The status of the Distributed Authentication Service (DAS) in OpenAM 13
The purpose of this article is to provide clarification on the status of DAS in OpenAM 13.
Archived
This article has been archived and is no longer maintained by ForgeRock.
What is the status of DAS in OpenAM 13?
Key points
- OpenAM DAS provided a login interface, which was deployed within network demilitarized zones to limit OpenAM's exposure to the Internet.
- DAS has been removed from the product bundle as of OpenAM 13; see OpenAM Release Notes › Removed Functionality.
Rationale
- The background behind this decision is that reverse proxies are the modern way to provide access to a service such as OpenAM.
- The current interface to OpenAM operates via REST calls, which can function through a reverse proxy.
- The architecture of DAS is generally inconsistent with modern reverse proxy scenarios.
What does this mean for my OpenAM deployment?
New deployment
A reverse proxy can be used as a replacement for DAS. More information about this concept can be found in the Deployment Planning Guide › Example Deployment Topology › Reverse Proxies.
ForgeRock offers the Identity Gateway product, which can suit this requirement as it can act as an intelligent reverse proxy server between clients and the OpenAM Service. Please refer to the following documentation to learn more about implementing, installing and configuring OpenIG:
- OpenAM 13 Release Notes › What's New in OpenAM 13 › OpenIG as a Replacement for DAS
- Deployment Planning Guide › Example Deployment Topology › OpenIG
- Gateway Guide
Existing deployment
If DAS is already in use with an OpenAM 12 installation, the existing DAS deployment can continue to be used when the OpenAM server itself is upgraded to the 13.x release.
Known Issues
DAS 12.0.4 will not work with OpenAM 13.x due to changes made in OPENAM-9567 (The HttpServletRequest from the DAS can be null at the authentication module level), but DAS 12.0.3 will work with OpenAM 13.
There is a known issue, OPENAM-8551 (J2EE Agent logs 'The user does not have permission to perform the operation' errors during bootstrap), which prevents DAS 12.0.3 from working with OpenAM 13.5.
Note
The DAS component is covered by the EOSL policy for the version of OpenAM that it originally shipped with.