Identity Cloud

Reference

This reference is written for access management designers, developers, and administrators using ForgeRock Access Management tools, logs, and global configuration.

ForgeRock® Identity Platform serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, see https://www.forgerock.com.

Realm services configuration

You can configure services in AM in two places:

  • Under Configure > Global Services, you can find the CORS Service and the Dashboard service. These services affect all the realms in AM.

  • Under Realms > Realm Name > Services, you can enable, remove, or configure different services for the realm.

Base URL Source

The following settings are available in this service:

Base URL Source

Specifies the source of the base URL. Choose from the following:

  • Extension class. Specifies that the extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter org.forgerock.openam.services.baseurl.BaseURLProvider.

  • Fixed value. Specifies that the base URL is retrieved from a specific base URL value. In the Fixed value base URL field, enter the base URL value.

  • Forwarded header. Specifies that the base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in RFC7239.

  • Host/protocol from incoming request. Specifies that the hostname, server name, and port are retrieved from the incoming HTTP request.

  • X-Forwarded-* headers. Specifies that the base URL is retrieved from non-standard header fields, such as X-Forwarded-For, X-Forwarded-By, and X-Forwarded-Proto.

The possible values for this property are:

  • Label: Fixed value (Value: FIXED_VALUE)

  • Label: Forwarded header (Value: FORWARDED_HEADER)

  • Label: X-Forwarded-* headers (Value: X_FORWARDED_HEADERS)

  • Label: Host/protocol from incoming request (Value: REQUEST_VALUES)

  • Label: Extension class (Value: EXTENSION_CLASS)

amster attribute: source

Fixed value base URL

If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.

amster attribute: fixedValue

Extension class name

If Extension class is selected as the Base URL source, enter org.forgerock.openam.services.baseurl.BaseURLProvider in the Extension class name field.

amster attribute: extensionClassName

Context path

Specifies the context path for the base URL.

If provided, the base URL includes the deployment context path appended to the calculated URL.

For example, /openam.

amster attribute: contextPath

CORS Service

Configuration

The following settings appear on the Configuration tab:

Enable the CORS filter

If disabled, no CORS headers will be added to responses.

Default value: true

amster attribute: enabled

Secondary Configurations

This service has the following Secondary Configurations.

configuration

Enable the CORS filter

If disabled, no CORS headers will be added to responses.

Default value: false

amster attribute: enabled

Accepted Origins

The set of accepted origins.

amster attribute: acceptedOrigins

Accepted Methods

The set of (non-simple) accepted methods, included in the pre-flight response in the header Access-Control-Allow-Methods.

amster attribute: acceptedMethods

Accepted Headers

The set of (non-simple) accepted headers, included in the pre-flight response in the header Access-Control-Allow-Headers.

amster attribute: acceptedHeaders

Exposed Headers

The set of headers to transmit in the header Access-Control-Expose-Headers.

amster attribute: exposedHeaders

Max Age

The max age (in seconds) for caching, included in the pre-flight response in the header Access-Control-Max-Age.

Default value: 0

amster attribute: maxAge

Allow Credentials

Whether to transmit the Access-Control-Allow-Credentials: true header in the response.

Default value: false

amster attribute: allowCredentials

Dashboard

Realm Defaults

The following settings appear on the Realm Defaults tab:

Available Dashboard Apps

List of application dashboard names available by default for realms with the Dashboard service configured.

amster attribute: assignedDashboard

Secondary Configurations

This service has the following Secondary Configurations.

instances

Dashboard Class Name

Identifies how to access the application, for example SAML2ApplicationClass for a SAML v2.0 application.

amster attribute: className

Dashboard Name

The application name as it will appear to the administrator for configuring the dashboard.

amster attribute: name

Dashboard Display Name

The application name that displays on the dashboard client.

amster attribute: displayName

Dashboard Icon

The icon name that will be displayed on the dashboard client identifying the application.

amster attribute: icon

Dashboard Login

The URL that takes the user to the application.

amster attribute: login

ICF Identifier

amster attribute: icfIdentifier

Device ID Service

The following settings are available in this service:

Profile Storage Attribute

The user’s attribute in which to store Device ID profiles.

The default attribute is added to the schema when you prepare a user store for use with AM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to enabling the Device ID authentication module. AM must be able to write to the attribute.

amster attribute: deviceIdAttrName

Device Profile Encryption Scheme

Encryption scheme to use to secure device profiles stored on the server.

If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.

Note: AES-256 may require installation of the JCE Unlimited Strength policy files.

The possible values for this property are:

  • Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (Value: RSAES_AES256CBC_HS512)

  • Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (Value: RSAES_AES128CBC_HS256)

  • Label: No encryption of device settings. (Value: NONE)

amster attribute: deviceIdSettingsEncryptionScheme

Encryption Key Store

Path to the key store from which to load encryption keys.

amster attribute: deviceIdSettingsEncryptionKeystore

Key Store Type

Type of key store to load.

See the JDK 8 PKCS#11 Reference Guide for more details.

The possible values for this property are:

  • Label: Java Key Store (JKS). (Value: JKS)

  • Label: Java Cryptography Extension Key Store (JCEKS). (Value: JCEKS)

  • Label: PKCS#11 Hardware Crypto Storage. (Value: PKCS11)

  • Label: PKCS#12 Key Store. (Value: PKCS12)

amster attribute: deviceIdSettingsEncryptionKeystoreType

Key Store Password

Password to unlock the key store. This password is encrypted when it is saved in the AM configuration.

amster attribute: deviceIdSettingsEncryptionKeystorePassword

Key-Pair Alias

Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.

amster attribute: deviceIdSettingsEncryptionKeystoreKeyPairAlias

Private Key Password

Password to unlock the private key.

amster attribute: deviceIdSettingsEncryptionKeystorePrivateKeyPassword

Device Profiles Service

The following settings are available in this service:

Profile Storage Attribute

The user’s attribute in which to store Device profiles.

amster attribute: deviceProfilesAttrName

Device Profile Encryption Scheme

Encryption scheme to use to secure device profiles stored on the server.

If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.

Note: AES-256 may require installation of the JCE Unlimited Strength policy files.

The possible values for this property are:

  • Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (Value: RSAES_AES256CBC_HS512)

  • Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (Value: RSAES_AES128CBC_HS256)

  • Label: No encryption of device settings. (Value: NONE)

amster attribute: deviceProfilesSettingsEncryptionScheme

Encryption Key Store

Path to the key store from which to load encryption keys.

amster attribute: deviceProfilesSettingsEncryptionKeystore

Key Store Type

Type of key store to load.

See the JDK 8 PKCS#11 Reference Guide for more details.

The possible values for this property are:

  • Label: Java Key Store (JKS). (Value: JKS)

  • Label: Java Cryptography Extension Key Store (JCEKS). (Value: JCEKS)

  • Label: PKCS#11 Hardware Crypto Storage. (Value: PKCS11)

  • Label: PKCS#12 Key Store. (Value: PKCS12)

amster attribute: deviceProfilesSettingsEncryptionKeystoreType

Key Store Password

Password to unlock the key store. This password is encrypted when it is saved in the AM configuration.

amster attribute: deviceProfilesSettingsEncryptionKeystorePassword

Key-Pair Alias

Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.

amster attribute: deviceProfilesSettingsEncryptionKeystoreKeyPairAlias

Private Key Password

Password to unlock the private key.

amster attribute: deviceProfilesSettingsEncryptionKeystorePrivateKeyPassword

Email Service

The following settings are available in this service:

Email Message Implementation Class

Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.

amster attribute: emailImplClassName

Mail Server Host Name

Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.

For example, you might set this property to: smtp.example.com

amster attribute: hostname

Mail Server Host Port

Specifies the port number for the SMTP mail server.

amster attribute: port

Mail Server Authentication Username

Specifies the user name for the SMTP mail server.

For example, you might set this property to: username

amster attribute: username

Mail Server Authentication Password

Specifies the password for the SMTP user name.

amster attribute: password

Mail Server Secure Connection

Specifies whether to connect to the SMTP mail server using SSL.

The possible values for this property are:

  • SSL

  • Non SSL

  • Start TLS

amster attribute: sslState

Email From Address

Specifies the address from which to send email notifications.

For example, you might set this property to: no-reply@example.com

amster attribute: from

Email Attribute Name

Specifies the profile attribute from which to retrieve the end user’s email address.

amster attribute: emailAddressAttribute

Email Subject

Specifies a subject for notification messages. If you do not set this, AM does not set the subject for notification messages.

amster attribute: subject

Email Content

Specifies content for notification messages. If you do not set this, AM includes only the confirmation URL in the mail body.

amster attribute: message

Email Rate Limit

Specifies the minimum number of seconds which must elapse between sending emails to an individual user.

amster attribute: emailRateLimitSeconds

ForgeRock Authenticator (OATH) Service

The following settings are available in this service:

Profile Storage Attribute

Attribute for storing ForgeRock Authenticator OATH profiles.

amster attribute: oathAttrName

Device Profile Encryption Scheme

Encryption scheme for securing device profiles stored on the server.

If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.

Note: AES-256 may require installation of the JCE Unlimited Strength policy files.

The possible values for this property are:

  • Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (Value: RSAES_AES256CBC_HS512)

  • Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (Value: RSAES_AES128CBC_HS256)

  • Label: No encryption of device settings. (Value: NONE)

amster attribute: authenticatorOATHDeviceSettingsEncryptionScheme

Encryption Key Store

Path to the key store from which to load encryption keys.

amster attribute: authenticatorOATHDeviceSettingsEncryptionKeystore

Key Store Type

Type of encryption key store.

See the JDK 8 PKCS#11 Reference Guide for more details.

The possible values for this property are:

  • Label: Java Key Store (JKS). (Value: JKS)

  • Label: Java Cryptography Extension Key Store (JCEKS). (Value: JCEKS)

  • Label: PKCS#11 Hardware Crypto Storage. (Value: PKCS11)

  • Label: PKCS#12 Key Store. (Value: PKCS12)

amster attribute: authenticatorOATHDeviceSettingsEncryptionKeystoreType

Key Store Password

Password to unlock the key store. This password will be encrypted.

amster attribute: authenticatorOATHDeviceSettingsEncryptionKeystorePassword

Key-Pair Alias

Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.

amster attribute: authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias

Private Key Password

Password to unlock the private key.

amster attribute: authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword

ForgeRock Authenticator (OATH) Device Skippable Attribute Name

The data store attribute that holds the user’s decision to enable or disable obtaining and providing a password obtained from the ForgeRock Authenticator app. This attribute must be writeable.

amster attribute: authenticatorOATHSkippableName

ForgeRock Authenticator (Push) Service

The following settings are available in this service:

Profile Storage Attribute

The user’s attribute in which to store Push Notification profiles.

amster attribute: pushAttrName

Device Profile Encryption Scheme

Encryption scheme to use to secure device profiles stored on the server.

If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.

Note: AES-256 may require installation of the JCE Unlimited Strength policy files.

The possible values for this property are:

  • Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (Value: RSAES_AES256CBC_HS512)

  • Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (Value: RSAES_AES128CBC_HS256)

  • Label: No encryption of device settings. (Value: NONE)

amster attribute: authenticatorPushDeviceSettingsEncryptionScheme

Encryption Key Store

Path to the key store from which to load encryption keys.

amster attribute: authenticatorPushDeviceSettingsEncryptionKeystore

Key Store Type

Type of key store to load.

See the JDK 8 PKCS#11 Reference Guide for more details.

The possible values for this property are:

  • Label: Java Key Store (JKS). (Value: JKS)

  • Label: Java Cryptography Extension Key Store (JCEKS). (Value: JCEKS)

  • Label: PKCS#11 Hardware Crypto Storage. (Value: PKCS11)

  • Label: PKCS#12 Key Store. (Value: PKCS12)

amster attribute: authenticatorPushDeviceSettingsEncryptionKeystoreType

Key Store Password

Password to unlock the key store. This password is encrypted when it is saved in the AM configuration.

amster attribute: authenticatorPushDeviceSettingsEncryptionKeystorePassword

Key-Pair Alias

Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.

amster attribute: authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias

Private Key Password

Password to unlock the private key.

amster attribute: authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword

ForgeRock Authenticator (Push) Device Skippable Attribute Name

Name of the attribute on a user’s profile used to store their selection of whether to skip ForgeRock Authenticator (Push) 2FA modules.

amster attribute: authenticatorPushSkippableName

Globalization Settings

The following settings are available in this service:

Auto Generated Common Name Format

Use this list to configure how AM formats names shown in the console banner.

This setting allows the name of the authenticated user shown in the AM UI banner to be customised based on the locale of the user.

amster attribute: commonNameFormats

OAuth2 Provider

Core

The following settings appear on the Core tab:

Use Client-Based Access & Refresh Tokens

When enabled, AM issues access and refresh tokens that can be inspected by resource servers.

This setting can be overridden at the client level. See client profile configuration.

amster attribute: statelessTokensEnabled

Use Macaroon Access and Refresh Tokens

When enabled, AM will issue access and refresh tokens as Macaroons with caveats.

amster attribute: macaroonTokensEnabled

Authorization Code Lifetime (seconds)

The time an authorization code is valid for, in seconds.

amster attribute: codeLifetime

Refresh Token Lifetime (seconds)

The time in seconds a refresh token is valid for. If this field is set to -1, the refresh token will never expire.

amster attribute: refreshTokenLifetime

Access Token Lifetime (seconds)

The time an access token is valid for, in seconds. Note that if you set the value to 0, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.

amster attribute: accessTokenLifetime

Issue Refresh Tokens

Whether to issue a refresh token when returning an access token.

This setting can be overridden at the client level. See client profile configuration.

amster attribute: issueRefreshToken

Issue Refresh Tokens on Refreshing Access Tokens

Whether to issue a refresh token when refreshing an access token.

This setting can be overridden at the client level. See client profile configuration.

amster attribute: issueRefreshTokenOnRefreshedToken

Use Policy Engine for Scope decisions

With this setting enabled, the policy engine is consulted for each scope value that is requested.

Scope decisions are made in the following way when based on the policy engine:

  • If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow.

  • If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow.

  • If no policy returns a value for the GRANT action:

    • For user-facing grant types, such as the authorization or device code flows, the user is asked for consent or saved consent is used.

    • For grant types that are not user-facing, such as those using password or client credentials, the scope is not added to any resulting token.

This setting can be overridden at the client level. See client profile configuration.

amster attribute: usePolicyEngineForScope

OAuth2 Access Token May Act Script

The script that is executed when issuing an access token explicitly to modify the may_act claim placed on the token.

This setting can be overridden at the client level. See client profile configuration.

The possible values for this property are:

  • c735de08-f8f2-4e69-aa4a-2d8d3d438323. OAuth2 May Act Script

  • [Empty]. --- Select a script ---

amster attribute: accessTokenMayActScript

OIDC ID Token May Act Script

The script that is executed when issuing an OIDC ID Token explicitly to modify the may_act claim placed on the token.

This setting can be overridden at the client level. See client profile configuration.

The possible values for this property are:

  • c735de08-f8f2-4e69-aa4a-2d8d3d438323. OAuth2 May Act Script

  • [Empty]. --- Select a script ---

amster attribute: oidcMayActScript

Advanced

The following settings appear on the Advanced tab:

Custom Login URL Template

Custom URL for handling login, to override the default AM login page.

Supports Freemarker syntax, with the following variables:

  • gotoUrl. The URL to redirect to after login.

  • acrValues. The Authentication Context Class Reference (acr) values for the authorization request.

  • realm. The AM realm the authorization request was made on.

  • service. The name of the AM authentication tree requested to perform resource owner authentication.

  • locale. A space-separated list of locales, ordered by preference.

The following example template redirects users to a non-AM front end to handle login, which will then redirect back to the /oauth2/authorize endpoint with any required parameters:

http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if>

The default AM login page is constructed using the "Base URL Source" service.

This setting can be overridden at the client level. See client profile configuration.

amster attribute: customLoginUrlTemplate

Scope Implementation Class

The class that contains the required scope implementation. It must implement the org.forgerock.oauth2.core.ScopeValidator interface.

This setting can be overridden at the client level. See client profile configuration.

amster attribute: scopeImplementationClass

Additional Audience Values

The additional audience values that will be permitted when verifying Client Authentication JWTs.

These audience values will be in addition to the AS base, issuer and endpoint URIs.

amster attribute: allowedAudienceValues

User Profile Attribute(s) the Resource Owner is Authenticated On

Names of profile attributes that resource owners use to log in. You can add others to the default, for example mail.

amster attribute: authenticationAttributes

User Display Name attribute

The profile attribute that contains the name to be displayed for the user on the consent page.

amster attribute: displayNameAttribute

Client Registration Scope Whitelist

The set of scopes allowed when registering clients dynamically, with translations.

Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.

For example: read|en|Permission to view email messages in your account

Locale strings are in the format: language_country_variant, for example en, en_GB, or en_US_WIN.

If the locale and pipe are omitted, the description is displayed to all users that have undefined locales.

If the description is also omitted, nothing is displayed on the consent page for the scope. For example, specifying read| would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.

amster attribute: supportedScopes
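The entry format described above can be parsed and audited as follows. This is an added example, not code from AM: the function names and the sample list are constructed for illustration, and the check that scope names contain no whitespace is an assumption taken from OAuth 2.0 scope syntax rather than from this page.

```python
import re
from typing import NamedTuple, Optional

# Locale format given on the page: language_country_variant (en, en_GB, en_US_WIN).
_LOCALE = re.compile(r"[a-z]{2,3}(_[A-Z]{2}(_\w+)?)?")


class ScopeEntry(NamedTuple):
    name: str
    locale: Optional[str]        # None when the entry carries no locale
    description: Optional[str]   # None = simple string entry, "" = description omitted


def parse_scope_entry(raw):
    """Parse one supportedScopes entry: 'name', 'name|description' or
    'name|locale|description'. Only the first two pipes are separators, so a
    description may itself contain '|'."""
    parts = [p.strip() for p in raw.split("|", 2)]
    name = parts[0]
    if not name or re.search(r"\s", name):
        raise ValueError(f"invalid scope name in {raw!r}")
    if len(parts) == 1:
        return ScopeEntry(name, None, None)
    if len(parts) == 2:
        # Locale and its pipe omitted: shown to users with undefined locales.
        return ScopeEntry(name, None, parts[1])
    if not _LOCALE.fullmatch(parts[1]):
        raise ValueError(f"invalid locale {parts[1]!r} in {raw!r}")
    return ScopeEntry(name, parts[1], parts[2])


def scopes_hidden_from_consent(raw_entries):
    """Names of scopes that clients may request but that the consent page
    never shows, because an entry omits the description (for example 'read|')."""
    hidden = set()
    for raw in raw_entries:
        entry = parse_scope_entry(raw)
        if entry.description == "":
            hidden.add(entry.name)
    return sorted(hidden)


# Constructed sample configuration, not taken from a real deployment.
SUPPORTED_SCOPES = [
    "openid",
    "read|en|Permission to view email messages in your account",
    "read|en_GB|Permission to view e-mail messages in your account",
    "profile|Your profile details",
    "admin:write|",
]

if __name__ == "__main__":
    for raw in SUPPORTED_SCOPES:
        print(parse_scope_entry(raw))
    print("hidden from consent:", scopes_hidden_from_consent(SUPPORTED_SCOPES))
```

Running the audit over an exported scope list shows which scopes a user would grant without seeing them named on the consent page.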

Subject Types supported

List of subject types supported. Valid values are:

  • public - Each client receives the same subject (sub) value.

  • pairwise - Each client receives a different subject (sub) value, to prevent correlation between clients.

amster attribute: supportedSubjectTypes

Default Client Scopes

List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are NOT auto-granted to clients created through the AM admin UI.

amster attribute: defaultScopes

OAuth2 Token Signing Algorithm

Algorithm used to sign client-based OAuth 2.0 tokens in order to detect tampering.

AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

The possible values for this property are:

  • HS256

  • HS384

  • HS512

  • RS256

  • RS384

  • RS512

  • ES256

  • ES384

  • ES512

  • PS256

  • PS384

  • PS512

amster attribute: tokenSigningAlgorithm

Client-Based Token Compression

Whether client-based access and refresh tokens should be compressed.

amster attribute: tokenCompressionEnabled

Encrypt Client-Based Tokens

Whether client-based access and refresh tokens should be encrypted.

Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.

This setting can be overridden at the client level. See client profile configuration.

amster attribute: tokenEncryptionEnabled

Subject Identifier Hash Salt

If pairwise subject types are supported, it is STRONGLY RECOMMENDED to change this value. It is used in the salting of hashes for returning specific sub claims to individuals using the same request_uri or sector_identifier_uri.

amster attribute: hashSalt

Code Verifier Parameter Required

If enabled, requests using the authorization code grant or device flow require a code_challenge attribute to comply with the PKCE standard.

For more information, read the PKCE specification.

Note that if a client specifies a code_challenge parameter in the authorization request, PKCE is enabled regardless of the value of this attribute.

The possible values for this property are:

  • true. All requests

  • public. Requests from all public clients

  • passwordless. Requests from all passwordless public clients

  • false. No requests

amster attribute: codeVerifierEnforced

Modified Timestamp Attribute Name

The identity Data Store attribute used to return modified timestamp values.

This attribute is paired together with the Created Timestamp Attribute Name attribute (createdTimestampAttribute). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.

For example, when you configure AM as an OpenID Connect Provider in a Mobile Connect application and use DS as an identity data store, the client accesses the userinfo endpoint to obtain the updated_at claim value in the ID token. The updated_at claim obtains its value from the modifiedTimestampAttribute attribute in the user profile. If the profile has never been modified the updated_at claim uses the createdTimestampAttribute attribute.

amster attribute: modifiedTimestampAttribute

Created Timestamp Attribute Name

The identity Data Store attribute used to return created timestamp values.

amster attribute: createdTimestampAttribute

Password Grant Authentication Service

The authentication tree that will be used to authenticate the username and password for the resource owner password credentials grant type.

The possible values for this property are:

  • [Empty]

  • ldapService

  • amsterService

  • Example

  • Agent

  • RetryLimit

  • PersistentCookie

  • HmacOneTimePassword

  • Facebook-ProvisionIDMAccount

  • Google-AnonymousUser

  • Google-DynamicAccountCreation

  • PlatformRegistration

  • PlatformProgressiveProfile

  • PlatformLogin

  • PlatformForgottenUsername

  • PlatformResetPassword

  • PlatformUpdatePassword

amster attribute: passwordGrantAuthService

Enable Auth Module Messages for Password Credentials Grant

If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.

The Password Grant Type requires the grant_type=password parameter.

amster attribute: moduleMessageEnabledInPasswordGrant

Grant Types

The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.

If no Grant Types (OAuth2 Flows) are configured, nothing will be permitted.

amster attribute: grantTypes

Trusted TLS Client Certificate Header

HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.

Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this header from incoming requests. Best practice is to use a random string.

amster attribute: tlsClientCertificateTrustedHeader

TLS Client Certificate Header Format

Format of the HTTP header used to communicate a client certificate from a reverse proxy.

The following formats are supported:

  • URLENCODED_PEM - a URL-encoded PEM format certificate. This is the format used by Nginx.

  • X_FORWARDED_CLIENT_CERT - the X-Forwarded-Client-Cert format used by Envoy and Istio.

The possible values for this property are:

  • URLENCODED_PEM

  • X_FORWARDED_CLIENT_CERT

amster attribute: tlsClientCertificateHeaderFormat

Support TLS Certificate-Bound Access Tokens

Whether to bind access tokens to the client certificate when using TLS client certificate authentication.

amster attribute: tlsCertificateBoundAccessTokensEnabled
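The three settings above fit together as sketched below: the proxy strips any client-supplied copy of the trusted header, forwards the verified certificate as URL-encoded PEM, and the receiver compares its thumbprint with the one bound to the token. This is an added example, not AM code; the header name and certificate bytes are constructed, and the use of the cnf / x5t#S256 confirmation claim follows RFC 8705, which is an assumption about how the binding is represented.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

# Constructed sample values: a random-looking name for the trusted header
# (tlsClientCertificateTrustedHeader) and stand-in bytes used in place of
# real DER-encoded certificates.
TRUSTED_HEADER = "X-Client-Cert-7f3a91c2"
GENUINE_DER = bytes(range(64))
OTHER_DER = bytes(range(64, 128))

_PEM_BODY = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_urlencoded_pem(der):
    """Encode DER bytes the way the URLENCODED_PEM header format carries them."""
    body = base64.encodebytes(der).decode()
    pem = f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"
    return quote(pem, safe="")


def der_from_urlencoded_pem(value):
    # unquote(), not unquote_plus(): a literal '+' is valid base64 and must
    # not be turned into a space.
    match = _PEM_BODY.search(unquote(value))
    if not match:
        raise ValueError("header does not contain a PEM certificate")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def x5t_s256(der):
    """base64url(SHA-256(DER)) without padding, as defined in RFC 8705."""
    digest = hashlib.sha256(der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def proxy_forward(inbound_headers, verified_der):
    """What the TLS-terminating proxy has to do: drop any copy of the trusted
    header sent by the client (header names are case-insensitive), then set it
    from the certificate verified in the TLS handshake, if there was one."""
    cleaned = {k: v for k, v in inbound_headers.items()
               if k.lower() != TRUSTED_HEADER.lower()}
    if verified_der is not None:
        cleaned[TRUSTED_HEADER] = to_urlencoded_pem(verified_der)
    return cleaned


def token_bound_to_presented_cert(token_claims, headers):
    """True only if the token's bound thumbprint matches the forwarded certificate."""
    expected = (token_claims.get("cnf") or {}).get("x5t#S256")
    presented = headers.get(TRUSTED_HEADER)
    if not expected or not presented:
        return False
    try:
        actual = x5t_s256(der_from_urlencoded_pem(presented))
    except ValueError:  # malformed header or invalid base64
        return False
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    token = {"cnf": {"x5t#S256": x5t_s256(GENUINE_DER)}}
    print(token_bound_to_presented_cert(token, proxy_forward({}, GENUINE_DER)))
    print(token_bound_to_presented_cert(token, proxy_forward({}, OTHER_DER)))
```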

Check TLS Certificate Revocation Status

Whether to check if TLS client certificates have been revoked.

If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements "soft fail" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.

amster attribute: tlsCertificateRevocationCheckingEnabled

OCSP Responder URI

URI of the OCSP responder service to use for checking certificate revocation status.

If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.

amster attribute: tlsOcspResponderUri

OCSP Responder Certificate

PEM-encoded certificate to use to verify OCSP responses.

If specified this certificate will be used to verify the signature on all OCSP responses. Otherwise the appropriate certificate will be determined from the trusted CA certificates.

amster attribute: tlsOcspResponderCert

Macaroon Token Format

The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.

The possible values for this property are:

  • V1

  • V2

amster attribute: macaroonTokenFormat

Require exp claim in Request Object

If enabled, the exp claim must be included in JWT request objects specified at /oauth2/authorize or /oauth2/par.

The exp (expiration time) claim defines the lifetime of the JWT, after which the JWT is no longer valid.

To comply with the FAPI security profile, this setting must be enabled.

Default value: false

amster attribute: expClaimRequiredInRequestObject

Require nbf claim in Request Object

If enabled, the nbf claim must be included in JWT request objects specified at /oauth2/authorize or /oauth2/par.

The nbf (not before) claim defines the earliest time that the JWT can be accepted for processing.

To comply with the FAPI security profile, this setting must be enabled.

Default value: false

amster attribute: nbfClaimRequiredInRequestObject

Max nbf and exp difference

The maximum permitted difference, in minutes, between the nbf and exp claims, as defined in the request object JWT.

A value of 0 indicates that there is no maximum time requirement.

If set to a value greater than 0, and either nbf or exp is not defined, the JWT is validated successfully, providing the claims are not required.

If set to a value greater than 0, and both claims are present, the JWT is validated accordingly, even when not required.

To comply with the FAPI security profile, this setting must be 60 (minutes) or less.

Default value: 0

amster attribute: maxDifferenceBetweenRequestObjectNbfAndExp

Max nbf age

The maximum permitted age, in minutes, of the nbf claim.

A value of 0 indicates that there is no maximum time requirement.

If set to a value greater than 0, and nbf is neither required nor specified, the JWT is validated successfully.

If set to a value greater than 0, and nbf is present, the JWT is validated accordingly, even when not required.

To comply with the FAPI security profile, this setting must be 60 (minutes) or less.

Default value: 0

amster attribute: maxAgeOfRequestObjectNbfClaim
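The four request object time settings above interact, so the following added example (not AM's own code) models them as this page describes them and also reports which settings miss the FAPI conditions stated above. The class, function names, and sample values are assumptions made for illustration; the claims are assumed to come from a request object whose signature has already been verified.

```python
from dataclasses import dataclass


@dataclass
class RequestObjectPolicy:
    """Hypothetical holder for the four settings; comments give the amster attribute."""
    exp_required: bool = False      # expClaimRequiredInRequestObject
    nbf_required: bool = False      # nbfClaimRequiredInRequestObject
    max_nbf_exp_diff_min: int = 0   # maxDifferenceBetweenRequestObjectNbfAndExp
    max_nbf_age_min: int = 0        # maxAgeOfRequestObjectNbfClaim


def validate_time_claims(claims, policy, now):
    """Return the reasons to reject the request object; an empty list means it passes.

    `claims` is the decoded payload of an already verified request object
    (assumption); `now`, exp and nbf are epoch seconds.
    """
    errors = []
    exp, nbf = claims.get("exp"), claims.get("nbf")

    if exp is None and policy.exp_required:
        errors.append("exp claim is required")
    if nbf is None and policy.nbf_required:
        errors.append("nbf claim is required")

    # Standard meaning of the claims, applied whenever they are present.
    if exp is not None and now >= exp:
        errors.append("request object has expired")
    if nbf is not None and now < nbf:
        errors.append("request object is not valid yet")

    # A limit of 0 is disabled; a missing claim skips the limit that needs it.
    diff_limit = policy.max_nbf_exp_diff_min * 60
    if diff_limit > 0 and exp is not None and nbf is not None:
        if exp - nbf > diff_limit:
            errors.append("exp is too far after nbf")
    age_limit = policy.max_nbf_age_min * 60
    if age_limit > 0 and nbf is not None:
        if now - nbf > age_limit:
            errors.append("nbf is too old")
    return errors


def fapi_gaps(policy):
    """List the settings that miss the FAPI conditions stated on this page.

    Assumption: 0 means "no maximum", so it is reported as a gap even though
    it is numerically below 60.
    """
    gaps = []
    if not policy.exp_required:
        gaps.append("expClaimRequiredInRequestObject must be enabled")
    if not policy.nbf_required:
        gaps.append("nbfClaimRequiredInRequestObject must be enabled")
    if not 0 < policy.max_nbf_exp_diff_min <= 60:
        gaps.append("maxDifferenceBetweenRequestObjectNbfAndExp must be 1..60")
    if not 0 < policy.max_nbf_age_min <= 60:
        gaps.append("maxAgeOfRequestObjectNbfClaim must be 1..60")
    return gaps


# Constructed sample values, not taken from a real deployment.
NOW = 1_700_000_000
DEFAULTS = RequestObjectPolicy()
FAPI = RequestObjectPolicy(True, True, 60, 60)
LONG_LIVED = {"nbf": NOW - 300, "exp": NOW + 86_400}

if __name__ == "__main__":
    print("defaults:", validate_time_claims(LONG_LIVED, DEFAULTS, NOW))
    print("FAPI    :", validate_time_claims(LONG_LIVED, FAPI, NOW))
    print("gaps    :", fapi_gaps(DEFAULTS))
```

With the default values, a request object that stays valid for a day is accepted; the same object is rejected once the difference limit is set.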

Request Object Processing Specification

For OpenID Connect requests only, this setting determines which specification is used to validate request object JWTs.

For example, the following OpenID Connect request specifies a request object JWT, and could be validated either according to the JAR specification, or as a standard OpenID Connect request:

/authorize?client_id=myClient&request={JWT with scope=openid, response_type=id_token}

OAuth 2.0 requests that do not fall into this category, such as PAR, or non-OpenID Connect JWT requests, are processed according to the JAR specification, regardless of the value of this setting.

The possible values are:

This table summarizes the differences between the rules that need to be adhered to in each case.

Table 1. Specification Rules

Request object

  • OIDC specification: May be unsigned.

  • JAR specification: Must be JWS signed, and optionally, JWE encrypted.

Authorization request parameters

  • OIDC specification: Assembles parameters from both the request object and the query parameters. If duplicates exist, the request object parameter takes precedence.

  • JAR specification: Assembles parameters from the request object ONLY. Duplicates that are defined as query parameters are ignored.

Required request parameters

  • OIDC specification: client_id; response_type; scope, including openid scope value.

  • JAR specification: client_id (must match the client ID specified in the request itself); request OR request_uri.

Default value: OIDC

amster attribute: requestObjectProcessing
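The practical difference between the two modes is which parameters end up in the authorization request. The following added example (not AM's own code) models the rules in Table 1 for one constructed request. The function name, the "JAR" mode string, the placeholder request value, and the sample parameters are assumptions; the request object is passed in already decoded.

```python
from urllib.parse import parse_qsl


def assemble_authorize_request(query_string, jws_header, claims, mode="OIDC"):
    """Model of the Table 1 rules. Returns (effective_parameters, errors).

    `jws_header` and `claims` are the decoded header and payload of the
    request object; signature verification itself is out of scope here.
    """
    query = dict(parse_qsl(query_string, keep_blank_values=True))
    errors = []

    if mode == "OIDC":
        # Both sources are used; the request object wins on duplicates.
        effective = {**query, **claims}
        # Assumption: the table does not say where the required parameters
        # must appear, so they are checked in the assembled set.
        for name in ("client_id", "response_type", "scope"):
            if name not in effective:
                errors.append(f"missing parameter: {name}")
        if "scope" in effective and "openid" not in effective["scope"].split():
            errors.append("scope must include openid")
    elif mode == "JAR":
        # Only the request object is used; query duplicates are ignored.
        effective = dict(claims)
        if jws_header.get("alg", "none") == "none":
            errors.append("request object must be JWS signed")
        if "client_id" not in query:
            errors.append("missing parameter: client_id")
        elif query["client_id"] != claims.get("client_id"):
            errors.append("client_id must match the request object")
        if "request" not in query and "request_uri" not in query:
            errors.append("missing parameter: request or request_uri")
    else:
        raise ValueError(f"unknown mode: {mode!r}")

    # The carrier parameters are not part of the assembled request.
    effective.pop("request", None)
    effective.pop("request_uri", None)
    return effective, errors


# Constructed sample: ui_locales and the wider scope exist only in the query
# string, so the request object's signature does not cover them.
QUERY = "client_id=myClient&scope=openid+profile&ui_locales=fr&request=PLACEHOLDER_JWT"
HEADER = {"alg": "PS256"}
CLAIMS = {"client_id": "myClient", "response_type": "id_token", "scope": "openid"}

if __name__ == "__main__":
    for mode in ("OIDC", "JAR"):
        params, errors = assemble_authorize_request(QUERY, HEADER, CLAIMS, mode)
        print(mode, params, errors)
```

In both modes the scope is the request object's value, but only OIDC processing keeps the query-only ui_locales parameter.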

PAR Request URI Lifetime (seconds)

The length of time that the PAR Request URI is valid, in seconds.

It is strongly recommended to set this value to a short interval; for example, between 5 and 150 seconds. Setting this attribute to a higher value increases the load on the CTS, and may even result in denial of service if the requests are large and consume the available storage capacity.

For information about the PAR flow, see Authorization code grant with PAR.

Default value: 90

amster attribute: parRequestUriLifetime

Require Pushed Authorization Requests

If enabled, clients must use the PAR endpoint to initiate authorization requests; otherwise, AM will throw an error indicating a missing or invalid request object.

This applies to all clients, including clients that are not configured to require PAR. See Advanced client properties for details.

Default value: false

amster attribute: requirePushedAuthorizationRequests

Client Dynamic Registration

The following settings appear on the Client Dynamic Registration tab:

Require Software Statement for Dynamic Client Registration

When enabled, a software statement JWT containing at least the iss (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.

amster attribute: dynamicClientRegistrationSoftwareStatementRequired

Required Software Statement Attested Attributes

The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statement for Dynamic Client Registration is enabled.

Leave blank to allow any attributes to be present.

amster attribute: requiredSoftwareStatementAttestedAttributes

Allow Open Dynamic Client Registration

Allow clients to register without an access token. If enabled, you should consider adding some form of rate limiting. For more information, see Client Registration in the OpenID Connect specification.

amster attribute: allowDynamicRegistration

Generate Registration Access Tokens

Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens allow the client to access the Client Configuration Endpoint as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.

amster attribute: generateRegistrationAccessTokens

Scope to give access to dynamic client registration

Mandatory scope required when registering a new OAuth2 client.

amster attribute: dynamicClientRegistrationScope

OpenID Connect

The following settings appear on the OpenID Connect tab:

Overrideable Id_Token Claims

List of claims in the ID token that can be overridden in the OIDC claims script. These should be a subset of the core OpenID Connect claims, such as aud or azp.

This setting can be overridden at the client level. See client profile configuration.

amster attribute: overrideableOIDCClaims

ID Token Signing Algorithms supported

Algorithms supported to sign OpenID Connect id_tokens.

AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

  • RS384 - RSASSA-PKCS-v1_5 using SHA-384.

  • RS512 - RSASSA-PKCS-v1_5 using SHA-512.

  • PS256 - RSASSA-PSS using SHA-256.

  • PS384 - RSASSA-PSS using SHA-384.

  • PS512 - RSASSA-PSS using SHA-512.

amster attribute: supportedIDTokenSigningAlgorithms

ID Token Encryption Algorithms supported

Encryption algorithms supported to encrypt OpenID Connect ID tokens in order to hide their contents.

AM supports the following ID token encryption algorithms:

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.

  • A128KW - AES Key Wrapping with 128-bit key derived from the client secret.

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • A256KW - AES Key Wrapping with 256-bit key derived from the client secret.

  • dir - Direct encryption with AES using the hashed client secret.

  • A192KW - AES Key Wrapping with 192-bit key derived from the client secret.

amster attribute: supportedIDTokenEncryptionAlgorithms

ID Token Encryption Methods supported

Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide their contents.

AM supports the following ID token encryption methods:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

amster attribute: supportedIDTokenEncryptionMethods

Supported Claims

Set of claims supported by the OpenID Connect /oauth2/userinfo endpoint, with translations.

Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.

For example: name|en|Your full name.

Locale strings are in the format: language + "_" + country + "_" + variant, for example en, en_GB, or en_US_WIN. If the locale and pipe are omitted, the description is displayed to all users that have undefined locales.

If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying family_name| would allow the claim family_name to be used by the client, but would not display it to the user on the consent page when requested.

amster attribute: supportedClaims
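A parser for the Supported Claims value format described above, as an added example that is not AM's own code. It also lists the entries whose description is empty, which are the claims a client can use without anything being displayed on the consent page. The function names, the locale pattern, and the sample entries are assumptions made for illustration.

```python
import re

# Assumption: locales follow the language_COUNTRY_variant shape of the
# examples on this page (en, en_GB, en_US_WIN).
LOCALE_RE = re.compile(r"^[a-z]{2,3}(_[A-Z]{2}(_[A-Za-z0-9]+)?)?$")


def parse_supported_claim(entry):
    """Split one Supported Claims value into (claim, locale, description).

    "name"            -> ("name", None, None)   simple string
    "name|text"       -> ("name", None, "text") locale and its pipe omitted
    "name|en|text"    -> ("name", "en", "text")
    "family_name|"    -> ("family_name", None, "") usable, nothing displayed
    """
    parts = entry.split("|", 2)
    claim = parts[0].strip()
    if not claim:
        raise ValueError(f"missing claim name in {entry!r}")
    if len(parts) == 1:
        return claim, None, None
    if len(parts) == 2:
        return claim, None, parts[1]
    locale, description = parts[1], parts[2]
    if not LOCALE_RE.match(locale):
        raise ValueError(f"malformed locale {locale!r} in {entry!r}")
    return claim, locale, description


def build_claim_table(entries):
    """Group entries as {claim: {locale or None: description}}."""
    table = {}
    for entry in entries:
        claim, locale, description = parse_supported_claim(entry)
        translations = table.setdefault(claim, {})
        if description is not None:
            translations[locale] = description
    return table


def hidden_from_consent(table):
    """Return (claim, locale) pairs whose description is empty."""
    hidden = [
        (claim, locale)
        for claim, translations in table.items()
        for locale, description in translations.items()
        if description == ""
    ]
    return sorted(hidden, key=lambda pair: (pair[0], pair[1] or ""))


# Constructed sample configuration.
ENTRIES = [
    "name|en|Your full name.",
    "name|fr|Votre nom complet.",
    "email|Your email address",
    "family_name|",
    "phone_number|en_GB|",
    "zoneinfo",
]

if __name__ == "__main__":
    table = build_claim_table(ENTRIES)
    for claim, locale in hidden_from_consent(table):
        print(f"{claim} (locale: {locale}) is not displayed on the consent page")
```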

OpenID Connect JWT Token Lifetime (seconds)

The amount of time the JWT will be valid for, in seconds.

amster attribute: jwtTokenLifetime

OIDC Provider Discovery

Turns the OIDC Discovery endpoint on or off.

amster attribute: oidcDiscoveryEndpointEnabled

Advanced OpenID Connect

The following settings appear on the Advanced OpenID Connect tab:

Remote JSON Web Key URL

The remote URL where the provider's JSON Web Key can be retrieved.

If this setting is not configured, then AM provides a local URL to access the public key of the private key used to sign ID tokens.

amster attribute: jkwsURI

Idtokeninfo Endpoint Requires Client Authentication

When enabled, the /oauth2/idtokeninfo endpoint requires client authentication if the signing algorithm is set to HS256, HS384, or HS512.

amster attribute: idTokenInfoClientAuthenticationEnabled

Enable "claims_parameter_supported"

If enabled, clients will be able to request individual claims using the claims request parameter, as per section 5.5 of the OpenID Connect specification.

amster attribute: claimsParameterSupported

OpenID Connect acr_values to Auth Mapping

Maps OpenID Connect ACR values to authentication trees. For more details, see the acr_values parameter in the OpenID Connect authentication request specification.

amster attribute: loaMapping

Default ACR values

Default requested Authentication Context Class Reference values.

List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.

amster attribute: defaultACR

OpenID Connect id_token amr Values to Auth Module Mappings

Specify amr values to be returned in the OpenID Connect id_token. Once authentication has completed, the authentication modules that were used from the authentication service will be mapped to the amr values. If you do not require amr values, or are not providing OpenID Connect tokens, leave this field blank.

amster attribute: amrMappings

Always Return Claims in ID Tokens

If enabled, include scope-derived claims in the id_token, even if an access token is also returned that could provide access to get the claims from the userinfo endpoint.

If not enabled, if an access token is requested the client must use it to access the userinfo endpoint for scope-derived claims, as they will not be included in the ID token.

amster attribute: alwaysAddClaimsToToken

Enable Session Management

If this is not enabled then OpenID Connect session management related endpoints will be disabled. When enabled AM will store ops tokens corresponding to OpenID Connect sessions in the CTS store and an oidc session id in the AM session.

amster attribute: storeOpsTokens

Request Parameter Signing Algorithms Supported

Algorithms supported to verify the signature of the Request parameter.

AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

amster attribute: supportedRequestParameterSigningAlgorithms

Request Parameter Encryption Algorithms Supported

Encryption algorithms supported to decrypt Request parameter.

AM supports the following Request parameter encryption algorithms:

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.

  • A128KW - AES Key Wrapping with 128-bit key derived from the client secret.

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • A256KW - AES Key Wrapping with 256-bit key derived from the client secret.

  • dir - Direct encryption with AES using the hashed client secret.

  • A192KW - AES Key Wrapping with 192-bit key derived from the client secret.

amster attribute: supportedRequestParameterEncryptionAlgorithms

Request Parameter Encryption Methods Supported

Encryption methods supported to decrypt Request parameter.

AM supports the following Request parameter encryption algorithms:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

amster attribute: supportedRequestParameterEncryptionEnc

Supported Token Endpoint JWS Signing Algorithms.

Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.

amster attribute: supportedTokenEndpointAuthenticationSigningAlgorithms

Authorized OIDC SSO Clients

Clients authorized to use OpenID Connect ID tokens as SSO Tokens.

Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.

amster attribute: authorisedOpenIdConnectSSOClients

UserInfo Signing Algorithms Supported

Algorithms supported to verify signature of the UserInfo endpoint. AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

amster attribute: supportedUserInfoSigningAlgorithms

UserInfo Encryption Algorithms Supported

Encryption algorithms supported by the UserInfo endpoint.

AM supports the following UserInfo endpoint encryption algorithms:

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.

  • A128KW - AES Key Wrapping with 128-bit key derived from the client secret.

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • A256KW - AES Key Wrapping with 256-bit key derived from the client secret.

  • dir - Direct encryption with AES using the hashed client secret.

  • A192KW - AES Key Wrapping with 192-bit key derived from the client secret.

amster attribute: supportedUserInfoEncryptionAlgorithms

UserInfo Encryption Methods Supported

Encryption methods supported by the UserInfo endpoint.

AM supports the following UserInfo endpoint encryption methods:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

amster attribute: supportedUserInfoEncryptionEnc

Token Introspection Response Signing Algorithms Supported

Algorithms that are supported for signing the Token Introspection endpoint JWT response.

AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

  • RS384 - RSASSA-PKCS-v1_5 using SHA-384.

  • RS512 - RSASSA-PKCS-v1_5 using SHA-512.

  • EdDSA - EdDSA with SHA-512.

amster attribute: supportedTokenIntrospectionResponseSigningAlgorithms

Token Introspection Response Encryption Algorithms Supported

Encryption algorithms supported by the Token Introspection endpoint JWT response.

AM supports the following encryption algorithms:

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.

  • A128KW - AES Key Wrapping with 128-bit key derived from the client secret.

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • A256KW - AES Key Wrapping with 256-bit key derived from the client secret.

  • dir - Direct encryption with AES using the hashed client secret.

  • A192KW - AES Key Wrapping with 192-bit key derived from the client secret.

amster attribute: supportedTokenIntrospectionResponseEncryptionAlgorithms

Token Introspection Response Encryption Methods Supported

Encryption methods supported by the Token Introspection endpoint JWT response.

AM supports the following encryption methods:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

amster attribute: supportedTokenIntrospectionResponseEncryptionEnc

Include all kty and alg combinations in jwks_uri

By default, only distinct kid entries are returned in the jwks_uri and the alg property is not included. Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination. See RFC7517 distinct key KIDs.

amster attribute: includeAllKtyAlgCombinationsInJwksUri

Device Flow

The following settings appear on the Device Flow tab:

Verification URL

The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.

amster attribute: verificationUrl

Device Completion URL

The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.

amster attribute: completionUrl

Device Code Lifetime (seconds)

The lifetime of the device code, in seconds.

amster attribute: deviceCodeLifetime

Device Polling Interval

The polling frequency for devices waiting for tokens when using the device code flow.

amster attribute: devicePollInterval

User Code Character Length

The number of characters in the generated user code.

Default value: 8

amster attribute: deviceUserCodeLength

User Code Character Set

The set of characters to be used to generate a user code.

Consider limitations of low resolution mobile devices when defining a character set. For example, the OAuth 2.0 Device Grant specification recommends removing characters that can be easily confused, such as "0" and "O" or "1", "l" and "I". See RFC 8628 for further examples.

Default value: 234567ACDEFGHJKLMNPQRSTWXYZabcdefhijkmnopqrstwxyz

amster attribute: deviceUserCodeCharacterSet

Consent

The following settings appear on the Consent tab:

Saved Consent Attribute Name

Name of a multi-valued attribute on resource owner profiles where AM can save authorization consent decisions.

When the resource owner chooses to save the decision to authorize access for a client application, then AM updates the resource owner’s profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.

amster attribute: savedConsentAttribute

Allow Clients to Skip Consent

If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.

This setting can be overridden at the client level. See client profile configuration.

amster attribute: clientsCanSkipConsent

Enable Remote Consent

Enables consent to be gathered by a separate service.

This setting can be overridden at the client level. See client profile configuration.

amster attribute: enableRemoteConsent

Remote Consent Service ID

The ID of an existing remote consent service agent.

This setting can be overridden at the client level. See client profile configuration.

The possible values for this property are:

  • [Empty]

amster attribute: remoteConsentServiceId

Remote Consent Service Request Signing Algorithms Supported

Algorithms supported to sign consent_request JWTs for Remote Consent Services.

AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

amster attribute: supportedRcsRequestSigningAlgorithms

Remote Consent Service Request Encryption Algorithms Supported

Encryption algorithms supported to encrypt Remote Consent Service requests.

AM supports the following encryption algorithms:

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.

  • A128KW - AES Key Wrapping with 128-bit key derived from the client secret.

  • A192KW - AES Key Wrapping with 192-bit key derived from the client secret.

  • A256KW - AES Key Wrapping with 256-bit key derived from the client secret.

  • dir - Direct encryption with AES using the hashed client secret.

amster attribute: supportedRcsRequestEncryptionAlgorithms

Remote Consent Service Request Encryption Methods Supported

Encryption methods supported to encrypt Remote Consent Service requests.

AM supports the following encryption methods:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

amster attribute: supportedRcsRequestEncryptionMethods

Remote Consent Service Response Signing Algorithms Supported

Algorithms supported to verify signed consent_response JWT from Remote Consent Services.

AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

amster attribute: supportedRcsResponseSigningAlgorithms

Remote Consent Service Response Encryption Algorithms Supported

Encryption algorithms supported to decrypt Remote Consent Service responses.

AM supports the following encryption algorithms:

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.

  • A128KW - AES Key Wrapping with 128-bit key derived from the client secret.

  • A192KW - AES Key Wrapping with 192-bit key derived from the client secret.

  • A256KW - AES Key Wrapping with 256-bit key derived from the client secret.

  • dir - Direct encryption with AES using the hashed client secret.

amster attribute: supportedRcsResponseEncryptionAlgorithms

Remote Consent Service Response Encryption Methods Supported

Encryption methods supported to decrypt Remote Consent Service responses.

AM supports the following encryption methods:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

amster attribute: supportedRcsResponseEncryptionMethods

CIBA

The following settings appear on the CIBA tab:

Back Channel Authentication ID Lifetime (seconds)

The length of time that the back channel authentication request ID is valid, in seconds.

amster attribute: cibaAuthReqIdLifetime

Polling Wait Interval (seconds)

The minimum amount of time, in seconds, that the client should wait between polling requests to the token endpoint.

amster attribute: cibaMinimumPollingInterval

Signing Algorithms Supported

Algorithms supported to sign the CIBA request parameter.

AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • PS256 - RSASSA-PSS using SHA-256.

amster attribute: supportedCibaSigningAlgorithms

Plugins

The following settings appear on the Plugins tab:

Plugin Implementation Class

The Java class that provides the custom implementation for one or more of the OAuth 2.0 plugin interfaces:

  • org.forgerock.oauth2.core.plugins.AccessTokenModifier

  • org.forgerock.oauth2.core.plugins.UserInfoClaimsPlugin

  • org.forgerock.oauth2.core.plugins.ScopeEvaluator

  • org.forgerock.oauth2.core.plugins.ScopeValidator

  • org.forgerock.oauth2.core.plugins.AuthorizeEndpointDataProvider

    The default class, org.forgerock.oauth2.OpenAMScopeValidator, implements all the OAuth 2.0 plugin interfaces.

amster attribute: evaluateScopeClass

OAuth2 Access Token Modification Script

This script is run when issuing an access token. The script lets you modify the token, for example, by altering the data fields, before it is persisted or returned to the client.

The script is not run if an implementation class is defined for the org.forgerock.oauth2.core.plugins.AccessTokenModifier interface.

Select from a drop-down list of all the OAuth2 Access Token Modification type scripts saved to this realm.

For an example script, see oauth2-access-token-modification-js.

To create, update, or delete OAuth2 Access Token Modification scripts, see Managing Scripts using the Identity Cloud admin UI.

Default value: --- Select a script ---

amster attribute: accessTokenModificationScript

OIDC Claims Script

This script is run when issuing an ID token or during a request to the /userinfo OpenID Connect endpoint. Use this script to retrieve claim values based on an issued access token.

The script is not run if an implementation class is defined for the org.forgerock.oauth2.core.plugins.UserInfoClaimsPlugin interface.

Select from a drop-down list of all the OIDC Claims type scripts saved to this realm.

For an example script, see oidc-claims-extension-js.

To create, update, or delete OIDC Claims scripts, see Managing Scripts Using the Identity Cloud admin UI.

Default value: --- Select a script ---

amster attribute: oidcClaimsScript

Scope Evaluation Script

This script retrieves and evaluates the scope information for an OAuth2 access token.

The script lets you populate the scopes with profile attribute values. For example, if one of the scopes is mail, AM sets mail to the resource owner’s email address in the token information returned.

If defined, the script takes precedence, otherwise AM invokes the Plugin Implementation Class.

Select from a drop-down list of all the OAuth2 Evaluate Scope type scripts saved to this realm.

For an example script, see oauth2-evaluate-scope-js.

To create, update, or delete OAuth2 Evaluate Scope scripts, see Managing Scripts Using the AM admin UI.

Default value: --- Select a script ---

amster attribute: evaluateScopeScript

Scope Validation Script

This script validates and customizes the set of requested scopes for authorize, access token, refresh token, and back channel authorize requests.

If defined, the script takes precedence, otherwise AM invokes the Plugin Implementation Class.

Select from a drop-down list of all the OAuth2 Validate Scope type scripts saved to this realm.

For an example script, see oauth2-validate-scope-js.

To create, update, or delete OAuth2 Validate Scope scripts, see Managing Scripts Using the Identity Cloud admin UI.

Default value: --- Select a script ---

amster attribute: validateScopeScript

Authorize Endpoint Data Provider Script

Use this script to retrieve additional data from an authorization request, such as data from the user’s session or from an external service.

If defined, the script takes precedence, otherwise AM invokes the Plugin Implementation Class.

Select from a drop-down list of all the OAuth2 Authorize Endpoint Data Provider type scripts saved to this realm.

For an example script, see oauth2-authorize-endpoint-data-provider-js.

To create, update, or delete OAuth2 Authorize Endpoint Data Provider scripts, see Managing Scripts Using the AM admin UI.

Default value: --- Select a script ---

amster attribute: authorizeEndpointDataProviderScript

Push Notification Service

The following settings are available in this service:

SNS Access Key ID

Amazon Simple Notification Service Access Key ID. For more information, see Create an AWS (Push Auth) Credential in the ForgeRock Knowledge Base.

For example, you might set this property to: AKIAIOSFODNN7EXAMPLE

amster attribute: accessKey

SNS Access Key Secret

Amazon Simple Notification Service Access Key Secret. For more information, see Create an AWS (Push Auth) Credential in the ForgeRock Knowledge Base.

amster attribute: secret

SNS Endpoint for APNS

The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages to the Apple Push Notification Service (APNS).

For example, you might set this property to: arn:aws:sns:us-east-1:1234567890:app/APNS/production

amster attribute: appleEndpoint

SNS Endpoint for GCM

The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages over Google Cloud Messaging (GCM).

For example, you might set this property to: arn:aws:sns:us-east-1:1234567890:app/GCM/production

amster attribute: googleEndpoint

SNS Client Region

Region of your registered Amazon Simple Notification Service client. For more information, see https://docs.aws.amazon.com/general/latest/gr/rande.html.

The possible values for this property are:

  • us-gov-west-1

  • us-east-1

  • us-west-1

  • us-west-2

  • eu-west-1

  • eu-central-1

  • ap-southeast-1

  • ap-southeast-2

  • ap-northeast-1

  • ap-northeast-2

  • sa-east-1

  • cn-north-1

amster attribute: region

Message Transport Delegate Factory

The fully qualified class name of the factory responsible for creating the PushNotificationDelegate. The class must implement org.forgerock.openam.services.push.PushNotificationDelegate.

amster attribute: delegateFactory

Response Cache Duration

The minimum lifetime to keep unanswered message records in the message dispatcher cache, in seconds. To keep unanswered message records indefinitely, set this property to 0. This value should be tuned to suit the use case of this service. For example, the ForgeRock Authenticator (Push) authentication module has a default timeout of 120 seconds.

amster attribute: mdDuration

Response Cache Concurrency

Level of concurrency to use when accessing the message dispatcher cache. Must be greater than 0. Choose a value to accommodate as many threads as will ever concurrently access the message dispatcher cache.

amster attribute: mdConcurrency

Response Cache Size

Maximum size of the message dispatcher cache, in number of records. If set to 0 the cache can grow indefinitely. If the number of records that need to be stored exceeds this maximum, then older items in the cache will be removed to make space.

amster attribute: mdCacheSize

Remote Consent Service

The following settings are available in this service:

Client Name

The name used to identify this OAuth 2.0 remote consent service when referenced in other services.

amster attribute: clientId

Authorization Server jwk_uri

The jwk_uri for retrieving the authorization server signing and encryption keys.

amster attribute: jwksUriAS

JWK Store Cache Timeout (in minutes)

The cache timeout for the JWK store of the authorization server, in minutes.

amster attribute: jwkStoreCacheTimeout

JWK Store Cache Miss Cache Time (in minutes)

The length of time a cache miss is cached, in minutes.

amster attribute: jwkStoreCacheMissCacheTime

Consent Response Time Limit (in minutes)

The time limit set on the consent response JWT before it expires, in minutes.

amster attribute: consentResponseTimeLimit

Session

Dynamic Attributes

The following settings appear on the Dynamic Attributes tab:

Maximum Session Time

Maximum time a session can remain valid before AM requires the user to authenticate again, in minutes.

amster attribute: maxSessionTime

Maximum Idle Time

Maximum time a CTS-based session can remain idle before AM requires the user to authenticate again, in minutes.

amster attribute: maxIdleTime

Maximum Caching Time

Maximum time that external clients of AM are recommended to cache the session for, in minutes.

amster attribute: maxCachingTime

Active User Sessions

Maximum number of concurrent CTS-based sessions AM allows a user to have.

amster attribute: quotaLimit

Session Property Whitelist Service

The following settings are available in this service:

Whitelisted Session Property Names

A list of properties that users may read, edit the value of, or delete from their session.

Adding properties to sessions can impact AM’s performance. Because there is no size constraint limiting the set of properties that you can add to sessions, and no limit on the number of session properties you can add, keep in mind that adding session properties can increase the load on an AM deployment in the following areas:

  • AM server memory

  • OpenDJ storage

  • OpenDJ replication

Protected attributes will NOT be allowed to be set, edited or deleted, even if they are included in this allowlist.

amster attribute: sessionPropertyWhitelist

Session Properties to return for session queries

A list of session properties that can be returned to admins in a REST session query response.

This setting may impact REST query performance - when session properties are added, the CTS token must be retrieved, and will be the subject of decryption and decompression, if configured.

Protected attributes will NOT be allowed to be set, edited or deleted, even if they are included in this list.

amster attribute: whitelistedQueryProperties

Social Identity Provider Service

Configuration

The following settings appear on the Configuration tab:

Enabled

amster attribute: enabled

Secondary Configurations

This service has the following Secondary Configurations.

instagramConfig
Enabled

amster attribute: enabled

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: id

amster attribute: authenticationIdKey

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

amster attribute: clientId

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

amster attribute: clientSecret

Authentication Endpoint URL

OAuth authentication endpoint URL.

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://api.instagram.com/oauth/authorize/.

amster attribute: authorizationEndpoint

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://api.instagram.com/oauth/access_token.

amster attribute: tokenEndpoint

User Profile Service URL

User profile information URL.

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://graph.instagram.com/me?fields=id,username.

amster attribute: userInfoEndpoint

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

For example, you might set this property to: https://graph.instagram.com/debug_token.

amster attribute: introspectEndpoint

Redirect URL

amster attribute: redirectURI

Redirect after form post URL

Specify URL to redirect the form post parameters to.

amster attribute: redirectAfterFormPostURI

Scope Delimiter

The delimiter used by an auth server to separate scopes.

amster attribute: scopeDelimiter

OAuth Scopes

List of user profile properties.

The user profile properties that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: user_profile

amster attribute: scopes

Client Authentication Method

Field used to define how the client would be identified by the social provider.

amster attribute: clientAuthenticationMethod

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

amster attribute: pkceMethod

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

amster attribute: jwksUriEndpoint

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

amster attribute: jwtSigningAlgorithm

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

amster attribute: jwtEncryptionAlgorithm

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

amster attribute: jwtEncryptionMethod

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

amster attribute: privateKeyJwtExpTime

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

amster attribute: responseMode

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

amster attribute: uiConfig

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

amster attribute: transform

googleConfig
Enabled

amster attribute: enabled

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: sub

amster attribute: authenticationIdKey

Authentication Endpoint URL

OAuth authentication endpoint URL.

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://accounts.google.com/o/oauth2/v2/auth

amster attribute: authorizationEndpoint

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://www.googleapis.com/oauth2/v4/token

amster attribute: tokenEndpoint

User Profile Service URL

User profile information URL.

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://www.googleapis.com/oauth2/v3/userinfo

amster attribute: userInfoEndpoint

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

amster attribute: introspectEndpoint

Redirect URL

amster attribute: redirectURI

Redirect after form post URL

Specify URL to redirect the form post parameters to.

amster attribute: redirectAfterFormPostURI

Scope Delimiter

The delimiter used by an auth server to separate scopes.

amster attribute: scopeDelimiter

OAuth Scopes

List of user profile properties.

The user profile properties that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: openid, profile, email

amster attribute: scopes

Client Authentication Method

Field used to define how the client would be identified by the social provider.

amster attribute: clientAuthenticationMethod

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

amster attribute: pkceMethod

Request Parameter JWT Option

Choose how Request Parameter JWTs will be sent to the OIDC Provider. Choose REFERENCE for OpenID Connect Request Parameter JWTs to be passed by reference. Choose VALUE for OpenID Connect Request Parameter JWTs to be passed as single, self-contained parameters. Choose NONE to specify that Request Parameter JWTs are not used.

amster attribute: jwtRequestParameterOption

Encrypt Request Parameter JWT

Enable the option to send an encrypted request parameter JWT.

amster attribute: encryptJwtRequestParameter

ACR Values

Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.

amster attribute: acrValues

Well Known Endpoint

The endpoint for retrieving a list of OAuth/OIDC endpoints.

For example, you might set this property to: https://accounts.google.com/.well-known/openid-configuration

amster attribute: wellKnownEndpoint

Request Object Audience

The intended audience of the request object. If unspecified, the issuer value will be used.

amster attribute: requestObjectAudience

OP Encrypts ID Tokens

Whether the OP encrypts ID Tokens. Will determine which resolver to use.

amster attribute: encryptedIdTokens

Issuer

The Issuer of OIDC ID Tokens.

For example, you might set this property to: https://accounts.google.com

amster attribute: issuer

Enable Native Nonce

When enabled, the Identity Provider Native SDK MUST include a nonce Claim in the ID Token with the Claim value being the nonce value sent in the Authentication Request.

amster attribute: enableNativeNonce

User Info Response Format

The expected format of UserInfo responses. Dictates how AM will process the response. The expected format must match the actual format.

amster attribute: userInfoResponseType

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

amster attribute: jwksUriEndpoint

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

amster attribute: jwtSigningAlgorithm

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

amster attribute: jwtEncryptionAlgorithm

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

amster attribute: jwtEncryptionMethod

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

amster attribute: privateKeyJwtExpTime

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

amster attribute: responseMode

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

amster attribute: uiConfig

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

amster attribute: transform

oauth2Config
Enabled

amster attribute: enabled

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: sub

amster attribute: authenticationIdKey

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

amster attribute: clientId

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

amster attribute: clientSecret

Authentication Endpoint URL

OAuth authentication endpoint URL.

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

amster attribute: authorizationEndpoint

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

amster attribute: tokenEndpoint

User Profile Service URL

User profile information URL.

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

amster attribute: userInfoEndpoint

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

amster attribute: introspectEndpoint

Redirect URL

amster attribute: redirectURI

Redirect after form post URL

Specify URL to redirect the form post parameters to.

amster attribute: redirectAfterFormPostURI

Scope Delimiter

The delimiter used by an auth server to separate scopes.

amster attribute: scopeDelimiter

OAuth Scopes

List of user profile properties.

The user profile properties that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

amster attribute: scopes

Client Authentication Method

Field used to define how the client would be identified by the social provider.

amster attribute: clientAuthenticationMethod

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

amster attribute: pkceMethod

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

amster attribute: jwksUriEndpoint

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

amster attribute: jwtSigningAlgorithm

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

amster attribute: jwtEncryptionAlgorithm

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

amster attribute: jwtEncryptionMethod

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

amster attribute: privateKeyJwtExpTime

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

amster attribute: responseMode

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

amster attribute: uiConfig

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

amster attribute: transform

appleConfig
Enabled

amster attribute: enabled

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: sub

amster attribute: authenticationIdKey

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

amster attribute: clientId

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

amster attribute: clientSecret

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://appleid.apple.com/auth/authorize

amster attribute: authorizationEndpoint

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://appleid.apple.com/auth/token

amster attribute: tokenEndpoint

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

amster attribute: userInfoEndpoint

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

amster attribute: introspectEndpoint

Redirect URL

amster attribute: redirectURI

Redirect after form post URL

Specify URL to redirect the form post parameters to.

amster attribute: redirectAfterFormPostURI

Scope Delimiter

The delimiter used by an auth server to separate scopes.

amster attribute: scopeDelimiter

OAuth Scopes

List of user profile properties.

The user profile properties that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

amster attribute: scopes

Client Authentication Method

Field used to define how the client would be identified by the social provider.

amster attribute: clientAuthenticationMethod

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

amster attribute: pkceMethod

Request Parameter JWT Option

Choose how Request Parameter JWTs will be sent to the OIDC Provider. Choose REFERENCE for OpenID Connect Request Parameter JWTs to be passed by reference. Choose VALUE for OpenID Connect Request Parameter JWTs to be passed as single, self-contained parameters. Choose NONE to specify that Request Parameter JWTs are not used.

amster attribute: jwtRequestParameterOption

Encrypt Request Parameter JWT

Enable the option to send an encrypted request parameter JWT.

amster attribute: encryptJwtRequestParameter

ACR Values

Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.

amster attribute: acrValues

Well Known Endpoint

The endpoint for retrieving a list of OAuth/OIDC endpoints.

amster attribute: wellKnownEndpoint

Request Object Audience

The intended audience of the request object. If unspecified, the issuer value will be used.

amster attribute: requestObjectAudience

OP Encrypts ID Tokens

Whether the OP encrypts ID Tokens. Will determine which resolver to use.

amster attribute: encryptedIdTokens

Issuer

The Issuer of OIDC ID Tokens.

amster attribute: issuer

Enable Native Nonce

When enabled, the Identity Provider Native SDK MUST include a nonce Claim in the ID Token with the Claim value being the nonce value sent in the Authentication Request.

amster attribute: enableNativeNonce

User Info Response Format

The expected format of UserInfo responses. Dictates how AM will process the response. The expected format must match the actual format.

amster attribute: userInfoResponseType

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

amster attribute: jwksUriEndpoint

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

amster attribute: jwtSigningAlgorithm

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

amster attribute: jwtEncryptionAlgorithm

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

amster attribute: jwtEncryptionMethod

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

amster attribute: privateKeyJwtExpTime

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

amster attribute: responseMode

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

amster attribute: uiConfig

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

amster attribute: transform

itsmeConfig
Enabled

amster attribute: enabled

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: sub

amster attribute: authenticationIdKey

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

amster attribute: clientId

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

amster attribute: clientSecret

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://idp.prd.itsme.services/v2/authorization

amster attribute: authorizationEndpoint

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://idp.prd.itsme.services/v2/token

amster attribute: tokenEndpoint

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://idp.prd.itsme.services/v2/userinfo

amster attribute: userInfoEndpoint

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

amster attribute: introspectEndpoint

Redirect URL

amster attribute: redirectURI

Redirect after form post URL

Specify URL to redirect the form post parameters to.

amster attribute: redirectAfterFormPostURI

Scope Delimiter

The delimiter used by an auth server to separate scopes.

amster attribute: scopeDelimiter

OAuth Scopes

List of user profile properties.

The user profile properties that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: openid, profile, email

amster attribute: scopes

Client Authentication Method

Field used to define how the client would be identified by the social provider.

amster attribute: clientAuthenticationMethod

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

amster attribute: pkceMethod

Request Parameter JWT Option

Choose how Request Parameter JWTs will be sent to the OIDC Provider. Choose REFERENCE for OpenID Connect Request Parameter JWTs to be passed by reference. Choose VALUE for OpenID Connect Request Parameter JWTs to be passed as single, self-contained parameters. Choose NONE to specify that Request Parameter JWTs are not used.

Default value: NONE

amster attribute: jwtRequestParameterOption

Encrypt Request Parameter JWT

Enable the option to send an encrypted request parameter JWT.

Default value: true

amster attribute: encryptJwtRequestParameter

ACR Values

Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.

amster attribute: acrValues

Well Known Endpoint

The endpoint for retrieving a list of OAuth/OIDC endpoints.

For example, you might set this property to: https://idp.prd.itsme.services/v2/.well-known/openid-configuration

amster attribute: wellKnownEndpoint

Request Object Audience

The intended audience of the request object. If unspecified, the issuer value will be used.

For example, you might set this property to: https://idp.prd.itsme.services/v2/authorization

amster attribute: requestObjectAudience

OP Encrypts ID Tokens

Whether the OP encrypts ID Tokens. Will determine which resolver to use.

Default value: true

amster attribute: encryptedIdTokens

Issuer

The Issuer of OIDC ID Tokens.

For example, you might set this property to: https://idp.prd.itsme.services/v2

amster attribute: issuer

Enable Native Nonce

When enabled, the Identity Provider Native SDK MUST include a nonce Claim in the ID Token with the Claim value being the nonce value sent in the Authentication Request. Enabled by default.

Default value: true

amster attribute: enableNativeNonce

User Info Response Format

The expected format of UserInfo responses. Dictates how AM will process the response. The expected format must match the actual format.

Default value: SIGNED_THEN_ENCRYPTED_JWT

amster attribute: userInfoResponseType

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

For example, you might set this property to: https://idp.prd.itsme.services/v2/jwkSet

amster attribute: jwksUriEndpoint

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

Default value: RS256

amster attribute: jwtSigningAlgorithm

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

Default value: RSA-OAEP

amster attribute: jwtEncryptionAlgorithm

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

Default value: AES_128_CBC_HMAC_SHA_256

amster attribute: jwtEncryptionMethod

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

amster attribute: privateKeyJwtExpTime

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

amster attribute: responseMode

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

amster attribute: uiConfig

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 3d97c436-42c0-4dd0-a571-ea6f34f752b3

amster attribute: transform

amazonConfig
Enabled

Default value: true

amster attribute: enabled

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: user_id

Default value: user_id

amster attribute: authenticationIdKey

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

amster attribute: clientId

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

amster attribute: clientSecret

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://www.amazon.com/ap/oa

amster attribute: authorizationEndpoint

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://api.amazon.com/auth/o2/token

amster attribute: tokenEndpoint

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://api.amazon.com/user/profile

amster attribute: userInfoEndpoint

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

amster attribute: introspectEndpoint

Redirect URL

amster attribute: redirectURI

Redirect after form post URL

Specify URL to redirect the form post parameters to.

amster attribute: redirectAfterFormPostURI

Scope Delimiter

The delimiter used by an auth server to separate scopes.

amster attribute: scopeDelimiter

OAuth Scopes

List of user profile properties.

The user profile properties that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: profile

Default value: profile

amster attribute: scopes

Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

amster attribute: clientAuthenticationMethod

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

amster attribute: pkceMethod

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating.

amster attribute: jwksUriEndpoint

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

amster attribute: jwtSigningAlgorithm

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

amster attribute: jwtEncryptionAlgorithm

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

amster attribute: jwtEncryptionMethod

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

amster attribute: privateKeyJwtExpTime

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

amster attribute: responseMode

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

amster attribute: uiConfig

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 6b3cfd48-62d3-48ff-a96f-fe8f3a22ab30

amster attribute: transform

facebookConfig
Enabled

Default value: true

amster attribute: enabled

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: id

Default value: id

amster attribute: authenticationIdKey

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

amster attribute: clientId

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

amster attribute: clientSecret

Authentication Endpoint URL

OAuth authentication endpoint URL.

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://www.facebook.com/dialog/oauth

amster attribute: authorizationEndpoint

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://graph.facebook.com/v2.7/oauth/access_token

amster attribute: tokenEndpoint

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

amster attribute: userInfoEndpoint

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

For example, you might set this property to: https://graph.facebook.com/debug_token

amster attribute: introspectEndpoint

Redirect URL

amster attribute: redirectURI

Redirect after form post URL

Specify URL to redirect the form post parameters to.

amster attribute: redirectAfterFormPostURI

Scope Delimiter

The delimiter used by an auth server to separate scopes.

amster attribute: scopeDelimiter

OAuth Scopes

List of user profile properties that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: email, user_birthday

Default value:

email
user_birthday

amster attribute: scopes

Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

amster attribute: clientAuthenticationMethod

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

amster attribute: pkceMethod

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating.

amster attribute: jwksUriEndpoint

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object JWT sent to the social provider.

amster attribute: jwtSigningAlgorithm

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionAlgorithm

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionMethod

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

amster attribute: privateKeyJwtExpTime

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

amster attribute: responseMode

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

amster attribute: uiConfig

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: bae1d54a-e97d-4997-aa5d-c027f21af82c

amster attribute: transform

weChatConfig

Enabled

Default value: true

amster attribute: enabled

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: openid

Default value: openid

amster attribute: authenticationIdKey

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

amster attribute: clientId

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

amster attribute: clientSecret

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://open.weixin.qq.com/connect/qrconnect

amster attribute: authorizationEndpoint

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://api.wechat.com/sns/oauth2/access_token

amster attribute: tokenEndpoint

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://api.wechat.com/sns/userinfo

amster attribute: userInfoEndpoint

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

amster attribute: introspectEndpoint

Redirect URL

amster attribute: redirectURI

Redirect after form post URL

Specify URL to redirect the form post parameters to.

amster attribute: redirectAfterFormPostURI

Scope Delimiter

The delimiter used by an auth server to separate scopes.

amster attribute: scopeDelimiter

OAuth Scopes

List of user profile properties that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: snsapi_login

Default value: snsapi_login

amster attribute: scopes

Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

amster attribute: clientAuthenticationMethod

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

amster attribute: pkceMethod

Refresh Token Endpoint

The endpoint for obtaining a refresh token.

amster attribute: refreshTokenEndpoint

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating.

amster attribute: jwksUriEndpoint

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object JWT sent to the social provider.

amster attribute: jwtSigningAlgorithm

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionAlgorithm

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionMethod

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

amster attribute: privateKeyJwtExpTime

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

amster attribute: responseMode

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

amster attribute: uiConfig

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 472534ec-a25f-468d-a606-3fb1935190df

amster attribute: transform

yahooConfig

Enabled

Default value: true

amster attribute: enabled

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: sub

Default value: sub

amster attribute: authenticationIdKey

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

amster attribute: clientId

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

amster attribute: clientSecret

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://api.login.yahoo.com/oauth2/request_auth

amster attribute: authorizationEndpoint

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://api.login.yahoo.com/oauth2/get_token

amster attribute: tokenEndpoint

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

amster attribute: userInfoEndpoint

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662 (https://www.rfc-editor.org/info/rfc7662).

amster attribute: introspectEndpoint

Redirect URL

amster attribute: redirectURI

Redirect after form post URL

Specify URL to redirect the form post parameters to.

amster attribute: redirectAfterFormPostURI

Scope Delimiter

The delimiter used by an auth server to separate scopes.

amster attribute: scopeDelimiter

OAuth Scopes

List of user profile properties that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: openid, sdpp-w

Default value:

openid
sdpp-w

amster attribute: scopes

Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

amster attribute: clientAuthenticationMethod

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

amster attribute: pkceMethod

Request Parameter JWT Option

Choose how Request Parameter JWTs will be sent to the OIDC Provider. Choose REFERENCE for OpenID Connect Request Parameter JWTs to be passed by reference. Choose VALUE for OpenID Connect Request Parameter JWTs to be passed as single, self-contained parameters. Choose NONE to specify that Request Parameter JWTs are not used.

Default value: NONE

amster attribute: jwtRequestParameterOption

Encrypt Request Parameter JWT

Enable the option to send an encrypted request parameter JWT.

Default value: false

amster attribute: encryptJwtRequestParameter

ACR Values

Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.

amster attribute: acrValues

Well Known Endpoint

The endpoint for retrieving a list of OAuth/OIDC endpoints.

For example, you might set this property to: https://api.login.yahoo.com/.well-known/openid-configuration

amster attribute: wellKnownEndpoint

Request Object Audience

The intended audience of the request object. If unspecified, the issuer value will be used.

amster attribute: requestObjectAudience

OP Encrypts ID Tokens

Whether the OP encrypts ID Tokens. Will determine which resolver to use.

Default value: false

amster attribute: encryptedIdTokens

Issuer

The Issuer of OIDC ID Tokens.

For example, you might set this property to: https://api.login.yahoo.com

amster attribute: issuer

Enable Native Nonce

When enabled, the Identity Provider Native SDK MUST include a nonce Claim in the ID Token with the Claim value being the nonce value sent in the Authentication Request. Enabled by default.

Default value: true

amster attribute: enableNativeNonce

User Info Response Format

The expected format of UserInfo responses. Dictates how AM will process the response. The expected format must match the actual format.

Default value: JSON

amster attribute: userInfoResponseType

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating.

amster attribute: jwksUriEndpoint

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object JWT sent to the social provider.

amster attribute: jwtSigningAlgorithm

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionAlgorithm

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionMethod

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

amster attribute: privateKeyJwtExpTime

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

amster attribute: responseMode

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

amster attribute: uiConfig

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 424da748-82cc-4b54-be6f-82bd64d82a74

amster attribute: transform

oidcConfig

Enabled

Default value: true

amster attribute: enabled

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: sub

amster attribute: authenticationIdKey

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

amster attribute: clientId

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

amster attribute: clientSecret

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

amster attribute: authorizationEndpoint

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

amster attribute: tokenEndpoint

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

amster attribute: userInfoEndpoint

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

amster attribute: introspectEndpoint

Redirect URL

amster attribute: redirectURI

Redirect after form post URL

Specify URL to redirect the form post parameters to.

amster attribute: redirectAfterFormPostURI

Scope Delimiter

The delimiter used by an auth server to separate scopes.

amster attribute: scopeDelimiter

OAuth Scopes

List of user profile properties that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

amster attribute: scopes

Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

amster attribute: clientAuthenticationMethod

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

amster attribute: pkceMethod

Request Parameter JWT Option

Choose how Request Parameter JWTs will be sent to the OIDC Provider. Choose REFERENCE for OpenID Connect Request Parameter JWTs to be passed by reference. Choose VALUE for OpenID Connect Request Parameter JWTs to be passed as single, self-contained parameters. Choose NONE to specify that Request Parameter JWTs are not used.

Default value: NONE

amster attribute: jwtRequestParameterOption

Encrypt Request Parameter JWT

Enable the option to send an encrypted request parameter JWT.

Default value: false

amster attribute: encryptJwtRequestParameter

ACR Values

Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.

amster attribute: acrValues

Well Known Endpoint

The endpoint for retrieving a list of OAuth/OIDC endpoints.

amster attribute: wellKnownEndpoint

Request Object Audience

The intended audience of the request object. If unspecified, the issuer value will be used.

amster attribute: requestObjectAudience

OP Encrypts ID Tokens

Whether the OP encrypts ID Tokens. Will determine which resolver to use.

amster attribute: encryptedIdTokens

Issuer

The Issuer of OIDC ID Tokens.

amster attribute: issuer

Enable Native Nonce

When enabled, the Identity Provider Native SDK MUST include a nonce Claim in the ID Token with the Claim value being the nonce value sent in the Authentication Request. Enabled by default.

Default value: true

amster attribute: enableNativeNonce

User Info Response Format

The expected format of UserInfo responses. Dictates how AM will process the response. The expected format must match the actual format.

Default value: JSON

amster attribute: userInfoResponseType

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating.

amster attribute: jwksUriEndpoint

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object JWT sent to the social provider.

amster attribute: jwtSigningAlgorithm

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionAlgorithm

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionMethod

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

amster attribute: privateKeyJwtExpTime

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

amster attribute: responseMode

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

amster attribute: uiConfig

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

amster attribute: transform

linkedInConfig

Enabled

Default value: true

amster attribute: enabled

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: id

Default value: id

amster attribute: authenticationIdKey

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

amster attribute: clientId

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

amster attribute: clientSecret

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://www.linkedin.com/oauth/v2/authorization

amster attribute: authorizationEndpoint

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://www.linkedin.com/oauth/v2/accessToken

amster attribute: tokenEndpoint

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

amster attribute: userInfoEndpoint

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

For example, you might set this property to: https://www.linkedin.com/oauth/v2/introspectToken

amster attribute: introspectEndpoint

Redirect URL

amster attribute: redirectURI

Redirect after form post URL

Specify URL to redirect the form post parameters to.

amster attribute: redirectAfterFormPostURI

Scope Delimiter

The delimiter used by an auth server to separate scopes.

amster attribute: scopeDelimiter

OAuth Scopes

List of user profile properties that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: r_liteprofile, r_emailaddress

Default value:

r_liteprofile
r_emailaddress

amster attribute: scopes

Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

amster attribute: clientAuthenticationMethod

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

amster attribute: pkceMethod

Email Address Endpoint

The endpoint for retrieving the email address.

amster attribute: emailAddressEndpoint

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating.

amster attribute: jwksUriEndpoint

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object JWT sent to the social provider.

amster attribute: jwtSigningAlgorithm

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionAlgorithm

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionMethod

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

amster attribute: privateKeyJwtExpTime

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

amster attribute: responseMode

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

amster attribute: uiConfig

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 8862ca8f-7770-4af5-a888-ac0df0947f36

amster attribute: transform

salesforceConfig

Enabled

Default value: true

amster attribute: enabled

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: user_id

Default value: user_id

amster attribute: authenticationIdKey

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

amster attribute: clientId

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

amster attribute: clientSecret

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://login.salesforce.com/services/oauth2/authorize

amster attribute: authorizationEndpoint

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://login.salesforce.com/services/oauth2/token

amster attribute: tokenEndpoint

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://login.salesforce.com/services/oauth2/userinfo

amster attribute: userInfoEndpoint

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

For example, you might set this property to: https://login.salesforce.com/services/oauth2/introspect

amster attribute: introspectEndpoint

Redirect URL

amster attribute: redirectURI

Redirect after form post URL

Specify URL to redirect the form post parameters to.

amster attribute: redirectAfterFormPostURI

Scope Delimiter

The delimiter used by an auth server to separate scopes.

amster attribute: scopeDelimiter

OAuth Scopes

List of user profile properties that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: id, api, web

Default value:

id
api
web

amster attribute: scopes

Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

amster attribute: clientAuthenticationMethod

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

amster attribute: pkceMethod

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating.

amster attribute: jwksUriEndpoint

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object JWT sent to the social provider.

amster attribute: jwtSigningAlgorithm

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionAlgorithm

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionMethod

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

amster attribute: privateKeyJwtExpTime

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

amster attribute: responseMode

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

amster attribute: uiConfig

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 312e951f-70c5-49d2-a9ae-93aef909d5df

amster attribute: transform

wordpressConfig

Enabled

Default value: true

amster attribute: enabled

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: username

Default value: username

amster attribute: authenticationIdKey

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

amster attribute: clientId

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

amster attribute: clientSecret

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://public-api.wordpress.com/oauth2/authorize

amster attribute: authorizationEndpoint

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://public-api.wordpress.com/oauth2/token

amster attribute: tokenEndpoint

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://public-api.wordpress.com/rest/v1.1/me/

amster attribute: userInfoEndpoint

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

amster attribute: introspectEndpoint

Redirect URL

amster attribute: redirectURI

Redirect after form post URL

Specify URL to redirect the form post parameters to.

amster attribute: redirectAfterFormPostURI

Scope Delimiter

The delimiter used by an auth server to separate scopes.

amster attribute: scopeDelimiter

OAuth Scopes

List of user profile properties that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: auth

Default value: auth

amster attribute: scopes

Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

amster attribute: clientAuthenticationMethod

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

amster attribute: pkceMethod

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating.

amster attribute: jwksUriEndpoint

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object JWT sent to the social provider.

amster attribute: jwtSigningAlgorithm

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionAlgorithm

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionMethod

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

amster attribute: privateKeyJwtExpTime

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

amster attribute: responseMode

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

amster attribute: uiConfig

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 91d197de-5916-4dca-83b5-9a4df26e7159

amster attribute: transform

microsoftConfig

Enabled

Default value: true

amster attribute: enabled

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: id

Default value: id

amster attribute: authenticationIdKey

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

amster attribute: clientId

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

amster attribute: clientSecret

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://login.microsoftonline.com/common/oauth2/v2.0/authorize

amster attribute: authorizationEndpoint

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://login.microsoftonline.com/common/oauth2/v2.0/token

amster attribute: tokenEndpoint

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://graph.microsoft.com/v1.0/me

amster attribute: userInfoEndpoint

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

amster attribute: introspectEndpoint

Redirect URL

amster attribute: redirectURI

Redirect after form post URL

Specify URL to redirect the form post parameters to.

amster attribute: redirectAfterFormPostURI

Scope Delimiter

The delimiter used by an auth server to separate scopes.

amster attribute: scopeDelimiter

OAuth Scopes

List of user profile properties that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: User.Read

Default value: User.Read

amster attribute: scopes

Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

amster attribute: clientAuthenticationMethod

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

amster attribute: pkceMethod

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

amster attribute: jwksUriEndpoint

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object JWT sent to the social provider.

amster attribute: jwtSigningAlgorithm

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionAlgorithm

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionMethod

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

amster attribute: privateKeyJwtExpTime

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

amster attribute: responseMode

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

amster attribute: uiConfig

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 73cecbfc-dad0-4395-be6a-6858ee3a80e5

amster attribute: transform

vkConfig

Enabled

Default value: true

amster attribute: enabled

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: sub

Default value: id

amster attribute: authenticationIdKey

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

amster attribute: clientId

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

amster attribute: clientSecret

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://oauth.vk.com/authorize

amster attribute: authorizationEndpoint

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://oauth.vk.com/access_token

amster attribute: tokenEndpoint

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://api.vk.com/method/users.get?fields=photo_50

amster attribute: userInfoEndpoint

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

amster attribute: introspectEndpoint

Redirect URL

amster attribute: redirectURI

Redirect after form post URL

Specify URL to redirect the form post parameters to.

amster attribute: redirectAfterFormPostURI

Scope Delimiter

The delimiter used by an auth server to separate scopes.

amster attribute: scopeDelimiter

OAuth Scopes

List of user profile properties that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: email

Default value: email

amster attribute: scopes

Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

amster attribute: clientAuthenticationMethod

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

amster attribute: pkceMethod

API Version

Version of the applicable VKontakte API.

Default value: 5.73

amster attribute: apiVersion

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

amster attribute: jwksUriEndpoint

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object JWT sent to the social provider.

amster attribute: jwtSigningAlgorithm

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionAlgorithm

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object JWT sent to the social provider.

amster attribute: jwtEncryptionMethod

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

amster attribute: privateKeyJwtExpTime

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

amster attribute: responseMode

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

amster attribute: uiConfig

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 403cf226-6051-4368-8b72-9ba14f9a5140

amster attribute: transform

twitterConfig

Enabled

Default value: true

amster attribute: enabled

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: id_str

Default value: id_str

amster attribute: authenticationIdKey

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

amster attribute: clientId

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

amster attribute: clientSecret

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

amster attribute: authorizationEndpoint

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

amster attribute: tokenEndpoint

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

amster attribute: userInfoEndpoint

Redirect URL

amster attribute: redirectURI

Request Token Endpoint

The endpoint for obtaining an access token.

amster attribute: requestTokenEndpoint

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

amster attribute: uiConfig

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 8e298710-b55e-4085-a464-88a375a4004b

amster attribute: transform

Transaction Authentication Service

The following settings are available in this service:

Time to Live

The number of seconds within which the transaction must be completed.

amster attribute: timeToLive

User

Dynamic Attributes

The following settings appear on the Dynamic Attributes tab:

User Preferred Timezone

Time zone for accessing the AM UI.

amster attribute: preferredTimezone

Administrator DN Starting View

Specifies the DN for the initial screen when the AM administrator successfully logs in to the AM admin UI.

amster attribute: adminDNStartingView

Default User Status

Inactive users cannot authenticate, though AM stores their profiles.

The possible values for this property are:

  • Active

  • Inactive

amster attribute: defaultUserStatus

Self Service Trees

Realm Attributes

The following settings appear on the Realm Attributes tab:

Enabled

amster attribute: enabled

Tree Mapping

The following settings appear on the Tree Mapping tab:

Validation Service

The following settings are available in this service:

Valid goto URL Resources

List of valid goto URL resources.

Specifies a list of valid URLs for the goto and gotoOnFail query string parameters. AM only redirects a user after login or logout to a URL in this list. If the URL is not in the list, AM redirects to either the user profile page or the administration console. If this property is not set, AM only allows URLs that match its domain; for example, domain-of-am-instance.com. Use the * wildcard to match all characters except ?.

Examples:

amster attribute: validGotoDestinations
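How an allowlist behaves under the * rule described for this property, as an added JavaScript example. It is not AM's own matcher and implements only the one wildcard rule stated here; the function names, AM base URL, fallback URL and patterns are constructed for illustration.

```javascript
'use strict';

// Convert one allowlist entry into an anchored RegExp. Per the property
// description, "*" matches any run of characters except "?"; every other
// character, including "?" and ".", is matched literally.
function patternToRegExp(pattern) {
  const literal = pattern.replace(/[.+^${}()|[\]\\?]/g, '\\$&');
  return new RegExp('^' + literal.replace(/\*/g, '[^?]*') + '$');
}

// Decide where to send the user after login or logout.
// amBase, fallback and validPatterns are hypothetical inputs for this sketch.
function resolveGoto(gotoParam, validPatterns, amBase, fallback) {
  let url;
  try {
    // Resolving against amBase normalizes relative and protocol-relative
    // values ("//host/path"), so the check sees the real destination host.
    url = new URL(gotoParam, amBase);
  } catch (e) {
    return fallback;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return fallback;
  }
  if (validPatterns.length === 0) {
    // Property not set: only the AM instance's own domain is allowed.
    return url.hostname === new URL(amBase).hostname ? url.href : fallback;
  }
  // Match the normalized URL, never the raw parameter string.
  const allowed = validPatterns.some((p) => patternToRegExp(p).test(url.href));
  return allowed ? url.href : fallback;
}

// Constructed sample configuration.
const AM_BASE = 'https://am.example.com/am/';
const FALLBACK = 'https://am.example.com/am/profile';
const PATTERNS = [
  'https://app.example.com/*',        // any path, but no query string
  'https://shop.example.com/cart?*',  // one fixed path, any query string
];
```

Because * stops at ?, the first pattern does not cover URLs that carry a query string; an entry such as the second pattern is needed where a query string is expected.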

WebAuthn Profile Encryption Service

The following settings are available in this service:

Profile Storage Attribute

The user’s attribute in which to store WebAuthn profiles.

amster attribute: webauthnAttrName

Device Profile Encryption Scheme

Encryption scheme to use to secure device profiles stored on the server.

If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.

Note: AES-256 may require installation of the JCE Unlimited Strength policy files.

The possible values for this property are:

  • Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (Value: RSAES_AES256CBC_HS512)

  • Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (Value: RSAES_AES128CBC_HS256)

  • Label: No encryption of device settings. (Value: NONE)

amster attribute: authenticatorWebAuthnDeviceSettingsEncryptionScheme

Encryption Key Store

Path to the key store from which to load encryption keys.

amster attribute: authenticatorWebAuthnDeviceSettingsEncryptionKeystore

Key Store Type

Type of key store to load.

See the JDK 8 PKCS#11 Reference Guide for more details.

The possible values for this property are:

  • Label: Java Key Store (JKS). (Value: JKS)

  • Label: Java Cryptography Extension Key Store (JCEKS). (Value: JCEKS)

  • Label: PKCS#11 Hardware Crypto Storage. (Value: PKCS11)

  • Label: PKCS#12 Key Store. (Value: PKCS12)

amster attribute: authenticatorWebAuthnDeviceSettingsEncryptionKeystoreType

Key Store Password

Password to unlock the key store. This password is encrypted when it is saved in the AM configuration.

amster attribute: authenticatorWebAuthnDeviceSettingsEncryptionKeystorePassword

Key-Pair Alias

Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.

amster attribute: authenticatorWebAuthnDeviceSettingsEncryptionKeystoreKeyPairAlias

Private Key Password

Password to unlock the private key.

amster attribute: authenticatorWebAuthnDeviceSettingsEncryptionKeystorePrivateKeyPassword

Supported standards

AM implements the following RFCs, Internet-Drafts, and standards:

Open Authentication

RFC 4226: HOTP: An HMAC-Based One-Time Password Algorithm, supported by the OATH authentication nodes.

RFC 6238: TOTP: Time-Based One-Time Password Algorithm, supported by the OATH authentication nodes.

For more information, see Open Authentication.

OAuth 2.0
OpenID Connect 1.0

In section 5.6 of this specification, AM supports Normal Claims. AM does not support the optional Aggregated Claims and Distributed Claims representations.

AM applies the guidelines suggested by the OpenID Financial-grade API (FAPI) Working Group to the implementation of CIBA, which shapes the support of CIBA in AM.

Implementation Decisions Applying to CIBA Support in AM

  • AM only supports the CIBA "poll" mode, not the "push" or "ping" modes.

  • AM requires use of confidential clients for CIBA.

  • AM requires use of signed JSON Web Tokens (JWTs) to pass parameters, using one of the following algorithms:

    • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

    • PS256 - RSASSA-PSS using SHA-256.

Plain JSON or form parameters for CIBA-related data are not supported.

AM currently only supports backchannel logout when acting as the provider.


Security Assertion Markup Language (SAML) and federation-related standards
Encryption and signatures
Other standards

Secret ID default mappings

The following groups contain the secret IDs used by the AM features, and their default mappings, if any.

General

PEM decryption password

This table shows the secret ID in which you can store the password used to decrypt password-encrypted PEM files.

Encode the password using the https://openam.example.com:8443/openam/encode.jsp page.

Secret ID Default Alias Algorithms

am.global.services.secret.pem.decryption

Encode using encode.jsp

Encrypt client-based sessions

This table shows the secret ID mapping to use when encrypting client-based sessions:

Secret ID | Default Alias | Algorithms
am.global.services.session.clientbased.encryption | test | RS256

To use AES-based encryption algorithms, log into the AM admin UI, select Configure > Global Services > Sessions > Advanced, and configure the secret in the Encryption Symmetric AES Key field.

Sign client-based sessions

This table shows the secret ID mapping to use when signing client-based sessions:

Secret ID | Default Alias | Algorithms
am.global.services.session.clientbased.signing | rsajwtsigningkey | RS256, ES256, ES384, ES512

To use HMAC-based signing algorithms, log into the AM admin UI, select Configure > Global Services > Sessions > Advanced, and configure the secret in the Signing HMAC Shared Secret field.

OAuth 2.0 and OpenID Connect as provider

JWT authenticity signing

This table shows the secret ID mapping used to sign several OAuth 2.0 and OpenID Connect-related JWTs:

Secret ID | Default Alias | Algorithms
am.services.oauth2.jwt.authenticity.signing | hmacsigningtest | HS256, HS384, HS512

This key is used to sign the following tokens and requests:

  • OpenID Connect tokens for Web and Java Agents.

  • OpenID Connect tokens that are signed with an HMAC algorithm.

  • Macaroon access and refresh tokens.

  • Consent requests to remote consent agents that are signed with an HMAC algorithm.

Encrypt client-based OAuth 2.0 tokens

This table shows the secret ID mapping used to encrypt client-based access tokens:

Secret ID | Default Alias | Algorithms
am.services.oauth2.stateless.token.encryption | directenctest | A128CBC-HS256

Sign client-based OAuth 2.0 tokens

This table shows the secret ID mappings used to sign client-based access tokens:

Secret ID | Default Alias | Algorithms
am.services.oauth2.stateless.signing.ES256 | es256test | ES256
am.services.oauth2.stateless.signing.ES384 | es384test | ES384
am.services.oauth2.stateless.signing.ES512 | es512test | ES512
am.services.oauth2.stateless.signing.HMAC | hmacsigningtest | HS256, HS384, HS512
am.services.oauth2.stateless.signing.RSA | rsajwtsigningkey | PS256, PS384, PS512, RS256, RS384, RS512

Decrypt OpenID Connect request parameters

This table shows the secret ID mappings used to decrypt OpenID Connect request parameters:

Secret ID | Default Alias | Algorithms
am.services.oauth2.oidc.decryption.RSA1.5 | test | RSA with PKCS#1 v1.5 padding
am.services.oauth2.oidc.decryption.RSA.OAEP | test | RSA with OAEP with SHA-1 and MGF-1
am.services.oauth2.oidc.decryption.RSA.OAEP.256 | test | RSA with OAEP with SHA-256 and MGF-1

For confidential clients, if you select an AES algorithm (A128KW, A192KW, or A256KW) or the direct encryption algorithm (dir), the value of the Client Secret field in the OAuth 2.0 Client is used as the secret, instead of an entry from the secret stores.

The following signing and encryption algorithms use the Client Secret field to store the secret:

  • Signing ID tokens with an HMAC algorithm

  • Encrypting ID tokens with AES or direct encryption

  • Encrypting parameters with AES or direct encryption

Store only one secret in the Client Secret field; AM will use different mechanisms to sign and encrypt depending on the algorithm. For more information, see the OpenID Connect Core 1.0 specification.

CA Certificates in mTLS client authentication

This table shows the secret ID mapping used to store the CA certificates AM should trust during mTLS client authentication:

Secret ID Default Alias Algorithms

am.services.oauth2.tls.client.cert.authentication

OAuth 2.0 and OpenID Connect as client/relying party of the social identity provider service

Decrypt ID tokens

This table shows the secret ID mapping to support decryption of ID tokens and userinfo endpoint data in JWT format when AM is configured as a relying party of the Social Identity Provider Service:

Secret ID Default Alias Algorithms

am.services.oauth2.oidc.rp.idtoken.encryption

test

The public key is exposed in the /oauth2/connect/rp/jwk_uri.

For more information about the algorithms supported, and how to configure this secret ID mapping, see Social authentication.

Sign JWTs and objects

This table shows the secret ID mapping that AM uses to sign JWTs and objects, when configured as a relying party of the Social Identity Provider Service:

Secret ID Default Alias Algorithms

am.services.oauth2.oidc.rp.jwt.authenticity.signing

rsajwtsigningkey

The public key is exposed in the /oauth2/connect/rp/jwk_uri.

For more information about the algorithms supported, and how to configure this secret ID mapping, see Social authentication.

CA Certificates in mTLS Client Authentication with AM as relying party

This table shows the secret ID mapping used to store CA or self-signed certificates AM uses for mTLS client authentication when configured as a relying party of the Social Identity Provider Service:

Secret ID Default Alias Algorithms

am.services.oauth2.tls.client.cert.authentication

The public key is exposed in the /oauth2/connect/rp/jwk_uri.

For more information about the algorithms supported, and how to configure this secret ID mapping, see Social authentication.

Web agents and Java agents

Sign agent JWTs

This table shows the secret ID mapping used to sign the JWTs provided to Web and Java agents:

Secret ID | Default Alias | Algorithms
am.global.services.oauth2.oidc.agent.idtoken.signing | rsajwtsigningkey | RS256, RS384, RS512

Authentication

Encrypt authentication trees' secure state data

This table shows the secret ID mapping used to encrypt sensitive data stored in the secure state of an authentication tree:

Secret ID | Default Alias | Algorithms
am.authn.trees.transientstate.encryption | directenctest | AES 256-bit

SAML v2.0

Encrypt SAML v2.0 session storage JWTs

This table shows the secret ID mapping used to encrypt the JWTs SAML v2.0 creates in session storage:

Secret ID | Default Alias | Algorithms
am.global.services.saml2.client.storage.jwt.encryption | directenctest | A256GCM

Sign SAML v2.0 metadata

This table shows the secret ID mapping used to sign SAML v2.0 metadata:

Secret ID | Default Alias | Algorithms
am.services.saml2.metadata.signing.RSA | rsajwtsigningkey | RSA SHA-256

SAML v2.0 signing and encryption

This table shows the secret ID mappings used to sign and encrypt SAML v2.0 elements:

Secret ID | Default Alias | Algorithms
am.default.applications.federation.entity.providers.saml2.idp.encryption | test | RSA with PKCS#1 v1.5 padding, RSA with OAEP
am.default.applications.federation.entity.providers.saml2.idp.signing | rsajwtsigningkey | RSA SHA-1 (1), ECDSA SHA-256, ECDSA SHA-384, ECDSA SHA-512, RSA SHA-256, RSA SHA-384, RSA SHA-512, DSA SHA-256
am.default.applications.federation.entity.providers.saml2.sp.encryption | test | RSA with PKCS#1 v1.5 padding, RSA with OAEP
am.default.applications.federation.entity.providers.saml2.sp.signing | rsajwtsigningkey | RSA SHA-1 (1), ECDSA SHA-256, ECDSA SHA-384, ECDSA SHA-512, RSA SHA-256, RSA SHA-384, RSA SHA-512, DSA SHA-256

(1) This algorithm is for compatibility purposes only, and its use should be avoided.

You can specify a custom secret ID identifier for each hosted SAML v2.0 entity provider in a realm, which creates new secret IDs. These secret IDs can be unique to the provider, or shared by multiple providers.

For example, you could add a custom secret ID identifier named mySamlSecrets to a hosted identity provider.

AM dynamically creates the following secret IDs, which the hosted identity provider uses for signing and encryption:

  • am.applications.federation.entity.providers.saml2.mySamlSecrets.signing

  • am.applications.federation.entity.providers.saml2.mySamlSecrets.encryption

AM will attempt to look up the secrets with the custom secret ID identifier. If unsuccessful, AM will look up the secrets using the default secret IDs.

Glossary

Access control

Control to grant or to deny access to a resource.

Account lockout

The act of making an account temporarily or permanently inactive after successive authentication failures.

Actions

Defined as part of policies, these verbs indicate what authorized identities can do to resources.

Advice

In the context of a policy decision denying access, a hint to the policy enforcement point about remedial action to take that could result in a decision allowing access.

Agent administrator

User having privileges only to read and write agent profile configuration information, typically created to delegate agent profile creation to the user installing a web or Java agent.

Agent authenticator

Entity with read-only access to multiple agent profiles defined in the same realm; allows an agent to read web service profiles.

Application

In general terms, a service exposing protected resources.

In the context of AM policies, the application is a template that constrains the policies that govern access to protected resources. An application can have zero or more policies.

Application type

Application types act as templates for creating policy applications.

Application types define a preset list of actions and functional logic, such as policy lookup and resource comparator logic.

Application types also define the internal normalization, indexing logic, and comparator logic for applications.

Attribute-based access control (ABAC)

Access control that is based on attributes of a user, such as how old a user is or whether the user is a paying customer.

Authentication

The act of confirming the identity of a principal.

Authentication level

Positive integer associated with an authentication node, usually used to require success with more stringent authentication measures when requesting resources requiring special protection.

Authorization

The act of determining whether to grant or to deny a principal access to a resource.

Authorization server

In OAuth 2.0, issues access tokens to the client after authenticating a resource owner and confirming that the owner authorizes the client to access the protected resource. AM can play this role in the OAuth 2.0 authorization framework.

Auto-federation

Arrangement to federate a principal’s identity automatically based on a common attribute value shared across the principal’s profiles at different providers.

Bulk federation

Batch job permanently federating user profiles between a service provider and an identity provider based on a list of matched user identifiers that exist on both providers.

Circle of trust

Group of providers, including at least one identity provider, who have agreed to trust each other to participate in a SAML v2.0 provider federation.

Client

In OAuth 2.0, requests protected web resources on behalf of the resource owner given the owner’s authorization. AM can play this role in the OAuth 2.0 authorization framework.

Client-based OAuth 2.0 tokens

After a successful OAuth 2.0 grant flow, AM returns a token to the client. This differs from CTS-based OAuth 2.0 tokens, where AM returns a reference to the token to the client.

Client-based sessions

AM sessions for which AM returns session state to the client after each request, and requires it to be passed in with the subsequent request.

For browser-based clients, AM sets a cookie in the browser that contains the session state. When the browser transmits the cookie back to AM, AM decodes the session state from the cookie.

Conditions

Defined as part of policies, these determine the circumstances under which a policy applies.

Environmental conditions reflect circumstances like the client IP address, time of day, how the subject authenticated, or the authentication level achieved.

Subject conditions reflect characteristics of the subject like whether the subject authenticated, the identity of the subject, or claims in the subject’s JWT.

Configuration datastore

LDAP directory service holding AM configuration data.

Cross-domain single sign-on (CDSSO)

AM capability allowing single sign-on across different DNS domains.

CTS-based OAuth 2.0 tokens

After a successful OAuth 2.0 grant flow, AM returns a reference to the token to the client, rather than the token itself. This differs from client-based OAuth 2.0 tokens, where AM returns the entire token to the client.

CTS-based sessions

AM sessions that reside in the Core Token Service’s token store. CTS-based sessions might also be cached in memory on one or more AM servers. AM tracks these sessions in order to handle events like logout and timeout, to permit session constraints, and to notify applications involved in SSO when a session ends.

Delegation

Granting users administrative privileges with AM.

Entitlement

Decision that defines which resource names can and cannot be accessed for a given identity in the context of a particular application, which actions are allowed and which are denied, and any related advice and attributes.

Extended metadata

Federation configuration information specific to AM.

Extensible Access Control Markup Language (XACML)

Standard, XML-based access control policy language, including a processing model for making authorization decisions based on policies.

Federation

Standardized means for aggregating identities, sharing authentication and authorization data between trusted providers, and allowing principals to access services across different providers without authenticating repeatedly.

Hot swappable

Refers to configuration properties for which changes can take effect without restarting the container where AM runs.

Identity

Set of data that uniquely describes a person or a thing such as a device or an application.

Identity federation

Linking of a principal’s identity across multiple providers.

Identity provider (IDP)

Entity that produces assertions about a principal (such as how and when a principal authenticated, or that the principal’s profile has a specified attribute value).

Identity repository

Data store holding user profiles and group information; different identity repositories can be defined for different realms.

Java agent

Java web application installed in a web container that acts as a policy enforcement point, filtering requests to other applications in the container with policies based on application resource URLs.

Metadata

Federation configuration information for a provider.

Policy

Set of rules that define who is granted access to a protected resource when, how, and under what conditions.

Policy agent

Java, web, or custom agent that intercepts requests for resources, directs principals to AM for authentication, and enforces policy decisions from AM.

Policy Administration Point (PAP)

Entity that manages and stores policy definitions.

Policy Decision Point (PDP)

Entity that evaluates access rights and then issues authorization decisions.

Policy Enforcement Point (PEP)

Entity that intercepts a request for a resource and then enforces policy decisions from a PDP.

Policy Information Point (PIP)

Entity that provides extra information, such as user profile attributes that a PDP needs in order to make a decision.

Principal

Represents an entity that has been authenticated (such as a user, a device, or an application), and thus is distinguished from other entities.

When a Subject successfully authenticates, AM associates the Subject with the Principal.

Privilege

In the context of delegated administration, a set of administrative tasks that can be performed by specified identities in a given realm.

Provider federation

Agreement among providers to participate in a circle of trust.

Realm

AM unit for organizing configuration and identity information.

Realms can be used, for example, when different parts of an organization have different applications and identity stores, and when different organizations use the same AM deployment.

Administrators can delegate realm administration. The administrator assigns administrative privileges to users, allowing them to perform administrative tasks within the realm.

Resource

Something a user can access over the network, such as a web page.

Defined as part of policies, these can include wildcards in order to match multiple actual resources.

Resource owner

In OAuth 2.0, entity who can authorize access to protected web resources, such as an end user.

Resource server

In OAuth 2.0, server hosting protected web resources, capable of handling access tokens to respond to requests for such resources.

Response attributes

Defined as part of policies, these allow AM to return additional information in the form of "attributes" with the response to a policy decision.

Role based access control (RBAC)

Access control that is based on whether a user has been granted a set of permissions (a role).

Security Assertion Markup Language (SAML)

Standard, XML-based language for exchanging authentication and authorization data between identity providers and service providers.

Service provider (SP)

Entity that consumes assertions about a principal (and provides a service that the principal is trying to access).

Authentication Session

The interval while the user or entity is authenticating to AM.

Session

The interval that starts after the user has authenticated and ends when the user logs out, or when their session is terminated. For browser-based clients, AM manages user sessions across one or more applications by setting a session cookie. See also CTS-based sessions and Client-based sessions.

Session high availability

Capability that lets any AM server in a clustered deployment access shared, persistent information about users' sessions from the CTS token store. The user does not need to log in again unless the entire deployment goes down.

Session token

Unique identifier issued by AM after successful authentication. For CTS-based sessions, the session token is used to track a principal’s session.

Single log out (SLO)

Capability allowing a principal to end a session once, thereby ending her session across multiple applications.

Single sign-on (SSO)

Capability allowing a principal to authenticate once and gain access to multiple applications without authenticating again.

Site

Group of AM servers configured the same way, accessed through a load balancer layer. The load balancer handles failover to provide service-level availability.

The load balancer can also be used to protect AM services.

Standard metadata

Standard federation configuration information that you can share with other access management software.

Stateless service

Stateless services do not store any data locally to the service. When the service requires data to perform any action, it requests it from a data store. For example, a stateless authentication service stores session state for logged-in users in a database. This way, any server in the deployment can recover the session from the database and service requests for any user.

All AM services are stateless unless otherwise specified. See also Client-based sessions and CTS-based sessions.

Subject

Entity that requests access to a resource.

When an identity successfully authenticates, AM associates the identity with the Principal that distinguishes it from other identities. An identity can be associated with multiple principals.

Identity store

Data storage service holding principals' profiles; underlying storage can be an LDAP directory service or a custom IdRepo implementation.

Web agent

Native library installed in a web server that acts as a policy enforcement point with policies based on web page URLs.

Copyright © 2010-2022 ForgeRock, all rights reserved.