PingAM 7.5.0

Services configuration

You can configure services in AM in two places:

  • Under Configure > Global Services, you can set defaults for a range of AM services. These services affect all the realms in AM.

  • Under Realms > Realm Name > Services, you can enable, remove, or configure different services for the realm.

Android Key Attestation Service

Realm defaults

The following settings appear on the Realm Defaults tab:

Certificate revocation status list URL

The URL to retrieve the certificate revocation status list (CRL).

Keys are checked against the revocation status list to ensure they have not been revoked or suspended.

Keys can be revoked for a number of reasons, including mishandling or suspected extraction by an attacker.

Defaults to the list maintained by Google at https://android.googleapis.com/attestation/status.

Google hardware attestation root certificate URL

The URL for retrieving the Google hardware attestation root certificates.

Refer to Verifying hardware-backed key pairs with Key Attestation in the Android developer documentation.

If you don’t provide a URL, you must map the certificate using the secret label am.services.attestation.google.public.key.

For more information, refer to Map and rotate secrets.

Cache duration (hours)

The number of hours to cache the certificate revocation status list and Google hardware attestation root certificate.

Defaults to one day (24).

Specify 0 to prevent caching.

Audit logging

amster service name: audit

Global attributes

The following settings appear on the Global Attributes tab:

Audit logging

Enable audit logging in AM.

Default value: true

amster attribute: auditEnabled

Field whitelist filters

AM has a predefined allowlist that only records values that do not contain sensitive information. Use this property to allowlist fields in addition to the built-in list.

Each field filter should be provided using a JSON Pointer-like syntax which is prefixed with the event’s topic. The topic will be one of access, activity, authentication, or config.

For example, to record the values of the Accept-Language HTTP header in access events, the pointer is /access/http/request/headers/accept-language.

amster attribute: whitelistFieldFilters

Field blacklist filters

Denylist filters can be used to remove audit event fields which are allowlisted by default. These are fields which are safe to log but which you have decided are not necessary for your requirements.

Each field filter should be provided using a JSON Pointer-like syntax which is prefixed with the event’s topic. The topic will be one of access, activity, authentication, or config.

For example, you might want to filter out surnames by hiding the sn field from activity events. To do so, add the following pointers to the Field blacklist filters list:

  • /activity/before/sn

  • /activity/after/sn

amster attribute: blacklistFieldFilters

Realm defaults

The following settings appear on the Realm Defaults tab:

Audit logging

Enable audit logging in AM.

Default value: true

amster attribute: auditEnabled

Field whitelist filters

AM has a predefined allowlist that only records values that do not contain sensitive information. Use this property to allowlist fields in addition to the built-in list.

Each field filter should be provided using a JSON Pointer-like syntax which is prefixed with the event’s topic. The topic will be one of access, activity, authentication, or config.

For example, to record the values of the Accept-Language HTTP header in access events, the pointer is /access/http/request/headers/accept-language.

amster attribute: whitelistFieldFilters

Field blacklist filters

Denylist filters can be used to remove audit event fields which are allowlisted by default. These are fields which are safe to log but which you have decided are not necessary for your requirements.

Each field filter should be provided using a JSON Pointer-like syntax which is prefixed with the event’s topic. The topic will be one of access, activity, authentication, or config.

For example, you might want to filter out surnames by hiding the sn field from activity events. To do so, add the following pointers to the Field blacklist filters list:

  • /activity/before/sn

  • /activity/after/sn

amster attribute: blacklistFieldFilters

Secondary configurations

This service has the following secondary configurations.

JMS

A configured secondary instance of the JMS type has the following tabs:

General handler configuration

The General Handler Configuration tab contains the following secondary configuration properties:

Enabled

Enables or disables an audit event handler.

Default value: true

amster attribute: enabled

Topics

List of topics handled by an audit event handler.

Default value:

access
activity
config
authentication

amster attribute: topics

Audit event handler factory

The Audit Event Handler Factory tab contains the following secondary configuration properties:

Factory Class Name

The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement org.forgerock.openam.audit.AuditEventHandlerFactory.

Default value: org.forgerock.openam.audit.events.handlers.JmsAuditEventHandlerFactory

amster attribute: handlerFactory

JMS configuration

The JMS Configuration tab contains the following secondary configuration properties:

Delivery Mode

Specifies whether JMS messages used to transmit audit events use persistent or non-persistent delivery.

With persistent delivery, the JMS provider ensures that messages are not lost in transit in case of a provider failure by logging messages to storage when they are sent.

Specify the delivery mode as persistent if it is unacceptable for delivery of audit events to be lost in JMS transit. If the possible loss of audit events is acceptable, choose non-persistent delivery, which provides better performance.

Default value: NON_PERSISTENT

amster attribute: deliveryMode

Session Mode

Specifies the JMS session acknowledgement mode.

The following values are supported:

  • AUTO. Auto mode guarantees once-only delivery of JMS messages used to transmit audit events.

  • CLIENT. Client mode does not ensure delivery.

  • DUPS_OK. Duplicates OK mode ensures that messages are delivered at least once.

Use the default setting unless your JMS broker implementation requires otherwise. See your broker documentation for more information.

Default value: AUTO

amster attribute: sessionMode

JNDI Context Properties

Specifies JNDI properties that AM uses to connect to the JMS message broker to which AM will publish audit events.

AM acts as a JMS client, using a JMS connection factory to connect to your JMS message broker. In order for AM to connect to the broker, the JNDI context properties must conform to those needed by the broker. See the documentation for your JMS message broker for required values.

The default properties are example properties for connecting to Apache ActiveMQ.

Default value:

{
    "java.naming.factory.initial": "org.apache.activemq.jndi.ActiveMQInitialContextFactory",
    "topic.audit": "audit",
    "java.naming.provider.url": "tcp://localhost:61616"
}

amster attribute: jndiContextProperties

JMS Topic Name

JNDI lookup name for the JMS topic

Default value: audit

amster attribute: jndiTopicName

JMS Connection Factory Name

Specifies the JNDI lookup name for the connection factory exposed by your JMS message broker. AM performs a JNDI lookup on this name to locate your broker’s connection factory.

See the documentation for your JMS message broker for the required value.

The default is the connection factory name for Apache ActiveMQ.

Default value: ConnectionFactory

amster attribute: jndiConnectionFactoryName

Batch events

The Batch Events tab contains the following secondary configuration properties:

Capacity

Maximum event count in the batch queue; additional events are dropped.

Default value: 1000

amster attribute: batchCapacity

Max Batched

Maximum number of events per batch.

Default value: 100

amster attribute: maxBatchedEvents

Writing Interval

The interval (in seconds) for reading events from the buffer to transmit via jms.

Default value: 10

amster attribute: pollTimeoutSec

JSONStdout

A configured secondary instance of the JSONStdout type has the following tabs:

General handler configuration

The General Handler Configuration tab contains the following secondary configuration properties:

Enabled

Enables or disables an audit event handler.

Default value: true

amster attribute: enabled

Topics

List of topics handled by an audit event handler.

Default value:

access
activity
config
authentication

amster attribute: topics

Audit event handler factory

The Audit Event Handler Factory tab contains the following secondary configuration properties:

Factory Class Name

The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement org.forgerock.openam.audit.AuditEventHandlerFactory.

Default value: org.forgerock.openam.audit.events.handlers.JsonStdoutAuditEventHandlerFactory

amster attribute: handlerFactory

JSON configuration

The JSON Configuration tab contains the following secondary configuration properties:

ElasticSearch JSON Format Compatible

JSON format should be transformed to be compatible with ElasticSearch format restrictions.

Default value: false

amster attribute: elasticsearchCompatible

Elasticsearch

A configured secondary instance of the Elasticsearch type has the following tabs:

General handler configuration

The General Handler Configuration tab contains the following secondary configuration properties:

Enabled

Enables or disables an audit event handler.

Default value: true

amster attribute: enabled

Topics

List of topics handled by an audit event handler.

Default value:

access
activity
config
authentication

amster attribute: topics

Audit event handler factory

The Audit Event Handler Factory tab contains the following secondary configuration properties:

Factory Class Name

The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement org.forgerock.openam.audit.AuditEventHandlerFactory.

Default value: org.forgerock.openam.audit.events.handlers.ElasticsearchAuditEventHandlerFactory

amster attribute: handlerFactory

Elasticsearch configuration

The Elasticsearch Configuration tab contains the following secondary configuration properties:

Server Hostname

Host name or IP address of the Elasticsearch server.

amster attribute: host

Server Port

Specifies the port number used to access Elasticsearch’s REST API.

amster attribute: port

SSL Enabled

Specifies whether SSL is configured on the Elasticsearch server.

If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the Java keystore on the host that runs AM before attempting to log audit events to Elasticsearch.

Default value: false

amster attribute: sslEnabled

Elasticsearch Index

Specifies the name of the Elasticsearch index to be used for AM audit logging.

amster attribute: index

Authentication

The Authentication tab contains the following secondary configuration properties:

Username

Specifies the username to access the Elasticsearch server.

Required if Elasticsearch Shield authentication is configured.

amster attribute: username

Password

Specifies the password to access the Elasticsearch server.

Required if Elasticsearch Shield authentication is configured.

amster attribute: password

Buffering

The Buffering tab contains the following secondary configuration properties:

Buffering Enabled

Default value: true

amster attribute: bufferingEnabled

Batch Size

Maximum number of events that can be buffered (default: 10000)

Default value: 500

amster attribute: batchSize

Queue Capacity

Maximum number of audit logs in the batch queue. Additional audit events are dropped.

Default value: 10000

amster attribute: maxEvents

Write interval (in milliseconds)

Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.

Default value: 250

amster attribute: writeInterval

Syslog

A configured secondary instance of the Syslog type has the following tabs:

General handler configuration

The General Handler Configuration tab contains the following secondary configuration properties:

Enabled

Enables or disables an audit event handler.

Default value: true

amster attribute: enabled

Topics

List of topics handled by an audit event handler.

Default value:

access
activity
config
authentication

amster attribute: topics

Audit event handler factory

The Audit Event Handler Factory tab contains the following secondary configuration properties:

Factory Class Name

The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement org.forgerock.openam.audit.AuditEventHandlerFactory.

Default value: org.forgerock.openam.audit.events.handlers.SyslogAuditEventHandlerFactory

amster attribute: handlerFactory

Syslog configuration

The Syslog Configuration tab contains the following secondary configuration properties:

Server hostname

Host name or IP address of receiving syslog server.

amster attribute: host

Server port

Port number of receiving syslog server.

amster attribute: port

Transport Protocol

Default value: TCP

amster attribute: transportProtocol

Connection timeout

Timeout for connecting to syslog server, in seconds.

amster attribute: connectTimeout

Facility

Syslog facility value to apply to all events.

Default value: USER

amster attribute: facility

Buffering

The Buffering tab contains the following secondary configuration properties:

Buffering Enabled

Enables or disables audit event buffering.

Default value: true

amster attribute: bufferingEnabled

Buffer Size

Maximum number of events that can be buffered (default/minimum: 5000)

Default value: 5000

amster attribute: bufferingMaxSize

CSV

A configured secondary instance of the CSV type has the following tabs:

General handler configuration

The General Handler Configuration tab contains the following secondary configuration properties:

Enabled

Enables or disables an audit event handler.

Default value: true

amster attribute: enabled

Topics

List of topics handled by an audit event handler.

Default value:

access
activity
config
authentication

amster attribute: topics

Audit event handler factory

The Audit Event Handler Factory tab contains the following secondary configuration properties:

Factory Class Name

The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement org.forgerock.openam.audit.AuditEventHandlerFactory.

Default value: org.forgerock.openam.audit.events.handlers.CsvAuditEventHandlerFactory

amster attribute: handlerFactory

CSV configuration

The CSV Configuration tab contains the following secondary configuration properties:

Log Directory

Directory in which to store audit log CSV files.

Default value: %BASE_DIR%/var/audit/

amster attribute: location

File rotation

The File Rotation tab contains the following secondary configuration properties:

Rotation Enabled

Enables and disables audit file rotation.

Default value: true

amster attribute: rotationEnabled

Maximum File Size

Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.

Default value: 100000000

amster attribute: rotationMaxFileSize

File Rotation Prefix

Prefix to prepend to audit files when rotating audit files.

amster attribute: rotationFilePrefix

File Rotation Suffix

Suffix to append to audit files when they are rotated. Suffix should be a timestamp.

Default value: -yyyy.MM.dd-HH.mm.ss

amster attribute: rotationFileSuffix

Rotation Interval

Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.

Default value: -1

amster attribute: rotationInterval

Rotation Times

Durations after midnight to trigger file rotation, in seconds.

amster attribute: rotationTimes

File retention

The File Retention tab contains the following secondary configuration properties:

Maximum Number of Historical Files

Maximum number of backup audit files allowed. A value of -1 disables pruning of old history files.

Default value: 1

amster attribute: retentionMaxNumberOfHistoryFiles

Maximum Disk Space

The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.

Default value: -1

amster attribute: retentionMaxDiskSpaceToUse

Minimum Free Space Required

Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.

Default value: -1

amster attribute: retentionMinFreeSpaceRequired

Buffering

The Buffering tab contains the following secondary configuration properties:

Buffering Enabled

Enables or disables buffering.

Default value: true

amster attribute: bufferingEnabled

Flush Each Event Immediately

Performance may be improved by writing all buffered events before flushing.

Default value: false

amster attribute: bufferingAutoFlush

Tamper Evident Configuration

The Tamper Evident Configuration tab contains the following secondary configuration properties:

Is Enabled

Enables the CSV tamper evident feature.

Default value: false

amster attribute: securityEnabled

Certificate Store Location

Path to Java keystore.

Default value: %BASE_DIR%/var/audit/Logger.jks

amster attribute: securityFilename

Certificate Store Password

Password for Java keystore.

amster attribute: securityPassword

Signature Interval

Signature generation interval, in seconds.

Default value: 900

amster attribute: securitySignatureInterval

JDBC

A configured secondary instance of the JDBC type has the following tabs:

General handler configuration

The General Handler Configuration tab contains the following secondary configuration properties:

Enabled

Enables or disables an audit event handler.

Default value: true

amster attribute: enabled

Topics

List of topics handled by an audit event handler.

Default value:

access
activity
config
authentication

amster attribute: topics

Audit event handler factory

The Audit Event Handler Factory tab contains the following secondary configuration properties:

Factory Class Name

The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement org.forgerock.openam.audit.AuditEventHandlerFactory.

Default value: org.forgerock.openam.audit.events.handlers.JdbcAuditEventHandlerFactory

amster attribute: handlerFactory

Database Configuration

The Database Configuration tab contains the following secondary configuration properties:

Database Type

Select the database to use for logging audit events.

Identifies the database in use, for example MySQL, Oracle, or SQL.

Default value: oracle

amster attribute: databaseType

JDBC Database URL

URL of the JDBC database.

amster attribute: jdbcUrl

JDBC Driver

Fully qualified JDBC driver class name.

amster attribute: driverClassName

Database Username

Specifies the username to access the database server.

amster attribute: username

Database Password

Specifies the password to access the database server.

amster attribute: password

Connection Timeout (seconds)

Specifies the maximum wait time before failing the connection, in seconds.

Default value: 30

amster attribute: connectionTimeout

Maximum Connection Idle Timeout (seconds)

Specifies the maximum idle time before the connection is closed, in seconds.

Default value: 600

amster attribute: idleTimeout

Maximum Connection Time (seconds)

Specifies the maximum time a JDBC connection can be open, in seconds.

Default value: 1800

amster attribute: maxLifetime

Minimum Idle Connections

Specifies the minimum number of idle connections in the connection pool.

Default value: 10

amster attribute: minIdle

Maximum Connections

Specifies the maximum number of connections in the connection pool.

Default value: 10

amster attribute: maxPoolSize

Buffering

The Buffering tab contains the following secondary configuration properties:

Buffering Enabled

Enables or disables audit event buffering.

Default value: true

amster attribute: bufferingEnabled

Buffer Size (number of events)

Size of the queue where events are buffered before they are written to the database.

This queue has to be big enough to store all incoming events that have not yet been written to the database.

If the queue reaches capacity, the process will block until a write occurs.

Default value: 100000

amster attribute: bufferingMaxSize

Write Interval

Specifies the interval (seconds) at which buffered events are written to the database.

Default value: 5

amster attribute: bufferingWriteInterval

Writer Threads

Specifies the number of threads used to write the buffered events.

Default value: 1

amster attribute: bufferingWriterThreads

Max Batched Events

Specifies the maximum number of batched statements the database can support per connection.

Default value: 100

amster attribute: bufferingMaxBatchedEvents

JSON

A configured secondary instance of the JSON type has the following tabs:

General handler configuration

The General Handler Configuration tab contains the following secondary configuration properties:

Enabled

Enables or disables an audit event handler.

Default value: true

amster attribute: enabled

Topics

List of topics handled by an audit event handler.

Default value:

access
activity
config
authentication

amster attribute: topics

Audit event handler factory

The Audit Event Handler Factory tab contains the following secondary configuration properties:

Factory Class Name

The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement org.forgerock.openam.audit.AuditEventHandlerFactory.

Default value: org.forgerock.openam.audit.events.handlers.JsonAuditEventHandlerFactory

amster attribute: handlerFactory

JSON configuration

The JSON Configuration tab contains the following secondary configuration properties:

Log Directory

Directory in which to store audit log JSON files.

Default value: %BASE_DIR%/var/audit/

amster attribute: location

ElasticSearch JSON Format Compatible

JSON format should be transformed to be compatible with ElasticSearch format restrictions.

Default value: false

amster attribute: elasticsearchCompatible

File Rotation Retention Check Interval

Interval to check time-based file rotation policies, in seconds.

Default value: 5

amster attribute: rotationRetentionCheckInterval

File rotation

The File Rotation tab contains the following secondary configuration properties:

Rotation Enabled

Enables and disables audit file rotation.

Default value: true

amster attribute: rotationEnabled

Maximum File Size

Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.

Default value: 100000000

amster attribute: rotationMaxFileSize

File Rotation Prefix

Prefix to prepend to audit files when rotating audit files.

amster attribute: rotationFilePrefix

File Rotation Suffix

Suffix to append to audit files when they are rotated. Suffix should be a timestamp.

Default value: -yyyy.MM.dd-HH.mm.ss

amster attribute: rotationFileSuffix

Rotation Interval

Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.

Default value: -1

amster attribute: rotationInterval

Rotation Times

Durations after midnight to trigger file rotation, in seconds.

amster attribute: rotationTimes

File retention

The File Retention tab contains the following secondary configuration properties:

Maximum Number of Historical Files

Maximum number of backup audit files allowed. A value of -1 disables pruning of old history files.

Default value: 1

amster attribute: retentionMaxNumberOfHistoryFiles

Maximum Disk Space

The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.

Default value: -1

amster attribute: retentionMaxDiskSpaceToUse

Minimum Free Space Required

Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.

Default value: -1

amster attribute: retentionMinFreeSpaceRequired

Buffering

The Buffering tab contains the following secondary configuration properties:

Batch Size

Maximum number of events that can be buffered (default/minimum: 100000)

Default value: 100000

amster attribute: bufferingMaxSize

Write interval

Interval at which buffered events are written to a file, in milliseconds.

Default value: 5

amster attribute: bufferingWriteInterval

Splunk

A configured secondary instance of the Splunk type has the following tabs:

General handler configuration

The General Handler Configuration tab contains the following secondary configuration properties:

Enabled

Enables or disables an audit event handler.

Default value: true

amster attribute: enabled

Topics

List of topics handled by an audit event handler.

Default value:

access
activity
config
authentication

amster attribute: topics

Audit event handler factory

The Audit Event Handler Factory tab contains the following secondary configuration properties:

Factory Class Name

The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement org.forgerock.openam.audit.AuditEventHandlerFactory.

Default value: org.forgerock.openam.audit.events.handlers.SplunkAuditEventHandlerFactory

amster attribute: handlerFactory

Splunk Configuration

The Splunk Configuration tab contains the following secondary configuration properties:

Authorization Token

Authorization token used to connect to Splunk HTTP Event Collector endpoint.

amster attribute: authzToken

Server Hostname

Host name or IP address of Splunk server.

amster attribute: host

Server Port

Port number of Splunk server.

amster attribute: port

SSL Enabled

Use HTTPS protocol for communication with Splunk.

Default value: false

amster attribute: sslEnabled

Buffering

The Buffering tab contains the following secondary configuration properties:

Batch Size

Maximum number of events that can be buffered (default: 10000).

Default value: 500

amster attribute: batchSize

Queue Capacity

Maximum number of audit evens in the batch queue; additional events are dropped.

Default value: 10000

amster attribute: maxEvents

Write interval (in milliseconds)

Interval at which buffered events are written to Splunk.

Default value: 250

amster attribute: writeInterval

Base URL source

amster service name: BaseUrlSource

Realm defaults

The following settings appear on the Realm Defaults tab:

Base URL Source

Specifies how the base URL is generated.

The following values are supported:

  • Extension class (EXTENSION_CLASS). The extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter org.forgerock.openam.services.baseurl.BaseURLProvider.

  • Fixed value (FIXED_VALUE). The base URL is retrieved from the value specified in the Fixed value base URL field.

  • Forwarded header (FORWARDED_HEADER). The base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in RFC7239.

  • Host/protocol from incoming request (REQUEST_VALUES). The hostname, server name, and port are retrieved from the incoming HTTP request.

  • X-Forwarded-* headers (X_FORWARDED_HEADERS). The base URL is retrieved from non-standard header fields, such as X-Forwarded-For, X-Forwarded-By, X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port.

    If the X-Forwarded-Proto header is not provided, the server uses a fallback scheme, based on the URI of the request.

    If multiple X-Forwarded-Host headers are specified, the outermost proxy host is used.

