All posts by Cyril

Cyril Grosjean, CTO at Janua. Cyril spent 3 years as a technical support engineer and integrator, working on Netscape and Sun server software. He then joined Netscape professional services as a consultant for 3 years, then moved to Sun Microsystems as a project engineer, leaving after 3 years in late 2004. Since then, Cyril has been Janua's technical manager, mostly devoted to open source and open standards based solutions in the identity market. Main skills: identity management solutions consulting, technical expertise, solutions architecture and design, integration and deployment of LDAP directory services and related software, SAML & Shibboleth federation and single sign-on, access control, firewalls, PKIs, strong authentication, open source solutions, team and project management.

OpenAM 12 tricks

OpenAM 12 tricks: I recently had to find a solution built on OpenAM where the business requirement was to display a form to end users accessing a SAML SP (one among several) for the first time, so that they could make a choice that changes the content of the SAML assertions generated by the OpenAM IdP.

There are actually multiple hooks in OpenAM for this; one way to accomplish it is to develop a custom SAML attribute mapper class on the OpenAM IdP side.

I was also asked how to stop the OpenAM OAuth2 provider from displaying the user consent page after authentication in the authorization code or implicit grant flow. One way to do that, on a per-user basis, is to provision the user profile with the attribute chosen to store user consents.

This multi-valued attribute has to be configured in OpenAM (both in the OAuth2 provider and in the datastore), of course, and each value must be a string consisting of the client ID followed by a space-separated list of the scopes to allow.

For example: myClientID openid profile
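As an added illustration (not code from the original post or from OpenAM itself), here is a small Python check that models how such stored consent values are interpreted: each value is parsed as a client ID followed by its allowed scopes, and a request is treated as pre-consented only when every requested scope is already recorded for that client. The client IDs and scopes in the sample values are constructed.

```python
# Added example: interpreting consent values of the form
# "<clientID> <scope> <scope> ...", as stored in the multi-valued
# user profile attribute described above. Sample values are constructed.

def parse_consents(values):
    """Map each client ID to the set of scopes the user has already allowed.

    Values that are empty or carry no scopes are ignored rather than
    treated as a blanket grant, so a malformed value never widens consent.
    Repeated values for one client are merged.
    """
    consents = {}
    for value in values:
        parts = value.split()
        if len(parts) < 2:
            continue
        client_id, scopes = parts[0], parts[1:]
        consents.setdefault(client_id, set()).update(scopes)
    return consents


def consent_already_given(values, client_id, requested_scopes):
    """True only if every requested scope is already stored for client_id."""
    allowed = parse_consents(values).get(client_id, set())
    return bool(requested_scopes) and set(requested_scopes) <= allowed


# Constructed sample content of a user's consent attribute.
SAMPLE_CONSENTS = [
    "myClientID openid profile",
    "otherClient openid",
    "brokenEntryWithoutScopes",
]

if __name__ == "__main__":
    # Already consented: the consent page can be skipped.
    print(consent_already_given(SAMPLE_CONSENTS, "myClientID", ["openid", "profile"]))  # True
    # "email" was never allowed for this client: consent is still required.
    print(consent_already_given(SAMPLE_CONSENTS, "myClientID", ["openid", "email"]))    # False
```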