Authentication and Session Module Configuration Details

This appendix includes configuration details for the authentication modules described in "Supported Authentication and Session Modules". Authentication modules, as configured in the authentication.json file, include a number of properties. Except for those of the OPENAM_SESSION module (see "OPENAM_SESSION Module Configuration Options"), those properties are listed in the following tables.

Session Module

Authentication Property | Property as Listed in the Admin UI | Description
keyAlias | (not shown) | Alias of the key used by the Jetty Web server to service SSL requests.
privateKeyPassword | (not shown) | Defaults to openidm.keystore.password in boot.properties.
keystoreType | (not shown) | Defaults to openidm.keystore.type in boot.properties.
keystoreFile | (not shown) | Defaults to openidm.keystore.location in boot.properties.
keystorePassword | (not shown) | Defaults to openidm.keystore.password in boot.properties.
maxTokenLifeMinutes | Max Token Life (in seconds) | Maximum time before a session is cancelled. Note the different units: the property is in minutes, the UI label says seconds. Verify the value in authentication.json rather than trusting the label.
tokenIdleTimeMinutes | Token Idle Time (in seconds) | Maximum time before an idle session is cancelled. The same unit difference between the property and the UI applies.
sessionOnly | Session Only | Whether the session is limited to the browser session. When true, the session cookie is a browser-session cookie and the session does not continue after a browser restart.

Static User Module

Authentication Property | Property as Listed in the Admin UI | Description
enabled | Module Enabled | Whether OpenIDM uses the module.
queryOnResource | Query on Resource | Endpoint to query; hard-coded to the user anonymous.
username | Static User Name | Name of the static user; defaults to anonymous.
password | Static User Password | Password of the static user; defaults to anonymous.
defaultUserRoles | Static User Role | Normally set to openidm-reg for self-registration. Because the static user's credentials are the well-known defaults, grant it no broader role.

The following table applies to several authentication modules: Managed User, Internal User, Client Cert, Passthrough and IWA. The IWA module includes several Kerberos-related properties, listed at the end of the table.
Common Module Properties

Authentication Property | Property as Listed in the Admin UI | Description
enabled | Module Enabled | Whether OpenIDM uses the module.
queryOnResource | Query on Resource | Endpoint to query.
queryId | Use Query ID | A defined queryId searches against the queryOnResource endpoint. If queryId is undefined, OpenIDM instead sends a request to the queryOnResource endpoint with action=reauthenticate.
defaultUserRoles | Default User Roles | Roles assigned to every user authenticated by the module. Normally blank for managed users, whose roles come from the userRoles mapping.
authenticationId | Authentication ID | Defines which attribute of the queryOnResource entry holds the account identifier (the user name).
userCredential | User Credential | Defines which attribute of the queryOnResource entry holds the account credential (the password).
userRoles | User Roles | Defines which attribute of the queryOnResource entry holds the account roles.
groupMembership | Group Membership | Provides more information for calculated roles: the attribute that lists the account's groups.
groupRoleMapping | Group Role Mapping | Provides more information for calculated roles: which groups map to which roles.
groupComparisonMethod | Group Comparison Method | Provides more information for calculated roles: how group values are compared.
managedUserLink | Managed User Link | Name of the mapping that links the external account to its managed user (Passthrough module only).
augmentSecurityContext | Augment Security Context | A script that is executed only after a successful authentication request. Because it can alter the roles in the security context, treat it as privileged code.
servicePrincipal | Kerberos Service Principal | (IWA only) For more information, see "Configuring IWA Authentication".
keytabFileName | Keytab File Name | (IWA only) For more information, see "Configuring IWA Authentication".
kerberosRealm | Kerberos Realm | (IWA only) For more information, see "Configuring IWA Authentication".
kerberosServerName | Kerberos Server Name | (IWA only) For more information, see "Configuring IWA Authentication".

OPENAM_SESSION Module Configuration Options

The OPENAM_SESSION module uses OpenAM authentication to protect an OpenIDM deployment. The options shown on the screen are subdivided into basic and advanced properties. You may need to click Advanced Properties to review those details.
The following tables describe the label that you see in the Admin UI, the default value (if any), a brief description, and the associated configuration file. If you need the property name, look at the configuration file. The default values shown depict what you see if you use the OPENAM_SESSION module with the Full Stack Sample. For more information, see "Full Stack Sample - Using OpenIDM in the ForgeRock Identity Platform" in the Samples Guide.

OPENAM_SESSION Module Basic Properties

Admin UI Label | Default | Description | Configuration File
Module Enabled | false | Whether to enable the module. | authentication.json
Route to OpenAM User Datastore | system/ldap/account | External repository holding the OpenAM data store information. | authentication.json
OpenAM Deployment URL | blank | URL of the deployed instance of OpenAM. Use an https URL outside the local sample so that session validation does not cross the network in the clear. | authentication.json
Require OpenAM Authentication | false | Whether to make the OpenIDM UI redirect users to OpenAM for authentication. | ui-configuration.json

OPENAM_SESSION Module Advanced Properties

Admin UI Label | Default | Description | Configuration File
OpenAM Login URL | http://example.com:8081/XUI/#login/ | URL of the login endpoint of the deployed instance of OpenAM. The sample default is plain http; use https in a real deployment. | ui-configuration.json
OpenAM Login Link Text | Login with OpenAM | UI text that links to OpenAM. | ui-configuration.json
Default User Roles | openidm-authorized | OpenIDM assigns these roles to the security context of every user authenticated through OpenAM. | authentication.json
OpenAM User Attribute | uid | User identifier for the OpenAM data store. | authentication.json
Authentication ID | uid | User identifier. | authentication.json
User Credential | blank | Credential, sometimes a password. | authentication.json
User Roles or Group Membership | Select an option | For an explanation, see "Common Module Properties". | authentication.json
Group Membership (if selected) | ldapGroups | Attribute that lists the user's group memberships. | authentication.json
Role Name | openidm-admin | Role granted through the group role mapping (the key in groupRoleMapping). | authentication.json
Group Mappings | cn=idmAdmins,ou=Groups,dc=example,dc=com | LDAP group whose members receive the role named above (the value in groupRoleMapping). | authentication.json
TruststorePath Property Name | truststorePath | File path to the OpenIDM truststore, which OpenIDM uses when it connects to OpenAM over HTTPS. | authentication.json
TruststorePath Property Type | security/truststore | Truststore file location, relative to /path/to/openidm. | authentication.json (value from boot.properties)
Augment Security Context | Javascript | Script type; JavaScript or Groovy. | authentication.json
File Path | auth/populateAsManagedUser.js | Path to the security context script, relative to the /path/to/openidm/bin/defaults/script subdirectory. | authentication.json

In general, if you add a custom property, the Admin UI writes changes to the authentication.json or ui-configuration.json file.
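The checks a practitioner would run against the settings in the tables above, as an added example that is not part of the OpenIDM documentation or code base: a Python script that audits an authentication.json for the session module lifetimes and sessionOnly flag, for a STATIC_USER that holds more than openidm-reg, for missing propertyMapping entries in the common modules, and for an OPENAM_SESSION module that talks to OpenAM over plain http. The configuration embedded in it is constructed; the session module name JWT_SESSION, the STATIC_USER queryOnResource value repo/internal/user and the OPENAM_SESSION property name openamDeploymentUrl are assumptions taken from the Full Stack Sample rather than from this page, so check them against your own file before relying on the script.

```python
# Added example, not from the OpenIDM documentation or code base: audit an
# authentication.json for the weak settings this appendix describes.
# Session module, STATIC_USER and propertyMapping names are those in the
# tables above; JWT_SESSION, repo/internal/user and openamDeploymentUrl are
# ASSUMED from the Full Stack Sample. Check them against your own file.
import json
import sys

# Constructed sample in the shape of authentication.json, with two weak
# settings: an over-privileged static user and a plain-http OpenAM URL.
SAMPLE_CONFIG = json.loads(r"""
{"serverAuthContext": {
  "sessionModule": {"name": "JWT_SESSION", "properties": {
    "keyAlias": "openidm-localhost",
    "privateKeyPassword": "&{openidm.keystore.password}",
    "keystorePassword": "&{openidm.keystore.password}",
    "maxTokenLifeMinutes": 120, "tokenIdleTimeMinutes": 30, "sessionOnly": true}},
  "authModules": [
    {"name": "STATIC_USER", "enabled": true, "properties": {
      "queryOnResource": "repo/internal/user",
      "username": "anonymous", "password": "anonymous",
      "defaultUserRoles": ["openidm-reg", "openidm-admin"]}},
    {"name": "MANAGED_USER", "enabled": true, "properties": {
      "queryOnResource": "managed/user", "queryId": "credential-query",
      "propertyMapping": {"authenticationId": "username",
                          "userCredential": "password", "userRoles": "authzRoles"},
      "defaultUserRoles": []}},
    {"name": "OPENAM_SESSION", "enabled": true, "properties": {
      "openamDeploymentUrl": "http://openam.example.com:8080/openam",
      "queryOnResource": "system/ldap/account",
      "propertyMapping": {"authenticationId": "uid", "groupMembership": "ldapGroups"},
      "groupRoleMapping": {"openidm-admin": ["cn=idmAdmins,ou=Groups,dc=example,dc=com"]},
      "defaultUserRoles": ["openidm-authorized"]}}]}}
""")


def audit(config, max_life_minutes=480, max_idle_minutes=60):
    """Return (module, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    ctx = config["serverAuthContext"]
    session = ctx["sessionModule"]["properties"]
    # Long or absent lifetimes widen the window in which a stolen cookie works.
    # The property is in minutes even where the Admin UI label says seconds.
    for key, limit in (("maxTokenLifeMinutes", max_life_minutes),
                       ("tokenIdleTimeMinutes", max_idle_minutes)):
        value = session.get(key)
        if value is None or value > limit:
            findings.append(("sessionModule", f"{key}={value} exceeds {limit} minutes"))
    if session.get("sessionOnly") is not True:
        findings.append(("sessionModule", "sessionOnly is not true: cookie survives a browser restart"))
    # Secrets belong in boot.properties. An absent key falls back to it (see the
    # table above); a literal value here is a password committed to a config file.
    for key in ("privateKeyPassword", "keystorePassword"):
        if not str(session.get(key, "&{")).startswith("&{"):
            findings.append(("sessionModule", f"{key} is a literal, not a &{{...}} reference"))

    for module in ctx["authModules"]:
        if not module.get("enabled"):
            continue
        name, props = module["name"], module.get("properties", {})
        mapping = props.get("propertyMapping", {})
        if name == "STATIC_USER":
            # anonymous/anonymous is well known; keep it to self-registration only.
            extra = sorted(set(props.get("defaultUserRoles", [])) - {"openidm-reg"})
            if extra:
                findings.append((name, f"static user holds roles beyond openidm-reg: {extra}"))
            continue
        if "authenticationId" not in mapping:
            findings.append((name, "propertyMapping.authenticationId is missing"))
        if name in ("MANAGED_USER", "INTERNAL_USER") and "userCredential" not in mapping:
            findings.append((name, "propertyMapping.userCredential is missing"))
        if not ({"userRoles", "groupMembership"} & set(mapping)) and not props.get("defaultUserRoles"):
            findings.append((name, "no userRoles, groupMembership or defaultUserRoles: users get no roles"))
        if name == "OPENAM_SESSION" and not props.get("openamDeploymentUrl", "").startswith("https://"):
            findings.append((name, f"openamDeploymentUrl is not https: {props.get('openamDeploymentUrl')!r}"))
    return findings


def harden(config):
    """Return a copy of config with the sample's two weak settings corrected."""
    fixed = json.loads(json.dumps(config))
    for module in fixed["serverAuthContext"]["authModules"]:
        props = module["properties"]
        if module["name"] == "STATIC_USER":
            props["defaultUserRoles"] = ["openidm-reg"]
        elif module["name"] == "OPENAM_SESSION":
            props["openamDeploymentUrl"] = "https://" + props["openamDeploymentUrl"].split("://", 1)[-1]
    return fixed


if __name__ == "__main__":
    # Usage: python audit_auth.py [/path/to/openidm/conf/authentication.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            config = json.load(fh)
    else:
        config = SAMPLE_CONFIG
    for module, message in audit(config) or [("-", "no findings")]:
        print(f"{module}: {message}")
```

Run it with no argument to see the two findings on the constructed sample, or point it at a real /path/to/openidm/conf/authentication.json. The lifetime limits are parameters because an acceptable token life depends on the deployment; the role check for the static user and the https check for OpenAM are not, since neither has a defensible exception.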