AM 7.5.0

OTP Email Sender node

The OTP Email Sender node sends an email containing a generated one-time password (OTP) to the user.

Send mail requests time out after 10 seconds.

You can change the timeout in the following advanced AM server properties:

  • org.forgerock.openam.smtp.system.connect.timeout


  • org.forgerock.openam.smtp.system.socket.write.timeout

How do I configure advanced server properties?
  • To configure advanced server properties for all the instances of the AM environment, go to Configure > Server Defaults > Advanced in the AM admin UI.

  • To configure advanced server properties for a specific instance, go to Deployment > Servers > Server Name > Advanced.

If the property you want to add or edit is already configured, click the pencil () button to edit it, then click the checkmark () button.

Save your changes.

For more information, refer to advanced properties.


Product Compatible?

ForgeRock Identity Cloud


ForgeRock Access Management (self-managed)


ForgeRock Identity Platform (self-managed)



  • The node requires a configured email provider.


This node requires the following input from the shared state:

  • The authenticating user’s ID. The node queries the user’s entry for an email address.

    Implement an Attribute Collector node node before this node to obtain the user’s ID.

  • The OTP stored in the oneTimePassword transient state property.

    Implement the HOTP Generator node before this node in the journey to obtain the OTP.


Property Usage

Mail Server Host Name (required)

The hostname of the SMTP email server.

Mail Server Host Port

The outgoing mail server port.

Common ports are 25, 465 for SSL/TLS, or 587 for StartTLS.

Mail Server Authentication Username

The username AM uses to connect to the mail server.

Mail Server Authentication Password

The password AM uses to connect to the mail server.

This property is deprecated. Use the Mail Server Secret Label Identifier instead.

If you set a Mail Server Secret Label Identifier, this password is ignored.

Mail Server Secret Label Identifier

An identifier used to create a secret label for mapping to a secret in a secret store.

AM uses this identifier to create a specific secret label for this node. The secret label takes the form am.authentication.nodes.otp.mail.identifier.password where identifier is the value of Mail Server Secret Label Identifier. The identifier can only contain alphanumeric characters a-z, A-Z, 0-9, and periods (.). It can’t start or end with a period.

If you set a Mail Server Secret Label Identifier and AM finds a matching secret in a secret store, the Mail Server Authentication Password is ignored.

Email From Address (required)

The email address from which the OTP will appear to have been sent.

Email Attribute Name

The attribute in the user profile that contains the email address to which the email with the OTP is sent.

Default: mail

The subject of the email

Click Add to add a new email subject. Enter the locale, such as en-uk, in the Key field and the subject in the Value field. Repeat these steps for each locale that you support.

The content of the email

Click Add to add the content of the email. Enter the locale, such as en-uk, in the Key field and the email content in the Value field. Repeat these steps for each locale that you support.

Mail Server Secure Connection

Set the connection method to the mail server.

If you set a secure method here, AM must trust the server certificate of the mail server.

The possible values for this property are:



  • Start TLS

Default: SSL/TLS

Gateway Implementation Class

The class the node uses to send SMS and email messages. A custom class must implement the com.sun.identity.authentication.modules.hotp.SMSGateway interface.

Default: com.sun.identity.authentication.modules.hotp.DefaultSMSGatewayImpl


This node copies shared and transient state into the outgoing node state.


The node throws an IdRepoException and an SSOException error if it’s unable to obtain the user’s email address.


Single outcome path.

Implement an OTP Collector Decision node after this node to continue the authentication journey.


journey otp email sender
Copyright © 2010-2024 ForgeRock, all rights reserved.