Chapter 7. Service Endpoints

Supports debug logging by service. For more information, see the Administration Guide chapter on Debug Logging by Service.

Enables access to a page that encodes text passwords. The algorithm is based on PBEWithMD5AndDES, password-based encryption (PBE) using the MD5 message-digest algorithm, configured with the data encryption standard (DES)

Supports requests for server information. As getServerInfo.jsp is encoded in some .java files, you should retain getServerInfo.jsp in your deployment.

Verifies the current status of the OpenAM service; the "Server is ALIVE:" message also verifies activity on OpenAM systems behind load balancers. This can be a useful tool in a production environment.

Supports access to a remote identity provider, through the federation broker.

Lists active services within OpenAM. The details shown on this page can be used with the ssoadm command to create a second OpenAM server with matching services. Be aware, the amadmin administrative user is hard-coded into this file. If you change the identity of the administrative user to something other than amadmin, that user won't have access to services.jsp.

Specifies configuration information for the system, including the URL, the OS, the Java VM, the configuration directory, and more.

Supports GUI-based access to the options associated with the ssoadm command. The ssoadm.jsp file is disabled by default. Instructions for enabling this feature are available from the Administration Guide entry on OpenAM ssoadm.jsp.

May be called by the validator.jsp or validatorMain.jsp files, to display progress in verifying the status of federation.

Refers to the ValidateSAML2 function to identify the realm, IdP and SP for the federation.

Starts an "Authentication Failed" message.

Incorporates a "Back to Login" button in validatorMain.jsp.

Sets up a federation connectivity test. If you've set up a Federation Circle of Trust, this file is accessible from the "Test Federation Connectivity" option in the main OpenAM console.

Opens a "Connectivity Test Results" window, specifying the status of a federation circle of trust. Tests relate to IdP authentication, SP authentication, account linking, single log out, single sign on, and account unlinking.

Adds information to validator.jsp and validatorMain.jsp with federation status information as it relates to the currently configured circle of trust.

The only endopint in the com_sun_web_ui/jsp/datetime subdirectory. May be a legacy endpoint; it calls a DateTimeWindowViewBean class; the corresponding .java file does not exist in the current trunk.

One of two endpoints in the com_sun_web_ui/jsp/help subdirectory. May be a legacy endpoint; it calls a HelpViewBean class; the corresponding .java file does not exist in the current trunk.

One of two endpoints in the com_sun_web_ui/jsp/help subdirectory. Also exists in a slightly different format in the com_sun_web_ui/jsp/help2 subdirectory, as well as the com_sun_web_ui/ jsp/version subdirectory. May be a legacy endpoint; it calls a MastheadViewBean class; the Masthead.jsp file and the corresponding MastheadViewBean.java were last changed in 2004. (However, the Masthead.jsp file in the com_sun_web_ui/jsp/version subdirectory includes a VersionViewBean.java file that is used by the Version.jsp endpoint used in the console/base subdirectory.

Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a ButtonNavViewBean class; the associated .java file no longer exists in the trunk.

Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a Help2ViewBean class; the associated .java file no longer exists in the trunk.

Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a Help2ViewBean class; the associated .java file no longer exists in the trunk.

Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a Help2ViewBean class; the associated .java file no longer exists in the trunk.

Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a NavigatorViewBean class; the associated .java file no longer exists in the trunk.

Specifies an endpoint in the com_sun_web_ui/jsp/table directory.

Specifies an endpoint in the com_sun_web_ui/jsp/table directory. Points to a TableViewBean class; the associated .java file no longer exists in the trunk..

Points to an endpoint in the com_sun_web_ui/jsp/wizard subdirectory. Points to a WizardWindowViewBean class, which appears to be unused by any other .jsp file.

Specifies an error page for account expiration. The message displayed to the user can be modified in the amAuthUI.properties file.

Option to Exception.jsp; called if there is an existing resource bundle, as specified in AuthExceptionViewBean.java.

Specifies an error page for authentication errors. The message displayed to the user can be modified in the amAuthUI.properties file.

Associated with the self-registration module, which can be configured in the OpenAM Console, under Access Control > Realm Name > Authentication > Module Instances. The default disclaimer is associated with the disclaimer.notice parameter, defined in the amAuthUI.properties file.

Associated with the self-registration module, which can be configured in the OpenAM Console, under Access Control > Realm Name > Authentication > Module Instances. The default disclaimer_denied message is associated with the disclaimer.declined parameter, defined in the amAuthUI.properties file.

Includes the following error message: "Authentication Service is not initialized." Cited by several other .java files in the code, so it should not be removed in a secure deployment..

Used to specify an issue with the authentication level. The default invalidauthlevel and contactadmin messages can be redefined in the amAuthUI.properties file.

Notes a problem with a specified user name for a cookie, which presumably does not exist in the relevant domain. The default cookie.notpersistent and contactadmin messages can be modified in the amAuthUI.properties file.

Displays a "No such Organization found" message when a domain is not defined in the OpenAM database. Refers to the nosuch.domain parameter in the amAuthUI.properties file.

Defines the response of OpenAM to a user who enters an undefined profile. Uses the userhasnosuchprofile.org and contactadmin parameters in the amAuthUI.properties file.

Provides a message in the event of a login failure. The message uses the auth.failed parameter in the amAuthUI.properties file.

Specifies a regular authentication template. As noted in the Administration Guide entry on Securing OpenAM Administration, the Login.jsp file may be customized for different deployments.

The Logout.jsp file may also be customized for different deployments.

Specifies the message given to users when the number of sessions has hit the preconfigured limit. The default is 5000, defined in the OpenAM console under Configuration > Servers and Sites > Default Server Settings > Session. The message uses the session.max.limit parameter defined in the amAuthUI.properties file.

Specifies information for the page associated with the self-registration module.

Calls text messages related to the authentication process.

Includes a message to a target user that he does not have access to a specified module. The message uses the authmodule.denied parameter defined in the amAuthUI.properties file..

Adds a page which can be used to help customize appropriate modules.

Includes a warning when a user is trying to access a different realm. The message uses the newOrg.agree parameter, as defined in the amAuthUI.properties file.

Specifies the lack of a defined configuration module. The message uses the noconfig.found parameter, defined in the amAuthUI.properties file.

Shows a default template for entering an activation code. Used by OAuth.xml for password changes. As this file is not configured for OAuth2, the file is deprecated and may be removed from a future release.

