Authentication
Realm Operations
Resource path:
/realm-config/authentication
Resource version: 1.0
create
Usage
am> create Authentication --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "postauthprocess" : { "type" : "object", "title" : "Post Authentication Processing", "propertyOrder" : 6, "properties" : { "usernameGeneratorClass" : { "title" : "Pluggable User Name Generator Class", "description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>", "propertyOrder" : 2200, "required" : true, "type" : "string", "exampleValue" : "" }, "loginSuccessUrl" : { "title" : "Default Success Login URL", "description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.", "propertyOrder" : 1800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "userAttributeSessionMapping" : { "title" : "User Attribute Mapping to Session Attribute", "description" : "Mapping of user profile attribute name to session attribute name.<br><br>The setting causes OpenAM to read the named attributes from the users profile in the data store and store their values in the users session.<br/></br>Format: User Profile Attribute|Session Attribute name. ", "propertyOrder" : 3000, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "loginFailureUrl" : { "title" : "Default Failure Login URL ", "description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.", "propertyOrder" : 1900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "loginPostProcessClass" : { "title" : "Authentication Post Processing Classes", "description" : "A list of post authentication processing classes for all users in this realm.<br><br>The list of Post-Processing Classes called by AM for all users that authenticate to this realm. Refer to the documentation for the places where the list of post authentication classes can be set. Realm-level post-authentication plugins are only called when no post-authentication plugin is configured for the authentication chain.<br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.", "propertyOrder" : 2000, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "usernameGeneratorEnabled" : { "title" : "Generate UserID Mode", "description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.", "propertyOrder" : 2100, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "accountlockout" : { "type" : "object", "title" : "Account Lockout", "propertyOrder" : 2, "properties" : { "lockoutDuration" : { "title" : "Login Failure Lockout Duration", "description" : "The duration of the users account lockout, in minutes.<br><br>OpenAM can either lockout the users account indefinitely (until administration action) by setting the duration to 0, (the default) or OpenAM can lock the users account for a given number of minutes. After the lockout interval, the user will be able to successfully authenticate to OpenAM.", "propertyOrder" : 1300, "required" : true, "type" : "integer", "exampleValue" : "" }, "lockoutEmailAddress" : { "title" : "Email Address to Send Lockout Notification", "description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. The contents of the email message is configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "loginFailureLockoutMode" : { "title" : "Login Failure Lockout Mode", "description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and if a pre-defined limit is breached, OpenAM can lockout the users account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.", "propertyOrder" : 800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "lockoutAttributeName" : { "title" : "Lockout Attribute Name", "description" : "Name of custom lockout attribute <br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. In addition, OpenAM can set the value of another attribute in the users profile. ", "propertyOrder" : 1500, "required" : true, "type" : "string", "exampleValue" : "" }, "loginFailureDuration" : { "title" : "Login Failure Lockout Interval", "description" : "The lockout interval time is in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5; the user will have to have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. Failed authentications the occurred outside of the 5 minute interval are ignored.", "propertyOrder" : 1000, "required" : true, "type" : "integer", "exampleValue" : "" }, "lockoutDurationMultiplier" : { "title" : "Lockout Duration Multiplier", "description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function. ", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "lockoutWarnUserCount" : { "title" : "Warn User After N Failures", "description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.", "propertyOrder" : 1200, "required" : true, "type" : "integer", "exampleValue" : "" }, "loginFailureCount" : { "title" : "Login Failure Lockout Count", "description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the users account.", "propertyOrder" : 900, "required" : true, "type" : "integer", "exampleValue" : "" }, "storeInvalidAttemptsInDataStore" : { "title" : "Store Invalid Attempts in Data Store", "description" : "Enables sharing of login failure attempts across AM Instances<br><br>When this setting is enabled AM will store the user's invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property. This setting only applies to authentication modules and chains; authentication trees will <i>always</i> write their account lockout progress and status to the data store.", "propertyOrder" : 2700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invalidAttemptsDataAttributeName" : { "title" : "Invalid Attempts Data Attribute Name", "description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the users profile. This allows multiple instances of OpenAM in the same site to share information about a users invalid authentication attempts. By default the custom attribute; <code>sunAMAuthInvalidAttemptsData</code> defined in the <code>sunAMAuthAccountLockout</code> objectclass is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" }, "lockoutAttributeValue" : { "title" : "Lockout Attribute Value", "description" : "Value to set in custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the users profile when they account is locked.