Under Configuration > Global you can set defaults for a range of federation services, for password reset, for policy configuration, for session management, and for dynamic user attributes.
Common Federation Configuration
ssoadm service name:
sunFAMFederationCommon
- Datastore SPI implementation class
-
Used by the Federation system to access user profile attributes
ssoadm attribute:
DatastoreClass
- ConfigurationInstance SPI implementation class
-
Used by the Federation system to access service configuration
ssoadm attribute:
ConfigurationClass
- Logger SPI implementation class
-
Used by the Federation system to record log messages
ssoadm attribute:
LoggerClass
- SessionProvider SPI implementation class
-
Used by the Federation system to access the session service
ssoadm attribute:
SessionProviderClass
- Maximum allowed content length
-
Maximum number of bytes for Federation communications
ssoadm attribute:
MaxContentLength
- PasswordDecoder SPI implementation class
-
Used by the Federation system to decode passwords encoded by OpenAM
ssoadm attribute:
PasswordDecoderClass
- SignatureProvider SPI implementation class
-
Used by the Federation system to digitally sign SAML documents
ssoadm attribute:
SignatureProviderClass
- KeyProvider SPI implementation class
-
Used by the Federation system to access the Java key store
ssoadm attribute:
KeyProviderClass
- Check presence of certificates
-
If enabled, OpenAM checks that the partner's signing certificate presented in the XML matches the certificate from the partner's metadata
ssoadm attribute:
CheckCert
- XML canonicalization algorithm
-
Algorithm used to render the canonical versions of XML documents
ssoadm attribute:
CannonicalizationAlgorithm
- XML signature algorithm
-
Algorithm used to sign XML documents
ssoadm attribute:
SignatureAlgorithm
- XML transformation algorithm
-
Algorithm used for XML transformations
ssoadm attribute:
TransformationAlgorithm
- SAML Error Page URL
-
OpenAM redirects users here when an error occurs in the SAML2 engine. Users are redirected to absolute URLs, whereas relative URLs are displayed within the request.
ssoadm attribute:
SAMLErrorPageURL
- SAML Error Page HTTP Binding
-
Set this either to HTTP-Redirect or to HTTP-POST.
ssoadm attribute:
SAMLErrorPageHTTPBinding
- Monitoring Agent Provider Class
-
Used by the Federation system to access the monitoring system
ssoadm attribute:
MonAgentClass
- Monitoring Provider Class for SAML1
-
Used by the SAMLv1 engine to access the monitoring system
ssoadm attribute:
MonSAML1Class
- Monitoring Provider Class for SAML2
-
Used by the SAML2 engine to access the monitoring system
ssoadm attribute:
MonSAML2Class
- Monitoring Provider Class for ID-FF
-
Used by the ID-FF engine to access the monitoring system
ssoadm attribute:
MonIDFFClass
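The Check presence of certificates (CheckCert) setting above compares the certificate presented inside a signed SAML message with the certificate published in the partner's metadata. The following added example is not OpenAM code: it is a small model, written here, of what that comparison amounts to, using constructed placeholder certificates (base64 of arbitrary bytes rather than real DER) and constructed partner metadata. The point it shows is that an in-band ds:KeyInfo is only trusted when it matches an out-of-band signing key, so a message that carries its own key cannot vouch for itself. All function and constant names are assumptions chosen for the example.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Optional, Set

DS = "http://www.w3.org/2000/09/xmldsig#"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed placeholder certificates: base64 of arbitrary bytes, NOT real DER.
TRUSTED_SIGNING_CERT = base64.b64encode(b"constructed partner signing cert, not real DER").decode()
PARTNER_ENCRYPTION_CERT = base64.b64encode(b"constructed partner encryption cert, not real DER").decode()
UNEXPECTED_CERT = base64.b64encode(b"constructed cert absent from the partner metadata").decode()

# Constructed partner metadata: one signing key and one encryption key.
PARTNER_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {TRUSTED_SIGNING_CERT}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PARTNER_ENCRYPTION_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def signed_response(cert_b64: Optional[str]) -> str:
    """Build a constructed, minimal SAML Response whose ds:Signature presents the
    given certificate in its KeyInfo (SignatureValue is a placeholder; no real signing)."""
    key_info = ""
    if cert_b64 is not None:
        key_info = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
                    f"{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:ds="{DS}" ID="_constructed" Version="2.0">'
            "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>"
            f"{key_info}</ds:Signature></samlp:Response>")


def _der(b64_text: str) -> bytes:
    """Certificates in XML are usually line-wrapped; compare decoded bytes, not text."""
    return base64.b64decode("".join(b64_text.split()))


def signing_certs_from_metadata(metadata_xml: str) -> Set[bytes]:
    """Certificates the partner published for signing (use="signing", or no use
    attribute, which in SAML metadata means both signing and encryption)."""
    certs: Set[bytes] = set()
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.add(_der(cert.text or ""))
    return certs


def presented_signing_cert(message_xml: str) -> Optional[bytes]:
    """Certificate carried in-band inside the message's own ds:Signature, if any."""
    for sig in ET.fromstring(message_xml).iter(f"{{{DS}}}Signature"):
        for cert in sig.iter(f"{{{DS}}}X509Certificate"):
            return _der(cert.text or "")
    return None


def check_cert(message_xml: str, metadata_xml: str) -> bool:
    """The CheckCert-style rule: accept the in-band certificate only if it is one of
    the signing certificates from the out-of-band metadata. A message carrying an
    unknown key therefore cannot vouch for itself, whatever its signature says."""
    presented = presented_signing_cert(message_xml)
    return presented is not None and presented in signing_certs_from_metadata(metadata_xml)
```

This covers only the certificate-pinning half of signature validation: a real verifier must still check the XML signature over SignedInfo with the matched key. Note that the encryption certificate from the same metadata is rejected, since it was not published for signing.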
Dashboard Configuration
ssoadm service name:
dashboardService
- Dashboard Class Name
-
Identifies how to access the application, for example SAML2ApplicationClass for a SAML 2.0 application
ssoadm attribute:
dashboardClassName
- Dashboard Name
-
The application name as it will appear to the administrator for configuring the dashboard
ssoadm attribute:
dashboardName
- Dashboard Display Name
-
The application name that displays on the dashboard client
ssoadm attribute:
dashboardDisplayName
- Dashboard Icon
-
The icon name that will be displayed on the dashboard client identifying the application
ssoadm attribute:
dashboardIcon
- Dashboard Login
-
The URL that takes the user to the application
ssoadm attribute:
dashboardLogin
- Available Dashboard Apps
-
List of application dashboard names available by default for realms with the Dashboard configured
ssoadm attribute:
assignedDashboard
Email Service
ssoadm service name:
ForgeRockSendEmailService
- Email Message Implementation Class
-
Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.
Default:
org.forgerock.openam.services.email.MailServerImpl
ssoadm attribute:
forgerockMailServerImplClassName
- Mail Server Host Name
-
Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.
Default:
smtp.gmail.com
ssoadm attribute:
forgerockEmailServiceSMTPHostName
- Mail Server Host Port
-
Specifies the port number for the SMTP mail server.
Default: 465
ssoadm attribute:
forgerockEmailServiceSMTPHostPort
- Mail Server Authentication Username
-
Specifies the user name for the SMTP mail server.
Default:
forgerocksmtp
ssoadm attribute:
forgerockEmailServiceSMTPUserName
- Mail Server Authentication Password
-
Specifies the password for the SMTP user name.
ssoadm attribute:
forgerockEmailServiceSMTPUserPassword
- Mail Server Secure Connection
-
Specifies whether to connect to the SMTP mail server using SSL.
Default: use SSL (true)
ssoadm attribute:
forgerockEmailServiceSMTPSSLEnabled
- Email From Address
-
Specifies the address from which to send email notifications.
Default:
no-reply@openam.org
ssoadm attribute:
forgerockEmailServiceSMTPFromAddress
- Email Attribute Name
-
Specifies the profile attribute from which to retrieve the end user's email address.
Default:
mail
ssoadm attribute:
openamEmailAttribute
- Email Subject
-
Specifies a subject for notification messages. If you do not set this, OpenAM does not set the subject for notification messages.
ssoadm attribute:
forgerockEmailServiceSMTPSubject
- Email Content
-
Specifies content for notification messages. If you do not set this, OpenAM includes only the confirmation URL in the mail body.
ssoadm attribute:
forgerockEmailServiceSMTPMessage
Liberty ID-FF Service Configuration
ssoadm service name:
sunFAMIDFFConfiguration
- Federation Cookie Name
-
Cookie name for Liberty ID-FF
ssoadm attribute:
FedCookieName
- IDP Proxy Finder SPI implementation class
-
Used by the ID-FF engine to find the IDP proxy
ssoadm attribute:
IDPProxyFinderClass
- Request cache cleanup interval
-
Seconds between times OpenAM cleans up the request cache
ssoadm attribute:
RequestCacheCleanupInterval
- Request cache timeout
-
Seconds cached requests remain valid
ssoadm attribute:
RequestCacheTimeout
- IDP Login URL
-
Login URL for the ID-FF IDP
ssoadm attribute:
IDPLoginURL
- XML signing on
-
If yes, require XML signing.
ssoadm attribute:
XMLSigningOn
Liberty Interaction Service
ssoadm service name:
sunFAMLibertyInteractionService
- WSP to redirect user for interaction
-
ssoadm attribute:
WSPWillRedirect
- WSP to redirect user for interaction for data
-
ssoadm attribute:
WSPWillRedirectForData
- WSP's expected duration for interaction
-
ssoadm attribute:
WSPRedirectTime
- WSP to enforce that returnToURL must be SSL
-
ssoadm attribute:
WSPWillEnforceHttpsCheck
- WSP to enforce return to host be the same as request host
-
ssoadm attribute:
WSPWillEnforceReturnToHostEqualsRequestHost
- HTML style sheet location
-
ssoadm attribute:
HTMLStyleSheetLocation
- WML style sheet location
-
ssoadm attribute:
WMLStyleSheetLocation
- WSP interaction URL
-
ssoadm attribute:
WSPRedirectHandlerURL
- WSP interaction URL if behind load balancer
-
ssoadm attribute:
LBWSPRedirectHandler
- List of interaction URLs of WSP cluster (site) behind the load balancer
-
ssoadm attribute:
TrustedWspRedirectHandlers
- Interaction Configuration Class
-
ssoadm attribute:
InteractionConfigClass
- Options for WSC to participate in interaction
-
ssoadm attribute:
WSCSpecifiedInteractionChoice
- WSC to include userInteractionHeader
-
ssoadm attribute:
WSCWillIncludeUserInteractionHeader
- WSC to redirect user for interaction
-
ssoadm attribute:
WSCWillRedirect
- WSC's expected duration for interaction
-
ssoadm attribute:
WSCSpecifiedMaxInteractionTime
- WSC to enforce that redirection URL must be SSL
-
ssoadm attribute:
WSCWillEnforceHttpsCheck
Multi-Federation Protocol
ssoadm service name:
sunMultiFederationProtocol
- Single Logout Handler List
-
List of logout handlers used for each different federation protocol
ssoadm attribute:
SingleLogoutHandlerList
OAuth2 Provider Configuration
ssoadm service name:
OAuth2Provider
- Authorization Code Lifetime
-
Lifetime of OAuth 2.0 authorization code in seconds.
ssoadm attribute:
forgerock-oauth2-provider-authorization-code-lifetime
- Refresh Token Lifetime
-
Lifetime of OAuth 2.0 refresh token in seconds.
ssoadm attribute:
forgerock-oauth2-provider-refresh-token-lifetime
- Access Token Lifetime
-
Lifetime of OAuth 2.0 access token in seconds.
ssoadm attribute:
forgerock-oauth2-provider-access-token-lifetime
- Issue Refresh Tokens
-
Whether to issue a refresh token when returning an access token.
ssoadm attribute:
forgerock-oauth2-provider-issue-refresh-token
- Issue Refresh Tokens on Refreshing Access Tokens
-
Whether to issue a refresh token when refreshing an access token.
ssoadm attribute:
forgerock-oauth2-provider-issue-refresh-token-on-refreshing-token
- Scope Implementation Class
-
Name of class on OpenAM classpath implementing scopes.
ssoadm attribute:
forgerock-oauth2-provider-scope-implementation-class
- Response Type Plugins
-
List of plugins that handle the valid response_type values. OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization end point (/oauth2/authorize) to indicate which grant type is requested from the provider. For example, the client passes code when requesting an authorization code, and token when requesting an access token. Values in this list take the form response-type|plugin-class-name.
Defaults:
code|org.forgerock.restlet.ext.oauth2.flow.responseTypes.CodeResponseType
id_token|org.forgerock.restlet.ext.oauth2.flow.responseTypes
token|org.forgerock.restlet.ext.oauth2.flow.responseTypes.TokenResponseType
ssoadm attribute:
forgerock-oauth2-provider-response-type-map-class
- User Profile Attribute(s) the Resource Owner is Authenticated On
-
Names of profile attributes that resource owners use to log in. The default is uid, and you can add others such as mail.
ssoadm attribute:
forgerock-oauth2-provider-authentication-attributes
- Shared Consent Attribute Name
-
Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions. When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.
ssoadm attribute:
forgerock-oauth2-provider-saved-consent-attribute
- JSON Web Key URL
-
The URL where the OpenID Connect provider's JSON Web Key can be retrieved.
ssoadm attribute:
forgerock-oauth2-provider-jkws-uri
- ID Token Signing Algorithms supported
-
Algorithms supported to sign OpenID Connect id_tokens.
ssoadm attribute:
forgerock-oauth2-provider-id-token-signing-algorithms-supported
- Supported Claims
-
List of claims supported by the OpenID Connect /oauth2/userinfo endpoint.
ssoadm attribute:
forgerock-oauth2-provider-supported-claims
Password Reset
- Realm Attributes
-
See the Administration Guide chapter on Configuring Password Reset for details.
Policy Configuration
You can change global policy configuration, and the defaults per realm.
ssoadm service name:
iPlanetAMPolicyConfigService
- Resource Comparator
-
OpenAM uses resource comparators to match resources specified in policy rules. When setting comparators on the command line, separate fields with | characters.
ssoadm attribute:
iplanet-am-policy-config-resource-comparator
- Continue Evaluation on Deny Decision
-
If no, then OpenAM stops evaluating policy as soon as it reaches a deny decision.
ssoadm attribute:
iplanet-am-policy-config-continue-evaluation-on-deny-decision
- Advices Handleable by OpenAM
-
Lists advice names for which policy agents redirect users to OpenAM for further authentication and authorization
ssoadm attribute:
sun-am-policy-config-advices-handleable-by-am
- Realm Alias Referrals
-
If yes, then OpenAM allows creation of policies for HTTP and HTTPS resources whose FQDN matches the DNS alias for the realm even when no referral policy exists.
ssoadm attribute:
sun-am-policy-config-org-alias-mapped-resources-enabled
- Primary LDAP Server
-
Configuration directory server host:port that OpenAM searches for policy information
ssoadm attribute:
iplanet-am-policy-config-ldap-server
- LDAP Base DN
-
Base DN for policy searches
ssoadm attribute:
iplanet-am-policy-config-ldap-base-dn
- LDAP Users Base DN
-
Base DN for LDAP Users subject searches
ssoadm attribute:
iplanet-am-policy-config-ldap-users-base-dn
- OpenAM Roles Base DN
-
Base DN for OpenAM Roles searches
ssoadm attribute:
iplanet-am-policy-config-is-roles-base-dn
- LDAP Bind DN
-
Bind DN to connect to the directory server for policy information
ssoadm attribute:
iplanet-am-policy-config-ldap-bind-dn
- LDAP Bind Password
-
Bind password to connect to the directory server for policy information
ssoadm attribute:
iplanet-am-policy-config-ldap-bind-password
- LDAP Organization Search Filter
-
Search filter to match organization entries
ssoadm attribute:
iplanet-am-policy-config-ldap-organizations-search-filter
- LDAP Organization Search Scope
-
Search scope to find organization entries
ssoadm attribute:
iplanet-am-policy-config-ldap-organizations-search-scope
- LDAP Groups Search Filter
-
Search filter to match group entries
ssoadm attribute:
iplanet-am-policy-config-ldap-groups-search-filter
- LDAP Groups Search Scope
-
Search scope to find group entries
ssoadm attribute:
iplanet-am-policy-config-ldap-groups-search-scope
- LDAP Users Search Filter
-
Search filter to match user entries
ssoadm attribute:
iplanet-am-policy-config-ldap-users-search-filter
- LDAP Users Search Scope
-
Search scope to find user entries
ssoadm attribute:
iplanet-am-policy-config-ldap-users-search-scope
- LDAP Roles Search Filter
-
Search filter to match nsRole definition entries
ssoadm attribute:
iplanet-am-policy-config-ldap-roles-search-filter
- LDAP Roles Search Scope
-
Search scope to find nsRole definition entries
ssoadm attribute:
iplanet-am-policy-config-ldap-roles-search-scope
- OpenAM Roles Search Scope
-
Search scope to find OpenAM roles entries
ssoadm attribute:
iplanet-am-policy-config-is-roles-search-scope
- LDAP Organization Search Attribute
-
Naming attribute for organization entries
ssoadm attribute:
iplanet-am-policy-config-ldap-organizations-search-attribute
- LDAP Groups Search Attribute
-
Naming attribute for group entries
ssoadm attribute:
iplanet-am-policy-config-ldap-groups-search-attribute
- LDAP Users Search Attribute
-
Naming attribute for user entries
ssoadm attribute:
iplanet-am-policy-config-ldap-users-search-attribute
- LDAP Roles Search Attribute
-
Naming attribute for nsRole definition entries
ssoadm attribute:
iplanet-am-policy-config-ldap-roles-search-attribute
- Maximum Results Returned from Search
-
Search limit for LDAP searches
ssoadm attribute:
iplanet-am-policy-config-search-limit
- Search Timeout
-
Seconds after which OpenAM returns an error for an incomplete search
ssoadm attribute:
iplanet-am-policy-config-search-timeout
- LDAP SSL/TLS
-
If enabled, OpenAM connects securely to the directory server. This requires that you install the directory server certificate.
ssoadm attribute:
iplanet-am-policy-config-ldap-ssl-enabled
- LDAP Connection Pool Minimum Size
-
Minimum number of connections in the pool
ssoadm attribute:
iplanet-am-policy-config-connection_pool_min_size
- LDAP Connection Pool Maximum Size
-
Maximum number of connections in the pool
ssoadm attribute:
iplanet-am-policy-config-connection_pool_max_size
- Selected Policy Subjects
-
Lists subjects available for policy definition in realms
ssoadm attribute:
iplanet-am-policy-selected-subjects
- Selected Policy Conditions
-
Lists conditions available for policy definition in realms
ssoadm attribute:
iplanet-am-policy-selected-conditions
- Selected Policy Referrals
-
Lists referral types available for policy definition in realms
ssoadm attribute:
iplanet-am-policy-selected-referrals
- Subjects Result Time to Live
-
Maximum minutes OpenAM caches a subject result for evaluating policy requests. A value of 0 prevents OpenAM from caching subject evaluations for policy decisions.
Default: 10
ssoadm attribute:
iplanet-am-policy-config-subjects-result-ttl
- User Alias
-
If enabled, OpenAM can evaluate policy for remote users aliased to local users.
ssoadm attribute:
iplanet-am-policy-config-user-alias-enabled
- Selected Response Providers
-
Lists response providers available for policy definition
ssoadm attribute:
sun-am-policy-selected-responseproviders
- Selected Dynamic Response Attributes
-
Lists dynamic response attributes available for policy definition
ssoadm attribute:
sun-am-policy-dynamic-response-attributes
REST Security
ssoadm service name:
RestSecurity
The order of options that appear in the console may vary depending on whether you are running from a new installation or an upgrade of OpenAM.
- Self-Registration for Users
-
If enabled, new users can sign up using a REST API client.
Default: not enabled
ssoadm attribute:
forgerockRESTSecuritySelfRegistrationEnabled
- Self-Registration Token LifeTime (seconds)
-
Maximum lifetime for the token allowing user self-registration using the REST API.
Default: 900 (seconds)
ssoadm attribute:
forgerockRESTSecuritySelfRegTokenTTL
- Self-Registration Confirmation Email URL
-
This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.
Default: deployment-base-url/XUI/confirm.html, where deployment-base-url is something like https://openam.example.com:8443/openam
ssoadm attribute:
forgerockRESTSecuritySelfRegConfirmationUrl
- Forgot Password for Users
-
If enabled, users can assign themselves a new password using a REST API client.
Default: not enabled
ssoadm attribute:
forgerockRESTSecurityForgotPasswordEnabled
- Forgot Password Token LifeTime (seconds)
-
Maximum lifetime for the token allowing a user to process a forgotten password using the REST API.
Default: 900 (seconds)
ssoadm attribute:
forgerockRestSecurityForgotPassTokenTTL
- Forgot Password Confirmation Email URL
-
This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.
Default: deployment-base-url/XUI/confirm.html, where deployment-base-url is something like https://openam.example.com:8443/openam
ssoadm attribute:
forgerockRESTSecurityForgotPassConfirmationUrl
SAMLv2 Service Configuration
ssoadm service name:
sunFAMSAML2Configuration
- Cache cleanup interval
-
Seconds between cache cleanup operations
ssoadm attribute:
CacheCleanupInterval
- Attribute name for Name ID information
-
User entry attribute to store name identifier information
ssoadm attribute:
NameIDInfoAttribute
- Attribute name for NAME ID information key
-
User entry attribute to store the name identifier key
ssoadm attribute:
NameIDInfoKeyAttribute
- Cookie domain for IDP Discovery Service
-
Specifies the cookie domain for the IDP discovery service
ssoadm attribute:
IDPDiscoveryCookieDomain
- Cookie type for IDP Discovery Service
-
Indicates whether to use PERSISTENT or SESSION cookies
ssoadm attribute:
IDPDiscoveryCookieType
- URL scheme for IDP Discovery Service
-
Indicates whether to use HTTP or HTTPS
ssoadm attribute:
IDPDiscoveryURLScheme
- XML Encryption SPI implementation class
-
Used by the SAML2 engine to encrypt and decrypt documents
ssoadm attribute:
XMLEncryptionClass
- Include xenc:EncryptedKey Inside ds:KeyInfo Element
-
ssoadm attribute:
EncryptedKeyInKeyInfo
- XML Signing SPI implementation class
-
Used by the SAML2 engine to sign documents
ssoadm attribute:
XMLSigningClass
- XML Signing Certificate Validation
-
If enabled, then validate certificates used to sign documents.
ssoadm attribute:
SigningCertValidation
- CA Certificate Validation
-
If enabled, then validate CA certificates.
ssoadm attribute:
CACertValidation
- Enable SAMLv2 failover
-
If enabled, OpenAM can fail over requests to another instance.
ssoadm attribute:
failOverEnabled
- Buffer length to decompress request
-
The size is specified in bytes.
ssoadm attribute:
bufferLength
SAMLv2 SOAP Binding
ssoadm service name:
sunfmSAML2SOAPBindingService
- Request Handler List
-
List of handlers to deal with SAML2 requests bound to SOAP. The key for a request handler is the meta alias, whereas the class indicates the name of the class that implements the handler.
ssoadm attribute:
sunSAML2RequestHandlerList
Security Token Service
ssoadm service name:
sunFAMSTSService
- Issuer
-
Specifies the name of the security token service
ssoadm attribute:
stsIssuer
- End Point
-
Specifies the STS service endpoint
ssoadm attribute:
stsEndPoint
- Lifetime for Security Token
-
Milliseconds the security token remains valid
ssoadm attribute:
stsLifetime
- Certificate Alias Name
-
Specifies the alias for the signing certificate
ssoadm attribute:
stsCertAlias
- STS End User Token Plugin class
-
Specifies the class that converts end user tokens
ssoadm attribute:
com.sun.identity.wss.sts.clientusertoken
- Security Mechanism
-
Lists credentials used to secure the token, and credentials OpenAM accepts in the incoming request
ssoadm attribute:
SecurityMech
- Authentication Chain
-
Specifies the authentication chain OpenAM applies for incoming requests for authenticated security tokens
ssoadm attribute:
AuthenticationChain
- User Credential
-
User name and password shared secrets to validate UserName tokens in incoming requests
ssoadm attribute:
UserCredential
- Detect Message Replay
-
If yes, then OpenAM checks for and rejects replayed messages.
ssoadm attribute:
DetectMessageReplay
- Detect User Token Replay
-
If yes, then OpenAM checks for and rejects replayed user tokens.
ssoadm attribute:
DetectUserTokenReplay
- Is Request Signature Verified
-
If yes, then OpenAM verifies signatures on incoming requests.
ssoadm attribute:
isRequestSign
- Is Response Signed Enabled
-
If yes, then OpenAM signs the selected parts of the response.
ssoadm attribute:
isResponseSign
- Signing Reference Type
-
Specifies the reference type used to sign the response. One of DirectReference, KeyIdentifierRef, or X509IssuerSerialRef.
ssoadm attribute:
SigningRefType
- Is Request Decrypted
-
If yes, then OpenAM decrypts the selected parts of the request.
ssoadm attribute:
isRequestEncrypt
- Is Response Encrypted
-
If yes, then OpenAM encrypts responses.
ssoadm attribute:
isResponseEncrypt
- Encryption Algorithm
-
Specifies the algorithm used to encrypt responses
ssoadm attribute:
EncryptionAlgorithm
- Private Key Alias
-
Alias for the private key used to sign responses and decrypt requests
ssoadm attribute:
privateKeyAlias
- Private Key Type
-
Type of private key. One of publicKey, symmetricKey, or noProofKey.
ssoadm attribute:
privateKeyType
- Public Key Alias of Web Service Client
-
Alias for the certificate used to verify request signatures and encrypt responses
ssoadm attribute:
publicKeyAlias
- Kerberos Domain Server
-
Specifies the FQDN of the KDC
ssoadm attribute:
KerberosDomainServer
- Kerberos Domain
-
Specifies the domain name of the KDC
ssoadm attribute:
KerberosDomain
- Kerberos Service Principal
-
Specifies the Kerberos principal who owns the generated token. Use the format HTTP/host.domain@kdc-domain.
ssoadm attribute:
KerberosServicePrincipal
- Kerberos Key Tab File
-
Specifies the key tab file used to issue the token
ssoadm attribute:
KerberosKeyTabFile
- Is Verify Kerberos Signature
-
If yes, then OpenAM requires signed Kerberos tokens.
ssoadm attribute:
isVerifyKrbSignature
- SAML Attribute Mapping
-
Lists attribute mappings for generated assertions
This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.
ssoadm attribute:
SAMLAttributeMapping
- NameID Mapper
-
Specifies the NameID mapper for generated assertions
This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.
ssoadm attribute:
NameIDMapper
- Should Include Memberships
-
If yes, then OpenAM requires that generated assertions include user memberships.
This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.
ssoadm attribute:
includeMemberships
- Attribute Namespace
-
Specifies the namespace for generated assertions
This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.
ssoadm attribute:
AttributeNamespace
- Trusted Issuers
-
Lists issuers OpenAM can trust to send security tokens
ssoadm attribute:
trustedIssuers
- Trusted IP Addresses
-
Lists issuer IP addresses that OpenAM can trust to send security tokens
ssoadm attribute:
trustedIPAddresses
Session
ssoadm service name:
iPlanetAMSessionService
- Secondary Configuration Instance
-
When session failover is configured, you can set up additional configurations for connecting to the session repository here.
- Maximum Number of Search Results
-
Maximum number of results from a session search
ssoadm attribute:
iplanet-am-session-max-session-list-size
- Timeout for Search
-
Seconds after which OpenAM sees an incomplete search as having failed
ssoadm attribute:
iplanet-am-session-session-list-retrieval-timeout
- Enable Property Change Notifications
-
If on, then OpenAM notifies other applications participating in SSO when a session property in the Notification Properties list changes.
ssoadm attribute:
iplanet-am-session-property-change-notification
- Enable Quota Constraints
-
If on, then OpenAM allows you to set constraints on user sessions.
ssoadm attribute:
iplanet-am-session-enable-session-constraint
- Read Timeout for Quota Constraint
-
Milliseconds after which OpenAM considers a search for live session count as having failed if quota constraints are enabled
ssoadm attribute:
iplanet-am-session-constraint-max-wait-time
- Resulting behavior if session quota exhausted
-
You can either set the next expiring session to be destroyed, DESTROY_NEXT_EXPIRING, the oldest session to be destroyed, DESTROY_OLDEST_SESSION, all previous sessions to be destroyed, DESTROY_OLD_SESSIONS, or deny the new session creation request, DENY_ACCESS.
ssoadm attribute:
iplanet-am-session-constraint-resulting-behavior
- Deny user login when session repository is down
-
This attribute takes effect when quota constraints are enabled.
ssoadm attribute:
iplanet-am-session-deny-login-if-db-is-down
- Notification Properties
-
Lists session properties for which OpenAM can send notifications upon modification
ssoadm attribute:
iplanet-am-session-notification-property-list
- DN Restriction Only Enabled
-
If enabled, OpenAM does not perform DNS lookups when checking restrictions in cookie hijacking mode.
ssoadm attribute:
iplanet-am-session-dnrestrictiononly
- Enable Session Trimming
-
If yes, then OpenAM stores only a limited set of session properties after session timeout and before session purging.
ssoadm attribute:
iplanet-am-session-enable-session-trimming
- Session Timeout Handler implementations
-
Lists plugin classes implementing session timeout handlers
ssoadm attribute:
openam-session-timeout-handler-list
- Maximum Session Time
-
Maximum minutes a session can remain valid before OpenAM requires the user to authenticate again
ssoadm attribute:
iplanet-am-session-max-session-time
- Maximum Idle Time
-
Maximum minutes a session can remain idle before OpenAM requires the user to authenticate again
ssoadm attribute:
iplanet-am-session-max-idle-time
- Maximum Caching Time
-
Maximum minutes before OpenAM refreshes a session that has been cached
ssoadm attribute:
iplanet-am-session-max-caching-time
- Active User Sessions
-
Maximum number of concurrent sessions OpenAM allows a user to have
ssoadm attribute:
iplanet-am-session-quota-limit
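The quota settings above (Active User Sessions, Resulting behavior if session quota exhausted, Deny user login when session repository is down, together with Maximum Session Time and Maximum Idle Time) interact when a user who already holds the allowed number of sessions logs in again. The following added example is a model written here, not OpenAM's implementation: it works through the four resulting behaviors over three constructed sessions, so an administrator can see which session each setting sacrifices. The treatment of an unreachable session repository (fail closed when the deny-login flag is on, otherwise fail open) is a modelling assumption, and every name in the block is chosen for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple

MINUTE = 60


class QuotaBehavior(Enum):
    """Values of iplanet-am-session-constraint-resulting-behavior."""
    DESTROY_NEXT_EXPIRING = "DESTROY_NEXT_EXPIRING"
    DESTROY_OLDEST_SESSION = "DESTROY_OLDEST_SESSION"
    DESTROY_OLD_SESSIONS = "DESTROY_OLD_SESSIONS"
    DENY_ACCESS = "DENY_ACCESS"


@dataclass(frozen=True)
class Session:
    sid: str
    created: int          # epoch seconds
    last_access: int      # epoch seconds
    max_session_min: int  # iplanet-am-session-max-session-time (minutes)
    max_idle_min: int     # iplanet-am-session-max-idle-time (minutes)

    def expires_at(self) -> int:
        """A session ends at whichever comes first: its hard lifetime or its idle timeout."""
        return min(self.created + self.max_session_min * MINUTE,
                   self.last_access + self.max_idle_min * MINUTE)


@dataclass(frozen=True)
class QuotaConfig:
    quota_limit: int             # iplanet-am-session-quota-limit
    behavior: QuotaBehavior      # iplanet-am-session-constraint-resulting-behavior
    deny_login_if_db_down: bool  # iplanet-am-session-deny-login-if-db-is-down


def enforce_quota(cfg: QuotaConfig, active: List[Session],
                  repository_available: bool = True) -> Tuple[bool, List[str]]:
    """Decide the outcome of a new login for a user who already holds `active` sessions.
    Returns (new_session_allowed, ids_of_sessions_destroyed)."""
    if not repository_available:
        # Modelling assumption: the live-session count cannot be obtained, so the
        # deny-login flag chooses between failing closed and failing open.
        return (not cfg.deny_login_if_db_down), []
    if len(active) < cfg.quota_limit:
        return True, []                       # quota not yet reached
    behavior = cfg.behavior
    if behavior is QuotaBehavior.DENY_ACCESS:
        return False, []                      # keep existing sessions, refuse the new one
    if behavior is QuotaBehavior.DESTROY_OLD_SESSIONS:
        return True, [s.sid for s in active]  # new session replaces all previous ones
    if behavior is QuotaBehavior.DESTROY_NEXT_EXPIRING:
        victim = min(active, key=Session.expires_at)
    else:  # DESTROY_OLDEST_SESSION
        victim = min(active, key=lambda s: s.created)
    return True, [victim.sid]


# Constructed sample: three live sessions for one user, 120 min lifetime, 30 min idle.
SAMPLE_SESSIONS = [
    Session("s1", created=1000, last_access=1000, max_session_min=120, max_idle_min=30),
    Session("s2", created=2000, last_access=2500, max_session_min=120, max_idle_min=30),
    Session("s3", created=500, last_access=2700, max_session_min=120, max_idle_min=30),
]


def demo(quota_limit: int = 3) -> Dict[str, Tuple[bool, List[str]]]:
    """Outcome of a fourth login under each behavior, with the sample sessions."""
    return {b.value: enforce_quota(QuotaConfig(quota_limit, b, True), SAMPLE_SESSIONS)
            for b in QuotaBehavior}


if __name__ == "__main__":
    for name, (allowed, destroyed) in demo().items():
        print(f"{name:24s} allowed={allowed} destroyed={destroyed}")
```

With the sample data, s1 is the next to expire (its idle timeout at 2800 comes before any hard lifetime) while s3 is the oldest by creation time, so DESTROY_NEXT_EXPIRING and DESTROY_OLDEST_SESSION pick different victims; that distinction is the one to think about before choosing a behavior for shared workstations versus long-lived service logins.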
User
ssoadm service name:
iPlanetAMUserService
- User Preferred Timezone
-
Time zone for accessing OpenAM console
ssoadm attribute:
preferredtimezone
- Administrator DN Starting View
-
Specifies the DN for the initial screen when the OpenAM administrator successfully logs in to the OpenAM console
ssoadm attribute:
iplanet-am-user-admin-start-dn
- Default User Status
-
Inactive users cannot authenticate, though OpenAM stores their profiles. Default: Active
ssoadm attribute:
iplanet-am-user-login-status