Default value: REQUEST_VALUES

amster attribute: source

Fixed value base URL

If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.

amster attribute: fixedValue

Extension class name

If Extension class is selected as the Base URL source, enter org.forgerock.openam.services.baseurl.BaseURLProvider in the Extension class name field.

amster attribute: extensionClassName

Context path

Specifies the context path for the base URL.

If provided, the base URL includes the deployment context path appended to the calculated URL.

For example, /openam.

Default value: /openam

amster attribute: contextPath

Common federation configuration

amster service name: CommonFederationConfiguration

General configuration

The following settings appear on the General Configuration tab:

Maximum allowed content length

The maximum content length allowed in federation communications, in bytes.

Default value: 20480

amster attribute: maxContentLength

Check presence of certificates

Enable checking of certificates against local copy

Whether to verify that the partner’s signing certificate included in the Federation XML document is the same as the one stored in the said partner’s meta data.

The possible values for this property are:

  • off. Disabled

  • on. Enabled

Default value: on

amster attribute: certificateChecking

SAML Error Page URL

AM redirects users here when an error occurs in the SAML2 engine.

Both relative and absolute URLs are supported. Users are redirected to an absolute URL using the configured HTTP Binding whereas relative URLs are displayed within the request.

Default value: /saml2/jsp/saml2error.jsp

amster attribute: samlErrorPageUrl

SAML Error Page HTTP Binding

The possible values are HTTP-Redirect or HTTP-POST.

Default value: HTTP-POST

amster attribute: samlErrorPageHttpBinding

Implementation classes

The following settings appear on the Implementation Classes tab:

Datastore SPI implementation class

The Federation system uses this class to get/set user profile attributes.

The default implementation uses the Identity repository APIs to access user profile attributes. A custom implementation must implement the com.sun.identity.plugin.datastore.DataStoreProvider interface.

Default value: com.sun.identity.plugin.datastore.impl.IdRepoDataStoreProvider

amster attribute: datastoreClass

Root URL provider SPI implementation class

The Federation system uses this class to get the root URL of the AM deployment.

The default implementation uses the Root URL APIs to access the AM instance root url. A custom implementation must implement the org.forgerock.openam.federation.plugin.rooturl.RootUrlProvider interface.

Default value: org.forgerock.openam.federation.plugin.rooturl.impl.FmRootUrlProvider

amster attribute: rootUrlProviderClass

ConfigurationInstance SPI implementation class

The Federation system uses this class to fetch service configuration.

The default implementation uses the SMS APIs to access service configuration. A custom implementation must implement the com.sun.identity.plugin.configuration.ConfigurationInstance interface.

Default value: com.sun.identity.plugin.configuration.impl.ConfigurationInstanceImpl

amster attribute: configurationClass

Logger SPI implementation class

The Federation system uses this class to record log entries.

The default implementation uses the Logging APIs to record log entries. A custom implementation must implement the com.sun.identity.plugin.log.Logger interface.

Default value: com.sun.identity.plugin.log.impl.LogProvider

amster attribute: loggerClass

SessionProvider SPI implementation class

The Federation system uses this class to interface with the session service.

The default implementation uses the standard authentication and SSO APIs to access the session service. A custom implementation must implement the com.sun.identity.plugin.session.SessionProvider interface.

Default value: com.sun.identity.plugin.session.impl.FMSessionProvider

amster attribute: sessionProviderClass

PasswordDecoder SPI implementation class

The Federation system uses this class to decode password encoded by AM.

The default implementation uses the internal AM decryption API to decode passwords. A custom implementation must implement the com.sun.identity.saml.xmlsig.PasswordDecoder interface.

Default value: com.sun.identity.saml.xmlsig.FMPasswordDecoder

amster attribute: passwordDecoderClass

SignatureProvider SPI implementation class

The Federation system uses this class to digitally sign SAML documents.

The default implementation uses the XERCES APIs to sign the documents. A custom implementation must implement the com.sun.identity.saml.xmlsig.SignatureProvider interface.

Default value: com.sun.identity.saml.xmlsig.AMSignatureProvider

amster attribute: signatureProviderClass

KeyProvider SPI implementation class

The Federation system uses this class to provide access to the underlying Java keystore.

The default implementation uses the Java Cryptographic Engine to provide access to the Java keystore. A custom implementation must implement the com.sun.identity.saml.xmlsig.KeyProvider interface.

Default value: com.sun.identity.saml.xmlsig.JKSKeyProvider

amster attribute: keyProviderClass

Algorithms

The following settings appear on the Algorithms tab:

XML canonicalization algorithm

The algorithm used to canonicalize XML documents.

XML signature algorithm

The algorithm used to sign XML documents.

XML digest algorithm

The default digest algorithm to use in signing XML.

Query String signature algorithm (RSA)

The default signature algorithm to use for RSA keys.

Query String signature algorithm (DSA)

The default signature algorithm to use for DSA keys.

This property can only take the following value:

amster attribute: QuerySignatureAlgorithmDSA

Query String signature algorithm (EC)

The default signature algorithm to use for EC keys.

XML transformation algorithm

The algorithm used to transform XML documents.

Mask Generation Function Algorithm

Which MGF algorithm to use when encrypting the symmetric encryption key using RSA OAEP algorithm.

AES Key Wrap Algorithm

The AES key wrap algorithm to use when the remote entity provider does not specify which key wrap algorithms it supports.

RSA Key Transport Algorithm

Monitoring

The following settings appear on the Monitoring tab:

Monitoring Agent Provider Class

The Federation system uses this class to gain access to the monitoring system.

The default implementation uses the built-in AM monitoring system. A custom implementation must implement the com.sun.identity.plugin.monitoring.FedMonAgent interface.

Default value: com.sun.identity.plugin.monitoring.impl.AgentProvider

amster attribute: monitoringAgentClass

Monitoring Provider Class for SAML2

The SAML2 engine uses this class to gain access to the monitoring system.

The default implementation uses the built-in AM monitoring system. A custom implementation must implement the com.sun.identity.plugin.monitoring.FedMonSAML2Svc interface.

Default value: com.sun.identity.plugin.monitoring.impl.FedMonSAML2SvcProvider

amster attribute: monitoringSaml2Class

Configuration Version service

amster service name: ConfigurationVersionService

The following settings are available in this service:

configurationCommit

amster attribute: configurationCommit

Configuration Version

AM’s configuration version

Default value: 3.0.0.1

amster attribute: configurationVersion

CORS service

amster service name: CorsConfiguration

Configuration

The following settings appear on the Configuration tab:

Enable the CORS filter

If disable, no CORS headers will be added to responses.

Default value: true

amster attribute: enabled

Secondary configurations

This service has the following secondary configurations.

configuration

Enable the CORS filter

If disable, no CORS headers will be added to responses.

Default value: false

amster attribute: enabled

Accepted Origins

The set of accepted origins.

amster attribute: acceptedOrigins

Accepted Methods

The set of (non-simple) accepted methods, included in the pre-flight response in the header Access-Control-Allow-Methods.

amster attribute: acceptedMethods

Accepted Headers

The set of (non-simple) accepted headers, included in the pre-flight response in the header Access-Control-Allow-Headers.

amster attribute: acceptedHeaders

Exposed Headers

The set of headers to transmit in the header Access-Control-Expose-Headers.

amster attribute: exposedHeaders

Max Age

The max age (in seconds) for caching, included in the pre-flight response in the header Access-Control-Max-Age.

Default value: 0

amster attribute: maxAge

Allow Credentials

Whether to transmit the Access-Control-Allow-Credentials: true header in the response.

Default value: false

amster attribute: allowCredentials

Dashboard

amster service name: DashboardUserService

Realm defaults

The following settings appear on the Realm Defaults tab:

Available Dashboard Apps

List of application dashboard names available by default for realms with the Dashboard service configured.

amster attribute: assignedDashboard

Secondary configurations

This service has the following secondary configurations.

instances

Dashboard Class Name

Identifies how to access the application, for example SAML2ApplicationClass for a SAML v2.0 application.

amster attribute: className

Dashboard Name

The application name as it will appear to the administrator for configuring the dashboard.

amster attribute: name

Dashboard Display Name

The application name that displays on the dashboard client.

amster attribute: displayName

Dashboard Icon

The icon name that will be displayed on the dashboard client identifying the application.

amster attribute: icon

Dashboard Login

The URL that takes the user to the application.

amster attribute: login

ICF Identifier

amster attribute: icfIdentifier

Device Binding service

amster service name: DeviceBindingService

Realm defaults

The following settings appear on the Realm Defaults tab:

Device Binding Attribute

The user’s attribute in which to store bound device data.

The default attribute is added to the schema when you prepare a user store for use with AM. If you want to use a different attribute, you must add it to your user store schema prior to binding devices with AM. AM must be able to write to the attribute.

Default value: boundDevices

amster attribute: deviceBindingAttrName

Device Binding Encryption Scheme

Encryption scheme to use to secure device binding data stored on the server.

AM encrypts the data for each bound device using a unique random secret key with the selected AES encryption standard in CBC mode with PKCS#5 padding. An HMAC-SHA of the selected strength (truncated to half-size) protects the integrity and authenticity of the encryption. AM encrypts the unique random key with the given RSA key pair and stores it with the bound device data.

AES-256 may require installation of the JCE Unlimited Strength policy files.

The possible values for this property are:

  • Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (value: RSAES_AES256CBC_HS512)

  • Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (value: RSAES_AES128CBC_HS256)

  • Label: No encryption of device settings (value: NONE)

Default value: NONE

amster attribute: deviceBindingSettingsEncryptionScheme

Encryption Key Store

Path to the key store from which to load encryption keys.

For greater security, store the encryption key information in a secret store, instead of in the configuration. Use the secret label am.services.devicebinding.encryption to map an alias for Device Binding service secrets.

If you update encryption key information in the configuration or in the secret stores, users with existing device profiles will no longer be able to log in using this service. Delete the user’s device profile from their entry in the identity store so that the user can create a new one when they next log in.

If AM finds a matching secret for the am.services.devicebinding.encryption label in a secret store, this value is ignored.

Default value: /path/to/openam/security/keystores/keystore.jks

amster attribute: deviceBindingSettingsEncryptionKeystore

Key Store Type

Type of key store to load.

PKCS#11 key stores require hardware support such as a security device or smart card, which are not available by default in most JVM installations.

For more information, refer to the JDK 11 PKCS#11 Reference Guide.

If AM finds a matching secret for the am.services.devicebinding.encryption label in a secret store, this value is ignored.

The possible values for this property are:

  • Label: Java Key Store (JKS) (value: JKS)

  • Label: Java Cryptography Extension Key Store (JCEKS) (value: JCEKS)

  • Label: PKCS#11 Hardware Crypto Storage (value: PKCS11)

  • Label: PKCS#12 Key Store (value: PKCS12)

Default value: JKS

amster attribute: deviceBindingSettingsEncryptionKeystoreType

Key Store Password

Password to unlock the key store. AM encrypts this password when you save it in the configuration. You should modify the default value.

If AM finds a matching secret for the am.services.devicebinding.encryption label in a secret store, this value is ignored.

amster attribute: deviceBindingSettingsEncryptionKeystorePassword

Key-Pair Alias

Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt bound device data.

If AM finds a matching secret for the am.services.devicebinding.encryption label in a secret store, this value is ignored.

amster attribute: deviceBindingSettingsEncryptionKeystoreKeyPairAlias

Private Key Password

Password to unlock the private key.

If AM finds a matching secret for the am.services.devicebinding.encryption label in a secret store, this value is ignored.

amster attribute: deviceBindingSettingsEncryptionKeystorePrivateKeyPassword

Device ID service

amster service name: deviceIdService

Realm defaults

The following settings appear on the Realm Defaults tab:

Profile Storage Attribute

The user’s attribute in which to store Device ID profiles.

The default attribute is added to the schema when you prepare a user store for use with AM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to enabling the Device ID authentication module. AM must be able to write to the attribute.

Default value: devicePrintProfiles

amster attribute: deviceIdAttrName

Device Profile Encryption Scheme

Encryption scheme to use to secure device profiles stored on the server.

If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.

AES-256 may require installation of the JCE Unlimited Strength policy files.

The possible values for this property are:

  • Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (value: RSAES_AES256CBC_HS512)

  • Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (value: RSAES_AES128CBC_HS256)

  • Label: No encryption of device settings (value: NONE)

Default value: NONE

amster attribute: deviceIdSettingsEncryptionScheme

Encryption Key Store

Path to the key store from which to load encryption keys.

For greater security, store encryption key information in a secret store, instead of in the configuration. Use the secret label am.services.deviceid.encryption to map an alias for Device ID service secrets.

If you update encryption key information in the configuration or in the secret stores, users with existing device profiles will no longer be able to log in using this service. Delete the user’s device profile from their entry in the identity store so that the user can create a new one when they next log in.

If AM finds a matching secret for the am.services.deviceid.encryption label in a secret store, this value is ignored.

Default value: /path/to/openam/security/keystores/keystore.jks

amster attribute: deviceIdSettingsEncryptionKeystore

Key Store Type

Type of key store to load.

PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.

Refer to the JDK 8 PKCS#11 Reference Guide for more details.

If AM finds a matching secret for the am.services.deviceid.encryption label in a secret store, this value is ignored.

The possible values for this property are:

  • Label: Java Key Store (JKS) (value: JKS)

  • Label: Java Cryptography Extension Key Store (JCEKS) (value: JCEKS)

  • Label: PKCS#11 Hardware Crypto Storage (value: PKCS11)

  • Label: PKCS#12 Key Store (value: PKCS12)

Default value: JKS

amster attribute: deviceIdSettingsEncryptionKeystoreType

Key Store Password

Password to unlock the key store. AM encrypts this password when you save it in the configuration. You should modify the default value.

If AM finds a matching secret for the am.services.deviceid.encryption label in a secret store, this value is ignored.

amster attribute: deviceIdSettingsEncryptionKeystorePassword

Key-Pair Alias

Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.

If AM finds a matching secret for the am.services.deviceid.encryption label in a secret store, this value is ignored.

amster attribute: deviceIdSettingsEncryptionKeystoreKeyPairAlias

Private Key Password

Password to unlock the private key.

If AM finds a matching secret for the am.services.deviceid.encryption label in a secret store, this value is ignored.

amster attribute: deviceIdSettingsEncryptionKeystorePrivateKeyPassword

Device Profiles service

amster service name: DeviceProfilesService

Realm defaults

The following settings appear on the Realm Defaults tab:

Profile Storage Attribute

The user’s attribute in which to store Device profiles.

The default attribute is added to the schema when you prepare a user store for use with AM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to enabling the Device Profiles authentication module. AM must be able to write to the attribute.

Default value: deviceProfiles

amster attribute: deviceProfilesAttrName

Device Profile Encryption Scheme

Encryption scheme to use to secure device profiles stored on the server.

If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.

AES-256 may require installation of the JCE Unlimited Strength policy files.

The possible values for this property are:

  • Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (value: RSAES_AES256CBC_HS512)

  • Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (value: RSAES_AES128CBC_HS256)

  • Label: No encryption of device settings (value: NONE)

Default value: NONE

amster attribute: deviceProfilesSettingsEncryptionScheme

Encryption Key Store

Path to the key store from which to load encryption keys.

For greater security, store the encryption key information in a secret store, instead of in the configuration. Use the secret label am.services.deviceprofile.encryption to map an alias for Device Profiles service secrets.

If you update encryption key information in the configuration or in the secret stores, users with existing device profiles will no longer be able to log in using this service. Delete the user’s device profile from their entry in the identity store so that the user can create a new one when they next log in.

If AM finds a matching secret for the am.services.deviceprofile.encryption label in a secret store, this value is ignored.

Default value: /path/to/openam/security/keystores/keystore.jks

amster attribute: deviceProfilesSettingsEncryptionKeystore

Key Store Type

Type of key store to load.

PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.

Refer to the JDK 8 PKCS#11 Reference Guide for more details.

If AM finds a matching secret for the am.services.deviceprofile.encryption label in a secret store, this value is ignored.

The possible values for this property are:

  • Label: Java Key Store (JKS) (value: JKS)

  • Label: Java Cryptography Extension Key Store (JCEKS) (value: JCEKS)

  • Label: PKCS#11 Hardware Crypto Storage (value: PKCS11)

  • Label: PKCS#12 Key Store (value: PKCS12)

Default value: JKS

amster attribute: deviceProfilesSettingsEncryptionKeystoreType

Key Store Password

Password to unlock the key store. AM encrypts this password when you save it in the configuration. You should modify the default value.

If AM finds a matching secret for the am.services.deviceprofile.encryption label in a secret store, this value is ignored.

amster attribute: deviceProfilesSettingsEncryptionKeystorePassword

Key-Pair Alias

Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.

If AM finds a matching secret for the am.services.deviceprofile.encryption label in a secret store, this value is ignored.

amster attribute: deviceProfilesSettingsEncryptionKeystoreKeyPairAlias

Private Key Password

Password to unlock the private key.

If AM finds a matching secret for the am.services.deviceprofile.encryption label in a secret store, this value is ignored.

amster attribute: deviceProfilesSettingsEncryptionKeystorePrivateKeyPassword

Email service

amster service name: EmailService

Realm defaults

The following settings appear on the Realm Defaults tab:

Email From Address

Specifies the address from which to send email notifications.

For example, you might set this property to: no-reply@example.com

For Microsoft Graph API transport configurations, this must exist as a valid address in the Microsoft Exchange administration center.

amster attribute: from

Email Attribute Name

Specifies the profile attribute from which to retrieve the end user’s email address.

Default value: mail

amster attribute: emailAddressAttribute

Email Subject

Specifies a subject for notification messages. If you do not set this, AM does not set the subject for notification messages.

amster attribute: subject

Email Content

Specifies content for notification messages. If you do not set this, AM includes only the confirmation URL in the mail body.

amster attribute: message

Email Rate Limit

Specifies the minimum number of seconds that must elapse between sending emails to an individual user.

Default value: 1

amster attribute: emailRateLimitSeconds

Transport Type

The mail server transport type to use. This value must be set to one of the secondary configurations.

amster attribute: transportType

Secondary configurations

This service has the following secondary configurations.

Microsoft Graph API

Email Message Implementation Class

Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.

Default value: org.forgerock.openam.services.email.rest.MicrosoftRestMailServer

amster attribute: emailImplClassName

Email Rest Endpoint URL

Specifies the REST endpoint for sending emails, in the format https://graph.microsoft.com/v1.0/users/USER ID/sendMail.

Refer to the sendMail API reference for details.

amster attribute: emailEndpoint

OAuth2 Token Endpoint URL

Specifies the endpoint for OAuth 2.0 authentication, in the format https://login.microsoftonline.com/TENANT ID/oauth2/v2.0/token.

amster attribute: tokenEndpoint

OAuth2 Client Id

Specifies the client ID for use in OAuth 2.0 authentication.

This is the client ID or application ID provided by the Microsoft Application Registration portal.

amster attribute: clientId

OAuth2 Scopes

Specifies the scopes to request as part of the OAuth 2.0 authentication.

The value supported by Microsoft Graph API is https://graph.microsoft.com/.default.

amster attribute: scope

SMTP

Email Message Implementation Class

Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.

Default value: org.forgerock.openam.services.email.MailServerImpl

amster attribute: emailImplClassName

Mail Server Host Name

Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.

For example, you might set this property to: smtp.example.com

amster attribute: hostname

Mail Server Host Port

Specifies the port number for the SMTP mail server.

Default value: 465

amster attribute: port

Mail Server Authentication Username

Specifies the username for the SMTP mail server.

For example, you might set this property to: username

amster attribute: username

Mail Server Authentication Password

Specifies the password for the SMTP user name.

amster attribute: password

Mail Server Secure Connection

Specifies whether to connect to the SMTP mail server using SSL.

The possible values for this property are:

  • SSL

  • Non SSL

  • Start TLS

Default value: SSL

amster attribute: sslState

External data stores

amster service name: DataStoreService

Realm defaults

The following settings appear on the Realm Defaults tab:

Policy Data Store

Select a data store configuration to be used for policy storage

The possible values for this property are:

  • Label: Default Data Store (value: fd270e31-1788-4193-8734-eb2d500c47f3)

Default value: fd270e31-1788-4193-8734-eb2d500c47f3

amster attribute: policyDataStoreId

Application Data Store

Select a data store configuration to be used for application storage

The possible values for this property are:

  • Label: Default Data Store (value: fd270e31-1788-4193-8734-eb2d500c47f3)

Default value: fd270e31-1788-4193-8734-eb2d500c47f3

amster attribute: applicationDataStoreId

Secondary configurations

This service has the following secondary configurations.

config

Host Urls

An ordered list of connection strings for LDAP directories.Each connection string is composed as follows: HOST:PORT. serverHostname = Host Name

amster attribute: serverUrls

Bind DN

amster attribute: bindDN

Bind Password

amster attribute: bindPassword

Minimum Connection Pool Size

Default value: 1

amster attribute: minimumConnectionPool

Maximum Connection Pool Size

Default value: 10

amster attribute: maximumConnectionPool

Use SSL

amster attribute: useSsl

Start TLS

amster attribute: useStartTLS

Affinity Enabled

amster attribute: affinityEnabled

ForgeRock Authenticator (OATH) service

amster service name: AuthenticatorOath

Realm defaults

The following settings appear on the Realm Defaults tab:

Profile Storage Attribute

Attribute for storing ForgeRock Authenticator OATH profiles.

The default attribute is added to the user store during AM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in AM. AM must be able to write to the attribute.

Default value: oathDeviceProfiles

amster attribute: oathAttrName

Device Profile Encryption Scheme

Encryption scheme for securing device profiles stored on the server.

If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.

AES-256 may require installation of the JCE Unlimited Strength policy files.

The possible values for this property are:

  • Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (Value: RSAES_AES256CBC_HS512)

  • Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (Value: RSAES_AES128CBC_HS256)

  • Label: No encryption of device settings. (Value: NONE)

Default value: NONE

amster attribute: authenticatorOATHDeviceSettingsEncryptionScheme

Encryption Key Store

Path to the key store from which to load encryption keys.