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "" } } }, "core" : { "type" : "object", "title" : "Core", "propertyOrder" : -1, "properties" : { "adminAuthModule" : { "title" : "Administrator Authentication Configuration", "description" : "Default Authentication Service for administrators<br><br>This is the authentication service that will be used to authentication administrative users to this realm.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "orgConfig" : { "title" : "Organization Authentication Configuration", "description" : "Default Authentication Service for users<br><br>This is the authentication service that will be used to authenticate users to this realm.", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" } } }, "trees" : { "type" : "object", "title" : "Trees", "propertyOrder" : 4, "properties" : { "authenticationTreeCookieHttpOnly" : { "title" : "Stops sending tokenId", "description" : "Stops sending tokenId when HttpOnly cookies are on.<br><br>If enabled and HttpOnly cookies are on, the tree authentication will not return tokenId.", "propertyOrder" : 3885, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationSessionsMaxDuration" : { "title" : "Max duration (minutes)", "description" : "Specify how long an authentication session can last.<br><br>From the time an authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed.", "propertyOrder" : 3860, "required" : true, "type" : "integer", "exampleValue" : "" }, "suspendedAuthenticationTimeout" : { "title" : "Suspended authentication duration (minutes)", "description" : "Specify how long a suspended authentication session can last.<br><br>From the time a suspended authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed. This timeout should be less than or equal to the authentication sessionâs timeout value.", "propertyOrder" : 3870, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationSessionsWhitelist" : { "title" : "Enable Allowlisting", "description" : "Enables explicit allowlisting of valid authentication states to prevent replay attacks.<br><br>If enabled, each time a response is sent to the user a randomly generated state parameter is also sent back to user. This state parameter is stored accessible to AM and must be sent in with the subsequent request. After a request has been received with a valid state parameter, the next response contains a new state, and the server's view of the valid state parameter is updated.", "propertyOrder" : 3880, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationSessionsStateManagement" : { "title" : "Authentication session state management scheme", "description" : "Specify how the authentication session state is managed.<br><br>CTS option will write the state down to the underlying core token store.<br />JWT option will transmit the state in a JWT to the client.<br />In-Memory option will maintain the state in the memory (requires sticky loadbalancing).<br /><br /> <em>To configure JWT signing, encryption, and denylisting use the options in the Client-Side Sessions section of the Sessions global service.</em>", "propertyOrder" : 3850, "required" : true, "type" : "string", "exampleValue" : "" } } }, "security" : { "type" : "object", "title" : "Security", "propertyOrder" : 5, "properties" : { "zeroPageLoginAllowedWithoutReferrer" : { "title" : "Zero Page Login Allowed without Referer?", "description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.", "propertyOrder" : 3700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "sharedSecret" : { "title" : "Organization Authentication Signing Secret", "description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>This is the shared secret for signing state used in RESTful authentication requests. Should be at Base-64 encoded and at least 128-bits in length. By default a cryptographically secure random value is generated.", "propertyOrder" : 4000, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "moduleBasedAuthEnabled" : { "title" : "Module Based Authentication", "description" : "Allows a user to authenticate via module based authentication.<br><br>The feature allow users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.", "propertyOrder" : 2800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "keyAlias" : { "title" : "Persistent Cookie Encryption Certificate Alias", "description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests.", "propertyOrder" : 3300, "required" : true, "type" : "string", "exampleValue" : "" }, "addClearSiteDataHeader" : { "title" : "Add clear-site-data Header on Logout", "description" : "If true then a clear-site-data header will be added to successful logout responses. This header will have the value '\"cache\", \"cookies\", \"storage\", \"executionContexts\"'", "propertyOrder" : 3920, "required" : true, "type" : "boolean", "exampleValue" : "" }, "zeroPageLoginEnabled" : { "title" : "Zero Page Login", "description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.", "propertyOrder" : 3400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "zeroPageLoginReferrerWhiteList" : { "title" : "Zero Page Login Referer Allowlist", "description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.", "propertyOrder" : 3600, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "general" : { "type" : "object", "title" : "General", "propertyOrder" : 3, "properties" : { "userStatusCallbackPlugins" : { "title" : "Pluggable User Status Event Classes", "description" : "List of classes to be called when status of the user account changes.