Authentication module properties :: AM 7.3.0 (2023)

The default settings are for Facebook.

Client id

Specifies the OAuth 2.0 client_id parameter as described insection 2.2 of RFC 6749.

amster attribute: clientId

ssoadm attribute: iplanet-am-auth-oauth-client-id

Client Secret

Specifies the OAuth 2.0 client_secret parameter as described insection 2.3 of RFC 6749.

amster attribute: clientSecret

ssoadm attribute: iplanet-am-auth-oauth-client-secret

Authentication Endpoint URL

Specifies the URL to the endpoint handling OAuth 2.0 authentication as described insection 3.1 of RFC 6749.

amster attribute: authenticationEndpointUrl

ssoadm attribute: iplanet-am-auth-oauth-auth-service

Access Token Endpoint URL

Specifies the URL to the endpoint handling access tokens as described insection 3.2 of RFC 6749.

amster attribute: accessTokenEndpointUrl

ssoadm attribute: iplanet-am-auth-oauth-token-service

User Profile Service URL

Specifies the user profile URL that returns profile information in JSON format.

amster attribute: userProfileServiceUrl

ssoadm attribute: iplanet-am-auth-oauth-user-profile-service


Specifies a space-delimited list of user profile attributes that the client application requires,according to The OAuth 2.0 Authorization Framework.The list depends on the permissions that the resource owner, such as the end user, grants to the client application.

Some authorization servers use non-standard separators for scopes. Facebook, for example, takes a comma-separated list.

Default: email,read_stream (Facebook example)

amster attribute: scope

ssoadm attribute: iplanet-am-auth-oauth-scope

OAuth2 Access Token Profile Service Parameter name

Specifies the name of the parameter that contains the access token value when accessing the profile service.

Default: access_token.

amster attribute: accessTokenParameterName

ssoadm attribute: iplanet-am-auth-oauth-user-profile-param

Proxy URL

Sets the URL to the /oauth2c/OAuthProxy.jspfile, which provides AM with GET to POST proxying capabilities.Change this URL only if an external server performs the GET to POST proxying.

Default: @SERVER_PROTO@://@SERVER_HOST@:@SERVER_PORT@/@SERVER_URI@/oauth2c/OAuthProxy.jsp.

amster attribute: ssoProxyUrl

ssoadm attribute: iplanet-am-auth-oauth-sso-proxy-url

Account Provider

Specifies the name of the class that implements the account provider.

Default: org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider

amster attribute: accountProviderClass

ssoadm attribute: org-forgerock-auth-oauth-account-provider

Account Mapper

Specifies the name of the class that implements the attribute mapping for the account search.

For Google implementations,use _org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper|*|Google-+.

For Facebook implementations,use org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|*|facebook-.

Default: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper

amster attribute: accountMapperClass

ssoadm attribute: org-forgerock-auth-oauth-account-mapper

Account Mapper Configuration

Specifies the attribute configuration used to map the account of the user authenticated in the OAuth 2.0 providerto the local data store in AM.Valid values are in the form provider-attr=local-attr.

When using the org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper class,you can parse JSON objects in mappings, by using dot notation.

For example, given a JSON payload of:

{ "sub" : "12345", "name" : { "first_name" : "Demo", "last_name" : "User" }}

You can create a mapper, such as name.first_name=cn.

Default: email=mail and id=facebook-id.

amster attribute: accountMapperConfiguration

ssoadm attribute: org-forgerock-auth-oauth-account-mapper-configuration

Attribute Mapper

Specifies the list of fully qualified class names for implementationsthat map attributes from the OAuth 2.0 authorization server or OpenID Connect provider to AM profile attributes.

Default: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper

Provided implementations are:org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper,org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper (can only be used when using the openid scope)

You can provide string constructor parameters by appending pipe (|) separated values.

For example, the org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper classcan take two constructor parameters: a comma-separated list of attributes and a prefix to apply to their values.Specify these as follows:


amster attribute: attributeMappingClasses

ssoadm attribute: org-forgerock-auth-oauth-attribute-mapper

Attribute Mapper Configuration

Map of OAuth 2.0 provider user account attributes to local user profile attributes,with values in the form provider-attr=local-attr.

When using the org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper class,you can parse JSON objects in mappings, by using dot notation.

For example, given a JSON payload of:

{ "sub" : "12345", "name" : { "first_name" : "Demo", "last_name" : "User" }}

You can create a mapper, such as name.first_name=cn.

