CTS token types
The Core Token Service (CTS) uses a generic LDAP schema for all token types.
The following sections provide information about the different token types, including what LDAP attributes they use, the data stored in those attributes, and example token formats:
You can use this information to query the CTS using LDAP searches. For example, if you want to list user OAuth 2.0 refresh tokens, you can filter on |
OAuth 2.0 grant-set tokens
OAuth 2.0 grant-set tokens are created when the grant-set scheme is used.
The grant-set acts as a container for all authorizations:
-
Client-side access code tokens and grant tokens.
-
Server-side access code tokens, access tokens, and refresh tokens.
LDAP attributes
LDAP attribute | OAuth 2.0 grant-set token |
---|---|
coreTokenUserId |
|
coreTokenType |
|
coreTokenString01 |
|
coreTokenString02 |
|
coreTokenString03 |
user |
coreTokenString04 |
|
coreTokenString05 |
|
coreTokenString06 |
|
coreTokenString07 |
|
coreTokenString08 |
realm |
coreTokenString09 |
client ID |
coreTokenString10 |
|
coreTokenString11 |
|
coreTokenString12 |
|
coreTokenString13 |
|
coreTokenString14 |
|
coreTokenString15 |
|
coreTokenString16 |
|
coreTokenMultiString03 |
JSON representation of the OAuth 2.0 grant (access codes, refresh tokens, and access tokens)(1) |
(1) The following abbreviations are used in this JSON representation:
-
g
: Unique identifier for the grant in the CTS -
gx
: Grant expiry time -
_s
: Scope -
a
: Authorization code -
ax
: Authorization code expiry time -
asi
: Authentication session ID token -
aati
: Audit tracking ID -
au
: Redirect URI -
ast
: State -
_am
: Authentication node in AM -
_acr
: Authentication context class reference, if applicable -
gt
: Grant type, if applicable
Token examples
Client-side grant-set token
dn: coreTokenId=kOrkxaDZ6fYcUrcE0c3PEMFIGNk,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: frCoreToken
objectClass: top
coreTokenExpirationDate: 20240808152103.155Z
coreTokenId: kOrkxaDZ6fYcUrcE0c3PEMFIGNk
coreTokenMultiString03: {"g":"kOrkxaDZ6fYcUrcE0c3PEMFIGNk.xuPxwKKadXjWvMfKg9WFzvqIOC4","gx":1529062484276,"_s":["openid","profile"],"a":"kOrkxaDZ6fYcUrcE0c3PEMFIGNk.vm6gyeD5t8mF8nTYQ1XQBYTskMo","ax":1528454203638,"aati":"809b87b3-4fad-4ca1-9312-a7f0c669fd6c-34347","ai":true,"au":"https://example.com","asi":"AQIC5w...2NzEz*","ast":"1234","_am":"DataStore","_acr":"0","gt":[]}
coreTokenMultiString03: {"g":"C7mzozs1XJKVvCT63JwQatoI-og.Xf_gOFNZOeGcY6ZLnGxX11N9NKQ","gx":1579098268014,"_s":["read"],"a":"C7mzozs1XJKVvCT63JwQatoI-og.BXUyATQtb9GoyrFvAacc6b20S4A","ax":1578489985511,"aati":"0e4db3cf-14e5-4d44-9f36-8e2fc6ac78a6-15583","ai":true,"an":"123456","au":"https://example.com","asi":"AQIC5w...2NzEz*","ast":"eHI6","_am":"DataStore","_acr":"0","r":"C7mzozs1XJKVvCT63JwQatoI-og.IbiBbTo1bCKelDu4hj5tb_2qbrk","gt":[]}
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenString09: myClient
coreTokenType: OAUTH2_GRANT_SET
Server-side grant-set token
dn: coreTokenId=fx-GTfShtRhmJ89qMNVkxLx339U,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: frCoreToken
objectClass: top
coreTokenExpirationDate: 20240808152103.155Z
coreTokenId: fx-GTfShtRhmJ89qMNVkxLx339U
