tutorial:adm:modules_openam [2017/12/06 17:53] apeterova: openam - note about secured cookie
tutorial:adm:modules_openam [2018/06/15 15:33] apeterova: multiple instances, realms
Line 1: | Line 1: | ||
+ | ====== Modules - OpenAM: installation and configuration ====== | ||
+ | The module uses [[https:// | ||
+ | |||
+ | ===== Authentication token ===== | ||
+ | Token for successfully authenticated users is set to the cookie of the (default) name iPlanetDirectoryPro for the current request domain. | ||
+ | |||
+ | The cookie is set only for secured (https) connections by default. If you need to set it for unsecured connections, | ||
+ | |||
+ | ===== SSO ===== | ||
+ | Single-Sign-On functionality of the OpenAM module is done by a new authentication filter. When unauthenticated users come to CzechIdM and have the cookie with OpenAM token, the value of the token is validated against OpenAM. If the token is valid, the filter retrieves the user's login from OpenAM attributes and logs the user in. | ||
+ | |||
+ | ===== Multiple instances and realms ===== | ||
+ | The module supports multiple instances of OpenAM. The URLs must be configured in the property '' | ||
+ | |||
+ | The module also supports authentication realms in OpenAM. If configured, the realm(s) are used during authentication in the same order as the configured URLs of the instances. | ||
+ | |||
+ | ===== REST endpoint ===== | ||
+ | The module also provides a REST endpoint ''/ | ||
+ | |||
+ | The attributes are returned in lower case. | ||
+ | |||
+ | ===== Installation ===== | ||
+ | Download the openam distribution package. The package contains a backend folder. Your IdM Tomcat installation we call IDM in the following example. | ||
+ | - Copy content of the backend folder into your tomcat IdM installation - [IDM]/ | ||
+ | - Set correct access rights to the files if needed ('' | ||
+ | - Restart the IdM application server ('' | ||
+ | - Log in to CzechIdM as an privileged user and go to Settings -> Modules and enable the openam module. | ||
+ | - Go to the configuration and configure the OpenAM base url configuration property (see below). | ||
+ | |||
+ | ===== Configuration ===== | ||
+ | The module provides following configuration properties: | ||
+ | ^ Property | ||
+ | |idm.sec.openam.base.url | REQUIRED. Base URL of the REST API (e.g. '' | ||
+ | |idm.sec.openam.login.payload|The string that is appended to the authentication request, usually realm (e.g. '' | ||
+ | |idm.sec.openam.login.attr.name |Name of the OpenAM attribute which holds user login (default: uid) | | ||
+ | |idm.sec.openam.sso.cookie.name |Name of the cookie which holds OpenAM token (default: iPlanetDirectoryPro)| | ||
+ | |idm.sec.openam.sso.cookie.domain|Domain, | ||
+ | |idm.sec.openam.sso.cookie.httponly|Whether the cookie should have Http-Only sign (default: true)| | ||
+ | |idm.sec.openam.sso.cookie.secure|Whether the cookie should be sent for encrypted sessions only (https) (default: true)| | ||
+ | |idm.sec.openam.returned.attributes|Which attributes will be returned by / | ||
+ | |idm.sec.openam.connect.timeout |The time limit to establish the connection in ms (default: 2000), change requires restart | | ||
+ | |idm.sec.openam.socket.timeout |The time limit waiting for data after the connection was established in ms (default: 2000), change requires restart | | ||
+ | |||
+ | ==== Notes ==== | ||
+ | Note that the module doesn' | ||
+ | |||
+ | The module has only the backend part. |
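Review bot: the cookie paragraph in the Authentication token section ("The cookie is set only for secured (https) connections by default. If you need to set it for unsecured connections,") stops mid-sentence as rendered, so the reader is never told which property is meant or what relaxing it costs. The cookie carries the OpenAM session token and the relevant switch is ''idm.sec.openam.sso.cookie.secure'' (default: true) from the Configuration table, so finish the sentence by naming that property and stating plainly that turning it off lets the token travel over plaintext HTTP. The Notes section has the same problem ("Note that the module doesn'" is cut off). Two wording fixes: in the Configuration table "Http-Only sign" should read "HttpOnly flag", and in Installation "an privileged user" should be "a privileged user".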