CzechIdM OpenAM module [openam]
The module enables Single-Sign-On and authentication against OpenAM for CzechIdM. It also provides REST endpoint for retrieving users' OpenAM attributes, e.g. uid, dn, destinationindicator.
The module uses OpenAM RESTful API. The base URL of the API is a required configuration property of the module. When the module is enabled in the CzechIdM, users can authenticate to CzechIdM with their login and password valid for OpenAM.
Authentication process
If the OpenAM authentication is successful, the user gets OpenAM token. This token is set to the cookie of the (default) name iPlanetDirectoryPro for the current request domain. If users credentials are not correct or if they don't exist in OpenAM at all, they can still authenticate by standard CzechIdM authentication (local authentication).
SSO
Single-Sign-On functionality of the OpenAM module is done by a new authentication filter. When unauthenticated users come to CzechIdM and have the cookie with OpenAM token, the value of the token is validated against OpenAM. If the token is valid, the filter retrieves the user's login from OpenAM attributes and logs them in.
REST endpoint
The module also provides a REST endpoint /get-attributes for retrieving OpenAM attributes for given SSO token. When calling the endpoint, the user's session by OpenAM can be refreshed (this is an optional parameter, default is false).
Installation
Download the openam distribution package. The package contains a backend folder. Your IdM Tomcat installation we call IDM in the following example.
- Copy content of the backend folder into your tomcat IdM installation - [IDM]/WEB-INF/lib
- Set correct access rights to the files if needed (
chown tomcat:tomcat [IDM]/WEB-INF/lib/*) - Restart the IdM application server (
service tomcat restart) - Log in to CzechIdM as an privileged user and go to Settings → Modules and enable the openam module.
- Go to the configuration and configure the OpenAM base url configuration property (see below).
Configuration
The module provides following configuration properties:
| Property | Description |
|---|---|
| idm.sec.openam.base.url | REQUIRED. Base URL of the REST API (e.g. https://amhost.domain.tld/opensso/identity) |
| idm.sec.openam.login.attr.name | Name of the OpenAM attribute which holds user login (default: uid) |
| idm.sec.openam.sso.cookie.name | Name of the cookie which holds OpenAM token (default: iPlanetDirectoryPro) |
| idm.sec.openam.sso.cookie.domain | Domain, for which the cookie will be set. If empty, request root domain will be used. |
| idm.sec.openam.sso.cookie.httponly | Whether the cookie should have Http-Only sign (default: true) |
| idm.sec.openam.sso.cookie.secure | Whether the cookie should be sent for encrypted sessions only (https) (default: true) |
| idm.sec.openam.returned.attributes | Which attributes will be returned by /get-attributes endpoint (default: uid,dn,destinationindicator,ou) |
Notes
Note that the module doesn't provide "Single-Sign-Off" - it doesn't check the validity of the users' sessions when they are already authenticated to CzechIdM.
The module has only the backend part.