coreTokenMultiString03: {"g":"fx-GTfShtRhmJ89qMNVkxLx339U.BwOWUGadbho7rKgCYj5Uq1XuRPc","gx":0,"_s":["openid","profile"],"a":"fx-GTfShtRhmJ89qMNVkxLx339U.0g7urZwlwyK_5gUOlC49t4PVUPo","ax":1540546982500,"aati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537161","ai":true,"au":"https://example.com","asi":"AQIC5w...2NzEz*","ast":"1234","_am":"DataStore","_acr":"0","r":"fx-GTfShtRhmJ89qMNVkxLx339U.vXS04FRzuWulPMomSoVDnZvj-6s","rx":1541151662549,"rgt":"authorization_code","rtt":"Bearer","rtn":"refresh_token","rati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537554","ro":"jS474J1xvNZwD-uLeJJeTDWjAzI","_at":1540546862,"_al":0,"gt":[{"t":"fx-GTfShtRhmJ89qMNVkxLx339U.SGEDFJ5BkuuKXKHVeV24_IzoHRg","tx":1540550462814,"tgt":"authorization_code","ts":["openid","profile"],"ttn":"access_token","tati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537841","tck":null}]}
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenString09: myClient
coreTokenType: OAUTH2_GRANT_SET
Client-side OAuth 2.0 tokens
- Access code tokens
-
Client-side access code tokens are created when the one-to-one scheme is used.
They are used in the OAuth 2.0 authorization code flow and in the OIDC authorization code and hybrid flows. They provide the state for the code used by the client to retrieve an access token.
Additionally, the value of the access code is used to form the unique identity of the subsequent grant token.
- OAuth 2.0 grant tokens
-
Client-side OAuth 2.0 grant tokens are created when the one-to-one scheme is used.
They replace individual access and refresh tokens with a single token indicating that a grant took place. This prevents additional data from being written to the CTS when a new access token is issued based on an existing refresh token with an existing grant ID. They use the grant ID value from the preceding access code if this token was generated with the OAuth 2.0 authorization code flow.
The grant ID in the client-side OAuth 2.0 JWT matches the DN of the token in the CTS.
LDAP attributes
LDAP attribute | Client-side access code token | Client-side OAuth 2.0 grant token |
---|---|---|
coreTokenUserId |
user |
|
coreTokenType |
|
|
coreTokenString01 |
scopes |
|
coreTokenString02 |
||
coreTokenString03 |
user |
|
coreTokenString04 |
redirect_uri |
client ID |
coreTokenString05 |
||
coreTokenString06 |
|
scope |
coreTokenString07 |
|
|
coreTokenString08 |
realm |
|
coreTokenString09 |
client ID |
|
coreTokenString10 |
|
|
coreTokenString11 |
nonce |
realm |
coreTokenString12 |
jti |
|
coreTokenString13 |
||
coreTokenString14 |
||
coreTokenString15 |
grant ID |
|
coreTokenString16 |
Token examples
Client-side access code token
dn: coreTokenId=4e915f7a-08ec-4c65-915f-2256d6c3a503,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"redirectURI":["https://example.com"],"clientID":["myClient"],"ssoTokenId":["AQIC5w...2NzEz*"],"auditTrackingId":["a7180708-c39b-4f92-90ea-b2b8bb79ec75-83912"],"tokenName":["access_code"],"authModules":["DataStore"],"code_challenge_method":[],"userName":["demo"],"nonce":["abcdef"],"authGrantId":["f58f19f9-7f3f-43db-be90-466643414143"],"acr":[],"expireTime":["1523281431770"],"scope":["openid","profile"],"claims":[null],"realm":["/myRealm"],"id":["4e915f7a-08ec-4c65-915f-2256d6c3a503"],"state":[],"tokenType":["Bearer"],"code_challenge":[],"issued":["true"]}