Displays a password change screen, with an option for terms and conditions of service. As this file is not configured for OAuth2, it is deprecated and may be removed from a future release.

Transmits the message that the target organization is not active in the OpenAM database.

Specifies the message that is sent when there's a failure in the use of the self-registration module. Associated with the profile.error parameter, defined in the amAuthUI.properties file.

Notes a file used by other code to redirect users for events such as login failures.

Identifies the page with the self-registration template.

Adds a message to a user when a session has gone past its allocated login time. Uses the session.timeout parameter, defined in the amAuthUI.properties file.

Associated with role-based authentication. Tells a user when the required role has not been configured for that user. Message defined by the user.not.inrole parameter, defined in the amAuthUI.prooperties file.

Identifies a message sent to a user that is not currently active in the database. Message defined by the usernot.active parameter, as shown in the amAuthUI.properties file.

Supports a non-blank page for cross-domain single sign-ons; associated with a Cross-Domain Controller (CDC) servlet.

Supports links to login pages of trusted identity providers.

Sets up an error message, using the com.sun.liberty.LibertyManager interface.

Supports a connection to providers that can be configured in a federation.

Specifies the status of a federation request; the default response is either "The user has cancelled account federation." or "Federation has been successfully completed with the remote provider.

Sets up code that you can use to include a custom footer on all pages.

Sets up code that you can use to include a custom header on all pages; the default version is configured with the OpenAM logo.

When a service provider (SP) belongs to more than one COT, this page prompts the user to select a preferred identity provider (IDP).

Specifies success or failure during a logout operation. Where a user has an account on multiple providers, he may see the following message: "Unable to log the user out from one or more providers where the user may still have active sessions."

Supports registration with a new remote provider; this endpoint is associated with NameRegistrationDone.jsp.

Displays different messages based on a registration attempt with a remote provider. The message varies depending on whether the request was successful, a failure, or cancelled.

Supports defederation from an existing remote provider; goes with TerminationDone.jsp.

Displays different messages based on a defederation attempt with a remote provider. The message varies depending on whether the request was successful, a failure, or cancelled.

Includes a newly created web agent for a specified realm. The AgentAdd page appears in the OpenAM console after an agent is added to a realm.

Allows an administrator to review default settings for the agent, as configured in the Inheritance Settings page. Inheritance assumes that agent is part of a previously confiugred group. To access Inheritance Settings, refer to the Creating Agent Profiles" section of the Administration Guide.

Displays information about the current configuration of an agent or an agent group, and how it might be exported.

Shows how the information about an agent may be exported.

Includes a newly created agent group for common web agents within a specified realm. The AgentGroup page appears in the OpenAM console after an agent is added to a realm.

Supports the display of agents that are members of a specified agent group.

Enables access to a form to specify a new agent to add. The same form is used for every category of new agents configured from the OpenAM console, when you navigate to Access Control -> [Realm name] -> Agents.

Per comments in the HomeViewBean, this file should forward requests for other agents.

Includes customizable options for web service clients. Accessible when you edit and then save or export the configuration for a specific web service client.

Includes customizable options for web service providers. Accessible when you edit and then save or export the configuration for a specific web service provider.

Includes customizable options for web service STS providers. Accessible when you edit and then save or export the configuration for a specific web service STS provider.

Supports the configuration of an WSP agent username and password.

Supports changes to an WSP agent username and password.

Specifies an element used by several other endpoints, including ConfigureGoogleApps.jsp and ConfigureSalesForceApps.jsp.

Used by the FileUploader.jsp endpoint, described in the section on Federation Console JSP Endpoints.

Part of the creation of a New Authentication Chain; associated with the Authentication Chaining section of the Authentication tab for a realm.

Specifies properties that might be configured under the authentication tab for a specific or top-level realm.

Associated with the Core section of the Authentication tab of a specific or the top-level realm. Includes options for Realm Attributes, Persistent Cookies, Account Lockout, and Post-Authentication Processing.

Supports changes to Module Instances, under the Authentication tab of a specific or the top-level realm.

Associated with the creation of a New Authentication Chain, an option available from the Authentication Chaining section of the Authentication tab.

Supports the implementation of a new authentication module, available from the Module Instances section of the Authentication tab.

Supports a change in sequence of authentication criteria; to access, select an existing Authentication Chaining service under the Authentication tab for a specified realm.

Defaults to the opening page for the OpenAM console.

Provides an "Invalid URL" error message.

Redirects users to the default login page; assumes no user is currently logged into OpenAM.

Endpoint that either returns success of a post or an "Invalid or Missing Input" error.

Default uncaught exception error message endpoint: "An error occurred while processing this request. Contact your administrator."

Displays a "You're logged in" information message.

Endpoint that closes existing windows.

Specifies a template endpoint used for messages.

Specifies current version information, copyright notice, and licensing.

Associated with the privileges for a realm. The privileges can be assigned for different groups of users, as configured via Access Control > [realm] > Subjects > Group.

Supports changes in properties for group privileges, described in the Delegation.jsp endpoint. To get to these properties, select Access Control > [some realm] > Privileges > [name of group].

When you create a Circle of Trust (COT) via Federation > New, you can access the COT Configuration window. You can then access all configured COTs.

Used when creating a new entity provider, configured with the SAML2 protocol.

Associated with an edit of a COT; to access, select a previously configured COT.

Opened when you configure a new Trusted Partner under the SAML 1.x Configuration section.

Associated with FSSAMLServiceViewBean, which is used by a number of other JSP files in the console/federation subdirectory.

Associated with the FSSAMLSetTrustedPartnersEdit.jsp file; used when you select a configured SAML 1.x Configuration trusted partner.

Supports the addition of a Site ID for a SAML-configured partner.

Supports the modification of a Site ID for a SAML-configured partner.

Includes a new POST to a specified URL.

Supports editing of a POST to a specified URL.

Called when you create a new "trusted partner" in the SAML 1.x Configuration area of the Federation window.

Called when you edit an existing "trusted partner" in the SAML 1.x Configuration area of the Federation window.

Cited when you click New in the "Circle of Trust" section of the Federation window.

Called by the ImportEntity.jsp file, to support uploads of metadata files associated with a previously configured entity provider.

Specifies an IDFF affiliate in a COT.

Includes general parameters associated with an IDFF affiliate in a COT. The corresponding IDFFGeneralViewBean parameter is cited only in this and the IDFFGeneralViewBean.java files.

