ldap-user-naming-attribute
- Attributes Used to Search for a User to be Authenticated
-
The attributes specified in this list define the LDAP search filter. Multiple attribute values mean the user can authenticate with any one of the values. For example, if you have both
uid
andmail
, then Barbara Jensen can authenticate with eitherbjensen
orbjensen@example.com
.amster
attribute:userSearchAttributes
ssoadm
attribute:iplanet-am-auth-ldap-user-search-attributes
- User Search Filter
-
The User Search Filter text box provides a more complex filter. For example, if you search using
mail
and add the User Search Filter(objectClass=inetOrgPerson)
, then AM uses the resulting search filter(&(mail=address)(objectClass=inetOrgPerson))
, where address is the mail address provided by the user.amster
attribute:userSearchAttributes
ssoadm
attribute:iplanet-am-auth-ldap-search-filter
- Search Scope
-
This attribute defines the level of directory that will be searched for a matching profile. You can set the search to run at a high level or against a specific area:
-
OBJECT searches only for the entry specified as the 'DN to Start User Search'.
-
ONELEVEL searches only the entries that are direct children of that object.
-
SUBTREE searches the entry specified and all entries at levels below.
ssoadm
attribute:iplanet-am-auth-ldap-search-scope
-
- LDAP Connection Mode
-
If you want to initiate secure communications to data stores using SSL or StartTLS, AM must be able to trust the server’s certificates, either because the certificates were signed by a CA whose certificate is already included in the trust store used by the container where AM runs, or because you imported the certificates into the trust store.
To let users change passwords through AM, Active Directory requires that you connect over SSL. The default LDAP port is 389. If you are connecting to Active Directory over SSL, the default LDAPS port is 636.
For SSL or TLS security, enable the SSL/TLS Access to Active Directory Server property.
ssoadm
attribute:openam-auth-ldap-connection-mode
Possible values:
LDAP
,LDAPS
, andStartTLS
- Return User DN to DataStore
-
If User Profile is set to
Required
, this attribute determines whether the DN or the username is returned as the authentication principal.When enabled, the module returns the DN rather than the User ID or the value set in
Attribute Used to Retrieve User Profile
. The returned value is then used to make the request to retrieve the profile attributes from the user store.amster
attribute:returnUserDN
ssoadm
attribute:iplanet-am-auth-ldap-return-user-dn
- User Creation Attributes
-
This list of attributes defines the mapping of internal attribute names to external attribute names for dynamic profile creation. The attributes retrieved from the user’s authenticated profile are mapped against the values that will be provisioned into their matching account in the data store. This list does not include
uid
mappings.The format of the list is
internal_attr1|external_attr1
.amster
attribute:profileAttributeMappings
ssoadm
attribute:iplanet-am-ldap-user-creation-attr-list
- Trust All Server Certificates
-
When enabled, the module trusts all server certificates, including self-signed certificates.
amster
attribute:trustAllServerCertificates
ssoadm
attribute:iplanet-am-auth-ldap-ssl-trust-all
- LDAP Connection Heartbeat Interval
-
Specifies how often AM should send a heartbeat request to the directory server to ensure that the connection does not remain idle. Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to 0. To set the units for the interval, use LDAP Connection Heartbeat Time Unit.
Default: 1
amster
attribute:connectionHeartbeatInterval
ssoadm
attribute:openam-auth-ldap-heartbeat-interval
- LDAP Connection Heartbeat Time Unit
-
Specifies the time unit corresponding to LDAP Connection Heartbeat Interval. Possible values are
SECONDS
,MINUTES
, andHOURS
.amster
attribute:connectionHeartbeatTimeUnit
ssoadm
attribute:openam-auth-ldap-heartbeat-timeunit
- LDAP operations timeout
-
Defines the timeout, in seconds, that AM should wait for a response from the directory server.
Default: 0 (means no timeout)
amster
attribute:operationTimeout
ssoadm
attribute:openam-auth-ldap-operation-timeout
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:iplanet-am-auth-ldap-auth-level
- Stop LDAP Binds after in-memory lockout
-
If enabled, prevent AM from sending further bind requests to the LDAP Server when the user is locked out through a duration lockout.
amster
attribute:stopLdapbindAfterInmemoryLockedEnabled
ssoadm
attribute:openam-auth-stop-ldap-bind-after-inmemory-locked-enabled
Adaptive Risk authentication module properties
amster
service name: AdaptiveRiskModule
ssoadm
service name: sunAMAuthAdaptiveService
General
The following properties are available under the General tab:
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:openam-auth-adaptive-auth-level
- Risk Threshold
-
Sets the risk threshold score. If the sum of the scores is greater than the threshold, the Adaptive Risk module fails.
Default: 1
amster
attribute:riskThreshold
ssoadm
attribute:openam-auth-adaptive-auth-threshold
Failed Authentications
The following properties are available under the Failed Authentications tab:
- Failed Authentication Check
-
When enabled, checks the user profile for authentication failures since the last successful login. This check therefore requires AM to have access to the user profile, and Account Lockout to be enabled (otherwise, AM does not record authentication failures).
amster
attribute:failedAuthenticationCheckEnabled
ssoadm
attribute:openam-auth-adaptive-failure-check
- Score
-
Sets the value to add to the total score if the user fails the Failed Authentication Check. Default: 1
amster
attribute:failureScore
ssoadm
attribute:openam-auth-adaptive-failure-score
- Invert Result
-
When enabled, adds the score to the total score if the user passes the Failed Authentication Check.
amster
attribute:invertFailureScore
ssoadm
attribute:openam-auth-adaptive-failure-invert
IP Address Range
The following properties are available under the IP Address Range tab:
- IP Range Check
-
When enabled, checks whether the client IP address is within one of the specified IP Ranges.
amster
attribute:ipRangeCheckEnabled
ssoadm
attribute:openam-auth-adaptive-ip-range-check
- IP Range
-
For IPv4, specifies a list of IP ranges either in CIDR-style notation (
x.x.x.x/YY
) or as a range from one address to another (x.x.x.x-y.y.y.y
, meaning from x.x.x.x to y.y.y.y).For IPv6, specifies a list of IP ranges either in CIDR-style notation (
X:X:X:X:X:X:X:X/YY
) or as a range from one address to another (X:X:X:X:X:X:X:X-Y:Y:Y:Y:Y:Y:Y:Y
, meaning from X:X:X:X:X:X:X:X to Y:Y:Y:Y:Y:Y:Y:Y).amster
attribute:ipRange
ssoadm
attribute:openam-auth-adaptive-ip-range-range
- Score
-
Sets the value to add to the total score if the user fails the IP Range Check.
amster
attribute:ipRangeScore
ssoadm
attribute:openam-auth-adaptive-ip-range-score
- Invert Result
-
When enabled, adds the Score to the total score if the user passes the IP Range Check.
amster
attribute:invertIPRangeScoreEnabled
ssoadm
attribute:openam-auth-adaptive-ip-range-invert
IP Address History
The following properties are available under the IP Address History tab:
- IP History Check
-
When enabled, checks whether the client IP address matches one of the known values stored on the profile attribute you specify. This check therefore requires that AM have access to the user profile.
amster
attribute:ipHistoryCheckEnabled
ssoadm
attribute:openam-auth-adaptive-ip-history-check
- History size
-
Specifies how many IP address values to retain on the profile attribute you specify.
Default: 5
amster
attribute:ipHistoryCount
ssoadm
attribute:openam-auth-ip-adaptive-history-count
- Profile Attribute Name
-
Specifies the name of the user profile attribute in which to store known IP addresses. Ensure the specified attribute exists in your user data store; the
iphistory
attribute does not exist by default, and it is not created when performing AM schema updates.Default:
iphistory
amster
attribute:ipHistoryProfileAttribute
ssoadm
attribute:openam-auth-adaptive-ip-history-attribute
- Save Successful IP Address
-
When enabled, saves new client IP addresses to the known IP address list following successful authentication.
amster
attribute:saveSuccessfulIP
ssoadm
attribute:openam-auth-adaptive-ip-history-save
- Score
-
Sets the value to add to the total score if the user fails the IP History Check.
Default: 1
amster
attribute:ipHistoryScore
ssoadm
attribute:openam-auth-adaptive-ip-history-score
- Invert Result
-
When enabled, adds the Score to the total score if the user passes the IP History Check.
amster
attribute:invertIPHistoryScore
ssoadm
attribute:openam-auth-adaptive-ip-history-invert
Known Cookie
The following properties are available under the Known Cookie tab:
- Cookie Value Check
-
When enabled, checks whether the client browser request has the specified cookie and optional cookie value.
amster
attribute:knownCookieCheckEnabled
ssoadm
attribute:openam-auth-adaptive-known-cookie-check
- Cookie Name
-
Specifies the name of the cookie for which AM checks when you enable the Cookie Value Check.
amster
attribute:knownCookieName
ssoadm
attribute:openam-auth-adaptive-known-cookie-name
- Cookie Value
-
Specifies the value of the cookie for which AM checks. If no value is specified, AM does not check the cookie value.
amster
attribute:knownCookieValue
ssoadm
attribute:openam-auth-adaptive-known-cookie-value
- Save Cookie Value on Successful Login
-
When enabled, saves the cookie as specified in the client’s browser following successful authentication. If no Cookie Value is specified, the value is set to 1.
amster
attribute:createKnownCookieOnSuccessfulLogin
ssoadm
attribute:openam-auth-adaptive-known-cookie-save
- Score
-
Sets the value to add to the total score if user passes the Cookie Value Check.
Default: 1
amster
attribute:knownCookieScore
ssoadm
attribute:openam-auth-adaptive-known-cookie-score
- Invert Result
-
When enabled, adds the Score to the total score if the user passes the Cookie Value Check.
amster
attribute:invertKnownCookieScore
ssoadm
attribute:openam-auth-adaptive-known-cookie-invert
Device Cookie
The following properties are available under the Device Cookie tab:
- Device Registration Cookie Check
-
When enabled, the cookie check passes if the client request contains the cookie specified in Cookie Name.
amster
attribute:deviceCookieCheckEnabled
ssoadm
attribute:openam-auth-adaptive-device-cookie-check
- Cookie Name
-
Specifies the name of the cookie for the Device Registration Cookie Check.
Default: Device
amster
attribute:deviceCookieName
ssoadm
attribute:openam-auth-adaptive-device-cookie-name
- Save Device Registration on Successful Login
-
When enabled, saves the specified cookie with a hashed device identifier value in the client’s browser following successful authentication.
amster
attribute:saveDeviceCookieValueOnSuccessfulLogin
ssoadm
attribute:openam-auth-adaptive-device-cookie-save
- Score
-
Sets the value to add to the total score if the user fails the Device Registration Cookie Check.
Default: 1
amster
attribute:deviceCookieScore
ssoadm
attribute:openam-auth-adaptive-device-cookie-score
- Invert Result
-
When enabled, adds the Score to the total score if the user passes the Device Registration Cookie Check.
amster
attribute:invertDeviceCookieScore
ssoadm
attribute:openam-auth-adaptive-device-cookie-invert
Time Since Last Login
The following properties are available under the Time Since Last Login tab:
- Time since Last login Check
-
When enabled, checks whether the client browser request has the specified cookie that holds the encrypted last login time, and check that the last login time is more recent than a maximum number of days you specify.
amster
attribute:timeSinceLastLoginCheckEnabled
ssoadm
attribute:openam-auth-adaptive-time-since-last-login-check
- Cookie Name
-
Specifies the name of the cookie holding the encrypted last login time value.
amster
attribute:timeSinceLastLoginCookieName
ssoadm
attribute:openam-auth-adaptive-time-since-last-login-cookie-name
- Max Time since Last login
-
Specifies a threshold age of the last login time in days. If the client’s last login time is more recent than the number of days specified, then the client successfully passes the check.
amster
attribute:maxTimeSinceLastLogin
ssoadm
attribute:openam-auth-adaptive-time-since-last-login-value
- Save time of Successful Login
-
When enabled, saves the specified cookie with the current time encrypted as the last login value in the client’s browser following successful authentication.
amster
attribute:saveLastLoginTimeOnSuccessfulLogin
ssoadm
attribute:openam-auth-adaptive-time-since-last-login-save
- Score
-
Sets the value to add to the total score if the user fails the Time Since Last Login Check.
Default: 1
amster
attribute:timeSinceLastLoginScore
ssoadm
attribute:openam-auth-adaptive-time-since-last-login-score
- Invert Result
-
When enabled, adds the Score to the total score if the user passes the Time Since Last Login Check.
amster
attribute:invertTimeSinceLastLoginScore
ssoadm
attribute:openam-auth-adaptive-time-since-last-login-invert
Profile Attribute
The following properties are available under the Profile Attribute tab:
- Profile Risk Attribute check
-
When enabled, checks whether the user profile contains the specified attribute and value.
amster
attribute:profileRiskAttributeCheckEnabled
ssoadm
attribute:openam-auth-adaptive-risk-attribute-check
- Attribute Name
-
Specifies the attribute to check on the user profile for the specified value.
amster
attribute:profileRiskAttributeName
ssoadm
attribute:openam-auth-adaptive-risk-attribute-name
- Attribute Value
-
Specifies the value to match on the profile attribute. If the attribute is multi-valued, a single match is sufficient to pass the check.
amster
attribute:profileRiskAttributeValue
ssoadm
attribute:openam-auth-adaptive-risk-attribute-value
- Score
-
Sets the value to add to the total score if the user fails the Profile Risk Attribute Check.
Default: 1
amster
attribute:profileRiskAttributeScore
ssoadm
attribute:openam-auth-adaptive-risk-attribute-score
- Invert Result
-
When enabled, adds the Score to the total score if the user passes the Profile Risk Attribute Check.
amster
attribute:invertProfileRiskAttributeScore
ssoadm
attribute:openam-auth-adaptive-risk-attribute-invert
Geo Location
The following properties are available under the Geo Location tab:
- Geolocation Country Code Check
-
When enabled, checks whether the client IP address location matches a country specified in the Valid Country Codes list.
ssoadm
attribute:forgerock-am-auth-adaptive-geo-location-check
- Geolocation Database Location
-
Path to GeoIP data file used to convert IP addresses to country locations. The geolocation database is not packaged with AM. You can download the GeoIP Country database from MaxMind. Use the binary
.mmdb
file format, rather than.csv
. You can use the GeoLite Country database for testing.amster
attribute:geolocationDatabaseLocation
ssoadm
attribute:openam-auth-adaptive-geo-location-database
- Valid Country Codes
-
Specifies the list of country codes to match. Use
|
to separate multiple values.ssoadm
attribute:openam-auth-adaptive-geo-location-values
. - Score
-
Value to add to the total score if the user fails the Geolocation Country Code Check.
Default: 1
amster
attribute:geolocationScore
ssoadm
attribute:openam-auth-adaptive-geo-location-score
- Invert Result
-
When enabled, adds the Score to the total score if the user passes the Geolocation Country Code Check.
amster
attribute:invertGeolocationScore
ssoadm
attribute:openam-auth-adaptive-geo-location-invert
Request Header
The following properties are available under the Request Header tab:
- Request Header Check
-
When enabled, checks whether the client browser request has the specified header with the correct value.
amster
attribute:requestHeaderCheckEnabled
ssoadm
attribute:openam-auth-adaptive-req-header-check
- Request Header Name
-
Specifies the name of the request header for the Request Header Check.
amster
attribute:requestHeaderName
ssoadm
attribute:openam-auth-adaptive-req-header-name
- Request Header Value
-
Specifies the value of the request header for the Request Header Check.
amster
attribute:requestHeaderValue
ssoadm
attribute:openam-auth-adaptive-req-header-value
- Score
-
Value to add to the total score if the user fails the Request Header Check.
Default: 1
amster
attribute:requestHeaderScore
ssoadm
attribute:openam-auth-adaptive-req-header-score
- Invert Result
-
When enabled, adds the Score to the total score if the user passes the Request Header Check.
amster
attribute:invertRequestHeaderScore
ssoadm
attribute:openam-auth-adaptive-req-header-invert
Amster authentication module properties
amster
service name: AmsterModule
ssoadm
service name: iPlanetAMAuthAmsterService
- Authorized Keys
-
Specifies the location of the
authorized_keys
file that contains the private and public keys used to validate remoteamster
client connections.The default location for the
authorized_keys
file is the/path/to/openam/security/keys/amster/
directory. Its content is similar to an OpenSSHauthorized_keys
file.amster
attribute:forgerock-am-auth-amster-authorized-keys
- Enabled
-
When enabled, allows
amster
clients to authenticate using PKI. When disabled, allowsamster
clients to authenticate using interactive login only.amster
attribute:forgerock-am-auth-amster-enabled
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:forgerock-am-auth-amster-auth-level
Anonymous authentication module properties
amster
service name: AnonymousModule
ssoadm
service name: iPlanetAMAuthAnonymousService
- Valid Anonymous Users
-
Specifies the list of valid anonymous user IDs that can log in without submitting a password.
amster
attribute:validAnonymousUsers
ssoadm
attribute:iplanet-am-auth-anonymous-users-list
When a user accesses the default module instance login URL, the module prompts the user to enter a valid anonymous user name.
The default module instance login URL is defined as follows:
protocol://hostname:port/deploy_URI/XUI/?module=Anonymous&org=org_name#login
- Default Anonymous User Name
-
Specifies the user ID assigned by the module if the Valid Anonymous Users list is empty. The default value is
anonymous
. Note that the anonymous user must be defined in the realm, and its user status must beActive
.amster
attribute:defaultAnonymousUsername
ssoadm
attribute:iplanet-am-auth-anonymous-default-user-name
- Case Sensitive User IDs
-
When enabled, determines whether case matters for anonymous user IDs.
amster
attribute:caseSensitiveUsernameMatchingEnabled
ssoadm
attribute:iplanet-am-auth-anonymous-case-sensitive
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 (default) to any positive integer and is set for each authentication method. The higher number corresponds to a higher level of authentication. If you configured your authentication levels from a 0 to 5 scale, then an authentication level of 5 will require the highest level of authentication.