coreTokenString11: abcdef
coreTokenString01: openid,profile
coreTokenString10: access_code
coreTokenString04: https://example.com
coreTokenString15: f58f19f9-7f3f-43db-be90-466643414143
coreTokenString03: demo
coreTokenExpirationDate: 20240808152103.155Z
coreTokenString08: /myRealm
coreTokenString09: myClient
coreTokenId: 4e915f7a-08ec-4c65-915f-2256d6c3a503
coreTokenString06: true
coreTokenString07: Bearer
coreTokenType: OAUTH
Client-side OAuth 2.0 grant token
dn: coreTokenId=f58f19f9-7f3f-43db-be90-466643414143,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {}
coreTokenString11: /myRealm
coreTokenString04: myClient
coreTokenExpirationDate: 20240808152103.155Z
coreTokenUserId: demo
coreTokenId: f58f19f9-7f3f-43db-be90-466643414143
coreTokenString06: openid,profile
coreTokenType: OAUTH2_STATELESS_GRANT
An example access token issued from this CTS grant token:
{
"sub": "demo",
"auth_level": 0,
"auditTrackingId": "610b705d-51a9-43e1-b59a-47b372b9d3ae",
"iss": "https://openam.example.com:8443/openam/oauth2/myRealm",
"tokenName": "access_token",
"token_type": "Bearer",
"authGrantId": "f58f19f9-7f3f-43db-be90-466643414143",
"nonce": "abcdef",
"aud": "myClient",
"nbf": 1523281312,
"grant_type": "authorization_code",
"scope": [
"openid",
"profile"
],
"auth_time": 1523281311000,
"realm": "/myRealm",
"exp": 1523284912,
"iat": 1523281312,
"expires_in": 3600,
"jti": "c35e5c2a-081b-417f-82c5-2708781816d6"
}
Server-side OAuth 2.0 tokens
- Access tokens
-
Server-side OAuth 2.0 access tokens are created when the one-to-one scheme is used.
They are used in all OAuth 2.0 and OIDC flows and are issued when the OAuth 2.0 provider uses server-side tokens.
These tokens are typically short-lived.
- Refresh tokens
-
Server-side OAuth 2.0 refresh tokens are created when the one-to-one scheme is used.
They are used in the OAuth 2.0 authorization code grant and resource owner password credentials flows and in the OIDC authorization code and hybrid flows. They are issued when the OAuth 2.0 provider uses server-side tokens.
These tokens are often long-lived and exchanged for access tokens by clients.
LDAP attributes
LDAP attribute | Server-side OAuth 2.0 access token | Server-side OAuth 2.0 refresh token |
---|---|---|
coreTokenUserId |
||
coreTokenType |
|
|
coreTokenString01 |
scopes |
scopes |
coreTokenString02 |
||
coreTokenString03 |
user |
user |
coreTokenString04 |
redirect_uri |
redirect_uri |
coreTokenString05 |
||
coreTokenString06 |
||
coreTokenString07 |
|
|
coreTokenString08 |
realm |
realm |
coreTokenString09 |
client ID |
client ID |
coreTokenString10 |
|
|
coreTokenString11 |
nonce |
|
coreTokenString12 |
grant type |
grant type |
coreTokenString13 |
||
coreTokenString14 |
||
coreTokenString15 |
grant ID |
grant ID |
coreTokenString16 |
Token examples
Server-side OAuth 2.0 access token
dn: coreTokenId=daaa2a39-ffe9-40a0-b0df-71dc6e278628,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenString11: abcdef