For greater security, store the encryption key information in a secret store, instead of in the configuration. Use the secret label am.services.authenticatoroath.encryption to map an alias for ForgeRock Authenticator OATH service secrets.

If you update encryption key information in the configuration or in the secret stores, users with existing device profiles will no longer be able to log in using this service. Delete the user’s device profile from their entry in the identity store so that the user can create a new one when they next log in.

If AM finds a matching secret for the am.services.authenticatoroath.encryption label in a secret store, this value is ignored.

Default value: /path/to/openam/openam/keystore.jks

amster attribute: authenticatorOATHDeviceSettingsEncryptionKeystore

Key Store Type

Type of encryption key store.

PKCS#11 keys tores require hardware support such as a security device or smart card and is not available by default in most JVM installations.

Refer to the JDK 8 PKCS#11 Reference Guide for more details.

If AM finds a matching secret for the am.services.authenticatoroath.encryption label in a secret store, this value is ignored.

The possible values for this property are:

  • Label: Java Key Store (JKS). (Value: JKS)

  • Label: Java Cryptography Extension Key Store (JCEKS). (Value: JCEKS)

  • Label: PKCS#11 Hardware Crypto Storage. (Value: PKCS11)

  • Label: PKCS#12 Key Store. (Value: PKCS12)

Default value: JKS

amster attribute: authenticatorOATHDeviceSettingsEncryptionKeystoreType

Key Store Password

Password to unlock the key store. AM encrypts this password when you save it in the configuration. You should modify the default value.

If AM finds a matching secret for the am.services.authenticatoroath.encryption label in a secret store, this value is ignored.

amster attribute: authenticatorOATHDeviceSettingsEncryptionKeystorePassword

Key-Pair Alias

Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.

If AM finds a matching secret for the am.services.authenticatoroath.encryption label in a secret store, this value is ignored.

Default value: pushDeviceProfiles

amster attribute: authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias

Private Key Password

Password to unlock the private key.

If AM finds a matching secret for the am.services.authenticatoroath.encryption label in a secret store, this value is ignored.

amster attribute: authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword

ForgeRock Authenticator (OATH) Device Skippable Attribute Name

The data store attribute that holds the user’s decision to enable or disable obtaining and providing a password obtained from the ForgeRock Authenticator app. This attribute must be writable.

Default value: oath2faEnabled

amster attribute: authenticatorOATHSkippableName

ForgeRock Authenticator (Push) service

amster service name: AuthenticatorPush

Realm defaults

The following settings appear on the Realm Defaults tab:

Profile Storage Attribute

The user’s attribute in which to store Push Notification profiles.

The default attribute is added to the schema when you prepare a user store for use with AM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in AM. AM must be able to write to the attribute.

Default value: pushDeviceProfiles

amster attribute: pushAttrName

Device Profile Encryption Scheme

Encryption scheme to use to secure device profiles stored on the server.

If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.

AES-256 may require installation of the JCE Unlimited Strength policy files.

The possible values for this property are:

  • Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (value: RSAES_AES256CBC_HS512)

  • Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (value: RSAES_AES128CBC_HS256)

  • Label: No encryption of device settings (value: NONE)

Default value: NONE

amster attribute: authenticatorPushDeviceSettingsEncryptionScheme

Encryption Key Store

Path to the key store from which to load encryption keys.

For greater security, store encryption key information in a secret store, instead of in the configuration. Use the secret label am.services.authenticatorpush.encryption to map an alias for ForgeRock Authenticator Push service secrets.

If you update encryption key information in the configuration or in the secret stores, users with existing device profiles will no longer be able to log in using this service. Delete the user’s device profile from their entry in the identity store so that the user can create a new one when they next log in.

If AM finds a matching secret for the am.services.authenticatorpush.encryption label in a secret store, this value is ignored.

Default value: /path/to/openam/openam/keystore.jks

amster attribute: authenticatorPushDeviceSettingsEncryptionKeystore

Key Store Type

Type of key store to load.

PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.

Refer to the JDK 8 PKCS#11 Reference Guide for more details.

If AM finds a matching secret for the am.services.authenticatorpush.encryption label in a secret store, this value is ignored.

The possible values for this property are:

  • Label: Java Key Store (JKS) (value: JKS)

  • Label: Java Cryptography Extension Key Store (JCEKS) (value: JCEKS)

  • Label: PKCS#11 Hardware Crypto Storage (value: PKCS11)

  • Label: PKCS#12 Key Store (value: PKCS12)

Default value: JKS

amster attribute: authenticatorPushDeviceSettingsEncryptionKeystoreType

Key Store Password

Password to unlock the key store. AM encrypts this password when you save it in the configuration. You should modify the default value.

If AM finds a matching secret for the am.services.authenticatorpush.encryption label in a secret store, this value is ignored.

amster attribute: authenticatorPushDeviceSettingsEncryptionKeystorePassword

Key-Pair Alias

Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.

If AM finds a matching secret for the am.services.authenticatorpush.encryption label in a secret store, this value is ignored.

amster attribute: authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias

Private Key Password

Password to unlock the private key.

If AM finds a matching secret for the am.services.authenticatorpush.encryption label in a secret store, this value is ignored.

amster attribute: authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword

ForgeRock Authenticator (Push) Device Skippable Attribute Name

Name of the attribute on a user’s profile used to store their selection of whether to skip ForgeRock Authenticator (Push) 2FA modules.

Default value: push2faEnabled

amster attribute: authenticatorPushSkippableName

Globalization settings

amster service name: Globalization

Global attributes

The following settings appear on the Global Attributes tab:

Charsets Supported by Each Locale

This table lets you configure the order of supported character sets used for each supported locale. Change the settings only if the defaults are not appropriate.

Default value:

locale=zh|charset=UTF-8;GB2312
locale=ar|charset=UTF-8;ISO-8859-6
locale=es|charset=UTF-8;ISO-8859-15
locale=de|charset=UTF-8;ISO-8859-15
locale=zh_TW|charset=UTF-8;BIG5
locale=fr|charset=UTF-8;ISO-8859-15
locale=ko|charset=UTF-8;EUC-KR
locale=en|charset=UTF-8;ISO-8859-1
locale=th|charset=UTF-8;TIS-620
locale=ja|charset=UTF-8;Shift_JIS;EUC-JP

amster attribute: charsetMappings

Charset Aliases

Use this list to map between different character set names used in Java and in MIME.

Default value:

mimeName=EUC-KR|javaName=EUC_KR
mimeName=EUC-JP|javaName=EUC_JP
mimeName=Shift_JIS|javaName=SJIS

amster attribute: sun-identity-g11n-settings-charset-alias-mapping

Realm defaults

The following settings appear on the Realm Defaults tab:

Auto Generated Common Name Format

Use this list to configure how AM formats names shown in the console banner.

This setting allows the name of the authenticated user shown in the AM admin UI banner to be customised based on the locale of the user.

Default value: zh={sn}{givenname}

amster attribute: commonNameFormats

Google Cloud platform service accounts

amster service name: GoogleCloudServiceAccountService

Secondary configurations

This service has the following secondary configurations.

serviceAccounts

Credentials Secret Label

The secret label that contains the GCP service account credentials. Leave blank to use the default credentials from the environment. Credentials can be loaded from disk using a FileSystem Secret Store.

amster attribute: credentialsSecretId

Allowed Realms

A list of realms that can use this service account. Realms should be specified in path form, such as /subrealm/subsubrealm.

amster attribute: allowedRealms

Allowed Secret Names

A list of patterns of Google Secret Manager secret names that are allowed to be usedwith this service account. Patterns can include the wildcard "*".

Default value: *

amster attribute: allowedSecretNamePatterns

Disallowed Secret Names

A list of patterns of Google Secret Manager secret names that are not allowed to be used with this service account. Patterns can include the wildcard "*".

amster attribute: disallowedSecretNamePatterns

Identity Assertion service

amster service name: IdentityAssertionService

Realm defaults

The following settings appear on the Realm Defaults tab:

Enable

Enables the Identity Assertion service that lets AM use ${ig.abbr} to manage authentication through a third party such as WDSSO or Kerberos.

When enabled, the servers defined in the secondary configuration become available as options in the Identity Assertion node configuration.

Default value: true

Server cache duration (minutes)

Supports caching of identity assertion server configurations. A value greater than 0 indicates the duration in minutes that the server configurations are cached. A value of 0 disables caching.

Default value: 120

Secondary configurations

This service has the following secondary configurations.

Identity Assertion server URL

The identity assertion server URL, for example, https://ig.example.com:8448. Don’t include the route in this URL because you define the route when you configure the Identity Assertion node.

Shared Encryption Secret

AM uses this identifier to create a specific secret label, using the template am.services.identityassertion.service.identifier.shared.secret where identifier is the value of Shared Encryption Secret.

The identifier can only contain alphanumeric characters a-z, A-Z, 0-9, and periods (.). It can’t start or end with a period.

The secret is shared by AM and PingGateway to encrypt the assertion request JWT sent to PingGateway and then decrypt the result JWT.

Learn about mapping secrets in Map and rotate secrets.

JWT TTL (seconds)

The identity assertion request JWT time-to-live duration in seconds. This is the period until the JWT sent to the gateway expires.

Default value: 30

Skew Allowance (seconds)

The time difference skew allowance to use when validating the assertion result JWT’s issued-at and expiry claims. This is to address time differences between the PingGateway host and the AM hosts.

Default value: 0

IDM Provisioning

amster service name: IDMProvisioning

The following settings are available in this service:

Enabled

Default value: false

amster attribute: enabled

Deployment URL

URL of the IDM deployment, for example, https://localhost:8080.

amster attribute: idmDeploymentUrl

Deployment Path

Path of the IDM deployment, for example, openidm.

amster attribute: idmDeploymentPath

IDM Provisioning Client

The name of the oauth client to be used for the client credentials flow.

amster attribute: idmProvisioningClient

Signing Key Alias

Alias of the signing symmetric key in AM’s default keystore. Must be a duplicate of the symmetric key used by IDM.

amster attribute: provisioningSigningKeyAlias

Encryption Key Alias

Alias of the encryption asymmetric key in AM’s default keystore. Must be a duplicate of the asymmetric key used by IDM.

amster attribute: provisioningEncryptionKeyAlias

Signing Algorithm

JWT signing algorithm.

amster attribute: provisioningSigningAlgorithm

Signing Compatibility Mode

Enable AM to communicate with IDM 6 and earlier.

When this option is enabled, AM will sign JWTs in a way that is compatible with versions of IDM 6 and earlier. The approach used is incompatible with non-extractable HSM keys. Disable this option if you have upgraded to IDM 6.5 or later.

Default value: false

amster attribute: jwtSigningCompatibilityMode

Encryption Algorithm

JWT encryption algorithm.

amster attribute: provisioningEncryptionAlgorithm

Encryption Method

JWT encryption method.

amster attribute: provisioningEncryptionMethod

Configuration Cache Duration

Specify a duration in minutes for caching static IDM configuration to reduce calls to IDM endpoints and improve performance.

The following values are cached for the specified duration: IDM schemas, consent mappings, validation requirements, KBA configuration, and the IDM active terms.

If changes are made to the IDM Provisioning service in AM during this period, the configuration cache is immediately cleared. If, however, changes are made to IDM, the cache is only refreshed when the duration expires.

A zero value disables this feature.

Default value: 0

amster attribute: configurationCacheDuration

IoT service

amster service name: IoTService

Realm defaults

The following settings appear on the Realm Defaults tab:

Create OAuth 2.0 Client

Create an OAuth 2.0 Client with the given name and default configuration required to serve as the client for the IoT Service. The client will be created without any scope(s).

Default value: false

amster attribute: createOAuthClient

OAuth 2.0 Client Name

The name of the default OAuth 2.0 Client used by the IoT Service to request access tokens for things.

Default value: forgerock-iot-oauth2-client

amster attribute: oauthClientName

Create OAuth 2.0 JWT Issuer

Create a Trusted JWT Issuer with the given name and default configuration required for the IoT Service to act as the Issuer when handling request for thing access tokens.

Default value: false

amster attribute: createOAuthJwtIssuer

OAuth 2.0 JWT Issuer Name

The name of the Trusted JWT Issuer used by the IoT Service to request access tokens for things.

Default value: forgerock-iot-jwt-issuer

amster attribute: oauthJwtIssuerName

OAuth 2.0 Subject Attribute

The name of the identity store attribute from which to read the OAuth 2.0 subject value. The subject is used in access tokens issued for things. This allows the thing’s access token subject to have a value other than the thing’s ID, which is the value used by default.

amster attribute: oauthSubjectAttribute

Readable Attributes

Specifies the list of attributes that a thing is allowed to request from its identity.

Default value: thingConfig

amster attribute: attributeAllowlist

Legacy User Self-Service

amster service name: SecurityProperties

Realm defaults

The following settings appear on the Realm Defaults tab:

Legacy Self-Service REST Endpoint

Specify whether to enable the legacy self-service endpoint.

AM supports two user self-service components: the Legacy User Self-Service, which is based on a Java SDK and is available in AM versions prior to AM 13, and a common REST-based/XUI-based User Self-Service available in AM 13 and later.

The Legacy User Self-Service will be deprecated in a future release.

Default value: false

amster attribute: selfServiceEnabled

Self-Registration for Users

If enabled, new users can sign up using a REST API client.

Default value: false

amster attribute: selfRegistrationEnabled

Self-Registration Token LifeTime (seconds)

Maximum life time for the token allowing User Self-Registration using the REST API.

Default value: 900

amster attribute: selfRegistrationTokenLifetime

Self-Registration Confirmation Email URL

This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.

amster attribute: selfRegistrationConfirmationUrl

Forgot Password for Users

If enabled, users can assign themselves a new password using a REST API client.

Default value: false

amster attribute: forgotPasswordEnabled

Forgot Password Token Lifetime (seconds)

Maximum life time for the token that allows a user to process a forgotten password using the REST API.

Default value: 900

amster attribute: forgotPasswordTokenLifetime

Forgot Password Confirmation Email URL

This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.

amster attribute: forgotPasswordConfirmationUrl

Destination After Successful Self-Registration

Specifies the behavior when self-registration has successfully completed.

The possible values for this property are:

  • Label: User is sent to a 'successful registration' page, without being logged in (value: default)

  • Label: User is sent to the login page, to authenticate (value: login)

  • Label: User is automatically logged in and sent to the appropriate page within the system (value: autologin)

Default value: default

amster attribute: userRegisteredDestination

Protected User Attributes

A list of user profile attributes. Users modifying any of the attributes in this list will be required to enter a password as confirmation before the change is accepted. This option applies to XUI deployments only.

amster attribute: protectedUserAttributes

Confirmation Id HMAC Signing Key

256-bit key (base64-encoded) to use for HMAC signing of the legacy self-service confirmation email links.

Default value: Bn+TrDWLSv1E3ADHWxgqpv4fZnVmKLqwQcZvGdo/3jU=

amster attribute: confirmationIdHmacKey

Logging

amster service name: Logging

General

The following settings appear on the General tab:

Log Status

Enable the AM logging service.

AM supports two audit logging services:

  • A common REST-based audit logging service

  • A JAVA SDK-based logging service (deprecated)

The possible values for this property are:

  • ACTIVE

  • INACTIVE

Default value: INACTIVE

amster attribute: status

Logging Type

Specifies whether to log to a database, Syslog, or to the file system.

If you choose database then be sure to set the connection attributes correctly, including the JDBC driver to use.

The possible values for this property are:

  • File

  • DB

  • Syslog

Default value: File

amster attribute: type

Configurable Log Fields

Controls the fields that are logged by AM.

This property is the list of fields that are logged by default. Administrators can choose to limit the information logged by AM.

Default value:

IPAddr
LoggedBy
LoginID
NameID
ModuleName
ContextID
Domain
LogLevel
HostName
MessageID

amster attribute: fields

Log Verification Frequency

The frequency (in seconds) that AM verifies security of the log files.

When secure logging is enabled, this is the period that AM will check the integrity of the log files.

Default value: 3600

amster attribute: verifyPeriod

Log Signature Time

The frequency (in seconds) that AM will digitally sign the log records.

When secure logging is enabled, this is the period that AM will digitally signed the contents of the log files. The log signatures form the basis of the log file integrity checking.

Default value: 900

amster attribute: signaturePeriod

Secure Logging

Enable or disable secure logging.

If this setting is enabled, AM digitally signs and verifies the contents of log files, to help prevent and detect log file tampering. You must configure a certificate for this functionality to be enabled.

The possible values for this property are:

  • ON

  • OFF

Default value: OFF

amster attribute: security

Secure Logging Signing Algorithm

Determines the algorithm used to digitally sign the log records.

The possible values for this property are:

  • MD2withRSA. MD2 with RSA

  • MD5withRSA. MD5 with RSA

  • SHA1withDSA. SHA1 with DSA

  • SHA1withRSA. SHA1 with RSA

Default value: SHA1withRSA

amster attribute: signingAlgorithm

Logging Certificate Store Location

The path to the Java keystore containing the logging system certificate.

The secure logging system will use the certificate alias of Logger to locate the certificate in the specified keystore.

Default value: %BASE_DIR%/var/audit/Logger.jks

amster attribute: certificateStore

Number of Files per Archive

Controls the number of logs files that will be archived by the secure logging system.

Default value: 5

amster attribute: filesPerKeystore

Buffer Size

The number of log records held in memory before the log records will be flushed to the logfile or the database.

Default value: 25

amster attribute: bufferSize

Buffer Time

The maximum time (in seconds) AM will hold log records in memory before flushing to the underlying repository.

Default value: 60

amster attribute: bufferTime

Time Buffering

Enable or disable log buffering

When enabled AM holds all log records in a memory buffer that it periodically flushes to the repository. The period is set in the Buffer Time property.

The possible values for this property are:

  • ON

  • OFF

Default value: ON

amster attribute: buffering

Logging Level

Control the level of JDK logging within AM.

The possible values for this property are:

  • OFF

  • SEVERE

  • WARNING

  • INFO

  • CONFIG

  • FINE

  • FINER

  • FINEST

Default value: INFO

amster attribute: jdkLoggingLevel

File

The following settings appear on the File tab:

Log Rotation

Enable log rotation to cause new log files to be created when configured thresholds are reached, such as Maximum Log Size or Logfile Rotation Interval.

Default value: true

amster attribute: rotationEnabled

Maximum Log Size

Maximum size of a log file, in bytes.

Default value: 100000000

amster attribute: maxFileSize

Number of History Files

Sets the number of history files for each log that AM keeps, including time-based histories.

The previously live file is moved and is included in the history count, and a new log is created to serve as the live log file. Any log file in the history count that goes over the number specified here will be deleted.

For time-based logs, a new set of logs will be created when AM is started because of the time-based file names that are used.

Default value: 1

amster attribute: numberHistoryFiles

Logfile Rotation Prefix

The name of the log files will be prefixed with the supplied value.

This field defines the log file prefix. The prefix will be added to the name of all logfiles.

Only used when time-based log rotation is enabled.

amster attribute: prefix

Logfile Rotation Suffix

The name of the log files will be suffixed with the supplied value.

This field defines the log file suffix. If no suffix is provided, then the following default suffix format will be used: -MM.dd.yy-kk.mm. The suffix allows use of Date and Time patterns defined in SimpleDateFormat

This field is only used if the time based rotation is enabled.

Default value: -MM.dd.yy-kk.mm

amster attribute: suffix

Logfile Rotation Interval

The rotation interval (in minutes).

The rotation interval determines the frequency of when the log files will be rotated. If the value is -1, then time based rotation is disabled and log file size based rotation is enabled.

Default value: -1

amster attribute: rotationInterval

Log File Location

The path to the location of the log files

This property controls the location of the log files. The value depends on whether File or DB logging is used:

  • File: The full pathname to the directory containing the log files.

  • DB: The JDBC URL to the database used to store the log file database.

Default value: %BASE_DIR%/var/audit/

amster attribute: location

Database

The following settings appear on the Database tab:

Database User Name

When logging to a database, set this to the username used to connect to the database. If this attribute is incorrectly set, AM performance suffers.

Default value: dbuser

amster attribute: user

Database User Password

When logging to a database, set this to the password used to connect to the database. If this attribute is incorrectly set, AM performance suffers.

amster attribute: password

Database Driver Name

When logging to a database, set this to the class name of the JDBC driver used to connect to the database.

The default is for Oracle. AM also works with the MySQL database driver.

Default value: oracle.jdbc.driver.OracleDriver

amster attribute: driver

Maximum Number of Records

The maximum number of records read from the logs through the logging API.

Default value: 500

amster attribute: maxRecords

DB Failure Memory Buffer Size

Max number of log records held in memory if DB logging fails.

This is the maximum number of log records that will be held in memory if the database is unavailable. When the buffer is full, new log records cause the oldest record in the buffer to be cleared. AM monitoring records the number of log entries cleared when the database was unavailable.

If the value of this property is less than that of the Buffer Size then the buffer size value will take precedence.

Default value: 2

amster attribute: databaseFailureMemoryBufferSize

Syslog

The following settings appear on the Syslog tab:

Syslog server host

The URL or IP address of the syslog server, for example http://mysyslog.example.com, or localhost.

Default value: localhost

amster attribute: host

Syslog server port

The port number the syslog server is configured to listen to.

Default value: 514

amster attribute: port

Syslog transport protocol

The protocol to use to connect to the syslog server.

The possible values for this property are:

  • UDP

  • TCP

Default value: UDP

amster attribute: protocol

Syslog facility

Syslog uses the facility level to determine the type of program that is logging the message.

