The module enables Single-Sign-On and authentication against OpenAM for CzechIdM. It also provides REST endpoint for retrieving users' OpenAM attributes, e.g. uid, dn, destinationindicator.

If the OpenAM authentication is successful, the user gets OpenAM token. This token is set to the cookie for the current domain. If users credentials are not correct or if they don't exist in OpenAM at all, they can still authenticate by standard CzechIdM authentication (local authentication).

When unauthenticated users come to CzechIdM and have the cookie with OpenAM token, the value of the token is validated against OpenAM. If the token is valid, the filter retrieves the user's login from OpenAM attributes and logs them in.

• OpenAM module - installation and configuration

• Authentication - create a new authentication method