coreTokenObject: {"redirectURI":["https://example.com"],"parent":["cafdd8cc-b155-464a-a020-15013532578c"],"clientID":["myClient"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-290"],"tokenName":["access_token"],"userName":["demo"],"authGrantId":["6f10ad62-1be7-4ebe-aeea-81b7c9eb3735"],"nonce":["abcdef"],"expireTime":["1502145569132"],"grant_type":["authorization_code"],"scope":["openid","profile"],"realm":["/myRealm"],"id":["daaa2a39-ffe9-40a0-b0df-71dc6e278628"],"tokenType":["Bearer"],"refreshToken":["21f89047-4bcf-4d62-853b-d4fa22d632e5"]}
coreTokenString12: authorization_code
coreTokenString01: openid,profile
coreTokenString10: access_token
coreTokenString15: 6f10ad62-1be7-4ebe-aeea-81b7c9eb3735
coreTokenString04: https://example.com
coreTokenString05: 21f89047-4bcf-4d62-853b-d4fa22d632e5
coreTokenString02: cafdd8cc-b155-464a-a020-15013532578c
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenExpirationDate: 20240808152103.155Z
coreTokenString09: myClient
coreTokenId: daaa2a39-ffe9-40a0-b0df-71dc6e278628
coreTokenString07: Bearer
coreTokenType: OAUTH
Server-side OAuth 2.0 refresh token
dn: coreTokenId=21f89047-4bcf-4d62-853b-d4fa22d632e5,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"redirectURI":["https://example.com"],"clientID":["myClient"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-289"],"tokenName":["refresh_token"],"authModules":["DataStore"],"userName":["demo"],"authGrantId":["6f10ad62-1be7-4ebe-aeea-81b7c9eb3735"],"acr":[],"expireTime":["1502746769129"],"grant_type":["authorization_code"],"scope":["openid","profile"],"realm":["/myRealm"],"id":["21f89047-4bcf-4d62-853b-d4fa22d632e5"],"tokenType":["Bearer"]}
coreTokenString12: authorization_code
coreTokenString01: openid,profile
coreTokenString10: refresh_token
coreTokenString15: 6f10ad62-1be7-4ebe-aeea-81b7c9eb3735
coreTokenString04: https://example.com
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenExpirationDate: 20240808152103.155Z
coreTokenString09: MyClient
coreTokenId: 21f89047-4bcf-4d62-853b-d4fa22d632e5
coreTokenString07: Bearer
coreTokenType: OAUTH
Other OAuth 2.0 tokens
- OIDC operations (OPS) tokens
-
OIDC OPS tokens provide a link between the OIDC ID token and the user session that generated it. They contain a copy of the user’s SSO token. This can make the token large when used with a realm that uses client-side sessions.
These tokens are issued by the authorization code and implicit flows when the
openid
scope is requested, and session management is enabled in the OAuth 2.0 provider. You can disable session management in the OAuth 2.0 provider if you don’t use theendSession
andcheckSession
endpoints; disabling session management reduces the load on the CTS. - OAuth 2.0 device code tokens
-
OAuth 2.0 device code tokens are used to persist the code in the device code flow. The format is the same whether client-side tokens are used or not, and they are typically short-lived.
LDAP attributes
LDAP attribute | OIDC OPS token | OAuth 2.0 device code token |
---|---|---|
coreTokenUserId |
||
coreTokenType |
OAUTH |
OAUTH |
coreTokenString01 |
scopes |
|
coreTokenString02 |
||
coreTokenString03 |
user |
|
coreTokenString04 |
||
coreTokenString05 |
||
coreTokenString06 |
||
coreTokenString07 |
||
coreTokenString08 |
realm |
|
coreTokenString09 |
client ID |
|
coreTokenString10 |
|
|
coreTokenString11 |
||
coreTokenString12 |
||
coreTokenString13 |
||
coreTokenString14 |
device_code |
|
coreTokenString15 |
||
coreTokenString16 |