<br><br>When the status of a users account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. The built in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.", "propertyOrder" : 2600, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "externalLoginPageUrl" : { "title" : "External Login Page URL", "description" : "Link to the external login user interface.<br><br>If the authentication user interface is hosted separately from AM, its URL can be provided here. AM will use this URL for example when it's constructing the resume URI in case authentication is suspended in an authentication tree.", "propertyOrder" : 3910, "required" : true, "type" : "string", "exampleValue" : "" }, "locale" : { "title" : "Default Authentication Locale", "description" : "", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "identityType" : { "title" : "Identity Types", "description" : "", "propertyOrder" : 2500, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "defaultAuthLevel" : { "title" : "Default Authentication Level", "description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set it's own auth level then the module will have the default authentication level for the realm.", "propertyOrder" : 4100, "required" : true, "type" : "integer", "exampleValue" : "" }, "twoFactorRequired" : { "title" : "Two Factor Authentication Mandatory", "description" : "Enforces ALL 2FA (OATH and Push) authentication Modules (not nodes) only for this authentication realm.", "propertyOrder" : 3900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "statelessSessionsEnabled" : { "title" : "Use Client-Side Sessions", "description" : "Enables client-side sessions.<br><br>Client-side sessions provide elastic scalability by storing all session state as a JWT in a cookie stored on the client. It is highly recommended to enable signing and encryption of the JWT in the global session service.", "propertyOrder" : 3800, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "userprofile" : { "type" : "object", "title" : "User Profile", "propertyOrder" : 0, "properties" : { "defaultRole" : { "title" : "User Profile Dynamic Creation Default Roles", "description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.", "propertyOrder" : 300, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "aliasAttributeName" : { "title" : "Alias Search Attribute Name", "description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the users profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>A user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default) so uid=steve, if no match is found then cn=steve will be searched until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.", "propertyOrder" : 400, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "dynamicProfileCreation" : { "title" : "User Profile", "description" : "Controls the result of the user profile success post successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" } } } } }
update
Usage
am> update Authentication --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "postauthprocess" : { "type" : "object", "title" : "Post Authentication Processing", "propertyOrder" : 6, "properties" : { "usernameGeneratorClass" : { "title" : "Pluggable User Name Generator Class", "description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>", "propertyOrder" : 2200, "required" : true, "type" : "string", "exampleValue" : "" }, "loginSuccessUrl" : { "title" : "Default Success Login URL", "description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.", "propertyOrder" : 1800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "userAttributeSessionMapping" : { "title" : "User Attribute Mapping to Session Attribute", "description" : "Mapping of user profile attribute name to session attribute name.<br><br>The setting causes OpenAM to read the named attributes from the users profile in the data store and store their values in the users session.<br/></br>Format: User Profile Attribute|Session Attribute name. ", "propertyOrder" : 3000, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "loginFailureUrl" : { "title" : "Default Failure Login URL ", "description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.", "propertyOrder" : 1900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "loginPostProcessClass" : { "title" : "Authentication Post Processing Classes", "description" : "A list of post authentication processing classes for all users in this realm.<br><br>The list of Post-Processing Classes called by AM for all users that authenticate to this realm. Refer to the documentation for the places where the list of post authentication classes can be set. Realm-level post-authentication plugins are only called when no post-authentication plugin is configured for the authentication chain.<br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.", "propertyOrder" : 2000, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "usernameGeneratorEnabled" : { "title" : "Generate UserID Mode", "description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.", "propertyOrder" : 2100, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "accountlockout" : { "type" : "object", "title" : "Account Lockout", "propertyOrder" : 2, "properties" : { "lockoutDuration" : { "title" : "Login Failure Lockout Duration", "description" : "The duration of the users account lockout, in minutes.