Configuring AM for Authentication

AM provides the following features to authenticate users:

  • Authentication Nodes and Trees. AM provides a number of authentication nodes to handle different modes of authenticating users. The nodes must be connected together in a tree to provide multiple authentication paths to users.

  • Authentication Modules and Chains. AM provides a number of authentication modules to handle different modes of authenticating users. The modules also can be chained together to provide multiple authentication mechanisms, so that a user's or entity's credentials must be evaluated by one module before control passes to another module.


Authentication nodes and trees are replacing authentication modules and chains. We recommend that you implement nodes and trees when possible.

AM leaves the authentication process flexible so that you can adapt how it works to your situation. Although the number of choices can seem daunting, once you understand the basic process you will see how AM allows you to protect access to a wide range of applications used in your organization.

Authentication happens at realm level in AM. Each realm has its own authentication configuration that is copied from the parent realm at creation time, which may save you some time if you are configuring subrealms.

The following table summarizes the high-level tasks required to configure authentication in a realm:


Configure the Required Authentication Trees or Chains

You need to decide how your users are going to log in. For example, you may require your users to provide multiple credentials, or to log in using third-party identity providers, such as Facebook or Google.

Configure the Realm Defaults for Authentication

Authentication chains and trees use several defaults that are configured at realm level. Review and configure them to suit your environment.

Deactivate the Anonymous User

The anonymous user is enabled by default. To harden security, deactivate the anonymous user, unless anonymous access is specifically required in your deployment.

Configure the Success and Failure URLs for the Realm

By default, AM redirects users to the console after successful authentication. No failure URL is defined by default.

Configure an Identity Store in your Realm.

The identity store you configure in the realm should contain those users that would log in to the realm.

Read a different version of :