How To

How do I use the WDSSO module to authenticate via REST in OpenAM 13.x?

Last updated Jun 3, 2021

The purpose of this article is to provide information on using the Windows Desktop Single-Sign On (WDSSO) module to authenticate via the REST API in OpenAM.

2 readers recommend this article

This article has been archived and is no longer maintained by ForgeRock.

Background information

In AM 5 and later, you should include an Authorization header that contains the string Basic , followed by a base64-encoded string of the username, a colon character and the password. See Development Guide › Windows Desktop SSO Requirements for further information.

OpenAM 13.x

The WDSSO authentication module uses Kerberos authentication. The user presents a Kerberos token to OpenAM through the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol.

In order to authenticate via the REST API, the REST client needs to have access to the Kerberos side of things. For example, you can use curl because it has support for SPNEGO and Kerberos (as of version 7.10.6), but Postman currently does not.

You can check that your version of curl does support SPNEGO and Kerberos using the -V option as follows:

$ curl -V curl 7.54.0 (x86_64-apple-darwin16.0) libcurl/7.54.0 SecureTransport zlib/1.2.8 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets

Using the WDSSO module to authenticate via REST

To authenticate using the WDSSO module, you need to include the following options:

  • -u - this is a fake user option needed to activate the authentication code.
  • --negotiate - this enables the Negotiate (SPNEGO) authentication.

For example, you can authenticate with a command such as the following:$ curl -X POST -u : --negotiate -H "Accept-API-Version: resource=2.1" ""

Example response: { "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*", "successUrl": "/openam/console"}

See Also

How do I troubleshoot Kerberos and WDSSO issues in AM (All versions)?


Using the REST API in AM

Configuring and troubleshooting Kerberos and WDSSO in AM

Postman: New feature: Support API endpoints protected by kerberos

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.