openam #2

Supports: precise
Add to new model


The only "all-in-one" open source access management solution provides the most comprehensive consumer-facing identity relationship management (IRM) services,
as well as traditional access management capabilities.
Designed from inception to provide services for the web, cloud, mobile devices and things, OpenAM has a highly scalable, modular, easy to deploy architecture that includes Authentication, SSO, Authorization, Federation, Entitlements, Adaptive Authentication, Strong Authentication and Web Services Security - in a single, unified product.
- See more at:


About ForgeRock Open Identity Stack

ForgeRock is pioneering open source identity management through innovation, simplification, and openness for all identity services. Dedicated to democratizing Identity Management for everyone across enterprise, social, mobile, and the cloud, ForgeRock products support mission-critical operations with a fully open source platform.

ForgeRock’s Open Identity Stack powers solutions for thousands of the world’s largest companies and government organizations.

Our goal is simple: to deliver the best open source identity stack for securing anything, anywhere, on any device.

The Open Identity Stack includes the following main products:

  • OpenAM is a single, unified access management solution providing authentication, authorization, federation, web services security, fine-grained entitlements, and adaptive authorization all in one self-contained Java application. Included with OpenAM, the Open Identity Gateway (OpenIG) is a high-performance gateway with specialized session management and credential replay functionality.

  • OpenDJ is an LDAP directory server — the first-ever directory natively supporting REST — with a flexible access model that lets developers choose between REST, SCIM, LDAP or web services. The 100% Java-based LDAPv3-compliant server is extremely efficient with minimal CPU, memory and on-disk footprint.

  • OpenIDM is the only 100% open source, lightweight, user administration and provisioning solution purpose-built for Internet scale. It’s easy to embed and deploy, with a small footprint and out-of-the-box REST interfaces that use standard Java development tools. OpenIDM uses the Open Identity Connectors Framework and Toolkit (OpenICF) to aid development of resource connectors.

ForgeRock OpenAM

ForgeRock OpenAM was designed in response to a milieu of access management suites that were pieced together through acquisitions, creating an accidental architecture that complicates deployment and passes integration costs on to customers. Based on the Sun OpenSSO codebase, OpenAM is an “All-In-One” access management platform for protecting any type of resource across enterprise, cloud, social, and mobile environments. What has traditionally been delivered by legacy identity vendors as six different products — SSO, adaptive authentication, strong authentication, federation, web services security, and fine-grained entitlements — is delivered as a single, unified offering. Organizations can use the access control services they need and simply “turn on” additional services when ready.

The solution has an inherently unique architecture to support use cases from complex enterprise access control, to multi-protocol federation, to enabling SSO for cloud systems. At the highest level OpenAM consists in a single, self-contained Java application; service components such as session management; client side APIs in C, Java, REST; service provider interfaces to enable custom plugins; and policy agents for web and app server containers to enforce access policies to protected web sites and web applications. Organizations with existing internal access management solutions can easily integrate OpenAM into their environment through API services or through the token translation service. Maintaining all installation and configuration capabilities within one application vastly simplifies deployment. In addition, agent configuration, server configuration, and other tasks are simplified to be repeatable and scalable, so multiple instances of the solution can be deployed without additional effort. The embedded OpenDJ directory server eliminates the need to configure a separate directory to support the configuration and data stores, or if desired, users can utilize other LDAP directories or databases.

Key OpenAM Features

  • Authentication
    With over 20 out-of-the-box authentication methods supported, OpenAM has the flexibility to chain methods together along with Adaptive Risk scoring, or to create custom authentication modules based on the JAAS (Java Authentication and Authorization Service) open standard. Windows IWA is supported to enable a completely seamless heterogeneous OS and Web application SSO environment.

  • Authorization
    OpenAM provides authorization policy from basic, simple, coarse-grained rules to highly advanced, fine-grained entitlements based on XACML (Extensible Authorization Mark-Up Language). With the ability to abstract authorization policy away from the application, developers can quickly add or change policy as needed without modification to the underlying application.

  • Adaptive Risk Authentication
    The adaptive risk authentication module is used to assess risks during the authentication process, to determine whether to require that the user complete further authentication steps. Adaptive risk authentication determines, based on risk scoring, whether more information from a user is required when they login. For example, a risk score can be calculated based on an IP address range, access from a new device, account idle time, etc., and applied to the authentication chain.

  • Federation
    Federation services securely share identity information across heterogeneous systems or domain boundaries using standard identity protocols (SAML, WS-Fed, OpenID Connect). Quickly setup and configure service provider or cloud service connections through the Fedlet, OAUTH2 Client, OAUTH2 Provider, or OpenIG Federation Gateway. Unique to OpenAM, the OpenIG Federation Gateway provides a SAML2 compliant enforcement point to and allows businesses to quickly add SAML2 support to their applications with little to no knowledge of the standard.

