1.4. Global Configuration

Under Configuration > Global you can set defaults for a range of federation services, for password reset, for policy configuration, for session management, and for dynamic user attributes.

Common Federation Configuration

ssoadm service name: sunFAMFederationCommon

Datastore SPI implementation class

Used by the Federation system to access user profile attributes

ssoadm attribute: DatastoreClass

ConfigurationInstance SPI implementation class

Used by the Federation system to access service configuration

ssoadm attribute: ConfigurationClass

Logger SPI implementation class

Used by the Federation system to record log messages

ssoadm attribute: LoggerClass

SessionProvider SPI implementation class

Used by the Federation system to access the session service

ssoadm attribute: SessionProviderClass

Maximum allowed content length

Maximum number of bytes for Federation communications

ssoadm attribute: MaxContentLength

PasswordDecoder SPI implementation class

Used by the Federation system to decode passwords encoded by OpenAM

ssoadm attribute: PasswordDecoderClass

SignatureProvider SPI implementation class

Used by the Federation system to digitally sign SAML documents

ssoadm attribute: SignatureProviderClass

KeyProvider SPI implementation class

Used by the Federation system to access the Java key store

ssoadm attribute: KeyProviderClass

Check presence of certificates

If enabled, OpenAM checks that the partner's signing certificate presented in the XML matches the certificate from the partner's metadata

ssoadm attribute: CheckCert
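The check described above, as an added example (not OpenAM code): the certificate a partner embeds in ds:KeyInfo is only accepted if it is one of the signing certificates the partner's metadata publishes. The metadata, the SAML Response skeleton and the certificate bytes are constructed stand-ins, and comparison is by SHA-256 fingerprint of the decoded bytes.

```python
"""Check that the signing certificate embedded in a SAML message matches the
partner's metadata, as OpenAM's "Check presence of certificates" option does.

Added example with constructed XML and certificate bytes, not OpenAM code."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed stand-ins for DER-encoded certificates (not real certificates).
_PARTNER_DER = b"constructed-partner-cert-der-bytes-0001"
_ROGUE_DER = b"constructed-rogue-cert-der-bytes-9999"


def _b64_lines(der: bytes) -> str:
    # Metadata and messages usually carry the base64 wrapped over several lines.
    b64 = base64.b64encode(der).decode()
    return "\n      ".join(b64[i:i + 20] for i in range(0, len(b64), 20))


# Constructed partner metadata declaring its signing certificate.
PARTNER_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://partner.example.com/idp">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {_b64_lines(_PARTNER_DER)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _signed_message(der: bytes) -> str:
    # Constructed SAML Response skeleton carrying a certificate inside ds:KeyInfo.
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64_lines(der)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


def fingerprint(b64_text: str) -> str:
    """SHA-256 fingerprint of a base64 certificate, tolerant of whitespace in the text."""
    der = base64.b64decode("".join(b64_text.split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def metadata_signing_fingerprints(metadata_xml: str) -> set[str]:
    """Fingerprints of every certificate the partner's metadata publishes for signing."""
    root = ET.fromstring(metadata_xml)
    result = set()
    for kd in root.iter(f"{MD}KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{DS}X509Certificate"):
            result.add(fingerprint(cert.text or ""))
    return result


def message_cert_fingerprints(message_xml: str) -> list[str]:
    """Fingerprints of certificates presented in the message's ds:Signature/ds:KeyInfo."""
    root = ET.fromstring(message_xml)
    return [fingerprint(c.text or "")
            for sig in root.iter(f"{DS}Signature")
            for c in sig.iter(f"{DS}X509Certificate")]


def check_cert(message_xml: str, metadata_xml: str) -> bool:
    """True only if every certificate presented in the message is one the metadata trusts.
    This example lets a message with no inline certificate pass: the signature is then
    verified against the metadata certificate alone (an assumption of the example)."""
    trusted = metadata_signing_fingerprints(metadata_xml)
    presented = message_cert_fingerprints(message_xml)
    return all(fp in trusted for fp in presented)


if __name__ == "__main__":
    print("partner cert accepted:", check_cert(_signed_message(_PARTNER_DER), PARTNER_METADATA))
    print("rogue cert accepted:  ", check_cert(_signed_message(_ROGUE_DER), PARTNER_METADATA))
```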

XML canonicalization algorithm

Algorithm used to render the canonical versions of XML documents

ssoadm attribute: CannonicalizationAlgorithm

XML signature algorithm

Algorithm used to sign XML documents

ssoadm attribute: SignatureAlgorithm

XML transformation algorithm

Algorithm used for XML transformations

ssoadm attribute: TransformationAlgorithm

SAML Error Page URL

OpenAM redirects users here when an error occurs in the SAML2 engine. Users are redirected to absolute URLs, whereas relative URLs are displayed within the request.

ssoadm attribute: SAMLErrorPageURL

SAML Error Page HTTP Binding

Set this either to HTTP-Redirect or to HTTP-POST.

ssoadm attribute: SAMLErrorPageHTTPBinding

Monitoring Agent Provider Class

Used by the Federation system to access the monitoring system

ssoadm attribute: MonAgentClass

Monitoring Provider Class for SAML1

Used by the SAMLv1 engine to access the monitoring system

ssoadm attribute: MonSAML1Class

Monitoring Provider Class for SAML2

Used by the SAML2 engine to access the monitoring system

ssoadm attribute: MonSAML2Class

Monitoring Provider Class for ID-FF

Used by the ID-FF engine to access the monitoring system

ssoadm attribute: MonIDFFClass

Dashboard Configuration

ssoadm service name: dashboardService

Dashboard Class Name

Identifies how to access the application, for example SAML2ApplicationClass for a SAML 2.0 application

ssoadm attribute: dashboardClassName

Dashboard Name

The application name as it appears to the administrator when configuring the dashboard

ssoadm attribute: dashboardName

Dashboard Display Name

The application name that displays on the dashboard client

ssoadm attribute: dashboardDisplayName

Dashboard Icon

Name of the icon displayed on the dashboard client to identify the application

ssoadm attribute: dashboardIcon

Dashboard Login

The URL that takes the user to the application

ssoadm attribute: dashboardLogin

Available Dashboard Apps

List of application dashboard names available by default for realms with the Dashboard configured

ssoadm attribute: assignedDashboard

Email Service

ssoadm service name: ForgeRockSendEmailService

Email Message Implementation Class

Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.

Default: org.forgerock.openam.services.email.MailServerImpl

ssoadm attribute: forgerockMailServerImplClassName

Mail Server Host Name

Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.

Default: smtp.gmail.com

ssoadm attribute: forgerockEmailServiceSMTPHostName

Mail Server Host Port

Specifies the port number for the SMTP mail server.

Default: 465

ssoadm attribute: forgerockEmailServiceSMTPHostPort

Mail Server Authentication Username

Specifies the user name for the SMTP mail server.

Default: forgerocksmtp

ssoadm attribute: forgerockEmailServiceSMTPUserName

Mail Server Authentication Password

Specifies the password for the SMTP user name.

ssoadm attribute: forgerockEmailServiceSMTPUserPassword

Mail Server Secure Connection

Specifies whether to connect to the SMTP mail server using SSL.

Default: use SSL (true)

ssoadm attribute: forgerockEmailServiceSMTPSSLEnabled

Email From Address

Specifies the address from which to send email notifications.

Default: no-reply@openam.org

ssoadm attribute: forgerockEmailServiceSMTPFromAddress

Email Attribute Name

Specifies the profile attribute from which to retrieve the end user's email address.

Default: mail

ssoadm attribute: openamEmailAttribute

Email Subject

Specifies a subject for notification messages. If you do not set this, OpenAM does not set the subject for notification messages.

ssoadm attribute: forgerockEmailServiceSMTPSubject

Email Content

Specifies content for notification messages. If you do not set this, OpenAM includes only the confirmation URL in the mail body.

ssoadm attribute: forgerockEmailServiceSMTPMessage

Liberty ID-FF Service Configuration

ssoadm service name: sunFAMIDFFConfiguration

Federation Cookie Name

Cookie name for Liberty ID-FF

ssoadm attribute: FedCookieName

IDP Proxy Finder SPI implementation class

Used by the ID-FF engine to find the IDP proxy

ssoadm attribute: IDPProxyFinderClass

Request cache cleanup interval

Seconds between times OpenAM cleans up the request cache

ssoadm attribute: RequestCacheCleanupInterval

Request cache timeout

Seconds cached requests remain valid

ssoadm attribute: RequestCacheTimeout

IDP Login URL

Login URL for the ID-FF IDP

ssoadm attribute: IDPLoginURL

XML signing on

If yes, require XML signing.

ssoadm attribute: XMLSigningOn

Liberty Interaction Service

ssoadm service name: sunFAMLibertyInteractionService

WSP to redirect user for interaction

ssoadm attribute: WSPWillRedirect

WSP to redirect user for interaction for data

ssoadm attribute: WSPWillRedirectForData

WSP's expected duration for interaction

ssoadm attribute: WSPRedirectTime

WSP to enforce that returnToURL must be SSL

ssoadm attribute: WSPWillEnforceHttpsCheck

WSP to enforce return to host be the same as request host

ssoadm attribute: WSPWillEnforceReturnToHostEqualsRequestHost

HTML style sheet location

ssoadm attribute: HTMLStyleSheetLocation

WML style sheet location

ssoadm attribute: WMLStyleSheetLocation

WSP interaction URL

ssoadm attribute: WSPRedirectHandlerURL

WSP interaction URL if behind load balancer

ssoadm attribute: LBWSPRedirectHandler

List of interaction URLs of WSP cluster (site) behind the load balancer

ssoadm attribute: TrustedWspRedirectHandlers

Interaction Configuration Class

ssoadm attribute: InteractionConfigClass

Options for WSC to participate in interaction

ssoadm attribute: WSCSpecifiedInteractionChoice

WSC to include userInteractionHeader

ssoadm attribute: WSCWillIncludeUserInteractionHeader

WSC to redirect user for interaction

ssoadm attribute: WSCWillRedirect

WSC's expected duration for interaction

ssoadm attribute: WSCSpecifiedMaxInteractionTime

WSC to enforce that redirection URL must be SSL

ssoadm attribute: WSCWillEnforceHttpsCheck

Multi-Federation Protocol

ssoadm service name: sunMultiFederationProtocol

Single Logout Handler List

List of logout handlers used for each different federation protocol

ssoadm attribute: SingleLogoutHandlerList

OAuth2 Provider Configuration

ssoadm service name: OAuth2Provider

Authorization Code Lifetime

Lifetime of OAuth 2.0 authorization code in seconds.

ssoadm attribute: forgerock-oauth2-provider-authorization-code-lifetime

Refresh Token Lifetime

Lifetime of OAuth 2.0 refresh token in seconds.

ssoadm attribute: forgerock-oauth2-provider-refresh-token-lifetime

Access Token Lifetime

Lifetime of OAuth 2.0 access token in seconds.

ssoadm attribute: forgerock-oauth2-provider-access-token-lifetime

Issue Refresh Tokens

Whether to issue a refresh token when returning an access token.

ssoadm attribute: forgerock-oauth2-provider-issue-refresh-token

Issue Refresh Tokens on Refreshing Access Tokens

Whether to issue a refresh token when refreshing an access token.

ssoadm attribute: forgerock-oauth2-provider-issue-refresh-token-on-refreshing-token

Scope Implementation Class

Name of class on OpenAM classpath implementing scopes.

ssoadm attribute: forgerock-oauth2-provider-scope-implementation-class

Response Type Plugins

List of plugins that handle the valid response_type values. OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (/oauth2/authorize) to indicate which grant type is requested from the provider. For example, the client passes code when requesting an authorization code, and token when requesting an access token.

Values in this list take the form response-type|plugin-class-name.

Defaults: code|org.forgerock.restlet.ext.oauth2.flow.responseTypes.CodeResponseType, id_token|org.forgerock.restlet.ext.oauth2.flow.responseTypes, token|org.forgerock.restlet.ext.oauth2.flow.responseTypes.TokenResponseType

ssoadm attribute: forgerock-oauth2-provider-response-type-map-class
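An added example (not OpenAM code) of the response-type|plugin-class-name format: it parses the list, rejects malformed or duplicate entries, and resolves a client's response_type to plugin classes, refusing any value not configured. The entries are the defaults listed above; the client requests are constructed.

```python
"""Parse the 'response-type|plugin-class-name' list behind
forgerock-oauth2-provider-response-type-map-class and resolve the
response_type a client sends to /oauth2/authorize.

Added example, not OpenAM code; the plugin class names are the page's
defaults and the requests are constructed."""
import re

# Shape of a Java fully qualified class (or package) name.
_FQCN = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

# Defaults as listed on the page, in the ssoadm multi-valued attribute form.
DEFAULT_RESPONSE_TYPE_MAP = [
    "code|org.forgerock.restlet.ext.oauth2.flow.responseTypes.CodeResponseType",
    "id_token|org.forgerock.restlet.ext.oauth2.flow.responseTypes",
    "token|org.forgerock.restlet.ext.oauth2.flow.responseTypes.TokenResponseType",
]


def parse_response_type_map(values):
    """Turn 'response-type|plugin-class-name' strings into a dict.

    Rejects entries without exactly one '|', empty halves, duplicate response
    types and class names not shaped like Java class names, so a typo in the
    configuration fails loudly instead of silently disabling a flow."""
    mapping = {}
    for raw in values:
        parts = raw.strip().split("|")
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"malformed entry (expected response-type|class): {raw!r}")
        rtype, cls = parts
        if not _FQCN.match(cls):
            raise ValueError(f"not a Java class name: {cls!r}")
        if rtype in mapping:
            raise ValueError(f"duplicate response type: {rtype!r}")
        mapping[rtype] = cls
    return mapping


def resolve_response_type(requested, mapping):
    """Map the response_type parameter to the configured plugin classes.

    response_type may be a space-separated list (OpenID Connect hybrid flows
    send e.g. 'code id_token'); every component must be configured, otherwise
    the request is rejected as unsupported_response_type."""
    wanted = requested.split()
    if not wanted:
        raise ValueError("invalid_request: response_type is empty")
    missing = [t for t in wanted if t not in mapping]
    if missing:
        raise ValueError(f"unsupported_response_type: {' '.join(missing)}")
    return [mapping[t] for t in wanted]


if __name__ == "__main__":
    plugins = parse_response_type_map(DEFAULT_RESPONSE_TYPE_MAP)
    print(resolve_response_type("code", plugins))
    print(resolve_response_type("code token", plugins))
```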

User Profile Attribute(s) the Resource Owner is Authenticated On

Names of profile attributes that resource owners use to log in. The default is uid, and you can add others such as mail.

ssoadm attribute: forgerock-oauth2-provider-authentication-attributes

Shared Consent Attribute Name

Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions. When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.

ssoadm attribute: forgerock-oauth2-provider-saved-consent-attribute

JSON Web Key URL

The URL where the OpenID Connect provider's JSON Web Key can be retrieved.

ssoadm attribute: forgerock-oauth2-provider-jkws-uri

ID Token Signing Algorithms supported

Algorithms supported to sign OpenID Connect id_tokens.

ssoadm attribute: forgerock-oauth2-provider-id-token-signing-algorithms-supported

Supported Claims

List of claims supported by the OpenID Connect /oauth2/userinfo endpoint.

ssoadm attribute: forgerock-oauth2-provider-supported-claims

Password Reset

Realm Attributes

See the Administration Guide chapter on Configuring Password Reset for details.

Policy Configuration

You can change global policy configuration, and the defaults per realm.

ssoadm service name: iPlanetAMPolicyConfigService

Resource Comparator

OpenAM uses resource comparators to match resources specified in policy rules. When setting comparators on the command line, separate fields with | characters.

ssoadm attribute: iplanet-am-policy-config-resource-comparator

Continue Evaluation on Deny Decision

If no, then OpenAM stops evaluating policy as soon as it reaches a deny decision.

ssoadm attribute: iplanet-am-policy-config-continue-evaluation-on-deny-decision

Advices Handleable by OpenAM

Lists advice names for which policy agents redirect users to OpenAM for further authentication and authorization

ssoadm attribute: sun-am-policy-config-advices-handleable-by-am

Realm Alias Referrals

If yes, then OpenAM allows creation of policies for HTTP and HTTPS resources whose FQDN matches the DNS alias for the realm even when no referral policy exists.

ssoadm attribute: sun-am-policy-config-org-alias-mapped-resources-enabled

Primary LDAP Server

Configuration directory server host:port that OpenAM searches for policy information

ssoadm attribute: iplanet-am-policy-config-ldap-server

LDAP Base DN

Base DN for policy searches

ssoadm attribute: iplanet-am-policy-config-ldap-base-dn

LDAP Users Base DN

Base DN for LDAP Users subject searches

ssoadm attribute: iplanet-am-policy-config-ldap-users-base-dn

OpenAM Roles Base DN

Base DN for OpenAM Roles searches

ssoadm attribute: iplanet-am-policy-config-is-roles-base-dn

LDAP Bind DN

Bind DN to connect to the directory server for policy information

ssoadm attribute: iplanet-am-policy-config-ldap-bind-dn

LDAP Bind Password

Bind password to connect to the directory server for policy information

ssoadm attribute: iplanet-am-policy-config-ldap-bind-password

LDAP Organization Search Filter

Search filter to match organization entries

ssoadm attribute: iplanet-am-policy-config-ldap-organizations-search-filter

LDAP Organization Search Scope

Search scope to find organization entries

ssoadm attribute: iplanet-am-policy-config-ldap-organizations-search-scope

LDAP Groups Search Filter

Search filter to match group entries

ssoadm attribute: iplanet-am-policy-config-ldap-groups-search-filter

LDAP Groups Search Scope

Search scope to find group entries

ssoadm attribute: iplanet-am-policy-config-ldap-groups-search-scope

LDAP Users Search Filter

Search filter to match user entries

ssoadm attribute: iplanet-am-policy-config-ldap-users-search-filter

LDAP Users Search Scope

Search scope to find user entries

ssoadm attribute: iplanet-am-policy-config-ldap-users-search-scope

LDAP Roles Search Filter

Search filter to match nsRole definition entries

ssoadm attribute: iplanet-am-policy-config-ldap-roles-search-filter

LDAP Roles Search Scope

Search scope to find nsRole definition entries

ssoadm attribute: iplanet-am-policy-config-ldap-roles-search-scope

OpenAM Roles Search Scope

Search scope to find OpenAM roles entries

ssoadm attribute: iplanet-am-policy-config-is-roles-search-scope

LDAP Organization Search Attribute

Naming attribute for organization entries

ssoadm attribute: iplanet-am-policy-config-ldap-organizations-search-attribute

LDAP Groups Search Attribute

Naming attribute for group entries

ssoadm attribute: iplanet-am-policy-config-ldap-groups-search-attribute

LDAP Users Search Attribute

Naming attribute for user entries

ssoadm attribute: iplanet-am-policy-config-ldap-users-search-attribute

LDAP Roles Search Attribute

Naming attribute for nsRole definition entries

ssoadm attribute: iplanet-am-policy-config-ldap-roles-search-attribute

Maximum Results Returned from Search

Search limit for LDAP searches

ssoadm attribute: iplanet-am-policy-config-search-limit

Search Timeout

Seconds after which OpenAM returns an error for an incomplete search

ssoadm attribute: iplanet-am-policy-config-search-timeout

LDAP SSL/TLS

If enabled, OpenAM connects securely to the directory server. This requires that you install the directory server certificate.

ssoadm attribute: iplanet-am-policy-config-ldap-ssl-enabled

LDAP Connection Pool Minimum Size

Minimum number of connections in the pool

ssoadm attribute: iplanet-am-policy-config-connection_pool_min_size

LDAP Connection Pool Maximum Size

Maximum number of connections in the pool

ssoadm attribute: iplanet-am-policy-config-connection_pool_max_size

Selected Policy Subjects

Lists subjects available for policy definition in realms

ssoadm attribute: iplanet-am-policy-selected-subjects

Selected Policy Conditions

Lists conditions available for policy definition in realms

ssoadm attribute: iplanet-am-policy-selected-conditions

Selected Policy Referrals

Lists referral types available for policy definition in realms

ssoadm attribute: iplanet-am-policy-selected-referrals

Subjects Result Time to Live

Maximum minutes OpenAM caches a subject result for evaluating policy requests. A value of 0 prevents OpenAM from caching subject evaluations for policy decisions.

Default: 10

ssoadm attribute: iplanet-am-policy-config-subjects-result-ttl

User Alias

If enabled, OpenAM can evaluate policy for remote users aliased to local users.

ssoadm attribute: iplanet-am-policy-config-user-alias-enabled

Selected Response Providers

Lists response providers available for policy definition

ssoadm attribute: sun-am-policy-selected-responseproviders

Selected Dynamic Response Attributes

Lists dynamic response attributes available for policy definition

ssoadm attribute: sun-am-policy-dynamic-response-attributes

REST Security

ssoadm service name: RestSecurity

The order of options that appear in the console may vary depending on whether you are running from a new installation or an upgrade of OpenAM.

Self-Registration for Users

If enabled, new users can sign up using a REST API client.

Default: not enabled

ssoadm attribute: forgerockRESTSecuritySelfRegistrationEnabled

Self-Registration Token LifeTime (seconds)

Maximum lifetime of the token that allows user self-registration using the REST API.

Default: 900 (seconds)

ssoadm attribute: forgerockRESTSecuritySelfRegTokenTTL

Self-Registration Confirmation Email URL

This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.

Default: deployment-base-url/XUI/confirm.html where deployment-base-url is something like https://openam.example.com:8443/openam

ssoadm attribute: forgerockRESTSecuritySelfRegConfirmationUrl

Forgot Password for Users

If enabled, users can assign themselves a new password using a REST API client.

Default: not enabled

ssoadm attribute: forgerockRESTSecurityForgotPasswordEnabled

Forgot Password Token LifeTime (seconds)

Maximum lifetime of the token that allows a user to reset a forgotten password using the REST API.

Default: 900 (seconds)

ssoadm attribute: forgerockRestSecurityForgotPassTokenTTL

Forgot Password Confirmation Email URL

This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.

Default: deployment-base-url/XUI/confirm.html where deployment-base-url is something like https://openam.example.com:8443/openam

ssoadm attribute: forgerockRESTSecurityForgotPassConfirmationUrl

SAMLv2 Service Configuration

ssoadm service name: sunFAMSAML2Configuration

Cache cleanup interval

Seconds between cache cleanup operations

ssoadm attribute: CacheCleanupInterval

Attribute name for Name ID information

User entry attribute to store name identifier information

ssoadm attribute: NameIDInfoAttribute

Attribute name for NAME ID information key

User entry attribute to store the name identifier key

ssoadm attribute: NameIDInfoKeyAttribute

Cookie domain for IDP Discovery Service

Specifies the cookie domain for the IDP discovery service

ssoadm attribute: IDPDiscoveryCookieDomain

Cookie type for IDP Discovery Service

Indicates whether to use PERSISTENT or SESSION cookies

ssoadm attribute: IDPDiscoveryCookieType

URL scheme for IDP Discovery Service

Indicates whether to use HTTP or HTTPS

ssoadm attribute: IDPDiscoveryURLScheme

XML Encryption SPI implementation class

Used by the SAML2 engine to encrypt and decrypt documents

ssoadm attribute: XMLEncryptionClass

Include xenc:EncryptedKey Inside ds:KeyInfo Element

ssoadm attribute: EncryptedKeyInKeyInfo

XML Signing SPI implementation class

Used by the SAML2 engine to sign documents

ssoadm attribute: XMLSigningClass

XML Signing Certificate Validation

If enabled, then validate certificates used to sign documents.

ssoadm attribute: SigningCertValidation

CA Certificate Validation

If enabled, then validate CA certificates.

ssoadm attribute: CACertValidation

Enable SAMLv2 failover

If enabled, OpenAM can fail over requests to another instance.

ssoadm attribute: failOverEnabled

Buffer length to decompress request

The size is specified in bytes.

ssoadm attribute: bufferLength

SAMLv2 SOAP Binding

ssoadm service name: sunfmSAML2SOAPBindingService

Request Handler List

List of handlers to deal with SAML2 requests bound to SOAP. The key for a request handler is the meta alias, whereas the class indicates the name of the class that implements the handler.

ssoadm attribute: sunSAML2RequestHandlerList

Security Token Service

ssoadm service name: sunFAMSTSService

Issuer

Specifies the name of the security token service

ssoadm attribute: stsIssuer

End Point

Specifies the STS service endpoint

ssoadm attribute: stsEndPoint

Lifetime for Security Token

Milliseconds the security token remains valid

ssoadm attribute: stsLifetime

Certificate Alias Name

Specifies the alias for the signing certificate

ssoadm attribute: stsCertAlias

STS End User Token Plugin class

Specifies the class that converts end user tokens

ssoadm attribute: com.sun.identity.wss.sts.clientusertoken

Security Mechanism

Lists credentials used to secure the token, and credentials OpenAM accepts in the incoming request

ssoadm attribute: SecurityMech

Authentication Chain

Specifies the authentication chain OpenAM applies for incoming requests for authenticated security tokens

ssoadm attribute: AuthenticationChain

User Credential

User name and password shared secrets to validate UserName tokens in incoming requests

ssoadm attribute: UserCredential

Detect Message Replay

If yes, then OpenAM checks for and rejects replayed messages.

ssoadm attribute: DetectMessageReplay

Detect User Token Replay

If yes, then OpenAM checks for and rejects replayed user tokens.

ssoadm attribute: DetectUserTokenReplay

Is Request Signature Verified

If yes, then OpenAM verifies signatures on incoming requests.

ssoadm attribute: isRequestSign

Is Response Signed Enabled

If yes, then OpenAM signs the selected parts of the response.

ssoadm attribute: isResponseSign

Signing Reference Type

Specifies the reference type used to sign the response. One of DirectReference, KeyIdentifierRef, or X509IssuerSerialRef.

ssoadm attribute: SigningRefType

Is Request Decrypted

If yes, then OpenAM decrypts the selected parts of the request.

ssoadm attribute: isRequestEncrypt

Is Response Encrypted

If yes, then OpenAM encrypts responses.

ssoadm attribute: isResponseEncrypt

Encryption Algorithm

Specifies the algorithm used to encrypt responses

ssoadm attribute: EncryptionAlgorithm

Private Key Alias

Alias for the private key used to sign responses and decrypt requests

ssoadm attribute: privateKeyAlias

Private Key Type

Type of private key. One of publicKey, symmetricKey, or noProofKey.

ssoadm attribute: privateKeyType

Public Key Alias of Web Service Client

Alias for the certificate used to verify request signatures and encrypt responses

ssoadm attribute: publicKeyAlias

Kerberos Domain Server

Specifies the FQDN of the KDC

ssoadm attribute: KerberosDomainServer

Kerberos Domain

Specifies the domain name of the KDC

ssoadm attribute: KerberosDomain

Kerberos Service Principal

Specifies the Kerberos principal who owns the generated token. Use the format HTTP/host.domain@kdc-domain.

ssoadm attribute: KerberosServicePrincipal

Kerberos Key Tab File

Specifies the key tab file used to issue the token

ssoadm attribute: KerberosKeyTabFile

Is Verify Kerberos Signature

If yes, then OpenAM requires signed Kerberos tokens.

ssoadm attribute: isVerifyKrbSignature

SAML Attribute Mapping

Lists attribute mappings for generated assertions

This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.

ssoadm attribute: SAMLAttributeMapping

NameID Mapper

Specifies the NameID mapper for generated assertions

This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.

ssoadm attribute: NameIDMapper

Should Include Memberships

If yes, then OpenAM requires that generated assertions include user memberships.

This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.

ssoadm attribute: includeMemberships

Attribute Namespace

Specifies the namespace for generated assertions

This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.

ssoadm attribute: AttributeNamespace

Trusted Issuers

Lists issuers OpenAM can trust to send security tokens

ssoadm attribute: trustedIssuers

Trusted IP Addresses

Lists issuer IP addresses that OpenAM can trust to send security tokens

ssoadm attribute: trustedIPAddresses

Session

ssoadm service name: iPlanetAMSessionService

Secondary Configuration Instance

When session failover is configured, you can set up additional configurations for connecting to the session repository here.

Maximum Number of Search Results

Maximum number of results from a session search

ssoadm attribute: iplanet-am-session-max-session-list-size

Timeout for Search

Seconds after which OpenAM sees an incomplete search as having failed

ssoadm attribute: iplanet-am-session-session-list-retrieval-timeout

Enable Property Change Notifications

If on, then OpenAM notifies other applications participating in SSO when a session property in the Notification Properties list changes.

ssoadm attribute: iplanet-am-session-property-change-notification

Enable Quota Constraints

If on, then OpenAM allows you to set constraints on user sessions.

ssoadm attribute: iplanet-am-session-enable-session-constraint

Read Timeout for Quota Constraint

Milliseconds after which OpenAM considers a search for the live session count as having failed, if quota constraints are enabled

ssoadm attribute: iplanet-am-session-constraint-max-wait-time

Resulting behavior if session quota exhausted

You can set the next expiring session to be destroyed (DESTROY_NEXT_EXPIRING), the oldest session to be destroyed (DESTROY_OLDEST_SESSION), all previous sessions to be destroyed (DESTROY_OLD_SESSIONS), or the new session creation request to be denied (DENY_ACCESS).

ssoadm attribute: iplanet-am-session-constraint-resulting-behavior

Deny user login when session repository is down

This attribute takes effect when quota constraints are enabled.

ssoadm attribute: iplanet-am-session-deny-login-if-db-is-down

Notification Properties

Lists session properties for which OpenAM can send notifications upon modification

ssoadm attribute: iplanet-am-session-notification-property-list

DN Restriction Only Enabled

If enabled, OpenAM does not perform DNS lookups when checking restrictions in cookie hijacking mode.

ssoadm attribute: iplanet-am-session-dnrestrictiononly

Enable Session Trimming

If yes, then OpenAM stores only a limited set of session properties after session timeout and before session purging.

ssoadm attribute: iplanet-am-session-enable-session-trimming

Session Timeout Handler implementations

Lists plugin classes implementing session timeout handlers

ssoadm attribute: openam-session-timeout-handler-list

Maximum Session Time

Maximum minutes a session can remain valid before OpenAM requires the user to authenticate again

ssoadm attribute: iplanet-am-session-max-session-time

Maximum Idle Time

Maximum minutes a session can remain idle before OpenAM requires the user to authenticate again

ssoadm attribute: iplanet-am-session-max-idle-time

Maximum Caching Time

Maximum minutes before OpenAM refreshes a session that has been cached

ssoadm attribute: iplanet-am-session-max-caching-time

Active User Sessions

Maximum number of concurrent sessions OpenAM allows a user to have

ssoadm attribute: iplanet-am-session-quota-limit
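An added example (not OpenAM code) that ties together the Active User Sessions quota, the four resulting-behavior values and the deny-login-when-repository-down option described earlier in this section: given a user's live sessions and the quota, it returns which sessions to destroy or refuses the new login. The session records are constructed, and treating an unreadable session count as "allow without enforcing" when the deny option is off is an assumption of the example.

```python
"""Enforce the Active User Sessions quota (iplanet-am-session-quota-limit) with
the four iplanet-am-session-constraint-resulting-behavior values.

Added example, not OpenAM code; the session records are constructed."""
from dataclasses import dataclass

DESTROY_NEXT_EXPIRING = "DESTROY_NEXT_EXPIRING"
DESTROY_OLDEST_SESSION = "DESTROY_OLDEST_SESSION"
DESTROY_OLD_SESSIONS = "DESTROY_OLD_SESSIONS"
DENY_ACCESS = "DENY_ACCESS"


@dataclass(frozen=True)
class Session:
    sid: str
    created: int   # seconds since epoch (constructed)
    expires: int   # seconds since epoch (constructed)


class QuotaExceeded(Exception):
    pass


class RepositoryUnavailable(Exception):
    pass


def apply_quota(active, quota_limit, behavior, *, repository_up=True, deny_if_db_down=False):
    """Decide what happens when a user with `active` live sessions asks for a new one.

    Returns the session ids to destroy (possibly none) so the new session fits
    the quota, or raises QuotaExceeded for DENY_ACCESS. `deny_if_db_down`
    mirrors "Deny user login when session repository is down": when the live
    session count cannot be read, fail closed rather than let the quota be
    exceeded unnoticed. Allowing the login when that option is off is this
    example's assumption."""
    if not repository_up:
        if deny_if_db_down:
            raise RepositoryUnavailable("session repository down; login denied")
        return []  # count unknown; login allowed without enforcing the quota
    if quota_limit <= 0 or len(active) < quota_limit:
        return []  # no quota configured, or quota not yet reached
    if behavior == DENY_ACCESS:
        raise QuotaExceeded(f"{len(active)} sessions active, limit {quota_limit}")
    if behavior == DESTROY_OLD_SESSIONS:
        return [s.sid for s in active]
    # Destroy only as many sessions as needed to make room for one more.
    surplus = len(active) - quota_limit + 1
    if behavior == DESTROY_NEXT_EXPIRING:
        victims = sorted(active, key=lambda s: s.expires)
    elif behavior == DESTROY_OLDEST_SESSION:
        victims = sorted(active, key=lambda s: s.created)
    else:
        raise ValueError(f"unknown resulting behavior: {behavior!r}")
    return [s.sid for s in victims[:surplus]]


# Constructed live sessions for one user: s1 is the oldest, s2 expires first.
ACTIVE = [
    Session("s1", created=1000, expires=5000),
    Session("s2", created=1500, expires=3000),
    Session("s3", created=2000, expires=6000),
]

if __name__ == "__main__":
    for behavior in (DESTROY_NEXT_EXPIRING, DESTROY_OLDEST_SESSION, DESTROY_OLD_SESSIONS):
        print(behavior, "->", apply_quota(ACTIVE, 3, behavior))
```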

User

ssoadm service name: iPlanetAMUserService

User Preferred Timezone

Time zone for accessing OpenAM console

ssoadm attribute: preferredtimezone

Administrator DN Starting View

Specifies the DN for the initial screen when the OpenAM administrator successfully logs in to the OpenAM console

ssoadm attribute: iplanet-am-user-admin-start-dn

Default User Status

Inactive users cannot authenticate, though OpenAM stores their profiles. Default: Active

ssoadm attribute: iplanet-am-user-login-status