OpenAM – Access Management


OpenAM 13.5 – What’s new!

A preview version of an OpenAM service broker for Cloud Foundry is now available!

“All in one” access management that includes authentication, adaptive risk assessment, authorization, federation, single sign-on, social sign-on, basic self-service, privacy and consent, and high performance session management. Feature overview.

Mobile authentication, including the Push Authentication feature to verify users without the need for passwords, and multi-factor authentication capabilities with an easy-to-use mobile app for iOS and Android.

Practical bits


Issue tracking (JIRA)
Knowledge Base

The “What’s New in OpenAM 13.5” section of the release notes has the overview of what’s new and shiny.

Source code

OpenAM is open source. You can check out the source code here.

The code is licensed under CDDL.

Official project repository

Get involved!

– Join the OpenAM mailing list or forum to ask questions, make suggestions, and tell us what you think of OpenAM.

– Contribute to the development of OpenAM by checking out the source code and the roadmap, adding to our issue/bug tracker, and hacking away on what matters to you.

– Idea: hack out scripts and recipes for OpenAM that work with solutions like Juju, Vagrant, Ansible, Puppet, Docker, CFEngine, etc. (and share them here!)

Get started!

The chapter “Getting started with OpenAM” in the documentation will take you through the steps.


OpenAM feature overview

OpenAM has a 100% Java-based architecture that allows deployment across many platforms. It is developer and admin friendly, with a task-based GUI, REST, C and Java developer tools, and comprehensive documentation. OpenAM also includes service provider interfaces (SPIs) that provide a framework to extend all service modules, such as adding custom authentication modules, federation plug-ins, and policy conditions.

Supporting over 25 out-of-the-box authentication methods, OpenAM includes the ability to chain methods together along with Adaptive Risk scoring, or to create custom authentication modules based on the JAAS (Java Authentication and Authorization Service) open standard.

Windows IWA is supported to enable a completely seamless, heterogeneous OS and web application SSO environment. It is designed to be flexible and modular, making for a seamless user experience. Strong authentication, passwordless authentication, and frictionless multi-factor authentication can be easily implemented by leveraging the available ForgeRock Authenticator app for iOS and Android and corresponding authentication modules.

Scripts can be developed and easily integrated to augment authenticity validation by calling, for example, external identity verification systems. And these requirements can be enforced or exempted based on the Adaptive Risk score.

Leveraging a mobile phone in the login process (even when logging in from a desktop device) greatly increases security. OpenAM allows users to generate one-time passwords (OTP) using the ForgeRock Mobile Authenticator App for Android or iOS, or to receive one-time passwords via SMS on any smartphone. This enables simple multi-factor authentication without the need for token cards, USB keys, or any other hardware besides the mobile phone the user already has.

OpenAM supports Push Authentication, which uses the native push notification services in Android and iOS devices to send secure notifications to users when login attempts are made. The user can then use Touch ID or swipe to approve the login. This enables passwordless logins, where a user simply enters their username and then completes the login process by verifying their identity on their phone. It also allows for simplified multi-factor authentication where the user enters their full credentials into a site, and then simply uses their fingerprint or a swipe to verify, eliminating the hassle of typing in a one-time password.

The adaptive risk authentication module is used to assess risks during the authentication process, to determine whether to require the user to complete further authentication steps. Adaptive risk authentication determines, based on risk scoring, whether more information from a user is required when they log in.

For example, a risk score can be calculated based on an IP address range, access from a new device, account idle time, etc., and applied to the authentication chain. By using context to evaluate the legitimacy of the user’s login attempt, OpenAM can bar invalid entrants in real-time.

OpenAM provides authorization policy, from basic, simple, coarse-grained rules to highly advanced, fine-grained entitlements. Policies can be exported and imported via XACML. By externalizing authorization policy from applications and centralizing it with OpenAM, developers can quickly add or change policy as needed, without modification to the underlying applications.