<br><br>OpenAM can either lockout the users account indefinitely (until administration action) by setting the duration to 0, (the default) or OpenAM can lock the users account for a given number of minutes. After the lockout interval, the user will be able to successfully authenticate to OpenAM.", "propertyOrder" : 1300, "required" : true, "type" : "integer", "exampleValue" : "" }, "lockoutEmailAddress" : { "title" : "Email Address to Send Lockout Notification", "description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. The contents of the email message is configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "loginFailureLockoutMode" : { "title" : "Login Failure Lockout Mode", "description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and if a pre-defined limit is breached, OpenAM can lockout the users account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.", "propertyOrder" : 800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "lockoutAttributeName" : { "title" : "Lockout Attribute Name", "description" : "Name of custom lockout attribute <br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. In addition, OpenAM can set the value of another attribute in the users profile. ", "propertyOrder" : 1500, "required" : true, "type" : "string", "exampleValue" : "" }, "loginFailureDuration" : { "title" : "Login Failure Lockout Interval", "description" : "The lockout interval time is in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5; the user will have to have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. Failed authentications the occurred outside of the 5 minute interval are ignored.", "propertyOrder" : 1000, "required" : true, "type" : "integer", "exampleValue" : "" }, "lockoutDurationMultiplier" : { "title" : "Lockout Duration Multiplier", "description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function. ", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "lockoutWarnUserCount" : { "title" : "Warn User After N Failures", "description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.", "propertyOrder" : 1200, "required" : true, "type" : "integer", "exampleValue" : "" }, "loginFailureCount" : { "title" : "Login Failure Lockout Count", "description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the users account.", "propertyOrder" : 900, "required" : true, "type" : "integer", "exampleValue" : "" }, "storeInvalidAttemptsInDataStore" : { "title" : "Store Invalid Attempts in Data Store", "description" : "Enables sharing of login failure attempts across AM Instances<br><br>When this setting is enabled AM will store the user's invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property. This setting only applies to authentication modules and chains; authentication trees will <i>always</i> write their account lockout progress and status to the data store.", "propertyOrder" : 2700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invalidAttemptsDataAttributeName" : { "title" : "Invalid Attempts Data Attribute Name", "description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the users profile. This allows multiple instances of OpenAM in the same site to share information about a users invalid authentication attempts. By default the custom attribute; <code>sunAMAuthInvalidAttemptsData</code> defined in the <code>sunAMAuthAccountLockout</code> objectclass is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" }, "lockoutAttributeValue" : { "title" : "Lockout Attribute Value", "description" : "Value to set in custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the users profile when they account is locked.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "" } } }, "core" : { "type" : "object", "title" : "Core", "propertyOrder" : -1, "properties" : { "adminAuthModule" : { "title" : "Administrator Authentication Configuration", "description" : "Default Authentication Service for administrators<br><br>This is the authentication service that will be used to authentication administrative users to this realm.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "orgConfig" : { "title" : "Organization Authentication Configuration", "description" : "Default Authentication Service for users<br><br>This is the authentication service that will be used to authenticate users to this realm.", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" } } }, "trees" : { "type" : "object", "title" : "Trees", "propertyOrder" : 4, "properties" : { "authenticationTreeCookieHttpOnly" : { "title" : "Stops sending tokenId", "description" : "Stops sending tokenId when HttpOnly cookies are on.<br><br>If enabled and HttpOnly cookies are on, the tree authentication will not return tokenId.", "propertyOrder" : 3885, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationSessionsMaxDuration" : { "title" : "Max duration (minutes)", "description" : "Specify how long an authentication session can last.<br><br>From the time an authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed.", "propertyOrder" : 3860, "required" : true, "type" : "integer", "exampleValue" : "" }, "suspendedAuthenticationTimeout" : { "title" : "Suspended authentication duration (minutes)", "description" : "Specify how long a suspended authentication session can last.<br><br>From the time a suspended authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed. This timeout should be less than or equal to the authentication sessionâs timeout value.", "propertyOrder" : 3870, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationSessionsWhitelist" : { "title" : "Enable Allowlisting", "description" : "Enables explicit allowlisting of valid authentication states to prevent replay attacks.