Service Endpoints

Supports debug logging by service. For more information, see "Debug Logging By Service" in the Administration Guide

Enables access to a page that encodes text passwords. The algorithm is based on PBEWithMD5AndDES, password-based encryption (PBE) using the MD5 message-digest algorithm, configured with the data encryption standard (DES)

Supports requests for server information. As getServerInfo.jsp is encoded in some .java files, you should retain getServerInfo.jsp in your deployment.

Verifies the current status of the OpenAM service; the "Server is ALIVE:" message also verifies activity on OpenAM systems behind load balancers. This can be a useful tool in a production environment.

Supports access to a remote identity provider, through the federation broker.

Lists active services within OpenAM. The details shown on this page can be used with the ssoadm command to create a second OpenAM server with matching services. Be aware, the amadmin administrative user is hard-coded into this file. If you change the identity of the administrative user to something other than amadmin, that user will not have access to services.jsp.

Specifies configuration information for the system, including the URL, the OS, the Java VM, the configuration directory, and more.

Supports GUI-based access to the options associated with the ssoadm command. The ssoadm.jsp file is disabled by default. Instructions for enabling this feature are available in "OpenAM ssoadm.jsp" in the Administration Guide

May be called by the validator.jsp or validatorMain.jsp files, to display progress in verifying the status of federation.

Refers to the ValidateSAML2 function to identify the realm, IdP and SP for the federation.

Starts an "Authentication Failed" message.

Incorporates a "Back to Login" button in validatorMain.jsp.

Opens a "Connectivity Test Results" window, specifying the status of a federation circle of trust. Tests relate to IdP authentication, SP authentication, account linking, single log out, single sign on, and account unlinking.

Adds information to validator.jsp and validatorMain.jsp with federation status information as it relates to the currently configured circle of trust.

The only endpoint in the com_sun_web_ui/jsp/datetime subdirectory. May be a legacy endpoint; it calls a DateTimeWindowViewBean class; the corresponding .java file does not exist in the current trunk.

One of two endpoints in the com_sun_web_ui/jsp/help subdirectory. May be a legacy endpoint; it calls a HelpViewBean class; the corresponding .java file does not exist in the current trunk.

One of two endpoints in the com_sun_web_ui/jsp/help, com_sun_web_ui/jsp/help2, and com_sun_web_ui/jsp/version subdirectories, in slightly different formats. May be a legacy endpoint; it calls a MastheadViewBean class; the Masthead.jsp file and the corresponding MastheadViewBean.java were last changed in 2004. (However, the Masthead.jsp file in the com_sun_web_ui/jsp/version subdirectory includes a VersionViewBean.java file that is used by the Version.jsp endpoint used in the console/base subdirectory.

Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a ButtonNavViewBean class; the associated .java file no longer exists in the trunk.

Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a Help2ViewBean class; the associated .java file no longer exists in the trunk.

Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a Help2ViewBean class; the associated .java file no longer exists in the trunk.

Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a Help2ViewBean class; the associated .java file no longer exists in the trunk.

Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a NavigatorViewBean class; the associated .java file no longer exists in the trunk.

Specifies an endpoint in the com_sun_web_ui/jsp/table directory.

Specifies an endpoint in the com_sun_web_ui/jsp/table directory. Points to a TableViewBean class; the associated .java file no longer exists in the trunk.

Points to an endpoint in the com_sun_web_ui/jsp/wizard subdirectory. Points to a WizardWindowViewBean class, which appears to be unused by any other .jsp file.

Specifies an error page for account expiration. The message displayed to the user can be modified in the amAuthUI.properties file.

Option to Exception.jsp; called if there is an existing resource bundle, as specified in AuthExceptionViewBean.java.

Specifies an error page for authentication errors. The message displayed to the user can be modified in the amAuthUI.properties file.

Associated with the self-registration module, which can be configured in the OpenAM Console, under Realms > Realm Name > Authentication > Modules. The default disclaimer is associated with the disclaimer.notice parameter, defined in the amAuthUI.properties file.

Associated with the self-registration module, which can be configured in the OpenAM Console, under Realm > Realm Name > Authentication > Modules. The default disclaimer_denied message is associated with the disclaimer.declined parameter, defined in the amAuthUI.properties file.

Includes the following error message: "Authentication Service is not initialized." Cited by several other .java files in the code, so it should not be removed in a secure deployment..

Used to specify an issue with the authentication level. The default invalidauthlevel and contactadmin messages can be redefined in the amAuthUI.properties file.

Displays a "No such Organization found" message when a domain is not defined in the OpenAM database. Refers to the nosuch.domain parameter in the amAuthUI.properties file.

Defines the response of OpenAM to a user who enters an undefined profile. Uses the userhasnosuchprofile.org and contactadmin parameters in the amAuthUI.properties file.

Provides a message in the event of a login failure. The message uses the auth.failed parameter in the amAuthUI.properties file.

Specifies a regular authentication template. As noted in "Securing OpenAM Administration" in the Administration Guide, the Login.jsp file may be customized for different deployments.

The Logout.jsp file may also be customized for different deployments.

Specifies the message given to users when the number of sessions has hit the preconfigured limit. The default is 5000, defined in the OpenAM console under Configure > Server Defaults > Session. The message uses the session.max.limit parameter defined in the amAuthUI.properties file.

Specifies information for the page associated with the self-registration module.

Calls text messages related to the authentication process.

Includes a message to a target user that he does not have access to a specified module. The message uses the authmodule.denied parameter defined in the amAuthUI.properties file.

Adds a page which can be used to help customize appropriate modules.

Includes a warning when a user is trying to access a different realm. The message uses the newOrg.agree parameter, as defined in the amAuthUI.properties file.

Specifies the lack of a defined configuration module. The message uses the noconfig.found parameter, defined in the amAuthUI.properties file.

Shows a default template for entering an activation code. Used by OAuth.xml for password changes. As this file is not configured for OAuth2, the file is deprecated and may be removed from a future release.

Displays a password change screen, with an option for terms and conditions of service. As this file is not configured for OAuth2, it is deprecated and may be removed from a future release.