The possible values for this property are:

  • kern

  • user

  • mail

  • daemon

  • auth

  • syslog

  • lpr

  • news

  • uucp

  • cron

  • authpriv

  • ftp

  • local0

  • local1

  • local2

  • local3

  • local4

  • local5

  • local6

  • local7

Default value: local5

amster attribute: facility

Syslog connection timeout

The period of time, in seconds, to wait when attempting to connect to the syslog server, before reporting a failure.

Default value: 30

amster attribute: timeout

Monitoring

amster service name: Monitoring

Configuration

The following settings appear on the Configuration tab:

Monitoring Status

Enable / Disable the monitoring system

Default value: false

amster attribute: enabled

Monitoring HTTP Port

Port number for the HTTP monitoring interface

Default value: 8082

amster attribute: httpPort

Monitoring HTTP interface status

Enable / Disable the HTTP access to the monitoring system

Default value: false

amster attribute: httpEnabled

Monitoring HTTP interface authentication file path

Path to the monitoring system authentication file

The openam_mon_auth file contains the username and password of the account used to protect the monitoring interfaces. The default username is demo with a password of changeit. Use the ampassword command to encrypt a new password.

Default value: %BASE_DIR%/security/openam_mon_auth

amster attribute: authfilePath

Monitoring RMI Port

Port number for the JMX monitoring interface

Default value: 9999

amster attribute: rmiPort

Monitoring RMI interface status

Enable / Disable the JMX access to the monitoring system

Default value: false

amster attribute: rmiEnabled

Monitoring SNMP Port

SNMP monitoring is no longer supported. Refer to the AM release notes for details.

Monitoring SNMP interface status

SNMP monitoring is no longer supported. Refer to the AM release notes for details.

Policy evaluation monitoring history size

Size of the window of most recent policy evaluations to record to expose via monitoring system. Valid range is 100 - 1000000.

Default value: 10000

amster attribute: policyHistoryWindowSize

Session monitoring history size

Size of the window of most recent session operations to record to expose via monitoring system. Valid range is 100 - 1000000.

Default value: 10000

amster attribute: sessionHistoryWindowSize

Secondary configurations

This service has the following secondary configurations.

crest

Enabled

Default value: false

amster attribute: enabled

graphite

Hostname

The hostname of the Graphite server to which metrics should be published.

amster attribute: host

Port

The port of the Graphite server to which metrics should be published.

Default value: 2004

amster attribute: port

Frequency

The frequency (in seconds) at which metrics should be published.

Default value: 30

amster attribute: frequency

prometheus

Enabled

Default value: false

amster attribute: enabled

Authentication Type

The type of authentication determines whether Prometheus needs to authenticate: None or HTTP Basic.

Default value: HTTP Basic

amster attribute: authenticationType

Username

If the authentication type is HTTP Basic, specify a username for Prometheus to use when accessing the endpoint.

Default value: prometheus

amster attribute: username

Password

If the authentication type is HTTP Basic, specify a password for Prometheus to use when accessing the endpoint.

If you set a Secret Label Identifier and AM finds a matching secret in a secret store, the Password is ignored.

amster attribute: password

Secret Label Identifier

AM uses this identifier to create a specific secret label, using the template am.services.monitoring.prometheus.identifier.secret where identifier is the value of Secret Label Identifier.

The identifier can only contain alphanumeric characters a-z, A-Z, 0-9, and periods (.). It can’t start or end with a period.

If you set a Secret Label Identifier and AM finds a matching secret in a secret store, the Password is ignored.

amster attribute: password

Multi-federation protocol

amster service name: MultiFederationProtocol

The following settings are available in this service:

Single Logout Handler List

List of logout handlers for each supported federation protocol

The multi-federation protocol engine supports single logout. Each federation protocol requires a different single logout handler. The logout handler must implement the com.sun.identity.multiprotocol.SingleLogoutHandler interface.

Default value:

key=WSFED|class=com.sun.identity.multiprotocol.WSFederationSingleLogoutHandler
key=SAML2|class=com.sun.identity.multiprotocol.SAML2SingleLogoutHandler

amster attribute: singleLogoutHandlerList

Naming

amster service name: Naming

General configuration

The following settings appear on the General Configuration tab:

Profile Service URL

Specifies the endpoint used by the profile service.

This attribute is deprecated.

Default value: %protocol://%host:%port%uri/profileservice

amster attribute: profileUrl

Session Service URL

Specifies the endpoint used by the session service.

Default value: %protocol://%host:%port%uri/sessionservice

amster attribute: sessionUrl

Logging Service URL

Specifies the endpoint used by the logging service.

Default value: %protocol://%host:%port%uri/loggingservice

amster attribute: loggingUrl

Policy Service URL

Specifies the endpoint used by the policy service.

Default value: %protocol://%host:%port%uri/policyservice

amster attribute: policyUrl

Authentication Service URL

Specifies the endpoint used by the authentication service.

Default value: %protocol://%host:%port%uri/authservice

amster attribute: authUrl

Federation configuration

The following settings appear on the Federation Configuration tab:

SAML Web Profile/Artifact Service URL

Specifies the SAML v1 endpoint.

Default value: %protocol://%host:%port%uri/SAMLAwareServlet

amster attribute: samlAwareServletUrl

SAML SOAP Service URL

Specifies the SAML v1 SOAP service endpoint.

Default value: %protocol://%host:%port%uri/SAMLSOAPReceiver

amster attribute: samlSoapReceiverUrl

SAML Web Profile/POST Service URL

Specifies the SAML v1 Web Profile endpoint.

Default value: %protocol://%host:%port%uri/SAMLPOSTProfileServlet

amster attribute: samlPostServletUrl

SAML Assertion Manager Service URL

Specifies the SAML v1 assertion service endpoint.

Default value: %protocol://%host:%port%uri/AssertionManagerServlet/AssertionManagerIF

amster attribute: samlAssertionManagerUrl

JAXRPC Endpoint URL

(Deprecated) Specifies the JAXRPC endpoint URL used by the remote IDM/SMS APIs.

Default value: %protocol://%host:%port%uri/jaxrpc/

amster attribute: jaxrpcUrl

Endpoint configuration

The following settings appear on the Endpoint Configuration tab:

Identity Web Services Endpoint URL

Specifies the endpoint for the Identity WSDL services.

Default value: %protocol://%host:%port%uri/identityservices/

amster attribute: jaxwsUrl

Identity REST Services Endpoint URL

Specifies the endpoint for the Identity REST services.

Default value: %protocol://%host:%port%uri/identity/

amster attribute: idsvcsRestUrl

Security Token Service Endpoint URL

Specifies the STS endpoint.

Default value: %protocol://%host:%port%uri/sts

amster attribute: stsUrl

Security Token Service MEX Endpoint URL

Specifies the STS MEX endpoint.

Default value: %protocol://%host:%port%uri/sts/mex

amster attribute: stsMexUrl

OAuth2 provider

amster service name: OAuth2Provider

Global attributes

The following settings appear on the Global Attributes tab:

Token Denylist Cache Size

Number of denylisted tokens to cache in memory to speed up denylist checks and reduce load on the CTS.

Default value: 10000

amster attribute: blacklistCacheSize

Denylist Poll Interval (seconds)

How frequently to poll for token denylist changes from other servers, in seconds.

How often each server will poll the CTS for token denylist changes from other servers. This is used to maintain a highly compressed view of the overall current token denylist improving performance. A lower number will reduce the delay for denylisted tokens to propagate to all servers at the cost of increased CTS load. Set to 0 to disable this feature completely.

Default value: 60

amster attribute: blacklistPollInterval

Denylist Purge Delay (minutes)

Length of time to denylist tokens beyond their expiry time.

Allows additional time to account for clock skew to ensure that a token has expired before it is removed from the denylist.

Default value: 1

amster attribute: blacklistPurgeDelay

Client-Side Grant Token Upgrade Compatibility Mode

Enable AM to consume and create client-side OAuth 2.0 tokens in two different formats simultaneously.

Enable this option when upgrading AM to allow the new instance to create and consume client-side OAuth 2.0 tokens in both the previous format and the new format. Disable this option once all AM instances in the cluster have been upgraded.

Default value: false

amster attribute: statelessGrantTokenUpgradeCompatibilityMode

CTS Storage Scheme

Storage scheme to be used when storing OAuth2 tokens to CTS.

To support rolling upgrades, this should be set to the latest storage scheme supported by all AM instances within your cluster. Select the latest storage scheme once all AM instances in the cluster have been upgraded.

One-to-One Storage Scheme

Under this storage scheme, each OAuth2 token maps to an individual CTS entry.

This storage scheme is inefficient - use the Grant-Set Storage Scheme after all servers have been upgraded to a version that supports it.

Grant-Set Storage Scheme

Under this storage scheme, multiple authorization codes, access tokens, and refresh tokens for a given OAuth 2.0 client and resource owner can be stored within a single CTS entry.

The possible values for this property are:

  • Label: One-to-One Storage Scheme (Value: CTS_ONE_TO_ONE_MODEL)

  • Label: Grant-Set Storage Scheme (Value: CTS_GRANT_SET_MODEL)

    Default value: CTS_ONE_TO_ONE_MODEL

    amster attribute: storageScheme

Enforce JWT Unreasonable Lifetime

Enable the enforcement of JWT token unreasonable lifetime during validation.

The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants specification states that an authorization server can reject JWTs with an "exp" claim value that is unreasonably far in the future and an "iat" claim value that is unreasonably far in the past. This enforcement can be disabled, but should only be done if the security implications have been evaluated.

Default value: true

amster attribute: jwtTokenLifetimeValidationEnabled

JWT Unreasonable Lifetime (seconds)

Specify the lifetime (in seconds) of a JWT which should be considered unreasonable and rejected by validation.

The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants specification states that an authorization server can reject JWTs with an "exp" claim value that is unreasonably far in the future and an "iat" claim value that is unreasonably far in the past. During token validation AM enforces that the token must expire within the specified duration and if the "iat" claim value is present, the token must not be older than the specified duration.

Default value: 86400

amster attribute: jwtTokenUnreasonableLifetime

JWT Required Claims

Specify a custom list of claims that will be treated as required during validation of an OAuth 2.0 authorization grant or client authentication JWT. This is in addition to the default mandatory claims, "iss", "aud", and "exp". AM will throw an error if any of the claims defined in this attribute are not present.

This attribute does not apply to a request object JWT, such as the JWT parameter used when invoking the PAR endpoint.

Default value: [Empty]

amster attribute: jwtTokenRequiredClaims

OAuth2 allow unauthenticated user code entry

Determines whether authentication must take place before a user is permitted to proceed to the verification URL to enter a user code.

If set to true, users will be able to input a user code without first signing on.

This setting is intended for backwards compatibility purposes only and should only be enabled on existing installations that require legacy functionality.

Default value: false

amster attribute: allowUnauthorisedAccessToUserCodeForm

Core

The following settings appear on the Core tab:

Use Client-Side Access & Refresh Tokens

When enabled, AM issues access and refresh tokens that can be inspected by resource servers.

This setting can be overridden at the client level. Learn more in client profile configuration.

Default value: false

amster attribute: statelessTokensEnabled

Use Macaroon Access and Refresh Tokens

When enabled, AM will issue access and refresh tokens as Macaroons with caveats.

Default value: false

amster attribute: macaroonTokensEnabled

Authorization Code Lifetime (seconds)

The time an authorization code is valid for, in seconds.

Default value: 120

amster attribute: codeLifetime

Refresh Token Lifetime (seconds)

The time in seconds a refresh token is valid for. If this field is set to -1, the refresh token will never expire.

Default value: 604800

amster attribute: refreshTokenLifetime

Access Token Lifetime (seconds)

The time an access token is valid for, in seconds. Note that if you set the value to 0, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.

Default value: 3600

amster attribute: accessTokenLifetime

Issue Refresh Tokens

Whether to issue a refresh token when returning an access token.

This setting can be overridden at the client level. Learn more in client profile configuration.

Default value: true

amster attribute: issueRefreshToken

Issue Refresh Tokens on Refreshing Access Tokens

Whether to issue a refresh token when refreshing an access token.

This setting can be overridden at the client level. Learn more in client profile configuration.

Default value: true

amster attribute: issueRefreshTokenOnRefreshedToken

Use Policy Engine for Scope decisions

With this setting enabled, the policy engine is consulted for each scope value that is requested.

Scope decisions are made in the following way when based on the policy engine:

  • If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow.

  • If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not see it in a user-interaction flow.

  • If no policy returns a value for the GRANT action:

    • For user-facing grant types, such as the authorization or device code flows, the user is asked for consent or saved consent is used.

    • For grant types that are not user-facing, such as those using password or client credentials, the scope is not added to any resulting token.

This setting can be overridden at the client level. Learn more in client profile configuration.

Default value: false

amster attribute: usePolicyEngineForScope

Scopes Policy Set

The policy set that defines the context in which policy evaluations occur when Use Policy Engine for Scope decisions is enabled on the OAuth 2.0 provider. Leave this field blank, or set it to oauth2Scopes to use the default policy set.

This setting can be overridden at the client level. Learn more in client profile configuration.

Default value: [Empty]

OAuth2 Access Token May Act Script

The script that is executed when issuing an access token explicitly to modify the may_act claim placed on the token.

This setting can be overridden at the client level. Learn more in client profile configuration.

The possible values for this property are:

  • Label: OAuth2 May Act Script (Value: c735de08-f8f2-4e69-aa4a-2d8d3d438323)

  • Label: --- Select a script --- (Value: [Empty])

Default value: [Empty]

amster attribute: accessTokenMayActScript

OIDC ID Token May Act Script

The script that is executed when issuing an OIDC ID Token explicitly to modify the may_act claim placed on the token.

This setting can be overridden at the client level. Learn more in client profile configuration.

The possible values for this property are:

  • Label: OAuth2 May Act Script (Value: c735de08-f8f2-4e69-aa4a-2d8d3d438323)

  • Label: --- Select a script --- (Value: [Empty])

Default value: [Empty]

amster attribute: oidcMayActScript

Advanced

The following settings appear on the Advanced tab:

Custom Login URL Template

Custom URL for handling login, to override the default AM login page.

Supports Freemarker syntax, with the following variables:

Variable

Description

gotoUrl

The URL to redirect to after login.

acrValues

The Authentication Context Class Reference (acr) values for the authorization request.

realm

The AM realm the authorization request was made on.

module

The name of the AM authentication module requested to perform resource owner authentication.

service

The name of the AM authentication chain requested to perform resource owner authentication.

locale

A space-separated list of locales, ordered by preference.

The following example template redirects users to a non-AM front end to handle login, which will then redirect back to the /oauth2/authorize endpoint with any required parameters:

http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if>

The default AM login page is constructed using the "Base URL Source" service.

This setting can be overridden at the client level. Learn more in client profile configuration.

amster attribute: customLoginUrlTemplate

Persistent Claims

Set of custom claims that can be persisted between token refreshes. This list should not include the RFC 123 OAuth2 specification defined list of claims.

Default value:

amster attribute: persistentClaims

Response Type Plugins

List of plugins that handle the valid response_type values.

OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (/oauth2/authorize) to indicate which grant type is requested from the provider. For example, the client passes code when requesting an authorization code, and token when requesting an access token.

Values in this list take the form response-type|plugin-class-name.

Default value:

code|org.forgerock.oauth2.core.AuthorizationCodeResponseTypeHandler
id_token|org.forgerock.openidconnect.IdTokenResponseTypeHandler
device_code|org.forgerock.oauth2.core.TokenResponseTypeHandler
token|org.forgerock.oauth2.core.TokenResponseTypeHandler

amster attribute: responseTypeClasses

Additional Audience Values

The additional audience values that will be permitted when verifying Client Authentication JWTs.

These audience values will be in addition to the AS base, issuer and endpoint URIs.

amster attribute: allowedAudienceValues

Token Exchanger Plugins

List of plugins that handle the valid requested_token_type values.

When using the Token Exchange grant type, these handlers will be used to convert the provided subject_token and actor_token into the appropriate impersonation or delegation tokens for use with downstream services.

Default value:

urn:ietf:params:oauth:token-type:access_token=&gt;urn:ietf:params:oauth:token-type:access_token|org.forgerock.oauth2.core.tokenexchange.accesstoken.AccessTokenToAccessTokenExchanger
urn:ietf:params:oauth:token-type:id_token=&gt;urn:ietf:params:oauth:token-type:id_token|org.forgerock.oauth2.core.tokenexchange.idtoken.IdTokenToIdTokenExchanger
urn:ietf:params:oauth:token-type:access_token=&gt;urn:ietf:params:oauth:token-type:id_token|org.forgerock.oauth2.core.tokenexchange.accesstoken.AccessTokenToIdTokenExchanger
urn:ietf:params:oauth:token-type:id_token=&gt;urn:ietf:params:oauth:token-type:access_token|org.forgerock.oauth2.core.tokenexchange.idtoken.IdTokenToAccessTokenExchanger

amster attribute: tokenExchangeClasses

Token Validator Plugins

List of plugins that validate subject_token and actor_token values.

When using the Token Exchange grant type, these handlers will be used to convert the validate subject_token and actor_token values to ensure they meet the required criteria to be exchanged.

Default value:

urn:ietf:params:oauth:token-type:id_token|org.forgerock.oauth2.core.tokenexchange.idtoken.OidcIdTokenValidator
urn:ietf:params:oauth:token-type:access_token|org.forgerock.oauth2.core.tokenexchange.accesstoken.OAuth2AccessTokenValidator

amster attribute: tokenValidatorClasses

User Profile Attribute(s) the Resource Owner is Authenticated On

Names of profile attributes that resource owners use to log in. You can add others to the default, for example mail.

Default value: uid

amster attribute: authenticationAttributes

User Display Name attribute

The profile attribute that contains the name to be displayed for the user on the consent page.

Default value: cn

amster attribute: displayNameAttribute

Client Registration Scope Allowlist

The set of scopes allowed when registering clients dynamically, with translations.

Scopes can be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.

For example: read|en|Permission to view email messages in your account

Locale strings are in the format: language_country_variant, for example en, en_GB, or en_US_WIN.

If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.

If the description is also omitted, nothing is displayed on the consent page for the scope. For example, specifying read| would allow the scope read to be used by the client but would not display it to the user on the consent page when requested.

amster attribute: supportedScopes

Subject Types supported

List of subject types supported. Valid values are:

  • public - Each client receives the same subject (sub) value.

  • pairwise - Each client receives a different subject (sub) value, to prevent correlation between clients.

    Default value:

    public
    pairwise

    amster attribute: supportedSubjectTypes

Default Client Scopes

List of scopes a client will be granted if they request registration without specifying which scopes they want. Default scopes are not auto-granted to clients created through the AM admin UI.

amster attribute: defaultScopes

OAuth2 Token Signing Algorithm

Algorithm used to sign client-side OAuth 2.0 tokens in order to detect tampering.

AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

    The possible values for this property are:

  • HS256

  • HS384

  • HS512

  • RS256

  • RS384

  • RS512

  • ES256

  • ES384

  • ES512

  • PS256

  • PS384

  • PS512

Default value: HS256
amster attribute: tokenSigningAlgorithm

Client-Side Token Compression

Whether client-side access and refresh tokens should be compressed.

Default value: false

amster attribute: tokenCompressionEnabled

Encrypt Client-Side Tokens

Whether client-side access and refresh tokens should be encrypted.

Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.

This setting can be overridden at the client level. Learn more in client profile configuration.

Default value: false

amster attribute: tokenEncryptionEnabled

Subject Identifier Hash Salt

If pairwise subject types are supported, it is STRONGLY RECOMMENDED to change this value. It is used in the salting of hashes for returning specific sub claims to individuals using the same request_uri or sector_identifier_uri.

If you map am.services.oauth2.provider.hash.salt.secret to a secret in a secret store, AM ignores this value.

Learn more about secret labels in OAuth 2.0 default secret label mappings.

Default value: changeme

amster attribute: hashSalt

Code Verifier Parameter Required

If enabled, requests using the authorization code grant or device flow require a code_challenge attribute to comply with the PKCE standard.

For more information, read the PKCE specification.

Note that if a client specifies a code_challenge parameter in the authorization request, PKCE is enabled regardless of the value of this attribute.

The possible values for this property are:

  • Label: All requests (Value: true)

  • Label: Requests from all public clients (Value: public)

  • Label: Requests from all passwordless public clients (Value: passwordless)

  • Label: No requests (Value: false)

Default value: false

amster attribute: codeVerifierEnforced

Modified Timestamp Attribute Name

The identity Data Store attribute used to return modified timestamp values.

This attribute is paired together with the Created Timestamp Attribute Name attribute (createdTimestampAttribute). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.

For example, when you configure AM as an OIDC provider (OP) in a Mobile Connect application and use DS as an identity store, the client accesses the userinfo endpoint to obtain the updated_at claim value in the ID token. The updated_at claim gets its value from the modifiedTimestampAttribute attribute in the user profile. If the profile has never been modified the updated_at claim uses the createdTimestampAttribute attribute.

amster attribute: modifiedTimestampAttribute

Created Timestamp Attribute Name

The identity Data Store attribute used to return created timestamp values.

amster attribute: createdTimestampAttribute

Password Grant Authentication Service

The authentication service (chain or tree) that will be used to authenticate the username and password for the resource owner password credentials grant type.

The possible values for this property are:

  • [Empty]

  • ldapService

  • amsterService

  • Example

  • Agent

  • RetryLimit

  • PersistentCookie

  • HmacOneTimePassword

  • Facebook-ProvisionIDMAccount

  • Google-AnonymousUser

  • Google-DynamicAccountCreation

  • PlatformRegistration

  • PlatformProgressiveProfile

  • PlatformLogin

  • PlatformForgottenUsername

  • PlatformResetPassword

  • PlatformUpdatePassword

amster attribute: passwordGrantAuthService

Enable Auth Module Messages for Password Credentials Grant

If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.

The Password Grant Type requires the grant_type=password parameter.

Default value: false

amster attribute: moduleMessageEnabledInPasswordGrant

Grant Types

The set of Grant Types (OAuth2 Flows) that are permitted to be used by this client.