Associated with the Identity Provider (IDP) for IDFF.

Associated with the Service Provider (SP) for IDFF.

Supports the import of pre-existing metadata files which define an entity provider. Allows you to import metadata from a URL to a desired Realm.

Enables a view of SAML version 2 affiliates.

Associated with an IDP acting as an attribute authority.

Supports queries and saves of SAML2 attribute metadata.

Enables communication with an IDP acting as an authentication authority.

Identifies general properties of a SAML version 2 affiliate.

Supports the configuration of advanced properties for a SAMLv2 IDP.

Associated with the Assertion Content tab, accessible when you select Federation > Entity Providers > Provider Name.

Associated with the Assertion Processing tab, accessible when you select Federation > Entity Providers > Provider Name.

Supports the configuration of IDP service properties for a SAML2 provider.

Enables the configuration of a SAMLv2-based Policy Decision Point (PDP).

Enables the configuration of a SAMLv2-based Policy Enforcement Point (PEP).

Supports the configuration of advanced properties for a SP. Accessible when you select Federation > Entity Providers > Provider Name > SP > Advanced.

Associated with the Assertion Content tab; supports the configuration of such for SPs; It is accessible when you select Federation > Entity Providers > Provider Name > SP > Assertion Content.

Associated with the Assertion Content tab; supports the configuration of assertion processing-related properties for SPs. It is accessible when you select Federation > Entity Providers > Provider Name > SP > Assertion Processing.

Supports the configuration of services-related properties for an SP. It is accessible when you select Federation > Entity Providers > Provider Name > SP > Services.

Associated with the configuration of a legacy WS-Federation entity provider.

Supports the configuration of an IDP under WS-Federation.

Supports the configuration of an SP under WS-Federation.

Supports a policy that depends on the realm where the user authenticated.

Adds a policy that depends on the realm where the user authenticated.

Edits an existing policy that depends on the realm where the user authenticated.

Enables a policy that depends on an authentication realm for a user.

Edits a policy that depends on an authentication realm for a user.

Supports adding a condition to a policy realm. Associated with the SelectConditionType.jsp file.

Edits a condition that has been added to a policy realm. Associated with the SelectConditionType.jsp file.

Supports a proxy of a condition that has been added to a policy realm. Cited only by the ConditionProxyViewBean.java file.

Supports a policy that depends on a list of selected OpenAM subjects, as well as group membership.

Edits an existing policy that depends on a list of selected OpenAM subjects, as well as group membership.

Supports the configuration of a policy based on users or groups.

Adds a policy that configures a policy based on users or groups.

Edits an existing policy based on the configuration of users or groups.

Identifies a response provider that provide additional information on policy enforcement, such as why a request was allowed or denied.

Edits an ID response provider that provide additional information on policy enforcement, such as why a request was allowed or denied.

Supports the configuration of a new policy for authenticated users.

Supports the editing of an existing policy for authenticated users.

Supports a policy that depends on the realm where the user authenticated, with a minimum or maximum acceptable authentication level.

Adds a policy that depends on the realm where the user authenticated, with a minimum or maximum acceptable authentication level.

Edits an existing policy that depends on the realm where the user authenticated, with a minimum or maximum acceptable authentication level.

Supports the configuration of a policy that depends on the realm where the user authenticated.

Adds a policy that depends on the realm where the user authenticated.

Edits an existing policy that depends on the realm where the user authenticated.

Supports a policy based on clients in a specific range of IP addresses or associated with a specific DNS domain name.

Adds a policy based on clients in a specific range of IP addresses or associated with a specific DNS domain name.

Edits an existing policy based on clients in a specific range of IP addresses or associated with a specific DNS domain name.

Supports the configuration of an Active Session policy condition.

Adds a new policy related to an Active Session policy condition.

Edits an existing policy related to an Active Session policy condition.

Relates to a policy associated with time restrictions on a user or group.

Adds a policy for time restrictions on a user or a group.

Edits an existing policy related to time restrictions on a user or a group.

Used for user/group roles associated with the Directory Server Access Management Edition.

Relates to a policy dependent on group membership within the LDAP database.

Relates to a policy dependent on organizational (OU) membership within the LDAP database.

Relates to a policy dependent on user roles configured within the LDAP database.

Displays currently configured policies for the target realm.

Shows what policy has been added from the Policies tab, after configuring a new policy with the New Policy button.

Supports the creation of a new policy rule, or the edit of an existing policy rule. To access, click New in any policy category, or select an existing policy.

Displays a newly configured referral policy.

Supports editing of an existing referral policy.

Supports selection of a policy, by name, in either a "normal" or a "referral" category.

Adds referrals to and from an existing policy.

Edits referrals associated with an existing policy.

Supports changes in referrals to and from an existing policy.

Associated with IDRepoResponseProviderAdd.jsp.

Associated with IDRepoResponseProviderEdit.jsp.

Supports changes in response providers for an existing policy.

Displays a newly created policy, in the Edit Policy window.

Supports edits of an existing policy.

Associated with the SelectServiceType.jsp endpoint.

Associated with the SelectServiceType.jsp endpoint.

Associated with the SelectServiceType.jsp endpoint.

Associated with the SelectServiceType.jsp endpoint.

Enables a policy that depends on whether the information for a specific user can be found in the identity repository LDAP database.

Opens a window that supports a selection from existing realms, based on available authentication modules.

Supports the configuration of a referral type for a sub-realm.

Supports the configuration of a response provider type for an identity repository.

Supports the configuration of a policy service type; supports the customization of a new rule for configurable service types such as the Discovery Service.

Enables creation of a policy for web service clients, associated with federated access management.

Supports a policy that depends on attributes in a user's session.

Supports a policy that includes conditions based on attributes in a user's session.

Edits conditions in a policy based on attributes in a user's session.

Edits attributes in a policy based on attributes in a user's session.

Supports the configuration of a new policy for authenticated users; associated with PMAuthenticatedUsersSubjectAdd.jsp.

Edits the configuration of a policy for authenticated users; associated with PMAuthenticatedUsersSubjectEdit.jsp.

Associated with a policy for web service clients; related to SelectSubjectType.jsp.

Supports the configuration of a new policy for authenticated users; associated with PMAuthenticatedUsersSubjectEdit.jsp.

Configures a proxy for web service client policies; associated with SelectSubjectType.jsp.

Accesses the information page for the currently logged in user.

Opens the list of currently configured users, available via Access Control > [selected realm] > Subjects.