Transmits the message that the target organization is not active in the OpenAM database.

Specifies the message that is sent when there’s a failure in the use of the self-registration module. Associated with the profile.error parameter, defined in the amAuthUI.properties file.

Notes a file used by other code to redirect users for events such as login failures.

Identifies the page with the self-registration template.

Adds a message to a user when a session has gone past its allocated login time. Uses the session.timeout parameter, defined in the amAuthUI.properties file.

Associated with role-based authentication. Tells a user when the required role has not been configured for that user. The message is defined by the user.not.inrole parameter, which is defined in the amAuthUI.properties file.

Identifies a message sent to a user that is not currently active in the database. The message is defined by the usernot.active parameter, as shown in the amAuthUI.properties file.

Supports a non-blank page for cross-domain single sign-ons; associated with a Cross-Domain Controller (CDC) servlet.

Supports links to login pages of trusted identity providers.

Sets up an error message, using the com.sun.liberty.LibertyManager interface.

Supports a connection to providers that can be configured in a federation.

Specifies the status of a federation request; the default response is either "The user has cancelled account federation." or "Federation has been successfully completed with the remote provider."

Sets up code that you can use to include a custom footer on all pages.

Sets up code that you can use to include a custom header on all pages; the default version is configured with the OpenAM logo.

When a service provider (SP) belongs to more than one COT, this page prompts the user to select a preferred identity provider (IDP).

Specifies success or failure during a logout operation. Where a user has an account on multiple providers, he may see the following message: "Unable to log the user out from one or more providers where the user may still have active sessions."

Supports registration with a new remote provider. This endpoint is associated with NameRegistrationDone.jsp.

Displays different messages based on a registration attempt with a remote provider. The message varies depending on whether the request was successful, a failure, or cancelled.

Supports defederation from an existing remote provider; goes with TerminationDone.jsp.

Displays different messages based on a defederation attempt with a remote provider. The message varies depending on whether the request was successful, a failure, or cancelled.

Includes a newly created web agent for a specified realm. The AgentAdd page appears in the OpenAM console after an agent is added to a realm.

Allows an administrator to review default settings for the agent, as configured in the Inheritance Settings page. Inheritance assumes that agent is part of a previously configured group. To access Inheritance Settings, refer to the "Creating Agent Profiles" in the Administration Guide.

Displays information about the current configuration of an agent or an agent group, and how it might be exported.

Includes a newly created agent group for common web agents within a specified realm. The AgentGroupAdd page appears in the OpenAM console after an agent group is added to a realm.

Supports the display of agents that are members of a specified agent group.

Enables access to a form to specify a new agent to add. The same form is used for every category of new agents configured from the OpenAM console, when you navigate to Realms > Realm Name > Agents.

A template that the OpenAM console uses when it builds pages for editing agent properties.

Per comments in the HomeViewBean, this file should forward requests for other agents.

Specifies an element used by endpoints triggered from the OpenAM console’s Common Tasks tab, including the ConfigureGoogleApps.jsp and ConfigureSalesForceApps.jsp endpoints.

Provides functionality used for file uploading. This JSP is used for uploading:

Part of the creation of a New Authentication Chain; associated with the Authentication Chaining section of the Authentication tab for a realm.

Specifies properties that might be configured under the authentication tab for a specific or top-level realm.

Associated with the Core section of the Authentication tab of a specific or the top-level realm. Includes options for Realm Attributes, Account Lockout, and Post Authentication Processing.

Supports changes to Module Instances, under the Authentication tab of a specific or the top-level realm.

Associated with the creation of a New Authentication Chain, an option available from the Authentication Chaining section of the Authentication tab.

Supports the implementation of a new authentication module, available from the Module Instances section of the Authentication tab.

Supports a change in sequence of authentication criteria; to access, select an existing Authentication Chaining service under the Authentication tab for a specified realm.

Supports uploading a script when configuring a scripted authentication module.

Defaults to the opening page for the OpenAM console.

Provides an "Invalid URL" error message.

Redirects users to the default login page; assumes no user is currently logged into OpenAM.

Endpoint that either returns success of a post or an "Invalid or Missing Input" error.

Default uncaught exception error message endpoint: "An error occurred while processing this request. Contact your administrator."

Displays a "You’re logged in" information message.

Endpoint that closes existing windows.

Specifies a template endpoint used for messages.

Specifies current version information, copyright notice, and licensing.

Associated with the privileges for a realm. The privileges can be assigned for different groups of users, as configured via Realms > Realm Name > Subjects > Group.

Supports changes in properties for group privileges, described in the Delegation.jsp endpoint. To get to these properties, select Realms > Realm Name > Privileges > Group Name.

When you create a Circle of Trust (COT) via Federation > New, you can access the COT Configuration window. You can then access all configured COTs.

Used when creating a new entity provider, configured with the SAML2 protocol.

Associated with an edit of a COT; to access, select a previously configured COT.

Opened when you configure a new Trusted Partner under the SAML v1.x Configuration section.

Associated with FSSAMLServiceViewBean, which is used by a number of other JSP files in the console/federation subdirectory.

Associated with the FSSAMLSetTrustedPartnersEdit.jsp file; used when you select a configured SAML v1.x Configuration trusted partner.

Supports the addition of a Site ID for a SAML-configured partner.

Supports the modification of a Site ID for a SAML-configured partner.

Includes a new POST to a specified URL.

Supports editing of a POST to a specified URL.

Called when you create a new "trusted partner" in the SAML v1.x Configuration area of the Federation window.

Called when you edit an existing "trusted partner" in the SAML v1.x Configuration area of the Federation window.

Cited when you click New in the "Circle of Trust" section of the Federation window.

Called by the ImportEntity.jsp file, to support uploads of metadata files associated with a previously configured entity provider.

Specifies an IDFF affiliate in a COT.

Includes general parameters associated with an IDFF affiliate in a COT. The corresponding IDFFGeneralViewBean parameter is cited only in this and the IDFFGeneralViewBean.java files.