Token examples
Server-side session realm OPS token
dn: coreTokenId=c23b5787-ace5-43c4-aeb3-369bbf4e07be,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"id":["c23b5787-ace5-43c4-aeb3-369bbf4e07be"],"ops":["AQIC5wM2LY4S...kyNgACUzEAAjAx*"],"expireTime":["1502145569141"]}
coreTokenExpirationDate: 20240808152103.155Z
coreTokenId: c23b5787-ace5-43c4-aeb3-369bbf4e07be
coreTokenType: OAUTH
Client-side session realm OPS token
dn: coreTokenId=938fbe6a-cab6-48fc-ba42-3dbe82af61f3,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"id":["938fbe6a-cab6-48fc-ba42-3dbe82af61f3"],"ops":["AQIC5wM2LY4S...PXN0YXRlbGVzc3JlYWx...kyNgACUzEAAjAx*"],"expireTime":["1502145569471"]}
coreTokenExpirationDate: 20240808152103.155Z
coreTokenId: 938fbe6a-cab6-48fc-ba42-3dbe82af61f3
coreTokenType: OAUTH
Device code token
dn: coreTokenId=501905e0-b350-47d5-92cc-161a4291116f,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"clientID":["myClient"],"expireTime":["1502142269359"],"user_code":["PDRxhXht"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-311"],"scope":["profile"],"tokenName":["device_code"],"response_type":["token"],"realm":["/myRealm"],"id":["501905e0-b350-47d5-92cc-161a4291116f"],"userName":["demo"],"AUTHORIZED":["true"]}
coreTokenString01: profile
coreTokenString10: device_code
coreTokenString14: PDRxhXht
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenExpirationDate: 20240808152103.155Z
coreTokenString09: myClient
coreTokenId: 501905e0-b350-47d5-92cc-161a4291116f
coreTokenType: OAUTH
SAML 2.0 tokens
- SAML 2.0 tokens
-
SAML 2.0 tokens are only saved to the CTS when SAML 2.0 failover is enabled, which it is by default.
- Assertion tokens
-
Assertions are saved to the CTS when SAML 2.0 failover is enabled, the Assertion Cache is enabled for the IdP, and AM is acting as the IdP.
- AuthnRequest tokens
-
AuthnRequests are saved to the CTS when SAML 2.0 failover is enabled and AM is acting as the SP.
The coreTokenObject
can be either JSON or a base64 encoded string.
LDAP attributes
LDAP attribute | SAML 2.0 token | SAML 2.0 assertion token | SAML 2.0 AuthnRequest token |
---|---|---|---|
coreTokenUserId |
|||
coreTokenType |
|
|
|
coreTokenString01 |
|
|
|
coreTokenString02 |
|||
coreTokenString03 |
|||
coreTokenString04 |
|||
coreTokenString05 |
|||
coreTokenString06 |
|||
coreTokenString07 |
|||
coreTokenString08 |
|||
coreTokenString09 |
|||
coreTokenString10 |
|||
coreTokenString11 |
|||
coreTokenString12 |
|||
coreTokenString13 |
|||
coreTokenString14 |
|||
coreTokenString15 |
|||
coreTokenString16 |
Token examples
SAML 2.0 token
dn: coreTokenId=733237633231656432303961383835626662623039343434653564666532323964366632376466343032,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenId: 733237633231656432303961383835626662623039343434653564666532323964366632376466343032
coreTokenType: SAML2
coreTokenExpirationDate: 20240808152103.155Z