Used when adding a new user or group.

Associated with the Discovery Service. To access that service, select a non-administrative user and select the Services tab. The EntityDiscoveryDescriptionAdd.jsp file is used when selecting a new Security Mechanism ID as a Service Description as a new Discovery Resource Offering.

Associated with an edit of an existing Security Mechanism ID.

Called when saving changes to an existing user.

Lists the members of a configured group.

Lists the members of a configured group based on some filter.

Accessed when a regular user is made a member of a previously configured group.

Supports custom resource offering entries for a previously configured user. Also seen when accessing the UMUserResourceOffering.jsp file.

Supports entries of new resource offerings for a previously configured user. Also seen when accessing the UMUserResourceOfferingAdd.jsp file.

Supports edits of existing resource offerings for a previously configured user. Also seen when accessing the UMUserResourceOfferingEdit.jsp file.

Supports a new service for a specific user. As of this writing, available services are: Dashboard, Discovery Service, Liberty Personal Profile Service, and Session.

Opens a list of currently configured users.

Accessible after adding a new service for a currently configured user; associated with the EntityServices.jsp file.

Accessible for editing services associated with a currently configured user.

Used if a configured organization has no available attributes.

Opened when adding a service for a specific user.

Associated with the main Access Control page in the OpenAM GUI console, which lists configured realms. If you call realm/HomePage.jsp directly, it cites messages associated with changes for a specific user, and functions more closely associated with JSP endpoints in the console/idm subdirectory.

Enables links with directory server data stores within a realm. To access, select Access Control > [some realm] > Data Stores > New. You should see a variety of supported directory server data stores, such as Active Directory, OpenDJ, and Tivoli Directory Server.

Appears when you add a data store; associated with the IDRepo.jsp service endpoint.

Appears when you edit an existing data store; associated with the IDRepo.jsp service endpoint.

Includes a list of supported data stores, from Active Directory to OpenDJ; associated with the IDRepo.jsp service endpoint.

Supports the configuration of a new realm, or editing of an existing realm.

Supports the addition of a new realm; associated with the RMRealm.jsp service endpoint.

Supports a new description for a realm; associated with the RealmResourceOffering.jsp service endpoint.

Supports an edited description; associated with the RealmResourceOffering.jsp service endpoint.

Works with the pages that allow you to edit an existing realm.

Supports the configuration of a security mechanism to a new realm resource offering. Requires the configuration of the discovery service, and the configuration of a directory resource offering for the specified realm.

Supports the addition of a security mechanism to a new realm resource offering. Requires the configuration of the discovery service, and the configuration of a directory resource offering for the specified realm.

Supports the editing of a security mechanism for an existing realm resource offering. Requires the configuration of the discovery service, and the configuration of a directory resource offering for the specified realm.

Supports the configuration of a service within a specified realm.

Supports the addition of a service to a specified realm; available services to add include Administration, Dashboard, Discovery, Globalization Settings, OAuth2 Provider, Password Reset, Session, and User.

If a desired service is not compatible with directory data available from an organization, it is rejected.

Supports the editing of an existing service; associated with the Services.jsp endpoint.

Supports the editing of an existing service; called if the attribute cannot be found or changed.

Implements step 1 of the addition of a new service; associated with the Services.jsp endpoint.

Supports the configuration of a new character set alias. Accessible from the Globalization Settings > Charset Aliases submenu.

Supports the editing of an existing character set alias. Accessible from the Globalization Settings > Charset Aliases submenu.

Supports the configuration of a new character set supported by a locale. Accessible from the Globalization Settings > Charsets Supported by Each Locale submenu.

Supports the editing of an existing character set supported by a locale. Accessible from the Globalization Settings > Charsets Supported by Each Locale submenu.

Supports a list of client types. Associated with the Default Client Type option available via Configuration > System > Client Detection.

Supports creation of client devices.

Supports creation of client devices.

Supports step 1 of creating a new client device.

Used with duplicate client devices.

Associated with basic Service Configuration data, and the other endpoints accessible from the Configuration menu.

Supports the configuration of available authentication databases. You can get to this window by selecting Configuration > Authentication.

Supports the configuration of administrative an globalization console properties. You can get to this window by selecting Configuration > Console.

Supports the configuration of OpenAM global properties. You can get to this window by selecting Configuration > Global.

Supports the configuration of OpenAM system properties. You can get to this window by selecting Configuration > System.

Accesses current global attributes and cookie domain settings. To get to this window, select Configuration > System > Platform.

Supports a view of the current policy configuration. To access this window, select Configuration > Global > Policy Configuration.

Supports the addition of a new resource comparator to the current policy configuration. To access the relevant window, select Configuration > Global > Policy Configuration.

Supports the editing of an existing resource comparator in the current policy configuration. To access the relevant window, select Configuration > Global > Policy Configuration.

Enables a review of current SAMLv2 SOAP binding request handlers. Associated with SOAP-based communications, using SAMLv2 requests, between a client and a server. To access the relevant screen, select Configuration > Global > SAMLv2 SOAP Binding.

Allows you to add a new SAMLv2 SOAP binding request handler. To access the relevant screen, select Configuration > Global > SAMLv2 SOAP Binding.

Allows you to duplicate an existing SAMLv2 SOAP binding request handler. To access the relevant screen, select Configuration > Global > SAMLv2 SOAP Binding.

Allows you to edit an existing SAMLv2 SOAP binding request handler. To access the relevant screen, select Configuration > Global > SAMLv2 SOAP Binding.

Enables a review of current SOAP binding request handlers. Associated with the Liberty Alliance Project Identity Federation Framework (Liberty ID-FF).

Allows you to add a new SOAP binding request handler. Associated with the Liberty Alliance Project Identity Federation Framework (Liberty ID-FF).

Allows you to duplicate an existing SOAP binding request handler. Associated with the Liberty Alliance Project Identity Federation Framework (Liberty ID-FF).

Allows you to edit an existing SOAP binding request handler. Associated with the Liberty Alliance Project Identity Federation Framework (Liberty ID-FF).

Supports the configuration of tokens associated with the Security Token Service (STS). To access the associated screen, select Configuration > Global > Security Token Service.

Supports the addition of an OpenAM server to work behind a load balancer in support of Session Failover (SFO). Available from Configuration > Servers and Sites, in the Servers subsection.