Associated with the Identity Provider (IDP) for IDFF.

Associated with the Service Provider (SP) for IDFF.

Supports the import of pre-existing metadata files which define an entity provider. Allows you to import metadata from a URL to a desired Realm.

Enables a view of SAML version 2 affiliates.

Associated with an IDP acting as an attribute authority.

Supports queries and saves of SAML2 attribute metadata.

Enables communication with an IDP acting as an authentication authority.

Identifies general properties of a SAML version 2 affiliate.

Supports the configuration of advanced properties for a SAML v2.0 IDP.

Associated with the Assertion Content tab, accessible when you select Federation > Entity Providers > Provider Name.

Associated with the Assertion Processing tab, accessible when you select Federation > Entity Providers > Provider Name.

Supports the configuration of IDP service properties for a SAML2 provider.

Enables the configuration of a SAML v2.0-based Policy Decision Point (PDP).

Enables the configuration of a SAML v2.0-based Policy Enforcement Point (PEP).

Supports the configuration of advanced properties for a SP. Accessible when you select Federation > Entity Providers > Provider Name > SP > Advanced.

Associated with the Assertion Content tab; supports the configuration of such for SPs; It is accessible when you select Federation > Entity Providers > Provider Name > SP > Assertion Content.

Associated with the Assertion Content tab; supports the configuration of assertion processing-related properties for SPs. It is accessible when you select Federation > Entity Providers > Provider Name > SP > Assertion Processing.

Supports the configuration of services-related properties for an SP. It is accessible when you select Federation > Entity Providers > Provider Name > SP > Services.

Associated with the configuration of a legacy WS-Federation entity provider.

Supports the configuration of an IDP under WS-Federation.

Supports the configuration of an SP under WS-Federation.

Accesses the information page for the currently logged in user.

Opens the list of currently configured users, available via Realms > Realm Name > Subjects.

Used when adding a new user or group.

Associated with the Discovery Service. To access that service, select a non-administrative user and select the Services tab. The EntityDiscoveryDescriptionAdd.jsp file is used when selecting a new Security Mechanism ID as a Service Description as a new Discovery Resource Offering.

Associated with an edit of an existing Security Mechanism ID.

Called when saving changes to an existing user.

Lists the members of a configured group.

Lists the members of a configured group based on some filter.

Accessed when a regular user is made a member of a previously configured group.

Supports custom resource offering entries for a previously configured user. Also used when accessing the UMUserResourceOffering.jsp file.

Supports entries of new resource offerings for a previously configured user. Also used when accessing the UMUserResourceOfferingAdd.jsp file.

Supports edits of existing resource offerings for a previously configured user. Also used when accessing the UMUserResourceOfferingEdit.jsp file.

Supports a new service for a specific user. As of this writing, available services are: Dashboard, Discovery Service, Liberty Personal Profile Service, and Session.

Opens a list of currently configured users.

Accessible after adding a new service for a currently configured user; associated with the EntityServices.jsp file.

Accessible for editing services associated with a currently configured user.

Used if a configured organization has no available attributes.

Opened when adding a service for a specific user.

Associated with the main Access Control page in the legacy OpenAM console, which lists configured realms. If you call realm/HomePage.jsp directly, it cites messages associated with changes for a specific user, and functions more closely associated with JSP endpoints in the console/idm subdirectory.

Enables links with directory server data stores within a realm. To access, select Realms > Realm Name > Data Stores > New. You should see a variety of supported directory server data stores, such as Active Directory, OpenDJ, and Tivoli Directory Server.

Appears when you add a data store; associated with the IDRepo.jsp service endpoint.

Appears when you edit an existing data store; associated with the IDRepo.jsp service endpoint.

Includes a list of supported data stores, from Active Directory to OpenDJ; associated with the IDRepo.jsp service endpoint.

Supports the configuration of a new realm, or editing of an existing realm.

Supports the addition of a new realm; associated with the `RMRealm.jsp`service endpoint.

Supports a new description for a realm; associated with the RealmResourceOffering.jsp service endpoint.

Supports an edited description; associated with the RealmResourceOffering.jsp service endpoint.

Works with the pages that allow you to edit an existing realm.

Supports the configuration of a security mechanism to a new realm resource offering. Requires the configuration of the discovery service, and the configuration of a directory resource offering for the specified realm.

Supports the addition of a security mechanism to a new realm resource offering. Requires the configuration of the discovery service, and the configuration of a directory resource offering for the specified realm.

Supports the editing of a security mechanism for an existing realm resource offering. Requires the configuration of the discovery service, and the configuration of a directory resource offering for the specified realm.

Supports the configuration of a service within a specified realm.

Supports the addition of a service to a specified realm; available services to add include Administration, Dashboard, Discovery, Globalization Settings, OAuth2 Provider, Password Reset, Session, and User.

If a desired service is not compatible with directory data available from an organization, it is rejected.

Supports the editing of an existing service; associated with the Services.jsp endpoint.

Supports the editing of an existing service; called if the attribute cannot be found or changed.

Implements step 1 of the addition of a new service; associated with the Services.jsp endpoint.

Supports the configuration of a new character set alias. Accessible from the Configure > Global Services > Console > Globalization Settings > Charset Aliases submenu.

Supports the editing of an existing character set alias. Accessible from the Configure > Global Services > Console > Globalization Settings > Charset Aliases submenu.

Supports the configuration of a new character set supported by a locale. Accessible from the Configure > Global Services > Console > Globalization Settings > Charsets Supported by Each Locale submenu.

Supports the editing of an existing character set supported by a locale. Accessible from the Configure > Global Services > Console > Globalization Settings > Charsets Supported by Each Locale submenu.

Supports a list of client types. Associated with the Default Client Type option available via Configure > Global Services > System > Client Detection.

Supports creation of client devices.

Supports creation of client devices.

Supports step 1 of creating a new client device.

Used with duplicate client devices.

Associated with basic Service Configuration data, and the other endpoints accessible from the Configuration menu.

Supports the configuration of available authentication databases. You can get to this window by navigating to Configure > Authentication.

