PingAM 7.5.0

CTS token types

The Core Token Service (CTS) uses a generic LDAP schema for all token types.

The following sections provide information about the different token types, including what LDAP attributes they use, the data stored in those attributes, and example token formats:

You can use this information to query the CTS using LDAP searches.

For example, if you want to list user OAuth 2.0 refresh tokens, you can filter on coreTokenString03=user and coreTokenString10=refresh_token.

OAuth 2.0 grant-set tokens

OAuth 2.0 grant-set tokens are created when the grant-set scheme is used.

The grant-set acts as a container for all authorizations:

  • Client-side access code tokens and grant tokens.

  • Server-side access code tokens, access tokens, and refresh tokens.

LDAP attributes

LDAP attribute OAuth 2.0 grant-set token

coreTokenUserId

coreTokenType

OAUTH2_GRANT_SET

coreTokenString01

coreTokenString02

coreTokenString03

user

coreTokenString04

coreTokenString05

coreTokenString06

coreTokenString07

coreTokenString08

realm

coreTokenString09

client ID

coreTokenString10

coreTokenString11

coreTokenString12

coreTokenString13

coreTokenString14

coreTokenString15

coreTokenString16

coreTokenMultiString03

JSON representation of the OAuth 2.0 grant (access codes, refresh tokens, and access tokens)(1)

(1) The following abbreviations are used in this JSON representation:

  • g: Unique identifier in CTS

  • gx: Issue time

  • _s: Scope

  • a: Authorization code

  • ax: Issue time

  • asi: Authentication session ID token

  • aati: Access token ID

  • au: Authorization audience

  • ast: State

  • _am: Authentication node in AM

  • _acr: Authentication context class reference, if applicable

  • gt: Grant type, if applicable

Token examples

Client-side grant-set token
dn: coreTokenId=kOrkxaDZ6fYcUrcE0c3PEMFIGNk,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: frCoreToken
objectClass: top
coreTokenExpirationDate: 20240808152103.155Z
coreTokenId: kOrkxaDZ6fYcUrcE0c3PEMFIGNk
coreTokenMultiString03: {"g":"kOrkxaDZ6fYcUrcE0c3PEMFIGNk.xuPxwKKadXjWvMfKg9WFzvqIOC4","gx":1529062484276,"_s":["openid","profile"],"a":"kOrkxaDZ6fYcUrcE0c3PEMFIGNk.vm6gyeD5t8mF8nTYQ1XQBYTskMo","ax":1528454203638,"aati":"809b87b3-4fad-4ca1-9312-a7f0c669fd6c-34347","ai":true,"au":"https://example.com","asi":"AQIC5w...2NzEz*","ast":"1234","_am":"DataStore","_acr":"0","gt":[]}
coreTokenMultiString03: {"g":"C7mzozs1XJKVvCT63JwQatoI-og.Xf_gOFNZOeGcY6ZLnGxX11N9NKQ","gx":1579098268014,"_s":["read"],"a":"C7mzozs1XJKVvCT63JwQatoI-og.BXUyATQtb9GoyrFvAacc6b20S4A","ax":1578489985511,"aati":"0e4db3cf-14e5-4d44-9f36-8e2fc6ac78a6-15583","ai":true,"an":"123456","au":"https://example.com","asi":"AQIC5w...2NzEz*","ast":"eHI6","_am":"DataStore","_acr":"0","r":"C7mzozs1XJKVvCT63JwQatoI-og.IbiBbTo1bCKelDu4hj5tb_2qbrk","gt":[]}
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenString09: myClient
coreTokenType: OAUTH2_GRANT_SET
Server-side grant-set token
dn: coreTokenId=fx-GTfShtRhmJ89qMNVkxLx339U,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: frCoreToken
objectClass: top
coreTokenExpirationDate: 20240808152103.155Z
coreTokenId: fx-GTfShtRhmJ89qMNVkxLx339U
coreTokenMultiString03: {"g":"fx-GTfShtRhmJ89qMNVkxLx339U.BwOWUGadbho7rKgCYj5Uq1XuRPc","gx":0,"_s":["openid","profile"],"a":"fx-GTfShtRhmJ89qMNVkxLx339U.0g7urZwlwyK_5gUOlC49t4PVUPo","ax":1540546982500,"aati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537161","ai":true,"au":"https://example.com","asi":"AQIC5w...2NzEz*","ast":"1234","_am":"DataStore","_acr":"0","r":"fx-GTfShtRhmJ89qMNVkxLx339U.vXS04FRzuWulPMomSoVDnZvj-6s","rx":1541151662549,"rgt":"authorization_code","rtt":"Bearer","rtn":"refresh_token","rati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537554","ro":"jS474J1xvNZwD-uLeJJeTDWjAzI","_at":1540546862,"_al":0,"gt":[{"t":"fx-GTfShtRhmJ89qMNVkxLx339U.SGEDFJ5BkuuKXKHVeV24_IzoHRg","tx":1540550462814,"tgt":"authorization_code","ts":["openid","profile"],"ttn":"access_token","tati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537841","tck":null}]}
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenString09: myClient
coreTokenType: OAUTH2_GRANT_SET