coreTokenObject:: eyJkb0xvZ291dEFsbCI6ZmFsc2UsIm1ldGFBbGlhcyI6Ii9pZHAiLCJuYW1lSURhbmRTUHBhaXJzIjpbeyJuYW1lSUQiOnsiQGNsYXNzIjoiY29tLnN1bi5pZGVudGl0eS5zYW1sMi5hc3NlcnRpb24uaW1wbC5OYW1lSURJbXBsIiwiZm9ybWF0IjoidXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6cGVyc2lzdGVudCIsImlzTXV0YWJsZSI6dHJ1ZSwibmFtZVF1YWxpZmllciI6Imh0dHBzOi8vaWRwLmV4YW1wbGUuY29tOjQ0My9pZHAiLCJzcE5hbWVRdWFsaWZpZXIiOiJodHRwczovL3NwLmV4YW1wbGUuY29tOjg0NDMvc3AiLCJzcFByb3ZpZGVkSUQiOm51bGwsInZhbHVlIjoiK3h4dXQxc3BCR0lWUWJLMDJMbHBNTUhDS1loVyJ9LCJzcEVudGl0eUlEIjoiaHR0cHM6Ly9zcC5leGFtcGxlLmNvbTo4NDQzL3NwIn1dLCJvcmlnaW5hdGluZ0xvZ291dFJlcXVlc3RCaW5kaW5nIjpudWxsLCJvcmlnaW5hdGluZ0xvZ291dFJlcXVlc3RJRCI6bnVsbCwib3JpZ2luYXRpbmdMb2dvdXRTUEVudGl0eUlEIjpudWxsLCJwZW5kaW5nTG9nb3V0UmVxdWVzdElEIjpudWxsLCJzc29Ub2tlbklEIjoiVWxNY0luVlVfR1VnWEdHbTdwTTA0R2h1WHdvLipBQUpUU1FBQ01ETUFBbE5MQUJ4dldYTlNkbTE0U1cxVUszUnpOVkJLVjFwcU5FODJaVGxxYWpnOUFBUjBlWEJsQUFORFZGTUFBbE14QUFJd01nLi4qIn0
coreTokenString01: com.sun.identity.saml2.profile.IDPSessionCopy
If the coreTokenObject
is a string, you can base64 decode it. For example, the above string decodes as follows:
{
"doLogoutAll":false,
"metaAlias":"/idp",
"nameIDandSPpairs":[
{
"nameID":{
"@class":"com.sun.identity.saml2.assertion.impl.NameIDImpl",
"format":"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
"isMutable":true,
"nameQualifier":"https://idp.example.com:443/idp",
"spNameQualifier":"https://sp.example.com:8443/sp",
"spProvidedID":null,
"value":"+xxut1spBGIVQbK02LlpMMHCKYhW"
},
"spEntityID":"https://sp.example.com:8443/sp"
}
],
"originatingLogoutRequestBinding":null,
"originatingLogoutRequestID":null,
"originatingLogoutSPEntityID":null,
"pendingLogoutRequestID":null,
"ssoTokenID":"UlMcInVU_GUgXGGm7pM04GhuXwo.*AAJTSQACMDMAAlNLABxvWXNSdm14SW1UK3RzNVBKV1pqNE82ZTlqajg9AAR0eXBlAANDVFMAAlMxAAIwMg..*"
}
Assertion token
dn: coreTokenId=4141514141465630674d52516d69643478435642777932316a714463507a5733566f62703738524a624b36523866755737303567545070624d44453d,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
control: 1.3.6.1.4.1.36733.2.1.5.1 false: bcb3efeb-14a9-47be-8716-9c18918322c8-19593/8
changetype: add
objectClass: frCoreToken
objectClass: top
coreTokenId: 4141514141465630674d52516d69643478435642777932316a714463507a5733566f62703738524a624b36523866755737303567545070624d44453d
coreTokenExpirationDate: 20240808152103.155Z
coreTokenType: SAML2
coreTokenObject: "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"s2d254cb2c6567979aa293a25d1e0c2c185c976524\" Version=\"2.0\" IssueInstant=\"2024-08-08T14:21:36Z\" Destination=\"https://sp.example.com:8443/am/Consumer/metaAlias/sp\"><saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">IdP</saml:Issuer><samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n<samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\">\n</samlp:StatusCode>\n</samlp:Status><saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" Version=\"2.0\" ID=\"s2f4d9640d71d59c81f145d17cdb738c8ff4d9e5fc\" IssueInstant=\"2024-08-08T14:21:36Z\">\n<saml:Issuer>IdP</saml:Issuer><saml:Subject>\n<saml:NameID NameQualifier=\"IdP\" SPNameQualifier=\"SP\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\">L+OjhuzCtalCRDSox+F3eMcjxjt2</saml:NameID><saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\">\n<saml:SubjectConfirmationData NotOnOrAfter=\"2024-08-08T14:21:36Z\" Recipient=\"https://sp.example.com:8443/am/Consumer/metaAlias/sp\" ></saml:SubjectConfirmationData></saml:SubjectConfirmation>\n</saml:Subject><saml:Conditions NotBefore=\"2024-08-08T14:21:36Z\" NotOnOrAfter=\"2024-08-08T14:21:36Z\">\n<saml:AudienceRestriction>\n<saml:Audience>SP</saml:Audience>\n</saml:AudienceRestriction>\n</saml:Conditions>\n<saml:AuthnStatement AuthnInstant=\"2024-08-08T14:21:36Z\" SessionIndex=\"s251a8cdd305404bdf8a4d493860732c2f75842f01\"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>\n</samlp:Response>"
