WebAgents
Realm Operations
Agents handler that is responsible for managing agents
Resource path:
/realm-config/agents/WebAgent
Resource version: 2.0
create
Usage
am> create WebAgents --realm Realm --id id --body body
Parameters
- --id: The unique identifier for the resource.
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "applicationWebAgentConfig" : { "type" : "object", "title" : "Application", "propertyOrder" : 1, "properties" : { "invertNotEnforcedUrls" : { "title" : "Invert Not Enforced URLs", "description" : "Only not enforced list of urls will be enforced. (property name: com.sun.identity.agents.config.notenforced.url.invert)", "propertyOrder" : 27800, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "notEnforcedUrlsRegex" : { "title" : "Regular Expressions for Not-Enforced URLs", "description" : "When true, enables use of Perl-compatible regular expressions in Not-enforced URL settings. (property: com.forgerock.agents.notenforced.url.regex.enable)", "propertyOrder" : 27850, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "ignorePathInfoForNotEnforcedUrls" : { "title" : "Ignore Path Info for Not Enforced URLs", "description" : "Indicate whether the path info and query should be stripped from the request URL before being compared with the URLs of the not enforced list when those URLs have a wildcard '*' character. (property name: com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list) ", "propertyOrder" : 27600, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "notEnforcedIps" : { "title" : "Not Enforced Client IP List", "description" : "No authentication and authorization are required for the requests coming from these client IP addresses. 
(property name: com.sun.identity.agents.config.notenforced.ip) <br> Examples: <br> 192.18.145.* <br> 192.18.146.123", "propertyOrder" : 28000, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "profileAttributeMap" : { "title" : "Profile Attribute Map", "description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.", "propertyOrder" : 28300, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "object", "required" : false } } }, "continuousSecurityHeaders" : { "title" : "Continuous Security Header Map", "description" : "The name of the headers in the user's original request, that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent. 
<br>Property: org.forgerock.agents.continuous.security.headers.map <br>Valid for Agent 5.0 onwards", "propertyOrder" : 29000, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "object", "required" : false } } }, "responseAttributeFetchMode" : { "title" : "Response Attribute Fetch Mode", "description" : "(property name: com.sun.identity.agents.config.response.attribute.fetch.mode)", "propertyOrder" : 28400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "notEnforcedIpsRegex" : { "title" : "Regular Expressions for Not-Enforced IPs", "description" : "Enable use of Perl-compatible regular expressions in Not-Enforced URL from IP settings. (property: org.forgerock.agents.config.notenforced.ext.regex.enable)", "propertyOrder" : 28150, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "continuousSecurityCookies" : { "title" : "Continuous Security Cookie Map", "description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent. 
<br>Property: org.forgerock.agents.continuous.security.cookies.map <br>Valid for Agent 5.0 onwards", "propertyOrder" : 28900, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "object", "required" : false } } }, "responseAttributeMap" : { "title" : "Response Attribute Map", "description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.", "propertyOrder" : 28500, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "object", "required" : false } } }, "sessionAttributeFetchMode" : { "title" : "Session Attribute Fetch Mode", "description" : "(property name: com.sun.identity.agents.config.session.attribute.fetch.mode)", "propertyOrder" : 28600, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "sessionAttributeMap" : { "title" : "Session Attribute Map", "description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. 
(property name: com.sun.identity.agents.config.session.attribute.mapping) <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.", "propertyOrder" : 28700, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "object", "required" : false } } }, "notEnforcedUrls" : { "title" : "Not Enforced URLs", "description" : "List of URLs for which no authentication is required. (property name: com.sun.identity.agents.config.notenforced.url) <br> Example: <br> http://myagent.mydomain.com/*.gif", "propertyOrder" : 27700, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "profileAttributeFetchMode" : { "title" : "Profile Attribute Fetch Mode", "description" : "(property name: com.sun.identity.agents.config.profile.attribute.fetch.mode)", "propertyOrder" : 28200, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "fetchAttributesForNotEnforcedUrls" : { "title" : "Fetch Attributes for Not Enforced URLs", "description" : "The agent fetches profile attributes for not-enforced URLs by doing policy evaluation. (property name: com.sun.identity.agents.config.notenforced.url.attributes.enable)", "propertyOrder" : 27900, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "attributeMultiValueSeparator" : { "title" : "Attribute Multi Value Separator", "description" : "Specifies separator for multiple values. 
Applies to all types of attributes i.e. profile, session and response attributes. (property name: com.sun.identity.agents.config.attribute.multi.value.separator)", "propertyOrder" : 28800, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "notEnforcedIpsList" : { "title" : "Not-Enforced URL from IP Processing List", "description" : "Specifies a list of client IP addresses that do not require authentication when requesting the indicated URLs. <br>The supported format requires a list of IP addresses separated by spaces, the horizontal bar (|) character, and a list of URLs separated by spaces. <br>For example: <br> 10.1.2.1 192.168.0.2|/public/* <br>In the preceding example, the IP addresses 10.1.2.1 and 192.168.0.2 can access any resource inside /public without authenticating. (property: org.forgerock.agents.config.notenforced.ipurl)", "propertyOrder" : 28050, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "clientIpValidation" : { "title" : "Client IP Validation", "description" : "This validates if the subsequent browser requests come from the same ip address that the SSO token is initially issued against. (property name: com.sun.identity.agents.config.client.ip.validation.enable)", "propertyOrder" : 28100, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } } } }, "amServicesWebAgent" : { "type" : "object", "title" : "AM Services", "propertyOrder" : 3, "properties" : { "applicationLogoutUrls" : { "title" : "Logout URL List", "description" : "List of application logout URLs. User gets logged out from AM session when these urls accessed. 
(property name: com.sun.identity.agents.config.agent.logout.url). If this property is used, user should specify a value for the below Logout Redirect URL property. <br> Example: <br> http://myagent.mydomain.com/logout.html", "propertyOrder" : 30300, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "regexConditionalLoginPattern" : { "title" : "Regular Expression Conditional Login Pattern", "description" : "Conditionally redirect users based on the incoming request URL. If the incoming request URL matches a regular expression, the web agent redirects the request to a specific URL. That specific URL can be an AM instance, site, or a different website. Specifies the regular expression that the domain name must match. This property needs to configure \"Regular Expression Conditional Login URL\" <br>Example: <br> org.forgerock.agents.config.conditional.login.pattern[0] = .*shop <br> org.forgerock.agents.config.conditional.login.url[0] = http://am.example.com/am/oauth2/authorize?realm=sales <br><br>Property: org.forgerock.agents.config.conditional.login.pattern", "propertyOrder" : 30050, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "fetchPoliciesFromRootResource" : { "title" : "Fetch Policies from Root Resource", "description" : "Agent caches policy decision of the resource and all resources from the root of the resource down. 
(property name: com.sun.identity.agents.config.fetch.from.root.resource) <br>Requires Agent Restart", "propertyOrder" : 31000, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "policyClockSkew" : { "title" : "Policy Clock Skew", "description" : "Time in seconds used to adjust for the time difference between the Agent machine and AM. Clock skew in seconds = AgentTime - AMServerTime. (property name: com.sun.identity.agents.config.policy.clock.skew) <br>Requires Agent Restart", "propertyOrder" : 31200, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "policyEvaluationRealm" : { "title" : "Policy Evaluation Realm", "description" : "Which realm to start evaluating from. (property name: org.forgerock.openam.agents.config.policy.evaluation.realm)", "propertyOrder" : 31300, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "amLogoutUrl" : { "title" : "AM Logout URL", "description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br> Example: <br> http://host:port/am/UI/Logout", "propertyOrder" : 30200, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "ssoCachePollingInterval" : { "title" : "SSO Cache Polling Period", "description" : "Polling interval in minutes to refresh agent's sso cache. 
(property name: com.sun.identity.agents.config.sso.cache.polling.interval) <br>Requires Agent Restart", "propertyOrder" : 30700, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "regexConditionalLoginUrl" : { "title" : "Regular Expression Conditional Login URL", "description" : "Conditionally redirect users based on the incoming request URL. If the incoming request URL matches a regular expression, the web agent redirects the request to a specific URL. That specific URL can be an AM instance, site, or a different website. Specifies the redirection URL and its parameters. This property needs to configure \"Regular Expression Conditional Login Pattern\" <br>Example: <br> org.forgerock.agents.config.conditional.login.pattern[0] = .*shop <br> org.forgerock.agents.config.conditional.login.url[0] = http://am.example.com/am/oauth2/authorize?realm=sales <br><br>Property: org.forgerock.agents.config.conditional.login.url", "propertyOrder" : 30100, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "customLoginMode" : { "title" : "Custom Login Mode", "description" : "Specifies whether the agent should use the default or the custom login mode when redirecting unauthenticated users.<br>Possible values are: <br>0. Disabled. Default login redirection mode enabled <br> 1. Custom login mode enabled based on converts the SSO token into an ID token <br> 2. Legacy Custom login mode. 
Can be used in specific migration cases from agent 4 <br>(property: org.forgerock.openam.agents.config.allow.custom.login)", "propertyOrder" : 29890, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "policyCachePollingInterval" : { "title" : "Policy Cache Polling Period", "description" : "Polling interval in minutes to refresh agent's policy cache. (property name: com.sun.identity.agents.config.policy.cache.polling.interval) <br>Requires Agent Restart", "propertyOrder" : 30600, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "logoutRedirectDisabled" : { "title" : "Disabled Logout Redirection", "description" : "When disabled, instead of redirecting the user-agent, the web agent performs session logout in the background and then continues processing access to the current URL. (property: com.forgerock.agents.config.logout.redirect.disable)", "propertyOrder" : 30510, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "enableLogoutRegex" : { "title" : "Enable Regex for Logout URL List", "description" : "This property allows regular expressions in \"Logout URL List\" (property: org.forgerock.agents.config.logout.regex.enable)", "propertyOrder" : 30530, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "retrieveClientHostname" : { "title" : "Retrieve Client Hostname", "description" : "Gets the client's hostname through DNS reverse lookup for use in policy evaluation. 
