General
ForgeRock Identity Platform
Does not apply to Identity Cloud

What federation standards does AM support?

Last updated Oct 18, 2021

The purpose of this article is to provide information on the supported federation standards in AM.



Overview

This article provides information on the following federation standards:

OAuth 2.0 support

| Grant Flows | AM 7.1 | AM 7 | AM 6.5.2, 6.5.3, 6.5.4 | AM 6.5.1 | AM 6.5 | AM 6 | AM 5.5.x | AM 5, 5.1 | Documentation Reference |
|---|---|---|---|---|---|---|---|---|---|
| Authorization Code | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Implementing OAuth 2.0 Grant Flows (RFC 6749) |
| Authorization Code with PKCE | Yes | Yes | Yes | Yes | Yes | -- | -- | -- | Implementing OAuth 2.0 Grant Flows (RFC 6749, RFC 7636) |
| Implicit | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Implementing OAuth 2.0 Grant Flows (RFC 6749) |
| Client Credentials | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Implementing OAuth 2.0 Grant Flows (RFC 6749) |
| Resource Owner Password Credentials | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Implementing OAuth 2.0 Grant Flows (RFC 6749) |
| Device Flow | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Implementing OAuth 2.0 Grant Flows (Internet-Draft: OAuth 2.0 Device Flow for Browserless and Input Constrained Devices) |
| Device Flow with PKCE | Yes | Yes | Yes | Yes | Yes | -- | -- | -- | Implementing OAuth 2.0 Grant Flows (Internet-Draft: OAuth 2.0 Device Flow for Browserless and Input Constrained Devices, RFC 7636) |
| SAML v2.0 Profile for Authorization | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Implementing OAuth 2.0 Grant Flows (RFC 7522) |
| Client Type | | | | | | | | | |
| Confidential | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | /json/realm-config/agents/OAuth2Client |
| Public | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | /json/realm-config/agents/OAuth2Client |
| Credential Type | | | | | | | | | |
| Access token | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | AM as the Authorization Server |
| Refresh token | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | AM as the Authorization Server |
| Additional Features | | | | | | | | | |
| Bearer Token Usage | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Using Your Own Client and Resource Server (RFC 6750) |
| Token Revocation | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Supported Standards (RFC 7009) |
| OAuth 2.0 Token Introspection | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Supported Standards (RFC 7662) |
| JWT Response for OAuth Token Introspection | Yes | Yes | -- | -- | -- | -- | -- | -- | /oauth2/introspect (Internet Draft: JWT Response for OAuth Token Introspection) |
| OAuth 2.0 Token Exchange | Yes | -- | -- | -- | -- | -- | -- | -- | Supported Standards (RFC 8693) |
| JSON Web Token (JWT) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Supported Standards (RFC 7519) |
| JSON Web Token (JWT) Profile | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Authenticating Clients Using JWT Profiles (RFC 7523) |
| JWT Profile for OAuth 2.0 Authorization Grant | Yes | Yes | Yes | -- | -- | -- | -- | -- | JWT Profile for OAuth 2.0 Authorization Grant (RFC 7523) |
| OAuth 2.0 Mutual TLS (mTLS) | Yes | Yes | Yes | Yes | -- | -- | -- | -- | Authenticating Clients Using Mutual TLS (Internet-Draft: OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens) |
| Proof-of-Possession Key Semantics for JWT | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Supported Standards (RFC 7800) |
| JSON Web Signature (JWS) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Supported Standards (RFC 7515) |
| JSON Web Encryption (JWE) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Supported Standards (RFC 7516) |
| JSON Web Key (JWK) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Supported Standards (RFC 7517) |
| JSON Web Algorithms (JWA) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Supported Standards (RFC 7518) |
| Dynamic Client Registration | Yes | Yes | Yes | Yes | Yes | Yes | Yes | -- | Dynamic Client Registration (RFC 7591) |
| Dynamic Client Registration Management | Yes | Yes | Yes * | Yes * | -- | -- | -- | -- | Dynamic Client Registration Management (RFC 7592) |
| Remote Consent Service Support | Yes | Yes | Yes | Yes | Yes | Yes | Yes | -- | The Remote Consent Service |

* Support for read operations only.