Supports the cloning of an existing OpenAM server to work behind a load balancer in support of Session Failover (SFO). Available from Configuration > Servers and Sites, in the Servers subsection.

Supports the inheritance of the default configuration for servers, as it relates to SFO.

Enables the configuration fo a new server; relates to SFO.

Supports the review of the XML settings of an existing server, as it relates to SFO.

Supports the editing of advanced properties for default servers, in the configuration of servers for SFO. To access, select Configuration > Severs and Sites > Default Server Settings, and click Advanced.

Supports the editing of general properties for default servers, such as the base directory, default locale, debug level, mail server for notifications, and more. Relates to the configuration of servers for SFO. To access, select Configuration > Severs and Sites > Default Server Settings, and click General.

Supports the editing of SDK-related properties for default servers, associated with SFO. Supports editing of settings such as datastore notifications, event service connection retries, LDAP connections, Time To Live (TTL) for user entries, and more. To access, select Configuration > Severs and Sites > Default Server Settings, and click SDK.

Supports the editing of security properties for default servers; associated wtih SFO. Includes default security settings such as encryption keys, cookie encoding, key stores, and certificate management. To access, select Configuration > Severs and Sites > Default Server Settings, and click Security.

Supports the editing of session properties for default servers; associated with SFO. Note the Session Limit default specifies a maximum of 5000, well short of the 100,000 sessions that can be handled by a standard 3GB dual-core production system. To access, select Configuration > Severs and Sites > Default Server Settings, and click Session.

Associated with the addition or editing of a load balancer that distributes requests to other OpenAM servers. Available from the Configuration > Servers and Sites, in the Servers subsection.

Enables the configuration of a load balancer to distribute requests to other existing OpenAM servers. Available from the Configuration > Servers and Sites, in the Sites subsection.

Enables changes to a configured load balancer in how it distributes requests to other existing OpenAM servers. Available from the Configuration > Servers and Sites, in the Sites subsection.

Includes new resource offerings for the discovery service, bootstrapped using a standard such as SAML2.

Supports the editing of existing resource offerings for the discovery service, bootstrapped with a standard such as SAML2.

Includes the addition of of new options for the discovery service.

Supports the editing of existing options for the discovery service.

Supports the mapping of a new resource ID for the discovery service.

Supports the editing of an existing resource ID for the discovery service.

Supports a review and configuration of the Discovery Server, for global attributes, the ResourceID Mapper plug-in, and bootstrapping.

Allows you to configure globalization settings for OpenAM; accessible via Configuration > Console > Globalization Settings.

Allows you to configure globalization settings for OpenAM; accessible via Configuration > Console > Globalization Settings.

Allows you to review and copy STS policies for export, input, and output. You can review this via Configuration > Global > Security Token Service > Export Policy.

Allows you to configure a secondary configuration instance; accessible via Configuration > Global > Session.

Allows you to edit an existing secondary configuration instance; accessible via Configuration > Global > Session.

Allows you to configure a schema assocaited with breadcrumbs.

Provides information on current login session statistics. Available from the Sessions tab from the main console.

Supports session high availability statistics collection.

Provides information on what the administrator can do after configuring an Identity Provider (IDP). Options listed include registering a remote Service Provider (SP), creating a fedlet, configuring Google Apps, and configuring Salesforce CRM. Includes links to such functionality, which depend on the configuration of a Circle of Trust (CoT).

Supports the configuration of Google Apps for Single-sign on (SSO). Requires a CoT configured with an IDP.

Enables entries to configure the SP. Includes steps "To Enable Access to the Google Apps API."

Includes a default warning message related to the ConfigureGoogleApps.jsp endpoint. The message is self-explanatory, though grammatically questionable: "Unable to configure because there are no circle of trust with Identity Provider."

Supports the configuration of OAuth2 Authorization. For more information, see the the chapter on Managing OAuth2 Authorization in the Administration Guide.

Accessible when you select the Configure Salesforce CRM link shown in the main GUI console. Requires IDP and SP information for an appropriate CoT, where OpenAM is the IDP and Salesforce is configured as the SP.

Supports the configuration of SSO with a Salesforce CRM account. Includes instructions on the settings to add to an applicable Salesforce account.

Sets up a warning message related to a need for a Salesforce Login URL for the configuration.

A fedlet supports federation for a SP that does not already have its own federation solution. For more information, see the the chapter on Using Fedlets in Java Web Applications in the Development Guide .

Sets up a warning message related to the prerequisite for a CoT with the IDP.

Supports the configuration of a SAMLv2 IDP on the local instance of OpenAM.

Supports the configuration of a SAMLv2 SP on the local instance of OpenAM.

Supports the configuration of a SAMLv2 IDP on a remote system, within a configured CoT.

Supports the configuration of a SAMLv2 SP on a remote system, within a configured CoT.

Endpoint that redirects the client to the startup page for OpenAM.

Supports the test of a federation connection between an IDP and SP in a CoT.

This service endpoint is normally opened in a separate window to enable a user (or administrator) to change their login password. Accessible from the Edit User screen. All you need to do from the screen is click Edit next to the Password entry.

Relates to the security mechanism identifier associated wih a user. To access from the screen for an individual user, select Services > Discovery Service > Add > scroll down to the Service Description box > New Description > select and Add a Security Mechanism ID. Example IDs include urn:liberty:security:2003-08:ClientTLS:SAML, which relates to the former Liberty Alliance project, using Transaction Layer Security (TLS) on the client, with SAML assertions.

Supports editing of the security mechanism identifier associated with a user. Closely related to the UMUserDiscoveryDescriptionAdd.jsp endpoint.

Allows you to "Force Change Password on Next Login". Accessible from the Edit User screen for a specific user, via the "Password Reset Options" entry near the bottom of the window.

Accessible as an option to the Discovery Service for a specific user. To access from the Edit User screen for a specific user, select Services > Discovery Service > Add.

Accessible as an option to the Discovery Service for a specific user. To access from the Edit User screen for a specific user, select Services > Discovery Service > Add.

Accessible as an option to the Discovery Service for a specific user. To edit an existing resource offering, navigate to the Edit User screen for a specific user, select Services > Discovery Service > [some previously configured service].

Supports the configuration of various mechanism handlers for authentication, including CRAM-MD5, PLAIN, and SSOToken.

Supports the addition of a new mechanism handler for authentication.

Supports changes to an existing mechanism handler for authentication.

Enables the addition of a new LDAP attribute, with a name prefix.

