How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I deactivate the default anonymous user in AM (All versions)?

Last updated Feb 24, 2021

The purpose of this article is to provide information on deactivating the anonymous user in AM. This user exists by default and is used in conjunction with the Anonymous Authentication module. It is safe to deactivate this user if you do not use this module; doing so prevents the account from being used to log in to the top level realm.


Deactivating the anonymous user

Note

Please observe the following when constructing REST calls:

  • Make the REST call to the actual AM server URL (not lb).
  • Change the name of the iPlanetDirectoryPro header to the name of your actual session cookie.
  • Set this session cookie header to the token returned when you authenticated.
  • Ensure the Accept-API-Version header contains valid resource versions.

See How do I avoid common issues with REST calls in AM (All versions)? for further information.

You can deactivate the anonymous user as follows:

  1. Deactivate the anonymous user using either the console, REST or ssoadm:
    • AM 6 and later console: you cannot use the console to deactivate the anonymous user due to a known issue: OPENAM-14199 (anonymous user is missing from console as well as amAdmin).
    • Pre-AM 6 console: navigate to: Realms > Top Level Realm / > Subjects > anonymous > User Status and select the Inactive option.
    • REST:
      1. Authenticate as an admin user. For example (the URL is quoted so that the shell does not treat the & in the query string as a command separator):

         $ curl -X POST -H "X-OpenAM-Username: amadmin" -H "X-OpenAM-Password: cangetinam" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" "http://host1.example.com:8080/openam/json/realms/root/authenticate?authIndexType=service&authIndexValue=adminconsoleservice"

         Example response:

         { "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*", "successUrl": "/openam/console", "realm": "/" }

      2. Deactivate the anonymous user using the following curl command:

         $ curl -X PUT -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -H "Content-Type: application/json" -H "Accept-API-Version: resource=3.0,protocol=1.0" -d '{"inetUserStatus":"Inactive"}' http://host1.example.com:8080/openam/json/users/anonymous

    • ssoadm: enter the following command:

      $ ./ssoadm set-identity-attrs -e / -i anonymous -t User -u [adminID] -f [passwordfile] -a inetUserStatus=Inactive

      replacing [adminID] and [passwordfile] with appropriate values. The following message is returned if the command is successful:

      Attribute values of identity, anonymous of type, User in realm, / was modified.
  2. Restart the web application container in which AM runs.

Checking the anonymous user was successfully deactivated

You can verify that the anonymous user was successfully deactivated using either REST or ssoadm.

REST

Enter the following curl command:

$ curl -X GET -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -H "Content-Type: application/json" http://host1.example.com:8080/openam/json/users/anonymous

Example response showing the Inactive status:

{
  "_id": "anonymous",
  "_rev": "-1300605335",
  "username": "anonymous",
  "realm": "/",
  "sunIdentityMSISDNNumber": [],
  "telephoneNumber": [],
  "iplanet-am-user-alias-list": [],
  "mail": [],
  "roles": [],
  "givenName": ["anonymous"],
  "dn": ["uid=anonymous,ou=people,dc=openam,dc=forgerock,dc=org"],
  "cn": ["anonymous"],
  "employeeNumber": [],
  "postalAddress": [],
  "iplanet-am-user-success-url": [],
  "universalid": ["id=anonymous,ou=user,dc=openam,dc=forgerock,dc=org"],
  "inetUserStatus": ["Inactive"],
  "sn": ["anonymous"],
  "iplanet-am-user-auth-config": ["[Empty]"],
  "iplanet-am-user-failure-url": []
}

ssoadm

Enter the following ssoadm command:

$ ./ssoadm get-identity -e / -i anonymous -t User -u [adminID] -f [passwordfile]

replacing [adminID] and [passwordfile] with appropriate values; observe the result, which should be similar to the following:

sunidentitymsisdnnumber=
mail=
sn=anonymous
givenname=anonymous
telephonenumber=
employeenumber=
postaladdress=
cn=anonymous
iplanet-am-user-success-url=
roles=
iplanet-am-user-failure-url=
inetuserstatus=Inactive
dn=uid=anonymous,ou=people,dc=openam,dc=forgerock,dc=org
iplanet-am-user-alias-list=
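The following shell script is an added example, not a ForgeRock script, that runs the REST procedure from the "Deactivating the anonymous user" section end to end and then performs the REST check described above: it authenticates as the admin, sets inetUserStatus to Inactive, re-reads the user record and only reports success when the record actually says Inactive. AM_URL, AM_ADMIN, AM_PASSWORD and COOKIE_NAME are assumed environment variables (the session cookie name defaults to iPlanetDirectoryPro, as in the article).

```shell
# Added example, not a ForgeRock script. Assumes AM at AM_URL, the admin password in
# AM_PASSWORD (read from the environment, not typed on the command line) and the
# session cookie name in COOKIE_NAME; only the parsing helpers run without a server.
AM_URL="${AM_URL:-http://host1.example.com:8080/openam}"
COOKIE_NAME="${COOKIE_NAME:-iPlanetDirectoryPro}"
AM_ADMIN="${AM_ADMIN:-amadmin}"

# Extract a top-level string field ("key": "value") from AM's JSON without needing jq.
json_field() {  # $1 = JSON text, $2 = key
  printf '%s\n' "$1" | sed -n 's/.*"'"$2"'":[ ]*"\([^"]*\)".*/\1/p' | head -n 1
}
# inetUserStatus is returned as a one-element array: "inetUserStatus":["Inactive"]
user_status() {  # $1 = JSON text of the user record
  printf '%s\n' "$1" | sed -n 's/.*"inetUserStatus":[ ]*\[[ ]*"\([^"]*\)".*/\1/p' | head -n 1
}
# Succeeds only when the record says Inactive; a missing attribute also counts as failure.
is_inactive() { [ "$(user_status "$1")" = "Inactive" ]; }

am_authenticate() {  # prints the admin session token (the tokenId from the response)
  resp=$(curl -s -X POST \
    -H "X-OpenAM-Username: $AM_ADMIN" -H "X-OpenAM-Password: $AM_PASSWORD" \
    -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" \
    "$AM_URL/json/realms/root/authenticate?authIndexType=service&authIndexValue=adminconsoleservice")
  json_field "$resp" tokenId
}
am_set_status() {  # $1 = token, $2 = Active | Inactive
  curl -s -X PUT -H "$COOKIE_NAME: $1" -H "Content-Type: application/json" \
    -H "Accept-API-Version: resource=3.0,protocol=1.0" \
    -d "{\"inetUserStatus\":\"$2\"}" "$AM_URL/json/users/anonymous"
}
am_get_user() {  # $1 = token; prints the anonymous user record
  curl -s -X GET -H "$COOKIE_NAME: $1" -H "Accept-API-Version: resource=3.0,protocol=1.0" \
    "$AM_URL/json/users/anonymous"
}

main() {
  token=$(am_authenticate)
  [ -n "$token" ] || { echo "authentication failed" >&2; exit 1; }
  am_set_status "$token" Inactive >/dev/null
  # Re-read the record rather than trusting the PUT: this is the article's verification step.
  if is_inactive "$(am_get_user "$token")"; then
    echo "anonymous is Inactive; now restart the AM web application container"
  else
    echo "anonymous is NOT Inactive; inspect the PUT response and headers" >&2; exit 1
  fi
}
# Only contact AM when credentials were supplied; otherwise just define the functions.
if [ -n "${AM_PASSWORD:-}" ]; then main; fi
```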

See Also

FAQ: Users in AM

How does AM 5.x and 6.x use anonymous access calls to DS?

Authentication and Single Sign-On Guide › Anonymous Authentication Module

Related Training

N/A

Related Issue Tracker IDs

OPENAM-14199 (anonymous user is missing from console as well as amAdmin)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.