After a user has authenticated, AM stores the authentication level in the session token. When the user attempts to access a protected resource, the token is presented to the application. The application uses the token’s value to determine if the user has the correct authentication level required to access the resource. If the user does not have the required authentication level, the application can prompt the user to authenticate with a higher authentication level.
amster
attribute:authenticationLevel
ssoadm
attribute:iplanet-am-auth-anonymous-auth-level
Certificate authentication module properties
amster
service name: CertificateModule
ssoadm
service name: iPlanetAMAuthCertService
- Match Certificate in LDAP
-
When enabled, AM searches for a match for the user’s certificate in the LDAP directory. If a match is found and not revoked according to a CRL or OCSP validation, then authentication succeeds.
amster
attribute:matchCertificateInLdap
ssoadm
attribute:iplanet-am-auth-cert-check-cert-in-ldap
- Subject DN Attribute Used to Search LDAP for Certificates
-
Indicates which attribute and value in the certificate Subject DN is used to find the LDAP entry holding the certificate.
Default: CN
amster
attribute:ldapCertificateAttribute
ssoadm
attribute:iplanet-am-auth-cert-attr-check-ldap
- Match Certificate to CRL
-
When enabled, AM checks whether the certificate has been revoked according to a CRL in the LDAP directory.
amster
attribute:matchCertificateToCRL
ssoadm
attribute:iplanet-am-auth-cert-check-crl
- Issuer DN Attribute Used to Search LDAP for CRLs
-
Indicates which attribute and value in the certificate Issuer DN is used to find the CRL in the LDAP directory.
Default: CN
If only one attribute is specified, the LDAP search filter used to find the CRL based on the Subject DN of the CA certificate is
(attr-name=attr-value-in-subject-DN)
.For example, if the subject DN of the issuer certificate is
C=US, CN=Some CA, serialNumber=123456
, and the attribute specified isCN
, then the LDAP search filter used to find the CRL is(CN=Some CA)
.In order to distinguish among different CRLs for the same CA issuer, specify multiple attributes separated by commas (
,
) in the same order they occur in the subject DN. When multiple attribute names are provided in a comma-separated list, the LDAP search filter used is(cn=attr1=attr1-value-in-subject-DN,attr2=attr2-value-in-subject-DN,…,attrN=attrN-value-in-subject-DN)
.For example, if the subject DN of the issuer certificate is
C=US, CN=Some CA, serialNumber=123456
, and the attributes specified areCN,serialNumber
, then the LDAP search filter used to find the CRL is(cn=CN=Some CA,serialNumber=123456)
.amster
attribute:crlMatchingCertificateAttribute
ssoadm
attribute:iplanet-am-auth-cert-attr-check-crl
- HTTP Parameters for CRL Update
-
Specifies parameters to be included in any HTTP CRL call to the CA that issued the certificate.
This property supports key pairs of values separated by commas, for example,
param1=value1,param2=value2
.If the client or CA contains the Issuing Distribution Point Extension, AM uses this information to retrieve the CRL from the distribution point.
amster
attribute:crlHttpParameters
ssoadm
attribute:iplanet-am-auth-cert-param-get-crl
- Match CA Certificate to CRL
-
When enabled, AM checks the CRL against the CA certificate to ensure it has not been compromised.
amster
attribute:matchCACertificateToCRL
ssoadm
attribute:sunAMValidateCACert
- Cache CRLs in memory
-
(LDAP distribution points only) When enabled, AM caches CRLs.
amster
attribute:cacheCRLsInMemory
ssoadm
attribute:openam-am-auth-cert-attr-cache-crl
- Update CA CRLs from CRLDistributionPoint
-
When enabled, AM updates the CRLs stored in the LDAP directory store.
amster
attribute:updateCRLsFromDistributionPoint
ssoadm
attribute:openam-am-auth-cert-update-crl
- OCSP Validation
-
When enabled, AM checks the revocation status of certificates using the Online Certificate Status Protocol (OCSP).
You must configure OSCP for AM under Configure > Server Defaults or Deployment > Servers > Server Name > Security.
amster
attribute:ocspValidationEnabled
ssoadm
attribute:iplanet-am-auth-cert-check-ocsp
- LDAP Server Where Certificates are Stored
-
Identifies the LDAP server that holds users; certificates. The property has the format
ldap-server:port
, for example,ldap1.example.com:636
. To configure a secure connection, enable the Use SSL/TLS for LDAP Access property.AM servers can be associated with LDAP servers by writing multiple chains with the format
openam_server|ldap-server:port
, for example,openam.example.com|ldap1.example.com:636
.amster
attribute:certificateLdapServers
ssoadm
attribute:iplanet-am-auth-cert-ldap-provider-url
- LDAP Search Start or Base DN
-
Valid base DN for the LDAP search, such as
dc=example,dc=com
. To associate AM servers with§ different search base DNs, use the formatopenam_server|base_dn
, for example,openam.example.com|dc=example,dc=com openam1.test.com|dc=test,dc=com
.`amster
attribute:ldapSearchStartDN
ssoadm
attribute:iplanet-am-auth-cert-start-search-loc
- LDAP Server Authentication User, LDAP Server Authentication Password
-
If AM stores attributes in the LDAP directory, for example to manage account lockout, or if the LDAP directory requires that AM authenticate in order to read users' attributes, then AM needs the DN and password to authenticate to the LDAP directory.
ssoadm
attributes:iplanet-am-auth-cert-principal-user
, andiplanet-am-auth-cert-principal-passwd
- Use SSL/TLS for LDAP Access
-
If you use SSL/TLS for LDAP access, AM must be able to trust the LDAP server certificate.
amster
attribute:sslEnabled
ssoadm
attribute:iplanet-am-auth-cert-use-ssl
- Certificate Field Used to Access User Profile
-
If the user profile is in a different entry from the user certificate, then this can be different from subject DN attribute used to find the entry with the certificate. When you select other, provide an attribute name in the Other Certificate Field Used to Access User Profile text box.
amster
attribute:certificateAttributeToProfileMapping
ssoadm
attribute:iplanet-am-auth-cert-user-profile-mapper
Valid values:
subject DN
,subject CN
,subject UID
,email address
,other
, andnone
. - Other Certificate Field Used to Access User Profile
-
This field is only used if the Certificate Field Used to Access User Profile attribute is set to other. This field allows a custom certificate field to be used as the basis of the user search.
amster
attribute:otherCertificateAttributeToProfileMapping
ssoadm
attribute:iplanet-am-auth-cert-user-profile-mapper-other
- SubjectAltNameExt Value Type to Access User Profile
-
Specifies how to look up the user profile:
-
Let the property default to
none
to give preference to the Certificate Field Used to Access User Profile or Other Certificate Field Used to Access User Profile attributes when looking up the user profile. -
Select
RFC822Name
if you want AM to look up the user profile from an RFC 822 style name. -
Select
UPN
if you want AM to look up the user profile as the User Principal Name attribute used in Active Directory.
amster
attribute:certificateAttributeProfileMappingExtension
ssoadm
attribute:iplanet-am-auth-cert-user-profile-mapper-ext
-
- Trusted Remote Hosts
-
Defines a list of hosts trusted to send certificates to AM, such as load balancers doing SSL termination.
Valid values are
none
,any
, andIP_ADDR
, whereIP_ADDR
is one or more IP addresses of trusted hosts that can send client certificates to AM.amster
attribute:trustedRemoteHosts
ssoadm
attribute:iplanet-am-auth-cert-gw-cert-auth-enabled
- HTTP Header Name for Client Certificates
-
Specifies the name of the HTTP request header containing the certificate, which can be in one of the following formats:
-
Raw PEM-encoded.
-
PEM-encoded first, and then URL-encoded.
If Trusted Remote Hosts is set to
any
or specifies the IP address of the trusted host (for example, an SSL-terminated load balancer) that can supply client certificates to AM, the administrator must specify the header name in this attribute.amster
attribute:clientCertificateHttpHeaderName
ssoadm
attribute:sunAMHttpParamName
-
- Use only Certificate from HTTP request header
-
When enabled, AM always uses the client certificate from the HTTP header rather than the certificate the servlet container receives during the SSL handshake.
Default: false
ssoadm
attribute:iplanet-am-auth-cert-gw-cert-preferred
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:iplanet-am-auth-cert-auth-level
Data Store authentication module properties
amster
service name: DataStoreModule
ssoadm
service name: sunAMAuthDataStoreService
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:sunAMAuthDataStoreAuthLevel
Device ID (Match) authentication module properties
amster
service name: DeviceIdMatchModule
ssoadm
service name: iPlanetAMAuthDeviceIdMatchService
- Client-Side Script Enabled
-
Enable Device ID (Match) to send JavaScript in an authentication page to the device to collect data about the device by a self-submitting form.
amster
attribute:clientScriptEnabled
ssoadm
attribute:iplanet-am-auth-scripted-client-script-enabled
- Client-Side Script, Server-Side Script
-
Specify the client-side and server-side Javascript scripts to use with the Device Id (Match) module.
To view and modify the contents of the scripts, go to Realms > Realm Name > Scripts and select the name of the script.
If you change the client-side script, you must make a corresponding change in the server-side script to account for the specific addition or removal of an element.
ssoadm
attribute:iplanet-am-auth-scripted-client-script
andiplanet-am-auth-scripted-server-script
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:iplanet-am-auth-scripted-auth-level
Device ID (Save) authentication module properties
amster
service name: DeviceIdSaveModule
ssoadm
service name: iPlanetAMAuthDeviceIdSaveService
- Automatically store new profiles
-
When enabled, AM assumes user consent to store new profiles. After successful HOTP confirmation, AM stores the new profile automatically.
amster
attribute:autoStoreProfiles
ssoadm
attribute:iplanet-am-auth-device-id-save-auto-store-profile
- Maximum stored profile quantity
-
Sets the maximum number of stored profiles on the user’s record.
amster
attribute:maxProfilesAllowed
ssoadm
attribute:iplanet-am-auth-device-id-save-max-profiles-allowed
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:iplanet-am-auth-device-id-save-auth-level
Federation authentication module properties
amster
service name: FederationModule
ssoadm
service name: sunAMAuthFederationService
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:sunAMAuthFederationAuthLevel
ForgeRock Authenticator (OATH) authentication module properties
amster
service name: AuthenticatorOathModule
ssoadm
service name: iPlanetAMAuthAuthenticatorOATHService
Also refer to Differences between authentication modules that support HOTP.
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
ssoadm
attribute:iplanet-am-auth-fr-oath-auth-level
- One-Time Password Length
-
Sets the length of the OTP to six digits or longer. The default value is six.
amster
attribute:passwordLength
ssoadm
attribute:iplanet-am-auth-fr-oath-password-length
- Minimum Secret Key Length
-
The minimum number of hexadecimal characters allowed for the secret key.
amster
attribute:minimumSecretKeyLength
ssoadm
attribute:iplanet-am-auth-fr-oath-min-secret-key-length
- OATH Algorithm to Use
-
Select whether to use HOTP or TOTP. You can create an authentication chain to allow for a greater variety of devices. The default value is HOTP.
amster
attribute:oathAlgorithm
ssoadm
attribute:iplanet-am-auth-fr-oath-algorithm
- HOTP Window Size
-
The window that the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the server’s last successful login was at counter value 2, then the server will accept an OTP from device counter 3 to 102. The default value is 100.
amster
attribute:hotpWindowSize
ssoadm
attribute:iplanet-am-auth-fr-oath-hotp-window-size
- Add Checksum Digit
-
Adds a checksum digit at the end of the HOTP password to verify the OTP was generated correctly. This is in addition to the actual password length. Set this only if your device supports it. The default value is No.
amster
attribute:addChecksumToOtpEnabled
ssoadm
attribute:iplanet-am-auth-fr-oath-add-checksum
- Truncation Offset
-
Advanced feature that is device-specific. Let this value default unless you know your device uses a truncation offset. The default value is -1.
amster
attribute:truncationOffset
ssoadm
attribute:iplanet-am-auth-fr-oath-truncation-offset
- TOTP Time Step Interval
-
The time interval for which an OTP is valid. For example, if the time step interval is 30 seconds, a new OTP will be generated every 30 seconds, and an OTP will be valid for 30 seconds. The default value is 30 seconds.
amster
attribute:totpTimeStepInterval
ssoadm
attribute:iplanet-am-auth-fr-oath-size-of-time-step
- TOTP Time Steps
-
The number of time step intervals that the system and the device can be off before password resynchronization is required. For example, if the number of TOTP time steps is 2 and the TOTP time step interval is 30 seconds, the server will allow an 89 second clock skew between the client and the server—two 30 second steps plus 29 seconds for the interval in which the OTP arrived. The default value is 2.
amster
attribute:totpTimeStepsInWindow
ssoadm
attribute:iplanet-am-auth-fr-oath-steps-in-window
- One Time Password Max Retry
-
The number of times entry of the OTP may be attempted. Minimum is 1, maximum is 10.
Default: 3
amster
attribute:oathOtpMaxRetry
ssoadm
attribute:forgerock-oath-max-retry
- Maximum Allowed Clock Drift
-
The maximum acceptable clock skew before authentication fails. When this value is exceeded, the user must re-register the device.
amster
attribute:totpMaximumClockDrift
ssoadm
attribute:openam-auth-fr-oath-maximum-clock-drift
- Name of the Issuer
-
A value that appears as an identifier on the user’s device. Common choices are a company name, a web site, or an AM realm.
amster
attribute:oathIssuerName
ssoadm
attribute:openam-auth-fr-oath-issuer-name
ForgeRock Authenticator (Push) authentication module properties
amster
service name: AuthenticatorPushModule
ssoadm
service name: iPlanetAMAuthAuthenticatorPushService
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:forgerock-am-auth-authenticatorpush-auth-level
- Return Message Timeout (ms)
-
The period of time (in milliseconds) within which a push notification should be replied to.
Default:
120000
amster
attribute:timeoutInMilliSecconds
ssoadm
attribute:forgerock-am-auth-push-message-response-timeout
- Login Message
-
Text content of the push message, which is used for the notification displayed on the registered device. The following variables can be used in the message:
{{user}}
-
Replaced with the username value of the account registered in the ForgeRock Authenticator app, for example Demo.
{{issuer}}
-
Replaced with the issuer value of the account registered in the ForgeRock Authenticator app, for example ForgeRock.
Default:
Login attempt from {{user}} at {{issuer}}
amster
attribute:pushMessage
ssoadm
attribute:forgerock-am-auth-push-message
ForgeRock Authenticator (Push) registration authentication module properties
amster
service name: AuthenticatorPushRegistrationModule
ssoadm
service name: iPlanetAMAuthAuthenticatorPushRegistrationService
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:forgerock-am-auth-push-reg-auth-level
- Issuer Name
-
A value that appears as an identifier on the user’s device. Common choices are a company name, a web site, or an AM realm.
amster
attribute:issuer
ssoadm
attribute:forgerock-am-auth-push-reg-issuer
- Registration Response Timeout (ms)
-
The period of time (in milliseconds) to wait for a response to the registration QR code. If no response is received during this time the QR code times out and the registration process fails.
Default:
120000
amster
attribute:timeoutInMilliSecconds
ssoadm
attribute:forgerock-am-auth-push-message-registration-response-timeout
- Background Color
-
The background color in hex notation to display behind the issuer’s logo within the ForgeRock Authenticator app.
Default:
#519387
amster
attribute:bgcolour
ssoadm
attribute:forgerock-am-auth-hex-bgcolour
- Image URL
-
The location of an image to download and display as the issuer’s logo within the ForgeRock Authenticator app.
amster
attribute:imgUrl
ssoadm
attribute:forgerock-am-auth-img-url
- App Store App URL
-
URL of the app to download on the App Store.
Default:
https://itunes.apple.com/app/forgerock-authenticator/id1038442926
(the ForgeRock Authenticator app)amster
attribute:appleLink
ssoadm
attribute:forgerock-am-auth-apple-link
- Google Play URL
-
URL of the app to download on Google Play.
Default:
https://play.google.com/store/apps/details?id=com.forgerock.authenticator
(the ForgeRock Authenticator app)amster
attribute:googleLink
ssoadm
attribute:forgerock-am-auth-google-link
HOTP authentication module properties
amster
service name: HotpModule
ssoadm
service name: sunAMAuthHOTPService
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:sunAMAuthHOTPAuthLevel
- SMS Gateway Implementation Class
-
Specifies the class the HOTP module uses to send SMS or email messages. Specify a class that implements the
com.sun.identity.authentication.modules.hotp.SMSGateway
interface to customize the SMS gateway implementation.amster
attribute:smsGatewayClass
ssoadm
attribute:sunAMAuthHOTPSMSGatewayImplClassName
- Mail Server Host Name
-
Specifies the hostname of the mail server supporting SMTP for electronic mail.
amster
attribute:smtpHostname
ssoadm
attribute:sunAMAuthHOTPSMTPHostName
- Mail Server Host Port
-
Specifies the outgoing mail server port. The default port is 25, 465 (when connecting over SSL), or 587 (for StartTLS).
amster
attribute:smtpHostPort
ssoadm
attribute:sunAMAuthHOTPSMTPHostPort
- Mail Server Authentication Username
-
Specifies the username for AM to connect to the mail server.
amster
attribute:smtpUsername
ssoadm
attribute:sunAMAuthHOTPSMTPUserName
- Mail Server Authentication Password
-
Specifies the password for AM to connect to the mail server.
amster
attribute:smtpUserPassword
ssoadm
attribute:sunAMAuthHOTPSMTPUserPassword
- Mail Server Secure Connection
-
Specifies whether to connect to the mail server securely. If enabled, AM must be able to trust the server certificate.
The possible values for this property are:
SSL
Non SSL
Start TLS
amster
attribute:smtpSslEnabled
ssoadm
attribute:sunAMAuthHOTPSMTPSSLEnabled
- Email From Address
-
Specifies the
From:
address when sending a one-time password by mail.amster
attribute:smtpFromAddress
ssoadm
attribute:sunAMAuthHOTPSMTPFromAddress
- One-Time Password Validity Length (in minutes)
-
Specifies the amount of time, in minutes, the one-time passwords are valid after they are generated. The default is
5
minutes.amster
attribute:otpValidityDuration
ssoadm
attribute:sunAMAuthHOTPPasswordValidityDuration
- One-Time Password Length
-
Sets the length of one-time passwords.
amster
attribute:otpLength
ssoadm
attribute:sunAMAuthHOTPPasswordLength
Valid values:
6
and8
. - One Time Password Max Retry
-
The number of times entry of the OTP may be attempted. Minimum is 1, maximum is 10.