<br><br>If enabled, each time a response is sent to the user a randomly generated state parameter is also sent back to user. This state parameter is stored accessible to AM and must be sent in with the subsequent request. After a request has been received with a valid state parameter, the next response contains a new state, and the server's view of the valid state parameter is updated.", "propertyOrder" : 3880, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationSessionsStateManagement" : { "title" : "Authentication session state management scheme", "description" : "Specify how the authentication session state is managed.<br><br>CTS option will write the state down to the underlying core token store.<br />JWT option will transmit the state in a JWT to the client.<br />In-Memory option will maintain the state in the memory (requires sticky loadbalancing).<br /><br /> <em>To configure JWT signing, encryption, and denylisting use the options in the Client-Side Sessions section of the Sessions global service.</em>", "propertyOrder" : 3850, "required" : true, "type" : "string", "exampleValue" : "" } } }, "security" : { "type" : "object", "title" : "Security", "propertyOrder" : 5, "properties" : { "zeroPageLoginAllowedWithoutReferrer" : { "title" : "Zero Page Login Allowed without Referer?", "description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.", "propertyOrder" : 3700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "sharedSecret" : { "title" : "Organization Authentication Signing Secret", "description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>This is the shared secret for signing state used in RESTful authentication requests. Should be at Base-64 encoded and at least 128-bits in length. By default a cryptographically secure random value is generated.", "propertyOrder" : 4000, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "moduleBasedAuthEnabled" : { "title" : "Module Based Authentication", "description" : "Allows a user to authenticate via module based authentication.<br><br>The feature allow users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.", "propertyOrder" : 2800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "keyAlias" : { "title" : "Persistent Cookie Encryption Certificate Alias", "description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests.", "propertyOrder" : 3300, "required" : true, "type" : "string", "exampleValue" : "" }, "addClearSiteDataHeader" : { "title" : "Add clear-site-data Header on Logout", "description" : "If true then a clear-site-data header will be added to successful logout responses. This header will have the value '\"cache\", \"cookies\", \"storage\", \"executionContexts\"'", "propertyOrder" : 3920, "required" : true, "type" : "boolean", "exampleValue" : "" }, "zeroPageLoginEnabled" : { "title" : "Zero Page Login", "description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.", "propertyOrder" : 3400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "zeroPageLoginReferrerWhiteList" : { "title" : "Zero Page Login Referer Allowlist", "description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.", "propertyOrder" : 3600, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "general" : { "type" : "object", "title" : "General", "propertyOrder" : 3, "properties" : { "userStatusCallbackPlugins" : { "title" : "Pluggable User Status Event Classes", "description" : "List of classes to be called when status of the user account changes.<br><br>When the status of a users account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. The built in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.", "propertyOrder" : 2600, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "externalLoginPageUrl" : { "title" : "External Login Page URL", "description" : "Link to the external login user interface.<br><br>If the authentication user interface is hosted separately from AM, its URL can be provided here. AM will use this URL for example when it's constructing the resume URI in case authentication is suspended in an authentication tree.", "propertyOrder" : 3910, "required" : true, "type" : "string", "exampleValue" : "" }, "locale" : { "title" : "Default Authentication Locale", "description" : "", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "identityType" : { "title" : "Identity Types", "description" : "", "propertyOrder" : 2500, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "defaultAuthLevel" : { "title" : "Default Authentication Level", "description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set it's own auth level then the module will have the default authentication level for the realm.", "propertyOrder" : 4100, "required" : true, "type" : "integer", "exampleValue" : "" }, "twoFactorRequired" : { "title" : "Two Factor Authentication Mandatory", "description" : "Enforces ALL 2FA (OATH and Push) authentication Modules (not nodes) only for this authentication realm.", "propertyOrder" : 3900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "statelessSessionsEnabled" : { "title" : "Use Client-Side Sessions", "description" : "Enables client-side sessions.<br><br>Client-side sessions provide elastic scalability by storing all session state as a JWT in a cookie stored on the client. It is highly recommended to enable signing and encryption of the JWT in the global session service.", "propertyOrder" : 3800, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "userprofile" : { "type" : "object", "title" : "User Profile", "propertyOrder" : 0, "properties" : { "defaultRole" : { "title" : "User Profile Dynamic Creation Default Roles", "description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.", "propertyOrder" : 300, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "aliasAttributeName" : { "title" : "Alias Search Attribute Name", "description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the users profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>A user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default) so uid=steve, if no match is found then cn=steve will be searched until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.", "propertyOrder" : 400, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "dynamicProfileCreation" : { "title" : "User Profile", "description" : "Controls the result of the user profile success post successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" } } } } }
