appendix-auth-modules.adoc

Appendix A: Authentication and Session Module Configuration Details

This appendix includes configuration details for authentication modules described here: "Supported Authentication and Session Modules".

Authentication modules, as configured in the authentication.json file, include a number of properties. Except for the "OPENAM_SESSION Module Configuration Options", Those properties are listed in the following tables:

Session Module

Authentication Property	Property as Listed in the Admin UI	Description
keyAlias	(not shown)	Used by the Jetty Web server to service SSL requests.
privateKeyPassword	(not shown)	Defaults to openidm.keystore.password in boot.properties.
keystoreType	(not shown)	Defaults to openidm.keystore.type in boot.properties.
keystoreFile	(not shown)	Defaults to openidm.keystore.location in boot.properties.
keystorePassword	(not shown)	Defaults to openidm.keystore.password in boot.properties
maxTokenLifeMinutes	Max Token Life (in seconds)	Maximum time before a session is cancelled. Note the different units for the property and the UI.
tokenIdleTimeMinutes	Token Idle Time (in seconds)	Maximum time before an idle session is cancelled. Note the different units for the property and the UI.
sessionOnly	Session Only	Whether the session continues after browser restarts.

Static User Module

Authentication Property	Property as Listed in the Admin UI	Description
enabled	Module Enabled	Does OpenIDM use the module
queryOnResource	Query on Resource	Endpoint hard coded to user anonymous
username	Static User Name	Default for the static user, anonymous
password	Static User Password	Default for the static user, anonymous
defaultUserRoles	Static User Role	Normally set to openidm-reg for self-registration

The following table applies to several authentication modules:

• Managed User

• Internal User

• Client Cert

• Passthrough

• IWA The IWA module includes several Kerberos-related properties listed at the end of the table.

Common Module Properties

Authentication Property	Property as Listed in the Admin UI	Description
enabled	Module Enabled	Does OpenIDM use the module
queryOnResource	Query on Resource	Endpoint to query
queryId	Use Query ID	A defined queryId searches against the queryOnResource endpoint. An undefined queryId against queryOnResource with action=reauthenticate
defaultUserRoles	Default User Roles	Normally blank for managed users
authenticationId	Authentication ID	Defines how account credentials are derived from a queryOnResource endpoint
userCredential	User Credential	Defines how account credentials are derived from a queryOnResource endpoint
userRoles	User Roles	Defines how account roles are derived from a queryOnResource endpoint
groupMembership	Group Membership	Provides more information for calculated roles
groupRoleMapping	Group Role Mapping	Provides more information for calculated roles
groupComparisonMethod	Group Comparison Method	Provides more information for calculated roles
managedUserLink	Managed User Link	Applicable mapping (Passthrough module only)
augmentSecurityContext	Augment Security Context	Includes a script that is executed only after a successful authentication request.
servicePrincipal	Kerberos Service Principal	(IWA only) For more information, see "Configuring IWA Authentication"
keytabFileName	Keytab File Name	(IWA only) For more information, see "Configuring IWA Authentication"
kerberosRealm	Kerberos Realm	(IWA only) For more information, see "Configuring IWA Authentication"
kerberosServerName	Kerberos Server Name	(IWA only) For more information, see "Configuring IWA Authentication"

OPENAM_SESSION Module Configuration Options

The OPENAM_SESSION module uses OpenAM authentication to protect an OpenIDM deployment.

The options shown in the screen are subdivided into basic and advanced properties. You may need to click Advanced Properties to review those details.

The following table describes the label that you see in the Admin UI, the default value (if any), a brief description, and the associated configuration file. If you need the property name, look at the configuration file.

The default values shown depict what you see if you use the OPENAM_SESSION module with the Full Stack Sample. For more information, see "Full Stack Sample - Using OpenIDM in the Open Identity Platform" in the Samples Guide.