Supports the configuration of administrative an globalization console properties. You can get to this window by navigating to Configure > Global Services > Console.

Supports the configuration of OpenAM global properties. You can get to this window by selecting Configure > Server Defaults.

Supports the configuration of OpenAM system properties. You can get to this window by selecting Configure > Global Services > System.

Accesses current global attributes and cookie domain settings. To get to this window, select Configure > Global Services > System > Platform.

Supports a view of the current policy configuration. To access this window, select Configure > Global Services > Policy Configuration.

Supports the addition of a new resource comparator to the current policy configuration. To access the relevant window, select Configure > Global Services > Policy Configuration.

Supports the editing of an existing resource comparator in the current policy configuration. To access the relevant window, select Configure > Global Services > Policy Configuration.

Enables a review of current SAML v2.0 SOAP binding request handlers. Associated with SOAP-based communications, using SAML v2.0 requests, between a client and a server. To access the relevant screen, select Configure > Global Services > SAMLv2 SOAP Binding.

Allows you to add a new SAML v2.0 SOAP binding request handler. To access the relevant screen, select Configure > Global Services > SAMLv2 SOAP Binding.

Allows you to duplicate an existing SAML v2.0 SOAP binding request handler. To access the relevant screen, select Configure > Global Services > SAMLv2 SOAP Binding.

Allows you to edit an existing SAML v2.0 SOAP binding request handler. To access the relevant screen, select Configure > Global Services > SAMLv2 SOAP Binding.

Enables a review of current SOAP binding request handlers. Associated with the Liberty Alliance Project Identity Federation Framework (Liberty ID-FF).

Allows you to add a new SOAP binding request handler. Associated with the Liberty Alliance Project Identity Federation Framework (Liberty ID-FF).

Allows you to duplicate an existing SOAP binding request handler. Associated with the Liberty Alliance Project Identity Federation Framework (Liberty ID-FF).

Allows you to edit an existing SOAP binding request handler. Associated with the Liberty Alliance Project Identity Federation Framework (Liberty ID-FF).

Supports the configuration of tokens associated with the Security Token Service (STS). To access the associated screen, select Configure > Global Services > Security Token Service.

Supports the addition of an OpenAM server to work behind a load balancer in support of Session Failover (SFO). Available from Deployment > Servers.

Supports the cloning of an existing OpenAM server to work behind a load balancer in support of session failover. Available from Deployment > Servers.

Supports the inheritance of the default configuration for servers, as it relates to SFO.

Enables the configuration fo a new server; relates to SFO.

Supports the review of the XML settings of an existing server, as it relates to SFO.

Supports the editing of advanced properties for default servers, in the configuration of servers for SFO. To access, navigate to Configure > Server Defaults > Advanced.

Supports the editing of properties for the Core Token Service. To access, navigate to Configure > Server Defaults > CTS.

Supports the editing of general properties for default servers, such as the base directory, default locale, debug level, mail server for notifications, and more. Relates to the configuration of servers for SFO. To access, select Configure > Server Defaults.

Supports the editing of SDK-related properties for default servers, associated with SFO. Supports editing of settings such as datastore notifications, event service connection retries, LDAP connections, Time To Live (TTL) for user entries, and more. To access, navigate to Configure > Server Defaults > SDK.

Supports the editing of security properties for default servers; associated with SFO. Includes default security settings such as encryption keys, cookie encoding, keystores, and certificate management. To access, navigate to Configure > Server Defaults > Security.

Supports the editing of session properties for default servers; associated with SFO. Note the Session Limit default specifies a maximum of 5000, well short of the 100,000 sessions that can be handled by a standard 3GB dual-core production system. To access, navigate to Configure > Server Defaults > Session.

Supports the editing of UMA properties for default servers. To access, select Configure > Server Defaults > UMA.

Associated with the addition or editing of a load balancer that distributes requests to other OpenAM servers. To access, select Deployment > Servers.

Enables the configuration of a load balancer to distribute requests to other existing OpenAM servers. To access, select Configure > Sites.

Enables changes to a configured load balancer in how it distributes requests to other existing OpenAM servers. To access, select Configure > Sites.

Includes new resource offerings for the discovery service, bootstrapped using a standard such as SAML2.

Supports the editing of existing resource offerings for the discovery service, bootstrapped with a standard such as SAML2.

Includes the addition of of new options for the discovery service.

Supports the editing of existing options for the discovery service.

Supports the mapping of a new resource ID for the discovery service.

Supports the editing of an existing resource ID for the discovery service.

Supports a review and configuration of the Discovery Server, for global attributes, the ResourceID Mapper plug-in, and bootstrapping.

Allows you to configure globalization settings for OpenAM; accessible via Configure > Global Services > Console > Globalization Settings.

Allows you to configure a secondary configuration instance; accessible via Configure > Global Services > Session.

Allows you to edit an existing secondary configuration instance; accessible via Configure > Global Services > Session.

Allows you to configure a schema associated with breadcrumbs.

Provides statistics on current stateful login sessions. Available from the Sessions tab from the main console.

Supports session high availability statistics collection.

Provides information on what the administrator can do after configuring an Identity Provider (IDP). Options listed include registering a remote Service Provider (SP), creating a fedlet, configuring Google Apps, and configuring Salesforce CRM. Includes links to such functionality, which depend on the configuration of a Circle of Trust (CoT).

Supports the configuration of Google Apps for Single-sign on (SSO). Requires a CoT configured with an IDP.

Enables entries to configure the SP. Includes steps "To Enable Access to the Google Apps API."

Includes a default warning message related to the ConfigureGoogleApps.jsp endpoint. The message is: "Unable to configure because there are no circle of trust with Identity Provider."

Supports the configuration of OAuth2 Authorization. For more information, see the the chapter on "Managing OAuth 2.0 Authorization" in the Administration Guide.

Accessible when you select the Configure Salesforce CRM link shown in the main GUI console. Requires IDP and SP information for an appropriate CoT, where OpenAM is the IDP and Salesforce is configured as the SP.