OpenID Connect 1.0 support

| Specification | AM 7.1 | AM 7 | AM 6.5.2, 6.5.3, 6.5.4 | AM 6, 6.5, 6.5.1 | AM 5.x | Documentation Reference |
|---|---|---|---|---|---|---|
| OpenID Connect Core 1.0 | Yes | Yes | Yes | Yes | Yes | Supported Standards |
| OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0 | Yes | Yes | Yes | -- | -- | Supported Standards |
| OpenID Connect Backchannel Logout 1.0 Draft 06 (Supported when AM is acting as the provider) | Yes | -- | -- | -- | -- | Supported Standards |
| OpenID Connect Discovery 1.0 | Yes | Yes | Yes | Yes | Yes | Supported Standards |
| OpenID Connect Dynamic Client Registration 1.0 | Yes | Yes | Yes | Yes | Yes | Supported Standards |
| OpenID Connect Session Management 1.0 (Draft) | Yes | Yes | Yes | Yes | Yes | Supported Standards |
| OAuth 2.0 Multiple Response Type Encoding Practices | Yes | Yes | Yes | Yes | Yes | Supported Standards |
| OAuth 2.0 Form Post Response Mode | Yes | Yes | Yes | Yes | Yes | Supported Standards |
| OpenID Connect Basic Client Implementer's Guide 1.0 | Yes | Yes | Yes | Yes | Yes | Supported Standards |
| OpenID Connect Implicit Client Implementer's Guide 1.0 | Yes | Yes | Yes | Yes | Yes | Supported Standards |

UMA 2.0 support

| Specification | AM 7.x | AM 6.x | AM 5.5.x | AM 5/5.1 | Documentation Reference |
|---|---|---|---|---|---|
| UMA 2.0 Grant for OAuth 2.0 Authorization | Yes | Yes | Yes | -- | Supported Standards |
| Federated Authorization for UMA 2.0 | Yes | Yes | Yes | -- | Supported Standards |

UMA 1.x support (pre-AM 5.5)

| Specification | AM 5.5 | AM 5/5.1 | Documentation Reference |
|---|---|---|---|
| User-Managed Access (UMA) Profile of OAuth 2.0 | -- | Yes | Supported Standards |
| OAuth 2.0 Resource Set Registration | -- | Yes | Supported Standards |