If no Grant Types (OAuth2 Flows) are configured nothing will be permitted.

Default value:

implicit
urn:ietf:params:oauth:grant-type:saml2-bearer
refresh_token
password
client_credentials
urn:ietf:params:oauth:grant-type:device_code
authorization_code
urn:openid:params:grant-type:ciba
urn:ietf:params:oauth:grant-type:uma-ticket
urn:ietf:params:oauth:grant-type:token-exchange
urn:ietf:params:oauth:grant-type:jwt-bearer

amster attribute: grantTypes

Trusted TLS Client Certificate Header

HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.

Leave blank if not terminating TLS at a proxy. Ensure that the proxy is configured to strip this headerfrom incoming requests. Best practice is to use a random string.

amster attribute: tlsClientCertificateTrustedHeader

TLS Client Certificate Header Format

Format of the HTTP header used to communicate a client certificate from a reverse proxy.

The following formats are supported:

  • URLENCODED_PEM - a URL-encoded PEM format certificate. This is the format used by Nginx.

  • ` X_FORWARDED_CLIENT_CERT` - the X-Forwarded-Client-Certformat used by Envoy and Istio.

    The possible values for this property are:

  • URLENCODED_PEM

  • X_FORWARDED_CLIENT_CERT

Default value: URLENCODED_PEM
amster attribute: tlsClientCertificateHeaderFormat

Support TLS Certificate-Bound Access Tokens

Whether to bind access tokens to the client certificate when using TLS client certificate authentication.

Default value: true

amster attribute: tlsCertificateBoundAccessTokensEnabled

Check TLS Certificate Revocation Status

Whether to check if TLS client certificates have been revoked.

If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements "soft fail" semantics: if the revocation status cannot be established due to a temporary error (for example, a network error) then the certificate is assumed to still be valid.

Default value: false

amster attribute: tlsCertificateRevocationCheckingEnabled

OCSP Responder URI

URI of the OCSP responder service to use for checking certificate revocation status.

If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.

amster attribute: tlsOcspResponderUri

OCSP Responder Certificate

PEM-encoded certificate to use to verify OCSP responses.

If specified this certificate will be used to verify the signature on all OCSP responses. Otherwise the appropriate certificate will be determined from the trusted CA certificates.

amster attribute: tlsOcspResponderCert

Macaroon Token Format

The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.

The possible values for this property are:

  • V1

  • V2

Default value: V2
amster attribute: macaroonTokenFormat

Require exp claim in Request Object

If enabled, the exp claim must be included in JWT request objects specified at /oauth2/authorize or /oauth2/par.

The exp (expiration time) claim defines the lifetime of the JWT, after which the JWT is no longer valid.

To comply with the FAPI security profile, this setting must be enabled.

Default value: false

amster attribute: expClaimRequiredInRequestObject

Require nbf claim in Request Object

If enabled, the nbf claim must be included in JWT request objects specified at /oauth2/authorize or /oauth2/par.

The nbf (not before) claim defines the earliest time that the JWT can be accepted for processing.

To comply with the FAPI security profile, this setting must be enabled.

Default value: false

amster attribute: nbfClaimRequiredInRequestObject

Max nbf and exp difference

The maximum permitted difference, in minutes, between the nbf and exp claims, as defined in the request object JWT.

A value of 0 indicates that there is no maximum time requirement.

If set to a value greater than 0, and either nbf or exp is not defined, the JWT is validated successfully, providing the claims are not required.

If set to a value greater than 0, and both claims are present, the JWT is validated accordingly, even when not required.

To comply with the FAPI security profile, this setting must be 60 (minutes) or less.

Default value: 0

amster attribute: maxDifferenceBetweenRequestObjectNbfAndExp

Max nbf age

The maximum permitted age, in minutes, of the nbf claim.

A value of 0 indicates that there is no maximum time requirement.

If set to a value greater than 0, and nbf is neither required nor specified, the JWT is validated successfully.

If set to a value greater than 0, and nbf is present, the JWT is validated accordingly, even when not required.

To comply with the FAPI security profile, this setting must be 60 (minutes) or less.

Default value: 0

amster attribute: maxAgeOfRequestObjectNbfClaim

Request Object Processing Specification

For OIDC requests only, this setting determines which specification is used to validate request object JWTs.

For example, the following OIDC request specifies a request object JWT and could be validated either according to the JAR specification, or as a standard OIDC request:

/authorize?client_id=myClient&request={JWT with scope=openid, response_type=id_token}

OAuth 2.0 requests that do not fall into this category, such as PAR or non-OIDC JWT requests, are processed according to the JAR specification, regardless of the value of this setting.

The possible values are:

This table summarizes the differences between the rules that need to be adhered to in each case.

Specification Rules
OIDC specification JAR specification

Request object

May be unsigned.

Must be JWS signed, and optionally, JWE encrypted.

Authorization request parameters

Assembles parameters from both the request object and the query parameters.

If duplicates exist, the request object parameter takes precedence.

Assembles parameters from the request object ONLY.

Duplicates that are defined as query parameters are ignored.

Required request parameters

  • client_id

  • response_type

  • scope, including openid scope value

  • client_id (must match the client ID specified in the request itself)

  • request OR request_uri

Default value: OIDC

amster attribute: requestObjectProcessing

PAR Request URI Lifetime (seconds)

The length of time that the PAR Request URI is valid, in seconds.

Set this value to a short interval (for example, between 5 and 150 seconds). Setting this attribute to a higher value increases the load on the CTS, and can even result in denial of service if the requests are large and consume the available storage capacity.

Learn more about the PAR flow in Authorization code grant with PAR.

Default value: 90

amster attribute: parRequestUriLifetime

Require Pushed Authorization Requests

If enabled, clients must use the PAR endpoint to initiate authorization requests, otherwise AM will throw an error indicating a missing or invalid request object.

This applies to all clients, including clients that are not configured to require PAR. You can find details in Advanced client properties.

Default value: false

amster attribute: requirePushedAuthorizationRequests

Refresh Token Grace Period (seconds)

The time, in seconds, that a refresh token can be reused. This grace period lets OAuth 2.0 clients recover seamlessly if the response from an original refresh token request is not received because of a network problem or other transient issue. During the grace period, the refresh token can be reused multiple times if the network problem persists. When the grace period ends, the refresh token is revoked.

The refresh token grace period applies only to server-side tokens, in a one-to-one storage scheme.

Having a long grace period poses a security risk. You should therefore keep the grace period as small as possible. By default, the grace period cannot exceed 120 seconds. You can override this default maximum by setting the org.forgerock.openam.oauth2.client.graceperiod.disabled advanced server property. Note, however, that exceeding the default maximum of 120 seconds is not recommended.

There is no grace period by default, so the default value is 0.

Allow Client Credentials in Token Endpoint Query Parameters

When this setting is true, you can include client credentials in token endpoint requests as query parameters.

Default value: false

Don’t change this setting, for security reasons.

amster attribute: allowClientCredentialsInTokenRequestQueryParameters

Include subname claim in tokens issued by the OAuth2 Provider

When this setting is true, AM adds the subname claim to access and ID tokens by default.

The value of the subname claim is the name of the token’s subject, for example, demo, or myOAuth2Client.

Default value: true

Client Dynamic Registration

The following settings appear on the Client Dynamic Registration tab:

Require Software Statement for Dynamic Client Registration

When enabled, a software statement JWT containing at least the iss (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.

Default value: false

amster attribute: dynamicClientRegistrationSoftwareStatementRequired

Required Software Statement Attested Attributes

The client attributes that are required to be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Only applies if Require Software Statements for Dynamic Client Registration is enabled.

Leave blank to allow any attributes to be present.

Default value: redirect_uris

amster attribute: requiredSoftwareStatementAttestedAttributes

Allow Open Dynamic Client Registration

Allow clients to register without an access token. If enabled, consider adding some form of rate limiting. For details, refer to Client Registration in the OIDC specification.

Default value: false

amster attribute: allowDynamicRegistration

Generate Registration Access Tokens

Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens let the client access the Client Configuration Endpoint as per the OIDC specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.

Default value: true

amster attribute: generateRegistrationAccessTokens

Scope to give access to dynamic client registration

Mandatory scope required when registering a new OAuth2 client.

Default value: dynamic_client_registration

amster attribute: dynamicClientRegistrationScope

OpenID Connect

The following settings appear on the OpenID Connect tab:

Overrideable Id_Token Claims

List of claims in the ID token that can be overridden in the OIDC Claims script. These should be the subset of the core OIDC claims, such as aud or azp.

This setting can be overridden at the client level. Learn more in client profile configuration.

amster attribute: overrideableOIDCClaims

ID Token Signing Algorithms supported

Algorithms supported to sign OIDC id_tokens.

AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

  • RS384 - RSASSA-PKCS-v1_5 using SHA-384.

  • RS512 - RSASSA-PKCS-v1_5 using SHA-512.

  • PS256 - RSASSA-PSS using SHA-256.

  • PS384 - RSASSA-PSS using SHA-384.

  • PS512 - RSASSA-PSS using SHA-512.

    Default value:

    PS384
    ES384
    RS384
    HS256
    HS512
    ES256
    RS256
    HS384
    ES512
    PS256
    PS512
    RS512

amster attribute: supportedIDTokenSigningAlgorithms

ID Token Encryption Algorithms supported

Encryption algorithms supported to encrypt OIDC ID tokens to hide their contents.

AM supports the following ID token encryption algorithms:

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • ` RSA-OAEP-256` - RSA with OAEP with SHA-256 and MGF-1.

  • ` A128KW` - AES Key Wrapping with 128-bit key derived from the client secret.

  • ` RSA1_5` - RSA with PKCS#1 v1.5 padding.

  • ` A256KW` - AES Key Wrapping with 256-bit key derived from the client secret.

  • ` dir` - Direct encryption with AES using the hashed client secret.

  • ` A192KW` - AES Key Wrapping with 192-bit key derived from the client secret.

    Default value:

    ECDH-ES+A256KW
    ECDH-ES+A192KW
    RSA-OAEP
    ECDH-ES+A128KW
    RSA-OAEP-256
    A128KW
    A256KW
    ECDH-ES
    dir
    A192KW

    amster attribute: supportedIDTokenEncryptionAlgorithms

ID Token Encryption Methods supported

Encryption methods supported to encrypt OIDC ID tokens to hide their contents.

AM supports the following ID token encryption algorithms:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

    Default value:

    A256GCM
    A192GCM
    A128GCM
    A128CBC-HS256
    A192CBC-HS384
    A256CBC-HS512

    amster attribute: supportedIDTokenEncryptionMethods

Supported Claims

Set of claims supported by the OIDC /oauth2/userinfo endpoint, with translations.

Claims can be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.

For example: name|en|Your full name..

Locale strings are in the format: language + "" + country + "" + variant, for example en, en_GB, or en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.

If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying family_name| would allow the claim family_name to be used by the client, but would not display it to the user on the consent page when requested.

amster attribute: supportedClaims

OpenID Connect JWT Token Lifetime (seconds)

The amount of time the JWT will be valid for, in seconds.

Default value: 3600

amster attribute: jwtTokenLifetime

OIDC Provider Discovery

Turns on and off OIDC Discovery endpoint.

Default value: false

amster attribute: oidcDiscoveryEndpointEnabled

Advanced OpenID Connect

The following settings appear on the Advanced OpenID Connect tab:

Remote JSON Web Key URL

The Remote URL where the providers JSON Web Key can be retrieved.

If this setting is not configured, then AM provides a local URL to access the public key of the private key used to sign ID tokens.

amster attribute: jkwsURI

Idtokeninfo Endpoint Requires Client Authentication

When enabled, the /oauth2/idtokeninfo endpoint requires client authentication if the signing algorithm is set to HS256, HS384, or HS512.

Default value: true

amster attribute: idTokenInfoClientAuthenticationEnabled

Enable "claims_parameter_supported"

If enabled, clients will be able to request individual claims using the claims request parameter, as per section 5.5 of the OIDC specification.

Default value: false

amster attribute: claimsParameterSupported

OpenID Connect acr_values to Auth Chain Mapping

Maps OIDC ACR values to authentication trees or chains. You can find details in the acr_values parameter in the OIDC authentication request specification.

Do not configure more than one ACR mapping to the same authentication tree or chain. Doing so can result in misrepresentation of the ACR information in the issued ID token.

amster attribute: loaMapping

Default ACR values

Default requested Authentication Context Class Reference values.

List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.

amster attribute: defaultACR

OpenID Connect id_token amr Values to Auth Module Mappings

Specify amr values to be returned in the OIDC id_token. When authentication has completed, the authentication modules used from the authentication service are mapped to the amr values. If you do not require amr values or are not providing OIDC tokens, leave this field blank.

amster attribute: amrMappings

Always Return Claims in ID Tokens

If enabled, include scope-derived claims in the id_token, even if an access token is also returned that could provide access to get the claims from the userinfo endpoint.

If not enabled, if an access token is requested the client must use it to access the userinfo endpoint for scope-derived claims, as they will not be included in the ID token.

Default value: false

amster attribute: alwaysAddClaimsToToken

Enable Session Management

If this setting is disabled, OIDC session management related endpoints are disabled. When enabled AM stores ops tokens corresponding to OIDC sessions in the CTS store and an OIDC session ID in the AM session.

Default value: true

amster attribute: storeOpsTokens

Request Parameter Signing Algorithms Supported

Algorithms supported to verify signature of Request parameter. AM supports the signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

Default value:

PS384
ES384
RS384
HS256
HS512
ES256
RS256
HS384
ES512
PS256
PS512
RS512

amster attribute: supportedRequestParameterSigningAlgorithms

Request Parameter Encryption Algorithms Supported

Encryption algorithms supported to decrypt Request parameter.

AM supports the following ID token encryption algorithms:

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.

  • A128KW - AES Key Wrapping with 128-bit key derived from the client secret.

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • A256KW - AES Key Wrapping with 256-bit key derived from the client secret.

  • dir - Direct encryption with AES using the hashed client secret.

  • A192KW - AES Key Wrapping with 192-bit key derived from the client secret.

Default value:

ECDH-ES+A256KW
ECDH-ES+A192KW
ECDH-ES+A128KW
RSA-OAEP
RSA-OAEP-256
A128KW
A256KW
ECDH-ES
dir
A192KW

amster attribute: supportedRequestParameterEncryptionAlgorithms

Request Parameter Encryption Methods Supported

Encryption methods supported to decrypt Request parameter.

AM supports the following Request parameter encryption algorithms:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

Default value:

A256GCM
A192GCM
A128GCM
A128CBC-HS256
A192CBC-HS384
A256CBC-HS512

amster attribute: supportedRequestParameterEncryptionEnc

Supported Token Endpoint JWS Signing Algorithms.

Supported JWS Signing Algorithms for 'private_key_jwt' JWT-based authentication method.

Default value:

PS384
ES384
RS384
HS256
HS512
ES256
RS256
HS384
ES512
PS256
PS512
RS512

amster attribute: supportedTokenEndpointAuthenticationSigningAlgorithms

Authorized OIDC SSO Clients

Clients authorized to use OIDC ID tokens as SSO Tokens.

Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.

amster attribute: authorisedOpenIdConnectSSOClients

UserInfo Signing Algorithms Supported

Algorithms supported to verify signature of the UserInfo endpoint. AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

Default value:

ES384
HS256
HS512
ES256
RS256
HS384
ES512

amster attribute: supportedUserInfoSigningAlgorithms

UserInfo Encryption Algorithms Supported

Encryption algorithms supported by the UserInfo endpoint.

AM supports the following UserInfo endpoint encryption algorithms:

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • ` RSA-OAEP-256` - RSA with OAEP with SHA-256 and MGF-1.

  • ` A128KW` - AES Key Wrapping with 128-bit key derived from the client secret.

  • ` RSA1_5` - RSA with PKCS#1 v1.5 padding.

  • ` A256KW` - AES Key Wrapping with 256-bit key derived from the client secret.

  • ` dir` - Direct encryption with AES using the hashed client secret.

  • ` A192KW` - AES Key Wrapping with 192-bit key derived from the client secret.

Default value:

ECDH-ES+A256KW
ECDH-ES+A192KW
RSA-OAEP
ECDH-ES+A128KW
RSA-OAEP-256
A128KW
A256KW
ECDH-ES
dir
A192KW

amster attribute: supportedUserInfoEncryptionAlgorithms

UserInfo Encryption Methods Supported

Encryption methods supported by the UserInfo endpoint.

AM supports the following UserInfo endpoint encryption methods:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

Default value:

A256GCM
A192GCM
A128GCM
A128CBC-HS256
A192CBC-HS384
A256CBC-HS512

amster attribute: supportedUserInfoEncryptionEnc

Token Introspection Response Signing Algorithms Supported

Algorithms that are supported for signing the Token Introspection endpoint JWT response.

AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

  • RS384 - RSASSA-PKCS-v1_5 using SHA-384.

  • RS512 - RSASSA-PKCS-v1_5 using SHA-512.

  • EdDSA - EdDSA with SHA-512.

Default value:

PS384
RS384
EdDSA
ES384
HS256
HS512
ES256
RS256
HS384
ES512
PS256
PS512
RS512

amster attribute: supportedTokenIntrospectionResponseSigningAlgorithms

Token Introspection Response Encryption Algorithms Supported

Encryption algorithms supported by the Token Introspection endpoint JWT response.

AM supports the following Token Introspection endpoint encryption algorithms:

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.

  • A128KW - AES Key Wrapping with 128-bit key derived from the client secret.

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • A256KW - AES Key Wrapping with 256-bit key derived from the client secret.

  • dir - Direct encryption with AES using the hashed client secret.

  • A192KW - AES Key Wrapping with 192-bit key derived from the client secret.

Default value:

ECDH-ES+A256KW
ECDH-ES+A192KW
RSA-OAEP
ECDH-ES+A128KW
RSA-OAEP-256
A128KW
A256KW
ECDH-ES
dir
A192KW

amster attribute: supportedTokenIntrospectionResponseEncryptionAlgorithms

Token Introspection Response Encryption Methods Supported

Encryption methods supported by the Token Introspection endpoint JWT response.

AM supports the following encryption methods:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

Default value:

A256GCM
A192GCM
A128GCM
A128CBC-HS256
A192CBC-HS384
A256CBC-HS512

amster attribute: supportedTokenIntrospectionResponseEncryptionEnc

Authorization Response Signing Algorithms Supported

Algorithms supported for signing the /oauth2/authorize endpoint JWT response.

AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256

  • HS384 - HMAC with SHA-384

  • HS512 - HMAC with SHA-512

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256

  • RS384 - RSASSA-PKCS1-v1_5 using SHA-384

  • RS512 - RSASSA-PKCS1-v1_5 using SHA-512

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve

  • PS256 - RSASSA-PSS using SHA-256 and MGF1 with SHA-256

  • PS384 - RSASSA-PSS using SHA-384 and MGF1 with SHA-384

  • PS512 - RSASSA-PSS using SHA-512 and MGF1 with SHA-512

Default value:

PS384
ES384
RS384
HS256
HS512
ES256
RS256
HS384
ES512
PS256
PS512
RS512

amster attribute: supportedAuthorizationResponseSigningAlgorithms

Authorization Response Encryption Algorithms Supported

Algorithms supported for encrypting the /oauth2/authorize JWT response.

AM supports the following Token Introspection endpoint encryption algorithms:

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.

  • A128KW - AES Key Wrapping with 128-bit key derived from the client secret.

  • A192KW - AES Key Wrapping with 192-bit key derived from the client secret.

  • A256KW - AES Key Wrapping with 256-bit key derived from the client secret.

  • dir - Direct encryption with AES using the hashed client secret.

  • ECDH-ES - Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF.

  • ECDH-ES+A128KW - ECDH-ES using Concat KDF and CEK wrapped with A128KW.

  • ECDH-ES+A192KW - ECDH-ES using Concat KDF and CEK wrapped with A192KW.

  • ECDH-ES+A256KW - ECDH-ES using Concat KDF and CEK wrapped with A256KW.

Default value:

ECDH-ES+A256KW
ECDH-ES+A192KW
RSA-OAEP
ECDH-ES+A128KW
RSA-OAEP-256
A128KW
A256KW
ECDH-ES
dir
A192KW

amster attribute: supportedAuthorizationResponseEncryptionAlgorithms

Authorization Response Encryption Methods Supported

Methods supported for encrypting the /oauth2/authorize JWT response.

AM supports the following encryption methods:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

Default value:

A256GCM
A192GCM
A128GCM
A128CBC-HS256
A192CBC-HS384
A256CBC-HS512

amster attribute: supportedAuthorizationResponseEncryptionEnc

Include all kty and alg combinations in jwks_uri

By default only distinct kid entries are returned in the jwks_uri and the alg property is not included. Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination (RFC7517 distinct key KIDs).

Default value: false

amster attribute: includeAllKtyAlgCombinationsInJwksUri

Use Force Authentication for prompt=login

If you specify the prompt=login parameter in the URL, AM forces the end user to authenticate even if they already have a valid session.

This property has slightly different behavior depending on whether you’re using trees or chains for authentication.

In both cases, the property is false by default.

  • Trees

  • Chains

If this property is false (the default), AM destroys the existing session and creates a new session after reauthentication.

If this property is true, AM performs a session upgrade on reauthentication.

If this property is false (the default), AM destroys the existing session and creates a new session after reauthentication.

If this property is true, AM returns the same session ID after reauthentication.

If you set this property to true, you must also set the org.forgerock.openam.authentication.forceAuth.enabled advanced server property to true, otherwise, your users can end up in an infinite login loop.

For security reasons, you should leave Use Force Authentication for prompt=login set to the default value (false) so that AM creates a new session when the user reauthenticates.

Use Force Authentication for max_age

This property applies only to reauthentication triggered by the Default Max Age property of an OAuth 2.0 client.