Supports the configuration of SSO with a Salesforce CRM account. Includes instructions on the settings to add to an applicable Salesforce account.

Includes a warning message related to the ConfigureSalesForceApps.jsp endpoint. The message is: "Unable to configure because there are no circle of trust with Identity Provider."

Sets up a warning message related to a need for a circle of trust for the configuration.

Accessible when you select one of the Configure Social Authentication options shown in the main GUI console.

A fedlet supports federation for a SP that does not already have its own federation solution. For more information, see "Building SAML v2.0 Service Providers With Fedlets" in the Developer’s Guide.

Sets up a warning message related to the prerequisite for a CoT with the IDP.

Supports the configuration of a SAML v2.0 IDP on the local instance of OpenAM.

Supports the configuration of a SAML v2.0 SP on the local instance of OpenAM.

Supports the configuration of a SAML v2.0 IDP on a remote system, within a configured CoT.

Supports the configuration of a SAML v2.0 SP on a remote system, within a configured CoT.

Endpoint that redirects the client to the startup page for OpenAM.

Supports the test of a federation connection between an IDP and SP in a CoT.

This service endpoint is normally opened in a separate window to enable a user (or administrator) to change their login password. Accessible from the Edit User screen. All you need to do from the screen is click Edit next to the Password entry.

Relates to the security mechanism identifier associated wih a user. To access from the screen for an individual user, select Services > Discovery Service > Add > scroll down to the Service Description box > New Description > select and Add a Security Mechanism ID. An example ID is urn:liberty:security:2003-08:ClientTLS:SAML, which relates to the former Liberty Alliance project. The ID also uses Transaction Layer Security (TLS) on the client with SAML assertions.

Supports editing of the security mechanism identifier associated with a user. Closely related to the UMUserDiscoveryDescriptionAdd.jsp endpoint.

Allows you to "Force Change Password on Next Login". Accessible from the Edit User screen for a specific user, via the "Password Reset Options" entry near the bottom of the window.

Accessible as an option to the Discovery Service for a specific user. To access from the Edit User screen for a specific user, select Services > Discovery Service > Add.

Accessible as an option to the Discovery Service for a specific user. To access from the Edit User screen for a specific user, select Services > Discovery Service > Add.

Accessible as an option to the Discovery Service for a specific user. To edit an existing resource offering, navigate to the Edit User screen for a specific user, select Services > Discovery Service > [some previously configured service].

Supports the configuration of various mechanism handlers for authentication, including CRAM-MD5, PLAIN, and SSOToken.

Supports the addition of a new mechanism handler for authentication.

Supports changes to an existing mechanism handler for authentication.

Enables the addition of a new LDAP attribute, with a name prefix.

Enables the editing of an existing LDAP attribute, with a name prefix.

Enables the creation of a new supported container for ID-FF.

Enables the editing of an existing container.

Allows you to configure ID-FF for global attributes, supported containers, PPLDAP attributes and alternative security mechanisms.

Enables retrieval of session status change notifications for OpenID Connect 1.0. For more information, see the Session Status Change Notification section in the OpenID Connect Session Management 1.0 specification.

Enables registration of an OAuth 2.0 client with the OpenAM OAuth 2.0 authorization service. For details, see "Registering OAuth 2.0 Clients With the Authorization Service" in the Administration Guide.

Used to log out the resource owner with the OAuth 2.0 provider. For more information, see "Registering OAuth 2.0 Clients With the Authorization Service" in the Administration Guide.

Endpoint used for redirection. For more information, see "Registering OAuth 2.0 Clients With the Authorization Service" in the Administration Guide.

This simple endpoint includes a redirection of the ServiceURI, and specifies OpenAM as the ProductName. It is used by the other endpoints in the password/ui subdirectory.

This endpoint is called with the PWResetInvalidURLViewBean class, when a module servlet gets an invalid URL.

Starts the password reset process by prompting for the User ID. For more information on the process, see the method for the associated PWResetQuestionModel, available from the link:http://download.forgerock.org/downloads/openam/javadocs/internal/com/sun/identity/password/ui/model/PWResetQuestionModel.html [Interface PWResetQuestionModel specification page, window=\_blank].

Specifies the endpoint that is called when an account password is successfully reset.

Specifies a "Contact your administrator" message when there is an error in a related endpoint.

Opens a screen that prompts for a user ID (UID). If that UID is found in the database, configured with an accessible email address, on a system connected to a mail server, a reset link is sent to that address.

May be dispatched to perform a single logout.

May be dispatched to perform a single logout in a WML environment.

Auto-submitting form used to post an error message and relay state. Used by the Fedlet.

Auto-submitting form used to post error messages.

May be used by other files to return a success or failure message. While the default.jsp name is common in the trunk, the jsp/default.jsp filename is used only by SPSingleLogout.java, which is not commonly used.

Supports the export of XML-based metadata with other providers within a circle of trust (CoT). Currently used. For more information, see the chapter on "Managing SAML v2.0 Federation" in the Administration Guide.

The MNI in several JSP files relate to ManageNameID, which sets up corresponding accounts on IDPs and SPs. This particular JSP file processes a request from an IDP through an HTTP redirect.

The MNI in several JSP files relate to ManageNameID, which sets up corresponding accounts on IDPs and SPs. This particular JSP file processes a request from an IDP through an HTTP redirect. It uses a metadata-based alias, an entity ID for the service provider, and the type of MNI request; examples include NewID and terminate.

The MNI in several JSP files relate to ManageNameID, which sets up corresponding accounts on IDPs and SPs. As described in "Changing Federation of Persistently Linked Accounts" in the Administration Guide, it allows you to change federation of persistently linked accounts. The chapter also includes an example of this endpoint at work.

Specifies an endpoint that takes authentication requests from an SP, with a SAMLRequest data, a metaAlias and a RelayState with information from the target URL.

Specifies an endpoint that starts SSO, either from cache, or by verifying metaAlias and SP identifier data. For more information, see the chapter on "Managing SAML v2.0 Federation" in the Administration Guide.

