Under Configuration > Global you can set defaults for a range of federation services, for password reset, for policy configuration, for session management, and for dynamic user attributes.
Common Federation Configuration
ssoadm service name:
sunFAMFederationCommon
Used by the Federation system to access user profile attributes
ssoadm attribute:
DatastoreClass
Used by the Federation system to access service configuration
ssoadm attribute:
ConfigurationClass
Used by the Federation system to record log messages
ssoadm attribute:
LoggerClass
Used by the Federation system to access the session service
ssoadm attribute:
SessionProviderClass
Maximum number of bytes for Federation communications
ssoadm attribute:
MaxContentLength
Used by the Federation system to decode passwords encoded by OpenAM
ssoadm attribute:
PasswordDecoderClass
Used by the Federation system to digitally sign SAML documents
ssoadm attribute:
SignatureProviderClass
Used by the Federation system to access the Java key store
ssoadm attribute:
KeyProviderClass
If enabled, OpenAM checks that the partner's signing certificate presented in the XML matches the certificate from the partner's metadata
ssoadm attribute:
CheckCert
Algorithm used to render the canonical versions of XML documents
ssoadm attribute:
CannonicalizationAlgorithm
Algorithm used to sign XML documents
ssoadm attribute:
SignatureAlgorithm
Algorithm used for XML transformations
ssoadm attribute:
TransformationAlgorithm
OpenAM redirects users here when an error occurs in the SAML2 engine. Users are redirected to absolute URLs, whereas relative URLs are displayed within the request.
ssoadm attribute:
SAMLErrorPageURL
Set this either to HTTP-Redirect or to HTTP-POST.
ssoadm attribute:
SAMLErrorPageHTTPBinding
Used by the Federation system to access the monitoring system
ssoadm attribute:
MonAgentClass
Used by the SAMLv1 engine to access the monitoring system
ssoadm attribute:
MonSAML1Class
Used by the SAML2 engine to access the monitoring system
ssoadm attribute:
MonSAML2Class
Used by the ID-FF engine to access the monitoring system
ssoadm attribute:
MonIDFFClass
Dashboard Configuration
ssoadm service name:
dashboardService
Identifies how to access the application, for example SAML2ApplicationClass for a SAML 2.0 application
ssoadm attribute:
dashboardClassName
The application name as it will appear to the administrator for configuring the dashboard
ssoadm attribute:
dashboardName
The application name that displays on the dashboard client
ssoadm attribute:
dashboardDisplayName
The icon name that will be displayed on the dashboard client identifying the application
ssoadm attribute:
dashboardIcon
The URL that takes the user to the application
ssoadm attribute:
dashboardLogin
List of application dashboard names available by default for realms with the Dashboard configured
ssoadm attribute:
assignedDashboard
Email Service
ssoadm service name:
ForgeRockSendEmailService
Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.
Default: org.forgerock.openam.services.email.MailServerImpl
ssoadm attribute:
forgerockMailServerImplClassName
Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.
Default: smtp.gmail.com
ssoadm attribute:
forgerockEmailServiceSMTPHostName
Specifies the port number for the SMTP mail server.
Default: 465
ssoadm attribute:
forgerockEmailServiceSMTPHostPort
Specifies the user name for the SMTP mail server.
Default: forgerocksmtp
ssoadm attribute:
forgerockEmailServiceSMTPUserName
Specifies the password for the SMTP user name.
ssoadm attribute:
forgerockEmailServiceSMTPUserPassword
Specifies whether to connect to the SMTP mail server using SSL.
Default: use SSL (true)
ssoadm attribute:
forgerockEmailServiceSMTPSSLEnabled
Specifies the address from which to send email notifications.
Default: no-reply@openam.org
ssoadm attribute:
forgerockEmailServiceSMTPFromAddress
Specifies the profile attribute from which to retrieve the end user's email address.
Default: mail
ssoadm attribute:
openamEmailAttribute
Specifies a subject for notification messages. If you do not set this, OpenAM does not set the subject for notification messages.
ssoadm attribute:
forgerockEmailServiceSMTPSubject
Specifies content for notification messages. If you do not set this, OpenAM includes only the confirmation URL in the mail body.
ssoadm attribute:
forgerockEmailServiceSMTPMessage
Liberty ID-FF Service Configuration
ssoadm service name:
sunFAMIDFFConfiguration
Cookie name for Liberty ID-FF
ssoadm attribute:
FedCookieName
Used by the ID-FF engine to find the IDP proxy
ssoadm attribute:
IDPProxyFinderClass
Seconds between times OpenAM cleans up the request cache
ssoadm attribute:
RequestCacheCleanupInterval
Seconds cached requests remain valid
ssoadm attribute:
RequestCacheTimeout
Login URL for the ID-FF IDP
ssoadm attribute:
IDPLoginURL
If yes, require XML signing.
ssoadm attribute:
XMLSigningOn
Liberty Interaction Service
ssoadm service name:
sunFAMLibertyInteractionService
ssoadm attribute:
WSPWillRedirect
ssoadm attribute:
WSPWillRedirectForData
ssoadm attribute:
WSPRedirectTime
ssoadm attribute:
WSPWillEnforceHttpsCheck
ssoadm attribute:
WSPWillEnforceReturnToHostEqualsRequestHost
ssoadm attribute:
HTMLStyleSheetLocation
ssoadm attribute:
WMLStyleSheetLocation
ssoadm attribute:
WSPRedirectHandlerURL
ssoadm attribute:
LBWSPRedirectHandler
ssoadm attribute:
TrustedWspRedirectHandlers
ssoadm attribute:
InteractionConfigClass
ssoadm attribute:
WSCSpecifiedInteractionChoice
ssoadm attribute:
WSCWillIncludeUserInteractionHeader
ssoadm attribute:
WSCWillRedirect
ssoadm attribute:
WSCSpecifiedMaxInteractionTime
ssoadm attribute:
WSCWillEnforceHttpsCheck
Multi-Federation Protocol
ssoadm service name:
sunMultiFederationProtocol
List of logout handlers used for each different federation protocol
ssoadm attribute:
SingleLogoutHandlerList
OAuth2 Provider Configuration
ssoadm service name:
OAuth2Provider
Lifetime of OAuth 2.0 authorization code in seconds.
ssoadm attribute:
forgerock-oauth2-provider-authorization-code-lifetime
Lifetime of OAuth 2.0 refresh token in seconds.
ssoadm attribute:
forgerock-oauth2-provider-refresh-token-lifetime
Lifetime of OAuth 2.0 access token in seconds.
ssoadm attribute:
forgerock-oauth2-provider-access-token-lifetime
Whether to issue a refresh token when returning an access token.
ssoadm attribute:
forgerock-oauth2-provider-issue-refresh-token
Whether to issue a refresh token when refreshing an access token.
ssoadm attribute:
forgerock-oauth2-provider-issue-refresh-token-on-refreshing-token
Name of class on OpenAM classpath implementing scopes.
ssoadm attribute:
forgerock-oauth2-provider-scope-implementation-class
List of plugins that handle the valid response_type values. OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization end point (/oauth2/authorize) to indicate which grant type is requested from the provider. For example, the client passes code when requesting an authorization code, and token when requesting an access token.
Values in this list take the form response-type|plugin-class-name.
Defaults: code|org.forgerock.restlet.ext.oauth2.flow.responseTypes.CodeResponseType, id_token|org.forgerock.restlet.ext.oauth2.flow.responseTypes, token|org.forgerock.restlet.ext.oauth2.flow.responseTypes.TokenResponseType
ssoadm attribute:
forgerock-oauth2-provider-response-type-map-class
Names of profile attributes that resource owners use to log in. The default is uid, and you can add others such as mail.
ssoadm attribute:
forgerock-oauth2-provider-authentication-attributes
Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions. When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.
ssoadm attribute:
forgerock-oauth2-provider-saved-consent-attribute
The URL where the OpenID Connect provider's JSON Web Key can be retrieved.
ssoadm attribute:
forgerock-oauth2-provider-jkws-uri
Algorithms supported to sign OpenID Connect id_tokens.
ssoadm attribute:
forgerock-oauth2-provider-id-token-signing-algorithms-supported
List of claims supported by the OpenID Connect /oauth2/userinfo endpoint.
ssoadm attribute:
forgerock-oauth2-provider-supported-claims
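As an added example, not part of the OpenAM documentation or the product, the POSIX shell script below checks that the three OAuth 2.0 lifetimes above are positive and ordered sensibly (authorization code shorter than access token, access token shorter than refresh token), validates entries in the response-type|plugin-class-name format described above, and builds the ssoadm set-attr-defs command that sets the lifetime attributes as defaults. The service and attribute names are the ones listed on this page; the password file path and the schema type passed to --schematype are assumptions to adjust for your deployment. Run against the page's printed defaults, the check flags the id_token entry, which as printed names only a package and no class.

```shell
#!/bin/sh
# Added example (not from the OpenAM documentation): sanity-check OAuth2
# Provider lifetimes and response-type map entries, then build the ssoadm
# command that sets the lifetimes as defaults.
# Assumptions: ssoadm is on PATH, the amadmin password is in $PWFILE, and
# SCHEMA_TYPE names the schema holding the OAuth2Provider attributes in
# your OpenAM version (adjust if set-attr-defs reports an unknown attribute).
set -eu

PWFILE="${PWFILE:-/tmp/pwd.txt}"           # assumption: amadmin password file
SCHEMA_TYPE="${SCHEMA_TYPE:-organization}" # assumption: realm-default schema

# Succeeds only when $1 is a whole number of seconds greater than zero.
is_positive_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Lifetimes must be ordered: authorization code < access token < refresh token.
# Prints the first violation found and returns 1; returns 0 when consistent.
check_lifetimes() {
    code="$1"; access="$2"; refresh="$3"
    for v in "$code" "$access" "$refresh"; do
        is_positive_int "$v" || { echo "lifetime '$v' is not a positive integer"; return 1; }
    done
    [ "$code" -lt "$access" ] ||
        { echo "authorization code lifetime ($code) must be below access token lifetime ($access)"; return 1; }
    [ "$access" -lt "$refresh" ] ||
        { echo "access token lifetime ($access) must be below refresh token lifetime ($refresh)"; return 1; }
}

# Validates one "response-type|plugin-class-name" entry: both halves present,
# and the class part names a class (capitalised last dotted segment), not a package.
check_response_type_entry() {
    entry="$1"
    case "$entry" in
        *\|*) ;;
        *) echo "'$entry': missing '|' separator"; return 1 ;;
    esac
    rtype="${entry%%|*}"
    klass="${entry#*|}"
    [ -n "$rtype" ] || { echo "'$entry': empty response type"; return 1; }
    simple="${klass##*.}"
    case "$simple" in
        [ABCDEFGHIJKLMNOPQRSTUVWXYZ]*) ;;
        *) echo "'$entry': '$klass' looks like a package, not a plugin class"; return 1 ;;
    esac
}

# Prints (does not run) the ssoadm invocation for the three lifetime attributes.
lifetime_cmd() {
    printf 'ssoadm set-attr-defs --adminid amadmin --password-file %s --servicename OAuth2Provider --schematype %s --attributevalues forgerock-oauth2-provider-authorization-code-lifetime=%s forgerock-oauth2-provider-access-token-lifetime=%s forgerock-oauth2-provider-refresh-token-lifetime=%s\n' \
        "$PWFILE" "$SCHEMA_TYPE" "$1" "$2" "$3"
}

# Constructed sample values: 2-minute code, 10-minute access token, 1-day refresh token.
CODE_TTL=120; ACCESS_TTL=600; REFRESH_TTL=86400
check_lifetimes "$CODE_TTL" "$ACCESS_TTL" "$REFRESH_TTL"

# The defaults as printed on the page; the id_token entry carries no class name.
for entry in \
    'code|org.forgerock.restlet.ext.oauth2.flow.responseTypes.CodeResponseType' \
    'id_token|org.forgerock.restlet.ext.oauth2.flow.responseTypes' \
    'token|org.forgerock.restlet.ext.oauth2.flow.responseTypes.TokenResponseType'
do
    check_response_type_entry "$entry" ||
        echo "  -> fix before setting forgerock-oauth2-provider-response-type-map-class"
done

cmd=$(lifetime_cmd "$CODE_TTL" "$ACCESS_TTL" "$REFRESH_TTL")
if [ "${RUN_SSOADM:-0}" = 1 ]; then
    eval "$cmd"
else
    echo "dry run (set RUN_SSOADM=1 to apply):"
    echo "$cmd"
fi
```

By default the script only prints the ssoadm command; set RUN_SSOADM=1 to execute it once the checks pass. The ordering check is a plain-consistency guard, not an OpenAM rule: OpenAM accepts any positive integers, but an access token that outlives the refresh token defeats the point of issuing refresh tokens.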
Password Reset
See the Administration Guide chapter on Configuring Password Reset for details.
Policy Configuration
You can change global policy configuration, and the defaults per realm.
ssoadm service name:
iPlanetAMPolicyConfigService
OpenAM uses resource comparators to match resources specified in policy rules. When setting comparators on the command line, separate fields with | characters.
ssoadm attribute:
iplanet-am-policy-config-resource-comparator
If no, then OpenAM stops evaluating policy as soon as it reaches a deny decision.
ssoadm attribute:
iplanet-am-policy-config-continue-evaluation-on-deny-decision
Lists advice names for which policy agents redirect users to OpenAM for further authentication and authorization
ssoadm attribute:
sun-am-policy-config-advices-handleable-by-am
If yes, then OpenAM allows creation of policies for HTTP and HTTPS resources whose FQDN matches the DNS alias for the realm even when no referral policy exists.
ssoadm attribute:
sun-am-policy-config-org-alias-mapped-resources-enabled
Configuration directory server host:port that OpenAM searches for policy information
ssoadm attribute:
iplanet-am-policy-config-ldap-server
Base DN for policy searches
ssoadm attribute:
iplanet-am-policy-config-ldap-base-dn
Base DN for LDAP Users subject searches
ssoadm attribute:
iplanet-am-policy-config-ldap-users-base-dn
Base DN for OpenAM Roles searches
ssoadm attribute:
iplanet-am-policy-config-is-roles-base-dn
Bind DN to connect to the directory server for policy information
ssoadm attribute:
iplanet-am-policy-config-ldap-bind-dn
Bind password to connect to the directory server for policy information
ssoadm attribute:
iplanet-am-policy-config-ldap-bind-password
Search filter to match organization entries
ssoadm attribute:
iplanet-am-policy-config-ldap-organizations-search-filter
Search scope to find organization entries
ssoadm attribute:
iplanet-am-policy-config-ldap-organizations-search-scope
Search filter to match group entries
ssoadm attribute:
iplanet-am-policy-config-ldap-groups-search-filter
Search scope to find group entries
ssoadm attribute:
iplanet-am-policy-config-ldap-groups-search-scope
Search filter to match user entries
ssoadm attribute:
iplanet-am-policy-config-ldap-users-search-filter
Search scope to find user entries
ssoadm attribute:
iplanet-am-policy-config-ldap-users-search-scope
Search filter to match nsRole definition entries
ssoadm attribute:
iplanet-am-policy-config-ldap-roles-search-filter
Search scope to find nsRole definition entries
ssoadm attribute:
iplanet-am-policy-config-ldap-roles-search-scope
Search scope to find OpenAM roles entries
ssoadm attribute:
iplanet-am-policy-config-is-roles-search-scope
Naming attribute for organization entries
ssoadm attribute:
iplanet-am-policy-config-ldap-organizations-search-attribute
Naming attribute for group entries
ssoadm attribute:
iplanet-am-policy-config-ldap-groups-search-attribute
Naming attribute for user entries
ssoadm attribute:
iplanet-am-policy-config-ldap-users-search-attribute
Naming attribute for nsRole definition entries
ssoadm attribute:
iplanet-am-policy-config-ldap-roles-search-attribute
Search limit for LDAP searches
ssoadm attribute:
iplanet-am-policy-config-search-limit
Seconds after which OpenAM returns an error for an incomplete search
ssoadm attribute:
iplanet-am-policy-config-search-timeout
If enabled, OpenAM connects securely to the directory server. This requires that you install the directory server certificate.
ssoadm attribute:
iplanet-am-policy-config-ldap-ssl-enabled
Minimum number of connections in the pool
ssoadm attribute:
iplanet-am-policy-config-connection_pool_min_size
Maximum number of connections in the pool
ssoadm attribute:
iplanet-am-policy-config-connection_pool_max_size
Lists subjects available for policy definition in realms
ssoadm attribute:
iplanet-am-policy-selected-subjects
Lists conditions available for policy definition in realms
ssoadm attribute:
iplanet-am-policy-selected-conditions
Lists referral types available for policy definition in realms
ssoadm attribute:
iplanet-am-policy-selected-referrals
Maximum minutes OpenAM caches a subject result for evaluating policy requests. A value of 0 prevents OpenAM from caching subject evaluations for policy decisions.
Default: 10
ssoadm attribute:
iplanet-am-policy-config-subjects-result-ttl
If enabled, OpenAM can evaluate policy for remote users aliased to local users.
ssoadm attribute:
iplanet-am-policy-config-user-alias-enabled
Lists available response providers available for policy definition
ssoadm attribute:
sun-am-policy-selected-responseproviders
Lists dynamic response attributes available for policy definition
ssoadm attribute:
sun-am-policy-dynamic-response-attributes
REST Security
ssoadm service name:
RestSecurity
The order of options that appear in the console may vary depending on whether you are running from a new installation or an upgrade of OpenAM.
If enabled, new users can sign up using a REST API client.
Default: not enabled
ssoadm attribute:
forgerockRESTSecuritySelfRegistrationEnabled
Maximum lifetime for the token allowing user self-registration using the REST API.
Default: 900 (seconds)
ssoadm attribute:
forgerockRESTSecuritySelfRegTokenTTL
This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.
Default: deployment-base-url/XUI/confirm.html where deployment-base-url is something like https://openam.example.com:8443/openam
ssoadm attribute:
forgerockRESTSecuritySelfRegConfirmationUrl
If enabled, users can assign themselves a new password using a REST API client.
Default: not enabled
ssoadm attribute:
forgerockRESTSecurityForgotPasswordEnabled
Maximum lifetime for the token allowing a user to process a forgotten password using the REST API.
Default: 900 (seconds)
ssoadm attribute:
forgerockRestSecurityForgotPassTokenTTL
This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.
Default: deployment-base-url/XUI/confirm.html where deployment-base-url is something like https://openam.example.com:8443/openam
ssoadm attribute:
forgerockRESTSecurityForgotPassConfirmationUrl
SAMLv2 Service Configuration
ssoadm service name:
sunFAMSAML2Configuration
Seconds between cache cleanup operations
ssoadm attribute:
CacheCleanupInterval
User entry attribute to store name identifier information
ssoadm attribute:
NameIDInfoAttribute
User entry attribute to store the name identifier key
ssoadm attribute:
NameIDInfoKeyAttribute
Specifies the cookie domain for the IDP discovery service
ssoadm attribute:
IDPDiscoveryCookieDomain
Indicates whether to use PERSISTENT or SESSION cookies
ssoadm attribute:
IDPDiscoveryCookieType
Indicates whether to use HTTP or HTTPS
ssoadm attribute:
IDPDiscoveryURLScheme
Used by the SAML2 engine to encrypt and decrypt documents
ssoadm attribute:
XMLEncryptionClass
ssoadm attribute:
EncryptedKeyInKeyInfo
Used by the SAML2 engine to sign documents
ssoadm attribute:
XMLSigningClass
If enabled, then validate certificates used to sign documents.
ssoadm attribute:
SigningCertValidation
If enabled, then validate CA certificates.
ssoadm attribute:
CACertValidation
If enabled, OpenAM can fail over requests to another instance.
ssoadm attribute:
failOverEnabled
Size of the buffer, specified in bytes.
ssoadm attribute:
bufferLength
SAMLv2 SOAP Binding
ssoadm service name:
sunfmSAML2SOAPBindingService
List of handlers to deal with SAML2 requests bound to SOAP. The key for a request handler is the meta alias, whereas the class indicates the name of the class that implements the handler.
ssoadm attribute:
sunSAML2RequestHandlerList
Security Token Service
ssoadm service name:
sunFAMSTSService
Specifies the name of the security token service
ssoadm attribute:
stsIssuer
Specifies the STS service endpoint
ssoadm attribute:
stsEndPoint
Milliseconds the security token remains valid
ssoadm attribute:
stsLifetime
Specifies the alias for the signing certificate
ssoadm attribute:
stsCertAlias
Specifies the class that converts end user tokens
ssoadm attribute:
com.sun.identity.wss.sts.clientusertoken
Lists credentials used to secure the token, and credentials OpenAM accepts in the incoming request
ssoadm attribute:
SecurityMech
Specifies the authentication chain OpenAM applies for incoming requests for authenticated security tokens
ssoadm attribute:
AuthenticationChain
User name and password shared secrets to validate UserName tokens in incoming requests
ssoadm attribute:
UserCredential
If yes, then OpenAM checks for and rejects replayed messages.
ssoadm attribute:
DetectMessageReplay
If yes, then OpenAM checks for and rejects replayed user tokens.
ssoadm attribute:
DetectUserTokenReplay
If yes, then OpenAM verifies signatures on incoming requests.
ssoadm attribute:
isRequestSign
If yes, then OpenAM signs the selected parts of the response.
ssoadm attribute:
isResponseSign
Specifies the reference type used to sign the response. One of DirectReference, KeyIdentifierRef, or X509IssuerSerialRef.
ssoadm attribute:
SigningRefType
If yes, then OpenAM decrypts the selected parts of the request.
ssoadm attribute:
isRequestEncrypt
If yes, then OpenAM encrypts responses.
ssoadm attribute:
isResponseEncrypt
Specifies the algorithm used to encrypt responses
ssoadm attribute:
EncryptionAlgorithm
Alias for the private key used to sign responses and decrypt requests
ssoadm attribute:
privateKeyAlias
Type of private key. One of publicKey, symmetricKey, or noProofKey.
ssoadm attribute:
privateKeyType
Alias for the certificate used to verify request signatures and encrypt responses
ssoadm attribute:
publicKeyAlias
Specifies the FQDN of the KDC
ssoadm attribute:
KerberosDomainServer
Specifies the domain name of the KDC
ssoadm attribute:
KerberosDomain
Specifies the Kerberos principal who owns the generated token. Use the format HTTP/host.domain@kdc-domain
ssoadm attribute:
KerberosServicePrincipal
Specifies the key tab file used to issue the token
ssoadm attribute:
KerberosKeyTabFile
If yes, then OpenAM requires signed Kerberos tokens.
ssoadm attribute:
isVerifyKrbSignature
Lists attribute mappings for generated assertions
This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.
ssoadm attribute:
SAMLAttributeMapping
Specifies the NameID mapper for generated assertions
This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.
ssoadm attribute:
NameIDMapper
If yes, then OpenAM requires that generated assertions include user memberships.
This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.
ssoadm attribute:
includeMemberships
Specifies the namespace for generated assertions
This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.
ssoadm attribute:
AttributeNamespace
Lists issuers OpenAM can trust to send security tokens
ssoadm attribute:
trustedIssuers
Lists issuer IP addresses that OpenAM can trust to send security tokens
ssoadm attribute:
trustedIPAddresses
Session
ssoadm service name:
iPlanetAMSessionService
When session failover is configured, you can set up additional configurations for connecting to the session repository here.
Maximum number of results from a session search
ssoadm attribute:
iplanet-am-session-max-session-list-size
Seconds after which OpenAM sees an incomplete search as having failed
ssoadm attribute:
iplanet-am-session-session-list-retrieval-timeout
If on, then OpenAM notifies other applications participating in SSO when a session property in the Notification Properties list changes.
ssoadm attribute:
iplanet-am-session-property-change-notification
If on, then OpenAM allows you to set constraints on user sessions.
ssoadm attribute:
iplanet-am-session-enable-session-constraint
Milliseconds after which OpenAM considers a search for live session count as having failed if quota constraints are enabled
ssoadm attribute:
iplanet-am-session-constraint-max-wait-time
You can either set the next expiring session to be destroyed, DESTROY_NEXT_EXPIRING, the oldest session to be destroyed, DESTROY_OLDEST_SESSION, all previous sessions to be destroyed, DESTROY_OLD_SESSIONS, or deny the new session creation request, DENY_ACCESS.
ssoadm attribute:
iplanet-am-session-constraint-resulting-behavior
This attribute takes effect when quota constraints are enabled.
ssoadm attribute:
iplanet-am-session-deny-login-if-db-is-down
Lists session properties for which OpenAM can send notifications upon modification
ssoadm attribute:
iplanet-am-session-notification-property-list
If enabled, OpenAM does not perform DNS lookups when checking restrictions in cookie hijacking mode.
ssoadm attribute:
iplanet-am-session-dnrestrictiononly
If yes, then OpenAM stores only a limited set of session properties after session timeout and before session purging.
ssoadm attribute:
iplanet-am-session-enable-session-trimming
Lists plugin classes implementing session timeout handlers
ssoadm attribute:
openam-session-timeout-handler-list
Maximum minutes a session can remain valid before OpenAM requires the user to authenticate again
ssoadm attribute:
iplanet-am-session-max-session-time
Maximum minutes a session can remain idle before OpenAM requires the user to authenticate again
ssoadm attribute:
iplanet-am-session-max-idle-time
Maximum minutes before OpenAM refreshes a session that has been cached
ssoadm attribute:
iplanet-am-session-max-caching-time
Maximum number of concurrent sessions OpenAM allows a user to have
ssoadm attribute:
iplanet-am-session-quota-limit
User
ssoadm service name:
iPlanetAMUserService
Time zone for accessing OpenAM console
ssoadm attribute:
preferredtimezone
Specifies the DN for the initial screen when the OpenAM administrator successfully logs in to the OpenAM console
ssoadm attribute:
iplanet-am-user-admin-start-dn
Inactive users cannot authenticate, though OpenAM stores their profiles. Default: Active
ssoadm attribute:
iplanet-am-user-login-status