SAML 2.0 support

| Profile | AM 7.x | AM 6.x | AM 5.x | Documentation Reference |
|---|---|---|---|---|
| Web Browser SSO Profile | Yes | Yes | Yes | |
| Enhanced Client or Proxy (ECP) Profile | Yes | Yes | Yes | Configuring for the ECP Profile |
| Identity Provider Discovery Profile | Yes | Yes | Yes | Deploying the Identity Provider Discovery Service |
| Single Logout Profile | Yes | Yes | Yes | Implementing SSO and SLO |
| Name Identifier Management Profile | Yes | Yes | Yes | Managing Federation of Persistently Linked Accounts |
| Artifact Resolution Profile | Yes | Yes | Yes | Services |
| Assertion Query/Request Profile | Yes | Yes | Yes | Assertion Content |
| Name Identifier Mapping Profile | Yes | Yes | Yes | Services |
| SAML Attribute Profiles: Basic Attribute Profile, X.500/LDAP Attribute Profile, UUID Attribute Profile, DCE PAC Attribute Profile, XACML Attribute Profile | Yes | Yes | Yes | Assertion Processing |
| Binding | | | | |
| SAML SOAP Binding | Yes | Yes | Yes | JSP Files |
| Reverse SOAP (PAOS) Binding | Yes | Yes | Yes | Configuring for the ECP Profile |
| HTTP Redirect Binding | Yes | Yes | Yes | JSP Pages for SSO and SLO |
| HTTP POST Binding | Yes | Yes | Yes | JSP Pages for SSO and SLO |
| HTTP Artifact Binding | Yes | Yes | Yes | JSP Pages for SSO and SLO |
| Assertion Signature Algorithms | | | | |
| rsa-sha1 | Yes | Yes | Yes | Supported Standards |
| rsa-sha256 | Yes | Yes | Yes | Supported Standards |
| rsa-sha384 | Yes | Yes | Yes | Supported Standards |
| rsa-sha512 | Yes | Yes | Yes | Supported Standards |
| Assertion Encryption Algorithms | | | | |
| aes128-cbc | Yes | Yes | Yes | Supported Standards |
| aes192-cbc | Yes | Yes | Yes | Supported Standards |
| aes256-cbc | Yes | Yes | Yes | Supported Standards |
| tripledes-cbc | Yes | Yes | Yes | Supported Standards |
| QueryString Signature Algorithms * | | | | |
| rsa-sha1 | Yes | Yes | Yes | Supported Standards |
| rsa-sha256 | Yes | Yes | Yes | Supported Standards |
| rsa-sha384 | Yes | Yes | Yes | Supported Standards |
| rsa-sha512 | Yes | Yes | Yes | Supported Standards |
| dsa-sha1 | Yes | Yes | Yes | Supported Standards |
| ecdsa-sha1 | Yes | Yes | Yes | Supported Standards |
| ecdsa-sha256 | Yes | Yes | Yes | Supported Standards |
| ecdsa-sha384 | Yes | Yes | Yes | Supported Standards |
| ecdsa-sha512 | Yes | Yes | Yes | Supported Standards |

SAML 1.x support (pre-AM 7)

| Profile | AM 7 * | AM 6.x * | AM 5.x | Documentation Reference |
|---|---|---|---|---|
| IdP-initiated SSO Browser Post | -- | Yes | Yes | About SAML v1.x |
| IdP-initiated SSO Browser Artifact | -- | Yes | Yes | About SAML v1.x |
| Non-normative SP-initiated scenario (called “destination-first”) | -- | Yes | Yes | About SAML v1.x |

* SAML 1.x support is deprecated in AM 6.5 and removed in AM 7. 

WS-Federation 1.1 support

| Protocol | AM 7.x | AM 6.x | AM 5.x | Documentation Reference |
|---|---|---|---|---|
| WS-Federation Passive Requestor Profile for SP-initiated SSO | Yes | Yes | Yes | How do I configure AM (All versions) as an Identity Provider for Microsoft Office 365 and Azure using WS-Federation? |
| WS-Federation Active Requestor Profile | Yes | Yes | Yes | |

Web Services Security support

| Specification | Namespace | AM 7.x | AM 6.x | AM 5.x | Documentation Reference |
|---|---|---|---|---|---|
| SOAP 1.1 | Schema for the SOAP/1.1 envelope | Yes | Yes | Yes | Class SAMLConstants |
| SOAP 1.2 | Schema defined in the SOAP Version 1.2 Part 1 specification | Yes | Yes | Yes | Class SAMLConstants |
| WS-Trust 1.4 | WS-Trust 1.4 | Yes | Yes | Yes | Security Token Service Guide |

See Also

FAQ: SAML federation in AM

FAQ: SAML certificate management in AM 5.x and 6.x

How does AM (All versions) use account mapping to identify the end user from a SAML Assertion?

How do I know which binding to use for SAML2 federation in Identity Cloud or AM (All versions)?

How do I configure AM (All versions) to integrate with Microsoft Office 365 using SAML2?

How do I configure AM (All versions) as an Identity Provider for Microsoft Office 365 and Azure using WS-Federation?

FAQ: OAuth 2.0 in Identity Cloud and AM

SAML Federation in AM

OAuth 2.0 in AM

Supported Standards


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.