Starts a LogoutRequest from the identity provider. For more information, see the chapter on "Managing SAML v2.0 Federation" in the Administration Guide.

Specifies an endpoint that receives logout requests from IDPs and receives logout responses from SPs. Also sends logout responses to SPs.

Takes the SAMLRequest and SAMLResponse messages for logouts from the SP. May also handle the RelayState directive.

Used for SAML authentication for communication with identity providers (IDPs).

Used for SAML authentication for communication with service providers (SPs).

Returns an error message related to Secure Attribute Exchange (SAE). Currently used only by the SA_IDP.jsp and SA_SP.jsp endpoints.

Endpoint that may return one of many error codes, specified in the comments of the file.

Used on a SP, to interpret information from an IDP. The request to the IDP is an AuthnRequest; the response from the IDP is read by this endpoint. SAML v2.0 single sign-on implemented using integrated mode uses this endpoint.

Used on a SP, to interpret information from an IDP. The request to the IDP is an AuthnRequest; the response from the IDP is read by this endpoint. SAML v2.0 single sign-on implemented using standalone mode uses this endpoint.

The MNI in several JSP files relate to ManageNameID, which sets up corresponding accounts on IDPs and SPs. This particular endpoint takes the associated request, using an HTTP Redirect, from a SP. Less commonly used.

This particular endpoint handles the ManageNameIDRequest and ManageNameIDResponse messages with the help of HTTP Redirect. Less commonly used.

This particular endpoint supports changes to federation of persistently linked accounts, in a fashion similar to idpMNIRequestInit.jsp. For an example of this endpoint in work, see the chapter on "Managing SAML v2.0 Federation" in the Administration Guide.

Supports SSO messages from the SP. For more information and an example of how this endpoint is used, see the chapter on "Managing SAML v2.0 Federation" in the Administration Guide.

Supports SSO messages from the SP. For more information, see the chapter on "Managing SAML v2.0 Federation" in the Administration Guide.

Specifies an endpoint that receives logout requests from SPs and receives logout responses from IDPs. Also sends logout responses to IDPs. Converse endpoint to idpSingleLogoutPOST.jsp.

Takes the SAMLRequest and SAMLResponse messages for logouts from the IDP. May also handle the RelayState directive. Converse endpoint to idpSingleLogoutRedirect.jsp.

Shows a page after a successful logout.

Used for multi-federation protocol configurations.

Sets up a form for single sign-on (SSO) responses sent from the IDP to the SP.

Default display if no realms are defined.

Filters for various endpoints. Associated with the JatoAuditFilter, which implements the org.forgerock.openam.audit.servlet.AuditAccessServletFilter filter class.

Implements the AuditContextFilter for all endpoints. This filter implements the org.forgerock.openam.audit.context.AuditContextFilter filter class.

Implements the amSetupFilter for all endpoints. This filter implements the com.sun.identity.setup.AMSetupFilter filter class.

Implements the XUIFilter. This filter implements the org.forgerock.openam.xui.XUIFilter filter class.

Implements the ResponseValidationFilter for all endpoints. This filter implements the org.forgerock.openam.validation.ResponseValidationFilter filter class.

Implements the CacheForFiveMinutes. This filter implements the org.forgerock.openam.headers.SetHeadersFilter filter class.

Implements the CacheForAMonth. This filter implements the org.forgerock.openam.headers.SetHeadersFilter filter class.

Implements the AuthNFilter and AuthZFilter. These filters implement the com.sun.identity.rest.AuthNFilter and com.sun.identity.rest.AuthZFilter filter classes.

With the help of the LoginLogoutMapping.java file, this would forward to the /UI/Login.jsp endpoint.

With the help of the LoginLogoutMapping.java file, this would forward to the /UI/Logout.jsp endpoint.

Uses the LoginServlet.

Uses the AMSetupServlet, which is the first class to get loaded by the Servlet * container (as noted in the associated .java file)

Used by the installation wizard to display the progress.

Used by the upgrade wizard to display progress.

Associated with the servlet named PWResetServlet, associated with password resets.

Used with the servlet named GatewayServlet. Associated with the Gateway.java file, which takes an authentication module and forwards it to a login URL.

The associated .java file is associated with session failover.

All of these endpoints are associated with OpenAM Security Advisory #201203. As suggested in the advisory, if you are using OpenAM version 9.5.4 or 10.0.0, you should be sure to apply the updates required to upgrade your systems to versions 9.5.5 or 10.0.1 (or higher).

These endpoints provide information on configured web services, including the port name, status, URL, and implementation class. Both endpoints show the same data. The IdentityServices servlet name points to the following description: "Web Service Endpoint - Identity Services".

Includes system configuration information when available, as documented in the comments to the AMSystemConfig.java file.

Possibly a legacy endpoint. While the associated IdentityServicesHandler servlet is identified as "REST Endpoint - Identity Services", it is only cited in the IdentityServicesHandler.java file.

The associated servlet named notificationservlet appears to be commonly used. When the URL is entered, the default output is 200, which is associated with a URL success message.

Used by the NetworkMonitor.java file, which is useful for the monitoring of OpenAM services.

Linked to an oauth servlet. The associated com.sun.identity.oauth.service.RestService class is rarely used.

Used by a servlet named SPMniSoap; associated with a com.sun.identity.saml2.servlet.SPManageNameIDServiceSOAP servlet class. The associated .java file works with Manage Name ID communications using SOAP binding from the SP. As the former spMNISOAP.jsp file no longer exists in the trunk, this may be a legacy endpoint.

Used by a servlet named spMNIPOST.jsp; previously defined in the SAML2 JSP Endpoints section.

Used by a servlet named spMNIRedirect.jsp, which is defined in the SAML2 JSP Endpoints section.

Used by a servlet named spMNIRequestInit.jsp, which is defined in the SAML2 JSP Endpoints section.

The associated SPECPService class receives and processes single logout (SLO) requests, using SOAP bindings on the SP.

The associated SPSingleLogoutServiceSOAP class receives and processes single logout (SLO) requests, using SOAP bindings on the SP.

