PingAM 8.0.0

Step 5. Authenticate to AM

After you’ve completed Step 4. Configure AM, you can use the myAuthTree you created to authenticate bjensen in the alpha realm.

To test your authentication tree in a web browser, go to a URL similar to the following:

http://am.example.com:8080/am/XUI/?realm=/alpha&service=myAuthTree#login

Use the correct FQDN, port number, and deployment path for your environment. Also make sure you use the correct authentication tree name and realm. In the example above, the tree is named myAuthTree and the realm is called alpha.

Log in as bjensen, with the password Ch4ng31t.

On successful login, AM creates a cookie named iPlanetDirectoryPro in your browser for your domain; for example, example.com. That cookie is then available to all servers in the example.com domain, such as am.example.com.

If you examine this cookie, you see that it has a value such as AQI5wM2L...*AAJTS.... This is the SSO token value. The value is an encrypted reference to the session that is stored only by AM. Only AM can determine whether you are actually logged in, or whether the authenticated session is no longer valid, and you need to reauthenticate.

The AM authenticated session is used for SSO. When the browser presents the cookie to a server in the domain, the agent on the server can check with AM using the SSO Token as a reference to the session. This lets AM make policy decisions based on who is authenticated, or prompt for additional authentication, if necessary.

Your authenticated session can end in a few ways. For example, when examining the cookie in your browser, you should notice that it expires when the browser session ends (when you shut down your browser). Alternatively, you can log out of AM explicitly.
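To check the two cookie properties described above (it is scoped to the whole domain, and it lasts only for the browser session), you can inspect the `Set-Cookie` header that the login response returns. The following is an added example, not part of the PingAM documentation: the header is constructed, the token is a placeholder, the host list is hypothetical, and the attributes your deployment sends may differ.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie header; the value is a placeholder, not a real SSO token.
SAMPLE_SET_COOKIE = (
    "iPlanetDirectoryPro=PLACEHOLDER-TOKEN; Path=/; Domain=example.com; HttpOnly"
)

def describe_cookie(set_cookie, name="iPlanetDirectoryPro"):
    """Summarise the attributes that decide where and how long a browser keeps the cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar[name]
    return {
        "domain": morsel["domain"].lstrip(".").lower(),
        "path": morsel["path"] or "/",
        # No Expires and no Max-Age means a session cookie: dropped when the browser closes.
        "session_cookie": not (morsel["expires"] or morsel["max-age"]),
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }

def host_receives(cookie_domain, host):
    """RFC 6265 domain matching: the cookie domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def review(set_cookie, hosts, https=False):
    """Return the parsed attributes, the hosts that get the token, and any findings."""
    info = describe_cookie(set_cookie)
    findings = []
    if not info["session_cookie"]:
        findings.append("cookie persists after the browser closes")
    if not info["httponly"]:
        findings.append("HttpOnly missing: page scripts can read the SSO token")
    if https and not info["secure"]:
        findings.append("Secure missing on an HTTPS deployment")
    recipients = [h for h in hosts if host_receives(info["domain"], h)]
    return info, recipients, findings

if __name__ == "__main__":
    # Hypothetical hosts; only those inside example.com are sent the cookie.
    hosts = ["am.example.com", "app.example.com", "example.com",
             "example.org", "badexample.com"]
    info, recipients, findings = review(SAMPLE_SET_COOKIE, hosts)
    print(info)
    print("sent to:", recipients)
    print("findings:", findings or "none")
```

Every host in the recipient list is sent the SSO token on each request, so the list should contain only servers you trust to handle it.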

Authenticated sessions can also expire. AM sets two limits: one that causes your authenticated session to expire if it remains inactive for a configurable period of time (default: 30 minutes), and another that caps the authenticated session lifetime (default: 2 hours).

Congratulations on authenticating your first user with AM!

See what else AM can do for you by reading Next steps.