Default: 3
amster
attribute:oathOtpMaxRetry
ssoadm
attribute:forgerock-oath-max-retry
- One-Time Password Delivery
-
Specifies whether to send the one-time password by SMS, by mail, or both.
amster
attribute:otpDeliveryMethod
ssoadm
attribute:sunAMAuthHOTPasswordDelivery
Valid values:
SMS
,E-mail
, andSMS and E-mail
. - Mobile Phone Number Attribute Name
-
Provides the attribute name used for the text message. The default value is
telephoneNumber
.amster
attribute:userProfileTelephoneAttribute
ssoadm
attribute:openamTelephoneAttribute
- Mobile Carrier Attribute Name
-
Specifies a user profile attribute that contains a mobile carrier domain for sending SMS messages.
The uncustomized AM user profile does not have an attribute for the mobile carrier domain. You can:
-
Customize the AM user profile by adding a new attribute to it. Then you can populate the new attribute with users' SMS messaging domains.
All mobile carriers and bulk SMS messaging services have associated SMS messaging domains. For example, Verizon uses
vtext.com
, T-Mobile usestmomail.net
, and the TextMagic service usestextmagic.com
. If you plan to send text messages internationally, determine whether the messaging service requires a country code. -
Leave the value for Mobile Carrier Attribute Name blank, and let AM default to sending SMS messages using
txt.att.net
for all users.
amster
attribute:mobileCarrierAttribute
ssoadm
attribute:openamSMSCarrierAttribute
-
- Email Attribute Name
-
Provides the attribute name used to email the OTP. The default value is
mail
(email).amster
attribute:userProfileEmailAttribute
ssoadm
attribute:openamEmailAttribute
- Auto Send OTP Code
-
When enabled, configures the HOTP module to automatically generate an email or text message when users begin the login process.
ssoadm
attribute:sunAMAuthHOTPAutoClicking
HTTP Basic authentication module properties
amster
service name: HttpBasicModule
ssoadm
service name: iPlanetAMAuthHTTPBasicService
- Backend Module Name
-
Specifies the module that checks the user credentials. The credentials are then supplied to either a data store or other identity repository module for authentication.
amster
attribute:backendModuleName
ssoadm
attribute:iplanet-am-auth-http-basic-module-configured
Valid values:
LDAP
andDataStore
. - Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:iplanet-am-auth-httpbasic-auth-level
JDBC authentication module properties
amster
service name: JdbcModule
ssoadm
service name: sunAMAuthJDBCService
- Connection Type
-
Determines how the module obtains the connection to the database.
amster
attribute:connectionType
ssoadm
attribute:sunAMAuthJDBCConnectionType
Valid values:
JNDI
andJDBC
. - Connection Pool JNDI Name
-
Specifies the URL of the connection pool for JNDI connections. Refer to your web container’s documentation for instructions on setting up the connection pool.
amster
attribute:connectionPoolJndiName
ssoadm
attribute:sunAMAuthJDBCJndiName
- JDBC Driver
-
Specifies the JDBC driver to use for JDBC connections.
Install a suitable Oracle or MySQL driver in the container where AM is installed, for example in the
/path/to/tomcat/webapps/openam/WEB-INF/lib
path. You can add it to the AM.war
file when you deploy AM.amster
attribute:jdbcDriver
ssoadm
attribute:sunAMAuthJDBCDriver
- JDBC URL
-
Specifies the URL to connect to the database when using a JDBC connection.
amster
attribute:jdbcUrl
ssoadm
attribute:sunAMAuthJDBCUrl
- Database Username, Database Password
-
Specifies the user name and password used to authenticate to the database when using a JDBC connection.
ssoadm
attribute:sunAMAuthJDBCDbuser
andsunAMAuthJDBCDbpassword
- Password Column Name
-
Specifies the database column name where passwords are stored.
amster
attribute:passwordColumn
ssoadm
attribute:sunAMAuthJDBCPasswordColumn
- Prepared Statement
-
Specifies the SQL query to return the password corresponding to the user to authenticate.
amster
attribute:passwordStatement
ssoadm
attribute:sunAMAuthJDBCStatement
- Class to Transform Password Syntax
-
Specifies the class that transforms the password retrieved to the same format as provided by the user.
The default class expects the password in cleartext. Custom classes must implement the
JDBCPasswordSyntaxTransform
interface.amster
attribute:passwordTransformClass
ssoadm
attribute:sunAMAuthJDBCPasswordSyntaxTransformPlugin
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:sunAMAuthJDBCAuthLevel
AM provides two properties, When using JDBC databases, consider adding the |
LDAP authentication module properties
amster
service name: LdapModule
ssoadm
service name: iPlanetAMAuthLDAPService
- Primary LDAP Server, Secondary LDAP Server
-
Specify the primary and secondary directory server(s).
Both properties take more than one value, allowing more than one primary or secondary remote server, respectively.
Directory servers generally use built-in data replication for high availability. Thus, a directory service typically consists of a pool of replicas to which AM can connect to retrieve and update directory data. AM attempts to contact the primary server(s) first, but if unavailable, AM attempts to contact the secondary servers.
For the current AM server, specify each directory server in the format
server:port
. For other AM servers in the deployment, define each server aslocal_server_name | server:port
. For example, if theserver
ishttps://openam.example.com:8443/openam
, and the directory server is accessible atopendj.example.com:1636
, enter the value asopenam.example.com|opendj.example.com:1636
.Assuming a multi-data center environment, AM determines priority within the primary and secondary remote servers as follows:
-
LDAP servers that are mapped to the current AM instance have the highest priority.
For example, if you are connected to
openam1.example.com
andldap1.example.com
is mapped to that AM instance, then AM usesldap1.example.com
. -
LDAP servers that are not specifically mapped to a given AM instance have the next highest priority.
For example, if you have another LDAP server,
ldap2.example.com
, that is not connected to a specific AM server and ifldap1.example.com
is unavailable, AM connects to the next highest priority LDAP server,ldap2.example.com
. -
LDAP servers that are mapped to different AM instances have the lowest priority.
For example, if
ldap3.example.com
is connected toopenam3.example.com
andldap1.example.com
andldap2.example.com
are unavailable, thenopenam1.example.com
connects toldap3.example.com
.ssoadm
attributes are: primary isiplanet-am-auth-ldap-server
; secondary isiplanet-am-auth-ldap-server2
.
-
- DN to Start User Search
-
Specifies the base DN from which AM searches for users to authenticate.
LDAP data is organized hierarchically, similar to a file system on Windows or UNIX. More specific DNs likely result in better performance. When configuring the module for a particular part of the organization, you can start searches from a specific organizational unit, such as
OU=sales,DC=example,DC=com
.If multiple entries exist with identical search attribute values, ensure this value is specific enough to return a single entry.
amster
attribute:userSearchStartDN
ssoadm
attribute:iplanet-am-auth-ldap-base-dn
- Bind User DN, Bind User Password
-
Specify the user and password of the administration account used for authentication to the directory server.
If AM stores attributes in the directory, for example, to manage account lockout, or if the directory requires that AM authenticate in order to read users' attributes, then AM needs the DN and password to authenticate to the directory.
Make sure that the password is correct before you logout. If it is incorrect, you will be locked out and you will need to log in with the superuser DN. By default, this is
uid=amAdmin,ou=People,AM-deploy-base
, whereAM-deploy-base
was set during AM configuration.amster
attributes:userBindDN
anduserBindPassword
ssoadm
attributes:iplanet-am-auth-ldap-bind-dn
andiplanet-am-auth-ldap-bind-passwd
- Attribute Used to Retrieve User Profile
-
LDAP uses this attribute to search for the profile of an authenticated user. Usually, this is the same attribute used to find the user account, such as the value set as the
uid
in AM. For example, where the attribute is set tomail
, the LDAP module searchesCN=Users,DC=example,DC=com
with a filter"(MAIL=bjensen@example.com)"
, and the directory returns the user profile that matchesMAIL=bjensen@example.com
.The attribute is only used if User Profile is set to
Required
andReturn User DN to DataStore
is not enabled.amster
attribute:userProfileRetrievalAttribute
ssoadm
attribute:iplanet-am-auth-ldap-user-naming-attribute
- Attributes Used to Search for a User to be Authenticated
-
The attributes specified in this list define the LDAP search filter. Multiple attribute values mean the user can authenticate with any one of the values. For example, if you have both
uid
andmail
, then Barbara Jensen can authenticate with eitherbjensen
orbjensen@example.com
.amster
attribute:userSearchAttributes
ssoadm
attribute:iplanet-am-auth-ldap-user-search-attributes
- User Search Filter
-
The User Search Filter text box provides a more complex filter. For example, if you search using
mail
and add the User Search Filter(objectClass=inetOrgPerson)
, then AM uses the resulting search filter(&(mail=address)(objectClass=inetOrgPerson))
, where address is the mail address provided by the user.amster
attribute:userSearchAttributes
ssoadm
attribute:iplanet-am-auth-ldap-search-filter
- Search Scope
-
This attribute defines the level of directory that will be searched for a matching profile. You can set the search to run at a high level or against a specific area:
-
OBJECT searches only for the entry specified as the 'DN to Start User Search'.
-
ONELEVEL searches only the entries that are direct children of that object.
-
SUBTREE searches the entry specified and all entries at levels below.
ssoadm
attribute:iplanet-am-auth-ldap-search-scope
-
- LDAP Connection Mode
-
If you want to initiate secure communications to data stores using SSL or StartTLS, AM must be able to trust the server’s certificates, either because the certificates were signed by a CA whose certificate is already included in the trust store used by the container where AM runs, or because you imported the certificates into the trust store.
ssoadm
attribute:openam-auth-ldap-connection-mode
Possible values:
LDAP
,LDAPS
, andStartTLS
- Return User DN to DataStore
-
If User Profile is set to
Required
, this attribute determines whether the DN or the username is returned as the authentication principal.When enabled, the module returns the DN rather than the User ID or the value set in
Attribute Used to Retrieve User Profile
. The returned value is then used to make the request to retrieve the profile attributes from the user store.amster
attribute:returnUserDN
ssoadm
attribute:iplanet-am-auth-ldap-return-user-dn
- User Creation Attributes
-
This list of attributes defines the mapping of internal attribute names to external attribute names for dynamic profile creation. The attributes retrieved from the user’s authenticated profile are mapped against the values that will be provisioned into their matching account in the data store. This list does not include
uid
mappings.The format of the list is
internal_attr1|external_attr1
.amster
attribute:profileAttributeMappings
ssoadm
attribute:iplanet-am-ldap-user-creation-attr-list
- Minimum Password Length
-
Set the minimum length required for a valid password when a user needs to reset their password during authentication.
This value is distinct from password requirements set by the underlying directory server. To avoid confusion, set the value to 0 if an external LDAP server is enforcing password policy.
amster
attribute:minimumPasswordLength
ssoadm
attribute:iplanet-am-auth-ldap-min-password-length
- LDAP Behera Password Policy Support
-
Determines whether LDAP Behera password policies are supported by a directory server such as PingDS. If the property is set to false, then only the older Netscape VCHU password policy standard will be enforced.
amster
attribute:beheraPasswordPolicySupportEnabled
ssoadm
attribute:iplanet-am-auth-ldap-behera-password-policy-enabled
- Trust All Server Certificates
-
When enabled, the module trusts all server certificates, including self-signed certificates.
amster
attribute:trustAllServerCertificates
ssoadm
attribute:iplanet-am-auth-ldap-ssl-trust-all
- LDAP Connection Heartbeat Interval
-
Specifies how often AM should send a heartbeat request to the directory server to ensure that the connection does not remain idle. Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to 0. To set the units for the interval, use LDAP Connection Heartbeat Time Unit.
Default: 1
amster
attribute:connectionHeartbeatInterval
ssoadm
attribute:openam-auth-ldap-heartbeat-interval
- LDAP Connection Heartbeat Time Unit
-
Specifies the time unit corresponding to LDAP Connection Heartbeat Interval. Possible values are
SECONDS
,MINUTES
, andHOURS
.amster
attribute:connectionHeartbeatTimeUnit
ssoadm
attribute:openam-auth-ldap-heartbeat-timeunit
- LDAP operations timeout
-
Defines the timeout, in seconds, that AM should wait for a response from the directory server.
Default: 0 (means no timeout)
amster
attribute:operationTimeout
ssoadm
attribute:openam-auth-ldap-operation-timeout
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:iplanet-am-auth-ldap-auth-level
- Stop LDAP Binds after in-memory lockout
-
If enabled, prevent AM from sending further bind requests to the LDAP Server when the user is locked out through a duration lockout.
amster
attribute:stopLdapbindAfterInmemoryLockedEnabled
ssoadm
attribute:openam-auth-stop-ldap-bind-after-inmemory-locked-enabled
Legacy OAuth 2.0/OpenID Connect authentication module properties
This authentication module is labelled as legacy. Equivalent functionality is provided by the following authentication modules: The Legacy OAuth 2.0/OpenID Connect Authentication Module will only be available in AM when upgrading from a previous version that was making use of the module in a chain. It is not available in new, clean installations since AM 5.5. |
The default settings are for Facebook.
amster
service name: OAuth2Module
ssoadm
service name: sunAMAuthOAuthService
- Client id
-
Specifies the OAuth 2.0
client_id
parameter as described in section 2.2 of RFC 6749.amster
attribute:clientId
ssoadm
attribute:iplanet-am-auth-oauth-client-id
- Client Secret
-
Specifies the OAuth 2.0
client_secret
parameter as described in section 2.3 of RFC 6749.amster
attribute:clientSecret
ssoadm
attribute:iplanet-am-auth-oauth-client-secret
- Authentication Endpoint URL
-
Specifies the URL to the endpoint handling OAuth 2.0 authentication as described in section 3.1 of RFC 6749.
amster
attribute:authenticationEndpointUrl
ssoadm
attribute:iplanet-am-auth-oauth-auth-service
- Access Token Endpoint URL
-
Specifies the URL to the endpoint handling access tokens as described in section 3.2 of RFC 6749.
amster
attribute:accessTokenEndpointUrl
ssoadm
attribute:iplanet-am-auth-oauth-token-service
- User Profile Service URL
-
Specifies the user profile URL that returns profile information in JSON format.
Default:
https://graph.facebook.com/me
.amster
attribute:userProfileServiceUrl
ssoadm
attribute:iplanet-am-auth-oauth-user-profile-service
- Scope
-
Specifies a space-delimited list of user profile attributes that the client application requires, according to The OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner, such as the end user, grants to the client application.
Some authorization servers use non-standard separators for scopes. Facebook, for example, takes a comma-separated list.
Default:
email,read_stream
(Facebook example)amster
attribute:scope
ssoadm
attribute:iplanet-am-auth-oauth-scope
- OAuth2 Access Token Profile Service Parameter name
-
Specifies the name of the parameter that contains the access token value when accessing the profile service.
Default:
access_token
.amster
attribute:accessTokenParameterName
ssoadm
attribute:iplanet-am-auth-oauth-user-profile-param
- Proxy URL
-
Sets the URL to the
/oauth2c/OAuthProxy.jsp
file, which provides AM with GET to POST proxying capabilities. Change this URL only if an external server performs the GET to POST proxying.Default:
@SERVER_PROTO@://@SERVER_HOST@:@SERVER_PORT@/@SERVER_URI@/oauth2c/OAuthProxy.jsp
.amster
attribute:ssoProxyUrl
ssoadm
attribute:iplanet-am-auth-oauth-sso-proxy-url
- Account Provider
-
Specifies the name of the class that implements the account provider.
Default:
org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider
amster
attribute:accountProviderClass
ssoadm
attribute:org-forgerock-auth-oauth-account-provider
- Account Mapper
-
Specifies the name of the class that implements the attribute mapping for the account search.
For Google implementations, use
_org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper|*|Google-+
.For Facebook implementations, use
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|facebook-
.Default:
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
amster
attribute:accountMapperClass
ssoadm
attribute:org-forgerock-auth-oauth-account-mapper
- Account Mapper Configuration
-
Specifies the attribute configuration used to map the account of the user authenticated in the OAuth 2.0 provider to the local data store in AM. Valid values are in the form
provider-attr=local-attr
.When using the
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
class, you can parse JSON objects in mappings, by using dot notation.For example, given a JSON payload of:
{ "sub" : "12345", "name" : { "first_name" : "Demo", "last_name" : "User" } }
You can create a mapper, such as
name.first_name=cn
.Default:
email=mail
andid=facebook-id
.amster
attribute:accountMapperConfiguration
ssoadm
attribute:org-forgerock-auth-oauth-account-mapper-configuration
- Attribute Mapper
-
Specifies the list of fully qualified class names for implementations that map attributes from the OAuth 2.0 authorization server or OpenID Connect provider to AM profile attributes.