Global Operations
Resource path:
/global-config/authentication
Resource version: 1.0
update
Usage
am> update Authentication --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "keepPostProcessInstances" : { "title" : "Keep Post Process Objects for Logout Processing", "description" : "Store Post Processing Classes for the duration of the session.<br><br>Enabling this setting will cause OpenAM to store instances of post processing classes into the users session. When the user logs out the original instances of the post processing classes will be called instead of new instances. This may be needed for special logout processing.<br/><br/><i>NB </i>Enabling this setting will increase the memory usage of OpenAM.", "propertyOrder" : 3100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "remoteAuthSecurityEnabled" : { "title" : "Remote Auth Security", "description" : "OpenAM requires authentication client to authenticate itself before authenticating users.<br><br>When this setting is enabled, OpenAM will require the authentication client (such as a policy agent) to authentication itself to OpenAM before the client will be allow to use the remote authentication API to authenticate users. ", "propertyOrder" : 2900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ldapConnectionPoolSize" : { "title" : "LDAP Connection Pool Size", "description" : "Controls the size of the LDAP connection pool used for authentication<br><br>Control the size of the connection pool to the LDAP directory server used by any of the authentication modules that use LDAP directly such as LDAP or Active Directory.Different OpenAM servers can be configured with different connection pool settings.<br/><br/>Format: host:port:minimum:maximum", "propertyOrder" : 2300, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "authenticators" : { "title" : "Pluggable Authentication Module Classes", "description" : "List of configured authentication modules<br><br>The list of configured authentication modules available to OpenAM. All modules must extend from the <code>com.sun.identity.authentication.spi.AMLoginModule</code> class.", "propertyOrder" : 500, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "ldapConnectionPoolDefaultSize" : { "title" : "Default LDAP Connection Pool Size", "description" : "The default connection pool size; format is: mininum:maximum", "propertyOrder" : 2400, "required" : true, "type" : "string", "exampleValue" : "" }, "defaults" : { "properties" : { "general" : { "type" : "object", "title" : "General", "propertyOrder" : 3, "properties" : { "externalLoginPageUrl" : { "title" : "External Login Page URL", "description" : "Link to the external login user interface.<br><br>If the authentication user interface is hosted separately from AM, its URL can be provided here. AM will use this URL for example when it's constructing the resume URI in case authentication is suspended in an authentication tree.", "propertyOrder" : 3910, "required" : true, "type" : "string", "exampleValue" : "" }, "userStatusCallbackPlugins" : { "title" : "Pluggable User Status Event Classes", "description" : "List of classes to be called when status of the user account changes.<br><br>When the status of a users account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. The built in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.", "propertyOrder" : 2600, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "locale" : { "title" : "Default Authentication Locale", "description" : "", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "defaultAuthLevel" : { "title" : "Default Authentication Level", "description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set it's own auth level then the module will have the default authentication level for the realm.", "propertyOrder" : 4100, "required" : true, "type" : "integer", "exampleValue" : "" }, "twoFactorRequired" : { "title" : "Two Factor Authentication Mandatory", "description" : "Enforces ALL 2FA (OATH and Push) authentication Modules (not nodes) only for this authentication realm.", "propertyOrder" : 3900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "statelessSessionsEnabled" : { "title" : "Use Client-Side Sessions", "description" : "Enables client-side sessions.<br><br>Client-side sessions provide elastic scalability by storing all session state as a JWT in a cookie stored on the client. It is highly recommended to enable signing and encryption of the JWT in the global session service.", "propertyOrder" : 3800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "identityType" : { "title" : "Identity Types", "description" : "", "propertyOrder" : 2500, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "postauthprocess" : { "type" : "object", "title" : "Post Authentication Processing", "propertyOrder" : 6, "properties" : { "loginSuccessUrl" : { "title" : "Default Success Login URL", "description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.", "propertyOrder" : 1800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "usernameGeneratorEnabled" : { "title" : "Generate UserID Mode", "description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.", "propertyOrder" : 2100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "usernameGeneratorClass" : { "title" : "Pluggable User Name Generator Class", "description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>", "propertyOrder" : 2200, "required" : true, "type" : "string", "exampleValue" : "" }, "userAttributeSessionMapping" : { "title" : "User Attribute Mapping to Session Attribute", "description" : "Mapping of user profile attribute name to session attribute name.