Client-side OAuth 2.0 tokens

Access code tokens

Client-side access code tokens are created when the one-to-one scheme is used.

They are used in the OAuth 2.0 authorization code flow and in the OIDC authorization code and hybrid flows. They provide the state for the code used by the client to retrieve an access token.

Additionally, the value of the access code is used to form the unique identity of the subsequent grant token.

OAuth 2.0 grant tokens

Client-side OAuth 2.0 grant tokens are created when the one-to-one scheme is used.

They replace individual access and refresh tokens with a single token indicating that a grant took place. This prevents additional data from being written to the CTS when a new access token is issued based on an existing refresh token with an existing grant ID. They use the grant ID value from the preceding access code if this token was generated with the OAuth 2.0 authorization code flow.

The grant ID in the client-side OAuth 2.0 JWT matches the DN of the token in the CTS.

LDAP attributes

LDAP attribute Client-side access code token Client-side OAuth 2.0 grant token

coreTokenUserId

user

coreTokenType

OAUTH

OAUTH2_STATELESS_GRANT

coreTokenString01

scopes

coreTokenString02

coreTokenString03

user

coreTokenString04

redirect_uri

client ID

coreTokenString05

coreTokenString06

true (when the code is used and consent is granted)

scope

coreTokenString07

Bearer

coreTokenString08

realm

coreTokenString09

client ID

coreTokenString10

access_code

coreTokenString11

nonce

realm

coreTokenString12

jti

coreTokenString13

coreTokenString14

coreTokenString15

grant ID

coreTokenString16

Token examples

Client-side access code token
dn: coreTokenId=4e915f7a-08ec-4c65-915f-2256d6c3a503,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"redirectURI":["https://example.com"],"clientID":["myClient"],"ssoTokenId":["AQIC5w...2NzEz*"],"auditTrackingId":["a7180708-c39b-4f92-90ea-b2b8bb79ec75-83912"],"tokenName":["access_code"],"authModules":["DataStore"],"code_challenge_method":[],"userName":["demo"],"nonce":["abcdef"],"authGrantId":["f58f19f9-7f3f-43db-be90-466643414143"],"acr":[],"expireTime":["1523281431770"],"scope":["openid","profile"],"claims":[null],"realm":["/myRealm"],"id":["4e915f7a-08ec-4c65-915f-2256d6c3a503"],"state":[],"tokenType":["Bearer"],"code_challenge":[],"issued":["true"]}
coreTokenString11: abcdef
coreTokenString01: openid,profile
coreTokenString10: access_code
coreTokenString04: https://example.com
coreTokenString15: f58f19f9-7f3f-43db-be90-466643414143
coreTokenString03: demo
coreTokenExpirationDate: 20240808152103.155Z
coreTokenString08: /myRealm
coreTokenString09: myClient
coreTokenId: 4e915f7a-08ec-4c65-915f-2256d6c3a503
coreTokenString06: true
coreTokenString07: Bearer
coreTokenType: OAUTH
Client-side OAuth 2.0 grant token
dn: coreTokenId=f58f19f9-7f3f-43db-be90-466643414143,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {}
coreTokenString11: /myRealm
coreTokenString04: myClient
coreTokenExpirationDate: 20240808152103.155Z
coreTokenUserId: demo
coreTokenId: f58f19f9-7f3f-43db-be90-466643414143
coreTokenString06: openid,profile
coreTokenType: OAUTH2_STATELESS_GRANT

An example access token issued from this CTS grant token:

{
  "sub": "demo",
  "auth_level": 0,
  "auditTrackingId": "610b705d-51a9-43e1-b59a-47b372b9d3ae",
  "iss": "https://openam.example.com:8443/openam/oauth2/myRealm",
  "tokenName": "access_token",
  "token_type": "Bearer",
  "authGrantId": "f58f19f9-7f3f-43db-be90-466643414143",
  "nonce": "abcdef",
  "aud": "myClient",
  "nbf": 1523281312,
  "grant_type": "authorization_code",
  "scope": [
    "openid",
    "profile"
  ],
  "auth_time": 1523281311000,
  "realm": "/myRealm",
  "exp": 1523284912,
  "iat": 1523281312,
  "expires_in": 3600,
  "jti": "c35e5c2a-081b-417f-82c5-2708781816d6"
}

Server-side OAuth 2.0 tokens

Access tokens

Server-side OAuth 2.0 access tokens are created when the one-to-one scheme is used.

They are used in all OAuth 2.0 and OIDC flows and are issued when the OAuth 2.0 provider uses server-side tokens.

These tokens are typically short-lived.

Refresh tokens

Server-side OAuth 2.0 refresh tokens are created when the one-to-one scheme is used.

They are used in the OAuth 2.0 authorization code grant and resource owner password credentials flows and in the OIDC authorization code and hybrid flows. They are issued when the OAuth 2.0 provider uses server-side tokens.

These tokens are often long-lived and exchanged for access tokens by clients.

LDAP attributes

LDAP attribute Server-side OAuth 2.0 access token Server-side OAuth 2.0 refresh token

coreTokenUserId

coreTokenType

OAUTH

OAUTH

coreTokenString01

scopes

scopes

coreTokenString02

coreTokenString03

user

user

coreTokenString04

redirect_uri

redirect_uri

coreTokenString05

coreTokenString06

coreTokenString07

Bearer

Bearer

coreTokenString08

realm

realm

coreTokenString09

client ID

client ID

coreTokenString10

access_token

refresh_token

coreTokenString11

nonce

coreTokenString12

grant type

grant type

coreTokenString13

coreTokenString14

coreTokenString15

grant ID

grant ID

coreTokenString16

Token examples

Server-side OAuth 2.0 access token
dn: coreTokenId=daaa2a39-ffe9-40a0-b0df-71dc6e278628,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenString11: abcdef
coreTokenObject: {"redirectURI":["https://example.com"],"parent":["cafdd8cc-b155-464a-a020-15013532578c"],"clientID":["myClient"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-290"],"tokenName":["access_token"],"userName":["demo"],"authGrantId":["6f10ad62-1be7-4ebe-aeea-81b7c9eb3735"],"nonce":["abcdef"],"expireTime":["1502145569132"],"grant_type":["authorization_code"],"scope":["openid","profile"],"realm":["/myRealm"],"id":["daaa2a39-ffe9-40a0-b0df-71dc6e278628"],"tokenType":["Bearer"],"refreshToken":["21f89047-4bcf-4d62-853b-d4fa22d632e5"]}
coreTokenString12: authorization_code
coreTokenString01: openid,profile
coreTokenString10: access_token
coreTokenString15: 6f10ad62-1be7-4ebe-aeea-81b7c9eb3735
coreTokenString04: https://example.com
coreTokenString05: 21f89047-4bcf-4d62-853b-d4fa22d632e5
coreTokenString02: cafdd8cc-b155-464a-a020-15013532578c
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenExpirationDate: 20240808152103.155Z
coreTokenString09: myClient
coreTokenId: daaa2a39-ffe9-40a0-b0df-71dc6e278628
coreTokenString07: Bearer
coreTokenType: OAUTH
Server-side OAuth 2.0 refresh token
dn: coreTokenId=21f89047-4bcf-4d62-853b-d4fa22d632e5,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"redirectURI":["https://example.com"],"clientID":["myClient"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-289"],"tokenName":["refresh_token"],"authModules":["DataStore"],"userName":["demo"],"authGrantId":["6f10ad62-1be7-4ebe-aeea-81b7c9eb3735"],"acr":[],"expireTime":["1502746769129"],"grant_type":["authorization_code"],"scope":["openid","profile"],"realm":["/myRealm"],"id":["21f89047-4bcf-4d62-853b-d4fa22d632e5"],"tokenType":["Bearer"]}
coreTokenString12: authorization_code
coreTokenString01: openid,profile
coreTokenString10: refresh_token
coreTokenString15: 6f10ad62-1be7-4ebe-aeea-81b7c9eb3735
coreTokenString04: https://example.com
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenExpirationDate: 20240808152103.155Z
coreTokenString09: MyClient
coreTokenId: 21f89047-4bcf-4d62-853b-d4fa22d632e5
coreTokenString07: Bearer
coreTokenType: OAUTH

Other OAuth 2.0 tokens

OIDC operations (OPS) tokens

OIDC OPS tokens provide a link between the OIDC ID token and the user session that generated it. They contain a copy of the user’s SSO token. This can make the token large when used with a realm that uses client-side sessions.