Default:
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
Provided implementations are:
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
,org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
(can only be used when using theopenid
scope)You can provide string constructor parameters by appending pipe (
|
) separated values.For example, the
org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
class can take two constructor parameters: a comma-separated list of attributes and a prefix to apply to their values. Specify these as follows:org.forgerock.openam.authentication.modules.oidc.JsonAttributeMapper
amster
attribute:attributeMappingClasses
ssoadm
attribute:org-forgerock-auth-oauth-attribute-mapper
- Attribute Mapper Configuration
-
Map of OAuth 2.0 provider user account attributes to local user profile attributes, with values in the form
provider-attr=local-attr
.When using the
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
class, you can parse JSON objects in mappings, by using dot notation.For example, given a JSON payload of:
{ "sub" : "12345", "name" : { "first_name" : "Demo", "last_name" : "User" } }
You can create a mapper, such as
name.first_name=cn
.Default:
first_name=givenname
,last_name=sn
,name=cn
,email=mail
,id=facebook-id
,first_name=facebook-fname
,last_name=facebook-lname
,email=facebook-email
.amster
attribute:attributeMapperConfiguration
ssoadm
attribute:org-forgerock-auth-oauth-attribute-mapper-configuration
- Save attributes in the session
-
When enabled, saves the attributes in the Attribute Mapper Configuration field to the AM session.
amster
attribute:saveAttributesInSession
ssoadm
attribute:org-forgerock-auth-oauth-save-attributes-to-session-flag
- Email attribute in OAuth2 Response
-
Specifies the attribute identifying the authenticated user’s email address in the response from the profile service in the OAuth 2.0 provider. This setting is used to send an email message with an activation code for accounts created dynamically.
amster
attribute:oauth2EmailAttribute
ssoadm
attribute:org-forgerock-auth-oauth-mail-attribute
- Create account if it does not exist
-
When enabled, AM creates an account for the user if the user profile does not exist. If the Prompt for password setting and activation code attribute is enabled, AM prompts the user for a password and activation code before creating the account.
When the OAuth 2.0/OpenID Connect client is configured to create new accounts, the SMTP settings must also be valid. As part of account creation, the OAuth 2.0/OpenID Connect client authentication module sends the resource owner an email with an account activation code. To send the mail, AM uses the SMTP settings you provide here in the OAuth 2.0/OpenID Connect client configuration.
When disabled, a user without a profile may still log into AM if the Ignore Profile attribute is set in the authentication service of the realm, or if the account is mapped to an anonymous account.
amster
attribute:createAccount
ssoadm
attribute:org-forgerock-auth-oauth-createaccount-flag
- Prompt for password setting and activation code
-
When enabled, the user must set a password before AM creates an account dynamically. An activation code is also sent to the user’s email address. Both the password and the code are required before the account is created.
amster
attribute:promptForPassword
ssoadm
attribute:org-forgerock-auth-oauth-prompt-password-flag
- Map to anonymous user
-
When enabled, maps the OAuth 2.0 authenticated user to the specified anonymous user. If the Create account if it does not exist property is enabled, AM creates an account for the authenticated user instead of mapping the account to the anonymous user.
amster
attribute:mapToAnonymousUser
ssoadm
attribute:org-forgerock-auth-oauth-map-to-anonymous-flag
- Anonymous User
-
Specifies an anonymous user that exists in the current realm. The user status of this anonymous user must be
Active
. TheMap to anonymous user
property maps authorized users without a profile to this anonyomus user, if enabled.Default:
anonymous
.amster
attribute:anonymousUserName
ssoadm
attribute:org-forgerock-auth-oauth-anonymous-user
- OAuth 2.0 Provider logout service
-
Specifies the optional URL of the OAuth 2.0 provider’s logout service, if required.
amster
attribute:oauth2LogoutServiceUrl
ssoadm
attribute:org-forgerock-auth-oauth-logout-service-url
- Logout options
-
Specifies whether not to log the user out without prompting from the OAuth 2.0 provider on logout, to log the user out without prompting, or to prompt the user regarding whether to log out from the OAuth 2.0 provider.
Valid values are:
-
prompt
, to ask the user whether or not to log out from the OAuth 2.0 provider. -
logout
, to log the user out of the OAuth 2.0 provider without prompting. -
donotlogout
, to keep the user logged in to the OAuth 2.0 provider. There is no prompt to the user.
Default:
prompt
.amster
attribute:logoutBehaviour
ssoadm
attribute:org-forgerock-auth-oauth-logout-behaviour
-
- Mail Server Gateway implementation class
-
Specifies the class used by the module to send email. A custom subclass of
org.forgerock.openam.authentication.modules.oauth2.EmailGateway
class can be provided.Default:
org.forgerock.openam.authentication.modules.oauth2.DefaultEmailGatewayImpl
amster
attribute:mailGatewayClass
ssoadm
attribute:org-forgerock-auth-oauth-email-gwy-impl
- SMTP host
-
Specifies the host name of the mail server.
Default:
localhost
.amster
attribute:smtpHostName
ssoadm
attribute:org-forgerock-auth-oauth-smtp-hostname
- SMTP port
-
Specifies the SMTP port number for the mail server.
Default:
25
.amster
attribute:smtpHostPort
ssoadm
attribute:org-forgerock-auth-oauth-smtp-port
- SMTP User Name, SMTP User Password
-
Specifies the username and password AM uses to authenticate to the mail server.
ssoadm
attribute:org-forgerock-auth-oauth-smtp-username
andorg-forgerock-auth-oauth-smtp-password
. - SMTP SSL Enabled
-
When enabled, connects to the mail server over SSL. AM must be able to trust the SMTP server certificate.
amster
attribute:smtpSslEnabled
ssoadm
attribute:org-forgerock-auth-oauth-smtp-ssl_enabled
- SMTP From address
-
Specifies the address of the email sender, such as
no-reply@example.com
.Default:
info@forgerock.com
.amster
attribute:smtpFromAddress
ssoadm
attribute:org-forgerock-auth-oauth-smtp-email-from
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
Default: 0.
amster
attribute:authenticationLevel
ssoadm
attribute:iplanet-am-auth-oauth-auth-level
- OpenID Connect validation configuration type
-
Validates the ID token from the OpenID Connect provider. The module needs either a URL to get the public keys for the provider or the symmetric key for an ID token signed with a HMAC-based algorithm.
By default, the configuration type is
.well-known/openid-configuration_url
. This means the module should retrieve the keys based on information in the OpenID Connect provider configuration document.You can instead configure the authentication module to validate the ID token signature with the client secret key you provide, or to validate the ID token with the keys retrieved from the URL to the OpenID Connect provider’s JSON web key set.
/oauth2/realms/root/.well-known/openid-configuration_url
(Default)-
Retrieve the provider keys based on the information provided in the OpenID Connect Provider Configuration Document.
Specify the URL to the document as the discovery URL.
client_secret
-
Use the client secret that you specify as the key to validate the ID token signature according to the HMAC by using the client secret to the decrypt the hash, and then checking that the hash matches the hash of the ID token JWT.
jwk_url
-
Retrieve the provider’s JSON web key set as the URL that you specify.
amster
attribute:cryptoContextType
ssoadm
attribute:openam-auth-openidconnect-crypto-context-type
- OpenID Connect validation configuration value
-
Edit this field depending on the Configuration type you specified in the OpenId Connect validation configuration type field.
amster
attribute:cryptoContextValue
ssoadm
attribute:openam-auth-openidconnect-crypto-context-value
- Token Issuer
-
Required when the
openid
scope is included. Value must match theiss
field in the issued ID token. For example,accounts.google.com
.The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled. For more information, see OAuth 2.0 Mix-Up Mitigation.
amster
attribute:idTokenIssuer
ssoadm
attribute:openam-auth-openidconnect-issuer-name
Old uses of |
The following table shows endpoint URLs for AM when configured as an OAuth 2.0 provider. For details, see OAuth 2.0. The default endpoints are for Facebook as the OAuth 2.0 provider.
In addition to the endpoint URLs you can set other fields, like scope and attribute mapping, depending on the provider you use:
AM Field | Details |
---|---|
Authorization Endpoint URL |
This AM endpoint can take additional parameters. In particular, you must specify the realm if the AM OAuth 2.0 provider is configured for a subrealm rather than the Top Level Realm. When making a REST API call, specify the realm in the path component of the endpoint.
You must specify the entire hierarchy of the realm, starting at the Top Level Realm.
Prefix each realm in the hierarchy with the For example, if the OAuth 2.0 provider is configured for the subrealm The Example: |
Access Token Endpoint URL |
This AM endpoint can take additional parameters. In particular, you must specify the realm if the AM OAuth 2.0 provider is configured for a subrealm rather than the Top Level Realm. When making a REST API call, specify the realm in the path component of the endpoint.
You must specify the entire hierarchy of the realm, starting at the Top Level Realm.
Prefix each realm in the hierarchy with the For example, if the OAuth 2.0 provider is configured for the subrealm The Example: |
User Profile Service URL |
Example: |
OAuth 2.0 Mix-Up Mitigation
AM has added a new property to the OAuth 2.0 authentication module,
openam-auth-oauth-mix-up-mitigation-enabled
.
This OAuth 2.0 Mix-Up Mitigation property controls
whether the OAuth 2.0 authentication module carries out additional verification steps
when it receives the authorization code from the authorization server.
This setting should be only enabled when the authorization server also supports OAuth 2.0 Mix-Up Mitigation.
- OAuth 2.0 Mix-Up Mitigation Enabled
-
Specifies that the client must compare the issuer identifier of the authorization server upon registration with the issuer value returned in the
iss
response parameter. If they do not match, the client must abort the authorization process. The client must also confirm that the authorization server’s response is intended for the client by comparing the client’s client identifier to the value of theclient_id
response parameter.For more information, see section 4 of OAuth 2.0 Mix-Up Mitigation Draft.
At the time of this release, Facebook, Google, and Microsoft identity providers do not support this draft. amster
attribute:mixUpMitigation
ssoadm
attribute:openam-auth-oauth-mix-up-mitigation-enabled
In the AM admin UI, the field Token Issuer must be provided when the OAuth 2.0 Mix-Up Mitigation feature is enabled. The authorization code response will contain an issuer value (
iss
) that will be validated by the client. When the module is an OAuth2-only module (that is, OIDC is not used), the issuer value needs to be explicitly set in the Token Issuer field, so that the validation can succeed.Consult with the authorization server’s documentation on what value it uses for the issuer field.
MSISDN authentication module properties
amster
service name: MsisdnModule
ssoadm
service name: sunAMAuthMSISDNService
- Trusted Gateway IP Address
-
Specifies a list of IP addresses of trusted clients that can access MSISDN modules. Either restrict the clients allowed to access the MSISDN module by adding each IPv4 or IPv6 address here, or leave the list empty to allow all clients to access the module. If you specify the value
none
, no clients are allowed access.amster
attribute:trustedGatewayIPAddresses
ssoadm
attribute:sunAMAuthMSISDNTrustedGatewayList
- MSISDN Number Search Parameter Name
-
Specifies a list of parameter names that identify which parameters to search in the request header or cookie header for the MSISDN number. For example, if you define x-Cookie-Param, AM_NUMBER, and COOKIE-ID, the MSISDN authentication service checks those parameters for the MSISDN number.
amster
attribute:msisdnParameterNames
ssoadm
attribute:sunAMAuthMSISDNParameterNameList
- LDAP Server and Port
-
Specifies the LDAP server FQDN and its port in the format
ldap-server:port
. AM servers can be paired with LDAP servers and ports by adding entries of the formAM-server|ldap_server:port
, for example,openam.example.com|ldap1.example.com:649
.To use SSL or TLS for security, enable the SSL/TLS Access to LDAP property. Make sure that AM can trust the servers' certificates when using this option.
amster
attribute:ldapProviderUrl
ssoadm
attribute:sunAMAuthMSISDNLdapProviderUrl
- LDAP Start Search DN
-
Specifies the DN of the entry where the search for the user’s MSISDN number should start. AM servers can be paired with search base DNs by adding entries with the format
AM-server|base-dn
. For example,openam.example.com|dc=openam,dc=forgerock,dc=com
.amster
attribute:baseSearchDN
ssoadm
attribute:sunAMAuthMSISDNBaseDn
- Attribute To Use To Search LDAP
-
Specifies the name of the attribute in the user’s profile that contains the MSISDN number to search for the user. The default is
sunIdentityMSISDNNumber
.amster
attribute:userProfileMsisdnAttribute
ssoadm
attribute:sunAMAuthMSISDNUserSearchAttribute
- LDAP Server Authentication User, LDAP Server Authentication Password
-
Specifies the bind DN and password of the service account AM uses to authenticate to the directory server. The default is
uid=admin
.ssoadm
attribute:sunAMAuthMSISDNPrincipalUser
andsunAMAuthMSISDNPrincipalPasswd
. - SSL/TLS for LDAP Access
-
When enabled, AM uses LDAPS or StartTLS to connect to the directory server. If you choose to enable SSL or TLS, then make sure that AM can trust the servers' certificates.
amster
attribute:ldapSslEnabled
ssoadm
attribute:sunAMAuthMSISDNUseSsl
- MSISDN Header Search Attribute
-
Specifies which elements are searched for the MSISDN number. The possible values are:
searchCookie
-
To search the cookie.
searchRequest
-
To search the request header.
searchParam
-
To search the request parameters.
amster
attribute:msisdnRequestSearchLocations
ssoadm
attribute:sunAMAuthMSISDNHeaderSearch
- LDAP Attribute Used to Retrieve User Profile
-
Specify the LDAP attribute that is used during a search to return the user profile for MSISDN authentication service. The default is
uid
.amster
attribute:msisdnUserNamingAttribute
ssoadm
attribute:sunAMAuthMSISDNUserNamingAttribute
- Return User DN to DataStore
-
When enabled, this option allows the authentication module to return the DN instead of the User ID. AM thus does not need to perform an additional search with the user ID to find the user’s entry.
Enable this option only when the AM directory is the same as the directory configured for MSISDN searches.
amster
attribute:returnUserDN
ssoadm
attribute:sunAMAuthMSISDNReturnUserDN
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:sunAMAuthMSISDNAuthLevel
OATH authentication module properties
amster
service name: OathModule
ssoadm
service name: iPlanetAMAuthOATHService
Also refer to Differences between authentication modules that support HOTP.
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:iplanet-am-auth-oath-auth-level
- One Time Password Length
-
Sets the length of the OTP to six digits or longer. The default value is six.
amster
attribute:passwordLength
ssoadm
attribute:iplanet-am-auth-oath-password-length
- Minimum Secret Key Length
-
The minimum number of hexadecimal characters allowed for the secret key.
amster
attribute:minimumSecretKeyLength
ssoadm
attribute:iplanet-am-auth-oath-min-secret-key-length
- Secret Key Attribute Name
-
The name of the attribute where the key will be stored in the user profile.
amster
attribute:secretKeyAttribute
ssoadm
attribute:iplanet-am-auth-oath-secret-key-attribute
- OATH Algorithm to Use
-
Select whether to use HOTP or TOTP. You can create an authentication chain to allow for a greater variety of devices. The default value is HOTP.
amster
attribute:oathAlgorithm
ssoadm
attribute:iplanet-am-auth-oath-algorithm
- HOTP Window Size
-
The window that the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the server’s last successful login was at counter value 2, then the server will accept an OTP from device counter 3 to 102. The default value is 100.
amster
attribute:hotpWindowSize
ssoadm
attribute:iplanet-am-auth-oath-hotp-window-size
For information on resetting the HOTP counter, see Reset registered devices over REST. - Counter Attribute Name
-
The name of the HOTP attribute where the counter will be stored in the user profile.
amster
attribute:hotpCounterAttribute
ssoadm
attribute:iplanet-am-auth-oath-hotp-counter-attribute
- Add Checksum Digit
-
Adds a checksum digit at the end of the HOTP password to verify the OTP was generated correctly. This is in addition to the actual password length. Set this only if your device supports it. The default value is No.
amster
attribute:addChecksum
ssoadm
attribute:iplanet-am-auth-oath-add-checksum
- Truncation Offset
-
Advanced feature that is device-specific. Let this value default unless you know your device uses a truncation offset. The default value is -1.
amster
attribute:truncationOffset
ssoadm
attribute:iplanet-am-auth-oath-truncation-offset
- TOTP Time Step Interval
-
The time interval for which an OTP is valid. For example, if the time step interval is 30 seconds, a new OTP will be generated every 30 seconds, and an OTP will be valid for 30 seconds. The default value is 30 seconds.
amster
attribute:timeStepSize
ssoadm
attribute:iplanet-am-auth-oath-size-of-time-step
- One Time Password Max Retry
-
The number of times entry of the OTP may be attempted. Minimum is 1, maximum is 10.
Default: 3
amster
attribute:oathOtpMaxRetry
ssoadm
attribute:forgerock-oath-max-retry
- TOTP Time Steps
-
The number of time step intervals that the system and the device can be off before password resynchronization is required. For example, if the number of TOTP time steps is 2 and the TOTP time step interval is 30 seconds, the server will allow an 89 second clock skew between the client and the server—two 30 second steps plus 29 seconds for the interval in which the OTP arrived. The default value is 2.
amster
attribute:stepsInWindow
ssoadm
attribute:iplanet-am-auth-oath-steps-in-window
- Last Login Time Attribute
-
The name of the attribute where both HOTP and TOTP authentication will store information on when a person last logged in.
amster
attribute:lastLoginTimeAttribute
ssoadm
attribute:iplanet-am-auth-oath-last-login-time-attribute-name
- The Shared Secret Provider Class
-
The class that processes the user profile attribute where the user’s secret key is stored. The name of this attribute is specified in the Secret Key Attribute Name property.
Default:
org.forgerock.openam.authentication.modules.oath.plugins.DefaultSharedSecretProvider
ssoadm
attribute:forgerock-oath-sharedsecret-implementation-class
- Clock Drift Attribute Name
-
The user profile attribute where the clock drift is stored. If this field is not specified, then AM does not check for clock drift.
ssoadm
attribute:forgerock-oath-observed-clock-drift-attribute-name
- Maximum Allowed Clock Drift
-
The maximum acceptable clock drift before authentication fails. If this value is exceeded, the user must register their device again.
The Maximum Allowed Clock Drift value should be greater than the TOTP Time Steps value.
ssoadm
attribute:forgerock-oath-maximum-clock-drift
OpenID Connect id_token bearer authentication module properties
The default settings are for Google’s provider.
amster
service name: SocialAuthOpenIDModule
ssoadm
service name: amAuthOpenIdConnect
- Account provider class
-
The account provider provides the means to search for and create OpenID Connect users given a set of attributes.
Default:
org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider
amster
attribute:accountProviderClass
ssoadm
attribute:openam-auth-openidconnect-account-provider-class
- OpenID Connect validation configuration type
-
In order to validate the ID token from the OpenID Connect provider, the module needs either a URL to get the public keys for the provider, or the symmetric key for an ID token signed with a HMAC-based algorithm; AM ignores keys specified in JWT headers, such as `jku` and `jwe`.