Using a modern GUI-based policy editor with point-and-click and drag-and-drop operations, sophisticated policies can be built to deliver controlled access to resources. Developers can easily deal with fine-grained policies through REST APIs. For IoT use cases, solution-specific policies can be built with arbitrary resource types and custom actions, such as opening a door lock or switching on a light.

Most access management solutions only assess risk at initial authentication. Contextual Authorization with OpenAM, on the other hand, allows for continuous security and dynamic, context-based policies. This allows organizations to assess risk not just at the time of authentication, but also as resources are accessed during the digital session. To gain greater knowledge about who the user is and what their context is, external policy information points can be called with easy-to-write scripts.

Additional context can then be used to further assess risk, requiring stronger authentication mechanisms only when necessary. This makes the end user experience simpler while maintaining security by ensuring the authenticity of users, devices, things, and services throughout the duration of each session. In addition, OpenAM can act as a User-Managed Access (UMA) Provider for extensive privacy and consent capabilities.

The federation services in OpenAM can securely share identity information across heterogeneous systems or domain boundaries using standard identity protocols (SAML, OpenID Connect). This allows users to access services that span the cloud and mobile devices, on premises and off, eliminating the need for multiple passwords, user profiles, and the added complexity that frustrates users and slows adoption. SAML-based federation can be incorporated into authentication chains, enabling the use of federated identities in stronger multi-factor authentication.

OpenAM provides multiple mechanisms for SSO, whether the requirement is to enable SSO in a single domain, enable cross-domain SSO for a single organization, or enable SSO across multiple organizations through the Federation Service. It supports multiple options for enforcing policy and protecting resources, including policy agents that reside on web or application servers. The built-in Security Token Service (STS) can act as a multi-protocol hub, translating for providers who rely on other, older standards. A variety of flexible options for single sign-on are provided.

OpenAM is an ideal solution for customer-facing identity where it’s essential to employ a light touch when dealing with millions of users, all while providing the highest possible security. Businesses need to deliver a great, easy-to-use self-service login, empowering the user wherever possible, such as through easy self-registration or password reset. Otherwise customers are very quick to go somewhere else.

OpenAM also supports integration with social sign-on, via services such as Facebook, LinkedIn, or Google, eliminating the need for user registration and thus paving the way for rapid customer adoption. In addition, device registration or pairing to particular services can be easily set up according to the de-facto standard OAuth2 Device Flow.

Simple download and installation of OpenAM makes it very easy to evaluate. It provides client application programming interfaces with Java and C APIs and a RESTful API that can return JSON or XML over HTTP, allowing users to access authentication, authorization, and identity services from web applications using REST clients in their language of choice. OAuth2 also provides a REST interface for the modern, lightweight federation and authorization protocol.

Features such as user self-service, policy, and security token service are also exposed through REST APIs, making it simple for developers to adopt powerful functionality. Widely used in mobile and web applications, OAuth2 and OpenID Connect standards are more rigorously enforced, as the built-in OpenID Connect Provider is fully conformant with the OpenID Foundation’s Conformance tests. This ensures greater interoperability and consistent behavior for developers.

To enable high availability for large-scale and mission-critical deployments, OpenAM provides both system failover and session failover. These two key features help to ensure that no single point of failure exists in the deployment, and that the OpenAM service is always available to end-users. Redundant OpenAM servers, policy agents, and load balancers prevent a single point of failure. Session failover ensures the user’s session continues uninterrupted, and no user data is lost.

For situations requiring greater elasticity and massive scale, for example, in microservices environments where thousands of machine-to-machine connections are made every second, flexible stateless sessions can be leveraged as well.

The Common Audit Framework provides a means to log data consistently across the ForgeRock Identity Platform, and enables you to correlate events and transactions. Audit topics, such as access and activity, can be configured independently, delivering the data you want to the appropriate business services. In addition to the existing handlers for CSV files, JDBC connections, and Syslog, there are now two new handlers available: JMS and Elasticsearch (part of the ELK stack).

OpenAM Slides and collateral

OpenAM Introduction

Identi-Tea Podcast: Episode 4 – The Rodeo of Things

OpenAM blog posts
OpenAM Resources

©2017 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
