Lately we have been trying to use OpenID Connect with OpenAM. By following the official documentation, you can easily configure a basic scenario where OpenAM is just an OAuth/OpenID Connect provider. However, we have found that some goals are not easily achievable with the current available versions of OpenAM.
It is pretty simple to configure an OAuth / OpenID Connect provider in OpenAM; you just need a good understanding of the flow you want to implement (authorization code flow, implicit flow, hybrid flow), the official documentation and an OpenID Connect client to test with. Unfortunately, problems appear when you plan to add custom claims to the ID Token or even to the information provided by the userinfo endpoint.
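The custom-claims question above is easiest to test from the client side: whatever the provider does, the relying party must still verify the ID Token and then check which claims actually arrived. The following script is an added example, not code from the original post or from OpenAM; it builds a constructed HS256-signed ID Token with a shared secret purely so it runs offline (a real client verifies against the provider's published keys), verifies it the way an OpenID Connect client should (algorithm, signature, issuer, audience, expiry), and then reports which expected custom claims are missing. The issuer URL, client id, secret and claim names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed test values (assumptions, not taken from any real deployment).
SHARED_SECRET = b"constructed-test-secret"
ISSUER = "https://openam.example.com/openam/oauth2"
CLIENT_ID = "myClientID"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Sign a claim set as an HS256 JWT (stand-in for the provider's token endpoint)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                    now: Optional[int] = None) -> dict:
    """Verify an ID Token and return its claims; raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the expected algorithm: never let the token choose (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token not intended for this client")
    current = int(time.time()) if now is None else now
    if "exp" not in claims or current >= int(claims["exp"]):
        raise ValueError("token expired")
    if "sub" not in claims:
        raise ValueError("missing sub")
    return claims


def missing_custom_claims(claims: dict, expected: List[str]) -> List[str]:
    """Names from `expected` that the provider did not include in the claim set."""
    return [name for name in expected if name not in claims]


def check_userinfo(userinfo: dict, id_token_sub: str, expected: List[str]) -> List[str]:
    """Userinfo must describe the same subject as the ID Token; then list missing claims."""
    if userinfo.get("sub") != id_token_sub:
        raise ValueError("userinfo sub does not match ID Token sub")
    return missing_custom_claims(userinfo, expected)


if __name__ == "__main__":
    sample = {"iss": ISSUER, "sub": "demo", "aud": CLIENT_ID,
              "iat": 1700000000, "exp": 1700000300, "department": "security"}
    token = make_id_token(sample, SHARED_SECRET)
    verified = verify_id_token(token, SHARED_SECRET, ISSUER, CLIENT_ID, now=1700000100)
    print("missing custom claims:", missing_custom_claims(verified, ["department", "employee_id"]))
```

Run it against a real provider by replacing `make_id_token` with the token returned from the token endpoint and swapping the HMAC check for verification against the provider's JWKS; the claim-presence checks stay the same, which is what makes the missing-custom-claims problem visible immediately.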
In the OpenAM mailing list you can read that it is not achievable on the current stable release (OpenAM 12), except by « writing a lot of code », and it is even more complicated with the previous release (OpenAM 11). However, this feature will be available in the future version of OpenAM (13), as you can read in its documentation:
« This chapter shows you how to manage scripts used for client-side and server-side scripted authentication, custom policy conditions, and handling OpenID Connect claims by using the OpenAM console. »
So, as a conclusion, if you want to set up an OpenID Connect provider capable of delivering custom claims, avoid using OpenAM for now, and wait for the next version of the product, which should be released late 2015 according to the roadmap.