Enables the editing of an existing LDAP attribute, with a name prefix.

Enables the creation of a new supported container for ID-FF.

Enables the editing of an existing container.

Allows you to configure ID-FF for global attributes, supported containers, PPLDAP attributes and alternative security mechanisms.

Specifies an endpoint used to register service consumers, which get resources from SPs. Provides access to registerconsumer.jsp. Associated with OAuth 1.0.

Defines an endpoint used to register a consumer of services from SPs. Associated with OAuth 1.0.

Allows a user to authorize or revoke a request for an OAuth 1.0 token..

Enables registration of an OAuth 2.0 client with the OpenAM OAuth 2.0 authorization service. For details, see the Administration Guide chatper on Managing OAuth 2.0 Authorization.

Used to log out the resource owner with teh OAuth 2.0 provider. For more information, see the Administration Guide chapter on Defining Authentication Services.

Endpoint used for redirection. For more information, see the Administration Guide chapter on Managing OAuth 2.0 Authorization.

This simple endpoint includes a redirection of the ServiceURI, and specifies OpenAM as the ProductName. It's cited by the other endpoints in the password/ui subdirectory.

This endpoint is called with the PWResetInvalidURLViewBean class, when a module servlet gets an invalid URL.

Starts the password reset process by propmting for the User ID. For more information on the process, see the method for the associated PWResetQuestionModel, available from the Interface PWResetQuestionModel specification page.

Specifies the endpoint that is called when an account password is successfully reset.

Specifies a "Contact your administrator" message when there is an error in a related endpoint.

Opens a screen that prompts for a user ID (UID). If that UID is found in the database, configured with an accessible email address, on a system connected to a mail server, a reset link is sent to that address.

May be used by other files to return a success or failure message. While the default.jsp name is common in the trunk, the jsp/default.jsp filename is used only by SPSingleLogout.java, which is not commonly used.

Supports the export of XML-based metadata with other providers within a circle of trust (CoT). Currently used. For more information, see the chapter on Managing SAML2 Federation in the Administration Guide.

Supports the configuration of SAML attribute query headers.

Supports the configuration of SAML attribute response headers.

Previously used to start single sign-on at the Fedlet.

Specifies a sample fedlet application that can be removed in production.

Enables a sample SAML XACML query handler; used for testing, to prompt users to specify a resource URL along with an action (GET, POST).

Retrieves a sample SAML XACML resource URL for a yes, no, or maybe decision (PERMIT, DENY, or INDETERMINATE).

The MNI in several JSP files relate to ManageNameID, which sets up corresponding accounts on IDPs and SPs. This particular JSP file processes a request from an IDP through an HTTP redirect.

The MNI in several JSP files relate to ManageNameID, which sets up corresponding accounts on IDPs and SPs. This particular JSP file processes a request from an IDP through an HTTP redirect. It uses a metadata-based alias, an entity ID for the service provider, and the type of MNI request; examples include NewID and terminate.

The MNI in several JSP files relate to ManageNameID, which sets up corresponding accounts on IDPs and SPs. As described in the Managing SAML2 Federation in the Administration Guide chapter of the Administration Guide, it allows you to change federation of persistently linked accounts. The chapter also includes an example of this endpoint at work.

Specifies an endpoint that takes authentication requests from an SP, with a SAMLRequest data, a metaAlias and a RelayState with information from the target URL.

Specifies an endpoint that starts SSO, either from cache, or by verifying metaAlias and SP identifier data.For more information, see the chapter on Managing SAML2 Federation in the Administration Guide.

Starts a LogoutRequest from the identity provider.For more information, see the chapter on Managing SAML2 Federation in the Administration Guide.

Specifies an endpoint that receives logout requests from IDPs and receives logout responses from SPs. Also sends logout responses to SPs.

Takes the SAMLRequest and SAMLResponse messages for logouts from the SP. May also handle the RelayState directive.

Used for SAML authentication for communication with identity providers (IDPs).

Used for SAML authentication for communication with service providers (SPs).

Returns an error message related to Secure Attribute Exchange (SAE). Currently used only by the SA_IDP.jsp and SA_SP.jsp endpoints.

Endpoint that may return one of many error codes, specified in the comments of the file.

Used on a SP, to interpret information from an IDP. The request to the IDP is an AuthnRequest; the response from the IDP is read by this endpoint.

The MNI in several JSP files relate to ManageNameID, which sets up corresponding accounts on IDPs and SPs. This particular endpoint takes the associated request, using an HTTP Redirect, from a SP. Less commonly used.

This particular endpoint handles the ManageNameIDRequest and ManageNameIDRespnose messages with the help of HTTP Redirect. Less commonly used.

This particular endpoint supports changes to federation of persistently linked accounts, in a fashion similar to idpMNIRequestInit.jsp. For an example of this endpoint in work, see the chapter on Managing SAML2 Federation in the Administration Guide.

Supports SSO messages from the SP. For more information and an example of how this endpoint is used, see the chapter on Managing SAML2 Federation in the Administration Guide.

Supports SSO messages from the SP. For more information, see the chapter on Managing SAML2 Federation in the Administration Guide.

Specifies an endpoint that receives logout requests from SPs and receives logout responses from IDPs. Also sends logout responses to IDPs. Converse endpoint to idpSingleLogoutPOST.jsp.

Takes the SAMLRequest and SAMLResponse messages for logouts from the IDP. May also handle the RelayState directive. Converse endpoint to idpSingleLogoutRedirect.jsp.

Shows a page after a successful logout.

Used for multi-federation protocol configurations.

Sets up a form for single sign-on (SSO) responses sent from the IDP to the SP.

Default display if no realms are defined.

This entry is more of a filter for all endpoints. It's associated with the ResponseValidationFilter, which checks for valid URLs. It's also associated with the AMSetupFilter.java file; on systems not yet configured, it redirects users to the setup wizard.

Specifies a group of URLs related to authentication endpoints, as it is associated with the AuthNFilter.java and AuthZFilter.java files. However, those files (and the associated RestServiceManager.java file) are not called by any other files in the trunk.

With the help of the LoginLogoutMapping.java file, this would forward to the /UI/Login.jsp endpoint.

With the help of the LoginLogoutMapping.java file, this would forward to the /UI/Logout.jsp endpoint.

With the help of the LoginServlet.java file, this forwards to the default login page for an OpenAM system.

