PingAM 8.0.0

Core authentication attributes

Every AM realm has a set of authentication properties that applies to all authentication performed to that realm. The settings are referred to as core authentication attributes.

To configure core authentication attributes for an entire AM deployment, go to Configure > Authentication in the AM admin UI, and click Core Attributes.

To override the global core authentication configuration in a realm, go to Realms > Realm Name > Authentication > Settings in the AM admin UI.

amster service name: Authentication

ssoadm service name: iPlanetAMAuthService

Global Attributes

The following properties are available under the Global Attributes tab:

Pluggable Authentication Module Classes

This property was used only for authentication with modules and chains and is no longer documented.

LDAP Connection Pool Size

Sets a minimum and a maximum number of LDAP connections to be used by any authentication node that connects to a specific directory server. This connection pool is different to the SDK connection pool configured in the serverconfig.xml file.

Format is host:port:minimum:maximum.

amster attribute: ldapConnectionPoolSize

ssoadm attribute: iplanet-am-auth-ldap-connection-pool-size

Default LDAP Connection Pool Size

Sets the default minimum and maximum number of LDAP connections to be used by any authentication node that connects to any directory server. This connection pool is different to the SDK connection pool configured in the serverconfig.xml file.

Format is minimum:maximum.

When tuning for production, start with 10 minimum, 65 maximum. For example, 10:65.

amster attribute: ldapConnectionPoolDefaultSize

ssoadm attribute: iplanet-am-auth-ldap-connection-pool-default-size

Remote Auth Security

When enabled, AM requires the authenticating application to send its SSO token. This allows AM to obtain the username and password associated with the application.

amster attribute: remoteAuthSecurityEnabled

ssoadm attribute: sunRemoteAuthSecurityEnabled

Keep Post Process Objects for Logout Processing

When enabled, AM stores instances of post-processing classes into the authenticated session. When the user logs out, the original post-processing classes are called instead of new instances. This may be required for special logout processing.

Enabling this setting increases the memory usage of AM.

amster attribute: keepPostProcessInstances

ssoadm attribute: sunAMAuthKeepPostProcessInstances

Core

The following properties are available under the Core tab:

Administrator Authentication Configuration

The default authentication tree used when an administrative user, such as amAdmin, logs in to the AM admin UI.

You can’t set a tree configured to always run as the default authentication tree.

ssoadm attribute: iplanet-am-auth-admin-auth-module

Organization Authentication Configuration

The default authentication tree used when a non-administrative user logs in to AM.

You can’t set a tree configured to always run as the default authentication tree.

amster attribute: orgConfig

ssoadm attribute: iplanet-am-auth-org-config

User Profile

The following properties are available under the User Profile tab:

User Profile

Specifies whether a user profile needs to exist in the user datastore, or should be created on successful authentication. The possible values are:

true. Dynamic.

After successful authentication, AM creates a user profile if one does not already exist. AM then issues the SSO token. AM creates the user profile in the user datastore configured for the realm.

createAlias. Dynamic with User Alias.

After successful authentication, AM creates a user profile that contains the User Alias List attribute, which defines one or more aliases for mapping a user’s multiple profiles.

ignore. Ignored.

After successful authentication, AM issues an SSO token regardless of whether a user profile exists in the datastore. The presence of a user profile is not checked.

Any functionality which needs to map values to profile attributes, such as SAML or OAuth 2.0, will not operate correctly if the User Profile property is set to ignore.

false. Required.

After successful authentication, the user must have a user profile in the user datastore configured for the realm in order for AM to issue an SSO token.

ssoadm attribute: iplanet-am-auth-dynamic-profile-creation. Set this attribute’s value to one of the following: true, createAlias, ignore, or false.

User Profile Dynamic Creation Default Roles

Specifies the distinguished name (DN) of a role to be assigned to a new user whose profile is created when either the true or createAlias options are selected under the User Profile property. There are no default values. The role specified must be within the realm for which the authentication process is configured.

This role can’t be a filtered role. If you want to automatically assign specific services to the user, configure the Required Services property in the user profile.

This functionality is deprecated.

amster attribute: defaultRole

ssoadm attribute: iplanet-am-auth-default-role

Alias Search Attribute Name

After a user is successfully authenticated, the user’s profile is retrieved. AM first searches for the user based on the datastore settings. If that fails to find the user, AM will use the attributes listed here to look up the user profile. This setting accepts any datastore specific attribute name.

amster attribute: aliasAttributeName

ssoadm attribute: iplanet-am-auth-alias-attr-name

If the Alias Search Attribute Name property is empty, AM uses the iplanet-am-auth-user-naming-attr property from the iPlanetAMAuthService. The iplanet-am-auth-user-naming-attr property is only configurable through the ssoadm command-line tool and not through the AM admin UI. To read the current value:

$ ssoadm get-realm-svc-attrs \
 --adminid uid=amAdmin,ou=People,dc=am,dc=example,dc=com \
 --password-file PATH_TO_PWDFILE \
 --realm REALM \
 --servicename iPlanetAMAuthService

To set it:

$ ssoadm set-realm-svc-attrs \
 --adminid uid=amAdmin,ou=People,dc=am,dc=example,dc=com \
 --password-file PATH_TO_PWDFILE \
 --realm REALM \
 --servicename iPlanetAMAuthService \
 --attributevalues iplanet-am-auth-user-naming-attr=SEARCH_ATTRIBUTE

Account Lockout

The following properties are available under the Account Lockout tab:

Login Failure Lockout Mode

When enabled, AM locks a user's account when the number of failed login attempts reaches the Login Failure Lockout Count by setting the LDAP attribute named in the Lockout Attribute Name property (inetuserstatus by default) to the value in the Lockout Attribute Value property (inactive by default) in the user's profile. This attribute works in conjunction with the other account lockout and notification attributes.

amster attribute: loginFailureLockoutMode

ssoadm attribute: iplanet-am-auth-login-failure-lockout-mode

Login Failure Lockout Count

Defines the number of attempts that a user has to authenticate within the time interval defined in Login Failure Lockout Interval before being locked out.

amster attribute: loginFailureCount

ssoadm attribute: iplanet-am-auth-login-failure-count

Login Failure Lockout Interval

Defines the time in minutes during which failed login attempts are counted. A failed login attempt followed by another failed attempt within this interval increments the lockout count, and the user is locked out when the count reaches the number defined by the Login Failure Lockout Count property. A successful attempt within the interval, before the count reaches that number, resets the lockout count.

amster attribute: loginFailureDuration

ssoadm attribute: iplanet-am-auth-login-failure-duration

Email Address to Send Lockout Notification

Specifies one or more email addresses to which notification is sent if a user lockout occurs.

Separate multiple addresses with spaces, and append |locale|charset to addresses for recipients in non-English locales.

amster attribute: lockoutEmailAddress

ssoadm attribute: iplanet-am-auth-lockout-email-address

Warn User After N Failures

Specifies the number of authentication failures after which AM displays a warning message that the user will be locked out.

ssoadm attribute: iplanet-am-auth-lockout-warn-user

Login Failure Lockout Duration

Defines how many minutes a user must wait after a lockout before attempting to authenticate again. Entering a value greater than 0 enables duration lockout and disables persistent (physical) lockout. Duration lockout means the user’s account is locked for the number of minutes specified. The account is unlocked after the time period has passed.

amster attribute: lockoutDuration

ssoadm attribute: iplanet-am-auth-lockout-duration

Lockout Duration Multiplier

For duration lockout, this attribute defines a multiplier that is applied to the value of the Login Failure Lockout Duration for each successive lockout. For example, if Login Failure Lockout Duration is set to 3 minutes, and the Lockout Duration Multiplier is set to 2, the user is locked out of the account for 6 minutes. After the 6 minutes have elapsed, if the user again provides the wrong credentials, the lockout duration is then 12 minutes. With the Lockout Duration Multiplier, the lockout duration is incrementally increased based on the number of times the user has been locked out.

amster attribute: lockoutDurationMultiplier

ssoadm attribute: sunLockoutDurationMultiplier

Lockout Attribute Name

Defines the LDAP attribute used for physical lockout. The default attribute is inetuserstatus, although the field in the AM admin UI is empty. The Lockout Attribute Value field must also contain an appropriate value.

amster attribute: lockoutAttributeName

ssoadm attribute: iplanet-am-auth-lockout-attribute-name

Lockout Attribute Value

Specifies the action to take on the attribute defined in Lockout Attribute Name. The default value is inactive, although the field in the AM admin UI is empty. The Lockout Attribute Name field must also contain an appropriate value.

amster attribute: lockoutAttributeValue

ssoadm attribute: iplanet-am-auth-lockout-attribute-value

Invalid Attempts Data Attribute Name

Specifies the LDAP attribute used to hold the number of failed authentication attempts towards Login Failure Lockout Count. Although the field appears empty in the AM admin UI, AM stores this data in the sunAMAuthInvalidAttemptsDataAttrName attribute defined in the sunAMAuthAccountLockout objectclass by default.

amster attribute: invalidAttemptsDataAttributeName

ssoadm attribute: sunAMAuthInvalidAttemptsDataAttrName

Store Invalid Attempts in Data Store

When enabled, AM stores the information regarding failed authentication attempts as the value of the Invalid Attempts Data Attribute Name in the user datastore. Information stored includes the number of invalid attempts, the time of the last failed attempt, lockout time and lockout duration. Storing this information in the identity repository allows it to be shared among multiple instances of AM.

Enable this property to track invalid login attempts when using server-side or client-side journey sessions.

amster attribute: storeInvalidAttemptsInDataStore

ssoadm attribute: sunStoreInvalidAttemptsInDS
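
The following model, added here as an example and not PingAM code, traces how the Account Lockout properties described above interact: failures are counted within the Login Failure Lockout Interval, a success before the count is reached resets the count, the Login Failure Lockout Duration decides between duration and persistent lockout, the Lockout Duration Multiplier grows each successive lockout exactly as in the page's 3-minute example, and the per-user record mirrors the data that Store Invalid Attempts in Data Store keeps. Class and field names are my own; times are minutes on an abstract clock. Two points the page leaves open are marked as assumptions in the code: whether the interval is measured from the most recent failure, and when the successive-lockout count resets.

```python
"""Account-lockout policy model (added example, not PingAM code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    failure_count: int = 5         # Login Failure Lockout Count
    failure_interval: int = 5      # Login Failure Lockout Interval (minutes)
    lockout_duration: int = 0      # Login Failure Lockout Duration; 0 = persistent lockout
    duration_multiplier: int = 1   # Lockout Duration Multiplier
    warn_after: int = 0            # Warn User After N Failures; 0 = never warn


@dataclass
class InvalidAttempts:
    """Per-user data as kept by "Store Invalid Attempts in Data Store":
    invalid attempts, time of last failure, lockout time and lockout duration."""
    invalid_count: int = 0
    last_failure: Optional[float] = None
    lockout_time: Optional[float] = None
    lockout_duration: Optional[float] = None   # None while locked = persistent lockout
    lockouts: int = 0                          # successive lockouts, drives the multiplier


@dataclass
class Outcome:
    status: str                            # "success", "failure", "warn" or "locked"
    locked_until: Optional[float] = None   # None when the lockout is persistent


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.users: dict = {}

    def _state(self, user: str) -> InvalidAttempts:
        return self.users.setdefault(user, InvalidAttempts())

    def _locked_until(self, st: InvalidAttempts) -> Optional[float]:
        if st.lockout_time is None or st.lockout_duration is None:
            return None
        return st.lockout_time + st.lockout_duration

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.lockout_time is None:
            return False
        if st.lockout_duration is None:
            return True                       # persistent: stays locked until unlock()
        return now < st.lockout_time + st.lockout_duration

    def unlock(self, user: str) -> None:
        """Administrative unlock; for persistent lockout this is the only way out."""
        self.users[user] = InvalidAttempts()

    def attempt(self, user: str, password_ok: bool, now: float) -> Outcome:
        p, st = self.policy, self._state(user)
        if self.is_locked(user, now):
            return Outcome("locked", self._locked_until(st))
        if st.lockout_time is not None:
            # Duration lockout has expired: the failure count starts over, but the
            # successive-lockout count is kept so the next lockout is multiplied again.
            st.lockout_time = st.lockout_duration = st.last_failure = None
            st.invalid_count = 0
        if password_ok:
            # A success before the count is reached resets the count. Assumption: it
            # also resets the successive-lockout count (the page does not say).
            self.users[user] = InvalidAttempts()
            return Outcome("success")
        # Assumption: the interval window is measured from the most recent failure.
        if st.last_failure is None or now - st.last_failure > p.failure_interval:
            st.invalid_count = 1
        else:
            st.invalid_count += 1
        st.last_failure = now
        if st.invalid_count >= p.failure_count:
            st.lockouts += 1
            st.lockout_time = now
            if p.lockout_duration > 0:
                # Page example: duration 3, multiplier 2 gives 6 minutes, then 12.
                st.lockout_duration = p.lockout_duration * p.duration_multiplier ** st.lockouts
            else:
                st.lockout_duration = None    # persistent (physical) lockout
            return Outcome("locked", self._locked_until(st))
        if p.warn_after and st.invalid_count >= p.warn_after:
            return Outcome("warn")
        return Outcome("failure")
```

Note that a correct password presented during a duration lockout is still answered "locked"; only the clock, or an administrative unlock for persistent lockout, clears the state.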

General

The following properties are available under the General tab:

Default Authentication Locale

Specifies the default language subtype to be used by the Authentication service. The default value is en_US.

amster attribute: locale

ssoadm attribute: iplanet-am-auth-locale

Identity Types

This property was used only for authentication with modules and chains and is no longer documented.

Pluggable User Status Event Classes

This property was used only for authentication with modules and chains and is no longer documented.

Use Client-Side Sessions

When enabled, AM assigns client-side sessions to users authenticating to this realm. Otherwise, users authenticating to this realm are assigned server-side sessions.

Learn more in Introduction to sessions.

amster attribute: statelessSessionsEnabled

ssoadm attribute: openam-auth-stateless-sessions

Two Factor Authentication Mandatory

This property was used only for authentication with modules and chains and is no longer documented.

External Login Page URL

If the authentication user interface is hosted separately from AM, this property specifies the URL of the external login user interface.

When set, AM uses the provided URL as the base of the resume URI instead of using the Base URL Source Service to obtain the base URL.

If authentication is suspended in an authentication tree, AM uses this URL to construct the resume URI.

Find more information about the Base URL Source Service in Configure the Base URL source service.

amster attribute: externalLoginPageUrl

ssoadm attribute: externalLoginPageUrl

Default Authentication Level

This property was used only for authentication with modules and chains and is no longer documented.

Trees

The following properties are available under the Trees tab:

Authentication session state management scheme

Specifies the location where AM stores journey sessions.

Possible values are:

  • CTS. AM stores journey sessions server-side, in the CTS token store.

  • JWT. AM sends the journey session to the client as a JWT.

  • In-Memory. AM stores journey sessions in its memory.

Learn more in Introduction to sessions.

Default: JWT (new installations), In-Memory (after upgrade)

amster attribute: authenticationSessionsStateManagement

ssoadm attribute: openam-auth-authentication-sessions-state-management-scheme

Max duration (minutes)

Specifies the maximum allowed duration of a journey session, including any time spent in the suspended state, in minutes.

Values from 1 to 2147483647 are allowed.

Default: 5

amster attribute: authenticationSessionsMaxDuration

ssoadm attribute: openam-auth-authentication-sessions-max-duration

Suspended authentication duration (minutes)

Specifies the length of time a journey session can be suspended in minutes.

Suspending a journey session allows time for out-of-band authentication methods, such as responding to emailed codes or performing an action on an additional device. The value must be less than or equal to the total time allowed for a journey session, specified in the Max duration (minutes) property.

Values from 1 to 2147483647 are allowed.

Default: 5

ssoadm attribute: suspendedAuthenticationTimeout
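
The checks below, added here as an example and not PingAM code, encode the value formats and limits this page documents for LDAP Connection Pool Size (host:port:minimum:maximum), Default LDAP Connection Pool Size (minimum:maximum, with 10:65 as the production starting point) and the two Trees tab durations (1 to 2147483647 minutes, suspended duration no greater than max duration), so a configuration export can be linted before it is applied. Function names are my own, and lint_core_auth() assumes a plain dict keyed by the amster attribute names, with ldapConnectionPoolSize holding a list of entries.

```python
"""Format and range checks for core authentication values (added example)."""
from typing import Tuple

INT32_MAX = 2147483647
RECOMMENDED_DEFAULT_POOL = (10, 65)   # the page's production starting point


def parse_default_pool_size(value: str) -> Tuple[int, int]:
    """'minimum:maximum' -> (minimum, maximum); rejects malformed or inverted ranges."""
    parts = value.split(":")
    if len(parts) != 2:
        raise ValueError(f"expected minimum:maximum, got {value!r}")
    try:
        minimum, maximum = int(parts[0]), int(parts[1])
    except ValueError:
        raise ValueError(f"non-numeric pool size in {value!r}") from None
    if minimum < 0 or maximum < 1 or maximum < minimum:
        raise ValueError(f"bad range in {value!r}: need 0 <= minimum <= maximum and maximum >= 1")
    return minimum, maximum


def parse_pool_size(value: str) -> Tuple[str, int, int, int]:
    """'host:port:minimum:maximum' -> (host, port, minimum, maximum)."""
    parts = value.split(":")
    if len(parts) != 4 or not parts[0]:
        raise ValueError(f"expected host:port:minimum:maximum, got {value!r}")
    host, port_s, min_s, max_s = parts
    try:
        port = int(port_s)
    except ValueError:
        raise ValueError(f"non-numeric port in {value!r}") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {value!r}")
    minimum, maximum = parse_default_pool_size(f"{min_s}:{max_s}")
    return host, port, minimum, maximum


def check_duration(name: str, value) -> int:
    """Trees tab durations accept integers from 1 to 2147483647 minutes."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= INT32_MAX:
        raise ValueError(f"{name} must be an integer from 1 to {INT32_MAX}, got {value!r}")
    return value


def check_tree_durations(max_duration, suspended_duration) -> None:
    """Suspended duration must not exceed the journey session's max duration."""
    max_d = check_duration("authenticationSessionsMaxDuration", max_duration)
    susp = check_duration("suspendedAuthenticationTimeout", suspended_duration)
    if susp > max_d:
        raise ValueError(f"suspendedAuthenticationTimeout ({susp}) must not exceed "
                         f"authenticationSessionsMaxDuration ({max_d})")


def lint_core_auth(attrs: dict) -> list:
    """Return the problems found (empty list when every documented constraint holds).
    Input layout is assumed: amster attribute names as keys, pool sizes as a list."""
    problems = []
    for entry in attrs.get("ldapConnectionPoolSize", []):
        try:
            parse_pool_size(entry)
        except ValueError as exc:
            problems.append(f"ldapConnectionPoolSize: {exc}")
    default_size = attrs.get("ldapConnectionPoolDefaultSize")
    if default_size is not None:
        try:
            _, maximum = parse_default_pool_size(default_size)
            if maximum < RECOMMENDED_DEFAULT_POOL[1]:
                problems.append(f"advisory: ldapConnectionPoolDefaultSize {default_size} "
                                f"is below the documented production starting point 10:65")
        except ValueError as exc:
            problems.append(f"ldapConnectionPoolDefaultSize: {exc}")
    names = ("authenticationSessionsMaxDuration", "suspendedAuthenticationTimeout")
    present = {n: attrs[n] for n in names if n in attrs}
    try:
        if len(present) == 2:
            check_tree_durations(present[names[0]], present[names[1]])
        else:
            for name, value in present.items():
                check_duration(name, value)
    except ValueError as exc:
        problems.append(str(exc))
    return problems
```

The advisory for a small default pool is deliberately not an error: the page gives 10:65 as a tuning starting point, not a hard limit.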

Enable Allowlisting

When enabled, AM allowlists journey sessions to protect them against replay attacks.

Default: Disabled

amster attribute: authenticationSessionsWhitelist

ssoadm attribute: openam-auth-authentication-sessions-whitelist

Stops sending tokenId

When HttpOnly session cookies are enabled and a client calls the /json/authenticate endpoint with a valid SSO token, AM returns an empty tokenId field.

Disable this property to have AM send a valid token ID in this scenario.

For security reasons, you should leave this property enabled. If you have migrated an existing deployment, adjust your clients to expect an empty token ID, then enable this property.

Default: Enabled

amster attribute: authenticationTreeCookieHttpOnly

ssoadm attribute: authenticationTreeCookieHttpOnly

Security

The following properties are available under the Security tab:

Module Based Authentication

This property was used only for authentication with modules and chains and is no longer documented.

Persistent Cookie Encryption Certificate Alias

Specifies the key pair alias in the AM keystore to use for encrypting persistent cookies.

This property is deprecated. Use the rotatable secret mapping am.authentication.nodes.persistentcookie.encryption instead.

If AM finds a matching secret in the secret store for am.authentication.nodes.persistentcookie.encryption, this alias is ignored.

Learn more about rotating secrets in Map and rotate secrets.

Default: test

amster attribute: keyAlias

ssoadm attribute: iplanet-am-auth-key-alias

Zero Page Login

This property was used only for authentication with modules and chains and is no longer documented.

Zero Page Login Referer Allowlist

This property was used only for authentication with modules and chains and is no longer documented.

Zero Page Login Allowed Without Referer?

This property was used only for authentication with modules and chains and is no longer documented.

Add clear-site-data Header on Logout

When enabled, AM adds the Clear-Site-Data header to successful logout responses. The header instructs the browser to delete site data on logout; the directives sent are cache, cookies, storage, and executionContexts.

Default: true (enabled)

amster attribute: addClearSiteDataHeader

Organization Authentication Signing Secret

The HMAC shared secret for signing RESTful authentication requests. This secret should be Base64 encoded and at least 128 bits in length. By default, a cryptographically secure, random value is generated.

When users attempt to authenticate to the UI, AM uses this secret to sign a JSON Web Token (JWT). The JWT contains the journey session ID, realm, and authentication index type value, but doesn’t contain the user’s credentials.

  • This configuration property is deprecated and will be removed in a future release.

    If you’re using a secret store of type Keystore, HSM, Google KMS, or Google Secret Manager, map the am.authn.authid.signing.HMAC secret label to a secret instead. If you map this secret label and set the configuration property, the mapped secret takes precedence.

  • You can map multiple secrets to the am.authn.authid.signing.HMAC secret label to enable secret rotation.

    AM signs the authentication token with the active secret but checks all mapped secrets when verifying the authentication token signature. Therefore, if you rotate the active secret while an authentication request is in progress, the returned authentication token can still be verified.

    If you delete the secret that was used to sign an authentication token, the authID returned in the authentication request can’t be verified and authentication fails.

amster attribute: sharedSecret

ssoadm attribute: iplanet-am-auth-hmac-signing-shared-secret
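
To make the rotation behaviour described above concrete, here is an added example (not PingAM code) of an HMAC-signed authentication token: a Base64-encoded secret of at least 128 bits signs a JWT carrying the journey session ID, realm and authentication index type but never the credentials; verification tries every mapped secret, so a token signed before a rotation still verifies while the old secret remains mapped, and fails once that secret is deleted. The JWT claim names and all function names are my own; the page doesn't document AM's actual authId layout, and in AM itself the secret should be mapped to the am.authn.authid.signing.HMAC label rather than set through the deprecated property.

```python
"""HMAC-signed authentication token with secret rotation (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import List, Optional

MIN_SECRET_BITS = 128


def generate_signing_secret(nbytes: int = 32) -> str:
    """Cryptographically secure random secret, Base64 encoded (256 bits by default)."""
    if nbytes * 8 < MIN_SECRET_BITS:
        raise ValueError("signing secret must be at least 128 bits")
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def decode_secret(b64_secret: str) -> bytes:
    """Decode a configured secret and enforce the documented 128-bit minimum."""
    key = base64.b64decode(b64_secret, validate=True)
    if len(key) * 8 < MIN_SECRET_BITS:
        raise ValueError("signing secret must be at least 128 bits")
    return key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_auth_id(active_secret: str, journey_session_id: str, realm: str,
                 auth_index_type: str) -> str:
    """Sign with the active secret only. Claim names are assumed, not AM's own."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sessionId": journey_session_id, "realm": realm,
               "authIndexType": auth_index_type}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    tag = hmac.new(decode_secret(active_secret), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_auth_id(mapped_secrets: List[str], token: str) -> Optional[dict]:
    """Accept the token if any mapped secret verifies it; return its claims, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        tag = _b64url_decode(s)
    except ValueError:          # wrong segment count, bad Base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None             # pin the algorithm; never trust the token's choice
    signing_input = f"{h}.{p}".encode()
    for secret in mapped_secrets:
        expected = hmac.new(decode_secret(secret), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return json.loads(_b64url_decode(p))
    return None
```

Signing uses only the active secret; verification loops over all mapped secrets with a constant-time comparison, which is what allows the overlap period during a rotation.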

Post Authentication Processing

The following properties are available under the Post Authentication Processing tab:

Default Success Login URL

Accepts a list of values that specifies where users are directed after successful authentication. The format of this attribute is client-type|URL, although the only value you can specify at this time is a URL, which assumes the client type HTML. The default value is /am/console. Values that don't start with a scheme (http or https) are appended to the deployment URI.

amster attribute: loginSuccessUrl

ssoadm attribute: iplanet-am-auth-login-success-url

Default Failure Login URL

Accepts a list of values that specifies where users are directed after authentication has failed. The format of this attribute is client-type|URL, although the only value you can specify at this time is a URL, which assumes the client type HTML. Values that don't start with a scheme (http or https) are appended to the deployment URI.

amster attribute: loginFailureUrl

ssoadm attribute: iplanet-am-auth-login-failure-url

Authentication Post Processing Classes

This property was used only for authentication with modules and chains and is no longer documented.

Generate UserID Mode

This property was used only for authentication with modules and chains and is no longer documented.

Pluggable User Name Generator Class

This property was used only for authentication with modules and chains and is no longer documented.

User Attribute Mapping to Session Attribute

This property was used only for authentication with modules and chains and is no longer documented.