These tokens are issued by the authorization code and implicit flows when the openid scope is requested, and session management is enabled in the OAuth 2.0 provider. You can disable session management in the OAuth 2.0 provider if you don’t use the endSession and checkSession endpoints; disabling session management reduces the load on the CTS.

OAuth 2.0 device code tokens

OAuth 2.0 device code tokens are used to persist the code in the device code flow. The format is the same whether client-side tokens are used or not, and they are typically short-lived.

LDAP attributes

LDAP attribute OIDC OPS token OAuth 2.0 device code token

coreTokenUserId

coreTokenType

OAUTH

OAUTH

coreTokenString01

scopes

coreTokenString02

coreTokenString03

user

coreTokenString04

coreTokenString05

coreTokenString06

coreTokenString07

coreTokenString08

realm

coreTokenString09

client ID

coreTokenString10

device_code

coreTokenString11

coreTokenString12

coreTokenString13

coreTokenString14

device_code

coreTokenString15

coreTokenString16

Token examples

Server-side session realm OPS token
dn: coreTokenId=c23b5787-ace5-43c4-aeb3-369bbf4e07be,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"id":["c23b5787-ace5-43c4-aeb3-369bbf4e07be"],"ops":["AQIC5wM2LY4S...kyNgACUzEAAjAx*"],"expireTime":["1502145569141"]}
coreTokenExpirationDate: 20240808152103.155Z
coreTokenId: c23b5787-ace5-43c4-aeb3-369bbf4e07be
coreTokenType: OAUTH
Client-side session realm OPS token
dn: coreTokenId=938fbe6a-cab6-48fc-ba42-3dbe82af61f3,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"id":["938fbe6a-cab6-48fc-ba42-3dbe82af61f3"],"ops":["AQIC5wM2LY4S...PXN0YXRlbGVzc3JlYWx...kyNgACUzEAAjAx*"],"expireTime":["1502145569471"]}
coreTokenExpirationDate: 20240808152103.155Z
coreTokenId: 938fbe6a-cab6-48fc-ba42-3dbe82af61f3
coreTokenType: OAUTH
Device code token
dn: coreTokenId=501905e0-b350-47d5-92cc-161a4291116f,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"clientID":["myClient"],"expireTime":["1502142269359"],"user_code":["PDRxhXht"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-311"],"scope":["profile"],"tokenName":["device_code"],"response_type":["token"],"realm":["/myRealm"],"id":["501905e0-b350-47d5-92cc-161a4291116f"],"userName":["demo"],"AUTHORIZED":["true"]}
coreTokenString01: profile
coreTokenString10: device_code
coreTokenString14: PDRxhXht
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenExpirationDate: 20240808152103.155Z
coreTokenString09: myClient
coreTokenId: 501905e0-b350-47d5-92cc-161a4291116f
coreTokenType: OAUTH

SAML 2.0 tokens

SAML 2.0 tokens

SAML 2.0 tokens are only saved to the CTS when SAML 2.0 failover is enabled, which it is by default.

Assertion tokens

Assertions are saved to the CTS when SAML 2.0 failover is enabled, the Assertion Cache is enabled for the IdP, and AM is acting as the IdP.

AuthnRequest tokens

AuthnRequests are saved to the CTS when SAML 2.0 failover is enabled and AM is acting as the SP.

The coreTokenObject can be either JSON or a base64 encoded string.