Used by a servlet named spSingleLogoutPOST.jsp, which is defined in the SAML2 JSP Endpoints section.

Used by a servlet named spSingleLogoutRedirect.jsp, which is defined in the SAML2 JSP Endpoints section.

Used by a servlet named spSingleLogoutInit.jsp, which is defined in the SAML2 JSP Endpoints section.

Used by a servlet named spAssertionConsumer.jsp, which is defined in the SAML2 JSP Endpoints section.

Used by a servlet named AuthConsumer.jsp, which is defined in the SAML2 JSP Endpoints section. Used with SAML v2.0 integrated mode deployments.

Used by a servlet named idpSSOFederate.jsp, which is defined in the SAML2 JSP Endpoints section.

Used by a servlet named NameIDMappingServiceSOAP.

Used by a servlet named AssertionIDRequestServiceSoap.

Used by a servlet named AssertionIDRequestServiceSoap.

Used by a servlet named AuthnQueryServiceSoap.

Used by a servlet named AttributeServiceSoap.

Used by a servlet named SSOSoap.

Used by a servlet named IDPMniSoap.

Used by a servlet named idpMNIPOST.jsp, which is defined in the SAML2 JSP Endpoints section.

Used by a servlet named idpMNIRedirect.jsp, which is defined in the SAML2 JSP Endpoints section.

Used by a servlet named idpMNIRequestInit.jsp, which is defined in the SAML2 JSP Endpoints section.

Used by a servlet named IDPSloSoap.

Used by a servlet named idpSingleLogoutPOST.jsp, which is defined in the SAML2 JSP Endpoints section.

Used by a servlet named idpSingleLogoutRedirect.jsp, which is defined in the SAML2 JSP Endpoints section.

Used by a servlet named idpSingleLogoutInit.jsp, which is defined in the SAML2 JSP Endpoints section.

Used by a servlet named IDPArtifactResolver.

Used by a servlet named spSSOInit.jsp, which is defined in the SAML2 JSP Endpoints section.

Used by a servlet named idpSSOInit.jsp, which is defined in the SAML2 JSP Endpoints section.

Used by a servlet named idpSSOFederate.jsp, which is defined in the SAML2 JSP Endpoints section.

Used by a servlet named SA_IDP.jsp, which is defined in the SAML2 JSP Endpoints section.

Used by a servlet named IDP_SP.jsp, which is defined in the SAML2 JSP Endpoints section.

Used by a servlet named IDPFinderService; the associated FSIDPFinderService.java file can be used to find a preferred IDP with a common domain cookie.

Used by a servlet named CDCServlet. It is associated with a Cross Domain Controller Servlet, as described in the the chapter on "Configuring Cross-Domain Single Sign-On" in the Administration Guide.

Used by a servlet named SAMLAwareServlet. It is associated with communications between a client, an SP, and an IDP. The transfer service on the IDP is the SAML Aware Servlet, and is part of the client web browser artifact profile. It validates a session token from a request run through the IDP.

Used by a servlet named SAMLPOSTProfileServlet. It is associated with communications between a client, an SP, and an IDP. The transfer service on the IDP is the SAML Aware Servlet, and is part of the client web browser POST profile, which supplies assertion IDs, and returns the response to the client browser.

Used by a servlet named SAMLSOAPReceiver. The servlet extracts a SAML request from a message sent in SOAP format. That message can be a query for authorization, attributes, or authentication. It supports POST messages only.

Used by a servlet named AssertionManagerServlet. It supports dynamic substitution, using the host name, port number, and the deployment location.

Used by a servlet named FSAssertionManagerServlet. It provides remote interfaces for the assertion manager class.

Used by a servlet named SecurityTokenManagerServlet. It supports dynamic substitution, using session parameters.

Used by a servlet named preLoginHandler. As there is no associated .java or .jsp file, it may be a legacy endpoint.

Used by a servlet named postLoginHandler. As there is no associated .java or .jsp file, it may be a legacy endpoint.

Used by a servlet named FederationServlet. Associated with the com.sun.identity.federation.login.FSFederationHandler class. The matching FSFederationHandler.java file processes requests to initiate a federation.

Used by a servlet named consentHandler. Associated with the com.sun.identity.federation.login.FSConsentHandler class. The matching FSConsentHandler.java file processes redirect requests in an existing federation.

Used by a servlet named ProcessLogout. Associated with the FSProcessLogoutServlet class. It is designed to handle single logout requests related to Kantara/Liberty ID-FF processes.

Used by a servlet named ReturnLogout. Associated with the FSReturnLogoutServlet class. It is designed to handle single logout responses related to Kantara/Liberty ID-FF processes. (Note the subtle difference with the ProcessLogout endpoint which handles logout requests.)

Used by a servlet named LogoutServlet. Associated with the FSSingleLogoutServlet class. It is designed to start single logout requests related to Kantara/Liberty ID-FF processes.

Used by a servlet named SingleSignOnService. Associated with the FSSSOAndFedService class. Configured for SSO on the IDP.

Used by a servlet named IntersiteTransferService. Associated with the FSIntersiteTransferService class. It is designed to send a AuthnRequest to an IDP.

Used by a servlet named AssertionConsumerService. Associated with the FSAssertionConsumerService class. For more information, see the chapter on "Managing SAML v2.0 Federation" in the Administration Guide.

Used by a servlet named SOAPReceiver. Associated with the FSSOAPReceiver class. SOAP endpoint that handles federation and specifies a URI to the SP.

Used by a servlet named FederationTerminationServlet. Associated with the FSTerminationInitiationServlet.java file, used to initiate termination of a federation connection. The IDP will send the termination request to the associated URL.

Used by a servlet named ProcessTermination. Associated with the FSTerminationRequestServlet class. The associated .java file is used when a request is received by a remote SP.

Used by a servlet named ReturnTermination. Associated with the FSTerminationReturnServlet class. The associated .java file is used to define a URL used by an IP to send termination responses.

Used by a servlet named InitiateRegistration. Associated with the FSRegistrationInitiationServlet class. The associated .java file is used to handle the registration request from a remote IDP.

