Chapter 7. Service Endpoints

Table of Contents
7.1. JSP Endpoints
7.2. Main Directory JSP Endpoints
7.3. User Interface JSP Endpoints
7.4. Default Authentication JSP Endpoints
7.5. Default Federation JSP Endpoints
7.6. Console Agent Configuration JSP Endpoints
7.7. Console Ajax JSP Endpoints
7.8. Console Authentication JSP Endpoints
7.9. Base Console JSP Endpoints
7.10. Delegation Console JSP Endpoints
7.11. Federation Console JSP Endpoints
7.12. Policy Console JSP Endpoints
7.13. IDM Console JSP Endpoints
7.14. Console Realm JSP Endpoints
7.15. Service Console JSP Endpoints
7.16. Session Console JSP Endpoints
7.17. Task Console JSP Endpoints
7.18. User Console JSP Endpoints
7.19. Web Services Console JSP Endpoints
7.20. OAuth JSP Endpoints
7.21. Password JSP Endpoints
7.22. SAML2 JSP Endpoints
7.23. WS Federation JSP Endpoints
7.24. WEB-INF Endpoints
7.25. JSON REST Endpoints
7.26. Well-Known Endpoints

A service endpoint is a URL which serves as the access port for a web service. It may be a standard HTML-based web page, or it may be a *.jsp page.

As every service endpoint is a potential security issue, it may be appropriate to restrict access to some of those endpoints that you do not use. But be careful. Some endpoints, such as isAlive.jsp in the main /path/to/tomcat/webapps/openam directory, are essential and should not be blocked or changed.

Given the large number of available endpoints, this chapter has been organized primarily by subdirectory. Most of the directories were created when the OpenAM war archive was copied to the appropriate web application container, such as the webapps/ subdirectory.

OpenAM may expose several hundred service endpoints, listed in this chapter. Each endpoint shown is listed relative to the deployment URL. For example, if you have deployed OpenAM at https://openam.example.com:8443/openam/, the full URL to the isAlive.jsp endpoint is https://openam.example.com:8443/openam/isAlive.jsp.

OpenAM includes two types of endpoints. One is based on URL patterns, shown with the url-pattern tag. You can find these patterns in the web.xml file, in the /path/to/tomcat/webapps/openam/WEB-INF directory. The other type is based on *.jsp pages, starting in the main /path/to/tomcat/webapps/openam directory, and also in many associated subdirectories. If you copied or created a WAR archive under a name other than openam.war, as described in the installation guide, substitute that name for the second openam in these paths.
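An added example, not from the OpenAM documentation or code base, of inventorying the url-pattern type of endpoint from a web.xml file so that patterns you do not use can be reviewed for restriction. The servlet names, classes and patterns in the constructed sample are placeholders rather than OpenAM's own, and the keep-list passed to unreviewed_patterns is an assumption.

```python
"""Inventory url-pattern endpoints declared in a servlet web.xml.

Added example; not from the OpenAM documentation or code base. It parses
a constructed web.xml fragment (the servlet names and classes below are
placeholders, not OpenAM's real ones), joins each <servlet-mapping> to the
servlet class it routes to, and reports patterns that are not on an explicit
keep-list, so an administrator can review what to restrict.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample in the standard Servlet 2.5 web.xml layout.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>ExampleAlive</servlet-name>
    <servlet-class>com.example.AliveServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>ExampleLegacy</servlet-name>
    <servlet-class>com.example.LegacyServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ExampleAlive</servlet-name>
    <url-pattern>/alive/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ExampleLegacy</servlet-name>
    <url-pattern>/legacy/*</url-pattern>
    <url-pattern>/legacy2</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Undeclared</servlet-name>
    <url-pattern>/orphan</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the namespace prefix that ElementTree attaches to tag names."""
    return tag.rsplit("}", 1)[-1]


def _children(elem: ET.Element, name: str) -> List[ET.Element]:
    """Direct children whose local tag name matches, ignoring namespaces."""
    return [c for c in elem if _local(c.tag) == name]


def _text(elem: ET.Element, name: str) -> Optional[str]:
    """Trimmed text of the first matching child, or None if absent."""
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else None


def parse_url_patterns(xml_text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (url-pattern, servlet-name, servlet-class) in document order.

    servlet-class is None when a mapping names a servlet that is never
    declared in the file; such a mapping is worth flagging on its own.
    """
    root = ET.fromstring(xml_text)
    classes = {}
    for servlet in _children(root, "servlet"):
        name = _text(servlet, "servlet-name")
        if name:
            classes[name] = _text(servlet, "servlet-class")
    entries = []
    for mapping in _children(root, "servlet-mapping"):
        name = _text(mapping, "servlet-name") or ""
        # Servlet 2.5 permits several <url-pattern> elements per mapping.
        for pattern in _children(mapping, "url-pattern"):
            if pattern.text:
                entries.append((pattern.text.strip(), name, classes.get(name)))
    return entries


def unreviewed_patterns(entries, keep: set) -> List[str]:
    """Patterns not on the keep-list, i.e. candidates for access restriction."""
    return [p for p, _name, _cls in entries if p not in keep]


if __name__ == "__main__":
    found = parse_url_patterns(SAMPLE_WEB_XML)
    for pattern, name, cls in found:
        print(f"{pattern:12} -> {name} ({cls or 'UNDECLARED SERVLET'})")
    # Assumed keep-list: only the liveness pattern is known to be essential.
    print("review:", unreviewed_patterns(found, {"/alive/*"}))
```

Point parse_url_patterns at the text of your own deployment's WEB-INF/web.xml to get the real list; the *.jsp type of endpoint is not declared there and has to be inventoried from the directory tree instead.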

Some of these endpoints can be accessed directly by URL once you've connected to the OpenAM server; for example, if you've configured OpenAM on http://idp.example.com:8080/openam, you can log in and review debug options by navigating to http://idp.example.com:8080/openam/Debug.jsp.

Other endpoints can only be used when called by some option in the OpenAM console. For example, while the AgentAdd.jsp endpoint exists in the console/agentconfig subdirectory, you would get an error by navigating directly to a URL such as http://sp.example.com:8080/openam/console/agentconfig/AgentAdd.jsp. For that particular endpoint, you'll have to click through the options required to add an agent (Access Control > realm name > Agents > Agent > New).

In general, this chapter does not include dynamic endpoints, such as those that may include security tokens. The endpoints described in this chapter are based on files included in the installation of an OpenAM server.

There have been two security advisories related to OpenAM endpoints: OpenAM Security Advisory #201203 and OpenAM Security Advisory #201204.

Several options are available for endpoints at risk. Recommendations from the noted security advisories include the following:

Of course, you can take additional steps to help secure your OpenAM deployment. For more information, see the chapter on Securing OpenAM in the Administration Guide.

7.1. JSP Endpoints

The OpenAM WAR archive includes *.jsp files in a number of different categories. Many are associated with the applicable subdirectory, such as console/realm. The following sections will examine each *.jsp file, divided by subdirectories.

In some highlighted cases, the noted *.jsp file is referenced in the code of one or more .java files. If you remove such a *.jsp file from the container, there is a risk that doing so will break some functionality within OpenAM. In other cases, such as any files related to the GUI installation wizard, the applicable *.jsp file can be safely removed from a production system.

7.2. Main Directory JSP Endpoints

If you're working in Tomcat, you'll find the endpoints in this subsection in the /path/to/tomcat/webapps/openam directory. For other web application containers, you may find the endpoints in a different openam subdirectory.

Debug.jsp

Supports debug logging by service. For more information, see the Administration Guide chapter on Debug Logging by Service.

encode.jsp

Enables access to a page that encodes text passwords. The algorithm is based on PBEWithMD5AndDES, password-based encryption (PBE) using the MD5 message-digest algorithm, configured with the Data Encryption Standard (DES).

getServerInfo.jsp

Supports requests for server information. As getServerInfo.jsp is encoded in some .java files, you should retain getServerInfo.jsp in your deployment.

isAlive.jsp

Verifies the current status of the OpenAM service; the "Server is ALIVE:" message also verifies activity on OpenAM systems behind load balancers. This can be a useful tool in a production environment.

proxyidpfinder.jsp

Supports access to a remote identity provider, through the federation broker.

services.jsp

Lists active services within OpenAM. The details shown on this page can be used with the ssoadm command to create a second OpenAM server with matching services. Be aware that the amadmin administrative user is hard-coded into this file. If you change the identity of the administrative user to something other than amadmin, that user won't have access to services.jsp.

showServerConfig.jsp

Specifies configuration information for the system, including the URL, the OS, the Java VM, the configuration directory, and more.

ssoadm.jsp

Supports GUI-based access to the options associated with the ssoadm command. The ssoadm.jsp file is disabled by default. Instructions for enabling this feature are available from the Administration Guide entry on OpenAM ssoadm.jsp.

validateWait.jsp

May be called by the validator.jsp or validatorMain.jsp files, to display progress in verifying the status of federation.

validator.jsp

Refers to the ValidateSAML2 function to identify the realm, IdP and SP for the federation.

validatorAuthFail.jsp

Starts an "Authentication Failed" message.

validatorFooter.jsp

Incorporates a "Back to Login" button in validatorMain.jsp.

validatorMain.jsp

Sets up a federation connectivity test. If you've set up a Federation Circle of Trust, this file is accessible from the "Test Federation Connectivity" option in the main OpenAM console.

validatorRpt.jsp

Opens a "Connectivity Test Results" window, specifying the status of a federation circle of trust. Tests relate to IdP authentication, SP authentication, account linking, single log out, single sign on, and account unlinking.

validatorStatus.jsp

Adds information to validator.jsp and validatorMain.jsp with federation status information as it relates to the currently configured circle of trust.

All of the validat*.jsp files near the end of this list relate to testing and verifying federation. Federation testing requires at least one identity provider (IDP) and one service provider (SP). At least one of these components must be configured remotely to set up a valid Circle of Trust (COT). If federation does not apply to your configuration, the validat*.jsp files are not essential to your configuration.

7.3. User Interface JSP Endpoints

The endpoints in this section can be found in several com_sun_web_ui/jsp/ subdirectories. These endpoints appear to relate to JavaHelp; per OPENAM-806, this functionality was removed from OpenAM, starting with version 9.5.3. Thus, the endpoints in this section, with one possible exception (Masthead.jsp in the com_sun_web_ui/jsp/version subdirectory) may no longer serve any purpose.

DateTimeWindow.jsp

The only endpoint in the com_sun_web_ui/jsp/datetime subdirectory. May be a legacy endpoint; it calls a DateTimeWindowViewBean class; the corresponding .java file does not exist in the current trunk.

Help.jsp

One of two endpoints in the com_sun_web_ui/jsp/help subdirectory. May be a legacy endpoint; it calls a HelpViewBean class; the corresponding .java file does not exist in the current trunk.

Masthead.jsp

One of two endpoints in the com_sun_web_ui/jsp/help subdirectory. Also exists in a slightly different format in the com_sun_web_ui/jsp/help2 subdirectory, as well as the com_sun_web_ui/jsp/version subdirectory. May be a legacy endpoint; it calls a MastheadViewBean class; the Masthead.jsp file and the corresponding MastheadViewBean.java were last changed in 2004. (However, the Masthead.jsp file in the com_sun_web_ui/jsp/version subdirectory references the VersionViewBean class, VersionViewBean.java, which is also used by the Version.jsp endpoint in the console/base subdirectory.)

ButtonNav.jsp

Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a ButtonNavViewBean class; the associated .java file no longer exists in the trunk.

Help2Ie.jsp

Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a Help2ViewBean class; the associated .java file no longer exists in the trunk.

Help2Nav4.jsp

Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a Help2ViewBean class; the associated .java file no longer exists in the trunk.

Help2Nav6up.jsp

Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a Help2ViewBean class; the associated .java file no longer exists in the trunk.

Navigator.jsp

Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a NavigatorViewBean class; the associated .java file no longer exists in the trunk.

AdvancedSort.jsp

Specifies an endpoint in the com_sun_web_ui/jsp/table directory.

Table.jsp

Specifies an endpoint in the com_sun_web_ui/jsp/table directory. Points to a TableViewBean class; the associated .java file no longer exists in the trunk.

WizardWindow.jsp

Points to an endpoint in the com_sun_web_ui/jsp/wizard subdirectory. Points to a WizardWindowViewBean class, which appears to be unused by any other .jsp file.

7.4. Default Authentication JSP Endpoints

Many of the .jsp files in this category can be customized to change the messages that appear to users in the OpenAM console. Standard messages for most of these endpoints can be found in the amAuth.properties and amAuthUI.properties files. You'll find the endpoints in this subsection in the config/auth/default subdirectory.

account_expired.jsp

Specifies an error page for account expiration. The message displayed to the user can be modified in the amAuthUI.properties file.

authException.jsp

An alternative to Exception.jsp; called if there is an existing resource bundle, as specified in AuthExceptionViewBean.java.

auth_error_template.jsp

Specifies an error page for authentication errors. The message displayed to the user can be modified in the amAuthUI.properties file.

disclaimer.jsp

Associated with the self-registration module, which can be configured in the OpenAM Console, under Access Control > Realm Name > Authentication > Module Instances. The default disclaimer is associated with the disclaimer.notice parameter, defined in the amAuthUI.properties file.

disclaimerDeclined.jsp

Associated with the self-registration module, which can be configured in the OpenAM Console, under Access Control > Realm Name > Authentication > Module Instances. The default disclaimer_denied message is associated with the disclaimer.declined parameter, defined in the amAuthUI.properties file.

Exception.jsp

Includes the following error message: "Authentication Service is not initialized." Cited by several other .java files in the code, so it should not be removed in a secure deployment.

invalidAuthlevel.jsp

Used to specify an issue with the authentication level. The default invalidauthlevel and contactadmin messages can be redefined in the amAuthUI.properties file.

invalidPCookieUserID.jsp

Notes a problem with a specified user name for a cookie, which presumably does not exist in the relevant domain. The default cookie.notpersistent and contactadmin messages can be modified in the amAuthUI.properties file.

invalid_domain.jsp

Displays a "No such Organization found" message when a domain is not defined in the OpenAM database. Refers to the nosuch.domain parameter in the amAuthUI.properties file.

login_denied.jsp

Defines the response of OpenAM to a user who enters an undefined profile. Uses the userhasnosuchprofile.org and contactadmin parameters in the amAuthUI.properties file.

login_failed_template.jsp

Provides a message in the event of a login failure. The message uses the auth.failed parameter in the amAuthUI.properties file.

Login.jsp

Specifies a regular authentication template. As noted in the Administration Guide entry on Securing OpenAM Administration, the Login.jsp file may be customized for different deployments.

Logout.jsp

The Logout.jsp file may also be customized for different deployments.

maxSessions.jsp

Specifies the message given to users when the number of sessions has hit the preconfigured limit. The default is 5000, defined in the OpenAM console under Configuration > Servers and Sites > Default Server Settings > Session. The message uses the session.max.limit parameter defined in the amAuthUI.properties file.

membership.jsp

Specifies information for the page associated with the self-registration module.

Message.jsp

Calls text messages related to the authentication process.

module_denied.jsp

Includes a message to a target user that he does not have access to a specified module. The message uses the authmodule.denied parameter defined in the amAuthUI.properties file.

module_template.jsp

Adds a page which can be used to help customize appropriate modules.

new_org.jsp

Includes a warning when a user is trying to access a different realm. The message uses the newOrg.agree parameter, as defined in the amAuthUI.properties file.

noConfig.jsp

Specifies the lack of a defined configuration module. The message uses the noconfig.found parameter, defined in the amAuthUI.properties file.

OAuthActivate.jsp

Shows a default template for entering an activation code. Used by OAuth.xml for password changes. As this file is not configured for OAuth2, the file is deprecated and may be removed from a future release.

OAuthPwd.jsp

Displays a password change screen, with an option for terms and conditions of service. As this file is not configured for OAuth2, it is deprecated and may be removed from a future release.

org_inactive.jsp

Transmits the message that the target organization is not active in the OpenAM database.

profileError.jsp

Specifies the message that is sent when there's a failure in the use of the self-registration module. Associated with the profile.error parameter, defined in the amAuthUI.properties file.

Redirect.jsp

Notes a file used by other code to redirect users for events such as login failures.

register.jsp

Identifies the page with the self-registration template.

session_timeout.jsp

Adds a message to a user when a session has gone past its allocated login time. Uses the session.timeout parameter, defined in the amAuthUI.properties file.

userDenied.jsp

Associated with role-based authentication. Tells a user when the required role has not been configured for that user. Message defined by the user.not.inrole parameter, defined in the amAuthUI.properties file.

user_inactive.jsp

Identifies a message sent to a user that is not currently active in the database. Message defined by the usernot.active parameter, as shown in the amAuthUI.properties file.

7.5. Default Federation JSP Endpoints

Many of the files in this config/federation/default subdirectory use the com.sun.liberty.LibertyManager interface. In general, you'll want to keep these files in a production deployment, to support adding to and deleting users from different Circles Of Trust (COT). Many of these files are customizable for different organizational interfaces. Interfaces in different languages may be configured in slightly different subdirectories such as config/federation/default_fr.

cdclogin.jsp

Supports a non-blank page for cross-domain single sign-ons; associated with a Cross-Domain Controller (CDC) servlet.

CommonLogin.jsp

Supports links to login pages of trusted identity providers.

Error.jsp

Sets up an error message, using the com.sun.liberty.LibertyManager interface.

Federate.jsp

Supports a connection to providers that can be configured in a federation.

FederationDone.jsp

Specifies the status of a federation request; the default response is either "The user has cancelled account federation." or "Federation has been successfully completed with the remote provider."

Footer.jsp

Sets up code that you can use to include a custom footer on all pages.

Header.jsp

Sets up code that you can use to include a custom header on all pages; the default version is configured with the OpenAM logo.

ListOfCOTs.jsp

When a service provider (SP) belongs to more than one COT, this page prompts the user to select a preferred identity provider (IDP).

LogoutDone.jsp

Specifies success or failure during a logout operation. Where a user has an account on multiple providers, he may see the following message: "Unable to log the user out from one or more providers where the user may still have active sessions."

NameRegistration.jsp

Supports registration with a new remote provider; this endpoint is associated with NameRegistrationDone.jsp.

NameRegistrationDone.jsp

Displays different messages based on a registration attempt with a remote provider. The message varies depending on whether the request was successful, a failure, or cancelled.

Termination.jsp

Supports defederation from an existing remote provider; goes with TerminationDone.jsp.

TerminationDone.jsp

Displays different messages based on a defederation attempt with a remote provider. The message varies depending on whether the request was successful, a failure, or cancelled.

7.6. Console Agent Configuration JSP Endpoints

The JSP files in the console/agentconfig subdirectory relate to the configuration of Web Agents. To see what is done by each JSP file, log into the console as the administrator. Select Access Control > [Some Realm] > Agents. Several of the options that appear correspond to the JSP files in the target subdirectory.

Some of the endpoints include messages from relevant sections of the amConsole.properties file. The agents in this directory are part of the com.sun.identity.console.agentconfig package.

Several endpoints relate to Web Service Client (WSC) policy agents, which secure outgoing requests and validate incoming requests from Web Service Providers (WSP). For more information, see the chapter on Configuring Policy Agent Profiles in the Administrative Guide.

If you are not using agent functionality such as that related to the Security Token Service (STS), the related endpoints listed in this section may not be essential in a production deployment.

AgentAdd.jsp

Includes a newly created web agent for a specified realm. The AgentAdd page appears in the OpenAM console after an agent is added to a realm.

AgentConfigInherit.jsp

Allows an administrator to review default settings for the agent, as configured in the Inheritance Settings page. Inheritance assumes that the agent is part of a previously configured group. To access Inheritance Settings, refer to the "Creating Agent Profiles" section of the Administration Guide.

AgentDump.jsp

Displays information about the current configuration of an agent or an agent group, and how it might be exported.

AgentExportPolicy.jsp

Shows how the information about an agent may be exported.

AgentGroup.jsp

Includes a newly created agent group for common web agents within a specified realm. The AgentGroup page appears in the OpenAM console after an agent is added to a realm.

AgentGroupMembers.jsp

Supports the display of agents that are members of a specified agent group.

Agents.jsp

Enables access to a form to specify a new agent to add. The same form is used for every category of new agents configured from the OpenAM console, when you navigate to Access Control > [Realm name] > Agents.

Home.jsp

Per comments in the HomeViewBean, this file should forward requests for other agents.

WebServiceClientEdit.jsp

Includes customizable options for web service clients. Accessible when you edit and then save or export the configuration for a specific web service client.

WebServiceProviderEdit.jsp

Includes customizable options for web service providers. Accessible when you edit and then save or export the configuration for a specific web service provider.

WebServiceSTSEdit.jsp

Includes customizable options for web service STS providers. Accessible when you edit and then save or export the configuration for a specific web service STS provider.

WebServiceUserCredAdd.jsp

Supports the configuration of a WSP agent username and password.

WebServiceUserCredEdit.jsp

Supports changes to a WSP agent username and password.

7.7. Console Ajax JSP Endpoints

The only JSP file that appears to be active in this subdirectory is AjaxProxy.jsp, which appears to be used by several other endpoints.

AjaxProxy.jsp

Specifies an element used by several other endpoints, including ConfigureGoogleApps.jsp and ConfigureSalesForceApps.jsp.

FileUpload.jsp

Used by the FileUploader.jsp endpoint, described in the section on Federation Console JSP Endpoints.

7.8. Console Authentication JSP Endpoints

You can find console authentication endpoints in the console/authentication subdirectory. The associated endpoints relate to authentication settings in a realm. To access these endpoints, navigate to Access Control > [some realm] > Authentication.

AuthConfig.jsp

Part of the creation of a New Authentication Chain; associated with the Authentication Chaining section of the Authentication tab for a realm.

AuthProperties.jsp

Specifies properties that might be configured under the authentication tab for a specific or top-level realm.

CoreAttributes.jsp

Associated with the Core section of the Authentication tab of a specific or the top-level realm. Includes options for Realm Attributes, Persistent Cookies, Account Lockout, and Post-Authentication Processing.

EditAuthType.jsp

Supports changes to Module Instances, under the Authentication tab of a specific or the top-level realm.

NewAuthConfig.jsp

Associated with the creation of a New Authentication Chain, an option available from the Authentication Chaining section of the Authentication tab.

NewAuthInstance.jsp

Supports the implementation of a new authentication module, available from the Module Instances section of the Authentication tab.

ReorderAuthChains.jsp

Supports a change in sequence of authentication criteria; to access, select an existing Authentication Chaining service under the Authentication tab for a specified realm.

7.9. Base Console JSP Endpoints

The endpoints in this subdirectory (console/base) relate to options associated with the "home page" for the OpenAM GUI console; in essence, these are the options available when you log in as the administrative user (typically amadmin).

AMAdminFrame.jsp

Defaults to the opening page for the OpenAM console.

AMInvalidURL.jsp

Provides an "Invalid URL" error message.

AMLogin.jsp

Redirects users to the default login page; assumes no user is currently logged into OpenAM.

AMPost.jsp

Endpoint that either reports the success of a POST or returns an "Invalid or Missing Input" error.

AMUncaughtException.jsp

Default uncaught exception error message endpoint: "An error occurred while processing this request. Contact your administrator."

Authenticated.jsp

Displays a "You're logged in" information message.

CloseWindow.jsp

Endpoint that closes existing windows.

Message.jsp

Specifies a template endpoint used for messages.

Version.jsp

Specifies current version information, copyright notice, and licensing.

7.10. Delegation Console JSP Endpoints

The two service endpoints under the console/delegation subdirectory relate to the privileges associated with configured realms.

Delegation.jsp

Associated with the privileges for a realm. The privileges can be assigned for different groups of users, as configured via Access Control > [realm] > Subjects > Group.

DelegationProperties.jsp

Supports changes in properties for group privileges, described in the Delegation.jsp endpoint. To get to these properties, select Access Control > [some realm] > Privileges > [name of group].

7.11. Federation Console JSP Endpoints

The JSP files in this section relate to federation and live in the console/federation subdirectory. Specifically, when you access the OpenAM GUI console and click the Federation tab, the options that you select call the JSP files in this directory. References in each JSP file in that subdirectory are associated with the Federation tab.

Generally, the JSP files in this directory are essential if you want to add or modify federation partners in your Circles of Trust (COT), SAMLv2 / ID-FF / WS-Federation entity providers, and SAML 1.x configured partners.

If you're not using the legacy elements of federation, such as Liberty ID-FF, WS-Federation, and SAML 1.x, you may be able to delete related service endpoints in a more secure deployment.

Many of the endpoints in this section are accessible from the OpenAM console, under the Federation tab. Some of the endpoints are accessible only after you've created an appropriate entity provider, such as SAMLv2, ID-FF, or WS-Federation.

CreateCOT.jsp

When you create a Circle of Trust (COT) via Federation > New, you can access the COT Configuration window. You can then access all configured COTs.

CreateSAML2MetaData.jsp

Used when creating a new entity provider, configured with the SAML2 protocol.

FSAuthDomainsEditViewBean.jsp

Associated with an edit of a COT; to access, select a previously configured COT.

FSSAMLSelectTrustedPartnerType.jsp

Opened when you configure a new Trusted Partner under the SAML 1.x Configuration section.

FSSAMLService.jsp

Associated with FSSAMLServiceViewBean, which is used by a number of other JSP files in the console/federation subdirectory.

FSSAMLSetTrustedPartnerType.jsp

Associated with the FSSAMLSetTrustedPartnersEdit.jsp file; used when you select a configured SAML 1.x Configuration trusted partner.

FSSAMLSiteIDAdd.jsp

Supports the addition of a Site ID for a SAML-configured partner.

FSSAMLSiteIDEdit.jsp

Supports the modification of a Site ID for a SAML-configured partner.

FSSAMLTargetURLsAdd.jsp

Includes a new POST to a specified URL.

FSSAMLTargetURLsEdit.jsp

Supports editing of a POST to a specified URL.

FSSAMLTrustedPartnersAdd.jsp

Called when you create a new "trusted partner" in the SAML 1.x Configuration area of the Federation window.

FSSAMLTrustedPartnersEdit.jsp

Called when you edit an existing "trusted partner" in the SAML 1.x Configuration area of the Federation window.

Federation.jsp

Cited when you click New in the "Circle of Trust" section of the Federation window.

FileUploader.jsp

Called by the ImportEntity.jsp file, to support uploads of metadata files associated with a previously configured entity provider.

IDFFAffiliate.jsp

Specifies an IDFF affiliate in a COT.

IDFFGeneral.jsp

Includes general parameters associated with an IDFF affiliate in a COT. The corresponding IDFFGeneralViewBean parameter is cited only in this and the IDFFGeneralViewBean.java files.

IDFFIDP.jsp

Associated with the Identity Provider (IDP) for IDFF.

IDFFSP.jsp

Associated with the Service Provider (SP) for IDFF.

ImportEntity.jsp

Supports the import of pre-existing metadata files which define an entity provider. Allows you to import metadata from a URL to a desired Realm.

SAMLv2Affiliate.jsp

Enables a view of SAML version 2 affiliates.

SAMLv2AttrAuthority.jsp

Associated with an IDP acting as an attribute authority.

SAMLv2AttrQuery.jsp

Supports queries and saves of SAML2 attribute metadata.

SAMLv2AuthnAuthority.jsp

Enables communication with an IDP acting as an authentication authority.

SAMLv2General.jsp

Identifies general properties of a SAML version 2 affiliate.

SAMLv2IDPAdvanced.jsp

Supports the configuration of advanced properties for a SAMLv2 IDP.

SAMLv2AssertionContent.jsp

Associated with the Assertion Content tab, accessible when you select Federation > Entity Providers > Provider Name.

SAMLv2AssertionProcessing.jsp

Associated with the Assertion Processing tab, accessible when you select Federation > Entity Providers > Provider Name.

SAMLv2IDPServices.jsp

Supports the configuration of IDP service properties for a SAML2 provider.

SAMLv2PDP.jsp

Enables the configuration of a SAMLv2-based Policy Decision Point (PDP).

SAMLv2PEP.jsp

Enables the configuration of a SAMLv2-based Policy Enforcement Point (PEP).

SAMLv2SPAdvanced.jsp

Supports the configuration of advanced properties for a SP. Accessible when you select Federation > Entity Providers > Provider Name > SP > Advanced.

SAMLv2SPAssertionContent.jsp

Associated with the Assertion Content tab; supports the configuration of assertion content for SPs. It is accessible when you select Federation > Entity Providers > Provider Name > SP > Assertion Content.

SAMLv2SPAssertionProcessing.jsp

Associated with the Assertion Content tab; supports the configuration of assertion processing-related properties for SPs. It is accessible when you select Federation > Entity Providers > Provider Name > SP > Assertion Processing.

SAMLv2SPServices.jsp

Supports the configuration of services-related properties for an SP. It is accessible when you select Federation > Entity Providers > Provider Name > SP > Services.

WSFedGeneral.jsp

Associated with the configuration of a legacy WS-Federation entity provider.

WSFedIDP.jsp

Supports the configuration of an IDP under WS-Federation.

WSFedSP.jsp

Supports the configuration of an SP under WS-Federation.

7.12. Policy Console JSP Endpoints

The JSP service endpoints in the console/policy subdirectory relate to policies under a specific realm. To view the options listed in this section, start the GUI console and navigate to Access Control > [Name of Realm] > Policies.

For more information, see the chapter on Defining Authorization Policies in the OpenAM Administration Guide.

AuthToRealm.jsp

Supports a policy that depends on the realm where the user authenticated.

AuthToRealmAdd.jsp

Adds a policy that depends on the realm where the user authenticated.

AuthToRealmEdit.jsp

Edits an existing policy that depends on the realm where the user authenticated.

AuthToServiceAdd.jsp

Enables a policy that depends on an authentication realm for a user.

AuthToServiceEdit.jsp

Edits a policy that depends on an authentication realm for a user.

ConditionAdd.jsp

Supports adding a condition to a policy realm. Associated with the SelectConditionType.jsp file.

ConditionEdit.jsp

Edits a condition that has been added to a policy realm. Associated with the SelectConditionType.jsp file.

ConditionProxy.jsp

Supports a proxy of a condition that has been added to a policy realm. Cited only by the ConditionProxyViewBean.java file.

IdentityMembershipConditionAdd.jsp

Supports a policy that depends on a list of selected OpenAM subjects, as well as group membership.

IdentityMembershipConditionEdit.jsp

Edits an existing policy that depends on a list of selected OpenAM subjects, as well as group membership.

IdentitySubject.jsp

Supports the configuration of a policy based on users or groups.

IdentitySubjectAdd.jsp

Adds a subject, based on selected users or groups, to a policy.

IdentitySubjectEdit.jsp

Edits an existing subject of a policy that is based on selected users or groups.

IDRepoResponseProviderAdd.jsp

Adds a response provider, which returns additional information with a policy decision, such as why a request was allowed or denied.

IDRepoResponseProviderEdit.jsp

Edits an identity repository response provider, which returns additional information with a policy decision, such as why a request was allowed or denied.

PMAuthenticatedUsersSubjectAdd.jsp

Supports the configuration of a new policy for authenticated users.

PMAuthenticatedUsersSubjectEdit.jsp

Supports the editing of an existing policy for authenticated users.

PMDefaultAuthLevelCondition.jsp

Supports a policy that depends on the realm where the user authenticated, with a minimum or maximum acceptable authentication level.

PMDefaultAuthLevelConditionAdd.jsp

Adds a policy that depends on the realm where the user authenticated, with a minimum or maximum acceptable authentication level.

PMDefaultAuthLevelConditionEdit.jsp

Edits an existing policy that depends on the realm where the user authenticated, with a minimum or maximum acceptable authentication level.

PMDefaultAuthSchemeCondition.jsp

Supports the configuration of a condition that depends on the authentication scheme (module instance) with which the user authenticated.

PMDefaultAuthSchemeConditionAdd.jsp

Adds a condition that depends on the authentication scheme (module instance) with which the user authenticated.

PMDefaultAuthSchemeConditionEdit.jsp

Edits an existing condition that depends on the authentication scheme (module instance) with which the user authenticated.

PMDefaultIPCondition.jsp

Supports a policy based on clients in a specific range of IP addresses or associated with a specific DNS domain name.

PMDefaultIPConditionAdd.jsp

Adds a policy based on clients in a specific range of IP addresses or associated with a specific DNS domain name.

PMDefaultIPConditionEdit.jsp

Edits an existing policy based on clients in a specific range of IP addresses or associated with a specific DNS domain name.

PMDefaultSessionCondition.jsp

Supports the configuration of an Active Session policy condition.

PMDefaultSessionConditionAdd.jsp

Adds a new policy related to an Active Session policy condition.

PMDefaultSessionConditionEdit.jsp

Edits an existing policy related to an Active Session policy condition.

PMDefaultTimeCondition.jsp

Relates to a policy associated with time restrictions on a user or group.

PMDefaultTimeConditionAdd.jsp

Adds a policy for time restrictions on a user or a group.

PMDefaultTimeConditionEdit.jsp

Edits an existing policy related to time restrictions on a user or a group.

PMDSAMERoleSubject.jsp

Used for user/group roles associated with the Directory Server Access Management Edition.

PMLDAPGroupSubject.jsp

Relates to a policy dependent on group membership within the LDAP database.

PMLDAPOrgSubject.jsp

Relates to a policy dependent on organizational (OU) membership within the LDAP database.

PMLDAPRoleSubject.jsp

Relates to a policy dependent on user roles configured within the LDAP database.

Policy.jsp

Displays currently configured policies for the target realm.

PolicyNormalAdd.jsp

Shows what policy has been added from the Policies tab, after configuring a new policy with the New Policy button.

PolicyNormalEdit.jsp

Supports the creation of a new policy rule, or the edit of an existing policy rule. To access, click New in any policy category, or select an existing policy.

PolicyReferralAdd.jsp

Displays a newly configured referral policy.

PolicyReferralEdit.jsp

Supports editing of an existing referral policy.

PolicySelectType.jsp

Supports selection of a policy, by name, in either a "normal" or a "referral" category.

ReferralAdd.jsp

Adds referrals to and from an existing policy.

ReferralEdit.jsp

Edits referrals associated with an existing policy.

ReferralProxy.jsp

Supports changes in referrals to and from an existing policy.

ResponseProviderAdd.jsp

Associated with IDRepoResponseProviderAdd.jsp.

ResponseProviderEdit.jsp

Associated with IDRepoResponseProviderEdit.jsp.

ResponseProviderProxy.jsp

Supports changes in response providers for an existing policy.

RuleAdd.jsp

Displays a newly created policy, in the Edit Policy window.

RuleEdit.jsp

Supports edits of an existing policy.

RuleWithPrefixAdd.jsp

Associated with the SelectServiceType.jsp endpoint.

RuleWithPrefixEdit.jsp

Associated with the SelectServiceType.jsp endpoint.

RuleNoResourceAdd.jsp

Associated with the SelectServiceType.jsp endpoint.

RuleNoResourceEdit.jsp

Associated with the SelectServiceType.jsp endpoint.

SelectConditionType.jsp

Opens the page for selecting the type of condition to add to a policy, such as an authentication level, IP address, session, or time condition; associated with ConditionAdd.jsp.

SelectRealm.jsp

Opens a window that supports a selection from existing realms, based on available authentication modules.

SelectReferralType.jsp

Supports the configuration of a referral type for a sub-realm.

SelectResponseProviderType.jsp

Supports the configuration of a response provider type for an identity repository.

SelectServiceType.jsp

Supports the configuration of a policy service type; supports the customization of a new rule for configurable service types such as the Discovery Service.

SelectSubjectType.jsp

Opens the page for selecting the type of subject to add to a policy, such as authenticated users, users and groups, or web service clients; associated with SubjectAdd.jsp.

SessionPropertyAdd.jsp

Supports a policy that depends on attributes in a user's session.

SessionPropertyConditionAdd.jsp

Supports a policy that includes conditions based on attributes in a user's session.

SessionPropertyConditionEdit.jsp

Edits conditions in a policy based on attributes in a user's session.

SessionPropertyEdit.jsp

Edits attributes in a policy based on attributes in a user's session.

SubjectAdd.jsp

Supports the configuration of a new policy for authenticated users; associated with PMAuthenticatedUsersSubjectAdd.jsp.

SubjectEdit.jsp

Edits the configuration of a policy for authenticated users; associated with PMAuthenticatedUsersSubjectEdit.jsp.

SubjectNoneAdd.jsp

Associated with a policy for web service clients; related to SelectSubjectType.jsp.

SubjectNoneEdit.jsp

Edits a subject of this type in an existing policy; associated with SubjectNoneAdd.jsp and PMAuthenticatedUsersSubjectEdit.jsp.

SubjectProxy.jsp

Configures a proxy for web service client policies; associated with SelectSubjectType.jsp.

7.13. IDM Console JSP Endpoints

This group of service endpoints is associated with the identity management (IDM) interface of OpenAM. You can find these endpoints in the console/idm subdirectory. You may not need all of the functionality provided by the endpoints in this section.

Some of the endpoints in this section include references to UM*.jsp endpoints, User Console JSP Endpoints located in the console/user subdirectory, and described later in this chapter.

EndUser.jsp

Accesses the information page for the currently logged in user.

Entities.jsp

Opens the list of currently configured users, available via Access Control > [selected realm] > Subjects.

EntityAdd.jsp

Used when adding a new user or group.

EntityDiscoveryDescriptionAdd.jsp

Associated with the Discovery Service. To access that service, select a non-administrative user and select the Services tab. The EntityDiscoveryDescriptionAdd.jsp file is used when selecting a new Security Mechanism ID as a Service Description as a new Discovery Resource Offering.

EntityDiscoveryDescriptionEdit.jsp

Associated with an edit of an existing Security Mechanism ID.

EntityEdit.jsp

Called when saving changes to an existing user.

EntityMembers.jsp

Lists the members of a configured group.

EntityMembersFilteredIdentity.jsp

Lists the members of a configured group based on some filter.

EntityMembership.jsp

Accessed when a regular user is made a member of a previously configured group.

EntityResourceOffering.jsp

Supports custom resource offering entries for a previously configured user. Also seen when accessing the UMUserResourceOffering.jsp file.

EntityResourceOfferingAdd.jsp

Supports entries of new resource offerings for a previously configured user. Also seen when accessing the UMUserResourceOfferingAdd.jsp file.

EntityResourceOfferingEdit.jsp

Supports edits of existing resource offerings for a previously configured user. Also seen when accessing the UMUserResourceOfferingEdit.jsp file.

EntityServices.jsp

Supports a new service for a specific user. As of this writing, available services are: Dashboard, Discovery Service, Liberty Personal Profile Service, and Session.

Home.jsp

Opens a list of currently configured users.

ServicesAdd.jsp

Accessible after adding a new service for a currently configured user; associated with the EntityServices.jsp file.

ServicesEdit.jsp

Accessible for editing services associated with a currently configured user.

ServicesNoAttribute.jsp

Used if a configured organization has no available attributes.

ServicesSelect.jsp

Opened when adding a service for a specific user.

7.14. Console Realm JSP Endpoints

If you want to know how to configure services and data stores within a realm, you'll want to understand the workings of these service endpoints. If you want to customize realms in production, you'll want to keep these endpoints available on an OpenAM console. You can find these endpoints in the console/realm subdirectory.

HomePage.jsp

Associated with the main Access Control page in the OpenAM GUI console, which lists configured realms. If you call realm/HomePage.jsp directly, it cites messages associated with changes for a specific user, and functions more closely associated with JSP endpoints in the console/idm subdirectory.

IDRepo.jsp

Enables links with directory server data stores within a realm. To access, select Access Control > [some realm] > Data Stores > New. You should see a variety of supported directory server data stores, such as Active Directory, OpenDJ, and Tivoli Directory Server.

IDRepoAdd.jsp

Appears when you add a data store; associated with the IDRepo.jsp service endpoint.

IDRepoEdit.jsp

Appears when you edit an existing data store; associated with the IDRepo.jsp service endpoint.

IDRepoSelectType.jsp

Includes a list of supported data stores, from Active Directory to OpenDJ; associated with the IDRepo.jsp service endpoint.

RMRealm.jsp

Supports the configuration of a new realm, or editing of an existing realm.

RMRealmAdd.jsp

Supports the addition of a new realm; associated with the RMRealm.jsp service endpoint.

RealmDiscoveryDescriptionAdd.jsp

Supports a new description for a realm; associated with the RealmResourceOffering.jsp service endpoint.

RealmDiscoveryDescriptionEdit.jsp

Supports an edited description; associated with the RealmResourceOffering.jsp service endpoint.

RealmProperties.jsp

Works with the pages that allow you to edit an existing realm.

RealmResourceOffering.jsp

Supports the configuration of a security mechanism to a new realm resource offering. Requires the configuration of the discovery service, and the configuration of a directory resource offering for the specified realm.

RealmResourceOfferingAdd.jsp

Supports the addition of a security mechanism to a new realm resource offering. Requires the configuration of the discovery service, and the configuration of a directory resource offering for the specified realm.

RealmResourceOfferingEdit.jsp

Supports the editing of a security mechanism for an existing realm resource offering. Requires the configuration of the discovery service, and the configuration of a directory resource offering for the specified realm.

Services.jsp

Supports the configuration of a service within a specified realm.

ServicesAdd.jsp

Supports the addition of a service to a specified realm; available services to add include Administration, Dashboard, Discovery, Globalization Settings, OAuth2 Provider, Password Reset, Session, and User.

ServicesCannotAssignService.jsp

Displayed when a requested service cannot be assigned to the realm, because it is not compatible with the directory data available from that organization.

ServicesEdit.jsp

Supports the editing of an existing service; associated with the Services.jsp endpoint.

ServicesNoAttribute.jsp

Supports the editing of an existing service; called if the attribute cannot be found or changed.

ServicesSelect.jsp

Implements step 1 of the addition of a new service; associated with the Services.jsp endpoint.

7.15. Service Console JSP Endpoints

You can find the JSP files in this category in the console/service subdirectory. Most of the endpoints are accessible in the console, from various options associated with the Configuration menu. If you don't use some of the functionality described such as Liberty ID-FF or SOAP binding, you may be able to delete the associated endpoints.
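Before deleting or blocking the endpoints you do not use, you want a repeatable check that the unused ones no longer answer and that the ones you rely on still do. The following script is an added example, not part of OpenAM; the deployment URL, the session token argument, and the split of paths into "legacy" and "required" are assumptions for illustration, while the paths themselves are endpoints listed in this chapter. The HTTP fetcher is injectable, so the classification logic can also be exercised offline with constructed responses.

```python
"""Audit which OpenAM JSP endpoints are still served after you restrict or
delete the ones you do not use.

Added example, not OpenAM's own code. The deployment URL, the SSO token, and
the grouping of paths into "legacy" and "required" are assumptions; the paths
are endpoints listed in this chapter. The fetcher is injectable so the
classification logic runs offline.
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

# Status codes that mean the container refused, or no longer has, the page.
BLOCKED_STATUSES = {401, 403, 404, 410}

# Paths (relative to the deployment URL) that a hardened deployment may remove
# or block. Selection from this chapter; adjust to what you actually use.
LEGACY_ENDPOINTS: List[str] = [
    "console/service/SCSOAPBinding.jsp",                  # Liberty ID-FF
    "console/service/SCSOAPBindingRequestHandlerListAdd.jsp",
    "console/webservices/WSPersonalProfileService.jsp",   # ID-FF PP service
    "oauth/index.jsp",                                    # OAuth 1.0
    "oauth/registerconsumer.jsp",
    "oauth/userconsole.jsp",
    "saml2/jsp/fedletSampleApp.jsp",                      # sample application
]

# Paths that must keep answering. isAlive.jsp is the health check that load
# balancers and monitoring poll; blocking it takes the server out of service.
REQUIRED_ENDPOINTS: List[str] = ["isAlive.jsp"]

# A fetcher maps a full URL to the HTTP status code the server returned.
Fetcher = Callable[[str], int]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses as their own status instead of following them.

    Console JSPs send anonymous callers to the login page. Following that
    redirect would report a 200 for the login page and hide the fact that
    the JSP itself was still found and dispatched by the container.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx code


def http_status(url: str, sso_token: Optional[str] = None,
                timeout: float = 5.0) -> int:
    """GET a URL and return its status code without following redirects.

    Pass an administrator's SSO token to see what an authenticated caller
    gets; iPlanetDirectoryPro is OpenAM's default session cookie name.
    """
    req = urllib.request.Request(url, method="GET")
    if sso_token:
        req.add_header("Cookie", f"iPlanetDirectoryPro={sso_token}")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def classify(status: int) -> str:
    """Reduce a status code to served / redirected / blocked."""
    if status in BLOCKED_STATUSES:
        return "blocked"
    if 300 <= status < 400:
        return "redirected"
    if status == 200:
        return "served"
    return f"unexpected({status})"


def audit(base_url: str, fetch: Fetcher,
          legacy: Iterable[str] = LEGACY_ENDPOINTS,
          required: Iterable[str] = REQUIRED_ENDPOINTS) -> Dict[str, str]:
    """Return {relative path: classification} for every path in both lists."""
    base = base_url.rstrip("/") + "/"
    return {path: classify(fetch(base + path))
            for path in list(legacy) + list(required)}


def problems(findings: Dict[str, str],
             legacy: Iterable[str] = LEGACY_ENDPOINTS,
             required: Iterable[str] = REQUIRED_ENDPOINTS) -> List[str]:
    """List the findings that need action.

    A legacy page that is "redirected" is still deployed: the container found
    the JSP and the JSP sent the caller elsewhere. Only "blocked" counts.
    """
    out: List[str] = []
    for path in legacy:
        if findings[path] != "blocked":
            out.append(f"still deployed: {path} ({findings[path]})")
    for path in required:
        if findings[path] != "served":
            out.append(f"required endpoint not served: {path} ({findings[path]})")
    return out


if __name__ == "__main__":
    # usage: audit_endpoints.py https://openam.example.com:8443/openam/ [ssotoken]
    base = sys.argv[1]
    token = sys.argv[2] if len(sys.argv) > 2 else None
    for line in problems(audit(base, lambda u: http_status(u, token))) or ["ok"]:
        print(line)
```

Run it once anonymously and once with an administrator's token: a console JSP that redirects anonymous callers to the login page but serves administrators is still deployed, and only a 401, 403, 404 or 410 in both runs shows that the endpoint is really gone.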

G11NCharsetAliasAdd.jsp

Supports the configuration of a new character set alias. Accessible from the Globalization Settings > Charset Aliases submenu.

G11NCharsetAliasEdit.jsp

Supports the editing of an existing character set alias. Accessible from the Globalization Settings > Charset Aliases submenu.

G11NSupportedCharsetAdd.jsp

Supports the configuration of a new character set supported by a locale. Accessible from the Globalization Settings > Charsets Supported by Each Locale submenu.

G11NSupportedCharsetEdit.jsp

Supports the editing of an existing character set supported by a locale. Accessible from the Globalization Settings > Charsets Supported by Each Locale submenu.

MAPClientManager.jsp

Supports a list of client types. Associated with the Default Client Type option available via Configuration > System > Client Detection.

MAPCreateDevice.jsp

Supports creation of client devices.

MAPCreateDeviceTwo.jsp

Supports creation of client devices.

MAPDeviceProfile.jsp

Supports step 1 of creating a new client device.

MAPDuplicationDevice.jsp

Used with duplicate client devices.

SCConfig.jsp

Associated with basic Service Configuration data, and the other endpoints accessible from the Configuration menu.

SCConfigAuth.jsp

Supports the configuration of available authentication databases. You can get to this window by selecting Configuration > Authentication.

SCConfigConsole.jsp

Supports the configuration of administrative and globalization console properties. You can get to this window by selecting Configuration > Console.

SCConfigGlobal.jsp

Supports the configuration of OpenAM global properties. You can get to this window by selecting Configuration > Global.

SCConfigSystem.jsp

Supports the configuration of OpenAM system properties. You can get to this window by selecting Configuration > System.

SCPlatform30.jsp

Accesses current global attributes and cookie domain settings. To get to this window, select Configuration > System > Platform.

SCPolicy.jsp

Supports a view of the current policy configuration. To access this window, select Configuration > Global > Policy Configuration.

SCPolicyResourceComparatorAdd.jsp

Supports the addition of a new resource comparator to the current policy configuration. To access the relevant window, select Configuration > Global > Policy Configuration.

SCPolicyResourceComparatorEdit.jsp

Supports the editing of an existing resource comparator in the current policy configuration. To access the relevant window, select Configuration > Global > Policy Configuration.

SCSAML2SOAPBinding.jsp

Enables a review of current SAMLv2 SOAP binding request handlers. Associated with SOAP-based communications, using SAMLv2 requests, between a client and a server. To access the relevant screen, select Configuration > Global > SAMLv2 SOAP Binding.

SCSAML2SOAPBindingRequestHandlerListAdd.jsp

Allows you to add a new SAMLv2 SOAP binding request handler. To access the relevant screen, select Configuration > Global > SAMLv2 SOAP Binding.

SCSAML2SOAPBindingRequestHandlerListDup.jsp

Allows you to duplicate an existing SAMLv2 SOAP binding request handler. To access the relevant screen, select Configuration > Global > SAMLv2 SOAP Binding.

SCSAML2SOAPBindingRequestHandlerListEdit.jsp

Allows you to edit an existing SAMLv2 SOAP binding request handler. To access the relevant screen, select Configuration > Global > SAMLv2 SOAP Binding.

SCSOAPBinding.jsp

Enables a review of current SOAP binding request handlers. Associated with the Liberty Alliance Project Identity Federation Framework (Liberty ID-FF).

SCSOAPBindingRequestHandlerListAdd.jsp

Allows you to add a new SOAP binding request handler. Associated with the Liberty Alliance Project Identity Federation Framework (Liberty ID-FF).

SCSOAPBindingRequestHandlerListDup.jsp

Allows you to duplicate an existing SOAP binding request handler. Associated with the Liberty Alliance Project Identity Federation Framework (Liberty ID-FF).

SCSOAPBindingRequestHandlerListEdit.jsp

Allows you to edit an existing SOAP binding request handler. Associated with the Liberty Alliance Project Identity Federation Framework (Liberty ID-FF).

SecurityTokenService.jsp

Supports the configuration of tokens associated with the Security Token Service (STS). To access the associated screen, select Configuration > Global > Security Token Service.

ServerAdd.jsp

Supports the addition of an OpenAM server to work behind a load balancer in support of Session Failover (SFO). Available from Configuration > Servers and Sites, in the Servers subsection.

ServerClone.jsp

Supports the cloning of an existing OpenAM server to work behind a load balancer in support of Session Failover (SFO). Available from Configuration > Servers and Sites, in the Servers subsection.

ServerConfigInherit.jsp

Supports the inheritance of the default configuration for servers, as it relates to SFO.

ServerConfigXMLAddServer.jsp

Enables the configuration of a new server; relates to SFO.

ServerConfigXML.jsp

Supports the review of the XML settings of an existing server, as it relates to SFO.

ServerEditAdvanced.jsp

Supports the editing of advanced properties for default servers, in the configuration of servers for SFO. To access, select Configuration > Servers and Sites > Default Server Settings, and click Advanced.

ServerEditGeneral.jsp

Supports the editing of general properties for default servers, such as the base directory, default locale, debug level, mail server for notifications, and more. Relates to the configuration of servers for SFO. To access, select Configuration > Servers and Sites > Default Server Settings, and click General.

ServerEditSDK.jsp

Supports the editing of SDK-related properties for default servers, associated with SFO. Supports editing of settings such as datastore notifications, event service connection retries, LDAP connections, Time To Live (TTL) for user entries, and more. To access, select Configuration > Servers and Sites > Default Server Settings, and click SDK.

ServerEditSecurity.jsp

Supports the editing of security properties for default servers; associated with SFO. Includes default security settings such as encryption keys, cookie encoding, key stores, and certificate management. To access, select Configuration > Servers and Sites > Default Server Settings, and click Security.

ServerEditSession.jsp

Supports the editing of session properties for default servers; associated with SFO. Note that the default Session Limit is 5000, well short of the 100,000 sessions that can be handled by a standard 3GB dual-core production system. To access, select Configuration > Servers and Sites > Default Server Settings, and click Session.

ServerSite.jsp

Associated with the addition or editing of a load balancer that distributes requests to other OpenAM servers. Available from the Configuration > Servers and Sites, in the Servers subsection.

SiteAdd.jsp

Enables the configuration of a load balancer to distribute requests to other existing OpenAM servers. Available from the Configuration > Servers and Sites, in the Sites subsection.

SiteEdit.jsp

Enables changes to a configured load balancer in how it distributes requests to other existing OpenAM servers. Available from the Configuration > Servers and Sites, in the Sites subsection.

SMDiscoveryBootstrapRefOffAdd.jsp

Includes new resource offerings for the discovery service, bootstrapped using a standard such as SAML2.

SMDiscoveryBootstrapRefOffEdit.jsp

Supports the editing of existing resource offerings for the discovery service, bootstrapped with a standard such as SAML2.

SMDiscoveryDescriptionAdd.jsp

Supports the addition of new options for the discovery service.

SMDiscoveryDescriptionEdit.jsp

Supports the editing of existing options for the discovery service.

SMDiscoveryProviderResourceIdMapperAdd.jsp

Supports the mapping of a new resource ID for the discovery service.

SMDiscoveryProviderResourceIdMapperEdit.jsp

Supports the editing of an existing resource ID for the discovery service.

SMDiscoveryService.jsp

Supports a review and configuration of the Discovery Server, for global attributes, the ResourceID Mapper plug-in, and bootstrapping.

SMG11N.jsp

Allows you to configure globalization settings for OpenAM; accessible via Configuration > Console > Globalization Settings.

STSExportPolicy.jsp

Allows you to review and copy STS policies for export, input, and output. You can review this via Configuration > Global > Security Token Service > Export Policy.

SubConfigAdd.jsp

Allows you to configure a secondary configuration instance; accessible via Configuration > Global > Session.

SubConfigEdit.jsp

Allows you to edit an existing secondary configuration instance; accessible via Configuration > Global > Session.

SubSchemaTypeSelect.jsp

Allows you to configure a schema associated with breadcrumbs.

7.16. Session Console JSP Endpoints

There are currently two service endpoints configured in the console/session subdirectory, related to login sessions.

SMProfile.jsp

Provides information on current login session statistics. Available from the Sessions tab from the main console.

SessionHAStatistics.jsp

Supports session high availability statistics collection.

7.17. Task Console JSP Endpoints

The service endpoints in the console/task subdirectory relate to the options available from the default start page when an administrator logs into the OpenAM console. If you don't use Google Apps or Salesforce, you may not need some of the functionality in the associated endpoints.

CompleteCreateHostedIDP.jsp

Provides information on what the administrator can do after configuring an Identity Provider (IDP). Options listed include registering a remote Service Provider (SP), creating a fedlet, configuring Google Apps, and configuring Salesforce CRM. Includes links to such functionality, which depend on the configuration of a Circle of Trust (CoT).

ConfigureGoogleApps.jsp

Supports the configuration of Google Apps for Single-sign on (SSO). Requires a CoT configured with an IDP.

ConfigureGoogleAppsComplete.jsp

Enables entries to configure the SP. Includes steps "To Enable Access to the Google Apps API."

ConfigureGoogleAppsWarning.jsp

Includes a default warning message related to the ConfigureGoogleApps.jsp endpoint. The message is self-explanatory, though grammatically questionable: "Unable to configure because there are no circle of trust with Identity Provider."

ConfigureOAuth2.jsp

Supports the configuration of OAuth2 Authorization. For more information, see the chapter on Managing OAuth2 Authorization in the Administration Guide.

ConfigureSalesForceApps.jsp

Accessible when you select the Configure Salesforce CRM link shown in the main GUI console. Requires IDP and SP information for an appropriate CoT, where OpenAM is the IDP and Salesforce is configured as the SP.

ConfigureSalesForceAppsComplete.jsp

Supports the configuration of SSO with a Salesforce CRM account. Includes instructions on the settings to add to an applicable Salesforce account.

ConfigureSalesForceAppsFinishWarning.jsp

Sets up a warning message related to a need for a Salesforce Login URL for the configuration.

CreateFedlet.jsp

A fedlet supports federation for an SP that does not already have its own federation solution. For more information, see the chapter on Using Fedlets in Java Web Applications in the Development Guide.

CreateFedletWarning.jsp

Sets up a warning message related to the prerequisite for a CoT with the IDP.

CreateHostedIDP.jsp

Supports the configuration of a SAMLv2 IDP on the local instance of OpenAM.

CreateHostedSP.jsp

Supports the configuration of a SAMLv2 SP on the local instance of OpenAM.

CreateRemoteIDP.jsp

Supports the configuration of a SAMLv2 IDP on a remote system, within a configured CoT.

CreateRemoteSP.jsp

Supports the configuration of a SAMLv2 SP on a remote system, within a configured CoT.

Home.jsp

Endpoint that redirects the client to the startup page for OpenAM.

ValidateSAML2Setup.jsp

Supports the test of a federation connection between an IDP and SP in a CoT.

7.18. User Console JSP Endpoints

Endpoints in the console/user subdirectory support account configuration tasks. Many of these endpoints are accessible by realm. From the home page screen, select Access Control > [realm] > Subjects > [name of user]. This should open up an Edit User screen.

UMChangeUserPassword.jsp

This service endpoint is normally opened in a separate window to enable a user (or administrator) to change their login password. Accessible from the Edit User screen. All you need to do from the screen is click Edit next to the Password entry.

UMUserDiscoveryDescriptionAdd.jsp

Relates to the security mechanism identifier associated with a user. To access from the screen for an individual user, select Services > Discovery Service > Add > scroll down to the Service Description box > New Description > select and Add a Security Mechanism ID. Example IDs include urn:liberty:security:2003-08:ClientTLS:SAML, which relates to the former Liberty Alliance project, using Transport Layer Security (TLS) client authentication with SAML assertions.

UMUserDiscoveryDescriptionEdit.jsp

Supports editing of the security mechanism identifier associated with a user. Closely related to the UMUserDiscoveryDescriptionAdd.jsp endpoint.

UMUserPasswordResetOptions.jsp

Allows you to "Force Change Password on Next Login". Accessible from the Edit User screen for a specific user, via the "Password Reset Options" entry near the bottom of the window.

UMUserResourceOffering.jsp

Accessible as an option to the Discovery Service for a specific user. To access from the Edit User screen for a specific user, select Services > Discovery Service > Add.

UMUserResourceOfferingAdd.jsp

Accessible as an option to the Discovery Service for a specific user. To access from the Edit User screen for a specific user, select Services > Discovery Service > Add.

UMUserResourceOfferingEdit.jsp

Accessible as an option to the Discovery Service for a specific user. To edit an existing resource offering, navigate to the Edit User screen for a specific user, select Services > Discovery Service > [some previously configured service].

7.19. Web Services Console JSP Endpoints

Web services include endpoints in the console/webservices subdirectory. You can use them to define legacy options for services such as the Liberty Identity Federation Framework (ID-FF). As such, these endpoints may be less essential to your implementation of OpenAM. For more information, see the OpenAM Wiki on Web Services.

WSAuthNServices.jsp

Supports the configuration of various mechanism handlers for authentication, including CRAM-MD5, PLAIN, and SSOToken.

WSAuthNServicesHandlersAdd.jsp

Supports the addition of a new mechanism handler for authentication.

WSAuthNServicesHandlersEdit.jsp

Supports changes to an existing mechanism handler for authentication.

WSPPServiceDSAttributeMapListAdd.jsp

Enables the addition of a new LDAP attribute, with a name prefix.

WSPPServiceDSAttributeMapListEdit.jsp

Enables the editing of an existing LDAP attribute, with a name prefix.

WSPPServiceSupportedContainerAdd.jsp

Enables the creation of a new supported container for ID-FF.

WSPPServiceSupportedContainerEdit.jsp

Enables the editing of an existing container.

WSPersonalProfileService.jsp

Allows you to configure ID-FF for global attributes, supported containers, PPLDAP attributes and alternative security mechanisms.

7.20. OAuth JSP Endpoints

Includes endpoints in the oauth, oauth2, and oauth2c subdirectories. Some of the service endpoints in the oauth subdirectory are based on OAuth 1.0, which may be deprecated in an upcoming release.
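If a deployment does not use OAuth 1.0 at all, one way to keep the three OAuth 1.0 JSPs below from being served, without editing each page, is the standard Servlet security-constraint mechanism in web.xml, which the HEAD of this chapter locates in the WEB-INF directory. The fragment is an added example, not part of the OpenAM web.xml; it assumes that no other constraint in the file already covers the same pattern, and that nothing else you rely on lives under the oauth subdirectory, since the pattern covers everything there (it does not match the oauth2 or oauth2c subdirectories, because servlet path matching treats /oauth/* as the /oauth prefix followed by a path separator).

```xml
<!-- Added example: deny every caller access to the OAuth 1.0 pages.
     Place inside <web-app> in WEB-INF/web.xml of the OpenAM WAR before
     deployment; edits to an exploded webapps/openam copy are lost when the
     container redeploys the archive. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>OAuth 1.0 JSP endpoints (unused)</web-resource-name>
    <!-- Covers oauth/index.jsp, oauth/registerconsumer.jsp, oauth/userconsole.jsp
         and anything else under oauth/; does not cover oauth2/ or oauth2c/. -->
    <url-pattern>/oauth/*</url-pattern>
  </web-resource-collection>
  <!-- An empty auth-constraint lists no roles, so no caller is authorized:
       the container answers 403 instead of dispatching to the JSP. -->
  <auth-constraint/>
</security-constraint>
```

After redeploying, request each of the three pages once anonymously and once with an administrator session; both should return 403, while isAlive.jsp and the OAuth 2.0 endpoints you keep must still answer as before.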

index.jsp

Specifies an endpoint used to register service consumers, which get resources from SPs. Provides access to registerconsumer.jsp. Associated with OAuth 1.0.

registerconsumer.jsp

Defines an endpoint used to register a consumer of services from SPs. Associated with OAuth 1.0.

userconsole.jsp

Allows a user to authorize or revoke a request for an OAuth 1.0 token.

registerClient.jsp

Enables registration of an OAuth 2.0 client with the OpenAM OAuth 2.0 authorization service. For details, see the Administration Guide chapter on Managing OAuth 2.0 Authorization.

OAuthLogout.jsp

Used to log out the resource owner with the OAuth 2.0 provider. For more information, see the Administration Guide chapter on Defining Authentication Services.

OAuthProxy.jsp

Endpoint used for redirection. For more information, see the Administration Guide chapter on Managing OAuth 2.0 Authorization.

7.21. Password JSP Endpoints

The endpoints in this section can be found in the password/ui subdirectory. Each of these endpoints uses the PWResetViewBeanBase class to set up messages. You can view some of these endpoints by omitting the password subdirectory from the URL. For example, to view the effect of the PWResetUserValidation.jsp endpoint on an OpenAM system using a URL of openam.example.org in a standard Tomcat container, navigate to http://openam.example.org/openam/ui/PWResetUserValidation.jsp. You can set associated options from the main console by selecting Configuration > Global > Password Reset. For more information on the process, see the chapter on Configuring Password Reset in the Administration Guide.

PWResetBase.jsp

This simple endpoint includes a redirection of the ServiceURI, and specifies OpenAM as the ProductName. It's cited by the other endpoints in the password/ui subdirectory.

PWResetInvalidURL.jsp

This endpoint is called with the PWResetInvalidURLViewBean class, when a module servlet gets an invalid URL.

PWResetQuestion.jsp

Starts the password reset process by prompting for the User ID. For more information on the process, see the method for the associated PWResetQuestionModel, available from the Interface PWResetQuestionModel specification page.

PWResetSuccess.jsp

Specifies the endpoint that is called when an account password is successfully reset.

PWResetUncaughtException.jsp

Specifies a "Contact your administrator" message when there is an error in a related endpoint.

PWResetUserValidation.jsp

Opens a screen that prompts for a user ID (UID). If that UID is found in the database, configured with an accessible email address, on a system connected to a mail server, a reset link is sent to that address.

7.22. SAML2 JSP Endpoints

You can find the endpoints described in this section in the saml2/jsp subdirectory. As of this writing, some of these endpoints are not used in the current implementation of OpenAM. Active endpoints in this category are discussed in the chapter on Managing SAML2 Federation in the Administration Guide.

default.jsp

May be used by other files to return a success or failure message. While the default.jsp name is common in the trunk, the jsp/default.jsp filename is used only by SPSingleLogout.java, which is not commonly used.

exportmetadata.jsp

Supports the export of XML-based metadata with other providers within a circle of trust (CoT). Currently used. For more information, see the chapter on Managing SAML2 Federation in the Administration Guide.

fedletAttrQuery.jsp

Supports the configuration of SAML attribute query headers.

fedletAttrResp.jsp

Supports the configuration of SAML attribute response headers.

fedletSSOInit.jsp

Previously used to start single sign-on at the Fedlet.

fedletSampleApp.jsp

Specifies a sample fedlet application that can be removed in production.

fedletXACMLQuery.jsp

Enables a sample SAML XACML query handler; used for testing, to prompt users to specify a resource URL along with an action (GET, POST).

fedletXACMLResp.jsp

Retrieves a sample SAML XACML resource URL for a yes, no, or maybe decision (PERMIT, DENY, or INDETERMINATE).

idpMNIPOST.jsp

The MNI in several JSP files relate to ManageNameID, which sets up corresponding accounts on IDPs and SPs. This particular JSP file processes a request from an IDP through an HTTP redirect.

idpMNIRedirect.jsp

The MNI in several JSP files relate to ManageNameID, which sets up corresponding accounts on IDPs and SPs. This particular JSP file processes a request from an IDP through an HTTP redirect. It uses a metadata-based alias, an entity ID for the service provider, and the type of MNI request; examples include NewID and terminate.

idpMNIRequestInit.jsp

The MNI in several JSP files relates to ManageNameID, which sets up corresponding accounts on IDPs and SPs. As described in the chapter on Managing SAML2 Federation in the Administration Guide, it allows you to change federation of persistently linked accounts. The chapter also includes an example of this endpoint at work.

idpSSOFederate.jsp

Specifies an endpoint that takes authentication requests from an SP, with a SAMLRequest data, a metaAlias and a RelayState with information from the target URL.

idpSSOInit.jsp

Specifies an endpoint that starts SSO, either from cache, or by verifying metaAlias and SP identifier data. For more information, see the chapter on Managing SAML2 Federation in the Administration Guide.

idpSingleLogoutInit.jsp

Starts a LogoutRequest from the identity provider. For more information, see the chapter on Managing SAML2 Federation in the Administration Guide.

idpSingleLogoutPOST.jsp

Specifies an endpoint that receives logout requests from IDPs and receives logout responses from SPs. Also sends logout responses to SPs.

idpSingleLogoutRedirect.jsp

Takes the SAMLRequest and SAMLResponse messages for logouts from the SP. May also handle the RelayState directive.

SA_IDP.jsp

Used for SAML authentication for communication with identity providers (IDPs).

SA_SP.jsp

Used for SAML authentication for communication with service providers (SPs).

saeerror.jsp

Returns an error message related to Secure Attribute Exchange (SAE). Currently used only by the SA_IDP.jsp and SA_SP.jsp endpoints.

saml2error.jsp

Endpoint that may return one of many error codes, specified in the comments of the file.

spAssertionConsumer.jsp

Used on an SP, to interpret information from an IDP. The request to the IDP is an AuthnRequest; the response from the IDP is read by this endpoint.

spMNIPOST.jsp

The MNI in several JSP files relates to ManageNameID, which sets up corresponding accounts on IDPs and SPs. This particular endpoint takes the associated request, using an HTTP Redirect, from an SP. Less commonly used.

spMNIRedirect.jsp

This particular endpoint handles the ManageNameIDRequest and ManageNameIDResponse messages with the help of HTTP Redirect. Less commonly used.

spMNIRequestInit.jsp

This particular endpoint supports changes to federation of persistently linked accounts, in a fashion similar to idpMNIRequestInit.jsp. For an example of this endpoint at work, see the chapter on Managing SAML2 Federation in the Administration Guide.

spSSOInit.jsp

Supports SSO messages from the SP. For more information and an example of how this endpoint is used, see the chapter on Managing SAML2 Federation in the Administration Guide.

spSingleLogoutInit.jsp

Supports SSO messages from the SP. For more information, see the chapter on Managing SAML2 Federation in the Administration Guide.

spSingleLogoutPOST.jsp

Specifies an endpoint that receives logout requests from SPs and receives logout responses from IDPs. Also sends logout responses to IDPs. Converse endpoint to idpSingleLogoutPOST.jsp.

spSingleLogoutRedirect.jsp

Takes the SAMLRequest and SAMLResponse messages for logouts from the IDP. May also handle the RelayState directive. Converse endpoint to idpSingleLogoutRedirect.jsp.

7.23. WS Federation JSP Endpoints

The endpoints described in this section, in the wsfederation/jsp subdirectory, relate to Kantara Alliance standards that originated with the Liberty Alliance Project Identity Federation Framework.

logout.jsp

Shows a page after a successful logout.

multi.jsp

Used for multi-federation protocol configurations.

post.jsp

Sets up a form for single sign-on (SSO) responses sent from the IDP to the SP.

realmSelection.jsp

Default display if no realms are defined.

7.24. WEB-INF Endpoints

The OpenAM WAR archive includes pointers to different URL patterns in the web.xml file. The following section includes a description of each of the identified URL patterns.

Many of the endpoints in this section are based on what you would add to an OpenAM URL. Many of the endpoints described in the web.xml file are not directly related to the .jsp files described in other parts of this chapter.

The endpoints in this chapter are taken from all items tagged with the url-pattern label. These endpoints are listed in the order in which they appear in the web.xml file available at the time of this writing; the list changes frequently. If you want to disable one or more of these endpoints, you may be able to delete them from the web.xml file.

Each of the url-patterns shown in the web.xml file is associated with elements such as a filter-name or a servlet-name. The definitions that follow use those elements to help identify the function of each endpoint listed in the web.xml file. Many of these elements can be directly related to a .java file.

The endpoints in this section are in the order found in the list of url-pattern entries shown in the web.xml file at the time of this writing.
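As an added example (not part of the OpenAM reference or its code), the Python script below reads a constructed web.xml fragment in the shape described here, lists each url-pattern together with its filter-name or servlet-name and class, resolves which filter and servlet would handle a given request path, and removes a url-pattern the way this section suggests. The filter and servlet names follow this chapter; the web.xml content and the example.* class names are constructed placeholders.

```python
"""Inventory url-pattern entries of an OpenAM-style web.xml, resolve handlers, remove a mapping."""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not OpenAM's real file): filter/servlet names
# follow this chapter, the example.* class names are placeholders.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter><filter-name>AMSetupFilter</filter-name><filter-class>example.AMSetupFilter</filter-class></filter>
  <filter-mapping><filter-name>AMSetupFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <servlet><servlet-name>LoginLogoutMapping</servlet-name><servlet-class>example.LoginLogoutMapping</servlet-class></servlet>
  <servlet-mapping><servlet-name>LoginLogoutMapping</servlet-name>
    <url-pattern>/login</url-pattern><url-pattern>/logout</url-pattern></servlet-mapping>
  <servlet><servlet-name>PWResetServlet</servlet-name><servlet-class>example.PWResetServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>PWResetServlet</servlet-name><url-pattern>/ui/*</url-pattern></servlet-mapping>
  <servlet><servlet-name>preLoginHandler</servlet-name><servlet-class>example.PreLoginHandler</servlet-class></servlet>
  <servlet-mapping><servlet-name>preLoginHandler</servlet-name><url-pattern>/preLogin</url-pattern></servlet-mapping>
</web-app>
"""

def _local(tag):
    """Strip the {namespace} prefix so tags compare as plain 'url-pattern' etc."""
    return tag.rsplit("}", 1)[-1]

def _text(el, child):
    """Text of the first child element with the given local name, or ''."""
    return next(((c.text or "").strip() for c in el if _local(c.tag) == child), "")

def inventory(xml_text):
    """Rows of (url-pattern, kind, name, class), one per url-pattern, in web.xml order."""
    root = ET.fromstring(xml_text)
    # first pass: <filter>/<servlet> declarations give (kind, name) -> class
    classes = {(k, _text(el, k + "-name")): _text(el, k + "-class")
               for el in root for k in (_local(el.tag),) if k in ("filter", "servlet")}
    rows = []
    for el in root:  # second pass: the mappings that actually expose URLs
        kind = _local(el.tag)
        if kind in ("filter-mapping", "servlet-mapping"):
            base = kind.split("-")[0]
            name = _text(el, base + "-name")
            rows += [((c.text or "").strip(), base, name, classes.get((base, name), ""))
                     for c in el if _local(c.tag) == "url-pattern"]
    return rows

def pattern_matches(pattern, path):
    """Servlet-spec matching: exact, path prefix ('/x/*'), extension ('*.jsp'), default ('/')."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def handlers_for(rows, path):
    """Filters wrapping a request path (declaration order) and the servlet that serves it.
    Servlet precedence: exact match, then longest path prefix, then extension, then default."""
    filters = [n for p, k, n, _ in rows if k == "filter" and pattern_matches(p, path)]
    best = None
    for p, k, n, _ in rows:
        if k == "servlet" and pattern_matches(p, path):
            rank = ((3, 0) if p == path else (2, len(p)) if p.endswith("/*")
                    else (1, 0) if p.startswith("*.") else (0, 0))
            if best is None or rank > best[0]:
                best = (rank, n)
    return filters, (best[1] if best else None)

def remove_url_pattern(xml_text, pattern):
    """web.xml text without the given url-pattern; a mapping left with none is dropped too."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):  # keep the default namespace unprefixed on output
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    for mapping in list(root):
        if _local(mapping.tag) in ("filter-mapping", "servlet-mapping"):
            for c in list(mapping):
                if _local(c.tag) == "url-pattern" and (c.text or "").strip() == pattern:
                    mapping.remove(c)
            if not any(_local(c.tag) == "url-pattern" for c in mapping):
                root.remove(mapping)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for row in inventory(SAMPLE_WEB_XML):
        print("%-10s %-8s %-20s %s" % row)
    print(handlers_for(inventory(SAMPLE_WEB_XML), "/ui/PWResetUserValidation.jsp"))
```

Point `inventory` at the real WEB-INF/web.xml to get the current list for your deployment; the `<servlet>` declaration stays in place when its last mapping is removed, so the class is no longer reachable by URL but still loads with the application.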

/*

This entry is more of a filter for all endpoints. It's associated with the ResponseValidationFilter, which checks for valid URLs. It's also associated with the AMSetupFilter.java file; on systems not yet configured, it redirects users to the setup wizard.

ws/*

Specifies a group of URLs related to authentication endpoints, as it is associated with the AuthNFilter.java and AuthZFilter.java files. However, those files (and the associated RestServiceManager.java file) are not called by any other files in the trunk.

/login

With the help of the LoginLogoutMapping.java file, this would forward to the /UI/Login.jsp endpoint.

/logout

With the help of the LoginLogoutMapping.java file, this would forward to the /UI/Logout.jsp endpoint.

/UI/*

With the help of the LoginServlet.java file, this forwards to the default login page for an OpenAM system.

/config/configurator

Uses the AMSetupServlet, which, as noted in the associated .java file, "is the first class to get loaded by the Servlet container".

/setup/setSetupProgress

Used by the installation wizard to display the progress.

/upgrade/setUpgradeProgress

Used by the upgrade wizard to display progress.

/ui/*

Associated with the servlet named PWResetServlet, which handles password resets.

/gateway

Used with the servlet named GatewayServlet. Associated with the Gateway.java file, which takes an authentication module and forwards it to a login URL.

/GetHttpSession

The associated .java file is associated with Session Failover (SFO).

/sessionservice, /profileservice, /policyservice, /namingservice, /loggingservice, /authservice, /notificationservice

All of these endpoints are associated with OpenAM Security Advisory #201203. As suggested in the advisory, if you're using OpenAM version 9.5.4 or 10.0.0, you should be sure to apply the updates required to upgrade your systems to versions 9.5.5 or 10.0.1 (or higher).

/jaxrpc/*, /identityservices/*

These endpoints provide information on configured web services, including the port name, status, URL, and implementation class. Both endpoints show the same data. The IdentityServices servlet name points to the following description: "Web Service Endpoint - Identity Services".

/SMSServlet

Includes system configuration information when available, as documented in the comments to the AMSystemConfig.java file.

/notification

The associated servlet named notificationservlet appears to be commonly used. When the URL is entered, the default response is HTTP 200, indicating success.

/entitlementmonitor

Used by the NetworkMonitor.java file, which is essential to the monitoring of OpenAM services.

/identity/*

Possibly a legacy endpoint. While the associated IdentityServicesHandler servlet is identified as "REST Endpoint - Identity Services", it is only cited in the IdentityServicesHandler.java file.

/resources/*

Linked to an oauth servlet. The associated com.sun.identity.oauth.service.RestService class is rarely used.

/authentication/*

Associated with the servlet named AuthServlet. The associated AuthServer.java file is the controller servlet for realm authentication pages. When the URL is entered prior to login, it defaults to the standard login page.

/base/*

Associated with the servlet named AMBaseServlet. While the associated AMBaseServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/service/*

Associated with the servlet named SCServlet. While the associated SCServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/session/*

Associated with the servlet named SMServlet. While the associated SMServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/realm/*

Associated with the servlet named RMServlet. While the associated RMServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/policy/*

Associated with the servlet named PMServlet. While the associated PMServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/idm/*

Associated with the servlet named IDMServlet. While the associated IDMServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/user/*

Associated with the servlet named UMServlet. While the associated UMServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/delegation/*

Associated with the servlet named DelegationServlet. While the associated DelegationServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/task/*

Associated with the servlet named TaskServlet. While the associated TaskServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/agentconfig/*

Associated with the servlet named AgentConfigurationServlet. The associated AgentConfigurationServlet class is called by the amAccessControl.xml file, which suggests that it can be configured from the GUI console, through the Agents section of the Access Control menu. It is rarely used otherwise. The URL prior to login defaults to the standard login page.

/ccversion/*

Associated with the servlet named click-servlet. There is no associated click-servlet.java or ClickServlet.java file.

/federation/*

Associated with the servlet named FSServlet. While the associated FSServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

/webservices

Used by the WSServlet.java and SecurityTokenService.java files. If you're using web services and/or the Security Token Service (STS), you may want to keep this in place.

/sts

Associated with the STS. Be aware, this endpoint exposes basic service and port information for STS, Metadata Exchange (MEX), Simple Object Access Protocol 1.1 (SOAP11), and Web Service Definition Language (WSDL) endpoints without logons.

/sts/mex

Associated with the STS. Be aware, this endpoint exposes basic service and port information for STS, Metadata Exchange (MEX), Simple Object Access Protocol 1.1 (SOAP11), and Web Service Definition Language (WSDL) endpoints without logons.

/sts/soap11

Associated with the STS. Be aware, this endpoint exposes basic service and port information for STS, Metadata Exchange (MEX), Simple Object Access Protocol 1.1 (SOAP11), and Web Service Definition Language (WSDL) endpoints without logons.

/sts/mexsoap11

Associated with the STS. Unlike related STS endpoints, it returns a 404 message by default.

/SPMniSoap/*

Used by a servlet named SPMniSoap; associated with a com.sun.identity.saml2.servlet.SPManageNameIDServiceSOAP servlet class. The associated .java file works with Manage Name ID communications using SOAP binding from the SP. As the former spMNISOAP.jsp file no longer exists in the trunk, this may be a legacy endpoint.

/SPMniPOST/*

Used by a servlet named spMNIPOST.jsp; previously defined in the SAML2 JSP Endpoints section.

/SPMniRedirect/*

Used by a servlet named spMNIRedirect.jsp; previously defined in the SAML2 JSP Endpoints section.

/SPMniInit/*

Used by a servlet named spMNIRequestInit.jsp; previously defined in the SAML2 JSP Endpoints section.

/SPECP/*

The associated SPECPService class receives and processes single logout (SLO) requests, using SOAP bindings on the SP.

/SPSloSoap/*

The associated SPSingleLogoutServiceSOAP class receives and processes single logout (SLO) requests, using SOAP bindings on the SP.

/SPSloPOST/*

Used by a servlet named spSingleLogoutPOST.jsp; previously defined in the SAML2 JSP Endpoints section.

/SPSloRedirect/*

Used by a servlet named spSingleLogoutRedirect.jsp; previously defined in the SAML2 JSP Endpoints section.

/SPSloInit/*

Used by a servlet named spSingleLogoutInit.jsp; previously defined in the SAML2 JSP Endpoints section.

/Consumer/*, /SSORedirect/*

Used by a servlet named spAssertionConsumer.jsp; previously defined in the SAML2 JSP Endpoints section.

/SSOPOST/*, /SSORedirect/*

Used by a servlet named idpSSOFederate.jsp; previously defined in the SAML2 JSP Endpoints section.

/SSORedirect/*

Used by a servlet named idpSSOFederate.jsp; previously defined in the SAML2 JSP Endpoints section.

/NIMSoap/*

Used by a servlet named NameIDMappingServiceSOAP.

/AIDReqUri/*

Used by a servlet named AssertionIDRequestServiceSoap.

/AIDReqSoap/*

Used by a servlet named AssertionIDRequestServiceSoap.

/AuthnQuerySerivceSoap/*

Used by a servlet named AuthnQueryServiceSoap.

/AttributeServiceSoap/*

Used by a servlet named AttributeServiceSoap.

/SSOSoap/*

Used by a servlet named SSOSoap.

/IDPMniSoap/*

Used by a servlet named IDPMniSoap.

/IDPMniPOST/*

Used by a servlet named idpMNIPOST.jsp; previously defined in the SAML2 JSP Endpoints section.

/IDPMniRedirect/*

Used by a servlet named idpMNIRedirect.jsp; previously defined in the SAML2 JSP Endpoints section.

/IDPMniInit/*

Used by a servlet named idpMNIRequestInit.jsp; previously defined in the SAML2 JSP Endpoints section.

/IDPSloSoap/*

Used by a servlet named IDPSloSoap.

/IDPSloPOST/*

Used by a servlet named idpSingleLogoutPOST.jsp; previously defined in the SAML2 JSP Endpoints section.

/IDPSloRedirect/*

Used by a servlet named idpSingleLogoutRedirect.jsp; previously defined in the SAML2 JSP Endpoints section.

/IDPSloInit/*

Used by a servlet named idpSingleLogoutInit.jsp; previously defined in the SAML2 JSP Endpoints section.

/ArtifactResolver/*

Used by a servlet named IDPArtifactResolver.

/spssoinit

Used by a servlet named spSSOInit.jsp; previously defined in the SAML2 JSP Endpoints section.

/idpssoinit

Used by a servlet named idpSSOInit.jsp; previously defined in the SAML2 JSP Endpoints section.

/idpSSOFederate

Used by a servlet named idpSSOFederate.jsp; previously defined in the SAML2 JSP Endpoints section.

/idpsaehandler/*

Used by a servlet named SA_IDP.jsp; previously defined in the SAML2 JSP Endpoints section.

/spsaehandler/*

Used by a servlet named SA_SP.jsp; previously defined in the SAML2 JSP Endpoints section.

/idpfinder

Used by a servlet named IDPFinderService; The associated FSIDPFinderService.java file can be used to find a preferred IDP with a common domain cookie.

/cdcservlet

Used by a servlet named CDCServlet. It is associated with a Cross Domain Controller Servlet, as described in the chapter on Configuring Cross-Domain Single Sign On in the Administration Guide.

/SAMLAwareServlet

Used by a servlet named SAMLAwareServlet. It is associated with communications between a client, an SP, and an IDP. The transfer service on the IDP is the SAML Aware Servlet, and is part of the client web browser artifact profile. It validates a session token from a request run through the IDP.

/SAMLPOSTProfileServlet

Used by a servlet named SAMLPOSTProfileServlet. It is associated with communications between a client, an SP, and an IDP. The transfer service on the IDP is the SAML Aware Servlet, and is part of the client web browser POST profile, which supplies assertion IDs, and returns the response to the client browser.

/SAMLSOAPReceiver

Used by a servlet named SAMLSOAPReceiver. The servlet extracts a SAML request from a message sent in SOAP format. That message can be a query for authorization, attributes, or authentication. It supports POST messages only.

/AssertionManagerServlet/*

Used by a servlet named AssertionManagerServlet. It supports dynamic substitution, using the host name, port number, and the deployment location.

/FSAssertionManagerServlet/*

Used by a servlet named FSAssertionManagerServlet. It provides remote interfaces for the assertion manager class.

/SecurityTokenManagerServlet/*

Used by a servlet named SecurityTokenManagerServlet. It supports dynamic substitution, using session parameters.

/preLogin

Used by a servlet named preLoginHandler. As there is no associated .java or .jsp file, it may be a legacy endpoint.

/postLogin/*

Used by a servlet named postLoginHandler. As there is no associated .java or .jsp file, it may be a legacy endpoint.

/federation

Used by a servlet named FederationServlet. Associated with the com.sun.identity.federation.login.FSFederationHandler class. The matching FSFederationHandler.java file processes requests to initiate a federation.

/consentHandler

Used by a servlet named consentHandler. Associated with the com.sun.identity.federation.login.FSConsentHandler class. The matching FSConsentHandler.java file processes redirect requests in an existing federation.

/ProcessLogout/*

Used by a servlet named ProcessLogout. Associated with the FSProcessLogoutServlet class. It is designed to handle single logout requests related to Kantara / Liberty ID-FF processes.

/ReturnLogout/*

Used by a servlet named ReturnLogout. Associated with the FSReturnLogoutServlet class. It is designed to handle single logout responses related to Kantara / Liberty ID-FF processes. (Note the subtle difference from the ProcessLogout endpoint, which handles logout requests.)

/liberty-logout

Used by a servlet named LogoutServlet. Associated with the FSSingleLogoutServlet class. It is designed to start single logout requests related to Kantara / Liberty ID-FF processes.

/SingleSignOnService/*

Used by a servlet named SingleSignOnService. Associated with the FSSSOAndFedService class. Configured for SSO on the IDP.

/IntersiteTransferService

Used by a servlet named IntersiteTransferService. Associated with the FSIntersiteTransferService class. It is designed to send an AuthnRequest to an IDP.

/AssertionConsumerService/*

Used by a servlet named AssertionConsumerService. Associated with the FSAssertionConsumerService class. For more information, see the chapter on Managing SAML 2.0 Federation in the Administration Guide.

/SOAPReceiver/*

Used by a servlet named SOAPReceiver. Associated with the FSSOAPReceiver class. SOAP endpoint that handles federation and specifies a URI to the SP.

/federation-terminate

Used by a servlet named FederationTerminationServlet. Associated with the FSTerminationInitiationServlet.java file, used to initiate termination of a federation connection. The IDP will send the termination request to the associated URL.

/ProcessTermination/*

Used by a servlet named ProcessTermination. Associated with the FSTerminationRequestServlet class. The associated .java file is used when a request is received by a remote SP.

/ReturnTermination/*

Used by a servlet named ReturnTermination. Associated with the FSTerminationReturnServlet class. The associated .java file is used to define a URL used by an IDP to send termination responses.

/InitiateRegistration/*

Used by a servlet named InitiateRegistration. Associated with the FSRegistrationInitiationServlet class. The associated .java file is used to handle the registration request from a remote IDP.

/ProcessRegistration/*

Used by a servlet named ProcessRegistration. Associated with the FSRegistrationRequestServlet class. Processes registration requests from remote SPs.

/ReturnRegistration/*

Used by a servlet named ReturnRegistration. Associated with the FSRegistrationReturnServlet class. Defines a URL for IDPs to send registration responses.

/Liberty/*

Used by a servlet named WSSOAPReceiver. Associated with the SOAPReceiver class. Defines an endpoint that handles SOAP requests.

/WSPRedirectHandler/*

Used by a servlet named WSPRedirectHandler. Associated with the WSPRedirectHandlerServlet class. Used by the SP for user redirects.

/idffwriter, /saml2writer

Used by a servlet with a matching name (idffwriter, saml2writer). Associated with the CookieWriterServlet class. Used by the IDP to help the web container find app-specific info such as Java classes or Java Archives (JARs).

/idffreader, /saml2reader

Used by a servlet with a matching name (idffreader, saml2reader). Associated with the CookieReaderServlet class. Used by the SP to help find the preferred IDP.

/multiprotocolrelay

Used by a servlet named MultiProtocolRelayServlet. Associated with the MultiProtocolRelayServlet class. Used as a RelayState to continue to the next protocol; associated with a federation.

/WSFederationServlet/*, /FederationMetadata/*

Used by a servlet named WSFederationServlet. Associated with the WSFederationServlet class. Used as a service endpoint for WS-Federation.

/RealmSelection/*

Used by an endpoint named realmSelection.jsp. Previously defined in the WS-Federation JSP Endpoints section.

/saml2query/*

Used by a servlet named saml2query. Associated with the QueryHandlerServlet class. The corresponding .java file receives and processes SAML2 queries.

/federationws/*

Used by a servlet named federationrest. Associated with the ServletContainer class. Does not appear to be included in any current .java or .jsp file, so it may be a legacy endpoint.

/xacml/*

Used by a servlet named XACMLContentAdapter. Associated with the XacmlContentHandlerService class. Provides the main endpoint for all XACML requests.

/frrest/oauth2/*

Used by a servlet named OAuth2Rest. Associated with the RestTokenDispatcher class. For more information, see the chapter on Using RESTful Web Services.

/oauth2/registerClient.jsp

Used by a servlet named OAuth2RegisterClient. For more information, see the Administration Guide chapter on Managing OAuth 2.0 Authorization.

/oauth2/*

Used by a servlet named OAuth2RestletAdapter. Associated with the RestTokenDispatcher class. For more information, see the chapter on Using RESTful Web Services.

/json/*

Used by a servlet named ForgeRockRest. Associated with the HttpServlet class. For more information, see the chapter on Using RESTful Web Services. In addition, you can read more about associated REST endpoints in the JSON REST Endpoints section.

7.25. JSON REST Endpoints

The endpoints in this section document the REST-based JSON interfaces used for authentication and authorization.

/json/agents

Authorization: Supports the PassThroughAuthorizationFilter. No authorization logic is performed in the filter. Information is logged. The authorization logic is performed by the underlying identity services.

/json/authenticate

Authentication: Supports HTTP GET and POST methods. Can handle Integrated Windows Authentication.

Authorization: No filter.

/json/dashboard

Authorization: Supports the PassThroughAuthorizationFilter. No authorization logic is performed in the filter. Information is logged.

/json/groups

Authorization: Supports the PassThroughAuthorizationFilter. No authorization logic is performed in the filter. Information is logged. The authorization logic is performed by the underlying identity services.

/json/serverinfo

Authorization: Supports the PassThroughAuthorizationFilter. No authorization logic is performed in the filter. Information is logged. One sub-endpoint, /json/serverinfo/cookieDomains, supports HTTP GET.

/json/sessions

Authorization: Supports the SessionResourceAuthZFilter. Allows POST _action=logout for all users. Other functionality is limited to the administrative amadmin superuser.

/json/tokens

Authorization: Supports the AdminAuthorizationFilter. Access limited to the amadmin superuser.

/json/users

Authentication: Supports HTTP POST. Uses the _action query parameter with the following allowed values: register, confirm, forgotPassword, forgotPasswordReset.

Authorization: Supports the PassThroughAuthorizationFilter. No authorization logic is performed in the filter. Information is logged. The authorization logic is performed by the underlying identity services.

7.26. Well-Known Endpoints

The endpoints described in this section are Well-Known URIs supported by OpenAM.

/.well-known/openid-configuration

Exposes OpenID Provider configuration by HTTP GET as specified by OpenID Connect Discovery 1.0. No query string parameters are required.

/.well-known/webfinger

Allows a client to retrieve the provider URL for an end user by HTTP GET as specified by OpenID Connect Discovery 1.0.

For an example, see Configuring OpenAM For OpenID Connect Discovery.