coreTokenString01: java.lang.String
AuthnRequest token
dn: coreTokenId=733230323466363833626637636133316239333932316532616263653035616164656531323931613964,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: frCoreToken
objectClass: top
coreTokenExpirationDate: 20240808152103.155Z
coreTokenId: 733230323466363833626637636133316239333932316532616263653035616164656531323931613964
coreTokenObject: {"authnRequest":"<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"s2024f683bf7ca31b93921e2abce05aadee1291a9d\" Version=\"2.0\" IssueInstant=\"2024-08-08T14:21:36Z\" Destination=\"https://idp.example.com:443/am/SSORedirect/metaAlias/idp\" ForceAuthn=\"false\" IsPassive=\"false\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"https://openam.example.com:8443/openam/Consumer/metaAlias/sp\">\n<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">https://openam.example.com:8443/openam</saml:Issuer>\n<samlp:NameIDPolicy xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\" SPNameQualifier=\"https://openam.example.com:8443/openam\" AllowCreate=\"true\"></samlp:NameIDPolicy>\n<samlp:RequestedAuthnContext xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Comparison=\"exact\"><saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>\n</samlp:AuthnRequest>","idpEntityID":"myIdP","paramsMap":{"binding":["HTTP-POST"]},"realm":"/myRealm","relayState":null,"spEntityID":"mySP"}
coreTokenString01: com.sun.identity.saml2.profile.AuthnRequestInfoCopy
coreTokenType: SAML2
Session tokens
- Session tokens
-
The server-side session token is created in the CTS when a user authenticates to a realm configured for server-side sessions. This token allows a user to remain authenticated, even when the AM instance they authenticated to has been shut down.
- Session denylist tokens
-
The client-side session denylist token keeps a record of client-side sessions that were ended by logging out. This token is only created when client-side sessions denylisting is enabled.
LDAP attributes
LDAP attribute | Server-side session token | Client-side session denylist token |
---|---|---|
coreTokenUserId |
AM internal user DN |
|
coreTokenType |
|
|
coreTokenString01 |
server id |
|
coreTokenString02 |
||
coreTokenString03 |
||
coreTokenString04 |
||
coreTokenString05 |
session token |
|
coreTokenString06 |
session handle |
|
coreTokenString07 |
||
coreTokenString08 |
||
coreTokenString09 |
||
coreTokenString10 |
||
coreTokenString11 |
realm |
|
coreTokenString12 |
||
coreTokenString13 |
||
coreTokenString14 |
||
coreTokenString15 |
||
coreTokenString16 |
||
coreTokenMultiString01 |
listeners |
Token examples
Server-side session token
dn: coreTokenId=-8288022266790569769,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenString11: /myRealm
