Amster Entity Reference
Overview
This reference covers:
- Entities supported in Amster commands.
- Actions you can perform with Amster commands.
Each page contains details of an entity available to Amster in AM 7.5.
AcceptTermsAndConditions
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/AcceptTermsAndConditionsNode
Resource version: 2.0
create
Usage
am> create AcceptTermsAndConditions --realm Realm --id id --body body
Parameters
- --id: The unique identifier for the resource.
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "required" : [ ] }
delete
Usage
am> delete AcceptTermsAndConditions --realm Realm --id id
Parameters
- --id: The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AcceptTermsAndConditions --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AcceptTermsAndConditions --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action AcceptTermsAndConditions --realm Realm --body body --actionName listOutcomes
Parameters
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AcceptTermsAndConditions --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AcceptTermsAndConditions --realm Realm --filter filter
Parameters
- --filter: A CREST-formatted query filter, where "true" queries all instances.
AccountActiveCheck
Realm Operations
Resource path:
/realm-config/authentication/modules/accountactivecheck
Resource version: 2.0
create
Usage
am> create AccountActiveCheck --realm Realm --id id --body body
Parameters
- --id: The unique identifier for the resource.
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : null, "required" : true, "type" : "integer", "exampleValue" : "" } } }
delete
Usage
am> delete AccountActiveCheck --realm Realm --id id
Parameters
- --id: The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AccountActiveCheck --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AccountActiveCheck --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AccountActiveCheck --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AccountActiveCheck --realm Realm --filter filter
Parameters
- --filter: A CREST-formatted query filter, where "true" queries all instances.
read
Usage
am> read AccountActiveCheck --realm Realm --id id
Parameters
- --id: The unique identifier for the resource.
update
Usage
am> update AccountActiveCheck --realm Realm --id id --body body
Parameters
- --id: The unique identifier for the resource.
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : null, "required" : true, "type" : "integer", "exampleValue" : "" } } }
Global Operations
Resource path:
/global-config/authentication/modules/accountactivecheck
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AccountActiveCheck --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AccountActiveCheck --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AccountActiveCheck --global --actionName nextdescendents
update
Usage
am> update AccountActiveCheck --global --body body
Parameters
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaults" : { "properties" : { "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : null, "required" : true, "type" : "integer", "exampleValue" : "" } }, "type" : "object", "title" : "Realm Defaults" } } }
AccountActiveDecision
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/AccountActiveDecisionNode
Resource version: 2.0
create
Usage
am> create AccountActiveDecision --realm Realm --id id --body body
Parameters
- --id: The unique identifier for the resource.
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "required" : [ ] }
delete
Usage
am> delete AccountActiveDecision --realm Realm --id id
Parameters
- --id: The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AccountActiveDecision --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AccountActiveDecision --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action AccountActiveDecision --realm Realm --body body --actionName listOutcomes
Parameters
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AccountActiveDecision --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AccountActiveDecision --realm Realm --filter filter
Parameters
- --filter: A CREST-formatted query filter, where "true" queries all instances.
AccountLockout
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/AccountLockoutNode
Resource version: 2.0
create
Usage
am> create AccountLockout --realm Realm --id id --body body
Parameters
- --id: The unique identifier for the resource.
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "lockAction" : { "title" : "Lock Action", "description" : "If the action is set to LOCK, the node will lock the account.", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" } }, "required" : [ "lockAction" ] }
delete
Usage
am> delete AccountLockout --realm Realm --id id
Parameters
- --id: The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AccountLockout --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AccountLockout --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action AccountLockout --realm Realm --body body --actionName listOutcomes
Parameters
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AccountLockout --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AccountLockout --realm Realm --filter filter
Parameters
- --filter: A CREST-formatted query filter, where "true" queries all instances.
read
Usage
am> read AccountLockout --realm Realm --id id
Parameters
- --id: The unique identifier for the resource.
update
Usage
am> update AccountLockout --realm Realm --id id --body body
Parameters
- --id: The unique identifier for the resource.
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "lockAction" : { "title" : "Lock Action", "description" : "If the action is set to LOCK, the node will lock the account.", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" } }, "required" : [ "lockAction" ] }
ActiveDirectory
Realm Operations
Resource path:
/realm-config/services/id-repositories/LDAPv3ForAD
Resource version: 2.0
create
Usage
am> create ActiveDirectory --realm Realm --id id --body body
Parameters
- --id: The unique identifier for the resource.
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "ldapsettings" : { "type" : "object", "title" : "Server Settings", "propertyOrder" : 0, "properties" : { "sun-idrepo-ldapv3-config-time-limit" : { "title" : "Search Timeout", "description" : "In seconds.", "propertyOrder" : 1600, "required" : false, "type" : "integer", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-ldap-server" : { "title" : "LDAP Server", "description" : "Format: LDAP server host name:port | server_ID | site_ID", "propertyOrder" : 600, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-search-scope" : { "title" : "LDAPv3 Plug-in Search Scope", "description" : "", "propertyOrder" : 2000, "required" : false, "type" : "string", "exampleValue" : "" }, "openam-idrepo-ldapv3-affinity-enabled" : { "title" : "Affinity Enabled", "description" : "Enables affinity based request load balancing when accessing the user store servers (based on DN). It is imperative that the connection string setting is set to the same value for all OpenAM servers in the deployment when this feature is enabled.", "propertyOrder" : 6200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-max-result" : { "title" : "Maximum Results Returned from Search", "description" : "", "propertyOrder" : 1500, "required" : false, "type" : "integer", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-authid" : { "title" : "LDAP Bind DN", "description" : "A user or admin with sufficient access rights to perform the supported operations. 
This property is ignored if mTLS Enabled is set.", "propertyOrder" : 700, "required" : false, "type" : "string", "exampleValue" : "" }, "openam-idrepo-ldapv3-keepalive-searchbase" : { "title" : "LDAP Connection Heartbeat Search Base", "description" : "Defines the search base to the KeepAlive and Availability Search request.<br><br>This setting controls the search base to the KeepAlive and Availability search request. The default value for search base DN is \"\". The LDAP server connection pool will be marked as unavailable if the search fails with an error, returns no entries, or if more than one entry is returned.", "propertyOrder" : 1301, "required" : false, "type" : "string", "exampleValue" : "" }, "openam-idrepo-ldapv3-affinity-level" : { "title" : "Affinity Level", "description" : "Level of affinity used to balance requests across IdRepo servers. Applies only if <code>Affinity Enabled</code> is on. Options are: no affinity, affinity for BIND requests only, or affinity for all requests.", "propertyOrder" : 6350, "required" : false, "type" : "string", "exampleValue" : "" }, "openam-idrepo-ldapv3-keepalive-searchfilter" : { "title" : "LDAP Connection Heartbeat Search Filter", "description" : "Defines the search filter to the KeepAlive and Availability Search request.<br><br>This setting controls the search filter to the KeepAlive and Availability search request. The default value for search filter is \"(objectClass=*)\". The Absolute True and False filter \"(&)\" can also be used. 
The LDAP server connection pool will be marked as unavailable if the search fails with an error, returns no entries, or if more than one entry is returned.", "propertyOrder" : 1302, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-connection_pool_min_size" : { "title" : "LDAP Connection Pool Minimum Size", "description" : "", "propertyOrder" : 1100, "required" : false, "type" : "integer", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-organization_name" : { "title" : "LDAP Organization DN", "description" : "", "propertyOrder" : 900, "required" : true, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-connection_pool_max_size" : { "title" : "LDAP Connection Pool Maximum Size", "description" : "", "propertyOrder" : 1200, "required" : false, "type" : "integer", "exampleValue" : "" }, "openam-idrepo-ldapv3-heartbeat-interval" : { "title" : "LDAP Connection Heartbeat Interval", "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.", "propertyOrder" : 1300, "required" : false, "type" : "integer", "exampleValue" : "" }, "openam-idrepo-ldapv3-heartbeat-timeunit" : { "title" : "LDAP Connection Heartbeat Time Unit", "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. 
Use along with the Heartbeat Interval parameter to define the exact interval.", "propertyOrder" : 1400, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-connection-mode" : { "title" : "LDAP Connection Mode", "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.", "propertyOrder" : 1000, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-authpw" : { "title" : "LDAP Bind Password", "description" : "This property is ignored if mTLS Enabled is set.", "propertyOrder" : 800, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" } } }, "userconfig" : { "type" : "object", "title" : "User Configuration", "propertyOrder" : 3, "properties" : { "sun-idrepo-ldapv3-config-users-search-attribute" : { "title" : "LDAP Users Search Attribute", "description" : "", "propertyOrder" : 2100, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-auth-kba-index-attr" : { "title" : "Knowledge Based Authentication Active Index", "description" : "", "propertyOrder" : 5400, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-auth-kba-attr" : { "title" : "Knowledge Based Authentication Attribute Name", "description" : "", "propertyOrder" : 5300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-active" : { "title" : "User Status Active Value", "description" : "", "propertyOrder" : 2700, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-user-objectclass" : { 
"title" : "LDAP User Object Class", "description" : "", "propertyOrder" : 2300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-isactive" : { "title" : "Attribute Name of User Status", "description" : "", "propertyOrder" : 2600, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-users-search-filter" : { "title" : "LDAP Users Search Filter", "description" : "", "propertyOrder" : 2200, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-people-container-value" : { "title" : "LDAP People Container Value", "description" : "", "propertyOrder" : 5100, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-inactive" : { "title" : "User Status Inactive Value", "description" : "", "propertyOrder" : 2800, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : { "title" : "Knowledge Based Authentication Attempts Attribute Name", "description" : "", "propertyOrder" : 5410, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-user-attributes" : { "title" : "LDAP User Attributes", "description" : "", "propertyOrder" : 2400, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-createuser-attr-mapping" : { "title" : "Create User Attribute Mapping", "description" : "Format: attribute name or TargetAttributeName=SourceAttributeName", "propertyOrder" : 2500, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-people-container-name" : { "title" : "LDAP People Container Naming Attribute", "description" : "", "propertyOrder" : 5000, "required" : false, "type" : "string", "exampleValue" : "" } } }, "groupconfig" : { "type" : "object", "title" : "Group 
Configuration", "propertyOrder" : 5, "properties" : { "adRecursiveGroupMembership" : { "title" : "AD Recursive Group Membership Evaluation", "description" : "Used to enable/disable Active Directory Recursive Group Membership evaluation.<br><br>Enables an Active Directory specific extensible filter called LDAP_MATCHING_RULE_IN_CHAIN that according to MSDN \"walks the chain of ancestry in objects all the way to the root until it finds a match\", meaning that it will resolve all group memberships, including nested groups. This will add a performance overhead on the Active Directory server, indexes may need to be created.", "propertyOrder" : 6100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-group-container-value" : { "title" : "LDAP Groups Container Value", "description" : "", "propertyOrder" : 3200, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-uniquemember" : { "title" : "Attribute Name of Unique Member", "description" : "", "propertyOrder" : 3600, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-memberof" : { "title" : "Attribute Name for Group Membership", "description" : "", "propertyOrder" : 3500, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-group-attributes" : { "title" : "LDAP Groups Attributes", "description" : "", "propertyOrder" : 3400, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-groups-search-attribute" : { "title" : "LDAP Groups Search Attribute", "description" : "", "propertyOrder" : 2900, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-group-container-name" : { "title" : "LDAP Groups Container Naming Attribute", "description" : "", "propertyOrder" : 3100, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-group-objectclass" : { "title" : 
"LDAP Groups Object Class", "description" : "", "propertyOrder" : 3300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-groups-search-filter" : { "title" : "LDAP Groups Search Filter", "description" : "", "propertyOrder" : 3000, "required" : false, "type" : "string", "exampleValue" : "" } } }, "persistentsearch" : { "type" : "object", "title" : "Persistent Search Controls", "propertyOrder" : 7, "properties" : { "sun-idrepo-ldapv3-config-psearchbase" : { "title" : "Persistent Search Base DN", "description" : "", "propertyOrder" : 5500, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-psearch-scope" : { "title" : "Persistent Search Scope", "description" : "", "propertyOrder" : 5700, "required" : false, "type" : "string", "exampleValue" : "" } } }, "errorhandling" : { "type" : "object", "title" : "Error Handling Configuration", "propertyOrder" : 8, "properties" : { "com.iplanet.am.ldap.connection.delay.between.retries" : { "title" : "The Delay Time Between Retries", "description" : "In milliseconds.", "propertyOrder" : 5800, "required" : false, "type" : "integer", "exampleValue" : "" } } }, "pluginconfig" : { "type" : "object", "title" : "Plug-in Configuration", "propertyOrder" : 2, "properties" : { "sunIdRepoAttributeMapping" : { "title" : "Attribute Name Mapping", "description" : "", "propertyOrder" : 1800, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sunIdRepoSupportedOperations" : { "title" : "LDAPv3 Plug-in Supported Types and Operations", "description" : "", "propertyOrder" : 1900, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sunIdRepoClass" : { "title" : "LDAPv3 Repository Plug-in Class Name", "description" : "", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" } } }, "cachecontrol" : { "type" : "object", "title" : "Cache 
Control", "propertyOrder" : 9, "properties" : { "sun-idrepo-ldapv3-dncache-enabled" : { "title" : "DN Cache", "description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.", "propertyOrder" : 5900, "required" : false, "type" : "boolean", "exampleValue" : "" }, "sun-idrepo-ldapv3-dncache-size" : { "title" : "DN Cache Size", "description" : "In DN items, only used when DN Cache is enabled.", "propertyOrder" : 6000, "required" : false, "type" : "integer", "exampleValue" : "" } } }, "authentication" : { "type" : "object", "title" : "Authentication Configuration", "propertyOrder" : 4, "properties" : { "sun-idrepo-ldapv3-config-auth-naming-attr" : { "title" : "Authentication Naming Attribute", "description" : "", "propertyOrder" : 5200, "required" : false, "type" : "string", "exampleValue" : "" } } } } }
delete
Usage
am> delete ActiveDirectory --realm Realm --id id
Parameters
- --id: The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action ActiveDirectory --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action ActiveDirectory --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action ActiveDirectory --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query ActiveDirectory --realm Realm --filter filter
Parameters
- --filter: A CREST-formatted query filter, where "true" queries all instances.
read
Usage
am> read ActiveDirectory --realm Realm --id id
Parameters
- --id: The unique identifier for the resource.
update
Usage
am> update ActiveDirectory --realm Realm --id id --body body
Parameters
- --id: The unique identifier for the resource.
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "ldapsettings" : { "type" : "object", "title" : "Server Settings", "propertyOrder" : 0, "properties" : { "sun-idrepo-ldapv3-config-time-limit" : { "title" : "Search Timeout", "description" : "In seconds.", "propertyOrder" : 1600, "required" : false, "type" : "integer", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-ldap-server" : { "title" : "LDAP Server", "description" : "Format: LDAP server host name:port | server_ID | site_ID", "propertyOrder" : 600, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-search-scope" : { "title" : "LDAPv3 Plug-in Search Scope", "description" : "", "propertyOrder" : 2000, "required" : false, "type" : "string", "exampleValue" : "" }, "openam-idrepo-ldapv3-affinity-enabled" : { "title" : "Affinity Enabled", "description" : "Enables affinity based request load balancing when accessing the user store servers (based on DN). It is imperative that the connection string setting is set to the same value for all OpenAM servers in the deployment when this feature is enabled.", "propertyOrder" : 6200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-max-result" : { "title" : "Maximum Results Returned from Search", "description" : "", "propertyOrder" : 1500, "required" : false, "type" : "integer", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-authid" : { "title" : "LDAP Bind DN", "description" : "A user or admin with sufficient access rights to perform the supported operations. 
This property is ignored if mTLS Enabled is set.", "propertyOrder" : 700, "required" : false, "type" : "string", "exampleValue" : "" }, "openam-idrepo-ldapv3-keepalive-searchbase" : { "title" : "LDAP Connection Heartbeat Search Base", "description" : "Defines the search base to the KeepAlive and Availability Search request.<br><br>This setting controls the search base to the KeepAlive and Availability search request. The default value for search base DN is \"\". The LDAP server connection pool will be marked as unavailable if the search fails with an error, returns no entries, or if more than one entry is returned.", "propertyOrder" : 1301, "required" : false, "type" : "string", "exampleValue" : "" }, "openam-idrepo-ldapv3-affinity-level" : { "title" : "Affinity Level", "description" : "Level of affinity used to balance requests across IdRepo servers. Applies only if <code>Affinity Enabled</code> is on. Options are: no affinity, affinity for BIND requests only, or affinity for all requests.", "propertyOrder" : 6350, "required" : false, "type" : "string", "exampleValue" : "" }, "openam-idrepo-ldapv3-keepalive-searchfilter" : { "title" : "LDAP Connection Heartbeat Search Filter", "description" : "Defines the search filter to the KeepAlive and Availability Search request.<br><br>This setting controls the search filter to the KeepAlive and Availability search request. The default value for search filter is \"(objectClass=*)\". The Absolute True and False filter \"(&)\" can also be used. 
The LDAP server connection pool will be marked as unavailable if the search fails with an error, returns no entries, or if more than one entry is returned.", "propertyOrder" : 1302, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-connection_pool_min_size" : { "title" : "LDAP Connection Pool Minimum Size", "description" : "", "propertyOrder" : 1100, "required" : false, "type" : "integer", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-organization_name" : { "title" : "LDAP Organization DN", "description" : "", "propertyOrder" : 900, "required" : true, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-connection_pool_max_size" : { "title" : "LDAP Connection Pool Maximum Size", "description" : "", "propertyOrder" : 1200, "required" : false, "type" : "integer", "exampleValue" : "" }, "openam-idrepo-ldapv3-heartbeat-interval" : { "title" : "LDAP Connection Heartbeat Interval", "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.", "propertyOrder" : 1300, "required" : false, "type" : "integer", "exampleValue" : "" }, "openam-idrepo-ldapv3-heartbeat-timeunit" : { "title" : "LDAP Connection Heartbeat Time Unit", "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. 
Use along with the Heartbeat Interval parameter to define the exact interval.", "propertyOrder" : 1400, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-connection-mode" : { "title" : "LDAP Connection Mode", "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.", "propertyOrder" : 1000, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-authpw" : { "title" : "LDAP Bind Password", "description" : "This property is ignored if mTLS Enabled is set.", "propertyOrder" : 800, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" } } }, "userconfig" : { "type" : "object", "title" : "User Configuration", "propertyOrder" : 3, "properties" : { "sun-idrepo-ldapv3-config-users-search-attribute" : { "title" : "LDAP Users Search Attribute", "description" : "", "propertyOrder" : 2100, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-auth-kba-index-attr" : { "title" : "Knowledge Based Authentication Active Index", "description" : "", "propertyOrder" : 5400, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-auth-kba-attr" : { "title" : "Knowledge Based Authentication Attribute Name", "description" : "", "propertyOrder" : 5300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-active" : { "title" : "User Status Active Value", "description" : "", "propertyOrder" : 2700, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-user-objectclass" : { "title" : "LDAP User Object Class", "description" : "", "propertyOrder" : 2300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-isactive" : { "title" : "Attribute Name of User Status", "description" : "", "propertyOrder" : 2600, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-users-search-filter" : { "title" : "LDAP Users Search Filter", "description" : "", "propertyOrder" : 2200, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-people-container-value" : { "title" : "LDAP People Container Value", "description" : "", "propertyOrder" : 5100, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-inactive" : { "title" : "User Status Inactive Value", "description" : "", "propertyOrder" : 2800, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : { "title" : "Knowledge Based Authentication Attempts Attribute Name", "description" : "", "propertyOrder" : 5410, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-user-attributes" : { "title" : "LDAP User Attributes", "description" : "", "propertyOrder" : 2400, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-createuser-attr-mapping" : { "title" : "Create User Attribute Mapping", "description" : "Format: attribute name or TargetAttributeName=SourceAttributeName", "propertyOrder" : 2500, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-people-container-name" : { "title" : "LDAP People Container Naming Attribute", "description" : "", "propertyOrder" : 5000, "required" : false, "type" : "string", "exampleValue" : "" } } }, "groupconfig" : { "type" : "object", "title" : "Group Configuration", "propertyOrder" : 5, "properties" : { "adRecursiveGroupMembership" : { "title" : "AD Recursive Group Membership Evaluation", "description" : "Used to enable/disable Active Directory Recursive Group Membership evaluation.<br><br>Enables an Active Directory specific extensible filter called LDAP_MATCHING_RULE_IN_CHAIN that according to MSDN \"walks the chain of ancestry in objects all the way to the root until it finds a match\", meaning that it will resolve all group memberships, including nested groups. This will add a performance overhead on the Active Directory server, indexes may need to be created.", "propertyOrder" : 6100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-group-container-value" : { "title" : "LDAP Groups Container Value", "description" : "", "propertyOrder" : 3200, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-uniquemember" : { "title" : "Attribute Name of Unique Member", "description" : "", "propertyOrder" : 3600, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-memberof" : { "title" : "Attribute Name for Group Membership", "description" : "", "propertyOrder" : 3500, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-group-attributes" : { "title" : "LDAP Groups Attributes", "description" : "", "propertyOrder" : 3400, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-groups-search-attribute" : { "title" : "LDAP Groups Search Attribute", "description" : "", "propertyOrder" : 2900, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-group-container-name" : { "title" : "LDAP Groups Container Naming Attribute", "description" : "", "propertyOrder" : 3100, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-group-objectclass" : { "title" : "LDAP Groups Object Class", "description" : "", "propertyOrder" : 3300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-groups-search-filter" : { "title" : "LDAP Groups Search Filter", "description" : "", "propertyOrder" : 3000, "required" : false, "type" : "string", "exampleValue" : "" } } }, "persistentsearch" : { "type" : "object", "title" : "Persistent Search Controls", "propertyOrder" : 7, "properties" : { "sun-idrepo-ldapv3-config-psearchbase" : { "title" : "Persistent Search Base DN", "description" : "", "propertyOrder" : 5500, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-psearch-scope" : { "title" : "Persistent Search Scope", "description" : "", "propertyOrder" : 5700, "required" : false, "type" : "string", "exampleValue" : "" } } }, "errorhandling" : { "type" : "object", "title" : "Error Handling Configuration", "propertyOrder" : 8, "properties" : { "com.iplanet.am.ldap.connection.delay.between.retries" : { "title" : "The Delay Time Between Retries", "description" : "In milliseconds.", "propertyOrder" : 5800, "required" : false, "type" : "integer", "exampleValue" : "" } } }, "pluginconfig" : { "type" : "object", "title" : "Plug-in Configuration", "propertyOrder" : 2, "properties" : { "sunIdRepoAttributeMapping" : { "title" : "Attribute Name Mapping", "description" : "", "propertyOrder" : 1800, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sunIdRepoSupportedOperations" : { "title" : "LDAPv3 Plug-in Supported Types and Operations", "description" : "", "propertyOrder" : 1900, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sunIdRepoClass" : { "title" : "LDAPv3 Repository Plug-in Class Name", "description" : "", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" } } }, "cachecontrol" : { "type" : "object", "title" : "Cache Control", "propertyOrder" : 9, "properties" : { "sun-idrepo-ldapv3-dncache-enabled" : { "title" : "DN Cache", "description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.", "propertyOrder" : 5900, "required" : false, "type" : "boolean", "exampleValue" : "" }, "sun-idrepo-ldapv3-dncache-size" : { "title" : "DN Cache Size", "description" : "In DN items, only used when DN Cache is enabled.", "propertyOrder" : 6000, "required" : false, "type" : "integer", "exampleValue" : "" } } }, "authentication" : { "type" : "object", "title" : "Authentication Configuration", "propertyOrder" : 4, "properties" : { "sun-idrepo-ldapv3-config-auth-naming-attr" : { "title" : "Authentication Naming Attribute", "description" : "", "propertyOrder" : 5200, "required" : false, "type" : "string", "exampleValue" : "" } } } } }
ActiveDirectoryApplicationModeADAM
Realm Operations
Resource path:
/realm-config/services/id-repositories/LDAPv3ForADAM
Resource version: 2.0
create
Usage
am> create ActiveDirectoryApplicationModeADAM --realm Realm --id id --body body
Parameters
- --id: The unique identifier for the resource.
- --body: The resource in JSON format, described by the following JSON schema:
{
  "type" : "object",
  "properties" : {
    "ldapsettings" : { "type" : "object", "title" : "Server Settings", "propertyOrder" : 0, "properties" : {
      "sun-idrepo-ldapv3-config-ldap-server" : { "title" : "LDAP Server", "description" : "Format: LDAP server host name:port | server_ID | site_ID", "propertyOrder" : 600, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-connection-mode" : { "title" : "LDAP Connection Mode", "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.", "propertyOrder" : 1000, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-max-result" : { "title" : "Maximum Results Returned from Search", "description" : "", "propertyOrder" : 1500, "required" : false, "type" : "integer", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-search-scope" : { "title" : "LDAPv3 Plug-in Search Scope", "description" : "", "propertyOrder" : 2000, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-time-limit" : { "title" : "Search Timeout", "description" : "In seconds.", "propertyOrder" : 1600, "required" : false, "type" : "integer", "exampleValue" : "" },
      "openam-idrepo-ldapv3-heartbeat-interval" : { "title" : "LDAP Connection Heartbeat Interval", "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.", "propertyOrder" : 1300, "required" : false, "type" : "integer", "exampleValue" : "" },
      "openam-idrepo-ldapv3-affinity-enabled" : { "title" : "Affinity Enabled", "description" : "Enables affinity based request load balancing when accessing the user store servers (based on DN). It is imperative that the connection string setting is set to the same value for all OpenAM servers in the deployment when this feature is enabled.", "propertyOrder" : 6200, "required" : true, "type" : "boolean", "exampleValue" : "" },
      "openam-idrepo-ldapv3-affinity-level" : { "title" : "Affinity Level", "description" : "Level of affinity used to balance requests across IdRepo servers. Applies only if <code>Affinity Enabled</code> is on. Options are: no affinity, affinity for BIND requests only, or affinity for all requests.", "propertyOrder" : 6350, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-connection_pool_max_size" : { "title" : "LDAP Connection Pool Maximum Size", "description" : "", "propertyOrder" : 1200, "required" : false, "type" : "integer", "exampleValue" : "" },
      "openam-idrepo-ldapv3-heartbeat-timeunit" : { "title" : "LDAP Connection Heartbeat Time Unit", "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.", "propertyOrder" : 1400, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-connection_pool_min_size" : { "title" : "LDAP Connection Pool Minimum Size", "description" : "", "propertyOrder" : 1100, "required" : false, "type" : "integer", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-authid" : { "title" : "LDAP Bind DN", "description" : "A user or admin with sufficient access rights to perform the supported operations. This property is ignored if mTLS Enabled is set.", "propertyOrder" : 700, "required" : false, "type" : "string", "exampleValue" : "" },
      "openam-idrepo-ldapv3-keepalive-searchbase" : { "title" : "LDAP Connection Heartbeat Search Base", "description" : "Defines the search base to the KeepAlive and Availability Search request.<br><br>This setting controls the search base to the KeepAlive and Availability search request. The default value for search base DN is \"\". The LDAP server connection pool will be marked as unavailable if the search fails with an error, returns no entries, or if more than one entry is returned.", "propertyOrder" : 1301, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-authpw" : { "title" : "LDAP Bind Password", "description" : "This property is ignored if mTLS Enabled is set.", "propertyOrder" : 800, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-organization_name" : { "title" : "LDAP Organization DN", "description" : "", "propertyOrder" : 900, "required" : true, "type" : "string", "exampleValue" : "" },
      "openam-idrepo-ldapv3-keepalive-searchfilter" : { "title" : "LDAP Connection Heartbeat Search Filter", "description" : "Defines the search filter to the KeepAlive and Availability Search request.<br><br>This setting controls the search filter to the KeepAlive and Availability search request. The default value for search filter is \"(objectClass=*)\". The Absolute True and False filter \"(&)\" can also be used. The LDAP server connection pool will be marked as unavailable if the search fails with an error, returns no entries, or if more than one entry is returned.", "propertyOrder" : 1302, "required" : false, "type" : "string", "exampleValue" : "" }
    } },
    "userconfig" : { "type" : "object", "title" : "User Configuration", "propertyOrder" : 3, "properties" : {
      "sun-idrepo-ldapv3-config-auth-kba-attr" : { "title" : "Knowledge Based Authentication Attribute Name", "description" : "", "propertyOrder" : 5300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-active" : { "title" : "User Status Active Value", "description" : "", "propertyOrder" : 2700, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-users-search-filter" : { "title" : "LDAP Users Search Filter", "description" : "", "propertyOrder" : 2200, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-user-objectclass" : { "title" : "LDAP User Object Class", "description" : "", "propertyOrder" : 2300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-people-container-name" : { "title" : "LDAP People Container Naming Attribute", "description" : "", "propertyOrder" : 5000, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-user-attributes" : { "title" : "LDAP User Attributes", "description" : "", "propertyOrder" : 2400, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-inactive" : { "title" : "User Status Inactive Value", "description" : "", "propertyOrder" : 2800, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-createuser-attr-mapping" : { "title" : "Create User Attribute Mapping", "description" : "Format: attribute name or TargetAttributeName=SourceAttributeName", "propertyOrder" : 2500, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-users-search-attribute" : { "title" : "LDAP Users Search Attribute", "description" : "", "propertyOrder" : 2100, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : { "title" : "Knowledge Based Authentication Attempts Attribute Name", "description" : "", "propertyOrder" : 5410, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-auth-kba-index-attr" : { "title" : "Knowledge Based Authentication Active Index", "description" : "", "propertyOrder" : 5400, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-people-container-value" : { "title" : "LDAP People Container Value", "description" : "", "propertyOrder" : 5100, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-isactive" : { "title" : "Attribute Name of User Status", "description" : "", "propertyOrder" : 2600, "required" : false, "type" : "string", "exampleValue" : "" }
    } },
    "groupconfig" : { "type" : "object", "title" : "Group Configuration", "propertyOrder" : 5, "properties" : {
      "adRecursiveGroupMembership" : { "title" : "AD Recursive Group Membership Evaluation", "description" : "Used to enable/disable Active Directory Recursive Group Membership evaluation.<br><br>Enables an Active Directory specific extensible filter called LDAP_MATCHING_RULE_IN_CHAIN that according to MSDN \"walks the chain of ancestry in objects all the way to the root until it finds a match\", meaning that it will resolve all group memberships, including nested groups. This will add a performance overhead on the Active Directory server, indexes may need to be created.", "propertyOrder" : 6100, "required" : true, "type" : "boolean", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-group-container-name" : { "title" : "LDAP Groups Container Naming Attribute", "description" : "", "propertyOrder" : 3100, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-group-attributes" : { "title" : "LDAP Groups Attributes", "description" : "", "propertyOrder" : 3400, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-groups-search-attribute" : { "title" : "LDAP Groups Search Attribute", "description" : "", "propertyOrder" : 2900, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-group-objectclass" : { "title" : "LDAP Groups Object Class", "description" : "", "propertyOrder" : 3300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-uniquemember" : { "title" : "Attribute Name of Unique Member", "description" : "", "propertyOrder" : 3600, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-memberof" : { "title" : "Attribute Name for Group Membership", "description" : "", "propertyOrder" : 3500, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-group-container-value" : { "title" : "LDAP Groups Container Value", "description" : "", "propertyOrder" : 3200, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-groups-search-filter" : { "title" : "LDAP Groups Search Filter", "description" : "", "propertyOrder" : 3000, "required" : false, "type" : "string", "exampleValue" : "" }
    } },
    "cachecontrol" : { "type" : "object", "title" : "Cache Control", "propertyOrder" : 9, "properties" : {
      "sun-idrepo-ldapv3-dncache-size" : { "title" : "DN Cache Size", "description" : "In DN items, only used when DN Cache is enabled.", "propertyOrder" : 6000, "required" : false, "type" : "integer", "exampleValue" : "" },
      "sun-idrepo-ldapv3-dncache-enabled" : { "title" : "DN Cache", "description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.", "propertyOrder" : 5900, "required" : false, "type" : "boolean", "exampleValue" : "" }
    } },
    "persistentsearch" : { "type" : "object", "title" : "Persistent Search Controls", "propertyOrder" : 7, "properties" : {
      "sun-idrepo-ldapv3-config-psearchbase" : { "title" : "Persistent Search Base DN", "description" : "", "propertyOrder" : 5500, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-psearch-scope" : { "title" : "Persistent Search Scope", "description" : "", "propertyOrder" : 5700, "required" : false, "type" : "string", "exampleValue" : "" }
    } },
    "authentication" : { "type" : "object", "title" : "Authentication Configuration", "propertyOrder" : 4, "properties" : {
      "sun-idrepo-ldapv3-config-auth-naming-attr" : { "title" : "Authentication Naming Attribute", "description" : "", "propertyOrder" : 5200, "required" : false, "type" : "string", "exampleValue" : "" }
    } },
    "pluginconfig" : { "type" : "object", "title" : "Plug-in Configuration", "propertyOrder" : 2, "properties" : {
      "sunIdRepoSupportedOperations" : { "title" : "LDAPv3 Plug-in Supported Types and Operations", "description" : "", "propertyOrder" : 1900, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
      "sunIdRepoAttributeMapping" : { "title" : "Attribute Name Mapping", "description" : "", "propertyOrder" : 1800, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
      "sunIdRepoClass" : { "title" : "LDAPv3 Repository Plug-in Class Name", "description" : "", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" }
    } },
    "errorhandling" : { "type" : "object", "title" : "Error Handling Configuration", "propertyOrder" : 8, "properties" : {
      "com.iplanet.am.ldap.connection.delay.between.retries" : { "title" : "The Delay Time Between Retries", "description" : "In milliseconds.", "propertyOrder" : 5800, "required" : false, "type" : "integer", "exampleValue" : "" }
    } }
  }
}
delete
Usage
am> delete ActiveDirectoryApplicationModeADAM --realm Realm --id id
Parameters
- --id: The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action ActiveDirectoryApplicationModeADAM --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action ActiveDirectoryApplicationModeADAM --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action ActiveDirectoryApplicationModeADAM --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query ActiveDirectoryApplicationModeADAM --realm Realm --filter filter
Parameters
- --filter: A CREST formatted query filter, where "true" will query all.
read
Usage
am> read ActiveDirectoryApplicationModeADAM --realm Realm --id id
Parameters
- --id: The unique identifier for the resource.
update
Usage
am> update ActiveDirectoryApplicationModeADAM --realm Realm --id id --body body
Parameters
- --id: The unique identifier for the resource.
- --body: The resource in JSON format, described by the following JSON schema:
{
  "type" : "object",
  "properties" : {
    "ldapsettings" : { "type" : "object", "title" : "Server Settings", "propertyOrder" : 0, "properties" : {
      "sun-idrepo-ldapv3-config-ldap-server" : { "title" : "LDAP Server", "description" : "Format: LDAP server host name:port | server_ID | site_ID", "propertyOrder" : 600, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-connection-mode" : { "title" : "LDAP Connection Mode", "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.", "propertyOrder" : 1000, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-max-result" : { "title" : "Maximum Results Returned from Search", "description" : "", "propertyOrder" : 1500, "required" : false, "type" : "integer", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-search-scope" : { "title" : "LDAPv3 Plug-in Search Scope", "description" : "", "propertyOrder" : 2000, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-time-limit" : { "title" : "Search Timeout", "description" : "In seconds.", "propertyOrder" : 1600, "required" : false, "type" : "integer", "exampleValue" : "" },
      "openam-idrepo-ldapv3-heartbeat-interval" : { "title" : "LDAP Connection Heartbeat Interval", "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.", "propertyOrder" : 1300, "required" : false, "type" : "integer", "exampleValue" : "" },
      "openam-idrepo-ldapv3-affinity-enabled" : { "title" : "Affinity Enabled", "description" : "Enables affinity based request load balancing when accessing the user store servers (based on DN). It is imperative that the connection string setting is set to the same value for all OpenAM servers in the deployment when this feature is enabled.", "propertyOrder" : 6200, "required" : true, "type" : "boolean", "exampleValue" : "" },
      "openam-idrepo-ldapv3-affinity-level" : { "title" : "Affinity Level", "description" : "Level of affinity used to balance requests across IdRepo servers. Applies only if <code>Affinity Enabled</code> is on. Options are: no affinity, affinity for BIND requests only, or affinity for all requests.", "propertyOrder" : 6350, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-connection_pool_max_size" : { "title" : "LDAP Connection Pool Maximum Size", "description" : "", "propertyOrder" : 1200, "required" : false, "type" : "integer", "exampleValue" : "" },
      "openam-idrepo-ldapv3-heartbeat-timeunit" : { "title" : "LDAP Connection Heartbeat Time Unit", "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.", "propertyOrder" : 1400, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-connection_pool_min_size" : { "title" : "LDAP Connection Pool Minimum Size", "description" : "", "propertyOrder" : 1100, "required" : false, "type" : "integer", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-authid" : { "title" : "LDAP Bind DN", "description" : "A user or admin with sufficient access rights to perform the supported operations. This property is ignored if mTLS Enabled is set.", "propertyOrder" : 700, "required" : false, "type" : "string", "exampleValue" : "" },
      "openam-idrepo-ldapv3-keepalive-searchbase" : { "title" : "LDAP Connection Heartbeat Search Base", "description" : "Defines the search base to the KeepAlive and Availability Search request.<br><br>This setting controls the search base to the KeepAlive and Availability search request. The default value for search base DN is \"\". The LDAP server connection pool will be marked as unavailable if the search fails with an error, returns no entries, or if more than one entry is returned.", "propertyOrder" : 1301, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-authpw" : { "title" : "LDAP Bind Password", "description" : "This property is ignored if mTLS Enabled is set.", "propertyOrder" : 800, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-organization_name" : { "title" : "LDAP Organization DN", "description" : "", "propertyOrder" : 900, "required" : true, "type" : "string", "exampleValue" : "" },
      "openam-idrepo-ldapv3-keepalive-searchfilter" : { "title" : "LDAP Connection Heartbeat Search Filter", "description" : "Defines the search filter to the KeepAlive and Availability Search request.<br><br>This setting controls the search filter to the KeepAlive and Availability search request. The default value for search filter is \"(objectClass=*)\". The Absolute True and False filter \"(&)\" can also be used. The LDAP server connection pool will be marked as unavailable if the search fails with an error, returns no entries, or if more than one entry is returned.", "propertyOrder" : 1302, "required" : false, "type" : "string", "exampleValue" : "" }
    } },
    "userconfig" : { "type" : "object", "title" : "User Configuration", "propertyOrder" : 3, "properties" : {
      "sun-idrepo-ldapv3-config-auth-kba-attr" : { "title" : "Knowledge Based Authentication Attribute Name", "description" : "", "propertyOrder" : 5300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-active" : { "title" : "User Status Active Value", "description" : "", "propertyOrder" : 2700, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-users-search-filter" : { "title" : "LDAP Users Search Filter", "description" : "", "propertyOrder" : 2200, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-user-objectclass" : { "title" : "LDAP User Object Class", "description" : "", "propertyOrder" : 2300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-people-container-name" : { "title" : "LDAP People Container Naming Attribute", "description" : "", "propertyOrder" : 5000, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-user-attributes" : { "title" : "LDAP User Attributes", "description" : "", "propertyOrder" : 2400, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-inactive" : { "title" : "User Status Inactive Value", "description" : "", "propertyOrder" : 2800, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-createuser-attr-mapping" : { "title" : "Create User Attribute Mapping", "description" : "Format: attribute name or TargetAttributeName=SourceAttributeName", "propertyOrder" : 2500, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-users-search-attribute" : { "title" : "LDAP Users Search Attribute", "description" : "", "propertyOrder" : 2100, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-auth-kba-attempts-attr" : { "title" : "Knowledge Based Authentication Attempts Attribute Name", "description" : "", "propertyOrder" : 5410, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-auth-kba-index-attr" : { "title" : "Knowledge Based Authentication Active Index", "description" : "", "propertyOrder" : 5400, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-people-container-value" : { "title" : "LDAP People Container Value", "description" : "", "propertyOrder" : 5100, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-isactive" : { "title" : "Attribute Name of User Status", "description" : "", "propertyOrder" : 2600, "required" : false, "type" : "string", "exampleValue" : "" }
    } },
    "groupconfig" : { "type" : "object", "title" : "Group Configuration", "propertyOrder" : 5, "properties" : {
      "adRecursiveGroupMembership" : { "title" : "AD Recursive Group Membership Evaluation", "description" : "Used to enable/disable Active Directory Recursive Group Membership evaluation.<br><br>Enables an Active Directory specific extensible filter called LDAP_MATCHING_RULE_IN_CHAIN that according to MSDN \"walks the chain of ancestry in objects all the way to the root until it finds a match\", meaning that it will resolve all group memberships, including nested groups. This will add a performance overhead on the Active Directory server, indexes may need to be created.", "propertyOrder" : 6100, "required" : true, "type" : "boolean", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-group-container-name" : { "title" : "LDAP Groups Container Naming Attribute", "description" : "", "propertyOrder" : 3100, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-group-attributes" : { "title" : "LDAP Groups Attributes", "description" : "", "propertyOrder" : 3400, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-groups-search-attribute" : { "title" : "LDAP Groups Search Attribute", "description" : "", "propertyOrder" : 2900, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-group-objectclass" : { "title" : "LDAP Groups Object Class", "description" : "", "propertyOrder" : 3300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-uniquemember" : { "title" : "Attribute Name of Unique Member", "description" : "", "propertyOrder" : 3600, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-memberof" : { "title" : "Attribute Name for Group Membership", "description" : "", "propertyOrder" : 3500, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-group-container-value" : { "title" : "LDAP Groups Container Value", "description" : "", "propertyOrder" : 3200, "required" : false, "type" : "string", "exampleValue" : "" },
      "sun-idrepo-ldapv3-config-groups-search-filter" : { "title" : "LDAP Groups Search Filter", "description" : "", "propertyOrder" : 3000, "required" : false, "type" : "string", "exampleValue" : "" }
    } },
    "cachecontrol" : { "type" : "object", "title" : "Cache Control", "propertyOrder" : 9, "properties" : {
      "sun-idrepo-ldapv3-dncache-size" : { "title" : "DN Cache 
Size", "description" : "In DN items, only used when DN Cache is enabled.", "propertyOrder" : 6000, "required" : false, "type" : "integer", "exampleValue" : "" }, "sun-idrepo-ldapv3-dncache-enabled" : { "title" : "DN Cache", "description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.", "propertyOrder" : 5900, "required" : false, "type" : "boolean", "exampleValue" : "" } } }, "persistentsearch" : { "type" : "object", "title" : "Persistent Search Controls", "propertyOrder" : 7, "properties" : { "sun-idrepo-ldapv3-config-psearchbase" : { "title" : "Persistent Search Base DN", "description" : "", "propertyOrder" : 5500, "required" : false, "type" : "string", "exampleValue" : "" }, "sun-idrepo-ldapv3-config-psearch-scope" : { "title" : "Persistent Search Scope", "description" : "", "propertyOrder" : 5700, "required" : false, "type" : "string", "exampleValue" : "" } } }, "authentication" : { "type" : "object", "title" : "Authentication Configuration", "propertyOrder" : 4, "properties" : { "sun-idrepo-ldapv3-config-auth-naming-attr" : { "title" : "Authentication Naming Attribute", "description" : "", "propertyOrder" : 5200, "required" : false, "type" : "string", "exampleValue" : "" } } }, "pluginconfig" : { "type" : "object", "title" : "Plug-in Configuration", "propertyOrder" : 2, "properties" : { "sunIdRepoSupportedOperations" : { "title" : "LDAPv3 Plug-in Supported Types and Operations", "description" : "", "propertyOrder" : 1900, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sunIdRepoAttributeMapping" : { "title" : 
"Attribute Name Mapping", "description" : "", "propertyOrder" : 1800, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sunIdRepoClass" : { "title" : "LDAPv3 Repository Plug-in Class Name", "description" : "", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" } } }, "errorhandling" : { "type" : "object", "title" : "Error Handling Configuration", "propertyOrder" : 8, "properties" : { "com.iplanet.am.ldap.connection.delay.between.retries" : { "title" : "The Delay Time Between Retries", "description" : "In milliseconds.", "propertyOrder" : 5800, "required" : false, "type" : "integer", "exampleValue" : "" } } } } }
ActiveDirectoryModule
Realm Operations
Resource path:
/realm-config/authentication/modules/activedirectory
Resource version: 2.0
create
Usage
am> create ActiveDirectoryModule --realm Realm --id id --body body
Parameters
- --id: The unique identifier for the resource.
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "trustAllServerCertificates" : { "title" : "Trust All Server Certificates", "description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process", "propertyOrder" : 1400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "searchScope" : { "title" : "Search Scope", "description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>", "propertyOrder" : 900, "required" : true, "type" : "string", "exampleValue" : "" }, "userSearchAttributes" : { "title" : "Attributes Used to Search for a User to be Authenticated", "description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>", "propertyOrder" : 700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "operationTimeout" : { "title" : "LDAP operations timeout", "description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.", "propertyOrder" : 1700, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ", "propertyOrder" : 1800, "required" : true, "type" : "integer", "exampleValue" : "" }, "connectionHeartbeatTimeUnit" : { "title" : "LDAP Connection Heartbeat Time Unit", "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "" }, "secondaryLdapServer" : { "title" : "Secondary Active Directory Server", "description" : "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 200, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "userSearchStartDN" : { "title" : "DN to Start User Search", "description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 300, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "userProfileRetrievalAttribute" : { "title" : "Attribute Used to Retrieve User Profile", "description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "primaryLdapServer" : { "title" : "Primary Active Directory Server ", "description" : "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "openam-auth-ldap-connection-mode" : { "title" : "LDAP Connection Mode", "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "stopLdapbindAfterInmemoryLockedEnabled" : { "title" : "Stop LDAP Binds after in-memory lockout", "description" : "If enabled, further bind requests will not be sent to LDAP Server when the user is locked-out using in-memory Account Lockout.", "propertyOrder" : 1900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "userSearchFilter" : { "title" : "User Search Filter", "description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "profileAttributeMappings" : { "title" : "User Creation Attributes", "description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>", "propertyOrder" : 1300, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "returnUserDN" : { "title" : "Return User DN to DataStore", "description" : "Controls whether the DN or the username is returned as the authentication principal.", "propertyOrder" : 1200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "userBindDN" : { "title" : "Bind User DN", "description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "connectionHeartbeatInterval" : { "title" : "LDAP Connection Heartbeat Interval", "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle. Use along with the Heartbeat Time Unit parameter to define the correct interval. Zero or negative value will result in disabling heartbeat requests.", "propertyOrder" : 1500, "required" : true, "type" : "integer", "exampleValue" : "" }, "userBindPassword" : { "title" : "Bind User Password", "description" : "The password of the administration account.", "propertyOrder" : 500, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" } } }
delete
Usage
am> delete ActiveDirectoryModule --realm Realm --id id
Parameters
- --id: The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action ActiveDirectoryModule --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action ActiveDirectoryModule --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action ActiveDirectoryModule --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query ActiveDirectoryModule --realm Realm --filter filter
Parameters
- --filter: A CREST formatted query filter, where "true" will query all.
read
Usage
am> read ActiveDirectoryModule --realm Realm --id id
Parameters
- --id: The unique identifier for the resource.
update
Usage
am> update ActiveDirectoryModule --realm Realm --id id --body body
Parameters
- --id: The unique identifier for the resource.
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "trustAllServerCertificates" : { "title" : "Trust All Server Certificates", "description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process", "propertyOrder" : 1400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "searchScope" : { "title" : "Search Scope", "description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>", "propertyOrder" : 900, "required" : true, "type" : "string", "exampleValue" : "" }, "userSearchAttributes" : { "title" : "Attributes Used to Search for a User to be Authenticated", "description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>", "propertyOrder" : 700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "operationTimeout" : { "title" : "LDAP operations timeout", "description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.", "propertyOrder" : 1700, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ", "propertyOrder" : 1800, "required" : true, "type" : "integer", "exampleValue" : "" }, "connectionHeartbeatTimeUnit" : { "title" : "LDAP Connection Heartbeat Time Unit", "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "" }, "secondaryLdapServer" : { "title" : "Secondary Active Directory Server", "description" : "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 200, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "userSearchStartDN" : { "title" : "DN to Start User Search", "description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 300, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "userProfileRetrievalAttribute" : { "title" : "Attribute Used to Retrieve User Profile", "description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "primaryLdapServer" : { "title" : "Primary Active Directory Server ", "description" : "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "openam-auth-ldap-connection-mode" : { "title" : "LDAP Connection Mode", "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "stopLdapbindAfterInmemoryLockedEnabled" : { "title" : "Stop LDAP Binds after in-memory lockout", "description" : "If enabled, further bind requests will not be sent to LDAP Server when the user is locked-out using in-memory Account Lockout.", "propertyOrder" : 1900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "userSearchFilter" : { "title" : "User Search Filter", "description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "profileAttributeMappings" : { "title" : "User Creation Attributes", "description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>", "propertyOrder" : 1300, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "returnUserDN" : { "title" : "Return User DN to DataStore", "description" : "Controls whether the DN or the username is returned as the authentication principal.", "propertyOrder" : 1200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "userBindDN" : { "title" : "Bind User DN", "description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "connectionHeartbeatInterval" : { "title" : "LDAP Connection Heartbeat Interval", "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle. Use along with the Heartbeat Time Unit parameter to define the correct interval. Zero or negative value will result in disabling heartbeat requests.", "propertyOrder" : 1500, "required" : true, "type" : "integer", "exampleValue" : "" }, "userBindPassword" : { "title" : "Bind User Password", "description" : "The password of the administration account.", "propertyOrder" : 500, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" } } }
Global Operations
Resource path:
/global-config/authentication/modules/activedirectory
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action ActiveDirectoryModule --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action ActiveDirectoryModule --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action ActiveDirectoryModule --global --actionName nextdescendents
update
Usage
am> update ActiveDirectoryModule --global --body body
Parameters
- --body: The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaults" : { "properties" : { "userBindPassword" : { "title" : "Bind User Password", "description" : "The password of the administration account.", "propertyOrder" : 500, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "userBindDN" : { "title" : "Bind User DN", "description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "userSearchStartDN" : { "title" : "DN to Start User Search", "description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 300, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "connectionHeartbeatInterval" : { "title" : "LDAP Connection Heartbeat Interval", "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle. Use along with the Heartbeat Time Unit parameter to define the correct interval. Zero or negative value will result in disabling heartbeat requests.", "propertyOrder" : 1500, "required" : true, "type" : "integer", "exampleValue" : "" }, "profileAttributeMappings" : { "title" : "User Creation Attributes", "description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>", "propertyOrder" : 1300, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "userSearchFilter" : { "title" : "User Search Filter", "description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "openam-auth-ldap-connection-mode" : { "title" : "LDAP Connection Mode", "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "userProfileRetrievalAttribute" : { "title" : "Attribute Used to Retrieve User Profile", "description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "secondaryLdapServer" : { "title" : "Secondary Active Directory Server", "description" : "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 200, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "searchScope" : { "title" : "Search Scope", "description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>", "propertyOrder" : 900, "required" : true, "type" : "string", "exampleValue" : "" }, "trustAllServerCertificates" : { "title" : "Trust All Server Certificates", "description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process", "propertyOrder" : 1400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "operationTimeout" : { "title" : "LDAP operations timeout", "description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.", "propertyOrder" : 1700, "required" : true, "type" : "integer", "exampleValue" : "" }, "returnUserDN" : { "title" : "Return User DN to DataStore", "description" : "Controls whether the DN or the username is returned as the authentication principal.", "propertyOrder" : 1200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ", "propertyOrder" : 1800, "required" : true, "type" : "integer", "exampleValue" : "" }, "primaryLdapServer" : { "title" : "Primary Active Directory Server ", "description" : "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "stopLdapbindAfterInmemoryLockedEnabled" : { "title" : "Stop LDAP Binds after in-memory lockout", "description" : "If enabled, further bind requests will not be sent to LDAP Server when the user is locked-out using in-memory Account Lockout.", "propertyOrder" : 1900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "userSearchAttributes" : { "title" : "Attributes Used to Search for a User to be Authenticated", "description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>", "propertyOrder" : 700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "connectionHeartbeatTimeUnit" : { "title" : "LDAP Connection Heartbeat Time Unit", "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "" } }, "type" : "object", "title" : "Realm Defaults" } } }
AdaptiveRiskModule
Realm Operations
Resource path:
/realm-config/authentication/modules/adaptiverisk
Resource version: 2.0
create
Usage
am> create AdaptiveRiskModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "geolocation" : { "type" : "object", "title" : "Geo Location", "propertyOrder" : 8, "properties" : { "geolocationCheckEnabled" : { "title" : "Geolocation Country Code Check", "description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.", "propertyOrder" : 3800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "geolocationDatabaseLocation" : { "title" : "Geolocation Database location", "description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.", "propertyOrder" : 3900, "required" : true, "type" : "string", "exampleValue" : "" }, "geolocationScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 4100, "required" : true, "type" : "integer", "exampleValue" : "" }, "invertGeolocationScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 4200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "geolocationValidCountryCodes" : { "title" : "Valid Country Codes", "description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>", "propertyOrder" : 4000, "required" : true, "type" : "string", "exampleValue" : "" } } }, "knowncookie" : { "type" : "object", "title" : "Known Cookie", "propertyOrder" : 4, "properties" : { "knownCookieCheckEnabled" : { "title" : "Cookie Value Check", "description" : "Enables the checking of a known cookie value in the client request<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value then the check will pass. ", "propertyOrder" : 1600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "knownCookieValue" : { "title" : "Cookie Value", "description" : "The value to be set on the cookie.", "propertyOrder" : 1800, "required" : true, "type" : "string", "exampleValue" : "" }, "invertKnownCookieScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 2100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "knownCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie to set on the client.", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" }, "createKnownCookieOnSuccessfulLogin" : { "title" : "Save Cookie Value on Successful Login", "description" : "The cookie will be created on the client after successful login<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response", "propertyOrder" : 1900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "knownCookieScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 2000, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "authfailed" : { "type" : "object", "title" : "Failed Authentications", "propertyOrder" : 1, "properties" : { "invertFailureScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "failureScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" }, "failedAuthenticationCheckEnabled" : { "title" : "Failed Authentication Check", "description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.", "propertyOrder" : 300, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "lastlogin" : { "type" : "object", "title" : "Time Since Last Login", "propertyOrder" : 6, "properties" : { "maxTimeSinceLastLogin" : { "title" : "Max Time since Last login", "description" : "The maximum number of days that can elapse before this test.", "propertyOrder" : 2400, "required" : true, "type" : "string", "exampleValue" : "" }, "saveLastLoginTimeOnSuccessfulLogin" : { "title" : "Save time of Successful Login", "description" : "The last login time will be saved in a client cookie<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time", "propertyOrder" : 2500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "timeSinceLastLoginCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie used to store the time of the last successful authentication.", "propertyOrder" : 2300, "required" : true, "type" : "string", "exampleValue" : "" }, "timeSinceLastLoginCheckEnabled" : { "title" : "Time since Last login Check", "description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.", "propertyOrder" : 2200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertTimeSinceLastLoginScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 2700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "timeSinceLastLoginScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 2600, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "attributecheck" : { "type" : "object", "title" : "Profile Attribute", "propertyOrder" : 7, "properties" : { "profileRiskAttributeCheckEnabled" : { "title" : "Profile Risk Attribute check", "description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the users profile contains the required risk attribute and value.", "propertyOrder" : 2800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "profileRiskAttributeValue" : { "title" : "Attribute Value", "description" : "The required value of the named attribute.", "propertyOrder" : 3000, "required" : true, "type" : "string", "exampleValue" : "" }, "profileRiskAttributeName" : { "title" : "Attribute Name", "description" : "The name of the attribute to retrieve from the user profile in the data store.", "propertyOrder" : 2900, "required" : true, "type" : "string", "exampleValue" : "" }, "profileRiskAttributeScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 3100, "required" : true, "type" : "integer", "exampleValue" : "" }, "invertProfileRiskAttributeScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 3200, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "devicecookie" : { "type" : "object", "title" : "Device Cookie", "propertyOrder" : 5, "properties" : { "saveDeviceCookieValueOnSuccessfulLogin" : { "title" : "Save Device Registration on Successful Login", "description" : "Set the device cookie on the client response<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response", "propertyOrder" : 3500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "deviceCookieScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 3600, "required" : true, "type" : "integer", "exampleValue" : "" }, "deviceCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie to be checked for (and optionally set) on the client request", "propertyOrder" : 3400, "required" : true, "type" : "string", "exampleValue" : "" }, "deviceCookieCheckEnabled" : { "title" : "Device Registration Cookie Check", "description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.", "propertyOrder" : 3300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertDeviceCookieScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 3700, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "iphistory" : { "type" : "object", "title" : "IP Address History", "propertyOrder" : 3, "properties" : { "ipHistoryCount" : { "title" : "History size", "description" : "The number of client IP addresses to save in the history list.", "propertyOrder" : 1100, "required" : true, "type" : "integer", "exampleValue" : "" }, "ipHistoryCheckEnabled" : { "title" : "IP History Check", "description" : "Enables the checking of client IP address against a list of past IP addresses.<br><br>If this check is enabled; a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to list if the overall authentication is successful (causing the oldest IP address to be removed).", "propertyOrder" : 1000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipHistoryScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "saveSuccessfulIP" : { "title" : "Save Successful IP Address", "description" : "The IP History list will be updated in the data store<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.", "propertyOrder" : 1300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertIPHistoryScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 1500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipHistoryProfileAttribute" : { "title" : "Profile Attribute Name", "description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" } } }, "iprange" : { "type" : "object", "title" : "IP Address Range", "propertyOrder" : 2, "properties" : { "ipRangeCheckEnabled" : { "title" : "IP Range Check", "description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the IP of the client against a list of IP addresses, if the client IP is found within said list the check is successful.", "propertyOrder" : 600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertIPRangeScoreEnabled" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipRange" : { "title" : "IP Range", "description" : "The list of IP address to compare against the client IP address.<br><br>The format of the IP address is as follows:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>", "propertyOrder" : 700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "ipRangeScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "general" : { "type" : "object", "title" : "General", "propertyOrder" : 0, "properties" : { "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "riskThreshold" : { "title" : "Risk Threshold", "description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Associated with many of the adaptive risk checks is a score; if a check does not passes then the score is added to the current running total. The final score is then compared with the <i>Risk Threshold</i>, if the score is lesser than said threshold the module will be successful. ", "propertyOrder" : 200, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "requestheader" : { "type" : "object", "title" : "Request Header", "propertyOrder" : 9, "properties" : { "requestHeaderCheckEnabled" : { "title" : "Request Header Check", "description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.", "propertyOrder" : 4300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requestHeaderName" : { "title" : "Request Header Name", "description" : "The name of the required HTTP header ", "propertyOrder" : 4400, "required" : true, "type" : "string", "exampleValue" : "" }, "requestHeaderValue" : { "title" : "Request Header Value", "description" : "The required value of the named HTTP header.", "propertyOrder" : 4500, "required" : true, "type" : "string", "exampleValue" : "" }, "invertRequestHeaderScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 4700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requestHeaderScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 4600, "required" : true, "type" : "integer", "exampleValue" : "" } } } } }
delete
Usage
am> delete AdaptiveRiskModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AdaptiveRiskModule --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AdaptiveRiskModule --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AdaptiveRiskModule --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AdaptiveRiskModule --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read AdaptiveRiskModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update AdaptiveRiskModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "geolocation" : { "type" : "object", "title" : "Geo Location", "propertyOrder" : 8, "properties" : { "geolocationCheckEnabled" : { "title" : "Geolocation Country Code Check", "description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.", "propertyOrder" : 3800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "geolocationDatabaseLocation" : { "title" : "Geolocation Database location", "description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.", "propertyOrder" : 3900, "required" : true, "type" : "string", "exampleValue" : "" }, "geolocationScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 4100, "required" : true, "type" : "integer", "exampleValue" : "" }, "invertGeolocationScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 4200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "geolocationValidCountryCodes" : { "title" : "Valid Country Codes", "description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>", "propertyOrder" : 4000, "required" : true, "type" : "string", 
"exampleValue" : "" } } }, "knowncookie" : { "type" : "object", "title" : "Known Cookie", "propertyOrder" : 4, "properties" : { "knownCookieCheckEnabled" : { "title" : "Cookie Value Check", "description" : "Enables the checking of a known cookie value in the client request<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value then the check will pass. ", "propertyOrder" : 1600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "knownCookieValue" : { "title" : "Cookie Value", "description" : "The value to be set on the cookie.", "propertyOrder" : 1800, "required" : true, "type" : "string", "exampleValue" : "" }, "invertKnownCookieScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 2100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "knownCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie to set on the client.", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" }, "createKnownCookieOnSuccessfulLogin" : { "title" : "Save Cookie Value on Successful Login", "description" : "The cookie will be created on the client after successful login<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response", "propertyOrder" : 1900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "knownCookieScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 2000, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "authfailed" : { "type" : "object", "title" : "Failed Authentications", "propertyOrder" : 1, "properties" : { "invertFailureScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure 
the score will not be incremented.", "propertyOrder" : 500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "failureScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" }, "failedAuthenticationCheckEnabled" : { "title" : "Failed Authentication Check", "description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.", "propertyOrder" : 300, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "lastlogin" : { "type" : "object", "title" : "Time Since Last Login", "propertyOrder" : 6, "properties" : { "maxTimeSinceLastLogin" : { "title" : "Max Time since Last login", "description" : "The maximum number of days that can elapse before this test.", "propertyOrder" : 2400, "required" : true, "type" : "string", "exampleValue" : "" }, "saveLastLoginTimeOnSuccessfulLogin" : { "title" : "Save time of Successful Login", "description" : "The last login time will be saved in a client cookie<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time", "propertyOrder" : 2500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "timeSinceLastLoginCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie used to store the time of the last successful authentication.", "propertyOrder" : 2300, "required" : true, "type" : "string", "exampleValue" : "" }, "timeSinceLastLoginCheckEnabled" : { "title" : "Time since Last login Check", "description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. 
If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.", "propertyOrder" : 2200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertTimeSinceLastLoginScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 2700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "timeSinceLastLoginScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 2600, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "attributecheck" : { "type" : "object", "title" : "Profile Attribute", "propertyOrder" : 7, "properties" : { "profileRiskAttributeCheckEnabled" : { "title" : "Profile Risk Attribute check", "description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the users profile contains the required risk attribute and value.", "propertyOrder" : 2800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "profileRiskAttributeValue" : { "title" : "Attribute Value", "description" : "The required value of the named attribute.", "propertyOrder" : 3000, "required" : true, "type" : "string", "exampleValue" : "" }, "profileRiskAttributeName" : { "title" : "Attribute Name", "description" : "The name of the attribute to retrieve from the user profile in the data store.", "propertyOrder" : 2900, "required" : true, "type" : "string", "exampleValue" : "" }, "profileRiskAttributeScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 3100, "required" : true, "type" : "integer", "exampleValue" : "" }, "invertProfileRiskAttributeScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the 
total, for failure the score will not be incremented.", "propertyOrder" : 3200, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "devicecookie" : { "type" : "object", "title" : "Device Cookie", "propertyOrder" : 5, "properties" : { "saveDeviceCookieValueOnSuccessfulLogin" : { "title" : "Save Device Registration on Successful Login", "description" : "Set the device cookie on the client response<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response", "propertyOrder" : 3500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "deviceCookieScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 3600, "required" : true, "type" : "integer", "exampleValue" : "" }, "deviceCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie to be checked for (and optionally set) on the client request", "propertyOrder" : 3400, "required" : true, "type" : "string", "exampleValue" : "" }, "deviceCookieCheckEnabled" : { "title" : "Device Registration Cookie Check", "description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.", "propertyOrder" : 3300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertDeviceCookieScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 3700, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "iphistory" : { "type" : "object", "title" : "IP Address History", "propertyOrder" : 3, "properties" : { "ipHistoryCount" : { "title" : "History size", "description" : "The number of client IP addresses to save in the history list.", "propertyOrder" : 1100, "required" : true, "type" : "integer", "exampleValue" : "" }, 
"ipHistoryCheckEnabled" : { "title" : "IP History Check", "description" : "Enables the checking of client IP address against a list of past IP addresses.<br><br>If this check is enabled; a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to list if the overall authentication is successful (causing the oldest IP address to be removed).", "propertyOrder" : 1000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipHistoryScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "saveSuccessfulIP" : { "title" : "Save Successful IP Address", "description" : "The IP History list will be updated in the data store<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.", "propertyOrder" : 1300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertIPHistoryScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 1500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipHistoryProfileAttribute" : { "title" : "Profile Attribute Name", "description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" } } }, "iprange" : { "type" : "object", "title" : "IP Address Range", "propertyOrder" : 2, "properties" : { "ipRangeCheckEnabled" : { "title" : "IP Range Check", "description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the IP of the client against a list of IP addresses, if the client IP is found within said list the check is successful.", "propertyOrder" : 600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertIPRangeScoreEnabled" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipRange" : { "title" : "IP Range", "description" : "The list of IP address to compare against the client IP address.<br><br>The format of the IP address is as follows:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>", "propertyOrder" : 700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "ipRangeScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "general" : { "type" : "object", "title" : "General", "propertyOrder" : 0, "properties" : { "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "riskThreshold" : { "title" : "Risk Threshold", "description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Associated with many of the adaptive risk checks is a score; if a check does not passes then the score is added to the current running total. The final score is then compared with the <i>Risk Threshold</i>, if the score is lesser than said threshold the module will be successful. ", "propertyOrder" : 200, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "requestheader" : { "type" : "object", "title" : "Request Header", "propertyOrder" : 9, "properties" : { "requestHeaderCheckEnabled" : { "title" : "Request Header Check", "description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.", "propertyOrder" : 4300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requestHeaderName" : { "title" : "Request Header Name", "description" : "The name of the required HTTP header ", "propertyOrder" : 4400, "required" : true, "type" : "string", "exampleValue" : "" }, "requestHeaderValue" : { "title" : "Request Header Value", "description" : "The required value of the named HTTP header.", "propertyOrder" : 4500, "required" : true, "type" : "string", "exampleValue" : "" }, "invertRequestHeaderScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 4700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requestHeaderScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 4600, "required" : true, "type" : "integer", "exampleValue" : "" } } } } }
Global Operations
Resource path:
/global-config/authentication/modules/adaptiverisk
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AdaptiveRiskModule --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AdaptiveRiskModule --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AdaptiveRiskModule --global --actionName nextdescendents
update
Usage
am> update AdaptiveRiskModule --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaults" : { "properties" : { "iphistory" : { "type" : "object", "title" : "IP Address History", "propertyOrder" : 3, "properties" : { "ipHistoryCheckEnabled" : { "title" : "IP History Check", "description" : "Enables the checking of client IP address against a list of past IP addresses.<br><br>If this check is enabled; a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to list if the overall authentication is successful (causing the oldest IP address to be removed).", "propertyOrder" : 1000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipHistoryCount" : { "title" : "History size", "description" : "The number of client IP addresses to save in the history list.", "propertyOrder" : 1100, "required" : true, "type" : "integer", "exampleValue" : "" }, "ipHistoryScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "saveSuccessfulIP" : { "title" : "Save Successful IP Address", "description" : "The IP History list will be updated in the data store<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.", "propertyOrder" : 1300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipHistoryProfileAttribute" : { "title" : "Profile Attribute Name", "description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "invertIPHistoryScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 1500, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "lastlogin" : { "type" : "object", "title" : "Time Since Last Login", "propertyOrder" : 6, "properties" : { "saveLastLoginTimeOnSuccessfulLogin" : { "title" : "Save time of Successful Login", "description" : "The last login time will be saved in a client cookie<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time", "propertyOrder" : 2500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "timeSinceLastLoginCheckEnabled" : { "title" : "Time since Last login Check", "description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.", "propertyOrder" : 2200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "maxTimeSinceLastLogin" : { "title" : "Max Time since Last login", "description" : "The maximum number of days that can elapse before this test.", "propertyOrder" : 2400, "required" : true, "type" : "string", "exampleValue" : "" }, "timeSinceLastLoginCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie used to store the time of the last successful authentication.", "propertyOrder" : 2300, "required" : true, "type" : "string", "exampleValue" : "" }, "invertTimeSinceLastLoginScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 2700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "timeSinceLastLoginScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 2600, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "iprange" : { "type" : "object", "title" : "IP Address Range", "propertyOrder" : 2, "properties" : { "ipRangeCheckEnabled" : { "title" : "IP Range Check", "description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the IP of the client against a list of IP addresses, if the client IP is found within said list the check is successful.", "propertyOrder" : 600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipRange" : { "title" : "IP Range", "description" : "The list of IP address to compare against the client IP address.<br><br>The format of the IP address is as follows:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>", 
"propertyOrder" : 700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "ipRangeScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" }, "invertIPRangeScoreEnabled" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 900, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "geolocation" : { "type" : "object", "title" : "Geo Location", "propertyOrder" : 8, "properties" : { "geolocationCheckEnabled" : { "title" : "Geolocation Country Code Check", "description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.", "propertyOrder" : 3800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertGeolocationScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 4200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "geolocationValidCountryCodes" : { "title" : "Valid Country Codes", "description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>", "propertyOrder" : 4000, "required" : true, "type" : "string", "exampleValue" : "" }, "geolocationDatabaseLocation" : { "title" : 
"Geolocation Database location", "description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.", "propertyOrder" : 3900, "required" : true, "type" : "string", "exampleValue" : "" }, "geolocationScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 4100, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "attributecheck" : { "type" : "object", "title" : "Profile Attribute", "propertyOrder" : 7, "properties" : { "profileRiskAttributeValue" : { "title" : "Attribute Value", "description" : "The required value of the named attribute.", "propertyOrder" : 3000, "required" : true, "type" : "string", "exampleValue" : "" }, "invertProfileRiskAttributeScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 3200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "profileRiskAttributeScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 3100, "required" : true, "type" : "integer", "exampleValue" : "" }, "profileRiskAttributeName" : { "title" : "Attribute Name", "description" : "The name of the attribute to retrieve from the user profile in the data store.", "propertyOrder" : 2900, "required" : true, "type" : "string", "exampleValue" : "" }, "profileRiskAttributeCheckEnabled" : { "title" : "Profile Risk Attribute check", "description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the users profile contains the required risk attribute and value.", "propertyOrder" : 2800, "required" : true, "type" : "boolean", 
"exampleValue" : "" } } }, "knowncookie" : { "type" : "object", "title" : "Known Cookie", "propertyOrder" : 4, "properties" : { "createKnownCookieOnSuccessfulLogin" : { "title" : "Save Cookie Value on Successful Login", "description" : "The cookie will be created on the client after successful login<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response", "propertyOrder" : 1900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "knownCookieCheckEnabled" : { "title" : "Cookie Value Check", "description" : "Enables the checking of a known cookie value in the client request<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value then the check will pass. ", "propertyOrder" : 1600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "knownCookieValue" : { "title" : "Cookie Value", "description" : "The value to be set on the cookie.", "propertyOrder" : 1800, "required" : true, "type" : "string", "exampleValue" : "" }, "invertKnownCookieScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 2100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "knownCookieScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 2000, "required" : true, "type" : "integer", "exampleValue" : "" }, "knownCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie to set on the client.", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" } } }, "devicecookie" : { "type" : "object", "title" : "Device Cookie", "propertyOrder" : 5, "properties" : { "deviceCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie to be checked for (and optionally set) on the client request", 
"propertyOrder" : 3400, "required" : true, "type" : "string", "exampleValue" : "" }, "deviceCookieCheckEnabled" : { "title" : "Device Registration Cookie Check", "description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.", "propertyOrder" : 3300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertDeviceCookieScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 3700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "saveDeviceCookieValueOnSuccessfulLogin" : { "title" : "Save Device Registration on Successful Login", "description" : "Set the device cookie on the client response<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response", "propertyOrder" : 3500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "deviceCookieScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 3600, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "requestheader" : { "type" : "object", "title" : "Request Header", "propertyOrder" : 9, "properties" : { "requestHeaderValue" : { "title" : "Request Header Value", "description" : "The required value of the named HTTP header.", "propertyOrder" : 4500, "required" : true, "type" : "string", "exampleValue" : "" }, "requestHeaderName" : { "title" : "Request Header Name", "description" : "The name of the required HTTP header ", "propertyOrder" : 4400, "required" : true, "type" : "string", "exampleValue" : "" }, "requestHeaderScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 4600, "required" : true, "type" : "integer", "exampleValue" : "" }, 
"invertRequestHeaderScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 4700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requestHeaderCheckEnabled" : { "title" : "Request Header Check", "description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.", "propertyOrder" : 4300, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "general" : { "type" : "object", "title" : "General", "propertyOrder" : 0, "properties" : { "riskThreshold" : { "title" : "Risk Threshold", "description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Associated with many of the adaptive risk checks is a score; if a check does not passes then the score is added to the current running total. The final score is then compared with the <i>Risk Threshold</i>, if the score is lesser than said threshold the module will be successful. ", "propertyOrder" : 200, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "authfailed" : { "type" : "object", "title" : "Failed Authentications", "propertyOrder" : 1, "properties" : { "failedAuthenticationCheckEnabled" : { "title" : "Failed Authentication Check", "description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.", "propertyOrder" : 300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertFailureScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "failureScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" } } } }, "type" : "object", "title" : "Realm Defaults" } } }
AdvancedProperties
Global Operations
An object of property key-value pairs
Resource path:
/global-config/servers/{serverName}/properties/advanced
Resource version: 1.0
read
Usage
am> read AdvancedProperties --global --serverName serverName
Parameters
- --serverName
-
An object of property key-value pairs
update
Usage
am> update AdvancedProperties --global --serverName serverName --body body
Parameters
- --serverName
-
An object of property key-value pairs
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "patternProperties" : { ".+" : { "type" : "string", "title" : "Value", "description" : "Any string value" } }, "$schema" : "http://json-schema.org/draft-04/schema#", "description" : "An object of property key-value pairs", "type" : "object", "title" : "Advanced Properties" }
AgentDataStoreDecision
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/AgentDataStoreDecisionNode
Resource version: 2.0
create
Usage
am> create AgentDataStoreDecision --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "required" : [ ] }
delete
Usage
am> delete AgentDataStoreDecision --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AgentDataStoreDecision --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AgentDataStoreDecision --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action AgentDataStoreDecision --realm Realm --body body --actionName listOutcomes
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AgentDataStoreDecision --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AgentDataStoreDecision --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
AgentGroups
Realm Operations
Aggregating Agent Groups handler that is responsible for querying the aggregating agent groups
Resource path:
/realm-config/agents/groups
Resource version: 2.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AgentGroups --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AgentGroups --realm Realm --actionName getCreatableTypes
AgentService
Global Operations
Resource path:
/global-config/agents/AgentService
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AgentService --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AgentService --global --actionName getCreatableTypes
Agents
Realm Operations
Aggregating Agents handler that is responsible for querying the aggregating agents
Resource path:
/realm-config/agents
Resource version: 2.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action Agents --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action Agents --realm Realm --actionName getCreatableTypes
Global Operations
Global and default configuration for agents
Resource path:
/global-config/agents
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action Agents --global --actionName getAllTypes
AmsterModule
Realm Operations
Resource path:
/realm-config/authentication/modules/amster
Resource version: 2.0
create
Usage
am> create AmsterModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "authenticationLevel" : { "title" : "Authentication Level", "description" : "", "propertyOrder" : 300, "required" : true, "type" : "integer", "exampleValue" : "" }, "authorizedKeys" : { "title" : "Authorized Keys", "description" : "The location of the authorized_keys file (which has the same format as an OpenSSH authorized_keys file) to use to validate remote Amster connections.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "enabled" : { "title" : "Enabled", "description" : "If not enabled, prevents PKI login using the Amster module.", "propertyOrder" : 200, "required" : true, "type" : "boolean", "exampleValue" : "" } } }
delete
Usage
am> delete AmsterModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AmsterModule --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AmsterModule --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AmsterModule --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AmsterModule --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read AmsterModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update AmsterModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "authenticationLevel" : { "title" : "Authentication Level", "description" : "", "propertyOrder" : 300, "required" : true, "type" : "integer", "exampleValue" : "" }, "authorizedKeys" : { "title" : "Authorized Keys", "description" : "The location of the authorized_keys file (which has the same format as an OpenSSH authorized_keys file) to use to validate remote Amster connections.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "enabled" : { "title" : "Enabled", "description" : "If not enabled, prevents PKI login using the Amster module.", "propertyOrder" : 200, "required" : true, "type" : "boolean", "exampleValue" : "" } } }
Global Operations
Resource path:
/global-config/authentication/modules/amster
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AmsterModule --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AmsterModule --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AmsterModule --global --actionName nextdescendents
update
Usage
am> update AmsterModule --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaults" : { "properties" : { "authenticationLevel" : { "title" : "Authentication Level", "description" : "", "propertyOrder" : 300, "required" : true, "type" : "integer", "exampleValue" : "" }, "authorizedKeys" : { "title" : "Authorized Keys", "description" : "The location of the authorized_keys file (which has the same format as an OpenSSH authorized_keys file) to use to validate remote Amster connections.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "enabled" : { "title" : "Enabled", "description" : "If not enabled, prevents PKI login using the Amster module.", "propertyOrder" : 200, "required" : true, "type" : "boolean", "exampleValue" : "" } }, "type" : "object", "title" : "Realm Defaults" } } }
AndroidKeyAttestation
Realm Operations
Resource path:
/realm-config/services/androidKeyAttestation
Resource version: 2.0
create
Usage
am> create AndroidKeyAttestation --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "publicKeyUrl" : { "title" : "Google hardware attestation root certificate URL", "description" : "[Optional] The URL to retrieve the Google hardware attestation root certificate.<br><br>The root certificate of the chain is validated against builtin certificates provided by Google. Refer to <a href=\"https://developer.android.com/training/articles/security-key-attestation#root_certificate\">Verifying hardware-backed key pairs with Key Attestation | Android Developers.</a> You can override these defaults by providing the URL to a different hardware attestation certificate. The built-in certificates are used if this property is empty or a certificate cannot be obtained from the URL provided.", "propertyOrder" : 200, "required" : false, "type" : "string", "exampleValue" : "" }, "crlUrl" : { "title" : "Certificate revocation status list URL", "description" : "The URL to retrieve the certificate revocation status list (CRL).<br><br>Keys are checked against the revocation status list to ensure they have not been revoked or suspended. Keys can be revoked for a number of reasons, including mishandling or suspected extraction by an attacker. Defaults to the list maintained by Google. Refer to <a href=\"https://android.googleapis.com/attestation/status\">https://android.googleapis.com/attestation/status</a>", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" } } }
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AndroidKeyAttestation --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AndroidKeyAttestation --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AndroidKeyAttestation --realm Realm --actionName nextdescendents
update
Usage
am> update AndroidKeyAttestation --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "publicKeyUrl" : { "title" : "Google hardware attestation root certificate URL", "description" : "[Optional] The URL to retrieve the Google hardware attestation root certificate.<br><br>The root certificate of the chain is validated against builtin certificates provided by Google. Refer to <a href=\"https://developer.android.com/training/articles/security-key-attestation#root_certificate\">Verifying hardware-backed key pairs with Key Attestation | Android Developers.</a> You can override these defaults by providing the URL to a different hardware attestation certificate. The built-in certificates are used if this property is empty or a certificate cannot be obtained from the URL provided.", "propertyOrder" : 200, "required" : false, "type" : "string", "exampleValue" : "" }, "crlUrl" : { "title" : "Certificate revocation status list URL", "description" : "The URL to retrieve the certificate revocation status list (CRL).<br><br>Keys are checked against the revocation status list to ensure they have not been revoked or suspended. Keys can be revoked for a number of reasons, including mishandling or suspected extraction by an attacker. Defaults to the list maintained by Google. Refer to <a href=\"https://android.googleapis.com/attestation/status\">https://android.googleapis.com/attestation/status</a>", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" } } }
Global Operations
Resource path:
/global-config/services/androidKeyAttestation
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AndroidKeyAttestation --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AndroidKeyAttestation --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AndroidKeyAttestation --global --actionName nextdescendents
update
Usage
am> update AndroidKeyAttestation --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "cacheDuration" : { "title" : "Cache duration (hours)", "description" : "The number of hours to cache the Certificate revocation status list and Google hardware attestation root certificate.<br><br>Defaults to one day (24). Specify 0 to prevent caching.", "propertyOrder" : 200, "required" : true, "type" : "integer", "exampleValue" : "" }, "defaults" : { "properties" : { "crlUrl" : { "title" : "Certificate revocation status list URL", "description" : "The URL to retrieve the certificate revocation status list (CRL).<br><br>Keys are checked against the revocation status list to ensure they have not been revoked or suspended. Keys can be revoked for a number of reasons, including mishandling or suspected extraction by an attacker. Defaults to the list maintained by Google. Refer to <a href=\"https://android.googleapis.com/attestation/status\">https://android.googleapis.com/attestation/status</a>", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "publicKeyUrl" : { "title" : "Google hardware attestation root certificate URL", "description" : "[Optional] The URL to retrieve the Google hardware attestation root certificate.<br><br>The root certificate of the chain is validated against builtin certificates provided by Google. Refer to <a href=\"https://developer.android.com/training/articles/security-key-attestation#root_certificate\">Verifying hardware-backed key pairs with Key Attestation | Android Developers.</a> You can override these defaults by providing the URL to a different hardware attestation certificate. The built-in certificates are used if this property is empty or a certificate cannot be obtained from the URL provided.", "propertyOrder" : 200, "required" : false, "type" : "string", "exampleValue" : "" } }, "type" : "object", "title" : "Realm Defaults" } } }
AnonymousModule
Realm Operations
Resource path:
/realm-config/authentication/modules/anonymous
Resource version: 2.0
create
Usage
am> create AnonymousModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "validAnonymousUsers" : { "title" : "Valid Anonymous Users", "description" : "List of accounts that are allowed to login without providing credentials.<br><br>Any username on this list will be allowed anonymous access to OpenAM. Usernames listed here must have matching profiles in the data store or the user profile requirement must be disabled. The username can be specified during anonymous authentication as follows:<br/><br/><code>/openam/UI/Login?module=anonymous&IDToken1=<i>username</i></code>", "propertyOrder" : 100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "caseSensitiveUsernameMatchingEnabled" : { "title" : "Case Sensitive User IDs", "description" : "If enabled, username matching will be case sensitive.", "propertyOrder" : 300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" }, "defaultAnonymousUsername" : { "title" : "Default Anonymous User Name", "description" : "The default username to use if no username is supplied during authentication.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" } } }
delete
Usage
am> delete AnonymousModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AnonymousModule --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AnonymousModule --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AnonymousModule --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AnonymousModule --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read AnonymousModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update AnonymousModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "validAnonymousUsers" : { "title" : "Valid Anonymous Users", "description" : "List of accounts that are allowed to login without providing credentials.<br><br>Any username on this list will be allowed anonymous access to OpenAM. Usernames listed here must have matching profiles in the data store or the user profile requirement must be disabled. The username can be specified during anonymous authentication as follows:<br/><br/><code>/openam/UI/Login?module=anonymous&IDToken1=<i>username</i></code>", "propertyOrder" : 100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "caseSensitiveUsernameMatchingEnabled" : { "title" : "Case Sensitive User IDs", "description" : "If enabled, username matching will be case sensitive.", "propertyOrder" : 300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" }, "defaultAnonymousUsername" : { "title" : "Default Anonymous User Name", "description" : "The default username to use if no username is supplied during authentication.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" } } }
Global Operations
Resource path:
/global-config/authentication/modules/anonymous
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AnonymousModule --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AnonymousModule --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AnonymousModule --global --actionName nextdescendents
update
Usage
am> update AnonymousModule --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaults" : { "properties" : { "caseSensitiveUsernameMatchingEnabled" : { "title" : "Case Sensitive User IDs", "description" : "If enabled, username matching will be case sensitive.", "propertyOrder" : 300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "defaultAnonymousUsername" : { "title" : "Default Anonymous User Name", "description" : "The default username to use if no username is supplied during authentication.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" }, "validAnonymousUsers" : { "title" : "Valid Anonymous Users", "description" : "List of accounts that are allowed to login without providing credentials.<br><br>Any username on this list will be allowed anonymous access to OpenAM. Usernames listed here must have matching profiles in the data store or the user profile requirement must be disabled. The username can be specified during anonymous authentication as follows:<br/><br/><code>/openam/UI/Login?module=anonymous&IDToken1=<i>username</i></code>", "propertyOrder" : 100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } }, "type" : "object", "title" : "Realm Defaults" } } }
AnonymousSessionUpgrade
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/AnonymousSessionUpgradeNode
Resource version: 2.0
create
Usage
am> create AnonymousSessionUpgrade --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "required" : [ ] }
delete
Usage
am> delete AnonymousSessionUpgrade --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AnonymousSessionUpgrade --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AnonymousSessionUpgrade --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action AnonymousSessionUpgrade --realm Realm --body body --actionName listOutcomes
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AnonymousSessionUpgrade --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AnonymousSessionUpgrade --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
AnonymousUserMapping
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/AnonymousUserNode
Resource version: 2.0
create
Usage
am> create AnonymousUserMapping --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "anonymousUserName" : { "title" : "Anonymous User Name", "description" : "The username of the user that will represent the anonymous user. This user account must already exist in the realm.", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" } }, "required" : [ "anonymousUserName" ] }
delete
Usage
am> delete AnonymousUserMapping --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AnonymousUserMapping --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AnonymousUserMapping --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action AnonymousUserMapping --realm Realm --body body --actionName listOutcomes
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AnonymousUserMapping --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AnonymousUserMapping --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read AnonymousUserMapping --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update AnonymousUserMapping --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "anonymousUserName" : { "title" : "Anonymous User Name", "description" : "The username of the user that will represent the anonymous user. This user account must already exist in the realm.", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" } }, "required" : [ "anonymousUserName" ] }
ApplicationTypes
Realm Operations
Service for reading and listing the available application types. Application types act as templates for policy sets, and define how to compare resources and index policies. OpenAM provides a default application type, called iPlanetAMWebAgentService, that represents web resources.
Resource path:
/applicationtypes
Resource version: 1.0
Applications
Realm Operations
Service for manipulating Applications. It supports the CRUDQ operations.
Resource path:
/applications
Resource version: 2.1
create
Creates a new Application in a realm
Usage
am> create Applications --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "$schema" : "http://json-schema.org/draft-04/schema#", "description" : "Application schema", "type" : "object", "title" : "Application", "properties" : { "name" : { "type" : "string", "title" : "Name", "description" : "Unique application identifier." }, "displayName" : { "type" : "string", "title" : "Display name", "description" : "When defined, it is displayed in the UI instead of application name." }, "description" : { "type" : "string", "title" : "Description", "description" : "String describing the application." }, "applicationType" : { "type" : "string", "title" : "Application type", "description" : "Name of the application type used as a template for the policy set." }, "conditions" : { "type" : "array", "items" : { "type" : "string", "title" : "Conditions", "description" : "Condition types allowed in the context of the policy set." } }, "subjects" : { "type" : "array", "items" : { "type" : "string", "title" : "Subjects", "description" : "Subject types allowed in the context of the policy set." } }, "resourceTypeUuids" : { "type" : "array", "items" : { "type" : "string", "title" : "Resource type uuids", "description" : "A list of the UUIDs of the resource types associated with the policy set." } }, "entitlementCombiner" : { "type" : "string", "title" : "Entitlement combiner", "description" : "Name of the decision combiner, such as \"DenyOverride\"." }, "searchIndex" : { "type" : "string", "title" : "Search index", "description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names." }, "saveIndex" : { "type" : "string", "title" : "Save index", "description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names." }, "resourceComparator" : { "type" : "string", "title" : "Resource comparator", "description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"." }, "attributeNames" : { "type" : "array", "items" : { "type" : "string", "title" : "Attribute names", "description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup." } }, "createdBy" : { "type" : "string", "title" : "Created by", "description" : "A string containing the universal identifier DN of the subject that created the application." }, "lastModifiedBy" : { "type" : "string", "title" : "Last modified by", "description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy." }, "creationDate" : { "type" : "integer", "title" : "Creation date", "description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch." }, "lastModifiedDate" : { "type" : "integer", "title" : "Last modified date", "description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate." }, "editable" : { "type" : "boolean", "title" : "Editable", "description" : "It indicates if application is editable." } }, "required" : [ "name", "applicationType" ] }
delete
Deletes an individual Application in a realm specified by its name
Usage
am> delete Applications --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
query
Lists all the Applications in a realm
Usage
am> query Applications --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all. Fields that can be queried: [*]
read
Reads an individual Application in a realm specified by its name
Usage
am> read Applications --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Updates an individual Application in a realm specified by its name
Usage
am> update Applications --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "$schema" : "http://json-schema.org/draft-04/schema#", "description" : "Application schema", "type" : "object", "title" : "Application", "properties" : { "name" : { "type" : "string", "title" : "Name", "description" : "Unique application identifier." }, "displayName" : { "type" : "string", "title" : "Display name", "description" : "When defined, it is displayed in the UI instead of application name." }, "description" : { "type" : "string", "title" : "Description", "description" : "String describing the application." }, "applicationType" : { "type" : "string", "title" : "Application type", "description" : "Name of the application type used as a template for the policy set." }, "conditions" : { "type" : "array", "items" : { "type" : "string", "title" : "Conditions", "description" : "Condition types allowed in the context of the policy set." } }, "subjects" : { "type" : "array", "items" : { "type" : "string", "title" : "Subjects", "description" : "Subject types allowed in the context of the policy set." } }, "resourceTypeUuids" : { "type" : "array", "items" : { "type" : "string", "title" : "Resource type uuids", "description" : "A list of the UUIDs of the resource types associated with the policy set." } }, "entitlementCombiner" : { "type" : "string", "title" : "Entitlement combiner", "description" : "Name of the decision combiner, such as \"DenyOverride\"." }, "searchIndex" : { "type" : "string", "title" : "Search index", "description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names." }, "saveIndex" : { "type" : "string", "title" : "Save index", "description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names." }, "resourceComparator" : { "type" : "string", "title" : "Resource comparator", "description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"." }, "attributeNames" : { "type" : "array", "items" : { "type" : "string", "title" : "Attribute names", "description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup." } }, "createdBy" : { "type" : "string", "title" : "Created by", "description" : "A string containing the universal identifier DN of the subject that created the application." }, "lastModifiedBy" : { "type" : "string", "title" : "Last modified by", "description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy." }, "creationDate" : { "type" : "integer", "title" : "Creation date", "description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch." }, "lastModifiedDate" : { "type" : "integer", "title" : "Last modified date", "description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate." }, "editable" : { "type" : "boolean", "title" : "Editable", "description" : "It indicates if application is editable." } }, "required" : [ "name", "applicationType" ] }
AttributeCollector
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/AttributeCollectorNode
Resource version: 2.0
create
Usage
am> create AttributeCollector --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "validateInputs" : { "title" : "Validate Input", "description" : "Set to true if client input should be validated against IDM policy as declared in the schema.", "propertyOrder" : 300, "type" : "boolean", "exampleValue" : "" }, "attributesToCollect" : { "title" : "Attributes to Collect", "description" : "A set of attributes to collect from the client.", "propertyOrder" : 100, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "required" : { "title" : "All Attributes Required", "description" : "When set, requires all attributes collected to contain non-null values.", "propertyOrder" : 200, "type" : "boolean", "exampleValue" : "" }, "identityAttribute" : { "title" : "Identity Attribute", "description" : "The attribute used to identify the object in IDM.", "propertyOrder" : 400, "type" : "string", "exampleValue" : "" } }, "required" : [ "validateInputs", "attributesToCollect", "required", "identityAttribute" ] }
delete
Usage
am> delete AttributeCollector --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AttributeCollector --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AttributeCollector --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action AttributeCollector --realm Realm --body body --actionName listOutcomes
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AttributeCollector --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AttributeCollector --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read AttributeCollector --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update AttributeCollector --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "validateInputs" : { "title" : "Validate Input", "description" : "Set to true if client input should be validated against IDM policy as declared in the schema.", "propertyOrder" : 300, "type" : "boolean", "exampleValue" : "" }, "attributesToCollect" : { "title" : "Attributes to Collect", "description" : "A set of attributes to collect from the client.", "propertyOrder" : 100, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "required" : { "title" : "All Attributes Required", "description" : "When set, requires all attributes collected to contain non-null values.", "propertyOrder" : 200, "type" : "boolean", "exampleValue" : "" }, "identityAttribute" : { "title" : "Identity Attribute", "description" : "The attribute used to identify the object in IDM.", "propertyOrder" : 400, "type" : "string", "exampleValue" : "" } }, "required" : [ "validateInputs", "attributesToCollect", "required", "identityAttribute" ] }
AttributePresentDecision
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/AttributePresentDecisionNode
Resource version: 2.0
create
Usage
am> create AttributePresentDecision --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "presentAttribute" : { "title" : "Present Attribute", "description" : "The object attribute to verify is present regardless of whether the field is private.", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" }, "identityAttribute" : { "title" : "Identity Attribute", "description" : "The attribute to query in the IDM object.", "propertyOrder" : 200, "type" : "string", "exampleValue" : "" } }, "required" : [ "presentAttribute", "identityAttribute" ] }
delete
Usage
am> delete AttributePresentDecision --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AttributePresentDecision --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AttributePresentDecision --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action AttributePresentDecision --realm Realm --body body --actionName listOutcomes
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AttributePresentDecision --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AttributePresentDecision --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read AttributePresentDecision --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update AttributePresentDecision --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "presentAttribute" : { "title" : "Present Attribute", "description" : "The object attribute to verify is present regardless of whether the field is private.", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" }, "identityAttribute" : { "title" : "Identity Attribute", "description" : "The attribute to query in the IDM object.", "propertyOrder" : 200, "type" : "string", "exampleValue" : "" } }, "required" : [ "presentAttribute", "identityAttribute" ] }
AttributeValueDecision
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/AttributeValueDecisionNode
Resource version: 2.0
create
Usage
am> create AttributeValueDecision --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "comparisonValue" : { "title" : "Comparison Value", "description" : "If using the EQUALS comparison operation, the value to compare the object's attribute value to.", "propertyOrder" : 300, "type" : "string", "exampleValue" : "" }, "comparisonAttribute" : { "title" : "Comparison Attribute", "description" : "The object attribute to compare.", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" }, "comparisonOperation" : { "title" : "Comparison Operation", "description" : "The operation to perform on the object attribute; PRESENT checks for existence of an attribute, EQUALS checks if the object's attribute value equals the configured comparison value.", "propertyOrder" : 200, "type" : "string", "exampleValue" : "" }, "identityAttribute" : { "title" : "Identity Attribute", "description" : "The attribute to query in the IDM object.", "propertyOrder" : 400, "type" : "string", "exampleValue" : "" } }, "required" : [ "comparisonAttribute", "comparisonOperation", "identityAttribute" ] }
delete
Usage
am> delete AttributeValueDecision --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AttributeValueDecision --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AttributeValueDecision --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action AttributeValueDecision --realm Realm --body body --actionName listOutcomes
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AttributeValueDecision --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AttributeValueDecision --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read AttributeValueDecision --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update AttributeValueDecision --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "comparisonValue" : { "title" : "Comparison Value", "description" : "If using the EQUALS comparison operation, the value to compare the object's attribute value to.", "propertyOrder" : 300, "type" : "string", "exampleValue" : "" }, "comparisonAttribute" : { "title" : "Comparison Attribute", "description" : "The object attribute to compare.", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" }, "comparisonOperation" : { "title" : "Comparison Operation", "description" : "The operation to perform on the object attribute; PRESENT checks for existence of an attribute, EQUALS checks if the object's attribute value equals the configured comparison value.", "propertyOrder" : 200, "type" : "string", "exampleValue" : "" }, "identityAttribute" : { "title" : "Identity Attribute", "description" : "The attribute to query in the IDM object.", "propertyOrder" : 400, "type" : "string", "exampleValue" : "" } }, "required" : [ "comparisonAttribute", "comparisonOperation", "identityAttribute" ] }
AuditEvent
Realm Operations
Audit events are logged through a realm audit service.
Resource path:
/realm-audit/{topic}
Resource version: 1.0
create
Create a new audit event, which will be handled and logged by the configured audit service.
Usage
am> create AuditEvent --realm Realm --topic topic --body body
Parameters
- --topic
-
Audit events are logged through a realm audit service.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "$schema" : "http://json-schema.org/draft-04/schema#", "description" : "The schema contains properties that are common to all topics and some that are unique to a specific topic. The description of each property indicates which topic the property applies to.", "title" : "Audit event schema", "type" : "object", "properties" : { "_id" : { "title" : "ID", "description" : "The ID of the event, used by all topics", "type" : "string" }, "timestamp" : { "title" : "Timestamp", "description" : "The time at which the event occurred, used by all topics", "type" : "string" }, "eventName" : { "title" : "Event name", "description" : "The name of the event, used by all topics", "type" : "string" }, "transactionId" : { "title" : "Transaction ID", "description" : "The transaction ID of the event, used by all topics", "type" : "string" }, "userId" : { "title" : "User ID", "description" : "The ID of the user responsible for the event, used by all topics", "type" : "string" }, "trackingIds" : { "title" : "Tracking IDs", "description" : "The tracking IDs of the event, used by all topics", "type" : "array", "items" : { "id" : "0", "type" : "string" } }, "component" : { "title" : "Component", "description" : "The component responsible for the event, used by all topics", "type" : "string" }, "realm" : { "title" : "Realm", "description" : "The realm in which the event occurred, used by all topics", "type" : "string" }, "server" : { "title" : "Server", "description" : "The server details for an access event", "type" : "object", "properties" : { "ip" : { "title" : "Server IP address", "description" : "The server ip address for an access event", "type" : "string" }, "port" : { "title" : "Server port", "description" : "The server port for an access event", "type" : "integer" } } }, "client" : { "title" : "Client", "description" : "The client details for an access event", "type" : "object", "properties" : { "ip" : { "title" : "Client IP address", "description" : "The client IP address for an access event", "type" : "string" }, "port" : { "title" : "Client port", "description" : "The client port for an access event", "type" : "integer" } } }, "request" : { "title" : "Request", "description" : "The request details for an access event", "type" : "object", "properties" : { "protocol" : { "title" : "Request protocol", "description" : "The request protocol for an access event", "type" : "string" }, "operation" : { "title" : "Request operation", "description" : "The request operation for an access event", "type" : "string" }, "detail" : { "title" : "Request detail", "description" : "The request detail for an access event", "type" : "object" } } }, "http" : { "title" : "Http details", "description" : "The Http details for an access event", "type" : "object", "properties" : { "request" : { "title" : "Http request", "description" : "The http request for an access event", "type" : "object", "properties" : { "secure" : { "title" : "Http secure", "description" : "The http secure property for an access event", "type" : "boolean" }, "method" : { "title" : "Http method", "description" : "The http method for an access event", "type" : "string" }, "path" : { "title" : "Http path", "description" : "The http path for an access event", "type" : "string" }, "queryParameters" : { "title" : "Http query parameters", "description" : "The http query parameters for an access event", "type" : "object", "additionalProperties" : { "type" : "array", "items" : { "type" : "string" } } }, "headers" : { "title" : "Http headers", "description" : "The http headers for an access event", "type" : "object", "additionalProperties" : { "type" : "array", "items" : { "type" : "string" } } }, "cookies" : { "title" : "Http cookies", "description" : "The http cookies for an access event", "type" : "object", "additionalProperties" : { "type" : "string" } } } }, "response" : { "title" : "Http response", "description" : "The http response for an access event", "type" : "object", "properties" : { "headers" : { "title" : "Http request headers", "description" : "The http request headers for an access event", "type" : "object", "additionalProperties" : { "type" : "array", "items" : { "type" : "string" } } } } } } }, "response" : { "title" : "Response", "description" : "The response details for an access event", "type" : "object", "properties" : { "status" : { "title" : "Response status", "description" : "The response status for an access event", "type" : "string" }, "statusCode" : { "title" : "Response status code", "description" : "The response status code for an access event", "type" : "string" }, "detail" : { "title" : "Response detail", "description" : "The response detail for an access event", "type" : "object" }, "elapsedTime" : { "title" : "Response elapsed time", "description" : "The response elapsedTime for an access event", "type" : "integer" }, "elapsedTimeUnits" : { "title" : "Response elapsed time units", "description" : "The response elapsed time units for an access event", "type" : "string" } } }, "runAs" : { "title" : "Run as", "description" : "What the change that triggered an activity or config event was run as", "type" : "string" }, "objectId" : { "title" : "Object ID", "description" : "The object ID of the change that triggered an activity or config event", "type" : "string" }, "operation" : { "title" : "Operation", "description" : "The operation that triggered an activity or config event", "type" : "string" }, "before" : { "title" : "Before state", "description" : "The state before an activity or config event occurred", "type" : "object" }, "after" : { "title" : "After state", "description" : "The state after an activity or config event occurred", "type" : "object" }, "changedFields" : { "title" : "Changed fields", "description" : "The changed fields after an activity or config event occurred", "type" : "array", "items" : { "id" : "1", "type" : "string" } }, "revision" : { "title" : "Revision", "description" : "The revision for an activity or config event", "type" : "string" }, "result" : { "title" : "Result", "description" : "The result of the authentication event", "type" : "string" }, "principal" : { "title" : "Principal", "description" : "The principal responsible for the authentication event", "type" : "array", "items" : { "type" : "string" } }, "context" : { "title" : "Context", "description" : "The context of an authentication event", "type" : "object", "properties" : { } }, "entries" : { "title" : "Entries", "description" : "The entries for an authentication event", "type" : "array", "items" : { "type" : "object", "properties" : { "moduleId" : { "title" : "Module ID", "description" : "The module ID for the authentication event", "type" : "string" }, "result" : { "title" : "Module result", "description" : "The result of the module authentication event", "type" : "string" }, "info" : { "title" : "Entries information", "description" : "The entries information for an authentication event", "type" : "object", "properties" : { } } } } } }, "required" : [ "transactionId", "timestamp" ] }
Global Operations
Audit events are logged through the global audit service.
Resource path:
/global-audit/{topic}
Resource version: 1.0
create
Create a new audit event, which will be handled and logged by the configured audit service.
Usage
am> create AuditEvent --global --topic topic --body body
Parameters
- --topic
-
Audit events are logged through the global audit service.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "$schema" : "http://json-schema.org/draft-04/schema#", "description" : "The schema contains properties that are common to all topics and some that are unique to a specific topic. The description of each property indicates which topic the property applies to.", "title" : "Audit event schema", "type" : "object", "properties" : { "_id" : { "title" : "ID", "description" : "The ID of the event, used by all topics", "type" : "string" }, "timestamp" : { "title" : "Timestamp", "description" : "The time at which the event occurred, used by all topics", "type" : "string" }, "eventName" : { "title" : "Event name", "description" : "The name of the event, used by all topics", "type" : "string" }, "transactionId" : { "title" : "Transaction ID", "description" : "The transaction ID of the event, used by all topics", "type" : "string" }, "userId" : { "title" : "User ID", "description" : "The ID of the user responsible for the event, used by all topics", "type" : "string" }, "trackingIds" : { "title" : "Tracking IDs", "description" : "The tracking IDs of the event, used by all topics", "type" : "array", "items" : { "id" : "0", "type" : "string" } }, "component" : { "title" : "Component", "description" : "The component responsible for the event, used by all topics", "type" : "string" }, "realm" : { "title" : "Realm", "description" : "The realm in which the event occurred, used by all topics", "type" : "string" }, "server" : { "title" : "Server", "description" : "The server details for an access event", "type" : "object", "properties" : { "ip" : { "title" : "Server IP address", "description" : "The server ip address for an access event", "type" : "string" }, "port" : { "title" : "Server port", "description" : "The server port for an access event", "type" : "integer" } } }, "client" : { "title" : "Client", "description" : "The client details for an access event", "type" : "object", "properties" : { "ip" : { "title" : "Client IP address", "description" : "The client IP address for an access event", "type" : "string" }, "port" : { "title" : "Client port", "description" : "The client port for an access event", "type" : "integer" } } }, "request" : { "title" : "Request", "description" : "The request details for an access event", "type" : "object", "properties" : { "protocol" : { "title" : "Request protocol", "description" : "The request protocol for an access event", "type" : "string" }, "operation" : { "title" : "Request operation", "description" : "The request operation for an access event", "type" : "string" }, "detail" : { "title" : "Request detail", "description" : "The request detail for an access event", "type" : "object" } } }, "http" : { "title" : "Http details", "description" : "The Http details for an access event", "type" : "object", "properties" : { "request" : { "title" : "Http request", "description" : "The http request for an access event", "type" : "object", "properties" : { "secure" : { "title" : "Http secure", "description" : "The http secure property for an access event", "type" : "boolean" }, "method" : { "title" : "Http method", "description" : "The http method for an access event", "type" : "string" }, "path" : { "title" : "Http path", "description" : "The http path for an access event", "type" : "string" }, "queryParameters" : { "title" : "Http query parameters", "description" : "The http query parameters for an access event", "type" : "object", "additionalProperties" : { "type" : "array", "items" : { "type" : "string" } } }, "headers" : { "title" : "Http headers", "description" : "The http headers for an access event", "type" : "object", "additionalProperties" : { "type" : "array", "items" : { "type" : "string" } } }, "cookies" : { "title" : "Http cookies", "description" : "The http cookies for an access event", "type" : "object", "additionalProperties" : { "type" : "string" } } } }, "response" : { "title" : "Http response", "description" : "The http response for an access event", "type" : "object", "properties" : { "headers" : { "title" : "Http request headers", "description" : "The http request headers for an access event", "type" : "object", "additionalProperties" : { "type" : "array", "items" : { "type" : "string" } } } } } } }, "response" : { "title" : "Response", "description" : "The response details for an access event", "type" : "object", "properties" : { "status" : { "title" : "Response status", "description" : "The response status for an access event", "type" : "string" }, "statusCode" : { "title" : "Response status code", "description" : "The response status code for an access event", "type" : "string" }, "detail" : { "title" : "Response detail", "description" : "The response detail for an access event", "type" : "object" }, "elapsedTime" : { "title" : "Response elapsed time", "description" : "The response elapsedTime for an access event", "type" : "integer" }, "elapsedTimeUnits" : { "title" : "Response elapsed time units", "description" : "The response elapsed time units for an access event", "type" : "string" } } }, "runAs" : { "title" : "Run as", "description" : "What the change that triggered an activity or config event was run as", "type" : "string" }, "objectId" : { "title" : "Object ID", "description" : "The object ID of the change that triggered an activity or config event", "type" : "string" }, "operation" : { "title" : "Operation", "description" : "The operation that triggered an activity or config event", "type" : "string" }, "before" : { "title" : "Before state", "description" : "The state before an activity or config event occurred", "type" : "object" }, "after" : { "title" : "After state", "description" : "The state after an activity or config event occurred", "type" : "object" }, "changedFields" : { "title" : "Changed fields", "description" : "The changed fields after an activity or config event occurred", "type" : "array", "items" : { "id" : "1", "type" : "string" } }, "revision" : { "title" : "Revision", "description" : "The revision for an activity or config event", "type" : "string" }, "result" : { "title" : "Result", "description" : "The result of the authentication event", "type" : "string" }, "principal" : { "title" : "Principal", "description" : "The principal responsible for the authentication event", "type" : "array", "items" : { "type" : "string" } }, "context" : { "title" : "Context", "description" : "The context of an authentication event", "type" : "object", "properties" : { } }, "entries" : { "title" : "Entries", "description" : "The entries for an authentication event", "type" : "array", "items" : { "type" : "object", "properties" : { "moduleId" : { "title" : "Module ID", "description" : "The module ID for the authentication event", "type" : "string" }, "result" : { "title" : "Module result", "description" : "The result of the module authentication event", "type" : "string" }, "info" : { "title" : "Entries information", "description" : "The entries information for an authentication event", "type" : "object", "properties" : { } } } } } }, "required" : [ "transactionId", "timestamp" ] }
AuditLogging
Realm Operations
Resource path:
/realm-config/services/audit
Resource version: 2.0
create
Usage
am> create AuditLogging --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "whitelistFieldFilters" : { "title" : "Field whitelist filters", "description" : "OpenAM has a predefined whitelist built-in that only records values that do not contain sensitive information. Use this property to whitelist fields in addition to the built-in list. <p> Each field filter should be provided using a JSON Pointer-like syntax which is prefixed with the event's topic. The topic will be one of <code>access</code>, <code>activity</code>, <code>authentication</code>, or <code>config</code>.<p> For example, to record the values of the <code>Accept-Language</code> HTTP header in <em>access</em> events, the pointer is <code>/access/http/request/headers/accept-language</code>.", "propertyOrder" : 200, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "auditEnabled" : { "title" : "Audit logging", "description" : "Enable audit logging in OpenAM.", "propertyOrder" : 100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "blacklistFieldFilters" : { "title" : "Field blacklist filters", "description" : "Blacklist filters can be used to remove audit event fields which are whitelisted by default. These are fields which are safe to log but which you have decided are not necessary for your requirements. <p> Each field filter should be provided using a JSON Pointer-like syntax which is prefixed with the event's topic. The topic will be one of <code>access</code>, <code>activity</code>, <code>authentication</code>, or <code>config</code>.<p> For example, you might want to filter out surnames by hiding the <code>sn</code> field from <em>activity</em> events. To do so, add the following pointers to the Field blacklist filters list: <ul><li><code>/activity/before/sn</code></li><li><code>/activity/after/sn</code></li></ul>", "propertyOrder" : 300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuditLogging --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuditLogging --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuditLogging --realm Realm --actionName nextdescendents
update
Usage
am> update AuditLogging --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "whitelistFieldFilters" : { "title" : "Field whitelist filters", "description" : "OpenAM has a predefined whitelist built-in that only records values that do not contain sensitive information. Use this property to whitelist fields in addition to the built-in list. <p> Each field filter should be provided using a JSON Pointer-like syntax which is prefixed with the event's topic. The topic will be one of <code>access</code>, <code>activity</code>, <code>authentication</code>, or <code>config</code>.<p> For example, to record the values of the <code>Accept-Language</code> HTTP header in <em>access</em> events, the pointer is <code>/access/http/request/headers/accept-language</code>.", "propertyOrder" : 200, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "auditEnabled" : { "title" : "Audit logging", "description" : "Enable audit logging in OpenAM.", "propertyOrder" : 100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "blacklistFieldFilters" : { "title" : "Field blacklist filters", "description" : "Blacklist filters can be used to remove audit event fields which are whitelisted by default. These are fields which are safe to log but which you have decided are not necessary for your requirements. <p> Each field filter should be provided using a JSON Pointer-like syntax which is prefixed with the event's topic. The topic will be one of <code>access</code>, <code>activity</code>, <code>authentication</code>, or <code>config</code>.<p> For example, you might want to filter out surnames by hiding the <code>sn</code> field from <em>activity</em> events. To do so, add the following pointers to the Field blacklist filters list: <ul><li><code>/activity/before/sn</code></li><li><code>/activity/after/sn</code></li></ul>", "propertyOrder" : 300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }
Global Operations
Resource path:
/global-config/services/audit
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuditLogging --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuditLogging --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuditLogging --global --actionName nextdescendents
update
Usage
am> update AuditLogging --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "whitelistFieldFilters" : { "title" : "Field whitelist filters", "description" : "OpenAM has a predefined whitelist built-in that only records values that do not contain sensitive information. Use this property to whitelist fields in addition to the built-in list. <p> Each field filter should be provided using a JSON Pointer-like syntax which is prefixed with the event's topic. The topic will be one of <code>access</code>, <code>activity</code>, <code>authentication</code>, or <code>config</code>.<p> For example, to record the values of the <code>Accept-Language</code> HTTP header in <em>access</em> events, the pointer is <code>/access/http/request/headers/accept-language</code>.", "propertyOrder" : 200, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "blacklistFieldFilters" : { "title" : "Field blacklist filters", "description" : "Blacklist filters can be used to remove audit event fields which are whitelisted by default. These are fields which are safe to log but which you have decided are not necessary for your requirements. <p> Each field filter should be provided using a JSON Pointer-like syntax which is prefixed with the event's topic. The topic will be one of <code>access</code>, <code>activity</code>, <code>authentication</code>, or <code>config</code>.<p> For example, you might want to filter out surnames by hiding the <code>sn</code> field from <em>activity</em> events. To do so, add the following pointers to the Field blacklist filters list: <ul><li><code>/activity/before/sn</code></li><li><code>/activity/after/sn</code></li></ul>", "propertyOrder" : 300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "auditEnabled" : { "title" : "Audit logging", "description" : "Enable audit logging in OpenAM.", "propertyOrder" : 100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "defaults" : { "properties" : { "blacklistFieldFilters" : { "title" : "Field blacklist filters", "description" : "Blacklist filters can be used to remove audit event fields which are whitelisted by default. These are fields which are safe to log but which you have decided are not necessary for your requirements. <p> Each field filter should be provided using a JSON Pointer-like syntax which is prefixed with the event's topic. The topic will be one of <code>access</code>, <code>activity</code>, <code>authentication</code>, or <code>config</code>.<p> For example, you might want to filter out surnames by hiding the <code>sn</code> field from <em>activity</em> events. To do so, add the following pointers to the Field blacklist filters list: <ul><li><code>/activity/before/sn</code></li><li><code>/activity/after/sn</code></li></ul>", "propertyOrder" : 300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "auditEnabled" : { "title" : "Audit logging", "description" : "Enable audit logging in OpenAM.", "propertyOrder" : 100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "whitelistFieldFilters" : { "title" : "Field whitelist filters", "description" : "OpenAM has a predefined whitelist built-in that only records values that do not contain sensitive information. Use this property to whitelist fields in addition to the built-in list. <p> Each field filter should be provided using a JSON Pointer-like syntax which is prefixed with the event's topic. The topic will be one of <code>access</code>, <code>activity</code>, <code>authentication</code>, or <code>config</code>.<p> For example, to record the values of the <code>Accept-Language</code> HTTP header in <em>access</em> events, the pointer is <code>/access/http/request/headers/accept-language</code>.", "propertyOrder" : 200, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } }, "type" : "object", "title" : "Realm Defaults" } } }
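The whitelist and blacklist field filters described in the AuditLogging schemas above (realm and global) share one syntax: a leading slash, the event topic, then a JSON Pointer into the event. The following is an added example, not Amster's or AM's code; it models only that documented syntax and the documented rule that a field is logged when it is on the built-in or configured whitelist and not on the blacklist. AM's built-in whitelist is not on this page, so it is passed in as a parameter, and the sample event is constructed.

```python
"""Model of the AuditLogging field filter syntax: "/" + topic + JSON Pointer.

Added example, not code from Amster or AM. It follows the schema text on this
page only; AM's real filter implementation and built-in whitelist are not shown
here, so the built-in list is an input and the sample event is constructed.
"""
import copy
from typing import Any, Dict, List, Tuple

# The four topics named in the schema description.
TOPICS = ("access", "activity", "authentication", "config")


def parse_field_filter(pointer: str) -> Tuple[str, List[str]]:
    """Split "/activity/before/sn" into ("activity", ["before", "sn"]).

    Raises ValueError when the pointer has no leading "/", names an unknown
    topic, contains an empty segment, or has no field path after the topic.
    """
    if not pointer.startswith("/"):
        raise ValueError(f"field filter must start with '/': {pointer!r}")
    # JSON Pointer unescaping: "~1" is "/" and "~0" is "~", in that order.
    parts = [p.replace("~1", "/").replace("~0", "~") for p in pointer.split("/")[1:]]
    if len(parts) < 2 or parts[0] not in TOPICS or "" in parts:
        raise ValueError(f"field filter must be /<topic>/<field path>: {pointer!r}")
    return parts[0], parts[1:]


def field_is_recorded(topic: str, pointer: str, builtin_whitelist: List[str],
                      whitelist: List[str], blacklist: List[str]) -> bool:
    """True when the field would be written to the audit log for this topic.

    Assumed rule from the schema text: recorded if on the built-in or the
    configured whitelist, unless the blacklist removes it again.
    """
    f_topic, _ = parse_field_filter(pointer)
    if f_topic != topic:
        return False
    allowed = set(builtin_whitelist) | set(whitelist)
    return pointer in allowed and pointer not in blacklist


def _remove_path(obj: Any, path: List[str]) -> bool:
    """Delete the field at path inside nested dict obj; True if removed.

    Only object keys are handled; array indices are not modelled here.
    """
    for key in path[:-1]:
        if not isinstance(obj, dict) or key not in obj:
            return False
        obj = obj[key]
    if isinstance(obj, dict) and path[-1] in obj:
        del obj[path[-1]]
        return True
    return False


def apply_blacklist(topic: str, event: Dict[str, Any],
                    blacklist: List[str]) -> Dict[str, Any]:
    """Return a copy of event with every blacklisted field of this topic removed.

    Filters prefixed with another topic are skipped: each filter applies only
    to the topic it names. The input event is left untouched.
    """
    redacted = copy.deepcopy(event)
    for f in blacklist:
        f_topic, path = parse_field_filter(f)
        if f_topic == topic:
            _remove_path(redacted, path)
    return redacted


# Constructed sample activity event (not a real AM log record).
SAMPLE_ACTIVITY_EVENT = {
    "_id": "example-id",
    "eventName": "AM-ACTIVITY-UPDATE",
    "before": {"uid": "demo", "sn": "Doe", "mail": "demo@example.com"},
    "after": {"uid": "demo", "sn": "Roe", "mail": "demo@example.com"},
}

# The blacklist from the schema description: hide surnames in activity events.
SURNAME_BLACKLIST = ["/activity/before/sn", "/activity/after/sn"]

if __name__ == "__main__":
    import json
    print(json.dumps(apply_blacklist("activity", SAMPLE_ACTIVITY_EVENT,
                                     SURNAME_BLACKLIST), indent=2))
```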
AuthLevelDecision
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/AuthLevelDecisionNode
Resource version: 2.0
create
Usage
am> create AuthLevelDecision --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "authLevelRequirement" : { "title" : "Sufficient Authentication Level", "description" : "The current authentication level must be greater than or equal to this value for the decision to return true.", "propertyOrder" : 100, "type" : "integer", "exampleValue" : "" } }, "required" : [ "authLevelRequirement" ] }
delete
Usage
am> delete AuthLevelDecision --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthLevelDecision --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthLevelDecision --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action AuthLevelDecision --realm Realm --body body --actionName listOutcomes
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuthLevelDecision --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AuthLevelDecision --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read AuthLevelDecision --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update AuthLevelDecision --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "authLevelRequirement" : { "title" : "Sufficient Authentication Level", "description" : "The current authentication level must be greater than or equal to this value for the decision to return true.", "propertyOrder" : 100, "type" : "integer", "exampleValue" : "" } }, "required" : [ "authLevelRequirement" ] }
AuthTree
Realm Operations
Authentication trees.
Resource path:
/realm-config/authentication/authenticationtrees/trees
Resource version: 2.0
clone
Creates a new tree and underlying set of nodes with the same node configurations as the cloned tree.
Usage
am> action AuthTree --realm Realm --body body --actionName clone
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "newId" : { "type" : "string", "title" : "New Tree ID", "description" : "The ID for the tree that will be created." } } }
create
Usage
am> create AuthTree --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "description" : "A tree contains a set of nodes and their connections.", "type" : "object", "title" : "Authentication Tree", "properties" : { "description" : { "type" : "string", "title" : "Description", "description" : "A description of the tree." }, "enabled" : { "type" : "boolean", "title" : "Enabled", "description" : "Whether the tree is enabled." }, "innerTreeOnly" : { "type" : "boolean", "title" : "Inner Tree Only", "description" : "Whether the tree can be executed only as an inner tree." }, "nodes" : { "type" : "object", "title" : "Nodes", "description" : "A map of node ID to node association details.", "patternProperties" : { ".*" : { "type" : "object", "title" : "Node", "description" : "A association of a node with a tree.", "properties" : { "connections" : { "type" : "object", "title" : "Connections", "description" : "The node's connected outcomes.", "patternProperties" : { ".*" : { "type" : "string", "title" : "Node ID", "description" : "The ID of the node that this outcome connects to." } } }, "x" : { "type" : "string", "title" : "tree.node.x", "description" : "tree.node.x.description" }, "y" : { "type" : "string", "title" : "tree.node.y", "description" : "tree.node.y.description" }, "_outcomes" : { "type" : "array", "title" : "Outcomes", "description" : "The node's complete set of outcomes.", "readOnly" : true, "items" : { "type" : "object", "title" : "Outcome", "description" : "A possible outcome of the node.", "readOnly" : true, "properties" : { "id" : { "type" : "string", "title" : "ID", "description" : "The identifier of the outcome.", "readOnly" : true }, "displayName" : { "type" : "string", "title" : "Display Name", "description" : "The display name of the outcome, in the requester's preferred locale.", "readOnly" : true } } } } } } } }, "staticNodes" : { "type" : "object", "title" : "Static Nodes", "description" : "A map of node ID to node layout positions for the static nodes, start, success and failure.", "patternProperties" : { ".*" : { "type" : "object", "title" : "Node", "description" : "A association of a node with a tree.", "properties" : { "x" : { "type" : "string", "title" : "tree.node.x", "description" : "tree.node.x.description" }, "y" : { "type" : "string", "title" : "tree.node.y", "description" : "tree.node.y.description" } } } } }, "uiConfig" : { "type" : "object", "title" : "UI Configuration", "description" : "Optional key-value map to hold implementation-specific client properties.", "patternProperties" : { ".*" : { "type" : "string" } } }, "identityResource" : { "type" : "string", "title" : "Identity Resource", "description" : "Optional IDM identity resource, e.g. managed/user." } } }
delete
Usage
am> delete AuthTree --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthTree --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthTree --realm Realm --actionName getCreatableTypes
getIds
Get the names of each tree configured in this realm.
Usage
am> action AuthTree --realm Realm --actionName getIds
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuthTree --realm Realm --actionName nextdescendents
query
Query for all authentication trees. Only a query filter of 'true' is supported.
Usage
am> query AuthTree --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read AuthTree --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update AuthTree --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "description" : "A tree contains a set of nodes and their connections.", "type" : "object", "title" : "Authentication Tree", "properties" : { "description" : { "type" : "string", "title" : "Description", "description" : "A description of the tree." }, "enabled" : { "type" : "boolean", "title" : "Enabled", "description" : "Whether the tree is enabled." }, "innerTreeOnly" : { "type" : "boolean", "title" : "Inner Tree Only", "description" : "Whether the tree can be executed only as an inner tree." }, "nodes" : { "type" : "object", "title" : "Nodes", "description" : "A map of node ID to node association details.", "patternProperties" : { ".*" : { "type" : "object", "title" : "Node", "description" : "A association of a node with a tree.", "properties" : { "connections" : { "type" : "object", "title" : "Connections", "description" : "The node's connected outcomes.", "patternProperties" : { ".*" : { "type" : "string", "title" : "Node ID", "description" : "The ID of the node that this outcome connects to." } } }, "x" : { "type" : "string", "title" : "tree.node.x", "description" : "tree.node.x.description" }, "y" : { "type" : "string", "title" : "tree.node.y", "description" : "tree.node.y.description" }, "_outcomes" : { "type" : "array", "title" : "Outcomes", "description" : "The node's complete set of outcomes.", "readOnly" : true, "items" : { "type" : "object", "title" : "Outcome", "description" : "A possible outcome of the node.", "readOnly" : true, "properties" : { "id" : { "type" : "string", "title" : "ID", "description" : "The identifier of the outcome.", "readOnly" : true }, "displayName" : { "type" : "string", "title" : "Display Name", "description" : "The display name of the outcome, in the requester's preferred locale.", "readOnly" : true } } } } } } } }, "staticNodes" : { "type" : "object", "title" : "Static Nodes", "description" : "A map of node ID to node layout positions for the static nodes, start, success and failure.", "patternProperties" : { ".*" : { "type" : "object", "title" : "Node", "description" : "A association of a node with a tree.", "properties" : { "x" : { "type" : "string", "title" : "tree.node.x", "description" : "tree.node.x.description" }, "y" : { "type" : "string", "title" : "tree.node.y", "description" : "tree.node.y.description" } } } } }, "uiConfig" : { "type" : "object", "title" : "UI Configuration", "description" : "Optional key-value map to hold implementation-specific client properties.", "patternProperties" : { ".*" : { "type" : "string" } } }, "identityResource" : { "type" : "string", "title" : "Identity Resource", "description" : "Optional IDM identity resource, e.g. managed/user." } } }
validate
Validates a tree giving errors and warnings.
Usage
am> action AuthTree --realm Realm --body body --actionName validate
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "description" : "A tree contains a set of nodes and their connections.", "type" : "object", "title" : "Authentication Tree", "properties" : { "description" : { "type" : "string", "title" : "Description", "description" : "A description of the tree." }, "enabled" : { "type" : "boolean", "title" : "Enabled", "description" : "Whether the tree is enabled." }, "innerTreeOnly" : { "type" : "boolean", "title" : "Inner Tree Only", "description" : "Whether the tree can be executed only as an inner tree." }, "nodes" : { "type" : "object", "title" : "Nodes", "description" : "A map of node ID to node association details.", "patternProperties" : { ".*" : { "type" : "object", "title" : "Node", "description" : "A association of a node with a tree.", "properties" : { "connections" : { "type" : "object", "title" : "Connections", "description" : "The node's connected outcomes.", "patternProperties" : { ".*" : { "type" : "string", "title" : "Node ID", "description" : "The ID of the node that this outcome connects to." } } }, "x" : { "type" : "string", "title" : "tree.node.x", "description" : "tree.node.x.description" }, "y" : { "type" : "string", "title" : "tree.node.y", "description" : "tree.node.y.description" }, "_outcomes" : { "type" : "array", "title" : "Outcomes", "description" : "The node's complete set of outcomes.", "readOnly" : true, "items" : { "type" : "object", "title" : "Outcome", "description" : "A possible outcome of the node.", "readOnly" : true, "properties" : { "id" : { "type" : "string", "title" : "ID", "description" : "The identifier of the outcome.", "readOnly" : true }, "displayName" : { "type" : "string", "title" : "Display Name", "description" : "The display name of the outcome, in the requester's preferred locale.", "readOnly" : true } } } } } } } }, "staticNodes" : { "type" : "object", "title" : "Static Nodes", "description" : "A map of node ID to node layout positions for the static nodes, start, success and failure.", "patternProperties" : { ".*" : { "type" : "object", "title" : "Node", "description" : "A association of a node with a tree.", "properties" : { "x" : { "type" : "string", "title" : "tree.node.x", "description" : "tree.node.x.description" }, "y" : { "type" : "string", "title" : "tree.node.y", "description" : "tree.node.y.description" } } } } }, "uiConfig" : { "type" : "object", "title" : "UI Configuration", "description" : "Optional key-value map to hold implementation-specific client properties.", "patternProperties" : { ".*" : { "type" : "string" } } }, "identityResource" : { "type" : "string", "title" : "Identity Resource", "description" : "Optional IDM identity resource, e.g. managed/user." } } }
AuthenticateThing
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/IotAuthenticationNode
Resource version: 2.0
create
Usage
am> create AuthenticateThing --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "jwtAuthenticationMethod" : { "title" : "JWT Authentication Method", "description" : "Choose the required JWT authentication method.</br><p>Proof of Possession: Prove that the signer of the JWT is the owner of the key by including a challenge nonce in the JWT. Validation will be done in accordance with the <a href=\"https://tools.ietf.org/html/rfc7800\">JWT Proof of Possession specification</a>.</p><p>Client Assertion: Present a JWT Bearer token for authentication. Validation will be done in accordance with the <a href=\"https://datatracker.ietf.org/doc/html/rfc7523#section-3\">OAuth 2.0 JWT Profile for Client Authentication</a>.</p>", "propertyOrder" : 10, "type" : "string", "exampleValue" : "" }, "additionalAudienceValues" : { "title" : "Additional Audience Values", "description" : "The additional audience values that will be permitted when verifying JWTs. These audience values will be in addition to the AM base, issuer and token endpoint URIs for the Client Assertion authentication method or the realm path for Proof of Possession.", "propertyOrder" : 30, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "issueRestrictedToken" : { "title" : "Issue Restricted Token", "description" : "The session token issued on successful authentication will be modified by adding a proof of possession restriction to it. Any requests accompanied by the token must be signed with the key that was used to sign the authentication JWT.", "propertyOrder" : 20, "type" : "boolean", "exampleValue" : "" } }, "required" : [ "jwtAuthenticationMethod", "additionalAudienceValues", "issueRestrictedToken" ] }
delete
Usage
am> delete AuthenticateThing --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticateThing --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthenticateThing --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action AuthenticateThing --realm Realm --body body --actionName listOutcomes
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuthenticateThing --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
Usage
am> query AuthenticateThing --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read AuthenticateThing --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update AuthenticateThing --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "jwtAuthenticationMethod" : { "title" : "JWT Authentication Method", "description" : "Choose the required JWT authentication method.</br><p>Proof of Possession: Prove that the signer of the JWT is the owner of the key by including a challenge nonce in the JWT. Validation will be done in accordance with the <a href=\"https://tools.ietf.org/html/rfc7800\">JWT Proof of Possession specification</a>.</p><p>Client Assertion: Present a JWT Bearer token for authentication. Validation will be done in accordance with the <a href=\"https://datatracker.ietf.org/doc/html/rfc7523#section-3\">OAuth 2.0 JWT Profile for Client Authentication</a>.</p>", "propertyOrder" : 10, "type" : "string", "exampleValue" : "" }, "additionalAudienceValues" : { "title" : "Additional Audience Values", "description" : "The additional audience values that will be permitted when verifying JWTs. These audience values will be in addition to the AM base, issuer and token endpoint URIs for the Client Assertion authentication method or the realm path for Proof of Possession.", "propertyOrder" : 30, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "issueRestrictedToken" : { "title" : "Issue Restricted Token", "description" : "The session token issued on successful authentication will be modified by adding a proof of possession restriction to it. Any requests accompanied by the token must be signed with the key that was used to sign the authentication JWT.", "propertyOrder" : 20, "type" : "boolean", "exampleValue" : "" } }, "required" : [ "jwtAuthenticationMethod", "additionalAudienceValues", "issueRestrictedToken" ] }
Authentication
Realm Operations
Resource path:
/realm-config/authentication
Resource version: 2.0
create
Usage
am> create Authentication --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "trees" : { "type" : "object", "title" : "Trees", "propertyOrder" : 4, "properties" : { "authenticationSessionsMaxDuration" : { "title" : "Max duration (minutes)", "description" : "Specify how long an authentication session can last.<br><br>From the time an authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed.", "propertyOrder" : 3860, "required" : true, "type" : "integer", "exampleValue" : "" }, "suspendedAuthenticationTimeout" : { "title" : "Suspended authentication duration (minutes)", "description" : "Specify how long a suspended authentication session can last.<br><br>From the time a suspended authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed. This timeout should be less than or equal to the authentication session’s timeout value.", "propertyOrder" : 3870, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationSessionsStateManagement" : { "title" : "Authentication session state management scheme", "description" : "Specify how the authentication session state is managed.<br><br>CTS option will write the state down to the underlying core token store.<br />JWT option will transmit the state in a JWT to the client.<br />In-Memory option will maintain the state in the memory (requires sticky loadbalancing).<br /><br /> <em>To configure JWT signing, encryption, and denylisting use the options in the Client-Side Sessions section of the Sessions global service.</em>", "propertyOrder" : 3850, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationSessionsWhitelist" : { "title" : "Enable Allowlisting", "description" : "Enables explicit allowlisting of valid authentication states to prevent replay attacks.<br><br>If enabled, each time a response is sent to the user a randomly generated state parameter is also sent back to user. This state parameter is stored accessible to AM and must be sent in with the subsequent request. After a request has been received with a valid state parameter, the next response contains a new state, and the server's view of the valid state parameter is updated.", "propertyOrder" : 3880, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationTreeCookieHttpOnly" : { "title" : "Stops sending tokenId", "description" : "Stops sending tokenId when HttpOnly cookies are on.<br><br>If enabled and HttpOnly cookies are on, the tree authentication will not return tokenId.", "propertyOrder" : 3885, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "accountlockout" : { "type" : "object", "title" : "Account Lockout", "propertyOrder" : 2, "properties" : { "loginFailureDuration" : { "title" : "Login Failure Lockout Interval", "description" : "The lockout interval time is in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5; the user will have to have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. Failed authentications the occurred outside of the 5 minute interval are ignored.", "propertyOrder" : 1000, "required" : true, "type" : "integer", "exampleValue" : "" }, "lockoutDuration" : { "title" : "Login Failure Lockout Duration", "description" : "The duration of the users account lockout, in minutes.<br><br>OpenAM can either lockout the users account indefinitely (until administration action) by setting the duration to 0, (the default) or OpenAM can lock the users account for a given number of minutes. After the lockout interval, the user will be able to successfully authenticate to OpenAM.", "propertyOrder" : 1300, "required" : true, "type" : "integer", "exampleValue" : "" }, "lockoutEmailAddress" : { "title" : "Email Address to Send Lockout Notification", "description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. The contents of the email message is configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "lockoutAttributeValue" : { "title" : "Lockout Attribute Value", "description" : "Value to set in custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the users profile when they account is locked.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "" }, "lockoutAttributeName" : { "title" : "Lockout Attribute Name", "description" : "Name of custom lockout attribute <br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. In addition, OpenAM can set the value of another attribute in the users profile. ", "propertyOrder" : 1500, "required" : true, "type" : "string", "exampleValue" : "" }, "loginFailureLockoutMode" : { "title" : "Login Failure Lockout Mode", "description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and if a pre-defined limit is breached, OpenAM can lockout the users account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.", "propertyOrder" : 800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "lockoutWarnUserCount" : { "title" : "Warn User After N Failures", "description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.", "propertyOrder" : 1200, "required" : true, "type" : "integer", "exampleValue" : "" }, "lockoutDurationMultiplier" : { "title" : "Lockout Duration Multiplier", "description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function. ", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "invalidAttemptsDataAttributeName" : { "title" : "Invalid Attempts Data Attribute Name", "description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the users profile. This allows multiple instances of OpenAM in the same site to share information about a users invalid authentication attempts. By default the custom attribute; <code>sunAMAuthInvalidAttemptsData</code> defined in the <code>sunAMAuthAccountLockout</code> objectclass is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" }, "loginFailureCount" : { "title" : "Login Failure Lockout Count", "description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the users account.", "propertyOrder" : 900, "required" : true, "type" : "integer", "exampleValue" : "" }, "storeInvalidAttemptsInDataStore" : { "title" : "Store Invalid Attempts in Data Store", "description" : "Enables sharing of login failure attempts across AM Instances<br><br>When this setting is enabled AM will store the user's invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property. This setting only applies to authentication modules and chains; authentication trees will <i>always</i> write their account lockout progress and status to the data store.", "propertyOrder" : 2700, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "core" : { "type" : "object", "title" : "Core", "propertyOrder" : -1, "properties" : { "adminAuthModule" : { "title" : "Administrator Authentication Configuration", "description" : "Default Authentication Service for administrators<br><br>This is the authentication service that will be used to authentication administrative users to this realm.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "orgConfig" : { "title" : "Organization Authentication Configuration", "description" : "Default Authentication Service for users<br><br>This is the authentication service that will be used to authenticate users to this realm.", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" } } }, "postauthprocess" : { "type" : "object", "title" : "Post Authentication Processing", "propertyOrder" : 6, "properties" : { "loginPostProcessClass" : { "title" : "Authentication Post Processing Classes", "description" : "A list of post authentication processing classes for all users in this realm.<br><br>The list of Post-Processing Classes called by AM for all users that authenticate to this realm. Refer to the documentation for the places where the list of post authentication classes can be set. Realm-level post-authentication plugins are only called when no post-authentication plugin is configured for the authentication chain.<br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.", "propertyOrder" : 2000, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "usernameGeneratorEnabled" : { "title" : "Generate UserID Mode", "description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.", "propertyOrder" : 2100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "loginFailureUrl" : { "title" : "Default Failure Login URL ", "description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.", "propertyOrder" : 1900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "loginSuccessUrl" : { "title" : "Default Success Login URL", "description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.", "propertyOrder" : 1800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "usernameGeneratorClass" : { "title" : "Pluggable User Name Generator Class", "description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>", "propertyOrder" : 2200, "required" : true, "type" : "string", "exampleValue" : "" }, "userAttributeSessionMapping" : { "title" : "User Attribute Mapping to Session Attribute", "description" : "Mapping of user profile attribute name to session attribute name.<br><br>The setting causes OpenAM to read the named attributes from the users profile in the data store and store their values in the users session.<br/></br>Format: User Profile Attribute|Session Attribute name. ", "propertyOrder" : 3000, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "general" : { "type" : "object", "title" : "General", "propertyOrder" : 3, "properties" : { "defaultAuthLevel" : { "title" : "Default Authentication Level", "description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set it's own auth level then the module will have the default authentication level for the realm.", "propertyOrder" : 4100, "required" : true, "type" : "integer", "exampleValue" : "" }, "userStatusCallbackPlugins" : { "title" : "Pluggable User Status Event Classes", "description" : "List of classes to be called when status of the user account changes.<br><br>When the status of a users account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. The built in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.", "propertyOrder" : 2600, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "statelessSessionsEnabled" : { "title" : "Use Client-Side Sessions", "description" : "Enables client-side sessions.<br><br>Client-side sessions provide elastic scalability by storing all session state as a JWT in a cookie stored on the client. It is highly recommended to enable signing and encryption of the JWT in the global session service.", "propertyOrder" : 3800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "locale" : { "title" : "Default Authentication Locale", "description" : "", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "twoFactorRequired" : { "title" : "Two Factor Authentication Mandatory", "description" : "Enforces ALL 2FA (OATH and Push) authentication Modules (not nodes) only for this authentication realm.", "propertyOrder" : 3900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "identityType" : { "title" : "Identity Types", "description" : "", "propertyOrder" : 2500, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "externalLoginPageUrl" : { "title" : "External Login Page URL", "description" : "Link to the external login user interface.<br><br>If the authentication user interface is hosted separately from AM, its URL can be provided here. AM will use this URL for example when it's constructing the resume URI in case authentication is suspended in an authentication tree.", "propertyOrder" : 3910, "required" : true, "type" : "string", "exampleValue" : "" } } }, "userprofile" : { "type" : "object", "title" : "User Profile", "propertyOrder" : 0, "properties" : { "defaultRole" : { "title" : "User Profile Dynamic Creation Default Roles", "description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.", "propertyOrder" : 300, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "dynamicProfileCreation" : { "title" : "User Profile", "description" : "Controls the result of the user profile success post successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "aliasAttributeName" : { "title" : "Alias Search Attribute Name", "description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the users profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>A user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default) so uid=steve, if no match is found then cn=steve will be searched until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.", "propertyOrder" : 400, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "security" : { "type" : "object", "title" : "Security", "propertyOrder" : 5, "properties" : { "sharedSecret" : { "title" : "Organization Authentication Signing Secret", "description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>The shared secret for signing RESTful authentication requests. This secret should be Base-64 encoded and at least 128 bits in length. By default, a cryptographically secure random value is generated. <br/><br/><i>Note: This attribute is deprecated. If you're using a secret store of type Keystore, HSM, Google KMS, or Google Secret Manager, add a mapping for <code>am.authn.authid.signing.HMAC</code> instead.</i>", "propertyOrder" : 4000, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "zeroPageLoginAllowedWithoutReferrer" : { "title" : "Zero Page Login Allowed without Referer?", "description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.", "propertyOrder" : 3700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "keyAlias" : { "title" : "Persistent Cookie Encryption Certificate Alias", "description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests. This property is deprecated. Use the secret mapping am.authentication.nodes.persistentcookie.encryption instead. The password is ignored if the am.authentication.nodes.persistentcookie.encryption mapping is mapped.", "propertyOrder" : 3300, "required" : true, "type" : "string", "exampleValue" : "" }, "addClearSiteDataHeader" : { "title" : "Add clear-site-data Header on Logout", "description" : "If true then a clear-site-data header will be added to successful logout responses. 
This header will have the value '\"cache\", \"cookies\", \"storage\", \"executionContexts\"'", "propertyOrder" : 3920, "required" : true, "type" : "boolean", "exampleValue" : "" }, "zeroPageLoginEnabled" : { "title" : "Zero Page Login", "description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.", "propertyOrder" : 3400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "moduleBasedAuthEnabled" : { "title" : "Module Based Authentication", "description" : "Allows a user to authenticate via module based authentication.<br><br>The feature allow users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.", "propertyOrder" : 2800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "zeroPageLoginReferrerWhiteList" : { "title" : "Zero Page Login Referer Allowlist", "description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.", "propertyOrder" : 3600, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } } } }
update
Usage
am> update Authentication --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "trees" : { "type" : "object", "title" : "Trees", "propertyOrder" : 4, "properties" : { "authenticationSessionsMaxDuration" : { "title" : "Max duration (minutes)", "description" : "Specify how long an authentication session can last.<br><br>From the time an authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed.", "propertyOrder" : 3860, "required" : true, "type" : "integer", "exampleValue" : "" }, "suspendedAuthenticationTimeout" : { "title" : "Suspended authentication duration (minutes)", "description" : "Specify how long a suspended authentication session can last.<br><br>From the time a suspended authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed. This timeout should be less than or equal to the authentication session’s timeout value.", "propertyOrder" : 3870, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationSessionsStateManagement" : { "title" : "Authentication session state management scheme", "description" : "Specify how the authentication session state is managed.<br><br>CTS option will write the state down to the underlying core token store.<br />JWT option will transmit the state in a JWT to the client.<br />In-Memory option will maintain the state in the memory (requires sticky loadbalancing).<br /><br /> <em>To configure JWT signing, encryption, and denylisting use the options in the Client-Side Sessions section of the Sessions global service.</em>", "propertyOrder" : 3850, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationSessionsWhitelist" : { "title" : "Enable Allowlisting", "description" : "Enables explicit allowlisting of valid authentication states to prevent replay attacks.<br><br>If enabled, each time a response is sent to the user a randomly generated state parameter is 
also sent back to user. This state parameter is stored accessible to AM and must be sent in with the subsequent request. After a request has been received with a valid state parameter, the next response contains a new state, and the server's view of the valid state parameter is updated.", "propertyOrder" : 3880, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationTreeCookieHttpOnly" : { "title" : "Stops sending tokenId", "description" : "Stops sending tokenId when HttpOnly cookies are on.<br><br>If enabled and HttpOnly cookies are on, the tree authentication will not return tokenId.", "propertyOrder" : 3885, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "accountlockout" : { "type" : "object", "title" : "Account Lockout", "propertyOrder" : 2, "properties" : { "loginFailureDuration" : { "title" : "Login Failure Lockout Interval", "description" : "The lockout interval time is in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5; the user will have to have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. Failed authentications the occurred outside of the 5 minute interval are ignored.", "propertyOrder" : 1000, "required" : true, "type" : "integer", "exampleValue" : "" }, "lockoutDuration" : { "title" : "Login Failure Lockout Duration", "description" : "The duration of the users account lockout, in minutes.<br><br>OpenAM can either lockout the users account indefinitely (until administration action) by setting the duration to 0, (the default) or OpenAM can lock the users account for a given number of minutes. 
After the lockout interval, the user will be able to successfully authenticate to OpenAM.", "propertyOrder" : 1300, "required" : true, "type" : "integer", "exampleValue" : "" }, "lockoutEmailAddress" : { "title" : "Email Address to Send Lockout Notification", "description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. The contents of the email message is configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "lockoutAttributeValue" : { "title" : "Lockout Attribute Value", "description" : "Value to set in custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the users profile when they account is locked.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "" }, "lockoutAttributeName" : { "title" : "Lockout Attribute Name", "description" : "Name of custom lockout attribute <br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. In addition, OpenAM can set the value of another attribute in the users profile. 
", "propertyOrder" : 1500, "required" : true, "type" : "string", "exampleValue" : "" }, "loginFailureLockoutMode" : { "title" : "Login Failure Lockout Mode", "description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and if a pre-defined limit is breached, OpenAM can lockout the users account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.", "propertyOrder" : 800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "lockoutWarnUserCount" : { "title" : "Warn User After N Failures", "description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.", "propertyOrder" : 1200, "required" : true, "type" : "integer", "exampleValue" : "" }, "lockoutDurationMultiplier" : { "title" : "Lockout Duration Multiplier", "description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function. 
", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "invalidAttemptsDataAttributeName" : { "title" : "Invalid Attempts Data Attribute Name", "description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the users profile. This allows multiple instances of OpenAM in the same site to share information about a users invalid authentication attempts. By default the custom attribute; <code>sunAMAuthInvalidAttemptsData</code> defined in the <code>sunAMAuthAccountLockout</code> objectclass is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" }, "loginFailureCount" : { "title" : "Login Failure Lockout Count", "description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the users account.", "propertyOrder" : 900, "required" : true, "type" : "integer", "exampleValue" : "" }, "storeInvalidAttemptsInDataStore" : { "title" : "Store Invalid Attempts in Data Store", "description" : "Enables sharing of login failure attempts across AM Instances<br><br>When this setting is enabled AM will store the user's invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property. 
This setting only applies to authentication modules and chains; authentication trees will <i>always</i> write their account lockout progress and status to the data store.", "propertyOrder" : 2700, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "core" : { "type" : "object", "title" : "Core", "propertyOrder" : -1, "properties" : { "adminAuthModule" : { "title" : "Administrator Authentication Configuration", "description" : "Default Authentication Service for administrators<br><br>This is the authentication service that will be used to authentication administrative users to this realm.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "orgConfig" : { "title" : "Organization Authentication Configuration", "description" : "Default Authentication Service for users<br><br>This is the authentication service that will be used to authenticate users to this realm.", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" } } }, "postauthprocess" : { "type" : "object", "title" : "Post Authentication Processing", "propertyOrder" : 6, "properties" : { "loginPostProcessClass" : { "title" : "Authentication Post Processing Classes", "description" : "A list of post authentication processing classes for all users in this realm.<br><br>The list of Post-Processing Classes called by AM for all users that authenticate to this realm. Refer to the documentation for the places where the list of post authentication classes can be set. 
Realm-level post-authentication plugins are only called when no post-authentication plugin is configured for the authentication chain.<br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.", "propertyOrder" : 2000, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "usernameGeneratorEnabled" : { "title" : "Generate UserID Mode", "description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.", "propertyOrder" : 2100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "loginFailureUrl" : { "title" : "Default Failure Login URL ", "description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.", "propertyOrder" : 1900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "loginSuccessUrl" : { "title" : "Default Success Login URL", "description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. 
URL without http(s) protocol will be appended to the current URI of OpenAM.", "propertyOrder" : 1800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "usernameGeneratorClass" : { "title" : "Pluggable User Name Generator Class", "description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>", "propertyOrder" : 2200, "required" : true, "type" : "string", "exampleValue" : "" }, "userAttributeSessionMapping" : { "title" : "User Attribute Mapping to Session Attribute", "description" : "Mapping of user profile attribute name to session attribute name.<br><br>The setting causes OpenAM to read the named attributes from the users profile in the data store and store their values in the users session.<br/></br>Format: User Profile Attribute|Session Attribute name. ", "propertyOrder" : 3000, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "general" : { "type" : "object", "title" : "General", "propertyOrder" : 3, "properties" : { "defaultAuthLevel" : { "title" : "Default Authentication Level", "description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set it's own auth level then the module will have the default authentication level for the realm.", "propertyOrder" : 4100, "required" : true, "type" : "integer", "exampleValue" : "" }, "userStatusCallbackPlugins" : { "title" : "Pluggable User Status Event Classes", "description" : "List of classes to be called when status of the user account changes.<br><br>When the status of a users account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. 
The built in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.", "propertyOrder" : 2600, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "statelessSessionsEnabled" : { "title" : "Use Client-Side Sessions", "description" : "Enables client-side sessions.<br><br>Client-side sessions provide elastic scalability by storing all session state as a JWT in a cookie stored on the client. It is highly recommended to enable signing and encryption of the JWT in the global session service.", "propertyOrder" : 3800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "locale" : { "title" : "Default Authentication Locale", "description" : "", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "twoFactorRequired" : { "title" : "Two Factor Authentication Mandatory", "description" : "Enforces ALL 2FA (OATH and Push) authentication Modules (not nodes) only for this authentication realm.", "propertyOrder" : 3900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "identityType" : { "title" : "Identity Types", "description" : "", "propertyOrder" : 2500, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "externalLoginPageUrl" : { "title" : "External Login Page URL", "description" : "Link to the external login user interface.<br><br>If the authentication user interface is hosted separately from AM, its URL can be provided here. 
AM will use this URL for example when it's constructing the resume URI in case authentication is suspended in an authentication tree.", "propertyOrder" : 3910, "required" : true, "type" : "string", "exampleValue" : "" } } }, "userprofile" : { "type" : "object", "title" : "User Profile", "propertyOrder" : 0, "properties" : { "defaultRole" : { "title" : "User Profile Dynamic Creation Default Roles", "description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.", "propertyOrder" : 300, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "dynamicProfileCreation" : { "title" : "User Profile", "description" : "Controls the result of the user profile success post successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. 
Choose ignore if you do not have a data store configured in the realm.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "aliasAttributeName" : { "title" : "Alias Search Attribute Name", "description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the users profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>A user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default) so uid=steve, if no match is found then cn=steve will be searched until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.", "propertyOrder" : 400, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "security" : { "type" : "object", "title" : "Security", "propertyOrder" : 5, "properties" : { "sharedSecret" : { "title" : "Organization Authentication Signing Secret", "description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>The shared secret for signing RESTful authentication requests. This secret should be Base-64 encoded and at least 128 bits in length. By default, a cryptographically secure random value is generated. <br/><br/><i>Note: This attribute is deprecated. 
If you're using a secret store of type Keystore, HSM, Google KMS, or Google Secret Manager, add a mapping for <code>am.authn.authid.signing.HMAC</code> instead.</i>", "propertyOrder" : 4000, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "zeroPageLoginAllowedWithoutReferrer" : { "title" : "Zero Page Login Allowed without Referer?", "description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.", "propertyOrder" : 3700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "keyAlias" : { "title" : "Persistent Cookie Encryption Certificate Alias", "description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests. This property is deprecated. Use the secret mapping am.authentication.nodes.persistentcookie.encryption instead. The password is ignored if the am.authentication.nodes.persistentcookie.encryption mapping is mapped.", "propertyOrder" : 3300, "required" : true, "type" : "string", "exampleValue" : "" }, "addClearSiteDataHeader" : { "title" : "Add clear-site-data Header on Logout", "description" : "If true then a clear-site-data header will be added to successful logout responses. 
This header will have the value '\"cache\", \"cookies\", \"storage\", \"executionContexts\"'", "propertyOrder" : 3920, "required" : true, "type" : "boolean", "exampleValue" : "" }, "zeroPageLoginEnabled" : { "title" : "Zero Page Login", "description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.", "propertyOrder" : 3400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "moduleBasedAuthEnabled" : { "title" : "Module Based Authentication", "description" : "Allows a user to authenticate via module based authentication.<br><br>The feature allow users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.", "propertyOrder" : 2800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "zeroPageLoginReferrerWhiteList" : { "title" : "Zero Page Login Referer Allowlist", "description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.", "propertyOrder" : 3600, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } } } }
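The Account Lockout settings in the schema above describe a counting rule (failures over the Login Failure Lockout Interval, a warning threshold, a lockout duration that a multiplier escalates on each successive lockout, and 0 meaning locked until an administrator acts). The following Python model is an added example, not AM's own code, that reproduces those documented rules so a realm's values can be reasoned about before they are pushed with update Authentication --realm ... --body. Two points the schema does not state are assumptions here and are marked in the code: that a successful login clears the failure history, and that the successive-lockout counter persists across lockouts. The to_update_body helper produces a nested "accountlockout" fragment shaped like the schema; that the update endpoint accepts such a partial nested body is also an assumption.

```python
"""Model of the realm Account Lockout settings from the Authentication schema.

Added example, not AM's own implementation. Field names match the
"accountlockout" properties of the schema; times are in minutes so the
documented interval and duration values can be used directly.
"""
import json
from dataclasses import asdict, dataclass, field
from typing import List, Optional


@dataclass
class LockoutConfig:
    loginFailureLockoutMode: bool = True   # lockout tracking on/off for the realm
    loginFailureCount: int = 5             # failures within the interval before locking
    loginFailureDuration: int = 5          # lockout interval, minutes
    lockoutWarnUserCount: int = 3          # warn the user at this many failures
    lockoutDuration: int = 0               # minutes; 0 = locked until an admin unlocks
    lockoutDurationMultiplier: int = 1     # 1 disables escalation of the duration


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # failure timestamps (minutes)
    lockouts: int = 0                                    # successive lockouts so far
    locked_until: Optional[float] = None                 # None = not locked; inf = indefinite


def lockout_duration_for(cfg: LockoutConfig, nth_lockout: int) -> float:
    """Duration in minutes of the nth successive lockout (1-based).

    With lockoutDuration 10 and multiplier 2 the schema's example gives
    10 then 20 minutes; lockoutDuration 0 is indefinite whatever the multiplier.
    """
    if cfg.lockoutDuration == 0:
        return float("inf")
    return cfg.lockoutDuration * cfg.lockoutDurationMultiplier ** (nth_lockout - 1)


def is_locked(state: AccountState, now: float) -> bool:
    return state.locked_until is not None and now < state.locked_until


def record_failure(cfg: LockoutConfig, state: AccountState, now: float) -> str:
    """Apply one failed authentication at time `now`.

    Returns 'ignored' (lockout mode off), 'locked', 'warned' or 'failed'.
    """
    if not cfg.loginFailureLockoutMode:
        return "ignored"
    if is_locked(state, now):
        return "locked"
    # Failures that occurred outside the lockout interval are ignored (sliding window).
    window_start = now - cfg.loginFailureDuration
    state.failures = [t for t in state.failures if t > window_start] + [now]
    count = len(state.failures)
    if count >= cfg.loginFailureCount:
        # Assumption: the successive-lockout counter is not reset by an expired lockout.
        state.lockouts += 1
        state.locked_until = now + lockout_duration_for(cfg, state.lockouts)
        state.failures = []
        return "locked"
    if count == cfg.lockoutWarnUserCount:
        return "warned"
    return "failed"


def record_success(state: AccountState, now: float) -> bool:
    """A successful authentication is only possible once the lockout has expired.

    Assumption: a successful login clears the tracked failure history.
    """
    if is_locked(state, now):
        return False
    state.failures = []
    return True


def to_update_body(cfg: LockoutConfig) -> str:
    """JSON for `am> update Authentication --realm <realm> --body <json>`.

    Nesting under "accountlockout" follows the schema; accepting a partial
    nested body is an assumption of this example.
    """
    return json.dumps({"accountlockout": asdict(cfg)})


if __name__ == "__main__":
    cfg = LockoutConfig(lockoutDuration=10, lockoutDurationMultiplier=2)
    state = AccountState()
    for minute in range(5):
        print(minute, record_failure(cfg, state, minute))
    print("locked until minute", state.locked_until)
    print(to_update_body(cfg))
```

Running the block walks one account through the schema's own example (count 5 over 5 minutes, then a 10 minute lockout that doubles on the next lockout) and prints the body fragment that would carry those values to the realm.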
Global Operations
Resource path:
/global-config/authentication
Resource version: 1.0
update
Usage
am> update Authentication --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "ldapConnectionPoolDefaultSize" : { "title" : "Default LDAP Connection Pool Size", "description" : "The default connection pool size; format is: mininum:maximum", "propertyOrder" : 2400, "required" : true, "type" : "string", "exampleValue" : "" }, "ldapConnectionPoolSize" : { "title" : "LDAP Connection Pool Size", "description" : "Controls the size of the LDAP connection pool used for authentication<br><br>Control the size of the connection pool to the LDAP directory server used by any of the authentication modules that use LDAP directly such as LDAP or Active Directory.Different OpenAM servers can be configured with different connection pool settings.<br/><br/>Format: host:port:minimum:maximum", "propertyOrder" : 2300, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "keepPostProcessInstances" : { "title" : "Keep Post Process Objects for Logout Processing", "description" : "Store Post Processing Classes for the duration of the session.<br><br>Enabling this setting will cause OpenAM to store instances of post processing classes into the users session. When the user logs out the original instances of the post processing classes will be called instead of new instances. This may be needed for special logout processing.<br/><br/><i>NB </i>Enabling this setting will increase the memory usage of OpenAM.", "propertyOrder" : 3100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "remoteAuthSecurityEnabled" : { "title" : "Remote Auth Security", "description" : "OpenAM requires authentication client to authenticate itself before authenticating users.<br><br>When this setting is enabled, OpenAM will require the authentication client (such as a policy agent) to authentication itself to OpenAM before the client will be allow to use the remote authentication API to authenticate users. 
", "propertyOrder" : 2900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticators" : { "title" : "Pluggable Authentication Module Classes", "description" : "List of configured authentication modules<br><br>The list of configured authentication modules available to OpenAM. All modules must extend from the <code>com.sun.identity.authentication.spi.AMLoginModule</code> class.", "propertyOrder" : 500, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "defaults" : { "properties" : { "trees" : { "type" : "object", "title" : "Trees", "propertyOrder" : 4, "properties" : { "authenticationTreeCookieHttpOnly" : { "title" : "Stops sending tokenId", "description" : "Stops sending tokenId when HttpOnly cookies are on.<br><br>If enabled and HttpOnly cookies are on, the tree authentication will not return tokenId.", "propertyOrder" : 3885, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationSessionsWhitelist" : { "title" : "Enable Allowlisting", "description" : "Enables explicit allowlisting of valid authentication states to prevent replay attacks.<br><br>If enabled, each time a response is sent to the user a randomly generated state parameter is also sent back to user. This state parameter is stored accessible to AM and must be sent in with the subsequent request. After a request has been received with a valid state parameter, the next response contains a new state, and the server's view of the valid state parameter is updated.", "propertyOrder" : 3880, "required" : true, "type" : "boolean", "exampleValue" : "" }, "suspendedAuthenticationTimeout" : { "title" : "Suspended authentication duration (minutes)", "description" : "Specify how long a suspended authentication session can last.<br><br>From the time a suspended authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed. 
This timeout should be less than or equal to the authentication session’s timeout value.", "propertyOrder" : 3870, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationSessionsMaxDuration" : { "title" : "Max duration (minutes)", "description" : "Specify how long an authentication session can last.<br><br>From the time an authentication session is generated, the session will be invalid after this number of minutes. Values from <strong>1</strong> upwards are allowed.", "propertyOrder" : 3860, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationSessionsStateManagement" : { "title" : "Authentication session state management scheme", "description" : "Specify how the authentication session state is managed.<br><br>CTS option will write the state down to the underlying core token store.<br />JWT option will transmit the state in a JWT to the client.<br />In-Memory option will maintain the state in the memory (requires sticky loadbalancing).<br /><br /> <em>To configure JWT signing, encryption, and denylisting use the options in the Client-Side Sessions section of the Sessions global service.</em>", "propertyOrder" : 3850, "required" : true, "type" : "string", "exampleValue" : "" } } }, "accountlockout" : { "type" : "object", "title" : "Account Lockout", "propertyOrder" : 2, "properties" : { "lockoutDuration" : { "title" : "Login Failure Lockout Duration", "description" : "The duration of the users account lockout, in minutes.<br><br>OpenAM can either lockout the users account indefinitely (until administration action) by setting the duration to 0, (the default) or OpenAM can lock the users account for a given number of minutes. 
After the lockout interval, the user will be able to successfully authenticate to OpenAM.", "propertyOrder" : 1300, "required" : true, "type" : "integer", "exampleValue" : "" }, "lockoutDurationMultiplier" : { "title" : "Lockout Duration Multiplier", "description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function. ", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "loginFailureCount" : { "title" : "Login Failure Lockout Count", "description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the users account.", "propertyOrder" : 900, "required" : true, "type" : "integer", "exampleValue" : "" }, "lockoutWarnUserCount" : { "title" : "Warn User After N Failures", "description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.", "propertyOrder" : 1200, "required" : true, "type" : "integer", "exampleValue" : "" }, "lockoutAttributeName" : { "title" : "Lockout Attribute Name", "description" : "Name of custom lockout attribute <br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. 
In addition, OpenAM can set the value of another attribute in the user's profile. ", "propertyOrder" : 1500, "required" : true, "type" : "string", "exampleValue" : "" }, "invalidAttemptsDataAttributeName" : { "title" : "Invalid Attempts Data Attribute Name", "description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the user's profile. This allows multiple instances of OpenAM in the same site to share information about a user's invalid authentication attempts. By default, the custom attribute <code>sunAMAuthInvalidAttemptsData</code> defined in the <code>sunAMAuthAccountLockout</code> objectclass is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" }, "lockoutAttributeValue" : { "title" : "Lockout Attribute Value", "description" : "Value to set in custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the user's profile when their account is locked.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "" }, "loginFailureDuration" : { "title" : "Login Failure Lockout Interval", "description" : "The lockout interval time is in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5; the user will have to have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. 
Failed authentications that occurred outside of the 5-minute interval are ignored.", "propertyOrder" : 1000, "required" : true, "type" : "integer", "exampleValue" : "" }, "loginFailureLockoutMode" : { "title" : "Login Failure Lockout Mode", "description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and if a pre-defined limit is breached, OpenAM can lock out the user's account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.", "propertyOrder" : 800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "storeInvalidAttemptsInDataStore" : { "title" : "Store Invalid Attempts in Data Store", "description" : "Enables sharing of login failure attempts across AM Instances<br><br>When this setting is enabled AM will store the user's invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property. This setting only applies to authentication modules and chains; authentication trees will <i>always</i> write their account lockout progress and status to the data store.", "propertyOrder" : 2700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "lockoutEmailAddress" : { "title" : "Email Address to Send Lockout Notification", "description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. 
The contents of the email message are configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" } } }, "core" : { "type" : "object", "title" : "Core", "propertyOrder" : -1, "properties" : { "adminAuthModule" : { "title" : "Administrator Authentication Configuration", "description" : "Default Authentication Service for administrators<br><br>This is the authentication service that will be used to authenticate administrative users to this realm.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "orgConfig" : { "title" : "Organization Authentication Configuration", "description" : "Default Authentication Service for users<br><br>This is the authentication service that will be used to authenticate users to this realm.", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" } } }, "security" : { "type" : "object", "title" : "Security", "propertyOrder" : 5, "properties" : { "zeroPageLoginAllowedWithoutReferrer" : { "title" : "Zero Page Login Allowed without Referer?", "description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. 
Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.", "propertyOrder" : 3700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "zeroPageLoginReferrerWhiteList" : { "title" : "Zero Page Login Referer Allowlist", "description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.", "propertyOrder" : 3600, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "keyAlias" : { "title" : "Persistent Cookie Encryption Certificate Alias", "description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests. This property is deprecated. Use the secret mapping am.authentication.nodes.persistentcookie.encryption instead. The password is ignored if the am.authentication.nodes.persistentcookie.encryption mapping is mapped.", "propertyOrder" : 3300, "required" : true, "type" : "string", "exampleValue" : "" }, "moduleBasedAuthEnabled" : { "title" : "Module Based Authentication", "description" : "Allows a user to authenticate via module based authentication.<br><br>The feature allow users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.", "propertyOrder" : 2800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "sharedSecret" : { "title" : "Organization Authentication Signing Secret", "description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>The shared secret for signing RESTful authentication requests. 
This secret should be Base-64 encoded and at least 128 bits in length. By default, a cryptographically secure random value is generated. <br/><br/><i>Note: This attribute is deprecated. If you're using a secret store of type Keystore, HSM, Google KMS, or Google Secret Manager, add a mapping for <code>am.authn.authid.signing.HMAC</code> instead.</i>", "propertyOrder" : 4000, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "addClearSiteDataHeader" : { "title" : "Add clear-site-data Header on Logout", "description" : "If true then a clear-site-data header will be added to successful logout responses. This header will have the value '\"cache\", \"cookies\", \"storage\", \"executionContexts\"'", "propertyOrder" : 3920, "required" : true, "type" : "boolean", "exampleValue" : "" }, "zeroPageLoginEnabled" : { "title" : "Zero Page Login", "description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). 
Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.", "propertyOrder" : 3400, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "postauthprocess" : { "type" : "object", "title" : "Post Authentication Processing", "propertyOrder" : 6, "properties" : { "userAttributeSessionMapping" : { "title" : "User Attribute Mapping to Session Attribute", "description" : "Mapping of user profile attribute name to session attribute name.<br><br>The setting causes OpenAM to read the named attributes from the users profile in the data store and store their values in the users session.<br/></br>Format: User Profile Attribute|Session Attribute name. ", "propertyOrder" : 3000, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "loginFailureUrl" : { "title" : "Default Failure Login URL ", "description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. 
URL without http(s) protocol will be appended to the current URI of OpenAM.", "propertyOrder" : 1900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "usernameGeneratorEnabled" : { "title" : "Generate UserID Mode", "description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.", "propertyOrder" : 2100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "usernameGeneratorClass" : { "title" : "Pluggable User Name Generator Class", "description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>", "propertyOrder" : 2200, "required" : true, "type" : "string", "exampleValue" : "" }, "loginSuccessUrl" : { "title" : "Default Success Login URL", "description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.", "propertyOrder" : 1800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "loginPostProcessClass" : { "title" : "Authentication Post Processing Classes", "description" : "A list of post authentication processing classes for all users in this realm.<br><br>The list of Post-Processing Classes called by AM for all users that authenticate to this realm. 
Refer to the documentation for the places where the list of post authentication classes can be set. Realm-level post-authentication plugins are only called when no post-authentication plugin is configured for the authentication chain.<br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.", "propertyOrder" : 2000, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "general" : { "type" : "object", "title" : "General", "propertyOrder" : 3, "properties" : { "locale" : { "title" : "Default Authentication Locale", "description" : "", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "twoFactorRequired" : { "title" : "Two Factor Authentication Mandatory", "description" : "Enforces ALL 2FA (OATH and Push) authentication Modules (not nodes) only for this authentication realm.", "propertyOrder" : 3900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "statelessSessionsEnabled" : { "title" : "Use Client-Side Sessions", "description" : "Enables client-side sessions.<br><br>Client-side sessions provide elastic scalability by storing all session state as a JWT in a cookie stored on the client. 
It is highly recommended to enable signing and encryption of the JWT in the global session service.", "propertyOrder" : 3800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "identityType" : { "title" : "Identity Types", "description" : "", "propertyOrder" : 2500, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "userStatusCallbackPlugins" : { "title" : "Pluggable User Status Event Classes", "description" : "List of classes to be called when status of the user account changes.<br><br>When the status of a users account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. The built in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.", "propertyOrder" : 2600, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "externalLoginPageUrl" : { "title" : "External Login Page URL", "description" : "Link to the external login user interface.<br><br>If the authentication user interface is hosted separately from AM, its URL can be provided here. 
AM will use this URL for example when it's constructing the resume URI in case authentication is suspended in an authentication tree.", "propertyOrder" : 3910, "required" : true, "type" : "string", "exampleValue" : "" }, "defaultAuthLevel" : { "title" : "Default Authentication Level", "description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set its own auth level then the module will have the default authentication level for the realm.", "propertyOrder" : 4100, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "userprofile" : { "type" : "object", "title" : "User Profile", "propertyOrder" : 0, "properties" : { "aliasAttributeName" : { "title" : "Alias Search Attribute Name", "description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the user's profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>If a user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default), so uid=steve; if no match is found then cn=steve will be searched, and so on, until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.", "propertyOrder" : 400, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "defaultRole" : { "title" : "User Profile Dynamic Creation Default Roles", "description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.", "propertyOrder" : 300, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, 
"dynamicProfileCreation" : { "title" : "User Profile", "description" : "Controls the result of the user profile success post successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" } } } }, "type" : "object", "title" : "Realm Defaults" } } }
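The account lockout settings in the realm defaults above (Login Failure Lockout Count, Lockout Interval, Lockout Duration, Duration Multiplier and Warn User After N Failures) describe a sliding-window policy. The following model is an added example, not AM's or Amster's own code: it applies those settings as the schema descriptions state them, and it assumes (as noted in the comments) that the multiplier keeps compounding beyond the second lockout, that a successful login clears the failure window, and that an administrator unlock resets the lockout counter.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    """The account-lockout settings from the Authentication realm defaults schema."""
    loginFailureLockoutMode: bool = True   # lockout enabled at all
    loginFailureCount: int = 5             # failures in the interval that trigger a lockout
    loginFailureDuration: int = 5          # minutes: sliding window over which failures count
    lockoutDuration: int = 0               # minutes: 0 = locked until an administrator unlocks
    lockoutDurationMultiplier: int = 1     # 1 = every lockout lasts lockoutDuration
    lockoutWarnUserCount: int = 0          # warn once failures in the window reach this; 0 = never


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # timestamps inside the window
    locked_until: Optional[datetime] = None                 # set for timed lockouts
    locked_indefinitely: bool = False                       # set when lockoutDuration == 0
    lockout_count: int = 0                                  # successive lockouts, drives the multiplier


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def _prune(self, state: AccountState, now: datetime) -> None:
        # Failures that occurred outside the lockout interval are ignored.
        window_start = now - timedelta(minutes=self.policy.loginFailureDuration)
        state.failures = [t for t in state.failures if t > window_start]

    def is_locked(self, user: str, now: datetime) -> bool:
        state = self._state(user)
        if state.locked_indefinitely:
            return True
        if state.locked_until is not None:
            if now < state.locked_until:
                return True
            state.locked_until = None  # timed lockout has expired; user may authenticate again
        return False

    def lockout_minutes(self, lockout_number: int) -> int:
        # 1st lockout: lockoutDuration; 2nd: lockoutDuration * multiplier (page example: 10 -> 20).
        # Assumption of this example: the multiplier keeps compounding for later lockouts.
        p = self.policy
        return p.lockoutDuration * (p.lockoutDurationMultiplier ** (lockout_number - 1))

    def record_failure(self, user: str, now: datetime) -> str:
        """Record one failed authentication; returns 'ignored', 'failed', 'warn' or 'locked'."""
        p = self.policy
        if not p.loginFailureLockoutMode:
            return "ignored"                     # lockout mode disabled: nothing is tracked
        if self.is_locked(user, now):
            return "locked"                      # still locked; the attempt is not counted
        state = self._state(user)
        self._prune(state, now)
        state.failures.append(now)
        count = len(state.failures)
        if count >= p.loginFailureCount:
            state.lockout_count += 1
            state.failures = []
            if p.lockoutDuration == 0:
                state.locked_indefinitely = True  # "until administration action"
            else:
                minutes = self.lockout_minutes(state.lockout_count)
                state.locked_until = now + timedelta(minutes=minutes)
            return "locked"
        if p.lockoutWarnUserCount and count >= p.lockoutWarnUserCount:
            return "warn"                        # "Warn User After N Failures"
        return "failed"

    def record_success(self, user: str, now: datetime) -> None:
        # Assumption: a successful login clears the failure window (the page does not say).
        if not self.is_locked(user, now):
            self._state(user).failures = []

    def admin_unlock(self, user: str) -> None:
        # The only way out of an indefinite lockout. Assumption: it also resets the counter.
        state = self._state(user)
        state.locked_indefinitely = False
        state.locked_until = None
        state.failures = []
        state.lockout_count = 0
```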
AuthenticationChains
Realm Operations
Resource path:
/realm-config/authentication/chains
Resource version: 2.0
create
Usage
am> create AuthenticationChains --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "loginPostProcessClass" : { "title" : "Authentication Post Processing Classes", "description" : "Example: com.abc.authentication.PostProcessClass", "propertyOrder" : 400, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "authChainConfiguration" : { "title" : "Authentication Configuration", "description" : "", "propertyOrder" : 100, "required" : true, "exampleValue" : "", "type" : "array", "items" : { "type" : "object", "properties" : { "module" : { "type" : "string" }, "criteria" : { "type" : "string" }, "options" : { "type" : "object", "patternProperties" : { ".*" : { "type" : "string" } } } } } }, "loginFailureUrl" : { "title" : "Login Failed URL", "description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.", "propertyOrder" : 300, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "loginSuccessUrl" : { "title" : "Login Success URL", "description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.", "propertyOrder" : 200, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }
delete
Usage
am> delete AuthenticationChains --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticationChains --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthenticationChains --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuthenticationChains --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AuthenticationChains --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read AuthenticationChains --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update AuthenticationChains --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "loginPostProcessClass" : { "title" : "Authentication Post Processing Classes", "description" : "Example: com.abc.authentication.PostProcessClass", "propertyOrder" : 400, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "authChainConfiguration" : { "title" : "Authentication Configuration", "description" : "", "propertyOrder" : 100, "required" : true, "exampleValue" : "", "type" : "array", "items" : { "type" : "object", "properties" : { "module" : { "type" : "string" }, "criteria" : { "type" : "string" }, "options" : { "type" : "object", "patternProperties" : { ".*" : { "type" : "string" } } } } } }, "loginFailureUrl" : { "title" : "Login Failed URL", "description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.", "propertyOrder" : 300, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "loginSuccessUrl" : { "title" : "Login Success URL", "description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.", "propertyOrder" : 200, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }
Global Operations
Resource path:
/global-config/authentication/chains
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticationChains --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthenticationChains --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuthenticationChains --global --actionName nextdescendents
update
Usage
am> update AuthenticationChains --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "dynamic" : { "properties" : { "authChainConfiguration" : { "title" : "Authentication Configuration", "description" : "", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" } }, "type" : "object", "title" : "Dynamic Attributes" } } }
AuthenticationModules
Realm Operations
The collection of all authentication modules in a realm allows querying for all module instances.
Resource path:
/realm-config/authentication/modules
Resource version: 2.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticationModules --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthenticationModules --realm Realm --actionName getCreatableTypes
Global Operations
Global and default configuration for authentication modules
Resource path:
/global-config/authentication/modules
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticationModules --global --actionName getAllTypes
AuthenticationNodes
Realm Operations
Auth Tree Nodes
Resource path:
/realm-config/authentication/authenticationtrees/nodes
Resource version: 2.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticationNodes --realm Realm --actionName getAllTypes
AuthenticationTreesConfiguration
Realm Operations
Sub-path parent for all authentication tree configuration.
Resource path:
/realm-config/authentication/authenticationtrees
Resource version: 2.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticationTreesConfiguration --realm Realm --actionName getAllTypes
Global Operations
Resource path:
/global-config/authentication/authenticationtrees
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticationTreesConfiguration --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthenticationTreesConfiguration --global --actionName getCreatableTypes
AuthenticatorOath
Realm Operations
Resource path:
/realm-config/services/authenticatorOathService
Resource version: 2.0
create
Usage
am> create AuthenticatorOath --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : { "title" : "Key Store Password", "description" : "Password to unlock the key store. AM encrypts this password when you save it in the configuration.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.", "propertyOrder" : 500, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "authenticatorOATHDeviceSettingsEncryptionKeystoreType" : { "title" : "Key Store Type", "description" : "Type of encryption key store.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and are not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorOATHDeviceSettingsEncryptionKeystore" : { "title" : "Encryption Key Store", "description" : "Path to the key store from which to load encryption keys.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : { "title" : "Private Key Password", "description" : "Password to unlock the private key.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.", "propertyOrder" : 700, "required" : true, "type" : "string", "format" : "password", 
"exampleValue" : "" }, "authenticatorOATHDeviceSettingsEncryptionScheme" : { "title" : "Device Profile Encryption Scheme", "description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : { "title" : "Key-Pair Alias", "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "oathAttrName" : { "title" : "Profile Storage Attribute", "description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. 
OpenAM must be able to write to the attribute.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorOATHSkippableName" : { "title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name", "description" : "The data store attribute that holds the user's decision to enable or disable obtaining and providing a password obtained from the ForgeRock Authenticator app. This attribute must be writeable.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" } } }
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticatorOath --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthenticatorOath --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuthenticatorOath --realm Realm --actionName nextdescendents
update
Usage
am> update AuthenticatorOath --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : { "title" : "Key Store Password", "description" : "Password to unlock the key store. AM encrypts this password when you save it in the configuration.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.", "propertyOrder" : 500, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "authenticatorOATHDeviceSettingsEncryptionKeystoreType" : { "title" : "Key Store Type", "description" : "Type of encryption key store.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and are not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorOATHDeviceSettingsEncryptionKeystore" : { "title" : "Encryption Key Store", "description" : "Path to the key store from which to load encryption keys.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : { "title" : "Private Key Password", "description" : "Password to unlock the private key.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.", "propertyOrder" : 700, "required" : true, "type" : "string", "format" : "password", 
"exampleValue" : "" }, "authenticatorOATHDeviceSettingsEncryptionScheme" : { "title" : "Device Profile Encryption Scheme", "description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : { "title" : "Key-Pair Alias", "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "oathAttrName" : { "title" : "Profile Storage Attribute", "description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. 
OpenAM must be able to write to the attribute.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorOATHSkippableName" : { "title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name", "description" : "The data store attribute that holds the user's decision to enable or disable obtaining and providing a password obtained from the ForgeRock Authenticator app. This attribute must be writeable.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" } } }
Global Operations
Resource path:
/global-config/services/authenticatorOathService
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticatorOath --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthenticatorOath --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuthenticatorOath --global --actionName nextdescendents
update
Usage
am> update AuthenticatorOath --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaults" : { "properties" : { "authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : { "title" : "Private Key Password", "description" : "Password to unlock the private key.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.", "propertyOrder" : 700, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "authenticatorOATHDeviceSettingsEncryptionScheme" : { "title" : "Device Profile Encryption Scheme", "description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorOATHDeviceSettingsEncryptionKeystoreType" : { "title" : "Key Store Type", "description" : "Type of encryption key store.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and are not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : { "title" : "Key-Pair Alias", "description" : "Alias of the certificate and private key in the key store. This key pair is used to encrypt and decrypt device profiles.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorOATHSkippableName" : { "title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name", "description" : "The data store attribute that holds the user's decision to skip, or not skip, providing a one-time password from the ForgeRock Authenticator app. This attribute must be writeable.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "oathAttrName" : { "title" : "Profile Storage Attribute", "description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. OpenAM must be able to write to the attribute.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorOATHDeviceSettingsEncryptionKeystore" : { "title" : "Encryption Key Store", "description" : "Path to the key store from which to load encryption keys.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : { "title" : "Key Store Password", "description" : "Password to unlock the key store. AM encrypts this password when you save it in the configuration.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.", "propertyOrder" : 500, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" } }, "type" : "object", "title" : "Realm Defaults" } } }
AuthenticatorOathModule
Realm Operations
Resource path:
/realm-config/authentication/modules/authenticatoroath
Resource version: 2.0
create
Usage
am> create AuthenticatorOathModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "totpTimeStepsInWindow" : { "title" : "TOTP Time Steps", "description" : "The number of time steps to check before and after receiving an OTP.<br><br>This is the number of time step intervals to check the received OTP against, both forward and back in time. For example, with 1 time step and a time step interval of 30 seconds, the server accepts the previous code, the current code, and the next code.", "propertyOrder" : 900, "required" : true, "type" : "integer", "exampleValue" : "" }, "frOathOtpMaxRetry" : { "title" : "One Time Password Max Retry", "description" : "The number of times entry of the OTP may be attempted. Minimum is 1, maximum is 10, and the default is 3.", "propertyOrder" : null, "required" : true, "type" : "integer", "exampleValue" : "" }, "totpMaximumClockDrift" : { "title" : "Maximum Allowed Clock Drift", "description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. For example, with 3 allowed drifts and a time step interval of 30 seconds, the server allows codes from up to 90 seconds from the current time to be treated as the current time step. The drift for a user's device is calculated each time they enter a new code. If the drift exceeds this value, the user's authentication code will be rejected.", "propertyOrder" : 1000, "required" : true, "type" : "integer", "exampleValue" : "" }, "minimumSecretKeyLength" : { "title" : "Minimum Secret Key Length", "description" : "Minimum number of hexadecimal characters allowed for the Secret Key.", "propertyOrder" : 300, "required" : true, "type" : "integer", "exampleValue" : "" }, "oathAlgorithm" : { "title" : "OATH Algorithm to Use", "description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "totpTimeStepInterval" : { "title" : "TOTP Time Step Interval", "description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP is generated every 30 seconds, and a single OTP is valid for only 30 seconds.", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" }, "truncationOffset" : { "title" : "Truncation Offset", "description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. Leave this at the default unless you know your device uses an offset.", "propertyOrder" : 700, "required" : true, "type" : "integer", "exampleValue" : "" }, "hotpWindowSize" : { "title" : "HOTP Window Size", "description" : "The size of the window to resynchronize with the client.<br><br>This sets how far the OTP device counter and the server counter can be out of sync. For example, if the window size is 100 and the server's last successful login was at counter value 2, then the server accepts an OTP from the device for any counter from 3 to 102.", "propertyOrder" : 500, "required" : true, "type" : "integer", "exampleValue" : "" }, "oathIssuerName" : { "title" : "Name of the Issuer", "description" : "Name to identify the OTP issuer.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "ForgeRock" }, "passwordLength" : { "title" : "One Time Password Length", "description" : "The length of the generated OTP in digits. Must be at least 6 and compatible with the hardware/software OTP generators you expect your end users to use. For example, Google and ForgeRock authenticators support values of 6 and 8.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "addChecksumToOtpEnabled" : { "title" : "Add Checksum Digit", "description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the generated OTP, used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. Only set this if your device supports it.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" } } }
delete
Usage
am> delete AuthenticatorOathModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticatorOathModule --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthenticatorOathModule --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuthenticatorOathModule --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AuthenticatorOathModule --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read AuthenticatorOathModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update AuthenticatorOathModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "totpTimeStepsInWindow" : { "title" : "TOTP Time Steps", "description" : "The number of time steps to check before and after receiving an OTP.<br><br>This is the number of time step intervals to check the received OTP against, both forward and back in time. For example, with 1 time step and a time step interval of 30 seconds, the server accepts the previous code, the current code, and the next code.", "propertyOrder" : 900, "required" : true, "type" : "integer", "exampleValue" : "" }, "frOathOtpMaxRetry" : { "title" : "One Time Password Max Retry", "description" : "The number of times entry of the OTP may be attempted. Minimum is 1, maximum is 10, and the default is 3.", "propertyOrder" : null, "required" : true, "type" : "integer", "exampleValue" : "" }, "totpMaximumClockDrift" : { "title" : "Maximum Allowed Clock Drift", "description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. For example, with 3 allowed drifts and a time step interval of 30 seconds, the server allows codes from up to 90 seconds from the current time to be treated as the current time step. The drift for a user's device is calculated each time they enter a new code. If the drift exceeds this value, the user's authentication code will be rejected.", "propertyOrder" : 1000, "required" : true, "type" : "integer", "exampleValue" : "" }, "minimumSecretKeyLength" : { "title" : "Minimum Secret Key Length", "description" : "Minimum number of hexadecimal characters allowed for the Secret Key.", "propertyOrder" : 300, "required" : true, "type" : "integer", "exampleValue" : "" }, "oathAlgorithm" : { "title" : "OATH Algorithm to Use", "description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "totpTimeStepInterval" : { "title" : "TOTP Time Step Interval", "description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP is generated every 30 seconds, and a single OTP is valid for only 30 seconds.", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" }, "truncationOffset" : { "title" : "Truncation Offset", "description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. Leave this at the default unless you know your device uses an offset.", "propertyOrder" : 700, "required" : true, "type" : "integer", "exampleValue" : "" }, "hotpWindowSize" : { "title" : "HOTP Window Size", "description" : "The size of the window to resynchronize with the client.<br><br>This sets how far the OTP device counter and the server counter can be out of sync. For example, if the window size is 100 and the server's last successful login was at counter value 2, then the server accepts an OTP from the device for any counter from 3 to 102.", "propertyOrder" : 500, "required" : true, "type" : "integer", "exampleValue" : "" }, "oathIssuerName" : { "title" : "Name of the Issuer", "description" : "Name to identify the OTP issuer.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "ForgeRock" }, "passwordLength" : { "title" : "One Time Password Length", "description" : "The length of the generated OTP in digits. Must be at least 6 and compatible with the hardware/software OTP generators you expect your end users to use. For example, Google and ForgeRock authenticators support values of 6 and 8.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "addChecksumToOtpEnabled" : { "title" : "Add Checksum Digit", "description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the generated OTP, used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. Only set this if your device supports it.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" } } }
Global Operations
Resource path:
/global-config/authentication/modules/authenticatoroath
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticatorOathModule --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthenticatorOathModule --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuthenticatorOathModule --global --actionName nextdescendents
update
Usage
am> update AuthenticatorOathModule --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaults" : { "properties" : { "addChecksumToOtpEnabled" : { "title" : "Add Checksum Digit", "description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the generated OTP, used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. Only set this if your device supports it.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "oathIssuerName" : { "title" : "Name of the Issuer", "description" : "Name to identify the OTP issuer.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "ForgeRock" }, "frOathOtpMaxRetry" : { "title" : "One Time Password Max Retry", "description" : "The number of times entry of the OTP may be attempted. Minimum is 1, maximum is 10, and the default is 3.", "propertyOrder" : null, "required" : true, "type" : "integer", "exampleValue" : "" }, "passwordLength" : { "title" : "One Time Password Length", "description" : "The length of the generated OTP in digits. Must be at least 6 and compatible with the hardware/software OTP generators you expect your end users to use. For example, Google and ForgeRock authenticators support values of 6 and 8.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "truncationOffset" : { "title" : "Truncation Offset", "description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. Leave this at the default unless you know your device uses an offset.", "propertyOrder" : 700, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "hotpWindowSize" : { "title" : "HOTP Window Size", "description" : "The size of the window to resynchronize with the client.<br><br>This sets how far the OTP device counter and the server counter can be out of sync. For example, if the window size is 100 and the server's last successful login was at counter value 2, then the server accepts an OTP from the device for any counter from 3 to 102.", "propertyOrder" : 500, "required" : true, "type" : "integer", "exampleValue" : "" }, "totpMaximumClockDrift" : { "title" : "Maximum Allowed Clock Drift", "description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. For example, with 3 allowed drifts and a time step interval of 30 seconds, the server allows codes from up to 90 seconds from the current time to be treated as the current time step. The drift for a user's device is calculated each time they enter a new code. If the drift exceeds this value, the user's authentication code will be rejected.", "propertyOrder" : 1000, "required" : true, "type" : "integer", "exampleValue" : "" }, "minimumSecretKeyLength" : { "title" : "Minimum Secret Key Length", "description" : "Minimum number of hexadecimal characters allowed for the Secret Key.", "propertyOrder" : 300, "required" : true, "type" : "integer", "exampleValue" : "" }, "totpTimeStepsInWindow" : { "title" : "TOTP Time Steps", "description" : "The number of time steps to check before and after receiving an OTP.<br><br>This is the number of time step intervals to check the received OTP against, both forward and back in time. For example, with 1 time step and a time step interval of 30 seconds, the server accepts the previous code, the current code, and the next code.", "propertyOrder" : 900, "required" : true, "type" : "integer", "exampleValue" : "" }, "totpTimeStepInterval" : { "title" : "TOTP Time Step Interval", "description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP is generated every 30 seconds, and a single OTP is valid for only 30 seconds.", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" }, "oathAlgorithm" : { "title" : "OATH Algorithm to Use", "description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" } }, "type" : "object", "title" : "Realm Defaults" } } }
AuthenticatorPush
Realm Operations
Resource path:
/realm-config/services/authenticatorPushService
Resource version: 2.0
create
Usage
am> create AuthenticatorPush --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword" : { "title" : "Private Key Password", "description" : "Password to unlock the private key.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorpush.encryption</code> to a secret in a secret store.", "propertyOrder" : 700, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "authenticatorPushDeviceSettingsEncryptionKeystorePassword" : { "title" : "Key Store Password", "description" : "Password to unlock the key store. AM encrypts this password when you save it in the configuration. You should modify the default value.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorpush.encryption</code> to a secret in a secret store.", "propertyOrder" : 500, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "authenticatorPushDeviceSettingsEncryptionKeystoreType" : { "title" : "Key Store Type", "description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and are not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorpush.encryption</code> to a secret in a secret store.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "pushAttrName" : { "title" : "Profile Storage Attribute", "description" : "The user's attribute in which to store Push Notification profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in OpenAM. OpenAM must be able to write to the attribute.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorPushDeviceSettingsEncryptionScheme" : { "title" : "Device Profile Encryption Scheme", "description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorPushDeviceSettingsEncryptionKeystore" : { "title" : "Encryption Key Store", "description" : "Path to the key store from which to load encryption keys.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorpush.encryption</code> to a secret in a secret store.", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias" : { "title" : "Key-Pair Alias", "description" : "Alias of the certificate and private key in the key store. This key pair is used to encrypt and decrypt device profiles.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorpush.encryption</code> to a secret in a secret store.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorPushSkippableName" : { "title" : "ForgeRock Authenticator (Push) Device Skippable Attribute Name", "description" : "Name of the attribute on a user's profile used to store their selection of whether to skip ForgeRock Authenticator (Push) 2FA modules.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" } } }
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticatorPush --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthenticatorPush --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuthenticatorPush --realm Realm --actionName nextdescendents
update
Usage
am> update AuthenticatorPush --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword" : { "title" : "Private Key Password", "description" : "Password to unlock the private key.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorpush.encryption</code> to a secret in a secret store.", "propertyOrder" : 700, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "authenticatorPushDeviceSettingsEncryptionKeystorePassword" : { "title" : "Key Store Password", "description" : "Password to unlock the key store. AM encrypts this password when you save it in the configuration. You should modify the default value.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorpush.encryption</code> to a secret in a secret store.", "propertyOrder" : 500, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "authenticatorPushDeviceSettingsEncryptionKeystoreType" : { "title" : "Key Store Type", "description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and are not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorpush.encryption</code> to a secret in a secret store.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "pushAttrName" : { "title" : "Profile Storage Attribute", "description" : "The user's attribute in which to store Push Notification profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in OpenAM. OpenAM must be able to write to the attribute.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorPushDeviceSettingsEncryptionScheme" : { "title" : "Device Profile Encryption Scheme", "description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorPushDeviceSettingsEncryptionKeystore" : { "title" : "Encryption Key Store", "description" : "Path to the key store from which to load encryption keys.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorpush.encryption</code> to a secret in a secret store.", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias" : { "title" : "Key-Pair Alias", "description" : "Alias of the certificate and private key in the key store. This key pair is used to encrypt and decrypt device profiles.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorpush.encryption</code> to a secret in a secret store.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorPushSkippableName" : { "title" : "ForgeRock Authenticator (Push) Device Skippable Attribute Name", "description" : "Name of the attribute on a user's profile used to store their selection of whether to skip ForgeRock Authenticator (Push) 2FA modules.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" } } }
Global Operations
Resource path:
/global-config/services/authenticatorPushService
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticatorPush --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthenticatorPush --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuthenticatorPush --global --actionName nextdescendents
update
Usage
am> update AuthenticatorPush --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaults" : { "properties" : { "pushAttrName" : { "title" : "Profile Storage Attribute", "description" : "The user's attribute in which to store Push Notification profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in OpenAM. OpenAM must be able to write to the attribute.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword" : { "title" : "Private Key Password", "description" : "Password to unlock the private key.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorpush.encryption</code> to a secret in a secret store.", "propertyOrder" : 700, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "authenticatorPushSkippableName" : { "title" : "ForgeRock Authenticator (Push) Device Skippable Attribute Name", "description" : "Name of the attribute on a user's profile used to store their selection of whether to skip ForgeRock Authenticator (Push) 2FA modules.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorPushDeviceSettingsEncryptionScheme" : { "title" : "Device Profile Encryption Scheme", "description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorPushDeviceSettingsEncryptionKeystorePassword" : { "title" : "Key Store Password", "description" : "Password to unlock the key store. AM encrypts this password when you save it in the configuration. You should modify the default value.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorpush.encryption</code> to a secret in a secret store.", "propertyOrder" : 500, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "authenticatorPushDeviceSettingsEncryptionKeystore" : { "title" : "Encryption Key Store", "description" : "Path to the key store from which to load encryption keys.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorpush.encryption</code> to a secret in a secret store.", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorPushDeviceSettingsEncryptionKeystoreType" : { "title" : "Key Store Type", "description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorpush.encryption</code> to a secret in a secret store.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias" : { "title" : "Key-Pair Alias", "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorpush.encryption</code> to a secret in a secret store.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" } }, "type" : "object", "title" : "Realm Defaults" } } }
AuthenticatorPushModule
Realm Operations
Resource path:
/realm-config/authentication/modules/authPush
Resource version: 2.0
create
Usage
am> create AuthenticatorPushModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "pushMessage" : { "title" : "Login Message", "description" : "Message transmitted over Push. Use the label {{user}} to replace with the registered login's username, and {{issuer}} to replace with the name of the issuer stored at registration.", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" }, "timeoutInMilliSecconds" : { "title" : "Return Message Timeout (ms)", "description" : "The period of time (in milliseconds) within which a push notification should be replied to.", "propertyOrder" : 200, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" } } }
delete
Usage
am> delete AuthenticatorPushModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticatorPushModule --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthenticatorPushModule --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuthenticatorPushModule --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AuthenticatorPushModule --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read AuthenticatorPushModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update AuthenticatorPushModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "pushMessage" : { "title" : "Login Message", "description" : "Message transmitted over Push. Use the label {{user}} to replace with the registered login's username, and {{issuer}} to replace with the name of the issuer stored at registration.", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" }, "timeoutInMilliSecconds" : { "title" : "Return Message Timeout (ms)", "description" : "The period of time (in milliseconds) within which a push notification should be replied to.", "propertyOrder" : 200, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" } } }
Global Operations
Resource path:
/global-config/authentication/modules/authPush
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticatorPushModule --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthenticatorPushModule --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuthenticatorPushModule --global --actionName nextdescendents
update
Usage
am> update AuthenticatorPushModule --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaults" : { "properties" : { "timeoutInMilliSecconds" : { "title" : "Return Message Timeout (ms)", "description" : "The period of time (in milliseconds) within which a push notification should be replied to.", "propertyOrder" : 200, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "pushMessage" : { "title" : "Login Message", "description" : "Message transmitted over Push. Use the label {{user}} to replace with the registered login's username, and {{issuer}} to replace with the name of the issuer stored at registration.", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" } }, "type" : "object", "title" : "Realm Defaults" } } }
AuthenticatorPushRegistrationModule
Realm Operations
Resource path:
/realm-config/authentication/modules/authPushReg
Resource version: 2.0
create
Usage
am> create AuthenticatorPushRegistrationModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "googleLink" : { "title" : "Google Play URL", "description" : "URL of the app to download on Google Play.", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "bgcolour" : { "title" : "Background Colour", "description" : "The background colour of the image to display behind your identity issuer's logo within the mobile app.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "timeoutInMilliSecconds" : { "title" : "Registration Response Timeout (ms)", "description" : "The period of time (in milliseconds) within which the registration QR code should be replied to.", "propertyOrder" : 300, "required" : true, "type" : "integer", "exampleValue" : "" }, "issuer" : { "title" : "Issuer Name", "description" : "The Name of the service as it will appear on the registered device.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "imgUrl" : { "title" : "Image URL", "description" : "The location of the image to download and display as your identity issuer's logo within the mobile app.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "http://example.com/image.png" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "appleLink" : { "title" : "App Store App URL", "description" : "URL of the app to download on the App Store.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" } } }
delete
Usage
am> delete AuthenticatorPushRegistrationModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticatorPushRegistrationModule --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthenticatorPushRegistrationModule --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuthenticatorPushRegistrationModule --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query AuthenticatorPushRegistrationModule --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read AuthenticatorPushRegistrationModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update AuthenticatorPushRegistrationModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "googleLink" : { "title" : "Google Play URL", "description" : "URL of the app to download on Google Play.", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "bgcolour" : { "title" : "Background Colour", "description" : "The background colour of the image to display behind your identity issuer's logo within the mobile app.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "timeoutInMilliSecconds" : { "title" : "Registration Response Timeout (ms)", "description" : "The period of time (in milliseconds) within which the registration QR code should be replied to.", "propertyOrder" : 300, "required" : true, "type" : "integer", "exampleValue" : "" }, "issuer" : { "title" : "Issuer Name", "description" : "The Name of the service as it will appear on the registered device.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "imgUrl" : { "title" : "Image URL", "description" : "The location of the image to download and display as your identity issuer's logo within the mobile app.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "http://example.com/image.png" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "appleLink" : { "title" : "App Store App URL", "description" : "URL of the app to download on the App Store.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" } } }
Global Operations
Resource path:
/global-config/authentication/modules/authPushReg
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticatorPushRegistrationModule --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthenticatorPushRegistrationModule --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuthenticatorPushRegistrationModule --global --actionName nextdescendents
update
Usage
am> update AuthenticatorPushRegistrationModule --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaults" : { "properties" : { "timeoutInMilliSecconds" : { "title" : "Registration Response Timeout (ms)", "description" : "The period of time (in milliseconds) within which the registration QR code should be replied to.", "propertyOrder" : 300, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "googleLink" : { "title" : "Google Play URL", "description" : "URL of the app to download on Google Play.", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "imgUrl" : { "title" : "Image URL", "description" : "The location of the image to download and display as your identity issuer's logo within the mobile app.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "http://example.com/image.png" }, "bgcolour" : { "title" : "Background Colour", "description" : "The background colour of the image to display behind your identity issuer's logo within the mobile app.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "issuer" : { "title" : "Issuer Name", "description" : "The Name of the service as it will appear on the registered device.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "appleLink" : { "title" : "App Store App URL", "description" : "URL of the app to download on the App Store.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" } }, "type" : "object", "title" : "Realm Defaults" } } }
AuthenticatorWebAuthn
Realm Operations
Resource path:
/realm-config/services/authenticatorWebAuthnService
Resource version: 2.0
create
Usage
am> create AuthenticatorWebAuthn --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "authenticatorWebAuthnDeviceSettingsEncryptionKeystoreKeyPairAlias" : { "title" : "Key-Pair Alias", "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorwebauthn.encryption</code> to a secret in a secret store.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorWebAuthnDeviceSettingsEncryptionScheme" : { "title" : "Device Profile Encryption Scheme", "description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorWebAuthnDeviceSettingsEncryptionKeystore" : { "title" : "Encryption Key Store", "description" : "Path to the key store from which to load encryption keys.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorwebauthn.encryption</code> to a secret in a secret store.", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" }, "webauthnAttrName" : { "title" : "Profile Storage Attribute", "description" : "The user's attribute in which to store WebAuthn profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with AM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying webauthn with AM. AM must be able to write to the attribute.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorWebAuthnDeviceSettingsEncryptionKeystorePrivateKeyPassword" : { "title" : "Private Key Password", "description" : "Password to unlock the private key.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorwebauthn.encryption</code> to a secret in a secret store.", "propertyOrder" : 700, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "authenticatorWebAuthnDeviceSettingsEncryptionKeystoreType" : { "title" : "Key Store Type", "description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorwebauthn.encryption</code> to a secret in a secret store.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorWebAuthnDeviceSettingsEncryptionKeystorePassword" : { "title" : "Key Store Password", "description" : "Password to unlock the key store. AM encrypts this password when you save it in the configuration. You should modify the default value.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorwebauthn.encryption</code> to a secret in a secret store.", "propertyOrder" : 500, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" } } }
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticatorWebAuthn --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthenticatorWebAuthn --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuthenticatorWebAuthn --realm Realm --actionName nextdescendents
update
Usage
am> update AuthenticatorWebAuthn --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "authenticatorWebAuthnDeviceSettingsEncryptionKeystoreKeyPairAlias" : { "title" : "Key-Pair Alias", "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorwebauthn.encryption</code> to a secret in a secret store.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorWebAuthnDeviceSettingsEncryptionScheme" : { "title" : "Device Profile Encryption Scheme", "description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorWebAuthnDeviceSettingsEncryptionKeystore" : { "title" : "Encryption Key Store", "description" : "Path to the key store from which to load encryption keys.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorwebauthn.encryption</code> to a secret in a secret store.", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" }, "webauthnAttrName" : { "title" : "Profile Storage Attribute", "description" : "The user's attribute in which to store WebAuthn profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with AM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying webauthn with AM. AM must be able to write to the attribute.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorWebAuthnDeviceSettingsEncryptionKeystorePrivateKeyPassword" : { "title" : "Private Key Password", "description" : "Password to unlock the private key.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorwebauthn.encryption</code> to a secret in a secret store.", "propertyOrder" : 700, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "authenticatorWebAuthnDeviceSettingsEncryptionKeystoreType" : { "title" : "Key Store Type", "description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorwebauthn.encryption</code> to a secret in a secret store.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorWebAuthnDeviceSettingsEncryptionKeystorePassword" : { "title" : "Key Store Password", "description" : "Password to unlock the key store. AM encrypts this password when you save it in the configuration. You should modify the default value.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorwebauthn.encryption</code> to a secret in a secret store.", "propertyOrder" : 500, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" } } }
Global Operations
Resource path:
/global-config/services/authenticatorWebAuthnService
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AuthenticatorWebAuthn --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AuthenticatorWebAuthn --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AuthenticatorWebAuthn --global --actionName nextdescendents
update
Usage
am> update AuthenticatorWebAuthn --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaults" : { "properties" : { "authenticatorWebAuthnDeviceSettingsEncryptionKeystorePrivateKeyPassword" : { "title" : "Private Key Password", "description" : "Password to unlock the private key.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorwebauthn.encryption</code> to a secret in a secret store.", "propertyOrder" : 700, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "authenticatorWebAuthnDeviceSettingsEncryptionKeystoreType" : { "title" : "Key Store Type", "description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and are not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorwebauthn.encryption</code> to a secret in a secret store.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorWebAuthnDeviceSettingsEncryptionKeystorePassword" : { "title" : "Key Store Password", "description" : "Password to unlock the key store. AM encrypts this password when you save it in the configuration. You should modify the default value.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorwebauthn.encryption</code> to a secret in a secret store.", "propertyOrder" : 500, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "authenticatorWebAuthnDeviceSettingsEncryptionKeystoreKeyPairAlias" : { "title" : "Key-Pair Alias", "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorwebauthn.encryption</code> to a secret in a secret store.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorWebAuthnDeviceSettingsEncryptionScheme" : { "title" : "Device Profile Encryption Scheme", "description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "webauthnAttrName" : { "title" : "Profile Storage Attribute", "description" : "The user's attribute in which to store WebAuthn profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with AM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying webauthn with AM. AM must be able to write to the attribute.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticatorWebAuthnDeviceSettingsEncryptionKeystore" : { "title" : "Encryption Key Store", "description" : "Path to the key store from which to load encryption keys.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatorwebauthn.encryption</code> to a secret in a secret store.", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" } }, "type" : "object", "title" : "Realm Defaults" } } }
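The Device Profile Encryption Scheme described above (a fresh random key per profile, AES in CBC mode with PKCS#5 padding, an HMAC-SHA tag truncated to half size, and the random key wrapped with the configured RSA key pair) is the encrypt-then-MAC composite that RFC 7518 section 5.2 specifies for JWE. The Go program below is an added example written for this page, not AM's code: it implements that composite for one device profile with AES-128 and HMAC-SHA-256, uses RSA-OAEP for the key wrap, and stores the pieces in a struct of its own; the wrap algorithm, the associated-data string and the storage layout are this example's assumptions, since the page states none of them. Decrypt checks the tag before it touches the ciphertext, which is what stops padding-oracle style tampering with stored profiles.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// EncryptedProfile is this example's storage layout (an assumption; the page does not give AM's).
type EncryptedProfile struct {
	WrappedKey []byte // per-profile random key, RSA-OAEP wrapped with the configured key pair
	IV         []byte
	Ciphertext []byte // AES-128-CBC, PKCS#5/7 padded
	Tag        []byte // HMAC-SHA-256 truncated to half size (16 bytes)
}

const associatedData = "webauthn-device-profile" // bound into the MAC so a blob cannot be repurposed

func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// mac follows RFC 7518 section 5.2: HMAC over AAD || IV || ciphertext || bitlen(AAD), truncated to half.
func mac(macKey, iv, ct []byte) []byte {
	var al [8]byte
	binary.BigEndian.PutUint64(al[:], uint64(len(associatedData))*8)
	h := hmac.New(sha256.New, macKey)
	for _, part := range [][]byte{[]byte(associatedData), iv, ct, al[:]} {
		h.Write(part)
	}
	return h.Sum(nil)[:sha256.Size/2]
}

// NewKeyPair stands in for the key pair AM loads from the Encryption Key Store.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Encrypt draws a fresh 32-byte key per profile (first half HMAC key, second half AES-128 key).
func Encrypt(pub *rsa.PublicKey, profile []byte) (*EncryptedProfile, error) {
	buf := make([]byte, 32+aes.BlockSize)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	cek, iv := buf[:32], buf[32:]
	block, err := aes.NewCipher(cek[16:])
	if err != nil {
		return nil, err
	}
	padded := pad(profile)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedProfile{WrappedKey: wrapped, IV: iv, Ciphertext: ct, Tag: mac(cek[:16], iv, ct)}, nil
}

// Decrypt unwraps the key, checks the tag in constant time, and only then decrypts.
func Decrypt(priv *rsa.PrivateKey, p *EncryptedProfile) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, p.WrappedKey, nil)
	if err != nil || len(cek) != 32 {
		return nil, errors.New("key unwrap failed")
	}
	if !hmac.Equal(p.Tag, mac(cek[:16], p.IV, p.Ciphertext)) {
		return nil, errors.New("integrity check failed; profile not decrypted")
	}
	block, err := aes.NewCipher(cek[16:])
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(p.Ciphertext))
	cipher.NewCBCDecrypter(block, p.IV).CryptBlocks(pt, p.Ciphertext)
	return unpad(pt)
}

func main() {
	priv, _ := NewKeyPair()
	enc, _ := Encrypt(&priv.PublicKey, []byte(`{"credentialId":"c0ffee","signCount":7}`)) // constructed sample
	out, err := Decrypt(priv, enc)
	fmt.Printf("recovered=%s err=%v\n", out, err)
	enc.Ciphertext[0] ^= 0x01 // one flipped byte must be rejected before any decryption happens
	_, err = Decrypt(priv, enc)
	fmt.Println("tampered:", err)
}
```

The RSA private key that unwraps every profile key is what the Key-Pair Alias and Private Key Password settings point at; losing it makes all stored profiles unreadable, and exposing it makes them all readable, which is why the note above prefers mapping it through a secret store over a password in configuration.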
BaseUrlSource
Realm Operations
Resource path:
/realm-config/services/baseurl
Resource version: 2.0
create
Usage
am> create BaseUrlSource --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "extensionClassName" : { "title" : "Extension class name", "description" : "If Extension class is selected as the Base URL source, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code> in the Extension class name field.", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" }, "contextPath" : { "title" : "Context path", "description" : "Specifies the context path for the base URL.<p><p>If provided, the base URL includes the deployment context path appended to the calculated URL.<p>For example, <code>/openam</code>.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "source" : { "title" : "Base URL Source", "description" : "Specifies the source of the base URL. Choose from the following:<ul> <li>Extension class. Specifies that the extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code>.</li><li>Fixed value. Specifies that the base URL is retrieved from a specific base URL value. In the Fixed value base URL field, enter the base URL value.</li><li>Forwarded header. Specifies that the base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in <a href=\"https://tools.ietf.org/html/rfc7239\">RFC7239</a>.</li><li>Host/protocol from incoming request. Specifies that the hostname, server name, and port are retrieved from the incoming HTTP request.</li><li>X-Forwarded-* headers. Specifies that the base URL is retrieved from non-standard header fields, such as <code>X-Forwarded-For</code>, <code>X-Forwarded-By</code>, and <code>X-Forwarded-Proto</code>.</li></ul>", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "fixedValue" : { "title" : "Fixed value base URL", "description" : "If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" } } }
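The security-relevant choice in the schema above is where the base URL comes from. Forwarded header and X-Forwarded-* headers are only safe when every request reaches AM through a proxy that overwrites those headers; if clients can reach AM directly, or the proxy appends rather than replaces, the client chooses the host and scheme that end up in every absolute URL AM builds from the base URL. The Go program below is an added example, not AM's implementation: it models the four non-extension sources with a constructed request in which the client has supplied its own forwarding headers, and shows that Fixed value is the only source the client cannot steer. The enum names, the Request type and the use of X-Forwarded-Host for the host (the page names X-Forwarded-Proto but no host header) are this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Source mirrors the "Base URL Source" choices on the page; the constant names are this
// example's own (the page does not show the stored enum values).
type Source int

const (
	FixedValue Source = iota
	RequestHostProtocol
	ForwardedHeader
	XForwardedHeaders
)

type Config struct {
	Source      Source
	FixedValue  string // "Fixed value base URL"
	ContextPath string // "Context path", e.g. /openam, appended to the calculated URL
}

type Request struct {
	Scheme  string            // scheme of the connection AM itself accepted
	Host    string            // Host header as AM saw it
	Headers map[string]string // assumed already canonicalised to the spellings used below
}

// parseForwarded reads proto= and host= from the first element of an RFC 7239 Forwarded
// header. A proxy that appends its own element leaves a client-supplied first element in
// place, so the header is only trustworthy when the proxy replaces it outright.
func parseForwarded(v string) (proto, host string) {
	first := strings.SplitN(v, ",", 2)[0]
	for _, pair := range strings.Split(first, ";") {
		kv := strings.SplitN(strings.TrimSpace(pair), "=", 2)
		if len(kv) != 2 {
			continue
		}
		val := strings.Trim(kv[1], `"`)
		switch strings.ToLower(kv[0]) {
		case "proto":
			proto = val
		case "host":
			host = val
		}
	}
	return proto, host
}

// BaseURL computes scheme://host plus the context path from the configured source.
func BaseURL(c Config, r Request) string {
	if c.Source == FixedValue {
		return strings.TrimRight(c.FixedValue, "/") + c.ContextPath
	}
	scheme, host := r.Scheme, r.Host
	switch c.Source {
	case ForwardedHeader:
		if p, h := parseForwarded(r.Headers["Forwarded"]); p != "" && h != "" {
			scheme, host = p, h
		}
	case XForwardedHeaders:
		if p := r.Headers["X-Forwarded-Proto"]; p != "" {
			scheme = p
		}
		if h := r.Headers["X-Forwarded-Host"]; h != "" { // host header name is an assumption
			host = h
		}
	}
	return scheme + "://" + host + c.ContextPath
}

func main() {
	// Constructed request: AM listens on plain HTTP behind a proxy, and the client has
	// sent its own forwarding headers, which the proxy failed to strip or overwrite.
	req := Request{Scheme: "http", Host: "am.internal:8080", Headers: map[string]string{
		"X-Forwarded-Proto": "https",
		"X-Forwarded-Host":  "evil.example",
		"Forwarded":         `for=203.0.113.9;proto=https;host="evil.example"`,
	}}
	cases := []struct {
		name string
		cfg  Config
	}{
		{"X-Forwarded-* headers", Config{Source: XForwardedHeaders, ContextPath: "/am"}},
		{"Forwarded header", Config{Source: ForwardedHeader, ContextPath: "/am"}},
		{"Host/protocol from request", Config{Source: RequestHostProtocol, ContextPath: "/am"}},
		{"Fixed value", Config{Source: FixedValue, FixedValue: "https://am.example.com", ContextPath: "/am"}},
	}
	for _, c := range cases {
		fmt.Printf("%-28s %s\n", c.name, BaseURL(c.cfg, req))
	}
}
```

With the forwarded sources the computed base URL is https://evil.example/am; with Host/protocol from incoming request it is whatever the container saw (http://am.internal:8080/am here, which is wrong behind a TLS-terminating proxy but not attacker-chosen); only Fixed value yields the intended https://am.example.com/am regardless of what the request carries.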
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action BaseUrlSource --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action BaseUrlSource --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action BaseUrlSource --realm Realm --actionName nextdescendents
update
Usage
am> update BaseUrlSource --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "extensionClassName" : { "title" : "Extension class name", "description" : "If Extension class is selected as the Base URL source, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code> in the Extension class name field.", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" }, "contextPath" : { "title" : "Context path", "description" : "Specifies the context path for the base URL.<p><p>If provided, the base URL includes the deployment context path appended to the calculated URL.<p>For example, <code>/openam</code>.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "source" : { "title" : "Base URL Source", "description" : "Specifies the source of the base URL. Choose from the following:<ul> <li>Extension class. Specifies that the extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code>.</li><li>Fixed value. Specifies that the base URL is retrieved from a specific base URL value. In the Fixed value base URL field, enter the base URL value.</li><li>Forwarded header. Specifies that the base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in <a href=\"https://tools.ietf.org/html/rfc7239\">RFC7239</a>.</li><li>Host/protocol from incoming request. Specifies that the hostname, server name, and port are retrieved from the incoming HTTP request.</li><li>X-Forwarded-* headers. Specifies that the base URL is retrieved from non-standard header fields, such as <code>X-Forwarded-For</code>, <code>X-Forwarded-By</code>, and <code>X-Forwarded-Proto</code>.</li></ul>", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "fixedValue" : { "title" : "Fixed value base URL", "description" : "If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" } } }
Global Operations
Resource path:
/global-config/services/baseurl
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action BaseUrlSource --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action BaseUrlSource --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action BaseUrlSource --global --actionName nextdescendents
update
Usage
am> update BaseUrlSource --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaults" : { "properties" : { "fixedValue" : { "title" : "Fixed value base URL", "description" : "If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "source" : { "title" : "Base URL Source", "description" : "Specifies the source of the base URL. Choose from the following:<ul> <li>Extension class. Specifies that the extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code>.</li><li>Fixed value. Specifies that the base URL is retrieved from a specific base URL value. In the Fixed value base URL field, enter the base URL value.</li><li>Forwarded header. Specifies that the base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in <a href=\"https://tools.ietf.org/html/rfc7239\">RFC7239</a>.</li><li>Host/protocol from incoming request. Specifies that the hostname, server name, and port are retrieved from the incoming HTTP request.</li><li>X-Forwarded-* headers. Specifies that the base URL is retrieved from non-standard header fields, such as <code>X-Forwarded-For</code>, <code>X-Forwarded-By</code>, and <code>X-Forwarded-Proto</code>.</li></ul>", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "" }, "extensionClassName" : { "title" : "Extension class name", "description" : "If Extension class is selected as the Base URL source, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code> in the Extension class name field.", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" }, "contextPath" : { "title" : "Context path", "description" : "Specifies the context path for the base URL.<p><p>If provided, the base URL includes the deployment context path appended to the calculated URL.<p>For example, <code>/openam</code>.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" } }, "type" : "object", "title" : "Realm Defaults" } } }
BoundDevice
Realm Operations
The devices service exposes functions to change the collection of a user's bound devices. The supported methods are update, delete and query.
Resource path:
/users/{user}/devices/2fa/binding
Resource version: 1.0
delete
Delete a user-bound device
Usage
am> delete BoundDevice --realm Realm --id id --user user
Parameters
- --id
-
The unique identifier for the resource.
- --user
-
The identifier of the user whose bound devices are managed (the {user} segment of the resource path).
query
Query the user's bound devices
Usage
am> query BoundDevice --realm Realm --filter filter --user user
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all. Fields that can be queried: [*]
- --user
-
The identifier of the user whose bound devices are managed (the {user} segment of the resource path).
update
Update the name of an existing user-bound device
Usage
am> update BoundDevice --realm Realm --id id --body body --user user
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "$schema" : "http://json-schema.org/draft-04/schema#", "description" : "User devices schema that is used for user-bound devices", "type" : "object", "title" : "User devices schema", "properties" : { "deviceName" : { "type" : "string", "title" : "Device Name", "description" : "The name of the user-bound device." }, "uuid" : { "type" : "string", "title" : "UUID", "description" : "The unique identifier for this device." }, "createdDate" : { "type" : "integer", "title" : "Device created date.", "description" : "The date the device was created." }, "lastAccessDate" : { "type" : "integer", "title" : "Device last access date.", "description" : "The date the device last signed successfully and was verified." } } }
- --user
-
The identifier of the user whose bound devices are managed (the {user} segment of the resource path).
CORSService
Global Operations
Resource path:
/global-config/services/CorsService
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action CORSService --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action CORSService --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action CORSService --global --actionName nextdescendents
update
Usage
am> update CORSService --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "enabled" : { "title" : "Enable the CORS filter", "description" : "If disabled, no CORS headers are added to responses.", "propertyOrder" : 1, "required" : true, "type" : "boolean", "exampleValue" : "" } } }
CRESTReporter
Global Operations
Resource path:
/global-config/services/monitoring/crest
Resource version: 1.0
create
Usage
am> create CRESTReporter --global --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "enabled" : { "title" : "Enabled", "description" : "", "propertyOrder" : 100, "required" : true, "type" : "boolean", "exampleValue" : "" } } }
delete
Usage
am> delete CRESTReporter --global --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action CRESTReporter --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action CRESTReporter --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action CRESTReporter --global --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query CRESTReporter --global --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read CRESTReporter --global --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update CRESTReporter --global --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "enabled" : { "title" : "Enabled", "description" : "", "propertyOrder" : 100, "required" : true, "type" : "boolean", "exampleValue" : "" } } }
Captcha
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/product-CaptchaNode
Resource version: 2.0
create
Usage
am> create Captcha --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "disableSubmission" : { "title" : "Disable submission until verified", "description" : "If this is selected, form submission is disabled until CAPTCHA verification succeeds.", "propertyOrder" : 800, "type" : "boolean", "exampleValue" : "" }, "apiUri" : { "title" : "CAPTCHA API URL", "description" : "The URL of the JavaScript to load the CAPTCHA verification, defaults to the Google ReCAPTCHA API.", "propertyOrder" : 400, "type" : "string", "exampleValue" : "" }, "secretKey" : { "title" : "CAPTCHA Secret Key", "description" : "CAPTCHA Secret Key. This property is deprecated. Use the CAPTCHA Secret Label Identifier instead. If you set a CAPTCHA Secret Label Identifier and AM finds a matching secret in a secret store, the CAPTCHA Secret Key is ignored.", "propertyOrder" : 200, "type" : "string", "exampleValue" : "" }, "captchaUri" : { "title" : "CAPTCHA Verification URL", "description" : "URL to Verify CAPTCHA, defaults to the Google ReCAPTCHA verification URI.", "propertyOrder" : 300, "type" : "string", "exampleValue" : "" }, "siteKey" : { "title" : "CAPTCHA Site Key", "description" : "CAPTCHA Site Key", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" }, "scoreThreshold" : { "title" : "Score Threshold", "description" : "Specifies the score threshold for determining if a user is likely to be a real person. CAPTCHA scores received will be between 0.0 and 1.0. The higher the score, the more likely the user is a real person. This score is not provided by all CAPTCHA implementations, please check the documentation for your vendor.", "propertyOrder" : 700, "type" : "string", "exampleValue" : "" }, "secretLabelIdentifier" : { "title" : "CAPTCHA Secret Label Identifier", "description" : "Identifier used to create a secret label for mapping to a secret in a secret store. <br>AM uses this identifier to create a specific secret label for this node. The secret label takes the form <code>am.authentication.nodes.captcha.{{identifier}}.secret</code> where {{identifier}} is the value of CAPTCHA Secret Label Identifier. The identifier can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}. If you set a CAPTCHA Secret Label Identifier and AM finds a matching secret in a secret store, the CAPTCHA Secret Key is ignored.", "propertyOrder" : 250, "type" : "string", "exampleValue" : "" }, "reCaptchaV3" : { "title" : "ReCaptcha V3 Node", "description" : "If this is selected then a frictionless captcha will be assumed, leaving no interactive Captcha elements on the page.", "propertyOrder" : 600, "type" : "boolean", "exampleValue" : "" }, "divClass" : { "title" : "Class of CAPTCHA HTML Element", "description" : "The class of the HTML element required by the captcha API, defaults to the value for Google ReCAPTCHA.", "propertyOrder" : 500, "type" : "string", "exampleValue" : "" } }, "required" : [ "disableSubmission", "apiUri", "captchaUri", "siteKey", "scoreThreshold", "reCaptchaV3", "divClass" ] }
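Three rules in the schema above are easy to get wrong when scripting node creation: the identifier character set and its no-leading-or-trailing-dot rule, the precedence of a secret-store match over the deprecated CAPTCHA Secret Key, and the 0.0 to 1.0 range of the score threshold (which the schema types as a string). The Go program below is an added example for this page, not AM's code: it derives the secret label, resolves which secret applies, and evaluates a reCAPTCHA v3 score against the threshold. The secret store is modelled as a map, and "score at or above threshold passes" is an assumption; the page only says that higher scores are more likely human.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// NodeConfig carries the three Captcha node properties this example needs; names follow the schema.
type NodeConfig struct {
	SecretLabelIdentifier string
	SecretKey             string // deprecated, used only when no secret matches the label
	ScoreThreshold        string // the schema types this as a string
}

var identifierChars = regexp.MustCompile(`^[A-Za-z0-9.]+$`)

// SecretLabel applies the page's rules: characters a-z A-Z 0-9 and '.', no leading or trailing '.'.
func SecretLabel(identifier string) (string, error) {
	if !identifierChars.MatchString(identifier) {
		return "", fmt.Errorf("identifier %q: only a-z, A-Z, 0-9 and '.' are allowed", identifier)
	}
	if strings.HasPrefix(identifier, ".") || strings.HasSuffix(identifier, ".") {
		return "", fmt.Errorf("identifier %q must not start or end with '.'", identifier)
	}
	return "am.authentication.nodes.captcha." + identifier + ".secret", nil
}

// ResolveSecret implements the precedence the schema describes: a secret-store match for the
// derived label wins; otherwise the deprecated CAPTCHA Secret Key is used. The store is a
// map here (this example's stand-in, not AM's secret store API).
func ResolveSecret(n NodeConfig, store map[string]string) (secret, source string, err error) {
	if n.SecretLabelIdentifier != "" {
		label, lerr := SecretLabel(n.SecretLabelIdentifier)
		if lerr != nil {
			return "", "", lerr
		}
		if s, ok := store[label]; ok && s != "" {
			return s, "secret store (" + label + ")", nil
		}
	}
	if n.SecretKey == "" {
		return "", "", errors.New("no secret: no store match and CAPTCHA Secret Key is empty")
	}
	return n.SecretKey, "CAPTCHA Secret Key (deprecated)", nil
}

// ParseThreshold checks that the v3 score threshold is a number in the documented 0.0..1.0 range.
func ParseThreshold(s string) (float64, error) {
	v, err := strconv.ParseFloat(strings.TrimSpace(s), 64)
	if err != nil || v < 0 || v > 1 {
		return 0, fmt.Errorf("scoreThreshold %q is not a number in 0.0..1.0", s)
	}
	return v, nil
}

// Passes treats score >= threshold as "likely a real person" (assumed comparison).
func Passes(score, threshold float64) bool { return score >= threshold }

func main() {
	n := NodeConfig{SecretLabelIdentifier: "google.v3", SecretKey: "legacy-key", ScoreThreshold: "0.5"}
	store := map[string]string{"am.authentication.nodes.captcha.google.v3.secret": "s3cr3t"} // constructed
	s, src, err := ResolveSecret(n, store)
	fmt.Println(s, src, err)
	th, _ := ParseThreshold(n.ScoreThreshold)
	fmt.Println("score 0.3 passes:", Passes(0.3, th), "score 0.9 passes:", Passes(0.9, th))
}
```

Because the schema lists neither secretKey nor secretLabelIdentifier as required, a node can be created with no usable secret at all; ResolveSecret returns an error in that case rather than letting verification proceed with an empty key.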
delete
Usage
am> delete Captcha --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action Captcha --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action Captcha --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action Captcha --realm Realm --body body --actionName listOutcomes
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action Captcha --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query Captcha --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read Captcha --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update Captcha --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "disableSubmission" : { "title" : "Disable submission until verified", "description" : "If this is selected, form submission is disabled until CAPTCHA verification succeeds.", "propertyOrder" : 800, "type" : "boolean", "exampleValue" : "" }, "apiUri" : { "title" : "CAPTCHA API URL", "description" : "The URL of the JavaScript to load the CAPTCHA verification, defaults to the Google ReCAPTCHA API.", "propertyOrder" : 400, "type" : "string", "exampleValue" : "" }, "secretKey" : { "title" : "CAPTCHA Secret Key", "description" : "CAPTCHA Secret Key. This property is deprecated. Use the CAPTCHA Secret Label Identifier instead. If you set a CAPTCHA Secret Label Identifier and AM finds a matching secret in a secret store, the CAPTCHA Secret Key is ignored.", "propertyOrder" : 200, "type" : "string", "exampleValue" : "" }, "captchaUri" : { "title" : "CAPTCHA Verification URL", "description" : "URL to Verify CAPTCHA, defaults to the Google ReCAPTCHA verification URI.", "propertyOrder" : 300, "type" : "string", "exampleValue" : "" }, "siteKey" : { "title" : "CAPTCHA Site Key", "description" : "CAPTCHA Site Key", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" }, "scoreThreshold" : { "title" : "Score Threshold", "description" : "Specifies the score threshold for determining if a user is likely to be a real person. CAPTCHA scores received will be between 0.0 and 1.0. The higher the score, the more likely the user is a real person. This score is not provided by all CAPTCHA implementations, please check the documentation for your vendor.", "propertyOrder" : 700, "type" : "string", "exampleValue" : "" }, "secretLabelIdentifier" : { "title" : "CAPTCHA Secret Label Identifier", "description" : "Identifier used to create a secret label for mapping to a secret in a secret store. <br>AM uses this identifier to create a specific secret label for this node. The secret label takes the form <code>am.authentication.nodes.captcha.{{identifier}}.secret</code> where {{identifier}} is the value of CAPTCHA Secret Label Identifier. The identifier can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}. If you set a CAPTCHA Secret Label Identifier and AM finds a matching secret in a secret store, the CAPTCHA Secret Key is ignored.", "propertyOrder" : 250, "type" : "string", "exampleValue" : "" }, "reCaptchaV3" : { "title" : "ReCaptcha V3 Node", "description" : "If this is selected then a frictionless captcha will be assumed, leaving no interactive Captcha elements on the page.", "propertyOrder" : 600, "type" : "boolean", "exampleValue" : "" }, "divClass" : { "title" : "Class of CAPTCHA HTML Element", "description" : "The class of the HTML element required by the captcha API, defaults to the value for Google ReCAPTCHA.", "propertyOrder" : 500, "type" : "string", "exampleValue" : "" } }, "required" : [ "disableSubmission", "apiUri", "captchaUri", "siteKey", "scoreThreshold", "reCaptchaV3", "divClass" ] }
CertificateCollectorNode
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/product-CertificateCollectorNode
Resource version: 2.0
create
Usage
am> create CertificateCollectorNode --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "certificateCollectionMethod" : { "title" : "Certificate Collection Method", "description" : "This field defines how the client certificate should be collected from the request. If TLS termination happens at the web container that is running Access Management, choose <code>Request</code>. If you have Access Management behind a proxy or load balancer and terminate TLS there, select <code>Header</code>. If <code>Either</code> is selected, the collector node will first look at the request, then look at the <code>HTTP Header Name for Client Certificate</code> specified, in that order.", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" }, "clientCertificateHttpHeaderName" : { "title" : "HTTP Header Name for Client Certificate", "description" : "The name of the HTTP request header containing the certificate, only used when header based collection is enabled.", "propertyOrder" : 200, "type" : "string", "exampleValue" : "" }, "trustedRemoteHosts" : { "title" : "Trusted Remote Hosts", "description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified trusted hosts (identified by IP address) are allowed to supply client certificates to the certificate node.<br><br>An empty list means remote headers are not trusted; a single value of <code>any</code> means all hosts are trusted.", "propertyOrder" : 300, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } }, "required" : [ "certificateCollectionMethod", "trustedRemoteHosts" ] }
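A certificate delivered in an HTTP header is just text the sender typed, so Header and Either collection are only as strong as the Trusted Remote Hosts list: it must name the TLS-terminating proxy and nothing else, and AM must not be reachable except through that proxy. The weak configuration is Header or Either with trustedRemoteHosts set to ["any"] (or a direct network path to AM that bypasses the proxy), which lets any client assert any identity by pasting a certificate into the header. The Go program below is an added example for this page, not the node's code: it models the three collection methods and the trusted-host rule, parses a PEM certificate from the header (URL-encoded or raw, a common proxy convention the page does not fix), and shows the same forged header accepted from the proxy and rejected from an arbitrary client. The types, the header name X-Client-Cert and the self-signed test certificate are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Method mirrors the node's Certificate Collection Method choices.
type Method int

const (
	Request Method = iota // certificate from the TLS connection the container terminated
	Header                // certificate from the configured HTTP header, set by a TLS-terminating proxy
	Either                // request first, then header
)

type CollectorConfig struct {
	Method             Method
	HeaderName         string   // "HTTP Header Name for Client Certificate"
	TrustedRemoteHosts []string // empty: never trust the header; "any": trust every peer
}

type IncomingRequest struct {
	RemoteIP    string            // peer address of the TCP connection AM accepted
	TLSPeerCert *x509.Certificate // present only when the container itself did client auth
	Headers     map[string]string
}

func headerTrusted(cfg CollectorConfig, remoteIP string) bool {
	for _, h := range cfg.TrustedRemoteHosts {
		if h == "any" || h == remoteIP {
			return true
		}
	}
	return false
}

// parseHeaderCert accepts a PEM certificate, optionally URL-encoded. PathUnescape is used
// rather than QueryUnescape so that '+' inside base64 survives.
func parseHeaderCert(raw string) (*x509.Certificate, error) {
	if u, err := url.PathUnescape(raw); err == nil {
		raw = u
	}
	block, _ := pem.Decode([]byte(raw))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("header does not carry a PEM CERTIFICATE block")
	}
	return x509.ParseCertificate(block.Bytes)
}

// Collect returns the certificate and where it came from ("request" or "header").
func Collect(cfg CollectorConfig, req IncomingRequest) (*x509.Certificate, string, error) {
	if cfg.Method == Request || cfg.Method == Either {
		if req.TLSPeerCert != nil {
			return req.TLSPeerCert, "request", nil
		}
		if cfg.Method == Request {
			return nil, "", errors.New("no client certificate on the TLS connection")
		}
	}
	// Header path: the header is evidence of identity only when its sender is the trusted terminator.
	if !headerTrusted(cfg, req.RemoteIP) {
		return nil, "", fmt.Errorf("peer %s is not a Trusted Remote Host; header ignored", req.RemoteIP)
	}
	cert, err := parseHeaderCert(req.Headers[cfg.HeaderName])
	if err != nil {
		return nil, "", fmt.Errorf("%s from trusted peer: %w", cfg.HeaderName, err)
	}
	return cert, "header", nil
}

// SelfSignedPEM makes a throwaway client certificate for the demonstration (constructed input).
func SelfSignedPEM(cn string) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	hdr := map[string]string{"X-Client-Cert": url.PathEscape(SelfSignedPEM("alice"))}
	proxyOnly := CollectorConfig{Method: Header, HeaderName: "X-Client-Cert", TrustedRemoteHosts: []string{"10.0.0.5"}}
	for _, ip := range []string{"10.0.0.5", "198.51.100.7"} { // the proxy, then an arbitrary client
		cert, src, err := Collect(proxyOnly, IncomingRequest{RemoteIP: ip, Headers: hdr})
		if err != nil {
			fmt.Printf("%-14s rejected: %v\n", ip, err)
			continue
		}
		fmt.Printf("%-14s accepted CN=%s via %s\n", ip, cert.Subject.CommonName, src)
	}
}
```

Two things the trusted list does not do: it does not validate the certificate chain (that is the job of the certificate module or a later node), and it does not stop a compromised or misconfigured proxy from forwarding a header the client sent to it, so the proxy must always overwrite the header from its own TLS handshake rather than pass it through.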
delete
Usage
am> delete CertificateCollectorNode --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action CertificateCollectorNode --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action CertificateCollectorNode --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action CertificateCollectorNode --realm Realm --body body --actionName listOutcomes
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action CertificateCollectorNode --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query CertificateCollectorNode --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read CertificateCollectorNode --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update CertificateCollectorNode --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "certificateCollectionMethod" : { "title" : "Certificate Collection Method", "description" : "This field defines how the client certificate should be collected from the request. If TLS termination happens at the web container that is running Access Management, choose <code>Request</code>. If you have Access Management behind a proxy or load balancer and terminate TLS there, select <code>Header</code>. If <code>Either</code> is selected, the collector node will first look at the request, then look at the <code>HTTP Header Name for Client Certificate</code> specified, in that order.", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" }, "clientCertificateHttpHeaderName" : { "title" : "HTTP Header Name for Client Certificate", "description" : "The name of the HTTP request header containing the certificate, only used when header based collection is enabled.", "propertyOrder" : 200, "type" : "string", "exampleValue" : "" }, "trustedRemoteHosts" : { "title" : "Trusted Remote Hosts", "description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified trusted hosts (identified by IP address) are allowed to supply client certificates to the certificate node.<br><br>An empty list means remote headers are not trusted; a single value of <code>any</code> means all hosts are trusted.", "propertyOrder" : 300, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } }, "required" : [ "certificateCollectionMethod", "trustedRemoteHosts" ] }
CertificateModule
Realm Operations
Resource path:
/realm-config/authentication/modules/certificate
Resource version: 2.0
create
Usage
am> create CertificateModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "iplanet-am-auth-cert-gw-cert-preferred" : { "title" : "Use only Certificate from HTTP request header", "description" : "Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute", "propertyOrder" : 2000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 2100, "required" : true, "type" : "integer", "exampleValue" : "" }, "sslEnabled" : { "title" : "Use SSL/TLS for LDAP Access", "description" : "The certificate module will use SSL/TLS to access the LDAP server", "propertyOrder" : 1400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "certificateLdapServers" : { "title" : "LDAP Server Where Certificates are Stored", "description" : "Use this list to set the LDAP server used to search for certificates. <br><br>The Certificate authentication module will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 1000, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "cacheCRLsInMemory" : { "title" : "Cache CRLs in memory", "description" : "The CRLs will be cached in memory", "propertyOrder" : 700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "certificateAttributeToProfileMapping" : { "title" : "Certificate Field Used to Access User Profile", "description" : "The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a matching certificate. ", "propertyOrder" : 1500, "required" : true, "type" : "string", "exampleValue" : "" }, "crlMatchingCertificateAttribute" : { "title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs", "description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap searchfilter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456', attribute name specified is 'CN', searchfilter used will be <code>(CN=Some CA)</code><br/><br/>If several attribute names are specified, they have to be separated by <code>,</code>. The resulting ldap searchfilter value will be a comma separated list of name attribute values, the search attribute will be <code>cn</code><br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456', attribute names specified are 'CN,serialNumber', searchfilter used will be <code>cn=CN=Some CA,serialNumber=123456</code><br/>The order of the values of the attribute names matters as they must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "updateCRLsFromDistributionPoint" : { "title" : "Update CA CRLs from CRLDistributionPoint", "description" : "Fetch new CA CRLs from CRLDistributionPoint and update it in Directory Server<br><br>If the CA certificate includes an IssuingDistributionPoint or has a CRLDistributionPoint extension set, OpenAM tries to update the CRLs if needed (i.e. CRL is out-of-date). <br/>This property controls if the update should be performed.<br/>This property is only used if CA CRL checking is enabled.", "propertyOrder" : 800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "matchCertificateInLdap" : { "title" : "Match Certificate in LDAP", "description" : "The client certificate must exist in the directory for the authentication to be successful.", "propertyOrder" : 100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "otherCertificateAttributeToProfileMapping" : { "title" : "Other Certificate Field Used to Access User Profile", "description" : "This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. This field allows a custom certificate field to be used as the basis of the user search.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "" }, "ldapCertificateAttribute" : { "title" : "Subject DN Attribute Used to Search LDAP for Certificates", "description" : "This is the attribute used to search the directory for the certificate<br><br>The Certificate module will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "userBindPassword" : { "title" : "LDAP Server Authentication Password", "description" : "The password for the authentication user", "propertyOrder" : 1300, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "userBindDN" : { "title" : "LDAP Server Authentication User", "description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "crlHttpParameters" : { "title" : "HTTP Parameters for CRL Update", "description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allows custom HTTP parameters to be included in the CRL request.<br/><br/>The format of the parameter is as follows:<br/><br/><code>param1=value1,param2=value</code>", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "" }, "certificateAttributeProfileMappingExtension" : { "title" : "SubjectAltNameExt Value Type to Access User Profile", "description" : "Use the Subject Alternative Name Field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have precedence over the <i>Certificate Field Used to Access User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/><i>NB </i>The client certificate must contain the <i>Subject Alternate Name Extension</i> for this function to operate.", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" }, "matchCertificateToCRL" : { "title" : "Match Certificate to CRL", "description" : "The Client Certificate will be checked against the Certificate Revocation list held in the directory<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.", "propertyOrder" : 300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "clientCertificateHttpHeaderName" : { "title" : "HTTP Header Name for Client Certificate", "description" : "The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.", "propertyOrder" : 1900, "required" : true, "type" : "string", "exampleValue" : "" }, "ldapSearchStartDN" : { "title" : "LDAP Search Start or Base DN", "description" : "The start point in the LDAP server for the certificate search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. 
Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 1100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "trustedRemoteHosts" : { "title" : "Trusted Remote Hosts", "description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate module,<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>The default value of <i>none</i> disables this functionality", "propertyOrder" : 1800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "ocspValidationEnabled" : { "title" : "OCSP Validation", "description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br/><br/><i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work", "propertyOrder" : 900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "matchCACertificateToCRL" : { "title" : "Match CA Certificate to CRL", "description" : "The CA certificate that issued the client certificate will also be checked against the CRL.", "propertyOrder" : 600, "required" : true, "type" : "boolean", "exampleValue" : "" } } }
delete
Usage
am> delete CertificateModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action CertificateModule --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action CertificateModule --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action CertificateModule --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query CertificateModule --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read CertificateModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update CertificateModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "iplanet-am-auth-cert-gw-cert-preferred" : { "title" : "Use only Certificate from HTTP request header", "description" : "Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute", "propertyOrder" : 2000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 2100, "required" : true, "type" : "integer", "exampleValue" : "" }, "sslEnabled" : { "title" : "Use SSL/TLS for LDAP Access", "description" : "The certificate module will use SSL/TLS to access the LDAP server", "propertyOrder" : 1400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "certificateLdapServers" : { "title" : "LDAP Server Where Certificates are Stored", "description" : "Use this list to set the LDAP server used to search for certificates. <br><br>The Certificate authentication module will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. 
The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 1000, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "cacheCRLsInMemory" : { "title" : "Cache CRLs in memory", "description" : "The CRLs will be cached in memory", "propertyOrder" : 700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "certificateAttributeToProfileMapping" : { "title" : "Certificate Field Used to Access User Profile", "description" : "The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a matching certificate. ", "propertyOrder" : 1500, "required" : true, "type" : "string", "exampleValue" : "" }, "crlMatchingCertificateAttribute" : { "title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs", "description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap searchfilter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute name specified is 'CN', searchfilter used will be <code>(CN=Some CA)</code><br/><br/>If serveral attribute names are specified, they have to separated by <code>,</code>. The resulting ldap searchfilter value will be a comma separated list of name attribute values, the search attribute will be <code>cn</code><br/>e.g. 
SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute names specified are 'CN,serialNumber', searchfilter used will be <code>cn=CN=Some CA,serialNumber=123456</code><br/>The order of the values of the attribute names matter as they must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "updateCRLsFromDistributionPoint" : { "title" : "Update CA CRLs from CRLDistributionPoint", "description" : "Fetch new CA CRLs from CRLDistributionPoint and update it in Directory Server<br><br>If the CA certificate includes an IssuingDistributionPoint or has an CRLDistributionPoint extension set OpenAM tries to update the CRLs if neeed (i.e. CRL is out-of-date). <br/>This property controls if the update should be performed.<br/>This property is only used if CA CRL checking is enabled.", "propertyOrder" : 800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "matchCertificateInLdap" : { "title" : "Match Certificate in LDAP", "description" : "The client certificate must exist in the directory for the authentication to be successful.", "propertyOrder" : 100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "otherCertificateAttributeToProfileMapping" : { "title" : "Other Certificate Field Used to Access User Profile", "description" : "This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. 
This field allows a custom certificate field to be used as the basis of the user search.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "" }, "ldapCertificateAttribute" : { "title" : "Subject DN Attribute Used to Search LDAP for Certificates", "description" : "This is the attribute used to search the directory for the certificate<br><br>The Certificate module will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "userBindPassword" : { "title" : "LDAP Server Authentication Password", "description" : "The password for the authentication user", "propertyOrder" : 1300, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "userBindDN" : { "title" : "LDAP Server Authentication User", "description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "crlHttpParameters" : { "title" : "HTTP Parameters for CRL Update", "description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. 
This property allow custom HTTP parameters to be included in the CRL request.<br/><br/>The format of the parameter is as follows:<br/><br/><code>param1=value1,param2=value</code>", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "" }, "certificateAttributeProfileMappingExtension" : { "title" : "SubjectAltNameExt Value Type to Access User Profile", "description" : "Use the Subject Alternative Name Field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have have precedence over the <i>Certificate Field Used to Access User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/><i>NB </i>The client certificate must contain the <i>Subject Alternate Name Extension</i> for this function to operate.", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" }, "matchCertificateToCRL" : { "title" : "Match Certificate to CRL", "description" : "The Client Certificate will be checked against the Certificate Revocation list held in the directory<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.", "propertyOrder" : 300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "clientCertificateHttpHeaderName" : { "title" : "HTTP Header Name for Client Certificate", "description" : "The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.", "propertyOrder" : 1900, "required" : true, "type" : "string", "exampleValue" : "" }, "ldapSearchStartDN" : { "title" : "LDAP Search Start or Base DN", "description" : "The start point in the LDAP server for the certificate search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. 
Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 1100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "trustedRemoteHosts" : { "title" : "Trusted Remote Hosts", "description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate module,<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>The default value of <i>none</i> disables this functionality", "propertyOrder" : 1800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "ocspValidationEnabled" : { "title" : "OCSP Validation", "description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br/><br/><i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work", "propertyOrder" : 900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "matchCACertificateToCRL" : { "title" : "Match CA Certificate to CRL", "description" : "The CA certificate that issued the client certificate will also be checked against the CRL.", "propertyOrder" : 600, "required" : true, "type" : "boolean", "exampleValue" : "" } } }
Global Operations
Resource path:
/global-config/authentication/modules/certificate
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action CertificateModule --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action CertificateModule --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action CertificateModule --global --actionName nextdescendents
update
Usage
am> update CertificateModule --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaults" : { "properties" : { "ocspValidationEnabled" : { "title" : "OCSP Validation", "description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br/><br/><i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work", "propertyOrder" : 900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 2100, "required" : true, "type" : "integer", "exampleValue" : "" }, "userBindPassword" : { "title" : "LDAP Server Authentication Password", "description" : "The password for the authentication user", "propertyOrder" : 1300, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "updateCRLsFromDistributionPoint" : { "title" : "Update CA CRLs from CRLDistributionPoint", "description" : "Fetch new CA CRLs from CRLDistributionPoint and update it in Directory Server<br><br>If the CA certificate includes an IssuingDistributionPoint or has an CRLDistributionPoint extension set OpenAM tries to update the CRLs if neeed (i.e. CRL is out-of-date). 
<br/>This property controls if the update should be performed.<br/>This property is only used if CA CRL checking is enabled.", "propertyOrder" : 800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "trustedRemoteHosts" : { "title" : "Trusted Remote Hosts", "description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate module,<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>The default value of <i>none</i> disables this functionality", "propertyOrder" : 1800, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "iplanet-am-auth-cert-gw-cert-preferred" : { "title" : "Use only Certificate from HTTP request header", "description" : "Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute", "propertyOrder" : 2000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "certificateAttributeToProfileMapping" : { "title" : "Certificate Field Used to Access User Profile", "description" : "The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a matching certificate. ", "propertyOrder" : 1500, "required" : true, "type" : "string", "exampleValue" : "" }, "matchCertificateToCRL" : { "title" : "Match Certificate to CRL", "description" : "The Client Certificate will be checked against the Certificate Revocation list held in the directory<br><br>A Certificate Revocation List can be provisioned into the directory. 
Having this option enabled will cause all client certificates to be checked against this list.", "propertyOrder" : 300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "cacheCRLsInMemory" : { "title" : "Cache CRLs in memory", "description" : "The CRLs will be cached in memory", "propertyOrder" : 700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "userBindDN" : { "title" : "LDAP Server Authentication User", "description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "clientCertificateHttpHeaderName" : { "title" : "HTTP Header Name for Client Certificate", "description" : "The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.", "propertyOrder" : 1900, "required" : true, "type" : "string", "exampleValue" : "" }, "certificateAttributeProfileMappingExtension" : { "title" : "SubjectAltNameExt Value Type to Access User Profile", "description" : "Use the Subject Alternative Name Field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have have precedence over the <i>Certificate Field Used to Access User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/><i>NB </i>The client certificate must contain the <i>Subject Alternate Name Extension</i> for this function to operate.", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" }, "crlMatchingCertificateAttribute" : { "title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs", "description" : "This is the name of the attribute taken from the CA 
certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap searchfilter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute name specified is 'CN', searchfilter used will be <code>(CN=Some CA)</code><br/><br/>If serveral attribute names are specified, they have to separated by <code>,</code>. The resulting ldap searchfilter value will be a comma separated list of name attribute values, the search attribute will be <code>cn</code><br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute names specified are 'CN,serialNumber', searchfilter used will be <code>cn=CN=Some CA,serialNumber=123456</code><br/>The order of the values of the attribute names matter as they must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "otherCertificateAttributeToProfileMapping" : { "title" : "Other Certificate Field Used to Access User Profile", "description" : "This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. This field allows a custom certificate field to be used as the basis of the user search.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "" }, "ldapSearchStartDN" : { "title" : "LDAP Search Start or Base DN", "description" : "The start point in the LDAP server for the certificate search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. 
The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 1100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "sslEnabled" : { "title" : "Use SSL/TLS for LDAP Access", "description" : "The certificate module will use SSL/TLS to access the LDAP server", "propertyOrder" : 1400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "matchCertificateInLdap" : { "title" : "Match Certificate in LDAP", "description" : "The client certificate must exist in the directory for the authentication to be successful.", "propertyOrder" : 100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ldapCertificateAttribute" : { "title" : "Subject DN Attribute Used to Search LDAP for Certificates", "description" : "This is the attribute used to search the directory for the certificate<br><br>The Certificate module will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "crlHttpParameters" : { "title" : "HTTP Parameters for CRL Update", "description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. 
This property allow custom HTTP parameters to be included in the CRL request.<br/><br/>The format of the parameter is as follows:<br/><br/><code>param1=value1,param2=value</code>", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "" }, "certificateLdapServers" : { "title" : "LDAP Server Where Certificates are Stored", "description" : "Use this list to set the LDAP server used to search for certificates. <br><br>The Certificate authentication module will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 1000, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "matchCACertificateToCRL" : { "title" : "Match CA Certificate to CRL", "description" : "The CA certificate that issued the client certificate will also be checked against the CRL.", "propertyOrder" : 600, "required" : true, "type" : "boolean", "exampleValue" : "" } }, "type" : "object", "title" : "Realm Defaults" } } }
CertificateUserExtractorNode
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/product-CertificateUserExtractorNode
Resource version: 2.0
create
Usage
am> create CertificateUserExtractorNode --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "certificateAttributeProfileMappingExtension" : { "title" : "SubjectAltNameExt Value Type to Access User Profile", "description" : "Use the Subject Alternative Name Field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have have precedence over the <em>Certificate Field Used to Access User Profile</em> or <em>Other Certificate Field Used to Access User Profile</em> attribute.", "propertyOrder" : 300, "type" : "string", "exampleValue" : "" }, "otherCertificateAttributeToProfileMapping" : { "title" : "Other Certificate Field Used to Access User Profile", "description" : "This field is only used if the <em>Certificate Field Used to Access User Profile</em> attribute is set to <em>other</em>. This field allows a custom certificate field to be used as the basis of the user search.", "propertyOrder" : 200, "type" : "string", "exampleValue" : "" }, "certificateAttributeToProfileMapping" : { "title" : "Certificate Field Used to Access User Profile", "description" : "The certificate node needs to read a value from the client certificate that can be used to search the LDAP server for the user. This value from the certificate will be populated in shared state under the username key.", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" } }, "required" : [ "certificateAttributeProfileMappingExtension", "certificateAttributeToProfileMapping" ] }
delete
Usage
am> delete CertificateUserExtractorNode --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action CertificateUserExtractorNode --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action CertificateUserExtractorNode --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action CertificateUserExtractorNode --realm Realm --body body --actionName listOutcomes
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action CertificateUserExtractorNode --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query CertificateUserExtractorNode --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read CertificateUserExtractorNode --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update CertificateUserExtractorNode --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "certificateAttributeProfileMappingExtension" : { "title" : "SubjectAltNameExt Value Type to Access User Profile", "description" : "Use the Subject Alternative Name Field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have have precedence over the <em>Certificate Field Used to Access User Profile</em> or <em>Other Certificate Field Used to Access User Profile</em> attribute.", "propertyOrder" : 300, "type" : "string", "exampleValue" : "" }, "otherCertificateAttributeToProfileMapping" : { "title" : "Other Certificate Field Used to Access User Profile", "description" : "This field is only used if the <em>Certificate Field Used to Access User Profile</em> attribute is set to <em>other</em>. This field allows a custom certificate field to be used as the basis of the user search.", "propertyOrder" : 200, "type" : "string", "exampleValue" : "" }, "certificateAttributeToProfileMapping" : { "title" : "Certificate Field Used to Access User Profile", "description" : "The certificate node needs to read a value from the client certificate that can be used to search the LDAP server for the user. This value from the certificate will be populated in shared state under the username key.", "propertyOrder" : 100, "type" : "string", "exampleValue" : "" } }, "required" : [ "certificateAttributeProfileMappingExtension", "certificateAttributeToProfileMapping" ] }
CertificateValidationNode
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/product-CertificateValidationNode
Resource version: 2.0
create
Usage
am> create CertificateValidationNode --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "mtlsSecretLabel" : { "title" : "mTLS Secret Label Identifier", "description" : "Label identifier used to create a secret label for mapping to the mTLS certificate in the secret store. <br> AM uses this identifier to create a specific secret label for this node. The secret label takes the form <code>am.authentication.nodes.certificate.validation.mtls.{{identifier}}.cert</code> where {{identifier}} is the value of mTLS Secret Label Identifier. The label identifier can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}.", "propertyOrder" : 1350, "type" : "string", "exampleValue" : "" }, "certificateLdapServers" : { "title" : "LDAP Server Where Certificates are Stored", "description" : "Use this list to set the LDAP server used to search for certificates.<br><br>The Certificate authentication node will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br><code>ldap_server:port</code><br><br>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br><code>local server name | server:port</code><br><br>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 1000, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "checkCertificateExpiry" : { "title" : "Check Certificate Expiration", "description" : "Check to see if the certificate is expired.", "propertyOrder" : 200, "type" : "boolean", "exampleValue" : "" }, "cacheCRLsInMemory" : { "title" : "Cache CRLs in Memory", "description" : "The CRLs will be cached in memory.", "propertyOrder" : 700, "type" : "boolean", "exampleValue" : "" }, "userBindDN" : { "title" : "LDAP Server Authentication User", "description" : "DN of the user used by the node to authenticate to the LDAP server.<br><br>The Certificate node authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server. If mTLS is enabled, this attribute is ignored.", "propertyOrder" : 1200, "type" : "string", "exampleValue" : "" }, "ldapCertificateAttribute" : { "title" : "Subject DN Attribute Used to Search LDAP for Certificates", "description" : "This is the attribute used to search the directory for the certificate.<br><br>The Certificate node will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.", "propertyOrder" : 300, "type" : "string", "exampleValue" : "" }, "sslEnabled" : { "title" : "Use SSL/TLS for LDAP Access", "description" : "The certificate node will use SSL/TLS to access the LDAP server.", "propertyOrder" : 1400, "type" : "boolean", "exampleValue" : "" }, "crlHttpParameters" : { "title" : "HTTP Parameters for CRL Update", "description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority.<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allows custom HTTP parameters to be included in the CRL request.<br><br>The format of the parameter is as follows:<br><code>param1=value1,param2=value2</code>", "propertyOrder" : 600, "type" : "string", "exampleValue" : "" }, "updateCRLsFromDistributionPoint" : { "title" : "Update CA CRLs from CRLDistributionPoint", "description" : "Fetch new CA CRLs from the CRLDistributionPoint and update them in the Directory Server.<br><br>If the CA certificate includes an IssuingDistributionPoint or has a CRLDistributionPoint extension set, OpenAM tries to update the CRLs if needed (i.e. the CRL is out-of-date).<br>This property controls whether the update should be performed.<br>This property is only used if CA CRL checking is enabled.", "propertyOrder" : 800, "type" : "boolean", "exampleValue" : "" }, "matchCertificateToCRL" : { "title" : "Match Certificate to CRL", "description" : "The Client Certificate will be checked against the Certificate Revocation List held in the directory.<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.", "propertyOrder" : 400, "type" : "boolean", "exampleValue" : "" }, "ldapSearchStartDN" : { "title" : "LDAP Search Start or Base DN", "description" : "The start point in the LDAP server for the certificate and CRL search.<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br><code>local server name | base dn</code><br><br>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 1100, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "userBindPassword" : { "title" : "LDAP Server Authentication Password", "description" : "The password for the authentication user. If mTLS is enabled, this attribute is ignored.", "propertyOrder" : 1300, "type" : "string", "format" : "password", "exampleValue" : "" }, "crlMatchingCertificateAttribute" : { "title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs", "description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap search filter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN), e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456', attribute name specified is 'CN', search filter used will be <code>(CN=Some CA)</code>.<br><br>If several attribute names are specified, they have to be separated by commas. The resulting ldap search filter value will be a comma separated list of name attribute values, and the search attribute will be cn, e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456', attribute names specified are 'CN, serialNumber', search filter used will be <code>cn=CN=Some CA,serialNumber=123456</code>. The order of the values of the attribute names matters as they must match the value of the cn attribute of a crlDistributionPoint entry in the directory server.", "propertyOrder" : 500, "type" : "string", "exampleValue" : "" }, "mtlsEnabled" : { "title" : "mTLS Enabled", "description" : "Enables mTLS (mutual TLS) between AM and this store. When mTLS is enabled:<ul><li>Set SSL enabled to <code>true</code>.</li><li>The values for <code>LDAP Server Authentication User</code> and <code>LDAP Server Authentication Password</code> are ignored.</li><li>You must provide an <code>mTLS Secret Label Identifier</code>.</li></ul>Instructions for setting up certificates and keystore mappings are in the product documentation.", "propertyOrder" : 1325, "type" : "boolean", "exampleValue" : "" }, "ocspValidationEnabled" : { "title" : "OCSP Validation", "description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates.<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br><br>The OpenAM server must have Internet connectivity for OCSP to work.", "propertyOrder" : 900, "type" : "boolean", "exampleValue" : "" }, "matchCertificateInLdap" : { "title" : "Match Certificate in LDAP", "description" : "The client certificate must exist in the directory for the authentication to be successful.", "propertyOrder" : 100, "type" : "boolean", "exampleValue" : "" } }, "required" : [ "certificateLdapServers", "checkCertificateExpiry", "cacheCRLsInMemory", "ldapCertificateAttribute", "sslEnabled", "updateCRLsFromDistributionPoint", "matchCertificateToCRL", "ldapSearchStartDN", "crlMatchingCertificateAttribute", "mtlsEnabled", "ocspValidationEnabled", "matchCertificateInLdap" ] }
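The schema above carries several coupled constraints that Amster will not check for you before the node is created: mTLS needs sslEnabled set to true and a well-formed mTLS Secret Label Identifier, the identifier may only contain a-z A-Z 0-9 and "." and may not start or end with ".", certificateLdapServers entries are either "ldap_server:port" or "local server name | server:port", and multiple ldapSearchStartDN entries must be prefixed with a local server name. The following pre-flight check is an added example, not Amster or AM code; it encodes those schema rules, derives the secret label AM will look for, and emits the single-line JSON for --body. The host:port regex, the plaintext-bind warning, the reading of "CA CRL checking" as matchCertificateToCRL, and all sample values are this example's own assumptions.

```python
"""Pre-flight checks for a CertificateValidationNode body before it is passed as
--body to `am> create CertificateValidationNode`.  Added example, not Amster or
AM code.  The rules come from the node schema; the host:port regex, the
plaintext-bind warning and the sample values are assumptions of this example."""
import json
import re

# Keys the schema lists under "required".
REQUIRED = (
    "certificateLdapServers", "checkCertificateExpiry", "cacheCRLsInMemory",
    "ldapCertificateAttribute", "sslEnabled", "updateCRLsFromDistributionPoint",
    "matchCertificateToCRL", "ldapSearchStartDN", "crlMatchingCertificateAttribute",
    "mtlsEnabled", "ocspValidationEnabled", "matchCertificateInLdap",
)
# Identifier: only a-z A-Z 0-9 and '.', and it may not start or end with '.'.
LABEL_ID_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.]*[A-Za-z0-9])?$")
# "ldap_server:port"; the schema only gives the shape, this regex is an assumption.
HOST_PORT_RE = re.compile(r"^[^\s|:]+:\d{1,5}$")
LABEL_TEMPLATE = "am.authentication.nodes.certificate.validation.mtls.{}.cert"


def secret_label(identifier):
    """Secret label AM derives from the mTLS Secret Label Identifier."""
    if not LABEL_ID_RE.match(identifier or ""):
        raise ValueError("invalid mTLS Secret Label Identifier: %r" % identifier)
    return LABEL_TEMPLATE.format(identifier)


def check_body(body):
    """Return the list of problems found; an empty list means the body passes."""
    problems = ["missing required key " + k for k in REQUIRED if k not in body]
    for entry in body.get("certificateLdapServers", []):
        # Either "host:port" or "local server name | host:port".
        target = entry.split("|", 1)[-1].strip()
        if not HOST_PORT_RE.match(target):
            problems.append("bad certificateLdapServers entry %r" % entry)
    start_dns = body.get("ldapSearchStartDN", [])
    if len(start_dns) > 1 and any("|" not in e for e in start_dns):
        problems.append("multiple ldapSearchStartDN entries must use 'local server name | base dn'")
    if body.get("mtlsEnabled"):
        if not body.get("sslEnabled"):
            problems.append("mtlsEnabled requires sslEnabled=true")
        try:
            secret_label(body.get("mtlsSecretLabel"))
        except ValueError as exc:
            problems.append(str(exc))
    elif body.get("userBindPassword") and not body.get("sslEnabled"):
        # Not a schema rule: a bind password over plaintext LDAP is an exposure.
        problems.append("userBindPassword with sslEnabled=false sends the bind over plaintext LDAP")
    if body.get("updateCRLsFromDistributionPoint") and not body.get("matchCertificateToCRL"):
        # The schema says the update is only used when CA CRL checking is enabled;
        # this example reads that as matchCertificateToCRL (assumption).
        problems.append("updateCRLsFromDistributionPoint has no effect unless matchCertificateToCRL is true")
    return problems


def hardened_body(identifier, ldap_servers, base_dn):
    """Constructed body: mTLS to the directory, expiry, CRL and OCSP checks all on."""
    return {
        "matchCertificateInLdap": True,
        "checkCertificateExpiry": True,
        "ldapCertificateAttribute": "CN",
        "matchCertificateToCRL": True,
        "crlMatchingCertificateAttribute": "CN",
        "crlHttpParameters": "",
        "cacheCRLsInMemory": True,
        "updateCRLsFromDistributionPoint": True,
        "ocspValidationEnabled": True,
        "certificateLdapServers": list(ldap_servers),
        "ldapSearchStartDN": [base_dn],
        "mtlsEnabled": True,
        "mtlsSecretLabel": identifier,
        "sslEnabled": True,
    }


def amster_body(body):
    """Single-line JSON suitable for --body; raises if the checks fail."""
    problems = check_body(body)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    # Sample server, base DN and identifier are constructed for this example.
    body = hardened_body("prod.certs", ["ds.example.com:1636"], "ou=certs,dc=example,dc=com")
    print(secret_label("prod.certs"))
    print(amster_body(body))
    print(check_body(dict(body, sslEnabled=False, mtlsSecretLabel=".bad")))
```

Run the checks before the create, map the printed secret label to the mTLS client certificate alias in the realm secret store, and only then pass the JSON to `am> create CertificateValidationNode --realm Realm --id id --body body`; a body that passes the schema but has mtlsEnabled without a mapped label fails at runtime, not at create time.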
delete
Usage
am> delete CertificateValidationNode --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action CertificateValidationNode --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action CertificateValidationNode --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action CertificateValidationNode --realm Realm --body body --actionName listOutcomes
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action CertificateValidationNode --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports _queryFilter=true
filter.
Usage
am> query CertificateValidationNode --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read CertificateValidationNode --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update CertificateValidationNode --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "mtlsSecretLabel" : { "title" : "mTLS Secret Label Identifier", "description" : "Label identifier used to create a secret label for mapping to the mTLS certificate in the secret store. <br> AM uses this identifier to create a specific secret label for this node. The secret label takes the form <code>am.authentication.nodes.certificate.validation.mtls.{{identifier}}.cert</code> where {{identifier}} is the value of mTLS Secret Label Identifier. The label identifier can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}.", "propertyOrder" : 1350, "type" : "string", "exampleValue" : "" }, "certificateLdapServers" : { "title" : "LDAP Server Where Certificates are Stored", "description" : "Use this list to set the LDAP server used to search for certificates.<br><br>The Certificate authentication node will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br><code>ldap_server:port</code><br><br>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br><code>local server name | server:port</code><br><br>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 1000, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "checkCertificateExpiry" : { "title" : "Check Certificate Expiration", "description" : "Check to see if the certificate is expired.", "propertyOrder" : 200, "type" : "boolean", "exampleValue" : "" }, "cacheCRLsInMemory" : { "title" : "Cache CRLs in Memory", "description" : "The CRLs will be cached in memory.", "propertyOrder" : 700, "type" : "boolean", "exampleValue" : "" }, "userBindDN" : { "title" : "LDAP Server Authentication User", "description" : "DN of the user used by the node to authenticate to the LDAP server.<br><br>The Certificate node authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server. If mTLS is enabled, this attribute is ignored.", "propertyOrder" : 1200, "type" : "string", "exampleValue" : "" }, "ldapCertificateAttribute" : { "title" : "Subject DN Attribute Used to Search LDAP for Certificates", "description" : "This is the attribute used to search the directory for the certificate.<br><br>The Certificate node will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.", "propertyOrder" : 300, "type" : "string", "exampleValue" : "" }, "sslEnabled" : { "title" : "Use SSL/TLS for LDAP Access", "description" : "The certificate node will use SSL/TLS to access the LDAP server.", "propertyOrder" : 1400, "type" : "boolean", "exampleValue" : "" }, "crlHttpParameters" : { "title" : "HTTP Parameters for CRL Update", "description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority.<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allows custom HTTP parameters to be included in the CRL request.<br><br>The format of the parameter is as follows:<br><code>param1=value1,param2=value2</code>", "propertyOrder" : 600, "type" : "string", "exampleValue" : "" }, "updateCRLsFromDistributionPoint" : { "title" : "Update CA CRLs from CRLDistributionPoint", "description" : "Fetch new CA CRLs from the CRLDistributionPoint and update them in the Directory Server.<br><br>If the CA certificate includes an IssuingDistributionPoint or has a CRLDistributionPoint extension set, OpenAM tries to update the CRLs if needed (i.e. the CRL is out-of-date).<br>This property controls whether the update should be performed.<br>This property is only used if CA CRL checking is enabled.", "propertyOrder" : 800, "type" : "boolean", "exampleValue" : "" }, "matchCertificateToCRL" : { "title" : "Match Certificate to CRL", "description" : "The Client Certificate will be checked against the Certificate Revocation List held in the directory.<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.", "propertyOrder" : 400, "type" : "boolean", "exampleValue" : "" }, "ldapSearchStartDN" : { "title" : "LDAP Search Start or Base DN", "description" : "The start point in the LDAP server for the certificate and CRL search.<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br><code>local server name | base dn</code><br><br>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 1100, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "userBindPassword" : { "title" : "LDAP Server Authentication Password", "description" : "The password for the authentication user. If mTLS is enabled, this attribute is ignored.", "propertyOrder" : 1300, "type" : "string", "format" : "password", "exampleValue" : "" }, "crlMatchingCertificateAttribute" : { "title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs", "description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap search filter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN), e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456', attribute name specified is 'CN', search filter used will be <code>(CN=Some CA)</code>.<br><br>If several attribute names are specified, they have to be separated by commas. The resulting ldap search filter value will be a comma separated list of name attribute values, and the search attribute will be cn, e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456', attribute names specified are 'CN, serialNumber', search filter used will be <code>cn=CN=Some CA,serialNumber=123456</code>. The order of the values of the attribute names matters as they must match the value of the cn attribute of a crlDistributionPoint entry in the directory server.", "propertyOrder" : 500, "type" : "string", "exampleValue" : "" }, "mtlsEnabled" : { "title" : "mTLS Enabled", "description" : "Enables mTLS (mutual TLS) between AM and this store. When mTLS is enabled:<ul><li>Set SSL enabled to <code>true</code>.</li><li>The values for <code>LDAP Server Authentication User</code> and <code>LDAP Server Authentication Password</code> are ignored.</li><li>You must provide an <code>mTLS Secret Label Identifier</code>.</li></ul>Instructions for setting up certificates and keystore mappings are in the product documentation.", "propertyOrder" : 1325, "type" : "boolean", "exampleValue" : "" }, "ocspValidationEnabled" : { "title" : "OCSP Validation", "description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates.<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br><br>The OpenAM server must have Internet connectivity for OCSP to work.", "propertyOrder" : 900, "type" : "boolean", "exampleValue" : "" }, "matchCertificateInLdap" : { "title" : "Match Certificate in LDAP", "description" : "The client certificate must exist in the directory for the authentication to be successful.", "propertyOrder" : 100, "type" : "boolean", "exampleValue" : "" } }, "required" : [ "certificateLdapServers", "checkCertificateExpiry", "cacheCRLsInMemory", "ldapCertificateAttribute", "sslEnabled", "updateCRLsFromDistributionPoint", "matchCertificateToCRL", "ldapSearchStartDN", "crlMatchingCertificateAttribute", "mtlsEnabled", "ocspValidationEnabled", "matchCertificateInLdap" ] }
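The crlMatchingCertificateAttribute description above is the one place the schema spells out how the node builds its LDAP search: one attribute name gives (attr=value), several names give a comma-separated list of attr=value pairs matched against the cn of a crlDistributionPoint entry, in the configured order. The function below is an added example, not AM's own implementation, which this page does not show; it reproduces the two worked cases from the description so you can predict the filter for your CA's Subject DN before provisioning the CRL entries. The DN parser is a minimal assumption of this example (it handles backslash-escaped commas only) and does not apply RFC 4515 filter escaping, which the description does not mention.

```python
"""How the Certificate Validation node turns the CA certificate's Subject DN and
the configured 'Issuer DN Attribute(s) Used to Search LDAP for CRLs' into an LDAP
search filter, following the description in the schema.  Added example, not AM
code; the DN parser is an assumption that covers the cases shown on the page."""
import re


def parse_dn(dn):
    """Split 'C=US, CN=Some CA, serialNumber=123456' into [(type, value), ...].
    Only backslash-escaped commas are handled; other RFC 4514 escapes are not."""
    parts = re.split(r"(?<!\\),", dn)
    out = []
    for rdn in parts:
        attr_type, _, value = rdn.strip().partition("=")
        out.append((attr_type.strip(), value.strip().replace("\\,", ",")))
    return out


def dn_value(dn, attr):
    """Case-insensitive lookup of an attribute type's value in a DN."""
    for attr_type, value in parse_dn(dn):
        if attr_type.lower() == attr.lower():
            return value
    raise KeyError("attribute %s not present in DN %r" % (attr, dn))


def crl_search_filter(issuer_dn, configured_attrs):
    """Filter the node uses for the CRL lookup.
    One name:  (attr=value)
    Several:   cn=attr1=value1,attr2=value2   (order as configured)"""
    names = [n.strip() for n in configured_attrs.split(",") if n.strip()]
    if not names:
        raise ValueError("no attribute names configured")
    if len(names) == 1:
        return "(%s=%s)" % (names[0], dn_value(issuer_dn, names[0]))
    joined = ",".join("%s=%s" % (n, dn_value(issuer_dn, n)) for n in names)
    return "cn=%s" % joined


if __name__ == "__main__":
    # Subject DN and attribute names are the ones the schema description uses.
    issuer = "C=US, CN=Some CA, serialNumber=123456"
    print(crl_search_filter(issuer, "CN"))
    print(crl_search_filter(issuer, "CN, serialNumber"))
```

The multi-attribute form means the cn of the crlDistributionPoint entry in the directory must be the literal string "CN=Some CA,serialNumber=123456"; if you provision it with a different attribute order, or with spaces after the commas, the lookup silently finds nothing and, with matchCertificateToCRL enabled, the client certificate is not checked against any CRL. Values containing filter metacharacters such as "(", ")", "*" or "\" would need RFC 4515 escaping in a real filter; how the node handles those is not stated on this page.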
ChoiceCollector
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/ChoiceCollectorNode
Resource version: 2.0
create
Usage
am> create ChoiceCollector --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaultChoice" : { "title" : "Default Choice", "description" : "The default selected choice value.", "propertyOrder" : 200, "type" : "string", "exampleValue" : "" }, "choices" : { "title" : "Choices", "description" : "List of values that represents the choices for the user.", "propertyOrder" : 100, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "prompt" : { "title" : "Prompt", "description" : "Prompt displayed on the choice page.", "propertyOrder" : 300, "type" : "string", "exampleValue" : "" } }, "required" : [ "defaultChoice", "choices", "prompt" ] }
delete
Usage
am> delete ChoiceCollector --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action ChoiceCollector --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action ChoiceCollector --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action ChoiceCollector --realm Realm --body body --actionName listOutcomes
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action ChoiceCollector --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports _queryFilter=true
filter.
Usage
am> query ChoiceCollector --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read ChoiceCollector --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update ChoiceCollector --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaultChoice" : { "title" : "Default Choice", "description" : "The default selected choice value.", "propertyOrder" : 200, "type" : "string", "exampleValue" : "" }, "choices" : { "title" : "Choices", "description" : "List of values that represents the choices for the user.", "propertyOrder" : 100, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "prompt" : { "title" : "Prompt", "description" : "Prompt displayed on the choice page.", "propertyOrder" : 300, "type" : "string", "exampleValue" : "" } }, "required" : [ "defaultChoice", "choices", "prompt" ] }
CircleOfTrust
Realm Operations
Resource path:
/realm-config/federation/circlesoftrust
Resource version: 2.0
create
Usage
am> create CircleOfTrust --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "description" : { "title" : "Description", "description" : "", "propertyOrder" : 100, "required" : false, "type" : "string", "exampleValue" : "" }, "trustedProviders" : { "title" : "Entity Providers", "description" : "Minimum requirements for a circle of trust are one identity provider and one service provider.", "propertyOrder" : 300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "status" : { "title" : "Status", "description" : "", "propertyOrder" : 200, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2WriterServiceUrl" : { "title" : "SAML2 Writer Service URL", "description" : "Location of the SAML2 Writer service that writes the cookie to the Common Domain.", "propertyOrder" : 400, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2ReaderServiceUrl" : { "title" : "SAML2 Reader Service URL", "description" : "Location of the SAML2 Reader service that reads the cookie from the Common Domain.", "propertyOrder" : 500, "required" : false, "type" : "string", "exampleValue" : "" } } }
delete
Usage
am> delete CircleOfTrust --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
query
Get the full list of instances of this collection. This query only supports _queryFilter=true
filter.
Usage
am> query CircleOfTrust --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read CircleOfTrust --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update CircleOfTrust --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "description" : { "title" : "Description", "description" : "", "propertyOrder" : 100, "required" : false, "type" : "string", "exampleValue" : "" }, "trustedProviders" : { "title" : "Entity Providers", "description" : "Minimum requirements for a circle of trust are one identity provider and one service provider.", "propertyOrder" : 300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "status" : { "title" : "Status", "description" : "", "propertyOrder" : 200, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2WriterServiceUrl" : { "title" : "SAML2 Writer Service URL", "description" : "Location of the SAML2 Writer service that writes the cookie to the Common Domain.", "propertyOrder" : 400, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2ReaderServiceUrl" : { "title" : "SAML2 Reader Service URL", "description" : "Location of the SAML2 Reader service that reads the cookie from the Common Domain.", "propertyOrder" : 500, "required" : false, "type" : "string", "exampleValue" : "" } } }
ClientConfigurationForAmazon
Realm Operations
Resource path:
/realm-config/services/SocialIdentityProviders/amazonConfig
Resource version: 2.0
create
Usage
am> create ClientConfigurationForAmazon --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "jwtEncryptionMethod" : { "title" : "JWT Encryption Method", "description" : "The encryption method to use when encrypting the client assertion and request object JWT sent to the social provider.", "propertyOrder" : 2100, "required" : true, "type" : "string", "exampleValue" : "" }, "scopeDelimiter" : { "title" : "Scope Delimiter", "description" : "The delimiter used by an auth server to separate scopes.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "authorizationEndpoint" : { "title" : "Authentication Endpoint URL", "description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "https://www.amazon.com/ap/oa" }, "transform" : { "title" : "Transform Script", "description" : "A script that takes the raw profile object as input and outputs the normalized profile object.", "propertyOrder" : 10000, "required" : true, "type" : "string", "exampleValue" : "" }, "clientId" : { "title" : "Client ID", "description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "scopes" : { "title" : "OAuth Scopes", "description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "profile" }, "clientSecret" : { "title" : "Client Secret", "description" : "OAuth client_secret parameter <p>For more information on the OAuth client_secret parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1. This property is deprecated. Use the Client Secret Label Identifier instead. AM ignores the Client Secret if you set a Client Secret Label Identifier.", "propertyOrder" : 300, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "issuerComparisonCheckType" : { "title" : "Issuer comparison check", "description" : "Controls whether the comparison of the expected issuer value in IdToken matches the actual value of the \"iss\" claim. EXACT performs a spec compliant exact string comparison. REGEX takes the expected issuer value as a regular expression and performs a regular expression evaluation to determine if the actual issuer value is a match. If using the REGEX comparison take care in what the regular expression will allow and the performance characteristics of the provided regex.", "propertyOrder" : 10001, "required" : true, "type" : "string", "exampleValue" : "" }, "privateKeyJwtExpTime" : { "title" : "Private Key JWT Expiration Time (seconds)", "description" : "The expiration time on or after which the private key JWT must not be accepted for processing.", "propertyOrder" : 2200, "required" : true, "type" : "integer", "exampleValue" : "" }, "useCustomTrustStore" : { "title" : "Use Custom TrustStore", "description" : "Indicates whether a custom TrustStore should be used to verify the server certificate of the OP's well known endpoint/JWKs URI in a TLS handshake.<p> If enabled a Secret label would be generated using the name of this client configuration.<p> For example, if the name of this client configuration is sampleOidcConfig, a secret label 'am.services.oidc.reliant.party.sampleOidcConfig.truststore' will be generated and available for mapping to an alias on the realm secret stores. The administrator has to make sure that a secret mapping is configured for this to work. If this flag is disabled, the verification of the server certificate is done using the default TrustStore.", "propertyOrder" : 2900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "jwtSigningAlgorithm" : { "title" : "JWT Signing Algorithm", "description" : "The signing algorithm to use when signing the client assertion and request object JWT sent to the social provider.", "propertyOrder" : 1900, "required" : true, "type" : "string", "exampleValue" : "" }, "introspectEndpoint" : { "title" : "Token Introspection Endpoint URL", "description" : "OAuth Token Introspection endpoint URL. This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to the RFC 7662 (http://tools.ietf.org/html/rfc7662).", "propertyOrder" : 650, "required" : true, "type" : "string", "exampleValue" : "" }, "clientSecretLabelIdentifier" : { "title" : "Client Secret Label Identifier", "description" : "Identifier used to create a secret label for mapping to a secret in the secret store. <br>AM uses this identifier to create a specific secret label for this service instance. The secret label takes the form <code>am.social.providers.{{identifier}}.secret</code> where {{identifier}} is the value of Client Secret Label Identifier. The identifier can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}. If you set a Client Secret Label Identifier and AM finds a matching secret in a secret store, the Client Secret is ignored.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" }, "tokenEndpoint" : { "title" : "Access Token Endpoint URL", "description" : "OAuth access token endpoint URL. This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "https://api.amazon.com/auth/o2/token" }, "userInfoEndpoint" : { "title" : "User Profile Service URL", "description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. NB: this URL should return JSON objects in response.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "https://api.amazon.com/user/profile" }, "redirectURI" : { "title" : "Redirect URL", "description" : "", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationIdKey" : { "title" : "Auth ID Key", "description" : "Field used to identify a user by the social provider.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "user_id" }, "enabled" : { "title" : "Enabled", "description" : "", "propertyOrder" : 1, "required" : true, "type" : "boolean", "exampleValue" : "" }, "clientAuthenticationMethod" : { "title" : "Client Authentication Method", "description" : "Field used to define how the client would be identified by the social provider.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtEncryptionAlgorithm" : { "title" : "JWT Encryption Algorithm", "description" : "The encryption algorithm to use when encrypting the client assertion and request object JWT sent to the social provider.", "propertyOrder" : 2000, "required" : true, "type" : "string", "exampleValue" : "" }, "uiConfig" : { "title" : "UI Config Properties", "description" : "Mapping of display properties to be defined and consumed by the UI.", "propertyOrder" : 9999, "required" : true, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "revocationCheckOptions" : { "title" : "Certificate Revocation Checking Options", "description" : "The option(s) that will be used by the TLS certificate revocation checking mechanism. <p> Including DISABLE_REVOCATION_CHECKING in the options will prevent any revocation checking. <p> If no options are selected the default behaviour is that it enables revocation checking with SOFT_FAIL. <p> If the certificate doesn't specify any OCSP/CRL endpoints, then the revocation checking will hard fail, even if the SOFT_FAIL option is enabled. An option in this case is for admins to disable revocation checking. <p> The revocation options follow the revocation checking mechanism as mentioned in https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/cert/PKIXRevocationChecker.Option.html", "propertyOrder" : 2700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "responseMode" : { "title" : "Response Mode", "description" : "Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.", "propertyOrder" : 2500, "required" : true, "type" : "string", "exampleValue" : "" }, "pkceMethod" : { "title" : "PKCE Method", "description" : "The PKCE transformation method to use when making requests to the authorization endpoint.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "redirectAfterFormPostURI" : { "title" : "Redirect after form post URL", "description" : "Specify URL to redirect the form post parameters to.", "propertyOrder" : 710, "required" : true, "type" : "string", "exampleValue" : "" }, "jwksUriEndpoint" : { "title" : "JWKS URI Endpoint", "description" : "The JWKS URL endpoint for the RP to use when encrypting or validating", "propertyOrder" : 1800, "required" : true, "type" : "string", "exampleValue" : "" } } }
delete
Usage
am> delete ClientConfigurationForAmazon --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action ClientConfigurationForAmazon --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action ClientConfigurationForAmazon --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action ClientConfigurationForAmazon --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query ClientConfigurationForAmazon --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read ClientConfigurationForAmazon --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update ClientConfigurationForAmazon --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : {
  "jwtEncryptionMethod" : { "title" : "JWT Encryption Method", "description" : "The encryption method to use when encrypting the client assertion and request object JWT sent to the social provider.", "propertyOrder" : 2100, "required" : true, "type" : "string", "exampleValue" : "" },
  "scopeDelimiter" : { "title" : "Scope Delimiter", "description" : "The delimiter used by the authorization server to separate scopes.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" },
  "authorizationEndpoint" : { "title" : "Authentication Endpoint URL", "description" : "OAuth authorization endpoint URL. This is the authorization endpoint (RFC 6749, section 3.1) provided by the OAuth Identity Provider.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "https://www.amazon.com/ap/oa" },
  "transform" : { "title" : "Transform Script", "description" : "A script that takes the raw profile object as input and outputs the normalized profile object.", "propertyOrder" : 10000, "required" : true, "type" : "string", "exampleValue" : "" },
  "clientId" : { "title" : "Client ID", "description" : "OAuth client_id parameter. For more information on the OAuth client_id parameter, refer to RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" },
  "scopes" : { "title" : "OAuth Scopes", "description" : "List of scopes (user profile properties) that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "profile" },
  "clientSecret" : { "title" : "Client Secret", "description" : "OAuth client_secret parameter. For more information on the OAuth client_secret parameter, refer to RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1. This property is deprecated. Use the Client Secret Label Identifier instead. AM ignores the Client Secret if you set a Client Secret Label Identifier.", "propertyOrder" : 300, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" },
  "issuerComparisonCheckType" : { "title" : "Issuer comparison check", "description" : "Controls how the expected issuer value is compared with the actual value of the \"iss\" claim in the ID token. EXACT performs a spec-compliant exact string comparison. REGEX treats the expected issuer value as a regular expression and evaluates it against the actual issuer value to determine whether it matches. If using the REGEX comparison, take care over what the regular expression will allow and over the performance characteristics of the provided regex.", "propertyOrder" : 10001, "required" : true, "type" : "string", "exampleValue" : "" },
  "privateKeyJwtExpTime" : { "title" : "Private Key JWT Expiration Time (seconds)", "description" : "The expiration time on or after which the private key JWT must not be accepted for processing.", "propertyOrder" : 2200, "required" : true, "type" : "integer", "exampleValue" : "" },
  "useCustomTrustStore" : { "title" : "Use Custom TrustStore", "description" : "Indicates whether a custom TrustStore should be used to verify the server certificate of the OP's well-known endpoint/JWKS URI in a TLS handshake. If enabled, a secret label is generated using the name of this client configuration. For example, if the name of this client configuration is sampleOidcConfig, the secret label 'am.services.oidc.reliant.party.sampleOidcConfig.truststore' will be generated and available for mapping to an alias on the realm secret stores. The administrator has to make sure that a secret mapping is configured for this to work. If this flag is disabled, the server certificate is verified using the default TrustStore.", "propertyOrder" : 2900, "required" : true, "type" : "boolean", "exampleValue" : "" },
  "jwtSigningAlgorithm" : { "title" : "JWT Signing Algorithm", "description" : "The signing algorithm to use when signing the client assertion and request object JWT sent to the social provider.", "propertyOrder" : 1900, "required" : true, "type" : "string", "exampleValue" : "" },
  "introspectEndpoint" : { "title" : "Token Introspection Endpoint URL", "description" : "OAuth token introspection endpoint URL. This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662 (http://tools.ietf.org/html/rfc7662).", "propertyOrder" : 650, "required" : true, "type" : "string", "exampleValue" : "" },
  "clientSecretLabelIdentifier" : { "title" : "Client Secret Label Identifier", "description" : "Identifier used to create a secret label for mapping to a secret in the secret store. AM uses this identifier to create a specific secret label for this service instance. The secret label takes the form am.social.providers.{{identifier}}.secret, where {{identifier}} is the value of Client Secret Label Identifier. The identifier can only contain the characters a-z, A-Z, 0-9 and '.', and cannot start or end with '.'. If you set a Client Secret Label Identifier and AM finds a matching secret in a secret store, the Client Secret is ignored.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" },
  "tokenEndpoint" : { "title" : "Access Token Endpoint URL", "description" : "OAuth access token endpoint URL. This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "https://api.amazon.com/auth/o2/token" },
  "userInfoEndpoint" : { "title" : "User Profile Service URL", "description" : "User profile information URL. This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. NB: this URL should return JSON objects in response.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "https://api.amazon.com/user/profile" },
  "redirectURI" : { "title" : "Redirect URL", "description" : "", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" },
  "authenticationIdKey" : { "title" : "Auth ID Key", "description" : "Field used to identify a user by the social provider.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "user_id" },
  "enabled" : { "title" : "Enabled", "description" : "", "propertyOrder" : 1, "required" : true, "type" : "boolean", "exampleValue" : "" },
  "clientAuthenticationMethod" : { "title" : "Client Authentication Method", "description" : "Field used to define how the client is identified by the social provider.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" },
  "jwtEncryptionAlgorithm" : { "title" : "JWT Encryption Algorithm", "description" : "The encryption algorithm to use when encrypting the client assertion and request object JWT sent to the social provider.", "propertyOrder" : 2000, "required" : true, "type" : "string", "exampleValue" : "" },
  "uiConfig" : { "title" : "UI Config Properties", "description" : "Mapping of display properties to be defined and consumed by the UI.", "propertyOrder" : 9999, "required" : true, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" },
  "revocationCheckOptions" : { "title" : "Certificate Revocation Checking Options", "description" : "The option(s) used by the TLS certificate revocation checking mechanism. Including DISABLE_REVOCATION_CHECKING in the options prevents any revocation checking. If no options are selected, the default behaviour is to enable revocation checking with SOFT_FAIL. If the certificate doesn't specify any OCSP/CRL endpoints, revocation checking will hard fail even if the SOFT_FAIL option is enabled; an option in this case is for admins to disable revocation checking. The revocation options follow the revocation checking mechanism described at https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/cert/PKIXRevocationChecker.Option.html", "propertyOrder" : 2700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
  "responseMode" : { "title" : "Response Mode", "description" : "Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.", "propertyOrder" : 2500, "required" : true, "type" : "string", "exampleValue" : "" },
  "pkceMethod" : { "title" : "PKCE Method", "description" : "The PKCE transformation method to use when making requests to the authorization endpoint.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" },
  "redirectAfterFormPostURI" : { "title" : "Redirect after form post URL", "description" : "Specify the URL to redirect the form post parameters to.", "propertyOrder" : 710, "required" : true, "type" : "string", "exampleValue" : "" },
  "jwksUriEndpoint" : { "title" : "JWKS URI Endpoint", "description" : "The JWKS URL endpoint for the RP to use when encrypting or validating", "propertyOrder" : 1800, "required" : true, "type" : "string", "exampleValue" : "" }
} }
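Several of the properties above interact in ways the schema itself cannot express: a Client Secret Label Identifier has to be well-formed before AM can derive the am.social.providers.{{identifier}}.secret label, a deprecated clientSecret left in the body is silently ignored once that label resolves, an empty revocationCheckOptions array silently means SOFT_FAIL, and a custom truststore only works once the generated label is mapped. The following Python pre-flight check is an added example, not Amster or AM code; it lints a body before it is passed to create or update. Its rules restate the schema descriptions on this page, with two exceptions that are the author's own hardening assumptions rather than schema constraints: pkceMethod is expected to be S256 (the page does not enumerate the PKCE values), and every endpoint must be https. The two sample bodies are constructed, reusing the page's example endpoint values.

```python
"""Pre-flight lint for a social identity provider client configuration body
before it is passed to `create`/`update ClientConfigurationForAmazon --body`.

Added example, not Amster or AM code. Rules restate the schema descriptions;
the S256 and https rules are the author's hardening assumptions.
"""
import re

# Allowed identifier characters per the schema: a-z A-Z 0-9 and ".",
# and the identifier must not start or end with ".".
LABEL_ID_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.]*[A-Za-z0-9])?")

ENDPOINT_KEYS = (
    "authorizationEndpoint", "tokenEndpoint", "userInfoEndpoint",
    "introspectEndpoint", "jwksUriEndpoint", "wellKnownEndpoint",
    "redirectURI", "redirectAfterFormPostURI",
)


def secret_label(identifier):
    """Secret label AM derives from the Client Secret Label Identifier."""
    if not LABEL_ID_RE.fullmatch(identifier):
        raise ValueError("invalid Client Secret Label Identifier: %r" % identifier)
    return "am.social.providers.%s.secret" % identifier


def truststore_label(config_id):
    """Label AM generates from the configuration name when useCustomTrustStore is on."""
    return "am.services.oidc.reliant.party.%s.truststore" % config_id


def check_body(config_id, body):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []

    label_id = body.get("clientSecretLabelIdentifier") or ""
    if label_id:
        if LABEL_ID_RE.fullmatch(label_id):
            if body.get("clientSecret"):
                findings.append(("warn", "clientSecret is ignored once %s resolves in a "
                                 "secret store; remove it from the body" % secret_label(label_id)))
        else:
            findings.append(("error", "invalid Client Secret Label Identifier: %r" % label_id))
    elif body.get("clientSecret"):
        findings.append(("warn", "clientSecret is deprecated; set clientSecretLabelIdentifier "
                         "and map the secret in a realm secret store"))

    opts = body.get("revocationCheckOptions") or []
    if "DISABLE_REVOCATION_CHECKING" in opts:
        findings.append(("warn", "TLS certificate revocation checking is disabled"))
    elif not opts:
        findings.append(("info", "no revocationCheckOptions: AM checks revocation with SOFT_FAIL, "
                         "but hard-fails if the certificate lists no OCSP/CRL endpoint"))

    # Assumption: S256 is the PKCE transformation to expect.
    if body.get("pkceMethod") != "S256":
        findings.append(("warn", "pkceMethod is %r, expected S256" % body.get("pkceMethod")))

    if body.get("issuerComparisonCheckType") == "REGEX":
        findings.append(("warn", "issuer is compared by regex; prefer EXACT unless the "
                         "pattern has been reviewed"))

    if body.get("useCustomTrustStore"):
        findings.append(("info", "map secret label %s to a truststore alias in the realm "
                         "secret stores" % truststore_label(config_id)))

    # Assumption (hardening, not a schema rule): every endpoint must be https.
    for key in ENDPOINT_KEYS:
        url = body.get(key)
        if url and not url.startswith("https://"):
            findings.append(("error", "%s is not https: %s" % (key, url)))

    return findings


# Constructed sample bodies; endpoint values are this page's exampleValues.
WEAK_BODY = {
    "enabled": True,
    "clientId": "amzn1.application-oa2-client.example",
    "clientSecret": "plaintext-secret-in-config",
    "clientSecretLabelIdentifier": "amazon.prod",
    "authorizationEndpoint": "https://www.amazon.com/ap/oa",
    "tokenEndpoint": "https://api.amazon.com/auth/o2/token",
    "userInfoEndpoint": "http://api.amazon.com/user/profile",
    "redirectURI": "https://am.example.com/am",
    "authenticationIdKey": "user_id",
    "scopes": ["profile"],
    "pkceMethod": "NONE",
    "revocationCheckOptions": ["DISABLE_REVOCATION_CHECKING"],
    "issuerComparisonCheckType": "REGEX",
}

HARDENED_BODY = {k: v for k, v in WEAK_BODY.items() if k != "clientSecret"}
HARDENED_BODY.update({
    "userInfoEndpoint": "https://api.amazon.com/user/profile",
    "pkceMethod": "S256",
    # A Java PKIX option without SOFT_FAIL: revocation failures are fatal.
    "revocationCheckOptions": ["ONLY_END_ENTITY"],
    "issuerComparisonCheckType": "EXACT",
})

if __name__ == "__main__":
    for name, body in (("weak", WEAK_BODY), ("hardened", HARDENED_BODY)):
        print(name, secret_label(body["clientSecretLabelIdentifier"]))
        for severity, message in check_body("amazon", body):
            print("  %-5s %s" % (severity, message))
```

Run it against a body before the update call; the hardened body produces no findings, and the secret_label value is the label to map in the realm secret store before the configuration is enabled.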
ClientConfigurationForApple
Realm Operations
Resource path:
/realm-config/services/SocialIdentityProviders/appleConfig
Resource version: 2.0
create
Usage
am> create ClientConfigurationForApple --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : {
  "issuerComparisonCheckType" : { "title" : "Issuer comparison check", "description" : "Controls how the expected issuer value is compared with the actual value of the \"iss\" claim in the ID token. EXACT performs a spec-compliant exact string comparison. REGEX treats the expected issuer value as a regular expression and evaluates it against the actual issuer value to determine whether it matches. If using the REGEX comparison, take care over what the regular expression will allow and over the performance characteristics of the provided regex.", "propertyOrder" : 10001, "required" : true, "type" : "string", "exampleValue" : "" },
  "introspectEndpoint" : { "title" : "Token Introspection Endpoint URL", "description" : "OAuth token introspection endpoint URL. This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662 (http://tools.ietf.org/html/rfc7662).", "propertyOrder" : 650, "required" : true, "type" : "string", "exampleValue" : "" },
  "tokenEndpoint" : { "title" : "Access Token Endpoint URL", "description" : "OAuth access token endpoint URL. This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "https://appleid.apple.com/auth/token" },
  "jwksUriEndpoint" : { "title" : "JWKS URI Endpoint", "description" : "The JWKS URL endpoint for the RP to use when encrypting or validating", "propertyOrder" : 1800, "required" : true, "type" : "string", "exampleValue" : "" },
  "transform" : { "title" : "Transform Script", "description" : "A script that takes the raw profile object as input and outputs the normalized profile object.", "propertyOrder" : 10000, "required" : true, "type" : "string", "exampleValue" : "" },
  "scopes" : { "title" : "OAuth Scopes", "description" : "List of scopes (user profile properties) that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "name, email" },
  "userInfoEndpoint" : { "title" : "User Profile Service URL", "description" : "User profile information URL. This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. NB: this URL should return JSON objects in response.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" },
  "acrValues" : { "title" : "ACR Values", "description" : "The acr values that the Authorization Server is requested to use for processing this Authentication Request, in order of preference; sent as a space-separated string.", "propertyOrder" : 1150, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
  "clientSecretLabelIdentifier" : { "title" : "Client Secret Label Identifier", "description" : "Identifier used to create a secret label for mapping to a secret in the secret store. AM uses this identifier to create a specific secret label for this service instance. The secret label takes the form am.social.providers.{{identifier}}.secret, where {{identifier}} is the value of Client Secret Label Identifier. The identifier can only contain the characters a-z, A-Z, 0-9 and '.', and cannot start or end with '.'. If you set a Client Secret Label Identifier and AM finds a matching secret in a secret store, the Client Secret is ignored.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" },
  "jwtEncryptionMethod" : { "title" : "JWT Encryption Method", "description" : "The encryption method to use when encrypting the client assertion and request object JWT sent to the social provider.", "propertyOrder" : 2100, "required" : true, "type" : "string", "exampleValue" : "" },
  "jwtSigningAlgorithm" : { "title" : "JWT Signing Algorithm", "description" : "The signing algorithm to use when signing the client assertion and request object JWT sent to the social provider.", "propertyOrder" : 1900, "required" : true, "type" : "string", "exampleValue" : "" },
  "claims" : { "title" : "Claims", "description" : "Claims on the request object, in JSON format. Must conform to the claims request parameter definition in the OpenID Connect specification, section 5.5.", "propertyOrder" : 1810, "required" : true, "type" : "string", "format" : "textarea", "exampleValue" : "" },
  "jwtEncryptionAlgorithm" : { "title" : "JWT Encryption Algorithm", "description" : "The encryption algorithm to use when encrypting the client assertion and request object JWT sent to the social provider.", "propertyOrder" : 2000, "required" : true, "type" : "string", "exampleValue" : "" },
  "scopeDelimiter" : { "title" : "Scope Delimiter", "description" : "The delimiter used by the authorization server to separate scopes.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" },
  "userInfoResponseType" : { "title" : "User Info Response Format", "description" : "The expected format of UserInfo responses. Dictates how AM will process the response. The expected format must match the actual format.", "propertyOrder" : 1710, "required" : true, "type" : "string", "exampleValue" : "" },
  "uiConfig" : { "title" : "UI Config Properties", "description" : "Mapping of display properties to be defined and consumed by the UI.", "propertyOrder" : 9999, "required" : true, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" },
  "requestObjectAudience" : { "title" : "Request Object Audience", "description" : "The intended audience of the request object. If unspecified, the issuer value will be used.", "propertyOrder" : 1410, "required" : true, "type" : "string", "exampleValue" : "" },
  "clientId" : { "title" : "Client ID", "description" : "OAuth client_id parameter. For more information on the OAuth client_id parameter, refer to RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" },
  "redirectAfterFormPostURI" : { "title" : "Redirect after form post URL", "description" : "Specify the URL to redirect the form post parameters to.", "propertyOrder" : 710, "required" : true, "type" : "string", "exampleValue" : "" },
  "encryptJwtRequestParameter" : { "title" : "Encrypt Request Parameter JWT", "description" : "Enable the option to send an encrypted request parameter JWT.", "propertyOrder" : 1130, "required" : true, "type" : "boolean", "exampleValue" : "" },
  "responseMode" : { "title" : "Response Mode", "description" : "Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.", "propertyOrder" : 2500, "required" : true, "type" : "string", "exampleValue" : "" },
  "clientSecret" : { "title" : "Client Secret", "description" : "OAuth client_secret parameter. For more information on the OAuth client_secret parameter, refer to RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1. This property is deprecated. Use the Client Secret Label Identifier instead. AM ignores the Client Secret if you set a Client Secret Label Identifier.", "propertyOrder" : 300, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" },
  "issuer" : { "title" : "Issuer", "description" : "The Issuer of OIDC ID Tokens.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "" },
  "jwtRequestParameterOption" : { "title" : "Request Parameter JWT Option", "description" : "Choose how Request Parameter JWTs will be sent to the OIDC Provider. Choose REFERENCE for OpenID Connect Request Parameter JWTs to be passed by reference. Choose VALUE for OpenID Connect Request Parameter JWTs to be passed as single, self-contained parameters. Choose NONE to specify that Request Parameter JWTs are not used.", "propertyOrder" : 1125, "required" : true, "type" : "string", "exampleValue" : "" },
  "pkceMethod" : { "title" : "PKCE Method", "description" : "The PKCE transformation method to use when making requests to the authorization endpoint.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" },
  "enabled" : { "title" : "Enabled", "description" : "", "propertyOrder" : 1, "required" : true, "type" : "boolean", "exampleValue" : "" },
  "revocationCheckOptions" : { "title" : "Certificate Revocation Checking Options", "description" : "The option(s) used by the TLS certificate revocation checking mechanism. Including DISABLE_REVOCATION_CHECKING in the options prevents any revocation checking. If no options are selected, the default behaviour is to enable revocation checking with SOFT_FAIL. If the certificate doesn't specify any OCSP/CRL endpoints, revocation checking will hard fail even if the SOFT_FAIL option is enabled; an option in this case is for admins to disable revocation checking. The revocation options follow the revocation checking mechanism described at https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/cert/PKIXRevocationChecker.Option.html", "propertyOrder" : 2700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
  "encryptedIdTokens" : { "title" : "OP Encrypts ID Tokens", "description" : "Whether the OP encrypts ID Tokens. Determines which resolver to use.", "propertyOrder" : 1500, "required" : true, "type" : "boolean", "exampleValue" : "" },
  "privateKeyJwtExpTime" : { "title" : "Private Key JWT Expiration Time (seconds)", "description" : "The expiration time on or after which the private key JWT must not be accepted for processing.", "propertyOrder" : 2200, "required" : true, "type" : "integer", "exampleValue" : "" },
  "useCustomTrustStore" : { "title" : "Use Custom TrustStore", "description" : "Indicates whether a custom TrustStore should be used to verify the server certificate of the OP's well-known endpoint/JWKS URI in a TLS handshake. If enabled, a secret label is generated using the name of this client configuration. For example, if the name of this client configuration is sampleOidcConfig, the secret label 'am.services.oidc.reliant.party.sampleOidcConfig.truststore' will be generated and available for mapping to an alias on the realm secret stores. The administrator has to make sure that a secret mapping is configured for this to work. If this flag is disabled, the server certificate is verified using the default TrustStore.", "propertyOrder" : 2900, "required" : true, "type" : "boolean", "exampleValue" : "" },
  "enableNativeNonce" : { "title" : "Enable Native Nonce", "description" : "When enabled, the Identity Provider Native SDK MUST include a nonce Claim in the ID Token with the Claim value being the nonce value sent in the Authentication Request. Enabled by default.", "propertyOrder" : 1700, "required" : true, "type" : "boolean", "exampleValue" : "" },
  "authorizationEndpoint" : { "title" : "Authentication Endpoint URL", "description" : "OAuth authorization endpoint URL. This is the authorization endpoint (RFC 6749, section 3.1) provided by the OAuth Identity Provider.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "https://appleid.apple.com/auth/authorize" },
  "authenticationIdKey" : { "title" : "Auth ID Key", "description" : "Field used to identify a user by the social provider.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "sub" },
  "clientAuthenticationMethod" : { "title" : "Client Authentication Method", "description" : "Field used to define how the client is identified by the social provider.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" },
  "wellKnownEndpoint" : { "title" : "Well Known Endpoint", "description" : "The endpoint for retrieving a list of OAuth/OIDC endpoints.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" },
  "redirectURI" : { "title" : "Redirect URL", "description" : "", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" },
  "requestNativeAppForUserInfo" : { "title" : "Request Native App for UserInfo", "description" : "Informs the native app it can send UserInfo as JSON.", "propertyOrder" : 2600, "required" : true, "type" : "boolean", "exampleValue" : "" }
} }
delete
Usage
am> delete ClientConfigurationForApple --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action ClientConfigurationForApple --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action ClientConfigurationForApple --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action ClientConfigurationForApple --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query ClientConfigurationForApple --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read ClientConfigurationForApple --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update ClientConfigurationForApple --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : {
  "issuerComparisonCheckType" : { "title" : "Issuer comparison check", "description" : "Controls how the expected issuer value is compared with the actual value of the \"iss\" claim in the ID token. EXACT performs a spec-compliant exact string comparison. REGEX treats the expected issuer value as a regular expression and evaluates it against the actual issuer value to determine whether it matches. If using the REGEX comparison, take care over what the regular expression will allow and over the performance characteristics of the provided regex.", "propertyOrder" : 10001, "required" : true, "type" : "string", "exampleValue" : "" },
  "introspectEndpoint" : { "title" : "Token Introspection Endpoint URL", "description" : "OAuth token introspection endpoint URL. This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662 (http://tools.ietf.org/html/rfc7662).", "propertyOrder" : 650, "required" : true, "type" : "string", "exampleValue" : "" },
  "tokenEndpoint" : { "title" : "Access Token Endpoint URL", "description" : "OAuth access token endpoint URL. This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "https://appleid.apple.com/auth/token" },
  "jwksUriEndpoint" : { "title" : "JWKS URI Endpoint", "description" : "The JWKS URL endpoint for the RP to use when encrypting or validating", "propertyOrder" : 1800, "required" : true, "type" : "string", "exampleValue" : "" },
  "transform" : { "title" : "Transform Script", "description" : "A script that takes the raw profile object as input and outputs the normalized profile object.", "propertyOrder" : 10000, "required" : true, "type" : "string", "exampleValue" : "" },
  "scopes" : { "title" : "OAuth Scopes", "description" : "List of scopes (user profile properties) that the client application requires, according to the OAuth 2.0 Authorization Framework. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "name, email" },
  "userInfoEndpoint" : { "title" : "User Profile Service URL", "description" : "User profile information URL. This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. NB: this URL should return JSON objects in response.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" },
  "acrValues" : { "title" : "ACR Values", "description" : "The acr values that the Authorization Server is requested to use for processing this Authentication Request, in order of preference; sent as a space-separated string.", "propertyOrder" : 1150, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" },
  "clientSecretLabelIdentifier" : { "title" : "Client Secret Label Identifier", "description" : "Identifier used to create a secret label for mapping to a secret in the secret store. AM uses this identifier to create a specific secret label for this service instance. The secret label takes the form am.social.providers.{{identifier}}.secret, where {{identifier}} is the value of Client Secret Label Identifier. The identifier can only contain the characters a-z, A-Z, 0-9 and '.', and cannot start or end with '.'. If you set a Client Secret Label Identifier and AM finds a matching secret in a secret store, the Client Secret is ignored.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" },
  "jwtEncryptionMethod" : { "title" : "JWT Encryption Method", "description" : "The encryption method to use when encrypting the client assertion and request object JWT sent to the social provider.", "propertyOrder" : 2100, "required" : true, "type" : "string", "exampleValue" : "" },
  "jwtSigningAlgorithm" : { "title" : "JWT Signing Algorithm", "description" : "The signing algorithm to use when signing the client assertion and request object JWT sent to the social provider.", "propertyOrder" : 1900, "required" : true, "type" : "string", "exampleValue" : "" },
  "claims" : { "title" : "Claims", "description" : "Claims on the request object, in JSON format. Must conform to the claims request parameter definition in the OpenID Connect specification, section 5.5.", "propertyOrder" : 1810, "required" : true, "type" : "string", "format" : "textarea", "exampleValue" : "" },
  "jwtEncryptionAlgorithm" : { "title" : "JWT Encryption Algorithm", "description" : "The encryption algorithm to use when encrypting the client assertion and request object JWT sent to the social provider.", "propertyOrder" : 2000, "required" : true, "type" : "string", "exampleValue" : "" },
  "scopeDelimiter" : { "title" : "Scope Delimiter", "description" : "The delimiter used by the authorization server to separate scopes.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" },
  "userInfoResponseType" : { "title" : "User Info Response Format", "description" : "The expected format of UserInfo responses. Dictates how AM will process the response. The expected format must match the actual format.", "propertyOrder" : 1710, "required" : true, "type" : "string", "exampleValue" : "" },
  "uiConfig" : { "title" : "UI Config Properties", "description" : "Mapping of display properties to be defined and consumed by the UI.", "propertyOrder" : 9999, "required" : true, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" },
  "requestObjectAudience" : { "title" : "Request Object Audience", "description" : "The intended audience of the request object. If unspecified, the issuer value will be used.", "propertyOrder" : 1410, "required" : true, "type" : "string", "exampleValue" : "" },
  "clientId" : { "title" : "Client ID", "description" : "OAuth client_id parameter. For more information on the OAuth client_id parameter, refer to RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" },
  "redirectAfterFormPostURI" : { "title" : "Redirect after form post URL", "description" : "Specify the URL to redirect the form post parameters to.", "propertyOrder" : 710, "required" : true, "type" : "string", "exampleValue" : "" },
  "encryptJwtRequestParameter" : { "title" : "Encrypt Request Parameter JWT", "description" : "Enable the option to send an encrypted request parameter JWT.", "propertyOrder" : 1130, "required" : true, "type" : "boolean", "exampleValue" : "" },
  "responseMode" : { "title" : "Response Mode", "description" : "Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.", "propertyOrder" : 2500, "required" : true, "type" : "string", "exampleValue" : "" },
  "clientSecret" : { "title" : "Client Secret", "description" : "OAuth client_secret parameter. For more information on the OAuth client_secret parameter, refer to RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1. This property is deprecated. Use the Client Secret Label Identifier instead. AM ignores the Client Secret if you set a Client Secret Label Identifier.", "propertyOrder" : 300, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" },
  "issuer" : { "title" : "Issuer", "description" : "The Issuer of OIDC ID Tokens.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "" },
  "jwtRequestParameterOption" : { "title" : "Request Parameter JWT Option", "description" : "Choose how Request Parameter JWTs will be sent to the OIDC Provider. Choose REFERENCE for OpenID Connect Request Parameter JWTs to be passed by reference. Choose VALUE for OpenID Connect Request Parameter JWTs to be passed as single, self-contained parameters. Choose NONE to specify that Request Parameter JWTs are not used.", "propertyOrder" : 1125, "required" : true, "type" : "string", "exampleValue" : "" },
  "pkceMethod" : { "title" : "PKCE Method", "description" : "The PKCE transformation method to use when making requests to the authorization endpoint.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" },
  "enabled" : { "title" : "Enabled", "description" : "", "propertyOrder" : 1, "required" : true, "type" : "boolean", "exampleValue" : "" },
  "revocationCheckOptions" : { "title" : "Certificate Revocation Checking Options", "description" : "The option(s) that will be used by the TLS certificate revocation checking mechanism. <p> Including DISABLE_REVOCATION_CHECKING in the options will prevent any revocation checking. <p> If no options are selected the default behaviour is that it enables revocation checking with SOFT_FAIL. <p> If the certificate doesn't specify any OCSP/CRL endpoints, then the revocation checking will hard fail, even if the SOFT_FAIL option is enabled. An option in this case is for admins to disable revocation checking. 
<p> The revocation options follow the revocation checking mechanism as mentioned in https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/cert/PKIXRevocationChecker.Option.html", "propertyOrder" : 2700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "encryptedIdTokens" : { "title" : "OP Encrypts ID Tokens", "description" : "Whether the OP encrypts ID Tokens. Will determine which resolver to use.", "propertyOrder" : 1500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "privateKeyJwtExpTime" : { "title" : "Private Key JWT Expiration Time (seconds)", "description" : "The expiration time on or after which the private key JWT must not be accepted for processing.", "propertyOrder" : 2200, "required" : true, "type" : "integer", "exampleValue" : "" }, "useCustomTrustStore" : { "title" : "Use Custom TrustStore", "description" : "Indicates whether a custom TrustStore should be used to verify the server certificate of the OP's well known endpoint/JWKs URI in a TLS handshake.<p> If enabled a Secret label would be generated using the name of this client configuration.<p> For example, if the name of this client configuration is sampleOidcConfig,a secret label 'am.services.oidc.reliant.party.sampleOidcConfig.truststore' will be generated and available for mapping to an alias on the realm secret stores. The administrator has to make sure that a secret mapping is configured for this to work. If this flag is disabled, the verification of the server certificate is done using the default TrustStore", "propertyOrder" : 2900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "enableNativeNonce" : { "title" : "Enable Native Nonce", "description" : "When enabled, the Identity Provider Native SDK MUST include a nonce Claim in the ID Token with the Claim value being the nonce value sent in the Authentication Request. 
Enabled by default.", "propertyOrder" : 1700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "authorizationEndpoint" : { "title" : "Authentication Endpoint URL", "description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "https://appleid.apple.com/auth/authorize" }, "authenticationIdKey" : { "title" : "Auth ID Key", "description" : "Field used to identify a user by the social provider.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "sub" }, "clientAuthenticationMethod" : { "title" : "Client Authentication Method", "description" : "Field used to define how the client would be identified by the social provider.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "wellKnownEndpoint" : { "title" : "Well Known Endpoint", "description" : "The endpoint for retrieving a list of OAuth/OIDC endpoints.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "redirectURI" : { "title" : "Redirect URL", "description" : "", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "requestNativeAppForUserInfo" : { "title" : "Request Native App for UserInfo", "description" : "Informs the native app it can send UserInfo as JSON.", "propertyOrder" : 2600, "required" : true, "type" : "boolean", "exampleValue" : "" } } }
ClientConfigurationForGoogle
Realm Operations
Resource path:
/realm-config/services/SocialIdentityProviders/googleConfig
Resource version: 2.0
create
Usage
am> create ClientConfigurationForGoogle --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "acrValues" : { "title" : "ACR Values", "description" : "Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.", "propertyOrder" : 1150, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "authenticationIdKey" : { "title" : "Auth ID Key", "description" : "Field used to identify a user by the social provider.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "sub" }, "enabled" : { "title" : "Enabled", "description" : "", "propertyOrder" : 1, "required" : true, "type" : "boolean", "exampleValue" : "" }, "userInfoEndpoint" : { "title" : "User Profile Service URL", "description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo" }, "introspectEndpoint" : { "title" : "Token Introspection Endpoint URL", "description" : "OAuth Token Introspection endpoint URL This is the URL endpoint for access token validation using the OAuth Identity Provider.Refer to the RFC 7662 (http://tools.ietf.org/html/rfc7662).", "propertyOrder" : 650, "required" : true, "type" : "string", "exampleValue" : "" }, "transform" : { "title" : "Transform Script", "description" : "A script that takes the raw profile object as input and outputs the normalized profile object.", "propertyOrder" : 10000, "required" : true, "type" : "string", "exampleValue" : "" }, "scopes" : { "title" : "OAuth Scopes", "description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework that the client application requires. 
The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "openid, profile, email" }, "revocationCheckOptions" : { "title" : "Certificate Revocation Checking Options", "description" : "The option(s) that will be used by the TLS certificate revocation checking mechanism. <p> Including DISABLE_REVOCATION_CHECKING in the options will prevent any revocation checking. <p> If no options are selected the default behaviour is that it enables revocation checking with SOFT_FAIL. <p> If the certificate doesn't specify any OCSP/CRL endpoints, then the revocation checking will hard fail, even if the SOFT_FAIL option is enabled. An option in this case is for admins to disable revocation checking. <p> The revocation options follow the revocation checking mechanism as mentioned in https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/cert/PKIXRevocationChecker.Option.html", "propertyOrder" : 2700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "authorizationEndpoint" : { "title" : "Authentication Endpoint URL", "description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth" }, "redirectAfterFormPostURI" : { "title" : "Redirect after form post URL", "description" : "Specify URL to redirect the form post parameters to.", "propertyOrder" : 710, "required" : true, "type" : "string", "exampleValue" : "" }, "jwksUriEndpoint" : { "title" : "JWKS URI Endpoint", "description" : "The JWKS URL endpoint for the RP to use when encrypting or validating", "propertyOrder" : 1800, "required" : true, 
"type" : "string", "exampleValue" : "" }, "jwtEncryptionMethod" : { "title" : "JWT Encryption Method", "description" : "The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.", "propertyOrder" : 2100, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtEncryptionAlgorithm" : { "title" : "JWT Encryption Algorithm", "description" : "The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.", "propertyOrder" : 2000, "required" : true, "type" : "string", "exampleValue" : "" }, "clientSecret" : { "title" : "Client Secret", "description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1. This property is deprecated. Use the Client Secret Label Identifier instead. AM ignores the Client Secret if you set a Client Secret Label Identifier.", "propertyOrder" : 300, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "claims" : { "title" : "Claims", "description" : "Claims on request object in JSON format. Must conform to the claims request parameter definition in the OpenID Connect specification section 5.5.", "propertyOrder" : 1810, "required" : true, "type" : "string", "format" : "textarea", "exampleValue" : "" }, "useCustomTrustStore" : { "title" : "Use Custom TrustStore", "description" : "Indicates whether a custom TrustStore should be used to verify the server certificate of the OP's well known endpoint/JWKs URI in a TLS handshake.<p> If enabled a Secret label would be generated using the name of this client configuration.<p> For example, if the name of this client configuration is sampleOidcConfig,a secret label 'am.services.oidc.reliant.party.sampleOidcConfig.truststore' will be generated and available for mapping to an alias on the realm secret stores. 
The administrator has to make sure that a secret mapping is configured for this to work. If this flag is disabled, the verification of the server certificate is done using the default TrustStore", "propertyOrder" : 2900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requestObjectAudience" : { "title" : "Request Object Audience", "description" : "The intended audience of the request object. If unspecified, the issuer value will be used.", "propertyOrder" : 1410, "required" : true, "type" : "string", "exampleValue" : "" }, "wellKnownEndpoint" : { "title" : "Well Known Endpoint", "description" : "The endpoint for retrieving a list of OAuth/OIDC endpoints.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "https://accounts.google.com/.well-known/openid-configuration" }, "encryptedIdTokens" : { "title" : "OP Encrypts ID Tokens", "description" : "Whether the OP encrypts ID Tokens. Will determine which resolver to use.", "propertyOrder" : 1500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "scopeDelimiter" : { "title" : "Scope Delimiter", "description" : "The delimiter used by an auth server to separate scopes.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "privateKeyJwtExpTime" : { "title" : "Private Key JWT Expiration Time (seconds)", "description" : "The expiration time on or after which the private key JWT must not be accepted for processing.", "propertyOrder" : 2200, "required" : true, "type" : "integer", "exampleValue" : "" }, "responseMode" : { "title" : "Response Mode", "description" : "Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.", "propertyOrder" : 2500, "required" : true, "type" : "string", "exampleValue" : "" }, "clientAuthenticationMethod" : { "title" : "Client Authentication Method", "description" : "Field used to define how the client would be identified by the social provider.", "propertyOrder" 
: 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "enableNativeNonce" : { "title" : "Enable Native Nonce", "description" : "When enabled, the Identity Provider Native SDK MUST include a nonce Claim in the ID Token with the Claim value being the nonce value sent in the Authentication Request. Enabled by default.", "propertyOrder" : 1700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "clientSecretLabelIdentifier" : { "title" : "Client Secret Label Identifier", "description" : "Identifier used to create a secret label for mapping to a secret in the secret store. <br>AM uses this identifier to create a specific secret label for this service instance. The secret label takes the form <code>am.social.providers.{{identifier}}.secret</code> where {{identifier}} is the value of Client Secret Label Identifier. The identifier can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}. If you set a Client Secret Label Identifier and AM finds a matching secret in a secret store, the Client Secret is ignored.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" }, "issuerComparisonCheckType" : { "title" : "Issuer comparison check", "description" : "Controls whether the comparison of the expected issuer value in IdToken matches the actual value of the \"iss\" claim. EXACT performs a spec compliant exact string comparison. REGEX takes the expected issuer value as a regular expression and performs a regular expression evaluation to determine if the actual issuer value is a match. 
If using the REGEX comparison take care in what the regular expression will allow and the performance characteristics of the provided regex.", "propertyOrder" : 10001, "required" : true, "type" : "string", "exampleValue" : "" }, "redirectURI" : { "title" : "Redirect URL", "description" : "", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "uiConfig" : { "title" : "UI Config Properties", "description" : "Mapping of display properties to be defined and consumed by the UI.", "propertyOrder" : 9999, "required" : true, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "pkceMethod" : { "title" : "PKCE Method", "description" : "The PKCE transformation method to use when making requests to the authorization endpoint.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "encryptJwtRequestParameter" : { "title" : "Encrypt Request Parameter JWT", "description" : "Enable the option to send an encrypted request parameter JWT.", "propertyOrder" : 1130, "required" : true, "type" : "boolean", "exampleValue" : "" }, "jwtRequestParameterOption" : { "title" : "Request Parameter JWT Option", "description" : "Choose how Request Parameter JWTs will be sent to the OIDC Provider. Choose REFERENCE for OpenID Connect Request Parameter JWTs to be passed by reference. Choose VALUE for OpenID Connect Request Parameter JWTs to be passed as single, self-contained parameters.Choose NONE to specify that Request Parameter JWTs are not used.", "propertyOrder" : 1125, "required" : true, "type" : "string", "exampleValue" : "" }, "userInfoResponseType" : { "title" : "User Info Response Format", "description" : "The expected format of UserInfo responses. Dictates how AM will process the response. 
The expected format must match the actual format.", "propertyOrder" : 1710, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtSigningAlgorithm" : { "title" : "JWT Signing Algorithm", "description" : "The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.", "propertyOrder" : 1900, "required" : true, "type" : "string", "exampleValue" : "" }, "issuer" : { "title" : "Issuer", "description" : "The Issuer of OIDC ID Tokens.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "https://accounts.google.com" }, "clientId" : { "title" : "Client ID", "description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "tokenEndpoint" : { "title" : "Access Token Endpoint URL", "description" : "OAuth access token endpoint URL This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider.Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "https://www.googleapis.com/oauth2/v4/token" } } }
delete
Usage
am> delete ClientConfigurationForGoogle --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action ClientConfigurationForGoogle --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action ClientConfigurationForGoogle --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action ClientConfigurationForGoogle --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query ClientConfigurationForGoogle --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read ClientConfigurationForGoogle --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update ClientConfigurationForGoogle --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "acrValues" : { "title" : "ACR Values", "description" : "Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.", "propertyOrder" : 1150, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "authenticationIdKey" : { "title" : "Auth ID Key", "description" : "Field used to identify a user by the social provider.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "sub" }, "enabled" : { "title" : "Enabled", "description" : "", "propertyOrder" : 1, "required" : true, "type" : "boolean", "exampleValue" : "" }, "userInfoEndpoint" : { "title" : "User Profile Service URL", "description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider NB This URL should return JSON objects in response.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "https://www.googleapis.com/oauth2/v3/userinfo" }, "introspectEndpoint" : { "title" : "Token Introspection Endpoint URL", "description" : "OAuth Token Introspection endpoint URL This is the URL endpoint for access token validation using the OAuth Identity Provider.Refer to the RFC 7662 (http://tools.ietf.org/html/rfc7662).", "propertyOrder" : 650, "required" : true, "type" : "string", "exampleValue" : "" }, "transform" : { "title" : "Transform Script", "description" : "A script that takes the raw profile object as input and outputs the normalized profile object.", "propertyOrder" : 10000, "required" : true, "type" : "string", "exampleValue" : "" }, "scopes" : { "title" : "OAuth Scopes", "description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework that the client application requires. 
The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "openid, profile, email" }, "revocationCheckOptions" : { "title" : "Certificate Revocation Checking Options", "description" : "The option(s) that will be used by the TLS certificate revocation checking mechanism. <p> Including DISABLE_REVOCATION_CHECKING in the options will prevent any revocation checking. <p> If no options are selected the default behaviour is that it enables revocation checking with SOFT_FAIL. <p> If the certificate doesn't specify any OCSP/CRL endpoints, then the revocation checking will hard fail, even if the SOFT_FAIL option is enabled. An option in this case is for admins to disable revocation checking. <p> The revocation options follow the revocation checking mechanism as mentioned in https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/cert/PKIXRevocationChecker.Option.html", "propertyOrder" : 2700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "authorizationEndpoint" : { "title" : "Authentication Endpoint URL", "description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "https://accounts.google.com/o/oauth2/v2/auth" }, "redirectAfterFormPostURI" : { "title" : "Redirect after form post URL", "description" : "Specify URL to redirect the form post parameters to.", "propertyOrder" : 710, "required" : true, "type" : "string", "exampleValue" : "" }, "jwksUriEndpoint" : { "title" : "JWKS URI Endpoint", "description" : "The JWKS URL endpoint for the RP to use when encrypting or validating", "propertyOrder" : 1800, "required" : true, 
"type" : "string", "exampleValue" : "" }, "jwtEncryptionMethod" : { "title" : "JWT Encryption Method", "description" : "The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.", "propertyOrder" : 2100, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtEncryptionAlgorithm" : { "title" : "JWT Encryption Algorithm", "description" : "The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.", "propertyOrder" : 2000, "required" : true, "type" : "string", "exampleValue" : "" }, "clientSecret" : { "title" : "Client Secret", "description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1. This property is deprecated. Use the Client Secret Label Identifier instead. AM ignores the Client Secret if you set a Client Secret Label Identifier.", "propertyOrder" : 300, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "claims" : { "title" : "Claims", "description" : "Claims on request object in JSON format. Must conform to the claims request parameter definition in the OpenID Connect specification section 5.5.", "propertyOrder" : 1810, "required" : true, "type" : "string", "format" : "textarea", "exampleValue" : "" }, "useCustomTrustStore" : { "title" : "Use Custom TrustStore", "description" : "Indicates whether a custom TrustStore should be used to verify the server certificate of the OP's well known endpoint/JWKs URI in a TLS handshake.<p> If enabled a Secret label would be generated using the name of this client configuration.<p> For example, if the name of this client configuration is sampleOidcConfig,a secret label 'am.services.oidc.reliant.party.sampleOidcConfig.truststore' will be generated and available for mapping to an alias on the realm secret stores. 
The administrator has to make sure that a secret mapping is configured for this to work. If this flag is disabled, the verification of the server certificate is done using the default TrustStore", "propertyOrder" : 2900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requestObjectAudience" : { "title" : "Request Object Audience", "description" : "The intended audience of the request object. If unspecified, the issuer value will be used.", "propertyOrder" : 1410, "required" : true, "type" : "string", "exampleValue" : "" }, "wellKnownEndpoint" : { "title" : "Well Known Endpoint", "description" : "The endpoint for retrieving a list of OAuth/OIDC endpoints.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "https://accounts.google.com/.well-known/openid-configuration" }, "encryptedIdTokens" : { "title" : "OP Encrypts ID Tokens", "description" : "Whether the OP encrypts ID Tokens. Will determine which resolver to use.", "propertyOrder" : 1500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "scopeDelimiter" : { "title" : "Scope Delimiter", "description" : "The delimiter used by an auth server to separate scopes.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "privateKeyJwtExpTime" : { "title" : "Private Key JWT Expiration Time (seconds)", "description" : "The expiration time on or after which the private key JWT must not be accepted for processing.", "propertyOrder" : 2200, "required" : true, "type" : "integer", "exampleValue" : "" }, "responseMode" : { "title" : "Response Mode", "description" : "Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.", "propertyOrder" : 2500, "required" : true, "type" : "string", "exampleValue" : "" }, "clientAuthenticationMethod" : { "title" : "Client Authentication Method", "description" : "Field used to define how the client would be identified by the social provider.", "propertyOrder" 
: 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "enableNativeNonce" : { "title" : "Enable Native Nonce", "description" : "When enabled, the Identity Provider Native SDK MUST include a nonce Claim in the ID Token with the Claim value being the nonce value sent in the Authentication Request. Enabled by default.", "propertyOrder" : 1700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "clientSecretLabelIdentifier" : { "title" : "Client Secret Label Identifier", "description" : "Identifier used to create a secret label for mapping to a secret in the secret store. <br>AM uses this identifier to create a specific secret label for this service instance. The secret label takes the form <code>am.social.providers.{{identifier}}.secret</code> where {{identifier}} is the value of Client Secret Label Identifier. The identifier can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}. If you set a Client Secret Label Identifier and AM finds a matching secret in a secret store, the Client Secret is ignored.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" }, "issuerComparisonCheckType" : { "title" : "Issuer comparison check", "description" : "Controls whether the comparison of the expected issuer value in IdToken matches the actual value of the \"iss\" claim. EXACT performs a spec compliant exact string comparison. REGEX takes the expected issuer value as a regular expression and performs a regular expression evaluation to determine if the actual issuer value is a match. If using the REGEX comparison take care in what the regular expression will allow and the performance characteristics of the provided regex.", "propertyOrder" : 10001, "required" : true, "type" : "string", "exampleValue" : "" }, "redirectURI" : { "title" : "Redirect URL", "description" : "", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "uiConfig" : { "title" : "UI Config Properties", "description" : "Mapping of display properties to be defined and consumed by the UI.", "propertyOrder" : 9999, "required" : true, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "pkceMethod" : { "title" : "PKCE Method", "description" : "The PKCE transformation method to use when making requests to the authorization endpoint.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "encryptJwtRequestParameter" : { "title" : "Encrypt Request Parameter JWT", "description" : "Enable the option to send an encrypted request parameter JWT.", "propertyOrder" : 1130, "required" : true, "type" : "boolean", "exampleValue" : "" }, "jwtRequestParameterOption" : { "title" : "Request Parameter JWT Option", "description" : "Choose how Request Parameter JWTs will be sent to the OIDC Provider. Choose REFERENCE for OpenID Connect Request Parameter JWTs to be passed by reference. Choose VALUE for OpenID Connect Request Parameter JWTs to be passed as single, self-contained parameters. Choose NONE to specify that Request Parameter JWTs are not used.", "propertyOrder" : 1125, "required" : true, "type" : "string", "exampleValue" : "" }, "userInfoResponseType" : { "title" : "User Info Response Format", "description" : "The expected format of UserInfo responses. Dictates how AM will process the response. The expected format must match the actual format.", "propertyOrder" : 1710, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtSigningAlgorithm" : { "title" : "JWT Signing Algorithm", "description" : "The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.", "propertyOrder" : 1900, "required" : true, "type" : "string", "exampleValue" : "" }, "issuer" : { "title" : "Issuer", "description" : "The Issuer of OIDC ID Tokens.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "https://accounts.google.com" }, "clientId" : { "title" : "Client ID", "description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "tokenEndpoint" : { "title" : "Access Token Endpoint URL", "description" : "OAuth access token endpoint URL. This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "https://www.googleapis.com/oauth2/v4/token" } } }
ClientConfigurationForInstagram
Realm Operations
Resource path:
/realm-config/services/SocialIdentityProviders/instagramConfig
Resource version: 2.0
create
Usage
am> create ClientConfigurationForInstagram --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "scopes" : { "title" : "OAuth Scopes", "description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "user_profile" }, "pkceMethod" : { "title" : "PKCE Method", "description" : "The PKCE transformation method to use when making requests to the authorization endpoint.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "jwksUriEndpoint" : { "title" : "JWKS URI Endpoint", "description" : "The JWKS URL endpoint for the RP to use when encrypting or validating", "propertyOrder" : 1800, "required" : true, "type" : "string", "exampleValue" : "" }, "clientSecretLabelIdentifier" : { "title" : "Client Secret Label Identifier", "description" : "Identifier used to create a secret label for mapping to a secret in the secret store. <br>AM uses this identifier to create a specific secret label for this service instance. The secret label takes the form <code>am.social.providers.{{identifier}}.secret</code> where {{identifier}} is the value of Client Secret Label Identifier. The identifier can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}. If you set a Client Secret Label Identifier and AM finds a matching secret in a secret store, the Client Secret is ignored.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" }, "clientId" : { "title" : "Client ID", "description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "introspectEndpoint" : { "title" : "Token Introspection Endpoint URL", "description" : "OAuth Token Introspection endpoint URL. This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to the RFC 7662 (http://tools.ietf.org/html/rfc7662).", "propertyOrder" : 650, "required" : true, "type" : "string", "exampleValue" : "https://graph.instagram.com/debug_token" }, "redirectAfterFormPostURI" : { "title" : "Redirect after form post URL", "description" : "Specify URL to redirect the form post parameters to.", "propertyOrder" : 710, "required" : true, "type" : "string", "exampleValue" : "" }, "issuerComparisonCheckType" : { "title" : "Issuer comparison check", "description" : "Controls whether the comparison of the expected issuer value in IdToken matches the actual value of the \"iss\" claim. EXACT performs a spec compliant exact string comparison. REGEX takes the expected issuer value as a regular expression and performs a regular expression evaluation to determine if the actual issuer value is a match. If using the REGEX comparison take care in what the regular expression will allow and the performance characteristics of the provided regex.", "propertyOrder" : 10001, "required" : true, "type" : "string", "exampleValue" : "" }, "useCustomTrustStore" : { "title" : "Use Custom TrustStore", "description" : "Indicates whether a custom TrustStore should be used to verify the server certificate of the OP's well known endpoint/JWKs URI in a TLS handshake.<p> If enabled a Secret label would be generated using the name of this client configuration.<p> For example, if the name of this client configuration is sampleOidcConfig, a secret label 'am.services.oidc.reliant.party.sampleOidcConfig.truststore' will be generated and available for mapping to an alias on the realm secret stores. The administrator has to make sure that a secret mapping is configured for this to work. If this flag is disabled, the verification of the server certificate is done using the default TrustStore.", "propertyOrder" : 2900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "revocationCheckOptions" : { "title" : "Certificate Revocation Checking Options", "description" : "The option(s) that will be used by the TLS certificate revocation checking mechanism. <p> Including DISABLE_REVOCATION_CHECKING in the options will prevent any revocation checking. <p> If no options are selected the default behaviour is that it enables revocation checking with SOFT_FAIL. <p> If the certificate doesn't specify any OCSP/CRL endpoints, then the revocation checking will hard fail, even if the SOFT_FAIL option is enabled. An option in this case is for admins to disable revocation checking. <p> The revocation options follow the revocation checking mechanism as mentioned in https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/cert/PKIXRevocationChecker.Option.html", "propertyOrder" : 2700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "authenticationIdKey" : { "title" : "Auth ID Key", "description" : "Field used to identify a user by the social provider.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "id" }, "clientSecret" : { "title" : "Client Secret", "description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1. This property is deprecated. Use the Client Secret Label Identifier instead. AM ignores the Client Secret if you set a Client Secret Label Identifier.", "propertyOrder" : 300, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "clientAuthenticationMethod" : { "title" : "Client Authentication Method", "description" : "Field used to define how the client would be identified by the social provider.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "scopeDelimiter" : { "title" : "Scope Delimiter", "description" : "The delimiter used by an auth server to separate scopes.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "userInfoEndpoint" : { "title" : "User Profile Service URL", "description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. NB This URL should return JSON objects in response.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "https://graph.instagram.com/me?fields=id,username" }, "responseMode" : { "title" : "Response Mode", "description" : "Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.", "propertyOrder" : 2500, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtEncryptionAlgorithm" : { "title" : "JWT Encryption Algorithm", "description" : "The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.", "propertyOrder" : 2000, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtEncryptionMethod" : { "title" : "JWT Encryption Method", "description" : "The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.", "propertyOrder" : 2100, "required" : true, "type" : "string", "exampleValue" : "" }, "transform" : { "title" : "Transform Script", "description" : "A script that takes the raw profile object as input and outputs the normalized profile object.", "propertyOrder" : 10000, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtSigningAlgorithm" : { "title" : "JWT Signing Algorithm", "description" : "The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.", "propertyOrder" : 1900, "required" : true, "type" : "string", "exampleValue" : "" }, "uiConfig" : { "title" : "UI Config Properties", "description" : "Mapping of display properties to be defined and consumed by the UI.", "propertyOrder" : 9999, "required" : true, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "tokenEndpoint" : { "title" : "Access Token Endpoint URL", "description" : "OAuth access token endpoint URL. This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "https://api.instagram.com/oauth/access_token" }, "authorizationEndpoint" : { "title" : "Authentication Endpoint URL", "description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "https://api.instagram.com/oauth/authorize/" }, "redirectURI" : { "title" : "Redirect URL", "description" : "", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "enabled" : { "title" : "Enabled", "description" : "", "propertyOrder" : 1, "required" : true, "type" : "boolean", "exampleValue" : "" }, "privateKeyJwtExpTime" : { "title" : "Private Key JWT Expiration Time (seconds)", "description" : "The expiration time on or after which the private key JWT must not be accepted for processing.", "propertyOrder" : 2200, "required" : true, "type" : "integer", "exampleValue" : "" } } }
delete
Usage
am> delete ClientConfigurationForInstagram --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action ClientConfigurationForInstagram --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action ClientConfigurationForInstagram --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action ClientConfigurationForInstagram --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query ClientConfigurationForInstagram --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read ClientConfigurationForInstagram --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update ClientConfigurationForInstagram --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "scopes" : { "title" : "OAuth Scopes", "description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "user_profile" }, "pkceMethod" : { "title" : "PKCE Method", "description" : "The PKCE transformation method to use when making requests to the authorization endpoint.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "jwksUriEndpoint" : { "title" : "JWKS URI Endpoint", "description" : "The JWKS URL endpoint for the RP to use when encrypting or validating", "propertyOrder" : 1800, "required" : true, "type" : "string", "exampleValue" : "" }, "clientSecretLabelIdentifier" : { "title" : "Client Secret Label Identifier", "description" : "Identifier used to create a secret label for mapping to a secret in the secret store. <br>AM uses this identifier to create a specific secret label for this service instance. The secret label takes the form <code>am.social.providers.{{identifier}}.secret</code> where {{identifier}} is the value of Client Secret Label Identifier. The identifier can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}. If you set a Client Secret Label Identifier and AM finds a matching secret in a secret store, the Client Secret is ignored.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" }, "clientId" : { "title" : "Client ID", "description" : "OAuth client_id parameter<p> For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "introspectEndpoint" : { "title" : "Token Introspection Endpoint URL", "description" : "OAuth Token Introspection endpoint URL. This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to the RFC 7662 (http://tools.ietf.org/html/rfc7662).", "propertyOrder" : 650, "required" : true, "type" : "string", "exampleValue" : "https://graph.instagram.com/debug_token" }, "redirectAfterFormPostURI" : { "title" : "Redirect after form post URL", "description" : "Specify URL to redirect the form post parameters to.", "propertyOrder" : 710, "required" : true, "type" : "string", "exampleValue" : "" }, "issuerComparisonCheckType" : { "title" : "Issuer comparison check", "description" : "Controls whether the comparison of the expected issuer value in IdToken matches the actual value of the \"iss\" claim. EXACT performs a spec compliant exact string comparison. REGEX takes the expected issuer value as a regular expression and performs a regular expression evaluation to determine if the actual issuer value is a match. If using the REGEX comparison take care in what the regular expression will allow and the performance characteristics of the provided regex.", "propertyOrder" : 10001, "required" : true, "type" : "string", "exampleValue" : "" }, "useCustomTrustStore" : { "title" : "Use Custom TrustStore", "description" : "Indicates whether a custom TrustStore should be used to verify the server certificate of the OP's well known endpoint/JWKs URI in a TLS handshake.<p> If enabled a Secret label would be generated using the name of this client configuration.<p> For example, if the name of this client configuration is sampleOidcConfig, a secret label 'am.services.oidc.reliant.party.sampleOidcConfig.truststore' will be generated and available for mapping to an alias on the realm secret stores. The administrator has to make sure that a secret mapping is configured for this to work. If this flag is disabled, the verification of the server certificate is done using the default TrustStore.", "propertyOrder" : 2900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "revocationCheckOptions" : { "title" : "Certificate Revocation Checking Options", "description" : "The option(s) that will be used by the TLS certificate revocation checking mechanism. <p> Including DISABLE_REVOCATION_CHECKING in the options will prevent any revocation checking. <p> If no options are selected the default behaviour is that it enables revocation checking with SOFT_FAIL. <p> If the certificate doesn't specify any OCSP/CRL endpoints, then the revocation checking will hard fail, even if the SOFT_FAIL option is enabled. An option in this case is for admins to disable revocation checking. <p> The revocation options follow the revocation checking mechanism as mentioned in https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/cert/PKIXRevocationChecker.Option.html", "propertyOrder" : 2700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "authenticationIdKey" : { "title" : "Auth ID Key", "description" : "Field used to identify a user by the social provider.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "id" }, "clientSecret" : { "title" : "Client Secret", "description" : "OAuth client_secret parameter <p>For more information on the OAuth client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1. This property is deprecated. Use the Client Secret Label Identifier instead. AM ignores the Client Secret if you set a Client Secret Label Identifier.", "propertyOrder" : 300, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "clientAuthenticationMethod" : { "title" : "Client Authentication Method", "description" : "Field used to define how the client would be identified by the social provider.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "scopeDelimiter" : { "title" : "Scope Delimiter", "description" : "The delimiter used by an auth server to separate scopes.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "userInfoEndpoint" : { "title" : "User Profile Service URL", "description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. NB This URL should return JSON objects in response.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "https://graph.instagram.com/me?fields=id,username" }, "responseMode" : { "title" : "Response Mode", "description" : "Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.", "propertyOrder" : 2500, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtEncryptionAlgorithm" : { "title" : "JWT Encryption Algorithm", "description" : "The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.", "propertyOrder" : 2000, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtEncryptionMethod" : { "title" : "JWT Encryption Method", "description" : "The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.", "propertyOrder" : 2100, "required" : true, "type" : "string", "exampleValue" : "" }, "transform" : { "title" : "Transform Script", "description" : "A script that takes the raw profile object as input and outputs the normalized profile object.", "propertyOrder" : 10000, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtSigningAlgorithm" : { "title" : "JWT Signing Algorithm", "description" : "The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.", "propertyOrder" : 1900, "required" : true, "type" : "string", "exampleValue" : "" }, "uiConfig" : { "title" : "UI Config Properties", "description" : "Mapping of display properties to be defined and consumed by the UI.", "propertyOrder" : 9999, "required" : true, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "tokenEndpoint" : { "title" : "Access Token Endpoint URL", "description" : "OAuth access token endpoint URL. This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "https://api.instagram.com/oauth/access_token" }, "authorizationEndpoint" : { "title" : "Authentication Endpoint URL", "description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "https://api.instagram.com/oauth/authorize/" }, "redirectURI" : { "title" : "Redirect URL", "description" : "", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "enabled" : { "title" : "Enabled", "description" : "", "propertyOrder" : 1, "required" : true, "type" : "boolean", "exampleValue" : "" }, "privateKeyJwtExpTime" : { "title" : "Private Key JWT Expiration Time (seconds)", "description" : "The expiration time on or after which the private key JWT must not be accepted for processing.", "propertyOrder" : 2200, "required" : true, "type" : "integer", "exampleValue" : "" } } }
ClientConfigurationForItsme
Realm Operations
Resource path:
/realm-config/services/SocialIdentityProviders/itsmeConfig
Resource version: 2.0
create
Usage
am> create ClientConfigurationForItsme --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "userInfoResponseType" : { "title" : "User Info Response Format", "description" : "The expected format of UserInfo responses. Dictates how AM will process the response. The expected format must match the actual format.", "propertyOrder" : 1710, "required" : true, "type" : "string", "exampleValue" : "" }, "issuerComparisonCheckType" : { "title" : "Issuer comparison check", "description" : "Controls whether the comparison of the expected issuer value in IdToken matches the actual value of the \"iss\" claim. EXACT performs a spec compliant exact string comparison. REGEX takes the expected issuer value as a regular expression and performs a regular expression evaluation to determine if the actual issuer value is a match. If using the REGEX comparison take care in what the regular expression will allow and the performance characteristics of the provided regex.", "propertyOrder" : 10001, "required" : true, "type" : "string", "exampleValue" : "" }, "jwksUriEndpoint" : { "title" : "JWKS URI Endpoint", "description" : "The JWKS URL endpoint for the RP to use when encrypting or validating", "propertyOrder" : 1800, "required" : true, "type" : "string", "exampleValue" : "https://idp.prd.itsme.services/v2/jwkSet" }, "enableNativeNonce" : { "title" : "Enable Native Nonce", "description" : "When enabled, the Identity Provider Native SDK MUST include a nonce Claim in the ID Token with the Claim value being the nonce value sent in the Authentication Request. Enabled by default.", "propertyOrder" : 1700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "claims" : { "title" : "Claims", "description" : "Claims on request object in JSON format. 
Must conform to the claims request parameter definition in the OpenID Connect specification section 5.5.", "propertyOrder" : 1810, "required" : true, "type" : "string", "format" : "textarea", "exampleValue" : "" }, "clientAuthenticationMethod" : { "title" : "Client Authentication Method", "description" : "Field used to define how the client would be identified by the social provider.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "transform" : { "title" : "Transform Script", "description" : "A script that takes the raw profile object as input and outputs the normalized profile object.", "propertyOrder" : 10000, "required" : true, "type" : "string", "exampleValue" : "" }, "pkceMethod" : { "title" : "PKCE Method", "description" : "The PKCE transformation method to use when making requests to the authorization endpoint.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtSigningAlgorithm" : { "title" : "JWT Signing Algorithm", "description" : "The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.", "propertyOrder" : 1900, "required" : true, "type" : "string", "exampleValue" : "" }, "introspectEndpoint" : { "title" : "Token Introspection Endpoint URL", "description" : "OAuth Token Introspection endpoint URL This is the URL endpoint for access token validation using the OAuth Identity Provider.Refer to the RFC 7662 (http://tools.ietf.org/html/rfc7662).", "propertyOrder" : 650, "required" : true, "type" : "string", "exampleValue" : "" }, "jwtEncryptionAlgorithm" : { "title" : "JWT Encryption Algorithm", "description" : "The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.", "propertyOrder" : 2000, "required" : true, "type" : "string", "exampleValue" : "" }, "clientId" : { "title" : "Client ID", "description" : "OAuth client_id parameter<p> For more information on the OAuth 
client_id parameter refer to the RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "uiConfig" : { "title" : "UI Config Properties", "description" : "Mapping of display properties to be defined and consumed by the UI.", "propertyOrder" : 9999, "required" : true, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "acrValues" : { "title" : "ACR Values", "description" : "Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.", "propertyOrder" : 1150, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "revocationCheckOptions" : { "title" : "Certificate Revocation Checking Options", "description" : "The option(s) that will be used by the TLS certificate revocation checking mechanism. <p> Including DISABLE_REVOCATION_CHECKING in the options will prevent any revocation checking. <p> If no options are selected the default behaviour is that it enables revocation checking with SOFT_FAIL. <p> If the certificate doesn't specify any OCSP/CRL endpoints, then the revocation checking will hard fail, even if the SOFT_FAIL option is enabled. An option in this case is for admins to disable revocation checking. 
<p> The revocation options follow the revocation checking mechanism as mentioned in https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/cert/PKIXRevocationChecker.Option.html", "propertyOrder" : 2700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "responseMode" : { "title" : "Response Mode", "description" : "Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.", "propertyOrder" : 2500, "required" : true, "type" : "string", "exampleValue" : "" }, "scopeDelimiter" : { "title" : "Scope Delimiter", "description" : "The delimiter used by an auth server to separate scopes.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "issuer" : { "title" : "Issuer", "description" : "The Issuer of OIDC ID Tokens.", "propertyOrder" : 1600, "required" : true, "type" : "string", "exampleValue" : "https://idp.prd.itsme.services/v2" }, "redirectAfterFormPostURI" : { "title" : "Redirect after form post URL", "description" : "Specify URL to redirect the form post parameters to.", "propertyOrder" : 710, "required" : true, "type" : "string", "exampleValue" : "" }, "wellKnownEndpoint" : { "title" : "Well Known Endpoint", "description" : "The endpoint for retrieving a list of OAuth/OIDC endpoints.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "https://idp.prd.itsme.services/v2/.well-known/openid-configuration" }, "encryptedIdTokens" : { "title" : "OP Encrypts ID Tokens", "description" : "Whether the OP encrypts ID Tokens. Will determine which resolver to use.", "propertyOrder" : 1500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "scopes" : { "title" : "OAuth Scopes", "description" : "List of user profile properties<p>According to the OAuth 2.0 Authorization Framework that the client application requires. 
The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "openid, profile, email" }, "enabled" : { "title" : "Enabled", "description" : "", "propertyOrder" : 1, "required" : true, "type" : "boolean", "exampleValue" : "" }, "redirectURI" : { "title" : "Redirect URL", "description" : "", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "clientSecret" : { "title" : "Client Secret", "description" : "OAuth client_secret parameter <p>For more information on the OAuth client_secret parameter refer to RFC 6749 (http://tools.ietf.org/html/rfc6749#section-2.3.1), section 2.3.1. This property is deprecated. Use the Client Secret Label Identifier instead. AM ignores the Client Secret if you set a Client Secret Label Identifier.", "propertyOrder" : 300, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "privateKeyJwtExpTime" : { "title" : "Private Key JWT Expiration Time (seconds)", "description" : "The expiration time on or after which the private key JWT must not be accepted for processing.", "propertyOrder" : 2200, "required" : true, "type" : "integer", "exampleValue" : "" }, "clientSecretLabelIdentifier" : { "title" : "Client Secret Label Identifier", "description" : "Identifier used to create a secret label for mapping to a secret in the secret store. <br>AM uses this identifier to create a specific secret label for this service instance. The secret label takes the form <code>am.social.providers.{{identifier}}.secret</code> where {{identifier}} is the value of Client Secret Label Identifier. The identifier can only contain the characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}. 
If you set a Client Secret Label Identifier and AM finds a matching secret in a secret store, the Client Secret is ignored.", "propertyOrder" : 350, "required" : false, "type" : "string", "exampleValue" : "" }, "jwtRequestParameterOption" : { "title" : "Request Parameter JWT Option", "description" : "Choose how Request Parameter JWTs will be sent to the OIDC Provider. Choose REFERENCE for OpenID Connect Request Parameter JWTs to be passed by reference. Choose VALUE for OpenID Connect Request Parameter JWTs to be passed as single, self-contained parameters. Choose NONE to specify that Request Parameter JWTs are not used.", "propertyOrder" : 1125, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationIdKey" : { "title" : "Auth ID Key", "description" : "Field used to identify a user by the social provider.", "propertyOrder" : 100, "required" : true, "type" : "string", "exampleValue" : "sub" }, "useCustomTrustStore" : { "title" : "Use Custom TrustStore", "description" : "Indicates whether a custom TrustStore should be used to verify the server certificate of the OP's well-known endpoint/JWKs URI in a TLS handshake.<p> If enabled, a secret label is generated using the name of this client configuration.<p> For example, if the name of this client configuration is sampleOidcConfig, a secret label 'am.services.oidc.reliant.party.sampleOidcConfig.truststore' is generated and available for mapping to an alias on the realm secret stores. The administrator must configure a secret mapping for this label for the verification to work. 
If this flag is disabled, the verification of the server certificate is done using the default TrustStore.", "propertyOrder" : 2900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "encryptJwtRequestParameter" : { "title" : "Encrypt Request Parameter JWT", "description" : "Enable the option to send an encrypted request parameter JWT.", "propertyOrder" : 1130, "required" : true, "type" : "boolean", "exampleValue" : "" }, "userInfoEndpoint" : { "title" : "User Profile Service URL", "description" : "User profile information URL <p> This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. NB: this URL must return a JSON object in its response.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "https://idp.prd.itsme.services/v2/userinfo" }, "jwtEncryptionMethod" : { "title" : "JWT Encryption Method", "description" : "The encryption method to use when encrypting the client assertion and request object JWT sent to the social provider.", "propertyOrder" : 2100, "required" : true, "type" : "string", "exampleValue" : "" }, "requestObjectAudience" : { "title" : "Request Object Audience", "description" : "The intended audience of the request object. 
If unspecified, the issuer value will be used.", "propertyOrder" : 1410, "required" : true, "type" : "string", "exampleValue" : "https://idp.prd.itsme.services/v2/authorization" }, "tokenEndpoint" : { "title" : "Access Token Endpoint URL", "description" : "OAuth access token endpoint URL <p> This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749 (http://tools.ietf.org/html/rfc6749#section-3.2), section 3.2.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "https://idp.prd.itsme.services/v2/token" }, "authorizationEndpoint" : { "title" : "Authentication Endpoint URL", "description" : "OAuth authentication endpoint URL <p> This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "https://idp.prd.itsme.services/v2/authorization" } } }
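The `--body` passed to `create` is a JSON document that must satisfy the schema above, and the two secret-label rules in it (the `am.social.providers.{{identifier}}.secret` label derived from the Client Secret Label Identifier, and the `am.services.oidc.reliant.party.<name>.truststore` label generated when Use Custom TrustStore is enabled) are easy to get wrong: a bad identifier or an unmapped label silently leaves the client without a secret or a trust anchor. The following pre-flight check is an added example written for this page; it is not code from Amster, AM or the ForgeRock documentation. It validates only the properties visible in this part of the schema (properties from the earlier part of the schema are passed through unchecked), enforces the identifier character rule, warns when the deprecated `clientSecret` is set or would be ignored, and lists the secret labels the administrator must map in the realm secret store before the configuration can work. The sample body, the configuration name `itsme`, the `jwtEncryptionMethod` value and the https-only check on endpoint URLs are assumptions added here, not requirements stated by the schema.

```python
import re

# Label templates quoted in the ClientConfigurationForItsme schema descriptions.
SECRET_LABEL = "am.social.providers.{identifier}.secret"
TRUSTSTORE_LABEL = "am.services.oidc.reliant.party.{name}.truststore"

# Schema rule for clientSecretLabelIdentifier: a-z A-Z 0-9 and '.',
# and the value cannot start or end with '.'.
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.]*[A-Za-z0-9])?$")

# Properties in the part of the schema shown above that are marked required:true.
REQUIRED = (
    "scopes", "enabled", "redirectURI", "privateKeyJwtExpTime",
    "jwtRequestParameterOption", "authenticationIdKey", "useCustomTrustStore",
    "encryptJwtRequestParameter", "userInfoEndpoint", "jwtEncryptionMethod",
    "requestObjectAudience", "tokenEndpoint", "authorizationEndpoint",
)
# Added hygiene check (assumption, not a schema rule): these URLs should be https.
URL_FIELDS = ("redirectURI", "userInfoEndpoint", "tokenEndpoint", "authorizationEndpoint")
REQUEST_JWT_OPTIONS = {"REFERENCE", "VALUE", "NONE"}


def valid_identifier(identifier: str) -> bool:
    """True if the value satisfies the Client Secret Label Identifier rule."""
    return bool(IDENTIFIER_RE.match(identifier))


def secret_labels(name: str, body: dict) -> list[str]:
    """Secret labels the realm secret store must map for this configuration."""
    labels = []
    ident = body.get("clientSecretLabelIdentifier")
    if ident:
        labels.append(SECRET_LABEL.format(identifier=ident))
    if body.get("useCustomTrustStore"):
        labels.append(TRUSTSTORE_LABEL.format(name=name))
    return labels


def check_body(name: str, body: dict) -> list[str]:
    """Return findings prefixed ERROR:/WARN:; an empty list means the body passed."""
    findings = []
    for key in REQUIRED:
        if key not in body:
            findings.append(f"ERROR: required property '{key}' is missing")
    scopes = body.get("scopes")
    if not isinstance(scopes, list) or not scopes or not all(isinstance(s, str) for s in scopes):
        findings.append("ERROR: 'scopes' must be a non-empty array of strings (minItems 1)")
    ident = body.get("clientSecretLabelIdentifier")
    secret = body.get("clientSecret")
    if ident and not valid_identifier(ident):
        findings.append("ERROR: clientSecretLabelIdentifier may only contain a-z A-Z 0-9 and '.' "
                        "and must not start or end with '.'")
    if secret and ident:
        findings.append("WARN: clientSecret is ignored because clientSecretLabelIdentifier is set")
    elif secret:
        findings.append("WARN: clientSecret is deprecated; set clientSecretLabelIdentifier and "
                        "map the secret in the secret store instead")
    opt = body.get("jwtRequestParameterOption")
    if opt is not None and opt not in REQUEST_JWT_OPTIONS:
        findings.append(f"ERROR: jwtRequestParameterOption must be one of {sorted(REQUEST_JWT_OPTIONS)}")
    exp = body.get("privateKeyJwtExpTime")
    if exp is not None and (isinstance(exp, bool) or not isinstance(exp, int) or exp <= 0):
        findings.append("ERROR: privateKeyJwtExpTime must be a positive integer number of seconds")
    for key in URL_FIELDS:
        url = body.get(key)
        if isinstance(url, str) and not url.startswith("https://"):
            findings.append(f"WARN: {key} is not an https:// URL")
    return findings


# Constructed sample body (assumption): only the properties shown in this part of
# the schema; a real create body also needs the properties from the earlier part.
SAMPLE_BODY = {
    "enabled": True,
    "authenticationIdKey": "sub",
    "clientSecretLabelIdentifier": "itsme.prod",
    "authorizationEndpoint": "https://idp.prd.itsme.services/v2/authorization",
    "tokenEndpoint": "https://idp.prd.itsme.services/v2/token",
    "userInfoEndpoint": "https://idp.prd.itsme.services/v2/userinfo",
    "redirectURI": "https://am.example.com/am",
    "scopes": ["openid", "profile", "email"],
    "jwtRequestParameterOption": "VALUE",
    "encryptJwtRequestParameter": True,
    "requestObjectAudience": "https://idp.prd.itsme.services/v2/authorization",
    "jwtEncryptionMethod": "A256GCM",  # assumed value; check the AM UI for the accepted list
    "privateKeyJwtExpTime": 600,
    "useCustomTrustStore": True,
}

if __name__ == "__main__":
    for finding in check_body("itsme", SAMPLE_BODY) or ["OK: body passed pre-flight checks"]:
        print(finding)
    for label in secret_labels("itsme", SAMPLE_BODY):
        print("map secret label:", label)
```

Run the check against the JSON you intend to pass as `--body`, map every label it reports in the realm secret store, and only then run `am> create ClientConfigurationForItsme --realm Realm --id itsme --body ...`; the `--id` used on create is the configuration name that appears in the truststore label.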
delete
Usage
am> delete ClientConfigurationForItsme --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action ClientConfigurationForItsme --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action ClientConfigurationForItsme --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action ClientConfigurationForItsme --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports _queryFilter=true
filter.
Usage
am> query ClientConfigurationForItsme --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.