How do I use the WDSSO module to authenticate via REST in OpenAM 13.x?

Background information

In AM 5 and later, you should include an Authorization header that contains the string Basic , followed by a base64-encoded string of the username, a colon character and the password. See Development Guide › Windows Desktop SSO Requirements for further information.

OpenAM 13.x

The WDSSO authentication module uses Kerberos authentication. The user presents a Kerberos token to OpenAM through the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol.

In order to authenticate via the REST API, the REST client needs to have access to the Kerberos side of things. For example, you can use curl because it has support for SPNEGO and Kerberos (as of version 7.10.6), but Postman currently does not.

You can check that your version of curl does support SPNEGO and Kerberos using the -V option as follows:

Using the WDSSO module to authenticate via REST

To authenticate using the WDSSO module, you need to include the following options:

• -u - this is a fake user option needed to activate the authentication code.
• --negotiate - this enables the Negotiate (SPNEGO) authentication.

For example, you can authenticate with a command such as the following:$ curl -X POST -u : --negotiate -H "Accept-API-Version: resource=2.1" "http://host1.example.com:8080/openam/json/realms/root/authenticate?service=winsso&authIndexType=service&authIndexValue=winsso"

Example response: { "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*", "successUrl": "/openam/console"}

See Also

How do I troubleshoot Kerberos and WDSSO issues in AM (All versions)?

FAQ: REST API in AM

Using the REST API in AM

Configuring and troubleshooting Kerberos and WDSSO in AM

Postman: New feature: Support API endpoints protected by kerberos

Related Training

N/A

Related Issue Tracker IDs

N/A