Uses the AMSetupServlet, which as noted in the associated .java file, "is the first class to get loaded by the Servlet * container"

Used by the installation wizard to display the progress.

Used by the upgrade wizard to display progress.

Associated with the servlet naemd PWResetServlet, associated with password resets.

Used with the servlet named GatewayServlet. Associated with the Gateway.java file, which takes an authentication module and forwards it to a login URL.

The associated .java file is associated with Session Failover (SFO).

All of these endpoints are associated with OpenAM Security Advisory #201203. As suggested in the advisory, if you're using OpenAM version 9.5.4 or 10.0.0, you should be sure to apply the updates required to upgrade your systems to versions 9.5.5 or 10.0.1 (or higher).

These endpoints provide information on configured web services, including the port name, status, URL, and implementation class. Both endpoints show the same data. The IdentityServices servlet name points to the following description: "Web Service Endpoint - Identity Services".

Includes system configuration information when available, as documented in the comments to the AMSystemConfig.java file.

The associated servlet named notificationservlet appears to be commonly used. When the URL is entered, the default output is 200, associated with an URL success message.

Used by the NetworkMonitor.java file, which is essential to the monitoring of OpenAM services.

Possibly a legacy endpoint. While the associated IdentityServicesHandler servlet is identified as "REST Endpoint - Identity Services", it is only cited in the IdentityServicesHandler.java file.

Linked to an oauth servlet. The associated com.sun.identity.oauth.service.RestService class is rarely used.

Associated with the servlet named AuthServlet. The associated AuthServer.java file is the controller servlet for realm authentication pages. When the URL is entered prior to login, it defaults to the standard login page.

Associated with the servlet named AMBaseServlet. While the associated AMBaseServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

Associated with the servlet named SCServlet. While the associated SCServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

Associated with the servlet named SMServlet. While the associated SMServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

Associated with the servlet named RMServlet. While the associated RMServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

Associated with the servlet named PMServlet. While the associated PMServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

Associated with the servlet named IDMServlet. While the associated IDMServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

Associated with the servlet named UMServlet. While the associated UMServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

Associated with the servlet named DelegationServlet. While the associated DelegationServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

Associated with the servlet named TaskServlet. While the associated TaskServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

Associated with the servlet named AgentConfigurationServlet. The associated AgentConfigurationServlet class is called by the amAccessControl.xml file, which suggests that it can be configured from the GUI console, through the Agents section of the Access Control menu. It is rarely used otherwise. The URL prior to login defaults to the standard login page.

Associated with the servlet named click-servlet. There is no associated click-servlet.java or ClickServlet.java file.

Associated with the servlet named FSServlet. While the associated FSServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

Used by the WSServlet.java and SecurityTokenService.java files. If you're using web services and/or the Security Token Service (STS), you may want to keep this in place.

Associated with the STS. Be aware, this endpoint exposes basic service and port information for STS, Metadata Exchange (MEX), Simple Object Access Protocol 1.1 (SOAP11), and Web Service Definition Language (WSDL) endpoints without logons.

Associated with the STS. Be aware, this endpoint exposes basic service and port information for STS, Metadata Exchange (MEX), Simple Object Access Protocol 1.1 (SOAP11), and Web Service Definition Language (WSDL) endpoints without logons.

Associated with the STS. Be aware, this endpoint exposes basic service and port information for STS, Metadata Exchange (MEX), Simple Object Access Protocol 1.1 (SOAP11), and Web Service Definition Language (WSDL) endpoints without logons.

Associated with the STS. Unlike related STS endpoints, it returns a 404 message by default.

Used by a servlet named SPMniSoap; associated with a com.sun.identity.saml2.servlet.SPManageNameIDServiceSOAP servlet class. The associated .java file works with Manage Name ID communications using SOAP binding from the SP. As the former spMNISOAP.jsp file no longer exists in the trunk, this may be a legacy endpoint.

Used by a servlet named spMNIPOST.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named spMNIRedirect.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named spMNIRequestInit.jsp; previously defined in the SAML2 JSP Endpoints section.

The associated SPECPService class receives and processes single logout (SLO) requests, using SOAP bindings on the SP.

The associated SPSingleLogoutServiceSOAP class receives and processes single logout (SLO) requests, using SOAP bindings on the SP.

Used by a servlet named spSingleLogoutPOST.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named spSingleLogoutRedirect.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named spSingleLogoutInit.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named spAssertionConsumer.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named idpSSOFederate.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named idpSSOFederate.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named NameIDMappingServiceSOAP.

Used by a servlet named AssertionIDRequestServiceSoap.

Used by a servlet named AssertionIDRequestServiceSoap.

Used by a servlet named AuthnQueryServiceSoap.

Used by a servlet named AttributeServiceSoap.

Used by a servlet named SSOSoap.

Used by a servlet named IDPMniSoap.

Used by a servlet named idpMNIPOST.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named idpMNIRedirect.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named idpMNIRequestInit.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named IDPSloSoap.

Used by a servlet named idpSingleLogoutPOST.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named idpSingleLogoutRedirect.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named idpSingleLogoutInit.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named IDPArtifactResolver.

Used by a servlet named spSSOInit.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named idpSSOInit.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named idpSSOFederate.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named SA_IDP.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named IDP_SP.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named IDPFinderService; The associated FSIDPFinderService.java file can be used to find a preferred IDP with a common domain cookie.

Used by a servlet named CDCServlet. It is associated with a Cross Domain Controller Servlet, as described in the the chapter on Configuring Cross-Domain Single Sign On in the Administration Guide .

Used by a servlet named SAMLAwareServlet. It is associated with communications between a client, an SP, and an IDP. The transfer service on the IDP is the SAML Aware Servlet, and is part of the client web browser artifact profile. It validates a session token from a request run through the IDP.

Used by a servlet named SAMLPOSTProfileServlet. It is associated with communications between a client, an SP, and an IDP. The transfer service on the IDP is the SAML Aware Servlet, and is part of the client web browser POST profile, which supplies assertion IDs, and returns the response to the client browser.

Used by a servlet named SAMLSOAPReceiver. The servlet extracts a SAML request from a message sent in SOAP format. That message can be a query for authorization, attributes, or authentication. It supports POST messages only.

Used by a servlet named AssertionManagerServlet. It supports dynamic substitution, using the host name, port number, and the deployment location.

Used by a servlet named FSAssertionManagerServlet. It provides remote interfaces for the assertion manager class.

