OpenAM: Getting started

OpenAM community logo OpenAM lets you protect your application, adding authentication and authorization. When you protect a web application running in a supported web server, for example, you can set everything up without actually touching your application. Okay, we gulped the marketing Kool-aid. We can even install OpenAM. But how does one get started protecting a web site?

It turns out that Sam Drew wrote a short, sweet tutorial on how to get started with OpenAM that he called, Add Authentication to a Website using OpenAM. He tells me he did it after coming to ForgeRock when he was first learning about OpenAM. As you follow along, you see the pieces of the OpenAM puzzle coming together clearly: core OpenAM services connected to an OpenDJ identity store to hold user data; an agent installed as an Apache web server plugin to manage the connection with core OpenAM services, and to manage the redirections to login and logout pages; access policy configured in OpenAM to allow users to access URLs on Apache when they have authenticated to OpenAM.

In order to complete the tutorial, you need to be able to configure your network with a couple of hosts, and potentially set up Apache web server. I only have one physical system here (this laptop), so I tried it with a couple of VirtualBox guests running on host-only network, all hosts sharing their names and IP addresses through /etc/hosts entries. Nice work, Sam.


10 thoughts on “OpenAM: Getting started

  1. Thanks Naresh, for your comment.

    Once you’ve tried Sam’s Wiki article, I’d recommend the documentation at

    In particular, the Admin Guide chapters on authorization in OpenAM ( ) and on policy agent configuration ( ) are good places to start. There’s also a Policy Agent Install Guide ( ) that you might find useful.

  2. thank you mark..

    now i have one more concern over the following scenario..i set up openam as hosted sp on my machine..and using remote idp(not openam) for single on sign on..but when i am trying to test this scenario..[using: & NameIDFormat=transient] ..i am getting.. Error processing AuthnRequest. Null input…what could be the reason for NullInput…i am expecting this is because of metadata(signature and certificate) of remote idp…
    i hope you got the problem..waiting for your reply

    1. Hi Naresh,

      I ran into something like this today when configuring the Java Fedlet with to use signing and encryption. Not sure I had the exact same “NullInput” result as you did.

      If you’re sure that on the SP side OpenAM can correctly interpret the certificate from the IDP, and you know that both are able to use the same authentication context, then have you brought your issue to the OpenAM users mailing list?


      1. thanks mark..
        i had solved the above problem by checking the Authentication request signing and signing certificate alias as test on hosted sp …

  3. Hi Mark,
    I’m doing my thesis about openam. I was cheking the “Add Authentication to a Website using OpenAM” tutorial,and I have tried it, but in a local network. (and in the same computer)
    I have installed glassfish 2 and I have created two domains, one where I have deployed opeam, and another one that I want to protect(In that one I have installed hello.war). I have used j2ee agent instead of a web agent.

    I have done all the steps but finally no login is required and I can acces Hello app normally.
    I think that maybe is because what you have said: “In order to complete the tutorial, you need to be able to configure your network with a couple of hosts,” I used different host names and I specified then at /etc/hosts, but the IP finally it’s the same. Maybe is for this that no login is required, isn’t it?
    I have tried to acces with another computer joined to the local network, but still no login is required.

    I have a desktop pc of 2GB memory and a desktop of 2GB memory also and a local network(both with ubuntu). What should you recommend me to do to do tests with openam? and make this tutorial actually works? (I think that in one computer is going to required many resources when virtualizing)

    Many thanks,

    1. Hi Andrés,

      Although I’m not sure exactly what’s happening in your case, one of the gotchas that often happens when running both OpenAM and a client application on the same host is not logging out regularly when using one browser to access both the OpenAM console and also the client application.

      If for example you login to the console in your browser and then switch to the client without logging out, you’ve still got the cookie from when you authenticated to the console. So the client correctly relies on the cookie you got after successfully authenticating, and grants access without forcing you to login again. Even if you use separate desktops for OpenAM and for the client application, you can still run into this issue, because the user agent (your browser) keeps the cookie, and authenticated session remains valid in OpenAM (by default for 30 mins if left idle, or two hours if you keep using it.)

      Does that help?


      1. Thank you Mark.
        I have tried in different browser, and also I cleaned cache and cookies from browser and still it doesn’t work.
        My question is why you have specified in the post that “In order to complete the tutorial, you need to be able to configure your network with a couple of hosts” and ” I tried it with a couple of VirtualBox guests running on host-only network” ? Why is this needed, is it imposible to do the IDP and the SP and the client all in the same pc.

        Thanks and regards,

  4. Hi,

    it is definitely possible to run OpenAM IdP and agent/SP on the same pc, you just need to make sure that everything is configured using FQDNs. The tutorial in the mentioned article is using agents to get SSO working, but the IdP/SP term is usually used within federation, so without details is hard to tell what isn’t working for you. In order to get help you can use the user mailing list or the #openam IRC room on freenode. 😉


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s