(property name: com.sun.identity.agents.config.get.client.host.name)", "propertyOrder" : 31100, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "logoutUrlRegex" : { "title" : "Logout URL Regular Expression", "description" : "Perl-compatible regular expression that matches logout URLs. For example, to match URLs with protectedA or protectedB in the path and op=logout in the query string, use the following setting: <br>*(/protectedA\\?|/protectedB\\?/).*(\\&op=logout\\&)(.*|$) <br>When you use this property, the agent ignores the settings for Logout URL List. (property: com.forgerock.agents.agent.logout.url.regex)", "propertyOrder" : 30540, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "conditionalLoginUrl" : { "title" : "AM Conditional Login URL", "description" : "Conditionally redirect users based on the incoming request URL. If the incoming request URL matches a specified domain name, the web agent redirects the request to a specific URL. That specific URL can be an AM instance, site, or a different website. 
<br>Example: <br> example.com|https://am.example.com/am/oauth2/authorize <br> myapp.domain.com|https://am2.example.com/am/oauth2/authorize?realm=sales <br><br>Property: com.forgerock.agents.conditional.login.url", "propertyOrder" : 30000, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "invalidateLogoutSession" : { "title" : "Invalidate Logout Session", "description" : "Specifies whether the agent must invalidate the user session in AM when redirecting to the logout URL specified either by the Logout URL list (com.sun.identity.agents.config.agent.logout.url) or the AM logout URL (com.sun.identity.agents.config.logout.url) properties. (property: org.forgerock.agents.config.logout.session.invalidate)", "propertyOrder" : 30520, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "userIdParameter" : { "title" : "User ID Parameter", "description" : "Agent sets value of User Id to REMOTE_USER server variable. (property name: com.sun.identity.agents.config.userid.param)", "propertyOrder" : 30800, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "logoutResetCookies" : { "title" : "Logout Cookies List for Reset", "description" : "Any cookies to be reset upon logout in the same format as cookie reset list. 
(property name: com.sun.identity.agents.config.logout.cookie.reset) <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com", "propertyOrder" : 30400, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "amLoginUrl" : { "title" : "AM Login URL", "description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br> Example: <br> http://host:port/am/UI/Login", "propertyOrder" : 29900, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "policyEvaluationApplication" : { "title" : "Policy Set", "description" : "Which application contains the policies to evaluate with. (property name: org.forgerock.openam.agents.config.policy.evaluation.application)", "propertyOrder" : 31400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "logoutRedirectUrl" : { "title" : "Logout Redirect URL", "description" : "The user is redirected to this URL after logout. (property name: com.sun.identity.agents.config.logout.redirect.url). This property should be specified along with the above Logout URL List.", "propertyOrder" : 30500, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "userIdParameterType" : { "title" : "User ID Parameter Type", "description" : "User ID can be fetched from either SESSION or LDAP attributes. 
(property name: com.sun.identity.agents.config.userid.param.type)", "propertyOrder" : 30900, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "publicAmUrl" : { "title" : "Public AM URL", "description" : "Overrides the agent's behavior of finding a suitable AM server and specifies the public URL of the AM to redirect to. <br> Use this property if: <br> - Your environment uses custom login pages (OIDC-compliant and non-OIDC-compliant flows). <br> - Your environment's custom login pages are in a network that can only access AM using a proxy, a firewall, or any other technology that remaps the AM URL to one accessible by the custom login pages. <br> - End-users cannot log in due to their cookies being set in the wrong domains. <br>(property: com.forgerock.agents.public.am.url) ", "propertyOrder" : 29950, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } } } }, "advancedWebAgentConfig" : { "type" : "object", "title" : "Advanced", "propertyOrder" : 5, "properties" : { "customProperties" : { "title" : "Custom Properties", "description" : "Additional properties that allow users to augment the set of properties supported by the agent. 
(property name: com.sun.identity.agents.config.freeformproperties) <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2", "propertyOrder" : 35100, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "clientHostnameHeader" : { "title" : "Client Hostname Header", "description" : "HTTP header name that holds the Hostname of the client. <br>Property: org.forgerock.agents.http.header.containing.remote.hostname <br>Valid for Agent 5.0 onwards", "propertyOrder" : 32900, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "pdpStickySessionValue" : { "title" : "POST Data Sticky Load Balancing Value", "description" : "Specifies a key-value pair separated by the = character that the web agent creates when evaluating the \"POST Data Sticky Load Balancing Mode\". For example, a setting of lb=myserver either sets an lb cookie with myserver value, or adds lb=myserver to the URL query string. When configuring POST data preservation with cookies, set the cookie name in the cookie pair to the same value configured in the \"POST Data Sticky Load Balancing Cookie Name\". (property: com.sun.identity.agents.config.postdata.preserve.stickysession.value)", "propertyOrder" : 33710, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "clientIpHeader" : { "title" : "Client IP Address Header", "description" : "HTTP header name that holds the IP address of the client. 
<br>Property: org.forgerock.agents.http.header.containing.ip.address <br>Valid for Agent 5.0 onwards", "propertyOrder" : 32800, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "retainSessionCache" : { "title" : "Retain Session Cache After Configuration Change", "description" : "Use this property to manage how the session cache is used after a change to the agent configuration: <br> False: Purge the session cache, and re-read the user session data. <br> True: Do not purge the session cache, and do not re-read the user session data. <br><br>Use this value to prevent the agent from flooding AM instances with requests, when the agent configuration changes regularly, and the changes do not affect the agent authorisation decisions. <br><br>Property: com.forgerock.agents.session.cache.eventually.consistent <br>Introduced in Web Agent 5.9.0", "propertyOrder" : 34700, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "postDataPreservation" : { "title" : "POST Data Preservation", "description" : "Enables POST data preservation. (property name: com.sun.identity.agents.config.postdata.preserve.enable) <br> Note that this feature is not supported in all the web agents. Please refer individual agents documentation for more details.", "propertyOrder" : 33500, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "overrideRequestHost" : { "title" : "Override Request URL Host", "description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the host with the value from the property com.sun.identity.agents.config.agenturi.prefix. 
(property name: com.sun.identity.agents.config.override.host)", "propertyOrder" : 33200, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "pdpStickySessionCookieName" : { "title" : "POST Data Sticky Load Balancing Cookie Name", "description" : "Specifies the name of a cookie to use for enabling sticky load balancing when the \"POST Data Sticky Load Balancing Mode\" property is set to COOKIE. Set the cookie name to the same value configured in the \"POST Data Sticky Load Balancing Value\" property. (property: com.sun.identity.agents.config.postdata.preserve.lbcookie)", "propertyOrder" : 33720, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "pdpJavascriptRepost" : { "title" : "Submit POST Data using JavaScript", "description" : "When set to true, preserved POST data will be resubmitted to the destination server after authentication by using JavaScript. (property: org.forgerock.agents.pdp.javascript.repost)", "propertyOrder" : 33730, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "apacheAuthDirectives" : { "title" : "Use Built-in Apache HTTPD Authentication Directives", "description" : "A regular expression pattern to specify which not-enforced URLs can use built-in Apache authentication directives, such as AuthName, FilesMatch, and Require, for basic authentication. <br>Requests with not-enforced URLs that match the expression can use built-in Apache authentication directives. 
<br><br>Property: com.forgerock.agents.no.remoteuser.module.compatibility <br>Introduced in Web Agent 5.9.0", "propertyOrder" : 34600, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "postDataCachePeriod" : { "title" : "POST Data Entries Cache Period", "description" : "POST cache entry lifetime in minutes. (property name: com.sun.identity.agents.config.postcache.entry.lifetime)", "propertyOrder" : 33600, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "overrideRequestPort" : { "title" : "Override Request URL Port", "description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the port with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.port)", "propertyOrder" : 33300, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "replayPasswordKey" : { "title" : "Replay Password Key", "description" : "DES key for decrypting the basic authentication password in the session. <br>The value of this property is inherited from the secret mapped to the <code>am.authentication.replaypassword.key</code> secret label.<br>If you set a value in this field, it is ignored.", "propertyOrder" : 33900, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "hostnameToIpAddress" : { "title" : "Hostname to IP Address Map", "description" : "Map of a hostname to an IP address. The mapped hostname is automatically resolved to the IP address. 
<br>Format: Hostname|IP <br>Example: am.example.com|10.199.0.2 <br><br>Property: com.forgerock.agents.config.hostmap <br>Valid for Agent 5.0 onwards", "propertyOrder" : 32950, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "showPasswordInHeader" : { "title" : "Show Password in HTTP Header", "description" : "Set to true if encrypted password should be set in HTTP header AUTH_PASSWORD. (property name: com.sun.identity.agents.config.iis.password.header)", "propertyOrder" : 34400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "fragmentRedirectEnabled" : { "title" : "Fragment Redirect Enabled", "description" : "Enable to save the browser's URL fragment during authentication. <br>(property: org.forgerock.agents.config.fragment.redirect.enable) (Agent 5.7+ only)", "propertyOrder" : 33400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "logonAndImpersonation" : { "title" : "Logon and Impersonation", "description" : "Set to true if agent should do Windows Logon and User Impersonation. (property name: com.sun.identity.agents.config.iis.logonuser)", "propertyOrder" : 34500, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "pdpStickySessionMode" : { "title" : "POST Data Sticky Load Balancing Mode", "description" : "Specifies whether to create a cookie, or to append a query string to the URL to assist with sticky load balancing. Possible values are: <br>COOKIE. 