  • Single Sign-On: OpenAM provides multiple mechanisms for SSO, whether the requirement is enabling cross-domain SSO for a single organization, or SSO across multiple organizations through the Federation Service. OpenAM supports multiple options for enforcing policy and protecting resources, including policy agents that reside on web or application servers, a proxy server, or the OpenIG (Identity Gateway). OpenIG runs as a self-contained gateway and protects web applications where installing a policy agent is not possible.

  • High Availability & Session Failover
    To enable high availability for large-scale and mission-critical deployments, OpenAM provides both system failover and session failover. These two key features help to ensure that no single point of failure exists in the deployment, and that the OpenAM service is always available to end-users. Redundant OpenAM servers, policy agents, and load balancers prevent a single point of failure. Session failover ensures the user’s session continues uninterrupted, and no user data is lost. The high availability of OpenAM is based upon using a load balancing (either software or hardware based) which supports sticky sessions to distribute the load across all available OpenAM server. Should one server become unavailable, the load balancer fails client requests over to another OpenAM server. The other OpenAM server must then fail over the user session associated with the client.
    The session persistence repository is based on the bundled OpenDJ LDAP server. Recommended setup would be to have a external configuration of the OpenDJ as the session store which can scale and be redundant independent of the number of instances of OpenAM.

Further documentation


ForgeRock can offer a subscription for those who want to use ForgeRock products for production.
Check out here: Subscriptions.


To be able to install OpenAM you have to accept the license term as outlined in the license file.
You can either accept the license terms on the command line or by the checkbox in the Juju-gui.

In addition you have to set a "private" admin password for your deployment, either on the command line or in the Juju-gui.

Step by step instructions on using the charm

juju deploy openam --constraints="mem=4G arch=amd64"
juju set openam Accept_license='true' Amadmin_password='cangetin'

In addition you can also set a FQDN to be added as a alias in addition to the initial default hostname used for installation.
The alias host can then be a public resolvable FQDN or a name only resolvable on the local host. All Juju relationships will use the default initial returned by the 'unit-get public-address' function.

juju set openam FQDN_OpenAM_alias='';

The instance running OpenAM needs at least 4GB RAM.

This relase of the OpenAM charm supports a Juju relationship to ForgeRock OpenDJ. OpenDJ is a LDAP directory server, which in most cases are used as user repositories. OpenDJ comes with some sample users that can be added to the default authentication chain in OpenAM to test and verify how easy such a integration can be done. You can verify the users in the OpenAM web console in the following location both with and without a relationship:

  • 'Access Control' -> '/ (Top Level Realm)' -> 'Subjects'

The datastore itself is created in

  • 'Access Control' -> '/ (Top Level Realm)' -> 'Data stores'

and named 'opendj'.

Many more relationships for both datastores and authentication services will be added in the future.
Any contributions are welcome.

Scale out Usage

OpenAM itself is highly scalable using built-in a site configuration option and can be used behind load balancers. This release of OpenAM do support it, but the autoscaling features supported by Juju is not currently mapped a OpenAM site configurations.

Known Limitations and Issues

This release of OpenAM is meant for evaluation purposes only and will violate the license terms if used in a production environment. There is no limitation in features of the product.

The 'unit-get public-address' call in Juju install hook needs to return a Fully Qualified Domain Name (FQDN), just an IP address will abort the installation if no FQDN alias is used.

The 'amadmin' password will only be set on initial installation. It is not supported to change it from within Juju with the current version of this charm.

Other limitations for this charm:
- Autoscaling is not supported in this charm release. You can add and configure it manually if needed.
- Using privileged ports (low ports numbers) are not supported
- Only OpenDJ is tested as a user repository for authenticate users
- Only the Apache OpenAM Agent relationship is currently supported. Currently no support for the .Net and J2EE agents.
- Only OpenID Connect is supported as a automatically way of authenticate users of any charm implementing the same interface

There will be more features and relationships to come.


In addition to the license agreement and the admin password you can change or set the following configuration options.

OpenAM uses the default Tomcat7 as it's java container for deployment. Default ports are 8080 and for SSL 8443 is used. There is a self-signed certificate created for SSL.

  • http_port, defaults to 8080
  • https_port, defaults to 8443
  • java_opts, defaults to '-Xmx1024m -XX:MaxPermSize=256m'

You can then browse to http://ip-address:8080 or https://ip-address:8443 to further configure OpenAM. Default admin user is "amadmin" and password is the one defined on deployment.

Contact Information



(boolean) This otions is mandatory. . You have to accept the OpenDJ license terms before installation can proceed. The lisence terms can be found as part of the source in file named 'license.txt'.
(string) You have to provide a private OpenAM amadmin password before installation can be done. Administrator password must be atleast 8 characters. . The amadmin password will only be set on initial installation, it can not be changed using the charm config after installation. . This field is mandatory.
(string) Add this Fully Qualified Domain Name (FQDN) to be a valid hostname supported by OpenAM. If you already have a valid FQDN you wanna use, or by any other reasons need to provide a full hostname enter it here. The default (unit-get public-address) will be used as default but the alias will be added in addition. . This field is optional.
(int) HTTP port
(int) HTTPS port
(string) Java options for JVM
-Xmx1024m -XX:MaxPermSize=256m