OPENAM_SESSION Module Basic Properties

Admin UI Label	Default	Description	Configuration File
Module Enabled	false	Whether to enable the module	authentication.json
Route to OpenAM User Datastore	system/ldap/account	External repository with OpenAM Data Store Information	authentication.json
OpenAM Deployment URL	blank	FQDN of the deployed instance of OpenAM	authentication.json
Require OpenAM Authentication	false	Whether to make the OpenIDM UI redirect users to OpenAM for authentication	ui-configuration.json

OPENAM_SESSION Module Advanced Properties

Admin UI Label	Default	Description	Configuration File
OpenAM Login URL	http://example.com:8081/XUI/#login/	FQDN of the login endpoint of the deployed instance of OpenAM	ui-configuration.json
OpenAM Login Link Text	Login with OpenAM	UI text that links to OpenAM	ui-configuration.json
Default User Roles	openidm-authorized	OpenIDM assigns such roles to the security context of a user	authentication.json
OpenAM User Attribute	uid	User identifier for the OpenAM data store	authentication.json
Authentication ID	uid	User identifier	authentication.json
User Credential	blank	Credential, sometimes a password	authentication.json
User Roles or Group Membership	Select an option	For an explanation, see "Common Module Properties".	authentication.json
Group Membership (if selected)	ldapGroups	Group Membership	authentication.json
Role Name	openidm-admin	Default role for the user, normally a group role mapping	authentication.json
Group Mappings	cn=idmAdmins,ou=Groups,dc=example,dc=com	Mapping from a user to a LDAP entry	authentication.json
TruststorePath Property Name	truststorePath	File path to the OpenIDM truststore	authentication.json
TruststorePath Property Type	security/truststore	Truststore file location, relative to /path/to/openidm	authentication.json (from boot.properties)
Augment Security Context	Javascript	Supports Javascript or Groovy	authentication.json
File Path	auth/populateAsManagedUser.js	Path to security context script, in the /path/to/openidm/bin/defaults/script subdirectory	authentication.json

In general, if you add a custom property, the Admin UI writes changes to the authentication.json or ui-configuration.json files.

OAUTH Module Configuration Options

The OAUTH module authenticates users via a generic OAuth 2.0 provider. It validates an OAuth 2.0 access_token by calling the provider’s userinfo_endpoint. For more information, see "OAUTH".

The options shown in the Admin UI are subdivided into basic and advanced properties. You may need to click Advanced Properties to review those details.

OAUTH Module Basic Properties

Admin UI Label	Default	Description	Configuration File
Module Enabled	false	Whether to enable the module	authentication.json
Client ID	blank	OAuth 2.0 client ID registered with the provider (resolvers[].client_id)	authentication.json
Client Secret	blank	OAuth 2.0 client secret registered with the provider (resolvers[].client_secret)	authentication.json
Scope	blank	OAuth 2.0 scopes needed to access provider APIs (resolvers[].scope)	authentication.json
Authorization Endpoint	https://openam.example.com/openam/oauth2/authorize	Provider’s authorization endpoint URL (resolvers[].authorization_endpoint)	authentication.json
Token Endpoint	https://openam.example.com/openam/oauth2/access_token	Provider’s token endpoint URL (resolvers[].token_endpoint)	authentication.json
User Info Endpoint	https://openam.example.com/openam/oauth2/userinfo	Provider’s userinfo endpoint URL (resolvers[].userinfo_endpoint). The access token is validated by calling this endpoint.	authentication.json
Authentication ID attribute for the User ID	sub	Attribute name in the provider’s userinfo response that contains the user identifier (resolvers[].authenticationId)	authentication.json
Sign-In Button HTML	(HTML button markup)	HTML markup for the social login button displayed in the UI (resolvers[].icon)	authentication.json
Query on Resource	managed/user	Managed object endpoint to query after the token is validated against the provider (queryOnResource)	authentication.json
Default User Roles	openidm-authorized	Roles assigned to all users who authenticate successfully through this module (defaultUserRoles)	authentication.json
Authentication ID	userName	Attribute in the managed object used as the authentication identifier when querying the resource (propertyMapping.authenticationId)	authentication.json
Method for Determining Roles	User Roles Property	How roles are determined for the authenticated user (propertyMapping)	authentication.json
User Roles Property	authzRoles	Attribute in the managed object used for authorization roles (propertyMapping.userRoles)	authentication.json

OAUTH Module Advanced Properties

Admin UI Label	Default	Description	Configuration File
Use Query ID	blank	A defined queryId used to search against the queryOnResource endpoint (queryId)	authentication.json
OAuth Token Header	authToken	Name of the HTTP request header that carries the OAuth 2.0 access token (authTokenHeader). This header is required; authentication fails if it is absent.	authentication.json
OAuth Resolver Header	provider	Name of the HTTP request header that identifies the provider resolver to use (authResolverHeader). The value must match the resolver name.	authentication.json
Augment Security Context	JavaScript	Type of script executed after a successful authentication request (augmentSecurityContext). Supports JavaScript or Groovy.	authentication.json