By default, the configuration type is
.well-known/openid-configuration_url
. This means the module should retrieve the keys based on information in the OpenID Connect Provider Configuration Document.You can instead configure the authentication module to validate the ID token signature with the client secret key you provide, or to validate the ID token with the keys retrieved from the URL to the OpenID Connect provider’s JSON web key set.
.well-known/openid-configuration_url
(Default)-
Retrieve the provider keys based on the information provided in the OpenID Connect Provider Configuration Document.
Specify the URL to the document as the discovery URL.
client_secret
-
Use the client secret that you specify as the key to validate the ID token signature according to the HMAC, using the client secret to the decrypt the hash and checking that the hash matches the hash of the ID token JWT.
jwk_url
-
Retrieve the provider’s JSON web key set at the URL that you specify.
amster
attribute:cryptoContextType
ssoadm
attribute:openam-auth-openidconnect-crypto-context-type
- OpenID Connect validation configuration value
-
Specifies the discovery URL, JWK or the client secret corresponding to the configuration type selected in the OpenID Connect validation configuration type property.
amster
attribute:cryptoContextValue
ssoadm
attribute:openam-auth-openidconnect-crypto-context-value
- Name of header referencing the ID Token
-
Specifies the name of the HTTP request header to search for the ID token.
Default:
oidc_id_token
amster
attribute:idTokenHeaderName
ssoadm
attribute:openam-auth-openidconnect-header-name
- Name of OpenID Connect ID Token Issuer
-
Corresponds to the expected issue identifier value in the
iss
field of the ID token.Default:
accounts.google.com
amster
attribute:idTokenIssuer
ssoadm
attribute:openam-auth-openidconnect-issuer-name
- Mapping of jwt attributes to local LDAP attributes
-
Maps OpenID Connect ID token claims to local user profile attributes, allowing the module to retrieve the user profile based on the ID token.
In OpenID Connect, an ID token is represented as a JSON Web Token (JWT). The ID Token section of the OpenID Connect Core 1.0 specification defines a number of claims included in the ID token for all flows. Additional claims depend on the scopes requested of the OpenID Connect provider.
For each item in the map, the key is the ID token field name and the value is the local user profile attribute name.
Default:
mail=email
,uid=sub
ssoadm
attribute:openam-auth-openidconnect-jwt-to-local-attribute-mappings
- Audience name
-
Specifies a case-sensitive audience name for this OpenID Connect authentication module. Used to check that the ID token received is intended for this module as an audience.
Default:
example
amster
attribute:audienceName
ssoadm
attribute:openam-auth-openidconnect-audience-name
- List of accepted authorized parties
-
Specifies a list of case-sensitive strings and/or URIs from which this authentication module accepts ID tokens. This list is checked against the authorized party claim of the ID token.
Default:
AuthorizedPartyExample http://www.example.com/authorized/party
amster
attribute:acceptedAuthorizedParties
ssoadm
attribute:openam-auth-openidconnect-accepted-authorized-parties
- Principal Mapper class
-
Specifies the class that implements the mapping of the OpenID Connect end user to an AM account. The default principal mapper uses the mapping of local attributes to ID token attributes to find a user profile.
Default:
org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
amster
attribute:principalMapperClass
ssoadm
attribute:openam-auth-openidconnect-principal-mapper-class
Persistent Cookie authentication module properties
amster
service name: PersistentCookieModule
ssoadm
service name: iPlanetAMAuthPersistentCookieService
- Idle Timeout
-
Specifies the maximum idle time between requests in hours. If that time is exceeded, the cookie is no longer valid.
ssoadm
attribute:openam-auth-persistent-cookie-idle-time
- Max Life
-
Specifies the maximum life of the cookie in hours.
ssoadm
attribute:openam-auth-persistent-cookie-max-life
- Enforce Client IP
-
When enabled, enforces that the persistent cookie can only be used from the same client IP to which the cookie was issued.
ssoadm
attribute:openam-auth-persistent-cookie-enforce-ip
- Use secure cookie
-
When enabled, adds the "Secure" attribute to the persistent cookie.
ssoadm
attribute:openam-auth-persistent-cookie-secure-cookie
- Use HTTP only cookie
-
When enabled, adds the
HttpOnly
attribute to the persistent cookie.ssoadm
attribute:openam-auth-persistent-cookie-http-only-cookie
- Persistent Cookie Name
-
Set the name of the persistent cookie.
Default:
session-jwt
ssoadm
attribute:openam-auth-persistent-cookie-name
RADIUS authentication module properties
amster
service name: RadiusModule
ssoadm
service name: iPlanetAMAuthRadiusService
- Primary Radius Servers, Secondary Radius Servers
-
Specify one or more primary and secondary RADIUS servers.
When configuring RADIUS servers, specify their IP address or FQDN. Configuring multiple servers allows you to map a RADIUS server to a specific AM instance of the form
AM-instance | RADIUS-server
, where the AM instance is also specified by its IP address or FQDN.Ensure each RADIUS server listens to the port specified in the Port Number field. When authenticating users from a directory server that is remote to AM, set the primary values and, optionally, the secondary server values. Assuming a multi-data center environment, AM determines priority within the primary and secondary remote servers, respectively, as follows:
-
Every RADIUS server that is mapped to the current AM instance has highest priority.
-
Every RADIUS server that was not specifically mapped to a given AM instance has the next highest priority.
-
RADIUS servers that are mapped to different AM instances have the lowest priority.
AM does not use round-robin load balancing to set priority. AM uses an active-passive algorithm, determining the highest priority to the first available server within the primary server list. If no primary servers are available, AM uses the secondary remote server.
ssoadm
attribute:primary is iplanet-am-auth-radius-server1
; secondary isiplanet-am-auth-radius-server2
-
- Shared Secret
-
Specify the shared secret for RADIUS authentication. The shared secret should be as secure as a well-chosen password.
amster
attribute:sharedSecret
ssoadm
attribute:iplanet-am-auth-radius-secret
- Port Number
-
Specify the RADIUS server port.
Default is 1645.
amster
attribute:serverPortNumber
ssoadm
attribute:iplanet-am-auth-radius-server-port
- Timeout
-
Specify how many seconds to wait for the RADIUS server to respond. The default value is 3 seconds.
amster
attribute:serverTimeout
ssoadm
attribute:iplanet-am-auth-radius-timeout
- Health Check Interval
-
Used for failover. Specify how often AM performs a health check on a previously unavailable RADIUS server by sending an invalid authentication request.
Default: 5 minutes
amster
attribute:healthCheckInterval
ssoadm
attribute:openam-auth-radius-healthcheck-interval
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:iplanet-am-auth-radius-auth-level
SAE authentication module properties
amster
service name: SaeModule
ssoadm
service name: sunAMAuthSAEService
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
ssoadm
service name:sunAMAuthSAEAuthLevel
SAML2 authentication module properties
amster
service name: Saml2Module
ssoadm
service name: iPlanetAMAuthSAML2Service
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
ssoadm
attribute:iplanet-am-auth-saml2-auth-level
- IDP Entity ID
-
Specifies the identity provider (IDP) for authentication requests to this module. Specify the name of a SAML v2.0 entity provider that is defined in the SAML2 authentication module’s realm.
You can find configured entity providers in the AM admin UI under Federation. The Realm column identifies the realm in which an entity provider has been configured.
amster
attribute:entityName
ssoadm
attribute:forgerock-am-auth-saml2-entity-name
- SP MetaAlias
-
Specifies the local alias for the service provider (SP).
For service providers configured in the Top Level Realm, use the format
/SP Name
.For service providers configured in subrealms, use the format
/Realm Name/SP Name
.To find the local aliases for entity providers in the AM admin UI, go to Realms > Realm Name > Applications > Federation > Entity Providers > Entity Provider Name > Services.
amster
attribute:metaAlias
ssoadm
attribute:forgerock-am-auth-saml2-meta-alias
- Allow IDP to Create NameID
-
Specifies whether the IDP should create a new identifier for the authenticating user if none exists.
A value of
true
permits the IDP to create an identifier for the authenticating user if none exists. A value offalse
indicates a request to constrain the IDP from creating an identifier.For detailed information, see the section on the
AllowCreate
property in SAML Version 2.0 Errata 05.Default:
true
amster
attribute:allowCreate
ssoadm
attribute:forgerock-am-auth-saml2-allow-create
- Linking Authentication Chain
-
Specifies an authentication chain that is invoked when a user requires authentication to the SP.
Authentication to the SP is required when the authentication module running on the SP is unable to determine the user’s identity based on the assertion received from the IDP. In this case, the linking authentication chain is invoked to allow the end user to link their remote and local accounts.
amster
attribute:loginChain
ssoadm
attribute:forgerock-am-auth-saml2-login-chain
- Comparison Type
-
Specifies a comparison method to evaluate authentication context classes or statements. The value specified in this property overrides the value set in the SP configuration under Realms > Realm Name > Applications > Federation > Entity Providers > Service Provider Name > Assertion Content > Authentication Context > Comparison Type.
Valid comparison methods are
exact
,minimum
,maximum
, orbetter
.For more information about the comparison methods, see the section on the
<RequestedAuthnContext>
element in Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0.Default:
exact
amster
attribute:authComparison
ssoadm
attribute:forgerock-am-auth-saml2-auth-comparison
- Authentication Context Class Reference
-
Specifies one or more URIs for authentication context classes to be included in the SAML request. Authentication context classes are unique identifiers for an authentication mechanism. The SAML v2.0 protocol supports a standard set of authentication context classes, defined in Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0. In addition to the standard authentication context classes, you can specify customized authentication context classes.
Any authentication context class that you specify in this field must be supported for the service provider. To determine which authentication context classes are supported, locate the list of authentication context classes that are available to the SP under Realms > Realm Name > Applications > Federation > Entity Providers > Service Provider Name > Assertion Content > Authentication Context, and then review the values in the Supported column.
When specifying multiple authentication context classes, use the | character to separate the classes.
Example value:
urn:oasis:names:tc:SAML:2.0:ac:classes:Password|urn:oasis:names:tc:SAML:2.0:ac:classes:TimesyncToken
amster
attribute:authnContextClassRef
ssoadm
attribute:forgerock-am-auth-saml2-authn-context-class-ref
- Authentication Context Declaration Reference
-
Specifies one or more URIs that identify authentication context declarations.
This field is optional.
When specifying multiple URIs, use the | character to separate the URIs.
For more information, see the section on the
<RequestedAuthnContext>
element in Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0.amster
attribute:authnContextDeclRef
ssoadm
attribute:forgerock-am-auth-saml2-authn-context-decl-ref
- Request Binding
-
Specifies the format used to send the authentication request from the SP to the IDP.
Valid values are
HTTP-Redirect
andHTTP-POST
.Default:
HTTP-Redirect
ssoadm
attribute:forgerock-am-auth-saml2-req-binding
.When using the
ssoadm
command, set this attribute’s value tourn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
orurn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
. - Response Binding
-
Specifies the format used to send the response from the IDP to the SP.
A value of
HTTP-POST
indicates that the HTTP POST binding with a self-submitting form should be used in assertion processing. A value ofHTTP-Artifact
indicates that the HTTP Artifact binding should be used.Default:
HTTP-Artifact
ssoadm
attribute:forgerock-am-auth-saml2-binding
.When using the
ssoadm
command, set this attribute’s value tourn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
orurn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
. - Force IDP Authentication
-
Specifies whether the IDP should force authentication or can reuse existing security contexts.
A value of
true
indicates that the IDP should force authentication. A value offalse
indicates that the IDP can reuse existing security contexts.amster
attribute:forceAuthn
ssoadm
attribute:forgerock-am-auth-saml2-force-authn
- Passive Authentication
-
Specifies whether the IDP should use passive authentication or not. Passive authentication requires the IDP to only use authentication methods that do not require user interaction. For example, authenticating using an X.509 certificate.
A value of
true
indicates that the IDP should authenticate passively. A value offalse
indicates that the IDP should not authenticate passively.amster
attribute:isPassive
ssoadm
attribute:forgerock-am-auth-saml2-is-passive
- NameID Format
-
Specifies a SAML name ID format to be requested in the SAML authentication request.
Default:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
amster
attribute:nameIdFormat
ssoadm
attribute:forgerock-am-auth-saml2-name-id-format
- Single Logout Enabled
-
Specifies whether AM should attempt to log out of the user’s IDP session during session logout.
When enabling SAML v2.0 single logout, you must also configure the post-authentication processing class for the authentication chain containing the SAML2 authentication module to
org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin
.For more information about configuring single logout when implementing SAML v2.0 federation using the SAML2 authentication module, see Configuring SLO in Integrated Mode (Chains).
Default:
false
amster
attribute:sloEnabled
ssoadm
attribute:forgerock-am-auth-saml2-slo-enabled
- Single Logout URL
-
Specifies the URL to which the user is forwarded after successful IDP logout. Configure this property only if you have enabled SAML v2.0 single logout by selecting the Single Logout Enabled check box.
amster
attribute:sloRelay
ssoadm
attribute:forgerock-am-auth-saml2-slo-relay
Scripted authentication module properties
amster
service name: scripted
ssoadm
service name: iPlanetAMAuthScriptedService
Use the following settings at the realm level when configuring an individual scripted authentication module, in the AM admin UI under Realms > Realm Name > Authentication > Modules.
- Client-side Script Enabled
-
When enabled, the module includes the specified client-side script in the login page to be executed on the user-agent prior to the server-side script.
amster
attribute:clientScriptEnabled
ssoadm
attribute:iplanet-am-auth-scripted-client-script-enabled
- Client-side Script
-
Specifies the ID of the script to include in the login page. This script is run on the user-agent prior to the server-side script. This script must be written in a language the user-agent can interpret, such as JavaScript, even if the server-side script is written in Groovy.
To create, view, or modify the content of the scripts, go to Realms > Realm Name > Scripts.
amster
attribute:clientScript
ssoadm
attribute:iplanet-am-auth-scripted-client-script
- Server-side Script
-
Specifies the ID of the script to run in AM after the client-side script has completed.
To create, view, or modify the content of the scripts, go to Realms > Realm Name > Scripts.
amster
attribute:serverScript
ssoadm
attribute:iplanet-am-auth-scripted-server-script
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the scripted authentication module.
The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:iplanet-am-auth-scripted-auth-level
In the AM admin UI, go to Configure > Global Services > Scripting > Secondary Configurations > Server-Side Script Type > Secondary Configurations > engineConfiguration.
On the engineConfiguration page, configure the following settings for the scripting engine of the selected type:
- Server-side Script Timeout
-
Specifies the maximum execution time any individual script should take on the server (in seconds). AM terminates scripts which take longer to run than this value.
ssoadm
attribute:serverTimeout
- Core thread pool size
-
Specifies the initial number of threads in the thread pool from which scripts operate. AM will ensure the pool contains at least this many threads.
ssoadm
attribute:coreThreads
- Maximum thread pool size
-
Specifies the maximum number of threads in the thread pool from which scripts operate. If no free thread is available in the pool, AM creates new threads in the pool for script execution up to the configured maximum. It is recommended to set the maximum number of threads to 300.
ssoadm
attribute:maxThreads
- Thread pool queue size
-
Specifies the number of threads to use for buffering script execution requests when the maximum thread pool size is reached.
For short, CPU-bound scripts, consider a small pool size and larger queue length. For I/O-bound scripts, for example, REST calls, consider a larger maximum pool size and a smaller queue.
Not hot-swappable: restart server for changes to take effect.
ssoadm
attribute:queueSize
- Thread idle timeout (seconds)
-
Specifies the length of time (in seconds) for a thread to be idle before AM terminates created threads. If the current pool size contains the number of threads set in
Core thread pool size
, then idle threads will not be terminated, maintaining the initial pool size.ssoadm
attribute:idleTimeout
- Java class whitelist
-
Specifies the list of class name patterns allowed to be invoked by the script. Every class accessed by the script must match at least one of these patterns.
You can specify the class name as-is or use a regular expression.
ssoadm
attribute:whiteList
- Java class blacklist
-
Specifies the list of class name patterns that are NOT allowed to be invoked by the script. The denylist is applied AFTER the allowlist to exclude those classes. Access to a class specified in both the allowlist and the denylist will be denied.
You can specify the class name to exclude as-is or use a regular expression.
ssoadm
attribute:blackList
- Use system SecurityManager
-
When enabled, AM makes a call to the
System.getSecurityManager().checkPackageAccess(…)
method for each class that is accessed. The method throwsSecurityException
if the calling thread is not allowed to access the package.This feature only takes effect if the security manager is enabled for the JVM. ssoadm
attribute:useSecurityManager
SecurID Authentication Module Properties
To use the SecurID authentication module,
you must first build an AM By default, the module uses the following TCP/IP ports: |
amster
service name: securid
ssoadm
service name: iPlanetAMAuthSecurIDService
- ACE/Server Configuration Path
-
Specify the directory where the SecurID ACE/Server
sdconf.rec
file is located, which by default is expected under the AM configuration directory, such as/path/to/openam/config/auth/ace/data
. The directory must exist before AM can use SecurID authentication.amster
attribute:serverConfigPath
ssoadm
attribute:iplanet-am-auth-securid-server-config-path
- Authentication Level
-
Sets the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:iplanet-am-auth-securid-auth-level
Social authentication module properties - Instagram
amster
service name: SocialAuthInstagramModule
ssoadm
service name: iPlanetAMAuthSocialAuthInstagramService
Core
The following properties are available under the Core tab:
- Authentication Level
-
Specifies the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
Default:
0
amster
data attribute:authenticationLevel
- Social Provider
-
Specifies the name of the social provider for which this module is being set up.