The web agent creates a cookie with the value specified in the com.sun.identity.agents.config.postdata.preserve.stickysession.value property. <br>URL. The web agent appends the value specified in the com.sun.identity.agents.config.postdata.preserve.stickysession.value to the URL query string. <br> (property: com.sun.identity.agents.config.postdata.preserve.stickysession.mode)", "propertyOrder" : 33700, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "pdpSkipPostUrl" : { "title" : "URLs Ignored by the Agent POST Data Inspector", "description" : "Specifies a list of URLs that will not be processed by the web agent POST data inspector. This allows other modules on the same server to access the POST data directly. <br>The following example uses wildcards to add a file named postreader.jsp in the root of any protected website to the list of URLs that will not have their POST data inspected: <br>http*://*:*/postreader.jsp <br>Any URLs added to this property should also be added to the Not-Enforced URLs <br> (property: org.forgerock.agents.config.skip.post.url)", "propertyOrder" : 33740, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "overrideRequestProtocol" : { "title" : "Override Request URL Protocol", "description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the protocol with the value from the property com.sun.identity.agents.config.agenturi.prefix. 
(property name: com.sun.identity.agents.config.override.protocol)", "propertyOrder" : 33100, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } } } }, "globalWebAgentConfig" : { "type" : "object", "title" : "Global", "propertyOrder" : 0, "properties" : { "agentUriPrefix" : { "title" : "Agent Deployment URI Prefix", "description" : "(property name: com.sun.identity.agents.config.agenturi.prefix)", "propertyOrder" : 25800, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "disableJwtAudit" : { "title" : "Disable validation of the audience claim", "description" : "Specifies whether the agent should validate the audience claim matches the agent profile ID represented in the JWT containing the end user's session. <br>Possible values are: <br> false = The agent validates audience claim. <br> true = The agent does not validate audience claim.<br> (property: com.forgerock.agents.jwt.aud.disable)", "propertyOrder" : 25510, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "cdssoRootUrl" : { "title" : "Agent Root URL for CDSSO", "description" : "The list of agent root URLs for CDSSO. The valid value is in the format protocol://hostname:port/, where protocol represents the protocol used, such as http or https, hostname represents the host name of the system where the agent resides, and port represents the port number on which the agent is installed. The slash following the port number is required.<br> If your agent system also has virtual host names, add URLs with the virtual host names to this list as well. 
AM checks that goto URLs match one of the agent root URLs for CDSSO.<br>Property: sunIdentityServerDeviceKeyValue <br>Valid for Agent 5.0 onwards", "propertyOrder" : 26100, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "fqdnMapping" : { "title" : "FQDN Virtual Host Map", "description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.", "propertyOrder" : 27500, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "object", "required" : false } } }, "amLbCookieEnable" : { "title" : "AM Load Balancer Cookie Enabled", "description" : "When true, the Web Agent passes the amlbcookie to AM. Use this property to improve performance. AM Load balancer cookies can reduce the number of calls that different AM instances make to the Core Token Service (CTS). 
<br>Property: com.forgerock.agents.config.add.amlbcookie <br>Introduced in Web Agent 5.8", "propertyOrder" : 26150, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "agentConfigChangeNotificationsEnabled" : { "title" : "Enable Notifications of Agent Configuration Change", "description" : "Enable agent to receive notification messages (via websockets) from AM server for configuration changes.<br>Property: com.sun.identity.agents.config.change.notification.enable <br>Valid for Web Agent 5.0 onwards", "propertyOrder" : 25300, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "secretLabelIdentifier" : { "title" : "Secret Label Identifier", "description" : "AM uses this identifier to create a specific secret label, using the template <code>am.applications.agents.{{identifier}}.secret</code> where {{identifier}} is the Secret Label Identifier. <br>The Secret Label Identifier can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}. <br>As a best practice, use a different Secret Label Identifier per agent. <br><br> If you update or delete this value, any corresponding secret mapping for the previous identifier is updated or deleted, provided no other agent shares that secret mapping.", "propertyOrder" : 25050, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "fqdnDefault" : { "title" : "FQDN Default", "description" : "Fully qualified hostname that the users should use in order to access resources. 
(property name: com.sun.identity.agents.config.fqdn.default)", "propertyOrder" : 27400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "ssoOnlyMode" : { "title" : "SSO Only Mode", "description" : "Agent will just enforce authentication (SSO), but no authorization for policies. (property name: com.sun.identity.agents.config.sso.only)", "propertyOrder" : 26200, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "accessDeniedUrl" : { "title" : "Resources Access Denied URL", "description" : "The URL of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.url)", "propertyOrder" : 26300, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "fqdnCheck" : { "title" : "FQDN Check", "description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable)", "propertyOrder" : 27300, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "repositoryLocation" : { "title" : "Location of Agent Configuration Repository", "description" : "Indicates agent's configuration located either on agent's host or centrally on AM server (property: org.forgerock.agents.config.location).", "propertyOrder" : 25200, "required" : true, "type" : "string", "exampleValue" : "" }, "auditAccessType" : { "title" : "Audit Access Types", "description" : "Types of messages to log based on user URL access attempts. 
(property name: com.sun.identity.agents.config.audit.accesstype)", "propertyOrder" : 26700, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "agentgroup" : { "title" : "Group", "description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.", "propertyOrder" : 100, "required" : false, "type" : "string", "exampleValue" : "" }, "notificationsEnabled" : { "title" : "Enable Notifications", "description" : "The notifications help in maintaining agent's sso, policy and configuration caches. (property name: com.sun.identity.agents.config.notification.enable) <br>Requires Agent Restart", "propertyOrder" : 25600, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "userpassword" : { "title" : "Password", "description" : "The agent password. Used to authenticate the agent if you don't store agent passwords in a secret store. 
This password is ignored if you specify a Secret Label Identifier and the corresponding secret mapping.", "propertyOrder" : 25000, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "jwtName" : { "title" : "JWT Cookie Name", "description" : "The name used by the agent to set the OIDC JWT on the user's browser.<br>Property: org.forgerock.agents.jwt.cookie.name <br>Valid for Java Agent 5.0 onwards", "propertyOrder" : 25500, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "resetIdleTime" : { "title" : "Reset Idle Timeout", "description" : "If the agent is configured in SSO-only mode, the session may unexpectedly expire in AM due to idle timeout before the user has finished accessing the application. <br>Set this property to true to refresh the timeout when the user performs an action. <br>When set to true, the agent makes an additional call to AM, this may cause a performance impact. Configure this property only if: <br> The agent is configured in SSO-only mode. <br> User's sessions are timing out in AM because they are unexpectedly reaching the maximum idle timeout value. <br>(property: com.forgerock.agents.call.session.refresh)", "propertyOrder" : 26250, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "webSocketConnectionIntervalInMinutes" : { "title" : "WebSocket Connection Interval", "description" : "The time in minutes before WebSockets to AM are killed and reopened. This property helps ensure a balanced distribution of connections across the AM servers on the site. 
<br>Default: 30<br>Type: Integer<br>Hot-swap: Yes<br> Property: org.forgerock.agents.balance.websocket.interval.minutes <br>Valid for Java Agent 5.0 onwards", "propertyOrder" : 25400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "auditLogLocation" : { "title" : "Audit Log Location", "description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition)", "propertyOrder" : 26800, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "jwtAuditWhitelist" : { "title" : "Agent Profile ID Allow List", "description" : "Specifies a comma-separated list of profile IDs that the agent will consider as valid values for the audience claim. This claim is represented in the JWT containing the end user's session. <br>Example: <br>agentprofile1,agentprofile2,.... <br>When several agents configured with different agent profiles protect the same application, set this property to a list of the agent profiles that are protecting the same application. <br>Property: com.forgerock.agents.jwt.aud.whitelist <br>Introduced in Web Agent 5.6.2", "propertyOrder" : 25520, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "agentDebugLevel" : { "title" : "Agent Debug Level", "description" : "Agent debug level. 
(property name: com.sun.identity.agents.config.debug.level)", "propertyOrder" : 26400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "configurationPollingInterval" : { "title" : "Configuration Reload Interval", "description" : "Interval in minutes to fetch agent configuration from AM. (property name: com.sun.identity.agents.config.polling.interval) <br>Requires Agent Restart", "propertyOrder" : 25900, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "status" : { "title" : "Status", "description" : "Status of the agent configuration.", "propertyOrder" : 25100, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : true } } } } }, "ssoWebAgentConfig" : { "type" : "object", "title" : "SSO", "propertyOrder" : 2, "properties" : { "httpOnly" : { "title" : "HTTP Only Mode", "description" : "Agents with this property set to true mark cookies as HTTPOnly to prevent scripts and third-party programs from accessing the cookies. (property: com.sun.identity.cookie.httponly)", "propertyOrder" : 29250, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "multivaluePreAuthnCookie" : { "title" : "Multivalue for Pre-Authn Cookie", "description" : "With this set, the agent will use a legacy mode to create cookies that are used to track unauthenticated requests that have been redirected to login. This mode should only be used for backward compatibility, where the pre-5.7 way of tracking redirected requests is required, perhaps because the cookie names are referenced in proxy configuration. 
This property need not be set in any other situation. (property: org.forgerock.openam.agents.config.multivalue.pre.authn.cookies)", "propertyOrder" : 29280, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "sameSite" : { "title" : "SameSite Cookie Attribute", "description" : "If set, agent will add SameSite attribute to all cookies created by agent with value which is provided in this property. <br>Example: Strict, Lax, None (property: com.forgerock.agents.cdsso.cookie.samesite)", "propertyOrder" : 29260, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "secureCookies" : { "title" : "Cookie Security", "description" : "Agent sends secure cookies if communication is secure. (property name: com.sun.identity.agents.config.cookie.secure) <br>Requires Agent Restart", "propertyOrder" : 29200, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "cookieResetList" : { "title" : "Cookies Reset Name List", "description" : "List of cookies in the format: name[=value][;Domain=value]. (property name: com.sun.identity.agents.config.cookie.reset) <br> Examples: <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com", "propertyOrder" : 29800, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "cookieResetOnRedirect" : { "title" : "Session Cookie Reset on Authentication Redirect", "description" : "When set to true, 
the agent will not reset the session cookie on an authentication redirect if there is a policy advice present. By default, the agent resets the session cookie in all configured domains on every authentication redirect when a policy advice is present. (property: org.forgerock.agents.config.cdsso.advice.cleanup.disable)", "propertyOrder" : 29400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "persistentJwtCookie" : { "title" : "Persistent JWT Cookie", "description" : "Enable persistence for JWT cookie. If true JWT cookie will not be set as Session Cookie. (property: org.forgerock.agents.config.cdsso.persistent.cookie.enable)", "propertyOrder" : 29270, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "acceptSsoToken" : { "title" : "Accept SSO Token", "description" : "Specifies whether the agent should accept SSO tokens as session cookies alongside with ID tokens. Possible values: <br>- false. The agent does not accept SSO Tokens <br>- true. The agent accepts both SSO tokens and ID tokens as session tokens during the login flow, and afterwards. SSO tokens are not converted to ID tokens <br>Set this property to \"true\" only for specific migration cases (see documentation for more info) <br>(property: com.forgerock.agents.accept.sso.token) (Agent 5.7+ only)", "propertyOrder" : 29850, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "cdssoCookieDomain" : { "title" : "Cookies Domain List", "description" : "List of domains in which cookies have to be set in CDSSO. 