Used by a servlet named SecurityTokenManagerServlet. It supports dynamic substitution, using session parameters.

Used by a servlet named preLoginHandler. As there is no associated .java or .jsp file, it may be a legacy endpoint.

Used by a servlet named postLoginHandler. As there is no associated .java or .jsp file, it may be a legacy endpoint.

Used by a servlet named FederationServlet. Associated with the com.sun.identity.federation.login.FSFederationHandler class. The matching FSFederationHandler.java file processes requests to initiate a federation.

Used by a servlet named consentHandler. Associated with the com.sun.identity.federation.login.FSConsentHandler class. The matching FSConsentHandler.java file processes redirect requests in an existing federation.

Used by a servlet named ProcessLogout. Associated with the FSProcessLogoutServlet class. It is designed to handle single logout requests related to Kantera / Liberty ID-FF processes.

Used by a servlet named ReturnLogout. Associated with the FSReturnLogoutServlet class. It is designed to handle single logout responses related to Kantera / Liberty ID-FF processes. (Note the subtle difference with the ProcessLogout endpoint which handles logout requests.)

Used by a servlet named LogoutServlet. Associated with the FSSingleLogoutServlet class. It is designed to start single logout requests related to Kantera / Liberty ID-FF processes.

Used by a servlet named SingleSignOnService. Associated with the FSSSOAndFedService class. Configured for SSO on the IDP.

Used by a servlet named IntersiteTransferService. Associated with the FSIntersiteTransferService class. It is designed to send a AuthnRequest to an IDP.

Used by a servlet named AssertionConsumerService. Associated with the FSAssertionConsumerService class. For more information, see the chapter on Managing SAML 2.0 Federation in the Administration Guide.

Used by a servlet named SOAPReceiver. Associated with the FSSOAPReceiver class. SOAP endpoint that handles federation and specifies a URI to the SP.

Used by a servlet named FederationTerminationServlet. Associated with the FSTerminationInitiationServlet.java file, used to initiate termination of a federation connection. The IDP will send the termination request to the associated URL.

Used by a servlet named ProcessTermination. Associated with the FSTerminationRequestServlet class. The associated .java file is used when a request is received by a remote SP.

Used by a servlet named ReturnTermination. Associated with the FSTerminationReturnServlet class. The associated .java file is used to define a URL used by an IP to send termination responses.

Used by a servlet named InitiateRegistration. Associated with the FSRegistrationInitiationServlet class. The associated .java file is used to handle the registration request from a remote IDP.

Used by a servlet named ProcessRegistration. Associated with the FSRegistrationRequestServlet class. Processes registration requests from remote SPs.

Used by a servlet named ReturnRegistration. Associated with the FSRegistrationReturnServlet class. Defines a URL for IDPs to send registration responses.

Used by a servlet named WSSOAPReceiver. Associated with the SOAPReceiver class. Defines an endpoint that handles SOAP requests.

Used by a servlet named WSPRedirectHandler. Associated with the WSPRedirectHandlerServlet class. Used by the SP for user redirects.

Used by a servlet with a matching name (idffwriter, saml2writer). Associated with the CookieWriterServlet class. Used by the IDP to help the web container find app-specific info such as Java classes or Java Archives (JARs).

Used by a servlet with a matching name (idffreader, saml2reader). Associated with the CookieReaderServlet class. Used by the SP to help find the preferred IDP.

Used by a servlet named MultiProtocolRelayServlet. Associated with the MultiProtocolRelayServlet class. Used as a RelayState to continue to the next protocol; associated with a federation.

Used by a servlet named WSFederationServlet. Associated with the WSFederationServlet class. Used as a service endpoint for WS-Federation.

Used by am endpoint named realmSelection.jsp. Previously defined in the WS-Federation JSP Endpoints section.

Used by a servlet named saml2query. Associated with the QueryHandlerServlet class. The corresponding .java file receives and processes SAML2 queries.

Used by a servlet named federationrest. Associated with the ServletContainer class. Does not appear to be included in any current .java or .jsp file, so it may be a legacy endpoint.

Used by a servlet named XACMLContentAdapter. Associated with the XacmlContentHandlerService class. Provides the main endpoint for all XACML requests.

Used by a servlet named OAuth2Rest. Associated with the RestTokenDispatcher class. class. For more information, see the the chapter on Using RESTful Web Services.

Used by a servlet named OAuth2RegisterClient. For more information, see the the Administration Guide chapter on Managing OAuth 2.0 Authorization.

Used by a servlet named OAuth2RestletAdapter. Associated with the RestTokenDispatcher class. For more information, see the chapter on the chapter on Using RESTful Web Services.

Used by a servlet named ForgeRockRest. Associated with the HttpServlet class. For more information, see the chapter on Using RESTful Web Services. In addition, you can read more about associated REST endpoints in reference#json-rest-endpoints JSON REST Endpoints

Authorization: Supports the PassThroughAuthorizationFilter. No authorization logic is performed in the filter. Information is logged. The authorization logic is performed by the underlying identity services.

Authentication: Supports HTTP GET and POST methods. Can handle Integrated Windows Authentication.

Authorization: No filter.

Authorization: Supports the PassThroughAuthorizationFilter. No authorization logic is performed in the filter. Information is logged.

Authorization: Supports the PassThroughAuthorizationFilter. No authorization logic is performed in the filter. Information is logged. The authorization logic is performed by the underlying identity services.

Authorization: Supports the PassThroughAuthorizationFilter. No authorization logic is performed in the filter. Information is logged. One sub-endpoint, /json/serverinfo/cookieDomains, supports HTTP GET.

Authorization: Supports the SessionResourceAuthZFilter. Allows POST _action=logout for all users. Other functionality is limited to the administrative amadmin superuser.

Authorization: Supports the AdminAuthorizationFilter. Access limited to the amadmin superuser.

Authentication: Supports HTTP POST. Uses the _action query parameter with the following allowed values: register, confirm, forgotPassword, forgotPasswordReset.

Authorization: Supports the PassThroughAuthorizationFilter. No authorization logic is performed in the filter. Information is logged. The authorization logic is performed by the underlying identity services.

Exposes OpenID Provider configuration by HTTP GET as specified by OpenID Connect Discovery 1.0. No query string parameters are required.

Allows a client to retrieve the provider URL for an end user by HTTP GET as specified by OpenID Connect Discovery 1.0.

For an example, see Configuring OpenAM For OpenID Connect Discovery.