<br><br>The setting causes OpenAM to read the named attributes from the users profile in the data store and store their values in the users session.<br/></br>Format: User Profile Attribute|Session Attribute name. ", "propertyOrder" : 3000, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "loginFailureUrl" : { "title" : "Default Failure Login URL ", "description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.", "propertyOrder" : 1900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "loginPostProcessClass" : { "title" : "Authentication Post Processing Classes", "description" : "A list of post authentication processing classes for all users in this realm.<br><br>The list of Post-Processing Classes called by AM for all users that authenticate to this realm. Refer to the documentation for the places where the list of post authentication classes can be set. Realm-level post-authentication plugins are only called when no post-authentication plugin is configured for the authentication chain.<br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.", "propertyOrder" : 2000, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "accountlockout" : { "type" : "object", "title" : "Account Lockout", "propertyOrder" : 2, "properties" : { "lockoutAttributeName" : { "title" : "Lockout Attribute Name", "description" : "Name of custom lockout attribute <br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. In addition, OpenAM can set the value of another attribute in the users profile. ", "propertyOrder" : 1500, "required" : true, "type" : "string", "exampleValue" : "" }, "lockoutDuration" : { "title" : "Login Failure Lockout Duration", "description" : "The duration of the users account lockout, in minutes.<br><br>OpenAM can either lockout the users account indefinitely (until administration action) by setting the duration to 0, (the default) or OpenAM can lock the users account for a given number of minutes. After the lockout interval, the user will be able to successfully authenticate to OpenAM.", "propertyOrder" : 1300, "required" : true, "type" : "integer", "exampleValue" : "" }, "loginFailureLockoutMode" : { "title" : "Login Failure Lockout Mode", "description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and if a pre-defined limit is breached, OpenAM can lockout the users account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.", "propertyOrder" : 800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "loginFailureCount" : { "title" : "Login Failure Lockout Count", "description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the users account.", "propertyOrder" : 900, "required" : true, "type" : "integer", "exampleValue" : "" }, "storeInvalidAttemptsInDataStore" : { "title" : "Store Invalid Attempts in Data Store", "description" : "Enables sharing of login failure attempts across AM Instances<br><br>When this setting is enabled AM will store the user's invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property. This setting only applies to authentication modules and chains; authentication trees will <i>always</i> write their account lockout progress and status to the data store.", "propertyOrder" : 2700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "lockoutWarnUserCount" : { "title" : "Warn User After N Failures", "description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.", "propertyOrder" : 1200, "required" : true, "type" : "integer", "exampleValue" : "" }, "lockoutAttributeValue" : { "title" : "Lockout Attribute Value", "description" : "Value to set in custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the users profile when they account is locked.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "" }, "lockoutDurationMultiplier" : { "title" : "Lockout Duration Multiplier", "description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function. ", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "lockoutEmailAddress" : { "title" : "Email Address to Send Lockout Notification", "description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. The contents of the email message is configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "invalidAttemptsDataAttributeName" : { "title" : "Invalid Attempts Data Attribute Name", "description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the users profile. This allows multiple instances of OpenAM in the same site to share information about a users invalid authentication attempts. By default the custom attribute; <code>sunAMAuthInvalidAttemptsData</code> defined in the <code>sunAMAuthAccountLockout</code> objectclass is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" }, "loginFailureDuration" : { "title" : "Login Failure Lockout Interval", "description" : "The lockout interval time is in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5; the user will have to have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. Failed authentications the occurred outside of the 5 minute interval are ignored.", "propertyOrder" : 1000, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "security" : { "type" : "object", "title" : "Security", "propertyOrder" : 5, "properties" : { "zeroPageLoginAllowedWithoutReferrer" : { "title" : "Zero Page Login Allowed without Referer?", "description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.", "propertyOrder" : 3700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "zeroPageLoginReferrerWhiteList" : { "title" : "Zero Page Login Referer Allowlist", "description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.", "propertyOrder" : 