(property name: com.sun.identity.agents.config.cdsso.cookie.domain) <br> Example: <br> .example.com", "propertyOrder" : 29600, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "cookieName" : { "title" : "Cookie Name", "description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.sun.identity.agents.config.cookie.name)<br>Requires Agent Restart", "propertyOrder" : 29100, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "cdssoRedirectUri" : { "title" : "Authentication Redirect URI", "description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. <br>Property: org.forgerock.agents.authn.redirect.uri <br>Valid for Java Agent 5.0 onwards", "propertyOrder" : 29300, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "cookieResetEnabled" : { "title" : "Cookie Reset", "description" : "Agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable)", "propertyOrder" : 29700, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } } } }, "miscWebAgentConfig" : { "type" : "object", "title" : "Miscellaneous", "propertyOrder" : 4, "properties" : { "profileAttributesCookieMaxAge" : { "title" : "Profile Attributes Cookie Maxage", "description" : "Maxage of attributes cookie headers. 
(property name: com.sun.identity.agents.config.profile.attribute.cookie.maxage)", "propertyOrder" : 31900, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "gotoParameterName" : { "title" : "Goto Parameter Name", "description" : "This is the name of the HTTP query \"goto\" parameter. It is not recommended to change it.<br>Property: com.sun.identity.agents.config.redirect.param <br>Valid for Java Agent 5.0 onwards", "propertyOrder" : 32600, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "compositeAdviceRedirect" : { "title" : "Composite Advice Handling", "description" : "When set to true, the agent sends composite advice in the query (GET request) instead of sending it through a POST request. (property: com.sun.am.use_redirect_for_advice)", "propertyOrder" : 32200, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "compositeAdviceEncode" : { "title" : "Composite Advice Encode", "description" : "This property is used to specify whether AM composite advices should be base64url-encoded before sending to custom login endpoints. (property: com.forgerock.agents.advice.b64.url.encode)", "propertyOrder" : 32300, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "statusCodeJsonResponse" : { "title" : "HTTP Return Code for JSON-Formatted Responses", "description" : "Specifies an HTTP response code to return when a JSON-formatted error is triggered. 
(property: org.forgerock.agents.config.json.response.code)", "propertyOrder" : 32760, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "addCacheControlHeader" : { "title" : "Add Cache-Control Headers", "description" : "Set this property to true to enable use of Cache-Control headers that prevent proxies from caching resources accessed by unauthenticated users. (property: com.forgerock.agents.cache_control_header.enable)", "propertyOrder" : 32710, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "invalidUrlRegex" : { "title" : "Invalid URL Regular Expression", "description" : "Specifies a Perl-compatible regular expression to parse valid request URLs. The web agent rejects requests to invalid URLs with HTTP 403 Forbidden status without further processing. <br>Example, to filter out URLs containing a list of characters and words such as ./ /. / . %00-%1f, %7f-%ff, %25, %2B, %2C, %7E, .info, configure the following regular expression: <br>^(\\?!.\\/|\\/.|.|.info|%2B|%00-%1f|%7f-%ff|%25|%2C|%7E).*$ <br>(property: com.forgerock.agents.agent.invalid.url.regex)", "propertyOrder" : 32500, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "profileAttributesCookiePrefix" : { "title" : "Profile Attributes Cookie Prefix", "description" : "Sets cookie prefix in the attributes headers. 
(property name: com.sun.identity.agents.config.profile.attribute.cookie.prefix)", "propertyOrder" : 31800, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "invertUrlJsonResponse" : { "title" : "Invert Properties That Receive JSON-Formatted Responses", "description" : "Set to true to invert the meaning of both the org.forgerock.agents.config.json.url and org.forgerock.agents.config.json.header properties. When inverted the specified values in those two properties will not trigger JSON-formatted responses. Any non-specified value will trigger JSON-formatted responses, instead. (property: org.forgerock.agents.config.json.url.invert)", "propertyOrder" : 32750, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "ignorePathInfo" : { "title" : "Ignore Path Info in Request URL", "description" : "The path info will be stripped from the request URL while doing Not Enforced List check and url policy evaluation if the value is set to true. <br>Property: com.sun.identity.agents.config.ignore.path.info <br>Valid for Agent 5.0 onwards", "propertyOrder" : 32400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "headerJsonResponse" : { "title" : "Headers and Values to Receive JSON-Formatted Responses", "description" : "Specify HTTP headers and associated values that trigger JSON-formatted errors to be returned. 
<br>Example: <br>org.forgerock.agents.config.json.header[enableJsonResponse]=true <br>org.forgerock.agents.config.json.response.code=202 <br>(property: org.forgerock.agents.config.json.header[Header]=Value)", "propertyOrder" : 32740, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "object", "required" : false } } }, "urlJsonResponse" : { "title" : "URLs to Receive JSON-Formatted Responses", "description" : "Returning the responses in JSON format is useful for non-browser-based, or AJAX applications, that may not want to redirect users to the AM user interface for authentication. <br>Example: org.forgerock.agents.config.json.url[0]=http*://*.example.com:*/api/* <br>org.forgerock.agents.config.json.response.code=202 <br>(property: org.forgerock.agents.config.json.url)", "propertyOrder" : 32730, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "mineEncodeHeader" : { "title" : "MIME-Encode HTTP Header Values", "description" : "Specifies whether the agent must MIME-encode HTTP header values, and when to do it. Possible values are: <br> 0. The agent MIME-encodes the value of HTTP headers if said value is a multi-byte Unicode string. <br> 1. The agent MIME-encodes the value of every HTTP header. <br> 2. The agent does not MIME-encode the value of any HTTP header. 
<br> (property: com.forgerock.agents.header.mime.encode)", "propertyOrder" : 32720, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "caseInsensitiveUrlComparison" : { "title" : "URL Comparison Case Sensitivity Check", "description" : "Enforces case insensitivity in both policy and not enforced url evaluation. (property name: com.sun.identity.agents.config.url.comparison.case.ignore)", "propertyOrder" : 32000, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "anonymousUserId" : { "title" : "Anonymous User Default Value", "description" : "User id of unauthenticated users. (property name: com.sun.identity.agents.config.anonymous.user.id)", "propertyOrder" : 32700, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "anonymousUserEnabled" : { "title" : "Anonymous User", "description" : "Enable/Disable REMOTE_USER processing for anonymous users. (property name: com.sun.identity.agents.config.anonymous.user.enable)", "propertyOrder" : 31600, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "encodeUrlSpecialCharacters" : { "title" : "Encode URL's Special Characters", "description" : "Encodes the url which has special characters before doing policy evaluation. 
(property name: com.sun.identity.agents.config.encode.url.special.chars.enable)", "propertyOrder" : 32100, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "encodeSpecialCharsInCookies" : { "title" : "Encode special chars in Cookies", "description" : "Encode special chars in cookie by URL encoding. Useful when profile, session and response attributes contain special chars and attributes fetch mode is set to HTTP_COOKIE. (property name: com.sun.identity.agents.config.encode.cookie.special.chars.enable) ", "propertyOrder" : 31700, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } } } } } }
delete
Usage
am> delete WebAgents --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action WebAgents --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action WebAgents --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action WebAgents --realm Realm --actionName nextdescendents
query
Query the agents of a specific type.
Usage
am> query WebAgents --realm Realm --filter filter
Parameters
- --filter
-
A CREST-formatted query filter, where "true" matches every resource.
read
Usage
am> read WebAgents --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update WebAgents --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "applicationWebAgentConfig" : { "type" : "object", "title" : "Application", "propertyOrder" : 1, "properties" : { "invertNotEnforcedUrls" : { "title" : "Invert Not Enforced URLs", "description" : "Only not enforced list of urls will be enforced. (property name: com.sun.identity.agents.config.notenforced.url.invert)", "propertyOrder" : 27800, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "notEnforcedUrlsRegex" : { "title" : "Regular Expressions for Not-Enforced URLs", "description" : "When true, enables use of Perl-compatible regular expressions in Not-enforced URL settings. (property: com.forgerock.agents.notenforced.url.regex.enable)", "propertyOrder" : 27850, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "ignorePathInfoForNotEnforcedUrls" : { "title" : "Ignore Path Info for Not Enforced URLs", "description" : "Indicate whether the path info and query should be stripped from the request URL before being compared with the URLs of the not enforced list when those URLs have a wildcard '*' character. (property name: com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list) ", "propertyOrder" : 27600, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "notEnforcedIps" : { "title" : "Not Enforced Client IP List", "description" : "No authentication and authorization are required for the requests coming from these client IP addresses. 