coreTokenObject: {"clientDomain":"dc=example,dc=com","clientID":"id=amadmin,ou=user,dc=example,dc=com","cookieMode":true,"cookieStr":null,"creationTimeInMillis":1502229535517,"isSessionUpgrade":false,"listeners":{"9d16b2e1-50c2-43f8-86ce-97a67be1661a":true,"4bd2e5b4-22c8-4172-a2a6-b9f028e86dc8":true},"maxCachingTimeInMinutes":3,"maxIdleTimeInMinutes":30,"maxSessionTimeInMinutes":120,"restrictedTokensBySessionID":{},"sessionEventURLs":{},"sessionID":{"comingFromAuth":false,"cookieMode":null,"encryptedString":"AQIC5wM2LY4S...kyNgACUzEAAjAx*","sessionDomain":"dc=example,dc=com","sessionServer":"am.example.com","sessionServerID":"01","sessionServerPort":"8443","sessionServerProtocol":"https","sessionServerURI":"/am"},"sessionProperties":{"Locale":"en","authInstant":"2024-08-08T15:21:03Z","Organization":"dc=example,dc=com","UserProfile":"Required","Principals":"amadmin","successURL":"/am/console","CharSet":"UTF8","Service":"ldapService","Host":"192.0.2.0","cookieSupport":"true","FullLoginURL":"/am/XUI?realm=%2FmyRealm","AuthLevel":"0","clientType":"genericHTML","AMCtxId":"77a740625b90bc6301","loginURL":"/am/XUI","UserId":"amadmin","AuthType":"DataStore","sun.am.UniversalIdentifier":"id=amadmin,ou=user,dc=example,dc=com","amlbcookie":"01","HostName":"192.0.2.0","Principal":"id=amadmin,ou=user,dc=example,dc=com","UserToken":"amadmin"},"sessionState":"VALID","sessionType":"USER","timedOutTimeInSeconds":0}
coreTokenInteger07: 30
coreTokenString12: 1502229535517
coreTokenInteger06: 120
coreTokenString04: 1502229797863
coreTokenString05: AQIC5wM2LY4S...kyNgACUzEAAjAx*
coreTokenMultiString01: 9d16b2e1-50c2-43f8-86ce-97a67be1661a
coreTokenMultiString01: 4bd2e5b4-22c8-4172-a2a6-b9f028e86dc8
coreTokenExpirationDate: 20240808152103.155Z
coreTokenUserId: id=amadmin,ou=user,dc=example,dc=com
coreTokenId: -8288022266790569769
coreTokenString06: shandle:AQIC5wM2LY4S...kyNgACUzEAAjAx*
coreTokenType: SESSION
Client-side denylist token
dn: coreTokenId=7fac1a04-f358-4ed5-958b-48aac6dd5a34,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenString01: 01
coreTokenDate01: 20240808142103.155Z
coreTokenExpirationDate:20240808152103.155Z
coreTokenId: 7fac1a04-f358-4ed5-958b-48aac6dd5a34
coreTokenType: SESSION_BLACKLIST
Notification tokens
The notification token provides alerts for session changes, such as when the maximum session time is reached or there is an active logout. This notification system is used by Agents and PingGateway over WebSockets to receive notifications about these session changes.
LDAP attributes
LDAP attribute | Notification token |
---|---|
coreTokenUserId |
|
coreTokenType |
|
coreTokenString01 |
|
coreTokenString02 |
|
coreTokenString03 |
|
coreTokenString04 |
|
coreTokenString05 |
|
coreTokenString06 |
|
coreTokenString07 |
|
coreTokenString08 |
|
coreTokenString09 |
|
coreTokenString10 |
|
coreTokenString11 |
|
coreTokenString12 |
|
coreTokenString13 |
|
coreTokenString14 |
|
coreTokenString15 |
|
coreTokenString16 |
Token example
Notification token
dn: coreTokenId=b66384d2-4792-8bb1-f59f-aa5cff6f2e6c-5460,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: frCoreToken
objectClass: top
coreTokenExpirationDate: 20240808152103.155Z
coreTokenId: b36284d2-f59f-4692-8bb1-aa5cff6f2e6c-5460
coreTokenObject:: eJyLrlYqyS/ITFayUtJPTE/NK9EvTi0uzszPU9JRSs7PKwGKKFlVK0EFSzNTgAqTjM2MLExSjHTTTC3TdE3MLI10LZKSDHUTE02T09LM0oxSzZJ1TcxNDYBmpJYBTQipLEgF6vPxd/cPDVGqrY0FAOjbJRI=
coreTokenType: NOTIFICATION