Service Endpoints

A service endpoint is an entry point to a web service. This chapter lists AM service endpoints that are accessible by default.

If you are certain that a particular AM service endpoint is not used in your deployment, you can block access to the endpoint. For more information, see Securing Network Communication.

JSP Files

Some AM JSP pages are directly accessible as service endpoints. The following sections describe the files for those JSP pages. Directory paths in this section are relative to AM's deployment path, for example, /path/to/tomcat/webapps/openam/.

Top-Level JSP Files

You will find these files in the top-level directory of AM's deployment path.

Logback.jsp: Provides a page to configure debug logging. See Debug Logging for details.
encode.jsp: Provides a page to encode a cleartext password for use in SAML entity configurations.
getServerInfo.jsp: Supports requests for server information. This page is used internally by AM.
isAlive.jsp: Displays a "Server is ALIVE" message when AM is ready to serve requests.
proxyidpfinder.jsp: Supports access to a remote identity provider through the federation broker.
services.jsp: Lists service configuration information. Use this page when translating configuration changes made in the console into corresponding ssoadm commands.
showServerConfig.jsp: Displays system configuration information, including the deployment URL, OS, Java VM, configuration directory, and more.
validat*.jsp pages: These files serve pages and provide endpoints for the classic, JATO-based UI when testing and verifying SAML v2.0 federation.

User Interface JSP Files

Some classic, JATO-based UI pages rely on JSP files in the com_sun_web_ui/jsp/ directory. They are not intended to be used directly as external endpoints.

Authentication JSP Files

The JSP files in the config/auth/default*/ directories provide templates and endpoints to serve classic, JATO-based UI pages of the AM console that allow users to authenticate.

To adapt the current UI for your deployment, see the UI Customization Guide instead.

OAuth 2.0 JSP Files

The JSP file, oauth2/registerClient.jsp, provides a template page to register an OAuth 2.0 client application without using the main console.

The JSP files in the oauth2c/ directory serve the Legacy OAuth 2.0/OpenID Connect authentication module. They are not intended to be used directly as external endpoints.

SAML v2.0 JSP Files

The JSP files in the saml2/jsp/ directory provide endpoints used in SAML v2.0 deployments.

See Federating Identities for descriptions of externally useful endpoints.

WS Federation JSP Files

The JSP files in the wsfederation/jsp/ directory provide endpoints used in WS-Federation deployments.

WEB-INF URL Patterns

The AM .war file includes a deployment descriptor file, WEB-INF/web.xml. The deployment descriptor lists services implemented as servlets, and <url-pattern> elements that map services to AM endpoints.

When protecting an AM server, consider blocking external access to unused services based on their URL patterns.

REST API Endpoints

REST API endpoints are discussed in detail as follows:

Authenticating (REST): How to use the AM REST APIs to authenticate to AM.
Policies (REST), Policy Sets (REST), Resource Types (REST), and Policy Set Application Types (REST): How to use the AM REST APIs for policy management.
Requesting Policy Decisions Using REST: How to use the AM REST APIs for requesting authorization decisions from AM.
OAuth 2.0 Endpoints: How to use OAuth 2.0-specific endpoints to request access and refresh tokens, as well as introspecting and revoking them.
OAuth 2.0 Administration and Supporting REST Endpoints: How to use perform OAuth 2.0 administrative tasks, such as register, read, and delete clients.
OpenID Connect 1.0 Endpoints: How to use OpenID Connect-specific endpoints to retrieve information about an authenticated user, as well as validate ID tokens and check sessions.
Retrieving Forgotten Usernames, Resetting Forgotten Passwords, and Registering Users: How to use the AM REST APIs for user self-registration and forgotten password reset.
Configuring Realms (REST): How to use the AM REST APIs for managing AM identities and realms.
Managing Scripts (REST): How to use the AM REST APIs to manage AM scripts.
Recording Troubleshooting Information: How to use the AM REST APIs to record information that can help you troubleshoot AM.
Consuming REST STS Instances and Querying, Validating, and Canceling Tokens: How to use the AM REST APIs to manage AM's Security Token Service, which lets you bridge identities across web and enterprise identity access management (IAM) systems through its token transformation process.

Well-Known Endpoints

The endpoints described in this section are Well-Known URIs supported by AM:

/.well-known/openid-configuration

Exposes OpenID Provider configuration by HTTP GET as specified by OpenID Connect Discovery 1.0. No query string parameters are required.

/uma/.well-known/uma2-configuration

Exposes User-Managed Access (UMA) configuration by HTTP GET as specified by UMA Profile of OAuth 2.0. No query string parameters are required.

For an example, see Using the Well-Known UMA Endpoint.

/.well-known/webfinger

Allows a client to retrieve the provider URL for an end user by HTTP GET as specified by OpenID Connect Discovery 1.0.

For an example, see "OpenID Connect Discovery".