Default:
Instagram
amster
data attribute:provider
- Client Id
-
Specifies the
client_id
parameter as described in section 2.2 of The OAuth 2.0 Authorization Framework (RFC 6749).To register an application with Instagram and obtain an OAuth 2.0
client_id
andclient_secret
, visit https://www.instagram.com/developer/.amster
attribute:clientId
- Client Secret
-
Specifies the
client_secret
parameter as described in section 2.3 of The OAuth 2.0 Authorization Framework (RFC 6749).amster
attribute:clientSecret
- Authentication Endpoint URL
-
Specifies the URL to the social provider’s endpoint handling authentication as described in section 3.1 of The OAuth 2.0 Authorization Framework (RFC 6749).
amster
attribute:authorizeEndpoint
- Access Token Endpoint URL
-
Specifies the URL to the endpoint handling access tokens as described in section 3.2 of The OAuth 2.0 Authorization Framework (RFC 6749).
amster
attribute:tokenEndpoint
- User Profile Service URL
-
Specifies the user profile URL that returns profile information in JSON format.
amster
attribute:userInfoEndpoint
- Scope
-
Specifies a list of user profile attributes that the client application requires, according to The OAuth 2.0 Authorization Framework (RFC 6749). The list depends on the permissions that the resource owner, such as the end user, grants to the client application.
Default:
basic
amster
attribute:scope
- Scope Delimiter
-
Specifies the delimiter used to separate scope values.
Some authorization servers use non-standard separators for scopes. Facebook, for example, uses commas.
Default: space character
amster
attribute:scopeDelimiter
- Subject Property
-
Specifies the attribute the social provider uses to identify a user.
Default:
id
amster
attribute:subjectProperty
- Use Basic Auth
-
Specifies that the client uses HTTP Basic authentication when authenticating to the social provider.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:usesBasicAuth
-
- Proxy URL
-
Specifies the URL to the
/oauth2c/OAuthProxy.jsp
file, which provides AM with GET to POST proxying capabilities. Change this URL only if an external server performs the GET to POST proxying.Default:
@SERVER_PROTO@://@SERVER_HOST@:@SERVER_PORT@/@SERVER_URI@/oauth2c/OAuthProxy.jsp
Example:
https://openam.example.com:8443/openam/oauth2c/OAuthProxy.jsp
amster
attribute:ssoProxyUrl
- OAuth 2.0 Provider Logout Service
-
Specifies the URL of the social provider’s logout service.
To enable logout of the social authentication provider when logging out of AM, you must add
org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin
to the Authentication Post Processing Classes property. To add the class, go to Authentication > Settings > Post Authentication Processing.amster
attribute:logoutServiceUrl
- Logout Options
-
Specifies the social provider logout actions to take when logging out of AM.
Valid options are:
prompt
-
Asks the user whether or not to log out from the social provider.
logout
-
Logs the user out of the social provider without prompting.
donotlogout
-
Keeps the user logged in to the social provider. There is no prompt to the user.
Default:
prompt
amster
attribute:logoutBehaviour
Account Provisioning
The following properties are available under the Account Provisioning tab:
- Use IDM as Registration Service
-
Whether to use IDM as an external registration service to complete registration for new users. You must configure and enable the IDM Provisioning service to use this option. See IDM Provisioning.
AM passes IDM these parameters:
-
clientToken
: Signed, encrypted JWT of the OAuth 2.0 authentication state. -
returnParams
: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.
Default:
False
amster
attribute:enableRegistrationService
-
- Create account if it does not exist
-
When enabled, AM creates an account for the user if the user profile does not exist.
When disabled, a user without a profile may still log into AM if the Ignore Profile attribute is set in the authentication service of the realm, or if the account is mapped to an anonymous account.
Valid values are:
-
true
-
false
Default:
true
amster
attribute:createAccount
-
- Account Provider
-
Specifies the name of the class that implements the account provider.
Default:
org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider
amster
attribute:accountProviderClass
- Account Mapper
-
Specifies the name of the class that implements the attribute mapping for the account search.
You can provide string constructor parameters by appending pipe-separated (|) values. Default:
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|instagram-
amster
attribute:accountMapperClass
- Account Mapper Configuration
-
Specifies the attribute configuration used to map the account of the user authenticated in the social provider to the local data store in AM. Valid values take the form
provider-attr=local-attr`
.When using the
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
class, you can parse JSON objects in mappings, by using dot notation.For example, given a JSON payload of:
{ "sub" : "12345", "name" : { "first_name" : "Demo", "last_name" : "User" } }
You can create a mapper, such as
name.first_name=cn
.Default:
id=uid
amster
attribute:accountMapperConfiguration
- Attribute Mapper
-
Specifies the list of fully qualified class names for implementations that map attributes from the social provider to AM profile attributes.
You can provide a custom attribute mapper. A custom attribute mapper must implement the
org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper
interface.Provided implementations are:
-
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
-
org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
- can only be used when using theopenid
scope
You can provide string constructor parameters by appending pipe-separated (|) values.
For example, the
org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
class can take two constructor parameters:a comma-separated list of attributes, and a prefix to apply to their values. Specify these as follows:org.forgerock.openam.authentication.modules.oidc.JsonAttributeMapper|uid|instagram-
Default:
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|instagram-
amster
attribute:attributeMappingClasses
-
- Attribute Mapper Configuration
-
Specifies a map of social provider user account attributes to local user profile attributes with values in the form
provider-attr=local-attr
.
When using the For example, given a JSON payload of:
You can create a mapper, such as |
Default:
id=uid
full_name=sn
username=cn
username=givenName
amster
attribute: attributeMapperConfiguration
- Map to anonymous user
-
When enabled, maps the social provider authenticated user to a specified anonymous user. If the Create account if it does not exist property is enabled, AM creates an account for the authenticated user instead of mapping the account to an anonymous user.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:mapToAnonymousUser
-
- Anonymous User
-
Specifies an anonymous user that exists in the current realm. The user status of this anonymous user must be
Active
. TheMap to anonymous user property
maps authorized users without a profile to this anonyomus user, if enabled.Default:
anonymous
amster
attribute:anonymousUserName
- Save attributes in the session
-
When enabled, saves the values of attributes specified in the Attribute Mapper Configuration property in the AM session.
Valid values are:
-
true
-
false
Default:
true
amster
attribute:saveAttributesInSession
-
Social authentication module properties - OAuth 2.0
amster
service name: SocialAuthOAuth2Module
ssoadm
service name: iPlanetAMAuthSocialAuthOAuth2Service
Core
The following properties are available under the Core tab:
- Authentication Level
-
Specifies the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
Default:
0
amster
data attribute:authenticationLevel
- Social Provider
-
Specifies the name of the social provider for which this module is being set up.
Example:
Google
amster
data attribute:provider
- Client Id
-
Specifies the
client_id
parameter as described in section 2.2 of The OAuth 2.0 Authorization Framework (RFC 6749).amster
attribute:clientId
- Client Secret
-
Specifies the
client_secret
parameter as described in section 2.3 of The OAuth 2.0 Authorization Framework (RFC 6749).amster
attribute:clientSecret
- Authentication Endpoint URL
-
Specifies the URL to the social provider’s endpoint handling authentication as described in section 3.1 of The OAuth 2.0 Authorization Framework (RFC 6749).
Example:
https://accounts.google.com/o/oauth2/v2/auth
amster
attribute:authorizeEndpoint
- Access Token Endpoint URL
-
Specifies the URL to the endpoint handling access tokens as described in section 3.2 of The OAuth 2.0 Authorization Framework (RFC 6749).
Example:
https://www.googleapis.com/oauth2/v4/token
amster
attribute:tokenEndpoint
- User Profile Service URL
-
Specifies the user profile URL that returns profile information in JSON format.
amster
attribute:userInfoEndpoint
- Scope
-
Specifies a list of user profile attributes that the client application requires, according to The OAuth 2.0 Authorization Framework (RFC 6749). The list depends on the permissions that the resource owner, such as the end user, grants to the client application.
amster
attribute:scope
- Scope Delimiter
-
Specifies the delimiter used to separate scope values.
Some authorization servers use non-standard separators for scopes. Facebook, for example, uses commas.
amster
attribute:scopeDelimiter
- Subject Property
-
Specifies the attribute the social provider uses to identify a user.
Example:
sub
amster
attribute:subjectProperty
- Use Basic Auth
-
Specifies that the client uses HTTP Basic authentication when authenticating to the social provider.
Valid values are:
-
true
-
false
Default:
true
amster
attribute:usesBasicAuth
-
- Proxy URL
-
Specifies the URL to the
/oauth2c/OAuthProxy.jsp
file, which provides AM with GET to POST proxying capabilities. Change this URL only if an external server performs the GET to POST proxying.Default:
@SERVER_PROTO@://@SERVER_HOST@:@SERVER_PORT@/@SERVER_URI@/oauth2c/OAuthProxy.jsp
Example:
https://openam.example.com:8443/openam/oauth2c/OAuthProxy.jsp
amster
attribute:ssoProxyUrl
- OAuth 2.0 Provider Logout Service
-
Specifies the URL of the social provider’s logout service.
To enable logout of the social authentication provider when logging out of AM, you must add
org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin
to the Authentication Post Processing Classes property. To add the class, go to Authentication > Settings > Post Authentication Processing.amster
attribute:logoutServiceUrl
- Logout Options
-
Specifies the social provider logout actions to take when logging out of AM.
Valid options are:
prompt
-
Asks the user whether or not to log out from the social provider.
logout
-
Logs the user out of the social provider without prompting.
donotlogout
-
Keeps the user logged in to the social provider. There is no prompt to the user.
Default:
prompt
amster
attribute:logoutBehaviour
- Token Issuer
-
Corresponds to the expected issue identifier value in the
iss
field of the ID token.Example:
https://accounts.google.com
amster
attribute:issuerName
- OAuth 2.0 Mix-Up Mitigation Enabled
-
Controls whether the OAuth 2.0 authentication module carries out additional verification steps when it receives the authorization code from the authorization server.
Specifies that the client must compare the issuer identifier of the authorization server upon registration with the issuer value returned in the
iss
response parameter. If they do not match, the client must abort the authorization process. The client must also confirm that the authorization server’s response is intended for the client by comparing the client’s client identifier to the value of theclient_id
response parameter.The Token Issuer property must be entered when the OAuth 2.0 Mix-Up Mitigation feature is enabled, so that the validation can succeed. The authorization code response will contain an issuer value (
iss
) that will be validated by the client.Consult with the authorization server’s documentation on what value it uses for the issuer field. For more information, see section 4 of OAuth 2.0 Mix-Up Mitigation Draft.
amster
attribute:mixUpMitigation
Account Provisioning
The following properties are available under the Account Provisioning tab:
- Use IDM as Registration Service
-
Whether to use IDM as an external registration service to complete registration for new users. You must configure and enable the IDM Provisioning service to use this option. See IDM Provisioning
AM passes IDM these parameters:
-
clientToken
: Signed, encrypted JWT of the OAuth 2.0 authentication state. -
returnParams
: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.
Default:
False
amster
attribute:enableRegistrationService
-
- Create account if it does not exist
-
When enabled, AM creates an account for the user if the user profile does not exist. If the Prompt for password setting and activation code attribute is enabled, AM prompts the user for a password and activation code before creating the account.
When configured to create new accounts, the SMTP settings must also be valid. As part of account creation, the authentication module sends the resource owner an email with an account activation code. To send the mail, AM uses the SMTP settings you provide in the module configuration.
When disabled, a user without a profile may still log into AM if the Ignore Profile attribute is set in the authentication service of the realm, or if the account is mapped to an anonymous account.
Valid values are:
-
true
-
false
Default:
true
amster
attribute:createAccount
-
- Account Provider
-
Specifies the name of the class that implements the account provider.
Default:
org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider
amster
attribute:accountProviderClass
- Account Mapper
-
Specifies the name of the class that implements the attribute mapping for the account search.
Example:
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-
amster
attribute:accountMapperClass
- Account Mapper Configuration
-
Specifies the attribute configuration used to map the account of the user authenticated in the social provider to the local data store in AM. Valid values take the form
provider-attr=local-attr
.When using the
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
class, you can parse JSON objects in mappings, by using dot notation.For example, given a JSON payload of:
{ "sub" : "12345", "name" : { "first_name" : "Demo", "last_name" : "User" } }
You can create a mapper, such as
name.first_name=cn
.amster
attribute:accountMapperConfiguration
- Attribute Mapper
-
Specifies the list of fully qualified class names for implementations that map attributes from the social provider to AM profile attributes.
You can provide a custom attribute mapper. A custom attribute mapper must implement the
org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper
interface.Provided implementations are:
-
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
-
org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
- can only be used when using theopenid
scope
You can provide string constructor parameters by appending pipe-separated (|) values.
For example, the
org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
class can take two constructor parameters: a comma-separated list of attributes, and a prefix to apply to their values. Specify these as follows:org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper|*|google-
amster
attribute:attributeMappingClasses
-
- Attribute Mapper Configuration
-
Specifies a map of social provider user account attributes to local user profile attributes with values in the form
provider-attr=local-attr
.When using the
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
class, you can parse JSON objects in mappings, by using dot notation.For example, given a JSON payload of:
{ "sub" : "12345", "name" : { "first_name" : "Demo", "last_name" : "User" } }
You can create a mapper, such as
name.first_name=cn
.amster
attribute:attributeMapperConfiguration
- Prompt for password setting and activation code
-
When enabled, the user must set a password before AM creates an account dynamically. An activation code is also sent to the user’s email address. Both the password and the code are required before the account is created.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:promptPasswordFlag
-
- Map to anonymous user
-
When enabled, maps the social provider authenticated user to a specified anonymous user. If the Create account if it does not exist property is enabled, AM creates an account for the authenticated user instead of mapping the account to an anonymous user.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:mapToAnonymousUser
-
- Anonymous User
-
Specifies an anonymous user that exists in the current realm. The user status of this anonymous user must be
Active
. TheMap to anonymous user
property maps authorized users without a profile to this anonymous user, if enabled.Default:
anonymous
amster
attribute:anonymousUserName
- Save attributes in the session
-
When enabled, saves the values of attributes specified in the Attribute Mapper Configuration property in the AM session.
Valid values are:
-
true
-
false
Default:
true
amster
attribute:saveAttributesInSession
-
The following properties are available under the Email tab:
- Email attribute in the Response
-
Specifies the attribute identifying the authenticated user’s email address in the response from the profile service in the social provider. This setting is used to send an email message with an activation code for accounts created dynamically.
amster
attribute:emailAttribute
- Mail Server Gateway implementation class
-
Specifies the class used by the module to send email. A custom subclass of
org.forgerock.openam.authentication.modules.oauth2.EmailGateway
class can be provided.Default:
org.forgerock.openam.authentication.modules.oauth2.DefaultEmailGatewayImpl
amster
attribute:emailGateway
- SMTP host
-
Specifies the host name of the mail server.
Default:
localhost
amster
attribute:smtpHost
- SMTP port
-
Specifies the SMTP port number for the mail server.
Default:
25
amster
attribute:smtpPort
- SMTP User Name
-
Specifies the username AM uses to authenticate to the mail server.
amster
attribute:smtpUsername
- SMTP User Password
-
Specifies the password AM uses to authenticate to the mail server.
amster
attribute:smtpPassword
- SMTP SSL Enabled
-
When enabled, connects to the mail server over SSL. AM must be able to trust the SMTP server certificate.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:smtpSslEnabled
-
- SMTP From address
-
Specifies the address of the email sender, such as
no-reply@example.com
.amster
attribute:smtpFromAddress
Social authentication module properties - OpenID Connect 1.0
The example settings are for Google.
amster
service name: SocialAuthOpenIDModule
ssoadm
service name: iPlanetAMAuthSocialAuthOpenIDService
Core
The following properties are available under the Core tab:
- Social Provider
-
Specifies the name of the social provider for which this module is being set up.
Example:
Google
amster
data attribute:provider
- Client Id
-
Specifies the
client_id
parameter as described in section 2.2 of The OAuth 2.0 Authorization Framework (RFC 6749).amster
attribute:clientId
- Client Secret
-
Specifies the
client_secret
parameter as described in section 2.3 of The OAuth 2.0 Authorization Framework (RFC 6749).amster
attribute:clientSecret
- Authentication Level
-
Specifies the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
Default:
0
amster
data attribute:authenticationLevel
- Authentication Endpoint URL
-
Specifies the URL to the social provider’s endpoint handling authentication as described in section 3.1 of The OAuth 2.0 Authorization Framework (RFC 6749).
amster
attribute:authorizeEndpoint
- Access Token Endpoint URL
-
Specifies the URL to the endpoint handling access tokens as described in section 3.2 of The OAuth 2.0 Authorization Framework (RFC 6749).
amster
attribute:tokenEndpoint
- User Profile Service URL
-
Specifies the user profile URL that returns profile information in JSON format.
amster
attribute:userInfoEndpoint
- Scope
-
Specifies a list of user profile attributes that the client application requires, according to The OAuth 2.0 Authorization Framework (RFC 6749). The list depends on the permissions that the resource owner, such as the end user, grants to the client application.
Default:
openid
amster
attribute:scope
- Scope Delimiter
-
Specifies the delimiter used to separate scope values.
Some authorization servers use non-standard separators for scopes. Facebook, for example, uses commas.
amster
attribute:scopeDelimiter
- Subject Property
-
Specifies the attribute the social provider uses to identify a user.
Example:
sub
amster
attribute:subjectProperty
- Use Basic Auth
-
Specifies that the client uses HTTP Basic authentication when authenticating to the social provider.
Valid values are:
-
true
-
false
Default:
true
amster
attribute:usesBasicAuth
-
- Proxy URL
-
Specifies the URL to the
/oauth2c/OAuthProxy.jsp
file, which provides AM with GET to POST proxying capabilities. Change this URL only if an external server performs the GET to POST proxying.Default:
@SERVER_PROTO@://@SERVER_HOST@:@SERVER_PORT@/@SERVER_URI@/oauth2c/OAuthProxy.jsp
Example:
https://openam.example.com:8443/openam/oauth2c/OAuthProxy.jsp
amster
attribute:ssoProxyUrl
- OAuth 2.0 Provider Logout Service
-
Specifies the URL of the social provider’s logout service.
To enable logout of the social authentication provider when logging out of AM, you must add
org.forgerock.openam.authentication.modules.oauth2.OAuth2PostAuthnPlugin
to the Authentication Post Processing Classes property. To add the class, go to Authentication > Settings > Post Authentication Processing.amster
attribute:logoutServiceUrl
- Logout Options
-
Specifies the social provider logout actions to take when logging out of AM.
