How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I update Authentication modules in an authentication chain in AM (All versions) using ssoadm?

Last updated May 10, 2022

The purpose of this article is to provide information on updating Authentication modules in an authentication chain in AM using ssoadm. This also includes removing existing Authentication modules. This article assumes the authentication chain already exists.



Updating the authentication chain

You can update the Authentication modules in an existing authentication chain using the following ssoadm command:

$ ./ssoadm update-auth-cfg-entr -u [adminID] -f [passwordfile] -e [realmname] -m [authchain] -a "[module1|criteria|options]" "[module2|criteria|options]"

replacing [adminID], [passwordfile], [realmname], [authchain] and "[module|criteria|options]" with appropriate values. Include one "[module|criteria|options]" argument for each module you want in the chain, in the order the modules should be evaluated, where:

  • module is the module name, for example, LDAP.
  • criteria is REQUIRED, OPTIONAL, SUFFICIENT or REQUISITE.
  • options are any additional option=value pairs you want to set on the module. This part is optional; separate multiple option=value pairs with a space.

Alternatively, you can use a data file to specify these values using the ssoadm -D option instead of -a.

Note

The update-auth-cfg-entr command overwrites the Authentication modules included in the chain with the ones specified. Therefore you must always specify all the modules you want included. For example, if you already have two modules in a chain and want to add a new one, you must specify all three. Similarly, if you already have three modules in a chain and want to remove one, you must specify the two remaining ones.
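Because update-auth-cfg-entr replaces the whole chain with whatever you pass, a malformed entry or a forgotten module changes which authentication steps are enforced for everyone in that realm. The following POSIX shell script is an added example (not part of this article or of ssoadm) that checks each "module|criteria|options" entry against the rules above and only then writes the entries, one per line, to a data file for the -D option; the function names and the temporary file path are the example's own choices.

```shell
#!/bin/sh
# Added example: validate ssoadm "module|criteria|options" entries and write a -D data file.
# Assumptions (not from the article): function names are hypothetical; the data file format
# is one "module|criteria|options" entry per line, as the article's data-file example shows.

# Return 0 if a single entry is well-formed, 1 otherwise.
# Checks: module name present, criteria is one of the four valid flags,
# and every option token (if any) has the form key=value.
validate_module_spec() {
  spec=$1
  module=${spec%%|*}
  rest=${spec#*|}
  # no '|' at all means the criteria is missing
  [ "$rest" != "$spec" ] || return 1
  criteria=${rest%%|*}
  options=""
  [ "$rest" = "$criteria" ] || options=${rest#*|}
  [ -n "$module" ] || return 1
  case $criteria in
    REQUIRED|OPTIONAL|SUFFICIENT|REQUISITE) ;;
    *) return 1 ;;
  esac
  for opt in $options; do
    case $opt in
      *=*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Write the entries to the data file named by $1, one per line.
# Refuses to write anything if the list is empty (which would empty the chain)
# or if any entry fails validation, so a typo never reaches ssoadm.
write_auth_cfg_datafile() {
  out=$1
  shift
  [ $# -gt 0 ] || { echo "refusing to write an empty chain" >&2; return 1; }
  for s in "$@"; do
    validate_module_spec "$s" || { echo "invalid module spec: $s" >&2; return 1; }
  done
  : > "$out"
  for s in "$@"; do
    printf '%s\n' "$s" >> "$out"
  done
}

# Stand-alone demonstration using the article's own entries and a temporary file.
demo_file=$(mktemp)
write_auth_cfg_datafile "$demo_file" \
  "DataStore|REQUIRED|iplanet-am-auth-store-shared-state-enabled=true" \
  "LDAP|REQUIRED|iplanet-am-auth-shared-state-enabled=true iplanet-am-auth-shared-state-behavior-pattern=useFirstPass" \
  && cat "$demo_file"
rm -f "$demo_file"
```

Once the data file is written, run `./ssoadm update-auth-cfg-entr ... -m testChain -D DATA_FILE` as in the examples below; the validation step is worth keeping in any scripted chain update, since ssoadm itself will happily apply whatever list it receives.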

Examples (AM 7 and later)

Add a module

To add a second module (LDAP) to the testChain that already includes the DataStore module (no options):

$ ./ssoadm update-auth-cfg-entr -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -e / -m testChain -a "DataStore|REQUIRED" "LDAP|SUFFICIENT"

Update modules

To update these modules in the testChain to share credentials by adding options and to make the LDAP module REQUIRED:

$ ./ssoadm update-auth-cfg-entr -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -e / -m testChain -a "DataStore|REQUIRED|iplanet-am-auth-store-shared-state-enabled=true" "LDAP|REQUIRED|iplanet-am-auth-shared-state-enabled=true iplanet-am-auth-shared-state-behavior-pattern=useFirstPass"

Remove a module

To remove the LDAP module (and the shared credential options) from the testChain:

$ ./ssoadm update-auth-cfg-entr -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -e / -m testChain -a "DataStore|REQUIRED"

Using a data file

To add two new modules (LDAP and HOTP) to the testChain that replace the DataStore module (no options):

  1. Create a data file (called DATA_FILE to match the next command) with the following contents, one entry per line:

     LDAP|REQUIRED
     HOTP|REQUIRED

  2. Run the following command:

     $ ./ssoadm update-auth-cfg-entr -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -e / -m testChain -D DATA_FILE

Examples (Pre-AM 7)

Add a module

To add a second module (LDAP) to the testChain that already includes the DataStore module (no options):

$ ./ssoadm update-auth-cfg-entr -u amadmin -f pwd.txt -e / -m testChain -a "DataStore|REQUIRED" "LDAP|SUFFICIENT"

Update modules

To update these modules in the testChain to share credentials by adding options and to make the LDAP module REQUIRED:

$ ./ssoadm update-auth-cfg-entr -u amadmin -f pwd.txt -e / -m testChain -a "DataStore|REQUIRED|iplanet-am-auth-store-shared-state-enabled=true" "LDAP|REQUIRED|iplanet-am-auth-shared-state-enabled=true iplanet-am-auth-shared-state-behavior-pattern=useFirstPass"

Remove a module

To remove the LDAP module (and the shared credential options) from the testChain:

$ ./ssoadm update-auth-cfg-entr -u amadmin -f pwd.txt -e / -m testChain -a "DataStore|REQUIRED"

Using a data file

To add two new modules (LDAP and HOTP) to the testChain that replace the DataStore module (no options):

  1. Create a data file (called DATA_FILE to match the next command) with the following contents, one entry per line:

     LDAP|REQUIRED
     HOTP|REQUIRED

  2. Run the following command:

     $ ./ssoadm update-auth-cfg-entr -u amadmin -f pwd.txt -e / -m testChain -D DATA_FILE

See Also

FAQ: Installing and using ssoadm in AM

Configuring Authentication Chains

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.