LDAP attributes

LDAP attribute SAML 2.0 token SAML 2.0 assertion token SAML 2.0 AuthnRequest token

coreTokenUserId

coreTokenType

SAML2

SAML2

SAML2

coreTokenString01

com.sun.identity.saml2.profile.IDPSessionCopy

java.lang.String

com.sun.identity.saml2.profile.AuthnRequestInfoCopy

coreTokenString02

coreTokenString03

coreTokenString04

coreTokenString05

coreTokenString06

coreTokenString07

coreTokenString08

coreTokenString09

coreTokenString10

coreTokenString11

coreTokenString12

coreTokenString13

coreTokenString14

coreTokenString15

coreTokenString16

Token examples

SAML 2.0 token
dn: coreTokenId=733237633231656432303961383835626662623039343434653564666532323964366632376466343032,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenId: 733237633231656432303961383835626662623039343434653564666532323964366632376466343032
coreTokenType: SAML2
coreTokenExpirationDate: 20240808152103.155Z
coreTokenObject:: eyJkb0xvZ291dEFsbCI6ZmFsc2UsIm1ldGFBbGlhcyI6Ii9pZHAiLCJuYW1lSURhbmRTUHBhaXJzIjpbeyJuYW1lSUQiOnsiQGNsYXNzIjoiY29tLnN1bi5pZGVudGl0eS5zYW1sMi5hc3NlcnRpb24uaW1wbC5OYW1lSURJbXBsIiwiZm9ybWF0IjoidXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6cGVyc2lzdGVudCIsImlzTXV0YWJsZSI6dHJ1ZSwibmFtZVF1YWxpZmllciI6Imh0dHBzOi8vaWRwLmV4YW1wbGUuY29tOjQ0My9pZHAiLCJzcE5hbWVRdWFsaWZpZXIiOiJodHRwczovL3NwLmV4YW1wbGUuY29tOjg0NDMvc3AiLCJzcFByb3ZpZGVkSUQiOm51bGwsInZhbHVlIjoiK3h4dXQxc3BCR0lWUWJLMDJMbHBNTUhDS1loVyJ9LCJzcEVudGl0eUlEIjoiaHR0cHM6Ly9zcC5leGFtcGxlLmNvbTo4NDQzL3NwIn1dLCJvcmlnaW5hdGluZ0xvZ291dFJlcXVlc3RCaW5kaW5nIjpudWxsLCJvcmlnaW5hdGluZ0xvZ291dFJlcXVlc3RJRCI6bnVsbCwib3JpZ2luYXRpbmdMb2dvdXRTUEVudGl0eUlEIjpudWxsLCJwZW5kaW5nTG9nb3V0UmVxdWVzdElEIjpudWxsLCJzc29Ub2tlbklEIjoiVWxNY0luVlVfR1VnWEdHbTdwTTA0R2h1WHdvLipBQUpUU1FBQ01ETUFBbE5MQUJ4dldYTlNkbTE0U1cxVUszUnpOVkJLVjFwcU5FODJaVGxxYWpnOUFBUjBlWEJsQUFORFZGTUFBbE14QUFJd01nLi4qIn0
coreTokenString01: com.sun.identity.saml2.profile.IDPSessionCopy

If the coreTokenObject is a string, you can base64 decode it. For example, the above string decodes as follows:

{
   "doLogoutAll":false,
   "metaAlias":"/idp",
   "nameIDandSPpairs":[
      {
         "nameID":{
            "@class":"com.sun.identity.saml2.assertion.impl.NameIDImpl",
            "format":"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
            "isMutable":true,
            "nameQualifier":"https://idp.example.com:443/idp",
            "spNameQualifier":"https://sp.example.com:8443/sp",
            "spProvidedID":null,
            "value":"+xxut1spBGIVQbK02LlpMMHCKYhW"
         },
         "spEntityID":"https://sp.example.com:8443/sp"
      }
   ],
   "originatingLogoutRequestBinding":null,
   "originatingLogoutRequestID":null,
   "originatingLogoutSPEntityID":null,
   "pendingLogoutRequestID":null,
   "ssoTokenID":"UlMcInVU_GUgXGGm7pM04GhuXwo.*AAJTSQACMDMAAlNLABxvWXNSdm14SW1UK3RzNVBKV1pqNE82ZTlqajg9AAR0eXBlAANDVFMAAlMxAAIwMg..*"
}
Assertion token
dn: coreTokenId=4141514141465630674d52516d69643478435642777932316a714463507a5733566f62703738524a624b36523866755737303567545070624d44453d,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
control: 1.3.6.1.4.1.36733.2.1.5.1 false: bcb3efeb-14a9-47be-8716-9c18918322c8-19593/8
changetype: add
objectClass: frCoreToken
objectClass: top
coreTokenId: 4141514141465630674d52516d69643478435642777932316a714463507a5733566f62703738524a624b36523866755737303567545070624d44453d
coreTokenExpirationDate: 20240808152103.155Z
coreTokenType: SAML2
coreTokenObject: "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"s2d254cb2c6567979aa293a25d1e0c2c185c976524\" Version=\"2.0\" IssueInstant=\"2024-08-08T14:21:36Z\" Destination=\"https://sp.example.com:8443/am/Consumer/metaAlias/sp\"><saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">IdP</saml:Issuer><samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n<samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\">\n</samlp:StatusCode>\n</samlp:Status><saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" Version=\"2.0\" ID=\"s2f4d9640d71d59c81f145d17cdb738c8ff4d9e5fc\" IssueInstant=\"2024-08-08T14:21:36Z\">\n<saml:Issuer>IdP</saml:Issuer><saml:Subject>\n<saml:NameID NameQualifier=\"IdP\" SPNameQualifier=\"SP\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\">L+OjhuzCtalCRDSox+F3eMcjxjt2</saml:NameID><saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\">\n<saml:SubjectConfirmationData NotOnOrAfter=\"2024-08-08T14:21:36Z\" Recipient=\"https://sp.example.com:8443/am/Consumer/metaAlias/sp\" ></saml:SubjectConfirmationData></saml:SubjectConfirmation>\n</saml:Subject><saml:Conditions NotBefore=\"2024-08-08T14:21:36Z\" NotOnOrAfter=\"2024-08-08T14:21:36Z\">\n<saml:AudienceRestriction>\n<saml:Audience>SP</saml:Audience>\n</saml:AudienceRestriction>\n</saml:Conditions>\n<saml:AuthnStatement AuthnInstant=\"2024-08-08T14:21:36Z\" SessionIndex=\"s251a8cdd305404bdf8a4d493860732c2f75842f01\"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>\n</samlp:Response>"
coreTokenString01: java.lang.String
AuthnRequest token
dn: coreTokenId=733230323466363833626637636133316239333932316532616263653035616164656531323931613964,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: frCoreToken
objectClass: top
coreTokenExpirationDate: 20240808152103.155Z
coreTokenId: 733230323466363833626637636133316239333932316532616263653035616164656531323931613964
coreTokenObject: {"authnRequest":"<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"s2024f683bf7ca31b93921e2abce05aadee1291a9d\" Version=\"2.0\" IssueInstant=\"2024-08-08T14:21:36Z\" Destination=\"https://idp.example.com:443/am/SSORedirect/metaAlias/idp\" ForceAuthn=\"false\" IsPassive=\"false\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"https://openam.example.com:8443/openam/Consumer/metaAlias/sp\">\n<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">https://openam.example.com:8443/openam</saml:Issuer>\n<samlp:NameIDPolicy xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\" SPNameQualifier=\"https://openam.example.com:8443/openam\" AllowCreate=\"true\"></samlp:NameIDPolicy>\n<samlp:RequestedAuthnContext xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Comparison=\"exact\"><saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>\n</samlp:AuthnRequest>","idpEntityID":"myIdP","paramsMap":{"binding":["HTTP-POST"]},"realm":"/myRealm","relayState":null,"spEntityID":"mySP"}
coreTokenString01: com.sun.identity.saml2.profile.AuthnRequestInfoCopy
coreTokenType: SAML2

Session tokens

Session tokens

The server-side session token is created in the CTS when a user authenticates to a realm configured for server-side sessions. This token allows a user to remain authenticated, even when the AM instance they authenticated to has been shut down.

Session denylist tokens

The client-side session denylist token keeps a record of client-side sessions that were ended by logging out. This token is only created when client-side sessions denylisting is enabled.