Used by a servlet named ProcessRegistration. Associated with the FSRegistrationRequestServlet class. Processes registration requests from remote SPs.

Used by a servlet named ReturnRegistration. Associated with the SRegistrationReturnServlet class. Defines a URL for IDPs to send registration responses.

Used by a servlet named WSSOAPReceiver. Associated with the SOAPReceiver class. Defines an endpoint that handles SOAP requests.

Used by a servlet named WSPRedirectHandler. Associated with the WSPRedirectHandlerServlet class. Used by the SP for user redirects.

Used by a servlet with a matching name (idffwriter, saml2writer). Associated with the CookieWriterServlet class. Used by the IDP to help the web container find app-specific info, such as Java classes or Java Archives (JARs).

Used by a servlet with a matching name (idffreader, saml2reader). Associated with the CookieReaderServlet class. Used by the SP to help find the preferred IDP.

Used by a servlet named MultiProtocolRelayServlet. Associated with the MultiProtocolRelayServlet class. Also used in federation as a RelayState to continue to the next protocol.

Used by a servlet named WSFederationServlet. Associated with the WSFederationServlet class. Used as a service endpoint for WS-Federation.

Used by an endpoint named realmSelection.jsp, which was defined in the WS-Federation JSP Endpoints section.

Used by a servlet named saml2query. Associated with the QueryHandlerServlet class. The corresponding .java file receives and processes SAML2 queries.

Used by a servlet named federationrest. Associated with the ServletContainer class. Does not appear to be included in any current .java or .jsp file, so it may be a legacy endpoint.

Used by a servlet named OAuth2RegisterClient. For more information, see "Managing OAuth 2.0 Authorization" in the Administration Guide.

Used by a servlet named OAuth2ConnectCheckSession.

OpenAM’s well-known endpoints. See "Well-Known Endpoints".

Used by a servlet named ForgeRockRest. Associated with the HttpServlet class. For more information, see "Using the REST API" in the Developer’s Guide. In addition, you can read more about associated REST endpoints in "REST API Endpoints".

Used by a servlet named OAuth2Rest. Associated with the RestTokenDispatcher class. For more information, see "RESTful OAuth 2.0, OpenID Connect 1.0 and UMA 1.0 Services" in the Developer’s Guide.

Endpoints that expose OpenAM’s RESTful STS and SOAP STS functionality.

Endpoints that expose OpenAM’s XACML functionality.

Used by a servlet named OAuth2RestletAdapter. Associated with the RestTokenDispatcher class. For more information, see the chapter on the chapter on "RESTful OAuth 2.0, OpenID Connect 1.0 and UMA 1.0 Services" in the Developer’s Guide.

Endpoints that expose OpenAM’s RESTful UMA functionality.

Associated with the servlet named AuthServlet. The associated AuthServer.java file is the controller servlet for realm authentication pages. When the URL is entered prior to login, it defaults to the standard login page.

Associated with the servlet named AMBaseServlet. While the associated AMBaseServlet.java file is rarely used, any URL entered prior to login defaults to the standard login page.

Associated with the servlet named SCServlet.

Associated with the servlet named SMServlet. While the associated SMServlet.java file is rarely used, any URL entered prior to login defaults to the standard login page.

Associated with the servlet named RMServlet.

Associated with the servlet named PMServlet. While the associated PMServlet.java file is rarely used, any URL entered prior to login defaults to the standard login page.

Associated with the servlet named IDMServlet. While the associated IDMServlet.java file is rarely used, any URL entered prior to login defaults to the standard login page.

Associated with the servlet named UMServlet. While the associated UMServlet.java file is rarely used, any URL entered prior to login defaults to the standard login page.

Associated with the servlet named DelegationServlet. While the associated DelegationServlet.java file is rarely used, any URL entered prior to login defaults to the standard login page.

Associated with the servlet named TaskServle`t. While the associated `TaskServlet.java file is rarely used, any URL entered prior to login defaults to the standard login page.

Associated with the servlet named AgentConfigurationServlet. The associated AgentConfigurationServlet class is called by the amAccessControl.xml file, which suggests that it can be configured from the console from Realms > Realm Name > Agents. It is rarely used otherwise. any URL entered prior to login defaults to the standard login page.

Associated with the servlet named click-servlet. There is no associated click-servlet.java or ClickServlet.java file.

Associated with the servlet named FSServlet. While the associated FSServlet.java file is rarely used, the URL prior to login defaults to the standard login page.

Used by the WSServlet.java and SecurityTokenService.java files. If you are using web services and/or the Security Token Service (STS), you may want to keep this in place.

Associated with the STS. Be aware, this endpoint exposes basic service and port information for STS, Metadata Exchange (MEX), Simple Object Access Protocol 1.1 (SOAP11), and Web Service Definition Language (WSDL) endpoints without requiring authentication.

Associated with the servlet named AuditServlet.

How to use the OpenAM REST APIs for direct integration between web client applications and OpenAM, including REST API versioning, token encoding, authentication, logout, and logging.

How to use the OpenAM REST APIs for authorization and policy management.

How to use the OpenAM REST APIs for OAuth 2.0 and OpenID Connect 1.0.

How to use the OpenAM REST APIs for user self-registration and forgotten password reset.

How to use the OpenAM REST APIs for managing OpenAM identities and realms.

How to use the OpenAM REST APIs to manage OpenAM scripts.

How to use the OpenAM REST APIs to record information that can help you troubleshoot OpenAM.

How to use the OpenAM REST APIs to manage OpenAM’s Security Token Service, which lets you bridge identities across web and enterprise identity access management (IAM) systems through its token transformation process.

Exposes OpenID Provider configuration by HTTP GET as specified by OpenID Connect Discovery 1.0. No query string parameters are required.

Exposes User-Managed Access (UMA) configuration by HTTP GET as specified by UMA Profile of OAuth 2.0. No query string parameters are required.

Allows a client to retrieve the provider URL for an end user by HTTP GET as specified by OpenID Connect Discovery 1.0.