How do I correctly configure the OPENAM_SESSION authentication module in OpenIDM 4.5?

Last updated Jan 5, 2021

The purpose of this article is to provide assistance with setting up the OPENAM_SESSION authentication module in OpenIDM 4.5 for integration with OpenAM. You can still use this authentication module in IDM 5.x in certain circumstances (in which case the advice in this article applies), but typically you should use the OAUTH_CLIENT module (IDM 5.5) or the OPENID_CONNECT module (IDM 5) instead. The OPENAM_SESSION authentication module is deprecated as of IDM 5.5.


1 reader recommends this article

Archived

This article has been archived and is no longer maintained by ForgeRock.

Changes in IDM 5.x

IDM 5.5

Changes were made in IDM 5.5 to introduce a new OAUTH_CLIENT module (which replaces the OPENID_CONNECT module introduced in IDM 5) and to deprecate the OPENAM_SESSION module.

See the following documentation links for further information in IDM 5.5:

IDM 5

Changes were made in IDM 5 to introduce a new OPENID_CONNECT module and to remove the OPENAM_SESSION module integration from the UI login. This means you should only use the OPENAM_SESSION module in situations where the client application has already authenticated to OpenAM in a separate workflow; otherwise you should use the new OPENID_CONNECT module.

See the following documentation links for further information in IDM 5:

Configuring the OPENAM_SESSION authentication module

OpenIDM does not manage sessions (that is, it has no concept of destroying or invalidating sessions in the same way that OpenAM does). Because OpenIDM cannot revoke its own JWT session when the corresponding OpenAM session ends, the JWT session is kept very short-lived so that OpenAM remains the effective authority on whether a user is still logged in.

There are three key requirements when configuring the OPENAM_SESSION authentication module to ensure it behaves as expected:

  • Set the JWT_SESSION module timeouts to 5 seconds.
  • Set the OPENAM_SESSION module to exclusively use OpenAM login.
  • Ensure there is a user in your OpenAM identity repository that has the openidm-admin role. 

Configuring the OPENAM_SESSION authentication module

You should configure the OPENAM_SESSION module per the Samples documentation: Configuring OpenIDM for the Full Stack Sample and then ensure you follow these steps:

  1. Edit the authentication.json file (located in the /path/to/idm/conf directory) and set the following timeout properties to 5 seconds for the JWT_SESSION module:

         "maxTokenLifeSeconds" : "5",
         "tokenIdleTimeSeconds" : "5",

     For example, the configuration for this module would now look similar to this:

         "sessionModule" : {
             "name" : "JWT_SESSION",
             "properties" : {
                 "keyAlias" : "openidm-localhost",
                 "privateKeyPassword" : "&{openidm.keystore.password}",
                 "keystoreType" : "&{openidm.keystore.type}",
                 "keystoreFile" : "&{openidm.keystore.location}",
                 "keystorePassword" : "&{openidm.keystore.password}",
                 "maxTokenLifeSeconds" : "5",
                 "tokenIdleTimeSeconds" : "5",
                 "sessionOnly" : true
             }
         }

  2. Edit the ui-configuration.json file (located in the /path/to/idm/conf directory) and set the following property to true:

         "openamUseExclusively" : true,

     For example, the configuration relating to the OPENAM_SESSION module would now look similar to this:

         "defaultNotificationType" : "info",
         "openamLoginUrl" : "http://host1.example.com:8080/openam/XUI/#login/",
         "openamUseExclusively" : true,
         "openamAuthEnabled" : true,
         "openamLoginLinkText" : "Login with AM"
  3. Ensure there is a user in your OpenAM identity repository that has the openidm-admin role. The users in the OpenAM identity repository (typically OpenDJ) should be in sync with the users in the OpenIDM repository (the way this is reconciled will depend on which repository holds the master data in your deployment). You should ensure that one user in your OpenIDM repository has been assigned the openidm-admin role. You can either assign this role via the admin UI or REST as detailed in OpenIDM Integrator's Guide › Managing Users, Groups, Roles and Relationships › Granting a Role to a User.
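The following script is an added example, not part of this article and not ForgeRock code. It checks the two file-level requirements from steps 1 and 2 against authentication.json and ui-configuration.json: that the JWT_SESSION module's maxTokenLifeSeconds and tokenIdleTimeSeconds are no more than 5 seconds, that openamUseExclusively and openamAuthEnabled are boolean true, and that openamLoginUrl is set. The embedded JSON samples are constructed for illustration, and the "serverAuthContext" and "configuration" wrapper keys in them are assumptions about the files' layout; the checker walks the parsed JSON so it does not depend on those wrappers. The third requirement (a user holding the openidm-admin role) lives in the repository, not in these files, and is not checked here.

```python
import json
import sys

# Constructed samples, not copied from any deployment. The wrapper keys
# ("serverAuthContext", "configuration") are assumptions; the checks below do not rely on them.
AUTHENTICATION_JSON_BEFORE = """
{ "serverAuthContext" : {
    "sessionModule" : { "name" : "JWT_SESSION", "properties" : {
        "keyAlias" : "openidm-localhost",
        "maxTokenLifeSeconds" : "120", "tokenIdleTimeSeconds" : "30",
        "sessionOnly" : true } },
    "authModules" : [ { "name" : "OPENAM_SESSION" } ] } }
"""
AUTHENTICATION_JSON_AFTER = AUTHENTICATION_JSON_BEFORE.replace('"120"', '"5"').replace('"30"', '"5"')

UI_CONFIGURATION_JSON_BEFORE = """
{ "configuration" : {
    "defaultNotificationType" : "info",
    "openamLoginUrl" : "http://host1.example.com:8080/openam/XUI/#login/",
    "openamUseExclusively" : false,
    "openamAuthEnabled" : true,
    "openamLoginLinkText" : "Login with AM" } }
"""
UI_CONFIGURATION_JSON_AFTER = UI_CONFIGURATION_JSON_BEFORE.replace(
    '"openamUseExclusively" : false', '"openamUseExclusively" : true')


def walk(node):
    """Depth-first traversal yielding every dict and list in a parsed JSON tree."""
    if isinstance(node, dict):
        yield node
        for child in node.values():
            yield from walk(child)
    elif isinstance(node, list):
        yield node
        for child in node:
            yield from walk(child)


def find_module(conf, name):
    """Return the first object whose "name" equals the given module name, or None."""
    for node in walk(conf):
        if isinstance(node, dict) and node.get("name") == name:
            return node
    return None


def find_first_value(conf, key):
    """Return the value of the first object carrying `key` anywhere in the tree, or None."""
    for node in walk(conf):
        if isinstance(node, dict) and key in node:
            return node[key]
    return None


def check_openam_session_config(auth_json_text, ui_json_text, max_seconds=5):
    """Return a list of problems; an empty list means the file-level requirements are met."""
    problems = []
    auth = json.loads(auth_json_text)
    ui = json.loads(ui_json_text)

    if find_module(auth, "OPENAM_SESSION") is None:
        problems.append("authentication.json: no OPENAM_SESSION auth module found")

    session = find_module(auth, "JWT_SESSION")
    if session is None:
        problems.append("authentication.json: no JWT_SESSION session module found")
    else:
        props = session.get("properties", {})
        for key in ("maxTokenLifeSeconds", "tokenIdleTimeSeconds"):
            raw = props.get(key)
            try:
                value = int(raw)  # the article shows these as strings ("5"); accept int or str
            except (TypeError, ValueError):
                problems.append(f"authentication.json: {key} missing or not numeric (got {raw!r})")
                continue
            if value > max_seconds:
                problems.append(f"authentication.json: {key} is {value}, expected at most {max_seconds}")

    for key in ("openamUseExclusively", "openamAuthEnabled"):
        actual = find_first_value(ui, key)
        if actual is not True:  # must be the JSON boolean true, not the string "true"
            problems.append(f"ui-configuration.json: {key} should be true, got {actual!r}")
    if not find_first_value(ui, "openamLoginUrl"):
        problems.append("ui-configuration.json: openamLoginUrl is not set")
    return problems


def check_files(auth_path, ui_path):
    """Run the same checks against real files, e.g. /path/to/idm/conf/*.json."""
    with open(auth_path, encoding="utf-8") as fa, open(ui_path, encoding="utf-8") as fu:
        return check_openam_session_config(fa.read(), fu.read())


if __name__ == "__main__":
    if len(sys.argv) == 3:
        found = check_files(sys.argv[1], sys.argv[2])
    else:
        found = check_openam_session_config(AUTHENTICATION_JSON_BEFORE, UI_CONFIGURATION_JSON_BEFORE)
    print("\n".join(found) if found else "OPENAM_SESSION prerequisites satisfied")
```

Run it with the two file paths as arguments to check a real conf directory; with no arguments it reports the three problems present in the constructed "before" samples, and the "after" samples pass cleanly.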

See Also

How do I invoke the OpenIDM 4.x REST API when OpenIDM is protected by OpenAM?

OpenIDM Integrator's Guide › Managing Authentication, Authorization and Role-Based Access Control › Supported Authentication Modules

OpenIDM Integrator's Guide › Authentication and Session Module Configuration Details

OpenIDM Samples Guide › Full Stack Sample - Using OpenIDM in the ForgeRock Identity Platform › Configuring OpenIDM for the Full Stack Sample

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.