Valid options are:
prompt
-
Asks the user whether or not to log out from the social provider.
logout
-
Logs the user out of the social provider without prompting.
donotlogout
-
Keeps the user logged in to the social provider. There is no prompt to the user.
Default:
prompt
amster
attribute:logoutBehaviour
- Token Issuer
-
Corresponds to the expected issue identifier value in the
iss
field of the ID token.Example:
https://accounts.google.com
amster
attribute:issuerName
- OAuth 2.0 Mix-Up Mitigation Enabled
-
Controls whether the OAuth 2.0 authentication module carries out additional verification steps when it receives the authorization code from the authorization server.
Specifies that the client must compare the issuer identifier of the authorization server upon registration with the issuer value returned in the
iss
response parameter. If they do not match, the client must abort the authorization process. The client must also confirm that the authorization server’s response is intended for the client by comparing the client’s client identifier to the value of theclient_id
response parameter.The Token Issuer property must be entered when the OAuth 2.0 Mix-Up Mitigation feature is enabled, so that the validation can succeed. The authorization code response will contain an issuer value (
iss
) that will be validated by the client.Consult with the authorization server’s documentation on what value it uses for the issuer field. For more information, see section 4 of OAuth 2.0 Mix-Up Mitigation Draft.
amster
attribute:mixUpMitigation
OpenID Connect
The following properties are available under the OpenID Connect tab:
- OpenID Connect validation configuration type
-
In order to validate the ID token from the OpenID Connect provider, the module needs either a URL to get the public keys for the provider, or the symmetric key for an ID token signed with a HMAC-based algorithm.
By default, the configuration type is .well-known/openid-configuration_url
.
This means the module should retrieve the keys
based on information in the OpenID Connect Provider Configuration Document.
You can instead configure the authentication module to validate the ID token signature with the client secret key you provide, or to validate the ID token with the keys retrieved from the URL to the OpenID Connect provider’s JSON web key set.
.well-known/openid-configuration_url
(Default)-
Retrieve the provider keys based on the information provided in the OpenID Connect Provider Configuration Document.
Specify the URL to the document in the OpenID Connect validation configuration value property
client_secret
-
Use the client secret that you specify in the Client Secret property (not the OpenID Connect validation configuration value property, which is ignored) as the key to validate the ID token signature according to the HMAC, using the client secret to the decrypt the hash and then checking that the hash matches the hash of the ID token JWT.
jwk_url
-
Retrieve the provider’s JSON web key set at the URL that you specify in the OpenID Connect validation configuration value property.
amster
attribute:cryptoContextType
- OpenID Connect validation configuration value
-
Specifies the full URL to the discovery or JWK location, corresponding to the configuration type selected in the OpenID Connect validation configuration type property.
amster
attribute:cryptoContextValue
Account Provisioning
The following properties are available under the Account Provisioning tab:
- Use IDM as Registration Service
-
Whether to use IDM as an external registration service to complete registration for new users. You must configure and enable the IDM Provisioning service to use this option. See IDM Provisioning.
AM passes IDM these parameters:
-
clientToken
: Signed, encrypted JWT of the OAuth 2.0 authentication state. -
returnParams
: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.
Default:
False
amster
attribute:enableRegistrationService
-
- Create account if it does not exist
-
When enabled, AM creates an account for the user if the user profile does not exist. If the Prompt for password setting and activation code attribute is enabled, AM prompts the user for a password and activation code before creating the account.
When configured to create new accounts, the SMTP settings must also be valid. As part of account creation, the authentication module sends the resource owner an email with an account activation code. To send the mail, AM uses the SMTP settings you provide in the module configuration.
When disabled, a user without a profile may still log into AM if the Ignore Profile attribute is set in the authentication service of the realm, or if the account is mapped to an anonymous account.
Valid values are:
-
true
-
false
Default:
true
amster
attribute:createAccount
-
- Account Provider
-
Specifies the name of the class that implements the account provider.
Default:
org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider
amster
attribute:accountProviderClass
- Account Mapper
-
Specifies the name of the class that implements the attribute mapping for the account search.
You can provide string constructor parameters by appending pipe-separated (|) values. Example:
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|google-
amster
attribute:accountMapperClass
- Account Mapper Configuration
-
Specifies the attribute configuration used to map the account of the user authenticated in the social provider to the local data store in AM. Valid values take the form
provider-attr=local-attr
.When using the
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
class, you can parse JSON objects in mappings, by using dot notation.For example, given a JSON payload of:
{ "sub" : "12345", "name" : { "first_name" : "Demo", "last_name" : "User" } }
You can create a mapper, such as
name.first_name=cn
.amster
attribute:accountMapperConfiguration
- Attribute Mapper
-
Specifies the list of fully qualified class names for implementations that map attributes from the social provider to AM profile attributes.
You can provide a custom attribute mapper. A custom attribute mapper must implement the
org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper
interface.Provided implementations are:
-
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
-
org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
- can only be used when using theopenid
scope
You can provide string constructor parameters by appending pipe-separated (|) values.
For example, the
org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
class can take two constructor parameters: a comma-separated list of attributes, and a prefix to apply to their values. Specify these as follows:org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper|*|google-
amster
attribute:attributeMappingClasses
-
- Attribute Mapper Configuration
-
Specifies a map of social provider user account attributes to local user profile attributes with values in the form
provider-attr=local-attr
.When using the
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
class, you can parse JSON objects in mappings, by using dot notation.For example, given a JSON payload of:
{ "sub" : "12345", "name" : { "first_name" : "Demo", "last_name" : "User" } }
You can create a mapper, such as
name.first_name=cn
.amster
attribute:attributeMapperConfiguration
- Prompt for password setting and activation code
-
When enabled, the user must set a password before AM creates an account dynamically. An activation code is also sent to the user’s email address. Both the password and the code are required before the account is created.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:promptPasswordFlag
-
- Map to anonymous user
-
When enabled, maps the social provider authenticated user to a specified anonymous user. If the Create account if it does not exist property is enabled, AM creates an account for the authenticated user instead of mapping the account to an anonymous user.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:mapToAnonymousUser
-
- Anonymous User
-
Specifies an anonymous user that exists in the current realm. The user status of this anonymous user must be
Active
. TheMap to anonymous user
property maps authorized users without a profile to this anonyomus user, if enabled.Default:
anonymous
amster
attribute:anonymousUserName
- Save attributes in the session
-
When enabled, saves the values of attributes specified in the Attribute Mapper Configuration property in the AM session.
Valid values are:
-
true
-
false
Default:
true
amster
attribute:saveAttributesInSession
-
The following properties are available under the Email tab:
- Email attribute in the Response
-
Specifies the attribute identifying the authenticated user’s email address in the response from the profile service in the social provider. This setting is used to send an email message with an activation code for accounts created dynamically.
amster
attribute:emailAttribute
- Mail Server Gateway implementation class
-
Specifies the class used by the module to send email. A custom subclass of
org.forgerock.openam.authentication.modules.oauth2.EmailGateway
class can be provided.Default:
org.forgerock.openam.authentication.modules.oauth2.DefaultEmailGatewayImpl
amster
attribute:emailGateway
- SMTP host
-
Specifies the host name of the mail server.
Default:
localhost
amster
attribute:smtpHost
- SMTP port
-
Specifies the SMTP port number for the mail server.
Default:
25
amster
attribute:smtpPort
- SMTP User Name
-
Specifies the username AM uses to authenticate to the mail server.
amster
attribute:smtpUsername
- SMTP User Password
-
Specifies the password AM uses to authenticate to the mail server.
amster
attribute:smtpPassword
- SMTP SSL Enabled
-
When enabled, connects to the mail server over SSL. AM must be able to trust the SMTP server certificate.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:smtpSslEnabled
-
- SMTP From address
-
Specifies the address of the email sender, such as
no-reply@example.com
.amster
attribute:smtpFromAddress
Social authentication module properties - VKontakte
amster
service name: SocialAuthVKontakteModule
ssoadm
service name: iPlanetAMAuthSocialAuthVKService
Core
The following properties are available under the Core tab:
- Social Provider
-
Specifies the name of the social provider for which this module is being set up.
Default:
VKontakte
amster
data attribute:provider
- Client Id
-
Specifies the
client_id
parameter as described in section 2.2 of The OAuth 2.0 Authorization Framework (RFC 6749).To register an application with VKontakte and obtain an OAuth 2.0
client_id
andclient_secret
, visit https://vk.com/apps?act=manage.amster
attribute:clientId
- Client Secret
-
Specifies the
client_secret
parameter as described in section 2.3 of The OAuth 2.0 Authorization Framework (RFC 6749).amster
attribute:clientSecret
- Authentication Level
-
Specifies the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
Default:
0
amster
data attribute:authenticationLevel
- Authentication Endpoint URL
-
Specifies the URL to the endpoint handling authentication as described in section 3.1 of The OAuth 2.0 Authorization Framework (RFC 6749).
Default:
https://oauth.vk.com/authorize
amster
attribute:authorizeEndpoint
- Access Token Endpoint URL
-
Specifies the URL to the social provider’s endpoint handling access tokens as described in section 3.2 of The OAuth 2.0 Authorization Framework (RFC 6749).
Default:
https://oauth.vk.com/access_token
amster
attribute:tokenEndpoint
- User Profile Service URL
-
Specifies the user profile URL that returns profile information in JSON format.
Default:
https://api.vk.com/method/users.get
amster
attribute:userInfoEndpoint
- Scope
-
Specifies a list of user profile attributes that the client application requires, according to The OAuth 2.0 Authorization Framework (RFC 6749). The list depends on the permissions that the resource owner, such as the end user, grants to the client application.
amster
attribute:scope
- Proxy URL
-
Specifies the URL to the
/oauth2c/OAuthProxy.jsp
file, which provides AM with GET to POST proxying capabilities. Change this URL only if an external server performs the GET to POST proxying.Default:
@SERVER_PROTO@://@SERVER_HOST@:@SERVER_PORT@/@SERVER_URI@/oauth2c/OAuthProxy.jsp
Example:
https://openam.example.com:8443/openam/oauth2c/OAuthProxy.jsp
amster
attribute:ssoProxyUrl
- Subject Property
-
Specifies the attribute the social provider uses to identify a user.
Default:
id
amster
attribute:subjectProperty
Account Provisioning
The following properties are available under the Account Provisioning tab:
- Account Provider
-
Specifies the name of the class that implements the account provider.
Default:
org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider
amster
attribute:accountProviderClass
- Use IDM as Registration Service
-
Whether to use IDM as an external registration service to complete registration for new users. You must configure and enable the IDM Provisioning service to use this option. See IDM Provisioning.
AM passes IDM these parameters:
-
clientToken
: Signed, encrypted JWT of the OAuth 2.0 authentication state. -
returnParams
: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.
Default:
False
amster
attribute:enableRegistrationService
-
- Create account if it does not exist
-
When enabled, AM creates an account for the user if the user profile does not exist. If the Prompt for password setting and activation code attribute is enabled, AM prompts the user for a password and activation code before creating the account.
When configured to create new accounts, the SMTP settings must also be valid. As part of account creation, the authentication module sends the resource owner an email with an account activation code. To send the mail, AM uses the SMTP settings you provide in the module configuration.
When disabled, a user without a profile may still log into AM if the Ignore Profile attribute is set in the authentication service of the realm, or if the account is mapped to an anonymous account.
Valid values are:
-
true
-
false
Default:
true
amster
attribute:createAccount
-
- Account Mapper
-
Specifies the name of the class that implements the attribute mapping for the account search.
Default:
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|vkontakte-
amster
attribute:accountMapperClass
- Account Mapper Configuration
-
Specifies the attribute configuration used to map the account of the user authenticated in the social provider to the local data store in AM. Valid values take the form
provider-attr=local-attr
.When using the
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
class, you can parse JSON objects in mappings, by using dot notation.For example, given a JSON payload of:
{ "sub" : "12345", "name" : { "first_name" : "Demo", "last_name" : "User" } }
You can create a mapper, such as
name.first_name=cn
.Default:
uid=uid
amster
attribute:accountMapperConfiguration
- Attribute Mapper
-
Specifies the list of fully qualified class names for implementations that map attributes from the social provider to AM profile attributes.
You can provide a custom attribute mapper. A custom attribute mapper must implement the
org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper
interface.Provided implementations are:
-
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
-
org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
- can only be used when using theopenid
scope
You can provide string constructor parameters by appending pipe-separated (|) values.
For example, the
org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
class can take two constructor parameters: a comma-separated list of attributes, and a prefix to apply to their values. Specify these as follows:org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper|uid|vkontakte-
Default:
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|uid|vkontakte-
amster
attribute:attributeMappingClasses
-
- Attribute Mapper Configuration
-
Specifies a map of social provider user account attributes to local user profile attributes with values in the form
provider-attr=local-attr
.When using the
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
class, you can parse JSON objects in mappings, by using dot notation.For example, given a JSON payload of:
{ "sub" : "12345", "name" : { "first_name" : "Demo", "last_name" : "User" } }
You can create a mapper, such as
name.first_name=cn
.Default:
uid=uid
full_name=givenName
first_name=cn
last_name=sn
email=mail
amster
attribute:attributeMapperConfiguration
- Prompt for password setting and activation code
-
When enabled, the user must set a password before AM creates an account dynamically. An activation code is also sent to the user’s email address. Both the password and the code are required before the account is created.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:promptPasswordFlag
-
- Map to anonymous user
-
When enabled, maps the social provider authenticated user to a specified anonymous user. If the Create account if it does not exist property is enabled, AM creates an account for the authenticated user instead of mapping the account to an anonymous user.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:mapToAnonymousUser
-
- Anonymous User
-
Specifies an anonymous user that exists in the current realm. The user status of this anonymous user must be
Active
. TheMap to anonymous user
property maps authorized users without a profile to this anonyomus user, if enabled.Default:
anonymous
amster
attribute:anonymousUserName
- Save attributes in the session
-
When enabled, saves the values of attributes specified in the Attribute Mapper Configuration property in the AM session.
Valid values are:
-
true
-
false
Default:
true
amster
attribute:saveAttributesInSession
-
The following properties are available under the Email tab:
- Email attribute in the Response
-
Specifies the attribute identifying the authenticated user’s email address in the response from the profile service in the social provider. This setting is used to send an email message with an activation code for accounts created dynamically.
amster
attribute:emailAttribute
- Mail Server Gateway implementation class
-
Specifies the class used by the module to send email. A custom subclass of
org.forgerock.openam.authentication.modules.oauth2.EmailGateway
class can be provided.Default:
org.forgerock.openam.authentication.modules.oauth2.DefaultEmailGatewayImpl
amster
attribute:emailGateway
- SMTP host
-
Specifies the host name of the mail server.
Default:
localhost
amster
attribute:smtpHost
- SMTP port
-
Specifies the SMTP port number for the mail server.
Default:
25
amster
attribute:smtpPort
- SMTP User Name
-
Specifies the username AM uses to authenticate to the mail server.
amster
attribute:smtpUsername
- SMTP User Password
-
Specifies the password AM uses to authenticate to the mail server.
amster
attribute:smtpPassword
- SMTP SSL Enabled
-
When enabled, connects to the mail server over SSL. AM must be able to trust the SMTP server certificate.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:smtpSslEnabled
-
- SMTP From address
-
Specifies the address of the email sender, such as
no-reply@example.com
.Default:
info@forgerock.com
amster
attribute:smtpFromAddress
Social authentication module properties - WeChat
amster
service name: SocialAuthWeChatModule
ssoadm
service name: iPlanetAMAuthSocialAuthWeChatService
Core
The following properties are available under the Core tab:
- Authentication Level
-
Specifies the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
Default:
0
amster
data attribute:authenticationLevel
- Social Provider
-
Specifies the name of the social provider for which this module is being set up.
Default:
WeChat
amster
data attribute:provider
- Client Id
-
Specifies the
client_id
parameter as described in section 2.2 of The OAuth 2.0 Authorization Framework (RFC 6749).To register an application with WeChat and obtain an OAuth 2.0
client_id
andclient_secret
, visit https://open.weixin.qq.com/cgi-bin/frame?t=home/web_tmpl.amster
attribute:clientId
- Client Secret
-
Specifies the
client_secret
parameter as described in section 2.3 of The OAuth 2.0 Authorization Framework (RFC 6749).amster
attribute:clientSecret
- Authentication Endpoint URL
-
Specifies the URL to the social provider’s endpoint handling authentication as described in section 3.1 of The OAuth 2.0 Authorization Framework (RFC 6749).
Default:
https://open.weixin.qq.com/connect/qrconnect
amster
attribute:authorizeEndpoint
- Access Token Endpoint URL
-
Specifies the URL to the endpoint handling access tokens as described in section 3.2 of The OAuth 2.0 Authorization Framework (RFC 6749).
amster
attribute:tokenEndpoint
- User Profile Service URL
-
Specifies the user profile URL that returns profile information in JSON format.
Default:
https://api.wechat.com/sns/userinfo
amster
attribute:userInfoEndpoint
- Scope
-
Specifies a list of user profile attributes that the client application requires, according to The OAuth 2.0 Authorization Framework (RFC 6749). The list depends on the permissions that the resource owner, such as the end user, grants to the client application.
amster
attribute:scope
- Scope Delimiter
-
Specifies the delimiter used to separate scope values.
Some authorization servers use non-standard separators for scopes. Facebook, for example, uses commas.
Default: space character
amster
attribute:scopeDelimiter
- Subject Property
-
Specifies the attribute the social provider uses to identify a user.
