OpenAM 12 tricks

I recently had to find a solution built on OpenAM where the business requirement was to display a form to end users accessing one of several SAML SPs for the first time, so that they could make a choice; the content of the SAML assertions generated by the OpenAM IdP then changes according to that choice.

There are actually multiple hooks in OpenAM and one way to accomplish that is to develop a custom SAML attribute mapper class on the OpenAM IdP side.

I was also asked how to stop the OpenAM OAuth2 provider from displaying the user consent page after authentication in the authorization code or implicit grant flow. One way to do that, on a per-user basis, is to provision the user profile with the attribute chosen to store user consents.

This multi-valued attribute has to be declared in the OpenAM configuration (both the OAuth2 provider and the datastore), and each value must be a string consisting of the client ID followed by a space-separated list of scopes to allow for that client.

For example: myClientID openid profile
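To make the consent-value format concrete, here is an added Python model of it (illustration code, not OpenAM's own implementation): it parses the stored "clientID scope scope ..." strings into a per-client scope set, decides whether a given request is already fully covered (so the consent page could be skipped), and builds a well-formed value to provision. How OpenAM itself tokenises the attribute, merges duplicate entries or treats malformed ones is not stated on the page, so the handling of those cases here is an assumption; the profile values and client IDs are constructed samples.

```python
"""Model of the multi-valued OAuth2 consent attribute described above.

Each value is "<clientID> <scope> [<scope> ...]". This is an added illustration
of the format, not OpenAM code; skipping malformed entries and merging repeated
entries for one client are assumptions, not documented OpenAM behaviour.
"""
from typing import Dict, Iterable, List, Set


def parse_consent_values(values: Iterable[str]) -> Dict[str, Set[str]]:
    """Turn stored consent strings into {client_id: set_of_scopes}.

    Entries with no scopes (or empty strings) are ignored rather than granting
    anything; several entries for the same client are merged into one set.
    """
    consents: Dict[str, Set[str]] = {}
    for raw in values:
        parts = raw.split()            # tolerates extra spaces or tabs
        if len(parts) < 2:
            continue                   # malformed: client ID without scopes
        client_id, scopes = parts[0], parts[1:]
        consents.setdefault(client_id, set()).update(scopes)
    return consents


def consent_already_given(values: Iterable[str], client_id: str,
                          requested_scopes: Iterable[str]) -> bool:
    """True when every requested scope was previously saved for this client.

    An empty scope request never counts as covered, so a request for nothing
    does not silently bypass the consent step.
    """
    requested = set(requested_scopes)
    granted = parse_consent_values(values).get(client_id, set())
    return bool(requested) and requested <= granted


def consent_value(client_id: str, scopes: List[str]) -> str:
    """Build one attribute value to provision into a user profile.

    The client ID must be a single token (a space would split it into a scope)
    and at least one scope is required; duplicate scopes are dropped, order kept.
    """
    if not client_id or any(ch.isspace() for ch in client_id):
        raise ValueError("client ID must be a single whitespace-free token")
    if not scopes:
        raise ValueError("at least one scope is required")
    return client_id + " " + " ".join(dict.fromkeys(scopes))


# Constructed sample profile values (not real client IDs).
SAMPLE_PROFILE_VALUES = [
    "myClientID openid profile",
    "otherClient openid",
    "brokenEntry",                     # no scopes: ignored by the parser
]

if __name__ == "__main__":
    print(parse_consent_values(SAMPLE_PROFILE_VALUES))
    print(consent_already_given(SAMPLE_PROFILE_VALUES, "myClientID", ["openid", "profile"]))
    print(consent_already_given(SAMPLE_PROFILE_VALUES, "myClientID", ["openid", "email"]))
    print(consent_value("myClientID", ["openid", "profile"]))
```

The check is deliberately strict: a client that later asks for an additional scope (here "email") is not covered by the earlier "openid profile" entry, which is the behaviour you want before letting a user skip a consent prompt.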