Differences
This shows you the differences between two versions of the page.
Older revision (left column): tutorial:adm:modules_openam [2018/06/15 15:33] apeterova (multiple instances, realms)
Newer revision (right column): tutorial:adm:modules_openam [2020/06/22 16:52] apeterova (mostly moved to admin guide, added info about OpenAM version)
Line 1: | Line 1: | ||
====== Modules - OpenAM: installation and configuration ====== | ====== Modules - OpenAM: installation and configuration ====== | ||
- | The module uses [[https:// | + | This tutorial will help you easily install |
- | + | ||
- | ===== Authentication token ===== | + | |
- | Token for successfully authenticated users is set to the cookie of the (default) name iPlanetDirectoryPro for the current request domain. | + | |
- | + | ||
- | The cookie is set only for secured (https) connections by default. If you need to set it for unsecured connections, | + | |
- | + | ||
- | ===== SSO ===== | + | |
- | Single-Sign-On functionality of the OpenAM module | + | |
- | + | ||
- | ===== Multiple instances and realms ===== | + | |
- | The module supports multiple instances of OpenAM. The URLs must be configured in the property '' | + | |
- | + | ||
- | The module also supports authentication realms in OpenAM. If configured, | + | |
- | + | ||
- | ===== REST endpoint ===== | + | |
- | The module | + | |
- | + | ||
- | The attributes are returned in lower case. | + | |
===== Installation ===== | ===== Installation ===== | ||
- | Download the openam distribution package. The package contains a backend folder. Your IdM Tomcat installation we call IDM in the following example. | + | Download the idm-openam |
- Copy content of the backend folder into your tomcat IdM installation - [IDM]/ | - Copy content of the backend folder into your tomcat IdM installation - [IDM]/ | ||
- Set correct access rights to the files if needed ('' | - Set correct access rights to the files if needed ('' | ||
- Restart the IdM application server ('' | - Restart the IdM application server ('' | ||
- Log in to CzechIdM as an privileged user and go to Settings -> Modules and enable the openam module. | - Log in to CzechIdM as an privileged user and go to Settings -> Modules and enable the openam module. | ||
- | - Go to the configuration and configure the OpenAM base url configuration | + | - Go to the configuration and configure the properties needed for the communication with OpenAM |
+ | |||
+ | ===== Basic configuration ===== | ||
+ | |||
+ | First, you need to know the address of your running OpenAM instance (or instances) and its version. | ||
+ | |||
+ | Based on that, set the following configuration properties: | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | If your OpenAM installation uses realms for the users, you may need to set '' | ||
- | ===== Configuration ===== | + | If you run multiple instances |
- | The module provides following configuration properties: | + | |
- | ^ Property | + | |
- | |idm.sec.openam.base.url | REQUIRED. Base URL of the REST API (e.g. '' | + | |
- | |idm.sec.openam.login.payload|The string that is appended | + | |
- | |idm.sec.openam.login.attr.name |Name of the OpenAM attribute which holds user login (default: uid) | | + | |
- | |idm.sec.openam.sso.cookie.name |Name of the cookie which holds OpenAM token (default: iPlanetDirectoryPro)| | + | |
- | |idm.sec.openam.sso.cookie.domain|Domain, | + | |
- | |idm.sec.openam.sso.cookie.httponly|Whether the cookie should have Http-Only sign (default: true)| | + | |
- | |idm.sec.openam.sso.cookie.secure|Whether the cookie should be sent for encrypted sessions only (https) (default: true)| | + | |
- | |idm.sec.openam.returned.attributes|Which attributes will be returned by / | + | |
- | |idm.sec.openam.connect.timeout |The time limit to establish the connection in ms (default: 2000), change requires restart | | + | |
- | |idm.sec.openam.socket.timeout |The time limit waiting for data after the connection was established in ms (default: 2000), change requires restart | | + | |
- | ==== Notes ==== | + | That's it! You probably don' |
- | Note that the module doesn't provide " | + | |
- | The module has only the backend part. | + | All available properties are documented in the [[devel: |
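Review bot: the security-relevant defaults disappear from this tutorial with the removal of the Authentication token section ("The cookie is set only for secured (https) connections by default. If you need to set it for unsecured connections, ...") and of the property table rows for `idm.sec.openam.sso.cookie.secure` and `idm.sec.openam.sso.cookie.httponly` (both default true); the new Basic configuration section replaces them only with "That's it! You probably don'..." and a pointer to "All available properties are documented in the [[devel:...". Keep a one-sentence note in the tutorial itself, right after the two property bullets under Basic configuration, that the OpenAM token cookie is Secure and HttpOnly by default and that relaxing either setting exposes the token on unencrypted or script-accessible connections, so an administrator who follows only this page still sees the caveat before changing those properties. The same applies to the dropped "change requires restart" remark on `idm.sec.openam.connect.timeout` and `idm.sec.openam.socket.timeout`, and to the dropped note "The module has only the backend part.", which nothing in the new text restates.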