(property name: com.sun.identity.agents.config.notenforced.ip) <br> Examples: <br> 192.18.145.* <br> 192.18.146.123", "propertyOrder" : 28000, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "profileAttributeMap" : { "title" : "Profile Attribute Map", "description" : "Maps the profile attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.profile.attribute.mapping) <br> Example: <br> To populate the value of profile attribute cn under name CUSTOM-Common-Name: enter cn in Map Key field, and enter CUSTOM-Common-Name in Corresponding Map Value field. <br> To populate the value of profile attribute mail under name CUSTOM-Email: enter mail in Map Key field, and enter CUSTOM-Email in Corresponding Map Value field.", "propertyOrder" : 28300, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "object", "required" : false } } }, "continuousSecurityHeaders" : { "title" : "Continuous Security Header Map", "description" : "The name of the headers in the user's original request, that will be sent as part of the payload during policy evaluation, which can then be accessed via the 'environment' variable in a policy script. The 'key' is the name of the header to be sent, and the 'value' is the name which it will appear as in the policy evaluation script.It is possible to map multiple headers to the same name (they will simply appear as an array in the evaluation script). If the header doesn't exist, then the empty string will be sent. 
<br>Property: org.forgerock.agents.continuous.security.headers.map <br>Valid for Agent 5.0 onwards", "propertyOrder" : 29000, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "object", "required" : false } } }, "responseAttributeFetchMode" : { "title" : "Response Attribute Fetch Mode", "description" : "(property name: com.sun.identity.agents.config.response.attribute.fetch.mode)", "propertyOrder" : 28400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "notEnforcedIpsRegex" : { "title" : "Regular Expressions for Not-Enforced IPs", "description" : "Enable use of Perl-compatible regular expressions in Not-Enforced URL from IP settings. (property: org.forgerock.agents.config.notenforced.ext.regex.enable)", "propertyOrder" : 28150, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "continuousSecurityCookies" : { "title" : "Continuous Security Cookie Map", "description" : "The name of the cookies to be sent as part of the payload during policy evaluation, which can be accessed via the 'environment' variable in a policy script. The 'key' is the name of the cookie to be sent, and the 'value' is the name which it will appear as in the policy evaluation script. It is possible to map multiple cookies to the same name (they will simply appear as an array in the evaluation script). If the cookie doesn't exist, then the empty string will be sent. 
<br>Property: org.forgerock.agents.continuous.security.cookies.map <br>Valid for Agent 5.0 onwards", "propertyOrder" : 28900, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "object", "required" : false } } }, "responseAttributeMap" : { "title" : "Response Attribute Map", "description" : "Maps the policy response attributes to be populated under specific names for the currently authenticated user. (property name: com.sun.identity.agents.config.response.attribute.mapping) <br> Example: <br> To populate the value of response attribute uid under name CUSTOM-USER-NAME: enter uid in Map Key field, and enter CUSTOM-USER-NAME in Corresponding Map Value field.", "propertyOrder" : 28500, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "object", "required" : false } } }, "sessionAttributeFetchMode" : { "title" : "Session Attribute Fetch Mode", "description" : "(property name: com.sun.identity.agents.config.session.attribute.fetch.mode)", "propertyOrder" : 28600, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "sessionAttributeMap" : { "title" : "Session Attribute Map", "description" : "Maps the session attributes to be populated under specific names for the currently authenticated user. 
(property name: com.sun.identity.agents.config.session.attribute.mapping) <br> Example: <br> To populate the value of session attribute UserToken under name CUSTOM-userid: enter UserToken in Map Key field, and enter CUSTOM-userid in Corresponding Map Value field.", "propertyOrder" : 28700, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "object", "required" : false } } }, "notEnforcedUrls" : { "title" : "Not Enforced URLs", "description" : "List of URLs for which no authentication is required. (property name: com.sun.identity.agents.config.notenforced.url) <br> Example: <br> http://myagent.mydomain.com/*.gif", "propertyOrder" : 27700, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "profileAttributeFetchMode" : { "title" : "Profile Attribute Fetch Mode", "description" : "(property name: com.sun.identity.agents.config.profile.attribute.fetch.mode)", "propertyOrder" : 28200, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "fetchAttributesForNotEnforcedUrls" : { "title" : "Fetch Attributes for Not Enforced URLs", "description" : "Agent fetches profile attributes for not enforced urls by doing policy evaluation. (property name: com.sun.identity.agents.config.notenforced.url.attributes.enable)", "propertyOrder" : 27900, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "attributeMultiValueSeparator" : { "title" : "Attribute Multi Value Separator", "description" : "Specifies separator for multiple values. 
Applies to all types of attributes i.e. profile, session and response attributes. (property name: com.sun.identity.agents.config.attribute.multi.value.separator)", "propertyOrder" : 28800, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "notEnforcedIpsList" : { "title" : "Not-Enforced URL from IP Processing List", "description" : "Specifies a list of client IP addresses that do not require authentication when requesting the indicated URLs. <br>The supported format requires a list of IP addresses separated by spaces, the horizontal bar (|) character, and a list of URLs separated by spaces. <br>For example: <br> 10.1.2.1 192.168.0.2|/public/* <br>In the preceding example, the IP addresses 10.1.2.1 and 192.168.0.2 can access any resource inside /public without authenticating. (property: org.forgerock.agents.config.notenforced.ipurl)", "propertyOrder" : 28050, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "clientIpValidation" : { "title" : "Client IP Validation", "description" : "This validates if the subsequent browser requests come from the same ip address that the SSO token is initially issued against. (property name: com.sun.identity.agents.config.client.ip.validation.enable)", "propertyOrder" : 28100, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } } } }, "amServicesWebAgent" : { "type" : "object", "title" : "AM Services", "propertyOrder" : 3, "properties" : { "applicationLogoutUrls" : { "title" : "Logout URL List", "description" : "List of application logout URLs. User gets logged out from AM session when these urls accessed. 
(property name: com.sun.identity.agents.config.agent.logout.url). If this property is used, user should specify a value for the below Logout Redirect URL property. <br> Example: <br> http://myagent.mydomain.com/logout.html", "propertyOrder" : 30300, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "regexConditionalLoginPattern" : { "title" : "Regular Expression Conditional Login Pattern", "description" : "Conditionally redirect users based on the incoming request URL. If the incoming request URL matches a regular expression, the web agent redirects the request to a specific URL. That specific URL can be an AM instance, site, or a different website. Specifies the regular expression that the domain name must match. This property needs to configure \"Regular Expression Conditional Login URL\" <br>Example: <br> org.forgerock.agents.config.conditional.login.pattern[0] = .*shop <br> org.forgerock.agents.config.conditional.login.url[0] = http://am.example.com/am/oauth2/authorize?realm=sales <br><br>Property: org.forgerock.agents.config.conditional.login.pattern", "propertyOrder" : 30050, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "fetchPoliciesFromRootResource" : { "title" : "Fetch Policies from Root Resource", "description" : "Agent caches policy decision of the resource and all resources from the root of the resource down. 
(property name: com.sun.identity.agents.config.fetch.from.root.resource) <br>Requires Agent Restart", "propertyOrder" : 31000, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "policyClockSkew" : { "title" : "Policy Clock Skew", "description" : "Time in seconds used to adjust for the time difference between the Agent machine and AM. Clock skew in seconds = AgentTime - AMServerTime. (property name: com.sun.identity.agents.config.policy.clock.skew) <br>Requires Agent Restart", "propertyOrder" : 31200, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "policyEvaluationRealm" : { "title" : "Policy Evaluation Realm", "description" : "Which realm to start evaluating from. (property name: org.forgerock.openam.agents.config.policy.evaluation.realm)", "propertyOrder" : 31300, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "amLogoutUrl" : { "title" : "AM Logout URL", "description" : "AM logout page URL. (property name: com.sun.identity.agents.config.logout.url) <br> Example: <br> http://host:port/am/UI/Logout", "propertyOrder" : 30200, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "ssoCachePollingInterval" : { "title" : "SSO Cache Polling Period", "description" : "Polling interval in minutes to refresh agent's sso cache. 
(property name: com.sun.identity.agents.config.sso.cache.polling.interval) <br>Requires Agent Restart", "propertyOrder" : 30700, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "regexConditionalLoginUrl" : { "title" : "Regular Expression Conditional Login URL", "description" : "Conditionally redirect users based on the incoming request URL. If the incoming request URL matches a regular expression, the web agent redirects the request to a specific URL. That specific URL can be an AM instance, site, or a different website. Specifies the redirection URL and its parameters. This property needs to configure \"Regular Expression Conditional Login Pattern\" <br>Example: <br> org.forgerock.agents.config.conditional.login.pattern[0] = .*shop <br> org.forgerock.agents.config.conditional.login.url[0] = http://am.example.com/am/oauth2/authorize?realm=sales <br><br>Property: org.forgerock.agents.config.conditional.login.url", "propertyOrder" : 30100, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "customLoginMode" : { "title" : "Custom Login Mode", "description" : "Specifies whether the agent should use the default or the custom login mode when redirecting unauthenticated users.<br>Possible values are: <br>0. Disabled. Default login redirection mode enabled <br> 1. Custom login mode enabled, in which the SSO token is converted into an ID token <br> 2. Legacy Custom login mode. 
Can be used in specific migration cases from agent 4 <br>(property: org.forgerock.openam.agents.config.allow.custom.login)", "propertyOrder" : 29890, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "policyCachePollingInterval" : { "title" : "Policy Cache Polling Period", "description" : "Polling interval in minutes to refresh agent's policy cache. (property name: com.sun.identity.agents.config.policy.cache.polling.interval) <br>Requires Agent Restart", "propertyOrder" : 30600, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "logoutRedirectDisabled" : { "title" : "Disabled Logout Redirection", "description" : "When disabled, instead of redirecting the user-agent, the web agent performs session logout in the background and then continues processing access to the current URL. (property: com.forgerock.agents.config.logout.redirect.disable)", "propertyOrder" : 30510, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "enableLogoutRegex" : { "title" : "Enable Regex for Logout URL List", "description" : "This property allows regular expressions in \"Logout URL List\" (property: org.forgerock.agents.config.logout.regex.enable)", "propertyOrder" : 30530, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "retrieveClientHostname" : { "title" : "Retrieve Client Hostname", "description" : "Gets the client's hostname through DNS reverse lookup for use in policy evaluation. 
