Under Configuration > Global you can set defaults for a range of federation services, for password reset, for policy configuration, for session management, and for dynamic user attributes.

Common Federation Configuration
ssoadm service name: sunFAMFederationCommon

- Datastore SPI implementation class
  Used by the Federation system to access user profile attributes
  ssoadm attribute: DatastoreClass
- ConfigurationInstance SPI implementation class
  Used by the Federation system to access service configuration
  ssoadm attribute: ConfigurationClass
- Logger SPI implementation class
  Used by the Federation system to record log messages
  ssoadm attribute: LoggerClass
- SessionProvider SPI implementation class
  Used by the Federation system to access the session service
  ssoadm attribute: SessionProviderClass
- Maximum allowed content length
  Maximum number of bytes for Federation communications
  ssoadm attribute: MaxContentLength
- PasswordDecoder SPI implementation class
  Used by the Federation system to decode passwords encoded by OpenAM
  ssoadm attribute: PasswordDecoderClass
- SignatureProvider SPI implementation class
  Used by the Federation system to digitally sign SAML documents
  ssoadm attribute: SignatureProviderClass
- KeyProvider SPI implementation class
  Used by the Federation system to access the Java key store
  ssoadm attribute: KeyProviderClass
- Check presence of certificates
  If enabled, OpenAM checks that the partner's signing certificate presented in the XML matches the certificate from the partner's metadata
  ssoadm attribute: CheckCert
- XML canonicalization algorithm
  Algorithm used to render the canonical versions of XML documents
  ssoadm attribute: CannonicalizationAlgorithm
- XML signature algorithm
  Algorithm used to sign XML documents
  ssoadm attribute: SignatureAlgorithm
- XML transformation algorithm
  Algorithm used for XML transformations
  ssoadm attribute: TransformationAlgorithm
- SAML Error Page URL
  OpenAM redirects users here when an error occurs in the SAML2 engine. Users are redirected to absolute URLs, whereas relative URLs are displayed within the request.
  ssoadm attribute: SAMLErrorPageURL
- SAML Error Page HTTP Binding
  Set this either to HTTP-Redirect or to HTTP-POST.
  ssoadm attribute: SAMLErrorPageHTTPBinding
- Monitoring Agent Provider Class
  Used by the Federation system to access the monitoring system
  ssoadm attribute: MonAgentClass
- Monitoring Provider Class for SAML1
  Used by the SAMLv1 engine to access the monitoring system
  ssoadm attribute: MonSAML1Class
- Monitoring Provider Class for SAML2
  Used by the SAML2 engine to access the monitoring system
  ssoadm attribute: MonSAML2Class
- Monitoring Provider Class for ID-FF
  Used by the ID-FF engine to access the monitoring system
  ssoadm attribute: MonIDFFClass

Dashboard Configuration
ssoadm service name: dashboardService

- Dashboard Class Name
  Identifies how to access the application, for example SAML2ApplicationClass for a SAML 2.0 application
  ssoadm attribute: dashboardClassName
- Dashboard Name
  The application name as it will appear to the administrator for configuring the dashboard
  ssoadm attribute: dashboardName
- Dashboard Display Name
  The application name that displays on the dashboard client
  ssoadm attribute: dashboardDisplayName
- Dashboard Icon
  The icon name that will be displayed on the dashboard client identifying the application
  ssoadm attribute: dashboardIcon
- Dashboard Login
  The URL that takes the user to the application
  ssoadm attribute: dashboardLogin
- Available Dashboard Apps
  List of application dashboard names available by default for realms with the Dashboard configured
  ssoadm attribute: assignedDashboard

Email Service
ssoadm service name: ForgeRockSendEmailService

- Email Message Implementation Class
  Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.
  Default: org.forgerock.openam.services.email.MailServerImpl
  ssoadm attribute: forgerockMailServerImplClassName
- Mail Server Host Name
  Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.
  Default: smtp.gmail.com
  ssoadm attribute: forgerockEmailServiceSMTPHostName
- Mail Server Host Port
  Specifies the port number for the SMTP mail server.
  Default: 465
  ssoadm attribute: forgerockEmailServiceSMTPHostPort
- Mail Server Authentication Username
  Specifies the user name for the SMTP mail server.
  Default: forgerocksmtp
  ssoadm attribute: forgerockEmailServiceSMTPUserName
- Mail Server Authentication Password
  Specifies the password for the SMTP user name.
  ssoadm attribute: forgerockEmailServiceSMTPUserPassword
- Mail Server Secure Connection
  Specifies whether to connect to the SMTP mail server using SSL.
  Default: use SSL (true)
  ssoadm attribute: forgerockEmailServiceSMTPSSLEnabled
- Email From Address
  Specifies the address from which to send email notifications.
  Default: no-reply@openam.org
  ssoadm attribute: forgerockEmailServiceSMTPFromAddress
- Email Attribute Name
  Specifies the profile attribute from which to retrieve the end user's email address.
  Default: mail
  ssoadm attribute: openamEmailAttribute
- Email Subject
  Specifies a subject for notification messages. If you do not set this, OpenAM does not set the subject for notification messages.
  ssoadm attribute: forgerockEmailServiceSMTPSubject
- Email Content
  Specifies content for notification messages. If you do not set this, OpenAM includes only the confirmation URL in the mail body.
  ssoadm attribute: forgerockEmailServiceSMTPMessage

Liberty ID-FF Service Configuration
ssoadm service name: sunFAMIDFFConfiguration

- Federation Cookie Name
  Cookie name for Liberty ID-FF
  ssoadm attribute: FedCookieName
- IDP Proxy Finder SPI implementation class
  Used by the ID-FF engine to find the IDP proxy
  ssoadm attribute: IDPProxyFinderClass
- Request cache cleanup interval
  Seconds between times OpenAM cleans up the request cache
  ssoadm attribute: RequestCacheCleanupInterval
- Request cache timeout
  Seconds cached requests remain valid
  ssoadm attribute: RequestCacheTimeout
- IDP Login URL
  Login URL for the ID-FF IDP
  ssoadm attribute: IDPLoginURL
- XML signing on
  If yes, require XML signing.
  ssoadm attribute: XMLSigningOn

Liberty Interaction Service
ssoadm service name: sunFAMLibertyInteractionService

- WSP to redirect user for interaction
  ssoadm attribute: WSPWillRedirect
- WSP to redirect user for interaction for data
  ssoadm attribute: WSPWillRedirectForData
- WSP's expected duration for interaction
  ssoadm attribute: WSPRedirectTime
- WSP to enforce that returnToURL must be SSL
  ssoadm attribute: WSPWillEnforceHttpsCheck
- WSP to enforce return to host be the same as request host
  ssoadm attribute: WSPWillEnforceReturnToHostEqualsRequestHost
- HTML style sheet location
  ssoadm attribute: HTMLStyleSheetLocation
- WML style sheet location
  ssoadm attribute: WMLStyleSheetLocation
- WSP interaction URL
  ssoadm attribute: WSPRedirectHandlerURL
- WSP interaction URL if behind load balancer
  ssoadm attribute: LBWSPRedirectHandler
- List of interaction URLs of WSP cluster (site) behind the load balancer
  ssoadm attribute: TrustedWspRedirectHandlers
- Interaction Configuration Class
  ssoadm attribute: InteractionConfigClass
- Options for WSC to participate in interaction
  ssoadm attribute: WSCSpecifiedInteractionChoice
- WSC to include userInteractionHeader
  ssoadm attribute: WSCWillIncludeUserInteractionHeader
- WSC to redirect user for interaction
  ssoadm attribute: WSCWillRedirect
- WSC's expected duration for interaction
  ssoadm attribute: WSCSpecifiedMaxInteractionTime
- WSC to enforce that redirection URL must be SSL
  ssoadm attribute: WSCWillEnforceHttpsCheck

Multi-Federation Protocol
ssoadm service name: sunMultiFederationProtocol

- Single Logout Handler List
  List of logout handlers used for each different federation protocol
  ssoadm attribute: SingleLogoutHandlerList

OAuth2 Provider Configuration
ssoadm service name: OAuth2Provider

- Authorization Code Lifetime
  Lifetime of OAuth 2.0 authorization code in seconds.
  ssoadm attribute: forgerock-oauth2-provider-authorization-code-lifetime
- Refresh Token Lifetime
  Lifetime of OAuth 2.0 refresh token in seconds.
  ssoadm attribute: forgerock-oauth2-provider-refresh-token-lifetime
- Access Token Lifetime
  Lifetime of OAuth 2.0 access token in seconds.
  ssoadm attribute: forgerock-oauth2-provider-access-token-lifetime
- Issue Refresh Tokens
  Whether to issue a refresh token when returning an access token.
  ssoadm attribute: forgerock-oauth2-provider-issue-refresh-token
- Issue Refresh Tokens on Refreshing Access Tokens
  Whether to issue a refresh token when refreshing an access token.
  ssoadm attribute: forgerock-oauth2-provider-issue-refresh-token-on-refreshing-token
- Scope Implementation Class
  Name of class on OpenAM classpath implementing scopes.
  ssoadm attribute: forgerock-oauth2-provider-scope-implementation-class
- Response Type Plugins
  List of plugins that handle the valid response_type values. OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization end point (/oauth2/authorize) to indicate which grant type is requested from the provider. For example, the client passes code when requesting an authorization code, and token when requesting an access token. Values in this list take the form response-type|plugin-class-name.
  Defaults: code|org.forgerock.restlet.ext.oauth2.flow.responseTypes.CodeResponseType, id_token|org.forgerock.restlet.ext.oauth2.flow.responseTypes, token|org.forgerock.restlet.ext.oauth2.flow.responseTypes.TokenResponseType
  ssoadm attribute: forgerock-oauth2-provider-response-type-map-class
- User Profile Attribute(s) the Resource Owner is Authenticated On
  Names of profile attributes that resource owners use to log in. The default is uid, and you can add others such as mail.
  ssoadm attribute: forgerock-oauth2-provider-authentication-attributes
- Shared Consent Attribute Name
  Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions. When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.
  ssoadm attribute: forgerock-oauth2-provider-saved-consent-attribute
- JSON Web Key URL
  The URL where the OpenID Connect provider's JSON Web Key can be retrieved.
  ssoadm attribute: forgerock-oauth2-provider-jkws-uri
- ID Token Signing Algorithms supported
  Algorithms supported to sign OpenID Connect id_tokens.
  ssoadm attribute: forgerock-oauth2-provider-id-token-signing-algorithms-supported
- Supported Claims
  List of claims supported by the OpenID Connect /oauth2/userinfo endpoint.
  ssoadm attribute: forgerock-oauth2-provider-supported-claims
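The Response Type Plugins value above is a comma-separated list of response-type|plugin-class-name pairs, and the authorization end point has to map a client's response_type onto one of those plugins before it can run a flow. The following added example (not OpenAM code) validates such a list and performs that lookup; the entry format and the three response types come from the page, while the function names, the class-name check, the sample list and the hypothetical com.example plugin are this example's own assumptions.

```python
"""Validate an OpenAM "Response Type Plugins" list and resolve a client's
response_type against it. Added example, not OpenAM code: the entry format
"response-type|plugin-class-name" and the set of types (code, token,
id_token) come from the page; the function names, the class-name check and
the sample list are this example's own assumptions."""
import re
from typing import Dict, List, Tuple

# Response types named on the page, treated here as the allowed set (assumption).
KNOWN_RESPONSE_TYPES = {"code", "token", "id_token"}

# Java fully qualified class name: at least one package segment plus a class segment.
_FQCN = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")


def parse_entry(entry: str) -> Tuple[str, str]:
    """Split one "response-type|plugin-class-name" entry, rejecting malformed ones."""
    parts = entry.split("|")
    if len(parts) != 2:
        raise ValueError(f"expected exactly one '|' in {entry!r}")
    rtype, cls = (p.strip() for p in parts)
    if rtype not in KNOWN_RESPONSE_TYPES:
        raise ValueError(f"unknown response_type {rtype!r} in {entry!r}")
    if not _FQCN.match(cls):
        raise ValueError(f"{cls!r} is not a fully qualified class name in {entry!r}")
    return rtype, cls


def lint_response_type_map(value: str) -> List[str]:
    """Return one message per bad entry (an empty list means the value is clean)."""
    problems: List[str] = []
    seen = set()
    for raw in value.split(","):
        if not raw.strip():
            continue
        try:
            rtype, _ = parse_entry(raw)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        # Two plugins for one response_type would leave the provider unable
        # to pick a handler, so duplicates are reported as well.
        if rtype in seen:
            problems.append(f"response_type {rtype!r} listed twice")
        seen.add(rtype)
    return problems


def parse_response_type_map(value: str) -> Dict[str, str]:
    """Parse a clean list into {response_type: plugin class}; raise on any problem."""
    problems = lint_response_type_map(value)
    if problems:
        raise ValueError("; ".join(problems))
    return dict(parse_entry(raw) for raw in value.split(",") if raw.strip())


def resolve_plugin(mapping: Dict[str, str], requested: str) -> str:
    """Look up the plugin for a client's response_type, as the authorization
    end point must before running a flow. A value with no plugin is answered
    with the OAuth 2.0 error code unsupported_response_type (RFC 6749, 4.1.2.1)."""
    try:
        return mapping[requested.strip()]
    except KeyError:
        raise ValueError(f"unsupported_response_type: {requested!r}") from None


# Constructed sample list: the first two class names are the ones shown on the
# page, the third is a hypothetical plugin used only for illustration.
SAMPLE_LIST = (
    "code|org.forgerock.restlet.ext.oauth2.flow.responseTypes.CodeResponseType,"
    "token|org.forgerock.restlet.ext.oauth2.flow.responseTypes.TokenResponseType,"
    "id_token|com.example.hypothetical.IdTokenResponseType"
)

if __name__ == "__main__":
    plugins = parse_response_type_map(SAMPLE_LIST)
    print(resolve_plugin(plugins, "code"))
    print(lint_response_type_map("code|a.B,code|a.C,id_token"))
```

Running the linter over the value before applying it with ssoadm catches the two mistakes that are otherwise only discovered at authorization time: an entry without the `|` separator and a response type listed twice.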

Password Reset

- Realm Attributes
  See the Administration Guide chapter on Configuring Password Reset for details.

Policy Configuration
You can change global policy configuration, and the defaults per realm.
ssoadm service name: iPlanetAMPolicyConfigService

- Resource Comparator
  OpenAM uses resource comparators to match resources specified in policy rules. When setting comparators on the command line, separate fields with | characters.
  ssoadm attribute: iplanet-am-policy-config-resource-comparator
- Continue Evaluation on Deny Decision
  If no, then OpenAM stops evaluating policy as soon as it reaches a deny decision.
  ssoadm attribute: iplanet-am-policy-config-continue-evaluation-on-deny-decision
- Advices Handleable by OpenAM
  Lists advice names for which policy agents redirect users to OpenAM for further authentication and authorization
  ssoadm attribute: sun-am-policy-config-advices-handleable-by-am
- Realm Alias Referrals
  If yes, then OpenAM allows creation of policies for HTTP and HTTPS resources whose FQDN matches the DNS alias for the realm even when no referral policy exists.
  ssoadm attribute: sun-am-policy-config-org-alias-mapped-resources-enabled
- Primary LDAP Server
  Configuration directory server host:port that OpenAM searches for policy information
  ssoadm attribute: iplanet-am-policy-config-ldap-server
- LDAP Base DN
  Base DN for policy searches
  ssoadm attribute: iplanet-am-policy-config-ldap-base-dn
- LDAP Users Base DN
  Base DN for LDAP Users subject searches
  ssoadm attribute: iplanet-am-policy-config-ldap-users-base-dn
- OpenAM Roles Base DN
  Base DN for OpenAM Roles searches
  ssoadm attribute: iplanet-am-policy-config-is-roles-base-dn
- LDAP Bind DN
  Bind DN to connect to the directory server for policy information
  ssoadm attribute: iplanet-am-policy-config-ldap-bind-dn
- LDAP Bind Password
  Bind password to connect to the directory server for policy information
  ssoadm attribute: iplanet-am-policy-config-ldap-bind-password
- LDAP Organization Search Filter
  Search filter to match organization entries
  ssoadm attribute: iplanet-am-policy-config-ldap-organizations-search-filter
- LDAP Organization Search Scope
  Search scope to find organization entries
  ssoadm attribute: iplanet-am-policy-config-ldap-organizations-search-scope
- LDAP Groups Search Filter
  Search filter to match group entries
  ssoadm attribute: iplanet-am-policy-config-ldap-groups-search-filter
- LDAP Groups Search Scope
  Search scope to find group entries
  ssoadm attribute: iplanet-am-policy-config-ldap-groups-search-scope
- LDAP Users Search Filter
  Search filter to match user entries
  ssoadm attribute: iplanet-am-policy-config-ldap-users-search-filter
- LDAP Users Search Scope
  Search scope to find user entries
  ssoadm attribute: iplanet-am-policy-config-ldap-users-search-scope
- LDAP Roles Search Filter
  Search filter to match nsRole definition entries
  ssoadm attribute: iplanet-am-policy-config-ldap-roles-search-filter
- LDAP Roles Search Scope
  Search scope to find nsRole definition entries
  ssoadm attribute: iplanet-am-policy-config-ldap-roles-search-scope
- OpenAM Roles Search Scope
  Search scope to find OpenAM roles entries
  ssoadm attribute: iplanet-am-policy-config-is-roles-search-scope
- LDAP Organization Search Attribute
  Naming attribute for organization entries
  ssoadm attribute: iplanet-am-policy-config-ldap-organizations-search-attribute
- LDAP Groups Search Attribute
  Naming attribute for group entries
  ssoadm attribute: iplanet-am-policy-config-ldap-groups-search-attribute
- LDAP Users Search Attribute
  Naming attribute for user entries
  ssoadm attribute: iplanet-am-policy-config-ldap-users-search-attribute
- LDAP Roles Search Attribute
  Naming attribute for nsRole definition entries
  ssoadm attribute: iplanet-am-policy-config-ldap-roles-search-attribute
- Maximum Results Returned from Search
  Search limit for LDAP searches
  ssoadm attribute: iplanet-am-policy-config-search-limit
- Search Timeout
  Seconds after which OpenAM returns an error for an incomplete search
  ssoadm attribute: iplanet-am-policy-config-search-timeout
- LDAP SSL/TLS
  If enabled, OpenAM connects securely to the directory server. This requires that you install the directory server certificate.
  ssoadm attribute: iplanet-am-policy-config-ldap-ssl-enabled
- LDAP Connection Pool Minimum Size
  Minimum number of connections in the pool
  ssoadm attribute: iplanet-am-policy-config-connection_pool_min_size
- LDAP Connection Pool Maximum Size
  Maximum number of connections in the pool
  ssoadm attribute: iplanet-am-policy-config-connection_pool_max_size
- Selected Policy Subjects
  Lists subjects available for policy definition in realms
  ssoadm attribute: iplanet-am-policy-selected-subjects
- Selected Policy Conditions
  Lists conditions available for policy definition in realms
  ssoadm attribute: iplanet-am-policy-selected-conditions
- Selected Policy Referrals
  Lists referral types available for policy definition in realms
  ssoadm attribute: iplanet-am-policy-selected-referrals
- Subjects Result Time to Live
  Maximum minutes OpenAM caches a subject result for evaluating policy requests. A value of 0 prevents OpenAM from caching subject evaluations for policy decisions.
  Default: 10
  ssoadm attribute: iplanet-am-policy-config-subjects-result-ttl
- User Alias
  If enabled, OpenAM can evaluate policy for remote users aliased to local users.
  ssoadm attribute: iplanet-am-policy-config-user-alias-enabled
- Selected Response Providers
  Lists response providers available for policy definition
  ssoadm attribute: sun-am-policy-selected-responseproviders
- Selected Dynamic Response Attributes
  Lists dynamic response attributes available for policy definition
  ssoadm attribute: sun-am-policy-dynamic-response-attributes

REST Security
ssoadm service name: RestSecurity
The order of options that appear in the console may vary depending on whether you are running from a new installation or an upgrade of OpenAM.

- Self-Registration for Users
  If enabled, new users can sign up using a REST API client.
  Default: not enabled
  ssoadm attribute: forgerockRESTSecuritySelfRegistrationEnabled
- Self-Registration Token LifeTime (seconds)
  Maximum life time for the token allowing user self-registration using the REST API.
  Default: 900 (seconds)
  ssoadm attribute: forgerockRESTSecuritySelfRegTokenTTL
- Self-Registration Confirmation Email URL
  This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.
  Default: deployment-base-url/XUI/confirm.html, where deployment-base-url is something like https://openam.example.com:8443/openam
  ssoadm attribute: forgerockRESTSecuritySelfRegConfirmationUrl
- Forgot Password for Users
  If enabled, users can assign themselves a new password using a REST API client.
  Default: not enabled
  ssoadm attribute: forgerockRESTSecurityForgotPasswordEnabled
- Forgot Password Token LifeTime (seconds)
  Maximum life time for the token allowing user to process a forgotten password using the REST API.
  Default: 900 (seconds)
  ssoadm attribute: forgerockRestSecurityForgotPassTokenTTL
- Forgot Password Confirmation Email URL
  This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.
  Default: deployment-base-url/XUI/confirm.html, where deployment-base-url is something like https://openam.example.com:8443/openam
  ssoadm attribute: forgerockRESTSecurityForgotPassConfirmationUrl

SAMLv2 Service Configuration
ssoadm service name: sunFAMSAML2Configuration

- Cache cleanup interval
  Seconds between cache cleanup operations
  ssoadm attribute: CacheCleanupInterval
- Attribute name for Name ID information
  User entry attribute to store name identifier information
  ssoadm attribute: NameIDInfoAttribute
- Attribute name for NAME ID information key
  User entry attribute to store the name identifier key
  ssoadm attribute: NameIDInfoKeyAttribute
- Cookie domain for IDP Discovery Service
  Specifies the cookie domain for the IDP discovery service
  ssoadm attribute: IDPDiscoveryCookieDomain
- Cookie type for IDP Discovery Service
  Indicates whether to use PERSISTENT or SESSION cookies
  ssoadm attribute: IDPDiscoveryCookieType
- URL scheme for IDP Discovery Service
  Indicates whether to use HTTP or HTTPS
  ssoadm attribute: IDPDiscoveryURLScheme
- XML Encryption SPI implementation class
  Used by the SAML2 engine to encrypt and decrypt documents
  ssoadm attribute: XMLEncryptionClass
- Include xenc:EncryptedKey Inside ds:KeyInfo Element
  ssoadm attribute: EncryptedKeyInKeyInfo
- XML Signing SPI implementation class
  Used by the SAML2 engine to sign documents
  ssoadm attribute: XMLSigningClass
- XML Signing Certificate Validation
  If enabled, then validate certificates used to sign documents.
  ssoadm attribute: SigningCertValidation
- CA Certificate Validation
  If enabled, then validate CA certificates.
  ssoadm attribute: CACertValidation
- Enable SAMLv2 failover
  If enabled, OpenAM can fail over requests to another instance.
  ssoadm attribute: failOverEnabled
- Buffer length to decompress request
  The size is specified in bytes.
  ssoadm attribute: bufferLength

SAMLv2 SOAP Binding
ssoadm service name: sunfmSAML2SOAPBindingService

- Request Handler List
  List of handlers to deal with SAML2 requests bound to SOAP. The key for a request handler is the meta alias, whereas the class indicates the name of the class that implements the handler.
  ssoadm attribute: sunSAML2RequestHandlerList

Security Token Service
ssoadm service name: sunFAMSTSService

- Issuer
  Specifies the name of the security token service
  ssoadm attribute: stsIssuer
- End Point
  Specifies the STS service endpoint
  ssoadm attribute: stsEndPoint
- Lifetime for Security Token
  Milliseconds the security token remains valid
  ssoadm attribute: stsLifetime
- Certificate Alias Name
  Specifies the alias for the signing certificate
  ssoadm attribute: stsCertAlias
- STS End User Token Plugin class
  Specifies the class that converts end user tokens
  ssoadm attribute: com.sun.identity.wss.sts.clientusertoken
- Security Mechanism
  Lists credentials used to secure the token, and credentials OpenAM accepts in the incoming request
  ssoadm attribute: SecurityMech
- Authentication Chain
  Specifies the authentication chain OpenAM applies for incoming requests for authenticated security tokens
  ssoadm attribute: AuthenticationChain
- User Credential
  User name and password shared secrets to validate UserName tokens in incoming requests
  ssoadm attribute: UserCredential
- Detect Message Replay
  If yes, then OpenAM checks for and rejects replayed messages.
  ssoadm attribute: DetectMessageReplay
- Detect User Token Replay
  If yes, then OpenAM checks for and rejects replayed user tokens.
  ssoadm attribute: DetectUserTokenReplay
- Is Request Signature Verified
  If yes, then OpenAM verifies signatures on incoming requests.
  ssoadm attribute: isRequestSign
- Is Response Signed Enabled
  If yes, then OpenAM signs the selected parts of the response.
  ssoadm attribute: isResponseSign
- Signing Reference Type
  Specifies the reference type used to sign the response. One of DirectReference, KeyIdentifierRef, or X509IssuerSerialRef.
  ssoadm attribute: SigningRefType
- Is Request Decrypted
  If yes, then OpenAM decrypts the selected parts of the request.
  ssoadm attribute: isRequestEncrypt
- Is Response Encrypted
  If yes, then OpenAM encrypts responses.
  ssoadm attribute: isResponseEncrypt
- Encryption Algorithm
  Specifies the algorithm used to encrypt responses
  ssoadm attribute: EncryptionAlgorithm
- Private Key Alias
  Alias for the private key used to sign responses and decrypt requests
  ssoadm attribute: privateKeyAlias
- Private Key Type
  Type of private key. One of publicKey, symmetricKey, or noProofKey.
  ssoadm attribute: privateKeyType
- Public Key Alias of Web Service Client
  Alias for the certificate used to verify request signatures and encrypt responses
  ssoadm attribute: publicKeyAlias
- Kerberos Domain Server
  Specifies the FQDN of the KDC
  ssoadm attribute: KerberosDomainServer
- Kerberos Domain
  Specifies the domain name of the KDC
  ssoadm attribute: KerberosDomain
- Kerberos Service Principal
  Specifies the Kerberos principal who owns the generated token. Use the format HTTP/host.domain@kdc-domain.
  ssoadm attribute: KerberosServicePrincipal
- Kerberos Key Tab File
  Specifies the key tab file used to issue the token
  ssoadm attribute: KerberosKeyTabFile
- Is Verify Kerberos Signature
  If yes, then OpenAM requires signed Kerberos tokens.
  ssoadm attribute: isVerifyKrbSignature
- SAML Attribute Mapping
  Lists attribute mappings for generated assertions
  This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.
  ssoadm attribute: SAMLAttributeMapping
- NameID Mapper
  Specifies the NameID mapper for generated assertions
  This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.
  ssoadm attribute: NameIDMapper
- Should Include Memberships
  If yes, then OpenAM requires generated assertions to include user memberships.
  This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.
  ssoadm attribute: includeMemberships
- Attribute Namespace
  Specifies the namespace for generated assertions
  This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.
  ssoadm attribute: AttributeNamespace
- Trusted Issuers
  Lists issuers OpenAM can trust to send security tokens
  ssoadm attribute: trustedIssuers
- Trusted IP Addresses
  Lists issuer IP addresses that OpenAM can trust to send security tokens
  ssoadm attribute: trustedIPAddresses

Session
ssoadm service name: iPlanetAMSessionService

- Secondary Configuration Instance
  When session failover is configured, you can set up additional configurations for connecting to the session repository here.
- Maximum Number of Search Results
  Maximum number of results from a session search
  ssoadm attribute: iplanet-am-session-max-session-list-size
- Timeout for Search
  Seconds after which OpenAM sees an incomplete search as having failed
  ssoadm attribute: iplanet-am-session-session-list-retrieval-timeout
- Enable Property Change Notifications
  If on, then OpenAM notifies other applications participating in SSO when a session property in the Notification Properties list changes.
  ssoadm attribute: iplanet-am-session-property-change-notification
- Enable Quota Constraints
  If on, then OpenAM allows you to set constraints on user sessions.
  ssoadm attribute: iplanet-am-session-enable-session-constraint
- Read Timeout for Quota Constraint
  Milliseconds after which OpenAM considers a search for live session count as having failed if quota constraints are enabled
  ssoadm attribute: iplanet-am-session-constraint-max-wait-time
- Resulting behavior if session quota exhausted
  You can either set the next expiring session to be destroyed, DESTROY_NEXT_EXPIRING, the oldest session to be destroyed, DESTROY_OLDEST_SESSION, all previous sessions to be destroyed, DESTROY_OLD_SESSIONS, or deny the new session creation request, DENY_ACCESS.
  ssoadm attribute: iplanet-am-session-constraint-resulting-behavior
- Deny user login when session repository is down
  This attribute takes effect when quota constraints are enabled.
  ssoadm attribute: iplanet-am-session-deny-login-if-db-is-down
- Notification Properties
  Lists session properties for which OpenAM can send notifications upon modification
  ssoadm attribute: iplanet-am-session-notification-property-list
- DN Restriction Only Enabled
  If enabled, OpenAM does not perform DNS lookups when checking restrictions in cookie hijacking mode.
  ssoadm attribute: iplanet-am-session-dnrestrictiononly
- Enable Session Trimming
  If yes, then OpenAM stores only a limited set of session properties after session timeout and before session purging.
  ssoadm attribute: iplanet-am-session-enable-session-trimming
- Session Timeout Handler implementations
  Lists plugin classes implementing session timeout handlers
  ssoadm attribute: openam-session-timeout-handler-list
- Maximum Session Time
  Maximum minutes a session can remain valid before OpenAM requires the user to authenticate again
  ssoadm attribute: iplanet-am-session-max-session-time
- Maximum Idle Time
  Maximum minutes a session can remain idle before OpenAM requires the user to authenticate again
  ssoadm attribute: iplanet-am-session-max-idle-time
- Maximum Caching Time
  Maximum minutes before OpenAM refreshes a session that has been cached
  ssoadm attribute: iplanet-am-session-max-caching-time
- Active User Sessions
  Maximum number of concurrent sessions OpenAM allows a user to have
  ssoadm attribute: iplanet-am-session-quota-limit
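Several of the Session settings above interact: a session ends at whichever of Maximum Session Time and Maximum Idle Time is reached first, and only sessions still alive by that rule count against Active User Sessions, after which the "Resulting behavior if session quota exhausted" option decides what happens to a new login. The following added example (not OpenAM code) simulates exactly that decision over a constructed set of sessions; the Session data model, the function names, the 120/30 minute limits and the timestamps are this example's own assumptions, while the four behavior names are the ones listed on the page.

```python
"""Session lifetime and quota simulation for the settings above (Maximum Session
Time, Maximum Idle Time, Active User Sessions and the "Resulting behavior if
session quota exhausted" values). Added example with constructed sessions, not
OpenAM code; the data model, function names and sample values are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed limits, in minutes as the console settings are.
MAX_SESSION_MIN = 120   # Maximum Session Time
MAX_IDLE_MIN = 30       # Maximum Idle Time


@dataclass
class Session:
    sid: str
    created: int       # constructed timestamps, seconds since epoch
    last_active: int


def expires_at(s: Session, max_session_min: int = MAX_SESSION_MIN,
               max_idle_min: int = MAX_IDLE_MIN) -> int:
    """A session ends at the earlier of its hard lifetime and its idle deadline."""
    return min(s.created + max_session_min * 60,
               s.last_active + max_idle_min * 60)


def is_valid(s: Session, now: int, **limits) -> bool:
    """True while the session has reached neither deadline."""
    return now < expires_at(s, **limits)


def apply_quota(active: List[Session], quota: int, behavior: str,
                now: int, **limits) -> Tuple[bool, List[str]]:
    """Decide a new-session request for one user.

    Returns (allowed, sids_to_destroy). Only sessions still valid at `now`
    count toward the quota (Active User Sessions); `behavior` is one of the
    DENY_ACCESS, DESTROY_NEXT_EXPIRING, DESTROY_OLDEST_SESSION and
    DESTROY_OLD_SESSIONS options from the page.
    """
    live = [s for s in active if is_valid(s, now, **limits)]
    if len(live) < quota:
        return True, []
    if behavior == "DENY_ACCESS":
        return False, []
    if behavior == "DESTROY_NEXT_EXPIRING":
        victim = min(live, key=lambda s: expires_at(s, **limits))
        return True, [victim.sid]
    if behavior == "DESTROY_OLDEST_SESSION":
        victim = min(live, key=lambda s: s.created)
        return True, [victim.sid]
    if behavior == "DESTROY_OLD_SESSIONS":
        return True, [s.sid for s in live]
    raise ValueError(f"unknown quota behavior {behavior!r}")


# Constructed sample: three live sessions and one that already idled out.
NOW = 10_000
SAMPLE_SESSIONS = [
    Session("s1", created=4_000, last_active=9_000),   # ends 10_800 (idle)
    Session("s2", created=5_000, last_active=9_900),   # ends 11_700 (idle)
    Session("s3", created=8_000, last_active=8_500),   # ends 10_300 (idle)
    Session("s4", created=1_000, last_active=2_000),   # ended at 3_800
]


def demo(behavior: str, quota: int = 3) -> Tuple[bool, List[str]]:
    """Apply one behavior to the sample sessions at time NOW."""
    return apply_quota(SAMPLE_SESSIONS, quota, behavior, NOW)


if __name__ == "__main__":
    for b in ("DENY_ACCESS", "DESTROY_NEXT_EXPIRING",
              "DESTROY_OLDEST_SESSION", "DESTROY_OLD_SESSIONS"):
        print(b, demo(b))
```

Note that with the sample data the "next expiring" and "oldest" victims differ (s3 idles out first, but s1 was created first), which is the practical difference between those two behaviors; the expired s4 never counts, so a quota of 4 admits the new session without destroying anything.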

User
ssoadm service name: iPlanetAMUserService

- User Preferred Timezone
  Time zone for accessing OpenAM console
  ssoadm attribute: preferredtimezone
- Administrator DN Starting View
  Specifies the DN for the initial screen when the OpenAM administrator successfully logs in to the OpenAM console
  ssoadm attribute: iplanet-am-user-admin-start-dn
- Default User Status
  Inactive users cannot authenticate, though OpenAM stores their profiles.
  Default: Active
  ssoadm attribute: iplanet-am-user-login-status