Default:
openid
amster
attribute:subjectProperty
- Use Basic Auth
-
Specifies that the client uses HTTP Basic authentication when authenticating to the social provider.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:usesBasicAuth
-
- Proxy URL
-
Specifies the URL to the
/oauth2c/OAuthProxy.jsp
file, which provides AM with GET to POST proxying capabilities. Change this URL only if an external server performs the GET to POST proxying.Default:
@SERVER_PROTO@://@SERVER_HOST@:@SERVER_PORT@/@SERVER_URI@/oauth2c/OAuthProxy.jsp
Example:
https://openam.example.com:8443/openam/oauth2c/OAuthProxy.jsp
amster
attribute:ssoProxyUrl
Account Provisioning
The following properties are available under the Account Provisioning tab:
- Use IDM as Registration Service
-
Whether to use IDM as an external registration service to complete registration for new users. You must configure and enable the IDM Provisioning service to use this option. See IDM Provisioning.
AM passes IDM these parameters:
-
clientToken
: Signed, encrypted JWT of the OAuth 2.0 authentication state. -
returnParams
: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.
Default:
False
amster
attribute:enableRegistrationService
-
- Create account if it does not exist
-
When enabled, AM creates an account for the user if the user profile does not exist. If the Prompt for password setting and activation code attribute is enabled, AM prompts the user for a password and activation code before creating the account.
When configured to create new accounts, the SMTP settings must also be valid. As part of account creation, the authentication module sends the resource owner an email with an account activation code. To send the mail, AM uses the SMTP settings you provide in the module configuration.
When disabled, a user without a profile may still log into AM if the Ignore Profile attribute is set in the authentication service of the realm, or if the account is mapped to an anonymous account.
Valid values are:
-
true
-
false
Default:
true
amster
attribute:createAccount
-
- Account Provider
-
Specifies the name of the class that implements the account provider.
Default:
org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider
amster
attribute:accountProviderClass
- Account Mapper
-
Specifies the name of the class that implements the attribute mapping for the account search.
Default:
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|wechat-
amster
attribute:accountMapperClass
- Account Mapper Configuration
-
Specifies the attribute configuration used to map the account of the user authenticated in the social provider to the local data store in AM. Valid values take the form
provider-attr=local-attr
.When using the
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
class, you can parse JSON objects in mappings, by using dot notation.For example, given a JSON payload of:
{ "sub" : "12345", "name" : { "first_name" : "Demo", "last_name" : "User" } }
You can create a mapper, such as
name.first_name=cn
.Default:
openid=uid
amster
attribute:accountMapperConfiguration
- Attribute Mapper
-
Specifies the list of fully qualified class names for implementations that map attributes from the social provider to AM profile attributes.
You can provide a custom attribute mapper. A custom attribute mapper must implement the
org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper
interface.Provided implementations are:
-
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
-
org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
- can only be used when using theopenid
scope
You can provide string constructor parameters by appending pipe-separated (|) values.
For example, the
org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
class can take two constructor parameters: a comma-separated list of attributes, and a prefix to apply to their values. Specify these as follows:org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper|*|wechat-
Default:
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|wechat-
amster
attribute:attributeMappingClasses
-
- Attribute Mapper Configuration
-
Specifies a map of social provider user account attributes to local user profile attributes with values in the form
provider-attr=local-attr
.When using the
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
class, you can parse JSON objects in mappings, by using dot notation.For example, given a JSON payload of:
{ "sub" : "12345", "name" : { "first_name" : "Demo", "last_name" : "User" } }
You can create a mapper, such as
name.first_name=cn
.Default:
openid=uid
nickname=sn
nickname=cn
nickname=givenName
amster
attribute:attributeMapperConfiguration
- Prompt for password setting and activation code
-
When enabled, the user must set a password before AM creates an account dynamically. An activation code is also sent to the user’s email address. Both the password and the code are required before the account is created.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:promptPasswordFlag
-
- Map to anonymous user
-
When enabled, maps the social provider authenticated user to a specified anonymous user. If the Create account if it does not exist property is enabled, AM creates an account for the authenticated user instead of mapping the account to an anonymous user.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:mapToAnonymousUser
-
- Anonymous User
-
Specifies an anonymous user that exists in the current realm. The user status of this anonymous user must be
Active
. TheMap to anonymous user
property maps authorized users without a profile to this anonyomus user, if enabled.Default:
anonymous
amster
attribute:anonymousUserName
- Save attributes in the session
-
When enabled, saves the values of attributes specified in the Attribute Mapper Configuration property in the AM session.
Valid values are:
-
true
-
false
Default:
true
amster
attribute:saveAttributesInSession
-
The following properties are available under the Email tab:
- Email attribute in the Response
-
Specifies the attribute identifying the authenticated user’s email address in the response from the profile service in the social provider. This setting is used to send an email message with an activation code for accounts created dynamically.
amster
attribute:emailAttribute
- Mail Server Gateway implementation class
-
Specifies the class used by the module to send email. A custom subclass of
org.forgerock.openam.authentication.modules.oauth2.EmailGateway
class can be provided.Default:
org.forgerock.openam.authentication.modules.oauth2.DefaultEmailGatewayImpl
amster
attribute:emailGateway
- SMTP host
-
Specifies the host name of the mail server.
Default:
localhost
amster
attribute:smtpHost
- SMTP port
-
Specifies the SMTP port number for the mail server.
Default:
25
amster
attribute:smtpPort
- SMTP User Name
-
Specifies the username AM uses to authenticate to the mail server.
amster
attribute:smtpUsername
- SMTP User Password
-
Specifies the password AM uses to authenticate to the mail server.
amster
attribute:smtpPassword
- SMTP SSL Enabled
-
When enabled, connects to the mail server over SSL. AM must be able to trust the SMTP server certificate.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:smtpSslEnabled
-
- SMTP From address
-
Specifies the address of the email sender, such as
no-reply@example.com
.Default:
info@forgerock.com
amster
attribute:smtpFromAddress
Social authentication module properties - WeChat Mobile
amster
service name: SocialAuthWeChatMobileModule
ssoadm
service name: iPlanetAMAuthSocialAuthWeChatMobileService
Core
The following properties are available under the Core tab:
- Authentication Level
-
Specifies the authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
Default:
0
amster
data attribute:authenticationLevel
- Social Provider
-
Specifies the name of the social provider for which this module is being set up.
Default:
WeChat
amster
data attribute:provider
- User Profile Service URL
-
Specifies the user profile URL that returns profile information in JSON format.
Default:
https://api.wechat.com/sns/userinfo
amster
attribute:userInfoEndpoint
- Scope
-
Specifies a list of user profile attributes that the client application requires, according to The OAuth 2.0 Authorization Framework (RFC 6749). The list depends on the permissions that the resource owner, such as the end user, grants to the client application.
Default:
snsapi_userinfo
amster
attribute:scope
- Subject Property
-
Specifies the attribute the social provider uses to identify a user.
Default:
openid
amster
attribute:subjectProperty
- Proxy URL
-
Specifies the URL to the
/oauth2c/OAuthProxy.jsp
file, which provides AM with GET to POST proxying capabilities. Change this URL only if an external server performs the GET to POST proxying.Default:
@SERVER_PROTO@://@SERVER_HOST@:@SERVER_PORT@/@SERVER_URI@/oauth2c/OAuthProxy.jsp
Example:
https://openam.example.com:8443/openam/oauth2c/OAuthProxy.jsp
amster
attribute:ssoProxyUrl
Account Provisioning
The following properties are available under the Account Provisioning tab:
- Use IDM as Registration Service
-
Whether to use IDM as an external registration service to complete registration for new users. You must configure and enable the IDM Provisioning service to use this option. See IDM Provisioning.
AM passes IDM these parameters:
-
clientToken
: Signed, encrypted JWT of the OAuth 2.0 authentication state. -
returnParams
: Encoded URL parameters, required to be returned to AM to resume authentication after registration in IDM is complete.
Default:
False
amster
attribute:enableRegistrationService
-
- Create account if it does not exist
-
When enabled, AM creates an account for the user if the user profile does not exist. If the Prompt for password setting and activation code attribute is enabled, AM prompts the user for a password and activation code before creating the account.
When configured to create new accounts, the SMTP settings must also be valid. As part of account creation, the authentication module sends the resource owner an email with an account activation code. To send the mail, AM uses the SMTP settings you provide in the module configuration.
When disabled, a user without a profile may still log into AM if the Ignore Profile attribute is set in the authentication service of the realm, or if the account is mapped to an anonymous account.
Valid values are:
-
true
-
false
Default:
true
amster
attribute:createAccount
-
- Account Provider
-
Specifies the name of the class that implements the account provider.
Default:
org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider
amster
attribute:accountProviderClass
- Account Mapper
-
Specifies the name of the class that implements the attribute mapping for the account search.
Default:
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|wechat-
amster
attribute:accountMapperClass
- Account Mapper Configuration
-
Specifies the attribute configuration used to map the account of the user authenticated in the social provider to the local data store in AM. Valid values take the form
provider-attr=local-attr
.When using the
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
class, you can parse JSON objects in mappings, by using dot notation.For example, given a JSON payload of:
{ "sub" : "12345", "name" : { "first_name" : "Demo", "last_name" : "User" } }
You can create a mapper, such as
name.first_name=cn
.Default:
openid=uid
amster
attribute:accountMapperConfiguration
- Attribute Mapper
-
Specifies the list of fully qualified class names for implementations that map attributes from the social provider to AM profile attributes.
You can provide a custom attribute mapper. A custom attribute mapper must implement the
org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper
interface.Provided implementations are:
-
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
-
org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
- can only be used when using theopenid
scope
You can provide string constructor parameters by appending pipe-separated (|) values.
For example, the
org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
class can take two constructor parameters: a comma-separated list of attributes, and a prefix to apply to their values. Specify these as follows:org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper|*|wechat-
Default:
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|wechat-
amster
attribute:attributeMappingClasses
-
- Attribute Mapper Configuration
-
Specifies a map of social provider user account attributes to local user profile attributes with values in the form
provider-attr=local-attr
.When using the
org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
class, you can parse JSON objects in mappings, by using dot notation.For example, given a JSON payload of:
{ "sub" : "12345", "name" : { "first_name" : "Demo", "last_name" : "User" } }
You can create a mapper, such as
name.first_name=cn
.Default:
openid=uid
nickname=sn
nickname=cn
nickname=givenName
amster
attribute:attributeMapperConfiguration
- Prompt for password setting and activation code
-
When enabled, the user must set a password before AM creates an account dynamically. An activation code is also sent to the user’s email address. Both the password and the code are required before the account is created.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:promptPasswordFlag
-
- Map to anonymous user
-
When enabled, maps the social provider authenticated user to a specified anonymous user. If the Create account if it does not exist property is enabled, AM creates an account for the authenticated user instead of mapping the account to an anonymous user.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:mapToAnonymousUser
-
- Anonymous User
-
Specifies an anonymous user that exists in the current realm. The user status of this anonymous user must be
Active
. TheMap to anonymous user property
maps authorized users without a profile to this anonyomus user, if enabled.Default:
anonymous
amster
attribute:anonymousUserName
- Save attributes in the session
-
When enabled, saves the values of attributes specified in the Attribute Mapper Configuration property in the AM session.
Valid values are:
-
true
-
false
Default:
true
amster
attribute:saveAttributesInSession
-
The following properties are available under the Email tab:
- Email attribute in the Response
-
Specifies the attribute identifying the authenticated user’s email address in the response from the profile service in the social provider. This setting is used to send an email message with an activation code for accounts created dynamically.
amster
attribute:emailAttribute
- Mail Server Gateway implementation class
-
Specifies the class used by the module to send email. A custom subclass of
org.forgerock.openam.authentication.modules.oauth2.EmailGateway
class can be provided.Default:
org.forgerock.openam.authentication.modules.oauth2.DefaultEmailGatewayImpl
amster
attribute:emailGateway
- SMTP host
-
Specifies the host name of the mail server.
Default:
localhost
amster
attribute:smtpHost
- SMTP port
-
Specifies the SMTP port number for the mail server.
Default:
25
amster
attribute:smtpPort
- SMTP User Name
-
Specifies the username AM uses to authenticate to the mail server.
amster
attribute:smtpUsername
- SMTP User Password
-
Specifies the password AM uses to authenticate to the mail server.
amster
attribute:smtpPassword
- SMTP SSL Enabled
-
When enabled, connects to the mail server over SSL. AM must be able to trust the SMTP server certificate.
Valid values are:
-
true
-
false
Default:
false
amster
attribute:smtpSslEnabled
-
- SMTP From address
-
Specifies the address of the email sender, such as
no-reply@example.com
.Default:
info@forgerock.com
amster
attribute:smtpFromAddress
Windows Desktop SSO authentication module properties
amster
service name: WindowsDesktopSsoModule
ssoadm
service name: iPlanetAMAuthWindowsDesktopSSOService
Before configuring the authentication module, create an Active Directory account and a |
- Service Principal
-
The Kerberos principal for authentication in the format
HTTP/host.domain@DC-DOMAIN-NAME
.host.domain corresponds to the host and domain names of the AM instance and DC-DOMAIN-NAME is the domain name of the Kerberos realm (the FQDN of the Active Directory domain).
DC-DOMAIN-NAME can differ from the domain name for AM.
In multi-server deployments, configure host.domain as the load balancer FQDN or IP address in front of the AM instances. For example,
HTTP/openamLB.example.com@KERBEROSREALM.INTERNAL.COM
.For details, refer to How do I set up the WDSSO authentication module in AM in a load-balanced environment?.
amster
attribute:principalName
ssoadm
attribute:iplanet-am-auth-windowsdesktopsso-principal-name
- Keytab File Name
-
The full path to the keytab file for the Service Principal. Generate the keytab file using the Windows
ktpass
utility.amster
attribute:keytabFileName
ssoadm
attribute:iplanet-am-auth-windowsdesktopsso-keytab-file
- Kerberos Realm
-
The Kerberos Key Distribution Center realm. For the Windows Kerberos service, this is the domain controller server domain name.
amster
attribute:kerberosRealm
ssoadm
attribute:iplanet-am-auth-windowsdesktopsso-kerberos-realm
- Kerberos Server Name
-
The FQDN of the Kerberos Key Distribution Center server; for example, the FQDN of the domain controller server.
amster
attribute:kerberosServerName
ssoadm
attribute:iplanet-am-auth-windowsdesktopsso-kdc
- Return Principal with Domain Name
-
When enabled, AM automatically returns the Kerberos principal with the domain controller’s domain name during authentication.
amster
attribute:returnPrincipalWithDomainName
ssoadm
attribute:iplanet-am-auth-windowsdesktopsso-returnRealm
- Authentication Level
-
The authentication level used to indicate the level of security associated with the module. The value can range from 0 to any positive integer.
amster
attribute:authenticationLevel
ssoadm
attribute:iplanet-am-auth-windowsdesktopsso-auth-level
- Trusted Kerberos realms
-
List of trusted Kerberos realms for user Kerberos tickets. When realms are configured, Kerberos tickets are only accepted if the realm part of the user principal name of the user’s Kerberos ticket matches a realm from the list.
amster
attribute:trustedKerberosRealms
ssoadm
attribute:iplanet-am-auth-windowsdesktopsso-kerberos-realms-trusted
- isInitiator
-
Configuration used for the JDK Kerberos LoginModule (
Krb5LoginModule
), which authenticates users using Kerberos principals. Possible values aretrue
for initiator credentials, andfalse
for acceptor credentials.Default value:
true
amster
attribute:kerberosServiceIsinitiator
ssoadm
attribute:iplanet-am-auth-windowsdesktopsso-kerberos-isinitiator
- Search for the user in the realm
-
Validates the user against the configured data stores. If the user from the Kerberos token isn’t found, authentication fails. If an authentication chain is set, the user can authenticate through another module. This search uses the
Alias Search Attribute Name
from the core realm attributes. For details, refer to User Profile.amster
attribute:lookupUserInRealm
ssoadm
attribute:iplanet-am-auth-windowsdesktopsso-lookupUserInRealm
Authenticating with Windows Desktop SSO over REST
To authenticate with Windows Desktop SSO over REST, add an Authorization
header containing the string Basic
,
followed by a base64-encoded string of the username, a colon character, and the password.
For example, if the credentials demo:Ch4ng31t
are base64-encoded, the resulting string is ZGVtbzpDaDRuZzMxdA==
.
The REST request would then be as follows:
$ curl \
--request POST \
--header "Content-Type: application/json" \
--header "Accept-API-Version: resource=2.0, protocol=1.0" \
--header "Authorization: Basic ZGVtbzpDaDRuZzMxdA==" \
'https://openam.example.com:8443/openam/json/realms/root/realms/alpha/authenticate'
{
"tokenId":"AQIC5w…NTcy*",
"successUrl":"/openam/console",
"realm":"/alpha"
}
Differences between authentication modules that support HOTP
AM provides two authentication modules that support OATH:
We recommend using the ForgeRock Authenticator (OATH) authentication module when possible. |
The ForgeRock Authenticator (OATH), OATH, and HOTP authentication modules let you configure authentication that prompts users to enter HMAC one-time passwords. It is important that administrators understand the differences among these authentication modules:
-
The ForgeRock Authenticator (OATH) and OATH authentication modules accept one-time passwords generated by the end user’s device, while the HOTP authentication module generates passwords and sends them to users by e-mail or SMS.
-
All three of the authentication modules support HOTP passwords. The ForgeRock Authenticator (OATH) and OATH authentication modules also support TOTP passwords.
-
The ForgeRock Authenticator (OATH) and OATH authentication modules require users to register their devices, and store the device registration details in the user profile. The HOTP authentication module requires the presence of mobile phone numbers and/or e-mail addresses in user profiles.
-
The ForgeRock Authenticator (OATH) authentication module can encrypt stored device registration details.
Before deciding on an implementation strategy, assess your requirements against the following capabilities in AM:
Requirement | Available With the ForgeRock Authenticator (OATH) Authentication Module? | Available With the HOTP Authentication Module? |
---|---|---|
End users can authenticate using a HOTP password |
✔ |
✔ |
AM can generate a HOTP password and send it to end users in a text message or an e-mail |
✖ |
✔ |
End users can register a mobile phone with AM, and an authenticator app on the phone can generate a HOTP or TOTP password that AM accepts as proof of authentication |
✔ |
✖ |
End users can authenticate with a TOTP password |
✔ |
✖ |
End users can opt out of providing a one-time password |
✔ |
✖ |
End users can authenticate using XUI |
✔ |
✔ |