Default: first_name=givenname, last_name=sn, name=cn, email=mail, id=facebook-id, first_name=facebook-fname,last_name=facebook-lname, email=facebook-email.

amster attribute: attributeMapperConfiguration

ssoadm attribute: org-forgerock-auth-oauth-attribute-mapper-configuration

Save attributes in the session

When enabled, saves the attributes in the Attribute Mapper Configuration field to the AM session.

amster attribute: saveAttributesInSession

ssoadm attribute: org-forgerock-auth-oauth-save-attributes-to-session-flag

Email attribute in OAuth2 Response

Specifies the attribute identifying the authenticated user’s email address in the responsefrom the profile service in the OAuth 2.0 provider.This setting is used to send an email message with an activation code for accounts created dynamically.

amster attribute: oauth2EmailAttribute

ssoadm attribute: org-forgerock-auth-oauth-mail-attribute

Create account if it does not exist

When enabled, AM creates an account for the user if the user profile does not exist.If the Prompt for password setting and activation code attribute is enabled,AM prompts the user for a password and activation code before creating the account.

When the OAuth 2.0/OpenID Connect client is configured to create new accounts, the SMTP settings must also be valid.As part of account creation, the OAuth 2.0/OpenID Connect client authentication modulesends the resource owner an email with an account activation code.To send the mail,AM uses the SMTP settings you provide here in the OAuth 2.0/OpenID Connect client configuration.

When disabled, a user without a profile may still log into AMif the Ignore Profile attribute is set in the authentication service of the realm,or if the account is mapped to an anonymous account.

amster attribute: createAccount

ssoadm attribute: org-forgerock-auth-oauth-createaccount-flag

Prompt for password setting and activation code

When enabled, the user must set a password before AM creates an account dynamically.An activation code is also sent to the user’s email address.Both the password and the code are required before the account is created.

amster attribute: promptForPassword

ssoadm attribute: org-forgerock-auth-oauth-prompt-password-flag

Map to anonymous user

When enabled, maps the OAuth 2.0 authenticated user to the specified anonymous user.If the Create account if it does not exist property is enabled,AM creates an account for the authenticated user instead of mapping the account to the anonymous user.

amster attribute: mapToAnonymousUser

ssoadm attribute: org-forgerock-auth-oauth-map-to-anonymous-flag

Anonymous User

Specifies an anonymous user that exists in the current realm. The user status of this anonymous user must be Active.The Map to anonymous user property maps authorized users without a profile to this anonyomus user, if enabled.

Default: anonymous.

amster attribute: anonymousUserName

ssoadm attribute: org-forgerock-auth-oauth-anonymous-user

OAuth 2.0 Provider logout service

Specifies the optional URL of the OAuth 2.0 provider’s logout service, if required.

amster attribute: oauth2LogoutServiceUrl

ssoadm attribute: org-forgerock-auth-oauth-logout-service-url

Logout options

Specifies whether not to log the user out without prompting from the OAuth 2.0 provider on logout,to log the user out without prompting, or to prompt the user regarding whether to log out from the OAuth 2.0 provider.

Valid values are:

  • prompt, to ask the user whether or not to log out from the OAuth 2.0 provider.

  • logout, to log the user out of the OAuth 2.0 provider without prompting.

  • donotlogout, to keep the user logged in to the OAuth 2.0 provider. There is no prompt to the user.

Default: prompt.

amster attribute: logoutBehaviour

ssoadm attribute: org-forgerock-auth-oauth-logout-behaviour

Mail Server Gateway implementation class

Specifies the class used by the module to send email.A custom subclass of org.forgerock.openam.authentication.modules.oauth2.EmailGateway class can be provided.

Default: org.forgerock.openam.authentication.modules.oauth2.DefaultEmailGatewayImpl

amster attribute: mailGatewayClass

ssoadm attribute: org-forgerock-auth-oauth-email-gwy-impl

SMTP host

Specifies the host name of the mail server.

Default: localhost.

amster attribute: smtpHostName

ssoadm attribute: org-forgerock-auth-oauth-smtp-hostname

SMTP port

Specifies the SMTP port number for the mail server.

Default: 25.

amster attribute: smtpHostPort

ssoadm attribute: org-forgerock-auth-oauth-smtp-port

SMTP User Name, SMTP User Password

Specifies the username and password AM uses to authenticate to the mail server.

ssoadm attribute: org-forgerock-auth-oauth-smtp-username and org-forgerock-auth-oauth-smtp-password.