(property name: com.sun.identity.agents.config.get.client.host.name)", "propertyOrder" : 31100, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "logoutUrlRegex" : { "title" : "Logout URL Regular Expression", "description" : "Perl-compatible regular expression that matches logout URLs. For example, to match URLs with protectedA or protectedB in the path and op=logout in the query string, use the following setting: <br>*(/protectedA\\?|/protectedB\\?/).*(\\&op=logout\\&)(.*|$) <br>When you use this property, the agent ignores the settings for Logout URL List. (property: com.forgerock.agents.agent.logout.url.regex)", "propertyOrder" : 30540, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "conditionalLoginUrl" : { "title" : "AM Conditional Login URL", "description" : "Conditionally redirect users based on the incoming request URL. If the incoming request URL matches a specified domain name, the web agent redirects the request to a specific URL. That specific URL can be an AM instance, site, or a different website. 
<br>Example: <br> example.com|https://am.example.com/am/oauth2/authorize <br> myapp.domain.com|https://am2.example.com/am/oauth2/authorize?realm=sales <br><br>Property: com.forgerock.agents.conditional.login.url", "propertyOrder" : 30000, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "invalidateLogoutSession" : { "title" : "Invalidate Logout Session", "description" : "Specifies whether the agent must invalidate the user session in AM when redirecting to the logout URL specified either by the Logout URL list (com.sun.identity.agents.config.agent.logout.url) or the AM logout URL (com.sun.identity.agents.config.logout.url) properties. (property: org.forgerock.agents.config.logout.session.invalidate)", "propertyOrder" : 30520, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "userIdParameter" : { "title" : "User ID Parameter", "description" : "Agent sets value of User Id to REMOTE_USER server variable. (property name: com.sun.identity.agents.config.userid.param)", "propertyOrder" : 30800, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "logoutResetCookies" : { "title" : "Logout Cookies List for Reset", "description" : "Any cookies to be reset upon logout in the same format as cookie reset list. 
(property name: com.sun.identity.agents.config.logout.cookie.reset) <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com", "propertyOrder" : 30400, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "amLoginUrl" : { "title" : "AM Login URL", "description" : "AM login page URL. (property name: com.sun.identity.agents.config.login.url) <br> Example: <br> http://host:port/am/UI/Login", "propertyOrder" : 29900, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "policyEvaluationApplication" : { "title" : "Policy Set", "description" : "Which application contains the policies to evaluate with. (property name: org.forgerock.openam.agents.config.policy.evaluation.application)", "propertyOrder" : 31400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "logoutRedirectUrl" : { "title" : "Logout Redirect URL", "description" : "User gets redirected to this url after logout. (property name: com.sun.identity.agents.config.logout.redirect.url). This property should be specified along with the above Logout URL List.", "propertyOrder" : 30500, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "userIdParameterType" : { "title" : "User ID Parameter Type", "description" : "User ID can be fetched from either SESSION or LDAP attributes. 
(property name: com.sun.identity.agents.config.userid.param.type)", "propertyOrder" : 30900, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "publicAmUrl" : { "title" : "Public AM URL", "description" : "Overrides the agent's behavior of finding a suitable AM server and specifies the public URL of the AM to redirect to. <br> Use this property if: <br> - Your environment uses custom login pages (OIDC-compliant and non-OIDC-compliant flows). <br> - Your environment's custom login pages are in a network that can only access AM using a proxy, a firewall, or any other technology that remaps the AM URL to one accessible by the custom login pages. <br> -End-users cannot log in due to their cookies being set in the wrong domains. <br>(property: com.forgerock.agents.public.am.url) ", "propertyOrder" : 29950, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } } } }, "advancedWebAgentConfig" : { "type" : "object", "title" : "Advanced", "propertyOrder" : 5, "properties" : { "customProperties" : { "title" : "Custom Properties", "description" : "Additional properties that allow users to augment the set of properties supported by agent. 
(property name: com.sun.identity.agents.config.freeformproperties) <br> Examples: <br> customproperty=custom-value1 <br> customlist[0]=customlist-value-0 <br> customlist[1]=customlist-value-1 <br> custommap[key1]=custommap-value-1 <br> custommap[key2]=custommap-value-2", "propertyOrder" : 35100, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "clientHostnameHeader" : { "title" : "Client Hostname Header", "description" : "HTTP header name that holds the Hostname of the client. <br>Property: org.forgerock.agents.http.header.containing.remote.hostname <br>Valid for Agent 5.0 onwards", "propertyOrder" : 32900, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "pdpStickySessionValue" : { "title" : "POST Data Sticky Load Balancing Value", "description" : "Specifies a key-value pair separated by the = character that the web agent creates when evaluating the \"POST Data Sticky Load Balancing Mode\". For example, a setting of lb=myserver either sets an lb cookie with myserver value, or adds lb=myserver to the URL query string. When configuring POST data preservation with cookies, set the cookie name in the cookie pair to the same value configured in the \"POST Data Sticky Load Balancing Cookie Name\". (property: com.sun.identity.agents.config.postdata.preserve.stickysession.value)", "propertyOrder" : 33710, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "clientIpHeader" : { "title" : "Client IP Address Header", "description" : "HTTP header name that holds the IP address of the client. 
<br>Property: org.forgerock.agents.http.header.containing.ip.address <br>Valid for Agent 5.0 onwards", "propertyOrder" : 32800, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "retainSessionCache" : { "title" : "Retain Session Cache After Configuration Change", "description" : "Use this property to manage how the session cache is used after a change to the agent configuration: <br> False: Purge the session cache, and re-read the user session data. <br> True: Do not purge the session cache, and do not re-read the user session data. <br><br>Use this value to prevent the agent from flooding AM instances with requests, when the agent configuration changes regularly, and the changes do not affect the agent authorisation decisions. <br><br>Property: com.forgerock.agents.session.cache.eventually.consistent <br>Introduced in Web Agent 5.9.0", "propertyOrder" : 34700, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "postDataPreservation" : { "title" : "POST Data Preservation", "description" : "Enables POST data preservation. (property name: com.sun.identity.agents.config.postdata.preserve.enable) <br> Note that this feature is not supported in all the web agents. Please refer individual agents documentation for more details.", "propertyOrder" : 33500, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "overrideRequestHost" : { "title" : "Override Request URL Host", "description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the host with the value from the property com.sun.identity.agents.config.agenturi.prefix. 
(property name: com.sun.identity.agents.config.override.host)", "propertyOrder" : 33200, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "pdpStickySessionCookieName" : { "title" : "POST Data Sticky Load Balancing Cookie Name", "description" : "Specifies the name of a cookie to use for enabling sticky load balancing when the \"POST Data Sticky Load Balancing Mode\" property is set to COOKIE. Set the cookie name to the same value configured in the \"POST Data Sticky Load Balancing Value\" property. (property: com.sun.identity.agents.config.postdata.preserve.lbcookie)", "propertyOrder" : 33720, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "pdpJavascriptRepost" : { "title" : "Submit POST Data using JavaScript", "description" : "When set to true, preserved POST data will be resubmitted to the destination server after authentication by using JavaScript. (property: org.forgerock.agents.pdp.javascript.repost)", "propertyOrder" : 33730, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "apacheAuthDirectives" : { "title" : "Use Built-in Apache HTTPD Authentication Directives", "description" : "A regular expression pattern to specify which not-enforced URLs can use built-in Apache authentication directives, such as AuthName, FilesMatch, and Require, for basic authentication. <br>Requests with not-enforced URLs that match the expression can use built-in Apache authentication directives. 
<br><br>Property: com.forgerock.agents.no.remoteuser.module.compatibility <br>Introduced in Web Agent 5.9.0", "propertyOrder" : 34600, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "postDataCachePeriod" : { "title" : "POST Data Entries Cache Period", "description" : "POST cache entry lifetime in minutes. (property name: com.sun.identity.agents.config.postcache.entry.lifetime)", "propertyOrder" : 33600, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "overrideRequestPort" : { "title" : "Override Request URL Port", "description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the port with the value from the property com.sun.identity.agents.config.agenturi.prefix. (property name: com.sun.identity.agents.config.override.port)", "propertyOrder" : 33300, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "replayPasswordKey" : { "title" : "Replay Password Key", "description" : "DES key for decrypting the basic authentication password in the session. <br>The value of this property is inherited from the secret mapped to the <code>am.authentication.replaypassword.key</code> secret label.<br>If you set a value in this field, it is ignored.", "propertyOrder" : 33900, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "hostnameToIpAddress" : { "title" : "Hostname to IP Address Map", "description" : "Map of a hostname to an IP address. The mapped hostname is automatically resolved to the IP address. 
<br>Format: Hostname|IP <br>Example: am.example.com|10.199.0.2 <br><br>Property: com.forgerock.agents.config.hostmap <br>Valid for Agent 5.0 onwards", "propertyOrder" : 32950, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "showPasswordInHeader" : { "title" : "Show Password in HTTP Header", "description" : "Set to true if encrypted password should be set in HTTP header AUTH_PASSWORD. (property name: com.sun.identity.agents.config.iis.password.header)", "propertyOrder" : 34400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "fragmentRedirectEnabled" : { "title" : "Fragment Redirect Enabled", "description" : "Enable to save the browser's URL fragment during authentication. <br>(property: org.forgerock.agents.config.fragment.redirect.enable) (Agent 5.7+ only)", "propertyOrder" : 33400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "logonAndImpersonation" : { "title" : "Logon and Impersonation", "description" : "Set to true if agent should do Windows Logon and User Impersonation. (property name: com.sun.identity.agents.config.iis.logonuser)", "propertyOrder" : 34500, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "pdpStickySessionMode" : { "title" : "POST Data Sticky Load Balancing Mode", "description" : "Specifies whether to create a cookie, or to append a query string to the URL to assist with sticky load balancing. Possible values are: <br>COOKIE. 