LDAP attributes

LDAP attribute Server-side session token Client-side session denylist token

coreTokenUserId

AM internal user DN

coreTokenType

SESSION

SESSION_BLACKLIST

coreTokenString01

server id

coreTokenString02

coreTokenString03

coreTokenString04

coreTokenString05

session token

coreTokenString06

session handle

coreTokenString07

coreTokenString08

coreTokenString09

coreTokenString10

coreTokenString11

realm

coreTokenString12

coreTokenString13

coreTokenString14

coreTokenString15

coreTokenString16

coreTokenMultiString01

listeners

Token examples

Server-side session token
dn: coreTokenId=-8288022266790569769,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenString11: /myRealm
coreTokenObject: {"clientDomain":"dc=example,dc=com","clientID":"id=amadmin,ou=user,dc=example,dc=com","cookieMode":true,"cookieStr":null,"creationTimeInMillis":1502229535517,"isSessionUpgrade":false,"listeners":{"9d16b2e1-50c2-43f8-86ce-97a67be1661a":true,"4bd2e5b4-22c8-4172-a2a6-b9f028e86dc8":true},"maxCachingTimeInMinutes":3,"maxIdleTimeInMinutes":30,"maxSessionTimeInMinutes":120,"restrictedTokensBySessionID":{},"sessionEventURLs":{},"sessionID":{"comingFromAuth":false,"cookieMode":null,"encryptedString":"AQIC5wM2LY4S...kyNgACUzEAAjAx*","sessionDomain":"dc=example,dc=com","sessionServer":"am.example.com","sessionServerID":"01","sessionServerPort":"8443","sessionServerProtocol":"https","sessionServerURI":"/am"},"sessionProperties":{"Locale":"en","authInstant":"2024-08-08T15:21:03Z","Organization":"dc=example,dc=com","UserProfile":"Required","Principals":"amadmin","successURL":"/am/console","CharSet":"UTF8","Service":"ldapService","Host":"192.0.2.0","cookieSupport":"true","FullLoginURL":"/am/UI/Login?realm=%2FmyRealm","AuthLevel":"0","clientType":"genericHTML","AMCtxId":"77a740625b90bc6301","loginURL":"/am/UI/Login","UserId":"amadmin","AuthType":"DataStore","sun.am.UniversalIdentifier":"id=amadmin,ou=user,dc=example,dc=com","amlbcookie":"01","HostName":"192.0.2.0","Principal":"id=amadmin,ou=user,dc=example,dc=com","UserToken":"amadmin"},"sessionState":"VALID","sessionType":"USER","timedOutTimeInSeconds":0}
coreTokenInteger07: 30
coreTokenString12: 1502229535517
coreTokenInteger06: 120
coreTokenString04: 1502229797863
coreTokenString05: AQIC5wM2LY4S...kyNgACUzEAAjAx*
coreTokenMultiString01: 9d16b2e1-50c2-43f8-86ce-97a67be1661a
coreTokenMultiString01: 4bd2e5b4-22c8-4172-a2a6-b9f028e86dc8
coreTokenExpirationDate: 20240808152103.155Z
coreTokenUserId: id=amadmin,ou=user,dc=example,dc=com
coreTokenId: -8288022266790569769
coreTokenString06: shandle:AQIC5wM2LY4S...kyNgACUzEAAjAx*
coreTokenType: SESSION
Client-side denylist token
dn: coreTokenId=7fac1a04-f358-4ed5-958b-48aac6dd5a34,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenString01: 01
coreTokenDate01: 20240808142103.155Z
coreTokenExpirationDate:20240808152103.155Z
coreTokenId: 7fac1a04-f358-4ed5-958b-48aac6dd5a34
coreTokenType: SESSION_BLACKLIST

Notification tokens

The notification token provides alerts for session changes, such as when the maximum session time is reached or there is an active logout. This notification system is used by Agents and PingGateway over WebSockets to receive notifications about these session changes.

LDAP attributes

LDAP attribute Notification token

coreTokenUserId

coreTokenType

NOTIFICATION

coreTokenString01

coreTokenString02

coreTokenString03

coreTokenString04

coreTokenString05

coreTokenString06

coreTokenString07

coreTokenString08

coreTokenString09

coreTokenString10

coreTokenString11

coreTokenString12

coreTokenString13

coreTokenString14

coreTokenString15

coreTokenString16

Token example

Notification token
dn: coreTokenId=b66384d2-4792-8bb1-f59f-aa5cff6f2e6c-5460,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: frCoreToken
objectClass: top
coreTokenExpirationDate: 20240808152103.155Z
coreTokenId: b36284d2-f59f-4692-8bb1-aa5cff6f2e6c-5460
coreTokenObject:: eJyLrlYqyS/ITFayUtJPTE/NK9EvTi0uzszPU9JRSs7PKwGKKFlVK0EFSzNTgAqTjM2MLExSjHTTTC3TdE3MLI10LZKSDHUTE02T09LM0oxSzZJ1TcxNDYBmpJYBTQipLEgF6vPxd/cPDVGqrY0FAOjbJRI=
coreTokenType: NOTIFICATION