Differences

This shows you the differences between two versions of the page.

tutorial:adm:modules_openam [2017/12/06 17:53]
apeterova openam - note about secured cookie
tutorial:adm:modules_openam [2018/06/15 15:33] (current)
apeterova multiple instances, realms
Line 10: Line 10:
 ===== SSO ===== ===== SSO =====
 Single-Sign-On functionality of the OpenAM module is done by a new authentication filter. When unauthenticated users come to CzechIdM and have the cookie with OpenAM token, the value of the token is validated against OpenAM. If the token is valid, the filter retrieves the user's login from OpenAM attributes and logs the user in. Single-Sign-On functionality of the OpenAM module is done by a new authentication filter. When unauthenticated users come to CzechIdM and have the cookie with OpenAM token, the value of the token is validated against OpenAM. If the token is valid, the filter retrieves the user's login from OpenAM attributes and logs the user in.
 +
 +===== Multiple instances and realms =====
 +The module supports multiple instances of OpenAM. The URLs must be configured in the property ''​idm.sec.openam.base.url''​ separated by a comma. Authentication or token validation uses the configured instances one by one. The first instance that returns a success is the winner (no more calls are made to remaining instances).
 +
 +The module also supports authentication realms in OpenAM. If configured, the realm(s) are used during authentication in the same order as the configured URLs of the instances.
  
 ===== REST endpoint ===== ===== REST endpoint =====
 The module also provides a REST endpoint ''/​get-attributes''​ for retrieving OpenAM attributes for given SSO token. When calling the endpoint, the user's session by OpenAM can be refreshed (this is an optional parameter, default is false). The module also provides a REST endpoint ''/​get-attributes''​ for retrieving OpenAM attributes for given SSO token. When calling the endpoint, the user's session by OpenAM can be refreshed (this is an optional parameter, default is false).
 +
 +The attributes are returned in lower case.
  
 ===== Installation ===== ===== Installation =====
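Review bot: The added "Multiple instances and realms" section in this hunk does not say what happens when a configured instance fails to respond at all (connection error or timeout) as opposed to returning a negative answer; state whether the filter moves on to the next URL or aborts, since that decides both failover behaviour and whether a token that is valid on only one instance can still be validated when that instance is unreachable. The "/get-attributes" addition in the same hunk should also say how the SSO token is supplied to the endpoint and whether the caller must itself be authenticated, because the endpoint returns identity attributes for the supplied token and, with the refresh parameter set, extends the user's OpenAM session as a side effect; the note that attributes are returned in lower case would sit better next to the idm.sec.openam.returned.attributes row than on its own.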
Line 25: Line 32:
 The module provides following configuration properties: The module provides following configuration properties:
 ^ Property ​    ^ Description ^ ^ Property ​    ^ Description ^
-| idm.sec.openam.base.url | REQUIRED. Base URL of the REST API (e.g. ''​https://​amhost.domain.tld/​opensso/​identity''​) |+|idm.sec.openam.base.url | REQUIRED. Base URL of the REST API (e.g. ''​https://​amhost.domain.tld/​openam/​identity''​). The property may contain multiple instances comma-separated.| 
 +|idm.sec.openam.login.payload|The string that is appended to the authentication request, usually realm (e.g. ''​uri=realm=/​customers''​). If multiple URLs are configured, configure this property also as multivalued and in the order corresponding to those URLs. (default: //empty//)|
 |idm.sec.openam.login.attr.name |Name of the OpenAM attribute which holds user login (default: uid) | |idm.sec.openam.login.attr.name |Name of the OpenAM attribute which holds user login (default: uid) |
 |idm.sec.openam.sso.cookie.name |Name of the cookie which holds OpenAM token (default: iPlanetDirectoryPro)| |idm.sec.openam.sso.cookie.name |Name of the cookie which holds OpenAM token (default: iPlanetDirectoryPro)|
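Review bot: The new idm.sec.openam.login.payload row should name the separator used for the multivalued form (presumably the same comma as idm.sec.openam.base.url) and say what happens when the number of payload values differs from the number of URLs, since a misaligned list would send a realm to the wrong instance; one sentence on whether a single value may be given to apply to every instance would cover the common case. The corrected base URL example (''https://amhost.domain.tld/openam/identity'') is fine, but the row should make clear that each comma-separated entry is a full base URL in the same form.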
Line 31: Line 39:
 |idm.sec.openam.sso.cookie.httponly|Whether the cookie should have Http-Only sign (default: true)| |idm.sec.openam.sso.cookie.httponly|Whether the cookie should have Http-Only sign (default: true)|
 |idm.sec.openam.sso.cookie.secure|Whether the cookie should be sent for encrypted sessions only (https) (default: true)| |idm.sec.openam.sso.cookie.secure|Whether the cookie should be sent for encrypted sessions only (https) (default: true)|
-|idm.sec.openam.returned.attributes|Which attributes will be returned by /​get-attributes endpoint (default: uid,​dn,​destinationindicator,​ou)|+|idm.sec.openam.returned.attributes|Which attributes will be returned by /​get-attributes endpoint, written in lower case (default: uid,​dn,​destinationindicator,​ou)
 +|idm.sec.openam.connect.timeout |The time limit to establish the connection in ms (default: 2000), change requires restart | 
 +|idm.sec.openam.socket.timeout |The time limit waiting for data after the connection was established in ms (default: 2000), change requires restart ​|
  
 ==== Notes ==== ==== Notes ====
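Review bot: The new idm.sec.openam.returned.attributes row in this hunk drops the closing ''|'' cell delimiter, so the row will not render as part of the table; restore it as ''...(default: uid,dn,destinationindicator,ou)|''. The two timeout rows added here combine with the sequential fallback over multiple instances described earlier in the diff: every unreachable instance costs up to connect timeout plus socket timeout before the next one is tried, so the worst-case login delay grows with the number of configured URLs; a sentence in Notes on sizing these values for that case would help operators, as would repeating that both require a restart.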