The web agent creates a cookie with the value specified in the com.sun.identity.agents.config.postdata.preserve.stickysession.value property. <br>URL. The web agent appends the value specified in the com.sun.identity.agents.config.postdata.preserve.stickysession.value to the URL query string. <br> (property: com.sun.identity.agents.config.postdata.preserve.stickysession.mode)", "propertyOrder" : 33700, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "pdpSkipPostUrl" : { "title" : "URLs Ignored by the Agent POST Data Inspector", "description" : "Specifies a list of URLs that will not be processed by the web agent POST data inspector. This allows other modules on the same server to access the POST data directly. <br>The following example uses wildcards to add a file named postreader.jsp in the root of any protected website to the list of URLs that will not have their POST data inspected: <br>http*://*:*/postreader.jsp <br>Any URLs added to this property should also be added to the Not-Enforced URLs <br> (property: org.forgerock.agents.config.skip.post.url)", "propertyOrder" : 33740, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "overrideRequestProtocol" : { "title" : "Override Request URL Protocol", "description" : "Set to true if the agent is sitting behind a ssl/tls off-loader, load balancer, or proxy to override the protocol with the value from the property com.sun.identity.agents.config.agenturi.prefix. 
(property name: com.sun.identity.agents.config.override.protocol)", "propertyOrder" : 33100, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } } } }, "globalWebAgentConfig" : { "type" : "object", "title" : "Global", "propertyOrder" : 0, "properties" : { "agentUriPrefix" : { "title" : "Agent Deployment URI Prefix", "description" : "(property name: com.sun.identity.agents.config.agenturi.prefix)", "propertyOrder" : 25800, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "disableJwtAudit" : { "title" : "Disable validation of the audience claim", "description" : "Specifies whether the agent should validate that the audience claim, represented in the JWT containing the end user's session, matches the agent profile ID. <br>Possible values are: <br> false = The agent validates the audience claim. <br> true = The agent does not validate the audience claim.<br> (property: com.forgerock.agents.jwt.aud.disable)", "propertyOrder" : 25510, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "cdssoRootUrl" : { "title" : "Agent Root URL for CDSSO", "description" : "The list of agent root URLs for CDSSO. The valid value is in the format protocol://hostname:port/, where protocol represents the protocol used, such as http or https, hostname represents the host name of the system where the agent resides, and port represents the port number on which the agent is installed. The slash following the port number is required.<br> If your agent system also has virtual host names, add URLs with the virtual host names to this list as well. 
AM checks that goto URLs match one of the agent root URLs for CDSSO.<br>Property: sunIdentityServerDeviceKeyValue <br>Valid for Agent 5.0 onwards", "propertyOrder" : 26100, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "fqdnMapping" : { "title" : "FQDN Virtual Host Map", "description" : "Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access protected resources. (property name: com.sun.identity.agents.config.fqdn.mapping) <br> Examples: <br> To map the partial hostname myserver to myserver.mydomain.com: enter myserver in the Map Key field and myserver.mydomain.com in the Corresponding Map Value field. To map a virtual server rst.hostname.com that points to the actual server abc.hostname.com: enter valid1 in the Map Key field and rst.hostname.com in the Corresponding Map Value field.", "propertyOrder" : 27500, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "object", "required" : false } } }, "amLbCookieEnable" : { "title" : "AM Load Balancer Cookie Enabled", "description" : "When true, the Web Agent passes the amlbcookie to AM. Use this property to improve performance. AM Load balancer cookies can reduce the number of calls that different AM instances make to the Core Token Service (CTS). 
<br>Property: com.forgerock.agents.config.add.amlbcookie <br>Introduced in Web Agent 5.8", "propertyOrder" : 26150, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "agentConfigChangeNotificationsEnabled" : { "title" : "Enable Notifications of Agent Configuration Change", "description" : "Enable agent to receive notification messages (via websockets) from AM server for configuration changes.<br>Property: com.sun.identity.agents.config.change.notification.enable <br>Valid for Web Agent 5.0 onwards", "propertyOrder" : 25300, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "secretLabelIdentifier" : { "title" : "Secret Label Identifier", "description" : "AM uses this identifier to create a specific secret label, using the template <code>am.applications.agents.{{identifier}}.secret</code> where {{identifier}} is the Secret Label Identifier. <br>The Secret Label Identifier can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}. <br>As a best practice, use a different Secret Label Identifier per agent. <br><br> If you update or delete this value, any corresponding secret mapping for the previous identifier is updated or deleted, provided no other agent shares that secret mapping.", "propertyOrder" : 25050, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "fqdnDefault" : { "title" : "FQDN Default", "description" : "Fully qualified hostname that the users should use in order to access resources. 
(property name: com.sun.identity.agents.config.fqdn.default)", "propertyOrder" : 27400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "ssoOnlyMode" : { "title" : "SSO Only Mode", "description" : "Agent will just enforce authentication (SSO), but no authorization for policies. (property name: com.sun.identity.agents.config.sso.only)", "propertyOrder" : 26200, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "accessDeniedUrl" : { "title" : "Resources Access Denied URL", "description" : "The URL of the customized access denied page. (property name: com.sun.identity.agents.config.access.denied.url)", "propertyOrder" : 26300, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "fqdnCheck" : { "title" : "FQDN Check", "description" : "Enables checking of fqdn default value and fqdn map values. (property name: com.sun.identity.agents.config.fqdn.check.enable)", "propertyOrder" : 27300, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "repositoryLocation" : { "title" : "Location of Agent Configuration Repository", "description" : "Indicates agent's configuration located either on agent's host or centrally on AM server (property: org.forgerock.agents.config.location).", "propertyOrder" : 25200, "required" : true, "type" : "string", "exampleValue" : "" }, "auditAccessType" : { "title" : "Audit Access Types", "description" : "Types of messages to log based on user URL access attempts. 
(property name: com.sun.identity.agents.config.audit.accesstype)", "propertyOrder" : 26700, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "agentgroup" : { "title" : "Group", "description" : "Add the agent to a group to allow inheritance of property values from the group. <br>Changing the group will update inherited property values. <br>Inherited property values are copied to the agent.", "propertyOrder" : 100, "required" : false, "type" : "string", "exampleValue" : "" }, "notificationsEnabled" : { "title" : "Enable Notifications", "description" : "The notifications help in maintaining agent's sso, policy and configuration caches. (property name: com.sun.identity.agents.config.notification.enable) <br>Requires Agent Restart", "propertyOrder" : 25600, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "userpassword" : { "title" : "Password", "description" : "The agent password. Used to authenticate the agent if you don't store agent passwords in a secret store. 
This password is ignored if you specify a Secret Label Identifier and the corresponding secret mapping.", "propertyOrder" : 25000, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "jwtName" : { "title" : "JWT Cookie Name", "description" : "The name used by the agent to set the OIDC JWT on the user's browser.<br>Property: org.forgerock.agents.jwt.cookie.name <br>Valid for Java Agent 5.0 onwards", "propertyOrder" : 25500, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "resetIdleTime" : { "title" : "Reset Idle Timeout", "description" : "If the agent is configured in SSO-only mode, the session may unexpectedly expire in AM due to idle timeout before the user has finished accessing the application. <br>Set this property to true to refresh the timeout when the user performs an action. <br>When set to true, the agent makes an additional call to AM, this may cause a performance impact. Configure this property only if: <br> The agent is configured in SSO-only mode. <br> User's sessions are timing out in AM because they are unexpectedly reaching the maximum idle timeout value. <br>(property: com.forgerock.agents.call.session.refresh)", "propertyOrder" : 26250, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "webSocketConnectionIntervalInMinutes" : { "title" : "WebSocket Connection Interval", "description" : "The time in minutes before WebSockets to AM are killed and reopened. This property helps ensure a balanced distribution of connections across the AM servers on the site. 
<br>Default: 30<br>Type: Integer<br>Hot-swap: Yes<br> Property: org.forgerock.agents.balance.websocket.interval.minutes <br>Valid for Java Agent 5.0 onwards", "propertyOrder" : 25400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "auditLogLocation" : { "title" : "Audit Log Location", "description" : "Specifies where audit messages should be logged. (property name: com.sun.identity.agents.config.log.disposition)", "propertyOrder" : 26800, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "jwtAuditWhitelist" : { "title" : "Agent Profile ID Allow List", "description" : "Specifies a comma-separated list of profile IDs that the agent will consider as valid values for the audience claim. This claim is represented in the JWT containing the end user's session. <br>Example: <br>agentprofile1,agentprofile2,.... <br>When several agents configured with different agent profiles protect the same application, set this property to a list of the agent profiles that are protecting the same application. <br>Property: com.forgerock.agents.jwt.aud.whitelist <br>Introduced in Web Agent 5.6.2", "propertyOrder" : 25520, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "agentDebugLevel" : { "title" : "Agent Debug Level", "description" : "Agent debug level. 
(property name: com.sun.identity.agents.config.debug.level)", "propertyOrder" : 26400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "configurationPollingInterval" : { "title" : "Configuration Reload Interval", "description" : "Interval in minutes to fetch agent configuration from AM. (property name: com.sun.identity.agents.config.polling.interval) <br>Requires Agent Restart", "propertyOrder" : 25900, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "status" : { "title" : "Status", "description" : "Status of the agent configuration.", "propertyOrder" : 25100, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : true } } } } }, "ssoWebAgentConfig" : { "type" : "object", "title" : "SSO", "propertyOrder" : 2, "properties" : { "httpOnly" : { "title" : "HTTP Only Mode", "description" : "Agents with this property set to true mark cookies as HTTPOnly to prevent scripts and third-party programs from accessing the cookies. (property: com.sun.identity.cookie.httponly)", "propertyOrder" : 29250, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "multivaluePreAuthnCookie" : { "title" : "Multivalue for Pre-Authn Cookie", "description" : "With this set, the agent will use a legacy mode to create cookies that are used to track unauthenticated requests that have been redirected to login. This mode should only be used for backward compatibility, where the pre-5.7 way of tracking redirected requests is required, perhaps because the cookie names are referenced in proxy configuration. 