The property has slightly different behavior depending on whether you’re using trees or chains for authentication.

In both cases, the property is false by default.

  • Trees

  • Chains

If this property is false and the user requests authorization after the max_age has passed, AM destroys the existing session and creates a new session after reauthentication.

If this property is true and the user requests authorization after the max_age has passed, AM performs a session upgrade on reauthentication.

If this property is false and the user requests authorization after the max_age has passed, AM destroys the existing session and creates a new session after reauthentication.

If this property is true and the user requests authorization after the max_age has passed, AM returns the same session ID after reauthentication.

If you set this property to true, you must also set the org.forgerock.openam.authentication.forceAuth.enabled advanced server property to true, otherwise, your users could end up in an infinite sign on loop.

For security reasons, you should leave Use Force Authentication for max_age set to the default value (false), so that AM creates a new session when the user reauthenticates.

Device Flow

The following settings appear on the Device Flow tab:

Verification URL

The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.

amster attribute: verificationUrl

Device Completion URL

The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.

amster attribute: completionUrl

Device Code Lifetime (seconds)

The lifetime of the device code, in seconds.

Default value: 300

amster attribute: deviceCodeLifetime

Device Polling Interval

The polling frequency for devices waiting for tokens when using the device code flow.

Default value: 5

amster attribute: devicePollInterval

User Code Character Length

The number of characters in the generated user code.

Default value: 8

amster attribute: deviceUserCodeLength

User Code Character Set

The set of characters to be used to generate a user code.

Consider limitations of low resolution mobile devices when defining a character sets. For example, the OAuth 2.0 Device Grant specification recommends removing characters that can be easily confused, such as "0" and "O" or "1", "l" and "I". You can find additional examples in RFC 8628.

Default value: 234567ACDEFGHJKLMNPQRSTWXYZabcdefhijkmnopqrstwxyz

amster attribute: deviceUserCodeCharacterSet

The following settings appear on the Consent tab:

Saved Consent Attribute Name

Name of a multi-valued attribute on resource owner profiles where AM can save authorization consent decisions.

When the resource owner chooses to save the decision to authorize access for a client application, then AM updates the resource owner’s profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.

amster attribute: savedConsentAttribute

Allow Clients to Skip Consent

If enabled, clients can be configured so that the resource owner won’t be asked for consent during authorization flows.

This setting can be overridden at the client level. Learn more in client profile configuration.

Default value: false

amster attribute: clientsCanSkipConsent

Enable Remote Consent

Enables consent to be gathered by a separate service.

This setting can be overridden at the client level. Learn more in client profile configuration.

Default value: false

amster attribute: enableRemoteConsent

Remote Consent Service ID

The ID of an existing remote consent service agent.

The possible values for this property are:

  • [Empty]

    This setting can be overridden at the client level. Learn more in client profile configuration.

    amster attribute: remoteConsentServiceId

Remote Consent Service Request Signing Algorithms Supported

Algorithms supported to sign consent_request JWTs for Remote Consent Services.

AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

    Default value:

    PS384
    ES384
    RS384
    HS256
    HS512
    ES256
    RS256
    HS384
    ES512
    PS256
    PS512
    RS512

    amster attribute: supportedRcsRequestSigningAlgorithms

Remote Consent Service Request Encryption Algorithms Supported

Encryption algorithms supported to encrypt Remote Consent Service requests.

AM supports the following encryption algorithms:

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.

  • A128KW - AES Key Wrapping with 128-bit key derived from the client secret.

  • A192KW - AES Key Wrapping with 192-bit key derived from the client secret.

  • A256KW - AES Key Wrapping with 256-bit key derived from the client secret.

  • dir - Direct encryption with AES using the hashed client secret.

    Default value:

    ECDH-ES+A256KW
    ECDH-ES+A192KW
    RSA-OAEP
    ECDH-ES+A128KW
    RSA-OAEP-256
    A128KW
    A256KW
    ECDH-ES
    dir
    A192KW

    amster attribute: supportedRcsRequestEncryptionAlgorithms

Remote Consent Service Request Encryption Methods Supported

Encryption methods supported to encrypt Remote Consent Service requests.

AM supports the following encryption methods:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

    Default value:

    A256GCM
    A192GCM
    A128GCM
    A128CBC-HS256
    A192CBC-HS384
    A256CBC-HS512

    amster attribute: supportedRcsRequestEncryptionMethods

Remote Consent Service Response Signing Algorithms Supported

Algorithms supported to verify signed consent_response JWT from Remote Consent Services.

AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

    Default value:

    PS384
    ES384
    RS384
    HS256
    HS512
    ES256
    RS256
    HS384
    ES512
    PS256
    PS512
    RS512

    amster attribute: supportedRcsResponseSigningAlgorithms

Remote Consent Service Response Encryption Algorithms Supported

Encryption algorithms supported to decrypt Remote Consent Service responses.

AM supports the following encryption algorithms:

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • ` RSA-OAEP` - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • ` RSA-OAEP-256` - RSA with OAEP with SHA-256 and MGF-1.

  • ` A128KW` - AES Key Wrapping with 128-bit key derived from the client secret.

  • ` A192KW` - AES Key Wrapping with 192-bit key derived from the client secret.

  • ` A256KW` - AES Key Wrapping with 256-bit key derived from the client secret.

  • ` dir` - Direct encryption with AES using the hashed client secret.

    Default value:

    ECDH-ES+A256KW
    ECDH-ES+A192KW
    ECDH-ES+A128KW
    RSA-OAEP
    RSA-OAEP-256
    A128KW
    A256KW
    ECDH-ES
    dir
    A192KW

    amster attribute: supportedRcsResponseEncryptionAlgorithms

Remote Consent Service Response Encryption Methods Supported

Encryption methods supported to decrypt Remote Consent Service responses.

AM supports the following encryption methods:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

    Default value:

    A256GCM
    A192GCM
    A128GCM
    A128CBC-HS256
    A192CBC-HS384
    A256CBC-HS512

    amster attribute: supportedRcsResponseEncryptionMethods

CIBA

The following settings appear on the CIBA tab:

Back Channel Authentication ID Lifetime (seconds)

The time back channel authentication request id is valid for, in seconds.

Default value: 600

amster attribute: cibaAuthReqIdLifetime

Polling Wait Interval (seconds)

The minimum amount of time in seconds that the Client should wait between polling requests to the token endpoint

Default value: 2

amster attribute: cibaMinimumPollingInterval

Signing Algorithms Supported

Algorithms supported to sign the CIBA request parameter.

AM supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • PS256 - RSASSA-PSS using SHA-256.

    Default value:

    ES256
    PS256

    amster attribute: supportedCibaSigningAlgorithms

Plugins

The Plugins settings are used to configure the following supported OAuth2 plugin extension points:

  • Access Token Modification

  • OIDC Claims

  • Scope Evaluation

  • Scope Validation

  • Authorize Endpoint Data Provider

Each plugin is configured using three different attributes:

  • Plugin Type:

    This value can be either SCRIPTED to run a custom script, or JAVA for a custom implementation class.

  • Script:

    The script that is run for SCRIPTED plugin types.

  • Implementation Class:

    The class that is invoked for JAVA plugin types. The class must implement the appropriate Java interface in the org.forgerock.oauth2.core.plugins package for the plugin.

    These plugin settings can be overridden at the client level. Learn more in OAuth 2.0 provider overrides.

The following settings appear on the Plugins tab:

Access Token Modification Plugin Type

Default value: SCRIPTED

amster attribute: accessTokenModificationPluginType

Access Token Modification Script

This script is run when issuing an access token. The script lets you modify the token, for example, by altering the data fields, before it is persisted or returned to the client.

The script is run if Access Token Modification Plugin Type is set to SCRIPTED.

Learn more in Access token modification.

Default value: OAuth2 Access Modification Script

amster attribute: accessTokenModificationScript

Access Token Modifier Plugin Implementation Class

The Java class that provides the custom implementation for the access token modifier plugin interface, org.forgerock.oauth2.core.plugins.AccessTokenModifier. This class is invoked when Access Token Modification Plugin Type is set to JAVA.

Default value: [Empty]

amster attribute: accessTokenModificationClass

OIDC Claims Plugin Type

Default value: SCRIPTED

amster attribute: oidcClaimsPluginType

OIDC Claims Script

This script is run when issuing an ID token or during a request to the /userinfo OIDC endpoint. Use this script to retrieve claim values based on an issued access token.

The script is run if OIDC Claims Plugin Type is set to SCRIPTED.

Default value: OIDC Claims Script

amster attribute: oidcClaimsScript

OIDC Claims Plugin Implementation Class

The Java class that provides the custom implementation for the OIDC claims plugin interface, org.forgerock.oauth2.core.plugins.UserInfoClaimsPlugin. This class is invoked when OIDC Claims Plugin Type is set to JAVA.

Default value: [Empty]

amster attribute: oidcClaimsClass

Scope Evaluation Plugin Type

Default value: JAVA

amster attribute: evaluateScopePluginType

Scope Evaluation Script

This script retrieves and evaluates the scope information for an OAuth2 access token.

The script lets you populate the scopes with profile attribute values. For example, if one of the scopes is mail, AM sets mail to the resource owner’s email address in the token information returned.

Default value: --- Select a script ---

amster attribute: evaluateScopeScript

Scope Evaluation Plugin Implementation Class

The Java class that provides the custom implementation for the evaluate scope plugin interface: org.forgerock.oauth2.core.plugins.ScopeEvaluator.

Default value: org.forgerock.oauth2.core.plugins.registry.DefaultScopeEvaluator

amster attribute: evaluateScopeClass

Scope Validation Plugin Type

Default value: JAVA

amster attribute: validateScopePluginType

Scope Validation Script

This script validates and customizes the set of requested scopes for authorize, access token, refresh token, and back channel authorize requests.

Default value: --- Select a script ---

amster attribute: validateScopeScript

Scope Validation Plugin Implementation Class

The Java class that provides the custom implementation for the evaluate scope plugin interface: org.forgerock.oauth2.core.plugins.ScopeValidator.

Default value: org.forgerock.oauth2.core.plugins.registry.DefaultScopeValidator

amster attribute: validateScopeClass

Authorize Endpoint Data Provider Plugin Type

Default value: JAVA

amster attribute: authorizeEndpointDataProviderPluginType

Authorize Endpoint Data Provider Script

Use this script to retrieve additional data from an authorization request, such as data from the user’s session or from an external service.

Default value: --- Select a script ---

amster attribute: authorizeEndpointDataProviderScript

Authorize Endpoint Data Provider Plugin Implementation Class

The Java class that provides the custom implementation for the evaluate scope plugin interface: org.forgerock.oauth2.core.plugins.AuthorizeEndpointDataProvider.

Default value: org.forgerock.oauth2.core.plugins.registry.DefaultEndpointDataProvider

amster attribute: authorizeEndpointDataProviderClass

Access Token Enricher Plugin Implementation Class

The class that provides the custom implementation for the access token enricher plugin interface.

The access token enricher plugin interface is deprecated and will be removed in a future release.

Default value: org.forgerock.oauth2.core.plugins.registry.DefaultAccessTokenEnricher

amster attribute: accessTokenEnricherClass

Device Code Flow User Code Generator Implementation Class

The class that provides the custom implementation for generating user codes for the device code flow.

To override the default implementation, create a Java class that implements the UserCodeGenerator interface, and set this property to the fully qualified class name.

Default value: org.forgerock.oauth2.core.plugins.registry.DefaultUserCodeGenerator

amster attribute: userCodeGeneratorClass

PingOne Worker service

The PingOne Worker Service requires a configured OAuth2 provider service in your AM server.

Configuration

The following settings appear on the Configuration tab:

Enabled

Enables the service.

Secondary Configurations

This service has the following Secondary Configurations:

Client ID

Client ID of the worker application in PingOne.

Client Secret Label Identifier

AM uses this identifier to create a specific secret label for the client secret of the worker application.

The secret label uses the template am.services.pingone.worker.identifier.clientsecret where identifier is the Client Secret Label Identifier value.

This field can only contain characters a-z, A-Z, 0-9, and . and can’t start or end with a period.

For information on how to map the client secret to the secret label, refer to Map and rotate secrets.

Environment ID

The environment that contains the worker application in PingOne.

PingOne API Server URL

The regional base URL of the PingOne API server.

Enter one of the following:

  • https://api.pingone.com/v1 - for the North America region (excluding Canada)

  • https://api.pingone.ca/v1 - for the Canada region

  • https://api.pingone.eu/v1 - for the European Union region

  • https://api.pingone.asia/v1 - for the Asia-Pacific region

Default: https://api.pingone.com/v1

PingOne Authorization Server URL

The regional base URL for the PingOne authorization server.

Enter one of the following:

  • https://auth.pingone.com - for the North America region (excluding Canada)

  • https://auth.pingone.ca - for the Canada region

  • https://auth.pingone.eu - for the European Union region

  • https://auth.pingone.asia - for the Asia-Pacific region

Default: https://auth.pingone.com

Platform

amster service name: Platform

The following settings are available in this service:

Platform Locale

Set the fallback locale used when the user locale cannot be determined.

Default value: en_US

amster attribute: locale

Policy configuration

amster service name: PolicyConfiguration

Global attributes

The following settings appear on the Global Attributes tab:

Resource Comparator

AM uses resource comparators to match resources specified in policy rules. When setting comparators on the command line, separate fields with | characters.

Default value: serviceType=iPlanetAMWebAgentService|class=com.sun.identity.policy.plugins.HttpURLResourceName|wildcard=|oneLevelWildcard=--|delimiter=/|caseSensitive=false

amster attribute: resourceComparators

Continue Evaluation on Deny Decision

If no, then AM stops evaluating policy as soon as it reaches a deny decision.

Default value: false

amster attribute: continueEvaluationOnDeny

Realm Alias Referrals

If yes, then AM allows creation of policies for HTTP and HTTPS resources whose FQDN matches the DNS alias for the realm even when no referral policy exists.

Default value: false

amster attribute: realmAliasReferrals

Realm defaults

The following settings appear on the Realm Defaults tab:

Primary LDAP Server

Configuration directory server host:port that AM searches for policy information. The default value is the directory server specified during setup.

Configure the directory server settings if you want to use an external identity store in an LDAP filter condition in a policy.

These LDAP settings are only applicable to the identity repository of the LDAP accounts or groups used in the filter condition, and do not affect how other data, such as policies or policy subjects, is stored.

Format: local AM server name | hostname:port

Multiple entries must be prefixed by local server name. Make sure to place the multiple entries on a single line and separate the hostname:port URLs with a space.

For example, openam.example.com|opendj.example.com:1389 opendj.example.com:2389

Default value: openam.example.com:50636

amster attribute: ldapServer

LDAP Users Base DN

Base DN for LDAP Users subject searches.

Default value: dc=openam,dc=forgerock,dc=org

amster attribute: usersBaseDn

LDAP Bind DN

Bind DN to connect to the directory server for policy information.

If you enable mTLS, AM ignores this property. Default value: cn=Directory Manager

amster attribute: bindDn

LDAP Bind Password

Bind password to connect to the directory server for policy information.

If you enable mTLS, AM ignores this property.

amster attribute: bindPassword

LDAP Organization Search Filter

Search filter to match organization entries.

Default value: (objectclass=sunismanagedorganization)

amster attribute: realmSearchFilter

LDAP Users Search Filter

Search filter to match user entries.

Default value: (objectclass=inetorgperson)

amster attribute: usersSearchFilter

LDAP Users Search Scope

Search scope to find user entries.

The possible values for this property are:

  • SCOPE_BASE

  • SCOPE_ONE

  • SCOPE_SUB

Default value: SCOPE_SUB

amster attribute: usersSearchScope

LDAP Users Search Attribute

Naming attribute for user entries.

Default value: uid

amster attribute: usersSearchAttribute

Maximum Results Returned from Search

Search limit for LDAP searches.

Default value: 100

amster attribute: maximumSearchResults

Search Timeout

Time after which AM returns an error for an incomplete search, in seconds.

Default value: 5

amster attribute: searchTimeout

LDAP SSL/TLS

If enabled, AM connects securely to the directory server. This requires that you install the directory server certificate.

Default value: true

amster attribute: sslEnabled

LDAP Connection Pool Minimum Size

Minimum number of connections in the pool.

Default value: 1

amster attribute: connectionPoolMinimumSize

LDAP Connection Pool Maximum Size

Maximum number of connections in the pool.

Default value: 10

amster attribute: connectionPoolMaximumSize

Heartbeat Interval

Specifies how often should AM send a heartbeat request to the directory.

Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won’t become idle.

Default value: 10

amster attribute: policyHeartbeatInterval

Heartbeat Unit

Defines the time unit corresponding to the Heartbeat Interval setting.

Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won’t become idle.

The possible values for this property are:

  • Label: second (Value: SECONDS)

  • Label: minute (Value: MINUTES)

  • Label: hour (Value: HOURS)

Default value: SECONDS

amster attribute: policyHeartbeatTimeUnit

Subjects Result Time to Live

Maximum time that AM caches a subject result for evaluating policy requests, in minutes. A value of 0 prevents AM from caching subject evaluations for policy decisions.

Default value: 10

amster attribute: subjectsResultTTL

User Alias

If enabled, AM can evaluate policy for remote users aliased to local users.

Default value: false

amster attribute: userAliasEnabled

Check resources exist when Resource Server is updated

Check all registered resources exist when updating Resource Server.

Policy Set will check each registered Resource Types one by one against config datastore if enabled. Consider disabling this option if you have large number of Resource Types registered to a Policy Set.

Default value: true

amster attribute: checkIfResourceTypeExists

mTLS Enabled

Enables mutual TLS (mTLS) authentication between AM and this data store.

When you enable mTLS, you must also:

  • Enable LDAP SSL/TLS.

  • Map the secret label am.policy.configuration.serice.mtls.cert to the alias you want to use for mTLS authentication to this store.

AM ignores the LDAP Bind DN and LDAP Bind Password when you enable mTLS.

Push Notification service

amster service name: PushNotification

Realm defaults

The following settings appear on the Realm Defaults tab:

SNS Access Key ID

Amazon Simple Notification Service Access Key ID. For details, refer to Create an AWS (Push Auth) Credential in the Knowledge Base. You must log in to Backstage to read this article.

For example, you might set this property to: AKIAIOSFODNN7EXAMPLE

amster attribute: accessKey

SNS Access Key Secret

Amazon Simple Notification Service Access Key Secret. For details, refer to Create an AWS (Push Auth) Credential in the Knowledge Base. You must log in to Backstage to read this article.

For greater security, you can store this secret in a secret store, instead of in the configuration.

Map the secret to the secret label am.services.pushnotification.sns.accesskey.secret.

If a secret is mapped to this secret label, AM uses that secret and ignores the value of the SNS Access Key Secret property.

If a secret is mapped to this secret label and AM can’t locate the secret, it falls back to the value of the SNS Access Key Secret property.

amster attribute: secret

SNS Endpoint for APNS

The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages to the Apple Push Notification Service (APNS).

For example, you might set this property to: arn:aws:sns:us-east-1:1234567890:app/APNS/production

amster attribute: appleEndpoint

SNS Endpoint for GCM

The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages over Google Cloud Messaging (GCM).

For example, you might set this property to: arn:aws:sns:us-east-1:1234567890:app/GCM/production

amster attribute: googleEndpoint

SNS Client Region

Region of your registered Amazon Simple Notification Service client. For more information, see https://docs.aws.amazon.com/general/latest/gr/rande.html.

The possible values for this property are:

  • us-gov-west-1

  • us-east-1

  • us-west-1

  • us-west-2

  • eu-west-1

  • eu-central-1

  • ap-southeast-1

  • ap-southeast-2

  • ap-northeast-1

  • ap-northeast-2

  • sa-east-1

  • n-north-1

Default value: us-east-1

amster attribute: region

Message Transport Delegate Factory

The fully qualified class name of the factory responsible for creating the PushNotificationDelegate. The class must implement org.forgerock.openam.services.push.PushNotificationDelegate.

Default value: org.forgerock.openam.services.push.sns.SnsHttpDelegateFactory

amster attribute: delegateFactory

Response Cache Duration

The minimum lifetime to keep unanswered message records in the message dispatcher cache, in seconds. To keep unanswered message records indefinitely, set this property to 0.Should be tuned so that it is applicable to the use case of this service. For example, the ForgeRock Authenticator (Push) authentication module has a default timeout of 120 seconds.

Default value: 120

amster attribute: mdDuration

Response Cache Concurrency

Level of concurrency to use when accessing the message dispatcher cache. Defaults to 16, and must be greater than 0. Choose a value to accommodate as many threads as will ever concurrently access the message dispatcher cache.

Default value: 16

amster attribute: mdConcurrency

Response Cache Size

Maximum size of the message dispatcher cache, in number of records. If set to 0 the cache can grow indefinitely. If the number of records that need to be stored exceeds this maximum, then older items in the cache will be removed to make space.

Default value: 10000

amster attribute: mdCacheSize

RADIUS server

amster service name: RadiusServer

Configuration

The following settings appear on the Configuration tab:

Enabled

Lets the AM RADIUS server listen for requests on the listener port, and handle the requests.

The possible values for this property are:

  • NO

  • YES

Default value: NO

amster attribute: radiusListenerEnabled

Listener Port

The UDP port on which each AM server will listen for RADIUS Access-Request packets

According to the RADIUS Authentication Specification, RFC 2865, the officially assigned port number for RADIUS is 1812. Specify a value from 1024 to 65535. All client requests are handled through the same port.

Default value: 1812

amster attribute: radiusServerPort

Thread Pool Core Size

When a RADIUS request is received and fewer than corePoolSize threads are running, a new thread is created to handle the request, even if other worker threads are idle. If there are more than "Thread Pool Core Size" but less than "Thread Pool Max Size" threads running, a new thread will be created only if the queue is full. By setting "Thread Pool Core Size" and "Thread Pool Max Size" to the same value, you create a fixed-size thread pool. Specify a value from 1 to 100.

