OpenAM Administration Guide
Chapter 6. Configuring Policy Agent Profiles

General properties

Group

For assigning the agent to a previously configured agent group in order to inherit selected properties from the group.

Password

Agent password used when creating the password file and when installing the agent.

Status

Status of the agent configuration.

WS-Trust Version

Specifies whether to use WS-Trust 1.3 or 1.0.

Universal Identifier

OpenAM identifier for the agent configuration.

Security properties

Security Mechanism

Specifies the mechanism used to secure the STS request.

STS Configuration

Specifies the STS Client agent profile to use if the security mechanism is STS Security.

Preserve Security Headers in Message

Yes means the agent preserves SOAP security headers for subsequent processing.

Credential for User Token

Specifies the user name and password credentials the agent uses to generate a Username security token.

Requested Key Type

Specifies the type of key, such as PublicKey, used to encrypt responses.

Requested Claims

Specifies the Uniform Resource Identitiers for the claims to be represented in the Security Token.

DNS Claim

Specifies a Uniform Resource Identitier shared by the agent and the WSC.

SAML Configuration properties

SAML Attribute Mapping

Maps SAML attribute names from the incoming request to attribute names as retrieved from the SSOToken or the identity repository, used to have the Security Token Service generate an appropriate SAML assertion.

SAML NameID Mapper Plugin

Specifies the class name of a plugin used to perform SAML account mapping.

SAML Attributes Namespace

Identifies the attribute name space used when generating SAML assertions.

Include Memberships

Yes means the agent includes the principal's membership as a SAML attribute.

Signing and Encryption properties

Is Response Signature Verified

Yes means verify signatures in responses.

Is Request Signed Enabled

Yes means the agent signs the specified parts of the request with its x509 certificate.

Signing Reference Type

Specifies how the x509 certificate used to sign requests is referenced in the request.

Is Request Encryption Enabled

Yes means do encrypt the specified parts of requests.

Is Response Decrypted

Yes means do decrypt the response.

Encryption Algorithm

Specifies whether to use Advanced Encryption Standard, corresponding to an Encryption Strength of 128, 192, or 256, or to use Triple DES with a key length of 0, 112, or 168.

Encryption Strength

Specifies the key length used for encryption.

Key Store properties

Public Key Alias of Web Service Provider

Specifies the alias of the certificate in the key store used to verify response signatures and encrypt requests.

Private Key Alias

Specifies the alias of the certificate in the key store used to sign requests and decrypt responses.

Key Store Usage

If you use your own, custom key store, specify how to access it here.

End Points properties

Security Token Service End Point

Specifies the URL to the Security Token Service end point.

Security Token Service MEX End Point

Specifies the URL to the Security Token Service message exchange end point.

Kerberos Configuration properties

Kerberos Domain Server

Specifies the fully qualified domain name of the Kerberos Distribution Center service.

Kerberos Domain

Specifies the Kerberos Distribution Center domain name. For Windows environments this is the domain controller domain name.

Kerberos Service Principal

Specifies the Kerberos principal used by OpenAM, using the form HTTP/openam-fqdn@krb-domain, where openam-fqdn is the fully qualified domain name for OpenAM, and krb-domain is the Kerberos Domain.

Kerberos Ticket Cache Directory

Specifies the directory in which Kerberos Ticket Granting Tickets (TGT) are cached. The kinit command stores the TGT from the KDC here.