SMTP SSL Enabled

When enabled, connects to the mail server over SSL.AM must be able to trust the SMTP server certificate.

amster attribute: smtpSslEnabled

ssoadm attribute: org-forgerock-auth-oauth-smtp-ssl_enabled

SMTP From address

Specifies the address of the email sender, such as


amster attribute: smtpFromAddress

ssoadm attribute: org-forgerock-auth-oauth-smtp-email-from

Authentication Level

Sets the authentication level used to indicate the level of security associated with the module.The value can range from 0 to any positive integer.

Default: 0.

amster attribute: authenticationLevel

ssoadm attribute: iplanet-am-auth-oauth-auth-level

OpenID Connect validation configuration type

Validates the ID token from the OpenID Connect provider.The module needs either a URL to get the public keys for the provideror the symmetric key for an ID token signed with a HMAC-based algorithm.

By default, the configuration type is .well-known/openid-configuration_url.This means the module should retrieve the keysbased on information in the OpenID Connect provider configuration document.

You can instead configure the authentication module to validate the ID token signaturewith the client secret key you provide, or to validate the ID token with the keys retrieved from the URLto the OpenID Connect provider’s JSON web key set.

/oauth2/realms/root/.well-known/openid-configuration_url (Default)

Retrieve the provider keys based on the information provided in the OpenID Connect Provider Configuration Document.

Specify the URL to the document as the discovery URL.


Use the client secret that you specify as the key to validate the ID token signatureaccording to the HMAC by using the client secret to the decrypt the hash,and then checking that the hash matches the hash of the ID token JWT.


Retrieve the provider’s JSON web key set as the URL that you specify.

amster attribute: cryptoContextType

ssoadm attribute: openam-auth-openidconnect-crypto-context-type

OpenID Connect validation configuration value

Edit this field depending on the Configuration typeyou specified in the OpenId Connect validation configuration type field.

amster attribute: cryptoContextValue

ssoadm attribute: openam-auth-openidconnect-crypto-context-value

Token Issuer

Required when the openid scope is included. Value must match the iss field in the issued ID token.For example,

The issuer value MUST be provided when OAuth 2.0 Mix-Up Mitigation is enabled.For more information, see OAuth 2.0 Mix-Up Mitigation.

amster attribute: idTokenIssuer

ssoadm attribute: openam-auth-openidconnect-issuer-name

The following table shows endpoint URLs for AM when configured as an OAuth 2.0 provider.For details, see OAuth 2.0.The default endpoints are for Facebook as the OAuth 2.0 provider.

In addition to the endpoint URLs you can set other fields, like scope and attribute mapping,depending on the provider you use:

OAuth 2.0 Mix-Up Mitigation

AM has added a new property to the OAuth 2.0 authentication module,openam-auth-oauth-mix-up-mitigation-enabled.This OAuth 2.0 Mix-Up Mitigation property controlswhether the OAuth 2.0 authentication module carries out additional verification stepswhen it receives the authorization code from the authorization server.This setting should be only enabled when the authorization server also supports OAuth 2.0 Mix-Up Mitigation.

OAuth 2.0 Mix-Up Mitigation Enabled

Specifies that the client must compare the issuer identifier of the authorization serverupon registration with the issuer value returned in the iss response parameter.If they do not match, the client must abort the authorization process.The client must also confirm that the authorization server’s response is intended for the clientby comparing the client’s client identifier to the value of the client_id response parameter.

At the time of this release, Facebook, Google, and Microsoft identity providers do not support this draft.

amster attribute: mixUpMitigation

ssoadm attribute: openam-auth-oauth-mix-up-mitigation-enabled

In the AM admin UI, the field Token Issuer must be provided when the OAuth 2.0 Mix-Up Mitigation feature is enabled.The authorization code response will contain an issuer value (iss) that will be validated by the client.When the module is an OAuth2-only module (that is, OIDC is not used),the issuer value needs to be explicitly set in the Token Issuer field, so that the validation can succeed.

Consult with the authorization server’s documentation on what value it uses for the issuer field.
Top Articles
Latest Posts
Article information

Author: Mr. See Jast

Last Updated: 07/29/2023

Views: 5966

Rating: 4.4 / 5 (75 voted)

Reviews: 90% of readers found this page helpful

Author information

Name: Mr. See Jast

Birthday: 1999-07-30

Address: 8409 Megan Mountain, New Mathew, MT 44997-8193

Phone: +5023589614038

Job: Chief Executive

Hobby: Leather crafting, Flag Football, Candle making, Flying, Poi, Gunsmithing, Swimming

Introduction: My name is Mr. See Jast, I am a open, jolly, gorgeous, courageous, inexpensive, friendly, homely person who loves writing and wants to share my knowledge and understanding with you.