Default value: 1

amster attribute: radiusThreadPoolCoreSize

Thread Pool Max Size

Maximum number of threads allowed in the pool. See also "Thread Pool Core Size".

Default value: 10

amster attribute: radiusThreadPoolMaxSize

Thread Pool Keep-Alive Seconds

If the pool currently has more than Thread Pool Core Size threads, excess threads will be terminated if they have been idle for more than the Keep-Alive Seconds. Specify a value from 1 to 3600.

Default value: 10

amster attribute: radiusThreadPoolKeepaliveSeconds

Thread Pool Queue Size

The number of requests that can be queued for the pool before further requests will be silently dropped. See also "Thread Pool Core Size" and "Thread Pool Max Size". Specify a value from 1 to 1000.

Default value: 20

amster attribute: radiusThreadPoolQueueSize

Secondary configurations

This service has the following secondary configurations.

radiusClient

Client IP Address

The IP Address of the client.

Section 5.4 of the RADIUS Authentication Specification, RFC 2865, indicates that the source IP address of the Access-Request packet MUST be used to identify a configured client and hence determine the shared secret to use for decrypting the User-Password field.

This property should hold the source IP address of the client. This should match the value obtained from Java’s InetSocketAddress.getAddress().toString() function.

To verify the value, send an Access-Request packet to AM’s RADIUS port and watch for a message stating: "No Defined RADIUS Client matches IP address '/127.0.0.1'. Dropping request.". The value used in this property should match the IP address returned in the single quotes.

Default value: /127.0.0.1

amster attribute: clientIpAddress

Client Secret

This secret shared between server and client for encryption of the user password.

This secret must be conveyed to the RADIUS client and entered into its configuration before the User-Password field of incoming Access-Request packets can be decrypted to validate the password for the represented by that packet.

amster attribute: clientSecret

Log Packet Contents for this Client

Indicates if full packet contents should be dumped to the log.

When troubleshooting issues with RADIUS it is helpful to know what was received in a given packet. Enabling this feature will cause packet contents to be logged in a human consumable format. The only caveat is that the USER_PASSWORD field will be obfiscated by replacing with asterisks. This should only be enabled for troubleshooting as it adds significant content to logs and slows processing.

Default value: NO

amster attribute: clientPacketsLogged

Handler Class

The fully qualified name of a class to handle incoming RADIUS Access-Requests for this client.

This class must implement the com.sun.identity.authentication.modules.radius.server.spi.AccessRequestHandler interface to handle incoming Access-Request packets and provide a suitable response. An instance of this class is created when configuration is first loaded to validate the class and then once for each new request. The configuration properties will only be passed for the request handling instances and not when validating the class.

Default value: org.forgerock.openam.radius.server.spi.handlers.OpenAMAuthHandler

amster attribute: handlerClass

Handler Class Configuration Properties

Properties needed by the handler class for its configuration.

These properties are provided to the handler via its init method prior to the call to handle the request packet. If these values are changed the next handler instance created for an incoming request will receive the updated values. Each entry assumes that the first ‘`=`’ character incurred separates a key from its value. All entries are placed in a properties file handed to each handler instance.

Default value:

realm=/
chain=ldapService

amster attribute: handlerConfig

REST APIs

amster service name: RestApis

The following settings are available in this service:

Default Resource Version

The API resource version to use when the REST request does not specify an explicit version.

The possible values for this property are:

  • Latest. If an explicit version is not specified, the latest resource version of an API is used.

  • Oldest. If an explicit version is not specified, the oldest supported resource version of an API is used. Note that since APIs may be deprecated and fall out of support, the oldest supported version may not be the first version.

  • None. If an explicit version is not specified, the request will not be handled and an error status is returned.

Default value: Latest

amster attribute: defaultVersion

Warning Header

Whether to include a warning header in the response to a request which fails to include the Accept-API-Version header.

Default value: true

amster attribute: warningHeader

API Descriptions

Whether API Explorer and API Docs are enabled in AM and how the documentation for them is generated. Dynamic generation includes descriptions from any custom services and authentication modules you may have added. Static generation only includes services and authentication modules that were present when AM was built. Note that dynamic documentation generation may not work in some application containers.

The possible values for this property are:

  • Label: Enabled with Dynamic Documentation (Value: DYNAMIC)

  • Label: Enabled with Static Documentation (Value: STATIC)

  • DISABLED

Default value: STATIC

amster attribute: descriptionsState

Default Protocol Version

The API protocol version to use when a REST request does not specify an explicit version. Choose from:

The possible values for this property are:

  • Oldest. If an explicit version is not specified, the oldest protocol version is used.

  • Latest. If an explicit version is not specified, the latest protocol version is used.

  • None. If an explicit version is not specified, the request will not be handled and an error status is returned.

Default value: Latest

amster attribute: defaultProtocolVersion

Enable CSRF Protection

If enabled, all non-read/query requests will require the X-Requested-With header to be present.

Requiring a non-standard header ensures requests can only be made via methods (XHR) that have stricter same-origin policy protections in Web browsers, preventing Cross-Site Request Forgery (CSRF) attacks. Without this filter, cross-origin requests are prevented by the use of the application/json Content-Type header, which is less robust.

Default value: true

amster attribute: csrfFilterEnabled

Remote Consent service

amster service name: RemoteConsentService

Realm defaults

The following settings appear on the Realm Defaults tab:

Client Name

The name used to identify this OAuth 2.0 remote consent service when referencedin other services.

amster attribute: clientId

Authorization Server jwk_uri

The jwk_uri for retrieving the authorization server signing and encryption keys.

amster attribute: jwksUriAS

JWK Store Cache Timeout (in minutes)

The cache timeout for the JWK store of the authorization server, in minutes.

Default value: 60

amster attribute: jwkStoreCacheTimeout

JWK Store Cache Miss Cache Time (in minutes)

The length of time a cache miss is cached, in minutes.

Default value: 1

amster attribute: jwkStoreCacheMissCacheTime

Consent Response Time Limit (in minutes)

The time limit set on the consent response JWT before it expires, in minutes.

Default value: 2

amster attribute: consentResponseTimeLimit

SAML v2.0 SOAP binding

amster service name: SamlV2SoapBinding

The following settings are available in this service:

Request Handler List

List of handlers to deal with SAML v2.0 requests bound to SOAP.

The required format is: key=Meta Alias|class=Handler Class

Set the key property for a request handler to the meta alias, and the class property to the name of the class that implements the handler.

For example: key=/pdp|class=com.sun.identity.xacml.plugins.XACMLAuthzDecisionQueryHandler

amster attribute: requestHandlers

SAML v2.0 service configuration

amster service name: SamlV2ServiceConfiguration

The following settings are available in this service:

Cache cleanup interval (in seconds)

Time between cache cleanup operations, in seconds.

Default value: 600

amster attribute: cacheCleanupInterval

Attribute name for Name ID information

User entry attribute to store name identifier information.

Default value: sun-fm-saml2-nameid-info

amster attribute: nameIDInfoAttribute

Attribute name for Name ID information key

User entry attribute to store the name identifier key.

Default value: sun-fm-saml2-nameid-infokey

amster attribute: nameIDInfoKeyAttribute

Cookie domain for IdP Discovery Service

Specifies the cookie domain for the IDP discovery service.

Default value: openam.example.com

amster attribute: idpDiscoveryCookieDomain

Cookie type for IdP Discovery Service

Specifies the cookie type to use.

The possible values for this property are:

  • PERSISTENT

  • SESSION

Default value: PERSISTENT

amster attribute: idpDiscoveryCookieType

URL scheme for IdP Discovery Service

Specifies the URL scheme to use.

The possible values for this property are:

  • HTTP

  • HTTPS

Default value: HTTPS

amster attribute: idpDiscoveryUrlSchema

XML Encryption SPI implementation class

Used by the SAML2 engine to encrypt and decrypt documents.

Default value: com.sun.identity.saml2.xmlenc.FMEncProvider

amster attribute: xmlEncryptionClass

Include xenc:EncryptedKey inside ds:KeyInfo Element

Specify whether to include the xenc:EncryptedKey property inside the ds:KeyInfo element.

Default value: true

amster attribute: encryptedKeyInKeyInfo

XML Signing SPI implementation class

Used by the SAML2 engine to sign documents.

Default value: com.sun.identity.saml2.xmlsig.FMSigProvider

amster attribute: xmlSigningClass

XML Signing Certificate Validation

If enabled, then validate certificates used to sign documents.

Default value: false

amster attribute: signingCertValidation

CA Certificate Validation

If enabled, then validate CA certificates.

Default value: false

amster attribute: caCertValidation

Buffer length (in bytes) to decompress request

Specify the size of the buffer used for decompressing requests, in bytes.

Default value: 2048

amster attribute: bufferLength

Scripting

amster service name: Scripting

Configuration

The following settings appear on the Configuration tab:

Default Script Type

The default script context type when creating a new script.

The possible values for this property are:

Label Value

OAuth2 Access Token Modification

OAUTH2_ACCESS_TOKEN_MODIFICATION

Saml2 SP Adapter

SAML2_SP_ADAPTER

Client-side Authentication

AUTHENTICATION_CLIENT_SIDE

Decision node script for authentication trees

AUTHENTICATION_TREE_DECISION_NODE

OAuth2 Trusted JWT Issuer

OAUTH2_SCRIPTED_JWT_ISSUER

Server-side Authentication

AUTHENTICATION_SERVER_SIDE

Social Identity Provider Profile Transformation

SOCIAL_IDP_PROFILE_TRANSFORMATION

Library

LIBRARY

OAuth2 Validate Scope

OAUTH2_VALIDATE_SCOPE

Config Provider

CONFIG_PROVIDER_NODE

OAuth2 Authorize Endpoint Data Provider

OAUTH2_AUTHORIZE_ENDPOINT_DATA_PROVIDER

OAuth2 Evaluate Scope

OAUTH2_EVALUATE_SCOPE

Policy Condition

POLICY_CONDITION

OIDC Claims

OIDC_CLAIMS

Saml2 IDP Adapter

SAML2_IDP_ADAPTER

Saml2 IDP Attribute Mapper

SAML2_IDP_ATTRIBUTE_MAPPER

OAuth2 May Act

OAUTH2_MAY_ACT

Default value: POLICY_CONDITION

amster attribute: defaultContext

Secondary configurations

Configure script engine parameters for running a particular script type in AM.

A secondary configuration instance has the following tabs:

Configuration

Scripting languages

Select the languages available for scripts on the chosen type. Either GROOVY or JAVASCRIPT.

ssoadm attribute: languages

Default Script

The source code that is presented as the default when creating a new script of this type.

ssoadm attribute: defaultScript

Default Scripts

The default scripts for this secondary configuration.

Secondary Configurations

This service has the following secondary configurations.

engineConfiguration

The script engine configuration for scripts of this type.

ssoadm attribute: engineConfiguration

To access a secondary configuration instance using the ssoadm command, use: --subconfigname [primary configuration]/[secondary configuration]. For example:

$ ssoadm set-sub-cfg \
  --adminid uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org \
  --password-file admin_pwd_file \
  --servicename ScriptingService \
  --subconfigname OIDC_CLAIMS/engineConfiguration \
  --operation set \
  --attributevalues maxThreads=300 queueSize=-1

Supports server-side scripts only. AM cannot configure engine settings for client-side scripts.

ssoadm attribute: `

Property Name Prefix

This prefix must match the property name prefix used in the script. For example, if the property name is custom.script.property, the prefix is custom.script.

ssoadm attribute: propertyNamePrefix

Server-side Script Timeout

The maximum execution time any individual script should take on the server (in seconds). AM terminates scripts which take longer to run than this value.

ssoadm attribute: serverTimeout

Core thread pool size

The initial number of threads in the thread pool from which scripts operate. AM will ensure the pool contains at least this many threads.

ssoadm attribute: coreThreads

Maximum thread pool size

The maximum number of threads in the thread pool from which scripts operate. If no free thread is available in the pool, AM creates new threads in the pool for script execution up to the configured maximum. It is recommended to set the maximum number of threads to 300.

ssoadm attribute: maxThreads

Thread pool queue size

The size of the queue to use for buffering requests for script execution when all core threads are in use. When the core thread pool is at capacity, new script execution requests are queued up to this limit.

For short, CPU-bound scripts, consider a small pool size and larger queue length. For I/O-bound scripts such as REST calls, consider a larger maximum pool size and a smaller queue.

Not hot-swappable: restart server for changes to take effect.

ssoadm attribute: queueSize

Thread idle timeout (seconds)

Length of time (in seconds) for a thread to be idle before AM terminates created threads. If the current pool size contains the number of threads set in Core thread pool size idle threads aren’t terminated, to maintain the initial pool size.

ssoadm attribute: idleTimeout

Java class allowlist

The list of class-name patterns allowed to be invoked by the script. Every class accessed by the script must match at least one of these patterns.

You can specify the class name as-is or use a regular expression.

This only applies to legacy scripts. You can’t add classes to the allowlist for a next-generation script.

ssoadm attribute: whiteList

Java class denylist

The list of class-name patterns that are NOT allowed to be invoked by the script. The denylist is applied AFTER the allowlist to exclude those classes. Access to a class specified in both the allowlist and the denylist will be denied.

You can specify the class name to exclude as-is or use a regular expression.

ssoadm attribute: blackList

Use system SecurityManager

If enabled, AM makes a call to System.getSecurityManager().checkPackageAccess(…​) for each class that is accessed. The method throws SecurityException if the calling thread is not allowed to access the package.

This feature only takes effect if the security manager is enabled for the JVM.

ssoadm attribute: useSecurityManager

Session

amster service name: SessionUserService

General

The following settings appear on the General tab:

Latest Access Time Update Frequency

Defaults to 60 seconds. At most, AM updates a session’s latest access time this often.

Subsequent touches to the session that occur within the specified number of seconds after an update will not cause additional updates to the session’s access time.

Refreshing a session returns the idle time as the number of seconds since an update has occurred, which will be between 0 and the specified Latest Access Time Update Frequency.

Default value: 60

amster attribute: latestAccessTimeUpdateFrequency

DN Restriction Only Enabled

If enabled, AM will not perform DNS lookups when checking restrictions in cookie hijacking mode.

Default value: false

amster attribute: dnRestrictionOnly

Session Timeout Handler implementations

Lists plugin classes implementing session timeout handlers. Specify the fully qualified name.

amster attribute: timeoutHandlers

Enable Cross Upgrade Session Reference

If enabled, the AM session will contain an additional session reference property, the value of which is persisted across session upgrade.

To access the cross-upgrade session reference—for example, from within a script or when getting session information—allowlist the property XUSRef in the Session Property Whitelist service.

The session reference can be tracked in the audit logs for session creation and session upgrade events.

amster attribute: crossUpgradeReferenceFlag

The following settings appear on the Session Search tab:

Maximum Number of Search Results

Maximum number of results from a session search. Do not set this attribute to a large value, for example more than 1000, unless sufficient system resources are allocated.

Default value: 120

amster attribute: maxSessionListSize

Timeout for Search

Time after which AM sees an incomplete search as having failed, in seconds.

Default value: 5

amster attribute: sessionListRetrievalTimeout

Session property change notifications

The following settings appear on the Session Property Change Notifications tab:

Enable Property Change Notifications

If enabled, AM notifies other applications participating in SSO when a session property in the Notification Properties list changes on a server-side session.

The possible values for this property are:

  • ON

  • OFF

Default value: OFF

amster attribute: propertyChangeNotifications

Notification Properties

Lists session properties for which AM can send notifications upon modification. Session notification applies to server-side sessions only.

amster attribute: notificationPropertyList

Session quotas

The following settings appear on the Session Quotas tab:

Enable Quota Constraints

If enabled, AM lets you set quota constraints on server-side sessions.

The possible values for this property are:

  • ON

  • OFF

Default value: OFF

amster attribute: iplanet-am-session-enable-session-constraint

Read Timeout for Quota Constraint

Maximum wait time after which AM considers a search for live session count as having failed if quota constraints are enabled, in milliseconds.

Default value: 6000

amster attribute: quotaConstraintMaxWaitTime

Resulting behavior if session quota exhausted

Specify the action to take if a session quota is exhausted:

The possible values for this property are:

  • Deny Access (org.forgerock.openam.session.service.DenyAccessAction). New session creation requests are denied.

  • Destroy Next Expiring org.forgerock.openam.session.service.DestroyNextExpiringAction). The session that would expire next is destroyed.

  • Destroy Oldest (org.forgerock.openam.session.service.DestroyOldestAction). The oldest session is destroyed.

  • Destroy All (org.forgerock.openam.session.service.DestroyAllAction). All previous sessions are destroyed.

Default value: org.forgerock.openam.session.service.DestroyNextExpiringAction

amster attribute: behaviourWhenQuotaExhausted

Deny user login when session repository is down

This property only takes effect when the session quota constraint is enabled, and the session data store is unavailable.

The possible values for this property are:

  • YES

  • NO

Default value: NO

amster attribute: denyLoginWhenRepoDown

Client-side sessions

The following settings appear on the Client-Side Sessions tab:

Signing Algorithm Type

The algorithm that AM uses to sign the JSON Web Token (JWT) containing the session content. Signing the JWT enables tampering detection.

The possible values for this property are:

  • NONE

  • HS256. HMAC using SHA-256.

  • HS384. HMAC using SHA-384.

  • HS512. HMAC using SHA-512.

  • RS256. RSASSA-PKCS1-v1_5 using SHA-256.

  • ES256. ECDSA using SHA-256 and NIST standard P-256 elliptic curve.

  • ES384. ECDSA using SHA-384 and NIST standard P-384 elliptic curve.

  • ES512. ECDSA using SHA-512 and NIST standard P-521 elliptic curve.

Default value: HS256

amster attribute: statelessSigningType

Signing HMAC Shared Secret

Specifies the shared secret that AM uses when performing HMAC signing on the session JWT.

Specify a shared secret when using a "Signing Algorithm Type" of HS256, HS384, or HS512.

amster attribute: statelessSigningHmacSecret

Encryption Algorithm

Specifies the algorithm that AM uses to encrypt the JSON Web Token (JWT) containing the session content.

The possible values for this property are:

  • NONE. Session content is not encrypted.

  • RSA. Session content is encrypted with AES using a unique key. The key is then encrypted with an RSA public key and appended to the JWT.

    AM supports the following padding modes, which you can set using the org.forgerock.openam.session.stateless.rsa.padding advanced property:

    • RSA1_5. RSA with PKCS#1 v1.5 padding.

    • RSA-OAEP. RSA with optimal asymmetric encryption padding (OAEP) and SHA-1.

    • RSA-OAEP-256. RSA with OAEP padding and SHA-256.

  • AES_KEYWRAP. AES key wrapping.

    Session content is encrypted with AES using a unique key and is then wrapped using AES KeyWrap and the master key. This provides additional security, compared to RSA, at the cost of 128 or 256 bits (or 32 bytes) depending on the size of the master key. This method provides authenticated encryption, which removes the need for a separate signature and decreases the byte size of the JWT. See RFC 3394.

  • DIRECT. Direct AES encryption.

    Session content is encrypted with direct AES encryption, with a symmetric key. This method provides authenticated encryption, which removes the need for a separate signature and decreases the byte size of the JWT.

Users can accidentally disable all authentication by disabling signing and not using an authenticated encryption mode. To prevent this, set the org.forgerock.openam.session.stateless.signing.allownone system property to true to turn off signing completely.

Default value: DIRECT

amster attribute: statelessEncryptionType

Encryption Symmetric AES Key

AES key for use with Direct or AES KeyWrap encryption modes.

The symmetric AES key is a base64-encoded random key.

For direct encryption with AES-GCM or for AES-KeyWrap with any content encryption method, this should be 128, 192, or 256 bits.

For direct encryption with AES-CBC-HMAC, the key should be double those sizes (one half for the AES key, the other have for the HMAC key).

AES key sizes greater than 128 bits require installation of the JCE Unlimited Strength policy files in your JRE.

amster attribute: statelessEncryptionAesKey

Compression Algorithm

If enabled the session state is compressed before signing and encryption.

Enabling compression can compromise encryption. This may leak information about the content of the session state if encryption is enabled.

The possible values for this property are:

  • NONE

  • DEF. Deflate Compression.

Default value: NONE

amster attribute: statelessCompressionType

Enable Session Denylisting

Denylists client-side sessions that log out.

Enable this setting if the maximum session time is high. The denylist state is stored in the Core Token Service (CTS) token store until the session expires, to ensure that sessions cannot continue to be used.

Default value: false

amster attribute: openam-session-stateless-enable-session-blacklisting

Session Denylist Cache Size

Number of denylisted sessions to cache in memory to speed up denylist checks and reduce load on the CTS. The cache size should be approximately the number of logouts expected in the maximum session time.

Default value: 10000

amster attribute: openam-session-stateless-blacklist-cache-size

Denylist Poll Interval (seconds)

Specifies the interval at which AM polls the Core Token Service to update the list of logged out sessions, in seconds.

The longer the polling interval, the more time a malicious user has to connect to other AM servers in a deployment and make use of a stolen session cookie. Shortening the polling interval improves the security for logged out sessions, but might incur a minimal decrease in overall AM performance due to increased network activity. Set to 0 to disable this feature completely.

Default value: 60

amster attribute: openam-session-stateless-blacklist-poll-interval

Denylist Purge Delay (minutes)

When added to the maximum session time, specifies the amount of time that AM tracks logged out sessions.

Increase the denylist purge delay if you expect system clock skews in your deployment to be greater than one minute. You don’t need to increase the denylist purge delay for servers running a clock synchronization protocol, such as the Network Time Protocol.

Default value: 1

amster attribute: openam-session-stateless-blacklist-purge-delay

Enable Invalidation of Sessions Based on User Identifier

Let AM permit logging out all client-side sessions for a specific user, through the logoutByUser action.

