How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I deactivate the default anonymous user in AM (All versions)?

Last updated Apr 19, 2022

The purpose of this article is to provide information on deactivating the anonymous user in AM.


The anonymous user exists by default and is used in conjunction with the Anonymous Authentication module. If you do not use this module, it is safe to deactivate this user; doing so prevents the anonymous user from logging in to the top level realm.

You must have an Identity Store configured in the top level realm before deactivating the anonymous user, otherwise attempts to deactivate the user fail. This Identity Store does not need to be operational, but it must permit edit, update and delete operations. You can remove this store once you have deactivated the user, if required. See OPENAM-19197 (Identity Store is requires in order to disable anonymous user) for further information.


Please observe the following when constructing REST calls:

  • Make the REST call to the actual AM server URL (not the load balancer).
  • Change the name of the iPlanetDirectoryPro header to the name of your actual session cookie.
  • Set this session cookie header to the token returned when you authenticated.
  • Ensure the Accept-API-Version header contains valid resource versions.

See How do I avoid common issues with REST calls in AM (All versions)? for further information.

Deactivating the anonymous user

You can deactivate the anonymous user as follows:

  1. Deactivate the anonymous user using either the console, REST or ssoadm:
    • AM 6 and later console: you cannot use the console to deactivate the anonymous user due to a known issue: OPENAM-14199 (anonymous user is missing from console as well as amAdmin).
    • Pre-AM 6 console: navigate to: Realms > Top Level Realm / > Subjects > anonymous > User Status and select the Inactive option.
    • REST:
      1. Authenticate as an admin user. For example:

         $ curl -X POST -H "X-OpenAM-Username: amadmin" -H "X-OpenAM-Password: cangetinam" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1"

         Example response:

         { "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*", "successUrl": "/openam/console", "realm": "/" }

      2. Deactivate the anonymous user using the following curl command:

         $ curl -X PUT -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -H "Content-Type: application/json" -H "Accept-API-Version: resource=3.0,protocol=1.0" -d '{"inetUserStatus":"Inactive"}'

    • ssoadm: enter the following command, replacing [adminID] and [passwordfile] with appropriate values:

      $ ./ssoadm set-identity-attrs -e / -i anonymous -t User -u [adminID] -f [passwordfile] -a inetUserStatus=Inactive

      The following message is returned if the command is successful:

      Attribute values of identity, anonymous of type, User in realm, / was modified.
  2. Restart the web application container in which AM runs.
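The REST variant of this procedure, as an added example that is not part of the ForgeRock article: one POSIX shell script that authenticates as the admin, sets inetUserStatus to Inactive on the anonymous user, then reads the user back and fails unless the status really is Inactive. The AM base URL, the session cookie name, the admin credentials and the realm-qualified endpoint paths (/json/realms/root/authenticate and /json/realms/root/users/anonymous) are assumptions for illustration; substitute the values for your deployment.

```shell
#!/bin/sh
# Added example, not from the ForgeRock article: deactivate the AM anonymous
# user over REST and verify the result. Every deployment value below is an
# assumption; override it via the environment.
set -eu

AM_URL="${AM_URL:-https://am.example.com:8443/am}"   # actual AM server, not the load balancer
AM_COOKIE="${AM_COOKIE:-iPlanetDirectoryPro}"         # name of your session cookie
AM_ADMIN="${AM_ADMIN:-amadmin}"
AM_ADMIN_PASSWORD="${AM_ADMIN_PASSWORD:-cangetinam}"
# Assumed AM 6+ realm-qualified endpoints; adjust the paths for older releases.
AUTH_URL="${AM_URL}/json/realms/root/authenticate"
USER_URL="${AM_URL}/json/realms/root/users/anonymous"

# Extract "tokenId" from an authenticate response body with sed only (no jq
# dependency). Prints nothing when the key is absent, e.g. on a 401 body.
extract_token() {
    printf '%s' "$1" | sed -n 's/.*"tokenId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Extract the first inetUserStatus value (AM returns it as a one-element array).
extract_user_status() {
    printf '%s' "$1" | sed -n 's/.*"inetUserStatus"[[:space:]]*:[[:space:]]*\[[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Step 1: authenticate as the admin; print the SSO token on stdout.
am_login() {
    body=$(curl -sS --fail -X POST \
        -H "X-OpenAM-Username: ${AM_ADMIN}" \
        -H "X-OpenAM-Password: ${AM_ADMIN_PASSWORD}" \
        -H "Content-Type: application/json" \
        -H "Accept-API-Version: resource=2.1" \
        "${AUTH_URL}")
    token=$(extract_token "$body")
    [ -n "$token" ] || { echo "login failed: no tokenId in response" >&2; return 1; }
    printf '%s' "$token"
}

# Step 2: set inetUserStatus=Inactive on the anonymous user. $1 is the token.
deactivate_anonymous() {
    curl -sS --fail -X PUT \
        -H "${AM_COOKIE}: $1" \
        -H "Content-Type: application/json" \
        -H "Accept-API-Version: resource=3.0,protocol=1.0" \
        -d '{"inetUserStatus":"Inactive"}' \
        "${USER_URL}" >/dev/null
}

# Step 3: read the user back; return non-zero unless it is now Inactive.
verify_anonymous_inactive() {
    body=$(curl -sS --fail -X GET \
        -H "${AM_COOKIE}: $1" \
        -H "Content-Type: application/json" \
        -H "Accept-API-Version: resource=3.0,protocol=1.0" \
        "${USER_URL}")
    status=$(extract_user_status "$body")
    [ "$status" = "Inactive" ] || { echo "anonymous user is '${status:-unknown}', not Inactive" >&2; return 1; }
    echo "anonymous user is Inactive"
}

# Contact the server only when AM_RUN=1, so the functions above can be
# sourced or exercised offline without touching a live deployment.
if [ "${AM_RUN:-0}" = "1" ]; then
    token=$(am_login)
    deactivate_anonymous "$token"
    verify_anonymous_inactive "$token"
    echo "done: now restart the web application container in which AM runs"
fi
```

Run it as `AM_RUN=1 AM_URL=https://your-am-host:8443/am AM_COOKIE=yourCookieName AM_ADMIN_PASSWORD='...' sh deactivate-anonymous.sh`. The script stops at the first failing step because of `set -e` and `curl --fail`, and the final read-back is the check the article describes under "Checking the anonymous user was successfully deactivated", performed before you restart the container.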

Checking the anonymous user was successfully deactivated

You can verify that the anonymous user was successfully deactivated using either REST or ssoadm.

  • REST

Enter the following curl command:

$ curl -X GET -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -H "Content-Type: application/json"

Example response showing the Inactive status:

{
  "_id": "anonymous",
  "_rev": "-1300605335",
  "username": "anonymous",
  "realm": "/",
  "sunIdentityMSISDNNumber": [],
  "telephoneNumber": [],
  "iplanet-am-user-alias-list": [],
  "mail": [],
  "roles": [],
  "givenName": ["anonymous"],
  "dn": ["uid=anonymous,ou=people,dc=openam,dc=forgerock,dc=org"],
  "cn": ["anonymous"],
  "employeeNumber": [],
  "postalAddress": [],
  "iplanet-am-user-success-url": [],
  "universalid": ["id=anonymous,ou=user,dc=openam,dc=forgerock,dc=org"],
  "inetUserStatus": ["Inactive"],
  "sn": ["anonymous"],
  "iplanet-am-user-auth-config": ["[Empty]"],
  "iplanet-am-user-failure-url": []
}

  • ssoadm

Enter the following ssoadm command, replacing [adminID] and [passwordfile] with appropriate values:

$ ./ssoadm get-identity -e / -i anonymous -t User -u [adminID] -f [passwordfile]

Example response showing the Inactive status:

sunidentitymsisdnnumber=
mail=
sn=anonymous
givenname=anonymous
telephonenumber=
employeenumber=
postaladdress=
cn=anonymous
iplanet-am-user-success-url=
roles=
iplanet-am-user-failure-url=
inetuserstatus=Inactive
dn=uid=anonymous,ou=people,dc=openam,dc=forgerock,dc=org
iplanet-am-user-alias-list=

See Also

FAQ: Users in AM

How does AM 5.x and 6.x use anonymous access calls to DS?

Anonymous Authentication Module

Related Issue Tracker IDs

OPENAM-19197 (Identity Store is requires in order to disable anonymous user)

OPENAM-14199 (anonymous user is missing from console as well as amAdmin)

Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.