3600, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "zeroPageLoginEnabled" : { "title" : "Zero Page Login", "description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.", "propertyOrder" : 3400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "sharedSecret" : { "title" : "Organization Authentication Signing Secret", "description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>This is the shared secret for signing state used in RESTful authentication requests. Should be at Base-64 encoded and at least 128-bits in length. By default a cryptographically secure random value is generated.", "propertyOrder" : 4000, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "keyAlias" : { "title" : "Persistent Cookie Encryption Certificate Alias", "description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests.", "propertyOrder" : 3300, "required" : true, "type" : "string", "exampleValue" : "" }, "addClearSiteDataHeader" : { "title" : "Add clear-site-data Header on Logout", "description" : "If true then a clear-site-data header will be added to successful logout responses. This header will have the value '\"cache\", \"cookies\", \"storage\", \"executionContexts\"'", "propertyOrder" : 3920, "required" : true, "type" : "boolean", "exampleValue" : "" }, "moduleBasedAuthEnabled" : { "title" : "Module Based Authentication", "description" : "Allows a user to authenticate via module based authentication.<br><br>The feature allow users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.", "propertyOrder" : 2800, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "trees" : { "type" : "object", "title" : "Trees", "propertyOrder" : 4, "properties" : { "authenticationSessionsStateManagement" : { "title" : "Authentication session state management scheme", "description" : "Specify how the authentication session state is managed.<br><br>CTS option will write the state down to the underlying core token store.<br />JWT option will transmit the state in a JWT to the client.<br />In-Memory option will maintain the state in the memory (requires sticky loadbalancing).<br /><br /> <em>To configure JWT signing, encryption, and denylisting use the options in the Client-Side Sessions section of the Sessions global service.</em>", "propertyOrder" : 3850, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationSessionsWhitelist" : { "title" : "Enable Allowlisting", "description" : "Enables explicit allowlisting of valid authentication states to prevent replay attacks.<br><br>If enabled, each time a response is sent to the user a randomly generated state parameter is also sent back to user. This state parameter is stored accessible to AM and must be sent in with the subsequent request. After a request has been received with a valid state parameter, the next response contains a new state, and the server's view of the valid state parameter is updated.", "propertyOrder" : 3880, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationSessionsMaxDuration" : { "title" : "Max duration (minutes)", "description" : "Specify how long an authentication session can last.<br><br>From the time an authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed.", "propertyOrder" : 3860, "required" : true, "type" : "integer", "exampleValue" : "" }, "suspendedAuthenticationTimeout" : { "title" : "Suspended authentication duration (minutes)", "description" : "Specify how long a suspended authentication session can last.<br><br>From the time a suspended authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed. This timeout should be less than or equal to the authentication sessionâs timeout value.", "propertyOrder" : 3870, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationTreeCookieHttpOnly" : { "title" : "Stops sending tokenId", "description" : "Stops sending tokenId when HttpOnly cookies are on.<br><br>If enabled and HttpOnly cookies are on, the tree authentication will not return tokenId.", "propertyOrder" : 3885, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "userprofile" : { "type" : "object", "title" : "User Profile", "propertyOrder" : 0, "properties" : { "aliasAttributeName" : { "title" : "Alias Search Attribute Name", "description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the users profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>A user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default) so uid=steve, if no match is found then cn=steve will be searched until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.", "propertyOrder" : 400, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "dynamicProfileCreation" : { "title" : "User Profile", "description" : "Controls the result of the user profile success post successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "defaultRole" : { "title" : "User Profile Dynamic Creation Default Roles", "description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.", "propertyOrder" : 300, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "core" : { "type" : "object", "title" : "Core", "propertyOrder" : -1, "properties" : { "orgConfig" : { "title" : "Organization Authentication Configuration", "description" : "Default Authentication Service for users<br><br>This is the authentication service that will be used to authenticate users to this realm.", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "adminAuthModule" : { "title" : "Administrator Authentication Configuration", "description" : "Default Authentication Service for administrators<br><br>This is the authentication service that will be used to authentication administrative users to this realm.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" } } } }, "type" : "object", "title" : "Realm Defaults" } } }