This property need not be set in any other situation. (property: org.forgerock.openam.agents.config.multivalue.pre.authn.cookies)", "propertyOrder" : 29280, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "sameSite" : { "title" : "SameSite Cookie Attribute", "description" : "If set, the agent adds the SameSite attribute, with the value provided in this property, to all cookies it creates. <br>Example: Strict, Lax, None (property: com.forgerock.agents.cdsso.cookie.samesite)", "propertyOrder" : 29260, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "secureCookies" : { "title" : "Cookie Security", "description" : "Agent sends secure cookies if communication is secure. (property name: com.sun.identity.agents.config.cookie.secure) <br>Requires Agent Restart", "propertyOrder" : 29200, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "cookieResetList" : { "title" : "Cookies Reset Name List", "description" : "List of cookies in the format: name[=value][;Domain=value]. (property name: com.sun.identity.agents.config.cookie.reset) <br> Examples: <br> Cookie1 <br> Cookie2=value;Domain=subdomain.domain.com", "propertyOrder" : 29800, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "cookieResetOnRedirect" : { "title" : "Session Cookie Reset on Authentication Redirect", "description" : "When set to true, 
the agent will not reset the session cookie on an authentication redirect if there is a policy advice present. By default, the agent resets the session cookie in all configured domains on every authentication redirect when a policy advice is present. (property: org.forgerock.agents.config.cdsso.advice.cleanup.disable)", "propertyOrder" : 29400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "persistentJwtCookie" : { "title" : "Persistent JWT Cookie", "description" : "Enable persistence for JWT cookie. If true, the JWT cookie will not be set as a session cookie. (property: org.forgerock.agents.config.cdsso.persistent.cookie.enable)", "propertyOrder" : 29270, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "acceptSsoToken" : { "title" : "Accept SSO Token", "description" : "Specifies whether the agent should accept SSO tokens as session cookies alongside ID tokens. Possible values: <br>- false. The agent does not accept SSO Tokens <br>- true. The agent accepts both SSO tokens and ID tokens as session tokens during the login flow, and afterwards. SSO tokens are not converted to ID tokens <br>Set this property to \"true\" only for specific migration cases (see documentation for more info) <br>(property: com.forgerock.agents.accept.sso.token) (Agent 5.7+ only)", "propertyOrder" : 29850, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "cdssoCookieDomain" : { "title" : "Cookies Domain List", "description" : "List of domains in which cookies have to be set in CDSSO. 
(property name: com.sun.identity.agents.config.cdsso.cookie.domain) <br> Example: <br> .example.com", "propertyOrder" : 29600, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "cookieName" : { "title" : "Cookie Name", "description" : "Name of the SSO Token cookie used between the AM server and the Agent. (property name: com.sun.identity.agents.config.cookie.name)<br>Requires Agent Restart", "propertyOrder" : 29100, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "cdssoRedirectUri" : { "title" : "Authentication Redirect URI", "description" : "An intermediate URI that is used by the Agent for processing CDSSO requests. <br>Property: org.forgerock.agents.authn.redirect.uri <br>Valid for Java Agent 5.0 onwards", "propertyOrder" : 29300, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "cookieResetEnabled" : { "title" : "Cookie Reset", "description" : "Agent resets cookies in the response before redirecting to authentication. (property name: com.sun.identity.agents.config.cookie.reset.enable)", "propertyOrder" : 29700, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } } } }, "miscWebAgentConfig" : { "type" : "object", "title" : "Miscellaneous", "propertyOrder" : 4, "properties" : { "profileAttributesCookieMaxAge" : { "title" : "Profile Attributes Cookie Maxage", "description" : "Maxage of attributes cookie headers. 
(property name: com.sun.identity.agents.config.profile.attribute.cookie.maxage)", "propertyOrder" : 31900, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "gotoParameterName" : { "title" : "Goto Parameter Name", "description" : "This is the name of the HTTP query \"goto\" parameter. It is not recommended to change it.<br>Property: com.sun.identity.agents.config.redirect.param <br>Valid for Java Agent 5.0 onwards", "propertyOrder" : 32600, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "compositeAdviceRedirect" : { "title" : "Composite Advice Handling", "description" : "When set to true, the agent sends composite advice in the query (GET request) instead of sending it through a POST request. (property: com.sun.am.use_redirect_for_advice)", "propertyOrder" : 32200, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "compositeAdviceEncode" : { "title" : "Composite Advice Encode", "description" : "This property is used to specify whether AM composite advices should be base64url-encoded before sending to custom login endpoints. (property: com.forgerock.agents.advice.b64.url.encode)", "propertyOrder" : 32300, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "statusCodeJsonResponse" : { "title" : "HTTP Return Code for JSON-Formatted Responses", "description" : "Specifies an HTTP response code to return when a JSON-formatted error is triggered. 
(property: org.forgerock.agents.config.json.response.code)", "propertyOrder" : 32760, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "addCacheControlHeader" : { "title" : "Add Cache-Control Headers", "description" : "Set this property to true to enable use of Cache-Control headers that prevent proxies from caching resources accessed by unauthenticated users. (property: com.forgerock.agents.cache_control_header.enable)", "propertyOrder" : 32710, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "invalidUrlRegex" : { "title" : "Invalid URL Regular Expression", "description" : "Specifies a Perl-compatible regular expression to parse valid request URLs. The web agent rejects requests to invalid URLs with HTTP 403 Forbidden status without further processing. <br>Example, to filter out URLs containing a list of characters and words such as ./ /. / . %00-%1f, %7f-%ff, %25, %2B, %2C, %7E, .info, configure the following regular expression: <br>^(\\?!.\\/|\\/.|.|.info|%2B|%00-%1f|%7f-%ff|%25|%2C|%7E).*$ <br>(property: com.forgerock.agents.agent.invalid.url.regex)", "propertyOrder" : 32500, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "profileAttributesCookiePrefix" : { "title" : "Profile Attributes Cookie Prefix", "description" : "Sets cookie prefix in the attributes headers. 
(property name: com.sun.identity.agents.config.profile.attribute.cookie.prefix)", "propertyOrder" : 31800, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "invertUrlJsonResponse" : { "title" : "Invert Properties That Receive JSON-Formatted Responses", "description" : "Set to true to invert the meaning of both the org.forgerock.agents.config.json.url and org.forgerock.agents.config.json.header properties. When inverted the specified values in those two properties will not trigger JSON-formatted responses. Any non-specified value will trigger JSON-formatted responses, instead. (property: org.forgerock.agents.config.json.url.invert)", "propertyOrder" : 32750, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "ignorePathInfo" : { "title" : "Ignore Path Info in Request URL", "description" : "The path info will be stripped from the request URL while doing Not Enforced List check and url policy evaluation if the value is set to true. <br>Property: com.sun.identity.agents.config.ignore.path.info <br>Valid for Agent 5.0 onwards", "propertyOrder" : 32400, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "headerJsonResponse" : { "title" : "Headers and Values to Receive JSON-Formatted Responses", "description" : "Specify HTTP headers and associated values that trigger JSON-formatted errors to be returned. 
<br>Example: <br>org.forgerock.agents.config.json.header[enableJsonResponse]=true <br>org.forgerock.agents.config.json.response.code=202 <br>(property: org.forgerock.agents.config.json.header[Header]=Value)", "propertyOrder" : 32740, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "object", "required" : false } } }, "urlJsonResponse" : { "title" : "URLs to Receive JSON-Formatted Responses", "description" : "Returning the responses in JSON format is useful for non-browser-based, or AJAX applications, that may not want to redirect users to the AM user interface for authentication. <br>Example: org.forgerock.agents.config.json.url[0]=http*://*.example.com:*/api/* <br>org.forgerock.agents.config.json.response.code=202 <br>(property: org.forgerock.agents.config.json.url)", "propertyOrder" : 32730, "items" : { "type" : "string" }, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "array", "required" : false } } }, "mineEncodeHeader" : { "title" : "MIME-Encode HTTP Header Values", "description" : "Specifies whether the agent must MIME-encode HTTP header values, and when to do it. Possible values are: <br> 0. The agent MIME-encodes the value of HTTP headers if said value is a multi-byte Unicode string. <br> 1. The agent MIME-encodes the value of every HTTP header. <br> 2. The agent does not MIME-encode the value of any HTTP header. 
<br> (property: com.forgerock.agents.header.mime.encode)", "propertyOrder" : 32720, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "integer", "required" : false } } }, "caseInsensitiveUrlComparison" : { "title" : "URL Comparison Case Sensitivity Check", "description" : "Enforces case insensitivity in both policy and not enforced url evaluation. (property name: com.sun.identity.agents.config.url.comparison.case.ignore)", "propertyOrder" : 32000, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "anonymousUserId" : { "title" : "Anonymous User Default Value", "description" : "User id of unauthenticated users. (property name: com.sun.identity.agents.config.anonymous.user.id)", "propertyOrder" : 32700, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "string", "required" : false } } }, "anonymousUserEnabled" : { "title" : "Anonymous User", "description" : "Enable/Disable REMOTE_USER processing for anonymous users. (property name: com.sun.identity.agents.config.anonymous.user.enable)", "propertyOrder" : 31600, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "encodeUrlSpecialCharacters" : { "title" : "Encode URL's Special Characters", "description" : "Encodes the url which has special characters before doing policy evaluation. 
(property name: com.sun.identity.agents.config.encode.url.special.chars.enable)", "propertyOrder" : 32100, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } }, "encodeSpecialCharsInCookies" : { "title" : "Encode special chars in Cookies", "description" : "Encode special chars in cookie by URL encoding. Useful when profile, session and response attributes contain special chars and attributes fetch mode is set to HTTP_COOKIE. (property name: com.sun.identity.agents.config.encode.cookie.special.chars.enable) ", "propertyOrder" : 31700, "type" : "object", "exampleValue" : "", "properties" : { "inherited" : { "type" : "boolean", "required" : true }, "value" : { "type" : "boolean", "required" : false } } } } } } }