Setting this to true causes AM to store logout user tokens in a local cache. For multi-server deployments, AM polls the CTS at a specified interval and populates the cache with the logout user tokens of all servers in the deployment.

Default value: false

amster attribute: statelessLogoutByUser

Invalidated Sessions Poll Interval (seconds)

When Enable Invalidation of Sessions Based on User Identifier is true, this setting specifies the frequency at which AM polls the CTS for changes to persisted logout tokens.

Default value: 60

amster attribute: openam-session-stateless-logout-poll-interval

Dynamic attributes

Configuring any of the following properties at the realm level (Realms > Realm Name > Services > Session) causes the values to be stored in the identity store configured in that realm.

If you remove the identity store from the realm, the properties will use the values configured at the global level (Configure > Global Services > Session).

The following settings appear on the Dynamic Attributes tab:

Maximum Session Time

Maximum time a session can remain valid before AM requires the user to authenticate again, in minutes.

Default value: 120

amster attribute: maxSessionTime

Maximum Idle Time

Maximum time a server-side session can remain idle before AM requires the user to authenticate again, in minutes.

Default value: 30

amster attribute: maxIdleTime

Maximum Caching Time

Maximum time that external clients of AM are recommended to cache the session for, in minutes.

Default value: 3

amster attribute: maxCachingTime

Active User Sessions

Maximum number of concurrent server-side sessions per user.

Default value: 5

This value does not apply if Enable Quota Constraints is OFF. In other words, session quota constraints must be enabled for any configured maximum to apply.

amster attribute: quotaLimit

Session Property Whitelist service

amster service name: SessionPropertyWhiteList

Realm defaults

The following settings appear on the Realm Defaults tab:

Allowlisted Session Property Names

A list of properties that users may read, edit the value of, or delete from their session.

Adding properties to sessions can impact AM’s performance. There is no limit on the set of properties that you can add to sessions, and no limit on the number of session properties you can add.

Adding session properties can increase the load on an AM deployment in the following areas:

  • AM server memory

  • LDAP server storage

  • LDAP server replication

Protected attributes can NOT be set, edited or deleted, even if they are included in this allowlist.

Default value: AMCtxId

amster attribute: sessionPropertyWhitelist

Session Properties to return for session queries

A list of session properties that can be returned to admins in a REST session query response.

This setting may impact REST query performance - when session properties are added, the CTS token must be retrieved, and will be the subject of decryption and decompression, if configured.

Protected attributes will NOT be allowed to be set, edited or deleted, even if they are included in this list.

amster attribute: whitelistedQueryProperties

Social authentication implementations

amster service name: SocialAuthentication

Realm defaults

The following settings appear on the Realm Defaults tab:

Display Names

The display names for the implementations - this will be used to provide a name for the icon displayed on the login page. The key should be used across all the settings on this page to join them together.

For example:

Key

Value

google

Google

Default value: {}

amster attribute: displayNames

Authentication Chains

The name of the authentication chains that are the entry points to being authenticated by each respective social authentication provider. The key should correspond to a key used to define a Display Name above.

For example:

Key

Value

google

socialAuthChainGoogle

Default value: {}

amster attribute: authenticationChains

Icons

Either a full URL or a path relative to the base of the site/server where the image can be found. The image will be used on the login page to link to the authentication chain defined above. The key should correspond to a key used to define a Display Name above.

For example:

Key

Value

google

/images/google-sign-in.png

Default value: {}

amster attribute: icons

Enabled Implementations

Provide a key that has been used to define the settings above to enable that set of settings.

For example: google

amster attribute: enabledKeys

Social Identity Provider service

amster service name: SocialIdentityProviders

Realm defaults

The following settings appear on the Realm Defaults tab:

Enabled

Default value: true

amster attribute: enabled

Transaction Authentication service

amster service name: TransactionAuthentication

Realm defaults

The following settings appear on the Realm Defaults tab:

Time to Live

The number of seconds within which the transaction must be completed.

Default value: 180

amster attribute: timeToLive

UMA provider

amster service name: UmaProvider

Global Attributes

The following settings appear on the Global Attributes tab:

UMA Policy Upgrade Compatibility Mode

When this setting is enabled, AM creates backward-compatible UMA policies. Enable this setting when you are upgrading from servers prior to AM 7.2.0, and when you are upgrading multiple servers in a deployment at different times. Disable this setting when you have completed the upgrade for all AM instances in your deployment.

Default value: false

amster attribute: umaPolicyUpgradeCompatibilityMode

General

The following settings appear on the General tab:

Permission Ticket Lifetime (seconds)

The maximum life of a permission ticket before it expires, in seconds.

Default value: 120

amster attribute: permissionTicketLifetime

Delete user policies when Resource Server is removed

Delete all user policies that relate to a Resource Server when removing the OAuth2 agent entry or removing the uma_protection scope from the OAuth2 agent.

Default value: true

amster attribute: deletePoliciesOnDeleteRS

Delete resources when Resource Server is removed

Delete all resources that relate to a Resource Server when removing the OAuth2 agent entry or removing the uma_protection scope from the OAuth2 agent.

Default value: true

amster attribute: deleteResourceSetsOnDeleteRS

Pending Requests Enabled

Use the Pending Requests subsystem to notify the resource owner that an attempt was made to access their resource.

Default value: true

amster attribute: pendingRequestsEnabled

Email Resource Owner on Pending Request creation

Send an email to the Resource Owner when a Pending Request is created, when a Requesting Party requests access to a resource.

Default value: true

amster attribute: emailResourceOwnerOnPendingRequestCreation

Email Requesting Party on Pending Request approval

Send an email to the Requesting Party when a Pending Request is approved by the Resource Owner.

Default value: true

amster attribute: emailRequestingPartyOnPendingRequestApproval

Grant Resource Owner Implicit Consent

Implicitly grant the resource owner consent to the resource, regardless of policy conditions.

Default value: true

amster attribute: resourceOwnerImplicitConsent

User profile preferred Locale attribute

User profile attribute storing the user’s preferred locale.

Default value: inetOrgPerson

amster attribute: userProfileLocaleAttribute

Re-Sharing Mode

Specifies whether re-sharing is off or on implicitly for all users, allowing all users to re-share resources that have been shared with them.

The possible values for this property are:

  • Off

  • Implicit

Default value: Implicit

amster attribute: resharingMode

Grant RPTs…​

In UMA, scope comes from both the permission ticket and from the token request. An RPT is always granted when all scopes match, and is never granted when no scope matches. You can configure when RPTs are granted for partial match conditions here. For more information, see Assessment and Results Determination in the UMA 2.0 Grant Specification.

Default value:

When the scope from the request is partially matched.
When none of the scope from the request is matched.
When the scope from the ticket is partially matched.

amster attribute: grantRptConditions

Username attribute

The name of the attribute whose value must be specified by end users when sharing resources. For example, if a user wants to share a resource with another user, based on that user’s email address, set this value to mail.

The attribute that you set here must contain unique values; otherwise, a resource share can grant access to multiple users unintentionally.

If you leave this attribute empty, UMA policies are based on the attribute that the underlying data store considers the username (for example, the LDAP user search attribute). This behavior is compatible with previous AM versions. The UMA Postman Collection sets this value to uid, which works in most deployments.

Changing this setting can invalidate existing UMA authorizations.

Default value: None

amster attribute: usernameAttribute

Claims gathering

The following properties can be set on the Claims Gathering tab:

Interactive Claims Gathering Enabled

If this setting is enabled, and no PCT is provided on the request, the UMA provider returns a redirect_user hint to the client, where the requesting party can authenticate themselves.

Default value: false

amster attribute: interactiveClaimsGatheringEnabled

Claims Gathering Authentication Tree

The authentication tree to which the requesting party should be directed, in order to collect claims. This authentication tree should collect all claims necessary for successful UMA authorization.

Default value: None

amster attribute: claimsGatheringTree

Persisted Claims Token Lifetime (seconds)

During interactive claims gathering, AM can issue a PCT, that clients can use later during RPT flows, so that users don’t have to go through the interactive claims gathering process too frequently.

If a PCT is issued, this setting determines the interval (in seconds) that the PCT should be considered valid.

Default value: 604800 (7 days)

amster attribute: pctLifetime

User

amster service name: IdRepositoryUser

Dynamic attributes

The following settings appear on the Dynamic Attributes tab:

User Preferred Timezone

Time zone for accessing AM admin UI.

amster attribute: preferredTimezone

Administrator DN Starting View

Specifies the DN for the initial screen when the AM administrator successfully logs in to the AM admin UI.

amster attribute: adminDNStartingView

Default User Status

Inactive users cannot authenticate, although AM stores their profiles.

The possible values for this property are:

  • Active

  • Inactive

Default value: Active

amster attribute: defaultUserStatus

User Self-Service

amster service name: UserSelfService

General configuration

The following settings appear on the General Configuration tab:

Encryption Key Pair Alias

An encryption key alias in the AM server’s JCEKS keystore. Used to encrypt the JWT token that AM uses to track end users during User Self-Service operations.

For example, you might set this property to: selfserviceenctest

amster attribute: encryptionKeyPairAlias

Signing Secret Key Alias

A signing secret key alias in the AM server’s JCEKS keystore. Used to sign the JWT token that AM uses to track end users during User Self-Service operations.

For example, you might set this property to: selfservicesigntest

amster attribute: signingSecretKeyAlias

Google reCAPTCHA Site Key

Google reCAPTCHA plugin site key.

amster attribute: captchaSiteKey

Google reCAPTCHA Secret Key

Google reCAPTCHA plugin secret key.

amster attribute: captchaSecretKey

Google Re-captcha Verification URL

Google reCAPTCHA plugin verification URL.

amster attribute: captchaVerificationUrl

Security Questions

Specifies the default set of knowledge-based authentication (KBA) security questions. The security questions can be set for the User Self-Registration, forgotten password reset, and forgotten username services, respectively.

Format is unique key|locale|question.

Default value:

4|en|What is your mother&#39;s maiden name?
3|en|What was the name of your childhood pet?
2|en|What was the model of your first car?
1|en|What is the name of your favourite restaurant?

amster attribute: kbaQuestions

Minimum Answers to Define

Specifies the minimum number of KBA answers that users must define.

Default value: 1

amster attribute: minimumAnswersToDefine

Minimum Answers to Verify

Specifies the minimum number of KBA questions that users need to answer to be granted the privilege to carry out an action, such as registering for an account, resetting a password, or retrieving a username. Specify a value from 0 to 50.

Default value: 1

amster attribute: minimumAnswersToVerify

Valid Query Attributes

Specifies the valid query attributes used to search for the user. This is a list of attributes used to identify your account for forgotten password and forgotten username.

Default value:

uid
mail
givenName
sn

amster attribute: validQueryAttributes

User registration

The following settings appear on the User Registration tab:

User Registration

If enabled, new users can sign up for an account.

Default value: false

amster attribute: userRegistrationEnabled

Captcha

If enabled, users must pass a Google reCAPTCHA challenge during user self-registration to mitigate against software bots.

Default value: false

amster attribute: userRegistrationCaptchaEnabled

Email Verification

If enabled, users who self-register must perform email address verification.

Default value: true

amster attribute: userRegistrationEmailVerificationEnabled

Verify Email before User Detail

If enabled, email address verification will be performed first before user details screen is displayed. This will take effect only if Verify Email is enabled.

Default value: false

amster attribute: userRegistrationEmailVerificationFirstEnabled

Security Questions

If enabled, users must set up their security questions during the self-registration process.

Default value: false

amster attribute: userRegistrationKbaEnabled

Token Lifetime (seconds)

Maximum lifetime of the token allowing User Self-Registration, in seconds.

Default value: 300

amster attribute: userRegistrationTokenTTL

Outgoing Email Subject

Customize the User Self-Registration verification email subject text. Format is locale|subject text.

Default value: en|Registration email

amster attribute: userRegistrationEmailSubject

Outgoing Email Body

Customize the User Self-Registration verification email body text. Format is: locale|body text.

Default value: en|<h2>Click on this <a href="%link%">link</a> to register.</h2>

amster attribute: userRegistrationEmailBody

Valid Creation Attributes

Specifies an allowlist of user attributes that can be set during user creation.

Default value:

userPassword
mail
givenName
kbaInfo
inetUserStatus
sn
username

amster attribute: userRegistrationValidUserAttributes

Destination After Successful Self-Registration

The action to be taken after a user successfully registers a new account.

The possible values for this property are:

  • Label: User sent to 'successful registration' page (value: default). User is sent to a success page, without being logged in.

  • Label: User sent to login page (value: login). User is sent to the login page to authenticate.

  • Label: User is automatically logged in (value: auto-login). User is automatically logged in and sent to the appropriate page.

Default value: default

amster attribute: userRegisteredDestination

Forgotten password

The following settings appear on the Forgotten Password tab:

Forgotten Password

If enabled, users can reset their forgotten password.

Default value: false

amster attribute: forgottenPasswordEnabled

Captcha

If enabled, users must pass a Google reCAPTCHA challenge during password reset to mitigate against software bots.

Default value: false

amster attribute: forgottenPasswordCaptchaEnabled

Email Verification

If enabled, users who reset passwords must perform email address verification.

Default value: true

amster attribute: forgottenPasswordEmailVerificationEnabled

Security Questions

If enabled, users must answer their security questions during the forgotten password process.

Default value: false

amster attribute: forgottenPasswordKbaEnabled

Enforce password reset lockout

If enabled, users will be prevented from resetting their password after the configured number of failed attempts.

Default value: false

amster attribute: numberOfAttemptsEnforced

Lock Out After number of attempts

Can be set to 1 or more attempts for a user to correctly answer all their security questions. After the number of configured attempts the user has not correctly answered them the password reset feature will be disabled.

Default value: 1

amster attribute: numberOfAllowedAttempts

Token Lifetime (seconds)

Maximum lifetime for the token allowing forgotten password reset, in seconds.

Specify a value from 0 to 2147483647.

Default value: 300

amster attribute: forgottenPasswordTokenTTL

Outgoing Email Subject

Customize the forgotten password email subject text. Format is locale|subject text.

Default value: en|Forgotten password email

amster attribute: forgottenPasswordEmailSubject

Outgoing Email Body

Customize the forgotten password email body text. Format is locale|body text.

Default value: en|<h2>Click on this <a href="%link%">link</a> to reset your password.</h2>

amster attribute: forgottenPasswordEmailBody

Forgotten username

The following settings appear on the Forgotten Username tab:

Forgotten Username

If enabled, users can retrieve their forgotten username.

Default value: false

amster attribute: forgottenUsernameEnabled

Captcha

If enabled, users must pass a Google reCAPTCHA challenge during the forgotten username retrieval process to mitigate against software bots.

Default value: false

amster attribute: forgottenUsernameCaptchaEnabled

Security Questions

If enabled, users must answer their security questions during the forgotten username process.

Default value: false

amster attribute: forgottenUsernameKbaEnabled

Email Username

If enabled, users receive their forgotten username by email.

Default value: true

amster attribute: forgottenUsernameEmailUsernameEnabled

Show Username

If enabled, users see their forgotten username on the browser page.

Default value: false

amster attribute: forgottenUsernameShowUsernameEnabled

Token LifeTime (seconds)

Maximum lifetime for the token allowing forgotten username, in seconds.

Default value: 300

amster attribute: forgottenUsernameTokenTTL

Outgoing Email Subject

Customizes the forgotten username email subject text. Format is locale|subject text.

Default value: en|Forgotten username email

amster attribute: forgottenUsernameEmailSubject

Outgoing Email Body

Customizes the forgotten username email body text. Format is locale|body text.

Default value: en|<h2>Your username is <span style="color:blue">%username%</span>.</h2>

amster attribute: forgottenUsernameEmailBody

Profile management

The following settings appear on the Profile Management tab:

Protected Update Attributes

Specifies a profile’s protected user attributes, which causes re-authentication when the user attempts to modify these attributes.

amster attribute: profileProtectedUserAttributes

Self readable attributes

Specifies the list of attributes that users can view when accessing their user profile.

Default value:

uid
telephoneNumber
mail
kbaInfo
givenName
sn
cn

amster attribute: profileAttributeWhitelist

Advanced configuration

The following settings appear on the Advanced Configuration tab:

User Registration Confirmation Email URL

Specifies the confirmation URL that the user receives during the self-registration process. The ${realm} string is replaced with the current realm.

Default value: http://openam.example.com:8080/openam/XUI/?realm=${realm}#register/

amster attribute: userRegistrationConfirmationUrl

Forgotten Password Confirmation Email URL

Specifies the confirmation URL that the user receives after confirming their identity during the forgotten password process. The ${realm} string is replaced with the current realm.

Default value: http://openam.example.com:8080/openam/XUI/?realm=${realm}#passwordReset/

amster attribute: forgottenPasswordConfirmationUrl

User Registration Service Config Provider Class

Specifies the provider class to configure any custom plugins.

Default value: org.forgerock.openam.selfservice.config.flows.UserRegistrationConfigProvider

amster attribute: userRegistrationServiceConfigClass

Forgotten Password Service Config Provider Class

Specifies the provider class to configure any custom plugins.

Default value: org.forgerock.openam.selfservice.config.flows.ForgottenPasswordConfigProvider

amster attribute: forgottenPasswordServiceConfigClass

Forgotten Username Service Config Provider Class

Specifies the provider class to configure any custom plugins.

Default value: org.forgerock.openam.selfservice.config.flows.ForgottenUsernameConfigProvider

amster attribute: forgottenUsernameServiceConfigClass

Self-Service trees

amster service name: SelfServiceTrees

Realm defaults

The following settings appear on the Realm Defaults tab:

Enabled

Default value: true

amster attribute: enabled

Tree Mapping

Maps the self service function name (the key) to an authentication tree (the value).

Default value: {}

amster attribute: treeMapping

Validation service

amster service name: ValidationService

Global attributes

The following settings appear on the Global Attributes tab:

Valid goto URL Resources

List of valid goto URL resources.

Specifies a list of valid URLs for the goto and gotoOnFail query string parameters. AM only redirects a user after log in or log out to a URL in this list. If the URL is not in the list, AM redirects to either the user profile page, or the administration console. If this property is not set, AM will only allow URLs that match its domain; for example, domain-of-am-instance.com. Use the * wildcard to match all characters except ?.

Examples:

amster attribute: validGotoDestinations

Realm defaults

The following settings appear on the Realm Defaults tab:

Valid goto URL Resources

List of valid goto URL resources.

Specifies a list of valid URLs for the goto and gotoOnFail query string parameters. AM only redirects a user after log in or log out to a URL in this list. If the URL is not in the list, AM redirects to either the user profile page, or the administration console. If this property is not set, AM will only allow URLs that match its domain; for example, domain-of-am-instance.com. Use the * wildcard to match all characters except ?.

Examples:

amster attribute: validGotoDestinations

WebAuthn Profile Encryption service

amster service name: AuthenticatorWebAuthn

Realm defaults

The following settings appear on the Realm Defaults tab:

Profile Storage Attribute

The user’s attribute in which to store WebAuthn profiles.

The default attribute is added to the schema when you prepare a user store for use with AM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying webauthn with AM. AM must be able to write to the attribute.

Default value: webauthnDeviceProfiles

amster attribute: webauthnAttrName

Device Profile Encryption Scheme

Encryption scheme to use to secure device profiles stored on the server.

If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.

AES-256 may require installation of the JCE Unlimited Strength policy files.

The possible values for this property are:

  • Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (value: RSAES_AES256CBC_HS512)

  • Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (value: RSAES_AES128CBC_HS256)

  • Label: No encryption of device settings (value: NONE)

Default value: NONE

amster attribute: authenticatorWebAuthnDeviceSettingsEncryptionScheme

Encryption Key Store

Path to the key store from which to load encryption keys.

For greater security, store encryption key information in a secret store, instead of in the configuration. Use the secret label am.services.authenticatorwebauthn.encryption to map an alias for WebAuthn service secrets.

If you update encryption key information in the configuration or in the secret stores, users with existing device profiles will no longer be able to log in using this service. Delete the user’s device profile from their entry in the identity store so that the user can create a new one when they next log in.

If AM finds a matching secret for the am.services.authenticatorwebauthn.encryption label in a secret store, this value is ignored.

Default value: /path/to/openam/security/keystores/keystore.jceks

amster attribute: authenticatorWebAuthnDeviceSettingsEncryptionKeystore

Key Store Type

Type of key store to load.

PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.

Refer to the JDK 8 PKCS#11 Reference Guide for more details.

If AM finds a matching secret for the am.services.authenticatorwebauthn.encryption label in a secret store, this value is ignored.

The possible values for this property are:

  • Label: Java Key Store (JKS) (value: JKS)

  • Label: Java Cryptography Extension Key Store (JCEKS) (value: JCEKS)

  • Label: PKCS#11 Hardware Crypto Storage (value: PKCS11)

  • Label: PKCS#12 Key Store (value: PKCS12)

Default value: JCEKS

amster attribute: authenticatorWebAuthnDeviceSettingsEncryptionKeystoreType

Key Store Password

Password to unlock the key store. AM encrypts this password when you save it in the configuration. You should modify the default value.

If AM finds a matching secret for the am.services.authenticatorwebauthn.encryption label in a secret store, this value is ignored.

amster attribute: authenticatorWebAuthnDeviceSettingsEncryptionKeystorePassword

Key-Pair Alias

Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.

If AM finds a matching secret for the am.services.authenticatorwebauthn.encryption label in a secret store, this value is ignored.

amster attribute: authenticatorWebAuthnDeviceSettingsEncryptionKeystoreKeyPairAlias

Private Key Password

Password to unlock the private key.

If AM finds a matching secret for the am.services.authenticatorwebauthn.encryption label in a secret store, this value is ignored.

amster attribute: authenticatorWebAuthnDeviceSettingsEncryptionKeystorePrivateKeyPassword